Updates from: 08/12/2021 03:27:43
Category Microsoft Docs article Related commit history on GitHub Change details
admin Domain Registrar Setup Limitations https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/get-help-with-domains/domain-registrar-setup-limitations.md
+
+ Title: "Domain registrars with setup limitations"
+f1.keywords:
+- CSH
+++
+audience: Admin
++
+localization_priority: Priority
+
+- M365-subscription-management
+- Adm_O365
+- Adm_TOC
+
+- AdminSurgePortfolio
+- okr_smb
+- AdminTemplateSet
+search.appverid:
+- MET150
+
+description: "Some domain registrars offer limited services, which means not all Microsoft features will work with every domain."
++
+# Domain registrars with setup limitations
+
+[Create DNS records at DNSMadeEasy for Microsoft](#create-dns-records-at-dnsmadeeasy-for-microsoft)\
+[Create DNS records at easyDNS for Microsoft](#create-dns-records-at-easydns-for-microsoft)\
+[Create DNS records at Freenom for Microsoft](#create-dns-records-at-freenom-for-microsoft)\
+[Create DNS records at MyDomain for Microsoft](#create-dns-records-at-mydomain-for-microsoft)\
+[Create DNS records for Microsoft using Windows-based DNS](#create-dns-records-for-microsoft-using-windows-based-dns)\
+[Create DNS records when your domain is managed by Google (eNom)](#create-dns-records-when-your-domain-is-managed-by-google-enom)\
+[Create DNS records at 1&1 IONOS for Microsoft](#create-dns-records-at-11-ionos-for-microsoft)
+
+Some domain registrars have significant service limitations, which means not all Microsoft features will work with every domain. Specific limitations for some registrars are identified in this article.
+
+## Create DNS records at DNSMadeEasy for Microsoft
+
+For DNSMadeEasy accounts, the domain you added was purchased from a separate domain registrar. DNSMadeEasy does not offer domain registration services. Your ability to log in at DNSMadeEasy and create the DNS record is sufficient proof of ownership.
+
+## Create DNS records at easyDNS for Microsoft
+
+SRV Records are currently NOT available under all easyDNS service packages. You may need to upgrade to a higher service level with easyDNS to add SRV records which are required for Skype for Business.
+
+## Create DNS records at Freenom for Microsoft
+
+The Freenom website doesn't support SRV records, which means that several Skype for Business Online and Outlook Web App features won't work. No matter which Microsoft plan you use, there are significant service limitations, and you may want to switch to a different DNS hosting provider.
+
+## Create DNS records at MyDomain for Microsoft
+
+The MyDomain website doesn't support SRV records, which means several Skype for Business Online and Outlook Web App features won't work. No matter which Microsoft plan you use, if you manage your DNS records at MyDomain, there are significant service limitations, and you might want to switch to a different DNS hosting provider.
+
+## Create DNS records for Microsoft using Windows-based DNS
+
+Go to the page that has the DNS records for your domain. If you're working in Windows Server 2008, go to Start > Run. If you're working in Windows Server 2012, press the Windows key and r. Type **dnsmgmnt.msc**, and then select **OK**. In DNS Manager, expand <DNS server name> > **Forward Lookup Zones**. Select your domain. You're now ready to create the DNS records.
+
+## Create DNS records when your domain is managed by Google (eNom)
+
+If you purchased your domain through Google while signing up for your Google Apps for Work account, your DNS records are managed by Google but registered with eNom. You can access eNom, and create DNS, through the Google Domains page.
+
+## Create DNS records at 1&1 IONOS for Microsoft
+
+1&1 IONOS doesn't allow a domain to have both an MX record and a top-level Autodiscover CNAME record. This limits the ways in which you can configure Exchange Online for Microsoft. There is a workaround, but we recommend employing it only if you already have experience with creating subdomains at 1&1 IONOS.
+
+If despite this service limitation you choose to manage your own Microsoft DNS records at 1&1 IONOS, follow the steps in this article to verify your domain and to set up DNS records for email, Skype for Business Online, and so on.
+
+1&1 IONOS requires a workaround so that you can use an MX record together with the CNAME records required for Microsoft email services. This workaround requires you to create a set of subdomains at 1&1 IONOS, and to assign them to CNAME records.
+
+> [!NOTE]
+> Make sure that you have at least two available subdomains before starting this procedure. We recommend this solution only if you already have experience with creating subdomains at 1&1 IONOS.
+
+### Basic CNAME records
+
+1. To get started, go to your domains page at 1&1 IONOS. You'll be prompted to log in.
+
+1. Select **Manage domains**.
+
+1. On the Domain Center page, find the domain that you want to update, and then select **Manage Subdomains**. Now you'll create two subdomains and set an **Alias** value for each (This is required because 1&1 IONOS supports only one top-level CNAME record, but Microsoft requires several CNAME records.)
+
+1. First, you'll create the Autodiscover subdomain. In the **Subdomain Overview** section, select **Create Subdomain**.
+
+1. In the **Create Subdomain** box for the new subdomain, type or copy and paste only the **Create Subdomain** value from the following table. (You'll add the **Alias** value at a later step.)
+
+ |Create Subdomain|Alias|
+ |:-|:-|
+ |autodiscover|autodiscover.outlook.com|
+
+1. Select **Create Subdomain**.
+
+1. In the **Subdomain Overview** section, locate the autodiscover subdomain that you just created, and then select the Panel (v) control for that subdomain.
+
+1. In the **Subdomain Settings** area, select **Edit DNS Settings**.
+
+1. In the **A/AAAA Records (IP Addresses)** section, in the **IP address (A Record)** area, select **CNAME**.
+
+1. In the **Alias:** box, type or copy and paste only the **Alias** value from the following table.
+
+ |Create Subdomain|Alias|
+ |:-|:-|
+ |autodiscover|autodiscover.outlook.com|
+
+1. Select the check box for the **I am aware** disclaimer.
+
+1. Select **Save**.
+
+### Additional CNAME records
+
+The additional CNAME records in the following procedure enable Skype for Business Online services. Use the same steps that you used for the two CNAME records you already created.
+
+**Create the third subdomain (Lyncdiscover)**
+
+1. On the **Subdomain Overview** section, select **Create Subdomain**.
+
+1. In the **Create Subdomain** box for the new subdomain, type or copy and paste only the **Create Subdomain** value from the following table. (You'll add the **Alias** value at a later step.)
+
+ |Create Subdomain|Alias|
+ |:-|:-|
+ |lyncdiscover|webdir.online.lync.com|
+
+1. Select **Create Subdomain**.
+
+1. On the Domain Center page, select **Manage Subdomains**.
+
+1. In the **Subdomain Overview** section, find the lyncdiscover subdomain that you just created, and then select the Panel (v) control for that subdomain. In the **Subdomain Settings** area, select **Edit DNS Settings**.
+
+1. In the **A/AAAA Records (IP Addresses)** section, in the **IP address (A Record)** area, select **CNAME**.
+
+1. In the **Alias:** box, type or copy and paste only the **Alias** value from the following table.
+
+ |Create Subdomain|Alias|
+ |:-|:-|
+ |lyncdiscover|webdir.online.lync.com|
+
+1. Select the check box for the **I am aware** disclaimer, and then select **Save**.
+
+1. In the **Edit DNS Settings** dialog box, select **Yes**.
+
+**Create the fourth subdomain (SIP)**
+
+1. In the **Subdomain Overview** section, select **Create Subdomain**.
+
+1. In the **Create Subdomain** box for the new subdomain, type or copy and paste only the **Create Subdomain** value from the following table. (You'll add the **Alias** value a later step.)
+
+ |Create Subdomain|Alias|
+ |:-|:-|
+ |sip|sipdir.online.lync.com|
+
+1. Select **Create Subdomain**.
+
+1. On the Domain Center page, select **Manage Subdomains**.
+
+1. In the **Subdomain Overview** section, find the sip subdomain that you just created, and then select the Panel (v) control for that subdomain. <br/> In the **Subdomain Settings** area, select **Edit DNS Settings**.
+
+1. In the **A/AAAA Records (IP Addresses)** section, in the **IP address (A Record)** area, select **CNAME**.
+
+1. In the **Alias:** box, type or copy and paste only the **Alias** value from the following table.
+
+ |Create Subdomain|Alias|
+ |:-|:-|
+ |sip|sipdir.online.lync.com|
+
+1. Select the check box for the **I am aware** disclaimer, and then select **Save**.
+
+1. In the **Edit DNS Settings** dialog box, select **Yes**.
+
+### CNAME records needed for MDM
+
+Follow the procedure that you used for the other four CNAME records but supply these values:
+
+|Create Subdomain|Alias|
+|:-|:-|
+|enterpriseregistration|enterpriseregistration.windows.net|
+|enterpriseenrollment|enterpriseenrollment-s.manage.microsoft.com|
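Review bot: In the Windows-based DNS section the command to type is given as **dnsmgmnt.msc**, but the DNS Manager snap-in is dnsmgmt.msc, so the step fails as written. The same paragraph contains an unescaped "<DNS server name>", which a Markdown renderer may treat as an HTML tag and drop; escape it or use italics. In the 1&1 IONOS procedure the record count does not add up. The Basic CNAME records steps say "you'll create two subdomains" but create only autodiscover. The next section then refers to "the two CNAME records you already created" and goes on to a "third" and "fourth" subdomain, and the MDM section refers to "the other four CNAME records" when three have been created. The note asking for "at least two available subdomains" is also short of what the full procedure uses. Either restore the missing record or renumber. Minor: "(You'll add the **Alias** value a later step.)" in the SIP steps is missing "at".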
admin Centralized Deployment FAQ https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/manage/centralized-deployment-FAQ.md
- Title: "Centralized Deployment FAQ"-- NOCSH-----
-localization_priority: Normal
--- M365-subscription-management -- Adm_O365-- Adm_NonTOC--- BCS160-- MET150-- MOE150
-description: "Review the answers to frequent questions about Centralized Deployment from the Microsoft 365 admin center."
--
-# Centralized Deployment FAQ
-
-Centralized Deployment is the recommended way for an Office 365 admin to deploy Office add-ins (Word, Excel, PowerPoint, and Outlook) to users and groups within an organization, provided the organization meets all requirements for using Centralized Deployment as outlined in this article.  
-
-## How do I know if my organization is set up for Centralized Deployment?ΓÇ»
-
-Centralized deployment of add-ins requires that users are using Microsoft 365 Apps for enterprise (and are signed into Office using their organizational log-in credentials) and have Exchange Online mailboxes. Your subscription directory must either be in, or federated to, Azure Active Directory.ΓÇ»
-
-Centralized Deployment is only supported for online mailboxes. It does not support deployment to on-premises Exchange mailboxes.
-
-You can use the [Centralized Deployment Compatibility Checker](centralized-deployment-of-add-ins.md#centralized-deployment-compatibility-checker) to determine if your subscription is eligible.
-
-## How do you target add-in user assignments with Centralized Deployment?ΓÇ»
-
-Centralized Deployment supports assignments to individual users, groups, and everyone in the tenant. Centralized Deployment can be used for users in top-level groups or groups without parent groups, but not for users in nested groups or groups that have parent groups. Centralized Deployment is also part of most Azure Active Directory groups, including Office 365 Groups, distribution lists, and security groups.ΓÇ»
-
-It is better to use groups assignments instead of individual user assignment for easier management.
-
-For more details, see [User and Group assignments](./centralized-deployment-of-add-ins.md#user-and-group-assignments).ΓÇ»
-ΓÇ»
-## How long does it take for add-ins to show up for all users?ΓÇ»
-
-It can take up to 24 hours for an add-in to show up for all users. It can take the same amount of time for add-in updates, changes from turn on or turn off, or add-in removals.
-
-## As an administrator, how do I manage the user access to add-ins for my organization?
-
-For easy deployment of add-ins to users, groups, or to your entire organization, we recommend administrators use Centralized Deployment.
-
-For more information about managing user access, see:
-
-## Will Centralized Deployment provide admins the flexibility to choose the deployment method for Outlook add-ins?ΓÇ»
-
-Yes. Centralized Deployment provides admins the flexibility to choose one of three deployment methods for Outlook add-ins during add-in deployment:
-
-**Fixed (Default)**ΓÇ»
-The add-in is deployed automatically to the assigned users, and they cannot remove it.ΓÇ»
-
-**Available**
-Users can install the add-in in Outlook by choosing **Home > Get More add-ins > Admin-managed**.
-
-**Optional**
-The add-in is deployed automatically to the assigned users, but they can choose to remove it.ΓÇ»
-
-## Can admins update Line-of-Business (LOB) add-ins?ΓÇ»
-
-Yes. Admins can upload a new manifest file to support metadata changes for admin-deployed LOB add-ins. The add-in updates the next time the Office applications starts. The web application can change at any time.ΓÇ»
-
-For more information, see [line-of-business add-in](./manage-addins-in-the-admin-center.md).
-
-## Can admins turn off add-ins?ΓÇ»
-
-Yes. Admins can turn on or off the add-ins they deploy for all users from the Microsoft admin center.
-
-For more information, see [Add-in states](./manage-addins-in-the-admin-center.md#add-in-states).ΓÇ»
-
-##  Can admins delete or remove add-ins?
-
-Yes. Admins can delete add-ins they deployed for all users from the Microsoft admin center.
-
-For more information, see [Delete an add-in](./manage-addins-in-the-admin-center.md#delete-an-add-in).
-
-## Can admins deploy paid add-ins from the Office Store using Centralized Deployment?
-
-No. You can't deploy paid add-ins from the Office Store using Centralized Deployment at this time.ΓÇ»
-
-We suggest reaching out to the ISV Developer for the paid add-in to request a manifest file or a URL. The tenant admin can then deploy the add-in as a LOB add-in using Centralized Deployment.
-ΓÇ»
-## Which admin role do I need to manage add-ins for my organization?ΓÇ»
-
-Global Admin is the recommended role with complete access to add-in management lifecycle. If you're the person who purchased your Microsoft 365 Business subscription, you are the Global admin.
-
-Your subscription comes with a set of admin roles that you can assign to other users in your organization. Each admin role maps to common business functions and gives people in your organization permissions to perform specific tasks in the Microsoft 365 admin center.
-
-For more information, see [Assign admin roles](../add-users/assign-admin-roles.md).ΓÇ»
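Review bot: The answer under "As an administrator, how do I manage the user access to add-ins for my organization?" ends with "For more information about managing user access, see:" and no link follows. The related-content link in centralized-deployment-of-add-ins.md now points at centralized-deployment-faq.yml, so if this removal is a conversion to that file, complete or drop the dangling sentence rather than carrying it over. The targeting answer also states "Centralized Deployment is also part of most Azure Active Directory groups", which does not parse as written and likely means the group types that are supported. Since that sentence defines who can receive an add-in, it should be unambiguous in the converted file.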
admin Centralized Deployment Of Add Ins https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/manage/centralized-deployment-of-add-ins.md
If you or your users encounter problems loading the add-in while using Office ap
[Deploy add-ins in the admin center](../manage/manage-deployment-of-add-ins.md) (article)\ [Manage add-ins in the admin center](manage-addins-in-the-admin-center.md) (article)\
-[Centralized Deployment FAQ](../manage/centralized-deployment-faq.md) (article)\
+[Centralized Deployment FAQ](../manage/centralized-deployment-faq.yml) (article)\
[Upgrade your Microsoft 365 for business users to the latest Office client](../setup/upgrade-users-to-latest-office-client.md) (article)
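Review bot: The new link target is centralized-deployment-faq.yml in lowercase, while the file removed in this same update is listed as centralized-deployment-FAQ.md. Confirm that the .yml file name matches the casing used in the link, and that any other articles still linking to the .md name are updated in the same change so they do not break.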
bookings Bookings Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/bookings/bookings-overview.md
Bookings has three primary components:
- A business-facing mobile app where Bookings calendar owners and administrators can see all of their appointments, access customer lists and contact information, and make manual bookings on the go.
+## Before you begin
+
+Microsoft Bookings is available in the following subscriptions:
+
+- Office 365: A3, A5, E3, E5, F1, F3
+- Microsoft 365: A3, A5, E3, E5, F1, F3, Business Premium
+ ## Get started using Bookings Ready to get started?
commerce Cancel Your Subscription https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/subscriptions/cancel-your-subscription.md
Your subscription now appears in a **Disabled** state, and has reduced functiona
> [!NOTE] > If you explicitly delete a subscription, then it skips the Expired and Disabled stages and the SharePoint Online data and content, including OneDrive, is deleted immediately.
-Your subscription now appears in a **Disabled** state, and has reduced functionality until it's deleted. For more information about what you can expect when a paid Microsoft 365 for business subscription is canceled, see [What happens to my data and access when my Microsoft 365 for business subscription ends?](what-if-my-subscription-expires.md).
- ## What happens when you cancel a subscription If you cancel a subscription before the end of your term, the subscription status moves directly into a disabled state. For most subscriptions, in most countries and regions, the disabled state lasts 90 days. Admins can still access and back up data for their organization while the subscription is in the disabled state, but we recommend that admins [back up their data](back-up-data-before-switching-plans.md) before they cancel a subscription, especially if it's their only subscription. Admins can also reactivate the subscription while it's in the disabled state.
compliance Apply Retention Labels Automatically https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/apply-retention-labels-automatically.md
You can apply retention labels to content automatically when that content contai
- [A match for trainable classifiers](#auto-apply-labels-to-content-by-using-trainable-classifiers)
+All three conditions can automatically apply retention labels to emails as they are sent. For items in SharePoint and OneDrive, use the following table to identify when retention labels can be automatically applied to them:
+
+|Condition|New or modified items |Existing items (data at rest)|
+|:--|:--|:--|
+|Sensitive info types - built-in| Yes | Yes |
+|Sensitive info types - custom| Yes | No |
+|Specific keywords or searchable properties| Yes |Yes |
+|Trainable classifiers| Yes | Yes (last six months only) |
++ #### Auto-apply labels to content with specific types of sensitive information > [!WARNING]
For more information about these options, see the following guidance from the DL
To consider when using sensitive information types to auto-apply retention labels: -- New and modified items can be auto-labeled.
+- If you use custom sensitive information types, these can't auto-label existing items in SharePoint and OneDrive.
#### Auto-apply labels to content with keywords or searchable properties
Query-based auto-apply policies use the same search index as eDiscovery content
Some things to consider when using keywords or searchable properties to auto-apply retention labels: -- New, modified, and existing items will be auto-labeled for SharePoint, OneDrive, and Exchange.- - For SharePoint, crawled properties and custom properties aren't supported for these KQL queries and you must use only predefined managed properties for documents. However, you can use mappings at the tenant level with the predefined managed properties that are enabled as refiners by default (RefinableDate00-19, RefinableString00-99, RefinableInt00-49, RefinableDecimals00-09, and RefinableDouble00-09). For more information, see [Overview of crawled and managed properties in SharePoint Server](/SharePoint/technical-reference/crawled-and-managed-properties-overview), and for instructions, see [Create a new managed property](/sharepoint/manage-search-schema#create-a-new-managed-property). - If you map a custom property to one of the refiner properties, wait 24 hours before you use it in your KQL query for a retention label.
For more information about trainable classifiers, see [Learn about trainable cla
To consider when using trainable classifiers to auto-apply retention labels: -- New and modified items can be auto-labeled, and existing items from the last six months.
+- You can't auto-label SharePoint and OneDrive items that are older than six months.
## How long it takes for retention labels to take effect
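Review bot: The keywords section drops the bullet "New, modified, and existing items will be auto-labeled for SharePoint, OneDrive, and Exchange", but nothing added here covers existing items in Exchange. The added table is scoped to SharePoint and OneDrive, and the added intro sentence covers only emails "as they are sent". Add a sentence or table column saying whether mail already at rest in mailboxes is auto-labeled for each condition, since retention coverage of existing mail is what admins will look for here. Also, the intro says "All three conditions" while the table lists four rows. Splitting sensitive info types into built-in and custom is reasonable, but a short clause tying the rows back to the three conditions would avoid confusion.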
compliance Get Started With Sensitivity Labels https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/get-started-with-sensitivity-labels.md
A successful strategy to deploy sensitivity labels for an organization is to cre
Using the table in the next section, we recommend identifying your top one or two scenarios that map to your most impactful business requirements. After these scenarios are deployed, return to the list to identify the next one or two priorities for deployment.
-You'll find additional general deployment guidance in the downloadable Data Loss Prevention and Microsoft Information Protection Deployment Acceleration Guide. For more information, see the blog post, [Microsoft 365 Information Protection and Compliance Deployment Acceleration Guides](https://techcommunity.microsoft.com/t5/microsoft-security-and/microsoft-365-information-protection-and-compliance-deployment/ba-p/2076404).
+You'll find additional general deployment guidance and best practices in the [Deployment Acceleration Guide for Microsoft Information Protection and Data Loss Prevention](https://microsoft.github.io/ComplianceCxE/dag/mip-dlp/), one of the resources from the [Customer Acceleration Team (CAT)](https://microsoft.github.io/ComplianceCxE/) site.
## Common scenarios for sensitivity labels
compliance Insider Risk Management Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/insider-risk-management-policies.md
For more details about any recommendations or warnings, select a policy on the *
![Insider risk management policy health](../media/insider-risk-policy-health.png)
+### Notification messages
+ Use the following table to learn more about recommendations and warning notifications and actions to take to resolve potential issues. |**Notification messages**|**Policy templates**|**Causes / Try this action to fix**|
compliance New Defender Alert Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/new-defender-alert-policies.md
The following table identifies when the new alert policies will begin triggering
| **Email messages containing malicious file removed after delivery** (new) | Alerts will start triggering on April 11, 2021 | | **Emails messages from a campaign were delivered and later removed** (new) | Alerts will start triggering on May 28, 2021| | **Malicious emails were delivered and later removed** (new) | Alerts will start triggering on May 28, 2021|
-| **Email messages containing phish URLs removed after delivery** (existing, will be removed)| The alert policy will be removed on May 28, 2021. See the [What you need to do to prepare for these changes](#what-you-need-to-do-to-prepare-for-these-changes) section.|
-| **Email messages containing malware removed after delivery** (existing, will be removed) | The alert policy will be removed on May 28, 2021. See the [What you need to do to prepare for these changes](#what-you-need-to-do-to-prepare-for-these-changes) section. |
+| **Email messages containing phish URLs removed after delivery** (existing, will be removed)| The alert policy was removed in June 2021. See the [What you need to do to prepare for these changes](#what-you-need-to-do-to-prepare-for-these-changes) section.|
+| **Email messages containing malware removed after delivery** (existing, will be removed) | The alert policy was removed in June 2021. See the [What you need to do to prepare for these changes](#what-you-need-to-do-to-prepare-for-these-changes) section. |
||| The alert severity changes will be rolled out to all organizations by May 14, 2021.
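Review bot: The two changed rows now say "The alert policy was removed in June 2021", but the row labels still read "(existing, will be removed)" and the cells still point to "What you need to do to prepare for these changes". Update the labels to past tense and reword or retarget the link, since there is nothing left to prepare for once the policies are gone. The surrounding rows ("Alerts will start triggering on April 11, 2021", "will be rolled out to all organizations by May 14, 2021") have the same stale future tense and could be fixed in the same pass, so that anyone checking which alerts exist today is not misled.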
compliance Ome Advanced Message Encryption https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/ome-advanced-message-encryption.md
audience: Admin
localization_priority: Normal Previously updated : 10/16/2019 Last updated : 08/11/2021 - Strat_O365_IP - M365-security-compliance
Your organization must have a subscription that includes Office 365 Advanced Mes
If you do not have Office 365 Message Encryption set up already, see [Set up new Office 365 Message Encryption capabilities](set-up-new-message-encryption-capabilities.md).
-With Advanced Message Encryption you're not limited to a single branding template. Instead, you can create and use multiple branding templates. For information, see [Add your organization's brand to your encrypted messages](add-your-organization-brand-to-encrypted-messages.md).
+With Advanced Message Encryption, you're not limited to a single branding template. Instead, you can create and use multiple branding templates. For information, see [Add your organization's brand to your encrypted messages](add-your-organization-brand-to-encrypted-messages.md). When you use custom branding, external recipients receive a notification email that contains a link to the OME portal. The mail flow rule determines which branding template the notification email and OME Portal use. This way, your secure content isn't sent outside your organization.
+
+You can only revoke messages and apply expiration dates to messages that users receive through the portal. In other words, email that has a custom branding template applied. For more information and an example, see the guidance in [Ensure all external recipients use the OME Portal to read encrypted mail](manage-office-365-message-encryption.md#ensure-all-external-recipients-use-the-ome-portal-to-read-encrypted-mail).
[Set an expiration date for email encrypted by Office 365 Advanced Message Encryption](ome-advanced-expiration.md). Control sensitive emails shared outside the organization with automatic policies that enhance protection by expiring access through a secure web portal to encrypted emails. [Revoke email encrypted by Office 365 Advanced Message Encryption](revoke-ome-encrypted-mail.md). Control sensitive emails shared outside the organization and enhance protection by revoking access through a secure web portal to encrypted emails. -
-With Office 365 Advanced Message Encryption, anytime you apply a custom branding template, Microsoft applies a wrapper to email that fits the mail flow rule to which you apply the template. You can only revoke messages and apply expiration dates to messages that users receive through the portal. In other words, email that has a custom branding template applied. For more information and an example, see the guidance in [Ensure all external recipients use the OME Portal to read encrypted mail](manage-office-365-message-encryption.md#ensure-all-external-recipients-use-the-ome-portal-to-read-encrypted-mail).
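Review bot: In the added paragraph, "In other words, email that has a custom branding template applied." is a sentence fragment, and it carries the key constraint for revocation and expiration. Fold it into the preceding sentence, for example "You can only revoke messages and apply expiration dates to messages that users receive through the portal, that is, email that has a custom branding template applied." Separately, "This way, your secure content isn't sent outside your organization" would be clearer if it spelled out what does leave the organization and what stays behind the portal. The same paragraph has just said a notification email with a link is sent to external recipients. The removed text said Microsoft applies a wrapper to email matching the mail flow rule. If that detail still holds, keep a short version of it so admins understand why messages outside a branded rule cannot be revoked or expired.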
enterprise Microsoft 365 Network Connectivity Principles https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/microsoft-365-network-connectivity-principles.md
The local egress architecture has the following benefits over the traditional mo
![Avoid hairpins](../media/ee53e8af-f57b-4292-a256-4f36733b263a.png)
-As a general rule of thumb, the shortest, most direct route between user and closest Microsoft 365 endpoint will offer the best performance. A network hairpin happens when WAN or VPN traffic bound for a particular destination is first directed to another intermediate location (such as security stack, cloud access broker, of cloud-based web gateway), introducing latency and potential redirection to a geographically distant endpoint. Network hairpins can also be caused by routing/peering inefficiencies or suboptimal (remote) DNS lookups.
+As a general rule of thumb, the shortest, most direct route between user and closest Microsoft 365 endpoint will offer the best performance. A network hairpin happens when WAN or VPN traffic bound for a particular destination is first directed to another intermediate location (such as security stack, cloud access broker, or cloud-based web gateway), introducing latency and potential redirection to a geographically distant endpoint. Network hairpins can also be caused by routing/peering inefficiencies or suboptimal (remote) DNS lookups.
To ensure that Microsoft 365 connectivity is not subject to network hairpins even in the local egress case, check whether the ISP that is used to provide Internet egress for the user location has a direct peering relationship with the Microsoft Global Network in close proximity to that location. You may also want to configure egress routing to send trusted Microsoft 365 traffic directly, as opposed to proxying or tunneling through a third-party cloud or cloud-based network security vendor that processes your Internet-bound traffic. Local DNS name resolution of Microsoft 365 endpoints helps to ensure that in addition to direct routing, the closest Microsoft 365 entry points are being used for user connections.
You can approach optimization as an incremental process, applying each method su
[How Microsoft builds its fast and reliable global network](https://azure.microsoft.com/blog/how-microsoft-builds-its-fast-and-reliable-global-network/)
-[Office 365 Networking blog](https://techcommunity.microsoft.com/t5/Office-365-Networking/bd-p/Office365Networking)
+[Office 365 Networking blog](https://techcommunity.microsoft.com/t5/Office-365-Networking/bd-p/Office365Networking)
lighthouse M365 Lighthouse Device Compliance Page Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lighthouse/m365-lighthouse-device-compliance-page-overview.md
Microsoft 365 Lighthouse lets you view insights and information related to Intun
## Overview tab
-On the Overview tab, you can view device compliance status across your tenants, see monthly device compliance trends, and track whether devices have compliance policies assigned to them. You can also view information on tenant device compliance actions and requirements based on Conditional Access policies.
+On the Overview tab, you can view device compliance status across your tenants, see monthly device compliance trends, and track whether devices have compliance policies assigned to them. You can also view information on tenant device compliance actions and requirements based on Conditional Access policies.
+
+To get detailed device compliance information for a particular customer tenant, select a value under any of the status columns for that tenant. This will open the Devices tab so you can view device compliance details for the selected tenant.
+
+To export device compliance data to an Excel comma-separated values (.csv) file, select **Export**.
:::image type="content" source="../media/m365-lighthouse-device-compliance-page-overview/device-overview-tab.png" alt-text="Screenshot of the Overview tab."::: ## Devices tab
-On the Devices tab, you can view a list of all tenant devices and filter the list based on the following compliance statuses: Compliant, Non-compliant, In Grace period, and Not evaluated. For more information about the different compliance statuses, see [Monitor Intune Device compliance policies](/mem/intune/protect/compliance-policy-monitor).
+On the Devices tab, the colored count-annotation bar displays the total number of devices across all your customer tenants that have the following compliance statuses: Compliant, Not compliant, In grace period, and Not evaluated. For more information about the different compliance statuses, see [Monitor Intune Device compliance policies](/mem/intune/protect/compliance-policy-monitor).
-Select any device to view more information on why the device is in its current compliance state. If you need to take action on the device, there's an option to view the device in Microsoft Endpoint Manager.
+To see which tenants have devices with a specific compliance status, select that status from the count-annotation bar to filter the list. To see device compliance statuses for one or more specific customer tenants, use the **Tenants** dropdown menu to filter the list.
+Select any device name in the list to view more details about that device's current compliance state. You can sync or restart the device, or select **View device in Microsoft Endpoint Manager** if you need to troubleshoot or take further action.
+
+> [!NOTE]
+> When you restart a device, the device owner isn't automatically notified and may lose unsaved work. For this reason, you may want to notify the device owner before you restart a device.
+
+The Devices tab also includes the following options:
+
+- **Export:** Select to export device compliance data to an Excel comma-separated values (.csv) file.
+- **Refresh:** Select to retrieve the most current device compliance data.
+- **Sync:** Select one or more devices from the list that have a status of Not compliant, In grace period, or Not evaluated, and then select this option to force those devices to check in with Intune and immediately receive any policies that have been assigned to them.
+- **Restart:** Select one or more devices from the list that have a status of Not compliant, In grace period, or Not evaluated, and then select this option to restart those devices.
+- **Search:** Enter keywords to quickly locate a specific device in the list.
+
:::image type="content" source="../media/m365-lighthouse-device-compliance-page-overview/devices-device-tab.png" alt-text="Screenshot of the Devices tab."::: ## Policies tab
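Review bot: The restart caution in the [!NOTE] is attached only to the single-device details paragraph, while the **Restart** bullet in the options list, which acts on "one or more devices", carries no such caution; repeat or move the note next to that bullet, because a multi-device restart affects more users at once. The **Sync** and **Restart** bullets are limited to devices that are Not compliant, In grace period, or Not evaluated, but the details paragraph says "You can sync or restart the device" with no restriction, so state whether the actions are also offered for Compliant devices.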
-On the Policies tab, you can view compliance policies across your tenants and compare two or three policies of the same platform type by using the Compare feature on the toolbar. You can also select any policy to view more information.
+On the Policies tab, you can view device compliance policies across your tenants and compare two or three policies of the same platform type by using the **Compare** option.
+
+To see policies for devices on a specific platform, use the **OS** dropdown menu to filter the list. To see policies for one or more specific customer tenants, use the **Tenants** dropdown menu to filter the list.
+
+Select any policy name in the list to view more details about that policy. If you need to take action or see additional information, select **View this policy in Microsoft Endpoint Manager**.
+
+The Policies tab also includes the following options:
+
+- **Export:** Select to export device compliance policy data to an Excel comma-separated values (.csv) file.
+- **Refresh:** Select to retrieve the most current device compliance policy data.
+- **Search:** Enter keywords to quickly locate a specific device compliance policy in the list.
:::image type="content" source="../media/m365-lighthouse-device-compliance-page-overview/devices-policies-tab.png" alt-text="Screenshot of the Policies tab."::: ## Settings tab
-The settings tab provides an aggregated report of non-compliant settings across tenant devices. Select any of the report rows to view more information, including which tenants the non-compliant devices belong to.
+The settings tab provides an aggregated report of non-compliant settings across tenant devices.
+
+To see non-compliant settings for devices on a specific platform, use the **Platform** dropdown menu to filter the list. To see non-compliant settings for one or more specific customer tenants, use the **Tenants** dropdown menu to filter the list.
+
+Select any non-compliant setting name in the list to open a pane where you can view a list of tenants that have devices with that specific non-compliant setting. From here, you can further drill down by selecting any tenant from the list to view information about the devices within that tenant that have the specific non-compliant setting. You can also sync or restart the device, or select **View device in Microsoft Endpoint Manager** if you need to troubleshoot or take further action.
+
+The Settings tab also includes the following options:
+
+- **Export:** Select to export non-compliant settings data to an Excel comma-separated values (.csv) file.
+- **Refresh:** Select to retrieve the most current non-compliant settings data.
+- **Search:** Enter keywords to quickly locate a specific non-compliant setting in the list.
:::image type="content" source="../media/m365-lighthouse-device-compliance-page-overview/device-settings-tab.png" alt-text="Screenshot of the Settings tab."::: ## Related content
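Review bot: The added Settings tab text opens with lowercase "The settings tab" and writes "non-compliant" throughout, while the Devices tab hunk in this same change renames the status from "Non-compliant" to "Not compliant"; use "Settings tab" for the tab name and decide on one spelling so readers can match the text to the labels they see. The sentence "You can also sync or restart the device" offers a restart from this pane without the caution about unsaved work that the Devices tab gives; add it here as well.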
-[Microsoft 365 Lighthouse Users page overview](m365-lighthouse-users-page-overview.md) (article)\
+[Windows 365 (Cloud PCs) page overview](m365-lighthouse-win365-page-overview.md) (article)\
[Microsoft 365 Lighthouse FAQ](m365-lighthouse-faq.yml) (article)
security Attack Surface Reduction https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/attack-surface-reduction.md
ms.sitesec: library
ms.pagetype: security localization_priority: Normal audience: ITPro--++
security Configure Attack Surface Reduction https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-attack-surface-reduction.md
ms.prod: m365-security
ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security--++ localization_priority: Normal audience: ITPro ms.technology: mde Previously updated : 06/02/2021 Last updated : 08/11/2021 # Configure attack surface reduction capabilities
security Configure Endpoints Gp https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-endpoints-gp.md
ms.technology: mde
Check out the [PDF](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/security/defender-endpoint/downloads/mdatp-deployment-strategy.pdf) or [Visio](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/security/defender-endpoint/downloads/mdatp-deployment-strategy.vsdx) to see the various paths in deploying Defender for Endpoint.
-1. Open the GP configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from [Microsoft 365 Defender portal](https://security.microsoft.com/):
-
-1. Open the GP configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from [Microsoft 365 Defender](https://security.microsoft.com/):
+1. Open the GP configuration package .zip file (*WindowsDefenderATPOnboardingPackage.
+zip*) that you downloaded from the service onboarding wizard. You can also get the
+package from [Microsoft 365 Defender portal](https://security.microsoft.com/):
1. In the navigation pane, select **Settings** > **Endpoints** > **Device management** > **Onboarding**.
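Review bot: The replacement for step 1 hard-wraps inside the italic file name, leaving "*WindowsDefenderATPOnboardingPackage." on one line and "zip*" on the next, so the rendered name gains a space and no longer matches the file the admin is told to open; keep the file name on a single line. The two removed lines were the same step with different link text ("Microsoft 365 Defender portal" and "Microsoft 365 Defender"), so confirm the wording kept is the intended one.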
Check out the [PDF](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/publ
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the device. You should have a folder called *OptionalParamsPolicy* and the file *WindowsDefenderATPOnboardingScript.cmd*.
+3. To create a new GPO, open the [Group Policy Management Console](/internet-explorer/ie11-deploy-guide/group-policy-and-group-policy-mgmt-console-ie11) (GPMC), right-click **Group Policy Objects** you want to configure and click **New**. Enter the name of the new GPO in the dialogue box that is displayed and click **OK**.
+ 3. Open the [Group Policy Management Console](/internet-explorer/ie11-deploy-guide/group-policy-and-group-policy-mgmt-console-ie11) (GPMC), right-click the Group Policy Object (GPO) you want to configure and click **Edit**. 4. In the **Group Policy Management Editor**, go to **Computer configuration**, then **Preferences**, and then **Control panel settings**.
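Review bot: The new "3. To create a new GPO" step is inserted ahead of an existing step that is also numbered 3 ("3. Open the Group Policy Management Console ... click **Edit**"), and that line now has a leading space and runs straight into step 4 on the same line; renumber the sequence and put each step on its own line. The new step says to right-click "**Group Policy Objects** you want to configure", which mixes the container node with a specific GPO; name the node to right-click.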
Check out the [PDF](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/publ
10. Select **OK** and close any open GPMC windows.
+1. To link the GPO to an Organization Unit (OU), right-click and select **Link an existing GPO**. In the dialogue box that is displayed, select the Group Policy Object that you wish to link. Click **OK**.
+
+> [!TIP]
+> After onboarding the device, you can choose to run a detection test to verify that the device is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Defender for Endpoint device](run-detection-test.md).
## Additional Defender for Endpoint configuration settings
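Review bot: The added link step is numbered 1 directly after step 10 and says "right-click and select **Link an existing GPO**" without naming the object to right-click; say that it is the OU, and keep the number in sequence. "Organization Unit" should read "Organizational Unit", the form used later in this same change. Since the link decides which devices run the onboarding script, the step should also say how to confirm the GPO is linked to the intended OU only.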
With Group Policy there isn't an option to monitor deployment of policies on the
> [!NOTE] > It can take several days for devices to start showing on the **Devices list**. This includes the time it takes for the policies to be distributed to the device, the time it takes before the user logs on, and the time it takes for the endpoint to start reporting.
+## Setup Defender AV policies
+
+Create a new Group Policy or group these settings in with the other policies. This is dependent upon the customers environment and how they would like to roll out the service by targeting different OUΓÇÖs (Organizational Units).
+
+1. After you choose the GP, or create a new one, edit the GP.
+2. Browse to **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Real-time Protection**.
+1. In the Quarantine folder, configure removal of items from Quarantine folder.
+
+ :::image type="content" source="images/removal-items-quarantine1.png" alt-text="removal items quarantine folder":::
+
+ :::image type="content" source="images/config-removal-items-quarantine2.png" alt-text="config-removal quarantine":::
+
+1. In the Scan folder, configure the scan settings.
+
+ :::image type="content" source="images/gpo-scans.png" alt-text="gpo scans":::
+
+**Monitor all files in Real time protection**
+
+Browse to **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Real-time Protection**.
++
+
+#### Configure Windows Defender Smart Screen settings
+
+1. Browse to **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **Windows Defender SmartScreen** > **Explorer**.
+
+ :::image type="content" source="images/config-windows-def-smartscr-explorer.png" alt-text="config windows defender smart screen explorer":::
+
+2. Browse to **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **Windows Defender SmartScreen** > **Microsoft Edge**.
+
+ :::image type="content" source="images/config-windows-def-smartscr-explorer.png" alt-text="config windows defender smart screen Edge":::
+
+#### Configure Potentially Unwanted Applications
+
+Browse to **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus**.
+++
+#### Configure Cloud Deliver Protection and send samples automatically
+
+Browse to **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **MAPS**.
+++++
+#### Check for signature update
+Browse to **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Signature Updates**
+++
+#### Configure cloud deliver timeout and protection level
+
+Browse to **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **MpEngine**.
+When you configure cloud protection level policy to **Default Microsoft Defender Antivirus blocking policy** this will disable the policy. This is what is required to set the protection level to the windows default.
+++ ## Related topics - [Onboard Windows 10 devices using Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md)
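Review bot: Step 2 of "Setup Defender AV policies" navigates to **Microsoft Defender Antivirus** > **Real-time Protection**, yet the next steps work "In the Quarantine folder" and "In the Scan folder", and the same Real-time Protection path is repeated under "Monitor all files in Real time protection"; step 2 should probably stop at **Microsoft Defender Antivirus**. The subsections for real-time protection, Potentially Unwanted Applications, MAPS, signature updates and MpEngine give only a console path with no setting names or values in the lines shown, so a reader cannot tell what to enable; list each setting and its intended state. The Microsoft Edge SmartScreen step reuses the image source of the Explorer step (config-windows-def-smartscr-explorer.png), "OUΓÇÖs" contains a mis-encoded apostrophe, and the new headings jump from ## to ####.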
security Customize Attack Surface Reduction https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/customize-attack-surface-reduction.md
ms.mktglfcycl: manage
ms.sitesec: library localization_priority: Normal audience: ITPro--++ ms.technology: mde
security Device Discovery Faq https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/device-discovery-faq.md
ARP, FTP, HTTP, HTTPS, ICMP, LLMNR, NBNS, RDP, SIP, SMTP, SNMP, SSH, Telnet, UPN
As device discovery uses passive methods to discover devices in the network, any device that communicates with your onboarded devices in the corporate network can be discovered and listed in the inventory. You can exclude devices from active probing only. ## How frequent is the active probing?
- Devices will actively be probed when changes in device characteristics are observed (every 1 to 3 weeks) to make sure the existing information is up-to-date.
+ Devices will actively be probed when changes in device characteristics are observed to make sure the existing information is up-to-date (typically, devices probed no more than once in a three-week period)
## My security tool raised alert on UnicastScanner.ps1 or port scanning activity initiated by it, what should I do? The active probing scripts are signed by Microsoft and are safe. You can add the following path to your exclusion list:
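Review bot: The replacement sentence drops a verb and its closing period: "(typically, devices probed no more than once in a three-week period)" should read "devices are probed" and the sentence should end with a period. It also replaces the removed range "every 1 to 3 weeks" with an upper bound only, so say whether probing can still occur more often when device characteristics change.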
You may notice differences between the number of listed devices under "can be on
## I've noticed that unmanaged device health state is always "Active", why is that? Temporarily, unmanaged device health state will be "Active" during the standard retention period of the device inventory, regardless of their actual state.++
+## Does standard discovery look like malicious network activity?
+When considering Standard discovery, you may be wondering about the implications of probing, and specifically whether security tools might suspect such activity as malicious. The following subsection will explain why, in almost all cases, organizations should have no concerns around enabling Standard discovery.  
+
+### Probing is distributed across all Windows devices on the network
+As opposed to malicious activity, which would typically scan the entire network from a small number of compromised devices, Microsoft Defender for Endpoint’s Standard discovery probing is initiated from all onboarded Windows devices making the activity benign and non-anomalous. The probing is centrally managed from the cloud to balance the probing attempt between all the supported onboarded devices in the network.  
+
+### Active probing generates negligible amount of extra traffic
+Unmanaged devices would typically get probed no more than once in a three-week period and generate less than 50KB of traffic. Malicious activity usually includes high repetitive probing attempts and in some cases data exfiltration that generates a significant amount of network traffic that can be identified an anomaly by network monitoring tools. 
+
+### Your Windows device already runs active discovery
+Active discovery capabilities have always been embedded in the Windows operating system, to find nearby devices, endpoints, and printers, for easier "plug and play" experiences and file sharing between endpoints in the network. Similar functionality is implemented in mobile devices, network equipment and inventory applications just to name a few.  
+
+Standard discovery uses the same discovery methods to identify devices and to have a unified visibility for all the devices in your network in the Microsoft 365 Defender Device Inventory. For example – Standard discovery identifies nearby endpoints in the network the same way Windows lists available printers in the network. 
+
+Network security and monitoring tools are indifferent to such activities performed by devices on the network. 
+
+### Only unmanaged devices are being probed
+The device discovery capabilities have been built to only discover and identify unmanaged devices on your network. This means that previously discovered devices that are already onboarded with Microsoft Defender for Endpoint won’t be probed. 
+
+### You can exclude network lures from active probing
+Standard discovery supports exclusion of devices or ranges (subnets) from active probing. If you have network lures deployed in place, you can use the Device Discovery settings to define exclusions based on IP addresses or subnets (a range of IP addresses). Defining those exclusions will ensure that those devices won’t be actively probed and won’t be alerted. Those devices will be discovered using passive methods only (similar to Basic discovery mode).
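Review bot: The statement "Network security and monitoring tools are indifferent to such activities" is absolute and sits a few entries below the existing question "My security tool raised alert on UnicastScanner.ps1 or port scanning activity initiated by it", which concedes that tools do alert; soften the claim and point to that entry and to the exclusion settings. In the lures section, "won't be actively probed and won't be alerted" leaves it unclear who is not alerted; say that the lure will not raise an alert from the probe. "can be identified an anomaly" is missing "as", and the figures "once in a three-week period" and "less than 50KB" should state whether they are per device.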
security Enable Attack Surface Reduction https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/enable-attack-surface-reduction.md
ms.sitesec: library
ms.pagetype: security localization_priority: Normal audience: ITPro--++ ms.technology: mde
security Evaluate Attack Surface Reduction https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/evaluate-attack-surface-reduction.md
ms.sitesec: library
localization_priority: Normal audience: ITPro--++ ms.technology: mde
security Event Views https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/event-views.md
ms.mktglfcycl: manage
ms.sitesec: library localization_priority: Normal audience: ITPro--++ ms.technology: mde
security Get Live Response Result https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-live-response-result.md
need to run live response again.
|Property|Description| |||
-|name|Executed script name|
+|script_name|Executed script name|
|exit_code|Executed script exit code| |script_output|Executed script standard output|
-|script_error|Executed script standard error output|
+|script_errors|Executed script standard error output|
## Example
Content-type: application/json
"exit_code": 0, "script_output": "Transcript started, output file is C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Temp\\PSScriptOutputs\\PSScript_Transcript_{TRANSCRIPT_ID}.txt C:\\windows\\TEMP\\OfficeClickToRun.dmp.zip\n51 MB\n\u0000\u0000\u0000",
- "script_error":""
+ "script_errors":""
} ```
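Review bot: Renaming "name" to "script_name" and "script_error" to "script_errors" changes the keys a client parses, but nothing in the visible text says whether the old names were a documentation error or whether the API changed; add a sentence stating which names the service returns, so automation that reads "script_error" to detect a failed script is checked. The example shows the "script_errors" rename only; confirm the example body also uses "script_name", which is outside the lines shown.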
security Gov https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/gov.md
The following OS versions are supported:
OS version|GCC|GCC High|DoD :|::|::|::
+Windows 10, version 21H1 and above|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)
Windows 10, version 20H2 (with [KB4586853](https://support.microsoft.com/help/4586853))|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg) Windows 10, version 2004 (with [KB4586853](https://support.microsoft.com/help/4586853))|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg) Windows 10, version 1909 (with [KB4586819](https://support.microsoft.com/help/4586819))|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)
These are the known gaps:
Feature name|GCC|GCC High|DoD :|::|::|::
-Network discovery|![No](images/svg/check-no.svg) In development|![No](images/svg/check-no.svg) In development|![No](images/svg/check-no.svg) In development
+Network discovery|![No](images/svg/check-no.svg) Rolling out|![No](images/svg/check-no.svg) In development|![No](images/svg/check-no.svg) In development
Web content filtering|![No](images/svg/check-no.svg) In development|![No](images/svg/check-no.svg) In development|![No](images/svg/check-no.svg) In development
-Integrations: Azure Sentinel|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg) Alerts <p> ![No](images/svg/check-no.svg) Incidents & Raw data: In development|![Yes](images/svg/check-yes.svg) Alerts <p> ![No](images/svg/check-no.svg) Incidents & Raw data: In development
+Integrations: Azure Sentinel|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg) Alerts <p> ![Yes](images/svg/check-yes.svg) Incidents & Raw data: In preview|![Yes](images/svg/check-yes.svg) Alerts <p> ![Yes](images/svg/check-yes.svg) Incidents & Raw data: In preview
Integrations: Microsoft Cloud App Security|![Yes](images/svg/check-yes.svg)|![No](images/svg/check-no.svg) In development|![No](images/svg/check-no.svg) In development Integrations: Microsoft Compliance Manager|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg) Integrations: Microsoft Defender for Identity|![No](images/svg/check-no.svg) Rolling out|![No](images/svg/check-no.svg) Rolling out|![No](images/svg/check-no.svg) Rolling out
-Integrations: Microsoft Endpoint DLP|![No](images/svg/check-no.svg) In development|![No](images/svg/check-no.svg) In development|![No](images/svg/check-no.svg) In development
+Integrations: Microsoft Endpoint DLP|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)|![No](images/svg/check-no.svg) Rolling out
Integrations: Microsoft Power Automate & Azure Logic Apps|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg) Azure Logic Apps <p> ![No](images/svg/check-no.svg) Power Automate: In development Microsoft Threat Experts|![No](images/svg/check-no.svg) On engineering backlog|![No](images/svg/check-no.svg) On engineering backlog|![No](images/svg/check-no.svg) On engineering backlog
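Review bot: The new "Windows 10, version 21H1 and above" row names no required update while the 20H2, 2004 and 1909 rows each name a KB; state that no KB is needed or name it. In the gaps table, the Azure Sentinel cells for GCC High and DoD now pair a check-yes icon with "Incidents & Raw data: In preview", and the Network discovery GCC cell keeps the check-no icon with "Rolling out"; add a short legend for how icon and status text combine, since readers use this table to decide what they can rely on in each environment.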
security Investigation https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/investigation.md
id|String|Identity of the investigation entity.
startTime|DateTime Nullable|The date and time when the investigation was created. endTime|DateTime Nullable|The date and time when the investigation was completed. cancelledBy|String|The ID of the user/application that canceled that investigation.
-investigationState|Enum|The current state of the investigation. Possible values are: 'Unknown', 'Terminated', 'SuccessfullyRemediated', 'Benign', 'Failed', 'PartiallyRemediated', 'Running', 'PendingApproval', 'PendingResource', 'PartiallyInvestigated', 'TerminatedByUser', 'TerminatedBySystem', 'Queued', 'InnerFailure', 'PreexistingAlert', 'UnsupportedOs', 'UnsupportedAlertType', 'SuppressedAlert'.
+state|Enum|The current state of the investigation. Possible values are: 'Unknown', 'Terminated', 'SuccessfullyRemediated', 'Benign', 'Failed', 'PartiallyRemediated', 'Running', 'PendingApproval', 'PendingResource', 'PartiallyInvestigated', 'TerminatedByUser', 'TerminatedBySystem', 'Queued', 'InnerFailure', 'PreexistingAlert', 'UnsupportedOs', 'UnsupportedAlertType', 'SuppressedAlert'.
statusDetails|String|Additional information about the state of the investigation. machineId|String|The ID of the device on which the investigation is executed. computerDnsName|String|The name of the device on which the investigation is executed.
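Review bot: The property row is renamed from "investigationState" to "state" with the enum values unchanged, which affects any client that reads or filters on the old name; say in the page whether "investigationState" was never returned or is being retired, so tooling keyed on values such as 'PendingApproval' or 'Failed' can be updated.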
security List Recommendation Software https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/list-recommendation-software.md
+
+ Title: List software by recommendation
+description: Retrieves a security recommendation related to a specific software.
+keywords: apis, graph api, supported apis, get, security recommendation, security recommendation for software, threat and vulnerability management, threat and vulnerability management api
+search.product: eADQiWindows 10XVcnh
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
++
+localization_priority: Normal
+
+audience: ITPro
++
+MS.technology: mde
+++
+# List software by recommendation
++
+**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
+
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink)
+++++
+Retrieves a security recommendation related to a specific software.
+
+## Permissions
+
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) for details.
+
+Permission type|Permission|Permission display name
+:|:|:
+Application|SecurityRecommendation.Read.All|'Read Threat and Vulnerability Management security recommendation information'
+Delegated (work or school account)|SecurityRecommendation.Read|'Read Threat and Vulnerability Management security recommendation information'
+
+## HTTP request
+
+```http
+GET /api/recommendations/{id}/software
+```
+
+## Request headers
+
+Name|Type|Description
+:|:|:
+Authorization|String|Bearer {token}. **Required**.
+
+## Request body
+
+Empty
+
+## Response
+
+If successful, this method returns 200 OK with the software associated with the security recommendations in the body.
+
+## Example
+
+### Request example
+
+Here is an example of the request.
+
+```http
+GET https://api.securitycenter.microsoft.com/api/recommendations/va-_-google-_-chrome/software
+```
+
+### Response example
+
+Here is an example of the response.
+
+```json
+{
+ "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Analytics.Contracts.PublicAPI.PublicProductDto",
+ "id": "google-_-chrome",
+ "name": "chrome",
+ "vendor": "google",
+ "weaknesses": 38,
+ "publicExploit": false,
+ "activeAlert": false,
+ "exposedMachines": 5,
+ "impactScore": 3.94418621
+}
+```
+
+## Related topics
+
+- [Risk-based Threat & Vulnerability Management](/microsoft-365/security/defender-endpoint/next-gen-threat-and-vuln-mgt)
+- [Threat & Vulnerability security recommendation](/microsoft-365/security/defender-endpoint/tvm-security-recommendation)
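Review bot: The description and the intro sentence ("Retrieves a security recommendation related to a specific software") describe the inverse of this endpoint, which is titled "List software by recommendation" and is called as GET /api/recommendations/{id}/software; reword both to say it returns the software tied to a recommendation, and document what {id} is. The response example is a single object whose @odata.context ends in PublicProductDto, so state whether the call returns one product or a collection, given the title says "List". The front matter key "MS.technology" differs in case from "ms.technology" used by the other articles in this update, and "To learn more ..., see ... for details" is redundant.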
security Microsoft Defender Antivirus Compatibility https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-compatibility.md
ms.technology: mde Previously updated : 08/10/2021 Last updated : 08/11/2021 # Microsoft Defender Antivirus compatibility with other security products
Microsoft Defender Antivirus is automatically installed on endpoints running the
- Windows 10 or later - Windows Server 2016-- Windows Server, version 1803 or later
+- Windows Server, version 1803, or later
- Windows Server 2019 What happens when another non-Microsoft antivirus/antimalware solution is used? Can you run Microsoft Defender Antivirus alongside another antivirus product? The answers depend on several factors, such as your operating system and whether you're using [Microsoft Defender for Endpoint](microsoft-defender-endpoint.md) (Defender for Endpoint) together with your antivirus protection.
This article describes what happens with Microsoft Defender Antivirus and a non-
## Antivirus protection without Defender for Endpoint
-This section describes what happens with Microsoft Defender Antivirus and non-Microsoft antivirus/antimalware products on endpoints that are not onboarded to Defender for Endpoint. The following table summarizes what to expect: <br/><br/>
+This section describes what happens with Microsoft Defender Antivirus and non-Microsoft antivirus/antimalware products on endpoints that are not onboarded to Defender for Endpoint. The following table summarizes what to expect: <br/>
| Windows version | Primary antivirus/antimalware solution | Microsoft Defender Antivirus state | |||-|-| | Windows 10 | Microsoft Defender Antivirus | Active mode | | Windows 10 | A non-Microsoft antivirus/antimalware solution | Disabled mode (happens automatically) |
-| Windows Server 2016 <br/><br/> Windows Server, version 1803 or newer <br/><br/> Windows Server 2019 | Microsoft Defender Antivirus | Active mode |
-| Windows Server 2016 <br/><br/> Windows Server, version 1803 or newer <br/><br/> Windows Server 2019 | A non-Microsoft antivirus/antimalware solution | Disabled (set manually) <sup>[[1](#fn1)]<sup></sup> |
+| Windows Server 2016 <br/> Windows Server, version 1803, or newer <br/> Windows Server 2019 | Microsoft Defender Antivirus | Active mode |
+| Windows Server 2016 <br/> Windows Server, version 1803, or newer <br/> Windows Server 2019 | A non-Microsoft antivirus/antimalware solution | Disabled (set manually) <sup>[[1](#fn1)]<sup></sup> |
(<a id="fn1">1</a>) On Windows Server, if you are running a non-Microsoft antivirus product, you can disable Microsoft Defender Antivirus by using Group Policy to turn off Microsoft Defender Antivirus, or by using the [DisableAntiSpyware](/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware) registry key. To use the registry key, navigate to `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender`, and set or create a DWORD entry called `DisableAntiSpyware`. Set its value to `1` (which sets the registry key's value to *true*), and select **Hexadecimal** for its base.
This section describes what happens with Microsoft Defender Antivirus and non-Mi
## Antivirus protection with Defender for Endpoint
-If your organization is using a non-Microsoft antivirus/antimalware solution together with Defender for Endpoint, Microsoft Defender Antivirus can, depending on your operating system, run in passive mode. <br/><br/>
+If your organization is using a non-Microsoft antivirus/antimalware solution together with Defender for Endpoint, Microsoft Defender Antivirus can, depending on your operating system, run in passive mode. <br/>
| Windows version | Primary antivirus/antimalware solution | Microsoft Defender Antivirus state | |||-|-| | Windows 10 or later | Microsoft Defender Antivirus | Active mode | | Windows 10 or later | A non-Microsoft antivirus/antimalware solution | Passive mode (happens automatically) |
-| Windows Server 2016 <br/><br/> Windows Server, version 1803 or newer <br/><br/> Windows Server 2019 | Microsoft Defender Antivirus | Active mode |
-| Windows Server, version 1803 or newer <br/><br/> Windows Server 2019 | A non-Microsoft antivirus/antimalware solution | Passive mode (set manually) <sup>[[2](#fn2)]<sup></sup> |
+| Windows Server 2016 <br/> Windows Server, version 1803, or newer <br/> Windows Server 2019 | Microsoft Defender Antivirus | Active mode |
+| Windows Server, version 1803, or newer <br/> Windows Server 2019 | A non-Microsoft antivirus/antimalware solution | Passive mode (set manually) <sup>[[2](#fn2)]<sup></sup> |
| Windows Server 2016 | A non-Microsoft antivirus/antimalware solution | Disabled (set manually) <sup>[[3](#fn3)]<sup> |
-(<a id="fn2">2</a>) On Windows Server, version 1803 or newer, or Windows Server 2019, when you install a non-Microsoft antivirus product, set Microsoft Defender Antivirus to passive mode manually. You can use the **ForceDefenderPassiveMode** registry key to perform this task. To use the registry key, navigate to `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection`, and set or create a DWORD entry called `ForceDefenderPassiveMode`. Set its value to `1` (which sets the registry key's value to *true*), and select **Hexadecimal** for its base. For more information, see [Passive mode and Windows Server](microsoft-defender-antivirus-on-windows-server.md#passive-mode-and-windows-server).
+(<a id="fn2">2</a>) On Windows Server, version 1803, or newer, or Windows Server 2019, when you install a non-Microsoft antivirus product, set Microsoft Defender Antivirus to passive mode manually. You can use the **ForceDefenderPassiveMode** registry key to perform this task. To use the registry key, navigate to `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection`, and set or create a DWORD entry called `ForceDefenderPassiveMode`. Set its value to `1` (which sets the registry key's value to *true*), and select **Hexadecimal** for its base. For more information, see [Passive mode and Windows Server](microsoft-defender-antivirus-on-windows-server.md#passive-mode-and-windows-server).
(<a id="fn3">3</a>) On Windows Server 2016, you can disable Microsoft Defender Antivirus by using Group Policy to turn off Windows Defender Antivirus, or by using the [DisableAntiSpyware](/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware) registry key. To use the registry key, navigate to `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender`, and set or create a DWORD entry called `DisableAntiSpyware`. Set its value to `1` (which sets the registry key's value to *true*), and select **Hexadecimal** for its base.
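Review bot: The added table rows keep an unbalanced superscript, "<sup>[[2](#fn2)]<sup></sup>", where the second tag opens instead of closing, and the Windows Server 2016 row ends with "<sup>[[3](#fn3)]<sup>" and no close at all; change each to the form <sup>[[2](#fn2)]</sup>. The new comma in "Windows Server, version 1803, or newer" detaches "or newer" from the version number, and footnote 2 now reads "version 1803, or newer, or Windows Server 2019"; the earlier "version 1803 or newer" was clearer about which releases need passive mode set manually.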
For example, [Endpoint detection and response (EDR) in block mode](edr-in-block-
In order for Microsoft Defender Antivirus to run in passive mode, endpoints must meet the following requirements: -- Operating system: Windows 10 or later; Windows Server, version 1803 or newer; or Windows Server 2019
+- Operating system: Windows 10 or later; Windows Server, version 1803, or newer; or Windows Server 2019
- Microsoft Defender Antivirus must be installed - Another non-Microsoft antivirus/antimalware product must be installed and used as the primary antivirus solution - Endpoints must be onboarded to Defender for Endpoint
The table in this section summarizes the features and capabilities that are acti
> [!IMPORTANT] > The following table is designed to be informational only. **Do not turn off capabilities**, such as real-time protection, cloud-delivered protection, or limited periodic scanning if you are using Microsoft Defender Antivirus in passive mode, or if you are using [EDR in block mode](edr-in-block-mode.md), which works behind the scenes to detect and remediate malicious artifacts that were detected post-breach.
-<br/><br/>
+<br/>
| Protection | Microsoft Defender Antivirus <br/> Active mode | Microsoft Defender Antivirus <br/> Passive mode | Microsoft Defender Antivirus <br/> Disabled or uninstalled | [EDR in block mode](edr-in-block-mode.md) | |:|:|:|:|:|
The table in this section summarizes the features and capabilities that are acti
## How to confirm the state of Microsoft Defender Antivirus
-To check the state of Microsoft Defender Antivirus, you can use the [Get-MpComputerStatus PowerShell cmdlet](/powershell/module/defender/get-mpcomputerstatus).
+You can use one of several methods to confirm the state of Microsoft Defender Antivirus, as described in the following table:
-1. On a Windows device, open Windows PowerShell.
-
-2. Run following PowerShell cmdlet: `Get-MpComputerStatus | select AMRunningMode`.
-
-3. Review the results. You should see either **Normal** or **Passive** if Microsoft Defender Antivirus is enabled on the endpoint.
+| Method | Procedure |
+|:|:|
+| Windows Security app | 1. On a Windows device, open the Windows Security app. <br/>2. Select **Virus & threat protection**.<br/>3. Under **Who's protecting me?** select **Manage providers**. <br/>4. On the **Security providers** page, under **Antivirus**, you should see **Microsoft Defender Antivirus is turned on**. |
+| Task Manager | 1. On a Windows device, open the Task Manager app. <br/>2. Select the **Details** tab.<br/>3. Look for **MsMpEng.exe** in the list. |
+| Windows PowerShell <br/> (To confirm that Microsoft Defender Antivirus is running) | 1. On a Windows device, open Windows PowerShell.<br/>2. Run the following PowerShell cmdlet: `Get-Process`.<br/>3. Review the results. You should see **MsMpEng.exe** if Microsoft Defender Antivirus is enabled. |
+| Windows PowerShell <br/> (To confirm that antivirus protection is in place) | You can use the [Get-MpComputerStatus PowerShell cmdlet](/powershell/module/defender/get-mpcomputerstatus).<br/>1. On a Windows device, open Windows PowerShell.<br/>2. Run following PowerShell cmdlet: `Get-MpComputerStatus | select AMRunningMode`.<br/>3. Review the results. You should see either **Normal** or **Passive** if Microsoft Defender Antivirus is enabled on the endpoint. |
+| Command Prompt | 1. On a Windows device, open Command Prompt. <br/> 2. Type `sc query windefend`, and then press Enter.<br/> 3. Review the results to confirm that Microsoft Defender Antivirus is running in passive mode. |
## More details about Microsoft Defender Antivirus states
-The table in this section describes various states you might see with Microsoft Defender Antivirus. <br/><br/>
+The table in this section describes various states you might see with Microsoft Defender Antivirus. <br/>
| Microsoft Defender Antivirus state | What happens | ||| | Active mode | In active mode, Microsoft Defender Antivirus is used as the antivirus app on the machine. Settings that are configured by using Configuration Manager, Group Policy, Microsoft Intune, or other management products will apply. Files are scanned, threats are remediated, and detection information is reported in your configuration tool (such as Configuration Manager or the Microsoft Defender Antivirus app on the endpoint itself). |
-| Passive mode | In passive mode, Microsoft Defender Antivirus is not used as the antivirus app, and threats are *not* remediated by Microsoft Defender Antivirus. Threats can be remediated by [Endpoint detection and response (EDR) in block mode](edr-in-block-mode.md), however.<br/><br/> Files are scanned, and reports are provided for threat detections that are shared with the Defender for Endpoint service. You might see alerts in the [security center](microsoft-defender-security-center.md) showing Microsoft Defender Antivirus as a source, even when Microsoft Defender Antivirus is in passive mode. <br/><br/>When Microsoft Defender Antivirus is in passive mode, you can still [manage updates for Microsoft Defender Antivirus](manage-updates-baselines-microsoft-defender-antivirus.md); however, you can't move Microsoft Defender Antivirus into active mode if your devices have a non-Microsoft antivirus product that is providing real-time protection from malware. <br/><br/>For optimal security layered defense and detection efficacy, make sure to get your antivirus and antimwalware updates, even if Microsoft Defender Antivirus is running in passive mode. See [Manage Microsoft Defender Antivirus updates and apply baselines](manage-updates-baselines-microsoft-defender-antivirus.md). <br/><br/>**NOTE**: Passive mode is not supported on Windows Server 2016. |
-| Disabled <br/>or<br/>Uninstalled | When disabled or uninstalled, Microsoft Defender Antivirus is not used as the antivirus app. Files are not scanned and threats are not remediated.<br/><br/> Disabling or uninstalling Microsoft Defender Antivirus is not recommended in general; if possible, keep Microsoft Defender Antivirus in passive mode if you are using a non-Microsoft antimalware/antivirus solution. <br/><br/>In cases where Microsoft Defender Antivirus is disabled automatically, it can be re-enabled automatically if the non-Microsoft antivirus/antimalware product expires or otherwise stops providing real-time protection from viruses, malware, or other threats. The automatic re-enabling of Microsoft Defender Antivirus helps to ensure that antivirus protection is maintained on your endpoints.<br/><br/>You might also use [limited periodic scanning](limited-periodic-scanning-microsoft-defender-antivirus.md), which works with the Microsoft Defender Antivirus engine to periodically check for threats if you are using a non-Microsoft antivirus app. |
+| Passive mode | In passive mode, Microsoft Defender Antivirus is not used as the antivirus app, and threats are *not* remediated by Microsoft Defender Antivirus. Threats can be remediated by [Endpoint detection and response (EDR) in block mode](edr-in-block-mode.md), however.<br/><br/> Files are scanned, and reports are provided for threat detections that are shared with the Defender for Endpoint service. You might see alerts in the [security center](microsoft-defender-security-center.md) showing Microsoft Defender Antivirus as a source, even when Microsoft Defender Antivirus is in passive mode. <br/>When Microsoft Defender Antivirus is in passive mode, you can still [manage updates for Microsoft Defender Antivirus](manage-updates-baselines-microsoft-defender-antivirus.md); however, you can't move Microsoft Defender Antivirus into active mode if your devices have a non-Microsoft antivirus product that is providing real-time protection from malware. <br/><br/>For optimal security layered defense and detection efficacy, make sure to get your antivirus and antimwalware updates, even if Microsoft Defender Antivirus is running in passive mode. See [Manage Microsoft Defender Antivirus updates and apply baselines](manage-updates-baselines-microsoft-defender-antivirus.md). <br/><br/>**NOTE**: Passive mode is not supported on Windows Server 2016. |
+| Disabled <br/>or<br/>Uninstalled | When disabled or uninstalled, Microsoft Defender Antivirus is not used as the antivirus app. Files are not scanned and threats are not remediated.<br/><br/> Disabling or uninstalling Microsoft Defender Antivirus is not recommended in general; if possible, keep Microsoft Defender Antivirus in passive mode if you are using a non-Microsoft antimalware/antivirus solution.<br/><br/>In cases where Microsoft Defender Antivirus is disabled automatically, it can be re-enabled automatically if the non-Microsoft antivirus/antimalware product expires or otherwise stops providing real-time protection from viruses, malware, or other threats. The automatic re-enabling of Microsoft Defender Antivirus helps to ensure that antivirus protection is maintained on your endpoints.<br/><br/>You might also use [limited periodic scanning](limited-periodic-scanning-microsoft-defender-antivirus.md), which works with the Microsoft Defender Antivirus engine to periodically check for threats if you are using a non-Microsoft antivirus app. |
## See also
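Review bot: in the added "Windows PowerShell (To confirm that Microsoft Defender Antivirus is running)" row, `Get-Process` lists process names without the file extension, so a reader scanning the output for **MsMpEng.exe** will not find that string; say **MsMpEng**, or narrow the step to `Get-Process MsMpEng`. The Command Prompt row promises that `sc query windefend` confirms passive mode, but that command reports the service state, and the running mode comes from `AMRunningMode` in the row above it. The rewritten Passive mode row still carries the "antimwalware" typo and now mixes a single `<br/>` with `<br/><br/>` between its paragraphs.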
security Overview Attack Surface Reduction https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction.md
ms.prod: m365-security
ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security--++ localization_priority: Normal audience: ITPro
security Switch To Microsoft Defender Migration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/switch-to-microsoft-defender-migration.md
The process of migrating to Defender for Endpoint can be divided into three phas
|Phase |Description | |--|--|
-|[Prepare for your migration](switch-to-microsoft-defender-prepare.md) |During [the **Prepare** phase](switch-to-microsoft-defender-prepare.md): <p>1. Update your organization's devices. <p>2. Get Defender for Endpoint. <p>3. Plan your roles and permissions, and grant access to the Microsoft 365 Defender portal. <p>4. Configure your device proxy and internet settings to enable communication between your organization's devices and Defender for Endpoint. |
-|[Set up Defender for Endpoint](switch-to-microsoft-defender-setup.md) |During [the **Setup** phase](switch-to-microsoft-defender-setup.md): <p>1. Enable/reinstall Microsoft Defender Antivirus. <p>2. Configure Defender for Endpoint. <p>3. Add Defender for Endpoint to the exclusion list for your existing solution. <p>4. Add your existing solution to the exclusion list for Microsoft Defender Antivirus. <p>5. Set up your device groups, collections, and organizational units. <p>6. Configure your antimalware policies and real-time protection settings.|
-|[Onboard to Defender for Endpoint](switch-to-microsoft-defender-onboard.md) |During [the **Onboard** phase](switch-to-microsoft-defender-onboard.md): <p>1. Onboard your devices to Defender for Endpoint. <p>2. Run a detection test. <p>3. Confirm that Microsoft Defender Antivirus is running in passive mode. <p>4. Get updates for Microsoft Defender Antivirus. <p>5. Uninstall your existing endpoint protection solution. <p>6. Make sure that Defender for Endpoint working correctly. |
+|[Prepare for your migration](switch-to-microsoft-defender-prepare.md) |During [the **Prepare** phase](switch-to-microsoft-defender-prepare.md): <br/>1. Update your organization's devices. <br/>2. Get Defender for Endpoint. <br/>3. Plan roles and permissions, and grant access to the Microsoft 365 Defender portal. <br/>4. Configure your device proxy and internet settings to enable communication between your organization's devices and Defender for Endpoint. |
+|[Set up Defender for Endpoint](switch-to-microsoft-defender-setup.md) |During [the **Setup** phase](switch-to-microsoft-defender-setup.md): <br/>1. Enable/reinstall Microsoft Defender Antivirus, and set it to passive mode. <br/>2. Configure Defender for Endpoint. <br/>3. Add Defender for Endpoint to the exclusion list for your existing solution. <br/>4. Add your existing solution to the exclusion list for Microsoft Defender Antivirus. <br/>5. Set up your device groups, collections, and organizational units. <br/>6. Configure your antimalware policies and real-time protection settings.|
+|[Onboard to Defender for Endpoint](switch-to-microsoft-defender-onboard.md) |During [the **Onboard** phase](switch-to-microsoft-defender-onboard.md): <br/>1. Onboard your devices to Defender for Endpoint. <br/>2. Run a detection test. <br/>3. Confirm that Microsoft Defender Antivirus is running in passive mode. <br/>4. Get updates for Microsoft Defender Antivirus. <br/>5. Uninstall your existing endpoint protection solution. <br/>6. Make sure that Defender for Endpoint working correctly. |
## What's included in Microsoft Defender for Endpoint?
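Review bot: Setup step 1 now reads "Enable/reinstall Microsoft Defender Antivirus, and set it to passive mode" for every endpoint, but the setup article in this same change set says Windows clients generally need no action and go into passive mode when onboarded alongside a non-Microsoft antivirus product, and that only Windows Server needs the manual setting; scope the step, for example "and, on Windows Server, set it to passive mode". Onboard step 6 still reads "Make sure that Defender for Endpoint working correctly", which is missing "is".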
security Switch To Microsoft Defender Onboard https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/switch-to-microsoft-defender-onboard.md
- m365solution-symantecmigrate Previously updated : 08/10/2021 Last updated : 08/11/2021
4. Under **Deployment method**, select an option. Follow the links and prompts to onboard your organization's devices. Need help? See [Onboarding methods](#onboarding-methods) (in this article).
+> [!NOTE]
+> If something goes wrong while onboarding, see [Troubleshoot Microsoft Defender for Endpoint onboarding issues](troubleshoot-onboarding.md). That article describes how to resolve onboarding issues and common errors on endpoints.
+ ### Onboarding methods Deployment methods vary, depending on operating system and preferred methods. The following table lists resources to help you onboard to Defender for Endpoint: |Operating systems |Methods | |||
-| Windows 10 | [Group Policy](configure-endpoints-gp.md)<p>[Configuration Manager](configure-endpoints-sccm.md)<p>[Mobile Device Management (Intune)](configure-endpoints-mdm.md)<p>[Local script](configure-endpoints-script.md) <p>**NOTE**: A local script is suitable for a proof of concept but should not be used for production deployment. For a production deployment, we recommend using Group Policy, Microsoft Endpoint Configuration Manager, or Intune. |
-| Windows 8.1 Enterprise <p>Windows 8.1 Pro <p>Windows 7 SP1 Enterprise <p>Windows 7 SP1 Pro | [Microsoft Monitoring Agent](onboard-downlevel.md)<p>**NOTE**: Microsoft Monitoring Agent is now Azure Log Analytics agent. To learn more, see [Log Analytics agent overview](/azure/azure-monitor/platform/log-analytics-agent). |
-| Windows Server 2019 and later <p>Windows Server 2019 core edition <p>Windows Server version 1803 and later | [Local script](configure-endpoints-script.md) <p>[Group Policy](configure-endpoints-gp.md) <p>[Configuration Manager](configure-endpoints-sccm.md) <p>[System Center Configuration Manager](configure-endpoints-sccm.md) <p>[VDI onboarding scripts for non-persistent devices](configure-endpoints-vdi.md) <p>**NOTE**: A local script is suitable for a proof of concept but should not be used for production deployment. For a production deployment, we recommend using Group Policy, Microsoft Endpoint Configuration Manager, or Intune. |
-| Windows Server 2016 <p>Windows Server 2012 R2 <p>Windows Server 2008 R2 SP1 | [Microsoft 365 Defender portal](configure-server-endpoints.md)<p>[Azure Defender](/azure/security-center/security-center-wdatp) |
-| macOS:<p>11.3.1 (Big Sur) <p>10.15 (Catalina)<p>10.14 (Mojave) | [Onboard non-Windows devices](configure-endpoints-non-windows.md) |
+| Windows 10 | [Group Policy](configure-endpoints-gp.md)<br/>[Configuration Manager](configure-endpoints-sccm.md)<br/>[Mobile Device Management (Intune)](configure-endpoints-mdm.md)<br/>[Local script](configure-endpoints-script.md)<br/><br/>**NOTE**: A local script is suitable for a proof of concept but should not be used for production deployment. For a production deployment, we recommend using Group Policy, Microsoft Endpoint Configuration Manager, or Intune. |
+| Windows 8.1 Enterprise <br/>Windows 8.1 Pro <br/>Windows 7 SP1 Enterprise <br/>Windows 7 SP1 Pro | [Microsoft Monitoring Agent](onboard-downlevel.md)<br/><br/>**NOTE**: Microsoft Monitoring Agent is now Azure Log Analytics agent. To learn more, see [Log Analytics agent overview](/azure/azure-monitor/platform/log-analytics-agent). |
+| Windows Server 2019 and later <br/>Windows Server 2019 core edition <br/>Windows Server version 1803, and later | [Local script](configure-endpoints-script.md) <br/>[Group Policy](configure-endpoints-gp.md) <br/>[Configuration Manager](configure-endpoints-sccm.md) <br/>[System Center Configuration Manager](configure-endpoints-sccm.md) <br/>[VDI onboarding scripts for non-persistent devices](configure-endpoints-vdi.md) <br/><br/>**NOTE**: A local script is suitable for a proof of concept but should not be used for production deployment. For a production deployment, we recommend using Group Policy, Microsoft Endpoint Configuration Manager, or Intune. |
+| Windows Server 2016 <br/>Windows Server 2012 R2 <br/>Windows Server 2008 R2 SP1 | [Microsoft 365 Defender portal](configure-server-endpoints.md)<br/>[Azure Defender](/azure/security-center/security-center-wdatp) |
+| macOS: 11.3.1 (Big Sur); 10.15 (Catalina); 10.14 (Mojave) | [Onboard non-Windows devices](configure-endpoints-non-windows.md) |
| iOS | [Onboard non-Windows devices](configure-endpoints-non-windows.md) |
-| Linux:<p>RHEL 7.2+<p>CentOS Linux 7.2+<p>Ubuntu 16 LTS, or higher LTS<p>SLES 12+<p>Debian 9+<p>Oracle Linux 7.2 | [Onboard non-Windows devices](configure-endpoints-non-windows.md) |
+| Linux: RHEL 7.2+; CentOS Linux 7.2+; Ubuntu 16 LTS, or higher LTS; SLES 12+; Debian 9+; Oracle Linux 7.2 | [Onboard non-Windows devices](configure-endpoints-non-windows.md) |
## Run a detection test
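Review bot: the Windows Server 2019 row lists both "Configuration Manager" and "System Center Configuration Manager", and both link to configure-endpoints-sccm.md; drop one so the row does not suggest two different methods. The NOTE in that row recommends Intune for production although the row offers no Intune link, and "Windows Server version 1803, and later" picks up a comma while "Windows Server 2019 and later" in the same cell has none.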
To verify that your onboarded devices are properly connected to Defender for End
|Operating system |Guidance | |||
-| Windows 10 <p>Windows Server 2019 <p>Windows Server, version 1803 <p>Windows Server 2016 <p>Windows Server 2012 R2 | See [Run a detection test](run-detection-test.md). <p>Visit the Defender for Endpoint demo scenarios site ([https://demo.wd.microsoft.com](https://demo.wd.microsoft.com)) and try one or more of the scenarios. For example, try the **Cloud-delivered protection** demo scenario. |
-| macOS:<p>11.3.1 (Big Sur) <p>10.15 (Catalina)<p>10.14 (Mojave) | Download and use the DIY app at [https://aka.ms/mdatpmacosdiy](https://aka.ms/mdatpmacosdiy). <p>For more information, see [Defender for Endpoint on macOS](microsoft-defender-endpoint-mac.md). |
-| Linux:<p>RHEL 7.2+<p>CentOS Linux 7.2+<p>Ubuntu 16 LTS, or higher LTS<p>SLES 12+<p>Debian 9+<p>Oracle Linux 7.2 | 1. Run the following command, and look for a result of **1**: <br/>`mdatp health --field real_time_protection_enabled`. <p>2. Open a Terminal window, and run the following command: <br/>`curl -o ~/Downloads/eicar.com.txt https://www.eicar.org/download/eicar.com.txt`. <p>3. Run the following command to list any detected threats: <br/>`mdatp threat list`. <p>For more information, see [Defender for Endpoint on Linux](microsoft-defender-endpoint-linux.md). |
+| Windows 10 <br/> Windows Server 2019<br/> Windows Server, version 1803, or later<br/> Windows Server 2016<br/> Windows Server 2012 R2 | See [Run a detection test](run-detection-test.md). <br/><br/>Visit the Defender for Endpoint demo scenarios site ([https://demo.wd.microsoft.com](https://demo.wd.microsoft.com)) and try one or more of the scenarios. For example, try the **Cloud-delivered protection** demo scenario. |
+| macOS: 11.3.1 (Big Sur); 10.15 (Catalina); 10.14 (Mojave) | Download and use the DIY app at [https://aka.ms/mdatpmacosdiy](https://aka.ms/mdatpmacosdiy). <br/><br/>For more information, see [Defender for Endpoint on macOS](microsoft-defender-endpoint-mac.md). |
+| Linux: RHEL 7.2+; CentOS Linux 7.2+; Ubuntu 16 LTS, or higher LTS; SLES 12+; Debian 9+; Oracle Linux 7.2 | 1. Run the following command, and look for a result of **1**: <br/>`mdatp health --field real_time_protection_enabled`. <br/> 2. Open a Terminal window, and run the following command: <br/>`curl -o ~/Downloads/eicar.com.txt https://www.eicar.org/download/eicar.com.txt`. <br/> 3. Run the following command to list any detected threats: <br/>`mdatp threat list`. <br/><br/>For more information, see [Defender for Endpoint on Linux](microsoft-defender-endpoint-linux.md). |
## Confirm that Microsoft Defender Antivirus is in passive mode on your endpoints
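Review bot: in the Linux row, step 2 tells the reader to open a Terminal window after step 1 has already had them run `mdatp health --field real_time_protection_enabled`; move "Open a Terminal window" to the start of step 1. The Windows cell also changes "Windows Server, version 1803" to "Windows Server, version 1803, or later", which widens the stated scope instead of only reformatting the cell, so it is worth confirming that the change is intended.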
Now that your endpoints have been onboarded to Defender for Endpoint, your next
| Method | What to do | |:-|:-|
-|Command Prompt | 1. On a Windows device, open Command Prompt as an administrator.<p>2. Type `sc query windefend`, and then press Enter.<p>3. Review the results to confirm that Microsoft Defender Antivirus is running in passive mode. |
-| PowerShell | 1. On a Windows device, open Windows PowerShell as an administrator.<p>2. Run following PowerShell cmdlet: `Get-MpComputerStatus | select AMRunningMode`. <p>Review the results. You should see **Passive mode**. [Learn more about Microsoft Defender Antivirus states](microsoft-defender-antivirus-compatibility.md#more-details-about-microsoft-defender-antivirus-states). |
+|Command Prompt | 1. On a Windows device, open Command Prompt. <br/> 2. Type `sc query windefend`, and then press Enter. <br/> 3. Review the results to confirm that Microsoft Defender Antivirus is running in passive mode. |
+| PowerShell | 1. On a Windows device, open Windows PowerShell as an administrator. <br/> 2. Run following PowerShell cmdlet: `Get-MpComputerStatus | select AMRunningMode`. <br/> Review the results. You should see **Passive mode**. |
+| Windows Security app | 1. On a Windows device, open the Windows Security app. <br/>2. Select **Virus & threat protection**.<br/>3. Under **Who's protecting me?** select **Manage providers**. <br/>4. On the **Security providers** page, under **Antivirus**, you should see **Microsoft Defender Antivirus is turned on**. |
+| Task Manager | 1. On a Windows device, open the Task Manager app. <br/>2. Select the **Details** tab.<br/>3. Look for **MsMpEng.exe** in the list. |
> [!NOTE] > You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.
+> To learn more about passive mode and active mode, see [More details about Microsoft Defender Antivirus states](microsoft-defender-antivirus-compatibility.md#more-details-about-microsoft-defender-antivirus-states).
### Set Microsoft Defender Antivirus on Windows Server to passive mode manually
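Review bot: the added Windows Security app and Task Manager rows show only that Microsoft Defender Antivirus is turned on or that MsMpEng.exe is running, which does not tell a reader whether it is in passive mode, the thing this section asks them to confirm; `sc query windefend` has the same gap because it reports service state. Either label those rows as "confirm it is running" checks or keep the `AMRunningMode` row as the only passive-mode check. That row expects **Passive mode**, while the compatibility article in this change set says **Normal** or **Passive**, and the Command Prompt row drops "as an administrator" while the PowerShell row keeps it.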
security Switch To Microsoft Defender Prepare https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/switch-to-microsoft-defender-prepare.md
- m365solution-symantecmigrate Previously updated : 06/14/2021 Last updated : 08/11/2021
To enable communication between your devices and Defender for Endpoint, configur
| Capabilities | Operating System | Resources | |:--|:--|:--|
-| [Endpoint detection and response](overview-endpoint-detection-response.md) (EDR) | [Windows 10](/windows/release-health/release-information) <p>[Windows Server 2019](/windows/release-health/status-windows-10-1809-and-windows-server-2019)<p>[Windows Server 1803 or later](/windows-server/get-started/whats-new-in-windows-server-1803) | [Configure machine proxy and internet connectivity settings](configure-proxy-internet.md) |
-| EDR | [Windows Server 2016](/windows/release-health/status-windows-10-1607-and-windows-server-2016) <p>[Windows Server 2012 R2](/windows/release-health/status-windows-8.1-and-windows-server-2012-r2)<p>[Windows Server 2008 R2 SP1](/windows/release-health/status-windows-7-and-windows-server-2008-r2-sp1)<p>[Windows 8.1](/windows/release-health/status-windows-8.1-and-windows-server-2012-r2)<p>[Windows 7 SP1](/windows/release-health/status-windows-7-and-windows-server-2008-r2-sp1) |[Configure proxy and internet connectivity settings](onboard-downlevel.md#configure-proxy-and-internet-connectivity-settings) |
-| EDR | macOS:<p>11.3.1 (Big Sur)<p>10.15 (Catalina)<p>10.14 (Mojave) | [Defender for Endpoint on macOS: Network connections](microsoft-defender-endpoint-mac.md#network-connections) |
-| [Microsoft Defender Antivirus](microsoft-defender-antivirus-in-windows-10.md) | [Windows 10](/windows/release-health/release-information) <p>[Windows Server 2019](/windows/release-health/status-windows-10-1809-and-windows-server-2019)<p>[Windows Server 1803 or later](/windows-server/get-started/whats-new-in-windows-server-1803) <p>[Windows Server 2016](/windows-server/get-started/whats-new-in-windows-server-2016) | [Configure and validate Microsoft Defender Antivirus network connections](configure-network-connections-microsoft-defender-antivirus.md)<br/> |
-| Antivirus | macOS:<p>11.3.1 (Big Sur)<p>10.15 (Catalina)<p>10.14 (Mojave) | [Defender for Endpoint on macOS: Network connections](microsoft-defender-endpoint-mac.md#network-connections) |
-| Antivirus | Linux: <p>RHEL 7.2+<p>CentOS Linux 7.2+<p>Ubuntu 16 LTS, or higher LTS<p>SLES 12+<p>Debian 9+<p>Oracle Linux 7.2 | [Defender for Endpoint on Linux: Network connections](microsoft-defender-endpoint-linux.md#network-connections) |
+| [Endpoint detection and response](overview-endpoint-detection-response.md) (EDR) | [Windows 10](/windows/release-health/release-information) <br/>[Windows Server 2019](/windows/release-health/status-windows-10-1809-and-windows-server-2019)<br/>[Windows Server 1803, or later](/windows-server/get-started/whats-new-in-windows-server-1803) | [Configure machine proxy and internet connectivity settings](configure-proxy-internet.md) |
+| EDR | [Windows Server 2016](/windows/release-health/status-windows-10-1607-and-windows-server-2016) <br/>[Windows Server 2012 R2](/windows/release-health/status-windows-8.1-and-windows-server-2012-r2)<br/>[Windows Server 2008 R2 SP1](/windows/release-health/status-windows-7-and-windows-server-2008-r2-sp1)<br/>[Windows 8.1](/windows/release-health/status-windows-8.1-and-windows-server-2012-r2)<br/>[Windows 7 SP1](/windows/release-health/status-windows-7-and-windows-server-2008-r2-sp1) |[Configure proxy and internet connectivity settings](onboard-downlevel.md#configure-proxy-and-internet-connectivity-settings) |
+| EDR | macOS: 11.3.1 (Big Sur); 10.15 (Catalina); 10.14 (Mojave) | [Defender for Endpoint on macOS: Network connections](microsoft-defender-endpoint-mac.md#network-connections) |
+| [Microsoft Defender Antivirus](microsoft-defender-antivirus-in-windows-10.md) | [Windows 10](/windows/release-health/release-information) <br/>[Windows Server 2019](/windows/release-health/status-windows-10-1809-and-windows-server-2019)<br/>[Windows Server 1803, or later](/windows-server/get-started/whats-new-in-windows-server-1803) <br/>[Windows Server 2016](/windows-server/get-started/whats-new-in-windows-server-2016) | [Configure and validate Microsoft Defender Antivirus network connections](configure-network-connections-microsoft-defender-antivirus.md) |
+| Antivirus | macOS: 11.3.1 (Big Sur); 10.15 (Catalina); 10.14 (Mojave) | [Defender for Endpoint on macOS: Network connections](microsoft-defender-endpoint-mac.md#network-connections) |
+| Antivirus | Linux: RHEL 7.2+; CentOS Linux 7.2+; Ubuntu 16 LTS, or higher LTS; SLES 12+; Debian 9+; Oracle Linux 7.2 | [Defender for Endpoint on Linux: Network connections](microsoft-defender-endpoint-linux.md#network-connections) |
## Next step
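Review bot: the link text "Windows Server 1803, or later" adds a third spelling of the same release range to this change set, next to "Windows Server, version 1803, or newer" and "Windows Server version 1803, and later" in the other articles; pick one form and use it in all of them.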
security Switch To Microsoft Defender Setup https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/switch-to-microsoft-defender-setup.md
- m365solution-symantecmigrate Previously updated : 08/10/2021 Last updated : 08/11/2021
Now that you're planning to switch to Defender for Endpoint, you might need to t
| Endpoint type | What to do | |||
-| Windows clients (such as endpoints running Windows 10) | In general, you do not need to take any action for Windows clients (unless Microsoft Defender Antivirus has been uninstalled). Here's why: <p>Microsoft Defender Antivirus should still be installed, but is most likely disabled at this point of the migration process.<p> When a non-Microsoft antivirus/antimalware solution is installed and the clients are not yet onboarded to Defender for Endpoint, Microsoft Defender Antivirus is disabled automatically. <p>Later, when the client endpoints are onboarded to Defender for Endpoint, if those endpoints are running a non-Microsoft antivirus solution, Microsoft Defender Antivirus goes into passive mode. <p>If the non-Microsoft antivirus solution is uninstalled, Microsoft Defender Antivirus goes into active mode automatically. |
-| Windows servers | On Windows Server, you'll need to reinstall Microsoft Defender Antivirus, and set it to passive mode manually. Here's why: <p>On Windows servers, when a non-Microsoft antivirus/antimalware is installed, Microsoft Defender Antivirus cannot run alongside the non-Microsoft antivirus solution. In those cases, Microsoft Defender Antivirus is disabled or uninstalled manually. <p>To reinstall or enable Microsoft Defender Antivirus on Windows Server, perform the following tasks: <p>- [Set DisableAntiSpyware to false on Windows Server](#set-disableantispyware-to-false-on-windows-server) (only if necessary)<br/>- [Reinstall Microsoft Defender Antivirus on Windows Server](#reinstall-microsoft-defender-antivirus-on-windows-server)<br/>- [Set Microsoft Defender Antivirus to passive mode on Windows Server](#set-microsoft-defender-antivirus-to-passive-mode-on-windows-server) |
+| Windows clients (such as endpoints running Windows 10) | In general, you do not need to take any action for Windows clients (unless Microsoft Defender Antivirus has been uninstalled). Here's why: <br/><br/>Microsoft Defender Antivirus should still be installed, but is most likely disabled at this point of the migration process.<br/><br/> When a non-Microsoft antivirus/antimalware solution is installed and the clients are not yet onboarded to Defender for Endpoint, Microsoft Defender Antivirus is disabled automatically. <br/><br/>Later, when the client endpoints are onboarded to Defender for Endpoint, if those endpoints are running a non-Microsoft antivirus solution, Microsoft Defender Antivirus goes into passive mode. <br/><br/>If the non-Microsoft antivirus solution is uninstalled, Microsoft Defender Antivirus goes into active mode automatically. |
+| Windows servers | On Windows Server, you'll need to reinstall Microsoft Defender Antivirus, and set it to passive mode manually. Here's why: <br/><br/>On Windows servers, when a non-Microsoft antivirus/antimalware is installed, Microsoft Defender Antivirus cannot run alongside the non-Microsoft antivirus solution. In those cases, Microsoft Defender Antivirus is disabled or uninstalled manually. <br/><br/>To reinstall or enable Microsoft Defender Antivirus on Windows Server, perform the following tasks: <br/><br/>- [Set DisableAntiSpyware to false on Windows Server](#set-disableantispyware-to-false-on-windows-server) (only if necessary)<br/>- [Reinstall Microsoft Defender Antivirus on Windows Server](#reinstall-microsoft-defender-antivirus-on-windows-server)<br/>- [Set Microsoft Defender Antivirus to passive mode on Windows Server](#set-microsoft-defender-antivirus-to-passive-mode-on-windows-server) |
> [!TIP]
The [DisableAntiSpyware](/windows-hardware/customize/desktop/unattend/security-m
2. Run the following PowerShell cmdlets: <br/>
- `Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender-Features` <p>
+ `Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender-Features` <br/>
`Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender` <br/> When using the DISM command within a task sequence running PowerShell, the following path to cmd.exe is required. Example:<br/>
- `c:\windows\sysnative\cmd.exe /c Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender-Features`<p>
+ `c:\windows\sysnative\cmd.exe /c Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender-Features`<br/>
`c:\windows\sysnative\cmd.exe /c Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender`<br/> ### Set Microsoft Defender Antivirus to passive mode on Windows Server
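Review bot: The sentence before the `c:\windows\sysnative\cmd.exe` examples says the path "is required" in a task sequence but not why, so readers cannot tell when plain `Dism` is enough. Since these lines are being touched anyway, add the reason (the Sysnative alias only resolves from a 32-bit process on 64-bit Windows, which is how it reaches the 64-bit `cmd.exe`), and reword the step's lead-in, because `Dism` is a command-line tool and not a PowerShell cmdlet.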
Currently, you cannot run Microsoft Defender Antivirus in passive mode on Window
1. On the device, open PowerShell as an administrator.
-2. Type the following PowerShell cmdlet: `mpcmdrun -wdenable`
+2. Type the following PowerShell cmdlet: `mpcmdrun -wdenable`.
> [!TIP] > For more information, see the following articles:
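Review bot: Step 2 calls `mpcmdrun -wdenable` a PowerShell cmdlet, but it is an invocation of the MpCmdRun command-line tool, and the only change made here is the trailing period. Reword it to "Run the following command:" and tell readers how to verify the result, for example by pointing at the "Confirm that Microsoft Defender Antivirus is enabled" section that follows.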
Currently, you cannot run Microsoft Defender Antivirus in passive mode on Window
### Confirm that Microsoft Defender Antivirus is enabled
-To check the state of Microsoft Defender Antivirus, you can use the [Get-MpComputerStatus PowerShell cmdlet](/powershell/module/defender/get-mpcomputerstatus).
+You can use one of several methods to confirm the state of Microsoft Defender Antivirus, as described in the following table:
-1. On a Windows device, open Windows PowerShell.
-
-2. Run following PowerShell cmdlet: `Get-MpComputerStatus | select AMRunningMode`.
+| Method | Procedure |
+|:|:|
+| Windows Security app | 1. On a Windows device, open the Windows Security app. <br/>2. Select **Virus & threat protection**.<br/>3. Under **Who's protecting me?** select **Manage providers**. <br/>4. On the **Security providers** page, under **Antivirus**, you should see **Microsoft Defender Antivirus is turned on**. |
+| Task Manager | 1. On a Windows device, open the Task Manager app. <br/>2. Select the **Details** tab.<br/>3. Look for **MsMpEng.exe** in the list. |
+| Windows PowerShell <br/> (To confirm that Microsoft Defender Antivirus is running) | 1. On a Windows device, open Windows PowerShell.<br/>2. Run the following PowerShell cmdlet: `Get-Process`.<br/>3. Review the results. You should see **MsMpEng.exe** if Microsoft Defender Antivirus is enabled. |
+| Windows PowerShell <br/> (To confirm that antivirus protection is in place) | You can use the [Get-MpComputerStatus PowerShell cmdlet](/powershell/module/defender/get-mpcomputerstatus).<br/>1. On a Windows device, open Windows PowerShell.<br/>2. Run following PowerShell cmdlet: `Get-MpComputerStatus | select AMRunningMode`.<br/>3. Review the results. You should see either **Normal** or **Passive** if Microsoft Defender Antivirus is enabled on the endpoint. |
-3. Review the results. You should see either **Normal** or **Passive** if Microsoft Defender Antivirus is enabled on the endpoint. [Learn more about Microsoft Defender Antivirus states](microsoft-defender-antivirus-compatibility.md#more-details-about-microsoft-defender-antivirus-states).
+> [!TIP]
+> [Learn more about Microsoft Defender Antivirus states](microsoft-defender-antivirus-compatibility.md#more-details-about-microsoft-defender-antivirus-states).
## Configure Defender for Endpoint
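Review bot: In the first Windows PowerShell row, step 3 tells readers to look for **MsMpEng.exe** in the `Get-Process` output, but `Get-Process` lists process names without the .exe extension, so the string as written will not appear. Change it to **MsMpEng** or give the command as `Get-Process MsMpEng`. The Task Manager row also stops at "Look for **MsMpEng.exe** in the list" without saying what its presence or absence means, and the last row carries over "Run following PowerShell cmdlet" with the article missing.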
This step of the migration process involves configuring Microsoft Defender Antiv
|Method |What to do | |||
-| [Intune](/mem/intune/fundamentals/tutorial-walkthrough-endpoint-manager) <br/>**NOTE**: Intune is now part of Microsoft Endpoint Manager. | 1. Go to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and sign in.<p> 2. Select **Devices** > **Configuration profiles**, and then select the profile type you want to configure. If you haven't yet created a **Device restrictions** profile type, or if you want to create a new one, see [Configure device restriction settings in Microsoft Intune](/intune/device-restrictions-configure).<p> 3. Select **Properties**, and then select **Configuration settings: Edit**.<p> 4. Expand **Microsoft Defender Antivirus**. <p> 5. Enable **Cloud-delivered protection**.<p> 6. In the **Prompt users before sample submission** dropdown, select **Send all samples automatically**.<p> 7. In the **Detect potentially unwanted applications** dropdown, select **Enable** or **Audit**.<p> 8. Select **Review + save**, and then choose **Save**.<p>**TIP**: For more information about Intune device profiles, including how to create and configure their settings, see [What are Microsoft Intune device profiles?](/intune/device-profiles).|
-| Microsoft Endpoint Configuration Manager | See [Create and deploy antimalware policies for Endpoint Protection in Configuration Manager](/mem/configmgr/protect/deploy-use/endpoint-antimalware-policies). While you create and configure your antimalware policies, make sure to review the [real-time protection settings](/mem/configmgr/protect/deploy-use/endpoint-antimalware-policies#real-time-protection-settings) and [enable block at first sight](configure-block-at-first-sight-microsoft-defender-antivirus.md).
-| Control Panel in Windows |Follow the guidance here: [Turn on Microsoft Defender Antivirus](/mem/intune/user-help/turn-on-defender-windows). <p>**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows. |
-| [Advanced Group Policy Management](/microsoft-desktop-optimization-pack/agpm/) <br/>or<br/>[Group Policy Management Console](/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus) | 1. Go to **Computer configuration** > **Administrative templates** > **Windows components** > **Microsoft Defender Antivirus**. <p> 2. Look for a policy called **Turn off Microsoft Defender Antivirus**.<p> 3. Choose **Edit policy setting**, and make sure that policy is disabled. This action enables Microsoft Defender Antivirus. <p>**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows. |
+| [Intune](/mem/intune/fundamentals/tutorial-walkthrough-endpoint-manager) <br/>**NOTE**: Intune is now part of Microsoft Endpoint Manager. | 1. Go to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and sign in.<br/> 2. Select **Devices** > **Configuration profiles**, and then select the profile type you want to configure. If you haven't yet created a **Device restrictions** profile type, or if you want to create a new one, see [Configure device restriction settings in Microsoft Intune](/intune/device-restrictions-configure).<br/> 3. Select **Properties**, and then select **Configuration settings: Edit**.<br/>4. Expand **Microsoft Defender Antivirus**. <br/>5. Enable **Cloud-delivered protection**.<br/>6. In the **Prompt users before sample submission** dropdown, select **Send all samples automatically**.<br/> 7. In the **Detect potentially unwanted applications** dropdown, select **Enable** or **Audit**.<br/>8. Select **Review + save**, and then choose **Save**.<br/><br/>**TIP**: For more information about Intune device profiles, including how to create and configure their settings, see [What are Microsoft Intune device profiles?](/intune/device-profiles).|
+| Microsoft Endpoint Configuration Manager | See [Create and deploy antimalware policies for Endpoint Protection in Configuration Manager](/mem/configmgr/protect/deploy-use/endpoint-antimalware-policies). <br/><br/> When you create and configure your antimalware policies, make sure to review the [real-time protection settings](/mem/configmgr/protect/deploy-use/endpoint-antimalware-policies#real-time-protection-settings) and [enable block at first sight](configure-block-at-first-sight-microsoft-defender-antivirus.md).
+| Control Panel in Windows |Follow the guidance here: [Turn on Microsoft Defender Antivirus](/mem/intune/user-help/turn-on-defender-windows). (You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.) |
+| [Advanced Group Policy Management](/microsoft-desktop-optimization-pack/agpm/) <br/>or<br/>[Group Policy Management Console](/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus) | 1. Go to **Computer configuration** > **Administrative templates** > **Windows components** > **Microsoft Defender Antivirus**. <br/> 2. Look for a policy called **Turn off Microsoft Defender Antivirus**.<br/> 3. Choose **Edit policy setting**, and make sure that policy is disabled. This action enables Microsoft Defender Antivirus. (You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.) |
> [!TIP] > You can deploy the policies before your organization's devices are onboarded.
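Review bot: The Microsoft Endpoint Configuration Manager row is the only one in this table that ends without a closing `|`, in both the removed and the added version; close it so the row matches its neighbours. The new `<br/>` separators are also spaced inconsistently in the Intune row (`<br/> 2.` next to `<br/>4.`); pick one form.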
The specific exclusions to configure will depend on which version of Windows you
|OS |Exclusions | |--|--|
-|Windows 10, [version 1803](/windows/release-health/status-windows-10-1803) or later (See [Windows 10 release information](/windows/release-health/release-information))<p>Windows 10, version 1703 or 1709 with [KB4493441](https://support.microsoft.com/help/4493441) installed <p>[Windows Server 2019](/windows/release-health/status-windows-10-1809-and-windows-server-2019)<p>[Windows Server, version 1803](/windows-server/get-started/whats-new-in-windows-server-1803) |`C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe`<p>`C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe`<p>`C:\Program Files\Windows Defender Advanced Threat Protection\SenseSampleUploader.exe`<p>`C:\Program Files\Windows Defender Advanced Threat Protection\SenseIR.exe`<p> |
-|[Windows 8.1](/windows/release-health/status-windows-8.1-and-windows-server-2012-r2) <p>[Windows 7](/windows/release-health/status-windows-7-and-windows-server-2008-r2-sp1)<p>[Windows Server 2016](/windows/release-health/status-windows-10-1607-and-windows-server-2016)<p>[Windows Server 2012 R2](/windows/release-health/status-windows-8.1-and-windows-server-2012-r2)<p>[Windows Server 2008 R2 SP1](/windows/release-health/status-windows-7-and-windows-server-2008-r2-sp1) |`C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\Monitoring Host Temporary Files 6\45\MsSenseS.exe`<p>**NOTE**: Monitoring Host Temporary Files 6\45 can be different numbered subfolders. <p>`C:\Program Files\Microsoft Monitoring Agent\Agent\AgentControlPanel.exe`<br/>`C:\Program Files\Microsoft Monitoring Agent\Agent\HealthService.exe`<p>`C:\Program Files\Microsoft Monitoring Agent\Agent\HSLockdown.exe`<p>`C:\Program Files\Microsoft Monitoring Agent\Agent\MOMPerfSnapshotHelper.exe`<p>`C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe`<p>`C:\Program Files\Microsoft Monitoring Agent\Agent\TestCloudConnection.exe` |
+|Windows 10, [version 1803](/windows/release-health/status-windows-10-1803) or later (See [Windows 10 release information](/windows/release-health/release-information))<br/>Windows 10, version 1703 or 1709 with [KB4493441](https://support.microsoft.com/help/4493441) installed <br/>[Windows Server 2019](/windows/release-health/status-windows-10-1809-and-windows-server-2019)<br/>[Windows Server, version 1803](/windows-server/get-started/whats-new-in-windows-server-1803) |`C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe`<br/>`C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe`<br/>`C:\Program Files\Windows Defender Advanced Threat Protection\SenseSampleUploader.exe`<br/>`C:\Program Files\Windows Defender Advanced Threat Protection\SenseIR.exe` |
+|[Windows 8.1](/windows/release-health/status-windows-8.1-and-windows-server-2012-r2) <br/>[Windows 7](/windows/release-health/status-windows-7-and-windows-server-2008-r2-sp1)<br/>[Windows Server 2016](/windows/release-health/status-windows-10-1607-and-windows-server-2016)<br/>[Windows Server 2012 R2](/windows/release-health/status-windows-8.1-and-windows-server-2012-r2)<br/>[Windows Server 2008 R2 SP1](/windows/release-health/status-windows-7-and-windows-server-2008-r2-sp1) |`C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\Monitoring Host Temporary Files 6\45\MsSenseS.exe`<br/><br/>**NOTE**: Monitoring Host Temporary Files 6\45 can be different numbered subfolders. <br/><br/>`C:\Program Files\Microsoft Monitoring Agent\Agent\AgentControlPanel.exe`<br/>`C:\Program Files\Microsoft Monitoring Agent\Agent\HealthService.exe`<br/>`C:\Program Files\Microsoft Monitoring Agent\Agent\HSLockdown.exe`<br/>`C:\Program Files\Microsoft Monitoring Agent\Agent\MOMPerfSnapshotHelper.exe`<br/>`C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe`<br/>`C:\Program Files\Microsoft Monitoring Agent\Agent\TestCloudConnection.exe` |
## Add your existing solution to the exclusion list for Microsoft Defender Antivirus
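Review bot: In the second row, the first exclusion still hard-codes `Monitoring Host Temporary Files 6\45\MsSenseS.exe` while the NOTE beside it says the numbered subfolders can differ, so a reader who copies the path verbatim may exclude a location that does not exist on their servers. Say how to find the actual subfolder on the device, and keep the NOTE visually attached to that one path so it is not read as applying to the `Agent\*.exe` entries listed after it.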
During this step of the setup process, you add your existing solution to the Mic
|Method | What to do| |:|:|
-| [Intune](/mem/intune/fundamentals/tutorial-walkthrough-endpoint-manager) <br/>**NOTE**: Intune is now part of Microsoft Endpoint Manager. | 1. Go to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and sign in.<p> 2. Select **Devices** > **Configuration profiles**, and then select the profile that you want to configure.<p> 3. Under **Manage**, select **Properties**.<p> 4. Select **Configuration settings: Edit**.<p> 5. Expand **Microsoft Defender Antivirus**, and then expand **Microsoft Defender Antivirus Exclusions**.<p> 6. Specify the files and folders, extensions, and processes to exclude from Microsoft Defender Antivirus scans. For reference, see [Microsoft Defender Antivirus exclusions](/mem/intune/configuration/device-restrictions-windows-10#microsoft-defender-antivirus-exclusions).<p> 7. Choose **Review + save**, and then choose **Save**. |
-| [Microsoft Endpoint Configuration Manager](/mem/configmgr/) | 1. Using the [Configuration Manager console](/mem/configmgr/core/servers/manage/admin-console), go to **Assets and Compliance** > **Endpoint Protection** > **Antimalware Policies**, and then select the policy that you want to modify. <p> 2. Specify exclusion settings for files and folders, extensions, and processes to exclude from Microsoft Defender Antivirus scans. |
-| [Group Policy Object](/previous-versions/windows/desktop/Policy/group-policy-objects) | 1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and then select **Edit**.<p> 2. In the **Group Policy Management Editor**, go to **Computer configuration** and select **Administrative templates**.<p> 3. Expand the tree to **Windows components > Microsoft Defender Antivirus > Exclusions**.<br/>**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.<p> 4. Double-click the **Path Exclusions** setting and add the exclusions.<br/>- Set the option to **Enabled**.<br/>- Under the **Options** section, select **Show...**.<br/>- Specify each folder on its own line under the **Value name** column.<br/>- If you specify a file, make sure to enter a fully qualified path to the file, including the drive letter, folder path, filename, and extension. Enter **0** in the **Value** column.<p> 5. Select **OK**.<p> 6. Double-click the **Extension Exclusions** setting and add the exclusions.<br/>- Set the option to **Enabled**.<br/>- Under the **Options** section, select **Show...**.<br/>- Enter each file extension on its own line under the **Value name** column. Enter **0** in the **Value** column.<p> 7. Select **OK**. |
-| Local group policy object |1. On the endpoint or device, open the Local Group Policy Editor. <p>2. Go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Exclusions**.<p>**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.<p>3. Specify your path and process exclusions. |
-| Registry key |1. Export the following registry key: `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\exclusions`.<p>2. Import the registry key. Here are two examples:<br/>- Local path: `regedit.exe /s c:\temp\ MDAV_Exclusion.reg` <br/>- Network share: `regedit.exe /s \\FileServer\ShareName\MDAV_Exclusion.reg` |
+| [Intune](/mem/intune/fundamentals/tutorial-walkthrough-endpoint-manager) <br/>**NOTE**: Intune is now part of Microsoft Endpoint Manager. | 1. Go to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and sign in.<br/> 2. Select **Devices** > **Configuration profiles**, and then select the profile that you want to configure.<br/>3. Under **Manage**, select **Properties**.<br/> 4. Select **Configuration settings: Edit**.<br/> 5. Expand **Microsoft Defender Antivirus**, and then expand **Microsoft Defender Antivirus Exclusions**.<br/> 6. Specify the files and folders, extensions, and processes to exclude from Microsoft Defender Antivirus scans. For reference, see [Microsoft Defender Antivirus exclusions](/mem/intune/configuration/device-restrictions-windows-10#microsoft-defender-antivirus-exclusions).<br/> 7. Choose **Review + save**, and then choose **Save**. |
+| [Microsoft Endpoint Configuration Manager](/mem/configmgr/) | 1. Using the [Configuration Manager console](/mem/configmgr/core/servers/manage/admin-console), go to **Assets and Compliance** > **Endpoint Protection** > **Antimalware Policies**, and then select the policy that you want to modify. <br/>2. Specify exclusion settings for files and folders, extensions, and processes to exclude from Microsoft Defender Antivirus scans. |
+| [Group Policy Object](/previous-versions/windows/desktop/Policy/group-policy-objects) | 1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and then select **Edit**.<br/> 2. In the **Group Policy Management Editor**, go to **Computer configuration** and select **Administrative templates**.<br/> 3. Expand the tree to **Windows components > Microsoft Defender Antivirus > Exclusions**. (You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.)<br/>4. Double-click the **Path Exclusions** setting and add the exclusions.<br/>- Set the option to **Enabled**.<br/>- Under the **Options** section, select **Show...**.<br/>- Specify each folder on its own line under the **Value name** column.<br/>- If you specify a file, make sure to enter a fully qualified path to the file, including the drive letter, folder path, filename, and extension. Enter **0** in the **Value** column.<br/>5. Select **OK**.<br/>6. Double-click the **Extension Exclusions** setting and add the exclusions.<br/>- Set the option to **Enabled**.<br/>- Under the **Options** section, select **Show...**.<br/>- Enter each file extension on its own line under the **Value name** column. Enter **0** in the **Value** column.<br/>7. Select **OK**. |
+| Local group policy object |1. On the endpoint or device, open the Local Group Policy Editor. <br/>2. Go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Exclusions**. (You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.)<br/>3. Specify your path and process exclusions. |
+| Registry key |1. Export the following registry key: `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\exclusions`.<br/>2. Import the registry key. Here are two examples:<br/>- Local path: `regedit.exe /s c:\temp\ MDAV_Exclusion.reg` <br/>- Network share: `regedit.exe /s \\FileServer\ShareName\MDAV_Exclusion.reg` |
### Keep the following points about exclusions in mind
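Review bot: The Registry key row carries over `regedit.exe /s c:\temp\ MDAV_Exclusion.reg` with a space between `c:\temp\` and the file name, so the local-path example does not point at the file; the network-share example has no such space. Remove the space. Step 1 also says "Export the following registry key" without saying from which device, and `/s` imports silently, so it is worth telling readers to review the exported exclusions before importing them on other machines.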
Device groups, device collections, and organizational units enable your security
| Collection type | What to do | |--|--|
-|[Device groups](/microsoft-365/security/defender-endpoint/machine-groups) (formerly called *machine groups*) enable your security operations team to configure security capabilities, such as automated investigation and remediation.<p>Device groups are also useful for assigning access to those devices so that your security operations team can take remediation actions if needed. <p>Device groups are created in the [Microsoft 365 Defender portal](microsoft-defender-security-center.md). |1. Go to the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)).<p>2. In the navigation pane on the left, choose **Settings** > **Endpoints** > **Permissions** > **Device groups**. <p>3. Choose **+ Add device group**.<p>4. Specify a name and description for the device group.<p>5. In the **Automation level** list, select an option. (We recommend **Full - remediate threats automatically**.) To learn more about the various automation levels, see [How threats are remediated](/microsoft-365/security/defender-endpoint/automated-investigations#how-threats-are-remediated).<p>6. Specify conditions for a matching rule to determine which devices belong to the device group. For example, you can choose a domain, OS versions, or even use [device tags](/microsoft-365/security/defender-endpoint/machine-tags).<p>7. On the **User access** tab, specify roles that should have access to the devices that are included in the device group. <p>8. Choose **Done**. |
-|[Device collections](/mem/configmgr/core/clients/manage/collections/introduction-to-collections) enable your security operations team to manage applications, deploy compliance settings, or install software updates on the devices in your organization.<p>Device collections are created by using [Configuration Manager](/mem/configmgr/). |Follow the steps in [Create a collection](/mem/configmgr/core/clients/manage/collections/create-collections#bkmk_create). |
-|[Organizational units](/azure/active-directory-domain-services/create-ou) enable you to logically group objects such as user accounts, service accounts, or computer accounts. You can then assign administrators to specific organizational units, and apply group policy to enforce targeted configuration settings.<p> Organizational units are defined in [Azure Active Directory Domain Services](/azure/active-directory-domain-services). | Follow the steps in [Create an Organizational Unit in an Azure Active Directory Domain Services managed domain](/azure/active-directory-domain-services/create-ou). |
+|[Device groups](/microsoft-365/security/defender-endpoint/machine-groups) (formerly called *machine groups*) enable your security operations team to configure security capabilities, such as automated investigation and remediation.<br/><br/>Device groups are also useful for assigning access to those devices so that your security operations team can take remediation actions if needed. <br/><br/>Device groups are created in the [Microsoft 365 Defender portal](microsoft-defender-security-center.md). |1. Go to the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)).<br/>2. In the navigation pane on the left, choose **Settings** > **Endpoints** > **Permissions** > **Device groups**. <br/>3. Choose **+ Add device group**.<br/>4. Specify a name and description for the device group.<br/>5. In the **Automation level** list, select an option. (We recommend **Full - remediate threats automatically**.) To learn more about the various automation levels, see [How threats are remediated](/microsoft-365/security/defender-endpoint/automated-investigations#how-threats-are-remediated).<br/>6. Specify conditions for a matching rule to determine which devices belong to the device group. For example, you can choose a domain, OS versions, or even use [device tags](/microsoft-365/security/defender-endpoint/machine-tags).<br/>7. On the **User access** tab, specify roles that should have access to the devices that are included in the device group. <br/>8. Choose **Done**. |
+|[Device collections](/mem/configmgr/core/clients/manage/collections/introduction-to-collections) enable your security operations team to manage applications, deploy compliance settings, or install software updates on the devices in your organization.<br/><br/>Device collections are created by using [Configuration Manager](/mem/configmgr/). |Follow the steps in [Create a collection](/mem/configmgr/core/clients/manage/collections/create-collections#bkmk_create). |
+|[Organizational units](/azure/active-directory-domain-services/create-ou) enable you to logically group objects such as user accounts, service accounts, or computer accounts.<br/><br/> You can then assign administrators to specific organizational units, and apply group policy to enforce targeted configuration settings.<br/><br/> Organizational units are defined in [Azure Active Directory Domain Services](/azure/active-directory-domain-services). | Follow the steps in [Create an Organizational Unit in an Azure Active Directory Domain Services managed domain](/azure/active-directory-domain-services/create-ou). |
## Next step
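Review bot: In the Device groups row, the sentence "Device groups are created in the [Microsoft 365 Defender portal]" links to `microsoft-defender-security-center.md`, while step 1 of the same row sends readers to https://security.microsoft.com. Check that the link target matches the portal named in the link text, since the rest of this change already standardizes the row on the Microsoft 365 Defender portal.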
security Troubleshoot Asr https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-asr.md
ms.mktglfcycl: manage
ms.sitesec: library localization_priority: Normal audience: ITPro--++ Last updated 03/27/2019
security User Roles https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/user-roles.md
The following steps guide you on how to create roles in Microsoft 365 Defender.
- **Basic** commands: - Start a live-response session - Perform read-only live-response commands on remote device (excluding file copy and execution)
- - **Advanced** commands:
- Download a file from the remote device via live response
+ - **Advanced** commands:
- Download PE and non-PE files from the file page - Upload a file to the remote device - View a script from the files library
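Review bot: The visible change to the **Advanced** commands bullet is indentation only, but "Download a file from the remote device via live response" sits between the removed and the added line, so it is not clear whether that item still nests under **Advanced**. This list defines what a role may do in a live-response session, so confirm in the rendered page that every Advanced item, including that one, appears at the intended level.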
security Vulnerability https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/vulnerability.md
Method|Return Type|Description
[Get all vulnerabilities](get-all-vulnerabilities.md)|Vulnerability collection|Retrieves a list of all the vulnerabilities affecting the organization [Get vulnerability by Id](get-vulnerability-by-id.md)|Vulnerability|Retrieves vulnerability information by its ID [List devices by vulnerability](get-machines-by-vulnerability.md)|MachineRef collection|Retrieve a list of devices that are associated with the vulnerability ID
+[List vulnerabilities by machine and software](get-all-vulnerabilities-by-machines.md)|Vulnerability|Retrieves a list of all the vulnerabilities affecting the organization per machine and software.
## Properties
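Review bot: The new row gives the return type as "Vulnerability" although its description says it "Retrieves a list of all the vulnerabilities", and the existing "Get all vulnerabilities" row is typed as "Vulnerability collection". Use the collection type here too, or correct the description. The description also ends with a period where the other rows have none.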
security Eval Defender Endpoint Architecture https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-defender-endpoint-architecture.md
The following table identified key concepts that are important to understand whe
Concept | Description | More information :|:|:|
-Administration Portal | Microsoft 365 Defender portal to monitor and assist in responding to alerts of potential advanced persistent threat activity or data breaches. | [Microsoft Defender for Endpoint portal overview](/defender-endpoint/portal-overview)
-Attack Surface Reduction | Help reduce your attack surfaces by minimizing the places where your organization is vulnerable to cyberthreats and attacks. | [Overview of attack surface reduction](/defender-endpoint/overview-attack-surface-reduction)
-Endpoint Detection and Response | Endpoint detection and response capabilities provide advanced attack detections that are near real-time and actionable. | [Overview of endpoint detection and response capabilities](/defender-endpoint/overview-endpoint-detection-response)
-Behavioral Blocking and Containment | Behavioral blocking and containment capabilities can help identify and stop threats, based on their behaviors and process trees even when the threat has started execution. | [Behavioral blocking and containment](/defender-endpoint/behavioral-blocking-containment)
-Automated Investigation and Response | Automated investigation uses various inspection algorithms based on processes that are used by security analysts and designed to examine alerts and take immediate action to resolve breaches. | [Use automated investigations to investigate and remediate threats](/defender-endpoint/automated-investigations)
-Advanced Hunting | Advanced hunting is a query-based threat-hunting tool that lets you explore up to 30 days of raw data so that you can proactively inspect events in your network to locate threat indicators and entities. | [Overview of advanced hunting](/defender-endpoint/advanced-hunting-overview)
-Threat Analytics | Threat analytics is a set of reports from expert Microsoft security researchers covering the most relevant threats. | [Track and respond to emerging threats](/defender-endpoint/threat-analytics)
+Administration Portal | Microsoft 365 Defender portal to monitor and assist in responding to alerts of potential advanced persistent threat activity or data breaches. | [Microsoft Defender for Endpoint portal overview](/microsoft-365/security/defender-endpoint/portal-overview)
+Attack Surface Reduction | Help reduce your attack surfaces by minimizing the places where your organization is vulnerable to cyberthreats and attacks. | [Overview of attack surface reduction](/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction)
+Endpoint Detection and Response | Endpoint detection and response capabilities provide advanced attack detections that are near real-time and actionable. | [Overview of endpoint detection and response capabilities](/microsoft-365/security/defender-endpoint/overview-endpoint-detection-response)
+Behavioral Blocking and Containment | Behavioral blocking and containment capabilities can help identify and stop threats, based on their behaviors and process trees even when the threat has started execution. | [Behavioral blocking and containment](/microsoft-365/security/defender-endpoint/behavioral-blocking-containment)
+Automated Investigation and Response | Automated investigation uses various inspection algorithms based on processes that are used by security analysts and designed to examine alerts and take immediate action to resolve breaches. | [Use automated investigations to investigate and remediate threats](/microsoft-365/security/defender-endpoint/automated-investigations)
+Advanced Hunting | Advanced hunting is a query-based threat-hunting tool that lets you explore up to 30 days of raw data so that you can proactively inspect events in your network to locate threat indicators and entities. | [Overview of advanced hunting](/microsoft-365/security/defender-endpoint/advanced-hunting-overview)
+Threat Analytics | Threat analytics is a set of reports from expert Microsoft security researchers covering the most relevant threats. | [Track and respond to emerging threats](/microsoft-365/security/defender-endpoint/threat-analytics)
-For more detailed information about the capabilities included with Microsoft Defender for Endpoint, see [What is Microsoft Defender for Endpoint](/defender-endpoint/microsoft-defender-endpoint).
+For more detailed information about the capabilities included with Microsoft Defender for Endpoint, see [What is Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint).
## SIEM integration You can integrate Microsoft Defender for Endpoint with Azure Sentinel to more comprehensively analyze security events across your organization and build playbooks for effective and immediate response.
-Microsoft Defender for Endpoint can also be integrated into other Security Information and Event Management (SIEM) solutions. For more information, see [Enable SIEM integration in Microsoft Defender for Endpoint](/defender-endpoint/enable-siem-integration).
+Microsoft Defender for Endpoint can also be integrated into other Security Information and Event Management (SIEM) solutions. For more information, see [Enable SIEM integration in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/enable-siem-integration).
## Next steps
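Review bot: The added Behavioral Blocking and Containment row has a stray comma after "stop threats" that detaches "based on their behaviors and process trees" from the verb it modifies. Suggest "can help identify and stop threats based on their behaviors and process trees, even when the threat has started execution." The first-column names in the added rows are title-cased ("Advanced Hunting", "Threat Analytics") while the descriptions and link text use sentence case ("Advanced hunting is ...", "Threat analytics is ..."); pick one form. The two corrected links to `/microsoft-365/security/defender-endpoint/...` are consistent with the paths the new rows use.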
Microsoft Defender for Endpoint can also be integrated into other Security Infor
Return to the overview for [Evaluate Microsoft Defender for Endpoint](eval-defender-endpoint-overview.md)
-Return to the overview for [Evaluate and pilot Microsoft 365 Defender](eval-overview.md)
+Return to the overview for [Evaluate and pilot Microsoft 365 Defender](eval-overview.md)
security Integrate Microsoft 365 Defender Secops https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/integrate-microsoft-365-defender-secops.md
If you are not already familiar with Microsoft 365 Defender, see these articles:
- [Get started with Microsoft 365 Defender](get-started.md) - [Turn on Microsoft 365 Defender](m365d-enable.md)
+If your organization has already implemented some aspects of Microsoft 365 Defender, these articles can either affirm or help improve your existing architecture and processes.
+ >[!Note]
->If your organization has already implemented some aspects of Microsoft 365 Defender, these articles can either affirm or help improve your existing architecture and processes.
+>As a Microsoft partner, Protiviti contributed to and provided material feedback to this article.
> ## Target audience
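Review bot: The partner credit added inside the note reads awkwardly in "contributed to and provided material feedback to this article"; suggest "contributed to and provided material feedback on this article". Moving the "If your organization has already implemented some aspects ..." sentence out of the note and into body text is fine, but the note now carries only an attribution, which may sit better at the end of the article than directly above "Target audience".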
security Streaming Api Event Hub https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/streaming-api-event-hub.md
ms.technology: mde
2. Log in to your [Azure tenant](https://ms.portal.azure.com/), go to **Subscriptions > Your subscription > Resource Providers > Register to Microsoft.Insights**.
-3. Create an Event Hub Namespace, go to **Event Hub > Add** and select the pricing tier, throughput units and Auto-Inflate appropriate for expected load. For more information, see [Pricing - Event Hub | Microsoft Azure](https://azure.microsoft.com/en-us/pricing/details/event-hubs/).
+3. Create an Event Hub Namespace, go to **Event Hub > Add** and select the pricing tier, throughput units and Auto-Inflate appropriate for expected load. For more information, see [Event Hubs pricing](https://azure.microsoft.com/pricing/details/event-hubs/).
### Add contributor permissions
security View Email Security Reports https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/view-email-security-reports.md
For more information about composite authentication result codes, see [Anti-spam
The **Submissions** report shows information about items that admins have reported to Microsoft for analysis. For more information, see [Use Admin Submission to submit suspected spam, phish, URLs, and files to Microsoft](admin-submission.md).
-To view the report in the Microsoft 365 Defender portal, go to **Reports** \> **Email & collaboration** \> **Email & collaboration reports**. On the **Email & collaboration reports** page, find **Submissions** and then click **View details**. To go directly to the report, open <https://security.microsoft.com/adminSubmissionReport>. To go to [admin submissions in the Microsoft 365 Defender portal](admin-submission.md), click **Go to Submissions**.
+To view the report in the Microsoft 365 Defender portal, go to **Reports** \> **Email & collaboration** \> **Email & collaboration reports**. On the **Email & collaboration reports** page, find **Submissions** and then click **View details**. To go directly to the report, open <https://security.microsoft.com/adminSubmissionReport>. To go to [admin submissions in the Microsoft 365 Defender portal](admin-submission.md), click **Go to Submissions**. Admins will be able to view the report for last 30 days.
![Submissions widget on the Email & collaboration reports page](../../media/submissions-report-widget.png)
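Review bot: The sentence appended at the end of the changed paragraph, "Admins will be able to view the report for last 30 days.", is missing an article and switches to future tense where the rest of the paragraph is in present tense; suggest "Admins can view the report for the last 30 days." It describes the report's time range, so it would read better next to the sentence about opening the report than after the "click **Go to Submissions**" instruction.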