+> [!NOTE]

+> [Integrated Apps](test-and-deploy-microsoft-365-apps.md) is the recommended and most feature-rich way for most customers to centrally deploy Office add-ins to users and groups within your organization.

+>

+>If Integrated Apps is not available for you or you are a customer in one of the sovereign or government clouds (GCC, GCC-H, DoD, AirGap or Gallatin), use this article as guidance to determine if your organization and users meet the requirements to use Centralized Deployment.

+> [!NOTE]

+> Compatibility checker is currently not supported in any of the sovereign or government clouds (GCC, GCC-H, DoD, AirGap, Gallatin).

+> [!NOTE]

+> [Integrated Apps](test-and-deploy-microsoft-365-apps.md) is the recommended and most feature-rich way for most customers to centrally deploy Office add-ins to users and groups within your organization.

+> [!NOTE]

+> [Integrated Apps](test-and-deploy-microsoft-365-apps.md) is the recommended and most feature-rich way for most customers to centrally deploy Office add-ins to users and groups within your organization.

+Office Add-ins help you personalize your documents and streamline the way you access information on the web (see [Start using your Office Add-in](https://support.microsoft.com/office/82e665c4-6700-4b56-a3f3-ef5441996862)). As an admin, you can deploy Office Add-ins for the users in your organization by using the Centralized Deployment feature in the <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">Microsoft 365 admin center</a>.

+ > [!NOTE]

+ > You can also deploy add-ins in the admin center through [Integrated Apps](test-and-deploy-microsoft-365-apps.md). Integrated Apps is the recommended place for admins to deploy add-ins, and is available to Global Administrator, Azure Application Administrator and Exchange Administrator.

+ >

+ > If you still want to continue using Centralized Deployment for admin deployment of add-ins, navigate to **Settings**, then select **Integrated Apps**. On top of the Integrated Apps page, choose the **Add-ins** link. If Integrated Apps is not available for you, you should be able to navigate to Centralized Deployment from **Settings**, and then select **Add-ins**.

+ :::image type="content" source="../../media/Deployaddin.png" alt-text="Deploy Add-in" lightbox="../../media/Deployaddin.png":::

+ > [!NOTE]

+ > You can also deploy add-ins in the admin center through [Integrated Apps](test-and-deploy-microsoft-365-apps.md). Integrated Apps is visible to Global and Exchange administrators. If you don't see the above steps, go to the Centralized Deployment section by going to **Settings** > **Integrated apps**. On the top of the **Integrated apps** page, choose **Add-ins**.

+2. Select **Deploy Add-in** at the top of the page, and then select **Next**.

+ :::image type="content" source="../../media/chooseofficestore.png" alt-text="Deploy Add-in" lightbox="../../media/chooseofficestore.png":::

+ You can view available add-ins by categories: **Suggested for you**, **Rating**, or **Name**. Only free add-ins are available from the Office Store. Paid add-ins aren't supported currently. After you select an add-in, accept the terms and conditions to proceed. <br/>

+ :::image type="content" source="../../media/addanaddin.png" alt-text="Deploy Add-in" lightbox="../../media/addanaddin.png":::

+ > [!NOTE]

+ > With the Office Store option, updates and enhancements are automatically deployed to users.

+ :::image type="content" source="../../media/selectusers.png" alt-text="Deploy Add-in" lightbox="../../media/selectusers.png":::

+ > [!NOTE]

+ > To learn about other states that apply to an add-in, see [Add-in states](./manage-addins-in-the-admin-center.md).

+ > [!NOTE]

+ > Users might need to relaunch Microsoft 365 to view the add-in icon on the app ribbon. Outlook add-ins can take up to 24 hours to appear on app ribbons.

+ If you've deployed the add-in to other members of your organization, follow the instructions to announce the deployment of the add-in. <br/>

+ It's good practice to inform users and groups that the deployed add-in is available. Consider sending an email that describes when and how to use the add-in. Include or link to Help content or FAQs that might help users if they have problems with the add-in.

+ > [!NOTE]

+ > Admin does not need to remove a LOB Add-in for doing an update. In the Add-ins section, Admin can simply click on the LOB Add-in and choose the **Update Button** in the bottom right corner. Update will work only if the version of the new add-in is greater than that of the existing add-in.

+You can continue to deploy [Deploy and manage Office Add-ins](/microsoft-365/admin/manage/office-addins) and [Teams Apps via Teams admin center](/microsoftteams/manage-apps).

+- Exchange Admins can edit any controls for Outlook add-ins deployed by them.

+To help you better assess which device management option is best for you, see [Choose between Basic Mobility Security and Intune](/microsoft-365/admin/basic-mobility-security/choose-between-basic-mobility-and-security-and-intune).

+|**Last updated:** 08/29/2023 -  [Change Log subscription](https://endpoints.office.com/version/USGOVGCCHigh?allversions=true&format=rss&clientrequestid=b10c5ed1-bad1-445f-b386-b919946339a7)|**Download:** the full list in [JSON format](https://endpoints.office.com/endpoints/USGOVGCCHigh?clientrequestid=b10c5ed1-bad1-445f-b386-b919946339a7)|

+3. [Implement security](/microsoft-365/security/office-365-security/defender-for-office-365-whats-new)

+**Last updated:** 08/29/2023 -  [Change Log subscription](https://endpoints.office.com/version/China?allversions=true&format=rss&clientrequestid=b10c5ed1-bad1-445f-b386-b919946339a7)

+|**Last updated:** 08/29/2023 - |

+<!--China endpoints version 2023082900-->

+<!--File generated 2023-08-30 08:00:16.5825-->

+-- | | -- | -- | -

+8 | Allow<BR>Required | No | `*.onmschina.cn, *.partner.microsoftonline.net.cn, *.partner.microsoftonline-i.net.cn`<BR>`101.28.252.0/24, 115.231.150.0/24, 123.235.32.0/24, 171.111.154.0/24, 175.6.10.0/24, 180.210.229.0/24, 211.90.28.0/24` | **TCP:** 443, 80

+22 | Default<BR>Required | No | `*.partner.office365.cn` | **TCP:** 443, 80

+23 | Default<BR>Optional<BR>**Notes:** allow new microsoft365 home page | No | `microsoft365.microsoftonline.cn` | **TCP:** 443, 80

+<!--USGovGCCHigh endpoints version 2023082900-->

+<!--File generated 2023-08-30 08:00:15.0134-->

+<!--Worldwide endpoints version 2023082900-->

+<!--File generated 2023-08-30 08:00:13.1514-->

+11 | Optimize<BR>Required | Yes | `13.107.64.0/18, 52.112.0.0/14, 52.122.0.0/15, 2603:1063::/38` | **UDP:** 3478, 3479, 3480, 3481

+12 | Allow<BR>Required | Yes | `*.lync.com, *.teams.microsoft.com, teams.microsoft.com`<BR>`13.107.64.0/18, 52.112.0.0/14, 52.122.0.0/15, 52.238.119.141/32, 52.244.160.207/32, 2603:1027::/48, 2603:1037::/48, 2603:1047::/48, 2603:1057::/48, 2603:1063::/38, 2620:1ec:6::/48, 2620:1ec:40::/42` | **TCP:** 443, 80

+13 | Allow<BR>Required | Yes | `*.broadcast.skype.com, broadcast.skype.com`<BR>`13.107.64.0/18, 52.112.0.0/14, 52.122.0.0/15, 52.238.119.141/32, 52.244.160.207/32, 2603:1027::/48, 2603:1037::/48, 2603:1047::/48, 2603:1057::/48, 2603:1063::/38, 2620:1ec:6::/48, 2620:1ec:40::/42` | **TCP:** 443

+22 | Allow<BR>Optional<BR>**Notes:** Teams: Messaging interop with Skype for Business | Yes | `*.skypeforbusiness.com`<BR>`13.107.64.0/18, 52.112.0.0/14, 52.122.0.0/15, 52.238.119.141/32, 52.244.160.207/32, 2603:1027::/48, 2603:1037::/48, 2603:1047::/48, 2603:1057::/48, 2603:1063::/38, 2620:1ec:6::/48, 2620:1ec:40::/42` | **TCP:** 443

+There is no configuration UX for **Define device control policy groups** and **Define device control policy rules** on your Group Policy. But, you can still get the related `.adml` and `.admx` files by selecting **Raw** and **Save as** at the [WindowsDefender.adml](https://github.com/microsoft/mdatp-devicecontrol/blob/main/WindowsDefender.adml) and [WindowsDefender.admx](https://github.com/microsoft/mdatp-devicecontrol/blob/main/WindowsDefender.admx) files.

+> To learn more about Windows licensing, see [Windows 10 Licensing](https://www.microsoft.com/licensing/product-licensing/windows10?activetab=windows10-pivot:primaryr5) and get the [Volume Licensing guide for Windows 10](https://www.microsoft.com/en-us/download/details.aspx?id=11091).

+The following table shows the exclusion types supported by Defender for Endpoint on Linux.

+If Defender for Endpoint on Linux reports malware, then the rule is not working. If there is no report of malware, and the downloaded file exists, then the exclusion is working. You can open the file to confirm that the contents are the same as what is described on the [EICAR test file website](https://www.eicar.org/download-anti-malware-testfile/).

+Example 2: [demo.mobileconfig](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/macOS/mobileconfig/demo.mobileconfig)

+```xml

+If Defender for Endpoint on Mac reports malware, then the rule is not working. If there is no report of malware, and the downloaded file exists, then the exclusion is working. You can open the file to confirm that the contents are the same as what is described on the [EICAR test file website](https://www.eicar.org/download-anti-malware-testfile/).

+ Title: Troubleshoot system extension issues for Microsoft Defender for Endpoint on macOS

+description: Troubleshoot system extension issues in Microsoft Defender for Endpoint on macOS.

+keywords: microsoft, defender, Microsoft Defender for Endpoint, mac, performance, big sur, monterey, ventura, mde for mac

+ms.mktglfcycl: deploy

+ms.sitesec: library

+ms.pagetype: security

+ms.localizationpriority: medium

+audience: ITPro

+- m365-security

+- tier3

+search.appverid: met150

+# Troubleshoot system extension issues in Microsoft Defender for Endpoint on macOS

+**Applies to:**

+- [Microsoft Defender for Endpoint on macOS](microsoft-defender-endpoint-mac.md)

+- [Microsoft Defender for Endpoint Plan 1](defender-endpoint-plan-1-2.md)

+- [Microsoft Defender for Endpoint Plan 2](defender-endpoint-plan-1-2.md)

+- [Microsoft 365 Defender](../defender/microsoft-365-defender.md)

+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/get-started/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https%3a%2f%2faka.ms%2fMDEp2OpenTrial%3focid%3ddocs-wdatp-exposedapis-abovefoldlink&brandingId=28b276fb-d2a0-4379-a7c0-57dce33da0f9&ali=1&bac=1&signedinuser=v-smandalika%40microsoft.com)

+You can submit feedback by opening Microsoft Defender for Endpoint on Mac on your device and by navigating to **Help > Send feedback**.

+Another option is to submit feedback via the Microsoft 365 Defender by launching **security.microsoft.com** and selecting the **Give feedback** tab.

+This article provides information on how to troubleshoot issues with the system extension that's installed as part of Microsoft Defender for Endpoint (MDE) on macOS.

+Starting with macOS BigSur (11), AppleΓÇÖs macOS requires all system extensions to be explicitly approved before they're allowed to run on the device.

+## Symptom

+You'll notice that the Microsoft Defender for Endpoint has an **x** symbol in the shield, as shown in the following screenshot:

+If you click the shield with the **x** symbol, you'll get options as shown in the following screenshot:

+Click **Action needed**.

+The screen as shown in the following screenshot appears:

+You can also run **mdatp health**: It reports if real-time protection is enabled but not available. This report indicates that the system extension isn't approved to run on your device.

+```bash

+mdatp health

+```

+The output on running **mdatp health** is:

+```Output

+healthy : false

+health_issues : [ΓÇ£no active event providerΓÇ¥, ΓÇ£network event provider not runningΓÇ¥, ΓÇ£full disk access has not been grantedΓÇ¥]

+...

+real_time_protection_enabled : unavailable

+real_time_protection_available: unavailable

+...

+full_disk_access_enabled : false

+```

+The output report displayed on running **mdatp health** is shown in the following screenshot:

+## Cause

+macOS requires that a user manually and explicitly approves certain functions that an application uses, for example, system extensions, running in background, sending notifications, full disk access, and so on. Microsoft Defender for Endpoint relies on these applications and can't properly function until all these consents are received from a user.

+If you didn't approve the system extension during the deployment/installation of Microsoft Defender for Endpoint on macOS, perform the following steps:

+1. Check the system extensions by running the following command in the terminal:

+ ```BashCopy

+ systemextensionsctl list

+ ```

+ :::image type="content" source="images/check-system-extension.png" alt-text="The screen that shows what should be done to check the system extension." lightbox="images/check-system-extension.png":::

+You'll notice that both Microsoft Defender for Endpoint on macOS extensions are in the **[activated waiting for user]** state.

+2. In the terminal, run the following command:

+ ```BashCopy

+ mdatp health --details system_extensions

+ ```

+You'll get the following output:

+```OutputCopy

+network_extension_enabled : false

+network_extension_installed : true

+endpoint_security_extension_ready : false

+endpoint_security_extension_installed : true

+```

+This output is shown in the following screenshot:

+The following files might be missing if you're managing it via Intune, JamF, or another MDM solution:

+|MobileConfig (Plist) |ΓÇ£mdatp healthΓÇ¥ console command output |macOS setting needed for MDE on macOS to function properly |

+||||

+|"/Library/Managed Preferences/com.apple.system-extension-policy.plist" | real_time_protection_subsystem | System extension |

+|"/Library/Managed Preferences/com.apple.webcontent-filter.plist" | network_events_subsystem | Network Filter extension |

+|"/Library/Managed Preferences/com.apple.TCC.configuration-profile-policy.plist" | full_disk_access_enabled | Privacy Preference Policy Controls (PPPC, aka TCC (Transparency, Consent & Control), Full Disk Access (FDA)) |

+|"/Library/Managed Preferences/com.apple.notificationsettings.plist" | n/a | End-user notifications |

+|"/Library/Managed Preferences/servicemanagement.plistΓÇ¥ | n/a | Background services |

+|"/Library/Managed Preferences/com.apple.TCC.configuration-profile-policy.plist" | full_disk_access_enabled (for DLP) | Accessibility |

+To troubleshoot the issue of missing files to make Microsoft Defender for Endpoint on macOS work properly, see [Microsoft Defender for Endpoint on Mac](microsoft-defender-endpoint-mac.md#microsoft-defender-for-endpoint-on-mac).

+## Solution

+This section describes the solution of approving the functions such system extension, background services, notifications, full disk access, and so on using the management tools, namely Intune, JamF, Other MDM, and using the method of manual deployment. To perform these functions using these management tools, see:

+- [Intune](manage-profiles-approve-sys-extensions-intune.md#manage-profiles-and-approve-extensions-using-intune)

+- [JamF](manage-sys-extensions-using-jamf.md#manage-system-extensions-using-jamf)

+- [Other MDM](manage-sys-extensions-other-mdm.md#manage-system-extensions-using-other-mdm-solutions)

+- [Manual deployment](manage-sys-extensions-manual-deployment.md#manage-system-extensions-using-the-manual-methods-of-deployment)

+### Prerequisites

+Prior to approving the system extension (using any of the specified management tools), ensure that the following prerequisites are fulfilled:

+#### Step 1: Are the profiles coming down to your macOS?

+If you're using Intune, see [Manage macOS software update policies in Intune](/mem/intune/protect/software-updates-macos).

+1. Click the ellipses (three dots).

+1. Select **Refresh devices**. The screen as shown in the following screenshot appears:

+ :::image type="content" source="images/screen-on-clicking-refresh-devices.png" alt-text="The screen that appears on clicking Refresh devices." lightbox="images/screen-on-clicking-refresh-devices.png":::

+1. In Launchpad, type **System Preferences**.

+1. Double-click **Profiles**.

+ > [!NOTE]

+ > If you aren't MDM joined, you won't see **Profiles** as an option. Contact your MDM support team to see why the **Profiles** option isn't visible. You should be able to see the different profiles such as **System Extensions**, **Accessibility**, **Background Services**, **Notifications**, **Microsoft AutoUpdate**, and so on, as shown in the preceding screenshot.

+If you're using JamF, use sudo jamf policy. For more information, see [Policy Management](https://docs.jamf.com/10.26.0/jamf-pro/administrator-guide/Policy_Management.html#:~:text=To%20manually%20trigger%20the%20policy%20using%20the%20jamf,pre-defined%20trigger%2C%20replace%20%3CtriggerName%3E%20with%20the%20appropriate%20value.).

+#### Step 2: Ensure that the profiles needed for Microsoft Defender for Endpoint are enabled

+The section [Sections that provide guidance on enabling profiles needed for Microsoft Defender for Endpoint](#sections-that-provide-guidance-on-enabling-profiles-needed-for-microsoft-defender-for-endpoint) provides guidance on how to address this issue, depending on the method that you used to deploy Microsoft Defender for Endpoint on macOS.

+> [!NOTE]

+> A proper naming convention for your configuration profiles is a real advantage. We recommend the following naming scheme:

+> `Name of the Setting(s) [(additional info)] -Platform - Set - Policy-Type`

+> For example, `FullDiskAccess (piloting) - macOS - Default - MDE`

+Using the recommended naming convention enables you to confirm that the correct profiles are dropping down at the time of checking.

+> [!TIP]

+> To ensure that the correct profiles are coming down, instead of typing **.mobileconfig (plist)**, you can download this profile from Github, to avoid typos elongated hyphens.

+In terminal, enter the following syntax:

+`curl -O https://URL`

+For example,

+```BashCopy

+ curl -O https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/macos/mobileconfig/profiles/sysext.mobileconfig

+```

+##### Sections that provide guidance on enabling profiles needed for Microsoft Defender for Endpoint

+1.

+ - **Function**: [Approve System Extensions](mac-install-with-intune.md)

+ - **Mobile config (plist)**: https://github.com/microsoft/mdatp-xplat/blob/master/macos/mobileconfig/profiles/sysext.mobileconfig

+ - **Applicable to**:

+ - **Intune**: Yes

+ - **JamF**: Yes

+ - **Other MDM**: Yes

+ - **Manual**: Must approve the extension by going to **Security Preferences or System Preferences > Security & Privacy** and then selecting **Allow**.

+2.

+ - **Function**: [Network Filter](mac-install-with-intune.md)

+ - **Mobile config (plist)**: https://github.com/microsoft/mdatp-xplat/blob/master/macos/mobileconfig/profiles/netfilter.mobileconfig

+ - **Applicable to**:

+ - **Intune**: Yes

+ - **JamF**: Yes

+ - **Other MDM**: Yes

+ - **Manual**: Must approve the extension by going to **Security Preferences or System Preferences > Security & Privacy** and then selecting **Allow**.

+3.

+ - **Function**: [Privacy Preference Policy Controls (PPPC, aka TCC (Transparency, Consent & Control), Full Disk Access (FDA))](mac-install-with-intune.md)

+ - **Mobile config (plist)**: https://github.com/microsoft/mdatp-xplat/blob/master/macos/mobileconfig/profiles/fulldisk.mobileconfig

+ - **Applicable to**:

+ - **Intune**: Yes

+ - **JamF**: Yes

+ - **Other MDM**: Yes

+ - **Manual**: Must approve the extension by going to **Security Preferences or System Preferences > Security & Privacy > Privacy > Full Disk Access** and then selecting **Allow**, and checking the box next to the following:

+ - **Microsoft Defender**

+ - **Microsoft Defender Security Extension**

+4.

+ - **Function**: Running in background

+ - **Mobile config (plist)**: https://github.com/microsoft/mdatp-xplat/blob/master/macos/mobileconfig/profiles/background_services.mobileconfig

+ - **Applicable to**:

+ - **Intune**: Yes

+ - **JamF**: Yes

+ - **Other MDM**: Yes

+ - **Manual**: Not applicable

+5.

+ - **Function**: Sending notifications

+ - **Mobile config (plist)**: https://github.com/microsoft/mdatp-xplat/blob/master/macos/mobileconfig/profiles/notif.mobileconfig

+ - **Applicable to**:

+ - **Intune**: Yes

+ - **JamF**: Yes

+ - **Other MDM**: Yes

+ - **Manual**: Not applicable

+6.

+ - **Function**: Accessibility

+ - **Mobile config (plist)**: https://github.com/microsoft/mdatp-xplat/blob/master/macos/mobileconfig/profiles/accessibility.mobileconfig

+ - **Applicable to**:

+ - **Intune**: Yes

+ - **JamF**: Yes

+ - **Other MDM**: Yes

+ - **Manual**: Not applicable

+#### Step 3: Test the installed profiles using macOS built-in ΓÇÿprofileΓÇÖ tool. It compares your profiles with what we have published in GitHub, reporting inconsistent profiles or profiles missing altogether

+1. Download the script from https://github.com/microsoft/mdatp-xplat/tree/master/macos/mdm.

+1. Click **Raw**. The new URL will be https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/macos/mdm/analyze_profiles.py.

+1. Save it as *analyze_profiles.py* to **Downloads** by running the following command in terminal:

+```BashCopy

+ curl -O https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/macos/mdm/analyze_profiles.py

+```

+4. Run the profile analyzer python3 script without any parameters by executing the following command in terminal:

+```BashCopy

+ cd /Downloads

+ sudo python3 analyze_profiles.py

+```

+ > [!NOTE]

+ > Sudo permissions are required to execute this command.

+OR

+5. Run the script directly from the Web by executing the following command:

+```BashCopy

+ sudo curl https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/macos/mdm/analyze_profiles.py

+| python3 -

+```

+ > [!NOTE]

+ > Sudo permissions are required to execute this command.

+The output will show all potential issues with profiles.

+## Recommended content

+- [Deploying Microsoft Defender for Endpoint on macOS with Jamf Pro](mac-install-with-jamf.md): Learn how to deploy Microsoft Defender for Endpoint on macOS with Jamf Pro.

+- [Set up the Microsoft Defender for Endpoint on macOS policies in Jamf Pro](mac-jamfpro-policies.md): Learn how to set up the Microsoft Defender for Endpoint on macOS policies in Jamf Pro.

+- [Set up device groups in Jamf Pro](mac-jamfpro-device-groups.md):

+Learn how to set up device groups in Jamf Pro for Microsoft Defender for Endpoint on macOS.

+- [Log in to Jamf Pro](mac-install-jamfpro-login.md)

+ Title: Manage profiles and approve extensions using Intune

+description: Manage profiles and approve extensions using Intune for Microsoft Defender for Endpoint to work properly on macOS.

+keywords: microsoft, defender, Microsoft Defender for Endpoint, mac, performance, big sur, monterey, ventura, mde for mac

+ms.mktglfcycl: deploy

+ms.sitesec: library

+ms.pagetype: security

+ms.localizationpriority: medium

+audience: ITPro

+- m365-security

+- tier3

+search.appverid: met150

+# Manage profiles and approve extensions using Intune

+This article describes the procedures to follow to manage profiles properly using the Intune management tool.

+## Intune

+### Intune System Extensions Policy

+To approve the system extensions:

+1. In Intune, select **Manage > Device configuration**, and then select **Manage > Profiles > Create Profile**.

+1. Choose a name for the profile. Change **Platform=macOS** to **Profile type=Extensions**, and then select **Create**.

+1. In the **Basics** tab, give a name to this new profile.

+1. In the **Configuration settings** tab, add the following entries in the **Allowed system extensions** section:

+ |Bundle identifier |Team identifier |

+ |||

+ |com.microsoft.wdav.epsext | UBF8T346G9 |

+ |com.microsoft.wdav.netext | UBF8T346G9 |

+ :::image type="content" source="images/entries-in-configuration-settings-tab.png" alt-text="Adding entries in the Configuration settings tab." lightbox="images/entries-in-configuration-settings-tab.png":::

+1. In the **Assignments** tab, assign this profile to **All Users & All devices**.

+1. Review and create this configuration profile.

+### Create the custom configuration profile

+The custom configuration profile enables the network extension and grants Full Disk Access to the Endpoint Security system extension.

+1. Save the following content to a file named *sysext.xml*:

+```powershell

+ <?xml version="1.0" encoding="UTF-8"?><!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

+<plist version="1">

+ <dict>

+ <key>PayloadUUID</key>

+ <string>7E53AC50-B88D-4132-99B6-29F7974EAA3C</string>

+ <key>PayloadType</key>

+ <string>Configuration</string>

+ <key>PayloadOrganization</key>

+ <string>Microsoft Corporation</string>

+ <key>PayloadIdentifier</key>

+ <string>7E53AC50-B88D-4132-99B6-29F7974EAA3C</string>

+ <key>PayloadDisplayName</key>

+ <string>Microsoft Defender System Extensions</string>

+ <key>PayloadDescription</key>

+ <string/>

+ <key>PayloadVersion</key>

+ <integer>1</integer>

+ <key>PayloadEnabled</key>

+ <true/>

+ <key>PayloadRemovalDisallowed</key>

+ <true/>

+ <key>PayloadScope</key>

+ <string>System</string>

+ <key>PayloadContent</key>

+ <array>

+ <dict>

+ <key>PayloadUUID</key>

+ <string>2BA070D9-2233-4827-AFC1-1F44C8C8E527</string>

+ <key>PayloadType</key>

+ <string>com.apple.webcontent-filter</string>

+ <key>PayloadOrganization</key>

+ <string>Microsoft Corporation</string>

+ <key>PayloadIdentifier</key>

+ <string>CEBF7A71-D9A1-48BD-8CCF-BD9D18EC155A</string>

+ <key>PayloadDisplayName</key>

+ <string>Approved Network Extension</string>

+ <key>PayloadDescription</key>

+ <string/>

+ <key>PayloadVersion</key>

+ <integer>1</integer>

+ <key>PayloadEnabled</key>

+ <true/>

+ <key>FilterType</key>

+ <string>Plugin</string>

+ <key>UserDefinedName</key>

+ <string>Microsoft Defender Network Extension</string>

+ <key>PluginBundleID</key>

+ <string>com.microsoft.wdav</string>

+ <key>FilterSockets</key>

+ <true/>

+ <key>FilterDataProviderBundleIdentifier</key>

+ <string>com.microsoft.wdav.netext</string>

+ <key>FilterDataProviderDesignatedRequirement</key>

+ <string>identifier &quot;com.microsoft.wdav.netext&quot; and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9</string>

+ </dict>

+ <dict>

+ <key>PayloadUUID</key>

+ <string>56105E89-C7C8-4A95-AEE6-E11B8BEA0366</string>

+ <key>PayloadType</key>

+ <string>com.apple.TCC.configuration-profile-policy</string>

+ <key>PayloadOrganization</key>

+ <string>Microsoft Corporation</string>

+ <key>PayloadIdentifier</key>

+ <string>56105E89-C7C8-4A95-AEE6-E11B8BEA0366</string>

+ <key>PayloadDisplayName</key>

+ <string>Privacy Preferences Policy Control</string>

+ <key>PayloadDescription</key>

+ <string/>

+ <key>PayloadVersion</key>

+ <integer>1</integer>

+ <key>PayloadEnabled</key>

+ <true/>

+ <key>Services</key>

+ <dict>

+ <key>SystemPolicyAllFiles</key>

+ <array>

+ <dict>

+ <key>Identifier</key>

+ <string>com.microsoft.wdav.epsext</string>

+ <key>CodeRequirement</key>

+ <string>identifier "com.microsoft.wdav.epsext" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9</string>

+ <key>IdentifierType</key>

+ <string>bundleID</string>

+ <key>StaticCode</key>

+ <integer>0</integer>

+ <key>Allowed</key>

+ <integer>1</integer>

+ </dict>

+ </array>

+ </dict>

+ </dict>

+ </array>

+ </dict>

+</plist>

+```

+Verify that the above content was copied into the file correctly. From terminal, run the following command and verify that it outputs to the result as shown in the following example:

+```powershell-interactive

+$ plutil -lint sysext.xml

+sysext.xml: OK

+```

+### Deploy this custom configuration profile

+1. In Intune, select **Manage > Device configuration**, and then select **Manage > Profiles > Create profile**.

+1. Choose a name for the profile. For the **Platform** attribute, set the value as **macOS** and for the **Profile type** attribute, set the value as **Custom**, and then select **Configure**. The file *sysext.xml* is created.

+1. Open the configuration profile and upload the *sysext.xml* file.

+1. Select **OK**.

+5. In the **Assignments** tab, assign this profile to **All Users & All devices**.

+6. Review and create this configuration profile.

+ Title: Manage system extensions using the manual methods of deployment

+description: Manage system extensions using the manual methods of deployment.

+keywords: microsoft, defender, Microsoft Defender for Endpoint, mac, performance, big sur, monterey, ventura, mde for mac

+ms.mktglfcycl: deploy

+ms.sitesec: library

+ms.pagetype: security

+ms.localizationpriority: medium

+audience: ITPro

+- m365-security

+- tier3

+search.appverid: met150

+# Manage system extensions using the manual methods of deployment

+This article describes the procedures involved when deploying Microsoft Defender for Endpoint manually.

+## Manual deployment

+### System Extensions

+You might see the prompt that's shown in the following screenshot:

+1. Select **OK**. You might get a second prompt as shown in the following screenshot:

+ :::image type="content" source="images/system-extension-blocked-second-prompt.png" alt-text="The second prompt regarding system extensions being blocked." lightbox="images/system-extension-blocked-second-prompt.png":::

+1. From this second-prompt screen, select **OK**. You'll receive a notification message that reads **Installation succeeded**, as shown in the following screenshot:

+ :::image type="content" source="images/installation-succeeded-notification-message.png" alt-text="The screen displaying the installation succeeded notification message." lightbox="images/installation-succeeded-notification-message.png":::

+1. On the screen displaying the **Installation succeeded** notification message, select **OK**. You'll return to the following screen:

+ :::image type="content" source="images/mde-menu.png" alt-text="The Microsoft Defender for Endpoint menu containing the x symbol." lightbox="images/mde-menu.png":::

+1. From the menu bar, click the **x** symbol on the shield. You'll get the options shown in the following screenshot:

+ :::image type="content" source="images/options-on-clicking-x-symbol.png" alt-text="The screen on clicking the x symbol in the shield." lightbox="images/options-on-clicking-x-symbol.png":::

+1. Select **Action needed**. The following screen appears:

+ :::image type="content" source="images/virus-and-threat-protection-screen.png" alt-text="The Virus & threat protection screen containing the Fix button." lightbox="images/virus-and-threat-protection-screen.png":::

+1. Click **Fix** on the top-right corner of this screen. You'll get a prompt, as shown in the following screenshot:

+ :::image type="content" source="images/prompt-on-virus-and-threat-protection-screen.png" alt-text="The prompt dialog box on the Virus & threat protection screen." lightbox="images/prompt-on-virus-and-threat-protection-screen.png":::

+1. Enter your password and select **OK**.

+1. Click

+ :::image type="content" source="images/system-preferences-icon.png" alt-text="The System Preferences icon." lightbox="images/system-preferences-icon.png":::

+ The **System Preferences** screen appears.

+ :::image type="content" source="images/system-preferences-screen.png" alt-text="The System Preferences screen." lightbox="images/system-preferences-screen.png":::

+1. Click **Security & Privacy**. The **Security & Privacy** screen appears.

+ :::image type="content" source="images/security-and-privacy-screen.png" alt-text="The Security & Privacy screen." lightbox="images/security-and-privacy-screen.png":::

+1. Select **Click the lock to make changes**. You'll get a prompt as shown in the following screenshot:

+ :::image type="content" source="images/prompt-on-security-and-privacy-screen.png" alt-text="The prompt on the Security & Privacy screen." lightbox="images/prompt-on-security-and-privacy-screen.png":::

+1. Enter your password and click **Unlock**. The following screen appears:

+ :::image type="content" source="images/screen-on-clicking-unlock.png" alt-text="The screen that is displayed on clicking Unlock." lightbox="images/screen-on-clicking-unlock.png":::

+1. Select **Details**, next to **Some software system requires your attention before it can be used**.

+ :::image type="content" source="images/screen-on-clicking-details.png" alt-text="The screen that is displayed on clicking Details." lightbox="images/screen-on-clicking-details.png":::

+1. Check both the **Microsoft Defender** checkboxes, and select **OK**. You'll get two pop-up screens, as shown in the following screenshot:

+ :::image type="content" source="images/popup-after-checking-both-md-checkboxes.png" alt-text="The popup that appears on checking both the checkboxes." lightbox="images/popup-after-checking-both-md-checkboxes.png":::

+1. On the **ΓÇ£Microsoft DefenderΓÇ¥ Would like to Filter Network Content** pop-up screen, click **Allow**.

+1. On the **Microsoft Defender wants to make changes** pop-up screen, enter your password and select **OK**.

+If you run systemextensionsctl list, the following screen appears:

+### Accessibility

+1. On the **Security & Privacy** screen, select the **Privacy** tab.

+ :::image type="content" source="images/privacy-tab.png" alt-text="The Privacy tab." lightbox="images/privacy-tab.png":::

+2. Select **Accessibility** from the left navigation pane, and click **+**.

+ :::image type="content" source="images/accessibility-and-plus-icon.png" alt-text="The Accessibility menu item and the Plus icon." lightbox="images/accessibility-and-plus-icon.png":::

+3. From the resultant screen, select **Applications** from the **Favorites** pane in the left-side of the screen; select **Microsoft Defender**; and then select **Open** at the bottom-right of the screen.

+ :::image type="content" source="images/applications-md-options.png" alt-text="The process of selecting Applications and Microsoft Defender." lightbox="images/applications-md-options.png":::

+

+4. From the resultant screen, check the **Microsoft Defender** checkbox.

+ :::image type="content" source="images/checking-md-checkbox.png" alt-text="Checking the Microsoft Defender checkbox." lightbox="images/checking-md-checkbox.png":::

+### Full Disk Access

+1. On the **Security & Privacy** screen, select the **Privacy** tab.

+1. Select **Full Disk Access** from the left navigation pane, and then click the **Lock** icon.

+ :::image type="content" source="images/full-disk-access-and-lock-icon.png" alt-text="The Full Disk Access option in the menu and the Lock icon." lightbox="images/full-disk-access-and-lock-icon.png":::

+1. Confirm that the Microsoft Defender extension has full disk access; if not, check the **Microsoft Defender** checkbox.

+

+ :::image type="content" source="images/check-md-checkbox.png" alt-text="Checking the MD checkbox." lightbox="images/check-md-checkbox.png":::

+### Notifications

+1. From the **System Preferences** home screen, select **Notifications**.

+ :::image type="content" source="images/notifications-option.png" alt-text="The Notifications option in the System Preferences screen." lightbox="images/notifications-option.png":::

+

+ The **Notifications** screen appears.

+1. Select **Microsoft Defender** from the left navigation pane.

+1. Enable the **Allow Notifications** option; select **Alerts**, and retain the default settings as is.

+ :::image type="content" source="images/notifications-md.png" alt-text="Selecting Microsoft Defender option from the Notifications screen." lightbox="images/notifications-md.png":::

+### What a healthy system looks like

+#### mdatp health output

+#### Check the system extensions

+In terminal, run the following command to check the system extensions:

+`systemextensionsctl list`

+The execution of this command is shown in the following screenshot:

+ Title: Manage system extensions using other MDM solutions

+description: Manage system extensions using other MDM solutions.

+keywords: microsoft, defender, Microsoft Defender for Endpoint, mac, performance, big sur, monterey, ventura, mde for mac

+ms.mktglfcycl: deploy

+ms.sitesec: library

+ms.pagetype: security

+ms.localizationpriority: medium

+audience: ITPro

+- m365-security

+- tier3

+search.appverid: met150

+# Manage system extensions using other MDM solutions

+This article deals with deployment of Microsoft Defender for Endpoint on macOS using other MDM solutions. For detailed information, see [System configuration profiles](mac-install-with-other-mdm.md).

+ Title: Manage system extensions using JamF

+description: Manage system extensions using JamF for Microsoft Defender for Endpoint to work properly on macOS.

+keywords: microsoft, defender, Microsoft Defender for Endpoint, mac, performance, big sur, monterey, ventura, mde for mac

+ms.mktglfcycl: deploy

+ms.sitesec: library

+ms.pagetype: security

+ms.localizationpriority: medium

+audience: ITPro

+- m365-security

+- tier3

+search.appverid: met150

+# Manage system extensions using JamF

+This article describes the procedures to implement in the process of managing the system extensions to ensure Microsoft Defender for Endpoint works properly on macOS.

+## JamF

+### JAMF System Extensions Policy

+To approve the system extensions, perform the following steps:

+1. Select **Computers > Configuration Profiles**, and then select **Options > System Extensions**.

+2. Select **Allowed System Extensions** from the **System Extension Types** drop-down list.

+3. Use **UBF8T346G9** for Team ID.

+4. Add the following bundle identifiers to the **Allowed System Extensions** list:

+ - com.microsoft.wdav.epsext

+ - com.microsoft.wdav.netext

+

+ :::image type="content" source="images/jamf-system-extensions-approval.png" alt-text="Approving system extensions in JamF." lightbox="images/jamf-system-extensions-approval.png":::

+### Privacy Preferences Policy Control (also known as Full Disk Access)

+Add the following JAMF payload to grant Full Disk Access to the Microsoft Defender for Endpoint Security Extension. This policy is a prerequisite for running the extension on your device.

+1. Select **Options > Privacy Preferences Policy Control**.

+1. Use **com.microsoft.wdav.epsext** as the Identifier and **Bundle ID** as Bundle type.

+1. Set Code Requirement to **identifier com.microsoft.wdav.epsext and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9**.

+1. Set **App or service** to **SystemPolicyAllFiles** and access to **Allow**.

+ :::image type="content" source="images/privacy-preferences-policy-control.png" alt-text="Privacy preferences policy control." lightbox="images/privacy-preferences-policy-control.png":::

+### Network Extension Policy

+As part of the Endpoint Detection and Response capabilities, Microsoft Defender for Endpoint on macOS inspects socket traffic and reports this information to the Microsoft 365 Defender portal. The following policy allows the network extension to perform this functionality:

+> [!NOTE]

+> JAMF doesn't have built-in support for content filtering policies, which are a prerequisite for enabling the network extensions that Microsoft Defender for Endpoint on macOS installs on the device. Furthermore, JAMF sometimes changes the content of the policies being deployed. As such, the following steps provide a workaround that involves signing the configuration profile.

+1. Save the following content to your device as **com.microsoft.network-extension.mobileconfig** using a text editor:

+```powershell

+ <?xml version="1.0" encoding="UTF-8"?><!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

+<plist version="1">

+ <dict>

+ <key>PayloadUUID</key>

+ <string>DA2CC794-488B-4AFF-89F7-6686A7E7B8AB</string>

+ <key>PayloadType</key>

+ <string>Configuration</string>

+ <key>PayloadOrganization</key>

+ <string>Microsoft Corporation</string>

+ <key>PayloadIdentifier</key>

+ <string>DA2CC794-488B-4AFF-89F7-6686A7E7B8AB</string>

+ <key>PayloadDisplayName</key>

+ <string>Microsoft Defender Network Extension</string>

+ <key>PayloadDescription</key>

+ <string/>

+ <key>PayloadVersion</key>

+ <integer>1</integer>

+ <key>PayloadEnabled</key>

+ <true/>

+ <key>PayloadRemovalDisallowed</key>

+ <true/>

+ <key>PayloadScope</key>

+ <string>System</string>

+ <key>PayloadContent</key>

+ <array>

+ <dict>

+ <key>PayloadUUID</key>

+ <string>2BA070D9-2233-4827-AFC1-1F44C8C8E527</string>

+ <key>PayloadType</key>

+ <string>com.apple.webcontent-filter</string>

+ <key>PayloadOrganization</key>

+ <string>Microsoft Corporation</string>

+ <key>PayloadIdentifier</key>

+ <string>CEBF7A71-D9A1-48BD-8CCF-BD9D18EC155A</string>

+ <key>PayloadDisplayName</key>

+ <string>Approved Network Extension</string>

+ <key>PayloadDescription</key>

+ <string/>

+ <key>PayloadVersion</key>

+ <integer>1</integer>

+ <key>PayloadEnabled</key>

+ <true/>

+ <key>FilterType</key>

+ <string>Plugin</string>

+ <key>UserDefinedName</key>

+ <string>Microsoft Defender Network Extension</string>

+ <key>PluginBundleID</key>

+ <string>com.microsoft.wdav</string>

+ <key>FilterSockets</key>

+ <true/>

+ <key>FilterDataProviderBundleIdentifier</key>

+ <string>com.microsoft.wdav.netext</string>

+ <key>FilterDataProviderDesignatedRequirement</key>

+ <string>identifier "com.microsoft.wdav.netext" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9</string>

+ </dict>

+ </array>

+ </dict>

+</plist>

+```

+2. Verify that the above content was copied correctly into the file by running the **plutil** utility in terminal:

+```BashCopy

+$ plutil -lint <PathToFile>/com.microsoft.network-extension.mobileconfig

+```

+For example, if the file was stored in *Documents*:

+```BashCopy

+$ plutil -lint ~/Documents/com.microsoft.network-extension.mobileconfig

+```

+3. Verify that the command outputs **OK**

+```BashCopy

+<PathToFile>/com.microsoft.network-extension.mobileconfig: OK

+```

+5. Follow the instructions on [this page](https://learn.jamf.com/bundle/technical-articles/page/Welcome.html) to create a signing certificate using JAMF's built-in certificate authority.

+5. After the certificate is created and installed to your device, run the following command from terminal to sign the file:

+```BashCopy

+$ security cms -S -N "<CertificateName>" -i <PathToFile>/com.microsoft.network-extension.mobileconfig -o <PathToSignedFile>/com.microsoft.network-extension.signed.mobileconfig

+```

+For example, if the certificate name is *SigningCertificate* and the signed file is going to be stored in *Documents*:

+```BashCopy

+$ security cms -S -N "SigningCertificate" -i ~/Documents/com.microsoft.network-extension.mobileconfig -o ~/Documents/com.microsoft.network-extension.signed.mobileconfig

+```

+6. From the JAMF portal, navigate to **Configuration Profiles** and select the **Upload** button. Select **com.microsoft.network-extension.signed.mobileconfig** when prompted for the file.

+ To learn more about the different Microsoft Defender Antivirus Update channels, see [Manage the gradual rollout process for Microsoft Defender updates](manage-gradual-rollout.md)

+ :::image type="content" source="images/microsoft-defender-antivirus-deploy-ring-group-policy-wsus-updates-add-rule.png" alt-text="Screenshot that shows a screen capture of an example name for a rule." lightbox="images/microsoft-defender-antivirus-deploy-ring-group-policy-wsus-updates-add-rule.png":::

+ :::image type="content" source="images/microsoft-defender-antivirus-deploy-ring-gp-microsoft-defender-antivirus-channels.png" alt-text="Screenshot that shows a screen capture of the pilot Computer Configuration > Policies > Administrative Templates > Windows Components > Microsoft Defender Antivirus update channels." lightbox="images/microsoft-defender-antivirus-deploy-ring-gp-microsoft-defender-antivirus-channels.png":::

+ For more information, see [Manage the gradual rollout process for Microsoft Defender updates](manage-gradual-rollout.md)

+1. Go to **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus**.

+ - From the command line, run the Group Policy update command. For example, run `gpupdate / force`. For more information, see [gpupdate](/windows-server/administration/windows-commands/gpupdate)

+3. Set up a PowerShell script, `CopySignatures.ps1`

+ :::image type="content" source="images/microsoft-defender-antivirus-deploy-ring-gp-microsoft-defender-antivirus-channels.png" alt-text="Screenshot that shows a screen capture of the pilot Computer Configuration > Policies > Administrative Templates > Windows Components > Microsoft Defender Antivirus update channels." lightbox="images/microsoft-defender-antivirus-deploy-ring-gp-microsoft-defender-antivirus-channels.png":::

+ For more information, see [Manage the gradual rollout process for Microsoft Defender updates](manage-gradual-rollout.md)

+1. Go to **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus**.

+### August-2023 (Platform: 4.18.23080.2006 | Engine: 1.1.23080.2005)

+- Security intelligence update version: **1.397.59.0**

+- Released: **August 30, 2023 (Platform and Engine)**

+- Platform: **4.18.23080.2006**

+- Engine: **1.1.23080.2005**

+- Support phase: **Security and Critical Updates**

+### What's new

+- Fixed an issue where Microsoft Defender Antivirus switched from [passive mode to active mode](microsoft-defender-antivirus-windows.md#comparing-active-mode-passive-mode-and-disabled-mode) following an update on Windows Server 2016 and Windows Server 2012 R2 [onboarded using the modern, unified client](configure-server-endpoints.md)

+- Fixed an issue where [exclusions](defender-endpoint-antivirus-exclusions.md) were not applied correctly using [gpupdate](/windows-server/administration/windows-commands/gpupdate) when registry policy processing was set to process even if Group Policy Objects did not change

+- Excluded IP addresses can now be configured using [Intune](/windows/client-management/mdm/defender-csp#configurationexcludedipaddresses)

+- Improved [tamper protection](prevent-changes-to-security-settings-with-tamper-protection.md) on Windows Server 2016

+- [DisableFtpParsing](/windows/client-management/mdm/defender-csp#configurationdisableftpparsing) can now be configured through [Set-MpPreference](/powershell/module/defender/set-mppreference)

+- Fixed an issue where [device control](device-control-removable-storage-protection.md) policies were not applied correctly without a reboot following product updates

+- Fixed an issue in the attack surface reduction rule, [Block Win32 API calls from Office macros](attack-surface-reduction-rules-reference.md#block-win32-api-calls-from-office-macros), configured in warn mode where excluded files were incorrectly blocked until the next device reboot

+### Known issues

+- None

+## May-2023 (Platform: 4.18.23050.3 | Engine: 1.1.23050.2)

+- Security intelligence update version: **1.391.64.0**

+- Released: **May 31, 2023**

+- Platform: **4.18.23050.3**

+- Engine: **1.1.23050.2**

+- Support phase: **Technical upgrade support (only)**

+

+### What's new

+- New version format for Platform and Engine (see the [April-2023 update](#whats-new))

+- Improved processing of SmartLockerMode

+- Fixed input parameters for DefinitionUpdateChannel cmdlet in [Set-MpPreference](/powershell/module/defender/set-mppreference)

+- Improved installation experience for [Windows Server 2012 R2 and Windows Server 2016](microsoft-defender-antivirus-on-windows-server.md)

+- Added ability to disable Defender task maintenance tasks programmatically

+- Fixed WDFilter 0x50 bug check

+- Fixed print enforcement issue for device control

+- Fixed scan randomization issue when setting Intune policy

+- Fixed sense offboarding on Windows Server 2016 when [tamper protection](prevent-changes-to-security-settings-with-tamper-protection.md) is enabled

+- Fixed inconsistent results of caching files with the internal Defender file cache

+- Augmented attack surface reduction (ASR) telemetry with more data related to an ASR detection

+- Removed Image File Execution Options (IFEO) debugger value during installation, which can be used to prevent service starts

+- Fixed memory leaked in ASR logic

+- Improved validation guard-rail for Malicious Software Removal Tool (MSRT) releases

+

+### Known Issues

+- Potential issue that could lead to resolution of incorrect service endpoint

+<!--These links are purposely blocked; will trigger as broken link>

+> The above **'Custom network indicators'** toggle controls **Custom Indicators** enablement **for ALL platforms** with Network Protection support, including Windows. Reminder thatΓÇöon WindowsΓÇöfor indicators to be enforced you also must have Network Protection explicitly enabled.

+|[Synergy Advisors Teams App](https://synergyadvisors.biz/e-visor-teams-app/)|Synergy Advisors LLC|E-Visor Teams App is a centralized place to involve and empower your end-users in the security and productivity of the organization by presenting unique information using data from Microsoft Defenders and Azure Active Directory while ensuring identity governance, and compliance.|

+|[Invoke Monthly Microsoft 365 Security Assessments](https://go.microsoft.com/fwlink/?linkid=2202583)|Invoke LLC|Provides monthly detailed assessment reports of active threats, vulnerabilities active and Phishing/malware campaigns targeted on your Microsoft 365 Environment. Helps with prescribed mitigations for active threats and improvement actions for recurring threats if any. Monitor Secure score and recommendations, giving your security teams an extra set of eyes to stay on top of risks.|

+|[Synergy Advisors Teams App](https://synergyadvisors.biz/e-visor-teams-app/)|Synergy Advisors LLC|E-Visor Teams App is a centralized place to involve and empower your end-users in the security and productivity of the organization by presenting unique information using data from Microsoft Defenders and Azure Active Directory while ensuring identity governance, and compliance.|

+|[Synergy Advisors Teams App](https://synergyadvisors.biz/e-visor-teams-app/)|Synergy Advisors LLC|E-Visor Teams App is a centralized place to involve and empower your end-users in the security and productivity of the organization by presenting unique information using data from Microsoft Defenders and Azure Active Directory while ensuring identity governance, and compliance.|

+|`70`|Offboarding script is for a different organization|Get an offboarding script for the correct organization that the SENSE service is onboarded to.|

+> If you've arrived on this page as a result of clicking on a notification at the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), you have devices in your environment with outdated agents, and you need to take action (see below) to avoid service disruption. For more details, please reference message center post MC598631 (requires access to [Message Center](/microsoft-365/admin/manage/message-center)).

+*This option applies to devices running Windows 7 SP1 Enterprise, Windows 7 SP1 Pro, Windows 8.1 Pro, Windows 8.1 Enterprise, and Windows Server 2008 R2 SP1.*

+- If you are, however, still using MMA for other purposes (such as Log Analytics), MMA is currently set to retire in August 2024. See [We're retiring the Log Analytics agent in Azure Monitor on 31 August 2024](https://azure.microsoft.com/updates/were-retiring-the-log-analytics-agent-in-azure-monitor-on-31-august-2024/). Depending on your particular scenario, this could be a good time to upgrade to [Azure Monitoring Agent, the successor of MMA](/azure/azure-monitor/agents/azure-monitor-agent-migration).

+## August 2023

+- (GA) The [Monthly security summary report](monthly-security-summary-report.md) is now generally available. The report helps organizations get a visual summary of key findings and overall preventative actions taken to enhance the organization's overall security posture completed in the last month.

+|Exchange Online Protection|Exchange Online Protection is the native cloud-based SMTP relay and filtering service that helps protect your organization against spam and malware.|[Exchange Online Protection (EOP) overview - Office 365](../office-365-security/eop-about.md)|

+|Microsoft Defender for Office 365|Microsoft Defender for Office 365 safeguards your organization against malicious threats posed by email messages, links (URLs) and collaboration tools.|[Microsoft Defender for Office 365 - Office 365](/microsoft-365/security/office-365-security/defender-for-office-365-whats-new)|

+- If you have granted Defender Experts for XDR the default Security Reader access, then the recommended response actions, along with an **Investigation summary**, show up in the incident's **Managed response** flyout panel in your Microsoft 365 Defender portal for you or your SOC team to perform. To identify this handover, the incident's **Status** field is updated to _Awaiting Customer Action_ and its **Assigned to** field is updated to _Customer_.

+> The status of incidents investigated by Defender Experts in Microsoft 365 Defender typically transitions from _Active_ to _In progress_ to _Awaiting Customer Action_ to _Resolved_, while in Sentinel, it follows the _New_ to _Active_ to _Resolved_ path. The Microsoft 365 Defender Status ***Awaiting Customer Action*** doesn't have an equivalent field in Sentinel; instead, it's displayed as a tag in an incident in Sentinel.

+1. Once our experts have concluded their investigation and closed an incident as _False Positive_ or _Informational_, _Expected Activity_, the incident's **Status** is updated to _Resolved_, the **Owner** is updated to _Unassigned_, and a **Reason for closing** is provided.

+Besides being vulnerable at the firmware level, CPUs could be manufactured with backdoors inserted directly in the hardware circuitry. This attack has been [researched and proved possible](https://www.microsoft.com/en-us/security/blog/2018/09/27/out-of-sight-but-not-invisible-defeating-fileless-malware-with-behavior-monitoring-amsi-and-next-gen-av/) in the past. It has been reported that certain models of x86 processors contain a secondary embedded RISC-like CPU core that can [effectively provide a backdoor](https://www.theregister.co.uk/2018/08/10/via_c3_x86_processor_backdoor/) through which regular applications can gain privileged execution.

+|West Coast Labs|Checkmark Certified </br> <http://www.checkmarkcertified.com/>|"A" Rating on Product Security Performance|

+#### True type matching in the common attachments filter

+The common attachments filter uses best effort true type matching to detect the file type, regardless of the filename extension. True type matching uses file characteristics to determine the real file type (for example, leading and trailing bytes in the file). For example, if an `exe` file is renamed with a `txt` filename extension, the common attachments filter detects the file as an `exe` file.

+True type matching in the common attachments filter supports the following file types:

+`7zip, ace, adoc, ani, arc, arj, asf, asice, avi, bmp, bz, bz2, cab, cda, chm, deb, dex, dll, dmg, doc, docm, docx, dot, dotm, dotx, dwg, eml, eps, epub, excelml, exe, fluid, gif, gzip, heic, heif, html, hyper, icon, ics, infopathml, jar, javabytecode, jnlp, jpeg, json,lib, lnk, lzh, lzma, macho, mhtml, mp3, mp4, mpeg, mpp, msaccess, mscompress, msg, msp, musx, nws, obd, obj, obt, odbcexcel, odc, odf, odg, odi, odm, odp, ods, odt, one, otc, otf, otg, oth, oti, otp, ots, ott, pal, pcx, pdf, pfb, pfile, pif, png, pointpub, pot, potm, potx, powerpointml, ppam, pps, ppsm, ppsx, ppt, pptm, pptx, ps, pub, qcp, quicktime, rar, rar4, riff, rmi, rpm, rpmsg, rtf, smime, swf,tar, tiff, tlb, tnef, ttf, txt, vcf, vcs, vdw, vdx, vsd, vsdm, vsdx, vss, vssm, vssx, vst, vstm, vstx, vsx, vtt, vtx, wav, webp, whiteboard, wmf, woff, woff2, word2, wordml, xar, xlam, xlb, xlc, xls, xlsb, xlsm, xlsx, xlt, xltm, xltx, xml, xps, xz, z, zip, zoo`

+If true type matching fails or isn't supported for the file type, then simple extension matching is used.

+## August 2023

+- If the [User reported settings](submissions-user-reported-messages-custom-mailbox.md) in the organization send user reported messages (email and [Microsoft Teams](submissions-teams.md)) to Microsoft (exclusively or in addition to the reporting mailbox), we now do the same checks as when admins submit messages to Microsoft for analysis from the **Submissions** page.

+3. The anti-virus (AV) engines use true type matching to detect the file type, regardless of the filename extension (for example, `exe` files renamed to `txt` are detected as `exe` files). This capability allows **Type blocking** (also known as the common attachment filter) to correctly block file types specified by admins. For the list of supported file types, see [True type matching in the common attachments filter](anti-malware-protection-about.md#true-type-matching-in-the-common-attachments-filter).

+|Messages quarantined by anti-spam policies as spam, high confidence spam, phishing, high confidence phishing, or bulk.|15 days <ul><li>In the default anti-spam policy.</li><li>In anti-spam policies that you create in PowerShell.</li></ul> <br/> 30 days <ul><li>In anti-spam policies that you create in the Microsoft 365 Defender portal.</li><li>In the Standard and Strict [preset security policies](preset-security-policies.md#appendix)</li></ul>|Yes^\*|You can configure (lower) the value in the default anti-spam policy and in custom anti-spam policies. For more information, see the **Retain spam in quarantine for this many days** (_QuarantineRetentionPeriod_) setting in [Configure anti-spam policies](anti-spam-policies-configure.md). <br/><br/> ^\*You can't change the value in the Standard or Strict preset security policies.|

+|Messages quarantined by anti-phishing policies: <ul><li>**EOP**: Spoof intelligence.</li><li>**Defender for Office 365**: User impersonation protection, domain impersonation protection, and mailbox intelligence protection.</li></ul>|15 days or 30 days|Yes^\*|This retention period is also controlled by the **Retain spam in quarantine for this many days** (_QuarantineRetentionPeriod_) setting in **anti-spam** policies. The retention period that's used is the value from the first matching **anti-spam** policy that the recipient is defined in.|

+|Messages quarantined by anti-malware policies (malware messages).|30 days|No|If you turn on the *common attachments filter* in anti-malware policies (in the default policy or in custom policies), file attachments in email messages to the affected recipients are treated as malware based solely on the file extension using true type matching. A predefined list of mostly executable file types is used by default, but you can customize the list. For more information, see [Common attachments filter in anti-malware policies](anti-malware-protection-about.md#common-attachments-filter-in-anti-malware-policies).|

+|Messages quarantined by mail flow rules where the action is **Deliver the message to the hosted quarantine** (_Quarantine_).|30 days|No||

+- If the [User reported settings](submissions-user-reported-messages-custom-mailbox.md) in the organization send user reported messages (email and [Microsoft Teams](submissions-teams.md)) to Microsoft (exclusively or in addition to the reporting mailbox), we do the same checks as when admins submit messages to Microsoft for analysis from the **Submissions** page:

+ - **Email authentication check** (email messages only): Whether email authentication passed or failed when it was delivered.

+ - **Policy hits**: Information about any policies or overrides that might have allowed or blocked the incoming email into the organization, thus overriding our filtering verdicts.

+ - **Payload reputation/detonation**: Up-to-date examination of any URLs and attachments in the message.

+ - **Grader analysis**: Review done by human graders to confirm whether or not messages are malicious.

+ So, submitting or resubmitting messages to Microsoft is useful to admins only for messages that have never been submitted to Microsoft, or when you disagree with the original verdict.

+When admins submit messages to Microsoft for analysis, we do the following checks:

+> In U.S. Government organizations (Microsoft 365 GCC, GCC High, and DoD), admins can submit email messages to Microsoft for analysis, but the messages are analyzed for email authentication and policy hits only. Payload reputation, detonation, and grader analysis aren't done for compliance reasons (data isn't allowed to leave the organization boundary).

+- If the [User reported settings](submissions-user-reported-messages-custom-mailbox.md) in the organization send user reported messages (email and [Microsoft Teams](submissions-teams.md)) to Microsoft (exclusively or in addition to the reporting mailbox), we do the same checks as when admins submit messages to Microsoft for analysis from the **Submissions** page. So, submitting or resubmitting messages to Microsoft is useful to admins only for messages that have never been submitted to Microsoft, or when you disagree with the original verdict.

+ > [!NOTE]

+ > If the [User reported settings](submissions-user-reported-messages-custom-mailbox.md) in the organization send user reported messages (email and [Microsoft Teams](submissions-teams.md)) to Microsoft (exclusively or in addition to the reporting mailbox), we do the same checks as when admins submit messages to Microsoft for analysis from the **Submissions** page. So, submitting or resubmitting messages to Microsoft is useful to admins only for messages that have never been submitted to Microsoft, or when you disagree with the original verdict.

+>

+> For information about reporting messages in Microsoft Teams in Defender for Office 365 Plan 2, see [User reported message settings in Microsoft Teams](submissions-teams.md).

+>

+> For information about user reporting of email messages, see [Report suspicious email messages to Microsoft](submissions-report-messages-files-to-microsoft.md).

+> For information about user reported message settings in Microsoft Teams in Defender for Office 365 Plan 2, see [User reported message settings in Microsoft Teams](submissions-teams.md).

+>

+> If the [User reported settings](submissions-user-reported-messages-custom-mailbox.md) in the organization send user reported messages (email and [Microsoft Teams](submissions-teams.md)) to Microsoft (exclusively or in addition to the reporting mailbox), we do the same checks as when admins submit messages to Microsoft for analysis from the **Submissions** page. So, submitting or resubmitting messages to Microsoft is useful to admins only for messages that have never been submitted to Microsoft, or when you disagree with the original verdict.

+- If the [User reported settings](submissions-user-reported-messages-custom-mailbox.md) in the organization send user reported messages (email and [Microsoft Teams](submissions-teams.md)) to Microsoft (exclusively or in addition to the reporting mailbox), we do the same checks as when admins submit messages to Microsoft for analysis from the **Submissions** page:

+ - **Email authentication check** (email messages only): Whether email authentication passed or failed when it was delivered.

+ - **Policy hits**: Information about any policies or overrides that might have allowed or blocked the incoming email into the organization, thus overriding our filtering verdicts.

+ - **Payload reputation/detonation**: Up-to-date examination of any URLs and attachments in the message.

+ - **Grader analysis**: Review done by human graders to confirm whether or not messages are malicious.

+ So, submitting or resubmitting messages to Microsoft is useful to admins only for messages that have never been submitted to Microsoft, or when you disagree with the original verdict.

+Intune includes several Microsoft apps based on the Microsoft license that you use for Intune. To learn more about the different Microsoft enterprise license available that includes Intune, see [Microsoft Intune licensing](/mem/intune/fundamentals/licenses). To compare the different Microsoft apps that are available with Microsoft 365, see the [licensing options available with Microsoft 365](https://www.microsoft.com/microsoft-365/compare-microsoft-365-enterprise-plans). To see all the options for each plan (including the available Microsoft apps), download the full [Microsoft subscription comparison table](https://go.microsoft.com/fwlink/?linkid=2139145) and locate the plans that include Microsoft Intune.

+Teams with Microsoft Teams allows your organization to chat, meet, call, and collaborate all in one place. Millions of people get their work done with teams every day because it brings together everything you need to work on-site or remotely into a hub for teamwork.

+For detailed guidance, see [Support remote workers using Microsoft Teams](/microsoftteams/support-remote-work-with-teams).

+Read [Enabling hybrid work with Microsoft 365 and collaborative apps](https://www.microsoft.com/en-us/microsoft-365/blog/2022/07/19/from-enabling-hybrid-work-to-creating-collaborative-experiences-heres-whats-new-in-microsoft-365/) for guidance and demos on using Teams for hybrid work.

+| Transactional cost | Not applicable | For per-user licensing, uses AI Builder credits. 3,500 credits are included for each Syntex license per month. One million credits will allow processing of 10,000 file pages.<br>For pay-as-you-go licensing, not applicable. | For per-user licensing, uses AI Builder credits. 3,500 credits are included for each Syntex license per month. One million credits will allow processing of 10,000 file pages.<br>For pay-as-you-go licensing, not applicable. |

+ Title: Overview of enhanced image tagging in Microsoft Syntex

+description: Learn about enhanced image tagging in Microsoft Syntex.

+# Overview of enhanced image tagging in Microsoft Syntex

+ Title: Set up and manage enhanced image tagging in Microsoft Syntex

+description: Learn how to set and configure enhanced image tagging in Microsoft Syntex.

+# Set up and manage enhanced image tagging in Microsoft Syntex

+ Title: Find and manage images using enhanced image tagging in Microsoft Syntex

+description: Learn how to use enhacnced image tagging to search, sort, filter, and manage images in Microsoft Syntex.

+# Find and manage images using enhanced image tagging in Microsoft Syntex