Updates from: 08/26/2021 03:10:03
Category Microsoft Docs article Related commit history on GitHub Change details
admin Scoped Certified Application Installation And Config https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/misc/scoped-certified-application-installation-and-config.md
Some prerequisites are necessary to set up the Microsoft 365 support integration
:::image type="content" source="../../media/ServiceNow-guide/ServiceNow-guide-image8.png" alt-text="Graphical user interface, application Description automatically generated":::
-### \[Optional\] Whitelist the serviceΓÇÖs Ips of Microsoft 365 support integration
+### \[Optional\] Allow the serviceΓÇÖs Ips of Microsoft 365 support integration
-If your company is limiting internet access with your own policies, enable network access for the service of Microsoft 365 support integration by whitelisting the IP addresses below for both inbound and outbound API access.
+If your company is limiting internet access with your own policies, enable network access for the service of Microsoft 365 support integration by allowing the IP addresses below for both inbound and outbound API access.
- 52.149.152.32
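Review bot: the replacement heading still carries the mis-encoded apostrophe "ΓÇÖ" (should be "service's") and "Ips" should be "IPs"; fix both while the line is being touched. The instruction also asks readers to allow these addresses for inbound as well as outbound access; stating which ports and protocols the integration actually uses would let administrators scope that inbound rule instead of opening all traffic from the listed address.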
These steps are required to set up the integration between your ServiceNow insta
- Select the integration user created in [Prerequisites (Basic Authentication)](#prerequisites-basic-authentication) step \#4 and select **Next**. 7. \[The person who is a ServiceNow admin\] Set up Repository ID. Specify the repository ID, and then select **Next**. 8. \[The person who is a ServiceNow admin\] Set up Application settings.
These prerequisite steps are necessary to set up the Microsoft 365 support integ
:::image type="content" source="../../media/ServiceNow-guide/ServiceNow-guide-image26.png" alt-text="Graphical user interface, application Description automatically generated":::
-### \[Optional\] Whitelist the serviceΓÇÖs Ips of Microsoft 365 support integration
+### \[Optional\] Allow the serviceΓÇÖs Ips of Microsoft 365 support integration
-If your company is limiting internet access with your own policies, enable network access for the service of Microsoft 365 support integration by whitelisting these IP addresses for both inbound and outbound API access:
+If your company is limiting internet access with your own policies, enable network access for the service of Microsoft 365 support integration by allowing these IP addresses for both inbound and outbound API access:
- 52.149.152.32
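Review bot: same defects as the earlier section of this article: "ΓÇÖ" in the heading should be a plain apostrophe, "Ips" should be "IPs", and the inbound allow rule would be easier to scope if the text named the required ports and protocols rather than only the address.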
Select OAuth profile for Outbound OAuth Provider created at [Prerequisites (AAD
1. Input the Client ID of the application that was created at [Prerequisites (AAD OAuth Token)](#prerequisites-aad-oauth-token) step \#3 and select **Next**.
- :::image type="content" source="../../media/ServiceNow-guide/ServiceNow-guide-image29.png" alt-text="Graphical user interface, text, application, email Description automatically generated":::
+ :::image type="content" source="../../media/ServiceNow-guide/ServiceNow-guide-image14.png" alt-text="Graphical user interface, text, application, email Description automatically generated":::
7. \[The person who is a ServiceNow admin\] Set up the Repository ID.
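Review bot: the screenshot reference changes from image29 to image14 but keeps the auto-generated alt text "Graphical user interface, text, application, email Description automatically generated", which tells a screen-reader user nothing about the step; describe what the image shows (the Client ID field for the OAuth application) instead.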
Select OAuth profile for Outbound OAuth Provider created at [Prerequisites (AAD
1. Check the following information to make sure it's correct.
- :::image type="content" source="../../media/ServiceNow-guide/ServiceNow-guide-image30.png" alt-text="Graphical user interface, text, application, email Description automatically generated":::
+ :::image type="content" source="../../media/ServiceNow-guide/ServiceNow-guide-image17.png" alt-text="Graphical user interface, text, application, email Description automatically generated":::
1. Go to Microsoft 365 [Admin Portal](https://admin.microsoft.com) > **Settings** > **Settings** > **Organization profiles**.
admin Self Service Sign Up https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/misc/self-service-sign-up.md
- okr_SMB - commerce_signup search.appverid: MET150
-description: "Learn about the Microsoft 365 self-service sign-up and available self-service programs such as Microsoft Power Apps, Microsoft Flow, and Dynamics 365 for Finance."
+description: "Learn about the Microsoft 365 self-service sign-up and available self-service programs such as Microsoft Power Apps, Microsoft Power Automate, and Dynamics 365 for Finance."
Last updated 03/17/2021
admin Get Started Windows 365 Business https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/setup/get-started-windows-365-business.md
Whether you purchased your subscriptions through the Windows 365 products site,
You can assign different Windows 365 Business license types to a user, based on the users business need. See [Windows 365 Business sizing options](windows-365-business-sizing.md) for guidance on which license type might be suitable for your users. > [!IMPORTANT]
-> The first time a Windows 365 license is assigned on your tenant, a system account called "CloudPCBPRT" is automatically created in Azure Active Directory. Do not delete this account. If the system account is deleted, the setup might fail. This system account ensures a smooth set up process, and doesn't have any write capabilities or access to your tenant beyond the scoped service capabilities of Windows 365 Business. If you delete this user, file a ticket through Support Central.
+> The first time a Windows 365 license is assigned on your tenant, a system account called **Windows 365 BPRT Permanent User** is automatically created in Azure Active Directory. Do not delete this account or make any changes to it (such as changing the name or UPN). If the system account is deleted, the setup might fail. This system account ensures a smooth set up process, and doesn't have any write capabilities or access to your tenant beyond the scoped service capabilities of Windows 365 Business. If you delete this user, file a ticket through Support Central.
## Get your users started with Cloud PC
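Review bot: the new note identifies the system account only by its display name, while also telling readers never to change its name or UPN; listing the UPN pattern (or another stable identifier) would let administrators confirm they are looking at the genuine account rather than any user that happens to carry the same display name. Two smaller points on the + line: "a smooth set up process" should read "setup process" (the troubleshooting article in this same update uses "setup"), and this article says to "file a ticket through Support Central" while the troubleshooting article says to "open a new support request"; align the two.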
admin Troubleshoot Windows 365 Business https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/setup/troubleshoot-windows-365-business.md
Make sure **Users may join devices to Azure AD** is set to **All**.
2. Under **Manage Azure Active Directory**, select **View**. 3. In the left nav, under **Manage**, select **Devices**, then select **Device settings**. 4. If **Users may join devices to Azure AD** isn't set to **All**, select **All**, then select **Save**.
-5. Go to [Step 2. Verify that the CloudPCBRT system account is active](#step-2-verify-that-the-cloudpcbrt-system-account-is-active).
+5. Go to [Step 2. Verify that the Windows 365 BPRT Permanent User system account is active](#step-2-verify-that-the-windows-365-bprt-permanent-user-system-account-is-active).
-## Step 2. Verify that the CloudPCBRT system account is active
+## Step 2. Verify that the Windows 365 BPRT Permanent User system account is active
-The first time a Windows 365 license is assigned in your organization, a system account called "CloudPCBPRT" is automatically created in Azure AD. Do not delete this account or make any changes to it (such as changing the name or UPN). If the system account is deleted, the setup will fail. This system account ensures a smooth setup process and doesn't have any write capabilities or access to your organization beyond the scoped service capabilities of Windows 365 Business. If you delete this system account, you must open a new support request to have it restored.
+The first time a Windows 365 license is assigned in your organization, a system account called **Windows 365 BPRT Permanent User** is automatically created in Azure AD. Do not delete this account or make any changes to it (such as changing the name or UPN). If the system account is deleted, the setup will fail. This system account ensures a smooth setup process and doesn't have any write capabilities or access to your organization beyond the scoped service capabilities of Windows 365 Business. If you delete this system account, you must open a new support request to have it restored.
-To make sure the CloudPCBRT system account is active in Azure AD, use the following steps.
+To make sure the Windows 365 BPRT Permanent User system account is active in Azure AD, use the following steps.
1. In the Azure portal, go to the <a href="https://go.microsoft.com/fwlink/p/?linkid=516942" target="_blank">Azure Active Directory Overview</a> page. 2. In the left nav, under **Manage**, select **Users**.
-3. In the search box, type **CloudPCBRT**, then press **Enter**.
-4. If the CloudPCBRT system account is present, go to [Step 3. Verify that device-based MFA is turned off](#step-3-verify-that-device-based-mfa-is-turned-off).
-5. If the CloudPCBRT system account is missing, in the left nav, select **New support request** to open a support ticket. After the support ticket is closed, go directly to [Step 6. Reset your Cloud PCs](#step-6-reset-your-cloud-pcs).
+3. In the search box, type **Windows 365 BPRT Permanent User**, then press **Enter**.
+4. If the Windows 365 BPRT Permanent User system account is present, go to [Step 3. Verify that device-based MFA is turned off](#step-3-verify-that-device-based-mfa-is-turned-off).
+5. If the Windows 365 BPRT Permanent User system account is missing, in the left nav, select **New support request** to open a support ticket. After the support ticket is closed, go directly to [Step 6. Reset your Cloud PCs](#step-6-reset-your-cloud-pcs).
## Step 3. Verify that device-based MFA is turned off
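Review bot: step 3 of the procedure has the reader search the Users list for the display name "Windows 365 BPRT Permanent User" and step 4 treats any hit as the system account being present; since the preceding paragraph stresses that the name and UPN must never change, the steps should also state the expected UPN so the reader can tell the genuine account from a look-alike user with the same display name. The rewrite also removes the old text's inconsistent spellings ("CloudPCBPRT" in the paragraph, "CloudPCBRT" in the steps), which is good; make sure no other page still links to the old anchor `#step-2-verify-that-the-cloudpcbrt-system-account-is-active`.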
admin Usage Analytics Data Model https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/usage-analytics/usage-analytics-data-model.md
This table contains data about each user who had an activity in any of the servi
|SPO_GroupFileSynched <br/> |Number of files this user synchronized on any group site. <br/> | |SPO_GroupFileSharedInternally <br/> |The count of files that have been shared with users within the organization, or with users within groups (that might include external users). <br/> | |SPO_GroupFileSharedExternally <br/> |Number of files this user shared externally from any group site. <br/> |
-|SPO_GroupAccessByOwner <br/> |Number of files the user interacted with that reside on a group site that they own. <br/> |
-|SPO_GroupAccessByOthers <br/> |Number of files the user interacted with that reside on a group site that another user owns. <br/> |
+|SPO_GroupAccessedByOwner <br/> |Number of sites the user interacted with that reside on a group site that they own. <br/> |
+|SPO_GroupAccessedByOthers <br/> |Number of sites the user interacted with that reside on a group site that another user owns. <br/> |
|SPO_OtherFileViewedModified <br/> |Number of files with which this user interacted on any other site. <br/> | |SPO_OtherFileSynched <br/> |Number of files this user synchronized from any other site. <br/> | |SPO_OtherFileSharedInternally <br/> |Number of files this user shared internally from any other site, or with users within groups (that might include external users). <br/> |
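Review bot: renaming `SPO_GroupAccessByOwner` and `SPO_GroupAccessByOthers` to `SPO_GroupAccessedByOwner` and `SPO_GroupAccessedByOthers` changes column names in a data model that customer reports and queries may reference; the table (or a note above it) should record the old names and when the rename takes effect so consumers can update. The new descriptions also read oddly: "Number of sites the user interacted with that reside on a group site" describes a site residing on a site; if the metric now counts group sites rather than files, say "Number of group sites the user owns and interacted with".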
This table contains data about each user who had an activity in any of the servi
|SPO_TeamFileSynched <br/> |Number of files this user synchronized from any team site. <br/> | |SPO_TeamFileSharedInternally <br/> |Number of files this user shared internally from any team site, or with users within groups (that might include external users). <br/> | |SPO_TeamFileSharedExternally <br/> |Number of files this user shared externally from any team site. <br/> |
-|SPO_TeamAccessByOwner <br/> |Number of files the user interacted with that reside on a team site that they own. <br/> |
-|SPO_TeamAccessByOthers <br/> |Number of files the user interacted with that reside on a team site that another user owns. <br/> |
+|SPO_TeamAccessedByOwner <br/> |Number of sites the user interacted with that reside on a team site that they own. <br/> |
+|SPO_TeamAccessedByOthers <br/> |Number of sites the user interacted with that reside on a team site that another user owns. <br/> |
|Teams_ChatMessages <br/> |Number of chat messages sent. <br/> | |Teams_ChannelMessage <br/> |Number of messages posted to channels. <br/> | |Teams_CallParticipate <br/> |Number of calls the user participated in. <br/> |
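Review bot: same issue as the group-site rows: `SPO_TeamAccessByOwner` and `SPO_TeamAccessByOthers` are renamed without any note for existing report consumers, and "Number of sites the user interacted with that reside on a team site" should be reworded to say plainly that team sites (not files on them) are being counted.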
business-video Choose Subscription https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business-video/choose-subscription.md
Choosing the right Microsoft 365 subscription is key to getting the most out of
| **Email &amp; calendar** | Outlook, Exchange Online | 50 GB | 50 GB | 100 GB | | **Hub for teamwork** | Chat-based workspace, online meetings, and more in Microsoft Teams | Yes | Yes | Yes | | **File storage** | OneDrive for Business | 1 TB per user | 1 TB per user | Unlimited |
-| **Social, video, sites** | Stream, Yammer, Planner, SharePoint Online\*, Power Apps\*, Microsoft Flow\* | Yes | Yes | Yes |
+| **Social, video, sites** | Stream, Yammer, Planner, SharePoint Online\*, Power Apps\*, Power Automate\* | Yes | Yes | Yes |
| **Business apps** | Scheduling apps - Bookings\*\* | Yes | Yes | Yes | | **Threat Protection** | Office 365 Advanced Threat Protection | No | Yes | No | | Windows Exploit Guard enforcement| | No | Yes | No |
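Review bot: while the product name in this row is being updated, the neighbouring rows in the same table still need attention: "Office 365 Advanced Threat Protection" is the pre-2020 name of Microsoft Defender for Office 365, and the "Windows Exploit Guard enforcement" row has an empty second column where every other row gives a description.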
business-video Setup Anti Phishing https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business-video/setup-anti-phishing.md
Phishing is a malicious attack where an email looks like it was sent from a fami
## Try it!
-1. In the admin center at [https://admin.microsoft.com](https://admin.microsoft.com), select **Security**, **Threat Management**, **Policy**, then **ATP Anti-phishing**.
+1. In the admin center at [https://admin.microsoft.com](https://admin.microsoft.com), select **Security**, **Policies & rules**, **Threat Policies**, then **Anti-phishing**.
1. Select **Default Policy** to refine it.
-1. In the **Impersonation** section, select **Edit**.
-1. Go to **Add domains to protect** and select the toggle to automatically include the domains you own.
-1. Go to **Actions**, open the drop-down **If email is sent by an impersonated user**, and choose the action you want.
-
- Open the drop-down **If email is sent by an impersonated domain** and choose the action you want.
-1. Select **Turn on impersonation safety tips**. Choose whether tips should be provided to users when the system detects impersonated users, domains, or unusual characters. Select **Save**.
-1. Select **Mailbox intelligence** and verify that it's turned on. This allows your email to be more efficient by learning usage patterns.
+1. In the **Phishing threshold & protection** section, select **Edit protection settings**.
+1. Choose **Enable domains to protect** and select **Include the domains you own** and **Include custom domain**, then select **Manage custom domain(s)** to add a domain.
1. Choose **Add trusted senders and domains**. Here you can add email addresses or domains that shouldn't be classified as an impersonation.
-1. Choose **Review your settings**, make sure everything is correct, select **Save**, then **Close**.
+1. Choose **Enable Mailbox intelligence** and **Enable Intelligence for impersonation protection** to enable enhanced impersonation results based on each user's individual sender map.
+1. Select **Enable Spoof intelligence** to choose how you want to filter email from senders who are spoofing domains.
+1. Select **Save**, then **Close**.
- Your organization now has better protection from phishing threats.
+ Your organization now has better protection from phishing threats.
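Review bot: the rewritten procedure drops two settings the old steps covered: choosing the action to take when a message is sent by an impersonated user or domain, and turning on impersonation safety tips. Enabling "domains to protect" and mailbox intelligence without choosing an action leaves the defaults in place, so if the new portal still exposes those controls (they were separate steps before), add the corresponding steps back so the walkthrough ends with the same coverage it had. The last two lines differ only in leading whitespace; if that indentation is intentional, say so in the commit, otherwise revert it to keep the diff clean.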
compliance App Governance Get Started https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/app-governance-get-started.md
description: "Get started with app governance capabilities to govern your apps."
# Get started with app governance (in preview)
-To begin using the app governance add-on to Microsoft Cloud App Security:
+To begin using the app governance add-on to Microsoft Cloud App Security, you need to take three steps:
+
+## Step 1: Meet the licensing and administrator role prerequisites
1. Verify your account has the [appropriate level of licensing](#licensing-for-app-governance). App governance is an add-on feature for Microsoft Cloud App Security (MCAS), and thus MCAS must be present in your account as either a standalone product or as part of the various license packages. 1. You must have one of the [administrator roles](#administrator-roles) listed below to access the app governance pages in the portal. 1. Your organization's billing address must be within one of the [supported areas of North America, Europe, or Africa](app-governance-countries.md) in order to activate the free trial.
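Review bot: the new heading "Step 1: Meet the licensing and administrator role prerequisites" does not cover the third item under it, which requires the organization's billing address to be in a supported region; widen the heading (for example "Meet the licensing, role, and region prerequisites") or move that item. Minor: the intro now says "you need to take three steps" but the first "step" is a set of checks rather than an action, so "three stages" or "three sections" would read more accurately.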
-## Sign up for free trial of app governance
+## Step 2: Sign up for free trial of app governance
For new Microsoft 365 customers:
For existing Microsoft 365 customers:
:::image type="content" source="../media/manage-app-protection-governance/app-governance-signup2.gif" alt-text="Simple steps to add app governance to your account":::
-## Add integration with MCAS
+## Step 3: Add integration with MCAS
Prerequisites:
compliance App Governance Manage App Governance https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/app-governance-manage-app-governance.md
description: "Implement Microsoft app governance capabilities to govern your app
>*[Microsoft 365 licensing guidance for security & compliance](https://aka.ms/ComplianceSD).* > [!NOTE]
-> To sign up for app governance, see [Get started with app governance (in preview)](app-governance-get-started.md#sign-up-for-free-trial-of-app-governance).
+> To sign up for app governance, see [Get started with app governance (in preview)](app-governance-get-started.md).
Cyberattacks have become increasingly sophisticated in the ways they exploit the apps you have deployed in your on-premises and cloud infrastructures, establishing a starting point for privilege escalation, lateral movement, and exfiltration of your data. To understand the potential risks and stop these types of attacks, you need to gain clear visibility into your organizationΓÇÖs app compliance posture to quickly identify when an app exhibits anomalous behaviors and to respond when these behaviors present risks to your environment, data, and users.
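Review bot: the fix drops the fragment from the link entirely, so readers land at the top of the get-started page instead of at the sign-up section. The target heading was renamed to "Step 2: Sign up for free trial of app governance" in this same update, so the link should keep a deep link using the new anchor, `app-governance-get-started.md#step-2-sign-up-for-free-trial-of-app-governance`, following the same anchor style the troubleshooting article on this page uses.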
compliance Archive Mssqldatabaseimporter Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-mssqldatabaseimporter-data.md
The following overview explains the process of using a connector to archive MS S
## Step 1: Set up the MS SQL Database Importer connector
-The first step is to access to the **Data Connectors** page in the Microsoft365 compliance center and create a connector for the MS SQL Database.
+The first step is to access to the **Data Connectors** page in the Microsoft 365 compliance center and create a connector for the MS SQL Database.
1. Go to [https://compliance.microsoft.com](https://compliance.microsoft.com) and then click **Data connectors** > **MS SQL Database Importer**.
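Review bot: the + line fixes "Microsoft365" but keeps the grammar error "access to the **Data Connectors** page"; it should read "access the **Data Connectors** page".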
compliance Archive Xip Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-xip-data.md
The following overview explains the process of using a connector to archive the
## Step 1: Set up the XIP connector
-The first step is to access to the **Data Connectors** page in the Microsoft365 compliance center and create a connector for the XIP source data.
+The first step is to access to the **Data Connectors** page in the Microsoft 365 compliance center and create a connector for the XIP source data.
1. Go to [https://compliance.microsoft.com](https://compliance.microsoft.com/) and then click **Data connectors** \> **XIP**.
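Review bot: as in the MS SQL Database Importer article, the + line still says "access to the **Data Connectors** page"; drop "to".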
compliance Auto Apply Retention Labels Scenario https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/auto-apply-retention-labels-scenario.md
Now that the retention labels are applied, let's focus on the event that will in
You can manually create the event in the Microsoft 365 compliance center by going to **Records Managements** > **Events**. You would choose the event type, set the correct asset IDs, and enter a date for the event. For more information, see [Start retention when an event occurs](event-driven-retention.md).
-But for this scenario, we'll automatically generate the event from an external production system. The system is a simple SharePoint list that indicates whether a product is in production. A [Power Automate](/flow/getting-started) flow that's associated with the list will trigger the event. In a real-world scenario, you could use various systems to generate the event, such as an HR or CRM system. Power Automate contains many ready-to-use interactions and building block for Microsoft 365 workloads, such as Microsoft Exchange, SharePoint, Teams, and Dynamics 365, plus third-party apps such as Twitter, Box, Salesforce, and Workdays. This feature makes it easy to integrate Power Automate with various systems. For more information, see [Automate event-driven retention](./event-driven-retention.md#automate-events-by-using-a-rest-api).
+But for this scenario, we'll automatically generate the event from an external production system. The system is a simple SharePoint list that indicates whether a product is in production. A [Power Automate](/power-automate/getting-started) flow that's associated with the list will trigger the event. In a real-world scenario, you could use various systems to generate the event, such as an HR or CRM system. Power Automate contains many ready-to-use interactions and building block for Microsoft 365 workloads, such as Microsoft Exchange, SharePoint, Teams, and Dynamics 365, plus third-party apps such as Twitter, Box, Salesforce, and Workdays. This feature makes it easy to integrate Power Automate with various systems. For more information, see [Automate event-driven retention](./event-driven-retention.md#automate-events-by-using-a-rest-api).
The following screenshot shows the SharePoint list that will be used the trigger the event:
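Review bot: the link path update is fine, but the same sentence carries two errors that should be fixed in the same pass: "building block" should be "building blocks", and "Workdays" should be "Workday" (the product name). The unchanged trailing context also has "used the trigger the event", which should be "used to trigger the event".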
compliance Event Driven Retention https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/event-driven-retention.md
The events that get automatically created can be confirmed by viewing them in th
Create a flow that creates an event using the Microsoft 365 REST API:
-![Using Flow to create an event](../media/automate-event-driven-retention-flow-1.png)
+![Using Power Automate to create an event](../media/automate-event-driven-retention-flow-1.png)
-![Using flow to call the REST API](../media/automate-event-driven-retention-flow-2.png)
+![Using Power Automate to call the REST API](../media/automate-event-driven-retention-flow-2.png)
#### Create an event
compliance Insider Risk Management Settings https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/insider-risk-management-settings.md
Protecting the privacy of users that have policy matches is important and can he
- **Show anonymized versions of usernames**: Names of users are anonymized to prevent admins, data investigators, and reviewers from seeing who is associated with policy alerts. For example, a user 'Grace Taylor' would appear with a randomized pseudonym such as 'AnonIS8-988' in all areas of the insider risk management experience. Choosing this setting anonymizes all users with current and past policy matches and applies to all policies. User profile information in the insider risk alert and case details will not be available when this option is chosen. However, usernames are displayed when adding new users to existing policies or when assigning users to new policies. If you choose to turn off this setting, usernames will be displayed for all users that have current or past policy matches. >[!IMPORTANT]
- >To maintain referential integrity across multiple users with insider risk management alerts and cases in other systems, anonymization of usernames isn't preserved for exported alerts. Exported alerts will display usernames for each alert.
+ >To maintain referential integrity for users who have insider risk alerts or cases in Microsoft 365 or other systems, anonymization of usernames isn't preserved for exported alerts. Exported alerts will display usernames for each alert.
- **Do not show anonymized versions of usernames**: Usernames are displayed for all current and past policy matches for alerts and cases. User profile information (the name, title, alias, and organization or department) is displayed for the user for all insider risk management alerts and cases.
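Review bot: the reworded note makes the important point clearer (exported alerts carry real usernames even when the portal shows pseudonyms), but it should draw the consequence for the reader: whatever system receives the export must be access-controlled at least as tightly as the insider risk management pages, otherwise the anonymization setting is bypassed by the export path. One sentence to that effect would turn the caveat into actionable guidance.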
For each of the following domain settings, you can enter up to 500 domains:
Insider risk management alert information is exportable to security information and event management (SIEM) services via the [Office 365 Management Activity API schema](/office/office-365-management-api/office-365-management-activity-api-schema#security-and-compliance-alerts-schema). You can use the Office 365 Management Activity APIs to export alert information to other applications your organization may use to manage or aggregate insider risk information. >[!IMPORTANT]
->To maintain referential integrity across multiple users with insider risk management alerts and cases in other systems, anonymization of usernames isn't preserved for exported alerts. Exported alerts will display usernames for each alert.
+>To maintain referential integrity for users who have insider risk alerts or cases in Microsoft 365 or other systems, anonymization of usernames isn't preserved for exported alerts. Exported alerts will display usernames for each alert.
To use the APIs to review insider risk alert information:
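Review bot: because this section is about pulling alerts through the Office 365 Management Activity API, the note should add that the application granted access to that API will receive usernames that the "Show anonymized versions of usernames" setting hides in the portal, so that permission should be limited to the SIEM integration that needs it and the downstream store treated as containing user-identifying data.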
compliance Search The Audit Log In Security And Compliance https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/search-the-audit-log-in-security-and-compliance.md
The following table lists the user and admin activities in Yammer that are logge
### Microsoft Power Automate activities
-You can search the audit log for activities in Power Automate (formerly called Microsoft Flow). These activities include creating, editing, and deleting flows, and changing flow permissions. For information about auditing for Power Automate activities, see the blog [Microsoft Flow audit events now available in Microsoft 365 compliance center](https://flow.microsoft.com/blog/security-and-compliance-center).
+You can search the audit log for activities in Power Automate (formerly called Microsoft Flow). These activities include creating, editing, and deleting flows, and changing flow permissions. For information about auditing for Power Automate activities, see the blog [Power Automate audit events now available in Microsoft 365 compliance center](https://flow.microsoft.com/blog/security-and-compliance-center).
### Microsoft Power Apps activities
compliance Sensitive Information Type Entity Definitions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sensitive-information-type-entity-definitions.md
Any term from the Dictionary_icd_9_updated keyword dictionary, which is based on
Any term from the Dictionary_icd_9_codes keyword dictionary, which is based on the [International Classification of Diseases,Ninth Revision, Clinical Modification (ICD-9-CM)](https://go.microsoft.com/fwlink/?linkid=852605). This type looks only for insurance codes, not the description.
-<!-- ## IP address
+## IP address
### Format
For IPv6, a DLP policy has high confidence that it's detected this type of sensi
```xml <!-- IP Address -->
-<!-- <Entity id="1daa4ad5-e2dd-4ca4-a788-54722c09efb2" patternsProximity="300" recommendedConfidence="85">
+ <Entity id="1daa4ad5-e2dd-4ca4-a788-54722c09efb2" patternsProximity="300" recommendedConfidence="85">
<Pattern confidenceLevel="85"> <IdMatch idRef="Regex_ipv6_address" /> <Any minMatches="0" maxMatches="0">
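Review bot: the hunk removes two HTML comment openers (`<!-- ## IP address` and `<!-- <Entity ...`) but shows no corresponding removal of their closing `-->` markers; confirm those closers were deleted as well, otherwise a stray `-->` will render in the article or terminate the `<!-- IP Address -->` comment inside the code block early. Also, the uncommented `<Entity ...>` line now starts with a leading space, which shifts its indentation relative to the `<Pattern>` lines below it inside the fenced XML.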
contentunderstanding Solution Manage Contracts In Microsoft 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/contentunderstanding/solution-manage-contracts-in-microsoft-365.md
description: Learn how to manage contracts using a Microsoft 365 solution of Sha
This article describes how to create a contracts management solution for your organization by using SharePoint Syntex and components of Microsoft 365. It provides you with a framework to help you plan and create a solution that fits your unique business needs. Even though this solution talks about contract management, you can adapt it to create other document management solutions, such as for statements of work or invoices.
-*This content set documents a Microsoft 365 solution developed by Thomas Molbach with the Modern Work Solution Strategy Team at Microsoft.*
+</br>
+
+> [!VIDEO https://www.microsoft.com/videoplayer/embed/RWJUR0]
+
+</br>
## Identify the business problem
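Review bot: this hunk deletes the attribution line crediting Thomas Molbach and the Modern Work Solution Strategy Team; if the video is meant to replace it rather than accompany it, say so in the commit message, otherwise keep the credit. Separately, `</br>` is not valid HTML (a closing tag with no opening one); use `<br/>` or `<br>`.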
This solution relies on the following functionality, all available as part of a
- Microsoft Teams - Power Automate
+### Learn how to use SharePoint Syntex
+
+New to SharePoint Syntex? Learn how to use SharePoint Syntex to manage content using AI.
+
+The [Get started with SharePoint Syntex](/learn/paths/syntex-get-started) learning path will teach how you can use document understanding and form processing models to classify documents, extract text, and label your documents for quick and easy knowledge management.
+ ## Create the solution The next sections will go into detail about how to configure your contracts management solution. It's divided into three steps: - [Step 1. Use SharePoint Syntex to identify contract files and extract data](solution-manage-contracts-step1.md) - [Step 2. Use Microsoft Teams to create your contract management channel](solution-manage-contracts-step2.md)-- [Step 3. Use Power Automate to create your flow to process your contracts](solution-manage-contracts-step3.md)
+- [Step 3. Use Power Automate to create the flow to process your contracts](solution-manage-contracts-step3.md)
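Review bot: the unchanged context line here has several source lines run together (the "## Create the solution" heading, its paragraph, the Step 1 and Step 2 list items, and the removed Step 3 item fused on as "-- [Step 3..."), so check the rendered list after merge to be sure the three steps appear as one list with the new Step 3 wording. In the added section, "will teach how you can use" reads better as "will teach you how to use".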
contentunderstanding Solution Manage Contracts Step2 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/contentunderstanding/solution-manage-contracts-step2.md
This section defines how "Classification" will display on the card, and uses the
## Next step
-[Step 3. Use Power Automate to create your flow to process your contracts](solution-manage-contracts-step3.md)
+[Step 3. Use Power Automate to create the flow to process your contracts](solution-manage-contracts-step3.md)
contentunderstanding Solution Manage Contracts Step3 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/contentunderstanding/solution-manage-contracts-step3.md
Title: "Step 3. Use Power Automate to create your flow to process your contracts"
+ Title: Step 3. Use Power Automate to create the flow to process your contracts
ms.prod: microsoft-365-enterprise
search.appverid: localization_priority: None ROBOTS:
-description: "Learn how to use Power Automate to create your flow to process your contracts by using a Microsoft 365 solution."
+description: Learn how to use Power Automate to create your flow to process your contracts by using a Microsoft 365 solution.
-# Step 3. Use Power Automate to create your flow to process your contracts
+# Step 3. Use Power Automate to create the flow to process your contracts
You've created your Contract Management channel and have attached your SharePoint document library. The next step is to create a Power Automate flow to process your contracts that your SharePoint Syntex model identifies and classifies. You can do this step by [creating a Power Automate flow in your SharePoint document library](https://support.microsoft.com/office/create-a-flow-for-a-list-or-library-in-sharepoint-or-onedrive-a9c3e03b-0654-46af-a254-20252e580d01).
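Review bot: the title and H1 now say "create the flow" but the description on the + line still says "create your flow"; make the three consistent. The hunk also removes the quotes around the `Title` and `description` front-matter values; that works for these particular strings, but quoting protects against a future title that contains a colon, so keeping the quotes is the safer convention.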
enterprise Managing Office 365 Endpoints https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/managing-office-365-endpoints.md
For more information, see [Office 365 IP Address and URL Web Service](microsoft-
The Office 365 IP Address and URL Web Service provides an RSS feed that you can subscribe to in Outlook. There are links to the RSS URLs on each of the Office 365 service instance-specific pages for the IP addresses and URLs. For more information, see [Office 365 IP Address and URL Web Service](microsoft-365-ip-web-service.md).
-### Change notification and approval review using Microsoft Flow
+### Change notification and approval review using Power Automate
-We understand that you might still require manual processing for network endpoint changes that come through each month. You can use Microsoft Flow to create a flow that notifies you by email and optionally runs an approval process for changes when Office 365 network endpoints have changes. Once review is completed, you can have the flow automatically email the changes to your firewall and proxy server management team.
+We understand that you might still require manual processing for network endpoint changes that come through each month. You can use Power Automate to create a flow that notifies you by email and optionally runs an approval process for changes when Office 365 network endpoints have changes. Once review is completed, you can have the flow automatically email the changes to your firewall and proxy server management team.
-For information about a Microsoft Flow sample and template, see [Use Microsoft Flow to receive an email for changes to Office 365 IP addresses and URLs](https://techcommunity.microsoft.com/t5/Office-365-Networking/Use-Microsoft-Flow-to-receive-an-email-for-changes-to-Office-365/td-p/240651).
+For information about a Power Automate sample and template, see [Use Power Automate to receive an email for changes to Office 365 IP addresses and URLs](https://techcommunity.microsoft.com/t5/Office-365-Networking/Use-Microsoft-Flow-to-receive-an-email-for-changes-to-Office-365/td-p/240651).
<a name="FAQ"> </a> ## Office 365 network endpoints FAQ
enterprise Microsoft 365 Ip Web Service https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/microsoft-365-ip-web-service.md
Updates to the parameters or results for these web service methods may be requir
You can use a few different methods to get email notifications when changes to the IP addresses and URLs are published to the web service. -- To use a Microsoft Flow solution, see [Use Microsoft Flow to receive an email for changes to Office 365 IP Addresses and URLs](https://techcommunity.microsoft.com/t5/Office-365-Networking/Use-Microsoft-Flow-to-receive-an-email-for-changes-to-Office-365/m-p/240651).
+- To use a Power Automate solution, see [Use Power Automate to receive an email for changes to Office 365 IP Addresses and URLs](https://techcommunity.microsoft.com/t5/Office-365-Networking/Use-Microsoft-Flow-to-receive-an-email-for-changes-to-Office-365/m-p/240651).
- To deploy an Azure Logic App using an ARM template, see [Office 365 Update Notification (v1.1)](https://aka.ms/ipurlws-updates-template). - To write your own notification script using PowerShell, see [Send-MailMessage](/powershell/module/microsoft.powershell.utility/send-mailmessage).
enterprise Microsoft 365 Networking Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/microsoft-365-networking-overview.md
In traditional network architectures, higher latency for generic Internet traffi
We're making it easier to identify Microsoft 365 network traffic and making it simpler to manage the network identification. - New categories of network endpoints to differentiate highly critical network traffic from network traffic which is not impacted by Internet latencies. There are just a handful of URLs and supporting IP Addresses in the most critical ΓÇ£OptimizeΓÇ¥ category.-- Web services for script usage or direct device configuration and change management of Microsoft 365 network identification. Changes are available from the web service, or in RSS format, or on email using a Microsoft Flow template.
+- Web services for script usage or direct device configuration and change management of Microsoft 365 network identification. Changes are available from the web service, or in RSS format, or on email using a Power Automate template.
- [Office 365 Network partner program](./microsoft-365-networking-partner-program.md) with Microsoft partners who provide devices or services that follow Microsoft 365 network connectivity principles and have simple configuration. ## Securing Microsoft 365 connections
enterprise Microsoft 365 Vpn Implement Split Tunnel https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/microsoft-365-vpn-implement-split-tunnel.md
This section provides links to detailed guides for implementing split tunneling
- **Palo Alto GlobalProtect**: [Optimizing Office 365 Traffic via VPN Split Tunnel Exclude Access Route](https://live.paloaltonetworks.com/t5/Prisma-Access-Articles/GlobalProtect-Optimizing-Office-365-Traffic/ta-p/319669) - **F5 Networks BIG-IP APM**: [Optimizing Office 365 traffic on Remote Access through VPNs when using BIG-IP APM](https://devcentral.f5.com/s/articles/SSL-VPN-Split-Tunneling-and-Office-365) - **Citrix Gateway**: [Optimizing Citrix Gateway VPN split tunnel for Office365](https://docs.citrix.com/en-us/citrix-gateway/13/optimizing-citrix-gateway-vpn-split-tunnel-for-office365.html)-- **Pulse Secure**: [VPN Tunneling: How to configure split tunneling to exclude Office365 applications](https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB44417)
+- **Pulse Secure**: [VPN Tunneling: How to configure split tunneling to exclude Office 365 applications](https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB44417)
- **Check Point VPN**: [How to configure Split Tunnel for Office 365 and other SaaS Applications](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk167000) ## FAQ
enterprise Ms Cloud Germany Transition Experience https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/ms-cloud-germany-transition-experience.md
Considerations to note:
- As the tenant is transitioned to Office 365 services, its Germany-specific subscriptions and licenses are standardized with new Office 365 services offerings. Corresponding Office 365 services subscriptions are purchased for the transferred Germany subscriptions. Users who have Germany licenses will be assigned Office 365 services licenses. Upon completion, legacy Germany subscriptions are canceled and removed from the current Office 365 services tenant. -- After migration of the individual workloads, additional functionality is made available through the Office 365 services (such as Microsoft Planner and Microsoft Flow) because of the new Office 365 services subscriptions. If appropriate for your organization, the tenant or licensing administrator can disable new service plans as you plan for change management to introduce the new services. For guidance on how to disable service plans that are assigned to users' licenses, see [Disable access to Microsoft 365 services while assigning user licenses](/office365/enterprise/powershell/disable-access-to-services-while-assigning-user-licenses).
+- After migration of the individual workloads, additional functionality is made available through the Office 365 services (such as Microsoft Planner and Power Automate) because of the new Office 365 services subscriptions. If appropriate for your organization, the tenant or licensing administrator can disable new service plans as you plan for change management to introduce the new services. For guidance on how to disable service plans that are assigned to users' licenses, see [Disable access to Microsoft 365 services while assigning user licenses](/office365/enterprise/powershell/disable-access-to-services-while-assigning-user-licenses).
## Exchange Online
enterprise Ms Cloud Germany Transition Phases https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/ms-cloud-germany-transition-phases.md
Failing to complete this task may result in hybrid free-busy requests failing to
|||| |Subscriptions are transferred|The Microsoft Cloud Deutschland subscription will be migrated to corresponding Office 365 Global services subscription. <ul><li>The Office 365 Global services offer of that subscription is defined by Microsoft (also known as _Offer mapping_).</li><li> Corresponding Office 365 Global services subscriptions are purchased in the Office 365 Global instance for the transferred Microsoft Cloud Deutschland subscriptions.</li><li>Legacy Microsoft Cloud Deutschland subscriptions are removed from the Office 365 services tenant on completion.</li></ul>|<ul><li>Changes to existing subscriptions will be blocked (for example, no new subscription purchases or seat count changes) during this phase.</li><li>License assignment changes will be blocked.</li><li>When subscription migration is complete, both Office 365 services and Microsoft Cloud Deutschland subscriptions will be visible in the Office 365 Admin Portal, with the status of Microsoft Cloud Deutschland subscriptions as _deprovisioned_.</li><li>Any customer processes that have dependencies on Microsoft Cloud Deutschland subscriptions or SKU GUIDs will be broken and need to be revised with the Office 365 services offering.</li><li>New subscriptions in the Office 365 services will be purchased with the new term (monthly/quarterly/yearly), and the customer will receive a prorated refund for the unused balance of the Microsoft Cloud Deutschland subscription.</li></ul>| |Licenses are reassigned|Users with assigned Microsoft Cloud Deutschland licenses will be assigned licenses in the Office 365 Global instance.|<ul><li>Users will be reassigned licenses that are tied to the new Office 365 services subscriptions. User licenses of all users will be automatically assigned to the new features.</li><li>The number of features (service plans) offered by Office 365 services can be larger than in the original Microsoft Cloud Deutschland offer. 
User licenses in Office 365 services will be equivalently assigned to similar Microsoft Cloud Deutschland features (service plans).</li></ul>|
-|**Admin task** Disable features|The admin needs to take an explicit action to disable those features, if needed.|<ul><li>Users see new unknown services in the portal</li><li>Additional functionality is available (for example, Microsoft Planner and Microsoft Flow), unless disabled by tenant admin.</li></ul> <p> For information about how to disable service plans that are assigned to users' licenses, see [Disable access to Microsoft 365 services while assigning user licenses](disable-access-to-services-while-assigning-user-licenses.md).</li></ul>|
+|**Admin task** Disable features|The admin needs to take an explicit action to disable those features, if needed.|<ul><li>Users see new unknown services in the portal</li><li>Additional functionality is available (for example, Microsoft Planner and Power Automate), unless disabled by tenant admin.</li></ul> <p> For information about how to disable service plans that are assigned to users' licenses, see [Disable access to Microsoft 365 services while assigning user licenses](disable-access-to-services-while-assigning-user-licenses.md).</li></ul>|
|**Admin task**|Revise any customer processes that have dependencies on Microsoft Cloud Deutschland subscriptions or SKU GUIDs with the Office 365 services offering|Customer processes continue to work.| |
enterprise O365 Data Locations https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/o365-data-locations.md
Please review the [Products available by region](https://go.microsoft.com/fwlink
### What services support Multi-Geo?
-[Multi-Geo](https://go.microsoft.com/fwlink/p/?linkid=872033) is available for Exchange Online, OneDrive and SharePoint Online. Microsoft is investigating Multi-Geo for other Microsoft 365 services.
+[Multi-Geo](https://go.microsoft.com/fwlink/p/?linkid=872033) is available for Exchange Online, OneDrive for Business, SharePoint Online, and Teams.
### What are the exceptions for Intune data locations?
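Review bot: the rewritten Multi-Geo line adds Teams and drops the sentence that Microsoft is investigating other services, while the link target (linkid=872033) is unchanged; confirm that page lists Teams, since it is now the only source behind the new claim.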
lti Index https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lti/index.md
The Microsoft OneDrive LTI App allows you to:
- Integrate Office 365 files with your course modules. - Use your Microsoft account for single sign-on with your LMS.
-For configuration steps, see [Use Microsoft OneDrive LTI with Canvas](use-onedrive-with-lms.md).
+For configuration steps, see [Integrate Microsoft OneDrive LTI with Canvas](onedrive-lti.md).
## Teams LTI apps
managed-desktop Certs Wifi Lan https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/get-ready/certs-wifi-lan.md
Once your LAN profile has been exported, you can prepare the policy for Microsof
- OMA-URI (case sensitive): Enter *./Device/Vendor/MSFT/WiredNetwork/LanXML* - Data type: select **String (XML file)**. - Custom XML: Upload the exported XML file.
-2. Submit a Support request to Microsoft Managed Desktop IT Operations using the Microsoft Managed Desktop Admin portal to review and deploy the configuration profile to ΓÇ£Modern Workplace Devices ΓÇô TestΓÇ¥. Microsoft Managed Desktop IT Operations will let you know when the request is completed via the Support request in the Admin portal.
+2. Assign the custom profile to the *Modern Workplace Devices ΓÇô Test* group.
+3. Do any testing you feel necessary using a device that it's in the Test deployment group. If successful, then assign the custom profile to the *Modern Workplace Devices ΓÇô First*, *Modern Workplace Devices ΓÇô Fast*, and *Modern Workplace Devices ΓÇô Broad* groups.
## Deploy certificates and Wi-Fi/VPN profile To deploy certificates and profiles, follow these steps:
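Review bot: the new step 3 text `a device that it's in the Test deployment group` should read `a device that is in`. Replacing the Support request to Microsoft Managed Desktop IT Operations with direct assignment also removes the review that sat between the Test group and the First, Fast and Broad groups, so step 3 should state what must succeed on the Test device before the profile is promoted rather than `any testing you feel necessary`.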
-1. Create a profile for each of the Root and Intermediate certificates (see [Create trusted certificate profiles](/intune/protect/certificates-configure#step-3-create-trusted-certificate-profiles). Each of these profiles must have a description that includes an expiration date in DD/MM/YYYY format. **Certificate profiles without an expiration date will not be deployed.**
-2. Create a profile for each SCEP or PKCS certificates (see [Create a SCEP certificate profile](/intune/protect/certificates-scep-configure#create-a-scep-certificate-profile) or [Create a PKCS certificate profile](/intune/protect/certficates-pfx-configure#create-a-pkcs-certificate-profile)) Each of these profiles must have a description that includes an expiration date in DD/MM/YYYY format. **Certificate profiles without an expiration date will not be deployed.**
+1. Create a profile for each of the Root and Intermediate certificates (see [Create trusted certificate profiles](/intune/protect/certificates-configure#step-3-create-trusted-certificate-profiles). Each of these profiles must have a description that includes an expiration date in DD/MM/YYYY format. **Certificate profiles must have an expiration date.**
+2. Create a profile for each SCEP or PKCS certificates (see [Create a SCEP certificate profile](/intune/protect/certificates-scep-configure#create-a-scep-certificate-profile) or [Create a PKCS certificate profile](/intune/protect/certficates-pfx-configure#create-a-pkcs-certificate-profile)) Each of these profiles must have a description that includes an expiration date in DD/MM/YYYY format. **Certificate profiles must have an expiration date.**
3. Create a profile for each corporate WiFi network (see [Wi-Fi settings for Windows 10 and later devices](/intune/wi-fi-settings-windows)). 4. Create a profile for each corporate VPN (see [Windows 10 and Windows Holographic device settings to add VPN connections using Intune](/intune/vpn-settings-windows-10)).
-5. Submit a Support request titled ΓÇ£Certificate DeploymentΓÇ¥ or ΓÇ£Wi-Fi Profile DeploymentΓÇ¥ to Microsoft Managed Desktop IT Operations using the Microsoft Managed Desktop Admin portal to review and deploy the configuration profile to ΓÇ£Modern Workplace Devices ΓÇô TestΓÇ¥. Microsoft Managed Desktop IT Operations will let you know when the request has been completed via the Support request in the Admin portal.
+5. Assign the profiles to the *Modern Workplace Devices ΓÇô Test* group.
+6. Do any testing you feel necessary using a device that it's in the Test deployment group. If successful, then assign the custom profile to the *Modern Workplace Devices ΓÇô First*, *Modern Workplace Devices ΓÇô Fast*, and *Modern Workplace Devices ΓÇô Broad* groups.
+ ## Steps to get ready for Microsoft Managed Desktop
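Review bot: the rewritten bold sentence in steps 1 and 2 (`Certificate profiles must have an expiration date.`) drops the consequence the old text stated, that a profile without one is not deployed; keep that consequence, as it is what explains a silently missing certificate. In step 1 the `(see [Create trusted certificate profiles](...)` parenthesis is never closed, and step 2 needs `certificate` (singular) and a period before `Each`. New step 6 says `assign the custom profile` while step 5 assigns `the profiles` (one per root, intermediate, SCEP/PKCS certificate, Wi-Fi network and VPN); make them agree, and fix `that it's in` to `that is in`. The added heading line carries a leading space, which renders but is inconsistent with the file's other headings.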
managed-desktop Readiness Assessment Downloadable https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/get-ready/readiness-assessment-downloadable.md
The downloadable tool checks these device- and network-related items:
### Hardware
-Devices must meet specific hardware requirements to work with Microsoft Managed Desktop. Currently, only specific [approved devices](../service-description/device-list.md) are allowed to enroll.
+Devices must meet specific hardware requirements to work with Microsoft Managed Desktop. For more information, see [Device requirements](../service-description/device-list.md).
If your device fails any of the checks, it's not compatible with Microsoft Managed Desktop.
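Review bot: the link text changes from `approved devices` to `Device requirements` but the target is still `../service-description/device-list.md`; either the text should match that page's title or the target should change. The dropped statement that only listed devices can enroll also disappears from this page, so confirm the target page still says so.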
security TOC https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/TOC.md
####### [List machines by vulnerability](get-machines-by-vulnerability.md) ##### [How to use APIs - Samples]()
-###### [Microsoft Flow](api-microsoft-flow.md)
+###### [Power Automate](api-microsoft-flow.md)
###### [Power BI](api-power-bi.md) ###### [Advanced Hunting using Python](run-advanced-query-sample-python.md) ###### [Advanced Hunting using PowerShell](run-advanced-query-sample-powershell.md)
security Api Microsoft Flow https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api-microsoft-flow.md
Automating security procedures is a standard requirement for every modern Security Operations Center. The lack of professional cyber defenders forces SOC to work in the most efficient way and automation is a must. Microsoft Power Automate supports different connectors that were built exactly for that. You can build an end-to-end procedure automation within a few minutes.
-Microsoft Defender API has an official Flow Connector with many capabilities.
+Microsoft Defender API has an official Power Automate Connector with many capabilities.
![Image of edit credentials1](images/api-flow-0.png)
security Configure Cloud Block Timeout Period Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-cloud-block-timeout-period-microsoft-defender-antivirus.md
You can use Group Policy to specify an extended timeout for cloud checks.
3. In the **Group Policy Management Editor**, go to **Computer configuration**, and then select **Administrative templates**.
-3. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **MpEngine**.
+3. Expand the tree to **Windows components** \> **Microsoft Defender Antivirus** \> **MpEngine**.
4. Double-click **Configure extended cloud check** and ensure the option is enabled.
security Configure Conditional Access https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-conditional-access.md
Take the following steps to enable Conditional Access:
### Step 1: Turn on the Microsoft Intune connection
-1. In the navigation pane, select **Settings** > **Endpoints** > **General** > **Advanced features** > **Microsoft Intune connection**.
+1. In the navigation pane, select **Settings** \> **Endpoints** \> **General** \> **Advanced features** \> **Microsoft Intune connection**.
2. Toggle the Microsoft Intune setting to **On**. 3. Click **Save preferences**. ### Step 2: Turn on the Defender for Endpoint integration in Intune 1. Sign in to the [Azure portal](https://portal.azure.com).
-2. Select **Device compliance** > **Microsoft Defender ATP**.
+2. Select **Device compliance** \> **Microsoft Defender ATP**.
3. Set **Connect Windows 10.0.15063+ devices to Microsoft Defender Advanced Threat Protection** to **On**. 4. Click **Save**. ### Step 3: Create the compliance policy in Intune 1. In the [Azure portal](https://portal.azure.com), select **All services**, filter on **Intune**, and select **Microsoft Intune**.
-2. Select **Device compliance** > **Policies** > **Create policy**.
+2. Select **Device compliance** \> **Policies** \> **Create policy**.
3. Enter a **Name** and **Description**. 4. In **Platform**, select **Windows 10 and later**. 5. In the **Device Health** settings, set **Require the device to be at or under the Device Threat Level** to your preferred level:
Take the following steps to enable Conditional Access:
### Step 4: Assign the policy 1. In the [Azure portal](https://portal.azure.com), select **All services**, filter on **Intune**, and select **Microsoft Intune**.
-2. Select **Device compliance** > **Policies**> select your Microsoft Defender for Endpoint compliance policy.
+2. Select **Device compliance** \> **Policies**> select your Microsoft Defender for Endpoint compliance policy.
3. Select **Assignments**. 4. Include or exclude your Azure AD groups to assign them the policy. 5. To deploy the policy to the groups, select **Save**. The user devices targeted by the policy are evaluated for compliance. ### Step 5: Create an Azure AD Conditional Access policy
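Review bot: step 2 of Step 4 (`**Policies**> select your ...`) still has an unescaped `>` with no space before it, unlike the other breadcrumbs changed in this file; it should be `**Policies** \> select your Microsoft Defender for Endpoint compliance policy` so all breadcrumbs render the same way.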
-1. In the [Azure portal](https://portal.azure.com), open **Azure Active Directory** > **Conditional Access** > **New policy**.
+1. In the [Azure portal](https://portal.azure.com), open **Azure Active Directory** \> **Conditional Access** \> **New policy**.
2. Enter a policy **Name**, and select **Users and groups**. Use the Include or Exclude options to add your groups for the policy, and select **Done**. 3. Select **Cloud apps**, and choose which apps to protect. For example, choose **Select apps**, and select **Office 365 SharePoint Online** and **Office 365 Exchange Online**. Select **Done** to save your changes.
-4. Select **Conditions** > **Client apps** to apply the policy to apps and browsers. For example, select **Yes**, and then enable **Browser** and **Mobile apps and desktop clients**. Select **Done** to save your changes.
+4. Select **Conditions** \> **Client apps** to apply the policy to apps and browsers. For example, select **Yes**, and then enable **Browser** and **Mobile apps and desktop clients**. Select **Done** to save your changes.
-5. Select **Grant** to apply Conditional Access based on device compliance. For example, select **Grant access** > **Require device to be marked as compliant**. Choose **Select** to save your changes.
+5. Select **Grant** to apply Conditional Access based on device compliance. For example, select **Grant access** \> **Require device to be marked as compliant**. Choose **Select** to save your changes.
6. Select **Enable policy**, and then **Create** to save your changes.
security Configure Email Notifications https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-email-notifications.md
The email notification includes basic information about the alert and a link to
You can create rules that determine the devices and alert severities to send email notifications for and the notification recipients.
-1. In the navigation pane, select **Settings** > **Endpoints** > **General** > **Email notifications**.
+1. In the navigation pane, select **Settings** \> **Endpoints** \> **General** \> **Email notifications**.
2. Click **Add item**.
security Configure Endpoints Gp https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-endpoints-gp.md
ms.technology: mde
-# Onboard the Windows 10 devices using Group Policy
+# Onboard the Windows 10 devices using Group Policy
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
ms.technology: mde
Check out the [PDF](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/security/defender-endpoint/downloads/mdatp-deployment-strategy.pdf) or [Visio](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/security/defender-endpoint/downloads/mdatp-deployment-strategy.vsdx) to see the various paths in deploying Defender for Endpoint.
-1. Open the GP configuration package .zip file (*WindowsDefenderATPOnboardingPackage.
-zip*) that you downloaded from the service onboarding wizard. You can also get the
-package from [Microsoft 365 Defender portal](https://security.microsoft.com/):
-
- 1. In the navigation pane, select **Settings** > **Endpoints** > **Device management** > **Onboarding**.
-
- 1. Select Windows 10 as the operating system.
-
- 1. In the **Deployment method** field, select **Group policy**.
-
- 1. Click **Download package** and save the .zip file.
+1. Open the GP configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from [Microsoft 365 Defender portal](https://security.microsoft.com/):
+ 1. In the navigation pane, select **Settings** \> **Endpoints** \> **Device management** \> **Onboarding**.
+ 2. Select Windows 10 as the operating system.
+ 3. In the **Deployment method** field, select **Group policy**.
+ 4. Click **Download package** and save the .zip file.
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the device. You should have a folder called *OptionalParamsPolicy* and the file *WindowsDefenderATPOnboardingScript.cmd*. 3. To create a new GPO, open the [Group Policy Management Console](/internet-explorer/ie11-deploy-guide/group-policy-and-group-policy-mgmt-console-ie11) (GPMC), right-click **Group Policy Objects** you want to configure and click **New**. Enter the name of the new GPO in the dialogue box that is displayed and click **OK**.
-3. Open the [Group Policy Management Console](/internet-explorer/ie11-deploy-guide/group-policy-and-group-policy-mgmt-console-ie11) (GPMC), right-click the Group Policy Object (GPO) you want to configure and click **Edit**.
+4. Open the [Group Policy Management Console](/internet-explorer/ie11-deploy-guide/group-policy-and-group-policy-mgmt-console-ie11) (GPMC), right-click the Group Policy Object (GPO) you want to configure and click **Edit**.
-4. In the **Group Policy Management Editor**, go to **Computer configuration**, then **Preferences**, and then **Control panel settings**.
+5. In the **Group Policy Management Editor**, go to **Computer configuration**, then **Preferences**, and then **Control panel settings**.
-5. Right-click **Scheduled tasks**, point to **New**, and then click **Immediate Task (At least Windows 7)**.
+6. Right-click **Scheduled tasks**, point to **New**, and then click **Immediate Task (At least Windows 7)**.
-6. In the **Task** window that opens, go to the **General** tab. Under **Security options** click **Change User or Group** and type SYSTEM and then click **Check Names** then **OK**. NT AUTHORITY\SYSTEM appears as the user account the task will run as.
+7. In the **Task** window that opens, go to the **General** tab. Under **Security options** click **Change User or Group** and type SYSTEM and then click **Check Names** then **OK**. NT AUTHORITY\SYSTEM appears as the user account the task will run as.
-7. Select **Run whether user is logged on or not** and check the **Run with highest privileges** check box.
+8. Select **Run whether user is logged on or not** and check the **Run with highest privileges** check box.
-8. In the Name field, type an appropriate name for the scheduled task (for example, Defender for Endpoint Deployment).
+9. In the Name field, type an appropriate name for the scheduled task (for example, Defender for Endpoint Deployment).
-9. Go to the **Actions** tab and select **New...** Ensure that **Start a program** is selected in the **Action** field. Enter the UNC path, using the file server's fully qualified domain name (FQDN), of the shared *WindowsDefenderATPOnboardingScript.cmd* file.
+10. Go to the **Actions** tab and select **New...** Ensure that **Start a program** is selected in the **Action** field. Enter the UNC path, using the file server's fully qualified domain name (FQDN), of the shared *WindowsDefenderATPOnboardingScript.cmd* file.
-10. Select **OK** and close any open GPMC windows.
+11. Select **OK** and close any open GPMC windows.
-1. To link the GPO to an Organization Unit (OU), right-click and select **Link an existing GPO**. In the dialogue box that is displayed, select the Group Policy Object that you wish to link. Click **OK**.
+12. To link the GPO to an Organization Unit (OU), right-click and select **Link an existing GPO**. In the dialogue box that is displayed, select the Group Policy Object that you wish to link. Click **OK**.
> [!TIP] > After onboarding the device, you can choose to run a detection test to verify that the device is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Defender for Endpoint device](run-detection-test.md). - ## Additional Defender for Endpoint configuration settings+ For each device, you can state whether samples can be collected from the device when a request is made through Microsoft 365 Defender to submit a file for deep analysis. You can use Group Policy (GP) to configure settings, such as settings for the sample sharing used in the deep analysis feature.
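Review bot: renumbered steps 7 and 8 have the immediate task run as NT AUTHORITY\SYSTEM with highest privileges on every device the GPO is linked to, and step 10 points it at the script on the UNC share, so the `shared, read-only location` in step 2 is the control that keeps the share contents from being altered before they execute as SYSTEM fleet-wide; suggest step 2 say explicitly that write access to the share must be restricted to the administrators who staged the package, and that step 10 repeat the FQDN requirement next to the path.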
All policies are located under `Computer Configuration\Policies\Administrative T
**Policy location:** \Windows Components\Windows Defender ATP
-Policy | Setting
-:|:
-Enable\Disable Sample collection| Enabled - "Enable sample collection on machines" checked
+Policy|Setting
+|
+Enable\Disable Sample collection|Enabled - "Enable sample collection on machines" checked
<br> **Policy location:** \Windows Components\Microsoft Defender Antivirus
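Review bot: the delimiter row of the Policy|Setting table now reads as a bare `|`; GFM requires at least one dash per column (`---|---`) or the table renders as plain text, so confirm the committed row carries the dashes. The same applies to the other Policy|Setting tables changed below in this file.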
-Policy | Setting
-:|:
-Configure detection for potentially unwanted applications | Enabled, Block
+Policy|Setting
+|
+Configure detection for potentially unwanted applications|Enabled, Block
<br> **Policy location:** \Windows Components\Microsoft Defender Antivirus\MAPS
-Policy | Setting
-:|:
-Join Microsoft MAPS | Enabled, Advanced MAPS
+Policy|Setting
+|
+Join Microsoft MAPS|Enabled, Advanced MAPS
Send file samples when further analysis is required | Enabled, Send safe samples <br> **Policy location:** \Windows Components\Microsoft Defender Antivirus\Real-time Protection
-Policy | Setting
-:|:
+Policy|Setting
+|
Turn off real-time protection|Disabled Turn on behavior monitoring|Enabled Scan all downloaded files and attachments|Enabled
Monitor file and program activity on your computer|Enabled
These settings configure periodic scans of the endpoint. We recommend performing a weekly quick scan, performance permitting.
-Policy | Setting
-:|:
+Policy|Setting
+|
Check for the latest virus and spyware security intelligence before running a scheduled scan |Enabled <br>
Get the current list of attack surface reduction GUIDs from [Customize attack su
![Image of attack surface reduction configuration](images/asr-guid.png)
-Policy | Setting
-:|:
+Policy|Setting
+|
Configure Controlled folder access| Enabled, Audit Mode ## Run a detection test to verify onboarding
-After onboarding the device, you can choose to run a detection test to verify that a device is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender for Endpoint device](run-detection-test.md).
+After onboarding the device, you can choose to run a detection test to verify that a device is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender for Endpoint device](run-detection-test.md).
## Offboard devices using Group Policy
For security reasons, the package used to Offboard devices will expire 30 days a
> [!NOTE] > Onboarding and offboarding policies must not be deployed on the same device at the same time, otherwise this will cause unpredictable collisions. - 1. Get the offboarding package from [Microsoft 365 Defender portal](https://security.microsoft.com/):-
- 1. In the navigation pane, select **Settings** > **Endpoints** > **Device management** > **Offboarding**.
-
- 1. Select Windows 10 as the operating system.
-
- 1. In the **Deployment method** field, select **Group policy**.
-
- 1. Click **Download package** and save the .zip file.
+ 1. In the navigation pane, select **Settings** \> **Endpoints** \> **Device management** \> **Offboarding**.
+ 2. Select Windows 10 as the operating system.
+ 3. In the **Deployment method** field, select **Group policy**.
+ 4. Click **Download package** and save the .zip file.
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the device. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*.
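Review bot: the note `Onboarding and offboarding policies must not be deployed on the same device at the same time` states the constraint but the steps never act on it; before step 1, tell the reader to unlink (or stop applying) the GPO that carries `WindowsDefenderATPOnboardingScript.cmd` to the target OU and confirm it is gone from the resultant set of policy on a test device, since the offboarding GPO is linked to the same OUs. The explicit `2.`/`3.`/`4.` sub-step numbering and the `\>` separators match the Configuration Manager, local-script and VDI articles in this changeset, and the `valid_until_YYYY-MM-DD` file name in step 2 is the right place to remind readers of the 30-day expiry quoted above it.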
With Group Policy there isn't an option to monitor deployment of policies on the
Create a new Group Policy or group these settings in with the other policies. This is dependent upon the customers environment and how they would like to roll out the service by targeting different OUΓÇÖs (Organizational Units). 1. After you choose the GP, or create a new one, edit the GP.
-2. Browse to **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Real-time Protection**.
-1. In the Quarantine folder, configure removal of items from Quarantine folder.
+2. Browse to **Computer Configuration** \> **Policies** \> **Administrative Templates** \> **Windows Components** \> **Microsoft Defender Antivirus** \> **Real-time Protection**.
+
+ :::image type="content" source="images/realtime-protect.png" alt-text="real time protection":::
+
+3. In the Quarantine folder, configure removal of items from Quarantine folder.
:::image type="content" source="images/removal-items-quarantine1.png" alt-text="removal items quarantine folder"::: :::image type="content" source="images/config-removal-items-quarantine2.png" alt-text="config-removal quarantine":::
-1. In the Scan folder, configure the scan settings.
+4. In the Scan folder, configure the scan settings.
:::image type="content" source="images/gpo-scans.png" alt-text="gpo scans":::
-**Monitor all files in Real time protection**
+### Monitor all files in Real time protection
-Browse to **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Real-time Protection**.
+Browse to **Computer Configuration** \> **Policies** \> **Administrative Templates** \> **Windows Components** \> **Microsoft Defender Antivirus** \> **Real-time Protection**.
:::image type="content" source="images/config-monitor-incoming-outgoing-file-act.png" alt-text="configure monitoring for incoming outgoing file activity":::
-
-#### Configure Windows Defender Smart Screen settings
+### Configure Windows Defender Smart Screen settings
-1. Browse to **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **Windows Defender SmartScreen** > **Explorer**.
+1. Browse to **Computer Configuration** \> **Policies** \> **Administrative Templates** \> **Windows Components** \> **Windows Defender SmartScreen** \> **Explorer**.
:::image type="content" source="images/config-windows-def-smartscr-explorer.png" alt-text="config windows defender smart screen explorer":::
-
-2. Browse to **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **Windows Defender SmartScreen** > **Microsoft Edge**.
+
+2. Browse to **Computer Configuration** \> **Policies** \> **Administrative Templates** \> **Windows Components** \> **Windows Defender SmartScreen** \> **Microsoft Edge**.
:::image type="content" source="images/config-windows-def-smartscr-explorer.png" alt-text="config windows defender smart screen Edge":::
-#### Configure Potentially Unwanted Applications
-
-Browse to **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus**.
+### Configure Potentially Unwanted Applications
+
+Browse to **Computer Configuration** \> **Policies** \> **Administrative Templates** \> **Windows Components** \> **Microsoft Defender Antivirus**.
:::image type="content" source="images/config-potential-unwanted-apps.png" alt-text="config potential unwanted app"::: :::image type="content" source="images/config-potential-unwanted-apps2.png" alt-text="config potential":::
-#### Configure Cloud Deliver Protection and send samples automatically
+### Configure Cloud Deliver Protection and send samples automatically
-Browse to **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **MAPS**.
+Browse to **Computer Configuration** \> **Policies** \> **Administrative Templates** \> **Windows Components** \> **Microsoft Defender Antivirus** \> **MAPS**.
:::image type="content" source="images/gpo-maps1.png" alt-text="maps":::
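Review bot: the renumbered steps put `In the Quarantine folder, configure removal of items from Quarantine folder` and `In the Scan folder, configure the scan settings` under a path that ends at `Microsoft Defender Antivirus` \> `Real-time Protection`, but Quarantine and Scan are sibling folders of Real-time Protection under `Microsoft Defender Antivirus`, not children of it; stop the step 2 path at `Microsoft Defender Antivirus`, which also explains why the `Monitor all files in Real time protection` section has to browse to `Real-time Protection` again. In the SmartScreen section, the Microsoft Edge step references the same file `images/config-windows-def-smartscr-explorer.png` as the Explorer step, with alt text `config windows defender smart screen Edge`; either the Edge screenshot is missing or the wrong file is referenced. The promoted heading `Configure Cloud Deliver Protection and send samples automatically` keeps the old wording; the feature is cloud-delivered protection, so `Configure cloud-delivered protection and send samples automatically`.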
Browse to **Computer Configuration** > **Policies** > **Administrative Templates
:::image type="content" source="images/send-file-sample-further-analysis-require.png" alt-text="send file sample when further analysis is required":::
-#### Check for signature update
-Browse to **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Signature Updates**
+### Check for signature update
+
+Browse to **Computer Configuration** \> **Policies** \> **Administrative Templates** \> **Windows Components** \> **Microsoft Defender Antivirus** \> **Signature Updates**
:::image type="content" source="images/signature-update-1.png" alt-text="signature update"::: :::image type="content" source="images/signature-update-2.png" alt-text="signature definition update":::
-#### Configure cloud deliver timeout and protection level
+### Configure cloud deliver timeout and protection level
-Browse to **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **MpEngine**.
+Browse to **Computer Configuration** \> **Policies** \> **Administrative Templates** \> **Windows Components** \> **Microsoft Defender Antivirus** \> **MpEngine**.
When you configure cloud protection level policy to **Default Microsoft Defender Antivirus blocking policy** this will disable the policy. This is what is required to set the protection level to the windows default. :::image type="content" source="images/config-extended-cloud-check.png" alt-text="config extended cloud check":::
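Review bot: the promoted heading `Configure cloud deliver timeout and protection level` keeps the same wording problem as the MAPS heading above it; use `Configure cloud-delivered protection timeout and protection level`. The unchanged sentence under it, `When you configure cloud protection level policy to **Default Microsoft Defender Antivirus blocking policy** this will disable the policy. This is what is required to set the protection level to the windows default.`, contradicts itself; say that choosing the default blocking level leaves the protection level at the Windows default, equivalent to leaving the policy not configured, and that only the higher levels change behavior. The `Check for signature update` heading points readers to a `Signature Updates` folder; newer Defender ADMX templates name that folder `Security Intelligence Updates`, so add the current name in parentheses or readers on recent templates will not find it.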
security Configure Endpoints Mdm https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-endpoints-mdm.md
For security reasons, the package used to Offboard devices will expire 30 days a
1. Get the offboarding package from [Microsoft 365 Defender portal](https://security.microsoft.com/):
- 1. In the navigation pane, select **Settings** > **Endpoints** > **Device management** > **Offboarding**.
+ 1. In the navigation pane, select **Settings** \> **Endpoints** \> **Device management** \> **Offboarding**.
1. Select Windows 10 as the operating system.
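Review bot: this change only escapes the `>` separators and keeps the `1.` auto-numbering for the sub-steps, while the Group Policy, Configuration Manager, local-script and VDI articles in the same changeset convert the identical four sub-steps to explicit `2.`/`3.`/`4.`; pick one style for the set so the rendered lists match.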
security Configure Endpoints Non Windows https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-endpoints-non-windows.md
ms.technology: mde
> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-nonwindows-abovefoldlink)
-Defender for Endpoint provides a centralized security operations experience for Windows and non-Windows platforms. You'll be able to see alerts from various supported operating systems (OS) in Microsoft 365 Defender and better protect your organization's network.
+Defender for Endpoint provides a centralized security operations experience for Windows and non-Windows platforms. You'll be able to see alerts from various supported operating systems (OS) in Microsoft 365 Defender and better protect your organization's network.
You'll need to know the exact Linux distros and macOS versions that are compatible with Defender for Endpoint for the integration to work. For more information, see:-- [Microsoft Defender for Endpoint on Linux system requirements](microsoft-defender-endpoint-linux.md#system-requirements) +
+- [Microsoft Defender for Endpoint on Linux system requirements](microsoft-defender-endpoint-linux.md#system-requirements)
- [Microsoft Defender for Endpoint on macOS system requirements](microsoft-defender-endpoint-mac.md#system-requirements). ## Onboarding non-Windows devices+ You'll need to take the following steps to onboard non-Windows devices:+ 1. Select your preferred method of onboarding: - For macOS devices, you can choose to onboard through Microsoft Defender for Endpoint or through a third-party solution. For more information, see [Microsoft Defender for Endpoint on Mac](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-mac).
- - For other non-Windows devices choose **Onboard non-Windows devices through third-party integration**.
- 1. In the navigation pane, select **Partners and APIs** > **Partner Applications** . Make sure the third-party solution is listed.
+ - For other non-Windows devices choose **Onboard non-Windows devices through third-party integration**.
+ 1. In the navigation pane, select **Partners and APIs** \> **Partner Applications** . Make sure the third-party solution is listed.
2. In the **Partner Applications** page, select the partner that supports your non-Windows devices. 3. Click **View** to open the partner's page. Follow the instructions provided on the page.
- 4. After creating an account or subscribing to the partner solution, you should get to a stage where a tenant Global Admin in your organization is asked to accept a permission request from the partner application. Read the permission request carefully to make sure that it's aligned with the service that you require.
-
+ 4. After creating an account or subscribing to the partner solution, you should get to a stage where a tenant Global Admin in your organization is asked to accept a permission request from the partner application. Read the permission request carefully to make sure that it's aligned with the service that you require.
+ 2. Run a detection test by following the instructions of the third-party solution. ## Offboard non-Windows devices
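Review bot: the consent step, `a tenant Global Admin in your organization is asked to accept a permission request from the partner application. Read the permission request carefully`, tells the reader to be careful but gives nothing to check against; this is where a third party is granted API permissions for the whole tenant, so the doc should state which permissions a non-Windows onboarding partner legitimately needs and tell the admin to decline a request that asks for more. The rewritten line `select **Partners and APIs** \> **Partner Applications** .` keeps a stray space before the period.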
You'll need to take the following steps to onboard non-Windows devices:
3. Select the application you'd like to offboard. 4. Select the **Delete** button. - ## Related topics+ - [Onboard Windows 10 devices](configure-endpoints.md) - [Onboard servers](configure-server-endpoints.md) - [Configure proxy and Internet connectivity settings](configure-proxy-internet.md)
security Configure Endpoints Sccm https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-endpoints-sccm.md
ms.technology: mde
Based on the version of Configuration Manager you're running, the following client operating systems can be onboarded:
-#### Configuration Manager version 1910 and prior
+- **Configuration Manager version 1910 and prior**:
+ - Clients computers running Windows 10
+- **Configuration Manager version 2002 and later**:
-- Clients computers running Windows 10 -
-#### Configuration Manager version 2002 and later
-
-Starting in Configuration Manager version 2002, you can onboard the following operating systems:
--- Windows 8.1-- Windows 10-- Windows Server 2012 R2-- Windows Server 2016-- Windows Server 2016, version 1803 or later-- Windows Server 2019-
->[!NOTE]
->For more information on how to onboard Windows Server 2012 R2, Windows Server 2016, and Windows Server 2019, see, [Onboard Windows servers](configure-server-endpoints.md).
+ Starting in Configuration Manager version 2002, you can onboard the following operating systems:
+ - Windows 8.1
+ - Windows 10
+ - Windows Server 2012 R2
+ - Windows Server 2016
+ - Windows Server 2016, version 1803 or later
+ - Windows Server 2019
+> [!NOTE]
+> For more information on how to onboard Windows Server 2012 R2, Windows Server 2016, and Windows Server 2019, see, [Onboard Windows servers](configure-server-endpoints.md).
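Review bot: the restructured list carries over two defects in the lines it rewrites. `Clients computers running Windows 10` should be `Client computers running Windows 10`. In the version 2002 and later list, `Windows Server 2016` and `Windows Server 2016, version 1803 or later` appear as separate items; Windows Server 2016 is version 1607, and 1803 is a Semi-Annual Channel release named `Windows Server, version 1803`, so the second item should drop `2016`. Since the change touched every line of the list, fix both here.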
### Onboard devices using System Center Configuration Manager - [![Image of the PDF showing the various deployment paths](images/onboard-config-mgr.png)](images/onboard-config-mgr.png#lightbox) -
-Check out the [PDF](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/security/defender-endpoint/downloads/mdatp-deployment-strategy.pdf) or [Visio](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/security/defender-endpoint/downloads/mdatp-deployment-strategy.vsdx) to see the various paths in deploying Microsoft Defender for Endpoint.
-
+Check out the [PDF](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/security/defender-endpoint/downloads/mdatp-deployment-strategy.pdf) or [Visio](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/security/defender-endpoint/downloads/mdatp-deployment-strategy.vsdx) to see the various paths in deploying Microsoft Defender for Endpoint.
1. Open the Configuration Manager configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from [Microsoft 365 Defender portal](https://security.microsoft.com/):-
- 1. In the navigation pane, select **Settings** > **Endpoints** > **Device management** > **Onboarding**.
-
- 1. Select Windows 10 as the operating system.
-
- 1. In the **Deployment method** field, select **System Center Configuration Manager 2012/2012 R2/1511/1602**.
-
- 1. Select **Download package**, and save the .zip file.
+ 1. In the navigation pane, select **Settings** \> **Endpoints** \> **Device management** \> **Onboarding**.
+ 2. Select Windows 10 as the operating system.
+ 3. In the **Deployment method** field, select **System Center Configuration Manager 2012/2012 R2/1511/1602**.
+ 4. Select **Download package**, and save the .zip file.
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATPOnboardingScript.cmd*. 3. Deploy the package by following the steps in the [Packages and Programs in System Center 2012 R2 Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg699369\(v=technet.10\)) article.
- a. Choose a predefined device collection to deploy the package to.
+ Choose a predefined device collection to deploy the package to.
> [!NOTE] > Defender for Endpoint doesn't support onboarding during the [Out-Of-Box Experience (OOBE)](https://answers.microsoft.com/windows/wiki/windows_10/how-to-complete-the-windows-10-out-of-box/47e3f943-f000-45e3-8c5c-9d85a1a0cf87) phase. Make sure users complete OOBE after running Windows installation or upgrading.
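Review bot: removing the `a.` label turns `Choose a predefined device collection to deploy the package to` into a continuation of step 3 instead of a sub-step; if it is meant as the sub-step, keep an indented `1.` as the other lists in this changeset do. The deployment-method option is still `System Center Configuration Manager 2012/2012 R2/1511/1602` while the prerequisites above cover versions 1910 and 2002 and later; say which option current-branch users pick, as the offboarding section does by pointing Microsoft Endpoint Manager current branch users elsewhere. Step 2's `shared, read-only location that can be accessed by the network administrators who will deploy the package` is the right constraint for `WindowsDefenderATPOnboardingScript.cmd`, which is tenant-specific; add that reason so it is not loosened to a world-readable share.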
If you use Microsoft Endpoint Manager current branch, see [Create an offboarding
### Offboard devices using System Center 2012 R2 Configuration Manager - 1. Get the offboarding package from [Microsoft 365 Defender portal](https://security.microsoft.com/):
- 1. In the navigation pane, select **Settings** > **Endpoints** > **Device management** > **Offboarding**.
+ 1. In the navigation pane, select **Settings** \> **Endpoints** \> **Device management** \> **Offboarding**.
1. Select Windows 10 as the operating system. 1. In the **Deployment method** field, select **System Center Configuration Manager 2012/2012 R2/1511/1602**. 1. Select **Download package**, and save the .zip file.
security Configure Endpoints Script https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-endpoints-script.md
ms.technology: mde
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) - > Want to experience Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-configureendpointsscript-abovefoldlink) You can also manually onboard individual devices to Defender for Endpoint. You might want to do this first when testing the service before you commit to onboarding all devices in your network.
You can also manually onboard individual devices to Defender for Endpoint. You m
> > To deploy at scale, use [other deployment options](configure-endpoints.md). For example, you can deploy an onboarding script to more than 10 devices in production with the script available in [Onboard Windows 10 devices using Group Policy](configure-endpoints-gp.md).
-## Onboard devices
+## Onboard devices
[![Image of the PDF showing the various deployment paths](images/onboard-script.png)](images/onboard-script.png#lightbox)
+Check out the [PDF](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/security/defender-endpoint/downloads/mdatp-deployment-strategy.pdf) or [Visio](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/security/defender-endpoint/downloads/mdatp-deployment-strategy.vsdx) to see the various paths in deploying Defender for Endpoint.
-Check out the [PDF](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/security/defender-endpoint/downloads/mdatp-deployment-strategy.pdf) or [Visio](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/security/defender-endpoint/downloads/mdatp-deployment-strategy.vsdx) to see the various paths in deploying Defender for Endpoint.
--
-1. Open the GP configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from [Microsoft 365 Defender portal](https://security.microsoft.com/):
-
- 1. In the navigation pane, select **Settings** > **Endpoints** > **Device management** > **Onboarding**.
-
- 1. Select Windows 10 as the operating system.
-
- 1. In the **Deployment method** field, select **Local Script**.
-
- 1. Click **Download package** and save the .zip file.
+1. Open the GP configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from [Microsoft 365 Defender portal](https://security.microsoft.com/):
+ 1. In the navigation pane, select **Settings** \> **Endpoints** \> **Device management** \> **Onboarding**.
+ 2. Select Windows 10 as the operating system.
+ 3. In the **Deployment method** field, select **Local Script**.
+ 4. Click **Download package** and save the .zip file.
-
-2. Extract the contents of the configuration package to a location on the device you want to onboard (for example, the Desktop). You should have a file named *WindowsDefenderATPLocalOnboardingScript.cmd*.
+2. Extract the contents of the configuration package to a location on the device you want to onboard (for example, the Desktop). You should have a file named *WindowsDefenderATPLocalOnboardingScript.cmd*.
-3. Open an elevated command-line prompt on the device and run the script:
+3. Open an elevated command-line prompt on the device and run the script:
+ 1. Go to **Start** and type **cmd**.
+ 2. Right-click **Command prompt** and select **Run as administrator**.
- 1. Go to **Start** and type **cmd**.
+ ![Window Start menu pointing to Run as administrator](images/run-as-admin.png)
- 1. Right-click **Command prompt** and select **Run as administrator**.
+4. Type the location of the script file. If you copied the file to the desktop, type: *%userprofile%\Desktop\WindowsDefenderATPLocalOnboardingScript.cmd*
- ![Window Start menu pointing to Run as administrator](images/run-as-admin.png)
-
-4. Type the location of the script file. If you copied the file to the desktop, type: *%userprofile%\Desktop\WindowsDefenderATPLocalOnboardingScript.cmd*
-
-5. Press the **Enter** key or click **OK**.
+5. Press the **Enter** key or click **OK**.
For information on how you can manually validate that the device is compliant and correctly reports sensor data see, [Troubleshoot Microsoft Defender for Endpoint onboarding issues](troubleshoot-onboarding.md). -
->[!TIP]
+> [!TIP]
> After onboarding the device, you can choose to run a detection test to verify that a device is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender for Endpoint endpoint](run-detection-test.md). ## Configure sample collection settings+ For each device, you can set a configuration value to state whether samples can be collected from the device when a request is made through Microsoft 365 Defender to submit a file for deep analysis.
-You can manually configure the sample sharing setting on the device by using *regedit* or creating and running a *.reg* file.
+You can manually configure the sample sharing setting on the device by using *regedit* or creating and running a *.reg* file.
The configuration is set through the following registry key entry:
Path: "HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection"
Name: "AllowSampleCollection" Value: 0 or 1 ```
-Where:<br>
-Name type is a D-WORD. <br>
-Possible values are:
+
+Where Name type is a D-WORD. Possible values are:
+ - 0 - doesn't allow sample sharing from this device - 1 - allows sharing of all file types from this device The default value in case the registry key doesn't exist is 1. ## Run a detection test to verify onboarding+ After onboarding the device, you can choose to run a detection test to verify that a device is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender for Endpoint device](run-detection-test.md). ## Offboard devices using a local script+ For security reasons, the package used to Offboard devices will expire 30 days after the date it was downloaded. Expired offboarding packages sent to a device will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name. > [!NOTE] > Onboarding and offboarding policies must not be deployed on the same device at the same time, otherwise this will cause unpredictable collisions. 1. Get the offboarding package from [Microsoft 365 Defender portal](https://security.microsoft.com/):-
- 1. In the navigation pane, select **Settings** > **Endpoints** > **Device management** > **Offboarding**.
-
- 1. Select Windows 10 as the operating system.
-
- 1. In the **Deployment method** field, select **Local Script**.
-
- 1. Click **Download package** and save the .zip file.
+ 1. In the navigation pane, select **Settings** \> **Endpoints** \> **Device management** \> **Offboarding**.
+ 2. Select Windows 10 as the operating system.
+ 3. In the **Deployment method** field, select **Local Script**.
+ 4. Click **Download package** and save the .zip file.
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the devices. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*.
-3. Open an elevated command-line prompt on the device and run the script:
-
- 1. Go to **Start** and type **cmd**.
-
- 1. Right-click **Command prompt** and select **Run as administrator**.
+3. Open an elevated command-line prompt on the device and run the script:
+ 1. Go to **Start** and type **cmd**.
+ 2. Right-click **Command prompt** and select **Run as administrator**.
- ![Window Start menu pointing to Run as administrator](images/run-as-admin.png)
+ ![Window Start menu pointing to Run as administrator](images/run-as-admin.png)
-4. Type the location of the script file. If you copied the file to the desktop, type: *%userprofile%\Desktop\WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*
+4. Type the location of the script file. If you copied the file to the desktop, type: *%userprofile%\Desktop\WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*
-5. Press the **Enter** key or click **OK**.
+5. Press the **Enter** key or click **OK**.
> [!IMPORTANT] > Offboarding causes the device to stop sending sensor data to the portal but data from the device, including reference to any alerts it has had will be retained for up to 6 months. - ## Monitor device configuration+ You can follow the different verification steps in the [Troubleshoot onboarding issues](troubleshoot-onboarding.md) to verify that the script completed successfully and the agent is running. Monitoring can also be done directly on the portal, or by using the different deployment tools. ### Monitor devices using the portal
-1. Go to Microsoft 365 Defender portal.
+1. Go to Microsoft 365 Defender portal.
2. Click **Devices inventory**.- 3. Verify that devices are appearing. ## Related topics+ - [Onboard Windows 10 devices using Group Policy](configure-endpoints-gp.md) - [Onboard Windows 10 devices using Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md) - [Onboard Windows 10 devices using Mobile Device Management tools](configure-endpoints-mdm.md)
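Review bot: `Where Name type is a D-WORD` should say the value type is `REG_DWORD`; `D-WORD` is not a registry type name. The same section says the default when the key is absent is `1` (sample sharing allowed), so an organization that wants to block deep-analysis sample collection has to create the value explicitly; state that up front rather than as a trailing sentence, and since the text offers a `.reg` file as one of the two methods but shows neither, give it: under `[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection]` the line `"AllowSampleCollection"=dword:00000000`. The onboarding steps still have the reader extract the package to `%userprofile%\Desktop`; the extracted script is tenant-specific, so tell readers to delete it after the script completes. Step 2 of the portal check says `**Devices inventory**` while the VDI article in this same changeset says `**Devices list**`; use one name.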
security Configure Endpoints Vdi https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-endpoints-vdi.md
ms.technology: mde
## Onboard non-persistent virtual desktop infrastructure (VDI) devices
-Defender for Endpoint supports non-persistent VDI session onboarding.
+Defender for Endpoint supports non-persistent VDI session onboarding.
There might be associated challenges when onboarding VDIs. The following are typical challenges for this scenario:
VDI devices can appear in Defender for Endpoint portal as either:
The following steps will guide you through onboarding VDI devices and will highlight steps for single and multiple entries.
->[!WARNING]
-> For environments where there are low resource configurations, the VDI boot procedure might slow the Defender for Endpoint sensor onboarding.
-
+> [!WARNING]
+> For environments where there are low resource configurations, the VDI boot procedure might slow the Defender for Endpoint sensor onboarding.
### For Windows 10 or Windows Server 2019
-1. Open the VDI configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Microsoft 365 Defender portal](https://security.microsoft.com/):
-
- 1. In the navigation pane, select **Settings** > **Endpoints** > **Device management** > **Onboarding**.
-
- 1. Select Windows 10 as the operating system.
-
- 1. In the **Deployment method** field, select **VDI onboarding scripts for non-persistent endpoints**.
-
- 1. Click **Download package** and save the .zip file.
-
-2. Copy the files from the WindowsDefenderATPOnboardingPackage folder extracted from the .zip file into the golden/master image under the path `C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup`.
+1. Open the VDI configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Microsoft 365 Defender portal](https://security.microsoft.com/):
+ 1. In the navigation pane, select **Settings** \> **Endpoints** \> **Device management** \> **Onboarding**.
+ 2. Select Windows 10 as the operating system.
+ 3. In the **Deployment method** field, select **VDI onboarding scripts for non-persistent endpoints**.
+ 4. Click **Download package** and save the .zip file.
+2. Copy the files from the WindowsDefenderATPOnboardingPackage folder extracted from the .zip file into the golden/master image under the path `C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup`.
1. If you are implementing multiple entries for each device - one for each session, copy WindowsDefenderATPOnboardingScript.cmd.
+ 2. If you're implementing a single entry for each device, copy both Onboard-NonPersistentMachine.ps1 and WindowsDefenderATPOnboardingScript.cmd.
- 1. If you're implementing a single entry for each device, copy both Onboard-NonPersistentMachine.ps1 and WindowsDefenderATPOnboardingScript.cmd.
-
> [!NOTE] > If you don't see the `C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup` folder, it might be hidden. You'll need to choose the **Show hidden files and folders** option from File Explorer.
-3. Open a Local Group Policy Editor window and navigate to **Computer Configuration** > **Windows Settings** > **Scripts** > **Startup**.
+3. Open a Local Group Policy Editor window and navigate to **Computer Configuration** \> **Windows Settings** \> **Scripts** \> **Startup**.
> [!NOTE] > Domain Group Policy may also be used for onboarding non-persistent VDI devices. 4. Depending on the method you'd like to implement, follow the appropriate steps:- - For single entry for each device:
-
+ Select the **PowerShell Scripts** tab, then click **Add** (Windows Explorer will open directly in the path where you copied the onboarding script earlier). Navigate to onboarding PowerShell script `Onboard-NonPersistentMachine.ps1`. There's no need to specify the other file, as it will be triggered automatically.
-
+ - For multiple entries for each device:
-
+ Select the **Scripts** tab, then click **Add** (Windows Explorer will open directly in the path where you copied the onboarding script earlier). Navigate to the onboarding bash script `WindowsDefenderATPOnboardingScript.cmd`. 5. Test your solution:- 1. Create a pool with one device.
-
- 1. Log on to device.
-
- 1. Log off from device.
-
- 1. Log on to device with another user.
-
- 1. Depending on the method you'd like to implement, follow the appropriate steps:
-
- - For single entry for each device:
-
- Check only one entry in Microsoft 365 Defender portal.
-
- - For multiple entries for each device:
-
- Check multiple entries in Microsoft 365 Defender portal.
-
+ 2. Log on to device.
+ 3. Log off from device.
+ 4. Log on to device with another user.
+ 5. Depending on the method you'd like to implement, follow the appropriate steps:
+ - For single entry for each device: Check only one entry in Microsoft 365 Defender portal.
+ - For multiple entries for each device: Check multiple entries in Microsoft 365 Defender portal.
6. Click **Devices list** on the Navigation pane. 7. Use the search function by entering the device name and select **Device** as search type. - ## For downlevel SKUs (Windows Server 2008 R2/2012 R2/2016) > [!NOTE]
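Review bot: `Navigate to the onboarding bash script \`WindowsDefenderATPOnboardingScript.cmd\`` is wrong on a Windows golden image; a `.cmd` file is a Windows batch script, so say `batch script` or just `script`. The single-entry branch says `There's no need to specify the other file, as it will be triggered automatically`, which only holds because step 2 had the reader copy both `Onboard-NonPersistentMachine.ps1` and `WindowsDefenderATPOnboardingScript.cmd` into `C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup`; state that the .ps1 expects the .cmd beside it in that folder so nobody trims step 2. Step 6 sends the reader to `**Devices list**` while the local-script article in this changeset calls the page `**Devices inventory**`; use one name.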
The following steps will guide you through onboarding VDI devices and will highl
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging" /v VDI /t REG_SZ /d "NonPersistent" /f ```
-2. Follow the [server onboarding process](configure-server-endpoints.md#windows-server-2008-r2-sp1-windows-server-2012-r2-and-windows-server-2016).
+2. Follow the [server onboarding process](configure-server-endpoints.md#windows-server-2008-r2-sp1-windows-server-2012-r2-and-windows-server-2016).
+## Updating non-persistent virtual desktop infrastructure (VDI) images
+As a best practice, we recommend using offline servicing tools to patch golden/master images.
-## Updating non-persistent virtual desktop infrastructure (VDI) images
-As a best practice, we recommend using offline servicing tools to patch golden/master images.<br>
For example, you can use the below commands to install an update while the image remains offline: ```console
-DISM /Mount-image /ImageFile:"D:\Win10-1909.vhdx" /index:1 /MountDir:"C:\Temp\OfflineServicing"
+DISM /Mount-image /ImageFile:"D:\Win10-1909.vhdx" /index:1 /MountDir:"C:\Temp\OfflineServicing"
DISM /Image:"C:\Temp\OfflineServicing" /Add-Package /Packagepath:"C:\temp\patch\windows10.0-kb4541338-x64.msu" DISM /Unmount-Image /MountDir:"C:\Temp\OfflineServicing" /commit ``` For more information on DISM commands and offline servicing, refer to the articles below:+ - [Modify a Windows image using DISM](/windows-hardware/manufacture/desktop/mount-and-modify-a-windows-image-using-dism) - [DISM Image Management Command-Line Options](/windows-hardware/manufacture/desktop/dism-image-management-command-line-options-s14) - [Reduce the Size of the Component Store in an Offline Windows Image](/windows-hardware/manufacture/desktop/reduce-the-size-of-the-component-store-in-an-offline-windows-image)
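Review bot: the DISM example kept as context in this hunk (`DISM /Mount-image /ImageFile:"D:\Win10-1909.vhdx" /index:1 /MountDir:"C:\Temp\OfflineServicing"`) silently assumes that `C:\Temp\OfflineServicing` already exists and is empty, which DISM expects of a mount directory, and that image index 1 is the golden image. Since the heading and the "As a best practice, we recommend using offline servicing tools" sentence are being moved anyway, add a preceding `md C:\Temp\OfflineServicing` and a sentence pointing readers at `DISM /Get-ImageInfo /ImageFile:"D:\Win10-1909.vhdx"` to confirm the index before mounting. Unrelated to the move, the `+2. Follow the [server onboarding process]` line is identical to the `-` line it replaces apart from trailing whitespace, so this hunk mixes a whitespace-only change into a content move, which makes the real change harder to spot.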
If offline servicing isn't a viable option for your non-persistent VDI environme
5. Reseal the golden/master image as you normally would. ## Related topics+ - [Onboard Windows 10 devices using Group Policy](configure-endpoints-gp.md) - [Onboard Windows 10 devices using Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md) - [Onboard Windows 10 devices using Mobile Device Management tools](configure-endpoints-mdm.md)
security Configure Exclusions Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-exclusions-microsoft-defender-antivirus.md
Title: Set up exclusions for Microsoft Defender Antivirus scans description: You can exclude files (including files modified by specified processes) and folders from being scanned by Microsoft Defender Antivirus. Validate your exclusions with PowerShell.
-keywords:
+keywords:
search.product: eADQiWindows 10XVcnh ms.prod: m365-security ms.mktglfcycl: manage
To configure and validate exclusions, see the following:
## Recommendations for defining exclusions > [!IMPORTANT]
-> Microsoft Defender Antivirus includes many automatic exclusions based on known operating system behaviors and typical management files, such as those used in enterprise management, database management, and other enterprise scenarios and situations.
->
+> Microsoft Defender Antivirus includes many automatic exclusions based on known operating system behaviors and typical management files, such as those used in enterprise management, database management, and other enterprise scenarios and situations.
+>
> Defining exclusions lowers the protection offered by Microsoft Defender Antivirus. You should always evaluate the risks that are associated with implementing exclusions, and you should only exclude files that you are confident are not malicious.
-Keep the following points in mind when you are defining exclusions:
+Keep the following points in mind when you are defining exclusions:
- Exclusions are technically a protection gap. Consider all your options when defining exclusions. Other options can be as simple as making sure the excluded location has the appropriate access-control lists (ACLs) or setting policies to audit mode at first.
security Configure Extension File Exclusions Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-extension-file-exclusions-microsoft-defender-antivirus.md
-+
- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/) - Microsoft Defender Antivirus
-You can define exclusions for Microsoft Defender Antivirus that apply to [scheduled scans](schedule-antivirus-scans.md), [on-demand scans](run-scan-microsoft-defender-antivirus.md), and [always-on, real-time protection and monitoring](configure-real-time-protection-microsoft-defender-antivirus.md). **Generally, you shouldn't need to apply exclusions**. If you do need to apply exclusions, you can choose from several different kinds:
+You can define exclusions for Microsoft Defender Antivirus that apply to [scheduled scans](schedule-antivirus-scans.md), [on-demand scans](run-scan-microsoft-defender-antivirus.md), and [always-on, real-time protection and monitoring](configure-real-time-protection-microsoft-defender-antivirus.md). **Generally, you shouldn't need to apply exclusions**. If you do need to apply exclusions, you can choose from several different kinds:
- Exclusions based on file extensions and folder locations (described in this article)-- [Exclusions for files that are opened by processes](configure-process-opened-file-exclusions-microsoft-defender-antivirus.md)
+- [Exclusions for files that are opened by processes](configure-process-opened-file-exclusions-microsoft-defender-antivirus.md)
> [!IMPORTANT]
-> Microsoft Defender Antivirus exclusions don't apply to other Microsoft Defender for Endpoint capabilities, including [endpoint detection and response (EDR)](/microsoft-365/security/defender-endpoint/overview-endpoint-detection-response), [attack surface reduction (ASR) rules](/microsoft-365/security/defender-endpoint/attack-surface-reduction), and [controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders). Files that you exclude using the methods described in this article can still trigger EDR alerts and other detections.
+> Microsoft Defender Antivirus exclusions don't apply to other Microsoft Defender for Endpoint capabilities, including [endpoint detection and response (EDR)](/microsoft-365/security/defender-endpoint/overview-endpoint-detection-response), [attack surface reduction (ASR) rules](/microsoft-365/security/defender-endpoint/attack-surface-reduction), and [controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders). Files that you exclude using the methods described in this article can still trigger EDR alerts and other detections.
> To exclude files broadly, add them to the Microsoft Defender for Endpoint [custom indicators](/microsoft-365/security/defender-endpoint/manage-indicators). ## Before you begin...
To exclude certain files from Microsoft Defender Antivirus scans, you modify you
> > Automatic exclusions apply only to Windows Server 2016 and later. These exclusions are not visible in the Windows Security app and in PowerShell.
-The following table lists some examples of exclusions based on file extension and folder location. <br/><br/>
+The following table lists some examples of exclusions based on file extension and folder location.
-| Exclusion | Examples | Exclusion list |
-|:|:|:|
-|Any file with a specific extension | All files with the specified extension, anywhere on the machine. <p> Valid syntax: `.test` and `test` | Extension exclusions |
-|Any file under a specific folder | All files under the `c:\test\sample` folder | File and folder exclusions |
-| A specific file in a specific folder | The file `c:\sample\sample.test` only | File and folder exclusions |
-| A specific process | The executable file `c:\test\process.exe` | File and folder exclusions |
+<br>
+
+****
+
+|Exclusion|Examples|Exclusion list|
+||||
+|Any file with a specific extension|All files with the specified extension, anywhere on the machine. <p> Valid syntax: `.test` and `test`|Extension exclusions|
+|Any file under a specific folder|All files under the `c:\test\sample` folder|File and folder exclusions|
+|A specific file in a specific folder|The file `c:\sample\sample.test` only|File and folder exclusions|
+|A specific process|The executable file `c:\test\process.exe`|File and folder exclusions|
+|
## Characteristics of exclusion lists - Folder exclusions apply to all files and folders under that folder, unless the subfolder is a reparse point. Reparse point subfolders must be excluded separately.- - File extensions apply to any file name with the defined extension if a path or folder is not defined. ## Important notes about exclusions based on file extensions and folder locations
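Review bot: the rebuilt table keeps the row "A specific process | The executable file `c:\test\process.exe` | File and folder exclusions", which blurs two different exclusion kinds: a file-and-folder exclusion for `c:\test\process.exe` only keeps that executable itself from being scanned, while excluding the files a process opens is the separate process-exclusion mechanism that the bullet "[Exclusions for files that are opened by processes]" earlier in this hunk links to. Rename the first cell to something like "A specific executable file", or drop the row and leave process exclusions to that article, so readers do not add a path exclusion expecting it to cover what `process.exe` touches.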
You can choose from several methods to define exclusions for Microsoft Defender
### Use Intune to configure file name, folder, or file extension exclusions
-See the following articles:
+See the following articles:
- [Configure device restriction settings in Microsoft Intune](/intune/device-restrictions-configure)- - [Microsoft Defender Antivirus device restriction settings for Windows 10 in Intune](/intune/device-restrictions-windows-10#microsoft-defender-antivirus) ### Use Configuration Manager to configure file name, folder, or file extension exclusions
See [How to create and deploy antimalware policies: Exclusion settings](/configm
### Use Group Policy to configure folder or file extension exclusions
->[!NOTE]
->If you specify a fully qualified path to a file, then only that file is excluded. If a folder is defined in the exclusion, then all files and subdirectories under that folder are excluded.
+> [!NOTE]
+> If you specify a fully qualified path to a file, then only that file is excluded. If a folder is defined in the exclusion, then all files and subdirectories under that folder are excluded.
1. On your Group Policy management computer, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and select **Edit**. 2. In the **Group Policy Management Editor** go to **Computer configuration** and select **Administrative templates**.
-3. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Exclusions**.
+3. Expand the tree to **Windows components** \> **Microsoft Defender Antivirus** \> **Exclusions**.
4. Open the **Path Exclusions** setting for editing, and add your exclusions.- 1. Set the option to **Enabled**. 2. Under the **Options** section, select **Show**. 3. Specify each folder on its own line under the **Value name** column.
See [How to create and deploy antimalware policies: Exclusion settings](/configm
5. Choose **OK**. 6. Open the **Extension Exclusions** setting for editing and add your exclusions.- 1. Set the option to **Enabled**. 2. Under the **Options** section, select **Show**.
- 3. Enter each file extension on its own line under the **Value name** column. Enter **0** in the **Value** column.
+ 3. Enter each file extension on its own line under the **Value name** columnEnter **0** in the **Value** column.
7. Choose **OK**.
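Review bot: the added sub-step "3. Enter each file extension on its own line under the **Value name** columnEnter **0** in the **Value** column." drops the period and space that the removed line had between "column" and "Enter", so two sentences are now fused. Restore "column. Enter **0** in the **Value** column." The rest of this hunk only re-indents the list, so this is the one content change in it and it is a regression.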
The format for the cmdlets is as follows:
The following table lists cmdlets that you can use in the `<cmdlet>` portion of the PowerShell cmdlet:
-| Configuration action | PowerShell cmdlet |
+<br>
+
+****
+
+|Configuration action|PowerShell cmdlet|
|:|:|
-|Create or overwrite the list | `Set-MpPreference` |
-|Add to the list | `Add-MpPreference` |
-|Remove item from the list | `Remove-MpPreference` |
+|Create or overwrite the list|`Set-MpPreference`|
+|Add to the list|`Add-MpPreference`|
+|Remove item from the list|`Remove-MpPreference`|
+|
The following table lists values that you can use in the `<exclusion list>` portion of the PowerShell cmdlet:
-| Exclusion type | PowerShell parameter |
-|:|:|
-| All files with a specified file extension | `-ExclusionExtension` |
-| All files under a folder (including files in subdirectories), or a specific file | `-ExclusionPath` |
+<br>
+
+****
+
+|Exclusion type|PowerShell parameter|
+|||
+|All files with a specified file extension|`-ExclusionExtension`|
+|All files under a folder (including files in subdirectories), or a specific file|`-ExclusionPath`|
+|
> [!IMPORTANT] > If you have created a list, either with `Set-MpPreference` or `Add-MpPreference`, using the `Set-MpPreference` cmdlet again will overwrite the existing list.
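Review bot: the section still gives the cmdlet format and two lookup tables but never shows a complete command, so the warning that closes this hunk ("using the `Set-MpPreference` cmdlet again will overwrite the existing list") stays abstract. One concrete sequence after the second table would make it actionable, for example `Add-MpPreference -ExclusionPath "C:\test\sample"` followed by `Get-MpPreference | Select-Object ExclusionExtension, ExclusionPath` to confirm the entry is present, and then `Set-MpPreference -ExclusionPath "C:\other"` with a second `Get-MpPreference` to show that the first path is gone; that is exactly the overwrite behavior the warning describes, and readers would see the difference between `Add-` and `Set-` rather than being told about it.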
You can use the asterisk `*`, question mark `?`, or environment variables (such
> [!IMPORTANT] > There are key limitations and usage scenarios for these wildcards:
+>
> - Environment variable usage is limited to machine variables and those applicable to processes running as an NT AUTHORITY\SYSTEM account. > - You cannot use a wildcard in place of a drive letter. > - An asterisk `*` in a folder exclusion stands in place for a single folder. Use multiple instances of `\*\` to indicate multiple nested folders with unspecified names. The following table describes how the wildcards can be used and provides some examples.
-| Wildcard | Examples |
-|:|:|
-| `*` (asterisk) <p> In **file name and file extension inclusions**, the asterisk replaces any number of characters, and only applies to files in the last folder defined in the argument. <p> In **folder exclusions**, the asterisk replaces a single folder. Use multiple `*` with folder slashes `\` to indicate multiple nested folders. After matching the number of wild carded and named folders, all subfolders are also included. | `C:\MyData\*.txt` includes `C:\MyData\notes.txt` <p> `C:\somepath\*\Data` includes any file in `C:\somepath\Archives\Data` and its subfolders, and `C:\somepath\Authorized\Data` and its subfolders <p> `C:\Serv\*\*\Backup` includes any file in `C:\Serv\Primary\Denied\Backup` and its subfolders and `C:\Serv\Secondary\Allowed\Backup` and its subfolders |
-| `?` (question mark) <p> In **file name and file extension inclusions**, the question mark replaces a single character, and only applies to files in the last folder defined in the argument. <p> In **folder exclusions**, the question mark replaces a single character in a folder name. After matching the number of wild carded and named folders, all subfolders are also included. | `C:\MyData\my?.zip` includes `C:\MyData\my1.zip` <p> `C:\somepath\?\Data` includes any file in `C:\somepath\P\Data` and its subfolders <p> `C:\somepath\test0?\Data` would include any file in `C:\somepath\test01\Data` and its subfolders |
-| Environment variables <p> The defined variable is populated as a path when the exclusion is evaluated. |`%ALLUSERSPROFILE%\CustomLogFiles` would include `C:\ProgramData\CustomLogFiles\Folder1\file1.txt` |
-
+<br>
+
+****
+
+|Wildcard|Examples|
+|||
+|`*` (asterisk) <p> In **file name and file extension inclusions**, the asterisk replaces any number of characters, and only applies to files in the last folder defined in the argument. <p> In **folder exclusions**, the asterisk replaces a single folder. Use multiple `*` with folder slashes `\` to indicate multiple nested folders. After matching the number of wild carded and named folders, all subfolders are also included.|`C:\MyData\*.txt` includes `C:\MyData\notes.txt` <p> `C:\somepath\*\Data` includes any file in `C:\somepath\Archives\Data` and its subfolders, and `C:\somepath\Authorized\Data` and its subfolders <p> `C:\Serv\*\*\Backup` includes any file in `C:\Serv\Primary\Denied\Backup` and its subfolders and `C:\Serv\Secondary\Allowed\Backup` and its subfolders|
+|`?` (question mark) <p> In **file name and file extension inclusions**, the question mark replaces a single character, and only applies to files in the last folder defined in the argument. <p> In **folder exclusions**, the question mark replaces a single character in a folder name. After matching the number of wild carded and named folders, all subfolders are also included.|`C:\MyData\my?.zip` includes `C:\MyData\my1.zip` <p> `C:\somepath\?\Data` includes any file in `C:\somepath\P\Data` and its subfolders <p> `C:\somepath\test0?\Data` would include any file in `C:\somepath\test01\Data` and its subfolders|
+|Environment variables <p> The defined variable is populated as a path when the exclusion is evaluated.|`%ALLUSERSPROFILE%\CustomLogFiles` would include `C:\ProgramData\CustomLogFiles\Folder1\file1.txt`|
+|
> [!IMPORTANT] > If you mix a file exclusion argument with a folder exclusion argument, the rules will stop at the file argument match in the matched folder, and will not look for file matches in any subfolders.
+>
> For example, you can exclude all files that start with "date" in the folders `c:\data\final\marked` and `c:\data\review\marked` by using the rule argument `c:\data\*\marked\date*`.
+>
> This argument, however, will not match any files in subfolders under `c:\data\final\marked` or `c:\data\review\marked`. <a id="review"></a> ### System environment variables
-The following table lists and describes the system account environment variables.
-
-| This system environment variable... | Redirects to this |
-|:--|:--|
-| `%APPDATA%`| `C:\Users\UserName.DomainName\AppData\Roaming` |
-| `%APPDATA%\Microsoft\Internet Explorer\Quick Launch` | `C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch` |
-| `%APPDATA%\Microsoft\Windows\Start Menu` | `C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu` |
-| `%APPDATA%\Microsoft\Windows\Start Menu\Programs` | `C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs` |
-| `%LOCALAPPDATA%` | `C:\Windows\System32\config\systemprofile\AppData\Local` |
-| `%ProgramData%` | `C:\ProgramData` |
-| `%ProgramFiles%` | `C:\Program Files` |
-| `%ProgramFiles%\Common Files` | `C:\Program Files\Common Files` |
-| `%ProgramFiles%\Windows Sidebar\Gadgets` | `C:\Program Files\Windows Sidebar\Gadgets` |
-| `%ProgramFiles%\Common Files` | `C:\Program Files\Common Files` |
-| `%ProgramFiles(x86)%` | `C:\Program Files (x86)` |
-| `%ProgramFiles(x86)%\Common Files` | `C:\Program Files (x86)\Common Files` |
-| `%SystemDrive%` | `C:` |
-| `%SystemDrive%\Program Files` | `C:\Program Files` |
-| `%SystemDrive%\Program Files (x86)` | `C:\Program Files (x86)` |
-| `%SystemDrive%\Users` | `C:\Users` |
-| `%SystemDrive%\Users\Public` | `C:\Users\Public` |
-| `%SystemRoot%` | `C:\Windows` |
-| `%windir%` | `C:\Windows` |
-| `%windir%\Fonts` | `C:\Windows\Fonts` |
-| `%windir%\Resources` | `C:\Windows\Resources` |
-| `%windir%\resources\0409` | `C:\Windows\resources\0409` |
-| `%windir%\system32` | `C:\Windows\System32` |
-| `%ALLUSERSPROFILE%` | `C:\ProgramData` |
-| `%ALLUSERSPROFILE%\Application Data` | `C:\ProgramData\Application Data` |
-| `%ALLUSERSPROFILE%\Documents` | `C:\ProgramData\Documents` |
-| `%ALLUSERSPROFILE%\Documents\My Music\Sample Music` | `C:\ProgramData\Documents\My Music\Sample Music` |
-| `%ALLUSERSPROFILE%\Documents\My Music` | `C:\ProgramData\Documents\My Music` |
-| `%ALLUSERSPROFILE%\Documents\My Pictures` | `C:\ProgramData\Documents\My Pictures` |
-| `%ALLUSERSPROFILE%\Documents\My Pictures\Sample Pictures` | `C:\ProgramData\Documents\My Pictures\Sample Pictures` |
-| `%ALLUSERSPROFILE%\Documents\My Videos` | `C:\ProgramData\Documents\My Videos` |
-| `%ALLUSERSPROFILE%\Microsoft\Windows\DeviceMetadataStore` | `C:\ProgramData\Microsoft\Windows\DeviceMetadataStore` |
-| `%ALLUSERSPROFILE%\Microsoft\Windows\GameExplorer` | `C:\ProgramData\Microsoft\Windows\GameExplorer` |
-| `%ALLUSERSPROFILE%\Microsoft\Windows\Ringtones` | `C:\ProgramData\Microsoft\Windows\Ringtones` |
-| `%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu` | `C:\ProgramData\Microsoft\Windows\Start Menu` |
-| `%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs` | `C:\ProgramData\Microsoft\Windows\Start Menu\Programs` |
-| `%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Administrative Tools` | `C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools` |
-| `%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\StartUp` | `C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp` |
-| `%ALLUSERSPROFILE%\Microsoft\Windows\Templates` | `C:\ProgramData\Microsoft\Windows\Templates` |
-| `%ALLUSERSPROFILE%\Start Menu` | `C:\ProgramData\Start Menu` |
-| `%ALLUSERSPROFILE%\Start Menu\Programs` | C:\ProgramData\Start Menu\Programs |
-| `%ALLUSERSPROFILE%\Start Menu\Programs\Administrative Tools` | `C:\ProgramData\Start Menu\Programs\Administrative Tools` |
-| `%ALLUSERSPROFILE%\Templates` | `C:\ProgramData\Templates` |
-| `%LOCALAPPDATA%\Microsoft\Windows\ConnectedSearch\Templates` | `C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\ConnectedSearch\Templates` |
-| `%LOCALAPPDATA%\Microsoft\Windows\History` | `C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History` |
-| `%PUBLIC%` | `C:\Users\Public` |
-| `%PUBLIC%\AccountPictures` | `C:\Users\Public\AccountPictures` |
-| `%PUBLIC%\Desktop` | `C:\Users\Public\Desktop` |
-| `%PUBLIC%\Documents` | `C:\Users\Public\Documents` |
-| `%PUBLIC%\Downloads` | `C:\Users\Public\Downloads` |
-| `%PUBLIC%\Music\Sample Music` | `C:\Users\Public\Music\Sample Music` |
-| `%PUBLIC%\Music\Sample Playlists` | `C:\Users\Public\Music\Sample Playlists` |
-| `%PUBLIC%\Pictures\Sample Pictures` | `C:\Users\Public\Pictures\Sample Pictures` |
-| `%PUBLIC%\RecordedTV.library-ms` | `C:\Users\Public\RecordedTV.library-ms` |
-| `%PUBLIC%\Videos` | `C:\Users\Public\Videos` |
-| `%PUBLIC%\Videos\Sample Videos` | `C:\Users\Public\Videos\Sample Videos` |
-| `%USERPROFILE%` | `C:\Windows\System32\config\systemprofile` |
-| `%USERPROFILE%\AppData\Local` | `C:\Windows\System32\config\systemprofile\AppData\Local` |
-| `%USERPROFILE%\AppData\LocalLow` | `C:\Windows\System32\config\systemprofile\AppData\LocalLow` |
-| `%USERPROFILE%\AppData\Roaming` | `C:\Windows\System32\config\systemprofile\AppData\Roaming` |
-
+The following table lists and describes the system account environment variables.
+
+<br>
+
+****
+
+|This system environment variable...|Redirects to this|
+|||
+|`%APPDATA%`|`C:\Users\UserName.DomainName\AppData\Roaming`|
+|`%APPDATA%\Microsoft\Internet Explorer\Quick Launch`|`C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch`|
+|`%APPDATA%\Microsoft\Windows\Start Menu`|`C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu`|
+|`%APPDATA%\Microsoft\Windows\Start Menu\Programs`|`C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs`|
+|`%LOCALAPPDATA%`|`C:\Windows\System32\config\systemprofile\AppData\Local`|
+|`%ProgramData%`|`C:\ProgramData`|
+|`%ProgramFiles%`|`C:\Program Files`|
+|`%ProgramFiles%\Common Files`|`C:\Program Files\Common Files`|
+|`%ProgramFiles%\Windows Sidebar\Gadgets`|`C:\Program Files\Windows Sidebar\Gadgets`|
+|`%ProgramFiles%\Common Files`|`C:\Program Files\Common Files`|
+|`%ProgramFiles(x86)%`|`C:\Program Files (x86)`|
+|`%ProgramFiles(x86)%\Common Files`|`C:\Program Files (x86)\Common Files`|
+|`%SystemDrive%`|`C:`|
+|`%SystemDrive%\Program Files`|`C:\Program Files`|
+|`%SystemDrive%\Program Files (x86)`|`C:\Program Files (x86)`|
+|`%SystemDrive%\Users`|`C:\Users`|
+|`%SystemDrive%\Users\Public`|`C:\Users\Public`|
+|`%SystemRoot%`|`C:\Windows`|
+|`%windir%`|`C:\Windows`|
+|`%windir%\Fonts`|`C:\Windows\Fonts`|
+|`%windir%\Resources`|`C:\Windows\Resources`|
+|`%windir%\resources\0409`|`C:\Windows\resources\0409`|
+|`%windir%\system32`|`C:\Windows\System32`|
+|`%ALLUSERSPROFILE%`|`C:\ProgramData`|
+|`%ALLUSERSPROFILE%\Application Data`|`C:\ProgramData\Application Data`|
+|`%ALLUSERSPROFILE%\Documents`|`C:\ProgramData\Documents`|
+|`%ALLUSERSPROFILE%\Documents\My Music\Sample Music`|`C:\ProgramData\Documents\My Music\Sample Music`|
+|`%ALLUSERSPROFILE%\Documents\My Music`|`C:\ProgramData\Documents\My Music`|
+|`%ALLUSERSPROFILE%\Documents\My Pictures`|`C:\ProgramData\Documents\My Pictures`|
+|`%ALLUSERSPROFILE%\Documents\My Pictures\Sample Pictures`|`C:\ProgramData\Documents\My Pictures\Sample Pictures`|
+|`%ALLUSERSPROFILE%\Documents\My Videos`|`C:\ProgramData\Documents\My Videos`|
+|`%ALLUSERSPROFILE%\Microsoft\Windows\DeviceMetadataStore`|`C:\ProgramData\Microsoft\Windows\DeviceMetadataStore`|
+|`%ALLUSERSPROFILE%\Microsoft\Windows\GameExplorer`|`C:\ProgramData\Microsoft\Windows\GameExplorer`|
+|`%ALLUSERSPROFILE%\Microsoft\Windows\Ringtones`|`C:\ProgramData\Microsoft\Windows\Ringtones`|
+|`%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu`|`C:\ProgramData\Microsoft\Windows\Start Menu`|
+|`%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs`|`C:\ProgramData\Microsoft\Windows\Start Menu\Programs`|
+|`%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Administrative Tools`|`C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools`|
+|`%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\StartUp`|`C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp`|
+|`%ALLUSERSPROFILE%\Microsoft\Windows\Templates`|`C:\ProgramData\Microsoft\Windows\Templates`|
+|`%ALLUSERSPROFILE%\Start Menu`|`C:\ProgramData\Start Menu`|
+|`%ALLUSERSPROFILE%\Start Menu\Programs`|C:\ProgramData\Start Menu\Programs|
+|`%ALLUSERSPROFILE%\Start Menu\Programs\Administrative Tools`|`C:\ProgramData\Start Menu\Programs\Administrative Tools`|
+|`%ALLUSERSPROFILE%\Templates`|`C:\ProgramData\Templates`|
+|`%LOCALAPPDATA%\Microsoft\Windows\ConnectedSearch\Templates`|`C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\ConnectedSearch\Templates`|
+|`%LOCALAPPDATA%\Microsoft\Windows\History`|`C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History`|
+|`%PUBLIC%`|`C:\Users\Public`|
+|`%PUBLIC%\AccountPictures`|`C:\Users\Public\AccountPictures`|
+|`%PUBLIC%\Desktop`|`C:\Users\Public\Desktop`|
+|`%PUBLIC%\Documents`|`C:\Users\Public\Documents`|
+|`%PUBLIC%\Downloads`|`C:\Users\Public\Downloads`|
+|`%PUBLIC%\Music\Sample Music`|`C:\Users\Public\Music\Sample Music`|
+|`%PUBLIC%\Music\Sample Playlists`|`C:\Users\Public\Music\Sample Playlists`|
+|`%PUBLIC%\Pictures\Sample Pictures`|`C:\Users\Public\Pictures\Sample Pictures`|
+|`%PUBLIC%\RecordedTV.library-ms`|`C:\Users\Public\RecordedTV.library-ms`|
+|`%PUBLIC%\Videos`|`C:\Users\Public\Videos`|
+|`%PUBLIC%\Videos\Sample Videos`|`C:\Users\Public\Videos\Sample Videos`|
+|`%USERPROFILE%`|`C:\Windows\System32\config\systemprofile`|
+|`%USERPROFILE%\AppData\Local`|`C:\Windows\System32\config\systemprofile\AppData\Local`|
+|`%USERPROFILE%\AppData\LocalLow`|`C:\Windows\System32\config\systemprofile\AppData\LocalLow`|
+|`%USERPROFILE%\AppData\Roaming`|`C:\Windows\System32\config\systemprofile\AppData\Roaming`|
+|
## Review the list of exclusions You can retrieve the items in the exclusion list using one of the following methods:+ - [Intune](/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune) - [Microsoft Endpoint Configuration Manager](/configmgr/protect/deploy-use/endpoint-antimalware-policies) - MpCmdRun - PowerShell - [Windows Security app](microsoft-defender-security-center-antivirus.md)
->[!IMPORTANT]
->Exclusion list changes made with Group Policy **will show** in the lists in the [Windows Security app](microsoft-defender-security-center-antivirus.md).
+> [!IMPORTANT]
+> Exclusion list changes made with Group Policy **will show** in the lists in the [Windows Security app](microsoft-defender-security-center-antivirus.md).
>
->Changes made in the Windows Security app **will not show** in the Group Policy lists.
+> Changes made in the Windows Security app **will not show** in the Group Policy lists.
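Review bot: the moved environment-variable table carries an inconsistency in its first data row: `%APPDATA%` is mapped to `C:\Users\UserName.DomainName\AppData\Roaming`, but every other row in the table, including `%APPDATA%\Microsoft\Windows\Start Menu` directly beneath it and `%USERPROFILE%\AppData\Roaming` at the bottom, resolves the system account's profile to `C:\Windows\System32\config\systemprofile\...`, and the IMPORTANT block earlier in this hunk says variables are evaluated for processes running as NT AUTHORITY\SYSTEM. The row should read `C:\Windows\System32\config\systemprofile\AppData\Roaming`, or the table needs a sentence explaining why a user profile path appears there. While the table is being touched: `%ProgramFiles%\Common Files` is listed twice (once before and once after the `Windows Sidebar\Gadgets` row), and the `%ALLUSERSPROFILE%\Start Menu\Programs` row is the only one whose right-hand path is not in backticks. In the wildcard table above, the `*` and `?` rows describe behavior "In **file name and file extension inclusions**" and the examples say a pattern "includes" a path; this article is about exclusions, so "exclusions" and "matches" (or "excludes") would state the actual effect.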
If you use PowerShell, you can retrieve the list in two ways:
cd 4.18.1812.3 (Where 4.18.1812.3 is this month's MDAV "Platform Update".)
MpCmdRun.exe -CheckExclusion -path <path> ```
->[!NOTE]
->Checking exclusions with MpCmdRun requires Microsoft Defender Antivirus CAMP version 4.18.1812.3 (released in December 2018) or later.
+> [!NOTE]
+> Checking exclusions with MpCmdRun requires Microsoft Defender Antivirus CAMP version 4.18.1812.3 (released in December 2018) or later.
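Review bot: the context line `cd 4.18.1812.3 (Where 4.18.1812.3 is this month's MDAV "Platform Update".)` contradicts the note this hunk reformats, which says 4.18.1812.3 was released in December 2018 and is only the minimum version for `-CheckExclusion`; it is not "this month's" platform update, and a reader who copies the `cd` will land in a folder that does not exist on a current machine. Replace the hard-coded folder with an instruction to change into the newest version folder under `C:\ProgramData\Microsoft\Windows Defender\Platform`, for example `cd (Get-ChildItem "C:\ProgramData\Microsoft\Windows Defender\Platform" | Sort-Object { [version]$_.Name } | Select-Object -Last 1).FullName` in PowerShell, and then run `.\MpCmdRun.exe -CheckExclusion -path <path>`; the parenthetical about "this month's" update should be dropped.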
### Review the list of exclusions alongside all other Microsoft Defender Antivirus preferences by using PowerShell
You can also copy the string into a blank text file and attempt to save it with
## See also - [Configure and validate exclusions in Microsoft Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md)- - [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-microsoft-defender-antivirus.md)- - [Configure Microsoft Defender Antivirus exclusions on Windows Server](configure-server-exclusions-microsoft-defender-antivirus.md)- - [Common mistakes to avoid when defining exclusions](common-exclusion-mistakes-microsoft-defender-antivirus.md)
security Configure Local Policy Overrides Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-local-policy-overrides-microsoft-defender-antivirus.md
To configure these settings:
5. Deploy the Group Policy Object as usual.
-Location | Setting | Article
+Location|Setting|Article
|||
-MAPS | Configure local setting override for reporting to Microsoft MAPS | [Enable cloud-delivered protection](enable-cloud-protection-microsoft-defender-antivirus.md)
-Quarantine | Configure local setting override for the removal of items from Quarantine folder | [Configure remediation for scans](configure-remediation-microsoft-defender-antivirus.md)
-Real-time protection | Configure local setting override for monitoring file and program activity on your computer | [Enable and configure Microsoft Defender Antivirus always-on protection and monitoring](configure-real-time-protection-microsoft-defender-antivirus.md)
-Real-time protection | Configure local setting override for monitoring for incoming and outgoing file activity | [Enable and configure Microsoft Defender Antivirus always-on protection and monitoring](configure-real-time-protection-microsoft-defender-antivirus.md)
-Real-time protection | Configure local setting override for scanning all downloaded files and attachments | [Enable and configure Microsoft Defender Antivirus always-on protection and monitoring](configure-real-time-protection-microsoft-defender-antivirus.md)
-Real-time protection | Configure local setting override for turn on behavior monitoring | [Enable and configure Microsoft Defender Antivirus always-on protection and monitoring](configure-real-time-protection-microsoft-defender-antivirus.md)
-Real-time protection | Configure local setting override to turn on real-time protection | [Enable and configure Microsoft Defender Antivirus always-on protection and monitoring](configure-real-time-protection-microsoft-defender-antivirus.md)
-Remediation | Configure local setting override for the time of day to run a scheduled full scan to complete remediation | [Configure remediation for scans](configure-remediation-microsoft-defender-antivirus.md)
-Scan | Configure local setting override for maximum percentage of CPU utilization | [Configure and run scans](run-scan-microsoft-defender-antivirus.md)
-Scan | Configure local setting override for schedule scan day | [Configure scheduled scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md)
-Scan | Configure local setting override for scheduled quick scan time | [Configure scheduled scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md)
-Scan | Configure local setting override for scheduled scan time | [Configure scheduled scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md)
-Scan | Configure local setting override for the scan type to use for a scheduled scan | [Configure scheduled scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md)
+MAPS|Configure local setting override for reporting to Microsoft MAPS|[Enable cloud-delivered protection](enable-cloud-protection-microsoft-defender-antivirus.md)
+Quarantine|Configure local setting override for the removal of items from Quarantine folder|[Configure remediation for scans](configure-remediation-microsoft-defender-antivirus.md)
+Real-time protection|Configure local setting override for monitoring file and program activity on your computer|[Enable and configure Microsoft Defender Antivirus always-on protection and monitoring](configure-real-time-protection-microsoft-defender-antivirus.md)
+Real-time protection|Configure local setting override for monitoring for incoming and outgoing file activity|[Enable and configure Microsoft Defender Antivirus always-on protection and monitoring](configure-real-time-protection-microsoft-defender-antivirus.md)
+Real-time protection|Configure local setting override for scanning all downloaded files and attachments|[Enable and configure Microsoft Defender Antivirus always-on protection and monitoring](configure-real-time-protection-microsoft-defender-antivirus.md)
+Real-time protection|Configure local setting override for turn on behavior monitoring|[Enable and configure Microsoft Defender Antivirus always-on protection and monitoring](configure-real-time-protection-microsoft-defender-antivirus.md)
+Real-time protection|Configure local setting override to turn on real-time protection|[Enable and configure Microsoft Defender Antivirus always-on protection and monitoring](configure-real-time-protection-microsoft-defender-antivirus.md)
+Remediation|Configure local setting override for the time of day to run a scheduled full scan to complete remediation|[Configure remediation for scans](configure-remediation-microsoft-defender-antivirus.md)
+Scan|Configure local setting override for maximum percentage of CPU utilization|[Configure and run scans](run-scan-microsoft-defender-antivirus.md)
+Scan|Configure local setting override for schedule scan day|[Configure scheduled scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md)
+Scan|Configure local setting override for scheduled quick scan time|[Configure scheduled scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md)
+Scan|Configure local setting override for scheduled scan time|[Configure scheduled scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md)
+Scan|Configure local setting override for the scan type to use for a scheduled scan|[Configure scheduled scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md)
<a id="merge-lists"></a>
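Review bot: whitespace-only change; every rewritten row keeps the same category, setting name and target link, so there is nothing to verify semantically, but two things the hunk does not show need a check. The delimiter row under the table header must have been rewritten to match the new unpadded rows (a mixed `| --- | --- |` row over `|MAPS|...|` rows renders, but is easy to break later), and the odd-looking setting names `Configure local setting override for turn on behavior monitoring` and `Configure local setting override for schedule scan day` are the Group Policy setting names verbatim, so do not "fix" their grammar in a later pass.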
security Configure Machines Asr https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-machines-asr.md
The *Attack surface management card* is an entry point to tools in Microsoft 365
* Review ASR detections and identify possible incorrect detections. * Analyze the impact of exclusions and generate the list of file paths to exclude.
-Select **Go to attack surface management** > **Reports** > **Attack surface reduction rules** > **Add exclusions**. From there, you can navigate to other sections of Microsoft 365 security center.
+Select **Go to attack surface management** \> **Reports** \> **Attack surface reduction rules** \> **Add exclusions**. From there, you can navigate to other sections of Microsoft 365 security center.
![Add exclusions tab in the Attack surface reduction rules page in Microsoft 365 security center](images/secconmgmt_asr_m365exlusions.png)<br> The ***Add exclusions** tab in the Attack surface reduction rules page in Microsoft 365 security center*
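Review bot: the caption line under the image, `The ***Add exclusions** tab in the Attack surface reduction rules page in Microsoft 365 security center*`, has unbalanced emphasis markers: `***` opens bold and italic, `**` closes only the bold, and the italic is closed by the stray `*` at the very end. It happens to render, but `*The **Add exclusions** tab in the Attack surface reduction rules page in Microsoft 365 security center*` is the intended form and is not fragile. Leave the misspelled image name `secconmgmt_asr_m365exlusions.png` alone unless the file on disk is renamed with it. The `\>` escaping in the navigation path matches the other files in this change.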
security Configure Microsoft Defender Antivirus Features https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-microsoft-defender-antivirus-features.md
Last updated 06/04/2021-+
You can configure Microsoft Defender Antivirus with a number of tools, such as:
The following broad categories of features can be configured: - Cloud-delivered protection. See [Cloud-delivered protection and Microsoft Defender Antivirus](cloud-protection-microsoft-defender-antivirus.md)
-
+ - Always-on real-time protection, including behavioral, heuristic, and machine-learning-based protection. See [Configure behavioral, heuristic, and real-time protection](configure-protection-features-microsoft-defender-antivirus.md). - How end users interact with the client on individual endpoints. See the following resources:
-
- - [Prevent users from seeing or interacting with the Microsoft Defender Antivirus user interface](prevent-end-user-interaction-microsoft-defender-antivirus.md)
-
- - [Prevent or allow users to locally modify Microsoft Defender Antivirus policy settings](configure-local-policy-overrides-microsoft-defender-antivirus.md)
+ - [Prevent users from seeing or interacting with the Microsoft Defender Antivirus user interface](prevent-end-user-interaction-microsoft-defender-antivirus.md)
+ - [Prevent or allow users to locally modify Microsoft Defender Antivirus policy settings](configure-local-policy-overrides-microsoft-defender-antivirus.md)
> [!TIP] > Review [Reference topics for management and configuration tools](configuration-management-reference-microsoft-defender-antivirus.md).
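Review bot: the indentation of the rebuilt list is inconsistent: `+ - Always-on real-time protection, including behavioral, heuristic, and machine-learning-based protection.` carries a one-space indent while its sibling top-level item `- Cloud-delivered protection.` has none, and the two nested `Prevent ...` links now sit at two spaces. CommonMark treats zero to three leading spaces as the same list level, so the rendered nesting is right, but the nesting visible in the source no longer matches it; drop the leading space on the `Always-on` item and keep the nested links indented under the `How end users interact` item only.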
security Configure Mssp Notifications https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-mssp-notifications.md
ms.technology: mde
-# Configure alert notifications that are sent to MSSPs
+# Configure alert notifications that are sent to MSSPs
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
ms.technology: mde
> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-mssp-support-abovefoldlink) -
->[!NOTE]
->This step can be done by either the MSSP customer or MSSP. MSSPs must be granted the appropriate permissions to configure this on behalf of the MSSP customer.
+> [!NOTE]
+> This step can be done by either the MSSP customer or MSSP. MSSPs must be granted the appropriate permissions to configure this on behalf of the MSSP customer.
After access the portal is granted, alert notification rules can to be created so that emails are sent to MSSPs when alerts associated with the tenant are created and set conditions are met.
-
For more information, see [Create rules for alert notifications](configure-email-notifications.md#create-rules-for-alert-notifications).
-
These check boxes must be checked:+ - **Include organization name** - The customer name will be added to email notifications - **Include tenant-specific portal link** - Alert link URL will have tenant specific parameter (tid=target_tenant_id) that allows direct access to target tenant portal - ## Related topics+ - [Grant MSSP access to the portal](grant-mssp-access.md) - [Access the MSSP customer portal](access-mssp-portal.md) - [Fetch alerts from customer tenant](fetch-alerts-mssp.md)
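Review bot: the unchanged sentence directly below the reformatted note still has a grammar error that this touch-up should pick up: `After access the portal is granted, alert notification rules can to be created so that emails are sent to MSSPs ...` should read `After access to the portal is granted, alert notification rules can be created so that emails are sent to MSSPs ...`. The `> [!NOTE]` spacing fix itself is correct and matches the other files in this change.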
security Configure Mssp Support https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-mssp-support.md
ms.technology: mde
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) > Want to experience Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-mssp-support-abovefoldlink)
-
+ [!include[Prerelease information](../../includes/prerelease.md)] You'll need to take the following configuration steps to enable the managed security service provider (MSSP) integration.
->[!NOTE]
->The following terms are used in this article to distinguish between the service provider and service consumer:
+> [!NOTE]
+> The following terms are used in this article to distinguish between the service provider and service consumer:
+>
> - MSSPs: Security organizations that offer to monitor and manage security devices for an organization. > - MSSP customers: Organizations that engage the services of MSSPs. The integration will allow MSSPs to take the following actions: - Get access to MSSP customer's Microsoft 365 Defender portal-- Get email notifications, and
+- Get email notifications, and
- Fetch alerts through security information and event management (SIEM) tools
-Before MSSPs can take these actions, the MSSP customer will need to grant access to their Defender for Endpoint tenant so that the MSSP can access the portal.
-
+Before MSSPs can take these actions, the MSSP customer will need to grant access to their Defender for Endpoint tenant so that the MSSP can access the portal.
Typically, MSSP customers take the initial configuration steps to grant MSSPs access to their Windows Defender Security Central tenant. After access is granted, other configuration steps can be done by either the MSSP customer or the MSSP. - In general, the following configuration steps need to be taken:
+- **Grant the MSSP access to Microsoft 365 Defender**
-- **Grant the MSSP access to Microsoft 365 Defender** <br>
-This action needs to be done by the MSSP customer. It grants the MSSP access to the MSSP customer's Defender for Endpoint tenant.
-
+ This action needs to be done by the MSSP customer. It grants the MSSP access to the MSSP customer's Defender for Endpoint tenant.
-- **Configure alert notifications sent to MSSPs** <br>
-This action can be taken by either the MSSP customer or MSSP. This lets the MSSPs know what alerts they need to address for the MSSP customer.
+- **Configure alert notifications sent to MSSPs**
-- **Fetch alerts from MSSP customer's tenant into SIEM system** <br>
-This action is taken by the MSSP. It allows MSSPs to fetch alerts in SIEM tools.
+ This action can be taken by either the MSSP customer or MSSP. This lets the MSSPs know what alerts they need to address for the MSSP customer.
-- **Fetch alerts from MSSP customer's tenant using APIs** <br>
-This action is taken by the MSSP. It allows MSSPs to fetch alerts using APIs.
+- **Fetch alerts from MSSP customer's tenant into SIEM system**
-## Multi-tenant access for MSSPs
-For information on how to implement a multi-tenant delegated access, see [Multi-tenant access for Managed Security Service Providers](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/multi-tenant-access-for-managed-security-service-providers/ba-p/1533440).
+ This action is taken by the MSSP. It allows MSSPs to fetch alerts in SIEM tools.
+
+- **Fetch alerts from MSSP customer's tenant using APIs**
+ This action is taken by the MSSP. It allows MSSPs to fetch alerts using APIs.
+## Multi-tenant access for MSSPs
+
+For information on how to implement a multi-tenant delegated access, see [Multi-tenant access for Managed Security Service Providers](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/multi-tenant-access-for-managed-security-service-providers/ba-p/1533440).
## Related topics+ - [Grant MSSP access to the portal](grant-mssp-access.md) - [Access the MSSP customer portal](access-mssp-portal.md) - [Configure alert notifications](configure-mssp-notifications.md) - [Fetch alerts from customer tenant](fetch-alerts-mssp.md)-
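Review bot: the unchanged line right after the rebuilt list still says `grant MSSPs access to their Windows Defender Security Central tenant`: `Security Central` is a typo for `Security Center`, and the rest of this article, including the new bullet `**Grant the MSSP access to Microsoft 365 Defender**`, uses the current product name, so change it to `Microsoft 365 Defender tenant` while these lines are being rewritten. In the moved `## Multi-tenant access for MSSPs` section, `how to implement a multi-tenant delegated access` should be `how to implement multi-tenant delegated access`. The list restructuring itself (bold title on one line, description indented beneath it) is an improvement and keeps the four actions and their owners unchanged.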
security Configure Network Connections Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-network-connections-microsoft-defender-antivirus.md
Last updated 06/17/2021-+
See the blog post [Important changes to Microsoft Active Protection Services end
## Allow connections to the Microsoft Defender Antivirus cloud service
-The Microsoft Defender Antivirus cloud service provides fast, strong protection for your endpoints. Enabling the cloud-delivered protection service is optional, however it's highly recommended because it provides important protection against malware on your endpoints and across your network. See [Enable cloud-delivered protection](enable-cloud-protection-microsoft-defender-antivirus.md) for details on enabling the service with Intune, Microsoft Endpoint Configuration Manager, Group Policy, PowerShell cmdlets, or on individual clients in the Windows Security app.
+The Microsoft Defender Antivirus cloud service provides fast, strong protection for your endpoints. Enabling the cloud-delivered protection service is optional, however it's highly recommended because it provides important protection against malware on your endpoints and across your network. See [Enable cloud-delivered protection](enable-cloud-protection-microsoft-defender-antivirus.md) for details on enabling the service with Intune, Microsoft Endpoint Configuration Manager, Group Policy, PowerShell cmdlets, or on individual clients in the Windows Security app.
After you've enabled the service, you might need to configure your network or firewall to allow connections between it and your endpoints. Because your protection is a cloud service, computers must have access to the internet and reach the Microsoft Defender for Office 365 machine learning services. Don't exclude the URL `*.blob.core.windows.net` from any kind of network inspection.
After you've enabled the service, you might need to configure your network or fi
## Services and URLs
-The table in this section lists the services and their associated website addresses (URLs).
+The table in this section lists the services and their associated website addresses (URLs).
Make sure that there are no firewall or network filtering rules denying access to these URLs. Otherwise, you might need to create an allow rule specifically for them (excluding the URL `*.blob.core.windows.net`). The URLs in the following table use port 443 for communication.
-| Service and description | URL |
-|-|- |
-| Microsoft Defender Antivirus cloud-delivered protection service, also referred to as Microsoft Active Protection Service (MAPS)<p>This service is used by Microsoft Defender Antivirus to provide cloud-delivered protection|`*.wdcp.microsoft.com` <p> `*.wdcpalt.microsoft.com` <p> `*.wd.microsoft.com`|
-| Microsoft Update Service (MU) and Windows Update Service (WU) <p>These services allow for security intelligence and product updates |`*.update.microsoft.com` <p> `*.delivery.mp.microsoft.com`<p> `*.windowsupdate.com` <p> For more details, see [Connection endpoints for Windows Update](/windows/privacy/manage-windows-1709-endpoints#windows-update)|
-|Security intelligence updates Alternate Download Location (ADL)<p>This is an alternate location for Microsoft Defender Antivirus Security intelligence updates if the installed Security intelligence is out of date (7 or more days behind)| `*.download.microsoft.com` <p> `*.download.windowsupdate.com`<p> `go.microsoft.com`<p> `https://fe3cr.delivery.mp.microsoft.com/ClientWebService/client.asmx`|
-| Malware submission storage <p>This is the upload location for files submitted to Microsoft via the Submission form or automatic sample submission | `ussus1eastprod.blob.core.windows.net` <p> `ussus2eastprod.blob.core.windows.net` <p> `ussus3eastprod.blob.core.windows.net` <p> `ussus4eastprod.blob.core.windows.net` <p> `wsus1eastprod.blob.core.windows.net` <p> `wsus2eastprod.blob.core.windows.net` <p> `ussus1westprod.blob.core.windows.net` <p> `ussus2westprod.blob.core.windows.net` <p> `ussus3westprod.blob.core.windows.net` <p> `ussus4westprod.blob.core.windows.net` <p> `wsus1westprod.blob.core.windows.net` <p> `wsus2westprod.blob.core.windows.net` <p> `usseu1northprod.blob.core.windows.net` <p> `wseu1northprod.blob.core.windows.net` <p> `usseu1westprod.blob.core.windows.net` <p> `wseu1westprod.blob.core.windows.net` <p> `ussuk1southprod.blob.core.windows.net` <p> `wsuk1southprod.blob.core.windows.net` <p> `ussuk1westprod.blob.core.windows.net` <p> `wsuk1westprod.blob.core.windows.net` |
-| Certificate Revocation List (CRL) <p>This list is used by Windows when creating the SSL connection to MAPS for updating the CRL | `http://www.microsoft.com/pkiops/crl/` <p> `http://www.microsoft.com/pkiops/certs` <p> `http://crl.microsoft.com/pki/crl/products` <p> `http://www.microsoft.com/pki/certs` |
-| Symbol Store <p>The symbol store is used by Microsoft Defender Antivirus to restore certain critical files during remediation flows | `https://msdl.microsoft.com/download/symbols` |
-| Universal Telemetry Client <p>This client is used by Windows to send client diagnostic data<p> Microsoft Defender Antivirus uses telemetry for product quality monitoring purposes | The update uses SSL (TCP Port 443) to download manifests and upload diagnostic data to Microsoft that uses the following DNS endpoints: <p> `vortex-win.data.microsoft.com` <p> `settings-win.data.microsoft.com`|
+<br>
+
+****
+
+|Service and description|URL|
+|||
+|Microsoft Defender Antivirus cloud-delivered protection service, also referred to as Microsoft Active Protection Service (MAPS)<p>This service is used by Microsoft Defender Antivirus to provide cloud-delivered protection|`*.wdcp.microsoft.com` <p> `*.wdcpalt.microsoft.com` <p> `*.wd.microsoft.com`|
+|Microsoft Update Service (MU) and Windows Update Service (WU) <p>These services allow for security intelligence and product updates|`*.update.microsoft.com` <p> `*.delivery.mp.microsoft.com`<p> `*.windowsupdate.com` <p> For more details, see [Connection endpoints for Windows Update](/windows/privacy/manage-windows-1709-endpoints#windows-update)|
+|Security intelligence updates Alternate Download Location (ADL)<p>This is an alternate location for Microsoft Defender Antivirus Security intelligence updates if the installed Security intelligence is out of date (7 or more days behind)|`*.download.microsoft.com` <p> `*.download.windowsupdate.com`<p> `go.microsoft.com`<p> `https://fe3cr.delivery.mp.microsoft.com/ClientWebService/client.asmx`|
+|Malware submission storage <p>This is the upload location for files submitted to Microsoft via the Submission form or automatic sample submission|`ussus1eastprod.blob.core.windows.net` <p> `ussus2eastprod.blob.core.windows.net` <p> `ussus3eastprod.blob.core.windows.net` <p> `ussus4eastprod.blob.core.windows.net` <p> `wsus1eastprod.blob.core.windows.net` <p> `wsus2eastprod.blob.core.windows.net` <p> `ussus1westprod.blob.core.windows.net` <p> `ussus2westprod.blob.core.windows.net` <p> `ussus3westprod.blob.core.windows.net` <p> `ussus4westprod.blob.core.windows.net` <p> `wsus1westprod.blob.core.windows.net` <p> `wsus2westprod.blob.core.windows.net` <p> `usseu1northprod.blob.core.windows.net` <p> `wseu1northprod.blob.core.windows.net` <p> `usseu1westprod.blob.core.windows.net` <p> `wseu1westprod.blob.core.windows.net` <p> `ussuk1southprod.blob.core.windows.net` <p> `wsuk1southprod.blob.core.windows.net` <p> `ussuk1westprod.blob.core.windows.net` <p> `wsuk1westprod.blob.core.windows.net`|
+|Certificate Revocation List (CRL) <p>This list is used by Windows when creating the SSL connection to MAPS for updating the CRL|`http://www.microsoft.com/pkiops/crl/` <p> `http://www.microsoft.com/pkiops/certs` <p> `http://crl.microsoft.com/pki/crl/products` <p> `http://www.microsoft.com/pki/certs`|
+|Symbol Store <p>The symbol store is used by Microsoft Defender Antivirus to restore certain critical files during remediation flows|`https://msdl.microsoft.com/download/symbols`|
+|Universal Telemetry Client <p> This client is used by Windows to send client diagnostic data <p> Microsoft Defender Antivirus uses telemetry for product quality monitoring purposes|The update uses SSL (TCP Port 443) to download manifests and upload diagnostic data to Microsoft that uses the following DNS endpoints: <p> `vortex-win.data.microsoft.com` <p> `settings-win.data.microsoft.com`|
## Validate connections between your network and the cloud
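Review bot: the sentence above the table, `The URLs in the following table use port 443 for communication.`, is contradicted by the `Certificate Revocation List (CRL)` row, whose endpoints are all plain `http://` (`http://www.microsoft.com/pkiops/crl/`, `http://crl.microsoft.com/pki/crl/products`, ...). CRL and AIA fetches are served over HTTP on port 80 by design so that revocation checking does not itself depend on a TLS handshake; an allow list built from this table with only 443 open will block them and leave the revocation checks for the MAPS TLS connection, which is exactly what that row exists to support, unable to refresh the CRL. State that the CRL row needs TCP 80 and keep those URLs as HTTP rather than "upgrading" them. Two smaller points on the rewritten table: the delimiter row changed from `|-|- |` to `|||`, which contains no hyphens and is not a table in GFM (GitHub's preview shows it as plain text), so `|---|---|` is the safer choice if the docs build accepts both; and `The update uses SSL (TCP Port 443) to download manifests` in the Universal Telemetry Client row should read `The client uses TLS (TCP port 443) ...`. Separately, `reach the Microsoft Defender for Office 365 machine learning services` in the paragraph above names a different product from the one this article covers (Microsoft Defender Antivirus / Defender for Endpoint); confirm that is intended.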
security Configure Notifications Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-notifications-microsoft-defender-antivirus.md
If you're part of your organization's security team, you can configure how notif
You can configure the display of additional notifications, such as recent threat detection summaries, in the [Windows Security app](microsoft-defender-security-center-antivirus.md) and with Group Policy. > [!NOTE]
-> In Windows 10, version 1607 the feature was called **Enhanced notifications** and was configured under **Windows Settings** > **Update & security** > **Windows Defender**. In Group Policy settings for all versions of Windows 10, the notification feature is called **Enhanced notifications**.
+> In Windows 10, version 1607 the feature was called **Enhanced notifications** and was configured under **Windows Settings** \> **Update & security** \> **Windows Defender**. In Group Policy settings for all versions of Windows 10, the notification feature is called **Enhanced notifications**.
### Use Group Policy to disable additional notifications
You can configure the display of additional notifications, such as recent threat
4. Select **Administrative templates**.
-5. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > Reporting**.
+5. Expand the tree to **Windows components** \> **Microsoft Defender Antivirus** > Reporting**.
6. Double-click **Turn off enhanced notifications**, and set the option to **Enabled**. Then select **OK**. This will prevent additional notifications from appearing.
To add custom contact information to endpoint notifications, see [Customize the
3. In the **Group Policy Management Editor** go to **Computer configuration** and then select **Administrative templates**.
-4. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Client interface**.
+4. Expand the tree to **Windows components** \> **Microsoft Defender Antivirus** \> **Client interface**.
5. Double-click **Suppress all notifications** and set the option to **Enabled**.
To add custom contact information to endpoint notifications, see [Customize the
3. Click **Administrative templates**.
-4. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Client interface**.
+4. Expand the tree to **Windows components** \> **Microsoft Defender Antivirus** \> **Client interface**.
5. Double-click **Suppresses reboot notifications** and set the option to **Enabled**.
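Review bot: step 5 of the first Group Policy procedure is still malformed after the escape change: `+5. Expand the tree to **Windows components** \> **Microsoft Defender Antivirus** > Reporting**.` leaves the last `>` unescaped and is missing the opening `**` before `Reporting`, so the bold is unbalanced (the original line had the same defect and this hunk copied it). Make it match the two later steps: `**Windows components** \> **Microsoft Defender Antivirus** \> **Reporting**`. Also `Suppresses reboot notifications` in the last procedure should be checked against the actual policy name in the ADMX, which the other step (`Suppress all notifications`) suggests is `Suppress reboot notifications`.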
security Configure Process Opened File Exclusions Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md
-+
You can exclude files that have been opened by specific processes from Microsoft Defender Antivirus scans. See [Recommendations for defining exclusions](configure-exclusions-microsoft-defender-antivirus.md#recommendations-for-defining-exclusions) before defining your exclusion lists.
-This article describes how to configure exclusion lists.
+This article describes how to configure exclusion lists.
## Examples of exclusions
-|Exclusion | Example |
-|||
-|Any file on the machine that is opened by any process with a specific file name | Specifying `test.exe` would exclude files opened by: <br/>`c:\sample\test.exe`<br/>`d:\internal\files\test.exe` |
-|Any file on the machine that is opened by any process under a specific folder | Specifying `c:\test\sample\*` would exclude files opened by:<br/>`c:\test\sample\test.exe`<br/>`c:\test\sample\test2.exe`<br/>`c:\test\sample\utility.exe` |
-|Any file on the machine that is opened by a specific process in a specific folder | Specifying `c:\test\process.exe` would exclude files only opened by `c:\test\process.exe` |
+<br>
+
+****
+|Exclusion|Example|
+|||
+|Any file on the machine that is opened by any process with a specific file name|Specifying `test.exe` would exclude files opened by: <p>`c:\sample\test.exe` <p> `d:\internal\files\test.exe`|
+|Any file on the machine that is opened by any process under a specific folder|Specifying `c:\test\sample\*` would exclude files opened by: <p> `c:\test\sample\test.exe` <p> `c:\test\sample\test2.exe` <p> `c:\test\sample\utility.exe`|
+|Any file on the machine that is opened by a specific process in a specific folder|Specifying `c:\test\process.exe` would exclude files only opened by `c:\test\process.exe`|
+|
When you add a process to the process exclusion list, Microsoft Defender Antivirus won't scan files opened by that process, no matter where the files are located. The process itself, however, will be scanned unless it has also been added to the [file exclusion list](configure-extension-file-exclusions-microsoft-defender-antivirus.md).
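Review bot: the examples table should carry the security caveat its first row implies. An exclusion given as a bare file name (`Specifying `test.exe` would exclude files opened by: c:\sample\test.exe, d:\internal\files\test.exe`) matches any process with that name from any path, so anything an attacker can get to run as `test.exe` has its file activity excluded from scanning; recommend full paths, as in the third row (`c:\test\process.exe`), and say so next to the table alongside the existing sentence that the process itself is still scanned. On formatting: the hunk inserts `<br>` and `****` above the table (`****` is a thematic break in CommonMark, so this draws a rule above every table touched by this change) and a lone `+|` line after the last row, which some table parsers read as an extra empty row. If those are the repo's deliberate table conventions this is fine; otherwise drop them.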
See [How to create and deploy antimalware policies: Exclusion settings](/configm
2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
-3. Expand the tree to **Windows components > Microsoft Defender Antivirus > Exclusions**.
+3. Expand the tree to **Windows components \> Microsoft Defender Antivirus \> Exclusions**.
4. Double-click **Process Exclusions** and add the exclusions:- 1. Set the option to **Enabled**. 2. Under the **Options** section, click **Show...**.
- 3. Enter each process on its own line under the **Value name** column. See the example table for the different types of process exclusions. Enter **0** in the **Value** column for all processes.
+ 3. Enter each process on its own line under the **Value name** column. See the example table for the different types of process exclusions. Enter **0** in the **Value** column for all processes.
5. Click **OK**.
The format for the cmdlets is:
<cmdlet> -ExclusionProcess "<item>" ```
-The following are allowed as the \<cmdlet>:
+The following are allowed as the \<cmdlet\>:
+
+<br>
-|Configuration action | PowerShell cmdlet |
+****
+
+|Configuration action|PowerShell cmdlet|
|||
-|Create or overwrite the list | `Set-MpPreference` |
-|Add to the list | `Add-MpPreference` |
-|Remove items from the list | `Remove-MpPreference` |
+|Create or overwrite the list|`Set-MpPreference`|
+|Add to the list|`Add-MpPreference`|
+|Remove items from the list|`Remove-MpPreference`|
+|
->[!IMPORTANT]
->If you have created a list, either with `Set-MpPreference` or `Add-MpPreference`, using the `Set-MpPreference` cmdlet again will overwrite the existing list.
+> [!IMPORTANT]
+> If you have created a list, either with `Set-MpPreference` or `Add-MpPreference`, using the `Set-MpPreference` cmdlet again will overwrite the existing list.
For example, the following code snippet would cause Microsoft Defender AV scans to exclude any file that is opened by the specified process:
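Review bot: the `\<cmdlet\>` escape fix is correct (the old `\<cmdlet>` left the closing bracket unescaped). While the IMPORTANT note is being reformatted, it is worth making its consequence explicit: because `Set-MpPreference` replaces the whole `-ExclusionProcess` list, any script or runbook that is meant to add one process must use `Add-MpPreference`, and after either cmdlet the resulting list should be read back with `Get-MpPreference`, which is the cmdlet the `Review the list of exclusions` section below already points to. That turns the note from a warning into an actionable check.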
In particular, you cannot use the question mark (`?`) wildcard, and the asterisk
The following table describes how the wildcards can be used in the process exclusion list:
-|Wildcard | Example use | Example matches |
-|:|:|:|
-|`*` (asterisk) <br/><br/> Replaces any number of characters | `C:\MyData\*` | Any file opened by `C:\MyData\file.exe` |
-|Environment variables <br/><br/> The defined variable is populated as a path when the exclusion is evaluated | `%ALLUSERSPROFILE%\CustomLogFiles\file.exe` | Any file opened by `C:\ProgramData\CustomLogFiles\file.exe` |
+<br>
+
+****
+
+|Wildcard|Example use|Example matches|
+||||
+|`*` (asterisk) <p> Replaces any number of characters|`C:\MyData\*`|Any file opened by `C:\MyData\file.exe`|
+|Environment variables <p> The defined variable is populated as a path when the exclusion is evaluated|`%ALLUSERSPROFILE%\CustomLogFiles\file.exe`|Any file opened by `C:\ProgramData\CustomLogFiles\file.exe`|
+|
## Review the list of exclusions
MpCmdRun.exe -CheckExclusion -path <path>
> [!NOTE] > Checking exclusions with MpCmdRun requires Microsoft Defender Antivirus CAMP version 4.18.1812.3 (released in December 2018) or later. - ### Review the list of exclusions alongside all other Microsoft Defender Antivirus preferences by using PowerShell Use the following cmdlet:
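Review bot: the rewritten delimiter row `||||` drops the left-alignment colons of the original `|:|:|:|`. Harmless for a three-column text table, but it is again a hyphen-less delimiter that only a lenient renderer treats as a table; `|---|---|---|` is portable and equally short. The two example rows are unchanged in content, which is right: the `*` example and the `%ALLUSERSPROFILE%` expansion both agree with the paragraph above that `?` is not allowed in the process exclusion list.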
security Configure Protection Features Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-protection-features-microsoft-defender-antivirus.md
-+
See [Use next-gen Microsoft Defender Antivirus technologies through cloud-delive
## In this section
- Topic | Description
+ Topic|Description
|
-[Detect and block potentially unwanted applications](detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md) | Detect and block apps that may be unwanted in your network, such as adware, browser modifiers and toolbars, and rogue or fake antivirus apps
-[Enable and configure Microsoft Defender Antivirus protection capabilities](configure-real-time-protection-microsoft-defender-antivirus.md) | Enable and configure real-time protection, heuristics, and other always-on Microsoft Defender Antivirus monitoring features
+[Detect and block potentially unwanted applications](detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md)|Detect and block apps that may be unwanted in your network, such as adware, browser modifiers and toolbars, and rogue or fake antivirus apps
+[Enable and configure Microsoft Defender Antivirus protection capabilities](configure-real-time-protection-microsoft-defender-antivirus.md)|Enable and configure real-time protection, heuristics, and other always-on Microsoft Defender Antivirus monitoring features
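Review bot: this table is not well-formed even after the edit. The header row ` Topic|Description` has a leading space and no outer pipes, and the unchanged delimiter row beneath it is a lone `|` with no hyphens, so the table depends entirely on a lenient renderer. Since the header row and both link rows are in the hunk, make the header `|Topic|Description|`, the delimiter `|---|---|`, and give the two `[Detect and block ...]` and `[Enable and configure ...]` rows leading and trailing pipes.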
security Configure Real Time Protection Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-real-time-protection-microsoft-defender-antivirus.md
You can use **Local Group Policy Editor** to enable and configure Microsoft Defe
To enable and configure always-on protection:
-1. Open **Local Group Policy Editor**, as follows:
+1. Open **Local Group Policy Editor**, as follows:
1. In your Windows 10 taskbar search box, type **gpedit**.
-
+ 2. Under **Best match**, select **Edit group policy** to launch **Local Group Policy Editor**.
-
+ ![GPEdit taskbar search result](images/gpedit-search.png)
-2. In the left pane of **Local Group Policy Editor**, expand the tree to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus**.
+2. In the left pane of **Local Group Policy Editor**, expand the tree to **Computer Configuration** \> **Administrative Templates** \> **Windows Components** \> **Microsoft Defender Antivirus**.
+
+3. Configure the Microsoft Defender Antivirus antimalware service policy settings, as follows:
+
+ 1. In the **Microsoft Defender Antivirus** details pane on right, double-click the policy setting as specified in the following table:
-3. Configure the Microsoft Defender Antivirus antimalware service policy settings, as follows:
+ <br>
- 1. In the **Microsoft Defender Antivirus** details pane on right, double-click the policy setting as specified in the following table:
+ ****
- | Setting | Default setting |
- |--||
- | Allow antimalware service to start up with normal priority <br/><br/> You can lower the priority of the Microsoft Defender Antivirus engine. Lowering the priority might be useful in cases where you want to have as lean a startup process as possible; however, taking this action could affect endpoint protection. Proceed with caution. | Enabled
- | Allow antimalware service to remain running always <br/><br/> If protection updates have been disabled, you can set Microsoft Defender Antivirus to still run. Disabling protection updates reduces endpoint protection. | Disabled |
-
- 2. Configure the setting as appropriate, and select **OK**.
-
- 3. Repeat the previous steps for each setting in the table.
+ |Setting|Default setting|
+ |||
+ |Allow antimalware service to start up with normal priority <p> You can lower the priority of the Microsoft Defender Antivirus engine. Lowering the priority might be useful in cases where you want to have as lean a startup process as possible; however, taking this action could affect endpoint protection. Proceed with caution.|Enabled
+ |Allow antimalware service to remain running always <p> If protection updates have been disabled, you can set Microsoft Defender Antivirus to still run. Disabling protection updates reduces endpoint protection.|Disabled|
+ |
+
+ 2. Configure the setting as appropriate, and select **OK**.
+
+ 3. Repeat the previous steps for each setting in the table.
4. Configure the Microsoft Defender Antivirus real-time protection policy settings, as follows: 1. In the **Microsoft Defender Antivirus** details pane, double-click **Real-time Protection**. Or, from the **Microsoft Defender Antivirus** tree on left pane, select **Real-time Protection**.
-
- 2. In the **Real-time Protection** details pane on right, double-click the policy setting as specified in [Real-time protection policy settings](#real-time-protection-policy-settings) (later in this article).
+
+ 2. In the **Real-time Protection** details pane on right, double-click the policy setting as specified in [Real-time protection policy settings](#real-time-protection-policy-settings) (later in this article).
3. Configure the setting as appropriate, and select **OK**.
-
+ 4. Repeat the previous steps for each setting in the table.
-5. Configure the Microsoft Defender Antivirus scanning policy setting, as follows:
+5. Configure the Microsoft Defender Antivirus scanning policy setting, as follows:
- 1. From the **Microsoft Defender Antivirus** tree on left pane, select **Scan**.
-
- ![Microsoft Defender Antivirus Scan options](images/gpedit-windows-defender-antivirus-scan.png)
+ 1. From the **Microsoft Defender Antivirus** tree on left pane, select **Scan**.
- 2. In the **Scan** details pane on right, double-click the policy setting as specified in the following table:
+ ![Microsoft Defender Antivirus Scan options](images/gpedit-windows-defender-antivirus-scan.png)
- | Setting | Default setting |
- |||
- | Turn on heuristics <br/><br/> Heuristic protection will disable or block suspicious activity immediately before the Microsoft Defender Antivirus engine is asked to detect the activity. | Enabled |
+ 2. In the **Scan** details pane on right, double-click the policy setting as specified in the following table:
++
+ <br>
+
+ ****
+
+ |Setting|Default setting|
+ |||
+ |Turn on heuristics <p> Heuristic protection will disable or block suspicious activity immediately before the Microsoft Defender Antivirus engine is asked to detect the activity.|Enabled|
+ |
+
+ 3. Configure the setting as appropriate, and select **OK**.
- 3. Configure the setting as appropriate, and select **OK**.
-
6. Close **Local Group Policy Editor**. ### Real-time protection policy settings
-| Setting | Default setting |
-|||
-| Turn on behavior monitoring <br/><br/> The antivirus engine will monitor file processes, file and registry changes, and other events on your endpoints for suspicious and known malicious activity. | Enabled |
-| Scan all downloaded files and attachments <br/><br/> Downloaded files and attachments are automatically scanned. This scan operates in addition to the Windows Defender SmartScreen filter, which scans files before and during downloading. | Enabled |
-| Monitor file and program activity on your computer <br/><br/> The Microsoft Defender Antivirus engine makes note of any file changes (file writes, such as moves, copies, or modifications) and general program activity (programs that are opened or running and that cause other programs to run). | Enabled |
-| Turn on raw volume write notifications <br/><br/> Information about raw volume writes will be analyzed by behavior monitoring. | Enabled |
-| Turn on process scanning whenever real-time protection is enabled <br/><br/> You can independently enable the Microsoft Defender Antivirus engine to scan running processes for suspicious modifications or behaviors. This is useful if you have temporarily disabled real-time protection and want to automatically scan processes that started while it was disabled. | Enabled |
-| Define the maximum size of downloaded files and attachments to be scanned <br/><br/> You can define the size in kilobytes. | Enabled |
-| Configure local setting override for turn on behavior monitoring <br/><br/> Configure a local override for the configuration of behavior monitoring. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Group Policy. If you disable or do not configure this setting, Group Policy will take priority over the local preference setting.| Enabled |
-| Configure local setting override for scanning all downloaded files and attachments <br/><br/> Configure a local override for the configuration of scanning for all downloaded files and attachments. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Group Policy. If you disable or do not configure this setting, Group Policy will take priority over the local preference setting.| Enabled |
-| Configure local setting override for monitoring file and program activity on your computer <br/><br/> Configure a local override for the configuration of monitoring for file and program activity on your computer. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Group Policy. If you disable or do not configure this setting, Group Policy will take priority over the local preference setting.| Enabled |
-| Configure local setting override to turn on real-time protection <br/><br/> Configure a local override for the configuration to turn on real-time protection. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Group Policy. If you disable or do not configure this setting, Group Policy will take priority over the local preference setting.| Enabled |
-| Configure local setting override for monitoring for incoming and outgoing file activity <br/><br/> Configure a local override for the configuration of monitoring for incoming and outgoing file activity. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Group Policy. If you disable or do not configure this setting, Group Policy will take priority over the local preference setting. | Enabled |
-| Configure monitoring for incoming and outgoing file and program activity <br/><br/> Specify whether monitoring should occur on incoming, outgoing, both, or neither direction. This action is relevant for Windows Server installations where you have defined specific servers or Server Roles that see large amounts of file changes in only one direction and you want to improve network performance. Fully updated endpoints (and servers) on a network will see little performance impact irrespective of the number or direction of file changes. | Enabled (both directions) |
+<br>
+
+****
+
+|Setting|Default setting|
+|||
+|Turn on behavior monitoring <p> The antivirus engine will monitor file processes, file and registry changes, and other events on your endpoints for suspicious and known malicious activity.|Enabled|
+|Scan all downloaded files and attachments <p> Downloaded files and attachments are automatically scanned. This scan operates in addition to the Windows Defender SmartScreen filter, which scans files before and during downloading.|Enabled|
+|Monitor file and program activity on your computer <p> The Microsoft Defender Antivirus engine makes note of any file changes (file writes, such as moves, copies, or modifications) and general program activity (programs that are opened or running and that cause other programs to run).|Enabled|
+|Turn on raw volume write notifications <p> Information about raw volume writes will be analyzed by behavior monitoring.|Enabled|
+|Turn on process scanning whenever real-time protection is enabled <p> You can independently enable the Microsoft Defender Antivirus engine to scan running processes for suspicious modifications or behaviors. This is useful if you have temporarily disabled real-time protection and want to automatically scan processes that started while it was disabled.|Enabled|
+|Define the maximum size of downloaded files and attachments to be scanned <p> You can define the size in kilobytes.|Enabled|
+|Configure local setting override for turn on behavior monitoring <p> Configure a local override for the configuration of behavior monitoring. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Group Policy. If you disable or do not configure this setting, Group Policy will take priority over the local preference setting.|Enabled|
+|Configure local setting override for scanning all downloaded files and attachments <p> Configure a local override for the configuration of scanning for all downloaded files and attachments. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Group Policy. If you disable or do not configure this setting, Group Policy will take priority over the local preference setting.|Enabled|
+|Configure local setting override for monitoring file and program activity on your computer <p> Configure a local override for the configuration of monitoring for file and program activity on your computer. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Group Policy. If you disable or do not configure this setting, Group Policy will take priority over the local preference setting.|Enabled|
+|Configure local setting override to turn on real-time protection <p> Configure a local override for the configuration to turn on real-time protection. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Group Policy. If you disable or do not configure this setting, Group Policy will take priority over the local preference setting.|Enabled|
+|Configure local setting override for monitoring for incoming and outgoing file activity <p> Configure a local override for the configuration of monitoring for incoming and outgoing file activity. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Group Policy. If you disable or do not configure this setting, Group Policy will take priority over the local preference setting.|Enabled|
+|Configure monitoring for incoming and outgoing file and program activity <p> Specify whether monitoring should occur on incoming, outgoing, both, or neither direction. This action is relevant for Windows Server installations where you have defined specific servers or Server Roles that see large amounts of file changes in only one direction and you want to improve network performance. Fully updated endpoints (and servers) on a network will see little performance impact irrespective of the number or direction of file changes.|Enabled (both directions)|
+|
## Disable real-time protection in Group Policy
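Review bot: In the rewritten "Allow antimalware service to start up with normal priority" row (first data row of the first new table) the closing `|` is still missing while the row below it ends with `|`; close it as `...Proceed with caution.|Enabled|` so every row has the same cell count. The same applies to all three tables in this hunk: the line holding only `|` after the last data row (after the "remain running always", "Turn on heuristics" and "Configure monitoring for incoming and outgoing" rows) is a stray empty row and should be dropped, and the delimiter rows appear here as `|||` with no dashes, so confirm the committed file has `|---|---|`. Separately, the new step `4. Repeat the previous steps for each setting in the table.` in the real-time protection procedure points at a table that lives in the later "Real-time protection policy settings" section; "each setting in the Real-time protection policy settings table" removes the ambiguity.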
The main real-time protection capability is enabled by default, but you can disa
1. Open **Local Group Policy Editor**. 1. In your Windows 10 taskbar search box, type **gpedit**.
-
2. Under **Best match**, select **Edit group policy** to launch **Local Group Policy Editor**.
-2. In the left pane of **Local Group Policy Editor**, expand the tree to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Real-time Protection**.
+2. In the left pane of **Local Group Policy Editor**, expand the tree to **Computer Configuration** \> **Administrative Templates** \> **Windows Components** \> **Microsoft Defender Antivirus** \> **Real-time Protection**.
3. In the **Real-time Protection** details pane on right, double-click **Turn off real-time protection**.
The main real-time protection capability is enabled by default, but you can disa
4. In the **Turn off real-time protection** setting window, set the option to **Enabled**. ![Turn off real-time protection enabled](images/gpedit-turn-off-real-time-protection-enabled.png)
-
+ 5. select **OK**. 6. Close **Local Group Policy Editor**.
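Review bot: The added step `5. select **OK**.` starts with a lower-case verb while every other step in this procedure is capitalised; make it `5. Select **OK**.`. Steps 5 and 6 are also run onto one line as shown here, so check that the committed file keeps each numbered step on its own line.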
security Configure Remediation Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-remediation-microsoft-defender-antivirus.md
Last updated 03/16/2021-+
When Microsoft Defender Antivirus runs a scan, it attempts to remediate or remove threats that are detected. You can configure how Microsoft Defender Antivirus should address certain threats, whether a restore point should be created before remediating, and when threats should be removed.
-This article describes how to configure these settings by using Group Policy, but you can also use [Microsoft Endpoint Configuration Manager](/configmgr/protect/deploy-use/endpoint-antimalware-policies#threat-overrides-settings) and [Microsoft Intune](/intune/device-restrictions-configure).
+This article describes how to configure these settings by using Group Policy, but you can also use [Microsoft Endpoint Configuration Manager](/configmgr/protect/deploy-use/endpoint-antimalware-policies#threat-overrides-settings) and [Microsoft Intune](/intune/device-restrictions-configure).
You can also use the [`Set-MpPreference` PowerShell cmdlet](/powershell/module/defender/set-mppreference) or [`MSFT_MpPreference` WMI class](/previous-versions/windows/desktop/defender/windows-defender-wmiv2-apis-portal) to configure these settings.
You can also use the [`Set-MpPreference` PowerShell cmdlet](/powershell/module/d
2. In the **Group Policy Management Editor** go to **Computer configuration** and select **Administrative templates**.
-3. Expand the tree to **Windows components** > **Microsoft Defender Antivirus**.
+3. Expand the tree to **Windows components** \> **Microsoft Defender Antivirus**.
-4. Using the table below, select a location, and then edit the policy as needed.
+4. Using the table below, select a location, and then edit the policy as needed.
5. Select **OK**.
-|Location | Setting | Description | Default setting (if not configured) |
-|:|:|:|:|
-|Scan | Create a system restore point | A system restore point will be created each day before cleaning or scanning is attempted | Disabled|
-|Scan | Turn on removal of items from scan history folder | Specify how many days items should be kept in the scan history | 30 days |
-|Root | Turn off routine remediation | You can specify whether Microsoft Defender Antivirus automatically remediates threats, or if it should ask the endpoint user what to do. | Disabled (threats are remediated automatically) |
-|Quarantine | Configure removal of items from Quarantine folder | Specify how many days items should be kept in quarantine before being removed | 90 days |
-|Threats | Specify threat alert levels at which default action should not be taken when detected | Every threat that is detected by Microsoft Defender Antivirus is assigned a threat level (low, medium, high, or severe). You can use this setting to define how all threats for each of the threat levels should be remediated (quarantined, removed, or ignored) | Not applicable |
-|Threats | Specify threats upon which default action should not be taken when detected | Specify how specific threats (using their threat ID) should be remediated. You can specify whether the specific threat should be quarantined, removed, or ignored | Not applicable |
+<br>
+
+****
+
+|Location|Setting|Description|Default setting (if not configured)|
+|||||
+|Scan|Create a system restore point|A system restore point will be created each day before cleaning or scanning is attempted|Disabled|
+|Scan|Turn on removal of items from scan history folder|Specify how many days items should be kept in the scan history|30 days|
+|Root|Turn off routine remediation|You can specify whether Microsoft Defender Antivirus automatically remediates threats, or if it should ask the endpoint user what to do.|Disabled (threats are remediated automatically)|
+|Quarantine|Configure removal of items from Quarantine folder|Specify how many days items should be kept in quarantine before being removed|90 days|
+|Threats|Specify threat alert levels at which default action should not be taken when detected|Every threat that is detected by Microsoft Defender Antivirus is assigned a threat level (low, medium, high, or severe). You can use this setting to define how all threats for each of the threat levels should be remediated (quarantined, removed, or ignored)|Not applicable|
+|Threats|Specify threats upon which default action should not be taken when detected|Specify how specific threats (using their threat ID) should be remediated. You can specify whether the specific threat should be quarantined, removed, or ignored|Not applicable|
+|
> [!IMPORTANT] > Microsoft Defender Antivirus detects and remediates files based on many factors. Sometimes, completing a remediation requires a reboot. Even if the detection is later determined to be a false positive, the reboot must be completed to ensure all additional remediation steps have been completed. > > If you are certain Microsoft Defender Antivirus quarantined a file based on a false positive, you can restore the file from quarantine after the device reboots. See [Restore quarantined files in Microsoft Defender Antivirus](restore-quarantined-files-microsoft-defender-antivirus.md).
->
+>
> To avoid this problem in the future, you can exclude files from the scans. See [Configure and validate exclusions for Microsoft Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md). Also see [Configure remediation-required scheduled full Microsoft Defender Antivirus scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md#remed) for more remediation-related settings.
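Review bot: The rewritten delimiter row `|||||` drops the `:` alignment markers that the removed row `|:|:|:|:|` carried; if explicit left alignment of the four columns is intended, keep `|:---|:---|:---|:---|` rather than letting the renderer default decide. As in the other tables of this change, the trailing line containing only `|` after the "Specify threats upon which default action should not be taken" row is a stray row and should be removed.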
security Configure Server Endpoints https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-server-endpoints.md
For Windows Server 2008 R2 SP1 and Windows Server 2012 R2: [Configure and update
1. Download the agent setup file: [Windows 64-bit agent](https://go.microsoft.com/fwlink/?LinkId=828603). 2. Using the Workspace ID and Workspace key obtained in the previous procedure, choose any of the following installation methods to install the agent on the Windows server:
- - [Manually install the agent using setup](/azure/log-analytics/log-analytics-windows-agents#install-agent-using-setup-wizard).
+ - [Manually install the agent using setup](/azure/log-analytics/log-analytics-windows-agents#install-agent-using-setup-wizard).
On the **Agent Setup Options** page, choose **Connect the agent to Azure Log Analytics (OMS)**. - [Install the agent using the command line](/azure/log-analytics/log-analytics-windows-agents#install-agent-using-command-line). - [Configure the agent using a script](/azure/log-analytics/log-analytics-windows-agents#install-agent-using-dsc-in-azure-automation).
Once completed, you should see onboarded Windows servers in the portal within an
### Option 2: Onboard Windows servers through Azure Security Center
-In the Microsoft 365 Defender navigation pane, select **Settings** > **Endpoints** > **Device management** > **Onboarding**.
+In the Microsoft 365 Defender navigation pane, select **Settings** \> **Endpoints** \> **Device management** \> **Onboarding**.
1. Select **Windows Server 2008 R2 SP1, 2012 R2 and 2016** as the operating system.
The following capabilities are included in this integration:
> [!NOTE] > The integration between Azure Defender for Servers and Microsoft Defender for Endpoint has been expanded to support [Windows Server 2019 and Windows Virtual Desktop (WVD)](/azure/security-center/release-notes#microsoft-defender-for-endpoint-integration-with-azure-defender-now-supports-windows-server-2019-and-windows-10-virtual-desktop-wvd-in-preview). -- Windows servers monitored by Azure Defender will also be available in Defender for Endpoint - Azure Defender seamlessly connects to the Defender for Endpoint tenant, providing a single view across clients and servers. In addition, Defender for Endpoint alerts will be available in the Azure Defender console.
+- Windows servers monitored by Azure Defender will also be available in Defender for Endpoint - Azure Defender seamlessly connects to the Defender for Endpoint tenant, providing a single view across clients and servers. In addition, Defender for Endpoint alerts will be available in the Azure Defender console.
-- Server investigation - Azure Defender customers can access Microsoft 365 Defender to perform detailed investigation to uncover the scope of a potential breach.
+- Server investigation - Azure Defender customers can access Microsoft 365 Defender to perform detailed investigation to uncover the scope of a potential breach.
> [!IMPORTANT] >
The following steps are required to enable this integration:
- [Configure the SCEP client Cloud Protection Service membership](/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus) to the **Advanced** setting. ## Run a detection test to verify onboarding
-After onboarding the device, you can choose to run a detection test to verify that a device is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender for Endpoint device](run-detection-test.md).
+After onboarding the device, you can choose to run a detection test to verify that a device is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender for Endpoint device](run-detection-test.md).
## Offboard Windows servers
To offboard the Windows server, you can use either of the following methods:
1. Get your Workspace ID:
- 1. In the Microsoft 365 Defender navigation pane, select **Settings** > **Endpoints** > **Device management** > **Onboarding**.
+ 1. In the Microsoft 365 Defender navigation pane, select **Settings** \> **Endpoints** \> **Device management** \> **Onboarding**.
1. Select **Windows Server 2008 R2 SP1, 2012 R2 and 2016** as the operating system and get your Workspace ID:
To offboard the Windows server, you can use either of the following methods:
Add the following lines to the cmd file. Note that you'll need your WORKSPACE ID and KEY. ```dos
-@echo off
+@echo off
cd "C:"
-IF EXIST "C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe" (
+IF EXIST "C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe" (
exit ) ELSE ( wusa.exe c:\Windows\MMA\Windows6.1-KB123456-x86.msu /quiet /norestart
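Review bot: The script installs `c:\Windows\MMA\Windows6.1-KB123456-x86.msu`, an obvious placeholder package name, yet the sentence above the fence only tells the reader to substitute the WORKSPACE ID and KEY; add a sentence (or a `REM` line in the script) saying the .msu file name must be replaced with the agent package actually downloaded and staged under `C:\Windows\MMA`. Also, `cd "C:"` only displays the current directory of drive C: rather than changing to the root; since the remaining paths are absolute, either drop the line or use `cd /d C:\` if the root is meant.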
As mentioned in the onboarding documentation for Server specifically around Serv
For Windows Server 2008 R2 PS1, ensure that you fulfill the following requirements: - Install the [February 2018 monthly update rollup](https://support.microsoft.com/help/4074598/windows-7-update-kb4074598)
-
+ - Install either [.NET framework 4.5](https://www.microsoft.com/download/details.aspx?id=30653) (or later) or [KB3154518](https://support.microsoft.com/help/3154518/support-for-tls-system-default-versions-included-in-the-net-framework) Please check the KBs are present before onboarding Windows Server 2008 R2
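Review bot: "Windows Server 2008 R2 PS1" in the opening line of this hunk is a typo for "SP1" (the onboarding section above consistently says "Windows Server 2008 R2 SP1"); fix it while this list is being touched. The added bullet also runs straight into "Please check the KBs are present before onboarding Windows Server 2008 R2", which has no terminating period; make that its own sentence, ending with a full stop, and confirm the committed file separates it from the bullet.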
security Configure Server Exclusions Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-server-exclusions-microsoft-defender-antivirus.md
Last updated 08/17/2021
## Summary
-This article provides an overview of exclusions for Microsoft Defender Antivirus on Windows Server 2016 or later.
+This article provides an overview of exclusions for Microsoft Defender Antivirus on Windows Server 2016 or later.
-Because Microsoft Defender Antivirus is built into Windows Server 2016 and later, exclusions for operating system files and server roles happen automatically. However, you can define custom exclusions. You can also opt out of automatic exclusions if necessary.
+Because Microsoft Defender Antivirus is built into Windows Server 2016 and later, exclusions for operating system files and server roles happen automatically. However, you can define custom exclusions. You can also opt out of automatic exclusions if necessary.
-This article includes the following sections: <br/><br/>
+This article includes the following sections:
+<br>
-| Section | Description |
-|||
-| [Automatic exclusions on Windows Server 2016 or later](#automatic-exclusions-on-windows-server-2016-or-later) | Describes the two main types of automatic exclusions and includes a detailed list of automatic exclusions |
-| [Opting out of automatic exclusions](#opting-out-of-automatic-exclusions) | Includes important considerations and procedures describing how to opt out of automatic exclusions |
-| [Defining custom exclusions](#defining-custom-exclusions) | Provides links to how-to information for defining custom exclusions |
+****
+|Section|Description|
+|||
+|[Automatic exclusions on Windows Server 2016 or later](#automatic-exclusions-on-windows-server-2016-or-later)|Describes the two main types of automatic exclusions and includes a detailed list of automatic exclusions|
+|[Opting out of automatic exclusions](#opting-out-of-automatic-exclusions)|Includes important considerations and procedures describing how to opt out of automatic exclusions|
+|[Defining custom exclusions](#defining-custom-exclusions)|Provides links to how-to information for defining custom exclusions|
+|
> [!IMPORTANT] > Keep the following points in mind:
+>
> - Custom exclusions take precedence over automatic exclusions. > - Automatic exclusions only apply to Real-time protection (RTP) scanning. Automatic exclusions are not honored during a full scan, quick scan, or on-demand scan. > - Custom and duplicate exclusions do not conflict with automatic exclusions.
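Review bot: The `<br>` and `****` inserted before the Section/Description table have no blank lines separating them from the sentence "This article includes the following sections:" or from the table header, unlike the same construct elsewhere in this change (the real-time protection and remediation tables have blank lines around both lines). Without a blank line the `<br>` is treated as inline HTML in the preceding paragraph rather than a block, so use the same spacing as the other tables. The trailing line containing only `|` after the "Defining custom exclusions" row is a stray row as well.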
On Windows Server 2016 or later, you should not need to define the following exc
- Operating system files - Server roles and any files that are added through server roles
-Because Microsoft Defender Antivirus is built in, it does not require exclusions for operating system files on Windows Server 2016 or later. In addition, when you run Windows Server 2016 or later and install a role, Microsoft Defender Antivirus includes automatic exclusions for the server role and any files that are added while installing the role.
+Because Microsoft Defender Antivirus is built in, it does not require exclusions for operating system files on Windows Server 2016 or later. In addition, when you run Windows Server 2016 or later and install a role, Microsoft Defender Antivirus includes automatic exclusions for the server role and any files that are added while installing the role.
-Operating system exclusions and server role exclusions do not appear in the standard exclusion lists that are shown in the [Windows Security app](microsoft-defender-security-center-antivirus.md).
+Operating system exclusions and server role exclusions do not appear in the standard exclusion lists that are shown in the [Windows Security app](microsoft-defender-security-center-antivirus.md).
Automatic exclusions for server roles and operating system files do not apply to Windows Server 2012 or Windows Server 2012 R2.
This section lists the default exclusions for all roles in Windows Server 2016 a
The following table lists the file type exclusions, folder exclusions, and process exclusions that are delivered automatically when you install the Hyper-V role.
-| Exclusion type | Specifics |
-|:|:|
-| File types | `*.vhd` <br/> `*.vhdx` <br/> `*.avhd` <br/> `*.avhdx` <br/> `*.vsv` <br/> `*.iso` <br/> `*.rct` <br/> `*.vmcx` <br/> `*.vmrs` |
-| Folders | `%ProgramData%\Microsoft\Windows\Hyper-V` <br/> `%ProgramFiles%\Hyper-V` <br/> `%SystemDrive%\ProgramData\Microsoft\Windows\Hyper-V\Snapshots` <br/> `%Public%\Documents\Hyper-V\Virtual Hard Disks` |
-| Processes | `%systemroot%\System32\Vmms.exe` <br/> `%systemroot%\System32\Vmwp.exe` |
+<br>
+
+****
+
+|Exclusion type|Specifics|
+|||
+|File types|`*.vhd` <br/> `*.vhdx` <br/> `*.avhd` <br/> `*.avhdx` <br/> `*.vsv` <br/> `*.iso` <br/> `*.rct` <br/> `*.vmcx` <br/> `*.vmrs`|
+|Folders|`%ProgramData%\Microsoft\Windows\Hyper-V` <br/> `%ProgramFiles%\Hyper-V` <br/> `%SystemDrive%\ProgramData\Microsoft\Windows\Hyper-V\Snapshots` <br/> `%Public%\Documents\Hyper-V\Virtual Hard Disks`|
+|Processes|`%systemroot%\System32\Vmms.exe` <br/> `%systemroot%\System32\Vmwp.exe`|
+|
##### SYSVOL files
You can disable the automatic exclusion lists with Group Policy, PowerShell cmdl
2. In the **Group Policy Management Editor** go to **Computer configuration**, and then select **Administrative templates**.
-3. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Exclusions**.
+3. Expand the tree to **Windows components** \> **Microsoft Defender Antivirus** \> **Exclusions**.
-4. Double-click **Turn off Auto Exclusions**, and set the option to **Enabled**. Then select **OK**.
+4. Double-click **Turn off Auto Exclusions**, and set the option to **Enabled**. Then select **OK**.
### Use PowerShell cmdlets to disable the auto-exclusions list on Windows Server
DisableAutoExclusions
``` See the following for more information and allowed parameters:+ - [Windows Defender WMIv2 APIs](/previous-versions/windows/desktop/defender/windows-defender-wmiv2-apis-portal) ## Defining custom exclusions
security Configure Siem https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-siem.md
ms.technology: mde
## Pull detections using security information and events management (SIEM) tools
->[!NOTE]
->- [Microsoft Defender for Endpoint Alert](alerts.md) is composed from one or more detections.
->- [Microsoft Defender for Endpoint Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Device and its related Alert details.
->-The Microsoft Defender for Endpoint Alert API is the latest API for alert consumption and contain a detailed list of related evidence for each alert. For more information, see [Alert methods and properties](alerts.md) and [List alerts](get-alerts.md).
+> [!NOTE]
+>
+> - [Microsoft Defender for Endpoint Alert](alerts.md) is composed from one or more detections.
+> - [Microsoft Defender for Endpoint Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Device and its related Alert details.
+> -The Microsoft Defender for Endpoint Alert API is the latest API for alert consumption and contain a detailed list of related evidence for each alert. For more information, see [Alert methods and properties](alerts.md) and [List alerts](get-alerts.md).
Defender for Endpoint supports security information and event management (SIEM) tools to pull detections. Defender for Endpoint exposes alerts through an HTTPS endpoint hosted in Azure. The endpoint can be configured to pull detections from your enterprise tenant in Azure Active Directory (AAD) using the OAuth 2.0 authentication protocol for an AAD application that represents the specific SIEM connector installed in your environment.
To use either of these supported SIEM tools, you'll need to:
- [Enable SIEM integration in Defender for Endpoint](enable-siem-integration.md) - Configure the supported SIEM tool:
- - [Configure Micro Focus ArcSight to pull Defender for Endpoint detections](configure-arcsight.md)
- - Configure IBM QRadar to pull Defender for Endpoint detections For more information, see [IBM Knowledge Center](https://www.ibm.com/support/knowledgecenter/SS42VS_DSM/com.ibm.dsm.doc/c_dsm_guide_MS_Win_Defender_ATP_overview.html?cp=SS42VS_7.3.1).
+ - [Configure Micro Focus ArcSight to pull Defender for Endpoint detections](configure-arcsight.md)
+ - Configure IBM QRadar to pull Defender for Endpoint detections For more information, see [IBM Knowledge Center](https://www.ibm.com/support/knowledgecenter/SS42VS_DSM/com.ibm.dsm.doc/c_dsm_guide_MS_Win_Defender_ATP_overview.html?cp=SS42VS_7.3.1).
For more information on the list of fields exposed in the Detection API, see [Defender for Endpoint Detection fields](api-portal-mapping.md).
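Review bot: The third bullet of the rewritten note, `> -The Microsoft Defender for Endpoint Alert API is the latest API ...`, has no space between the `-` and `The`, so it will render as literal text instead of a list item like the two bullets above it; change it to `> - The Microsoft Defender for Endpoint Alert API ...`. In the same line, `contain a detailed list` should be `contains a detailed list` to agree with the singular subject `API`. Further down, the re-indented QRadar bullet (`+ - Configure IBM QRadar to pull Defender for Endpoint detections For more information, see ...`) still runs two sentences together; a period after `detections` would fix it.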
security Configure Updates https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-updates.md
ms.localizationpriority: medium audience: ITPro--- M365-security-compliance -- m365initiative-m365-defender +
+- M365-security-compliance
+- m365initiative-m365-defender
ms.technology: m365d
To create your own custom gradual rollout process for Defender updates, you can
The following table lists the available group policy settings for configuring update channels:
-| Setting title | Description | Location |
-|:|:|:|
-| Select gradual Microsoft Defender monthly platform update rollout channel | Enable this policy to specify when devices receive Microsoft Defender platform updates during the monthly gradual rollout. <br><br> Beta Channel: Devices set to this channel will be the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in (manual) test environments only and a limited number of devices. <br><br> Current Channel (Preview): Devices set to this channel will be offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments. <br><br> Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%). <br><br> Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). <br><br> If you disable or do not configure this policy, the device will stay up to date automatically during the gradual release cycle. Suitable for most devices. | Windows Components\Microsoft Defender Antivirus |
-| Select gradual Microsoft Defender monthly engine update rollout channel | Enable this policy to specify when devices receive Microsoft Defender engine updates during the monthly gradual rollout. <br><br> Beta Channel: Devices set to this channel will be the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in (manual) test environments only and a limited number of devices. <br><br> Current Channel (Preview): Devices set to this channel will be offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments. <br><br> Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%). <br><br> Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). <br><br> If you disable or do not configure this policy, the device will stay up to date automatically during the gradual release cycle. Suitable for most devices. | Windows Components\Microsoft Defender Antivirus |
-| Select gradual Microsoft Defender daily definition updates rollout channel | Enable this policy to specify when devices receive Microsoft Defender definition updates during the daily gradual rollout. <br><br> Current Channel (Staged): Devices will be offered updates after the release cycle. Suggested to apply to a small, representative part of production population (~10%). <br><br> Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). <br><br> If you disable or do not configure this policy, the device will stay up to date automatically during the daily release cycle. Suitable for most devices. | Windows Components\Microsoft Defender Antivirus |
-| Disable gradual rollout of Microsoft Defender updates | Enable this policy to disable gradual rollout of Defender updates. <br><br> Current Channel (Broad): Devices set to this channel will be offered updates last during the gradual release cycle. Best for datacenter machines that only receive limited updates. <br><br> Note: This setting applies to both monthly as well as daily Defender updates and will override any previously configured channel selections for platform and engine updates. <br><br> If you disable or do not configure this policy, the device will remain in Current Channel (Default) unless specified otherwise in specific channels for platform and engine updates. Stay up to date automatically during the gradual release cycle. Suitable for most devices. | Windows Components\Microsoft Defender Antivirus |
+<br>
+
+****
+
+|Setting title|Description|Location|
+||||
+|Select gradual Microsoft Defender monthly platform update rollout channel|Enable this policy to specify when devices receive Microsoft Defender platform updates during the monthly gradual rollout. <p> Beta Channel: Devices set to this channel will be the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in (manual) test environments only and a limited number of devices. <p> Current Channel (Preview): Devices set to this channel will be offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments. <p> Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%). <p> Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). <p> If you disable or do not configure this policy, the device will stay up to date automatically during the gradual release cycle. Suitable for most devices.|Windows Components\Microsoft Defender Antivirus|
+|Select gradual Microsoft Defender monthly engine update rollout channel|Enable this policy to specify when devices receive Microsoft Defender engine updates during the monthly gradual rollout. <p> Beta Channel: Devices set to this channel will be the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in (manual) test environments only and a limited number of devices. <p> Current Channel (Preview): Devices set to this channel will be offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments. <p> Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%). <p> Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). <p> If you disable or do not configure this policy, the device will stay up to date automatically during the gradual release cycle. Suitable for most devices.|Windows Components\Microsoft Defender Antivirus|
+|Select gradual Microsoft Defender daily definition updates rollout channel|Enable this policy to specify when devices receive Microsoft Defender definition updates during the daily gradual rollout. <p> Current Channel (Staged): Devices will be offered updates after the release cycle. Suggested to apply to a small, representative part of production population (~10%). <p> Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). <p> If you disable or do not configure this policy, the device will stay up to date automatically during the daily release cycle. Suitable for most devices.|Windows Components\Microsoft Defender Antivirus|
+|Disable gradual rollout of Microsoft Defender updates|Enable this policy to disable gradual rollout of Defender updates. <p> Current Channel (Broad): Devices set to this channel will be offered updates last during the gradual release cycle. Best for datacenter machines that only receive limited updates. <p> Note: This setting applies to both monthly as well as daily Defender updates and will override any previously configured channel selections for platform and engine updates. <p> If you disable or do not configure this policy, the device will remain in Current Channel (Default) unless specified otherwise in specific channels for platform and engine updates. Stay up to date automatically during the gradual release cycle. Suitable for most devices.|Windows Components\Microsoft Defender Antivirus|
+|
## Group Policy
In general, you can use the following procedure to configure or change Microsoft
Follow the instructions in below link to create a custom policy in Intune:
-[Add custom settings for Windows 10 devices in Microsoft Intune - Azure \| Microsoft Docs](/mem/intune/configuration/custom-settings-windows-10)
+[Add custom settings for Windows 10 devices in Microsoft Intune - Azure \|Microsoft Docs](/mem/intune/configuration/custom-settings-windows-10)
For more information on the Defender CSPs used for the gradual rollout process, see [Defender CSP](/windows/client-management/mdm/defender-csp).
Example:
Use `Set-MpPreference -PlatformUpdatesChannel Beta` to configure platform updates to arrive from the Beta Channel.
-For more information on the parameters and how to configure them, see [Set-MpPreference (Defender) | Microsoft Docs](/powershell/module/defender/set-mppreference).
+For more information on the parameters and how to configure them, see [Set-MpPreference (Defender)|Microsoft Docs](/powershell/module/defender/set-mppreference).
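Review bot: Dropping the spaces around the pipe in the two link titles (`- Azure \|Microsoft Docs` and `(Defender)|Microsoft Docs`) changes the rendered text to a run-together title; the page titles being linked read `... - Azure | Microsoft Docs` and `Set-MpPreference (Defender) | Microsoft Docs`. Keep the spaces, and if the pipe has to be escaped to avoid table-cell splitting, escape it the same way in both links (`\|`), since the Set-MpPreference link leaves it unescaped while the Intune link escapes it.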
security Configure Vulnerability Email Notifications https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-vulnerability-email-notifications.md
The email notification includes basic information about the vulnerability event.
Create a notification rule to send an email when there are certain exploit or vulnerability events, such as a new public exploit. For each rule, multiple event types can be selected.
-1. In the navigation pane, go to **Settings** > **Email notifications** > **Vulnerabilities**.
+1. In the navigation pane, go to **Settings** \> **Email notifications** \> **Vulnerabilities**.
2. Select **Add notification rule**.
security Connected Applications https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/connected-applications.md
Title: Connected applications in Microsoft Defender for Endpoint-+ description: View connected partner applications that use standard OAuth 2.0 protocol to authenticate and provide tokens for use with Microsoft Defender for Endpoint APIs. keywords: partners, applications, third-party, connections, sentinelone, lookout, bitdefender, corrata, morphisec, paloalto, ziften, better mobile search.product: eADQiWindows 10XVcnh
ms.technology: mde
> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-assignaccess-abovefoldlink)
-Connected applications integrates with the Defender for Endpoint platform using APIs.
+Connected applications integrates with the Defender for Endpoint platform using APIs.
+
+Applications use standard OAuth 2.0 protocol to authenticate and provide tokens for use with Microsoft Defender for Endpoint APIs. In addition, Azure Active Directory (Azure AD) applications allow tenant admins to set explicit control over which APIs can be accessed using the corresponding app.
-Applications use standard OAuth 2.0 protocol to authenticate and provide tokens for use with Microsoft Defender for Endpoint APIs. In addition, Azure Active Directory (Azure AD) applications allow tenant admins to set explicit control over which APIs can be accessed using the corresponding app.
-
You'll need to follow [these steps](/microsoft-365/security/defender-endpoint/apis-intro) to use the APIs with the connected application.
-
+ From the left navigation menu, select **Partners & APIs** (under **Endpoints**) > **Connected applications**.
-
+ ## View connected application details+ The Connected applications page provides information about the Azure AD applications connected to Microsoft Defender for Endpoint in your organization. You can review the usage of the connected applications: last seen, number of requests in the past 24 hours, and request trends in the last 30 days. ![Image of connected apps](images/connected-apps.png)
-
+ ## Edit, reconfigure, or delete a connected application+ The **Open application settings** link opens the corresponding Azure AD application management page in the Azure portal. From the Azure portal, you can manage permissions, reconfigure, or delete the connected applications.
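Review bot: The re-added first sentence, `Connected applications integrates with the Defender for Endpoint platform using APIs.`, keeps a subject-verb disagreement; the plural subject needs `integrate`. Since this hunk only moves the blank line between that sentence and the OAuth 2.0 paragraph, it is a good moment to fix the wording as well.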
security Contact Support Usgov https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/contact-support-usgov.md
ms.technology: mde
Defender for Endpoint has recently upgraded the support process to offer a more modern and advanced support experience. ## Using the right portal+ In order to open a support case, you will need to login to your Microsoft Defender for Endpoint portal:
-Environment | Portal URL
-:|:
-GCC-M on Commercial | [https://securitycenter.microsoft.com](https://securitycenter.microsoft.com)
-GCC-M | [https://gcc.securitycenter.microsoft.us](https://gcc.securitycenter.microsoft.us)
-GCC-H | [https://securitycenter.microsoft.us](https://securitycenter.microsoft.us)
-DoD | [https://securitycenter.microsoft.us](https://securitycenter.microsoft.us)
+Environment|Portal URL
+|
+GCC-M on Commercial|<https://securitycenter.microsoft.com>
+GCC-M|<https://gcc.securitycenter.microsoft.us>
+GCC-H|<https://securitycenter.microsoft.us>
+DoD|<https://securitycenter.microsoft.us>
If you are unable to login to the portal, you can also open a support case using the [phone](../../business-video/get-help-support.md). ## Opening a support case+ For prerequisites and instructions, see [Contact Microsoft Defender for Endpoint support](contact-support.md).
security Contact Support https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/contact-support.md
ms.technology: mde
> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-assignaccess-abovefoldlink)
-Defender for Endpoint has recently upgraded the support process to offer a more modern and advanced support experience.
+Defender for Endpoint has recently upgraded the support process to offer a more modern and advanced support experience.
The new widget allows customers to:+ - Find solutions to common problems - Submit a support case to the Microsoft support team ## Prerequisites+ It's important to know the specific roles that have permission to open support cases. At a minimum, you must have a Service Support Administrator **OR** Helpdesk Administrator role. - For more information on which roles have permission see, [Security Administrator permissions](/azure/active-directory/users-groups-roles/directory-assign-admin-roles#security-administrator-permissions). Roles that include the action `microsoft.office365.supportTickets/allEntities/allTasks` can submit a case. For general information on admin roles, see [About admin roles](/microsoft-365/admin/add-users/about-admin-roles?view=o365-worldwide&preserve-view=true). - ## Access the widget+ Accessing the new support widget can be done in one of two ways:
-1. Clicking on the question mark on the top right of the portal and then clicking on "Microsoft support":
+1. Clicking on the question mark on the top right of the portal and then clicking on "Microsoft support":
:::image type="content" source="../../media/contactsupport.png" alt-text="Microsoft support"::: - 2. Clicking on the **Need help?** button in the bottom right of the Microsoft 365 Defender portal: ![Image of the need help button](images/need-help-option.png) In the widget you will be offered two options: -- Find solutions to common problems -- Open a service request
+- Find solutions to common problems
+- Open a service request
## Find solutions to common problems+ This option includes articles that might be related to the question you may ask. Just start typing the question in the search box and articles related to your search will be surfaced. :::image type="content" source="../../media/contactsupport1.png" alt-text="How can we help?":::
In case the suggested articles are not sufficient, you can open a service reques
## Open a service request
-Learn how to open support tickets by contacting Defender for Endpoint support.
+Learn how to open support tickets by contacting Defender for Endpoint support.
-> [!Note]
-> If you have a permier support contract with Microsoft, you will see the premier tag on the widget. If not, contact your Microsoft account manager.
+> [!NOTE]
+> If you have a premier support contract with Microsoft, you will see the premier tag on the widget. If not, contact your Microsoft account manager.
### Contact support
-This option is available by clicking the icon that looks like a headset. You will then get the following page to submit your support case: </br>
+This option is available by clicking the icon that looks like a headset. You will then get the following page to submit your support case:
1. Fill in a title and description for the issue you are facing, as well as a phone number and email address where we may reach you.-
-2. (Optional) Include up to five attachments that are relevant to the issue in order to provide additional context for the support case.
-
+2. (Optional) Include up to five attachments that are relevant to the issue in order to provide additional context for the support case.
3. Select your time zone and an alternative language, if applicable. The request will be sent to Microsoft Support Team. The team will respond to your service request shortly. - ## Related topics+ - [Troubleshoot service issues](troubleshoot-mdatp.md) - [Check service health](service-status.md)
security Control Usb Devices Using Intune https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/control-usb-devices-using-intune.md
Microsoft recommends [a layered approach to securing removable media](https://ak
2. Configure to allow or block only certain removable devices and prevent threats. 1. [Allow or block removable devices](#allow-or-block-removable-devices) based on granular configuration to deny write access to removable disks and approve or deny devices by using USB device IDs. Flexible policy assignment of device installation settings based on an individual or group of Azure Active Directory (Azure AD) users and devices.
- 2. [Prevent threats from removable storage](#prevent-threats-from-removable-storage) introduced by removable storage devices by enabling:
- - Microsoft Defender Antivirus real-time protection (RTP) to scan removable storage for malware.
- - The Attack Surface Reduction (ASR) USB rule to block untrusted and unsigned processes that run from USB.
- - Direct Memory Access (DMA) protection settings to mitigate DMA attacks, including Kernel DMA Protection for Thunderbolt and blocking DMA until a user signs in.
+ 2. [Prevent threats from removable storage](#prevent-threats-from-removable-storage) introduced by removable storage devices by enabling:
+ - Microsoft Defender Antivirus real-time protection (RTP) to scan removable storage for malware.
+ - The Attack Surface Reduction (ASR) USB rule to block untrusted and unsigned processes that run from USB.
+ - Direct Memory Access (DMA) protection settings to mitigate DMA attacks, including Kernel DMA Protection for Thunderbolt and blocking DMA until a user signs in.
3. [Create customized alerts and response actions](#create-customized-alerts-and-response-actions) to monitor usage of removable devices based on these plug and play events or any other Microsoft Defender for Endpoint events with [custom detection rules](/microsoft-365/security/defender-endpoint/custom-detection-rules).
In this example, the following classes needed to be added: HID, Keyboard, and {3
![Device host controller](images/devicehostcontroller.jpg)
-If you want to restrict to certain devices, remove the device setup class of the peripheral that you want to limit. Then add the device ID that you want to add. Device ID is based on the vendor ID and product ID values for a device. For information on device ID formats, see [Standard USB Identifiers](/windows-hardware/drivers/install/standard-usb-identifiers).
+If you want to restrict to certain devices, remove the device setup class of the peripheral that you want to limit. Then add the device ID that you want to add. Device ID is based on the vendor ID and product ID values for a device. For information on device ID formats, see [Standard USB Identifiers](/windows-hardware/drivers/install/standard-usb-identifiers).
-To find the device IDs, see [Look up device ID](#look-up-device-id).
+To find the device IDs, see [Look up device ID](#look-up-device-id).
For example: 1. Remove class USBDevice from the **Allow installation of devices using drivers that match these device setup**.
-2. Add the device ID to allow in the **Allow installation of device that match any of these device IDs**.
+2. Add the device ID to allow in the **Allow installation of device that match any of these device IDs**.
#### Prevent installation and usage of USB drives and other peripherals
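Review bot: The policy name in `+2. Add the device ID to allow in the **Allow installation of device that match any of these device IDs**.` is misspelled; the Group Policy setting is **Allow installation of devices that match any of these device IDs** (plural), which matters because readers search the policy editor for the exact title. In the same hunk, `Then add the device ID that you want to add.` is circular and would read better as `Then add the device IDs you want to allow.`, matching the wording of step 2.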
If you want to prevent the installation of a device class or certain devices, yo
The **Prevent installation of devices that match any of these device IDs** policy allows you to specify a list of devices that Windows is prevented from installing.
-To prevent installation of devices that match any of these device IDs:
+To prevent installation of devices that match any of these device IDs:
1. [Look up device ID](#look-up-device-id) for devices that you want Windows to prevent from installing.
For information about Device ID formats, see [Standard USB Identifiers](/windows
For information on vendor IDs, see [USB members](https://www.usb.org/members).
-The following is an example for looking up a device vendor ID or product ID (which is part of the device ID) using PowerShell:
+The following is an example for looking up a device vendor ID or product ID (which is part of the device ID) using PowerShell:
```powershell
-Get-WMIObject -Class Win32_DiskDrive | Select-Object -Property *
+Get-WMIObject -Class Win32_DiskDrive | Select-Object -Property *
``` The **Prevent installation of devices using drivers that match these device setup classes** policy allows you to specify device setup classes that Windows is prevented from installing.
To prevent installation of particular classes of devices:
1. Sign in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/).
-2. Click **Devices** > **Configuration Profiles** > **Create profile**.
+2. Click **Devices** \> **Configuration Profiles** \> **Create profile**.
> [!div class="mx-imgBorder"] > ![Create device configuration profile](images/create-device-configuration-profile.png)
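Review bot: The PowerShell example `Get-WMIObject -Class Win32_DiskDrive | Select-Object -Property *` is unchanged apart from trailing whitespace, but it has two problems worth fixing while the line is touched: `Get-WmiObject` is deprecated and is not available in PowerShell 7, so `Get-CimInstance -ClassName Win32_DiskDrive` is the portable form; and `Select-Object -Property *` dumps every property of every disk, while the step only needs the identifier, so `Select-Object -Property Model, PNPDeviceID` would show readers the value that carries the vendor and product strings. The closing fence is also run together with the next paragraph (` ``` The **Prevent installation of devices using drivers ...`), which will swallow that paragraph into the code block; put a blank line after the fence.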
To prevent installation of particular classes of devices:
> [!div class="mx-imgBorder"] > ![Create profile](images/create-profile.png)
-4. Click **Configure** > **General**.
+4. Click **Configure** \> **General**.
-5. For **Removable storage** and **USB connection (mobile only)**, choose **Block**. **Removable storage** includes USB drives, whereas **USB connection (mobile only)** excludes USB charging but includes other USB connections on mobile devices only.
+5. For **Removable storage** and **USB connection (mobile only)**, choose **Block**. **Removable storage** includes USB drives, whereas **USB connection (mobile only)** excludes USB charging but includes other USB connections on mobile devices only.
![General settings](images/general-settings.png)
Allowing installation of specific devices requires also enabling [DeviceInstalla
Microsoft Defender for Endpoint blocks installation and usage of prohibited peripherals by using either of these options: -- [Administrative Templates](/intune/administrative-templates-windows) can block any device with a matching hardware ID or setup class.
+- [Administrative Templates](/intune/administrative-templates-windows) can block any device with a matching hardware ID or setup class.
- [Device Installation CSP settings](/windows/client-management/mdm/policy-csp-deviceinstallation) with a custom profile in Intune. You can [prevent installation of specific device IDs](/windows/client-management/mdm/policy-csp-deviceinstallation#deviceinstallation-preventinstallationofmatchingdeviceids) or [prevent specific device classes](/windows/client-management/mdm/policy-csp-deviceinstallation#deviceinstallation-preventinstallationofmatchingdevicesetupclasses). ### Allow installation and usage of specifically approved peripherals with matching device instance IDs
Using Intune, you can limit the services that can use Bluetooth through the ["Bl
> [!div class="mx-imgBorder"] > ![screenshot of Bluetooth settings page](images/bluetooth.png) - ## Prevent threats from removable storage
-
+ Removable storage devices can introduce additional security risk to your organization. Microsoft Defender for Endpoint can help identify and block malicious files on removable storage devices. Microsoft Defender for Endpoint can also prevent USB peripherals from being used on devices to help prevent external threats. It does this by using the properties reported by USB peripherals to determine whether or not they can be installed and used on the device.
Microsoft Defender for Endpoint can also prevent USB peripherals from being used
Note that if you block USB devices or any other device classes using the device installation policies, connected devices, such as phones, can still charge. > [!NOTE]
-> Always test and refine these settings with a pilot group of users and devices first before widely distributing to your organization.
+> Always test and refine these settings with a pilot group of users and devices first before widely distributing to your organization.
The following table describes the ways Microsoft Defender for Endpoint can help prevent threats from removable storage.
Protecting authorized removable storage with Microsoft Defender Antivirus requir
- If scheduled scans are used, then you need to disable the DisableRemovableDriveScanning setting (enabled by default) to scan the removable device during a full scan. Removable devices are scanned during a quick or custom scan regardless of the DisableRemovableDriveScanning setting. > [!NOTE]
-> We recommend enabling real-time monitoring for scanning. In Intune, you can enable real-time monitoring for Windows 10 in **Device Restrictions** > **Configure** > **Microsoft Defender Antivirus** > **Real-time monitoring**.
+> We recommend enabling real-time monitoring for scanning. In Intune, you can enable real-time monitoring for Windows 10 in **Device Restrictions** \> **Configure** \> **Microsoft Defender Antivirus** \> **Real-time monitoring**.
-<!-- Need to build out point in the preceding note.
+<!-- Need to build out point in the preceding note.
--> ### Block untrusted and unsigned processes on USB peripherals
These settings require [enabling real-time protection](/microsoft-365/security/d
1. Sign in to the [Microsoft Endpoint Manager](https://endpoint.microsoft.com/).
-2. Click **Devices** > **Windows** > **Configuration Policies** > **Create profile**.
+2. Click **Devices** \> **Windows** \> **Configuration Policies** \> **Create profile**.
![Create device configuration profile](images/create-device-configuration-profile.png) 3. Use the following settings:
- - Platform: Windows 10 and later
+ - Platform: Windows 10 and later
- Profile type: Device restrictions > [!div class="mx-imgBorder"] > ![Create endpoint protection profile](images/create-endpoint-protection-profile.png)
-4. Click **Create**.
+4. Click **Create**.
5. For **Unsigned and untrusted processes that run from USB**, choose **Block**.
For example, using either approach, you can automatically have the Microsoft Def
- [Policy/DeviceInstallation CSP](/windows/client-management/mdm/policy-csp-deviceinstallation) - [Perform a custom scan of a removable device](/samples/browse/?redirectedfrom=TechNet-Gallery) - [Device Control Power BI Template for custom reporting](https://github.com/microsoft/MDATP-PowerBI-Templates)-- [BitLocker](/windows/security/information-protection/bitlocker/bitlocker-overview.md)
+- [BitLocker](/windows/security/information-protection/bitlocker/bitlocker-overview.md)
- [Windows Information Protection](/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md)
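Review bot: The BitLocker link in the `+` line keeps a `.md` extension on a path outside this docset (`/windows/security/information-protection/bitlocker/bitlocker-overview.md`); root-relative links resolve against the published site, not the repository, so the extension should be dropped (`/windows/security/information-protection/bitlocker/bitlocker-overview`). The Windows Information Protection link on the following unchanged line has the same `.md` suffix and should be fixed in the same commit.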
security Controlled Folders https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/controlled-folders.md
## What is controlled folder access?
-Controlled folder access helps protect your valuable data from malicious apps and threats, such as ransomware. Controlled folder access protects your data by checking apps against a list of known, trusted apps. Supported on Windows Server 2019 and Windows 10 clients, controlled folder access can be turned on using the Windows Security App, Microsoft Endpoint Configuration Manager, or Intune (for managed devices).
+Controlled folder access helps protect your valuable data from malicious apps and threats, such as ransomware. Controlled folder access protects your data by checking apps against a list of known, trusted apps. Supported on Windows Server 2019 and Windows 10 clients, controlled folder access can be turned on using the Windows Security App, Microsoft Endpoint Configuration Manager, or Intune (for managed devices).
> [!NOTE]
-> Scripting engines are not trusted and you cannot allow them access to controlled protected folders. For example, PowerShell is not trusted by controlled folder access, even if you allow with [certificate and file indicators](/microsoft-365/security/defender-endpoint/indicator-certificates).
+> Scripting engines are not trusted and you cannot allow them access to controlled protected folders. For example, PowerShell is not trusted by controlled folder access, even if you allow with [certificate and file indicators](/microsoft-365/security/defender-endpoint/indicator-certificates).
Controlled folder access works best with [Microsoft Defender for Endpoint](microsoft-defender-endpoint.md), which gives you detailed reporting into controlled folder access events and blocks as part of the usual [alert investigation scenarios](investigate-alerts.md).
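Review bot: The note line `> Scripting engines are not trusted and you cannot allow them access to controlled protected folders. For example, PowerShell is not trusted by controlled folder access, even if you allow with [certificate and file indicators](...)` is only re-saved with trailing whitespace removed, but `even if you allow with` is missing its object; `even if you allow it with certificate and file indicators` reads correctly and makes the security point (indicators do not override the scripting-engine exclusion) unambiguous.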
Controlled folder access works best with [Microsoft Defender for Endpoint](micro
## How does controlled folder access work?
-Controlled folder access works by only allowing trusted apps to access protected folders. Protected folders are specified when controlled folder access is configured. Typically, commonly used folders, such as those used for documents, pictures, downloads, and so on, are included in the list of controlled folders.
+Controlled folder access works by only allowing trusted apps to access protected folders. Protected folders are specified when controlled folder access is configured. Typically, commonly used folders, such as those used for documents, pictures, downloads, and so on, are included in the list of controlled folders.
-Controlled folder access works with a list of trusted apps. Apps that are included in the list of trusted software work as expected. Apps that are not included in the list are prevented from making any changes to files inside protected folders.
+Controlled folder access works with a list of trusted apps. Apps that are included in the list of trusted software work as expected. Apps that are not included in the list are prevented from making any changes to files inside protected folders.
Apps are added to the list based upon their prevalence and reputation. Apps that are highly prevalent throughout your organization and that have never displayed any behavior deemed malicious are considered trustworthy. Those apps are added to the list automatically.
The [protected folders](#review-controlled-folder-access-events-in-windows-event
You can use [audit mode](audit-windows-defender.md) to evaluate how controlled folder access would impact your organization if it were enabled. You can also visit the Windows Defender Test ground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works.

Controlled folder access is supported on the following versions of Windows:

- [Windows 10, version 1709](/windows/whats-new/whats-new-windows-10-version-1709) and later
- [Windows Server 2019](/windows-server/get-started-19/whats-new-19)

## Windows system folders are protected by default
-Windows system folders are protected by default, along with several other folders:
+Windows system folders are protected by default, along with several other folders:
- `c:\Users\<username>\Documents`
- `c:\Users\Public\Documents`
You can review the Windows event log to see events that are created when control
The following table shows events related to controlled folder access:
-|Event ID | Description |
-|:|:|
-|5007 | Event when settings are changed |
-|1124 | Audited controlled folder access event |
-|1123 | Blocked controlled folder access event |
+<br>
+
+****
+
+|Event ID|Description|
+|||
+|5007|Event when settings are changed|
+|1124|Audited controlled folder access event|
+|1123|Blocked controlled folder access event|
+|
## View or change the list of protected folders
-You can use the Windows Security app to view the list of folders that are protected by controlled folder access.
+You can use the Windows Security app to view the list of folders that are protected by controlled folder access.
1. On your Windows 10 device, open the Windows Security app.
2. Select **Virus & threat protection**.
You can use the Windows Security app to view the list of folders that are protec
4. If controlled folder access is turned off, you'll need to turn it on. Select **protected folders**.
5. Do one of the following steps:
   - To add a folder, select **+ Add a protected folder**.
- - To remove a folder, select it, and then select **Remove**.
+ - To remove a folder, select it, and then select **Remove**.
> [!NOTE]
> [Windows system folders](#windows-system-folders-are-protected-by-default) are protected by default, and you cannot remove them from the list.
security Customize Attack Surface Reduction https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/customize-attack-surface-reduction.md
localization_priority: Normal
audience: ITPro -+ ms.technology: mde
For example, consider the ransomware rule:
The ransomware rule is designed to help enterprise customers reduce risks of ransomware attacks while ensuring business continuity. By default, the ransomware rule errs on the side of caution and protects against files that haven't yet attained sufficient reputation and trust. To reemphasize, the ransomware rule only triggers on files that have not gained enough positive reputation and prevalence, based on usage metrics of millions of our customers. Usually, the blocks are self-resolved, because each file's "reputation and trust" values are incrementally upgraded as non-problematic usage increases.
-In cases in which blocks aren't self resolved in a timely manner, customers can - _at their own risk_ - make use of either the self-service mechanism or an Indicator of Compromise (IOC)-based "allow list" capability to unblock the files themselves.
+In cases in which blocks aren't self resolved in a timely manner, customers can - _at their own risk_ - make use of either the self-service mechanism or an Indicator of Compromise (IOC)-based "allow list" capability to unblock the files themselves.
> [!WARNING]
> Excluding or unblocking files or folders could potentially allow unsafe files to run and infect your devices. Excluding files or folders can severely reduce the protection provided by attack surface reduction rules. Files that would have been blocked by a rule will be allowed to run, and there will be no report or event recorded.
An exclusion is applied only when the excluded application or service starts. Fo
Attack surface reduction supports environment variables and wildcards. For information about using wildcards, see [use wildcards in the file name and folder path or extension exclusion lists](configure-extension-file-exclusions-microsoft-defender-antivirus.md#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists) . If you are encountering problems with rules detecting files that you believe should not be detected, [use audit mode to test the rule](evaluate-attack-surface-reduction.md).
-| Rule description | GUID |
-|:-|:-|
-| Block abuse of exploited vulnerable signed drivers | `56a863a9-875e-4185-98a7-b882c64b5ce5` |
-| Block Adobe Reader from creating child processes | `7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c` |
-| Block all Office applications from creating child processes | `d4f940ab-401b-4efc-aadc-ad5f3c50688a` |
-| Block credential stealing from the Windows local security authority subsystem (lsass.exe) | `9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2` |
-| Block executable content from email client and webmail | `be9ba2d9-53ea-4cdc-84e5-9b1eeee46550` |
-| Block executable files from running unless they meet a prevalence, age, or trusted list criteria | `01443614-cd74-433a-b99e-2ecdc07bfc25` |
-| Block execution of potentially obfuscated scripts | `5beb7efe-fd9a-4556-801d-275e5ffc04cc` |
-| Block JavaScript or VBScript from launching downloaded executable content | `d3e037e1-3eb8-44c8-a917-57927947596d` |
-| Block Office applications from creating executable content | `3b576869-a4ec-4529-8536-b80a7769e899` |
-| Block Office applications from injecting code into other processes | `75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84` |
-| Block Office communication applications from creating child processes | `26190899-1602-49e8-8b27-eb1d0a1ce869` |
-| Block persistence through WMI event subscription | `e6db77e5-3df2-4cf1-b95a-636979351e5b` |
-| Block process creations originating from PSExec and WMI commands | `d1e49aac-8f56-4280-b9ba-993a6d77406c` |
-| Block untrusted and unsigned processes that run from USB | `b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4` |
-| Block Win32 API calls from Office macro | `92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b` |
-| Use advanced protection against ransomware | `c1db55ab-c21a-4637-bb3f-a12568109d35` |
+<br>
+
+****
+
+|Rule description|GUID|
+|||
+|Block abuse of exploited vulnerable signed drivers|`56a863a9-875e-4185-98a7-b882c64b5ce5`|
+|Block Adobe Reader from creating child processes|`7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c`|
+|Block all Office applications from creating child processes|`d4f940ab-401b-4efc-aadc-ad5f3c50688a`|
+|Block credential stealing from the Windows local security authority subsystem (lsass.exe)|`9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2`|
+|Block executable content from email client and webmail|`be9ba2d9-53ea-4cdc-84e5-9b1eeee46550`|
+|Block executable files from running unless they meet a prevalence, age, or trusted list criteria|`01443614-cd74-433a-b99e-2ecdc07bfc25`|
+|Block execution of potentially obfuscated scripts|`5beb7efe-fd9a-4556-801d-275e5ffc04cc`|
+|Block JavaScript or VBScript from launching downloaded executable content|`d3e037e1-3eb8-44c8-a917-57927947596d`|
+|Block Office applications from creating executable content|`3b576869-a4ec-4529-8536-b80a7769e899`|
+|Block Office applications from injecting code into other processes|`75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84`|
+|Block Office communication applications from creating child processes|`26190899-1602-49e8-8b27-eb1d0a1ce869`|
+|Block persistence through WMI event subscription|`e6db77e5-3df2-4cf1-b95a-636979351e5b`|
+|Block process creations originating from PSExec and WMI commands|`d1e49aac-8f56-4280-b9ba-993a6d77406c`|
+|Block untrusted and unsigned processes that run from USB|`b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4`|
+|Block Win32 API calls from Office macro|`92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b`|
+|Use advanced protection against ransomware|`c1db55ab-c21a-4637-bb3f-a12568109d35`|
+|
See the [attack surface reduction](attack-surface-reduction.md) topic for details on each rule.
See the [attack surface reduction](attack-surface-reduction.md) topic for detail
2. In the **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.
-3. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Microsoft Defender Exploit Guard** > **Attack surface reduction**.
+3. Expand the tree to **Windows components** \> **Microsoft Defender Antivirus** \> **Microsoft Defender Exploit Guard** \> **Attack surface reduction**.
4. Double-click the **Exclude files and paths from Attack surface reduction Rules** setting and set the option to **Enabled**. Select **Show** and enter each file or folder in the **Value name** column. Enter **0** in the **Value** column for each item.
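The audit-mode and exclusion guidance above can also be applied per device with the Defender Antivirus cmdlets rather than Group Policy. The following is an added example, not code from the Microsoft docs page: it puts one rule into audit mode, adds an attack surface reduction-only exclusion, and reads the resulting state back so the change can be verified before it is broadened. The rule GUIDs are the ones in the table above; the executable path is a placeholder, and the numeric action codes are assumed from the `*-MpPreference` documentation.

```powershell
# Added example (not from the Microsoft docs page): stage an ASR rule in audit
# mode and add a narrow ASR-only exclusion, then verify with Get-MpPreference.
# Requires an elevated PowerShell session on a device running Defender Antivirus.

# Rule GUIDs copied from the page's table; only the ones touched here are listed.
$AsrRules = @{
    'c1db55ab-c21a-4637-bb3f-a12568109d35' = 'Use advanced protection against ransomware'
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from LSASS'
}

# Assumed action codes returned by Get-MpPreference for each rule:
# 0 = Disabled, 1 = Block, 2 = AuditMode, 6 = Warn.
$ActionName = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'AuditMode'; 6 = 'Warn' }

function Set-AsrRuleAudit {
    param([Parameter(Mandatory)][string]$RuleId)
    # Audit first: the rule records what it would have blocked without blocking,
    # which is how the page recommends testing a rule that is over-detecting.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId `
                     -AttackSurfaceReductionRules_Actions AuditMode
}

function Add-AsrExclusion {
    param([Parameter(Mandatory)][string]$Path)
    # ASR-only exclusion: keep it to a single full executable path rather than a
    # folder or wildcard, because excluded files run with no event recorded.
    Add-MpPreference -AttackSurfaceReductionOnlyExclusions $Path
}

function Get-AsrState {
    # Reads the configured rule list and pairs each GUID with its action code.
    $p    = Get-MpPreference
    $ids  = @($p.AttackSurfaceReductionRules_Ids | Where-Object { $_ })
    $acts = @($p.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        $name = '(not in local table)'
        if ($AsrRules.ContainsKey($ids[$i])) { $name = $AsrRules[$ids[$i]] }
        [pscustomobject]@{
            RuleId = $ids[$i]
            Name   = $name
            Action = $ActionName[[int]$acts[$i]]
        }
    }
    # Exclusions are reported on their own row so a review sees them together.
    [pscustomobject]@{
        RuleId = '(exclusions)'
        Name   = ($p.AttackSurfaceReductionOnlyExclusions -join '; ')
        Action = ''
    }
}

Set-AsrRuleAudit -RuleId 'c1db55ab-c21a-4637-bb3f-a12568109d35'
Add-AsrExclusion -Path 'C:\Program Files\LOBApp\lob.exe'   # placeholder path
Get-AsrState | Format-Table -AutoSize
```

`Add-MpPreference` appends to the existing rule and exclusion lists, so running the block twice is harmless; `Set-MpPreference` with the same parameters would replace the whole list. Review the `Get-AsrState` output against your intended policy before switching the rule from `AuditMode` to `Block`.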
security Customize Controlled Folders https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/customize-controlled-folders.md
You can use the Windows Security app, Group Policy, PowerShell cmdlets, or mobil
2. Right-click the Group Policy Object you want to configure, and then select **Edit**.
-3. In your **Group Policy Management Editor**, go to **Computer configuration** > **Policies** > **Administrative templates**.
+3. In your **Group Policy Management Editor**, go to **Computer configuration** \> **Policies** \> **Administrative templates**.
-4. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Windows Defender Exploit Guard** > **Controlled folder access**. <br/>**NOTE**: On older versions of Windows, you might see **Windows Defender Antivirus** instead of **Microsoft Defender Antivirus**.
+4. Expand the tree to **Windows components** \> **Microsoft Defender Antivirus** \> **Windows Defender Exploit Guard** \> **Controlled folder access**. <br/>**NOTE**: On older versions of Windows, you might see **Windows Defender Antivirus** instead of **Microsoft Defender Antivirus**.
5. Double-click **Configured protected folders**, and then set the option to **Enabled**. Select **Show**, and specify each folder that you want to protect.
An allowed application or service only has write access to a controlled folder a
2. In the **Group Policy Management Editor**, go to **Computer configuration** and select **Administrative templates**.
-3. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Windows Defender Exploit Guard** > **Controlled folder access**.
+3. Expand the tree to **Windows components** \> **Microsoft Defender Antivirus** \> **Windows Defender Exploit Guard** \> **Controlled folder access**.
4. Double-click the **Configure allowed applications** setting and set the option to **Enabled**. Select **Show** and enter each app.
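The same controlled folder access configuration that the Group Policy steps above describe, together with the event review described under the event-ID table, can be scripted for a single device. This is an added example, not code from the Microsoft docs page or from Microsoft: it turns the feature on in audit mode, adds a protected folder and an allowed application, reads the configuration back, and summarizes the 1123, 1124 and 5007 events from the Defender operational log. Folder and application paths are placeholders, and the numeric mode values are assumed from the `Set-MpPreference` documentation.

```powershell
# Added example (not from the Microsoft docs page): roll out controlled folder
# access in audit mode with PowerShell and review the resulting events.
# Requires an elevated session on Windows 10 1709+ or Windows Server 2019.

$ProtectedFolders = @('D:\Finance\Reports')              # placeholder path
$AllowedApps      = @('C:\Program Files\LOBApp\lob.exe') # placeholder app

# Assumed mode values reported by Get-MpPreference.EnableControlledFolderAccess.
$ModeName = @{ 0 = 'Disabled'; 1 = 'Enabled'; 2 = 'AuditMode' }

# Event IDs from the page's table.
$EventKind = @{ 1123 = 'Blocked'; 1124 = 'Audited'; 5007 = 'SettingsChanged' }

function Enable-CfaAudit {
    # Audit mode writes 1124 events for what would be blocked, without blocking,
    # so the impact on line-of-business apps can be measured first.
    Set-MpPreference -EnableControlledFolderAccess AuditMode
}

function Add-CfaScope {
    param([string[]]$Folders, [string[]]$Apps)
    # Windows system folders stay protected by default; these are additions.
    Add-MpPreference -ControlledFolderAccessProtectedFolders $Folders
    # Allowed apps get write access to protected folders. Scripting engines such
    # as PowerShell are never trusted, so listing them here has no effect.
    Add-MpPreference -ControlledFolderAccessAllowedApplications $Apps
}

function Get-CfaState {
    $p    = Get-MpPreference
    $mode = $ModeName[[int]$p.EnableControlledFolderAccess]
    if (-not $mode) { $mode = "Other ($($p.EnableControlledFolderAccess))" }
    [pscustomobject]@{
        Mode             = $mode
        ProtectedFolders = $p.ControlledFolderAccessProtectedFolders
        AllowedApps      = $p.ControlledFolderAccessAllowedApplications
    }
}

function Get-CfaEvents {
    param([int]$Days = 7)
    # Pull the controlled folder access events from the Defender operational log.
    # -ErrorAction SilentlyContinue: Get-WinEvent reports an error when no events match.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1123, 1124, 5007
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id,
        @{ n = 'Kind';    e = { $EventKind[[int]$_.Id] } },
        @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
}

Enable-CfaAudit
Add-CfaScope -Folders $ProtectedFolders -Apps $AllowedApps
Get-CfaState
# Count of audited versus blocked events over the last week; a high Audited
# count for a legitimate app means it belongs in the allowed list before
# switching the mode from AuditMode to Enabled.
Get-CfaEvents -Days 7 | Group-Object Kind | Select-Object Name, Count
```

Each 1124 event names the process that would have been blocked; resolve those by adding the executable with `Add-MpPreference -ControlledFolderAccessAllowedApplications`, then switch to `Set-MpPreference -EnableControlledFolderAccess Enabled` once the audit log is quiet.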
security Customize Exploit Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/customize-exploit-protection.md
audience: ITPro
-+ ms.technology: mde
ms.technology: mde
> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-assignaccess-abovefoldlink)

Exploit protection automatically applies a number of exploit mitigation techniques on both the operating system processes and on individual apps. Configure these settings using the Windows Security app on an individual device. Then, export the configuration as an XML file so you can deploy to other devices. Use Group Policy to distribute the XML file to multiple devices at once. You can also configure the mitigations with PowerShell.
The **Use default** configuration for each of the mitigation settings indicates
For the associated PowerShell cmdlets for each mitigation, see the [PowerShell reference table](#cmdlets-table) at the bottom of this article.
-| Mitigation | Description | Can be applied to | Audit mode available |
-| - | -- | -- | -- |
-| Control flow guard (CFG) | Ensures control flow integrity for indirect calls. Can optionally suppress exports and use strict CFG. | System and app-level | No |
-| Data Execution Prevention (DEP) | Prevents code from being run from data-only memory pages such as the heap and stacks. Only configurable for 32-bit (x86) apps, permanently enabled for all other architectures. Can optionally enable ATL thunk emulation. | System and app-level | No |
-| Force randomization for images (Mandatory ASLR) | Forcibly relocates images not compiled with /DYNAMICBASE. Can optionally fail loading images that don't have relocation information. | System and app-level | No |
-| Randomize memory allocations (Bottom-Up ASLR) | Randomizes locations for virtual memory allocations. It includes system structure heaps, stacks, TEBs, and PEBs. Can optionally use a wider randomization variance for 64-bit processes. | System and app-level | No |
-| Validate exception chains (SEHOP) | Ensures the integrity of an exception chain during exception dispatch. Only configurable for 32-bit (x86) applications. | System and app-level | No |
-| Validate heap integrity | Terminates a process when heap corruption is detected. | System and app-level | No |
-| Arbitrary code guard (ACG) | Prevents the introduction of non-image-backed executable code and prevents code pages from being modified. Can optionally allow thread opt-out and allow remote downgrade (configurable only with PowerShell). | App-level only | Yes |
-| Block low integrity images | Prevents the loading of images marked with Low Integrity. | App-level only | Yes |
-| Block remote images | Prevents loading of images from remote devices. | App-level only | No |
-| Block untrusted fonts | Prevents loading any GDI-based fonts not installed in the system fonts directory, notably fonts from the web. | App-level only | Yes |
-| Code integrity guard | Restricts loading of images signed by Microsoft, WHQL, or higher. Can optionally allow Microsoft Store signed images. | App-level only | Yes |
-| Disable extension points | Disables various extensibility mechanisms that allow DLL injection into all processes, such as AppInit DLLs, window hooks, and Winsock service providers. | App-level only | No |
-| Disable Win32k system calls | Prevents an app from using the Win32k system call table. | App-level only | Yes |
-| Don't allow child processes | Prevents an app from creating child processes. | App-level only | Yes |
-| Export address filtering (EAF) | Detects dangerous operations being resolved by malicious code. Can optionally validate access by modules commonly used by exploits. | App-level only | Yes |
-| Import address filtering (IAF) | Detects dangerous operations being resolved by malicious code. | App-level only | Yes |
-| Simulate execution (SimExec) | Ensures that calls to sensitive APIs return to legitimate callers. Only configurable for 32-bit (x86) applications. Not compatible with ACG. | App-level only | Yes |
-| Validate API invocation (CallerCheck) | Ensures that sensitive APIs are invoked by legitimate callers. Only configurable for 32-bit (x86) applications. Not compatible with ACG | App-level only | Yes |
-| Validate handle usage | Causes an exception to be raised on any invalid handle references. | App-level only | No |
-| Validate image dependency integrity | Enforces code signing for Windows image dependency loading. | App-level only | No |
-| Validate stack integrity (StackPivot) | Ensures that the stack hasn't been redirected for sensitive APIs. Not compatible with ACG. | App-level only | Yes |
-
+|Mitigation|Description|Can be applied to|Audit mode available|
+|||||
+|Control flow guard (CFG)|Ensures control flow integrity for indirect calls. Can optionally suppress exports and use strict CFG.|System and app-level|No|
+|Data Execution Prevention (DEP)|Prevents code from being run from data-only memory pages such as the heap and stacks. Only configurable for 32-bit (x86) apps, permanently enabled for all other architectures. Can optionally enable ATL thunk emulation.|System and app-level|No|
+|Force randomization for images (Mandatory ASLR)|Forcibly relocates images not compiled with /DYNAMICBASE. Can optionally fail loading images that don't have relocation information.|System and app-level|No|
+|Randomize memory allocations (Bottom-Up ASLR)|Randomizes locations for virtual memory allocations. It includes system structure heaps, stacks, TEBs, and PEBs. Can optionally use a wider randomization variance for 64-bit processes.|System and app-level|No|
+|Validate exception chains (SEHOP)|Ensures the integrity of an exception chain during exception dispatch. Only configurable for 32-bit (x86) applications.|System and app-level|No|
+|Validate heap integrity|Terminates a process when heap corruption is detected.|System and app-level|No|
+|Arbitrary code guard (ACG)|Prevents the introduction of non-image-backed executable code and prevents code pages from being modified. Can optionally allow thread opt-out and allow remote downgrade (configurable only with PowerShell).|App-level only|Yes|
+|Block low integrity images|Prevents the loading of images marked with Low Integrity.|App-level only|Yes|
+|Block remote images|Prevents loading of images from remote devices.|App-level only|No|
+|Block untrusted fonts|Prevents loading any GDI-based fonts not installed in the system fonts directory, notably fonts from the web.|App-level only|Yes|
+|Code integrity guard|Restricts loading of images signed by Microsoft, WHQL, or higher. Can optionally allow Microsoft Store signed images.|App-level only|Yes|
+|Disable extension points|Disables various extensibility mechanisms that allow DLL injection into all processes, such as AppInit DLLs, window hooks, and Winsock service providers.|App-level only|No|
+|Disable Win32k system calls|Prevents an app from using the Win32k system call table.|App-level only|Yes|
+|Don't allow child processes|Prevents an app from creating child processes.|App-level only|Yes|
+|Export address filtering (EAF)|Detects dangerous operations being resolved by malicious code. Can optionally validate access by modules commonly used by exploits.|App-level only|Yes|
+|Import address filtering (IAF)|Detects dangerous operations being resolved by malicious code.|App-level only|Yes|
+|Simulate execution (SimExec)|Ensures that calls to sensitive APIs return to legitimate callers. Only configurable for 32-bit (x86) applications. Not compatible with ACG.|App-level only|Yes|
+|Validate API invocation (CallerCheck)|Ensures that sensitive APIs are invoked by legitimate callers. Only configurable for 32-bit (x86) applications. Not compatible with ACG|App-level only|Yes|
+|Validate handle usage|Causes an exception to be raised on any invalid handle references.|App-level only|No|
+|Validate image dependency integrity|Enforces code signing for Windows image dependency loading.|App-level only|No|
+|Validate stack integrity (StackPivot)|Ensures that the stack hasn't been redirected for sensitive APIs. Not compatible with ACG.|App-level only|Yes|
> [!IMPORTANT]
> If you add an app to the **Program settings** section and configure individual mitigation settings there, they will be honored above the configuration for the same mitigations specified in the **System settings** section. The following matrix and examples help to illustrate how defaults work:
>
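Review bot: the CallerCheck row in the rewritten table ends "Not compatible with ACG" without the trailing period that the SimExec and StackPivot rows carry; since this hunk rewrites every row, make the three "Not compatible with ACG." sentences consistent. The EAF and IAF rows also share the identical description "Detects dangerous operations being resolved by malicious code.", which gives the reader no way to tell the two mitigations apart; a clause naming the export versus import address table each one filters would make the table usable on its own.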
-> | Enabled in **Program settings** | Enabled in **System settings** | Behavior |
-> | - | | -- |
-> | Yes | No | As defined in **Program settings** |
-> | Yes | Yes | As defined in **Program settings** |
-> | No | Yes | As defined in **System settings** |
-> | No | Yes | Default as defined in **Use default** option |
->
+> |Enabled in **Program settings**|Enabled in **System settings**|Behavior|
+> ||||
+> |Yes|No|As defined in **Program settings**|
+> |Yes|Yes|As defined in **Program settings**|
+> |No|Yes|As defined in **System settings**|
+> |No|Yes|Default as defined in **Use default** option|
> >
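Review bot: the last two rows of the precedence matrix both read `|No|Yes|` yet give different behaviors ("As defined in **System settings**" versus "Default as defined in **Use default** option"), so the table cannot be read consistently; the fourth row presumably covers the case where the mitigation is enabled in neither place. Since the hunk rewrites the whole table anyway, suggest `> |No|No|Default as defined in **Use default** option|` for the last row.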
-> * **Example 1**
+> - **Example 1**
>
> Mikael configures **Data Execution Prevention (DEP)** in the **System settings** section to be **Off by default**.
>
For the associated PowerShell cmdlets for each mitigation, see the [PowerShell r
> The result will be that DEP will be enabled only for *test.exe*. All other apps will not have DEP applied.
>
-> * **Example 2**
+> - **Example 2**
>
> Josie configures **Data Execution Prevention (DEP)** in the **System settings** section to be **Off by default**.
>
For the associated PowerShell cmdlets for each mitigation, see the [PowerShell r
2. Select the **App & browser control** tile (or the app icon on the left menu bar) and then select **Exploit protection**.
3. Under the **System settings** section, find the mitigation you want to configure and select one of the following. Apps that aren't configured individually in the **Program settings** section will use the settings configured here:
- * **On by default** - The mitigation is *enabled* for apps that don't have this mitigation set in the app-specific **Program settings** section
- * **Off by default** - The mitigation is *disabled* for apps that don't have this mitigation set in the app-specific **Program settings** section
- * **Use default** - The mitigation is either enabled or disabled, depending on the default configuration that is set up by Windows 10 installation; the default value (**On** or **Off**) is always specified next to the **Use default** label for each mitigation
+ - **On by default** - The mitigation is *enabled* for apps that don't have this mitigation set in the app-specific **Program settings** section
+ - **Off by default** - The mitigation is *disabled* for apps that don't have this mitigation set in the app-specific **Program settings** section
+ - **Use default** - The mitigation is either enabled or disabled, depending on the default configuration that is set up by Windows 10 installation; the default value (**On** or **Off**) is always specified next to the **Use default** label for each mitigation
> [!NOTE]
> You may see a User Account Control window when changing some settings. Enter administrator credentials to apply the setting.
For the associated PowerShell cmdlets for each mitigation, see the [PowerShell r
1. If the app you want to configure is already listed, select it and then select **Edit**.
2. If the app isn't listed, at the top of the list select **Add program to customize** and then choose how you want to add the app:
- * Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location.
- * Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want.
+ - Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location.
+ - Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want.
6. After selecting the app, you'll see a list of all the mitigations that can be applied. To enable the mitigation, select the check box and then change the slider to **On**. Select any additional options. Choosing **Audit** will apply the mitigation in audit mode only. You will be notified if you need to restart the process or app, or if you need to restart Windows.
Set-ProcessMitigation -<scope> <app executable> -<action> <mitigation or options
Where:
-* \<Scope>:
- * `-Name` to indicate the mitigations should be applied to a specific app. Specify the app's executable after this flag.
- * `-System` to indicate the mitigation should be applied at the system level
-- \<Action>:
- * `-Enable` to enable the mitigation
- * `-Disable` to disable the mitigation
-* \<Mitigation>:
- * The mitigation's cmdlet as defined in the [mitigation cmdlets table](#cmdlets-table) below, along with any suboptions (surrounded with spaces). Each mitigation is separated with a comma.
+- \<Scope\>:
+ - `-Name` to indicate the mitigations should be applied to a specific app. Specify the app's executable after this flag.
+ - `-System` to indicate the mitigation should be applied at the system level
+- \<Action\>:
+ - `-Enable` to enable the mitigation
+ - `-Disable` to disable the mitigation
+- \<Mitigation\>:
+ - The mitigation's cmdlet as defined in the [mitigation cmdlets table](#cmdlets-table) below, along with any suboptions (surrounded with spaces). Each mitigation is separated with a comma.
For example, to enable the Data Execution Prevention (DEP) mitigation with ATL thunk emulation and for an executable called *testing.exe* in the folder *C:\Apps\LOB\tests*, and to prevent that executable from creating child processes, you'd use the following command:
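The command the preceding sentence describes, with a verification step and an audit-mode variant, as an added example that is not code from the Microsoft docs page. It uses the scope, action and mitigation tokens defined above and the *testing.exe* path named in the text. The property names read from the `Get-ProcessMitigation` output (`DEP.Enable`, `ChildProcess.DisallowChildProcessCreation`, `ChildProcess.Audit`) are assumed from that cmdlet's display format and may need adjusting on your build.

```powershell
# Added example (not from the Microsoft docs page): apply, audit and verify
# per-app exploit protection mitigations for one executable.
# Requires an elevated PowerShell session.

# Path from the page's example; change to the executable you are hardening.
$Target = 'C:\Apps\LOB\tests\testing.exe'

function Set-LobMitigations {
    # DEP with ATL thunk emulation, and no child processes, for this app only.
    # Mitigations are comma-separated; suboptions such as EmulateAtlThunks are
    # listed alongside the mitigation they refine.
    Set-ProcessMitigation -Name $Target -Enable DEP, EmulateAtlThunks, DisallowChildProcessCreation
}

function Set-LobMitigationsAudit {
    # Same intent, but the child-process mitigation only logs (AuditChildProcess
    # from the cmdlets table) so a line-of-business app can be observed first.
    Set-ProcessMitigation -Name $Target -Enable DEP, EmulateAtlThunks, AuditChildProcess
}

function Get-LobMitigationState {
    # Read back the app-level configuration; property names are assumed from
    # the Get-ProcessMitigation output sections "DEP" and "ChildProcess".
    $m = Get-ProcessMitigation -Name $Target
    [pscustomobject]@{
        Executable          = $Target
        DepEnable           = $m.DEP.Enable
        DepEmulateAtlThunks = $m.DEP.EmulateAtlThunks
        NoChildProcess      = $m.ChildProcess.DisallowChildProcessCreation
        AuditChildProcess   = $m.ChildProcess.Audit
    }
}

function Export-MitigationConfig {
    param([string]$Path = "$env:TEMP\ProcessMitigation.xml")
    # Export the device's effective configuration to XML, which is the file the
    # text says to distribute to other devices with Group Policy.
    Get-ProcessMitigation -RegistryConfigFilePath $Path
    return $Path
}

Set-LobMitigations
Get-LobMitigationState
Export-MitigationConfig
```

A process that is already running keeps its old mitigation set until it is restarted, so check `Get-LobMitigationState` after relaunching the app rather than immediately after `Set-ProcessMitigation`.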
This table lists the PowerShell cmdlets (and associated audit mode cmdlet) that
<a id="cmdlets-table"></a>
-| Mitigation | Applies to | PowerShell cmdlets | Audit mode cmdlet |
-| - | - | | -- |
-| Control flow guard (CFG) | System and app-level | CFG, StrictCFG, SuppressExports | Audit not available |
-| Data Execution Prevention (DEP) | System and app-level | DEP, EmulateAtlThunks | Audit not available |
-| Force randomization for images (Mandatory ASLR) | System and app-level | ForceRelocateImages | Audit not available |
-| Randomize memory allocations (Bottom-Up ASLR) | System and app-level | BottomUp, HighEntropy | Audit not available |
-| Validate exception chains (SEHOP) | System and app-level | SEHOP, SEHOPTelemetry | Audit not available |
-| Validate heap integrity | System and app-level | TerminateOnError | Audit not available |
-| Arbitrary code guard (ACG) | App-level only | DynamicCode | AuditDynamicCode |
-| Block low integrity images | App-level only | BlockLowLabel | AuditImageLoad |
-| Block remote images | App-level only | BlockRemoteImages | Audit not available |
-| Block untrusted fonts | App-level only | DisableNonSystemFonts | AuditFont, FontAuditOnly |
-| Code integrity guard | App-level only | BlockNonMicrosoftSigned, AllowStoreSigned | AuditMicrosoftSigned, AuditStoreSigned |
-| Disable extension points | App-level only | ExtensionPoint | Audit not available |
-| Disable Win32k system calls | App-level only | DisableWin32kSystemCalls | AuditSystemCall |
-| Do not allow child processes | App-level only | DisallowChildProcessCreation | AuditChildProcess |
-| Export address filtering (EAF) | App-level only | EnableExportAddressFilterPlus, EnableExportAddressFilter <a href="#r1" id="t1">\[1\]</a> | Audit not available<a href="#r2" id="t2">\[2\]</a> |
-| Import address filtering (IAF) | App-level only | EnableImportAddressFilter | Audit not available<a href="#r2" id="t2">\[2\]</a> |
-| Simulate execution (SimExec) | App-level only | EnableRopSimExec | Audit not available<a href="#r2" id="t2">\[2\]</a> |
-| Validate API invocation (CallerCheck) | App-level only | EnableRopCallerCheck | Audit not available<a href="#r2" id="t2">\[2\]</a> |
-| Validate handle usage | App-level only | StrictHandle | Audit not available |
-| Validate image dependency integrity | App-level only | EnforceModuleDepencySigning | Audit not available |
-| Validate stack integrity (StackPivot) | App-level only | EnableRopStackPivot | Audit not available<a href="#r2" id="t2">\[2\]</a> |
+|Mitigation|Applies to|PowerShell cmdlets|Audit mode cmdlet|
+|||||
+|Control flow guard (CFG)|System and app-level|CFG, StrictCFG, SuppressExports|Audit not available|
+|Data Execution Prevention (DEP)|System and app-level|DEP, EmulateAtlThunks|Audit not available|
+|Force randomization for images (Mandatory ASLR)|System and app-level|ForceRelocateImages|Audit not available|
+|Randomize memory allocations (Bottom-Up ASLR)|System and app-level|BottomUp, HighEntropy|Audit not available|
+|Validate exception chains (SEHOP)|System and app-level|SEHOP, SEHOPTelemetry|Audit not available|
+|Validate heap integrity|System and app-level|TerminateOnError|Audit not available|
+|Arbitrary code guard (ACG)|App-level only|DynamicCode|AuditDynamicCode|
+|Block low integrity images|App-level only|BlockLowLabel|AuditImageLoad|
+|Block remote images|App-level only|BlockRemoteImages|Audit not available|
+|Block untrusted fonts|App-level only|DisableNonSystemFonts|AuditFont, FontAuditOnly|
+|Code integrity guard|App-level only|BlockNonMicrosoftSigned, AllowStoreSigned|AuditMicrosoftSigned, AuditStoreSigned|
+|Disable extension points|App-level only|ExtensionPoint|Audit not available|
+|Disable Win32k system calls|App-level only|DisableWin32kSystemCalls|AuditSystemCall|
+|Do not allow child processes|App-level only|DisallowChildProcessCreation|AuditChildProcess|
+|Export address filtering (EAF)|App-level only|EnableExportAddressFilterPlus, EnableExportAddressFilter <a href="#r1" id="t1">\[1\]</a>|Audit not available<a href="#r2" id="t2">\[2\]</a>|
+|Import address filtering (IAF)|App-level only|EnableImportAddressFilter|Audit not available<a href="#r2" id="t2">\[2\]</a>|
+|Simulate execution (SimExec)|App-level only|EnableRopSimExec|Audit not available<a href="#r2" id="t2">\[2\]</a>|
+|Validate API invocation (CallerCheck)|App-level only|EnableRopCallerCheck|Audit not available<a href="#r2" id="t2">\[2\]</a>|
+|Validate handle usage|App-level only|StrictHandle|Audit not available|
+|Validate image dependency integrity|App-level only|EnforceModuleDepencySigning|Audit not available|
+|Validate stack integrity (StackPivot)|App-level only|EnableRopStackPivot|Audit not available<a href="#r2" id="t2">\[2\]</a>|
<a href="#t1" id="r1">\[1\]</a>: Use the following format to enable EAF modules for dlls for a process:
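Review bot: the `<a href="#r2" id="t2">` back-reference anchor is repeated on five rows of the rewritten table (EAF, IAF, SimExec, CallerCheck, StackPivot), so `id="t2"` is no longer unique and the return link from footnote \[2\] can only reach the first of them; give each occurrence its own id or drop the per-row back-links and keep only the forward link. In the "Validate image dependency integrity" row the cmdlet token is carried over as `EnforceModuleDepencySigning` while the mitigation name spells "dependency"; verify the token against the cmdlet's own output before copying it verbatim into the new table, since readers paste these tokens into `Set-ProcessMitigation`.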
Set-ProcessMitigation -Name processName.exe -Enable EnableExportAddressFilterPlu
For more information about customizing the notification when a rule is triggered and blocks an app or file, see [Windows Security](/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center).
-## See also:
+## See also
-* [Protect devices from exploits](exploit-protection.md)
-* [Evaluate exploit protection](evaluate-exploit-protection.md)
-* [Enable exploit protection](enable-exploit-protection.md)
-* [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md)
+- [Protect devices from exploits](exploit-protection.md)
+- [Evaluate exploit protection](evaluate-exploit-protection.md)
+- [Enable exploit protection](enable-exploit-protection.md)
+- [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md)
security Data Collection Analyzer https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/data-collection-analyzer.md
ms.localizationpriority: medium audience: ITPro--- M365-security-compliance -- m365initiative-m365-defender +
+- M365-security-compliance
+- m365initiative-m365-defender
ms.technology: m365d
-# Data collection for advanced troubleshooting on Windows
+# Data collection for advanced troubleshooting on Windows
**Applies to:** - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-When collaborating with Microsoft support professionals, you may be asked to use
-the client analyzer to collect data for troubleshooting of more complex
-scenarios. The analyzer script supports other parameters for that purpose
-and can collect a specific log set based on the observed symptoms that need to
-be investigated.
+When collaborating with Microsoft support professionals, you may be asked to use the client analyzer to collect data for troubleshooting of more complex scenarios. The analyzer script supports other parameters for that purpose and can collect a specific log set based on the observed symptoms that need to be investigated.
-Run '**MDEClientAnalyzer.cmd /?**' to see the list of available
-parameters and their description:
+Run '**MDEClientAnalyzer.cmd /?**' to see the list of available parameters and their description:
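Review bot: commands are wrapped in quotes plus bold (`'**MDEClientAnalyzer.cmd /?**'`) rather than code formatting, which makes the surrounding quote marks look like part of the syntax; use inline code, `MDEClientAnalyzer.cmd /?`, here and for `RemoteMDEClientAnalyzer.cmd` later in the article so the reader copies exactly what should be typed.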
![Image of client analyzer parameters in command line](images/d89a1c04cf8441e4df72005879871bd0.png) > [!NOTE]
-> When any advanced troubleshooting parameter is used, the analyzer also calls
-into [MpCmdRun.exe](/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data-update-compliance)
-to collect Microsoft Defender Antivirus related support logs.
-
-**-h** - Calls into [Windows Performance
-Recorder](/windows-hardware/test/wpt/wpr-command-line-options)
-to collect a verbose general performance trace in addition to the standard
-log set.
-
-**-l** - Calls into built-in [Windows Performance
-Monitor](/windows-server/remote/remote-desktop-services/rds-rdsh-performance-counters)
-to collect a lightweight perfmon trace. This may be useful when diagnosing slow
-performance degradation issues that occur over time but hard to reproduce on
-demand.
-
-**-c** - Calls into [process
-monitor](/sysinternals/downloads/procmon) for advanced
-monitoring of real-time file system, registry, and process/thread activity. This
-is especially useful when troubleshooting various application compatibility
-scenarios.
-
-**-i** - Calls into built-in
-[netsh.exe](/windows/win32/winsock/netsh-exe) command
-to start a network and windows firewall trace that is useful when
-troubleshooting various network-related issues.
-
-**-b** - Same as '-c' but the process monitor trace will be initiated during next
-boot and stopped only when the -b is used again.
-
-**-a** - Calls into [Windows Performance
-Recorder](/windows-hardware/test/wpt/wpr-command-line-options)
-to collect a verbose performance trace specific to analysis of high CPU
-issues related to the antivirus process (MsMpEng.exe).
-
-**-v** - Uses antivirus [MpCmdRun.exe command line
-argument](/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus)
-with most verbose -trace flags.
-
-**-t** - Starts verbose trace of all client-side components relevant to Endpoint
-DLP. This is useful for scenarios where [DLP
-actions](/microsoft-365/compliance/endpoint-dlp-learn-about#endpoint-activities-you-can-monitor-and-take-action-on) are not happening as expected for files.
-
-**-q** - Calls into DLPDiagnose.ps1 script from the analyzer 'Tools' directory
-that validates the basic configuration and requirements for Endpoint DLP.
-
-**-d** - Collects a memory dump of MsSense**S**.exe (the sensor process on Windows
-Server 2016 or older OS) and related processes.
-\* This flag can be used in conjunction with above mentioned flags.
-\*\* Capturing a memory dump of [PPL protected
-processes](/windows-hardware/drivers/install/early-launch-antimalware)
-such as MsSense.exe or MsMpEng.exe is not supported by the analyzer at this
-time.
-
-**-z** - Configures registry keys on the machine to prepare it for full machine
-memory dump collection via
-[CrashOnCtrlScroll](/windows-hardware/drivers/debugger/forcing-a-system-crash-from-the-keyboard).
-This would be useful for analysis of computer freeze issues.
+> When any advanced troubleshooting parameter is used, the analyzer also calls into [MpCmdRun.exe](/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data-update-compliance) to collect Microsoft Defender Antivirus related support logs.
+
+**-h** - Calls into [Windows Performance Recorder](/windows-hardware/test/wpt/wpr-command-line-options) to collect a verbose general performance trace in addition to the standard log set.
+
+**-l** - Calls into built-in [Windows Performance Monitor](/windows-server/remote/remote-desktop-services/rds-rdsh-performance-counters) to collect a lightweight perfmon trace. This may be useful when diagnosing slow performance degradation issues that occur over time but hard to reproduce on demand.
+
+**-c** - Calls into [process monitor](/sysinternals/downloads/procmon) for advanced monitoring of real-time file system, registry, and process/thread activity. This is especially useful when troubleshooting various application compatibility scenarios.
+
+**-i** - Calls into built-in [netsh.exe](/windows/win32/winsock/netsh-exe) command to start a network and windows firewall trace that is useful when troubleshooting various network-related issues.
+
+**-b** - Same as '-c' but the process monitor trace will be initiated during next boot and stopped only when the -b is used again.
+
+**-a** - Calls into [Windows Performance Recorder](/windows-hardware/test/wpt/wpr-command-line-options) to collect a verbose performance trace specific to analysis of high CPU issues related to the antivirus process (MsMpEng.exe).
+
+**-v** - Uses antivirus [MpCmdRun.exe command line argument](/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus) with most verbose -trace flags.
+
+**-t** - Starts verbose trace of all client-side components relevant to Endpoint DLP. This is useful for scenarios where [DLP actions](/microsoft-365/compliance/endpoint-dlp-learn-about#endpoint-activities-you-can-monitor-and-take-action-on) are not happening as expected for files.
+
+**-q** - Calls into DLPDiagnose.ps1 script from the analyzer 'Tools' directory that validates the basic configuration and requirements for Endpoint DLP.
+
+**-d** - Collects a memory dump of MsSense**S**.exe (the sensor process on Windows Server 2016 or older OS) and related processes.
+
+- \* This flag can be used in conjunction with above mentioned flags.
+- \*\* Capturing a memory dump of [PPL protected processes](/windows-hardware/drivers/install/early-launch-antimalware) such as MsSense.exe or MsMpEng.exe is not supported by the analyzer at this time.
+
+**-z** - Configures registry keys on the machine to prepare it for full machine memory dump collection via [CrashOnCtrlScroll](/windows-hardware/drivers/debugger/forcing-a-system-crash-from-the-keyboard). This would be useful for analysis of computer freeze issues.
+ \* Hold down the rightmost CTRL key, then press the SCROLL LOCK key twice.
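Review bot: the key-chord footnote on the last line of the hunk is neither blank-line separated from the -z paragraph nor a list item, so Markdown folds it into the previous sentence; the -d footnotes just above were converted to `- \*` list items, so do the same here for consistency (`- \* Hold down the rightmost CTRL key, then press the SCROLL LOCK key twice.`). The -z entry also says the switch configures registry keys for CrashOnCtrlScroll but not that the change persists after the data is collected; add a sentence telling the reader to revert those keys once the dump is captured, since a keyboard chord that bug-checks the machine is not something to leave enabled on a production endpoint. Minor: `MsSense**S**.exe` puts bold markup inside a file name; write `MsSenseS.exe` in code font and explain the name in prose if the S needs emphasis, and "above mentioned" should be "above-mentioned".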
-**-k** - Uses
-[NotMyFault](/sysinternals/downloads/notmyfault) tool
-to force the system to crash and generate a machine memory dump. This would be
-useful for analysis of various OS stability issues.
+**-k** - Uses [NotMyFault](/sysinternals/downloads/notmyfault) tool to force the system to crash and generate a machine memory dump. This would be useful for analysis of various OS stability issues.
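Review bot: the -k description states that the tool forces a crash but never says what that means for the device (an immediate bug check and reboot, and loss of anything unsaved); add a sentence saying to run it only when the machine can be taken offline and with the memory-dump configuration already in place, otherwise the crash produces no usable dump. "Uses NotMyFault tool" also needs an article: "Uses the NotMyFault tool".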
-The analyzer and all the above scenario flags can be initiated remotely by
-running 'RemoteMDEClientAnalyzer.cmd', which is also bundled into the
-analyzer toolset:
+The analyzer and all the above scenario flags can be initiated remotely by running 'RemoteMDEClientAnalyzer.cmd', which is also bundled into the analyzer toolset:
![Image of commandline with analyzer information](images/57cab9d82d08f672a92bf9e748ac9572.png)
->[!NOTE]
-> - When using RemoteMDEClientAnalyzer.cmd it calls into psexec to download the
- tool from the configured file share and then run it locally via PsExec.exe.
- The CMD script uses '-r' flag to specify that it is running remotely within
- SYSTEM context and so no prompt to the user will be presented.
->- That same flag can be used with MDEClientAnalyzer.cmd to avoid a prompt to
- user that requests to specify the number of minutes for data collection. For
- example:
- **MDEClientAnalyzer.cmd -r -i -m 5**
-> <br> **-r** - Indicates that tool is being run from remote (or
- non-interactive context)
- **-i** - Scenario flag for collection of network trace along with other
- related logs
- **-m** \# - The number of minutes to run (5 minutes in the above example)
+> [!NOTE]
+>
+> - When using RemoteMDEClientAnalyzer.cmd it calls into psexec to download the tool from the configured file share and then run it locally via PsExec.exe.
+ The CMD script uses '-r' flag to specify that it is running remotely within SYSTEM context and so no prompt to the user will be presented.
+> - That same flag can be used with MDEClientAnalyzer.cmd to avoid a prompt to user that requests to specify the number of minutes for data collection. For example:
+>
+> **MDEClientAnalyzer.cmd -r -i -m 5**
+>
+> - **-r** - Indicates that tool is being run from remote (or non-interactive context)
+> - **-i** - Scenario flag for collection of network trace along with other related logs
+> - **-m** \# - The number of minutes to run (5 minutes in the above example)
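Review bot: the continuation line "The CMD script uses '-r' flag ..." is the only line in the callout without a `>` prefix, so it survives only as a lazy continuation; prefix it with `> ` and indent it under the bullet, otherwise any later edit that inserts a blank line will break the NOTE box in two. While here, the sentence "it calls into psexec to download the tool from the configured file share and then run it locally via PsExec.exe" describes a binary fetched from a share and executed as SYSTEM, so the documentation should say that the share must be writable only by the administrators who stage the analyzer; as written a reader could point the script at any share. Also use code formatting for `MDEClientAnalyzer.cmd -r -i -m 5` instead of bold, and "'-r' flag" should read "the -r flag".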
security Data Retention Settings https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/data-retention-settings.md
After completing the onboarding, you can verify your selection in the data reten
During the [Set up phase](production-deployment.md), you would have selected the location to store your data.
-You can verify the data location by navigating to **Settings** > **Endpoints** > **Data retention** (under **General**).
+You can verify the data location by navigating to **Settings** \> **Endpoints** \> **Data retention** (under **General**).
## Update data retention settings You can update the data retention settings. By default, the retention period is 180 days.
-1. In the navigation pane, select **Settings** > **Endpoints** > **Data retention** (under **General**).
+1. In the navigation pane, select **Settings** \> **Endpoints** \> **Data retention** (under **General**).
2. Select the data retention duration from the drop-down list.
security Defender Compatibility https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/defender-compatibility.md
Title: Antivirus solution compatibility with Defender for Endpoint
-description: Learn about how Windows Defender works with Microsoft Defender for Endpoint and how it functions when a third-party antimalware client is used.
+description: Learn about how Windows Defender works with Microsoft Defender for Endpoint. Also learn how Defender for Endpoint works when a third-party anti-malware client is used.
keywords: windows defender compatibility, defender, Microsoft Defender for Endpoint, defender for endpoint, antivirus, mde search.product: eADQiWindows 10XVcnh search.appverid: met150
ms.technology: mde
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) - > Want to experience Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-defendercompat-abovefoldlink) The Microsoft Defender for Endpoint agent depends on Microsoft Defender Antivirus for some capabilities such as file scanning.
->[!IMPORTANT]
->Defender for Endpoint does not adhere to the Microsoft Defender Antivirus Exclusions settings.
+> [!IMPORTANT]
+> Defender for Endpoint does not adhere to the Microsoft Defender Antivirus Exclusions settings.
-You must configure Security intelligence updates on the Defender for Endpoint devices whether Microsoft Defender Antivirus is the active antimalware or not. For more information, see [Manage Microsoft Defender Antivirus updates and apply baselines](manage-updates-baselines-microsoft-defender-antivirus.md).
+You must configure Security intelligence updates on the Defender for Endpoint devices whether Microsoft Defender Antivirus is the active anti-malware or not. For more information, see [Manage Microsoft Defender Antivirus updates and apply baselines](manage-updates-baselines-microsoft-defender-antivirus.md).
-If an onboarded device is protected by a third-party antimalware client, Microsoft Defender Antivirus on that endpoint will enter into passive mode.
+If an onboarded device is protected by a third-party anti-malware client, Microsoft Defender Antivirus on that endpoint will enter into passive mode.
-Microsoft Defender Antivirus will continue to receive updates, and the *mspeng.exe* process will be listed as a running a service, but it will not perform scans and will not replace the running third-party antimalware client.
+Microsoft Defender Antivirus will continue to receive updates, and the *mspeng.exe* process will be listed as a running a service. But, it won't perform scans and doesn't replace the running third-party anti-malware client.
-The Microsoft Defender Antivirus interface will be disabled, and users on the device will not be able to use Microsoft Defender Antivirus to perform on-demand scans or configure most options.
+The Microsoft Defender Antivirus interface will be disabled. Users on the device won't be able to use Microsoft Defender Antivirus to perform on-demand scans or configure most options.
For more information, see the [Microsoft Defender Antivirus and Defender for Endpoint compatibility topic](microsoft-defender-antivirus-compatibility.md).
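Review bot: the rewritten line keeps the doubled article from the old text, "will be listed as a running a service"; change it to "will be listed as a running service". In the same line, "But, it won't perform scans" should not have a comma after "But" (or better, join it back to the previous sentence with "but"). The rest of the hunk (anti-malware hyphenation, callout spacing) looks fine, but note that other articles in this batch still use "antimalware", so the term is now inconsistent across the set.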
security Defender Endpoint False Positives Negatives https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/defender-endpoint-false-positives-negatives.md
Alerts can be classified as false positives or true positives in Microsoft 365 D
2. Select **Alerts queue**, and then select an alert.
-3. For the selected alert, select **Actions** > **Manage alert**. A flyout pane opens.
+3. For the selected alert, select **Actions** \> **Manage alert**. A flyout pane opens.
4. In the **Manage alert** section, select either **True alert** or **False alert**. (Use **False alert** to classify a false positive.)
After you have reviewed your alerts, your next step is to [review remediation ac
- [Restore a quarantined file from the Action Center](#restore-a-quarantined-file-from-the-action-center) - [Undo multiple actions at one time](#undo-multiple-actions-at-one-time)-- [Remove a file from quarantine across multiple devices](#remove-a-file-from-quarantine-across-multiple-devices). and
+- [Remove a file from quarantine across multiple devices](#remove-a-file-from-quarantine-across-multiple-devices). and
- [Restore file from quarantine](#restore-file-from-quarantine) When you're done reviewing and undoing actions that were taken as a result of false positives, proceed to [review or define exclusions](#part-3-review-or-define-exclusions).
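Review bot: the added list item ends in ". and" (`...across-multiple-devices). and`), which renders as a stray period followed by a dangling conjunction; since the following item "Restore file from quarantine" is the last in the list, this should be `...across-multiple-devices), and` or the "and" dropped entirely and the list left as plain bullets.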
In general, you should not need to define exclusions for Microsoft Defender Anti
1. Go to the Microsoft Endpoint Manager admin center (<https://endpoint.microsoft.com>) and sign in.
-2. Choose **Endpoint security** > **Antivirus**, and then select an existing policy. (If you don't have an existing policy, or you want to create a new policy, skip to [the next procedure](#use-microsoft-endpoint-manager-to-create-a-new-antivirus-policy-with-exclusions)).
+2. Choose **Endpoint security** \> **Antivirus**, and then select an existing policy. (If you don't have an existing policy, or you want to create a new policy, skip to [the next procedure](#use-microsoft-endpoint-manager-to-create-a-new-antivirus-policy-with-exclusions)).
3. Choose **Properties**, and next to **Configuration settings**, choose **Edit**.
In general, you should not need to define exclusions for Microsoft Defender Anti
1. Go to the Microsoft Endpoint Manager admin center (<https://endpoint.microsoft.com>) and sign in.
-2. Choose **Endpoint security** > **Antivirus** > **+ Create Policy**.
+2. Choose **Endpoint security** \> **Antivirus** \> **+ Create Policy**.
3. Select a platform (such as **Windows 10 and later**, **macOS**, or **Windows 10 and Windows Server**).
We recommend using [Microsoft Endpoint Manager](/mem/endpoint-manager-overview)
1. Go to the Microsoft Endpoint Manager admin center (<https://endpoint.microsoft.com>) and sign in.
-2. Choose **Endpoint security** > **Antivirus** and then select an existing policy. (If you don't have an existing policy, or you want to create a new policy, skip to [the next procedure](#use-microsoft-endpoint-manager-to-set-cloud-delivered-protection-settings-for-a-new-policy)).
+2. Choose **Endpoint security** \> **Antivirus** and then select an existing policy. (If you don't have an existing policy, or you want to create a new policy, skip to [the next procedure](#use-microsoft-endpoint-manager-to-set-cloud-delivered-protection-settings-for-a-new-policy)).
3. Under **Manage**, select **Properties**. Then, next to **Configuration settings**, choose **Edit**.
We recommend using [Microsoft Endpoint Manager](/mem/endpoint-manager-overview)
1. Go to the Microsoft Endpoint Manager admin center (<https://endpoint.microsoft.com>) and sign in.
-2. Choose **Endpoint security** > **Antivirus** > **+ Create policy**.
+2. Choose **Endpoint security** \> **Antivirus** \> **+ Create policy**.
3. For **Platform**, select an option, and then for **Profile**, select **Antivirus** or **Microsoft Defender Antivirus** (the specific option depends on what you selected for **Platform**.) Then choose **Create**.
We recommend using [Microsoft Endpoint Manager](/mem/endpoint-manager-overview)
1. Go to the Microsoft Endpoint Manager admin center (<https://endpoint.microsoft.com>) and sign in.
-2. Choose **Devices** > **Configuration profiles**, and then select an existing policy. (If you don't have an existing policy, or you want to create a new policy, skip to [the next procedure](#use-microsoft-endpoint-manager-to-set-pua-protection-for-a-new-configuration-profile).)
+2. Choose **Devices** \> **Configuration profiles**, and then select an existing policy. (If you don't have an existing policy, or you want to create a new policy, skip to [the next procedure](#use-microsoft-endpoint-manager-to-set-pua-protection-for-a-new-configuration-profile).)
3. Under **Manage**, choose **Properties**, and then, next to **Configuration settings**, choose **Edit**.
We recommend using [Microsoft Endpoint Manager](/mem/endpoint-manager-overview)
1. Go to the Microsoft Endpoint Manager admin center (<https://endpoint.microsoft.com>) and sign in.
-2. Choose **Devices** > **Configuration profiles** > **+ Create profile**.
+2. Choose **Devices** \> **Configuration profiles** \> **+ Create profile**.
3. For the **Platform**, choose **Windows 10 and later**, and for **Profile**, select **Device restrictions**.
security Deploy Manage Report Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/deploy-manage-report-microsoft-defender-antivirus.md
Last updated 09/03/2018-+ ms.technology: mde
You'll also see additional links for:
> [!IMPORTANT] > In most cases, Windows 10 will disable Microsoft Defender Antivirus if it finds another antivirus product that is running and up-to-date. You must disable or uninstall third-party antivirus products before Microsoft Defender Antivirus will function. If you re-enable or install third-party antivirus products, then Windows 10 automatically disables Microsoft Defender Antivirus.
-Tool|Deployment options (<a href="#fn2" id="ref2">2</a>)|Management options (network-wide configuration and policy or baseline deployment) ([3](#fn3))|Reporting options
-|||
-Microsoft Intune|[Add endpoint protection settings in Intune](/intune/endpoint-protection-configure)|[Configure device restriction settings in Intune](/intune/device-restrictions-configure)| [Use the Intune console to manage devices](/intune/device-management)
-Microsoft Endpoint Manager ([1](#fn1))|Use the [Endpoint Protection point site system role][] and [enable Endpoint Protection with custom client settings][]|With [default and customized antimalware policies][] and [client management][]|With the default [Configuration Manager Monitoring workspace][] and [email alerts][]
+Tool|Deployment options (<a href="#fn2" id="ref2">2</a>)|Management options (network-wide configuration and policy or baseline deployment) ([3](#fn3))|Reporting options
+|||
+Microsoft Intune|[Add endpoint protection settings in Intune](/intune/endpoint-protection-configure)|[Configure device restriction settings in Intune](/intune/device-restrictions-configure)| [Use the Intune console to manage devices](/intune/device-management)
+Microsoft Endpoint Manager ([1](#fn1))|Use the [Endpoint Protection point site system role][] and [enable Endpoint Protection with custom client settings][]|With [default and customized antimalware policies][] and [client management][]|With the default [Configuration Manager Monitoring workspace][] and [email alerts][]
Group Policy and Active Directory (domain-joined)|Use a Group Policy Object to deploy configuration changes and ensure Microsoft Defender Antivirus is enabled.|Use Group Policy Objects (GPOs) to [Configure update options for Microsoft Defender Antivirus][] and [Configure Windows Defender features][]|Endpoint reporting is not available with Group Policy. You can generate a list of [Group Policies to determine if any settings or policies are not applied][] PowerShell|Deploy with Group Policy, Microsoft Endpoint Configuration Manager, or manually on individual endpoints.|Use the [Set-MpPreference] and [Update-MpSignature] cmdlets available in the Defender module.|Use the appropriate [Get- cmdlets available in the Defender module][] Windows Management Instrumentation|Deploy with Group Policy, Microsoft Endpoint Configuration Manager, or manually on individual endpoints.|Use the [Set method of the MSFT_MpPreference class][] and the [Update method of the MSFT_MpSignature class][]|Use the [MSFT_MpComputerStatus][] class and the get method of associated classes in the [Windows Defender WMIv2 Provider][] Microsoft Azure|Deploy Microsoft Antimalware for Azure in the [Azure portal, by using Visual Studio virtual machine configuration, or using Azure PowerShell cmdlets](/azure/security/azure-security-antimalware#antimalware-deployment-scenarios). 
You can also [Install Endpoint protection in Azure Defender*](/azure/security-center/security-center-install-endpoint-protection)|Configure [Microsoft Antimalware for Virtual Machines and Cloud Services with Azure PowerShell cmdlets](/azure/security/azure-security-antimalware#enable-and-configure-antimalware-using-powershell-cmdlets) or [use code samples](https://gallery.technet.microsoft.com/Antimalware-For-Azure-5ce70efe)|Use [Microsoft Antimalware for Virtual Machines and Cloud Services with Azure PowerShell cmdlets](/azure/security/azure-security-antimalware#enable-and-configure-antimalware-using-powershell-cmdlets) to enable monitoring. You can also review usage reports in Azure Active Directory to determine suspicious activity, including the [Possibly infected devices][] report and configure an SIEM tool to report on [Microsoft Defender Antivirus events][] and add that tool as an app in AAD. 1. <span id="fn1" />The availability of some functions and features, especially related to cloud-delivered protection, differ between Microsoft Endpoint Manager (Current Branch) and System Center 2012 Configuration Manager. In this library, we've focused on Windows 10, Windows Server 2016, and Microsoft Endpoint Manager (Current Branch). See [Use Microsoft cloud-provided protection in Microsoft Defender Antivirus](cloud-protection-microsoft-defender-antivirus.md) for a table that describes the major differences. [(Return to table)](#ref2)
-
+ 2. <span id="fn2" />In Windows 10, Microsoft Defender Antivirus is a component available without installation or deployment of an additional client or service. It will automatically be enabled when third-party antivirus products are either uninstalled or out of date ([except on Windows Server 2016](microsoft-defender-antivirus-on-windows-server.md)). Traditional deployment therefore is not required. Deployment here refers to ensuring the Microsoft Defender Antivirus component is available and enabled on endpoints or servers. [(Return to table)](#ref2) 3. <span id="fn3" />Configuration of features and protection, including configuring product and protection updates, are further described in the [Configure Microsoft Defender Antivirus features](configure-notifications-microsoft-defender-antivirus.md) section in this library. [(Return to table)](#ref2)
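Review bot: the "(Return to table)" links on the added footnotes 2 and 3, and on footnote 1 in the context line above, all point to `#ref2`, but the table defines only that one anchor (`id="ref2"` in the Deployment options header); footnote 1 is referenced from the Microsoft Endpoint Manager row as a plain `[1](#fn1)` with no `id="ref1"`, and footnote 3 as `[3](#fn3)` with no `id="ref3"`. Either add `id="ref1"` and `id="ref3"` at those references and retarget the return links, or make all three return links go to the table heading. Also, footnotes 2 and 3 land on one physical line here; put each numbered footnote on its own line so the list renders as three items.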
Microsoft Azure|Deploy Microsoft Antimalware for Azure in the [Azure portal, by
[email alerts]: /configmgr/protect/deploy-use/endpoint-configure-alerts [Deploy the Microsoft Intune client to endpoints]: /intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune [custom Intune policy]: /intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune#configure-microsoft-intune-endpoint-protection
- [custom Intune policy]: /intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune#configure-microsoft-intune-endpoint-protection
+ [custom Intune policy]: /intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune#configure-microsoft-intune-endpoint-protection
[manage tasks]: /intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune#choose-management-tasks-for-endpoint-protection [Monitor endpoint protection in the Microsoft Intune administration console]: /intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune#monitor-endpoint-protection [Set method of the MSFT_MpPreference class]: /previous-versions/windows/desktop/defender/set-msft-mppreference
Microsoft Azure|Deploy Microsoft Antimalware for Azure in the [Azure portal, by
Topic | Description |
-[Deploy and enable Microsoft Defender Antivirus protection](deploy-microsoft-defender-antivirus.md) | While the client is installed as a core part of Windows 10, and traditional deployment does not apply, you will still need to enable the client on your endpoints with Microsoft Endpoint Configuration Manager, Microsoft Intune, or Group Policy Objects.
+[Deploy and enable Microsoft Defender Antivirus protection](deploy-microsoft-defender-antivirus.md) | While the client is installed as a core part of Windows 10, and traditional deployment does not apply, you will still need to enable the client on your endpoints with Microsoft Endpoint Configuration Manager, Microsoft Intune, or Group Policy Objects.
[Manage Microsoft Defender Antivirus updates and apply baselines](manage-updates-baselines-microsoft-defender-antivirus.md) | There are two parts to updating Microsoft Defender Antivirus: updating the client on endpoints (product updates), and updating Security intelligence (protection updates). You can update Security intelligence in a number of ways, using Microsoft Endpoint Configuration Manager, Group Policy, PowerShell, and WMI. [Monitor and report on Microsoft Defender Antivirus protection](report-monitor-microsoft-defender-antivirus.md) | You can use Microsoft Intune, Microsoft Endpoint Configuration Manager, the Update Compliance add-in for Microsoft Operations Management Suite, or a third-party SIEM product (by consuming Windows event logs) to monitor protection status and create reports about endpoint protection.
security Deployment Phases https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/deployment-phases.md
localization_priority: Normal audience: ITPro-+ - M365-security-compliance - m365solution-endpointprotect - m365solution-overview
ms.technology: mde
> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-assignaccess-abovefoldlink)
-Learn how to deploy Microsoft Defender for Endpoint so that your enterprise can take advantage of preventative protection, post-breach detection, automated investigation, and response.
-
+Learn how to deploy Microsoft Defender for Endpoint so that your enterprise can take advantage of preventative protection, post-breach detection, automated investigation, and response.
This guide helps you work across stakeholders to prepare your environment and then onboard devices in a methodical way, moving from evaluation, to a meaningful pilot, to full deployment.
Each section corresponds to a separate article in this solution.
![Image of deployment phases with details from table](images/deployment-guide-phases.png) - ![Summary of deployment phases: prepare, setup, onboard](images/phase-diagrams/deployment-phases.png)
-|Phase | Description |
-|:-|:--|
-| [Phase 1: Prepare](prepare-deployment.md)| Learn about what you need to consider when deploying Defender for Endpoint such as stakeholder approvals, environment considerations, access permissions, and adoption order of capabilities.
-| [Phase 2: Setup](production-deployment.md)| Get guidance on the initial steps you need to take so that you can access the portal such as validating licensing, completing the setup wizard, and network configuration.
-| [Phase 3: Onboard](onboarding.md) | Learn how to make use of deployment rings, supported onboarding tools based on the type of endpoint, and configuring available capabilities.
--
-After you've completed this guide, you'll be setup with the right access permissions, your endpoints will be onboarded and reporting sensor data to the service, and capabilities such as next-generation protection and attack surface reduction will be in place.
---
-Regardless of the environment architecture and method of deployment you choose outlined in the [Plan deployment](deployment-strategy.md) guidance, this guide is going to support you in onboarding endpoints.
---
+<br>
+****
+|Phase|Description|
+|||
+|[Phase 1: Prepare](prepare-deployment.md)|Learn about what you need to consider when deploying Defender for Endpoint such as stakeholder approvals, environment considerations, access permissions, and adoption order of capabilities.|
+|[Phase 2: Setup](production-deployment.md)|Get guidance on the initial steps you need to take so that you can access the portal such as validating licensing, completing the set up wizard, and network configuration.|
+|[Phase 3: Onboard](onboarding.md)|Learn how to make use of deployment rings, supported onboarding tools based on the type of endpoint, and configuring available capabilities.|
+|
+After you've completed this guide, you'll be set up with the right access permissions, your endpoints will be onboarded and reporting sensor data to the service, and capabilities such as next-generation protection and attack surface reduction will be in place.
+Regardless of the environment architecture and method of deployment you choose outlined in the [Plan deployment](deployment-strategy.md) guidance, this guide is going to support you in onboarding endpoints.
## Key capabilities While Microsoft Defender for Endpoint provides many capabilities, the primary purpose of this deployment guide is to get you started by onboarding devices. In addition to onboarding, this guidance gets you started with the following capabilities.
+<br>
+****
-Capability | Description
-:|:
-Endpoint detection and response | Endpoint detection and response capabilities are put in place to detect, investigate, and respond to intrusion attempts and active breaches.
-Next-generation protection | To further reinforce the security perimeter of your network, Microsoft Defender for Endpoint uses next-generation protection designed to catch all types of emerging threats.
-Attack surface reduction | Provide the first line of defense in the stack. By ensuring configuration settings are properly set and exploit mitigation techniques are applied, these set of capabilities resist attacks and exploitation.
+|Capability|Description|
+|||
+|Endpoint detection and response|Endpoint detection and response capabilities are put in place to detect, investigate, and respond to intrusion attempts and active breaches.|
+|Next-generation protection|To further reinforce the security perimeter of your network, Microsoft Defender for Endpoint uses next-generation protection designed to catch all types of emerging threats.|
+|Attack surface reduction|Provide the first line of defense in the stack. By ensuring the configuration settings are properly set and the exploit mitigation techniques are applied, these capabilities resist attacks and exploitation.|
+|
All these capabilities are available for Microsoft Defender for Endpoint license holders. For more information, see [Licensing requirements](minimum-requirements.md#licensing-requirements).
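Review bot: the Phase 2 row changes `completing the setup wizard` to `completing the set up wizard`, which is a regression: as a noun "setup" is one word (the verb form is correctly fixed in `you'll be set up with the right access permissions`), so restore `setup wizard`. Also, as shown here the two paragraphs `After you've completed this guide...` and `Regardless of the environment architecture...` follow each other with no blank line; if that matches the committed file, Markdown will render them as a single paragraph, so keep the blank line the old version had between them.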
All these capabilities are available for Microsoft Defender for Endpoint license
### In scope -- Use of Microsoft Endpoint Manager and Microsoft Endpoint Manager to onboard endpoints into the service and configure capabilities--- Enabling Defender for Endpoint endpoint detection and response (EDR) capabilities--- Enabling Defender for Endpoint endpoint protection platform (EPP)
- capabilities
-
- - Next-generation protection
-
- - Attack surface reduction
-
+- Use of Microsoft Endpoint Manager and Microsoft Endpoint Manager to onboard endpoints into the service and configure capabilities
+- Enabling Defender for Endpoint endpoint detection and response (EDR) capabilities
+- Enabling Defender for Endpoint endpoint protection platform (EPP) capabilities
+ - Next-generation protection
+ - Attack surface reduction
### Out of scope The following are out of scope of this deployment guide: -- Configuration of third-party solutions that might integrate with Defender for Endpoint--- Penetration testing in production environment---
+- Configuration of third-party solutions that might integrate with Defender for Endpoint
+- Penetration testing in production environment
## See also+ - [Phase 1: Prepare](prepare-deployment.md) - [Phase 2: Set up](production-deployment.md) - [Phase 3: Onboard](onboarding.md)-- [Plan deployment](deployment-strategy.md)
+- [Plan deployment](deployment-strategy.md)
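Review bot: the first In scope bullet, `Use of Microsoft Endpoint Manager and Microsoft Endpoint Manager to onboard endpoints`, names the same product twice, in both the old and the reflowed line; the deployment-tool tables elsewhere in this commit list Microsoft Endpoint Manager and Microsoft Endpoint Configuration Manager as separate tools, so the second name is presumably meant to be Microsoft Endpoint Configuration Manager. While the list is being reflowed, `Penetration testing in production environment` wants an article (`in a production environment`), and the See also entry `Phase 2: Set up` disagrees with the table's `Phase 2: Setup`.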
security Deployment Rings https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/deployment-rings.md
localization_priority: Normal audience: ITPro-+ - M365-security-compliance - m365solution-endpointprotect - m365solution-overview
ms.technology: mde
> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-assignaccess-abovefoldlink)
-Deploying Microsoft Defender for Endpoint can be done using a ring-based deployment approach.
+Deploying Microsoft Defender for Endpoint can be done using a ring-based deployment approach.
The deployment rings can be applied in the following scenarios:+ - [New deployments](#new-deployments) - [Existing deployments](#existing-deployments)
The deployment rings can be applied in the following scenarios:
![Image of deployment rings](images/deployment-rings.png) - A ring-based approach is a method of identifying a set of endpoints to onboard and verifying that certain criteria is met before proceeding to deploy the service to a larger set of devices. You can define the exit criteria for each ring and ensure that they are satisfied before moving on to the next ring.
-Adopting a ring-based deployment helps reduce potential issues that could arise while rolling out the service. By piloting a certain number of devices first, you can identify potential issues and mitigate potential risks that might arise.
+Adopting a ring-based deployment helps reduce potential issues that could arise while rolling out the service. By piloting a certain number of devices first, you can identify potential issues and mitigate potential risks that might arise.
Table 1 provides an example of the deployment rings you might use.
-**Table 1**
+**Table 1**:
+
+<br>
-|Deployment ring|Description
+****
+
+|Deployment ring|Description|
|||
-Evaluate | Ring 1: Identify 50 systems for pilot testing
-Pilot | Ring 2: Identify the next 50-100 endpoints in production environment
-Full deployment | Ring 3: Roll out service to the rest of environment in larger increments
+|Evaluate|Ring 1: Identify 50 systems for pilot testing|
+|Pilot|Ring 2: Identify the next 50-100 endpoints in production environment|
+|Full deployment|Ring 3: Roll out service to the rest of environment in larger increments|
+|
### Exit criteria
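Review bot: `verifying that certain criteria is met` in the ring-based approach paragraph should read `criteria are met` (criteria is plural); since this hunk already reworks the neighbouring lines it is worth folding in. The lone `|` line that closes Table 1 is not standard pipe-table syntax; confirm the docs renderer drops it rather than emitting a stray pipe, and keep the `<br>` / `****` spacer pattern consistent across the other tables changed in this file.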
Identify a small number of test machines in your environment to onboard to the s
Microsoft Defender for Endpoint supports a variety of endpoints that you can onboard to the service. In this ring, identify several devices to onboard and based on the exit criteria you define, decide to proceed to the next deployment ring.
-The following table shows the supported endpoints and the corresponding tool you can use to onboard devices to the service.
+The following table shows the supported endpoints and the corresponding tool you can use to onboard devices to the service.
+
+<br>
-| Endpoint | Deployment tool |
-|--||
-| **Windows** | [Local script (up to 10 devices)](configure-endpoints-script.md) <br> NOTE: If you want to deploy more than 10 devices in a production environment, use the Group Policy method instead or the other supported tools listed below.<br> [Group Policy](configure-endpoints-gp.md) <br> [Microsoft Endpoint Manager/ Mobile Device Manager](configure-endpoints-mdm.md) <br> [Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md) <br> [VDI scripts](configure-endpoints-vdi.md) <br> [Integration with Azure Defender](configure-server-endpoints.md#integration-with-azure-defender) |
-| **macOS** | [Local script](mac-install-manually.md) <br> [Microsoft Endpoint Manager](mac-install-with-intune.md) <br> [JAMF Pro](mac-install-with-jamf.md) <br> [Mobile Device Management](mac-install-with-other-mdm.md) |
-| **Linux Server** | [Local script](linux-install-manually.md) <br> [Puppet](linux-install-with-puppet.md) <br> [Ansible](linux-install-with-ansible.md)|
-| **iOS** | [App-based](ios-install.md) |
-| **Android** | [Microsoft Endpoint Manager](android-intune.md) |
+****
+
+|Endpoint|Deployment tool|
+|||
+|**Windows**|[Local script (up to 10 devices)](configure-endpoints-script.md) <p> **NOTE**: If you want to deploy more than 10 devices in a production environment, use the Group Policy method instead or the other supported tools listed below. <p> [Group Policy](configure-endpoints-gp.md) <p> [Microsoft Endpoint Manager/ Mobile Device Manager](configure-endpoints-mdm.md) <p> [Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md) <p> [VDI scripts](configure-endpoints-vdi.md) <p> [Integration with Azure Defender](configure-server-endpoints.md#integration-with-azure-defender)|
+|**macOS**|[Local script](mac-install-manually.md) <p> [Microsoft Endpoint Manager](mac-install-with-intune.md) <p> [JAMF Pro](mac-install-with-jamf.md) <p> [Mobile Device Management](mac-install-with-other-mdm.md)|
+|**Linux Server**|[Local script](linux-install-manually.md) <p> [Puppet](linux-install-with-puppet.md) <p> [Ansible](linux-install-with-ansible.md)|
+|**iOS**|[App-based](ios-install.md)|
+|**Android**|[Microsoft Endpoint Manager](android-intune.md)|
+|
### Full deployment
-At this stage, you can use the [Plan deployment](deployment-strategy.md) material to help you plan your deployment.
+At this stage, you can use the [Plan deployment](deployment-strategy.md) material to help you plan your deployment.
Use the following material to select the appropriate Microsoft Defender for Endpoint architecture that best suites your organization.
-|**Item**|**Description**|
-|:--|:--|
-|[![Thumb image for Microsoft Defender for Endpoint deployment strategy](images/mdatp-deployment-strategy.png)](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/security/defender-endpoint/downloads/mdatp-deployment-strategy.pdf)<br/> [PDF](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/security/defender-endpoint/downloads/mdatp-deployment-strategy.pdf) \| [Visio](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/security/defender-endpoint/downloads/mdatp-deployment-strategy.vsdx) | The architectural material helps you plan your deployment for the following architectures: <ul><li> Cloud-native </li><li> Co-management </li><li> On-premise</li><li>Evaluation and local onboarding</li></ul>
+<br>
+
+****
+
+|Item|Description|
+|||
+|[![Thumb image for Microsoft Defender for Endpoint deployment strategy](images/mdatp-deployment-strategy.png)](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/security/defender-endpoint/downloads/mdatp-deployment-strategy.pdf)<br/> [PDF](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/security/defender-endpoint/downloads/mdatp-deployment-strategy.pdf) \|[Visio](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/security/defender-endpoint/downloads/mdatp-deployment-strategy.vsdx)|The architectural material helps you plan your deployment for the following architectures: <ul><li> Cloud-native </li><li> Co-management </li><li> On-premise</li><li>Evaluation and local onboarding</li></ul>|
## Existing deployments
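Review bot: the context line `the appropriate Microsoft Defender for Endpoint architecture that best suites your organization`, sitting between the two reworked tables, keeps the typo `suites` (should be `suits`); the same sentence is touched again in deployment-strategy.md later in this commit, so fix both. In the Item table the link separator lost its space: `[PDF](...) \|[Visio](...)` was `\| [Visio]` before and now renders as `PDF |Visio`; restore the space.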
security Deployment Strategy https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/deployment-strategy.md
ms.technology: mde
-# Plan your Microsoft Defender for Endpoint deployment
+# Plan your Microsoft Defender for Endpoint deployment
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
This solution provides guidance on how to identify your environment architecture
![Image of deployment flow](images/deployment-guide-plan.png) - ## Step 1: Identify architecture+ We understand that every enterprise environment is unique, so we've provided several options to give you the flexibility in choosing how to deploy the service.
-Depending on your environment, some tools are better suited for certain architectures.
+Depending on your environment, some tools are better suited for certain architectures.
Use the following material to select the appropriate Defender for Endpoint architecture that best suites your organization.
-| Item | Description |
-|:--|:--|
-|[![Thumb image for Defender for Endpoint deployment strategy](images/mdatp-deployment-strategy.png)](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/security/defender-endpoint/downloads/mdatp-deployment-strategy.pdf)<br/> [PDF](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/security/defender-endpoint/downloads/mdatp-deployment-strategy.pdf) \| [Visio](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/security/defender-endpoint/downloads/mdatp-deployment-strategy.vsdx) | The architectural material helps you plan your deployment for the following architectures: <ul><li> Cloud-native </li><li> Co-management </li><li> On-premise</li><li>Evaluation and local onboarding</li>
+|Item|Description|
+|||
+|[![Thumb image for Defender for Endpoint deployment strategy](images/mdatp-deployment-strategy.png)](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/security/defender-endpoint/downloads/mdatp-deployment-strategy.pdf) <br> [PDF](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/security/defender-endpoint/downloads/mdatp-deployment-strategy.pdf) \|[Visio](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/security/defender-endpoint/downloads/mdatp-deployment-strategy.vsdx)|The architectural material helps you plan your deployment for the following architectures: <ul><li>Cloud-native</li><li>Co-management</li><li>On-premise</li><li>Evaluation and local onboarding</li></ul>|
## Step 2: Select deployment method
-Defender for Endpoint supports a variety of endpoints that you can onboard to the service.
-
-The following table lists the supported endpoints and the corresponding deployment tool that you can use so that you can plan the deployment appropriately.
-| Endpoint | Deployment tool |
-|--||
-| **Windows** | [Local script (up to 10 devices)](configure-endpoints-script.md) <br> [Group Policy](configure-endpoints-gp.md) <br> [Microsoft Endpoint Manager/ Mobile Device Manager](configure-endpoints-mdm.md) <br> [Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md) <br> [VDI scripts](configure-endpoints-vdi.md) <br> [Integration with Azure Defender](configure-server-endpoints.md#integration-with-azure-defender) |
-| **macOS** | [Local script](mac-install-manually.md) <br> [Microsoft Endpoint Manager](mac-install-with-intune.md) <br> [JAMF Pro](mac-install-with-jamf.md) <br> [Mobile Device Management](mac-install-with-other-mdm.md) |
-| **Linux Server** | [Local script](linux-install-manually.md) <br> [Puppet](linux-install-with-puppet.md) <br> [Ansible](linux-install-with-ansible.md)|
-| **iOS** | [App-based](ios-install.md) |
-| **Android** | [Microsoft Endpoint Manager](android-intune.md) |
+Defender for Endpoint supports a variety of endpoints that you can onboard to the service.
+The following table lists the supported endpoints and the corresponding deployment tool that you can use so that you can plan the deployment appropriately.
+|Endpoint|Deployment tool|
+|||
+|**Windows**|[Local script (up to 10 devices)](configure-endpoints-script.md) <br> [Group Policy](configure-endpoints-gp.md) <br> [Microsoft Endpoint Manager/ Mobile Device Manager](configure-endpoints-mdm.md) <br> [Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md) <br> [VDI scripts](configure-endpoints-vdi.md) <br> [Integration with Azure Defender](configure-server-endpoints.md#integration-with-azure-defender)|
+|**macOS**|[Local script](mac-install-manually.md) <br> [Microsoft Endpoint Manager](mac-install-with-intune.md) <br> [JAMF Pro](mac-install-with-jamf.md) <br> [Mobile Device Management](mac-install-with-other-mdm.md)|
+|**Linux Server**|[Local script](linux-install-manually.md) <br> [Puppet](linux-install-with-puppet.md) <br> [Ansible](linux-install-with-ansible.md)|
+|**iOS**|[App-based](ios-install.md)|
+|**Android**|[Microsoft Endpoint Manager](android-intune.md)|
## Step 3: Configure capabilities+ After onboarding endpoints, configure the security capabilities in Defender for Endpoint so that you can maximize the robust security protection available in the suite. Capabilities include: - Endpoint detection and response - Next-generation protection - Attack surface reduction -
-
## Related topics+ - [Deployment phases](deployment-phases.md)
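Review bot: in Step 2 the blank line between `Defender for Endpoint supports a variety of endpoints...` and `The following table lists the supported endpoints...` is removed, and the `|Endpoint|Deployment tool|` header now starts on the line directly after the second paragraph; if that is what is committed, Markdown joins the two sentences into one paragraph and the table may not be recognised as a table, so keep one blank line between the paragraphs and one before the table. The Step 1 table has the same two issues as in deployment-rings.md: `\|[Visio]` lost its space, and the context line `best suites your organization` should read `suits`.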
security Deployment Vdi Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/deployment-vdi-microsoft-defender-antivirus.md
In Windows 10, version 1903, we introduced the shared security intelligence feat
3. Click **Administrative templates**.
-4. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Security Intelligence Updates**.
+4. Expand the tree to **Windows components** \> **Microsoft Defender Antivirus** \> **Security Intelligence Updates**.
5. Double-click **Define security intelligence location for VDI clients**, and then set the option to **Enabled**. A field automatically appears.
Security intelligence packages are typically published once every three to four
1. On the management machine, open the Start menu and type **Task Scheduler**. Open it and select **Create task...** on the side panel.
-2. Enter the name as **Security intelligence unpacker**. Go to the **Trigger** tab. Select **New...** > **Daily**, and select **OK**.
+2. Enter the name as **Security intelligence unpacker**. Go to the **Trigger** tab. Select **New...** \> **Daily**, and select **OK**.
3. Go to the **Actions** tab. Select **New...** Enter **PowerShell** in the **Program/Script** field. Enter `-ExecutionPolicy Bypass c:\wdav-update\vdmdlunpack.ps1` in the **Add arguments** field. Select **OK**.
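Review bot: step 3 schedules PowerShell to run `c:\wdav-update\vdmdlunpack.ps1` daily with `-ExecutionPolicy Bypass`, but the procedure never states which account the task runs under or who may write to `c:\wdav-update`. Because whatever sits at that path executes on every daily trigger, add a sentence (before step 1 or after step 3) telling the reader to restrict write access on the folder to administrators and to run the task under a dedicated account with only the rights the unpack script needs, rather than an interactive admin session.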
See [Schedule scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md) f
You can specify the type of scan that should be performed during a scheduled scan. Quick scans are the preferred approach as they are designed to look in all places where malware needs to reside to be active. The following procedure describes how to set up quick scans using Group Policy.
-1. In your Group Policy Editor, go to **Administrative templates** > **Windows components** > **Microsoft Defender Antivirus** > **Scan**.
+1. In your Group Policy Editor, go to **Administrative templates** \> **Windows components** \> **Microsoft Defender Antivirus** \> **Scan**.
2. Select **Specify the scan type to use for a scheduled scan** and then edit the policy setting.
You can specify the type of scan that should be performed during a scheduled sca
Sometimes, Microsoft Defender Antivirus notifications may be sent to or persist across multiple sessions. In order to minimize this problem, you can lock down the Microsoft Defender Antivirus user interface. The following procedure describes how to suppress notifications with Group Policy.
-1. In your Group Policy Editor, go to **Windows components** > **Microsoft Defender Antivirus** > **Client Interface**.
+1. In your Group Policy Editor, go to **Windows components** \> **Microsoft Defender Antivirus** \> **Client Interface**.
2. Select **Suppress all notifications** and then edit the policy settings.
Disabling a scan after an update will prevent a scan from occurring after receiv
> [!IMPORTANT] > Running scans after an update will help ensure your VMs are protected with the latest Security intelligence updates. Disabling this option will reduce the protection level of your VMs and should only be used when first creating or deploying the base image.
-1. In your Group Policy Editor, go to **Windows components** > **Microsoft Defender Antivirus** > **Security Intelligence Updates**.
+1. In your Group Policy Editor, go to **Windows components** \> **Microsoft Defender Antivirus** \> **Security Intelligence Updates**.
2. Select **Turn on scan after security intelligence update** and then edit the policy setting.
This policy prevents a scan from running immediately after an update.
## Scan VMs that have been offline
-1. In your Group Policy Editor, go to to **Windows components** > **Microsoft Defender Antivirus** > **Scan**.
+1. In your Group Policy Editor, go to to **Windows components** \> **Microsoft Defender Antivirus** \> **Scan**.
2. Select **Turn on catch-up quick scan** and then edit the policy setting.
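Review bot: the rewritten step 1 under Scan VMs that have been offline still carries the doubled word in `go to to **Windows components**`; since the line is already being edited to escape the `>` separators, drop the duplicate `to` in the same change.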
This policy forces a scan if the VM has missed two or more consecutive scheduled
## Enable headless UI mode
-1. In your Group Policy Editor, go to **Windows components** > **Microsoft Defender Antivirus** > **Client Interface**.
+1. In your Group Policy Editor, go to **Windows components** \> **Microsoft Defender Antivirus** \> **Client Interface**.
2. Select **Enable headless UI mode** and edit the policy.
security Detect Block Potentially Unwanted Apps Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md
For System Center 2012 Configuration Manager, see [How to Deploy Potentially Unw
4. In the **Group Policy Management Editor**, go to **Computer configuration** and select **Administrative templates**.
-5. Expand the tree to **Windows Components** > **Microsoft Defender Antivirus**.
+5. Expand the tree to **Windows Components** \> **Microsoft Defender Antivirus**.
6. Double-click **Configure detection for potentially unwanted applications**.
security Device Control Removable Storage Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/device-control-removable-storage-protection.md
Microsoft Defender for Endpoint Device Control Removable Storage Protection allo
**** |Property Name|Applicable Policies|Applies to Operating Systems|Description|
-|||||
-|Device Class|- [How to control USB devices and other removable media using Microsoft Defender for Endpoint](control-usb-devices-using-intune.md)|Windows|For information about Device ID formats, see [device setup class](/windows-hardware/drivers/install/overview-of-device-setup-classes). The following two links provide the complete list of Device Setup Classes. ΓÇÿSystem UseΓÇÖ classes are mostly refer to devices that come with a computer/machine from the factory, while ΓÇÿVendorΓÇÖ classes are mostly refer to devices that could be connected to an existing computer/machine: [System-Defined Device Setup Classes Available to Vendors - Windows drivers](/windows-hardware/drivers/install/system-defined-device-setup-classes-available-to-vendors) and [System-Defined Device Setup Classes Reserved for System Use - Windows drivers](/windows-hardware/drivers/install/system-defined-device-setup-classes-reserved-for-system-use). **Note**: Device Installation can be applied to any devices, not only Removable storage.|
-|Primary ID|- [Removable storage Access Control](device-control-removable-storage-access-control.md)|Windows|The Primary ID includes removable storage and CD/DVD and Windows Portable Device/WPD.|
-|Device ID|- [Removable storage Access Control](device-control-removable-storage-access-control.md);</br>- [How to control USB devices and other removable media using Microsoft Defender for Endpoint](control-usb-devices-using-intune.md)|Windows|For information about Device ID formats, see [Standard USB Identifiers](/windows-hardware/drivers/install/standard-usb-identifiers), for example, USBSTOR\DISK&VEN_GENERIC&PROD_FLASH_DISK&REV_8.07|
-|Hardware ID|- [Removable storage Access Control](device-control-removable-storage-access-control.md);</br>- [How to control USB devices and other removable media using Microsoft Defender for Endpoint](control-usb-devices-using-intune.md)|Windows|A string identified the device in the system, for example, USBSTOR\DiskGeneric_Flash_Disk___8.07; **Note**: Hardware ID is not unique; different devices might share the same value.|
-|Instance ID|- [Removable storage Access Control](device-control-removable-storage-access-control.md);</br>- Device Installation|Windows|A string uniquely identifies the device in the system, for example, USBSTOR\DISK&VEN_GENERIC&PROD_FLASH_DISK&REV_8.07\8735B611&0|
-|Friendly Name|- [Removable storage Access Control](device-control-removable-storage-access-control.md)|Windows|A string attached to the device, for example, Generic Flash Disk USB Device|
-|Vendor ID / Product ID|- [Removable storage Access Control](device-control-removable-storage-access-control.md)|Windows <br/> macOS |Vendor ID is the four-digit vendor code that the USB committee assigns to the vendor. Product ID is the four-digit product code that the vendor assigns to the device; Support wildcard.|
-|Serial NumberId|- [Removable storage Access Control](device-control-removable-storage-access-control.md)|Windows <br/> macOS |For example, <SerialNumberId>002324B534BCB431B000058A</SerialNumberId>|
-
+|||||
+|Device Class|[How to control USB devices and other removable media using Microsoft Defender for Endpoint](control-usb-devices-using-intune.md)|Windows|For information about Device ID formats, see [device setup class](/windows-hardware/drivers/install/overview-of-device-setup-classes). The following two links provide the complete list of Device Setup Classes. ΓÇÿSystem UseΓÇÖ classes are mostly refer to devices that come with a computer/machine from the factory, while ΓÇÿVendorΓÇÖ classes are mostly refer to devices that could be connected to an existing computer/machine: [System-Defined Device Setup Classes Available to Vendors - Windows drivers](/windows-hardware/drivers/install/system-defined-device-setup-classes-available-to-vendors) and [System-Defined Device Setup Classes Reserved for System Use - Windows drivers](/windows-hardware/drivers/install/system-defined-device-setup-classes-reserved-for-system-use). **Note**: Device Installation can be applied to any devices, not only Removable storage.|
+|Primary ID|[Removable storage Access Control](device-control-removable-storage-access-control.md)|Windows|The Primary ID includes removable storage and CD/DVD and Windows Portable Device/WPD.|
+|Device ID|[Removable storage Access Control](device-control-removable-storage-access-control.md); <p> [How to control USB devices and other removable media using Microsoft Defender for Endpoint](control-usb-devices-using-intune.md)|Windows|For information about Device ID formats, see [Standard USB Identifiers](/windows-hardware/drivers/install/standard-usb-identifiers), for example, USBSTOR\DISK&VEN_GENERIC&PROD_FLASH_DISK&REV_8.07|
+|Hardware ID|[Removable storage Access Control](device-control-removable-storage-access-control.md) <p> [How to control USB devices and other removable media using Microsoft Defender for Endpoint](control-usb-devices-using-intune.md)|Windows|A string identified the device in the system, for example, USBSTOR\DiskGeneric_Flash_Disk___8.07; **Note**: Hardware ID is not unique; different devices might share the same value.|
+|Instance ID|[Removable storage Access Control](device-control-removable-storage-access-control.md) <p> Device Installation|Windows|A string uniquely identifies the device in the system, for example, USBSTOR\DISK&VEN_GENERIC&PROD_FLASH_DISK&REV_8.07\8735B611&0|
+|Friendly Name|[Removable storage Access Control](device-control-removable-storage-access-control.md)|Windows|A string attached to the device, for example, Generic Flash Disk USB Device|
+|Vendor ID / Product ID|[Removable storage Access Control](device-control-removable-storage-access-control.md)|Windows <p> macOS|Vendor ID is the four-digit vendor code that the USB committee assigns to the vendor. Product ID is the four-digit product code that the vendor assigns to the device; Support wildcard.|
+|Serial NumberId|[Removable storage Access Control](device-control-removable-storage-access-control.md)|Windows <p> macOS |For example, <SerialNumberId>002324B534BCB431B000058A</SerialNumberId>|
+|
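Review bot: the Serial NumberId row puts a raw XML element in the cell, `<SerialNumberId>002324B534BCB431B000058A</SerialNumberId>`; Markdown treats that as inline HTML, so the tag names are swallowed and only the value (or nothing) renders. Wrap the example in backticks. While these rows are being reworked: the Device Class cell still reads `ΓÇÿSystem UseΓÇÖ classes are mostly refer to devices` (mojibake quotes plus a clashing verb; use plain quotes and either `mostly refer to` or `mostly are`), the Hardware ID cell has `A string identified the device` (should be `A string that identifies the device`), and the Device ID cell keeps a trailing `;` before `<p>` that the other rows dropped.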
security Device Timeline Event Flag https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/device-timeline-event-flag.md
ms.technology: mde
Event flags in the Defender for Endpoint device timeline help you filter and organize specific events when you're investigate potential attacks.
-The Defender for Endpoint device timeline provides a chronological view of the events and associated alerts observed on a device. This list of events provides full visibility into any events, files, and IP addresses observed on the device. The list can sometimes be lengthy. Device timeline event flags help you track events that could be related.
+The Defender for Endpoint device timeline provides a chronological view of the events and associated alerts observed on a device. This list of events provides full visibility into any events, files, and IP addresses observed on the device. The list can sometimes be lengthy. Device timeline event flags help you track events that could be related.
After you've gone through a device timeline, you can sort, filter, and export the specific events that you flagged.
-While navigating the device timeline, you can search and filter for specific events. You can set event flags by:
+While navigating the device timeline, you can search and filter for specific events. You can set event flags by:
-- Highlighting the most important events -- Marking events that requires deep dive
+- Highlighting the most important events
+- Marking events that requires deep dive
- Building a clean breach timeline -- ## Flag an event+ 1. Find the event that you want to flag
-2. Click the flag icon in the Flag column.
-![Image of device timeline flag](images/device-flags.png)
+2. Click the flag icon in the Flag column.
+
+ ![Image of device timeline flag](images/device-flags.png)
+
+## View flagged events
-## View flagged events
1. In the timeline **Filters** section, enable **Flagged events**.
-2. Click **Apply**. Only flagged events are displayed.
-You can apply additional filters by clicking on the time bar. This will only show events prior to the flagged event.
-![Image of device timeline flag with filter on](images/device-flag-filter.png)
+2. Click **Apply**. Only flagged events are displayed. You can apply additional filters by clicking on the time bar. This will only show events prior to the flagged event.
+
+ ![Image of device timeline flag with filter on](images/device-flag-filter.png)
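Review bot: the reflowed bullet `Marking events that requires deep dive` still has the agreement error; make it `Marking events that require a deep dive`. The untouched intro context line `when you're investigate potential attacks` should read `when you're investigating potential attacks` and is worth fixing in the same pass.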
security Download Client Analyzer https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/download-client-analyzer.md
ms.localizationpriority: medium audience: ITPro--- M365-security-compliance -- m365initiative-m365-defender +
+- M365-security-compliance
+- m365initiative-m365-defender
ms.technology: m365d
-# Download the Microsoft Defender for Endpoint client analyzer
+# Download the Microsoft Defender for Endpoint client analyzer
**Applies to:** - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
Learn how to download the Microsoft Defender for Endpoint client analyzer on sup
## Download client analyzer for Windows OS
-1. The latest stable edition is available for download from following URL:
- <https://aka.ms/MDEAnalyzer>
+1. The latest stable edition is available for download from following URL: <https://aka.ms/MDEAnalyzer>
+2. The latest preview edition is available for download from following URL: <https://aka.ms/BetaMDEAnalyzer>
-2. The latest preview edition is available for download from following URL:
- <https://aka.ms/BetaMDEAnalyzer>
-
-## Download client analyzer for macOS or Linux
-
-1. The latest stable edition will be integrated into the MDE for Endpoint
- agent.
- Ensure that you are running the latest edition for either
- [macOS](mac-whatsnew.md)
- or
- [Linux](linux-whatsnew.md).
-
-2. The latest preview edition is available for direct download from following
- URL: <https://aka.ms/XMDEClientAnalyzer>
+## Download client analyzer for macOS or Linux
+1. The latest stable edition will be integrated into the MDE for Endpoint agent. Ensure that you are running the latest edition for either [macOS](mac-whatsnew.md) or [Linux](linux-whatsnew.md).
+2. The latest preview edition is available for direct download from following URL: <https://aka.ms/XMDEClientAnalyzer>
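Review bot: `The latest stable edition will be integrated into the MDE for Endpoint agent` expands to "Microsoft Defender for Endpoint for Endpoint"; since the line is being rewritten anyway, make it `the Microsoft Defender for Endpoint agent`. Both lists also say `from following URL`; `from the following URL` in each case.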
security Onboarding Notification https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/onboarding-notification.md
Create a notification rule so that when a local onboarding or offboarding script
You'll need to have access to: -- Microsoft Flow (Flow Plan 1 at a minimum). For more information, see [Flow pricing page](https://flow.microsoft.com/pricing/).
+- Power Automate (Per-user plan at a minimum). For more information, see [Power Automate pricing page](https://flow.microsoft.com/pricing/).
- Azure Table or SharePoint List or Library / SQL DB. ## Create the notification flow
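Review bot: the link text was renamed to "Power Automate pricing page" but the target is still https://flow.microsoft.com/pricing/; confirm that URL still resolves or redirects, and point it at the current Power Automate pricing page if it does not. Likewise confirm that "Per-user plan" is the current name of the minimum tier rather than a carry-over of the old "Flow Plan 1" wording.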
security Partner Applications https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/partner-applications.md
Logo|Partner name|Description
![Image of CyberSponse CyOps logo](images/cybersponse-logo.png)|[CyberSponse CyOps](https://go.microsoft.com/fwlink/?linkid=2115943)|CyOps integrates with Defender for Endpoint to automate customers' high-speed incident response playbooks ![Image of Delta Risk ActiveEye logo](images/delta-risk-activeeye-logo.png)|[Delta Risk ActiveEye](https://go.microsoft.com/fwlink/?linkid=2127468)|Delta Risk, a leading provider of SOC-as-a-Service and security services, integrate Defender for Endpoint with its cloud-native SOAR platform, ActiveEye. ![Image of Demisto, a Palo Alto Networks Company logo](images/demisto-logo.png)|[Demisto, a Palo Alto Networks Company](https://go.microsoft.com/fwlink/?linkid=2108414)|Demisto integrates with Defender for Endpoint to enable security teams to orchestrate and automate endpoint security monitoring, enrichment, and response
-![Image of Microsoft Flow & Azure Functions logo](images/ms-flow-logo.png)|[Microsoft Flow & Azure Functions](https://go.microsoft.com/fwlink/?linkid=2114300)|Use the Defender for Endpoint connectors for Azure Logic Apps & Microsoft Flow to automating security procedures
+![Image of Power Automate & Azure Functions logo](images/ms-flow-logo.png)|[Power Automate & Azure Functions](https://go.microsoft.com/fwlink/?linkid=2114300)|Use the Defender for Endpoint connectors for Azure Logic Apps & Power Automate to automating security procedures
![Image of Rapid7 InsightConnect logo](images/rapid7-logo.png)|[Rapid7 InsightConnect](https://go.microsoft.com/fwlink/?linkid=2116040)|InsightConnect integrates with Defender for Endpoint to accelerate, streamline, and integrate your time-intensive security processes ![Image of ServiceNow logo](images/servicenow-logo.png)|[ServiceNow](https://go.microsoft.com/fwlink/?linkid=2135621)|Ingest alerts into ServiceNow Security Operations solution based on Microsoft Graph API integration ![Image of Swimlane logo](images/swimlane-logo.png)|[Swimlane](https://go.microsoft.com/fwlink/?linkid=2113902)|Maximize incident response capabilities utilizing Swimlane and Defender for Endpoint together
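Review bot: the rebranded row keeps the grammar error from the original: "to automating security procedures" should be "to automate security procedures".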
security Advanced Hunting Aadspnsignineventsbeta Table https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-aadspnsignineventsbeta-table.md
ms.technology: m365d
# AADSpnSignInEventsBeta **Applies to:**- - Microsoft 365 Defender
->[!IMPORTANT]
+> [!IMPORTANT]
> The `AADSpnSignInEventsBeta` table is currently in beta and is being offered on a short-term basis to allow you to hunt through Azure Active Directory (AAD) service principal and managed identity sign-in events. We will eventually move all sign-in schema information to the `IdentityLogonEvents` table. --
-The `AADSpnSignInEventsBeta` table in the advanced hunting schema contains
-information about Azure Active Directory service principal and managed identity
-sign-ins. You can learn more about the different kinds of sign-ins in [Azure
-Active Directory sign-in activity reports -
-preview](/azure/active-directory/reports-monitoring/concept-all-sign-ins).
+The `AADSpnSignInEventsBeta` table in the advanced hunting schema contains information about Azure Active Directory service principal and managed identity sign-ins. You can learn more about the different kinds of sign-ins in [Azure Active Directory sign-in activity reports - preview](/azure/active-directory/reports-monitoring/concept-all-sign-ins).
Use this reference to construct queries that return information from the table.
-For information on other tables in the advanced hunting schema, see [the
-advanced hunting
-reference](/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-reference).
-----
-| Column name | Data type | Description |
-|--|--|--|
-| `Timestamp` | datetime | Date and time when the record was generated |
-| `Application` | string | Application that performed the recorded action |
-| `ApplicationId` | string | Unique identifier for the application |
-| `IsManagedIdentity` | boolean | Indicates whether the sign-in was initiated by a managed identity |
-| `ErrorCode` | int | Contains the error code if a sign-in error occurs. To find a description of a specific error code, visit <https://aka.ms/AADsigninsErrorCodes>. |
-| `CorrelationId` | string | Unique identifier of the sign-in event |
-| `ServicePrincipalName` | string | Name of the service principal that initiated the sign-in |
-| `ServicePrincipalId` | string | Unique identifier of the service principal that initiated the sign-in |
-| `ResourceDisplayName` | string | Display name of the resource accessed |
-| `ResourceId` | string | Unique identifier of the resource accessed |
-| `ResourceTenantId` | string | Unique identifier of the tenant of the resource accessed |
-| `IPAddress` | string | IP address assigned to the endpoint and used during related network communications |
-| `Country` | string | Two-letter code indicating the country where the client IP address is geolocated |
-| `State` | string | State where the sign-in occurred, if available |
-| `City` | string | City where the account user is located |
-| `Latitude` | string | The north to south coordinates of the sign-in location |
-| `Longitude` | string | The east to west coordinates of the sign-in location |
-| `RequestId` | string | Unique identifier of the request |
-|`ReportId` | string | Unique identifier for the event |
-
- 
+For information on other tables in the advanced hunting schema, see [the advanced hunting reference](/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-reference).
+
+<br>
+
+****
+
+|Column name|Data type|Description|
+||||
+|`Timestamp`|datetime|Date and time when the record was generated|
+|`Application`|string|Application that performed the recorded action|
+|`ApplicationId`|string|Unique identifier for the application|
+|`IsManagedIdentity`|boolean|Indicates whether the sign-in was initiated by a managed identity|
+|`ErrorCode`|int|Contains the error code if a sign-in error occurs. To find a description of a specific error code, visit <https://aka.ms/AADsigninsErrorCodes>.|
+|`CorrelationId`|string|Unique identifier of the sign-in event|
+|`ServicePrincipalName`|string|Name of the service principal that initiated the sign-in|
+|`ServicePrincipalId`|string|Unique identifier of the service principal that initiated the sign-in|
+|`ResourceDisplayName`|string|Display name of the resource accessed|
+|`ResourceId`|string|Unique identifier of the resource accessed|
+|`ResourceTenantId`|string|Unique identifier of the tenant of the resource accessed|
+|`IPAddress`|string|IP address assigned to the endpoint and used during related network communications|
+|`Country`|string|Two-letter code indicating the country where the client IP address is geolocated|
+|`State`|string|State where the sign-in occurred, if available|
+|`City`|string|City where the account user is located|
+|`Latitude`|string|The north to south coordinates of the sign-in location|
+|`Longitude`|string|The east to west coordinates of the sign-in location|
+|`RequestId`|string|Unique identifier of the request|
+|`ReportId`|string|Unique identifier for the event|
+||||
## Related articles -- [AADSignInEventsBeta](./advanced-hunting-aadsignineventsbeta-table.md)-- [Advanced hunting
- overview](/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview)
-- [Learn the query
- language](/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-language)
-- [Understand the
- schema](/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference)
+- [AADSignInEventsBeta](./advanced-hunting-aadsignineventsbeta-table.md)
+- [Advanced hunting overview](/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview)
+- [Learn the query language](/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-language)
+- [Understand the schema](/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference)
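Review bot: the rebuilt table uses `||||` both as the row under the header and as a trailing row; the usual Markdown delimiter row is `|---|---|---|`, so confirm the header row still renders as a header, and drop the trailing `||||`, which otherwise renders as an empty row. Two descriptions also do not fit a service principal or managed identity sign-in: `City` says "City where the account user is located" (there is no account user in these events) and should follow the `Country` wording, i.e. the city the client IP address geolocates to, and `IPAddress` ("IP address assigned to the endpoint and used during related network communications") is clearer as the client IP address the sign-in came from. Since the page says "Use this reference to construct queries", one sample would help, for example `AADSpnSignInEventsBeta | where ErrorCode != 0 | summarize count() by ServicePrincipalName, ErrorCode` to surface failing service principal sign-ins.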
security Eval Defender Office 365 Enable Eval https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-defender-office-365-enable-eval.md
Title: Enable the evaluation environment for Microsoft Defender for Office 365 in your production environment
-description: Steps to activate Microsoft Defender for Office365 evaluation, with trial licenses, MX record handling, & auditing of accepted domains and inbound connections.
+description: Steps to activate Microsoft Defender for Office 365 evaluation, with trial licenses, MX record handling, & auditing of accepted domains and inbound connections.
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
security Threat Analytics Analyst Reports https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/threat-analytics-analyst-reports.md
Title: Understand the analyst report section in threat analytics
+ Title: Understand the analyst report section in threat analytics in Microsoft 365 Defender
description: Learn about the analyst report section of each threat analytics report. Understand how it provides information about threats, mitigations, detections, advanced hunting queries, and more. keywords: analyst report, threat analytics, detections, advanced hunting queries, mitigations,
-# Understand the analyst report in threat analytics
+# Understand the analyst report in threat analytics in Microsoft 365 Defender
[!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender.md)]
security Threat Analytics https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/threat-analytics.md
-# Track and respond to emerging threats with threat analytics
+# Track and respond to emerging threats with threat analytics in Microsoft 365 Defender
[!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender.md)]
security Anti Spam Message Headers https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/anti-spam-message-headers.md
The individual fields and values are described in the following table.
|`LANG`|The language in which the message was written, as specified by the country code (for example, ru_RU for Russian).| |`PTR:[ReverseDNS]`|The PTR record (also known as the reverse DNS lookup) of the source IP address.| |`SCL`|The spam confidence level (SCL) of the message. A higher value indicates the message is more likely to be spam. For more information, see [Spam confidence level (SCL)](spam-confidence-levels.md).|
-|`SFTY`|The message was identified as phishing and will also be marked with one of the following values: <ul><li>9.19: Domain impersonation. The sending domain is attempting to [impersonate a protected domain](set-up-anti-phishing-policies.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365). The safety tip for domain impersonation is added to the message (if it's enabled).</li><li>9.20: User impersonation. The sending user is attempting to impersonate a user in the recipient's organization, or [a protected user that's specified in an anti-phishing policy](set-up-anti-phishing-policies.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365) in Microsoft Defender for office 365. The safety tip for user impersonation is added to the message (if it's enabled).</li></ul>|
+|`SFTY`|The message was identified as phishing and will also be marked with one of the following values: <ul><li>9.19: Domain impersonation. The sending domain is attempting to [impersonate a protected domain](set-up-anti-phishing-policies.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365). The safety tip for domain impersonation is added to the message (if it's enabled).</li><li>9.20: User impersonation. The sending user is attempting to impersonate a user in the recipient's organization, or [a protected user that's specified in an anti-phishing policy](set-up-anti-phishing-policies.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365) in Microsoft Defender for Office 365. The safety tip for user impersonation is added to the message (if it's enabled).</li></ul>|
|`SFV:BLK`|Filtering was skipped and the message was blocked because it was sent from an address in a user's Blocked Senders list. <p> For more information about how admins can manage a user's Blocked Senders list, see [Configure junk email settings on Exchange Online mailboxes](configure-junk-email-settings-on-exo-mailboxes.md).| |`SFV:NSPM`|Spam filtering marked the message as non-spam and the message was sent to the intended recipients.| |`SFV:SFE`|Filtering was skipped and the message was allowed because it was sent from an address in a user's Safe Senders list. <p> For more information about how admins can manage a user's Safe Senders list, see [Configure junk email settings on Exchange Online mailboxes](configure-junk-email-settings-on-exo-mailboxes.md).|
security Configure Mdo Anti Phishing Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/configure-mdo-anti-phishing-policies.md
The difference between these two elements isn't obvious when you manage anti-phi
In Exchange Online PowerShell, you manage the policy and the rule separately. For more information, see the [Use Exchange Online PowerShell to configure anti-phishing policies](#use-exchange-online-powershell-to-configure-anti-phishing-policies) section later in this article.
-Every Defender for Office 365 organization has a built-in anti-phishing policy named Office365 AntiPhish Default that has these properties:
+Every Defender for Office 365 organization has a built-in anti-phishing policy named Office 365 AntiPhish Default that has these properties:
- The policy is applied to all recipients in the organization, even though there's no anti-phish rule (recipient filters) associated with the policy. - The policy has the custom priority value **Lowest** that you can't modify (the policy is always applied last). Any custom policies that you create always have a higher priority.
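Review bot: the rename from `Office365 AntiPhish Default` to `Office 365 AntiPhish Default` changes a policy identifier, not branding text: the built-in policy is literally named "Office365 AntiPhish Default" (no space), and that string is what Exchange Online PowerShell takes, e.g. `Get-AntiPhishPolicy -Identity "Office365 AntiPhish Default"`. Readers who copy the new spelling into `-Identity` will get a not-found error. Revert this line, and put the name in code font so the next branding search-and-replace skips it.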
security Monitor For Leaks Of Personal Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/monitor-for-leaks-of-personal-data.md
In the illustration:
- Start with Microsoft 365 data loss prevention reports for monitoring personal data in SharePoint Online, OneDrive for Business, and email in transit. These reports provide the greatest level of detail for monitoring personal data. However, these reports don't include all services in Office 365. -- Next, use alert policies and the audit log to monitor activity across services. Set up ongoing monitoring or search the audit log to investigate an incident. The audit log works across servicesΓÇöSway, Power BI, eDiscovery, Dynamics 365, Microsoft Flow, Microsoft Teams, Admin activity, OneDrive for Business, SharePoint Online, mail in transit, and mailboxes at rest. Skype conversations are included in mailboxes at rest.
+- Next, use alert policies and the audit log to monitor activity across services. Set up ongoing monitoring or search the audit log to investigate an incident. The audit log works across servicesΓÇöSway, Power BI, eDiscovery, Dynamics 365, Power Automate, Microsoft Teams, Admin activity, OneDrive for Business, SharePoint Online, mail in transit, and mailboxes at rest. Skype conversations are included in mailboxes at rest.
- Finally, Use Microsoft Cloud App Security to monitor files with sensitive data in other SaaS providers. Coming soon is the ability to use sensitive information types and unified labels across Azure Information Protection and Office with Cloud App Security. You can set up policies that apply to all of your SaaS apps or specific apps (like Box). Cloud App Security doesn't discover files in Exchange Online, including files attached to email.
security Quarantine Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/quarantine-policies.md
Remove-QuarantineTag -Identity "<QuarantinePolicyName>"
For detailed syntax and parameter information, see [Remove-QuarantineTag](/powershell/module/exchange/remove-quarantinetag).
+## System alerts for quarantine release requests
+
+By default, the default alert policy named **User requested to release a quarantined message** automatically generates a medium severity alert and sends notification messages to members of the following role groups whenever a user requests the release of a quarantined message:
+
+- Quarantine Administrator
+- Security Administrator
+- Organization Management (global administrator)
+
+Admins can customize the email notification recipients or create a custom alert policy for additional options.
+
+For more information about alert policies, see [Alert policies in Microsoft 365](../../compliance/alert-policies.md).
+ ## Quarantine policy permission details The following sections describe the effects of preset permission groups and individual permissions in the details of quarantined messages and in end-user spam notifications.
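Review bot: "By default, the default alert policy named ..." in the new section is redundant; suggest "The default alert policy named **User requested to release a quarantined message** automatically generates ...". Also, the added line that introduces "## Quarantine policy permission details" carries the heading and the first sentence of the following paragraph together; confirm that in the source the heading sits on its own line with a blank line after it, otherwise it will not render as a heading.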
security Recommended Settings For Eop And Office365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/recommended-settings-for-eop-and-office365.md
In PowerShell, you use the [New-SafeLinksPolicy](/powershell/module/exchange/new
||::|::|::|| |**Protection settings**||||| |**Select the action for unknown potentially malicious URLs in messages** <p> _IsEnabled_|**Off** <p> `$false`|**On** <p> `$true`|**On** <p> `$true`||
-|**Select the action for unknown or potentially malicious URLs within Microsoft Teams** <p> _EnableSafeLinksForTeams_|**Off** <p> `$false`|**On** <p> `$true`|**On** <p> `$true`|As of March 2020, this feature is in Preview and is available or functional only for members of the Microsoft Teams Technology Adoption Program (TAP).|
+|**Select the action for unknown or potentially malicious URLs within Microsoft Teams** <p> _EnableSafeLinksForTeams_|**Off** <p> `$false`|**On** <p> `$true`|**On** <p> `$true`||
|**Apply real-time URL scanning for suspicious links and links that point to files** <p> _ScanUrls_|Not selected <p> `$false`|Selected <p> `$true`|Selected <p> `$true`|| |**Wait for URL scanning to complete before delivering the message** <p> _DeliverMessageAfterScan_|Not selected <p> `$false`|Selected <p> `$true`|Selected <p> `$true`|| |**Apply Safe Links to email messages sent within the organization** <p> _EnableForInternalSenders_|Not selected <p> `$false`|Selected <p> `$true`|Selected <p> `$true`||
security Safe Links https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/safe-links.md
Safe Links protection is available in the following locations:
> [!NOTE] > Safe Links does not work on mail-enabled public folders. -- **Microsoft Teams** (currently in TAP Preview): Safe Links protection for links in Teams conversations, group chats, or from channels is also controlled by Safe Links policies. There is no default Safe Links policy, **so to get the protection of Safe Links in Teams, you need to create one or more Safe Links policies**.
+- **Microsoft Teams**: Safe Links protection for links in Teams conversations, group chats, or from channels is also controlled by Safe Links policies. There is no default Safe Links policy, **so to get the protection of Safe Links in Teams, you need to create one or more Safe Links policies**.
For more information about Safe Links protection in Teams, see the [Safe Links settings for Microsoft Teams](#safe-links-settings-for-microsoft-teams) section later in this article.
security Services For Non Customers https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/services-for-non-customers.md
This is a self-service portal you can use to remove yourself from the Microsoft
## Abuse and spam reporting for junk email originating from Exchange Online
-Sometimes Microsoft365 is used by third parties to send junk email, in violation of our terms of use and policy. If you receive any junk email from Office 365, you can report these messages to Microsoft. For instructions, see [Report messages and files to Microsoft](report-junk-email-messages-to-microsoft.md).
+Sometimes Microsoft 365 is used by third parties to send junk email, in violation of our terms of use and policy. If you receive any junk email from Office 365, you can report these messages to Microsoft. For instructions, see [Report messages and files to Microsoft](report-junk-email-messages-to-microsoft.md).
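Review bot: the corrected sentence now switches product names mid-paragraph ("Sometimes Microsoft 365 is used ... If you receive any junk email from Office 365"); use one name for both sentences.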
security Set Up Safe Attachments Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/set-up-safe-attachments-policies.md
Creating a custom Safe Attachments policy in the Microsoft 365 Defender portal c
- **Monitor** - **Block**: This is the default value, and the recommended value in Standard and Strict [preset security policies](preset-security-policies.md). - **Replace**
- - **Dynamic Delivery (Preview Feature)**
+ - **Dynamic Delivery (Preview feature)**
These values are explained in [Safe Attachments policy settings](safe-attachments.md#safe-attachments-policy-settings).
security Set Up Safe Links Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/set-up-safe-links-policies.md
New-SafeLinksPolicy -Name "<PolicyName>" [-AdminDisplayName "<Comments>"] [-IsEn
This example creates a safe links policy named Contoso All with the following values: - Turn on URL scanning and rewriting in email messages.-- Turn on URL scanning in Teams (TAP Preview only).
+- Turn on URL scanning in Teams.
- Turn on real-time scanning of clicked URLs, including clicked links that point to files. - Wait for URL scanning to complete before delivering the message. - Turn on URL scanning and rewriting for internal messages.
security Tenant Allow Block List https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/tenant-allow-block-list.md
ms.prod: m365-security
> [!NOTE] > > Some of the features described in this article are in Preview, are subject to change, and are not available in all organizations.
->
+>
> If your organization does not have the spoof features as described in this article, see the older spoof management experience at [Manage spoofed senders using the spoof intelligence policy and spoof intelligence insight in EOP](walkthrough-spoof-intelligence-insight.md). In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, you might disagree with the EOP filtering verdict. For example, a good message might be marked as bad (a false positive), or a bad message might be allowed through (a false negative).
security Use Dkim To Validate Outbound Email https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/use-dkim-to-validate-outbound-email.md
In this example, if you had only published an SPF TXT record for your domain, th
All the accepted domains of your tenant will be shown in Microsoft 365 Defender portal under DKIM page. If you do not see it, add your accepted domain from [domains page](/microsoft-365/admin/setup/add-domain#add-a-domain). Once your domain is added, follow the steps as shown below to configure DKIM.
-Step 1: Click on the domain you wish to configure DKIM on DKIM page.
+Step 1: Click on the domain you wish to configure DKIM on DKIM page (https://security.microsoft.com/dkimv2 or https://protection.office.com/dkimv2).
![DKIM page in the Microsoft 365 Defender portal with a domain selected](../../media/126996261-2d331ec1-fc83-4a9d-a014-bd7e1854eb07.png)
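Review bot: the step still reads "the domain you wish to configure DKIM on DKIM page"; suggest "the domain you want to configure DKIM for, on the DKIM page", and turn the two bare URLs into links. Also say which portal is current: https://security.microsoft.com/dkimv2 is the Microsoft 365 Defender portal that the surrounding text and screenshot refer to, while https://protection.office.com/dkimv2 is the older Security & Compliance Center path, so label the latter as the legacy location rather than presenting the two as equivalent.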
security Whats New In Defender For Office 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/whats-new-in-defender-for-office-365.md
ms.prod: m365-security
This article lists new features in the latest release of Microsoft Defender for Office 365. Features that are currently in preview are denoted with **(preview)**. Learn more by watching [this video](https://www.youtube.com/watch?v=Tdz6KfruDGo&list=PL3ZTgFEc7LystRja2GnDeUFqk44k7-KXf&index=3).+ > [!TIP] > Don't have Microsoft Defender for Office 365 yet? [Contact sales to start a trial](https://info.microsoft.com/ww-landing-M365SMB-web-contact.html). ## August 2021
+- [Admin review for reported messages](admin-review-reported-message.md): Admins can now send templated messages back to end users after they review reported messages. This can be customized for your organization and based on your admin's verdict as well.
+=======
+## September 2021
+
+- [Quarantine policies](quarantine-policies.md): Admins can configure granular control for recipient access to quarantined messages and customize end-user spam notifications.
+ - [Video of admin experience](https://youtu.be/vnar4HowfpY)
+ - [Video of end-user experience](https://youtu.be/s-vozLO43rI)
+ - Other new capabilities coming to the quarantine experience are described in this blog post: [Simplifying the Quarantine experience](https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/simplifying-the-quarantine-experience/ba-p/2676388).
+
+## August 2021
+ - [Admin review for reported messages](admin-review-reported-message.md): Admins can now send templated messages back to end users after they review reported messages. The templates can be customized for your organization and based on your admin's verdict as well.-- [Add allows in the Tenant Allow/Block List](manage-tenant-allows.md): Allows cannot be added directly to the Tenant Allow/Block List but now can be if the blocked message is submitted as part of the admin submission process. Depending on the block that happened, an URL, file, and/or sender allow will be added to the Tenant Allow/Block List. In most cases, the allows are added to give the system some time and allow it naturally if warranted. In some cases, Microsoft manages the allow for you.
+- [Add allows in the Tenant Allow/Block List](manage-tenant-allows.md): You can now add allow entries to the Tenant Allow/Block List if the blocked message was submitted as part of the admin submission process. Depending on the nature of the block, the submitted URL, file, and/or sender allow will be added to the Tenant Allow/Block List. In most cases, the allows are added to give the system some time and allow it naturally if warranted. In some cases, Microsoft manages the allow for you.
## July 2021
Learn more by watching [this video](https://www.youtube.com/watch?v=Tdz6KfruDGo&
- [User Tags](user-tags.md) are now integrated into Microsoft Defender for Office 365 alerting experiences, including: the alerts queue and details in Office 365 Security & Compliance, and scoping custom alert policies to user tags to create targeted alert policies. - Tags are also available in the unified alerts queue in the Microsoft 365 Defender center (Microsoft Defender for Office 365 Plan 2) - ## June 2021 - New first contact safety tip setting within anti-phishing policies. This safety tip is shown when recipients first receive an email from a sender or do not often receive email from a sender. For more information on this setting and how to configure it, see the following articles:
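Review bot: the added line `+=======` is a leftover git merge-conflict marker and must be removed; the "## August 2021" heading and its "Admin review for reported messages" bullet now appear twice, once right after the intro paragraph and again after the new "## September 2021" section. Keep only the second copy so the file runs intro, September 2021, August 2021, July 2021 in order, and re-check that the bullet wording you keep is the intended one ("This can be customized" versus "The templates can be customized").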