Updates from: 08/05/2022 01:35:10
Category Microsoft Docs article Related commit history on GitHub Change details
commerce Pay For Your Subscription https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/billing-and-payments/pay-for-your-subscription.md
- AdminSurgePortfolio - business_assist - AdminTemplateSet Previously updated : 05/26/2022 Last updated : 08/04/2022 # How to pay for your subscription
You can pay for your subscription with a credit or debit card, or a bank account
In some cases, you can pay for your subscription by invoice with a check or EFT. To be eligible to pay by invoice, you must: -- Be an established customer-- Have a subscription cost that exceeds a certain amount (this amount varies by service location)
+- Be an established customer for at least six months and have no outstanding balances
+- Spend a minimum of $6,000 USD a month, or purchase a minimum amount for any 3 of the last 12 months (this amount can vary by service location).
- Pass a credit check
+When you request to change your payment method to check/wire transfer, there are two possible results:
+
+- You're automatically approved, and you're prompted for information about your company.
+- You're not automatically approved, but you can submit a [support request](../../admin/get-help-support.md).
+ If a credit check is required, you're notified when you buy your subscription. If you agree to be contacted, you get an email that includes more information about applying for credit approval. Credit checks are usually completed within two business days. > [!NOTE]
If you didn't add the payment method used to pay for the subscription, you must
> - Paying by check is only available in a few countries. > - If you must pay the membership fee for the Microsoft Partner Network (MPN) program (Action Pack subscription, Silver or Gold competencies), see [Pay competency fees](/partner-center/mpn-pay-fee-silver-gold-competency?tabs=workspaces-view) for information about how to make an MPN payment.
+## Check or wire transfer payment processing time
+
+Payments made by check are posted three to five business days after the check clears your bank. You can contact your bank to confirm the check status.
+
+Payments made by wire transfer have processing times that vary, depending on the type of transfer:
+
+- ACH domestic transfers - Five business days. Two to three days to arrive, plus two days to post.
+- Wire transfers (domestic) - Four business days. Two days to arrive, plus two days to post.
+- Wire transfers (international) - Seven business days. Five days to arrive, plus two days to post.
+
+If your account is approved for payment by check or wire transfer, the instructions for payment are on the invoice.
+ ## Can I pay my invoice online? You can't pay your invoice online. You must remit payment via either check or EFT.
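Review bot: The ACH entry in the new processing-time list says "Five business days", but its own breakdown (two to three days to arrive, plus two days to post) adds up to four to five. State the range, or say that five is the upper bound, so it matches the two wire-transfer entries, whose breakdowns add up exactly.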
compliance Sensitivity Labels Sharepoint Default Label https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sensitivity-labels-sharepoint-default-label.md
Summary of outcomes:
For an existing document library:
-1. In SharePoint, navigate to the document library > **Settings**.
+1. In SharePoint, navigate to the document library \> **Settings** \> **Library settings**.
2. From the **Library settings** flyout pane, select **Default sensitivity labels**, and then select a label from the drop-down box. For example:
frontline Virtual Appointments Toolkit https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/virtual-appointments-toolkit.md
Link to your organizationΓÇÖs booking page. Let your customers know if there are
**Who can I make an appointment with?**
-Make sure your clients can maintain relationships with their preferred providers by sharing which, if any, staff are operating exclusively virtually or in-person.
+Make sure your clients can maintain relationships with their preferred providers by sharing which, if any, staff members are operating exclusively virtually or in-person.
**How do I cancel or reschedule a virtual appointment?**
You can link your customers here Join a Bookings appointment as an attendee (mic
Make the most of virtual appointments by making sure your staff members know how to conduct them. You can share these articles and videos with your team members to help them better understand virtual appointments. -- [Learn how to use the Bookings app in Teams](https://support.microsoft.com/office/what-is-bookings-42d4e852-8e99-4d8f-9b70-d7fc93973cb5)-- [Learn how to join a Bookings appointment](https://support.microsoft.com/office/join-a-bookings-appointment-attendees-3deb7bde-3ea3-4b41-8a06-741ad0db9fc0)-- [Conduct an appointment](bookings-virtual-visits.md#conduct-an-appointment)-- [Watch a video about virtual appointments](#help-your-clients-and-customers-use-virtual-appointments)
+- [Learn how to use the Bookings app in Teams](https://support.microsoft.com/office/what-is-bookings-42d4e852-8e99-4d8f-9b70-d7fc93973cb5).
+- [Learn how to join a Bookings appointment](https://support.microsoft.com/office/join-a-bookings-appointment-attendees-3deb7bde-3ea3-4b41-8a06-741ad0db9fc0).
+- [Conduct an appointment](bookings-virtual-visits.md#conduct-an-appointment).
+- [Watch a video about virtual appointments](#help-your-clients-and-customers-use-virtual-appointments).
+- [Watch a video about how to manage the queue in virtual appointments](https://go.microsoft.com/fwlink/?linkid=2202615).
+- [Watch a video about waiting room features in virtual appointments](https://go.microsoft.com/fwlink/?linkid=2202614).
## Resources for your clients
security TOC https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/TOC.md
####### [Export assessment methods and properties](get-assessment-methods-properties.md) ####### [Export secure configuration assessment](get-assessment-secure-config.md) ####### [Export software inventory assessment](get-assessment-software-inventory.md)
+####### [Export non product code software inventory assessment](get-assessment-non-cpe-software-inventory.md)
####### [Export software vulnerabilities assessment](get-assessment-software-vulnerabilities.md) ###### [Automated Investigation]()
security Application Deployment Via Mecm https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/application-deployment-via-mecm.md
This article guides you in migrating down-level servers from Microsoft Monitorin
- Down-level OS devices in your environment onboarded with Microsoft Monitoring Agent. To confirm, verify that `MsSenseS.exe` is running in Task Manager. - Presence of the MMA agent. You can verify it by checking if the correct Workspace ID is present in the Control Panel> Microsoft Monitoring Agent. - Active Microsoft 365 Defender portal with devices onboarded.-- A Device Collection containing down-level servers such as Windows Server 2012 R2 or Windows Server 2016 using MMA agent is set up in your MECM instance.
+- A **Device Collection** containing down-level servers such as Windows Server 2012 R2 or Windows Server 2016 using MMA agent is set up in your MECM instance.
For more information on installing the listed prerequisites, see [related topics](#related-topics) section.
For more information on installing the listed prerequisites, see [related topics
Copy the unified solution package, onboarding script and migration script to the same content source you deploy other apps with MECM. 1. Download Onboarding Script and the unified solution from [Microsoft 365 Defender settings page](https://sip.security.microsoft.com/preferences2/onboarding).
- :::image type="content" source="images/onboarding-script.png" alt-text="Screenshot of onboarding script and unified solution download." lightbox="images/onboarding-script.png":::
+
+ :::image type="content" source="images/onboarding-script.png" alt-text="Screenshot of onboarding script and unified solution download." lightbox="images/onboarding-script.png":::
+
2. Download the migration script from the document: [Server migration scenarios from the previous, MMA-based Microsoft Defender for Endpoint solution](server-migration.md). This script can also be found on GitHub: [GitHub - microsoft/mdefordownlevelserver](https://github.com/microsoft/mdefordownlevelserver). 3. Save all three files in a shared folder used by MECM as a Software Source.
- :::image type="content" source="images/ua-migration.png" alt-text="Screenshot of saving the shared folder by MECM.":::
+
+ :::image type="content" source="images/ua-migration.png" alt-text="Screenshot of saving the shared folder by MECM.":::
## Create the package as an application 1. In the MECM console, follow these steps: **Software Library>Applications>Create Application**. 2. Select **Manually specify the application information**.
- :::image type="content" source="images/manual-application-information.png" alt-text="Screenshot of manually specifying the application information selection." lightbox="images/manual-application-information.png":::
-3. Click **Next** on the Software Center screen of the wizard.
+
+ :::image type="content" source="images/manual-application-information.png" alt-text="Screenshot of manually specifying the application information selection." lightbox="images/manual-application-information.png":::
+
+3. Select **Next** on the Software Center screen of the wizard.
4. On the Deployment Types, click **Add**.
-5. Select **Manually to specify the deployment type information** and click **Next**.
-6. Give a name to your script deployment and click **Next**.
- :::image type="content" source="images/manual-deployment-information.png" alt-text="Screenshot specifying the script deployment information.":::
+5. Select **Manually to specify the deployment type information** and select **Next**.
+6. Give a name to your script deployment and select **Next**.
+
+ :::image type="content" source="images/manual-deployment-information.png" alt-text="Screenshot specifying the script deployment information.":::
+
7. On this step, copy the UNC path that your content is located. Example: `\\Cm1\h$\SOFTWARE_SOURCE\UAmigrate`.
- :::image type="content" source="images/deployment-type-wizard.png" alt-text="Screenshot that shows UNC path copy.":::
+
+ :::image type="content" source="images/deployment-type-wizard.png" alt-text="Screenshot that shows UNC path copy.":::
+
8. Additionally, set the following as the installation program: ```powershell
- Powershell.exe -ExecutionPolicy ByPass -File install.ps1 -Log -Etl -RemoveMMA 48594f03-7e66-4e15-8b60-d9da2f92d564 -OnboardingScript .\WindowsDefenderATP.onboarding
+ Powershell.exe -ExecutionPolicy ByPass -File install.ps1 -RemoveMMA <workspace ID> -OnboardingScript .\WindowsDefenderATPOnboardingScript.cmd
```
+ Click **Next** and make sure to add your own Workspace ID in this section.
9. Click **Next** and click add a clause.
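Review bot: The replacement installation command in step 8 no longer passes `-Log` and `-Etl`, while step 18 added further down says troubleshooting .ETL files are created automatically on each server. Confirm that install.ps1 writes them without `-Etl`, or keep the switch in the documented command. The added sentence "Click **Next** and make sure to add your own Workspace ID" would read better placed before the command and worded as an instruction to replace `<workspace ID>`, using "Select" to match the other steps. Because the command runs with `-ExecutionPolicy ByPass` from a shared folder, a line on restricting write access to that content source would be worth adding.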
-10. The clause will be looking in the registry to see if the following key is present:
- `HKEY_LOCAL_MACHINESOFTWARE\Classes\Installer\Products\63FAD065BFFD18F1926692665F704C6D`
+10. The detection method will be based on the registry key shown below.
+ `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sense\ImagePath`
- Provide the following inputs:
- - Value: **ProductName**
- - Data Type: **String**
- - Check the option: **This registry setting must exit on the target system to indicate presence of this application.**
+ Check the option: **This registry setting must exit on the target system to indicate presence of this application.**
- :::image type="content" source="images/detection-rule-wizard.png" alt-text="Screenshot that shows registry key detection.":::
+ :::image type="content" source="images/detection-wizard.png" alt-text="Screenshot that shows detection type wizard":::
- >[!TIP]
- >This registry key value was obtained by running the following PowerShell command on a device that has had the unified solution installed. Other creative methods of detection can also be used. The goal is to identity whether the unified solution has already been installed on a specific device.
+ >[!TIP]
+ >This registry key value was obtained by running the Powershell command shown below on a device that has the unified solution installed. Other creative methods of detection can also be used. The goal is to identify whether the unified solution has already been installed on a specific device.
```powershell
- PowerShell Cmd: get-wmiobject Win32_Product | Sort-Object -Property Name |Format-Table IdentifyingNumber, Name, LocalPackage -AutoSize
+ get-wmiobject Win32_Product | Sort-Object -Property Name |Format-Table IdentifyingNumber, Name, LocalPackage -AutoSize
```
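Review bot: In step 10 the path `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sense\ImagePath` is presented as a registry key, but `ImagePath` is a value under the `Sense` service key, and the removed Value and Data Type inputs were not replaced. Give the key and the value name separately so the detection clause can be filled in. The tip still says the value was obtained with the `get-wmiobject Win32_Product` command, which lists installed product codes and matched the old `Installer\Products` key rather than the new service path, so the tip should be reworded or dropped. "must exit" in the checkbox text should be "must exist".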
-11. In the **User Experience** section, you can choose what suits your environment and click **Next**. For **Installation program visibility**, it's advisable to install with **Normal visibility** during phase testing then change it to **Minimized** for general deployment.
+11. In the **User Experience** section, check the recommended settings shown in the screenshot. You can choose what suits your environment and click **Next**. For **Installation program visibility**, it's advisable to install with **Normal** during phase testing then change it to **Minimized** for general deployment.
+
>[!TIP]
- > Maximum allowed runtime can be lowered from (default) 120 minutes to 30 minutes.
+ >The maximum allowed runtime can be lowered from (default) 120 minutes to 60 minutes.
:::image type="content" source="images/user-experience-in-deployment-type-wizard.png" alt-text="Screenshot that shows user experience in deployment-type wizard.":::
-12. Click **Next** on Requirements.
-13. Click **Next** on Dependencies.
-14. Click **Next** until completion screen comes up, then **Close**.
-15. Keep clicking next until the completion of Application Wizard. Verify all have been green checked.
-16. Close the wizard, right click on the recently created application and deploy it to your down-level-server collection.
- :::image type="content" source="images/deploy-application.png" alt-text="Screenshot that shows deployment of created application." lightbox="images/deploy-application.png":::
-17. Verify in MECM>Monitoring>Deployments the status of this migration.
+12. Add any additional requirements then select **Next**.
+13. Under the Dependencies section, select **Next**.
+14. Select **Next** until completion screen comes up, then **Close**.
+15. Keep select **Next** until the completion of Application Wizard. Verify all have been green checked.
+16. Close the wizard, right-click on the recently created application and deploy it to your down-level-server collection. Locally, the installation can be confirmed at Software Center. For details, check the CM logs at `C:\Windows\CCM\Logs\AppEnforce.log`.
+
+ :::image type="content" source="images/deploy-application.png" alt-text="Screenshot that shows deployment of created application." lightbox="images/deploy-application.png":::
+
+17. Verify the status of the migration at MECM > Monitoring > Deployments.
- :::image type="content" source="images/deployment-status.png" alt-text="Screenshot that shows deployment status check." lightbox="images/deployment-status.png":::
+ :::image type="content" source="images/deployment-status.png" alt-text="Screenshot that shows deployment status check." lightbox="images/deployment-status.png":::
+
+18. Troubleshooting .ETL files will be created and automatically saved locally in each server at this location `C:\Windows\ccmcache\#\`. These files can be leveraged by support to troubleshoot onboarding issues.
## Related topics
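Review bot: Steps 14 and 15 now both say to select **Next** until completion, and step 15 reads "Keep select **Next**". Merge them into one step that covers selecting **Next** through the Application Wizard, verifying the green checks, and closing. In step 18, `C:\Windows\ccmcache\#\` needs a word on what `#` stands for, and steps 4, 9 and 11 still say "click" after the other steps moved to "select".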
security Configure Local Policy Overrides Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-local-policy-overrides-microsoft-defender-antivirus.md
To configure these settings:
You can also configure how locally defined lists are combined or merged with globally defined lists. This setting applies to [exclusion lists](configure-exclusions-microsoft-defender-antivirus.md), [specified remediation lists](configure-remediation-microsoft-defender-antivirus.md), and [attack surface reduction](/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction).
-By default, lists that have been configured in local group policy and the Windows Security app are merged with lists that are defined by the appropriate Group Policy Object that you have deployed on your network. Where there are conflicts, the globally-defined list takes precedence. You can disable this setting to ensure that only globally-defined lists (such as those from any deployed GPOs) are used.
+By default, lists that have been configured in local group policy and the Windows Security app are merged with lists that are defined by the appropriate Group Policy Object that you have deployed on your network. Where there are conflicts, the globally defined list takes precedence. You can disable this setting to ensure that only globally-defined lists (such as those from any deployed GPOs) are used.
### Use Group Policy to disable local list merging
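Review bot: The hyphen was removed from "globally defined list" in the second sentence, but the last sentence of the same paragraph still has "globally-defined lists". Change both so the paragraph is consistent.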
security Get Assessment Methods Properties https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-assessment-methods-properties.md
## API description
-Provides methods and property details about the APIs that pull threat and vulnerability management data on a per-device basis. There are different API calls to get different types of data. In general, each API call contains the requisite data for devices in your organization.
+Provides methods and property details about the APIs that pull vulnerability management data on a per-device basis. There are different API calls to get different types of data. In general, each API call contains the requisite data for devices in your organization.
> [!NOTE] > Unless indicated otherwise, all export assessment methods listed are **_full export_** and **_by device_** (also referred to as **_per device_**).
You can use the export assessment APIs to retrieve (export) different types of i
- [1. Export secure configurations assessment](#1-export-secure-configurations-assessment) - [2. Export software inventory assessment](#2-export-software-inventory-assessment) - [3. Export software vulnerabilities assessment](#3-export-software-vulnerabilities-assessment)
+- [4. Export non product code software inventory assessment](#4-export-non-product-code-software-inventory-assessment)
The APIs that correspond to the export information types are described in sections 1, 2, and 3.
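Review bot: The new list entry for section 4 is not reflected in the sentence right after the list, which still says the APIs are "described in sections 1, 2, and 3". Update it to include section 4.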
deviceName|String|Fully qualified domain name (FQDN) of the device.
isApplicable|Bool|Indicates whether the configuration or policy is applicable. isCompliant|Bool|Indicates whether the configuration or policy is properly configured. isExpectedUserImpact|Bool|Indicates whether the user gets affected if the configuration will be applied.
-osPlatform|String|Platform of the operating system running on the device. Specific operating systems with variations within the same family, such as Windows 10 and Windows 11. See TVM supported operating systems and platforms for details.
+osPlatform|String|Platform of the operating system running on the device. Specific operating systems with variations within the same family, such as Windows 10 and Windows 11. See [Supported operating systems, platforms and capabilities](../defender-vulnerability-management/tvm-supported-os.md) for details.
osVersion|String|Specific version of the operating system running on the device. rbacGroupName|String|The role-based access control (RBAC) group. If the device isn't assigned to any RBAC group, the value will be "Unassigned." If the organization doesn't contain any RBAC groups, the value will be "None." rbacGroupId|String|The role-based access control (RBAC) group ID.
DiskPaths|Array[string]|Disk evidence that the product is installed on the devic
EndOfSupportDate|String|The date in which support for this software has or will end. EndOfSupportStatus|String|End of support status. Can contain these possible values: None, EOS Version, Upcoming EOS Version, EOS Software, Upcoming EOS Software. NumberOfWeaknesses|Int|Number of weaknesses on this software on this device.
-OSPlatform|String|Platform of the operating system running on the device; specific operating systems with variations within the same family, such as Windows 10 and Windows 11. See tvm supported operating systems and platforms for details.
+OSPlatform|String|Platform of the operating system running on the device; specific operating systems with variations within the same family, such as Windows 10 and Windows 11. See [Supported operating systems, platforms and capabilities](../defender-vulnerability-management/tvm-supported-os.md) for details.
RbacGroupName|String|The role-based access control (RBAC) group. If this device isn't assigned to any RBAC group, the value will be "Unassigned." If the organization doesn't contain any RBAC groups, the value will be "None." rbacGroupId|String|The role-based access control (RBAC) group ID. RegistryPaths|Array[string]|Registry evidence that the product is installed in the device.
ExploitabilityLevel|String|The exploitability level of this vulnerability (NoExp
FirstSeenTimestamp|String|First time the CVE of this product was seen on the device. Id|String|Unique identifier for the record. LastSeenTimestamp|String|Last time the CVE was seen on the device.
-OSPlatform|String|Platform of the operating system running on the device; specific operating systems with variations within the same family, such as Windows 10 and Windows 11. See tvm supported operating systems and platforms for details.
+OSPlatform|String|Platform of the operating system running on the device; specific operating systems with variations within the same family, such as Windows 10 and Windows 11. See [Supported operating systems, platforms and capabilities](../defender-vulnerability-management/tvm-supported-os.md) for details.
RbacGroupName|String|The role-based access control (RBAC) group. If this device isn't assigned to any RBAC group, the value will be "Unassigned." If the organization doesn't contain any RBAC groups, the value will be "None." rbacGroupId|String|The role-based access control (RBAC) group ID. RecommendationReference|String|A reference to the recommendation ID related to this software.
ExploitabilityLevel|String|The exploitability level of the vulnerability (NoExpl
FirstSeenTimestamp|String|First time the CVE of the product was seen on the device. Id|String|Unique identifier for the record. LastSeenTimestamp|String|Last time the CVE was seen on the device.
-OSPlatform|String|Platform of the operating system running on the device; specific operating systems with variations within the same family, such as Windows 10 and Windows 11. See tvm supported operating systems and platforms for details.
+OSPlatform|String|Platform of the operating system running on the device; specific operating systems with variations within the same family, such as Windows 10 and Windows 11. See [Supported operating systems, platforms and capabilities](../defender-vulnerability-management/tvm-supported-os.md) for details.
RbacGroupName|String|The role-based access control (RBAC) group. If this device isn't assigned to any RBAC group, the value will be "Unassigned." If the organization doesn't contain any RBAC groups, the value will be "None." RecommendationReference|String|A reference to the recommendation ID related to this software. RecommendedSecurityUpdate |String|Name or description of the security update provided by the software vendor to address the vulnerability.
SoftwareVersion|String|Version number of the software product.
Status|String|**New** (for a new vulnerability introduced on a device). **Fixed** (for a vulnerability that doesn't exist anymore on the device, which means it was remediated). **Updated** (for a vulnerability on a device that has changed. The possible changes are: CVSS score, exploitability level, severity level, DiskPaths, RegistryPaths, RecommendedSecurityUpdate). VulnerabilitySeverityLevel|String|Severity level assigned to the security vulnerability based on the CVSS score and dynamic factors influenced by the threat landscape.
+## 4. Export non product code software inventory assessment
+
+Returns all of the installed software that does not have a [Common Platform Enumeration(CPE)](https://nvd.nist.gov/products/cpe) and their details on each device.
+
+### 4.1 Methods
+
+|Method|Data type|Description|
+|:|:|:|
+|Export non product code software inventory assessment **(JSON response)**|Non product code software inventory by device collection. See: [4.2 Properties (JSON response)](#42-properties-json-response)|Returns a table with an entry for every unique combination of DeviceId, SoftwareVendor, SoftwareName, SoftwareVersion. The API pulls all data in your organization as JSON responses. This method is best for small organizations with less than 100-K devices. The response is paginated, so you can use the @odata.nextLink field from the response to fetch the next results. |
+| Export non product code software inventory assessment **(via files)**|Non product code software inventory by device files. See: [4.3 Properties (via files)](#43-properties-via-files)|Returns a table with an entry for every unique combination of DeviceId, SoftwareVendor, SoftwareName, SoftwareVersion. This API solution enables pulling larger amounts of data faster and more reliably. So, it's recommended for large organizations, with more than 100-K devices. This API pulls all data in your organization as download files. The response contains URLs to download all the data from Azure Storage. This API enables you to download data from Azure Storage as follows: <ol><li>Call the API to get a list of download URLs with your organization data</li><li>Download the files using the download URLs and process the data as you like.</li></ol> |
+
+### 4.2 Properties (JSON response)
+
+Property (ID)|Data type|Description
+:|:|:
+DeviceId|string|Unique identifier for the device in the service.
+DeviceName|string|Fully qualified domain name (FQDN) of the device.
+OSPlatform|string|Platform of the operating system running on the device. These are specific operating systems with variations within the same family, such as Windows 10 and Windows 11. See [Supported operating systems, platforms and capabilities](../defender-vulnerability-management/tvm-supported-os.md) for details.
+RbacGroupName|string|The role-based access control (RBAC) group. If this device is not assigned to any RBAC group, the value will be "Unassigned." If the organization doesn't contain any RBAC groups, the value will be "None."
+RbacGroupId|string|The role-based access control (RBAC) group ID.
+SoftwareLastSeenTimestamp|string|The last time this software was seen on the device.
+SoftwareName|string|Name of the software product.
+SoftwareVendor|string|Name of the software vendor.
+SoftwareVersion|string|Version number of the software product.
+
+### 4.3 Properties (via files)
+
+Property (ID)|Data type|Description
+:|:|:
+Export files|array\[string\]|A list of download URLs for files holding the current snapshot of the organization.
+GeneratedTime|String|The time that the export was generated.
+ ## See also - [Export secure configuration assessment per device](get-assessment-secure-config.md) - [Export software inventory assessment per device](get-assessment-software-inventory.md) - [Export software vulnerabilities assessment per device](get-assessment-software-vulnerabilities.md)
+- [Export non cpe software inventory assessment per device](get-assessment-non-cpe-software-inventory.md)
Other related
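Review bot: The new See also entry is titled "Export non cpe software inventory assessment per device", while the section 4 heading, the method names and the TOC entry all use "non product code". Use one name throughout. The data types in the new tables are also inconsistent: 4.2 uses lowercase `string`, 4.3 has `array\[string\]` next to `String`, and the existing tables use `String` and `Array[string]`. "less than 100-K devices" would read better as "fewer than 100,000 devices".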
security Get Assessment Non Cpe Software Inventory https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-assessment-non-cpe-software-inventory.md
+
+ Title: Export non product code software inventory assessment per device
+description: Returns a table with an entry for every unique combination of DeviceId, SoftwareVendor, SoftwareName, SoftwareVersion for software that doesn't have a Common Platform Enumeration (CPE)
+keywords: api, apis, export assessment, per device assessment, vulnerability assessment report, device vulnerability assessment, device vulnerability report, secure configuration assessment, secure configuration report, software vulnerabilities assessment, software vulnerability report, vulnerability report by machine,
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
++
+ms.localizationpriority: medium
+
+audience: ITPro
++
+ms.technology: mde
+++
+# Export non product code software inventory assessment per device
++
+**Applies to:**
+
+- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/?linkid=2154037)
+- [Microsoft Defender Vulnerability Management](../defender-vulnerability-management/index.yml)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink)
+
+This API returns all the data for installed software that doesn't have a [Common Platform Enumeration(CPE)](https://nvd.nist.gov/products/cpe), on a per-device basis. The information returned by this API, along with the information returned by the [Export software inventory assessment](get-assessment-non-cpe-software-inventory.md) API, for software that does have a CPE, gives you full visibility into the software installed across your organization and the devices itΓÇÖs installed on.
+
+> [!NOTE]
+> Software products without a CPE are not supported by vulnerability management. They will be shown in the software inventory page, but because CPEs are used by vulnerability management to identify the software and any vulnerabilities, information like, exploits, number of exposed devices, and weaknesses won't be available for them. For more information, see [Software inventory](../defender-vulnerability-management/tvm-software-inventory.md).
+
+Different API calls get different types of data. Because the amount of data can be large, there are two ways it can be retrieved:
+
+- [Export non product code software inventory assessment **JSON response**](#1-export-non-product-code-software-inventory-assessment-json-response) The API pulls all data in your organization as Json responses. This method is best for _small organizations with less than 100-K devices_. The response is paginated, so you can use the \@odata.nextLink field from the response to fetch the next results.
+
+- [Export non product code software inventory assessment **via files**](#2-export-non-product-code-software-inventory-assessment-via-files) This API solution enables pulling larger amounts of data faster and more reliably. So, it's recommended for large organizations, with more than 100-K devices. This API pulls all data in your organization as download files. The response contains URLs to download all the data from Azure Storage. This API enables you to download all your data from Azure Storage as follows:
+ - Call the API to get a list of download URLs with all your organization data.
+ - Download all the files using the download URLs and process the data as you like.
+
+Data that is collected (using either _Json response_ or _via files_) is the current snapshot of the current state. It doesn't contain historic data. To collect historic data, customers must save the data in their own data storages.
+
+> [!NOTE]
+> Unless indicated otherwise, all export assessment methods listed are **_full export_** and **_by device_** (also referred to as **_per device_**).
+
+## 1. Export non product code software inventory assessment (JSON response)
+
+### 1.1 API method description
+
+This API response contains all the data of installed software that does not have a [Common Platform Enumeration(CPE)](https://nvd.nist.gov/products/cpe) per device. Returns a table with an entry for every unique combination of DeviceId, SoftwareVendor, SoftwareName, SoftwareVersion.
+
+#### Limitations
+
+- Maximum page size is 200,000.
+- Rate limitations for this API are 30 calls per minute and 1000 calls per hour.
+
+### 1.2 Permissions
+
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs for details.](apis-intro.md)
+
+Permission type|Permission|Permission display name
+||
+Application|Software.Read.All|\'Read Threat and Vulnerability Management vulnerability information\'
+Delegated (work or school account)|Software.Read|\'Read Threat and Vulnerability Management vulnerability information\'
+
+### 1.3 URL
+
+```http
+GET /api/machines/SoftwareInventoryNoProductCodeByMachine
+```
+
+### 1.4 Parameters
+
+- pageSize (default = 50,000): Number of results in response.
+- $top: Number of results to return (doesn't return @odata.nextLink and therefore doesn't pull all the data)
+
+### 1.5 Properties
+
+> [!NOTE]
+>
+> - Each record is approximately 0.5KB of data. You should take this into account when choosing the correct pageSize parameter for you.
+> - The properties defined in the following table are listed alphabetically, by property ID. When running this API, the resulting output will not necessarily be returned in the same order listed in this table.
+> - Some additional columns might be returned in the response. These columns are temporary and might be removed, please use only the documented columns.
+
+<br>
+
+Property (ID)|Data type|Description
+:|:|:
+DeviceId|string|Unique identifier for the device in the service.
+DeviceName|string|Fully qualified domain name (FQDN) of the device.
+OSPlatform|string|Platform of the operating system running on the device. These are specific operating systems with variations within the same family, such as Windows 10 and Windows 11. See [Supported operating systems, platforms and capabilities](../defender-vulnerability-management/tvm-supported-os.md) for details.
+RbacGroupName|string|The role-based access control (RBAC) group. If this device is not assigned to any RBAC group, the value will be "Unassigned." If the organization doesn't contain any RBAC groups, the value will be "None."
+RbacGroupId|string|The role-based access control (RBAC) group ID.
+SoftwareLastSeenTimestamp|string|The last time this software was seen on the device.
+SoftwareName|string|Name of the software product.
+SoftwareVendor|string|Name of the software vendor.
+SoftwareVersion|string|Version number of the software product.
+
+### 1.6 Examples
+
+#### 1.6.1 Request example
+
+```http
+https://api.securitycenter.microsoft.com/api/machines/SoftwareInventoryNoProductCodeByMachine?pageSize=3 &sinceTime=2021-05-19
+```
+
+#### 1.6.2 Response example
+
+```json
+{
+ "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Collection(microsoft.windowsDefenderATP.api.AssetNonCpeSoftware)",
+ "value": [
+ {
+ "deviceId": "1234512345123451234512345",
+ "rbacGroupId": 11,
+ "rbacGroupName": "London",
+ "deviceName": "Device1",
+ "osPlatform": "Windows11",
+ "softwareVendor": "microsoft",
+ "softwareName": "vs_communitymsi",
+ "softwareVersion": "11.11.31111.1",
+ "softwareLastSeenTimestamp": "2021-01-30 11:31:12.271"
+ },
+ {
+ "deviceId": "232323232323232322323232323",
+ "rbacGroupId": 23,
+ "rbacGroupName": "Tokyo",
+ "deviceName": "Device23",
+ "osPlatform": "Windows10",
+ "softwareVendor": "intel",
+ "softwareName": "intel®_software_installer",
+ "softwareVersion": "22.20.2.2",
+ "softwareLastSeenTimestamp": "2022-05-30 15:35:12.271"
+ },
+ {
+ "deviceId": "6565656565",
+ "rbacGroupId": 65,
+ "rbacGroupName": "Center",
+ "deviceName": "Device56",
+ "osPlatform": "Windows10",
+ "softwareVendor": "Lob Apps",
+ "softwareName": "Headtrax",
+ "softwareVersion": "60.273.3",
+ "softwareLastSeenTimestamp": "2022-05-05 15:35:12.271"
+ },
+ ],
+ "@odata.nextLink": "https://api.securitycenter.microsoft.com/api/machines/SoftwareInventoryNoProductCodeByMachine?pagesize=3%20%20&sincetime=2021-05-19&$skiptoken=eyJFeHBvcnREZWZpbml0aW9uIjp7IlRpbWVQYXRoIjoiMjAyMi0wNS0zMC8xMTAxLyJ9LCJFeHBvcnRGaWxlSW5kZXgiOjAsIkxpbmVTdG9wcGVkQXQiOjV9"
+}
+
+```
+
+## 2. Export non product code software inventory assessment (via files)
+
+### 2.1 API method description
+
+This API response contains all the data of installed software that does not have a [Common Platform Enumeration(CPE)](https://nvd.nist.gov/products/cpe) per device. Returns a table with an entry for every unique combination of DeviceId, SoftwareVendor, SoftwareName, SoftwareVersion.
+
+#### 2.1.1 Limitations
+
+Rate limitations for this API are 5 calls per minute and 20 calls per hour.
+
+### 2.2 Permissions
+
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs for details.](apis-intro.md)
+
+Permission type|Permission|Permission display name
+||
+Application|Software.Read.All|\'Read Threat and Vulnerability Management vulnerability information\'
+Delegated (work or school account)|Software.Read|\'Read Threat and Vulnerability Management vulnerability information\'
+
+### 2.3 URL
+
+```http
+GET /api/machines/Api/Machines/SoftwareInventoryNonCpeExport
+```
+
+### Parameters
+
+- sasValidHours: The number of hours that the download URLs will be valid for (Maximum 24 hours)
+
+### 2.5 Properties
+
+> [!NOTE]
+>
+> - The files are gzip compressed & in multiline JSON format.
+> - The download URLs are only valid for 3 hours. Otherwise you can use the parameter.
+> - For maximum download speed of your data, you can make sure you are downloading from the same Azure region that your data resides.
+
+<br>
+
+****
+
+Property (ID)|Data type|Description|Example of a returned value
+:|:|:|:
+Export files|array\[string\]|A list of download URLs for files holding the current snapshot of the organization|"[Https://tvmexportstrstgeus.blob.core.windows.net/tvm-export...1", "https://tvmexportstrstgeus.blob.core.windows.net/tvm-export...2"]
+GeneratedTime|string|The time that the export was generated.|2021-05-20T08:00:00Z
+|
+
+### 2.6 Examples
+
+#### 2.6.1 Request example
+
+```http
+GET https://api.securitycenter.microsoft.com/api/machines/SoftwareInventoryNonCpeExport
+```
+
+#### 2.6.2 Response example
+
+```json
+{
+ "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#microsoft.windowsDefenderATP.api.ExportFilesResponse",
+ "exportFiles": [
+ "https://tvmexportexternalprdcanc.blob.core.windows.net/temp-ffd80447-7b3d-4ad2-b366-f0979b129662/2022-05-30/1101/NonCpeSoftwareInventory/json/OrgId=47d41a0c-188d-46d3-bbea-a93dbc0bfcaa/_RbacGroupId=1/part-00337-5e15412b-5c85-4896-ac60-b7b3ab8da096.c000.json.gz?sv=2020-08-04&st=2022-05-30T13%3A41%3A59Z&se=2022-05-30T16%3A41%3A59Z&sr=b&sp=r&sig=aHnmuOKlIvpR0PsdamYfmCCDZ1nhpuXBzK2%2FkJ9xTpg%3D",
+ "https://tvmexportexternalprdcanc.blob.core.windows.net/temp-ffd80447-7b3d-4ad2-b366-f0979b129662/2022-05-30/1101/NonCpeSoftwareInventory/json/OrgId=47d41a0c-188d-46d3-bbea-a93dbc0bfcaa/_RbacGroupId=1/part-00338-5e15412b-5c85-4896-ac60-b7b3ab8da096.c000.json.gz?sv=2020-08-04&st=2022-05-30T13%3A41%3A59Z&se=2022-05-30T16%3A41%3A59Z&sr=b&sp=r&sig=0fQg%2Ft469x26KvPLmvctLl0g6DC38CNM3lXYi9dnFfo%3D",
+ "https://tvmexportexternalprdcanc.blob.core.windows.net/temp-ffd80447-7b3d-4ad2-b366-f0979b129662/2022-05-30/1101/NonCpeSoftwareInventory/json/OrgId=47d41a0c-188d-46d3-bbea-a93dbc0bfcaa/_RbacGroupId=1/part-00339-5e15412b-5c85-4896-ac60-b7b3ab8da096.c000.json.gz?sv=2020-08-04&st=2022-05-30T13%3A41%3A59Z&se=2022-05-30T16%3A41%3A59Z&sr=b&sp=r&sig=P6HGHoLXXipMauBpLueoQVrwHL7qmvLoCjcij6ERx8o%3D",
+ "https://tvmexportexternalprdcanc.blob.core.windows.net/temp-ffd80447-7b3d-4ad2-b366-f0979b129662/2022-05-30/1101/NonCpeSoftwareInventory/json/OrgId=47d41a0c-188d-46d3-bbea-a93dbc0bfcaa/_RbacGroupId=1/part-00340-5e15412b-5c85-4896-ac60-b7b3ab8da096.c000.json.gz?sv=2020-08-04&st=2022-05-30T13%3A41%3A59Z&se=2022-05-30T16%3A41%3A59Z&sr=b&sp=r&sig=VnpVct%2F8vdiIFTf2xXP9DF7ngWv1Zqew30q2jBPVghg%3D",
+ "https://tvmexportexternalprdcanc.blob.core.windows.net/temp-ffd80447-7b3d-4ad2-b366-f0979b129662/2022-05-30/1101/NonCpeSoftwareInventory/json/OrgId=47d41a0c-188d-46d3-bbea-a93dbc0bfcaa/_RbacGroupId=1/part-00341-5e15412b-5c85-4896-ac60-b7b3ab8da096.c000.json.gz?sv=2020-08-04&st=2022-05-30T13%3A41%3A59Z&se=2022-05-30T16%3A41%3A59Z&sr=b&sp=r&sig=GY0zxMfEmr9v9fZBWYyKEtT2k%2F0ELQIlOP0ct%2B6SdGU%3D",
+ ],
+ "generatedTime": "2022-05-30T11:01:00Z"
+}
+```
+
+## See also
+
+- [Export software assessment per device](get-assessment-software-inventory.md)
+- [Export assessment methods and properties per device](get-assessment-methods-properties.md)
+- [Export secure configuration assessment per device](get-assessment-secure-config.md)
+- [Export software vulnerabilities assessment per device](get-assessment-software-vulnerabilities.md)
+
+Other related
+
+- [Risk-based threat & vulnerability management](next-gen-threat-and-vuln-mgt.md)
+- [Vulnerabilities in your organization](tvm-weaknesses.md)
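Review bot: The URL in section 2.3, `GET /api/machines/Api/Machines/SoftwareInventoryNonCpeExport`, repeats the path segment and does not match the 2.6.1 request example, which calls `/api/machines/SoftwareInventoryNonCpeExport`; make the two agree. The 1.6.1 request passes `sinceTime=2021-05-19`, which section 1.4 does not document, and it has a stray space before `&sinceTime` that surfaces as `pagesize=3%20%20` in the sample `@odata.nextLink`. Both response examples end their arrays with a trailing comma (after the last `value` object and after the last `exportFiles` URL), so neither is valid JSON for a reader who pastes it into a parser. The 2.5 note says the download URLs are valid for 3 hours and "Otherwise you can use the parameter" without naming it; name `sasValidHours` there, and give the unnumbered "### Parameters" heading its 2.4 number. The property table types `RbacGroupId` as string, but the example returns it as a number (`"rbacGroupId": 11`).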
security Get Assessment Software Inventory https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-assessment-software-inventory.md
> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink)
+This API returns all the data for installed software that has a [Common Platform Enumeration(CPE)](https://nvd.nist.gov/products/cpe), on a per-device basis.
Different API calls get different types of data. Because the amount of data can be large, there are two ways it can be retrieved:
Data that is collected (using either _Json response_ or _via files_) is the curr
### 1.1 API method description
-This API response contains all the data of installed software per device. Returns a table with an entry for every unique combination of DeviceId, SoftwareVendor, SoftwareName, SoftwareVersion.
+This API response contains all the data of installed software that has a [Common Platform Enumeration(CPE)](https://nvd.nist.gov/products/cpe), per device. Returns a table with an entry for every unique combination of DeviceId, SoftwareVendor, SoftwareName, SoftwareVersion.
#### Limitations
GET https://api.securitycenter.microsoft.com/api/machines/SoftwareInventoryByMac
} ```
+> [!NOTE]
+> The information returned by this API, along with the information returned by the [Export non product code software inventory assessment](get-assessment-non-cpe-software-inventory.md) API, for software that doesn't have a CPE, gives you full visibility into the software installed across your organization and the devices itΓÇÖs installed on.
+ ## 2. Export software inventory assessment (via files) ### 2.1 API method description
GET https://api.securitycenter.microsoft.com/api/machines/SoftwareInventoryExpor
- [Export assessment methods and properties per device](get-assessment-methods-properties.md) - [Export secure configuration assessment per device](get-assessment-secure-config.md) - [Export software vulnerabilities assessment per device](get-assessment-software-vulnerabilities.md)
+- [Export non product code software inventory assessment](get-assessment-non-cpe-software-inventory.md)
Other related
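Review bot: The added NOTE after the first response example contains a mis-encoded apostrophe ("the devices itΓÇÖs installed on"); replace it with a plain "it's". The same sentence is hard to parse because "for software that doesn't have a CPE" trails the link it qualifies; consider "Together with the Export non product code software inventory assessment API, which covers software that doesn't have a CPE, this API gives you full visibility into ...". In both added descriptions, "Common Platform Enumeration(CPE)" is missing a space before the parenthesis.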
security Manage Updates Baselines Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-updates-baselines-microsoft-defender-antivirus.md
ms.mktglfcycl: manage
ms.sitesec: library ms.pagetype: security ms.localizationpriority: high Last updated : 08/04/2022 audience: ITPro
Keeping Microsoft Defender Antivirus up to date is critical to assure your devic
## Security intelligence updates
-Microsoft Defender Antivirus uses [cloud-delivered protection](cloud-protection-microsoft-defender-antivirus.md) (also called the Microsoft Advanced Protection Service or MAPS) and periodically downloads dynamic security intelligence updates to provide additional protection. These dynamic updates don't take the place of regular security intelligence updates via security intelligence update KB2267602.
+Microsoft Defender Antivirus uses [cloud-delivered protection](cloud-protection-microsoft-defender-antivirus.md) (also called the Microsoft Advanced Protection Service or MAPS) and periodically downloads dynamic security intelligence updates to provide more protection. These dynamic updates don't take the place of regular security intelligence updates via security intelligence update KB2267602.
> [!NOTE] > Updates are released under the following KBs:
No known issues
</details><details> <summary>March-2022 *UPDATE* (Platform: 4.18.2203.5 | Engine: 1.1.19200.5)</summary>
-*Customers who applied the March 2022 Microsoft Defender engine update (**1.1.19100.5**) might have encountered high resource utilization (CPU and/or memory). Microsoft has released an update (**1.1.19200.5**) that resolves the bugs introduced in the earlier version. Customers are recommended to update to at least this new engine build of Antivirus Engine (**1.1.19200.5**). To ensure any performance issues are fully fixed, it is recommended to reboot machines after applying update.*
+*Customers who applied the March 2022 Microsoft Defender engine update (**1.1.19100.5**) might have encountered high resource utilization (CPU and/or memory). Microsoft has released an update (**1.1.19200.5**) that resolves the bugs introduced in the earlier version. Customers are recommended to update to at least this new engine build of Antivirus Engine (**1.1.19200.5**). To ensure any performance issues are fully fixed, it's recommended to reboot machines after applying update.*
&ensp;Security intelligence update version: **1.363.817.0**<br/> &ensp;Released: **April 22, 2022**<br/>
Security intelligence update version: 1.361.1449.0<br/>
- Added fix for [behavior monitoring](configure-protection-features-microsoft-defender-antivirus.md) performance issue related to short live processes - Added fix for [AMSI](/windows/win32/amsi/antimalware-scan-interface-portal) exclusion - Improved [tamper protection](prevent-changes-to-security-settings-with-tamper-protection.md) capabilities -- Added a fix for [real-time protection](configure-protection-features-microsoft-defender-antivirus.md) getting disabled in some cases when using `SharedSignaturesPath` config (For more details about the `SharedSignaturesPath` parameter, see [Set-MpPreference](/powershell/module/defender/set-mppreference))
+- Added a fix for [real-time protection](configure-protection-features-microsoft-defender-antivirus.md) getting disabled in some cases when using `SharedSignaturesPath` config. For more details about the `SharedSignaturesPath` parameter, see [Set-MpPreference](/powershell/module/defender/set-mppreference).
### Known Issues
We recommend updating your Windows 10 (Enterprise, Pro, and Home editions), Wind
For more information, see [Microsoft Defender update for Windows operating system installation images](https://support.microsoft.com/help/4568292/defender-update-for-windows-operating-system-installation-images). <details>
+<summary>20220802.1</summary>
+
+&ensp;Package version: **20220802.1**<br/>
+&ensp;Platform version: **4.18.2205.7**<br/>
+&ensp;Engine version: **1.1.19400.3**<br/>
+&ensp;Signature version: **1.371.1205.0**<br/>
+
+### Fixes
+- None
+
+### Additional information
+- None
+
+<br/>
+</details><details>
<summary>20220629.5</summary> &ensp;Package version: **20220629.5**<br/>
For more information, see [Microsoft Defender update for Windows operating syste
|[Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-microsoft-defender-antivirus.md) | You can schedule when protection updates should be downloaded. | |[Manage updates for endpoints that are out of date](manage-outdated-endpoints-microsoft-defender-antivirus.md) | If an endpoint misses an update or scheduled scan, you can force an update or scan the next time a user signs in. | |[Manage event-based forced updates](manage-event-based-updates-microsoft-defender-antivirus.md) | You can set protection updates to be downloaded at startup or after certain cloud-delivered protection events. |
-|[Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md)| You can specify settings, such as whether updates should occur on battery power, that are especially useful for mobile devices and virtual machines. |
+|[Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md)| You can specify settings, such as whether updates should occur on battery power that are especially useful for mobile devices and virtual machines. |
| [Microsoft Defender for Endpoint update for EDR Sensor](https://support.microsoft.com/topic/microsoft-defender-for-endpoint-update-for-edr-sensor-f8f69773-f17f-420f-91f4-a8e5167284ac) | You can update the EDR sensor (MsSense.exe) that is included in the new Microsoft Defender for Endpoint unified solution package released in 2021. | > [!TIP]
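Review bot: In the table row for "Manage updates for mobile devices and virtual machines (VMs)", removing the comma after "battery power" breaks the sentence: "such as whether updates should occur on battery power that are especially useful" now reads as if "that are especially useful" modifies the battery power rather than the settings. Restore the comma that closes the "such as ..." aside, or rephrase to "You can specify settings that are especially useful for mobile devices and virtual machines, such as whether updates should occur on battery power." The other wording changes in this file (contractions, "more protection", the split `SharedSignaturesPath` sentence) read fine.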
security Troubleshoot Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus.md
Previously updated : 06/02/2022 Last updated : 08/04/2022 ms.technology: mde
Message:
Description: </td> <td >
-If Tamper protection is enabled then, any attempt to change any of Defender's settings if blocked and Event ID 5013 is generated that states which setting change was blocked.
+If Tamper protection is enabled then, any attempt to change any of Defender's settings is blocked. Event ID 5013 is generated and states which setting change was blocked.
</td> </tr> <tr>
Description of the error. </dt>
<a id="error-codes"></a> ## Microsoft Defender Antivirus client error codes
-If Microsoft Defender Antivirus experiences any issues it will usually give you an error code to help you troubleshoot the issue. Most often an error means there was a problem installing an update.
-This section provides the following information about Microsoft Defender Antivirus client errors.
+If Microsoft Defender Antivirus experiences any issues it will usually give you an error code to help you troubleshoot the issue. Most often an error means there was a problem installing an update. This section provides the following information about Microsoft Defender Antivirus client errors.
- The error code - The possible reason for the error - Advice on what to do now
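Review bot: In the tamper protection description, the rewritten sentence fixes "if blocked" but keeps the misplaced comma in "If Tamper protection is enabled then, any attempt"; write "If tamper protection is enabled, any attempt to change any of Defender's settings is blocked." The follow-on sentence would read better as "Event ID 5013 is generated, stating which setting change was blocked." In the error-codes hunk, the merged paragraph still has "experiences any issues it will usually give you" with no comma after "issues".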
security Tune Performance Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/tune-performance-defender-antivirus.md
ms.prod: m365-security
ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security-- ms.localizationpriority: medium- audience: ITPro++ Last updated : 08/13/2022+ ms.technology: mde
ms.technology: mde
# Performance analyzer for Microsoft Defender Antivirus **Applies to**+ - [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037) - Microsoft Defender Antivirus **Platforms**+ - Windows ## What is Microsoft Defender Antivirus performance analyzer?
In some cases, you might need to tune the performance of Microsoft Defender Anti
Some options to analyze include:
+- Top paths that impact scan time
- Top files that impact scan time - Top processes that impact scan time - Top file extensions that impact scan time-- Combinations ΓÇô for example, top files per extension, top scans per file, top scans per file per process-
+- Combinations ΓÇô for example:
+ - top files per extension
+ - top paths per extension
+ - top processes per path
+ - top scans per file
+ - top scans per file per process
+
## Running performance analyzer The high-level process for running performance analyzer involves the following steps:
For more information on command-line parameters and options, see the [New-MpPerf
## Performance tuning data and information
-Based on the query, the user will be able to view data for scan counts, duration (total/min/average/max/median), path, process, and reason for scan. The image below shows sample output for a simple query of the top 10 files for scan impact.
+Based on the query, the user will be able to view data for scan counts, duration (total/min/average/max/median), path, process, and **reason for scan**. The image below shows sample output for a simple query of the top 10 files for scan impact.
:::image type="content" source="images/example-output.png" alt-text="Example output for a basic TopFiles query" lightbox="images/example-output.png":::
Based on the query, the user will be able to view data for scan counts, duration
The results of the performance analyzer can also be exported and converted to a CSV or JSON file. For examples that describe the process of "export" and "convert" through sample codes, see below.
+Starting with Defender version 4.18.2206.X, users will be able to view scan skip reason information under ΓÇ£SkipReasonΓÇ¥ column. The possible values are:
+
+1. Not Skipped
+1. Optimization (typically due to performance reasons)
+1. User skipped (typically due to user-set exclusions)
+ ### For CSV - **To export**:
The following section describes the Get-MpPerformanceReport PowerShell cmdlet. A
```powershell Get-MpPerformanceReport [-Path] <String>
-[-TopScans <Int32>]
-[-TopFiles <Int32>
- [-TopScansPerFile <Int32>]
- [-TopProcessesPerFile <Int32>
- [-TopScansPerProcessPerFile <Int32>]
- ]
-]
-[-TopExtensions <Int32>
- [-TopScansPerExtension <Int32>]
- [-TopProcessesPerExtension <Int32>
- [-TopScansPerProcessPerExtension <Int32>]
- ]
- [-TopFilesPerExtension <Int32>
- [-TopScansPerFilePerExtension <Int32>]
- ]
- ]
-]
-[-TopProcesses <Int32>
- [-TopScansPerProcess <Int32>]
- [-TopExtensionsPerProcess <Int32>
- [-TopScansPerExtensionPerProcess <Int32>]
- ]
-]
-[-TopFilesPerProcess <Int32>
- [-TopScansPerFilePerProcess <Int32>]
-]
-[-MinDuration <String>]
-[-Raw]
+ [-TopScans [<Int32>]]
+ [-TopPaths [<Int32>] [-TopPathsDepth [<Int32>]]]
+ [-TopScansPerPath [<Int32>]]
+ [-TopFilesPerPath [<Int32>]
+ [-TopScansPerFilePerPath [<Int32>]]
+ ]
+ [-TopExtensionsPerPath [<Int32>]
+ [-TopScansPerExtensionPerPath [<Int32>]]
+ ]
+ [-TopProcessesPerPath [<Int32>]
+ [-TopScansPerProcessPerPath [<Int32>]]
+ ]
+ ]
+ [-TopFiles [<Int32>]
+ [-TopScansPerFile [<Int32>]]
+ [-TopProcessesPerFile [<Int32>]
+ [-TopScansPerProcessPerFile [<Int32>]]
+ ]
+ ]
+ [-TopExtensions [<Int32>]
+ [-TopScansPerExtension [<Int32>]
+ [-TopPathsPerExtension [<Int32>] [-TopPathsDepth [<Int32>]]
+ [-TopScansPerPathPerExtension [<Int32>]]
+ ]
+ [-TopProcessesPerExtension [<Int32>]
+ [-TopScansPerProcessPerExtension [<Int32>]]
+ ]
+ [-TopFilesPerExtension [<Int32>]
+ [-TopScansPerFilePerExtension [<Int32>]]
+ ]
+ ]
+ [-TopProcesses [<Int32>]
+ [-TopScansPerProcess [<Int32>]]
+ [-TopExtensionsPerProcess [<Int32>]
+ [-TopScansPerExtensionPerProcess [<Int32>]]
+ ]
+ [-TopPathsPerProcess [<Int32>] [-TopPathsDepth [<Int32>]]
+ [-TopScansPerPathPerProcess [<Int32>]]
+ ]
+ [-TopFilesPerProcess [<Int32>]
+ [-TopScansPerFilePerProcess [<Int32>]]
+ ]
+ ]
+ [-MinDuration <String>]
+ [-Raw]
+ ``` #### Description: Get-MpPerformanceReport
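Review bot: The brackets in the new syntax block do not nest correctly. `[-TopPaths [<Int32>] [-TopPathsDepth [<Int32>]]]` closes -TopPaths on its own line, so the lone `]` that follows the -TopProcessesPerPath group has nothing left to close, and the per-path options are no longer shown as children of -TopPaths. Further down, `[-TopScansPerExtension [<Int32>]` is missing its closing bracket, which leaves the -TopExtensions group unterminated by one. Drop one `]` from the -TopPaths line (so the group closes at the lone bracket) and add the missing `]` to the -TopScansPerExtension line. The hunk also moves -TopFilesPerProcess from a top-level option to a child of -TopProcesses and makes every count optional (`[<Int32>]`); if both are intended, the Description section should say what count applies when the value is omitted.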
Get-MpPerformanceReport -Path:.\Defender-scans.etl -TopScans:100 -MinDuration:10
Get-MpPerformanceReport -Path:.\Defender-scans.etl -TopFiles:10 -TopExtensions:10 -TopProcesses:10 -TopScans:10 -Raw | ConvertTo-Json ```
-Using -Raw in the above command specifies that the output should be machine readable and readily convertible to serialization formats like JSON
+Using \-Raw in the above command specifies that the output should be machine readable and readily convertible to serialization formats like JSON
#### Parameters: Get-MpPerformanceReport
+##### -TopPaths
+
+Requests a top-paths report and specifies how many top paths to output, sorted by "Duration". Aggregates the scans based on their path and directory. User can specify how many directories should be displayed on each level and the depth of the selection.
+
+- Type: Int32
+- Position: Named
+- Default value: None
+- Accept pipeline input: False
+- Accept wildcard characters: False
+
+##### -TopPathsDepth
+
+Specifies recursive depth that will be used to group and display aggregated path results. For example "C:\" corresponds to a depth of 1, "C:\Users\Foo" corresponds to a depth of 3.
+
+This flag can accompany all other Top Path options. If missing, a default value of 3 is assumed. Value cannot be 0.
+
+- Type: Int32
+- Position: Named
+- Default value: 3
+- Accept pipeline input: False
+- Accept wildcard characters: False
+
+| flag | definition |
+|:|:|
+| -**TopScansPerPath** | Specifies how may top scans to specify for each top path. |
+| -**TopFilesPerPath** | Specifies how may top files to specify for each top path. |
+| -**TopScansPerFilePerPath** | Specifies how many top scans to output for each top file for each top path, sorted by "Duration" |
+| -**TopExtensionsPerPath** | Specifies how many top extensions to output for each top path |
+| -**TopScansPerExtensionPerPath** | Specifies how many top scans to output for each top extension for each top path |
+| -**TopProcessesPerPath** | Specifies how many top processes to output for each top path |
+| -**TopScansPerProcessPerPath** | Specifies how many top scans to output for each top process for each top path |
+| -**TopPathsPerExtension** | Specifies how many top paths to output for each top extension |
+| -**TopScansPerPathPerExtension** | Specifies how many top scans to output for each top path for each top extension |
+| -**TopPathsPerProcess** | Specifies how many top paths to output for each top process |
+| -**TopScansPerPathPerProcess** | Specifies how many top scans to output for each top path for each top process |
+ ##### -MinDuration Specifies the minimum duration of any scan or total scan durations of files, extensions, and processes included in the report; accepts values like **0.1234567sec**, **0.1234ms**, **0.1us**, or a valid TimeSpan.
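Review bot: In the flag table added under -TopPathsDepth, the first two rows read "Specifies how may top scans to specify" and "Specifies how may top files to specify"; both should be "how many ... to output", matching the remaining rows. Only the -TopScansPerFilePerPath row mentions sorting by "Duration", and the rows are inconsistent about trailing periods. These eleven flags get a one-line table entry while -TopPaths and -TopPathsDepth get the full Type / Position / Default value / pipeline listing; either document them the same way or state that they share those attributes. -TopPaths lists "Default value: None" even though the syntax block shows its value as optional, so the text should say how many paths are reported when no number is given.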
security Defender Vulnerability Management Capabilities https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-vulnerability-management/defender-vulnerability-management-capabilities.md
audience: ITPro Previously updated : 05/12/2022 Last updated : 07/26/2022 ms.prod: m365-security ms.technology: mdep1 ms.localizationpriority: medium
> [!NOTE] > Microsoft Defender Vulnerability Management, a new standalone offering will provide the complete set of vulnerability tools and capabilities discussed in this article. To learn more, go to [What is Microsoft Defender Vulnerability Management.](defender-vulnerability-management.md)
->[!Note]
+> [!NOTE]
> Want to experience Microsoft Defender Vulnerability Management? Learn more about how you can sign up to the [Microsoft Defender Vulnerability Management public preview trial](../defender-vulnerability-management/get-defender-vulnerability-management.md). This article helps clarify what Defender Vulnerability Management capabilities are included in the following plans:
This article helps clarify what Defender Vulnerability Management capabilities a
|:|:|:| [Device discovery](../defender-endpoint/device-discovery.md) <p> [Device inventory](../defender-endpoint/machines-view-overview.md) <p> [Vulnerability assessment](tvm-weaknesses.md) <p> [Configuration assessment](tvm-microsoft-secure-score-devices.md) <p> [Risk based prioritization](tvm-security-recommendation.md) <p> [Remediation tracking](tvm-remediation.md) <p> [Continuous monitoring](../defender-endpoint/configure-vulnerability-email-notifications.md) <p> [Software assessment](tvm-software-inventory.md) <p> | [Security baselines assessment](tvm-security-baselines.md) <p> [Block vulnerable applications](tvm-block-vuln-apps.md) <p> [Browser extensions](tvm-browser-extensions.md) <p> [Digital certificate assessment](tvm-certificate-inventory.md) <p> [Network share analysis](tvm-network-share-assessment.md) | [Device discovery](../defender-endpoint/device-discovery.md) <p> [Device inventory](../defender-endpoint/machines-view-overview.md) <p> [Vulnerability assessment](tvm-weaknesses.md) <p> [Continuous monitoring](../defender-endpoint/configure-vulnerability-email-notifications.md) <p> [Risk based prioritization](tvm-security-recommendation.md) <p> [Remediation tracking](tvm-remediation.md) <p> [Configuration assessment](tvm-microsoft-secure-score-devices.md) <p> [Software assessment](tvm-software-inventory.md) <p> [Security baselines assessment](tvm-security-baselines.md) <p> [Block vulnerable applications](tvm-block-vuln-apps.md) <p> [Browser extensions](tvm-browser-extensions.md) <p> [Digital certificate assessment](tvm-certificate-inventory.md) <p> [Network share analysis](tvm-network-share-assessment.md)|
+> [!NOTE]
+> Microsoft 365 Business Premium and the standalone version of Microsoft Defender for Business include the capabilities that are listed under **Core capabilities part of Defender for Endpoint Plan 2** in the preceding table.
+ ## Next steps - [Get Microsoft Defender Vulnerability Management](get-defender-vulnerability-management.md)
security Utilize Microsoft Defender For Office 365 In Sharepoint Online https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/step-by-step-guides/utilize-microsoft-defender-for-office-365-in-sharepoint-online.md
+
+ Title: Use Microsoft Defender for Office 365 in SharePoint Online
+description: The steps to ensure that you can use, and get the value from, Microsoft Defender for Office 365 in SharePoint Online and OneDrive for Business
+search.product:
+search.appverid:
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+f1.keywords:
+ - NOCSH
++
+ms.localizationpriority: medium
+
+audience: ITPro
++
+ms.technology: mdo
++
+# Use Microsoft Defender for Office 365 with SharePoint Online
+
+Microsoft SharePoint Online is a widely used user collaboration and file storage tool. The following steps help reduce the attack surface area in SharePoint Online and that help keep this collaboration tool in your organization secure. However, itΓÇÖs important to note there is a balance to strike between security and productivity, and not all these steps may be relevant for your organizational risk profile. Take a look, test, and maintain that balance.
+
+## What you'll need
+
+- Microsoft Defender for Office 365 Plan 1
+- Sufficient permissions (SharePoint administrator/security administrator).
+- Microsoft SharePoint Online (part of Microsoft 365).
+- Five to ten minutes to perform these steps.
+
+## Turn on Microsoft Defender for Office 365 in SharePoint Online
+If licensed for Microsoft Defender for Office 365 **(free 90-day evaluation available at aka.ms/trymdo)** you can ensure seamless protection from zero day malware and time of click protection within Microsoft Teams.
+
+To learn more, read [Step 1: Use the Microsoft 365 Defender portal to turn on Safe Attachments for SharePoint, OneDrive, and Microsoft Teams](/microsoft-365/security/office-365-security/turn-on-mdo-for-spo-odb-and-teams#step-1-use-the-microsoft-365-defender-portal-to-turn-on-safe-attachments-for-sharepoint-onedrive-and-microsoft-teams).
+
+1. Sign in to the [security centerΓÇÖs safe attachments configuration page](https://security.microsoft.com/safeattachmentv2).
+1. Select **Global settings**.
+1. Ensure that **Turn on Defender for Office 365 for SharePoint, OneDrive, and Microsoft Teams** is set to **on**.
+1. Navigate to the [security centerΓÇÖs Safe links configuration page](https://security.microsoft.com/safelinksv2).
+1. Select **Save**.
+
+## Stop infected file downloads from SharePoint Online
+
+By default, users can't open, move, copy, or share malicious files that are detected by Safe Attachments for SharePoint, OneDrive, and Microsoft Teams. However, the *Download* option is still available and should be *disabled*.
+
+To learn more, read [Step 2: (*Recommended*) Use SharePoint Online PowerShell to prevent users from downloading malicious files](/microsoft-365/security/office-365-security/turn-on-mdo-for-spo-odb-and-teams#step-2-recommended-use-sharepoint-online-powershell-to-prevent-users-from-downloading-malicious-files).
+
+1. Open and connect to [SharePoint Online PowerShell](/powershell/sharepoint/sharepoint-online/connect-sharepoint-online).
+1. Run the following command: **Set-SPOTenant -DisallowInfectedFileDownload $true**.
+
+### Further reading
+[Policy recommendations for securing SharePoint sites and files](/microsoft-365/security/office-365-security/sharepoint-file-access-policies)
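Review bot: In the numbered steps under "Turn on Microsoft Defender for Office 365 in SharePoint Online", step 4 sends the reader to the Safe Links configuration page and step 5 says "Select **Save**" without any setting being changed there; the Save belongs after step 3 (the Global settings toggle), and step 4 either needs an action of its own or should be removed. The paragraph above the steps promises protection "within Microsoft Teams", which looks carried over from a Teams guide; it should name SharePoint Online and OneDrive. The `Set-SPOTenant -DisallowInfectedFileDownload $true` command is set in bold inline text; put it in a powershell code block so it can be copied without the markup. The intro sentence "help reduce the attack surface area in SharePoint Online and that help keep" has a stray "that", and the apostrophes in "itΓÇÖs" and "centerΓÇÖs" are mis-encoded.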