+description: "Get a periodic report about how people in your organization use Microsoft 365 services and drill into each chart for more insights."

+In this introductory course, you'll learn the six critical elements to drive adoption of your Microsoft cloud services to deliver value to your company. This course is applicable to any size company and uses Office 365 and Microsoft Teams as the example service to create real-world scenarios. For more information about training for adoption specialists, read [Use the Microsoft service adoption framework to drive adoption in your enterprise](/learn/paths/m365-service-adoption).

+Welcome to the Driving Adoption Community! Connect and discuss the latest topics and best practices in driving cloud adoption. Meet and learn from peers and Microsoft Staff and stay up to date on upcoming training, events, and our monthly Community calls. For more information, read [Driving Adoption](https://techcommunity.microsoft.com/t5/driving-adoption/ct-p/DrivingAdoption).

+Use our resources to go from inspiration to execution with our productivity cloud. Get started, experiment with our services, and onboard employees at scale while being confident that you are improving the employee experience. For more information, read [Drive value with Microsoft 365 adoption tools](https://adoption.microsoft.com).

+All the Microsoft 365 plans offer baseline protection and security with Microsoft Defender Antivirus, but with Microsoft 365 Business Premium you also have threat protection, data protection, and device management features due to the inclusion of Microsoft Defender for Business. These additional capabilities protect your organization from online threats and unauthorized access, as well as allow you to manage company data on your phones, tablets, and computers.

+ :::image type="content" source="../media/Autopilot.png" alt-text="In the Microsoft 365 admin center, choose devices and then Autopilot.":::

+ :::image type="content" source="../media/31662655-d1e6-437d-87ea-c0dec5da56f7.png" alt-text="Click Start guide for step-by-step instructions for Autopilot":::

+- [Manage calendar sharing](#manage-calendar-sharing) to enable people to schedule meetings appropriately.

+2. **Standard protection**

+3. **Custom security policies**

+4. **Built-in protection** receives the lowest priority and is overridden by strict protection, standard protection, and custom policies.

+2. Go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Preset Security Policies** in the **Templated policies** section. (To go directly to the **Preset security policies** page, use <https://security.microsoft.com/presetSecurityPolicies>.)

+3. On the **Preset security policies** page, in either the **Standard protection** or **Strict protection** section, change the toggle from **Disabled** to **Enabled**, and then select **Manage**.

+4. The **Apply Standard protection** or **Apply Strict protection** wizard starts in a flyout. On the **EOP protections apply to** page, identify the internal recipients that the policies apply to (recipient conditions):

+5. On the **Defender for Office 365 protections apply to** page to identify the internal recipients that the policies apply to (recipient conditions). Specify users, groups, and domains just like what you did in the previous step.

+6. On the **Review and confirm your changes** page, verify your selections, and then select **Confirm**.

+2. Under **External sharing**, specify the level of sharing. (We recommend using **Least permissive** to prevent external sharing.)

+3. Under **File and folder links**, select an option (such as **Specific people**). Then choose whether to grant View or Edit permissions by default for shared links (such as **View**).

+4. Under **Other settings**, select the options you want to use.

+5. Then choose **Save**.

+2. In the navigation pane, choose **Policies**, and then choose **Alert policies**.

+3. Select an individual policy to view more details or to edit the policy. The following image shows a list of alert policies with one policy selected:

+## Manage calendar sharing

+You can help people in your organization share their calendars appropriately for better collaboration. You can manage what level of detail they can share, such as by limiting the details that are shared to free/busy times only.

+2. Choose **Calendar**, and choose whether people in your organization can share their calendars with people outside who have Office 365 or Exchange, or with anyone. We recommend clearing the **External sharing** option. If you choose to share calendars with anyone option, you can choose to also share free/busy information only.

+3. Choose **Save changes** on the bottom of the page.

+## Watch: Understand your bill or invoice

+Check out this video and others on our [YouTube channel](https://go.microsoft.com/fwlink/?linkid=2197915).

+> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE53wxS?autoplay=false]

+description: "If you bought Microsoft 365 Business Standard from a retail store, learn how to redeem the product key and activate your subscription."

+If you bought Microsoft 365 Business Standard from a retail store, this article helps you activate your subscription.

+To extend the expiration date or add a license to your existing Microsoft 365 Business Standard subscription, use a new and unused product key for the same Microsoft 365 plan. Entering your original Microsoft 365 product key won't work because a key that has already been redeemed can't be used again. For more information, see [Extend the expiration date of your prepaid subscription by using a Microsoft 365 product key](subscriptions/renew-your-subscription.md#extend-the-expiration-date-of-your-prepaid-subscription-by-using-a-microsoft-365-product-key) or [Add licenses to a prepaid subscription by using a Microsoft 365 product key](licenses/buy-licenses.md#add-licenses-to-a-prepaid-subscription-by-using-a-microsoft-365-product-key).

+If the people who you're buying licenses for aren't active users in your organization yet, the next thing to do is [add users and assign licenses at the same time](../../admin/add-users/add-users.md).

+If you've removed licenses from a subscription, the next thing to do is [delete users from your organization](../../admin/add-users/delete-a-user.md).

+## Add licenses to a prepaid subscription by using a Microsoft 365 product key

+Prepaid product licenses are issued to you as a 25-character alphanumeric code, called a product key. After you buy the licenses you need, you can add them to your subscription by using the steps below. You can also use a product key to [extend the expiration date of your subscription](../subscriptions/renew-your-subscription.md#extend-the-expiration-date-of-your-prepaid-subscription-by-using-a-microsoft-365-product-key).

+> [!NOTE]

+> If you don't want to buy a new product key, you can always choose to add a credit card or bank account to your subscription to pay for more licenses. For more information, see [Renew your subscription](../subscriptions/renew-your-subscription.md).

+

+1. In the admin center, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=842054" target="_blank">Your products</a> page.

+1. In the admin center, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=850626" target="_blank">Your products</a> page.

+2. On the **Products** tab, select the subscription to which you want to add licenses.

+3. On the subscription details page, in the **Licenses** section, select **Add more licenses**.

+4. In the **Add more licenses pane**, select **Use a new and unused product key**, then select **Next**.

+5. Enter the product key, then select **Next**.

+ > [!NOTE]

+ > If you have more than one product key, you can select **Add another product key** to enter them.

+6. Review your order details, then select **Redeem**.

+If you reduced the number of licenses for your subscription because someone has left your organization, you might want to remove that user's account. To learn more, see [Remove a former employee](../../admin/add-users/remove-former-employee.md).

+## Extend the expiration date of your prepaid subscription by using a Microsoft 365 product key

+Prepaid product licenses are issued to you as a 25-character alphanumeric code, called a product key. If you buy another pre-paid subscription for a product you already own, you can use the product key to extend the expiration date of your subscription. You can also use a product key to [add more licenses to your subscription](../licenses/buy-licenses.md#add-licenses-to-a-prepaid-subscription-by-using-a-microsoft-365-product-key).

+1. In the admin center, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=842054" target="_blank">Your products</a> page.

+1. In the admin center, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=850626" target="_blank">Your products</a> page.

+2. On the **Products** tab, select the subscription that you want to extend.

+3. On the subscription details page, in the **Subscription and payment settings** section, select **Extend end date**.

+4. On the **renew or add user licenses** page, select **Use a new and unused product key**, then select **Next**.

+5. Enter the product key, then select **Next**.

+ > [!NOTE]

+ > If you have more than one product key, you can select **Add another product key** to enter them.

+6. Review your order details, then select **Redeem**.

+For example, another organization might have settings configured that prevent their users from opening content encrypted by your organization. In this scenario, until their Azure AD admin reconfigures their cross-tenant settings, an external user attempting to open that content will see a message that informs them **Access is blocked by your organization** with a reference to **Your tenant administrator**.

+Example message for the signed in user from the Fabrikam, Inc organization, when their local Azure AD blocks access:

+

+Your users will see a similar message when it's your Azure AD configuration that blocks access.

+From the perspective of the signed in user, if it's another Azure AD organization that's responsible for blocking access, the message changes to **Access is blocked by the organization** and displays the domain name of that other organization in the body of the message. For example:

+

+|[PDF support](#pdf-support)| Preview: Rolling out to [Current Channel (Preview)](https://office.com/insider) | Under review | Under review | Under review | Under review |

+- Protection from malware with Microsoft Defender Antivirus

+ Contoso is using [Microsoft Defender Antivirus](/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) for malware protection and anti-malware management for PCs and devices running Windows 10 Enterprise.

+> Please use a broadband internet connection to download this content and allow approximately 30 minutes for automatic provisioning. The lab environment requires a minimum of 16 GB of available memory and 150 GB of free disk space. For optimal performance, 32 GB of available memory and 300 GB of free space is recommended. The Windows client virtual machines expire 90 days after activation of the lab. New versions of the labs will be published on or before November 5, 2022.

+| View for a retail worker |View for a retail manager |

+| :- | :- |

+|  |  |

+

+|Manufacturing |A supervisor can send the **Leadership** badge to a foreman whose team is performing well. |

+### Use Viva Connections to create a personalized experience

+Viva Connections is part of the [Microsoft Viva suite](/viva/microsoft-viva-overview) and enables you to create a personalized landing experience in Teams.

+

+Use the Viva Connections Dashboard and add the Shifts, Tasks, and Approvals cards. Cards are connected to the Shifts, Tasks, and Approvals apps in Teams. Content in the cards is dynamic and personalized to the user.

+Learn more about [how to get Viva Connections](/viva/connections/viva-connections-overview) and [how to create a Viva Connections Dashboard](/viva/connections/create-dashboard).

+- [Microsoft OneDrive LTI with D2l Brightspace](onedrive-lti-brightspace.md)

+ Title: Use Microsoft OneDrive LTI with Blackboard

+description: Create and grade assignments, build and curate course content, and collaborate on files in real time with the new Microsoft OneDrive Learning Tools Interoperability for Blackboard.

+# Use Microsoft OneDrive LTI with Blackboard

+ > [!CAUTION]

+ > If this step isn't performed, the following step will give you an error, and you won't be able to take this step for an hour once you've gotten the error.

+ Title: Integrate Microsoft OneDrive LTI with Desire2Learn Brightspace

+audience: admin

+ms.localizationpriority: medium

+description: Create and grade assignments, build and curate course content, and collaborate on files in real time with the new Microsoft OneDrive Learning Tools Interoperability for Desire2Learn Brightspace.

+# Integrate Microsoft OneDrive LTI with Desire2Learn Brightspace

+This guide provides IT admins steps for registering the OneDrive LTI app for the Desire2Learn (D2L) Brightspace LMS.

+For an overview of Microsoft LTI, see [Integrating Microsoft products with your Learning Management System (LMS)](index.md).

+The steps to add the OneDrive LTI app are:

+1. [Step 1: Add the new Microsoft OneDrive LTI app](#step-1-add-the-new-microsoft-onedrive-lti-app).

+1. [Step 2: Deploy the LTI app in users' Brightspace experience](#step-2-deploy-the-lti-app-in-users-brightspace-experience).

+1. [Step 3: Turn off the older OneDrive app](#step-3-turn-off-the-older-onedrive-app).

+1. [Step 4: Turn on the new OneDrive LTI app on the Quicklinks activity bar](#step-4-turn-on-the-new-onedrive-lti-app-on-the-quicklinks-activity-bar-optional) (optional).

+> [!IMPORTANT]

+> The person who performs this integration should be an administrator of Brightspace and an administrator of the Microsoft 365 tenant.

+>

+> The source documentation for LTI 1.3 settings is located in the [LTI Advantage - Administrator Guide](https://community.brightspace.com/s/article/LTI-Advantage-Administrator-Guide).

+## Step 1: Add the new Microsoft OneDrive LTI app

+### Register a new Microsoft OneDrive LTI app

+1. Sign into the [Microsoft OneDrive LTI Registration Portal](https://onedrivelti.microsoft.com/admin).

+1. Select the **Admin Consent** button and accept the permissions.

+ 1. If this step isn't performed, the following step will give you an error, and you won't be able to take this step for an hour once you've gotten the error.

+1. Select the **Create new LTI Tenant** button.

+1. In the **LTI Consumer Platform** list, select **D2L Brightspace**.

+1. In the **D2L Brightspace Base URL** field, enter your Brightspace base URL, like `https://testschool.brightspace.com`.

+1. Select the **Next** button. The **Register LTI 1.3 App** page will load.

+ 1. Keep this page open in its own tab when completing the next set of steps.

+### Add Microsoft LTI registration details to Brightspace

+1. In a new tab, open your Brightspace admin site to register the new Microsoft LTI app.

+1. Navigate to **Admin** > **Manage Extensibility** and select **LTI Advantage**.

+1. Select **Register App**.

+1. Register your app as **standard**.

+1. Enter a name for the app, like `OneDrive LTI`.

+1. Enter the domain of the URL where you registered the LTI app, like `https://onedrivelti.microsoft.com`.

+1. Using the details given in the Microsoft LTI Registration Portal, copy and paste the **Redirect URL**, **OpenID Connect Login URL**, and **Keyset URL** into Brightspace.

+ 1. Paste Microsoft's **Redirect URL** into Brightspace's **ToolOIDCLaunchRedirectUri** field.

+ 1. Paste Microsoft's **OpenID Connect Login URL** into Brightspace's **OIDCLoginInitiationUri** field.

+ 1. Paste Microsoft's **Keyset URL** in Brightspace's **ToolPublicJwksUri** field.

+1. Select the **Deep Linking** extension.

+1. Select **Register**.

+1. You'll be shown Brightspace registration details.

+ 1. Keep this page open in its own tab when completing the next set of steps.

+### Add Brightspace LTI registration details to the Microsoft LTI Registration Portal

+After the app is registered in Brightspace, copy values from Brightspace's registration portal into Microsoft's LTI registration portal.

+1. Navigate back your open tab of Microsoft's **Register LTI 1.3 App** page.

+1. Copy Brightspace registration details and paste them into Microsoft's LTI Registration Portal.

+ 1. Paste Brightspace's **Issuer** into Microsoft's **LTI Issuer** field.

+ 2. Paste Brightspace's **OpenID Connect Authentication Endpoint** into Microsoft's **LTI Authorize URL** field.

+ 3. Paste Brightspace's **Brightspace Keyset URL** into Microsoft's **LTI Public Jwks URL** field.

+ 4. Paste Brightspace's **Brightspace OAuth2 Access Token URL** into Microsoft's **LTI Access Token URL** field.

+ 5. Paste Brightspace's **Client ID** into Microsoft's **LTI Client ID** field.

+1. Select the **Next** button.

+1. Select the **Save** button.

+1. A message saying *LTI consumer was created successfully.* will appear.

+1. Review your registration details by selecting the **View LTI Tenants** button on the home page.

+## Step 2: Deploy the LTI app in users' Brightspace experience

+After Microsoft OneDrive LTI and Brightspace are connected, you need to deploy the OneDrive LTI app in users' Brightspace experience.

+1. Sign into your Brightspace admin site.

+1. Select the LTI app that you created.

+1. Enter in a deployment a name.

+1. Select all security settings except **Classlist** and **Anonymous**.

+1. Don't set configuration settings.

+1. Select **Create Deployment**.

+1. Choose the org units you want to use the new LTI app. You can select the root org to include everyone or select individual org units.

+### Create links to the OneDrive LTI app in users' Brightspace experience

+1. Sign into your Brightspace admin site.

+1. Select the Brightspace OneDrive LTI app you created. Deployment details will appear.

+1. Select **View Links**.

+1. Select **Create a link**.

+1. Enter in a name for the link.

+1. Paste the **Redirect URL** into the **URL** field.

+1. Set the **Type** to **Deep Linking Quicklink**.

+1. Select the **Save and Close** button.

+The OneDrive LTI app will now show up in **Add Existing Content** and **QuickLinks** in Brightspace. The link will show a generic *link* icon rather than a OneDrive *cloud* icon. Also, the title will reflect the name provided in the app's LTI link settings.

+## Step 3: Turn off the older OneDrive app

+The OneDrive LTI app is now available to users, but the older OneDrive app must now be turned off.

+1. Sign in to your Brightspace admin portal.

+1. Navigate to **Admin** > **Config Variable Browser**

+1. Locate the variable titled **d2l.3rdParty.OneDrive.EnableOneDrivePicker** and set the value to **off**.

+## Step 4: Turn on the new OneDrive LTI app on the Quicklinks activity bar (optional)

+To add the OneDrive LTI app to Brightspace's activity bar, set an org unit **Config Variable** to the **link ID** of the LTI app.

+You'll need to repeat these steps for every org ID (or parent org ID) where you want the OneDrive LTI app to appear in the activity bar.

+### Collect the Link IDs

+1. Sign in to your Brightspace admin portal.

+1. Navigate to **Admin** > **External Learning Tools** > **LTI Advantage Deployments** > **View Links** at the bottom of the page.

+1. Navigate to the correct link, and then move your mouse to the URL at the top of the browser.

+ 1. For example, `https://example.desire2learn.com/d2l/le/ltiadvantage/deployments/3bfcc0b7-2fb6-4ffe-b353-95b520d4bae6/links/details/25988`.

+1. Copy the digits after the final `/` in the URL.

+ 1. For example, using the URL above, copy `25988`.

+### Update the Config Variables

+1. In the Brightspace admin portal, navigate to **Admin** > **Config Variable Browser**.

+1. Locate the variable titled **3rdparty.microsoft.onedriveLTI.linkId**, and paste the copied URL to the **link ID** field for the org units where OneDrive LTI should appear.

+ 1. This value is a number.

+## Common questions concerning the OneDrive LTI app

+### Does the new OneDrive LTI FilePicker support personal accounts?

+Yes, personal accounts are allowed to open OneDrive to upload the files. There's a checkbox in the app in the OneDrive LTI registration portal to allow multiple accounts or not. If checked, personal accounts are allowed.

+### Does the FilePicker support multiple languages?

+The OneDrive LTI FilePicker looks at the LTI language setting parameter passed from the LMS, and (as backup) the browser setting (since the former is an optional claim) to determine the language to use.

+Microsoft Defender Antivirus and Defender for Endpoint alert severities are different because they represent different scopes.

+- An alert about a commercial malware was detected while executing, but blocked and remediated by Microsoft Defender Antivirus, is categorized as "Low" because it may have caused some damage to the individual device but poses no organizational threat.

+keywords: troubleshoot, error, fix, update compliance, oms, monitor, report, Microsoft Defender AV, Microsoft Defender Antivirus

+keywords: troubleshoot, error, fix, update compliance, oms, monitor, report, Microsoft Defender av, group policy object, setting, diagnostic data, Microsoft Defender Antivirus

+description: Learn how to use Group Policy, Configuration Manager, PowerShell, WMI, Intune, and the command line to manage Microsoft Defender Antivirus

+description: You can configure Microsoft Defender Antivirus to scan email storage files, back-up or reparse points, network files, and archived files (such as .zip files).

+This capability requires Microsoft Defender Antivirus:

+3. Expand the tree to **Windows components** \> **Microsoft Defender Antivirus** \> **Exclusions**.

+description: Enable or disable users from locally changing settings in Microsoft Defender Antivirus.

+For example, the following code snippet would cause Microsoft Defender Antivirus scans to exclude any file that is opened by the specified process:

+description: Enable behavior-based, heuristic, and real-time protection in Microsoft Defender Antivirus.

+- Enable the Microsoft Defender Antivirus feature and ensure it's up to date. For more information on enabling Defender Antivirus on Windows Server, see [Re-enable Defender Antivirus on Windows Server if it was disabled](enable-update-mdav-to-latest-ws.md#re-enable-microsoft-defender-antivirus-on-windows-server-if-it-was-disabled) and [Re-enable Defender Antivirus on Windows Server if it was uninstalled](enable-update-mdav-to-latest-ws.md#re-enable-microsoft-defender-antivirus-on-windows-server-if-it-was-uninstalled).

+- Windows Server 2012 R2 does not have Microsoft Defender Antivirus as an installable feature. When you onboard those servers to Defender for Endpoint, you will install Microsoft Defender Antivirus, and default exclusions for operating system files are applied. However, exclusions for server roles (as specified below) don't apply automatically, and you should configure these exclusions as appropriate. To learn more, see [Onboard Windows servers to the Microsoft Defender for Endpoint service](configure-server-endpoints.md).

+> There are performance and feature improvements to the way in which Microsoft Defender Antivirus operates on virtual machines in Windows 10 Insider Preview, build 18323 (and later). We'll identify in this guide if you need to be using an Insider Preview build; if it isn't specified, then the minimum required version for the best protection and performance is Windows 10 1607.

+description: Presents methods to retrieve Microsoft Defender Antivirus device health details.

+- Microsoft Defender Antivirus as primary AV (real-time protection on)

+For more information about disabling local list merging, see [Prevent or allow users to locally modify Microsoft Defender Antivirus policy settings](/windows/security/threat-protection/microsoft-defender-antivirus/configure-local-policy-overrides-microsoft-defender-antivirus).

+ |84|Set Microsoft Defender Antivirus running mode. Force passive mode: %1, result code: %2.|Set defender running mode (active or passive).|Normal operating notification; no action required.|

+- This feature is available if your organization uses Microsoft Defender Antivirus and Cloud-based protection is enabled. For more information, see [Manage cloud-based protection](/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).

+You'll see details such as the file's MD5, the Virus Total detection ratio, and Microsoft Defender Antivirus detection if available, and the file's prevalence.

+- Cards (active alerts, logged on users, security assessment, device health status)

+

+### Device health status

+The **Device health status** card shows a summarized health report for the specific device. One of the following status is displayed at the top of the card to indicate the overall status of the device:

+- Device is up to date

+- Platform is not up to date

+- Full scan failed

+- Quick scan failed

+- Engine is not up to date

+- Security intelligence is not up to date

+- Defender Antivirus not active

+- Status not available for macOS & Linux

+Other information in the card include: the last full scan, last quick scan, security intelligence update version, engine update version, platform update version, and Defender Antivirus mode.

+>[!NOTE]

+>The overall status message for macOS and Linux devices currently shows up as 'Status not available for macOS & Linux'. Currently, the status summary is only available for Windows devices. All other information in the table is up to date to show the individual states of each device health signal for all supported platforms.

+To gain an in-depth view of the device health report, you can go to **Reports > Devices health**. For more information, see [Device health and compliance report in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/machine-reports).

+Sliding the switch to **On** will show the standard Microsoft Defender Antivirus options underneath the third party AV product. The limited periodic scanning option will appear at the bottom of the page.

+### Report access permissions

+To access the Device health and antivirus compliance report in the Microsoft 365 Security dashboard, the following permissions are required:

+| Permission name | Permission type |

+|:|:|

+| View Data | Threat and vulnerability management (TVM) |

+To Assign these permissions:

+1. Log in to <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender</a> using account with Security administrator or Global administrator role assigned.

+1. In the navigation pane, select **Settings** \> **Endpoints** \> **Roles** (under **Permissions**).

+1. Select the role you'd like to edit.

+1. Click **Edit**.

+1. In **Edit role**, on the **General** tab, in **Role name**, type a name for the role.

+1. In **Description** type a brief summary of the role.

+1. In **Permissions**, select **View Data**, and under **View Data** select **Threat and vulnerability management** (TVM).

+For more information about user role management, see [Create and manage roles for role-based access control](user-roles.md).

+Microsoft Defender Antivirus can make changes to its protection based on cloud-delivered protection. Such changes can occur outside of normal or scheduled protection updates.

+If you have enabled cloud-delivered protection, Microsoft Defender Antivirus will send files it is suspicious about to the Windows Defender cloud. If the cloud service reports that the file is malicious, and the file is detected in a recent protection update, you can use Group Policy to configure Microsoft Defender Antivirus to automatically receive that protection update. Other important protection updates can also be applied.

+The same list of indicators is honored by the prevention agent. Meaning, if Microsoft Defender Antivirus is the primary Antivirus configured, the matched indicators will be treated according to the settings. For example, if the action is "Alert and Block", Microsoft Defender Antivirus will prevent file executions (block and remediate) and a corresponding alert will be raised. On the other hand, if the Action is set to "Allow", Microsoft Defender Antivirus will not detect nor block the file from being run.

+4. Expand the tree to **Windows components** \> **Microsoft Defender Antivirus** \> **Signature Updates** and configure the following settings:

+description: You can use Microsoft Defender Offline straight from the Microsoft Defender Antivirus app. You can also manage how it is deployed in your network.

+Microsoft Defender Offline uses the most recent protection updates available on the endpoint; it's updated whenever Microsoft Defender Antivirus is updated.

+> Before running an offline scan, you should attempt to update Microsoft Defender Antivirus protection. You can either force an update with Group Policy or however you normally deploy updates to endpoints, or you can manually download and install the latest protection updates from the [Microsoft Malware Protection Center](https://www.microsoft.com/security/portal/definitions/adl.aspx).

+Microsoft Defender Offline notifications are configured in the same policy setting as other Microsoft Defender Antivirus notifications.

+keywords: wdav, antivirus, firewall, security, windows, microsoft defender antivirus

+- **Other recommended features**- Having Microsoft Defender Antivirus enabled, along with Cloud Protection and Behavior Analysis is highly recommended. We recommend that you use other prevention, such as the ASR rule "Use advanced protection against ransomware". This provides a greater level of protection against ransomware attacks. Furthermore, many of these registry keys are monitored by Microsoft Defender for Endpoint, such as ASEP techniques, which will trigger specific alerts. The registry keys used require a minimum of Local Admin or Trusted Installer privileges can be modified. Using a locked down environment, with minimum administrative accounts or rights, is recommended. Other system configurations can be enabled, including "Disable SeDebug for non-required roles" that are part of our wider security recommendations.

+- **Other recommended features**- Having Microsoft Defender Antivirus enabled, along with Cloud Protection and Behavior Analysis is highly recommended. We recommend you use additional prevention, such as the ASR rule "Use advanced protection against ransomware". This provides a greater level of protection against ransomware attacks. Furthermore, several of these registry keys are monitored by Microsoft Defender for Endpoint, such as ASEP techniques, which will trigger specific alerts. Additionally, the registry keys used require a minimum of Local Admin or Trusted Installer privileges can be modified. Using a locked down environment, with minimum administrative accounts or rights, is recommended. Other system configurations can be enabled, including "Disable SeDebug for non-required roles" that are part of our wider security recommendations.

+- **Other recommended features**- Microsoft Defender Antivirus prevents CertUtil from creating or downloading executable content.

+ - **Microsoft Defender for Endpoint Linux client version**: 101.78.13 -insiderSlow(Preview)

+The following example shows the sequence of commands needed to the mdatp package on ubuntu 20.04 for insiders-Slow channel.

+curl -o microsoft.list https://packages.microsoft.com/config/ubuntu/20.04/insiders-slow.list

+sudo mv ./microsoft.list /etc/apt/sources.list.d/microsoft-insiders-slow.list

+Verify that Microsoft Defender Antivirus and Microsoft Defender for Endpoint are running.

+> Running Microsoft Defender Antivirus is not required but it is recommended. If another antivirus vendor product is the primary endpoint protection solution, you can run Defender Antivirus in Passive mode. You can only confirm that passive mode is on after verifying that Microsoft Defender for Endpoint sensor (SENSE) is running.

+1. Run the following command to verify that Microsoft Defender Antivirus is installed:

+ If the result is 'The specified service doesn't exist as an installed service', then you'll need to install Microsoft Defender Antivirus. For more information, see [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-windows.md).

+After completing this task, you now have successfully configured Microsoft Defender Antivirus.

+## Use Group Policy to hide the Microsoft Defender Antivirus interface from users

+description: Use Configuration Manager or security information and event management (SIEM) tools to consume reports, and monitor Microsoft Defender Antivirus with PowerShell and WMI.

+keywords: siem, monitor, report, Microsoft Defender AV, Microsoft Defender Antivirus

+> - A Microsoft Defender Antivirus scan can run alongside other antivirus solutions, whether Microsoft Defender Antivirus is the active antivirus solution or not. Microsoft Defender Antivirus can be in Passive mode. For more information, see [Microsoft Defender Antivirus compatibility](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-compatibility).

+The Action center will show the scan information and the device timeline will include a new event, reflecting that a scan action was submitted on the device. Microsoft Defender Antivirus alerts will reflect any detections that surfaced during the scan.

+> - A Microsoft Defender Antivirus scan can run alongside other antivirus solutions, whether Microsoft Defender Antivirus is the active antivirus solution or not. Microsoft Defender Antivirus can be in Passive mode. For more information, see [Microsoft Defender Antivirus compatibility](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-compatibility).

+keywords: event, error code, logging, troubleshooting, microsoft defender antivirus, windows defender antivirus, migration, microsoft defender antivirus

+5007|Microsoft-Windows-Windows Defender/Operational|Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. <p> **Old value:** Default\IsServiceRunning = 0x0 <p> **New value:** HKLM\SOFTWARE\Microsoft\Windows Defender\IsServiceRunning = 0x1|Windows Defender

+5010|Microsoft-Windows-Windows Defender/Operational|Microsoft Defender Antivirus scanning for spyware and other potentially unwanted software is disabled.|Windows Defender

+Information about Microsoft Defender Antivirus will be listed within the Services app under **Windows Defender** \> **Operational**. The antivirus service name is *Microsoft Defender Antivirus Service*.

+While checking the app, you may see that *Microsoft Defender Antivirus Service* is set to manual, but when you try to start this service manually, you get a warning stating, *The Microsoft Defender Antivirus Service service on Local Computer started and then stopped. Some services stop automatically if they are not in use by other services or programs.*

+Within the GPResults report, under the heading, *Windows Components/Microsoft Defender Antivirus*, you may see something like the following entry, indicating that Microsoft Defender Antivirus is turned off.

+Turn off Microsoft Defender Antivirus|Enabled|Win10-Workstations

+The following section describes the Get-MpPerformanceReport PowerShell cmdlet. Analyzes and reports on Microsoft Defender Antivirus performance recording.

+## August 2022

+- [Device health status](investigate-machines.md#device-health-status)<br>The Device health status card shows a summarized health report for the specific device.

+- [Device health reporting (Preview)](/microsoft-365/security/defender-endpoint/machine-reports)<br> The devices status report provides high-level information about the devices in your organization. The report includes trending information showing the sensor health state, antivirus status, OS platforms, and Windows 10 versions.

+## Get access

+To use advanced hunting or other [Microsoft 365 Defender](microsoft-365-defender.md) capabilities, you need an appropriate role in Azure Active Directory. [Read about required roles and permissions for advanced hunting](custom-roles.md).

+Also, your access to endpoint data is determined by role-based access control (RBAC) settings in Microsoft Defender for Endpoint. [Read about managing access to Microsoft 365 Defender](m365d-permissions.md).

+## AlertInfo

+The miscellaneous device events or `DeviceEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about various event types, including events triggered by security controls, such as Microsoft Defender Antivirus and exploit protection. Use this reference to construct queries that return information from this table.

+| **[DeviceEvents](advanced-hunting-deviceevents-table.md)** | Multiple event types, including events triggered by security controls such as Microsoft Defender Antivirus and exploit protection |

+ "description": "Readily available tools, such as hacking programs, can be used by unauthorized individuals to spy on users. When used by attackers, these tools are often installed without authorization and used to compromise targeted machines.\n\nThese tools are often used to collect personal information from browser records, record key presses, access email and instant messages, record voice and video conversations, and take screenshots.\n\nThis detection might indicate that Microsoft Defender Antivirus has stopped the tool from being installed and used effectively. However, it is prudent to check the machine for the files and processes associated with the detected tool.",

+When you edit a rule, it will run with the applied changes in the next run time scheduled according to the frequency you set. The rule frequency is based on the event timestamp and not the ingestion time.

+- **Run antivirus scan**ΓÇöperforms a full Microsoft Defender Antivirus scan on the device

+* **Run antivirus scan** - Updates Microsoft Defender Antivirus definitions and immediately runs an antivirus scan. Choose between Quick scan or Full scan.

+ c. [Turn on Microsoft Defender Antivirus](/windows/security/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features). If you are having trouble enabling Microsoft Defender Antivirus, see [this troubleshooting topic](/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding#ensure-that-microsoft-defender-antivirus-is-not-disabled-by-a-policy).

+ - Has [Microsoft Defender Antivirus](/windows/security/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features) enabled. If you are having trouble enabling Microsoft Defender Antivirus, see this [troubleshooting topic](/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding#ensure-that-microsoft-defender-antivirus-is-not-disabled-by-a-policy).

+> You can do on-demand scans on a device page. In the Microsoft 365 Defender portal, choose **Endpoints > Device inventory**. Select a device that has alerts, and then run an antivirus scan. Actions, such as antivirus scans, are tracked and are visible on the **Device inventory** page. To learn more, see [Run Microsoft Defender Antivirus scan on devices](/microsoft-365/security/defender-endpoint/respond-machine-alerts#run-microsoft-defender-antivirus-scan-on-devices).

+As an admin, you might have company requirements to restrict or control automatically forwarded messages to external recipients (recipients outside of your organization). Email forwarding can be useful, but can also pose a security risk due to the potential disclosure of information. Attackers might use this information to attack your organization or partners.

+|**If mailbox intelligence detects an impersonated user** <br><br> _MailboxIntelligenceProtectionAction_|**Don't apply any action** <br><br> `NoAction`|**Move message to the recipients' Junk Email folders** <br><br> `MoveToJmf`|**Quarantine the message** <br><br> `Quarantine`||

+When a group expires, [almost all of its associated services (the mailbox, Planner, SharePoint site, team, etc.) are also deleted](/microsoft-365/solutions/end-life-cycle-groups-teams-sites-yammer).

+Administrators can specify an expiration period and any inactive group that reaches the end of that period, and is not renewed, will be deleted. (This includes archived teams.) The expiration period begins when the group is created, or on the date it was last renewed. Group owners will automatically be sent a notification before the expiration that allows them to renew the group for another expiration interval. Expiration notices for groups used in Teams appear in the Teams Owners feed.

+As noted above, expiry is turned off by default. An administrator will have to enable the expiration policy and set the properties for it to take effect. To enable it, go to **Azure Active Directory** > **Groups** > **Expiration**. Here you can set the default group lifetime.

+If the group does not have an owner, the expiration emails will go to the specified email.

+|Add the whiteboard to a channel or chat from a desktop or mobile device|Storage: OneDrive for Business<br><br>Owner: User who creates the whiteboard|Not applicable (only applies to meetings)|In-tenant users: Can initiate, view, and collaborate<br><br>External users: Not supported<br><br>Teams guests: Not supported<br><br>Shared device accounts: Not applicable|