diff --git a/defender-endpoint/defender-endpoint-false-positives-negatives.md b/defender-endpoint/defender-endpoint-false-positives-negatives.md index bf5636143f..129acde1c8 100644 --- a/defender-endpoint/defender-endpoint-false-positives-negatives.md +++ b/defender-endpoint/defender-endpoint-false-positives-negatives.md @@ -6,7 +6,7 @@ ms.subservice: ngp ms.author: ewalsh author: emmwalshh ms.localizationpriority: medium -ms.date: 11/12/2024 +ms.date: 01/30/2025 manager: deniseb audience: ITPro ms.collection: diff --git a/defender-endpoint/evaluate-microsoft-defender-antivirus.md b/defender-endpoint/evaluate-microsoft-defender-antivirus.md index 57e9a839a5..f6d9dc97a3 100644 --- a/defender-endpoint/evaluate-microsoft-defender-antivirus.md +++ b/defender-endpoint/evaluate-microsoft-defender-antivirus.md @@ -9,7 +9,7 @@ ms.author: ewalsh ms.reviewer: yongrhee manager: deniseb ms.custom: nextgen -ms.date: 10/18/2018 +ms.date: 01/28/2025 ms.subservice: ngp ms.collection: - m365-security 
@@ -39,12 +39,12 @@ You can choose to configure and evaluate each setting independently, or all at o The guide is available: -- [Evaluate Microsoft Defender Antivirus using PowerShell](microsoft-defender-antivirus-using-powershell.md) -- in PDF format for offline viewing: [Download the guide in PDF format](https://www.microsoft.com/download/details.aspx?id=54795). +- [Evaluate Microsoft Defender Antivirus using PowerShell](microsoft-defender-antivirus-using-powershell.md). +- In PDF format for offline viewing: [Download the guide in PDF format](https://www.microsoft.com/download/details.aspx?id=54795). You can also download a PowerShell that will enable all the settings described in the guide automatically. You can obtain the script alongside the PDF download above, or individually from PowerShell Gallery: -- [Download the PowerShell script to automatically configure the settings](https://www.powershellgallery.com/packages/WindowsDefender_InternalEvaluationSettings) +- [Download the PowerShell script to automatically configure the settings](https://aka.ms/wdeppscript). > [!IMPORTANT] > The guide is currently intended for single-machine evaluation of Microsoft Defender Antivirus. Enabling all of the settings in this guide may not be suitable for real-world deployment. 
@@ -62,9 +62,22 @@ You can also download a PowerShell that will enable all the settings described i > - [Configure Defender for Endpoint on Android features](android-configure.md) > - [Configure Microsoft Defender for Endpoint on iOS features](ios-configure-features.md) -## Related topics +## Related articles + +- Evaluate Microsoft Defender Antivirus using [Microsoft Defender Endpoint Security Settings Management (Endpoint security policies) ](/defender-endpoint/evaluate-mda-using-mde-security-settings-management) + +- Evaluate Microsoft Defender Antivirus using [Group Policy](/defender-endpoint/evaluate-mdav-using-gp) + +- Evaluate Microsoft Defender Antivirus using [Powershell](/defender-endpoint/microsoft-defender-antivirus-using-powershell) + +- [Advanced technologies](/defender-endpoint/adv-tech-of-mdav) at the core of Microsoft Defender Antivirus + +- [Microsoft Defender Antivirus compatibility with other security products](/defender-endpoint/microsoft-defender-antivirus-compatibility) + +- [Microsoft Defender Antivirus and non-Microsoft antivirus solutions without Defender for Endpoint](/defender-endpoint/defender-antivirus-compatibility-without-mde) - [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-windows.md) + - [Deploy Microsoft Defender Antivirus](deploy-manage-report-microsoft-defender-antivirus.md) [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../includes/defender-mde-techcommunity.md)] diff --git a/defender-endpoint/mac-device-control-jamf.md b/defender-endpoint/mac-device-control-jamf.md index 8c5aa2b27e..997408e7ff 100644 --- a/defender-endpoint/mac-device-control-jamf.md +++ b/defender-endpoint/mac-device-control-jamf.md @@ -15,7 +15,7 @@ ms.collection: ms.topic: conceptual ms.subservice: macos search.appverid: met150 -ms.date: 04/30/2024 +ms.date: 01/31/2025 --- # Deploy and manage Device Control using JAMF 
@@ -31,49 +31,65 @@ ms.date: 04/30/2024 > Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink) -Microsoft Defender for Endpoint Device Control feature enables you to audit, allow, or prevent the read, write, or execute access to removable storage, and allows you to manage iOS and Portable device and Bluetooth media with or without exclusions. +Device control in Microsoft Defender for Endpoint on macOS enables you to audit, allow, or prevent the read, write, or execute access to removable storage. Device control also allows you to manage iOS and portable devices and Bluetooth media, with or without exclusions. ## Licensing requirements -Before you get started with Removable Storage Access Control, you must confirm your [Microsoft 365 subscription](https://www.microsoft.com/microsoft-365/compare-microsoft-365-enterprise-plans?rtc=3). To access and use Removable Storage Access Control, you must have Microsoft 365 E3. +Before you begin, confirm your subscription. To access and use device control, your subscription must include Defender for Endpoint Plan 1. For more information, see the following resources: + +- [Microsoft 365 Enterprise plans comparison table](https://go.microsoft.com/fwlink/p/?LinkID=2139145&clcid=0x409&culture=&country=us) +- [Understand subscriptions and licenses in Microsoft 365 for business](/microsoft-365/commerce/licenses/subscriptions-and-licenses) [!INCLUDE [Microsoft Defender for Endpoint third-party tool support](../includes/support.md)] ## Deploy policy by using JAMF -### Step 1: Create policy JSON +### Step 1: Creating a JSON policy + +Device Control on Mac is defined through a JSON policy. This policy should have the appropriate groups, rules, and settings defined to tailor specific customer conditions. 
For example, some enterprise organizations might need to block all removable media devices entirely, while others might have specific exceptions for a vendor or serial number. Microsoft has a [local GitHub repository](https://github.com/microsoft/mdatp-devicecontrol/tree/main/macOS/policy/samples"https://github.com/microsoft/mdatp-devicecontrol/tree/main/macos/policy/samples") that you can use to build your policies. + +For more information about settings, rules, and groups, see [Device Control for macOS](mac-device-control-overview.md). + +### Step 2: Validating a JSON policy -Now, you have 'groups' and 'rules' and 'settings', combine 'settings' and 'groups' and rules into one JSON, here's the demo file: [https://github.com/microsoft/mdatp-devicecontrol/blob/main/macOS/policy/samples/deny_removable_media_except_kingston.json](https://github.com/microsoft/mdatp-devicecontrol/blob/main/macOS/policy/samples/deny_removable_media_except_kingston.json). Make sure to validate your policy with the JSON schema so your policy format is correct: [https://github.com/microsoft/mdatp-devicecontrol/blob/main/macOS/policy/device_control_policy_schema.json](https://github.com/microsoft/mdatp-devicecontrol/blob/main/macOS/policy/device_control_policy_schema.json). +You must validate your JSON policy after it's created to ensure there are no syntax or configuration errors. A schema for device control policies is available in [our GitHub repository](https://github.com/microsoft/mdatp-devicecontrol/blob/main/macOS/policy/device_control_policy_schema.json"https://github.com/microsoft/mdatp-devicecontrol/blob/main/macos/policy/device_control_policy_schema.json"). The Defender for Endpoint application has built-in functionality to compare your JSON to the defined schema.  -See [Device Control for macOS](mac-device-control-overview.md) for information about settings, rules, and groups. +1. Save your configuration on a local device as a `.json` file. 
-### Step 2: Update MDE Preferences Schema +2. Ensure you have access to `mdatp` commands. If your device is already onboarded, then you should have this functionality. -The [MDE Preferences schema](https://github.com/microsoft/mdatp-xplat/blob/master/macos/schema/schema.json) is updated to include the new `deviceControl/policy` key. The existing MDE Preferences configuration profile should be updated to use the new schema file's content. +3. Run `mdatp device-control policy validate --path `. + +### Step 3: Update your Defender for Endpoint preferences Schema + +The [Defender for Endpoint preferences schema](https://github.com/microsoft/mdatp-xplat/blob/master/macos/schema/schema.json) includes the new `deviceControl/policy` key. The existing Defender for Endpoint preferences configuration profile should be updated to use the new schema file's content. :::image type="content" source="media/macos-device-control-jamf-mde-preferences-schema.png" alt-text="Shows where to edit the Microsoft Defender for Endpoint Preferences Schema to update." lightbox="media/macos-device-control-jamf-mde-preferences-schema.png"::: -### Step 3: Add Device Control Policy to MDE Preferences +### Step 4: Add the device control policy to Defender for Endpoint preferences -A new 'Device Control' property is now available to add to the UX. +A new device control property is now available to add to the user experience. -1. Select the topmost **Add/Remove properties** button, then select **Device Control** and press **Apply**. +1. In your Jamf console, select **Add/Remove properties**, select **Device Control**, and then select **Apply**. 
-:::image type="content" source="media/macos-device-control-jamf-device-control-property.png" alt-text="Shows how to add Device Control in Microsoft Defender for Endpoint" lightbox="media/macos-device-control-jamf-device-control-property.png"::: + :::image type="content" source="media/macos-device-control-jamf-device-control-property.png" alt-text="Shows how to add Device Control in Microsoft Defender for Endpoint" lightbox="media/macos-device-control-jamf-device-control-property.png"::: -2. Next, scroll down until you see the **Device Control** property (it's the bottommost entry), and select **Add/Remove properties** directly underneath it. +2. Scroll down until you see the **Device Control** property (it's at the bottom of the list), and then select **Add/Remove properties**. 3. Select **Device Control Policy**, and then select **Apply**. -:::image type="content" source="media/macos-device-control-jamf-device-control-add-remove-property.png" alt-text="Shows how to apply Device Control Policy in Microsoft Defender for Endpoint." lightbox="media/macos-device-control-jamf-device-control-add-remove-property.png"::: + :::image type="content" source="media/macos-device-control-jamf-device-control-add-remove-property.png" alt-text="Shows how to apply Device Control Policy in Microsoft Defender for Endpoint." lightbox="media/macos-device-control-jamf-device-control-add-remove-property.png"::: -4. To finish, copy and paste the Device Control policy JSON into the text box, and save your changes to the configuration profile. +4. Copy and paste your device control policy JSON into the text box. -:::image type="content" source="media/macos-device-control-jamf-device-control-policy-json.png" alt-text="Shows where to add the Device Control policy JSON in Microsoft Defender for Endpoint." 
lightbox="media/macos-device-control-jamf-device-control-policy-json.png"::: + :::image type="content" source="media/macos-device-control-jamf-device-control-policy-json.png" alt-text="Shows where to add the Device Control policy JSON in Microsoft Defender for Endpoint." lightbox="media/macos-device-control-jamf-device-control-policy-json.png"::: + +5. Save your changes. ## See also - [Device Control for macOS](mac-device-control-overview.md) - [Deploy and manage Device Control using Intune](mac-device-control-intune.md) - [macOS Device Control frequently asked questions (FAQ)](mac-device-control-faq.md) + [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../includes/defender-mde-techcommunity.md)] diff --git a/defender-endpoint/mac-device-control-overview.md b/defender-endpoint/mac-device-control-overview.md index b06388ed12..445a343b28 100644 --- a/defender-endpoint/mac-device-control-overview.md +++ b/defender-endpoint/mac-device-control-overview.md @@ -15,7 +15,7 @@ ms.collection: ms.topic: conceptual ms.subservice: macos search.appverid: met150 -ms.date: 06/12/2024 +ms.date: 01/31/2025 --- # Device Control for macOS 
@@ -33,33 +33,30 @@ ms.date: 06/12/2024 ## Requirements -Device Control for macOS has the following prerequisites: +Device control for Mac has the following prerequisites: -> [!div class="checklist"] -> -> - Microsoft Defender for Endpoint entitlement (can be trial) -> - Minimum OS version: macOS 11 or higher -> - Minimum product version: 101.34.20 +- Defender for Endpoint or Defender for Business licenses (can be a trial subscription) +- Minimum OS version: macOS 11 or higher +- Minimum product version: `101.34.20` ## Overview -Microsoft Defender for Endpoint Device Control feature enables you to: +Device control in Defender for Endpoint on macOS enables you to: - Audit, allow, or prevent the read, write, or execute access to removable storage; and - Manage iOS and Portable devices, and Apple APFS encrypted devices and Bluetooth media, with or without exclusions. ## Prepare your endpoints -- Microsoft Defender for Endpoint entitlement (can be trial) -- Minimum OS version: macOS 11 or higher - Deploy Full Disk Access: you might have created and deployed this [https://github.com/microsoft/mdatp-xplat/blob/master/macos/mobileconfig/profiles/fulldisk.mobileconfig](https://github.com/microsoft/mdatp-xplat/blob/master/macos/mobileconfig/profiles/fulldisk.mobileconfig) for other MDE features. You need to grant Full Disk Access permission for a new application: `com.microsoft.dlp.daemon`. -- Enable Device Control on the MDE Preference setting: - - Data Loss Prevention (DLP)/Features/ +- Enable Device Control on your Defender for Endpoint preferences: + + - Data Loss Prevention (DLP)/Features - - For **Feature Name**, enter "DC_in_dlp" + - For **Feature Name**, type `DC_in_dlp` - - For **State**, enter "enabled" + - For **State**, specify `enabled` Example 1: JAMF using [schema.json](https://github.com/microsoft/mdatp-xplat/tree/master/macos/schema). 
@@ -72,19 +69,20 @@ Example 2: [demo.mobileconfig](https://github.com/microsoft/mdatp-devicecontrol/ features - - name - DC_in_dlp - state - enabled - + + name + DC_in_dlp + state + enabled + ``` - Minimum product version: 101.91.92 or higher -- Run _mdatp version_ through Terminal to see the product version on your client machine: + +- Run `mdatp version` through Terminal to see the product version on your client machine: :::image type="content" source="media/macos-device-control-mdatp-version-terminal.png " alt-text="Screenshot that shows the results when you run mdatp version in Terminal to see the product version on a client machine." lightbox="media/macos-device-control-mdatp-version-terminal.png "::: 
@@ -92,16 +90,16 @@ Example 2: [demo.mobileconfig](https://github.com/microsoft/mdatp-devicecontrol/ Policies determine the behavior of device control for macOS. The policy is targeted via Intune or JAMF to a collection of machines or users. -The Device Control for macOS policy includes settings, groups, and rules: +The device control for macOS policy includes settings, groups, and rules: - Global setting called 'settings' allows you to define the global environment. -- Group called 'groups' allows you to create media groups. For example, authorized USB group or encrypted USB group. +- Group called `groups` allows you to create media groups. For example, authorized USB group or encrypted USB group. - Access policy rule called 'rules' allows you to create policy to restrict each group. For example, only allow authorized user to Write access-authorized USB group. > [!NOTE] -> We recommend you use the examples on the GitHub to understand the properties: [mdatp-devicecontrol/Removable Storage Access Control Samples/macOS/policy at main - microsoft/mdatp-devicecontrol (github.com)](https://github.com/microsoft/mdatp-devicecontrol/tree/main/Removable%20Storage%20Access%20Control%20Samples/macOS/policy). +> We recommend you use the examples on the GitHub to understand the properties: [mdatp-devicecontrol/Removable Storage Access Control Samples/macOS/policy at main - microsoft/mdatp-devicecontrol (github.com)](https://github.com/microsoft/mdatp-devicecontrol/tree/main/macOS/policy/samples). > > You can also use the scripts at [mdatp-devicecontrol/tree/main/python#readme at main - microsoft/mdatp-devicecontrol (github.com)](https://github.com/microsoft/mdatp-devicecontrol/tree/main/python#readme) to translate Windows Device Control policy to macOS Device Control policy or translate macOS Device Control V1 policy to this V2 policy. 
@@ -112,9 +110,10 @@ The Device Control for macOS policy includes settings, groups, and rules: Device control for macOS has similar capabilities to Device control for Windows, but macOS and Windows provide different underlying capabilities to manage devices, so there are some important differences: -- macOS doesn't have a centralized Device Manager or view of devices. Access is granted/denied to applications that interact with devices. This is why on macOS there are a richer set of [access types](#access-types). For example of a ```portableDevice``` device control for macOS can deny or allow ```download_photos_from_device```. -- To stay consistent with Windows, there are ```generic_read```,```generic_write``` ,and ```generic_execute``` access types. Policies with generic access types don't need to be changed if/when more specific access types are added in the future. The best practice is to use generic access types unless there's a specific need to deny/allow a more specific operation. -- Creating a ```deny``` policy using generic access types is the best way to attempt to completely block all operations for that type of device (for example, Android phones), but there might still be gaps if the operation is performed using an application that isn't supported by macOS device control. +- macOS doesn't have a centralized Device Manager or view of devices. Access is granted/denied to applications that interact with devices. This is why on macOS there are a richer set of [access types](#access-types). For example, a `portableDevice` policy can deny or allow `download_photos_from_device`. + +- To stay consistent with Windows, there are `generic_read`,`generic_write` , and `generic_execute` access types. Policies with generic access types don't need to be changed if/when more specific access types are added in the future. The best practice is to use generic access types unless there's a specific need to deny/allow a more specific operation. 
+- Creating a `deny` policy using generic access types is the best way to attempt to completely block all operations for that type of device (for example, Android phones), but there might still be gaps if the operation is performed using an application that isn't supported by macOS device control. ### Settings @@ -123,7 +122,7 @@ Here are the properties you can use when you create the groups, rules, and setti | Property name | Description | Options | |:---|:---|:---| -| features | Feature specific configurations | You can set `disable` to false or true for following features:
- `removableMedia`
- `appleDevice`
- `portableDevice`, including camera or PTP media
- `bluetoothDevice`

The default is `true`, so if you don't configure this value, it won't apply even if you create a custom policy for `removableMedia`, because it's disabled by default. | +| features | Feature specific configurations | You can set `disable` to false or true for following features:
- `removableMedia`
- `appleDevice`
- `portableDevice`, including camera or PTP media
- `bluetoothDevice`

The default is `true`, so if you don't configure this value, it doesn't apply, even if you create a custom policy for `removableMedia`, because it's disabled by default. | | global | Set default enforcement | You can set `defaultEnforcement` to
- `allow` (_default_)
- `deny` | | ux | You can set a hyperlink on notification. | `navigationTarget: string`. Example: `"http://www.microsoft.com"` | @@ -132,9 +131,9 @@ Here are the properties you can use when you create the groups, rules, and setti | Property name | Description | Options | |:---|:---|:---| | `$type` | The kind of group | "device" | -| `id` | GUID, a unique ID, represents the group and will be used in the policy. | You can generate the ID through [New-Guid (Microsoft.PowerShell.Utility) - PowerShell](/powershell/module/microsoft.powershell.utility/new-guid?view=powershell-7.2&preserve-view=true) or the uuidgen command on macOS | +| `id` | GUID, a unique ID, represents the group and is used in the policy. | You can generate the ID through [New-Guid (Microsoft.PowerShell.Utility) - PowerShell](/powershell/module/microsoft.powershell.utility/new-guid?view=powershell-7.2&preserve-view=true) or the uuidgen command on macOS | | `name` | Friendly name for the group. | string | -| `query` | The media coverage under this group | See the **query** properties tables below for details. | +| `query` | The media coverage under this group | See the **query** property tables for details. | ### Query @@ -145,7 +144,7 @@ Query type 1 is as follows: | Property name | Description | Options | |:---|:---|:---| | `$type` | Identify the logical operation to perform on the clauses | **all**: Any attributes under the **clauses** are an _And_ relationship. For example, if the administrator puts `vendorId` and `serialNumber`, for every connected USB, the system checks to see whether the USB meets both values.
**and**: is equivalent to _all_
**any:** The attributes under the **clauses** are _Or_ relationship. For example, if administrator puts `vendorId` and `serialNumber`, for every connected USB, system does the enforcement as long as the USB has either an identical `vendorId` or `serialNumber` value.
**or**: is equivalent to _any_ | -| `clauses` | Use media device property to set group condition. | An array of clause objects that are evaluated to determine group membership. See the [Clause](#clause) section below. | +| `clauses` | Use media device property to set group condition. | An array of clause objects that are evaluated to determine group membership. See the [Clause](#clause) section. | Query type 2 is as follows: @@ -172,15 +171,15 @@ Query type 2 is as follows: | `productId` | Four digit hexadecimal string | Matches a device's product ID | | `serialNumber` | string | Matches a device's serial number. Doesn't match if the device doesn't have a serial number. | | `encryption` | apfs | Match if a device is apfs-encrypted. | -| `groupId` | UUID string | Match if a device is a member of another group. The value represents the UUID of the group to match against.
The group must be defined within the policy prior to the clause. | +| `groupId` | UUID string | Match if a device is a member of another group. The value represents the UUID of the group to match against.
The group must be defined within the policy before the clause. | ### Access policy rule | Property name | Description | Options | |:---|:---|:---| -| `id` | GUID, a unique ID, represents the rule and will be used in the policy. | New-Guid (Microsoft.PowerShell.Utility) - PowerShell
uuidgen | -| `name` | String, the name of the policy and will display on the toast based on the policy setting. | | -| `includeGroups` | The groups that the policy will be applied to. If multiple groups are specified, the policy applies to any media in all those groups. If not specified, the rule applies to all devices. | The **id** value inside the group must be used in this instance. If multiple groups are in the `includeGroups`, it's _AND_.
`"includeGroups": ["3f082cd3-f701-4c21-9a6a-ed115c28e217"]` | +| `id` | GUID, a unique ID, represents the rule and is used in the policy. | New-Guid (Microsoft.PowerShell.Utility) - PowerShell
uuidgen | +| `name` | String, the name of the policy. Displays in the toast notification based on the policy setting. | | +| `includeGroups` | The groups that the policy is applied to. If multiple groups are specified, the policy applies to any media in all those groups. If not specified, the rule applies to all devices. | The **id** value inside the group must be used in this instance. If multiple groups are in the `includeGroups`, it's _AND_.
`"includeGroups": ["3f082cd3-f701-4c21-9a6a-ed115c28e217"]` | | `excludeGroups` | The groups that the policy doesn't apply to. | The **id** value inside the group must be used in this instance. If multiple groups are in the excludeGroups, it's _OR_. | | `entries` | One rule can have multiple entries; each entry with a unique GUID tells Device Control one restriction.| See entry properties table later in this article to get the details. | @@ -259,7 +258,7 @@ v2_full_disk_access : "approved" - `active` - feature version, you should see ["v2"]. (Device Control is enabled, but not configured.) - [] - Device Control isn't configured on this machine. - ["v1"] - You are on a preview version of Device Control. Migrate to version 2 using this guide. v1 is considered obsolete and not described in this documentation. - - ["v1,""v2"] - You have both v1 and v2 enabled. Offboard from v1. + - ["v1", "v2"] - You have both v1 and v2 enabled. Offboard from v1. - `v1_configured` - v1 configuration is applied - `v1_enforcement_level` - when v1 is enabled - `v2_configured` - v2 configuration is applied @@ -284,27 +283,27 @@ In this scenario, you need to create two groups: one group for any removable med ```json "settings": { - "features": { + "features": { - "removableMedia": { + "removableMedia": { - "disable": false + "disable": false - } + } - }, + }, - "global": { + "global": { - "defaultEnforcement": "allow" + "defaultEnforcement": "allow" - }, + }, - "ux": { + "ux": { - "navigationTarget": "http://www.deskhelp.com" + "navigationTarget": "http://www.deskhelp.com" - } + } } ``` 
@@ -384,85 +383,85 @@ Create access policy rule and put into `rules`: ```json "rules": [ - { + { - "id": "772cef80-229f-48b4-bd17-a69130092981", + "id": "772cef80-229f-48b4-bd17-a69130092981", - "name": "Deny RWX to all Removable Media Devices except Kingston", + "name": "Deny RWX to all Removable Media Devices except Kingston", - "includeGroups": [ + "includeGroups": [ - "3f082cd3-f701-4c21-9a6a-ed115c28e211" + "3f082cd3-f701-4c21-9a6a-ed115c28e211" - ], + ], - "excludeGroups": [ + "excludeGroups": [ - "3f082cd3-f701-4c21-9a6a-ed115c28e212" + "3f082cd3-f701-4c21-9a6a-ed115c28e212" - ], + ], - "entries": [ + "entries": [ - { + { - "$type": "removableMedia", + "$type": "removableMedia", - "id": "A7CEE2F8-CE34-4B34-9CFE-4133F0361035", + "id": "A7CEE2F8-CE34-4B34-9CFE-4133F0361035", - "enforcement": { + "enforcement": { - "$type": "deny" + "$type": "deny" - }, + }, - "access": [ + "access": [ - "read", + "read", - "write", + "write", - "execute" + "execute" - ] + ] - }, + }, - { + { - "$type": "removableMedia", + "$type": "removableMedia", - "id": "18BA3DD5-4C9A-458B-A756-F1499FE94FB4", + "id": "18BA3DD5-4C9A-458B-A756-F1499FE94FB4", - "enforcement": { + "enforcement": { - "$type": "auditDeny", + "$type": "auditDeny", - "options": [ + "options": [ - "send_event", + "send_event", - "show_notification" + "show_notification" - ] + ] - }, + }, - "access": [ + "access": [ - "read", + "read", - "write", + "write", - "execute" + "execute" - ] + ] - } + } - ] + ] - } + } ] ``` @@ -486,4 +485,5 @@ In this case, only have one access rule policy, but if you have multiple, make s - [Deploy Device Control by using JAMF](mac-device-control-jamf.md) - [Deploy Device Control manually](mac-device-control-manual.md) - [macOS Device Control frequently asked questions (FAQ)](mac-device-control-faq.md) + [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../includes/defender-mde-techcommunity.md)] 
diff --git a/defender-endpoint/mac-preferences.md b/defender-endpoint/mac-preferences.md index 359afed0b2..ca3aae18dd 100644 --- a/defender-endpoint/mac-preferences.md +++ b/defender-endpoint/mac-preferences.md @@ -15,7 +15,7 @@ ms.collection: ms.topic: how-to ms.subservice: macos search.appverid: met150 -ms.date: 11/11/2024 +ms.date: 01/31/2025 --- # Set preferences for Microsoft Defender for Endpoint on macOS @@ -416,6 +416,16 @@ Determines whether security intelligence updates are installed automatically: |**Data type**|Boolean| |**Possible values**|true (default)

false| +#### Duration for security intelligence updates due (in days) + +Determines the number of days after which the last installed security intelligence updates are considered outdated. + +|Section|Value| +|---|---| +|**Key**|definitionUpdateDue| +|**Data type**|Integer| +|**Possible values**|7 (default). Allowed values are integers between 1 and 30| + ### User interface preferences Manage the preferences for the user interface of Microsoft Defender for Endpoint on macOS. @@ -742,6 +752,8 @@ The following configuration profile (or, in case of JAMF, a property list that c automaticDefinitionUpdateEnabled + definitionUpdateDue + 7 tamperProtection @@ -855,6 +867,8 @@ The following templates contain entries for all settings described in this docum cloudBlockLevel normal + definitionUpdateDue + 7 edr @@ -1043,6 +1057,8 @@ The following templates contain entries for all settings described in this docum cloudBlockLevel normal + definitionUpdateDue + 7 edr diff --git a/defender-endpoint/microsoft-defender-antivirus-compatibility.md b/defender-endpoint/microsoft-defender-antivirus-compatibility.md index 5bfba51394..bdd9dd9547 100644 --- a/defender-endpoint/microsoft-defender-antivirus-compatibility.md +++ b/defender-endpoint/microsoft-defender-antivirus-compatibility.md @@ -4,7 +4,7 @@ description: Learn about Microsoft Defender Antivirus with other security produc ms.service: defender-endpoint ms.subservice: ngp ms.localizationpriority: medium -ms.date: 01/23/2025 +ms.date: 01/30/2025 ms.topic: conceptual author: emmwalshh ms.author: ewalsh 
@@ -199,10 +199,9 @@ Defender for Endpoint affects whether Microsoft Defender Antivirus can run in pa > [!IMPORTANT] > - [Endpoint data loss prevention](/microsoft-365/compliance/endpoint-dlp-learn-about) protection continues to operate normally when Microsoft Defender Antivirus is in either active or passive mode. -> -> - Don't disable, stop, or modify any of the associated services that are used by Microsoft Defender Antivirus, Defender for Endpoint, or the Windows Security app. This recommendation includes the `wscsvc`, `SecurityHealthService`, `MsSense`, `Sense`, `WinDefend`, or `MsMpEng` services and processes. Manually modifying these services can cause severe instability on your devices and can make your network vulnerable. Disabling, stopping, or modifying those services can also cause problems when using non-Microsoft antivirus solutions and how their information is displayed in the [Windows Security app](microsoft-defender-security-center-antivirus.md). -> +> - Don't disable, stop, or modify any of the associated services that are used by Microsoft Defender Antivirus, Defender for Endpoint, or the Windows Security app. This recommendation includes the `wscsvc`, `SecurityHealthService`, `MsSense`, `Sense`, `WinDefend`, or `MsMpEng` services and processes. Manually modifying these services can cause severe instability on your devices and can make your network vulnerable. Disabling, stopping, or modifying those services can also cause problems when using non-Microsoft antivirus solutions and how their information is displayed in the [Windows Security app](microsoft-defender-security-center-antivirus.md). > - In Defender for Endpoint, you can turn EDR in block mode on, even if Microsoft Defender Antivirus isn't your primary antivirus solution. EDR in block mode detects and remediate malicious items that are found on the device (post breach). To learn more, see [EDR in block mode](edr-in-block-mode.md). 
+> - In Defender for Endpoint, EDR response actions always operate in passive mode, even if EDR is not in block mode. ## How to confirm the state of Microsoft Defender Antivirus 
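Review bot: The new bullet reverses the sentence it replaces in the next hunk: the removed text reads "even if EDR is in block mode", the added text "even if EDR is not in block mode", and neither says whose passive mode is meant (EDR has no passive mode; Microsoft Defender Antivirus does). Pick the intended reading and name the subject, for example: "EDR response actions still work when Microsoft Defender Antivirus is in passive mode, whether or not EDR in block mode is turned on." While in this block, the unchanged context line above has "detects and remediate malicious items", which should be "detects and remediates". Dropping the empty `>` separators between the bullets is fine; they only rendered as extra blank lines inside the alert.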
@@ -215,12 +214,11 @@ You can use one of several methods to confirm the state of Microsoft Defender An > [!IMPORTANT] > Beginning with [platform version 4.18.2208.0 and later](microsoft-defender-antivirus-updates.md#platform-and-engine-releases): If a server has been onboarded to Microsoft Defender for Endpoint, the "Turn off Windows Defender" [group policy](configure-endpoints-gp.md#update-endpoint-protection-configuration) setting no longer completely disables Windows Defender Antivirus on Windows Server 2012 R2 and later. Instead, it places Microsoft Defender Antivirus into passive mode. In addition, the [tamper protection](prevent-changes-to-security-settings-with-tamper-protection.md) allows a switch to active mode, but not to passive mode. -> > - If "Turn off Windows Defender" is already in place before onboarding to Microsoft Defender for Endpoint, Microsoft Defender Antivirus remains disabled. > - To switch Microsoft Defender Antivirus to passive mode, even if it was disabled before onboarding, you can apply the [ForceDefenderPassiveMode configuration](switch-to-mde-phase-2.md#set-microsoft-defender-antivirus-to-passive-mode-on-windows-server) with a value of `1`. To place it into active mode, switch this value to `0` instead. -> -> Note the modified logic for `ForceDefenderPassiveMode` when tamper protection is enabled: Once Microsoft Defender Antivirus is toggled to active mode, tamper protection prevents it from going back into passive mode even when `ForceDefenderPassiveMode` is set to `1`. ->Microsoft Defender for Endpoint – EDR response actions always operate in Passive mode, even if EDR is in block mode. + +> [!Note] +> The modified logic for `ForceDefenderPassiveMode` when tamper protection is enabled: Once Microsoft Defender Antivirus is toggled to active mode, tamper protection prevents it from going back into passive mode even when `ForceDefenderPassiveMode` is set to `1`. ### Use the Windows Security app to identify your antivirus app 
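Review bot: The alert identifier should be `> [!NOTE]` rather than `> [!Note]`, matching the uppercase form used elsewhere in this PR (for example in the spoof intelligence file below). The sentence it introduces is also a fragment ("The modified logic for `ForceDefenderPassiveMode` when tamper protection is enabled: Once ..."); rewrite it as a statement, for example: "When tamper protection is enabled, the logic for `ForceDefenderPassiveMode` changes: once Microsoft Defender Antivirus is switched to active mode, tamper protection prevents it from going back to passive mode even when `ForceDefenderPassiveMode` is set to `1`." Splitting this out of the IMPORTANT block is the right call, since it qualifies the bullet above it rather than restating the onboarding behaviour. One more nit in the unchanged context: the same paragraph uses both "Windows Defender Antivirus" and "Microsoft Defender Antivirus" for the product; the current name should be used throughout.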
diff --git a/defender-office-365/anti-spoofing-spoof-intelligence.md b/defender-office-365/anti-spoofing-spoof-intelligence.md index 0bf5696a96..f2669c5b88 100644 --- a/defender-office-365/anti-spoofing-spoof-intelligence.md +++ b/defender-office-365/anti-spoofing-spoof-intelligence.md @@ -19,7 +19,7 @@ ms.custom: - seo-marvel-apr2020 description: Admins can learn about the spoof intelligence insight in Exchange Online Protection (EOP). ms.service: defender-office-365 -ms.date: 11/02/2023 +ms.date: 01/31/2025 appliesto: - ✅ Exchange Online Protection - ✅ Microsoft Defender for Office 365 Plan 1 and Plan 2 
@@ -54,11 +54,11 @@ The rest of this article explains how to use the spoof intelligence insight in t > [!NOTE] > -> - Only spoofed senders that were detected by spoof intelligence appear in the spoof intelligence insight. When you override the allow or block verdict in the insight, the spoofed sender becomes a manual allow or block entry that appears only on the **Spoofed senders** tab on the **Tenant Allow/Block Lists** page at . You can also manually create allow or block entries for spoofed senders before they're detected by spoof intelligence. For more information, see [Spoofed senders in the Tenant Allow/Block List](tenant-allow-block-list-email-spoof-configure.md#spoofed-senders-in-the-tenant-allowblock-list). +> - Only spoofed senders detected by spoof intelligence appear in this insight. Messages from domains that fail DMARC where the DMARC policy is set to `p=reject` or `p=quarantine` don't appear in this insight. Those messages are processed based on the **Honor DMARC record policy when the message is detected as spoof** setting [in anti-phishing policies](anti-phishing-policies-about.md#spoof-protection-and-sender-dmarc-policies). > -> - The **Action** values **Allow** or **Block** in the spoof intelligence insight refer to spoof _detection_ (whether Microsoft 365 identified the message as spoofed or not). The **Action** value doesn't necessarily affect the overall filtering of the message. For example, to avoid false positives, a spoofed message might be delivered if we find that it doesn't have malicious intent. +> - When you override the allow or block verdict in the spoof intelligence insight, the spoofed sender becomes a manual allow or block entry that appears only on the **Spoofed senders** tab on the **Tenant Allow/Block Lists** page at . You can also manually create allow or block entries for spoofed senders before they're detected by spoof intelligence. 
For more information, see [Spoofed senders in the Tenant Allow/Block List](tenant-allow-block-list-email-spoof-configure.md#spoofed-senders-in-the-tenant-allowblock-list). > -> - The spoof intelligence insight and the **Spoofed senders** tab in the Tenant Allow/Block list replace the functionality of the spoof intelligence policy that was available on the anti-spam policy page in the Security & Compliance Center. +> - The **Action** values **Allow** or **Block** in the spoof intelligence insight refer to spoof _detection_ (whether Microsoft 365 identified the message as spoofed or not). The **Action** value doesn't necessarily affect the overall filtering of the message. For example, to avoid false positives, a spoofed message might be delivered if we find that it doesn't have malicious intent. > > - The spoof intelligence insight shows 7 days worth of data. The **Get-SpoofIntelligenceInsight** cmdlet shows 30 days worth of data. @@ -106,7 +106,7 @@ To view information about the spoof intelligence detections, select **View spoof ### View information about spoof detections > [!NOTE] -> Remember, only spoofed senders that were detected by spoof intelligence appear on this page. +> Remember, only spoofed senders detected by spoof intelligence appear in this insight. Messages from domains that fail DMARC where the DMARC policy is set to `p=reject` or `p=quarantine` don't appear in this insight. Those messages are processed based on the **Honor DMARC record policy when the message is detected as spoof** setting [in anti-phishing policies](anti-phishing-policies-about.md#spoof-protection-and-sender-dmarc-policies). The **Spoof intelligence insight** page at is available when you select **View spoofing activity** from the spoof intelligence insight on the **Spoofed senders** tab on the **Tenant Allow/Block Lists** page.
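Review bot: The new first bullet says that messages from domains with `p=reject` or `p=quarantine` that fail DMARC don't appear in the insight, but leaves the reader to infer the remaining cases; state explicitly how a sender whose DMARC policy is `p=none`, or who has no DMARC record at all, is handled, since that is exactly the case an admin is checking when a message is missing from the insight. The bullet removed in this hunk (the insight and the Spoofed senders tab replacing the spoof intelligence policy on the anti-spam policy page in the Security & Compliance Center) was the only pointer for admins migrating from the old location; if it is being dropped as obsolete, say so in the PR description. The same DMARC sentence is then pasted verbatim into the second hunk's note at line 106; consider shortening that copy to a reference back to the first note so the two can't drift apart on the next edit.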