Updates from: 07/27/2021 03:10:33
Category Microsoft Docs article Related commit history on GitHub Change details
business-video Get Help Support https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business-video/get-help-support.md
Start by [checking the current health of your services](../enterprise/view-servi
Save time by starting your service request online. We'll help you find a solution or connect you to technical support.
-1. Go to the admin center at <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">https://admin.microsoft.com</a>. If you get a message that says you don't have permission to access this page or perform this action, then you aren't an admin. (For more information, see [Who has admin permissions in my business?](admin-center-overview.md#who-has-admin-permissions-in-my-business).)
+1. Go to the admin center at <a href="https://go.microsoft.com/fwlink/p/?linkid=2166757" target="_blank">https://admin.microsoft.com</a>. If you get a message that says you don't have permission to access this page or perform this action, then you aren't an admin. (For more information, see [Who has admin permissions in my business?](admin-center-overview.md#who-has-admin-permissions-in-my-business).)
-2. Select the **Need help?** button.
+1. If the results don't help, select **Contact support**.
-3. In the **Need help?** pane, tell us what you need help with, and then press **Enter**.
-
-4. If the results don't help, select **Contact support**.
-
-5. Enter a description of your issue, confirm your contact number and email address, select your preferred contact method, and then select **Contact me**. The expected wait time is indicated in the **Need help?** pane.
+1. Enter a description of your issue, confirm your contact number and email address, select your preferred contact method, and then select **Contact me**. The expected wait time is indicated in the **Need help?** pane.
## Phone support
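Review bot: the rewritten step list loses its antecedent: with the "Need help?" button and pane steps removed, the step "If the results don't help, select **Contact support**" refers to results that no remaining step produces, and the last step still says the wait time is shown in the **Need help?** pane, which the procedure never opens. Either keep one step that opens the **Need help?** pane and enters the search, or reword to "If the suggested articles don't resolve the issue, select **Contact support**" and drop the pane reference from the final step. Also note that this change moves the admin center link to linkid=2166757 while the new lang-service-health.md in this same batch still links linkid=2024339 for the same destination; use one fwlink.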
compliance App Governance Get Started https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/app-governance-get-started.md
If you did not participate in private preview and would like to cancel your tria
1. Navigate to the app governance trial, click the three dots, and select **Cancel subscription**. 1. In the resulting fly-out pane, provide a reason for cancellation, any additional feedback, and select **Cancel subscription**. 1. Select **Cancel subscription** in the resulting pop up screen. Your trial is cancelled, you will lose access to app governance, and your app governance data will be deleted (log data that is used to create the app governance insights and detections - no emails or other files will be affected).+
+## Known issues for the public preview
+
+The app governance team has identified the following known issues for the preview:
+
+- 2-way sync between Microsoft Defender and app governance alerts ΓÇô currently alerts resolved in Defender will have to be manually resolved in app governance as well.
+- Priority accounts insights in App Users and Usage tabs will not work as expected for certain users.
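Review bot: the first known-issue bullet contains the mis-encoded sequence "ΓÇô" where an en dash was intended (as displayed here); replace it with a plain hyphen or colon so it renders regardless of encoding. Because the bullet states that alerts resolved in Defender must be resolved manually in app governance as well, add one sentence telling analysts to close the matching app governance alert as part of their resolution step, otherwise the app governance queue shows stale open alerts until the sync issue is fixed.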
compliance Classifier Learn About https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/classifier-learn-about.md
Last updated
audience: Admin
-localization_priority: None
+localization_priority: Normal
- M365-security-compliance - m365solution-mip
search.appverid: - MOE150 - MET150
-description: "A Microsoft 365 trainable classifier is a tool you can train to recognize various types of content by giving it positive and negative samples to look at. Once the classifier is trained, you confirm that its results are accurate. Then you use it to search through your organization's content and classify it to apply retention or sensitivity labels or include it in data loss prevention (DLP) or retention policies."
+description: "A Microsoft 365 trainable classifier is a tool you can train to recognize various types of content for labling or policy application by giving it positive and negative samples to look at."
# Learn about trainable classifiers
Microsoft 365 comes with five pre-trained classifiers:
- **Harassment**: detects a specific category of offensive language text items related to offensive conduct targeting one or multiple individuals based on the following traits: race, ethnicity, religion, national origin, gender, sexual orientation, age, disability - **Profanity**: detects a specific category of offensive language text items that contain expressions that embarrass most people - **Threat**: detects a specific category of offensive language text items related to threats to commit violence or do physical harm or damage to a person or property
+- **Discrimination**: detects explicit discriminatory language and is particularly sensitive to discriminatory language against the African American/Black communities when compared to other communities.
+
+> [!IMPORTANT]
+> The Discrimination trainable classifier is only available as public preview to customers whose Microsoft 365 tenants are homed in North America data centers. To see where your Microsoft 365 tenant is homed open the Microsoft 365 Admin center and navigate to **Settings** > **Org settings** > **Organizational profile** > **Data location**.
These appear in the **Microsoft 365 compliance center** > **Data classification** > **Trainable classifiers** view with the status of `Ready to use`. ![classifiers-pre-trained-classifiers](../media/classifiers-ready-to-use-classifiers.png) > [!IMPORTANT]
-> Please note that the offensive language, harassment, profanity, and threat classifiers only work with searchable text are not exhaustive or complete. Further, language and cultural standards continually change, and in light of these realities, Microsoft reserves the right to update these classifiers in its discretion. While the classifiers may assist your organization in monitoring offensive and other language used, the classifiers do not address consequences of such language and are not intended to provide your organization's sole means of monitoring or responding to the use of such language. Your organization, and not Microsoft or its subsidiaries, remains responsible for all decisions related to monitoring, enforcement, blocking, removal and retention of any content identified by a pre-trained classifier.
+> Please note the offensive language, harassment, profanity, discrimination, and threat classifiers only work with searchable text and are not an exhaustive or complete list of terms or language across these areas. Further, language and cultural standards continually change, and in light of these realities, Microsoft reserves the right to update these classifiers in its discretion. While classifiers may assist your organization in detecting these areas, classifiers are not intended to provide your organization's sole means of detecting or addressing the use of such language. Your organization, not Microsoft or its subsidiaries, remains responsible for all decisions related to monitoring, scanning, blocking, removal, and retention of any content identified by a pre-trained classifier, including compliance with local privacy and other applicable laws. Microsoft encourages consulting with legal counsel before deployment and use.
+ ### Custom classifiers
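Review bot: typo in the new description line: "labling" should be "labeling". The shortened description also drops what the classifier results are used for, which the removed text spelled out (apply retention or sensitivity labels, or include content in DLP or retention policies); "for labeling or policy application" is vaguer, so consider "to apply sensitivity or retention labels, or to include content in DLP or retention policies". In the rewritten IMPORTANT note, "Please note the offensive language, harassment, ... classifiers only work with searchable text and are not an exhaustive or complete list" is fine, but the new Discrimination bullet should also say it is preview-only in North America data centers in the bullet itself, not only in the separate IMPORTANT block, since the bullet list is what readers scan.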
compliance Insider Risk Management Activities https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/insider-risk-management-activities.md
Depending on the number and type of active insider risk management policies in y
To search the alert name for a specific word, select the **Search** control and type the word to search. The search results display any policy alert containing the word defined in the search.
+## Dismiss multiple alerts (preview)
+
+It may help save triage time for analysts and investigators to immediately dismiss multiple alerts at once. The **Dismiss alerts** command bar option allows you to select one or more alerts with a *Needs review* status on the dashboard and quickly dismiss these alerts as benign as appropriate in your triage process. You can select up to 400 alerts to dismiss at one time.
+
+To dismiss an insider risk alert, complete the following steps:
+
+1. In the [Microsoft 365 compliance center](https://compliance.microsoft.com), go to **Insider risk management** and select the **Alerts** tab.
+2. On the **Alerts dashboard**, select the alert (or alerts) with a *Needs review* status that you want to dismiss.
+3. On the Alerts command bar, select **Dismiss alerts**.
+4. On the **Dismiss alerts** detail pane, you can review the user and policy details associated with the selected alerts.
+5. Select **Dismiss alerts** to resolve the alerts as benign or select **Cancel** to close the details pane without dismissing the alerts.
+ ## Triage alerts To triage an insider risk alert, complete the following steps:
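Review bot: the new Dismiss alerts procedure does not say whether a dismissed alert can be reopened or whether bulk dismissal is recorded in the audit log; since up to 400 alerts can be resolved as benign in a single action, add a sentence on reversibility and auditing (or a link to where that is documented) so analysts understand the blast radius before using it. Also "quickly dismiss these alerts as benign as appropriate in your triage process" reads awkwardly; suggest "dismiss them as benign where your triage process allows".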
contentunderstanding Rename A Model https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/contentunderstanding/rename-a-model.md
Title: "Rename a model in Microsoft SharePoint Syntex"
+ Title: Rename a model in Microsoft SharePoint Syntex
- enabler-strategic - m365initiative-syntex localization_priority: Priority
-description: "Learn how and why to rename a model in Microsoft SharePoint Syntex."
+description: Learn how and why to rename a model in Microsoft SharePoint Syntex.
# Rename a model in Microsoft SharePoint Syntex
contentunderstanding Rename An Extractor https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/contentunderstanding/rename-an-extractor.md
Title: "Rename an extractor in Microsoft SharePoint Syntex"
+ Title: Rename an extractor in Microsoft SharePoint Syntex
- enabler-strategic - m365initiative-syntex localization_priority: Priority
-description: "Learn how and why to rename an extractor in Microsoft SharePoint Syntex."
+description: Learn how and why to rename an extractor in Microsoft SharePoint Syntex.
# Rename an extractor in Microsoft SharePoint Syntex
enterprise Lang Service Health https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/lang-service-health.md
+
+ Title: "Language translation for Service health dashboard"
+++
+audience: Admin
++
+localization_priority: Normal
+f1.keywords:
+- CSH
+
+- Adm_O365
+- 'O365P_ServiceHealthModern'
+- 'O365M_ServiceHealthModern'
+- 'O365E_ViewStatusServices'
+- 'O365E_ServiceHealthModern'
+- 'seo-marvel-apr2020'
+
+- Ent_O365
+- M365-subscription-management
+search.appverid:
+- MET150
+- MOE150
+- BCS160
+- IWA160
+description: "Service health dashboard posts are in English only but can be displayed automatically in the language you specify for Microsoft 365."
++
+# Language translation for Service health dashboard
+
+Service health dashboard posts are written in English-only due to the timeliness of the information we are posting, but can be automatically displayed in the language specified by your personal language settings for Microsoft 365. If you set your preferred language to anything other than English, you'll see an option in the Service health dashboard to automatically translate posts. The messages are machine translated to your preferred language, meaning that a computer did the translation. This option controls the default view, but you can also use the drop-down menu to translate and display posts in any of the languages we support for translation. If you select English, we'll revert the message to the original English version.
+
+## Before you begin
+
+> [!IMPORTANT]
+> Before you can choose your language settings, you have to set your preferred language. No translation options are shown when your language is set to English. You can't specify a preferred language for others, each person has to change this setting for themselves.
+
+## Set your preferred language
+
+1. Go to the Microsoft 365 admin center [https://admin.microsoft.com](https://go.microsoft.com/fwlink/p/?linkid=2024339), or home page, select the settings icon in the upper-right corner of the page.
+
+1. Under **Language and time zone**, select **View all** to show the available options. Select your desired language from the drop-down menu, and then select **Save**. Microsoft 365 will try to refresh and display the new language. If that doesn't happen immediately or if it seems that it's taking too long, you can either refresh your browser or sign out and then sign back in.
+
+## Machine translation in Service health dashboard
+
+When your preferred language isn't set to English, the translation options are available.
+
+To set Service health dashboard posts to automatically machine-translate and display in your preferred language, go to Health > Service health dashboard. You'll see a switch at the top of the view to toggle automatic translation on or off. When this setting is off, posts are shown in English. When this setting is on, messages display in your preferred language. The setting you choose will persist for each visit.
+
+## Related topics
+
+[How to check Microsoft 365 service health](view-service-health.md)
+
+[How to check Windows release health on admin center](/windows/deployment/update/check-release-health)
+
+[Message center Preferences](../admin/manage/message-center.md?preserve-view=true&view=o365-worldwide#preferences)
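Review bot: the admin center link in "Set your preferred language" uses fwlink linkid=2024339, while the get-help-support.md change in this same batch updates the same admin center link to linkid=2166757; align the two. Two grammar points in the new text: "Go to the Microsoft 365 admin center ..., or home page, select the settings icon" is missing a conjunction ("and then select the settings icon"), and "You can't specify a preferred language for others, each person has to change this setting for themselves" is a comma splice; use a period or semicolon. Since the page explains that posts are authored in English and translated by machine, consider stating plainly that the English text is the authoritative version when translated wording is ambiguous during an incident.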
enterprise View Service Health https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/view-service-health.md
The advisory or incident summary provides the following information:
### Translate service health details
-We use machine translation to automatically display messages in your preferred language. Read [Language translation for Message center posts](/microsoft-365/admin/manage/language-translation-for-message-center-posts) for more information on how to set your language.
+We use machine translation to automatically display messages in your preferred language. Read [Language translation for Service health dashboard](lang-service-health.md) for more information on how to set your language.
### Definitions
knowledge Create A Topic https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/knowledge/create-a-topic.md
Title: 'Create a new topic in Microsoft Viva Topics'
-description: 'How to create a new topic in Microsoft Viva Topics.'
--
+ Title: Create a new topic in Microsoft Viva Topics
++ audience: admin
search.appverid: localization_priority: Normal-
+description: Learn how to create a new topic in Microsoft Viva Topics.
knowledge Edit A Topic https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/knowledge/edit-a-topic.md
Title: Edit an existing topic in Microsoft Viva Topics- + audience: admin
Knowledge managers can also edit topics directly from the **Manage topics** page
You can change a suggested site to a pinned site by selecting the pinned icon. -
-<!
-
-7. The <b>Related sites</b> section shows sites that have information about the topic.
-
- ![Related sites section](../media/knowledge-management/related-sites.png)</br>
-
- You can add a related site by selecting <b>Add</b> and then either searching for the site, or selecting it from your list of Frequent or Recent sites.</br>
-
- ![Select a site](../media/knowledge-management/sites.png)</br>
-
-8. The <b>Related topics</b> section shows connections that exists between topics. You can add a connection to a different topic by selecting the <b>Connect to a related topic</b> button, and then typing the name of the related topic, and selecting it from the search results.
-
- ![Related topics section](../media/knowledge-management/related-topic.png)</br>
-
- You can then give a description of how the topics are related, and select <b>Update</b>.</br>
-
- ![Related topics description](../media/knowledge-management/related-topics-update.png)</br>
-
- The related topic you added will display as a connected topic.
-
- ![Related topics connected](../media/knowledge-management/related-topics-final.png)</br>
-
- To remove a related topic, select the topic you want to remove, then select the <b>Remove topic</b> icon.</br>
-
- ![Remove related topic](../media/knowledge-management/remove-related.png)</br>
-
- Then select <b>Remove</b>.</br>
-
- ![Confirm remove](../media/knowledge-management/remove-related-confirm.png)</br>
-
->
-
-9. You can also add static items to the page ΓÇö such as text, images, or links - by selecting the canvas icon, which you can find below the short description. Selecting it will open the SharePoint toolbox from which you can choose the item you want to add to the page.
+9. You can also add static items to the page ΓÇö such as text, images, or links ΓÇö by selecting the canvas icon, which you can find below the short description. Selecting it will open the SharePoint toolbox from which you can choose the item you want to add to the page.
![Screenshot showing the Canvas icon.](../media/knowledge-management/webpart-library.png) - 10. Select **Publish** or **Republish** to save your changes. **Republish** will be your available option if the topic has been published previously.
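Review bot: deleting the commented-out steps 7 and 8 (Related sites and Related topics) leaves the remaining items numbered 9 and 10 directly after step 6 in the source; most renderers will renumber, but renumbering in the source avoids confusing the next editor. Check whether the images the removed block referenced (related-sites.png, sites.png, related-topic.png, related-topics-update.png, related-topics-final.png, remove-related.png and remove-related-confirm.png under ../media/knowledge-management/) are still referenced elsewhere; if not, remove them in the same change so the repo does not carry orphaned media. The edited step 9 line shows "ΓÇö" where an em dash is intended (as displayed here); verify the file is saved as UTF-8.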
knowledge Get Started With Viva Topics https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/knowledge/get-started-with-viva-topics.md
Title: "Get started with Microsoft Viva Topics"--
+ Title: Get started with Microsoft Viva Topics
++ audience: admin search.appverid: localization_priority: None
-description: "Learn about Viva Topics."
+description: Learn about new ways to discover and explore information in Microsoft Viva Topics.
# Get started with Microsoft Viva Topics
How do you find the people and resources important to your work? When you share
Viva Topics empowers you to:
-1. Discover important topics highlighted in content.
+- Discover important topics highlighted in content.
-2. Find people and content connected to important topics.
-
-3. Improve the network by adding topic definitions, editing connections, and more.
+- Find people and content connected to important topics.
+- Improve the network by adding topic definitions, editing connections, and more.
## Discover important topics highlighted in related content
-As you read content stored in Microsoft 365, topics will be highlighted inline. When you hover over the topic name, youΓÇÖll see more information shown in a topic card. You may see a prompt to provide feedback on topic cards and topic pages. When you give feedback on topics, you improve the experience for yourself and others.
+As you read content stored in Microsoft 365, topics will be highlighted inline. When you hover over the topic name, youΓÇÖll see more information shown in a topic card. You might see a prompt to provide feedback on topic cards and topic pages. When you give feedback on topics, you improve the experience for yourself and others.
Topics will introduce topic highlights gradually across the service. At first, youΓÇÖll see highlights in SharePoint news and pages. - ## Find people and content connected to important topics
-Topic cards provide a summary of the information on a topic. The description, people, and resources shown may have been automatically identified. Select the topic name to see the full information on the topic, including the associated people and resources.
-
-Only the resources that have been shared with you will be shown to you. Others may see a different summary or may not see the topic highlighted if the resources haven't been shared with them.
--
+Topic cards provide a summary of the information on a topic. The description, people, and resources shown might have been automatically identified. Select the topic name to see the full information on the topic, including the associated people and resources.
-## Improve the network by adding topic definitions, editing connections and more
+Only the resources that have been shared with you will be shown to you. Others might see a different summary or might not see the topic highlighted if the resources haven't been shared with them.
-Topic pages provide the full detail on a topic and can be curated by anyone designated by your organization. While the topic card shows only two people and resources, youΓÇÖll see the full list on the topic page. Edit the page to improve the description or update the connections to people and resources. While everyone can provide feedback to improve the network, your organization may restrict who can edit topics directly. Only people who the resources have been shared with will see the topics and resources.
+## Improve the network by adding topic definitions, editing connections, and more
+Topic pages provide the full detail on a topic and can be curated by anyone designated by your organization. While the topic card shows only two people and resources, youΓÇÖll see the full list on the topic page. Edit the page to improve the description or update the connections to people and resources. While everyone can provide feedback to improve the network, your organization might restrict who can edit topics directly. Only people who the resources have been shared with will see the topics and resources.
## See also [Microsoft Viva Topics overview](topic-experiences-overview.md)</br>
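Review bot: in the rewritten "Improve the network" paragraph, "Only people who the resources have been shared with will see the topics and resources" repeats the access statement already made under "Find people and content" ("Only the resources that have been shared with you will be shown to you"); if both stay, reword the second to "Only people with whom the resources have been shared will see the topics and resources" so the sharing-scoped visibility rule is stated cleanly. The switch from a numbered list to bullets is correct since the three items are not sequential steps.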
lighthouse M365 Lighthouse Sign Up https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lighthouse/m365-lighthouse-sign-up.md
description: "For Managed Service Providers (MSPs), learn how to sign up for Mic
1. Select **Buy**. > [!NOTE]
- > Microsoft 365 Lighthouse requires one license for the tenant. No additional per-user licenses are required.
+ > Microsoft 365 Lighthouse requires one license for the partner tenant only. No additional per-user licenses are required for the partner, and no Microsoft 365 Lighthouse licenses are required in any customer tenant.
To verify that Microsoft 365 Lighthouse was successfully added to your tenant, look for Microsoft 365 Lighthouse under **Billing > Your Products** in the Microsoft 365 admin center.
description: "For Managed Service Providers (MSPs), learn how to sign up for Mic
## Related content [Overview of Microsoft 365 Lighthouse](m365-lighthouse-overview.md) (article)\
-[Microsoft 365 Lighthouse FAQ](m365-lighthouse-faq.yml) (article)
+[Microsoft 365 Lighthouse FAQ](m365-lighthouse-faq.yml) (article)
security TOC https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/TOC.md
#### [Cloud-delivered protection and Microsoft Defender Antivirus](cloud-protection-microsoft-defender-antivirus.md) ##### [Turn on cloud-delivered protection](enable-cloud-protection-microsoft-defender-antivirus.md) ##### [Specify the cloud-delivered protection level](specify-cloud-protection-level-microsoft-defender-antivirus.md)
+##### [Cloud-delivered protection Microsoft Defender Antivirus sample submission](cloud-protection-microsoft-antivirus-sample-submission.md)
#### [Configure and validate Microsoft Defender Antivirus network connections](configure-network-connections-microsoft-defender-antivirus.md) #### [Protect security settings with tamper protection](prevent-changes-to-security-settings-with-tamper-protection.md) #### [Turn on block at first sight](configure-block-at-first-sight-microsoft-defender-antivirus.md)
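Review bot: the new TOC entry targets cloud-protection-microsoft-antivirus-sample-submission.md, while the sibling entries on the surrounding lines follow the ...-microsoft-defender-antivirus.md naming pattern; confirm the target file name is exactly that (without "defender"), otherwise the TOC link breaks in the build. The entry title "Cloud-delivered protection Microsoft Defender Antivirus sample submission" also lacks a connector; "Cloud-delivered protection and sample submission in Microsoft Defender Antivirus" reads better.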
security Access Mssp Portal https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/access-mssp-portal.md
ms.technology: mde
> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-mssp-support-abovefoldlink)
->[!NOTE]
->These set of steps are directed towards the MSSP.
+> [!NOTE]
+> These set of steps are directed towards the MSSP.
By default, MSSP customers access their Microsoft 365 Defender tenant through the following URL: `https://securitycenter.windows.com/`.
-
-MSSPs however, will need to use a tenant-specific URL in the following format: `https://securitycenter.windows.com?tid=customer_tenant_id` to access the MSSP customer portal.
+
+MSSPs however, will need to use a tenant-specific URL in the following format: `https://securitycenter.windows.com?tid=customer_tenant_id` to access the MSSP customer portal.
In general, MSSPs will need to be added to each of the MSSP customer's Azure AD that they intend to manage. Use the following steps to obtain the MSSP customer tenant ID and then use the ID to access the tenant-specific URL:
-1. As an MSSP, log in to Azure AD with your credentials.
+1. As an MSSP, log in to Azure AD with your credentials.
2. Switch directory to the MSSP customer's tenant.
-3. Select **Azure Active Directory > Properties**. You'll find the tenant ID in the Directory ID field.
+3. Select **Azure Active Directory > Properties**. You'll find the tenant ID in the Directory ID field.
4. Access the MSSP customer portal by replacing the `customer_tenant_id` value in the following URL: `https://securitycenter.windows.com/?tid=customer_tenant_id`. - ## Related topics+ - [Grant MSSP access to the portal](grant-mssp-access.md) - [Configure alert notifications](configure-mssp-notifications.md) - [Fetch alerts from customer tenant](fetch-alerts-mssp.md)
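Review bot: the NOTE line is reformatted but its grammar is not fixed: "These set of steps are directed towards the MSSP" should be "This set of steps is directed at the MSSP". The tenant-specific URL appears in two forms on the same page ("securitycenter.windows.com?tid=customer_tenant_id" in the intro and "securitycenter.windows.com/?tid=customer_tenant_id" in step 4); use one form so readers copying it get a consistent result. Several of these lines change only trailing whitespace; a whitespace-only diff is fine but is worth calling out in the commit message so reviewers do not look for content changes.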
security Add Or Remove Machine Tags https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/add-or-remove-machine-tags.md
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
Adds or remove tag to a specific [Machine](machine.md).
2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour. - ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Defender for Endpoint APIs](apis-intro.md)
-Permission type | Permission | Permission display name
+Permission type|Permission|Permission display name
:|:|:
-Application | Machine.ReadWrite.All | 'Read and write all machine information'
-Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information'
+Application|Machine.ReadWrite.All|'Read and write all machine information'
+Delegated (work or school account)|Machine.ReadWrite|'Read and write machine information'
->[!Note]
+> [!NOTE]
> When obtaining a token using user credentials: >
->- The user needs to have at least the following role permission: 'Manage security setting'. For more (See [Create and manage roles](user-roles.md) for more information)
->- User needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups.md) for more information)
+> - The user needs to have at least the following role permission: 'Manage security setting'. For more (See [Create and manage roles](user-roles.md) for more information)
+> - User needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups.md) for more information)
## HTTP request
POST https://api.securitycenter.microsoft.com/api/machines/{id}/tags
## Request headers
-Name | Type | Description
+Name|Type|Description
:|:|:
-Authorization | String | Bearer {token}. **Required**.
-Content-Type | string | application/json. **Required**.
+Authorization|String|Bearer {token}. **Required**.
+Content-Type|string|application/json. **Required**.
## Request body In the request body, supply a JSON object with the following parameters:
-Parameter | Type | Description
+Parameter|Type|Description
:|:|:
-Value | String | The tag name. **Required**.
-Action | Enum | Add or Remove. Allowed values are: 'Add' or 'Remove'. **Required**.
-
+Value|String|The tag name. **Required**.
+Action|Enum|Add or Remove. Allowed values are: 'Add' or 'Remove'. **Required**.
## Response
If successful, this method returns 200 - Ok response code and the updated Machin
## Example
-**Request**
+### Request
Here is an example of a request that adds machine tag.
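Review bot: the reformatted NOTE bullet still reads "For more (See [Create and manage roles](user-roles.md) for more information)", a duplicated "for more"; suggest "See [Create and manage roles](user-roles.md) for more information." The "Request" heading was promoted from bold to "### Request" under "## Example"; make sure the matching Response example gets the same heading level so the section structure is consistent. The intro context line "Adds or remove tag to a specific Machine" should read "Adds or removes a tag on a specific Machine".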
security Advanced Features https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/advanced-features.md
When you enable Intune integration, Intune will automatically create a classic C
> [!NOTE] > The classic CA policy created by Intune is distinct from modern [Conditional Access policies](/azure/active-directory/conditional-access/overview/), which are used for configuring endpoints. - ## Device discovery+ Helps you find unmanaged devices connected to your corporate network without the need for extra appliances or cumbersome process changes. Using onboarded devices, you can find unmanaged devices in your network and assess vulnerabilities and risks. For more information, see [Device discovery](device-discovery.md). > [!NOTE]
Learn about new features in the Defender for Endpoint preview release. Try upcom
You'll have access to upcoming features, which you can provide feedback on to help improve the overall experience before features are generally available.
+## Download quarantined files
+
+Backup quarantined files in a secure and compliant location so they can be downloaded directly from quarantine. The **Download file** button will always be available in the file page. This setting is turned on by default. [Learn more about requirements](respond-file-alerts.md#download-quarantined-files)
+ ## Related topics - [Update data retention settings](data-retention-settings.md)
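Review bot: the new "Download quarantined files" section says the setting is on by default and the **Download file** button is always available, but not which role or permission is needed to download a quarantined file, or whether the download is audited; since these are files that Defender Antivirus quarantined as malicious, state the required permission here (or say explicitly that the linked requirements section covers it) so admins can decide whether to keep the default. Also "Backup quarantined files" should be "Back up quarantined files" (verb form).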
security Advanced Hunting Devicealertevents Table https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/advanced-hunting-devicealertevents-table.md
ms.technology: mde
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
The `DeviceAlertEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about alerts in Microsoft Defender Security Center. Use this reference to construct queries that return information from the table. For information on other tables in the advanced hunting schema, see [the advanced hunting schema reference](advanced-hunting-schema-reference.md).
-| Column name | Data type | Description |
-|-|--|-|
-| `AlertId` | string | Unique identifier for the alert |
-| `Timestamp` | datetime | Date and time when the event was recorded |
-| `DeviceId` | string | Unique identifier for the device in the service |
-| `DeviceName` | string | Fully qualified domain name (FQDN) of the device |
-| `Severity` | string | Indicates the potential impact (high, medium, or low) of the threat indicator or breach activity identified by the alert |
-| `Category` | string | Type of threat indicator or breach activity identified by the alert |
-| `Title` | string | Title of the alert |
-| `FileName` | string | Name of the file that the recorded action was applied to |
-| `SHA1` | string | SHA-1 of the file that the recorded action was applied to |
-| `RemoteUrl` | string | URL or fully qualified domain name (FQDN) that was being connected to |
-| `RemoteIP` | string | IP address that was being connected to |
-| `AttackTechniques` | string | MITRE ATT&CK techniques associated with the activity that triggered the alert |
-| `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the `DeviceName` and `Timestamp` columns |
-| `Table` | string | Table that contains the details of the event |
+|Column name|Data type|Description|
+||||
+|`AlertId`|string|Unique identifier for the alert|
+|`Timestamp`|datetime|Date and time when the event was recorded|
+|`DeviceId`|string|Unique identifier for the device in the service|
+|`DeviceName`|string|Fully qualified domain name (FQDN) of the device|
+|`Severity`|string|Indicates the potential impact (high, medium, or low) of the threat indicator or breach activity identified by the alert|
+|`Category`|string|Type of threat indicator or breach activity identified by the alert|
+|`Title`|string|Title of the alert|
+|`FileName`|string|Name of the file that the recorded action was applied to|
+|`SHA1`|string|SHA-1 of the file that the recorded action was applied to|
+|`RemoteUrl`|string|URL or fully qualified domain name (FQDN) that was being connected to|
+|`RemoteIP`|string|IP address that was being connected to|
+|`AttackTechniques`|string|MITRE ATT&CK techniques associated with the activity that triggered the alert|
+|`ReportId`|long|Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the `DeviceName` and `Timestamp` columns|
+|`Table`|string|Table that contains the details of the event|
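Review bot: the new delimiter row `||||` drops the dashes; a pipe-table delimiter row needs at least one `-` per cell (`|---|---|---|`), so the row should keep them as the removed `|-|--|-|` did, or some renderers will emit the rows as plain text. The cell content is otherwise unchanged, so this is a formatting-only concern.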
## Related topics

- [Advanced hunting overview](advanced-hunting-overview.md)
- [Learn the query language](advanced-hunting-query-language.md)
- [Understand the schema](advanced-hunting-schema-reference.md)
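A worked query against the table described above, as an added example that is not part of the docs page. It assumes only the `DeviceAlertEvents` columns listed in the reference; the time window, the severity filter and the output column names are illustrative choices. It shows the point the `ReportId` description makes: because the counter repeats, events must be de-duplicated on `ReportId` + `DeviceName` + `Timestamp` before anything is counted.

```kusto
// Added example, not from the Microsoft docs page. Column names come from the
// DeviceAlertEvents reference; the 7-day window and "high" filter are assumptions.
DeviceAlertEvents
| where Timestamp > ago(7d)
| where Severity =~ "high"
// ReportId is a repeating counter, so one event per ReportId + DeviceName + Timestamp
| summarize take_any(AlertId, Title, Category, AttackTechniques, RemoteIP, RemoteUrl, SHA1)
    by ReportId, DeviceName, Timestamp
// Roll the de-duplicated events up per alert title to see what is firing most
| summarize AlertCount = dcount(AlertId),
            Devices = make_set(DeviceName, 50),
            Techniques = make_set(AttackTechniques, 20),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp)
    by Category, Title
| order by AlertCount desc
```

Paste the query into the advanced hunting editor; the first `summarize` collapses duplicate rows for the same event, and the second gives a per-title count with the devices and ATT&CK techniques involved, which is a convenient starting point for a custom detection rule.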
security Advanced Hunting Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/advanced-hunting-overview.md
ms.technology: mde
**Applies to:**

- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink)
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink)
Advanced hunting is a query-based threat-hunting tool that lets you explore up to 30 days of raw data. You can proactively inspect events in your network to locate threat indicators and entities. The flexible access to data enables unconstrained hunting for both known and potential threats. Watch this video for a quick overview of advanced hunting and a short tutorial that will get you started fast.
-<br />
-<br />
-> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4bGqo]
+> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4bGqo]
You can use the same threat-hunting queries to build custom detection rules. These rules run automatically to check for and then respond to suspected breach activity, misconfigured machines, and other findings.
->[!TIP]
->Use [advanced hunting in Microsoft 365 Defender](/microsoft-365/security/defender/advanced-hunting-overview) to hunt for threats using data from Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Cloud App Security, and Microsoft Defender for Identity. [Turn on Microsoft 365 Defender](/microsoft-365/security/defender/m365d-enable).<br><br>
+> [!TIP]
+> Use [advanced hunting in Microsoft 365 Defender](/microsoft-365/security/defender/advanced-hunting-overview) to hunt for threats using data from Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Cloud App Security, and Microsoft Defender for Identity. [Turn on Microsoft 365 Defender](/microsoft-365/security/defender/m365d-enable).
+ Learn more about how to move your advanced hunting workflows from Microsoft Defender for Endpoint to Microsoft 365 Defender in [Migrate advanced hunting queries from Microsoft Defender for Endpoint](/microsoft-365/security/defender/advanced-hunting-migrate-from-mde). ## Get started with advanced hunting
Go through the following steps to ramp up your advanced hunting knowledge.
We recommend going through several steps to quickly get up and running with advanced hunting.
-| Learning goal | Description | Resource |
-|--|--|--|
-| **Learn the language** | Advanced hunting is based on [Kusto query language](/azure/kusto/query/), supporting the same syntax and operators. Start learning the query language by running your first query. | [Query language overview](advanced-hunting-query-language.md) |
-| **Learn how to use the query results** | Learn about charts and various ways you can view or export your results. Explore how you can quickly tweak queries and drill down to get richer information. | [Work with query results](advanced-hunting-query-results.md) |
-| **Understand the schema** | Get a good, high-level understanding of the tables in the schema and their columns. Learn where to look for data when constructing your queries. | [Schema reference](advanced-hunting-schema-reference.md) |
-| **Use predefined queries** | Explore collections of predefined queries covering different threat hunting scenarios. | [Shared queries](advanced-hunting-shared-queries.md) |
-| **Optimize queries and handle errors** | Understand how to create efficient and error-free queries. | - [Query best practices](advanced-hunting-best-practices.md)<br>- [Handle errors](advanced-hunting-errors.md) |
-| **Get the most complete coverage** | Use audit settings to provide better data coverage for your organization. | - [Extend advanced hunting coverage](advanced-hunting-extend-data.md) |
-| **Run a quick investigation** | Quickly run an advanced hunting query to investigate suspicious activity. | - [Quickly hunt for entity or event information with *go hunt*](advanced-hunting-go-hunt.md) |
-| **Contain threats and address compromises** | Respond to attacks by quarantining files, restricting app execution, and other actions | - [Take action on advanced hunting query results](advanced-hunting-take-action.md) |
-| **Create custom detection rules** | Understand how you can use advanced hunting queries to trigger alerts and take response actions automatically. | - [Custom detections overview](overview-custom-detections.md)<br>- [Custom detection rules](custom-detection-rules.md) |
+<br>
+
+****
+
+|Learning goal|Description|Resource|
+||||
+|**Learn the language**|Advanced hunting is based on [Kusto query language](/azure/kusto/query/), supporting the same syntax and operators. Start learning the query language by running your first query.|[Query language overview](advanced-hunting-query-language.md)|
+|**Learn how to use the query results**|Learn about charts and various ways you can view or export your results. Explore how you can quickly tweak queries and drill down to get richer information.|[Work with query results](advanced-hunting-query-results.md)|
+|**Understand the schema**|Get a good, high-level understanding of the tables in the schema and their columns. Learn where to look for data when constructing your queries.|[Schema reference](advanced-hunting-schema-reference.md)|
+|**Use predefined queries**|Explore collections of predefined queries covering different threat hunting scenarios.|[Shared queries](advanced-hunting-shared-queries.md)|
+|**Optimize queries and handle errors**|Understand how to create efficient and error-free queries.|- [Query best practices](advanced-hunting-best-practices.md)<br>- [Handle errors](advanced-hunting-errors.md)|
+|**Get the most complete coverage**|Use audit settings to provide better data coverage for your organization.|- [Extend advanced hunting coverage](advanced-hunting-extend-data.md)|
+|**Run a quick investigation**|Quickly run an advanced hunting query to investigate suspicious activity.|- [Quickly hunt for entity or event information with *go hunt*](advanced-hunting-go-hunt.md)|
+|**Contain threats and address compromises**|Respond to attacks by quarantining files, restricting app execution, and other actions|- [Take action on advanced hunting query results](advanced-hunting-take-action.md)|
+|**Create custom detection rules**|Understand how you can use advanced hunting queries to trigger alerts and take response actions automatically.|- [Custom detections overview](overview-custom-detections.md)<br>- [Custom detection rules](custom-detection-rules.md)|
+|
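Review bot: the trailing `|` line after the **Create custom detection rules** row is not a valid table row and will render as a stray pipe or an empty row; drop it. The delimiter row `||||` also lacks the dashes a pipe table needs (`|---|---|---|`), and the `<br>` and `****` inserted above the table add a blank line and a horizontal rule that the removed version did not have; if the rule is intentional, a blank line on its own is enough without the `<br>`.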
+ ## Data freshness and update frequency Advanced hunting data can be categorized into two distinct types, each consolidated differently. -- **Event or activity data**ΓÇöpopulates tables about alerts, security events, system events, and routine assessments. Advanced hunting receives this data almost immediately after the sensors that collect them successfully transmit them to Defender for Endpoint.-- **Entity data**ΓÇöpopulates tables with consolidated information about users and devices. This data comes from both relatively static data sources and dynamic sources, such as Active Directory entries and event logs. To provide fresh data, tables are updated with any new information every 15 minutes, adding rows that might not be fully populated. Every 24 hours, data is consolidated to insert a record that contains the latest, most comprehensive data set about each entity.
+- **Event or activity data**: Populates tables about alerts, security events, system events, and routine assessments. Advanced hunting receives this data almost immediately after the sensors that collect them successfully transmit them to Defender for Endpoint.
+- **Entity data**: Populates tables with consolidated information about users and devices. This data comes from both relatively static data sources and dynamic sources, such as Active Directory entries and event logs. To provide fresh data, tables are updated with any new information every 15 minutes, adding rows that might not be fully populated. Every 24 hours, data is consolidated to insert a record that contains the latest, most comprehensive data set about each entity.
## Time zone
security Advanced Hunting Schema Reference https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/advanced-hunting-schema-reference.md
ms.technology: mde
**Applies to:**

- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
[!include[Prerelease information](../../includes/prerelease.md)] The [advanced hunting](advanced-hunting-overview.md) schema is made up of multiple tables that provide either event information or information about devices and other entities. To effectively build queries that span multiple tables, you need to understand the tables and the columns in the advanced hunting schema. ## Get schema information in the security center+ While constructing queries, use the built-in schema reference to quickly get the following information about each table in the schema: -- **Tables description**ΓÇötype of data contained in the table and the source of that data.-- **Columns**ΓÇöall the columns in the table.-- **Action types**ΓÇöpossible values in the `ActionType` column representing the event types supported by the table. This is provided only for tables that contain event information.-- **Sample query**ΓÇöexample queries that feature how the table can be utilized.
+- **Tables description**: Type of data contained in the table and the source of that data.
+- **Columns**: All the columns in the table.
+- **Action types**: Possible values in the `ActionType` column representing the event types supported by the table. This is provided only for tables that contain event information.
+- **Sample query**: Example queries that feature how the table can be utilized.
### Access the schema reference+ To quickly access the schema reference, select the **View reference** action next to the table name in the schema representation. You can also select **Schema reference** to search for a table. ![Image showing how to access in-portal schema reference](images/ah-reference.png)
The following reference lists all the tables in the advanced hunting schema. Eac
Table and column names are also listed within the Microsoft Defender Security Center, in the schema representation on the advanced hunting screen.
-| Table name | Description |
-||-|
-| **[DeviceAlertEvents](advanced-hunting-devicealertevents-table.md)** | Alerts on Microsoft Defender Security Center |
-| **[DeviceInfo](advanced-hunting-deviceinfo-table.md)** | Device information, including OS information |
-| **[DeviceNetworkInfo](advanced-hunting-devicenetworkinfo-table.md)** | Network properties of devices, including adapters, IP and MAC addresses, as well as connected networks and domains |
-| **[DeviceProcessEvents](advanced-hunting-deviceprocessevents-table.md)** | Process creation and related events |
-| **[DeviceNetworkEvents](advanced-hunting-devicenetworkevents-table.md)** | Network connection and related events |
-| **[DeviceFileEvents](advanced-hunting-devicefileevents-table.md)** | File creation, modification, and other file system events |
-| **[DeviceRegistryEvents](advanced-hunting-deviceregistryevents-table.md)** | Creation and modification of registry entries |
-| **[DeviceLogonEvents](advanced-hunting-devicelogonevents-table.md)** | Sign-ins and other authentication events |
-| **[DeviceImageLoadEvents](advanced-hunting-deviceimageloadevents-table.md)** | DLL loading events |
-| **[DeviceEvents](advanced-hunting-deviceevents-table.md)** | Multiple event types, including events triggered by security controls such as Microsoft Defender Antivirus and exploit protection |
-| **[DeviceFileCertificateInfo](advanced-hunting-devicefilecertificateinfo-table.md)** | Certificate information of signed files obtained from certificate verification events on endpoints |
-| **[DeviceTvmSoftwareInventory](advanced-hunting-devicetvmsoftwareinventory-table.md)** | Inventory of software installed on devices, including their version information and end-of-support status |
-| **[DeviceTvmSoftwareVulnerabilities](advanced-hunting-devicetvmsoftwarevulnerabilities-table.md)** | Software vulnerabilities found on devices and the list of available security updates that address each vulnerability |
-| **[DeviceTvmSoftwareVulnerabilitiesKB](advanced-hunting-devicetvmsoftwarevulnerabilitieskb-table.md)** | Knowledge base of publicly disclosed vulnerabilities, including whether exploit code is publicly available |
-| **[DeviceTvmSecureConfigurationAssessment](advanced-hunting-devicetvmsecureconfigurationassessment-table.md)** | Threat & Vulnerability Management assessment events, indicating the status of various security configurations on devices |
-| **[DeviceTvmSecureConfigurationAssessmentKB](advanced-hunting-devicetvmsecureconfigurationassessmentkb-table.md)** | Knowledge base of various security configurations used by Threat & Vulnerability Management to assess devices; includes mappings to various standards and benchmarks |
-
->[!TIP]
->Use [advanced hunting in Microsoft 365 Defender](/microsoft-365/security/defender/advanced-hunting-overview) to hunt for threats using data from Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Cloud App Security, and Microsoft Defender for Identity. [Turn on Microsoft 365 Defender](/microsoft-365/security/defender/m365d-enable)<br><br>
+<br>
+
+****
+
+|Table name|Description|
+|||
+|**[DeviceAlertEvents](advanced-hunting-devicealertevents-table.md)**|Alerts on Microsoft Defender Security Center|
+|**[DeviceInfo](advanced-hunting-deviceinfo-table.md)**|Device information, including OS information|
+|**[DeviceNetworkInfo](advanced-hunting-devicenetworkinfo-table.md)**|Network properties of devices, including adapters, IP and MAC addresses, as well as connected networks and domains|
+|**[DeviceProcessEvents](advanced-hunting-deviceprocessevents-table.md)**|Process creation and related events|
+|**[DeviceNetworkEvents](advanced-hunting-devicenetworkevents-table.md)**|Network connection and related events|
+|**[DeviceFileEvents](advanced-hunting-devicefileevents-table.md)**|File creation, modification, and other file system events|
+|**[DeviceRegistryEvents](advanced-hunting-deviceregistryevents-table.md)**|Creation and modification of registry entries|
+|**[DeviceLogonEvents](advanced-hunting-devicelogonevents-table.md)**|Sign-ins and other authentication events|
+|**[DeviceImageLoadEvents](advanced-hunting-deviceimageloadevents-table.md)**|DLL loading events|
+|**[DeviceEvents](advanced-hunting-deviceevents-table.md)**|Multiple event types, including events triggered by security controls such as Microsoft Defender Antivirus and exploit protection|
+|**[DeviceFileCertificateInfo](advanced-hunting-devicefilecertificateinfo-table.md)**|Certificate information of signed files obtained from certificate verification events on endpoints|
+|**[DeviceTvmSoftwareInventory](advanced-hunting-devicetvmsoftwareinventory-table.md)**|Inventory of software installed on devices, including their version information and end-of-support status|
+|**[DeviceTvmSoftwareVulnerabilities](advanced-hunting-devicetvmsoftwarevulnerabilities-table.md)**|Software vulnerabilities found on devices and the list of available security updates that address each vulnerability|
+|**[DeviceTvmSoftwareVulnerabilitiesKB](advanced-hunting-devicetvmsoftwarevulnerabilitieskb-table.md)**|Knowledge base of publicly disclosed vulnerabilities, including whether exploit code is publicly available|
+|**[DeviceTvmSecureConfigurationAssessment](advanced-hunting-devicetvmsecureconfigurationassessment-table.md)**|Threat & Vulnerability Management assessment events, indicating the status of various security configurations on devices|
+|**[DeviceTvmSecureConfigurationAssessmentKB](advanced-hunting-devicetvmsecureconfigurationassessmentkb-table.md)**|Knowledge base of various security configurations used by Threat & Vulnerability Management to assess devices; includes mappings to various standards and benchmarks|
+|
+
+> [!TIP]
+> Use [advanced hunting in Microsoft 365 Defender](/microsoft-365/security/defender/advanced-hunting-overview) to hunt for threats using data from Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Cloud App Security, and Microsoft Defender for Identity. [Turn on Microsoft 365 Defender](/microsoft-365/security/defender/m365d-enable).
+ Learn more about how to move your advanced hunting workflows from Microsoft Defender for Endpoint to Microsoft 365 Defender in [Migrate advanced hunting queries from Microsoft Defender for Endpoint](/microsoft-365/security/defender/advanced-hunting-migrate-from-mde). ## Related topics+ - [Advanced hunting overview](advanced-hunting-overview.md) - [Learn the query language](advanced-hunting-query-language.md) - [Work with query results](advanced-hunting-query-results.md)
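Review bot: same table problems as in the overview article: the trailing `|` line after the **DeviceTvmSecureConfigurationAssessmentKB** row is not a row and should be removed, the delimiter row `|||` needs dashes (`|---|---|`), and the `<br>` plus `****` above the table introduce a horizontal rule the removed version did not have. Moving the TIP below the table and adding the migration sentence reads fine.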
security Alerts Queue https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/alerts-queue.md
ms.technology: mde
**Applies to:**

- [Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-alertsq-abovefoldlink)
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-alertsq-abovefoldlink)
The **Alerts queue** shows a list of alerts that were flagged from devices in your network. By default, the queue displays alerts seen in the last 30 days in a grouped view. The most recent alerts are shown at the top of the list, so you see the newest alerts first.
security Alerts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/alerts.md
**Applies to:** - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) -- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
security Android Intune https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/android-intune.md
Defender for Endpoint supports Device configuration policies for managed devices
Custom VPN in this case is the Defender for Endpoint VPN, which is used to provide the Web Protection feature.

> [!NOTE]
- > Microsoft Defender for Endpoint app must be installed on userΓÇÖs device, in order to functioning of auto setup of this VPN.
+ > Microsoft Defender for Endpoint app must be installed on user's device, in order to functioning of auto setup of this VPN.
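Review bot: the note is still ungrammatical after the apostrophe fix ("in order to functioning of auto setup of this VPN"); since the line is being touched anyway, suggest "The Microsoft Defender for Endpoint app must be installed on the user's device for auto setup of this VPN to work."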
- Enter **Package ID** of the Microsoft Defender for Endpoint app in Google Play store. For the Defender app URL <https://play.google.com/store/apps/details?id=com.microsoft.scmx>, Package ID is **com.microsoft.scmx**
- **Lockdown mode** Not configured (Default)
security Android Privacy https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/android-privacy.md
ms.technology: mde
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
-> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
Defender for Endpoint on Android collects information from your configured Android devices and stores it in the same tenant where you have Defender for Endpoint. The information is collected to help keep Defender for Endpoint for Android secure, up-to-date, performing as expected, and to support the service.
Information is collected to help keep Defender for Endpoint for Android secure,
For more information on most common privacy questions about Microsoft Defender for Endpoint on Android and iOS mobile devices, see [Microsoft Defender for Endpoint and your privacy on Android and iOS mobile devices](https://support.microsoft.com/topic/microsoft-defender-for-endpoint-and-your-privacy-on-android-and-ios-mobile-devices-4109bc54-8ec5-4433-9c33-d359b75ac22a).
-## Required Data
+## Required Data
Required data consists of data that is necessary to make Defender for Endpoint for Android work as expected. This data is essential to the operation of the apps. Here's a list of the types of data being collected:
Information about **malicious** Android application packages (APKs) on the device including -- Install source-- Storage location (file path) of the APK-- Time of install, size of APK and permissions
+- Install source
+- Storage location (file path) of the APK
+- Time of install, size of APK and permissions
### Web page / Network information
Information about **malicious** Android application packages (APKs) on the devic
- Connection information - Protocol type (such as HTTP, HTTPS, etc.) - ### Device and account information -- Device information such as date & time, Android version, OEM model, CPU
- info, and Device identifier
+- Device information such as date & time, Android version, OEM model, CPU info, and Device identifier.
- Device identifier is one of the below:
- - Wi-Fi adapter MAC address
- - [Android
- ID](https://developer.android.com/reference/android/provider/Settings.Secure#ANDROID_ID)
- (as generated by Android at the time of first boot of the device)
- - Randomly generated globally unique identifier (GUID)
+ - Wi-Fi adapter MAC address
+ - [Android ID](https://developer.android.com/reference/android/provider/Settings.Secure#ANDROID_ID) (as generated by Android at the time of first boot of the device).
+ - Randomly generated globally unique identifier (GUID).
- Tenant, Device and User information
- - Azure Active Directory (AD) Device ID and Azure User ID: Uniquely
- identifies the device, User respectively at Azure Active directory.
-
- - Azure tenant ID - GUID that identifies your organization within
- Azure Active Directory
-
- - Microsoft Defender for Endpoint org ID - Unique identifier associated with
- the enterprise that the device belongs to. Allows Microsoft to
- identify whether issues are impacting a select set of enterprises
- and how many enterprises are impacted 
-
- - User Principal Name ΓÇô Email ID of the user
+ - Azure Active Directory (AD) Device ID and Azure User ID: Uniquely identifies the device, User respectively at Azure Active directory.
+ - Azure tenant ID: GUID that identifies your organization within Azure Active Directory.
+ - Microsoft Defender for Endpoint org ID: Unique identifier associated with the enterprise that the device belongs to. Allows Microsoft to identify whether issues are impacting a select set of enterprises and how many enterprises are impacted.
+ - User Principal Name: Email ID of the user
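Review bot: the first item's description is awkward ("Uniquely identifies the device, User respectively at Azure Active directory"); suggest "Uniquely identify the device and the user, respectively, in Azure Active Directory" (plural verb, and "Directory" capitalized to match the other items). The **User Principal Name** item is the only one in the list without a terminating period.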
### Product and service usage data The following information is collected only for Microsoft Defender for Endpoint app installed on the device. -- App package info, including name, version, and app upgrade status--- Actions performed in the app--- Threat detection information, such as threat name, category, etc.--- Crash report logs generated by Android
+- App package info, including name, version, and app upgrade status.
+- Actions performed in the app.
+- Threat detection information, such as threat name, category, etc.
+- Crash report logs generated by Android.
## Optional Data
data is additional data that helps us make product improvements and provides
enhanced information to help us detect, diagnose, and fix issues. Optional diagnostic data includes: -- App, CPU, and network usage--- State of the device from the app perspective, including scan status, scan
- timings, app permissions granted, and upgrade status
--- Features configured by the admin--- Basic information about the browsers on the device
+- App, CPU, and network usage.
+- State of the device from the app perspective, including scan status, scan timings, app permissions granted, and upgrade status.
+- Features configured by the admin.
+- Basic information about the browsers on the device.
**Feedback Data** is collected through in-app feedback provided by the user -- The userΓÇÖs email address, if they choose to provide it--- Feedback type (smile, frown, idea) and any feedback comments submitted by
- the user
+- The user's email address, if they choose to provide it.
+- Feedback type (smile, frown, idea) and any feedback comments submitted by the user.
security Android Support Signin https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/android-support-signin.md
ms.technology: mde
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
-> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
When onboarding a device, you might see sign-in issues after the app is installed.
security Android Terms https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/android-terms.md
ms.technology: mde
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
-> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
## MICROSOFT APPLICATION LICENSE TERMS: MICROSOFT DEFENDER FOR ENDPOINT
security Api Microsoft Flow https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api-microsoft-flow.md
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) -- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
Automating security procedures is a standard requirement for every modern Security Operations Center. The shortage of professional cyber defenders forces SOCs to work as efficiently as possible, and automation is a must. Microsoft Power Automate supports different connectors that were built exactly for that. You can build an end-to-end procedure automation within a few minutes.
security Api Portal Mapping https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api-portal-mapping.md
ms.technology: mde
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-apiportalmapping-abovefoldlink)
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-apiportalmapping-abovefoldlink)
Understand what data fields are exposed as part of the detections API and how they map to Microsoft 365 Defender.
->[!Note]
->- [Defender for Endpoint Alert](alerts.md) is composed from one or more detections.
->- **Microsoft Defender ATP Detection** is composed from the suspicious event occurred on the Device and its related **Alert** details.
->- The Microsoft Defender for Endpoint Alert API is the latest API for alert consumption and contain a detailed list of related evidence for each alert. For more information, see [Alert methods and properties](alerts.md) and [List alerts](get-alerts.md).
+> [!NOTE]
+>
+> - [Defender for Endpoint Alert](alerts.md) is composed from one or more detections.
+> - **Microsoft Defender ATP Detection** is composed from the suspicious event occurred on the Device and its related **Alert** details.
+> - The Microsoft Defender for Endpoint Alert API is the latest API for alert consumption and contain a detailed list of related evidence for each alert. For more information, see [Alert methods and properties](alerts.md) and [List alerts](get-alerts.md).
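Review bot: since the NOTE is being rewritten, fix its grammar at the same time: "is composed from" should be "is composed of" in the first two items, "the suspicious event occurred on the Device" should be "the suspicious event that occurred on the device", and "contain a detailed list" should be "contains a detailed list". The second item still uses the old product name "Microsoft Defender ATP Detection" while the items around it say "Defender for Endpoint"; align the naming.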
## Detections API fields and portal mapping+ The following table lists the available fields exposed in the detections API payload. It shows examples for the populated values and a reference on how data is reflected on the portal.
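Review bot: the reformatted NOTE block carries over the grammar and branding problems of the lines it replaces, and since every line of the block is touched here this is the place to fix them. "composed from one or more detections" and "composed from the suspicious event occurred on the Device" should read "composed of one or more detections" and "composed of the suspicious event that occurred on the device"; "contain a detailed list" should be "contains a detailed list"; and the second bullet still says **Microsoft Defender ATP Detection** while the first bullet and the rest of the page use Defender for Endpoint.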
-The ArcSight field column contains the default mapping between the Defender for Endpoint fields and the built-in fields in ArcSight. You can download the mapping file from the portal when you enable the SIEM integration feature and you can modify it to match the needs of your organization. For more information, see [Enable SIEM integration in Defender for Endpoint](enable-siem-integration.md).
+The ArcSight field column contains the default mapping between the Defender for Endpoint fields and the built-in fields in ArcSight. You can download the mapping file from the portal when you enable the SIEM integration feature and you can modify it to match the needs of your organization. For more information, see [Enable SIEM integration in Defender for Endpoint](enable-siem-integration.md).
Field numbers match the numbers in the images below. > [!div class="mx-tableFixed"]
->
-> | Portal label | SIEM field name | ArcSight field | Example value | Description |
-> ||-|||--|
-> | 1 | AlertTitle | name | Microsoft Defender AV detected 'Mikatz' high-severity malware | Value available for every Detection. |
-> | 2 | Severity | deviceSeverity | High | Value available for every Detection. |
-> | 3 | Category | deviceEventCategory | Malware | Value available for every Detection. |
-> | 4 | Detection source | sourceServiceName | Antivirus | Microsoft Defender Antivirus or Defender for Endpoint. Value available for every Detection. |
-> | 5 | MachineName | sourceHostName | desktop-4a5ngd6 | Value available for every Detection. |
-> | 6 | FileName | fileName | Robocopy.exe | Available for detections associated with a file or process. |
-> | 7 | FilePath | filePath | C:\Windows\System32\Robocopy.exe | Available for detections associated with a file or process. |
-> | 8 | UserDomain | sourceNtDomain | CONTOSO | The domain of the user context running the activity, available for Defender for Endpoint behavioral based detections. |
-> | 9 | UserName | sourceUserName | liz.bean | The user context running the activity, available for Defender for Endpoint behavioral based detections. |
-> | 10 | Sha1 | fileHash | 3da065e07b990034e9db7842167f70b63aa5329 | Available for detections associated with a file or process. |
-> | 11 | Sha256 | deviceCustomString6 | ebf54f745dc81e1958f75e4ca91dd0ab989fc9787bb6b0bf993e2f5 | Available for Microsoft Defender AV detections. |
-> | 12 | Md5 | deviceCustomString5 | db979c04a99b96d370988325bb5a8b21 | Available for Microsoft Defender AV detections. |
-> | 13 | ThreatName | deviceCustomString1 | HackTool:Win32/Mikatz!dha | Available for Microsoft Defender AV detections. |
-> | 14 | IpAddress | sourceAddress | 218.90.204.141 | Available for detections associated to network events. For example, 'Communication to a malicious network destination'. |
-> | 15 | Url | requestUrl | down.esales360.cn | Available for detections associated to network events. For example, 'Communication to a malicious network destination'. |
-> | 16 | RemediationIsSuccess | deviceCustomNumber2 | TRUE | Available for Microsoft Defender AV detections. ArcSight value is 1 when TRUE and 0 when FALSE. |
-> | 17 | WasExecutingWhileDetected | deviceCustomNumber1 | FALSE | Available for Microsoft Defender AV detections. ArcSight value is 1 when TRUE and 0 when FALSE. |
-> | 18 | AlertId | externalId | 636210704265059241_673569822 | Value available for every Detection. |
-> | 19 | LinkToWDATP | flexString1 | `https://securitycenter.windows.com/alert/636210704265059241_673569822` | Value available for every Detection. |
-> | 20 | AlertTime | deviceReceiptTime | 2017-05-07T01:56:59.3191352Z | The time the event occurred. Value available for every Detection. |
-> | 21 | MachineDomain | sourceDnsDomain | contoso.com | Domain name not relevant for AAD joined devices. Value available for every Detection. |
-> | 22 | Actor | deviceCustomString4 | BORON | Available for alerts related to a known actor group. |
-> | 21+5 | ComputerDnsName | No mapping | liz-bean.contoso.com | The device fully qualified domain name. Value available for every Detection. |
-> | | LogOnUsers | sourceUserId | contoso\liz-bean; contoso\jay-hardee | The domain and user of the interactive logon user/s at the time of the event. Note: For devices on Windows 10 version 1607, the domain information will not be available. |
-> | | InternalIPv4List | No mapping | 192.168.1.7, 10.1.14.1 | List of IPV4 internal IPs for active network interfaces. |
-> | | InternalIPv6List | No mapping | fd30:0000:0000:0001:ff4e:003e:0009:000e, FE80:CD00:0000:0CDE:1257:0000:211E:729C | List of IPV6 internal IPs for active network interfaces. |
-| | LinkToMTP | No mapping | `https://securitycenter.windows.com/alert/da637370718981685665_16349121` | Value available for every Detection.
-| | IncidentLinkToMTP | No mapping | `"https://securitycenter.windows.com/incidents/byalert?alertId=da637370718981685665_16349121&source=SIEM` | Value available for every Detection.
-| | IncidentLinkToWDATP | No mapping | `https://securitycenter.windows.com/preferences2/integration/incidents/byalert?alertId=da637370718981685665_16349121&source=SIEM` | Value available for every Detection.
-> | Internal field | LastProcessedTimeUtc | No mapping | 2017-05-07T01:56:58.9936648Z | Time when event arrived at the backend. This field can be used when setting the request parameter for the range of time that detections are retrieved. |
-> | | Not part of the schema | deviceVendor | | Static value in the ArcSight mapping - 'Microsoft'. |
-> | | Not part of the schema | deviceProduct | | Static value in the ArcSight mapping - 'Microsoft Defender ATP'. |
-> | | Not part of the schema | deviceVersion | | Static value in the ArcSight mapping - '2.0', used to identify the mapping versions. |
-
+>
+> |Portal label|SIEM field name|ArcSight field|Example value|Description|
+> ||||||
+> |1|AlertTitle|name|Microsoft Defender AV detected 'Mikatz' high-severity malware|Value available for every Detection.|
+> |2|Severity|deviceSeverity|High|Value available for every Detection.|
+> |3|Category|deviceEventCategory|Malware|Value available for every Detection.|
+> |4|Detection source|sourceServiceName|Antivirus|Microsoft Defender Antivirus or Defender for Endpoint. Value available for every Detection.|
+> |5|MachineName|sourceHostName|desktop-4a5ngd6|Value available for every Detection.|
+> |6|FileName|fileName|Robocopy.exe|Available for detections associated with a file or process.|
+> |7|FilePath|filePath|C:\Windows\System32\Robocopy.exe|Available for detections associated with a file or process.|
+> |8|UserDomain|sourceNtDomain|CONTOSO|The domain of the user context running the activity, available for Defender for Endpoint behavioral based detections.|
+> |9|UserName|sourceUserName|liz.bean|The user context running the activity, available for Defender for Endpoint behavioral based detections.|
+> |10|Sha1|fileHash|3da065e07b990034e9db7842167f70b63aa5329|Available for detections associated with a file or process.|
+> |11|Sha256|deviceCustomString6|ebf54f745dc81e1958f75e4ca91dd0ab989fc9787bb6b0bf993e2f5|Available for Microsoft Defender AV detections.|
+> |12|Md5|deviceCustomString5|db979c04a99b96d370988325bb5a8b21|Available for Microsoft Defender AV detections.|
+> |13|ThreatName|deviceCustomString1|HackTool:Win32/Mikatz!dha|Available for Microsoft Defender AV detections.|
+> |14|IpAddress|sourceAddress|218.90.204.141|Available for detections associated to network events. For example, 'Communication to a malicious network destination'.|
+> |15|Url|requestUrl|down.esales360.cn|Available for detections associated to network events. For example, 'Communication to a malicious network destination'.|
+> |16|RemediationIsSuccess|deviceCustomNumber2|TRUE|Available for Microsoft Defender AV detections. ArcSight value is 1 when TRUE and 0 when FALSE.|
+> |17|WasExecutingWhileDetected|deviceCustomNumber1|FALSE|Available for Microsoft Defender AV detections. ArcSight value is 1 when TRUE and 0 when FALSE.|
+> |18|AlertId|externalId|636210704265059241_673569822|Value available for every Detection.|
+> |19|LinkToWDATP|flexString1|`https://securitycenter.windows.com/alert/636210704265059241_673569822`|Value available for every Detection.|
+> |20|AlertTime|deviceReceiptTime|2017-05-07T01:56:59.3191352Z|The time the event occurred. Value available for every Detection.|
+> |21|MachineDomain|sourceDnsDomain|contoso.com|Domain name not relevant for AAD joined devices. Value available for every Detection.|
+> |22|Actor|deviceCustomString4|BORON|Available for alerts related to a known actor group.|
+> |21+5|ComputerDnsName|No mapping|liz-bean.contoso.com|The device fully qualified domain name. Value available for every Detection.|
+> ||LogOnUsers|sourceUserId|contoso\liz-bean; contoso\jay-hardee|The domain and user of the interactive logon users at the time of the event. Note: For devices on Windows 10 version 1607, the domain information will not be available.|
+> ||InternalIPv4List|No mapping|192.168.1.7, 10.1.14.1|List of IPV4 internal IPs for active network interfaces.|
+> ||InternalIPv6List|No mapping|fd30:0000:0000:0001:ff4e:003e:0009:000e, FE80:CD00:0000:0CDE:1257:0000:211E:729C|List of IPV6 internal IPs for active network interfaces.|
+||LinkToMTP|No mapping|`https://securitycenter.windows.com/alert/da637370718981685665_16349121`|Value available for every Detection.
+||IncidentLinkToMTP|No mapping|`"https://securitycenter.windows.com/incidents/byalert?alertId=da637370718981685665_16349121&source=SIEM`|Value available for every Detection.
+||IncidentLinkToWDATP|No mapping|`https://securitycenter.windows.com/preferences2/integration/incidents/byalert?alertId=da637370718981685665_16349121&source=SIEM`|Value available for every Detection.
+> |Internal field|LastProcessedTimeUtc|No mapping|2017-05-07T01:56:58.9936648Z|Time when event arrived at the backend. This field can be used when setting the request parameter for the range of time that detections are retrieved.|
+> ||Not part of the schema|deviceVendor||Static value in the ArcSight mapping - 'Microsoft'.|
+> ||Not part of the schema|deviceProduct||Static value in the ArcSight mapping - 'Microsoft Defender ATP'.|
+> ||Not part of the schema|deviceVersion||Static value in the ArcSight mapping - '2.0', used to identify the mapping versions.|
:::image type="content" alt-text="Image of alert with numbers." source="images/atp-alert-page.png" lightbox="images/atp-alert-page.png":::
Field numbers match the numbers in the images below.
:::image type="content" alt-text="Image actor alert." source="images/atp-mapping7.png" lightbox="images/atp-mapping7.png"::: - ## Related topics+ - [Enable SIEM integration in Microsoft Defender for Endpoint](enable-siem-integration.md) - [Configure ArcSight to pull Microsoft Defender for Endpoint detections](configure-arcsight.md) - [Pull Microsoft Defender for Endpoint detections using REST API](pull-alerts-using-rest-api.md)
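Review bot: three rows of the rebuilt table still break out of the `[!div class="mx-tableFixed"]` blockquote: `+||LinkToMTP|No mapping|...`, `+||IncidentLinkToMTP|No mapping|...` and `+||IncidentLinkToWDATP|No mapping|...` lack the leading `> ` and the closing `|` that every other row in the hunk has, so they render outside the div as a separate table or plain text, and the IncidentLinkToMTP example value carries a stray `"` inside the backticks. Separately, two of the example hashes are not valid lengths: the Sha1 value is 39 hex characters and the Sha256 value is 55, where SHA-1 is 40 and SHA-256 is 64, so anyone using these rows to validate a parser or a SIEM field regex gets a false negative; either use full-length sample hashes or mark the values as truncated.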
security Api Terms Of Use https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api-terms-of-use.md
Defender for Endpoint APIs are governed by [Microsoft API License and Terms of u
### Throttling limits
-Name | Calls | Renewal period
+Name|Calls|Renewal period
:|:|:
-API calls per connection | 100 | 60 seconds
-
+API calls per connection|100|60 seconds
## Legal Notices Microsoft and any contributors grant you a license to the Microsoft documentation and other content in this repository under the Creative Commons Attribution 4.0 International Public License, see the LICENSE file.
-Microsoft, Windows, Microsoft Azure and/or other Microsoft products and services referenced in the documentation may be either trademarks or registered trademarks of Microsoft in the United States and/or other countries. The licenses for this project do not grant you rights to use any Microsoft names, logos, or trademarks. Microsoft's general trademark guidelines can be found at https://go.microsoft.com/fwlink/?LinkID=254653.
+Microsoft, Windows, Microsoft Azure and/or other Microsoft products and services referenced in the documentation may be either trademarks or registered trademarks of Microsoft in the United States and/or other countries. The licenses for this project do not grant you rights to use any Microsoft names, logos, or trademarks. Microsoft's general trademark guidelines can be found at <https://go.microsoft.com/fwlink/p/?LinkID=254653>.
+
+Privacy information can be found at <https://privacy.microsoft.com/>.
-Privacy information can be found at https://privacy.microsoft.com/en-us/
Microsoft and any contributors reserve all others rights, whether under their respective copyrights, patents, or trademarks, whether by implication, estoppel or otherwise.
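Review bot: the trademark link changes target from `https://go.microsoft.com/fwlink/?LinkID=254653` to `https://go.microsoft.com/fwlink/p/?LinkID=254653`, which is a path change rather than only the angle-bracket formatting the hunk appears to be about; confirm the `/p/` variant resolves to the same guidelines page before merging, since the batch keeps both forms elsewhere (`fwlink/p/?linkid=2154037` next to `fwlink/?linkid=2118804`).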
security Apis Intro https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/apis-intro.md
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) -
-**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)-
-> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
Defender for Endpoint exposes much of its data and actions through a set of programmatic APIs. Those APIs will enable you to automate workflows and innovate based on Defender for Endpoint capabilities. The API access requires OAuth2.0 authentication. For more information, see [OAuth 2.0 Authorization Code Flow](/azure/active-directory/develop/active-directory-v2-protocols-oauth-code). Watch this video for a quick overview of Defender for Endpoint's APIs.
->[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4d73M]
+>[!VIDEO https://www.microsoft.com/videoplayer/embed/RE4d73M]
-In general, youΓÇÖll need to take the following steps to use the APIs:
+In general, you'll need to take the following steps to use the APIs:
- Create an [AAD application](/microsoft-365/security/defender-endpoint/exposed-apis-create-app-nativeapp) - Get an access token using this application
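Review bot: removing the duplicated **Applies to:** block is right, but the retained intro sentence still links only the OAuth 2.0 authorization code flow, which requires an interactive user, while the steps that follow ("Create an AAD application", "Get an access token using this application") describe acquiring a token on behalf of the application itself. State which grant the AAD-application step uses and link that flow, so a reader setting up automation does not start from the wrong one.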
security Assign Portal Access https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/assign-portal-access.md
ms.technology: mde
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-assignaccess-abovefoldlink)
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-assignaccess-abovefoldlink)
Defender for Endpoint supports two ways to manage permissions:
security Attack Simulations https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/attack-simulations.md
ms.technology: mde
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-attacksimulations-abovefoldlink)
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-attacksimulations-abovefoldlink)
->[!TIP]
->- Learn about the latest enhancements in Microsoft Defender for Endpoint: [What's new in Defender for Endpoint?](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/).
->- Defender for Endpoint demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation. Read: [Insights from the MITRE ATT&CK-based evaluation](https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/).
+> [!TIP]
+>
+> - Learn about the latest enhancements in Microsoft Defender for Endpoint: [What's new in Defender for Endpoint?](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/).
+> - Defender for Endpoint demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation. Read: [Insights from the MITRE ATT&CK-based evaluation](https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/).
You might want to experience Defender for Endpoint before you onboard more than a few devices to the service. To do this, you can run controlled attack simulations on a few test devices. After running the simulated attacks, you can review how Defender for Endpoint surfaces malicious activity and explore how it enables an efficient response. ## Before you begin
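Review bot: the reformatted TIP still calls the MITRE evaluation "recent" while both links in the block point at 2018 blog posts (`/2018/11/15/` and `/2018/12/03/`); either drop "recent" or link the current evaluation, since this tip is the first thing an evaluator reads before running the simulations.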
-To run any of the provided simulations, you need at least [one onboarded device](onboard-configure.md).
+To run any of the provided simulations, you need at least [one onboarded device](onboard-configure.md).
Read the walkthrough document provided with each attack scenario. Each document includes OS and application requirements as well as detailed instructions that are specific to an attack scenario. ## Run a simulation 1. In **Endpoints** > **Evaluation & tutorials** > **Tutorials & simulations**, select which of the available attack scenarios you would like to simulate:- - **Scenario 1: Document drops backdoor** - simulates delivery of a socially engineered lure document. The document launches a specially crafted backdoor that gives attackers control.- - **Scenario 2: PowerShell script in fileless attack** - simulates a fileless attack that relies on PowerShell, showcasing attack surface reduction and device learning detection of malicious memory activity.
-
- **Scenario 3: Automated incident response** - triggers automated investigation, which automatically hunts for and remediates breach artifacts to scale your incident response capacity. 2. Download and read the corresponding walkthrough document provided with your selected scenario.
Read the walkthrough document provided with each attack scenario. Each document
> [!NOTE] > Simulation files or scripts mimic attack activity but are actually benign and will not harm or compromise the test device.
->
->
+>
> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-attacksimulations-belowfoldlink) - ## Related topics - [Onboard devices](onboard-configure.md)
security Attack Surface Reduction Rules https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules.md
The **Block abuse of exploited vulnerable signed drivers** rule does not block a
> > You can also configure this rule using [PowerShell](enable-attack-surface-reduction.md#powershell). >
-> To have a driver examined, use this Web site to [Submit a driver for analysis](https://www.microsoft.com/en-us/wdsi/driversubmission).
+> To have a driver examined, use this Web site to [Submit a driver for analysis](https://www.microsoft.com/wdsi/driversubmission).
Intune Name: `Block abuse of exploited vulnerable signed drivers`
security Automated Investigations https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/automated-investigations.md
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
-Want to see how it works? Watch the following video: <br/><br/>
+Want to see how it works? Watch the following video:
> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4bOeh]
The technology in automated investigation uses various inspection algorithms and
This article provides an overview of AIR and includes links to next steps and additional resources. > [!TIP]
-> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-automated-investigations-abovefoldlink).
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-automated-investigations-abovefoldlink)
## How the automated investigation starts An automated investigation can start when an alert is triggered or when a security operator initiates the investigation.
-|Situation |What happens |
-|||
-|An alert is triggered | In general, an automated investigation starts when an [alert](review-alerts.md) is triggered, and an [incident](view-incidents-queue.md) is created. For example, suppose a malicious file resides on a device. When that file is detected, an alert is triggered, and incident is created. An automated investigation process begins on the device. As other alerts are generated because of the same file on other devices, they are added to the associated incident and to the automated investigation. |
-|An investigation is started manually | An automated investigation can be started manually by your security operations team. For example, suppose a security operator is reviewing a list of devices and notices that a device has a high risk level. The security operator can select the device in the list to open its flyout, and then select **Initiate Automated Investigation**. |
+|Situation|What happens|
+|||
+|An alert is triggered|In general, an automated investigation starts when an [alert](review-alerts.md) is triggered, and an [incident](view-incidents-queue.md) is created. For example, suppose a malicious file resides on a device. When that file is detected, an alert is triggered, and incident is created. An automated investigation process begins on the device. As other alerts are generated because of the same file on other devices, they are added to the associated incident and to the automated investigation.|
+|An investigation is started manually|An automated investigation can be started manually by your security operations team. For example, suppose a security operator is reviewing a list of devices and notices that a device has a high risk level. The security operator can select the device in the list to open its flyout, and then select **Initiate Automated Investigation**.|
## How an automated investigation expands its scope
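Review bot: the first row of the rebuilt table still reads "an alert is triggered, and incident is created"; since the row is being rewritten anyway, make it "and an incident is created" here rather than in a follow-up.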
If an incriminated entity is seen in another device, the automated investigation
## How threats are remediated
-As alerts are triggered, and an automated investigation runs, a verdict is generated for each piece of evidence investigated. Verdicts can be
+As alerts are triggered, and an automated investigation runs, a verdict is generated for each piece of evidence investigated. Verdicts can be:
+ - *Malicious*;-- *Suspicious*; or -- *No threats found*.
+- *Suspicious*; or
+- *No threats found*.
As verdicts are reached, automated investigations can result in one or more remediation actions. Examples of remediation actions include sending a file to quarantine, stopping a service, removing a scheduled task, and more. To learn more, see [Remediation actions](manage-auto-investigation.md#remediation-actions).
All remediation actions, whether pending or completed, are tracked in the [Actio
> [!TIP] > Check out the new, unified investigation page in the Microsoft 365 security center. To learn more, see [(NEW!) Unified investigation page](/microsoft-365/security/defender/m365d-autoir-results#new-unified-investigation-page). - ## Requirements for AIR Your organization must have Defender for Endpoint (see [Minimum requirements for Microsoft Defender for Endpoint](minimum-requirements.md)). Currently, AIR only supports the following OS versions:+ - Windows Server 2019 - Windows 10, version 1709 (OS Build 16299.1085 with [KB4493441](https://support.microsoft.com/help/4493441/windows-10-update-kb4493441)) or later - Windows 10, version 1803 (OS Build 17134.704 with [KB4493464](https://support.microsoft.com/help/4493464/windows-10-update-kb4493464)) or later
security Batch Update Alerts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/batch-update-alerts.md
ms.technology: mde
**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) -- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
POST /api/alerts/batchUpdate
## Request headers
-Name | Type | Description
+Name|Type|Description
:|:|: Authorization | String | Bearer {token}. **Required**. Content-Type | String | application/json. **Required**.
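Review bot: the header row is tightened to `Name|Type|Description` but the data rows that follow keep the spaced form (`Authorization | String | Bearer {token}. **Required**.`), so the table is only half converted; the throttling table earlier in this batch tightened both header and data rows, and this one should match.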
security Behavioral Blocking Containment https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/behavioral-blocking-containment.md
ms.technology: mde
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-assignaccess-abovefoldlink)
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-assignaccess-abovefoldlink)
## Overview
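Review bot: the trial link on behavioral-blocking-containment.md reuses the campaign tag `ocid=docs-wdatp-assignaccess-abovefoldlink`, which is the tag assign-portal-access.md uses for its own trial link above; every other page in this batch carries a page-specific tag (`apiportalmapping`, `attacksimulations`, `checksensor`), so clicks from this page will be attributed to the wrong article. Use a tag specific to this page.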
security Cancel Machine Action https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/cancel-machine-action.md
MS.technology: mde
-# Cancel machine action API
+# Cancel machine action API
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
[!include[Prerelease information](../../includes/prerelease.md)]
->Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
Cancel an already launched machine action that are not yet in final state (compl
## Limitations
-1. Rate limitations for this API are 100 calls per minute and 1500 calls per
- hour.
+1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
## Permissions
One of the following permissions is required to call this API. To learn more,
including how to choose permissions, see [Get started](apis-intro.md).
-| Permission type | Permission | Permission display name |
-|-|-|-|
-| <br>Application | <br>Machine.CollectForensic<br> Machine.Isolate <br>Machine.RestrictExecution<br> Machine.Scan<br> Machine.Offboard<br> Machine.StopAndQuarantine<br> Machine.LiveResponse | Collect forensics <br>Isolate machine<br>Restrict code execution<br> Scan machine<br> Offboard machine<br> Stop And Quarantine<br> Run live response on a specific machine |
-| <br>Delegated (work or school account) | Machine.CollectForensic<br> Machine.Isolate <br>Machine.RestrictExecution<br> Machine.Scan<br> Machine.Offboard<br> Machine.StopAndQuarantineMachine.LiveResponse | Collect forensics<br> Isolate machine<br> Restrict code execution<br> Scan machine<br>Offboard machine<br> Stop And Quarantine<br> Run live response on a specific machine |
+|Permission type|Permission|Permission display name|
+||||
+|Application|Machine.CollectForensic <br> Machine.Isolate <br> Machine.RestrictExecution <br> Machine.Scan <br> Machine.Offboard <br> Machine.StopAndQuarantine <br> Machine.LiveResponse|Collect forensics <br>Isolate machine<br>Restrict code execution<br> Scan machine<br> Offboard machine<br> Stop And Quarantine<br> Run live response on a specific machine|
+|Delegated (work or school account)|Machine.CollectForensic<br> Machine.Isolate <br>Machine.RestrictExecution<br> Machine.Scan<br> Machine.Offboard<br> Machine.StopAndQuarantineMachine.LiveResponse|Collect forensics<br> Isolate machine<br> Restrict code execution<br> Scan machine<br>Offboard machine<br> Stop And Quarantine<br> Run live response on a specific machine|
## HTTP request
POST https://api.securitycenter.microsoft.com/api/machineactions/<machineactioni
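Review bot: the Delegated row still has `Machine.StopAndQuarantineMachine.LiveResponse` run together (missing `<br>`), so a reader copying permission names into an app registration gets a scope that does not exist; the Application row in the same hunk was fixed to `Machine.StopAndQuarantine <br> Machine.LiveResponse`, and the Delegated row needs the same. The display names in the right-hand column line up with the permissions by position only, so both rows should list seven entries on each side.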
## Request headers
-| Name | Type | Description |
-||-||
-| Authorization | String | Bearer {token}. Required. |
-| Content-Type | string | application/json. Required. |
+|Name|Type|Description|
+||||
+|Authorization|String|Bearer {token}. Required.|
+|Content-Type|string|application/json. Required.|
## Request body
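Review bot: the rebuilt headers table has `String` for Authorization and `string` for Content-Type; pick one capitalization, matching the request-body table below, since the hunk rewrites both rows.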
-| Parameter | Type | Description |
-||-|-|
-| Comment | String | Comment to associate with the cancellation action. |
+|Parameter|Type|Description|
+||||
+|Comment|String|Comment to associate with the cancellation action.|
## Response
Found.
## Example
-**Request**
+### Request
Here is an example of the request.
POST
https://api.securitycenter.microsoft.com/api/machineactions/988cc94e-7a8f-4b28-ab65-54970c5d5018/cancel ``` - ```JSON { "Comment": "Machine action was canceled by automation"
https://api.securitycenter.microsoft.com/api/machineactions/988cc94e-7a8f-4b28-a
## Related topic -- [Get machine action API](get-machineaction-object.md)
+- [Get machine action API](get-machineaction-object.md)
security Check Sensor Status https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/check-sensor-status.md
ms.technology: mde
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-checksensor-abovefoldlink)
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-checksensor-abovefoldlink)
-The **Devices with sensor issues** tile is found on the Security Operations dashboard. This tile provides information on the individual deviceΓÇÖs ability to provide sensor data and communicate with the Defender for Endpoint service. It reports how many devices require attention and helps you identify problematic devices and take action to correct known issues.
+The **Devices with sensor issues** tile is found on the Security Operations dashboard. This tile provides information on the individual device's ability to provide sensor data and communicate with the Defender for Endpoint service. It reports how many devices require attention and helps you identify problematic devices and take action to correct known issues.
There are two status indicators on the tile that provide information on the number of devices that are not reporting properly to the service: - **Misconfigured** - These devices might partially be reporting sensor data to the Defender for Endpoint service and might have configuration errors that need to be corrected.
security Cloud Protection Microsoft Antivirus Sample Submission https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/cloud-protection-microsoft-antivirus-sample-submission.md
+
+ Title: Cloud-delivered protection Microsoft Defender Antivirus sample submission
+description: Learn about cloud-delivered protection and Microsoft Defender Antivirus
+keywords: Microsoft Defender Antivirus, next-generation technologies, antivirus sample submission, next-generation av, machine learning, antimalware, security, defender, cloud, cloud-delivered protection
+search.product: eADQiWindows 10XVcnh
+ms.mktglfcycl: manage
+ms.sitesec: library
+localization_priority: Normal
+++++
+ms.technology: mde
+ Last updated : 07/22/2021++
+# Cloud-delivered protection antivirus sample submission
+
+Microsoft Defender for Endpoint Antivirus (Defender for Endpoint antivirus) uses many intelligent mechanisms for detecting malware. One of the most powerful capabilities is the ability to apply the power of the cloud to detect malware. Defender for Endpoint antivirus Cloud Protection works with Defender for Endpoint antivirus on the endpoint to make decisions and protect endpoints from new and emerging threats.
+
+## Microsoft Defender for Endpoint Antivirus cloud protection overview
+
+Cloud protection is enabled by default in Defender for Endpoint Antivirus. It is recommended that customers do not disable Cloud protection in Defender for Endpoint Antivirus. When cloud protection is enabled, you have the option of configuring what information Defender for Endpoint antivirus will provide to the cloud (including sample submission). Cloud-protection-enabled is useful when a high-confidence determination cannot be made based on other characteristics.
+Configuring Sample Submission raises questions about how it works; for example, how the data is stored and used. The three cloud protection sample submission options that raise the most questions are:
+
+- ΓÇ£Send safe samples automatically,ΓÇ¥ (the default behavior)
+- ΓÇ£Send all samples automatically,ΓÇ¥
+- ΓÇ£Do not send samples.ΓÇ¥
+
+For information about configuration options using Intune, Configuration Manager, GPO, or PowerShell, see [Turn on cloud-delivered protection in Microsoft Defender Antivirus](/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus).
+
+## Customer data, cloud protection, and sample submission
+
+When onboarding to Defender for Endpoint, Defender for Endpoint treats all file samples as customer data, honoring both the geo and data retention choices the customer selected. Geo and data retention choices are described here: [Microsoft Defender for Endpoint data storage and privacy](/security/defender-endpoint/data-storage-privacy#data-storage-location).
+The product has received multiple compliance certifications, demonstrating continued adherence to a sophisticated set of compliance controls:
+
+- ISO 27001
+- ISO 27018
+- SOC I, II, III
+- and PCI
+
+[Azure Compliance Offerings](https://docs.microsoft.com/azure/compliance/#compliance-offerings) provides more information on these certifications. All certification artifacts for Microsoft Defender for Endpoint can be found on MicrosoftΓÇÖs [Service Trust Portal](https://servicetrust.microsoft.com/) within each of the associated Azure Certification Reports.
+
+## Cloud Protection Mechanisms
+
+The Microsoft Intelligent Security Graph monitors threat data from a vast network of sensors. We layer cloud-based machine learning models that can make an assessment based on signals from the client and the vast network of sensors and data in the Intelligent Security Graph. This model gives Defender for Endpoint the ability to block many never-before seen threats.
+
+Defender for Endpoint antivirus and cloud protection automatically blocks most new, never-before-seen threats at first sight using the following methods:
+
+1. Lightweight client-based machine learning models, blocking new and unknown malware
+2. Local behavioral analysis, stopping file-based and file-less attacks
+3. High-precision antivirus, detecting common malware through generic and heuristic techniques
+4. Advanced cloud-based protection is provided for cases when Defender for Endpoint antivirus running on the endpoint needs more intelligence to verify the intent of a suspicious file.
+ 1. In the event Microsoft Defender for Endpoint antivirus cannot make a clear determination, file metadata is sent to the cloud protection service. Usually, the cloud protection service can determine whether the file is safe or malicious, within milliseconds.
+ - The cloud query of file metadata can be a result of behavior, mark of the web, or other characteristics where a clear verdict is not determined.
+ - A small metadata payload is sent, with the goal of reaching a clean vs malware verdict
+ - Metadata can include PE attributes, static file attributes, dynamic and contextual attributes, and more (Figure 1).
+ - Does not include personally identifiable information (PII). Information such as filenames, are hashed
+ - Can be synchronous or asynchronous. For synchronous, the file will not open until the cloud renders a verdict. For asynchronous, the file will open while the cloud performs its analysis.
+ 2. After examining the metadata, if Defender for Endpoint antivirus cloud protection cannot reach a conclusive verdict, it can request a sample of the file for further inspection. This request honors the settings configuration for sample submission:
+ 1. **Send safe samples automatically** (default)
+ - Safe samples are samples considered to not commonly contain PII data like: .bat, .scr, .dll, .exe.
+ - If file is likely to contain PII, the user will get a request to allow file sample submission.
+ - This is the default on Windows, MacOS and Linux.
+ 2. **Always Prompt**
+ - If configured, the user will always be prompted for consent before file submission
+ - This setting isn't available in MacOS cloud protection
+ 3. **Send all samples automatically**
+ - If configured, all samples will be sent automatically
+ - If you would like sample submission to include macros embedded in Word docs, you must choose ΓÇ£Send all samples automaticallyΓÇ¥
+ - This setting isn't available on MacOS cloud protection
+ 4. **Do not send**
+ - Prevents ΓÇ£block at first sightΓÇ¥ based on file sample analysis
+ - "Do not send" is the equivalent to the ΓÇ£DisabledΓÇ¥ setting in MacOS policy
+ - Metadata is sent for detections even when sample submission is disabled
+ 3. After metadata and/or files are submitted to the Defender for Endpoint cloud, you can use **samples**, **detonation**, or **big data analysis** machine learning models to reach a verdict. This model is illustrated in Figure 3. Turning off Cloud-delivered Protection will limit analysis to only what the client can provide through local machine learning models, and similar functions.
+
+Figure 1 - Examples of Metadata Sent to Microsoft Defender Cloud Protection
++++
+> [!Note]
+>
+> You may also have heard the phrase ΓÇ£Block at first sight (BAFS).ΓÇ¥ BAFSΓÇ¥ refers to the more extensive analysis that the cloud can provide, including things like detonation to provide a more accurate verdict. This can also include delaying the opening of a file that is under interrogation by cloud protection until a verdict is reached. If you disable ΓÇ£Sample Submission,ΓÇ¥ BAFS is disabled, and you cannot do the more extensive analysis and are limited to analyzing file metadata only.
+
+## Cloud Delivered Protection Levels
+
+Malware detection requires striking a balance between providing the strongest possible protection, while minimizing the number of false positives. Different environments may have tolerance for protection versus risk of false positive. Cloud-delivered protection levels allow the customer to define the tolerance level appropriate for the specific environment. When you enable Cloud Delivered Protection, the protection level is automatically configured to provide strong detection without increasing the risk of detecting legitimate files. If you want to configure a different protection level, see [Specify the cloud-delivered protection level for Microsoft Defender Antivirus - Windows security](/security/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus).
+
+> [!Note]
+>
+> Changing the protection level can result in a higher level of false positives and should be carefully evaluated before changing.
+
+## Other File Sample Submission Scenarios
+
+There are two more scenarios where Defender for Endpoint may request a file sample not related to the cloud protection settings discussed above.
+
+### Manual File Sample Collection by Security Admin from Defender for Endpoint Management Portal
+
+When onboarding devices to Microsoft Defender for Endpoint EDR there is a setting to enable sample collections from the device, which can be confused with the settings discussed above. This setting controls file sample collection from devices when requested through the Defender for Endpoint administrative portal; it is subject to the roles and permissions already established. This setting can allow or block file collection from the endpoint for features such as deep analysis in the Defender for Endpoint portal. If this setting is not configured, the default is to enable sample collection.
+
+[Additional Defender for Endpoint Configuration Settings](/configure-endpoints#additional-defender-for-endpoint-configuration-settings)
+
+### Automated Investigation and Response Content Analysis
+
+When Automated Investigations are running on devices (when configured to run automatically in response to an alert or manually run), files that are identified as suspicious can be collected from the endpoints for further inspection. The file content analysis feature for Automated Investigations can be disabled in the Defender for Endpoint portal. The file extension names can also be modified to add or remove extensions for other file types that will be automatically submitted during an automated investigation.
+
+[Manage automation file uploads](/manage-automation-file-uploads)
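Review bot: the two links that close the new article, `[Additional Defender for Endpoint Configuration Settings](/configure-endpoints#additional-defender-for-endpoint-configuration-settings)` and `[Manage automation file uploads](/manage-automation-file-uploads)`, are root-relative paths with no docset prefix, so they resolve to the site root rather than to the sibling topics; the other links in this file use either a full `/security/...` path or a sibling `.md` file, so `configure-endpoints.md#additional-defender-for-endpoint-configuration-settings` and `manage-automation-file-uploads.md` would be consistent. Smaller points in the same hunk: the third sub-step under advanced cloud-based protection says the flow is "illustrated in Figure 3", but the only figure caption in the file is "Figure 1 - Examples of Metadata Sent to Microsoft Defender Cloud Protection", and no image follows that caption; that same sub-step says "you can use samples, detonation, or big data analysis machine learning models", although it is the cloud service, not the reader, that applies them; the note on block at first sight has a stray closing quotation mark after the second "BAFS"; "Information such as filenames, are hashed" should read "Information such as filenames is hashed"; and the quoted option names ("Send safe samples automatically" and the others) use curly quotes that render as mojibake in this diff, so straight ASCII quotes are the safer choice.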
security Collect Investigation Package https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/collect-investigation-package.md
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) -- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] [!include[Improve request performance](../../includes/improve-request-performance.md)] - ## API description Collect investigation package from a device.
Collect investigation package from a device.
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Defender for Endpoint APIs](apis-intro.md)
-Permission type | Permission | Permission display name
+Permission type|Permission|Permission display name
:|:|:
-Application | Machine.CollectForensics | 'Collect forensics'
-Delegated (work or school account) | Machine.CollectForensics | 'Collect forensics'
+Application|Machine.CollectForensics|'Collect forensics'
+Delegated (work or school account)|Machine.CollectForensics|'Collect forensics'
> [!NOTE] > When obtaining a token using user credentials:
POST https://api.securitycenter.microsoft.com/api/machines/{id}/collectInvestiga
## Request headers
-Name | Type | Description
+Name|Type|Description
:|:|:
-Authorization | String | Bearer {token}. **Required**.
-Content-Type | string | application/json. **Required**.
+Authorization|String|Bearer {token}. **Required**.
+Content-Type|string|application/json. **Required**.
## Request body In the request body, supply a JSON object with the following parameters:
-Parameter | Type | Description
+Parameter|Type|Description
:|:|:
-Comment | String | Comment to associate with the action. **Required**.
+Comment|String|Comment to associate with the action. **Required**.
## Response
security Common Errors https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/common-errors.md
* The message is a free text that can be changed. * At the bottom of the page, you can find response examples.
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-assignaccess-abovefoldlink)
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-assignaccess-abovefoldlink)
Error code |HTTP status code |Message :|:|:
security Community https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/community.md
ms.technology: mde
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-assignaccess-abovefoldlink)
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-assignaccess-abovefoldlink)
The Defender for Endpoint Community Center is a place where community members can learn, collaborate, and share experiences about the product.
security Conditional Access https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/conditional-access.md
ms.technology: mde
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-conditionalaccess-abovefoldlink)
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-conditionalaccess-abovefoldlink)
Conditional Access is a capability that helps you better protect your users and enterprise information by making sure that only secure devices have access to applications.
-> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4byD1]
+> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4byD1]
With Conditional Access, you can control access to enterprise information based on the risk level of a device. This helps keep trusted users on trusted devices using trusted applications.
security Configure Arcsight https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-arcsight.md
ms.technology: mde
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configurearcsight-abovefoldlink)
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configurearcsight-abovefoldlink)
You'll need to install and configure some files and tools to use Micro Focus ArcSight so that it can pull Defender for Endpoint detections.
->[!Note]
+> [!NOTE]
+>
>- [Defender for Endpoint Alert](alerts.md) is composed from one or more detections >- [Defender for Endpoint Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Device and its related Alert details.
The following steps assume that you have completed all the required steps in [Be
- WDATP-connector.properties: C:\\*folder_location*\current\user\agent\flexagent\ > [!NOTE]
- >
> You must put the configuration files in this location, where *folder_location* represents the location where you installed the tool. 4. After the installation of the core connector completes, the Connector Setup window opens. In the Connector Setup window, select **Add a Connector**.
The following steps assume that you have completed all the required steps in [Be
6. Type the following information in the parameter details form. All other values in the form are optional and can be left blank.
- <table>
- <tbody style="vertical-align:top;">
- <tr>
- <th>Field</th>
- <th>Value</th>
- </tr>
- <tr>
- <td>Configuration File</td>
- <td>Type in the name of the client property file. The name must match the file provided in the .zip that you downloaded.
- For example, if the configuration file in &quot;flexagent&quot; directory is named &quot;WDATP-Connector.jsonparser.properties&quot;, you must type &quot;WDATP-Connector&quot; as the name of the client property file.</td>
- </tr>
- <td>Events URL</td>
- <td>Depending on the location of your datacenter, select either the EU or the US URL: </br></br> <b>For EU</b>: https://<i></i>wdatp-alertexporter-eu.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME <br>
- </br><b>For US:</b> https://<i></i>wdatp-alertexporter-us.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME <br> <br> <b>For UK</b>: https://<i></i>wdatp-alertexporter-uk.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME</td>
- <tr>
- <td>Authentication Type</td>
- <td>OAuth 2</td>
- </tr>
- <td>OAuth 2 Client Properties file</td>
- <td>Browse to the location of the <em>wdatp-connector.properties</em> file. The name must match the file provided in the .zip that you downloaded.</td>
- <tr>
- <td>Refresh Token</td>
- <td>You can obtain a refresh token in two ways: by generating a refresh token from the <b>SIEM settings</b> page or using the restutil tool. <br><br> For more information on generating a refresh token from the <b>Preferences setup</b> , see <a href="enable-siem-integration.md" data-raw-source="[Enable SIEM integration in Defender for Endpoint](enable-siem-integration.md)">Enable SIEM integration in Defender for Endpoint</a>. </br> </br><b>Get your refresh token using the restutil tool:</b> </br> a. Open a command prompt. Navigate to C:\<em>folder_location</em>\current\bin where <em>folder_location</em> represents the location where you installed the tool. </br></br> b. Type: <code>arcsight restutil token -config</code> from the bin directory.For example: <b>arcsight restutil boxtoken -proxy proxy.location.hp.com:8080</b> A Web browser window will open. </br> </br>c. Type in your credentials then click on the password field to let the page redirect. In the login prompt, enter your credentials. </br> </br>d. A refresh token is shown in the command prompt. </br></br> e. Copy and paste it into the <b>Refresh Token</b> field.
- </td>
- </tr>
- </tr>
- </table><br/>
-
+ <br>
+
+ ****
+
+ |Field|Value|
+ |||
+ |Configuration File|Type in the name of the client property file. The name must match the file provided in the .zip that you downloaded. <p> For example, if the configuration file in "flexagent" directory is named "WDATP-Connector.jsonparser.properties", you must type "WDATP-Connector" as the name of the client property file.|
+ |Events URL|Depending on the location of your datacenter, select either the EU or the US URL: <ul><li>**For EU**: `https://<i></i>wdatp-alertexporter-eu.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME`</li><li>**For US**: `https://<i></i>wdatp-alertexporter-us.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME`</li><li>**For UK**: `https://<i></i>wdatp-alertexporter-uk.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME`</li></ul>|
+ |Authentication Type|OAuth 2|
+ |OAuth 2 Client Properties file|Browse to the location of the *wdatp-connector.properties* file. The name must match the file provided in the .zip that you downloaded.|
+ |Refresh Token|You can obtain a refresh token in two ways: by generating a refresh token from the **SIEM settings** page or using the restutil tool. <p> For more information on generating a refresh token from the **Preferences setup** , see [Enable SIEM integration in Defender for Endpoint](enable-siem-integration.md). <p> **Get your refresh token using the restutil tool**: <ol><li>Open a command prompt. Navigate to C:\\*folder\_location*\current\bin where *folder\_location* represents the location where you installed the tool.</li><li>Type: `arcsight restutil token -config` from the bin directory. For example: **arcsight restutil boxtoken -proxy proxy.location.hp.com:8080**. A Web browser window will open.</li><li>Type in your credentials then click on the password field to let the page redirect. In the login prompt, enter your credentials.</li><li>A refresh token is shown in the command prompt.</li><li>Copy and paste it into the **Refresh Token** field.|
+ |
+ 7. A browser window is opened by the connector. Login with your application credentials. After you log in, you'll be asked to give permission to your OAuth2 Client. You must give permission to your OAuth 2 Client so that the connector configuration can authenticate. If the <code>redirect_uri</code> is a https URL, you'll be redirected to a URL on the local host. You'll see a page that requests for you to trust the certificate supplied by the connector running on the local host. You'll need to trust this certificate if the redirect_uri is a https.
-
+ If however you specify a http URL for the redirect_uri, you do not need to provide consent in trusting the certificate. 8. Continue with the connector setup by returning to the Micro Focus ArcSight Connector Setup window.
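Review bot: the Events URL row of the new markdown table wraps each URL in backticks but keeps the `<i></i>` that the old HTML table used to suppress auto-linking, so the rendered code spans now read `https://<i></i>wdatp-alertexporter-eu.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME` literally; a code span already prevents auto-linking, so drop the `<i></i>` from all three URLs. In the Refresh Token row, the `<ol>` opened for the restutil steps is never closed and the row's terminating `|` has been pushed onto the following line as a lone `|`, which breaks the table; end the row with `</li></ol>|` on the same line and delete the stray line. Also carried over from the HTML version: that row tells the reader to type `arcsight restutil token -config` and then gives `arcsight restutil boxtoken -proxy proxy.location.hp.com:8080` as the example, so it is worth confirming which subcommand is intended before this lands.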
The following steps assume that you have completed all the required steps in [Be
You can now run queries in the Micro Focus ArcSight console.
-Defender for Endpoint detections will appear as discrete events, with "MicrosoftΓÇ¥ as the vendor and ΓÇ£Windows Defender ATPΓÇ¥ as the device name.
-
+Defender for Endpoint detections will appear as discrete events, with "Microsoft" as the vendor and "Windows Defender ATP" as the device name.
## Troubleshooting Micro Focus ArcSight connection
Defender for Endpoint detections will appear as discrete events, with "Microsoft
> Verify that the connector is running by stopping the process again. Then start the connector again, and no browser window should appear. ## Related topics+ - [Enable SIEM integration in Defender for Endpoint](enable-siem-integration.md) - [Pull detections to your SIEM tools](/windows/security/threat-protection/microsoft-defender-atp/configure-siem) - [Pull Defender for Endpoint detections using REST API](pull-alerts-using-rest-api.md)
security Configure Attack Surface Reduction https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-attack-surface-reduction.md
Last updated 06/02/2021
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) > [!TIP]
-> Want to experience Defender for Endpoint? [Sign up for a free trial](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-assignaccess-abovefoldlink).
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-assignaccess-abovefoldlink)
Defender for Endpoint includes several attack surface reduction capabilities. To learn more, see [Overview of attack surface reduction capabilities](overview-attack-surface-reduction.md). To configure attack surface reduction in your environment, follow these steps:
security Configure Automated Investigations Remediation https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-automated-investigations-remediation.md
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-assignaccess-abovefoldlink)
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-assignaccess-abovefoldlink)
-If your organization is using [Microsoft Defender for Endpoint](/windows/security/threat-protection/) (Defender for Endpoint), [automated investigation and remediation capabilities](/microsoft-365/security/defender-endpoint/automated-investigations) can save your security operations team time and effort. As outlined in [this blog post](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/enhance-your-soc-with-microsoft-defender-atp-automatic/ba-p/848946), these capabilities mimic the ideal steps that a security analyst takes to investigate and remediate threats. [Learn more about automated investigation and remediation](/microsoft-365/security/defender-endpoint/automated-investigations).
+If your organization is using [Microsoft Defender for Endpoint](/windows/security/threat-protection/) (Defender for Endpoint), [automated investigation and remediation capabilities](/microsoft-365/security/defender-endpoint/automated-investigations) can save your security operations team time and effort. As outlined in [this blog post](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/enhance-your-soc-with-microsoft-defender-atp-automatic/ba-p/848946), these capabilities mimic the ideal steps that a security analyst takes to investigate and remediate threats. [Learn more about automated investigation and remediation](/microsoft-365/security/defender-endpoint/automated-investigations).
-To configure automated investigation and remediation,
-1. [Turn on the features](#turn-on-automated-investigation-and-remediation); and
+To configure automated investigation and remediation:
+
+1. [Turn on the features](#turn-on-automated-investigation-and-remediation); and
2. [Set up device groups](#set-up-device-groups). ## Turn on automated investigation and remediation
-1. As a global administrator or security administrator, go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in.
+1. As a global administrator or security administrator, go to the Microsoft Defender Security Center (<https://securitycenter.windows.com>) and sign in.
2. In the navigation pane, choose **Settings**. 3. In the **General** section, select **Advanced features**. 4. Turn on both **Automated Investigation** and **Automatically resolve alerts**. ## Set up device groups
-1. In the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)), on the **Settings** page, under **Permissions**, select **Device groups**.
+1. In the Microsoft Defender Security Center (<https://securitycenter.windows.com>), on the **Settings** page, under **Permissions**, select **Device groups**.
2. Select **+ Add device group**. 3. Create at least one device group, as follows: - Specify a name and description for the device group.
- - In the **Automation level list**, select a level, such as **Full ΓÇô remediate threats automatically**. The automation level determines whether remediation actions are taken automatically, or only upon approval. To learn more, see [Automation levels in automated investigation and remediation](automation-levels.md).
+ - In the **Automation level list**, select a level, such as **Full - remediate threats automatically**. The automation level determines whether remediation actions are taken automatically, or only upon approval. To learn more, see [Automation levels in automated investigation and remediation](automation-levels.md).
- In the **Members** section, use one or more conditions to identify and include devices. - On the **User access** tab, select the [Azure Active Directory groups](/azure/active-directory/fundamentals/active-directory-manage-groups?context=azure/active-directory/users-groups-roles/context/ugr-context) who should have access to the device group you're creating. 4. Select **Done** when you're finished setting up your device group.
security Configure Conditional Access https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-conditional-access.md
ms.technology: mde
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-assignaccess-abovefoldlink)
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-assignaccess-abovefoldlink)
This section guides you through all the steps you need to take to properly implement Conditional Access.
-### Before you begin
->[!WARNING]
->It's important to note that Azure AD registered devices is not supported in this scenario.</br>
->Only Intune enrolled devices are supported.
+## Before you begin
+> [!WARNING]
+> It's important to note that Azure AD registered devices is not supported in this scenario.</br>
+> Only Intune enrolled devices are supported.
You need to make sure that all your devices are enrolled in Intune. You can use any of the following options to enroll devices in Intune: - - IT Admin: For more information on how to enabling auto-enrollment, see [Windows Enrollment](/intune/windows-enroll#enable-windows-10-automatic-enrollment) - End-user: For more information on how to enroll your Windows 10 device in Intune, see [Enroll your Windows 10 device in Intune](/intune/quickstart-enroll-windows-device) - End-user alternative: For more information on joining an Azure AD domain, see [How to: Plan your Azure AD join implementation](/azure/active-directory/devices/azureadjoin-plan). -- There are steps you'll need to take in Microsoft 365 Defender, the Intune portal, and Azure AD portal. It's important to note the required roles to access these portals and implement Conditional access:+ - **Microsoft 365 Defender** - You'll need to sign into the portal with a global administrator role to turn on the integration.-- **Intune** - You'll need to sign in to the portal with security administrator rights with management permissions.
+- **Intune** - You'll need to sign in to the portal with security administrator rights with management permissions.
- **Azure AD portal** - You'll need to sign in as a global administrator, security administrator, or Conditional Access administrator. - > [!NOTE] > You'll need a Microsoft Intune environment, with Intune managed and Azure AD joined Windows 10 devices. Take the following steps to enable Conditional Access:+ - Step 1: Turn on the Microsoft Intune connection from Microsoft 365 Defender - Step 2: Turn on the Defender for Endpoint integration in Intune - Step 3: Create the compliance policy in Intune - Step 4: Assign the policy - Step 5: Create an Azure AD Conditional Access policy - ### Step 1: Turn on the Microsoft Intune connection 1. In the navigation pane, select **Settings** > **Endpoints** > **General** > **Advanced features** > **Microsoft Intune connection**. 2. Toggle the Microsoft Intune setting to **On**. 3. Click **Save preferences**. - ### Step 2: Turn on the Defender for Endpoint integration in Intune+ 1. Sign in to the [Azure portal](https://portal.azure.com). 2. Select **Device compliance** > **Microsoft Defender ATP**. 3. Set **Connect Windows 10.0.15063+ devices to Microsoft Defender Advanced Threat Protection** to **On**. 4. Click **Save**. - ### Step 3: Create the compliance policy in Intune+ 1. In the [Azure portal](https://portal.azure.com), select **All services**, filter on **Intune**, and select **Microsoft Intune**. 2. Select **Device compliance** > **Policies** > **Create policy**. 3. Enter a **Name** and **Description**.
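Review bot: the rewritten warning line still ends with `</br>`, which is not a valid HTML tag (`br` has no closing form); since the line is already being touched for the `> ` spacing, replace it with `<br>` or simply let the two quoted lines stand on their own. The same sentence reads "Azure AD registered devices is not supported"; "are not supported" agrees with the plural subject.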
Take the following steps to enable Conditional Access:
6. Select **OK**, and **Create** to save your changes (and create the policy). ### Step 4: Assign the policy+ 1. In the [Azure portal](https://portal.azure.com), select **All services**, filter on **Intune**, and select **Microsoft Intune**. 2. Select **Device compliance** > **Policies**> select your Microsoft Defender for Endpoint compliance policy. 3. Select **Assignments**.
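Review bot: the unchanged step 2 in this hunk is missing a space before the arrow in "**Policies**> select your Microsoft Defender for Endpoint compliance policy"; write it as "**Policies** > select your ..." so it matches the other breadcrumb paths in the file.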
Take the following steps to enable Conditional Access:
5. To deploy the policy to the groups, select **Save**. The user devices targeted by the policy are evaluated for compliance. ### Step 5: Create an Azure AD Conditional Access policy+ 1. In the [Azure portal](https://portal.azure.com), open **Azure Active Directory** > **Conditional Access** > **New policy**. 2. Enter a policy **Name**, and select **Users and groups**. Use the Include or Exclude options to add your groups for the policy, and select **Done**. 3. Select **Cloud apps**, and choose which apps to protect. For example, choose **Select apps**, and select **Office 365 SharePoint Online** and **Office 365 Exchange Online**. Select **Done** to save your changes.
Take the following steps to enable Conditional Access:
For more information, see [Enforce compliance for Microsoft Defender for Endpoint with Conditional Access in Intune](/intune/advanced-threat-protection).
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-conditionalaccess-belowfoldlink)
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-conditionalaccess-belowfoldlink)
security Configure Endpoints Gp https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-endpoints-gp.md
ms.technology: mde
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configureendpointsgp-abovefoldlink)
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configureendpointsgp-abovefoldlink)
> [!NOTE] > To use Group Policy (GP) updates to deploy the package, you must be on Windows Server 2008 R2 or later.
For security reasons, the package used to Offboard devices will expire 30 days a
## Monitor device configuration
-With Group Policy there isnΓÇÖt an option to monitor deployment of policies on the devices. Monitoring can be done directly on the portal, or by using the different deployment tools.
+With Group Policy there isn't an option to monitor deployment of policies on the devices. Monitoring can be done directly on the portal, or by using the different deployment tools.
## Monitor devices using the portal
security Configure Endpoints Mdm https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-endpoints-mdm.md
ms.technology: mde
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configureendpointsmdm-abovefoldlink)
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configureendpointsmdm-abovefoldlink)
You can use mobile device management (MDM) solutions to configure devices. Defender for Endpoint supports MDMs by providing OMA-URIs to create policies to manage devices. For more information on using Defender for Endpoint CSP see, [WindowsAdvancedThreatProtection CSP](https://msdn.microsoft.com/library/windows/hardware/mt723296(v=vs.85).aspx) and [WindowsAdvancedThreatProtection DDF file](https://msdn.microsoft.com/library/windows/hardware/mt723297(v=vs.85).aspx). ## Before you begin
-If you're using Microsoft Intune, you must have the device MDM Enrolled. Otherwise, settings won't be applied successfully.
+
+If you're using Microsoft Intune, you must have the device MDM Enrolled. Otherwise, settings won't be applied successfully.
For more information on enabling MDM with Microsoft Intune, see [Device enrollment (Microsoft Intune)](/mem/intune/enrollment/device-enrollment). ## Onboard devices using Microsoft Intune
-[![Image of the PDF showing onboarding devices to Defender for Endpoint using Microsoft Intune](images/onboard-intune.png) ](images/onboard-intune-big.png#lightbox)
+[![Image of the PDF showing onboarding devices to Defender for Endpoint using Microsoft Intune](images/onboard-intune.png)](images/onboard-intune-big.png#lightbox)
-Check out the [PDF](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/security/defender-endpoint/downloads/mdatp-deployment-strategy.pdf) or [Visio](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/security/defender-endpoint/downloads/mdatp-deployment-strategy.vsdx) to see the various paths in deploying Defender for Endpoint.
+Check out the [PDF](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/security/defender-endpoint/downloads/mdatp-deployment-strategy.pdf) or [Visio](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/security/defender-endpoint/downloads/mdatp-deployment-strategy.vsdx) to see the various paths in deploying Defender for Endpoint.
Follow the instructions from [Intune](/intune/advanced-threat-protection). For more information on using Defender for Endpoint CSP see, [WindowsAdvancedThreatProtection CSP](https://msdn.microsoft.com/library/windows/hardware/mt723296(v=vs.85).aspx) and [WindowsAdvancedThreatProtection DDF file](https://msdn.microsoft.com/library/windows/hardware/mt723297(v=vs.85).aspx). - > [!NOTE]
+>
> - The **Health Status for onboarded devices** policy uses read-only properties and can't be remediated. > - Configuration of diagnostic data reporting frequency is only available for devices on Windows 10, version 1703. -
->[!TIP]
+> [!TIP]
> After onboarding the device, you can choose to run a detection test to verify that a device is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender for Endpoint device](run-detection-test.md). -
-Check out the [PDF](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/security/defender-endpoint/downloads/mdatp-deployment-strategy.pdf) or [Visio](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/security/defender-endpoint/downloads/mdatp-deployment-strategy.vsdx) to see the various paths in deploying Microsoft Defender for Endpoint.
+Check out the [PDF](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/security/defender-endpoint/downloads/mdatp-deployment-strategy.pdf) or [Visio](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/security/defender-endpoint/downloads/mdatp-deployment-strategy.vsdx) to see the various paths in deploying Microsoft Defender for Endpoint.
## Offboard and monitor devices using Mobile Device Management tools+ For security reasons, the package used to Offboard devices will expire 30 days after the date it was downloaded. Expired offboarding packages sent to a device will be rejected. When downloading an offboarding package you'll be notified of the packages expiry date and it will also be included in the package name. > [!NOTE] > Onboarding and offboarding policies must not be deployed on the same device at the same time, otherwise this will cause unpredictable collisions. - 1. Get the offboarding package from [Microsoft 365 Defender portal](https://security.microsoft.com/): 1. In the navigation pane, select **Settings** > **Endpoints** > **Device management** > **Offboarding**.
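Review bot: the "Check out the [PDF] or [Visio]" sentence appears twice in this file within this hunk (once before "Follow the instructions from Intune" and again after the tip), and the change to the second copy is whitespace-only; keep one copy. Two smaller points in the unchanged context: "Defender for Endpoint CSP see, [WindowsAdvancedThreatProtection CSP]" has the comma on the wrong side of "see" (it should be "CSP, see"), and "notified of the packages expiry date" should be "package's expiry date".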
For security reasons, the package used to Offboard devices will expire 30 days a
1. Select Windows 10 as the operating system. 1. In the **Deployment method** field, select **Mobile Device Management / Microsoft Intune**.
-
+ 1. Click **Download package**, and save the .zip file. 2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATP_valid_until_YYYY-MM-DD.offboarding*. 3. Use the Microsoft Intune custom configuration policy to deploy the following supported OMA-URI settings.-
- OMA-URI: ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Offboarding<br/>
- Date type: String<br/>
- Value: [Copy and paste the value from the content of the WindowsDefenderATP_valid_until_YYYY-MM-DD.offboarding file]
+ - OMA-URI: ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Offboarding
+ - Date type: String
+ - Value: [Copy and paste the value from the content of the WindowsDefenderATP_valid_until_YYYY-MM-DD.offboarding file]
For more information on Microsoft Intune policy settings see, [Windows 10 policy settings in Microsoft Intune](/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune). - > [!NOTE] > The **Health Status for offboarded devices** policy uses read-only properties and can't be remediated.
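Review bot: "Date type: String" in the OMA-URI setting (carried unchanged from the removed line into the re-indented added line) should be "Data type: String", which is the field name Intune shows for a custom OMA-URI setting; since the line is being rewritten anyway, fix the label now. Removing the `<br/>` tags is fine because each item is already its own list entry.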
For more information on Microsoft Intune policy settings see, [Windows 10 policy
> Offboarding causes the device to stop sending sensor data to the portal but data from the device, including reference to any alerts it has had will be retained for up to 6 months. ## Related topics+ - [Onboard Windows 10 devices using Group Policy](configure-endpoints-gp.md) - [Onboard Windows 10 devices using Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md) - [Onboard Windows 10 devices using a local script](configure-endpoints-script.md)
security Configure Endpoints Non Windows https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-endpoints-non-windows.md
ms.technology: mde
- macOS - Linux
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-nonwindows-abovefoldlink)
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-nonwindows-abovefoldlink)
Defender for Endpoint provides a centralized security operations experience for Windows and non-Windows platforms. You'll be able to see alerts from various supported operating systems (OS) in Microsoft 365 Defender and better protect your organization's network.
security Configure Endpoints Sccm https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-endpoints-sccm.md
ms.technology: mde
- Microsoft Endpoint Configuration Manager current branch - System Center 2012 R2 Configuration Manager
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configureendpointssccm-abovefoldlink)
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configureendpointssccm-abovefoldlink)
## Supported client operating systems
Check out the [PDF](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/publ
a. Choose a predefined device collection to deploy the package to. > [!NOTE]
-> Defender for Endpoint doesn't support onboarding during the [Out-Of-Box Experience (OOBE)](https://answers.microsoft.com/en-us/windows/wiki/windows_10/how-to-complete-the-windows-10-out-of-box/47e3f943-f000-45e3-8c5c-9d85a1a0cf87) phase. Make sure users complete OOBE after running Windows installation or upgrading.
+> Defender for Endpoint doesn't support onboarding during the [Out-Of-Box Experience (OOBE)](https://answers.microsoft.com/windows/wiki/windows_10/how-to-complete-the-windows-10-out-of-box/47e3f943-f000-45e3-8c5c-9d85a1a0cf87) phase. Make sure users complete OOBE after running Windows installation or upgrading.
->[!TIP]
+> [!TIP]
> After onboarding the device, you can choose to run a detection test to verify that an device is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Defender for Endpoint device](run-detection-test.md). > > Note that it's possible to create a detection rule on a Configuration Manager application to continuously check if a device has been onboarded. An application is a different type of object than a package and program. > If a device is not yet onboarded (due to pending OOBE completion or any other reason), Configuration Manager will retry to onboard the device until the rule detects the status change.
->
+>
> This behavior can be accomplished by creating a detection rule checking if the "OnboardingState" registry value (of type REG_DWORD) = 1. > This registry value is located under "HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status". For more information, see [Configure Detection Methods in System Center 2012 R2 Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg682159\(v=technet.10\)#step-4-configure-detection-methods-to-indicate-the-presence-of-the-deployment-type).
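Review bot: "verify that an device is properly onboarded" in the unchanged tip text should read "a device"; the MDM page in this same batch already uses "a device" for the identical sentence, so the two pages should match. The en-us locale removal from the OOBE link is consistent with the other link changes in this batch.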
For more information, see [Configure Detection Methods in System Center 2012 R2
For each device, you can set a configuration value to state whether samples can be collected from the device when a request is made through Microsoft 365 Defender to submit a file for deep analysis.
->[!NOTE]
->These configuration settings are typically done through Configuration Manager.
+> [!NOTE]
+> These configuration settings are typically done through Configuration Manager.
You can set a compliance rule for configuration item in Configuration Manager to change the sample share setting on a device.
-This rule should be a *remediating* compliance rule configuration item that sets the value of a registry key on targeted devices to make sure theyΓÇÖre complaint.
+This rule should be a *remediating* compliance rule configuration item that sets the value of a registry key on targeted devices to make sure they're complaint.
The configuration is set through the following registry key entry:
-```console
+```text
Path: "HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection" Name: "AllowSampleCollection" Value: 0 or 1 ```
-Where:<br>
-Key type is a D-WORD. <br>
-Possible values are:
-- 0 - doesn't allow sample sharing from this device-- 1 - allows sharing of all file types from this device
+Where Key type is a D-WORD. Possible values are:
-The default value in case the registry key doesnΓÇÖt exist is 1.
+- 0: Doesn't allow sample sharing from this device
+- 1: Allows sharing of all file types from this device
-For more information about System Center Configuration Manager Compliance, see [Introduction to compliance settings in System Center 2012 R2 Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg682139\(v=technet.10\)).
+The default value in case the registry key doesn't exist is 1.
+For more information about System Center Configuration Manager Compliance, see [Introduction to compliance settings in System Center 2012 R2 Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg682139\(v=technet.10\)).
## Other recommended configuration settings+ After onboarding devices to the service, it's important to take advantage of the included threat protection capabilities by enabling them with the following recommended configuration settings. ### Device collection configuration
-If you're using Endpoint Configuration Manager, version 2002 or later, you can choose to broaden the deployment to include servers or down-level clients.
+If you're using Endpoint Configuration Manager, version 2002 or later, you can choose to broaden the deployment to include servers or down-level clients.
### Next generation protection configuration+ The following configuration settings are recommended:
-**Scan** <br>
+#### Scan
+ - Scan removable storage devices such as USB drives: Yes
-**Real-time Protection** <br>
+#### Real-time Protection
+ - Enable Behavioral Monitoring: Yes - Enable protection against Potentially Unwanted Applications at download and prior to installation: Yes
-**Cloud Protection Service**
+#### Cloud Protection Service
+ - Cloud Protection Service membership type: Advanced membership
-**Attack surface reduction**
+#### Attack surface reduction
+ Configure all available rules to Audit.
->[!NOTE]
+> [!NOTE]
> Blocking these activities may interrupt legitimate business processes. The best approach is setting everything to audit, identifying which ones are safe to turn on, and then enabling those settings on endpoints which do not have false positive detections.
+#### Network protection
-**Network protection** <br>
-Prior to enabling network protection in audit or block mode, ensure that you've installed the antimalware platform update, which can be obtained from the [support page](https://support.microsoft.com/en-us/help/4560203/windows-defender-anti-malware-platform-binaries-are-missing).
+Prior to enabling network protection in audit or block mode, ensure that you've installed the antimalware platform update, which can be obtained from the [support page](https://support.microsoft.com/help/4560203/windows-defender-anti-malware-platform-binaries-are-missing).
+#### Controlled folder access
-**Controlled folder access**<br>
Enable the feature in audit mode for at least 30 days. After this period, review detections and create a list of applications that are allowed to write to protected directories. For more information, see [Evaluate controlled folder access](evaluate-controlled-folder-access.md). - ## Offboard devices using Configuration Manager For security reasons, the package used to Offboard devices will expire 30 days after the date it was downloaded. Expired offboarding packages sent to a device will be rejected. When downloading an offboarding package, you will be notified of the packages expiry date and it will also be included in the package name.
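Review bot: "to make sure they're complaint" is carried unchanged into the added line; it should be "compliant", and since the line is already being rewritten for the apostrophe this is the edit to fix it in. Related wording in the same hunk: "Key type is a D-WORD" should be "DWORD" (the file itself writes the type as REG_DWORD elsewhere), and "the packages expiry date" in the offboarding paragraph should be "package's expiry date". Switching the fence from ```console to ```text is right, since the block is a key/value description rather than terminal output.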
If you use Microsoft Endpoint Manager current branch, see [Create an offboarding
1. Get the offboarding package from [Microsoft 365 Defender portal](https://security.microsoft.com/):- 1. In the navigation pane, select **Settings** > **Endpoints** > **Device management** > **Offboarding**.- 1. Select Windows 10 as the operating system.- 1. In the **Deployment method** field, select **System Center Configuration Manager 2012/2012 R2/1511/1602**.
-
1. Select **Download package**, and save the .zip file. 2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*. 3. Deploy the package by following the steps in the [Packages and Programs in System Center 2012 R2 Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg699369\(v=technet.10\)) article.
- a. Choose a predefined device collection to deploy the package to.
+ Choose a predefined device collection to deploy the package to.
> [!IMPORTANT] > Offboarding causes the device to stop sending sensor data to the portal but data from the device, including reference to any alerts it has had will be retained for up to 6 months. - ## Monitor device configuration If you're using Microsoft Endpoint Manager current branch, use the built-in Defender for Endpoint dashboard in the Configuration Manager console. For more information, see [Defender for Endpoint - Monitor](/configmgr/protect/deploy-use/windows-defender-advanced-threat-protection#monitor).
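Review bot: dropping the "a." marker leaves "Choose a predefined device collection to deploy the package to." as an indented orphan line under step 3 rather than a sub-step; either keep it as a nested list item or fold it into step 3's sentence. Also, these steps say "Select **Download package**" while the MDM page in this batch says "Click **Download package**" for the same button; pick one verb for both pages.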
Value: "1"
For more information, see [Introduction to compliance settings in System Center 2012 R2 Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg682139\(v=technet.10\)). ## Related topics+ - [Onboard Windows 10 devices using Group Policy](configure-endpoints-gp.md) - [Onboard Windows 10 devices using Mobile Device Management tools](configure-endpoints-mdm.md) - [Onboard Windows 10 devices using a local script](configure-endpoints-script.md)
security Configure Endpoints Script https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-endpoints-script.md
ms.technology: mde
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configureendpointsscript-abovefoldlink)
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configureendpointsscript-abovefoldlink)
You can also manually onboard individual devices to Defender for Endpoint. You might want to do this first when testing the service before you commit to onboarding all devices in your network.
You can manually configure the sample sharing setting on the device by using *re
The configuration is set through the following registry key entry: ```console
-Path: ΓÇ£HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat ProtectionΓÇ¥
+Path: "HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection"
Name: "AllowSampleCollection" Value: 0 or 1 ```
Possible values are:
- 0 - doesn't allow sample sharing from this device - 1 - allows sharing of all file types from this device
-The default value in case the registry key doesnΓÇÖt exist is 1.
+The default value in case the registry key doesn't exist is 1.
## Offboard devices using a local script
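Review bot: this hunk fixes the smart quotes in the registry path but keeps the ```console fence, while the Configuration Manager page in this batch changed the identical block to ```text; use the same fence on both so the two pages render alike. Likewise, "Possible values are:" here still lists "0 - doesn't allow ..." while the sibling page now uses "0: Doesn't allow ..."; align the list style as well.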
security Configure Endpoints Vdi https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-endpoints-vdi.md
ms.technology: mde
- Virtual desktop infrastructure (VDI) devices - Windows 10, Windows Server 2019, Windows Server 2008R2/2012R2/2016
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configvdi-abovefoldlink)
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configvdi-abovefoldlink)
## Onboard non-persistent virtual desktop infrastructure (VDI) devices
The following steps will guide you through onboarding VDI devices and will highl
4. Depending on the method you'd like to implement, follow the appropriate steps:
- - For single entry for each device:
+ - For single entry for each device:
- Select the **PowerShell Scripts** tab, then click **Add** (Windows Explorer will open directly in the path where you copied the onboarding script earlier). Navigate to onboarding PowerShell script `Onboard-NonPersistentMachine.ps1`. There's no need to specify the other file, as it will be triggered automatically.
+ Select the **PowerShell Scripts** tab, then click **Add** (Windows Explorer will open directly in the path where you copied the onboarding script earlier). Navigate to onboarding PowerShell script `Onboard-NonPersistentMachine.ps1`. There's no need to specify the other file, as it will be triggered automatically.
- - For multiple entries for each device:
+ - For multiple entries for each device:
- Select the **Scripts** tab, then click **Add** (Windows Explorer will open directly in the path where you copied the onboarding script earlier). Navigate to the onboarding bash script `WindowsDefenderATPOnboardingScript.cmd`.
+ Select the **Scripts** tab, then click **Add** (Windows Explorer will open directly in the path where you copied the onboarding script earlier). Navigate to the onboarding bash script `WindowsDefenderATPOnboardingScript.cmd`.
5. Test your solution:
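Review bot: the re-indented text still calls `WindowsDefenderATPOnboardingScript.cmd` "the onboarding bash script"; a .cmd file is a Windows command script, so "the onboarding command script" (or simply "the onboarding script", as the PowerShell bullet above does) is the accurate wording. The indentation change itself is correct, since it keeps the nested lines inside step 4's bullets.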
The following steps will guide you through onboarding VDI devices and will highl
1. Depending on the method you'd like to implement, follow the appropriate steps:
- - For single entry for each device:
+ - For single entry for each device:
- Check only one entry in Microsoft 365 Defender portal.
+ Check only one entry in Microsoft 365 Defender portal.
- - For multiple entries for each device:
+ - For multiple entries for each device:
+
+ Check multiple entries in Microsoft 365 Defender portal.
- Check multiple entries in Microsoft 365 Defender portal.
6. Click **Devices list** on the Navigation pane.
If offline servicing isn't a viable option for your non-persistent VDI environme
PsExec.exe -s cmd.exe cd "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Cyber" del *.* /f /s /q
- REG DELETE ΓÇ£HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection" /v senseGuid /f
+ REG DELETE "HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection" /v senseGuid /f
exit ```
security Configure Endpoints https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-endpoints.md
ms.technology: mde
-# Onboarding tools and methods for Windows 10 devices
+# Onboarding tools and methods for Windows 10 devices in Defender for Endpoint
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
ms.technology: mde
- [Microsoft 365 Endpoint data loss prevention (DLP)](/microsoft-365/compliance/endpoint-dlp-learn-about) - [Microsoft 365 Insider risk management](/microsoft-365/compliance/insider-risk-management)
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-assignaccess-abovefoldlink)
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-assignaccess-abovefoldlink)
Devices in your organization must be configured so that the Defender for Endpoint service can get sensor data from them. There are various methods and deployment tools that you can use to configure the devices in your organization.
The following deployment tools and methods are supported:
- Local script ## In this section
-Topic | Description
-:|:
-[Onboard Windows 10 devices using Group Policy](configure-endpoints-gp.md) | Use Group Policy to deploy the configuration package on devices.
-[Onboard Windows devices using Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md) | You can use either use Microsoft Endpoint Manager (current branch) version 1606 or Microsoft Endpoint Manager (current branch) version 1602 or earlier to deploy the configuration package on devices.
-[Onboard Windows 10 devices using Mobile Device Management tools](configure-endpoints-mdm.md) | Use Mobile Device Management tools or Microsoft Intune to deploy the configuration package on device.
-[Onboard Windows 10 devices using a local script](configure-endpoints-script.md) | Learn how to use the local script to deploy the configuration package on endpoints.
-[Onboard non-persistent virtual desktop infrastructure (VDI) devices](configure-endpoints-vdi.md) | Learn how to use the configuration package to configure VDI devices.
+Topic|Description
+:|:
+[Onboard Windows 10 devices using Group Policy](configure-endpoints-gp.md)|Use Group Policy to deploy the configuration package on devices.
+[Onboard Windows devices using Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md)|You can use either use Microsoft Endpoint Manager (current branch) version 1606 or Microsoft Endpoint Manager (current branch) version 1602 or earlier to deploy the configuration package on devices.
+[Onboard Windows 10 devices using Mobile Device Management tools](configure-endpoints-mdm.md)|Use Mobile Device Management tools or Microsoft Intune to deploy the configuration package on device.
+[Onboard Windows 10 devices using a local script](configure-endpoints-script.md)|Learn how to use the local script to deploy the configuration package on endpoints.
+[Onboard non-persistent virtual desktop infrastructure (VDI) devices](configure-endpoints-vdi.md)|Learn how to use the configuration package to configure VDI devices.
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configureendpoints-belowfoldlink)
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configureendpoints-belowfoldlink)
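Review bot: the Configuration Manager row keeps the doubled verb "You can use either use Microsoft Endpoint Manager ..." in both the removed and the added line; write it as "You can use either Microsoft Endpoint Manager (current branch) version 1606 or Microsoft Endpoint Manager (current branch) version 1602 or earlier". In the same table, "deploy the configuration package on device" should be "on devices" to match the other rows. The tightened `Topic|Description` / `:|:` layout is fine.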
security Configure Machines Asr https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-machines-asr.md
ms.technology: mde
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
-> Want to experience Defender for Endpoint? [Sign up for a free trial](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink).
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink)
[Attack surface reduction (ASR) rules](./attack-surface-reduction.md) identify and prevent typical malware exploits. They control when and how potentially malicious code can run. For example, they can prevent JavaScript or VBScript from launching a downloaded executable, block Win32 API calls from Office macros, and block processes that run from USB drives.
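Review bot: every other page in this batch points the trial link at https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp, but this one keeps the older WindowsForBusiness/windows-atp address and only strips the en-us locale; switch it to the same destination so the trial links are consistent across the set.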
security Configure Machines Onboarding https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-machines-onboarding.md
ms.technology: mde
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
->Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink)
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink)
Each onboarded device adds an additional endpoint detection and response (EDR) sensor and increases visibility over breach activity in your network. Onboarding also ensures that a device can be checked for vulnerable components as well security configuration issues and can receive critical remediation actions during attacks. Before you can track and manage onboarding of devices:+ - [Enroll your devices to Intune management](configure-machines.md#enroll-devices-to-intune-management) - [Ensure you have the necessary permissions](configure-machines.md#obtain-required-permissions)
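Review bot: "can be checked for vulnerable components as well security configuration issues" in the unchanged context is missing a word; it should read "as well as security configuration issues".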
Before you can track and manage onboarding of devices:
The **Onboarding** card provides a high-level overview of your onboarding rate by comparing the number of Windows 10 devices that have actually onboarded to Defender for Endpoint against the total number of Intune-managed Windows 10 devices.
-![Device configuration management Onboarding card](images/secconmgmt_onboarding_card.png)<br>
+![Device configuration management Onboarding card](images/secconmgmt_onboarding_card.png)
+ *Card showing onboarded devices compared to the total number of Intune-managed Windows 10 device*
->[!NOTE]
->If you used Security Center Configuration Manager, the onboarding script, or other onboarding methods that donΓÇÖt use Intune profiles, you might encounter data discrepancies. To resolve these discrepancies, create a corresponding Intune configuration profile for Defender for Endpoint onboarding and assign that profile to your devices.
+> [!NOTE]
+> If you used Security Center Configuration Manager, the onboarding script, or other onboarding methods that don't use Intune profiles, you might encounter data discrepancies. To resolve these discrepancies, create a corresponding Intune configuration profile for Defender for Endpoint onboarding and assign that profile to your devices.
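Review bot: the NOTE text re-emitted in this hunk ("+> If you used Security Center Configuration Manager, the onboarding script, ...") still carries a wrong product name; the onboarding tool is System Center Configuration Manager (now Microsoft Endpoint Configuration Manager), so the line should read "If you used System Center Configuration Manager, the onboarding script, or other onboarding methods that don't use Intune profiles". In the same hunk the new caption "*Card showing onboarded devices compared to the total number of Intune-managed Windows 10 device*" should end in "devices".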
## Onboard more devices with Intune profiles
Defender for Endpoint provides several convenient options for [onboarding Window
From the **Onboarding** card, select **Onboard more devices** to create and assign a profile on Intune. The link takes you to the device compliance page on Intune, which provides a similar overview of your onboarding state.
-![Microsoft Defender for Endpoint device compliance page on Intune device management](images/secconmgmt_onboarding_1deviceconfprofile.png)<br>
- *Microsoft Defender for Endpoint device compliance page on Intune device management*
+![Microsoft Defender for Endpoint device compliance page on Intune device management](images/secconmgmt_onboarding_1deviceconfprofile.png)
->[!TIP]
->Alternatively, you can navigate to the Defender for Endpoint onboarding compliance page in the [Microsoft Azure portal](https://portal.azure.com/) from **All services > Intune > Device compliance > Microsoft Defender ATP**.
+*Microsoft Defender for Endpoint device compliance page on Intune device management*
->[!NOTE]
+> [!TIP]
+> Alternatively, you can navigate to the Defender for Endpoint onboarding compliance page in the [Microsoft Azure portal](https://portal.azure.com/) from **All services > Intune > Device compliance > Microsoft Defender ATP**.
+
+> [!NOTE]
> If you want to view the most up-to-date device data, click on **List of devices without ATP sensor**. From the device compliance page, create a configuration profile specifically for the deployment of the Defender for Endpoint sensor and assign that profile to the devices you want to onboard. To do this, you can either:
From the device compliance page, create a configuration profile specifically for
For more information, [read about using Intune device configuration profiles to onboard devices to Defender for Endpoint](/intune/advanced-threat-protection#onboard-devices-by-using-a-configuration-profile).
->Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-onboardconfigure-belowfoldlink)
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-onboardconfigure-belowfoldlink)
## Related topics+ - [Ensure your devices are configured properly](configure-machines.md) - [Increase compliance to the Defender for Endpoint security baseline](configure-machines-security-baseline.md) - [Optimize ASR rule deployment and detections](configure-machines-asr.md)
security Configure Machines Security Baseline https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-machines-security-baseline.md
ms.technology: mde
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink)
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink)
Security baselines ensure that security features are configured according to guidance from both security experts and expert Windows system administrators. When deployed, the Defender for Endpoint security baseline sets Defender for Endpoint security controls to provide optimal protection. To understand security baselines and how they are assigned on Intune using configuration profiles, [read this FAQ](/intune/security-baselines#q--a). Before you can deploy and track compliance to security baselines:+ - [Enroll your devices to Intune management](configure-machines.md#enroll-devices-to-intune-management) - [Ensure you have the necessary permissions](configure-machines.md#obtain-required-permissions) ## Compare the Microsoft Defender for Endpoint and the Windows Intune security baselines+ The Windows Intune security baseline provides a comprehensive set of recommended settings needed to securely configure devices running Windows, including browser settings, PowerShell settings, as well as settings for some security features like Microsoft Defender Antivirus. In contrast, the Defender for Endpoint baseline provides settings that optimize all the security controls in the Defender for Endpoint stack, including settings for endpoint detection and response (EDR) as well as settings also found in the Windows Intune security baseline. For more information about each baseline, see: - [Windows security baseline settings for Intune](/intune/security-baseline-settings-windows)
The Windows Intune security baseline provides a comprehensive set of recommended
Ideally, devices onboarded to Defender for Endpoint are deployed both baselines: the Windows Intune security baseline to initially secure Windows and then the Defender for Endpoint security baseline layered on top to optimally configure the Defender for Endpoint security controls. To benefit from the latest data on risks and threats and to minimize conflicts as baselines evolve, always apply the latest versions of the baselines across all products as soon as they are released.
->[!NOTE]
->The Defender for Endpoint security baseline has been optimized for physical devices and is currently not recommended for use on virtual machine (VMs) or VDI endpoints. Certain baseline settings can impact remote interactive sessions on virtualized environments.
+> [!NOTE]
+> The Defender for Endpoint security baseline has been optimized for physical devices and is currently not recommended for use on virtual machine (VMs) or VDI endpoints. Certain baseline settings can impact remote interactive sessions on virtualized environments.
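Review bot: the NOTE kept by this hunk ("virtual machine (VMs) or VDI endpoints") mixes singular and plural; since the change only re-spaces the callout marker, it is the right moment to make it "virtual machines (VMs) or VDI endpoints".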
## Monitor compliance to the Defender for Endpoint security baseline The **Security baseline** card on [device configuration management](configure-machines.md) provides an overview of compliance across Windows 10 devices that have been assigned the Defender for Endpoint security baseline.
-![Security baseline card](images/secconmgmt_baseline_card.png)<br>
+![Security baseline card](images/secconmgmt_baseline_card.png)
+ *Card showing compliance to the Defender for Endpoint security baseline* Each device is given one of the following status types: -- **Matches baseline**ΓÇödevice settings match all the settings in the baseline-- **Does not match baseline**ΓÇöat least one device setting doesn't match the baseline-- **Misconfigured**ΓÇöat least one baseline setting isn't properly configured on the device and is in a conflict, error, or pending state-- **Not applicable**ΓÇöAt least one baseline setting isn't applicable on the device
+- **Matches baseline**: Device settings match all the settings in the baseline.
+- **Does not match baseline**: At least one device setting doesn't match the baseline.
+- **Misconfigured**: At least one baseline setting isn't properly configured on the device and is in a conflict, error, or pending state.
+- **Not applicable**: At least one baseline setting isn't applicable on the device.
To review specific devices, select **Configure security baseline** on the card. This takes you to Intune device management. From there, select **Device status** for the names and statuses of the devices.
->[!NOTE]
->You might experience discrepancies in aggregated data displayed on the device configuration management page and those displayed on overview screens in Intune.
+> [!NOTE]
+> You might experience discrepancies in aggregated data displayed on the device configuration management page and those displayed on overview screens in Intune.
## Review and assign the Microsoft Defender for Endpoint security baseline
Device configuration management monitors baseline compliance only of Windows 10
1. Select **Configure security baseline** on the **Security baseline** card to go to Intune device management. A similar overview of baseline compliance is displayed.
- >[!TIP]
+ > [!TIP]
> Alternatively, you can navigate to the Defender for Endpoint security baseline in the Microsoft Azure portal from **All services > Intune > Device security > Security baselines > Microsoft Defender ATP baseline**. - 2. Create a new profile. ![Microsoft Defender for Endpoint security baseline overview on Intune](images/secconmgmt_baseline_intuneprofile1.png)<br>
Device configuration management monitors baseline compliance only of Windows 10
![Assigning the security baseline on Intune](images/secconmgmt_baseline_intuneprofile4.png)<br> *Creating the security baseline profile on Intune*
->[!TIP]
->Security baselines on Intune provide a convenient way to comprehensively secure and protect your devices. [Learn more about security baselines on Intune](/intune/security-baselines).
+> [!TIP]
+> Security baselines on Intune provide a convenient way to comprehensively secure and protect your devices. [Learn more about security baselines on Intune](/intune/security-baselines).
->Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-onboardconfigure-belowfoldlink)
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-onboardconfigure-belowfoldlink)
## Related topics+ - [Ensure your devices are configured properly](configure-machines.md) - [Get devices onboarded to Microsoft Defender for Endpoint](configure-machines-onboarding.md) - [Optimize ASR rule deployment and detections](configure-machines-asr.md)
security Configure Machines https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-machines.md
ms.technology: mde
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink)
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink)
With properly configured devices, you can boost overall resilience against threats and enhance your capability to detect and respond to attacks. Security configuration management helps ensure that your devices:
With properly configured devices, you can boost overall resilience against threa
Click **Configuration management** from the navigation menu to open the Device configuration management page.
-![Security configuration management page](images/secconmgmt_main.png)<br>
+![Security configuration management page](images/secconmgmt_main.png)
+ *Device configuration management page* You can track configuration status at an organizational level and quickly take action in response to poor onboarding coverage, compliance issues, and poorly optimized attack surface mitigations through direct, deep links to device management pages on Microsoft Intune and Microsoft 365 security center. In doing so, you benefit from:+ - Comprehensive visibility of the events on your devices - Robust threat intelligence and powerful device learning technologies for processing raw events and identifying the breach activity and threat indicators - A full stack of security features configured to efficiently stop the installation of malicious implants, hijacking of system files and process, data exfiltration, and other threat activities
Device configuration management works closely with Intune device management to e
Before you can ensure your devices are configured properly, enroll them to Intune management. Intune enrollment is robust and has several enrollment options for Windows 10 devices. For more information about Intune enrollment options, read about [setting up enrollment for Windows devices](/intune/windows-enroll).
->[!NOTE]
->To enroll Windows devices to Intune, administrators must have already been assigned licenses. [Read about assigning licenses for device enrollment](/intune/licenses-assign).
+> [!NOTE]
+> To enroll Windows devices to Intune, administrators must have already been assigned licenses. [Read about assigning licenses for device enrollment](/intune/licenses-assign).
->[!TIP]
->To optimize device management through Intune, [connect Intune to Defender for Endpoint](/intune/advanced-threat-protection#enable-windows-defender-atp-in-intune).
+> [!TIP]
+> To optimize device management through Intune, [connect Intune to Defender for Endpoint](/intune/advanced-threat-protection#enable-windows-defender-atp-in-intune).
## Obtain required permissions+ By default, only users who have been assigned the Global Administrator or the Intune Service Administrator role on Azure AD can manage and assign the device configuration profiles needed for onboarding devices and deploying the security baseline. If you have been assigned other roles, ensure you have the necessary permissions:
If you have been assigned other roles, ensure you have the necessary permissions
- Read permissions to device compliance policies - Read permissions to the organization
-![Required permissions on intune](images/secconmgmt_intune_permissions.png)<br>
+![Required permissions on intune](images/secconmgmt_intune_permissions.png)
+ *Device configuration permissions on Intune*
->[!TIP]
->To learn more about assigning permissions on Intune, [read about creating custom roles](/intune/create-custom-role#to-create-a-custom-role).
+> [!TIP]
+> To learn more about assigning permissions on Intune, [read about creating custom roles](/intune/create-custom-role#to-create-a-custom-role).
## In this section
-Topic | Description
+
+Topic|Description
:|:
-[Get devices onboarded to Defender for Endpoint](configure-machines-onboarding.md)| Track onboarding status of Intune-managed devices and onboard more devices through Intune.
-[Increase compliance to the Defender for Endpoint security baseline](configure-machines-security-baseline.md) | Track baseline compliance and noncompliance. Deploy the security baseline to more Intune-managed devices.
-[Optimize ASR rule deployment and detections](configure-machines-asr.md) | Review rule deployment and tweak detections using impact analysis tools in Microsoft 365 security center.
+[Get devices onboarded to Defender for Endpoint](configure-machines-onboarding.md)|Track onboarding status of Intune-managed devices and onboard more devices through Intune.
+[Increase compliance to the Defender for Endpoint security baseline](configure-machines-security-baseline.md)|Track baseline compliance and noncompliance. Deploy the security baseline to more Intune-managed devices.
+[Optimize ASR rule deployment and detections](configure-machines-asr.md)|Review rule deployment and tweak detections using impact analysis tools in Microsoft 365 security center.
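Review bot: the delimiter row under the new "Topic|Description" header is still ":|:", which contains no hyphens; GitHub-flavored Markdown requires at least one hyphen per cell in the delimiter row (for example ":---|:---"), so the table may render as plain text in previews that use GFM rather than the docs build. Tightening the header and body cells in this hunk without also fixing that row leaves the table dependent on the renderer's leniency.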
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-onboardconfigure-belowfoldlink)
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-onboardconfigure-belowfoldlink)
security Configure Microsoft Threat Experts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-microsoft-threat-experts.md
Title: Configure and manage Microsoft Threat Experts capabilities-+ description: Register to Microsoft Threats Experts to configure, manage, and use it in your daily security operations and security administration work. keywords: Microsoft Threat Experts, managed threat hunting service, MTE, Microsoft managed hunting service search.product: Windows 10
localization_priority: Normal audience: ITPro-+ - m365-security-compliance - m365initiative-defender-endpoint
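Review bot: the front-matter description touched in this hunk reads "Register to Microsoft Threats Experts"; the service name is Microsoft Threat Experts, as the title and keywords on the same lines spell it, so the description should be corrected while the metadata is being edited. "Register to" would also read better as "Register for".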
ms.technology: mde
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-assignaccess-abovefoldlink)
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-assignaccess-abovefoldlink)
+
+## Before you begin
-## Before you begin
> [!NOTE] > Discuss the eligibility requirements with your Microsoft Technical Service provider and account team before you apply to Microsoft Threat Experts - Targeted Attack Notification managed threat hunting service.
Ensure that you have Defender for Endpoint deployed in your environment with dev
If you're a Defender for Endpoint customer, you need to apply for **Microsoft Threat Experts - Targeted Attack Notifications** to get special insights and analysis to help identify the most critical threats, so you can respond to them quickly. Contact your account team or Microsoft representative to subscribe to **Microsoft Threat Experts - Experts on Demand** to consult with our threat experts on relevant detections and adversaries.
-## Apply for Microsoft Threat Experts - Targeted Attack Notifications service
-If you're already a Defender for Endpoint customer, you can apply through the Microsoft Defender Security Center.
+## Apply for Microsoft Threat Experts - Targeted Attack Notifications service
+
+If you're already a Defender for Endpoint customer, you can apply through the Microsoft Defender Security Center.
1. From the navigation pane, go to **Settings > General > Advanced features > Microsoft Threat Experts - Targeted Attack Notifications**.
If you're already a Defender for Endpoint customer, you can apply through the Mi
![Image of Microsoft Threat Experts application](images/mte-apply.png)
-4. Read the [privacy statement](https://privacy.microsoft.com/en-us/privacystatement), then click **Submit** when you're done. You will receive a welcome email once your application is approved.
+4. Read the [privacy statement](https://privacy.microsoft.com/privacystatement), then click **Submit** when you're done. You will receive a welcome email once your application is approved.
![Image of Microsoft Threat Experts application confirmation](images/mte-applicationconfirmation.png)
-When accepted, you will receive a welcome email and you will see the **Apply** button change to a toggle that is ΓÇ£onΓÇ¥. In case you want to take yourself out of the Targeted Attack Notifications service, slide the toggle ΓÇ£offΓÇ¥ and click **Save preferences** at the bottom of the page.
+When accepted, you will receive a welcome email and you will see the **Apply** button change to a toggle that is "on". In case you want to take yourself out of the Targeted Attack Notifications service, slide the toggle "off" and click **Save preferences** at the bottom of the page.
+
+## Where you'll see the targeted attack notifications from Microsoft Threat Experts
+
+You can receive targeted attack notification from Microsoft Threat Experts through the following medium:
-## Where you'll see the targeted attack notifications from Microsoft Threat Experts
-You can receive targeted attack notification from Microsoft Threat Experts through the following medium:
-- The Defender for Endpoint portal's **Incidents** page -- The Defender for Endpoint portal's **Alerts** dashboard
+- The Defender for Endpoint portal's **Incidents** page
+- The Defender for Endpoint portal's **Alerts** dashboard
- OData alerting [API](/windows/security/threat-protection/microsoft-defender-atp/get-alerts) and [REST API](/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api) - [DeviceAlertEvents](/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicealertevents-table) table in Advanced hunting-- Your email, if you choose to configure it
+- Your email, if you choose to configure it
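Review bot: the sentence introducing this list, "+You can receive targeted attack notification from Microsoft Threat Experts through the following medium:", is followed by five channels, so it should be plural: "targeted attack notifications ... through the following channels:". The hunk reflows the bullets but keeps the singular wording.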
To receive targeted attack notifications through email, create an email notification rule.
-### Create an email notification rule
+### Create an email notification rule
+ You can create rules to send email notifications for notification recipients. See [Configure alert notifications](configure-email-notifications.md) to create, edit, delete, or troubleshoot email notification, for details.
-## View the targeted attack notification
-You'll start receiving targeted attack notification from Microsoft Threat Experts in your email after you have configured your system to receive email notification.
+## View the targeted attack notification
+
+You'll start receiving targeted attack notification from Microsoft Threat Experts in your email after you have configured your system to receive email notification.
-1. Click the link in the email to go to the corresponding alert context in the dashboard tagged with **Threat experts**.
+1. Click the link in the email to go to the corresponding alert context in the dashboard tagged with **Threat experts**.
-2. From the dashboard, select the same alert topic that you got from the email, to view the details.
+2. From the dashboard, select the same alert topic that you got from the email, to view the details.
## Subscribe to Microsoft Threat Experts - Experts on Demand
-This is available as a subscription service. If you're already a Defender for Endpoint customer, you can contact your Microsoft representative to subscribe to Microsoft Threat Experts - Experts on Demand.
-## Consult a Microsoft threat expert about suspicious cybersecurity activities in your organization
-You can partner with Microsoft Threat Experts who can be engaged directly from within the Microsoft Defender Security Center for timely and accurate response. Experts provide insights to better understand complex threats, targeted attack notifications that you get, or if you need more information about the alerts, a potentially compromised device, or a threat intelligence context that you see on your portal dashboard.
+This is available as a subscription service. If you're already a Defender for Endpoint customer, you can contact your Microsoft representative to subscribe to Microsoft Threat Experts - Experts on Demand.
+
+## Consult a Microsoft threat expert about suspicious cybersecurity activities in your organization
+
+You can partner with Microsoft Threat Experts who can be engaged directly from within the Microsoft Defender Security Center for timely and accurate response. Experts provide insights to better understand complex threats, targeted attack notifications that you get, or if you need more information about the alerts, a potentially compromised device, or a threat intelligence context that you see on your portal dashboard.
> [!NOTE]
+>
> - Alert inquiries related to your organization's customized threat intelligence data are currently not supported. Consult your security operations or incident response team for details. > - You need to have the **Manage security settings** permission in the Security Center portal to be able to submit a "Consult a threat expert" inquiry.
-1. Navigate to the portal page with the relevant information that you'd like to investigate, for example, the **Incident** page. Ensure that the page for the relevant alert or device is in view before you send an investigation request.
+1. Navigate to the portal page with the relevant information that you'd like to investigate, for example, the **Incident** page. Ensure that the page for the relevant alert or device is in view before you send an investigation request.
-2. From the upper right-hand menu, click the **?** icon. Then, select **Consult a threat expert**.
+2. From the upper right-hand menu, click the **?** icon. Then, select **Consult a threat expert**.
![Image of Microsoft Threat Experts Experts on Demand from the menu](images/mte-eod-menu.png)
You can partner with Microsoft Threat Experts who can be engaged directly from w
The **Inquiry topic** field is pre-populated with the link to the relevant page for your investigation request. For example, a link to the incident, alert, or device details page that you were at when you made the request.
-3. In the next field, provide enough information to give the Microsoft Threat Experts enough context to start the investigation.
-
+3. In the next field, provide enough information to give the Microsoft Threat Experts enough context to start the investigation.
+ 4. Enter the email address that you'd like to use to correspond with Microsoft Threat Experts. > [!NOTE]
-> If you would like to track the status of your Experts on Demand cases through Microsoft Services Hub, reach out to your Technical Account Manager.
+> If you would like to track the status of your Experts on Demand cases through Microsoft Services Hub, reach out to your Technical Account Manager.
Watch this video for a quick overview of the Microsoft Services Hub.
->[!VIDEO https://www.microsoft.com/videoplayer/embed/RE4pk9f]
+> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4pk9f]
+## Sample investigation topics that you can consult with Microsoft Threat Experts - Experts on Demand
-
-## Sample investigation topics that you can consult with Microsoft Threat Experts - Experts on Demand
+### Alert information
-**Alert information**
- We see a new type of alert for a living-off-the-land binary: [AlertID]. Can you tell us something more about this alert and how we can investigate further?-- WeΓÇÖve observed two similar attacks, which try to execute malicious PowerShell scripts but generate different alerts. One is "Suspicious PowerShell command line" and the other is "A malicious file was detected based on indication provided by O365". What is the difference?-- I receive an odd alert today for abnormal number of failed logins from a high profile userΓÇÖs device. I cannot find any further evidence around these sign-in attempts. How can Defender for Endpoint see these attempts? What type of sign-ins are being monitored?-- Can you give more context or insights about this alert: ΓÇ£Suspicious behavior by a system utility was observedΓÇ¥.
+- We've observed two similar attacks, which try to execute malicious PowerShell scripts but generate different alerts. One is "Suspicious PowerShell command line" and the other is "A malicious file was detected based on indication provided by O365". What is the difference?
+- I receive an odd alert today for abnormal number of failed logins from a high profile user's device. I cannot find any further evidence around these sign-in attempts. How can Defender for Endpoint see these attempts? What type of sign-ins are being monitored?
+- Can you give more context or insights about this alert: "Suspicious behavior by a system utility was observed".
+
+### Possible machine compromise
-**Possible machine compromise**
-- Can you help answer why we see ΓÇ£Unknown process observed?ΓÇ¥ This message or alert is seen frequently on many devices. We appreciate any input to clarify whether this message or alert is related to malicious activity.
+- Can you help answer why we see "Unknown process observed?" This message or alert is seen frequently on many devices. We appreciate any input to clarify whether this message or alert is related to malicious activity.
- Can you help validate a possible compromise on the following system on [date] with similar behaviors as the previous [malware name] malware detection on the same system in [month]?
-**Threat intelligence details**
+### Threat intelligence details
+ - We detected a phishing email that delivered a malicious Word document to a user. The malicious Word document caused a series of suspicious events, which triggered multiple Microsoft Defender alerts for [malware name] malware. Do you have any information on this malware? If yes, can you send me a link?-- I recently saw a [social media reference, for example, Twitter or blog] post about a threat that is targeting my industry. Can you help me understand what protection Defender for Endpoint provides against this threat actor?
+- I recently saw a [social media reference, for example, Twitter or blog] post about a threat that is targeting my industry. Can you help me understand what protection Defender for Endpoint provides against this threat actor?
+
+### Microsoft Threat Experts' alert communications
-**Microsoft Threat ExpertsΓÇÖ alert communications**
- Can your incident response team help us address the targeted attack notification that we got?-- I received this targeted attack notification from Microsoft Threat Experts. We donΓÇÖt have our own incident response team. What can we do now, and how can we contain the incident?
+- I received this targeted attack notification from Microsoft Threat Experts. We don't have our own incident response team. What can we do now, and how can we contain the incident?
- I received a targeted attack notification from Microsoft Threat Experts. What data can you provide to us that we can pass on to our incident response team?
- >[!NOTE]
- >Microsoft Threat Experts is a managed cybersecurity hunting service and not an incident response service. However, the experts can seamlessly transition the investigation to Microsoft Cybersecurity Solutions Group (CSG)'s Detection and Response Team (DART) services, when necessary. You can also opt to engage with your own incident response team to address issues that requires an incident response.
+ > [!NOTE]
+ > Microsoft Threat Experts is a managed cybersecurity hunting service and not an incident response service. However, the experts can seamlessly transition the investigation to Microsoft Cybersecurity Solutions Group (CSG)'s Detection and Response Team (DART) services, when necessary. You can also opt to engage with your own incident response team to address issues that requires an incident response.
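Review bot: two grammar slips survive in the re-headed sample questions: "+- I receive an odd alert today for abnormal number of failed logins" should be "I received an odd alert today for an abnormal number of failed logins", and the closing NOTE, "to address issues that requires an incident response", should be "that require an incident response". Both lines are rewritten by this hunk anyway (quote style and heading level), so the wording fix belongs in the same change.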
## Scenario
-### Receive a progress report about your managed hunting inquiry
-Response from Microsoft Threat Experts varies according to your inquiry. They will email a progress report to you about your **Consult a threat expert** inquiry within two days, to communicate the investigation status from the following categories:
-- More information is needed to continue with the investigation -- A file or several file samples are needed to determine the technical context -- Investigation requires more time -- Initial information was enough to conclude the investigation
+### Receive a progress report about your managed hunting inquiry
-It is crucial to respond in quickly to keep the investigation moving.
+Response from Microsoft Threat Experts varies according to your inquiry. They will email a progress report to you about your **Consult a threat expert** inquiry within two days, to communicate the investigation status from the following categories:
+
+- More information is needed to continue with the investigation
+- A file or several file samples are needed to determine the technical context
+- Investigation requires more time
+- Initial information was enough to conclude the investigation
+
+It is crucial to respond in quickly to keep the investigation moving.
## Related topic+ - [Microsoft Threat Experts overview](microsoft-threat-experts.md) - [Microsoft Threat Experts in Microsoft 365 Overview](/microsoft-365/security/mtp/microsoft-threat-experts)
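Review bot: the line `+It is crucial to respond in quickly to keep the investigation moving.` carries the stray "in" over from the removed line; as the sentence is re-emitted in this hunk, drop it so it reads "It is crucial to respond quickly to keep the investigation moving." Splitting the four status categories into separate bullets is the right fix for the run-together list.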
security Configure Mssp Notifications https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-mssp-notifications.md
ms.technology: mde
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-mssp-support-abovefoldlink)
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-mssp-support-abovefoldlink)
>[!NOTE]
security Configure Mssp Support https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-mssp-support.md
ms.technology: mde
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-mssp-support-abovefoldlink)
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-mssp-support-abovefoldlink)
[!include[Prerelease information](../../includes/prerelease.md)]
security Configure Proxy Internet https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-proxy-internet.md
ms.technology: mde
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
-> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configureendpointsscript-abovefoldlink)
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configureendpointsscript-abovefoldlink)
The Defender for Endpoint sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Defender for Endpoint service.
The embedded Defender for Endpoint sensor runs in system context using the Local
The WinHTTP configuration setting is independent of the Windows Internet (WinINet) Internet browsing proxy settings and can only discover a proxy server by using the following discovery methods: - Auto-discovery methods:- - Transparent proxy- - Web Proxy Auto-discovery Protocol (WPAD) > [!NOTE]
The WinHTTP configuration setting is independent of the Windows Internet (WinINe
- Manual static proxy configuration: - Registry based configuration-
- - WinHTTP configured using netsh command ΓÇô Suitable only for desktops in a stable topology (for example: a desktop in a corporate network behind the same proxy)
+ - WinHTTP configured using netsh command: Suitable only for desktops in a stable topology (for example: a desktop in a corporate network behind the same proxy)
## Configure the proxy server manually using a registry-based static proxy
Configure a registry-based static proxy to allow only Defender for Endpoint sens
> [!NOTE] > When using this option on Windows 10 or Windows Server 2019, it is recommended to have the following (or later) build and cumulative update rollup: >
-> - Windows 10, version 1809 or Windows Server 2019 - https://support.microsoft.com/kb/5001384
-> - Windows 10, version 1909 - https://support.microsoft.com/kb/4601380
-> - Windows 10, version 2004 - https://support.microsoft.com/kb/4601382
-> - Windows 10, version 20H2 - https://support.microsoft.com/kb/4601382
+> - Windows 10, version 1809 or Windows Server 2019 - <https://support.microsoft.com/kb/5001384>
+> - Windows 10, version 1909 - <https://support.microsoft.com/kb/4601380>
+> - Windows 10, version 2004 - <https://support.microsoft.com/kb/4601382>
+> - Windows 10, version 20H2 - <https://support.microsoft.com/kb/4601382>
> > These updates improve the connectivity and reliability of the CnC (Command and Control) channel.
Use netsh to configure a system-wide static proxy.
> - Laptops that are changing topology (for example: from office to home) will malfunction with netsh. Use the registry-based static proxy configuration. 1. Open an elevated command-line:- 1. Go to **Start** and type **cmd**.- 1. Right-click **Command prompt** and select **Run as administrator**. 2. Enter the following command and press **Enter**:
If a proxy or firewall is blocking all traffic by default and allowing only spec
The following downloadable spreadsheet lists the services and their associated URLs that your network must be able to connect to. You should ensure that there are no firewall or network filtering rules that would deny access to these URLs, or you may need to create an *allow* rule specifically for them.
-| Spreadsheet of domains list | Description |
-|:--|:--|
-|![Thumb image for Microsoft Defender for Endpoint URLs spreadsheet](images/mdatp-urls.png)<br/> | Spreadsheet of specific DNS records for service locations, geographic locations, and OS. <br><br>[Download the spreadsheet here.](https://download.microsoft.com/download/8/e-urls.xlsx)
+<br>
+
+****
+|Spreadsheet of domains list|Description|
+|||
+|![Thumb image for Microsoft Defender for Endpoint URLs spreadsheet](images/mdatp-urls.png)|Spreadsheet of specific DNS records for service locations, geographic locations, and OS. <p> [Download the spreadsheet here.](https://download.microsoft.com/download/8/e-urls.xlsx)|
+|
If a proxy or firewall has HTTPS scanning (SSL inspection) enabled, exclude the domains listed in the above table from HTTPS scanning.
If a proxy or firewall is blocking anonymous traffic, as Defender for Endpoint s
The information below list the proxy and firewall configuration information required to communicate with Log Analytics agent (often referred to as Microsoft Monitoring Agent) for the previous versions of Windows such as Windows 7 SP1, Windows 8.1, Windows Server 2008 R2, Windows Server 2012 R2, and Windows Server 2016.
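Review bot: in the domains-list table, the new delimiter row `+|||` replaces a valid `|:--|:--|`; a GitHub-flavored Markdown parser requires at least one `-` in each cell of the delimiter row, so this may stop rendering as a table. Suggest `|---|---|` and check the preview build. The added `+<br>`, `+****` and the trailing `+|` line are stray and should be dropped; the download link is unchanged, so the hunk is presentation only.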
-|Agent Resource|Ports |Direction |Bypass HTTPS inspection|
-|||--|--|
-|*.ods.opinsights.azure.com |Port 443 |Outbound|Yes |
-|*.oms.opinsights.azure.com |Port 443 |Outbound|Yes |
-|*.blob.core.windows.net |Port 443 |Outbound|Yes |
-|*.azure-automation.net |Port 443 |Outbound|Yes |
+<br>
+
+****
+
+|Agent Resource|Ports|Direction|Bypass HTTPS inspection|
+|||||
+|*.ods.opinsights.azure.com|Port 443|Outbound|Yes|
+|*.oms.opinsights.azure.com|Port 443|Outbound|Yes|
+|*.blob.core.windows.net|Port 443|Outbound|Yes|
+|*.azure-automation.net|Port 443|Outbound|Yes|
> [!NOTE] > As a cloud-based solution, the IP range can change. It's recommended you move to DNS resolving setting.
Please see the following guidance to eliminate the wildcard (*) requirement for
2. Ensure the machine is successfully reporting into the Microsoft 365 Defender portal.
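Review bot: the Log Analytics agent table has the same delimiter-row problem as the domains table above: `+|||||` replaces `|||--|--|`, which at least had dashes in two cells; use `|---|---|---|---|` so all four columns render. The unchanged lead-in line "The information below list the proxy and firewall configuration information" should read "lists" while the section is being touched.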
-3. Run the TestCloudConnection.exe tool from ΓÇ£C:\Program Files\Microsoft Monitoring Agent\AgentΓÇ¥ to validate the connectivity and to see the required URLs for your specific workspace.
+3. Run the TestCloudConnection.exe tool from "C:\Program Files\Microsoft Monitoring Agent\Agent" to validate the connectivity and to see the required URLs for your specific workspace.
4. Check the Microsoft Defender for Endpoint URLs list for the complete list of requirements for your region (please refer to the Service URLs [Spreadsheet](https://download.microsoft.com/download/8/e-urls.xlsx)).
Verify the proxy configuration completed successfully, that WinHTTP can discover
2. Extract the contents of MDATPClientAnalyzer.zip on the device. 3. Open an elevated command-line:- 1. Go to **Start** and type **cmd**.- 1. Right-click **Command prompt** and select **Run as administrator**. 4. Enter the following command and press **Enter**:
security Configure Server Endpoints https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-server-endpoints.md
For Windows Server 2008 R2 SP1 and Windows Server 2012 R2: [Configure and update
If your servers need to use a proxy to communicate with Defender for Endpoint, use one of the following methods to configure the MMA to use the proxy server: - [Configure the MMA to use a proxy server](/azure/azure-monitor/platform/agent-windows#install-agent-using-setup-wizard)- - [Configure Windows to use a proxy server for all connections](configure-proxy-internet.md) If a proxy or firewall is in use, please ensure that servers can access all of the Microsoft Defender for Endpoint service URLs directly and without SSL interception. For more information, see [enable access to Defender for Endpoint service URLs](configure-proxy-internet.md#enable-access-to-microsoft-defender-for-endpoint-service-urls-in-the-proxy-server). Use of SSL interception will prevent the system from communicating with the Defender for Endpoint service.
Once completed, you should see onboarded Windows servers in the portal within an
In the Microsoft 365 Defender navigation pane, select **Settings** > **Endpoints** > **Device management** > **Onboarding**.
-2. Select **Windows Server 2008 R2 SP1, 2012 R2 and 2016** as the operating system.
+1. Select **Windows Server 2008 R2 SP1, 2012 R2 and 2016** as the operating system.
-3. Click **Onboard Servers in Azure Security Center**.
+2. Click **Onboard Servers in Azure Security Center**.
-4. Follow the onboarding instructions in [Microsoft Defender for Endpoint with Azure Defender](/azure/security-center/security-center-wdatp) and If you are using Azure ARC, Follow the onboarding instructions in [Enabling the Microsoft Defender for Endpoint integration](/azure/security-center/security-center-wdatp#enabling-the-microsoft-defender-for-endpoint-integration).
+3. Follow the onboarding instructions in [Microsoft Defender for Endpoint with Azure Defender](/azure/security-center/security-center-wdatp) and If you are using Azure ARC, Follow the onboarding instructions in [Enabling the Microsoft Defender for Endpoint integration](/azure/security-center/security-center-wdatp#enabling-the-microsoft-defender-for-endpoint-integration).
After completing the onboarding steps, you'll need to [Configure and update System Center Endpoint Protection clients](#configure-and-update-system-center-endpoint-protection-clients).
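Review bot: renumbering the steps to `+1.`, `+2.`, `+3.` leaves the preceding unchanged line "In the Microsoft 365 Defender navigation pane, select **Settings** > **Endpoints** > ..." without a number even though it reads as the first step, so the rendered list now begins at "Select **Windows Server 2008 R2 SP1, 2012 R2 and 2016**"; either number that line `1.` as well or keep the original 2, 3, 4. The re-emitted `+3.` line also keeps "and If you are using Azure ARC, Follow the onboarding instructions"; it should be "and if you are using Azure Arc, follow".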
Support for Windows Server provides deeper insight into server activities, cover
3. Run the following command to check if Microsoft Defender AV is installed:
- ```sc.exe query Windefend```
+ ```dos
+ sc.exe query Windefend
+ ```
If the result is 'The specified service doesn't exist as an installed service', then you'll need to install Microsoft Defender AV. For more information, see [Microsoft Defender Antivirus in Windows 10](/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10).
The following capabilities are included in this integration:
- Server investigation - Azure Defender customers can access Microsoft 365 Defender to perform detailed investigation to uncover the scope of a potential breach. > [!IMPORTANT]
-> - When you use Azure Defender to monitor servers, a Defender for Endpoint tenant is automatically created (in the US for US users, in the EU for European and UK users).<br>
+>
+> - When you use Azure Defender to monitor servers, a Defender for Endpoint tenant is automatically created (in the US for US users, in the EU for European and UK users).
Data collected by Defender for Endpoint is stored in the geo-location of the tenant as identified during provisioning. > - If you use Defender for Endpoint before using Azure Defender, your data will be stored in the location you specified when you created your tenant even if you integrate with Azure Defender at a later time.
-> - Once configured, you cannot change the location where your data is stored. If you need to move your data to another location, you need to contact Microsoft Support to reset the tenant. <br>
+> - Once configured, you cannot change the location where your data is stored. If you need to move your data to another location, you need to contact Microsoft Support to reset the tenant.
+>
Server endpoint monitoring utilizing this integration has been disabled for Office 365 GCC customers. ## Configure and update System Center Endpoint Protection clients
You can offboard Windows Server (SAC), Windows Server 2019, and Windows Server 2
- [Offboard and monitor devices using Mobile Device Management tools](configure-endpoints-mdm.md#offboard-and-monitor-devices-using-mobile-device-management-tools) - [Offboard devices using a local script](configure-endpoints-script.md#offboard-devices-using-a-local-script) - For other Windows server versions, you have two options to offboard Windows servers from the service: - Uninstall the MMA agent
To offboard the Windows server, you can use either of the following methods:
$AgentCfg.RemoveCloudWorkspace("WorkspaceID") # Reload the configuration and apply changes $AgentCfg.ReloadConfiguration()- ``` ## Onboarding Servers with no management solution
OPINSIGHTS_WORKSPACE_KEY=<your workspace key>== AcceptEndUserLicenseAgreement=1"
## Group Policy Configuration
-Create a new group policy specifically for onboarding devices such as ΓÇ£Microsoft Defender for Endpoint OnboardingΓÇ¥.
+Create a new group policy specifically for onboarding devices such as "Microsoft Defender for Endpoint Onboarding".
-- Create a Group Policy Folder named ΓÇ£c:\windows\MMAΓÇ¥
+- Create a Group Policy Folder named "c:\windows\MMA"
:::image type="content" source="images/grppolicyconfig1.png" alt-text="folders":::
Create a new group policy specifically for onboarding devices such as ΓÇ£Microso
:::image type="content" source="images/grppolicyconfig2.png" alt-text="group policy image1"::: It copies the files from DOMAIN\NETLOGON\MMA\filename to
-C:\windows\MMA\filename ΓÇô **so the installation files are local to the server**:
+C:\windows\MMA\filename - **so the installation files are local to the server**:
:::image type="content" source="images/deploymma.png" alt-text="deploy mma cmd":::
The name of the file to run here is c:\windows\MMA\DeployMMA.cmd.
Once the server is restarted as part of the start-up process it will install the Update for customer experience and diagnostic telemetry KB, and then install the MMA Agent, while setting the Workspace ID and Key, and the server will be onboarded. You could also use an **immediate task** to run the deployMMA.cmd if you don't want to reboot all the servers.
-This could be done in two phases. First create **the files and the folder in** GPO ΓÇô Give the system time to ensure the GPO has been applied, and all the servers have the install files. Then, add the immediate task. This will achieve the same result without requiring a reboot.
+This could be done in two phases. First create **the files and the folder in** GPO. Give the system time to ensure the GPO has been applied, and all the servers have the install files. Then, add the immediate task. This will achieve the same result without requiring a reboot.
As the Script has an exit method and wont re-run if the MMA is installed, you could also use a daily scheduled task to achieve the same result. Similar to a Configuration Manager compliance policy it will check daily to ensure the MMA is present.
For Windows Server 2008 R2 PS1, ensure that you fulfill the following requiremen
- Install either [.NET framework 4.5](https://www.microsoft.com/download/details.aspx?id=30653) (or later) or [KB3154518](https://support.microsoft.com/help/3154518/support-for-tls-system-default-versions-included-in-the-net-framework) Please check the KBs are present before onboarding Windows Server 2008 R2
-This process allows you to onboard all the servers if you donΓÇÖt have Configuration Manager managing Servers.
+This process allows you to onboard all the servers if you don't have Configuration Manager managing Servers.
## Related topics
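Review bot: this hunk replaces the mojibake quotes and dashes (`ΓÇ£`, `ΓÇ¥`, `ΓÇô`, `ΓÇÖ`) in the Group Policy section but leaves two typos on adjacent unchanged lines: "For Windows Server 2008 R2 PS1, ensure that you fulfill the following requiremen..." should say "SP1", and "As the Script has an exit method and wont re-run if the MMA is installed" needs "won't". Both are worth folding into the same cleanup.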
security Configure Siem https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-siem.md
ms.technology: mde
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configuresiem-abovefoldlink)
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configuresiem-abovefoldlink)
## Pull detections using security information and events management (SIEM) tools
security Configure Vulnerability Email Notifications https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-vulnerability-email-notifications.md
**Applies to:** - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-emailconfig-abovefoldlink)
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-emailconfig-abovefoldlink)
Configure Microsoft Defender for Endpoint to send email notifications to specified recipients for new vulnerability events. This feature enables you to identify a group of individuals who will immediately be informed and can act on the notifications based on the event. The vulnerability information comes from Defender for Endpoint's [threat and vulnerability management](next-gen-threat-and-vuln-mgt.md) capability.
security Connected Applications https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/connected-applications.md
ms.technology: mde
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-assignaccess-abovefoldlink)
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-assignaccess-abovefoldlink)
Connected applications integrates with the Defender for Endpoint platform using APIs.
security Contact Support https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/contact-support.md
ms.technology: mde
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-assignaccess-abovefoldlink)
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-assignaccess-abovefoldlink)
Defender for Endpoint has recently upgraded the support process to offer a more modern and advanced support experience.
Learn how to open support tickets by contacting Defender for Endpoint support.
> If you have a permier support contract with Microsoft, you will see the premier tag on the widget. If not, contact your Microsoft account manager. ### Contact support
-This option is available by clicking the icon that looks like a headset. You will then get the following page to submit your support case:
+This option is available by clicking the icon that looks like a headset. You will then get the following page to submit your support case: </br>
+
-![Image of the open a service request widget](images/contact-support-screen.png)
1. Fill in a title and description for the issue you are facing, as well as a phone number and email address where we may reach you.
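Review bot: `+This option is available by clicking the icon that looks like a headset. ... submit your support case: </br>` uses `</br>`, which is a closing tag for a void element and not valid HTML; use `<br>` or `<br/>`, or simply a blank line. The bigger issue is that the hunk deletes `![Image of the open a service request widget](images/contact-support-screen.png)` without touching the sentence "You will then get the following page", which now points at nothing; either keep the screenshot or reword the sentence. The unchanged context line above also has "permier" for "premier".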
security Control Usb Devices Using Intune https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/control-usb-devices-using-intune.md
Microsoft recommends [a layered approach to securing removable media](https://ak
4. [Respond to threats](#respond-to-threats) from peripherals in real-time based on properties reported by each peripheral.
->[!Note]
->These threat reduction measures help prevent malware from coming into your environment. To protect enterprise data from leaving your environment, you can also configure data loss prevention measures. For example, on Windows 10 devices you can configure [BitLocker](/windows/security/information-protection/bitlocker/bitlocker-overview.md) and [Windows Information Protection](/windows/security/information-protection/create-wip-policy-using-intune-azure.md), which will encrypt company data even if it is stored on a personal device, or use the [Storage/RemovableDiskDenyWriteAccess CSP](/windows/client-management/mdm/policy-csp-storage#storage-removablediskdenywriteaccess) to deny write access to removable disks. Additionally, you can [classify and protect files on Windows devices](/windows/security/threat-protection/windows-defender-atp/information-protection-in-windows-overview) (including their mounted USB devices) by using Microsoft Defender for Endpoint and Azure Information Protection.
+> [!NOTE]
+> These threat reduction measures help prevent malware from coming into your environment. To protect enterprise data from leaving your environment, you can also configure data loss prevention measures. For example, on Windows 10 devices you can configure [BitLocker](/windows/security/information-protection/bitlocker/bitlocker-overview.md) and [Windows Information Protection](/windows/security/information-protection/create-wip-policy-using-intune-azure.md), which will encrypt company data even if it is stored on a personal device, or use the [Storage/RemovableDiskDenyWriteAccess CSP](/windows/client-management/mdm/policy-csp-storage#storage-removablediskdenywriteaccess) to deny write access to removable disks. Additionally, you can [classify and protect files on Windows devices](/windows/security/threat-protection/windows-defender-atp/information-protection-in-windows-overview) (including their mounted USB devices) by using Microsoft Defender for Endpoint and Azure Information Protection.
## Discover plug and play connected events
Sample Power BI report templates are available for Microsoft Defender for Endpoi
## Allow or block removable devices The following table describes the ways Microsoft Defender for Endpoint can allow or block removable devices based on granular configuration.
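Review bot: the re-emitted note keeps two site-relative links that end in `.md` (`/windows/security/information-protection/bitlocker/bitlocker-overview.md` and `/windows/security/information-protection/create-wip-policy-using-intune-azure.md`), while the other cross-repo links on the same line, such as `/windows/client-management/mdm/policy-csp-storage#storage-removablediskdenywriteaccess`, correctly omit the extension. Site-relative docs links do not take `.md`, so these two are likely to 404; verify in the build report and strip the suffix.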
-| Control | Description |
-|-|-|
-| [Restrict USB drives and other peripherals](#restrict-usb-drives-and-other-peripherals) | You can allow/prevent users to install only the USB drives and other peripherals included on a list of authorized/unauthorized devices or device types. |
-| [Block installation and usage of removable storage](#block-installation-and-usage-of-removable-storage) | You can't install or use removable storage. |
-| [Allow installation and usage of specifically approved peripherals](#allow-installation-and-usage-of-specifically-approved-peripherals) | You can only install and use approved peripherals that report specific properties in their firmware. |
-| [Prevent installation of specifically prohibited peripherals](#prevent-installation-of-specifically-prohibited-peripherals) | You can't install or use prohibited peripherals that report specific properties in their firmware. |
-| [Allow installation and usage of specifically approved peripherals with matching device instance IDs](#allow-installation-and-usage-of-specifically-approved-peripherals-with-matching-device-instance-ids) | You can only install and use approved peripherals that match any of these device instance IDs. |
-| [Prevent installation and usage of specifically prohibited peripherals with matching device instance IDs](#prevent-installation-and-usage-of-specifically-prohibited-peripherals-with-matching-device-instance-ids) | You can't install or use prohibited peripherals that match any of these device instance IDs. |
-| [Limit services that use Bluetooth](#limit-services-that-use-bluetooth) | You can limit the services that can use Bluetooth. |
-| [Use Microsoft Defender for Endpoint baseline settings](#use-microsoft-defender-for-endpoint-baseline-settings) | You can set the recommended configuration for ATP by using the Defender for Endpoint security baseline. |
+<br>
+
+****
+
+|Control|Description|
+|||
+|[Restrict USB drives and other peripherals](#restrict-usb-drives-and-other-peripherals)|You can allow/prevent users to install only the USB drives and other peripherals included on a list of authorized/unauthorized devices or device types.|
+|[Block installation and usage of removable storage](#block-installation-and-usage-of-removable-storage)|You can't install or use removable storage.|
+|[Allow installation and usage of specifically approved peripherals](#allow-installation-and-usage-of-specifically-approved-peripherals)|You can only install and use approved peripherals that report specific properties in their firmware.|
+|[Prevent installation of specifically prohibited peripherals](#prevent-installation-of-specifically-prohibited-peripherals)|You can't install or use prohibited peripherals that report specific properties in their firmware.|
+|[Allow installation and usage of specifically approved peripherals with matching device instance IDs](#allow-installation-and-usage-of-specifically-approved-peripherals-with-matching-device-instance-ids)|You can only install and use approved peripherals that match any of these device instance IDs.|
+|[Prevent installation and usage of specifically prohibited peripherals with matching device instance IDs](#prevent-installation-and-usage-of-specifically-prohibited-peripherals-with-matching-device-instance-ids)|You can't install or use prohibited peripherals that match any of these device instance IDs.|
+|[Limit services that use Bluetooth](#limit-services-that-use-bluetooth)|You can limit the services that can use Bluetooth.|
+|[Use Microsoft Defender for Endpoint baseline settings](#use-microsoft-defender-for-endpoint-baseline-settings)|You can set the recommended configuration for ATP by using the Defender for Endpoint security baseline.|
+|
### Restrict USB drives and other peripherals To prevent malware infections or data loss, an organization may restrict USB drives and other peripherals. The following table describes the ways Microsoft Defender for Endpoint can help prevent installation and usage of USB drives and other peripherals.
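Review bot: the controls table gets the same invalid delimiter row `+|||` in place of `|-|-|`, plus the stray `+<br>`, `+****` and trailing `+|` lines; use `|---|---|` and drop the extras. Since every row is being re-emitted, the last row's "recommended configuration for ATP" could also be updated to the current product name used elsewhere in the same row, "Defender for Endpoint".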
-| Control | Description
-|-|-|
-| [Allow installation and usage of USB drives and other peripherals](#allow-installation-and-usage-of-usb-drives-and-other-peripherals) | Allow users to install only the USB drives and other peripherals included on a list of authorized devices or device types |
-| [Prevent installation and usage of USB drives and other peripherals](#prevent-installation-and-usage-of-usb-drives-and-other-peripherals) | Prevent users from installing USB drives and other peripherals included on a list of unauthorized devices and device types |
+<br>
+
+****
+
+|Control|Description
+|||
+|[Allow installation and usage of USB drives and other peripherals](#allow-installation-and-usage-of-usb-drives-and-other-peripherals)|Allow users to install only the USB drives and other peripherals included on a list of authorized devices or device types|
+|[Prevent installation and usage of USB drives and other peripherals](#prevent-installation-and-usage-of-usb-drives-and-other-peripherals)|Prevent users from installing USB drives and other peripherals included on a list of unauthorized devices and device types|
+|
All of the above controls can be set through the Intune [Administrative Templates](/intune/administrative-templates-windows). The relevant policies are located here in the Intune Administrator Templates: ![screenshot of list of Admin Templates](images/admintemplates.png)
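Review bot: the header row `+|Control|Description` inherits the missing closing pipe from the removed `| Control | Description` line, and the delimiter row `+|||` again lacks dashes; the table should be `|Control|Description|` followed by `|---|---|`. The trailing `+|` line should be removed as well.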
->[!Note]
->Using Intune, you can apply device configuration policies to Azure AD user and/or device groups.
+> [!NOTE]
+> Using Intune, you can apply device configuration policies to Azure AD user and/or device groups.
The above policies can also be set through the [Device Installation CSP settings](/windows/client-management/mdm/policy-csp-deviceinstallation) and the [Device Installation GPOs](/previous-versions/dotnet/articles/bb530324(v=msdn.10)).-
-> [!Note]
+>
> Always test and refine these settings with a pilot group of users and devices first before applying them in production. For more information about controlling USB devices, see the [Microsoft Defender for Endpoint blog](https://www.microsoft.com/security/blog/2018/12/19/windows-defender-atp-has-protections-for-usb-and-removable-devices/).
For more information about controlling USB devices, see the [Microsoft Defender
One way to approach allowing installation and usage of USB drives and other peripherals is to start by allowing everything. Afterwards, you can start reducing the allowable USB drivers and other peripherals.
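Review bot: replacing `-> [!Note]` with a bare `+>` drops the note marker, so "> Always test and refine these settings with a pilot group of users and devices first..." now renders as a plain blockquote instead of a note callout. If the intent was to merge it into the `> [!NOTE]` block two lines above, the intervening prose line "The above policies can also be set through the [Device Installation CSP settings]..." prevents that; keep `> [!NOTE]` here or move the sentence into the earlier note.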
->[!Note]
->Because an unauthorized USB peripheral can have firmware that spoofs its USB properties, we recommend only allowing specifically approved USB peripherals and limiting the users who can access them.
+> [!NOTE]
+> Because an unauthorized USB peripheral can have firmware that spoofs its USB properties, we recommend only allowing specifically approved USB peripherals and limiting the users who can access them.
1. Enable **Prevent installation of devices not described by other policy settings** to all users. 2. Enable **Allow installation of devices using drivers that match these device setup classes** for all [device setup classes](/windows-hardware/drivers/install/system-defined-device-setup-classes-available-to-vendors).
For example:
1. Remove class USBDevice from the **Allow installation of devices using drivers that match these device setup**. 2. Add the device ID to allow in the **Allow installation of device that match any of these device IDs**. - #### Prevent installation and usage of USB drives and other peripherals If you want to prevent the installation of a device class or certain devices, you can use the prevent device installation policies:
If you want to prevent the installation of a device class or certain devices, yo
1. Enable **Prevent installation of devices that match any of these device IDs** and add these devices to the list. 2. Enable **Prevent installation of devices using drivers that match these device setup classes**.
-> [!Note]
+> [!NOTE]
> The prevent device installation policies take precedence over the allow device installation policies.
-The **Prevent installation of devices that match any of these device IDs** policy allows you to specify a list of devices that Windows is prevented from installing.
+The **Prevent installation of devices that match any of these device IDs** policy allows you to specify a list of devices that Windows is prevented from installing.
To prevent installation of devices that match any of these device IDs:
For information on vendor IDs, see [USB members](https://www.usb.org/members).
The following is an example for looking up a device vendor ID or product ID (which is part of the device ID) using PowerShell: ```powershell
-Get-WMIObject -Class Win32_DiskDrive |
-Select-Object -Property *
+Get-WMIObject -Class Win32_DiskDrive | Select-Object -Property *
```
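Review bot: the collapsed one-liner `Get-WMIObject -Class Win32_DiskDrive | Select-Object -Property *` still dumps every property of every disk, which is the opposite of the vendor/product ID lookup the sentence above promises, and `Get-WmiObject` does not exist in PowerShell 7, so the example fails on the newer shell. Filter to USB disks and select only the identifying fields, e.g. `Get-CimInstance -ClassName Win32_DiskDrive | Where-Object InterfaceType -eq 'USB' | Select-Object Model, PNPDeviceID`. Note that `PNPDeviceID` on a USB disk is the `USBSTOR\...` instance ID (vendor and product strings plus serial), while the numeric `VID_xxxx&PID_xxxx` values the text refers to are on the parent USB device, readable with `Get-PnpDevice -Class USB | Select-Object FriendlyName, InstanceId`; either string can go into the device ID lists, but the text should say which one it means.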
-The **Prevent installation of devices using drivers that match these device setup classes** policy allows you to specify device setup classes that Windows is prevented from installing.
+The **Prevent installation of devices using drivers that match these device setup classes** policy allows you to specify device setup classes that Windows is prevented from installing.
-To prevent installation of particular classes of devices:
+To prevent installation of particular classes of devices:
1. Find the GUID of the device setup class from [System-Defined Device Setup Classes Available to Vendors](/windows-hardware/drivers/install/system-defined-device-setup-classes-available-to-vendors).
To prevent installation of particular classes of devices:
> ![Create device configuration profile](images/create-device-configuration-profile.png) 3. Use the following settings:- - Name: Type a name for the profile - Description: Type a description - Platform: Windows 10 and later
You can prevent installation of the prohibited peripherals with matching device
### Limit services that use Bluetooth
-Using Intune, you can limit the services that can use Bluetooth through the ["Bluetooth allowed services"](/windows/client-management/mdm/policy-csp-bluetooth#servicesallowedlist-usage-guide). The default state of "Bluetooth allowed services" settings means everything is allowed. As soon as a service is added, that becomes the allowed list. If the customer adds the Keyboards and Mice values, and doesnΓÇÖt add the file transfer GUIDs, file transfer should be blocked.
+Using Intune, you can limit the services that can use Bluetooth through the ["Bluetooth allowed services"](/windows/client-management/mdm/policy-csp-bluetooth#servicesallowedlist-usage-guide). The default state of "Bluetooth allowed services" settings means everything is allowed. As soon as a service is added, that becomes the allowed list. If the customer adds the Keyboards and Mice values, and doesn't add the file transfer GUIDs, file transfer should be blocked.
> [!div class="mx-imgBorder"] > ![screenshot of Bluetooth settings page](images/bluetooth.png)
Microsoft Defender for Endpoint can also prevent USB peripherals from being used
Note that if you block USB devices or any other device classes using the device installation policies, connected devices, such as phones, can still charge.
->[!NOTE]
->Always test and refine these settings with a pilot group of users and devices first before widely distributing to your organization.
+> [!NOTE]
+> Always test and refine these settings with a pilot group of users and devices first before widely distributing to your organization.
The following table describes the ways Microsoft Defender for Endpoint can help prevent threats from removable storage. For more information about controlling USB devices, see the [Microsoft Defender for Endpoint blog](https://aka.ms/devicecontrolblog).
-| Control | Description |
-|-|-|
-| [Enable Microsoft Defender Antivirus Scanning](#enable-microsoft-defender-antivirus-scanning) | Enable Microsoft Defender Antivirus scanning for real-time protection or scheduled scans.|
-| [Block untrusted and unsigned processes on USB peripherals](#block-untrusted-and-unsigned-processes-on-usb-peripherals) | Block USB files that are unsigned or untrusted. |
-| [Protect against Direct Memory Access (DMA) attacks](#protect-against-direct-memory-access-dma-attacks) | Configure settings to protect against DMA attacks. |
+<br>
->[!NOTE]
->Because an unauthorized USB peripheral can have firmware that spoofs its USB properties, we recommend only allowing specifically approved USB peripherals and limiting the users who can access them.
+****
+
+|Control|Description|
+|||
+|[Enable Microsoft Defender Antivirus Scanning](#enable-microsoft-defender-antivirus-scanning)|Enable Microsoft Defender Antivirus scanning for real-time protection or scheduled scans.|
+|[Block untrusted and unsigned processes on USB peripherals](#block-untrusted-and-unsigned-processes-on-usb-peripherals)|Block USB files that are unsigned or untrusted.|
+|[Protect against Direct Memory Access (DMA) attacks](#protect-against-direct-memory-access-dma-attacks)|Configure settings to protect against DMA attacks.|
+|
+
+> [!NOTE]
+> Because an unauthorized USB peripheral can have firmware that spoofs its USB properties, we recommend only allowing specifically approved USB peripherals and limiting the users who can access them.
### Enable Microsoft Defender Antivirus Scanning
Protecting authorized removable storage with Microsoft Defender Antivirus requir
- If scheduled scans are used, then you need to disable the DisableRemovableDriveScanning setting (enabled by default) to scan the removable device during a full scan. Removable devices are scanned during a quick or custom scan regardless of the DisableRemovableDriveScanning setting.
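Review bot: the rebuilt control table has a dash-less delimiter row `|||` and a stray lone `|` line after the last row; the removed version used `|-|-|`, which every Markdown flavor treats as a delimiter row, so keep dashes (`|---|---|`) rather than relying on the docs renderer accepting empty separator cells, and drop the trailing `|` line, which is not a row and will either render as an empty row or as a literal pipe. Also check whether the added `****` line above the table is intended; on its own line it is a thematic break, so a horizontal rule now appears between the intro sentence and the table.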
->[!NOTE]
->We recommend enabling real-time monitoring for scanning. In Intune, you can enable real-time monitoring for Windows 10 in **Device Restrictions** > **Configure** > **Microsoft Defender Antivirus** > **Real-time monitoring**.
+> [!NOTE]
+> We recommend enabling real-time monitoring for scanning. In Intune, you can enable real-time monitoring for Windows 10 in **Device Restrictions** > **Configure** > **Microsoft Defender Antivirus** > **Real-time monitoring**.
<!-- Need to build out point in the preceding note. -->
You can create custom alerts and response actions with the WDATP Connector and t
**Threat Scanning** on USB devices. **Restrict execution of all applications** on the machine except a predefined set+ MDATP connector is one of over 200 pre-defined connectors including Outlook, Teams, Slack, etc. Custom connectors can be built.+ - [More information on WDATP Connector Response Actions](/connectors/wdatp/) **Custom Detection Rules Response Action:**+ Both machine and file level actions can be applied.+ - [More information on Custom Detection Rules Response Actions](/microsoft-365/security/defender-endpoint/custom-detection-rules) For information on device control related advance hunting events and examples on how to create custom alerts, see [Advanced hunting updates: USB events, machine-level actions, and schema changes](https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/Advanced-hunting-updates-USB-events-machine-level-actions-and/ba-p/824152).
For information on device control related advance hunting events and examples on
## Respond to threats You can create custom alerts and automatic response actions with the [Microsoft Defender for Endpoint Custom Detection Rules](/microsoft-365/security/defender-endpoint/custom-detection-rules). Response actions within the custom detection cover both machine and file level actions. You can also create alerts and automatic response actions using [PowerApps](https://powerapps.microsoft.com/) and [Flow](https://flow.microsoft.com/) with the [Microsoft Defender for Endpoint connector](/connectors/wdatp/). The connector supports actions for investigation, threat scanning, and restricting running applications. It is one of over 200 pre-defined connectors including Outlook, Teams, Slack, and more. Custom connectors can also be built. See [Connectors](/connectors/) to learn more about connectors.
-
+ For example, using either approach, you can automatically have the Microsoft Defender Antivirus run when a USB device is mounted onto a machine. ## Related topics
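Review bot: the added line starts with a leading space before `For example`, which was not in the surrounding paragraphs, and its wording "have the Microsoft Defender Antivirus run when a USB device is mounted" should read "have Microsoft Defender Antivirus run a scan when a USB device is mounted" (product names take no article, and it is the scan that is triggered). Since the blank line before `## Related topics` was removed in the same hunk, confirm the heading still has a blank line before it after the rewrite.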
security Controlled Folders https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/controlled-folders.md
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-assignaccess-abovefoldlink)
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-assignaccess-abovefoldlink)
## What is controlled folder access?
security Create Alert By Reference https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/create-alert-by-reference.md
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) -- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
POST https://api.securitycenter.microsoft.com/api/alerts/CreateAlertByReference
## Request headers
-Name | Type | Description
+Name|Type|Description
:|:|: Authorization | String | Bearer {token}. **Required**. Content-Type | String | application/json. **Required**.
security Customize Attack Surface Reduction https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/customize-attack-surface-reduction.md
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-assignaccess-abovefoldlink)
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-assignaccess-abovefoldlink)
> [!IMPORTANT] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
You can choose to exclude files and folders from being evaluated by attack surfa
For example, consider the ransomware rule:
-The ransomware rule is designed to help enterprise customers reduce risks of ransomware attacks while ensuring business continuity. By default, the ransomware rule errors on the side of caution and protect against files that haven't yet attained sufficient reputation and trust. To reemphasize, the ransomware rule only triggers on files that have not gained enough positive reputation and prevalence, based on usage metrics of millions of our customers. Usually, the blocks are self resolved, because each file's ΓÇ£reputation and trustΓÇ¥ values are incrementally upgraded as non-problematic usage increases.
+The ransomware rule is designed to help enterprise customers reduce risks of ransomware attacks while ensuring business continuity. By default, the ransomware rule errors on the side of caution and protect against files that haven't yet attained sufficient reputation and trust. To reemphasize, the ransomware rule only triggers on files that have not gained enough positive reputation and prevalence, based on usage metrics of millions of our customers. Usually, the blocks are self resolved, because each file's "reputation and trust" values are incrementally upgraded as non-problematic usage increases.
-In cases in which blocks arenΓÇÖt self resolved in a timely manner, customers can - _at their own risk_ - make use of either the self-service mechanism or an Indicator of Compromise (IOC)-based "allow list" capability to unblock the files themselves.
+In cases in which blocks aren't self resolved in a timely manner, customers can - _at their own risk_ - make use of either the self-service mechanism or an Indicator of Compromise (IOC)-based "allow list" capability to unblock the files themselves.
> [!WARNING] > Excluding or unblocking files or folders could potentially allow unsafe files to run and infect your devices. Excluding files or folders can severely reduce the protection provided by attack surface reduction rules. Files that would have been blocked by a rule will be allowed to run, and there will be no report or event recorded.
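Review bot: the rewritten ransomware-rule paragraph still says "errors on the side of caution and protect against files", which needs "errs" (the idiom) and "protects" (to agree with "rule"); the line is already being touched for the curly-quote cleanup, so fix both here. "self resolved" also appears in both paragraphs and should be hyphenated ("self-resolved") consistently.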
security Customize Exploit Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/customize-exploit-protection.md
ms.technology: mde
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-assignaccess-abovefoldlink)
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-assignaccess-abovefoldlink)
Exploit protection automatically applies a number of exploit mitigation techniques on both the operating system processes and on individual apps.
security Data Retention Settings https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/data-retention-settings.md
ms.technology: mde
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-gensettings-abovefoldlink)
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-gensettings-abovefoldlink)
During the onboarding process, a wizard takes you through the data storage and retention settings of Defender for Endpoint.
security Data Storage Privacy https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/data-storage-privacy.md
ms.technology: mde
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-assignaccess-abovefoldlink)
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-assignaccess-abovefoldlink)
This section covers some of the most frequently asked questions regarding privacy and data handling for Defender for Endpoint.+ > [!NOTE] > This document explains the data storage and privacy details related to Defender for Endpoint. For more information related to Defender for Endpoint and other products and services like Microsoft Defender Antivirus and Windows 10, see [Microsoft Privacy Statement](https://go.microsoft.com/fwlink/?linkid=827576). See also [Windows 10 privacy FAQ](https://go.microsoft.com/fwlink/?linkid=827577) for more information. - ## What data does Microsoft Defender for Endpoint collect?
-Microsoft Defender for Endpoint will collect and store information from your configured devices in a customer dedicated and segregated tenant specific to the service for administration, tracking, and reporting purposes.
+Microsoft Defender for Endpoint will collect and store information from your configured devices in a customer dedicated and segregated tenant specific to the service for administration, tracking, and reporting purposes.
Information collected includes file data (such as file names, sizes, and hashes), process data (running processes, hashes), registry data, network connection data (host IPs and ports), and device details (such as device identifiers, names, and the operating system version). Microsoft stores this data securely in Microsoft Azure and maintains it in accordance with Microsoft privacy practices and [Microsoft Trust Center policies](https://go.microsoft.com/fwlink/?linkid=827578). This data enables Defender for Endpoint to:+ - Proactively identify indicators of attack (IOAs) in your organization - Generate alerts if a possible attack was detected - Provide your security operations with a view into devices, files, and URLs related to threat signals from your network, enabling you to investigate and explore the presence of security threats on the network.
This data enables Defender for Endpoint to:
Microsoft does not use your data for advertising. ## Data protection and encryption
-The Defender for Endpoint service utilizes state of the art data protection technologies which are based on Microsoft Azure infrastructure.
-There are various aspects relevant to data protection that our service takes care of. Encryption is one of the most critical and it includes data encryption at rest, encryption in flight, and key management with Key Vault. For more information on other technologies used by the Defender for Endpoint service, see [Azure encryption overview](/azure/security/security-azure-encryption-overview).
+The Defender for Endpoint service utilizes state of the art data protection technologies which are based on Microsoft Azure infrastructure.
-In all scenarios, data is encrypted using 256-bit [AES encryption](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard) at the minimum.
+There are various aspects relevant to data protection that our service takes care of. Encryption is one of the most critical and it includes data encryption at rest, encryption in flight, and key management with Key Vault. For more information on other technologies used by the Defender for Endpoint service, see [Azure encryption overview](/azure/security/security-azure-encryption-overview).
+In all scenarios, data is encrypted using 256-bit [AES encryption](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard) at the minimum.
## Data storage location
Defender for Endpoint operates in the Microsoft Azure datacenters in the Europea
Customer data in pseudonymized form may also be stored in the central storage and processing systems in the United States.
-Once configured, you cannot change the location where your data is stored. This provides a convenient way to minimize compliance risk by actively selecting the geographic locations where your data will reside.
+Once configured, you cannot change the location where your data is stored. This provides a convenient way to minimize compliance risk by actively selecting the geographic locations where your data will reside.
## Is my data isolated from other customer data?+ Yes, your data is isolated through access authentication and logical segregation based on customer identifier. Each customer can only access data collected from its own organization and generic data that Microsoft provides. ## How does Microsoft prevent malicious insider activities and abuse of high privilege roles?
Microsoft developers and administrators have, by design, been given sufficient p
- Combinations of controls that greatly enhance independent detection of malicious activity - Multiple levels of monitoring, logging, and reporting
-Additionally, Microsoft conducts background verification checks of certain operations personnel, and limits access to applications, systems, and network infrastructure in proportion to the level of background verification. Operations personnel follow a formal process when they are required to access a customerΓÇÖs account or related information in the performance of their duties.
+Additionally, Microsoft conducts background verification checks of certain operations personnel, and limits access to applications, systems, and network infrastructure in proportion to the level of background verification. Operations personnel follow a formal process when they are required to access a customer's account or related information in the performance of their duties.
Access to data for services deployed in Microsoft Azure Government data centers is only granted to operating personnel who have been screened and approved to handle data that is subject to certain government regulations and requirements, such as FedRAMP, NIST 800.171 (DIB), ITAR, IRS 1075, DoD L4, and CJIS. - ## Is data shared with other customers?
-No. Customer data is isolated from other customers and is not shared. However, insights on the data resulting from Microsoft processing, and which donΓÇÖt contain any customer-specific data, might be shared with other customers. Each customer can only access data collected from its own organization and generic data that Microsoft provides.
-## How long will Microsoft store my data? What is MicrosoftΓÇÖs data retention policy?
-**At service onboarding**<br>
-By default, data is retained for 180 days; however, you can specify the data retention policy for your data. This determines how long Window Defender for Endpoint will store your data. ThereΓÇÖs a flexibility of choosing in the range of one month to six months to meet your companyΓÇÖs regulatory compliance needs.
+No. Customer data is isolated from other customers and is not shared. However, insights on the data resulting from Microsoft processing, and which don't contain any customer-specific data, might be shared with other customers. Each customer can only access data collected from its own organization and generic data that Microsoft provides.
-**At contract termination or expiration**<br>
-Your data will be kept and will be available to you while the license is under grace period or suspended mode. At the end of this period, that data will be erased from MicrosoftΓÇÖs systems to make it unrecoverable, no later than 180 days from contract termination or expiration.
+## How long will Microsoft store my data? What is Microsoft's data retention policy?
-**Advanced Hunting data**<br>
-Advanced hunting is a query-based threat-hunting tool that lets you explore up to 30 days of raw data.
+### At service onboarding
+
+By default, data is retained for 180 days; however, you can specify the data retention policy for your data. This determines how long Window Defender for Endpoint will store your data. There's a flexibility of choosing in the range of one month to six months to meet your company's regulatory compliance needs.
+
+### At contract termination or expiration
+Your data will be kept and will be available to you while the license is under grace period or suspended mode. At the end of this period, that data will be erased from Microsoft's systems to make it unrecoverable, no later than 180 days from contract termination or expiration.
+
+### Advanced Hunting data
+
+Advanced hunting is a query-based threat-hunting tool that lets you explore up to 30 days of raw data.
## Can Microsoft help us maintain regulatory compliance?
By providing customers with compliant, independently verified services, Microsof
For more information on the Defender for Endpoint certification reports, see [Microsoft Trust Center](https://servicetrust.microsoft.com/).
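Review bot: the "At service onboarding" paragraph moved under the new `###` heading still says "Window Defender for Endpoint", which is neither the product name used everywhere else on the page ("Microsoft Defender for Endpoint") nor grammatical; correct it while the paragraph is being rewritten. The new `### At contract termination or expiration` heading is also immediately followed by its paragraph with no blank line, unlike the other two headings added in the same hunk; add the blank line for consistency.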
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-datastorage-belowfoldlink)
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-datastorage-belowfoldlink)
security Defender Compatibility https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/defender-compatibility.md
ms.technology: mde
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-defendercompat-abovefoldlink)
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-defendercompat-abovefoldlink)
The Microsoft Defender for Endpoint agent depends on Microsoft Defender Antivirus for some capabilities such as file scanning.
security Defender Endpoint False Positives Negatives https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/defender-endpoint-false-positives-negatives.md
When you're done reviewing and undoing actions that were taken as a result of fa
You can roll back and remove a file from quarantine if you've determined that it's clean after an investigation. Run the following command on each device where the file was quarantined.
-1. Open an elevated commandΓÇôline prompt on the device:
+1. Open an elevated command-line prompt on the device:
1. Go to **Start** and type _cmd_.
- 2. RightΓÇôclick **Command prompt** and select **Run as administrator**.
+ 2. Right-click **Command prompt** and select **Run as administrator**.
2. Enter the following command, and press **Enter**: ```console
- "ProgramFiles%\Windows Defender\MpCmdRun.exe" ΓÇôRestore ΓÇôName EUS:Win32/CustomEnterpriseBlock ΓÇôAll
+ "ProgramFiles%\Windows Defender\MpCmdRun.exe" -Restore -Name EUS:Win32/CustomEnterpriseBlock -All
``` > [!IMPORTANT]
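Review bot: the corrected command `"ProgramFiles%\Windows Defender\MpCmdRun.exe" -Restore -Name EUS:Win32/CustomEnterpriseBlock -All` is still missing the leading `%` of `%ProgramFiles%`, so the path does not resolve and the command fails before `-Restore` is parsed; replacing the en dashes with ASCII hyphens was the right fix (the switches would not have been recognized otherwise), but the variable reference needs the same attention. Because the step says to run this on every device where the file was quarantined, the typo is copied to each of them.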
security Delete Ti Indicator By Id https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/delete-ti-indicator-by-id.md
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
-> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
Delete https://api.securitycenter.microsoft.com/api/indicators/{id}
## Request headers
-Name | Type | Description
+Name|Type|Description
:|:|: Authorization | String | Bearer {token}. **Required**.
security Deployment Phases https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/deployment-phases.md
ms.technology: mde
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-assignaccess-abovefoldlink)
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-assignaccess-abovefoldlink)
Learn how to deploy Microsoft Defender for Endpoint so that your enterprise can take advantage of preventative protection, post-breach detection, automated investigation, and response.
security Deployment Rings https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/deployment-rings.md
ms.technology: mde
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-assignaccess-abovefoldlink)
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-assignaccess-abovefoldlink)
Deploying Microsoft Defender for Endpoint can be done using a ring-based deployment approach.
security Deployment Strategy https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/deployment-strategy.md
ms.technology: mde
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-secopsdashboard-abovefoldlink)
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-secopsdashboard-abovefoldlink)
Plan your Microsoft Defender for Endpoint deployment so that you can maximize the security capabilities within the suite and better protect your enterprise from cyber threats.
security Deployment Vdi Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/deployment-vdi-microsoft-defender-antivirus.md
This guide describes how to configure your VMs for optimal protection and perfor
You can also download the whitepaper [Microsoft Defender Antivirus on Virtual Desktop Infrastructure](https://demo.wd.microsoft.com/Content/wdav-testing-vdi-ssu.pdf), which looks at the new shared security intelligence update feature, alongside performance testing and guidance on how you can test antivirus performance on your own VDI. > [!IMPORTANT]
-> Although the VDI can be hosted on Windows Server 2012 or Windows Server 2016, the virtual machines (VMs) should be running Windows 10, 1607 at a minimum, due to increased protection technologies and features that are unavailable in earlier versions of Windows.<br/>There are performance and feature improvements to the way in which Microsoft Defender AV operates on virtual machines in Windows 10 Insider Preview, build 18323 (and later). We'll identify in this guide if you need to be using an Insider Preview build; if it isn't specified, then the minimum required version for the best protection and performance is Windows 10 1607.
+> Although the VDI can be hosted on Windows Server 2012 or Windows Server 2016, the virtual machines (VMs) should be running Windows 10, 1607 at a minimum, due to increased protection technologies and features that are unavailable in earlier versions of Windows.
+>
+> There are performance and feature improvements to the way in which Microsoft Defender AV operates on virtual machines in Windows 10 Insider Preview, build 18323 (and later). We'll identify in this guide if you need to be using an Insider Preview build; if it isn't specified, then the minimum required version for the best protection and performance is Windows 10 1607.
## Set up a dedicated VDI file share
-In Windows 10, version 1903, we introduced the shared security intelligence feature, which offloads the unpackaging of downloaded security intelligence updates onto a host machineΓÇöthus saving previous CPU, disk, and memory resources on individual machines. This feature has been backported and now works in Windows 10 version 1703 and above. You can set this feature with a Group Policy, or PowerShell.
+In Windows 10, version 1903, we introduced the shared security intelligence feature, which offloads the unpackaging of downloaded security intelligence updates onto a host machine, thus saving previous CPU, disk, and memory resources on individual machines. This feature has been backported and now works in Windows 10 version 1703 and above. You can set this feature with a Group Policy, or PowerShell.
### Use Group Policy to enable the shared security intelligence feature:
In Windows 10, version 1903, we introduced the shared security intelligence feat
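Review bot: the `+` line keeps the typo "saving previous CPU, disk, and memory resources"; it should read "precious". While the sentence is being touched, "You can set this feature with a Group Policy, or PowerShell" has a stray comma and article: "You can set this feature with Group Policy or PowerShell".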
### Use PowerShell to enable the shared security intelligence feature
-Use the following cmdlet to enable the feature. YouΓÇÖll need to then push this as you normally would push PowerShell-based configuration policies onto the VMs:
+Use the following cmdlet to enable the feature. You'll need to then push this as you normally would push PowerShell-based configuration policies onto the VMs:
```PowerShell Set-MpPreference -SharedSignaturesPath \\<shared location>\wdav-update
See the [Download and unpackage](#download-and-unpackage-the-latest-updates) sec
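Review bot: `-SharedSignaturesPath \\<shared location>\wdav-update` makes every VM load its security intelligence from a network share, but the section never says who may write to that share. Suggest adding one sentence that the VMs need read-only access and that write access should be limited to the management account that runs the download script, since whatever is placed in that folder is what the VMs will unpack and trust.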
## Download and unpackage the latest updates
-Now you can get started on downloading and installing new updates. WeΓÇÖve created a sample PowerShell script for you below. This script is the easiest way to download new updates and get them ready for your VMs. You should then set the script to run at a certain time on the management machine by using a scheduled task (or, if youΓÇÖre familiar with using PowerShell scripts in Azure, Intune, or SCCM, you could also use those scripts).
+Now you can get started on downloading and installing new updates. We've created a sample PowerShell script for you below. This script is the easiest way to download new updates and get them ready for your VMs. You should then set the script to run at a certain time on the management machine by using a scheduled task (or, if you're familiar with using PowerShell scripts in Azure, Intune, or SCCM, you could also use those scripts).
```PowerShell $vdmpathbase = "$env:systemdrive\wdav-update\{00000000-0000-0000-0000-"
Invoke-WebRequest -Uri 'https://go.microsoft.com/fwlink/?LinkID=121721&arch=x64'
cmd /c "cd $vdmpath & c: & mpam-fe.exe /x" ```
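Review bot: the sample script goes straight from `Invoke-WebRequest` to `mpam-fe.exe /x` with no check on the downloaded file. Suggest documenting a verification step between the two, for example running `Get-AuthenticodeSignature` on the downloaded executable and extracting only when the status is `Valid` and the signer is Microsoft, with the script failing (and the scheduled task reporting failure) otherwise, so a tampered or truncated download is never unpacked into the share the VMs read from.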
-You can set a scheduled task to run once a day so that whenever the package is downloaded and unpacked then the VMs will receive the new update.
-We suggest starting with once a dayΓÇöbut you should experiment with increasing or decreasing the frequency to understand the impact.
+You can set a scheduled task to run once a day so that whenever the package is downloaded and unpacked then the VMs will receive the new update.
+We suggest starting with once a day, but you should experiment with increasing or decreasing the frequency to understand the impact.
-Security intelligence packages are typically published once every three to four hours. Setting a frequency shorter than four hours isnΓÇÖt advised because it will increase the network overhead on your management machine for no benefit.
+Security intelligence packages are typically published once every three to four hours. Setting a frequency shorter than four hours isn't advised because it will increase the network overhead on your management machine for no benefit.
### Set a scheduled task to run the PowerShell script
-1. On the management machine, open the Start menu and type **Task Scheduler**. Open it and select **Create task…** on the side panel.
+1. On the management machine, open the Start menu and type **Task Scheduler**. Open it and select **Create task...** on the side panel.
-2. Enter the name as **Security intelligence unpacker**. Go to the **Trigger** tab. Select **New…** > **Daily**, and select **OK**.
+2. Enter the name as **Security intelligence unpacker**. Go to the **Trigger** tab. Select **New...** > **Daily**, and select **OK**.
-3. Go to the **Actions** tab. Select **New…** Enter **PowerShell** in the **Program/Script** field. Enter `-ExecutionPolicy Bypass c:\wdav-update\vdmdlunpack.ps1` in the **Add arguments** field. Select **OK**.
+3. Go to the **Actions** tab. Select **New...** Enter **PowerShell** in the **Program/Script** field. Enter `-ExecutionPolicy Bypass c:\wdav-update\vdmdlunpack.ps1` in the **Add arguments** field. Select **OK**.
4. You can choose to configure additional settings if you wish. 5. Select **OK** to save the scheduled task.
-
+ You can initiate the update manually by right-clicking on the task and clicking **Run**. ### Download and unpackage manually
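Review bot: step 3 passes `-ExecutionPolicy Bypass c:\wdav-update\vdmdlunpack.ps1`, so the folder is `wdav-update` (hyphen), matching `$vdmpathbase` in the script, while the manual steps that follow create `wdav_update` (underscore); one spelling should be used throughout. The file name `vdmdlunpack.ps1` is also never introduced; say that the sample script above must be saved under that name. Because the task runs the script unattended, it is worth adding that `c:\wdav-update` should be writable only by administrators, otherwise anyone who can write there decides what the scheduled task executes.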
-If you would prefer to do everything manually, here's what to do to replicate the scriptΓÇÖs behavior:
+If you would prefer to do everything manually, here's what to do to replicate the script's behavior:
1. Create a new folder on the system root called `wdav_update` to store intelligence updates, for example, create the folder `c:\wdav_update`. 2. Create a subfolder under *wdav_update* with a GUID name, such as `{00000000-0000-0000-0000-000000000000}`
-Here's an example: `c:\wdav_update\{00000000-0000-0000-0000-000000000000}`
+ Here's an example: `c:\wdav_update\{00000000-0000-0000-0000-000000000000}`
> [!NOTE] > In the script we set it so the last 12 digits of the GUID are the year, month, day, and time when the file was downloaded so that a new folder is created each time. You can change this so that the file is downloaded to the same folder each time.
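Review bot: the note explains that the last 12 digits of the GUID encode the download date and time so that a new folder is created on every run, but nothing says what happens to the older folders. Suggest adding that the script or task should remove previous `{00000000-0000-0000-0000-...}` folders once the new one is in place, otherwise the share grows by one full package per run.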
You can specify the type of scan that should be performed during a scheduled sca
3. Set the policy to **Enabled**, and then under **Options**, select **Quick scan**.
-4. Select **OK**.
+4. Select **OK**.
5. Deploy your Group Policy object as you usually do.
Sometimes, Microsoft Defender Antivirus notifications may be sent to or persist
1. In your Group Policy Editor, go to **Windows components** > **Microsoft Defender Antivirus** > **Client Interface**.
-2. Select **Suppress all notifications** and then edit the policy settings.
+2. Select **Suppress all notifications** and then edit the policy settings.
3. Set the policy to **Enabled**, and then select **OK**.
Suppressing notifications prevents notifications from Microsoft Defender Antivir
> [!TIP] > To open the Action Center on Windows 10, take one of the following steps:
+>
> - On the right end of the taskbar, select the Action Center icon. > - Press the Windows logo key button + A. > - On a touchscreen device, swipe in from the right edge of the screen.
This policy forces a scan if the VM has missed two or more consecutive scheduled
4. Click **OK**. 5. Deploy your Group Policy Object as you usually do.
-
+ This policy hides the entire Microsoft Defender Antivirus user interface from end users in your organization. ## Exclusions
For more information, see [Configure Microsoft Defender Antivirus exclusions on
## Additional resources - [Tech Community Blog: Configuring Microsoft Defender Antivirus for non-persistent VDI machines](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/configuring-microsoft-defender-antivirus-for-non-persistent-vdi/ba-p/1489633)-- [TechNet forums on Remote Desktop Services and VDI](https://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserverTS)-- [SignatureDownloadCustomTask PowerShell script](https://www.powershellgallery.com/packages/SignatureDownloadCustomTask/1.4)
+- [TechNet forums on Remote Desktop Services and VDI](https://social.technet.microsoft.com/Forums/windowsserver/home?forum=winserverTS)
+- [SignatureDownloadCustomTask PowerShell script](https://www.powershellgallery.com/packages/SignatureDownloadCustomTask/1.4)
security Device Control Removable Storage Access Control https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/device-control-removable-storage-access-control.md
Microsoft Defender for Endpoint Device Control Removable Storage Access Control
- auditing, allowing or preventing the read, write or execute access to removable storage with or without exclusion
-|Privilege |Permission |
-|||
-|Access | Read, Write, Execute |
-|Action Mode | Audit, Allow, Prevent |
-|CSP Support | Yes |
-|GPO Support | Yes |
-|User-based Support | Yes |
-|Machine-based Support | Yes |
+<br>
+
+****
+
+|Privilege|Permission|
+|||
+|Access|Read, Write, Execute|
+|Action Mode|Audit, Allow, Prevent|
+|CSP Support|Yes|
+|GPO Support|Yes|
+|User-based Support|Yes|
+|Machine-based Support|Yes|
+|
## Licensing
Deploy Removable Storage Access Control on Windows 10 devices that have antimalw
You can use the following properties to create a removable storage group:
-**Property name: Group Id**
+### Property name: Group Id
1. Description: [GUID](https://en.wikipedia.org/wiki/Universally_unique_identifier), a unique ID, represents the group and will be used in the policy.
-**Property name: DescriptorIdList**
-
-2. Description: List the device properties you want to use to cover in the group.
-For each device property, see **Device Properties** section above for more detail.
+### Property name: DescriptorIdList
-3. Options:
+1. Description: List the device properties you want to use to cover in the group. For each device property, see **Device Properties** section above for more detail.
+2. Options:
- PrimaryId - RemovableMediaDevices - CdRomDevices
For each device property, see **Device Properties** section above for more detai
- 0751_55E0: match this exact VID/PID pair - _55E0: match any media with PID=55E0 - 0751_: match any media with VID=0751
-
-**Property name: MatchType**
-1. Description: When there are multiple device properties being used in the DescriptorIDList, MatchType defines the relationship.
+### Property name: MatchType
+1. Description: When there are multiple device properties being used in the DescriptorIDList, MatchType defines the relationship.
2. Options:- - MatchAll: Any attributes under the DescriptorIdList will be **And** relationship; for example, if administrator puts DeviceID and InstancePathID, for every connected USB, system will check to see whether the USB meets both values. - MatchAny: The attributes under the DescriptorIdList will be **Or** relationship; for example, if administrator puts DeviceID and InstancePathID, for every connected USB, system will do the enforcement as long as the USB has either an identical **DeviceID** or **InstanceID** value. Following are the access control policy properties:
-**Property name: PolicyRuleId**
+### Property name: PolicyRuleId
1. Description: [GUID](https://en.wikipedia.org/wiki/Universally_unique_identifier), a unique ID, represents the policy and will be used in the reporting and troubleshooting.
-**Property name: IncludedIdList**
+### Property name: IncludedIdList
1. Description: The group(s) that the policy will be applied to. If multiple groups are added, the policy will be applied to any media in all those groups.- 2. Options: The Group ID/GUID must be used at this instance. The following example shows the usage of GroupID: `<IncludedIdList> <GroupId>{EAA4CCE5-F6C9-4760-8BAD-FDCC76A2ACA1}</GroupId> </IncludedIdList>`
-**Property name: ExcludedIDList**
+### Property name: ExcludedIDList
Description: The group(s) that the policy won't be applied to. Options: The Group ID/GUID must be used at this instance.
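Review bot: the heading says `ExcludedIDList` while the preceding property is `IncludedIdList` (and the element in the example is `<IncludedIdList>`); XML element names are case-sensitive, so please confirm the exact casing of the exclusion element and use it in the heading, otherwise readers copying the heading into their policy will get an element the parser does not recognise. An example block for `ExcludedIDList`, mirroring the `<IncludedIdList><GroupId>...</GroupId></IncludedIdList>` one above, would settle it.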
-**Property name: Entry Id**
+### Property name: Entry Id
1. Description: One PolicyRule can have multiple entries; each entry with a unique GUID tells Device Control one restriction.
-**Property name: Type**
+### Property name: Type
1. Description: Defines the action for the removable storage groups in IncludedIDList. - Enforcement: Allow or Deny
- - Audit: AuditAllowed or AuditDenied
-
+ - Audit: AuditAllowed or AuditDenied
2. Options: - Allow
Options: The Group ID/GUID must be used at this instance.
When there are conflict types for the same media, the system will apply the first one in the policy. An example of a conflict type is **Allow** and **Deny**.
-**Property name: Sid**
+### Property name: Sid
Description: Local computer Sid or the Sid of the AD object, defines whether to apply this policy over a specific user or user group; one entry can have a maximum of one Sid and an entry without any Sid means applying the policy over the machine.
-**Property name: ComputerSid**
+### Property name: ComputerSid
Description: Local computer Sid or the Sid of the AD object, defines whether to apply this policy over a specific machine or machine group; one entry can have a maximum of one ComputerSid and an entry without any ComputerSid means applying the policy over the machine. If you want to apply an Entry to a specific user and specific machine, add both Sid and ComputerSid into the same Entry.
-**Property name: Options**
+### Property name: Options
Description: Defines whether to display notification or not.
Description: Defines whether to display notification or not.
Options: 0-4. When Type Allow or Deny is selected:
- - 0: nothing
- - 4: disable **AuditAllowed** and **AuditDenied** for this Entry. Even if **Block** happens and the **AuditDenied** is setting configured, the system won't show notification.
+- 0: nothing
+- 4: disable **AuditAllowed** and **AuditDenied** for this Entry. Even if **Block** happens and the **AuditDenied** is setting configured, the system won't show notification.
- When Type **AuditAllowed** or **AuditDenied** is selected:
+When Type **AuditAllowed** or **AuditDenied** is selected:
- - 0: nothing
- - 1: show notification
- - 2: send event
- - 3: show notification and send event
+- 0: nothing
+- 1: show notification
+- 2: send event
+- 3: show notification and send event
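Review bot: the option 4 bullet has a grammar slip: "Even if **Block** happens and the **AuditDenied** is setting configured" should read "even if a block occurs and an **AuditDenied** setting is configured". More importantly, the sentence only says the system "won't show notification", while the audit options listed just below include "2: send event"; please state whether option 4 also suppresses the event, because administrators who rely on DeviceEvents to see blocked removable-storage access need to know that this setting makes those blocks invisible in reporting if it does.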
-**Property name: AccessMask**
+### Property name: AccessMask
Description: Defines the access. Options 1-7:
- - 1: Read
- - 2: Write
- - 3: Read and Write
- - 4: Execute
- - 5: Read and Execute
- - 6: Write and Execute
- - 7: Read and Write and Execute
+
+- 1: Read
+- 2: Write
+- 3: Read and Write
+- 4: Execute
+- 5: Read and Execute
+- 6: Write and Execute
+- 7: Read and Write and Execute
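Review bot: the list presents AccessMask as seven independent options, but the values are a bitmask: Read = 1, Write = 2, Execute = 4, and 3, 5, 6 and 7 are their bitwise OR. Saying so in the description lets readers derive the combinations instead of memorising the table and makes clear why there is no value 0.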
## Common Removable Storage Access Control scenarios
To help familiarize you with Microsoft Defender for Endpoint Removable Storage A
### Scenario 1: Prevent Write and Execute access to all but allow specific approved USBs 1. Create groups- 1. Group 1: Any removable storage and CD/DVD. An example of a removable storage and CD/DVD is: Group **9b28fae8-72f7-4267-a1a5-685f747a7146** in the sample [Any Removable Storage and CD-DVD Group.xml](https://github.com/microsoft/mdatp-devicecontrol/tree/main/Removable%20Storage%20Access%20Control%20Samples) file.
-
2. Group 2: Approved USBs based on device properties. An example for this use case is:
- Instance ID ΓÇô Group **65fa649a-a111-4912-9294-fb6337a25038** in the sample [Approved USBs Group.xml](https://github.com/microsoft/mdatp-devicecontrol/tree/main/Removable%20Storage%20Access%20Control%20Samples) file.
+ Instance ID - Group **65fa649a-a111-4912-9294-fb6337a25038** in the sample [Approved USBs Group.xml](https://github.com/microsoft/mdatp-devicecontrol/tree/main/Removable%20Storage%20Access%20Control%20Samples) file.
> [!NOTE] > You have to replace `&` with `&amp;` in the value. 2. Create policy- 1. Policy 1: Block Write and Execute Access but allow approved USBs. An example for this use case is: PolicyRule **c544a991-5786-4402-949e-a032cb790d0e** in the sample [Scenario 1 Block Write and Execute Access but allow approved USBs.xml](https://github.com/microsoft/mdatp-devicecontrol/tree/main/Removable%20Storage%20Access%20Control%20Samples) file.
-
2. Policy 2: Audit Write and Execute access to allowed USBs. An example for this use case is: PolicyRule **36ae1037-a639-4cff-946b-b36c53089a4c** in the sample [Scenario 1 Audit Write and Execute access to approved USBs.xml](https://github.com/microsoft/mdatp-devicecontrol/tree/main/Removable%20Storage%20Access%20Control%20Samples) file. ### Scenario 2: Audit Write and Execute access to all but block specific unapproved USBs 1. Create groups- 1. Group 1: Any removable storage and CD/DVD. An example for this use case is: Group **9b28fae8-72f7-4267-a1a5-685f747a7146** in the sample [Any Removable Storage and CD-DVD Group.xml](https://github.com/microsoft/mdatp-devicecontrol/tree/main/Removable%20Storage%20Access%20Control%20Samples) file.
-
- 2. Group 2: Unapproved USBs based on device properties, for example, Vendor ID / Product ID, Friendly Name ΓÇô Group **65fa649a-a111-4912-9294-fb6337a25038** in the sample [Unapproved USBs Group.xml](https://github.com/microsoft/mdatp-devicecontrol/tree/main/Removable%20Storage%20Access%20Control%20Samples) file.
+ 2. Group 2: Unapproved USBs based on device properties, for example, Vendor ID / Product ID, Friendly Name - Group **65fa649a-a111-4912-9294-fb6337a25038** in the sample [Unapproved USBs Group.xml](https://github.com/microsoft/mdatp-devicecontrol/tree/main/Removable%20Storage%20Access%20Control%20Samples) file.
> [!NOTE] > You have to replace `&` with `&amp;` in the value. 2. Create policy- 1. Policy 1: Block Write and Execute access to all but block specific unapproved USBs. An example of this use case is: PolicyRule **23b8e437-66ac-4b32-b3d7-24044637fc98** in the sample [Scenario 2 Audit Write and Execute access to all but block specific unapproved USBs.xml](https://github.com/microsoft/mdatp-devicecontrol/tree/main/Removable%20Storage%20Access%20Control%20Samples) file.
-
+ 2. Policy 2: Audit Write and Execute access to others. An example of this use case is: PolicyRule **b58ab853-9a6f-405c-a194-740e69422b48** in the sample [Scenario 2 Audit Write and Execute access to others.xml](https://github.com/microsoft/mdatp-devicecontrol/tree/main/Removable%20Storage%20Access%20Control%20Samples) file. ## Deploying and managing policy via Group Policy
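Review bot: in Scenario 2, Policy 1 is described as "Block Write and Execute access to all but block specific unapproved USBs", yet the scenario heading and the sample file name both say "Audit Write and Execute access to all but block specific unapproved USBs"; the description should say Audit. Separately, both scenarios point at Group **65fa649a-a111-4912-9294-fb6337a25038**, once as the approved-USB group and once as the unapproved-USB group; please confirm the two sample files really share a GroupId, since a reader who combines the samples into a single `<Groups>` file would end up with two groups carrying the same ID.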
Before you get started with Removable Storage Access Control, you must confirm y
### Deploying policy via Group Policy
-1. Combine all groups within `<Groups>` `</Groups>` into one xml file.
+1. Combine all groups within `<Groups>` `</Groups>` into one xml file.
The following image illustrates the example of [Scenario 1: Prevent Write and Execute access to all but allow specific approved USBs](#scenario-1-prevent-write-and-execute-access-to-all-but-allow-specific-approved-usbs).
-
+ :::image type="content" source="images/prevent-write-access-allow-usb.png" alt-text="The screen displaying the configuration settings that allow specific approved USBs on devices":::
-
-2. Combine all rules within `<PolicyRules>` `</PolicyRules>` into one xml file.
+
+2. Combine all rules within `<PolicyRules>` `</PolicyRules>` into one xml file.
If you want to restrict a specific user, then use SID property into the Entry. If there's no SID in the policy Entry, the Entry will be applied to everyone login instance for the machine.
-
+ The following image illustrates the usage of SID property, and an example of [Scenario 1: Prevent Write and Execute access to all but allow specific approved USBs](#scenario-1-prevent-write-and-execute-access-to-all-but-allow-specific-approved-usbs).
-
+ :::image type="content" source="images/usage-sid-property.png" alt-text="The screen displaying a code that indicates usage of the SID property attribute":::
-3. Save both rule and group XML files on network share folder and put network share folder path into the Group Policy setting: **Computer Configuration -> Administrative Templates -> Windows Components -> Microsoft Defender Antivirus -> Device Control: ΓÇÿDefine device control policy groupsΓÇÖ and ΓÇÿDefine device control policy rulesΓÇÖ**.
+3. Save both rule and group XML files on network share folder and put network share folder path into the Group Policy setting: **Computer Configuration -> Administrative Templates -> Windows Components -> Microsoft Defender Antivirus -> Device Control: 'Define device control policy groups' and 'Define device control policy rules'**.
- The target machine must be able to access the network share to have the policy. However, once the policy is read, the network share connection is no longer required, even after machine reboot.
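Review bot: step 3 has the group and rule XML read from a network share, and the last bullet notes the share is only needed until the policy has been read. Suggest adding that the share must be writable only by the administrators who maintain the policy: whoever can edit those two XML files decides which removable media is allowed or blocked on every machine that reads them, so the share ACL is part of the control.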
Before you get started with Removable Storage Access Control, you must confirm y
The Removable Storage Access Control feature enables you to apply policy via OMA-URI to either user or device, or both.
-### Licensing
+### Licensing requirements
Before you get started with Removable Storage Access Control, you must confirm yourΓÇ»[Microsoft 365 subscription](https://www.microsoft.com/microsoft-365/compare-microsoft-365-enterprise-plans?rtc=2). To access and use Removable Storage Access Control, you must have Microsoft 365 E3 or Microsoft 365 E5.
For policy deployment in Intune, the account must have permissions to create, ed
./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyRules/%7bFA6BE102-0784-4A2A-B010-A0BEBEBF68E1%7d/RuleData
- For example, for the **Block Write and Execute Access but allow approved USBs** rule in the sample, the link must be:
+ For example, for the **Block Write and Execute Access but allow approved USBs** rule in the sample, the link must be:
./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyRules/%7bc544a991-5786-4402-949e-a032cb790d0e%7d/RuleData. - Data Type: String (XML file) - ## Deploying and managing policy by using Intune user interface
-This capability (in Microsoft Endpoint Manager admin center (https://endpoint.microsoft.com/) > Devices > Configuration profiles > Create profile > Platform: Windows 10 and later & Profile: Device Control) isn't yet available.
+This capability (in Microsoft Endpoint Manager admin center (<https://endpoint.microsoft.com/>) \> Devices \> Configuration profiles \> Create profile \> Platform: Windows 10 and later & Profile: Device Control) isn't yet available.
## View Device Control Removable Storage Access Control data in Microsoft Defender for Endpoint
The Microsoft 365 security portal shows removable storage blocked by the Device
```kusto //events triggered by RemovableStoragePolicyTriggered DeviceEvents
-| where ActionType == "RemovableStoragePolicyTriggered"
-| extend parsed=parse_json(AdditionalFields)
-| extend RemovableStorageAccess = tostring(parsed.RemovableStorageAccess) 
-| extend RemovableStoragePolicyVerdict = tostring(parsed.RemovableStoragePolicyVerdict) 
-| extend MediaBusType = tostring(parsed.BusType) 
+| where ActionType == "RemovableStoragePolicyTriggered"
+| extend parsed=parse_json(AdditionalFields)
+| extend RemovableStorageAccess = tostring(parsed.RemovableStorageAccess) 
+| extend RemovableStoragePolicyVerdict = tostring(parsed.RemovableStoragePolicyVerdict) 
+| extend MediaBusType = tostring(parsed.BusType) 
| extend MediaClassGuid = tostring(parsed.ClassGuid) | extend MediaClassName = tostring(parsed.ClassName)
-| extend MediaDeviceId = tostring(parsed.DeviceId)
-| extend MediaInstanceId = tostring(parsed.DeviceInstanceId)
-| extend MediaName = tostring(parsed.MediaName)
-| extend RemovableStoragePolicy = tostring(parsed.RemovableStoragePolicy) 
-| extend MediaProductId = tostring(parsed.ProductId) 
-| extend MediaVendorId = tostring(parsed.VendorId) 
-| extend MediaSerialNumber = tostring(parsed.SerialNumber) 
-| extend MediaVolume = tostring(parsed.Volume) 
-| project Timestamp, DeviceId, DeviceName, ActionType, RemovableStorageAccess, RemovableStoragePolicyVerdict, MediaBusType, MediaClassGuid, MediaClassName, MediaDeviceId, MediaInstanceId, MediaName, RemovableStoragePolicy, MediaProductId, MediaVendorId, MediaSerialNumber, MediaVolume
+| extend MediaDeviceId = tostring(parsed.DeviceId)
+| extend MediaInstanceId = tostring(parsed.DeviceInstanceId)
+| extend MediaName = tostring(parsed.MediaName)
+| extend RemovableStoragePolicy = tostring(parsed.RemovableStoragePolicy) 
+| extend MediaProductId = tostring(parsed.ProductId) 
+| extend MediaVendorId = tostring(parsed.VendorId) 
+| extend MediaSerialNumber = tostring(parsed.SerialNumber) 
+| extend MediaVolume = tostring(parsed.Volume) 
+|project Timestamp, DeviceId, DeviceName, ActionType, RemovableStorageAccess, RemovableStoragePolicyVerdict, MediaBusType, MediaClassGuid, MediaClassName, MediaDeviceId, MediaInstanceId, MediaName, RemovableStoragePolicy, MediaProductId, MediaVendorId, MediaSerialNumber, MediaVolume
| order by Timestamp desc ```
DeviceEvents
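Review bot: the `+` lines change `| project` to `|project` while every `| extend` line in the same query keeps the space, and the extend lines still carry trailing whitespace; suggest keeping the `| ` form on every line and trimming the trailing spaces so the block is consistent. The change is otherwise a no-op, since KQL accepts either spelling of the pipe.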
## Frequently asked questions
-**What is the removable storage media limitation for the maximum number of USBs?**
+### What is the removable storage media limitation for the maximum number of USBs?
We've validated one USB group with 100,000 media - up to 7 MB in size. The policy works in both Intune and GPO without performance issues.
-**Why does the policy not work?**
+### Why does the policy not work?
The most common reason is there's no required [antimalware client version](/microsoft-365/security/defender-endpoint/device-control-removable-storage-access-control#prepare-your-endpoints).
Another reason could be that the XML file isn't correctly formatted, for example
If there's a value and the policy is managed via Group Policy, check whether the client device can access the policy XML path.
-**How can I know which machine is using out of date antimalware client version in the organization?**
+### How can I know which machine is using out of date antimalware client version in the organization?
You can use following query to get antimalware client version on the Microsoft 365 security portal:+ ```kusto //check the antimalware client version DeviceFileEvents
-| where FileName == "MsMpEng.exe"
-| where FolderPath contains @"C:\ProgramData\Microsoft\Windows Defender\Platform\"
-| extend PlatformVersion=tostring(split(FolderPath, "\\", 5))
-//| project DeviceName, PlatformVersion // check which machine is using legacy platformVersion
-| summarize dcount(DeviceName) by PlatformVersion // check how many machines are using which platformVersion
-| order by PlatformVersion desc
+|where FileName == "MsMpEng.exe"
+|where FolderPath contains @"C:\ProgramData\Microsoft\Windows Defender\Platform\"
+|extend PlatformVersion=tostring(split(FolderPath, "\\", 5))
+//|project DeviceName, PlatformVersion // check which machine is using legacy platformVersion
+|summarize dcount(DeviceName) by PlatformVersion // check how many machines are using which platformVersion
+|order by PlatformVersion desc
```
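Review bot: this query's `+` lines drop the space after the pipe (`|where`, `|extend`) while the RemovableStoragePolicyTriggered query earlier on the page keeps `| extend`; the two code blocks should follow one style. Also worth a short note that `dcount()` returns an estimate, so the per-version machine counts are approximate; for an exact inventory of out-of-date machines, summarize by DeviceName and PlatformVersion first and then count, or uncomment the `project DeviceName, PlatformVersion` line.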
security Device Control Removable Storage Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/device-control-removable-storage-protection.md
Microsoft Defender for Endpoint Device Control Removable Storage Protection prev
**Capabilities** - Prevent installation with or without exclusion based on various device properties.
-**Windows 10 support details**
+**Windows 10 support details**:
+ - Applied at machine level: the same policy applies for any logged on user. - Supports MEM and GPO.-- Supported ΓÇÿ[Device Properties](#device-properties)ΓÇÖ as listed.
+- Supported '[Device Properties](#device-properties)' as listed.
- For more information on Windows, see [How to control USB devices and other removable media using Microsoft Defender for Endpoint](control-usb-devices-using-intune.md). **Supported Platform** - Windows 10
-**macOS support details**
+**macOS support details**:
+ - Applied at machine level: the same policy applies for any logged on user - For macOS specific information, see [Device control for macOS](mac-device-control-overview.md).
-
+ **Supported platform** - macOS Catalina 10.15.4+ (with system extensions enabled) ### Removable storage Access Control **Capabilities**+ - *Audit* Read or Write or Execute access to removable storage based on various device properties, with or without an exclusion. - *Prevent* Read or Write or Execute access with or without an exclusion - Allow specific device based on various device properties.
-**Windows 10 support details**
-- Applied at either machine or user or both ΓÇô only allow specific people performing Read/Write/Execute access to specific removable storage on specific machine.
+**Windows 10 support details**:
+
+- Applied at either machine or user or both. Only allow specific people performing Read/Write/Execute access to specific removable storage on specific machine.
- Support MEM OMA-URI and GPO.-- Supported ΓÇÿ[Device Properties](#device-properties)ΓÇÖ as listed.
+- Supported '[Device Properties](#device-properties)' as listed.
- For feature in Windows, see [Removable storage Access Control](device-control-removable-storage-access-control.md). **Supported Platform** - Windows 10
-**macOS support details**
+**macOS support details**:
+ - Applied at machine level: the same policy applies for any logged on user. - For macOS specific information, see [Device control for macOS](mac-device-control-overview.md).
-
+ **Supported platform** - macOS Catalina 10.15.4+ (with system extensions enabled) ### Windows Portable Device Access Control **Capabilities** - Deny Read or Write access to any [Windows Portable Device](/windows-hardware/drivers/portable/), for example: Tablet, iPhone.
-**Description**
+**Description**:
+ - Applied at either machine or user or both. - Support MEM OMA-URI and GPO.
Microsoft Defender for Endpoint Device Control Removable Storage Protection prev
**Supported Platform** - Windows 10
-### BitLocker
+### BitLocker
+
+**Capabilities**:
-**Capabilities**
- Block data to be written to removable drives that aren't BitLocker protected. - Block access to removable drives unless they were encrypted on a computer owned by your organization
-
-**Description** - For more information on Windows, see [BitLocker ΓÇô Removable Drive Settings](/mem/intune/protect/endpoint-security-disk-encryption-profile-settings).
+
+**Description** - For more information on Windows, see [BitLocker - Removable Drive Settings](/mem/intune/protect/endpoint-security-disk-encryption-profile-settings).
**Supported Platform** - Windows 10
Microsoft Defender for Endpoint Device Control Removable Storage Protection prev
Microsoft Defender for Endpoint Device Control Removable Storage Protection allows you to restrict the removable storage access based on the properties described in the table below:
+<br>
+
+****
-|Property Name |Applicable Policies |Applies to Operating Systems |Description |
-|||||
-|Device Class | [How to control USB devices and other removable media using Microsoft Defender for Endpoint](control-usb-devices-using-intune.md) | Windows | For information about Device ID formats, see [device setup class](/windows-hardware/drivers/install/system-defined-device-setup-classes-available-to-vendors). **Note**: Device Installation can be applied to any devices, not only Removable storage. |
-|Primary ID | Removable storage Access Control | Windows | The Primary ID includes removable storage and CD/DVD. |
-|Device ID | [How to control USB devices and other removable media using Microsoft Defender for Endpoint](control-usb-devices-using-intune.md); Removable storage Access Control | Windows | For information about Device ID formats, see [Standard USB Identifiers](/windows-hardware/drivers/install/standard-usb-identifiers), for example, USBSTOR\DISK&VEN_GENERIC&PROD_FLASH_DISK&REV_8.07 |
-|Hardware ID | [How to control USB devices and other removable media using Microsoft Defender for Endpoint](control-usb-devices-using-intune.md); Removable storage Access Control | Windows | A string identified the device in the system, for example, USBSTOR\DiskGeneric_Flash_Disk______8.07; **Note**: Hardware ID is not unique; different devices may share same value.|
-|Instance ID | Device Installation; Removable storage Access Control | Windows | A string uniquely identifies the device in the system, for example, USBSTOR\DISK&VEN_GENERIC&PROD_FLASH_DISK&REV_8.07\8735B611&0 |
-|Friendly Name | Removable storage Access Control | Windows | A string attached to the device, for example, Generic Flash Disk USB Device |
-|Vendor ID / Product ID | Removable storage Access Control | Windows Mac | Vendor ID is the four-digit vendor code that the USB committee assigns to the vendor. Product ID is the four-digit product code that the vendor assigns to the device; Support wildcard. |
-|Serial NumberId | Removable storage Access Control | Windows Mac | For example, <SerialNumberId>002324B534BCB431B000058A</SerialNumberId> |
+|Property Name|Applicable Policies|Applies to Operating Systems|Description|
+|||||
+|Device Class|[How to control USB devices and other removable media using Microsoft Defender for Endpoint](control-usb-devices-using-intune.md)|Windows|For information about Device ID formats, see [device setup class](/windows-hardware/drivers/install/system-defined-device-setup-classes-available-to-vendors). **Note**: Device Installation can be applied to any devices, not only Removable storage.|
+|Primary ID|Removable storage Access Control|Windows|The Primary ID includes removable storage and CD/DVD.|
+|Device ID|[How to control USB devices and other removable media using Microsoft Defender for Endpoint](control-usb-devices-using-intune.md); Removable storage Access Control|Windows|For information about Device ID formats, see [Standard USB Identifiers](/windows-hardware/drivers/install/standard-usb-identifiers), for example, USBSTOR\DISK&VEN_GENERIC&PROD_FLASH_DISK&REV_8.07|
+|Hardware ID|[How to control USB devices and other removable media using Microsoft Defender for Endpoint](control-usb-devices-using-intune.md); Removable storage Access Control|Windows|A string identified the device in the system, for example, USBSTOR\DiskGeneric_Flash_Disk______8.07; **Note**: Hardware ID is not unique; different devices may share same value.|
+|Instance ID|Device Installation; Removable storage Access Control|Windows|A string uniquely identifies the device in the system, for example, USBSTOR\DISK&VEN_GENERIC&PROD_FLASH_DISK&REV_8.07\8735B611&0|
+|Friendly Name|Removable storage Access Control|Windows|A string attached to the device, for example, Generic Flash Disk USB Device|
+|Vendor ID / Product ID|Removable storage Access Control|Windows Mac|Vendor ID is the four-digit vendor code that the USB committee assigns to the vendor. Product ID is the four-digit product code that the vendor assigns to the device; Support wildcard.|
+|Serial NumberId|Removable storage Access Control|Windows Mac|For example, <SerialNumberId>002324B534BCB431B000058A</SerialNumberId>|
+|
## Related topic - [Microsoft Defender for Endpoint Device Control Removable Storage Access Control](device-control-removable-storage-access-control.md)-
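Review bot: the Serial NumberId row of the rebuilt table writes the example as raw `<SerialNumberId>002324B534BCB431B000058A</SerialNumberId>`; in Markdown that renders as an HTML element and the tag names vanish, so wrap the example in backticks (the other examples such as `USBSTOR\DISK&VEN_GENERIC&PROD_FLASH_DISK&REV_8.07` would benefit from the same treatment, since `&` and `\` also get mangled by renderers). The lone `|` row after the Serial NumberId line is a stray empty row and should be dropped. While these rows are being rewritten, fix the grammar carried over from the old table: "A string identified the device in the system" should read "A string that identifies the device in the system", "A string uniquely identifies the device" should read "A string that uniquely identifies the device", and "Support wildcard." should read "Wildcards are supported."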
security Device Control Report https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/device-control-report.md
Title: Protect your organizationΓÇÖs data with device control
+ Title: Protect your organization's data with device control
description: Monitor your organization's data security through device control reports. ms.prod: m365-security ms.mktglfcycl: deploy
audience: ITPro ms.technology: mde
-# Protect your organizationΓÇÖs data with device control
+# Protect your organization's data with device control
**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2069559)
The audit events include:
## Monitor device control security
-Device control in Microsoft Defender for Endpoint empowers security administrators with tools that enable them to track their organizationΓÇÖs device control security through reports. You can find the device control report in the Microsoft 365 security center by going to **Reports > Device protection**.
+Device control in Microsoft Defender for Endpoint empowers security administrators with tools that enable them to track their organization's device control security through reports. You can find the device control report in the Microsoft 365 security center by going to **Reports > Device protection**.
The Device protection card on the **Reports** dashboard shows the number of audit events generated by media type, over the last 180 days.
security Device Discovery https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/device-discovery.md
You can change and customize your discovery settings, for more information see [
Devices that have been discovered but have not yet been onboarded and secured by Microsoft Defender for Endpoint will be listed in Device Inventory within the Endpoints tab. You can now use a new filter in the device inventory list called Onboarding status which can have any of the following values: -- Onboarded ΓÇô The endpoint is onboarded to Microsoft Defender for Endpoint.-- Can be onboarded ΓÇô The endpoint was discovered in the network and the Operating System was identified as one that is supported by Microsoft Defender for Endpoint, but it is not currently onboarded. We highly recommend onboarding these devices.-- Unsupported ΓÇô The endpoint was discovered in the network but is not supported by Microsoft Defender for Endpoint.-- Insufficient info ΓÇô The system could not determine the supportability of the device. Enabling standard discovery on more devices in the network can enrich the discovered attributes.
+- Onboarded: The endpoint is onboarded to Microsoft Defender for Endpoint.
+- Can be onboarded: The endpoint was discovered in the network and the Operating System was identified as one that is supported by Microsoft Defender for Endpoint, but it is not currently onboarded. We highly recommend onboarding these devices.
+- Unsupported: The endpoint was discovered in the network but is not supported by Microsoft Defender for Endpoint.
+- Insufficient info: The system could not determine the supportability of the device. Enabling standard discovery on more devices in the network can enrich the discovered attributes.
![Image of device inventory dashboard](images/2b62255cd3a9dd42f3219e437b956fb9.png)
The following action types have also been added:
You can try this example query:
-```
+```text
DeviceNetworkEvents | where ActionType == "ConnectionAcknowledged" or ActionType == "ConnectionAttempt" | take 10
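Review bot: the fence is tagged `text`, but the block is an advanced hunting (KQL) query against `DeviceNetworkEvents`; tag it `kusto` so it is highlighted as a query rather than rendered as plain text.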
DeviceNetworkEvents
The following section lists the changes you'll observe in Microsoft Defender for Endpoint and/or Microsoft 365 Security Center when this capability is enabled. 1. Devices that are not onboarded to Microsoft Defender to Endpoint are expected to appear in the device inventory, advanced hunting, and API queries. This may significantly increase the size of query results.
- 1. "DeviceInfo" and "DeviceNetworkInfo" tables in Advanced Hunting will now hold discovered device. You can filter out those devices by using ΓÇ£OnboardingStatusΓÇ¥ attribute.
+ 1. "DeviceInfo" and "DeviceNetworkInfo" tables in Advanced Hunting will now hold discovered device. You can filter out those devices by using "OnboardingStatus" attribute.
2. Discovered devices are expected to appear in Streaming API query results. You can filter out those devices by using the `OnboardingStatus` filter in your query. 2. Unmanaged devices will be assigned to existing device groups based on the defined criteria. 3. In rare cases, Standard discovery might trigger alerts on network monitors or security tools. Please provide feedback, if you experience such events, to help prevent these issues from recurring. You can explicitly exclude specific targets or entire subnets from being actively probed by Standard discovery.
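Review bot: the rewritten sub-item still reads "will now hold discovered device. You can filter out those devices by using "OnboardingStatus" attribute"; make it "will now hold discovered devices. You can filter out those devices by using the `OnboardingStatus` attribute", with backticks instead of straight quotes so it matches the `OnboardingStatus` formatting used in the Streaming API item that follows.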
security Device Timeline Event Flag https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/device-timeline-event-flag.md
ms.technology: mde
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-assignaccess-abovefoldlink)
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-assignaccess-abovefoldlink)
Event flags in the Defender for Endpoint device timeline help you filter and organize specific events when you're investigate potential attacks.
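Review bot: the sentence right after the changed tip still reads "when you're investigate potential attacks"; fix it to "when you're investigating potential attacks" in the same change.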
security Edr In Block Mode https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/edr-in-block-mode.md
ms.technology: mde
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-assignaccess-abovefoldlink)
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-assignaccess-abovefoldlink)
## What is EDR in block mode?
The following image shows an instance of unwanted software that was detected and
3. Scroll down, and then turn on **Enable EDR in block mode**. + > [!NOTE] > EDR in block mode can be turned on only in the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) or the former Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)). You cannot use registry keys, Microsoft Intune, or Group Policy to enable or disable EDR in block mode.
security Enable Attack Surface Reduction https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/enable-attack-surface-reduction.md
Last updated 06/02/2021
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) > [!TIP]
-> Want to experience Defender for Endpoint? [Sign up for a free trial](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-assignaccess-abovefoldlink).
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-assignaccess-abovefoldlink)
[Attack surface reduction rules](attack-surface-reduction.md) (ASR rules) help prevent actions that malware often abuses to compromise devices and networks.
You can use Microsoft Endpoint Manager (MEM) OMA-URI to configure custom ASR rul
9. In step **5 Applicability Rules** for the following settings, do the following:
- - In **Rule**, select either **Assign profile if**, or **DonΓÇÖt assign profile if**
+ - In **Rule**, select either **Assign profile if**, or **Don't assign profile if**
- In **Property**, select the property to which you want this rule to apply - In **Value**, enter the applicable value or value range
security Enable Controlled Folders https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/enable-controlled-folders.md
ms.technology: mde
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-assignaccess-abovefoldlink)
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-assignaccess-abovefoldlink)
[Controlled folder access](controlled-folders.md) helps you protect valuable data from malicious apps and threats, such as ransomware. Controlled folder access is included with Windows 10 and Windows Server 2019.
security Enable Siem Integration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/enable-siem-integration.md
ms.technology: mde
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
->Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-enablesiem-abovefoldlink)
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-enablesiem-abovefoldlink)
Enable security information and event management (SIEM) integration so you can pull detections from Microsoft 365 Defender. Pull detections using your SIEM solution or by connecting directly to the detections REST API.
Enable security information and event management (SIEM) integration so you can p
1. In the navigation pane, select **Settings** > **Endpoints** > **APIs** > **SIEM**.
- :::image type="content" source="../../media/enable_siemnew.png" alt-text="Image of SIEM integration from Settings menu1":::
+ :::image type="content" source="../../media/enable-siemnew.png" alt-text="Image of SIEM integration from Settings menu1":::
- >[!TIP]
- >If you encounter an error when trying to enable the SIEM connector application, check the pop-up blocker settings of your browser. It might be blocking the new window being opened when you enable the capability.
+ >[!TIP]
+ >If you encounter an error when trying to enable the SIEM connector application, check the pop-up blocker settings of your browser. It might be blocking the new window being opened when you enable the capability.
2. Select **Enable SIEM integration**. This activates the **SIEM connector access details** section with pre-populated values and an application is created under your Azure Active Directory (Azure AD) tenant.
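Review bot: the alt-text on the renamed image still ends in a stray digit ("Image of SIEM integration from Settings menu1"); drop the "1" while touching this line. Also confirm the media file was actually renamed from enable_siemnew.png to enable-siemnew.png in the same commit, otherwise the image reference breaks.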
security Evaluate Attack Surface Reduction https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/evaluate-attack-surface-reduction.md
ms.technology: mde
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
->Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-enablesiem-abovefoldlink)
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-enablesiem-abovefoldlink)
Attack surface reduction rules help prevent actions typically used by malware to compromise devices or networks. Attack surface reduction rules help close off many of the common entry points used by malware and ransomware.
security Evaluate Controlled Folder Access https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/evaluate-controlled-folder-access.md
ms.technology: mde
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
->Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-enablesiem-abovefoldlink)
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-enablesiem-abovefoldlink)
[Controlled folder access](controlled-folders.md) is a feature that helps protect your documents and files from modification by suspicious or malicious apps. Controlled folder access is supported on Windows Server 2019 and Windows 10 clients.
security Evaluate Defender Endpoint Pilot https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/evaluate-defender-endpoint-pilot.md
If you are looking for a pre-made simulation, you can use our ["Do It Yourself"
>If you don't have a copy of the password saved during the initial setup, you can reset the password by selecting **Reset password** from the menu: > ![Image of reset password](images/reset-password-test-machine.png) >
- > The device will change itΓÇÖs state to ΓÇ£Executing password reset", then youΓÇÖll be presented with your new password in a few minutes.
+ > The device will change it's state to "Executing password reset", then you'll be presented with your new password in a few minutes.
3. Enter the password that was displayed during the device creation step.
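Review bot: the de-smart-quoted line now reads "The device will change it's state to "Executing password reset""; the possessive is "its", so it should be "The device will change its state to "Executing password reset"". Replacing the mojibake apostrophe is the right fix, but "it's" is a contraction of "it is", not a possessive.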
security Evaluate Exploit Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/evaluate-exploit-protection.md
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
->Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-enablesiem-abovefoldlink)
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-enablesiem-abovefoldlink)
[Exploit protection](exploit-protection.md) helps protect devices from malware that uses exploits to spread and infect other devices. Mitigation can be applied to either the operating system or to an individual app. Many of the features that were part of the Enhanced Mitigation Experience Toolkit (EMET) are included in exploit protection. (The EMET has reached its end of support.)
security Evaluate Mde https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/evaluate-mde.md
ms.technology: mde
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
->Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-enablesiem-abovefoldlink)
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-enablesiem-abovefoldlink)
[Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) is a unified platform for preventative protection, post-breach detection, automated investigation, and response.
security Evaluation Lab https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/evaluation-lab.md
localization_priority: Normal audience: ITPro-+ - M365-security-compliance - m365solution-evalutatemtp
ms.technology: mde
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
->Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-enablesiem-abovefoldlink)
-
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-enablesiem-abovefoldlink)
Conducting a comprehensive security product evaluation can be a complex process requiring cumbersome environment and device configuration before an end-to-end attack simulation can actually be done. Adding to the complexity is the challenge of tracking where the simulation activities, alerts, and results are reflected during the evaluation. The Microsoft Defender for Endpoint evaluation lab is designed to eliminate the complexities of device and environment configuration so that you can focus on evaluating the capabilities of the platform, running simulations, and seeing the prevention, detection, and remediation features in action.
-> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4qLUM]
+> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4qLUM]
-With the simplified set-up experience, you can focus on running your own test scenarios and the pre-made simulations to see how Defender for Endpoint performs.
+With the simplified set-up experience, you can focus on running your own test scenarios and the pre-made simulations to see how Defender for Endpoint performs.
-You'll have full access to the powerful capabilities of the platform such as automated investigations, advanced hunting, and threat analytics, allowing you to test the comprehensive protection stack that Defender for Endpoint offers.
+You'll have full access to the powerful capabilities of the platform such as automated investigations, advanced hunting, and threat analytics, allowing you to test the comprehensive protection stack that Defender for Endpoint offers.
You can add Windows 10 or Windows Server 2019 devices that come pre-configured to have the latest OS versions and the right security components in place as well as Office 2019 Standard installed. You can also install threat simulators. Defender for Endpoint has partnered with industry leading threat simulation platforms to help you test out the Defender for Endpoint capabilities without having to leave the portal. Install your preferred simulator, run scenarios within the evaluation lab, and instantly see how the platform performs - all conveniently available at no extra cost to you. You'll also have convenient access to wide array of simulations which you can access and run from the simulations catalog.
-
## Before you begin+ You'll need to fulfill the [licensing requirements](minimum-requirements.md#licensing-requirements) or have trial access to Microsoft Defender for Endpoint to access the evaluation lab. You must have **Manage security settings** permissions to:+ - Create the lab - Create devices - Reset password-- Create simulations
-
+- Create simulations
+ If you enabled role-based access control (RBAC) and created at least a one machine group, users must have access to All machine groups. For more information, see [Create and manage roles](user-roles.md). Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-main-abovefoldlink) - ## Get started with the lab You can access the lab from the menu. In the navigation menu, select **Evaluation and tutorials > Evaluation lab**. --
->[!NOTE]
->- Depending the type of environment structure you select, devices will be available for the specified number of hours from the day of activation.
->- Each environment is provisioned with a limited set of test devices. When you've used up the provisioned devices and have deleted them, you can request for more devices.
->- You can request for lab resources once a month.
+> [!NOTE]
+>
+> - Depending the type of environment structure you select, devices will be available for the specified number of hours from the day of activation.
+> - Each environment is provisioned with a limited set of test devices. When you've used up the provisioned devices and have deleted them, you can request for more devices.
+> - You can request for lab resources once a month.
Already have a lab? Make sure to enable the new threat simulators and have active devices.
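Review bot: the reflowed note keeps two wording slips: "Depending the type of environment structure you select" is missing "on" ("Depending on the type of environment structure you select"), and "request for more devices" / "request for lab resources" should be "request more devices" / "request lab resources". Separately, the free-trial link in this hunk carries `ocid=docs-wdatp-enablesiem-abovefoldlink`, the SIEM page's tracking ID, while the same sentence further down this file uses `ocid=docs-wdatp-main-abovefoldlink`; use one ID for this page.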
Already have a lab? Make sure to enable the new threat simulators and have activ
2. Depending on your evaluation needs, you can choose to setup an environment with fewer devices for a longer period or more devices for a shorter period. Select your preferred lab configuration then select **Next**.
- ![Image of lab configuration options](images/lab-creation-page.png)
-
+ ![Image of lab configuration options](images/lab-creation-page.png)
-3. (Optional) You can choose to install threat simulators in the lab.
+3. (Optional) You can choose to install threat simulators in the lab.
![Image of install simulators agent](images/install-agent.png) >[!IMPORTANT]
- >You'll first need to accept and provide consent to the terms and information sharing statements.
+ >You'll first need to accept and provide consent to the terms and information sharing statements.
-4. Select the threat simulation agent you'd like to use and enter your details. You can also choose to install threat simulators at a later time. If you choose to install threat simulation agents during the lab setup, you'll enjoy the benefit of having them conveniently installed on the devices you add.
-
- ![Image of summary page](images/lab-setup-summary.png)
+4. Select the threat simulation agent you'd like to use and enter your details. You can also choose to install threat simulators at a later time. If you choose to install threat simulation agents during the lab setup, you'll enjoy the benefit of having them conveniently installed on the devices you add.
-5. Review the summary and select **Setup lab**.
+ ![Image of summary page](images/lab-setup-summary.png)
-After the lab setup process is complete, you can add devices and run simulations.
+5. Review the summary and select **Setup lab**.
+After the lab setup process is complete, you can add devices and run simulations.
## Add devices+ When you add a device to your environment, Defender for Endpoint sets up a well-configured device with connection details. You can add Windows 10 or Windows Server 2019 devices.
-The device will be configured with the most up-to-date version of the OS and Office 2019 Standard as well as other apps such as Java, Python, and SysIntenals.
+The device will be configured with the most up-to-date version of the OS and Office 2019 Standard as well as other apps such as Java, Python, and SysIntenals.
If you chose to add a threat simulator during the lab setup, all devices will have the threat simulator agent installed in the devices that you add.
-The device will automatically be onboarded to your tenant with the recommended Windows security components turned on and in audit mode - with no effort on your side.
+The device will automatically be onboarded to your tenant with the recommended Windows security components turned on and in audit mode - with no effort on your side.
The following security components are pre-configured in the test devices:
The following security components are pre-configured in the test devices:
- [Cloud-delivered protection](cloud-protection-microsoft-defender-antivirus.md) - [Microsoft Defender SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview)
->[!NOTE]
+> [!NOTE]
> Microsoft Defender Antivirus will be on (not in audit mode). If Microsoft Defender Antivirus blocks you from running your simulation, you can turn off real-time protection on the device through Windows Security. For more information, see [Configure always-on protection](configure-real-time-protection-microsoft-defender-antivirus.md). Automated investigation settings will be dependent on tenant settings. It will be configured to be semi-automated by default. For more information, see [Overview of Automated investigations](automated-investigations.md).
->[!NOTE]
->The connection to the test devices is done using RDP. Make sure that your firewall settings allow RDP connections.
+> [!NOTE]
+> The connection to the test devices is done using RDP. Make sure that your firewall settings allow RDP connections.
-1. From the dashboard, select **Add device**.
+1. From the dashboard, select **Add device**.
2. Choose the type of device to add. You can choose to add Windows 10 or Windows Server 2019. :::image type="content" source="../../media/add-machine-optionsnew.png" alt-text="lab setup with device options":::
- >[!NOTE]
- >If something goes wrong with the device creation process, you'll be notified and you'll need to submit a new request. If the device creation fails, it will not be counted against the overall allowed quota.
+ > [!NOTE]
+ > If something goes wrong with the device creation process, you'll be notified and you'll need to submit a new request. If the device creation fails, it will not be counted against the overall allowed quota.
3. The connection details are displayed. Select **Copy** to save the password for the device.
- >[!NOTE]
- >The password is only displayed once. Be sure to save it for later use.
+ > [!NOTE]
+ > The password is only displayed once. Be sure to save it for later use.
- :::image type="content" source="../../media/add-machine-eval-labnew.png" alt-text="Image of device added with connection details":::
+ :::image type="content" source="../../media/add-machine-eval-lab-new.png" alt-text="Image of device added with connection details":::
-4. Device set up begins. This can take up to approximately 30 minutes.
+4. Device set up begins. This can take up to approximately 30 minutes.
-5. See the status of test devices, the risk and exposure levels, and the status of simulator installations by selecting the **Devices** tab.
+5. See the status of test devices, the risk and exposure levels, and the status of simulator installations by selecting the **Devices** tab.
![Image of devices tab](images/machines-tab.png)
-
> [!TIP] > In the **Simulator status** column, you can hover over the information icon to know the installation status of an agent. ## Request for more devices
-When all existing devices are used and deleted, you can request for more devices. You can request for lab resources once a month.
+When all existing devices are used and deleted, you can request for more devices. You can request for lab resources once a month.
1. From the evaluation lab dashboard, select **Request for more devices**. ![Image of request for more devices](images/request-more-devices.png)
-2. Choose your configuration.
-3. Submit the request.
+2. Choose your configuration.
+3. Submit the request.
When the request is submitted successfully you'll see a green confirmation banner and the date of the last submission.
-
-You can find the status of your request in the **User Actions** tab, which will be approved in a matter of hours.
-When approved, the requested devices will be added to your lab set up and youΓÇÖll be able to create more devices.
+You can find the status of your request in the **User Actions** tab, which will be approved in a matter of hours.
+When approved, the requested devices will be added to your lab set up and you'll be able to create more devices.
> [!TIP]
-> To get more out of your lab, donΓÇÖt forget to check out our simulations library.
+> To get more out of your lab, don't forget to check out our simulations library.
## Simulate attack scenarios
-Use the test devices to run your own attack simulations by connecting to them.
+
+Use the test devices to run your own attack simulations by connecting to them.
You can simulate attack scenarios using:+ - The ["Do It Yourself" attack scenarios](https://security.microsoft.com/tutorials/all) - Threat simulators You can also use [Advanced hunting](advanced-hunting-overview.md) to query data and [Threat analytics](threat-analytics.md) to view reports about emerging threats. ### Do-it-yourself attack scenarios+ If you are looking for a pre-made simulation, you can use our ["Do It Yourself" attack scenarios](https://security.microsoft.com/tutorials/all). These scripts are safe, documented, and easy to use. These scenarios will reflect Defender for Endpoint capabilities and walk you through investigation experience.
+If you are looking for a pre-made simulation, you can use our ["Do It Yourself" attack scenarios](https://security.microsoft.com/tutorials/all). These scripts are safe, documented, and easy to use. These scenarios will reflect Defender for Endpoint capabilities and walk you through investigation experience.
->[!NOTE]
->The connection to the test devices is done using RDP. Make sure that your firewall settings allow RDP connections.
+> [!NOTE]
+> The connection to the test devices is done using RDP. Make sure that your firewall settings allow RDP connections.
-1. Connect to your device and run an attack simulation by selecting **Connect**.
+1. Connect to your device and run an attack simulation by selecting **Connect**.
![Image of the connect button for test devices](images/test-machine-table.png)
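Review bot: the "+" line "The device will be configured with the most up-to-date version of the OS and Office 2019 Standard as well as other apps such as Java, Python, and SysIntenals." only changes trailing whitespace and carries the typo "SysIntenals" forward; it should be "Sysinternals". The image reference in this hunk is also renamed from add-machine-eval-labnew.png to add-machine-eval-lab-new.png; make sure the media file rename is part of the same commit so the link does not break.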
If you are looking for a pre-made simulation, you can use our ["Do It Yourself"
>[!NOTE] >If you don't have a copy of the password saved during the initial setup, you can reset the password by selecting **Reset password** from the menu: > ![Image of reset password](images/reset-password-test-machine.png)<br>
- > The device will change itΓÇÖs state to ΓÇ£Executing password reset", then youΓÇÖll be presented with your new password in a few minutes.
+ > The device will change it's state to "Executing password reset", then you'll be presented with your new password in a few minutes.
-3. Enter the password that was displayed during the device creation step.
+3. Enter the password that was displayed during the device creation step.
![Image of window to enter credentials](images/enter-password.png)
-4. Run Do-it-yourself attack simulations on the device.
-
+4. Run Do-it-yourself attack simulations on the device.
### Threat simulator scenarios
-If you chose to install any of the supported threat simulators during the lab setup, you can run the built-in simulations on the evaluation lab devices.
+If you chose to install any of the supported threat simulators during the lab setup, you can run the built-in simulations on the evaluation lab devices.
Running threat simulations using third-party platforms is a good way to evaluate Microsoft Defender for Endpoint capabilities within the confines of a lab environment.
->[!NOTE]
->Before you can run simulations, ensure the following requirements are met:
->- Devices must be added to the evaluation lab
->- Threat simulators must be installed in the evaluation lab
+> [!NOTE]
+>
+> Before you can run simulations, ensure the following requirements are met:
+>
+> - Devices must be added to the evaluation lab
+> - Threat simulators must be installed in the evaluation lab
1. From the portal select **Create simulation**.
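Review bot: the added line that replaces the mojibake still carries a typo: "The device will change it's state to "Executing password reset"" should use the possessive "its state" (no apostrophe). The remaining changes in this hunk (the space after ">" in the note, the blank ">" separators around the requirements list, and the removed blank line after step 4) are fine.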
Running threat simulations using third-party platforms is a good way to evaluate
![Image of threat simulator selection](images/select-simulator.png)
-3. Choose a simulation or look through the simulation gallery to browse through the available simulations.
+3. Choose a simulation or look through the simulation gallery to browse through the available simulations.
You can get to the simulation gallery from: - The main evaluation dashboard in the **Simulations overview** tile or
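Review bot: step 3 is only a whitespace change, but since the line is touched anyway, "Choose a simulation or look through the simulation gallery to browse through the available simulations" says the same thing twice; "Choose a simulation, or browse the simulation gallery for the available simulations" would be tighter.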
Running threat simulations using third-party platforms is a good way to evaluate
5. Select **Create simulation**.
-6. View the progress of a simulation by selecting the **Simulations** tab. View the simulation state, active alerts, and other details.
+6. View the progress of a simulation by selecting the **Simulations** tab. View the simulation state, active alerts, and other details.
![Image of simulations tab](images/simulations-tab.png)
-
+ After running your simulations, we encourage you to walk through the lab progress bar and explore **Microsoft Defender for Endpoint triggered an automated investigation and remediation**. Check out the evidence collected and analyzed by the feature. Hunt for attack evidence through advanced hunting by using the rich query language and raw telemetry and check out some world-wide threats documented in Threat analytics. - ## Simulation gallery
-Microsoft Defender for Endpoint has partnered with various threat simulation platforms to give you convenient access to test the capabilities of the platform right from the within the portal.
-View all the available simulations by going to **Simulations and tutorials** > **Simulations catalog** from the menu.
+Microsoft Defender for Endpoint has partnered with various threat simulation platforms to give you convenient access to test the capabilities of the platform right from the within the portal.
-A list of supported third-party threat simulation agents are listed, and specific types of simulations along with detailed descriptions are provided on the catalog.
+View all the available simulations by going to **Simulations and tutorials** > **Simulations catalog** from the menu.
-You can conveniently run any available simulation right from the catalog.
+A list of supported third-party threat simulation agents are listed, and specific types of simulations along with detailed descriptions are provided on the catalog.
+You can conveniently run any available simulation right from the catalog.
![Image of simulations catalog](images/simulations-catalog.png) Each simulation comes with an in-depth description of the attack scenario and references such as the MITRE attack techniques used and sample Advanced hunting queries you run. **Examples:**
-![Image of simulation description details1](images/simulation-details-aiq.png)
+![Image of simulation description details1](images/simulation-details-aiq.png)
![Image of simulation description details2](images/simulation-details-sb.png) - ## Evaluation report+ The lab reports summarize the results of the simulations conducted on the devices. ![Image of the evaluation report](images/eval-report.png) At a glance, you'll quickly be able to see:+ - Incidents that were triggered - Generated alerts-- Assessments on exposure level
+- Assessments on exposure level
- Threat categories observed - Detection sources - Automated investigations - ## Provide feedback+ Your feedback helps us get better in protecting your environment from advanced attacks. Share your experience and impressions from product capabilities and evaluation results. Let us know what you think, by selecting **Provide feedback**.
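Review bot: two wording slips survive into the re-added paragraphs: "right from the within the portal" has a stray "the" (should be "right from within the portal"), and "A list of supported third-party threat simulation agents are listed" pairs a singular subject with a plural verb and is redundant; "Supported third-party threat simulation agents are listed" fixes both. In the unchanged context line that follows, "sample Advanced hunting queries you run" should read "queries you can run".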
security Event Error Codes https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/event-error-codes.md
ms.technology: mde
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
->Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-enablesiem-abovefoldlink)
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-enablesiem-abovefoldlink)
You can review event IDs in the [Event Viewer](https://msdn.microsoft.com/library/aa745633(v=bts.10).aspx) on individual devices.
For example, if devices aren't appearing in the **Devices list**, you might need
2. In the log list, under **Log Summary**, scroll until you see **Microsoft-Windows-SENSE/Operational**. Double-click the item to open the log.
- a. You can also access the log by expanding **Applications and Services Logs** > **Microsoft** > **Windows** > **SENSE** and click on **Operational**.
+ You can also access the log by expanding **Applications and Services Logs** > **Microsoft** > **Windows** > **SENSE** and click on **Operational**.
> [!NOTE] > SENSE is the internal name used to refer to the behavioral sensor that powers Microsoft Defender for Endpoint. 3. Events recorded by the service will appear in the log. See the following table for a list of events recorded by the service.
-<table>
-<tbody style="vertical-align:top;">
-<tr>
-<th>Event ID</th>
-<th>Message</th>
-<th>Description</th>
-<th>Action</th>
-</tr>
-<tr>
-<td>1</td>
-<td>Microsoft Defender for Endpoint service started (Version <code>variable</code>).</td>
-<td>Occurs during system startup, shut down, and during onboarding.</td>
-<td>Normal operating notification; no action required.</td>
-</tr>
-<tr>
-<td>2</td>
-<td>Microsoft Defender for Endpoint service shutdown.</td>
-<td>Occurs when the device is shut down or offboarded.</td>
-<td>Normal operating notification; no action required.</td>
-</tr>
-<tr>
-<td>3</td>
-<td>Microsoft Defender for Endpoint service failed to start. Failure code: <code>variable</code>.</td>
-<td>Service didn't start.</td>
-<td>Review other messages to determine possible cause and troubleshooting steps.</td>
-</tr>
-<tr>
-<td>4</td>
-<td>Microsoft Defender for Endpoint service contacted the server at <code>variable</code>.</td>
-<td>Variable = URL of the Defender for Endpoint processing servers.<br>
-This URL will match that seen in the Firewall or network activity.</td>
-<td>Normal operating notification; no action required.</td>
-</tr>
-<tr>
-<td>5</td>
-<td>Microsoft Defender for Endpoint service failed to connect to the server at <code>variable</code>.</td>
-<td>Variable = URL of the Defender for Endpoint processing servers.<br>
-The service couldn't contact the external processing servers at that URL.</td>
-<td>Check the connection to the URL. See <a href="configure-proxy-internet.md" data-raw-source="[Configure proxy and Internet connectivity](configure-proxy-internet.md)">Configure proxy and Internet connectivity</a>.</td>
-</tr>
-<tr>
-<td>6</td>
-<td>Microsoft Defender for Endpoint service is not onboarded and no onboarding parameters were found.</td>
-<td>The device didn't onboard correctly and won't be reporting to the portal.</td>
-<td>Onboarding must be run before starting the service.<br>
-Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
-See <a href="configure-endpoints.md" data-raw-source="[Onboard Windows 10 devices](configure-endpoints.md)">Onboard Windows 10 devices</a>.</td>
-</tr>
-<tr>
-<td>7</td>
-<td>Microsoft Defender for Endpoint service failed to read the onboarding parameters. Failure: <code>variable</code>.</td>
-<td>Variable = detailed error description. The device didn't onboard correctly and won't be reporting to the portal.</td>
-<td>Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
-See <a href="configure-endpoints.md" data-raw-source="[Onboard Windows 10 devices](configure-endpoints.md)">Onboard Windows 10 devices</a>.</td>
-</tr>
-<tr>
-<td>8</td>
-<td>Microsoft Defender for Endpoint service failed to clean its configuration. Failure code: <code>variable</code>.</td>
-<td><b>During onboarding:</b> The service failed to clean its configuration during the onboarding. The onboarding process continues. <br><br> <b>During offboarding:</b> The service failed to clean its configuration during the offboarding. The offboarding process finished but the service keeps running.
- </td>
-<td><b>Onboarding:</b> No action required. <br><br> <b>Offboarding:</b> Reboot the system.<br>
-See <a href="configure-endpoints.md" data-raw-source="[Onboard Windows 10 devices](configure-endpoints.md)">Onboard Windows 10 devices</a>.</td>
-</tr>
-<tr>
-<td>9</td>
-<td>Microsoft Defender for Endpoint service failed to change its start type. Failure code: <code>variable</code>.</td>
-<td><b>During onboarding:</b> The device didn't onboard correctly and won't be reporting to the portal. <br><br><b>During offboarding:</b> Failed to change the service start type. The offboarding process continues. </td>
-<td>Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
-See <a href="configure-endpoints.md" data-raw-source="[Onboard Windows 10 devices](configure-endpoints.md)">Onboard Windows 10 devices</a>.</td>
-</tr>
-<tr>
-<td>10</td>
-<td>Microsoft Defender for Endpoint service failed to persist the onboarding information. Failure code: <code>variable</code>.</td>
-<td>The device didn't onboard correctly and won't be reporting to the portal.</td>
-<td>Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
-See <a href="configure-endpoints.md" data-raw-source="[Onboard Windows 10 devices](configure-endpoints.md)">Onboard Windows 10 devices</a>.</td>
-</tr>
-<tr>
-<td>11</td>
-<td>Onboarding or re-onboarding of Defender for Endpoint service completed.</td>
-<td>The device onboarded correctly.</td>
-<td>Normal operating notification; no action required.<br>
-It may take several hours for the device to appear in the portal.</td>
-</tr>
-<tr>
-<td>12</td>
-<td>Microsoft Defender for Endpoint failed to apply the default configuration.</td>
-<td>Service was unable to apply the default configuration.</td>
-<td>This error should resolve after a short period of time.</td>
-</tr>
-<tr>
-<td>13</td>
-<td>Microsoft Defender for Endpoint device ID calculated: <code>variable</code>.</td>
-<td>Normal operating process.</td>
-<td>Normal operating notification; no action required.</td>
-</tr>
-<tr>
-<td>15</td>
-<td>Microsoft Defender for Endpoint cannot start command channel with URL: <code>variable</code>.</td>
-<td>Variable = URL of the Defender for Endpoint processing servers.<br>
-The service couldn't contact the external processing servers at that URL.</td>
-<td>Check the connection to the URL. See <a href="configure-proxy-internet.md" data-raw-source="[Configure proxy and Internet connectivity](configure-proxy-internet.md)">Configure proxy and Internet connectivity</a>.</td>
-</tr>
-<tr>
-<td>17</td>
-<td>Microsoft Defender for Endpoint service failed to change the Connected User Experiences and Telemetry service location. Failure code: <code>variable</code>.</td>
-<td>An error occurred with the Windows telemetry service.</td>
-<td><a href="troubleshoot-onboarding.md#ensure-that-microsoft-defender-antivirus-is-not-disabled-by-a-policy" data-raw-source="[Ensure the diagnostic data service is enabled](troubleshoot-onboarding.md#ensure-that-microsoft-defender-antivirus-is-not-disabled-by-a-policy)">Ensure the diagnostic data service is enabled</a>.<br>
-Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
-See <a href="configure-endpoints.md" data-raw-source="[Onboard Windows 10 devices](configure-endpoints.md)">Onboard Windows 10 devices</a>.</td>
-</tr>
-<tr>
-<td>18</td>
-<td>OOBE (Windows Welcome) is completed.</td>
-<td>Service will only start after any Windows updates have finished installing.</td>
-<td>Normal operating notification; no action required.</td>
-</tr>
-<tr>
-<td>19</td>
-<td>OOBE (Windows Welcome) has not yet completed.</td>
-<td>Service will only start after any Windows updates have finished installing.</td>
-<td>Normal operating notification; no action required.<br>
-If this error persists after a system restart, ensure all Windows updates have full installed.</td>
-</tr>
-<tr>
-<td>20</td>
-<td>Cannot wait for OOBE (Windows Welcome) to complete. Failure code: <code>variable</code>.</td>
-<td>Internal error.</td>
-<td>If this error persists after a system restart, ensure all Windows updates have full installed.</td>
-</tr>
-<tr>
-<td>25</td>
-<td>Microsoft Defender for Endpoint service failed to reset health status in the registry. Failure code: <code>variable</code>.</td>
-<td>The device didn't onboard correctly.
-It will report to the portal, however the service may not appear as registered in SCCM or the registry.</td>
-<td>Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
-See <a href="configure-endpoints.md" data-raw-source="[Onboard Windows 10 devices](configure-endpoints.md)">Onboard Windows 10 devices</a>.</td>
-</tr>
-<tr>
-<td>26</td>
-<td>Microsoft Defender for Endpoint service failed to set the onboarding status in the registry. Failure code: <code>variable</code>.</td>
-<td>The device didn't onboard correctly.<br>
-It will report to the portal, however the service may not appear as registered in SCCM or the registry.</td>
-<td>Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
-See <a href="configure-endpoints.md" data-raw-source="[Onboard Windows 10 devices](configure-endpoints.md)">Onboard Windows 10 devices</a>.</td>
-</tr>
-<tr>
-<td>27</td>
-<td>Microsoft Defender for Endpoint service failed to enable SENSE aware mode in Microsoft Defender Antivirus. Onboarding process failed. Failure code: <code>variable</code>.</td>
-<td>Normally, Microsoft Defender Antivirus will enter a special passive state if another real-time antimalware product is running properly on the device, and the device is reporting to Defender for Endpoint.</td>
-<td>Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
-See <a href="configure-endpoints.md" data-raw-source="[Onboard Windows 10 devices](configure-endpoints.md)">Onboard Windows 10 devices</a>.<br>
-Ensure real-time antimalware protection is running properly.</td>
-</tr>
-<tr>
-<td>28</td>
-<td>Microsoft Defender for Endpoint Connected User Experiences and Telemetry service registration failed. Failure code: <code>variable</code>.</td>
-<td>An error occurred with the Windows telemetry service.</td>
-<td><a href="troubleshoot-onboarding.md#ensure-that-microsoft-defender-antivirus-is-not-disabled-by-a-policy" data-raw-source="[Ensure the diagnostic data service is enabled](troubleshoot-onboarding.md#ensure-that-microsoft-defender-antivirus-is-not-disabled-by-a-policy)">Ensure the diagnostic data service is enabled</a>.<br>
-Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
-See <a href="configure-endpoints.md" data-raw-source="[Onboard Windows 10 devices](configure-endpoints.md)">Onboard Windows 10 devices</a>.</td>
-</tr>
-<tr>
-<td>29</td>
-<td>Failed to read the offboarding parameters. Error type: %1, Error code: %2, Description: %3 </td>
-<td>This event occurs when the system can&#39;t read the offboarding parameters.</td>
-<td>Ensure the device has Internet access, then run the entire offboarding process again. Ensure the offboarding package hasn't expired.</td>
-</tr>
-<tr>
-<td>30</td>
-<td>Microsoft Defender for Endpoint service failed to disable SENSE aware mode in Microsoft Defender Antivirus. Failure code: <code>variable</code>.</td>
-<td>Normally, Microsoft Defender Antivirus will enter a special passive state if another real-time antimalware product is running properly on the device, and the device is reporting to Defender for Endpoint.</td>
-<td>Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
-See <a href="configure-endpoints.md" data-raw-source="[Onboard Windows 10 devices](configure-endpoints.md)">Onboard Windows 10 devices</a><br>
-Ensure real-time antimalware protection is running properly.</td>
-</tr>
-<tr>
-<td>31</td>
-<td>Microsoft Defender for Endpoint Connected User Experiences and Telemetry service unregistration failed. Failure code: <code>variable</code>.</td>
-<td>An error occurred with the Windows telemetry service during onboarding. The offboarding process continues.</td>
-<td><a href="troubleshoot-onboarding.md#ensure-the-diagnostic-data-service-is-enabled" data-raw-source="[Check for errors with the Windows telemetry service](troubleshoot-onboarding.md#ensure-the-diagnostic-data-service-is-enabled)">Check for errors with the Windows telemetry service</a>.</td>
-</tr>
-<tr>
-<td>32</td>
-<td>Microsoft Defender for Endpoint service failed to request to stop itself after offboarding process. Failure code: %1</td>
-<td>An error occurred during offboarding.</td>
-<td>Reboot the device.</td>
-</tr>
-<tr>
-<td>33</td>
-<td>Microsoft Defender for Endpoint service failed to persist SENSE GUID. Failure code: <code>variable</code>.</td>
-<td>A unique identifier is used to represent each device that is reporting to the portal.<br>
-If the identifier doesn't persist, the same device might appear twice in the portal.</td>
-<td>Check registry permissions on the device to ensure the service can update the registry.</td>
-</tr>
-<tr>
-<td>34</td>
-<td>Microsoft Defender for Endpoint service failed to add itself as a dependency on the Connected User Experiences and Telemetry service, causing onboarding process to fail. Failure code: <code>variable</code>.</td>
-<td>An error occurred with the Windows telemetry service.</td>
-<td><a href="troubleshoot-onboarding.md#ensure-that-microsoft-defender-antivirus-is-not-disabled-by-a-policy" data-raw-source="[Ensure the diagnostic data service is enabled](troubleshoot-onboarding.md#ensure-that-microsoft-defender-antivirus-is-not-disabled-by-a-policy)">Ensure the diagnostic data service is enabled</a>.<br>
-Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
-See <a href="configure-endpoints.md" data-raw-source="[Onboard Windows 10 devices](configure-endpoints.md)">Onboard Windows 10 devices</a>.</td>
-</tr>
-<tr>
-<td>35</td>
-<td>Microsoft Defender for Endpoint service failed to remove itself as a dependency on the Connected User Experiences and Telemetry service. Failure code: <code>variable</code>.</td>
-<td>An error occurred with the Windows telemetry service during offboarding. The offboarding process continues.
-</td>
-<td>Check for errors with the Windows diagnostic data service.</td>
-</tr>
-<tr>
-<td>36</td>
-<td>Microsoft Defender for Endpoint Connected User Experiences and Telemetry service registration succeeded. Completion code: <code>variable</code>.</td>
-<td>Registering Defender for Endpoint with the Connected User Experiences and Telemetry service completed successfully.</td>
-<td>Normal operating notification; no action required.</td>
-</tr>
-<tr>
-<td>37</td>
-<td>Microsoft Defender for Endpoint A module is about to exceed its quota. Module: %1, Quota: {%2} {%3}, Percentage of quota utilization: %4.</td>
-<td>The device has almost used its allocated quota of the current 24-hour window. ItΓÇÖs about to be throttled.</td>
-<td>Normal operating notification; no action required.</td>
-</tr>
-<tr>
-<td>38</td>
-<td>Network connection is identified as low. Microsoft Defender for Endpoint will contact the server every %1 minutes. Metered connection: %2, internet available: %3, free network available: %4.</td>
-<td>The device is using a metered/paid network and will be contacting the server less frequently.</td>
-<td>Normal operating notification; no action required.</td>
-</tr>
-<tr>
-<td>39</td>
-<td>Network connection is identified as normal. Microsoft Defender for Endpoint will contact the server every %1 minutes. Metered connection: %2, internet available: %3, free network available: %4.</td>
-<td>The device isn't using a metered/paid connection and will contact the server as usual.</td>
-<td>Normal operating notification; no action required.</td>
-</tr>
-<tr>
-<td>40</td>
-<td>Battery state is identified as low. Microsoft Defender for Endpoint will contact the server every %1 minutes. Battery state: %2.</td>
-<td>The device has low battery level and will contact the server less frequently.</td>
-<td>Normal operating notification; no action required.</td>
-</tr>
-<tr>
-<td>41</td>
-<td>Battery state is identified as normal. Microsoft Defender for Endpoint will contact the server every %1 minutes. Battery state: %2.</td>
-<td>The device doesnΓÇÖt have low battery level and will contact the server as usual.</td>
-<td>Normal operating notification; no action required.</td>
-</tr>
-<tr>
-<td>42</td>
-<td>Microsoft Defender for Endpoint component failed to perform action. Component: %1, Action: %2, Exception Type: %3, Exception message: %4</td>
-<td>Internal error. The service failed to start.</td>
-<td>If this error persists, contact Support.</td>
-</tr>
-<tr>
-<td>43</td>
-<td>Microsoft Defender for Endpoint component failed to perform action. Component: %1, Action: %2, Exception Type: %3, Exception Error: %4, Exception message: %5</td>
-<td>Internal error. The service failed to start.</td>
-<td>If this error persists, contact Support.</td>
-</tr>
-<tr>
-<td>44</td>
-<td>Offboarding of Defender for Endpoint service completed.</td>
-<td>The service was offboarded.</td>
-<td>Normal operating notification; no action required.</td>
-</tr>
-<tr>
-<td>45</td>
-<td>Failed to register and to start the event trace session [%1]. Error code: %2</td>
-<td>An error occurred on service startup while creating ETW session. This caused service start-up failure.</td>
-<td>If this error persists, contact Support.</td>
-</tr>
-<tr>
-<td>46</td>
-<td>Failed to register and start the event trace session [%1] due to lack of resources. Error code: %2. This is most likely because there are too many active event trace sessions. The service will retry in 1 minute.</td>
-<td>An error occurred on service startup while creating ETW session due to lack of resources. The service started and is running, but won't report any sensor event until the ETW session is started.</td>
-<td>Normal operating notification; no action required. The service will try to start the session every minute.</td>
-</tr>
-<tr>
-<td>47</td>
-<td>Successfully registered and started the event trace session - recovered after previous failed attempts.</td>
-<td>This event follows the previous event after successfully starting of the ETW session.</td>
-<td>Normal operating notification; no action required.</td>
-</tr>
-<tr>
-<td>48</td>
-<td>Failed to add a provider [%1] to event trace session [%2]. Error code: %3. This means that events from this provider will not be reported.</td>
-<td>Failed to add a provider to ETW session. As a result, the provider events arenΓÇÖt reported.</td>
-<td>Check the error code. If the error persists contact Support.</td>
-</tr>
-</tr>
-<tr>
- <td>49</td>
- <td>Invalid cloud configuration command received and ignored. Version: %1, status: %2, error code: %3, message: %4</td>
- <td>Received an invalid configuration file from the cloud service that was ignored.</td>
- <td>If this error persists, contact Support.</td>
-</tr>
-<tr>
- <td>50</td>
- <td>New cloud configuration applied successfully. Version: %1.</td>
- <td>Successfully applied a new configuration from the cloud service.</td>
- <td>Normal operating notification; no action required.</td>
-</tr>
-<tr>
- <td>51</td>
- <td>New cloud configuration failed to apply, version: %1. Successfully applied the last known good configuration, version %2.</td>
- <td>Received a bad configuration file from the cloud service. Last known good configuration was applied successfully.</td>
- <td>If this error persists, contact Support.</td>
-</tr>
-<tr>
- <td>52</td>
- <td>New cloud configuration failed to apply, version: %1. Also failed to apply last known good configuration, version %2. Successfully applied the default configuration.</td>
- <td>Received a bad configuration file from the cloud service. Failed to apply the last known good configuration - and the default configuration was applied.</td>
- <td>The service will attempt to download a new configuration file within 5 minutes. If you don't see event #50 - contact Support.</td>
-</tr>
-<tr>
- <td>53</td>
- <td>Cloud configuration loaded from persistent storage, version: %1.</td>
- <td>The configuration was loaded from persistent storage on service startup.</td>
- <td>Normal operating notification; no action required.</td>
-</tr>
-<tr>
- <td>55</td>
- <td>Failed to create the Secure ETW autologger. Failure code: %1</td>
- <td>Failed to create the secure ETW logger.</td>
- <td>Reboot the device. If this error persists, contact Support.</td>
-</tr>
-<tr>
- <td>56</td>
- <td>Failed to remove the Secure ETW autologger. Failure code: %1</td>
- <td>Failed to remove the secure ETW session on offboarding.</td>
- <td>Contact Support.</td>
-</tr>
-<tr>
- <td>57</td>
- <td>Capturing a snapshot of the machine for troubleshooting purposes.</td>
- <td>An investigation package, also known as forensics package, is being collected.</td>
- <td>Normal operating notification; no action required.</td>
-</tr>
-<tr>
- <td>59</td>
- <td>Starting command: %1</td>
- <td>Starting response command execution.</td>
- <td>Normal operating notification; no action required.</td>
-</tr>
-<tr>
- <td>60</td>
- <td>Failed to run command %1, error: %2.</td>
- <td>Failed to execute response command.</td>
- <td>If this error persists, contact Support.</td>
-</tr>
-<tr>
- <td>61</td>
- <td>Data collection command parameters are invalid: SasUri: %1, compressionLevel: %2.</td>
- <td>Failed to read or parse the data collection command arguments (invalid arguments).</td>
- <td>If this error persists, contact Support.</td>
-</tr>
-<tr>
- <td>62</td>
- <td>Failed to start Connected User Experiences and Telemetry service. Failure code: %1</td>
- <td>Connected User Experiences and Telemetry (diagtrack) service failed to start. Non-Microsoft Defender for Endpoint telemetry won't be sent from this machine.</td>
- <td>Look for more troubleshooting hints in the event log: Microsoft-Windows-UniversalTelemetryClient/Operational.</td>
-</tr>
-<tr>
- <td>63</td>
- <td>Updating the start type of external service. Name: %1, actual start type: %2, expected start type: %3, exit code: %4</td>
- <td>Updated start type of the external service.</td>
- <td>Normal operating notification; no action required.</td>
-</tr>
-<tr>
- <td>64</td>
- <td>Starting stopped external service. Name: %1, exit code: %2</td>
- <td>Starting an external service.</td>
- <td>Normal operating notification; no action required.</td>
-</tr>
-<tr>
- <td>65</td>
- <td>Failed to load Microsoft Security Events Component Minifilter driver. Failure code: %1</td>
- <td>Failed to load MsSecFlt.sys filesystem minifilter.</td>
- <td>Reboot the device. If this error persists, contact Support.</td>
-</tr>
-<tr>
- <td>66</td>
- <td>Policy update: Latency mode - %1</td>
- <td>The C&C connection frequency policy was updated.</td>
- <td>Normal operating notification; no action required.</td>
-</tr>
-<tr>
- <td>68</td>
- <td>The start type of the service is unexpected. Service name: %1, actual start type: %2, expected start type: %3</td>
- <td>Unexpected external service start type.</td>
- <td>Fix the external service start type.</td>
-</tr>
-<tr>
- <td>69</td>
- <td>The service is stopped. Service name: %1</td>
- <td>The external service is stopped.</td>
- <td>Start the external service.</td>
-</tr>
-<tr>
- <td>70</td>
- <td>Policy update: Allow sample collection - %1</td>
- <td>The sample collection policy was updated.</td>
- <td>Normal operating notification; no action required.</td>
-</tr>
-<tr>
- <td>71</td>
- <td>Succeeded to run command: %1</td>
- <td>The command was executed successfully.</td>
- <td>Normal operating notification; no action required.</td>
-</tr>
-<tr>
- <td>72</td>
- <td>Tried to send first full machine profile report. Result code: %1</td>
- <td>Informational only.</td>
- <td>Normal operating notification; no action required.</td>
-</tr>
-<tr>
- <td>73</td>
- <td>Sense starting for platform: %1</td>
- <td>Informational only.</td>
- <td>Normal operating notification; no action required.</td>
-</tr>
-<tr>
- <td>74</td>
- <td>Device tag in registry exceeds length limit. Tag name: %2. Length limit: %1.</td>
- <td>The device tag exceeds the length limit.</td>
- <td>Use a shorter device tag.</td>
-</tr>
-<tr>
- <td>81</td>
- <td>Failed to create Microsoft Defender for Endpoint ETW autologger. Failure code: %1</td>
- <td>Failed to create the ETW session.</td>
- <td>Reboot the device. If this error persists, contact Support.</td>
-</tr>
-<tr>
- <td>82</td>
- <td>Failed to remove Microsoft Defender for Endpoint ETW autologger. Failure code: %1</td>
- <td>Failed to delete the ETW session.</td>
- <td>Contact Support.</td>
-</tr>
-<tr>
- <td>84</td>
- <td>Set Windows Defender Antivirus running mode. Force passive mode: %1, result code: %2.</td>
- <td>Set defender running mode (active or passive).</td>
- <td>Normal operating notification; no action required.</td>
-</tr>
-<tr>
- <td>85</td>
- <td>Failed to trigger Microsoft Defender for Endpoint executable. Failure code: %1</td>
- <td>Starring SenseIR executable failed.</td>
- <td>Reboot the device. If this error persists, contact Support.</td>
-</tr>
-<tr>
- <td>86</td>
- <td>Starting again stopped external service that should be up. Name: %1, exit code: %2</td>
- <td>Starting the external service again.</td>
- <td>Normal operating notification; no action required.</td>
-</tr>
-<tr>
- <td>87</td>
- <td>Cannot start the external service. Name: %1</td>
- <td>Failed to start the external service.</td>
- <td>Contact Support.</td>
-</tr>
-<tr>
- <td>88</td>
- <td>Updating the start type of external service again. Name: %1, actual start type: %2, expected start type: %3, exit code: %4</td>
- <td>Updated the start type of the external service.</td>
- <td>Normal operating notification; no action required.</td>
-</tr>
-<tr>
- <td>89</td>
- <td>Cannot update the start type of external service. Name: %1, actual start type: %2, expected start type: %3</td>
- <td>Can't update the start type of the external service.</td>
- <td>Contact Support.</td>
-</tr>
-<tr>
- <td>90</td>
- <td>Failed to configure System Guard Runtime Monitor to connect to cloud service in geo-region %1. Failure code: %2</td>
- <td>System Guard Runtime Monitor won't send attestation data to the cloud service.</td>
- <td>Check the permissions on register path: "HKLM\Software\Microsoft\Windows\CurrentVersion\Sgrm". If no issues spotted, contact Support.</td>
-</tr>
-<tr>
- <td>91</td>
- <td>Failed to remove System Guard Runtime Monitor geo-region information. Failure code: %1</td>
- <td>System Guard Runtime Monitor won't send attestation data to the cloud service.</td>
- <td>Check the permissions on register path: "HKLM\Software\Microsoft\Windows\CurrentVersion\Sgrm". If no issues spotted, contact Support.</td>
-</tr>
-<tr>
- <td>92</td>
- <td>Stopping sending sensor cyber data quota because data quota is exceeded. Will resume sending once quota period passes. State Mask: %1</td>
- <td>Exceed throttling limit.</td>
- <td>Normal operating notification; no action required.</td>
-</tr>
-<tr>
- <td>93</td>
- <td>Resuming sending sensor cyber data. State Mask: %1</td>
- <td>Resume cyber data submission.</td>
- <td>Normal operating notification; no action required.</td>
-</tr>
-<tr>
- <td>94</td>
- <td>Microsoft Defender for Endpoint executable has started</td>
- <td>The SenseCE executable has started.</td>
- <td>Normal operating notification; no action required.</td>
-</tr>
-<tr>
- <td>95</td>
- <td>Microsoft Defender for Endpoint executable has ended</td>
- <td>The SenseCE executable has ended.</td>
- <td>Normal operating notification; no action required.</td>
-</tr>
-<tr>
- <td>96</td>
- <td>Microsoft Defender for Endpoint Init has called. Result code: %2</td>
- <td>The SenseCE executable has called MCE initialization.</td>
- <td>Normal operating notification; no action required.</td>
-</tr>
-<tr>
- <td>97</td>
- <td>There are connectivity issues to the Cloud for the DLP scenario</td>
- <td>There are network connectivity issues that affect the DLP classification flow.</td>
- <td>Check the network connectivity.</td>
-</tr>
-<tr>
- <td>98</td>
- <td>The connectivity to the Cloud for the DLP scenario has been restored</td>
- <td>The connectivity to the network was restored and the DLP classification flow can continue.</td>
- <td>Normal operating notification; no action required.</td>
-</tr>
-<tr>
- <td>99</td>
- <td>Sense has encountered the following error while communicating with server: (%1). Result: (%2)</td>
- <td>A communication error occurred.</td>
- <td>Check the following events in the event log for further details.</td>
-</tr>
-<tr>
- <td>100</td>
- <td>Microsoft Defender for Endpoint executable failed to start. Failure code: %1</td>
- <td>The SenseCE executable has failed to start.</td>
- <td>Reboot the device. If this error persists, contact Support.</td>
-</tr>
-<tr>
- <td>102</td>
- <td>Microsoft Defender for Endpoint Network Detection and Response executable has started</td>
- <td>The SenseNdr executable has started.</td>
- <td>Normal operating notification; no action required.</td>
-</tr>
-<tr>
- <td>103</td>
- <td>Microsoft Defender for Endpoint Network Detection and Response executable has ended</td>
- <td>The SenseNdr executable has ended.</td>
- <td>Normal operating notification; no action required.</td>
-</tr>
-</tbody>
-</table>
-
->Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-eventerrorcodes-belowfoldlink)
+ <br>
+
+ ****
+
+ |Event ID|Message|Description|Action|
+ |||||
+ |1|Microsoft Defender for Endpoint service started (Version `variable`).|Occurs during system startup, shut down, and during onboarding.|Normal operating notification; no action required.|
+ |2|Microsoft Defender for Endpoint service shutdown.|Occurs when the device is shut down or offboarded.|Normal operating notification; no action required.|
+ |3|Microsoft Defender for Endpoint service failed to start. Failure code: `variable`.|Service didn't start.|Review other messages to determine possible cause and troubleshooting steps.|
+ |4|Microsoft Defender for Endpoint service contacted the server at `variable`.|Variable = URL of the Defender for Endpoint processing servers. <p> This URL will match that seen in the Firewall or network activity.|Normal operating notification; no action required.|
+ |5|Microsoft Defender for Endpoint service failed to connect to the server at `variable`.|Variable = URL of the Defender for Endpoint processing servers. <p> The service couldn't contact the external processing servers at that URL.|Check the connection to the URL. See [Configure proxy and Internet connectivity](configure-proxy-internet.md).|
+ |6|Microsoft Defender for Endpoint service is not onboarded and no onboarding parameters were found.|The device didn't onboard correctly and won't be reporting to the portal.|Onboarding must be run before starting the service. <p> Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages. <p> See [Onboard Windows 10 devices](configure-endpoints.md).|
+ |7|Microsoft Defender for Endpoint service failed to read the onboarding parameters. Failure: `variable`.|Variable = detailed error description. The device didn't onboard correctly and won't be reporting to the portal.|Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages. <p> See [Onboard Windows 10 devices](configure-endpoints.md).|
+ |8|Microsoft Defender for Endpoint service failed to clean its configuration. Failure code: `variable`.|**During onboarding:** The service failed to clean its configuration during the onboarding. The onboarding process continues. <p> **During offboarding:** The service failed to clean its configuration during the offboarding. The offboarding process finished but the service keeps running.|**Onboarding:** No action required. <p> **Offboarding:** Reboot the system. <p> See [Onboard Windows 10 devices](configure-endpoints.md).|
+ |9|Microsoft Defender for Endpoint service failed to change its start type. Failure code: `variable`.|**During onboarding:** The device didn't onboard correctly and won't be reporting to the portal. <p>**During offboarding:** Failed to change the service start type. The offboarding process continues. |Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages. <p> See [Onboard Windows 10 devices](configure-endpoints.md).|
+ |10|Microsoft Defender for Endpoint service failed to persist the onboarding information. Failure code: `variable`.|The device didn't onboard correctly and won't be reporting to the portal.|Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages. <p> See [Onboard Windows 10 devices](configure-endpoints.md).|
+ |11|Onboarding or re-onboarding of Defender for Endpoint service completed.|The device onboarded correctly.|Normal operating notification; no action required. <p> It may take several hours for the device to appear in the portal.|
+ |12|Microsoft Defender for Endpoint failed to apply the default configuration.|Service was unable to apply the default configuration.|This error should resolve after a short period of time.|
+ |13|Microsoft Defender for Endpoint device ID calculated: `variable`.|Normal operating process.|Normal operating notification; no action required.|
+ |15|Microsoft Defender for Endpoint cannot start command channel with URL: `variable`.|Variable = URL of the Defender for Endpoint processing servers. <p> The service couldn't contact the external processing servers at that URL.|Check the connection to the URL. See [Configure proxy and Internet connectivity](configure-proxy-internet.md).|
+ |17|Microsoft Defender for Endpoint service failed to change the Connected User Experiences and Telemetry service location. Failure code: `variable`.|An error occurred with the Windows telemetry service.|[Ensure the diagnostic data service is enabled](troubleshoot-onboarding.md#ensure-that-microsoft-defender-antivirus-is-not-disabled-by-a-policy)">Ensure the diagnostic data service is enabled. <p> Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages. <p> See [Onboard Windows 10 devices](configure-endpoints.md).|
+ |18|OOBE (Windows Welcome) is completed.|Service will only start after any Windows updates have finished installing.|Normal operating notification; no action required.|
+ |19|OOBE (Windows Welcome) has not yet completed.|Service will only start after any Windows updates have finished installing.|Normal operating notification; no action required. <p> If this error persists after a system restart, ensure all Windows updates have full installed.|
+ |20|Cannot wait for OOBE (Windows Welcome) to complete. Failure code: `variable`.|Internal error.|If this error persists after a system restart, ensure all Windows updates have full installed.|
+ |25|Microsoft Defender for Endpoint service failed to reset health status in the registry. Failure code: `variable`.|The device didn't onboard correctly. It will report to the portal, however the service may not appear as registered in SCCM or the registry.|Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages. <p> See [Onboard Windows 10 devices](configure-endpoints.md).|
+ |26|Microsoft Defender for Endpoint service failed to set the onboarding status in the registry. Failure code: `variable`.|The device didn't onboard correctly. <p> It will report to the portal, however the service may not appear as registered in SCCM or the registry.|Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages. <p> See [Onboard Windows 10 devices](configure-endpoints.md).|
+ |27|Microsoft Defender for Endpoint service failed to enable SENSE aware mode in Microsoft Defender Antivirus. Onboarding process failed. Failure code: `variable`.|Normally, Microsoft Defender Antivirus will enter a special passive state if another real-time antimalware product is running properly on the device, and the device is reporting to Defender for Endpoint.|Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages. <p> See [Onboard Windows 10 devices](configure-endpoints.md). <p> Ensure real-time antimalware protection is running properly.|
+ |28|Microsoft Defender for Endpoint Connected User Experiences and Telemetry service registration failed. Failure code: `variable`.|An error occurred with the Windows telemetry service.|[Ensure the diagnostic data service is enabled](troubleshoot-onboarding.md#ensure-that-microsoft-defender-antivirus-is-not-disabled-by-a-policy). <p> Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages. <p> See [Onboard Windows 10 devices](configure-endpoints.md).|
+ |29|Failed to read the offboarding parameters. Error type: %1, Error code: %2, Description: %3|This event occurs when the system can&#39;t read the offboarding parameters.|Ensure the device has Internet access, then run the entire offboarding process again. Ensure the offboarding package hasn't expired.|
+ |30|Microsoft Defender for Endpoint service failed to disable SENSE aware mode in Microsoft Defender Antivirus. Failure code: `variable`.|Normally, Microsoft Defender Antivirus will enter a special passive state if another real-time antimalware product is running properly on the device, and the device is reporting to Defender for Endpoint.|Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages. <p> See [Onboard Windows 10 devices](configure-endpoints.md). <p> Ensure real-time antimalware protection is running properly.|
+ |31|Microsoft Defender for Endpoint Connected User Experiences and Telemetry service unregistration failed. Failure code: `variable`.|An error occurred with the Windows telemetry service during onboarding. The offboarding process continues.|[Check for errors with the Windows telemetry service](troubleshoot-onboarding.md#ensure-the-diagnostic-data-service-is-enabled).|
+ |32|Microsoft Defender for Endpoint service failed to request to stop itself after offboarding process. Failure code: %1|An error occurred during offboarding.|Reboot the device.|
+ |33|Microsoft Defender for Endpoint service failed to persist SENSE GUID. Failure code: `variable`.|A unique identifier is used to represent each device that is reporting to the portal. <p> If the identifier doesn't persist, the same device might appear twice in the portal.|Check registry permissions on the device to ensure the service can update the registry.|
+ |34|Microsoft Defender for Endpoint service failed to add itself as a dependency on the Connected User Experiences and Telemetry service, causing onboarding process to fail. Failure code: `variable`.|An error occurred with the Windows telemetry service.|[Ensure the diagnostic data service is enabled](troubleshoot-onboarding.md#ensure-that-microsoft-defender-antivirus-is-not-disabled-by-a-policy). <p> Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages. <p> See [Onboard Windows 10 devices](configure-endpoints.md).|
+ |35|Microsoft Defender for Endpoint service failed to remove itself as a dependency on the Connected User Experiences and Telemetry service. Failure code: `variable`.|An error occurred with the Windows telemetry service during offboarding. The offboarding process continues.|Check for errors with the Windows diagnostic data service.|
+ |36|Microsoft Defender for Endpoint Connected User Experiences and Telemetry service registration succeeded. Completion code: `variable`.|Registering Defender for Endpoint with the Connected User Experiences and Telemetry service completed successfully.|Normal operating notification; no action required.|
+ |37|Microsoft Defender for Endpoint A module is about to exceed its quota. Module: %1, Quota: {%2} {%3}, Percentage of quota utilization: %4.|The device has almost used its allocated quota of the current 24-hour window. It's about to be throttled.|Normal operating notification; no action required.|
+ |38|Network connection is identified as low. Microsoft Defender for Endpoint will contact the server every %1 minutes. Metered connection: %2, internet available: %3, free network available: %4.|The device is using a metered/paid network and will be contacting the server less frequently.|Normal operating notification; no action required.|
+ |39|Network connection is identified as normal. Microsoft Defender for Endpoint will contact the server every %1 minutes. Metered connection: %2, internet available: %3, free network available: %4.|The device isn't using a metered/paid connection and will contact the server as usual.|Normal operating notification; no action required.|
+ |40|Battery state is identified as low. Microsoft Defender for Endpoint will contact the server every %1 minutes. Battery state: %2.|The device has low battery level and will contact the server less frequently.|Normal operating notification; no action required.|
+ |41|Battery state is identified as normal. Microsoft Defender for Endpoint will contact the server every %1 minutes. Battery state: %2.|The device doesn't have low battery level and will contact the server as usual.|Normal operating notification; no action required.|
+ |42|Microsoft Defender for Endpoint component failed to perform action. Component: %1, Action: %2, Exception Type: %3, Exception message: %4|Internal error. The service failed to start.|If this error persists, contact Support.|
+ |43|Microsoft Defender for Endpoint component failed to perform action. Component: %1, Action: %2, Exception Type: %3, Exception Error: %4, Exception message: %5|Internal error. The service failed to start.|If this error persists, contact Support.|
+ |44|Offboarding of Defender for Endpoint service completed.|The service was offboarded.|Normal operating notification; no action required.|
+ |45|Failed to register and to start the event trace session [%1]. Error code: %2|An error occurred on service startup while creating ETW session. This caused service start-up failure.|If this error persists, contact Support.|
+ |46|Failed to register and start the event trace session [%1] due to lack of resources. Error code: %2. This is most likely because there are too many active event trace sessions. The service will retry in 1 minute.|An error occurred on service startup while creating ETW session due to lack of resources. The service started and is running, but won't report any sensor event until the ETW session is started.|Normal operating notification; no action required. The service will try to start the session every minute.|
+ |47|Successfully registered and started the event trace session - recovered after previous failed attempts.|This event follows the previous event after successfully starting of the ETW session.|Normal operating notification; no action required.|
+ |48|Failed to add a provider [%1] to event trace session [%2]. Error code: %3. This means that events from this provider will not be reported.|Failed to add a provider to ETW session. As a result, the provider events aren't reported.|Check the error code. If the error persists contact Support.|
+ |49|Invalid cloud configuration command received and ignored. Version: %1, status: %2, error code: %3, message: %4|Received an invalid configuration file from the cloud service that was ignored.|If this error persists, contact Support.|
+ |50|New cloud configuration applied successfully. Version: %1.|Successfully applied a new configuration from the cloud service.|Normal operating notification; no action required.|
+ |51|New cloud configuration failed to apply, version: %1. Successfully applied the last known good configuration, version %2.|Received a bad configuration file from the cloud service. Last known good configuration was applied successfully.|If this error persists, contact Support.|
+ |52|New cloud configuration failed to apply, version: %1. Also failed to apply last known good configuration, version %2. Successfully applied the default configuration.|Received a bad configuration file from the cloud service. Failed to apply the last known good configuration - and the default configuration was applied.|The service will attempt to download a new configuration file within 5 minutes. If you don't see event #50 - contact Support.|
+ |53|Cloud configuration loaded from persistent storage, version: %1.|The configuration was loaded from persistent storage on service startup.|Normal operating notification; no action required.|
+ |55|Failed to create the Secure ETW autologger. Failure code: %1|Failed to create the secure ETW logger.|Reboot the device. If this error persists, contact Support.|
+ |56|Failed to remove the Secure ETW autologger. Failure code: %1|Failed to remove the secure ETW session on offboarding.|Contact Support.|
+ |57|Capturing a snapshot of the machine for troubleshooting purposes.|An investigation package, also known as forensics package, is being collected.|Normal operating notification; no action required.|
+ |59|Starting command: %1|Starting response command execution.|Normal operating notification; no action required.|
+ |60|Failed to run command %1, error: %2.|Failed to execute response command.|If this error persists, contact Support.|
+ |61|Data collection command parameters are invalid: SasUri: %1, compressionLevel: %2.|Failed to read or parse the data collection command arguments (invalid arguments).|If this error persists, contact Support.|
+ |62|Failed to start Connected User Experiences and Telemetry service. Failure code: %1|Connected User Experiences and Telemetry (diagtrack) service failed to start. Non-Microsoft Defender for Endpoint telemetry won't be sent from this machine.|Look for more troubleshooting hints in the event log: Microsoft-Windows-UniversalTelemetryClient/Operational.|
+ |63|Updating the start type of external service. Name: %1, actual start type: %2, expected start type: %3, exit code: %4|Updated start type of the external service.|Normal operating notification; no action required.|
+ |64|Starting stopped external service. Name: %1, exit code: %2|Starting an external service.|Normal operating notification; no action required.|
+ |65|Failed to load Microsoft Security Events Component Minifilter driver. Failure code: %1|Failed to load MsSecFlt.sys filesystem minifilter.|Reboot the device. If this error persists, contact Support.|
+ |66|Policy update: Latency mode - %1|The C&C connection frequency policy was updated.|Normal operating notification; no action required.|
+ |68|The start type of the service is unexpected. Service name: %1, actual start type: %2, expected start type: %3|Unexpected external service start type.|Fix the external service start type.|
+ |69|The service is stopped. Service name: %1|The external service is stopped.|Start the external service.|
+ |70|Policy update: Allow sample collection - %1|The sample collection policy was updated.|Normal operating notification; no action required.|
+ |71|Succeeded to run command: %1|The command was executed successfully.|Normal operating notification; no action required.|
+ |72|Tried to send first full machine profile report. Result code: %1|Informational only.|Normal operating notification; no action required.|
+ |73|Sense starting for platform: %1|Informational only.|Normal operating notification; no action required.|
+ |74|Device tag in registry exceeds length limit. Tag name: %2. Length limit: %1.|The device tag exceeds the length limit.|Use a shorter device tag.|
+ |81|Failed to create Microsoft Defender for Endpoint ETW autologger. Failure code: %1|Failed to create the ETW session.|Reboot the device. If this error persists, contact Support.|
+ |82|Failed to remove Microsoft Defender for Endpoint ETW autologger. Failure code: %1|Failed to delete the ETW session.|Contact Support.|
+ |84|Set Windows Defender Antivirus running mode. Force passive mode: %1, result code: %2.|Set defender running mode (active or passive).|Normal operating notification; no action required.|
+ |85|Failed to trigger Microsoft Defender for Endpoint executable. Failure code: %1|Starring SenseIR executable failed.|Reboot the device. If this error persists, contact Support.|
+ |86|Starting again stopped external service that should be up. Name: %1, exit code: %2|Starting the external service again.|Normal operating notification; no action required.|
+ |87|Cannot start the external service. Name: %1|Failed to start the external service.|Contact Support.|
+ |88|Updating the start type of external service again. Name: %1, actual start type: %2, expected start type: %3, exit code: %4|Updated the start type of the external service.|Normal operating notification; no action required.|
+ |89|Cannot update the start type of external service. Name: %1, actual start type: %2, expected start type: %3|Can't update the start type of the external service.|Contact Support.|
+ |90|Failed to configure System Guard Runtime Monitor to connect to cloud service in geo-region %1. Failure code: %2|System Guard Runtime Monitor won't send attestation data to the cloud service.|Check the permissions on register path: "HKLM\Software\Microsoft\Windows\CurrentVersion\Sgrm". If no issues spotted, contact Support.|
+ |91|Failed to remove System Guard Runtime Monitor geo-region information. Failure code: %1|System Guard Runtime Monitor won't send attestation data to the cloud service.|Check the permissions on register path: "HKLM\Software\Microsoft\Windows\CurrentVersion\Sgrm". If no issues spotted, contact Support.|
+ |92|Stopping sending sensor cyber data quota because data quota is exceeded. Will resume sending once quota period passes. State Mask: %1|Exceed throttling limit.|Normal operating notification; no action required.|
+ |93|Resuming sending sensor cyber data. State Mask: %1|Resume cyber data submission.|Normal operating notification; no action required.|
+ |94|Microsoft Defender for Endpoint executable has started|The SenseCE executable has started.|Normal operating notification; no action required.|
+ |95|Microsoft Defender for Endpoint executable has ended|The SenseCE executable has ended.|Normal operating notification; no action required.|
+ |96|Microsoft Defender for Endpoint Init has called. Result code: %2|The SenseCE executable has called MCE initialization.|Normal operating notification; no action required.|
+ |97|There are connectivity issues to the Cloud for the DLP scenario|There are network connectivity issues that affect the DLP classification flow.|Check the network connectivity.|
+ |98|The connectivity to the Cloud for the DLP scenario has been restored|The connectivity to the network was restored and the DLP classification flow can continue.|Normal operating notification; no action required.|
+ |99|Sense has encountered the following error while communicating with server: (%1). Result: (%2)|A communication error occurred.|Check the following events in the event log for further details.|
+ |100|Microsoft Defender for Endpoint executable failed to start. Failure code: %1|The SenseCE executable has failed to start.|Reboot the device. If this error persists, contact Support.|
+ |102|Microsoft Defender for Endpoint Network Detection and Response executable has started|The SenseNdr executable has started.|Normal operating notification; no action required.|
+ |103|Microsoft Defender for Endpoint Network Detection and Response executable has ended|The SenseNdr executable has ended.|Normal operating notification; no action required.|
+ |
+
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-eventerrorcodes-belowfoldlink)
## Related topics+ - [Onboard Windows 10 devices](configure-endpoints.md) - [Configure device proxy and Internet connectivity settings](configure-proxy-internet.md) - [Troubleshoot Microsoft Defender for Endpoint](troubleshoot-onboarding.md)
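Review bot: The delimiter row of the new markdown table (the `|||||` line directly under `|Event ID|Message|Description|Action|`) contains no hyphens, and a GFM delimiter row needs at least one `-` per cell (`|---|---|---|---|`), so please confirm the table actually renders; the lone `|` line after the event 103 row also adds an empty trailing row, and the `****` and indented `<br>` above the table look like leftovers from the HTML version. Two link problems survive the conversion in the event 17 row: the text `">Ensure the diagnostic data service is enabled.` after the link is a fragment of the old `<a>` tag, and its anchor `#ensure-that-microsoft-defender-antivirus-is-not-disabled-by-a-policy` does not match the link text (the event 31 row uses `#ensure-the-diagnostic-data-service-is-enabled`, which is the one the event 17, 28 and 34 rows presumably want). The event 29 row still carries the HTML entity `&#39;` where a plain apostrophe now works. Since the rows are being retyped anyway, the typos carried over from the `<td>` cells could be fixed in the same pass: "Starring SenseIR" (event 85), "full installed" (events 19 and 20), "register path" (events 90 and 91) and "Exceed throttling limit" (event 92).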
security Event Views https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/event-views.md
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) > [!TIP]
-> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-enablesiem-abovefoldlink).
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-enablesiem-abovefoldlink)
Review attack surface reduction events in Event Viewer to monitor what rules or settings are working. You can also determine if any settings are too "noisy" or impacting your day to day workflow.
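Review bot: Moving the period inside the link text is a style-only change and the target is unchanged, but while touching this line check the tracking parameter: the URL on an event-views page carries `ocid=docs-wdatp-enablesiem-abovefoldlink`, which reads as copied from the SIEM-enablement page rather than identifying this one.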
security Get Alert Related Domain Info https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-alert-related-domain-info.md
Here is an example of the request.
GET https://api.securitycenter.microsoft.com/alerts/636688558380765161_2136280442/domains ```
-### Response:
+### Response example
Here is an example of the response.
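Review bot: With the heading renamed to "Response example", the context sentence directly under it, "Here is an example of the response.", now just restates the heading and can be dropped; if the request heading gets the matching rename, the "Here is an example of the request." sentence above the `GET` line is redundant for the same reason.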
security Gov https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/gov.md
This offering is available to GCC, GCC High, and DoD customers and is based on t
> If you are a GCC customer using Defender for Endpoint in Commercial, please refer to the public documentation pages. ## Licensing requirements+ Microsoft Defender for Endpoint for US Government customers requires one of the following Microsoft volume licensing offers: ### Desktop licensing
-GCC | GCC High | DoD
+
+GCC|GCC High|DoD
:|:|:
-Microsoft 365 GCC G5 | Microsoft 365 E5 for GCC High | Microsoft 365 G5 for DOD
-Microsoft 365 G5 Security GCC | Microsoft 365 G5 Security for GCC High | Microsoft 365 G5 Security for DOD
-Microsoft Defender for Endpoint - GCC | Microsoft Defender for Endpoint for GCC High | Microsoft Defender for Endpoint for DOD
-Windows 10 Enterprise E5 GCC | Windows 10 Enterprise E5 for GCC High | Windows 10 Enterprise E5 for DOD
+Microsoft 365 GCC G5|Microsoft 365 E5 for GCC High|Microsoft 365 G5 for DOD
+Microsoft 365 G5 Security GCC|Microsoft 365 G5 Security for GCC High|Microsoft 365 G5 Security for DOD
+Microsoft Defender for Endpoint - GCC|Microsoft Defender for Endpoint for GCC High|Microsoft Defender for Endpoint for DOD
+Windows 10 Enterprise E5 GCC|Windows 10 Enterprise E5 for GCC High|Windows 10 Enterprise E5 for DOD
### Server licensing
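Review bot: The desktop licensing table's delimiter row, the unchanged `:|:|:` line under the new `GCC|GCC High|DoD` header, has no hyphens, so in GFM it is not a valid delimiter row and the table may not render; `:--|:--|:--` keeps the left alignment and is valid. Since the three data rows are being retyped, the header's "DoD" and the cells' "DOD" could also be aligned to one spelling.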
-GCC | GCC High | DoD
-:|:|:
-Microsoft Defender for Endpoint Server GCC | Microsoft Defender for Endpoint Server for GCC High | Microsoft Defender for Endpoint Server for DOD
-Azure Defender for Servers | Azure Defender for Servers - Government | Azure Defender for Servers - Government
-<br />
+GCC|GCC High|DoD
+:|:|:
+Microsoft Defender for Endpoint Server GCC|Microsoft Defender for Endpoint Server for GCC High|Microsoft Defender for Endpoint Server for DOD
+Azure Defender for Servers|Azure Defender for Servers - Government|Azure Defender for Servers - Government
## Portal URLs+ The following are the Microsoft Defender for Endpoint portal URLs for US Government customers:
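Review bot: The server licensing table re-adds the delimiter row as `+:|:|:`, which has the same problem as the desktop table above it: without at least one `-` per cell it is not a valid GFM delimiter row, so `:--|:--|:--` is the safe form. Dropping the `<br />` spacer before `## Portal URLs` is fine as long as the rendered output still shows the table ending before the heading; worth a quick preview check.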
-Customer type | Portal URL
+Customer type|Portal URL
:|:
-GCC | https://gcc.securitycenter.microsoft.us
-GCC High | https://securitycenter.microsoft.us
-DoD | https://securitycenter.microsoft.us
-
-<br />
+GCC|<https://gcc.securitycenter.microsoft.us>
+GCC High|<https://securitycenter.microsoft.us>
+DoD|<https://securitycenter.microsoft.us>
## Endpoint versions ### Standalone OS versions+ The following OS versions are supported:
-OS version | GCC | GCC High | DoD
-:|:|:|:
-Windows 10, version 20H2 (with [KB4586853](https://support.microsoft.com/help/4586853)) | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg)
-Windows 10, version 2004 (with [KB4586853](https://support.microsoft.com/help/4586853)) | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg)
-Windows 10, version 1909 (with [KB4586819](https://support.microsoft.com/help/4586819)) | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg)
-Windows 10, version 1903 (with [KB4586819](https://support.microsoft.com/help/4586819)) | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg)
-Windows 10, version 1809 (with [KB4586839](https://support.microsoft.com/help/4586839)) | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg)
-Windows 10, version 1803 (with [KB4598245](https://support.microsoft.com/help/4598245)) | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg)
-Windows 10, version 1709 | ![No](images/svg/check-no.svg)<br />Note: Won't be supported | ![Yes](images/svg/check-yes.svg) With [KB4499147](https://support.microsoft.com/help/4499147)<br />Note: [Deprecated](/lifecycle/announcements/revised-end-of-service-windows-10-1709), please upgrade | ![No](images/svg/check-no.svg)<br />Note: Won't be supported
-Windows 10, version 1703 and earlier | ![No](images/svg/check-no.svg)<br />Note: Won't be supported | ![No](images/svg/check-no.svg)<br />Note: Won't be supported | ![No](images/svg/check-no.svg)<br />Note: Won't be supported
-Windows Server 2019 (with [KB4586839](https://support.microsoft.com/help/4586839)) | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg)
-Windows Server 2016 | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg)
-Windows Server 2012 R2 | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg)
-Windows Server 2008 R2 SP1 | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg)
-Windows 8.1 Enterprise | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg)
-Windows 8 Pro | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg)
-Windows 7 SP1 Enterprise | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg)
-Windows 7 SP1 Pro | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg)
-Linux | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg)
-macOS | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg)
-Android | ![No](images/svg/check-no.svg) In development | ![No](images/svg/check-no.svg) In development | ![No](images/svg/check-no.svg) In development
-iOS | ![No](images/svg/check-no.svg) In development | ![No](images/svg/check-no.svg) In development | ![No](images/svg/check-no.svg) In development
+OS version|GCC|GCC High|DoD
+:|::|::|::
+Windows 10, version 20H2 (with [KB4586853](https://support.microsoft.com/help/4586853))|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)
+Windows 10, version 2004 (with [KB4586853](https://support.microsoft.com/help/4586853))|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)
+Windows 10, version 1909 (with [KB4586819](https://support.microsoft.com/help/4586819))|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)
+Windows 10, version 1903 (with [KB4586819](https://support.microsoft.com/help/4586819))|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)
+Windows 10, version 1809 (with [KB4586839](https://support.microsoft.com/help/4586839))|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)
+Windows 10, version 1803 (with [KB4598245](https://support.microsoft.com/help/4598245))|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)
+Windows 10, version 1709|![No](images/svg/check-no.svg) <p> Note: Won't be supported|![Yes](images/svg/check-yes.svg) With [KB4499147](https://support.microsoft.com/help/4499147) <p> Note: [Deprecated](/lifecycle/announcements/revised-end-of-service-windows-10-1709), please upgrade|![No](images/svg/check-no.svg) <p> Note: Won't be supported
+Windows 10, version 1703 and earlier|![No](images/svg/check-no.svg) <p> Note: Won't be supported|![No](images/svg/check-no.svg) <p> Note: Won't be supported|![No](images/svg/check-no.svg) <p> Note: Won't be supported
+Windows Server 2019 (with [KB4586839](https://support.microsoft.com/help/4586839))|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)
+Windows Server 2016|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)
+Windows Server 2012 R2|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)
+Windows Server 2008 R2 SP1|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)
+Windows 8.1 Enterprise|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)
+Windows 8 Pro|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)
+Windows 7 SP1 Enterprise|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)
+Windows 7 SP1 Pro|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)
+Linux|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)
+macOS|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)
+Android|![No](images/svg/check-no.svg) In development|![No](images/svg/check-no.svg) In development|![No](images/svg/check-no.svg) In development
+iOS|![No](images/svg/check-no.svg) In development|![No](images/svg/check-no.svg) In development|![No](images/svg/check-no.svg) In development
> [!NOTE] > Where a patch is specified, it must be deployed prior to device onboarding in order to configure Defender for Endpoint to the correct environment.-
-> [!NOTE]
+>
> Trying to onboard Windows devices older than Windows 10 or Windows Server 2019 using [Microsoft Monitoring Agent](configure-server-endpoints.md#option-1-onboard-by-installing-and-configuring-microsoft-monitoring-agent-mma)? You'll need to choose "Azure US Government" under "Azure Cloud" if using the [setup wizard](/azure/log-analytics/log-analytics-windows-agents#install-agent-using-setup-wizard), or if using a [command line](/azure/log-analytics/log-analytics-windows-agents#install-agent-using-command-line) or a [script](/azure/log-analytics/log-analytics-windows-agents#install-agent-using-dsc-in-azure-automation) - set the "OPINSIGHTS_WORKSPACE_AZURE_CLOUD_TYPE" parameter to 1. ### OS versions when using Azure Defender for Servers
-The following OS versions are supported when using [Azure Defender for Servers](/azure/security-center/security-center-wdatp):
-OS version | GCC | GCC High | DoD
-:|:|:|:
-Windows Server 2019 | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg)
-Windows Server 2016 | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg)
-Windows Server 2012 R2 | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg)
-Windows Server 2008 R2 SP1 | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg)
+The following OS versions are supported when using [Azure Defender for Servers](/azure/security-center/security-center-wdatp):
-<br />
+OS version|GCC|GCC High|DoD
+:|::|::|::
+Windows Server 2019|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)
+Windows Server 2016|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)
+Windows Server 2012 R2|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)
+Windows Server 2008 R2 SP1|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)
## Required connectivity settings+ If a proxy or firewall is blocking all traffic by default and allowing only specific domains through, add the domains listed in the downloadable sheet to the allowed domains list. The following downloadable spreadsheet lists the services and their associated URLs your network must be able to connect to. Verify there are no firewall or network filtering rules that would deny access to these URLs, or create an *allow* rule specifically for them.
-Spreadsheet of domains list | Description
+Spreadsheet of domains list|Description
:--|:--
-![Thumb image for Microsoft Defender for Endpoint URLs spreadsheet](images/mdatp-urls.png)<br/> | Spreadsheet of specific DNS records for service locations, geographic locations, and OS. <br /><br />[Download the spreadsheet here.](https://download.microsoft.com/download/8/e-urls.xlsx)
+![Thumb image for Microsoft Defender for Endpoint URLs spreadsheet](images/mdatp-urls.png)|Spreadsheet of specific DNS records for service locations, geographic locations, and OS. <p> [Download the spreadsheet here.](https://download.microsoft.com/download/8/e-urls.xlsx)
For more information, see [Configure device proxy and Internet connectivity settings](configure-proxy-internet.md). > [!NOTE] > The spreadsheet contains commercial URLs as well, make sure you check the "US Gov" tabs.
->
+>
> When filtering, look for the records labeled as "US Gov" and your specific cloud under the geography column. ### Service backend IP ranges
Defender for Endpoint for US Government customers is built in the Azure US Gover
- AzureCloud.usgovtexas - AzureCloud.usgovvirginia
-You can find the Azure IP ranges in [Azure IP Ranges and Service Tags ΓÇô US Government Cloud](https://www.microsoft.com/download/details.aspx?id=57063).
+You can find the Azure IP ranges in [Azure IP Ranges and Service Tags - US Government Cloud](https://www.microsoft.com/download/details.aspx?id=57063).
> [!NOTE] > As a cloud-based solution, the IP address ranges can change. It's recommended you move to DNS-based rules.
-<br />
- ## API+ Instead of the public URIs listed in our [API documentation](apis-intro.md), you'll need to use the following URIs:
-Endpoint type | GCC | GCC High & DoD
+Endpoint type|GCC|GCC High & DoD
:|:|:
-Login | `https://login.microsoftonline.com` | `https://login.microsoftonline.us`
-Defender for Endpoint API | `https://api-gcc.securitycenter.microsoft.us` | `https://api-gov.securitycenter.microsoft.us`
-SIEM | `https://wdatp-alertexporter-us.gcc.securitycenter.windows.us` | `https://wdatp-alertexporter-us.securitycenter.windows.us`
-
-<br />
+Login|`https://login.microsoftonline.com`|`https://login.microsoftonline.us`
+Defender for Endpoint API|`https://api-gcc.securitycenter.microsoft.us`|`https://api-gov.securitycenter.microsoft.us`
+SIEM|`https://wdatp-alertexporter-us.gcc.securitycenter.windows.us`|`https://wdatp-alertexporter-us.securitycenter.windows.us`
## Feature parity with commercial+ Defender for Endpoint for US Government customers doesn't have complete parity with the commercial offering. While our goal is to deliver all commercial features and functionality to our US Government customers, there are some capabilities not yet available we want to highlight. These are the known gaps:
-Feature name | GCC | GCC High | DoD
-:|:|:|:
-Network discovery | ![No](images/svg/check-no.svg) In development | ![No](images/svg/check-no.svg) In development | ![No](images/svg/check-no.svg) In development
-Web content filtering | ![No](images/svg/check-no.svg) In development | ![No](images/svg/check-no.svg) In development | ![No](images/svg/check-no.svg) In development
-Integrations: Azure Sentinel | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg) Alerts <br /> ![No](images/svg/check-no.svg) Incidents & Raw data: In development | ![Yes](images/svg/check-yes.svg) Alerts <br /> ![No](images/svg/check-no.svg) Incidents & Raw data: In development
-Integrations: Microsoft Cloud App Security | ![Yes](images/svg/check-yes.svg) | ![No](images/svg/check-no.svg) In development | ![No](images/svg/check-no.svg) In development
-Integrations: Microsoft Compliance Manager | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg)
-Integrations: Microsoft Defender for Identity | ![No](images/svg/check-no.svg) Rolling out | ![No](images/svg/check-no.svg) Rolling out | ![No](images/svg/check-no.svg) Rolling out
-Integrations: Microsoft Endpoint DLP | ![No](images/svg/check-no.svg) In development | ![No](images/svg/check-no.svg) In development | ![No](images/svg/check-no.svg) In development
-Integrations: Microsoft Power Automate & Azure Logic Apps | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg) Azure Logic Apps <br /> ![No](images/svg/check-no.svg) Power Automate: In development
-Microsoft Threat Experts | ![No](images/svg/check-no.svg) On engineering backlog | ![No](images/svg/check-no.svg) On engineering backlog | ![No](images/svg/check-no.svg) On engineering backlog
+Feature name|GCC|GCC High|DoD
+:|::|::|::
+Network discovery|![No](images/svg/check-no.svg) In development|![No](images/svg/check-no.svg) In development|![No](images/svg/check-no.svg) In development
+Web content filtering|![No](images/svg/check-no.svg) In development|![No](images/svg/check-no.svg) In development|![No](images/svg/check-no.svg) In development
+Integrations: Azure Sentinel|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg) Alerts <p> ![No](images/svg/check-no.svg) Incidents & Raw data: In development|![Yes](images/svg/check-yes.svg) Alerts <p> ![No](images/svg/check-no.svg) Incidents & Raw data: In development
+Integrations: Microsoft Cloud App Security|![Yes](images/svg/check-yes.svg)|![No](images/svg/check-no.svg) In development|![No](images/svg/check-no.svg) In development
+Integrations: Microsoft Compliance Manager|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)
+Integrations: Microsoft Defender for Identity|![No](images/svg/check-no.svg) Rolling out|![No](images/svg/check-no.svg) Rolling out|![No](images/svg/check-no.svg) Rolling out
+Integrations: Microsoft Endpoint DLP|![No](images/svg/check-no.svg) In development|![No](images/svg/check-no.svg) In development|![No](images/svg/check-no.svg) In development
+Integrations: Microsoft Power Automate & Azure Logic Apps|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg) Azure Logic Apps <p> ![No](images/svg/check-no.svg) Power Automate: In development
+Microsoft Threat Experts|![No](images/svg/check-no.svg) On engineering backlog|![No](images/svg/check-no.svg) On engineering backlog|![No](images/svg/check-no.svg) On engineering backlog
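Review bot: replacing `<br />` with a bare `<p>` inside table cells (`![No](images/svg/check-no.svg) <p> Note: Won't be supported`, and likewise in the Azure Sentinel and Logic Apps rows) leaves unclosed block-level tags inside Markdown table cells; `<br />` was valid inline HTML, so keep it unless the docs renderer specifically needs `<p>` here. Separately, swapping `> [!NOTE]` for a bare `>` folds the Microsoft Monitoring Agent onboarding paragraph (choose "Azure US Government", or set `OPINSIGHTS_WORKSPACE_AZURE_CLOUD_TYPE` to 1) into the note about deploying the listed KB before onboarding; the two are unrelated prerequisites and read more clearly as separate notes.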
security Grant Mssp Access https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/grant-mssp-access.md
ms.technology: mde
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
-> Want to experience Defender for Endpoint? [Sign up for a free trial](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-mssp-support-abovefoldlink).
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-mssp-support-abovefoldlink)
> [!IMPORTANT] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
security Indicator Certificates https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/indicator-certificates.md
ms.technology: mde
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) -
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-automationexclusionlist-abovefoldlink)
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-automationexclusionlist-abovefoldlink)
You can create indicators for certificates. Some common use cases include: - Scenarios when you need to deploy blocking technologies, such as [attack surface reduction rules](attack-surface-reduction.md) and [controlled folder access](controlled-folders.md) but need to allow behaviors from signed applications by adding the certificate in the allow list. - Blocking the use of a specific signed application across your organization. By creating an indicator to block the certificate of the application, Windows Defender AV will prevent file executions (block and remediate) and the Automated Investigation and Remediation behave the same. -
-### Before you begin
+## Before you begin
It's important to understand the following requirements prior to creating indicators for certificates:
It's important to understand the following requirements prior to creating indica
- The virus and threat protection definitions must be up to date. - This feature currently supports entering .CER or .PEM file extensions.
->[!IMPORTANT]
+> [!IMPORTANT]
+>
> - A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft. Alternatively, a custom (self-signed) certificate can be used as long as it's trusted by the client (Root CA certificate is installed under the Local Machine 'Trusted Root Certification Authorities'). >- The children or parent of the allow/block certificate IOCs are not included in the allow/block IoC functionality, only leaf certificates are supported. >- Microsoft signed certificates cannot be blocked.
-#### Create an indicator for certificates from the settings page:
+## Create an indicator for certificates from the settings page:
->[!IMPORTANT]
+> [!IMPORTANT]
> It can take up to 3 hours to create and remove a certificate IoC.
-1. In the navigation pane, select **Settings** > **Endpoints** >
-**Indicators** (under **Rules**).
-
+1. In the navigation pane, select **Settings** \> **Endpoints** \> **Indicators** (under **Rules**).
-2. Select the **Certificates** tab.
+2. Select **Add indicator**.
-3. Select **Add item**.
-
-4. Specify the following details:
+3. Specify the following details:
- Indicator - Specify the entity details and define the expiration of the indicator. - Action - Specify the action to be taken and provide a description. - Scope - Define the scope of the machine group.
-5. Review the details in the **Summary** tab, then click **Save**.
+4. Review the details in the Summary tab, then click **Save**.
## Related topics+ - [Create indicators](manage-indicators.md) - [Create indicators for files](indicator-file.md) - [Create indicators for IPs and URLs/domains](indicator-ip-domain.md)
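Review bot: the rewritten step list drops the step that selects the **Certificates** tab (old step 2) and goes straight from the **Indicators** page to **Add indicator**, while the sibling file and IP/URL pages in this same change set keep their tab-selection step (`2. Select the **File hashes** tab.` and `2. Select the **IP addresses or URLs/Domains** tab.`); either the tab step was dropped by mistake or the sibling pages need the same update, and the three procedures should agree. Also, the promoted heading `## Create an indicator for certificates from the settings page:` keeps its trailing colon, which the sibling `## Before you begin` and the other indicator pages do not use; suggest `## Create an indicator for certificates from the settings page`.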
security Indicator File https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/indicator-file.md
Title: Create indicators for files-+ description: Create indicators for a file hash that define the detection, prevention, and exclusion of entities. keywords: file, hash, manage, allowed, blocked, block, clean, malicious, file hash, ip address, urls, domain search.product: eADQiWindows 10XVcnh
ms.technology: mde
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) > [!TIP]
-> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-automationexclusionlist-abovefoldlink)
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-automationexclusionlist-abovefoldlink)
Prevent further propagation of an attack in your organization by banning potentially malicious files or suspected malware. If you know a potentially malicious portable executable (PE) file, you can block it. This operation will prevent it from being read, written, or executed on devices in your organization.
This feature is designed to prevent suspected malware (or potentially malicious
## Create an indicator for files from the settings page
-1. In the navigation pane, selectΓÇ»**Settings** > **Endpoints** >
-**Indicators** (under **Rules**).
+1. In the navigation pane, selectΓÇ»**Settings** \> **Endpoints** \> **Indicators** (under **Rules**).
2. Select the **File hashes** tab.
One of the options when takingΓÇ»[response actions on a file](respond-file-alert
Files automatically blocked by an indicator won't show up in the file's Action center, but the alerts will still be visible in the Alerts queue.
->[!IMPORTANT]
+> [!IMPORTANT]
+>
>- Typically, file blocks are enforced and removed within a couple of minutes, but can take upwards of 30 minutes.
->
->- If there are conflicting file IoC policies with the same enforcement type and target, the policy of the more secure hash will be applied. An SHA-256 file hash IoC policy will win over an SHA-1 file hash IoC policy, which will win over an MD5 file hash IoC policy if the hash types define the same file. This is always true regardless of the device group.
-> In all other cases, if conflicting file IoC policies with the same enforcement target are applied to all devices and to the deviceΓÇÖs group, then for a device, the policy in the device group will win.
->
->- If the EnableFileHashComputation group policy is disabled, the blocking accuracy of the file IoC is reduced. However, enabling `EnableFileHashComputation` may impact device performance. For example, copying large files from a network share onto your local device, especially over a VPN connection, might have an effect on device performance.
+>
+>- If there are conflicting file IoC policies with the same enforcement type and target, the policy of the more secure hash will be applied. An SHA-256 file hash IoC policy will win over an SHA-1 file hash IoC policy, which will win over an MD5 file hash IoC policy if the hash types define the same file. This is always true regardless of the device group.
+> In all other cases, if conflicting file IoC policies with the same enforcement target are applied to all devices and to the device's group, then for a device, the policy in the device group will win.
+>
+> - If the EnableFileHashComputation group policy is disabled, the blocking accuracy of the file IoC is reduced. However, enabling `EnableFileHashComputation` may impact device performance. For example, copying large files from a network share onto your local device, especially over a VPN connection, might have an effect on device performance.
> > For more information about the EnableFileHashComputation group policy, see [Defender CSP](/windows/client-management/mdm/defender-csp)
-## Policy conflict handling
+## Policy conflict handling
Cert and File IoC policy handling conflict will follow the below order: - If the file is not allowed by Windows Defender Application Control and AppLocker enforce mode policy/policies, then **Block**- - Else if the file is allowed by the Microsoft Defender Antivirus exclusion, then **Allow**- - Else if the file is blocked or warned by a block or warn file IoC, then **Block/Warn**- - Else if the file is allowed by an allow file IoC policy, then **Allow**--- Else if the file is blocked by ASR rules, CFA, AV, SmartScreen, then **Block** -
+- Else if the file is blocked by ASR rules, CFA, AV, SmartScreen, then **Block**
- Else **Allow** (passes Windows Defender Application Control & AppLocker policy, no IoC rules apply to it) If there are conflicting file IoC policies with the same enforcement type and target, the policy of the more secure (meaning longer) hash will be applied. For example, an SHA-256 file hash IoC policy will win over an MD5 file hash IoC policy if both hash types define the same file.
Threat and vulnerability management's block vulnerable application features uses
### Examples
-|Component |Component enforcement |File indicator Action |Result
-|--|--|--|--|
-|Attack surface reduction file path exclusion |Allow |Block |Block
-|Attack surface reduction rule |Block |Allow |Allow
-|Windows Defender Application Control |Allow |Block |Allow |
-|Windows Defender Application Control |Block |Allow |Block
-|Microsoft Defender Antivirus exclusion |Allow |Block |Allow
+|Component|Component enforcement|File indicator Action|Result
+|||||
+|Attack surface reduction file path exclusion|Allow|Block|Block
+|Attack surface reduction rule|Block|Allow|Allow
+|Windows Defender Application Control|Allow|Block|Allow
+|Windows Defender Application Control|Block|Allow|Block
+|Microsoft Defender Antivirus exclusion|Allow|Block|Allow
## See also
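Review bot: the new delimiter row `|||||` in the Examples table contains no hyphens; GFM requires at least one `-` in each delimiter cell, so this table is likely to stop rendering as a table in anything but a lenient renderer, and the original `|--|--|--|--|` was valid. Suggest restoring `|--|--|--|--|` (or `|:--|:--|:--|:--|`). While here: the row `|Windows Defender Application Control|Allow|Block|Allow` is hard to reconcile with the ordering in "Policy conflict handling" just above, where a file that passes WDAC/AppLocker is next tested against the Microsoft Defender Antivirus exclusion and then against block/warn file IoCs, which would give Block, not Allow, for a WDAC-allowed file hit by a block indicator; please confirm the intended result. Also, the [!IMPORTANT] block mixes list-marker spacing (`>- Typically`, `>- If there are conflicting`, `> - If the EnableFileHashComputation`), and the continuation `> In all other cases, ...` is a separate quoted paragraph rather than part of the second bullet; use `> - ` throughout and indent the continuation under its bullet.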
security Indicator Ip Domain https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/indicator-ip-domain.md
Title: Create indicators for IPs and URLs/domains-+ description: Create indicators for IPs and URLs/domains that define the detection, prevention, and exclusion of entities. keywords: ip, url, domain, manage, allowed, blocked, block, clean, malicious, file hash, ip address, urls, domain search.product: eADQiWindows 10XVcnh
ms.technology: mde
-# Create indicators for IPs and URLs/domains
+# Create indicators for IPs and URLs/domains
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
ms.technology: mde
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) > [!TIP]
-> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-automationexclusionlist-abovefoldlink)
-
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-automationexclusionlist-abovefoldlink)
Defender for Endpoint can block what Microsoft deems as malicious IPs/URLs, through Windows Defender SmartScreen for Microsoft browsers, and through Network Protection for non-Microsoft browsers or calls made outside of a browser.
The threat intelligence data set for this has been managed by Microsoft.
By creating indicators for IPs and URLs or domains, you can now allow or block IPs, URLs, or domains based on your own threat intelligence. You can do this through the settings page or by machine groups if you deem certain groups to be more or less at risk than others. > [!NOTE]
-> Classless Inter-Domain Routing (CIDR) notation for IP addresses is not supported.
+> Classless Inter-Domain Routing (CIDR) notation for IP addresses is not supported.
### Before you begin+ It's important to understand the following prerequisites prior to creating indicators for IPS, URLs, or domains:+ - URL/IP allow and block relies on the Defender for Endpoint component Network Protection to be enabled in block mode. For more information on Network Protection and configuration instructions, see [Enable network protection](enable-network-protection.md).-- The Antimalware client version must be 4.18.1906.x or later. -- Supported on machines on Windows 10, version 1709 or later.
+- The Antimalware client version must be 4.18.1906.x or later.
+- Supported on machines on Windows 10, version 1709 or later.
- Ensure that **Custom network indicators** is enabled in **Microsoft 365 DefenderΓÇ»> Settings > Endpoints > Advanced features**. For more information, see [Advanced features](advanced-features.md). - For support of indicators on iOS, see [Configure custom indicators](/microsoft-365/security/defender-endpoint/ios-configure-features#configure-custom-indicators). - > [!IMPORTANT] > Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs.
-> For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge leverages [Network Protection](network-protection.md) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS).
-> If there are conflicting URL indicator policies, the longer path is applied. For example, the URL indicator policy `https:\\support.microsoft.com/en-us/office` takes precedence over the URL indicator policy `https:\\support.microsoft.com`.
+> For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge leverages [Network Protection](network-protection.md) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS).
+> If there are conflicting URL indicator policies, the longer path is applied. For example, the URL indicator policy `https:\\support.microsoft.com/office` takes precedence over the URL indicator policy `https:\\support.microsoft.com`.
> [!NOTE]
-> For all other processes, web protection scenarios leverage Network Protection for inspection and enforcement:
+> For all other processes, web protection scenarios leverage Network Protection for inspection and enforcement:
+>
> - IP is supported for all three protocols > - Only single IP addresses are supported (no CIDR blocks or IP ranges) > - Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge) > - Encrypted URLS (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge) > - Full URL path blocks can be applied on the domain level and all unencrypted URLs
-
-> [!NOTE]
-> There may be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.
+>
+> There may be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.
### Create an indicator for IPs, URLs, or domains from the settings page
-1. In the navigation pane, select **Settings** > **Endpoints** > **Indicators** (under **Rules**).
+1. In the navigation pane, select **Settings** > **Endpoints** > **Indicators** (under **Rules**).
2. Select the **IP addresses or URLs/Domains** tab.
It's important to understand the following prerequisites prior to creating indic
5. Review the details in the Summary tab, then click **Save**. ## Related topics+ - [Create indicators](manage-indicators.md) - [Create indicators for files](indicator-file.md) - [Create indicators based on certificates](indicator-certificates.md)
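Review bot: the example URLs in the conflicting-policy sentence still use backslashes after the scheme (`https:\\support.microsoft.com/office` and `https:\\support.microsoft.com`); since the line was touched anyway to drop `/en-us`, change both to `https://...` so readers do not copy an invalid URL into an indicator. Separately, the second `> [!NOTE]` about the up-to-2-hour latency has been folded into the preceding note via a bare `>`; that renders fine, but the latency caveat now sits after the protocol/URL bullet list under a note that opens with "For all other processes", so consider keeping it as its own note.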
security Indicator Manage https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/indicator-manage.md
Title: Manage indicators-+ description: Manage indicators for a file hash, IP address, URLs, or domains that define the detection, prevention, and exclusion of entities. keywords: import, indicator, list, ioc, csv, manage, allowed, blocked, block, clean, malicious, file hash, ip address, urls, domain search.product: eADQiWindows 10XVcnh
ms.technology: mde
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-automationexclusionlist-abovefoldlink)
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-automationexclusionlist-abovefoldlink)
1. In the navigation pane, select **Settings** > **Endpoints** > **Indicators** (under **Rules**).
-2. Select the tab of the entity type you'd like to manage.
+2. Select the tab of the entity type you'd like to manage.
3. Update the details of the indicator and click **Save** or click the **Delete** button if you'd like to remove the entity from the list.
You can also choose to upload a CSV file that defines the attributes of indicato
Download the sample CSV to know the supported column attributes.
-1. In the navigation pane, select **Settings** > **Endpoints** >
-**Indicators** (under **Rules**).
+1. In the navigation pane, select **Settings** \> **Endpoints** \> **Indicators** (under **Rules**).
2. Select the tab of the entity type you'd like to import indicators for.
-3. Select **Import** > **Choose file**.
+3. Select **Import** > **Choose file**.
-4. Select **Import**. Do this for all the files you'd like to import.
+4. Select **Import**. Do this for all the files you'd like to import.
5. Select **Done**. The following table shows the supported parameters.
-Parameter | Type | Description
+Parameter|Type|Description
:|:|:
-indicatorType | Enum | Type of the indicator. Possible values are: "FileSha1", "FileSha256", "IpAddress", "DomainName" and "Url". **Required**
-indicatorValue | String | Identity of the [Indicator](ti-indicator.md) entity. **Required**
-action | Enum | The action that will be taken if the indicator will be discovered in the organization. Possible values are: "Alert", "AlertAndBlock", and "Allowed". **Required**
-title | String | Indicator alert title. **Required**
-description | String | Description of the indicator. **Required**
-expirationTime | DateTimeOffset | The expiration time of the indicator in the following format YYYY-MM-DDTHH:MM:SS.0Z. **Optional**
-severity | Enum | The severity of the indicator. Possible values are: "Informational", "Low", "Medium" and "High". **Optional**
-recommendedActions | String | TI indicator alert recommended actions. **Optional**
-rbacGroupNames | String | Comma-separated list of RBAC group names the indicator would be applied to. **Optional**
-category | String | Category of the alert. Examples include: Execution and credential access. **Optional**
-mitretechniques| String | MITRE techniques code/id (comma separated). For more information, see [Enterprise tactics](https://attack.mitre.org/tactics/enterprise/). **Optional** It is recommended to add a value in category when a MITRE technique.
+indicatorType|Enum|Type of the indicator. Possible values are: "FileSha1", "FileSha256", "IpAddress", "DomainName" and "Url". **Required**
+indicatorValue|String|Identity of the [Indicator](ti-indicator.md) entity. **Required**
+action|Enum|The action that will be taken if the indicator will be discovered in the organization. Possible values are: "Alert", "AlertAndBlock", and "Allowed". **Required**
+title|String|Indicator alert title. **Required**
+description|String| Description of the indicator. **Required**
+expirationTime|DateTimeOffset|The expiration time of the indicator in the following format YYYY-MM-DDTHH:MM:SS.0Z. **Optional**
+severity|Enum|The severity of the indicator. Possible values are: "Informational", "Low", "Medium" and "High". **Optional**
+recommendedActions|String|TI indicator alert recommended actions. **Optional**
+rbacGroupNames|String|Comma-separated list of RBAC group names the indicator would be applied to. **Optional**
+category|String|Category of the alert. Examples include: Execution and credential access. **Optional**
+mitretechniques|String|MITRE techniques code/id (comma separated). For more information, see [Enterprise tactics](https://attack.mitre.org/tactics/enterprise/). **Optional** It is recommended to add a value in category when a MITRE technique.
For more information, see [Microsoft Defender for Endpoint alert categories are now aligned with MITRE ATT&CK!](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/microsoft-defender-atp-alert-categories-are-now-aligned-with/ba-p/732748). - ## See also+ - [Create indicators](manage-indicators.md) - [Create indicators for files](indicator-file.md) - [Create indicators for IPs and URLs/domains](indicator-ip-domain.md)
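Review bot: the rewritten `+mitretechniques|String|...` row still ends with the truncated sentence "It is recommended to add a value in category when a MITRE technique."; complete it while the row is being rewritten, for example "when a MITRE technique is specified". Two smaller points in the same region: step 1 escapes the chevrons (`**Settings** \> **Endpoints** \> **Indicators**`) while step 3 keeps a bare `>` (`Select **Import** > **Choose file**.`), so apply the escaping to both or neither; and the `action` row reads "if the indicator will be discovered", which should be "if the indicator is discovered".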
security Initiate Autoir Investigation https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/initiate-autoir-investigation.md
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
-> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] [!include[Improve request performance](../../includes/improve-request-performance.md)] - ## API description+ Start automated investigation on a device.
-<br>See [Overview of automated investigations](automated-investigations.md) for more information.
+
+See [Overview of automated investigations](automated-investigations.md) for more information.
## Limitations+ 1. Rate limitations for this API are 50 calls per hour. ## Permissions+ One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md)
-Permission type | Permission | Permission display name
+Permission type|Permission|Permission display name
:|:|:
-Application | Alert.ReadWrite.All | 'Read and write all alerts'
-Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'
+Application|Alert.ReadWrite.All|'Read and write all alerts'
+Delegated (work or school account)|Alert.ReadWrite|'Read and write alerts'
->[!Note]
+> [!NOTE]
> When obtaining a token using user credentials:
->- The user needs to have at least the following role permission: 'Active remediation actions' (See [Create and manage roles](user-roles.md) for more information)
->- The user needs to have access to the device, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
-
+>
+> - The user needs to have at least the following role permission: 'Active remediation actions' (See [Create and manage roles](user-roles.md) for more information)
+> - The user needs to have access to the device, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
## HTTP request
-```
+
+```http
POST https://api.security.microsoft.com/api/machines/{id}/startInvestigation ``` ## Request headers
-Name | Type | Description
+Name|Type|Description
:|:|:
-Authorization | String | Bearer {token}. **Required**.
-Content-Type | string | application/json. **Required**.
+Authorization|String|Bearer {token}. **Required**.
+Content-Type|string|application/json. **Required**.
## Request body+ In the request body, supply a JSON object with the following parameters:
-Parameter | Type | Description
+Parameter|Type|Description
:|:|:
-Comment | String | Comment to associate with the action. **Required**.
-
+Comment|String|Comment to associate with the action. **Required**.
## Response
-If successful, this method returns 201 - Created response code and [Investigation](investigation.md) in the response body.
+If successful, this method returns 201 - Created response code and [Investigation](investigation.md) in the response body.
## Example
-**Request**
+### Request
Here is an example of the request.
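Review bot: the Type column of the reformatted request-headers table is inconsistent: `+Authorization|String|Bearer {token}. **Required**.` uses `String` while `+Content-Type|string|application/json. **Required**.` uses `string`; pick one casing (the other tables in this change use `String`). In the same region the Limitations section is a one-item numbered list (`1. Rate limitations for this API are 50 calls per hour.`), which reads better as a single sentence or bullet.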
security Linux Install Manually https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-install-manually.md
Download the onboarding package from Microsoft 365 Defender portal:
2. In the first drop-down menu, select **Linux Server** as the operating system. In the second drop-down menu, select **Local Script** as the deployment method. 3. Select **Download onboarding package**. Save the file as WindowsDefenderATPOnboardingPackage.zip.
- ![Microsoft 365 Defender portal screenshot](images/atp-portal-onboarding-linux.png)
+ ![Microsoft 365 Defender portal screenshot](images/portal-onboarding-linux.png)
4. From a command prompt, verify that you have the file. Extract the contents of the archive:
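Review bot: the image reference changes from `images/atp-portal-onboarding-linux.png` to `images/portal-onboarding-linux.png`, but no rename or addition of the image file is visible in this region; confirm the new asset is committed with this change, otherwise the page renders a broken image. A minor point on the same line: the alt text "Microsoft 365 Defender portal screenshot" could name what is shown (the onboarding page with **Linux Server** and **Local Script** selected, per step 2), which makes it useful to screen-reader users.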
security Live Response https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/live-response.md
ms.technology: mde
> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-investigateip-abovefoldlink)
-Live response gives security operations teams instantaneous access to a device (also referred to as a machine) using a remote shell connection. This gives you the power to do in-depth investigative work and take immediate response actions to promptly contain identified threatsΓÇöin real time.
+Live response gives security operations teams instantaneous access to a device (also referred to as a machine) using a remote shell connection. This gives you the power to do in-depth investigative work and take immediate response actions to promptly contain identified threats in real time.
-Live response is designed to enhance investigations by enabling your security operations team to collect forensic data, run scripts, send suspicious entities for analysis, remediate threats, and proactively hunt for emerging threats.<br/><br/>
+Live response is designed to enhance investigations by enabling your security operations team to collect forensic data, run scripts, send suspicious entities for analysis, remediate threats, and proactively hunt for emerging threats.
> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4qLUW] With live response, analysts can do all of the following tasks:+ - Run basic and advanced commands to do investigative work on a device. - Download files such as malware samples and outcomes of PowerShell scripts. - Download files in the background (new!).
With live response, analysts can do all of the following tasks:
Before you can initiate a session on a device, make sure you fulfill the following requirements: -- **Verify that you're running a supported version of Windows**. <br/>
-Devices must be running one of the following versions of Windows
+- **Verify that you're running a supported version of Windows**.
+
+ Devices must be running one of the following versions of Windows
- **Windows 10**
- - [Version 1909](/windows/whats-new/whats-new-windows-10-version-1909) or later
- - [Version 1903](/windows/whats-new/whats-new-windows-10-version-1903) with [KB4515384](https://support.microsoft.com/en-us/help/4515384/windows-10-update-kb4515384)
+ - [Version 1909](/windows/whats-new/whats-new-windows-10-version-1909) or later
+ - [Version 1903](/windows/whats-new/whats-new-windows-10-version-1903) with [KB4515384](https://support.microsoft.com/help/4515384/windows-10-update-kb4515384)
- [Version 1809 (RS 5)](/windows/whats-new/whats-new-windows-10-version-1809) with [with KB4537818](https://support.microsoft.com/help/4537818/windows-10-update-kb4537818) - [Version 1803 (RS 4)](/windows/whats-new/whats-new-windows-10-version-1803) with [KB4537795](https://support.microsoft.com/help/4537795/windows-10-update-kb4537795) - [Version 1709 (RS 3)](/windows/whats-new/whats-new-windows-10-version-1709) with [KB4537816](https://support.microsoft.com/help/4537816/windows-10-update-kb4537816)
-
+ - **Windows Server 2019 - Only applicable for Public preview**
- - Version 1903 or (with [KB4515384](https://support.microsoft.com/en-us/help/4515384/windows-10-update-kb4515384)) later
- - Version 1809 (with [KB4537818](https://support.microsoft.com/en-us/help/4537818/windows-10-update-kb4537818))
+ - Version 1903 or (with [KB4515384](https://support.microsoft.com/help/4515384/windows-10-update-kb4515384)) later
+ - Version 1809 (with [KB4537818](https://support.microsoft.com/help/4537818/windows-10-update-kb4537818))
+
+- **Enable live response from the advanced settings page**.
+
+ You'll need to enable the live response capability in the [Advanced features settings](advanced-features.md) page.
+
+ > [!NOTE]
+ > Only users with manage security or global admin roles can edit these settings.
+
+- **Enable live response for servers from the advanced settings page** (recommended).
-- **Enable live response from the advanced settings page**.<br>
-You'll need to enable the live response capability in the [Advanced features settings](advanced-features.md) page.
+ > [!NOTE]
+ > Only users with manage security or global admin roles can edit these settings.
- >[!NOTE]
- >Only users with manage security or global admin roles can edit these settings.
+- **Ensure that the device has an Automation Remediation level assigned to it**.
-- **Enable live response for servers from the advanced settings page** (recommended).<br>
+ You'll need to enable, at least, the minimum Remediation Level for a given Device Group. Otherwise you won't be able to establish a Live Response session to a member of that group.
- >[!NOTE]
- >Only users with manage security or global admin roles can edit these settings.
-
-- **Ensure that the device has an Automation Remediation level assigned to it**.<br>
-You'll need to enable, at least, the minimum Remediation Level for a given Device Group. Otherwise you won't be able to establish a Live Response session to a member of that group.
+ You'll receive the following error:
- You'll receive the following error:
+ ![Image of error message](images/live-response-error.png)
- ![Image of error message](images/live-response-error.png)
+- **Enable live response unsigned script execution** (optional).
-- **Enable live response unsigned script execution** (optional). <br>
+ > [!WARNING]
+ > Allowing the use of unsigned scripts may increase your exposure to threats.
- >[!WARNING]
- >Allowing the use of unsigned scripts may increase your exposure to threats.
-
Running unsigned scripts is not recommended as it can increase your exposure to threats. If you must use them however, you'll need to enable the setting in the [Advanced features settings](advanced-features.md) page.
-
-- **Ensure that you have the appropriate permissions**.<br>
- Only users who have been provisioned with the appropriate permissions can initiate a session. For more information on role assignments, see [Create and manage roles](user-roles.md).
- > [!IMPORTANT]
- > The option to upload a file to the library is only available to users with with "Manage Security Settings" permission.
- > The button is greyed out for users with only delegated permissions.
-
+- **Ensure that you have the appropriate permissions**.
- Depending on the role that's been granted to you, you can run basic or advanced live response commands. Users permissions are controlled by RBAC custom role.
+ Only users who have been provisioned with the appropriate permissions can initiate a session. For more information on role assignments, see [Create and manage roles](user-roles.md).
+
+ > [!IMPORTANT]
+ > The option to upload a file to the library is only available to users with with "Manage Security Settings" permission.
+ > The button is greyed out for users with only delegated permissions.
+
+ Depending on the role that's been granted to you, you can run basic or advanced live response commands. Users permissions are controlled by RBAC custom role.
## Live response dashboard overview
-When you initiate a live response session on a device, a dashboard opens. The dashboard provides information about the session such as the following:
+
+When you initiate a live response session on a device, a dashboard opens. The dashboard provides information about the session such as the following:
- Who created the session - When the session started - The duration of the session The dashboard also gives you access to:+ - Disconnect session-- Upload files to the library
+- Upload files to the library
- Command console - Command log -
-## Initiate a live response session on a device
+## Initiate a live response session on a device
1. Sign in to Microsoft 365 Defender portal.
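Review bot: the permissions requirement still carries a doubled word in the new text: `+ > The option to upload a file to the library is only available to users with with "Manage Security Settings" permission.` should read "available to users with". Just below it, `+ Depending on the role that's been granted to you, ... Users permissions are controlled by RBAC custom role.` should use the wording the same article uses later under Live response commands, "User permissions are controlled by RBAC custom roles."; since that paragraph is repeated almost verbatim there, consider keeping one copy and linking to it.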
The dashboard also gives you access to:
## Live response commands
-Depending on the role that's been granted to you, you can run basic or advanced live response commands. User permissions are controlled by RBAC custom roles. For more information on role assignments, see [Create and manage roles](user-roles.md).
-
+Depending on the role that's been granted to you, you can run basic or advanced live response commands. User permissions are controlled by RBAC custom roles. For more information on role assignments, see [Create and manage roles](user-roles.md).
->[!NOTE]
->Live response is a cloud-based interactive shell, as such, specific command experience may vary in response time depending on network quality and system load between the end user and the target device.
+> [!NOTE]
+> Live response is a cloud-based interactive shell, as such, specific command experience may vary in response time depending on network quality and system load between the end user and the target device.
### Basic commands
-The following commands are available for user roles that are granted the ability to run **basic** live response commands. For more information on role assignments, see [Create and manage roles](user-roles.md).
-
-| Command | Description |
-||| |
-|`cd` | Changes the current directory. |
-|`cls` | Clears the console screen. |
-|`connect` | Initiates a live response session to the device. |
-|`connections` | Shows all the active connections. |
-|`dir` | Shows a list of files and subdirectories in a directory. |
-|`drivers` | Shows all drivers installed on the device. |
-|`fg <command ID>` | Place the specified job in the foreground in the foreground, making it the current job. <br> NOTE: fg takes a ΓÇ£command IDΓÇ¥ available from jobs, not a PID |
-|`fileinfo` | Get information about a file. |
-|`findfile` | Locates files by a given name on the device. |
-|`getfile <file_path>` | Downloads a file. |
-|`help` | Provides help information for live response commands. |
-|`jobs` | Shows currently running jobs, their ID and status. |
-|`persistence` | Shows all known persistence methods on the device. |
-|`processes` | Shows all processes running on the device. |
-|`registry` | Shows registry values. |
-|`scheduledtasks` | Shows all scheduled tasks on the device. |
-|`services` | Shows all services on the device. |
-|`trace` | Sets the terminal's logging mode to debug. |
+The following commands are available for user roles that are granted the ability to run **basic** live response commands. For more information on role assignments, see [Create and manage roles](user-roles.md).
+
+|Command|Description|
+||||
+|`cd`|Changes the current directory.|
+|`cls`|Clears the console screen.|
+|`connect`|Initiates a live response session to the device.|
+|`connections`|Shows all the active connections.|
+|`dir`|Shows a list of files and subdirectories in a directory.|
+|`drivers`|Shows all drivers installed on the device.|
+|`fg <command ID>`|Place the specified job in the foreground in the foreground, making it the current job. <br> NOTE: fg takes a "command ID" available from jobs, not a PID|
+|`fileinfo`|Get information about a file.|
+|`findfile`|Locates files by a given name on the device.|
+|`getfile <file_path>`|Downloads a file.|
+|`help`|Provides help information for live response commands.|
+|`jobs`|Shows currently running jobs, their ID and status.|
+|`persistence`|Shows all known persistence methods on the device.|
+|`processes`|Shows all processes running on the device.|
+|`registry`|Shows registry values.|
+|`scheduledtasks`|Shows all scheduled tasks on the device.|
+|`services`|Shows all services on the device.|
+|`trace`|Sets the terminal's logging mode to debug.|
### Advanced commands
-The following commands are available for user roles that are granted the ability to run **advanced** live response commands. For more information on role assignments, see [Create and manage roles](user-roles.md).
-| Command | Description |
-|||
-| `analyze` | Analyses the entity with various incrimination engines to reach a verdict. |
-| `run` | Runs a PowerShell script from the library on the device. |
-| `library` | Lists files that were uploaded to the live response library. |
-| `putfile` | Puts a file from the library to the device. Files are saved in a working folder and are deleted when the device restarts by default. |
-| `remediate` | Remediates an entity on the device. The remediation action will vary depending on the entity type:<br>- File: delete<br>- Process: stop, delete image file<br>- Service: stop, delete image file<br>- Registry entry: delete<br>- Scheduled task: remove<br>- Startup folder item: delete file <br> NOTE: This command has a prerequisite command. You can use the `-auto` command in conjunction with `remediate` to automatically run the prerequisite command.
-|`undo` | Restores an entity that was remediated. |
+The following commands are available for user roles that are granted the ability to run **advanced** live response commands. For more information on role assignments, see [Create and manage roles](user-roles.md).
+|Command|Description|
+|||
+|`analyze`|Analyses the entity with various incrimination engines to reach a verdict.|
+|`run`|Runs a PowerShell script from the library on the device.|
+|`library`|Lists files that were uploaded to the live response library.|
+|`putfile`|Puts a file from the library to the device. Files are saved in a working folder and are deleted when the device restarts by default.|
+|`remediate`|Remediates an entity on the device. The remediation action will vary depending on the entity type:<br>- File: delete<br>- Process: stop, delete image file<br>- Service: stop, delete image file<br>- Registry entry: delete<br>- Scheduled task: remove<br>- Startup folder item: delete file <br> NOTE: This command has a prerequisite command. You can use the `-auto` command in conjunction with `remediate` to automatically run the prerequisite command.
+|`undo`|Restores an entity that was remediated.|
## Use live response commands
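Review bot: the Advanced commands table is not separated from its lead-in paragraph: `+The following commands are available for user roles that are granted the ability to run **advanced** live response commands. ...` is immediately followed by `+|Command|Description|`, whereas the Basic commands table above gets a blank `+` line before it; add the same blank line here or Markdown runs the table into the paragraph. Two smaller points in the same tables: the `fg <command ID>` row still reads "Place the specified job in the foreground in the foreground", and the `remediate` row ends with "prerequisite command." without the closing `|` that every other row has.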
The advanced commands offer a more robust set of actions that allow you to take
For scenarios when you'd like get a file from a device you're investigating, you can use the `getfile` command. This allows you to save the file from the device for further investigation.
->[!NOTE]
->The following file size limits apply:
->- `getfile` limit: 3 GB
->- `fileinfo` limit: 10 GB
->- `library` limit: 250 MB
+> [!NOTE]
+> The following file size limits apply:
+>
+> - `getfile` limit: 3 GB
+> - `fileinfo` limit: 10 GB
+> - `library` limit: 250 MB
### Download a file in the background
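Review bot: the reformatted note (`> - `getfile` limit: 3 GB`, `> - `fileinfo` limit: 10 GB`, `> - `library` limit: 250 MB`) repeats the same three limits that the Limitations section at the end of this article also lists; keep the values in one place and link to it from the other, so a future change to a limit cannot leave the two copies disagreeing.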
To enable your security operations team to continue investigating an impacted de
Here are some examples: -
-|Command |What it does |
-|||
-|`getfile "C:\windows\some_file.exe" &` |Starts downloading a file named *some_file.exe* in the background. |
-|`fg 1234` |Returns a download with command ID *1234* to the foreground. |
-
+|Command|What it does|
+|||
+|`getfile "C:\windows\some_file.exe" &`|Starts downloading a file named *some_file.exe* in the background.|
+|`fg 1234`|Returns a download with command ID *1234* to the foreground.|
### Put a file in the library Live response has a library where you can put files into. The library stores files (such as scripts) that can be run in a live response session at the tenant level.
-Live response allows PowerShell scripts to run, however you must first put the files into the library before you can run them.
+Live response allows PowerShell scripts to run, however you must first put the files into the library before you can run them.
-You can have a collection of PowerShell scripts that can run on devices that you initiate live response sessions with.
+You can have a collection of PowerShell scripts that can run on devices that you initiate live response sessions with.
#### To upload a file in the library
-1. Click **Upload file to library**.
+1. Click **Upload file to library**.
2. Click **Browse** and select the file.
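Review bot: the lines touched here are whitespace-only rewrites, so take the chance to fix their grammar: `+Live response allows PowerShell scripts to run, however you must first put the files into the library before you can run them.` is a comma splice ("to run, but you must first..."), and the preceding "Live response has a library where you can put files into." should drop "into". The upload steps (`+1. Click **Upload file to library**.`, `2. Click **Browse** and select the file.`) also use "click" where the rest of this change uses "select".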
You can have a collection of PowerShell scripts that can run on devices that you
5. If you'd like to be, know what parameters are needed for the script, select the script parameters check box. In the text field, enter an example and a description.
-6. Click **Confirm**.
+6. Click **Confirm**.
7. (Optional) To verify that the file was uploaded to the library, run the `library` command. - ### Cancel a command
-Anytime during a session, you can cancel a command by pressing CTRL + C.
->[!WARNING]
->Using this shortcut will not stop the command in the agent side. It will only cancel the command in the portal. So, changing operations such as "remediate" may continue, while the command is canceled.
+Anytime during a session, you can cancel a command by pressing CTRL + C.
+
+> [!WARNING]
+> Using this shortcut will not stop the command in the agent side. It will only cancel the command in the portal. So, changing operations such as "remediate" may continue, while the command is canceled.
-## Run a PowerShell script
+## Run a PowerShell script
-Before you can run a PowerShell script, you must first upload it to the library.
+Before you can run a PowerShell script, you must first upload it to the library.
After uploading the script to the library, use the `run` command to run the script. If you plan to use an unsigned script in the session, you'll need to enable the setting in the [Advanced features settings](advanced-features.md) page.
->[!WARNING]
->Allowing the use of unsigned scripts may increase your exposure to threats.
+> [!WARNING]
+> Allowing the use of unsigned scripts may increase your exposure to threats.
## Apply command parameters - View the console help to learn about command parameters. To learn about an individual command, run:
-
- `help <command name>`
+
+ ```powershell
+ help <command name>
+ ```
- When applying parameters to commands, note that parameters are handled based on a fixed order:
-
- `<command name> param1 param2`
+
+ ```powershell
+ <command name> param1 param2
+ ```
- When specifying parameters outside of the fixed order, specify the name of the parameter with a hyphen before providing the value:
-
- `<command name> -param2_name param2`
+
+ ```powershell
+ <command name> -param2_name param2
+ ```
- When using commands that have prerequisite commands, you can use flags:
- `<command name> -type file -id <file path> - auto` or `remediate file <file path> - auto`.
+ ```powershell
+ <command name> -type file -id <file path> - auto
+ ```
+
+ or
+
+ ```powershell
+ remediate file <file path> - auto`
+ ```
## Supported output types
Live response supports table and JSON format output types. For each command, the
- `-output json` - `-output table`
->[!NOTE]
->Fewer fields are shown in table format due to the limited space. To see more details in the output, you can use the JSON output command so that more details are shown.
+> [!NOTE]
+> Fewer fields are shown in table format due to the limited space. To see more details in the output, you can use the JSON output command so that more details are shown.
## Supported output pipes
-Live response supports output piping to CLI and file. CLI is the default output behavior. You can pipe the output to a file using the following command: [command] > [filename].txt.
+Live response supports output piping to CLI and file. CLI is the default output behavior. You can pipe the output to a file using the following command: [command] > [filename].txt.
Example:
processes > output.txt
## View the command log
-Select the **Command log** tab to see the commands used on the device during a session.
-Each command is tracked with full details such as:
+Select the **Command log** tab to see the commands used on the device during a session. Each command is tracked with full details such as:
+ - ID - Command line - Duration
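Review bot: the last fenced example under "Apply command parameters" (`+ remediate file <file path> - auto` followed by a backtick) carries a stray trailing backtick left over from the old inline-code form, and it will be shown literally inside the fence. In both new fences the flag is written `- auto` with a space, while the `remediate` row of the Advanced commands table documents it as `-auto`, which also matches the hyphen-prefixed form shown two bullets earlier (`<command name> -param2_name param2`); one of the two spellings is wrong and should be settled before merging. Two smaller points in the same region: the `powershell` tag on these fences is misleading since these are live response console commands, not PowerShell syntax, and the unchanged step "5. If you'd like to be, know what parameters are needed for the script" is garbled and should read "If you'd like to know what parameters are needed for the script". The "processes > output.txt" example under Supported output pipes stays as bare text while the neighbouring examples moved into fences; fence it the same way.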
Each command is tracked with full details such as:
## Limitations - Live response sessions are limited to 25 live response sessions at a time.-- Live response session inactive timeout value is 30 minutes.
+- Live response session inactive timeout value is 30 minutes.
- A user can initiate up to 10 concurrent sessions. - A device can only be in one session at a time. - The following file size limits apply:
- - `getfile` limit: 3 GB
- - `fileinfo` limit: 10 GB
- - `library` limit: 250 MB
+ - `getfile` limit: 3 GB
+ - `fileinfo` limit: 10 GB
+ - `library` limit: 250 MB
## Related article+ - [Live response command examples](live-response-command-examples.md)
security Mac Install With Other Mdm https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-install-with-other-mdm.md
Most MDM solutions use the same model for managing macOS devices, with similar t
### Package Configure deployment of a [required application package](mac-install-with-jamf.md),
-with the installation package (wdav.pkg) downloaded from [Microsoft Defender Security Center](mac-install-with-jamf.md).
+with the installation package (wdav.pkg) downloaded from [Microsoft 365 Defender portal](mac-install-with-jamf.md).
In order to deploy the package to your enterprise, use the instructions associated with your MDM solution.
Set up [a system configuration profile](mac-install-with-jamf.md).
Your MDM solution may call it something like "Custom Settings Profile", as Microsoft Defender for Endpoint on macOS is not part of macOS.
-Use the property list, jamf/WindowsDefenderATPOnboarding.plist, which can be extracted from an onboarding package downloaded from [Microsoft Defender Security Center](mac-install-with-jamf.md).
+Use the property list, jamf/WindowsDefenderATPOnboarding.plist, which can be extracted from an onboarding package downloaded from [Microsoft 365 Defender portal](mac-install-with-jamf.md).
Your system may support an arbitrary property list in XML format. You can upload the jamf/WindowsDefenderATPOnboarding.plist file as-is in that case. Alternatively, it may require you to convert the property list to a different format first.
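Review bot: the link text is changed to "Microsoft 365 Defender portal" in `+with the installation package (wdav.pkg) downloaded from [Microsoft 365 Defender portal](mac-install-with-jamf.md).` and again in `+Use the property list, jamf/WindowsDefenderATPOnboarding.plist, ... downloaded from [Microsoft 365 Defender portal](mac-install-with-jamf.md).`, but both links still point at the JAMF deployment article rather than the portal or an onboarding page; either change the target to where the package is actually downloaded from, or reword so the link text describes its target (for example "as described in [Deploy with JAMF](mac-install-with-jamf.md)"). Both sentences also need the article: "from the Microsoft 365 Defender portal".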
Grant Full Disk Access to the following components:
### Network extension policy
-As part of the Endpoint Detection and Response capabilities, Microsoft Defender for Endpoint on macOS inspects socket traffic and reports this information to the Microsoft 365 Security Center portal. The following policy allows the network extension to perform this functionality.
+As part of the Endpoint Detection and Response capabilities, Microsoft Defender for Endpoint on macOS inspects socket traffic and reports this information to the Microsoft 365 Defender portal. The following policy allows the network extension to perform this functionality.
- Filter type: Plugin - Plugin bundle identifier: `com.microsoft.wdav`
security Mac Sysext Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-sysext-policies.md
Add the following JAMF payload to grant Full Disk Access to the Microsoft Defend
As part of the Endpoint Detection and Response capabilities, Microsoft Defender for Endpoint on macOS inspects socket traffic and reports this information to the Microsoft 365 Defender portal. The following policy allows the network extension to perform this functionality. >[!NOTE]
->JAMF doesnΓÇÖt have built-in support for content filtering policies, which are a pre-requisite for enabling the network extensions that Microsoft Defender for Endpoint on macOS installs on the device. Furthermore, JAMF sometimes changes the content of the policies being deployed.
+>JAMF doesn't have built-in support for content filtering policies, which are a pre-requisite for enabling the network extensions that Microsoft Defender for Endpoint on macOS installs on the device. Furthermore, JAMF sometimes changes the content of the policies being deployed.
>As such, the following steps provide a workaround that involve signing the configuration profile. 1. Save the following content to your device as `com.microsoft.network-extension.mobileconfig` using a text editor:
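Review bot: the note being touched at `+>JAMF doesn't have built-in support for content filtering policies, ...` fixes the apostrophe but keeps `>` with no space after it, and the `>[!NOTE]` marker is glued to the end of the preceding paragraph, while the rest of this change normalizes notes to `> [!NOTE]` followed by `> text` lines; apply the same form here. In the same note, "pre-requisite" should be "prerequisite", and the unchanged following line "a workaround that involve signing" should read "that involves signing".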
As part of the Endpoint Detection and Response capabilities, Microsoft Defender
<PathToFile>/com.microsoft.network-extension.mobileconfig: OK ```
-3. Follow the instructions on [this page](https://www.jamf.com/jamf-nation/articles/649/creating-a-signing-certificate-using-jamf-pro-s-built-in-certificate-authority) to create a signing certificate using JAMFΓÇÖs built-in certificate authority.
+3. Follow the instructions on [this page](https://www.jamf.com/jamf-nation/articles/649/creating-a-signing-certificate-using-jamf-pro-s-built-in-certificate-authority) to create a signing certificate using JAMF's built-in certificate authority.
4. After the certificate is created and installed to your device, run the following command from the Terminal to sign the file:
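Review bot: the `>[!NOTE]` callout is fused onto the end of the paragraph that introduces the network-extension policy, and step `1. Save the following content to your device as ...` is run onto the callout's last line; each needs its own line, with a blank line before the callout and before the numbered list, or the note will not render as a callout and the step will be swallowed into the quoted block. The apostrophe fixes (`doesnΓÇÖt` to `doesn't`, `JAMFΓÇÖs` to `JAMF's`) are correct; while here, `pre-requisite` should be `prerequisite`, and the file should be saved as UTF-8 so the double-encoded characters do not reappear on the next edit.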
security Manage Atp Post Migration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-atp-post-migration.md
localization_priority: Normal audience: ITPro-+ - M365-security-compliance - m365solution-scenario
> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-After you have moved from your previous endpoint protection and antivirus solution to Microsoft Defender for Endpoint, your next step is to manage your features and capabilities. We recommend using [Microsoft Endpoint Manager](/mem/endpoint-manager-overview), which includes [Microsoft Intune](/mem/intune/fundamentals/what-is-intune) and [Microsoft Endpoint Configuration Manager](/mem/configmgr/core/understand/introduction), to manage your organization's devices and security settings. However, you can use other tools/methods, such as [Group Policy Objects in Azure Active Directory Domain Services](/azure/active-directory-domain-services/manage-group-policy).
+After you have moved from your previous endpoint protection and antivirus solution to Microsoft Defender for Endpoint, your next step is to manage your features and capabilities. We recommend using [Microsoft Endpoint Manager](/mem/endpoint-manager-overview), which includes [Microsoft Intune](/mem/intune/fundamentals/what-is-intune) and [Microsoft Endpoint Configuration Manager](/mem/configmgr/core/understand/introduction), to manage your organization's devices and security settings. However, you can use other tools/methods, such as [Group Policy Objects in Azure Active Directory Domain Services](/azure/active-directory-domain-services/manage-group-policy).
-The following table lists various tools/methods you can use, with links to learn more.
-<br/><br/>
+The following table lists various tools/methods you can use, with links to learn more.
-|Tool/Method |Description |
+<br>
+
+****
+
+|Tool/Method|Description|
|||
-|**[Threat and vulnerability management dashboard insights](/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights)** in the [Microsoft 365 Defender](https://security.microsoft.com/) portal |The threat & vulnerability management dashboard provides actionable information that your security operations team can use to reduce exposure and improve your organization's security posture. <br/><br/>See [Threat & vulnerability management](/microsoft-365/security/defender-endpoint/next-gen-threat-and-vuln-mgt) and [Overview of Microsoft 365 Defender](/microsoft-365/security/defender-endpoint/use). |
-|**[Microsoft Intune](/mem/intune/fundamentals/what-is-intune)** (recommended) |Microsoft Intune (Intune), a component of [Microsoft Endpoint Manager](/mem/endpoint-manager-overview), focuses on mobile device management (MDM) and mobile application management (MAM). With Intune, you control how your organizationΓÇÖs devices are used, including mobile phones, tablets, and laptops. You can also configure specific policies to control applications. <br/><br/>See [Manage Microsoft Defender for Endpoint using Intune](manage-atp-post-migration-intune.md). |
-|**[Microsoft Endpoint Configuration Manager](/mem/configmgr/core/understand/introduction)** |Microsoft Endpoint Manager (Configuration Manager), formerly known as System Center Configuration Manager, is a component of [Microsoft Endpoint Manager](/mem/endpoint-manager-overview). Configuration Manager is a powerful tool to manage your users, devices, and software.<br/><br/>See [Manage Microsoft Defender for Endpoint with Configuration Manager](manage-atp-post-migration-configuration-manager.md). |
-|**[Group Policy Objects in Azure Active Directory Domain Services](/azure/active-directory-domain-services/manage-group-policy)** |[Azure Active Directory Domain Services](/azure/active-directory-domain-services/overview) includes built-in Group Policy Objects for users and devices. You can customize the built-in Group Policy Objects as needed for your environment, as well as create custom Group Policy Objects and organizational units (OUs). <br/><br/>See [Manage Microsoft Defender for Endpoint with Group Policy Objects](manage-atp-post-migration-group-policy-objects.md). |
-|**[PowerShell, WMI, and MPCmdRun.exe](manage-atp-post-migration-other-tools.md)** |*We recommend using Microsoft Endpoint Manager (which includes Intune and Configuration Manager) to manage threat protection features on your organization's devices. However, you can configure some settings, such as Microsoft Defender Antivirus settings on individual devices (endpoints) with PowerShell, WMI, or the MPCmdRun.exe tool.*<br/><br/>You can use PowerShell to manage Microsoft Defender Antivirus, exploit protection, and your attack surface reduction rules. See [Configure Microsoft Defender for Endpoint with PowerShell](manage-atp-post-migration-other-tools.md#configure-microsoft-defender-for-endpoint-with-powershell).<br/><br/>You can use Windows Management Instrumentation (WMI) to manage Microsoft Defender Antivirus and exclusions. See [Configure Microsoft Defender for Endpoint with WMI](manage-atp-post-migration-other-tools.md#configure-microsoft-defender-for-endpoint-with-windows-management-instrumentation-wmi).<br/><br/>You can use the Microsoft Malware Protection Command-Line Utility (MPCmdRun.exe) to manage Microsoft Defender Antivirus and exclusions, as well as validate connections between your network and the cloud. See [Configure Microsoft Defender for Endpoint with MPCmdRun.exe](manage-atp-post-migration-other-tools.md#configure-microsoft-defender-for-endpoint-with-microsoft-malware-protection-command-line-utility-mpcmdrunexe). |
+|**[Threat and vulnerability management dashboard insights](/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights)** in the [Microsoft 365 Defender](https://security.microsoft.com/) portal|The threat & vulnerability management dashboard provides actionable information that your security operations team can use to reduce exposure and improve your organization's security posture. <p> See [Threat & vulnerability management](/microsoft-365/security/defender-endpoint/next-gen-threat-and-vuln-mgt) and [Overview of Microsoft 365 Defender](/microsoft-365/security/defender-endpoint/use).|
+|**[Microsoft Intune](/mem/intune/fundamentals/what-is-intune)** (recommended)|Microsoft Intune (Intune), a component of [Microsoft Endpoint Manager](/mem/endpoint-manager-overview), focuses on mobile device management (MDM) and mobile application management (MAM). With Intune, you control how your organization's devices are used, including mobile phones, tablets, and laptops. You can also configure specific policies to control applications. <p> See [Manage Microsoft Defender for Endpoint using Intune](manage-atp-post-migration-intune.md).|
+|**[Microsoft Endpoint Configuration Manager](/mem/configmgr/core/understand/introduction)**|Microsoft Endpoint Manager (Configuration Manager), formerly known as System Center Configuration Manager, is a component of [Microsoft Endpoint Manager](/mem/endpoint-manager-overview). Configuration Manager is a powerful tool to manage your users, devices, and software. <p> See [Manage Microsoft Defender for Endpoint with Configuration Manager](manage-atp-post-migration-configuration-manager.md).|
+|**[Group Policy Objects in Azure Active Directory Domain Services](/azure/active-directory-domain-services/manage-group-policy)**|[Azure Active Directory Domain Services](/azure/active-directory-domain-services/overview) includes built-in Group Policy Objects for users and devices. You can customize the built-in Group Policy Objects as needed for your environment, as well as create custom Group Policy Objects and organizational units (OUs). <p> See [Manage Microsoft Defender for Endpoint with Group Policy Objects](manage-atp-post-migration-group-policy-objects.md).|
+|**[PowerShell, WMI, and MPCmdRun.exe](manage-atp-post-migration-other-tools.md)**|*We recommend using Microsoft Endpoint Manager (which includes Intune and Configuration Manager) to manage threat protection features on your organization's devices. However, you can configure some settings, such as Microsoft Defender Antivirus settings on individual devices (endpoints) with PowerShell, WMI, or the MPCmdRun.exe tool.* <p> You can use PowerShell to manage Microsoft Defender Antivirus, exploit protection, and your attack surface reduction rules. See [Configure Microsoft Defender for Endpoint with PowerShell](manage-atp-post-migration-other-tools.md#configure-microsoft-defender-for-endpoint-with-powershell). <p> You can use Windows Management Instrumentation (WMI) to manage Microsoft Defender Antivirus and exclusions. See [Configure Microsoft Defender for Endpoint with WMI](manage-atp-post-migration-other-tools.md#configure-microsoft-defender-for-endpoint-with-windows-management-instrumentation-wmi). <p> You can use the Microsoft Malware Protection Command-Line Utility (MPCmdRun.exe) to manage Microsoft Defender Antivirus and exclusions, as well as validate connections between your network and the cloud. See [Configure Microsoft Defender for Endpoint with MPCmdRun.exe](manage-atp-post-migration-other-tools.md#configure-microsoft-defender-for-endpoint-with-microsoft-malware-protection-command-line-utility-mpcmdrunexe).|
## See also
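Review bot: the Configuration Manager row's description opens with `Microsoft Endpoint Manager (Configuration Manager), formerly known as System Center Configuration Manager`, which contradicts the same cell's later statement that Configuration Manager is a component of Microsoft Endpoint Manager; it should open with `Microsoft Endpoint Configuration Manager (Configuration Manager)`, matching the row's link text. This is carried over unchanged from the old table, so fix it while the table is being rewritten. Two smaller points: the separator row `|||` under `|Tool/Method|Description|` is not a standard GFM delimiter row (`|---|---|`), so confirm the renderer accepts it; and the added `<br>` plus `****` lines in front of the table render as a line break followed by a horizontal rule, which should match how the other tables in this doc set are introduced.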
security Respond File Alerts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/respond-file-alerts.md
You can roll back and remove a file from quarantine if youΓÇÖve determined that
Selecting **Download file** from the response actions allows you to download a local, password-protected .zip archive containing your file. A flyout will appear where you can record a reason for downloading the file, and set a password.
-By default, you will not be able to download files that are in quarantine.
+By default, you should be able to download files that are in quarantine.
![Image of download file action](images/atp-download-file-action.png)
+### Download quarantined files
+
+Files that have been quarantined by Microsoft Defender Antivirus or your security team will be saved in a compliant way according to your [sample submission configurations](enable-cloud-protection-microsoft-defender-antivirus.md). Your security team can download the files directly from the fileΓÇÖs detail page via the "Download file" button. **This preview feature is turned 'On' by default**.
+
+The location depends on your organization's geo settings (either EU, UK, or US). A quarantined file will only be collected once per organization. Learn more about Microsoft's data protection from the Service Trust Portal at https://aka.ms/STP.
+
+Having this setting turned on can help security teams examine potentially bad files and investigate incidents quickly and in a less risky way. However, if you need to turn this setting off, go to **Settings** > **Endpoints** > **Advanced features** > **Download quarantined files** to adjust the setting. [Learn more about advanced features](advanced-features.md)
+
+#### Backing up quarantined files
+
+Users may be prompted to provide explicit consent before backing up the quarantined file, depending on your [sample submission configuration](enable-cloud-protection-microsoft-defender-antivirus.md#use-group-policy-to-turn-on-cloud-delivered-protection).
+
+This feature will not work if sample submission is turned off. If automatic sample submission is set to request permission from the user, only samples that the user agrees to send will be collected.
+
+>[!IMPORTANT]
+>Download quarantined file requirements:
+>- Your organization uses Microsoft Defender Antivirus in active mode
+>- Antivirus engine version is 1.1.17300.4 or later. See [Monthly platform and engine versions](manage-updates-baselines-microsoft-defender-antivirus.md#monthly-platform-and-engine-versions)
+>- CloudΓÇôbased protection is enabled. See [Turn on cloud-delivered protection](enable-cloud-protection-microsoft-defender-antivirus.md)
+>- Sample submission is turned on
+>- Devices have Windows 10 version 1703 or later, or Windows server 2016 or 2019
+ ### Collect files If a file is not already stored by Microsoft Defender for Endpoint, you can't download it. Instead, you'll see a **Collect file** button in the same location. If a file hasn't been seen in the organization in the past 30 days, **Collect file** will be disabled.
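Review bot: the added lines carry mis-encoded characters: `fileΓÇÖs detail page` in the Download quarantined files paragraph and `CloudΓÇôbased protection` in the requirements list should be `file's` and `Cloud-based` before merging, since the rest of this change removes exactly these artifacts. The inverted sentence `By default, you should be able to download files that are in quarantine.` agrees with the new section (the preview feature is on by default), but `should be able to` reads as uncertain; `By default, you can download files that are in quarantine` is clearer. The `### Collect files` heading is run onto the same line as its paragraph and needs its own line. Finally, because the feature is on by default and the download yields a password-protected archive of a quarantined (potentially malicious) file, the `Download quarantined files` section should state which role or permission is required to use the `Download file` button, next to the `Settings > Endpoints > Advanced features` toggle it already documents.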
security Service Status https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/service-status.md
ms.technology: mde
**Applies to:** - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
->Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-servicestatus-abovefoldlink)
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-servicestatus-abovefoldlink)
**Service health** provides information on the current status of the Defender for Endpoint service. You'll be able to verify that the service health is healthy or if there are current issues. If there are issues, you'll see information such as when the issue was detected, what the preliminary root cause is, and the expected resolution time.
The **Service health** details page has the following tabs:
- **Status history** ## Current status+ The **Current status** tab shows the current state of the Defender for Endpoint service. When the service is running smoothly a healthy service health is shown. If there are issues seen, the following service details are shown to help you gain better insight about the issue: - Date and time for when the issue was detected
Updates on the progress of an issue are reflected on the page as the issue gets
When an issue is resolved, it gets recorded in the **Status history** tab. ## Status history+ The **Status history** tab reflects all the historical issues that were seen and resolved. You'll see details of the resolved issues along with the other information that were included while it was being resolved. ### Related topic+ - [View the Security operations dashboard](security-operations-dashboard.md)
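Review bot: the space after `>` in the trial callout matches the other files in this change. In the surrounding context, `## Current status+`, `## Status history+` and `### Related topic+` show a stray `+` fused to each heading, and the headings are run onto the same line as the text that follows; check that in the file each heading sits on its own line followed by a blank line, otherwise the headings will not render.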
security Troubleshoot Asr Rules https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-asr-rules.md
ms.technology: mde
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
-The Microsoft 365 security center is the new interface for monitoring and managing security across your Microsoft identities, data, devices, apps, and infrastructure. Here you can easily view the security health of your organization, act to configure devices, users, and apps, and get alerts for suspicious activity. The Microsoft 365 security center is intended for security admins and security operations teams to better manage and protect their organization. Visit the Microsoft 365 security center at https://security.microsoft.com.
+The Microsoft 365 security center is the new interface for monitoring and managing security across your Microsoft identities, data, devices, apps, and infrastructure. Here you can easily view the security health of your organization, act to configure devices, users, and apps, and get alerts for suspicious activity. The Microsoft 365 security center is intended for security admins and security operations teams to better manage and protect their organization. Visit the Microsoft 365 security center at <https://security.microsoft.com>.
+ In Microsoft 365 security center, we offer you a complete look at the current ASR rules configuration and events in your estate. Note that your devices must be onboarded into the Microsoft Defender for Endpoint service for these reports to be populated.
-Here's a screenshot from the Microsoft 365 security center (under **Reports** > **Devices** > **Attack surface reduction**). At the device level, select **Configuration** from the **Attack surface reduction rules** pane. The following screen is displayed, where you can select a specific device and check its individual ASR rule configuration.
+Here's a screenshot from the Microsoft 365 security center (under **Reports** \> **Devices** \> **Attack surface reduction**). At the device level, select **Configuration** from the **Attack surface reduction rules** pane. The following screen is displayed, where you can select a specific device and check its individual ASR rule configuration.
:::image type="content" source="images/asrrulesnew.png" lightbox="images/asrrulesnew.png" alt-text="ASR rules screen":::
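Review bot: the `\>` escaping in `**Reports** \> **Devices** \> **Attack surface reduction**` is applied here but not in the later Event Viewer path (`**Applications and Services Logs** > **Microsoft** > **Windows** > **Windows Defender** > **Operational**`), so pick one form for the whole file. The `<https://security.microsoft.com>` autolink is fine. The added sentence `Note that your devices must be onboarded into the Microsoft Defender for Endpoint service for these reports to be populated.` is the one operational precondition for this whole section and deserves more visibility than the end of a paragraph, for example as a callout.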
-## Microsoft Defender for Endpoint ΓÇô Advanced hunting
+## Microsoft Defender for Endpoint - Advanced hunting
One of the most powerful features of Microsoft Defender for Endpoint is advanced hunting. If you're unfamiliar with advanced hunting, refer [proactively hunt for threats with advanced hunting](advanced-hunting-overview.md).
Pictured below is a screenshot of the Timeline view of these events on a given e
The first and most immediate way is to check locally, on a Windows device, which ASR rules are enabled (and their configuration) is by using the PowerShell cmdlets.
-Here are a few other sources of information that Windows offers, to troubleshoot ASR rulesΓÇÖ impact and operation.
+Here are a few other sources of information that Windows offers, to troubleshoot ASR rules' impact and operation.
### Querying which rules are active
-One of the easiest ways to determine if ASR rules are already enabledΓÇöand, is through a PowerShell cmdlet, Get-MpPreference.
+
+One of the easiest ways to determine if ASR rules are already enabled is through a PowerShell cmdlet, Get-MpPreference.
+ Here's an example: :::image type="content" source="images/getmpreferencescriptnew.png" lightbox="images/getmpreferencescriptnew.png" alt-text="get mppreference script":::
To expand the above information on ASR rules, you can use the properties **Attac
Example:
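Review bot: `Get-MpPreference` is given only in prose with an image as the example, while the two following steps get fenced `powershell` blocks; give this step a fenced block too (`Get-MpPreference`) so the cmdlet can be copied and the image is not the only carrier of the command. The cleanup of `enabledΓÇöand, is through` to `enabled is through` is correct.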
-*Get-MPPreference | Select-Object -ExpandProperty**AttackSurfaceReductionRules_Ids*
+```powershell
+Get-MPPreference | Select-Object -ExpandProperty**AttackSurfaceReductionRules_Ids
+```
:::image type="content" source="images/getmpref-examplenew.png" alt-text="get mpreference example"::: The above shows all the IDs for ASR rules that have a setting different from 0 (Not Configured).
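Review bot: the fenced command is not valid PowerShell: the bold markers from the old italic line leaked into the code, so `-ExpandProperty**AttackSurfaceReductionRules_Ids` is parsed as a single token and the cmdlet fails on an unrecognized parameter. It should read `Get-MpPreference | Select-Object -ExpandProperty AttackSurfaceReductionRules_Ids` (this also matches the cmdlet casing used earlier in the file).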
-The next step is then to list the actual actions (Block or Audit) that each rule is configured with.
+The next step is then to list the actual actions (Block or Audit) that each rule is configured with.
-*Get-MPPreference | Select-Object -ExpandProperty**AttackSurfaceReductionRules_Actions*
+```powershell
+Get-MPPreference | Select-Object -ExpandProperty**AttackSurfaceReductionRules_Actions
+```
:::image type="content" source="images/getmpref-example2new.png" alt-text="get mppreference example2"::: ### Querying blocking and auditing events+ ASR rule events can be viewed within the Windows Defender log. To access it, open Windows Event Viewer, and browse to **Applications and Services Logs** > **Microsoft** > **Windows** > **Windows Defender** > **Operational**.
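Review bot: same defect as the `_Ids` block: `-ExpandProperty**AttackSurfaceReductionRules_Actions` must be `-ExpandProperty AttackSurfaceReductionRules_Actions`. The text promises that this step lists `Block or Audit`, but how to read the `_Actions` output against the `_Ids` list is left entirely to the image; one sentence explaining the correspondence would let readers interpret the output without the screenshot.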
To access it, open Windows Event Viewer, and browse to **Applications and Servic
:::image type="content" source="images/eventviewerscrnew.png" lightbox="images/eventviewerscrnew.png" alt-text="event viewer scr"::: ## Microsoft Defender Malware Protection Logs+ You can also view rule events through the Microsoft Defender Antivirus dedicated command-line tool, called `*mpcmdrun.exe*`, that can be used to manage and configure, and automate tasks if needed. You can find this utility in *%ProgramFiles%\Windows Defender\MpCmdRun.exe*. You must run it from an elevated command prompt (that is, run as Admin).
Extract that archive and you'll have many files available for troubleshooting pu
The most relevant files are as follows: -- **MPOperationalEvents.txt** - This file contains same level of information found in Event Viewer for Windows DefenderΓÇÖs Operational log.-- **MPRegistry.txt** ΓÇô In this file you can analyze all the current Windows Defender configurations, from the moment the support logs were captured.-- **MPLog.txt** ΓÇô This log contains more verbose information about all the actions/operations of the Windows Defender.
+- **MPOperationalEvents.txt**: This file contains same level of information found in Event Viewer for Windows Defender's Operational log.
+- **MPRegistry.txt**: In this file you can analyze all the current Windows Defender configurations, from the moment the support logs were captured.
+- **MPLog.txt**: This log contains more verbose information about all the actions/operations of the Windows Defender.
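Review bot: the list split is right. Two consistency points in the surrounding text: `*mpcmdrun.exe*` is wrapped in both backticks and asterisks, so the asterisks render literally inside the code span; use backticks only. And the three file descriptions say `Windows Defender` where the same section introduces the tool as the `Microsoft Defender Antivirus dedicated command-line tool`; align the product name. `contains same level of information` also needs `the same level`.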
security Troubleshoot Mdatp https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-mdatp.md
ms.technology: mde
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
-> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-pullalerts-abovefoldlink)
-
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-pullalerts-abovefoldlink)
This section addresses issues that might arise as you use the Microsoft Defender for Endpoint service. ## Server error - Access is denied due to invalid credentials
-If you encounter a server error when trying to access the service, youΓÇÖll need to change your browser cookie settings.
+
+If you encounter a server error when trying to access the service, you'll need to change your browser cookie settings.
Configure your browser to allow cookies. ## Elements or data missing on the portal+ If some elements or data is missing on Microsoft 365 Defender itΓÇÖs possible that proxy settings are blocking it. Make sure that `*.security.microsoft.com` is included the proxy allowlist. - > [!NOTE] > You must use the HTTPS protocol when adding the following endpoints.
For more information, see [Ensure that Microsoft Defender Antivirus is not disab
## Known issues with regional formats
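Review bot: the apostrophe fix in `you'll need to change your browser cookie settings` is correct, but the same mis-encoded apostrophe survives a few lines later in `itΓÇÖs possible that proxy settings are blocking it` under Elements or data missing on the portal; fix it in the same pass. That sentence also drops a word: `is included the proxy allowlist` should be `is included in the proxy allowlist`, and `If some elements or data is missing` should be `are missing`.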
-**Date and time formats**<br>
-There are some known issues with the time and date formats.
+### Date and time formats
+
+There are some known issues with the time and date formats.
The following date formats are supported:+ - MM/dd/yyyy - dd/MM/yyyy The following date and time formats are currently not supported:+ - Date format yyyy/MM/dd - Date format dd/MM/yy - Date format with yy. Will only show yyyy. - Time format HH:mm:ss is not supported (the 12 hour AM/PM format is not supported). Only the 24-hour format is supported.
-**Use of comma to indicate thousand**<br>
+### Use of comma to indicate thousand
+ Support of use of comma as a separator in numbers are not supported. Regions where a number is separated with a comma to indicate a thousand, will only see the use of a dot as a separator. For example, 15,5K is displayed as 15.5K.
->Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-troubleshoot-belowfoldlink)
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-troubleshoot-belowfoldlink)
## Microsoft Defender for Endpoint tenant was automatically created in Europe+ When you use Azure Defender to monitor servers, a Microsoft Defender for Endpoint tenant is automatically created. The Microsoft Defender for Endpoint data is stored in Europe by default. ## Related topics+ - [Troubleshoot Microsoft Defender for Endpoint onboarding issues](troubleshoot-onboarding.md) - [Review events and errors using Event Viewer](event-error-codes.md)
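Review bot: the new `### Use of comma to indicate thousand` section keeps the sentence `Support of use of comma as a separator in numbers are not supported`, which is both redundant and ungrammatical; suggest `Using a comma as a thousands separator is not supported.` Note too that the example `15,5K is displayed as 15.5K` shows a decimal comma, not a thousands separator, so either the heading or the example should change to match.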
security Tvm Security Recommendation https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/tvm-security-recommendation.md
ms.technology: mde
- [Threat and vulnerability management](next-gen-threat-and-vuln-mgt.md) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
->Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
Cybersecurity weaknesses identified in your organization are mapped to actionable security recommendations and prioritized by their impact. Prioritized recommendations help shorten the time to mitigate or remediate vulnerabilities and drive compliance. Each security recommendation includes actionable remediation steps. To help with task management, the recommendation can also be sent using Microsoft Intune and Microsoft Endpoint Configuration Manager. When the threat landscape changes, the recommendation also changes as it continuously collects information from your environment.
->[!TIP]
->To get emails about new vulnerability events, see [Configure vulnerability email notifications in Microsoft Defender for Endpoint](configure-vulnerability-email-notifications.md)
+> [!TIP]
+> To get emails about new vulnerability events, see [Configure vulnerability email notifications in Microsoft Defender for Endpoint](configure-vulnerability-email-notifications.md)
## How it works Each device in the organization is scored based on three important factors to help customers to focus on the right things at the right time. -- **Threat**ΓÇöCharacteristics of the vulnerabilities and exploits in your organizations' devices and breach history. Based on these factors, the security recommendations show the corresponding links to active alerts, ongoing threat campaigns, and their corresponding threat analytic reports.--- **Breach likelihood**ΓÇöYour organization's security posture and resilience against threats--- **Business value**ΓÇöYour organization's assets, critical processes, and intellectual properties
+- **Threat**: Characteristics of the vulnerabilities and exploits in your organizations' devices and breach history. Based on these factors, the security recommendations show the corresponding links to active alerts, ongoing threat campaigns, and their corresponding threat analytic reports.
+- **Breach likelihood**: Your organization's security posture and resilience against threats.
+- **Business value**: Your organization's assets, critical processes, and intellectual properties.
## Navigate to the Security recommendations page
View recommendations, the number of weaknesses found, related components, threat
The color of the **Exposed devices** graph changes as the trend changes. If the number of exposed devices is on the rise, the color changes into red. If there's a decrease in the number of exposed devices, the color of the graph will change into green.
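Review bot: in the reformatted `Threat` bullet, `your organizations' devices` should be `your organization's devices` (singular, as used elsewhere on the page). The trailing periods added to the other two bullets make the list consistent.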
->[!NOTE]
->Threat and vulnerability management shows devices that were in use up to **30 days** ago. This is different from the rest of Microsoft Defender for Endpoint, where if a device has not been in use for more than 7 days it has in an ΓÇÿInactiveΓÇÖ status.
+> [!NOTE]
+> Threat and vulnerability management shows devices that were in use up to **30 days** ago. This is different from the rest of Microsoft Defender for Endpoint, where if a device has not been in use for more than 7 days it has in an 'Inactive' status.
![Example of the landing page for security recommendations.](images/tvmsecrec-updated.png) ### Icons Useful icons also quickly call your attention to:+ - ![arrow hitting a target](images/tvm_alert_icon.png) possible active alerts - ![red bug](images/tvm_bug_icon.png) associated public exploits - ![light bulb](images/tvm_insight_icon.png) recommendation insights
Select a security recommendation you would like to request remediation for, and
As an alternative to a remediation request when a recommendation is not relevant at the moment, you can create exceptions for recommendations. [Learn more about exceptions](tvm-exception.md)
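Review bot: the rewritten NOTE keeps a grammatical slip: `it has in an 'Inactive' status` should be `it has an 'Inactive' status` (or `it is in an 'Inactive' status`); the quote-character replacement itself is correct.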
-Only users with ΓÇ£exceptions handlingΓÇ¥ permissions can add exception. [Learn more about RBAC roles](user-roles.md).
+Only users with "exceptions handling" permissions can add exception. [Learn more about RBAC roles](user-roles.md).
When an exception is created for a recommendation, the recommendation is no longer active. The recommendation state will change to **Full exception** or **Partial exception** (by device group).
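Review bot: `can add exception` should be `can add exceptions` (or `an exception`); the quote-character fix itself is correct.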
security Tvm Software Inventory https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/tvm-software-inventory.md
localization_priority: Normal audience: ITPro-+ - m365-security-compliance - m365initiative-defender-endpoint
ms.technology: mde
- [Threat and vulnerability management](next-gen-threat-and-vuln-mgt.md) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
-The software inventory in threat and vulnerability management is a list of known software in your organization with official [Common Platform Enumerations (CPE)](https://nvd.nist.gov/products/cpe). Software products without an official CPE donΓÇÖt have vulnerabilities published. It also includes details such as the name of the vendor, number of weaknesses, threats, and number of exposed devices.
+The software inventory in threat and vulnerability management is a list of known software in your organization with official [Common Platform Enumerations (CPE)](https://nvd.nist.gov/products/cpe). Software products without an official CPE don't have vulnerabilities published. It also includes details such as the name of the vendor, number of weaknesses, threats, and number of exposed devices.
## How it works
You can view software pages a few different ways:
- Side panel with vendor information, prevalence of the software in the organization (including number of devices it's installed on, and exposed devices that aren't patched), whether and exploit is available, and impact to your exposure score. - Data visualizations showing the number of, and severity of, vulnerabilities and misconfigurations. Also, graphs with the number of exposed devices. - Tabs showing information such as:
- - Corresponding security recommendations for the weaknesses and vulnerabilities identified.
- - Named CVEs of discovered vulnerabilities.
- - Devices that have the software installed (along with device name, domain, OS, and more).
- - Software version list (including number of devices the version is installed on, the number of discovered vulnerabilities, and the names of the installed devices).
+ - Corresponding security recommendations for the weaknesses and vulnerabilities identified.
+ - Named CVEs of discovered vulnerabilities.
+ - Devices that have the software installed (along with device name, domain, OS, and more).
+ - Software version list (including number of devices the version is installed on, the number of discovered vulnerabilities, and the names of the installed devices).
- ![Software example page for Visual Studio 2017 with the software details, weaknesses, exposed devices, and more.](images/tvm-software-page-example.png)
- :::image type="content" alt-text="Software example page for Visual Studio 2017 with the software details, weaknesses, exposed devices, and more." source="images/tvm-software-page-example.png" lightbox="images/tvm-software-page-example.png":::
+ :::image type="content" alt-text="Software example page for Visual Studio 2017 with the software details, weaknesses, exposed devices, and more." source="images/tvm-software-page-example.png" lightbox="images/tvm-software-page-example.png":::
## Report inaccuracy
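Review bot: the unchanged context line beginning `- Side panel with vendor information` still reads "whether and exploit is available"; since this change already reworks the indentation of the surrounding list and swaps the image to the `:::image:::` directive, fix it to "whether an exploit is available" in the same commit. The re-indented sub-bullets (`+ - Corresponding security recommendations ...` through `+ - Software version list ...`) are the right fix for the nested list, but confirm the parent item "Tabs showing information such as:" keeps the indentation the sub-items now assume, otherwise they render as a separate top-level list.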
security Web Protection Monitoring https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/web-protection-monitoring.md
ms.technology: mde
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
->Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-main-abovefoldlink&rtc=1)
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-main-abovefoldlink&rtc=1)
-Web protection lets you monitor your organizationΓÇÖs web browsing security through reports under **Reports > Web protection** in the Microsoft 365 Defender portal. The report contains cards that provide web threat detection statistics.
+Web protection lets you monitor your organization's web browsing security through reports under **Reports > Web protection** in the Microsoft 365 Defender portal. The report contains cards that provide web threat detection statistics.
- **Web threat protection detections over time** - this trending card displays the number of web threats detected by type during the selected time period (Last 30 days, Last 3 months, Last 6 months)
-
+ :::image type="content" alt-text="Image of the card showing web threats protection detections over time" source="images/wtp-blocks-over-time.png" lightbox="images/wtp-blocks-over-time.png"::: - **Web threat protection summary** - this card displays the total web threat detections in the past 30 days, showing distribution across the different types of web threats. Selecting a slice opens the list of the domains that were found with malicious or unwanted websites. :::image type="content" alt-text="Image of the card showing web threats protection summary" source="images/wtp-summary.png" lightbox="images/wtp-summary.png":::
->[!Note]
->It can take up to 12 hours before a block is reflected in the cards or the domain list.
+> [!NOTE]
+> It can take up to 12 hours before a block is reflected in the cards or the domain list.
## Types of web threats
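Review bot: check that the **Web threat protection detections over time** card keeps its description. In the `+` line only the `wtp-blocks-over-time.png` image reference and the **Web threat protection summary** bullet are visible, so if the line starting `- **Web threat protection detections over time**` is a removal rather than a surviving list item, the first card is left with an image and no text. The `[!Note]` to `[!NOTE]` change is correct and matches the uppercase form used in the other notes in this update.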
security Advanced Hunting Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-overview.md
ms.technology: m365d
> Want to experience Microsoft 365 Defender? You can [evaluate it in a lab environment](m365d-evaluation.md?ocid=cx-docs-MTPtriallab) or [run your pilot project in production](m365d-pilot.md?ocid=cx-evalpilot). >
-Advanced hunting is a query-based threat-hunting tool that lets you explore up to 30 days of raw data. You can proactively inspect events in your network to locate threat indicators and entities. The flexible access to data enables unconstrained hunting for both known and potential threats.
+Advanced hunting is a query-based threat hunting tool that lets you explore up to 30 days of raw data. You can proactively inspect events in your network to locate threat indicators and entities. The flexible access to data enables unconstrained hunting for both known and potential threats.
<br><br> > [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4Bp7O]
-You can use the same threat-hunting queries to build custom detection rules. These rules run automatically to check for and then respond to suspected breach activity, misconfigured machines, and other findings.
+You can use the same threat hunting queries to build custom detection rules. These rules run automatically to check for and then respond to suspected breach activity, misconfigured machines, and other findings.
-This capability is similar to [advanced hunting in Microsoft Defender for Endpoint](/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview). Available in Microsoft 365 security center, this capability supports queries that check a broader data set from:
+This capability is similar to [advanced hunting in Microsoft Defender for Endpoint](/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview) and supports queries that check a broader data set from:
- Microsoft Defender for Endpoint - Microsoft Defender for Office 365
This capability is similar to [advanced hunting in Microsoft Defender for Endpoi
To use advanced hunting, [turn on Microsoft 365 Defender](m365d-enable.md).
+For more information on advanced hunting in Microsoft Cloud App Security data, see the [video](https://www.microsoft.com/en-us/videoplayer/embed/RWFISa).
+ ## Get started with advanced hunting We recommend going through several steps to quickly get started with advanced hunting.
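Review bot: the added sentence `For more information on advanced hunting in Microsoft Cloud App Security data, see the [video](https://www.microsoft.com/en-us/videoplayer/embed/RWFISa).` links to a bare videoplayer embed URL, while the existing video a few lines up uses the `> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4Bp7O]` directive; use the same directive so the player renders inline. Two smaller points in the same hunk: removing the hyphen from "threat-hunting tool" and "threat-hunting queries" drops a compound modifier that was correctly hyphenated before a noun, and the new `## Get started with advanced hunting` heading carries a leading space in the `+` line that the other headings do not.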
security Eval Defender Mcas Pilot https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-defender-mcas-pilot.md
ms.technology: m365d
This article is [Step 3 of 3](eval-defender-mcas-overview.md) in the process of setting up the evaluation environment for Microsoft Cloud App Security. For more information about this process, see the [overview article](eval-defender-mcas-overview.md).
-Use the following steps to setup and configure the pilot for Microsoft Cloud App Security.
+Use the following steps to set up and configure the pilot for Microsoft Cloud App Security.
![Steps for piloting Microsoft Cloud App Security](../../media/defender/m365-defender-mcas-pilot-steps.png)
Try out Cloud App Security tutorials:
- [Protect your files with admin quarantine](/cloud-app-security/use-case-admin-quarantine) - [Require step-up authentication upon risky action](/cloud-app-security/tutorial-step-up-authentication)
+For more information on advanced hunting in Microsoft Cloud App Security data, see the [video](https://www.microsoft.com/en-us/videoplayer/embed/RWFISa).
+ ## Next steps [Investigate and respond using Microsoft 365 Defender in a pilot environment](eval-defender-investigate-respond.md) Return to the overview for [Evaluate Microsoft Cloud App Security](eval-defender-mcas-overview.md)
-Return to the overview for [Evaluate and pilot Microsoft 365 Defender](eval-overview.md)
+Return to the overview for [Evaluate and pilot Microsoft 365 Defender](eval-overview.md)
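Review bot: the same `For more information on advanced hunting in Microsoft Cloud App Security data, see the [video](...RWFISa)` sentence is added here as in advanced-hunting-overview; as there, prefer the `[!VIDEO ...]` directive the docs already use for embedded players, and the `+ ## Next steps` heading has a leading space that the other headings lack. The removed and added `Return to the overview for [Evaluate and pilot Microsoft 365 Defender](eval-overview.md)` lines read identically, so that part of the hunk is a whitespace-only change; confirm it is intentional rather than a stray trailing space.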
security Eval Defender Promote To Production https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-defender-promote-to-production.md
After successfully evaluating or piloting MDO, it can be promoted to your entire
5. Decommission any third-party SMTP gateways and disable or delete any EXO connectors associated with this relay. ## Microsoft Defender for Endpoint
-To promote Microsoft Defender for Endpoint evaluation environment from a pilot to production, simply onboard more endpoints to the service using any of the [supported tools and methods](onboard-configure.md).
+To promote Microsoft Defender for Endpoint evaluation environment from a pilot to production, simply onboard more endpoints to the service using any of the [supported tools and methods](../defender-endpoint/onboard-configure.md).
Use the following general guidelines to onboard more devices to Microsoft Defender for Endpoint.
-1. Verify that the device fulfills the [minimum requirements](minimum-requirements.md).
+1. Verify that the device fulfills the [minimum requirements](../defender-endpoint/minimum-requirements.md).
2. Depending on the device, follow the configuration steps provided in the onboarding section of the Defender for Endpoint portal. 3. Use the appropriate management tool and deployment method for your devices. 4. Run a detection test to verify that the devices are properly onboarded and reporting to the service.
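Review bot: the repointed links (`../defender-endpoint/onboard-configure.md`, `../defender-endpoint/minimum-requirements.md`) are the right fix for a page that lives under security/defender rather than security/defender-endpoint. While the first sentence is being edited, add the missing article and drop "simply": "To promote the Microsoft Defender for Endpoint evaluation environment from a pilot to production, onboard more endpoints to the service using any of the supported tools and methods."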
security Portals https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/portals.md
While these portals are not specifically for managing security, they support var
|||| | Azure portal | View and manage [Azure Active Directory](/azure/active-directory/fundamentals/active-directory-whatis) and all your [Azure resources](/azure/azure-resource-manager/management/overview) | [portal.azure.com](https://portal.azure.com/) | | Microsoft 365 compliance center | Manage data handling policies and ensure [compliance with regulations](/compliance/regulatory/offering-home) | [compliance.microsoft.com](https://compliance.microsoft.com/) |
-| Microsoft 365 admin center | Configure Microsoft 365 services; manage roles, licenses, and track updates to your Microsoft 365 services | [admin.microsoft.com](https://admin.microsoft.com/) |
+| Microsoft 365 admin center | Configure Microsoft 365 services; manage roles, licenses, and track updates to your Microsoft 365 services | [admin.microsoft.com](https://go.microsoft.com/fwlink/p/?linkid=2166757) |
| Microsoft Endpoint Manager admin center | Use [Microsoft Endpoint Manager](/mem/configmgr/) to manage and secure devices using combined Intune and Configuration Manager capabilities | [devicemanagement.microsoft.com](https://devicemanagement.microsoft.com/) | | Microsoft Intune portal | Use [Microsoft Intune](/intune/fundamentals/what-is-intune) to deploy device policies and monitor devices for compliance | [endpoint.microsoft.com](https://endpoint.microsoft.com/#blade/Microsoft_Intune_DeviceSettings/DevicesMenu/overview)
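Review bot: the Microsoft 365 admin center row now links the visible text `admin.microsoft.com` to the `https://go.microsoft.com/fwlink/p/?linkid=2166757` redirect, while every other row in this table links the displayed host directly (`portal.azure.com`, `compliance.microsoft.com`, `devicemanagement.microsoft.com`). Either apply the fwlink convention to the whole table or keep the direct URL here, so the link text matches the destination readers land on; a single redirected row is the kind of inconsistency that looks like a tampered link to a cautious admin.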
security Streaming Api https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/streaming-api.md
ms.technology: mde
Microsoft 365 Defender supports streaming events through [Advanced Hunting](../defender/advanced-hunting-overview.md) to an [Event Hubs](/azure/event-hubs/) and/or [Azure storage account](/azure/event-hubs/). -
+For more information on Microsoft 365 Defender streaming API, see the [video](https://www.microsoft.com/en-us/videoplayer/embed/RE4r4ga).
## In this section
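Review bot: the unchanged sentence directly above the added line links **Azure storage account** to `/azure/event-hubs/`, the same target as the Event Hubs link; that is a copy-paste error and should point at the Azure Storage documentation, which this change can fix while it is editing the paragraph. The added sentence should also read "the Microsoft 365 Defender streaming API", and, as with the other video links in this update, the `[!VIDEO ...]` directive renders the player inline where a bare link to a videoplayer embed URL does not.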
security Anti Spam Message Headers https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/anti-spam-message-headers.md
The following table describes the fields and possible values for each email auth
|`action`|Indicates the action taken by the spam filter based on the results of the DMARC check. For example: <ul><li>**oreject** or **o.reject**: Stands for override reject. In this case Microsoft 365 uses this action when it receives a message that fails the DMARC check from a domain whose DMARC TXT record has a policy of p=reject. Instead of deleting or rejecting the message, Microsoft 365 marks the message as spam. For more information on why Microsoft 365 is configured this way, see [How Microsoft 365 handles inbound email that fails DMARC](use-dmarc-to-validate-email.md#how-microsoft-365-handles-inbound-email-that-fails-dmarc).</li><li>**pct.quarantine**: Indicates that a percentage less than 100% of messages that do not pass DMARC will be delivered anyway. This means that the message failed DMARC and the policy was set to quarantine, but the pct field was not set to 100% and the system randomly determined not to apply the DMARC action, as per the specified domain's policy.</li><li>**pct.reject**: Indicates that a percentage less than 100% of messages that do not pass DMARC will be delivered anyway. This means that the message failed DMARC and the policy was set to reject, but the pct field was not set to 100% and the system randomly determined not to apply the DMARC action, as per the specified domain's policy.</li><li>**permerror**: A permanent error occurred during DMARC evaluation, such as encountering an incorrectly formed DMARC TXT record in DNS. Attempting to resend this message isn't likely to end with a different result. Instead, you may need to contact the domain's owner in order to resolve the issue.</li><li>**temperror**: A temporary error occurred during DMARC evaluation. You may be able to request that the sender resend the message later in order to process the email properly.</li></ul>| |`compauth`|Composite authentication result. 
Used by Microsoft 365 to combine multiple types of authentication such as SPF, DKIM, DMARC, or any other part of the message to determine whether or not the message is authenticated. Uses the From: domain as the basis of evaluation.| |`dkim`|Describes the results of the DKIM check for the message. Possible values include: <ul><li>**pass**: Indicates the DKIM check for the message passed.</li><li>**fail (reason)**: Indicates the DKIM check for the message failed and why. For example, if the message was not signed or the signature was not verified.</li><li>**none**: Indicates that the message was not signed. This may or may not indicate that the domain has a DKIM record or the DKIM record does not evaluate to a result, only that this message was not signed.</li></ul>|
-|`dmarc`|Describes the results of the DMARC check for the message. Possible values include: <ul><li>**pass**: Indicates the DMARC check for the message passed.</li><li>**fail**: Indicates the DMARC check for the message failed.</li><li>**bestguesspass**: Indicates that no DMARC TXT record for the domain exists, but if one had existed, the DMARC check for the message would have passed. This is because the domain in the `5321.MailFrom` address (also known as the MAIL FROM address, P1 sender, or envelope sender) matches the domain in the `5322.From` address (also known as the From address or P2 sender).</li><li>**none**: Indicates that no DMARC TXT record exists for the sending domain in DNS.|
+|`dmarc`|Describes the results of the DMARC check for the message. Possible values include: <ul><li>**pass**: Indicates the DMARC check for the message passed.</li><li>**fail**: Indicates the DMARC check for the message failed.</li><li>**bestguesspass**: Indicates that no DMARC TXT record for the domain exists, but if one had existed, the DMARC check for the message would have passed.</li><li>**none**: Indicates that no DMARC TXT record exists for the sending domain in DNS.|
|`header.d`|Domain identified in the DKIM signature if any. This is the domain that's queried for the public key.| |`header.from`|The domain of the `5322.From` address in the email message header (also known as the From address or P2 sender). Recipient see the From address in email clients.| |`reason`|The reason the composite authentication passed or failed. The value is a 3-digit code. For example: <ul><li>**000**: The message failed explicit authentication (`compauth=fail`). For example, the message received a DMARC fail with an action of quarantine or reject.</li><li>**001**: The message failed implicit authentication (`compauth=fail`). This means that the sending domain did not have email authentication records published, or if they did, they had a weaker failure policy (SPF soft fail or neutral, DMARC policy of `p=none`).</li><li>**002**: The organization has a policy for the sender/domain pair that is explicitly prohibited from sending spoofed email. This setting is manually set by an admin.</li><li>**010**: The message failed DMARC with an action of reject or quarantine, and the sending domain is one of your organization's accepted-domains (this is part of self-to-self, or intra-org, spoofing).</li><li>**1xx** or **7xx**: The message passed authentication (`compauth=pass`). The last two digits are internal codes used by Microsoft 365.</li><li>**2xx**: The message soft-passed implicit authentication (`compauth=softpass`). The last two digits are internal codes used by Microsoft 365.</li><li>**3xx**: The message was not checked for composite authentication (`compauth=none`).</li><li>**4xx** or **9xx**: The message bypassed composite authentication (`compauth=none`). The last two digits are internal codes used by Microsoft 365.</li><li>**6xx**: The message failed implicit email authentication, and the sending domain is one of your organization's accepted domains (this is part of self-to-self or intra-org spoofing).</li></ul>|
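Review bot: the `dmarc` row's **bestguesspass** entry loses the sentence explaining what the check compares (the `5321.MailFrom` domain against the `5322.From` domain), so a reader can no longer tell which condition yields `bestguesspass` rather than `none`. If the explanation was cut because it is inaccurate, replace it with the correct condition instead of removing it; if it was cut for length, keep at least a clause stating that the MAIL FROM and From domains align. Separately, both the old and new versions of this row end `...in DNS.|` without the `</li></ul>` that closes the list opened by `<ul><li>**pass**`; the `dkim` row above does close its list, and an unclosed `<ul>` inside a table cell can swallow the rest of the row when rendered, so close it while the line is being edited.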
security Configure Advanced Delivery https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/configure-advanced-delivery.md
You use the _advanced delivery policy_ in Microsoft 365 to prevent these message
- Filters in EOP and Microsoft Defender for Office 365 take no action on these messages.<sup>\*</sup> - [Zero-hour Purge (ZAP)](zero-hour-auto-purge.md) for spam and phishing take no action on these messages.<sup>\*</sup>-- [Default system alerts](alerts.md) aren't triggered for these scenarios.
+- [Default system alerts](/microsoft-365/compliance/alert-policies#default-alert-policies) aren't triggered for these scenarios.
- [AIR and clustering in Defender for Office 365](office-365-air.md) ignores these messages. - Specifically for third-party phishing simulations:
- - [Admin submissions](admin-submission.md) generates an automatic response saying that the message is part of a phishing simulation campaign and isn't a real threat. Alerts and AIR will not be triggered.
+ - [Admin submissions](admin-submission.md) generates an automatic response saying that the message is part of a phishing simulation campaign and isn't a real threat. Alerts and AIR will not be triggered. The admin submissions experience will show these messages as a simulated threat.
+ - When a user reports a phishing simulation message using the [Report Phishing add-in for Outlook](enable-the-report-message-add-in.md), the system will not generate an alert, investigation, or incident. The message will also show up on the User reported messages tab of the submissions page.
- [Safe Links in Defender for Office 365](safe-links.md) doesn't block or detonate the specifically identified URLs in these messages. - [Safe Attachments in Defender for Office 365](safe-attachments.md) doesn't detonate attachments in these messages. <sup>\*</sup> You can't bypass malware filtering or ZAP for malware.
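Review bot: in the edited bullet, "Admin submissions generates an automatic response" should be "Admin submissions generate an automatic response" (plural subject), and in the new bullet the link text **Report Phishing add-in for Outlook** points at `enable-the-report-message-add-in.md`; confirm the product name matches the target page so the link text does not promise a different add-in. "User reported messages tab" names a UI element and should be bolded like the other UI labels in this change (**Phishing simulation**, **SecOps mailbox**).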
-Messages that are identified by the advanced delivery policy aren't security threats, so the messages are marked as system overrides. Admins can filter and analyze these system overrides in the following experiences:
+Messages that are identified by the advanced delivery policy aren't security threats, so the messages are marked with system overrides. Admin experiences will show these messages as due to either a **Phishing simulation** system override or a **SecOps mailbox** system override. Admins can filter and analyze on these system overrides in the following experiences:
-- [Threat Explorer/Real-time detections in Defender for Office 365 plan 2](threat-explorer.md)-- The [Email entity Page in Threat Explorer/Real-time detections](mdo-email-entity-page.md)-- The [Threat protection status report](view-email-security-reports.md#threat-protection-status-report)-- [Advanced hunting in Microsoft Defender for Endpoint](../defender-endpoint/advanced-hunting-overview.md)-- [Campaign Views](campaigns.md)
+- [Threat Explorer/Real-time detections in Defender for Office 365 plan 2](threat-explorer.md): Admin can filter on **System override source** and select either **Phishing simulation** or **SecOps Mailbox**.
+- The [Email entity Page in Threat Explorer/Real-time detections](mdo-email-entity-page.md): Admin can view a message that was allowed by organization policy by either **SecOps mailbox** or **Phishing simulation** under **Tenant override** in the **Override(s)** section.
+- The [Threat protection status report](view-email-security-reports.md#threat-protection-status-report): Admin can filter by **view data by System override** in the drop down menu and select to see messages allowed due to a phishing simulation system override. To see messages allowed by the SecOps mailbox override, you can select **chart breakdown by delivery location** in the **chart breakdown by reason** drop down menu.
+- [Advanced hunting in Microsoft Defender for Endpoint](../defender-endpoint/advanced-hunting-overview.md): Phishing simulation and SecOps mailbox system overrides will show as options within OrgLevelPolicy in EmailEvents.
+- [Campaign Views](campaigns.md): Admin can filter on **System override source** and select either **Phishing simulation** or **SecOps Mailbox**.
## What do you need to know before you begin?
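Review bot: the advanced hunting bullet links to `../defender-endpoint/advanced-hunting-overview.md`, but `EmailEvents` and its `OrgLevelPolicy` column belong to Microsoft 365 Defender advanced hunting (the `security/defender/advanced-hunting-overview.md` page updated earlier in this same change set), which is where Defender for Office 365 email data is queried; Defender for Endpoint's own hunting schema has no email table. Point the bullet at the Microsoft 365 Defender page and format the names as code (the `OrgLevelPolicy` column in the `EmailEvents` table). Also, "drop down" should be "drop-down" in the Threat protection status report bullet, and "filter and analyze on these system overrides" reads better as "filter and analyze these system overrides".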
The SecOps mailbox entries that you configured are displayed on the **SecOps mai
- Click ![Edit icon](../../media/m365-cc-sc-edit-icon.png) **Edit**. - If there are no configured phishing simulations, click **Add**.
-3. On the **Edit third-party phishing simulation** flyout that opens, configure the following settings:
+3. On the **Edit third-party phishing simulation** flyout that opens, configure the following settings:
- **Sending domain**: Expand this setting and enter at least one email address domain (for example, contoso.com) by clicking in the box, entering a value, and then pressing Enter or selecting the value that's displayed below the box. Repeat this step as many times as necessary. You can add up to 10 entries.
- - **Sending IP**: Expand this setting and enter at least one valid IPv4 address is required by clicking in the box, entering a value, and then pressing Enter or selecting the value that's displayed below the box. Repeat this step as many times as necessary. You can add up to 10 entries. Valid values are:
+ - **Sending IP**: Expand this setting and enter at least one valid IPv4 address by clicking in the box, entering a value, and then pressing Enter or selecting the value that's displayed below the box. Repeat this step as many times as necessary. You can add up to 10 entries. Valid values are:
- Single IP: For example, 192.168.1.1. - IP range: For example, 192.168.0.1-192.168.0.254. - CIDR IP: For example, 192.168.0.1/25. - **Simulation URLs to allow**: Expand this setting and optionally enter specific URLs that are part of your phishing simulation campaign that should not be blocked or detonated by clicking in the box, entering a value, and then pressing Enter or selecting the value that's displayed below the box. You can add up to 10 entries. For the URL syntax format, see [URL syntax for the Tenant Allow/Block List](/microsoft-365/security/office-365-security/tenant-allow-block-list#url-syntax-for-the-tenant-allowblock-list). To remove an existing value, click remove ![Remove icon](../../media/m365-cc-sc-remove-selection-icon.png) next to the value.
+
+ > [!NOTE]
+ > You must specify at least one **Sending domain** and at least one **Sending IP** to configure a third-party phishing simulation in Advanced Delivery. You may optionally include **Simulation URLs to allow** to ensure URLs present in simulation messages are not blocked. You may specify up to 10 entries for each field. There must be a match on at least one **Sending domain** and one **Sending IP** but no association between values is maintained.
4. When you're finished, do one of the following steps: - **First time**: Click **Add**, and then click **Close**.
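Review bot: the new NOTE's last sentence, "There must be a match on at least one **Sending domain** and one **Sending IP** but no association between values is maintained", carries the key semantic point of this hunk but is easy to misread; state the matching rule directly, for example: a message is treated as a simulation when its sender domain matches any **Sending domain** entry and its source IP matches any **Sending IP** entry, and domain and IP entries are not paired with each other. The NOTE also capitalises "Advanced Delivery" where the rest of the article writes "advanced delivery policy", and it restates the 10-entry limit already given in each bullet, which can be dropped from the note. The fix to the Sending IP bullet (removing the stray "is required") is correct.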