Updates from: 09/07/2023 03:46:48
Category Microsoft Docs article Related commit history on GitHub Change details
admin Customize The App Launcher https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/manage/customize-the-app-launcher.md
You can add your own custom tiles to Apps that point to SharePoint sites, extern
1. Enter a URL of website for the tile. This is the location where you want your users to go when they select the tile on the app launcher. Use HTTPS in the URL. > [!TIP]
->If you're creating a tile for a SharePoint site, navigate to that site, copy the URL, and paste it here. The URL of your default team site looks like this:ΓÇ»`https://<company_name>.sharepoint.com`.
+ > If you're creating a tile for a SharePoint site, navigate to that site, copy the URL, and paste it here. The URL of your default team site looks like this:ΓÇ»`https://<company_name>.sharepoint.com`.
1. Enter a URL of the image for the tile. The image appears on the My apps page and app launcher. > [!TIP]
->The image should be 60x60 pixels and be available to everyone in your organization without requiring authentication.
+ > The image should be 60x60 pixels and be available to everyone in your organization without requiring authentication.
1. Enter a description for the tile. You see this when you select the tile on the My apps page and select **App details**.
business-premium M365bp Mdb Maintain Environment https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business-premium/m365bp-mdb-maintain-environment.md
audience: Admin
Previously updated : 08/25/2023 Last updated : 09/06/2023 ms.localizationpriority: medium - M365-Campaigns
description: "Keep your systems, devices, user accounts, and security policies u
# Monitor and maintain Microsoft 365 Business Premium and Defender for Business
-After you have set up and configured [Microsoft 365 Business Premium](index.md) or [Microsoft Defender for Business](../security/defender-business/mdb-overview.md) (standalone), your next step is to prepare a plan for maintenance and operations. It's important to keep your systems, devices, user accounts, and security policies up to date to help protect against cyberattacks. You can use this article as a guide to prepare your plan.
+After you have set up and configured [Microsoft 365 Business Premium](index.md) or the standalone version of [Microsoft Defender for Business](../security/defender-business/mdb-overview.md), your next step is to prepare a plan for maintenance and operations. It's important to keep your systems, devices, user accounts, and security policies up to date to help protect against cyberattacks. You can use this article as a guide to prepare your plan.
-There are two main categories of tasks to perform, as listed in the following table:| Task type | Sections |
+As you prepare your plan, you can organize the various tasks into two main categories, as listed in the following table:
+
+| Task type | Sections |
||| | **[Security tasks](#security-tasks)** | [Daily security tasks](#daily-security-tasks) <br/>[Weekly security tasks](#weekly-security-tasks)<br/>[Monthly security tasks](#monthly-security-tasks)<br/>[Security tasks to perform as needed](#security-tasks-to-perform-as-needed) | | **[General admin tasks](#general-admin-tasks)** | [Admin center tasks](#admin-center-tasks)<br/>[Users, groups, and passwords](#users-groups-and-passwords)<br/>[Email and calendars](#email-and-calendars)<br/>[Devices](#devices)<br/>[Devices](#devices)<br/>[Subscriptions and billing](#subscriptions-and-billing) |
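Review bot: The **General admin tasks** row in the unchanged table line right under the new `| Task type | Sections |` header links `[Devices](#devices)` twice in a row. Since this change already reflows the table, drop the duplicate entry in the same edit so the section list matches the headings it points to.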
There are two main categories of tasks to perform, as listed in the following ta
## Security tasks Security tasks are typically performed by security administrators and security operators. - - [Learn more about admin roles](../admin/add-users/about-admin-roles.md) - [Assign security roles and permissions](../security/defender-business/mdb-roles-permissions.md)
Security tasks are typically performed by security administrators and security o
| **Run a scan or automated investigation** | Your security team can initiate a scan or an automated investigation on a device that has a high risk level or detected threats. Depending on the results of the scan or automated investigation, [remediation actions](#remediation-actions-for-devices) can occur automatically or upon approval.<br/><br/>1. In the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), in the navigation pane, choose **Assets** > **Devices**.<br/><br/>2. Select a device to open its flyout panel, and review the information that is displayed.<br/>- Select the ellipsis (...) to open the actions menu.<br/>- Select an action, such as **Run antivirus scan** or **Initiate Automated Investigation**. | + ### Weekly security tasks
Security tasks are typically performed by security administrators and security o
| **Improve your Secure Score for devices** | Improve your security configuration by remediating issues using the security recommendations list. As you do so, your Microsoft Secure Score for Devices improves and your organization becomes more resilient against cybersecurity threats and vulnerabilities going forward. It's always worth the time it takes to review and improve your score.<br/><br/>To check your secure score, follow these steps: <br/><br/>1. In the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), in the navigation pane select **Secure score**.<br/><br/>2. From the **Microsoft Secure Score for Devices** card in the Defender Vulnerability Management dashboard, select one of the categories. A list of recommendations related to that category displays, along with recommendations.<br/><br/>3.Select an item on the list to display details related to the recommendation.<br/><br/>4. Select **Remediation options**.<br/><br/>5. Read the description to understand the context of the issue and what to do next. Choose a due date, add notes, and select **Export all remediation activity data to CSV** so you can attach it to an email for follow-up. A confirmation message tells you the remediation task has been created.<br/><br/>6. Send a follow-up email to your IT Administrator and allow for the time that you've allotted for the remediation to propagate in the system.<br/><br/>7. Return to the Microsoft Secure Score for Devices card on the dashboard. The number of security controls recommendations has decreased as a result of your actions.<br/><br/>8. Select **Security controls** to go back to the Security recommendations page. The item that you addressed isn't listed there anymore, which results in your Microsoft secure score improving. | + ### Monthly security tasks
Security tasks are typically performed by security administrators and security o
| **Explore the Learning hub** | Use the Learning hub to increase your knowledge of cybersecurity threats and how to address them. We recommend exploring the resources that are offered, especially in the Microsoft 365 Defender and Endpoints sections.<br/><br/>1. In the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), in the navigation pane, choose **Learning hub**.<br/><br/>2. Select an area, such as **Microsoft 365 Defender** or **Endpoints**.<br/><br/>3. Select an item to learn more about each concept. <br/><br/>Some resources in the Learning hub might cover functionality that isn't included in Defender for Business. For example, advanced hunting capabilities are included in enterprise subscriptions, such as Defender for Endpoint Plan 2 or Microsoft 365 Defender, but not in Defender for Business. [Compare security features in Microsoft 365 plans for small and medium-sized businesses](../security/defender-business/compare-mdb-m365-plans.md). | + ### Security tasks to perform as needed
Security tasks are typically performed by security administrators and security o
| **Remediate an item** | Defender for Business includes several [remediation actions](#remediation-actions-for-devices). Some actions are taken automatically, and others await approval by your security team.<br/><br/>1. In the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), in the navigation pane, go to **Assets** > **Devices**.<br/><br/>2. Select a device, such as one with a high risk level or exposure level. A flyout pane opens and displays more information about alerts and incidents generated for that item.<br/><br/>3. On the flyout, view the information that is displayed. Select the ellipsis (...) to open a menu that lists available actions.<br/><br/>4. Select an available action. For example, you might choose **Run antivirus scan**, which will cause Microsoft Defender Antivirus to start a quick scan on the device. Or, you could select **Initiate Automated Investigation** to trigger an automated investigation on the device. | + ### Remediation actions for devices
frontline Browser Join https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/browser-join.md
Currently, browser join is available for appointments that are scheduled through
- [The Bookings app](https://support.microsoft.com/office/what-is-bookings-42d4e852-8e99-4d8f-9b70-d7fc93973cb5) - Microsoft Teams Electronic Health Record (EHR) connector
- - Integration with [Cerner EHR](ehr-admin-cerner.md)
+ - Integration with [Oracle Health EHR](ehr-admin-oracle-health.md)
- Integration with [Epic EHR](ehr-admin-epic.md) ## Set up browser join
On the **Bookings schedule** tab of the Virtual Appointments app or in the Booki
No setup is needed by you or your staff!
-**Integration with Cerner EHR**: The Teams EHR connector supports patients joining virtual appointments through a link in the SMS text message. At the time of the appointment, patients can join by tapping the link in the SMS text message, and Teams opens in a browser.
+**Integration with Oracle Health EHR**: The Teams EHR connector supports patients joining virtual appointments through a link in the SMS text message. At the time of the appointment, patients can join by tapping the link in the SMS text message, and Teams opens in a browser.
**Integration with Epic EHR**: The Teams EHR connector supports patients joining virtual appointments through MyChart web and mobile. At the time of the appointment, patients can start the appointment from MyChart by using the **Begin virtual visit** button, and Teams opens in a browser.
frontline Ehr Connector Report https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/ehr-connector-report.md
Choose **View details** to view the report. To purchase more licenses, choose **
## Related articles -- [Virtual Appointments with Teams - Integration into Cerner EHR](ehr-admin-cerner.md)
+- [Virtual Appointments with Teams - Integration into Oracle Health EHR](ehr-admin-oracle-health.md)
- [Virtual Appointments with Teams - Integration into Epic EHR](ehr-admin-epic.md)
frontline Virtual Appointments Usage Report https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/virtual-appointments-usage-report.md
This tab shows appointments scheduled through Bookings.
### EHR
-You'll see this tab if you have a license that includes the Teams EHR connector. To learn more, see [Integration into Cerner EHR](ehr-admin-cerner.md) or [Integration into Epic EHR](ehr-admin-epic.md).
+You'll see this tab if you have a license that includes the Teams EHR connector. To learn more, see [Integration into Oracle Health EHR](ehr-admin-oracle-health.md) or [Integration into Epic EHR](ehr-admin-epic.md).
:::image type="content" source="media/va-usage-report-ehr.png" alt-text="Screenshot of the EHR tab of the Virtual Appointments usage report showing numbered callouts." lightbox="media/va-usage-report-ehr.png":::
You'll see this tab if you have a license that includes the Teams EHR connector.
- [Advanced Virtual Appointments activity report](advanced-virtual-appointments-activity-report.md) - [Virtual Appointments with Teams - Integration into Epic EHR](ehr-admin-epic.md)-- [Virtual Appointments with Teams - Integration into Cerner EHR](ehr-admin-cerner.md)
+- [Virtual Appointments with Teams - Integration into Oracle Health EHR](ehr-admin-oracle-health.md)
- [Teams Premium licensing](/microsoftteams/teams-add-on-licensing/licensing-enhance-teams)
frontline Virtual Appointments https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/virtual-appointments.md
If your healthcare organization uses an EHR system, you can use the Teams EHR co
After you set up the Teams EHR connector, clinicians can launch visits with patients and consultations with other providers in Teams directly from the EHR system.
-Currently, the Teams EHR connector supports integration with the Cerner EHR system and Epic EHR system. To learn more, see:
+Currently, the Teams EHR connector supports integration with the Oracle Health EHR system and Epic EHR system. To learn more, see:
-- [Virtual Appointments with Teams - Integration into Cerner EHR](ehr-admin-cerner.md)
+- [Virtual Appointments with Teams - Integration into Oracle Health EHR](ehr-admin-oracle-health.md)
- [Virtual Appointments with Teams - Integration into Epic EHR](ehr-admin-epic.md) ## Virtual appointment meeting template
security Configure Remediation Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-remediation-microsoft-defender-antivirus.md
Title: Configure remediation for Microsoft Defender Antivirus detections description: Configure what Microsoft Defender Antivirus should do when it detects a threat, and how long quarantined files should be retained in the quarantine folder
-keywords: remediation, fix, remove, threats, quarantine, scan, restore
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium Previously updated : 06/06/2023 Last updated : 09/06/2023
search.appverid: met150
**Platforms** - Windows
-When Microsoft Defender Antivirus runs a scan, it attempts to remediate or remove threats that are detected. You can configure how Microsoft Defender Antivirus should address certain threats, whether a restore point should be created before remediating, and when threats should be removed.
+When Microsoft Defender Antivirus runs a scan, it attempts to remediate or remove threats that are detected. Remediation actions can include removing a file, sending it to quarantine, or allowing it to remain. This article includes information and links to resources about specifying what actions should be taken when threats are detected on devices. You can choose from several methods, such as:
-This article describes how to configure these settings by using Group Policy, but you can also use [Microsoft Endpoint Configuration Manager](/configmgr/protect/deploy-use/endpoint-antimalware-policies#threat-overrides-settings) and [Microsoft Intune](/intune/device-restrictions-configure).
+- [Microsoft Intune](#configure-remediation-options-using-intune)
+- [Microsoft Configuration Manager](#configure-remediation-options-using-configuration-manager)
+- [Group Policy](#configure-remediation-options-using-group-policy)
+- [PowerShell or Windows Management Instrumentation (WMI)](#configure-remediation-options-using-powershell-or-wmi)
-You can also use the [`Set-MpPreference` PowerShell cmdlet](/powershell/module/defender/set-mppreference) or [`MSFT_MpPreference` WMI class](/previous-versions/windows/desktop/defender/windows-defender-wmiv2-apis-portal) to configure these settings.
+> [!IMPORTANT]
+> Microsoft Defender Antivirus detects and remediates files based on many factors. Sometimes, completing a remediation requires a reboot. Even if the detection is later determined to be a false positive, the reboot must be completed to ensure all additional remediation steps have been completed.
+>
+> If you are certain Microsoft Defender Antivirus quarantined a file based on a false positive, you can restore the file from quarantine after the device reboots. See [Restore quarantined files in Microsoft Defender Antivirus](restore-quarantined-files-microsoft-defender-antivirus.md). To avoid this problem in the future, you can exclude files from the scans. See [Configure and validate exclusions for Microsoft Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md).
-## Configure remediation options
+Also see [Configure remediation-required scheduled full Microsoft Defender Antivirus scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md#remed) for more remediation-related settings.
-1. On your Group Policy management computer, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
+## Configure remediation options using Intune
-2. In the **Group Policy Management Editor** go to **Computer configuration** and select **Administrative templates**.
+1. As a global or security administrator, go to the [Intune admin center](https://intune.microsoft.com/) and sign in.
-3. Expand the tree to **Windows components** \> **Microsoft Defender Antivirus**.
+2. Under **Manage**, choose **Antivirus**.
-4. Using the table below, select a location, and then edit the policy as needed.
+3. Either create a new policy, or edit an existing policy using the following settings:
-5. Select **OK**.
+ - Platform: **Windows 10, Windows 11, and Windows Server**
+ - Profile: **Microsoft Defender Antivirus**
-|Setting|Description|Default setting (if not configured)|
-||||
-|Scan <br/>Create a system restore point.|A system restore point is created each day before cleaning or scanning is attempted. |Disabled|
-|Scan<br/>Turn on removal of items from scan history folder.|Specify how many days items should be kept in the scan history.|30 days|
-|Root<br/>Turn off routine remediation.|Specify whether Microsoft Defender Antivirus automatically remediates threats, or whether to prompt the user.|Disabled. Threats are remediated automatically.|
-|Quarantine<br/>Configure removal of items from Quarantine folder.|Specify how many days items should be kept in quarantine before being removed.|Items are kept in the quarantine folder indefinitely and are not automatically removed. |
-|Threats<br/>Specify threat alert levels at which default action should not be taken when detected.|Every threat that is detected by Microsoft Defender Antivirus is assigned a threat level (low, medium, high, or severe). You can use this setting to define how all threats for each of the threat levels should be remediated (quarantined, removed, or ignored). |Not applicable|
-|Threats<br/>Specify threats upon which default action should not be taken when detected.|Specify how specific threats (using their threat ID) should be remediated. You can specify whether the specific threat should be quarantined, removed, or ignored.|Not applicable|
+4. For configuration settings, expand **Defender**, scroll down to **Allow On Access Protection**. and set it to **Allowed**.
-> [!IMPORTANT]
-> Microsoft Defender Antivirus detects and remediates files based on many factors. Sometimes, completing a remediation requires a reboot. Even if the detection is later determined to be a false positive, the reboot must be completed to ensure all additional remediation steps have been completed.
->
-> If you are certain Microsoft Defender Antivirus quarantined a file based on a false positive, you can restore the file from quarantine after the device reboots. See [Restore quarantined files in Microsoft Defender Antivirus](restore-quarantined-files-microsoft-defender-antivirus.md). To avoid this problem in the future, you can exclude files from the scans. See [Configure and validate exclusions for Microsoft Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md).
+5. Under **Allow On Access Protection**, select a remediation action for each level:
-Also see [Configure remediation-required scheduled full Microsoft Defender Antivirus scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md#remed) for more remediation-related settings.
+ - High severity threats
+ - Severe threats
+ - Moderate severity threats
+ - Low severity threats
+
+6. Specify the device groups that should receive this policy (such as **All Devices**).
+
+7. Review your settings, and then choose **Save**.
+
+For more information about antivirus policies in Intune, see [Antivirus policy for endpoint security in Intune](/mem/intune/protect/endpoint-security-antivirus-policy).
-> [!TIP]
-> If you're looking for Antivirus related information for other platforms, see:
-> - [Set preferences for Microsoft Defender for Endpoint on macOS](mac-preferences.md)
-> - [Microsoft Defender for Endpoint on Mac](microsoft-defender-endpoint-mac.md)
-> - [macOS Antivirus policy settings for Microsoft Defender Antivirus for Intune](/mem/intune/protect/antivirus-microsoft-defender-settings-macos)
-> - [Set preferences for Microsoft Defender for Endpoint on Linux](linux-preferences.md)
-> - [Microsoft Defender for Endpoint on Linux](microsoft-defender-endpoint-linux.md)
-> - [Configure Defender for Endpoint on Android features](android-configure.md)
-> - [Configure Microsoft Defender for Endpoint on iOS features](ios-configure-features.md)
+## Configure remediation options using Configuration Manager
+
+If you're using Configuration Manager, see the following articles:
+
+- [Configure Endpoint Protection in Configuration Manager](/mem/configmgr/protect/deploy-use/endpoint-protection-configure)
+- [Default Actions Settings](/mem/configmgr/protect/deploy-use/endpoint-antimalware-policies#default-actions-settings)
+
+## Configure remediation options using Group Policy
+
+1. On your Group Policy management computer, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), and edit the Group Policy Object you want to configure.
+
+2. In the **Group Policy Management Editor**, go to **Computer configuration** and then select **Administrative templates**.
+
+3. Expand the tree to **Windows components** \> **Microsoft Defender Antivirus**.
+
+4. Using the following table, edit the policy as needed.
+
+ |Setting|Description|Default setting (if not configured)|
+ ||||
+ |Scan <br/>Create a system restore point.|A system restore point is created each day before cleaning or scanning is attempted. |Disabled|
+ |Scan<br/>Turn on removal of items from scan history folder.|Specify how many days items should be kept in the scan history.|30 days|
+ |Root<br/>Turn off routine remediation.|Specify whether Microsoft Defender Antivirus automatically remediates threats, or whether to prompt the user.|Disabled. Threats are remediated automatically.|
+ |Quarantine<br/>Configure removal of items from Quarantine folder.|Specify how many days items should be kept in quarantine before being removed.|Items are kept in the quarantine folder indefinitely and aren't automatically removed. |
+ |Threats<br/>Specify threat alert levels at which default action shouldn't be taken when detected.|Every threat that is detected by Microsoft Defender Antivirus is assigned a threat level (low, medium, high, or severe). You can use this setting to define how all threats for each of the threat levels should be remediated (quarantined, removed, or ignored). |Not applicable|
+ |Threats<br/>Specify threats upon which default action shouldn't be taken when detected.|Specify how specific threats (using their threat ID) should be remediated. You can specify whether the specific threat should be quarantined, removed, or ignored.|Not applicable|
+
+5. Select **OK**.
+
+## Configure remediation options using PowerShell or WMI
+
+You can also use the [`Set-MpPreference` PowerShell cmdlet](/powershell/module/defender/set-mppreference) or [`MSFT_MpPreference` WMI class](/previous-versions/windows/desktop/defender/windows-defender-wmiv2-apis-portal) to configure these settings.
## See also -- [Exclusions for Microsoft Defender for Endpoint and Microsoft Defender Antivirus](defender-endpoint-antivirus-exclusions.md)-- [Configure Microsoft Defender Antivirus scanning options](configure-advanced-scan-types-microsoft-defender-antivirus.md)-- [Configure scheduled Microsoft Defender Antivirus scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md)-- [Configure and run on-demand Microsoft Defender Antivirus scans](run-scan-microsoft-defender-antivirus.md)-- [Configure the notifications that appear on endpoints](configure-notifications-microsoft-defender-antivirus.md)-- [Configure end-user Microsoft Defender Antivirus interaction](configure-end-user-interaction-microsoft-defender-antivirus.md)-- [Customize, initiate, and review the results of Microsoft Defender Antivirus scans and remediation](customize-run-review-remediate-scans-microsoft-defender-antivirus.md)-- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
+- [Microsoft Defender for Endpoint on Mac](microsoft-defender-endpoint-mac.md)
+- [Microsoft Defender for Endpoint on Linux](microsoft-defender-endpoint-linux.md)
+- [Configure Defender for Endpoint on Android features](android-configure.md)
+- [Configure Microsoft Defender for Endpoint on iOS features](ios-configure-features.md)
+ [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../../includes/defender-mde-techcommunity.md)]
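Review bot: Step 4 of the new Intune procedure has a stray period in the middle of the sentence ("scroll down to **Allow On Access Protection**. and set it to **Allowed**"); remove it. Step 5 then lists the levels as High, Severe, Moderate, Low, which is neither ascending nor descending, and uses "Moderate" where the Group Policy table in the same change says "low, medium, high, or severe"; order the list by severity and use one term for the middle level. Step 5 also places the per-severity remediation actions under **Allow On Access Protection**, the same setting step 4 just set to **Allowed**, so confirm that this is where the admin center shows them. Finally, the removed TIP linked to `mac-preferences.md`, `linux-preferences.md` and the Intune macOS settings article, and the new **See also** list does not carry those three over; restore them if the drop was not intended.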
security Device Health Microsoft Defender Antivirus Health https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/device-health-microsoft-defender-antivirus-health.md
Title: Device health Microsoft Defender Antivirus health report description: Use the Microsoft Defender Antivirus report to track antivirus status and Microsoft Defender Antivirus engine, intelligence, and platform versions.
-keywords: Microsoft Defender Antivirus report, engine version, intelligence version, and platform versions, antivirus
-search.product: eADQiWindows 10XVcnh
search.appverid: met150
-ms.sitesec: library
-ms.pagetype: security
localization_priority: Normal
Following are up-to-date definitions for engine and platform:
| The engine/platform on the device is considered: | Situation | |:|:|
-| **up to date** | If the device communicated with the Defender report event ('Signature refresh time') within last seven days, and the Engine or Platform version build time is within last 60 days. |
-| **out-of-date** | If the device communicated with the Defender report event ('Signature refresh time') within last seven days, but Engine or Platform version build time is older than 60 days. |
+| **up to date** | If the device communicated with the Defender report event ('Signature refresh time') within last seven days, and the Engine or Platform build version is greater than or equal to (`>=`) the most recent monthly release version. |
+| **out-of-date** | If the device communicated with the Defender report event ('Signature refresh time') within last seven days, but Engine or Platform build version is less than (`<`) the most recent monthly release version. |
| **unknown (no data available)** | If the device hasn't communicated with the report event ('Signature refresh time') for more than seven days. | Following is the definitions for up-to-date security intelligence:
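Review bot: Both new rows say "Engine or Platform build version", so a device whose engine is current but whose platform is behind satisfies the **up to date** row (engine `>=`) and the **out-of-date** row (platform `<`) at the same time. State whether both components must meet the monthly release for **up to date**, for example "Engine and Platform" in the first row and "Engine or Platform" only in the second. "The most recent monthly release version" is also left undefined here; link to where that version is published so the comparison can be checked.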
security Enable Troubleshooting Mode https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/enable-troubleshooting-mode.md
Title: Get started with troubleshooting mode in Microsoft Defender for Endpoint description: Turn on the Microsoft Defender for Endpoint troubleshooting mode to address various antivirus issues.
-search.product: eADQiWindows 10XVcnh
search.appverid: met150
- tier2 Previously updated : 04/18/2023 Last updated : 09/06/2023 # Get started with troubleshooting mode in Microsoft Defender for Endpoint
During troubleshooting mode, you can use the PowerShell command `Set-MPPreferenc
- Admins can also review the changes in settings that take place during Troubleshooting mode in **Event Viewer** on the device page. -- Troubleshooting mode automatically turns off after reaching the expiration time (it lasts for 3 hours). After expiration, all policy-managed configurations become read-only again and revert back to how the device was configured before enabling troubleshooting mode.
+- Troubleshooting mode automatically turns off after reaching the expiration time (it lasts for 4 hours). After expiration, all policy-managed configurations become read-only again and revert back to how the device was configured before enabling troubleshooting mode.
- It could take up to 15 minutes from the time the command is sent from Microsoft 365 Defender to when it becomes active on the device.
DeviceEvents
```kusto DeviceEvents
-| where Timestamp > ago(3h) // troubleshooting mode automatically disables after 3 hours
+| where Timestamp > ago(3h) // troubleshooting mode automatically disables after 4 hours
| where ActionType == "AntivirusTroubleshootModeEvent" | extend _tsmodeproperties = parse_json(AdditionalFields) | where _tsmodeproperties.TroubleshootingStateChangeReason contains "started"
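Review bot: The `+` line updates only the comment to "after 4 hours" while the filter itself is still `Timestamp > ago(3h)`, so the query and its comment now disagree. With a 4-hour troubleshooting window, a device that entered troubleshooting mode between 3 and 4 hours ago is still in that mode but falls outside this lookback and is missed. Change the filter to `ago(4h)` to match the new expiration time stated in the bullet above, or reword the comment to explain why a 3-hour lookback is intended.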
security Enable Update Mdav To Latest Ws https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/enable-update-mdav-to-latest-ws.md
ms.mktglfcycl: deploy
ms.sitesec: library ms.pagetype: security -+ ms.localizationpriority: high Last updated 02/16/2023
security Mac Support Sys Ext https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-support-sys-ext.md
ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security--++ ms.localizationpriority: medium audience: ITPro
Last updated 06/07/2023
- [Microsoft Defender for Endpoint Plan 2](defender-endpoint-plan-1-2.md) - [Microsoft 365 Defender](../defender/microsoft-365-defender.md)
-> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/get-started/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https%3a%2f%2faka.ms%2fMDEp2OpenTrial%3focid%3ddocs-wdatp-exposedapis-abovefoldlink&brandingId=28b276fb-d2a0-4379-a7c0-57dce33da0f9&ali=1&bac=1&signedinuser=v-smandalika%40microsoft.com)
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/get-started/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https%3a%2f%2faka.ms%2fMDEp2OpenTrial%3focid%3ddocs-wdatp-exposedapis-abovefoldlink&brandingId=28b276fb-d2a0-4379-a7c0-57dce33da0f9&ali=1&bac=1)
You can submit feedback by opening Microsoft Defender for Endpoint on Mac on your device and by navigating to **Help > Send feedback**.
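Review bot: The removed `signedinuser=v-smandalika%40microsoft.com` parameter on the `-` line put an individual account address into a public trial link, so removing it is right, but the fix here covers only this one article. Search the repository for `signedinuser=` and clean any other copies of this link in the same change. The remaining query string on the `+` line still ends in `&ali=1&bac=1`; check whether those came from the same signed-in session and can be dropped as well.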
security Manage Profiles Approve Sys Extensions Intune https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-profiles-approve-sys-extensions-intune.md
ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security--++ ms.localizationpriority: medium audience: ITPro
security Manage Sys Extensions Manual Deployment https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-sys-extensions-manual-deployment.md
ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security--++ ms.localizationpriority: medium audience: ITPro
security Manage Sys Extensions Other Mdm https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-sys-extensions-other-mdm.md
ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security--++ ms.localizationpriority: medium audience: ITPro
security Manage Sys Extensions Using Jamf https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-sys-extensions-using-jamf.md
ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security--++ ms.localizationpriority: medium audience: ITPro
security Microsoft Defender Antivirus Compatibility https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-compatibility.md
description: Learn about Microsoft Defender Antivirus with other security produc
ms.localizationpriority: medium Previously updated : 09/01/2023 Last updated : 09/06/2023
Whether Microsoft Defender Antivirus runs in active mode, passive mode, or is di
- Which version of Windows is installed on an endpoint - Whether Microsoft Defender Antivirus is the primary antivirus/antimalware solution on the endpoint - Whether the endpoint is onboarded to Defender for Endpoint-- Whether Smart App Control is turned on or is in evaluation mode. (See [What is Smart App Control](https://support.microsoft.com/topic/what-is-smart-app-control-285ea03d-fa88-4d56-882e-6698afdb7003)?) The following table summarizes the state of Microsoft Defender Antivirus in several scenarios.
-|Antivirus/antimalware solution | Onboarded to Defender for Endpoint? | Smart App Control State | Microsoft Defender Antivirus state |
+| Antivirus/antimalware solution | Onboarded to Defender for Endpoint? | Microsoft Defender Antivirus state | Smart App Control State |
|||||
-| Microsoft Defender Antivirus | Yes | N/A <br/>Smart App Control is a consumer-only product | Active mode |
-| Microsoft Defender Antivirus | No | Off or Evaluation | Active mode |
-| Microsoft Defender Antivirus | No | On | Passive mode (automatically) |
-| A non-Microsoft antivirus/antimalware solution | Yes | N/A <br/>Smart App Control is a consumer-only product | Passive mode (automatically) |
-| A non-Microsoft antivirus/antimalware solution | No | Evaluation or On | Passive mode (automatically) |
+| Microsoft Defender Antivirus | Yes | Active mode | N/A |
+| Microsoft Defender Antivirus | No | Active mode | On, Evaluation, or Off |
+| A non-Microsoft antivirus/antimalware solution | Yes | Passive mode (automatically) | N/A |
+| A non-Microsoft antivirus/antimalware solution | No | Disabled (automatically) | Evaluation or On |
+
+> [!NOTE]
+> Smart App Control is a consumer-only product that's used on new Windows 11 installs. It can run alongside your antivirus software and block apps that are considered to be malicious or untrusted. [Learn more about Smart App Control](https://support.microsoft.com/topic/what-is-smart-app-control-285ea03d-fa88-4d56-882e-6698afdb7003).
## Windows Server and passive mode
Defender for Endpoint affects whether Microsoft Defender Antivirus can run in pa
1. In general, when Microsoft Defender Antivirus is in passive mode, real-time protection doesn't provide any blocking or enforcement, even though it's enabled and in passive mode.
-2. When Microsoft Defender Antivirus is in passive mode, scans aren't scheduled. If scans *are* scheduled in your configuration, the schedule is ignored. However, catchup scans continue to occur unless they are disabled. Scan tasks that are set up in Windows Task Scheduler continue to run according to their schedule. If you have scheduled tasks, you can remove them, if preferred.
+2. When Microsoft Defender Antivirus is in passive mode, scans aren't scheduled. If scans *are* scheduled in your configuration, the schedule is ignored. However, catchup scans continue to occur unless they're disabled. Scan tasks that are set up in Windows Task Scheduler continue to run according to their schedule. If you have scheduled tasks, you can remove them, if preferred.
3. When Microsoft Defender Antivirus is in passive mode, it doesn't remediate threats. However, [Endpoint detection and response (EDR) in block mode](edr-in-block-mode.md) can remediate threats. In this case, you might see alerts showing Microsoft Defender Antivirus as a source, even when Microsoft Defender Antivirus is in passive mode.
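Review bot: In the state table, the change does more than reorder the columns. The row for a non-Microsoft antivirus/antimalware solution that is not onboarded goes from `Passive mode (automatically)` to `Disabled (automatically)`, and the old row `Microsoft Defender Antivirus | No | On | Passive mode (automatically)` is folded into one `Active mode` row covering On, Evaluation, or Off. Both are behaviour statements that admins plan coexistence around, so the commit description should state that they are corrections rather than formatting. The bullet list above the table still lists Smart App Control as a factor that determines the antivirus state, while the added note calls it consumer-only, so align that list with the new table.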
security Windows Whatsnew https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/windows-whatsnew.md
ms.mktglfcycl: secure ms.sitesec: library ms.pagetype: security--++ ms.localizationpriority: medium Last updated 05/14/2023
security M365d Time Zone https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/m365d-time-zone.md
Microsoft 365 Defender can display date and time information using either your l
- Advanced hunting results - Identity timeline
-To set the time zone for these features, go to **Settings** > **Microsoft 365 Defender** > **Time zone**.
+To set the time zone for these features, go to **Settings** > **Security center** > **Time zone**
> [!NOTE] > The custom time range filter in advanced hunting remains in UTC regardless of the time zone setting.
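Review bot: The new navigation line `**Settings** > **Security center** > **Time zone**` drops the closing period the old line had, and it renames the middle step to "Security center" while the surrounding text still calls the product Microsoft 365 Defender. Restore the period and confirm the label matches what the portal's Settings page shows.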
security Responding To A Compromised Email Account https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/responding-to-a-compromised-email-account.md
Title: Responding to a Compromised Email Account f1.keywords: - NOCSH
+ - Hijacked account
+ - Hacked account
+ - Compromised account