Updates from: 09/01/2021 03:39:44
Category Microsoft Docs article Related commit history on GitHub Change details
admin Remove Former Employee Step 2 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/add-users/remove-former-employee-step-2.md
Once you've blocked a user from being able to log into your organization you can
**OR**
-2. Add the former employee's email address to your version of Outlook on Desktop, and then export the data to a .pst file. You can import the data to another email account as needed. Check out [Step 6 - Give another employee access to OneDrive and Outlook data](remove-former-employee-step-6.md).
+2. Add the former employee's email address to your version of Outlook on Desktop, and then export the data to a .pst file. You can import the data to another email account as needed. Check out [Step 4 - Give another employee access to OneDrive and Outlook data](remove-former-employee-step-4.md).
## Related content
admin Manage Groups https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/create-groups/manage-groups.md
This option is great if you want to have a company email address such as info@co
Sometimes you may want to permanently purge a group without waiting for the 30 day soft-deletion period to expire. To do that, start PowerShell and run this command to get the object ID of the group: ```powershell
-`Get-AzureADMSDeletedGroup`
+Get-AzureADMSDeletedGroup
``` Take note of the object ID of the group, or groups, that you want to permanently delete.
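Review bot: the code fence is fused onto the prose lines (the opening ```powershell sits at the end of the sentence above, and the closing ``` is followed on the same line by "Take note of the object ID"), so the block will not render as code; put the opening ```powershell and the closing ``` on their own lines. Dropping the inline backticks inside the fence is the right fix, since they would otherwise be shown literally in the rendered block.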
Take note of the object ID of the group, or groups, that you want to permanently
To purge the group run this command in PowerShell: ```powershell
-`Remove-AzureADMSDeletedDirectoryObject -Id <objectId>`
+Remove-AzureADMSDeletedDirectoryObject -Id <objectId>
``` To confirm that the group has been successfully purged, run the *Get-AzureADMSDeletedGroup* cmdlet again to confirm that the group no longer appears on the list of soft-deleted groups. In some cases it may take as long as 24 hours for the group and all of its data to be permanently deleted.
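Review bot: say before the command, not after it, that Remove-AzureADMSDeletedDirectoryObject bypasses the 30-day soft-deletion window described above and cannot be undone, and that <objectId> must be the ID just recorded from Get-AzureADMSDeletedGroup; the re-run of Get-AzureADMSDeletedGroup to confirm the purge is good and should stay. The same fence-on-its-own-line fix as in the previous hunk applies here.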
admin Set Password Expiration Policy https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/manage/set-password-expiration-policy.md
Follow the steps below if you want to set user passwords to expire after a speci
6. In the second box type when users are notified that their password will expire, and then select **Save**. Choose a number of days from 1 to 30. > [!NOTE]
-> Password expiration notifications are no longer supported in the Office 365 portal or any Office apps except Outlook.
+> Password expiration notifications are no longer supported in the Office 365 portal or any Office apps except Outlook when using Basic Authentication. Outlook with Modern Authentication does not support Password Expiry Notifications.
## Important things you need to know about the password expiration feature
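Review bot: step 6 still tells admins to pick 1 to 30 days for the notification, but the new note says Outlook with Modern Authentication does not support expiry notifications at all, so for those clients the value has no effect; state that limitation in step 6 itself rather than only in the note, so admins do not rely on a warning their users will never see. Separately, "> [!NOTE]" is fused onto the end of step 6 and needs its own line with a blank line before it to render as a note block.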
admin Get Started Windows 365 Business https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/setup/get-started-windows-365-business.md
All Windows 365 Business users have local administrator privileges on their Clou
## Management through Intune
-Windows 365 Business does not enroll Cloud PCs to [Intune](/mem/intune/fundamentals/what-is-intune) as part of the provisioning process. If the organization and users are properly licensed, Cloud PCs can be enrolled to Intune using the same procedure for [enrolling Windows 10 machines to Intune](/mem/intune/user-help/enroll-windows-10-device).
+If the organization and users are properly licensed, Cloud PCs can be enrolled to Intune using the same procedure for [enrolling Windows 10 machines to Intune](/mem/intune/user-help/enroll-windows-10-device).
## Sending outbound email messages using port 25 is not supported
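Review bot: the deleted sentence was the only explicit statement that provisioning does not enroll Cloud PCs in Intune; with it gone, a reader may assume a newly provisioned Cloud PC is already managed, which matters because this page says every Windows 365 Business user has local administrator privileges on their Cloud PC. Keep a one-line statement of the default enrollment state ahead of the "can be enrolled" sentence.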
bookings Bookings Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/bookings/bookings-overview.md
description: "An overview of the Microsoft Bookings app, which includes a web-ba
# Microsoft Bookings
-Microsoft Bookings makes scheduling and managing appointments a breeze. Bookings includes a web-based booking calendar and integrates with Outlook to optimize your staffΓÇÖs calendar and give your customers flexibility to book a time that works best for them. Automated notification emails reduce no-shows and enhance customer satisfaction, and organizations save time with a reduction in repetitive scheduling tasks. With built in flexibility and ability to customize, Bookings can be designed to fit the situation and needs of many different parts of an organization. The Bookings calendar is a mailbox in Exchange Online.
+Microsoft Bookings makes scheduling and managing appointments a breeze. Bookings includes a web-based booking calendar and integrates with Outlook to optimize your staffΓÇÖs calendar and give your customers flexibility to book a time that works best for them. Email and SMS text notifications reduce no-shows and enhances customer satisfaction Your organization saves time with a reduction in repetitive scheduling tasks. With built in flexibility and ability to customize, Bookings can be designed to fit the situation and needs of many different parts of an organization.
-Bookings provides you the ability to make your organizationΓÇÖs meetings virtual with online meetings via [Microsoft Teams](https://support.microsoft.com/office/overview-of-the-bookings-app-in-teams-7b8569e1-0c8a-444e-b712-d9968b05110b) and Skype for Business. Each appointment booked as an online meeting creates a unique meeting link that is sent to attendees so they can join via a web browser, phone dial-in, or the Skype or Teams app. Bookings is also available as an app within Teams, which allows you to create Bookings calendars, assign staff, and both schedule new and manage existing appointments without ever leaving Teams.
+> [!NOTE]
+> The Bookings calendar is a mailbox in Exchange Online.
+
+Use Bookings to make your organizationΓÇÖs meetings virtual with online meetings via [Microsoft Teams](https://support.microsoft.com/office/overview-of-the-bookings-app-in-teams-7b8569e1-0c8a-444e-b712-d9968b05110b) and Skype for Business. Each appointment booked as an online meeting creates a unique meeting link that is sent to attendees so they can join via a web browser, phone dial-in, or the Skype or Teams app. Bookings is also available as an app within Teams, which allows you to create Bookings calendars, assign staff, and both schedule new and manage existing appointments without ever leaving Teams.
Bookings has three primary components:
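Review bot: the rewritten paragraph has a subject-verb error and a lost sentence break: "Email and SMS text notifications reduce no-shows and enhances customer satisfaction Your organization saves time" should read "reduce no-shows and enhance customer satisfaction. Your organization saves time". Moving the Exchange Online mailbox fact into a [!NOTE] is fine.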
Bookings has three primary components:
Microsoft Bookings is available in the following subscriptions: - Office 365: A3, A5, E3, E5, F1, F3-- Microsoft 365: A3, A5, E3, E5, F1, F3, Business Premium
+- Microsoft 365: A3, A5, E3, E5, F1, F3, Business Standard, Business Premium
## Get started using Bookings
-Ready to get started?
-
-Watch this video or follow the steps below to set up Bookings.
-
-> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE26B1q]
-
-To get started, see [Get access to Microsoft Bookings](get-access.md). To turn Bookings on or off, see [Turn Bookings on or off for your organization](turn-bookings-on-or-off.md).
+To get started, see [Get access to Microsoft Bookings](get-access.md). To turn Bookings on or off, see [Turn Bookings on or off for your organization](turn-bookings-on-or-off.md).
bookings Customize Booking Page https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/bookings/customize-booking-page.md
description: "Change the color theme of your booking page in the Microsoft Booki
# Customize and publish your booking page
-The Booking Page is where you set up what your external customer facing booking page will look like. Once you customize and publish your booking page, your customers will use it to book appointments with you.
+The Booking Page is where you set up what your external facing booking page will look like. Once you customize and publish your booking page, people will use it to book appointments with you.
-To customize your booking page, sign in to [Office.com](https://office.com), and then go to **Bookings** \> **Booking page**. You can customize the booking page with the following options. Once you've setup up your Booking Page, you can publish it so customers can start booking appointments with you.
+To customize your booking page, sign in to [Office.com](https://office.com), and then go to **Bookings** \> **Booking page**. You can customize the booking page with the following options. Once you've setup up your Booking Page, you can publish it so people can start booking appointments with you.
1. In Microsoft 365, select the app launcher, and then select **Bookings**.
-2. In the navigation pane, select **Booking page**.
+2. In the navigation pane, select **Settings** -> **Booking page**.
The section below gives you information about setting up your bookings page and how to publish your page. -- **Booking page status** Publish your calendar live to make your service bookable. You have the options to share the link to your calendar via email and Twitter, and to add a **Book Now** button to a Facebook page. The link can also be embedded in your organizationΓÇÖs Web site.
+- **Configure booking page** Publish your calendar live to make your service bookable. You have the options to share the link to your calendar via email and Twitter, and to add a **Book Now** button to a Facebook page. The link can also be embedded in your organizationΓÇÖs Web site.
The internal Booking Page looks like this:
bookings Define Service Offerings https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/bookings/define-service-offerings.md
description: "Instructions for entering service offerings information, including
# Define your service offerings in Bookings
-When you define your service offerings in Microsoft Bookings, you set, a service name, description, location (choose whether you want to meet in person or have an online meeting), duration, default reminders to customers and staff, internal notes about the service, and pricing. You can also tag the employees who are qualified to provide the service. Then, when customers come to your business web site to book an appointment, they can see exactly what types of appointments are available, choose the person they want to provide the service, and how much their service will cost.
+When you define your service offerings in Microsoft Bookings, you set a service name, description, location (choose whether you want to meet in person or have an online meeting), duration, default reminders to customers and staff, internal notes about the service, and pricing. You can also tag the employees who are qualified to provide the service. Then, when customers come to your business web site to book an appointment, they can see exactly what types of appointments are available, choose the person they want to provide the service, and how much their service will cost.
You can also add customized information and URLs to the email confirmation and reminders that you send when someone books a service through your booking page. ## Create the service details
-1. Go to the [Manage services page](https://outlook.office.com/bookings/services) and select **Add a service**.
+1. In Microsoft 365, select the App launcher, and then select **Bookings**.
-2. **Service name**: enter the name of your service. This is the name that will appear in the drop-down menu on the Calendar page. This name will also appear when anyone manually adds an appointment on the Calendar page, and it will appear as a tile on the Self-service page.
+2. Go to **Settings** -> [Manage services page](https://outlook.office.com/bookings/settings/services) and select **Add new service**.
-3. **Description**: The description you enter is what will appear when a user clicks the information icon on the Self-service page.
+3. On the **Basic details** page, add your selections.
-4. **Default location**: This location is what will be displayed on confirmation and reminder emails for both staff and customers, and it will be displayed on the calendar event created for the booking.
+**Service name**: enter the name of your service. This is the name that will appear in the drop-down menu on the Calendar page. This name will also appear when anyone manually adds an appointment on the Calendar page, and it will appear as a tile on the Self-service page.
-5. **Add online meeting**: This setting enables or disables online meetings for each appointment, either via Teams or Skype, depending on which one you configure as the default client for the staff member.
+**Description**: The description you enter is what will appear when a user clicks the information icon on the Self-service page.
+
+**Default location**: This location is what will be displayed on confirmation and reminder emails for both staff and customers, and it will be displayed on the calendar event created for the booking.
+
+**Add online meeting**: This setting enables or disables online meetings for each appointment, either via Teams or Skype, depending on which one you configure as the default client for the staff member.
- Enabled:
You can also add customized information and URLs to the email confirmation and r
- Disabled: - Appointments will not contain a meeting option, and all of the meeting-related fields that appear when **Add online meeting** is enabled will not be shown.
-6. **Default duration**: This is how long all meetings will be booked for. The time is blocked beginning from the start time, which is selected during booking. The full appointment time will be blocked on the staff's calendars.
+**Duration**: This is how long all meetings will be booked for. The time is blocked beginning from the start time, which is selected during booking. The full appointment time will be blocked on the staff's calendars.
-7. **Buffer time your customer canΓÇÖt book**: Enabling this setting allows for the addition of extra time to the staffΓÇÖs calendar every time an appointment is booked.
+**Buffer time**: Enabling this setting allows for the addition of extra time to the staffΓÇÖs calendar every time an appointment is booked.
The time will be blocked on the staffΓÇÖs calendar and impact free/busy information. This means if an appointment ends at 3:00 pm and 10 minutes of buffer time has been added to the end of the meeting, the staffΓÇÖs calendar will show as busy and non-bookable until 3:10pm. This can be useful if your staff needs time before a meeting to prepare, such as a doctor reviewing a patientΓÇÖs chart, or a financial advisor preparing relevant account information. It can also be useful after a meeting, such as when someone needs time to travel to another location.
-8. **Let the customer manage their booking**: This setting determines whether or notthe customer can modify or cancel their booking, provided it was booked through the Calendar tab on the Bookings Web app.
+**Price not set** Select the price options that will display on the Self-Service page. If **Price not set** is selected, then no price or reference to cost or pricing will appear.
+
+**Notes** This field appears in the booking event for booked staff, as well as on the event that appears on the Calendar tab in the Bookings web app.
+
+**Maximum attendees per event** This setting allows you to create services that require the ability for multiple people to book the same appointment time and the same staff (such as a fitness class). The appointment time slot for the selected service, staff, and time will be available to book until the maximum number of attendees, specified by you, has been reached. Current appointment capacity and attendees can be viewed in the Calendar tab in the Bookings Web app.
+
+ :::image type="content" source="media/bookings-maximum-attendees.jpg" alt-text="Example of setting maximum attendees in Bookings":::
+
+**Let the customer manage their booking**: This setting determines whether or not the customer can modify or cancel their booking, provided it was booked through the Calendar tab on the Bookings Web app.
- Enabled:
You can also add customized information and URLs to the email confirmation and r
We recommend disabling this setting if you want to limit access to the Self-Service page. Additionally, we suggest adding text to your confirmation and reminder emails that tells your customers how to make changes to their booking through other means, such as by calling the office or emailing the help desk.
-9. **Maximum attendees per event** This setting allows you to create services that require the ability for multiple people to book the same appointment time and the same staff (such as a fitness class). The appointment time slot for the selected service, staff, and time will be available to book until the maximum number of attendees, specified by you, has been reached. Current appointment capacity and attendees can be viewed in the Calendar tab in the Bookings Web app.
+4. On the **Availability options** page, you can see the options you've selected from your **Booking page** for your scheduling policy and availability for your staff. For more information, see [Set your scheduling policies](set-scheduling-policies.md).
:::image type="content" source="media/bookings-maximum-attendees.jpg" alt-text="Example of setting maximum attendees in Bookings.":::
You can also add customized information and URLs to the email confirmation and r
11. **Notes** This field appears in the booking event for booked staff, as well as on the event that appears on the Calendar tab in the Bookings web app.
-12. **Custom Fields** This section allows questions to be added, or removed, if the customer needs to answer any in order to successfully book.
+6. **Custom fields** can be useful when collecting information that is needed every time the specific appointment is booked. Examples include insurance provider prior to a clinic visit, loan type for loan consultations, major of study for academic advising, or applicant ID for candidate interviews. These fields will appear on the Booking page when your customers book appointments with you and your staff.
- Customer email, phone number, address, and notes are non-removable fields, but you can make them optional by deselecting **Required** beside each field.
- - You can add a multiple choice or text-response question by selecting **Add a question**.
-
- Custom fields can be useful when collecting information that is needed every time the specific appointment is booked. Examples include insurance provider prior to a clinic visit, loan type for loan consultations, major of study for academic advising, or applicant ID for candidate interviews.
-
-13. **Reminders and Confirmations** Both types of emails are sent out to customers, staff members, or both, at a specified time period before the appointment. Multiple messages can be created for each appointment, according to your preference.
-
- - The default confirmation and reminder emails include basic information about the appointment, such as the customer/client name, staff member's name, the service or appointment booked, and the time of the appointment. For online meetings, a link to join will also be included. The ability to manage the booking can also be included, if this setting is enabled (as described above in step 8).
+7. On the **Reminders and Confirmations** page, you can set up reminders and notifications you send. Reminders and notifications are sent out to customers, staff members, or both, at a specified time before the appointment. Multiple messages can be created for each appointment, according to your preference.
:::image type="content" source="media/bookings-remind-confirm.jpg" alt-text="A confirmation email from Bookings.":::
- - Optionally, you can include any additional text you would like here, such as information about rescheduling or what customers should bring for the appointment. The following is an example of customized text added to the original confirmation email, seen in the **Additional information for Email Confirmation** field:
+ - You can include any additional text you would like here, such as information about rescheduling or what customers should bring for the appointment. The following is an example of customized text added to the original confirmation email, seen in the **Additional information for Email Confirmation** field:
:::image type="content" source="media/bookings-additional-info.jpg" alt-text="Additional information in a Bookings email.":::
-14. **Enable text message notifications for your customer** If selected, SMS messages are sent to the customer, but only if they opt-in.
+8. **Enable text message notifications for your customer** If selected, SMS messages are sent to the customer, but only if they opt-in.
- Opt-in box on the manual booking and Self-Service Page:
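Review bot: the removed bullets said that customer email, phone number, address and notes are non-removable fields that can only be made optional by deselecting **Required**, and that questions are added with **Add a question**; the new step 6 keeps only the examples, so an admin no longer learns which customer data is always collected or how to add or drop a question. Restore those two bullets under step 6.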
You can also add customized information and URLs to the email confirmation and r
:::image type="content" source="media/bookings-text-notifications.jpg" alt-text="A text notification from Bookings.":::
-15. **Publishing options** Choose whether to have this service appear as bookable on the Self-Service page, or to make the service bookable only on the Calendar tab within the Bookings Web app.
-
-16. **Scheduling Policy** This setting determines how appointment times are viewed, and the time period in which bookings can be made or cancelled.
-
-17. **Email notifications** Sets when emails are sent to organization staff and to customers or clients.
-
-18. **Staff** Selecting this checkbox allows customers or clients to choose a specific staff member for their appointment.
-
- - Enabled:
-
- Customers can choose from all staff assigned to the appointment when booking on the Self-Service page. Selecting the option of **Anyone** will make Bookings choose an available staff member at random to assign to the appointment.
-
- - Disabled:
-
- Customers booking via the Self-Service page can select a service and a time and date. The available staff will be booked at random. Note that specific staff can still be selected when booked through the Calendar tab in the Bookings Web app.
-
-19. **Availability** The following options determine when the service can be booked:
-
- - **Bookable when staff are free** The service maintains availability based on when staff are free within business hours, with no extra time restrictions.
-
- - **Custom hours (recurring weekly)** The service has an added layer of availability that can be further restricted (in addition to restricting by business hours or with staff hours). Use this option when your service can only be provided or performed at a specific time.
-
- - **Set different availability for a date range** This setting impacts availability at a specific point in time, instead of a recurring basis. For example, this could be used when a machine that is needed for the service is temporarily being serviced and unavailable, or when an organization is closed for a holiday.
+9. The **Default scheduling options** is on by default. Turn the toggle off if you want to customize how customers book a particular staff member.
-20. **Assign Staff** Select the staff (provided you have added staff members to the Staff tab) who will be bookable for that specific service. Selecting no individual staff will result in all staff being assigned to the service.
+10. **Publishing options** Choose whether to have this service appear as bookable on the Self-Service page, or to make the service bookable only on the Calendar tab within the Bookings Web app.
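Review bot: the deleted **Staff**, **Availability** and **Assign Staff** items have no visible replacement: new step 9 says to turn off **Default scheduling options** to customize how customers book a particular staff member, but no longer explains the staff-selection behaviour (random assignment when **Anyone** is chosen or when staff selection is disabled), the availability options, or that assigning no staff assigns everyone. Either restore that text under step 9 or link to the page that now covers it, as step 4 does for scheduling policies.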
bookings Employee Hours https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/bookings/employee-hours.md
description: "Set employee working hours and availability in Microsoft Bookings.
# Employee working hours in Microsoft Bookings
-Setting employee working hours ensures that their availability is accurately shown when your customers try to book them. By default, the working hours for each of your employees match the business hours you've established in the Microsoft Bookings app. See the "Set your business hours" section of [Enter business information](enter-business-information.md#set-your-business-hours).
+Setting employee working hours ensures that their availability is accurately shown when your customers try to book them. By default, the working hours for each of your employees match the business hours you've established in the Microsoft Bookings app. See the "Set your business hours" section of [Enter business information](enter-business-information.md).
On the **Staff** page, you can customize employee working hours to match the needs of your business and employees.
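Review bot: dropping the #set-your-business-hours anchor is consistent with that heading being removed from enter-business-information.md in this same update, but the sentence still quotes a "Set your business hours" section that no longer exists as a heading; reword it to point at the business hours step of the Business information page.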
bookings Enter Business Information https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/bookings/enter-business-information.md
The information you provide here will be displayed on the page customers and cli
1. In Microsoft 365, select the App launcher, and then select **Bookings**.
-1. In the navigation pane, select **Business information**.
+1. In the navigation pane, select **Settings** -> **Business information**.
-1. Enter the relevant name, address, and phone number you would like to use for your Bookings calendar.
+1. On the **Basic details** section, enter your business name, address, and phone number you would like to use for your Bookings calendar.
-1. In **Send customer replies to**, type the preferred email address where email replies to booking confirmations and reminders should be forwarded.
-1. In the **Website URL** field, enter the URL of the home page for your business.
+In **Send customer replies to**, type the preferred email address where email replies to booking confirmations and reminders should be forwarded.
-1. Enter the **privacy policy** and **terms & conditions** URLs.
+In the **Website URL** field, enter the URL of the home page for your business.
-1. Select **Save**.
+Enter the **privacy policy** and **terms & conditions** URLs.
-## Set your business hours
+1. On the **Business logo** section, if you haven't already uploaded your business logo to the Bookings app, add your business logo.
-By default, the business hours in the Bookings app are set to 8 a.m. to 5 p.m., Monday through Friday. Times are provided in 15-minute increments. The Bookings app uses the 12-hour clock.
+1. On the **Set your business hours** section, set business hours to your operational hours. These are the hours to which all bookings are restricted. Additional time restrictions of when appointments can be booked can be set for each service and for each staff member in the **Services** and **Staff** pages.
-Set **business hours** to your operational hours. These are the hours to which all bookings are restricted. Additional time restrictions of when appointments can be booked can be set for each service and for each staff member in the Services and Staff pages, respectively.
+On the Business information page, under Business hours, use the dropdowns to select start and end times for each day. Click **+** to add start- and end-time selectors.
-1. On the Business information page, under Business hours, use the dropdowns to select start and end times for each day.
+By default, the business hours in the Bookings app are set to 8 a.m. to 5 p.m., Monday through Friday. Times are provided in 15-minute increments. The Bookings app uses the 12-hour clock.
-1. Click **+** to add start- and end-time selectors.
+1. Select **Save**.
-## How to set hours for a split shift
+### How to set hours for a split shift
You might need to block out a portion of each day or week to have staff meetings, update inventory, or take care of other rhythm-of-business details. The Bookings app allows you to limit customer appointments to your specified time slots.
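Review bot: the "In **Send customer replies to**", "In the **Website URL** field", "Enter the **privacy policy**", "On the Business information page" and "By default, the business hours" lines are unindented paragraphs between "1." items; in Markdown a paragraph at column 0 ends the list, so each following "1." starts a fresh list numbered 1 instead of continuing. Indent those paragraphs by three spaces under the step they belong to, and check that the split-shift section, now a "###", still has a parent "##" heading since "Set your business hours" is no longer one.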
bookings Get Access https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/bookings/get-access.md
The first time you use [Bookings](https://outlook.office.com/bookings/onboarding
1. Select **Get it now** and choose, **Add a booking calendar**. If this isn't your first time on this page, you can select another booking calendar or do a search for another booking calendar. - 2. Enter your business name and business type and select **Continue**. You're now ready to set up Bookings for your organization. You can get to the Bookings page with this [link](https://outlook.office.com/bookings/onboarding), from the app launcher or from office.com. Use the following topics to continue setting up your Bookings features.
bookings Get Bookings App https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/bookings/get-bookings-app.md
description: "The Bookings mobile apps are not yet available worldwide. This art
# Get the Microsoft Bookings app for iOS and Android
-Thanks for downloading the Microsoft Bookings app! Microsoft Bookings is available as a mobile app for iOS and Android. The Bookings app for iOS is available in all regions and countries that Apple supports. You can download the app from the [iTunes App Store](https://apps.apple.com/app/microsoft-bookings/id1065657468). The Bookings app for Android is available for download from the [Google Play Store](https://play.google.com/store/apps/details?id=com.microsoft.exchange.bookings) in the US and Canada.
+Microsoft Bookings is available as a mobile app for iOS and Android. The Bookings app for iOS is available in all regions and countries that Apple supports. You can download the app from the [iTunes App Store](https://apps.apple.com/app/microsoft-bookings/id1065657468). The Bookings app for Android is available for download from the [Google Play Store](https://play.google.com/store/apps/details?id=com.microsoft.exchange.bookings) in the US and Canada.
+
+## Before you begin
Before getting started, you need to set up Bookings on the web.
-1. Can't find the app you're looking for? From the app launcher, select All apps to see an alphabetical list of the Microsoft 365 apps available to you. From there, you can search for a specific app
+1. From the app launcher, select All apps to see an alphabetical list of the Microsoft 365 apps available to you. From there, you can search for a specific app
![Image of app launcher.](../media/bookings-all-apps-launcher.png)
Before getting started, you need to set up Bookings on the web.
3. Select **Get it now**.
-4. Provide the name and type of business you run, such as hair salon or dental practice, and select **To Bookings**.
+4. Provide the name and type of business or organization you own or run.
+
+5. You're now ready to set up Bookings for your organization. Follow the steps in the [Microsoft Bookings](bookings-overview.md) topic to finish setting up Bookings.
+
+## Download the Bookings app
-5. You're now ready to set up Bookings for your organization. Follow the steps in the [Microsoft Bookings](bookings-overview.md) topic to finish setting up Bookings. Go back to your mobile device and log out of the mobile app. Log back in to go to your new booking calendar.
+Once you've set up the Bookings web app, go to your device's online store and download the Bookings app and sign in with your admin account.
## View-only mode
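Review bot: "sign in with your admin account" reads as a standing requirement for the mobile app; if admin rights are only needed for the web-side setup in the previous section, say that regular licensed staff sign in with their own accounts, since keeping an admin identity signed in on a phone is more exposure than day-to-day scheduling needs. The previous text's advice to log out of the mobile app and back in after the web setup was also dropped; if the new calendar does not appear until the app re-authenticates, keep that instruction.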
bookings Reporting Info https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/bookings/reporting-info.md
This appointment level information can be used to visualize the customer activit
## See four months of Booking activity
-1. On the Bookings calendar dashboard, select **Export more data as TSV**.
+1. In Microsoft 365, select the App launcher, and then select **Bookings**.
+1. On the Bookings home page, select **Export**.
+
+1. On the **Export recent data** page, select your date range and select **Export**.
1. Save the file with a new name, and specify .xls or xlsx format.
This appointment level information can be used to visualize the customer activit
1. Choose the date for your report and select **Export**. - 1. The downloaded report contains a new set of fields in addition to the existing fields. The report includes the following fields.
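Review bot: the procedure now contains two date-selection/export steps: the new "On the **Export recent data** page, select your date range and select **Export**" and the unchanged "Choose the date for your report and select **Export**" that still follows the save step; keep one of them (or merge them) so the sequence reads select date range, export, save. Minor: "specify .xls or xlsx format" in the save step should read ".xls or .xlsx".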
bookings Turn Bookings On Or Off https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/bookings/turn-bookings-on-or-off.md
Admins can require employees in their organization to opt-in before their availa
When this setting is enabled, employees added as staff in booking calendars will find an Approve/Reject link in the email notification they receive.
-This feature is gradually rolling out world wide to Microsoft 365 customers. If you don't see this option in the Microsoft 365 admin center, check back soon.
- ## Block social sharing options Admins can control how booking pages are shared on social networks. This setting is available in the Microsoft 365 admin center under **Settings** \> **Settings** \> **Bookings**.
-This feature is gradually rolling out world wide to Microsoft 365 customers. If you don't see this option in the Microsoft 365 admin center, check back soon.
- ## Allow only selected users to create Bookings calendars By using policy restrictions, you can restrict licensed users from being able to create Bookings calendars. You must first enable Bookings for your entire organization. All users in you organization will have Bookings licenses, but only those included in the policy can create Bookings calendars and have full control over who can access the calendars they create.
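Review bot: both "This feature is gradually rolling out world wide" notices are removed without any replacement statement of availability; if the staff opt-in and social-sharing settings are now generally available, a one-line statement to that effect helps admins who still don't see the option, and if they are not, the notices should stay (with "world wide" corrected to "worldwide"). Separately, "All users in you organization will have Bookings licenses" in the "Allow only selected users to create Bookings calendars" paragraph should read "your organization".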
commerce Withholding Tax Credit Global https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/billing-and-payments/withholding-tax-credit-global.md
f1.keywords:
-+ audience: Admin
commerce Withholding Tax Credit India https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/billing-and-payments/withholding-tax-credit-india.md
f1.keywords:
-+ audience: Admin
compliance Dlp Conditions And Exceptions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/dlp-conditions-and-exceptions.md
The tables in the following sections describe the conditions and exceptions that
|condition or exception in DLP|condition/exception parameters in Microsoft 365 PowerShell|property type|description| ||||| |Sender is|condition: *From* <br/> exception: *ExceptIfFrom*|Addresses|Messages that are sent by the specified mailboxes, mail users, mail contacts, or Microsoft 365 groups in the organization.|
+|The sender is a member of |_FromMemberOf_ <br/> _ExceptIfFromMemberOf_|Addresses|Messages that are sent by a member of the specified distribution group, mail-enabled security group, or Microsoft 365 group.|
|Sender IP address is|condition: *SenderIPRanges*<br/> exception: *ExceptIfSenderIPRanges*|IPAddressRanges|Messages where the sender's IP address matches the specified IP address, or falls within the specified IP address range.| |Sender address contains words|condition: *FromAddressContainsWords* <br/> exception: *ExceptIfFromAddressContainsWords*|Words|Messages that contain the specified words in the sender's email address.| |Sender address matches patterns|condition: *FromAddressMatchesPatterns* <br/> exception: *ExceptFromAddressMatchesPatterns*|Patterns|Messages where the sender's email address contains text patterns that match the specified regular expressions.|
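Review bot: the added "The sender is a member of" row uses a different cell convention from the rest of the table: `_FromMemberOf_ <br/> _ExceptIfFromMemberOf_` with no "condition:" / "exception:" labels and underscores instead of asterisks for emphasis; use the existing form, `condition: *FromMemberOf* <br/> exception: *ExceptIfFromMemberOf*`, so the column reads consistently. While in this table, the unchanged "Sender address matches patterns" row lists the exception as *ExceptFromAddressMatchesPatterns*, which is missing "If" (*ExceptIfFromAddressMatchesPatterns*).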
The tables in the following sections describe the conditions and exceptions that
|Recipient address contains words|condition: *AnyOfRecipientAddressContainsWords* <br/> exception: *ExceptIfAnyOfRecipientAddressContainsWords*|Words|Messages that contain the specified words in the recipient's email address. <br/>**Note**: This condition doesn't consider messages that are sent to recipient proxy addresses. It only matches messages that are sent to the recipient's primary email address.| |Recipient address matches patterns|condition: *AnyOfRecipientAddressMatchesPatterns* <br/> exception: *ExceptIfAnyOfRecipientAddressMatchesPatterns*|Patterns|Messages where a recipient's email address contains text patterns that match the specified regular expressions. <br/> **Note**: This condition doesn't consider messages that are sent to recipient proxy addresses. It only matches messages that are sent to the recipient's primary email address.| |Sent to member of|condition: *SentToMemberOf* <br/> exception: *ExceptIfSentToMemberOf*|Addresses|Messages that contain recipients who are members of the specified distribution group, mail-enabled security group, or Microsoft 365 group. The group can be in the **To**, **Cc**, or **Bcc** fields of the message.|
+|The recipient's specified properties include any of these words |_RecipientADAttributeContainsWords_ <br/> _ExceptIfRecipientADAttributeContainsWords_|First property: `ADAttribute` <p> Second property: `Words`|Messages where the specified Active Directory attribute of a recipient contains any of the specified words. <p> Note that the **Country** attribute requires the two-letter country code value (for example, DE for Germany).|
+|The recipient's specified properties match these text patterns |_RecipientADAttributeMatchesPatterns_ <br/> _ExceptIfRecipientADAttributeMatchesPatterns_|First property: `ADAttribute` <p> Second property: `Patterns`|Messages where the specified Active Directory attribute of a recipient contains text patterns that match the specified regular expressions.|
| ### Message subject or body
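Review bot: the two added "The recipient's specified properties ..." rows have the same convention mismatch: `_RecipientADAttributeContainsWords_ <br/> _ExceptIfRecipientADAttributeContainsWords_` without the "condition:" / "exception:" labels and with underscores for emphasis, whereas the existing rows use `condition: *Name* <br/> exception: *ExceptIfName*`. The "property type" cell of these rows also separates "First property" and "Second property" with `<p>` while the rest of the table uses `<br/>`; pick one. The "Note that the **Country** attribute requires the two-letter country code value" sentence is useful; consider the same "**Note**:" lead-in used by the recipient-address rows above so notes look alike across the table.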
compliance Ediscovery Decryption https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/ediscovery-decryption.md
The following table identifies the supported tasks that can be performed in Micr
|eDiscovery task |Content search |Core eDiscovery |Advanced eDiscovery | |:|:|:|:|
-|Search for content in encrypted files in email and sites<sup>1</sup> |Yes |Yes |Yes |
+|Search for content in encrypted files in sites and email attachments<sup>1</sup> |No |No |Yes |
|Preview encrypted files attached to email |Yes |Yes |Yes | |Preview encrypted documents in SharePoint and OneDrive|No |No |Yes | |Review encrypted files in a review set |N/A |N/A | Yes |
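Review bot: the reworked row "Search for content in encrypted files in sites and email attachments" merges two scenarios under one footnote, but footnote 1 as reworded in this change describes only email-attachment limitations (local files and cloud copies), not site content; either split the row into a sites row and an email-attachments row, or attach the footnote marker to the attachment case only, so the No/No/Yes values can be read per scenario. Note also that the row directly below, "Preview encrypted files attached to email", still says Yes for Content search and Core eDiscovery, so the table now states that those tools can preview encrypted attachments but not search their content; if that is intended, a short sentence under the table would preempt the obvious question.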
The following table identifies the supported tasks that can be performed in Micr
||||| > [!NOTE]
-> <sup>1</sup> Encrypted files that are located on a local computer (and not stored on a SharePoint or OneDrive site) aren't indexed for eDiscovery. That means if an encrypted local file is attached to an email message, the file won't be returned by a keyword search query, even if the file contains keywords that match the search query. However, email messages with local encrypted file can be returned by an eDiscovery search if an email property (such as sent date, sender, recipient, or subject) matches the search query.
+> <sup>1</sup> Encrypted files located on a local computer and cloud attachments copied to an email message aren't decrypted and indexed for eDiscovery. For more information and a workaround for these scenarios, see the [Decryption limitations with email attachments](#decryption-limitations-with-email-attachments) section in this article.
-### Decryption limitations with sensitivity labels
+## Decryption limitations with sensitivity labels in SharePoint and OneDrive
eDiscovery doesn't support encrypted files in SharePoint and OneDrive when a sensitivity label that applied the encryption is configured with either of the following settings:
For more information about these settings, see the "Configure encryption setting
Documents encrypted with the previous settings can still be returned by an eDiscovery search. This may happen when a document property (such as the title, author, or modified date) matches the search criteria. Although these documents might be included in search results, they can't be previewed or reviewed. These documents will also remain encrypted when they're exported in Advanced eDiscovery.
+## Decryption limitations with email attachments
+
+The following scenarios describe limitations in the decryption of files attached to email messages. These scenario descriptions also include workarounds to mitigate these limitations.
+
+- If a file that's located on a local computer (and not stored in a SharePoint site or OneDrive account) is attached to an email message, and a sensitivity label that applies encryption is applied to the email message, the attached file can't be decrypted by eDiscovery. That means that if you run a keyword search query of the recipient's mailbox, the encrypted file attachment won't be returned by a keyword search query.
+
+ The workaround for this limitation is to search the sender's mailbox for the same file attachment. That's because the encryption applied by the sensitivity label is applied during transport of the email message. This means the attachment is encrypted when the email message is sent. The result is the instance of the attached file in the sender's mailbox is unencrypted, even though the same file in the recipient's mailbox is encrypted.
+
+- Similarly, cloud attachments (files stored in a SharePoint site or OneDrive account) that are copied to an email message (by using the **Attach as copy** option in Outlook) can't be decrypted by eDiscovery. This is also because the encryption that applied by a sensitivity label is applied when the email message is sent. Searching the sender's mailbox for the unencrypted instance of the copy of the cloud attachment is also the workaround for this limitation.
+
+In both these scenarios, email messages with encrypted file attachments can be returned by an eDiscovery search if an email property (such as sent date, sender, recipient, or subject) matches the search query.
+ ## Requirements for decryption in eDiscovery You have to be assigned the RMS Decrypt role to preview, review, and export files encrypted with Microsoft encryption technologies. You also have to be assigned this role to review and query encrypted files that are added to a review set in Advanced eDiscovery.
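Review bot: in the second bullet of the new "Decryption limitations with email attachments" section, "the encryption that applied by a sensitivity label is applied" is missing a verb; suggest "the encryption that's applied by a sensitivity label is applied when the email message is sent" or simply "the sensitivity label's encryption is applied when the email message is sent". In the first bullet, "if you run a keyword search query of the recipient's mailbox, the encrypted file attachment won't be returned by a keyword search query" repeats "keyword search query"; end with "won't be returned". Also, promoting "### Decryption limitations with sensitivity labels" to "## Decryption limitations with sensitivity labels in SharePoint and OneDrive" changes its anchor; check that no other article still links to `#decryption-limitations-with-sensitivity-labels`, and that this section, the new "## Decryption limitations with email attachments" and the existing "## Requirements for decryption in eDiscovery" are meant to sit at the same heading level.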
security TOC https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/TOC.md
## [Overview]() ### [What is Microsoft Defender for Endpoint?](microsoft-defender-endpoint.md)
+### [Compare Defender for Endpoint Plan 1 to Plan 2](defender-endpoint-plan-1-2.md)
### [Minimum requirements](minimum-requirements.md) ### [What's new in Microsoft Defender for Endpoint?](whats-new-in-microsoft-defender-atp.md) ### [Preview features](preview.md) ### [Data storage and privacy](data-storage-privacy.md) ### [Overview of Microsoft Defender Security Center](use.md) ### [Portal overview](portal-overview.md)
+### [Defender for Endpoint Plan 1 (preview)]()
+#### [Overview](defender-endpoint-plan-1.md)
+#### [Setup and configuration](mde-p1-setup-configuration.md)
+#### [Get started](mde-plan1-getting-started.md)
+#### [Maintenance and operations](mde-p1-maintenance-operations.md)
### [Microsoft Defender for Endpoint for US Government customers](gov.md) ### [Microsoft Defender for Endpoint on non-Windows platforms](non-windows.md) + ## [Evaluate capabilities](evaluation-lab.md) ## [Plan deployment](deployment-strategy.md)
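Review bot: the new "Compare Defender for Endpoint Plan 1 to Plan 2" entry is inserted near the top of Overview (between "What is Microsoft Defender for Endpoint?" and "Minimum requirements"), while the "Defender for Endpoint Plan 1 (preview)" subtree it belongs with is added several entries later, after "Portal overview"; placing the compare entry next to, or inside, that subtree keeps the plan material together. Minor: the empty link on "### [Defender for Endpoint Plan 1 (preview)]()" is consistent with the other parent nodes in this TOC, but the Plan 1 overview (defender-endpoint-plan-1.md) could serve as the parent link, as this same change does for the migration nodes further down.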
#### [Onboard supported devices](onboard-configure.md) ## [Migration guides](migration-guides.md)
-### [Switch from non-Microsoft endpoint protection to Defender for Endpoint]()
-#### [Overview of migration](switch-to-microsoft-defender-migration.md)
+### [Switch from non-Microsoft endpoint protection to Defender for Endpoint](switch-to-microsoft-defender-migration.md)
#### [Phase 1: Prepare](switch-to-microsoft-defender-prepare.md) #### [Phase 2: Setup](switch-to-microsoft-defender-setup.md) #### [Phase 3: Onboard](switch-to-microsoft-defender-onboard.md)
-### [Manage Defender for Endpoint after migration]()
-#### [Overview of managing Defender for Endpoint](manage-atp-post-migration.md)
-#### [Intune (recommended)](manage-atp-post-migration-intune.md)
-#### [Configuration Manager](manage-atp-post-migration-configuration-manager.md)
-#### [Group Policy Objects](manage-atp-post-migration-group-policy-objects.md)
-#### [PowerShell, WMI, and MPCmdRun.exe](manage-atp-post-migration-other-tools.md)
-
+### [Manage Defender for Endpoint after migration](manage-atp-post-migration.md)
+#### [Use Intune (recommended)](manage-atp-post-migration-intune.md)
+#### [Use Configuration Manager](manage-atp-post-migration-configuration-manager.md)
+#### [Use Group Policy](manage-atp-post-migration-group-policy-objects.md)
+#### [Use PowerShell, WMI, or MPCmdRun.exe](manage-atp-post-migration-other-tools.md)
## [Configure and onboard devices]() ### [Microsoft Defender for Endpoint on Windows and Windows Server]()
security Configure Extension File Exclusions Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-extension-file-exclusions-microsoft-defender-antivirus.md
Last updated : 08/27/2021 # Configure and validate exclusions based on file extension and folder location
The following table lists some examples of exclusions based on file extension an
|Any file under a specific folder|All files under the `c:\test\sample` folder|File and folder exclusions| |A specific file in a specific folder|The file `c:\sample\sample.test` only|File and folder exclusions| |A specific process|The executable file `c:\test\process.exe`|File and folder exclusions|
-|
## Characteristics of exclusion lists
The following table lists cmdlets that you can use in the `<cmdlet>` portion of
<br>
-****
- |Configuration action|PowerShell cmdlet| |:|:| |Create or overwrite the list|`Set-MpPreference`| |Add to the list|`Add-MpPreference`| |Remove item from the list|`Remove-MpPreference`|
-|
The following table lists values that you can use in the `<exclusion list>` portion of the PowerShell cmdlet: <br>
-****
- |Exclusion type|PowerShell parameter| ||| |All files with a specified file extension|`-ExclusionExtension`| |All files under a folder (including files in subdirectories), or a specific file|`-ExclusionPath`|
-|
> [!IMPORTANT] > If you have created a list, either with `Set-MpPreference` or `Add-MpPreference`, using the `Set-MpPreference` cmdlet again will overwrite the existing list.
You can use the asterisk `*`, question mark `?`, or environment variables (such
> - Environment variable usage is limited to machine variables and those applicable to processes running as an NT AUTHORITY\SYSTEM account. > - You cannot use a wildcard in place of a drive letter. > - An asterisk `*` in a folder exclusion stands in place for a single folder. Use multiple instances of `\*\` to indicate multiple nested folders with unspecified names.-
+> - Currently, Microsoft Endpoint Configuration Manager does not support wildcard characters (such as `*` or `?`).
+
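Review bot: the new bullet "Currently, Microsoft Endpoint Configuration Manager does not support wildcard characters (such as `*` or `?`)" sits in a list whose other items describe how the wildcards behave once accepted, so it reads as a matching rule rather than a tooling caveat; consider a separate note before the list, and say whether environment variables are affected too, since the lead sentence groups `*`, `?` and environment variables together. The preceding context line also ends with a stray "-" after "unspecified names." that should be removed.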
The following table describes how the wildcards can be used and provides some examples. <br>
-****
- |Wildcard|Examples| ||| |`*` (asterisk) <p> In **file name and file extension inclusions**, the asterisk replaces any number of characters, and only applies to files in the last folder defined in the argument. <p> In **folder exclusions**, the asterisk replaces a single folder. Use multiple `*` with folder slashes `\` to indicate multiple nested folders. After matching the number of wild carded and named folders, all subfolders are also included.|`C:\MyData\*.txt` includes `C:\MyData\notes.txt` <p> `C:\somepath\*\Data` includes any file in `C:\somepath\Archives\Data` and its subfolders, and `C:\somepath\Authorized\Data` and its subfolders <p> `C:\Serv\*\*\Backup` includes any file in `C:\Serv\Primary\Denied\Backup` and its subfolders and `C:\Serv\Secondary\Allowed\Backup` and its subfolders| |`?` (question mark) <p> In **file name and file extension inclusions**, the question mark replaces a single character, and only applies to files in the last folder defined in the argument. <p> In **folder exclusions**, the question mark replaces a single character in a folder name. After matching the number of wild carded and named folders, all subfolders are also included.|`C:\MyData\my?.zip` includes `C:\MyData\my1.zip` <p> `C:\somepath\?\Data` includes any file in `C:\somepath\P\Data` and its subfolders <p> `C:\somepath\test0?\Data` would include any file in `C:\somepath\test01\Data` and its subfolders| |Environment variables <p> The defined variable is populated as a path when the exclusion is evaluated.|`%ALLUSERSPROFILE%\CustomLogFiles` would include `C:\ProgramData\CustomLogFiles\Folder1\file1.txt`|
-|
> [!IMPORTANT] > If you mix a file exclusion argument with a folder exclusion argument, the rules will stop at the file argument match in the matched folder, and will not look for file matches in any subfolders.
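Review bot: in the wildcard table both the `*` and `?` rows say "In **file name and file extension inclusions**", but this article is about exclusions; these should read "exclusions" to match the "In **folder exclusions**" phrase in the same cells. Also "wild carded" should be "wildcarded" in both rows, and the `<br>` left between the lead sentence and the table is unnecessary now that the `****` rule before it is removed.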
The following table describes how the wildcards can be used and provides some ex
The following table lists and describes the system account environment variables. <br>-
-****
-
+
|This system environment variable...|Redirects to this| ||| |`%APPDATA%`|`C:\Users\UserName.DomainName\AppData\Roaming`|
The following table lists and describes the system account environment variables
|`%USERPROFILE%\AppData\Local`|`C:\Windows\System32\config\systemprofile\AppData\Local`| |`%USERPROFILE%\AppData\LocalLow`|`C:\Windows\System32\config\systemprofile\AppData\LocalLow`| |`%USERPROFILE%\AppData\Roaming`|`C:\Windows\System32\config\systemprofile\AppData\Roaming`|
-|
## Review the list of exclusions
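Review bot: the lead sentence "The following table lists and describes the system account environment variables. <br>-" ends with a stray "-" in the context line just above this hunk's blank-line change; remove it together with the `<br>`, which is no longer needed once the `****` rule is gone.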
security Defender Endpoint Plan 1 2 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/defender-endpoint-plan-1-2.md
+
+ Title: Compare Microsoft Defender for Endpoint Plan 1 (preview) to Plan 2
+description: Compare Defender for Endpoint Plan 1 to Plan 2. Learn about the differences between the plans and select the plan that suits your organization's needs.
+keywords: Defender for Endpoint, advanced threat protection, endpoint protection
+search.appverid: MET150
+++
+audience: ITPro
+ Last updated : 08/30/2021
+ms.technology: mde
+localization_priority: Normal
+
+f1.keywords: NOCSH
++
+# Microsoft Defender for Endpoint Plan 1 (preview) and Plan 2
+
+Microsoft Defender for Endpoint is an enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats. Defender for Endpoint provides advanced threat protection that includes antivirus, antimalware, ransomware mitigation, and more, together with centralized management and reporting. Soon, two plans will be available:
+
+- [Microsoft Defender for Endpoint Plan 1](defender-endpoint-plan-1.md), currently in preview; and
+- [Microsoft Defender for Endpoint Plan 2](microsoft-defender-endpoint.md), available now, and known as [Microsoft Defender for Endpoint](microsoft-defender-endpoint.md).
+
+## Compare Defender for Endpoint plans
+
+The following table describes what's included in each plan at a high level.
+
+| [Defender for Endpoint Plan 1](defender-endpoint-plan-1.md) <br/>(preview) | [Defender for Endpoint Plan 2](microsoft-defender-endpoint.md) <br/>(available now) |
+|:|:|
+| [Next-generation protection](defender-endpoint-plan-1.md#next-generation-protection) <br/>(includes antimalware and antivirus) <p> [Attack surface reduction](defender-endpoint-plan-1.md#attack-surface-reduction) <p> [Manual response actions](defender-endpoint-plan-1.md#manual-response-actions) <p> [Centralized management](defender-endpoint-plan-1.md#centralized-management) <p>[Security reports](defender-endpoint-plan-1.md#reporting) <p>[APIs](defender-endpoint-plan-1.md#apis) | [Defender for Endpoint Plan 1](defender-endpoint-plan-1.md), plus: <p> [Device discovery](device-discovery.md) <p> [Threat and vulnerability management](next-gen-threat-and-vuln-mgt.md) <p> [Automated investigation and response](automated-investigations.md) <p> [Advanced hunting](advanced-hunting-overview.md) <p> [Endpoint detection and response](overview-endpoint-detection-response.md) <p> [Microsoft Threat Experts](microsoft-threat-experts.md) |
+| [Support for Windows 10, iOS, Android OS, and macOS devices](defender-endpoint-plan-1.md#cross-platform-support) | Support for Windows (client and server) and non-Windows platforms<br/> (macOS, iOS, Android, and Linux) |
+| To try Defender for Endpoint Plan 1, visit [https://aka.ms/mdep1trial](https://aka.ms/mdep1trial). | To try Defender for Endpoint Plan 2, visit [https://aka.ms/MDEp2OpenTrial](https://aka.ms/MDEp2OpenTrial). |
+
+> [!IMPORTANT]
+> Some information in this article relates to prereleased products/services that might be substantially modified before they are commercially released. Microsoft makes no warranties, express or implied, for the information provided here. This content includes links to other articles that might describe some features that are not included in Defender for Endpoint Plan 1 (preview).
+
+## Next steps
+
+- [Get an overview of Microsoft Defender for Endpoint Plan 1 (preview)](defender-endpoint-plan-1.md)
+- [Set up and configure Defender for Endpoint Plan 1 (preview)](mde-p1-setup-configuration.md)
+- [Get started using Defender for Endpoint Plan 1 (preview)](mde-plan1-getting-started.md)
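Review bot: "Soon, two plans will be available" in the introduction conflicts with the bullet list that follows, which says Plan 2 is "available now" and Plan 1 is already in preview; say "Two plans are available" (one in preview) or state what is actually still pending. The two new articles also disagree on naming: here Plan 2 is "known as Microsoft Defender for Endpoint", while the Plan 1 overview says "formerly known as"; pick one. The rendered metadata shows `+++` and `++` lines where only delimiters or blank lines are expected, so it is worth confirming the YAML front matter in the source file is well-formed.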
security Defender Endpoint Plan 1 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/defender-endpoint-plan-1.md
+
+ Title: Overview of Microsoft Defender for Endpoint Plan 1 (preview)
+description: Get an overview of Defender for Endpoint Plan 1. Learn about the features and capabilities included in this endpoint protection subscription.
+search.appverid: MET150
+++
+audience: ITPro
+ Last updated : 08/30/2021
+ms.technology: mde
+localization_priority: Normal
+
+f1.keywords: NOCSH
++
+# Overview of Microsoft Defender for Endpoint Plan 1 (preview)
+
+> [!TIP]
+> If you have Microsoft 365 E3 but not Microsoft 365 E5, visit [https://aka.ms/mdep1trial](https://aka.ms/mdep1trial) to sign up for the preview program!
+
+Microsoft Defender for Endpoint is an enterprise endpoint security platform designed to help organizations like yours to prevent, detect, investigate, and respond to advanced threats. We are pleased to announce that Defender for Endpoint is now available in two plans:
+
+- **Defender for Endpoint Plan 1**, currently in preview, and described in this article; and
+- **[Defender for Endpoint Plan 2](microsoft-defender-endpoint.md)**, generally available, and formerly known as [Defender for Endpoint](microsoft-defender-endpoint.md).
+
+The following image depicts what's included in Defender for Endpoint Plan 1 (preview):
++
+Use this guide to:
+
+- [Get an overview of whatΓÇÖs included in Defender for Endpoint Plan 1 (preview)](#defender-for-endpoint-plan-1-capabilities)
+- [Compare Defender for Endpoint Plan 1 to Plan 2](defender-endpoint-plan-1-2.md)
+- [Learn how to set up and configure Defender for Endpoint Plan 1](mde-p1-setup-configuration.md)
+- [Get started using the Microsoft 365 Defender portal, where you can view incidents and alerts, manage devices, and use reports about detected threats](mde-plan1-getting-started.md)
+- [Get an overview of maintenance and operations](mde-p1-maintenance-operations.md)
+
+> [!TIP]
+> [Learn more about the differences between Defender for Endpoint Plan 1 and Plan 2](defender-endpoint-plan-1-2.md).
+
+## Defender for Endpoint Plan 1 capabilities
+
+Defender for Endpoint Plan 1 (preview) includes the following capabilities:
+
+- **[Next-generation protection](#next-generation-protection)** that includes industry-leading, robust antimalware and antivirus protection
+- **[Manual response actions](#manual-response-actions)**, such as sending a file to quarantine, that your security team can take on devices or files when threats are detected
+- **[Attack surface reduction capabilities](#attack-surface-reduction)** that harden devices, prevent zero-day attacks, and offer granular control over endpoint access and behaviors
+- **[Centralized configuration and management](#centralized-management)** with the Microsoft 365 Defender portal and integration with Microsoft Endpoint Manager
+- **[Protection for a variety of platforms](#cross-platform-support)**, including Windows, macOS, iOS, and Android devices
+
+The following sections provide more details about these capabilities.
+
+> [!IMPORTANT]
+> Some information in this article relates to prereleased products/services that might be substantially modified before they are commercially released. Microsoft makes no warranties, express or implied, for the information provided here. This guide includes links to online content that might describe or depict some features that are not included in Defender for Endpoint Plan 1 (preview).
+
+## Next-generation protection
+
+Next-generation protection includes robust antivirus and antimalware protection. With next-generation protection, you get:
+
+- Behavior-based, heuristic, and real-time antivirus protection
+- Cloud-delivered protection, which includes near-instant detection and blocking of new and emerging threats
+- Dedicated protection and product updates, including updates related to Microsoft Defender Antivirus
+
+To learn more, see [Next-generation protection overview](next-generation-protection.md).
+
+## Manual response actions
+
+Manual response actions are actions that your security team can take when threats are detected on endpoints or in files. Defender for Endpoint includes certain [manual response actions that can be taken on a device](respond-machine-alerts.md) that is detected as potentially compromised or has suspicious content. You can also run [response actions on files](respond-file-alerts.md) that are detected as threats. The following table summarizes the manual response actions that are available in Defender for Endpoint Plan 1. <br/><br/>
+
+| File/Device | Action | Description |
+|:|:|:|
+| Device | Run antivirus scan | Starts an antivirus scan. If any threats are detected on the device, those threats are often addressed during an antivirus scan. |
+| Device | Isolate device | Disconnects a device from your organizationΓÇÖs network while retaining connectivity to Defender for Endpoint. This action enables you to monitor the device and take further action if needed. |
+| File | Stop and quarantine |Stops processes from running and quarantines associated files. |
+| File | Add an indicator to block or allow a file | Block indicators prevent portable executable files from being read, written, or executed on devices. <p>Allow indicators prevent files from being blocked or remediated. |
+
+To learn more, see the following articles:
+
+- [Take response actions on devices](respond-machine-alerts.md)
+- [Take response actions on files](respond-file-alerts.md)
+
+## Attack surface reduction
+
+Your organizationΓÇÖs attack surfaces are all the places where youΓÇÖre vulnerable to cyberattacks. With Defender for Endpoint Plan 1 (preview), you can reduce your attack surfaces by protecting the devices and applications that your organization uses. The attack surface reduction capabilities that are included in Defender for Endpoint Plan 1 (preview) are described in the following sections.
+
+- [Attack surface reduction rules](#attack-surface-reduction-rules)
+- [Ransomware mitigation](#ransomware-mitigation)
+- [Device control](#device-control)
+- [Web protection](#web-protection)
+- [Network protection](#web-protection)
+- [Network firewall](#network-firewall)
+- [Application control](#application-control)
+
+To learn more about attack surface reduction capabilities in Defender for Endpoint, see [Overview of attack surface reduction](overview-attack-surface-reduction.md).
+
+### Attack surface reduction rules
+
+Attack surface reduction rules target certain software behaviors that are considered risky. Such behaviors include:
+
+- Launching executable files and scripts that attempt to download or run other files
+- Running obfuscated or otherwise suspicious scripts
+- Initiating behaviors that apps don't usually initiate during normal work
+
+Legitimate business applications can exhibit such software behaviors; however, these behaviors are often considered risky because they are commonly abused by attackers through malware. Attack surface reduction rules can constrain risky behaviors and help keep your organization safe.
+
+To learn more, see [Use attack surface reduction rules to prevent malware infection](attack-surface-reduction.md).
+
+### Ransomware mitigation
+
+With controlled folder access, you get ransomware mitigation. Controlled folder access allows only trusted apps to access protected folders on your endpoints. Apps are added to the trusted apps list based on their prevalence and reputation. Your security operations team can add or remove apps from the trusted apps list, too.
+
+To learn more, see [Protect important folders with controlled folder access](controlled-folders.md).
+
+### Device control
+
+Sometimes threats to your organizationΓÇÖs devices come in the form of files on removable drives, such as USB drives. Defender for Endpoint includes capabilities to help prevent threats from unauthorized peripherals from compromising your devices. You can configure Defender for Endpoint to block or allow removable devices and files on removable devices.
+
+To learn more, see [Control USB devices and removable media](control-usb-devices-using-intune.md).
+
+### Web protection
+
+With web protection, you can protect your organizationΓÇÖs devices from web threats and unwanted content. Web protection includes web threat protection and web content filtering.
+
+- [Web threat protection](web-threat-protection.md) prevents access to phishing sites, malware vectors, exploit sites, untrusted or low-reputation sites, and sites that you explicitly block.
+- [Web content filtering](web-content-filtering.md) (preview) prevents access to certain sites based on their category. Categories can include adult content, leisure sites, legal liability sites, and more.
+
+To learn more, see [web protection](web-protection-overview.md).
+
+### Network protection
+
+With network protection, you can prevent your organization from accessing dangerous domains that might host phishing scams, exploits, and other malicious content on the Internet.
+
+To learn more, see [Protect your network](network-protection.md).
+
+### Network firewall
+
+With network firewall protection, you can set rules that determine which network traffic is permitted to flow to or from your organizationΓÇÖs devices. With your network firewall and advanced security that you get with Defender for Endpoint, you can:
+
+- Reduce the risk of network security threats
+- Safeguard sensitive data and intellectual property
+- Extend your security investment
+
+To learn more, see [Windows Defender Firewall with advanced security](/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security).
+
+### Application control
+
+Application control protects your Windows endpoints by running only trusted applications and code in the system core (kernel). Your security team can define application control rules that consider an application's attributes, such as its codesigning certificates, reputation, launching process, and more. Application control is available in Windows 10 or later.
+
+To learn more, see [Application control for Windows](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control).
+
+## Centralized management
+
+Defender for Endpoint Plan 1 (preview) includes the Microsoft 365 Defender portal, which enables your security team to view current information about detected threats, take appropriate actions to mitigate threats, and centrally manage your organization's threat protection settings.
+
+To learn more, see [Microsoft 365 Defender portal overview](portal-overview.md).
+
+### Role-based access control
+
+Using role-based access control (RBAC), your security administrator can create roles and groups to grant appropriate access to the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)). With RBAC, you have fine-grained control over who can access the security center, and what they can see and do.
+
+To learn more, see [Manage portal access using role-based access control](rbac.md).
+
+### Reporting
+
+The Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) provides easy access to information about detected threats and actions to address those threats.
+
+- The **Home** page includes cards to show at a glance which users or devices are at risk, how many threats were detected, and what alerts/incidents were created.
+- The **Incidents & alerts** section lists any incidents that were created as a result of triggered alerts. Alerts and incidents are generated as threats are detected across devices.
+- The **Action center** lists remediation actions that were taken. For example, if a file is sent to quarantine, or a URL is blocked, each action is listed in the Action center on the **History** tab.
+- The **Reports** section includes reports that show threats detected and their status.
+
+To learn more, see [Get started with Microsoft Defender for Endpoint Plan 1 (preview)](mde-plan1-getting-started.md).
+
+### APIs
+
+With the Defender for Endpoint APIs, you can automate workflows and integrate with your organizationΓÇÖs custom solutions.
+
+To learn more, see [Defender for Endpoint APIs](management-apis.md).
+
+## Cross-platform support
+
+Most organizations use various devices and operating systems. Currently, Defender for Endpoint Plan 1 (preview) supports the following operating systems:
+
+- Windows 10, version 1709, or later
+- macOS: 11.5 (Big Sur), 10.15.7 (Catalina), or 10.14.6 (Mojave)
+- iOS
+- Android OS
+
+## Next steps
+
+- [Compare Microsoft Defender for Endpoint Plan 1 (preview) to Plan 2](defender-endpoint-plan-1-2.md)
+- [Set up and configure Defender for Endpoint Plan 1 (preview)](mde-p1-setup-configuration.md)
+- [Get started with Defender for Endpoint Plan 1 (preview)](mde-plan1-getting-started.md)
+- [Manage Defender for Endpoint Plan 1 (preview)](mde-p1-maintenance-operations.md)
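Review bot: the list under "Cross-platform support" pins macOS to three exact point releases (11.5, 10.15.7, 10.14.6) and Windows to "version 1709, or later", but gives no minimum version at all for iOS or Android, so a reader cannot tell whether a given phone is in scope; state a minimum for each platform, or point each entry at its prerequisites page. Also, the role-based access control paragraph switches from "Microsoft 365 Defender portal" to "the security center" within two sentences; the rest of the file uses the portal name, so use it here as well.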
security Deployment Vdi Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/deployment-vdi-microsoft-defender-antivirus.md
Previously updated : 06/11/2021 Last updated : 08/31/2021 ms.technology: mde
ms.technology: mde
In addition to standard on-premises or hardware configurations, you can also use Microsoft Defender Antivirus in a remote desktop (RDS) or virtual desktop infrastructure (VDI) environment.
-See [Windows Virtual Desktop Documentation](/azure/virtual-desktop) for more details on Microsoft Remote Desktop Services and VDI support.
+See [Azure Virtual Desktop Documentation](/azure/virtual-desktop) for more details on Microsoft Remote Desktop Services and VDI support.
For Azure-based virtual machines, see [Install Endpoint Protection in Azure Defender](/azure/security-center/security-center-install-endpoint-protection).
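Review bot: the link text now says Azure Virtual Desktop, but the rest of the sentence still presents that link as the source "for more details on Microsoft Remote Desktop Services and VDI support"; the Azure Virtual Desktop documentation covers Azure-hosted desktops rather than on-premises Remote Desktop Services, so reword the sentence to match the renamed target (for example, "for more details on Azure Virtual Desktop") rather than only swapping the product name.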
security Device Control Removable Storage Access Control https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/device-control-removable-storage-access-control.md
Microsoft Defender for Endpoint Device Control Removable Storage Access Control
- auditing, allowing or preventing the read, write or execute access to removable storage with or without exclusion
-<br>
-
-****
+<br><br/>
|Privilege|Permission| |||
You can use the following properties to create a removable storage group:
### Removable Storage Group
-<br>
-
-****
+<br/><br/>
|Property Name|Description|Options| |||| |**GroupId**|[GUID](https://en.wikipedia.org/wiki/Universally_unique_identifier), a unique ID, represents the group and will be used in the policy.||
-|**DescriptorIdList**|List the device properties you want to use to cover in the group. For each device property, see [Device Properties](device-control-removable-storage-protection.md) for more detail.ΓÇï|<ul><li>**PrimaryId**ΓÇï: RemovableMediaDevices, CdRomDevices, WpdDevices</li><li>**DeviceIdΓÇï**</li><li>**HardwareIdΓÇï**</li><li>**InstancePathId**ΓÇï: InstancePathId is a string that uniquely identifies the device in the system, for example, `USBSTOR\DISK&VEN_GENERIC&PROD_FLASH_DISK&REV_8.07\8735B611&0`. The number at the end (for example &0) represents the available slot and may change from device to device. For best results, use a wildcard at the end. For example, `USBSTOR\DISK&VEN_GENERIC&PROD_FLASH_DISK&REV_8.07\8735B611*`.</li><li>**FriendlyNameIdΓÇï**</li><li>**SerialNumberIdΓÇï**</li><li>**VIDΓÇï**</li><li>**PIDΓÇï**</li><li>**VID_PID**<ul><li>0751_55E0: match this exact VID/PID pair</li><li>55E0: match any media with PID=55E0 </li><li>0751: match any media with VID=0751</li></ul></li></ul>|
-|**MatchType**|When there are multiple device properties being used in the DescriptorIDList, MatchType defines the relationship.|**MatchAll**: ΓÇïAny attributes under the DescriptorIdList will be **And** relationship; for example, if administrator puts DeviceID and InstancePathID, for every connected USB, system will check to see whether the USB meets both values. <p> **MatchAny**: ΓÇïThe attributes under the DescriptorIdList will be **Or** relationship; for example, if administrator puts DeviceID and InstancePathID, for every connected USB, system will do the enforcement as long as the USB has either an identical **DeviceID** or **InstanceID** value.ΓÇï|
-||||
+|**DescriptorIdList**|List the device properties you want to use to cover in the group. For each device property, see [Device Properties](device-control-removable-storage-protection.md) for more detail. |<ul><li>**PrimaryId**: RemovableMediaDevices, CdRomDevices, WpdDevices</li><li>**DeviceId**</li><li>**HardwareId**</li><li>**InstancePathId**: InstancePathId is a string that uniquely identifies the device in the system, for example, `USBSTOR\DISK&VEN_GENERIC&PROD_FLASH_DISK&REV_8.07\8735B611&0`. The number at the end (for example &0) represents the available slot and may change from device to device. For best results, use a wildcard at the end. For example, `USBSTOR\DISK&VEN_GENERIC&PROD_FLASH_DISK&REV_8.07\8735B611*`.</li><li>**FriendlyNameIdΓÇï**</li><li>**SerialNumberIdΓÇï**</li><li>**VID**</li><li>**PID**</li><li>**VID_PID**<ul><li>0751_55E0: match this exact VID/PID pair</li><li>55E0: match any media with PID=55E0 </li><li>0751: match any media with VID=0751</li></ul></li></ul>|
+|**MatchType**|When there are multiple device properties being used in the DescriptorIDList, MatchType defines the relationship.|**MatchAll**: Any attributes under the DescriptorIdList will be **And** relationship; for example, if administrator puts DeviceID and InstancePathID, for every connected USB, system will check to see whether the USB meets both values. <p> **MatchAny**: The attributes under the DescriptorIdList will be **Or** relationship; for example, if administrator puts DeviceID and InstancePathID, for every connected USB, system will do the enforcement as long as the USB has either an identical **DeviceID** or **InstanceID** value. |
### Access Control Policy
-<br>
-
-****
+<br/><br/>
|Property Name|Description|Options| ||||
-|PolicyRuleIdΓÇï|[GUID](https://en.wikipedia.org/wiki/Universally_unique_identifier), a unique ID, represents the policy and will be used in the reporting and troubleshooting.||
-|IncludedIdList|The group(s) that the policy will be applied to. If multiple groups are added, the policy will be applied to any media in all those groups.|The Group ID/GUID must be used at this instance. <p> ΓÇïThe following example shows the usage of GroupID: <p> `<IncludedIdList> <GroupId> {EAA4CCE5-F6C9-4760-8BAD-FDCC76A2ACA1}</GroupId> </IncludedIdList>ΓÇï`|
+|PolicyRuleId |[GUID](https://en.wikipedia.org/wiki/Universally_unique_identifier), a unique ID, represents the policy and will be used in the reporting and troubleshooting.||
+|IncludedIdList|The group(s) that the policy will be applied to. If multiple groups are added, the policy will be applied to any media in all those groups.|The Group ID/GUID must be used at this instance. <p> The following example shows the usage of GroupID: <p> `<IncludedIdList> <GroupId> {EAA4CCE5-F6C9-4760-8BAD-FDCC76A2ACA1}</GroupId> </IncludedIdList>`|
|ExcludedIDList|The group(s) that the policy will not be applied to.|The Group ID/GUID must be used at this instance.|
-|Entry Id|One PolicyRule can have multiple entries; each entry with a unique GUID tells Device Control one restriction.ΓÇï||
-|Type|Defines the action for the removable storage groups in IncludedIDList. <ul><li>Enforcement: Allow or DenyΓÇï</li><li>Audit: AuditAllowed or AuditDenied</ul></li>ΓÇï|<ul><li>Allow</li><li>DenyΓÇï</li><li>AuditAllowed: Defines notification and event when access is allowedΓÇï</li><li>AuditDenied: Defines notification and event when access is denied; has to work together with **Deny** entry.</li></ul> <p> When there are conflict types for the same media, the system will apply the first one in the policy. An example of a conflict type is **Allow** and **Deny**.ΓÇï|
-|Sid|Local computer Sid or the Sid of the AD object, defines whether to apply this policy over a specific user or user group; one entry can have a maximum of one Sid and an entry without any Sid means applying the policy over the machine.ΓÇï||
-|ComputerSid|Local computer Sid or the Sid of the AD object, defines whether to apply this policy over a specific machine or machine group; one entry can have a maximum of one ComputerSid and an entry without any ComputerSid means applying the policy over the machine. If you want to apply an Entry to a specific user and specific machine, add both Sid and ComputerSid into the same Entry.ΓÇï||
-|Options|Defines whether to display notification or notΓÇï|**0-4**: When Type Allow or Deny is selected. <ul><li>0: nothing</li><li>4: disable **AuditAllowed** and **AuditDenied** for this Entry. Even if **Block** happens and the AuditDenied is setting configured, the system will not show notification.ΓÇï</li></ul> <p> When Type **AuditAllowed** or **AuditDenied** is selected: <ul><li>0: nothingΓÇï</li><li>1: show notificationΓÇï</li><li>2: send event</li><li>3: show notification and send eventΓÇï</li></ul>|
-|AccessMask|Defines the access.ΓÇï|**1-7**: <ol><li>ReadΓÇï</li><li>WriteΓÇï</li><li>Read and WriteΓÇï</li><li>ExecuteΓÇï</li><li>Read and Execute</li><li>Write and ExecuteΓÇï</li><li>Read and Write and Execute</li></ol>ΓÇï|
-||||
+|Entry Id|One PolicyRule can have multiple entries; each entry with a unique GUID tells Device Control one restriction.||
+|Type|Defines the action for the removable storage groups in IncludedIDList. <ul><li>Enforcement: Allow or Deny </li><li>Audit: AuditAllowed or AuditDenied</ul></li> | <ul><li>Allow</li><li>Deny </li><li>AuditAllowed: Defines notification and event when access is allowedΓÇï</li><li>AuditDenied: Defines notification and event when access is denied; has to work together with **Deny** entry.</li></ul> <p> When there are conflict types for the same media, the system will apply the first one in the policy. An example of a conflict type is **Allow** and **Deny**. |
+|Sid|Local computer Sid or the Sid of the AD object, defines whether to apply this policy over a specific user or user group; one entry can have a maximum of one Sid and an entry without any Sid means applying the policy over the machine. ||
+|ComputerSid|Local computer Sid or the Sid of the AD object, defines whether to apply this policy over a specific machine or machine group; one entry can have a maximum of one ComputerSid and an entry without any ComputerSid means applying the policy over the machine. If you want to apply an Entry to a specific user and specific machine, add both Sid and ComputerSid into the same Entry. ||
+|Options|Defines whether to display notification or not |**0-4**: When Type Allow or Deny is selected. <ul><li>0: nothing</li><li>4: disable **AuditAllowed** and **AuditDenied** for this Entry. Even if **Block** happens and the AuditDenied is setting configured, the system will not show notification. </li></ul> <p> When Type **AuditAllowed** or **AuditDenied** is selected: <ul><li>0: nothingΓÇï</li><li>1: show notificationΓÇï</li><li>2: send event</li><li>3: show notification and send event </li></ul>|
+|AccessMask|Defines the access. |**1-7**: <ol><li>ReadΓÇï</li><li>WriteΓÇï</li><li>Read and WriteΓÇï</li><li>ExecuteΓÇï</li><li>Read and Execute</li><li>Write and Execute </li><li>Read and Write and Execute</li></ol> |
## Common Removable Storage Access Control scenarios
The most common reason is there's no required [antimalware client version](/micr
Another reason could be that the XML file isn't correctly formatted, for example, not using the correct markdown formatting for the "&" character in the XML file, or the text editor might add a byte order mark (BOM) 0xEF 0xBB 0xBF at the beginning of the files, which causes the XML parsing not to work. One simple solution is to download the [sample file](https://github.com/microsoft/mdatp-devicecontrol/tree/main/Removable%20Storage%20Access%20Control%20Samples) (select **Raw** and then **Save as**) and then update.
+If you are deploying and managing the policy via Group Policy, please make sure combine all PolicyRule into one XML file within a parant node called PolicyRules and all Group into one XML file within a parant node called Groups; if you manage through Intune, keep one PolicyRule one XML file, same thing, one Group one XML file.
+ ### There is no configuration UX for 'Define device control policy groups' and 'Define device control policy rules' on my Group Policy We don't backport the Group Policy configuration UX, but you can still get the related adml and admx files by clicking 'Raw' and 'Save as' at the [WindowsDefender.adml](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/WindowsDefender.adml) and [WindowsDefender.admx](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/WindowsDefender.admx) files.
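Review bot: the ComputerSid row reuses the Sid row's closing clause, "an entry without any ComputerSid means applying the policy over the machine", which cannot be what is meant for a property whose purpose is to scope an entry to a specific machine; say that an entry with no ComputerSid applies to every machine the policy reaches (and, for symmetry, that an entry with no Sid applies to every user). Two smaller points in the same table: the Options row announces the range "0-4" for Allow and Deny entries but documents only 0 and 4, so either describe 1 to 3 or state that they are unused; and the AccessMask list is a bitmask (Read = 1, Write = 2, Execute = 4, combined by addition), which the numbering implies but never says, and which is the only reason 3, 5, 6 and 7 mean what they do. In the new Group Policy paragraph, "parant" should be "parent" (twice) and "please make sure combine all PolicyRule into one XML file" should read "combine all PolicyRule elements into one XML file"; the troubleshooting sentence just above it should also say XML escaping (`&amp;`) for the "&" character rather than "markdown formatting", since the file being parsed is XML.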
security Edr In Block Mode https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/edr-in-block-mode.md
localization_priority: Normal
- next-gen - edr Previously updated : 08/05/2021 Last updated : 08/31/2021 - m365-security-compliance - m365initiative-defender-endpoint
ms.technology: mde
# Endpoint detection and response (EDR) in block mode - **Applies to:** - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
ms.technology: mde
## What is EDR in block mode?
-[Endpoint detection and response](overview-endpoint-detection-response.md) (EDR) in block mode provides added protection from malicious artifacts when Microsoft Defender Antivirus is not the primary antivirus product and is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that were detected by EDR capabilities. Such artifacts might have been missed by the primary, non-Microsoft antivirus product.
+[Endpoint detection and response](overview-endpoint-detection-response.md) (EDR) in block mode provides added protection from malicious artifacts when Microsoft Defender Antivirus is not the primary antivirus product and is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that were detected by EDR capabilities. Such artifacts might have been missed by the primary, non-Microsoft antivirus product. For devices running Microsoft Defender Antivirus as their primary antivirus, EDR in block mode provides an extra layer of defense by allowing Microsoft Defender Antivirus to take automatic actions on post-breach, behavioral EDR detections.
> [!IMPORTANT] > EDR in block mode does not provide all the protection that is available when Microsoft Defender Antivirus real-time protection is enabled. All features that depend on Microsoft Defender Antivirus to be the active antivirus solution will not work, including the following key examples:
The following image shows an instance of unwanted software that was detected and
The primary purpose of EDR in block mode is to remediate post-breach detections that were missed by a non-Microsoft antivirus product. However, we recommend keeping EDR in block mode turned on, whether Microsoft Defender Antivirus is running in passive mode or in active mode. - When Microsoft Defender Antivirus is in passive mode, EDR in block mode provides another layer of defense together with Microsoft Defender for Endpoint.-- When Microsoft Defender Antivirus is in active mode, EDR in block mode does not provide extra scanning, but it does allow Defender for Endpoint to take automatic actions on post-breach, behavioral EDR detections.
+- When Microsoft Defender Antivirus is in active mode, EDR in block mode does not provide extra scanning, but it does allow Microsoft Defender Antivirus to take automatic actions on post-breach, behavioral EDR detections.
### Will EDR in block mode affect a user's antivirus protection?
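Review bot: the sentence appended to the opening paragraph ("For devices running Microsoft Defender Antivirus as their primary antivirus, EDR in block mode provides an extra layer of defense by allowing Microsoft Defender Antivirus to take automatic actions on post-breach, behavioral EDR detections") restates the second bullet under the recommendation almost word for word; keep the detail in one place, and if it stays in the intro, carry over the bullet's qualifier that block mode "does not provide extra scanning" in active mode, which the intro sentence omits and which is the part readers are most likely to misunderstand.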
security Gov https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/gov.md
These are the known gaps:
|Feature name|GCC|GCC High|DoD| ||::|::|::|
-|Network discovery|![No](images/svg/check-no.svg) Rolling out|![No](images/svg/check-no.svg) In development|![No](images/svg/check-no.svg) In development|
+|Network discovery|![Yes](images/svg/check-yes.svg)|![No](images/svg/check-no.svg) In development|![No](images/svg/check-no.svg) In development|
|Web content filtering|![No](images/svg/check-no.svg) In development|![No](images/svg/check-no.svg) In development|![No](images/svg/check-no.svg) In development| |Integrations: Azure Sentinel|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg) Alerts <p> ![Yes](images/svg/check-yes.svg) Incidents & Raw data: In private preview|![Yes](images/svg/check-yes.svg) Alerts <p> ![Yes](images/svg/check-yes.svg) Incidents & Raw data: In private preview|
-|Integrations: Microsoft Cloud App Security|![Yes](images/svg/check-yes.svg)|![No](images/svg/check-no.svg) Rolling out|![No](images/svg/check-no.svg) Rolling out|
+|Integrations: Microsoft Cloud App Security|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)|
|Integrations: Microsoft Defender for Identity|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)| |Integrations: Microsoft Endpoint DLP|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)|![No](images/svg/check-no.svg) Rolling out| |Integrations: Microsoft Power Automate & Azure Logic Apps|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg) Azure Logic Apps <p> ![No](images/svg/check-no.svg) Power Automate: In development|
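Review bot: the two cells changed here become a plain check-yes, but the Azure Sentinel row in the same table still marks "Incidents & Raw data: In private preview" with a check-yes icon for GCC High and DoD, while every other not-yet-generally-available item in the table ("Rolling out", "In development") uses check-no; settle on one convention for preview features so the icons can be read at a glance without the annotation.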
security Linux Install Manually https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-install-manually.md
In order to preview new features and provide early feedback, it is recommended t
```Output deb [arch=arm64,armhf,amd64] https://packages.microsoft.com/config/ubuntu/18.04/prod insiders-fast main
- deb [arch=amd64] https://packages.microsoft.com/cofig/ubuntu/18.04/prod bionic main
+ deb [arch=amd64] https://packages.microsoft.com/config/ubuntu/18.04/prod bionic main
``` ```bash
security Manage Atp Post Migration Configuration Manager https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-atp-post-migration-configuration-manager.md
localization_priority: Normal audience: ITPro-+ - M365-security-compliance - m365solution-scenario
# Manage Microsoft Defender for Endpoint with Configuration Manager - **Applies to:** - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink)
-We recommend using We recommend using [Microsoft Endpoint Manager](/mem), which includes [Microsoft Intune](/mem/intune/fundamentals/what-is-intune) (Intune) and [Microsoft Endpoint Configuration Manager](/mem/configmgr/core/understand/introduction) (Configuration Manager) to manage your organization's threat protection features for devices (also referred to as endpoints).
+We recommend using We recommend using [Microsoft Endpoint Manager](/mem), which includes [Microsoft Intune](/mem/intune/fundamentals/what-is-intune) (Intune) and [Microsoft Endpoint Configuration Manager](/mem/configmgr/core/understand/introduction) (Configuration Manager) to manage your organization's threat protection features for devices (also referred to as endpoints).
+ - [Learn more about Endpoint Manager](/mem/endpoint-manager-overview) - [Co-manage Microsoft Defender for Endpoint on Windows 10 devices with Configuration Manager and Intune](manage-atp-post-migration-intune.md) ## Configure Microsoft Defender for Endpoint with Configuration Manager
-|Task |Resources to learn more |
-|||
-|**Install the Configuration Manager console** if you don't already have it<br/><br/>*If you don't already have the Configuration Manger console, use these resources to get the bits and install it.* |[Get the installation media](/mem/configmgr/core/servers/deploy/install/get-install-media)<br/><br/>[Install the Configuration Manager console](/mem/configmgr/core/servers/deploy/install/install-consoles) |
-|**Use Configuration Manager to onboard devices** to Microsoft Defender for Endpoint <br/><br/> *If you have devices (or endpoints) not already onboarded to Microsoft Defender for Endpoint, you can do that with Configuration Manager.* |[Onboard to Microsoft Defender for Endpoint with Configuration Manager](/mem/configmgr/protect/deploy-use/defender-advanced-threat-protection#about-onboarding-to-atp-with-configuration-manager) |
-|**Manage antimalware policies and Windows Firewall security** for client computers (endpoints)<br/><br/>*Configure endpoint protection features, including Microsoft Defender for Endpoint, exploit protection, application control, antimalware, firewall settings, and more.* |[Configuration
-|**Choose methods for updating antimalware updates** on your organization's devices <br/><br/>*With Endpoint Protection in Configuration Manager, you can choose from several methods to keep antimalware definitions up to date on your organization's devices.* |[Configure definition updates for Endpoint Protection](/mem/configmgr/protect/deploy-use/endpoint-definition-updates) <br/><br/>[Use Configuration Manager to deliver definition updates](/mem/configmgr/protect/deploy-use/endpoint-definitions-configmgr) |
-|**Enable Network Protection** to help prevent employees from using apps that malicious content on the Internet <br/><br/>*We recommend using [audit mode](/microsoft-365/security/defender-endpoint/evaluate-network-protection) at first for network protection in a test environment to see which apps would be blocked before rolling out.* |[Turn on network protection with Configuration Manager](/microsoft-365/security/defender-endpoint/enable-network-protection#microsoft-endpoint-configuration-manager) |
-|**Configure controlled folder access** to protect against ransomware <br/><br/>*Controlled folder access is also referred to as antiransomware protection.* |[Endpoint protection: Controlled folder access](/mem/intune/protect/endpoint-protection-windows-10#controlled-folder-access) <br/><br/>[Enable controlled folder access in Microsoft Endpoint Configuration Manage](/microsoft-365/security/defender-endpoint/enable-controlled-folders#microsoft-endpoint-configuration-manager) |
+<br/><br/>
+
+|Task|Resources to learn more|
+|||
+|**Install the Configuration Manager console** if you don't already have it <p> *If you don't already have the Configuration Manger console, use these resources to get the bits and install it.*|[Get the installation media](/mem/configmgr/core/servers/deploy/install/get-install-media) <p> [Install the Configuration Manager console](/mem/configmgr/core/servers/deploy/install/install-consoles)|
+|**Use Configuration Manager to onboard devices** to Microsoft Defender for Endpoint <p> *If you have devices (or endpoints) not already onboarded to Microsoft Defender for Endpoint, you can do that with Configuration Manager.*|[Onboard to Microsoft Defender for Endpoint with Configuration Manager](/mem/configmgr/protect/deploy-use/defender-advanced-threat-protection#about-onboarding-to-atp-with-configuration-manager)|
+|**Manage antimalware policies and Windows Firewall security** for client computers (endpoints) <p> *Configure endpoint protection features, including Microsoft Defender for Endpoint, exploit protection, application control, antimalware, firewall settings, and more.*|[Configuration
+|**Choose methods for updating antimalware updates** on your organization's devices <p> *With Endpoint Protection in Configuration Manager, you can choose from several methods to keep antimalware definitions up to date on your organization's devices.*|[Configure definition updates for Endpoint Protection](/mem/configmgr/protect/deploy-use/endpoint-definition-updates) <p> [Use Configuration Manager to deliver definition updates](/mem/configmgr/protect/deploy-use/endpoint-definitions-configmgr)|
+|**Enable Network Protection** to help prevent employees from using apps that malicious content on the Internet <p> *We recommend using [audit mode](/microsoft-365/security/defender-endpoint/evaluate-network-protection) at first for network protection in a test environment to see which apps would be blocked before rolling out.*|[Turn on network protection with Configuration Manager](/microsoft-365/security/defender-endpoint/enable-network-protection#microsoft-endpoint-configuration-manager)|
+|**Configure controlled folder access** to protect against ransomware <p> *Controlled folder access is also referred to as antiransomware protection.*|[Endpoint protection: Controlled folder access](/mem/intune/protect/endpoint-protection-windows-10#controlled-folder-access) <p> [Enable controlled folder access in Microsoft Endpoint Configuration Manage](/microsoft-365/security/defender-endpoint/enable-controlled-folders#microsoft-endpoint-configuration-manager)|
+|||
## Configure your Microsoft 365 Defender portal If you haven't already done so, configure your Microsoft 365 Defender portal to view alerts, configure threat protection features, and view detailed information about your organization's overall security posture. See [Microsoft 365 Defender portal](microsoft-defender-security-center.md). You can also configure whether and what features end users can see in the Microsoft 365 Defender portal. - [Overview of Microsoft 365 Defender](/microsoft-365/security/defender-endpoint/use)- - [Endpoint protection: Microsoft 365 Defender](/mem/intune/protect/endpoint-protection-windows-10#microsoft-defender-security-center) ## Next steps - [Get an overview of threat and vulnerability management](/microsoft-365/security/defender-endpoint/next-gen-threat-and-vuln-mgt)- - [Visit the Microsoft 365 Defender portal security operations dashboard](/microsoft-365/security/defender-endpoint/security-operations-dashboard)- - [Manage Microsoft Defender for Endpoint with Intune](manage-atp-post-migration-intune.md)
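Review bot: the rewritten intro line still contains the doubled phrase "We recommend using We recommend using", which the removed line had as well; drop the repeat. In the table, the Network Protection row reads "apps that malicious content on the Internet" (a verb is missing, e.g. "apps that access malicious content"), the controlled folder access link text reads "Microsoft Endpoint Configuration Manage" (missing the final "r"), and the definition-update row reads "methods for updating antimalware updates", which "methods for delivering antimalware updates" says without the repetition.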
security Manage Atp Post Migration Group Policy Objects https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-atp-post-migration-group-policy-objects.md
localization_priority: Normal audience: ITPro-+ - M365-security-compliance - m365solution-scenario
> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink) - > [!NOTE]
-> We recommend using [Microsoft Endpoint Manager](/mem) to manage your organization's threat protection features for devices (also referred to as endpoints). Endpoint Manager includes [Microsoft Intune](/mem/intune/fundamentals/what-is-intune) and [Microsoft Endpoint Configuration Manager](/mem/configmgr/core/understand/introduction). **[Learn more about Endpoint Manager](/mem/endpoint-manager-overview)**.
+> We recommend using [Microsoft Endpoint Manager](/mem) to manage your organization's threat protection features for devices (also referred to as endpoints). Endpoint Manager includes [Microsoft Intune](/mem/intune/fundamentals/what-is-intune) and [Microsoft Endpoint Configuration Manager](/mem/configmgr/core/understand/introduction). **[Learn more about Endpoint Manager](/mem/endpoint-manager-overview)**.
You can use Group Policy Objects in Azure Active Directory Domain Services to manage some settings in Microsoft Defender for Endpoint.
You can use Group Policy Objects in Azure Active Directory Domain Services to ma
The following table lists various tasks you can perform to configure Microsoft Defender for Endpoint with Group Policy Objects.
-|Task |Resources to learn more |
-|||
-|**Manage settings for user and computer objects** <br/><br/>*Customize built-in Group Policy Objects, or create custom Group Policy Objects and organizational units to suit your organizational needs.* |[Administer Group Policy in an Azure Active Directory Domain Services managed domain](/azure/active-directory-domain-services/manage-group-policy) |
-|**Configure Microsoft Defender Antivirus** <br/><br/>*Configure antivirus features & capabilities, including policy settings, exclusions, remediation, and scheduled scans on your organization's devices (also referred to as endpoints).* |[Use Group Policy settings to configure and manage Microsoft Defender Antivirus](/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus) <br/><br/>[Use Group Policy to enable cloud-delivered protection](/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus#use-group-policy-to-enable-cloud-delivered-protection) |
-|**Manage your organization's attack surface reduction rules** <br/><br/>*Customize your attack surface reduction rules by excluding files & folders, or by adding custom text to notification alerts that appear on users' devices.* |[Customize attack surface reduction rules with Group Policy Objects](/microsoft-365/security/defender-endpoint/customize-attack-surface-reduction#use-group-policy-to-exclude-files-and-folders) |
-|**Manage exploit protection settings**<br/><br/>*You can customize your exploit protection settings, import a configuration file, and then use Group Policy to deploy that configuration file.* |[Customize exploit protection settings](/microsoft-365/security/defender-endpoint/customize-exploit-protection) <br/><br/>[Import, export, and deploy exploit protection configurations](/microsoft-365/security/defender-endpoint/import-export-exploit-protection-emet-xml)<br/><br/>[Use Group Policy to distribute the configuration](/microsoft-365/security/defender-endpoint/import-export-exploit-protection-emet-xml#use-group-policy-to-distribute-the-configuration) |
-|**Enable Network Protection** to help prevent employees from using apps that malicious content on the Internet <br/><br/>*We recommend using [audit mode](/microsoft-365/security/defender-endpoint/evaluate-network-protection) at first for network protection in a test environment to see which apps would be blocked before rolling out.* |[Turn on network protection using Group Policy](/microsoft-365/security/defender-endpoint/enable-network-protection#group-policy) |
-|**Configure controlled folder access** to protect against ransomware <br/><br/>*[Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders) is also referred to as antiransomware protection.* |[Enable controlled folder access using Group Policy](/microsoft-365/security/defender-endpoint/enable-controlled-folders#group-policy) |
-|**Configure Microsoft Defender SmartScreen** to protect against malicious sites and files on the internet. |[Configure Microsoft Defender SmartScreen Group Policy and mobile device management (MDM) settings using Group Policy](/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings#group-policy-settings) |
-|**Configure encryption and BitLocker** to protect information on your organization's devices running Windows |[BitLocker Group Policy settings](/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings) |
-|**Configure Microsoft Defender Credential Guard** to protect against credential theft attacks |[Enable Windows Defender Credential Guard by using Group Policy](/windows/security/identity-protection/credential-guard/credential-guard-manage#enable-windows-defender-credential-guard-by-using-group-policy) |
+<br>
+
+****
+
+|Task|Resources to learn more|
+|||
+|**Manage settings for user and computer objects** <p> *Customize built-in Group Policy Objects, or create custom Group Policy Objects and organizational units to suit your organizational needs.*|[Administer Group Policy in an Azure Active Directory Domain Services managed domain](/azure/active-directory-domain-services/manage-group-policy)|
+|**Configure Microsoft Defender Antivirus** <p> *Configure antivirus features & capabilities, including policy settings, exclusions, remediation, and scheduled scans on your organization's devices (also referred to as endpoints).*|[Use Group Policy settings to configure and manage Microsoft Defender Antivirus](/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus) <p> [Use Group Policy to enable cloud-delivered protection](/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus#use-group-policy-to-enable-cloud-delivered-protection)|
+|**Manage your organization's attack surface reduction rules** <p> *Customize your attack surface reduction rules by excluding files & folders, or by adding custom text to notification alerts that appear on users' devices.*|[Customize attack surface reduction rules with Group Policy Objects](/microsoft-365/security/defender-endpoint/customize-attack-surface-reduction#use-group-policy-to-exclude-files-and-folders)|
+|**Manage exploit protection settings** <p> *You can customize your exploit protection settings, import a configuration file, and then use Group Policy to deploy that configuration file.*|[Customize exploit protection settings](/microsoft-365/security/defender-endpoint/customize-exploit-protection) <p> [Import, export, and deploy exploit protection configurations](/microsoft-365/security/defender-endpoint/import-export-exploit-protection-emet-xml) <p> [Use Group Policy to distribute the configuration](/microsoft-365/security/defender-endpoint/import-export-exploit-protection-emet-xml#use-group-policy-to-distribute-the-configuration)|
+|**Enable Network Protection** to help prevent employees from using apps that malicious content on the Internet <p> *We recommend using [audit mode](/microsoft-365/security/defender-endpoint/evaluate-network-protection) at first for network protection in a test environment to see which apps would be blocked before rolling out.*|[Turn on network protection using Group Policy](/microsoft-365/security/defender-endpoint/enable-network-protection#group-policy)|
+|**Configure controlled folder access** to protect against ransomware <p> *[Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders) is also referred to as antiransomware protection.*|[Enable controlled folder access using Group Policy](/microsoft-365/security/defender-endpoint/enable-controlled-folders#group-policy)|
+|**Configure Microsoft Defender SmartScreen** to protect against malicious sites and files on the internet.|[Configure Microsoft Defender SmartScreen Group Policy and mobile device management (MDM) settings using Group Policy](/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings#group-policy-settings)|
+|**Configure encryption and BitLocker** to protect information on your organization's devices running Windows|[BitLocker Group Policy settings](/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings)|
+|**Configure Microsoft Defender Credential Guard** to protect against credential theft attacks|[Enable Windows Defender Credential Guard by using Group Policy](/windows/security/identity-protection/credential-guard/credential-guard-manage#enable-windows-defender-credential-guard-by-using-group-policy)|
+|||
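Review bot: the rewritten Network Protection row still carries the ungrammatical task text "apps that malicious content on the Internet", which is missing its verb; since every row is being rewritten in this hunk anyway, complete that sentence. Also, the table is closed with a bare `|||` row, which Markdown renders as an extra empty row; drop it, or confirm the docs build treats it as an end-of-table marker.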
## Configure your Microsoft 365 Defender portal

If you haven't already done so, configure your Microsoft 365 Defender portal to view alerts, configure threat protection features, and view detailed information about your organization's overall security posture. See [Microsoft 365 Defender](microsoft-defender-security-center.md). You can also configure whether and what features end users can see in the Microsoft 365 Defender portal.

- [Overview of Microsoft 365 Defender](/microsoft-365/security/defender-endpoint/use)
- [Endpoint protection: Microsoft 365 Defender](/mem/intune/protect/endpoint-protection-windows-10#microsoft-defender-security-center)

## Next steps

- [Get an overview of threat and vulnerability management](/microsoft-365/security/defender-endpoint/next-gen-threat-and-vuln-mgt)
- [Visit the Microsoft 365 Defender portal security operations dashboard](/microsoft-365/security/defender-endpoint/security-operations-dashboard)
- [Manage Microsoft Defender for Endpoint with Intune](manage-atp-post-migration-intune.md)
security Manage Atp Post Migration Intune https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-atp-post-migration-intune.md
This article describes how to find your Microsoft Defender for Endpoint settings
4. Select an existing profile, or create a new one.

> [!TIP]
-> Need help? See **[Using Microsoft Defender for Endpoint with Intune](/mem/intune/protect/advanced-threat-protection#example-of-using-microsoft-defender-atp-with-intune)**.
+> Need help? See **[Using Microsoft Defender for Endpoint with Intune](/mem/intune/protect/advanced-threat-protection#example-of-using-microsoft-defender-atp-with-intune)**.
## Configure Microsoft Defender for Endpoint with Intune

The following table lists various tasks you can perform to configure Microsoft Defender for Endpoint with Intune. You don't have to configure everything all at once; choose a task, read the corresponding resources, and then proceed.
-|Task |Resources to learn more |
-|||
-|**Manage your organization's devices using Intune** to protect those devices and data stored on them |[Protect devices with Microsoft Intune](/mem/intune/protect/device-protect) |
-|**Integrate Microsoft Defender for Endpoint with Intune** as a Mobile Threat Defense solution <br/>*(for Android devices and devices running Windows 10 or later)* |[Enforce compliance for Microsoft Defender for Endpoint with Conditional Access in Intune](/mem/intune/protect/advanced-threat-protection) |
-|**Use Conditional Access** to control the devices and apps that can connect to your email and company resources |[Configure Conditional Access in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/configure-conditional-access) |
-|**Configure Microsoft Defender Antivirus settings** using the Policy configuration service provider ([Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider)) |[Device restrictions: Microsoft Defender Antivirus](/mem/intune/configuration/device-restrictions-windows-10#microsoft-defender-antivirus)<br/><br/>[Policy CSP - Microsoft Defender for Endpoint](/windows/client-management/mdm/policy-csp-defender) |
-|**If necessary, specify exclusions for Microsoft Defender Antivirus** <br/><br/>*Generally, you shouldn't need to apply exclusions. Microsoft Defender Antivirus includes a number of automatic exclusions based on known operating system behaviors and typical management files, such as those used in enterprise management, database management, and other enterprise scenarios.* |[Virus scanning recommendations for Enterprise computers that are running currently supported versions of Windows](https://support.microsoft.com/help/822158/virus-scanning-recommendations-for-enterprise-computers)<br/><br/>[Device restrictions: Microsoft Defender Antivirus Exclusions for Windows 10 devices](/mem/intune/configuration/device-restrictions-windows-10#microsoft-defender-antivirus-exclusions) <br/><br/>[Configure Microsoft Defender Antivirus exclusions on Windows Server 2016 or 2019](/windows/security/threat-protection/microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus)|
-|**Configure your attack surface reduction rules** to target software behaviors that are often abused by attackers<br/><br/>*Configure your attack surface reduction rules in [audit mode](/microsoft-365/security/defender-endpoint/audit-windows-defender) at first (for at least one week and up to two months). You can monitor status using Power BI ([get our template](https://github.com/microsoft/MDATP-PowerBI-Templates/tree/master/Attack%20Surface%20Reduction%20rules)), and then set those rules to active mode when you're ready.* |[Audit mode in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/audit-windows-defender)<br/><br/>[Endpoint protection: Attack Surface Reduction](/mem/intune/protect/endpoint-protection-windows-10?toc=/intune/configuration/toc.json&bc=/intune/configuration/breadcrumb/toc.json#attack-surface-reduction)<br/><br/>[Learn more about attack surface reduction rules](/microsoft-365/security/defender-endpoint/attack-surface-reduction)<br/><br/>[Tech Community blog post: Demystifying attack surface reduction rules - Part 1](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/demystifying-attack-surface-reduction-rules-part-1/ba-p/1306420) |
-|**Configure your network filtering** to block outbound connections from any app to IP addresses or domains with low reputations <br/><br/>*Network filtering is also referred to as [network protection](/microsoft-365/security/defender-endpoint/network-protection).*<br/><br/>*Make sure that Windows 10 devices have the latest [antimalware platform updates](https://support.microsoft.com/help/4052623/update-for-microsoft-defender-antimalware-platform) installed.*|[Endpoint protection: Network filtering](/mem/intune/protect/endpoint-protection-windows-10#network-filtering)<br/><br/>[Review network protection events in Windows Event Viewer](/microsoft-365/security/defender-endpoint/evaluate-network-protection#review-network-protection-events-in-windows-event-viewer) |
-|**Configure controlled folder access** to protect against ransomware <br/><br/>*[Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders) is also referred to as antiransomware protection.* |[Endpoint protection: Controlled folder access](/mem/intune/protect/endpoint-protection-windows-10#controlled-folder-access) <br/><br/>[Enable controlled folder access in Intune](/microsoft-365/security/defender-endpoint/enable-controlled-folders#intune) |
-|**Configure exploit protection** to protect your organization's devices from malware that uses exploits to spread and infect other devices <br/><br/> *[Exploit protection](/microsoft-365/security/defender-endpoint/exploit-protection) is also referred to as Exploit Guard.* |[Endpoint protection: Microsoft Defender Exploit Guard](/mem/intune/protect/endpoint-protection-windows-10#microsoft-defender-exploit-guard) <br/><br/>[Enable exploit protection in Intune](/microsoft-365/security/defender-endpoint/enable-exploit-protection#intune) |
-|**Configure Microsoft Defender SmartScreen** to protect against malicious sites and files on the internet. <br/><br/> *Microsoft Edge should be installed on your organization's devices. For protection on Google Chrome and FireFox browsers, configure exploit protection.* |[Microsoft Defender SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview) <br/><br/>[Device restrictions: Microsoft Defender SmartScreen](/mem/intune/configuration/device-restrictions-windows-10#microsoft-defender-smartscreen)<br/><br/>[Policy settings for managing SmartScreen in Intune](/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings#mdm-settings) |
-|**Configure Microsoft Defender Firewall** to block unauthorized network traffic flowing into or out of your organization's devices |[Endpoint protection: Microsoft Defender Firewall](/mem/intune/protect/endpoint-protection-windows-10#microsoft-defender-firewall) <br/><br/> [Microsoft Defender Firewall with Advanced Security](/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security) |
-|**Configure encryption and BitLocker** to protect information on your organization's devices running Windows |[Endpoint protection: Windows Encryption](/mem/intune/protect/endpoint-protection-windows-10#windows-encryption)<br/><br/>[BitLocker for Windows 10 devices](/windows/security/information-protection/bitlocker/bitlocker-overview) |
-|**Configure Microsoft Defender Credential Guard** to protect against credential theft attacks |For Windows 10, Windows Server 2016, and Windows Server 2019, see [Endpoint protection: Microsoft Defender Credential Guard](/mem/intune/protect/endpoint-protection-windows-10#microsoft-defender-credential-guard) <br/><br/>For Windows 7 SP1, Windows Server 2008 R2 SP1, Windows 8.1, and Windows Server 2012 R2, see [Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft, Versions 1 and 2](https://www.microsoft.com/download/details.aspx?id=36036) |
-|**Configure Microsoft Defender Application Control** to choose whether to audit or trust apps on your organization's devices <br/><br/>*Microsoft Defender Application Control is also referred to as [AppLocker](/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview).*|[Deploy Microsoft Defender Application Control policies by using Microsoft Intune](/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune)<br/><br/>[Endpoint protection: Microsoft Defender Application Control](/mem/intune/protect/endpoint-protection-windows-10#microsoft-defender-application-control)<br/><br/>[AppLocker CSP](/windows/client-management/mdm/applocker-csp)|
-|**Configure device control and USB peripherals access** to help prevent threats in unauthorized peripherals from compromising your devices |[Control USB devices and other removable media using Microsoft Defender for Endpoint and Intune](/windows/security/threat-protection/device-control/control-usb-devices-using-intune) |
+<br>
+
+****
+
+|Task|Resources to learn more|
+|||
+|**Manage your organization's devices using Intune** to protect those devices and data stored on them|[Protect devices with Microsoft Intune](/mem/intune/protect/device-protect)|
+|**Integrate Microsoft Defender for Endpoint with Intune** as a Mobile Threat Defense solution <br/>*(for Android devices and devices running Windows 10 or later)*|[Enforce compliance for Microsoft Defender for Endpoint with Conditional Access in Intune](/mem/intune/protect/advanced-threat-protection)|
+|**Use Conditional Access** to control the devices and apps that can connect to your email and company resources|[Configure Conditional Access in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/configure-conditional-access)|
+|**Configure Microsoft Defender Antivirus settings** using the Policy configuration service provider ([Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider))|[Device restrictions: Microsoft Defender Antivirus](/mem/intune/configuration/device-restrictions-windows-10#microsoft-defender-antivirus) <p> [Policy CSP - Microsoft Defender for Endpoint](/windows/client-management/mdm/policy-csp-defender)|
+|**If necessary, specify exclusions for Microsoft Defender Antivirus** <p> *Generally, you shouldn't need to apply exclusions. Microsoft Defender Antivirus includes a number of automatic exclusions based on known operating system behaviors and typical management files, such as those used in enterprise management, database management, and other enterprise scenarios.*|[Virus scanning recommendations for Enterprise computers that are running currently supported versions of Windows](https://support.microsoft.com/help/822158/virus-scanning-recommendations-for-enterprise-computers) <p> [Device restrictions: Microsoft Defender Antivirus Exclusions for Windows 10 devices](/mem/intune/configuration/device-restrictions-windows-10#microsoft-defender-antivirus-exclusions) <p> [Configure Microsoft Defender Antivirus exclusions on Windows Server 2016 or 2019](/windows/security/threat-protection/microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus)|
+|**Configure your attack surface reduction rules** to target software behaviors that are often abused by attackers <p> *Configure your attack surface reduction rules in [audit mode](/microsoft-365/security/defender-endpoint/audit-windows-defender) at first (for at least one week and up to two months). You can monitor status using Power BI ([get our template](https://github.com/microsoft/MDATP-PowerBI-Templates/tree/master/Attack%20Surface%20Reduction%20rules)), and then set those rules to active mode when you're ready.*|[Audit mode in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/audit-windows-defender) <p> [Endpoint protection: Attack Surface Reduction](/mem/intune/protect/endpoint-protection-windows-10?toc=/intune/configuration/toc.json&bc=/intune/configuration/breadcrumb/toc.json#attack-surface-reduction) <p> [Learn more about attack surface reduction rules](/microsoft-365/security/defender-endpoint/attack-surface-reduction) <p> [Tech Community blog post: Demystifying attack surface reduction rules - Part 1](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/demystifying-attack-surface-reduction-rules-part-1/ba-p/1306420)|
+|**Configure your network filtering** to block outbound connections from any app to IP addresses or domains with low reputations <p> *Network filtering is also referred to as [network protection](/microsoft-365/security/defender-endpoint/network-protection).* <p> *Make sure that Windows 10 devices have the latest [antimalware platform updates](https://support.microsoft.com/help/4052623/update-for-microsoft-defender-antimalware-platform) installed.*|[Endpoint protection: Network filtering](/mem/intune/protect/endpoint-protection-windows-10#network-filtering) <p> [Review network protection events in Windows Event Viewer](/microsoft-365/security/defender-endpoint/evaluate-network-protection#review-network-protection-events-in-windows-event-viewer)|
+|**Configure controlled folder access** to protect against ransomware <p> *[Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders) is also referred to as antiransomware protection.*|[Endpoint protection: Controlled folder access](/mem/intune/protect/endpoint-protection-windows-10#controlled-folder-access) <p> [Enable controlled folder access in Intune](/microsoft-365/security/defender-endpoint/enable-controlled-folders#intune)|
+|**Configure exploit protection** to protect your organization's devices from malware that uses exploits to spread and infect other devices <p> *[Exploit protection](/microsoft-365/security/defender-endpoint/exploit-protection) is also referred to as Exploit Guard.*|[Endpoint protection: Microsoft Defender Exploit Guard](/mem/intune/protect/endpoint-protection-windows-10#microsoft-defender-exploit-guard) <p> [Enable exploit protection in Intune](/microsoft-365/security/defender-endpoint/enable-exploit-protection#intune)|
+|**Configure Microsoft Defender SmartScreen** to protect against malicious sites and files on the internet. <p> *Microsoft Edge should be installed on your organization's devices. For protection on Google Chrome and FireFox browsers, configure exploit protection.*|[Microsoft Defender SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview) <p> [Device restrictions: Microsoft Defender SmartScreen](/mem/intune/configuration/device-restrictions-windows-10#microsoft-defender-smartscreen) <p> [Policy settings for managing SmartScreen in Intune](/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings#mdm-settings)|
+|**Configure Microsoft Defender Firewall** to block unauthorized network traffic flowing into or out of your organization's devices|[Endpoint protection: Microsoft Defender Firewall](/mem/intune/protect/endpoint-protection-windows-10#microsoft-defender-firewall) <p> [Microsoft Defender Firewall with Advanced Security](/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security)|
+|**Configure encryption and BitLocker** to protect information on your organization's devices running Windows|[Endpoint protection: Windows Encryption](/mem/intune/protect/endpoint-protection-windows-10#windows-encryption) <p> [BitLocker for Windows 10 devices](/windows/security/information-protection/bitlocker/bitlocker-overview)|
+|**Configure Microsoft Defender Credential Guard** to protect against credential theft attacks|For Windows 10, Windows Server 2016, and Windows Server 2019, see [Endpoint protection: Microsoft Defender Credential Guard](/mem/intune/protect/endpoint-protection-windows-10#microsoft-defender-credential-guard) <p> For Windows 7 SP1, Windows Server 2008 R2 SP1, Windows 8.1, and Windows Server 2012 R2, see [Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft, Versions 1 and 2](https://www.microsoft.com/download/details.aspx?id=36036)|
+|**Configure Microsoft Defender Application Control** to choose whether to audit or trust apps on your organization's devices <p> *Microsoft Defender Application Control is also referred to as [AppLocker](/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview).*|[Deploy Microsoft Defender Application Control policies by using Microsoft Intune](/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune) <p> [Endpoint protection: Microsoft Defender Application Control](/mem/intune/protect/endpoint-protection-windows-10#microsoft-defender-application-control) <p> [AppLocker CSP](/windows/client-management/mdm/applocker-csp)|
+|**Configure device control and USB peripherals access** to help prevent threats in unauthorized peripherals from compromising your devices|[Control USB devices and other removable media using Microsoft Defender for Endpoint and Intune](/windows/security/threat-protection/device-control/control-usb-devices-using-intune)|
+|||
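Review bot: the Application Control row says Microsoft Defender Application Control "is also referred to as AppLocker", yet the same row links a Windows Defender Application Control deployment article and a separate AppLocker CSP; these are distinct application-control features, so reword the note (for example, that AppLocker is a related technology with its own CSP) rather than presenting them as one product. Smaller points in the same hunk: "FireFox" in the SmartScreen row should be "Firefox"; the Mobile Threat Defense row keeps `<br/>` while every other cell was converted to `<p>`; and the trailing `|||` row renders as an empty table row.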
## Configure your Microsoft 365 Defender portal

If you haven't already done so, configure your Microsoft 365 Defender portal to view alerts, configure threat protection features, and view detailed information about your organization's overall security posture. See [Microsoft 365 Defender](microsoft-defender-security-center.md). You can also configure whether and what features end users can see in the Microsoft 365 Defender portal.

- [Overview of Microsoft 365 Defender](/microsoft-365/security/defender-endpoint/use)
- [Endpoint protection: Microsoft 365 Defender](/mem/intune/protect/endpoint-protection-windows-10#microsoft-defender-security-center)

## Next steps

- [Get an overview of threat and vulnerability management](/microsoft-365/security/defender-endpoint/next-gen-threat-and-vuln-mgt)
- [Visit the Microsoft 365 Defender portal security operations dashboard](/microsoft-365/security/defender-endpoint/security-operations-dashboard)
security Manage Atp Post Migration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-atp-post-migration.md
The following table lists various tools/methods you can use, with links to learn
****

|Tool/Method|Description|
-|||
+|||
|**[Threat and vulnerability management dashboard insights](/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights)** in the [Microsoft 365 Defender](https://security.microsoft.com/) portal|The threat & vulnerability management dashboard provides actionable information that your security operations team can use to reduce exposure and improve your organization's security posture. <p> See [Threat & vulnerability management](/microsoft-365/security/defender-endpoint/next-gen-threat-and-vuln-mgt) and [Overview of Microsoft 365 Defender](/microsoft-365/security/defender-endpoint/use).|
|**[Microsoft Intune](/mem/intune/fundamentals/what-is-intune)** (recommended)|Microsoft Intune (Intune), a component of [Microsoft Endpoint Manager](/mem/endpoint-manager-overview), focuses on mobile device management (MDM) and mobile application management (MAM). With Intune, you control how your organization's devices are used, including mobile phones, tablets, and laptops. You can also configure specific policies to control applications. <p> See [Manage Microsoft Defender for Endpoint using Intune](manage-atp-post-migration-intune.md).|
|**[Microsoft Endpoint Configuration Manager](/mem/configmgr/core/understand/introduction)**|Microsoft Endpoint Configuration Manager (Configuration Manager), formerly known as System Center Configuration Manager, is a component of [Microsoft Endpoint Manager](/mem/endpoint-manager-overview). Configuration Manager is a powerful tool to manage your users, devices, and software. <p> See [Manage Microsoft Defender for Endpoint with Configuration Manager](manage-atp-post-migration-configuration-manager.md).|
|**[Group Policy Objects in Azure Active Directory Domain Services](/azure/active-directory-domain-services/manage-group-policy)**|[Azure Active Directory Domain Services](/azure/active-directory-domain-services/overview) includes built-in Group Policy Objects for users and devices. You can customize the built-in Group Policy Objects as needed for your environment, as well as create custom Group Policy Objects and organizational units (OUs). <p> See [Manage Microsoft Defender for Endpoint with Group Policy Objects](manage-atp-post-migration-group-policy-objects.md).|
|**[PowerShell, WMI, and MPCmdRun.exe](manage-atp-post-migration-other-tools.md)**|*We recommend using Microsoft Endpoint Manager (which includes Intune and Configuration Manager) to manage threat protection features on your organization's devices. However, you can configure some settings, such as Microsoft Defender Antivirus settings on individual devices (endpoints), with PowerShell, WMI, or the MPCmdRun.exe tool.* <p> You can use PowerShell to manage Microsoft Defender Antivirus, exploit protection, and your attack surface reduction rules. See [Configure Microsoft Defender for Endpoint with PowerShell](manage-atp-post-migration-other-tools.md#configure-microsoft-defender-for-endpoint-with-powershell). <p> You can use Windows Management Instrumentation (WMI) to manage Microsoft Defender Antivirus and exclusions. See [Configure Microsoft Defender for Endpoint with WMI](manage-atp-post-migration-other-tools.md#configure-microsoft-defender-for-endpoint-with-windows-management-instrumentation-wmi). <p> You can use the Microsoft Malware Protection Command-Line Utility (MPCmdRun.exe) to manage Microsoft Defender Antivirus and exclusions, as well as validate connections between your network and the cloud. See [Configure Microsoft Defender for Endpoint with MPCmdRun.exe](manage-atp-post-migration-other-tools.md#configure-microsoft-defender-for-endpoint-with-microsoft-malware-protection-command-line-utility-mpcmdrunexe).|
+|
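Review bot: the lone `|` added after the table does not close anything in Markdown; depending on the renderer it becomes a stray one-cell row or literal text. The other tables in this change set end with `|||`; use the same convention here or remove the line.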
## See also
security Manage Auto Investigation https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-auto-investigation.md
## Remediation actions
-When an [automated investigation](automated-investigations.md) runs, a verdict is generated for each piece of evidence investigated. Verdicts can be *Malicious*, *Suspicious*, or *No threats found*.
+When an [automated investigation](automated-investigations.md) runs, a verdict is generated for each piece of evidence investigated. Verdicts can be *Malicious*, *Suspicious*, or *No threats found*.
Depending on -- the type of threat, -- the resulting verdict, and -- how your organization's [device groups](/microsoft-365/security/defender-endpoint/machine-groups) are configured,
+- the type of threat,
+- the resulting verdict, and
+- how your organization's [device groups](/microsoft-365/security/defender-endpoint/machine-groups) are configured,
-remediation actions can occur automatically or only upon approval by your organization's security operations team.
+remediation actions can occur automatically or only upon approval by your organization's security operations team.
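Review bot: the three bullets that complete "Depending on" are followed directly by the sentence "remediation actions can occur automatically or only upon approval..."; unless a blank line separates the last bullet from that sentence, Markdown treats it as a lazy continuation of the third bullet rather than the paragraph that finishes the thought. Add the blank line, and consider a colon after "Depending on" so the split sentence reads cleanly.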
Here are a few examples:
- **Example 3**: Tailspin Toys has their device groups set to **No automated response** (not recommended). In this case, automated investigations do not occur. No remediation actions are taken or pending, and no actions are logged in the [Action center](/microsoft-365/security/defender-endpoint/auto-investigation-action-center#the-action-center) for their devices (see [Manage device groups](/microsoft-365/security/defender-endpoint/machine-groups#manage-device-groups)). Whether taken automatically or upon approval, an automated investigation can result in one or more of the remediation actions:+ - Quarantine a file-- Remove a registry key -- Kill a process -- Stop a service -- Disable a driver
+- Remove a registry key
+- Kill a process
+- Stop a service
+- Disable a driver
- Remove a scheduled task

## Review pending actions

1. Go to the Microsoft 365 security center ([https://security.microsoft.com](https://security.microsoft.com)) and sign in.
-2. In the navigation pane, choose **Action center**.
-3. Review the items on the **Pending** tab.
+2. In the navigation pane, choose **Action center**.
+3. Review the items on the **Pending** tab.
4. Select an action to open its flyout pane.
5. In the flyout pane, review the information, and then take one of the following steps:
   - Select **Open investigation page** to view more details about the investigation.
   - Select **Approve** to initiate a pending action.
   - Select **Reject** to prevent a pending action from being taken.
- - Select **Go hunt** to go into [Advanced hunting](advanced-hunting-overview.md).
+ - Select **Go hunt** to go into [Advanced hunting](advanced-hunting-overview.md).
## Review completed actions

1. Go to the Microsoft 365 security center ([https://security.microsoft.com](https://security.microsoft.com)) and sign in.
-2. In the navigation pane, choose **Action center**.
-3. Review the items on the **History** tab.
+2. In the navigation pane, choose **Action center**.
+3. Review the items on the **History** tab.
4. Select an item to view more details about that remediation action.
-
+ ## Undo completed actions
-If you've determined that a device or a file is not a threat, you can undo remediation actions that were taken, whether those actions were taken automatically or manually. In the Action center, on the **History** tab, you can undo any of the following actions:
+If you've determined that a device or a file is not a threat, you can undo remediation actions that were taken, whether those actions were taken automatically or manually. In the Action center, on the **History** tab, you can undo any of the following actions:
+
+<br>
+
+****
-| Action source | Supported Actions |
-|:|:|
-| - Automated investigation <br/>- Microsoft Defender Antivirus <br/>- Manual response actions | - Isolate device <br/>- Restrict code execution <br/>- Quarantine a file <br/>- Remove a registry key <br/>- Stop a service <br/>- Disable a driver <br/>- Remove a scheduled task |
+|Action source|Supported Actions|
+|||
+|<ul><li>Automated investigation</li><li>Microsoft Defender Antivirus</li><li>Manual response actions</li></ul>|<ul><li>Isolate device</li><li>Restrict code execution</li><li>Quarantine a file</li><li>Remove a registry key</li><li>Stop a service</li><li>Disable a driver</li><li>Remove a scheduled task</li></ul>|
+|
### To undo multiple actions at one time
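Review bot: The remediation-action list under "Here are a few examples" and the Supported Actions cell of the new undo table disagree on one item: "- Kill a process" appears in the list next to "- Quarantine a file", "- Remove a registry key", "- Stop a service", "- Disable a driver" and "- Remove a scheduled task", but it is the only one of those actions that is absent from the undo table. If a killed process cannot be restored, say so explicitly beside the table (for example, "Killing a process cannot be undone"), so an analyst approving a pending kill knows it is one-way; if it can be undone, add it to the table. On the markup: the rebuilt table is now preceded by `<br>` and `****` and followed by a lone `|`; `****` is a thematic break (horizontal rule) in markdown and the trailing `|` is not a table row, so confirm both are the intended site convention rather than stray lines, and consider a delimiter row with dashes (`|---|---|`), since a dash-less `|||` row is not a valid delimiter in GitHub Flavored Markdown even where the docs renderer tolerates it.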
If you've determined that a device or a file is not a threat, you can undo remed
2. On the **History** tab, select the actions that you want to undo. Make sure to select items that have the same Action type. A flyout pane opens. 3. In the flyout pane, select **Undo**.
-### To remove a file from quarantine across multiple devices
+### To remove a file from quarantine across multiple devices
1. Go to the Action center ([https://security.microsoft.com/action-center](https://security.microsoft.com/action-center)) and sign in. 2. On the **History** tab, select an item that has the Action type **Quarantine file**.
If you've determined that a device or a file is not a threat, you can undo remed
## Automation levels, automated investigation results, and resulting actions
-Automation levels affect whether certain remediation actions are taken automatically or only upon approval. Sometimes your security operations team has more steps to take, depending on the results of an automated investigation. The following table summarizes automation levels, results of automated investigations, and what to do in each case.
-
-|Device group setting | Automated investigation results | What to do |
-|:|:|:|
-|**Full - remediate threats automatically** (the recommended setting) |A verdict of *Malicious* is reached for a piece of evidence. <br/><br/>Appropriate remediation actions are taken automatically. |[Review completed actions](#review-completed-actions) |
-|**Full - remediate threats automatically** |A verdict of *Suspicious* is reached for a piece of evidence. <br/><br/>Remediation actions are pending approval to proceed. | [Approve (or reject) pending actions](#review-pending-actions) |
-|**Semi - require approval for any remediation** |A verdict of either *Malicious* or *Suspicious* is reached for a piece of evidence. <br/><br/>Remediation actions are pending approval to proceed. |[Approve (or reject) pending actions](#review-pending-actions) |
-|**Semi - require approval for core folders remediation** |A verdict of *Malicious* is reached for a piece of evidence. <br/><br/>If the artifact is a file or executable and is in an operating system directory, such as the Windows folder or the Program files folder, then remediation actions are pending approval. <br/><br/>If the artifact is *not* in an operating system directory, remediation actions are taken automatically. |1. [Approve (or reject) pending actions](#review-pending-actions)<br/><br/>2. [Review completed actions](#review-completed-actions) |
-|**Semi - require approval for core folders remediation** |A verdict of *Suspicious* is reached for a piece of evidence. <br/><br/>Remediation actions are pending approval. |[Approve (or reject) pending actions](#review-pending-actions).|
-|**Semi - require approval for non-temp folders remediation** |A verdict of *Malicious* is reached for a piece of evidence. <br/><br/>If the artifact is a file or executable that is not in a temporary folder, such as the user's downloads folder or temp folder, remediation actions are pending approval. <br/><br/>If the artifact is a file or executable that *is* in a temporary folder, remediation actions are taken automatically. |1. [Approve (or reject) pending actions](#review-pending-actions)<br/><br/>2. [Review completed actions](#review-completed-actions) |
-|**Semi - require approval for non-temp folders remediation** |A verdict of *Suspicious* is reached for a piece of evidence. <br/><br/>Remediation actions are pending approval. |[Approve (or reject) pending actions](#review-pending-actions) |
-|Any of the **Full** or **Semi** automation levels |A verdict of *No threats found* is reached for a piece of evidence. <br/><br/>No remediation actions are taken, and no actions are pending approval. |[View details and results of automated investigations](/microsoft-365/security/defender-endpoint/auto-investigation-action-center) |
-|**No automated response** (not recommended)|No automated investigations run, so no verdicts are reached, and no remediation actions are taken or awaiting approval. |[Consider setting up or changing your device groups to use **Full** or **Semi** automation](/microsoft-365/security/defender-endpoint/machine-groups) |
+Automation levels affect whether certain remediation actions are taken automatically or only upon approval. Sometimes your security operations team has more steps to take, depending on the results of an automated investigation. The following table summarizes automation levels, results of automated investigations, and what to do in each case.
+
+<br>
+
+****
+
+|Device group setting|Automated investigation results|What to do|
+||||
+|**Full - remediate threats automatically** (the recommended setting)|A verdict of *Malicious* is reached for a piece of evidence. <p> Appropriate remediation actions are taken automatically.|[Review completed actions](#review-completed-actions)|
+|**Full - remediate threats automatically**|A verdict of *Suspicious* is reached for a piece of evidence. <p> Remediation actions are pending approval to proceed.|[Approve (or reject) pending actions](#review-pending-actions)|
+|**Semi - require approval for any remediation**|A verdict of either *Malicious* or *Suspicious* is reached for a piece of evidence. <p> Remediation actions are pending approval to proceed.|[Approve (or reject) pending actions](#review-pending-actions)|
+|**Semi - require approval for core folders remediation**|A verdict of *Malicious* is reached for a piece of evidence. <p> If the artifact is a file or executable and is in an operating system directory, such as the Windows folder or the Program files folder, then remediation actions are pending approval. <p> If the artifact is *not* in an operating system directory, remediation actions are taken automatically.|<ol><li>[Approve (or reject) pending actions](#review-pending-actions)</li><li>[Review completed actions](#review-completed-actions)</li></ol>|
+|**Semi - require approval for core folders remediation**|A verdict of *Suspicious* is reached for a piece of evidence. <p> Remediation actions are pending approval.|[Approve (or reject) pending actions](#review-pending-actions).|
+|**Semi - require approval for non-temp folders remediation**|A verdict of *Malicious* is reached for a piece of evidence. <p> If the artifact is a file or executable that is not in a temporary folder, such as the user's downloads folder or temp folder, remediation actions are pending approval. <p> If the artifact is a file or executable that *is* in a temporary folder, remediation actions are taken automatically.|<ol><li>[Approve (or reject) pending actions](#review-pending-actions)</li><li>[Review completed actions](#review-completed-actions)</li></ol>|
+|**Semi - require approval for non-temp folders remediation**|A verdict of *Suspicious* is reached for a piece of evidence. <p> Remediation actions are pending approval.|[Approve (or reject) pending actions](#review-pending-actions)|
+|Any of the **Full** or **Semi** automation levels|A verdict of *No threats found* is reached for a piece of evidence. <p> No remediation actions are taken, and no actions are pending approval.|[View details and results of automated investigations](/microsoft-365/security/defender-endpoint/auto-investigation-action-center)|
+|**No automated response** (not recommended)|No automated investigations run, so no verdicts are reached, and no remediation actions are taken or awaiting approval.|[Consider setting up or changing your device groups to use **Full** or **Semi** automation](/microsoft-365/security/defender-endpoint/machine-groups)|
+|
In Microsoft Defender for Endpoint, all verdicts are tracked in the [Action center](auto-investigation-action-center.md#new-a-unified-action-center).
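Review bot: The "Semi - require approval for non-temp folders remediation" / *Malicious* row is ambiguous as written: "a file or executable that is not in a temporary folder, such as the user's downloads folder or temp folder" attaches the examples to the folders that are not temporary, while the next sentence treats Downloads and Temp as exactly the temporary folders whose contents are remediated automatically. Move the examples next to the term they illustrate, for example "not in a temporary folder (such as the user's Downloads or Temp folder)", so a reader does not conclude that a payload dropped in Downloads waits for approval. Two smaller points in the same table: the "Semi - require approval for core folders remediation" / *Suspicious* row ends its What-to-do link with a period, unlike every other row; and the `<p>` tags now used as paragraph separators inside cells are never closed, so the first sentence of a cell sits outside a paragraph and the rest inside, which may render with different margins than the `<br/><br/>` the rows used before; either close them or keep `<br/><br/>`.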
security Manage Automation File Uploads https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-automation-file-uploads.md
ms.technology: mde
Enable the content analysis capability so that certain files and email attachments can automatically be uploaded to the cloud for additional inspection in Automated investigation.
-Identify the files and email attachments by specifying the file extension names and email attachment extension names.
+Identify the files and email attachments by specifying the file extension names and email attachment extension names.
-For example, if you add *exe* and *bat* as file or attachment extension names, then all files or attachments with those extensions will automatically be sent to the cloud for additional inspection during Automated investigation.
+For example, if you add *exe* and *bat* as file or attachment extension names, then all files or attachments with those extensions will automatically be sent to the cloud for additional inspection during Automated investigation.
## Add file extension names and attachment extension names.
-1. In the navigation pane, select **Settings** > **Endpoints** > **Rules** > **Automation uploads**.
+1. In the navigation pane, select **Settings** \> **Endpoints** \> **Rules** \> **Automation uploads**.
2. Toggle the content analysis setting between **On** and **Off**. 3. Configure the following extension names and separate extension names with a comma:
- - **File extension names** - Suspicious files except email attachments will be submitted for additional inspection
-
+ - **File extension names** - Suspicious files except email attachments will be submitted for additional inspection
## Related topics+ - [Manage automation folder exclusions](manage-automation-folder-exclusions.md)
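Review bot: The example "if you add *exe* and *bat* as file or attachment extension names" leaves the input format unspecified: the page should say whether an extension is entered with or without the leading dot (`exe` versus `.exe`), whether matching is case-insensitive (so `.EXE` is covered), and whether spaces are allowed after the comma, since step 3 only says "separate extension names with a comma". Minor: the heading "## Add file extension names and attachment extension names." ends with a period.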
security Manage Automation Folder Exclusions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-automation-folder-exclusions.md
ms.technology: mde
-# Manage automation folder exclusions
+# Manage automation folder exclusions
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
ms.technology: mde
> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-automationexclusionfolder-abovefoldlink)
-Automation folder exclusions allow you to specify folders that the Automated investigation will skip.
+Automation folder exclusions allow you to specify folders that the Automated investigation will skip.
You can control the following attributes about the folder that you'd like to be skipped:-- Folders -- Extensions of the files-- File names
+- **Folders**: You can specify a folder and its subfolders to be skipped.
-**Folders**<br>
-You can specify a folder and its subfolders to be skipped.
--
->[!NOTE]
->At this time, use of wild cards as a way to exclude files under a directory is not yet supported.
--
-**Extensions**<br>
-You can specify the extensions to exclude in a specific directory. The extensions are a way to prevent an attacker from using an excluded folder to hide an exploit. The extensions explicitly define which files to ignore.
-
-**File names**<br>
-You can specify the file names that you want to be excluded in a specific directory. The names are a way to prevent an attacker from using an excluded folder to hide an exploit. The names explicitly define which files to ignore.
+ > [!NOTE]
+ > At this time, use of wild cards as a way to exclude files under a directory is not yet supported.
+- **Extensions of the files**: You can specify the extensions to exclude in a specific directory. The extensions are a way to prevent an attacker from using an excluded folder to hide an exploit. The extensions explicitly define which files to ignore.
+- **File names**: You can specify the file names that you want to be excluded in a specific directory. The names are a way to prevent an attacker from using an excluded folder to hide an exploit. The names explicitly define which files to ignore.
## Add an automation folder exclusion
-1. In the navigation pane, select **Settings** > **Endpoints** > **Rules** > **Automation folder exclusions**.
-2. Click **New folder exclusion**.
+1. In the navigation pane, select **Settings** \> **Endpoints** \> **Rules** \> **Automation folder exclusions**.
+
+2. Click **New folder exclusion**.
3. Enter the folder details:
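Review bot: The new bullet list describes Folders, Extensions of the files and File names but never says whether the extension and file-name filters are required or optional when an exclusion is created. Given "- **Folders**: You can specify a folder and its subfolders to be skipped." and the note further down that Live Response collection of excluded files fails and automated investigations ignore them, an exclusion that specifies only a folder is a blanket blind spot over an entire tree; state explicitly that leaving extensions and file names empty excludes everything under the folder, and recommend narrowing with them, which is what the two "prevent an attacker from using an excluded folder to hide an exploit" sentences are getting at. Also, "hide an exploit" should be "hide a malicious file" or "hide malware": what is hidden in the folder is the file, not an exploit.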
You can specify the file names that you want to be excluded in a specific direct
4. Click **Save**.
->[!NOTE]
+> [!NOTE]
> Live Response commands to collect or examine excluded files will fail with error: "File is excluded". In addition, automated investigations will ignore the excluded items.
-## Edit an automation folder exclusion
-1. In the navigation pane, select **Settings** > **Endpoints** > **Rules** > **Automation folder exclusions**.
-
-2. Click **Edit** on the folder exclusion.
+## Edit an automation folder exclusion
+1. In the navigation pane, select **Settings** \> **Endpoints** \> **Rules** \> **Automation folder exclusions**.
+2. Click **Edit** on the folder exclusion.
3. Update the details of the rule and click **Save**.
-## Remove an automation folder exclusion
-1. In the navigation pane, select **Settings** > **Endpoints** > **Rules** > **Automation folder exclusions**.
-2. Click **Remove exclusion**.
+## Remove an automation folder exclusion
+1. In the navigation pane, select **Settings** \> **Endpoints** \> **Rules** \> **Automation folder exclusions**.
+2. Click **Remove exclusion**.
## Related topics+ - [Manage automation allowed/blocked lists](manage-indicators.md) - [Manage automation file uploads](manage-automation-file-uploads.md)
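Review bot: Step 2 of "Remove an automation folder exclusion" ("2. Click **Remove exclusion**.") does not say which exclusion, unlike the Edit procedure's "2. Click **Edit** on the folder exclusion."; make the two parallel ("Click **Remove exclusion** on the folder exclusion you want to remove") and mention any confirmation prompt if one is shown. Also, the Add procedure now has a blank line between steps 1 and 2 while the Edit and Remove procedures in the same file do not; pick one list spacing for the three procedures.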
security Manage Event Based Updates Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-event-based-updates-microsoft-defender-antivirus.md
You can use Microsoft Endpoint Configuration Manager, Group Policy, PowerShell c
### Use Configuration Manager to check for protection updates before running a scan
-1. On your Microsoft Endpoint Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**)
+1. On your Microsoft Endpoint Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** \> **Endpoint Protection** \> **Antimalware Policies**)
2. Go to the **Scheduled scans** section and set **Check for the latest security intelligence updates before running a scan** to **Yes**.
You can use Microsoft Endpoint Configuration Manager, Group Policy, PowerShell c
3. Click **Policies** then **Administrative templates**.
-4. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Scan**.
+4. Expand the tree to **Windows components** \> **Microsoft Defender Antivirus** \> **Scan**.
5. Double-click **Check for the latest virus and spyware definitions before running a scheduled scan** and set the option to **Enabled**.
You can use Group Policy to force Microsoft Defender Antivirus to check and down
3. Click **Policies** then **Administrative templates**.
-4. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Security Intelligence Updates**.
+4. Expand the tree to **Windows components** \> **Microsoft Defender Antivirus** \> **Security Intelligence Updates**.
-5. Double-click **Check for the latest virus and spyware definitions on startup** and set the option to **Enabled**.
+5. Double-click **Check for the latest virus and spyware definitions on startup** and set the option to **Enabled**.
6. Click **OK**.
You can also use Group Policy, PowerShell, or WMI to configure Microsoft Defende
3. Click **Policies** then **Administrative templates**.
-4. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Security Intelligence Updates**.
+4. Expand the tree to **Windows components** \> **Microsoft Defender Antivirus** \> **Security Intelligence Updates**.
5. Double-click **Initiate security intelligence update on startup** and set the option to **Enabled**.
If you have enabled cloud-delivered protection, Microsoft Defender AV will send
3. Click **Policies** then **Administrative templates**.
-4. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Security Intelligence Updates**.
+4. Expand the tree to **Windows components** \> **Microsoft Defender Antivirus** \> **Security Intelligence Updates**.
5. Double-click **Allow real-time security intelligence updates based on reports to Microsoft MAPS** and set the option to **Enabled**. Then click **OK**. 6. **Allow notifications to disable definitions-based reports to Microsoft MAPS** and set the option to **Enabled**. Then click **OK**.
-
+ > [!NOTE] > **Allow notifications to disable definitions based reports** enables Microsoft MAPS to disable those definitions known to cause false-positive reports. You must configure your computer to join Microsoft MAPS for this function to work.
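Review bot: Step 6 is missing its verb: "6. **Allow notifications to disable definitions-based reports to Microsoft MAPS** and set the option to **Enabled**." should begin with "Double-click" like step 5. The note that follows refers to the same policy as "**Allow notifications to disable definitions based reports**" (no hyphen, name cut short); use one spelling of the full policy name in both places so a reader can find it in the Group Policy editor.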
security Manage Gradual Rollout https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-gradual-rollout.md
Title: Manage the gradual rollout process for Microsoft Defender updates
-description: Learn about the gradual update process and controls
+description: Learn about the gradual update process and controls
keywords: update, update process, controls, release search.product: eADQiWindows 10XVcnh search.appverid: met150
ms.localizationpriority: medium audience: ITPro--- M365-security-compliance -- m365initiative-m365-defender +
+- M365-security-compliance
+- m365initiative-m365-defender
ms.technology: m365d
-# Manage the gradual rollout process for Microsoft Defender updates
+# Manage the gradual rollout process for Microsoft Defender updates
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
ms.technology: m365d
- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/) - It is important to ensure that client components are up-to-date to deliver critical protection capabilities and prevent attacks.
-Capabilities are provided through several components:
+Capabilities are provided through several components:
-- [Endpoint Detection & Response](overview-endpoint-detection-response.md) -- [Next-generation protection](microsoft-defender-antivirus-windows.md) with [cloud-delivered protection](cloud-protection-microsoft-defender-antivirus.md)
+- [Endpoint Detection & Response](overview-endpoint-detection-response.md)
+- [Next-generation protection](microsoft-defender-antivirus-windows.md) with [cloud-delivered protection](cloud-protection-microsoft-defender-antivirus.md)
- [Attack Surface Reduction](overview-attack-surface-reduction.md)
-Updates are released monthly using a gradual release process. This process helps to enable early failure detection to catch impact as it occurs and address it quickly before a larger rollout.
+Updates are released monthly using a gradual release process. This process helps to enable early failure detection to catch impact as it occurs and address it quickly before a larger rollout.
> [!NOTE] > For more information on how to control daily security intelligence updates, see [Schedule Microsoft Defender Antivirus protection updates](manage-protection-update-schedule-microsoft-defender-antivirus.md). Updates ensure that next-generation protection can defend against new threats, even if cloud-delivered protection is not available to the endpoint.
If your machines are receiving Defender updates from Windows Update, the gradual
For machines receiving updates through, for example, Windows Server Update Services (WSUS) or Microsoft Endpoint Configuration Manager (MECM), more options are available to all Windows updates, including options for Microsoft Defender for Endpoint. -- Read more about how to use a solution like WSUS, MECM to manage the distribution and application of updates at [Manage Microsoft Defender Antivirus updates and apply baselines - Windows security | Microsoft Docs](manage-updates-baselines-microsoft-defender-antivirus.md#product-updates).
+- Read more about how to use a solution like WSUS, MECM to manage the distribution and application of updates at [Manage Microsoft Defender Antivirus updates and apply baselines - Windows security](manage-updates-baselines-microsoft-defender-antivirus.md#product-updates).
## Update channels for monthly updates
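Review bot: The link text still carries a site suffix after the edit: "[Manage Microsoft Defender Antivirus updates and apply baselines - Windows security](...)" drops "| Microsoft Docs" but keeps "- Windows security", which is not part of the article title; use the title alone. In the same sentence, "a solution like WSUS, MECM" reads better as "a solution such as WSUS or MECM".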
For more information on how to configure updates, see [Create a custom gradual r
The following update channels are available:
-| Channel name | Description | Application |
-|-|-|-|
-| Beta Channel - Prerelease | Test updates before others | Devices set to this channel will be the first to receive new monthly updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in test environments only. |
-| Current Channel (Preview) | Get Current Channel updates **earlier** during gradual release | Devices set to this channel will be offered updates earliest during the gradual release cycle. Suggested for pre-production/validation environments. |
-| Current Channel (Staged) | Get Current Channel updates later during gradual release | Devices will be offered updates later during the gradual release cycle. Suggested to apply to a small, representative part of your device population (~10%). |
-| Current Channel (Broad) | Get updates at the end of gradual release | Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). |
-| (default) | | If you disable or do not configure this policy, the device will remain in Current Channel (Default): Stay up to date automatically during the gradual release cycle. Suitable for most devices. |
+<br>
+
+****
+
+|Channel name|Description|Application|
+||||
+|Beta Channel - Prerelease|Test updates before others|Devices set to this channel will be the first to receive new monthly updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in test environments only.|
+|Current Channel (Preview)|Get Current Channel updates **earlier** during gradual release|Devices set to this channel will be offered updates earliest during the gradual release cycle. Suggested for pre-production/validation environments.|
+|Current Channel (Staged)|Get Current Channel updates later during gradual release|Devices will be offered updates later during the gradual release cycle. Suggested to apply to a small, representative part of your device population (~10%).|
+|Current Channel (Broad)|Get updates at the end of gradual release|Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%).|
+|(default)||If you disable or do not configure this policy, the device will remain in Current Channel (Default): Stay up to date automatically during the gradual release cycle. Suitable for most devices.|
+|
### Update channels for daily updates You can also assign a machine to a channel to define the cadence in which it receives daily updates. Note that unlike the monthly process, there is no Beta channel and this gradual release cycle occurs multiple times a day.
-
-| Channel name | Description | Application |
-|-|-|-|
-| Current Channel (Staged) | Get Current Channel updates later during gradual release | Devices will be offered updates later during the gradual release cycle. Suggested to apply to a small, representative part of your device population (~10%). |
-| Current Channel (Broad) | Get updates at the end of gradual release | Devices will be offered updates after the gradual release cycle. Best for datacenter machines that only receive limited updates. Note: this setting applies to all Defender updates. |
-| (default) | | If you disable or do not configure this policy, the device will remain in Current Channel (Default): Stay up to date automatically during the gradual release cycle. Suitable for most devices |
+
+<br>
+
+****
+
+|Channel name|Description|Application|
+||||
+|Current Channel (Staged)|Get Current Channel updates later during gradual release|Devices will be offered updates later during the gradual release cycle. Suggested to apply to a small, representative part of your device population (~10%).|
+|Current Channel (Broad)|Get updates at the end of gradual release|Devices will be offered updates after the gradual release cycle. Best for datacenter machines that only receive limited updates. Note: this setting applies to all Defender updates.|
+|(default)||If you disable or do not configure this policy, the device will remain in Current Channel (Default): Stay up to date automatically during the gradual release cycle. Suitable for most devices|
+|
> [!NOTE] > In case you wish to force an update to the newest signature instead of leveraging the time delay, you will need to remove this policy first.
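Review bot: The last row of the monthly-channel table names the channel "(default)" with an empty Description cell, while its own Application text calls it "Current Channel (Default)"; put "Current Channel (Default)" in the first column and give it a description ("Stay up to date automatically during the gradual release cycle") like the other rows, and do the same for the matching row of the daily table. The Broad row's "~10-100%" of the production population is not useful guidance next to Staged's "~10%"; say "the remaining production devices" or give one range. In the daily table, the Broad row's "Note: this setting applies to all Defender updates." is ambiguous in a table that is specifically about daily updates; clarify whether choosing Broad for daily updates also moves the device's monthly updates.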
For environments where there is a need for a more controlled gradual rollout of
3. Designate a group of machines that receive updates later during the gradual rollout from Staged channel. Typically, this would be a representative ~10% of the population. 4. Designate a group of machines that receive updates after the gradual release cycle completes. These are typically important production systems.
-For the remainder of devices, the default setting is to receive new updates as they arrive during the Microsoft gradual rollout process and no further configuration is required.
+For the remainder of devices, the default setting is to receive new updates as they arrive during the Microsoft gradual rollout process and no further configuration is required.
Adopting this model:-- Allows you to test early releases before they reach a production environment +
+- Allows you to test early releases before they reach a production environment
- Ensure the production environment still receives regular updates and ensure protection against critical threats. ## Management tools+ To create your own custom gradual rollout process for monthly updates, you can use the following tools: - Group policy
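Review bot: The two bullets under "Adopting this model:" are not parallel: "- Allows you to test early releases before they reach a production environment" is followed by "- Ensure the production environment still receives regular updates and ensure protection against critical threats." Use the third person and a single "ensure", for example "- Ensures the production environment still receives regular updates and stays protected against critical threats."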
security Manage Outdated Endpoints Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-outdated-endpoints-microsoft-defender-antivirus.md
If Microsoft Defender Antivirus did not download protection updates for a specif
### Use Configuration Manager to configure catch-up protection updates
-1. On your Microsoft Endpoint Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**)
+1. On your Microsoft Endpoint Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** \> **Endpoint Protection** \> **Antimalware Policies**)
2. Go to the **Security intelligence updates** section and configure the following settings:
See the following for more information and allowed parameters:
### Use Configuration Manager to configure catch-up scans
-1. On your Microsoft Endpoint Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**)
+1. On your Microsoft Endpoint Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** \> **Endpoint Protection** \> **Antimalware Policies**)
2. Go to the **Scheduled scans** section and **Force a scan of the selected scan type if client computer is offline...** to **Yes**.
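Review bot: Step 2 is missing the verb that the other Configuration Manager steps use: "2. Go to the **Scheduled scans** section and **Force a scan of the selected scan type if client computer is offline...** to **Yes**." should read "and set **Force a scan of the selected scan type if client computer is offline...** to **Yes**", matching "set **Check for the latest security intelligence updates before running a scan** to **Yes**" in the event-based-updates article edited in this same change set.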
security Manage Protection Update Schedule Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-protection-update-schedule-microsoft-defender-antivirus.md
You can also randomize the times when each endpoint checks and downloads protect
## Use Configuration Manager to schedule protection updates
-1. On your Microsoft Endpoint Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**)
+1. On your Microsoft Endpoint Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** \> **Endpoint Protection** \> **Antimalware Policies**)
2. Go to the **Security intelligence updates** section.
You can also randomize the times when each endpoint checks and downloads protect
3. Click **Policies** then **Administrative templates**.
-4. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Signature Intelligence Updates** and configure the following settings:
+4. Expand the tree to **Windows components** \> **Microsoft Defender Antivirus** \> **Signature Intelligence Updates** and configure the following settings:
1. Double-click the **Specify the day of the week to check for security intelligence updates** setting and set the option to **Enabled**. Enter the day of the week to check for updates. Click **OK**. 2. Double-click the **Specify the interval to check for security intelligence updates** setting and set the option to **Enabled**. Enter the number of hours between updates. Click **OK**.
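Review bot: The Group Policy path in step 4, "**Windows components** \> **Microsoft Defender Antivirus** \> **Signature Intelligence Updates**", names a node that the event-based-updates article in this same change set calls **Security Intelligence Updates** three times, and the sub-steps directly below it refer to "security intelligence updates"; the hunk only escaped the `>` characters, so fix the node name while the line is being touched.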
security Manage Protection Updates Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-protection-updates-microsoft-defender-antivirus.md
To ensure the best level of protection, Microsoft Update allows for rapid releas
Each source has typical scenarios that depend on how your network is configured, in addition to how often they publish updates, as described in the following table:
+<br>
+
+****
+ |Location|Sample scenario| ||| |Windows Server Update Service|You are using Windows Server Update Service to manage updates for your network.|
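Review bot: the added `****` line renders as a thematic break (a horizontal rule) and `<br>` is raw HTML; if the intent is only to separate the sentence ending in "as described in the following table:" from the table, a single blank line before `|Location|Sample scenario|` does that without putting an `<hr>` into the rendered page.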
Each source has typical scenarios that depend on how your network is configured,
|File share|You have non-Internet-connected devices (such as VMs). You can use your Internet-connected VM host to download the updates to a network share, from which the VMs can obtain the updates. See the [VDI deployment guide](deployment-vdi-microsoft-defender-antivirus.md) for how file shares can be used in virtual desktop infrastructure (VDI) environments.| |Microsoft Endpoint Manager|You are using Microsoft Endpoint Manager to update your endpoints.| |Security intelligence updates for Microsoft Defender Antivirus and other Microsoft antimalware (formerly referred to as MMPC)|[Make sure your devices are updated to support SHA-2](https://support.microsoft.com/help/4472027/2019-sha-2-code-signing-support-requirement-for-windows-and-wsus). Microsoft Defender Antivirus Security intelligence updates are delivered through Windows Update, and starting Monday October 21, 2019 security intelligence updates will be SHA-2 signed exclusively. <br/>Download the latest protection updates because of a recent infection or to help provision a strong, base image for [VDI deployment](deployment-vdi-microsoft-defender-antivirus.md). This option should generally be used only as a final fallback source, and not the primary source. It will only be used if updates cannot be downloaded from Windows Server Update Service or Microsoft Update for [a specified number of days](/windows/threat-protection/microsoft-defender-antivirus/manage-outdated-endpoints-microsoft-defender-antivirus#set-the-number-of-days-before-protection-is-reported-as-out-of-date).|
+|
You can manage the order in which update sources are used with Group Policy, Microsoft Endpoint Configuration Manager, PowerShell cmdlets, and WMI.
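Review bot: the added line consisting only of `|` directly after the "Security intelligence updates for Microsoft Defender Antivirus and other Microsoft antimalware (formerly referred to as MMPC)" row is not a table row; a Markdown table parser will either treat it as an extra empty row or leave a stray pipe character under the table. Remove the line; the table already ends at the closing `|` of that row.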
The procedures in this article first describe how to set the order, and then how
3. Click **Policies** then **Administrative templates**.
-4. Expand the tree to **Windows components** > **Windows Defender** > **Signature updates** and configure the following settings:
+4. Expand the tree to **Windows components** \> **Windows Defender** \> **Signature updates** and configure the following settings:
1. Double-click the **Define the order of sources for downloading security intelligence updates** setting and set the option to **Enabled**.
The procedures in this article first describe how to set the order, and then how
4. Double-click the **Define file shares for downloading security intelligence updates** setting and set the option to **Enabled**.
- 5. Specify the file share source. If you have multiple sources, enter each source in the order they should be used, separated by a single pipe. Use [standard UNC notation](/openspecs/windows_protocols/ms-dtyp/62e862f4-2a51-452e-8eeb-dc4ff5ee33cc) for denoting the path, for example: `\\host-name1\share-name\object-name|\\host-name2\share-name\object-name`. If you do not enter any paths, then this source will be skipped when the VM downloads updates.
+ 5. Specify the file share source. If you have multiple sources, enter each source in the order they should be used, separated by a single pipe. Use [standard UNC notation](/openspecs/windows_protocols/ms-dtyp/62e862f4-2a51-452e-8eeb-dc4ff5ee33cc) for denoting the path, for example: `\\host-name1\share-name\object-name|\\host-name2\share-name\object-name`. If you do not enter any paths, then this source will be skipped when the VM downloads updates.
6. Click **OK**. This will set the order of file shares when that source is referenced in the **Define the order of sources...** group policy setting.
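Review bot: step 5 ends with "If you do not enter any paths, then this source will be skipped when the VM downloads updates", but this Group Policy setting applies to every endpoint it is scoped to, not only virtual machines; "the VM" reads as carried over from the VDI guide linked earlier in the article. Suggest "when the endpoint downloads updates".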
security Manage Suppression Rules https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-suppression-rules.md
There might be scenarios where you need to suppress alerts from appearing in the
You can view a list of all the suppression rules and manage them in one place. You can also turn an alert suppression rule on or off.
-1. In the navigation pane, select **Settings** > **Endpoints** > **Rules** > **Alert suppression**. The list of suppression rules that users in your organization have created is displayed.
+1. In the navigation pane, select **Settings** \> **Endpoints** \> **Rules** \> **Alert suppression**. The list of suppression rules that users in your organization have created is displayed.
2. Select a rule by clicking on the check-box beside the rule name.
You can view a list of all the suppression rules and manage them in one place. Y
## View details of a suppression rule
-1. In the navigation pane, select **Settings** > **Endpoints** > **Rules** > **Alert suppression**. The list of suppression rules that users in your organization have created is displayed.
+1. In the navigation pane, select **Settings** \> **Endpoints** \> **Rules** \> **Alert suppression**. The list of suppression rules that users in your organization have created is displayed.
2. Click on a rule name. Details of the rule is displayed. You'll see the rule details such as status, scope, action, number of matching alerts, created by, and date when the rule was created. You can also view associated alerts and the rule conditions.
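Review bot: "Details of the rule is displayed" in step 2 should be "Details of the rule are displayed"; since the next sentence lists those details, the two could be merged into "The rule details are displayed: status, scope, action, number of matching alerts, created by, and creation date."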
security Manage Updates Baselines Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-updates-baselines-microsoft-defender-antivirus.md
Keeping Microsoft Defender Antivirus up to date is critical to assure your devic
Microsoft Defender Antivirus uses [cloud-delivered protection](cloud-protection-microsoft-defender-antivirus.md) (also called the Microsoft Advanced Protection Service or MAPS) and periodically downloads security intelligence updates to provide protection. > [!NOTE]
-> Updates are released under the below KB numbers:
-> - Microsoft Defender Antivirus: KB2267602
+> Updates are released under the below KB numbers:
+>
+> - Microsoft Defender Antivirus: KB2267602
> - System Center Endpoint Protection: KB2461484
-Cloud-delivered protection is always on and requires an active connection to the Internet to function. Security intelligence updates occur on a scheduled cadence (configurable via policy). For more information, see [Use Microsoft cloud-provided protection in Microsoft Defender Antivirus](cloud-protection-microsoft-defender-antivirus.md).
+Cloud-delivered protection is always on and requires an active connection to the Internet to function. Security intelligence updates occur on a scheduled cadence (configurable via policy). For more information, see [Use Microsoft cloud-provided protection in Microsoft Defender Antivirus](cloud-protection-microsoft-defender-antivirus.md).
For a list of recent security intelligence updates, see [Security intelligence updates for Microsoft Defender Antivirus and other Microsoft antimalware](https://www.microsoft.com/en-us/wdsi/defenderupdates).
Engine updates are included with security intelligence updates and are released
Microsoft Defender Antivirus requires [monthly updates (KB4052623)](https://support.microsoft.com/help/4052623/update-for-windows-defender-antimalware-platform) known as *platform updates*.
-You can manage the distribution of updates through one of the following methods:
+You can manage the distribution of updates through one of the following methods:
- [Windows Server Update Service (WSUS)](/mem/configmgr/protect/deploy-use/endpoint-definitions-wsus#to-synchronize-endpoint-protection-definition-updates-in-standalone-wsus) - [Microsoft Endpoint Configuration Manager](/configmgr/sum/understand/software-updates-introduction)
You can manage the distribution of updates through one of the following methods:
For more information, see [Manage the sources for Microsoft Defender Antivirus protection updates](/mem/configmgr/protect/deploy-use/endpoint-definitions-wsus#to-synchronize-endpoint-protection-definition-updates-in-standalone-wsus). > [!NOTE]
+>
> - Monthly updates are released in phases, resulting in multiple packages visible in your [Window Server Update Services](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus).
-> - This article lists changes that are included in the broad release channel. [See the latest broad channel release here](https://www.microsoft.com/security/encyclopedia/adlpackages.aspx?action=info).
+> - This article lists changes that are included in the broad release channel. [See the latest broad channel release here](https://www.microsoft.com/security/encyclopedia/adlpackages.aspx?action=info).
> - To learn more about the gradual rollout process, and to see more information about the next release, see [Manage the gradual rollout process for Microsoft Defender updates](manage-gradual-rollout.md).
-> - To learn more about security intelligence updates, see [Security intelligence updates for Microsoft Defender Antivirus and other Microsoft antimalware](https://www.microsoft.com/wdsi/defenderupdates).
+> - To learn more about security intelligence updates, see [Security intelligence updates for Microsoft Defender Antivirus and other Microsoft antimalware](https://www.microsoft.com/wdsi/defenderupdates).
## Monthly platform and engine versions For information how to update or install the platform update, see [Update for Windows Defender antimalware platform](https://support.microsoft.com/help/4052623/update-for-windows-defender-antimalware-platform).
-All our updates contain
+All our updates contain
+ - performance improvements;-- serviceability improvements; and
+- serviceability improvements; and
- integration improvements (Cloud, [Microsoft 365 Defender](/microsoft-365/security/defender/microsoft-365-defender)). <br/> <details> <summary> July-2021 (Platform: 4.18.2107.4 | Engine: 1.1.18400.4)</summary>
-&ensp;Security intelligence update version: **1.345.13.0**
-&ensp;Released: **August 5, 2021**
-&ensp;Platform: **4.18.2107.4**
-&ensp;Engine: **1.1.18400.4**
+&ensp;Security intelligence update version: **1.345.13.0**
+&ensp;Released: **August 5, 2021**
+&ensp;Platform: **4.18.2107.4**
+&ensp;Engine: **1.1.18400.4**
&ensp;Support phase: **Security and Critical Updates**
-
+ ### What's new - Device control support added for Windows Portable Devices - Potentially unwanted applications (PUA) protection is turned on by default for consumers (See [Potentially unwanted apps will be blocked by default](https://support.microsoft.com/windows/potentially-unwanted-apps-will-be-blocked-by-default-b9f53cb9-7f1e-40bb-8c6b-a17e0ab6289e))-- Scheduled scans for Group Policy Object managed systems will adhere to user configured scan time
+- Scheduled scans for Group Policy Object managed systems will adhere to user configured scan time
- Improvements to the behavior monitoring engine ### Known Issues
-No known issues
+No known issues
<br/> </details><details> <summary> June-2021 (Platform: 4.18.2106.5 | Engine: 1.1.18300.4)</summary>
-&ensp;Security intelligence update version: **1.343.17.0**
-&ensp;Released: **June 28, 2021**
-&ensp;Platform: **4.18.2106.5**
-&ensp;Engine: **1.1.18300.4**
+&ensp;Security intelligence update version: **1.343.17.0**
+&ensp;Released: **June 28, 2021**
+&ensp;Platform: **4.18.2106.5**
+&ensp;Engine: **1.1.18300.4**
&ensp;Support phase: **Security and Critical Updates**
-
+ ### What's new - New controls for managing the gradual rollout process of Microsoft Defender updates. See [Manage the gradual rollout process for Microsoft Defender updates](manage-gradual-rollout.md). - Improvement to the behavior monitoring engine
No known issues
- Extended Edge network event inspections ### Known Issues
-No known issues
+No known issues
<br/> </details><details> <summary> May-2021 (Platform: 4.18.2105.4 | Engine: 1.1.18200.4)</summary>
-&ensp;Security intelligence update version: **1.341.8.0**
-&ensp;Released: **June 3, 2021**
-&ensp;Platform: **4.18.2105.4**
-&ensp;Engine: **1.1.18200.4**
+&ensp;Security intelligence update version: **1.341.8.0**
+&ensp;Released: **June 3, 2021**
+&ensp;Platform: **4.18.2105.4**
+&ensp;Engine: **1.1.18200.4**
&ensp;Support phase: **Security and Critical Updates**
-
+ ### What's new-- Improvements to [behavior monitoring](client-behavioral-blocking.md)
+- Improvements to [behavior monitoring](client-behavioral-blocking.md)
- Fixed [network protection](network-protection.md) notification filtering feature ### Known Issues
-No known issues
+No known issues
<br/> </details> ### Previous version updates: Technical upgrade support only
-After a new package version is released, support for the previous two versions is reduced to technical support only. Versions older than that are listed in this section, and are provided for technical upgrade support only.
+After a new package version is released, support for the previous two versions is reduced to technical support only. Versions older than that are listed in this section, and are provided for technical upgrade support only.
<details> <summary> April-2021 (Platform: 4.18.2104.14 | Engine: 1.1.18100.5)</summary>
-&ensp;Security intelligence update version: **1.337.2.0**
+&ensp;Security intelligence update version: **1.337.2.0**
&ensp;Released: **April 26, 2021** (Engine: 1.1.18100.6 released May 5, 2021)
-&ensp;Platform: **4.18.2104.14**
-&ensp;Engine: **1.1.18100.5**
+&ensp;Platform: **4.18.2104.14**
+&ensp;Engine: **1.1.18100.5**
&ensp;Support phase: **Technical upgrade support (only)**
-
+ ### What's new - Additional behavior monitoring logic - Improved kernel mode key logger detection
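Review bot: the note item "Monthly updates are released in phases, resulting in multiple packages visible in your Window Server Update Services" has "Window" for "Windows"; the link text should read "Windows Server Update Services" to match the product name (WSUS) used elsewhere on the page.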
After a new package version is released, support for the previous two versions i
### Known Issues
-No known issues
+No known issues
<br/> </details><details> <summary> March-2021 (Platform: 4.18.2103.7 | Engine: 1.1.18000.5)</summary>
-&ensp;Security intelligence update version: **1.335.36.0**
-&ensp;Released: **April 2, 2021**
-&ensp;Platform: **4.18.2103.7**
-&ensp;Engine: **1.1.18000.5**
+&ensp;Security intelligence update version: **1.335.36.0**
+&ensp;Released: **April 2, 2021**
+&ensp;Platform: **4.18.2103.7**
+&ensp;Engine: **1.1.18000.5**
&ensp;Support phase: **Technical upgrade support (only)**
-
+ ### What's new -- Improvement to the Behavior Monitoring engine -- Expanded network brute-force-attack mitigations
+- Improvement to the Behavior Monitoring engine
+- Expanded network brute-force-attack mitigations
- Additional failed tampering attempt event generation when [Tamper Protection](prevent-changes-to-security-settings-with-tamper-protection.md) is enabled ### Known Issues
-No known issues
+No known issues
<br/> </details><details> <summary> February-2021 (Platform: 4.18.2102.3 | Engine: 1.1.17900.7)</summary>
-&ensp;Security intelligence update version: **1.333.7.0**
-&ensp;Released: **March 9, 2021**
-&ensp;Platform: **4.18.2102.3**
-&ensp;Engine: **1.1.17900.7**
+&ensp;Security intelligence update version: **1.333.7.0**
+&ensp;Released: **March 9, 2021**
+&ensp;Platform: **4.18.2102.3**
+&ensp;Engine: **1.1.17900.7**
&ensp;Support phase: **Technical upgrade support (only)**
-
+ ### What's new - Improved service recovery through [tamper protection](prevent-changes-to-security-settings-with-tamper-protection.md) - Extend tamper protection scope ### Known Issues
-No known issues
+No known issues
<br/> </details><details> <summary> January-2021 (Platform: 4.18.2101.9 | Engine: 1.1.17800.5)</summary>
-&ensp;Security intelligence update version: **1.327.1854.0**
-&ensp;Released: **February 2, 2021**
-&ensp;Platform: **4.18.2101.9**
-&ensp;Engine: **1.1.17800.5**
+&ensp;Security intelligence update version: **1.327.1854.0**
+&ensp;Released: **February 2, 2021**
+&ensp;Platform: **4.18.2101.9**
+&ensp;Engine: **1.1.17800.5**
&ensp;Support phase: **Technical upgrade support (only)**
-
+ ### What's new - Shellcode exploit detection improvements
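Review bot: the January-2021 entry gives security intelligence update version **1.327.1854.0**, which is exactly the value the November-2020 entry (released December 03, 2020) carries; the February-2021 entry has already moved to 1.333.7.0, so a release dated February 2, 2021 is unlikely to still be on 1.327.x. One of the two entries was probably copied from the other; check the January value against the WDSI release list linked from this page and correct it.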
No known issues
- Fix: EDR Block notification remains in threat history after real-time protection performed initial detection ### Known Issues
-No known issues
+No known issues
<br/> </details><details> <summary> November-2020 (Platform: 4.18.2011.6 | Engine: 1.1.17700.4)</summary>
-&ensp;Security intelligence update version: **1.327.1854.0**
-&ensp;Released: **December 03, 2020**
-&ensp;Platform: **4.18.2011.6**
-&ensp;Engine: **1.1.17700.4**
+&ensp;Security intelligence update version: **1.327.1854.0**
+&ensp;Released: **December 03, 2020**
+&ensp;Platform: **4.18.2011.6**
+&ensp;Engine: **1.1.17700.4**
&ensp;Support phase: **Technical upgrade support (only)**
-
+ ### What's new - Improved [SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview) status support logging ### Known Issues
-No known issues
+No known issues
<br/> </details><details> <summary> October-2020 (Platform: 4.18.2010.7 | Engine: 1.1.17600.5)</summary>
-&ensp;Security intelligence update version: **1.327.7.0**
-&ensp;Released: **October 29, 2020**
-&ensp;Platform: **4.18.2010.7**
-&ensp;Engine: **1.1.17600.5**
+&ensp;Security intelligence update version: **1.327.7.0**
+&ensp;Released: **October 29, 2020**
+&ensp;Platform: **4.18.2010.7**
+&ensp;Engine: **1.1.17600.5**
&ensp;Support phase: **Technical upgrade support (only)**
-
+ ### What's new - New descriptions for special threat categories
No known issues
### Known Issues
-No known issues
+No known issues
<br/> </details><details> <summary> September-2020 (Platform: 4.18.2009.7 | Engine: 1.1.17500.4)</summary>
-&ensp;Security intelligence update version: **1.325.10.0**
-&ensp;Released: **October 01, 2020**
-&ensp;Platform: **4.18.2009.7**
-&ensp;Engine: **1.1.17500.4**
+&ensp;Security intelligence update version: **1.325.10.0**
+&ensp;Released: **October 01, 2020**
+&ensp;Platform: **4.18.2009.7**
+&ensp;Engine: **1.1.17500.4**
&ensp;Support phase: **Technical upgrade support (only)**
-
+ ### What's new - Admin permissions are required to restore files in quarantine
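Review bot: "Admin permissions are required to restore files in quarantine" is a behaviour change rather than an improvement, and it is the one item here that changes what a standard user can do; add a sentence on what a non-admin sees when attempting a restore on this platform version, or a link to the quarantine documentation, so readers who rely on user-initiated restores can plan for it.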
No known issues
### Known Issues
-No known issues
+No known issues
<br/> </details> <details> <summary> August-2020 (Platform: 4.18.2008.9 | Engine: 1.1.17400.5)</summary>
-&ensp;Security intelligence update version: **1.323.9.0**
-&ensp;Released: **August 27, 2020**
-&ensp;Platform: **4.18.2008.9**
-&ensp;Engine: **1.1.17400.5**
+&ensp;Security intelligence update version: **1.323.9.0**
+&ensp;Released: **August 27, 2020**
+&ensp;Platform: **4.18.2008.9**
+&ensp;Engine: **1.1.17400.5**
&ensp;Support phase: **Technical upgrade support (only)** ### What's new
No known issues
### Known Issues
-No known issues
+No known issues
<br/> </details> <details> <summary> July-2020 (Platform: 4.18.2007.8 | Engine: 1.1.17300.4)</summary>
-&ensp;Security intelligence update version: **1.321.30.0**
-&ensp;Released: **July 28, 2020**
-&ensp;Platform: **4.18.2007.8**
-&ensp;Engine: **1.1.17300.4**
+&ensp;Security intelligence update version: **1.321.30.0**
+&ensp;Released: **July 28, 2020**
+&ensp;Platform: **4.18.2007.8**
+&ensp;Engine: **1.1.17300.4**
&ensp;Support phase: **Technical upgrade support (only)**
-
+ ### What's new - Improved telemetry for BITS - Improved Authenticode code signing certificate validation ### Known Issues
-No known issues
+No known issues
<br/> </details> <details> <summary> June-2020 (Platform: 4.18.2006.10 | Engine: 1.1.17200.2)</summary>
-&ensp;Security intelligence update version: **1.319.20.0**
-&ensp;Released: **June 22, 2020**
-&ensp;Platform: **4.18.2006.10**
-&ensp;Engine: **1.1.17200.2**
+&ensp;Security intelligence update version: **1.319.20.0**
+&ensp;Released: **June 22, 2020**
+&ensp;Platform: **4.18.2006.10**
+&ensp;Engine: **1.1.17200.2**
&ensp;Support phase: **Technical upgrade support (only)**
-
+ ### What's new - Possibility to specify the [location of the support logs](./collect-diagnostic-data.md) - Skipping aggressive catchup scan in Passive mode. - Allow Defender to update on metered connections-- Fixed performance tuning when caching is disabled -- Fixed registry query
+- Fixed performance tuning when caching is disabled
+- Fixed registry query
- Fixed scantime randomization in ADMX ### Known Issues
-No known issues
+No known issues
<br/> </details> <details> <summary> May-2020 (Platform: 4.18.2005.4 | Engine: 1.1.17100.2)</summary>
-&ensp;Security intelligence update version: **1.317.20.0**
-&ensp;Released: **May 26, 2020**
-&ensp;Platform: **4.18.2005.4**
-&ensp;Engine: **1.1.17100.2**
+&ensp;Security intelligence update version: **1.317.20.0**
+&ensp;Released: **May 26, 2020**
+&ensp;Platform: **4.18.2005.4**
+&ensp;Engine: **1.1.17100.2**
&ensp;Support phase: **Technical upgrade support (only)**
-
+ ### What's new - Improved logging for scan events
No known issues
- Fixed Security update install log ### Known Issues
-No known issues
+No known issues
<br/> </details> <details> <summary> April-2020 (Platform: 4.18.2004.6 | Engine: 1.1.17000.2)</summary>
-&ensp;Security intelligence update version: **1.315.12.0**
-&ensp;Released: **April 30, 2020**
-&ensp;Platform: **4.18.2004.6**
-&ensp;Engine: **1.1.17000.2**
+&ensp;Security intelligence update version: **1.315.12.0**
+&ensp;Released: **April 30, 2020**
+&ensp;Platform: **4.18.2004.6**
+&ensp;Engine: **1.1.17000.2**
&ensp;Support phase: **Technical upgrade support (only)**
-
+ ### What's new - WDfilter improvements - Add more actionable event data to attack surface reduction detection events
No known issues
- Extend logging for updates ### Known Issues
-No known issues
+No known issues
<br/> </details> <details> <summary> March-2020 (Platform: 4.18.2003.8 | Engine: 1.1.16900.2)</summary>
-&ensp;Security intelligence update version: **1.313.8.0**
-&ensp;Released: **March 24, 2020**
-&ensp;Platform: **4.18.2003.8**
-&ensp;Engine: **1.1.16900.4**
+&ensp;Security intelligence update version: **1.313.8.0**
+&ensp;Released: **March 24, 2020**
+&ensp;Platform: **4.18.2003.8**
+&ensp;Engine: **1.1.16900.4**
&ensp;Support phase: **Technical upgrade support (only)**
-
+ ### What's new - CPU Throttling option added to [MpCmdRun](./command-line-arguments-microsoft-defender-antivirus.md)
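Review bot: the March-2020 summary line reads "Engine: 1.1.16900.2" but the detail line below it is "Engine: **1.1.16900.4**"; the two should agree, as they do for every other month in this list. Decide which engine build shipped with platform 4.18.2003.8 and use it in both places.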
No known issues
- reduce Security intelligence timeout (5 min) - Extend AMSI engine internal log capability - Improve notification for process blocking
-
+ ### Known Issues [**Fixed**] Microsoft Defender Antivirus is skipping files when running a scan.
No known issues
<details> <summary> February-2020 (Platform: - | Engine: 1.1.16800.2)</summary>
-
-&ensp;Security intelligence update version: **1.311.4.0**
-&ensp;Released: **February 25, 2020**
-&ensp;Platform/Client: **-**
-&ensp;Engine: **1.1.16800.2**
+
+&ensp;Security intelligence update version: **1.311.4.0**
+&ensp;Released: **February 25, 2020**
+&ensp;Platform/Client: **-**
+&ensp;Engine: **1.1.16800.2**
&ensp;Support phase: **Technical upgrade support (only)**
-
+ ### What's new
-
+ ### Known Issues No known issues <br/>
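Review bot: the February-2020 entry has an empty "### What's new" heading between the version lines and "### Known Issues"; either list what changed in engine 1.1.16800.2 or replace the empty section with a line such as "Engine update only; no platform changes", which is consistent with the summary showing "Platform: -".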
No known issues
<details> <summary> January-2020 (Platform: 4.18.2001.10 | Engine: 1.1.16700.2)</summary>
-
-Security intelligence update version: **1.309.32.0**
-Released: **January 30, 2020**
-Platform/Client: **4.18.2001.10**
-Engine: **1.1.16700.2**
+
+Security intelligence update version: **1.309.32.0**
+Released: **January 30, 2020**
+Platform/Client: **4.18.2001.10**
+Engine: **1.1.16700.2**
&ensp;Support phase: **Technical upgrade support (only)**
-
+ ### What's new - Fixed BSOD on WS2016 with Exchange
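Review bot: the four version lines of the January-2020 entry (from "Security intelligence update version: **1.309.32.0**" to "Engine: **1.1.16700.2**") lack the leading `&ensp;` that every other entry and this entry's own "Support phase" line use, so the block renders with uneven indentation. Add the `&ensp;` prefix to those four lines; the November-2019 entry below has the same gap.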
Engine: **1.1.16700.2**
- Platform and engine versions are added to [WDSI](https://www.microsoft.com/en-us/wdsi/defenderupdates) <!-- The preceding URL must include "/en-us" --> - extend Emergency signature update to [passive mode](./microsoft-defender-antivirus-compatibility.md) - Fix 4.18.1911.3 hang
-
+ ### Known Issues
-[**Fixed**] devices utilizing [modern standby mode](/windows-hardware/design/device-experiences/modern-standby) may experience a hang with the Windows Defender filter driver that results in a gap of protection. Affected machines appear to the customer as having not updated to the latest antimalware platform.
+[**Fixed**] devices utilizing [modern standby mode](/windows-hardware/design/device-experiences/modern-standby) may experience a hang with the Windows Defender filter driver that results in a gap of protection. Affected machines appear to the customer as having not updated to the latest antimalware platform.
<br/> > [!IMPORTANT] > This update is: > - needed by RS1 devices running lower version of the platform to support SHA2; > - has a reboot flag for systems that have hanging issues;
-> - is re-released in April 2020 and will not be superseded by newer updates to keep future availability;
+> - is re-released in April 2020 and will not be superseded by newer updates to keep future availability;
> - is categorized as an update due to the reboot requirement; and > - is only be offered with [Windows Update](https://support.microsoft.com/help/4027667/windows-10-update). <br/>
Engine: **1.1.16700.2**
<details> <summary> November-2019 (Platform: 4.18.1911.3 | Engine: 1.1.16600.7)</summary>
-Security intelligence update version: **1.307.13.0**
-Released: **December 7, 2019**
-Platform: **4.18.1911.3**
-Engine: **1.1.17000.7**
-Support phase: **No support**
-
+Security intelligence update version: **1.307.13.0**
+Released: **December 7, 2019**
+Platform: **4.18.1911.3**
+Engine: **1.1.17000.7**
+Support phase: **No support**
+ ### What's new - Fixed MpCmdRun tracing level - Fixed WDFilter version info - Improve notifications (PUA) - add MRT logs to support files
-
+ ### Known Issues When this update is installed, the device needs the jump package 4.18.2001.10 to be able to update to the latest platform version. <br/>
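Review bot: the November-2019 summary says "Engine: 1.1.16600.7" while the detail line says "Engine: **1.1.17000.7**"; 1.1.17000.x is the engine family the April-2020 entry ships (1.1.17000.2), so the detail line looks like a typo for 1.1.16600.7. Correct it so summary and detail match, and add the `&ensp;` prefix to the version lines as the other entries have.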
When this update is installed, the device needs the jump package 4.18.2001.10 to
Platform and engine updates are provided on a monthly cadence. To be fully supported, keep current with the latest platform updates. Our support structure is dynamic, evolving into two phases depending on the availability of the latest platform version: - **Security and Critical Updates servicing phase** - When running the latest platform version, you will be eligible to receive both Security and Critical updates to the anti-malware platform.
-
+ - **Technical Support (Only) phase** - After a new platform version is released, support for older versions (N-2) will reduce to technical support only. Platform versions older than N-2 will no longer be supported.* \* Technical support will continue to be provided for upgrades from the Windows 10 release version (see [Platform version included with Windows 10 releases](#platform-version-included-with-windows-10-releases)) to the latest platform version.
Platform and engine updates are provided on a monthly cadence. To be fully suppo
During the technical support (only) phase, commercially reasonable support incidents will be provided through Microsoft Customer Service & Support and Microsoft's managed support offerings (such as Premier Support). If a support incident requires escalation to development for further guidance, requires a non-security update, or requires a security update, customers will be asked to upgrade to the latest platform version or an intermediate update (*). ### Platform version included with Windows 10 releases
-The below table provides the Microsoft Defender Antivirus platform and engine versions that are shipped with the latest Windows 10 releases:
+The below table provides the Microsoft Defender Antivirus platform and engine versions that are shipped with the latest Windows 10 releases:
|Windows 10 release |Platform version |Engine version |Support phase | |:|:|:|:|
The below table provides the Microsoft Defender Antivirus platform and engine ve
|1803 (RS4) |4.13.17134.1 |1.1.14600.4 | Technical upgrade support (only) | |1709 (RS3) |4.12.16299.15 |1.1.14104.0 | Technical upgrade support (only) | |1703 (RS2) |4.11.15603.2 |1.1.13504.0 | Technical upgrade support (only) |
-|1607 (RS1) |4.10.14393.3683 |1.1.12805.0 | Technical upgrade support (only) |
+|1607 (RS1) |4.10.14393.3683 |1.1.12805.0 | Technical upgrade support (only) |
For Windows 10 release information, see the [Windows lifecycle fact sheet](https://support.microsoft.com/help/13853/windows-lifecycle-fact-sheet). ## Updates for Deployment Image Servicing and Management (DISM)
-We recommend updating your Windows 10 (Enterprise, Pro, and Home editions), Windows Server 2019, and Windows Server 2016 OS installation images with the latest antivirus and antimalware updates. Keeping your OS installation images up to date helps avoid a gap in protection.
+We recommend updating your Windows 10 (Enterprise, Pro, and Home editions), Windows Server 2019, and Windows Server 2016 OS installation images with the latest antivirus and antimalware updates. Keeping your OS installation images up to date helps avoid a gap in protection.
For more information, see [Microsoft Defender update for Windows operating system installation images](https://support.microsoft.com/help/4568292/defender-update-for-windows-operating-system-installation-images). <details> <summary>1.1.2108.01</summary>
-&ensp;Package version: **1.1.2108.01**
-&ensp;Platform version: **4.18.2107.4**
-&ensp;Engine version: **1.1.18300.4**
-&ensp;Signature version: **1.343.2244.0**
-
+&ensp;Package version: **1.1.2108.01**
+&ensp;Platform version: **4.18.2107.4**
+&ensp;Engine version: **1.1.18300.4**
+&ensp;Signature version: **1.343.2244.0**
+ ### Fixes - None ### Additional information-- None
+- None
<br/> </details><details> <summary>1.1.2107.02</summary>
-&ensp;Package version: **1.1.2107.02**
-&ensp;Platform version: **4.18.2105.5**
-&ensp;Engine version: **1.1.18300.4**
-&ensp;Signature version: **1.343.658.0**
-
+&ensp;Package version: **1.1.2107.02**
+&ensp;Platform version: **4.18.2105.5**
+&ensp;Engine version: **1.1.18300.4**
+&ensp;Signature version: **1.343.658.0**
+ ### Fixes - None ### Additional information-- None
+- None
<br/> </details><details> <summary>1.1.2106.01</summary>
-&ensp;Package version: **1.1.2106.01**
-&ensp;Platform version: **4.18.2104.14**
-&ensp;Engine version: **1.1.18100.6**
-&ensp;Signature version: **1.339.1923.0**
-
+&ensp;Package version: **1.1.2106.01**
+&ensp;Platform version: **4.18.2104.14**
+&ensp;Engine version: **1.1.18100.6**
+&ensp;Signature version: **1.339.1923.0**
+ ### Fixes - None ### Additional information-- None
+- None
<br/> </details><details> <summary>1.1.2105.01</summary>
-&ensp;Package version: **1.1.2105.01**
-&ensp;Platform version: **4.18.2103.7**
-&ensp;Engine version: **1.1.18100.6**
-&ensp;Signature version: **1.339.42.0**
-
+&ensp;Package version: **1.1.2105.01**
+&ensp;Platform version: **4.18.2103.7**
+&ensp;Engine version: **1.1.18100.6**
+&ensp;Signature version: **1.339.42.0**
+ ### Fixes - None ### Additional information-- None
+- None
<br/> </details><details> <summary>1.1.2104.01</summary>
-&ensp;Package version: **1.1.2104.01**
-&ensp;Platform version: **4.18.2102.4**
-&ensp;Engine version: **1.1.18000.5**
-&ensp;Signature version: **1.335.232.0**
-
+&ensp;Package version: **1.1.2104.01**
+&ensp;Platform version: **4.18.2102.4**
+&ensp;Engine version: **1.1.18000.5**
+&ensp;Signature version: **1.335.232.0**
+ ### Fixes - None ### Additional information-- None
+- None
<br/> </details><details> <summary>1.1.2103.01</summary>
-&ensp;Package version: **1.1.2103.01**
-&ensp;Platform version: **4.18.2101.9**
-&ensp;Engine version: **1.1.17800.5**
-&ensp;Signature version: **1.331.2302.0**
-
+&ensp;Package version: **1.1.2103.01**
+&ensp;Platform version: **4.18.2101.9**
+&ensp;Engine version: **1.1.17800.5**
+&ensp;Signature version: **1.331.2302.0**
+ ### Fixes - None ### Additional information-- None
+- None
<br/> </details><details> <summary>1.1.2102.03</summary>
-&ensp;Package version: **1.1.2102.03**
-&ensp;Platform version: **4.18.2011.6**
-&ensp;Engine version: **1.1.17800.5**
-&ensp;Signature version: **1.331.174.0**
-
+&ensp;Package version: **1.1.2102.03**
+&ensp;Platform version: **4.18.2011.6**
+&ensp;Engine version: **1.1.17800.5**
+&ensp;Signature version: **1.331.174.0**
+ ### Fixes - None ### Additional information-- None
+- None
<br/> </details><details> <summary>1.1.2101.02</summary>
-&ensp;Package version: **1.1.2101.02**
-&ensp;Platform version: **4.18.2011.6**
-&ensp;Engine version: **1.1.17700.4**
-&ensp;Signature version: **1.329.1796.0**
-
+&ensp;Package version: **1.1.2101.02**
+&ensp;Platform version: **4.18.2011.6**
+&ensp;Engine version: **1.1.17700.4**
+&ensp;Signature version: **1.329.1796.0**
+ ### Fixes - None ### Additional information-- None
+- None
<br/> </details><details> <summary>1.1.2012.01</summary>
-&ensp;Package version: **1.1.2012.01**
-&ensp;Platform version: **4.18.2010.7**
-&ensp;Engine version: **1.1.17600.5**
-&ensp;Signature version: **1.327.1991.0**
-
+&ensp;Package version: **1.1.2012.01**
+&ensp;Platform version: **4.18.2010.7**
+&ensp;Engine version: **1.1.17600.5**
+&ensp;Signature version: **1.327.1991.0**
+ ### Fixes - None ### Additional information-- None
+- None
<br/> </details><details> <summary>1.1.2011.02</summary>
-&ensp;Package version: **1.1.2011.02**
-&ensp;Platform version: **4.18.2010.7**
-&ensp;Engine version: **1.1.17600.5**
-&ensp;Signature version: **1.327.658.0**
-
+&ensp;Package version: **1.1.2011.02**
+&ensp;Platform version: **4.18.2010.7**
+&ensp;Engine version: **1.1.17600.5**
+&ensp;Signature version: **1.327.658.0**
+ ### Fixes - None ### Additional information-- Refreshed Microsoft Defender Antivirus signatures
+- Refreshed Microsoft Defender Antivirus signatures
<br/> </details><details> <summary>1.1.2011.01</summary>
-&ensp;Package version: **1.1.2011.01**
-&ensp;Platform version: **4.18.2009.7**
-&ensp;Engine version: **1.1.17600.5**
-&ensp;Signature version: **1.327.344.0**
-
+&ensp;Package version: **1.1.2011.01**
+&ensp;Platform version: **4.18.2009.7**
+&ensp;Engine version: **1.1.17600.5**
+&ensp;Signature version: **1.327.344.0**
+ ### Fixes - None ### Additional information-- None
+- None
<br/> </details><details> <summary>1.1.2009.10</summary>
-&ensp;Package version: **1.1.2011.01**
-&ensp;Platform version: **4.18.2008.9**
-&ensp;Engine version: **1.1.17400.5**
-&ensp;Signature version: **1.327.2216.0**
-
+&ensp;Package version: **1.1.2011.01**
+&ensp;Platform version: **4.18.2008.9**
+&ensp;Engine version: **1.1.17400.5**
+&ensp;Signature version: **1.327.2216.0**
+ ### Fixes - None ### Additional information-- Added support for Windows 10 RS1 or later OS install images.
+- Added support for Windows 10 RS1 or later OS install images.
<br/> </details>
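Review bot: the `1.1.2009.10` entry still carries the wrong package number. L1579/L1584 read `Package version: **1.1.2011.01**` inside the `<summary>1.1.2009.10</summary>` block, and this commit reflows the line without correcting it; it should read `1.1.2009.10`. The signature version on that same entry (`1.327.2216.0`) is also later than the `1.327.344.0` and `1.327.658.0` listed for the newer 1.1.2011.01 and 1.1.2011.02 packages, while its platform (`4.18.2008.9`) and engine (`1.1.17400.5`) are the oldest in the list, so the block looks like it was copied from a later release and should be checked against the actual September 2020 package manifest. This matters because admins use this table to judge whether a stale VM image still has a supportable engine and signature baseline.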
security Manage Updates Mobile Devices Vms Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md
-+ ms.technology: mde
The following articles may also be useful in these situations:
## Opt in to Microsoft Update on mobile computers without a WSUS connection
-You can use Microsoft Update to keep Security intelligence on mobile devices running Microsoft Defender Antivirus up to date when they are not connected to the corporate network or don't otherwise have a WSUS connection.
+You can use Microsoft Update to keep Security intelligence on mobile devices running Microsoft Defender Antivirus up to date when they are not connected to the corporate network or don't otherwise have a WSUS connection.
This means that protection updates can be delivered to devices (via Microsoft Update) even if you have set WSUS to override Microsoft Update.
You can opt in to Microsoft Update on the mobile device in one of the following
3. Select **Policies** then **Administrative templates**.
-4. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Signature Updates**.
+4. Expand the tree to **Windows components** \> **Microsoft Defender Antivirus** \> **Signature Updates**.
5. Set **Allow security intelligence updates from Microsoft Update** to **Enabled**, and then select **OK**. - ### Use a VBScript to opt in to Microsoft Update 1. Use the instructions in the MSDN article [Opt-In to Microsoft Update](/windows/win32/wua_sdk/opt-in-to-microsoft-update) to create the VBScript.
You can opt in to Microsoft Update on the mobile device in one of the following
## Prevent Security intelligence updates when running on battery power
-You can configure Microsoft Defender Antivirus to only download protection updates when the PC is connected to a wired power source.
+You can configure Microsoft Defender Antivirus to only download protection updates when the PC is connected to a wired power source.
### Use Group Policy to prevent security intelligence updates on battery power
-1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), choose the Group Policy Object you want to configure, and open it for editing.
+1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), choose the Group Policy Object you want to configure, and open it for editing.
-2. In the **Group Policy Management Editor** go to **Computer configuration**.
+2. In the **Group Policy Management Editor** go to **Computer configuration**.
-3. Select **Policies** then **Administrative templates**.
+3. Select **Policies** then **Administrative templates**.
-4. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Signature Updates**, and then set **Allow security intelligence updates when running on battery power** to **Disabled**. Then select **OK**.
+4. Expand the tree to **Windows components** \> **Microsoft Defender Antivirus** \> **Signature Updates**, and then set **Allow security intelligence updates when running on battery power** to **Disabled**. Then select **OK**.
This action prevents protection updates from downloading when the PC is on battery power.
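Review bot: L1592 drops `ms.technology: mde` from this article's front matter while the two new Plan 1 articles in the same commit add exactly that key (L1634, L1685); if the key is being retired it should be removed everywhere, otherwise this removal looks accidental. Two smaller points: the breadcrumb escaping introduced at L1601 and L1615 (`**Windows components** \> ...`) differs from the unescaped `>` used in the new setup article (L1799, L1828), so pick one form for the whole change. On content, the Microsoft Update opt-in at L1595-L1597 explicitly delivers protection updates even when WSUS is set to override Microsoft Update, so a one-line caveat that such devices then fetch security intelligence directly from Microsoft outside the WSUS approval flow would help admins who rely on WSUS for update control; likewise the battery-power section ending at L1616 could state the trade-off that a laptop rarely on mains power will run with stale security intelligence.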
security Management Apis https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/management-apis.md
Defender for Endpoint provides fine-grained control over what users with access
- Fully segregated divisions with single centralized global security operations teams ## Available APIs+ The Microsoft Defender for Endpoint solution is built on top of an integration-ready platform. Defender for Endpoint exposes much of its data and actions through a set of programmatic APIs. Those APIs will enable you to automate workflows and innovate based on Defender for Endpoint capabilities.
The Defender for Endpoint APIs can be grouped into three:
Defender for Endpoint offers a layered API model exposing data and capabilities in a structured, clear, and easy to use model, exposed through a standard Azure AD-based authentication and authorization model allowing access in context of users or SaaS applications. The API model was designed to expose entities and capabilities in a consistent form. Watch this video for a quick overview of Defender for Endpoint's APIs.
->[!VIDEO https://www.microsoft.com/videoplayer/embed/RE4d73M]
+
+> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4d73M]
The **Investigation API** exposes the richness of Defender for Endpoint - exposing calculated or 'profiled' entities (for example, device, user, and file) and discrete events (for example, process creation and file creation) which typically describes a behavior related to an entity, enabling access to data via investigation interfaces allowing a query-based access to data. For more information, see [Supported APIs](exposed-apis-list.md).
security Mde P1 Maintenance Operations https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mde-p1-maintenance-operations.md
+
+ Title: Manage Microsoft Defender for Endpoint Plan 1 (preview)
+description: Maintain and update Defender for Endpoint Plan 1. Manage settings, get updates, and address false positives/negatives.
+search.appverid: MET150
+++
+audience: ITPro
+ Last updated : 08/30/2021
+ms.technology: mde
+localization_priority: Normal
+
+f1.keywords: NOCSH
++
+# Manage Microsoft Defender for Endpoint Plan 1 (preview)
+
+> [!TIP]
+> If you have Microsoft 365 E3 but not Microsoft 365 E5, visit [https://aka.ms/mdep1trial](https://aka.ms/mdep1trial) to sign up for the preview program!
+
+As you use Defender for Endpoint Plan 1 (preview) in your organization, your security team can take certain steps to maintain your security solution. As your security team puts together your maintenance and operations plan, make sure to include at least the following activities:
+
+- [Manage security intelligence and product updates](#manage-security-intelligence-and-product-updates)
+- [Fine-tune and adjust Defender for Endpoint](#fine-tune-and-adjust-defender-for-endpoint)
+- [Address false positives/negatives](#address-false-positivesnegatives)
+
+> [!IMPORTANT]
+> Some information in this article relates to prereleased products/services that might be substantially modified before they are commercially released. Microsoft makes no warranties, express or implied, for the information provided here. This article includes links to online content that might describe some features that are not included in Defender for Endpoint Plan 1 (preview).
+
+## Manage security intelligence and product updates
+
+Keeping Microsoft Defender Antivirus up to date is critical to protecting against new malware and attack techniques. Microsoft releases regular updates for security intelligence, antivirus, and antimalware protection. Updates are organized into two categories:
+
+- Security intelligence updates
+- Product updates
+
+To manage your security intelligence and product updates, see [Manage Microsoft Defender Antivirus updates and apply baselines](manage-updates-baselines-microsoft-defender-antivirus.md).
+
+## Fine-tune and adjust Defender for Endpoint
+
+Defender for Endpoint offers you much flexibility and configuration options. You can adjust and fine-tune your settings to suit your organizationΓÇÖs needs. For example, you can use Microsoft Endpoint Manager, Group Policy, and other methods to manage your endpoint security settings.
+
+To learn more, see [Manage Defender for Endpoint](manage-atp-post-migration.md).
+
+## Address false positives/negatives
+
+A false positive is an artifact, like a file or a process, that was detected as malicious, even though it isn't actually a threat. A false negative is an entity that was not detected as a threat, even though it actually is. False positives/negatives can occur with any endpoint protection solution, including Defender for Endpoint. However, there are steps you can take to address these kinds of issues and fine-tune your solution, as depicted in the following image:
++
+If youΓÇÖre seeing false positives/negatives in Defender for Endpoint, see [Address false positives/negatives in Microsoft Defender for Endpoint](defender-endpoint-false-positives-negatives.md).
+
+## Next steps
+
+- [See what's new in Microsoft Defender for Endpoint](whats-new-in-microsoft-defender-atp.md)
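Review bot: the apostrophes at L1664 (`organizationΓÇÖs`) and L1672 (`youΓÇÖre`) are a UTF-8 right single quotation mark read through a legacy code page; replace them with a plain ASCII apostrophe so the page renders correctly everywhere. L1670 ends with `as depicted in the following image:` but the next line (L1671) is a bare `++` with no image reference, so either restore the `:::image` block or drop that sentence tail. The front matter at L1631 and L1638 likewise renders as bare `+++`/`++`, so confirm the YAML delimiters and the author/`ms.author` keys survived the commit. One content suggestion: since L1672 is the only pointer readers get on handling false positives, a sentence that exclusions should be scoped as narrowly as possible (a specific file or path rather than a whole folder) would be worth adding here, because every exclusion is a blind spot for the scanner.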
security Mde P1 Setup Configuration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mde-p1-setup-configuration.md
+
+ Title: Set up and configure Microsoft Defender for Endpoint Plan 1 (preview)
+description: Learn how to set up and configure Defender for Endpoint Plan 1. Review the requirements, plan your rollout, and set up your environment.
+search.appverid: MET150
+++
+audience: ITPro
+ Last updated : 08/30/2021
+ms.technology: mde
+localization_priority: Normal
+
+f1.keywords: NOCSH
++
+# Set up and configure Microsoft Defender for Endpoint Plan 1 (preview)
+
+> [!TIP]
+> If you have Microsoft 365 E3 but not Microsoft 365 E5, visit [https://aka.ms/mdep1trial](https://aka.ms/mdep1trial) to sign up for the preview program!
+
+This article describes how to set up and configure Defender for Endpoint Plan 1 (preview). Whether you have assistance or are doing it yourself, you can use this article as a guide throughout your deployment.
+
+## The setup and configuration process
++
+The general setup and configuration process for Defender for Endpoint Plan 1 (preview) is as follows: <br/><br/>
++
+| Number | Step | Description |
+|::|:|:|
+| 1 | [Review the requirements](#review-the-requirements) | Lists licensing, browser, operating system, and datacenter requirements |
+| 2 | [Plan your deployment](#plan-your-deployment) | Lists several deployment methods to consider and includes links to more resources to help you decide which method to use |
+| 3 | [Set up your tenant environment](#set-up-your-tenant-environment) | Lists tasks for setting up your tenant environment |
+| 4 | [Assign roles and permissions](#assign-roles-and-permissions) | Lists roles and permissions to consider for your security team <br/><br/>**TIP**: As soon as roles and permissions are assigned, your security team can get started using the Microsoft 365 Defender portal. To learn more, see [Getting started](mde-plan1-getting-started.md). |
+| 5 | [Onboard to Defender for Endpoint](#onboard-to-defender-for-endpoint) | Lists several methods by operating system to onboard to Defender for Endpoint Plan 1 and includes links to more detailed information for each method |
+| 6 | [Configure next-generation protection](#configure-next-generation-protection) | Describes how to configure your next-generation protection settings in Microsoft Endpoint Manager |
+| 7 | [Configure your attack surface reduction capabilities](#configure-your-attack-surface-reduction-capabilities) | Lists the types of attack surface reduction capabilities you can configure and includes procedures with links to more resources |
+
+> [!IMPORTANT]
+> Some information in this article relates to prereleased products/services that might be substantially modified before they are commercially released. Microsoft makes no warranties, express or implied, for the information provided here. This article includes links to online content that might describe some features that are not included in Defender for Endpoint Plan 1 (preview).
+
+## Review the requirements
+
+The following table lists the basic requirements for Defender for Endpoint Plan 1 (preview):<br/><br/>
+
+| Requirement | Description |
+|:|:|
+| Licensing requirements | Defender for Endpoint Plan 1 (preview) <br/><br/>*If you have Microsoft 365 E3, you can join the preview program.* |
+| Browser requirements | Microsoft Edge <br/> Internet Explorer version 11 <br/> Google Chrome |
+| Operating systems | Windows 10, version 1709 or later <br/>macOS: 11.5 (Big Sur), 10.15.7 (Catalina), or 10.14.6 (Mojave) <br/>iOS <br/>Android OS |
+| Datacenter | One of the following datacenter locations: <br/>- European Union <br/>- United Kingdom <br/>- United States |
++
+## Plan your deployment
+
+When you plan your deployment, you can choose from several different architectures and deployment methods. Every organization is unique, so you have several options to consider, as listed in the following table: <br/><br/>
+
+| Method | Description |
+|:|:|
+| [Microsoft Intune](/mem/intune/fundamentals/what-is-intune) (included in Microsoft Endpoint Manager) | Use Intune to manage endpoints in a cloud native environment |
+| [Microsoft Intune](/mem/intune/fundamentals/what-is-intune) and [Configuration Manager](/mem/configmgr/core/understand/introduction) (included in Microsoft Endpoint Manager) | Use Intune and Configuration Manager to manage endpoints and workloads that span an on-premises and cloud environment |
+| [Configuration Manager](/mem/configmgr/core/understand/introduction) | Use Configuration Manager to protect on-premises endpoints with the cloud-based power of Defender for Endpoint |
+| Local script downloaded from the Microsoft 365 Defender Portal | Use local scripts on endpoints to run a pilot or onboard just a few devices |
+
+To learn more about your deployment options, see [Plan your Defender for Endpoint deployment](deployment-strategy.md). And, download the following poster:
+
+[:::image type="content" source="../../mediatp-deployment-strategy.pdf)
+
+**[Get the deployment poster](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/security/defender-endpoint/downloads/mdatp-deployment-strategy.pdf)**
+
+> [!TIP]
+> For more detailed information about planning your deployment, see [Plan your Microsoft Defender for Endpoint deployment](deployment-strategy.md).
+
+## Set up your tenant environment
+
+Setting up your tenant environment includes tasks, such as:
+
+- Verifying your licenses
+- Configuring your tenant
+- Configuring your proxy settings (only if necessary)
+- Making sure sensors are working correctly and reporting data to Defender for Endpoint
+
+These tasks are included in the setup phase for Defender for Endpoint. See [Set up Defender for Endpoint](production-deployment.md).
+
+## Assign roles and permissions
+
+In order to access the Microsoft 365 Defender portal, configure settings for Defender for Endpoint, or perform tasks, such as taking response actions on detected threats, appropriate permissions must be assigned. Defender for Endpoint uses [built-in roles within Azure Active Directory](/azure/active-directory/roles/permissions-reference).
+
+Microsoft recommends assigning users only the level of permission they need to perform their tasks. You can assign permissions by using basic permissions management, or by using [role-based access control](rbac.md) (RBAC).
+
+- With basic permissions management, global admins and security admins have full access, whereas security readers read-only access.
+- With RBAC, you can set more granular permissions through more roles. For example, you can have security readers, security operators, security admins, endpoint administrators, and more.
++
+The following table describes key roles to consider for Defender for Endpoint in your organization: <br/><br/>
+
+| Role | Description |
+|:|:|
+| Global administrators (also referred to as global admins) <br/><br/> *As a best practice, limit the number of global administrators.* | Global admins can perform all kinds of tasks. The person who signed up your company for Microsoft 365 or for Microsoft Defender for Endpoint Plan 1 is a global administrator by default. <br/><br/> Global admins are able to access/change settings across all Microsoft 365 portals, such as: <br/>- The Microsoft 365 admin center ([https://admin.microsoft.com](https://admin.microsoft.com)) <br/>- Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) <br/>- Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) |
+| Security administrators (also referred to as security admins) | Security admins can perform security operator tasks plus the following tasks: <br/>- Monitor security-related policies <br/>- Manage security threats and alerts <br/>- View reports |
+| Security operator | Security operators can perform security reader tasks plus the following tasks: <br/>- View information about detected threats <br/>- Investigate and respond to detected threats |
+| Security reader | Security readers can perform the following tasks: <br/>- View security-related policies across Microsoft 365 services <br/>- View security threats and alerts <br/>- View reports |
++
+> [!TIP]
+> To learn more about roles in Azure Active Directory, see [Assign administrator and non-administrator roles to users with Azure Active Directory](/azure/active-directory/fundamentals/active-directory-users-assign-role-azure-portal). And, more information about roles for Defender for Endpoint, see [Role-based access control](prepare-deployment.md#role-based-access-control).
+
+## Onboard to Defender for Endpoint
+
+When youΓÇÖre ready to onboard your organizationΓÇÖs endpoints, you can choose from several methods, as listed in the following table: <br/><br/>
+
+|Endpoint Operating System | Onboarding methods|
+|||
+| Windows 10 | [Local script (up to 10 devices)](configure-endpoints-script.md) <br> [Group Policy](configure-endpoints-gp.md) <br> [Microsoft Endpoint Manager/ Mobile Device Manager](configure-endpoints-mdm.md) <br> [Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md) <br> [VDI scripts](configure-endpoints-vdi.md) |
+| macOS | [Local scripts](mac-install-manually.md) <br> [Microsoft Endpoint Manager](mac-install-with-intune.md) <br> [JAMF Pro](mac-install-with-jamf.md) <br> [Mobile Device Management](mac-install-with-other-mdm.md) |
+| iOS |[App-based](ios-install.md) |
+| Android | [Microsoft Endpoint Manager](android-intune.md) |
+
+Then, proceed to configure your next-generation protection and attack surface reduction capabilities.
+
+## Configure next-generation protection
+
+We recommend using [Microsoft Endpoint Manager](/mem) to manage your organizationΓÇÖs devices and security settings, as shown in the following image:
+
+
+To configure your next-generation protection in Microsoft Endpoint Manager, follow these steps:
+
+1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in.
+
+2. Select **Endpoint security** > **Antivirus**, and then select an existing policy. (If you donΓÇÖt have an existing policy, create a new policy.)
+
+3. Set or change your antivirus configuration settings. Need help? Refer to the following resources: <br/>
+
+ - [Settings for Windows 10 Microsoft Defender Antivirus policy in Microsoft Intune](/mem/intune/protect/antivirus-microsoft-defender-settings-windows)
+ - [Configure Defender for Endpoint on iOS features](ios-configure-features.md)
+
+4. When you are finished specifying your settings, choose **Review + save**.
+
+## Configure your attack surface reduction capabilities
+
+Attack surface reduction is all about reducing the places and ways your organization is open to attack. Defender for Endpoint Plan 1 (preview) includes several features and capabilities to help you reduce your attack surfaces across your endpoints. These features and capabilities are listed in the following table: <br/><br/>
+
+| Feature/capability | Description |
+|:|:|
+| [Attack surface reduction rules](#attack-surface-reduction-rules) | Configure attack surface reduction rules to constrain software-based risky behaviors and help keep your organization safe. Attack surface reduction rules target certain software behaviors, such as<br/>- Launching executable files and scripts that attempt to download or run files <br/>- Running obfuscated or otherwise suspicious scripts <br/>- Performing behaviors that apps don't usually initiate during normal day-to-day work <br/><br/>Such software behaviors are sometimes seen in legitimate applications. However, these behaviors are often considered risky because they are commonly abused by attackers through malware. |
+| [Ransomware mitigation](#ransomware-mitigation) | Set up ransomware mitigation by configuring controlled folder access, which helps protect your organization's valuable data from malicious apps and threats, such as ransomware. |
+| [Device control](#device-control) | Configure device control settings for your organization to allow or block removable devices (such as USB drives). |
+| [Network protection](#network-protection) | Set up network protection to prevent people in your organization from using applications that access dangerous domains or malicious content on the Internet. |
+| [Web protection](#web-protection) | Set up web threat protection to protect your organization's devices from phishing sites, exploit sites, and other untrusted or low-reputation sites. Set up web content filtering to track and regulate access to websites based on their content categories (such as Leisure, High bandwidth, Adult content, or Legal liability). |
+| [Network firewall](#network-firewall) | Configure your network firewall with rules that determine which network traffic is permitted to come into or go out from your organization's devices. |
+| [Application control](#application-control) | Configure application control rules if you want to allow only trusted applications and processes to run on your Windows devices. |
+
+### Attack surface reduction rules
+
+Attack surface reduction rules are available on devices running Windows. We recommend using Microsoft Endpoint Manager, as shown in the following image:
++
+1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in.
+
+2. Choose **Endpoint security** > **Attack surface reduction** > **+ Create policy**.
+
+3. For **Platform**, select **Windows 10 and later**.
+
+4. For **Profile**, select **Attack surface reduction rules**, and then choose **Create**.
+
+5. On the **Basics** tab, specify a name and description for the policy, and then choose **Next**.
+
+6. On the **Configuration settings** tab, expand **Attack Surface Reduction Rules**.
+
+7. Specify settings for each rule, and then choose **Next**. (For more information about what each rule does, see [Attack surface reduction rules](attack-surface-reduction.md).)
+
+8. On the **Scope tags** tab, if your organization is using scope tags, choose **+ Select scope tags**, and then select the tags you want to use. Then, choose **Next**.
+
+ To learn more about scope tags, see [Use role-based access control (RBAC) and scope tags for distributed IT](/mem/intune/fundamentals/scope-tags).
+
+9. On the **Assignments** tab, specify the users and groups to whom your policy should be applied, and then choose **Next**. (To learn more about assignments, see [Assign user and device profiles in Microsoft Intune](/mem/intune/configuration/device-profile-assign).)
+
+10. On the **Review + create** tab, review the settings, and then choose **Create**.
+
+> [!TIP]
+> To learn more about attack surface reduction rules, see the following resources:
+> - [Use attack surface reduction rules to prevent malware infection](attack-surface-reduction.md)
+> - [View the list of attack surface reduction rules](attack-surface-reduction-rules.md)
+> - [Customize attack surface reduction rules](customize-attack-surface-reduction.md)
+
+### Ransomware mitigation
+
+You get ransomware mitigation through [controlled folder access](controlled-folders.md#what-is-controlled-folder-access), which allows only trusted apps to access protected folders on your endpoints.
+
+We recommend using Microsoft Endpoint Manager to configure controlled folder access.
++
+1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in.
+
+2. Select **Endpoint Security**, and then select **Attack Surface Reduction**.
+
+3. Choose **+ Create Policy**.
+
+4. For **Platform**, select **Windows 10 and later**, and for **Profile**, select **Attack surface reduction rules**. Then choose **Create**.
+
+5. On the **Basics** tab, name the policy and add a description. Select **Next**.
+
+6. On the **Configuration settings** tab, in the **Attack Surface Reduction Rules** section, scroll down to the bottom. In the **Enable folder protection** drop-down, select **Enable**. You can optionally specify these other settings:
+
+ - Next to **List of additional folders that need to be protected**, select the drop-down menu, and then add folders that need to be protected.
+ - Next to **List of apps that have access to protected folders**, select the drop-down menu, and then add apps that should have access to protected folders.
+ - Next to **Exclude files and paths from attack surface reduction rules**, select the drop-down menu, and then add the files and paths that need to be excluded from attack surface reduction rules.
+
+ Then choose **Next**.
+
+7. On the **Scope tags** tab, if your organization is using scope tags, choose **+ Select scope tags**, and then select the tags you want to use. Then, choose **Next**.
+
+ To learn more about scope tags, see [Use role-based access control (RBAC) and scope tags for distributed IT](/mem/intune/fundamentals/scope-tags).
+
+8. On the **Assignments** tab, select **Add all users** and **+ Add all devices**, and then choose **Next**. (You can alternately specify specific groups of users or devices.)
+
+9. On the **Review + create** tab, review the settings for your policy, and then choose **Create**. The policy will be applied to any endpoints that were onboarded to Defender for Endpoint shortly.
+
+### Device control
+
+You can configure Defender for Endpoint to block or allow removable devices and files on removable devices. We recommend using Microsoft Endpoint Manager to configure your device control settings.
++
+1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in.
+
+2. Select **Devices** > **Configuration profiles** > **Create profile**.
+
+3. For **Platform**, select **Windows 10 and later**, and for **Profile type**, select **Templates**.
+
+ Under **Template name**, select **Administrative Templates**, and then choose **Create**.
+
+4. On the **Basics** tab, name the policy and add a description. Select **Next**.
+
+5. On the **Configuration settings** tab, select **All Settings**. Then in the search box, type `Removable` to see all the settings that pertain to removable devices.
+
+6. Select an item in the list, such as **All Removable Storage classes: Deny all access**, to open its flyout pane. The flyout for each setting explains what happens when it is enabled, disabled, or not configured. Select a setting, and then choose **OK**.
+
+7. Repeat step 6 for each setting that you want to configure. Then choose **Next**.
+
+8. On the **Scope tags** tab, if your organization is using scope tags, choose **+ Select scope tags**, and then select the tags you want to use. Then, choose **Next**.
+
+ To learn more about scope tags, see [Use role-based access control (RBAC) and scope tags for distributed IT](/mem/intune/fundamentals/scope-tags).
+
+9. On the **Assignments** tab, select **Add all users** and **+ Add all devices**, and then choose **Next**. (You can alternately specify specific groups of users or devices.)
+
+10. On the **Review + create** tab, review the settings for your policy, and then choose **Create**. The policy will be applied to any endpoints that were onboarded to Defender for Endpoint shortly.
+
+> [!TIP]
+> For more information, see [How to control USB devices and other removable media using Microsoft Defender for Endpoint](control-usb-devices-using-intune.md).
+
+### Network protection
+
+With network protection, you can help protect your organization against dangerous domains that might host phishing scams, exploits, and other malicious content on the Internet. We recommend using Microsoft Endpoint Manager to turn on network protection.
++
+1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in.
+
+2. Select **Devices** > **Configuration profiles** > **Create profile**.
+
+3. For **Platform**, select **Windows 10 and later**, and for **Profile type**, select **Templates**.
+
+ Under **Template name**, select **Endpoint protection**, and then choose **Create**.
+
+4. On the **Basics** tab, name the policy and add a description. Select **Next**.
+
+5. On the **Configuration settings** tab, expand **Microsoft Defender Exploit Guard**, and then expand **Network filtering**.
+
+ Set **Network protection** to **Enable**. (You can alternately choose **Audit** to see how network protection will work in your environment at first.)
+
+ Then choose **Next**.
+
+6. On the **Assignments** tab, select **Add all users** and **+ Add all devices**, and then choose **Next**. (You can alternately specify specific groups of users or devices.)
+
+7. On the **Applicability Rules** tab, set up a rule. The profile you are configuring will be applied only to devices that meet the combined criteria you specify.
+
+ For example, you might choose to assign the policy to endpoints that are running a certain OS edition only.
+
+ Then choose **Next**.
+
+8. On the **Review + create** tab, review the settings for your policy, and then choose **Create**. The policy will be applied to any endpoints that were onboarded to Defender for Endpoint shortly.
+
+> [!TIP]
+> You can use other methods, such as Windows PowerShell or Group Policy, to enable network protection. To learn more, see [Turn on network protection](enable-network-protection.md).
+
+### Web protection
+
+With web protection, you can protect your organization's devices from web threats and unwanted content. Your web protection includes [web threat protection](#configure-web-threat-protection) and [web content filtering](#configure-web-content-filtering) (preview). Configure both sets of capabilities. We recommend using Microsoft Endpoint Manager to configure your web protection settings.
+
+#### Configure web threat protection
+
+1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)), and sign in.
+
+2. Choose **Endpoint security** > **Attack surface reduction**, and then choose **+ Create policy**.
+
+3. Select a platform, such as **Windows 10 and later**, select the **Web protection** profile, and then choose **Create**.
+
+4. On the **Basics** tab, specify a name and description, and then choose **Next**.
+
+5. On the **Configuration settings** tab, expand **Web Protection**, specify the settings in the following table, and then choose **Next**. <br/><br/>
+
+ | Setting | Recommendation |
+ |:|:|
+ | **Enable network protection** | Set to **Enabled**. Prevents users from visiting malicious sites or domains. <br/><br/>Alternately, you can set network protection to **Audit mode** to see how it will work in your environment. In audit mode, network protection does not prevent users from visiting sites or domains, but it does track detections as events. |
+ | **Require SmartScreen for Microsoft Edge Legacy** | Set to **Yes**. Helps protect users from potential phishing scams and malicious software. |
+ | **Block malicious site access** | Set to **Yes**. Prevents users from bypassing warnings about potentially malicious sites. |
+ | **Block unverified file download** | Set to **Yes**. Prevents users from bypassing the warnings and downloading unverified files. |
+
+6. On the **Scope tags** tab, if your organization is using scope tags, choose **+ Select scope tags**, and then select the tags you want to use. Then, choose **Next**.
+
+ To learn more about scope tags, see [Use role-based access control (RBAC) and scope tags for distributed IT](/mem/intune/fundamentals/scope-tags).
+
+7. On the **Assignments** tab, specify the users and devices to receive the web protection policy, and then choose **Next**.
+
+8. On the **Review + create** tab, review your policy settings, and then choose **Create**.
+
+> [!TIP]
+> To learn more about web threat protection, see [Protect your organization against web threats](web-threat-protection.md).
+
+#### Configure web content filtering
+
+> [!NOTE]
+> Web content filtering is currently in preview.
+
+1. Go to the Microsoft 365 Defender portal ([https://security.microsoft.com/](https://security.microsoft.com/)) and sign in.
+
+2. Choose **Settings** > **Endpoints**.
+
+3. Under **Rules**, choose **Web content filtering**, and then choose **+ Add policy**.
+
+4. In the **Add policy** flyout, on the **General** tab, specify a name for your policy, and then choose **Next**.
+
+5. On the **Blocked categories**, select one or more categories that you want to block, and then choose **Next**.
+
+6. On the **Scope** tab, select the device groups you want to receive this policy, and then choose **Next**.
+
+7. On the **Summary** tab, review your policy settings, and then choose **Save**.
+
+> [!TIP]
+> To learn more about configuring web content filtering, see [Web content filtering](web-content-filtering.md).
+
+### Network firewall
+
+Network firewall helps reduce the risk of network security threats. Your security team can set rules that determine which traffic is permitted to flow to or from your organization's devices. We recommend using Microsoft Endpoint Manager to configure your network firewall.
++
+To configure basic firewall settings, follow these steps:
+
+1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)), and sign in.
+
+2. Choose **Endpoint security** > **Firewall**, and then choose **+ Create Policy**.
+
+3. Select a platform, such as **Windows 10 and later**, select the **Microsoft Defender Firewall** profile, and then choose **Create**.
+
+4. On the **Basics** tab, specify a name and description, and then choose **Next**.
+
+5. Expand **Microsoft Defender Firewall**, and then scroll down to the bottom of the list.
+
+6. Set each of the following settings to **Yes**:
+
+ - **Turn on Microsoft Defender Firewall for domain networks**
+ - **Turn on Microsoft Defender Firewall for private networks**
+ - **Turn on Microsoft Defender Firewall for public networks**
+
+ Review the list of settings under each of domain networks, private networks, and public networks. You can leave them set to **Not configured**, or change them to suit your organization's needs.
+
+ Then choose **Next**.
+
+7. On the **Scope tags** tab, if your organization is using scope tags, choose **+ Select scope tags**, and then select the tags you want to use. Then, choose **Next**.
+
+ To learn more about scope tags, see [Use role-based access control (RBAC) and scope tags for distributed IT](/mem/intune/fundamentals/scope-tags).
+
+8. On the **Assignments** tab, select **Add all users** and **+ Add all devices**, and then choose **Next**. (You can alternately specify specific groups of users or devices.)
+
+9. On the **Review + create** tab, review your policy settings, and then choose **Create**.
+
+> [!TIP]
+> Firewall settings are detailed and can seem complex. Refer to [Best practices for configuring Windows Defender Firewall](/windows/security/threat-protection/windows-firewall/best-practices-configuring).
+
+### Application control
+
+Windows Defender Application Control (WDAC) helps protect your Windows endpoints by only allowing trusted applications and processes to run. Most organizations used a phased deployment of WDAC. That is, most organizations don't roll out WDAC across all Windows endpoints at first. In fact, depending on whether your organization's Windows endpoints are fully managed, lightly managed, or "Bring Your Own Device" endpoints, you might deploy WDAC on all or some endpoints.
+
+To help with planning your WDAC deployment, see the following resources:
+
+- [Application Control for Windows](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)
+
+- [Windows Defender Application Control policy design decisions](/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions)
+
+- [Windows Defender Application Control deployment in different scenarios: types of devices](/windows/security/threat-protection/windows-defender-application-control/types-of-devices)
+
+## Next steps
+
+Now that you have gone through the setup and configuration process, your next step is to get started using Defender for Endpoint.
+
+- [Get started with Defender for Endpoint Plan 1 (preview)](mde-plan1-getting-started.md)
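Review bot: Network protection is configured twice in this section with no mention of the overlap: the Network protection procedure sets it through the Endpoint protection template (step 5, "Set **Network protection** to **Enable**", or **Audit**), and the Web threat protection table then sets "**Enable network protection** | Set to **Enabled**" in the ASR Web protection profile. If the two policies carry different values, say Audit in one and Enabled in the other, Intune flags the setting as a conflict on the device and you cannot rely on which value wins, so either drop the setting from one procedure or add a sentence saying the value must match in both. Two smaller points: step 7 of the Network protection procedure ("On the **Applicability Rules** tab, set up a rule") reads as mandatory, but a rule only narrows the profile to matching devices, and the OS-edition example would contradict step 8's statement that the policy reaches any onboarded endpoint; make it "Optionally, ..." and say that without a rule the profile applies to every device in the assignment. In the Network firewall procedure, "You can leave them set to **Not configured**" should say that such settings are not enforced by this policy and the device keeps whatever value it already has, so the policy turns the firewall on but does not set the per-profile settings beneath it. Also, "Most organizations used a phased deployment" in Application control should be "use".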
security Mde Plan1 Getting Started https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mde-plan1-getting-started.md
+
+ Title: Get started with Microsoft Defender for Endpoint Plan 1 (preview)
+description: Get started using Defender for Endpoint Plan 1. Learn how to use the security center, manage alerts and devices, and view reports.
+search.appverid: MET150
+++
+audience: ITPro
+ Last updated : 08/30/2021
+ms.technology: mde
+localization_priority: Normal
+
+f1.keywords: NOCSH
++
+# Get started with Microsoft Defender for Endpoint Plan 1 (preview)
+
+> [!TIP]
+> If you have Microsoft 365 E3 but not Microsoft 365 E5, visit [https://aka.ms/mdep1trial](https://aka.ms/mdep1trial) to sign up for the preview program!
+
+The Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) enables you to view information about detected threats, manage your alerts and incidents, take any needed action on detected threats, and manage devices. The Microsoft 365 Defender portal is where you can get started interacting with the threat protection capabilities you get with Defender for Endpoint Plan 1 (preview). The following sections describe how to get started:
+
+- [The Microsoft 365 Defender portal](#the-microsoft-365-defender-portal)
+- [Viewing and managing incidents & alerts](#view-and-manage-incidents--alerts)
+- [Managing devices](#manage-devices)
+- [Viewing reports](#view-reports)
+
+## The Microsoft 365 Defender portal
+
+The Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) is where you'll view alerts, manage devices, and view reports. When you sign into the Microsoft 365 Defender portal, youΓÇÖll start with the Home page, as shown in the following image:
++
+The Home page provides your security team with a snapshot aggregate view of alerts, device status, and threats detected. The security center is set up so that your security operations team can find the information they are looking for quickly and easily.
+
+> [!NOTE]
+> Our examples shown in this article might differ from what you see in your Microsoft 365 Defender portal. What you see in your portal depends on your licenses and permissions. In addition, your security team can customize your organization's portal by adding, removing, and rearranging cards.
+
+### Cards highlight key information and include recommendations
+
+The Home page includes cards, such as the Active incidents card shown in the following image:
++
+The card provides you with information at a glance, along with a link or button that you can select to view more detailed information. Referring to our example Active incidents card, we can select **View all incidents** to navigate to our list of incidents.
++
+### Navigation bar makes it easy to find alerts, the Action center, and more
+
+The navigation bar on the left side of the screen enables you to move easily between incidents, alerts, the Action center, reports, and settings. The following table describes the navigation bar.
+
+| Navigation bar item | Description |
+|:|:|
+| **Home** | Navigates to the Home page of the [Microsoft 365 Defender portal](../defender/microsoft-365-security-center-mde.md). |
+| **Incidents & alerts** | Expands to show **Incidents** and **Alerts**. |
+| **Incidents & alerts** > **Incidents** | Navigates to the **Incidents** list. Incidents are created when alerts are triggered and/or threats are detected. By default, the **Incidents** list displays data for the last 30 days, with the most recent incident listed first. <br/><br/> To learn more, see [Incidents](view-incidents-queue.md). |
+| **Incidents & alerts** > **Alerts** | Navigates to the **Alerts** list (also referred to as the **Alerts queue**). Alerts are triggered when a suspicious or malicious file, process, or behavior is detected. By default, the **Alerts** list displays data for the last 30 days, with the most recent alert listed first. <br/><br/> To learn more, see [Alerts](alerts-queue.md). |
+| **Action center** | Navigates to the Action center, which tracks remediation and manual response actions. The Action center tracks activities like these: <br/>- Microsoft Defender Antivirus encounters a malicious file and then blocks/removes that file. <br/>- Your security team isolates a device.<br/>- Defender for Endpoint detects and quarantines a file. <br/><br/> To learn more, see [Action center](auto-investigation-action-center.md). |
+| **Secure score** | Displays a representation of your organization's security posture along with a list of improvement actions and metrics. <br/><br/> To learn more, see [Microsoft Secure Score](../defender/microsoft-secure-score.md). |
+| **Learning hub** | Navigates to a list of learning paths that you can access to learn more about Microsoft 365 security capabilities. |
+| **Endpoints** > **Search** | Navigates to a page where you can search for specific devices by device name. In the list of results, you can see details, such as risk level and health state, at a glance. |
+| **Endpoints** > **Device inventory** | Navigates to your list of devices that are onboarded to Defender for Endpoint. Provides information about devices, such as their exposure and risk levels. <br/><br/> To learn more, see [Device inventory](machines-view-overview.md). |
+| **Endpoints** > **Configuration & baselines** | Expands to show **Security baselines** and **Configuration management**. |
+| **Endpoints** > **Configuration & baselines** > **Security baselines** | Security baselines are pre-configured policies and groups of settings that can help you apply recommended security settings efficiently and effectively. Baselines include settings that are based on industry best practices. You can keep the default settings, or customize your baselines to suit your organization's needs. <br/><br/> To learn more, see [Use security baselines to configure Windows 10 devices in Intune](/mem/intune/protect/security-baselines). |
+| **Endpoints** > **Configuration & baselines** > **Configuration management** | Navigates to the **Device configuration management** page, where you can view information about onboarded devices, and take steps to onboard more devices. |
+| **Reports** | Navigates to your reports, such as your [Threat protection report](threat-protection-reports.md), [Device health and compliance report](machine-reports.md), and your [Web protection report](web-protection-overview.md). |
+| **Health** | Includes links to the **Service health** and **Message center**. |
+| **Health** > **Service health** | Navigates to the Service health page in the Microsoft 365 admin center. This page enables you to view health status across all the services available with your organization's subscriptions. |
+| **Health** > **Message center** | Navigates to the Message center in the Microsoft 365 admin center. The Message center provides information about planned changes. Each message describes what's coming, how it might affect users, and how to manage changes. |
+| **Permissions & roles** | Enables you to grant permissions to use the Microsoft 365 Defender portal. Permissions are granted through roles in Azure Active Directory (Azure AD). Select a role, and a flyout pane appears. The flyout contains a link to Azure AD where you can add or remove members in a role group. <br/><br/> To learn more, see [Manage portal access using role-based access control](rbac.md). |
+| **Settings** | Navigates to general settings for your Microsoft 365 Defender portal (listed as **Security center**) and Defender for Endpoint (listed as **Endpoints**). <br/><br/> To learn more, see [Settings](../defender/overview-security-center.md). |
+| **More resources** | Displays a list of more portals and centers, such as Azure Active Directory and the Microsoft 365 compliance center. <br/><br/> To learn more, see [Microsoft security portals and admin centers](../defender/portals.md). |
+
+> [!TIP]
+> To learn more, see the [Microsoft 365 Defender portal overview](../defender/microsoft-365-security-center-mde.md).
+
+## View and manage incidents & alerts
+
+When you sign into the Microsoft 365 Defender portal, make sure to view and manage your incidents and alerts. Start with your **Incidents** list. The following image shows a list of incidents, including one with high severity, and another with medium severity.
+
+
+Select an incident to view details about the incident. Details include what alerts were triggered, how many devices and users were affected, and other details. The following image shows an example of incident details.
+
+
+Use the **Alerts**, **Devices**, and **Users** tabs to view more information, such as the alerts that were triggered, devices that were affected, and user accounts that were affected. From there, you can take manual response actions, such as isolating a device, stopping and quarantining a file, and so on.
+
+> [!TIP]
+> To learn more about using the **Incident** view, see [Manage incidents](manage-incidents.md).
+
+## Manage devices
+
+To view and manage your organizationΓÇÖs devices, in the navigation bar, under **Endpoints**, select **Device inventory**. YouΓÇÖll see a list of devices as shown in the following image:
++
+The list includes devices for which alerts were generated. By default, the data shown is for the past 30 days, with the most recent items listed first. Select a device to view more information about it. A flyout pane opens, as shown in the following image:
++
+The flyout pane displays details, such as any active alerts for the device, and includes links to take action, such as isolating a device.
+
+If there are active alerts on the device, you can view them in the flyout pane. Select an individual alert to view more details about it. Or, take an action, such as **Isolate device**, so you can investigate the device further while minimizing the risk of infecting other devices.
+
+> [!TIP]
+> To learn more, see [Investigate devices in the Defender for Endpoint devices list](investigate-machines.md).
+
+## View reports
+
+In Defender for Endpoint Plan 1, several reports are available in the Microsoft 365 Defender portal. To access your reports, follow these steps:
+
+1. Go to the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) and sign in.
+
+2. In the navigation bar, choose **Reports**.
+
+3. Select a report in the list. You'll see the following three reports:
+
+ - Threat protection report
+ - Device health report
+ - Web protection report
+
+> [!TIP]
+> For more information, see [Threat protection reports](threat-protection-reports.md).
+
+### Threat protection report
+
+To access your Threat protection report, in the Microsoft 365 Defender portal, choose **Reports**, and then choose **Threat protection**. The Threat Protection report shows alert trends, status, categories, and more. Views are arranged in two columns: **Alert trends** and **Alert status**, as shown in the following image:
+
+
+Scroll down to see all the views in each list.
+
+- By default, the views in the **Alert trends** column display data for the past 30 days, but you can set a view to display data for the last three months, last six months, or a custom time range (up to 180 days).
+- The views in the **Alert status** column are a snapshot for the previous business day.
+
+> [!TIP]
+> To learn more, see [Threat protection report in Defender for Endpoint](threat-protection-reports.md).
+
+### Device health report
+
+To access your Device health report, in the Microsoft 365 Defender portal, choose **Reports**, and then choose **Device health**. The Device health report shows health state and antivirus across devices in your organization. Similar to the [Threat protection report](#threat-protection-report), views are arranged in two columns: **Device trends** and **Device summary**, as shown in the following image:
+
+
+Scroll down to see all the views in each list. By default, the views in the **Device trends** column display data for the past 30 days, but you can change a view to display data for the last three months, last six months, or a custom time range (up to 180 days). The **Device summary** views are snapshots for the previous business day.
+
+> [!TIP]
+> To learn more, see [Device health](machine-reports.md).
+
+### Web protection report
+
+To access your Device health report, in the Microsoft 365 Defender portal, choose **Reports**, and then choose **Web protection**. The Web protection report shows detections over time, such as malicious URLs and attempts to access blocked URLs, as shown in the following image:
+
+
+Scroll down to see all the views in the Web protection report. Some views include links that enable you to view more details, configure your threat protection features, and even manage indicators that serve as exceptions in Defender for Endpoint.
+
+> [!TIP]
+> To learn more, see [Web protection](web-protection-overview.md).
+
+## Next steps
+
+- [Manage Microsoft Defender for Endpoint Plan 1 (preview)](mde-p1-maintenance-operations.md)
+- [Microsoft Defender for Endpoint](microsoft-defender-endpoint.md)
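Review bot: The Web protection report section opens with "To access your Device health report, in the Microsoft 365 Defender portal, choose **Reports**, and then choose **Web protection**", a copy-paste leftover from the preceding section; it should read "To access your Web protection report". In Manage devices, "The list includes devices for which alerts were generated" contradicts the navigation table, which describes Device inventory as "your list of devices that are onboarded to Defender for Endpoint"; the inventory lists every onboarded device whether or not it has alerts, so drop or reword that sentence. The apostrophes in "youΓÇÖll" (Microsoft 365 Defender portal section) and "organizationΓÇÖs" (Manage devices) are mis-encoded curly quotes; use plain ASCII apostrophes so they render everywhere. Finally, "Select a report in the list. You'll see the following three reports" under View reports reads better as "The list contains the following three reports".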
security Microsoft Cloud App Security Config https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-cloud-app-security-config.md
Title: Configure Microsoft Cloud App Security integration-+ description: Learn how to turn on the settings to enable the Microsoft Defender for Endpoint integration with Microsoft Cloud App Security. keywords: cloud, app, security, settings, integration, discovery, report search.product: eADQiWindows 10XVcnh
ms.technology: mde
> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink) - To benefit from Microsoft Defender for Endpoint cloud app discovery signals, turn on Microsoft Cloud App Security integration.
->[!NOTE]
->This feature will be available with an E5 license for [Enterprise Mobility + Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security) on devices running Windows 10, version 1709 (OS Build 16299.1085 with [KB4493441](https://support.microsoft.com/help/4493441)), Windows 10, version 1803 (OS Build 17134.704 with [KB4493464](https://support.microsoft.com/help/4493464)), Windows 10, version 1809 (OS Build 17763.379 with [KB4489899](https://support.microsoft.com/help/4489899)) or later Windows 10 versions.
+> [!NOTE]
+> This feature will be available with an E5 license for [Enterprise Mobility + Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security) on devices running Windows 10, version 1709 (OS Build 16299.1085 with [KB4493441](https://support.microsoft.com/help/4493441)), Windows 10, version 1803 (OS Build 17134.704 with [KB4493464](https://support.microsoft.com/help/4493464)), Windows 10, version 1809 (OS Build 17763.379 with [KB4489899](https://support.microsoft.com/help/4489899)) or later Windows 10 versions.
-> See [Microsoft Defender for Endpoint integration with Microsoft Cloud App Security](/cloud-app-security/mde-integration) for detailed integration of Microsoft Defender for Endpoint with Microsoft Cloud App Security.
+> See [Microsoft Defender for Endpoint integration with Microsoft Cloud App Security](/cloud-app-security/mde-integration) for detailed integration of Microsoft Defender for Endpoint with Microsoft Cloud App Security.
## Enable Microsoft Cloud App Security in Microsoft Defender for Endpoint
-1. In the navigation pane, select **Preferences setup** > **Advanced features**.
+1. In the navigation pane, select **Preferences setup** \> **Advanced features**.
2. Select **Microsoft Cloud App Security** and switch the toggle to **On**. 3. Click **Save preferences**.
Once activated, Microsoft Defender for Endpoint will immediately start forwardin
To view and access Microsoft Defender for Endpoint data in Microsoft Cloud Apps Security, see [Investigate devices in Cloud App Security](/cloud-app-security/mde-integration#investigate-devices-in-cloud-app-security). - For more information about cloud discovery, see [Working with discovered apps](/cloud-app-security/discovered-apps). If you're interested in trying Microsoft Cloud App Security, see [Microsoft Cloud App Security Trial](https://signup.microsoft.com/Signup?OfferId=757c4c34-d589-46e4-9579-120bba5c92ed&ali=1). ## Related topic+ - [Microsoft Cloud App Security integration](microsoft-cloud-app-security-integration.md)
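Review bot: The edited step "In the navigation pane, select **Preferences setup** \> **Advanced features**" still describes the legacy Microsoft Defender Security Center navigation, while the new Plan 1 articles in this same update send readers to the Microsoft 365 Defender portal (https://security.microsoft.com) and **Settings** > **Endpoints**. Since the step is already being touched, name the portal the path belongs to, or update the path to match the portal used elsewhere in the update, so readers know which UI is meant. The note above it says the feature "will be available" with an E5 license, which reads as future tense for a shipped feature; "is available" is clearer.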
security Microsoft Defender Antivirus Compatibility https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-compatibility.md
Microsoft Defender Antivirus is automatically installed on endpoints running the
- Windows Server, version 1803, or later - Windows Server 2019
-What happens when another non-Microsoft antivirus/antimalware solution is used? Can you run Microsoft Defender Antivirus alongside another antivirus product? The answers depend on several factors, such as your operating system and whether you're using [Microsoft Defender for Endpoint](microsoft-defender-endpoint.md) (Defender for Endpoint) together with your antivirus protection.
+What happens when another non-Microsoft antivirus/antimalware solution is used? Can you run Microsoft Defender Antivirus alongside another antivirus product? The answers depend on several factors, such as your operating system and whether you're using [Microsoft Defender for Endpoint](microsoft-defender-endpoint.md) (Defender for Endpoint) together with your antivirus protection.
This article describes what happens with Microsoft Defender Antivirus and a non-Microsoft antivirus/antimalware solution, with or without Defender for Endpoint. ## Antivirus protection without Defender for Endpoint
-This section describes what happens with Microsoft Defender Antivirus and non-Microsoft antivirus/antimalware products on endpoints that are not onboarded to Defender for Endpoint. The following table summarizes what to expect: <br/>
+This section describes what happens with Microsoft Defender Antivirus and non-Microsoft antivirus/antimalware products on endpoints that are not onboarded to Defender for Endpoint. The following table summarizes what to expect:
-| Windows version | Primary antivirus/antimalware solution | Microsoft Defender Antivirus state |
-|||-|-|
-| Windows 10 | Microsoft Defender Antivirus | Active mode |
-| Windows 10 | A non-Microsoft antivirus/antimalware solution | Disabled mode (happens automatically) |
-| Windows Server 2016 <br/> Windows Server, version 1803, or newer <br/> Windows Server 2019 | Microsoft Defender Antivirus | Active mode |
-| Windows Server 2016 <br/> Windows Server, version 1803, or newer <br/> Windows Server 2019 | A non-Microsoft antivirus/antimalware solution | Disabled (set manually) <sup>[[1](#fn1)]<sup></sup> |
+<br>
-(<a id="fn1">1</a>) On Windows Server, if you are running a non-Microsoft antivirus product, you can disable Microsoft Defender Antivirus by using Group Policy to turn off Microsoft Defender Antivirus, or by using the [DisableAntiSpyware](/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware) registry key. To use the registry key, navigate to `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender`, and set or create a DWORD entry called `DisableAntiSpyware`. Set its value to `1` (which sets the registry key's value to *true*), and select **Hexadecimal** for its base.
+****
+
+|Windows version|Primary antivirus/antimalware solution|Microsoft Defender Antivirus state|
+|||||
+|Windows 10|Microsoft Defender Antivirus|Active mode|
+|Windows 10|A non-Microsoft antivirus/antimalware solution|Disabled mode (happens automatically)|
+|Windows Server 2016 <p> Windows Server, version 1803, or newer <p> Windows Server 2019|Microsoft Defender Antivirus|Active mode|
+|Windows Server 2016 <p> Windows Server, version 1803, or newer <p> Windows Server 2019|A non-Microsoft antivirus/antimalware solution|Disabled (set manually) <sup>[[1](#fn1)]<sup></sup>|
+
+(<a id="fn1">1</a>) On Windows Server, if you are running a non-Microsoft antivirus product, you can disable Microsoft Defender Antivirus by using Group Policy to turn off Microsoft Defender Antivirus, or by using the [DisableAntiSpyware](/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware) registry key. To use the registry key, navigate to `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender`, and set or create a DWORD entry called `DisableAntiSpyware`. Set its value to `1` (which sets the registry key's value to *true*), and select **Hexadecimal** for its base.
> [!TIP] > See [Microsoft Defender Antivirus on Windows Server](microsoft-defender-antivirus-on-windows-server.md) for key differences and management options for Windows Server installations. On Windows Server 2016, you might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus*. ## Antivirus protection with Defender for Endpoint
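Review bot: The rebuilt table's delimiter row `|||||` has four empty cells under a three-column header and no dashes, so it is not a valid Markdown delimiter row and only renders if the docs pipeline is lenient; the old row `|||-|-|` had the same column-count problem, so this rewrite is the moment to fix it. Use `|---|---|---|` (or `|:--|:--|:--|` for left alignment) so the header and body columns line up. The second table in this file, under "Antivirus protection with Defender for Endpoint", carries the same `|||||` row.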
-If your organization is using a non-Microsoft antivirus/antimalware solution together with Defender for Endpoint, Microsoft Defender Antivirus can, depending on your operating system, run in passive mode. <br/>
+If your organization is using a non-Microsoft antivirus/antimalware solution together with Defender for Endpoint, Microsoft Defender Antivirus can, depending on your operating system, run in passive mode.
+
+<br>
-| Windows version | Primary antivirus/antimalware solution | Microsoft Defender Antivirus state |
-|||-|-|
-| Windows 10 or later | Microsoft Defender Antivirus | Active mode |
-| Windows 10 or later | A non-Microsoft antivirus/antimalware solution | Passive mode (happens automatically) |
-| Windows Server 2016 <br/> Windows Server, version 1803, or newer <br/> Windows Server 2019 | Microsoft Defender Antivirus | Active mode |
-| Windows Server, version 1803, or newer <br/> Windows Server 2019 | A non-Microsoft antivirus/antimalware solution | Passive mode (set manually) <sup>[[2](#fn2)]<sup></sup> |
-| Windows Server 2016 | A non-Microsoft antivirus/antimalware solution | Disabled (set manually) <sup>[[3](#fn3)]<sup> |
+****
+
+|Windows version|Primary antivirus/antimalware solution|Microsoft Defender Antivirus state|
+|||||
+|Windows 10 or later|Microsoft Defender Antivirus|Active mode|
+|Windows 10 or later|A non-Microsoft antivirus/antimalware solution|Passive mode (happens automatically)|
+|Windows Server 2016 <p> Windows Server, version 1803, or newer <p> Windows Server 2019|Microsoft Defender Antivirus|Active mode|
+|Windows Server, version 1803, or newer <p> Windows Server 2019|A non-Microsoft antivirus/antimalware solution|Passive mode (set manually) <sup>[[2](#fn2)]<sup></sup>|
+|Windows Server 2016|A non-Microsoft antivirus/antimalware solution|Disabled (set manually) <sup>[[3](#fn3)]<sup>|
(<a id="fn2">2</a>) On Windows Server, version 1803, or newer, or Windows Server 2019, when you install a non-Microsoft antivirus product, set Microsoft Defender Antivirus to passive mode manually. You can use the **ForceDefenderPassiveMode** registry key to perform this task. To use the registry key, navigate to `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection`, and set or create a DWORD entry called `ForceDefenderPassiveMode`. Set its value to `1` (which sets the registry key's value to *true*), and select **Hexadecimal** for its base. For more information, see [Passive mode and Windows Server](microsoft-defender-antivirus-on-windows-server.md#passive-mode-and-windows-server).
-(<a id="fn3">3</a>) On Windows Server 2016, you can disable Microsoft Defender Antivirus by using Group Policy to turn off Windows Defender Antivirus, or by using the [DisableAntiSpyware](/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware) registry key. To use the registry key, navigate to `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender`, and set or create a DWORD entry called `DisableAntiSpyware`. Set its value to `1` (which sets the registry key's value to *true*), and select **Hexadecimal** for its base.
+(<a id="fn3">3</a>) On Windows Server 2016, you can disable Microsoft Defender Antivirus by using Group Policy to turn off Windows Defender Antivirus, or by using the [DisableAntiSpyware](/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware) registry key. To use the registry key, navigate to `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender`, and set or create a DWORD entry called `DisableAntiSpyware`. Set its value to `1` (which sets the registry key's value to *true*), and select **Hexadecimal** for its base.
> [!TIP] > See [Microsoft Defender Antivirus on Windows Server](microsoft-defender-antivirus-on-windows-server.md) for key differences and management options for Windows Server installations. On Windows Server 2016, you might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus*. ### Why run Microsoft Defender Antivirus in passive mode?
-Defender for Endpoint includes capabilities that further extend the antivirus protection that is installed on your endpoint. You can benefit from running Microsoft Defender Antivirus alongside another antivirus solution.
+Defender for Endpoint includes capabilities that further extend the antivirus protection that is installed on your endpoint. You can benefit from running Microsoft Defender Antivirus alongside another antivirus solution.
For example, [Endpoint detection and response (EDR) in block mode](edr-in-block-mode.md) provides added protection from malicious artifacts even if Microsoft Defender Antivirus is not the primary antivirus product. Such capabilities require Microsoft Defender Antivirus to be installed and running in passive mode or active mode.
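Review bot: the new delimiter row `|||||` has four cells while the header row `|Windows version|Primary antivirus/antimalware solution|Microsoft Defender Antivirus state|` has three, so the column counts disagree; use a three-cell delimiter row with dashes (`|---|---|---|`) so the table renders in every Markdown engine, not only the docs build. The footnote markup is also only half fixed: the Windows Server 2016 row still carries the unclosed `<sup>[[3](#fn3)]<sup>`, and the row above now reads `<sup>[[2](#fn2)]<sup></sup>`, which closes the inner tag and leaves the outer one open; both should be written `<sup>[[n](#fnn)]</sup>`.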
In order for Microsoft Defender Antivirus to run in passive mode, endpoints must
## How Microsoft Defender Antivirus affects Defender for Endpoint functionality
-Defender for Endpoint affects whether Microsoft Defender Antivirus can run in passive mode. Microsoft Defender Antivirus can affect certain capabilities in Defender for Endpoint, too. For example, real-time protection works when Microsoft Defender Antivirus is in active or passive mode, but not when Microsoft Defender Antivirus is disabled or uninstalled.
+Defender for Endpoint affects whether Microsoft Defender Antivirus can run in passive mode. Microsoft Defender Antivirus can affect certain capabilities in Defender for Endpoint, too. For example, real-time protection works when Microsoft Defender Antivirus is in active or passive mode, but not when Microsoft Defender Antivirus is disabled or uninstalled.
-The table in this section summarizes the features and capabilities that are actively working or not, according to whether Microsoft Defender Antivirus is in active mode, passive mode, or disabled/uninstalled.
+The table in this section summarizes the features and capabilities that are actively working or not, according to whether Microsoft Defender Antivirus is in active mode, passive mode, or disabled/uninstalled.
> [!IMPORTANT]
-> The following table is designed to be informational only. **Do not turn off capabilities**, such as real-time protection, cloud-delivered protection, or limited periodic scanning if you are using Microsoft Defender Antivirus in passive mode, or if you are using [EDR in block mode](edr-in-block-mode.md), which works behind the scenes to detect and remediate malicious artifacts that were detected post-breach.
-<br/>
+> The following table is designed to be informational only. **Do not turn off capabilities**, such as real-time protection, cloud-delivered protection, or limited periodic scanning if you are using Microsoft Defender Antivirus in passive mode, or if you are using [EDR in block mode](edr-in-block-mode.md), which works behind the scenes to detect and remediate malicious artifacts that were detected post-breach.
+
+<br>
-| Protection | Microsoft Defender Antivirus <br/> Active mode | Microsoft Defender Antivirus <br/> Passive mode | Microsoft Defender Antivirus <br/> Disabled or uninstalled | [EDR in block mode](edr-in-block-mode.md) |
-|:|:|:|:|:|
-| [Real-time protection](configure-real-time-protection-microsoft-defender-antivirus.md) and [cloud-delivered protection](enable-cloud-protection-microsoft-defender-antivirus.md) | Yes | No <sup>[[5](#fn5)]<sup> | No | No |
-| [Limited periodic scanning availability](limited-periodic-scanning-microsoft-defender-antivirus.md) | No | No | Yes | No |
-| [File scanning and detection information](review-scan-results-microsoft-defender-antivirus.md) | Yes | Yes | No | Yes |
-| [Threat remediation](configure-remediation-microsoft-defender-antivirus.md) | Yes | See note <sup>[[6](#fn6)]<sup> | No | Yes |
-| [Security intelligence updates](manage-updates-baselines-microsoft-defender-antivirus.md) | Yes | Yes | No | Yes |
+****
-(<a id="fn5">5</a>) In general, when Microsoft Defender Antivirus is in passive mode, real-time protection does not provide any blocking or enforcement, even though it is enabled and in passive mode.
+|Protection|Microsoft Defender Antivirus <p> Active mode|Microsoft Defender Antivirus <p> Passive mode|Microsoft Defender Antivirus <p> Disabled or uninstalled|[EDR in block mode](edr-in-block-mode.md)|
+||||||
+|[Real-time protection](configure-real-time-protection-microsoft-defender-antivirus.md) and [cloud-delivered protection](enable-cloud-protection-microsoft-defender-antivirus.md)|Yes|No <sup>[[5](#fn5)]<sup>|No|No|
+|[Limited periodic scanning availability](limited-periodic-scanning-microsoft-defender-antivirus.md)|No|No|Yes|No|
+|[File scanning and detection information](review-scan-results-microsoft-defender-antivirus.md)|Yes|Yes|No|Yes|
+|[Threat remediation](configure-remediation-microsoft-defender-antivirus.md)|Yes|See note <sup>[[6](#fn6)]<sup>|No|Yes|
+|[Security intelligence updates](manage-updates-baselines-microsoft-defender-antivirus.md)|Yes|Yes|No|Yes|
+||||||
+
+(<a id="fn5">5</a>) In general, when Microsoft Defender Antivirus is in passive mode, real-time protection does not provide any blocking or enforcement, even though it is enabled and in passive mode.
(<a id="fn6">6</a>) When Microsoft Defender Antivirus is in passive mode, threat remediation features are active only during scheduled or on-demand scans.
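Review bot: the `||||||` row added after the Security intelligence updates row is a sixth, empty table row rather than a table terminator and will render as a blank row; drop it and end the table with a blank line. The unclosed superscripts also survive in this table (`No <sup>[[5](#fn5)]<sup>` and `See note <sup>[[6](#fn6)]<sup>`); close them with `</sup>` while the rows are being rewritten.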
The table in this section summarizes the features and capabilities that are acti
You can use one of several methods to confirm the state of Microsoft Defender Antivirus, as described in the following table:
-| Method | Procedure |
-|:|:|
-| Windows Security app | 1. On a Windows device, open the Windows Security app. <br/>2. Select **Virus & threat protection**.<br/>3. Under **Who's protecting me?** select **Manage providers**. <br/>4. On the **Security providers** page, under **Antivirus**, you should see **Microsoft Defender Antivirus is turned on**. |
-| Task Manager | 1. On a Windows device, open the Task Manager app. <br/>2. Select the **Details** tab.<br/>3. Look for **MsMpEng.exe** in the list. |
-| Windows PowerShell <br/> (To confirm that Microsoft Defender Antivirus is running) | 1. On a Windows device, open Windows PowerShell.<br/>2. Run the following PowerShell cmdlet: `Get-Process`.<br/>3. Review the results. You should see **MsMpEng.exe** if Microsoft Defender Antivirus is enabled. |
-| Windows PowerShell <br/> (To confirm that antivirus protection is in place) | You can use the [Get-MpComputerStatus PowerShell cmdlet](/powershell/module/defender/get-mpcomputerstatus).<br/>1. On a Windows device, open Windows PowerShell.<br/>2. Run following PowerShell cmdlet: `Get-MpComputerStatus | select AMRunningMode`.<br/>3. Review the results. You should see either **Normal** or **Passive** if Microsoft Defender Antivirus is enabled on the endpoint. |
-| Command Prompt | 1. On a Windows device, open Command Prompt. <br/> 2. Type `sc query windefend`, and then press Enter.<br/> 3. Review the results to confirm that Microsoft Defender Antivirus is running in passive mode. |
+<br>
+
+****
+
+|Method|Procedure|
+|||
+|Windows Security app|<ol><li>On a Windows device, open the Windows Security app.</li><li>Select **Virus & threat protection**.</li><li>Under **Who's protecting me?** select **Manage providers**.</li><li>On the **Security providers** page, under **Antivirus**, you should see **Microsoft Defender Antivirus is turned on**.</li></ol>|
+|Task Manager|<ol><li>On a Windows device, open the Task Manager app.</li><li>Select the **Details** tab.</li><li>Look for **MsMpEng.exe** in the list.</li></ol>|
+|Windows PowerShell <p> (To confirm that Microsoft Defender Antivirus is running)|<ol><li>On a Windows device, open Windows PowerShell</li><li>Run the following PowerShell cmdlet: `Get-Process`.</li><li>Review the results. You should see **MsMpEng.exe** if Microsoft Defender Antivirus is enabled.</li></ol>|
+|Windows PowerShell <p> (To confirm that antivirus protection is in place)|You can use the [Get-MpComputerStatus PowerShell cmdlet](/powershell/module/defender/get-mpcomputerstatus). <ol><li>On a Windows device, open Windows PowerShell.</li><li>Run following PowerShell cmdlet: `Get-MpComputerStatus|select AMRunningMode`.</li><li>Review the results. You should see either **Normal** or **Passive** if Microsoft Defender Antivirus is enabled on the endpoint.</li></ol>|
+|Command Prompt|<ol><li>On a Windows device, open Command Prompt.</li><li>Type `sc query windefend`, and then press Enter.</li><li>Review the results to confirm that Microsoft Defender Antivirus is running in passive mode.</li></ol>|
+|||
## More details about Microsoft Defender Antivirus states
-The table in this section describes various states you might see with Microsoft Defender Antivirus. <br/>
+The table in this section describes various states you might see with Microsoft Defender Antivirus.
+
+<br>
+
+****
-| Microsoft Defender Antivirus state | What happens |
-|||
-| Active mode | In active mode, Microsoft Defender Antivirus is used as the antivirus app on the machine. Settings that are configured by using Configuration Manager, Group Policy, Microsoft Intune, or other management products will apply. Files are scanned, threats are remediated, and detection information is reported in your configuration tool (such as Configuration Manager or the Microsoft Defender Antivirus app on the endpoint itself). |
-| Passive mode | In passive mode, Microsoft Defender Antivirus is not used as the antivirus app, and threats are *not* remediated by Microsoft Defender Antivirus. Threats can be remediated by [Endpoint detection and response (EDR) in block mode](edr-in-block-mode.md), however.<br/><br/> Files are scanned, and reports are provided for threat detections that are shared with the Defender for Endpoint service. You might see alerts in the [security center](microsoft-defender-security-center.md) showing Microsoft Defender Antivirus as a source, even when Microsoft Defender Antivirus is in passive mode. <br/>When Microsoft Defender Antivirus is in passive mode, you can still [manage updates for Microsoft Defender Antivirus](manage-updates-baselines-microsoft-defender-antivirus.md); however, you can't move Microsoft Defender Antivirus into active mode if your devices have a non-Microsoft antivirus product that is providing real-time protection from malware. <br/><br/>For optimal security layered defense and detection efficacy, make sure to get your antivirus and antimwalware updates, even if Microsoft Defender Antivirus is running in passive mode. See [Manage Microsoft Defender Antivirus updates and apply baselines](manage-updates-baselines-microsoft-defender-antivirus.md). <br/><br/>**NOTE**: Passive mode is not supported on Windows Server 2016. |
-| Disabled <br/>or<br/>Uninstalled | When disabled or uninstalled, Microsoft Defender Antivirus is not used as the antivirus app. Files are not scanned and threats are not remediated.<br/><br/> Disabling or uninstalling Microsoft Defender Antivirus is not recommended in general; if possible, keep Microsoft Defender Antivirus in passive mode if you are using a non-Microsoft antimalware/antivirus solution.<br/><br/>In cases where Microsoft Defender Antivirus is disabled automatically, it can be re-enabled automatically if the non-Microsoft antivirus/antimalware product expires or otherwise stops providing real-time protection from viruses, malware, or other threats. The automatic re-enabling of Microsoft Defender Antivirus helps to ensure that antivirus protection is maintained on your endpoints.<br/><br/>You might also use [limited periodic scanning](limited-periodic-scanning-microsoft-defender-antivirus.md), which works with the Microsoft Defender Antivirus engine to periodically check for threats if you are using a non-Microsoft antivirus app. |
+|Microsoft Defender Antivirus state|What happens|
+|||
+|Active mode|In active mode, Microsoft Defender Antivirus is used as the antivirus app on the machine. Settings that are configured by using Configuration Manager, Group Policy, Microsoft Intune, or other management products will apply. Files are scanned, threats are remediated, and detection information is reported in your configuration tool (such as Configuration Manager or the Microsoft Defender Antivirus app on the endpoint itself).|
+|Passive mode|In passive mode, Microsoft Defender Antivirus is not used as the antivirus app, and threats are *not* remediated by Microsoft Defender Antivirus. Threats can be remediated by [Endpoint detection and response (EDR) in block mode](edr-in-block-mode.md), however. <p> Files are scanned, and reports are provided for threat detections that are shared with the Defender for Endpoint service. You might see alerts in the [security center](microsoft-defender-security-center.md) showing Microsoft Defender Antivirus as a source, even when Microsoft Defender Antivirus is in passive mode. <p> When Microsoft Defender Antivirus is in passive mode, you can still [manage updates for Microsoft Defender Antivirus](manage-updates-baselines-microsoft-defender-antivirus.md); however, you can't move Microsoft Defender Antivirus into active mode if your devices have a non-Microsoft antivirus product that is providing real-time protection from malware. <p> For optimal security layered defense and detection efficacy, make sure to get your antivirus and antimwalware updates, even if Microsoft Defender Antivirus is running in passive mode. See [Manage Microsoft Defender Antivirus updates and apply baselines](manage-updates-baselines-microsoft-defender-antivirus.md). <p> **NOTE**: Passive mode is not supported on Windows Server 2016.|
+|Disabled <p> or <p> Uninstalled|When disabled or uninstalled, Microsoft Defender Antivirus is not used as the antivirus app. Files are not scanned and threats are not remediated. <p> Disabling or uninstalling Microsoft Defender Antivirus is not recommended in general; if possible, keep Microsoft Defender Antivirus in passive mode if you are using a non-Microsoft antimalware/antivirus solution. <p> In cases where Microsoft Defender Antivirus is disabled automatically, it can be re-enabled automatically if the non-Microsoft antivirus/antimalware product expires or otherwise stops providing real-time protection from viruses, malware, or other threats. The automatic re-enabling of Microsoft Defender Antivirus helps to ensure that antivirus protection is maintained on your endpoints. <p> You might also use [limited periodic scanning](limited-periodic-scanning-microsoft-defender-antivirus.md), which works with the Microsoft Defender Antivirus engine to periodically check for threats if you are using a non-Microsoft antivirus app.|
+|||
## See also
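Review bot: step 3 of the Command Prompt row, `Review the results to confirm that Microsoft Defender Antivirus is running in passive mode`, promises more than `sc query windefend` can deliver: the service query only reports whether the WinDefend service is running (the Windows Server article later on this page says exactly that: `When Microsoft Defender Antivirus is running, the STATE value displays RUNNING`) and does not distinguish active from passive mode. Reword it to confirm that the service is running and point readers to the `Get-MpComputerStatus` row, where `AMRunningMode` reports **Normal** or **Passive**. Two smaller items in the same hunk: the unescaped pipe in `Get-MpComputerStatus|select AMRunningMode` is a cell separator inside a Markdown table and should be written `Get-MpComputerStatus \| select AMRunningMode`, and `antimwalware` in the Passive mode row is a typo for `antimalware`. The trailing `|||` rows after both tables add empty rows and should be removed.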
security Microsoft Defender Antivirus On Windows Server https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-on-windows-server.md
Last updated 08/05/2021
- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/) Microsoft Defender Antivirus is available on the following editions/versions of Windows Server:+ - Windows Server 2019 - Windows Server, version 1803 or later-- Windows Server 2016.
+- Windows Server 2016.
In some instances, Microsoft Defender Antivirus is referred to as *Endpoint Protection*; however, the protection engine is the same. Although the functionality, configuration, and management are largely the same for [Microsoft Defender Antivirus on Windows 10](microsoft-defender-antivirus-in-windows-10.md), there are a few key differences on Windows Server: - On Windows Server, [automatic exclusions](configure-server-exclusions-microsoft-defender-antivirus.md) are applied based on your defined Server Role.
-
+ - On Windows Server, if you are running a non-Microsoft antivirus/antimalware solution, Microsoft Defender Antivirus does not go into either passive mode or disabled mode automatically. However, you can set Microsoft Defender Antivirus to passive or disabled mode manually. ## Setting up Microsoft Defender Antivirus on Windows Server
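Review bot: the re-added bullet `+ - On Windows Server, if you are running a non-Microsoft antivirus/antimalware solution, ...` is indented by one space while its sibling `- On Windows Server, [automatic exclusions](...)` starts at column 0; align the two markers so they render as one list, and make sure the `## Setting up Microsoft Defender Antivirus on Windows Server` heading that follows is separated from the last bullet by a blank line.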
The process of setting up and running Microsoft Defender Antivirus on a server p
## Enable the user interface on Windows Server
-By default, Microsoft Defender Antivirus is installed and functional on Windows Server. Sometimes, the user interface (GUI) is installed by default, but the GUI is not required. You can use PowerShell, Group Policy, or other methods to manage Microsoft Defender Antivirus.
+By default, Microsoft Defender Antivirus is installed and functional on Windows Server. Sometimes, the user interface (GUI) is installed by default, but the GUI is not required. You can use PowerShell, Group Policy, or other methods to manage Microsoft Defender Antivirus.
If the GUI is not installed on your server, and you want to install it, either the **Add Roles and Features** wizard or PowerShell cmdlets.
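Review bot: the paragraph this hunk touches ends with a sentence that has lost its verb: `If the GUI is not installed on your server, and you want to install it, either the **Add Roles and Features** wizard or PowerShell cmdlets.` should read `... you can use either the **Add Roles and Features** wizard or PowerShell cmdlets.`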
If the GUI is not installed on your server, and you want to install it, either t
### Turn on the GUI using PowerShell
-The following PowerShell cmdlet will enable the interface:
+The following PowerShell cmdlet will enable the interface:
```PowerShell Install-WindowsFeature -Name Windows-Defender-GUI
Install-WindowsFeature -Name Windows-Defender
Event messages for the antimalware engine included with Microsoft Defender Antivirus can be found in [Microsoft Defender AV Events](troubleshoot-microsoft-defender-antivirus.md). - ## Verify Microsoft Defender Antivirus is running Once Microsoft Defender Antivirus is installed, your next step is to verify that it's running. On your Windows Server endpoint, run the following PowerShell cmdlet:
Get-Service -Name windefend
To verify that firewall protection is turned on, run the following PowerShell cmdlet:
-```PowerShell
+```PowerShell
Get-Service -Name mpssvc ```
-As an alternative to PowerShell, you can use Command Prompt to verify that Microsoft Defender Antivirus is running. To do that, run the following command from a command prompt:
+As an alternative to PowerShell, you can use Command Prompt to verify that Microsoft Defender Antivirus is running. To do that, run the following command from a command prompt:
```console sc query Windefend
sc query Windefend
The `sc query` command returns information about the Microsoft Defender Antivirus service. When Microsoft Defender Antivirus is running, the `STATE` value displays `RUNNING`.
-## Update antimalware Security intelligence
+## Update antimalware Security intelligence
To get updated antimalware security intelligence, you must have the Windows Update service running. If you use an update management service, like Windows Server Update Services (WSUS), make sure that updates for Microsoft Defender Antivirus Security intelligence are approved for the computers you manage. By default, Windows Update does not download and install updates automatically on Windows Server 2019 or Windows Server 2016. You can change this configuration by using one of the following methods:
+<br>
-|Method |Description |
-|||
-|**Windows Update** in Control Panel | **Install updates automatically** results in all updates being automatically installed, including Windows Defender Security intelligence updates. <p>**Download updates but let me choose whether to install them** allows Windows Defender to download and install Security intelligence updates automatically, but other updates are not automatically installed. |
-|**Group Policy** | You can set up and manage Windows Update by using the settings available in Group Policy, in the following path: **Administrative Templates\Windows Components\Windows Update\Configure Automatic Updates** |
-|The **AUOptions** registry key | The following two values allow Windows Update to automatically download and install Security intelligence updates: <p>**4** - **Install updates automatically**. This value results in all updates being automatically installed, including Windows Defender Security intelligence updates. <p>**3** - **Download updates but let me choose whether to install them**. This value allows Windows Defender to download and install Security intelligence updates automatically, but other updates are not automatically installed. |
+****
+
+|Method|Description|
+|||
+|**Windows Update** in Control Panel|**Install updates automatically** results in all updates being automatically installed, including Windows Defender Security intelligence updates. <p> **Download updates but let me choose whether to install them** allows Windows Defender to download and install Security intelligence updates automatically, but other updates are not automatically installed.|
+|**Group Policy**|You can set up and manage Windows Update by using the settings available in Group Policy, in the following path: **Administrative Templates\Windows Components\Windows Update\Configure Automatic Updates**|
+|The **AUOptions** registry key|The following two values allow Windows Update to automatically download and install Security intelligence updates: <p> **4** - **Install updates automatically**. This value results in all updates being automatically installed, including Windows Defender Security intelligence updates. <p> **3** - **Download updates but let me choose whether to install them**. This value allows Windows Defender to download and install Security intelligence updates automatically, but other updates are not automatically installed.|
+|
To ensure that protection from malware is maintained, we recommend that you enable the following - Windows Error Reporting service- - Windows Update service The following table lists the services for Microsoft Defender Antivirus and the dependent services.
+<br>
+
+****
+ |Service Name|File Location|Description|
-|--||--|
+||||
|Windows Defender Service (WinDefend)|`C:\Program Files\Windows Defender\MsMpEng.exe`|This is the main Microsoft Defender Antivirus service that needs to be running at all times.| |Windows Error Reporting Service (Wersvc)|`C:\WINDOWS\System32\svchost.exe -k WerSvcGroup`|This service sends error reports back to Microsoft.| |Windows Defender Firewall (MpsSvc)|`C:\WINDOWS\system32\svchost.exe -k LocalServiceNoNetwork`|We recommend leaving the Windows Defender Firewall service enabled.| |Windows Update (Wuauserv)|`C:\WINDOWS\system32\svchost.exe -k netsvcs`|Windows Update is needed to get Security intelligence updates and antimalware engine updates|
+|
## Submit samples
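Review bot: the single-character lines `+|` that close the two new tables (after the **AUOptions** row and after the Windows Update (Wuauserv) row) are not a table terminator; a lone pipe renders as a stray `|` or an empty row. Remove them and end each table with a blank line. The header row ` |Service Name|File Location|Description|` also carries a leading space that its delimiter row `||||` lacks; align them, and give the delimiter row dashes (`|---|---|---|`) so it is a valid separator rather than another empty row.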
Sample submission allows Microsoft to collect samples of potentially malicious s
### Submit a file 1. Review the [submission guide](/windows/security/threat-protection/intelligence/submission-guide).- 2. Visit the [sample submission portal](https://www.microsoft.com/wdsi/filesubmission), and submit your file. - ### Enable automatic sample submission To enable automatic sample submission, start a Windows PowerShell console as an administrator, and set the **SubmitSamplesConsent** value data according to one of the following settings:
-|Setting |Description |
-|||
-|**0** - **Always prompt** |The Microsoft Defender Antivirus service prompts you to confirm submission of all required files. This is the default setting for Microsoft Defender Antivirus, but is not recommended for installations on Windows Server 2016 or 2019 without a GUI. |
-|**1** - **Send safe samples automatically** |The Microsoft Defender Antivirus service sends all files marked as "safe" and prompts for the remainder of the files. |
-|**2** - **Never send** |The Microsoft Defender Antivirus service does not prompt and does not send any files. |
-|**3** - **Send all samples automatically** |The Microsoft Defender Antivirus service sends all files without a prompt for confirmation. |
+<br>
+
+****
+
+|Setting|Description|
+|||
+|**0** - **Always prompt**|The Microsoft Defender Antivirus service prompts you to confirm submission of all required files. This is the default setting for Microsoft Defender Antivirus, but is not recommended for installations on Windows Server 2016 or 2019 without a GUI.|
+|**1** - **Send safe samples automatically**|The Microsoft Defender Antivirus service sends all files marked as "safe" and prompts for the remainder of the files.|
+|**2** - **Never send**|The Microsoft Defender Antivirus service does not prompt and does not send any files.|
+|**3** - **Send all samples automatically**|The Microsoft Defender Antivirus service sends all files without a prompt for confirmation.|
+|
## Configure automatic exclusions To help ensure security and performance, certain exclusions are automatically added based on the roles and features you install when using Microsoft Defender Antivirus on Windows Server 2016 or 2019.
-See [Configure exclusions in Microsoft Defender Antivirus on Windows Server](configure-server-exclusions-microsoft-defender-antivirus.md).
+See [Configure exclusions in Microsoft Defender Antivirus on Windows Server](configure-server-exclusions-microsoft-defender-antivirus.md).
## Passive mode and Windows Server If you are using a non-Microsoft antivirus product as your primary antivirus solution on Windows Server, you must set Microsoft Defender Antivirus to passive mode or disabled mode. -- On Windows Server, version 1803 or newer, or Windows Server 2019, you can set Microsoft Defender Antivirus to passive mode. See the following sections:
-
- - [Set Microsoft Defender Antivirus to passive mode using a registry key](#set-microsoft-defender-antivirus-to-passive-mode-using-a-registry-key)
- - [Disable Microsoft Defender Antivirus using the Remove Roles and Features wizard](#disable-microsoft-defender-antivirus-using-the-remove-roles-and-features-wizard)
- - [Turn off the Microsoft Defender Antivirus user interface using PowerShell](#turn-off-the-microsoft-defender-antivirus-user-interface-using-powershell)
+- On Windows Server, version 1803 or newer, or Windows Server 2019, you can set Microsoft Defender Antivirus to passive mode. See the following sections:
+ - [Set Microsoft Defender Antivirus to passive mode using a registry key](#set-microsoft-defender-antivirus-to-passive-mode-using-a-registry-key)
+ - [Disable Microsoft Defender Antivirus using the Remove Roles and Features wizard](#disable-microsoft-defender-antivirus-using-the-remove-roles-and-features-wizard)
+ - [Turn off the Microsoft Defender Antivirus user interface using PowerShell](#turn-off-the-microsoft-defender-antivirus-user-interface-using-powershell)
- On Windows Server 2016, Microsoft Defender Antivirus is not supported alongside a non-Microsoft antivirus/antimalware product. In these cases, you must set Microsoft Defender Antivirus to disabled mode. See [Uninstalling or disabling Microsoft Defender Antivirus on Windows Server 2016](#uninstalling-or-disabling-microsoft-defender-antivirus-on-windows-server-2016) ### Set Microsoft Defender Antivirus to passive mode using a registry key If you are using Windows Server, version 1803 or Windows Server 2019, you can set Microsoft Defender Antivirus to passive mode by setting the following registry key:+ - Path: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection` - Name: `ForceDefenderPassiveMode` - Type: `REG_DWORD`
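Review bot: the nested links under `+- On Windows Server, version 1803 or newer, or Windows Server 2019, you can set Microsoft Defender Antivirus to passive mode. See the following sections:` are now indented by one space (`+ - [Set Microsoft Defender Antivirus to passive mode using a registry key](...)`), down from two in the removed lines; CommonMark requires a nested marker to start at or past the parent item's content column (two spaces for `- `), so with one space these three entries become siblings of the parent bullet instead of sub-items. Restore the two-space indent. The `+|` line after the **3** - **Send all samples automatically** row is a stray pipe, not a table terminator, and should be removed.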
If you are using Windows Server, version 1803 or Windows Server 2019, you can se
### Disable Microsoft Defender Antivirus using the Remove Roles and Features wizard
-1. See [Install or Uninstall Roles, Role Services, or Features](/windows-server/administration/server-manager/install-or-uninstall-roles-role-services-or-features#remove-roles-role-services-and-features-by-using-the-remove-roles-and-features-wizard), and use the **Remove Roles and Features Wizard**.
+1. See [Install or Uninstall Roles, Role Services, or Features](/windows-server/administration/server-manager/install-or-uninstall-roles-role-services-or-features#remove-roles-role-services-and-features-by-using-the-remove-roles-and-features-wizard), and use the **Remove Roles and Features Wizard**.
+
+2. When you get to the **Features** step of the wizard, clear the **Windows Defender Features** option.
-2. When you get to the **Features** step of the wizard, clear the **Windows Defender Features** option.
+ If you clear **Windows Defender** by itself under the **Windows Defender Features** section, you will be prompted to remove the interface option **GUI for Windows Defender**.
- If you clear **Windows Defender** by itself under the **Windows Defender Features** section, you will be prompted to remove the interface option **GUI for Windows Defender**.
-
Microsoft Defender Antivirus will still run normally without the user interface, but the user interface cannot be enabled if you disable the core **Windows Defender** feature. ### Turn off the Microsoft Defender Antivirus user interface using PowerShell
Uninstall-WindowsFeature -Name Windows-Defender-GUI
If you are using Windows Server 2016 with a non-Microsoft antimalware/antivirus product, you'll need to either disable or uninstall Microsoft Defender Antivirus. You can use one of several methods:
-| Procedure | Description |
-|||
-| Disable Microsoft Defender Antivirus using Group Policy | In your Local Group Policy Editor, navigate to **Windows Defender**, and then select **Turn off Windows Defender Antivirus**. |
-| Disable Microsoft Defender Antivirus using a registry key | To use the the [DisableAntiSpyware](/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware) registry key, navigate to `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender`, and set or create a DWORD entry called `DisableAntiSpyware`. Set its value to `1` (which sets the registry key's value to *true*). |
-| Disable Microsoft Defender Antivirus using PowerShell | Use the following PowerShell cmdlet: `Set-MpPreference -DisableRealtimeMonitoring $true` |
-| Uninstall Microsoft Defender Antivirus using PowerShell | Use the following PowerShell cmdlet: `Uninstall-WindowsFeature -Name Windows-Defender` |
+<br>
+
+****
+
+|Procedure|Description|
+|||
+|Disable Microsoft Defender Antivirus using Group Policy|In your Local Group Policy Editor, navigate to **Windows Defender**, and then select **Turn off Windows Defender Antivirus**.|
+|Disable Microsoft Defender Antivirus using a registry key|To use the the [DisableAntiSpyware](/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware) registry key, navigate to `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender`, and set or create a DWORD entry called `DisableAntiSpyware`. Set its value to `1` (which sets the registry key's value to *true*).|
+|Disable Microsoft Defender Antivirus using PowerShell|Use the following PowerShell cmdlet: `Set-MpPreference -DisableRealtimeMonitoring $true`|
+|Uninstall Microsoft Defender Antivirus using PowerShell|Use the following PowerShell cmdlet: `Uninstall-WindowsFeature -Name Windows-Defender`|
+|
## See also
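Review bot: the row labeled `Disable Microsoft Defender Antivirus using PowerShell` pairs that label with `Set-MpPreference -DisableRealtimeMonitoring $true`, whose parameter name says what it actually does: turn off real-time monitoring, which is narrower than the `DisableAntiSpyware` registry key or `Uninstall-WindowsFeature -Name Windows-Defender` rows in the same table. Either narrow the label to "Turn off real-time protection using PowerShell" or state in the description that only real-time monitoring is disabled, so an admin who must fully disable Microsoft Defender Antivirus on Windows Server 2016 (the requirement given just above the table) does not stop at this step. Smaller items in the same hunk: `To use the the [DisableAntiSpyware]` doubles `the`; the continuation paragraph ` If you clear **Windows Defender** by itself ...` needs three spaces of indent to stay inside ordered-list item 2 after the blank line; and the trailing `+|` line is a stray pipe that should be removed.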
security Microsoft Defender Antivirus Windows https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows.md
ms.technology: mde
- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)
-Microsoft Defender Antivirus is a major component of your next-generation protection in Microsoft Defender for Endpoint. This protection brings together machine learning, big-data analysis, in-depth threat resistance research, and the Microsoft cloud infrastructure to protect devices (or endpoints) in your organization. Microsoft Defender Antivirus is built into Windows, and it works with Microsoft Defender for Endpoint to provide protection on your device and in the cloud.
+Microsoft Defender Antivirus is a major component of your next-generation protection in Microsoft Defender for Endpoint. This protection brings together machine learning, big-data analysis, in-depth threat resistance research, and the Microsoft cloud infrastructure to protect devices (or endpoints) in your organization. Microsoft Defender Antivirus is built into Windows, and it works with Microsoft Defender for Endpoint to provide protection on your device and in the cloud.
## Compatibility with other antivirus products
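Review bot: the `-` line removing `- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)` has no `+` counterpart, so the article loses its applies-to link with nothing put in its place; keep it or state the reason in the commit. The `-`/`+` pair for the intro paragraph that follows differs only in trailing whitespace and is noise in the diff.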
If you're using a non-Microsoft antivirus/antimalware product on your device, yo
The following table describes what to expect when Microsoft Defender Antivirus is in active mode, passive mode, or disabled.
-| Mode | What happens |
-|||
-| Active mode | In active mode, Microsoft Defender Antivirus is used as the primary antivirus app on the device. Files are scanned, threats are remediated, and detected threats are listed in your organization's security reports and in your Windows Security app. |
-| Passive mode | In passive mode, Microsoft Defender Antivirus is not used as the primary antivirus app on the device. Files are scanned, and detected threats are reported, but threats are not remediated by Microsoft Defender Antivirus. <br/><br/>**IMPORTANT**: Microsoft Defender Antivirus can run in passive mode only on endpoints that are onboarded to Microsoft Defender for Endpoint. See [Requirements for Microsoft Defender Antivirus to run in passive mode](microsoft-defender-antivirus-compatibility.md#requirements-for-microsoft-defender-antivirus-to-run-in-passive-mode). |
-| Disabled or uninstalled | When disabled or uninstalled, Microsoft Defender Antivirus is not used. Files are not scanned, and threats are not remediated. In general, we do not recommend disabling or uninstalling Microsoft Defender Antivirus. |
+<br>
+
+****
+
+|Mode|What happens|
+|||
+|Active mode|In active mode, Microsoft Defender Antivirus is used as the primary antivirus app on the device. Files are scanned, threats are remediated, and detected threats are listed in your organization's security reports and in your Windows Security app.|
+|Passive mode|In passive mode, Microsoft Defender Antivirus is not used as the primary antivirus app on the device. Files are scanned, and detected threats are reported, but threats are not remediated by Microsoft Defender Antivirus. <p> **IMPORTANT**: Microsoft Defender Antivirus can run in passive mode only on endpoints that are onboarded to Microsoft Defender for Endpoint. See [Requirements for Microsoft Defender Antivirus to run in passive mode](microsoft-defender-antivirus-compatibility.md#requirements-for-microsoft-defender-antivirus-to-run-in-passive-mode).|
+|Disabled or uninstalled|When disabled or uninstalled, Microsoft Defender Antivirus is not used. Files are not scanned, and threats are not remediated. In general, we do not recommend disabling or uninstalling Microsoft Defender Antivirus.|
+|
To learn more, see [Microsoft Defender Antivirus compatibility](microsoft-defender-antivirus-compatibility.md).
You'll see the name of your antivirus/antimalware solution on the settings page.
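Review bot: the `<br>`, `****` and trailing `|` lines wrapped around the Mode table add nothing the original table lacked, and the final `|` renders as an empty row; remove all three. Inside the Passive mode cell, replacing `<br/><br/>` with `<p>` leaves an opening paragraph tag with no close inside a table cell; either keep `<br/><br/>` or write a closed `<p></p>` so the cell markup stays well-formed.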
## Get your antivirus/antimalware platform updates
-It's important to keep Microsoft Defender Antivirus, or any antivirus/antimalware solution, up to date. Microsoft releases regular updates to help ensure that your devices have the latest technology to protect against new malware and attack techniques. To learn more, see [Manage Microsoft Defender Antivirus updates and apply baselines](manage-updates-baselines-microsoft-defender-antivirus.md).
+It's important to keep Microsoft Defender Antivirus, or any antivirus/antimalware solution, up to date. Microsoft releases regular updates to help ensure that your devices have the latest technology to protect against new malware and attack techniques. To learn more, see [Manage Microsoft Defender Antivirus updates and apply baselines](manage-updates-baselines-microsoft-defender-antivirus.md).
## See also
security Microsoft Defender Endpoint Mac https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-mac.md
This topic describes how to install, configure, update, and use Defender for End
[What's new in Microsoft Defender for Endpoint on Mac](mac-whatsnew.md) > [!TIP]
-> If you have any feedback that you would like to share, submit it by opening Microsoft Defender for Endpoint on Mac on your device and navigating to **Help** > **Send feedback**.
+> If you have any feedback that you would like to share, submit it by opening Microsoft Defender for Endpoint on Mac on your device and navigating to **Help** \> **Send feedback**.
To get the latest features, including preview capabilities (such as endpoint detection and response for your Mac devices), configure your macOS device running Microsoft Defender for Endpoint to be an "Insider" device.
security Microsoft Defender Endpoint https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint.md
ms.technology: mde
> For more info about Windows 10 Enterprise Edition features and functionality, see [Windows 10 Enterprise edition](https://www.microsoft.com/WindowsForBusiness/buy). Microsoft Defender for Endpoint is an enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats.
-<p></p>
->[!VIDEO https://www.microsoft.com/videoplayer/embed/RE4wDob]
+> [!TIP]
+> Soon, Microsoft Defender for Endpoint will be available in two plans. This article describes the features and capabilities that are included in Microsoft Defender for Endpoint Plan 2. [Learn more about Microsoft Defender for Endpoint Plan 1 (preview) and Plan 2](defender-endpoint-plan-1-2.md).
+>
-Defender for Endpoint uses the following combination of technology built into Windows 10 and Microsoft's robust cloud service:
+<p><p>
-- **Endpoint behavioral sensors**: Embedded in Windows 10, these sensors collect and process behavioral signals from the operating system and send this sensor data to your private, isolated, cloud instance of Microsoft Defender for Endpoint.
+> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4wDob]
+
+Defender for Endpoint uses the following combination of technology built into Windows 10 and Microsoft's robust cloud service:
+- **Endpoint behavioral sensors**: Embedded in Windows 10, these sensors collect and process behavioral signals from the operating system and send this sensor data to your private, isolated, cloud instance of Microsoft Defender for Endpoint.
-- **Cloud security analytics**: Leveraging big-data, device-learning, and
- unique Microsoft optics across the Windows ecosystem,
- enterprise cloud products (such as Office 365), and online assets, behavioral signals
- are translated into insights, detections, and recommended responses
- to advanced threats.
+- **Cloud security analytics**: Leveraging big-data, device-learning, and unique Microsoft optics across the Windows ecosystem, enterprise cloud products (such as Office 365), and online assets, behavioral signals are translated into insights, detections, and recommended responses to advanced threats.
-- **Threat intelligence**: Generated by Microsoft hunters, security teams,
- and augmented by threat intelligence provided by partners, threat
- intelligence enables Defender for Endpoint to identify attacker
- tools, techniques, and procedures, and generate alerts when they
- are observed in collected sensor data.
+- **Threat intelligence**: Generated by Microsoft hunters, security teams, and augmented by threat intelligence provided by partners, threat intelligence enables Defender for Endpoint to identify attacker tools, techniques, and procedures, and generate alerts when they are observed in collected sensor data.
<center><h2>Microsoft Defender for Endpoint</center></h2> <table>
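Review bot: `+<p><p>` replaces `<p></p>` with two opening paragraph tags and no closing tag; restore `<p></p>` or use a blank line, which is what the rest of this hunk uses for spacing. The bare `+>` line that ends the new TIP leaves a trailing empty blockquote line before the video embed and can go. While these lines are open, the unchanged `<center><h2>Microsoft Defender for Endpoint</center></h2>` just below mis-nests its tags (`</center>` closes before `</h2>`); swapping the two closing tags fixes it.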
Defender for Endpoint uses the following combination of technology built into Wi
<p></p>
->[!VIDEO https://www.microsoft.com/videoplayer/embed/RE4vnC4?rel=0]
+> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4vnC4?rel=0]
> [!TIP]
+>
> - Learn about the latest enhancements in Defender for Endpoint: [What's new in Microsoft Defender for Endpoint](whats-new-in-microsoft-defender-atp.md). > - Microsoft Defender for Endpoint demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation. Read: [Insights from the MITRE ATT&CK-based evaluation](https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/). <a name="tvm"></a>
-**[Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)**<br>
-This built-in capability uses a game-changing risk-based approach to the discovery, prioritization, and remediation of endpoint vulnerabilities and misconfigurations.
+**[Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)**
+
+This built-in capability uses a game-changing risk-based approach to the discovery, prioritization, and remediation of endpoint vulnerabilities and misconfigurations.
<a name="asr"></a>
-**[Attack surface reduction](overview-attack-surface-reduction.md)**<br>
-The attack surface reduction set of capabilities provides the first line of defense in the stack. By ensuring configuration settings are properly set and exploit mitigation techniques are applied, the capabilities resist attacks and exploitation. This set of capabilities also includes [network protection](network-protection.md) and [web protection](web-protection-overview.md), which regulate access to malicious IP addresses, domains, and URLs.
+**[Attack surface reduction](overview-attack-surface-reduction.md)**
+
+The attack surface reduction set of capabilities provides the first line of defense in the stack. By ensuring configuration settings are properly set and exploit mitigation techniques are applied, the capabilities resist attacks and exploitation. This set of capabilities also includes [network protection](network-protection.md) and [web protection](web-protection-overview.md), which regulate access to malicious IP addresses, domains, and URLs.
<a name="ngp"></a>
-**[Next-generation protection](next-generation-protection.md)**<br>
+**[Next-generation protection](next-generation-protection.md)**
+ To further reinforce the security perimeter of your network, Microsoft Defender for Endpoint uses next-generation protection designed to catch all types of emerging threats. <a name="edr"></a>
-**[Endpoint detection and response](overview-endpoint-detection-response.md)**<br>
+**[Endpoint detection and response](overview-endpoint-detection-response.md)**
+ Endpoint detection and response capabilities are put in place to detect, investigate, and respond to advanced threats that may have made it past the first two security pillars. [Advanced hunting](advanced-hunting-overview.md) provides a query-based threat-hunting tool that lets you proactively find breaches and create custom detections. <a name="ai"></a>
-**[Automated investigation and remediation](automated-investigations.md)**<br>
-In conjunction with being able to quickly respond to advanced attacks, Microsoft Defender for Endpoint offers automatic investigation and remediation capabilities that help reduce the volume of alerts in minutes at scale.
+**[Automated investigation and remediation](automated-investigations.md)**
+
+In conjunction with being able to quickly respond to advanced attacks, Microsoft Defender for Endpoint offers automatic investigation and remediation capabilities that help reduce the volume of alerts in minutes at scale.
<a name="ss"></a>
-**[Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md)**<br>
+**[Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md)**
Defender for Endpoint includes Microsoft Secure Score for Devices to help you dynamically assess the security state of your enterprise network, identify unprotected systems, and take recommended actions to improve the overall security of your organization. <a name="mte"></a>
-**[Microsoft Threat Experts](microsoft-threat-experts.md)**<br>
+**[Microsoft Threat Experts](microsoft-threat-experts.md)**
+ Microsoft Defender for Endpoint's new managed threat hunting service provides proactive hunting, prioritization, and additional context and insights that further empower Security operation centers (SOCs) to identify and respond to threats quickly and accurately.
->[!IMPORTANT]
->Defender for Endpoint customers need to apply for the Microsoft Threat Experts managed threat hunting service to get proactive Targeted Attack Notifications and to collaborate with experts on demand. Experts on Demand is an add-on service. Targeted Attack Notifications are always included after you have been accepted into Microsoft Threat Experts managed threat hunting service.<p>
-><p>If you are not enrolled yet and would like to experience its benefits, go to <b>Settings</b> > <b>General</b> > <b>Advanced features</b> > <b>Microsoft Threat Experts</b> to apply. Once accepted, you will get the benefits of Targeted Attack Notifications, and start a 90-day trial of Experts on Demand. Contact your Microsoft representative to get a full Experts on Demand subscription.
+> [!IMPORTANT]
+> Defender for Endpoint customers need to apply for the Microsoft Threat Experts managed threat hunting service to get proactive Targeted Attack Notifications and to collaborate with experts on demand. Experts on Demand is an add-on service. Targeted Attack Notifications are always included after you have been accepted into Microsoft Threat Experts managed threat hunting service.
+>
+> If you are not enrolled yet and would like to experience its benefits, go to **Settings** \> **General** \> **Advanced features** \> **Microsoft Threat Experts** to apply. Once accepted, you will get the benefits of Targeted Attack Notifications, and start a 90-day trial of Experts on Demand. Contact your Microsoft representative to get a full Experts on Demand subscription.
<a name="apis"></a>
-**[Centralized configuration and administration, APIs](management-apis.md)**<br>
+**[Centralized configuration and administration, APIs](management-apis.md)**
+ Integrate Microsoft Defender for Endpoint into your existing workflows. <a name="mtp"></a>
-**[Integration with Microsoft solutions](threat-protection-integration.md)** <br>
+**[Integration with Microsoft solutions](threat-protection-integration.md)**
+ Defender for Endpoint directly integrates with various Microsoft solutions, including:+ - Azure Defender - Azure Sentinel - Intune
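Review bot: the `<br>` removal is applied three different ways in this hunk, so the headings will not render alike: `Threat & Vulnerability Management`, `Attack surface reduction` and `Automated investigation and remediation` get a real blank line before their paragraph; `Next-generation protection`, `Endpoint detection and response`, `Microsoft Threat Experts` and `Centralized configuration and administration, APIs` get a `+ ` line holding a single space; and `Microsoft Secure Score for Devices` gets nothing, so its bold link runs straight into the paragraph that follows it as one Markdown paragraph. Put one genuine blank line after every bold heading.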
Defender for Endpoint directly integrates with various Microsoft solutions, incl
- Microsoft Defender for Office - Skype for Business
-**[Microsoft 365 Defender](/microsoft-365/security/defender/microsoft-threat-protection)**<br>
-With Microsoft 365 Defender, Defender for Endpoint and various Microsoft security solutions form a unified pre- and post-breach enterprise defense suite that natively integrates across endpoint, identity, email, and applications to detect, prevent, investigate, and automatically respond to sophisticated attacks.
-
+**[Microsoft 365 Defender](/microsoft-365/security/defender/microsoft-threat-protection)**
+With Microsoft 365 Defender, Defender for Endpoint and various Microsoft security solutions form a unified pre- and post-breach enterprise defense suite that natively integrates across endpoint, identity, email, and applications to detect, prevent, investigate, and automatically respond to sophisticated attacks.
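Review bot: the `Microsoft 365 Defender` block drops the `<br>` after the bold link and removes the blank `-` line that followed the paragraph, but adds no separator between the heading and the paragraph, so after this change the two merge into a single paragraph; keep a blank line between them as the earlier headings in this file now do.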
security Microsoft Defender Offline https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-offline.md
localization_priority: Normal
-+ ms.technology: mde
In Windows 10, Microsoft Defender Offline can be run with one click directly fro
## prerequisites and requirements
-Microsoft Defender Offline in Windows 10 has the same hardware requirements as Windows 10.
+Microsoft Defender Offline in Windows 10 has the same hardware requirements as Windows 10.
For more information about Windows 10 requirements, see the following topics:
For more information about Windows 10 requirements, see the following topics:
> Microsoft Defender Offline is not supported on machines with ARM processors, or on Windows Server Stock Keeping Units. To run Microsoft Defender Offline from the endpoint, the user must be logged in with administrator privileges.
-
+ ## Microsoft Defender Offline updates
-Microsoft Defender Offline uses the most recent protection updates available on the endpoint; it's updated whenever Windows Defender Antivirus is updated.
+Microsoft Defender Offline uses the most recent protection updates available on the endpoint; it's updated whenever Windows Defender Antivirus is updated.
> [!NOTE] > Before running an offline scan, you should attempt to update Microsoft Defender AV protection. You can either force an update with Group Policy or however you normally deploy updates to endpoints, or you can manually download and install the latest protection updates from the [Microsoft Malware Protection Center](https://www.microsoft.com/security/portal/definitions/adl.aspx).
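Review bot: the `+` line in this hunk still reads `it's updated whenever Windows Defender Antivirus is updated` while the surrounding text has moved to `Microsoft Defender Antivirus`; since the line is already being rewritten for whitespace, update the product name in the same edit. The unchanged `## prerequisites and requirements` heading just above should also be capitalized like the other headings in this file.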
See the [Manage Microsoft Defender Antivirus Security intelligence updates](man
## Usage scenarios
-In Windows 10, version 1607, you can manually force an offline scan. Alternatively, if Windows Defender determines that Microsoft Defender Offline needs to run, it will prompt the user on the endpoint.
+In Windows 10, version 1607, you can manually force an offline scan. Alternatively, if Windows Defender determines that Microsoft Defender Offline needs to run, it will prompt the user on the endpoint.
The need to perform an offline scan will also be revealed in Microsoft Endpoint Manager if you're using it to manage your endpoints.
The prompt can occur via a notification, similar to the following:
The user will also be notified within the Windows Defender client.
-In Configuration Manager, you can identify the status of endpoints by navigating to **Monitoring > Overview > Security > Endpoint Protection Status > System Center Endpoint Protection Status**.
+In Configuration Manager, you can identify the status of endpoints by navigating to **Monitoring > Overview > Security > Endpoint Protection Status > System Center Endpoint Protection Status**.
Microsoft Defender Offline scans are indicated under **Malware remediation status** as **Offline scan required**.
Microsoft Defender Offline notifications are configured in the same policy setti
For more information about notifications in Windows Defender, see the [Configure the notifications that appear on endpoints](configure-notifications-microsoft-defender-antivirus.md) topic.
-## Run a scan
+## Run a scan
> [!IMPORTANT] > Before you use Microsoft Defender Offline, make sure you save any files and shut down running programs. The Microsoft Defender Offline scan takes about 15 minutes to run. It will restart the endpoint when the scan is complete. The scan is performed outside of the usual Windows operating environment. The user interface will appear different to a normal scan performed by Windows Defender. After the scan is completed, the endpoint will be restarted and Windows will load normally.
Use the [**MSFT_MpWDOScan**](/previous-versions/windows/desktop/legacy/dn455323(
The following WMI script snippet will immediately run a Microsoft Defender Offline scan, which will cause the endpoint to restart, run the offline scan, and then restart and boot into Windows. ```console
-wmic /namespace:\\root\Microsoft\Windows\Defender path MSFT_MpWDOScan call Start
+wmic /namespace:\\root\Microsoft\Windows\Defender path MSFT_MpWDOScan call Start
``` See the following for more information:-- [Windows Defender WMIv2 APIs](/previous-versions/windows/desktop/defender/windows-defender-wmiv2-apis-portal)
+- [Windows Defender WMIv2 APIs](/previous-versions/windows/desktop/defender/windows-defender-wmiv2-apis-portal)
### Use the Windows Defender Security app to run an offline scan 1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. 2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Advanced scan** label:
-
+ 3. Select **Microsoft Defender Offline scan** and click **Scan now**. > [!NOTE]
- > In Windows 10, version 1607, the offline scan could be run from under **Windows Settings** > **Update & security** > **Windows Defender** or from the Windows Defender client.
-
+ > In Windows 10, version 1607, the offline scan could be run from under **Windows Settings** \> **Update & security** \> **Windows Defender** or from the Windows Defender client.
## Review scan results
-Microsoft Defender Offline scan results will be listed in the [Scan history section of the Windows Security app](microsoft-defender-security-center-antivirus.md).
-
+Microsoft Defender Offline scan results will be listed in the [Scan history section of the Windows Security app](microsoft-defender-security-center-antivirus.md).
## Related articles
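Review bot: the `-`/`+` pair around `wmic /namespace:\\root\Microsoft\Windows\Defender path MSFT_MpWDOScan call Start` and the pairs under `## Usage scenarios` and `## Run a scan` change only trailing whitespace, yet the touched lines keep the stale names `Windows Defender client`, `Windows Defender` and `Windows Settings > Update & security > Windows Defender` that the rest of this change set is renaming to Microsoft Defender; fold the rename into the same lines rather than rewriting them twice. Where the `wmic` snippet is shown, readers of a PowerShell-heavy doc would also expect the equivalent `Start-MpWDOScan` cmdlet from the Defender module alongside it.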
security Microsoft Defender Security Center Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-security-center-antivirus.md
-+ ms.technology: mde
The Windows Security app is a client interface on Windows 10, version 1703 and l
1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. 2. Select the **Virus & threat protection** tile (or the shield icon on the left menu bar).
-
+ The following sections describe how to perform some of the most common tasks when reviewing or interacting with the threat protection provided by Microsoft Defender Antivirus in the Windows Security app. > [!NOTE]
The following sections describe how to perform some of the most common tasks whe
2. Select the **Virus & threat protection** tile (or the shield icon on the left menu bar).
-3. Select **Virus & threat protection updates**. The currently installed version is displayed along with some information about when it was downloaded. You can check your current against the latest version available for manual download, or review the change log for that version. See [Security intelligence updates for Microsoft Defender Antivirus and other Microsoft antimalware](https://www.microsoft.com/en-us/wdsi/defenderupdates).
+3. Select **Virus & threat protection updates**. The currently installed version is displayed along with some information about when it was downloaded. You can check your current against the latest version available for manual download, or review the change log for that version. See [Security intelligence updates for Microsoft Defender Antivirus and other Microsoft antimalware](https://www.microsoft.com/wdsi/defenderupdates).
4. Select **Check for updates** to download new protection updates (if there are any).
The following sections describe how to perform some of the most common tasks whe
3. Under the **Manage settings**, select **Virus & threat protection settings**.
-4. Under the **Exclusions** setting, select **Add or remove exclusions**.
+4. Under the **Exclusions** setting, select **Add or remove exclusions**.
-5. Select the plus icon (**+**) to choose the type and set the options for each exclusion.
+5. Select the plus icon (**+**) to choose the type and set the options for each exclusion.
The following table summarizes exclusion types and what happens:
-|Exclusion type |Defined by |What happens |
-||||
-|**File** |Location <br/>Example: `c:\sample\sample.test` |The specific file is skipped by Microsoft Defender Antivirus. |
-|**Folder** |Location <br/>Example: `c:\test\sample` |All items in the specified folder are skipped by Microsoft Defender Antivirus. |
-|**File type** |File extension <br/>Example: `.test` |All files with the `.test` extension anywhere on your device are skipped by Microsoft Defender Antivirus. |
-|**Process** |Executable file path <br>Example: `c:\test\process.exe` |The specific process and any files that are opened by that process are skipped by Microsoft Defender Antivirus. |
+<br>
+
+****
+|Exclusion type|Defined by|What happens|
+||||
+|**File**|Location <br/>Example: `c:\sample\sample.test`|The specific file is skipped by Microsoft Defender Antivirus.|
+|**Folder**|Location <br/>Example: `c:\test\sample`|All items in the specified folder are skipped by Microsoft Defender Antivirus.|
+|**File type**|File extension <br/>Example: `.test`|All files with the `.test` extension anywhere on your device are skipped by Microsoft Defender Antivirus.|
+|**Process**|Executable file path <br>Example: `c:\test\process.exe`|The specific process and any files that are opened by that process are skipped by Microsoft Defender Antivirus.|
+|
To learn more, see the following resources:-- [Configure and validate exclusions based on file extension and folder location](./configure-extension-file-exclusions-microsoft-defender-antivirus.md) +
+- [Configure and validate exclusions based on file extension and folder location](./configure-extension-file-exclusions-microsoft-defender-antivirus.md)
- [Configure exclusions for files opened by processes](./configure-process-opened-file-exclusions-microsoft-defender-antivirus.md) ## Review threat detection history in the Windows Defender Security Center app
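Review bot: here the `****` line is followed directly by the `|Exclusion type|Defined by|What happens|` header with no blank line, unlike the other rebuilt tables in this change set, and the trailing `|` adds an empty row; drop both so the table matches the rest. The `-` side shows the link list glued onto `To learn more, see the following resources:` and only the first bullet is re-added on the `+` side, so check the rendered page to confirm that both `Configure and validate exclusions...` and `Configure exclusions for files opened by processes` end up as separate bullets under the intro sentence.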
To learn more, see the following resources:
5. To set up ransomware recovery options, select **Set up** under **Ransomware data recovery** and follow the instructions for linking or setting up your OneDrive account so you can easily recover from a ransomware attack. ## See also-- [Microsoft Defender Antivirus](microsoft-defender-antivirus-in-windows-10.md)+
+- [Microsoft Defender Antivirus](microsoft-defender-antivirus-in-windows-10.md)
security Minimum Requirements https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/minimum-requirements.md
ms.technology: mde
> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-minreqs-abovefoldlink) - There are some minimum requirements for onboarding devices to the service. Learn about the licensing, hardware and software requirements, and other configuration settings to onboard devices to the service. > [!TIP]
+> - This article describes the minimum requirements for Microsoft Defender for Endpoint Plan 2. If you are looking for information about Defender for Endpoint Plan 1 (preview), see [Requirements for Defender for Endpoint Plan 1 (preview)](mde-p1-setup-configuration.md#review-the-requirements).
> - Learn about the latest enhancements in Defender for Endpoint: [Defender for Endpoint Tech Community](https://techcommunity.microsoft.com/t5/Windows-Defender-Advanced-Threat/ct-p/WindowsDefenderAdvanced). > - Defender for Endpoint demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation. Read: [Insights from the MITRE ATT&CK-based evaluation](https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/).
security Next Generation Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/next-generation-protection.md
Microsoft Defender for Endpoint includes next-generation protection to reinforce
- [Cloud-delivered protection](cloud-protection-microsoft-defender-antivirus.md), which includes near-instant detection and blocking of new and emerging threats. - [Dedicated protection and product updates](manage-updates-baselines-microsoft-defender-antivirus.md), which includes updates related to keeping Microsoft Defender Antivirus up to date.
+> [!TIP]
+> Next-generation protection is included in both Microsoft Defender for Endpoint Plan 1 (preview) and Plan 2. [Learn more about Defender for Endpoint Plan 1 (preview) and Plan 2](defender-endpoint-plan-1-2.md)
+ ## Try a demo! Visit the [Microsoft Defender for Endpoint demo website](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the following protection features are working and explore them using demo scenarios:
security Respond File Alerts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/respond-file-alerts.md
If you come across a problem when trying to submit a file, try each of the follo
- [Take response actions on a device](respond-machine-alerts.md) - [Investigate files](investigate-files.md)
+- [Manual response actions in Microsoft Defender for Endpoint Plan 1 (preview)](defender-endpoint-plan-1.md#manual-response-actions)
security Respond Machine Alerts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/respond-machine-alerts.md
All other related details are also shown, for example, submission date/time, sub
![Image of action center with information.](images/action-center-details.png)
-## Related topic
+## See also
- [Take response actions on a file](respond-file-alerts.md)
+- [Manual response actions in Microsoft Defender for Endpoint Plan 1 (preview)](defender-endpoint-plan-1.md#manual-response-actions)
- [Report inaccuracy](/microsoft-365/security/defender-endpoint/tvm-security-recommendation#report-inaccuracy)
security Threat Protection Integration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/threat-protection-integration.md
We recently deprecated the Azure Information Protection integration as our Endpo
Microsoft Defender for Endpoint's dynamic device risk score is integrated into the Conditional Access evaluation, ensuring that only secure devices have access to resources. ### Microsoft Cloud App Security
-Microsoft Cloud App Security leverages Microsoft Defender for Endpoint endpoint signals to allow direct visibility into cloud application usage including the use of unsupported cloud services (shadow IT) from all Microsoft Defender for Endpoint monitored devices.
+Microsoft Cloud App Security leverages Microsoft Defender for Endpoint signals to allow direct visibility into cloud application usage including the use of unsupported cloud services (shadow IT) from all Microsoft Defender for Endpoint monitored devices.
### Microsoft Defender for Identity Suspicious activities are processes running under a user context. The integration between Microsoft Defender for Endpoint and Microsoft Defender for Identity provides the flexibility of conducting cyber security investigation across activities and identities.
security Troubleshoot Collect Support Log https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-collect-support-log.md
This topic provides instructions on how to run the tool via Live Response.
> ``` > > - For more information on gathering data locally on a machine in case the machine isn't communicating with Microsoft Defender for Endpoint cloud services, or does not appear in Microsoft Defender for Endpoint portal as expected, see [Verify client connectivity to Microsoft Defender for Endpoint service URLs](configure-proxy-internet.md#verify-client-connectivity-to-microsoft-defender-for-endpoint-service-urls).
+>
+> - As described in [Live response command examples](live-response-command-examples.md), you may want to use the '&' symbol at the end of the command to collect logs as a background action:
+> ```console
+> Run MDELiveAnalyzer.ps1&
+> ```
## See also
security Troubleshoot Np https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-np.md
If you've tested the feature with the demo site and with audit mode, and network
See [Address false positives/negatives in Microsoft Defender for Endpoint](defender-endpoint-false-positives-negatives.md).
-## Exclude website from network protection scope
+## Add exclusions
+The current exclusion options are:
+
+1. Setting up a custom allow indicator.
+2. Using IP exclusions: `Add-MpPreference -Exclusion IpAddress 192.168.1.1`
+3. Excluding an entire process. For more information, see [Microsoft Defender Antivirus exclusions](configure-exclusions-microsoft-defender-antivirus.md).
-To allow the website that is being blocked (false positive), add its URL to the [list of trusted sites](https://blogs.msdn.microsoft.com/asiatech/2014/08/19/how-to-add-web-sites-to-trusted-sites-via-gpo-from-dc-installed-ie10-or-higher-ie-version/). Web resources from this list bypass the network protection check.
## Collect diagnostic data for file submissions
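Review bot: the IP exclusion example in item 2 of the new list splits the parameter name into two tokens (`Add-MpPreference -Exclusion IpAddress 192.168.1.1`); the Add-MpPreference parameter is `-ExclusionIpAddress`, so as written the command would not bind and readers copying it would get an error. Suggest `Add-MpPreference -ExclusionIpAddress 192.168.1.1`, and consider linking item 1 ("Setting up a custom allow indicator") to the indicators topic the way item 3 links to the antivirus exclusions topic, since the removed paragraph's trusted-sites guidance for false positives is dropped without a pointer to its replacement.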
security Whats New In Microsoft Defender Atp https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/whats-new-in-microsoft-defender-atp.md
ms.technology: mde
> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-pullalerts-abovefoldlink)
-The following features are generally available (GA) in the latest release of Microsoft Defender for Endpoint as well as security features in Windows 10 and Windows Server.
+The following features are generally available (GA) in the latest release of Microsoft Defender for Endpoint and security features in Windows 10 and Windows Server.
For more information on preview features, see [Preview features](preview.md).
For more information on preview features, see [Preview features](preview.md).
> https://docs.microsoft.com/api/search/rss?search=%22features+are+generally+available+%28GA%29+in+the+latest+release+of+Microsoft+Defender+for+Endpoint%22&locale=en-us&facet= > ```
+## August 2021
+
+- [Microsoft Defender for Endpoint Plan 1 (preview)](defender-endpoint-plan-1.md) <br/>Defender for Endpoint Plan 1 (preview) is an endpoint protection solution that includes next-generation protection, attack surface reduction, centralized management and reporting, and APIs. Defender for Endpoint Plan 1 (preview) is a new offering for customers who want to try our endpoint protection capabilities, have Microsoft 365 E3, and do not yet have Microsoft 365 E5.
+
+ To learn more, see [Microsoft Defender for Endpoint Plan 1 (preview)](defender-endpoint-plan-1.md). Existing [Defender for Endpoint](microsoft-defender-endpoint.md) capabilities will be known as Defender for Endpoint Plan 2.
+ ## June 2021 - [Delta export software vulnerabilities assessment](get-assessment-methods-properties.md#31-methods) API <br> An addition to the [Export assessments of vulnerabilities and secure configurations](get-assessment-methods-properties.md) API collection. <br> Unlike the full software vulnerabilities assessment (JSON response) - which is used to obtain an entire snapshot of the software vulnerabilities assessment of your organization by device - the delta export API call is used to fetch only the changes that have happened between a selected date and the current date (the "delta" API call). Instead of getting a full export with a large amount of data every time, you'll only get specific information on new, fixed, and updated vulnerabilities. Delta export API call can also be used to calculate different KPIs such as "how many vulnerabilities were fixed" or "how many new vulnerabilities were added to an organization."
For more information on preview features, see [Preview features](preview.md).
- [Microsoft Defender for Endpoint on Linux](microsoft-defender-endpoint-linux.md) <br> Microsoft Defender for Endpoint now adds support for Linux. Learn how to install, configure, update, and use Microsoft Defender for Endpoint on Linux. -- [Attack simulators in the evaluation lab](evaluation-lab.md#threat-simulator-scenarios) <br> Microsoft Defender for Endpoint has partnered with various threat simulation platforms to give you convenient access to test the capabilities of the platform right from the within the portal.
+- [Attack simulators in the evaluation lab](evaluation-lab.md#threat-simulator-scenarios) <br> Microsoft Defender for Endpoint has partnered with various threat simulation platforms to give you convenient access to test the capabilities of the platform within the portal.
## April 2020
For more information on preview features, see [Preview features](preview.md).
- [Microsoft Defender for Endpoint on macOS](microsoft-defender-endpoint-mac.md) <BR> Microsoft Defender for Endpoint on macOS brings the next-generation protection to Mac devices. Core components of the unified endpoint security platform will now be available for Mac devices, including [endpoint detection and response](microsoft-defender-endpoint-mac.md). -- [Threat & Vulnerability Management application and application version end-of-life information](tvm-security-recommendation.md) <BR>Applications and application versions which have reached their end-of-life are tagged or labeled as such so you are aware that they will no longer be supported, and can take action to either uninstall or replace. Doing so will help lessen the risks related to various vulnerability exposures due to unpatched applications.
+- [Threat & Vulnerability Management application and application version end-of-life information](tvm-security-recommendation.md) <BR>Applications and application versions that have reached their end-of-life are tagged or labeled as such so that you are aware they will no longer be supported. You can then take action to either uninstall or replace such applications. Doing so will help lessen the risks related to various vulnerability exposures due to unpatched applications.
- [Threat & Vulnerability Management Advanced Hunting Schemas](advanced-hunting-schema-reference.md) <BR>Use the Threat & Vulnerability Management tables in the Advanced hunting schema to query about software inventory, vulnerability knowledgebase, security configuration assessment, and security configuration knowledgebase.
For more information on preview features, see [Preview features](preview.md).
- [Connected Azure AD applications](connected-applications.md)<br> The Connected applications page provides information about the Azure AD applications connected to Microsoft Defender for Endpoint in your organization. -- [API Explorer](api-explorer.md)<br> The API explorer makes it easy to construct and perform API queries, test and send requests for any available Microsoft Defender for Endpoint API endpoint.
+- [API Explorer](api-explorer.md)<br> The API explorer makes it easy to construct and perform API queries, test, and send requests for any available Microsoft Defender for Endpoint API endpoint.
## September 2019 -- [Tamper Protection settings using Intune](prevent-changes-to-security-settings-with-tamper-protection.md) <br/> You can now turn Tamper Protection on (or off) for your organization in the Microsoft 365 Device Management Portal (Intune).
+- [Tamper Protection settings using Intune](prevent-changes-to-security-settings-with-tamper-protection.md) <br/> You can now turn on Tamper Protection (or off) for your organization in the Microsoft 365 Device Management Portal (Intune).
-- [Live response](live-response.md) <BR> Get instantaneous access to a device using a remote shell connection. Do in-depth investigative work and take immediate response actions to promptly contain identified threats - real-time.
+- [Live response](live-response.md) <BR> Get instantaneous access to a device using a remote shell connection. Do in-depth investigative work and take immediate response actions to promptly contain identified threats - real time.
- [Evaluation lab](evaluation-lab.md) <BR> The Microsoft Defender for Endpoint evaluation lab is designed to eliminate the complexities of device and environment configuration so that you can focus on evaluating the capabilities of the platform, running simulations, and seeing the prevention, detection, and remediation features in action.
For more information on preview features, see [Preview features](preview.md).
- [Threat protection reports](threat-protection-reports.md)<BR>The threat protection report provides high-level information about alerts generated in your organization. -- [Microsoft Threat Experts](microsoft-threat-experts.md)<BR> Microsoft Threat Experts is the new managed threat hunting service in Microsoft Defender for Endpoint that provides proactive hunting, prioritization, and additional context and insights that further empower security operations centers (SOCs) to identify and respond to threats quickly and accurately. It provides additional layer of expertise and optics that Microsoft customers can utilize to augment security operation capabilities as part of Microsoft 365.
+- [Microsoft Threat Experts](microsoft-threat-experts.md)<BR> Microsoft Threat Experts is the new managed threat hunting service in Microsoft Defender for Endpoint that provides proactive hunting, prioritization, and more context and insights that further empower security operations centers (SOCs) to identify and respond to threats quickly and accurately. It provides another layer of expertise and optics that Microsoft customers can utilize to augment security operation capabilities as part of Microsoft 365.
- [Indicators](ti-indicator.md) <BR> APIs for indicators are now generally available.
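Review bot: the added `## June 2021` heading is indented by a leading space and sits on the same line as the first June bullet, so it is rendered as a continuation of the preceding August 2021 list item rather than as a section heading. Put `## June 2021` on its own unindented line, preceded by a blank line, and start the `- [Delta export software vulnerabilities assessment]...` bullet on the line after it, matching the layout used for the `## August 2021` heading above it.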
security Find And Release Quarantined Messages As A User https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/find-and-release-quarantined-messages-as-a-user.md
ms.prod: m365-security
In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, quarantine holds potentially dangerous or unwanted messages. For more information, see [Quarantine in EOP](quarantine-email-messages.md).
-As a recipient of a quarantined message, what you can do to the message as an ordinary use (not an admin) is described in the following table:
+As a recipient of a quarantined message, what you can do to the message as an ordinary user (not an admin) is described in the following table:
<br>
As a recipient of a quarantined message, what you can do to the message as an or
|Quarantine reason|View|Release|Delete| ||::|::|::|
-|Bulk|![Check mark.](../../media/checkmark.png)|![Check mark](../../media/checkmark.png)|![Check mark](../../media/checkmark.png)|
-|Spam|![Check mark.](../../media/checkmark.png)|![Check mark](../../media/checkmark.png)|![Check mark](../../media/checkmark.png)|
-|Phishing (not high confidence phishing)|![Check mark.](../../media/checkmark.png)|![Check mark](../../media/checkmark.png)|![Check mark](../../media/checkmark.png)|
+|Bulk|![Check mark.](../../media/checkmark.png)|![Check mark.](../../media/checkmark.png)|![Check mark.](../../media/checkmark.png)|
+|Spam|![Check mark.](../../media/checkmark.png)|![Check mark.](../../media/checkmark.png)|![Check mark.](../../media/checkmark.png)|
+|Phishing (not high confidence phishing)|![Check mark.](../../media/checkmark.png)|![Check mark](../../media/checkmark.png)|![Check mark.](../../media/checkmark.png)|
| You view and manage your quarantined messages in the Microsoft 365 Defender portal or (if an admin has set this up) in [end-user spam notifications](use-spam-notifications-to-release-and-report-quarantined-messages.md).
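Review bot: the alt-text cleanup is incomplete in the Phishing row, where the Release column still reads `![Check mark]` without the trailing period that the Bulk and Spam rows now use in all three columns. Change it to `![Check mark.](../../media/checkmark.png)` so the table is consistent with the rest of the hunk.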
security Remediate Malicious Email Delivered Office 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/remediate-malicious-email-delivered-office-365.md
Open any remediation item to view details about it, including its name, creation
- **Already in destination**: The desired action was already taken on the email OR the email already existed in the destination location. For example: An email was soft deleted by the admin through Explorer on day one. Then similar emails show up on day 2, which are again soft deleted by the admin. While selecting these emails, admin ends up picking some emails from day one that are already soft deleted. Now these emails will not be acted upon again, they will just show as "already in destination", since no action was taken on them as they existed in the destination location.
- Select any item in the action log to display remediation details. If the details say "successful" or "not found in mailbox," that item was already removed from the mailbox. Sometimes there's a systemic error during remediation. In those cases, it's a good idea to retry remediation.
+ - **New**: An *Already in destination* column has been added in the Action Log. This feature uses the latest delivery location in Threat Explorer to signal if the mail has already been remediated. *Already in destination* will help security teams understand the total number of messages that still need to be addressed.
+
+Actions can only be taken on messages in Inbox, Junk, Deleted, and Soft Deleted folders of Threat Explorer. Here's an example of how the new column works. A *soft delete action* takes place on the message present in the Inbox, then the message will be handled according to policies. The next time a soft delete is performed, this message will show under the column 'Already in destination' signaling it doesn't need to be addressed again.
- In case of remediating large batches, you can also export the messages send for remediation via Mail Submission and messages that got remediated via Action Logs. The export limit is increased to 100k records.
+Select any item in the action log to display remediation details. If the details say "successful" or "not found in mailbox", that item was already removed from the mailbox. Sometimes there's a system error during remediation. In those cases, it's a good idea to retry the remediation action.
-Security team can take up to 50 concurrent manual remediations; however, there is no limit set for automated investigation and response actions.
+In case of remediating large batches of email, export the messages sent for remediation via Mail Submission, and messages that were remediated via Action Logs. The export limit is increased to 100,000 records.
- Remediation is a powerful tool to mitigate threats and address suspicious emails. It helps keep an organization secure.
+Remediation mitigates threats, addresses suspicious emails, and helps keep an organization secure.
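Review bot: the sentence stating that a security team can run up to 50 concurrent manual remediations, with no limit on automated investigation and response actions, is removed without any replacement; if that limit still applies it should be kept, since it is operational information an admin planning a large remediation needs alongside the new 100,000-record export limit. Also, the example sentence "A *soft delete action* takes place on the message present in the Inbox, then the message will be handled according to policies" is a run-on; suggest "When a soft delete action is taken on a message in the Inbox, the message is handled according to policy."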