Updates from: 09/15/2021 03:13:30
Category Microsoft Docs article Related commit history on GitHub Change details
admin Convert User Mailbox To Shared Mailbox https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/email/convert-user-mailbox-to-shared-mailbox.md
When you convert a user's mailbox to a shared mailbox, all of the existing email
- The rules are intact after the mailbox is converted to a shared mailbox.
-## Use the Exchange admin center to convert a mailbox
+## Use the Classic Exchange admin center to convert a mailbox
-1. Go to the <a href="https://go.microsoft.com/fwlink/p/?linkid=2059104" target="_blank">Exchange admin center</a>.
+1. Go to the <a href="https://go.microsoft.com/fwlink/p/?linkid=2059104" target="_blank">Classic Exchange admin center</a>.
2. Select **Recipients** \> **Mailboxes**. 3. Select the user mailbox. Under **Convert to Shared Mailbox**, select **Convert**.
+4. If the mailbox is smaller than 50 GB, you can remove the [license from the user](../manage/remove-licenses-from-users.md), and stop paying for it. Don't delete the user's account. The shared mailbox needs it there as an anchor. If you're converting the mailbox of an employee that's leaving your organization, you should take additional steps to make sure that they can no longer log in. For more information, see [Remove a former employee from Microsoft 365](../add-users/remove-former-employee.md).
+
+> [!NOTE]
+> It's not required to reset the user's password during mailbox conversion. However, if the password is not reset, **the original username and password continue to work** after the mailbox conversion is finished.
+
+For everything else you need to know about shared mailboxes, see [About shared mailboxes](about-shared-mailboxes.md) and [Create a shared mailbox](create-a-shared-mailbox.md).
+
+> [!NOTE]
+> Shared mailboxes donΓÇÖt require a separate license. However, if you want to enable In-Place Archive or put an In-Place Hold or a Litigation Hold on a shared mailbox, you must assign an Exchange Online Plan 1 with Exchange Online Archiving or Exchange Online Plan 2 license to the mailbox.
+
+## Use the New Exchange admin center to convert a mailbox
+
+1. Go to the <a href="https://admin.exchange.microsoft.com/#/homepage" target="_blank"> Exchange admin center</a>.
+
+2. Select **Recipients** \> **Mailboxes**.
+
+3. Select the user mailbox. In the **Mailbox** tab, under **More Actions**, select **Convert to shared mailbox**.
+ 4. If the mailbox is smaller than 50 GB, you can remove the [license from the user](../manage/remove-licenses-from-users.md), and stop paying for it. Don't delete the user's account. The shared mailbox needs it there as an anchor. If you are converting the mailbox of an employee that is leaving your organization, you should take additional steps to make sure that they cannot log in anymore. Please see [Remove a former employee from Microsoft 365](../add-users/remove-former-employee.md). > [!NOTE]
For everything else you need to know about shared mailboxes, see [About shared m
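Review bot: as rendered, step 4 of the new "Use the New Exchange admin center" section runs straight into a bare `> [!NOTE]` marker with no callout body after it, so the warning that **the original username and password continue to work** after conversion (present under the Classic section) is missing here; put the marker on its own line and repeat the note body. The two copies of step 4 also drift in wording ("an employee that's leaving" and "For more information, see" versus "an employee that is leaving" and "Please see"); keep them identical. Since the user account is deliberately kept as the anchor and its credentials keep working, both copies should say explicitly that the password reset or sign-in block belongs before the license is removed, and point at the former-employee article for that.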
## Convert the mailbox of a deleted user
-Let's say you've deleted a user account and now you want to convert their old mailbox to a share mailbox. Here's what you need to do:
+After deleting a user account, follow these steps to convert their old mailbox to a share mailbox:
1. [Restore the user's account](../add-users/restore-user.md).
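Review bot: "share mailbox" in the rewritten sentence ("convert their old mailbox to a share mailbox") should be "shared mailbox"; the typo was carried over from the removed line, so fix it while the sentence is being rewritten anyway.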
Let's say you've deleted a user account and now you want to convert their old ma
3. Reset the user's password.
-4. Wait 20-30 minutes for their mailbox to be recreated.
-
-5. Now follow the instructions on this page to convert their mailbox to a shared mailbox.
-
-6. After that's done, you can remove the license from the user's mailbox. Don't delete the user's old mailbox. The shared mailbox needs it there as an anchor.
+4. Wait 20-30 minutes for their mailbox to be re-created.
+
+6. Once the mailbox is re-created, remove the license from the user's mailbox. Don't delete the user's old mailbox. The shared mailbox needs it there as an anchor.
7. Add members to the shared mailbox.
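Review bot: dropping step 5 ("Now follow the instructions on this page to convert their mailbox to a shared mailbox") removes the conversion itself from this procedure: the list now goes from step 4 (wait for the mailbox to be re-created) straight to step 6 (remove the license) and never tells the reader to convert the mailbox, while the numbering skips 5. Either keep the conversion as its own step or fold it into step 6 ("Once the mailbox is re-created, convert it to a shared mailbox as described above, and then remove the license ..."), and renumber the list.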
Let's say you've deleted a user account and now you want to convert their old ma
3. Select the shared mailbox. Under **Convert to Regular Mailbox**, select **Convert**.
-4. Go back to the admin center. Under **Users**, choose the user account associated with the old shared mailbox. Assign a license to the account, and reset the password.
+4. Go back to the admin center. Under **Users**, choose the user account associated with the old shared mailbox. Assign a license to the account, and then reset the password.
- It will take a few minutes for the mailbox to get set up, but after that, the person who is going to use that account is ready to go. When they sign in, they'll see the email and calendar items that used to be in the shared mailbox.
+ It will take a few minutes for the mailbox to get set up, but after that, the person who's going to use that account is ready to go. When they sign in, they'll see the email and calendar items that used to be in the shared mailbox.
## Convert a user's mailbox in a hybrid environment
For more info about converting a user mailbox to a shared mailbox in an Exchange
> [!NOTE]
-> If you are a member of the Organization Management or Recipient Management role group, you can use the Exchange Management Shell to change a user mailbox to a shared mailbox on-premises. For example, `Set-Mailbox -Identity mailbox1@contoso.com -Type Shared`.
+> If you're a member of the Organization Management or Recipient Management role group, you can use the Exchange Management Shell to change a user mailbox to a shared mailbox on-premises. For example, `Set-Mailbox -Identity mailbox1@contoso.com -Type Shared`.
## Related content
For more info about converting a user mailbox to a shared mailbox in an Exchange
[Create a shared mailbox](create-a-shared-mailbox.md) (article)\ [Configure a shared mailbox](configure-a-shared-mailbox.md) (article)\ [Remove a license from a shared mailbox](remove-license-from-shared-mailbox.md) (article)\
-[Resolve issues with shared mailboxes](resolve-issues-with-shared-mailboxes.md) (article)
+[Resolve issues with shared mailboxes](resolve-issues-with-shared-mailboxes.md) (article)
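Review bot: the removed and added lines for `[Resolve issues with shared mailboxes](resolve-issues-with-shared-mailboxes.md) (article)` are identical as rendered, so this is presumably a trailing-whitespace or line-ending change; confirm it is intended, because it appears as a content change in the history.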
admin Microsoft 365 Servicenow Support Integration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/manage/microsoft-365-servicenow-support-integration.md
+
+ Title: "Microsoft 365 support integration with ServiceNow configuration guide"
+f1.keywords:
+- NOCSH
+++
+audience: Admin
++
+localization_priority: Normal
+
+- M365-subscription-management
++
+search.appverid:
+- MET150
+description: "Scoped Certified application installation and configuration guide for ServiceNow."
++
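Review bot: the front matter at the top of the new file is not well-formed as rendered: there are no `---` delimiters, `Title:` is capitalized while the other keys are lowercase, several lines carry no content at all, and the list item `- M365-subscription-management` has no parent key above it. Check that the source file has complete, `---`-delimited metadata with lowercase keys; otherwise the build will treat these lines as body text and the article will have no title or description.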
+# Microsoft 365 support integration with ServiceNow configuration guide
+
+[Overview](#overview)
+
+[Application dependencies in ServiceNow environments](#application-dependencies-in-servicenow-environments)
+
+[Configuration instructions](#configuration-instructions)
+
+[Who can set up the Microsoft 365 support integration?](#who-can-set-up-microsoft-365-support-integration)
+
+[What features are available in Microsoft 365 support integration?](#what-features-are-available-in-microsoft-365-support-integration)
+
+[Set up Microsoft 365 support integration with ServiceNow Basic Authentication](#set-up-microsoft-365-support-integration-with-servicenow-basic-authentication)
+
+[Set up Microsoft 365 support integration with AAD OAuth Token](#set-up-microsoft-365-support-integration-with-aad-oauth-token)
+
+[Set up Microsoft 365 support integration for Insights ONLY](#set-up-microsoft-365-support-integration-for-insights-only)
+
+[Testing the configuration](#testing-the-configuration)
+
+[Troubleshooting](#troubleshooting)
+
+## Overview
+
+Microsoft 365 support integration enables you to integrate Microsoft 365 help, support, and service health with ServiceNow. You can research Microsoft known and reported issues, resolve incidents, and complete tasks by using Microsoft recommended solutions and, if necessary, escalate to Microsoft human- assisted support.
+
+## Application dependencies in ServiceNow environments
+
+Permissions required:
+
+- oauth\_entity
+
+- oauth\_entity\_profile
+
+After Microsoft 365 support integration was installed, two Application Cross-Scope accesses were created. If they're not created successfully for any reason, create them manually.
++
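Review bot: "Permissions required:" followed by `oauth_entity` and `oauth_entity_profile` names two tables, not permissions; since the troubleshooting note later in the file says the fix for the cross-scope error is **All application scopes** > **Can read** on `oauth_entity`, this section should say that the dependency is cross-scope read access to those two tables and where to create it manually. Also, "After Microsoft 365 support integration was installed, two Application Cross-Scope accesses were created" should be present tense ("When ... is installed, two ... are created"), and "human- assisted" in the overview has a stray space.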
+## Configuration instructions
++
+To set up Microsoft 365 support integration:
+
+- Register applications in Microsoft Azure Active Directory (AAD) for authentication of both outbound and inbound API calls.
+
+- Create ServiceNow entities with Microsoft AAD applications for both outbound and inbound data flow.
+
+- Integrate ServiceNow instance with Microsoft support through Microsoft 365 Admin Portal.
+
+## Who can set up Microsoft 365 support integration?
+
+- Anyone with permissions to create AAD applications.
+
+- A ServiceNow admin.
+
+- A Helpdesk admin or Service Request admin in Microsoft 365 tenants.
+
+## What features are available in Microsoft 365 support integration?
+
+Before setting up any configuration for Microsoft 365 support integration, review your answers to these questions:
+
+**Question #1** Does your ServiceNow environment allow Basic Authentication (access with ServiceNow user credential) for inbound webservice calls?
+
+**Question #2** If you have multiple tenants, do you plan to use a single tenant integrated with your ServiceNow environment for Microsoft 365 support integration?
+
+Depending on your answers to the questions above, this table tells you what features are available and how to set up Microsoft 365 support integration. For a description of each feature, see [Microsoft 365 support integration](https://store.servicenow.com/sn_appstore_store.do#!/store/application/6d05c93f1b7784507ddd4227cc4bcb9f).
+
+|Question #1 Answer|Question #2 Answer|What features are available?|Configuration Steps|
+| | | | |
+|Yes|Yes|Service Health Incidents <br/>Recommended Solutions </br>Microsoft service request|[Set up Microsoft 365 support integration with ServiceNow Basic Authentication](#set-up-microsoft-365-support-integration-with-servicenow-basic-authentication)|
+|Yes|No|Service Health Incidents <br/>Recommended Solutions </br>Microsoft service request||
+|No|Yes|Service Health Incidents <br/>Recommended Solutions </br>Microsoft service request|[Set up Microsoft 365 support integration with AAD OAuth Token](#set-up-microsoft-365-support-integration-with-aad-oauth-token)|
+|No|No|Service Health Incidents <br/>Recommended Solutions|[Set up Microsoft 365 support integration for Insights ONLY](#set-up-microsoft-365-support-integration-for-insights-only) |
+
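Review bot: the second row of the features table, `| | | | |`, is not a valid header separator (it needs dashes, e.g. `|---|---|---|---|`), so the table will not render as a table. The "Yes / No" row also has an empty Configuration Steps cell even though its feature list is identical to the "Yes / Yes" row; either add the intended link there or say why no configuration is offered for Basic Authentication with multiple tenants.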
+## Set up Microsoft 365 support integration with ServiceNow Basic Authentication
+
+### Prerequisites (Basic Authentication)
+
+Some prerequisites are necessary to set up the Microsoft 365 support integration.
+
+1. \[The person who can create AAD applications\] Create AAD Application under your Microsoft 365 tenant.
+
+ 1. Log on to the [Azure Portal](https://portal.azure.com/) with your Microsoft 365 tenant credentials.
+
+ 1. Go to the App registrations page and create a new application.
+
+ Select **Accounts in this organizational directory only ({microsoft-365-tenant-name} only ΓÇô Single tenant**.
+
+ :::image type="content" source="../../media/ServiceNow-guide/ServiceNow-guide-image3.png" alt-text="Graphical user interface, text, application, email Description automatically generated":::
+
+ 1. Add redirect URL: `https://{your-servicenow-instance}.service-now.com/oauth_redirect.do`.
+
+ :::image type="content" source="../../media/ServiceNow-guide/ServiceNow-guide-image4.png" alt-text="Graphical user interface, text, application, email Description automatically generated":::
+
+ 1. Get the application Client ID and create an App Secret.
+
+2. \[The person who is a ServiceNow admin\] Set up Outbound OAuth Provider in ServiceNow.
+
+ 1. If the scope is not set to **Global**, open **Settings** > **Developer** > **Applications** to switch to **Global**.
+
+ :::image type="content" source="../../media/ServiceNow-guide/ServiceNow-guide-image5.png" alt-text="Graphical user interface, text, application, chat or text message Description automatically generated":::
+
+ 1. Go to **System OAuth** > **Application Registry**.
+
+ 1. Create a new application with the values following values by selecting **Connect to a third party OAuth Provider**.
+
+ - Client ID: The Client ID of the application created in step \#1
+
+ - Client Secret: The App Secret of the application created in step \#1
+
+ - Default Grant type: Client Credentials
+
+ - Token URL: `https://login.microsoftonline.com/{microsoft-365-tenant-name}/oauth2/token`
+
+ - Redirect URL: `https://{service-now-instance-name}.service-now.com/auth_redirect.do`
+
+ :::image type="content" source="../../media/ServiceNow-guide/ServiceNow-guide-image6.png" alt-text="Graphical user interface, application Description automatically generated":::
+
+3. \[The person who is a ServiceNow admin\] Set up Inbound OAuth Provider.
+
+ 1. If the scope is not set to **Global**, open **Settings** > **Developer** > **Applications** to switch to **Global**.
+
+ :::image type="content" source="../../media/ServiceNow-guide/ServiceNow-guide-image5.png" alt-text="Graphical user interface, application Description automatically generated":::
+
+ 1. Go to **System OAuth** > **Application Registry**.
+
+ 1. Create a new application by selecting **Create an OAuth API endpoint for external clients**. Name the inbound OAuth provider and leave other fields at their defaults.
+
+ :::image type="content" source="../../media/ServiceNow-guide/ServiceNow-guide-image7.png" alt-text="Graphical user interface, application Description automatically generated":::
+
+4. \[The person who is a ServiceNow admin\] Create integration users.
+
+ You must specify an integration user. If you donΓÇÖt have an existing integration user or if you want to create one specific for this integration, go to **Organization** > **Users** to create a new user.
+
+ If you're creating a new integration user, check the box **Web service access only**.
+
+ :::image type="content" source="../../media/ServiceNow-guide/ServiceNow-guide-image8.png" alt-text="Graphical user interface, application Description automatically generated":::
+
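Review bot: the redirect URLs disagree: the AAD app registration in step 1 uses `https://{your-servicenow-instance}.service-now.com/oauth_redirect.do` while the ServiceNow outbound provider in step 2 uses `https://{service-now-instance-name}.service-now.com/auth_redirect.do`, and the OAuth Token section later in the file has the reverse pair (`auth_redirect.do` in the app registration, `oauth_redirect.do` on the ServiceNow side). AAD rejects a redirect that does not exactly match a registered URI, so pick one path and use it consistently, and use a single placeholder for the instance name. Step 2c has a duplicated word ("with the values following values"). Step 4 rightly tells the admin to create a **Web service access only** integration user but does not say which role that user needs; state the minimum role so nobody falls back to a broadly privileged one.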
+### \[Optional\] Allow the serviceΓÇÖs IPs of Microsoft 365 support integration
+
+If your company is limiting internet access with your own policies, enable network access for the service of Microsoft 365 support integration by allowing the IP addresses below for both inbound and outbound API access.
+
+- 52.149.152.32
+
+- 40.83.232.243
+
+- 40.83.114.39
+
+- 13.76.138.31
+
+- 13.79.229.170
+
+- 20.105.151.142
+
+> [!NOTE]
+> This terminal command lists all active IPs of the service for Microsoft 365 support integration:
+> `nslookup connector.rave.microsoft.com`
+
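Review bot: `nslookup connector.rave.microsoft.com` returns whatever the name currently resolves to, which is not guaranteed to equal the six addresses listed above, so the note should say which list is authoritative and how customers learn about address changes; an allow list built from the static list will silently break when an address is added. The same command appears again in the OAuth Token section in italics (`*nslookup connector.rave.microsoft.com*`); use inline code in both places.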
+### Set up Microsoft 365 support integration application
+
+The Microsoft 365 support integration application can be set up under Microsoft 365 support.
+
+These steps are required to set up the integration between your ServiceNow instance and Microsoft 365 support.
+
+1. \[The person who is a ServiceNow admin\] Switch the scope to Microsoft 365 support integration.
+
+ :::image type="content" source="../../media/ServiceNow-guide/ServiceNow-guide-image9.png" alt-text="Graphical user interface, table Description automatically generated":::
+
+2. \[The person who is a ServiceNow admin\] Go to Microsoft 365 support > **Setup** to open the integration flow.
+
+ > [!NOTE]
+ > If you see the error "Read operation against 'oauth\_entity' from scope 'x\_mioms\_m365\_assis' has been refused due to the table's cross-scope access policy," it was caused by your table access policy. You must make sure **All application scopes** > **Can read** is checked for the table oauth\_entity.
+
+ :::image type="content" source="../../media/ServiceNow-guide/ServiceNow-guide-image10.png" alt-text="Graphical user interface, text, application, email Description automatically generated":::
+
+3. \[The person who is a ServiceNow admin\] Select **Agree** to agree to the consent
+
+ :::image type="content" source="../../media/ServiceNow-guide/ServiceNow-guide-image11.png" alt-text="Graphical user interface, text, application, email Description automatically generated":::
+
+4. \[The person who is a ServiceNow admin\] Set up Outbound OAuth Provider.
+
+ Select the OAuth profile for Outbound OAuth Provider created in [Prerequisites (Basic Authentication)](#prerequisites-basic-authentication) step \#2 and select **Next**.
+
+ :::image type="content" source="../../media/ServiceNow-guide/ServiceNow-guide-image12.png" alt-text="Graphical user interface, text, application, email Description automatically generated":::
+
+5. \[The person who is a ServiceNow admin\] Set up Inbound OAuth Provider.
+
+ - Uncheck **Skip current step**.
+
+ - Uncheck **External OIDC Auth Token**.
+
+ - Select OAuth Client created in [Prerequisites (Basic Authentication)](#prerequisites-basic-authentication) step \#3 and select **Next**.
+
+ :::image type="content" source="../../media/ServiceNow-guide/ServiceNow-guide-image13.png" alt-text="Graphical user interface, text, application, email Description automatically generated":::
+
+6. \[The person who is a ServiceNow admin\] Set up inbound call integration user.
+
+ - Uncheck **Skip current step**.
+
+ - Select the integration user created in [Prerequisites (Basic Authentication)](#prerequisites-basic-authentication) step \#4 and select **Next**.
+
+ :::image type="content" source="../../media/ServiceNow-guide/ServiceNow-guide-image14.png" alt-text="Graphical user interface, text, application Description automatically generated":::
+
+7. \[The person who is a ServiceNow admin\] Set up Repository ID.
+
+ Specify the repository ID, and then select **Next**.
+
+ :::image type="content" source="../../media/ServiceNow-guide/ServiceNow-guide-image15.png" alt-text="Graphical user interface, text, application Description automatically generated":::
+
+8. \[The person who is a ServiceNow admin\] Set up Application settings.
+
+ Select the following settings, and then select **Next**.
+
+ - SSO with Microsoft 365: Check whether the ServiceNow instance is set up as SSO with Microsoft 365 tenants, otherwise uncheck it.
+
+ - Microsoft 365 admin email: The email of Microsoft 365 admin user who is contacted when Microsoft 365 support cases are created.
+
+ - Test Environment: Check the box to indicate a test phase to avoid Microsoft support agents contacting you to address the issue. If you're ready to move forward officially with Microsoft 365 support integration, uncheck the box.
+
+ :::image type="content" source="../../media/ServiceNow-guide/ServiceNow-guide-image16.png" alt-text="Graphical user interface, text, application Description automatically generated":::
+
+9. \[The person who is Helpdesk Admin or Service Request Admin in Microsoft 365 tenants\] Complete Integration.
+
+ 1. Check the information below to make sure it's correct.
+
+ :::image type="content" source="../../media/ServiceNow-guide/ServiceNow-guide-image17.png" alt-text="Graphical user interface, text, application Description automatically generated":::
+
+ 1. Go to Microsoft 365 [Admin Portal](https://admin.microsoft.com/) > **Settings** > **Org settings** > **Organization profiles**.
+
+ 1. Set up support integration settings:
+
+ 1. In the **Basic information** tab, select internal support tool **Service Now** and type **Outbound App ID** as the value of Application ID on the page Step - 6 Complete, which was created in [Prerequisites (Basic Authentication)](#prerequisites-basic-authentication) step \#1.
+
+ :::image type="content" source="../../media/ServiceNow-guide/ServiceNow-guide-image18.png" alt-text="Graphical user interface, text, application, email Description automatically generated":::
+
+ 1. In the tab **Repositories**, select **Add a repository** to create a new repository with the following settings:
+
+ - Repository: The **Repository ID** value from page Step - 6 Complete the integration.
+
+ - Endpoint: The **Endpoint** value from page Step - 6 Complete the integration.
+
+ - Authentication type: Select **Basic Auth**.
+
+ - Client ID: The **Client ID** value from page Step - 6 Complete the integration.
+
+ - Client secret: The secret of the inbound OAuth provider that was created in [Prerequisites (Basic Authentication)](#prerequisites-basic-authentication) step \#3.
+
+ - Refresh token expiry: 864000
+
+ - Rest username: The **User Name** value from page Step - 6 Complete the integration.
+
+ - Rest user password: The password of the integration user that was created in [Prerequisites (Basic Authentication)](#prerequisites-basic-authentication) step \#4.
+
+ :::image type="content" source="../../media/ServiceNow-guide/ServiceNow-guide-image19.png" alt-text="Graphical user interface, application Description automatically generate":::
+
+ 1. Go back and select the button to save the integration.
+
+ 1. Select **Next** to complete the integration.
+
+ :::image type="content" source="../../media/ServiceNow-guide/ServiceNow-guide-image20.png" alt-text="Graphical user interface, application, website Description automatically generated":::
+
+10. \[The person who is a ServiceNow admin\] Enable Microsoft 365 support integration for an existing user.
+
+ Microsoft 365 support integration is enabled only for the user with one of these roles:
+
+ - x\_mioms\_m365\_assis.insights\_user
+
+ - x\_mioms\_m365\_assis.administrator
+
+ > [!NOTE]
+ > The user with the role x\_mioms\_m365\_assis.insights\_user role can see Service Health Incidents, Recommended Solutions. The user with the role x\_mioms\_m365\_assis.administrator can also open a case with Microsoft 365 support.
+
+11. \[Optional\] \[The user with role x_mioms_m365_assis.administrator\] Link Microsoft 365 Admin account.
+
+ If any user has the role x\_mioms\_m365\_assis.administrator and is using different Microsoft 365 accounts to manage a Microsoft 365 support case, they must go to Microsoft 365 support > Link Account to set up their Microsoft 365 admin email.
+
+ :::image type="content" source="../../media/ServiceNow-guide/ServiceNow-guide-image21.png" alt-text="Graphical user interface, text, application Description automatically generated":::
+
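Review bot: the repository settings in step 9 store two long-lived secrets in the Microsoft 365 admin portal, the inbound OAuth client secret and the integration user's password, and `Refresh token expiry: 864000` is given without a unit; state the unit and add a sentence on what happens when the client secret from Prerequisites step 3 expires or is rotated. Step 9a ("type **Outbound App ID** as the value of Application ID on the page Step - 6 Complete, which was created in ... step \#1") is hard to follow; suggest "In **Outbound App ID**, enter the **Application ID** shown on the Step 6 - Complete page (the client ID of the AAD application from step 1)". The note under step 10 repeats "role" ("the role x_mioms_m365_assis.insights_user role") and needs "and" in "Service Health Incidents, Recommended Solutions"; step 3 is missing its final period.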
+## Set up Microsoft 365 support integration with AAD OAuth Token
+
+### Prerequisites (AAD OAuth Token)
+
+These prerequisite steps are necessary to set up the Microsoft 365 support integration:
+
+1. \[The person who can create AAD applications\] Create an AAD Application for Outbound under your Microsoft 365 tenant.
+
+ 1. Log on [Azure Portal](https://portal.azure.com/) with Microsoft 365 tenant credentials.
+
+ 1. Go to the **App registrations** page and create a new application.
+
+ Select **Accounts in this organizational directory only ({microsoft-365-tenant-name} only ΓÇô Single tenant**.
+
+ :::image type="content" source="../../media/ServiceNow-guide/ServiceNow-guide-image3.png" alt-text="Graphical user interface, text, application, email Description automatically generated":::
+
+ 1. Add redirect URL: `https://{your-servicenow-instance}.service-now.com/auth_redirect.do`.
+
+ :::image type="content" source="../../media/ServiceNow-guide/ServiceNow-guide-image4.png" alt-text="Graphical user interface, text, application, email Description automatically generated":::
+
+ 1. Get Client ID of the application and create App Secret.
+
+2. \[The person who can create AAD applications\] Create AAD Application for Rest API under your Microsoft 365 tenant.
+
+ 1. Log on to the [Azure Portal](https://portal.azure.com/) with your Microsoft 365 tenant credentials.
+
+ 1. Go to **App registrations** and create a new application.
+
+ Select **Accounts in this organizational directory only ({microsoft-365-tenant-name} only ΓÇô Single tenant**.
+
+ :::image type="content" source="../../media/ServiceNow-guide/ServiceNow-guide-image22.png" alt-text="Graphical user interface, text, application, email Description automatically generated":::
+
+ 1. Get the application Client ID and create App Secret.
+
+3. \[The person who can create AAD applications\] Create AAD Application for Rest User under your Microsoft 365 tenant.
+
+ 1. Log on to the [Azure Portal](https://portal.azure.com/) with your Microsoft 365 tenant credentials.
+
+ 1. Go to the **App registrations** page and create a new application.
+
+ Select **Accounts in this organizational directory only ({microsoft-365-tenant-name} only ΓÇô Single tenant**.
+
+ :::image type="content" source="../../media/ServiceNow-guide/ServiceNow-guide-image23.png" alt-text="Graphical user interface, text, application, email Description automatically generated":::
+
+ 1. Get the application Client ID and create an App Secret.
+
+4. \[The person who is a ServiceNow admin\] Set up Outbound OAuth Provider in ServiceNow.
+
+ 1. If the scope is not set to **Global**, open **Settings** > **Developer** > **Applications** to switch to **Global**.
+
+ :::image type="content" source="../../media/ServiceNow-guide/ServiceNow-guide-image5.png" alt-text="Graphical user interface, text, application, chat or text message Description automatically generated":::
+
+ 1. Go to **System OAuth** > **Application Registry**.
+
+ 1. Create a new application with the values below by selecting **Connect to a third party OAuth Provider**.
+
+ - Client ID: The Client ID of the application created in [Prerequisites (AAD OAuth Token)](#prerequisites-aad-oauth-token) step \#1.
+
+ - Client Secret: The App Secret of the application created in [Prerequisites (AAD OAuth Token)](#prerequisites-aad-oauth-token) step \#1.
+
+ - Default Grant type: Client Credentials.
+
+ - Token URL: `https://login.microsoftonline.com/{microsoft-365-tenant-name}/oauth2/token`
+
+ - Redirect URL: `https://{service-now-instance-name}.service-now.com/auth_redirect.do`
+
+ :::image type="content" source="../../media/ServiceNow-guide/ServiceNow-guide-image6.png" alt-text="Graphical user interface, application Description automatically generated":::
+
+5. \[The person who is a ServiceNow admin\] Configure OIDC provider in ServiceNow, refer to the [online documentation](https://docs.servicenow.com/bundle/quebec-platform-administration/page/administer/security/task/add-OIDC-entity.html).
+
+ 1. If the scope is not set to **Global**, open **Settings** > **Developer** > **Applications** to switch to **Global**.
+
+ :::image type="content" source="../../media/ServiceNow-guide/ServiceNow-guide-image5.png" alt-text="Graphical user interface, text, application, chat or text message Description automatically generated":::
+
+ 1. Go to **System OAuth** > **Application Registry**.
+
+ 1. Select **New** > **Create new Open ID Connect Provider**.
+
+ 1. In **OAuth OIDC Provider Configuration**, select **Search** and create a new OIDC provider configuration under ΓÇ£oidc\_provider\_configuration.listΓÇ¥ with these values:
+
+ - OIDC Provider: Contoso Azure
+
+ - OIDC Metadata URL: `https://login.microsoftonline.com/{microsoft-365-tenant-name}/.well-known/openid-configuration`
+
+ - UserClaim: **appId**
+
+ - User Field: **User ID**
+
+ :::image type="content" source="../../media/ServiceNow-guide/ServiceNow-guide-image24.png" alt-text="Graphical user interface, text, application Description automatically generated":::
+
+ 1. Create a new application by selecting **Configure an OIDC provider to verify ID tokens** with these values:
+
+ - Name: contoso\_application\_inbound\_api
+
+ - Client ID: The Client ID of the application created in [Prerequisites (AAD OAuth Token)](#prerequisites-aad-oauth-token) step \#2.
+
+ - Client Secret: The App Secret of the application created in [Prerequisites (AAD OAuth Token)](#prerequisites-aad-oauth-token) step \#2.
+
+ - OAuth OIDC Provider Configuration: The OIDC provider created in the last step.
+
+ - Redirect URL:
+ `https://{service-now-instance-name}.service-now.com/oauth_redirect.do`
+
+ :::image type="content" source="../../media/ServiceNow-guide/ServiceNow-guide-image25.png" alt-text="Graphical user interface, application Description automatically generated":::
+
+6. \[The person who is a ServiceNow admin\] Create Integration Users.
+
+ Navigate to **Organization** > **Users** to create a new user if there is no integration user. The value of **User ID** is the application Client ID created in step [Prerequisites (AAD OAuth Token)](#prerequisites-aad-oauth-token) \#3
+
+ :::image type="content" source="../../media/ServiceNow-guide/ServiceNow-guide-image26.png" alt-text="Graphical user interface, application Description automatically generated":::
+
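Review bot: steps 5 and 6 should spell out what the OIDC mapping means for security: the provider configuration maps the token's `appId` claim to **User ID**, and the integration user's **User ID** is the client ID of the Rest User application from step 3, so as configured here an inbound call is accepted as the integration user whenever it carries a token that validates against that tenant's metadata and whose `appId` matches that client ID. That makes the Rest User application's App Secret the equivalent of the integration user's password; say so and point at how it should be stored and rotated. Also label `Contoso Azure` and `contoso_application_inbound_api` as example names, fix the word order in "created in step [Prerequisites (AAD OAuth Token)] #3" (should be "in [Prerequisites (AAD OAuth Token)] step #3"), and replace the curly quotes around `oidc_provider_configuration.list` with straight quotes or inline code.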
+### \[Optional\] Allow the serviceΓÇÖs IPs of Microsoft 365 support integration
+
+If your company is limiting internet access with your own policies, enable network access for the service of Microsoft 365 support integration by allowing these IP addresses for both inbound and outbound API access:
+
+- 52.149.152.32
+
+- 40.83.232.243
+
+- 40.83.114.39
+
+- 13.76.138.31
+
+- 13.79.229.170
+
+- 20.105.151.142
+
+> [!NOTE]
+> This terminal command lists all active IPs of the service for Microsoft 365 support integration:
+> *nslookup connector.rave.microsoft.com*
+
+### Set up Microsoft 365 support integration
+
+The Microsoft 365 support integration application can be set up through the **Setup** under the Microsoft 365 support.
+
+These steps are necessary to set up the integration between your ServiceNow instance and Microsoft 365 support.
+
+1. \[The person who is a ServiceNow admin\] Switch the scope to Microsoft 365 support integration.
+
+ :::image type="content" source="../../media/ServiceNow-guide/ServiceNow-guide-image9.png" alt-text="Graphical user interface, table Description automatically generated":::
+
+2. \[The person who is a ServiceNow admin\] Go to Microsoft 365 support > **Setup** to open the integration flow.
+
+ > [!NOTE]
+ > If you see the error "Read operation against 'oauth\_entity' from scope 'x\_mioms\_m365\_assis' has been refused due to the table's cross-scope access policy," it was caused by your table access policy. You must make sure **All application scopes** > **Can read** is checked for the table oauth\_entity.
+
+ :::image type="content" source="../../media/ServiceNow-guide/ServiceNow-guide-image27.png" alt-text="Graphical user interface, text, application, email Description automatically generated":::
+
+3. \[The person who is a ServiceNow admin\] Select **Agree** to agree to the consent.
+
+ :::image type="content" source="../../media/ServiceNow-guide/ServiceNow-guide-image11.png" alt-text="Graphical user interface, text, application, email Description automatically generated":::
+
+4. \[The person who is a ServiceNow admin\] Set up Outbound OAuth Provider.
+
+ Select OAuth profile for Outbound OAuth Provider created at [Prerequisites (AAD OAuth Token)](#prerequisites-aad-oauth-token) step \#4 and select **Next**.
+
+ :::image type="content" source="../../media/ServiceNow-guide/ServiceNow-guide-image12.png" alt-text="Graphical user interface, text, application, email Description automatically generated":::
+
+5. \[The person who is a ServiceNow admin\] Set up Inbound OAuth Provider.
+
+ 1. Uncheck **Skip current step**.
+
+ 1. Check **External OIDC Auth Token**.
+
+ 1. Select the OAuth Client created at [Prerequisites (AAD OAuth Token)](#prerequisites-aad-oauth-token) step 5, and then select **Next**.
+
+ :::image type="content" source="../../media/ServiceNow-guide/ServiceNow-guide-image28.png" alt-text="Graphical user interface, text, application Description automatically generated":::
+
+6. \[The person who is a ServiceNow admin\] Set up Inbound Call Integration User.
+
+ 1. Uncheck **Skip current step**.
+
+ 1. Input the Client ID of the application that was created at [Prerequisites (AAD OAuth Token)](#prerequisites-aad-oauth-token) step \#3 and select **Next**.
+
+ :::image type="content" source="../../media/ServiceNow-guide/ServiceNow-guide-image39.png" alt-text="Graphical user interface, text, application, email Description automatically generated":::
+
+7. \[The person who is a ServiceNow admin\] Set up the Repository ID.
+
+ Specify the repository ID and select **Next**.
+
+ :::image type="content" source="../../media/ServiceNow-guide/ServiceNow-guide-image15.png" alt-text="Graphical user interface, text, application Description automatically generated":::
+
+8. \[The person who is a ServiceNow admin\] Set up Application Settings.
+
+ Select the following settings, and then select **Next**.
+
+ - SSO with Microsoft 365: Check whether the ServiceNow instance is set up as SSO with Microsoft 365 tenants, otherwise uncheck it.
+
+ - Microsoft 365 admin email: The email of Microsoft 365 admin user who is contacted when Microsoft 365 support cases are created.
+
+ - Test Environment: Check the box to indicate a test phase to avoid Microsoft support agents contacting you to address the issue. If you're ready to move forward officially with Microsoft 365 support integration, uncheck the box.
+
+ :::image type="content" source="../../media/ServiceNow-guide/ServiceNow-guide-image16.png" alt-text="Graphical user interface, text, application Description automatically generated":::
+
+ 1. Select **Next**.
+
+9. \[The person who is Helpdesk Admin or Service Request Admin in Microsoft 365 tenants\] Complete integration.
+
+ 1. Check the following information to make sure it's correct.
+
+ :::image type="content" source="../../media/ServiceNow-guide/ServiceNow-guide-image40.png" alt-text="Graphical user interface, text, application, email Description automatically generated":::
+
+ 1. Go to Microsoft 365 [Admin Portal](https://admin.microsoft.com) > **Settings** > **Org settings** > **Organization profiles**.
+
+ 1. Set up support integration settings.
+
+ 1. On the **basic information** tab, select **Service Now** as the internal support tool, and type **Outbound App ID** as the value of Application ID on the Step - 6 Complete the integration page, which was created in [Prerequisites (AAD OAuth Token)](#prerequisites-aad-oauth-token) step \#1.
+
+ :::image type="content" source="../../media/ServiceNow-guide/ServiceNow-guide-image18.png" alt-text="Graphical user interface, text, application, email Description automatically generated":::
+
+ 1. On the **Repositories** tab, select **Add a repository** to create a new repository with the following information:
+
+ - Repository: Use the **Repository ID** value from the Step - 6 Complete the integration page.
+
+ - Endpoint: The **Endpoint** value from the Step - 6 Complete the integration page.
+
+ - Authentication type: Select **AAD Auth**.
+
+ - Client Id: The **Client ID** value on the Step - 6 Complete the integration page, which is the Client ID of the application created in [Prerequisites (AAD OAuth Token)](#prerequisites-aad-oauth-token) step \#2.
+
+ - Rest username: The **User Name** value on the Step - 6 Complete the integration page, which is the **Client ID** of the application created in [Prerequisites (AAD OAuth Token)](#prerequisites-aad-oauth-token) step \#3.
+
+ - Rest user password: The App Secret of the application created in [Prerequisites (AAD OAuth Token)](#prerequisites-aad-oauth-token) step \#3.
+
+ :::image type="content" source="../../media/ServiceNow-guide/ServiceNow-guide-image31.png" alt-text="Graphical user interface, application Description automatically generated":::
+
+ 1. Go back and select the button to save the integration.
+
+ 1. Select **Next** to complete the integration.
+
+ :::image type="content" source="../../media/ServiceNow-guide/ServiceNow-guide-image32.png" alt-text="Graphical user interface, application Description automatically generated":::
+
+10. \[The person who is a ServiceNow admin\] Enable Microsoft 365 support integration for an existing user.
+
+ Microsoft 365 support integration is enabled only for users with the following roles:
+
+ - x\_mioms\_m365\_assis.insights\_user
+
+ - x\_mioms\_m365\_assis.administrator
+
+ > [!NOTE]
+ > The user with the role x\_mioms\_m365\_assis.insights\_user can see Service Health Incidents, Recommended Solutions. The user with the role x\_mioms\_m365\_assis.administrator also can open a case with Microsoft 365 support.
+
+11. **\[Optional\] \[The user with role x_mioms_m365_assis.administrator\] Link Microsoft 365 Admin account**
+
+ If any user has the role ΓÇ£x\_mioms\_m365\_assis.administratorΓÇ¥ and they're using different Microsoft 365 accounts to manage Microsoft support cases, they must go to Microsoft 365 support > Link Account to set up their Microsoft 365 admin email.
+
+ :::image type="content" source="../../media/ServiceNow-guide/ServiceNow-guide-image21.png" alt-text="Graphical user interface, text, application Description automatically generated":::
+
+## Set up Microsoft 365 support integration for Insights ONLY
+
+### Prerequisites (Insights ONLY)
+
+These prerequisite steps are necessary to set up Microsoft 365 support integration:
+
+1. \[The person who can create AAD applications\] Create AAD Application under your Microsoft 365 tenant.
+
+ 1. Log on to the [Azure Portal](https://portal.azure.com/) with your Microsoft 365 tenant credentials.
+
+ 1. Go to the **App registrations** page and create a new application.
+
+ Select **Accounts in this organizational directory only ({microsoft-365-tenant-name} only ΓÇô Single tenant**.
+
+ :::image type="content" source="../../media/ServiceNow-guide/ServiceNow-guide-image3.png" alt-text="Graphical user interface, text, application, email Description automatically generated":::
+
+ 1. Add redirect URL: `https://{your-servicenow-instance}.service-now.com/auth_redirect.do`
+
+ :::image type="content" source="../../media/ServiceNow-guide/ServiceNow-guide-image4.png" alt-text="Graphical user interface, text, application, email Description automatically generated":::
+
+ 1. Get Client ID of the application and create an App Secret.
+
+1. \[The person who is a ServiceNow admin\] Set up Outbound OAuth Provider in ServiceNow.
+
+ 1. If the scope is not set to **Global**, open **Settings** > **Developer** > **Applications** to switch to **Global**.
+
+ :::image type="content" source="../../media/ServiceNow-guide/ServiceNow-guide-image5.png" alt-text="Graphical user interface, text, application, chat or text message Description automatically generated":::
+
+ 1. Go to **System OAuth** > **Application Registry**.
+
+ 1. Create a new application with the values below by selecting **Connect to a third party OAuth Provider**.
+
+ - Client ID: The **Client ID** of the application created in [Prerequisites (Insights ONLY)](#prerequisites-insights-only) step \#1
+
+ - Client Secret: The App Secret of the application created in [Prerequisites (Insights ONLY)](#prerequisites-insights-only) step \#1
+
+ - Default Grant type: Client Credentials
+
+ - Token URL: `https://login.microsoftonline.com/{microsoft-365-tenant-name}/oauth2/token`
+
+ - Redirect URL: `https://{servicenow-instance-name}.service-now.com/oauth_redirect.do`
+
+ :::image type="content" source="../../media/ServiceNow-guide/ServiceNow-guide-image6.png" alt-text="Graphical user interface, application Description automatically generated":::
+
+### Set up Microsoft 365 support integration
+
+The Microsoft 365 support integration application can be set up through **Setup** under Microsoft 365 support.
+
+The following steps are needed to set up the integration between your ServiceNow instance and Microsoft support.
+
+1. \[The person who is a ServiceNow admin\] Switch the scope to Microsoft 365 support integration.
+
+ :::image type="content" source="../../media/ServiceNow-guide/ServiceNow-guide-image9.png" alt-text="Graphical user interface, table Description automatically generated":::
+
+2. \[The person who is a ServiceNow admin\] Go to Microsoft 365 support > **Setup** to open the integration flow.
+
+ > [!NOTE]
+ > If you see the error "Read operation against 'oauth\_entity' from scope 'x\_mioms\_m365\_assis' has been refused due to the table's cross-scope access policy," it was caused by your table access policy. You must make sure **All application scopes** > **Can read** is checked for the table oauth\_entity.
+
+ :::image type="content" source="../../media/ServiceNow-guide/ServiceNow-guide-image27.png" alt-text="Graphical user interface, text, application, email Description automatically generated":::
+
+3. \[The person who is a ServiceNow admin\] Select **Agree** to agree to the consent.
+
+ :::image type="content" source="../../media/ServiceNow-guide/ServiceNow-guide-image11.png" alt-text="Graphical user interface, text, application, email Description automatically generated":::
+
+4. \[The person who is a ServiceNow admin\] Set up Outbound OAuth Provider.
+
+ Select OAuth profile for Outbound OAuth Provider and select **Next**.
+
+ :::image type="content" source="../../media/ServiceNow-guide/ServiceNow-guide-image12.png" alt-text="Graphical user interface, text, application, email Description automatically generated":::
+
+5. \[The person who is a ServiceNow admin\] Skip Inbound OAuth Provider.
+
+ Check **Skip current step**, and then select **Next**.
+
+ :::image type="content" source="../../media/ServiceNow-guide/ServiceNow-guide-image33.png" alt-text="Graphical user interface, text, application, email Description automatically generated":::
+
+6. \[The person who is a ServiceNow admin\] Skip Integration User.
+
+ Check **Skip current step** and select **Next**.
+
+ :::image type="content" source="../../media/ServiceNow-guide/ServiceNow-guide-image34.png" alt-text="Graphical user interface, text, application Description automatically generated":::
+
+7. \[The person who is a ServiceNow admin\] Set up Repository ID.
+
+ Specify the repository ID and select **Next**.
+
+ :::image type="content" source="../../media/ServiceNow-guide/ServiceNow-guide-image15.png" alt-text="Graphical user interface, text, application Description automatically generated":::
+
+8. \[The person who is a ServiceNow admin\] Set up Application Settings.
+
+ Select the right settings and select **Next**.
+
+ - SSO with Microsoft 365: Check whether the ServiceNow instance is set up as SSO with Microsoft 365 tenants; otherwise uncheck it.
+
+ - Microsoft 365 Admin Email: The email of Microsoft 365 admin user to be contacted when Microsoft 365 support cases are created.
+
+ - Test Environment: Check the box to indicate a test phase to avoid Microsoft support agents contacting you to address the issue. If you're ready to move forward officially with Microsoft 365 support integration, uncheck the box.
+
+ :::image type="content" source="../../media/ServiceNow-guide/ServiceNow-guide-image16.png" alt-text="Graphical user interface, text, application Description automatically generated":::
+
+9. \[The person who is Helpdesk Admin or Service Request Admin in Microsoft 365 tenants\] Complete Integration.
+
+ 1. Check the information here to make sure it's correct.
+
+ :::image type="content" source="../../media/ServiceNow-guide/ServiceNow-guide-image35.png" alt-text="Graphical user interface, text, application, email Description automatically generated":::
+
+ 1. Go to Microsoft 365 [Admin Portal](https://admin.microsoft.com) > **Settings** > **Org settings** > **Organization profiles**.
+
+ 1. Set up support integration settings with the information shown in setup flow.
+
+ 1. On the **basic information** tab, select **Service Now** as the internal support tool, and type **Outbound App ID** as the Application ID to issue an OAuth token.
+
+ :::image type="content" source="../../media/ServiceNow-guide/ServiceNow-guide-image18.png" alt-text="Graphical user interface, text, application, email Description automatically generated":::
+
+ 1. On the **Repositories** tab, select **Add a repository** to create a new repository with the following information:
+
+ - Repository: The **Repository ID** value from the Step - 6 Complete the integration page.
+
+ - Endpoint: The **Endpoint** value from the Step - 6 Complete the integration page.
+
+ - Authentication type: Select **AAD Auth**.
+
+ - Client ID: A random value, such as **ignored**.
+
+ - Rest username: A random value, such as **ignored**.
+
+ - Rest user password: A random value, such as **ignored**.
+
+ :::image type="content" source="../../media/ServiceNow-guide/ServiceNow-guide-image36.png" alt-text="Graphical user interface, application Description automatically generated":::
+
+ 1. Go back and select the button to save the integration.
+
+ 1. Select **Next** to complete the integration.
+
+ :::image type="content" source="../../media/ServiceNow-guide/ServiceNow-guide-image37.png" alt-text="Graphical user interface, application Description automatically generated":::
+
+10. \[The person who is a ServiceNow admin\] Enable Microsoft 365 support integration for an existing user.
+
+ Microsoft 365 support integration is enabled only for these user roles:
+
+ - x\_mioms\_m365\_assis.insights\_user
+
+ - x\_mioms\_m365\_assis.administrator
+
+ > [!NOTE]
+ > The user with the role x_mioms_m365_assis.insights_user can see Service Health Incidents, Recommended Solutions. The user with the role x_mioms_m365_assis.administrator also can open a case with Microsoft 365 support. With Insights ONLY, no one should be assigned the role x_mioms_m365_assis.administrator.
+
+## Testing the configuration
+
+If your application requires successful communication with external systems, outline how to test the connection to ensure a successful configuration.
+
+Here are the steps to test the configuration of Microsoft 365 support integration:
+
+1. Log on to ServiceNow portal as admin.
+
+2. Open any incident.
+
+3. Focus on **Microsoft 365 support** tab, and select **Microsoft 365 Insights** to determine if the recommended solutions were retrieved successfully.
+
+ :::image type="content" source="../../media/ServiceNow-guide/ServiceNow-guide-image38.png" alt-text="Graphical user interface, application, website Description automatically generated":::
+
+## Troubleshooting
+
+|#|Problem|Diagnostics action|
+| | | |
+|1|Can't see **Microsoft 365 support** tab|Verify the current view and **System Logs** > **All** with filter x_mioms_m365_assit|
+|2|Select **Microsoft recommended solutions** but get error "Please contact your ServiceNow admin and ask them to complete the setup steps for the app."|Check the error message on top of the form and **System Logs** > **All** with filter x_mioms_m365_assit|
+|3|Select **Microsoft recommended solutions** but get error "Please contact your ServiceNow admin and ask them to complete the final set up step for the app."|Check the error message on top of the form and **System Logs** > **All** with filter x_mioms_m365_assit|
+|4|Type the problem in search box and select **Microsoft recommended solutions** but get error "Please contact your ServiceNow admin and ask them to complete the setup steps for the app."|Check the error message on top of the form and **System Logs** > **All** with filter x_mioms_m365_assit|
+|5|Type problem in search box and select **Microsoft recommended solutions** but get error "Please contact your ServiceNow admin and ask them to complete the final set up step for the app."|Check the error message on top of the form and **System Logs** > **All** with filter x_mioms_m365_assit|
+|6|Select **Contact Microsoft support**, but get the error "Please contact your ServiceNow admin and ask them to complete the setup steps for the app."|Check the error message on top of the form and **System Logs** > **All** with filter x_mioms_m365_assit|
+|7|Select **Contact Microsoft support**, but get the error "Please contact your ServiceNow admin and ask them to complete the final set up step for the app."|Check the error message on top of the form and **System Logs** > **All** with filter x_mioms_m365_assit|
+|8|Select **Contact Microsoft support** but get the error "{EmailAddress} is not a valid Microsoft 365 admin account. You need Microsoft 365 admin privileges to open a service request. In the app, link the admin account."|Check the error message on top of the form and **System Logs** > **All** with filter x_mioms_m365_assit|
+|9|Select **Microsoft recommended solutions** but nothing shows up|Check **System Logs ΓÇô Outbound HTTP logs** with filter login.microsoftonline.com and connector.rave.microsoft.com|
+|10|Select **Microsoft recommended solutions** but get error "Please contact app support."|Check the error message on top of the form and **System Logs** > **All** with filter x_mioms_m365_assit|
+|11|Type problem in search box and select **Microsoft recommended solutions** but nothing shows up|Check **System Logs ΓÇô Outbound HTTP logs** with filter login.microsoftonline.com and connector.rave.microsoft.com|
+|12|Type problem in search box and select **Microsoft recommended solutions** but get error "Please contact app support."|Check the error message on top of the form and **System Logs** > **All** with filter x_mioms_m365_assit|
+|13|User selects **Contact Microsoft support**, but nothing happens|Check **System Logs ΓÇô Outbound HTTP logs** with filter login.microsoftonline.com and connector.rave.microsoft.com|
+|14|CanΓÇÖt see Microsoft recommended solution after reopening the incident|Check **System Logs** > **All** with filter x_mioms_m365_assit|
+|15|CanΓÇÖt see Microsoft cases when reopening the incident that was transferred to Microsoft support|Check **System Logs** > **All** with filter x_mioms_m365_assit|
+|16|Can't save ticket details, get error "Unable to save ticket details. Please contact App support."|Check the error message on top of form|
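Review bot: The two redirect URLs given for the same AAD app registration do not agree: the Insights ONLY prerequisite step 1 lists `https://{your-servicenow-instance}.service-now.com/auth_redirect.do`, while the Outbound OAuth Provider step lists `https://{servicenow-instance-name}.service-now.com/oauth_redirect.do`. AAD only honours a redirect URI that matches a registered one exactly, so pick one path and one placeholder name and use it in both places. Further points in this hunk: the "Testing the configuration" section still contains the authoring-template sentence "If your application requires successful communication with external systems, outline how to test the connection to ensure a successful configuration." and should be deleted; the troubleshooting table's separator row `| | | |` is not a valid markdown header separator (use `|---|---|---|`); every log filter in that table reads `x_mioms_m365_assit` while the scope and roles elsewhere are `x_mioms_m365_assis`, which looks like a typo that would make the filter match nothing, so confirm which string the logs carry; the "Step - 6 Complete the integration page" references sit under a step numbered 9; the trailing "1. Select **Next**." after the Application Settings bullets repeats the instruction that opens that step; and the `ΓÇÖ`, `ΓÇ£`, `ΓÇ¥` and `ΓÇô` sequences are curly quotes and dashes saved in the wrong encoding and should be replaced with plain ASCII.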
business-video Update Payment https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business-video/update-payment.md
description: "Learn how to update your payment method for Microsoft 365 for busi
You can easily update the payment method for your Microsoft 365 Business subscription. You can change details such as the credit card used, the name, or the address.
+## Before you begin
+
+You must be a Global or Billing admin to do the tasks in this article. For more information, see [About admin roles](/microsoft-365/admin/add-users/about-admin-roles).
+ ## Try it! 1. Sign in to the [Microsoft 365 admin center](https://admin.microsoft.com).
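Review bot: The added prerequisite reads "Global or Billing admin"; because updating a payment method needs only billing permissions, lead with the least-privileged role and present Global admin as the fallback, e.g. "You must be a Billing admin (or a Global admin) to do the tasks in this article."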
compliance App Governance Anomaly Detection Alerts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/app-governance-anomaly-detection-alerts.md
This detection identifies that an App consented to high privilege scope, created
1. Review the scopes granted by the app.ΓÇ» 1. Review any inbox rule action created by the app.ΓÇ» 1. Review any SharePoint or OneDrive search activities done by the app.+
+### App made high volume of importance mail read and created inbox rule
+
+**Severity**: Medium 
+
+**MITRE IDs**: T1137, T1114
+
+This detection identifies that an App consented to high privilege scope, creates suspicious inbox rule and made a high volume of important mail read activities through Graph API. This can indicate an attempted breach of your organization, such as adversaries attempting to read high importance email from your organization through Graph API.ΓÇ»
+
+**TP or FP?**
+
+- **TP**: If you’re able to confirm that high volume of important email read through Graph API by an OAuth app with high privilege scope, and the app is delivered from unknown source. 
+
+ **Recommended Action**:ΓÇ» Disable and remove the App, reset the password, and remove the inbox rule.ΓÇ»
+
+- **FP**: If you’re able to confirm app has performed high volume of important email read through Graph API and created an inbox rule to a new or personal external email account for legitimate reasons. 
+
+ **Recommended Action**: Dismiss the alertΓÇ»
+
+**Understand the scope of the breach**
+
+1. Review all activities done by the app.ΓÇ»
+1. Review the scopes granted by the app.ΓÇ»
+1. Review any inbox rule action created by the app.ΓÇ»
+1. Review any high importance email read activity done by the app.ΓÇ»
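Review bot: The TP recommended action "Disable and remove the App, reset the password, and remove the inbox rule" does not say whose password is meant; state that it is the password of the user account that consented to the app, since that is the account whose mailbox the rule and the high-importance reads targeted. Also, the FP bullet treats an inbox rule "to a new or personal external email account" as a legitimate reason, which in most organizations is a policy violation in its own right; consider narrowing that example. Wording: the heading "high volume of importance mail read" should be "high volume of high-importance mail read"; the description mixes tenses ("consented ... creates ... made"); both TP/FP bullets are sentence fragments ("If you're able to confirm that high volume of important email read through Graph API by an OAuth app ..."); and the `ΓÇ»` sequences at line ends are mis-encoded non-breaking spaces.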
compliance App Governance Get Started https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/app-governance-get-started.md
To begin using the app governance add-on to Microsoft Cloud App Security, you ne
## Step 2: Sign up for free trial of app governance
-For new Microsoft 365 customers:
-
-1. At the top of this page, select the **Free Account** button.
-1. UnderΓÇ»**Try Microsoft 365 for business** select **Try 1 month free**.
-1. Complete the steps for the sign-up.
-1. Continue with the steps for existing Microsoft 365 customers.
- For existing Microsoft 365 customers: 1. Navigate to the [sign up page for the free trial](https://admin.microsoft.com/Commerce/Trial.aspx?OfferId=20be85b6-b196-402c-82b4-36b4e72862dc). 1. Complete the steps to add app governance. Sign-up is simple, as shown in the following graphic. +
+If you are not already a Microsoft 365 customer, you can sign up for a free trial:
+
+1. At the top of this page, select the **Free Account** button.
+1. UnderΓÇ»**Try Microsoft 365 for business** select **Try 1 month free**.
+1. Complete the steps for the sign-up.
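Review bot: The hunk deletes the existing-customer path (the `Trial.aspx?OfferId=...` sign-up link and "Complete the steps to add app governance") together with the bridge "Continue with the steps for existing Microsoft 365 customers", but the replacement text only covers readers who are not yet Microsoft 365 customers; as shown, an existing customer no longer has a link to start the trial, and a new customer has nowhere to go after sign-up. Restore the existing-customer steps after the new-customer list, or confirm they now appear elsewhere in the article.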
## Step 3: Add integration with MCAS
One of the following administrator roles is required to see app governance pages
- Security Operator - Security Reader (read-only)
-> [!NOTE]
-> Only a Global Admin can activate the app governance free trial.
- Here are the capabilities for each role. | Role | Read the dashboard | Read all apps |Read policies | Create, update, or delete policies | Read alerts | Update alerts | Read settings | Update settings | Read Remediation | Update Remediation |
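Review bot: Removing the note "Only a Global Admin can activate the app governance free trial." drops a prerequisite without stating what replaces it; if the restriction still holds, it belongs in Step 2 beside the sign-up steps, and if activation now works with the roles listed in Step 3, say so there rather than silently deleting the note.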
compliance Archive 17A 4 Blackberry Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-17a-4-blackberry-data.md
The following overview explains the process of using a data connector to archive
- The user who creates the BlackBerry DataParser connector in Step 1 (and completes it in Step 3) must be assigned to the Mailbox Import Export role in Exchange Online. This role is required to add connectors on the **Data connectors** page in the Microsoft 365 compliance center. By default, this role is not assigned to a role group in Exchange Online. You can add the Mailbox Import Export role to the Organization Management role group in Exchange Online. Or you can create a role group, assign the Mailbox Import Export role, and then add the appropriate users as members. For more information, see the [Create role groups](/Exchange/permissions-exo/role-groups#create-role-groups) or [Modify role groups](/Exchange/permissions-exo/role-groups#modify-role-groups) sections in the article "Manage role groups in Exchange Online".
+- This data connector is available in GCC environments in the Microsoft 365 US Government cloud. Third-party applications and services might involve storing, transmitting, and processing your organization's customer data on third-party systems that are outside of the Microsoft 365 infrastructure and therefore are not covered by the Microsoft 365 compliance and data protection commitments. Microsoft makes no representation that use of this product to connect to third-party applications implies that those third-party applications are FEDRAMP compliant.
+ ## Step 1: Set up a BlackBerry DataParser connector The first step is to access to the Data connectors page in the Microsoft 365 compliance center and create a 17a-4 connector for BlackBerry data.
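Review bot: The new bullet packs two different statements into one item: that the connector is available in GCC, and a data-handling caveat that customer data leaves the Microsoft 365 boundary and is not covered by its compliance commitments. Split it into an availability line and a separate note so the caveat is not read as part of the availability claim, and write the program name as "FedRAMP" (its official styling) rather than "FEDRAMP". The same sentence is added verbatim to the Bloomberg, Cisco Jabber, FactSet, Fuze, FX Connect and ICE connector articles below, so it is better kept in one shared include than in seven copies that will drift.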
compliance Archive 17A 4 Bloomberg Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-17a-4-bloomberg-data.md
The following overview explains the process of using a data connector to archive
- The user who creates the Bloomberg DataParser connector in Step 1 (and completes it in Step 3) must be assigned to the Mailbox Import Export role in Exchange Online. This role is required to add connectors on the **Data connectors** page in the Microsoft 365 compliance center. By default, this role is not assigned to a role group in Exchange Online. You can add the Mailbox Import Export role to the Organization Management role group in Exchange Online. Or you can create a role group, assign the Mailbox Import Export role, and then add the appropriate users as members. For more information, see the [Create role groups](/Exchange/permissions-exo/role-groups#create-role-groups) or [Modify role groups](/Exchange/permissions-exo/role-groups#modify-role-groups) sections in the article "Manage role groups in Exchange Online".
+- This data connector is available in GCC environments in the Microsoft 365 US Government cloud. Third-party applications and services might involve storing, transmitting, and processing your organization's customer data on third-party systems that are outside of the Microsoft 365 infrastructure and therefore are not covered by the Microsoft 365 compliance and data protection commitments. Microsoft makes no representation that use of this product to connect to third-party applications implies that those third-party applications are FEDRAMP compliant.
+ ## Step 1: Set up a Bloomberg DataParser connector The first step is to access to the Data connectors page in the Microsoft 365 compliance center and create a 17a-4 connector for Bloomberg data.
compliance Archive 17A 4 Cisco Jabber Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-17a-4-cisco-jabber-data.md
The following overview explains the process of using a data connector to archive
- The user who creates the Cisco Jabber DataParser connector in Step 1 (and completes it in Step 3) must be assigned to the Mailbox Import Export role in Exchange Online. This role is required to add connectors on the **Data connectors** page in the Microsoft 365 compliance center. By default, this role is not assigned to a role group in Exchange Online. You can add the Mailbox Import Export role to the Organization Management role group in Exchange Online. Or you can create a role group, assign the Mailbox Import Export role, and then add the appropriate users as members. For more information, see the [Create role groups](/Exchange/permissions-exo/role-groups#create-role-groups) or [Modify role groups](/Exchange/permissions-exo/role-groups#modify-role-groups) sections in the article "Manage role groups in Exchange Online".
+- This data connector is available in GCC environments in the Microsoft 365 US Government cloud. Third-party applications and services might involve storing, transmitting, and processing your organization's customer data on third-party systems that are outside of the Microsoft 365 infrastructure and therefore are not covered by the Microsoft 365 compliance and data protection commitments. Microsoft makes no representation that use of this product to connect to third-party applications implies that those third-party applications are FEDRAMP compliant.
+ ## Step 1: Set up a Cisco Jabber DataParser connector The first step is to access to the Data connectors page in the Microsoft 365 compliance center and create a 17a-4 connector for Cisco Jabber data.
compliance Archive 17A 4 Factset Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-17a-4-factset-data.md
The following overview explains the process of using a data connector to archive
- The user who creates the FactSet DataParser connector in Step 1 (and completes it in Step 3) must be assigned to the Mailbox Import Export role in Exchange Online. This role is required to add connectors on the **Data connectors** page in the Microsoft 365 compliance center. By default, this role is not assigned to a role group in Exchange Online. You can add the Mailbox Import Export role to the Organization Management role group in Exchange Online. Or you can create a role group, assign the Mailbox Import Export role, and then add the appropriate users as members. For more information, see the [Create role groups](/Exchange/permissions-exo/role-groups#create-role-groups) or [Modify role groups](/Exchange/permissions-exo/role-groups#modify-role-groups) sections in the article "Manage role groups in Exchange Online".
+- This data connector is available in GCC environments in the Microsoft 365 US Government cloud. Third-party applications and services might involve storing, transmitting, and processing your organization's customer data on third-party systems that are outside of the Microsoft 365 infrastructure and therefore are not covered by the Microsoft 365 compliance and data protection commitments. Microsoft makes no representation that use of this product to connect to third-party applications implies that those third-party applications are FEDRAMP compliant.
+ ## Step 1: Set up a FactSet DataParser connector The first step is to access to the Data connectors page in the Microsoft 365 compliance center and create a 17a-4 connector for FactSet data.
compliance Archive 17A 4 Fuze Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-17a-4-fuze-data.md
The following overview explains the process of using a data connector to archive
- The user who creates the Fuze DataParser connector in Step 1 (and completes it in Step 3) must be assigned to the Mailbox Import Export role in Exchange Online. This role is required to add connectors on the **Data connectors** page in the Microsoft 365 compliance center. By default, this role is not assigned to a role group in Exchange Online. You can add the Mailbox Import Export role to the Organization Management role group in Exchange Online. Or you can create a role group, assign the Mailbox Import Export role, and then add the appropriate users as members. For more information, see the [Create role groups](/Exchange/permissions-exo/role-groups#create-role-groups) or [Modify role groups](/Exchange/permissions-exo/role-groups#modify-role-groups) sections in the article "Manage role groups in Exchange Online".
+- This data connector is available in GCC environments in the Microsoft 365 US Government cloud. Third-party applications and services might involve storing, transmitting, and processing your organization's customer data on third-party systems that are outside of the Microsoft 365 infrastructure and therefore are not covered by the Microsoft 365 compliance and data protection commitments. Microsoft makes no representation that use of this product to connect to third-party applications implies that those third-party applications are FEDRAMP compliant.
+ ## Step 1: Set up a Fuze DataParser connector The first step is to access to the Data connectors page in the Microsoft 365 compliance center and create a 17a-4 connector for Fuze data.
compliance Archive 17A 4 Fxconnect Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-17a-4-fxconnect-data.md
The following overview explains the process of using a data connector to archive
- The user who creates the FX Connect DataParser connector in Step 1 (and completes it in Step 3) must be assigned to the Mailbox Import Export role in Exchange Online. This role is required to add connectors on the **Data connectors** page in the Microsoft 365 compliance center. By default, this role is not assigned to a role group in Exchange Online. You can add the Mailbox Import Export role to the Organization Management role group in Exchange Online. Or you can create a role group, assign the Mailbox Import Export role, and then add the appropriate users as members. For more information, see the [Create role groups](/Exchange/permissions-exo/role-groups#create-role-groups) or [Modify role groups](/Exchange/permissions-exo/role-groups#modify-role-groups) sections in the article "Manage role groups in Exchange Online".
+- This data connector is available in GCC environments in the Microsoft 365 US Government cloud. Third-party applications and services might involve storing, transmitting, and processing your organization's customer data on third-party systems that are outside of the Microsoft 365 infrastructure and therefore are not covered by the Microsoft 365 compliance and data protection commitments. Microsoft makes no representation that use of this product to connect to third-party applications implies that those third-party applications are FEDRAMP compliant.
+ ## Step 1: Set up a FX Connect DataParser connector The first step is to access to the Data connectors page in the Microsoft 365 compliance center and create a 17a-4 connector for FX Connect data.
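Review bot: "Set up a FX Connect DataParser connector" in the new Step 1 heading should be "an FX Connect", since "FX" is read letter by letter. The sentence under the heading has the same "to access to the Data connectors page" slip as the other connector pages in this batch; drop the extra "to".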
compliance Archive 17A 4 Ice Im Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-17a-4-ice-im-data.md
The following overview explains the process of using a data connector to archive
- The user who creates the ICE DataParser connector in Step 1 (and completes it in Step 3) must be assigned to the Mailbox Import Export role in Exchange Online. This role is required to add connectors on the **Data connectors** page in the Microsoft 365 compliance center. By default, this role is not assigned to a role group in Exchange Online. You can add the Mailbox Import Export role to the Organization Management role group in Exchange Online. Or you can create a role group, assign the Mailbox Import Export role, and then add the appropriate users as members. For more information, see the [Create role groups](/Exchange/permissions-exo/role-groups#create-role-groups) or [Modify role groups](/Exchange/permissions-exo/role-groups#modify-role-groups) sections in the article "Manage role groups in Exchange Online".
+- This data connector is available in GCC environments in the Microsoft 365 US Government cloud. Third-party applications and services might involve storing, transmitting, and processing your organization's customer data on third-party systems that are outside of the Microsoft 365 infrastructure and therefore are not covered by the Microsoft 365 compliance and data protection commitments. Microsoft makes no representation that use of this product to connect to third-party applications implies that those third-party applications are FEDRAMP compliant.
+ ## Step 1: Set up an ICE DataParser connector The first step is to access to the Data connectors page in the Microsoft 365 compliance center and create a 17a-4 connector for ICE Connect Chat data.
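Review bot: the new Step 1 heading names an "ICE DataParser connector" while the sentence beneath it says "a 17a-4 connector for ICE Connect Chat data", and the availability table added to archiving-third-party-data.md in this same batch lists the row as "ICE DataParser"; either use one product name throughout or state once that the ICE DataParser connector archives ICE Connect Chat data. Same "to access to the Data connectors page" typo as elsewhere; should read "to access the".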
compliance Archive 17A 4 Investedge Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-17a-4-investedge-data.md
The following overview explains the process of using a data connector to archive
- The user who creates the InvestEdge DataParser connector in Step 1 (and completes it in Step 3) must be assigned to the Mailbox Import Export role in Exchange Online. This role is required to add connectors on the **Data connectors** page in the Microsoft 365 compliance center. By default, this role is not assigned to a role group in Exchange Online. You can add the Mailbox Import Export role to the Organization Management role group in Exchange Online. Or you can create a role group, assign the Mailbox Import Export role, and then add the appropriate users as members. For more information, see the [Create role groups](/Exchange/permissions-exo/role-groups#create-role-groups) or [Modify role groups](/Exchange/permissions-exo/role-groups#modify-role-groups) sections in the article "Manage role groups in Exchange Online".
+- This data connector is available in GCC environments in the Microsoft 365 US Government cloud. Third-party applications and services might involve storing, transmitting, and processing your organization's customer data on third-party systems that are outside of the Microsoft 365 infrastructure and therefore are not covered by the Microsoft 365 compliance and data protection commitments. Microsoft makes no representation that use of this product to connect to third-party applications implies that those third-party applications are FEDRAMP compliant.
+ ## Step 1: Set up a InvestEdge DataParser connector The first step is to access to the Data connectors page in the Microsoft 365 compliance center and create a 17a-4 connector for InvestEdge data.
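Review bot: "Set up a InvestEdge DataParser connector" should be "an InvestEdge". The Step 1 sentence also carries the batch-wide "to access to the Data connectors page" slip; drop the extra "to".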
compliance Archive 17A 4 Liveperson Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-17a-4-liveperson-data.md
The following overview explains the process of using a data connector to archive
- The user who creates the LivePerson Conversational Cloud DataParser connector in Step 1 (and completes it in Step 3) must be assigned to the Mailbox Import Export role in Exchange Online. This role is required to add connectors on the **Data connectors** page in the Microsoft 365 compliance center. By default, this role is not assigned to a role group in Exchange Online. You can add the Mailbox Import Export role to the Organization Management role group in Exchange Online. Or you can create a role group, assign the Mailbox Import Export role, and then add the appropriate users as members. For more information, see the [Create role groups](/Exchange/permissions-exo/role-groups#create-role-groups) or [Modify role groups](/Exchange/permissions-exo/role-groups#modify-role-groups) sections in the article "Manage role groups in Exchange Online".
+- This data connector is available in GCC environments in the Microsoft 365 US Government cloud. Third-party applications and services might involve storing, transmitting, and processing your organization's customer data on third-party systems that are outside of the Microsoft 365 infrastructure and therefore are not covered by the Microsoft 365 compliance and data protection commitments. Microsoft makes no representation that use of this product to connect to third-party applications implies that those third-party applications are FEDRAMP compliant.
+ ## Step 1: Set up a LivePerson Conversational Cloud DataParser connector The first step is to access to the Data connectors page in the Microsoft 365 compliance center and create a 17a-4 connector for LivePerson Conversational Cloud data.
compliance Archive 17A 4 Quip Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-17a-4-quip-data.md
The following overview explains the process of using a data connector to archive
- The user who creates the Quip DataParser connector in Step 1 (and completes it in Step 3) must be assigned to the Mailbox Import Export role in Exchange Online. This role is required to add connectors on the **Data connectors** page in the Microsoft 365 compliance center. By default, this role is not assigned to a role group in Exchange Online. You can add the Mailbox Import Export role to the Organization Management role group in Exchange Online. Or you can create a role group, assign the Mailbox Import Export role, and then add the appropriate users as members. For more information, see the [Create role groups](/Exchange/permissions-exo/role-groups#create-role-groups) or [Modify role groups](/Exchange/permissions-exo/role-groups#modify-role-groups) sections in the article "Manage role groups in Exchange Online".
+- This data connector is available in GCC environments in the Microsoft 365 US Government cloud. Third-party applications and services might involve storing, transmitting, and processing your organization's customer data on third-party systems that are outside of the Microsoft 365 infrastructure and therefore are not covered by the Microsoft 365 compliance and data protection commitments. Microsoft makes no representation that use of this product to connect to third-party applications implies that those third-party applications are FEDRAMP compliant.
+ ## Step 1: Set up a Quip DataParser connector The first step is to access to the Data connectors page in the Microsoft 365 compliance center and create a 17a-4 connector for Quip data.
compliance Archive 17A 4 Refinitiv Messenger Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-17a-4-refinitiv-messenger-data.md
localization_priority: Normal
-description: "Learn how to set up and use a 17a-4 Refinitiv Eikon Messenger DataParser connector to import and archive Refinitiv Eikon Messenger data in Microsoft 365."
+description: "Learn how to set up and use a 17a-4 Refinitiv Eikon Messenger DataParser connector to import and archive this data in Microsoft 365."
# Set up a connector to archive Refinitiv Eikon Messenger data
The following overview explains the process of using a data connector to archive
## Before you set up a connector -- Create a DataParser account for Microsoft connectors. To do this, contact [17a-4 LLC](https://www.17a-4.com/contact/). You need to sign into this account when you create the connector in Step 1.
+- Create a DataParser account for Microsoft connectors. To do create an account, contact [17a-4 LLC](https://www.17a-4.com/contact/). You will need to sign into this account when you create the connector in Step 1.
- The user who creates the Refinitiv Eikon Messenger DataParser connector in Step 1 (and completes it in Step 3) must be assigned to the Mailbox Import Export role in Exchange Online. This role is required to add connectors on the **Data connectors** page in the Microsoft 365 compliance center. By default, this role is not assigned to a role group in Exchange Online. You can add the Mailbox Import Export role to the Organization Management role group in Exchange Online. Or you can create a role group, assign the Mailbox Import Export role, and then add the appropriate users as members. For more information, see the [Create role groups](/Exchange/permissions-exo/role-groups#create-role-groups) or [Modify role groups](/Exchange/permissions-exo/role-groups#modify-role-groups) sections in the article "Manage role groups in Exchange Online".
+- This data connector is available in GCC environments in the Microsoft 365 US Government cloud. Third-party applications and services might involve storing, transmitting, and processing your organization's customer data on third-party systems that are outside of the Microsoft 365 infrastructure and therefore are not covered by the Microsoft 365 compliance and data protection commitments. Microsoft makes no representation that use of this product to connect to third-party applications implies that those third-party applications are FEDRAMP-compliant.
+ ## Step 1: Set up a Refinitiv Eikon Messenger DataParser connector The first step is to access to the Data connectors page in the Microsoft 365 compliance center and create a 17a-4 connector for Refinitiv Eikon Messenger data.
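Review bot: the replacement bullet "To do create an account, contact 17a-4 LLC" merges the old "To do this" with the new wording; it should read "To create an account, contact 17a-4 LLC". The GCC bullet here says "FEDRAMP-compliant" while the same bullet on every other 17a-4 page in this batch says "FEDRAMP compliant"; pick one form, and the correct spelling is "FedRAMP" in either case. The Step 1 sentence has the same "to access to the Data connectors page" slip as the other pages; drop the extra "to".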
compliance Archive 17A 4 Servicenow Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-17a-4-servicenow-data.md
The following overview explains the process of using a data connector to archive
- The user who creates the ServiceNow DataParser connector in Step 1 (and completes it in Step 3) must be assigned to the Mailbox Import Export role in Exchange Online. This role is required to add connectors on the **Data connectors** page in the Microsoft 365 compliance center. By default, this role is not assigned to a role group in Exchange Online. You can add the Mailbox Import Export role to the Organization Management role group in Exchange Online. Or you can create a role group, assign the Mailbox Import Export role, and then add the appropriate users as members. For more information, see the [Create role groups](/Exchange/permissions-exo/role-groups#create-role-groups) or [Modify role groups](/Exchange/permissions-exo/role-groups#modify-role-groups) sections in the article "Manage role groups in Exchange Online".
+- This data connector is available in GCC environments in the Microsoft 365 US Government cloud. Third-party applications and services might involve storing, transmitting, and processing your organization's customer data on third-party systems that are outside of the Microsoft 365 infrastructure and therefore are not covered by the Microsoft 365 compliance and data protection commitments. Microsoft makes no representation that use of this product to connect to third-party applications implies that those third-party applications are FEDRAMP compliant.
+ ## Step 1: Set up a ServiceNow DataParser connector The first step is to access to the Data connectors page in the Microsoft 365 compliance center and create a 17a-4 connector for ServiceNow data.
compliance Archive 17A 4 Skype For Business Server Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-17a-4-skype-for-business-server-data.md
The following overview explains the process of using a data connector to archive
- The user who creates the Skype for Business Server DataParser connector in Step 1 (and completes it in Step 3) must be assigned to the Mailbox Import Export role in Exchange Online. This role is required to add connectors on the **Data connectors** page in the Microsoft 365 compliance center. By default, this role is not assigned to a role group in Exchange Online. You can add the Mailbox Import Export role to the Organization Management role group in Exchange Online. Or you can create a role group, assign the Mailbox Import Export role, and then add the appropriate users as members. For more information, see the [Create role groups](/Exchange/permissions-exo/role-groups#create-role-groups) or [Modify role groups](/Exchange/permissions-exo/role-groups#modify-role-groups) sections in the article "Manage role groups in Exchange Online".
+- This data connector is available in GCC environments in the Microsoft 365 US Government cloud. Third-party applications and services might involve storing, transmitting, and processing your organization's customer data on third-party systems that are outside of the Microsoft 365 infrastructure and therefore are not covered by the Microsoft 365 compliance and data protection commitments. Microsoft makes no representation that use of this product to connect to third-party applications implies that those third-party applications are FEDRAMP compliant.
+ ## Step 1: Set up a Skype for Business Server DataParser connector The first step is to access to the Data connectors page in the Microsoft 365 compliance center and create a 17a-4 connector for Skype for Business Server data.
compliance Archive 17A 4 Slack Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-17a-4-slack-data.md
The following overview explains the process of using a data connector to archive
- The user who creates the Slack DataParser connector in Step 1 (and completes it in Step 3) must be assigned to the Mailbox Import Export role in Exchange Online. This role is required to add connectors on the **Data connectors** page in the Microsoft 365 compliance center. By default, this role is not assigned to a role group in Exchange Online. You can add the Mailbox Import Export role to the Organization Management role group in Exchange Online. Or you can create a role group, assign the Mailbox Import Export role, and then add the appropriate users as members. For more information, see the [Create role groups](/Exchange/permissions-exo/role-groups#create-role-groups) or [Modify role groups](/Exchange/permissions-exo/role-groups#modify-role-groups) sections in the article "Manage role groups in Exchange Online".
+- This data connector is available in GCC environments in the Microsoft 365 US Government cloud. Third-party applications and services might involve storing, transmitting, and processing your organization's customer data on third-party systems that are outside of the Microsoft 365 infrastructure and therefore are not covered by the Microsoft 365 compliance and data protection commitments. Microsoft makes no representation that use of this product to connect to third-party applications implies that those third-party applications are FEDRAMP compliant.
+ ## Step 1: Set up a Slack DataParser connector The first step is to access to the Data connectors page in the Microsoft 365 compliance center and create a 17a-4 connector for Slack data.
compliance Archive 17A 4 Sql Database Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-17a-4-sql-database-data.md
The following overview explains the process of using a data connector to archive
- The user who creates the SQL DataParser connector in Step 1 (and completes it in Step 3) must be assigned to the Mailbox Import Export role in Exchange Online. This role is required to add connectors on the **Data connectors** page in the Microsoft 365 compliance center. By default, this role is not assigned to a role group in Exchange Online. You can add the Mailbox Import Export role to the Organization Management role group in Exchange Online. Or you can create a role group, assign the Mailbox Import Export role, and then add the appropriate users as members. For more information, see the [Create role groups](/Exchange/permissions-exo/role-groups#create-role-groups) or [Modify role groups](/Exchange/permissions-exo/role-groups#modify-role-groups) sections in the article "Manage role groups in Exchange Online".
+- This data connector is available in GCC environments in the Microsoft 365 US Government cloud. Third-party applications and services might involve storing, transmitting, and processing your organization's customer data on third-party systems that are outside of the Microsoft 365 infrastructure and therefore are not covered by the Microsoft 365 compliance and data protection commitments. Microsoft makes no representation that use of this product to connect to third-party applications implies that those third-party applications are FEDRAMP compliant.
+ ## Step 1: Set up a SQL DataParser connector The first step is to access to the Data connectors page in the Microsoft 365 compliance center and create a 17a-4 connector for SQL data.
compliance Archive 17A 4 Symphony Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-17a-4-symphony-data.md
The following overview explains the process of using a data connector to archive
- The user who creates the Symphony DataParser connector in Step 1 (and completes it in Step 3) must be assigned to the Mailbox Import Export role in Exchange Online. This role is required to add connectors on the **Data connectors** page in the Microsoft 365 compliance center. By default, this role is not assigned to a role group in Exchange Online. You can add the Mailbox Import Export role to the Organization Management role group in Exchange Online. Or you can create a role group, assign the Mailbox Import Export role, and then add the appropriate users as members. For more information, see the [Create role groups](/Exchange/permissions-exo/role-groups#create-role-groups) or [Modify role groups](/Exchange/permissions-exo/role-groups#modify-role-groups) sections in the article "Manage role groups in Exchange Online".
+- This data connector is available in GCC environments in the Microsoft 365 US Government cloud. Third-party applications and services might involve storing, transmitting, and processing your organization's customer data on third-party systems that are outside of the Microsoft 365 infrastructure and therefore are not covered by the Microsoft 365 compliance and data protection commitments. Microsoft makes no representation that use of this product to connect to third-party applications implies that those third-party applications are FEDRAMP compliant.
+ ## Step 1: Set up a Symphony DataParser connector The first step is to access to the Data connectors page in the Microsoft 365 compliance center and create a 17a-4 connector for Symphony data.
compliance Archive 17A 4 Webex Teams Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-17a-4-webex-teams-data.md
The following overview explains the process of using a data connector to archive
- The user who creates the Cisco Webex DataParser connector in Step 1 (and completes it in Step 3) must be assigned to the Mailbox Import Export role in Exchange Online. This role is required to add connectors on the **Data connectors** page in the Microsoft 365 compliance center. By default, this role is not assigned to a role group in Exchange Online. You can add the Mailbox Import Export role to the Organization Management role group in Exchange Online. Or you can create a role group, assign the Mailbox Import Export role, and then add the appropriate users as members. For more information, see the [Create role groups](/Exchange/permissions-exo/role-groups#create-role-groups) or [Modify role groups](/Exchange/permissions-exo/role-groups#modify-role-groups) sections in the article "Manage role groups in Exchange Online".
+- This data connector is available in GCC environments in the Microsoft 365 US Government cloud. Third-party applications and services might involve storing, transmitting, and processing your organization's customer data on third-party systems that are outside of the Microsoft 365 infrastructure and therefore are not covered by the Microsoft 365 compliance and data protection commitments. Microsoft makes no representation that use of this product to connect to third-party applications implies that those third-party applications are FEDRAMP compliant.
+ ## Step 1: Set up a Cisco Webex DataParser connector The first step is to access to the Data connectors page in the Microsoft 365 compliance center and create a 17a-4 connector for Cisco Webex data.
compliance Archive 17A 4 Zoom Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-17a-4-zoom-data.md
The following overview explains the process of using a data connector to archive
- The user who creates the Zoom DataParser connector in Step 1 (and completes it in Step 3) must be assigned to the Mailbox Import Export role in Exchange Online. This role is required to add connectors on the **Data connectors** page in the Microsoft 365 compliance center. By default, this role is not assigned to a role group in Exchange Online. You can add the Mailbox Import Export role to the Organization Management role group in Exchange Online. Or you can create a role group, assign the Mailbox Import Export role, and then add the appropriate users as members. For more information, see the [Create role groups](/Exchange/permissions-exo/role-groups#create-role-groups) or [Modify role groups](/Exchange/permissions-exo/role-groups#modify-role-groups) sections in the article "Manage role groups in Exchange Online".
+- This data connector is available in GCC environments in the Microsoft 365 US Government cloud. Third-party applications and services might involve storing, transmitting, and processing your organization's customer data on third-party systems that are outside of the Microsoft 365 infrastructure and therefore are not covered by the Microsoft 365 compliance and data protection commitments. Microsoft makes no representation that use of this product to connect to third-party applications implies that those third-party applications are FEDRAMP compliant.
+ ## Step 1: Set up a Zoom DataParser connector The first step is to access to the Data connectors page in the Microsoft 365 compliance center and create a 17a-4 connector for Zoom data.
compliance Archiving Third Party Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archiving-third-party-data.md
search.appverid:
ms.assetid: 0ce338d5-3666-4a18-86ab-c6910ff408cc - seo-marvel-apr2020
-description: "Learn how to import third-party data from social media platforms, instant messaging platforms, and document collaboration platforms to Microsoft 365 mailboxes."
+description: "Learn how to import and archive third-party data from social media platforms, instant messaging platforms, and document collaboration platforms to Microsoft 365 mailboxes."
# Archive third-party data in Microsoft 365
The table in this section lists the third-party data connectors available in par
Before you can archive third-party data in Microsoft 365, you have to work with 17a-4 LLC to set up their archiving service (called *DataParser*) for your organization. For more information, click the link in the **Third-party data** column to go the step-by-step instructions for creating a connector for that data type.
+17a-4 data connectors are also available in GCC environments in the Microsoft 365 US Government cloud. For more information, see the [Data connectors in the US Government cloud](#data-connectors-in-the-us-government-cloud) section in this article.
+ |Third-party data |Litigation hold|eDiscovery |Retention settings |Records management |Communication compliance |Insider risk management | |:|:|:|:|:|:|:| |[BlackBerry](archive-17a-4-blackberry-data.md) |![Check mark.](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
Some data connectors are available in the US Government cloud. The following sec
|CellTrust SL2 | Yes | No | No | |||||
+### 17a-4 data connectors
+
+|Data connector |GCC |GCC High |DoD |
+|:|:|:|:|
+|BlackBerry DataParser | Yes | No | No |
+|Bloomberg DataParser | Yes | No | No |
+|Cisco Jabber DataParser | Yes | No | No |
+|Cisco Webex DataParser | Yes | No | No |
+|FactSet DataParser | Yes | No | No |
+|Fuze DataParser | Yes | No | No |
+|FX Connect DataParser | Yes | No | No |
+|ICE DataParser | Yes | No | No |
+|InvestEdge DataParser | Yes | No | No |
+|LivePerson Conversational Cloud DataParser | Yes | No | No |
+|Quip DataParser | Yes | No | No |
+|Refinitiv Eikon Messenger DataParser | Yes | No | No |
+|ServiceNow DataParser | Yes | No | No |
+|Skype for Business Server DataParser | Yes | No | No |
+|Slack DataParser | Yes | No | No |
+|SQL DataParser | Yes | No | No |
+|Symphony DataParser | Yes | No | No |
+|Zoom DataParser | Yes | No | No |
+|||||
+ ## Working with a Microsoft partner to archive third-party data Another option for importing and archiving third-party data is for your organization to work with a Microsoft Partner. If a third-party data type isn't supported by the data connectors available in the Microsoft compliance center, you can work with a partner who can provide a custom connector that will be configured to extract items from the third-party data source on a regular basis and then connect to the Microsoft cloud by a third-party API and import those items to Microsoft 365. The partner connector also converts the content of an item from the third-party data source to an email message and then imports it to a mailbox in Microsoft 365.
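Review bot: the new 17a-4 availability table ends with a "|||||" line, which renders as an empty table row; the CellTrust SL2 table just above it ends the same way, so both lines should go. Since this commit already touches the paragraph that points readers at the per-connector pages, the unchanged sentence "click the link in the Third-party data column to go the step-by-step instructions" could pick up its missing "to" ("to go to the step-by-step instructions") at the same time.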
compliance Compliance Easy Trials https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/compliance-easy-trials.md
+
+ Title: "About the Microsoft Compliance trial"
+f1.keywords:
+- NOCSH
+++
+audience: Admin
+++
+localization_priority: Priority
+search.appverid:
+- MOE150
+- MET150
+description: "About the Microsoft Compliance free trials."
++
+# About the free trial for Microsoft Compliance
+
+Microsoft compliance products protect your organization from internal threats rising from inappropriate permissions on files and emails, and ensures compliance with regulatory and policy requirements.
+
+A Microsoft E5 compliance trial is the easiest way to try the capabilities of Microsoft compliance products, and setting it up only takes a couple of clicks. After the trial setup is complete, all features of the Microsoft E5 license package are available for you to use for up to 90 days.
+
+## Terms and conditions
+
+See the [terms and conditions](terms-conditions.md) for the Microsoft 365 free trial.
+
+## Set up a Compliance trial
+
+You can sign-up for a trial in the Microsoft compliance center using the Trials link in the left navigation pane.
+
+## Licensing
+
+As part of the trial setup, the Microsoft E5 compliance licenses are automatically applied to the organization. The licenses are active for the first 90 days.
+
+## Permissions
+
+To start or end the trial, you need to be a member of the Global Administrator or Security Administrator roles in Azure Active Directory. For details, see About admin roles.
+
+## Additional information
+
+After you enroll in the trial, it might take up to 2 hours for the changes and updates to be available. And, admins must log out and log back in to see the changes.
+
+You can extend the trial within the last 15 days of the trial period. You are limited to a maximum of two trial periods. If you do not extend by the time your trial period ends, you must wait at least 30 days before signing up for a second trial.
+
+## Ending the trial
+
+Admins can disable the trial at any point by going to the compliance card.
+
+If you decide not to enroll in a feature that is part of the compliance trial, your trial data will be maintained for a period of time, usually 180 days, before being permanently deleted. You may continue to access the data gathered during the trial until that time.
+
+## Availability
+
+The Microsoft Compliance free trial is gradually rolling out to existing customers who meet specific criteria (including geography) who don't already have a Microsoft E5 license package.
+
+## Learn more about compliance
+
+Wondering what you can experience in your free trial? A Microsoft compliance trial includes the following:
+
+<!--
+- **application governance**
+
+ Application governance is an add-on for Microsoft Cloud App Security that monitors OAuth apps running in your Microsoft 365 tenant for excessive permissions and inappropriate access to files and email. [Learn more](app-governance-manage-app-governance.md)
+-->
+
+- **Audit**
+
+ Advanced Audit helps organizations to conduct forensic and compliance investigations by increasing audit log retention required to conduct an investigation, providing access to crucial events that help determine scope of compromise, and faster access to Office 365 Management Activity API. [Learn more](advanced-audit.md)
+
+- **Compliance Manager**
+
+ Compliance Manager can help you throughout your compliance journey, from taking inventory of your data protection risks to managing the complexities of implementing controls, staying current with regulations and certifications, and reporting to auditors. [Learn more](compliance-manager.md)
+
+- **Data Loss Prevention**
+
+ To comply with business standards and industry regulations, organizations need to protect sensitive info to prevent its inadvertent disclosure. Set up data loss prevention policies to identify, monitor, and automatically protect sensitive info across Microsoft 365. [Learn more](dlp-learn-about-dlp.md)
+
+- **eDiscovery**
+
+ Take advantage of an end-to-end workflow for preserving, collecting, analyzing, and exporting content that's responsive to your organization's internal and external investigations. Legal teams can also manage the entire legal hold notification process by communicating with custodians involved in a case. [Learn more](ediscovery.md)
+
+- **Information Protection**
+
+ Implement Microsoft Information Protection and sensitivity labels, to help you discover, classify, and protect your sensitive content wherever it lives or travels. [Learn more](information-protection.md)
+
+- **Insider Risk Management**
+
+ Leverage artificial intelligence to help you quickly identify, triage, and remediate internal risks. Using logs from Microsoft 365 and Azure services, you can define policies that monitor for risk signals, then take remediation actions such as promoting user education or initiating an an investigation. [Learn more](insider-risk-management-solution-overview.md)
+
+<!--
+- **privacy management**
+
+ Privacy management helps your organization understand and manage the personal data in your Microsoft 365 environment, remediate potential privacy risks, and fulfill subject rights requests. [Learn more](privacy-management.md)
+-->
+
+- **Records Management**
+
+ Use integrated Records Management features to automate the retention schedule for organizational regulatory, legal, and business-critical records. Get full content lifecycle support, from creation to collaboration, record declaration, retention, and disposition. [Learn more](records-management.md)
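Review bot: "initiating an an investigation" in the Insider Risk Management entry has a doubled article and should read "initiating an investigation". The privacy management entry that this hunk wraps in `<!-- ... -->` is closed correctly, so no rendering issue there; just confirm the earlier `+-->` at the top of the hunk closes a comment that was opened in the part of the file above this view, since an unmatched `-->` is rendered literally by Markdown.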
compliance Dlp Migrate Exo Policy To Unified Dlp https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/dlp-migrate-exo-policy-to-unified-dlp.md
Title: "Migrate Exchange Online data loss prevention policies to Compliance center (preview)"
+ Title: "Migrate Exchange Online data loss prevention policies to Compliance center"
f1.keywords: - CSH
search.appverid:
description: "Learn how to plan for and migrate your Exchange online data loss prevention policies into Microsoft 365 DLP."
-# Migrate Exchange Online data loss prevention policies to Compliance center (preview)
+# Migrate Exchange Online data loss prevention policies to Compliance center
[Exchange Online data loss prevention (DLP) policies](/exchange/security-and-compliance/data-loss-prevention/data-loss-prevention) are being deprecated. [Much richer DLP functionality](dlp-learn-about-dlp.md), including Exchange Online DLP, is offered in the [Microsoft 365 Compliance center](https://compliance.microsoft.com/datalossprevention?viewid=policies). You can use the DLP policy migration wizard to help you bring your Exchange Online DLP policies over to the Compliance center where you'll manage them.
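Review bot: the unchanged description line still says "your Exchange online data loss prevention policies" (lowercase "online"), while the title, H1 and body use "Exchange Online"; since the hunk is already touching the front matter to drop "(preview)", fix the capitalization in the same commit.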
compliance Information Barriers Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/information-barriers-policies.md
In addition to the [required licenses and permissions](information-barriers.md#r
- No address book policies - Before you define and apply information barrier policies, make sure no Exchange address book policies are in place. Information barriers are based on address book policies, but the two kinds of policies are not compatible. If you do have such policies, make sure to [remove your address book policies](/exchange/address-books/address-book-policies/remove-an-address-book-policy) first. Once information barrier policies are enabled and you have hierarchical address book enabled, all users ***who are not included*** in an information barrier segment will see the [hierarchical address book](/exchange/address-books/hierarchical-address-books/hierarchical-address-books) in Exchange online. -- PowerShell - Currently, information barrier policies are defined and managed in the Office 365 Security & Compliance Center using PowerShell cmdlets. Although several examples are provided in this article, you'll need to be familiar with PowerShell cmdlets and parameters. You will also need the Azure PowerShell module.
+- PowerShell - Currently, information barrier policies are defined and managed in Security & Compliance Center PowerShell. Although several examples are provided in this article, you'll need to be familiar with PowerShell cmdlets and parameters. You will also need the Azure Active Directory PowerShell module.
- [Connect to Security & Compliance Center PowerShell](/powershell/exchange/connect-to-scc-powershell)
- - [Install the Azure PowerShell module](/powershell/azure/install-az-ps)
+ - [Install Azure Active Directory PowerShell for Graph](/powershell/azure/active-directory/install-adv2)
-- Admin consent for information barriers in Microsoft Teams - When your IB policies are in place, they can remove non-IB compliance users from Groups (i.e. Teams channels, which are based on groups). This configuration helps ensure your organization remains compliant with policies and regulations. Use the following procedure to enable information barrier policies to work as expected in Microsoft Teams.
+- Admin consent for information barriers in Microsoft Teams - When your IB policies are in place, they can remove non-IB compliance users from Groups (i.e. Teams channels, which are based on groups). This configuration helps ensure your organization remains compliant with policies and regulations. Use the following procedure to enable information barrier policies to work as expected in Microsoft Teams.
- 1. Pre-requisite: Install Azure PowerShell from [Install Azure PowerShell](/powershell/azure/install-az-ps).
+ 1. Pre-requisite: [Install Azure Active Directory PowerShell for Graph](/powershell/azure/active-directory/install-adv2).
1. Run the following PowerShell cmdlets: ```powershell
- Connect-AzAccount -Tenant "<yourtenantdomain.com>" //for example: Connect-AzAccount -Tenant "Contoso.onmicrosoft.com"
+ Connect-AzureAD -Tenant "<yourtenantdomain.com>" //for example: Connect-AzureAD -Tenant "Contoso.onmicrosoft.com"
$appId="bcf62038-e005-436d-b970-2a472f8c1982" $sp=Get-AzureADServicePrincipal -Filter "appid eq '$($appid)'"
- if ($sp -eq $null) { New-AzureADServicePrincipal -ApplicationId $appId }
+ if ($sp -eq $null) { New-AzureADServicePrincipal -AppId $appId }
Start-Process "https://login.microsoftonline.com/common/adminconsent?client_id=$appId" ```
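Review bot: the rewritten `Connect-AzureAD` line keeps `//for example: ...` as an inline comment, but PowerShell does not treat `//` as a comment, so everything after the tenant name is passed to the cmdlet as stray arguments and the call fails. Use `#`, and spell out the parameter as `-TenantId` rather than `-Tenant`, which only works because PowerShell resolves an unambiguous prefix: `Connect-AzureAD -TenantId "<yourtenantdomain.com>"  # for example: Connect-AzureAD -TenantId "Contoso.onmicrosoft.com"`. The change from `-ApplicationId` to `-AppId` on `New-AzureADServicePrincipal` is correct, since `-AppId` is the parameter that cmdlet defines. One more point on the consent step: the `Start-Process` URL uses the `common` tenant, so whichever admin account signs in grants consent in that account's own tenant; an admin holding accounts in several tenants can consent in the wrong one. Building the URL with the tenant from the `Connect-AzureAD` call (`https://login.microsoftonline.com/<yourtenantdomain.com>/adminconsent?client_id=$appId`) removes that ambiguity.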
compliance Sensitivity Labels Coauthoring https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sensitivity-labels-coauthoring.md
Without this setting enabled for your tenant, users must check out an encrypted
In addition, enabling this functionality results in the [AutoSave](https://support.office.com/article/what-is-autosave-6d6bd723-ebfd-4e40-b5f6-ae6e8088f7a5) functionality being supported for these labeled and encrypted files.
-To read the initial release announcement, see the blog post [Announcing co-authoring on Microsoft Information Protection-encrypted documents and labeling updates](https://techcommunity.microsoft.com/t5/microsoft-security-and/announcing-co-authoring-on-microsoft-information-protection/ba-p/2164162).
+To read the release announcement, see the blog post [Co-authoring on Microsoft Information Protection encrypted documents is now generally available](https://techcommunity.microsoft.com/t5/security-compliance-and-identity/co-authoring-on-microsoft-information-protection-encrypted/ba-p/2693718).
## Metadata changes for sensitivity labels
Make sure you understand the following prerequisites before you turn on this fea
- All apps, services, and operational tools in your tenant must support the new [labeling metadata](#metadata-changes-for-sensitivity-labels). If you use any of the following, check the minimum versions required: - **Azure Information Protection unified labeling client and scanner:**
- - Minimum version 2.12.62.0 that you can install from the [Microsoft Download Center](https://www.microsoft.com/en-us/download/details.aspx?id=53018)
+ - Minimum version [2.12.62.0](/information-protection/rms-client/unifiedlabelingclient-version-release-history#version-212620) that you can install from the [Microsoft Download Center](https://www.microsoft.com/en-us/download/details.aspx?id=53018)
- **OneDrive sync app for Windows or macOS:** - Minimum version of 19.002.0121.0008
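Review bot: the new version link points at `/information-protection/rms-client/unifiedlabelingclient-version-release-history#version-212620`, which is missing the `/azure/` prefix that the Azure Information Protection docs use elsewhere on this page (for example `/azure/information-protection/deploy-aip-scanner` in the BDM article); verify the path resolves before merging, otherwise the version reference becomes a broken link.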
compliance Terms Conditions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/terms-conditions.md
+
+ Title: "Microsoft 365 Compliance trial terms and conditions"
+f1.keywords:
+- NOCSH
+++
+audience: Admin
+++
+localization_priority: Priority
+search.appverid:
+- MOE150
+- MET150
+description: "Microsoft 365 Compliance trial terms and conditions."
++
+# Microsoft Compliance trial terms and conditions
+
+By participating in this free trial (ΓÇ£TrialΓÇ¥) of the [Microsoft Compliance Services], you agree to be bound by our [Online Services Terms](https://go.microsoft.com/fwlink/?linkid=2167203) and the following terms (ΓÇ£Trial TermsΓÇ¥), provided that in the event of a conflict the Trial Terms shall govern. The Trial period will be for ninety (90) days from the date you activate the Trial. Unless you purchase a subscription to Microsoft Compliance prior to the expiration or termination of your Trial period, you will no longer have access to (i) any data related to the features of the Trial that you entered into your account, and (ii) configurations or customizations made by you or for you using the features of the Trial. Microsoft reserves the right to terminate or modify the Trial and/or these Trial Terms at any time without prior notice and without liability. Trial offer is not available for customers in all regions and countries.
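Review bot: the H1 reads "Microsoft Compliance trial terms and conditions" while the new front-matter title says "Microsoft 365 Compliance trial terms and conditions"; pick one name and use it in both places. In the body, "[Microsoft Compliance Services]" is in square brackets with no link target, so Markdown renders it literally with the brackets and it reads as an unfilled placeholder; either link it or drop the brackets.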
contentunderstanding Apply A Model https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/contentunderstanding/apply-a-model.md
Title: Apply a document understanding model to a document library
+ Title: Apply a document understanding model in Microsoft SharePoint Syntex
- enabler-strategic - m365initiative-syntex localization_priority: Normal
-description: Learn how to apply a published a model to a SharePoint document library.
+description: Learn how to apply a published a model to a SharePoint document library in Microsoft SharePoint Syntex.
# Apply a document understanding model in Microsoft SharePoint Syntex
description: Learn how to apply a published a model to a SharePoint document lib
</br>
-After publishing your document understanding model, you can apply it to one or more SharePoint document library in your Microsoft 365 tenant.
+After publishing your document understanding model, you can apply it to one or more SharePoint document libraries in your Microsoft 365 tenant.
> [!NOTE] > You are only able to apply the model to document libraries that you have access to.
-## Apply your model to a document library.
+## Apply your model to a document library
To apply your model to to a SharePoint document library:
-1. On model home page, on the **Apply model to libraries** tile, select **Publish model**. Or you can select **+Add Library** in the **Libraries with this model** section. </br>
+1. On model home page, on the **Apply model to libraries** tile, select **Apply model**. Or, in the **Where the model is applied** section, select **+Add library** .
- ![Add model to library.](../media/content-understanding/apply-to-library.png)</br>
+ ![Screenshot of Where the model is applied section with the Add library option highlighted.](../media/content-understanding/apply-to-library.png)
-2. You can then select the SharePoint site that contains the document library that you want to apply the model to. If the site does not show in the list, use the search box to find it.</br>
+2. You can then select the SharePoint site that contains the document library that you want to apply the model to. If the site does not show in the list, use the search box to find it.
- ![Select a site.](../media/content-understanding/site-search.png)</br>
+ ![Select a site.](../media/content-understanding/site-search.png)
> [!NOTE]
- > You must have *Manage List* permissions or *Edit* rights to the document library you are applying the model to.</br>
+ > You must have *Manage List* permissions or *Edit* rights to the document library you are applying the model to.
-3. After selecting the site, select the document library to which you want to apply the model. In the sample, select the *Documents* document library from the *Contoso Case Tracking* site.</br>
+3. After selecting the site, select the document library to which you want to apply the model. In the sample, select the *Documents* document library from the *Contoso Case Tracking* site.
- ![Select a doc library.](../media/content-understanding/select-doc-library.png)</br>
+ ![Select a doc library.](../media/content-understanding/select-doc-library.png)
-4. Since the model is associated to a content type, when you apply it to the library it will add the content type and its view with the labels you extracted showing as columns. This view is the library's default view by default, but you can optionally choose to not have it be the default view by selecting **Advanced settings** and deselecting **Set this new view as default**.</br>
+4. Because the model is associated to a content type, when you apply it to the library it will add the content type and its view with the labels you extracted showing as columns. By default, this view is the library's default view. However, you can optionally choose to not have it be the default view by selecting **Advanced settings** and clearing the **Set this new view as the default** checkbox.
- ![Library view.](../media/content-understanding/library-view.png)</br>
+ ![Library view.](../media/content-understanding/library-view.png)
-5. Select **Add** to apply the model to the library.
-6. On the model home page, in the **Libraries with this model** section, you should see the URL to the SharePoint site listed.</br>
+5. Select **Add** to apply the model to the library.
- ![Selected library.](../media/content-understanding/selected-library.png)</br>
+6. On the model home page, in the **Where the model is applied** section, you should see the name of the SharePoint site listed.
7. Go to your document library and make sure you are in the model's document library view. Notice that if you select the information button next to the document library name, a message notes that the document library has a model applied to it.
- ![Information view.](../media/content-understanding/info-du.png)</br>
+ ![Information view.](../media/content-understanding/info-du.png)
You can the select **View active models** to see details about any models that are applied to the document library. 8. In the **Active models** pane, you can see the models that are applied to the document library. Select a model to see more details about it, such as a description of the model, who published the model, and if the model applies a retention label to the files it classifies.
- ![Active models pane.](../media/content-understanding/active-models.png)</br>
+ ![Active models pane.](../media/content-understanding/active-models.png)
After applying the model to the document library, you can begin uploading documents to the site and see the results.
-The model identifies any files with modelΓÇÖs associated content type and lists them in your view. If your model has any extractors, the view displays columns for the data you are extracting from each file.
+The model identifies any files and folders with the modelΓÇÖs associated content type and lists them in your view. If your model has any extractors, the view displays columns for the data you are extracting from each file or folder.
-### Apply the model to files already in the document library
+## Apply the model to files and folder content already in the document library
-While an applied model processes all files uploaded to the document library after it is applied, you can also do the following to run the model on files that already exists in the document library prior to the model being applied:
+While an applied model processes all files and folder content uploaded to the document library after it is applied, you can also do the following to run the model on files and folder content that already exist in the document library prior to the model being applied:
-1. In your document library, select the files that you want to be processed by your model.
-2. After selecting your files, **Classify and extract** will appear in the document library ribbon. Select **Classify and extract**.
-3. The files you selected will be added to the queue to be processed.
+1. In your document library, select the files and folders that you want to be processed by your model.
- ![Classify and extract.](../media/content-understanding/extract-classify.png)</br>
+2. After selecting your files and folders, **Classify and extract** will appear in the document library ribbon. Select **Classify and extract**.
-> [!NOTE]
-> You can copy individual files to a library and apply them to a model, but not folders.
+ ![Screenshot showing the Classify and extract option.](../media/content-understanding/extract-classify.png)
+
+3. The files and folders you selected will be added to the queue to be processed.
-### The Classification Date field
+ > [!NOTE]
+ > You'll receive a message indicating how long classification might take. If you've selected only files, classification might take up to 30 minutes. If you've selected one or more folders, classification might take up to 24 hours.
-When a SharePoint Syntex document understanding or form processing model is applied to a document library, a <b> Classification date </b> field is included in the library schema. By default this field is empty, but when documents are processed and classified by a model, this field is updated with a date-time stamp of completion.
+### Classification Date field
- ![Classification date column.](../media/content-understanding/class-date-column.png)</br>
+When a SharePoint Syntex document understanding or form processing model is applied to a document library, the **Classification Date** field is included in the library schema. By default, this field is empty. However, when documents are processed and classified by a model, this field is updated with a date-time stamp of completion.
-The Classification date field is used by the [<b>When a file is classified by a content understanding model</b> trigger](/connectors/sharepointonline/#when-a-file-is-classified-by-a-content-understanding-model) to run a Power Automate flow after a Syntex content understanding model has finished processing a file and updated the "Classification date" field.
+ ![Screenshot of a document library showing the Classification Date column.](../media/content-understanding/class-date-column.png)
- ![Flow trigger.](../media/content-understanding/trigger.png)</br>
+The **Classification Date** field is used by the [**When a file is classified by a content understanding model**](/connectors/sharepointonline/#when-a-file-is-classified-by-a-content-understanding-model) trigger to run a Power Automate flow after a Syntex content understanding model has finished processing a file or folder and updated the **Classification Date** field.
-The <b>When a file is classified by a content understanding model</b> trigger can then be used to start another workflow using any extracted information from the file.
+ ![Flow trigger.](../media/content-understanding/trigger.png)
+
+The **When a file is classified by a content understanding model** trigger can then be used to start another workflow using any extracted information from the file or folder.
## See Also+ [Create a classifier](create-a-classifier.md) [Create an extractor](create-an-extractor.md)
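Review bot: the rewritten description line carries over the original typo "apply a published a model" (and the same text appears in the context line below the H1); it should read "apply a published model". Two smaller wording points in the changed lines: step 1 has a stray space before the period in "**+Add library** .", and "You can the select **View active models**" should be "You can then select". The unchanged lead-in "To apply your model to to a SharePoint document library" also has a doubled "to" worth fixing while this file is open. Finally, promoting "Apply the model to files and folder content already in the document library" from ### to ## leaves "Classification Date field" as an ### under it; confirm that nesting is the intended structure.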
security Microsoft 365 Security For Bdm https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/Microsoft-365-security-for-bdm.md
audience: Admin -
+ms.technology: m365d
localization_priority: Normal - M365-security-compliance
As a first step, we recommend ensuring critical accounts in the environment are
|Recommendation |E3 |E5 | ||||
-|Enforce multi-factor authentication (MFA) for all administrative accounts.|![green check mark.](../media/green-check-mark.png)|![green check mark.](../media/green-check-mark.png)|
+|Enforce multifactor authentication (MFA) for all administrative accounts.|![green check mark.](../media/green-check-mark.png)|![green check mark.](../media/green-check-mark.png)|
|Implement Azure Active Directory (Azure AD) Privileged Identity Management (PIM) to apply just-in-time privileged access to Azure AD and Azure resources. You can also discover who has access and review privileged access.| | ![green check mark.](../media/green-check-mark.png)| |Implement privileged access management to manage granular access control over privileged admin tasks in Office 365. | | ![green check mark.](../media/green-check-mark.png)| |Configure and use Privileged Access Workstations (PAW) to administer services. Do not use the same workstations for browsing the Internet and checking email not related to your administrative account.| ![green check mark.](../media/green-check-mark.png)|![green check mark.](../media/green-check-mark.png) |
Known threats include malware, compromised accounts, and phishing. Some protecti
|Recommendation |E3 |E5 | |||| |**Setup multi-factor authentication and use recommended conditional access policies, including sign-in risk policies**. Microsoft recommends and has tested a set of policies that work together to protect all cloud apps, including Office 365 and Microsoft 365 services. See [Identity and device access configurations](./office-365-security/microsoft-365-policies-configurations.md). | |![green check mark.](../media/green-check-mark.png)|
-|**Require multi-factor authentication for all users**. If you don't have the licensing required to implement the recommended conditional access policies, at a minimum require multi-factor authentication for all users.|![green check mark.](../media/green-check-mark.png)|![green check mark.](../media/green-check-mark.png)|
+|**Require multi-factor authentication for all users**. If you don't have the licensing required to implement the recommended conditional access policies, at a minimum require multifactor authentication for all users.|![green check mark.](../media/green-check-mark.png)|![green check mark.](../media/green-check-mark.png)|
|**Raise the level of protection against malware in mail**. Your Office 365 or Microsoft 365 environment includes protection against malware, but you can increase this protection by blocking attachments with file types that are commonly used for malware.|![green check mark.](../media/green-check-mark.png)|![green check mark.](../media/green-check-mark.png)| |**Protect your email from targeted phishing attacks**. If you've configured one or more custom domains for your Office 365 or Microsoft 365 environment, you can configure targeted anti-phishing protection. Anti-phishing protection, part of Defender for Office 365, can help protect your organization from malicious impersonation-based phishing attacks and other phishing attacks. If you haven't configured a custom domain, you do not need to do this.| |![green check mark.](../media/green-check-mark.png)| |**Protect against ransomware attacks in email**. Ransomware takes away access to your data by encrypting files or locking computer screens. It then attempts to extort money from victims by asking for "ransom," usually in form of cryptocurrencies like Bitcoin, in exchange for returning access to your data. You can help defend against ransomware by creating one or more mail flow rules to block file extensions that are commonly used for ransomware, or to warn users who receive these attachments in email.|![green check mark.](../media/green-check-mark.png)|![green check mark.](../media/green-check-mark.png)|
The following diagram illustrates these capabilities.
Additional recommendations: - Secure partner channel communications like Emails using TLS. - Open Teams Federation only to Partners you communicate with.-- Do not add sender domains, individual senders, or source IPs to your allowlist as this allows these to bypass spam and malware checks ΓÇö A common practice with customers is adding their own accepted domains or a number of other domains where email flow issues may have been reported to the allowlist. Do not add domains in the Spam and Connection Filtering list as this potentially bypasses all spam checks.
+- Do not add sender domains, individual senders, or source IPs to your allowlist as this allows these to bypass spam and malware checks ΓÇö A common practice with customers is adding their own accepted domains or many other domains where email flow issues may have been reported to the allowlist. Do not add domains in the Spam and Connection Filtering list as this potentially bypasses all spam checks.
- Enable outbound spam notifications ΓÇö Enable outbound spam notifications to a distribution list internally to the Helpdesk or IT Admin team to report if any of the internal users are sending out Spam emails externally. This could be an indicator that the account has been compromised. - Disable Remote PowerShell for all users ΓÇö Remote PowerShell is mainly used by Admins to access services for administrative purposes or programmatic API access. We recommended disabling this option for non-Admin users to avoid reconnaissance unless they have a business requirement to access it. - Block access to the Microsoft Azure Management portal to all non-administrators. You can accomplish this by creating a conditional access rule to block all users, except for admins.
Additional recommendations:
## Assume breach
-While Microsoft takes every possible measure to prevent against threats and attacks, we recommend always working under the "Assume Breach" mindset. Even if an Attacker has managed to intrude into the environment, we need to make sure they are unable to exfiltrate data or identity information from the environment. For this reason, we recommend enabling protection against sensitive data leaks such as Social Security numbers, credit cards numbers, additional personal information, and other organizational level confidential information.
+While Microsoft takes every possible measure to prevent against threats and attacks, we recommend always working under the "Assume Breach" mindset. Even if an Attacker has managed to intrude into the environment, we need to make sure they are unable to exfiltrate data or identity information from the environment. For this reason, we recommend enabling protection against sensitive data leaks such as Social Security numbers, credit cards numbers, other personal information, and other organizational level confidential information.
The "Assume Breach" mindset requires implementing a zero trust network strategy, which means users are not fully trusted just because they are internal to the network. Instead, as part of authorization of what users can do, sets of conditions are specified, and when such conditions are met, certain controls are enforced. Conditions may include device health status, application being accessed, operations being performed, and user risk. For example, a device enrollment action should always trigger MFA authentication to ensure no rouge devices are added to your environment. A zero trust network strategy also requires that you know where your information is stored and apply appropriate controls for classification, protection, and retention. To effectively protect your most critical and sensitive assets you need to first identify where these are located and take inventory, which can be challenging. Next, work with your organization to define a governance strategy. Defining a classification schema for an organization and configuring policies, labels, and conditions require careful planning and preparation. It is important to realize that this is not an IT driven process. Be sure to work with your legal and compliance team to develop an appropriate classification and labeling schema for your organization's data.
-Microsoft 365 information protection capabilities can help you discover what information you have, where it is stored, and which information requires additional protection. Information protection is a continuous process and Microsoft 365 capabilities provide you with visibility into how users are using and distributing sensitive information, where your information is currently stored, and where it flows. You can also see how users handling information that is regulated to be sure the appropriate labels and protections are applied.
+Microsoft 365 information protection capabilities can help you discover what information you have, where it is stored, and which information requires extra protection. Information protection is a continuous process and Microsoft 365 capabilities provide you with visibility into how users are using and distributing sensitive information, where your information is currently stored, and where it flows. You can also see how users handling information that is regulated to be sure the appropriate labels and protections are applied.
|Recommendation |E3|E5 |
Microsoft 365 information protection capabilities can help you discover what inf
|**Disable anonymous external calendar sharing**. By default external anonymous calendar sharing is allowed. [Disable calendar sharing](/exchange/sharing/sharing-policies/modify-a-sharing-policy) to reduce potential leaks of sensitive information.|![green check mark.](../media/green-check-mark.png) |![green check mark.](../media/green-check-mark.png)| |**Configure data loss prevention policies for sensitive data**. Create a Data Loss Prevention Policy in the Security &amp; Compliance center to discover and protect sensitive data such as credit card numbers, Social Security numbers and bank account numbers. Microsoft 365 includes many predefined sensitive information types you can use in data loss prevention policies. You can also create your own sensitive information types for sensitive data that is custom to your environment. |![green check mark.](../media/green-check-mark.png)|![green check mark.](../media/green-check-mark.png)| |**Implement data classification and information protection policies**. Implement sensitivity labels and use these to classify and apply protection to sensitive data. You can also use these labels in data loss prevention policies. If you are using Azure Information Protection labels, we recommend that you avoid creating new labels in other admin centers.| |![green check mark.](../media/green-check-mark.png)|
-|**Protect data in third-party apps and services by using Cloud App Security**. Configure Cloud App Security policies to protect sensitive information across third-party cloud apps, such as Salesforce, Box, or Dropbox. You can use sensitive information types and the sensitivity labels you created in Cloud App Security policies and apply these across your SaaS apps. <br><br>Microsoft Cloud App Security allow you to enforce a wide range of automated processes. Policies can be set to provide continuous compliance scans, legal eDiscovery tasks, DLP for sensitive content shared publicly, and more. Cloud App Security can monitor any file type based on more than 20 metadata filters (for example, access level, file type). | |![green check mark.](../media/green-check-mark.png)|
+|**Protect data in third-party apps and services by using Cloud App Security**. Configure Cloud App Security policies to protect sensitive information across third-party cloud apps, such as Salesforce, Box, or Dropbox. You can use sensitive information types and the sensitivity labels you created in Cloud App Security policies and apply these across your SaaS apps. <br><br>Microsoft Cloud App Security allows you to enforce a wide range of automated processes. Policies can be set to provide continuous compliance scans, legal eDiscovery tasks, DLP for sensitive content shared publicly, and more. Cloud App Security can monitor any file type based on more than 20 metadata filters (for example, access level, file type). | |![green check mark.](../media/green-check-mark.png)|
|**Use [Microsoft Defender for Endpoint](/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-overview) to identify if users store sensitive information on their Windows devices**. | |![green check mark.](../media/green-check-mark.png)| |**Use [AIP Scanner](/azure/information-protection/deploy-aip-scanner) to identify and classify information across servers and file shares**. Use the AIP reporting tool to view the results and take appropriate actions.| |![green check mark.](../media/green-check-mark.png)|
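Review bot: the "Require multi-factor authentication for all users" row now mixes both spellings in one cell: the bold lead-in keeps "multi-factor" while the body text was changed to "multifactor", and the unchanged row above still says "Setup multi-factor authentication"; apply one spelling across the whole table, not just the first row. In the information protection paragraph, "You can also see how users handling information that is regulated" is missing its verb and should read "how users are handling". Two typos in the surrounding unchanged lines are also worth catching here: "We recommended disabling this option for non-Admin users" should be "We recommend", and "no rouge devices are added" should be "rogue".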
security Onboard Windows 10 Multi Session Device https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/Onboard-Windows-10-multi-session-device.md
ms.mktglfcycl: manage
ms.sitesec: library ms.pagetype: security localization_priority: Normal-
+audience: ITPro
+ -+
-# Onboard Windows 10 multi-session devices in Azure Virtual Desktop
-6 minutes to read
+# Onboard Windows 10 multi-session devices in Azure Virtual Desktop
-Applies to:
-- Windows 10 multi-session running on Azure Virtual Desktop (AVD)
+6 minutes to read
+
+Applies to:
+
+- Windows 10 multi-session running on Azure Virtual Desktop (AVD)
Microsoft Defender for Endpoint supports monitoring both VDI and Azure Virtual Desktop sessions. Depending on your organization's needs, you might need to implement VDI or Azure Virtual Desktop sessions to help your employees access corporate data and apps from an unmanaged device, remote location, or similar scenario. With Microsoft Defender for Endpoint, you can monitor these virtual machines for anomalous activity.
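Review bot: the `+ -+` line directly under `audience: ITPro` looks like a damaged front-matter terminator rather than an intended change; confirm the file still opens with a well-formed `---` block, because a broken terminator makes the metadata render as body text. The heading hunk itself is fine: adding blank lines around "Applies to:" and before the list item is what makes the list render.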
- ## Before you begin
+## Before you begin
+ Familiarize yourself with the [considerations for non-persistent VDI](/microsoft-365/security/defender-endpoint/configure-endpoints-vdi#onboard-non-persistent-virtual-desktop-infrastructure-vdi-devices-1). While [Azure Virtual Desktop](/azure/virtual-desktop/overview) doesn't provide non-persistence options, it does provide ways to use a golden Windows image that can be used to provision new hosts and redeploy machines. This increases volatility in the environment and thus impacts what entries are created and maintained in the Microsoft Defender for Endpoint portal, potentially reducing visibility for your security analysts. > [!NOTE]
-> Depending on your choice of onboarding method, devices can appear in Microsoft Defender for Endpoint portal as either:
-> - Single entry for each virtual desktop
-> - Multiple entries for each virtual desktop
+> Depending on your choice of onboarding method, devices can appear in Microsoft Defender for Endpoint portal as either:
+>
+> - Single entry for each virtual desktop
+> - Multiple entries for each virtual desktop
-Microsoft recommends onboarding Azure Virtual Desktop as a single entry per virtual desktop. This ensures that the investigation experience in the Microsoft Defender Endpoint portal is in the context of one device based on the machine name. Organizations that frequently delete and redeploy WVD hosts should strongly consider using this method as it prevents multiple objects for the same machine from being created in the Microsoft Defender for Endpoint portal. This can lead to confusion when investigating incidents. For test or non-volatile environments, you may opt to choose differently.
+Microsoft recommends onboarding Azure Virtual Desktop as a single entry per virtual desktop. This ensures that the investigation experience in the Microsoft Defender Endpoint portal is in the context of one device based on the machine name. Organizations that frequently delete and redeploy WVD hosts should strongly consider using this method as it prevents multiple objects for the same machine from being created in the Microsoft Defender for Endpoint portal. This can lead to confusion when investigating incidents. For test or non-volatile environments, you may opt to choose differently.
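Review bot: the `+` paragraph still reads "Microsoft Defender Endpoint portal" (missing "for"), and it keeps "WVD hosts" even though the title on the `+` line above was just changed to "Azure Virtual Desktop"; since this paragraph was touched anyway, fix both here so the page uses one product name. The reformatted note above it (blank `>` line before the bullets) is correct and needed for the bullets to render inside the callout.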
-Microsoft recommends adding the Microsoft Defender for Endpoint onboarding script to the WVD golden image. This way, you can be sure that this onboarding script runs immediately at first boot. It's executed as a startup script at first boot on all the WVD machines that are provisioned from the WVD golden image. However, if you're using one of the gallery images without modification, place the script in a shared location and call it from either local or domain group policy.
+Microsoft recommends adding the Microsoft Defender for Endpoint onboarding script to the WVD golden image. This way, you can be sure that this onboarding script runs immediately at first boot. It's executed as a startup script at first boot on all the WVD machines that are provisioned from the WVD golden image. However, if you're using one of the gallery images without modification, place the script in a shared location and call it from either local or domain group policy.
> [!NOTE] > The placement and configuration of the VDI onboarding startup script on the WVD golden image configures it as a startup script that runs when the WVD starts. It's NOT recommended to onboard the actual WVD golden image. Another consideration is the method used to run the script. It should run as early in the startup/provisioning process as possible to reduce the time between the machine being available to receive sessions and the device onboarding to the service. Below scenarios 1 & 2 take this into account. ### Scenarios+ There are several ways to onboard a WVD host machine: - Run the script in the golden image (or from a shared location) during startup.
There are several ways to onboard a WVD host machine:
- Through [Integration with Azure Defender](configure-server-endpoints.md#integration-with-azure-defender) #### *Scenario 1: Using local group policy*+ This scenario requires placing the script in a golden image and uses local group policy to run early in the boot process. Use the instructions in [Onboard non-persistent virtual desktop infrastructure (VDI) devices](configure-endpoints-vdi.md#onboard-non-persistent-virtual-desktop-infrastructure-vdi-devices).
Use the instructions in [Onboard non-persistent virtual desktop infrastructure (
Follow the instructions for a single entry for each device. #### *Scenario 2: Using domain group policy*+ This scenario uses a centrally located script and runs it using a domain-based group policy. You can also place the script in the golden image and run it in the same way.
-**Download the WindowsDefenderATPOnboardingPackage.zip file from the Windows Defender Security Center**
+##### Download the WindowsDefenderATPOnboardingPackage.zip file from the Windows Defender Security Center
-1. Open the VDI configuration package .zip file (WindowsDefenderATPOnboardingPackage.zip)
+1. Open the VDI configuration package .zip file (WindowsDefenderATPOnboardingPackage.zip)
- 1. In the Microsoft 365 Defender portal navigation pane, select **Settings** > **Endpoints** > **Onboarding** (under **Device Management**).
- 1. Select Windows 10 as the operating system.
- 1. In the **Deployment method** field, select VDI onboarding scripts for non-persistent endpoints.
- 1. Click **Download package** and save the .zip file.
+ 1. In the Microsoft 365 Defender portal navigation pane, select **Settings** \> **Endpoints** \> **Onboarding** (under **Device Management**).
+ 1. Select Windows 10 as the operating system.
+ 1. In the **Deployment method** field, select VDI onboarding scripts for non-persistent endpoints.
+ 1. Click **Download package** and save the .zip file.
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the device. You should have a folder called **OptionalParamsPolicy** and the files **WindowsDefenderATPOnboardingScript.cmd** and **Onboard-NonPersistentMachine.ps1**.
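Review bot: the `+` heading says "Download ... from the Windows Defender Security Center" while its own sub-steps navigate the "Microsoft 365 Defender portal"; update the heading to match the steps. Step 2's wording "shared, read-only location" is the important control in this procedure and should stay exactly as written, because the script is later executed as SYSTEM on every host.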
-**Use Group Policy management console to run the script when the virtual machine starts**
+##### Use Group Policy management console to run the script when the virtual machine starts
1. Open the Group Policy Management Console (GPMC), right-click the Group Policy Object (GPO) you want to configure and click **Edit**.
-2. In the Group Policy Management Editor, go to **Computer configuration** \> **Preferences** \> **Control panel settings**.
+2. In the Group Policy Management Editor, go to **Computer configuration** \> **Preferences** \> **Control panel settings**.
-3. Right-click **Scheduled tasks**, click **New**, and then click **Immediate Task** (At least Windows 7).
+3. Right-click **Scheduled tasks**, click **New**, and then click **Immediate Task** (At least Windows 7).
-4. In the Task window that opens, go to the **General** tab. Under **Security options** click **Change User or Group** and type SYSTEM. Click **Check Names** and then click OK. NT AUTHORITY\SYSTEM appears as the user account the task will run as.
+4. In the Task window that opens, go to the **General** tab. Under **Security options** click **Change User or Group** and type SYSTEM. Click **Check Names** and then click OK. NT AUTHORITY\SYSTEM appears as the user account the task will run as.
-5. Select **Run whether user is logged on or not** and check the **Run with highest privileges** check box.
+5. Select **Run whether user is logged on or not** and check the **Run with highest privileges** check box.
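Review bot: steps 4 and 5 configure the task to run as NT AUTHORITY\SYSTEM with highest privileges on every provisioned host, and the script it launches lives on a network share; the text should say here, not only in the download step, that the share must be writable only by administrators (and ideally that the path is a full UNC path to the specific .cmd), since anyone who can modify that share gets SYSTEM-level code execution on all hosts at next boot. Separately, the `+` lines for steps 2 through 5 are byte-identical to the `-` lines they replace, so this appears to be a whitespace or line-ending change; if so, call that out in the commit so reviewers do not hunt for a content difference.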
-6. Go to the **Actions** tab and click **New**. Ensure that **Start a program** is selected in the Action field. Enter the following:
+6. Go to the **Actions** tab and click **New**. Ensure that **Start a program** is selected in the Action field. Enter the following:
`Action = "Start a program"`
For more information, see [Onboard Windows 10 devices using Configuration Manage
> If you plan to use [Attack Surface reduction Rules](attack-surface-reduction-rules.md), note that the rule "[Block process creations originating from PSExec and WMI commands](attack-surface-reduction-rules.md#block-process-creations-originating-from-psexec-and-wmi-commands)" should not be used, because that rule is incompatible with management through Microsoft Endpoint Configuration Manager. The rule blocks WMI commands that the Configuration Manager client uses to function correctly. > [!TIP]
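Review bot: in the visible lines, step 6's "Enter the following:" is followed only by `Action = "Start a program"`; confirm the program and arguments fields (the path to the .cmd extracted in step 2) are present in the source, otherwise the task is created with nothing to run. The ASR tip is a good addition: the PSExec/WMI rule blocking the Configuration Manager client is a common self-inflicted outage, and the text correctly names the specific rule rather than advising to disable ASR broadly.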
-> After onboarding the device, you can choose to run a detection test to verify that the device is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender for Endpoint device](run-detection-test.md).
+> After onboarding the device, you can choose to run a detection test to verify that the device is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender for Endpoint device](run-detection-test.md).
-#### Tagging your machines when building your golden image
+#### Tagging your machines when building your golden image
-As part of your onboarding, you may want to consider setting a machine tag to can differentiate WVD machines more easily in the Microsoft Security Center. For more information, see
-[Add device tags by setting a registry key value](machine-tags.md#add-device-tags-by-setting-a-registry-key-value).
+As part of your onboarding, you may want to consider setting a machine tag to can differentiate WVD machines more easily in the Microsoft Security Center. For more information, see
+[Add device tags by setting a registry key value](machine-tags.md#add-device-tags-by-setting-a-registry-key-value).
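Review bot: the typo "setting a machine tag to can differentiate" survives unchanged on the `+` line; since the hunk rewrites this sentence anyway, make it "setting a machine tag so you can differentiate WVD machines more easily". Also "Microsoft Security Center" is inconsistent with "Microsoft 365 Defender portal" used earlier on this page.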
-#### Other recommended configuration settings
+#### Other recommended configuration settings
-When building your golden image, you may want to configure initial protection settings as well. For more information, see [Other recommended configuration settings](configure-endpoints-gp.md#other-recommended-configuration-settings).
+When building your golden image, you may want to configure initial protection settings as well. For more information, see [Other recommended configuration settings](configure-endpoints-gp.md#other-recommended-configuration-settings).
-Also, if you're using FSlogix user profiles, we recommend you exclude the following files from always-on protection:
+Also, if you're using FSlogix user profiles, we recommend you exclude the following files from always-on protection:
-**Exclude Files:**
+**Exclude Files:**
`%ProgramFiles%\FSLogix\Apps\frxdrv.sys`
Also, if you're using FSlogix user profiles, we recommend you exclude the follow
`%ProgramFiles%\FSLogix\Apps\frxsvc.exe`
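Review bot: "FSlogix" on the `+` line should be "FSLogix", matching the product name and the path casing in the exclusion list that follows. On the exclusions themselves, the list correctly names individual files by full path; keep it that way in any future edit rather than collapsing to a folder wildcard, since each exclusion from always-on protection removes detection coverage for that path, and `frxdrv.sys` is a kernel driver.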
-#### Licensing requirements
+#### Licensing requirements
Note on licensing: When using Windows 10 Enterprise multi-session, depending on your requirements, you can choose to either have all users licensed through Microsoft Defender for Endpoint (per user), Windows Enterprise E5, Microsoft 365 Security, or Microsoft 365 E5, or have the VM licensed through Azure Defender. Licensing requirements for Microsoft Defender for endpoint can be found at: [Licensing requirements](minimum-requirements.md#licensing-requirements).
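Review bot: the context line under the reinstated "Licensing requirements" heading has "Microsoft Defender for endpoint" with a lowercase "endpoint", inconsistent with the rest of the page; since the heading hunk touches this section, fix it in the same change. The sentence also buries the per-user vs per-VM licensing split in one long clause; a two-item list (per-user plans; VM licensed through Azure Defender) would read more clearly.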
security Attack Surface Reduction Rules https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules.md
Links to information about configuration management system versions referenced i
|Rule name | Intune | Microsoft Endpoint Manager |Microsoft Endpoint Configuration Manager |Group Policy<sup>[[1](#fn1)]<sup></sup> | PowerShell<sup>[[1](#fn1)]<sup></sup> | ||::|::|::|::|::|
-|[Block abuse of exploited vulnerable signed drivers](#block-abuse-of-exploited-vulnerable-signed-drivers) | Y | Y <br><br> MEM OMA-URI | | Y | Y |
-|[Block Adobe Reader from creating child processes](#block-adobe-reader-from-creating-child-processes) | Y | | Y | Y | Y |
-|[Block all Office applications from creating child processes](#block-all-office-applications-from-creating-child-processes) | Y | | Y <br><br> CB 1710 | Y | Y |
-|[Block credential stealing from the Windows local security authority subsystem (lsass.exe)](#block-credential-stealing-from-the-windows-local-security-authority-subsystem) | Y | | Y <br><br> CB 1802 | Y | Y |
-|[Block executable content from email client and webmail](#block-executable-content-from-email-client-and-webmail) | Y | | Y <br><br> CB 1710 | Y | Y |
-|[Block executable files from running unless they meet a prevalence, age, or trusted list criterion](#block-executable-files-from-running-unless-they-meet-a-prevalence-age-or-trusted-list-criterion) | Y | | Y <br><br> CB 1802 | Y | Y |
-|[Block execution of potentially obfuscated scripts](#block-execution-of-potentially-obfuscated-scripts) | Y | | Y <br><br> CB 1710 | Y | Y |
-|[Block JavaScript or VBScript from launching downloaded executable content](#block-javascript-or-vbscript-from-launching-downloaded-executable-content) | Y | | Y <br><br> CB 1710 | Y | Y |
-|[Block Office applications from creating executable content](#block-office-applications-from-creating-executable-content) | Y | | Y <br><br> CB 1710 <br><br> | Y | Y |
-|[Block Office applications from injecting code into other processes](#block-office-applications-from-injecting-code-into-other-processes) | Y | | Y <br><br> CB 1710 | Y | Y |
-|[Block Office communication application from creating child processes](#block-office-communication-application-from-creating-child-processes) | Y | | Y <br><br> CB 1710 | Y | Y |
-|[Block persistence through WMI event subscription](#block-persistence-through-wmi-event-subscription) | | | | Y | Y |
-|[Block process creations originating from PSExec and WMI commands](#block-process-creations-originating-from-psexec-and-wmi-commands) | Y | | | Y | Y |
-|[Block untrusted and unsigned processes that run from USB](#block-untrusted-and-unsigned-processes-that-run-from-usb) | Y | | Y <br><br> CB 1802 <br><br> | Y | Y |
-|[Block Win32 API calls from Office macros](#block-win32-api-calls-from-office-macros) | Y | | Y <br><br> CB 1710 <br><br> | Y | Y |
-|[Use advanced protection against ransomware](#use-advanced-protection-against-ransomware) | Y | | Y <br><br> CB 1802 | Y | Y |
-| **Rule name** | **Intune** | **Microsoft Endpoint Manager** | **Microsoft Endpoint Configuration Manager** | **Group Policy** | **PowerShell** |
-
-(<a id="fn1">1</a>) You can configure attack surface reduction rules on a per-rule basis by using any rule's GUID.
+|[Block abuse of exploited vulnerable signed drivers](#block-abuse-of-exploited-vulnerable-signed-drivers) | ![supported.](images/checkmark.png) <br><br> | ![supported](images/checkmark.png) <br><br> MEM OMA-URI | | ![supported.](images/checkmark.png) <br><br> | ![supported](images/checkmark.png) <br><br> |
+|[Block Adobe Reader from creating child processes](#block-adobe-reader-from-creating-child-processes) | ![supported.](images/checkmark.png) | | ![supported](images/checkmark.png) | ![supported.](images/checkmark.png) <br><br> | ![supported.](images/checkmark.png) <br><br> |
+|[Block all Office applications from creating child processes](#block-all-office-applications-from-creating-child-processes) | ![supported.](images/checkmark.png) | | ![supported](images/checkmark.png) <br><br> CB 1710 | ![supported.](images/checkmark.png) <br><br> | ![supported.](images/checkmark.png) <br><br> |
+|[Block credential stealing from the Windows local security authority subsystem (lsass.exe)](#block-credential-stealing-from-the-windows-local-security-authority-subsystem) | ![supported.](images/checkmark.png) | | ![supported](images/checkmark.png) <br><br> CB 1802 | ![supported.](images/checkmark.png) <br><br> | ![supported.](images/checkmark.png) <br><br> |
+|[Block executable content from email client and webmail](#block-executable-content-from-email-client-and-webmail) | ![supported.](images/checkmark.png) | | ![supported](images/checkmark.png) <br><br> CB 1710 | ![supported](images/checkmark.png) | ![supported.](images/checkmark.png) <br><br> |
+|[Block executable files from running unless they meet a prevalence, age, or trusted list criterion](#block-executable-files-from-running-unless-they-meet-a-prevalence-age-or-trusted-list-criterion) | ![supported.](images/checkmark.png) | | ![supported](images/checkmark.png) <br><br> CB 1802 | ![supported.](images/checkmark.png) <br><br> | ![supported.](images/checkmark.png) <br><br> |
+|[Block execution of potentially obfuscated scripts](#block-execution-of-potentially-obfuscated-scripts) | ![supported.](images/checkmark.png) | | ![supported](images/checkmark.png) <br><br> CB 1710 | ![supported.](images/checkmark.png) <br><br> | ![supported.](images/checkmark.png) <br><br> |
+|[Block JavaScript or VBScript from launching downloaded executable content](#block-javascript-or-vbscript-from-launching-downloaded-executable-content) | ![supported.](images/checkmark.png) | | ![supported](images/checkmark.png) <br><br> CB 1710 | ![supported.](images/checkmark.png) <br><br> | ![supported.](images/checkmark.png) <br><br> |
+|[Block Office applications from creating executable content](#block-office-applications-from-creating-executable-content) | ![supported.](images/checkmark.png) <br><br> | | ![supported](images/checkmark.png) <br><br> CB 1710 <br><br> | ![supported.](images/checkmark.png) <br><br> | ![supported.](images/checkmark.png) <br><br> |
+|[Block Office applications from injecting code into other processes](#block-office-applications-from-injecting-code-into-other-processes) | ![supported.](images/checkmark.png) | | ![supported](images/checkmark.png) <br><br> CB 1710 | ![supported.](images/checkmark.png) <br><br> | ![supported.](images/checkmark.png) <br><br> |
+|[Block Office communication application from creating child processes](#block-office-communication-application-from-creating-child-processes) | ![supported.](images/checkmark.png) | | ![supported](images/checkmark.png) <br><br> CB 1710 | ![supported.](images/checkmark.png) <br><br> | ![supported.](images/checkmark.png) <br><br> |
+|[Block persistence through WMI event subscription](#block-persistence-through-wmi-event-subscription) | | | |![supported.](images/checkmark.png) <br><br> | ![supported.](images/checkmark.png) <br><br> |
+|[Block process creations originating from PSExec and WMI commands](#block-process-creations-originating-from-psexec-and-wmi-commands) | ![supported](images/checkmark.png) | | | ![supported.](images/checkmark.png) <br><br> | ![supported.](images/checkmark.png) <br><br> |
+|[Block untrusted and unsigned processes that run from USB](#block-untrusted-and-unsigned-processes-that-run-from-usb) | ![supported.](images/checkmark.png) | | ![supported](images/checkmark.png) <br><br> CB 1802 <br><br> | ![supported.](images/checkmark.png) <br><br> | ![supported.](images/checkmark.png) <br><br> |
+|[Block Win32 API calls from Office macros](#block-win32-api-calls-from-office-macros) | ![supported.](images/checkmark.png) | | ![supported](images/checkmark.png) <br><br> CB 1710 <br><br> | ![supported.](images/checkmark.png) <br><br> | ![supported.](images/checkmark.png) <br><br> |
+|[Use advanced protection against ransomware](#use-advanced-protection-against-ransomware) | ![supported.](images/checkmark.png) | | ![supported](images/checkmark.png) <br><br> CB 1802 | ![supported.](images/checkmark.png) <br><br> | ![supported.](images/checkmark.png) <br><br> |
+
+ (<a id="fn1">1</a>) You can configure attack surface reduction rules on a per-rule basis by using any rule's GUID.
- [Configuration Manager CB 1710](/configmgr/core/servers/manage/updates) - [Configuration Manager CB 1802](/configmgr/core/servers/manage/updates)
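Review bot: the image alt text in the `+` rows alternates between "supported." and "supported" within the same row (compare the Intune and Microsoft Endpoint Manager cells on the first row), so screen readers and plain-text renders will be inconsistent; pick one alt string. Two points in the untouched context: the header cells `Group Policy<sup>[[1](#fn1)]<sup></sup>` and the PowerShell header open `<sup>` twice but close it once, which will leak superscript formatting into the following cells, and the footnote on the `+` line now has a leading space that may render it as an indented or code line in some parsers. Replacing the letter "Y" with an image also loses the ability to grep the table for support, so retaining a textual alt such as "Yes" would be preferable to "supported".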
security Configure Advanced Scan Types Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-advanced-scan-types-microsoft-defender-antivirus.md
ms.technology: mde Previously updated : 05/26/2021 Last updated : 09/14/2021
For details on configuring Microsoft Endpoint Manager (current branch), see [How
### Settings and locations
-<br>
-
-****
- |Policy item and location|Default setting (if not configured)|PowerShell `Set-MpPreference` parameter or WMI property for `MSFT_MpPreference` class| |||| |Email scanning <p> **Scan** \> **Turn on e-mail scanning**<p>See [Email scanning limitations](#email-scanning-limitations) (in this article)|Disabled|`-DisableEmailScanning`|
For details on configuring Microsoft Endpoint Manager (current branch), see [How
|Specify the maximum CPU load (as a percentage) during a scan. <p> **Scan** \> **Specify the maximum percentage of CPU utilization during a scan**|50|`-ScanAvgCPULoadFactor` <p>**NOTE**: The maximum CPU load is not a hard limit, but is guidance for the scanning engine to not exceed the maximum on average. Manually run scans will ignore this setting and run without any CPU limits.| |Specify the maximum size (in kilobytes) of archive files that should be scanned. <p> **Scan** \> **Specify the maximum size of archive files to be scanned**|No limit|Not available <p>The default value of 0 applies no limit| |Configure low CPU priority for scheduled scans <p> **Scan** \> **Configure low CPU priority for scheduled scans**|Disabled|Not available|
-|
> [!NOTE] > If real-time protection is turned on, files are scanned before they are accessed and executed. The scanning scope includes all files, including files on mounted removable media, such as USB drives. If the device performing the scan has real-time protection or on-access protection turned on, the scan will also include network shares.
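Review bot: the removal of the stray `-|` line after the table and of the `<br>`/`****` separators is correct; a lone `|` line was being parsed as an empty table row. In the first data row, "Email scanning | Disabled | `-DisableEmailScanning`" is ambiguous because the default column says "Disabled" while the parameter is a Disable flag; a reader can read it as the parameter being off (scanning on). Reword the default cell to "Email scanning is disabled" or similar so the default state of the feature is unmistakable.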
security Configure Extension File Exclusions Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-extension-file-exclusions-microsoft-defender-antivirus.md
Previously updated : 08/27/2021 Last updated : 09/14/2021 # Configure and validate exclusions based on file extension and folder location
To exclude certain files from Microsoft Defender Antivirus scans, you modify you
> > Automatic exclusions apply only to Windows Server 2016 and later. These exclusions are not visible in the Windows Security app and in PowerShell.
-The following table lists some examples of exclusions based on file extension and folder location.
-
-<br>
-
-****
+The following table lists some examples of exclusions based on file extension and folder location.
+<br/><br/>
|Exclusion|Examples|Exclusion list| ||||
You can use the asterisk `*`, question mark `?`, or environment variables (such
The following table describes how the wildcards can be used and provides some examples.
-<br>
+<br/><br/>
|Wildcard|Examples| |||
The following table describes how the wildcards can be used and provides some ex
### System environment variables
-The following table lists and describes the system account environment variables.
-
+The following table lists and describes the system account environment variables.<br/><br/>
|This system environment variable...|Redirects to this| |||
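Review bot: the three `<br/><br/>` insertions are inconsistent with each other: the first two sit on their own line before the table, while the third (`...environment variables.<br/><br/>`) is appended to the end of the sentence with no blank line before the table header. Some Markdown parsers will not start a table immediately after a line of inline HTML, so put each `<br/><br/>` on its own line with a blank line after it, or drop them and rely on a blank line, which is what the surrounding docs use.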
security Configure Local Policy Overrides Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-local-policy-overrides-microsoft-defender-antivirus.md
Previously updated : 02/13/2020 Last updated : 09/14/2021
To configure these settings:
2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
-3. Expand the tree to **Windows components > Microsoft Defender Antivirus** and then the **Location** specified in the table below.
+3. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** and then the **Location** specified in the table of settings (in this article).
4. Double-click the policy **Setting** as specified in the table below, and set the option to your desired configuration. Click **OK**, and repeat for any other settings. 5. Deploy the Group Policy Object as usual.
-Location|Setting|Article
-|||
-MAPS|Configure local setting override for reporting to Microsoft MAPS|[Enable cloud-delivered protection](enable-cloud-protection-microsoft-defender-antivirus.md)
-Quarantine|Configure local setting override for the removal of items from Quarantine folder|[Configure remediation for scans](configure-remediation-microsoft-defender-antivirus.md)
-Real-time protection|Configure local setting override for monitoring file and program activity on your computer|[Enable and configure Microsoft Defender Antivirus always-on protection and monitoring](configure-real-time-protection-microsoft-defender-antivirus.md)
-Real-time protection|Configure local setting override for monitoring for incoming and outgoing file activity|[Enable and configure Microsoft Defender Antivirus always-on protection and monitoring](configure-real-time-protection-microsoft-defender-antivirus.md)
-Real-time protection|Configure local setting override for scanning all downloaded files and attachments|[Enable and configure Microsoft Defender Antivirus always-on protection and monitoring](configure-real-time-protection-microsoft-defender-antivirus.md)
-Real-time protection|Configure local setting override for turn on behavior monitoring|[Enable and configure Microsoft Defender Antivirus always-on protection and monitoring](configure-real-time-protection-microsoft-defender-antivirus.md)
-Real-time protection|Configure local setting override to turn on real-time protection|[Enable and configure Microsoft Defender Antivirus always-on protection and monitoring](configure-real-time-protection-microsoft-defender-antivirus.md)
-Remediation|Configure local setting override for the time of day to run a scheduled full scan to complete remediation|[Configure remediation for scans](configure-remediation-microsoft-defender-antivirus.md)
-Scan|Configure local setting override for maximum percentage of CPU utilization|[Configure and run scans](run-scan-microsoft-defender-antivirus.md)
-Scan|Configure local setting override for schedule scan day|[Configure scheduled scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md)
-Scan|Configure local setting override for scheduled quick scan time|[Configure scheduled scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md)
-Scan|Configure local setting override for scheduled scan time|[Configure scheduled scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md)
-Scan|Configure local setting override for the scan type to use for a scheduled scan|[Configure scheduled scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md)
+## Table of settings
+
+<br/><br/>
+
+| Location | Setting | Article |
+|||||
+| MAPS |Configure local setting override for reporting to Microsoft MAPS|[Enable cloud-delivered protection](enable-cloud-protection-microsoft-defender-antivirus.md) |
+| Quarantine|Configure local setting override for the removal of items from Quarantine folder|[Configure remediation for scans](configure-remediation-microsoft-defender-antivirus.md) |
+| Real-time protection|Configure local setting override for monitoring file and program activity on your computer|[Enable and configure Microsoft Defender Antivirus always-on protection and monitoring](configure-real-time-protection-microsoft-defender-antivirus.md) |
+| Real-time protection|Configure local setting override for monitoring for incoming and outgoing file activity | [Enable and configure Microsoft Defender Antivirus always-on protection and monitoring](configure-real-time-protection-microsoft-defender-antivirus.md) |
+| Real-time protection|Configure local setting override for scanning all downloaded files and attachments|[Enable and configure Microsoft Defender Antivirus always-on protection and monitoring](configure-real-time-protection-microsoft-defender-antivirus.md) |
+| Real-time protection|Configure local setting override for turn on behavior monitoring|[Enable and configure Microsoft Defender Antivirus always-on protection and monitoring](configure-real-time-protection-microsoft-defender-antivirus.md) |
+| Real-time protection|Configure local setting override to turn on real-time protection|[Enable and configure Microsoft Defender Antivirus always-on protection and monitoring](configure-real-time-protection-microsoft-defender-antivirus.md) |
+| Remediation|Configure local setting override for the time of day to run a scheduled full scan to complete remediation|[Configure remediation for scans](configure-remediation-microsoft-defender-antivirus.md) |
+| Scan|Configure local setting override for maximum percentage of CPU utilization|[Configure and run scans](run-scan-microsoft-defender-antivirus.md) |
+| Scan|Configure local setting override for schedule scan day|[Configure scheduled scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md) |
+| Scan|Configure local setting override for scheduled quick scan time|[Configure scheduled scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md) |
+| Scan|Configure local setting override for scheduled scan time|[Configure scheduled scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md) |
+| Scan|Configure local setting override for the scan type to use for a scheduled scan|[Configure scheduled scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md) |
<a id="merge-lists"></a>
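Review bot: the new table's separator row `|||||` has four cells but the header row `| Location | Setting | Article |` has three; use `|---|---|---|` so the column count matches, otherwise the table may not render. Step 3 on the `+` line was changed to say "table of settings (in this article)", but step 4 in the context still says "as specified in the table below"; update it the same way. The `<br/><br/>` under the new "Table of settings" heading is unnecessary now that a heading and blank line separate the table from the steps.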
security Configure Network Connections Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-network-connections-microsoft-defender-antivirus.md
The table in this section lists the services and their associated website addres
Make sure that there are no firewall or network filtering rules denying access to these URLs. Otherwise, you might need to create an allow rule specifically for them (excluding the URL `*.blob.core.windows.net`). The URLs in the following table use port 443 for communication.
-<br>
-
-****
+<br/><br/>
|Service and description|URL| |||
security Configure Process Opened File Exclusions Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md
This article describes how to configure exclusion lists.
## Examples of exclusions
-<br>
-
-****
+<br/><br/>
|Exclusion|Example| ||| |Any file on the machine that is opened by any process with a specific file name|Specifying `test.exe` would exclude files opened by: <p>`c:\sample\test.exe` <p> `d:\internal\files\test.exe`| |Any file on the machine that is opened by any process under a specific folder|Specifying `c:\test\sample\*` would exclude files opened by: <p> `c:\test\sample\test.exe` <p> `c:\test\sample\test2.exe` <p> `c:\test\sample\utility.exe`| |Any file on the machine that is opened by a specific process in a specific folder|Specifying `c:\test\process.exe` would exclude files only opened by `c:\test\process.exe`|
-|
When you add a process to the process exclusion list, Microsoft Defender Antivirus won't scan files opened by that process, no matter where the files are located. The process itself, however, will be scanned unless it has also been added to the [file exclusion list](configure-extension-file-exclusions-microsoft-defender-antivirus.md).
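Review bot: the examples table in this hunk shows that a bare name such as `test.exe` excludes files opened by both `c:\sample\test.exe` and `d:\internal\files\test.exe`, that is, any process with that name anywhere on disk, but nothing says what that means in practice: whoever can drop a binary under that name gets its file activity unscanned. Add a sentence recommending the full-path form shown in the third row (`c:\test\process.exe`) over the name-only form, and keep the following paragraph's reminder next to it that the excluded process itself is still scanned unless it is also on the file exclusion list.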
The format for the cmdlets is:
The following are allowed as the \<cmdlet\>:
-<br>
-
-****
+<br/><br/>
|Configuration action|PowerShell cmdlet| ||| |Create or overwrite the list|`Set-MpPreference`| |Add to the list|`Add-MpPreference`| |Remove items from the list|`Remove-MpPreference`|
-|
> [!IMPORTANT] > If you have created a list, either with `Set-MpPreference` or `Add-MpPreference`, using the `Set-MpPreference` cmdlet again will overwrite the existing list.
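Review bot: the cmdlet table introduced after `+<br/><br/>` lists `Set-MpPreference`, `Add-MpPreference` and `Remove-MpPreference` but never names the parameter that carries the process list; the hunk header `The format for the cmdlets is:` is where that presumably lives, so repeat the parameter in the table header or a caption so the table stands on its own. The IMPORTANT note that `Set-MpPreference` overwrites an existing list belongs right where it is: a reader who copies the "Create or overwrite the list" row onto a device that already has exclusions will silently drop them.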
In particular, you cannot use the question mark (`?`) wildcard, and the asterisk
The following table describes how the wildcards can be used in the process exclusion list:
-<br>
-
-****
+<br/><br/>
|Wildcard|Example use|Example matches| |||| |`*` (asterisk) <p> Replaces any number of characters|`C:\MyData\*`|Any file opened by `C:\MyData\file.exe`| |Environment variables <p> The defined variable is populated as a path when the exclusion is evaluated|`%ALLUSERSPROFILE%\CustomLogFiles\file.exe`|Any file opened by `C:\ProgramData\CustomLogFiles\file.exe`|
-|
## Review the list of exclusions
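Review bot: the wildcard table gives one positive match per row (`C:\MyData\*` matches `C:\MyData\file.exe`) and no negative one, so the reader cannot tell from this hunk whether `*` crosses directory separators or how it relates to the restriction the hunk header starts to state, `In particular, you cannot use the question mark (?) wildcard, and the asterisk ...`. Add a non-matching example to each row and put the asterisk restriction itself next to the table rather than only in the paragraph above it.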
security Configure Protection Features Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-protection-features-microsoft-defender-antivirus.md
Microsoft Defender Antivirus uses several methods to provide threat protection: -- Cloud-delivered protection for near-instant detection and blocking of new and emerging threats
+- Cloud protection for near-instant detection and blocking of new and emerging threats
- Always-on scanning, using file and process behavior monitoring and other heuristics (also known as "real-time protection") - Dedicated protection updates based on machine-learning, human and automated big-data analysis, and in-depth threat resistance research
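Review bot: the rename from "cloud-delivered protection" to "cloud protection" in `+- Cloud protection for near-instant detection and blocking of new and emerging threats` (and again in the link text two hunks down) is not carried through the commit: the edr-in-block-mode change further down this page still has a `|Cloud-delivered protection|` requirement row. Pick one term for the whole commit so searches and cross-links keep working.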
You can configure how Microsoft Defender Antivirus uses these methods with Group
This section covers configuration for always-on scanning, including how to detect and block apps that are deemed unsafe, but may not be detected as malware.
-See [Use next-gen Microsoft Defender Antivirus technologies through cloud-delivered protection](cloud-protection-microsoft-defender-antivirus.md) for how to enable and configure Microsoft Defender Antivirus cloud-delivered protection.
+See [Use next-gen Microsoft Defender Antivirus technologies through cloud protection](cloud-protection-microsoft-defender-antivirus.md) for how to enable and configure Microsoft Defender Antivirus cloud protection.
## In this section
- Topic|Description
-|
-[Detect and block potentially unwanted applications](detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md)|Detect and block apps that may be unwanted in your network, such as adware, browser modifiers and toolbars, and rogue or fake antivirus apps
-[Enable and configure Microsoft Defender Antivirus protection capabilities](configure-real-time-protection-microsoft-defender-antivirus.md)|Enable and configure real-time protection, heuristics, and other always-on Microsoft Defender Antivirus monitoring features
+| Topic|Description |
+|||
+| [Detect and block potentially unwanted applications](detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md)| Detect and block apps that may be unwanted in your network, such as adware, browser modifiers and toolbars, and rogue or fake antivirus apps |
+| [Enable and configure Microsoft Defender Antivirus protection capabilities](configure-real-time-protection-microsoft-defender-antivirus.md)|Enable and configure real-time protection, heuristics, and other always-on Microsoft Defender Antivirus monitoring features |
security Configure Real Time Protection Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-real-time-protection-microsoft-defender-antivirus.md
To enable and configure always-on protection:
1. In the **Microsoft Defender Antivirus** details pane on right, double-click the policy setting as specified in the following table:
- <br>
-
- ****
+ <br/><br/>
|Setting|Default setting| ||| |Allow antimalware service to start up with normal priority <p> You can lower the priority of the Microsoft Defender Antivirus engine. Lowering the priority might be useful in cases where you want to have as lean a startup process as possible; however, taking this action could affect endpoint protection. Proceed with caution.|Enabled |Allow antimalware service to remain running always <p> If protection updates have been disabled, you can set Microsoft Defender Antivirus to still run. Disabling protection updates reduces endpoint protection.|Disabled|
- |
2. Configure the setting as appropriate, and select **OK**.
To enable and configure always-on protection:
![Microsoft Defender Antivirus Scan options](images/gpedit-windows-defender-antivirus-scan.png) 2. In the **Scan** details pane on right, double-click the policy setting as specified in the following table:--
- <br>
-
- ****
+ <br/><br/>
|Setting|Default setting| ||| |Turn on heuristics <p> Heuristic protection will disable or block suspicious activity immediately before the Microsoft Defender Antivirus engine is asked to detect the activity.|Enabled|
- |
+ 3. Configure the setting as appropriate, and select **OK**.
To enable and configure always-on protection:
### Real-time protection policy settings
-<br>
-
-****
- |Setting|Default setting| ||| |Turn on behavior monitoring <p> The antivirus engine will monitor file processes, file and registry changes, and other events on your endpoints for suspicious and known malicious activity.|Enabled|
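Review bot: the removed line `- |Setting|Default setting| ||| |Turn on behavior monitoring ...|Enabled|` carries the table header, the delimiter row and the first data row, and no `+` line in this hunk puts them back. The rows left in the next hunk (`Configure local setting override to turn on real-time protection`, `Configure local setting override for monitoring for incoming and outgoing file activity`, `Configure monitoring for incoming and outgoing file and program activity`) would then be a table body with no header and render as pipe-separated text. If the intent was only to drop the leading space, re-add the line unindented; if the behavior-monitoring row was meant to go, say so in the commit message, since it is the row most readers come for.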
To enable and configure always-on protection:
|Configure local setting override to turn on real-time protection <p> Configure a local override for the configuration to turn on real-time protection. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Group Policy. If you disable or do not configure this setting, Group Policy will take priority over the local preference setting.|Enabled| |Configure local setting override for monitoring for incoming and outgoing file activity <p> Configure a local override for the configuration of monitoring for incoming and outgoing file activity. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Group Policy. If you disable or do not configure this setting, Group Policy will take priority over the local preference setting.|Enabled| |Configure monitoring for incoming and outgoing file and program activity <p> Specify whether monitoring should occur on incoming, outgoing, both, or neither direction. This action is relevant for Windows Server installations where you have defined specific servers or Server Roles that see large amounts of file changes in only one direction and you want to improve network performance. Fully updated endpoints (and servers) on a network will see little performance impact irrespective of the number or direction of file changes.|Enabled (both directions)|
-|
## Disable real-time protection in Group Policy
security Configure Remediation Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-remediation-microsoft-defender-antivirus.md
You can also use the [`Set-MpPreference` PowerShell cmdlet](/powershell/module/d
5. Select **OK**.
-<br>
-
-****
+<br/><br/>
|Location|Setting|Description|Default setting (if not configured)| |||||
You can also use the [`Set-MpPreference` PowerShell cmdlet](/powershell/module/d
|Quarantine|Configure removal of items from Quarantine folder|Specify how many days items should be kept in quarantine before being removed|90 days| |Threats|Specify threat alert levels at which default action should not be taken when detected|Every threat that is detected by Microsoft Defender Antivirus is assigned a threat level (low, medium, high, or severe). You can use this setting to define how all threats for each of the threat levels should be remediated (quarantined, removed, or ignored)|Not applicable| |Threats|Specify threats upon which default action should not be taken when detected|Specify how specific threats (using their threat ID) should be remediated. You can specify whether the specific threat should be quarantined, removed, or ignored|Not applicable|
-|
> [!IMPORTANT] > Microsoft Defender Antivirus detects and remediates files based on many factors. Sometimes, completing a remediation requires a reboot. Even if the detection is later determined to be a false positive, the reboot must be completed to ensure all additional remediation steps have been completed.
security Configure Server Exclusions Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-server-exclusions-microsoft-defender-antivirus.md
Because Microsoft Defender Antivirus is built into Windows Server 2016 and later
This article includes the following sections:
-<br>
-
-****
+<br/><br/>
|Section|Description| ||| |[Automatic exclusions on Windows Server 2016 or later](#automatic-exclusions-on-windows-server-2016-or-later)|Describes the two main types of automatic exclusions and includes a detailed list of automatic exclusions| |[Opting out of automatic exclusions](#opting-out-of-automatic-exclusions)|Includes important considerations and procedures describing how to opt out of automatic exclusions| |[Defining custom exclusions](#defining-custom-exclusions)|Provides links to how-to information for defining custom exclusions|
-|
> [!IMPORTANT] > Keep the following points in mind:
This section lists the default exclusions for all roles in Windows Server 2016 a
The following table lists the file type exclusions, folder exclusions, and process exclusions that are delivered automatically when you install the Hyper-V role.
-<br>
-
-****
+<br><br/>
|Exclusion type|Specifics| ||| |File types|`*.vhd` <br/> `*.vhdx` <br/> `*.avhd` <br/> `*.avhdx` <br/> `*.vsv` <br/> `*.iso` <br/> `*.rct` <br/> `*.vmcx` <br/> `*.vmrs`| |Folders|`%ProgramData%\Microsoft\Windows\Hyper-V` <br/> `%ProgramFiles%\Hyper-V` <br/> `%SystemDrive%\ProgramData\Microsoft\Windows\Hyper-V\Snapshots` <br/> `%Public%\Documents\Hyper-V\Virtual Hard Disks`| |Processes|`%systemroot%\System32\Vmms.exe` <br/> `%systemroot%\System32\Vmwp.exe`|
-|
##### SYSVOL files
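Review bot: `+<br><br/>` mixes an unclosed `<br>` with a self-closing `<br/>`, unlike the `<br/><br/>` the other hunks in this commit use; make it consistent. While this table is open: the `File types` row excludes `*.vhd`, `*.vhdx`, `*.avhd`, `*.avhdx`, `*.vsv`, `*.iso`, `*.rct`, `*.vmcx` and `*.vmrs` by extension alone, whereas the `Folders` and `Processes` rows are path-scoped, and the sentence above only says the exclusions are "delivered automatically when you install the Hyper-V role". State whether the extension exclusions apply anywhere on the host or only under the listed folders; that is the difference between a narrow exclusion and one any user can trigger by renaming a file.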
security Controlled Folders https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/controlled-folders.md
You can review the Windows event log to see events that are created when control
The following table shows events related to controlled folder access:
-<br>
-
-****
+<br/><br/>
|Event ID|Description| ||| |5007|Event when settings are changed| |1124|Audited controlled folder access event| |1123|Blocked controlled folder access event|
-|
## View or change the list of protected folders
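Review bot: the event table lists IDs 5007, 1124 and 1123 but nothing in this hunk names the log or provider they are written to, even though the sentence above sends the reader to the Windows event log; add the channel so the IDs can be filtered in Event Viewer. Also, `5007|Event when settings are changed` reads as if it were specific to controlled folder access; if it is a general configuration-change event, say so, because readers will build detections from this table and need to know what else raises it.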
security Defender Endpoint False Positives Negatives https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/defender-endpoint-false-positives-negatives.md
Before you classify or suppress an alert, determine whether the alert is accurat
4. Depending on the alert status, take the steps described in the following table:
-<br>
-
-****
+<br/>
|Alert status|What to do| ||| |The alert is accurate|Assign the alert, and then [investigate it](investigate-alerts.md) further.| |The alert is a false positive|<ol><li>[Classify the alert](#classify-an-alert) as a false positive.</li><li>[Suppress the alert](#suppress-an-alert).</li><li>[Create an indicator](#indicators-for-microsoft-defender-for-endpoint) for Microsoft Defender for Endpoint.</li><li>[Submit a file to Microsoft for analysis](#part-4-submit-a-file-for-analysis).</li></ol>| |The alert is accurate, but benign (unimportant)|[Classify the alert](#classify-an-alert) as a true positive, and then [suppress the alert](#suppress-an-alert).|
-|||
### Classify an alert
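Review bot: `+<br/>` here is a single break where the other hunks in this commit replace the same `<br>` / blank / `****` block with `<br/><br/>`; either works, but the page set should use one form. The `-|||` removal at the end of the table is fine.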
security Defender Endpoint Plan 1 2 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/defender-endpoint-plan-1-2.md
Microsoft Defender for Endpoint is an enterprise endpoint security platform desi
## Compare Defender for Endpoint plans
-The following table describes what's included in each plan at a high level.
+The following table describes what's included in each plan at a high level. <br/><br/>
| [Defender for Endpoint Plan 1](defender-endpoint-plan-1.md) <br/>(preview) | [Defender for Endpoint Plan 2](microsoft-defender-endpoint.md) <br/>(available now) | |:|:|
security Deploy Manage Report Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/deploy-manage-report-microsoft-defender-antivirus.md
Microsoft Azure|Deploy Microsoft Antimalware for Azure in the [Azure portal, by
3. <span id="fn3" />Configuration of features and protection, including configuring product and protection updates, are further described in the [Configure Microsoft Defender Antivirus features](configure-notifications-microsoft-defender-antivirus.md) section in this library. [(Return to table)](#ref2)
-[Endpoint Protection point site system role]: /configmgr/protect/deploy-use/endpoint-protection-site-role
-[default and customized antimalware policies]: /configmgr/protect/deploy-use/endpoint-antimalware-policies
-[client management]: /configmgr/core/clients/manage/manage-clients
-[enable Endpoint Protection with custom client settings]: /configmgr/protect/deploy-use/endpoint-protection-configure-client
-[Configuration Manager Monitoring workspace]: /configmgr/protect/deploy-use/monitor-endpoint-protection
-[email alerts]: /configmgr/protect/deploy-use/endpoint-configure-alerts
-[Deploy the Microsoft Intune client to endpoints]: /intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune
-[custom Intune policy]: /intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune#configure-microsoft-intune-endpoint-protection
- [custom Intune policy]: /intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune#configure-microsoft-intune-endpoint-protection
-[manage tasks]: /intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune#choose-management-tasks-for-endpoint-protection
-[Monitor endpoint protection in the Microsoft Intune administration console]: /intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune#monitor-endpoint-protection
-[Set method of the MSFT_MpPreference class]: /previous-versions/windows/desktop/defender/set-msft-mppreference
-[Update method of the MSFT_MpSignature class]: /previous-versions/windows/desktop/defender/set-msft-mppreference
-[MSFT_MpComputerStatus]: /previous-versions/windows/desktop/defender/msft-mpcomputerstatus
-[Windows Defender WMIv2 Provider]: /previous-versions/windows/desktop/defender/windows-defender-wmiv2-apis-portal
-[Set-MpPreference]: https://technet.microsoft.com/itpro/powershell/windows/defender/set-mppreference.md
-[Update-MpSignature]: /powershell/module/defender/update-mpsignature
-[Get- cmdlets available in the Defender module]: /powershell/module/defender/
-[Configure update options for Microsoft Defender Antivirus]: manage-updates-baselines-microsoft-defender-antivirus.md
-[Configure Windows Defender features]: configure-microsoft-defender-antivirus-features.md
-[Group Policies to determine if any settings or policies are not applied]: /previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc771389(v=ws.11)
-[Possibly infected devices]: /azure/active-directory/active-directory-reporting-sign-ins-from-possibly-infected-devices
-[Microsoft Defender Antivirus events]: troubleshoot-microsoft-defender-antivirus.md
- ## In this section Topic | Description
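Review bot: this hunk deletes every reference-style link definition (`[Endpoint Protection point site system role]: ...` through `[Microsoft Defender Antivirus events]: ...`) plus the `## In this section Topic | Description` heading, but the visible context does not show whether the body still uses any of those references; a leftover `[Set-MpPreference]` or `[custom Intune policy]` would now render as literal brackets, so grep the article for `]: ` and `][` before merging. Several of the removed targets were wrong anyway (`[Update method of the MSFT_MpSignature class]` pointed at `set-msft-mppreference`, `[Set-MpPreference]` at a technet `.md` URL), so dropping them is right once nothing references them. One thing in the context line above: footnote 3 links "Configure Microsoft Defender Antivirus features" to `configure-notifications-microsoft-defender-antivirus.md`, while the removed definition pointed at `configure-microsoft-defender-antivirus-features.md`; check which target is intended, and "Configuration of features and protection ... are further described" should read "is further described".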
security Device Control Removable Storage Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/device-control-removable-storage-protection.md
Device control removable storage protection in Microsoft Defender for Endpoint p
Microsoft Defender for Endpoint Device Control Removable Storage Protection allows you to restrict the removable storage access based on the properties described in the table below:
-<br>
-
-****
+<br/><br/>
|Property Name|Applicable Policies|Applies to Operating Systems|Description| |||||
Microsoft Defender for Endpoint Device Control Removable Storage Protection allo
|Friendly Name|[Removable storage Access Control](device-control-removable-storage-access-control.md)|Windows|A string attached to the device, for example, Generic Flash Disk USB Device| |Vendor ID / Product ID|[Removable storage Access Control](device-control-removable-storage-access-control.md)|Windows <p> macOS|Vendor ID is the four-digit vendor code that the USB committee assigns to the vendor. Product ID is the four-digit product code that the vendor assigns to the device; Support wildcard.| |Serial NumberId|[Removable storage Access Control](device-control-removable-storage-access-control.md)|Windows <p> macOS |For example, <SerialNumberId>002324B534BCB431B000058A</SerialNumberId>|
-|
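Review bot: the `Serial NumberId` row puts a raw `<SerialNumberId>002324B534BCB431B000058A</SerialNumberId>` in a table cell without code formatting, so the tags will be treated as inline HTML rather than shown and the reader sees only the hex string; wrap the example in backticks. In the `Vendor ID / Product ID` row, "four-digit" should be "four hexadecimal digits" and the fragment "Support wildcard." should be "Wildcards are supported." `Friendly Name` is described only as "A string attached to the device"; say where the value comes from, because as written a reader may take it for an identifier a policy can trust on its own.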
security Edr In Block Mode https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/edr-in-block-mode.md
The following image shows an instance of unwanted software that was detected and
## Requirements for EDR in block mode
-<br>
-
-****
- |Requirement|Details| ||| |Permissions|You must have either the Global Administrator or Security Administrator role assigned in [Azure Active Directory](/azure/active-directory/fundamentals/active-directory-users-assign-role-azure-portal). For more information, see [Basic permissions](basic-permissions.md).|
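Review bot: same problem as the real-time-protection table earlier in this commit: the removed line `- |Requirement|Details| ||| |Permissions|You must have either the Global Administrator or Security Administrator role ...|` holds the table header, the delimiter row and the Permissions row, and no `+` line in this hunk replaces it, so the `Cloud-delivered protection`, `Microsoft Defender Antivirus platform` and `Microsoft Defender Antivirus engine` rows in the next hunk are left without a header. Re-add the line unindented unless dropping the permissions requirement is intentional, in which case say so.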
The following image shows an instance of unwanted software that was detected and
|Cloud-delivered protection|Microsoft Defender Antivirus must be configured such that [cloud-delivered protection is enabled](enable-cloud-protection-microsoft-defender-antivirus.md).| |Microsoft Defender Antivirus platform|Devices must be up to date. To confirm, using PowerShell, run the [Get-MpComputerStatus](/powershell/module/defender/get-mpcomputerstatus) cmdlet as an administrator. In the **AMProductVersion** line, you should see **4.18.2001.10** or above. <p> To learn more, see [Manage Microsoft Defender Antivirus updates and apply baselines](manage-updates-baselines-microsoft-defender-antivirus.md).| |Microsoft Defender Antivirus engine|Devices must be up to date. To confirm, using PowerShell, run the [Get-MpComputerStatus](/powershell/module/defender/get-mpcomputerstatus) cmdlet as an administrator. In the **AMEngineVersion** line, you should see **1.1.16700.2** or above. <p> To learn more, see [Manage Microsoft Defender Antivirus updates and apply baselines](manage-updates-baselines-microsoft-defender-antivirus.md).|
-|
> [!IMPORTANT] > To get the best protection value, make sure your antivirus solution is configured to receive regular updates and essential features, and that your [exclusions are configured](configure-exclusions-microsoft-defender-antivirus.md). EDR in block mode respects exclusions that are defined for Microsoft Defender Antivirus, but not [indicators](manage-indicators.md) that are defined for Microsoft Defender for Endpoint.
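Review bot: the two version rows say "Devices must be up to date" and then give fixed floors (`AMProductVersion` 4.18.2001.10 or above, `AMEngineVersion` 1.1.16700.2 or above); those are different claims, and the floor is what the `Get-MpComputerStatus` check actually tests, so lead with the floor and keep "up to date" as advice. `|Cloud-delivered protection|` should follow the "cloud protection" wording this commit adopts elsewhere. The IMPORTANT note is the most useful line in the table and should stay exactly as it is: EDR in block mode honours Microsoft Defender Antivirus exclusions but not Defender for Endpoint indicators, which is a gap readers would otherwise assume is covered.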
For more information, see [Microsoft Defender Antivirus compatibility](microsoft
To confirm whether Microsoft Defender Antivirus is running in active or passive mode, you can use Command Prompt or PowerShell on a device running Windows.
-<br>
-
-****
+<br/><br/>
|Method|Procedure| ||| |PowerShell|<ol><li>Select the Start menu, begin typing `PowerShell`, and then open Windows PowerShell in the results.</li><li>Type `Get-MpComputerStatus`.</li><li>In the list of results, in the **AMRunningMode** row, look for one of the following values:<ul><li>`Normal`</li><li>`Passive Mode`</li></ul></li></ol> <p> To learn more, see [Get-MpComputerStatus](/powershell/module/defender/get-mpcomputerstatus).| |Command Prompt|<ol><li>Select the Start menu, begin typing `Command Prompt`, and then open Windows Command Prompt in the results.</li><li>Type `sc query windefend`.</li><li>In the list of results, in the **STATE** row, confirm that the service is running.</li></ol>|
-|
### How do I confirm that EDR in block mode is turned on with Microsoft Defender Antivirus in passive mode?
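Review bot: the table is introduced by "To confirm whether Microsoft Defender Antivirus is running in active or passive mode", but the `Command Prompt` row only has the reader run `sc query windefend` and "confirm that the service is running", which is true in both modes; only the PowerShell row (`Get-MpComputerStatus`, `AMRunningMode` showing `Normal` or `Passive Mode`) answers the question. Either drop the Command Prompt row or reword it as a liveness check that points to the PowerShell row for the mode. The PowerShell steps should also say to open the prompt as an administrator, as the requirements table above does for the same cmdlet.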
security Enable Attack Surface Reduction https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/enable-attack-surface-reduction.md
You can use Microsoft Endpoint Manager (MEM) OMA-URI to configure custom ASR rul
- In **Name**, type a name for the rule. - In **Description**, type a brief description.
- - In **OMA-URI**, type or paste the specific OMA-URI link for the rule that you are adding.
+ - In **OMA-URI**, type or paste the specific OMA-URI link for the rule that you are adding. Refer to the MEM section earlier in this topic for the OMA-URI to use for this example rule. For ASR rule GUIDS, see [Per rule descriptions](attack-surface-reduction-rules.md#per-rule-descriptions) in the topic: Attack surface reduction rules.
- In **Data type**, select **String**. - In **Value**, type or paste the GUID value, the \= sign and the State value with no spaces (_GUID=StateValue_). Where: {0 : Disable (Disable the ASR rule)}, {1 : Block (Enable the ASR rule)}, {2 : Audit (Evaluate how the ASR rule would impact your organization if enabled)}, {6 : Warn (Enable the ASR rule but allow the end-user to bypass the block)}
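Review bot: the added sentence `For ASR rule GUIDS, see [Per rule descriptions](attack-surface-reduction-rules.md#per-rule-descriptions) in the topic: Attack surface reduction rules.` should say `GUIDs`, and "in the topic: Attack surface reduction rules" can go since the link already names it. "Refer to the MEM section earlier in this topic for the OMA-URI to use for this example rule" is a back-reference with no anchor; link the section. The `Value` bullet below is the line readers copy: the `GUID=StateValue` form with `0` Disable, `1` Block, `2` Audit and `6` Warn is clear, but "with no spaces" deserves one example written in exactly that form so nobody pastes the braces from the list.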
security Enable Exploit Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/enable-exploit-protection.md
If you need to restore the mitigation back to the system default, you need to in
Set-Processmitigation -Name test.exe -Remove -Disable DEP ```
-The following table lists the individual **Mitigations** (and **Audits**, when available) to be used with the `-Enable` or `-Disable` cmdlet parameters.
+The following table lists the individual **Mitigations** (and **Audits**, when available) to be used with the `-Enable` or `-Disable` cmdlet parameters.<br/><br/>
|Mitigation type|Applies to|Mitigation cmdlet parameter keyword|Audit mode cmdlet parameter| |||||
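Review bot: `<br/><br/>` is appended to the end of the sentence line here rather than placed on its own line as in the earlier hunks; minor, but it hides the HTML when the page is later cleaned up. In the context line above, `Set-Processmitigation -Name test.exe -Remove -Disable DEP` should use the cmdlet's documented casing `Set-ProcessMitigation`; PowerShell does not care, but readers search for the documented name.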
security Evaluate Exploit Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/evaluate-exploit-protection.md
You can disable **audit mode** by replacing `-Enable` with `-Disable`.
## Review exploit protection audit events
-To review which apps would have been blocked, open Event Viewer and filter for the following events in the Security-Mitigations log.
+To review which apps would have been blocked, open Event Viewer and filter for the following events in the Security-Mitigations log.<br/><br/>
|Feature|Provider/source|Event ID|Description| |||--||
security Event Error Codes https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/event-error-codes.md
For example, if devices aren't appearing in the **Devices list**, you might need
|26|Microsoft Defender for Endpoint service failed to set the onboarding status in the registry. Failure code: `variable`.|The device didn't onboard correctly. <p> It will report to the portal, however the service may not appear as registered in SCCM or the registry.|Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages. <p> See [Onboard Windows 10 devices](configure-endpoints.md).| |27|Microsoft Defender for Endpoint service failed to enable SENSE aware mode in Microsoft Defender Antivirus. Onboarding process failed. Failure code: `variable`.|Normally, Microsoft Defender Antivirus will enter a special passive state if another real-time antimalware product is running properly on the device, and the device is reporting to Defender for Endpoint.|Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages. <p> See [Onboard Windows 10 devices](configure-endpoints.md). <p> Ensure real-time antimalware protection is running properly.| |28|Microsoft Defender for Endpoint Connected User Experiences and Telemetry service registration failed. Failure code: `variable`.|An error occurred with the Windows telemetry service.|[Ensure the diagnostic data service is enabled](troubleshoot-onboarding.md#ensure-that-microsoft-defender-antivirus-is-not-disabled-by-a-policy). <p> Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages. <p> See [Onboard Windows 10 devices](configure-endpoints.md).|
- |29|Failed to read the offboarding parameters. Error type: %1, Error code: %2, Description: %3|This event occurs when the system can&#39;t read the offboarding parameters.|Ensure the device has Internet access, then run the entire offboarding process again. Ensure the offboarding package hasn't expired.|
+ |29|Failed to read the offboarding parameters. Error type: %1, Error code: %2, Description: %3|This event occurs when the system can't read the offboarding parameters.|Ensure the device has Internet access, then run the entire offboarding process again. Ensure the offboarding package hasn't expired.|
|30|Microsoft Defender for Endpoint service failed to disable SENSE aware mode in Microsoft Defender Antivirus. Failure code: `variable`.|Normally, Microsoft Defender Antivirus will enter a special passive state if another real-time antimalware product is running properly on the device, and the device is reporting to Defender for Endpoint.|Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages. <p> See [Onboard Windows 10 devices](configure-endpoints.md). <p> Ensure real-time antimalware protection is running properly.| |31|Microsoft Defender for Endpoint Connected User Experiences and Telemetry service unregistration failed. Failure code: `variable`.|An error occurred with the Windows telemetry service during onboarding. The offboarding process continues.|[Check for errors with the Windows telemetry service](troubleshoot-onboarding.md#ensure-the-diagnostic-data-service-is-enabled).| |32|Microsoft Defender for Endpoint service failed to request to stop itself after offboarding process. Failure code: %1|An error occurred during offboarding.|Reboot the device.|
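Review bot: the `&#39;` to `'` fix in row 29 is correct. Two things in the rows around it: row 28's remediation link reads "Ensure the diagnostic data service is enabled" but points at `#ensure-that-microsoft-defender-antivirus-is-not-disabled-by-a-policy`, while row 31 links the same check to `#ensure-the-diagnostic-data-service-is-enabled`, so row 28 targets the wrong section. And the placeholder style is mixed: rows 26, 27, 28, 30 and 31 say "Failure code: `variable`", rows 29 and 32 use `%1`, `%2`, `%3`; pick one.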
security Exploit Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/exploit-protection.md
DeviceEvents
## Review exploit protection events in Windows Event Viewer
-You can review the Windows event log to see events that are created when exploit protection blocks (or audits) an app:
+You can review the Windows event log to see events that are created when exploit protection blocks (or audits) an app:<br/><br/>
|Provider/source | Event ID | Description| |:|:|:|
You can review the Windows event log to see events that are created when exploit
The mitigations available in EMET are included natively in Windows 10 (starting with version 1709) and Windows Server (starting with version 1803), under [Exploit protection](exploit-protection.md).
-The table in this section indicates the availability and support of native mitigations between EMET and exploit protection.
+The table in this section indicates the availability and support of native mitigations between EMET and exploit protection.<br/><br/>
|Mitigation | Available under exploit protection | Available in EMET | |:|:|:|
security Manage Atp Post Migration Configuration Manager https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-atp-post-migration-configuration-manager.md
We recommend using We recommend using [Microsoft Endpoint Manager](/mem), which
|**Choose methods for updating antimalware updates** on your organization's devices <p> *With Endpoint Protection in Configuration Manager, you can choose from several methods to keep antimalware definitions up to date on your organization's devices.*|[Configure definition updates for Endpoint Protection](/mem/configmgr/protect/deploy-use/endpoint-definition-updates) <p> [Use Configuration Manager to deliver definition updates](/mem/configmgr/protect/deploy-use/endpoint-definitions-configmgr)| |**Enable Network Protection** to help prevent employees from using apps that malicious content on the Internet <p> *We recommend using [audit mode](/microsoft-365/security/defender-endpoint/evaluate-network-protection) at first for network protection in a test environment to see which apps would be blocked before rolling out.*|[Turn on network protection with Configuration Manager](/microsoft-365/security/defender-endpoint/enable-network-protection#microsoft-endpoint-configuration-manager)| |**Configure controlled folder access** to protect against ransomware <p> *Controlled folder access is also referred to as antiransomware protection.*|[Endpoint protection: Controlled folder access](/mem/intune/protect/endpoint-protection-windows-10#controlled-folder-access) <p> [Enable controlled folder access in Microsoft Endpoint Configuration Manage](/microsoft-365/security/defender-endpoint/enable-controlled-folders#microsoft-endpoint-configuration-manager)|
-|||
## Configure your Microsoft 365 Defender portal
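Review bot: the hunk header line shows `We recommend using We recommend using [Microsoft Endpoint Manager](/mem)`, a duplicated phrase. In the table row above the removed `|||`, "help prevent employees from using apps that malicious content on the Internet" is missing its verb ("that access malicious content"), and the last link text ends in "Microsoft Endpoint Configuration Manage" (missing the final r). All three sit in the lines this hunk touches or is anchored under, so fix them in the same PR.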
security Manage Atp Post Migration Intune https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-atp-post-migration-intune.md
This article describes how to find your Microsoft Defender for Endpoint settings
The following table lists various tasks you can perform to configure Microsoft Defender for Endpoint with Intune. You don't have to configure everything all at once; choose a task, read the corresponding resources, and then proceed.
-<br>
-
-****
+<br/><br/>
|Task|Resources to learn more| |||
The following table lists various tasks you can perform to configure Microsoft D
|**Configure Microsoft Defender Credential Guard** to protect against credential theft attacks|For Windows 10, Windows Server 2016, and Windows Server 2019, see [Endpoint protection: Microsoft Defender Credential Guard](/mem/intune/protect/endpoint-protection-windows-10#microsoft-defender-credential-guard) <p> For Windows 7 SP1, Windows Server 2008 R2 SP1, Windows 8.1, and Windows Server 2012 R2, see [Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft, Versions 1 and 2](https://www.microsoft.com/download/details.aspx?id=36036)| |**Configure Microsoft Defender Application Control** to choose whether to audit or trust apps on your organization's devices <p> *Microsoft Defender Application Control is also referred to as [AppLocker](/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview).*|[Deploy Microsoft Defender Application Control policies by using Microsoft Intune](/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune) <p> [Endpoint protection: Microsoft Defender Application Control](/mem/intune/protect/endpoint-protection-windows-10#microsoft-defender-application-control) <p> [AppLocker CSP](/windows/client-management/mdm/applocker-csp)| |**Configure device control and USB peripherals access** to help prevent threats in unauthorized peripherals from compromising your devices|[Control USB devices and other removable media using Microsoft Defender for Endpoint and Intune](/windows/security/threat-protection/device-control/control-usb-devices-using-intune)|
-|||
## Configure your Microsoft 365 Defender portal
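Review bot: the italic aside in the Application Control row (`*Microsoft Defender Application Control is also referred to as AppLocker*`) is wrong and should be reworded; WDAC and AppLocker are separate application control technologies, which the row itself shows by linking both the WDAC Intune deployment guide and the AppLocker CSP. Something like `*AppLocker is a related application control feature; see the AppLocker CSP below*` keeps both links without implying that AppLocker CSP settings configure WDAC policy.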
security Manage Atp Post Migration Other Tools https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-atp-post-migration-other-tools.md
You can manage some Microsoft Defender Antivirus settings on devices with [Power
## Configure Microsoft Defender for Endpoint with PowerShell
-You can use PowerShell to manage Microsoft Defender Antivirus, exploit protection, and your attack surface reduction rules.
+You can use PowerShell to manage Microsoft Defender Antivirus, exploit protection, and your attack surface reduction rules.<br/><br/>
|Task|Resources to learn more| |||
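Review bot: style, the `+` line appends `<br/><br/>` to the end of the sentence to force spacing before the table; a blank line between the paragraph and the `|Task|Resources to learn more|` header does the same in Markdown without inline HTML, and the same pattern is repeated in the MpCmdRun, platform-version and navigation-bar hunks further down.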
WMI is a scripting interface that allows you to retrieve, modify, and update set
## Configure Microsoft Defender for Endpoint with Microsoft Malware Protection Command-Line Utility (MPCmdRun.exe)
-On an individual device, you can run a scan, start diagnostic tracing, check for security intelligence updates, and more using the mpcmdrun.exe command-line tool. You can find the utility in `%ProgramFiles%\Windows Defender\MpCmdRun.exe`. Run it from a command prompt.
+On an individual device, you can run a scan, start diagnostic tracing, check for security intelligence updates, and more using the mpcmdrun.exe command-line tool. You can find the utility in `%ProgramFiles%\Windows Defender\MpCmdRun.exe`. Run it from a command prompt.<br/><br/>
|Task|Resources to learn more| |||
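Review bot: the `+` line keeps `%ProgramFiles%\Windows Defender\MpCmdRun.exe` as the only location, but that is the inbox copy; once platform updates have been applied the current build runs from `%ProgramData%\Microsoft\Windows Defender\Platform\<platform version>\`, so the text should point readers there (or say the inbox copy may be older). "Run it from a command prompt" should also say that several operations, diagnostic tracing among them, need an elevated prompt.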
security Manage Atp Post Migration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-atp-post-migration.md
After you have moved from your previous endpoint protection and antivirus soluti
The following table lists various tools/methods you can use, with links to learn more.
-<br>
-
-****
+<br/><br/>
|Tool/Method|Description| |||
The following table lists various tools/methods you can use, with links to learn
|**[Microsoft Endpoint Configuration Manager](/mem/configmgr/core/understand/introduction)**|Microsoft Endpoint Manager (Configuration Manager), formerly known as System Center Configuration Manager, is a component of [Microsoft Endpoint Manager](/mem/endpoint-manager-overview). Configuration Manager is a powerful tool to manage your users, devices, and software. <p> See [Manage Microsoft Defender for Endpoint with Configuration Manager](manage-atp-post-migration-configuration-manager.md).| |**[Group Policy Objects in Azure Active Directory Domain Services](/azure/active-directory-domain-services/manage-group-policy)**|[Azure Active Directory Domain Services](/azure/active-directory-domain-services/overview) includes built-in Group Policy Objects for users and devices. You can customize the built-in Group Policy Objects as needed for your environment, as well as create custom Group Policy Objects and organizational units (OUs). <p> See [Manage Microsoft Defender for Endpoint with Group Policy Objects](manage-atp-post-migration-group-policy-objects.md).| |**[PowerShell, WMI, and MPCmdRun.exe](manage-atp-post-migration-other-tools.md)**|*We recommend using Microsoft Endpoint Manager (which includes Intune and Configuration Manager) to manage threat protection features on your organization's devices. However, you can configure some settings, such as Microsoft Defender Antivirus settings on individual devices (endpoints) with PowerShell, WMI, or the MPCmdRun.exe tool.* <p> You can use PowerShell to manage Microsoft Defender Antivirus, exploit protection, and your attack surface reduction rules. See [Configure Microsoft Defender for Endpoint with PowerShell](manage-atp-post-migration-other-tools.md#configure-microsoft-defender-for-endpoint-with-powershell). <p> You can use Windows Management Instrumentation (WMI) to manage Microsoft Defender Antivirus and exclusions. 
See [Configure Microsoft Defender for Endpoint with WMI](manage-atp-post-migration-other-tools.md#configure-microsoft-defender-for-endpoint-with-windows-management-instrumentation-wmi). <p> You can use the Microsoft Malware Protection Command-Line Utility (MPCmdRun.exe) to manage Microsoft Defender Antivirus and exclusions, as well as validate connections between your network and the cloud. See [Configure Microsoft Defender for Endpoint with MPCmdRun.exe](manage-atp-post-migration-other-tools.md#configure-microsoft-defender-for-endpoint-with-microsoft-malware-protection-command-line-utility-mpcmdrunexe).|
-|
## See also
security Manage Protection Updates Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-protection-updates-microsoft-defender-antivirus.md
To ensure the best level of protection, Microsoft Update allows for rapid releas
Each source has typical scenarios that depend on how your network is configured, in addition to how often they publish updates, as described in the following table:
-<br>
-
-****
+<br/><br/>
|Location|Sample scenario| |||
Each source has typical scenarios that depend on how your network is configured,
|File share|You have non-Internet-connected devices (such as VMs). You can use your Internet-connected VM host to download the updates to a network share, from which the VMs can obtain the updates. See the [VDI deployment guide](deployment-vdi-microsoft-defender-antivirus.md) for how file shares can be used in virtual desktop infrastructure (VDI) environments.| |Microsoft Endpoint Manager|You are using Microsoft Endpoint Manager to update your endpoints.| |Security intelligence updates for Microsoft Defender Antivirus and other Microsoft antimalware (formerly referred to as MMPC)|[Make sure your devices are updated to support SHA-2](https://support.microsoft.com/help/4472027/2019-sha-2-code-signing-support-requirement-for-windows-and-wsus). Microsoft Defender Antivirus Security intelligence updates are delivered through Windows Update, and starting Monday October 21, 2019 security intelligence updates will be SHA-2 signed exclusively. <br/>Download the latest protection updates because of a recent infection or to help provision a strong, base image for [VDI deployment](deployment-vdi-microsoft-defender-antivirus.md). This option should generally be used only as a final fallback source, and not the primary source. It will only be used if updates cannot be downloaded from Windows Server Update Service or Microsoft Update for [a specified number of days](/windows/threat-protection/microsoft-defender-antivirus/manage-outdated-endpoints-microsoft-defender-antivirus#set-the-number-of-days-before-protection-is-reported-as-out-of-date).|
-|
You can manage the order in which update sources are used with Group Policy, Microsoft Endpoint Configuration Manager, PowerShell cmdlets, and WMI.
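Review bot: the last row of the table ("Security intelligence updates ... formerly referred to as MMPC") still says updates "will be SHA-2 signed exclusively" starting 21 October 2019; that date is past, so state it as a current requirement ("are SHA-2 signed exclusively; make sure your devices support SHA-2") rather than a future change.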
security Manage Updates Baselines Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-updates-baselines-microsoft-defender-antivirus.md
During the technical support (only) phase, commercially reasonable support incid
### Platform version included with Windows 10 releases
-The below table provides the Microsoft Defender Antivirus platform and engine versions that are shipped with the latest Windows 10 releases:
+The below table provides the Microsoft Defender Antivirus platform and engine versions that are shipped with the latest Windows 10 releases:<br/><br/>
|Windows 10 release |Platform version |Engine version |Support phase | |:|:|:|:|
security Mde Plan1 Getting Started https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mde-plan1-getting-started.md
The card provides you with information at a glance, along with a link or button
### Navigation bar makes it easy to find alerts, the Action center, and more
-The navigation bar on the left side of the screen enables you to move easily between incidents, alerts, the Action center, reports, and settings. The following table describes the navigation bar.
+The navigation bar on the left side of the screen enables you to move easily between incidents, alerts, the Action center, reports, and settings. The following table describes the navigation bar.<br/><br/>
| Navigation bar item | Description | |:|:|
security Microsoft Defender Antivirus Compatibility https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-compatibility.md
ms.technology: mde Previously updated : 08/11/2021 Last updated : 09/14/2021 # Microsoft Defender Antivirus compatibility with other security products
This article describes what happens with Microsoft Defender Antivirus and a non-
This section describes what happens with Microsoft Defender Antivirus and non-Microsoft antivirus/antimalware products on endpoints that are not onboarded to Defender for Endpoint. The following table summarizes what to expect:
-<br>
-
-****
+<br/><br/>
|Windows version|Primary antivirus/antimalware solution|Microsoft Defender Antivirus state| ||||| |Windows 10|Microsoft Defender Antivirus|Active mode| |Windows 10|A non-Microsoft antivirus/antimalware solution|Disabled mode (happens automatically)| |Windows Server 2016 <p> Windows Server, version 1803, or newer <p> Windows Server 2019|Microsoft Defender Antivirus|Active mode|
-|Windows Server 2016 <p> Windows Server, version 1803, or newer <p> Windows Server 2019|A non-Microsoft antivirus/antimalware solution|Disabled (set manually) <sup>[[1](#fn1)]<sup></sup>|
+|Windows Server 2016 <p> Windows Server, version 1803, or newer <p> Windows Server 2019|A non-Microsoft antivirus/antimalware solution|Disabled (set manually) <sup>[[1](#fn1)]</sup>|
(<a id="fn1">1</a>) On Windows Server, if you are running a non-Microsoft antivirus product, you can disable Microsoft Defender Antivirus by using Group Policy to turn off Microsoft Defender Antivirus, or by using the [DisableAntiSpyware](/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware) registry key. To use the registry key, navigate to `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender`, and set or create a DWORD entry called `DisableAntiSpyware`. Set its value to `1` (which sets the registry key's value to *true*), and select **Hexadecimal** for its base.
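Review bot: footnote 1, the context line that closes this hunk, should warn that on devices where tamper protection is enabled, writing `DisableAntiSpyware` has no effect until tamper protection is turned off, otherwise readers will set the key and wonder why Microsoft Defender Antivirus stays active. Two smaller points in the same sentence: the link goes to the unattend/OEM documentation for the setting rather than to the Group Policy path the sentence mentions first, and "select Hexadecimal for its base" is noise for a value of `1`, which is the same in either base. The `</sup>` closing-tag fix on the Windows Server row is correct.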
This section describes what happens with Microsoft Defender Antivirus and non-Mi
If your organization is using a non-Microsoft antivirus/antimalware solution together with Defender for Endpoint, Microsoft Defender Antivirus can, depending on your operating system, run in passive mode.
-<br>
-
-****
+<br/><br/>
|Windows version|Primary antivirus/antimalware solution|Microsoft Defender Antivirus state| |||||
If your organization is using a non-Microsoft antivirus/antimalware solution tog
|Windows 10 or later|A non-Microsoft antivirus/antimalware solution|Passive mode (happens automatically)| |Windows Server 2016 <p> Windows Server, version 1803, or newer <p> Windows Server 2019|Microsoft Defender Antivirus|Active mode| |Windows Server, version 1803, or newer <p> Windows Server 2019|A non-Microsoft antivirus/antimalware solution|Passive mode (set manually) <sup>[[2](#fn2)]<sup></sup>|
-|Windows Server 2016|A non-Microsoft antivirus/antimalware solution|Disabled (set manually) <sup>[[3](#fn3)]<sup>|
+|Windows Server 2016|A non-Microsoft antivirus/antimalware solution|Disabled (set manually) <sup>[[3](#fn3)]</sup>|
(<a id="fn2">2</a>) On Windows Server, version 1803, or newer, or Windows Server 2019, when you install a non-Microsoft antivirus product, set Microsoft Defender Antivirus to passive mode manually. You can use the **ForceDefenderPassiveMode** registry key to perform this task. To use the registry key, navigate to `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection`, and set or create a DWORD entry called `ForceDefenderPassiveMode`. Set its value to `1` (which sets the registry key's value to *true*), and select **Hexadecimal** for its base. For more information, see [Passive mode and Windows Server](microsoft-defender-antivirus-on-windows-server.md#passive-mode-and-windows-server).
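Review bot: the `</sup>` fix is applied only to the footnote 3 reference on the Windows Server 2016 row; the footnote 2 reference on the preceding Windows Server, version 1803 / Windows Server 2019 row still carries the same mis-nested markup, `<sup>[[2](#fn2)]<sup></sup>`, and should be changed to `<sup>[[2](#fn2)]</sup>` in the same commit so the two rows render alike.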
The table in this section summarizes the features and capabilities that are acti
> [!IMPORTANT] > The following table is designed to be informational only. **Do not turn off capabilities**, such as real-time protection, cloud-delivered protection, or limited periodic scanning if you are using Microsoft Defender Antivirus in passive mode, or if you are using [EDR in block mode](edr-in-block-mode.md), which works behind the scenes to detect and remediate malicious artifacts that were detected post-breach.
-<br>
-
-****
+<br/><br/>
|Protection|Microsoft Defender Antivirus <p> Active mode|Microsoft Defender Antivirus <p> Passive mode|Microsoft Defender Antivirus <p> Disabled or uninstalled|[EDR in block mode](edr-in-block-mode.md)| ||||||
-|[Real-time protection](configure-real-time-protection-microsoft-defender-antivirus.md) and [cloud-delivered protection](enable-cloud-protection-microsoft-defender-antivirus.md)|Yes|No <sup>[[5](#fn5)]<sup>|No|No|
+|[Real-time protection](configure-real-time-protection-microsoft-defender-antivirus.md) and [cloud-delivered protection](enable-cloud-protection-microsoft-defender-antivirus.md)|Yes|No <sup>[[5](#fn5)]</sup>|No|No|
|[Limited periodic scanning availability](limited-periodic-scanning-microsoft-defender-antivirus.md)|No|No|Yes|No| |[File scanning and detection information](review-scan-results-microsoft-defender-antivirus.md)|Yes|Yes|No|Yes|
-|[Threat remediation](configure-remediation-microsoft-defender-antivirus.md)|Yes|See note <sup>[[6](#fn6)]<sup>|No|Yes|
+|[Threat remediation](configure-remediation-microsoft-defender-antivirus.md)|Yes|See note <sup>[[6](#fn6)]</sup>|No|Yes|
|[Security intelligence updates](manage-updates-baselines-microsoft-defender-antivirus.md)|Yes|Yes|No|Yes|
-||||||
(<a id="fn5">5</a>) In general, when Microsoft Defender Antivirus is in passive mode, real-time protection does not provide any blocking or enforcement, even though it is enabled and in passive mode.
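Review bot: footnote 5, the closing context line, reads circularly ("does not provide any blocking or enforcement, even though it is enabled and in passive mode"); say what a reader needs, for example "in passive mode, real-time protection is turned on but performs no blocking or enforcement; detections are still reported to Defender for Endpoint", which also matches the "File scanning and detection information: Yes" cell for passive mode in the table above. The `</sup>` fixes on the fn5 and fn6 references are correct.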
The table in this section summarizes the features and capabilities that are acti
You can use one of several methods to confirm the state of Microsoft Defender Antivirus, as described in the following table:
-<br>
-
-****
+<br/><br/>
|Method|Procedure| |||
-|Windows Security app|<ol><li>On a Windows device, open the Windows Security app.</li><li>Select **Virus & threat protection**.</li><li>Under **Who's protecting me?** select **Manage providers**.</li><li>On the **Security providers** page, under **Antivirus**, you should see **Microsoft Defender Antivirus is turned on**.</li></ol>|
-|Task Manager|<ol><li>On a Windows device, open the Task Manager app.</li><li>Select the **Details** tab.</li><li>Look for **MsMpEng.exe** in the list.</li></ol>|
-|Windows PowerShell <p> (To confirm that Microsoft Defender Antivirus is running)|<ol><li>On a Windows device, open Windows PowerShell</li><li>Run the following PowerShell cmdlet: `Get-Process`.</li><li>Review the results. You should see **MsMpEng.exe** if Microsoft Defender Antivirus is enabled.</li></ol>|
-|Windows PowerShell <p> (To confirm that antivirus protection is in place)|You can use the [Get-MpComputerStatus PowerShell cmdlet](/powershell/module/defender/get-mpcomputerstatus). <ol><li>On a Windows device, open Windows PowerShell.</li><li>Run following PowerShell cmdlet: `Get-MpComputerStatus|select AMRunningMode`.</li><li>Review the results. You should see either **Normal** or **Passive** if Microsoft Defender Antivirus is enabled on the endpoint.</li></ol>|
-|Command Prompt|<ol><li>On a Windows device, open Command Prompt.</li><li>Type `sc query windefend`, and then press Enter.</li><li>Review the results to confirm that Microsoft Defender Antivirus is running in passive mode.</li></ol>|
-|||
+|Windows Security app| 1. On a Windows device, open the Windows Security app.<br/>2. Select **Virus & threat protection**.<br/>3. Under **Who's protecting me?** select **Manage providers**.<br/>4. On the **Security providers** page, under **Antivirus**, you should see **Microsoft Defender Antivirus is turned on**.|
+|Task Manager| 1. On a Windows device, open the Task Manager app.<br/>2. Select the **Details** tab.<br/>3. Look for **MsMpEng.exe** in the list.|
+|Windows PowerShell <p> (To confirm that Microsoft Defender Antivirus is running)| 1. On a Windows device, open Windows PowerShell. <br/>2. Run the following PowerShell cmdlet: `Get-Process`.<br/>3. Review the results. You should see **MsMpEng.exe** if Microsoft Defender Antivirus is enabled.|
+|Windows PowerShell <p> (To confirm that antivirus protection is in place)| You can use the [Get-MpComputerStatus PowerShell cmdlet](/powershell/module/defender/get-mpcomputerstatus). <br/><br/>1. On a Windows device, open Windows PowerShell.<br/>2. Run following PowerShell cmdlet: `Get-MpComputerStatus|select AMRunningMode`.<br/>3. Review the results. You should see either **Normal** or **Passive** if Microsoft Defender Antivirus is enabled on the endpoint. |
+|Command Prompt| 1. On a Windows device, open Command Prompt.<br/>2. Type `sc query windefend`, and then press Enter.<br/>3. Review the results to confirm that Microsoft Defender Antivirus is running in passive mode. |
## More details about Microsoft Defender Antivirus states The table in this section describes various states you might see with Microsoft Defender Antivirus.
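Review bot: in the verification table above, the Command Prompt row still tells the reader to run `sc query windefend` and "confirm that Microsoft Defender Antivirus is running in passive mode"; the service query only shows whether the WinDefend service is RUNNING or STOPPED and cannot distinguish active from passive mode, so step 3 should say "confirm that the service is running" and defer to the `Get-MpComputerStatus | select AMRunningMode` row for the mode. The same caveat applies to the Task Manager and `Get-Process` rows: `MsMpEng.exe` is present in passive mode too, so those checks prove the engine is loaded, not that it is enforcing. Separately, replacing `<ol><li>` with `<br/>`-separated "1." "2." "3." text drops the list semantics for screen readers; a Markdown ordered list inside the cell is not possible, but the original HTML list was the better of the two.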
-<br>
-
-****
+<br/><br/>
-|Microsoft Defender Antivirus state|What happens|
+| State | What happens |
|||
-|Active mode|In active mode, Microsoft Defender Antivirus is used as the antivirus app on the machine. Settings that are configured by using Configuration Manager, Group Policy, Microsoft Intune, or other management products will apply. Files are scanned, threats are remediated, and detection information is reported in your configuration tool (such as Configuration Manager or the Microsoft Defender Antivirus app on the endpoint itself).|
-|Passive mode|In passive mode, Microsoft Defender Antivirus is not used as the antivirus app, and threats are *not* remediated by Microsoft Defender Antivirus. Threats can be remediated by [Endpoint detection and response (EDR) in block mode](edr-in-block-mode.md), however. <p> Files are scanned, and reports are provided for threat detections that are shared with the Defender for Endpoint service. You might see alerts in the [security center](microsoft-defender-security-center.md) showing Microsoft Defender Antivirus as a source, even when Microsoft Defender Antivirus is in passive mode. <p> When Microsoft Defender Antivirus is in passive mode, you can still [manage updates for Microsoft Defender Antivirus](manage-updates-baselines-microsoft-defender-antivirus.md); however, you can't move Microsoft Defender Antivirus into active mode if your devices have a non-Microsoft antivirus product that is providing real-time protection from malware. <p> For optimal security layered defense and detection efficacy, make sure to get your antivirus and antimwalware updates, even if Microsoft Defender Antivirus is running in passive mode. See [Manage Microsoft Defender Antivirus updates and apply baselines](manage-updates-baselines-microsoft-defender-antivirus.md). <p> **NOTE**: Passive mode is not supported on Windows Server 2016.|
-|Disabled <p> or <p> Uninstalled|When disabled or uninstalled, Microsoft Defender Antivirus is not used as the antivirus app. Files are not scanned and threats are not remediated. <p> Disabling or uninstalling Microsoft Defender Antivirus is not recommended in general; if possible, keep Microsoft Defender Antivirus in passive mode if you are using a non-Microsoft antimalware/antivirus solution. <p> In cases where Microsoft Defender Antivirus is disabled automatically, it can be re-enabled automatically if the non-Microsoft antivirus/antimalware product expires or otherwise stops providing real-time protection from viruses, malware, or other threats. The automatic re-enabling of Microsoft Defender Antivirus helps to ensure that antivirus protection is maintained on your endpoints. <p> You might also use [limited periodic scanning](limited-periodic-scanning-microsoft-defender-antivirus.md), which works with the Microsoft Defender Antivirus engine to periodically check for threats if you are using a non-Microsoft antivirus app.|
-|||
+| Active mode | In active mode, Microsoft Defender Antivirus is used as the antivirus app on the machine. Settings that are configured by using Configuration Manager, Group Policy, Microsoft Intune, or other management products will apply. Files are scanned, threats are remediated, and detection information is reported in your configuration tool (such as Configuration Manager or the Microsoft Defender Antivirus app on the endpoint itself). |
+| Passive mode | In passive mode, Microsoft Defender Antivirus is not used as the antivirus app, and threats are *not* remediated by Microsoft Defender Antivirus. Threats can be remediated by [Endpoint detection and response (EDR) in block mode](edr-in-block-mode.md), however. <p> Files are scanned, and reports are provided for threat detections that are shared with the Defender for Endpoint service. You might see alerts in the [security center](microsoft-defender-security-center.md) showing Microsoft Defender Antivirus as a source, even when Microsoft Defender Antivirus is in passive mode. <p> When Microsoft Defender Antivirus is in passive mode, you can still [manage updates for Microsoft Defender Antivirus](manage-updates-baselines-microsoft-defender-antivirus.md); however, you can't move Microsoft Defender Antivirus into active mode if your devices have a non-Microsoft antivirus product that is providing real-time protection from malware. <p> For optimal security layered defense and detection efficacy, make sure to get your antivirus and antimwalware updates, even if Microsoft Defender Antivirus is running in passive mode. See [Manage Microsoft Defender Antivirus updates and apply baselines](manage-updates-baselines-microsoft-defender-antivirus.md). <p> **NOTE**: Passive mode is not supported on Windows Server 2016. |
+| Disabled <p> or <p> Uninstalled | When disabled or uninstalled, Microsoft Defender Antivirus is not used as the antivirus app. Files are not scanned and threats are not remediated. <p> Disabling or uninstalling Microsoft Defender Antivirus is not recommended in general; if possible, keep Microsoft Defender Antivirus in passive mode if you are using a non-Microsoft antimalware/antivirus solution. <p> In cases where Microsoft Defender Antivirus is disabled automatically, it can be re-enabled automatically if the non-Microsoft antivirus/antimalware product expires or otherwise stops providing real-time protection from viruses, malware, or other threats. The automatic re-enabling of Microsoft Defender Antivirus helps to ensure that antivirus protection is maintained on your endpoints. <p> You might also use [limited periodic scanning](limited-periodic-scanning-microsoft-defender-antivirus.md), which works with the Microsoft Defender Antivirus engine to periodically check for threats if you are using a non-Microsoft antivirus app. |
+ ## See also
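Review bot: the rewritten Passive mode row carries over the typo "antimwalware" ("antivirus and antimwalware updates") from the removed line; since the row is being rewritten anyway, fix it to "antimalware" here. Also the added `+ ## See also` line has a leading space before `##`; it still renders as a heading, but the other headings in these files have none, so drop it.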
security Microsoft Defender Antivirus On Windows Server https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-on-windows-server.md
To get updated antimalware security intelligence, you must have the Windows Upda
By default, Windows Update does not download and install updates automatically on Windows Server 2019 or Windows Server 2016. You can change this configuration by using one of the following methods:
-<br>
-
-****
+<br/><br/>
|Method|Description| ||| |**Windows Update** in Control Panel|**Install updates automatically** results in all updates being automatically installed, including Windows Defender Security intelligence updates. <p> **Download updates but let me choose whether to install them** allows Windows Defender to download and install Security intelligence updates automatically, but other updates are not automatically installed.| |**Group Policy**|You can set up and manage Windows Update by using the settings available in Group Policy, in the following path: **Administrative Templates\Windows Components\Windows Update\Configure Automatic Updates**| |The **AUOptions** registry key|The following two values allow Windows Update to automatically download and install Security intelligence updates: <p> **4** - **Install updates automatically**. This value results in all updates being automatically installed, including Windows Defender Security intelligence updates. <p> **3** - **Download updates but let me choose whether to install them**. This value allows Windows Defender to download and install Security intelligence updates automatically, but other updates are not automatically installed.|
-|
To ensure that protection from malware is maintained, we recommend that you enable the following
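Review bot: the **AUOptions** row of the table names the value but never says which key it lives under, while the Group Policy row gives its full path; add the policy key, `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU`, DWORD `AUOptions`, so the row is actionable, and note that values `3` and `4` only take effect when automatic updates are not also disabled by policy. Please also confirm that the "**Windows Update** in Control Panel" wording matches the update UI on Windows Server 2016 and 2019, since the rest of the article is about those two versions.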
security Microsoft Defender Security Center https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-security-center.md
Microsoft Defender Security Center is the portal where you can access Microsoft
## In this section
-Topic | Description
-:|:
-Get started | Learn about the minimum requirements, validate licensing and complete setup, know about preview features, understand data storage and privacy, and how to assign user access to the portal.
-[Onboard devices](onboard-configure.md) | Learn about onboarding client, server, and non-Windows devices. Learn how to run a detection test, configure proxy and Internet connectivity settings, and how to troubleshoot potential onboarding issues.
-[Understand the portal](use.md) | Understand the Security operations, Secure Score, and Threat analytics dashboards as well as how to navigate the portal.
-Investigate and remediate threats | Investigate alerts, devices, and take response actions to remediate threats.
-API and SIEM support | Use the supported APIs to pull and create custom alerts, or automate workflows. Use the supported SIEM tools to pull alerts from Microsoft Defender Security Center.
-Reporting | Create and build Power BI reports using Microsoft Defender for Endpoint data.
-Check service health and sensor state | Verify that the service is running and check the sensor state on devices.
-[Configure Microsoft Defender Security Center settings](preferences-setup.md) | Configure general settings, turn on the preview experience, notifications, and enable other features.
-[Access the Microsoft Defender for Endpoint Community Center](community.md) | Access the Microsoft Defender for Endpoint Community Center to learn, collaborate, and share experiences about the product.
-[Troubleshoot service issues](troubleshoot-mdatp.md) | This section addresses issues that might arise as you use the Microsoft Defender for Endpoint service.
+<br>
+
+****
+
+|Topic|Description|
+|||
+|Get started|Learn about the minimum requirements, validate licensing and complete setup, know about preview features, understand data storage and privacy, and how to assign user access to the portal.|
+|[Onboard devices](onboard-configure.md)|Learn about onboarding client, server, and non-Windows devices. Learn how to run a detection test, configure proxy and Internet connectivity settings, and how to troubleshoot potential onboarding issues.|
+|[Understand the portal](use.md)|Understand the Security operations, Secure Score, and Threat analytics dashboards as well as how to navigate the portal.|
+|Investigate and remediate threats|Investigate alerts, devices, and take response actions to remediate threats.|
+|API and SIEM support|Use the supported APIs to pull and create custom alerts, or automate workflows. Use the supported SIEM tools to pull alerts from Microsoft Defender Security Center.|
+|Reporting|Create and build Power BI reports using Microsoft Defender for Endpoint data.|
+|Check service health and sensor state|Verify that the service is running and check the sensor state on devices.|
+|[Configure Microsoft Defender Security Center settings](preferences-setup.md)|Configure general settings, turn on the preview experience, notifications, and enable other features.|
+|[Access the Microsoft Defender for Endpoint Community Center](community.md)|Access the Microsoft Defender for Endpoint Community Center to learn, collaborate, and share experiences about the product.|
+|[Troubleshoot service issues](troubleshoot-mdatp.md)|This section addresses issues that might arise as you use the Microsoft Defender for Endpoint service.|
+|
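Review bot: this hunk goes the opposite way from every other hunk on the page: it introduces the `<br>`, blank line, `****` spacer block and a trailing lone `|` line after the table, which are exactly the patterns the Defender for Endpoint hunks above remove in favour of `<br/><br/>` and a clean table end. Pick one convention; if the `<br/><br/>` form is the target, this table should use it too, and the stray `+|` at the end of the table should go.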
security Migrating Asr Rules https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/migrating-asr-rules.md
This article helps you to map common rules to Microsoft Defender for Endpoint.
## Scenarios when migrating from a third-party HIPS product to ASR rules
-### Block creation of specific files and registry keys
+### Block creation of specific files
- **Applies to**- All processes - **Operation**- File Creation
This article helps you to map common rules to Microsoft Defender for Endpoint.
- **Attack Surface Reduction rules**- ASR rules block the attack techniques and not the Indicators of Compromise (IOC). Blocking a specific file extension isn't always useful, as it doesn't prevent a device from compromise. It only partially thwarts an attack until attackers create a new type of extension for the payload. - **Other recommended features**- Having Microsoft Defender AV enabled, along with Cloud Protection and Behavior Analysis is highly recommended. We recommend that you use other prevention, such as the ASR rule "Use advanced protection against ransomware". This provides a greater level of protection against ransomware attacks. Furthermore, many of these registry keys are monitored by Microsoft Defender for Endpoint, such as ASEP techniques, which will trigger specific alerts. The registry keys used require a minimum of Local Admin or Trusted Installer privileges can be modified. Using a locked down environment, with minimum administrative accounts or rights, is recommended. Other system configurations can be enabled, including "Disable SeDebug for non-required roles" that are part of our wider security recommendations.
-### Block creation of specific files and registry keys
+### Block creation of specific registry keys
- **Applies to**- All Processes - **Processes**- N/A
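Review bot: after the heading split, the "Other recommended features" text in the first section (the context line above this hunk, "Furthermore, many of these registry keys are monitored by Microsoft Defender for Endpoint ... The registry keys used require a minimum of Local Admin or Trusted Installer privileges can be modified") now sits under "Block creation of specific files" although it is about registry keys, so it belongs under the new "Block creation of specific registry keys" heading, or the files section needs its own recommendations. The quoted sentence is also broken: read "The registry keys involved can only be modified with at least Local Admin or TrustedInstaller privileges".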
This article helps you to map common rules to Microsoft Defender for Endpoint.
- **Attack Surface Reduction rules**- ASR rules have a built-in rule to prevent Office communication apps (Outlook, Skype, and Teams) from launching child processes: "Block Office communication application from creating child processes", GUID "26190899-1602-49e8-8b27-eb1d0a1ce869". - **Other recommended features**- We recommend enabling PowerShell constrained language mode to minimize the attack surface from PowerShell.
+### Block Office Apps from launching child processes
-### Block Office Apps from launching child processes and from creating executable content
--- **Applies to**- Office
+- **Applies to**- Office
- **Processes**- winword.exe, powerpnt.exe, excel.exe - **Operation**- Process Execution - **Examples of Files/Folders, Registry Keys/Values, Processes, Services**- powershell.exe, cmd.exe, wscript.exe, mshta.exe, EQNEDT32.EXE, regsrv32.exe - **Attack Surface Reduction rules**- ASR rules have a built-in rule to prevent Office apps from launching child processes: "Block all Office applications from creating child processes", GUID "d4f940ab-401b-4efc-aadc-ad5f3c50688a". - **Other recommended features**- N/A
-
-### Block Office Apps from launching child processes and from creating executable content
+
+### Block Office Apps from creating executable content
- **Applies to**- Office - **Processes**- winword.exe, powerpnt.exe, excel.exe
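Review bot: the split into "Block Office Apps from launching child processes" and "Block Office Apps from creating executable content" leaves a typo in the examples bullet of the first section, `regsrv32.exe`, which should be `regsvr32.exe`; fix it in the same change. The doubled bullet marker fix (`-- **Applies to**- Office` to `- **Applies to**- Office`) is correct, but the new "creating executable content" section shows only the **Applies to** and **Processes** bullets in this hunk, so confirm its **Operation**, **Examples** and **Attack Surface Reduction rules** bullets are present after the split rather than left attached to the first section.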
This article helps you to map common rules to Microsoft Defender for Endpoint.
- **Attack Surface Reduction rules**- ASR rules allow blocking Adobe Reader from launching child processes. The rule name is "Block Adobe Reader from creating child processes", GUID "7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c". - **Other recommended features**- N/A - ### Block download or creation of executable content -- **Applies to**- CertUtil: Block download or creation of executable
+- **Applies to**- CertUtil: Block download or creation of executable
- **Processes**- certutil.exe - **Operation**- File Creation - **Examples of Files/Folders, Registry Keys/Values, Processes, Services**- *.exe - **Attack Surface Reduction rules**- ASR rules don't support these scenarios because they're a part of Microsoft Defender Antivirus protection. - **Other recommended features**- Microsoft Defender AV prevents CertUtil from creating or downloading executable content. - ### Block processes from stopping critical System components - **Applies to**- All Processes
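Review bot: the heading text `### Block download or creation of executable content` appears only on the removed side of this hunk, while the added line carries just the `- **Applies to**- CertUtil: Block download or creation of executable` bullet; if the heading is really dropped, the CertUtil entry lands under the Adobe Reader section. Keep the heading on its own line above the bullet (the removal of the doubled `--` marker itself is right).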
This article helps you to map common rules to Microsoft Defender for Endpoint.
- **Examples of Files/Folders, Registry Keys/Values, Processes, Services**- tor.exe, bittorrent.exe, cmd.exe, powershell.exe, and more - **Attack Surface Reduction rules**- Overall, ASR rules aren't designed to function as an Application manager. - **Other recommended features**- To prevent users from launching specific processes or programs, it's recommended to use Windows Defender Application Control. Microsoft Defender for Endpoint File and Cert indicators, can be used in an Incident Response scenario (shouldn't be seen as an application control mechanism).
-
+ ### Block unauthorized changes to Microsoft Defender Antivirus configurations - **Applies to**- All Processes
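Review bot: as shown here, the added line puts the new `### Block unauthorized changes to Microsoft Defender Antivirus configurations` heading and the `- **Applies to**- All Processes` bullet on one line, with a leading space before `###`; a bullet that follows a heading on the same line becomes heading text rather than a list item. Put the heading on its own line, flush left like the other `###` headings in this file, with the bullet list starting on the next line.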
security Migration Guides https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/migration-guides.md
ms.technology: mde
If you're considering moving to Defender for Endpoint, we have guidance to help. In the following table, review the scenarios. Select the scenario that best represents your situation, and see the recommended guidance.
-| Scenario | Guidance |
-|:-|:-|
-| You don't have an endpoint protection solution in place yet, and you want to know more about Defender for Endpoint. You want to see how Defender for Endpoint works before rolling it out in your environment. | [Microsoft Defender for Endpoint evaluation lab](evaluation-lab.md) |
-| You already have Defender for Endpoint, and you want some help getting everything set up and configured. | [Microsoft Defender for Endpoint deployment guide](deployment-phases.md) |
-| You're planning to switch from a non-Microsoft endpoint protection solution to Defender for Endpoint and Microsoft Defender Antivirus. You want to get an overview of the migration process and how to make the switch. |[Make the switch to Microsoft Defender for Endpoint](switch-to-microsoft-defender-migration.md) |
-| You've already migrated or onboarded to Defender for Endpoint. You want some help with next steps, such as managing your security settings, configuring more features, or fine-tuning your security policies. | [Manage Microsoft Defender for Endpoint, post-migration](manage-atp-post-migration.md) |
+<br>
+****
+
+|Scenario|Guidance|
+|||
+|You don't have an endpoint protection solution in place yet, and you want to know more about Defender for Endpoint. You want to see how Defender for Endpoint works before rolling it out in your environment.|[Microsoft Defender for Endpoint evaluation lab](evaluation-lab.md)|
+|You already have Defender for Endpoint, and you want some help getting everything set up and configured.|[Microsoft Defender for Endpoint deployment guide](deployment-phases.md)|
+|You're planning to switch from a non-Microsoft endpoint protection solution to Defender for Endpoint and Microsoft Defender Antivirus. You want to get an overview of the migration process and how to make the switch.|[Make the switch to Microsoft Defender for Endpoint](switch-to-microsoft-defender-migration.md)|
+|You've already migrated or onboarded to Defender for Endpoint. You want some help with next steps, such as managing your security settings, configuring more features, or fine-tuning your security policies.|[Manage Microsoft Defender for Endpoint, post-migration](manage-atp-post-migration.md)|
+|
## Do you have feedback for us?
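Review bot: the rebuilt table's delimiter row reads `|||` here; GFM needs at least one hyphen per cell (`|---|---|`) for the header row to be recognized, so confirm that is what the file contains. The lone `|` line after the last row is stray and should be removed, and the `<br>` plus `****` inserted above the table add a line break and a horizontal rule the removed version did not have; keep them only if that is the intended house style for tables.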
security Minimum Requirements https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/minimum-requirements.md
ms.technology: mde
There are some minimum requirements for onboarding devices to the service. Learn about the licensing, hardware and software requirements, and other configuration settings to onboard devices to the service. > [!TIP]
+>
> - This article describes the minimum requirements for Microsoft Defender for Endpoint Plan 2. If you are looking for information about Defender for Endpoint Plan 1 (preview), see [Requirements for Defender for Endpoint Plan 1 (preview)](mde-p1-setup-configuration.md#review-the-requirements). > - Learn about the latest enhancements in Defender for Endpoint: [Defender for Endpoint Tech Community](https://techcommunity.microsoft.com/t5/Windows-Defender-Advanced-Threat/ct-p/WindowsDefenderAdvanced). > - Defender for Endpoint demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation. Read: [Insights from the MITRE ATT&CK-based evaluation](https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/).
Microsoft Defender for Endpoint for servers requires one of the following licens
> [!NOTE] > Customers may acquire server licenses (one per covered server Operating System Environment (OSE)) for Microsoft Defender for Endpoint for Servers if they have a combined minimum of 50 licenses for one or more of the following user licenses: >
-> * Microsoft Defender for Endpoint
-> * Windows E5/A5
-> * Microsoft 365 E5/A5
-> * Microsoft 365 E5/A5 Security
+> - Microsoft Defender for Endpoint
+> - Windows E5/A5
+> - Microsoft 365 E5/A5
+> - Microsoft 365 E5/A5 Security
For detailed licensing information, see the [Product Terms site](https://www.microsoft.com/licensing/terms/) and work with your account team to learn more about the terms and conditions. For more information on the array of features in Windows 10 editions, see [Compare Windows 10 editions](https://www.microsoft.com/windowsforbusiness/compare). -- ## Browser requirements Access to Defender for Endpoint is done through a browser, supporting the following browsers:
Access to Defender for Endpoint is done through a browser, supporting the follow
> [!NOTE] > While other browsers might work, the mentioned browsers are the ones supported. - ## Hardware and software requirements ### Supported Windows versions
The hardware requirements for Defender for Endpoint on devices are the same for
> > For virtual environments, we recommend using Windows 10 Enterprise LTSC 2019 or later. - ### Other supported operating systems - [Android](microsoft-defender-endpoint-android.md)
The hardware requirements for Defender for Endpoint on devices are the same for
> [!NOTE] > You'll need to confirm the Linux distributions and versions of Android, iOS, and macOS are compatible with Defender for Endpoint for the integration to work. -- ### Network and data storage and configuration requirements When you run the onboarding wizard for the first time, you must choose where your Microsoft Defender for Endpoint-related information is stored: in the European Union, the United Kingdom, or the United States datacenter. > [!NOTE]
+>
> - You cannot change your data storage location after the first-time setup. > - Review the [Microsoft Defender for Endpoint data storage and privacy](data-storage-privacy.md) for more information on where and how Microsoft stores your data. - ### Diagnostic data settings > [!NOTE]
When you run the onboarding wizard for the first time, you must choose where you
Make sure that the diagnostic data service is enabled on all the devices in your organization. By default, this service is enabled. It's good practice to check to ensure that you'll get sensor data from them.
-**Use the command line to check the Windows 10 diagnostic data service startup type**:
+#### Use the command line to check the Windows 10 diagnostic data service startup type
1. Open an elevated command-line prompt on the device:-
- 1. Go to **Start** and type **cmd**.
-
- 1. Right-click **Command prompt** and select **Run as administrator**.
+ 1. Go to **Start** and type **cmd**.
+ 2. Right-click **Command prompt** and select **Run as administrator**.
2. Enter the following command, and press **Enter**:
By default, this service is enabled. It's good practice to check to ensure that
![Result of the sc query command for diagtrack.](images/windefatp-sc-qc-diagtrack.png) - You'll need to set the service to automatically start if the **START_TYPE** isn't set to **AUTO_START**.
+#### Use the command line to set the Windows 10 diagnostic data service to automatically start
-**Use the command line to set the Windows 10 diagnostic data service to automatically start:**
-
-1. Open an elevated command-line prompt on the endpoint:
-
+1. Open an elevated command-line prompt on the endpoint:
1. Go to **Start** and type **cmd**.
+ 2. Right-click **Command prompt** and select **Run as administrator**.
- 1. Right-click **Command prompt** and select **Run as administrator**.
-
-2. Enter the following command, and press **Enter**:
+2. Enter the following command, and press **Enter**:
```console sc config diagtrack start=auto ```
-3. A success message is displayed. Verify the change by entering the following command, and press **Enter**:
+3. A success message is displayed. Verify the change by entering the following command, and press **Enter**:
```console sc qc diagtrack ``` - #### Internet connectivity Internet connectivity on devices is required either directly or through proxy.
For more information on additional proxy configuration settings, see [Configure
Before you onboard devices, the diagnostic data service must be enabled. The service is enabled by default in Windows 10. - ## Microsoft Defender Antivirus configuration requirement The Defender for Endpoint agent depends on the ability of Microsoft Defender Antivirus to scan files and provide information about them.
If you're onboarding servers and Microsoft Defender Antivirus isn't the active a
> [!NOTE] > Your regular group policy doesn't apply to Tamper Protection, and changes to Microsoft Defender Antivirus settings will be ignored when Tamper Protection is on. - ## Microsoft Defender Antivirus Early Launch Antimalware (ELAM) driver is enabled If you're running Microsoft Defender Antivirus as the primary antimalware product on your devices, the Defender for Endpoint agent will successfully onboard. If you're running a third-party antimalware client and use Mobile Device Management solutions or Microsoft Endpoint Manager (current branch), you'll need to ensure the Microsoft Defender Antivirus ELAM driver is enabled. For more information, see [Ensure that Microsoft Defender Antivirus is not disabled by policy](troubleshoot-onboarding.md#ensure-that-microsoft-defender-antivirus-is-not-disabled-by-a-policy). - ## Related topics - [Set up Microsoft Defender for Endpoint deployment](production-deployment.md)
security Network Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/network-devices.md
localization_priority: Normal audience: ITPro-+ - m365-security-compliance - m365initiative-defender-endpoint
ms.technology: mde
> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-portaloverview-abovefoldlink)
-> [!NOTE]
+> [!NOTE]
> The [Network device discovery and vulnerability assessments](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/network-device-discovery-and-vulnerability-assessments/ba-p/2267548) Blog \(published 04-13-2021\) provides insights into the new **Network device discovery** capabilities in Defender for Endpoint. This article provides an overview of the challenge that **Network device discovery** is designed to address, and detailed information about how get started using these new capabilities.
-Network discovery capabilities are available in the **Device inventory** section of the Microsoft 365 security center and Microsoft 365 Defender consoles.
+Network discovery capabilities are available in the **Device inventory** section of the Microsoft 365 security center and Microsoft 365 Defender consoles.
-A designated Microsoft Defender for Endpoint device will be used on each network segment to perform periodic authenticated scans of preconfigured network devices. Once discovered, Defender for Endpoint's threat and vulnerability management capabilities provide integrated workflows to secure discovered switches, routers, WLAN controllers, firewalls, and VPN gateways.
+A designated Microsoft Defender for Endpoint device will be used on each network segment to perform periodic authenticated scans of preconfigured network devices. Once discovered, Defender for Endpoint's threat and vulnerability management capabilities provide integrated workflows to secure discovered switches, routers, WLAN controllers, firewalls, and VPN gateways.
Once the network devices are discovered and classified, security administrators will be able to receive the latest security recommendations and review recently discovered vulnerabilities on network devices deployed across their organizations.
There will be two types of devices to keep in mind:
- **Assessment device**: A device that's already onboarded that you'll use to scan the network devices. - **Network devices**: The network devices you plan to scan and onboard.
-### Vulnerability management for network devices
+### Vulnerability management for network devices
-Once the network devices are discovered and classified, security administrators will be able to receive the latest security recommendations and review recently discovered vulnerabilities on network devices deployed across their organizations.
+Once the network devices are discovered and classified, security administrators will be able to receive the latest security recommendations and review recently discovered vulnerabilities on network devices deployed across their organizations.
## Operating systems that are supported
More networking vendors and OS will be added over time, based on data gathered f
Your first step is to select a device that will perform the authenticated network scans.
-1. Decide on a Defender for Endpoint onboarded device (client or server) that has a network connection to the management port for the network devices you plan on scanning.
+1. Decide on a Defender for Endpoint onboarded device (client or server) that has a network connection to the management port for the network devices you plan on scanning.
2. SNMP traffic between the Defender for Endpoint assessment device and the targeted network devices must be allowed (for example, by the Firewall).
-3. Decide which network devices will be assessed for vulnerabilities (for example: a Cisco switch or a Palo Alto Networks firewall).
+3. Decide which network devices will be assessed for vulnerabilities (for example: a Cisco switch or a Palo Alto Networks firewall).
4. Make sure SNMP read-only is enabled on all configured network devices to allow the Defender for Endpoint assessment device to query the configured network devices. 'SNMP write' isn't needed for the proper functionality of this feature. 5. Obtain the IP addresses of the network devices to be scanned (or the subnets where these devices are deployed).
-6. Obtain the SNMP credentials of the network devices (for example: Community String, noAuthNoPriv, authNoPriv, authPriv). You'll be required to provide the credentials when configuring a new assessment job.
+6. Obtain the SNMP credentials of the network devices (for example: Community String, noAuthNoPriv, authNoPriv, authPriv). You'll be required to provide the credentials when configuring a new assessment job.
7. Proxy client configuration: No extra configuration is required other than the Defender for Endpoint device proxy requirements. 8. To allow the network scanner to be authenticated and work properly, it's essential that you add the following domains/URLs:
- - login.windows.net
- - *.security.microsoft.com
+ - login.windows.net
+ - \*.security.microsoft.com
- login.microsoftonline.com
- - *.blob.core.windows.net/networkscannerstable/ *
+ - \*.blob.core.windows.net/networkscannerstable/\*
> [!NOTE] > Not all URLs are specified in the Defender for Endpoint documented list of allowed data collection. ## Permissions
-To configure assessment jobs, the following user permission option is required: **Manage security settings in Security Center**. You can find the permission by going to **Settings** > **Roles**. For more information, see [Create and manage roles for role-based access control](user-roles.md).
+To configure assessment jobs, the following user permission option is required: **Manage security settings in Security Center**. You can find the permission by going to **Settings** \> **Roles**. For more information, see [Create and manage roles for role-based access control](user-roles.md).
## Install the network scanner
-1. Go to **Microsoft 365 security** > **Settings** > **Endpoints** > **Assessment jobs** (under **Network assessments**).
+1. Go to **Microsoft 365 security** \> **Settings** \> **Endpoints** \> **Assessment jobs** (under **Network assessments**).
1. In the Microsoft 365 Defender portal, go to Settings > Assessment jobs page. 2. Download the network scanner and install it on the designated Defender for Endpoint assessment device.
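Review bot: the added step `1. Go to **Microsoft 365 security** \> **Settings** \> **Endpoints** \> **Assessment jobs**...` duplicates the unchanged step that follows it, `1. In the Microsoft 365 Defender portal, go to Settings > Assessment jobs page.`, so the procedure now has two step 1s describing the same navigation under two portal names. Keep one path (and escape its `>` separators the same way) before `2. Download the network scanner...`.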
To complete the network scanner registration process:
3. When finished, you should see a message confirming you have signed in.
-## Configure a new assessment job
+## Configure a new assessment job
In the Assessment jobs page in **Settings**, select **Add network assessment job**. Follow the set-up process to choose network devices to be scanned regularly and added to the device inventory.
Adding a network assessment job steps:
1. Choose an 'Assessment job' name and the 'Assessment device' on which the network scanner was installed. This device will perform the periodic authenticated scans.
-2. Add IP addresses of target network devices to be scanned (or the subnets where these devices are deployed).
+2. Add IP addresses of target network devices to be scanned (or the subnets where these devices are deployed).
-3. Add required SNMP credentials of the target network devices.
+3. Add required SNMP credentials of the target network devices.
-4. Save the newly configured network assessment job to start the periodic network scan.
+4. Save the newly configured network assessment job to start the periodic network scan.
### Scan and add network devices
During the set-up process, you can perform a one time test scan to verify that:
- There is connectivity between the Defender for Endpoint assessment device and the configured target network devices. - The configured SNMP credentials are correct.
-Each assessment device can support up to 1,500 successful IP addresses scan. For example, if you scan 10 different subnets where only 100 IP addresses return successful results, you will be able to scan 1,400 IP additional addresses from other subnets on the same assessment device.
+Each assessment device can support up to 1,500 successful IP addresses scan. For example, if you scan 10 different subnets where only 100 IP addresses return successful results, you will be able to scan 1,400 IP additional addresses from other subnets on the same assessment device.
If there are multiple IP address ranges/subnets to scan, the test scan results will take several minutes to show up. A test scan will be available for up to 1,024 addresses.
Verify that the required URLs are added to the allowed domains in your firewall.
The scan results should be updated a few hours after the initial scan that took place after completing the assessment job configuration.
-If devices are still not shown, verify that the service 'MdatpNetworkScanService' is running on your assessment devices, on which you installed the network scanner, and perform a "Run scan" in the relevant assessment job configuration.
+If devices are still not shown, verify that the service 'MdatpNetworkScanService' is running on your assessment devices, on which you installed the network scanner, and perform a "Run scan" in the relevant assessment job configuration.
-If you still don't get results after 5 minutes, restart the service.
+If you still don't get results after 5 minutes, restart the service.
### Devices last seen time is longer than 24 hours
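Review bot: two wording problems in the `Each assessment device can support...` line this hunk re-adds: "1,500 successful IP addresses scan" should read "up to 1,500 successfully scanned IP addresses", and "1,400 IP additional addresses" should be "1,400 additional IP addresses". Since the line is being touched anyway (whitespace only), fix the wording in the same change.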
security Next Gen Threat And Vuln Mgt https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/next-gen-threat-and-vuln-mgt.md
ms.technology: mde
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) - > Want to experience Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-portaloverview-abovefoldlink) Effectively identifying, assessing, and remediating endpoint weaknesses is pivotal in running a healthy security program and reducing organizational risk. Threat and vulnerability management serves as an infrastructure for reducing organizational exposure, hardening endpoint surface area, and increasing organizational resilience.
Discover vulnerabilities and misconfigurations in real time with sensors, and wi
Watch this video for a quick overview of threat and vulnerability management.
->[!VIDEO https://www.microsoft.com/videoplayer/embed/RE4mLsn]
+> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4mLsn]
## Bridging the workflow gaps
Threat and vulnerability management allows security administrators and IT admini
Watch this video for a comprehensive walk-through of threat and vulnerability management.
->[!VIDEO https://aka.ms/MDATP-TVM-Interactive-Guide]
+> [!VIDEO https://aka.ms/MDATP-TVM-Interactive-Guide]
## Navigation pane
-Area | Description
-:|:
-**Dashboard** | Get a high-level view of the organization exposure score, Microsoft Secure Score for Devices, device exposure distribution, top security recommendations, top vulnerable software, top remediation activities, and top exposed device data.
-[**Security recommendations**](tvm-security-recommendation.md) | See the list of security recommendations and related threat information. When you select an item from the list, a flyout panel opens with vulnerability details, a link to open the software page, and remediation and exception options. You can also open a ticket in Intune if your devices are joined through Azure Active Directory and you've enabled your Intune connections in Defender for Endpoint.
-[**Remediation**](tvm-remediation.md) | See remediation activities you've created and recommendation exceptions.
-[**Software inventory**](tvm-software-inventory.md) | See the list of vulnerable software in your organization, along with weakness and threat information.
-[**Weaknesses**](tvm-weaknesses.md) | See the list of common vulnerabilities and exposures (CVEs) in your organization.
-[**Event timeline**](threat-and-vuln-mgt-event-timeline.md) | View events that may impact your organization's risk.
+<br>
+
+****
+
+|Area|Description|
+|||
+|**Dashboard**|Get a high-level view of the organization exposure score, Microsoft Secure Score for Devices, device exposure distribution, top security recommendations, top vulnerable software, top remediation activities, and top exposed device data.|
+|[**Security recommendations**](tvm-security-recommendation.md)|See the list of security recommendations and related threat information. When you select an item from the list, a flyout panel opens with vulnerability details, a link to open the software page, and remediation and exception options. You can also open a ticket in Intune if your devices are joined through Azure Active Directory and you've enabled your Intune connections in Defender for Endpoint.|
+|[**Remediation**](tvm-remediation.md)|See remediation activities you've created and recommendation exceptions.|
+|[**Software inventory**](tvm-software-inventory.md)|See the list of vulnerable software in your organization, along with weakness and threat information.|
+|[**Weaknesses**](tvm-weaknesses.md)|See the list of common vulnerabilities and exposures (CVEs) in your organization.|
+|[**Event timeline**](threat-and-vuln-mgt-event-timeline.md)|View events that may impact your organization's risk.|
+|||
## APIs
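Review bot: the rebuilt navigation table uses `|||` for the delimiter row and repeats `|||` after the last data row. The delimiter row needs hyphens (`|---|---|`) for GFM to render a table at all, and the trailing `|||` line produces an empty row; drop it. The same `<br>` and `****` lead-in as in the migration-guides table applies here, so keep it only if it is the agreed house style.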
security Next Generation Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/next-generation-protection.md
Visit the [Microsoft Defender for Endpoint demo website](https://demo.wd.microso
For information on how to configure next-generation protection services, see [Configure Microsoft Defender Antivirus features](configure-microsoft-defender-antivirus-features.md).
-> [!Note]
+> [!NOTE]
> Configuration and management is largely the same in Windows Server as in Windows clients. However, there are some differences. To learn more, see [Microsoft Defender Antivirus on Windows Server](microsoft-defender-antivirus-on-windows-server.md).
security Non Windows https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/non-windows.md
localization_priority: Normal audience: ITPro-+ - M365-security-compliance - m365solution-evalutatemtp
ms.technology: mde
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) - > Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink)
-Microsoft has been on a journey to extend its industry leading endpoint security
-capabilities beyond Windows and Windows Server to macOS, Linux, Android, and iOS.
-
-Organizations face threats across a variety of platforms and devices. Our teams
-have committed to building security solutions not just *for* Microsoft, but also
-*from* Microsoft to enable our customers to protect and secure their
-heterogenous environments. We're listening to customer feedback and partnering
-closely with our customers to build solutions that meet their needs.
+Microsoft has been on a journey to extend its industry leading endpoint security capabilities beyond Windows and Windows Server to macOS, Linux, Android, and iOS.
-With Microsoft Defender for Endpoint, customers benefit from a unified view of all
-threats and alerts in the Microsoft Defender Security Center, across Windows and
-non-Windows platforms, enabling them to get a full picture of what's happening
-in their environment, which empowers them to more quickly assess and respond to
-threats.
+Organizations face threats across a variety of platforms and devices. Our teams have committed to building security solutions not just *for* Microsoft, but also *from* Microsoft to enable our customers to protect and secure their heterogenous environments. We're listening to customer feedback and partnering closely with our customers to build solutions that meet their needs.
-## Microsoft Defender for Endpoint on macOS
+With Microsoft Defender for Endpoint, customers benefit from a unified view of all threats and alerts in the Microsoft Defender Security Center, across Windows and non-Windows platforms, enabling them to get a full picture of what's happening in their environment, which empowers them to more quickly assess and respond to threats.
-Microsoft Defender for Endpoint on macOS offers antivirus, endpoint detection and response (EDR), and vulnerability management capabilities for the three
-latest released versions of macOS. Customers can deploy and manage the solution
-through Microsoft Endpoint Manager and Jamf. Just like with Microsoft Office
-applications on macOS, Microsoft Auto Update is used to manage Microsoft
-Defender for Endpoint on Mac updates. For information about the key features and
-benefits, read our
-[announcements](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/bg-p/MicrosoftDefenderATPBlog/label-name/macOS).
+## Microsoft Defender for Endpoint on macOS
-For more details on how to get started, visit the Defender for Endpoint on macOS
-[documentation](microsoft-defender-endpoint-mac.md).
+Microsoft Defender for Endpoint on macOS offers antivirus, endpoint detection and response (EDR), and vulnerability management capabilities for the three latest released versions of macOS. Customers can deploy and manage the solution through Microsoft Endpoint Manager and Jamf. Just like with Microsoft Office applications on macOS, Microsoft Auto Update is used to manage Microsoft Defender for Endpoint on Mac updates. For information about the key features and benefits, read our [announcements](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/bg-p/MicrosoftDefenderATPBlog/label-name/macOS).
->[!NOTE]
->The following capabilities are not currently supported on macOS endpoints:
->- Data loss prevention
->- Live response
+For more details on how to get started, visit the Defender for Endpoint on macOS [documentation](microsoft-defender-endpoint-mac.md).
+> [!NOTE]
+> The following capabilities are not currently supported on macOS endpoints:
+>
+> - Data loss prevention
+> - Live response
## Microsoft Defender for Endpoint on Linux
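Review bot: the rewrapped paragraph beginning `Organizations face threats across a variety of platforms` still carries the typo `heterogenous` (should be `heterogeneous`); since the hunk rewrites the whole paragraph onto one line, fix the spelling in the same change. The unwrapping of the intro and macOS paragraphs is otherwise fine.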
-Microsoft Defender for Endpoint on Linux offers preventative (AV), endpoint detection and response (EDR), and vulnerability management capabilities for Linux
-servers. This includes a full command line experience to configure and manage
-the agent, initiate scans, and manage threats. We support recent versions of the
-six most common Linux Server distributions: RHEL 7.2+, CentOS Linux 7.2+, Ubuntu
-16 LTS, or higher LTS, SLES 12+, Debian 9+, and Oracle Linux 7.2. Microsoft
-Defender for Endpoint on Linux can be deployed and configured using Puppet, Ansible, or
-using your existing Linux configuration management tool. For information about
-the key features and benefits, read our
+Microsoft Defender for Endpoint on Linux offers preventative (AV), endpoint detection and response (EDR), and vulnerability management capabilities for Linux servers. This includes a full command line experience to configure and manage the agent, initiate scans, and manage threats. We support recent versions of the six most common Linux Server distributions: RHEL 7.2+, CentOS Linux 7.2+, Ubuntu 16 LTS, or higher LTS, SLES 12+, Debian 9+, and Oracle Linux 7.2. Microsoft Defender for Endpoint on Linux can be deployed and configured using Puppet, Ansible, or using your existing Linux configuration management tool. For information about the key features and benefits, read our
[announcements](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/bg-p/MicrosoftDefenderATPBlog/label-name/Linux).
-For more details on how to get started, visit the Microsoft Defender for Endpoint on
-Linux
-[documentation](microsoft-defender-endpoint-linux.md).
+For more details on how to get started, visit the Microsoft Defender for Endpoint on Linux [documentation](microsoft-defender-endpoint-linux.md).
->[!NOTE]
->The following capabilities are not currently supported on Linux endpoints:
->- Data loss prevention
->- Live response
+> [!NOTE]
+> The following capabilities are not currently supported on Linux endpoints:
+>
+> - Data loss prevention
+> - Live response
+> [!NOTE]
+> The following capabilities are not currently supported on Linux endpoints:
+>
+> - Data loss prevention
+> - Live response
+> - SIEM
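Review bot: the Linux section now carries the same note twice; the block `> [!NOTE]` / `> The following capabilities are not currently supported on Linux endpoints:` is added once with two bullets and then again immediately after with three (`> - SIEM` appended). Keep a single note and decide whether SIEM belongs in the list; the macOS note above lists only data loss prevention and live response. Separately, the reflowed Linux paragraph still stops at `read our` with the `[announcements](...)` link left on its own line, unlike the Android and iOS paragraphs where the link was joined into the paragraph; join it for consistency.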
## Microsoft Defender for Endpoint on Android
-Microsoft Defender for Endpoint on Android is our mobile threat defense solution for
-devices running Android 6.0 and higher. Both Android Enterprise (Work Profile)
-and Device Administrator modes are supported. On Android, we offer web
-protection, which includes anti-phishing, blocking of unsafe connections, and
-setting of custom indicators. The solution scans for malware and potentially
-unwanted applications (PUA) and offers additional breach prevention capabilities
-through integration with Microsoft Endpoint Manager and Conditional Access. For
-information about the key features and benefits, read our
-[announcements](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/bg-p/MicrosoftDefenderATPBlog/label-name/Android).
+Microsoft Defender for Endpoint on Android is our mobile threat defense solution for devices running Android 6.0 and higher. Both Android Enterprise (Work Profile) and Device Administrator modes are supported. On Android, we offer web protection, which includes anti-phishing, blocking of unsafe connections, and setting of custom indicators. The solution scans for malware and potentially unwanted applications (PUA) and offers additional breach prevention capabilities through integration with Microsoft Endpoint Manager and Conditional Access. For information about the key features and benefits, read our [announcements](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/bg-p/MicrosoftDefenderATPBlog/label-name/Android).
-For more details on how to get started, visit the Microsoft Defender for Endpoint on
-Android
-[documentation](microsoft-defender-endpoint-android.md).
+For more details on how to get started, visit the Microsoft Defender for Endpoint on Android [documentation](microsoft-defender-endpoint-android.md).
## Microsoft Defender for Endpoint on iOS
-Microsoft Defender for Endpoint on iOS is our mobile threat defense solution for devices
-running iOS 11.0 and higher. Devices that are registered within a customer's tenant (enrolled or unenrolled) are supported. Both supervised and unsupervised enrolled devices are supported. On iOS, we offer web protection, which includes anti-phishing, blocking unsafe connections and
-setting custom indicators, and jailbreak detection. For more information about the key features and benefits,
-read our [announcements](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/bg-p/MicrosoftDefenderATPBlog/label-name/iOS).
+Microsoft Defender for Endpoint on iOS is our mobile threat defense solution for devices running iOS 11.0 and higher. Devices that are registered within a customer's tenant (enrolled or unenrolled) are supported. Both supervised and unsupervised enrolled devices are supported. On iOS, we offer web protection, which includes anti-phishing, blocking unsafe connections and setting custom indicators, and jailbreak detection. For more information about the key features and benefits, read our [announcements](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/bg-p/MicrosoftDefenderATPBlog/label-name/iOS).
-For more details on how to get started, visit the Microsoft Defender for Endpoint
-on iOS [documentation](microsoft-defender-endpoint-ios.md).
+For more details on how to get started, visit the Microsoft Defender for Endpoint on iOS [documentation](microsoft-defender-endpoint-ios.md).
-## Licensing requirements
+## Licensing requirements
-Eligible Licensed Users may use Microsoft Defender for Endpoint on up to five concurrent
-devices. Microsoft Defender for Endpoint is also available for purchase from a Cloud
-Solution Provider (CSP).
+Eligible Licensed Users may use Microsoft Defender for Endpoint on up to five concurrent devices. Microsoft Defender for Endpoint is also available for purchase from a Cloud Solution Provider (CSP).
-Customers can obtain Microsoft Defender for Endpoint on macOS through a standalone
-Microsoft Defender for Endpoint license, as part of Microsoft 365 A5/E5, or Microsoft 365
-Security.
+Customers can obtain Microsoft Defender for Endpoint on macOS through a standalone Microsoft Defender for Endpoint license, as part of Microsoft 365 A5/E5, or Microsoft 365 Security.
-Recently announced capabilities of Microsoft Defender for Endpoint on Android and iOS
-are included in the above mentioned offers as part of the five qualified
-devices for eligible licensed users.
+Recently announced capabilities of Microsoft Defender for Endpoint on Android and iOS are included in the above mentioned offers as part of the five qualified devices for eligible licensed users.
-Defender for Endpoint on Linux is available through the Defender for Endpoint
-Server SKU that is available for both commercial and education customers.
+Defender for Endpoint on Linux is available through the Defender for Endpoint Server SKU that is available for both commercial and education customers.
-Please contact your account team or CSP for pricing and additional eligibility
-requirements.
+Please contact your account team or CSP for pricing and additional eligibility requirements.
security Offboard Machine Api https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/offboard-machine-api.md
> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink) -- [!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] [!include[Improve request performance](../../includes/improve-request-performance.md)]
Offboard device from Defender for Endpoint.
- Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
+ [!include[Machine actions note](../../includes/machineactionsnote.md)]
->[!Note]
+> [!NOTE]
> This API is supported on Windows 10, version 1703 and later, or Windows Server 2019 and later.
+>
> This API is not supported on MacOS or Linux devices. ## Permissions
Offboard device from Defender for Endpoint.
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Defender for Endpoint APIs](apis-intro.md) Permission type|Permission|Permission display name
-:|:|:
+||
Application|Machine.Offboard|'Offboard machine' Delegated (work or school account)|Machine.Offboard|'Offboard machine'
POST https://api.securitycenter.microsoft.com/api/machines/{id}/offboard
## Request headers Name|Type|Description
-:|:|:
+||
Authorization|String|Bearer {token}. **Required**. Content-Type|string|application/json. **Required**.
Content-Type|string|application/json. **Required**.
In the request body, supply a JSON object with the following parameters: Parameter|Type|Description
-:|:|:
+||
Comment|String|Comment to associate with the action. **Required**. ## Response
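Review bot: replacing the sentence `Rate limitations for this API are 100 calls per minute and 1500 calls per hour.` with `[!include[Machine actions note](../../includes/machineactionsnote.md)]` drops the limit from this page unless the include states it; confirm the include carries the 100 per minute and 1500 per hour figures, or keep the sentence alongside it. While the header and body tables are being touched, make the Type column consistent (`Authorization|String` versus `Content-Type|string`) and check that the new delimiter rows, which appear here as `||` with no hyphen cells, still render as table headers.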
security Offboard Machines https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/offboard-machines.md
ms.technology: mde
Follow the corresponding instructions depending on your preferred deployment method.
->[!NOTE]
-> The status of a device will be switched to [Inactive](fix-unhealthy-sensors.md#inactive-devices) 7 days after offboarding. <br>
-> Offboarded devices' data (such as Timeline, Alerts, Vulnerabilities, etc.) will remain in the portal until the configured [retention period](data-storage-privacy.md#how-long-will-microsoft-store-my-data-what-is-microsofts-data-retention-policy) expires. <br>
+> [!NOTE]
+> The status of a device will be switched to [Inactive](fix-unhealthy-sensors.md#inactive-devices) 7 days after offboarding.
+>
+> Offboarded devices' data (such as Timeline, Alerts, Vulnerabilities, etc.) will remain in the portal until the configured [retention period](data-storage-privacy.md#how-long-will-microsoft-store-my-data-what-is-microsofts-data-retention-policy) expires.
+>
> The device's profile (without data) will remain in the [Devices List](machines-view-overview.md) for no longer than 180 days.
-> In addition, devices that are not active in the last 30 days are not factored in on the data that reflects your organization's threat and vulnerability management [exposure score](tvm-exposure-score.md) and Microsoft Secure Score for Devices. <br>
-> To view only active devices, you can filter by [health state](machines-view-overview.md#health-state), [device tags](machine-tags.md) or [machine groups](machine-groups.md).
+>
+> In addition, devices that are not active in the last 30 days are not factored in on the data that reflects your organization's threat and vulnerability management [exposure score](tvm-exposure-score.md) and Microsoft Secure Score for Devices.
+>
+> To view only active devices, you can filter by [health state](machines-view-overview.md#health-state), [device tags](machine-tags.md) or [machine groups](machine-groups.md).
## Offboard Windows 10 devices+ - [Offboard devices using a local script](configure-endpoints-script.md#offboard-devices-using-a-local-script) - [Offboard devices using Group Policy](configure-endpoints-gp.md#offboard-devices-using-group-policy) - [Offboard devices using Mobile Device Management tools](configure-endpoints-mdm.md#offboard-and-monitor-devices-using-mobile-device-management-tools) ## Offboard Servers+ - [Offboard servers](configure-server-endpoints.md#offboard-windows-servers) ## Offboard non-Windows devices-- [Offboard non-Windows devices](configure-endpoints-non-windows.md#offboard-non-windows-devices)
+- [Offboard non-Windows devices](configure-endpoints-non-windows.md#offboard-non-windows-devices)
security Onboard Downlevel https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/onboard-downlevel.md
ms.technology: mde
- Windows 8.1 Pro - Windows 8.1 Enterprise - > Want to experience Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-downlevel-abovefoldlink) Defender for Endpoint extends support to include down-level operating systems, providing advanced attack detection and investigation capabilities on supported Windows versions.
To onboard down-level Windows client endpoints to Defender for Endpoint, you'll
> After onboarding the device, you can choose to run a detection test to verify that it is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Defender for Endpoint endpoint](run-detection-test.md). ## Configure and update System Center Endpoint Protection clients+ > [!IMPORTANT] > This step is required only if your organization uses System Center Endpoint Protection (SCEP).
Defender for Endpoint integrates with System Center Endpoint Protection to provi
The following steps are required to enable this integration: -- Install the [January 2017 anti-malware platform update for Endpoint Protection clients](https://support.microsoft.com/help/3209361/january-2017-anti-malware-platform-update-for-endpoint-protection-clie)
+- Install the [January 2017 anti-malware platform update for Endpoint Protection clients](https://support.microsoft.com/help/3209361/january-2017-anti-malware-platform-update-for-endpoint-protection-clie)
- Configure the SCEP client Cloud Protection Service membership to the **Advanced** setting - Configure your network to allow connections to the Microsoft Defender Antivirus cloud. For more information, see [Allow connections to the Microsoft Defender Antivirus cloud](/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus#allow-connections-to-the-microsoft-defender-antivirus-cloud)
The following steps are required to enable this integration:
Review the following details to verify minimum system requirements: - Install the [February 2018 monthly update rollup](https://support.microsoft.com/help/4074598/windows-7-update-kb4074598)
-
+ > [!NOTE] > Only applicable for Windows 7 SP1 Enterprise and Windows 7 SP1 Pro.
Once completed, you should see onboarded endpoints in the portal within an hour.
- If a proxy or firewall is blocking all traffic by default and allowing only specific domains through or HTTPS scanning (SSL inspection) is enabled, make sure that you [enable access to Defender for Endpoint service URLs](/microsoft-365/security/defender-endpoint/configure-proxy-internet#enable-access-to-microsoft-defender-atp-service-urls-in-the-proxy-server). ## Run a detection test to verify onboarding+ After onboarding the device, you can choose to run a detection test to verify that a device is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender for Endpoint device](run-detection-test.md). ## Offboard client endpoints
security Onboard Offline Machines https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/onboard-offline-machines.md
For more information about onboarding methods, see the following articles:
- [Install and configure Microsoft Monitoring Agent (MMA)](configure-server-endpoints.md#install-and-configure-microsoft-monitoring-agent-mma-to-report-sensor-data-to-microsoft-defender-for-endpoint) point to Defender for Endpoint Workspace key & ID - Offline devices in the same network of Azure Log Analytics
- - Configure MMA to point to:
- - Azure Log Analytics IP as a proxy
- - Defender for Endpoint workspace key & ID
+ - Configure MMA to point to:
+ - Azure Log Analytics IP as a proxy
+ - Defender for Endpoint workspace key & ID
## Azure virtual machines-- Configure and enable [Azure Log Analytics workspace](/azure/azure-monitor/platform/gateway)
- - Setup Azure Log Analytics Gateway (formerly known as OMS Gateway) to act as proxy or hub:
- - [Azure Log Analytics Gateway](/azure/azure-monitor/platform/gateway#download-the-log-analytics-gateway)
- - [Install and configure Microsoft Monitoring Agent (MMA)](configure-server-endpoints.md#install-and-configure-microsoft-monitoring-agent-mma-to-report-sensor-data-to-microsoft-defender-for-endpoint) point to Defender for Endpoint Workspace key & ID
+- Configure and enable [Azure Log Analytics workspace](/azure/azure-monitor/platform/gateway)
+ - Setup Azure Log Analytics Gateway (formerly known as OMS Gateway) to act as proxy or hub:
+ - [Azure Log Analytics Gateway](/azure/azure-monitor/platform/gateway#download-the-log-analytics-gateway)
+ - [Install and configure Microsoft Monitoring Agent (MMA)](configure-server-endpoints.md#install-and-configure-microsoft-monitoring-agent-mma-to-report-sensor-data-to-microsoft-defender-for-endpoint) point to Defender for Endpoint Workspace key & ID
- Offline Azure VMs in the same network of OMS Gateway - Configure Azure Log Analytics IP as a proxy - Azure Log Analytics Workspace Key & ID- - Azure Defender - [Security Policy \> Log Analytics Workspace](/azure/security-center/security-center-wdatp#enable-windows-defender-atp-integration) - [Threat Detection \> Allow Defender for Endpoint to access my data](/azure/security-center/security-center-wdatp#enable-windows-defender-atp-integration)
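Review bot: in `- Configure and enable [Azure Log Analytics workspace](/azure/azure-monitor/platform/gateway)` the link text says workspace but the target is the Gateway article, the same page the nested `[Azure Log Analytics Gateway](/azure/azure-monitor/platform/gateway#download-the-log-analytics-gateway)` item already links; point the workspace item at a workspace article or drop the link. Also `Setup Azure Log Analytics Gateway` should read `Set up` as a verb, and the key and ID entries remain inconsistently cased across the hunk (`Workspace key & ID`, `workspace key & ID`, `Workspace Key & ID`).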
security Overview Client Analyzer https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/overview-client-analyzer.md
ms.localizationpriority: medium audience: ITPro--- M365-security-compliance -- m365initiative-m365-defender +
+- M365-security-compliance
+- m365initiative-m365-defender
ms.technology: m365d
-# Troubleshoot sensor health using Microsoft Defender for Endpoint Client Analyzer
+# Troubleshoot sensor health using Microsoft Defender for Endpoint Client Analyzer
**Applies to:** - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-The Microsoft Defender for Endpoint Client Analyzer (MDECA) can be useful when
-diagnosing sensor health or reliability issues on [onboarded
-devices](/microsoft-365/security/defender-endpoint/onboard-configure)
-running either Windows, Linux, or macOS. For example, you may want to run the
-analyzer on a machine that appears to be unhealthy according to the displayed
-[sensor health
-status](/microsoft-365/security/defender-endpoint/fix-unhealthy-sensors)
-(Inactive, No Sensor Data or Impaired Communications) in the security
-portal.
-
-Besides obvious sensor health issues, MDECA can collect other traces, logs,
-and diagnostic information for troubleshooting complex scenarios such
-as:
-Application compatibility (AppCompat), performance, network connectivity, or
-unexpected behavior related to [Endpoint Data Loss
-Prevention](/microsoft-365/compliance/endpoint-dlp-learn-about).
+The Microsoft Defender for Endpoint Client Analyzer (MDECA) can be useful when diagnosing sensor health or reliability issues on [onboarded devices](/microsoft-365/security/defender-endpoint/onboard-configure) running either Windows, Linux, or macOS. For example, you may want to run the analyzer on a machine that appears to be unhealthy according to the displayed [sensor health status](/microsoft-365/security/defender-endpoint/fix-unhealthy-sensors) (Inactive, No Sensor Data or Impaired Communications) in the security portal.
-## Privacy notice
+Besides obvious sensor health issues, MDECA can collect other traces, logs, and diagnostic information for troubleshooting complex scenarios such as:
+
+- Application compatibility (AppCompat), performance, network connectivity, or
+- Unexpected behavior related to [Endpoint Data Loss Prevention](/microsoft-365/compliance/endpoint-dlp-learn-about).
+## Privacy notice
-- The Microsoft Defender for Endpoint Client Analyzer tool is regularly used
- by Microsoft Customer Support Services (CSS) to collect information that
- will help troubleshoot issues you may be experiencing with Microsoft
- Defender for Endpoint.
+- The Microsoft Defender for Endpoint Client Analyzer tool is regularly used by Microsoft Customer Support Services (CSS) to collect information that will help troubleshoot issues you may be experiencing with Microsoft Defender for Endpoint.
-- The collected data may contain Personally Identifiable Information (PII)
- and/or sensitive data, such as (but not limited to) IP addresses, PC names,
- and usernames.
+- The collected data may contain Personally Identifiable Information (PII) and/or sensitive data, such as (but not limited to) IP addresses, PC names, and usernames.
-- Once data collection is complete, the tool saves the data locally on the
- machine within a subfolder and compressed zip file.
+- Once data collection is complete, the tool saves the data locally on the machine within a subfolder and compressed zip file.
-- No data is automatically sent to Microsoft. If you are using the tool during
- collaboration on a support issue, you may be asked to send the compressed
- data to Microsoft CSS using Secure File Exchange to facilitate the investigation of the issue.
+- No data is automatically sent to Microsoft. If you are using the tool during collaboration on a support issue, you may be asked to send the compressed data to Microsoft CSS using Secure File Exchange to facilitate the investigation of the issue.
-For more information about Secure File Exchange, see [How to use Secure File Exchange to exchange files with Microsoft Support](/troubleshoot/azure/general/secure-file-exchange-transfer-files)
+For more information about Secure File Exchange, see [How to use Secure File Exchange to exchange files with Microsoft Support](/troubleshoot/azure/general/secure-file-exchange-transfer-files)
For more information about our privacy statement, see [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement). ## Requirements -- Before running the analyzer, we recommend ensuring your proxy or firewall
- configuration allows access to [Microsoft Defender for Endpoint service
- URLs](configure-proxy-internet.md#enable-access-to-microsoft-defender-for-endpoint-service-urls-in-the-proxy-server).
--- The analyzer can run on supported editions of
- [Windows](minimum-requirements.md#supported-windows-versions),
- [Linux](microsoft-defender-endpoint-linux.md#system-requirements),
- or
- [macOS](microsoft-defender-endpoint-mac.md#system-requirements)
- either before of after onboarding to Microsoft Defender for Endpoint.
--- For Windows devices, if you are running the analyzer directly on specific machines and not
- remotely via [Live
- Response](/microsoft-365/security/defender-endpoint/troubleshoot-collect-support-log),
- then SysInternals
- [PsExec.exe](/sysinternals/downloads/psexec)
- should be allowed (at least temporarily) to run.
- The analyzer calls into PsExec.exe tool to run cloud connectivity checks as
- Local System and emulate the behavior of the SENSE service.
+- Before running the analyzer, we recommend ensuring your proxy or firewall configuration allows access to [Microsoft Defender for Endpoint service URLs](configure-proxy-internet.md#enable-access-to-microsoft-defender-for-endpoint-service-urls-in-the-proxy-server).
+
+- The analyzer can run on supported editions of [Windows](minimum-requirements.md#supported-windows-versions), [Linux](microsoft-defender-endpoint-linux.md#system-requirements), or [macOS](microsoft-defender-endpoint-mac.md#system-requirements) either before of after onboarding to Microsoft Defender for Endpoint.
+
+- For Windows devices, if you are running the analyzer directly on specific machines and not remotely via [Live Response](/microsoft-365/security/defender-endpoint/troubleshoot-collect-support-log), then SysInternals [PsExec.exe](/sysinternals/downloads/psexec) should be allowed (at least temporarily) to run. The analyzer calls into PsExec.exe tool to run cloud connectivity checks as Local System and emulate the behavior of the SENSE service.
> [!NOTE]
- > On Windows devices, if you use Attack Surface Reduction (ASR) rule [Block process creations
- originating from PSExec and WMI
- commands](attack-surface-reduction-rules.md#block-process-creations-originating-from-psexec-and-wmi-commands),
- then may want to temporarily disable the rule or [configure an exclusion to
- the ASR
- rule](enable-attack-surface-reduction.md#exclude-files-and-folders-from-asr-rules)
- to allow the analyzer to run connectivity checks to cloud as expected.
+ > On Windows devices, if you use Attack Surface Reduction (ASR) rule [Block process creations originating from PSExec and WMI commands](attack-surface-reduction-rules.md#block-process-creations-originating-from-psexec-and-wmi-commands), then may want to temporarily disable the rule or [configure an exclusion to the ASR rule](enable-attack-surface-reduction.md#exclude-files-and-folders-from-asr-rules) to allow the analyzer to run connectivity checks to cloud as expected.
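Review bot: `either before of after onboarding` in the reflowed requirements bullet should be `before or after`; since the bullet is being rewritten anyway, fix it here. Two more in the same hunk: `then may want to temporarily disable the rule` in the ASR note is missing its subject (`then you may want`), and `The analyzer calls into PsExec.exe tool` needs `the`. In the new two-item list, `- Application compatibility (AppCompat), performance, network connectivity, or` ends with a dangling `or`; drop the conjunction so each bullet stands alone. On the ASR note itself, disabling the rule and adding an exclusion are offered as equal options; lead with the exclusion scoped to the analyzer and say that a disabled rule should be re-enabled once the connectivity checks finish, since the rule exists to block exactly the PsExec-launched process creations the analyzer relies on.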
security Overview Hardware Based Isolation https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/overview-hardware-based-isolation.md
Title: Hardware-based isolation (Windows 10)-+ description: Learn about how hardware-based isolation in Windows 10 helps to combat malware. search.appverid: met150 ms.prod: m365-security
ms.technology: mde
> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink)
+Hardware-based isolation helps protect system integrity in Windows 10 and is integrated with Microsoft Defender for Endpoint.
-Hardware-based isolation helps protect system integrity in Windows 10 and is integrated with Microsoft Defender for Endpoint.
+<br>
-| Feature | Description |
-||-|
-| [Windows Defender Application Guard](/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md) | Application Guard protects your device from advanced attacks while keeping you productive. Using a unique hardware-based isolation approach, the goal is to isolate untrusted websites and PDF documents inside a lightweight container that is separated from the operating system via the native Windows Hypervisor. If an untrusted site or PDF document turns out to be malicious, it still remains contained within Application Guard's secure container, keeping the desktop PC protected and the attacker away from your enterprise data. |
-| [Windows Defender System Guard](/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md) | System Guard protects and maintains the integrity of the system as it starts and after it's running, and validates system integrity by using attestation. |
+****
+|Feature|Description|
+|||
+|[Windows Defender Application Guard](/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md)|Application Guard protects your device from advanced attacks while keeping you productive. Using a unique hardware-based isolation approach, the goal is to isolate untrusted websites and PDF documents inside a lightweight container that is separated from the operating system via the native Windows Hypervisor. If an untrusted site or PDF document turns out to be malicious, it still remains contained within Application Guard's secure container, keeping the desktop PC protected and the attacker away from your enterprise data.|
+|[Windows Defender System Guard](/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md)|System Guard protects and maintains the integrity of the system as it starts and after it's running, and validates system integrity by using attestation.|
+|
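Review bot: both feature links are site-absolute paths that keep a `.md` suffix (`/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md` and the System Guard link alongside it); cross-docset links should omit the file extension or they risk resolving to a missing page once published, so strip them while the table is being rewritten. Also confirm the `****` line and the trailing lone `|` line added around the table are intentional house convention, since a stray `|` after a table can render as an empty extra row.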
security Partner Applications https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/partner-applications.md
ms.technology: mde
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) - > Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink) Defender for Endpoint supports third-party applications to help enhance the detection, investigation, and threat intelligence capabilities of the platform.
Logo|Partner name|Description
## SIEM integration
-Defender for Endpoint supports SIEM integration through various of methods. This can include specialized SIEM system interface with out of the box connectors, a generic alert API enabling custom implementations, and an action API enabling alert status management. For more information, see [Enable SIEM integration](enable-siem-integration.md).
+Defender for Endpoint supports SIEM integration through various of methods. This can include specialized SIEM system interface with out of the box connectors, a generic alert API enabling custom implementations, and an action API enabling alert status management. For more information, see [Enable SIEM integration](enable-siem-integration.md).
## Ticketing and IT service management
External alerts can be pushed to Defender for Endpoint. These alerts are shown s
You can use threat-intelligence from providers and aggregators to maintain and use indicators of compromise (IOCs).
-Defender for Endpoint allows you to integrate with these solutions and act on IoCs by correlating rich telemetry to create alerts. You can also use prevention and automated response capabilities to block execution and take remediation actions when there's a match.
+Defender for Endpoint allows you to integrate with these solutions and act on IoCs by correlating rich telemetry to create alerts. You can also use prevention and automated response capabilities to block execution and take remediation actions when there's a match.
Defender for Endpoint currently supports IOC matching and remediation for file and network indicators. Blocking is supported for file indicators.
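Review bot: `Defender for Endpoint supports SIEM integration through various of methods` is re-emitted unchanged apart from whitespace; since the line is touched, fix the grammar (`through a variety of methods`) and pluralize `specialized SIEM system interface` to `interfaces`. The indicator section also mixes `IOCs` (`indicators of compromise (IOCs)`, `IOC matching`) with `IoCs` in the rewritten line `act on IoCs by correlating rich telemetry`; pick one casing.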
security Prevent Changes To Security Settings With Tamper Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection.md
Tamper protection doesn't prevent you from viewing your security settings. And,
### What do you want to do?
-| To perform this task... | See this section... |
-|:|:|
-| Manage tamper protection across your tenant <p>Use the Microsoft 365 Defender portal to turn tamper protection on or off | [Manage tamper protection for your organization using the Microsoft 365 Defender](#manage-tamper-protection-for-your-organization-using-the-microsoft-365-defender-portal) |
-| Fine-tune tamper protection settings in your organization <p>Use Intune (Microsoft Endpoint Manager) to turn tamper protection on or off. You can configure tamper protection for some or all users with this method. | [Manage tamper protection for your organization using Intune](#manage-tamper-protection-for-your-organization-using-intune) |
-| Turn tamper protection on (or off) for your organization with Configuration Manager | [Manage tamper protection for your organization using tenant attach with Configuration Manager, version 2006](#manage-tamper-protection-for-your-organization-with-configuration-manager-version-2006) |
-| Turn tamper protection on (or off) for an individual device | [Manage tamper protection on an individual device](#manage-tamper-protection-on-an-individual-device) |
-| View details about tampering attempts on devices | [View information about tampering attempts](#view-information-about-tampering-attempts) |
-| Review your security recommendations | [Review security recommendations](#review-your-security-recommendations) |
-| Review the list of frequently asked questions (FAQs) | [Browse the FAQs](#view-information-about-tampering-attempts) |
-
-Depending on the method or management tool you use to enable tamper protection, there might be a dependency on cloud-delivered protection.
+<br>
+
+****
+
+|To perform this task...|See this section...|
+|||
+|Manage tamper protection across your tenant <p> Use the Microsoft 365 Defender portal to turn tamper protection on or off|[Manage tamper protection for your organization using the Microsoft 365 Defender](#manage-tamper-protection-for-your-organization-using-the-microsoft-365-defender-portal)|
+|Fine-tune tamper protection settings in your organization <p> Use Intune (Microsoft Endpoint Manager) to turn tamper protection on or off. You can configure tamper protection for some or all users with this method.|[Manage tamper protection for your organization using Intune](#manage-tamper-protection-for-your-organization-using-intune)|
+|Turn tamper protection on (or off) for your organization with Configuration Manager|[Manage tamper protection for your organization using tenant attach with Configuration Manager, version 2006](#manage-tamper-protection-for-your-organization-with-configuration-manager-version-2006)|
+|Turn tamper protection on (or off) for an individual device|[Manage tamper protection on an individual device](#manage-tamper-protection-on-an-individual-device)|
+|View details about tampering attempts on devices|[View information about tampering attempts](#view-information-about-tampering-attempts)|
+|Review your security recommendations|[Review security recommendations](#review-your-security-recommendations)|
+|Review the list of frequently asked questions (FAQs)|[Browse the FAQs](#view-information-about-tampering-attempts)|
+|
+
+Depending on the method or management tool you use to enable tamper protection, there might be a dependency on cloud-delivered protection.
The following table provides details on the methods, tools, and dependencies.
-| How tamper protection is enabled | Dependency on cloud-delivered protection (MAPS) |
-|:-|:-|
-| Microsoft Intune | No |
-| Microsoft Endpoint Configuration Manager + Tenant Attach | No |
-| Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) | Yes |
+<br>
+
+****
+
+|How tamper protection is enabled|Dependency on cloud-delivered protection (MAPS)|
+|||
+|Microsoft Intune|No|
+|Microsoft Endpoint Configuration Manager + Tenant Attach|No|
+|Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com))|Yes|
+|
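Review bot: the rebuilt task table carries over a wrong anchor on its last row: `[Browse the FAQs](#view-information-about-tampering-attempts)` sends readers to the tampering-attempts section instead of the FAQ section, and the first row's link text, `Manage tamper protection for your organization using the Microsoft 365 Defender`, drops the word `portal` that both its target heading and its anchor use. Both tables also end with a lone `|` line (after the FAQ row and after the `Microsoft 365 Defender portal` row), which renders as a stray empty row, and their delimiter rows appear here as `|||` with no hyphens; confirm the committed file has `|---|---|`, since GFM needs at least one hyphen per cell for that row to act as the header separator.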
## Manage tamper protection for your organization using the Microsoft 365 Defender portal Tamper protection can be turned on or off for your tenant using the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)). Here are a few points to keep in mind: -- Currently, the option to manage tamper protection in the Microsoft 365 Defender portal is on by default for new deployments. For existing deployments, tamper protection is available on an opt-in basis. To opt in, in the Microsoft 365 Defender portal, choose **Settings** > **Endpoints** > **Advanced features** > **Tamper protection**.
+- Currently, the option to manage tamper protection in the Microsoft 365 Defender portal is on by default for new deployments. For existing deployments, tamper protection is available on an opt-in basis. To opt in, in the Microsoft 365 Defender portal, choose **Settings** \> **Endpoints** \> **Advanced features** \> **Tamper protection**.
- When you use the Microsoft 365 Defender portal to manage tamper protection, you do not have to use Intune or the tenant attach method. - When you manage tamper protection in the Microsoft 365 Defender portal, the setting is applied tenant wide, affecting all of your devices that are running Windows 10, Windows Server 2016, or Windows Server 2019. To fine-tune tamper protection (such as having tamper protection on for some devices but off for others), use either [Intune](#manage-tamper-protection-for-your-organization-using-intune) or [Configuration Manager with tenant attach](#manage-tamper-protection-for-your-organization-with-configuration-manager-version-2006). -- If you have a hybrid environment, tamper protection settings configured in Intune take precedence over settings configured in the Microsoft 365 Defender portal.
+- If you have a hybrid environment, tamper protection settings configured in Intune take precedence over settings configured in the Microsoft 365 Defender portal.
### Requirements for managing tamper protection in the Microsoft 365 Defender portal - You must have appropriate [permissions](/microsoft-365/security/defender-endpoint/assign-portal-access) assigned, such as global admin, security admin, or security operations. - Your Windows devices must be running one of the following versions of Windows:
+ - Windows 10
+ - [Windows Server 2019](/windows-server/get-started-19/whats-new-19)
+ - Windows Server, version [1803](/windows/release-health/status-windows-10-1803) or later
+ - [Windows Server 2016](/windows-server/get-started/whats-new-in-windows-server-2016)
- - Windows 10
- - [Windows Server 2019](/windows-server/get-started-19/whats-new-19)
- - Windows Server, version [1803](/windows/release-health/status-windows-10-1803) or later
- - [Windows Server 2016](/windows-server/get-started/whats-new-in-windows-server-2016)
-
For more information about releases, see [Windows 10 release information](/windows/release-health/release-information). - Your devices must be [onboarded to Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/onboarding).
Tamper protection can be turned on or off for your tenant using the Microsoft 36
1. Go to the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) and sign in.
-2. Choose **Settings** > **Endpoints**.
+2. Choose **Settings** \> **Endpoints**.
-3. Go to **General** > **Advanced features**, and then turn tamper protection on.
+3. Go to **General** \> **Advanced features**, and then turn tamper protection on.
## Manage tamper protection for your organization using Intune
If you are part of your organization's security team, and your subscription incl
1. Go to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com) and sign in.
-2. Select **Devices** > **Configuration Profiles**.
+2. Select **Devices** \> **Configuration Profiles**.
3. Create a profile that includes the following settings:
If you are part of your organization's security team, and your subscription incl
### Are you using Windows Server 2016, or Windows version 1709, 1803, or 1809?
-If you are using Windows Server 2016, Windows 10 version 1709, 1803, or [1809](/windows/release-health/status-windows-10-1809-and-windows-server-2019), you won't see **Tamper Protection** in the Windows Security app. Instead, you can use PowerShell to determine whether tamper protection is enabled.
-
+If you are using Windows Server 2016, Windows 10 version 1709, 1803, or [1809](/windows/release-health/status-windows-10-1809-and-windows-server-2019), you won't see **Tamper Protection** in the Windows Security app. Instead, you can use PowerShell to determine whether tamper protection is enabled.
+ On Windows Server 2016, the Settings app will not accurately reflect the status of real-time protection when tamper protection is enabled.
-
+ #### Use PowerShell to determine whether tamper protection and real-time protection are turned on 1. Open the Windows PowerShell app.
If you're using [version 2006 of Configuration Manager](/mem/configmgr/core/plan
1. Set up tenant attach. To learn more, see [Microsoft Endpoint Manager tenant attach: Device sync and device actions](/mem/configmgr/tenant-attach/device-sync-actions).
-2. In the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Endpoint security** > **Antivirus**, and then choose **+ Create Policy**.
+2. In the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Endpoint security** \> **Antivirus**, and then choose **+ Create Policy**.
- - In the **Platform** list, select **Windows 10 and Windows Server (ConfigMgr)**.
- - In the **Profile** list, select **Windows Security experience (preview)**. <br/>
+ - In the **Platform** list, select **Windows 10 and Windows Server (ConfigMgr)**.
+ - In the **Profile** list, select **Windows Security experience (preview)**.
3. Deploy the policy to your device collection.
-### Need help with this method?
+### Need help with this method?
See the following resources:
Here's what you see in the Windows Security app:
1. Select **Start**, and start typing *Security*. In the search results, select **Windows Security**.
-2. Select **Virus & threat protection** > **Virus & threat protection settings**.
+2. Select **Virus & threat protection** \> **Virus & threat protection settings**.
3. Set **Tamper Protection** to **On** or **Off**.
No. Non-Microsoft antivirus offerings will continue to register with the Windows
### What happens if Microsoft Defender Antivirus is not active on a device?
-Devices that are onboarded to Microsoft Defender for Endpoint will have Microsoft Defender Antivirus running in passive mode. In these cases, tamper protection will continue to protect the service and its features.
+Devices that are onboarded to Microsoft Defender for Endpoint will have Microsoft Defender Antivirus running in passive mode. In these cases, tamper protection will continue to protect the service and its features.
### How do I turn tamper protection on or off? If you are a home user, see [Manage tamper protection on an individual device](#manage-tamper-protection-on-an-individual-device).
-If you are an organization using [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint), you should be able to manage tamper protection in Intune similar to how you manage other endpoint protection features. See the following sections of this article:
+If you are an organization using [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint), you should be able to manage tamper protection in Intune similar to how you manage other endpoint protection features. See the following sections of this article:
- [Manage tamper protection using Intune](#manage-tamper-protection-for-your-organization-using-intune) - [Manage tamper protection using Configuration Manager, version 2006](#manage-tamper-protection-for-your-organization-with-configuration-manager-version-2006)-- [Manage tamper protection using the Microsoft 365 Defender portal](#manage-tamper-protection-for-your-organization-using-the-microsoft-365-defender-portal)
+- [Manage tamper protection using the Microsoft 365 Defender portal](#manage-tamper-protection-for-your-organization-using-the-microsoft-365-defender-portal)
### How does configuring tamper protection in Intune affect how I manage Microsoft Defender Antivirus with Group Policy?
-Group policy doesnΓÇÖt apply to tamper protection. Changes made to Microsoft Defender Antivirus settings are ignored when tamper protection is on.
+Group policy doesnΓÇÖt apply to tamper protection. Changes made to Microsoft Defender Antivirus settings are ignored when tamper protection is on.
### If we use Microsoft Intune to configure tamper protection, does it apply only to the entire organization?
You have flexibility in configuring tamper protection with Intune. You can targe
### Can I configure Tamper Protection with Microsoft Endpoint Configuration Manager? If you are using tenant attach, you can use Microsoft Endpoint Configuration Manager. See the following resources:+ - [Manage tamper protection for your organization with Configuration Manager, version 2006](#manage-tamper-protection-for-your-organization-with-configuration-manager-version-2006) - [Tech Community blog: Announcing Tamper Protection for Configuration Manager Tenant Attach clients](https://techcommunity.microsoft.com/t5/microsoft-endpoint-manager-blog/announcing-tamper-protection-for-configuration-manager-tenant/ba-p/1700246#.X3QLR5Ziqq8.linkedin)
No. Local admins cannot change or modify tamper protection settings.
### What happens if my device is onboarded with Microsoft Defender for Endpoint and then goes into an off-boarded state?
-If a device is off-boarded from Microsoft Defender for Endpoint, tamper protection is turned on, which is the default state for unmanaged devices.
+If a device is off-boarded from Microsoft Defender for Endpoint, tamper protection is turned on, which is the default state for unmanaged devices.
### If the status of tamper protection changes, are alerts shown in the Microsoft 365 Defender portal?
Yes. The alert is shown in [https://security.microsoft.com](https://security.mic
Your security operations team can also use hunting queries, such as the following example:
-`DeviceAlertEvents | where Title == "Tamper Protection bypass"`
+`DeviceAlertEvents|where Title == "Tamper Protection bypass"`
[View information about tampering attempts](#view-information-about-tampering-attempts).
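Review bot: the hunting query lost the spaces around its pipe, `DeviceAlertEvents|where Title == "Tamper Protection bypass"`. KQL still parses it, but `DeviceAlertEvents | where ...` is the form used everywhere else in these docs and is what an analyst pastes into advanced hunting; this looks like the table-cell normalization being applied inside inline code and should be reverted.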
security Prevent End User Interaction Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/prevent-end-user-interaction-microsoft-defender-antivirus.md
Last updated 09/03/2018-+ ms.technology: mde
With the setting set to **Disabled** or not configured:
:::image type="content" source="../../media/wdav-headless-mode-1703.png" alt-text="Screenshot of Windows Security with shield icon and threat protection sections.":::
->[!NOTE]
->Hiding the interface will also prevent Microsoft Defender Antivirus notifications from appearing on the endpoint. Microsoft Defender for Endpoint notifications will still appear. You can also individually [configure the notifications that appear on endpoints](configure-notifications-microsoft-defender-antivirus.md)
+> [!NOTE]
+> Hiding the interface will also prevent Microsoft Defender Antivirus notifications from appearing on the endpoint. Microsoft Defender for Endpoint notifications will still appear. You can also individually [configure the notifications that appear on endpoints](configure-notifications-microsoft-defender-antivirus.md)
In earlier versions of Windows 10, the setting will hide the Windows Defender client interface. If the user attempts to open it, they will receive a warning that says, "Your system administrator has restricted access to this app."
In earlier versions of Windows 10, the setting will hide the Windows Defender cl
4. Expand the tree to **Windows components > Microsoft Defender Antivirus > Client interface**.
-5. Double-click the **Enable headless UI mode** setting and set the option to **Enabled**. Click **OK**.
+5. Double-click the **Enable headless UI mode** setting and set the option to **Enabled**. Click **OK**.
See [Prevent users from locally modifying policy settings](configure-local-policy-overrides-microsoft-defender-antivirus.md) for more options on preventing users form modifying protection on their PCs.
You can prevent users from pausing scans, which can be helpful to ensure schedul
3. Click **Administrative templates**.
-4. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Scan**.
+4. Expand the tree to **Windows components** \> **Microsoft Defender Antivirus** \> **Scan**.
-5. Double-click the **Allow users to pause scan** setting and set the option to **Disabled**. Click **OK**.
+5. Double-click the **Allow users to pause scan** setting and set the option to **Disabled**. Click **OK**.
## Related articles - [Configure the notifications that appear on endpoints](configure-notifications-microsoft-defender-antivirus.md)- - [Configure end-user interaction with Microsoft Defender Antivirus](configure-end-user-interaction-microsoft-defender-antivirus.md)- - [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
security Preview Settings https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/preview-settings.md
ms.technology: mde
Turn on the preview experience setting to be among the first to try upcoming features.
-1. In the navigation pane, select **Settings** > **Endpoints** > **Advanced features**.
+1. In the navigation pane, select **Settings** \> **Endpoints** \> **Advanced features**.
:::image type="content" source="../../media/atp-preview-features-new.png" alt-text="settings and preview experience image.":::
security Preview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/preview.md
localization_priority: Normal audience: ITPro-+ - m365-security-compliance - m365initiative-defender-endpoint
When working with features in public preview, these features:
- Are fully supported by Microsoft. - May only be available in selected geographic regions or cloud environments. For example, the feature may not exist in the government cloud. - Individual features in preview may have more usage and support restrictions. If so, this information is typically noted in the feature documentation.-- The preview versions are provided with a standard support level, and can be used for production environments.
+- The preview versions are provided with a standard support level, and can be used for production environments.
## Turn on preview features
You'll have access to upcoming features that you can provide feedback on to help
Turn on the preview experience setting to be among the first to try upcoming features.
-1. In the navigation pane, select **Settings** > **Endpoints** > **Advanced features** > **Preview features**.
+1. In the navigation pane, select **Settings** \> **Endpoints** \> **Advanced features** \> **Preview features**.
2. Toggle the setting between **On** and **Off** and select **Save preferences**. > [!TIP]
-> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-preview-belowfoldlink)
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-preview-belowfoldlink)
security Production Deployment https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/production-deployment.md
localization_priority: Normal audience: ITPro-+ - M365-security-compliance - m365solution-endpointprotect - m365solution-scenario
Checking for the license state and whether it got properly provisioned, can be d
![Image of Azure Licensing page.](images/atp-licensing-azure-portal.png)
-1. Alternately, in the admin center, navigate to **Billing** > **Subscriptions**.
+1. Alternately, in the admin center, navigate to **Billing** \> **Subscriptions**.
On the screen, you'll see all the provisioned licenses and their current **Status**.
Configure a registry-based static proxy to allow only Microsoft Defender for End
1. Open the Group Policy Management Console. 2. Create a policy or edit an existing policy based off the organizational practices.
-3. Edit the Group Policy and navigate to **Administrative Templates \> Windows Components \> Data Collection and Preview Builds \> Configure Authenticated Proxy usage for the Connected User Experience and Telemetry Service**.
+3. Edit the Group Policy and navigate to **Administrative Templates \> Windows Components \> Data Collection and Preview Builds \> Configure Authenticated Proxy usage for the Connected User Experience and Telemetry Service**.
![Image of Group Policy configuration.](images/atp-gpo-proxy1.png)
You can find the Azure IP ranges in [Azure IP Ranges and Service Tags - Public C
> [!NOTE] > As a cloud-based solution, the IP address ranges can change. It's recommended you move to DNS-based rules.-
-> [!NOTE]
+>
> If you are a US Government customer, please see the corresponding section in the [Defender for Endpoint for US Government](gov.md#service-backend-ip-ranges) page. ## Next step
security Pull Alerts Using Rest Api https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/pull-alerts-using-rest-api.md
[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
->[!Note]
->- [Microsoft Defender for Endpoint Alert](alerts.md) is composed from one or more detections.
->- [Microsoft Defender for Endpoint Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Device and its related Alert details.
->-The Microsoft Defender for Endpoint Alert API is the latest API for alert consumption and contain a detailed list of related evidence for each alert. For more information, see [Alert methods and properties](alerts.md) and [List alerts](get-alerts.md).
+> [!NOTE]
+>
+> - [Microsoft Defender for Endpoint Alert](alerts.md) is composed from one or more detections.
+> - [Microsoft Defender for Endpoint Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Device and its related Alert details.
+> s-The Microsoft Defender for Endpoint Alert API is the latest API for alert consumption and contain a detailed list of related evidence for each alert. For more information, see [Alert methods and properties](alerts.md) and [List alerts](get-alerts.md).
Microsoft Defender for Endpoint supports the OAuth 2.0 protocol to pull detections from the API. In general, the OAuth 2.0 protocol supports four types of flows:+ - Authorization grant flow - Implicit flow - Client credentials flow
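Review bot: the third bullet of the reworked note reads `> s-The Microsoft Defender for Endpoint Alert API ...`; the stray `s` replaced the `- ` list marker, so this line no longer renders as a bullet. It should read `> - The Microsoft Defender for Endpoint Alert API is the latest API for alert consumption and contains a detailed list of related evidence for each alert.` (which also fixes `contain` to `contains`).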
The _Client credential flow_ uses client credentials to authenticate against the
Use the following method in the Microsoft Defender for Endpoint API to pull detections in JSON format.
->[!NOTE]
->Microsoft Defender Security Center merges similar alert detections into a single alert. This API pulls alert detections in its raw form based on the query parameters you set, enabling you to apply your own grouping and filtering.
+> [!NOTE]
+> Microsoft Defender Security Center merges similar alert detections into a single alert. This API pulls alert detections in its raw form based on the query parameters you set, enabling you to apply your own grouping and filtering.
## Before you begin+ - Before calling the Microsoft Defender for Endpoint endpoint to pull detections, you'll need to enable the SIEM integration application in Azure Active Directory (AAD). For more information, see [Enable SIEM integration in Microsoft Defender for Endpoint](enable-siem-integration.md). - Take note of the following values in your Azure application registration. You need these values to configure the OAuth flow in your service or daemon app:
Use the following method in the Microsoft Defender for Endpoint API to pull dete
- Find this value by clicking **View Endpoints** at the bottom of the Azure Management Portal in your app's page. The endpoint will look like `https://login.microsoftonline.com/{tenantId}/oauth2/token`. ## Get an access token+ Before creating calls to the endpoint, you'll need to get an access token. You'll use the access token to access the protected resource, which is detections in Microsoft Defender for Endpoint.
You'll use the access token to access the protected resource, which is detection
To get an access token, you'll need to do a POST request to the token issuing endpoint. Here is a sample request: ```http- POST /72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/token HTTP/1.1 Host: login.microsoftonline.com Content-Type: application/x-www-form-urlencoded resource=https%3A%2F%2Fgraph.windows.net&client_id=35e0f735-5fe4-4693-9e68-3de80f1d3745&client_secret=IKXc6PxB2eoFNJ%2FIT%2Bl2JZZD9d9032VXz6Ul3D2WyUQ%3D&grant_type=client_credentials ```+ The response will include an access token and expiry information. ```json
The response will include an access token and expiry information.
"access_token":"eyJ0eXaioJJOIneiowiouqSuzNiZ345FYOVkaJL0625TueyaJasjhIjEnbMlWqP..." } ```+ You can now use the value in the *access_token* field in a request to the Defender for Endpoint API. ## Request+ With an access token, your app can make authenticated requests to the Microsoft Defender for Endpoint API. Your app must append the access token to the Authorization header of each request. ### Request syntax
-Method | Request URI
-:|:|
-GET| Use the URI applicable for your region. <br><br> **For EU**: `https://wdatp-alertexporter-eu.windows.com/api/alerts` </br> **For US**: `https://wdatp-alertexporter-us.windows.com/api/alerts` <br> **For UK**: `https://wdatp-alertexporter-uk.windows.com/api/alerts`
+
+Method|Request URI
+|
+GET|Use the URI applicable for your region. <p> **For EU**: `https://wdatp-alertexporter-eu.windows.com/api/alerts` <p> **For US**: `https://wdatp-alertexporter-us.windows.com/api/alerts` <p> **For UK**: `https://wdatp-alertexporter-uk.windows.com/api/alerts`
### Request header
-Header | Type | Description|
-:--|:--|:--
-Authorization | string | Required. The Azure AD access token in the form **Bearer** &lt;*token*&gt;. |
+
+Header|Type|Description|
+||
+Authorization|string|Required. The Azure AD access token in the form **Bearer** &lt;*token*&gt;.|
### Request parameters Use optional query parameters to specify and control the amount of data returned in a response. If you call this method without parameters, the response contains all the alerts in your organization in the last 2 hours.
-Name | Value| Description
-:|:|:
-sinceTimeUtc | DateTime | Defines the lower time bound alerts are retrieved from, based on field: <br> `LastProcessedTimeUtc` <br> The time range will be: from sinceTimeUtc time to current time. <br><br> **NOTE**: When not specified, all alerts generated in the last two hours are retrieved.
-untilTimeUtc | DateTime | Defines the upper time bound alerts are retrieved. <br> The time range will be: from `sinceTimeUtc` time to `untilTimeUtc` time. <br><br> **NOTE**: When not specified, the default value will be the current time.
-ago | string | Pulls alerts in the following time range: from `(current_time - ago)` time to `current_time` time. <br><br> Value should be set according to **ISO 8601** duration format <br> Example: `ago=PT10M` will pull alerts received in the last 10 minutes.
-limit | int | Defines the number of alerts to be retrieved. Most recent alerts will be retrieved based on the number defined.<br><br> **NOTE**: When not specified, all alerts available in the time range will be retrieved.
-machinegroups | string | Specifies device groups to pull alerts from. <br><br> **NOTE**: When not specified, alerts from all device groups will be retrieved. <br><br> Example: <br><br> ```https://wdatp-alertexporter-eu.securitycenter.windows.com/api/alerts/?machinegroups=UKMachines&machinegroups=FranceMachines```
-DeviceCreatedMachineTags | string | Single device tag from the registry.
-CloudCreatedMachineTags | string | Device tags that were created in Microsoft Defender Security Center.
+Name|Value|Description
+||
+sinceTimeUtc|DateTime|Defines the lower time bound alerts are retrieved from, based on field: <p> `LastProcessedTimeUtc` <p> The time range will be: from sinceTimeUtc time to current time. <p> **NOTE**: When not specified, all alerts generated in the last two hours are retrieved.
+untilTimeUtc|DateTime|Defines the upper time bound alerts are retrieved. <p> The time range will be: from `sinceTimeUtc` time to `untilTimeUtc` time. <p> **NOTE**: When not specified, the default value will be the current time.
+ago|string|Pulls alerts in the following time range: from `(current_time - ago)` time to `current_time` time. <p> Value should be set according to **ISO 8601** duration format <p> Example: `ago=PT10M` will pull alerts received in the last 10 minutes.
+limit|int|Defines the number of alerts to be retrieved. Most recent alerts will be retrieved based on the number defined.<p> **NOTE**: When not specified, all alerts available in the time range will be retrieved.
+machinegroups|string|Specifies device groups to pull alerts from. <p> **NOTE**: When not specified, alerts from all device groups will be retrieved. <p> Example: <br><br> `https://wdatp-alertexporter-eu.securitycenter.windows.com/api/alerts/?machinegroups=UKMachines&machinegroups=FranceMachines`
+DeviceCreatedMachineTags|string|Single device tag from the registry.
+CloudCreatedMachineTags|string|Device tags that were created in Microsoft Defender Security Center.
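Review bot: the `machinegroups` row was only half converted: its example cell still uses `<br><br>` while every other cell in these tables was moved to `<p>`, and the host in that example, `wdatp-alertexporter-eu.securitycenter.windows.com`, does not match the EU URI the request-syntax table above gives as `https://wdatp-alertexporter-eu.windows.com/api/alerts`; the two should be reconciled so readers copy a working endpoint. The delimiter rows of the request-URI, header and parameter tables appear here as `|`, `||` and `||` with no hyphens; confirm the committed file has a `---` per column, otherwise these render as plain text rather than tables.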
### Request example+ The following example demonstrates how to retrieve all the detections in your organization. ```http
Authorization: Bearer <your access token>
``` ## Response+ The return value is an array of alert objects in JSON format. Here is an example return value:
-```json
+```json
[
-{
+{
"AlertTime": "2020-09-30T14:09:20.35743Z", "ComputerDnsName": "mymachine1.domain.com", "AlertTitle": "Suspicious File Activity",
Here is an example return value:
``` ## Code examples+ ### Get access token+ The following code examples demonstrate how to obtain an access token for calling the Microsoft Defender for Endpoint SIEM API. ```csharp
oAuthUri="https://login.microsoftonline.com/$tenantId/oauth2/token"
scriptDir=$(pwd) apiResponse=$(curl -s X POST "$oAuthUri" -d "resource=$resourceAppIdUri&client_id=$appId&client_secret=$appSecret&\
- grant_type=client_credentials" | cut -d "{" -f2 | cut -d "}" -f1)
+ grant_type=client_credentials"|cut -d "{" -f2|cut -d "}" -f1)
IFS="," apiResponseArr=($apiResponse) IFS=":" tokenArr=(${apiResponseArr[6]})
-echo ${tokenArr[1]} | cut -d "\"" -f2 | cut -d "\"" -f1 >> $scriptDir/LatestSIEM-token.txt
+echo ${tokenArr[1]}|cut -d "\"" -f2|cut -d "\"" -f1 >> $scriptDir/LatestSIEM-token.txt
``` ### Use token to connect to the detections endpoint+ The following code examples demonstrate how to use an access token for calling the Defender for Endpoint SIEM API to get alerts. ```csharp
$dateTime = (Get-Date).ToUniversalTime().AddHours(-200).ToString("o")
$url = 'https://wdatp-alertexporter-us.windows.com/api/alerts?limit=20&sinceTimeUtc=2020-01-01T00:00:00.000' #Set the WebRequest headers
-$headers = @{
+$headers = @{
'Content-Type' = 'application/json' Accept = 'application/json'
- Authorization = "Bearer $token"
+ Authorization = "Bearer $token"
}
-#Send the webrequest and get the results.
+#Send the webrequest and get the results.
$response = Invoke-WebRequest -Method Get -Uri $url -Headers $headers -ErrorAction Stop $response Write-Host
-#Extract the alerts from the results. This works for SIEM API:
-$alerts = $response.Content | ConvertFrom-Json | ConvertTo-Json
+#Extract the alerts from the results. This works for SIEM API:
+$alerts = $response.Content|ConvertFrom-Json|ConvertTo-Json
#Get string with the execution time. We concatenate that string to the output file to avoid overwrite the file
-$dateTimeForFileName = Get-Date -Format o | foreach {$_ -replace ":", "."}
+$dateTimeForFileName = Get-Date -Format o|foreach {$_ -replace ":", "."}
#Save the result as json and as csv
-$outputJsonPath = "$scriptDir\Latest Alerts $dateTimeForFileName.json"
+$outputJsonPath = "$scriptDir\Latest Alerts $dateTimeForFileName.json"
$outputCsvPath = "$scriptDir\Latest Alerts $dateTimeForFileName.csv" Out-File -FilePath $outputJsonPath -InputObject $alerts
-Get-Content -Path $outputJsonPath -Raw | ConvertFrom-Json | Select-Object -ExpandProperty value | Export-CSV $outputCsvPath -NoTypeInformation
+Get-Content -Path $outputJsonPath -Raw|ConvertFrom-Json|Select-Object -ExpandProperty value|Export-CSV $outputCsvPath -NoTypeInformation
``` ```Bash
url='https://wdatp-alertexporter-us.windows.com/api/alerts?limit=20&sinceTimeUtc
#send web requst to API and echo JSON content apiResponse=$(curl -s X GET "$url" -H "Content-Type: application/json" -H "Accept: application/json"\
- -H "Authorization: Bearer $token" | cut -d "[" -f2 | cut -d "]" -f1)
+ -H "Authorization: Bearer $token"|cut -d "[" -f2|cut -d "]" -f1)
echo "If you see Alert info in JSON format, congratulations you accessed the MDATP SIEM API!" echo echo $apiResponse ``` ## Error codes+ The Microsoft Defender for Endpoint REST API returns the following error codes caused by an invalid request.
-HTTP error code | Description
-:|:
-401 | Malformed request or invalid token.
-403 | Unauthorized exception - any of the domains is not managed by the tenant administrator or tenant state is deleted.
-500 | Error in the service.
+HTTP error code|Description
+|
+401|Malformed request or invalid token.
+403|Unauthorized exception - any of the domains is not managed by the tenant administrator or tenant state is deleted.
+500|Error in the service.
## Related topics+ - [Enable SIEM integration in Microsoft Defender for Endpoint](enable-siem-integration.md) - [Configure ArcSight to pull Microsoft Defender for Endpoint detections](configure-arcsight.md) - [Pull detections to your SIEM tools](configure-siem.md)
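Review bot: across the three code snippets in this region the `+` lines strip the spaces around `|` inside fenced code (`|cut -d "{" -f2|cut -d "}" -f1` in the token script, `$response.Content|ConvertFrom-Json|ConvertTo-Json` and the `Export-CSV` pipeline in the PowerShell block, `|cut -d "[" -f2|cut -d "]" -f1` in the GET script). Shell and PowerShell both accept it, but this is the table-cell normalization leaking into code and should be reverted to `| `.

Pre-existing defects on the surrounding context lines are worth fixing in the same pass. Both Bash snippets call `curl -s X POST` / `curl -s X GET` without the dash on `-X`, so `X` and the method name are passed to curl as extra URLs. The token script extracts the token with `IFS` and `apiResponseArr[6]`, which depends on field order in the JSON, and the GET script's `cut -d "]" -f1` keeps only the text up to the first `]`, so any nested array in an alert cuts the output mid-object; `jq -r .access_token` and `jq .` would handle both. In the PowerShell block, `$dateTime` is computed with `AddHours(-200)` but never used because `$url` hardcodes `sinceTimeUtc=2020-01-01T00:00:00.000`, and the CSV step's `Select-Object -ExpandProperty value` looks for a `value` property that the Response section above says is not there (the body is a bare array of alert objects), so the CSV ends up empty. The error-code table's delimiter row also appears as a lone `|`; confirm the source has hyphens.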
security Raw Data Export Storage https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/raw-data-export-storage.md
5. Choose **Forward events to Azure Storage**.
-6. Type your **Storage Account Resource ID**. In order to get your **Storage Account Resource ID**, go to your Storage account page on [Azure portal](https://ms.portal.azure.com/) > properties tab > copy the text under **Storage account resource ID**:
+6. Type your **Storage Account Resource ID**. In order to get your **Storage Account Resource ID**, go to your Storage account page on [Azure portal](https://ms.portal.azure.com/) \> properties tab \> copy the text under **Storage account resource ID**:
![Image of event hub resource ID1.](images/storage-account-resource-id.png)
## The schema of the events in the Storage account -- A blob container will be created for each event type:
+- A blob container will be created for each event type:
![Image of event hub resource ID2.](images/storage-account-event-schema.png) -- The schema of each row in a blob is the following JSON:
+- The schema of each row in a blob is the following JSON:
- ```
+ ```json
{ "time": "<The time WDATP received the event>" "tenantId": "<Your tenant ID>" "category": "<The Advanced Hunting table name with 'AdvancedHunting-' prefix>" "properties": { <WDATP Advanced Hunting event as Json> }
- }
+ }
``` - Each blob contains multiple rows.
In order to get the data types for our events properties do the following:
1. Log in to [Microsoft Defender Security Center](https://securitycenter.windows.com) and go to [Advanced Hunting page](https://securitycenter.windows.com/hunting-package).
-2. Run the following query to get the data types mapping for each event:
+2. Run the following query to get the data types mapping for each event:
``` {EventType} | getschema
- | project ColumnName, ColumnType
+ | project ColumnName, ColumnType
``` -- Here is an example for Device Info event:
+- Here is an example for Device Info event:
![Image of event hub resource ID3.](images/machine-info-datatype-example.png) ## Related topics+ - [Overview of Advanced Hunting](advanced-hunting-overview.md) - [Microsoft Defender for Endpoint Streaming API](raw-data-export.md) - [Stream Microsoft Defender for Endpoint events to your Azure storage account](raw-data-export-storage.md)
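Review bot: the event sample that this hunk now tags as a `json` fence has no commas between the `"time"`, `"tenantId"`, `"category"` and `"properties"` members, so the block is not valid JSON; add them while the fence language is being changed. Separately, all three screenshots carry the alt text `Image of event hub resource ID1.`, `…ID2.` and `…ID3.` although the files are `storage-account-resource-id.png`, `storage-account-event-schema.png` and `machine-info-datatype-example.png`; the alt text was evidently copied from the Event Hub article and should describe the storage-account images instead.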
security Report Monitor Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/report-monitor-microsoft-defender-antivirus.md
Last updated 12/07/2020-+ ms.technology: mde
Microsoft Defender Antivirus is built into Windows 10, Windows Server 2019, and Windows Server 2016. Microsoft Defender Antivirus is of your next-generation protection in Microsoft Defender for Endpoint. Next-generation protection helps protect your devices from software threats like viruses, malware, and spyware across email, apps, the cloud, and the web.
-With Microsoft Defender Antivirus, you have several options for reviewing protection status and alerts. You can use Microsoft Endpoint Manager to [monitor Microsoft Defender Antivirus](/configmgr/protect/deploy-use/monitor-endpoint-protection) or [create email alerts](/configmgr/protect/deploy-use/endpoint-configure-alerts). Or, you can monitor protection using [Microsoft Intune](/intune/introduction-intune).
+With Microsoft Defender Antivirus, you have several options for reviewing protection status and alerts. You can use Microsoft Endpoint Manager to [monitor Microsoft Defender Antivirus](/configmgr/protect/deploy-use/monitor-endpoint-protection) or [create email alerts](/configmgr/protect/deploy-use/endpoint-configure-alerts). Or, you can monitor protection using [Microsoft Intune](/intune/introduction-intune).
Microsoft Operations Management Suite has an [Update Compliance add-in](/windows/deployment/update/update-compliance-get-started) that reports on key Microsoft Defender Antivirus issues, including protection updates and real-time protection settings.
-If you have a third-party security information and event management (SIEM) server, you can also consume [Windows Defender client events](/windows/win32/events/windows-events).
+If you have a third-party security information and event management (SIEM) server, you can also consume [Windows Defender client events](/windows/win32/events/windows-events).
-Windows events comprise several security event sources, including Security Account Manager (SAM) events ([enhanced for Windows 10](/windows/whats-new/whats-new-windows-10-version-1507-and-1511), also see the [Security auditing](/windows/device-security/auditing/security-auditing-overview) topic) and [Windows Defender events](troubleshoot-microsoft-defender-antivirus.md).
+Windows events comprise several security event sources, including Security Account Manager (SAM) events ([enhanced for Windows 10](/windows/whats-new/whats-new-windows-10-version-1507-and-1511), also see the [Security auditing](/windows/device-security/auditing/security-auditing-overview) topic) and [Windows Defender events](troubleshoot-microsoft-defender-antivirus.md).
-These events can be centrally aggregated using the [Windows event collector](/windows/win32/wec/windows-event-collector). Often, SIEM servers have connectors for Windows events, allowing you to correlate all security events in your SIEM server.
+These events can be centrally aggregated using the [Windows event collector](/windows/win32/wec/windows-event-collector). Often, SIEM servers have connectors for Windows events, allowing you to correlate all security events in your SIEM server.
You can also [monitor malware events using the Malware Assessment solution in Log Analytics](/azure/log-analytics/log-analytics-malware).
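Review bot: the opening paragraph, `Microsoft Defender Antivirus is of your next-generation protection in Microsoft Defender for Endpoint`, is missing a word (presumably `is part of`); this hunk only strips trailing whitespace from the paragraphs below it, so the broken sentence survives unchanged and should be fixed in the same pass.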
security Respond File Alerts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/respond-file-alerts.md
Some actions require certain permissions. The following table describes what act
**** |Permission|PE files|Non-PE files|
-|:|::|:-:|
+||::|::|
|View data|X|X| |Alerts investigation|&#x2611;|X| |Live response basic|X|X|
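Review bot: the new header-separator row `||::|::|` drops the dashes from the centre-aligned cells (`:-:` became `::`); confirm the docs renderer accepts a colon-only alignment marker, otherwise keep `:-:` for the PE files and Non-PE files columns so the ☑ and X marks stay centred.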
Files that have been quarantined by Microsoft Defender Antivirus or your securit
The location depends on your organization's geo settings (either EU, UK, or US). A quarantined file will only be collected once per organization. Learn more about Microsoft's data protection from the Service Trust Portal at https://aka.ms/STP.
-Having this setting turned on can help security teams examine potentially bad files and investigate incidents quickly and in a less risky way. However, if you need to turn this setting off, go to **Settings** > **Endpoints** > **Advanced features** > **Download quarantined files** to adjust the setting. [Learn more about advanced features](advanced-features.md)
+Having this setting turned on can help security teams examine potentially bad files and investigate incidents quickly and in a less risky way. However, if you need to turn this setting off, go to **Settings** \> **Endpoints** \> **Advanced features** \> **Download quarantined files** to adjust the setting. [Learn more about advanced features](advanced-features.md)
#### Backing up quarantined files
Users may be prompted to provide explicit consent before backing up the quaranti
This feature will not work if sample submission is turned off. If automatic sample submission is set to request permission from the user, only samples that the user agrees to send will be collected.
->[!IMPORTANT]
->Download quarantined file requirements:
->- Your organization uses Microsoft Defender Antivirus in active mode
->- Antivirus engine version is 1.1.17300.4 or later. See [Monthly platform and engine versions](manage-updates-baselines-microsoft-defender-antivirus.md#monthly-platform-and-engine-versions)
->- CloudΓÇôbased protection is enabled. See [Turn on cloud-delivered protection](enable-cloud-protection-microsoft-defender-antivirus.md)
->- Sample submission is turned on
->- Devices have Windows 10 version 1703 or later, or Windows server 2016 or 2019
+> [!IMPORTANT]
+> Download quarantined file requirements:
+>
+> - Your organization uses Microsoft Defender Antivirus in active mode
+> - Antivirus engine version is 1.1.17300.4 or later. See [Monthly platform and engine versions](manage-updates-baselines-microsoft-defender-antivirus.md#monthly-platform-and-engine-versions)
+> - CloudΓÇôbased protection is enabled. See [Turn on cloud-delivered protection](enable-cloud-protection-microsoft-defender-antivirus.md)
+> - Sample submission is turned on
+> - Devices have Windows 10 version 1703 or later, or Windows server 2016 or 2019
### Collect files
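Review bot: the reflowed requirement list keeps a non-ASCII dash in `CloudΓÇôbased protection` (an en dash, shown here as mojibake); use a plain hyphen, `Cloud-based`, matching the link text `Turn on cloud-delivered protection`. In the same list, `Windows server 2016 or 2019` should read `Windows Server`.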
See [manage indicators](manage-indicators.md) for more details on blocking and r
To stop blocking a file, remove the indicator. You can do so via the **Edit Indicator** action on the file's profile page. This action will be visible in the same position as the **Add Indicator** action, before you added the indicator.
-You can also edit indicators from the **Settings** page, under **Rules** > **Indicators**. Indicators are listed in this area by their file's hash.
+You can also edit indicators from the **Settings** page, under **Rules** \> **Indicators**. Indicators are listed in this area by their file's hash.
## Consult a threat expert
Results of deep analysis are matched against threat intelligence and any matches
Use the deep analysis feature to investigate the details of any file, usually during an investigation of an alert or for any other reason where you suspect malicious behavior. This feature is available within the **Deep analysis** tab, on the file's profile page.
-<br/><br/>
- > [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4aAYy?rel=0] **Submit for deep analysis** is enabled when the file is available in the Defender for Endpoint backend sample collection, or if it was observed on a Windows 10 device that supports submitting to deep analysis.
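Review bot: this hunk deletes both the `<br/><br/>` spacer and the `> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4aAYy?rel=0]` embed under the deep analysis text, and no replacement line is visible; if dropping the video is intentional, say so in the commit message, otherwise re-add the embed without the HTML spacer.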
security Respond Machine Alerts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/respond-machine-alerts.md
The package contains the following folders:
**** |Folder|Description|
-|:|:|
+|||
|Autoruns|Contains a set of files that each represent the content of the registry of a known auto start entry point (ASEP) to help identify attacker's persistency on the device. <p> <div class="alert"><b>NOTE:</b> If the registry key is not found, the file will contain the following message: "ERROR: The system was unable to find the specified registry key or value."<div>| |Installed programs|This .CSV file contains the list of installed programs that can help identify what is currently installed on the device. For more information, see [Win32_Product class](https://go.microsoft.com/fwlink/?linkid=841509).| |Network connections|This folder contains a set of data points related to the connectivity information which can help in identifying connectivity to suspicious URLs, attacker's command and control (C&C) infrastructure, any lateral movement, or remote connections. <ul><li>ActiveNetConnections.txt: Displays protocol statistics and current TCP/IP network connections. Provides the ability to look for suspicious connectivity made by a process.</li><li>Arp.txt: Displays the current address resolution protocol (ARP) cache tables for all interfaces. ARP cache can reveal additional hosts on a network that have been compromised or suspicious systems on the network that might have been used to run an internal attack.</il><li>DnsCache.txt: Displays the contents of the DNS client resolver cache, which includes both entries preloaded from the local Hosts file and any recently obtained resource records for name queries resolved by the computer. This can help in identifying suspicious connections.</li><li>IpConfig.txt: Displays the full TCP/IP configuration for all adapters. Adapters can represent physical interfaces, such as installed network adapters, or logical interfaces, such as dial-up connections.</li><li>FirewallExecutionLog.txt and pfirewall.log</li></ul>|
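Review bot: the Autoruns cell closes its NOTE callout with `<div>` instead of `</div>`, leaving the `<div class="alert">` open for the rest of the table, and the Arp.txt bullet in the Network connections cell ends with `</il>` rather than `</li>`; both sit in this hunk's context and should be fixed while the separator row is being normalised to `|||`.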
security Run Advanced Query Api https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/run-advanced-query-api.md
Title: Advanced Hunting API-+ description: Learn to use the advanced hunting API to run advanced queries on Microsoft Defender for Endpoint. Find out about limitations and see an example. keywords: apis, supported apis, advanced hunting, query search.product: eADQiWindows 10XVcnh
4. The maximal execution time of a single request is 10 minutes.
-5. 429 response will represent reaching quota limit either by number of requests or by CPU. Read response body to understand what limit has been reached.
+5. 429 response will represent reaching quota limit either by number of requests or by CPU. Read response body to understand what limit has been reached.
6. The maximum query result size of a single request cannot exceed 124 MB. If exceeded, HTTP 400 Bad Request with the message "Query execution has exceeded the allowed result size. Optimize your query by limiting the amount of results and try again" will appear.
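Review bot: item 5 is only re-spaced here but still reads awkwardly; since the line is already being touched, reword it to `A 429 response indicates that a quota limit has been reached, either by number of requests or by CPU; read the response body to see which limit applies.`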
POST https://api.securitycenter.microsoft.com/api/advancedqueries/run
```json {
- "Query":"DeviceProcessEvents
+ "Query":"DeviceProcessEvents
|where InitiatingProcessFileName =~ 'powershell.exe' |where ProcessCommandLine contains 'appdata' |project Timestamp, FileName, InitiatingProcessFileName, DeviceId
security Run Analyzer Windows https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/run-analyzer-windows.md
ms.localizationpriority: medium audience: ITPro--- M365-security-compliance -- m365initiative-m365-defender +
+- M365-security-compliance
+- m365initiative-m365-defender
ms.technology: m365d
-# Run the client analyzer on Windows
+# Run the client analyzer on Windows
**Applies to:** - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-1. Download the [MDE Client Analyzer tool](https://aka.ms/mdatpanalyzer) to the
- Windows machine you need to investigate.
+1. Download the [MDE Client Analyzer tool](https://aka.ms/mdatpanalyzer) to the Windows machine you need to investigate.
-2. Extract the contents of MDEClientAnalyzer.zip on the machine.
+2. Extract the contents of MDEClientAnalyzer.zip on the machine.
-3. Open an elevated command line:
+3. Open an elevated command line:
1. Go to **Start** and type **cmd**. 2. Right-click **Command prompt** and select **Run as administrator**.
-4. Enter the following command and press **Enter**:
+4. Enter the following command and press **Enter**:
-```
-HardDrivePath\MDEClientAnalyzer.cmd
-```
+ ```dos
+ HardDrivePath\MDEClientAnalyzer.cmd
+ ```
-**Replace HardDrivePath with the path to which the tool was extracted to, for example:**
+ **Replace HardDrivePath with the path to which the tool was extracted to, for example:**
-`C:\Work\tools\MDATPClientAnalyzer\MDEClientAnalyzer.cmd`
+ ```dos
+ C:\Work\tools\MDATPClientAnalyzer\MDEClientAnalyzer.cmd
+ ```
-In addition to the above, there is also an option to [collect the analyzer
-support logs using live
-response.](troubleshoot-collect-support-log.md).
+In addition to the above, there is also an option to [collect the analyzer support logs using live response.](troubleshoot-collect-support-log.md).
-> [!NOTE]
-> On windows 10, Windows Server 2019 or later OS editions, the client analyzer script calls into an executable file called `MDEClientAnalyzer.exe` to run the connectivity tests to cloud service URLs. <br> <br>
+> [!NOTE]
+> On windows 10, Windows Server 2019 or later OS editions, the client analyzer script calls into an executable file called `MDEClientAnalyzer.exe` to run the connectivity tests to cloud service URLs.
+>
> On Windows 8.1, Windows Server 2016 or previous OS editions, the client analyzer script calls into an executable file called `MDEClientAnalyzerPreviousVersion.exe` to run connectivity tests for Command and Control (CnC) URLs while also calling into Microsoft Monitoring Agent connectivity tool `TestCloudConnection.exe` for Cyber Data channel URLs. ## Result package contents on Windows
-> [!NOTE]
+> [!NOTE]
> The exact files captured may change depending on factors such as:
-> - The version of windows on which the analyzer is run.
-> - Event log channel availability on the machine.
-> - The start state of the EDR sensor (Sense is stopped if machine is not yet
- onboarded).
->- If an advanced troubleshooting parameter was used with the analyzer command.
+>
+> - The version of windows on which the analyzer is run.
+> - Event log channel availability on the machine.
+> - The start state of the EDR sensor (Sense is stopped if machine is not yet onboarded).
+> - If an advanced troubleshooting parameter was used with the analyzer command.
-By default, the unpacked MDEClientAnalyzerResult.zip file will contain the
-following items.
+By default, the unpacked MDEClientAnalyzerResult.zip file will contain the following items.
-- MDEClientAnalyzer.htm \| This is the main HTML output file, which will
- contain the findings and guidance that the analyzer script run on the
- machine can produce.
+- MDEClientAnalyzer.htm
-- SystemInfoLogs [Folder]
+ This is the main HTML output file, which will contain the findings and guidance that the analyzer script run on the machine can produce.
- - AddRemovePrograms.csv <br> Description: List of installed software
- collected from registry.
+- SystemInfoLogs \[Folder\]
+ - AddRemovePrograms.csv
-- AddRemoveProgramsWOW64.csv <br> Description: List of x86 installed software on
- x64 OS software collected from registry.
+ Description: List of x86 installed software on x64 OS software collected from registry.
- - CertValidate.log <br> Description: Detailed result from certificate
- revocation executed by calling into
- [CertUtil](/windows-server/administration/windows-commands/certutil).
+ - AddRemoveProgramsWOW64.csv
- - dsregcmd.txt <br> Description: Output from running
- [dsregcmd](/azure/active-directory/devices/troubleshoot-device-dsregcmd).
- This provides details about the Azure AD status of the machine.
+ Description: List of x86 installed software on x64 OS software collected from registry.
- - IFEO.txt <br> Description: Output of [Image File Execution
- Options](/previous-versions/windows/desktop/xperf/image-file-execution-options)
- configured on the machine
+ - CertValidate.log
- - MDEClientAnalyzer.txt <br> Description: This is verbose text file showing
- with details of the analyzer script execution.
+ Description: Detailed result from certificate revocation executed by calling into [CertUtil](/windows-server/administration/windows-commands/certutil).
- - MDEClientAnalyzer.xml <br> Description: XML format containing the analyzer
- script findings.
+ - dsregcmd.txt
- - RegOnboardedInfoCurrent.Json <br> Description: The onboarded machine
- information gathered in JSON format from the registry.
+ Description: Output from running [dsregcmd](/azure/active-directory/devices/troubleshoot-device-dsregcmd). This provides details about the Azure AD status of the machine.
- - RegOnboardingInfoPolicy.Json <br> Description: The onboarding policy
- configuration gathered in JSON format from the registry.
+ - IFEO.txt
- - SCHANNEL.txt <br> Description: Details about [SCHANNEL
- configuration](/windows-server/security/tls/manage-tls)
- applied to the machine such gathered from registry.
+ Description: Output of [Image File Execution Options](/previous-versions/windows/desktop/xperf/image-file-execution-options) configured on the machine
- - SessionManager.txt <br> Description: Session Manager specific settings
- gather from registry.
+ - MDEClientAnalyzer.txt
- - SSL_00010002.txt <br> Description: Details about [SSL
- configuration](/windows-server/security/tls/manage-tls)
- applied to the machine gathered from registry.
+ Description: This is verbose text file showing with details of the analyzer script execution.
-- EventLogs [Folder]
+ - MDEClientAnalyzer.xml
- - utc.evtx <br> Description: Export of DiagTrack event log
+ Description: XML format containing the analyzer script findings.
- - senseIR.evtx <br> Description: Export of the Automated Investigation event
- log
+ - RegOnboardedInfoCurrent.Json
- - sense.evtx <br> Description: Export of the Sensor main event log
+ Description: The onboarded machine information gathered in JSON format from the registry.
- - OperationsManager.evtx <br> Description: Export of the Microsoft
- Monitoring Agent event log
+ - RegOnboardingInfoPolicy.Json
+ Description: The onboarding policy configuration gathered in JSON format from the registry.
+
+ - SCHANNEL.txt
+
+ Description: Details about [SCHANNEL configuration](/windows-server/security/tls/manage-tls) applied to the machine such gathered from registry.
+
+ - SessionManager.txt
+
+ Description: Session Manager specific settings gather from registry.
+
+ - SSL_00010002.txt
+
+ Description: Details about [SSL configuration](/windows-server/security/tls/manage-tls) applied to the machine gathered from registry.
+
+- EventLogs [Folder]
+
+ - utc.evtx
+
+ Description: Export of DiagTrack event log
+
+ - senseIR.evtx
+
+ Description: Export of the Automated Investigation event log
+
+ - sense.evtx
+
+ Description: Export of the Sensor main event log
+
+ - OperationsManager.evtx
+
+ Description: Export of the Microsoft Monitoring Agent event log
## See also+ - [Client analyzer overview](overview-client-analyzer.md) - [Download and run the client analyzer](download-client-analyzer.md) - [Data collection for advanced troubleshooting on Windows](data-collection-analyzer.md)
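Review bot: the restructured SystemInfoLogs list gives `AddRemovePrograms.csv` the wrong description. The removed text was `List of installed software collected from registry`, but the new entry reads `Description: List of x86 installed software on x64 OS software collected from registry`, which is the `AddRemoveProgramsWOW64.csv` description repeated; restore the original wording for the first file. Also: `SystemInfoLogs \[Folder\]` escapes the brackets while `EventLogs [Folder]` does not; the live-response link text ends with a period and is followed by another, producing `..`; and the carried-over phrases `This is verbose text file showing with details`, `such gathered from registry` and `gather from registry` could be tidied (`This verbose text file shows details of…`, `gathered from the registry`) now that every line is being rewrapped.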
security Run Detection Test https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/run-detection-test.md
localization_priority: Normal audience: ITPro-+ - m365-security-compliance - m365initiative-defender-endpoint ms.technology: mde
-# Run a detection test on a newly onboarded Microsoft Defender for Endpoint device
+# Run a detection test on a newly onboarded Microsoft Defender for Endpoint device
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
ms.technology: mde
> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink)
-Onboarding devices is the method of adding devices to the Microsoft Defender for Endpoint service. It allows devices to report signals to the service.
+Onboarding devices is the method of adding devices to the Microsoft Defender for Endpoint service. It allows devices to report signals to the service.
-Verifying that a device has been successfully added to the service is an important step in the entire deployment process.
+Verifying that a device has been successfully added to the service is an important step in the entire deployment process.
## Verify onboarding using a detection test+ Run the following PowerShell script on a newly onboarded device to verify that it is properly reporting to the Defender for Endpoint service.
-1. Create a folder: 'C:\test-MDATP-test'.
+1. Create a folder: 'C:\test-MDATP-test'.
2. Open an elevated command-line prompt on the device and run the script: 1. Go to **Start** and type **cmd**.
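Review bot: a stray `ms.technology: mde` line sits in the body directly after the `[!INCLUDE …microsoft-defender.md]` line; it duplicates the frontmatter key already present above and will render as literal text, so remove it while the surrounding whitespace is being cleaned.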
Run the following PowerShell script on a newly onboarded device to verify that i
The Command Prompt window will close automatically. If successful, the detection test will be marked as completed and a new alert will appear in the portal for the onboarded device in approximately 10 minutes. ## Related topics+ - [Onboard Windows 10 devices](configure-endpoints.md) - [Onboard servers](configure-server-endpoints.md) - [Troubleshoot Microsoft Defender for Endpoint onboarding issues](/microsoft-365/security/defender-endpoint/troubleshoot-onboarding)
security Run Live Response https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/run-live-response.md
localization_priority: normal audience: ITPro--- M365-security-compliance -- m365initiative-m365-defender +
+- M365-security-compliance
+- m365initiative-m365-defender
MS.technology: mde
-# Run live response commands on a device
+# Run live response commands on a device
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
Runs a sequence of live response commands on a device
## Limitations
-1. Rate limitations for this API are 10 calls per minute (additional requests
- are responded with HTTP 429).
+1. Rate limitations for this API are 10 calls per minute (additional requests are responded with HTTP 429).
-2. 25 concurrently running sessions (requests exceeding the throttling limit will receive a "429 - Too many requests" response).
+2. 25 concurrently running sessions (requests exceeding the throttling limit will receive a "429 - Too many requests" response).
-3. If the machine is not available, the session will be queued for up to 3 days.
+3. If the machine is not available, the session will be queued for up to 3 days.
-4. RunScript command timeouts after 10 minutes.
+4. RunScript command timeouts after 10 minutes.
-5. Live response commands cannot be queued up and can only be executed one at a time.
+5. Live response commands cannot be queued up and can only be executed one at a time.
-6. If the machine that you are trying to run this API call is in an RBAC device group that does not have an automated remediation level assigned to it, you'll need to at least enable the minimum Remediation Level for a given Device Group.
+6. If the machine that you are trying to run this API call is in an RBAC device group that does not have an automated remediation level assigned to it, you'll need to at least enable the minimum Remediation Level for a given Device Group.
-7. Multiple live response commands can be run on a single API call. However, when a live response command fails all the subsequent actions will not be
- executed.
+7. Multiple live response commands can be run on a single API call. However, when a live response command fails all the subsequent actions will not be executed.
## Minimum Requirements
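Review bot: the limitation items are rewrapped but keep their grammar slips; as the lines are changing anyway, make item 4 `The RunScript command times out after 10 minutes`, item 1 `additional requests receive HTTP 429`, and item 7 `when a live response command fails, the subsequent actions are not executed`.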
Before you can initiate a session on a device, make sure you fulfill the followi
- **Windows Server 2019 - Only applicable for Public preview** - Version 1903 or (with [KB4515384](https://support.microsoft.com/help/4515384/windows-10-update-kb4515384)) later - Version 1809 (with [KB4537818](https://support.microsoft.com/help/4537818/windows-10-update-kb4537818))
-
+ ## Permissions
-One of the following permissions is required to call this API. To learn more,
-including how to choose permissions, see [Get started](apis-intro.md).
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Get started](apis-intro.md).
|Permission type|Permission|Permission display name| ||||
POST https://api.securitycenter.microsoft.com/API/machines/{machine_id}/runliver
|Comment|String|Comment to associate with the action.| |Commands|Array|Commands to run. Allowed values are PutFile, RunScript, GetFile.|
-**Commands**:
+## Commands
|Command Type|Parameters|Description| ||||
security Schedule Antivirus Scans Group Policy https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/schedule-antivirus-scans-group-policy.md
This article describes how to configure scheduled scans using Group Policy. To l
## Configure antivirus scans using Group Policy
-1. On your Group Policy management machine, in the Group Policy Editor, go to **Computer configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Scan**.
+1. On your Group Policy management machine, in the Group Policy Editor, go to **Computer configuration** \> **Administrative Templates** \> **Windows Components** \> **Microsoft Defender Antivirus** \> **Scan**.
2. Right-click the Group Policy Object you want to configure, and then select **Edit**.
security Schedule Antivirus Scans https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/schedule-antivirus-scans.md
In addition to always-on, real-time protection and [on-demand antivirus](run-sca
## Keep the following points in mind -- By default, Microsoft Defender Antivirus checks for an update 15 minutes before the time of any scheduled scans. You can [Manage the schedule for when protection updates should be downloaded and applied](manage-protection-update-schedule-microsoft-defender-antivirus.md) to override this default.
+- By default, Microsoft Defender Antivirus checks for an update 15 minutes before the time of any scheduled scans. You can [Manage the schedule for when protection updates should be downloaded and applied](manage-protection-update-schedule-microsoft-defender-antivirus.md) to override this default.
- If a device is unplugged and running on battery during a scheduled full scan, the scheduled scan will stop with event 1002, which states that the scan stopped before completion. Microsoft Defender Antivirus will run a full scan at the next scheduled time. ## Quick scan, full scan, and custom scan
-When you set up scheduled scans, you can specify whether the scan should be a full or quick scan. In most cases, a quick scan is recommended.
+When you set up scheduled scans, you can specify whether the scan should be a full or quick scan. In most cases, a quick scan is recommended.
-| Quick scan | Full scan | Custom scan |
-||||
-| (Recommended) A quick scan looks at all the locations where there could be malware registered to start with the system, such as registry keys and known Windows startup folders. <p>Combined with always-on, real-time protection, which reviews files when they are opened and closed, and whenever a user navigates to a folder, a quick scan helps provide strong protection against malware that starts with the system and kernel-level malware. <p>In most cases, a quick scan is sufficient and is the recommended option for scheduled scans. | A full scan starts by running a quick scan and then continues with a sequential file scan of all mounted fixed disks and removable/network drives (if the full scan is configured to do so). <p>A full scan can take a few hours or days to complete, depending on the amount and type of data that needs to be scanned.<p>When the full scan is complete, new security intelligence is available, and a new scan is then required to make sure that no other threats are detected with the new security intelligence. <p>Because of the time and resources involved in a full scan, in general, Microsoft does not recommend scheduling full scans. | A custom scan is a quick scan that runs on the files and folders you specify. For example, you can opt to scan a USB drive, or a specific folder on your device's local drive. <p> |
+<br>
+
+****
+
+|Quick scan|Full scan|Custom scan|
+||||
+|(Recommended) A quick scan looks at all the locations where there could be malware registered to start with the system, such as registry keys and known Windows startup folders. <p> Combined with always-on, real-time protection, which reviews files when they are opened and closed, and whenever a user navigates to a folder, a quick scan helps provide strong protection against malware that starts with the system and kernel-level malware. <p> In most cases, a quick scan is sufficient and is the recommended option for scheduled scans.|A full scan starts by running a quick scan and then continues with a sequential file scan of all mounted fixed disks and removable/network drives (if the full scan is configured to do so). <p> A full scan can take a few hours or days to complete, depending on the amount and type of data that needs to be scanned. <p> When the full scan is complete, new security intelligence is available, and a new scan is then required to make sure that no other threats are detected with the new security intelligence. <p> Because of the time and resources involved in a full scan, in general, Microsoft does not recommend scheduling full scans.|A custom scan is a quick scan that runs on the files and folders you specify. For example, you can opt to scan a USB drive, or a specific folder on your device's local drive.|
+|
> [!NOTE] > By default, quick scans run on mounted removable devices, such as USB drives.
When you set up scheduled scans, you can specify whether the scan should be a fu
Use the following table to choose a scan type.
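Review bot: the lone `|` added after the Custom scan row (the last `+` line of the table) is a stray table row, and the `****` line added above the table is a markdown thematic break, so this prelude renders a horizontal rule above every table touched in this change; drop the lone `|` and confirm the rule is intended. The delimiter row `||||` also has no dashes, while other tables in this change use the `|--|--|` form; use the dashed form so the table is recognised by every markdown processor, not only the docs renderer.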
-| Scenario | Recommended scan type |
-|||
-| You want to set up regular, scheduled scans | Quick scan <p>A quick scan checks the processes, memory, profiles, and certain locations on the device. Combined with [always-on real-time protection](configure-real-time-protection-microsoft-defender-antivirus.md), a quick scan helps provide strong coverage both for malware that starts with the system and kernel-level malware. Real-time protection reviews files when they are opened and closed, and whenever a user navigates to a folder. |
-| Threats, such as malware, are detected on an individual device | Quick scan <p>In most cases, a quick scan will catch and clean up detected malware. |
-| You want to run an [on-demand scan](run-scan-microsoft-defender-antivirus.md) | Quick scan |
-| You want to make sure a portable device, such as a USB drive, does not contain malware | Custom scan <p>A custom scan enables you to select specific locations, folders, or files, and runs a quick scan. |
+<br>
+
+****
+
+|Scenario|Recommended scan type|
+|||
+|You want to set up regular, scheduled scans|Quick scan <p> A quick scan checks the processes, memory, profiles, and certain locations on the device. Combined with [always-on real-time protection](configure-real-time-protection-microsoft-defender-antivirus.md), a quick scan helps provide strong coverage both for malware that starts with the system and kernel-level malware. Real-time protection reviews files when they are opened and closed, and whenever a user navigates to a folder.|
+|Threats, such as malware, are detected on an individual device|Quick scan <p> In most cases, a quick scan will catch and clean up detected malware.|
+|You want to run an [on-demand scan](run-scan-microsoft-defender-antivirus.md)|Quick scan|
+|You want to make sure a portable device, such as a USB drive, does not contain malware|Custom scan <p> A custom scan enables you to select specific locations, folders, or files, and runs a quick scan.|
+|
## What else do I need to know about quick and full scans?
Use the following table to choose a scan type.
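Review bot: the same trailing lone `|` row follows the Scenario table; remove it. In the scheduled-scans row, "strong coverage both for malware that starts with the system and kernel-level malware" misplaces "both"; since the line is rewritten here, make it "strong coverage for both malware that starts with the system and kernel-level malware".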
- A full scan can detect malicious files that were not detected by other scans, such as a quick scan. However, a full scan can take a while and use valuable system resources to complete. -- If a device is offline for an extended period of time, a full scan can take longer to complete. -
+- If a device is offline for an extended period of time, a full scan can take longer to complete.
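Review bot: the removed lines drop the bullet "A full scan can detect malicious files that were not detected by other scans, such as a quick scan. However, a full scan can take a while and use valuable system resources to complete.", but the only visible `+` line re-adds the "device is offline" bullet; if this hunk was meant only to split the run-together list, restore the first bullet as its own item, since it states the one reason to run a full scan at all and the trade-off that goes with it.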
security Software https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/software.md
[!include[Improve request performance](../../includes/improve-request-performance.md)] - [!include[Prerelease information](../../includes/prerelease.md)] ## Methods
-Method |Return Type |Description
-:|:|:
-[List software](get-software.md) | Software collection | List the organizational software inventory.
-[Get software by Id](get-software-by-id.md) | Software | Get a specific software by its software ID.
-[List software version distribution](get-software-ver-distribution.md)| Distribution collection | List software version distribution by software ID.
-[List machines by software](get-machines-by-software.md)| MachineRef collection | Retrieve a list of devices that are associated with the software ID.
-[List vulnerabilities by software](get-vuln-by-software.md) | [Vulnerability](vulnerability.md) collection | Retrieve a list of vulnerabilities associated with the software ID.
-[Get missing KBs](get-missing-kbs-software.md) | KB collection | Get a list of missing KBs associated with the software ID
+<br>
+
+****
+
+|Method|Return Type|Description|
+||||
+|[List software](get-software.md)|Software collection|List the organizational software inventory.|
+|[Get software by Id](get-software-by-id.md)|Software|Get a specific software by its software ID.|
+|[List software version distribution](get-software-ver-distribution.md)|Distribution collection|List software version distribution by software ID.|
+|[List machines by software](get-machines-by-software.md)|MachineRef collection|Retrieve a list of devices that are associated with the software ID.|
+|[List vulnerabilities by software](get-vuln-by-software.md)|[Vulnerability](vulnerability.md) collection|Retrieve a list of vulnerabilities associated with the software ID.|
+|[Get missing KBs](get-missing-kbs-software.md)|KB collection|Get a list of missing KBs associated with the software ID|
+|
## Properties
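Review bot: the `Get missing KBs` row is the only one whose description has no terminating period; add it. The lone `|` line after the last row should go too, as with the other tables in this change, and the `||||` delimiter row should carry dashes.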
-Property | Type | Description
-:|:|:
-id | String | Software ID
-Name | String | Software name
-Vendor | String | Software vendor name
-Weaknesses | Long | Number of discovered vulnerabilities
-publicExploit | Boolean | Public exploit exists for some of the vulnerabilities
-activeAlert | Boolean | Active alert is associated with this software
-exposedMachines | Long | Number of exposed devices
-impactScore | Double | Exposure score impact of this software
+<br>
+
+****
+
+|Property|Type|Description|
+||||
+|id|String|Software ID|
+|Name|String|Software name|
+|Vendor|String|Software vendor name|
+|Weaknesses|Long|Number of discovered vulnerabilities|
+|publicExploit|Boolean|Public exploit exists for some of the vulnerabilities|
+|activeAlert|Boolean|Active alert is associated with this software|
+|exposedMachines|Long|Number of exposed devices|
+|impactScore|Double|Exposure score impact of this software|
+|
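Review bot: property-name casing is inconsistent in the table: `id`, `publicExploit`, `activeAlert`, `exposedMachines` and `impactScore` are camelCase, but `Name`, `Vendor` and `Weaknesses` are capitalised. These are JSON field names that API clients match on, so check them against an actual response and use one casing throughout; the mixed case reads as an error in the three capitalised rows rather than a real difference on the wire. Remove the trailing lone `|` row as well.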
security Specify Additional Definitions Network Traffic Inspection Mdav https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/specify-additional-definitions-network-traffic-inspection-mdav.md
localization_priority: Normal
Last updated 05/07/2021-+ ms.technology: mde
You can specify additional definition sets for network traffic inspection using
1. On your Group Policy management endpoint, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)).
-2. Go to **Windows Components** > **Microsoft Defender Antivirus** > **Network Inspection System**.
+2. Go to **Windows Components** \> **Microsoft Defender Antivirus** \> **Network Inspection System**.
-3. Select **Specify additional definition sets for network traffic inspection**. By default, this policy is set to **Not configured**.
+3. Select **Specify additional definition sets for network traffic inspection**. By default, this policy is set to **Not configured**.
4. To edit the policy, select the **edit policy setting** link. 5. Select **Enabled**, and then in the **Options** section, select **Show...**.
-6. Add entries to the list, and then select **OK**.
+6. Add entries to the list, and then select **OK**.
- Each entry must be listed as a name-value pair, where the name is a string representation of a definition set GUID. As an example, the definition set GUID to enable test security intelligence is defined as: `{b54b6ac9-a737-498e-9120-6616ad3bf590}`. The value is not used, so we recommend setting it to `0`.
+ Each entry must be listed as a name-value pair, where the name is a string representation of a definition set GUID. As an example, the definition set GUID to enable test security intelligence is defined as: `{b54b6ac9-a737-498e-9120-6616ad3bf590}`. The value is not used, so we recommend setting it to `0`.
7. Select **OK**, and then deploy your updated Group Policy Object. See [Group Policy Management Console](/windows/win32/srvnodes/group-policy). > [!TIP]
-> Are you using Group Policy Objects on premises? See how they translate in the cloud. [Analyze your on-premises group policy objects using Group Policy analytics in Microsoft Endpoint Manager - Preview](/mem/intune/configuration/group-policy-analytics).
-
+> Are you using Group Policy Objects on premises? See how they translate in the cloud. [Analyze your on-premises group policy objects using Group Policy analytics in Microsoft Endpoint Manager - Preview](/mem/intune/configuration/group-policy-analytics).
+ ## Related articles - [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
-
- [Enable cloud-delivered protection](enable-cloud-protection-microsoft-defender-antivirus.md)- - [How to create and deploy antimalware policies: Cloud-protection service](/configmgr/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service)
security Specify Cloud Protection Level Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/specify-cloud-protection-level-microsoft-defender-antivirus.md
Cloud protection works together with Microsoft Defender Antivirus to deliver pro
1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in.
-2. Choose **Endpoint security** > **Antivirus**.
+2. Choose **Endpoint security** \> **Antivirus**.
3. Select an antivirus profile. (If you don't have one yet, or if you want to create a new profile, see [Configure device restriction settings in Microsoft Intune](/intune/device-restrictions-configure).
Cloud protection works together with Microsoft Defender Antivirus to deliver pro
- **High plus**: Uses the **High** level and applies extra protection measures (might affect client performance). - **Zero tolerance**: Blocks all unknown executables.
-6. Choose **Review + save**, and then choose **Save**.
+6. Choose **Review + save**, and then choose **Save**.
> [!TIP] > Need some help? See the following resources:
+>
> - [Configure Endpoint Protection](/mem/configmgr/protect/deploy-use/endpoint-protection-configure) > - [Add endpoint protection settings in Intune](/mem/intune/protect/endpoint-protection-configure)
-
## Use Group Policy to specify the level of cloud protection
-1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)).
+1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)).
2. Right-click the Group Policy Object you want to configure, and then select **Edit**.
-3. In the **Group Policy Management Editor** go to **Computer Configuration** > **Administrative templates**.
-
-4. Expand the tree to **Windows Components** > **Microsoft Defender Antivirus** > **MpEngine**.
+3. In the **Group Policy Management Editor** go to **Computer Configuration** \> **Administrative templates**.
-5. Double-click the **Select cloud protection level** setting and set it to **Enabled**. Select the level of protection:
+4. Expand the tree to **Windows Components** \> **Microsoft Defender Antivirus** \> **MpEngine**.
+5. Double-click the **Select cloud protection level** setting and set it to **Enabled**. Select the level of protection:
- **Default blocking level** provides strong detection without increasing the risk of detecting legitimate files. - **Moderate blocking level** provides moderate only for high confidence detections - **High blocking level** applies a strong level of detection while optimizing client performance (but can also give you a greater chance of false positives).
security Supported Response Apis https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/supported-response-apis.md
Title: Supported Microsoft Defender for Endpoint response APIs
-description: Learn about the specific response-related Microsoft Defender for Endpoint API calls.
+ Title: Supported Microsoft Defender for Endpoint response APIs
+description: Learn about the specific response-related Microsoft Defender for Endpoint API calls.
keywords: response apis, graph api, supported apis, actor, alerts, device, user, domain, ip, file search.product: eADQiWindows 10XVcnh search.appverid: met150
localization_priority: Normal audience: ITPro-+
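Review bot: the added `+ Title:` line has a leading space and repeats the `Title:` context line directly above it; a front-matter key indented by one space breaks YAML parsing, and a duplicate key is at best silently ignored and at worst a parse error, so drop the second `Title:` line or fix the indentation before merging.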
-# Supported Microsoft Defender for Endpoint query APIs
+# Supported Microsoft Defender for Endpoint query APIs
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
Learn about the supported response-related API calls you can run and details such as the required request headers, and expected response from the calls. ## In this section
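Review bot: the H1 in this hunk still reads "Supported Microsoft Defender for Endpoint query APIs" while the front-matter title, description and the intro sentence all say response APIs; since the line is rewritten here, change "query APIs" to "response APIs" so the page heading matches its content.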
-Topic | Description
-:|:
-Collect investigation package | Run this API to collect an investigation package from a device.
-Isolate device | Run this API to isolate a device from the network.
-Unisolate device | Remove a device from isolation.
-Restrict code execution | Run this API to contain an attack by stopping malicious processes. You can also lock down a device and prevent subsequent attempts of potentially malicious programs from running.
-Unrestrict code execution | Run this to reverse the restriction of applications policy after you have verified that the compromised device has been remediated.
-Run antivirus scan | Remotely initiate an antivirus scan to help identify and remediate malware that might be present on a compromised device.
-Stop and quarantine file | Run this call to stop running processes, quarantine files, and delete persistency such as registry keys.
-Request sample | Run this call to request a sample of a file from a specific device. The file will be collected from the device and uploaded to a secure storage.
-Block file | Run this API to prevent further propagation of an attack in your organization by banning potentially malicious files or suspected malware.
-Unblock file | Allow a file run in the organization using Microsoft Defender Antivirus.
-Get package SAS URI | Run this API to get a URI that allows downloading an investigation package.
-Get MachineAction object | Run this API to get MachineAction object.
-Get MachineActions collection | Run this to get MachineAction collection.
-Get FileActions collection | Run this API to get FileActions collection.
-Get FileMachineAction object | Run this API to get FileMachineAction object.
-Get FileMachineActions collection | Run this API to get FileMachineAction collection.
+
+<br>
+
+****
+
+|Topic|Description|
+|||
+|Collect investigation package|Run this API to collect an investigation package from a device.|
+|Isolate device|Run this API to isolate a device from the network.|
+|Unisolate device|Remove a device from isolation.|
+|Restrict code execution|Run this API to contain an attack by stopping malicious processes. You can also lock down a device and prevent subsequent attempts of potentially malicious programs from running.|
+|Unrestrict code execution|Run this to reverse the restriction of applications policy after you have verified that the compromised device has been remediated.|
+|Run antivirus scan|Remotely initiate an antivirus scan to help identify and remediate malware that might be present on a compromised device.|
+|Stop and quarantine file|Run this call to stop running processes, quarantine files, and delete persistency such as registry keys.|
+|Request sample|Run this call to request a sample of a file from a specific device. The file will be collected from the device and uploaded to a secure storage.|
+|Block file|Run this API to prevent further propagation of an attack in your organization by banning potentially malicious files or suspected malware.|
+|Unblock file|Allow a file run in the organization using Microsoft Defender Antivirus.|
+|Get package SAS URI|Run this API to get a URI that allows downloading an investigation package.|
+|Get MachineAction object|Run this API to get MachineAction object.|
+|Get MachineActions collection|Run this to get MachineAction collection.|
+|Get FileActions collection|Run this API to get FileActions collection.|
+|Get FileMachineAction object|Run this API to get FileMachineAction object.|
+|Get FileMachineActions collection|Run this API to get FileMachineAction collection.|
+|
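Review bot: in the `Unblock file` row, "Allow a file run in the organization" is missing "to" ("Allow a file to run"); fix it while the row is being rewritten. The `Get MachineAction object` and collection rows also lack articles ("get the MachineAction object", "get the MachineAction collection"). Remove the trailing lone `|` row and, as for the other tables in this change, add dashes to the `|||` delimiter row.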
security Switch To Microsoft Defender Migration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/switch-to-microsoft-defender-migration.md
localization_priority: Normal audience: ITPro-+ - M365-security-compliance - m365solution-migratetomdatp - m365solution-overview
The process of migrating to Defender for Endpoint can be divided into three phas
![MDE migration process.](images/phase-diagrams/migration-phases.png)
-|Phase |Description |
+|Phase|Description|
|--|--|
-|[Prepare for your migration](switch-to-microsoft-defender-prepare.md) |During [the **Prepare** phase](switch-to-microsoft-defender-prepare.md): <br/>1. Update your organization's devices. <br/>2. Get Defender for Endpoint. <br/>3. Plan roles and permissions, and grant access to the Microsoft 365 Defender portal. <br/>4. Configure your device proxy and internet settings to enable communication between your organization's devices and Defender for Endpoint. |
-|[Set up Defender for Endpoint](switch-to-microsoft-defender-setup.md) |During [the **Setup** phase](switch-to-microsoft-defender-setup.md): <br/>1. Enable/reinstall Microsoft Defender Antivirus, and set it to passive mode. <br/>2. Configure Defender for Endpoint. <br/>3. Add Defender for Endpoint to the exclusion list for your existing solution. <br/>4. Add your existing solution to the exclusion list for Microsoft Defender Antivirus. <br/>5. Set up your device groups, collections, and organizational units. <br/>6. Configure your antimalware policies and real-time protection settings.|
-|[Onboard to Defender for Endpoint](switch-to-microsoft-defender-onboard.md) |During [the **Onboard** phase](switch-to-microsoft-defender-onboard.md): <br/>1. Onboard your devices to Defender for Endpoint. <br/>2. Run a detection test. <br/>3. Confirm that Microsoft Defender Antivirus is running in passive mode. <br/>4. Get updates for Microsoft Defender Antivirus. <br/>5. Uninstall your existing endpoint protection solution. <br/>6. Make sure that Defender for Endpoint working correctly. |
+|[Prepare for your migration](switch-to-microsoft-defender-prepare.md)|During [the **Prepare** phase](switch-to-microsoft-defender-prepare.md): <ol><li>Update your organization's devices.</li><li>Get Defender for Endpoint.</li><li>Plan roles and permissions, and grant access to the Microsoft 365 Defender portal.</li><li>Configure your device proxy and internet settings to enable communication between your organization's devices and Defender for Endpoint.</li></ol>|
+|[Set up Defender for Endpoint](switch-to-microsoft-defender-setup.md)|During [the **Setup** phase](switch-to-microsoft-defender-setup.md): <ol><li>Enable/reinstall Microsoft Defender Antivirus, and set it to passive mode.</li><li> Configure Defender for Endpoint.</li><li>Add Defender for Endpoint to the exclusion list for your existing solution.</li><li>Add your existing solution to the exclusion list for Microsoft Defender Antivirus.</li><li>Set up your device groups, collections, and organizational units.</li><li>Configure your antimalware policies and real-time protection settings.</li></ol>|
+|[Onboard to Defender for Endpoint](switch-to-microsoft-defender-onboard.md)|During [the **Onboard** phase](switch-to-microsoft-defender-onboard.md): <ol><li>Onboard your devices to Defender for Endpoint.</li><li>Run a detection test.</li><li>Confirm that Microsoft Defender Antivirus is running in passive mode.</li><li>Get updates for Microsoft Defender Antivirus.</li><li>Uninstall your existing endpoint protection solution.</li><li>Make sure that Defender for Endpoint working correctly.</li></ol>|
## What's included in Microsoft Defender for Endpoint?
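Review bot: the Onboard row keeps "Make sure that Defender for Endpoint working correctly", which is missing "is"; since this hunk rewrites that cell, make it "Make sure that Defender for Endpoint is working correctly". In the Setup row, `<li> Configure Defender for Endpoint</li>` has a stray leading space unlike its sibling items. The switch from `<br/>1.` to `<ol><li>` is the right fix for numbered steps inside a cell.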
-In this migration guide, we focus on [next-generation protection](microsoft-defender-antivirus-in-windows-10.md) and [endpoint detection and response](overview-endpoint-detection-response.md) capabilities as a starting point for moving to Defender for Endpoint. However, Defender for Endpoint includes much more than antivirus and endpoint protection. Defender for Endpoint is a unified platform for preventative protection, post-breach detection, automated investigation, and response. The following table summarizes features and capabilities in Defender for Endpoint.
+In this migration guide, we focus on [next-generation protection](microsoft-defender-antivirus-in-windows-10.md) and [endpoint detection and response](overview-endpoint-detection-response.md) capabilities as a starting point for moving to Defender for Endpoint. However, Defender for Endpoint includes much more than antivirus and endpoint protection. Defender for Endpoint is a unified platform for preventative protection, post-breach detection, automated investigation, and response. The following table summarizes features and capabilities in Defender for Endpoint.
-| Feature/Capability | Description |
+<br/><br/>
+
+|Feature/Capability|Description|
|||
-| [Threat & vulnerability management](next-gen-threat-and-vuln-mgt.md) | Threat & vulnerability management capabilities help identify, assess, and remediate weaknesses across your endpoints (such as devices). |
-| [Attack surface reduction](overview-attack-surface-reduction.md) | Attack surface reduction rules help protect your organization's devices and applications from cyberthreats and attacks. |
-| [Next-generation protection](microsoft-defender-antivirus-in-windows-10.md) | Next-generation protection includes Microsoft Defender Antivirus to help block threats and malware. |
-| [Endpoint detection and response](overview-endpoint-detection-response.md) | Endpoint detection and response capabilities detect, investigate, and respond to intrusion attempts and active breaches. |
-| [Advanced hunting](advanced-hunting-overview.md) | Advanced hunting capabilities enable your security operations team to locate indicators and entities of known or potential threats. |
-| [Behavioral blocking and containment](behavioral-blocking-containment.md) | Behavioral blocking and containment capabilities help identify and stop threats, based on their behaviors and process trees even when the threat has started execution. |
-| [Automated investigation and remediation](automated-investigations.md) | Automated investigation and response capabilities examine alerts and take immediate remediation action to resolve breaches. |
-| [Threat hunting service](microsoft-threat-experts.md) (Microsoft Threat Experts) | Threat hunting services provide security operations teams with expert level monitoring and analysis, and to help ensure that critical threats aren't missed. |
+|[Threat & vulnerability management](next-gen-threat-and-vuln-mgt.md)|Threat & vulnerability management capabilities help identify, assess, and remediate weaknesses across your endpoints (such as devices).|
+|[Attack surface reduction](overview-attack-surface-reduction.md)|Attack surface reduction rules help protect your organization's devices and applications from cyberthreats and attacks.|
+|[Next-generation protection](microsoft-defender-antivirus-in-windows-10.md)|Next-generation protection includes Microsoft Defender Antivirus to help block threats and malware.|
+|[Endpoint detection and response](overview-endpoint-detection-response.md)|Endpoint detection and response capabilities detect, investigate, and respond to intrusion attempts and active breaches.|
+|[Advanced hunting](advanced-hunting-overview.md)|Advanced hunting capabilities enable your security operations team to locate indicators and entities of known or potential threats.|
+|[Behavioral blocking and containment](behavioral-blocking-containment.md)|Behavioral blocking and containment capabilities help identify and stop threats, based on their behaviors and process trees even when the threat has started execution.|
+|[Automated investigation and remediation](automated-investigations.md)|Automated investigation and response capabilities examine alerts and take immediate remediation action to resolve breaches.|
+|[Threat hunting service](microsoft-threat-experts.md) (Microsoft Threat Experts)|Threat hunting services provide security operations teams with expert level monitoring and analysis, and to help ensure that critical threats aren't missed.|
**Want to learn more? See [Defender for Endpoint](microsoft-defender-endpoint.md).**
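Review bot: in the Threat hunting service row, "expert level monitoring and analysis, and to help ensure that critical threats aren't missed" leaves "to help" dangling; since the row is rewritten here, make it "expert-level monitoring and analysis, and help ensure that critical threats aren't missed". The `<br/><br/>` added before the table is unnecessary; a blank line is all the table needs to be recognised.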
security Switch To Microsoft Defender Onboard https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/switch-to-microsoft-defender-onboard.md
localization_priority: Normal audience: ITPro-+ - M365-security-compliance - m365solution-migratetomdatp - m365solution-mcafeemigrate
|--|--|--| || |*You are here!* | - **Welcome to Phase 3 of [switching to Defender for Endpoint](switch-to-microsoft-defender-migration.md#the-migration-process)**. This migration phase includes the following steps: 1. [Onboard devices to Defender for Endpoint](#onboard-devices-to-microsoft-defender-for-endpoint). 2. [Run a detection test](#run-a-detection-test). 3. [Confirm that Microsoft Defender Antivirus is in passive mode on your endpoints](#confirm-that-microsoft-defender-antivirus-is-in-passive-mode-on-your-endpoints). 4. [Get updates for Microsoft Defender Antivirus](#get-updates-for-microsoft-defender-antivirus).
-5. [Uninstall your non-Microsoft solution](#uninstall-your-non-microsoft-solution).
+5. [Uninstall your non-Microsoft solution](#uninstall-your-non-microsoft-solution).
6. [Make sure Defender for Endpoint is working correctly](#make-sure-defender-for-endpoint-is-working-correctly). ## Onboard devices to Microsoft Defender for Endpoint 1. Go to the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) and sign in.
-2. Choose **Settings** > **Endpoints** > **Onboarding** (under **Device management**).
+2. Choose **Settings** \> **Endpoints** \> **Onboarding** (under **Device management**).
-3. In the **Select operating system to start onboarding process** list, select an operating system.
+3. In the **Select operating system to start onboarding process** list, select an operating system.
4. Under **Deployment method**, select an option. Follow the links and prompts to onboard your organization's devices. Need help? See [Onboarding methods](#onboarding-methods) (in this article).
> If something goes wrong while onboarding, see [Troubleshoot Microsoft Defender for Endpoint onboarding issues](troubleshoot-onboarding.md). That article describes how to resolve onboarding issues and common errors on endpoints. ### Onboarding methods
-
+ Deployment methods vary, depending on operating system and preferred methods. The following table lists resources to help you onboard to Defender for Endpoint:
-|Operating systems |Methods |
-|||
-| Windows 10 | [Group Policy](configure-endpoints-gp.md)<br/>[Configuration Manager](configure-endpoints-sccm.md)<br/>[Mobile Device Management (Intune)](configure-endpoints-mdm.md)<br/>[Local script](configure-endpoints-script.md)<br/><br/>**NOTE**: A local script is suitable for a proof of concept but should not be used for production deployment. For a production deployment, we recommend using Group Policy, Microsoft Endpoint Configuration Manager, or Intune. |
-| Windows 8.1 Enterprise <br/>Windows 8.1 Pro <br/>Windows 7 SP1 Enterprise <br/>Windows 7 SP1 Pro | [Microsoft Monitoring Agent](onboard-downlevel.md)<br/><br/>**NOTE**: Microsoft Monitoring Agent is now Azure Log Analytics agent. To learn more, see [Log Analytics agent overview](/azure/azure-monitor/platform/log-analytics-agent). |
-| Windows Server 2019 and later <br/>Windows Server 2019 core edition <br/>Windows Server version 1803, and later | [Local script](configure-endpoints-script.md) <br/>[Group Policy](configure-endpoints-gp.md) <br/>[Configuration Manager](configure-endpoints-sccm.md) <br/>[System Center Configuration Manager](configure-endpoints-sccm.md) <br/>[VDI onboarding scripts for non-persistent devices](configure-endpoints-vdi.md) <br/><br/>**NOTE**: A local script is suitable for a proof of concept but should not be used for production deployment. For a production deployment, we recommend using Group Policy, Microsoft Endpoint Configuration Manager, or Intune. |
-| Windows Server 2016 <br/>Windows Server 2012 R2 <br/>Windows Server 2008 R2 SP1 | [Microsoft 365 Defender portal](configure-server-endpoints.md)<br/>[Azure Defender](/azure/security-center/security-center-wdatp) |
-| macOS: 11.3.1 (Big Sur); 10.15 (Catalina); 10.14 (Mojave) | [Onboard non-Windows devices](configure-endpoints-non-windows.md) |
-| iOS | [Onboard non-Windows devices](configure-endpoints-non-windows.md) |
-| Linux: RHEL 7.2+; CentOS Linux 7.2+; Ubuntu 16 LTS, or higher LTS; SLES 12+; Debian 9+; Oracle Linux 7.2 | [Onboard non-Windows devices](configure-endpoints-non-windows.md) |
+<br/><br/>
+
+|Operating systems|Methods|
+|||
+|Windows 10|[Group Policy](configure-endpoints-gp.md) <p> [Configuration Manager](configure-endpoints-sccm.md) <p> [Mobile Device Management (Intune)](configure-endpoints-mdm.md) <p> [Local script](configure-endpoints-script.md) <p> **NOTE**: A local script is suitable for a proof of concept but should not be used for production deployment. For a production deployment, we recommend using Group Policy, Microsoft Endpoint Configuration Manager, or Intune.|
+|Windows 8.1 Enterprise <p> Windows 8.1 Pro <p> Windows 7 SP1 Enterprise <p> Windows 7 SP1 Pro|[Microsoft Monitoring Agent](onboard-downlevel.md) <p> **NOTE**: Microsoft Monitoring Agent is now Azure Log Analytics agent. To learn more, see [Log Analytics agent overview](/azure/azure-monitor/platform/log-analytics-agent).|
+|Windows Server 2019 and later <p> Windows Server 2019 core edition <p> Windows Server version 1803, and later|[Local script](configure-endpoints-script.md) <p> [Group Policy](configure-endpoints-gp.md) <p> [Configuration Manager](configure-endpoints-sccm.md) <p> [System Center Configuration Manager](configure-endpoints-sccm.md) <p> [VDI onboarding scripts for non-persistent devices](configure-endpoints-vdi.md) <p> **NOTE**: A local script is suitable for a proof of concept but should not be used for production deployment. For a production deployment, we recommend using Group Policy, Microsoft Endpoint Configuration Manager, or Intune.|
+|Windows Server 2016 <p> Windows Server 2012 R2 <p> Windows Server 2008 R2 SP1|[Microsoft 365 Defender portal](configure-server-endpoints.md) <p> [Azure Defender](/azure/security-center/security-center-wdatp)|
+|macOS: 11.3.1 (Big Sur); 10.15 (Catalina); 10.14 (Mojave)|[Onboard non-Windows devices](configure-endpoints-non-windows.md)|
+|iOS|[Onboard non-Windows devices](configure-endpoints-non-windows.md)|
+|Linux: RHEL 7.2+; CentOS Linux 7.2+; Ubuntu 16 LTS, or higher LTS; SLES 12+; Debian 9+; Oracle Linux 7.2|[Onboard non-Windows devices](configure-endpoints-non-windows.md)|
## Run a detection test To verify that your onboarded devices are properly connected to Defender for Endpoint, you can run a detection test.
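Review bot: the Windows Server 2019 row lists both `[Configuration Manager](configure-endpoints-sccm.md)` and `[System Center Configuration Manager](configure-endpoints-sccm.md)`, two entries pointing at the same article; keep one. The NOTE about local scripts being unsuitable for production is repeated verbatim in the Windows 10 and Windows Server 2019 rows; a single note under the table would say it once and keep the cells readable, especially now that the `<p>` separators make each cell a stack of paragraphs.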
-|Operating system |Guidance |
-|||
-| Windows 10 <br/> Windows Server 2019<br/> Windows Server, version 1803, or later<br/> Windows Server 2016<br/> Windows Server 2012 R2 | See [Run a detection test](run-detection-test.md). <br/><br/>Visit the Defender for Endpoint demo scenarios site ([https://demo.wd.microsoft.com](https://demo.wd.microsoft.com)) and try one or more of the scenarios. For example, try the **Cloud-delivered protection** demo scenario. |
-| macOS: 11.3.1 (Big Sur); 10.15 (Catalina); 10.14 (Mojave) | Download and use the DIY app at [https://aka.ms/mdatpmacosdiy](https://aka.ms/mdatpmacosdiy). <br/><br/>For more information, see [Defender for Endpoint on macOS](microsoft-defender-endpoint-mac.md). |
-| Linux: RHEL 7.2+; CentOS Linux 7.2+; Ubuntu 16 LTS, or higher LTS; SLES 12+; Debian 9+; Oracle Linux 7.2 | 1. Run the following command, and look for a result of **1**: <br/>`mdatp health --field real_time_protection_enabled`. <br/> 2. Open a Terminal window, and run the following command: <br/>`curl -o ~/Downloads/eicar.com.txt https://www.eicar.org/download/eicar.com.txt`. <br/> 3. Run the following command to list any detected threats: <br/>`mdatp threat list`. <br/><br/>For more information, see [Defender for Endpoint on Linux](microsoft-defender-endpoint-linux.md). |
+<br/><br/>
+
+|Operating system|Guidance|
+|||
+|Windows 10 <p> Windows Server 2019 <p> Windows Server, version 1803, or later <p> Windows Server 2016 <p> Windows Server 2012 R2|See [Run a detection test](run-detection-test.md). <p> Visit the Defender for Endpoint demo scenarios site (<https://demo.wd.microsoft.com>) and try one or more of the scenarios. For example, try the **Cloud-delivered protection** demo scenario.|
+|macOS: 11.3.1 (Big Sur); 10.15 (Catalina); 10.14 (Mojave)|Download and use the DIY app at <https://aka.ms/mdatpmacosdiy>. <p> For more information, see [Defender for Endpoint on macOS](microsoft-defender-endpoint-mac.md).|
+|Linux: RHEL 7.2+; CentOS Linux 7.2+; Ubuntu 16 LTS, or higher LTS; SLES 12+; Debian 9+; Oracle Linux 7.2|<ol><li>Run the following command, and look for a result of **1**: `mdatp health --field real_time_protection_enabled`.</li><li>Open a Terminal window, and run the following command: `curl -o ~/Downloads/eicar.com.txt https://www.eicar.org/download/eicar.com.txt`.</li><li>Run the following command to list any detected threats: `mdatp threat list`.</li></ol> <p> For more information, see [Defender for Endpoint on Linux](microsoft-defender-endpoint-linux.md).|
## Confirm that Microsoft Defender Antivirus is in passive mode on your endpoints Now that your endpoints have been onboarded to Defender for Endpoint, your next step is to make sure Microsoft Defender Antivirus is running in passive mode. You can use one of several methods, as described in the following table:
-| Method | What to do |
-|:-|:-|
-|Command Prompt | 1. On a Windows device, open Command Prompt. <br/> 2. Type `sc query windefend`, and then press Enter. <br/> 3. Review the results to confirm that Microsoft Defender Antivirus is running in passive mode. |
-| PowerShell | 1. On a Windows device, open Windows PowerShell as an administrator. <br/> 2. Run following PowerShell cmdlet: `Get-MpComputerStatus | select AMRunningMode`. <br/> Review the results. You should see **Passive mode**. |
-| Windows Security app | 1. On a Windows device, open the Windows Security app. <br/>2. Select **Virus & threat protection**.<br/>3. Under **Who's protecting me?** select **Manage providers**. <br/>4. On the **Security providers** page, under **Antivirus**, you should see **Microsoft Defender Antivirus is turned on**. |
-| Task Manager | 1. On a Windows device, open the Task Manager app. <br/>2. Select the **Details** tab.<br/>3. Look for **MsMpEng.exe** in the list. |
+<br/><br/>
+
+|Method|What to do|
+|||
+|Command Prompt|<ol><li>On a Windows device, open Command Prompt.</li><li>Type `sc query windefend`, and then press Enter.</li><li>Review the results to confirm that Microsoft Defender Antivirus is running in passive mode.</li></ol>|
+|PowerShell|<ol><li>On a Windows device, open Windows PowerShell as an administrator.</li><li>Run following PowerShell cmdlet: `Get-MpComputerStatus|select AMRunningMode`.</li></ol> <p> Review the results. You should see **Passive mode**.|
+|Windows Security app|<ol><li>On a Windows device, open the Windows Security app.</li><li>Select **Virus & threat protection**.</li><li>Under **Who's protecting me?** select **Manage providers**.</li><li>On the **Security providers** page, under **Antivirus**, you should see **Microsoft Defender Antivirus is turned on**.</li></ol>|
+|Task Manager|<ol><li>On a Windows device, open the Task Manager app.</li><li>Select the **Details** tab.</li><li>Look for **MsMpEng.exe** in the list.</li></ol>|
> [!NOTE] > You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.
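Review bot: the PowerShell row of the passive-mode table removes the spaces around the pipe but leaves it unescaped, so `Get-MpComputerStatus|select AMRunningMode` still carries a literal `|` inside a Markdown table cell, which pipe-table parsers treat as a column separator; write it as `Get-MpComputerStatus \| select AMRunningMode` so the cmdlet keeps its original spacing and the cell stays whole. In the Linux row of the detection-test table, step 1 has the reader run `mdatp health --field real_time_protection_enabled` before step 2 says "Open a Terminal window"; move the Terminal instruction to step 1 so all three commands follow it.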
Now that your endpoints have been onboarded to Defender for Endpoint, your next
To set Microsoft Defender Antivirus to passive mode on Windows Server, version 1803 or newer, or Windows Server 2019, follow these steps:
-1. Open Registry Editor, and then navigate to <br/>
+1. Open Registry Editor, and then navigate to:
+ `Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection`. 2. Edit (or create) a DWORD entry called **ForceDefenderPassiveMode**, and specify the following settings:
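Review bot: the registry path placed on its own line after "navigate to:" is indented by a single space, so it is only attached to step 1 by lazy continuation and any later blank line would detach it and restart the list before step 2; indent the path to the list item's content column (three spaces), or keep it on the same line as "navigate to:", so it unambiguously renders as part of step 1.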
To set Microsoft Defender Antivirus to passive mode on Windows Server, version 1
> [!NOTE] > You can use other methods to set the registry key, such as the following:
->- [Group Policy Preference](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn581922(v=ws.11))
->- [Local Group Policy Object tool](/windows/security/threat-protection/security-compliance-toolkit-10#what-is-the-local-group-policy-object-lgpo-tool)
->- [A package in Configuration Manager](/mem/configmgr/apps/deploy-use/packages-and-programs)
+>
+> - [Group Policy Preference](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn581922(v=ws.11))
+> - [Local Group Policy Object tool](/windows/security/threat-protection/security-compliance-toolkit-10#what-is-the-local-group-policy-object-lgpo-tool)
+> - [A package in Configuration Manager](/mem/configmgr/apps/deploy-use/packages-and-programs)
### Start Microsoft Defender Antivirus on Windows Server 2016
To get your updates, follow the guidance in [Manage Microsoft Defender Antivirus
If at this point you have: -- Onboarded your organization's devices to Defender for Endpoint, and -- Microsoft Defender Antivirus is installed and enabled,
+- Onboarded your organization's devices to Defender for Endpoint, and
+- Microsoft Defender Antivirus is installed and enabled,
Then your next step is to uninstall your non-Microsoft antivirus, antimalware, and endpoint protection solution. When you uninstall your non-Microsoft solution, Microsoft Defender Antivirus switches from passive mode to active mode. In most cases, this happens automatically.
-To get help with uninstalling your non-Microsoft solution, contact their technical support team.
+To get help with uninstalling your non-Microsoft solution, contact their technical support team.
## Make sure Defender for Endpoint is working correctly
Now that you have onboarded to Defender for Endpoint, and you have uninstalled y
## Next steps
-**Congratulations**! You have completed your [migration to Defender for Endpoint](switch-to-microsoft-defender-migration.md#the-migration-process)!
+**Congratulations**! You have completed your [migration to Defender for Endpoint](switch-to-microsoft-defender-migration.md#the-migration-process)!
-- [Visit your security operations dashboard](security-operations-dashboard.md) in the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)).
+- [Visit your security operations dashboard](security-operations-dashboard.md) in the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)).
- [Manage Defender for Endpoint, post migration](manage-atp-post-migration.md).
security Switch To Microsoft Defender Prepare https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/switch-to-microsoft-defender-prepare.md
localization_priority: Normal audience: ITPro-+ - M365-security-compliance - m365solution-migratetomdatp - m365solution-mcafeemigrate
|--|--|--| |*You are here!*| | |
-**Welcome to the Prepare phase of [switching to Defender for Endpoint](switch-to-microsoft-defender-migration.md#the-migration-process)**.
+**Welcome to the Prepare phase of [switching to Defender for Endpoint](switch-to-microsoft-defender-migration.md#the-migration-process)**.
This migration phase includes the following steps:
As a best practice, keep your organization's devices and endpoints up to date. M
### Make sure your existing solution is up to date
-Keep your existing endpoint protection solution up to date, and make sure that your organization's devices have the latest security updates.
+Keep your existing endpoint protection solution up to date, and make sure that your organization's devices have the latest security updates.
Need help? See your solution provider's documentation.
Need help? See your solution provider's documentation.
Need help updating your organization's devices? See the following resources:
-|OS | Resource |
-|:--|:--|
-|Windows |[Microsoft Update](https://www.update.microsoft.com) |
-|macOS | [How to update the software on your Mac](https://support.apple.com/HT201541)|
-|iOS |[Update your iPhone, iPad, or iPod touch](https://support.apple.com/HT204204)|
-|Android |[Check & update your Android version](https://support.google.com/android/answer/7680439) |
-|Linux | [Linux 101: Updating Your System](https://www.linux.com/training-tutorials/linux-101-updating-your-system) |
+<br/><br/>
+
+|OS|Resource|
+|||
+|Windows|[Microsoft Update](https://www.update.microsoft.com)|
+|macOS|[How to update the software on your Mac](https://support.apple.com/HT201541)|
+|iOS|[Update your iPhone, iPad, or iPod touch](https://support.apple.com/HT204204)|
+|Android|[Check & update your Android version](https://support.google.com/android/answer/7680439)|
+|Linux|[Linux 101: Updating Your System](https://www.linux.com/training-tutorials/linux-101-updating-your-system)|
## Get Microsoft Defender for Endpoint Now that you've updated your organization's devices, the next step is to get Defender for Endpoint, assign licenses, and make sure the service is provisioned.
-1. Buy or try Defender for Endpoint today. [Start a free trial or request a quote](https://aka.ms/mdatp).
+1. Buy or try Defender for Endpoint today. [Start a free trial or request a quote](https://aka.ms/mdatp).
2. Verify that your licenses are properly provisioned. [Check your license state](production-deployment.md#check-license-state). 3. Set up your dedicated cloud instance of Defender for Endpoint. See [Defender for Endpoint setup: Tenant configuration](production-deployment.md#tenant-configuration). 4. If endpoints (such as devices) in your organization use a proxy to access the internet, see [Defender for Endpoint setup: Network configuration](production-deployment.md#network-configuration).
-
-At this point, you are ready to grant access to your security administrators and security operators who will use the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)).
+
+At this point, you are ready to grant access to your security administrators and security operators who will use the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)).
> [!NOTE] > The Microsoft 365 Defender portal is sometimes referred to as the Defender for Endpoint portal, and can be accessed at [https://security.microsoft.com](https://security.microsoft.com). The former Microsoft Defender Security Center (https://securitycenter.windows.com) will soon redirect to the Microsoft 365 Defender portal. To learn more, see [Microsoft 365 Defender portal overview](portal-overview.md).
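Review bot: the new delimiter row `|||` in the OS/Resource table contains no hyphens, whereas the row it replaces, `|:--|:--|`, did; a pipe-table delimiter row normally needs at least one hyphen per column, so confirm the docs renderer accepts the empty form before merging, otherwise keep `|---|---|`. The same `|||` delimiter, and the `<br/><br/>` inserted ahead of the table in place of a blank line, appear in the other tables converted in this change, so whichever form is settled on here should be applied to those as well.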
Permissions to the Microsoft 365 Defender portal can be granted by using either
To enable communication between your devices and Defender for Endpoint, configure proxy and internet settings. The following table includes links to resources you can use to configure your proxy and internet settings for various operating systems and capabilities:
-| Capabilities | Operating System | Resources |
-|:--|:--|:--|
-| [Endpoint detection and response](overview-endpoint-detection-response.md) (EDR) | [Windows 10](/windows/release-health/release-information) <br/>[Windows Server 2019](/windows/release-health/status-windows-10-1809-and-windows-server-2019)<br/>[Windows Server 1803, or later](/windows-server/get-started/whats-new-in-windows-server-1803) | [Configure machine proxy and internet connectivity settings](configure-proxy-internet.md) |
-| EDR | [Windows Server 2016](/windows/release-health/status-windows-10-1607-and-windows-server-2016) <br/>[Windows Server 2012 R2](/windows/release-health/status-windows-8.1-and-windows-server-2012-r2)<br/>[Windows Server 2008 R2 SP1](/windows/release-health/status-windows-7-and-windows-server-2008-r2-sp1)<br/>[Windows 8.1](/windows/release-health/status-windows-8.1-and-windows-server-2012-r2)<br/>[Windows 7 SP1](/windows/release-health/status-windows-7-and-windows-server-2008-r2-sp1) |[Configure proxy and internet connectivity settings](onboard-downlevel.md#configure-proxy-and-internet-connectivity-settings) |
-| EDR | macOS: 11.3.1 (Big Sur); 10.15 (Catalina); 10.14 (Mojave) | [Defender for Endpoint on macOS: Network connections](microsoft-defender-endpoint-mac.md#network-connections) |
-| [Microsoft Defender Antivirus](microsoft-defender-antivirus-in-windows-10.md) | [Windows 10](/windows/release-health/release-information) <br/>[Windows Server 2019](/windows/release-health/status-windows-10-1809-and-windows-server-2019)<br/>[Windows Server 1803, or later](/windows-server/get-started/whats-new-in-windows-server-1803) <br/>[Windows Server 2016](/windows-server/get-started/whats-new-in-windows-server-2016) | [Configure and validate Microsoft Defender Antivirus network connections](configure-network-connections-microsoft-defender-antivirus.md) |
-| Antivirus | macOS: 11.3.1 (Big Sur); 10.15 (Catalina); 10.14 (Mojave) | [Defender for Endpoint on macOS: Network connections](microsoft-defender-endpoint-mac.md#network-connections) |
-| Antivirus | Linux: RHEL 7.2+; CentOS Linux 7.2+; Ubuntu 16 LTS, or higher LTS; SLES 12+; Debian 9+; Oracle Linux 7.2 | [Defender for Endpoint on Linux: Network connections](microsoft-defender-endpoint-linux.md#network-connections) |
+<br/><br/>
+
+|Capabilities|Operating System|Resources|
+||||
+|[Endpoint detection and response](overview-endpoint-detection-response.md) (EDR)|[Windows 10](/windows/release-health/release-information) <p> [Windows Server 2019](/windows/release-health/status-windows-10-1809-and-windows-server-2019) <p> [Windows Server 1803, or later](/windows-server/get-started/whats-new-in-windows-server-1803)|[Configure machine proxy and internet connectivity settings](configure-proxy-internet.md)|
+|EDR|[Windows Server 2016](/windows/release-health/status-windows-10-1607-and-windows-server-2016) <p> [Windows Server 2012 R2](/windows/release-health/status-windows-8.1-and-windows-server-2012-r2) <p> [Windows Server 2008 R2 SP1](/windows/release-health/status-windows-7-and-windows-server-2008-r2-sp1) <p> [Windows 8.1](/windows/release-health/status-windows-8.1-and-windows-server-2012-r2) <p> [Windows 7 SP1](/windows/release-health/status-windows-7-and-windows-server-2008-r2-sp1)|[Configure proxy and internet connectivity settings](onboard-downlevel.md#configure-proxy-and-internet-connectivity-settings)|
+|EDR|macOS: 11.3.1 (Big Sur); 10.15 (Catalina); 10.14 (Mojave)|[Defender for Endpoint on macOS: Network connections](microsoft-defender-endpoint-mac.md#network-connections)|
+|[Microsoft Defender Antivirus](microsoft-defender-antivirus-in-windows-10.md)|[Windows 10](/windows/release-health/release-information) <p> [Windows Server 2019](/windows/release-health/status-windows-10-1809-and-windows-server-2019) <p> [Windows Server 1803, or later](/windows-server/get-started/whats-new-in-windows-server-1803) <p> [Windows Server 2016](/windows-server/get-started/whats-new-in-windows-server-2016)|[Configure and validate Microsoft Defender Antivirus network connections](configure-network-connections-microsoft-defender-antivirus.md)|
+|Antivirus|macOS: 11.3.1 (Big Sur); 10.15 (Catalina); 10.14 (Mojave)|[Defender for Endpoint on macOS: Network connections](microsoft-defender-endpoint-mac.md#network-connections)|
+|Antivirus|Linux: RHEL 7.2+; CentOS Linux 7.2+; Ubuntu 16 LTS, or higher LTS; SLES 12+; Debian 9+; Oracle Linux 7.2|[Defender for Endpoint on Linux: Network connections](microsoft-defender-endpoint-linux.md#network-connections)|
## Next step
security Techniques Device Timeline https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/techniques-device-timeline.md
ms.technology: mde
# Techniques in the device timeline - **Applies to:** - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) - You can gain more insight in an investigation by analyzing the events that happened on a specific device. First, select the device of interest from the [Devices list](machines-view-overview.md). On the device page, you can select the **Timeline** tab to view all the events that occurred on the device. ## Understand techniques in the timeline
->[!IMPORTANT]
->Some information relates to a prereleased product feature in public preview which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+> [!IMPORTANT]
+> Some information relates to a prereleased product feature in public preview which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-In Microsoft Defender for Endpoint, **Techniques** are an additional data type in the event timeline. Techniques provide more insight on activities associated with [MITRE ATT&CK](https://attack.mitre.org/) techniques or sub-techniques.
+In Microsoft Defender for Endpoint, **Techniques** are an additional data type in the event timeline. Techniques provide more insight on activities associated with [MITRE ATT&CK](https://attack.mitre.org/) techniques or sub-techniques.
This feature simplifies the investigation experience by helping analysts understand the activities that were observed on a device. Analysts can then decide to investigate further.
-For public preview, Techniques are available by default and shown together with events when a device's timeline is viewed.
+For public preview, Techniques are available by default and shown together with events when a device's timeline is viewed.
![Techniques in device timeline screenshot.](images/device-timeline-2.png)
-Techniques are highlighted in bold text and appear with a blue icon on the left. The corresponding MITRE ATT&CK ID and technique name also appear as tags under Additional information.
+Techniques are highlighted in bold text and appear with a blue icon on the left. The corresponding MITRE ATT&CK ID and technique name also appear as tags under Additional information.
Search and Export options are also available for Techniques. ## Investigate using the side pane
-Select a Technique to open its corresponding side pane. Here you can see additional information and insights like related ATT&CK techniques, tactics, and descriptions.
+Select a Technique to open its corresponding side pane. Here you can see additional information and insights like related ATT&CK techniques, tactics, and descriptions.
Select the specific *Attack technique* to open the related ATT&CK technique page where you can find more information about it.
You can do the same for command lines.
![Copy command line.](images/techniques-side-pane-command.png) - ## Investigate related events To use [advanced hunting](advanced-hunting-overview.md) to find events related to the selected Technique, select **Hunt for related events**. This leads to the advanced hunting page with a query to find events related to the Technique. ![Hunt for related events.](images/techniques-hunt-for-related-events.png)
->[!NOTE]
->Querying using the **Hunt for related events** button from a Technique side pane displays all the events related to the identified technique but does not include the Technique itself in the query results.
-
+> [!NOTE]
+> Querying using the **Hunt for related events** button from a Technique side pane displays all the events related to the identified technique but does not include the Technique itself in the query results.
## Customize your device timeline
-On the upper right-hand side of the device timeline, you can choose a date range to limit the number of events and techniques in the timeline.
+On the upper right-hand side of the device timeline, you can choose a date range to limit the number of events and techniques in the timeline.
You can customize which columns to expose. You can also filter for flagged events by data type or by event group. ### Choose columns to expose+ You can choose which columns to expose in the timeline by selecting the **Choose columns** button. ![Customize columns.](images/filter-customize-columns.png)
To view only either events or techniques, select **Filters** from the device tim
![Filters screenshot.](images/device-timeline-filters.png) -- ## See also-- [View and organize the Devices list](machines-view-overview.md)-- [Microsoft Defender for Endpoint device timeline event flags](device-timeline-event-flag.md) -
-
+- [View and organize the Devices list](machines-view-overview.md)
+- [Microsoft Defender for Endpoint device timeline event flags](device-timeline-event-flag.md)
security Threat Protection Integration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/threat-protection-integration.md
ms.technology: mde
Microsoft Defender for Endpoint directly integrates with various Microsoft solutions. ### Azure Defender+ Microsoft Defender for Endpoint provides a comprehensive server protection solution, including endpoint detection and response (EDR) capabilities on Windows Servers. ### Azure Sentinel+ The Microsoft Defender for Endpoint connector lets you stream alerts from Microsoft Defender for Endpoint into Azure Sentinel. This will enable you to more comprehensively analyze security events across your organization and build playbooks for effective and immediate response. ### Azure Information Protection+ We recently deprecated the Azure Information Protection integration as our Endpoint DLP capabilities incorporate an improved discovery and protection solution for sensitive data stored on endpoint devices that facilitates greater visibility and integration between solutions. This was announced in the following [blog](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/protecting-sensitive-information-on-devices/ba-p/2143555). We recommend that customers move to using Endpoint DLP. ### Conditional Access
-Microsoft Defender for Endpoint's dynamic device risk score is integrated into the Conditional Access evaluation, ensuring that only secure devices have access to resources.
+
+Microsoft Defender for Endpoint's dynamic device risk score is integrated into the Conditional Access evaluation, ensuring that only secure devices have access to resources.
### Microsoft Cloud App Security+ Microsoft Cloud App Security leverages Microsoft Defender for Endpoint signals to allow direct visibility into cloud application usage including the use of unsupported cloud services (shadow IT) from all Microsoft Defender for Endpoint monitored devices. ### Microsoft Defender for Identity+ Suspicious activities are processes running under a user context. The integration between Microsoft Defender for Endpoint and Microsoft Defender for Identity provides the flexibility of conducting cyber security investigation across activities and identities. ### Microsoft Defender for Office
-[Defender for Office 365](/office365/securitycompliance/office-365-atp) helps protect your organization from malware in email messages or files through Safe Links, Safe Attachments, advanced Anti-Phishing, and spoof intelligence capabilities. The integration between Microsoft Defender for Office 365 and Microsoft Defender for Endpoint enables security analysts to go upstream to investigate the entry point of an attack. Through threat intelligence sharing, attacks can be contained and blocked.
->[!NOTE]
+[Defender for Office 365](/office365/securitycompliance/office-365-atp) helps protect your organization from malware in email messages or files through Safe Links, Safe Attachments, advanced Anti-Phishing, and spoof intelligence capabilities. The integration between Microsoft Defender for Office 365 and Microsoft Defender for Endpoint enables security analysts to go upstream to investigate the entry point of an attack. Through threat intelligence sharing, attacks can be contained and blocked.
+
+> [!NOTE]
> Defender for Office 365 data is displayed for events within the last 30 days. For alerts, Defender for Office 365 data is displayed based on first activity time. After that, the data is no longer available in Defender for Office 365. ### Skype for Business+ The Skype for Business integration provides a way for analysts to communicate with a potentially compromised user or device owner through a simple button from the portal. ## Microsoft 365 Defender
-With Microsoft 365 Defender, Microsoft Defender for Endpoint, and various Microsoft security solutions form a unified pre- and post-breach enterprise defense suite that natively integrates across endpoint, identity, email, and applications to detect, prevent, investigate, and automatically respond to sophisticated attacks.
-
-[Learn more about Microsoft 365 Defender](/microsoft-365/security/defender/microsoft-365-defender)
+With Microsoft 365 Defender, Microsoft Defender for Endpoint, and various Microsoft security solutions form a unified pre- and post-breach enterprise defense suite that natively integrates across endpoint, identity, email, and applications to detect, prevent, investigate, and automatically respond to sophisticated attacks.
+
+[Learn more about Microsoft 365 Defender](/microsoft-365/security/defender/microsoft-365-defender)
## Related topics+ - [Configure integration and other advanced features](advanced-features.md) - [Microsoft 365 Defender overview](/microsoft-365/security/defender/microsoft-threat-protection) - [Turn on Microsoft 365 Defender](/microsoft-365/security/defender/mtp-enable)
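Review bot: the Microsoft 365 Defender paragraph is re-added with only trailing whitespace removed and keeps its grammar problem: "With Microsoft 365 Defender, Microsoft Defender for Endpoint, and various Microsoft security solutions form a unified pre- and post-breach enterprise defense suite" has no subject because of the leading "With". Since the line is already being touched, drop "With" so it reads "Microsoft 365 Defender, Microsoft Defender for Endpoint, and various Microsoft security solutions form a unified pre- and post-breach enterprise defense suite ...".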
security Threat Protection Reports https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/threat-protection-reports.md
ms.technology: mde
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) - > Want to experience Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-pullalerts-abovefoldlink) The threat protection report provides high-level information about alerts generated in your organization. The report includes trending information showing the detection sources, categories, severities, statuses, classifications, and determinations of alerts across time.
The dashboard is structured into two sections:
![Image of the threat protection report.](images/threat-protection-reports.png)
-Section | Description
-:|:
-1 | Alerts trends
-2 | Alert summary
+Section|Description
+|
+1|Alerts trends
+2|Alert summary
## Alert trends By default, the alert trends display alert information from the 30-day period ending in the latest full day. To gain better perspective on trends occurring in your organization, you can fine-tune the reporting period by adjusting the time period shown. To adjust the time period, select a time range from the drop-down options:
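Review bot: the Section/Description table's delimiter row is reduced to a lone `|` (replacing `:|:`), which gives the renderer neither hyphens nor a column count, and none of the rows carry leading or trailing pipes; use `---|---`, or `|---|---|` with matching outer pipes on the header and body rows, so the two-column table is unambiguous. Dropping the `:` alignment markers is fine since left alignment is the default.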
By default, the alert trends display alert information from the 30-day period en
- 6 months - Custom
->[!NOTE]
->These filters are only applied on the alert trends section. It doesn't affect the alert summary section.
-
+> [!NOTE]
+> These filters are only applied on the alert trends section. It doesn't affect the alert summary section.
## Alert summary+ While the alert trends shows trending alert information, the alert summary shows alert information scoped to the current day.
- The alert summary allows you to drill down to a particular alert queue with the corresponding filter applied to it. For example, clicking on the EDR bar in the Detection sources card will bring you the alerts queue with results showing only alerts generated from EDR detections.
+ The alert summary allows you to drill down to a particular alert queue with the corresponding filter applied to it. For example, clicking on the EDR bar in the Detection sources card will bring you the alerts queue with results showing only alerts generated from EDR detections.
->[!NOTE]
->The data reflected in the summary section is scoped to 180 days prior to the current date. For example if today's date is November 5, 2019, the data on the summary section will reflect numbers starting from May 5, 2019 to November 5, 2019.<br>
-> The filter applied on the trends section is not applied on the summary section.
+> [!NOTE]
+> The data reflected in the summary section is scoped to 180 days prior to the current date. For example if today's date is November 5, 2019, the data on the summary section will reflect numbers starting from May 5, 2019 to November 5, 2019.
+>
+> The filter applied on the trends section is not applied on the summary section.
## Alert attributes+ The report is made up of cards that display the following alert attributes: - **Detection sources**: shows information about the sensors and detection technologies that provide the data used by Microsoft Defender for Endpoint to trigger alerts.- - **Threat categories**: shows the types of threat or attack activity that triggered alerts, indicating possible focus areas for your security operations.- - **Severity**: shows the severity level of alerts, indicating the collective potential impact of threats to your organization and the level of response needed to address them.--- **Status**: shows the resolution status of alerts, indicating the efficiency of your manual alert responses and of automated remediation (if enabled). -
+- **Status**: shows the resolution status of alerts, indicating the efficiency of your manual alert responses and of automated remediation (if enabled).
- **Classification & determination**: shows how you have classified alerts upon resolution, whether you have classified them as actual threats (true alerts) or as incorrect detections (false alerts). These cards also show the determination of resolved alerts, providing additional insight like the types of actual threats found or the legitimate activities that were incorrectly detected. ## Filter data Use the provided filters to include or exclude alerts with certain attributes.
->[!NOTE]
->These filters apply to **all** the cards in the report.
+> [!NOTE]
+> These filters apply to **all** the cards in the report.
For example, to show data about high-severity alerts only:
-1. Under **Incidents & alerts** > **Alerts** > **Filters > Severity**, select **High**.
+1. Under **Incidents & alerts** \> **Alerts** \> **Filters > Severity**, select **High**.
2. Ensure that all other options under **Severity** are deselected. 3. Select **Apply**. ## Related topic+ - [Device health and compliance report](machine-reports.md)
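Review bot: the edited step escapes the first two navigation arrows (`**Incidents & alerts** \> **Alerts** \>`) but leaves the third one, inside the bold span `**Filters > Severity**`, unescaped; escape it the same way (`**Filters \> Severity**`) or leave all three unescaped so the path is written consistently within the one line.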
security Troubleshoot Asr Rules https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-asr-rules.md
localization_priority: Normal
audience: ITPro -+
With advanced hunting you can shape the queries to your liking, so that you can
An alternative to advanced hunting, but with a narrower scope, is the Microsoft Defender for Endpoint machine timeline. You can view all the collected events of a device, for the past six months, in the Microsoft 365 Defender, by going to the Machines list, select a given machine, and then click on the Timeline tab.
-Pictured below is a screenshot of the Timeline view of these events on a given endpoint. From this view, you can filter the events list based on any of the Event Groups along the right-side pane. You can also enable or disable Flagged and Verbose events while viewing alerts and scrolling through the historical timeline.
+Pictured below is a screenshot of the Timeline view of these events on a given endpoint. From this view, you can filter the events list based on any of the Event Groups along the right-side pane. You can also enable or disable Flagged and Verbose events while viewing alerts and scrolling through the historical timeline.
:::image type="content" source="images/mic-sec-def-timelinenew.png" lightbox="images/mic-sec-def-timelinenew.png" alt-text="Microsoft 365 Defender timeline.":::
Get-MPPreference | Select-Object -ExpandProperty**AttackSurfaceReductionRules_Ac
ASR rule events can be viewed within the Windows Defender log.
-To access it, open Windows Event Viewer, and browse to **Applications and Services Logs** > **Microsoft** > **Windows** > **Windows Defender** > **Operational**.
+To access it, open Windows Event Viewer, and browse to **Applications and Services Logs** \> **Microsoft** \> **Windows** \> **Windows Defender** \> **Operational**.
:::image type="content" source="images/eventviewerscrnew.png" lightbox="images/eventviewerscrnew.png" alt-text="event viewer scr.":::
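Review bot: the hunk's leading context line `Get-MPPreference | Select-Object -ExpandProperty**AttackSurfaceReductionRules_Ac…` has the bold markers glued to the parameter name, so in rendered Markdown the cmdlet reads as a single token (`-ExpandPropertyAttackSurfaceReductionRules_Ac…`) and cannot be pasted into PowerShell as shown; while this commit is touching the page, add the missing space or, better, put the whole command in a code span. The Event Viewer path fix itself (`Applications and Services Logs \> Microsoft \> Windows \> Windows Defender \> Operational`) is correct and matches the path used by the other Defender troubleshooting pages in this changeset.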
security Troubleshoot Asr https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-asr.md
audience: ITPro
Last updated 03/27/2019-+ ms.technology: mde
> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-pullalerts-abovefoldlink) - When you use [attack surface reduction rules](attack-surface-reduction.md) you may run into issues, such as: - A rule blocks a file, process, or performs some other action that it shouldn't (false positive)- - A rule doesn't work as described, or doesn't block a file or process that it should (false negative) There are four steps to troubleshooting these problems: 1. [Confirm prerequisites](#confirm-prerequisites)- 2. [Use audit mode to test the rule](#use-audit-mode-to-test-the-rule)- 3. [Add exclusions for the specified rule](#add-exclusions-for-a-false-positive) (for false positives)- 4. [Submit support logs](#collect-diagnostic-data-for-file-submissions) ## Confirm prerequisites
If the attack surface reduction rule is blocking something that it shouldn't blo
To add an exclusion, see [Customize Attack surface reduction](customize-attack-surface-reduction.md).
->[!IMPORTANT]
->You can specify individual files and folders to be excluded, but you cannot specify individual rules.
->This means any files or folders that are excluded will be excluded from all ASR rules.
+> [!IMPORTANT]
+> You can specify individual files and folders to be excluded, but you cannot specify individual rules.
+> This means any files or folders that are excluded will be excluded from all ASR rules.
## Report a false positive or false negative
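Review bot: the IMPORTANT note and the troubleshooting overview disagree on what an exclusion is. Step 3 of the overview is titled "Add exclusions for the specified rule", but the note (correctly) says individual rules cannot be targeted and that an excluded file or folder is excluded from all ASR rules. Rename the step to "Add exclusions for a false positive", which is already its link anchor, and, since a single exclusion silently weakens every rule at once, consider adding one sentence advising that exclusions be scoped to specific files rather than whole folders.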
When you report a problem with attack surface reduction rules, you're asked to c
## Related articles - [Attack surface reduction rules](attack-surface-reduction.md)- - [Enable attack surface reduction rules](enable-attack-surface-reduction.md)- - [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md)
security Troubleshoot Live Response https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-live-response.md
If while trying to take an action during a live response session, you encounter
1. Copy the following script code snippet and save it as a PS1 file: ```powershell
- $copied_file_path=$args[0]
+ $copied_file_path=$args[0]
$action=Copy-Item $copied_file_path -Destination $env:TEMP -PassThru -ErrorAction silentlyContinue
-
+ if ($action){ Write-Host "You copied the file specified in $copied_file_path to $env:TEMP Succesfully" }
-
+ else{ Write-Output "Error occoured while trying to copy a file, details:" Write-Output $error[0].exception.message
-
+ } ```
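Review bot: the two user-facing strings added here still carry typos, `Succesfully` and `occoured`; fix them to `Successfully` and `occurred` while the block is being touched. The success branch uses `Write-Host` and the failure branch `Write-Output`; pick one so both branches emit on the same stream and the script's result can be handled the same way whichever path runs.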
security Troubleshoot Microsoft Defender Antivirus When Migrating https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus-when-migrating.md
You can find help here if you encounter issues while migrating from a third-part
Open the Event viewer app by selecting the **Search** icon in the taskbar, and searching for *event viewer*.
-Information about Microsoft Defender Antivirus can be found under **Applications and Services Logs** > **Microsoft** > **Windows** > **Windows Defender**.
+Information about Microsoft Defender Antivirus can be found under **Applications and Services Logs** \> **Microsoft** \> **Windows** \> **Windows Defender**.
From there, select **Open** underneath **Operational**.
This issue can manifest in the form of several different event IDs, all of whic
Event ID|Log name|Description|Source ||| 15|Application|Updated Windows Defender status successfully to SECURITY_PRODUCT_STATE_OFF.|Security Center
-5007|Microsoft-Windows-Windows Defender/Operational|Windows Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. <p> **Old value:** Default\IsServiceRunning = 0x0 p> **New value:** HKLM\SOFTWARE\Microsoft\Windows Defender\IsServiceRunning = 0x1|Windows Defender
+5007|Microsoft-Windows-Windows Defender/Operational|Windows Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. <p> **Old value:** Default\IsServiceRunning = 0x0 <p> **New value:** HKLM\SOFTWARE\Microsoft\Windows Defender\IsServiceRunning = 0x1|Windows Defender
5010|Microsoft-Windows-Windows Defender/Operational|Windows Defender Antivirus scanning for spyware and other potentially unwanted software is disabled.|Windows Defender ### How to tell if Microsoft Defender Antivirus won't start because a third-party antivirus is installed
On a Windows 10 device, if you are not using Microsoft Defender for Endpoint, an
To open the Services app, select the **Search** icon from the taskbar and search for *services*. You can also open the app from the command-line by typing *services.msc*.
-Information about Microsoft Defender Antivirus will be listed within the Services app under **Windows Defender** > **Operational**. The antivirus service name is *Windows Defender Antivirus Service*.
+Information about Microsoft Defender Antivirus will be listed within the Services app under **Windows Defender** \> **Operational**. The antivirus service name is *Windows Defender Antivirus Service*.
While checking the app, you may see that *Windows Defender Antivirus Service* is set to manual, but when you try to start this service manually, you get a warning stating, *The Windows Defender Antivirus Service service on Local Computer started and then stopped. Some services stop automatically if they are not in use by other services or programs.*
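Review bot: the sentence fixed in this hunk is wrong about where the information lives, not just about escaping. `**Windows Defender** \> **Operational**` is the Event Viewer log path used earlier on this page ("Applications and Services Logs > Microsoft > Windows > Windows Defender", then "Operational"), not a location in the Services app; services.msc shows a flat list of services, and the next sentence already names the right entry, *Windows Defender Antivirus Service*. Replace the first sentence with something like "In the Services app, look for the *Windows Defender Antivirus Service* entry" and drop the Operational reference.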
security Troubleshoot Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus.md
Last updated 09/11/2018-+ ms.technology: mde
The tables list:
> [!TIP] > You can also visit the Microsoft Defender for Endpoint demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the following features are working:
->
+>
> - Cloud-delivered protection > - Fast learning (including Block at first sight) > - Potentially unwanted application blocking
Microsoft Defender Antivirus records event IDs in the Windows event log.
You can directly view the event log, or if you have a third-party security information and event management (SIEM) tool, you can also consume [Microsoft Defender Antivirus client event IDs](troubleshoot-microsoft-defender-antivirus.md#windows-defender-av-ids) to review specific events and errors from your endpoints.
-The table in this section lists the main Microsoft Defender Antivirus event IDs and, where possible, provides suggested solutions to fix or resolve the error.
+The table in this section lists the main Microsoft Defender Antivirus event IDs and, where possible, provides suggested solutions to fix or resolve the error.
## To view a Microsoft Defender Antivirus event
-1. Open **Event Viewer**.
-2. In the console tree, expand **Applications and Services Logs**, then **Microsoft**, then **Windows**, then **Windows Defender**.
-3. Double-click on **Operational**.
-4. In the details pane, view the list of individual events to find your event.
-5. Click the event to see specific details about an event in the lower pane, under the **General** and **Details** tabs.
+1. Open **Event Viewer**.
+2. In the console tree, expand **Applications and Services Logs**, then **Microsoft**, then **Windows**, then **Windows Defender**.
+3. Double-click on **Operational**.
+4. In the details pane, view the list of individual events to find your event.
+5. Click the event to see specific details about an event in the lower pane, under the **General** and **Details** tabs.
-<table>
+<table>
<tr> <th colspan="2" >Event ID: 1000</th> </tr>
Symbolic name:
Message: </td> <td >
-<b>An antimalware scan failed.
+<b>An antimalware scan failed.
</b> </td> </tr>
The above context applies to the following client and server versions:
</tr> <tr> <td>
-Client Operating System
+Client Operating System
</td> <td> Windows Vista (Service Pack 1, or Service Pack 2), Windows 7 and later
Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Se
User action: </td> <td >
-No action is necessary. Microsoft Defender Antivirus removed or quarantined a threat.
+No action is necessary. Microsoft Defender Antivirus removed or quarantined a threat.
</td> </tr> <tr>
Antivirus client health report.
<dt>Antispyware signature creation time: ?&lt;Antispyware signature creation time&gt;</dt> <dt>Last quick scan start time: ?&lt;Last quick scan start time&gt;</dt> <dt>Last quick scan end time: ?&lt;Last quick scan end time&gt;</dt>
-<dt>Last quick scan source: &lt;Last quick scan source&gt; (0 = scan didn&#39;t run, 1 = user initiated, 2 = system initiated)</dt>
+<dt>Last quick scan source: &lt;Last quick scan source&gt; (0 = scan didn't run, 1 = user initiated, 2 = system initiated)</dt>
<dt>Last full scan start time: ?&lt;Last full scan start time&gt;</dt> <dt>Last full scan end time: ?&lt;Last full scan end time&gt;</dt>
-<dt>Last full scan source: &lt;Last full scan source&gt; (0 = scan didn&#39;t run, 1 = user initiated, 2 = system initiated)</dt>
+<dt>Last full scan source: &lt;Last full scan source&gt; (0 = scan didn't run, 1 = user initiated, 2 = system initiated)</dt>
<dt>Product status: For internal troubleshooting </dl> </td>
Symbolic name:
Message: </td> <td >
-<b>The security intelligence update failed.
+<b>The security intelligence update failed.
</b> </td> </tr>
User action:
</td> <td > Check your Internet connectivity settings.
-The Microsoft Defender Antivirus client encountered an error when using the Dynamic Signature Service to download the latest definitions to a specific threat. This error is likely caused by a network connectivity issue.
+The Microsoft Defender Antivirus client encountered an error when using the Dynamic Signature Service to download the latest definitions to a specific threat. This error is likely caused by a network connectivity issue.
</td> </tr> <tr>
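Review bot: the reflowed sentence keeps a preposition error: the Dynamic Signature Service downloads "the latest definitions to a specific threat", which should read "for a specific threat". Since the hunk is otherwise whitespace-only, this is the one line worth correcting while it is open.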
Description of the error. </dt>
User action: </td> <td >
-You should restart the system then run a full scan because it&#39;s possible the system was not protected for some time.
-The Microsoft Defender Antivirus client&#39;s real-time protection feature encountered an error because one of the services failed to start.
-If it is followed by a 3007 event ID, the failure was temporary and the antimalware client recovered from the failure.
+You should restart the system then run a full scan because it's possible the system was not protected for some time.
+The Microsoft Defender Antivirus client's real-time protection feature encountered an error because one of the services failed to start.
+If it is followed by a 3007 event ID, the failure was temporary and the antimalware client recovered from the failure.
</td> </tr> <tr>
Microsoft Defender Antivirus Real-time Protection has restarted a feature. It is
User action: </td> <td >
-The real-time protection feature has restarted. If this event happens again, contact <a href="https://go.microsoft.com/fwlink/?LinkId=215491">Microsoft Technical Support</a>.
+The real-time protection feature has restarted. If this event happens again, contact <a href="https://go.microsoft.com/fwlink/?LinkId=215491">Microsoft Technical Support</a>.
</td> </tr> <tr>
Message:
Description: </td> <td >
-Microsoft Defender Antivirus real-time protection scanning for malware and other potentially unwanted software was disabled.
+Microsoft Defender Antivirus real-time protection scanning for malware and other potentially unwanted software was disabled.
</td> </tr> <tr>
Message:
Description: </td> <td >
-Microsoft Defender Antivirus scanning for viruses has been enabled.
+Microsoft Defender Antivirus scanning for viruses has been enabled.
</td> </tr> <tr>
Message:
Description: </td> <td >
-Microsoft Defender Antivirus scanning for viruses is disabled.
+Microsoft Defender Antivirus scanning for viruses is disabled.
</td> </tr> <tr>
Description of the error. </dt>
## Microsoft Defender Antivirus client error codes If Microsoft Defender Antivirus experiences any issues it will usually give you an error code to help you troubleshoot the issue. Most often an error means there was a problem installing an update. This section provides the following information about Microsoft Defender Antivirus client errors.-- The error code-- The possible reason for the error-- Advice on what to do now
+- The error code
+- The possible reason for the error
+- Advice on what to do now
Use the information in these tables to help troubleshoot Microsoft Defender Antivirus error codes.
-<table>
+<table>
<tr> <th colspan="2">Error code: 0x80508007</th> </tr>
Use the information in these tables to help troubleshoot Microsoft Defender Anti
Possible reason </td> <td>
-This error indicates that you might have run out of memory.
+This error indicates that you might have run out of memory.
</td> </tr> <tr>
This error indicates that you might have run out of memory.
<ol> <li>Check the available memory on your device.</li> <li>Close any unused applications that are running to free up memory on your device.</li>
-<li>Restart the device and run the scan again.
+<li>Restart the device and run the scan again.
</li> </ol> </td>
Note: The size of the definitions file downloaded from the site can exceed 60 MB
<tr> <th colspan="2">Error code: 0x80508020</th> </tr><tr><td>Message</td>
-<td><b>ERR_MP_BAD_CONFIGURATION
+<td><b>ERR_MP_BAD_CONFIGURATION
</b> </td></tr><tr><td>Possible reason</td> <td>
-This error indicates that there might be an engine configuration error; commonly, this is related to input
-data that does not allow the engine to function properly.
+This error indicates that there might be an engine configuration error; commonly, this is related to input
+data that does not allow the engine to function properly.
</td> </tr> <tr>
-<th colspan="2">Error code: 0x805080211
+<th colspan="2">Error code: 0x805080211
</th> </tr><tr><td>Message</td>
-<td><b>ERR_MP_QUARANTINE_FAILED
+<td><b>ERR_MP_QUARANTINE_FAILED
</b> </td></tr><tr><td>Possible reason</td> <td>
-This error indicates that Microsoft Defender Antivirus failed to quarantine a threat.
+This error indicates that Microsoft Defender Antivirus failed to quarantine a threat.
</td> </tr> <tr>
-<th colspan="2">Error code: 0x80508022
+<th colspan="2">Error code: 0x80508022
</th> </tr><tr><td>Message</td>
-<td><b>ERR_MP_REBOOT_REQUIRED
+<td><b>ERR_MP_REBOOT_REQUIRED
</b> </td></tr><tr><td>Possible reason</td> <td>
-This error indicates that a reboot is required to complete threat removal.
+This error indicates that a reboot is required to complete threat removal.
</td> </tr> <tr> <th colspan="2">
-0x80508023
+0x80508023
</th> </tr><tr><td>Message</td>
-<td><b>ERR_MP_THREAT_NOT_FOUND
+<td><b>ERR_MP_THREAT_NOT_FOUND
</b> </td></tr><tr><td>Possible reason</td> <td>
-This error indicates that the threat might no longer be present on the media, or malware might be stopping you from scanning your device.
+This error indicates that the threat might no longer be present on the media, or malware might be stopping you from scanning your device.
</tr><tr><td>Resolution </td> <td>
-Run the <a href="https://www.microsoft.com/security/scanner/default.aspx">Microsoft Safety Scanner</a> then update your security software and try again.
+Run the <a href="https://www.microsoft.com/security/scanner/default.aspx">Microsoft Safety Scanner</a> then update your security software and try again.
</td> </tr> <tr> <th colspan="2">Error code: 0x80508024 </th></tr> <tr> <td>Message</td>
-<td><b>ERR_MP_FULL_SCAN_REQUIRED
+<td><b>ERR_MP_FULL_SCAN_REQUIRED
</b> </td></tr><tr><td>Possible reason</td> <td>
-This error indicates that a full system scan might be required.
+This error indicates that a full system scan might be required.
</td></tr> <tr> <td>Resolution</td><td>
-Run a full system scan.
+Run a full system scan.
</td> </tr> <tr>
-<th colspan="2">Error code: 0x80508025
+<th colspan="2">Error code: 0x80508025
</th> </tr><tr><td>Message</td>
-<td><b>ERR_MP_MANUAL_STEPS_REQUIRED
+<td><b>ERR_MP_MANUAL_STEPS_REQUIRED
</b> </td></tr><tr><td>Possible reason</td> <td>
-This error indicates that manual steps are required to complete threat removal.
+This error indicates that manual steps are required to complete threat removal.
</td></tr><tr><td>Resolution</td><td> Follow the manual remediation steps outlined in the <a href="https://www.microsoft.com/security/portal/threat/Threats.aspx">Microsoft Malware Protection Encyclopedia</a>. You can find a threat-specific link in the event history.<br/></td> </tr> <tr>
-<th colspan="2">Error code: 0x80508026
+<th colspan="2">Error code: 0x80508026
</th> </tr><tr><td>Message</td>
-<td><b>ERR_MP_REMOVE_NOT_SUPPORTED
+<td><b>ERR_MP_REMOVE_NOT_SUPPORTED
</b> </td></tr><tr><td>Possible reason</td> <td>
-This error indicates that removal inside the container type might not be not supported.
+This error indicates that removal inside the container type might not be not supported.
</td></tr><tr><td>Resolution</td><td>
-Microsoft Defender Antivirus is not able to remediate threats detected inside the archive. Consider manually removing the detected resources.
+Microsoft Defender Antivirus is not able to remediate threats detected inside the archive. Consider manually removing the detected resources.
</td> </tr> <tr>
-<th colspan="2">Error code: 0x80508027
+<th colspan="2">Error code: 0x80508027
</th> </tr><tr><td>Message</td>
-<td><b>ERR_MP_REMOVE_LOW_MEDIUM_DISABLED
+<td><b>ERR_MP_REMOVE_LOW_MEDIUM_DISABLED
</b> </td></tr><tr><td>Possible reason</td> <td>
-This error indicates that removal of low and medium threats might be disabled.
+This error indicates that removal of low and medium threats might be disabled.
</td></tr><tr><td>Resolution</td><td>
-Check the detected threats and resolve them as required.
+Check the detected threats and resolve them as required.
</td> </tr> <tr>
-<th colspan="2">Error code: 0x80508029
+<th colspan="2">Error code: 0x80508029
</th> </tr><tr><td>Message</td>
-<td><b>ERROR_MP_RESCAN_REQUIRED
+<td><b>ERROR_MP_RESCAN_REQUIRED
</b> </td></tr><tr><td>Possible reason</td> <td>
-This error indicates a rescan of the threat is required.
+This error indicates a rescan of the threat is required.
</td></tr><tr><td>Resolution</td><td>
-Run a full system scan.
+Run a full system scan.
</td> </tr> <tr>
-<th colspan="2">Error code: 0x80508030
+<th colspan="2">Error code: 0x80508030
</th> </tr><tr><td>Message</td>
-<td><b>ERROR_MP_CALLISTO_REQUIRED
+<td><b>ERROR_MP_CALLISTO_REQUIRED
</b> </td></tr><tr><td>Possible reason</td> <td>
-This error indicates that an offline scan is required.
+This error indicates that an offline scan is required.
</td></tr><tr><td>Resolution</td><td> Run offline Microsoft Defender Antivirus. You can read about how to do this in the <a href="https://windows.microsoft.com/windows/what-is-windows-defender-offline">offline Microsoft Defender Antivirus article</a>. </td> </tr> <tr>
-<th colspan="2">Error code: 0x80508031
+<th colspan="2">Error code: 0x80508031
</th> </tr><tr><td>Message</td> <td><b>ERROR_MP_PLATFORM_OUTDATED<br/></b> </td></tr><tr><td>Possible reason</td> <td>
-This error indicates that Microsoft Defender Antivirus does not support the current version of the platform and requires a new version of the platform.
+This error indicates that Microsoft Defender Antivirus does not support the current version of the platform and requires a new version of the platform.
</td></tr><tr><td>Resolution</td><td> You can only use Microsoft Defender Antivirus in Windows 10. For Windows 8, Windows 7 and Windows Vista, you can use <a href="https://www.microsoft.com/server-cloud/system-center/endpoint-protection-2012.aspx">System Center Endpoint Protection</a>.<br/></td> </tr>
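Review bot: three content problems sit in the lines this whitespace-only hunk rewrites. `Error code: 0x805080211` is nine hex digits, which is not a valid 32-bit HRESULT; given the neighbouring codes 0x80508020 and 0x80508022 it is almost certainly 0x80508021, so drop the trailing `1`. The ERR_MP_REMOVE_NOT_SUPPORTED reason reads "might not be not supported", a double negative; make it "might not be supported". The 0x80508031 resolution says Microsoft Defender Antivirus "can only" be used on Windows 10 and points Windows 7, 8 and Vista users to System Center Endpoint Protection, which contradicts the applicability table earlier on the page (Windows Vista SP1/SP2, Windows 7 and later, Windows Server 2008 and later); reconcile one or the other.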
The following error codes are used during internal testing of Microsoft Defender
If you see these errors, you can try to [update definitions](manage-updates-baselines-microsoft-defender-antivirus.md) and force a rescan directly on the endpoint.
-<table>
+<table>
<tr> <th colspan="3">Internal error codes</th> </tr>
If you see these errors, you can try to [update definitions](manage-updates-base
0x80501004 </td> <td>
-<b>ERROR_MP_NO_INTERNET_CONN
+<b>ERROR_MP_NO_INTERNET_CONN
</b> </td> <td>
This is an internal error. The cause is not clearly defined.
<b>ERR_MP_REMOVE_FAILED</b> </td> <td>
-This is an internal error. It might be triggered when malware removal is not successful.
+This is an internal error. It might be triggered when malware removal is not successful.
</td> </tr> <tr> <td>
-0x80508018
+0x80508018
</td> <td>
-<b>ERR_MP_SCAN_ABORTED
+<b>ERR_MP_SCAN_ABORTED
</b> </td> <td>
-This is an internal error. It might have triggered when a scan fails to complete.
+This is an internal error. It might have triggered when a scan fails to complete.
</td> </tr> </table>
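Review bot: the internal error table contradicts itself in two rows this hunk touches. `ERROR_MP_NO_INTERNET_CONN` is described as "an internal error. The cause is not clearly defined.", yet the symbolic name states the cause (no Internet connection), so either the description or the name is wrong and an admin reading the row will not know whether to check connectivity. `ERR_MP_SCAN_ABORTED` keeps "It might have triggered when a scan fails to complete"; the neighbouring `ERR_MP_REMOVE_FAILED` row uses the correct passive "It might be triggered", so align the wording.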
This is an internal error. It might have triggered when a scan fails to complete
## Related topics - [Report on Microsoft Defender Antivirus protection](report-monitor-microsoft-defender-antivirus.md)-- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
+- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
security Troubleshoot Reporting https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-reporting.md
-+ ms.technology: mde
You can use Microsoft Defender Antivirus with Update Compliance. You'll see stat
When you use [Windows Analytics Update Compliance to obtain reporting into the protection status of devices or endpoints](/windows/deployment/update/update-compliance-using#wdav-assessment) in your network that are using Microsoft Defender Antivirus, you might encounter problems or issues. Typically, the most common indicators of a problem are:+ - You only see a small number or subset of all the devices you were expecting to see - You do not see any devices at all - The reports and information you do see is outdated (older than a few days)
-For common error codes and event IDs related to the Microsoft Defender Antivirus service that are not related to Update Compliance, see [Microsoft Defender Antivirus events](troubleshoot-microsoft-defender-antivirus.md).
+For common error codes and event IDs related to the Microsoft Defender Antivirus service that are not related to Update Compliance, see [Microsoft Defender Antivirus events](troubleshoot-microsoft-defender-antivirus.md).
There are three steps to troubleshooting these problems:
There are three steps to troubleshooting these problems:
2. Check your connectivity to the Windows Defender cloud-based service 3. Submit support logs
->[!IMPORTANT]
->It typically takes 3 days for devices to start appearing in Update Compliance.
-
+> [!IMPORTANT]
+> It typically takes 3 days for devices to start appearing in Update Compliance.
## Confirm prerequisites In order for devices to properly show up in Update Compliance, you have to meet certain prerequisites for both the Update Compliance service and for Microsoft Defender Antivirus: >[!div class="checklist"]
->- Endpoints are using Microsoft Defender Antivirus as the sole antivirus protection app. [Using any other antivirus app will cause Microsoft Defender Antivirus to disable itself](microsoft-defender-antivirus-compatibility.md) and the endpoint will not be reported in Update Compliance.
+>
+> - Endpoints are using Microsoft Defender Antivirus as the sole antivirus protection app. [Using any other antivirus app will cause Microsoft Defender Antivirus to disable itself](microsoft-defender-antivirus-compatibility.md) and the endpoint will not be reported in Update Compliance.
> - [Cloud-delivered protection is enabled](enable-cloud-protection-microsoft-defender-antivirus.md). > - Endpoints can [connect to the Microsoft Defender Antivirus cloud](configure-network-connections-microsoft-defender-antivirus.md#validate-connections-between-your-network-and-the-cloud) > - If the endpoint is running Windows 10 version 1607 or earlier, [Windows 10 diagnostic data must be set to the Enhanced level](/windows/configuration/configure-windows-diagnostic-data-in-your-organization#enhanced-level).
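Review bot: the checklist items now render, but the opening `>[!div class="checklist"]` in the context line still lacks the space after `>` that this same commit adds to the `> [!IMPORTANT]` block a few lines above; apply the same `> [!div class="checklist"]` form so the page is consistent with the other blockquote fixes in the changeset.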
In order for devices to properly show up in Update Compliance, you have to meet
If the above prerequisites have all been met, you might need to proceed to the next step to collect diagnostic information and send it to us. > [!div class="nextstepaction"]
-> [Collect diagnostic data for Update Compliance troubleshooting](collect-diagnostic-data.md)
+> [Collect diagnostic data for Update Compliance troubleshooting](collect-diagnostic-data.md)
## Related topics - [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)-- [Deploy Microsoft Defender Antivirus](deploy-manage-report-microsoft-defender-antivirus.md)
+- [Deploy Microsoft Defender Antivirus](deploy-manage-report-microsoft-defender-antivirus.md)
security Tune Performance Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/tune-performance-defender-antivirus.md
For examples that describe the process of "export" and "convert" through sample
Microsoft Defender Antivirus performance analyzer has the following prerequisites: - Supported Windows versions: Windows 10, Windows 11, and Windows Server 2016 and above-- Platform Version: 4.18.2108.X+
+- Platform Version: 4.18.2108.7+
- PowerShell Version: PowerShell Version 5.1 ## PowerShell reference
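Review bot: pinning the prerequisite to `4.18.2108.7+` is an improvement over `4.18.2108.X+`, but the next line reads "PowerShell Version: PowerShell Version 5.1" with no `+` or "or later"; state explicitly whether 5.1 is the minimum or the only supported version (and whether PowerShell 7 is excluded), otherwise readers on a newer PowerShell cannot tell if the analyzer is expected to work, and drop the duplicated "PowerShell Version" wording.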
security Use Group Policy Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/use-group-policy-microsoft-defender-antivirus.md
In general, you can use the following procedure to configure or change Microsoft
The following table in this topic lists the Group Policy settings available in Windows 10, version 1703, and provides links to the appropriate topic in this documentation library (where applicable). > [!TIP]
-> [Download the Group Policy Settings Reference Spreadsheet for Windows 10 May 2020 Update (2004)](https://www.microsoft.com/download/101451). This spreadsheet lists the policy settings for computer and user configurations that are included in the Administrative template files delivered with for Windows 10 May 2020 Update (2004). You can configure refer to the spreadsheet when you edit Group Policy Objects.
+> [Download the Group Policy Settings Reference Spreadsheet for Windows 10 May 2020 Update (2004)](https://www.microsoft.com/download/101451). This spreadsheet lists the policy settings for computer and user configurations that are included in the Administrative template files delivered with for Windows 10 May 2020 Update (2004). You can configure refer to the spreadsheet when you edit Group Policy Objects.<br/><br/>
| Location | Setting | Article | |:|:|:|
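Review bot: the rewritten TIP only appends `<br/><br/>` and leaves two wording errors in place: "delivered with for Windows 10 May 2020 Update (2004)" has a stray "with", and "You can configure refer to the spreadsheet" has a stray "configure". Also, the paragraph introducing the table says it lists the settings available in Windows 10, version 1703, while the spreadsheet offered is for version 2004; say which release the table actually reflects so readers know whether the two sources are expected to match.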
security Streaming Api https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/streaming-api.md
Topic | Description
:|: [Stream events to Azure Event Hubs](streaming-api-event-hub.md)| Learn about enabling the streaming API in your tenant and configure Microsoft 365 Defender to stream [Advanced Hunting](../defender/advanced-hunting-overview.md) to Event Hubs. [Stream events to your Azure storage account](streaming-api-storage.md)| Learn about enabling the streaming API in your tenant and configure Microsoft 365 Defender to stream [Advanced Hunting](advanced-hunting-overview.md) to your Azure storage account.
+[Supported event types](supported-event-types.md) | Learn which Advanced Hunting event types the Streaming API supports.
## Related topics
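Review bot: the new row is consistent with the existing two, but the table's links to the Advanced Hunting overview differ between rows (`../defender/advanced-hunting-overview.md` in the Event Hubs row, `advanced-hunting-overview.md` in the storage account row) even though this page lives in the `defender` folder and both resolve to the same file; use the plain relative form in all three rows so a future move of the page does not break one link and not the others.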
security Supported Event Types https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/supported-event-types.md
+
+ Title: Microsoft 365 Defender event types supported in Event Streaming API
+description: Learn which hunting event types (tables) are supported by the streaming API
+keywords: raw data export, Streaming API, API, Event hubs, Azure storage, storage account, Hunting, raw data sharing
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
++
+localization_priority: Normal
+
+audience: ITPro
++
+ms.technology: mde
++
+# Supported Microsoft 365 Defender event types in event streaming API
++
+**Applies to:**
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+++
+The Event Streaming API is constantly being expanded to support more event types. Learn which Hunting tables are generally available, currently in public preview, or not yet supported.
+**New - Email event types/tables are now GA**
+
+## Hunting tables support status in Event Streaming API
+
+| Table name | Status |
+||-|
+| **[AlertEvidence](advanced-hunting-alertevidence-table.md)** | GA |
+| **[AlertInfo](advanced-hunting-alertinfo-table.md)** | GA |
+| **[CloudAppEvents](advanced-hunting-cloudappevents-table.md)** | Not yet supported |
+| **[DeviceEvents](advanced-hunting-deviceevents-table.md)** |GA |
+| **[DeviceFileCertificateInfo](advanced-hunting-DeviceFileCertificateInfo-table.md)** |GA |
+| **[DeviceFileEvents](advanced-hunting-devicefileevents-table.md)** | GA |
+| **[DeviceImageLoadEvents](advanced-hunting-deviceimageloadevents-table.md)** | GA |
+| **[DeviceInfo](advanced-hunting-deviceinfo-table.md)** | GA |
+| **[DeviceLogonEvents](advanced-hunting-devicelogonevents-table.md)** | GA |
+| **[DeviceNetworkEvents](advanced-hunting-devicenetworkevents-table.md)** |GA |
+| **[DeviceNetworkInfo](advanced-hunting-devicenetworkinfo-table.md)** | GA |
+| **[DeviceProcessEvents](advanced-hunting-deviceprocessevents-table.md)** | GA |
+| **[DeviceRegistryEvents](advanced-hunting-deviceregistryevents-table.md)** | GA |
+| **[DeviceTvmSecureConfigurationAssessment](advanced-hunting-devicetvmsecureconfigurationassessment-table.md)** | GA |
+| **[DeviceTvmSecureConfigurationAssessmentKB](advanced-hunting-devicetvmsecureconfigurationassessmentkb-table.md)** | GA |
+| **[DeviceTvmSoftwareInventory](advanced-hunting-devicetvmsoftwareinventory-table.md)** | GA |
+| **[DeviceTvmSoftwareVulnerabilities](advanced-hunting-devicetvmsoftwarevulnerabilities-table.md)** | GA |
+| **[DeviceTvmSoftwareVulnerabilitiesKB](advanced-hunting-devicetvmsoftwarevulnerabilitieskb-table.md)** | GA |
+| **[EmailAttachmentInfo](advanced-hunting-emailattachmentinfo-table.md)** | GA |
+| **[EmailEvents](advanced-hunting-emailevents-table.md)** | GA |
+| **[EmailPostDeliveryEvents](advanced-hunting-emailpostdeliveryevents-table.md)** | GA |
+| **[EmailUrlInfo](advanced-hunting-emailurlinfo-table.md)** | GA |
+| **[IdentityDirectoryEvents](advanced-hunting-identitydirectoryevents-table.md)** | Not yet supported |
+| **[IdentityInfo](advanced-hunting-identityinfo-table.md)** |Not yet supported|
+| **[IdentityLogonEvents](advanced-hunting-identitylogonevents-table.md)** | Not yet supported |
+| **[IdentityQueryEvents](advanced-hunting-identityqueryevents-table.md)** | Not yet supported |
+
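Review bot: cell padding in the status column is inconsistent across the added rows, for example `|GA |` at L3821, L3822 and L3827 and `|Not yet supported|` at L3841 against `| GA |` everywhere else. The rendered table is unaffected, but the source diff is noisier to review and future one-line edits will keep reintroducing the mix; suggest normalising every status cell to `| GA |` / `| Not yet supported |` in this commit.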
security About Defender For Office 365 Trial https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/about-defender-for-office-365-trial.md
audience: Admin -
+ms.technology: mdo
localization_priority: Normal search.appverid: - MET150
security Admin Review Reported Message https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/admin-review-reported-message.md
audience: Admin - localization_priority: Normal - M365-security-compliance
security Admin Submission https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/admin-submission.md
f1.keywords:
Previously updated : audience: ITPro localization_priority: Normal
security Advanced Spam Filtering Asf Options https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/advanced-spam-filtering-asf-options.md
f1.keywords:
Previously updated : audience: ITPro localization_priority: Normal
security Backscatter Messages And Eop https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/backscatter-messages-and-eop.md
ms.prod: m365-security
- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md) - [Microsoft 365 Defender](../defender/microsoft-365-defender.md)
-*Backscatter* is non-delivery reports (also known as NDRs or bounce messages) you receive for messages that you didn't send. Spammers forge (spoof) the From: address of their messages, and they often use real email addresses to lend credibility to their messages. So, when spammers inevitably send messages to non-existent recipients (spam is a high-volume operation), the destination email server is essentially tricked into returning the undeliverable message in an NDR to the forged sender in the From: address.
+*Backscatter* is non-delivery reports (also known as NDRs or bounce messages) that you receive for messages that you didn't send. Backscatter is caused by spammers forging (spoofing) the From address (also known as the `5322.From` or P2 address) in their messages. Spammers will often use real email addresses as the From address to lend credibility to their messages. When spam is sent to a non-existent recipient, the destination email server is essentially tricked into returning the undeliverable message in an NDR to the forged sender in the From address.
In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, EOP makes every effort to identify and silently drop messages from dubious sources without generating an NDR. But, based on the sheer volume email flowing through the service, there's always the possibility that EOP will unintentionally send backscatter.
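Review bot: the rewritten sentence at L3861 now says the NDR is returned to the forged From address and labels that address `5322.From` (P2). That ties the bounce to the wrong address: a receiving server generates an NDR to the envelope reverse-path, the SMTP MAIL FROM (`5321.MailFrom`, P1) address, not to the header From that the recipient sees. Spammers usually forge both, so the victim is the same, but since the hunk introduces the precise RFC terminology it should use it correctly. Suggest: "Spammers forge (spoof) the envelope sender (`5321.MailFrom`, P1) and the From address (`5322.From`, P2) ... the destination email server returns the undeliverable message in an NDR to the forged `5321.MailFrom` address." L3862 would also benefit from saying how a server avoids producing backscatter at all: an NDR is only generated for a message that was accepted, so rejecting unknown recipients with a 5xx during the SMTP transaction instead of accepting and later bouncing is the control that "silently drop" is alluding to.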
-Backscatterer.org maintains a block list (also known as a DNS block list or DNSBL) of email servers that were responsible for sending backscatter, and EOP servers might appear on this list. But, we don't try to remove ourselves from the Backscatterer.org block list because it isn't a list of spammers (by their own admission).
+Backscatterer.org maintains a blocklist (also known as a DNS blocklist or DNSBL) of email servers that were responsible for sending backscatter, and EOP servers might appear on this list. But, we don't try to remove ourselves from the Backscatterer.org blocklist because (by their own admission) their list isn't a list of spammers.
> [!TIP]
-> The Backscatter.org website (<http://www.backscatterer.org/?target=usage>) recommends using their service to check incoming email in Safe mode instead of Reject mode (large email services almost always send some backscatter).
+> The Backscatterer.org website (<http://www.backscatterer.org/?target=usage>) recommends using their service in Safe mode instead of Reject mode, because large email services almost always send some backscatter.
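Review bot: the corrected tip at L3867 still leaves "Safe mode" and "Reject mode" undefined, so a reader configuring a DNSBL lookup on their own MTA cannot act on it. Suggest one clause after "Safe mode": use a hit on the list as a spam-scoring signal or flag rather than refusing the connection outright (Reject mode), which is exactly why the sentence says large senders "almost always send some backscatter". The link is also plain `http://`; if the site serves HTTPS, reference it that way.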
security Defender For Office 365 Trial Terms And Conditions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/defender-for-office-365-trial-terms-and-conditions.md
audience: Admin -
+ms.technology: mdo
localization_priority: Normal search.appverid: - MET150
security Mdo Email Entity Page https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/mdo-email-entity-page.md
Last updated 01/21/2021 audience: ITPro -
+ms.technology: mdo
localization_priority: Normal search.appverid:
security Microsoft Message Phishing Report Terms https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/microsoft-message-phishing-report-terms.md
Title: Microsoft Report Message and Report Phishing Add-In license terms
description: Describes the Microsoft Report Message and Report Phishing Add-In license terms keywords: microsoft, report, phishing, security, scam, hack, license, terms, application, use, installation, service, feedback search.product: eADQiWindows 10XVcnh
+ms.technology: mdo
ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security
If you comply with these license terms, you have the rights below. By using the
1. **INSTALLATION AND USE RIGHTS** 1. **General.** You may install and use any number of copies of the software.
- 1. **Third Party Software.** The software may include third party applications that Microsoft, not the third party, licenses to you under this agreement. Any included notices for third party applications are for your information only.
+ 1. **Third Party Software.** The software may include third-party applications that Microsoft, not the third party, licenses to you under this agreement. Any included notices for third-party applications are for your information only.
1. **Microsoft Services Agreement.** Some features of the software provide access to, or rely on, online services. The use of those services (but not the software) is governed by the separate terms and privacy policies in the Microsoft Services Agreement at <https://www.microsoft.com/servicesagreement/>. Please read them. The services may not be available in all regions. 2. **DATA COLLECTION.** The software may collect information about you and your use of the software and send that to Microsoft. Microsoft may use this information to provide services and improve MicrosoftΓÇÖs products and services. Your opt-out rights, if any, are described in the product documentation. Some features in the software may enable collection of data from users of your applications that access or use the software.
If you comply with these license terms, you have the rights below. By using the
3. **SCOPE OF LICENSE.** The software is licensed, not sold. Microsoft reserves all other rights. Unless applicable law gives you more rights despite this limitation, you will not (and have no right to): 1. work around any technical limitations in the software that only allow you to use it in certain ways;
- 1. reverse engineer, decompile or disassemble the software;
+ 1. reverse engineer, decompile, or disassemble the software;
1. remove, minimize, block, or modify any notices of Microsoft or its suppliers in the software; 1. use the software for commercial, non-profit, or revenue-generating activities; 1. use the software in any way that is against the law or to create or propagate malware; or
If you comply with these license terms, you have the rights below. By using the
*In English (no further French translation provided in this section):* For example, if you acquired the software in one of the below regions, or mandatory country law applies, then the following provisions apply to you: 1. **Australia.** You have statutory guarantees under the Australian Consumer Law and nothing in this agreement is intended to affect those rights.
- 1. **Canada.** If you acquired this software in Canada, you may stop receiving updates by turning off the automatic update feature, disconnecting your device from the Internet (if and when you re-connect to the Internet, however, the software will resume checking for and installing updates), or uninstalling the software. The product documentation, if any, may also specify how to turn off updates for your specific device or software.
+ 1. **Canada.** If you acquired this software in Canada, you may stop receiving updates by turning off the automatic update feature, disconnecting your device from the Internet (if and when you reconnect to the Internet, however, the software will resume checking for and installing updates), or uninstalling the software. The product documentation, if any, may also specify how to turn off updates for your specific device or software.
1. **Germany and Austria.** 1. **Warranty.** The properly licensed software will perform substantially as described in any Microsoft materials that accompany the software. However, Microsoft gives no contractual guarantee in relation to the licensed software. 1. **Limitation of Liability.** In case of intentional conduct, gross negligence, claims based on the Product Liability Act, as well as, in case of death or personal or physical injury, Microsoft is liable according to the statutory law.
If you comply with these license terms, you have the rights below. By using the
*En Français*: **EXONÉRATION DE GARANTIE.** Le logiciel visé par une licence est offert « tel quel ». Toute utilisation de ce logiciel est à votre seule risque et péril. Microsoft n’accorde aucune autre garantie expresse. Vous pouvez bénéficier de droits additionnels en vertu du droit local sur la protection des consommateurs, que ce contrat ne peut modifier. La ou elles sont permises par le droit locale, les garanties implicites de qualité marchande, d’adéquation à un usage particulier et d’absence de contrefaçon sont exclues.
-12. *In English:* **LIMITATION ON AND EXCLUSION OF DAMAGES.** If you have any basis for recovering damages despite the preceding disclaimer of warranty, you can recover from Microsoft and its suppliers only direct damages up to U.S. $5.00. You cannot recover any other damages, including consequential, lost profits, special, indirect or incidental damages.
+12. *In English:* **LIMITATION ON AND EXCLUSION OF DAMAGES.** If you have any basis for recovering damages despite the preceding disclaimer of warranty, you can recover from Microsoft and its suppliers only direct damages up to U.S. $5.00. You cannot recover any other damages, including consequential, lost profits, special, indirect, or incidental damages.
- This limitation applies to (a) anything related to the software, services, content (including code) on third party Internet sites, or third party applications; and (b) claims for breach of contract, warranty, guarantee, or condition; strict liability, negligence, or other tort; or any other claim; in each case to the extent permitted by applicable law.
+ This limitation applies to (a) anything related to the software, services, content (including code) on third-party Internet sites, or third-party applications; and (b) claims for breach of contract, warranty, guarantee, or condition; strict liability, negligence, or other tort; or any other claim; in each case to the extent permitted by applicable law.
It also applies even if Microsoft knew or should have known about the possibility of the damages. The above limitation or exclusion may not apply to you because your state, province, or country may not allow the exclusion or limitation of incidental, consequential, or other damages.
security Siem Integration With Office 365 Ti https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/siem-integration-with-office-365-ti.md
The SIEM server or other similar system polls the **audit.general** workload to
### AuditLogRecordType
-The following table summarizes the values of **AuditLogRecordType** that are relevant for Microsoft Defender for Office 365 events:
+The following table summarizes the values of **AuditLogRecordType** that are relevant for Microsoft Defender for Office 365 events:<br/><br/>
| Value | Member name | Description | ||||
The following table summarizes the values of **AuditLogRecordType** that are rel
| 41| ThreatIntelligenceUrl | Safe Links time-of-block and block override events from Microsoft Defender for Office 365. | | 47| ThreatIntelligenceAtpContent | Phishing and malware events for files in SharePoint Online, OneDrive for Business, and Microsoft Teams, from Microsoft Defender for Office 365. | | 64| AirInvestigation | Automated investigation and response events, such as investigation details and relevant artifacts, from Microsoft Defender for Office 365 Plan 2. |
-|
> [!IMPORTANT] > You must have either the global administrator or Security Administrator role assigned in the Microsoft 365 Defender portal to set up SIEM integration with Microsoft Defender for Office 365. For more information, see [Permissions in the Microsoft 365 Defender portal](permissions-microsoft-365-security-center.md).
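Review bot: L3907 appends `<br/><br/>` to the sentence to force spacing before the table. In Markdown the conventional fix is a blank line between the paragraph and the table (the stray trailing `|` removed at L3911 was the more likely cause of the rendering problem); inline HTML breaks should only be used if the build pipeline is known to swallow that blank line. Separately, the IMPORTANT note at L3912 offers global administrator and Security Administrator as interchangeable; since Security Administrator is sufficient for setting up SIEM integration, suggest the note recommend that role and mention global administrator only as an alternative, in line with least privilege.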
security Siem Server Integration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/siem-server-integration.md
Whether you need a SIEM server depends on many factors, such as your organizatio
A SIEM server can receive data from a wide variety of Microsoft 365 services and applications. The following table lists several Microsoft 365 services and applications, along with SIEM server inputs and resources to learn more.
-<br>
-
-****
+<br/><br/>
|Microsoft 365 Service or Application|SIEM server inputs/methods|Resources to learn more| |||| |[Microsoft Defender for Office 365](defender-for-office-365.md)|Audit logs|[SIEM integration with Microsoft Defender for Office 365](siem-integration-with-office-365-ti.md)| |[Microsoft Defender for Endpoint](/windows/security/threat-protection/)|HTTPS endpoint hosted in Azure <p> REST API|[Pull alerts to your SIEM tools](../defender-endpoint/configure-siem.md)| |[Microsoft Cloud App Security](/cloud-app-security/what-is-cloud-app-security)|Log integration|[SIEM integration with Microsoft Cloud App Security](/cloud-app-security/siem)|
-|
> [!TIP] > Take a look at [Azure Sentinel](/azure/sentinel/overview). Azure Sentinel comes with connectors for Microsoft solutions. These connectors are available "out of the box" and provide for real-time integration. You can use Azure Sentinel with your Microsoft 365 Defender solutions and Microsoft 365 services, including Office 365, Azure AD, Microsoft Defender for Identity, Microsoft Cloud App Security, and more.
security Top Security Tasks For Remote Work https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/top-security-tasks-for-remote-work.md
audience: Admin -
+ms.technology: m365d
localization_priority: Normal search.appverid: - MET150
solutions Deploy Threat Protection Configure https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/deploy-threat-protection-configure.md
Microsoft 365 Defender unifies alerts, incidents, automated investigation and re
[Microsoft Defender for Office 365](../security/office-365-security/defender-for-office-365.md) safeguards your organization against malicious threats in email messages (attachments and URLs), Office documents, and collaboration tools. The following table lists Microsoft Defender for Office 365 features and capabilities that are included in Microsoft 365 E5:
-<br>
-
-****
+<br/><br/>
|Configuration, protection, and detection capabilities|Automation, investigation, remediation, and education capabilities| ||| |[Safe Attachments](../security/office-365-security/safe-attachments.md) <p> [Safe Links](../security/office-365-security/safe-links.md) <p> [Safe Documents](../security/office-365-security/safe-docs.md) <p> [Safe Attachments for SharePoint, OneDrive, and Microsoft Teams](../security/office-365-security/mdo-for-spo-odb-and-teams.md) <p> [Anti-phishing protection in Microsoft 365](../security/office-365-security/anti-phishing-protection.md)|[Threat Trackers](../security/office-365-security/threat-trackers.md) <p> [Threat Explorer](../security/office-365-security/threat-explorer.md) <p> [Automated investigation and response](../security/office-365-security/office-365-air.md) <p> [Attack simulation training](../security/office-365-security/attack-simulation-training.md)|
-|
With Microsoft Defender for Office 365, people across your organization can communicate and collaborate more securely, with threat protection for their email content and Office documents.
The Harvard Kennedy School [Cybersecurity Campaign Handbook](https://go.microsof
Microsoft 365 provides the following resources to help inform users in your organization:
-<br>
-
-****
+<br/><br/>
|Concept|Resources| ||| |Microsoft 365|[Customizable learning pathways](/office365/customlearning/) <p> These resources can help you put together training for end users in your organization| |Microsoft 365 security|[Learning module: Secure your organization with built-in, intelligent security from Microsoft 365](/learn/modules/security-with-microsoft-365) <p> This module enables you to describe how Microsoft 365 security features work together and to articulate the benefits of these security features.| |Multi-factor authentication|[Two-step verification: What is the additional verification page?](/azure/active-directory/user-help/multi-factor-authentication-end-user-first-time) <p> This article helps end users understand what multi-factor authentication is and why it's being used at your organization.|
-|
In addition to this guidance, Microsoft recommends that your users take the actions described in this article: [Protect your account and devices from hackers and malware](https://support.office.com/article/066d6216-a56b-4f90-9af3-b3a1e9a327d6.aspx). These actions include:
solutions Deploy Threat Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/deploy-threat-protection.md
Watch this video for an overview of the deployment process.
<br><br> > [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4vsI7]
-The following table describes the various solutions/capabilities to configure and what they do.
+The following table describes the various solutions/capabilities to configure and what they do.<br/><br/>
|Step |Solution/capabilities |Description | |--|||