From c810bdba6ffefdbd2da2d2c3614646cb1adf6b4f Mon Sep 17 00:00:00 2001 From: Aruneema Deshmukh <50691481+AruneemaXD@users.noreply.github.com> Date: Thu, 26 Dec 2024 14:03:04 +0530 Subject: [PATCH 01/30] Update indicator-file.md --- defender-endpoint/indicator-file.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/defender-endpoint/indicator-file.md b/defender-endpoint/indicator-file.md index 061568f765..6247507142 100644 --- a/defender-endpoint/indicator-file.md +++ b/defender-endpoint/indicator-file.md @@ -81,7 +81,9 @@ Understand the following prerequisites before you create indicators for files: - Available in Defender for Endpoint version 101.85.27 or later. -- [File hash computation is enabled](/defender-endpoint/linux-preferences#configure-file-hash-computation-feature) from the portal or in the managed JSON +- [File hash computation is enabled](/defender-endpoint/linux-preferences#configure-file-hash-computation-feature) from the portal or in the managed JSON + +- BM is preferred but will work with any other scan (RTP, Custom, etc). ## Create an indicator for files from the settings page From 52a3874974fa7b0a3ef5826c20acbfc54ebb6aa8 Mon Sep 17 00:00:00 2001 From: "Yong Rhee [MSFT]" <56358587+YongRhee-MSFT@users.noreply.github.com> Date: Thu, 26 Dec 2024 14:18:58 -0800 Subject: [PATCH 02/30] Learn Editor: Update deployment-vdi-microsoft-defender-antivirus.md --- ...oyment-vdi-microsoft-defender-antivirus.md | 198 +++++++++++++----- 1 file changed, 142 insertions(+), 56 deletions(-) diff --git a/defender-endpoint/deployment-vdi-microsoft-defender-antivirus.md b/defender-endpoint/deployment-vdi-microsoft-defender-antivirus.md index 848656da72..c1066f713e 100644 --- a/defender-endpoint/deployment-vdi-microsoft-defender-antivirus.md +++ b/defender-endpoint/deployment-vdi-microsoft-defender-antivirus.md 
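Review bot: in the indicator-file.md hunk (PATCH 01/30), the new bullet `- BM is preferred but will work with any other scan (RTP, Custom, etc).` uses the abbreviation "BM" without defining it, while the neighbouring prerequisites spell out their feature names. Write it out (in this document's context it reads as behavior monitoring) and say what is preferred for what, for example "Behavior monitoring is the preferred trigger, but file indicators also take effect during any other scan (real-time protection, custom scans, and so on)." Also "etc)." should be "etc.)."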
@@ -64,7 +64,7 @@ In Windows 10, version 1903, Microsoft introduced the shared security intelligen A field automatically appears. -5. Enter `\\\wdav-update` (for help with this value, see [Download and unpackage](#download-and-unpackage-the-latest-updates)). +1. Enter `\\\wdav-update` (for help with this value, see [Download and unpackage](#download-and-unpackage-the-latest-updates)). 6. Select **OK**, and then deploy the Group Policy Object to the VMs you want to test. @@ -72,7 +72,7 @@ In Windows 10, version 1903, Microsoft introduced the shared security intelligen 1. On each RDS or VDI device, use the following cmdlet to enable the feature: - `Set-MpPreference -SharedSignaturesPath \\\wdav-update` + `Set-MpPreference -SharedSignaturesPath \\\wdav-update` 2. Push the update as you normally would push PowerShell-based configuration policies onto your VMs. (See the [Download and unpackage](#download-and-unpackage-the-latest-updates) section in this article. Look for the *shared location* entry.) @@ -101,9 +101,9 @@ You can also set up your single server or machine to fetch the updates on behalf 1. Create an SMB/CIFS file share. -2. Use the following example to create a file share with the following share permissions. +1. Use the following example to create a file share with the following share permissions. - ```PowerShell + ```PowerShell PS c:\> Get-SmbShareAccess -Name mdatp$ @@ -113,10 +113,10 @@ You can also set up your single server or machine to fetch the updates on behalf ``` - > [!NOTE] + > [!NOTE] > An NTFS permission is added for **Authenticated Users:Read:**. - For this example, the file share is `\\WindowsFileServer.fqdn\mdatp$\wdav-update`. + For this example, the file share is `\\FileServer.fqdn\mdatp$\wdav-update`. ### Set a scheduled task to run the PowerShell script 
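Review bot: the share-permission note in the @@ -113 hunk says an NTFS permission is added for `Authenticated Users:Read:` but never says who may write to `\\FileServer.fqdn\mdatp$\wdav-update`. Every VM loads its security intelligence from this share, so a client with write access could swap in its own update package; add a sentence that the share and NTFS permissions for the VMs are Read only and that write access is limited to the account that runs the scheduled download task. The text also says "create a file share with the following share permissions", but the `Get-SmbShareAccess -Name mdatp$` output it refers to falls outside the changed lines, so confirm it still matches the new server name. Separately, in @@ -64 step `5.` becomes `1.` while the following `6. Select **OK**` keeps its explicit number, so one list now mixes both numbering conventions (same in @@ -101); renumber the whole list one way or the other. The @@ -72 hunk changes `Set-MpPreference -SharedSignaturesPath \\\wdav-update` only in whitespace.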
@@ -158,100 +158,174 @@ If you would prefer to do everything manually, here's what to do to replicate th > [!NOTE] > The VMs will pick up the updated package whenever a new GUID folder is created with an extracted update package or whenever an existing folder is updated with a new extracted package. -## Randomize scheduled scans +## Microsoft Defender Antivirus configuration settings -Scheduled scans run in addition to [real-time protection and scanning](configure-real-time-protection-microsoft-defender-antivirus.md). +It’s important to take advantage of the included threat protection capabilities by enabling them with the following recommended configuration settings.  It’s optimized for VDI environments. -The start time of the scan itself is still based on the scheduled scan policy (**ScheduleDay**, **ScheduleTime**, and **ScheduleQuickScanTime**). Randomization causes Microsoft Defender Antivirus to start a scan on each machine within a four-hour window from the time set for the scheduled scan. +> [!TIP] +> The latest Windows group policy administrative templates are available in [Create and manage Central Store](/troubleshoot/windows-client/group-policy/create-and-manage-central-store). -See [Schedule scans](schedule-antivirus-scans.md) for other configuration options available for scheduled scans. +### Root -## Use quick scans +Configure detection for potentially unwanted applications: Enabled - Block -You can specify the type of scan that should be performed during a scheduled scan. Quick scans are the preferred approach as they're designed to look in all places where malware needs to reside to be active. The following procedure describes how to set up quick scans using Group Policy. +Configure local administrator merge behavior for lists: Disabled -1. In your Group Policy Editor, go to **Administrative templates** \> **Windows components** \> **Microsoft Defender Antivirus** \> **Scan**. 
+Control whether or not exclusions are visible to Local Admins: Enabled -2. Select **Specify the scan type to use for a scheduled scan** and then edit the policy setting. +Turn off routine remediation: Disabled -3. Set the policy to **Enabled**, and then under **Options**, select **Quick scan**. +Randomize scheduled scans: Enabled -4. Select **OK**. -5. Deploy your Group Policy object as you usually do. -## Prevent notifications +### Client Interface -Sometimes, Microsoft Defender Antivirus notifications are sent to or persist across multiple sessions. To help avoid user confusion, you can lock down the Microsoft Defender Antivirus user interface. The following procedure describes how to suppress notifications using Group Policy. +Enable headless UI mode: Enabled -1. In your Group Policy Editor, go to **Windows components** \> **Microsoft Defender Antivirus** \> **Client Interface**. +> [!NOTE] +> This policy hides the entire Microsoft Defender Antivirus user interface from end users in your organization. -2. Select **Suppress all notifications** and then edit the policy settings. +Suppress all notifications: Enabled -3. Set the policy to **Enabled**, and then select **OK**. +> [!NOTE] +> Sometimes, Microsoft Defender Antivirus notifications are sent to or persist across multiple sessions. To help avoid user confusion, you can lock down the Microsoft Defender Antivirus user interface. +> Suppressing notifications prevents notifications from Microsoft Defender Antivirus from showing up when scans are done or remediation actions are taken. However, your security operations team sees the results of a scan if an attack is detected and stopped. Alerts, such as an initial access alert, are generated, and appear in the [Microsoft Defender portal](https://security.microsoft.com). -4. Deploy your Group Policy object as you usually do. 
+### MAPS -Suppressing notifications prevents notifications from Microsoft Defender Antivirus from showing up when scans are done or remediation actions are taken. However, your security operations team sees the results of a scan if an attack is detected and stopped. Alerts, such as an initial access alert, are generated, and appear in the [Microsoft Defender portal](https://security.microsoft.com). +Join Microsoft MAPS (Turn on cloud-delivered protection): Enabled - Advanced MAPS -## Disable scans after an update +Send file samples when further analysis is required: Send all samples (more secure) or Send safe sample (less secure) -Disabling a scan after an update prevents a scan from occurring after receiving an update. You can apply this setting when creating the base image if you have also run a quick scan. This way, you can prevent the newly updated VM from performing a scan again (as you've already scanned it when you created the base image). +### MPEngine -> [!IMPORTANT] -> Running scans after an update helps ensure your VMs are protected with the latest security intelligence updates. Disabling this option reduces the protection level of your VMs and should only be used when first creating or deploying the base image. +Configure extended cloud check: 20 -1. In your Group Policy Editor, go to **Windows components** \> **Microsoft Defender Antivirus** \> **Security Intelligence Updates**. +Select cloud protection level: Enabled - High -2. Select **Turn on scan after security intelligence update** and then edit the policy setting. +Enable file hash computation feature: Enabled -3. Set the policy to **Disabled**. +> [!NOTE] +> "Enable file hash computation feature" is only needed if using Indicators – File hash.  It can cause higher amount of CPU utilization, since it has to parse thru each binary on disk to get the file hash. -4. Select **OK**. +### Real-time Protection -5. Deploy your Group Policy object as you usually do. 
+Configure monitoring for incoming and outgoing file and program activity: Enabled – bi-directional (full on-access) -This policy prevents a scan from running immediately after an update. +Monitor file and program activity on your computer: Enabled -## Disable the `ScanOnlyIfIdle` option +Scan all downloaded files and attachments: Enabled -Use the following cmdlet, to stop a quick or scheduled scan whenever the device goes idle if it is in passive mode. +Turn on behavior monitoring: Enabled -```PowerShell +Turn on process scanning whenever real-time protection is enabled: Enabled + +Turn on raw volume write notifications: Enabled + +### Scans + +Check for the latest virus and spyware security intelligence before running a scheduled scan: Enabled + +Scan archive files: Enabled + +Scan network files: Not configured + +Scan packed executables: Enabled + +Scan removable drives: Enabled + +Turn on catch-up full scan (Disable catch-up full scan): Not configured + +Turn on catch-up quick scan (Disable catchup quick scan): Not configured + +> [!NOTE] +> If you want to harden, you could change "Turn on catch-up quick scan" to enabled, which will help when VMs have been offline, and have missed two or more consecutive scheduled scans.  But since it is running a scheduled scan, it will use additional CPU. + +Turn on e-mail scanning: Enabled + +Turn on heuristics: Enabled + +Turn on reparse point scanning: Enabled + +#### __General scheduled scan settings__ + +Configure low CPU priority for scheduled scans (Use low CPU priority for scheduled scans): Not configured + +Specify the maximum percentage of CPU utilization during a scan (CPU usage limit per scan): 50 + +Start the scheduled scan only when computer is on but not in use (ScanOnlyIfIdle): Not configured + + Use the following cmdlet, to stop a quick or scheduled scan whenever the device goes idle if it is in passive mode. 
+ + + + +```powershell Set-MpPreference -ScanOnlyIfIdleEnabled $false ``` -You can also disable the `ScanOnlyIfIdle` option in Microsoft Defender Antivirus by configuration via local or domain group policy. This setting prevents significant CPU contention in high density environments. +> [!TIP] +> "Start the scheduled scan only when computer is on but not in use" setting prevents significant CPU contention in high density environments. + +#### __Daily quick scan__ + +Specify the interval to run quick scans per day: Not configured + +Specify the time for a daily quick scan (Run daily quick scan at): 12 PM + -For more information, see [Start the scheduled scan only when computer is on but not in use](https://admx.help/?Category=SystemCenterEndpointProtection&Policy=Microsoft.Policies.Antimalware::scan_scanonlyifidle). -## Scan VMs that have been offline +#### __Run a weekly scheduled scan (quick or full)__ -1. In your Group Policy Editor, go to **Windows components** \> **Microsoft Defender Antivirus** \> **Scan**. +Specify the scan type to use for a scheduled scan (Scan type): Not configured -2. Select **Turn on catch-up quick scan** and then edit the policy setting. +Specify the time of day to run a scheduled scan (Day of week to run scheduled scan): Not configured -3. Set the policy to **Enabled**. +Specify the day of the week to run a scheduled scan (Time of day to run a scheduled scan): Not configured + +### Security Intelligence Updates + +Turn on scan after security intelligence update (Disable scans after an update): Disabled + +> [!NOTE] +> Disabling a scan after a security intelligence update prevents a scan from occurring after receiving an update. You can apply this setting when creating the base image if you have also run a quick scan. This way, you can prevent the newly updated VM from performing a scan again (as you've already scanned it when you created the base image). 
+ +> [!IMPORTANT] +> Running scans after an update helps ensure your VMs are protected with the latest security intelligence updates. Disabling this option reduces the protection level of your VMs and should only be used when first creating or deploying the base image. -4. Select **OK**. +Specify the interval to check for security intelligence updates (Enter how often to check for security intelligence updates): Enabled - 8 -5. Deploy your Group Policy Object as you usually do. +Leave other settings in default state -This policy forces a scan if the VM missed two or more consecutive scheduled scans. +### Threats -## Enable headless UI mode +Specify threat alert levels at which default action should not be taken when detected: Enabled. Set Severe (5), High (4), Medium (2) and Low (1), all to quarantine (2) -1. In your Group Policy Editor, go to **Windows components** \> **Microsoft Defender Antivirus** \> **Client Interface**. +|Value name|Value | +| -------- | -------- | +|1 |2 | +|2|2| +|4|2| +|5|2| -2. Select **Enable headless UI mode** and edit the policy. +### Attack surface reduction rules -3. Set the policy to **Enabled**. +Configure all available rules to Audit. -4. Select **OK**. -5. Deploy your Group Policy Object as you usually do. -This policy hides the entire Microsoft Defender Antivirus user interface from end users in your organization. +### Enable network protection + +Prevent users and apps from accessing dangerous websites (Enable network protection): Enabled - Audit mode + +### SmartScreen for Microsoft Edge + +Require SmartScreen for Microsoft Edge: Yes + +Block malicious site access: Yes + +Block unverified file download: Yes ## Run the "Windows Defender Cache Maintenance" scheduled task 
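Review bot: in the @@ -158 hunk, the parentheticals under `#### __Run a weekly scheduled scan (quick or full)__` are swapped: `Specify the time of day to run a scheduled scan` is paired with `(Day of week to run scheduled scan)` and `Specify the day of the week to run a scheduled scan` with `(Time of day to run a scheduled scan)`; exchange them. The `ScanOnlyIfIdle` paragraph is self-contradictory: it says the cmdlet is used "to stop a quick or scheduled scan whenever the device goes idle if it is in passive mode", but `Set-MpPreference -ScanOnlyIfIdleEnabled $false` does the opposite, it lets a scheduled scan start whether or not the machine is idle, and the TIP beneath it then says the "only when computer is on but not in use" setting prevents CPU contention, which reads as advice to enable it. State plainly which state is recommended for VDI and why (the `50` CPU usage limit a few lines above is what bounds the scan's cost), and drop or explain "if it is in passive mode". `Enable file hash computation feature: Enabled` is recommended in a list described as "optimized for VDI environments" while its own note says it is only needed for file-hash indicators and raises CPU usage; set it to Not configured unless file-hash indicators are in use. `Send all samples (more secure) or Send safe sample (less secure)` attaches a security ranking the text does not justify; the Group Policy option is `Send safe samples`, and the trade-off worth stating is that "Send all samples" can upload documents that contain personal data. Finally, `#### __General scheduled scan settings__` and its sibling headings wrap the heading text in `__` bold markers, which the rest of the file does not do.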
@@ -259,14 +333,25 @@ Optimize the "Windows Defender Cache Maintenance" scheduled task for non-persist 1. Open up the **Task Scheduler** mmc (`taskschd.msc`). -2. Expand **Task Scheduler Library** > **Microsoft** > **Windows** > **Windows Defender**, and then right-click on **Windows Defender Cache Maintenance**. +1. Expand **Task Scheduler Library** > **Microsoft** > **Windows** > **Windows Defender**, and then right-click on **Windows Defender Cache Maintenance**. + +1. Select **Run**, and let the scheduled task finish. -3. Select **Run**, and let the scheduled task finish. +1. > [!WARNING] +> If you do not do this, it can cause higher cpu utilization while the cache maintenance task is running on each of the VMs. -## Exclusions +### Enable Tamper protection + +Enable tamper protection to prevent Microsoft Defender being disabled in the Microsoft Defender XDR portal (security.microsoft.com). + +### Exclusions If you think you need to add exclusions, see [Manage exclusions for Microsoft Defender for Endpoint and Microsoft Defender Antivirus](defender-endpoint-antivirus-exclusions.md). +## Next step + +If you are also deploying Microsoft Defender for Endpoint - EDR to your Windows based VDI VMs, please go thru the steps here: [Onboard non-persistent virtual desktop infrastructure (VDI) devices in Microsoft Defender XDR](/defender-endpoint/configure-endpoints-vdi) + ## See also - [Tech Community Blog: Configuring Microsoft Defender Antivirus for non-persistent VDI machines](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/configuring-microsoft-defender-antivirus-for-non-persistent-vdi/ba-p/1489633) 
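Review bot: in the @@ -259 hunk the `> [!WARNING]` callout is introduced as a fourth list item (`1. > [!WARNING]`), so it renders as a numbered step rather than as a warning; move it out of the list, below the `Select **Run**` step, and say what "this" refers to ("If you don't run the task in the base image before sealing it, ..."). In the same hunk `## Exclusions` is demoted to `### Exclusions` and `### Enable Tamper protection` is added at the same level, which nests both under `## Run the "Windows Defender Cache Maintenance" scheduled task`; keep them as `##` sections or move them under the configuration settings heading. The tamper protection sentence should also say what it buys in this scenario: with it on, the real-time protection and scan settings recommended above cannot be changed on the VM itself, only through the portal.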
@@ -278,6 +363,7 @@ If you're looking for information about Defender for Endpoint on non-Windows pla - [Microsoft Defender for Endpoint on Mac](microsoft-defender-endpoint-mac.md) - [Microsoft Defender for Endpoint on Linux](microsoft-defender-endpoint-linux.md) - [Configure Defender for Endpoint on Android features](android-configure.md) + - [Configure Microsoft Defender for Endpoint on iOS features](ios-configure-features.md) [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../includes/defender-mde-techcommunity.md)] From be4b07a45456392746de04277d3896c6dd83dec9 Mon Sep 17 00:00:00 2001 From: "Yong Rhee [MSFT]" <56358587+YongRhee-MSFT@users.noreply.github.com> Date: Thu, 26 Dec 2024 14:19:09 -0800 Subject: [PATCH 03/30] Learn Editor: Update deployment-vdi-microsoft-defender-antivirus.md From dcd9657411c8a5f17e3eb7de5e4d8902b3b2123e Mon Sep 17 00:00:00 2001 From: "Yong Rhee [MSFT]" <56358587+YongRhee-MSFT@users.noreply.github.com> Date: Thu, 26 Dec 2024 14:23:38 -0800 Subject: [PATCH 04/30] Learn Editor: Update configure-endpoints-vdi.md --- defender-endpoint/configure-endpoints-vdi.md | 68 +------------------- 1 file changed, 2 insertions(+), 66 deletions(-) diff --git a/defender-endpoint/configure-endpoints-vdi.md b/defender-endpoint/configure-endpoints-vdi.md index 64547e18b6..4bfb15bfb9 100644 --- a/defender-endpoint/configure-endpoints-vdi.md +++ b/defender-endpoint/configure-endpoints-vdi.md 
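Review bot: the added iOS link in the @@ -278 hunk is indented one space further than its sibling bullets (` - [Configure Microsoft Defender for Endpoint on iOS features]`), which some renderers treat as a nested item; align it with the Android line directly above it.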
@@ -39,7 +39,7 @@ Like any other system in an IT environment, these too should have an Endpoint De > Want to experience Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-configvdi-abovefoldlink) > [!NOTE] - > **Persistent VDI's** - Onboarding a persistent VDI machine into Microsoft Defender for Endpoint is handled the same way you would onboard a physical machine, such as a desktop or laptop. Group policy, Microsoft Configuration Manager, and other methods can be used to onboard a persistent machine. In the Microsoft Defender portal, (https://security.microsoft.com) under onboarding, select your preferred onboarding method, and follow the instructions for that type. For more information see [Onboarding Windows client](onboard-windows-client.md). +> **Persistent VDI's** - Onboarding a persistent VDI machine into Microsoft Defender for Endpoint is handled the same way you would onboard a physical machine, such as a desktop or laptop. Group policy, Microsoft Configuration Manager, and other methods can be used to onboard a persistent machine. In the Microsoft Defender portal, (https://security.microsoft.com) under onboarding, select your preferred onboarding method, and follow the instructions for that type. For more information see [Onboarding Windows client](onboard-windows-client.md). ## Onboarding non-persistent virtual desktop infrastructure (VDI) devices 
@@ -184,71 +184,7 @@ After onboarding devices to the service, it's important to take advantage of the ### Next generation protection configuration -The following configuration settings are recommended: - -#### Cloud Protection Service - -- Turn on cloud-delivered protection: Yes -- Cloud-delivered protection level: Not configured -- Defender Cloud Extended Timeout In Seconds: 20 - -#### Exclusions - -- Please review the FXLogix antivirus exclusion recommendations here: [Prerequisites for FSLogix](/fslogix/overview-prerequisites#file--folder-exclusions). - -#### Real-time Protection - -- Turn on all settings and set to monitor all files - -#### Remediation - -- Number of days to keep quarantined malware: 30 -- Submit samples consent: Send all samples automatically -- Action to take on potentially unwanted apps: Enable -- Actions for detected threats: - - Low threat: Clean - - Moderate threat, High threat, Severe threat: Quarantine - -#### Scan - -- Scan archived files: Yes -- Use low CPU priority for scheduled scans: Not configured -- Disable catch-up full scan: Not configured -- Disable catchup quick scan: Not configured -- CPU usage limit per scan: 50 -- Scan mapped network drives during full scan: Not configured -- Run daily quick scan at: 12 PM -- Scan type: Not configured -- Day of week to run scheduled scan: Not configured -- Time of day to run a scheduled scan: Not configured -- Check for signature updates before running scan: Yes - -#### Updates - -- Enter how often to check for security intelligence updates: 8 -- Leave other settings in default state - -#### User experience - -- Allow user access to Microsoft Defender app: Not configured - -#### Enable Tamper protection - -- Enable tamper protection to prevent Microsoft Defender being disabled: Enable - -#### Attack surface reduction - -- Enable network protection: Test mode -- Require SmartScreen for Microsoft Edge: Yes -- Block malicious site access: Yes -- Block unverified file download: Yes - -#### 
Attack surface reduction rules - -- Configure all available rules to Audit. - -> [!NOTE] -> Blocking these activities may interrupt legitimate business processes. The best approach is setting everything to audit, identifying which ones are safe to turn on, and then enabling those settings on endpoints which do not have false positive detections. +The configuration settings in this link are recommended: [Configure Microsoft Defender Antivirus on a remote desktop or virtual desktop infrastructure environment](/defender-endpoint/deployment-vdi-microsoft-defender-antivirus). ## Related topics From 01d0d29d6662b9594f731cde50d1872342e71830 Mon Sep 17 00:00:00 2001 From: "Yong Rhee [MSFT]" <56358587+YongRhee-MSFT@users.noreply.github.com> Date: Thu, 26 Dec 2024 14:23:47 -0800 Subject: [PATCH 05/30] Learn Editor: Update configure-endpoints-vdi.md From 9f90bd5075e6a3d7b790060e085440930d563e50 Mon Sep 17 00:00:00 2001 From: "Yong Rhee [MSFT]" <56358587+YongRhee-MSFT@users.noreply.github.com> Date: Fri, 27 Dec 2024 05:22:05 -0800 Subject: [PATCH 06/30] Learn Editor: Update defender-antivirus-compatibility-without-mde.md --- defender-endpoint/TOC.yml | 6 ++++++ ...fender-antivirus-compatibility-without-mde.md | 16 ++++++++++++++++ 2 files changed, 22 insertions(+) create mode 100644 defender-endpoint/defender-antivirus-compatibility-without-mde.md diff --git a/defender-endpoint/TOC.yml b/defender-endpoint/TOC.yml index 83e94cbd17..7b65dc9ade 100644 --- a/defender-endpoint/TOC.yml +++ b/defender-endpoint/TOC.yml 
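Review bot: the @@ -184 hunk replaces the settings list with a link, but two items in the removed text have no counterpart on the linked page as changed in PATCH 02/30: the FSLogix exclusion recommendations (`Prerequisites for FSLogix`), which matter for non-persistent profile containers, and the NOTE that ASR rules should start in Audit because blocking may interrupt legitimate business processes. Carry both over to deployment-vdi-microsoft-defender-antivirus.md (its `Exclusions` and `Attack surface reduction rules` sections) before deleting them here, otherwise the guidance is lost. The removed list also recommended `Low threat: Clean`, whereas the new page sets all severities to quarantine (2); if the change in recommendation is intentional, say so in the commit message.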
@@ -791,6 +791,12 @@ href: microsoft-defender-endpoint-antivirus-performance-mode.md - name: Compatibility with other security products href: microsoft-defender-antivirus-compatibility.md + - name: Microsoft Defender Antivirus and third-party antivirus solutions without + Defender for Endpoint + href: defender-antivirus-compatibility-without-mde.md + displayName: Microsoft Defender Antivirus and non-Microsoft + antivirus/antimalware solutions, Antivirus protection without Defender for + Endpoint - name: Find malware detection names for Microsoft Defender for Endpoint href: find-defender-malware-name.md diff --git a/defender-endpoint/defender-antivirus-compatibility-without-mde.md b/defender-endpoint/defender-antivirus-compatibility-without-mde.md new file mode 100644 index 0000000000..bbeef0a3ae --- /dev/null +++ b/defender-endpoint/defender-antivirus-compatibility-without-mde.md @@ -0,0 +1,16 @@ +--- +# Required metadata +# For more information, see https://review.learn.microsoft.com/en-us/help/platform/learn-editor-add-metadata?branch=main +# For valid values of ms.service, ms.prod, and ms.topic, see https://review.learn.microsoft.com/en-us/help/platform/metadata-taxonomies?branch=main + +title: # Add a title for the browser tab +description: # Add a meaningful description for search results +author: YongRhee-MSFT # GitHub alias +ms.author: yongrhee # Microsoft alias +ms.service: # Add the ms.service or ms.prod value +# ms.prod: # To use ms.prod, uncomment it and delete ms.service +ms.topic: # Add the ms.topic value +ms.date: 12/27/2024 +--- + +Microsoft Defender Antivirus and third-party antivirus solutions without Defender for Endpoint \ No newline at end of file From 2a4d7a8c8956912b6bbfebe5cd1aa8a45fcf6686 Mon Sep 17 00:00:00 2001 
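Review bot: PATCH 06/30 commits defender-antivirus-compatibility-without-mde.md with the template's placeholder metadata (`title: # Add a title for the browser tab`, empty `description`, `ms.service`, `ms.topic`), which breaks the docs build at this point in the series; PATCH 08/30 fills them in, so squash 06 through 08 into one commit. In the TOC.yml hunk the `name:` and `displayName:` values are wrapped across lines as plain scalars; that is valid YAML, but quote them or keep each on one line so the folding does not depend on indentation.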
From: "Yong Rhee [MSFT]" <56358587+YongRhee-MSFT@users.noreply.github.com> Date: Fri, 27 Dec 2024 07:56:04 -0800 Subject: [PATCH 07/30] Learn Editor: Update defender-antivirus-compatibility-without-mde.md --- ...der-antivirus-compatibility-without-mde.md | 101 +++++++++++++++++- 1 file changed, 100 insertions(+), 1 deletion(-) diff --git a/defender-endpoint/defender-antivirus-compatibility-without-mde.md b/defender-endpoint/defender-antivirus-compatibility-without-mde.md index bbeef0a3ae..c49ffebab0 100644 --- a/defender-endpoint/defender-antivirus-compatibility-without-mde.md +++ b/defender-endpoint/defender-antivirus-compatibility-without-mde.md 
@@ -13,4 +13,103 @@ ms.topic: # Add the ms.topic value ms.date: 12/27/2024 --- -Microsoft Defender Antivirus and third-party antivirus solutions without Defender for Endpoint \ No newline at end of file +# Microsoft Defender Antivirus and third-party antivirus solutions without Defender for Endpoint + +__Applies to:__ + +- [Microsoft Defender for Endpoint Plan 1](/defender-endpoint/microsoft-defender-endpoint) + +- [Microsoft Defender for Individuals](https://www.microsoft.com/microsoft-365/microsoft-defender-for-individuals) + +- Microsoft Defender Antivirus + +This section describes what happens when you use Microsoft Defender Antivirus alongside non-Microsoft antivirus/antimalware products on endpoints that aren't onboarded to Defender for Endpoint. + +Microsoft Defender Antivirus doesn't run in passive mode on devices that aren't onboarded to Defender for Endpoint. + +The following table summarizes what to expect: + +| Windows version |Primary antivirus/antimalware solution|Microsoft Defender Antivirus state| +| -------- | -------- | -------- | +|Windows 11 and Windows 10 |Microsoft Defender Antivirus|Active mode| +|Windows 11 and Windows 10|A non-Microsoft antivirus solution|Disabled mode (happens automatically).| +|Windows Server 2025, Windows Server 2022, Windows Server 2019, Windows Server, version 1803 or newer, Windows Server 2016|Microsoft Defender Antivirus|Active mode| +|Windows Server 2025, Windows Server 2022, Windows Server 2019, Windows Server, version 1803 or newer, Windows Server 2016|A non-Microsoft antivirus solution|Disabled (set manually; see the note that follows this table)| + +> [!NOTE] +> On Windows Server, if you're running a non-Microsoft antivirus product, you can uninstall Microsoft Defender Antivirus by using the following PowerShell cmdlet (as an administrator): `Uninstall-WindowsFeature Windows-Defender`. Restart your server to finish removing Microsoft Defender Antivirus. 
On Windows Server 2016, you might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus*. If you uninstall your non-Microsoft antivirus product, make sure that Microsoft Defender Antivirus is re-enabled. See **[Re-enable Microsoft Defender Antivirus on Windows Server if it was disabled](/defender-endpoint/enable-update-mdav-to-latest-ws)**. + +Check the services and filter drivers for Microsoft Defender Antivirus + + +```powershell +gsv WinDefend, WdBoot, WdFilter, WdNisSvc, WdNisDrv | ft -auto DisplayName, Name, StartType, Status +``` + +|Display Name|Name|StartType|Status when Defender AV is enabled| Status when Defender AV is disabled| Comments | +| -------- | -------- | -------- | -------- | -------- | -------- | +|Microsoft Defender Antivirus Boot Driver |WdBoot|Boot |Stopped (0x0 Boot_start)| Stopped (0x3 Demand_start)|It’s normal to be stopped after boot. | +|Microsoft Defender Antivirus Mini-Filter Driver|WdFilter|Manual |Running (0x0 Boot_start)|Stopped (0x3 Demand_start)|If a 3rd party AV is installed, then this will be stopped. | +|Microsoft Defender Antivirus Network Inspection System Driver |WdNisDrv|Manual|Running (0x3 Demand_start)|Stopped (0x3 Demand_start)|If a 3rd party AV is installed, then this will be stopped. | +|Microsoft Defender Antivirus Network Inspection Service |WdNisSvc|Manual|Running (0x3 Demand_start)|Stopped (0x3 Demand_start)|If a 3rd party AV is installed, then this will be stopped. | +|Microsoft Defender Antivirus Service|WinDefend|Automatic|Running (0x2 Auto_start)|Stopped (0x3 Demand_start)|If a 3rd party AV is installed, then this will be stopped.| + +### Frequently Asked Questions (FAQ) + +Q: Can I update Microsoft Defender Antivirus components such as "Security intelligence update" or "Engine update" "Platform update" when Microsoft Defender Antivirus is disabled? + +A: No. 
When Microsoft Defender Antivirus is disabled, since the services and drivers are not running, you will not be able to update the components such as "Security intelligence update" or "Engine update" "Platform update". + +> [!TIP] +> If you are migrating to Microsoft Defender for Endpoint, when onboarded, Microsoft Defender Antivirus will go into 'passive mode' in Windows clients and via a registry key in Windows Servers, where you will be able to update the different components of Microsoft Defender Antivirus. + +Q: Can I manually change the start type of the services and drivers for Microsoft Defender Antivirus? + +A: We do not support the manual modification of the start type of the services and drivers for Microsoft Defender Antivirus in Windows images. On Windows clients, the supported method is via the third-party antivirus solution registering to Windows Security Center (WSC) api. Or on Windows Servers uninstalling Microsoft Defender Antivirus feature, via the Roles and Features MMC or via Powershell (Run as admin): + + +```powershell +Uninstall-WindowsFeature Windows-Defender +``` + +Q: Can I use Microsoft Defender Antivirus in "passive mode" without onboarding to Microsoft Defender for Endpoint? + +A: No. "Passive mode" is a functionality of Microsoft Defender for Endpoint Plan 2. + +Q: Can I use "EDR in block mode" without onboarding to Microsoft Defender for Endpoint? + +A: No. "EDR in block mode" is a functionality of Microsoft Defender for Endpoint Plan 2. + +Q: Can I use "Indicators" - "File hash" or "IP address/URL's" or "Certificates" with Microsoft Defender Antivirus (active mode) with M365 E3/A3 license? 
+ +A: Yes, please review [Microsoft Defender for Endpoint Plan 1 Now Included in M365 E3/A3 Licenses](https://techcommunity.microsoft.com/blog/microsoftdefenderatpblog/microsoft-defender-for-endpoint-plan-1-now-included-in-m365-e3a3-licenses/3060639) and [Overview of Microsoft Defender for Endpoint Plan 1](/defender-endpoint/defender-endpoint-plan-1) + +## See also + +- [Use Microsoft Defender for Endpoint Security Settings Management to manage Microsoft Defender Antivirus](/defender-endpoint/mde-security-settings-management) + +- [Microsoft Intune securely manages identities, manages apps, and manages devices](/mem/intune/fundamentals/what-is-intune) + + - [Defender CSP](/windows/client-management/mdm/defender-csp) + + - [Policy CSP - Defender](/windows/client-management/mdm/policy-csp-defender) + +- [How to create and deploy antimalware policies for Endpoint Protection in Configuration Manager](/mem/configmgr/protect/deploy-use/endpoint-antimalware-policies) + +- [Use Group Policy settings to configure and manage Microsoft Defender Antivirus](/defender-endpoint/use-group-policy-microsoft-defender-antivirus) + +- [Use PowerShell cmdlets to configure and manage Microsoft Defender Antivirus](/defender-endpoint/use-powershell-cmdlets-microsoft-defender-antivirus) + +- [Exclusions overview](/defender-endpoint/navigate-defender-endpoint-antivirus-exclusions) + +- [Address false positives/negatives in Microsoft Defender for Endpoint](/defender-endpoint/defender-endpoint-false-positives-negatives) + +- [Troubleshoot Microsoft Defender Antivirus settings](/defender-endpoint/troubleshoot-settings) + +- [Run the client analyzer on Windows](/defender-endpoint/run-analyzer-windows) + +- [Performance analyzer for Microsoft Defender Antivirus](/defender-endpoint/tune-performance-defender-antivirus) + +> [!TIP] +> Do you want to learn more? 
Engage with the Microsoft Security community in our Tech Community: **[Microsoft Defender for Endpoint Tech Community](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/bd-p/MicrosoftDefenderATP)**. + From 3d2e05b3eb0d4e81efb47680f84d33bdcc3f53c4 Mon Sep 17 00:00:00 2001 From: "Yong Rhee [MSFT]" <56358587+YongRhee-MSFT@users.noreply.github.com> Date: Fri, 27 Dec 2024 07:56:10 -0800 Subject: [PATCH 08/30] update Metadata --- .../defender-antivirus-compatibility-without-mde.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/defender-endpoint/defender-antivirus-compatibility-without-mde.md b/defender-endpoint/defender-antivirus-compatibility-without-mde.md index c49ffebab0..283816dd9d 100644 --- a/defender-endpoint/defender-antivirus-compatibility-without-mde.md +++ b/defender-endpoint/defender-antivirus-compatibility-without-mde.md @@ -3,14 +3,14 @@ # For more information, see https://review.learn.microsoft.com/en-us/help/platform/learn-editor-add-metadata?branch=main # For valid values of ms.service, ms.prod, and ms.topic, see https://review.learn.microsoft.com/en-us/help/platform/metadata-taxonomies?branch=main -title: # Add a title for the browser tab -description: # Add a meaningful description for search results +title: Microsoft Defender Antivirus and non-Microsoft antivirus/antimalware solutions Antivirus protection without Defender for Endpoint +description: Microsoft Defender Antivirus and non-Microsoft antivirus/antimalware solutions Antivirus protection without Defender for Endpoint author: YongRhee-MSFT # GitHub alias ms.author: yongrhee # Microsoft alias -ms.service: # Add the ms.service or ms.prod value -# ms.prod: # To use ms.prod, uncomment it and delete ms.service -ms.topic: # Add the ms.topic value +ms.service: defender-endpoint +ms.topic: article ms.date: 12/27/2024 +ms.subservice: ngp --- # Microsoft Defender Antivirus and third-party antivirus solutions without Defender for Endpoint 
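Review bot: Several wording and capitalization slips in the FAQ hunk: the first paragraph's component list, `"Security intelligence update" or "Engine update" "Platform update"`, needs a conjunction before "Platform update"; the answer on start types writes "Windows Security Center (WSC) api" and "Powershell", which should be "API" and "PowerShell"; and the final answer ("A: Yes, please review [...] and [Overview of Microsoft Defender for Endpoint Plan 1](...)") ends without a period. The same answer would also be clearer if it named the licence outright ("Defender for Endpoint Plan 1 is included in M365 E3/A3, so indicators are available") before pointing at the two links.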
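Review bot: In the front-matter hunk, `description:` is a verbatim copy of `title:`, and the title itself reads as two phrases run together ("... antimalware solutions Antivirus protection without Defender for Endpoint"). The H1 in the trailing context, "Microsoft Defender Antivirus and third-party antivirus solutions without Defender for Endpoint", is the cleaner title; suggest using it for `title:` and writing a separate one-sentence `description:` for search results, as the placeholder comment being replaced ("# Add a meaningful description for search results") asked for.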
From 8681556e5baf9ff9215c4871a200c4c19600959b Mon Sep 17 00:00:00 2001 From: "Yong Rhee [MSFT]" <56358587+YongRhee-MSFT@users.noreply.github.com> Date: Fri, 27 Dec 2024 07:56:42 -0800 Subject: [PATCH 09/30] Learn Editor: Update defender-antivirus-compatibility-without-mde.md From 769ca801c4359297b50de217c0ce508581568d47 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 30 Dec 2024 09:35:01 -0800 Subject: [PATCH 10/30] Update ms.date in documentation --- .../deployment-vdi-microsoft-defender-antivirus.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defender-endpoint/deployment-vdi-microsoft-defender-antivirus.md b/defender-endpoint/deployment-vdi-microsoft-defender-antivirus.md index c1066f713e..28d5b3f8ac 100644 --- a/defender-endpoint/deployment-vdi-microsoft-defender-antivirus.md +++ b/defender-endpoint/deployment-vdi-microsoft-defender-antivirus.md @@ -2,7 +2,7 @@ title: Configure Microsoft Defender Antivirus on a remote desktop or virtual desktop infrastructure environment description: Get an overview of how to configure Microsoft Defender Antivirus in a remote desktop or non-persistent virtual desktop environment. ms.localizationpriority: medium -ms.date: 10/28/2024 +ms.date: 12/30/2024 ms.topic: conceptual author: denisebmsft ms.author: deniseb From 318a59e722b14ab115a6414e6604c2e2acae2719 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 30 Dec 2024 10:58:42 -0800 Subject: [PATCH 11/30] Update deployment-vdi-microsoft-defender-antivirus.md --- ...oyment-vdi-microsoft-defender-antivirus.md | 123 +++++++++--------- 1 file changed, 59 insertions(+), 64 deletions(-) diff --git a/defender-endpoint/deployment-vdi-microsoft-defender-antivirus.md b/defender-endpoint/deployment-vdi-microsoft-defender-antivirus.md index 28d5b3f8ac..e1494ab90b 100644 --- a/defender-endpoint/deployment-vdi-microsoft-defender-antivirus.md +++ b/defender-endpoint/deployment-vdi-microsoft-defender-antivirus.md 
@@ -31,9 +31,9 @@ search.appverid: met150 - Windows -This article is designed for customers who are using Microsoft Defender Antivirus capabilities only. If you have Microsoft Defender for Endpoint (which includes Microsoft Defender Antivirus alongside other device protection capabilities), also go through [Onboard non-persistent virtual desktop infrastructure (VDI) devices in Microsoft Defender XDR](configure-endpoints-vdi.md). +This article is designed for customers who are using Microsoft Defender Antivirus capabilities only. If you have Microsoft Defender for Endpoint (which includes Microsoft Defender Antivirus alongside other device protection capabilities), see [Onboard non-persistent virtual desktop infrastructure (VDI) devices in Microsoft Defender XDR](configure-endpoints-vdi.md). -You can use Microsoft Defender Antivirus in a remote desktop (RDS) or non-persistent virtual desktop infrastructure (VDI) environment. Following the guidance in this article, you can configure updates to download directly to your RDS or VDI environments when a user signs in. +You can use Microsoft Defender Antivirus in a remote desktop (RDS) or non-persistent virtual desktop infrastructure (VDI) environment. Using the guidance in this article, you can configure updates to download directly to your RDS or VDI environments whenever a user signs in. This guide describes how to configure Microsoft Defender Antivirus on your VMs for optimal protection and performance, including how to: 
@@ -60,11 +60,9 @@ In Windows 10, version 1903, Microsoft introduced the shared security intelligen 3. Select **Administrative templates**. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Security Intelligence Updates**. -4. Double-click **Define security intelligence location for VDI clients**, and then set the option to **Enabled**. +4. Double-click **Define security intelligence location for VDI clients**, and then set the option to **Enabled**. A field automatically appears. - A field automatically appears. - -1. Enter `\\\wdav-update` (for help with this value, see [Download and unpackage](#download-and-unpackage-the-latest-updates)). +5. In the field, type `\\\wdav-update`. (For help with this value, see [Download and unpackage](#download-and-unpackage-the-latest-updates).) 6. Select **OK**, and then deploy the Group Policy Object to the VMs you want to test. @@ -81,6 +79,7 @@ In Windows 10, version 1903, Microsoft introduced the shared security intelligen Now you can get started on downloading and installing new updates. We've created a sample PowerShell script for you below. This script is the easiest way to download new updates and get them ready for your VMs. You should then set the script to run at a certain time on the management machine by using a scheduled task (or, if you're familiar with using PowerShell scripts in Azure, Intune, or SCCM, you could also use those scripts). ```PowerShell + $vdmpathbase = "$env:systemdrive\wdav-update\{00000000-0000-0000-0000-" $vdmpathtime = Get-Date -format "yMMddHHmmss" $vdmpath = $vdmpathbase + $vdmpathtime + '}' 
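Review bot: In the @@ -60 hunk, the value readers are told to type, `\\\wdav-update`, has no server component: a UNC path has the form `\\<server>\<share>`, and the example share named later in this same file is `\\FileServer.fqdn\mdatp$\wdav-update` (see the @@ -113 context). Either a server-name placeholder has been lost from the code span or the step should reuse the example path; as written, readers will type three backslashes literally. Changing the step number from `1.` back to `5.` is correct, since the surrounding list uses explicit numbers (`4.`, `6.`). The @@ -81 hunk only adds a blank line inside the fence and changes nothing.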
@@ -91,6 +90,7 @@ New-Item -ItemType Directory -Force -Path $vdmpath | Out-Null Invoke-WebRequest -Uri 'https://go.microsoft.com/fwlink/?LinkID=121721&arch=x64' -OutFile $vdmpackage Start-Process -FilePath $vdmpackage -WorkingDirectory $vdmpath -ArgumentList "/x" + ``` You can set a scheduled task to run once a day so that whenever the package is downloaded and unpacked then the VMs receive the new update. We suggest starting with once a day, but you should experiment with increasing or decreasing the frequency to understand the impact. @@ -101,9 +101,9 @@ You can also set up your single server or machine to fetch the updates on behalf 1. Create an SMB/CIFS file share. -1. Use the following example to create a file share with the following share permissions. +2. Use the following example to create a file share with the following share permissions. - ```PowerShell + ```PowerShell PS c:\> Get-SmbShareAccess -Name mdatp$ @@ -113,7 +113,7 @@ You can also set up your single server or machine to fetch the updates on behalf ``` - > [!NOTE] + > [!NOTE] > An NTFS permission is added for **Authenticated Users:Read:**. For this example, the file share is `\\FileServer.fqdn\mdatp$\wdav-update`. 
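Review bot: In the @@ -91 hunk, `Start-Process -FilePath $vdmpackage -WorkingDirectory $vdmpath -ArgumentList "/x"` returns as soon as the extractor is launched, so when this script runs from the scheduled task described in the next sentence, the task finishes before the package has finished unpacking; add `-Wait` so the script blocks until extraction completes. The only change the hunk makes to the script is a blank line before the closing fence. The following sentence, "so that whenever the package is downloaded and unpacked then the VMs receive the new update", has a dangling "then" and should read "... is downloaded and unpacked, the VMs receive the new update". The @@ -101 and @@ -113 hunks are whitespace and list-number fixes only.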
@@ -160,33 +160,31 @@ If you would prefer to do everything manually, here's what to do to replicate th ## Microsoft Defender Antivirus configuration settings -It’s important to take advantage of the included threat protection capabilities by enabling them with the following recommended configuration settings.  It’s optimized for VDI environments. +It's important to take advantage of the included threat protection capabilities by enabling them with the following recommended configuration settings.  It's optimized for VDI environments. > [!TIP] > The latest Windows group policy administrative templates are available in [Create and manage Central Store](/troubleshoot/windows-client/group-policy/create-and-manage-central-store). ### Root -Configure detection for potentially unwanted applications: Enabled - Block +- Configure detection for potentially unwanted applications: `Enabled - Block` -Configure local administrator merge behavior for lists: Disabled +- Configure local administrator merge behavior for lists: `Disabled` -Control whether or not exclusions are visible to Local Admins: Enabled - -Turn off routine remediation: Disabled - -Randomize scheduled scans: Enabled +- Control whether or not exclusions are visible to Local Admins: `Enabled` +- Turn off routine remediation: `Disabled` +- Randomize scheduled scans: `Enabled` ### Client Interface -Enable headless UI mode: Enabled +- Enable headless UI mode: `Enabled` -> [!NOTE] -> This policy hides the entire Microsoft Defender Antivirus user interface from end users in your organization. + > [!NOTE] + > This policy hides the entire Microsoft Defender Antivirus user interface from end users in your organization. -Suppress all notifications: Enabled +- Suppress all notifications: `Enabled` > [!NOTE] > Sometimes, Microsoft Defender Antivirus notifications are sent to or persist across multiple sessions. To help avoid user confusion, you can lock down the Microsoft Defender Antivirus user interface. 
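Review bot: In the @@ -160 hunk, "It's optimized for VDI environments." has no clear antecedent (the settings, not the threat protection capabilities, are what is tuned) and is preceded by a double space; suggest "These settings are optimized for VDI environments." The hunk also indents the note under "Enable headless UI mode" as part of that bullet but leaves the unchanged note under "Suppress all notifications" at the margin, so the two notes render differently; indent both the same way.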
@@ -194,95 +192,92 @@ Suppress all notifications: Enabled ### MAPS -Join Microsoft MAPS (Turn on cloud-delivered protection): Enabled - Advanced MAPS +- Join Microsoft MAPS (Turn on cloud-delivered protection): `Enabled - Advanced MAPS` -Send file samples when further analysis is required: Send all samples (more secure) or Send safe sample (less secure) +- Send file samples when further analysis is required: `Send all samples (more secure)` or `Send safe sample (less secure)` ### MPEngine -Configure extended cloud check: 20 +- Configure extended cloud check: `20` -Select cloud protection level: Enabled - High +- Select cloud protection level: `Enabled - High` -Enable file hash computation feature: Enabled +- Enable file hash computation feature: `Enabled` > [!NOTE] > "Enable file hash computation feature" is only needed if using Indicators – File hash.  It can cause higher amount of CPU utilization, since it has to parse thru each binary on disk to get the file hash. -### Real-time Protection +### Real-time protection -Configure monitoring for incoming and outgoing file and program activity: Enabled – bi-directional (full on-access) +- Configure monitoring for incoming and outgoing file and program activity: `Enabled – bi-directional (full on-access)` -Monitor file and program activity on your computer: Enabled +- Monitor file and program activity on your computer: `Enabled` -Scan all downloaded files and attachments: Enabled +- Scan all downloaded files and attachments: `Enabled` -Turn on behavior monitoring: Enabled +- Turn on behavior monitoring: `Enabled` -Turn on process scanning whenever real-time protection is enabled: Enabled +- Turn on process scanning whenever real-time protection is enabled: `Enabled` -Turn on raw volume write notifications: Enabled +- Turn on raw volume write notifications: `Enabled` ### Scans -Check for the latest virus and spyware security intelligence before running a scheduled scan: Enabled +- Check for the latest virus and spyware 
security intelligence before running a scheduled scan: `Enabled` -Scan archive files: Enabled +- Scan archive files: `Enabled` -Scan network files: Not configured +- Scan network files: `Not configured` -Scan packed executables: Enabled +- Scan packed executables: `Enabled` -Scan removable drives: Enabled +- Scan removable drives: `Enabled` -Turn on catch-up full scan (Disable catch-up full scan): Not configured +- Turn on catch-up full scan (Disable catch-up full scan): `Not configured` -Turn on catch-up quick scan (Disable catchup quick scan): Not configured +- Turn on catch-up quick scan (Disable catchup quick scan): `Not configured` -> [!NOTE] -> If you want to harden, you could change "Turn on catch-up quick scan" to enabled, which will help when VMs have been offline, and have missed two or more consecutive scheduled scans.  But since it is running a scheduled scan, it will use additional CPU. + > [!NOTE] + > If you want to harden, you could change "Turn on catch-up quick scan" to enabled, which will help when VMs have been offline, and have missed two or more consecutive scheduled scans.  But since it is running a scheduled scan, it will use additional CPU. 
-Turn on e-mail scanning: Enabled +- Turn on e-mail scanning: `Enabled` -Turn on heuristics: Enabled +- Turn on heuristics: `Enabled` -Turn on reparse point scanning: Enabled +- Turn on reparse point scanning: `Enabled` -#### __General scheduled scan settings__ +#### General scheduled scan settings -Configure low CPU priority for scheduled scans (Use low CPU priority for scheduled scans): Not configured +- Configure low CPU priority for scheduled scans (Use low CPU priority for scheduled scans): `Not configured` -Specify the maximum percentage of CPU utilization during a scan (CPU usage limit per scan): 50 +- Specify the maximum percentage of CPU utilization during a scan (CPU usage limit per scan): `50` -Start the scheduled scan only when computer is on but not in use (ScanOnlyIfIdle): Not configured +- Start the scheduled scan only when computer is on but not in use (ScanOnlyIfIdle): `Not configured` - Use the following cmdlet, to stop a quick or scheduled scan whenever the device goes idle if it is in passive mode. +- Use the following cmdlet, to stop a quick or scheduled scan whenever the device goes idle if it is in passive mode. - + ```powershell + Set-MpPreference -ScanOnlyIfIdleEnabled $false -```powershell -Set-MpPreference -ScanOnlyIfIdleEnabled $false -``` + ``` > [!TIP] -> "Start the scheduled scan only when computer is on but not in use" setting prevents significant CPU contention in high density environments. - -#### __Daily quick scan__ - -Specify the interval to run quick scans per day: Not configured +> The setting, "Start the scheduled scan only when computer is on but not in use" prevents significant CPU contention in high-density environments. 
-Specify the time for a daily quick scan (Run daily quick scan at): 12 PM +#### Daily quick scan +- Specify the interval to run quick scans per day: `Not configured` +- Specify the time for a daily quick scan (Run daily quick scan at): `12 PM` -#### __Run a weekly scheduled scan (quick or full)__ +#### Run a weekly scheduled scan (quick or full) -Specify the scan type to use for a scheduled scan (Scan type): Not configured +- Specify the scan type to use for a scheduled scan (Scan type): `Not configured` -Specify the time of day to run a scheduled scan (Day of week to run scheduled scan): Not configured +- Specify the time of day to run a scheduled scan (Day of week to run scheduled scan): `Not configured` -Specify the day of the week to run a scheduled scan (Time of day to run a scheduled scan): Not configured +- Specify the day of the week to run a scheduled scan (Time of day to run a scheduled scan): `Not configured` ### Security Intelligence Updates From 825abe1acf7a9db4a9651aa2ed93e229d4516eda Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 30 Dec 2024 10:59:32 -0800 Subject: [PATCH 12/30] Update deployment-vdi-microsoft-defender-antivirus.md --- .../deployment-vdi-microsoft-defender-antivirus.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/defender-endpoint/deployment-vdi-microsoft-defender-antivirus.md b/defender-endpoint/deployment-vdi-microsoft-defender-antivirus.md index e1494ab90b..05519a052d 100644 --- a/defender-endpoint/deployment-vdi-microsoft-defender-antivirus.md +++ b/defender-endpoint/deployment-vdi-microsoft-defender-antivirus.md 
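Review bot: In the @@ -194 hunk, the parenthetical policy names under "Run a weekly scheduled scan" are swapped: "Specify the time of day to run a scheduled scan" is given "(Day of week to run scheduled scan)" and "Specify the day of the week to run a scheduled scan" is given "(Time of day to run a scheduled scan)". Two more points in the same hunk: the bullet "Use the following cmdlet, to stop a quick or scheduled scan whenever the device goes idle if it is in passive mode" introduces `Set-MpPreference -ScanOnlyIfIdleEnabled $false`, but `$false` removes the "only when idle" condition rather than stopping a scan when the device goes idle, so the sentence should say what the cmdlet actually does; and the tip says the "Start the scheduled scan only when computer is on but not in use" setting prevents CPU contention while the bullet above lists it as `Not configured`, so state whether readers should enable it. Minor: "parse thru" in the file hash note should be "parse through", and that note is the only one in the MPEngine section left unindented under its bullet.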
@@ -281,17 +281,17 @@ It's important to take advantage of the included threat protection capabilities ### Security Intelligence Updates -Turn on scan after security intelligence update (Disable scans after an update): Disabled +- Turn on scan after security intelligence update (Disable scans after an update): `Disabled` -> [!NOTE] -> Disabling a scan after a security intelligence update prevents a scan from occurring after receiving an update. You can apply this setting when creating the base image if you have also run a quick scan. This way, you can prevent the newly updated VM from performing a scan again (as you've already scanned it when you created the base image). + > [!NOTE] + > Disabling a scan after a security intelligence update prevents a scan from occurring after receiving an update. You can apply this setting when creating the base image if you have also run a quick scan. This way, you can prevent the newly updated VM from performing a scan again (as you've already scanned it when you created the base image). -> [!IMPORTANT] -> Running scans after an update helps ensure your VMs are protected with the latest security intelligence updates. Disabling this option reduces the protection level of your VMs and should only be used when first creating or deploying the base image. + > [!IMPORTANT] + > Running scans after an update helps ensure your VMs are protected with the latest security intelligence updates. Disabling this option reduces the protection level of your VMs and should only be used when first creating or deploying the base image. -Specify the interval to check for security intelligence updates (Enter how often to check for security intelligence updates): Enabled - 8 +- Specify the interval to check for security intelligence updates (Enter how often to check for security intelligence updates): `Enabled - 8` -Leave other settings in default state +- Leave other settings in their default state ### Threats 
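Review bot: In this hunk, `Enabled - 8` for "Specify the interval to check for security intelligence updates" carries no unit, so readers can't tell whether 8 means hours or something else; state the unit next to the value. Indenting the two admonitions under their bullet matches the rest of the list; "Leave other settings in their default state" reads better as a closing sentence after the list than as a bullet among the settings.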
From 70040c35aafeeadb13e2537fe67964391cf28b81 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 30 Dec 2024 11:02:53 -0800 Subject: [PATCH 13/30] Update deployment-vdi-microsoft-defender-antivirus.md --- ...oyment-vdi-microsoft-defender-antivirus.md | 36 +++++++++---------- 1 file changed, 18 insertions(+), 18 deletions(-) diff --git a/defender-endpoint/deployment-vdi-microsoft-defender-antivirus.md b/defender-endpoint/deployment-vdi-microsoft-defender-antivirus.md index 05519a052d..da8c381fcd 100644 --- a/defender-endpoint/deployment-vdi-microsoft-defender-antivirus.md +++ b/defender-endpoint/deployment-vdi-microsoft-defender-antivirus.md 
@@ -295,32 +295,32 @@ It's important to take advantage of the included threat protection capabilities ### Threats -Specify threat alert levels at which default action should not be taken when detected: Enabled. Set Severe (5), High (4), Medium (2) and Low (1), all to quarantine (2) +- Specify threat alert levels at which default action should not be taken when detected: `Enabled` -|Value name|Value | -| -------- | -------- | -|1 |2 | -|2|2| -|4|2| -|5|2| +- Set `Severe (5)`, `High (4)`, `Medium (2)`, and `Low (1)` all to `Quarantine (2)`, as shown in the following table: -### Attack surface reduction rules - -Configure all available rules to Audit. + |Value name|Value | + | -------- | -------- | + |`1` (Low) |`2` | + |`2` (Medium) |`2`| + |`4` (High) |`2`| + |`5` (Severe) |`2`| +### Attack surface reduction rules +Configure all available rules to `Audit`. ### Enable network protection -Prevent users and apps from accessing dangerous websites (Enable network protection): Enabled - Audit mode +Prevent users and apps from accessing dangerous websites (Enable network protection): `Enabled - Audit mode` ### SmartScreen for Microsoft Edge -Require SmartScreen for Microsoft Edge: Yes +- Require SmartScreen for Microsoft Edge: `Yes` -Block malicious site access: Yes +- Block malicious site access: `Yes` -Block unverified file download: Yes +- Block unverified file download: `Yes` ## Run the "Windows Defender Cache Maintenance" scheduled task 
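Review bot: In the @@ -295 hunk, the blank lines around "### Attack surface reduction rules" were dropped: the heading is immediately followed by "Configure all available rules to `Audit`." and then by "### Enable network protection" with no separation, which is inconsistent with the spacing the rest of the hunk keeps. In the Threats section, the lead bullet lists the levels as Severe, High, Medium, Low while the table runs Low to Severe; align the order. Because `Medium (2)` and `Quarantine (2)` share the number 2, keeping the labels in both columns of the table (as the hunk now does for "Value name") is the right choice; consider labelling the "Value" column entries `2 (Quarantine)` as well.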
@@ -328,12 +328,12 @@ Optimize the "Windows Defender Cache Maintenance" scheduled task for non-persist 1. Open up the **Task Scheduler** mmc (`taskschd.msc`). -1. Expand **Task Scheduler Library** > **Microsoft** > **Windows** > **Windows Defender**, and then right-click on **Windows Defender Cache Maintenance**. +2. Expand **Task Scheduler Library** > **Microsoft** > **Windows** > **Windows Defender**, and then right-click on **Windows Defender Cache Maintenance**. -1. Select **Run**, and let the scheduled task finish. +3. Select **Run**, and let the scheduled task finish. -1. > [!WARNING] -> If you do not do this, it can cause higher cpu utilization while the cache maintenance task is running on each of the VMs. + > [!WARNING] + > If you do not do this, it can cause higher cpu utilization while the cache maintenance task is running on each of the VMs. ### Enable Tamper protection From 094e8b6a8adb7df893c9e6a6b7cf0afdcaae3a09 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 30 Dec 2024 11:05:20 -0800 Subject: [PATCH 14/30] Update deployment-vdi-microsoft-defender-antivirus.md --- .../deployment-vdi-microsoft-defender-antivirus.md | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/defender-endpoint/deployment-vdi-microsoft-defender-antivirus.md b/defender-endpoint/deployment-vdi-microsoft-defender-antivirus.md index da8c381fcd..f9407a2a80 100644 --- a/defender-endpoint/deployment-vdi-microsoft-defender-antivirus.md +++ b/defender-endpoint/deployment-vdi-microsoft-defender-antivirus.md 
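Review bot: In the @@ -328 hunk, the warning is now correctly an indented admonition instead of a numbered list item, but "If you do not do this" loses its referent once it is detached from step 3; suggest "If you don't run this task on the image before sealing it, ...". Also "cpu" should be "CPU", and the unchanged step "Open up the **Task Scheduler** mmc (`taskschd.msc`)" reads better as "Open **Task Scheduler** (`taskschd.msc`)".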
@@ -76,7 +76,7 @@ In Windows 10, version 1903, Microsoft introduced the shared security intelligen ## Download and unpackage the latest updates -Now you can get started on downloading and installing new updates. We've created a sample PowerShell script for you below. This script is the easiest way to download new updates and get them ready for your VMs. You should then set the script to run at a certain time on the management machine by using a scheduled task (or, if you're familiar with using PowerShell scripts in Azure, Intune, or SCCM, you could also use those scripts). +Now you can get started on downloading and installing new updates. This section contains a sample PowerShell script that you can use. This script is the easiest way to download new updates and get them ready for your VMs. You should then set the script to run at a certain time on the management machine by using a scheduled task (or, if you're familiar with using PowerShell scripts in Azure, Intune, or SCCM, you could also use those scripts). ```PowerShell @@ -335,9 +335,9 @@ Optimize the "Windows Defender Cache Maintenance" scheduled task for non-persist > [!WARNING] > If you do not do this, it can cause higher cpu utilization while the cache maintenance task is running on each of the VMs. -### Enable Tamper protection +### Enable tamper protection -Enable tamper protection to prevent Microsoft Defender being disabled in the Microsoft Defender XDR portal (security.microsoft.com). +Enable tamper protection to prevent Microsoft Defender Antivirus from being disabled in the [Microsoft Defender portal](https://security.microsoft.com). ### Exclusions 
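Review bot: In the @@ -335 hunk, "prevent Microsoft Defender Antivirus from being disabled in the [Microsoft Defender portal]" attaches the portal to the wrong verb: tamper protection is turned on in the portal and prevents the antivirus from being disabled on the VM. Suggest "In the Microsoft Defender portal, enable tamper protection so that Microsoft Defender Antivirus can't be disabled on the VMs." Since the article's intro (the @@ -31 hunk earlier in this series) says it is for customers using Microsoft Defender Antivirus only, and the Defender portal is the Defender for Endpoint management surface, say how a customer without Defender for Endpoint enables tamper protection, or note that this step depends on Defender for Endpoint. The @@ -76 hunk is a wording change only.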
@@ -358,7 +358,6 @@ If you're looking for information about Defender for Endpoint on non-Windows pla - [Microsoft Defender for Endpoint on Mac](microsoft-defender-endpoint-mac.md) - [Microsoft Defender for Endpoint on Linux](microsoft-defender-endpoint-linux.md) - [Configure Defender for Endpoint on Android features](android-configure.md) - - [Configure Microsoft Defender for Endpoint on iOS features](ios-configure-features.md) [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../includes/defender-mde-techcommunity.md)] From 69d042536c99835e3e38d7c1f918d1c9153f4083 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 30 Dec 2024 11:06:18 -0800 Subject: [PATCH 15/30] Update deployment-vdi-microsoft-defender-antivirus.md --- .../deployment-vdi-microsoft-defender-antivirus.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defender-endpoint/deployment-vdi-microsoft-defender-antivirus.md b/defender-endpoint/deployment-vdi-microsoft-defender-antivirus.md index f9407a2a80..3d5c5b2bb0 100644 --- a/defender-endpoint/deployment-vdi-microsoft-defender-antivirus.md +++ b/defender-endpoint/deployment-vdi-microsoft-defender-antivirus.md 
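Review bot: The @@ -358 hunk removes the "Configure Microsoft Defender for Endpoint on iOS features" link from the list introduced as Defender for Endpoint on non-Windows platforms but keeps the Mac, Linux and Android entries, and the commit message ("Update deployment-vdi-microsoft-defender-antivirus.md") gives no reason; if the iOS page was retired, say so in the commit message, otherwise restore the link.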
@@ -76,7 +76,7 @@ In Windows 10, version 1903, Microsoft introduced the shared security intelligen ## Download and unpackage the latest updates -Now you can get started on downloading and installing new updates. This section contains a sample PowerShell script that you can use. This script is the easiest way to download new updates and get them ready for your VMs. You should then set the script to run at a certain time on the management machine by using a scheduled task (or, if you're familiar with using PowerShell scripts in Azure, Intune, or SCCM, you could also use those scripts). +Now you can get started on downloading and installing new updates. This section contains a sample PowerShell script that you can use. This script is the easiest way to download new updates and get them ready for your VMs. You should then set the script to run at a certain time on the management machine by using a scheduled task. Or, if you're familiar with using PowerShell scripts in Azure, Intune, or Configuration Manager, you could use those scripts instead. ```PowerShell From 661b8443c0987ea3ad336d71c20cb86e0660231f Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 30 Dec 2024 11:07:49 -0800 Subject: [PATCH 16/30] Update deployment-vdi-microsoft-defender-antivirus.md --- .../deployment-vdi-microsoft-defender-antivirus.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/defender-endpoint/deployment-vdi-microsoft-defender-antivirus.md b/defender-endpoint/deployment-vdi-microsoft-defender-antivirus.md index 3d5c5b2bb0..a0a05280f2 100644 --- a/defender-endpoint/deployment-vdi-microsoft-defender-antivirus.md +++ b/defender-endpoint/deployment-vdi-microsoft-defender-antivirus.md 
@@ -295,7 +295,7 @@ It's important to take advantage of the included threat protection capabilities ### Threats -- Specify threat alert levels at which default action should not be taken when detected: `Enabled` +- Specify threat alert levels at which default action shouldn't be taken when detected: `Enabled` - Set `Severe (5)`, `High (4)`, `Medium (2)`, and `Low (1)` all to `Quarantine (2)`, as shown in the following table: @@ -343,9 +343,9 @@ Enable tamper protection to prevent Microsoft Defender Antivirus from being disa If you think you need to add exclusions, see [Manage exclusions for Microsoft Defender for Endpoint and Microsoft Defender Antivirus](defender-endpoint-antivirus-exclusions.md). -## Next step +## EDR -If you are also deploying Microsoft Defender for Endpoint - EDR to your Windows based VDI VMs, please go thru the steps here: [Onboard non-persistent virtual desktop infrastructure (VDI) devices in Microsoft Defender XDR](/defender-endpoint/configure-endpoints-vdi) +If you're also deploying [endpoint detection and response](overview-endpoint-detection-response.md) (EDR) to your Windows-based VDI VMs, see [Onboard non-persistent virtual desktop infrastructure (VDI) devices in Microsoft Defender XDR](/defender-endpoint/configure-endpoints-vdi). ## See also From 6428b2a7152fe4097bdcf1a50e8c7ce826287ef6 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 30 Dec 2024 11:10:40 -0800 Subject: [PATCH 17/30] Update deployment-vdi-microsoft-defender-antivirus.md --- ...deployment-vdi-microsoft-defender-antivirus.md | 15 ++++++--------- 1 file changed, 6 insertions(+), 9 deletions(-) diff --git a/defender-endpoint/deployment-vdi-microsoft-defender-antivirus.md b/defender-endpoint/deployment-vdi-microsoft-defender-antivirus.md index a0a05280f2..e92cbb945b 100644 --- a/defender-endpoint/deployment-vdi-microsoft-defender-antivirus.md +++ b/defender-endpoint/deployment-vdi-microsoft-defender-antivirus.md 
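Review bot: In the @@ -343 hunk, renaming "## Next step" to "## EDR" makes the heading less descriptive for a section that consists of one cross-reference sentence; "Next step" (or "Onboard to endpoint detection and response") tells the reader what the section is for. The rewritten sentence itself is an improvement: "please go thru the steps here" is gone and EDR is spelled out and linked on first use. The @@ -295 hunk ("should not" to "shouldn't") is style only.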
@@ -38,12 +38,9 @@ You can use Microsoft Defender Antivirus in a remote desktop (RDS) or non-persis This guide describes how to configure Microsoft Defender Antivirus on your VMs for optimal protection and performance, including how to: - [Set up a dedicated VDI file share for security intelligence updates](#set-up-a-dedicated-vdi-file-share-for-security-intelligence) -- [Randomize scheduled scans](#randomize-scheduled-scans) -- [Use quick scans](#use-quick-scans) -- [Prevent notifications](#prevent-notifications) -- [Disable scans from occurring after every update](#disable-scans-after-an-update) -- [Scan out-of-date machines or machines that were offline for a while](#scan-vms-that-have-been-offline) -- [Apply exclusions](#exclusions) +- [Download and unpackage the latest updates](#download-and-unpackage-the-latest-updates) +- [Configure Microsoft Defender Antivirus settings](#microsoft-defender-antivirus-configuration-settings) +- > [!IMPORTANT] > Although a VDI can be hosted on Windows Server 2012 or Windows Server 2016, virtual machines (VMs) should be running Windows 10, version 1607 at a minimum, due to increased protection technologies and features that are unavailable in earlier versions of Windows. @@ -312,7 +309,7 @@ Configure all available rules to `Audit`. ### Enable network protection -Prevent users and apps from accessing dangerous websites (Enable network protection): `Enabled - Audit mode` +Prevent users and apps from accessing dangerous websites (Enable network protection): `Enabled - Audit mode`. ### SmartScreen for Microsoft Edge 
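Review bot: The @@ -38 hunk leaves a trailing empty bullet (`+- `) at the end of the "including how to" list, which renders as an empty list item; either drop it or fill it with the entry for the cache maintenance section, which is the remaining H2 in the file. Removing the six old anchors (`#randomize-scheduled-scans`, `#use-quick-scans`, `#prevent-notifications` and so on) is right, assuming those headings no longer exist in the restructured settings section; worth a quick search of the file to confirm none is still linked elsewhere. The @@ -312 hunk only adds a trailing period after the code span.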
@@ -322,7 +319,7 @@ Prevent users and apps from accessing dangerous websites (Enable network protect - Block unverified file download: `Yes` -## Run the "Windows Defender Cache Maintenance" scheduled task +## Run the Windows Defender Cache Maintenance scheduled task Optimize the "Windows Defender Cache Maintenance" scheduled task for non-persistent and/or persistent VDI environments. Run this task on the main image before sealing. @@ -343,7 +340,7 @@ Enable tamper protection to prevent Microsoft Defender Antivirus from being disa If you think you need to add exclusions, see [Manage exclusions for Microsoft Defender for Endpoint and Microsoft Defender Antivirus](defender-endpoint-antivirus-exclusions.md). -## EDR +## Next step If you're also deploying [endpoint detection and response](overview-endpoint-detection-response.md) (EDR) to your Windows-based VDI VMs, see [Onboard non-persistent virtual desktop infrastructure (VDI) devices in Microsoft Defender XDR](/defender-endpoint/configure-endpoints-vdi). From d8565c3e47b12d96b5087fc69c7e1723e7671f18 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 30 Dec 2024 11:11:43 -0800 Subject: [PATCH 18/30] Update deployment-vdi-microsoft-defender-antivirus.md --- .../deployment-vdi-microsoft-defender-antivirus.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defender-endpoint/deployment-vdi-microsoft-defender-antivirus.md b/defender-endpoint/deployment-vdi-microsoft-defender-antivirus.md index e92cbb945b..db62cd2141 100644 --- a/defender-endpoint/deployment-vdi-microsoft-defender-antivirus.md +++ b/defender-endpoint/deployment-vdi-microsoft-defender-antivirus.md 
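Review bot: In the @@ -322 hunk, the quotes are dropped from the heading but the unchanged body line beneath it still says 'Optimize the "Windows Defender Cache Maintenance" scheduled task'; make the two consistent. The @@ -343 hunk reverts the "## EDR" heading introduced in the previous commit back to "## Next step"; squashing the two commits would avoid the churn in the history.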
@@ -40,7 +40,7 @@ This guide describes how to configure Microsoft Defender Antivirus on your VMs f - [Set up a dedicated VDI file share for security intelligence updates](#set-up-a-dedicated-vdi-file-share-for-security-intelligence) - [Download and unpackage the latest updates](#download-and-unpackage-the-latest-updates) - [Configure Microsoft Defender Antivirus settings](#microsoft-defender-antivirus-configuration-settings) -- +- [Run the Windows Defender Cache Maintenance scheduled task](#run-the-windows-defender-cache-maintenance-scheduled-task) > [!IMPORTANT] > Although a VDI can be hosted on Windows Server 2012 or Windows Server 2016, virtual machines (VMs) should be running Windows 10, version 1607 at a minimum, due to increased protection technologies and features that are unavailable in earlier versions of Windows. From 9f6a7c946d896064c68099b96290087073a9cc67 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 30 Dec 2024 11:25:01 -0800 Subject: [PATCH 19/30] Update configure-endpoints-vdi.md --- defender-endpoint/configure-endpoints-vdi.md | 58 ++++++++------------ 1 file changed, 24 insertions(+), 34 deletions(-) diff --git a/defender-endpoint/configure-endpoints-vdi.md b/defender-endpoint/configure-endpoints-vdi.md index 4bfb15bfb9..ba2691cdc0 100644 --- a/defender-endpoint/configure-endpoints-vdi.md +++ b/defender-endpoint/configure-endpoints-vdi.md @@ -1,6 +1,6 @@ --- title: Onboard non-persistent virtual desktop infrastructure (VDI) devices -description: Deploy the configuration package on virtual desktop infrastructure (VDI) device so that they are onboarded to Microsoft Defender for Endpoint service. +description: Deploy the configuration package on virtual desktop infrastructure (VDI) device so that they're onboarded to Microsoft Defender for Endpoint service. search.appverid: met150 ms.service: defender-endpoint ms.author: deniseb 
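Review bot: the new `description:` line in the `@@ -1,6 +1,6 @@` hunk still mixes number, "on virtual desktop infrastructure (VDI) device so that they're onboarded to Microsoft Defender for Endpoint service"; suggest "on virtual desktop infrastructure (VDI) devices so that they're onboarded to the Microsoft Defender for Endpoint service".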
@@ -14,19 +14,12 @@ ms.collection: - tier2 ms.custom: admindeeplinkDEFENDER ms.topic: conceptual -ms.date: 09/21/2023 +ms.date: 12/30/2024 ms.subservice: onboard --- # Onboard non-persistent virtual desktop infrastructure (VDI) devices in Microsoft Defender XDR -Virtual desktop infrastructure (VDI) is an IT infrastructure concept that lets end users access enterprise virtual desktops instances from almost any device (such as your personal computer, smartphone, or tablet), eliminating the need for organization to provide users with physical machines. Using VDI devices reduce cost as IT departments are no longer responsible for managing, repairing, and replacing physical endpoints. Authorized users can access the same company servers, files, apps, and services from any approved device through a secure desktop client or browser. - -Like any other system in an IT environment, these too should have an Endpoint Detection and Response (EDR) and Antivirus solution to protect against advanced threats and attacks. - - -[!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)] - **Applies to:** - [Microsoft Defender for Endpoint Plan 1](microsoft-defender-endpoint.md) 
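Review bot: besides the two intro paragraphs (which the `@@ -38,26 +31,26 @@` hunk re-adds further down), this hunk also deletes `[!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)]`, and nothing re-adds it; if the rebranding notice is still meant to appear on this article, keep the include, otherwise call out its removal in the commit message so the change is deliberate rather than collateral.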
@@ -38,26 +31,26 @@ Like any other system in an IT environment, these too should have an Endpoint De > Want to experience Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-configvdi-abovefoldlink) - > [!NOTE] +Virtual desktop infrastructure (VDI) is an IT infrastructure concept that lets end users access enterprise virtual desktops instances from almost any device (such as your personal computer, smartphone, or tablet), eliminating the need for organization to provide users with physical machines. Using VDI devices reduces costs, as IT departments are no longer responsible for managing, repairing, and replacing physical endpoints. Authorized users can access the same company servers, files, apps, and services from any approved device through a secure desktop client or browser. + +Like any other system in an IT environment, VDI devices should have an endpoint detection and response (EDR) and antivirus solution to protect against advanced threats and attacks. + +> [!NOTE] > **Persistent VDI's** - Onboarding a persistent VDI machine into Microsoft Defender for Endpoint is handled the same way you would onboard a physical machine, such as a desktop or laptop. Group policy, Microsoft Configuration Manager, and other methods can be used to onboard a persistent machine. In the Microsoft Defender portal, (https://security.microsoft.com) under onboarding, select your preferred onboarding method, and follow the instructions for that type. For more information see [Onboarding Windows client](onboard-windows-client.md). ## Onboarding non-persistent virtual desktop infrastructure (VDI) devices -Defender for Endpoint supports non-persistent VDI session onboarding. - -There might be associated challenges when onboarding VDI instances. 
The following are typical challenges for this scenario: +Defender for Endpoint supports non-persistent VDI session onboarding. There might be associated challenges when onboarding VDI instances. The following are typical challenges for this scenario: - Instant early onboarding of a short-lived session, which must be onboarded to Defender for Endpoint prior to the actual provisioning. -- The device name is typically reused for new sessions. -In a VDI environment, VDI instances can have short lifespans. VDI devices can appear in the Microsoft Defender portal as either single entries for each VDI instance or multiple entries for each device. +- The device name is typically reused for new sessions. -- Single entry for each VDI instance. If the VDI instance was already onboarded to Microsoft Defender for Endpoint, and at some point deleted, and then recreated with the same host name, a new object representing this VDI instance is NOT be created in the portal. +- In a VDI environment, VDI instances can have short lifespans. VDI devices can appear in the Microsoft Defender portal as either single entries for each VDI instance or multiple entries for each device. - > [!NOTE] - > In this case, the *same* device name must be configured when the session is created, for example using an unattended answer file. + - Single entry for each VDI instance. If the VDI instance was already onboarded to Microsoft Defender for Endpoint, and at some point deleted, and then recreated with the same host name, a new object representing this VDI instance is NOT be created in the portal. In this case, the *same* device name must be configured when the session is created, for example using an unattended answer file. -- Multiple entries for each device - one for each VDI instance. + - Multiple entries for each device - one for each VDI instance. 
> [!IMPORTANT] > If you're deploying non-persistent VDIs through cloning technology, make sure that your internal template VMs are not onboarded to Defender for Endpoint. This recommendation is to avoid cloned VMs from being onboarded with the same senseGuid as your template VMs, which could prevent VMs from showing up as new entries in the Devices list. @@ -72,7 +65,7 @@ The following steps guide you through onboarding VDI devices and highlight steps > [!NOTE] > Windows Server 2016 and Windows Server 2012 R2 must be prepared by applying the installation package first using the instructions in [Onboard Windows servers](configure-server-endpoints.md#windows-server-2016-and-windows-server-2012-r2) for this feature to work. -1. Open the VDI configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the Microsoft Defender portal: +1. Open the VDI configuration package file (`WindowsDefenderATPOnboardingPackage.zip`) that you downloaded from the service onboarding wizard. You can also get the package from the [Microsoft Defender portal](https://go.microsoft.com/fwlink/p/?linkid=2077139). 1. In the navigation pane, select **Settings** > **Endpoints** > **Device management** > **Onboarding**. 
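Review bot: the text moved in the `@@ -38,26 +31,26 @@` hunk keeps the grammar error "a new object representing this VDI instance is NOT be created in the portal"; change to "is NOT created". Since the sentence is being reworked anyway, state the consequence explicitly: with the single-entry method a recreated session only merges into the existing device record when it comes back with the same host name, which is why the unattended answer file has to pin the device name.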
@@ -80,16 +73,16 @@ The following steps guide you through onboarding VDI devices and highlight steps 3. In the **Deployment method** field, select **VDI onboarding scripts for non-persistent endpoints**. - 4. Click **Download package** and save the .zip file. + 4. Click **Download package** and save the file. -2. Copy the files from the WindowsDefenderATPOnboardingPackage folder extracted from the .zip file into the golden/primary image under the path `C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup`. +2. Copy the files from the `WindowsDefenderATPOnboardingPackage` folder extracted from the zipped folder into the golden/primary image under the path `C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup`. - 1. If you are implementing multiple entries for each device - one for each session, copy WindowsDefenderATPOnboardingScript.cmd. + - If you are implementing multiple entries for each device - one for each session, copy `WindowsDefenderATPOnboardingScript.cmd`. - 2. If you're implementing a single entry for each device, copy both Onboard-NonPersistentMachine.ps1 and WindowsDefenderATPOnboardingScript.cmd. + - If you're implementing a single entry for each device, copy both `Onboard-NonPersistentMachine.ps1` and `WindowsDefenderATPOnboardingScript.cmd`. - > [!NOTE] - > If you don't see the `C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup` folder, it might be hidden. You'll need to choose the **Show hidden files and folders** option from File Explorer. + > [!NOTE] + > If you don't see the `C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup` folder, it might be hidden. You'll need to choose the **Show hidden files and folders** option from File Explorer. 3. Open a Local Group Policy Editor window and navigate to **Computer Configuration** \> **Windows Settings** \> **Scripts** \> **Startup**. 
@@ -98,15 +91,12 @@ The following steps guide you through onboarding VDI devices and highlight steps 4. Depending on the method you'd like to implement, follow the appropriate steps: - - For single entry for each device: - - Select the **PowerShell Scripts** tab, then select **Add** (Windows Explorer opens directly in the path where you copied the onboarding script earlier). Navigate to onboarding PowerShell script `Onboard-NonPersistentMachine.ps1`. There's no need to specify the other file, as it is triggered automatically. - - - For multiple entries for each device: - - Select the **Scripts** tab, then click **Add** (Windows Explorer opens directly in the path where you copied the onboarding script earlier). Navigate to the onboarding bash script `WindowsDefenderATPOnboardingScript.cmd`. + | Method | Steps | + |---|---| + | Single entry for each device | 1. Select the **PowerShell Scripts** tab, then select **Add** (Windows Explorer opens directly in the path where you copied the onboarding script earlier).
2. Navigate to onboarding PowerShell script `Onboard-NonPersistentMachine.ps1`. There's no need to specify the other file, as it is triggered automatically. | + | Multiple entries for each device | 1. Select the **Scripts** tab, then click **Add** (Windows Explorer opens directly in the path where you copied the onboarding script earlier).
2. Navigate to the onboarding bash script `WindowsDefenderATPOnboardingScript.cmd`. | -5. Test your solution: +5. Test your solution by following these steps: 1. Create a pool with one device. From 184385efaa8625ac9d0d385157c19ae1cf8aaa67 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 30 Dec 2024 11:26:25 -0800 Subject: [PATCH 20/30] Update configure-endpoints-vdi.md --- defender-endpoint/configure-endpoints-vdi.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/defender-endpoint/configure-endpoints-vdi.md b/defender-endpoint/configure-endpoints-vdi.md index ba2691cdc0..d7414a0bde 100644 --- a/defender-endpoint/configure-endpoints-vdi.md +++ b/defender-endpoint/configure-endpoints-vdi.md @@ -100,16 +100,16 @@ The following steps guide you through onboarding VDI devices and highlight steps 1. Create a pool with one device. - 2. Log on to device. + 2. Sign into device. - 3. Log off from device. + 3. Sign out on the device. - 4. Log on to device with another user. + 4. Sign into the device using another account. 5. Depending on the method you'd like to implement, follow the appropriate steps: - - For single entry for each device: Check only one entry in Microsoft Defender portal. - - For multiple entries for each device: Check multiple entries in Microsoft Defender portal. + - For single entry for each device: Check for only one entry in the [Microsoft Defender portal](https://security.microsoft.com). + - For multiple entries for each device: Check multiple entries in the [Microsoft Defender portal](https://security.microsoft.com). 6. Click **Devices list** on the Navigation pane. From 4bead5d35c5740a60bc544f4fe967b050da46f4e Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 30 Dec 2024 11:28:01 -0800 Subject: [PATCH 21/30] Update configure-endpoints-vdi.md --- defender-endpoint/configure-endpoints-vdi.md | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) 
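Review bot: the new table in the `@@ -98,15 +91,12 @@` hunk carries over "Navigate to the onboarding bash script `WindowsDefenderATPOnboardingScript.cmd`" from the removed bullets; a `.cmd` file is a Windows batch script executed by cmd.exe, not a bash script, so say "onboarding batch script". Patch 23 rewrites the same row again without correcting this.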
diff --git a/defender-endpoint/configure-endpoints-vdi.md b/defender-endpoint/configure-endpoints-vdi.md index d7414a0bde..76c8a3e420 100644 --- a/defender-endpoint/configure-endpoints-vdi.md +++ b/defender-endpoint/configure-endpoints-vdi.md @@ -111,7 +111,7 @@ The following steps guide you through onboarding VDI devices and highlight steps - For single entry for each device: Check for only one entry in the [Microsoft Defender portal](https://security.microsoft.com). - For multiple entries for each device: Check multiple entries in the [Microsoft Defender portal](https://security.microsoft.com). -6. Click **Devices list** on the Navigation pane. +6. In the navigation pane, select **Devices list**. 7. Use the search function by entering the device name and select **Device** as search type. 
@@ -120,20 +120,20 @@ The following steps guide you through onboarding VDI devices and highlight steps > [!NOTE] > These instructions for other Windows server versions also apply if you are running the previous Microsoft Defender for Endpoint for Windows Server 2016 and Windows Server 2012 R2 that requires the MMA. Instructions to migrate to the new unified solution are at [Server migration scenarios in Microsoft Defender for Endpoint](server-migration.md). -The following registry is relevant only when the aim is to achieve a 'Single entry for each device'. +The following registry is relevant only when the aim is to achieve a single entry for each device. -1. Set registry value to: +1. Set the registry value as follows: - ```console + ```console [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging] "VDI"="NonPersistent" - ``` + ``` - or using command line: + Or, you can use command line as follows: - ```console - reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging" /v VDI /t REG_SZ /d "NonPersistent" /f - ``` + ```console + reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging" /v VDI /t REG_SZ /d "NonPersistent" /f + ``` 2. Follow the [server onboarding process](configure-server-endpoints.md). From abb475d6e175f546a241351b36f739eccf1d893c Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 30 Dec 2024 11:29:03 -0800 Subject: [PATCH 22/30] Update configure-endpoints-vdi.md --- defender-endpoint/configure-endpoints-vdi.md | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/defender-endpoint/configure-endpoints-vdi.md b/defender-endpoint/configure-endpoints-vdi.md index 76c8a3e420..b72e8e01d5 100644 --- a/defender-endpoint/configure-endpoints-vdi.md +++ b/defender-endpoint/configure-endpoints-vdi.md 
@@ -125,14 +125,18 @@ The following registry is relevant only when the aim is to achieve a single entr 1. Set the registry value as follows: ```console + [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging] "VDI"="NonPersistent" + ``` Or, you can use command line as follows: ```console + reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging" /v VDI /t REG_SZ /d "NonPersistent" /f + ``` 2. Follow the [server onboarding process](configure-server-endpoints.md). @@ -144,20 +148,25 @@ With the ability to easily deploy updates to VMs running in VDIs, we've shortene If you have onboarded the primary image of your VDI environment (SENSE service is running), then you must offboard and clear some data before putting the image back into production. 1. [Offboard the machine](offboard-machines.md). + 2. Ensure the sensor is stopped by running the following command in a CMD window: ```console + sc query sense + ``` 3. Run the following commands in a CMD window:: ```console + del "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Cyber\*.*" /f /s /q REG DELETE "HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection" /v senseGuid /f REG DELETE "HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection" /v 7DC0B629-D7F6-4DB3-9BF7-64D5AAF50F1A /f REG DELETE "HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\48A68F11-7A16-4180-B32C-7F974C7BD783" /f exit + ``` ### Are you using a third party for VDIs? 
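Review bot: the blank lines added inside every fenced block in the `@@ -125,14 +125,18 @@` and `@@ -144,20 +148,25 @@` hunks render as empty first and last lines inside the code boxes and differ from the fences the rest of the file uses; drop them. In the `@@ -144` hunk, "Run the following commands in a CMD window::" has a doubled colon, and the step "Ensure the sensor is stopped by running ... `sc query sense`" should say what the reader is checking for (a STATE of STOPPED) before the `del`/`REG DELETE` cleanup runs, because clearing `senseGuid` and the `Cyber` folder is only meaningful while the Sense service is not running.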
@@ -176,7 +185,7 @@ After onboarding devices to the service, it's important to take advantage of the The configuration settings in this link are recommended: [Configure Microsoft Defender Antivirus on a remote desktop or virtual desktop infrastructure environment](/defender-endpoint/deployment-vdi-microsoft-defender-antivirus). -## Related topics +## Related articles - [Onboard Windows devices using Group Policy](configure-endpoints-gp.md) - [Onboard Windows devices using Microsoft Configuration Manager](configure-endpoints-sccm.md) From ab702d36313a36267d6868798be816dc69982b0b Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 30 Dec 2024 11:30:48 -0800 Subject: [PATCH 23/30] Update configure-endpoints-vdi.md --- defender-endpoint/configure-endpoints-vdi.md | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/defender-endpoint/configure-endpoints-vdi.md b/defender-endpoint/configure-endpoints-vdi.md index b72e8e01d5..5d6053dc96 100644 --- a/defender-endpoint/configure-endpoints-vdi.md +++ b/defender-endpoint/configure-endpoints-vdi.md 
@@ -36,13 +36,13 @@ Virtual desktop infrastructure (VDI) is an IT infrastructure concept that lets e Like any other system in an IT environment, VDI devices should have an endpoint detection and response (EDR) and antivirus solution to protect against advanced threats and attacks. > [!NOTE] -> **Persistent VDI's** - Onboarding a persistent VDI machine into Microsoft Defender for Endpoint is handled the same way you would onboard a physical machine, such as a desktop or laptop. Group policy, Microsoft Configuration Manager, and other methods can be used to onboard a persistent machine. In the Microsoft Defender portal, (https://security.microsoft.com) under onboarding, select your preferred onboarding method, and follow the instructions for that type. For more information see [Onboarding Windows client](onboard-windows-client.md). +> **Persistent VDI's** - Onboarding a persistent VDI machine into Microsoft Defender for Endpoint is handled the same way you would onboard a physical machine, such as a desktop or laptop. Group policy, Microsoft Configuration Manager, and other methods can be used to onboard a persistent machine. In the Microsoft Defender portal, (https://security.microsoft.com) under onboarding, select your preferred onboarding method, and follow the instructions for that type. For more information, see [Onboarding Windows client](onboard-windows-client.md). ## Onboarding non-persistent virtual desktop infrastructure (VDI) devices Defender for Endpoint supports non-persistent VDI session onboarding. There might be associated challenges when onboarding VDI instances. The following are typical challenges for this scenario: -- Instant early onboarding of a short-lived session, which must be onboarded to Defender for Endpoint prior to the actual provisioning. +- Instant early onboarding of a short-lived session, which must be onboarded to Defender for Endpoint before actual provisioning. - The device name is typically reused for new sessions. 
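Review bot: the NOTE line edited in this hunk still reads "**Persistent VDI's**"; the apostrophe turns a plural into a possessive, and the rest of the article uses "non-persistent VDIs", so change it to "**Persistent VDIs**". The same line has a stray comma in "In the Microsoft Defender portal, (https://security.microsoft.com) under onboarding".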
@@ -73,11 +73,11 @@ The following steps guide you through onboarding VDI devices and highlight steps 3. In the **Deployment method** field, select **VDI onboarding scripts for non-persistent endpoints**. - 4. Click **Download package** and save the file. + 4. Select **Download package** and save the file. 2. Copy the files from the `WindowsDefenderATPOnboardingPackage` folder extracted from the zipped folder into the golden/primary image under the path `C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup`. - - If you are implementing multiple entries for each device - one for each session, copy `WindowsDefenderATPOnboardingScript.cmd`. + - If you're implementing multiple entries for each device - one for each session, copy `WindowsDefenderATPOnboardingScript.cmd`. - If you're implementing a single entry for each device, copy both `Onboard-NonPersistentMachine.ps1` and `WindowsDefenderATPOnboardingScript.cmd`. @@ -93,8 +93,8 @@ The following steps guide you through onboarding VDI devices and highlight steps | Method | Steps | |---|---| - | Single entry for each device | 1. Select the **PowerShell Scripts** tab, then select **Add** (Windows Explorer opens directly in the path where you copied the onboarding script earlier).
2. Navigate to onboarding PowerShell script `Onboard-NonPersistentMachine.ps1`. There's no need to specify the other file, as it is triggered automatically. | - | Multiple entries for each device | 1. Select the **Scripts** tab, then click **Add** (Windows Explorer opens directly in the path where you copied the onboarding script earlier).
2. Navigate to the onboarding bash script `WindowsDefenderATPOnboardingScript.cmd`. | + | Single entry for each device | 1. Select the **PowerShell Scripts** tab, then select **Add** (Windows Explorer opens directly in the path where you copied the onboarding script earlier).
2. Navigate to onboarding PowerShell script `Onboard-NonPersistentMachine.ps1`. There's no need to specify the other file, as it's triggered automatically. | + | Multiple entries for each device | 1. Select the **Scripts** tab, then select **Add** (Windows Explorer opens directly in the path where you copied the onboarding script earlier).
2. Navigate to the onboarding bash script `WindowsDefenderATPOnboardingScript.cmd`. | 5. Test your solution by following these steps: @@ -171,9 +171,9 @@ If you have onboarded the primary image of your VDI environment (SENSE service i ### Are you using a third party for VDIs? -If you're deploying non-persistent VDIs through VMware instant cloning or similar technologies, make sure that your internal template VMs and replica VMs are not onboarded to Defender for Endpoint. If you onboard devices using the single entry method, instant clones that are provisioned from onboarded VMs might have the same senseGuid, and that can stop a new entry from being listed in the Device Inventory view (in the [Microsoft Defender portal](https://security.microsoft.com), choose **Assets** > **Devices**). +If you're deploying non-persistent VDIs through VMware instant cloning or similar technologies, make sure that your internal template VMs and replica VMs aren't onboarded to Defender for Endpoint. If you onboard devices using the single entry method, instant clones that are provisioned from onboarded VMs might have the same senseGuid, and that can stop a new entry from being listed in the Device Inventory view (in the [Microsoft Defender portal](https://security.microsoft.com), choose **Assets** > **Devices**). -If either the primary image, template VM, or replica VM are onboarded to Defender for Endpoint using the single entry method, it will stop Defender from creating entries for new non-persistent VDIs in the Microsoft Defender portal. +If either the primary image, template VM, or replica VM are onboarded to Defender for Endpoint using the single entry method, it stops Defender for Endpoint from creating entries for new non-persistent VDIs in the Microsoft Defender portal. Reach out to your third-party vendors for further assistance. From 8692f16a81c181e4cb0b277f9f5352c70cf223f9 Mon Sep 17 00:00:00 2001 
From: Denise Vangel-MSFT Date: Mon, 30 Dec 2024 11:33:05 -0800 Subject: [PATCH 24/30] Update configure-endpoints-vdi.md --- defender-endpoint/configure-endpoints-vdi.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defender-endpoint/configure-endpoints-vdi.md b/defender-endpoint/configure-endpoints-vdi.md index 5d6053dc96..26fcbff881 100644 --- a/defender-endpoint/configure-endpoints-vdi.md +++ b/defender-endpoint/configure-endpoints-vdi.md @@ -5,7 +5,7 @@ search.appverid: met150 ms.service: defender-endpoint ms.author: deniseb author: denisebmsft -ms.reviewer: pahuijbr +ms.reviewer: pahuijbr; yonghree ms.localizationpriority: medium manager: deniseb audience: ITPro From 97f6dcbb20785e34311a53b73b7c62d07f89a025 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 30 Dec 2024 11:35:57 -0800 Subject: [PATCH 25/30] Update date, prerequisites, and formatting in indicator-file.md --- defender-endpoint/indicator-file.md | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/defender-endpoint/indicator-file.md b/defender-endpoint/indicator-file.md index 6247507142..a5496d772c 100644 --- a/defender-endpoint/indicator-file.md +++ b/defender-endpoint/indicator-file.md @@ -6,7 +6,7 @@ ms.service: defender-endpoint ms.author: deniseb author: denisebmsft ms.localizationpriority: medium -ms.date: 10/17/2024 +ms.date: 12/30/2024 manager: deniseb audience: ITPro ms.collection: @@ -47,8 +47,6 @@ There are three ways you can create indicators for files: - By creating a contextual indicator using the add indicator button from the file details page - By creating an indicator through the [Indicator API](api/ti-indicator.md) - - ## Before you begin Understand the following prerequisites before you create indicators for files: 
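Review bot: in the `@@ -171,9 +171,9 @@` hunk of patch 23 ("Are you using a third party for VDIs?"), "If either the primary image, template VM, or replica VM are onboarded" should be "is onboarded", and the section tells the reader to make sure template and replica VMs aren't onboarded but gives no way to verify it; point to the check the article already has (`sc query sense` showing the service stopped and no `senseGuid` value under `HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection`) so the template can be confirmed clean before cloning.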
@@ -64,6 +62,7 @@ Understand the following prerequisites before you create indicators for files: ### Windows prerequisites - This feature is available if your organization uses [Microsoft Defender Antivirus](microsoft-defender-antivirus-windows.md) (in active mode) + - The Antimalware client version must be `4.18.1901.x` or later. See [Monthly platform and engine versions](microsoft-defender-antivirus-updates.md#platform-and-engine-releases) - This feature is supported on devices running Windows 10, version 1703 or later, Windows 11, Windows Server 2012 R2, Windows Server 2016 or later, Windows Server 2019, or Windows Server 2022. @@ -77,13 +76,13 @@ Understand the following prerequisites before you create indicators for files: - [File hash computation is enabled](/defender-endpoint/mac-resources#configuring-from-the-command-line) by running `mdatp config enable-file-hash-computation --value enabled` -### linux prerequisites +### Linux prerequisites - Available in Defender for Endpoint version 101.85.27 or later. -- [File hash computation is enabled](/defender-endpoint/linux-preferences#configure-file-hash-computation-feature) from the portal or in the managed JSON +- [File hash computation is enabled](/defender-endpoint/linux-preferences#configure-file-hash-computation-feature) in the Microsoft Defender portal or in the managed JSON -- BM is preferred but will work with any other scan (RTP, Custom, etc). +- Behavior monitoring is preferred, but this will work with any other scan (RTP, Custom, etc). ## Create an indicator for files from the settings page 
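Review bot: "Behavior monitoring is preferred, but this will work with any other scan (RTP, Custom, etc)." in the `@@ -77,13 +76,13 @@` hunk leaves "this" without a referent and "will work" unexplained; spell out what is meant, for example that a file indicator on Linux is only matched once the file's hash has been computed by a scan, so behavior monitoring (preferred) catches it at execution and otherwise real-time protection or a custom scan has to touch the file first. Expand "RTP" to "real-time protection" on first use.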
@@ -96,7 +95,9 @@ Understand the following prerequisites before you create indicators for files: 4. Specify the following details: - Indicator: Specify the entity details and define the expiration of the indicator. + - Action: Specify the action to be taken and provide a description. + - Scope: Define the scope of the device group (scoping isn't available in [Defender for Business](/defender-business/mdb-overview)). > [!NOTE] @@ -140,7 +141,7 @@ The current supported actions for file IOC are allow, audit and block, and remed > For more information about the EnableFileHashComputation group policy, see [Defender CSP](/windows/client-management/mdm/defender-csp). > For more information on configuring this feature on Defender for Endpoint on Linux and macOS, see [Configure file hash computation feature on Linux](linux-preferences.md#configure-file-hash-computation-feature) and [Configure file hash computation feature on macOS](mac-preferences.md#configure-file-hash-computation-feature). -> ## Advanced hunting capabilities (preview) +## Advanced hunting capabilities (preview) > [!IMPORTANT] > Information in this section (**Public Preview for Automated investigation and remediation engine**) relates to prerelease product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. From 9a388f481ccf304bd3b51fdc3d744664ad280974 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 30 Dec 2024 12:09:33 -0800 Subject: [PATCH 26/30] Update defender-antivirus-compatibility-without-mde.md --- ...der-antivirus-compatibility-without-mde.md | 61 +++++++++---------- 1 file changed, 30 insertions(+), 31 deletions(-) diff --git a/defender-endpoint/defender-antivirus-compatibility-without-mde.md b/defender-endpoint/defender-antivirus-compatibility-without-mde.md index 283816dd9d..3c995b8178 100644 --- a/defender-endpoint/defender-antivirus-compatibility-without-mde.md 
+++ b/defender-endpoint/defender-antivirus-compatibility-without-mde.md @@ -1,26 +1,23 @@ --- -# Required metadata -# For more information, see https://review.learn.microsoft.com/en-us/help/platform/learn-editor-add-metadata?branch=main -# For valid values of ms.service, ms.prod, and ms.topic, see https://review.learn.microsoft.com/en-us/help/platform/metadata-taxonomies?branch=main - title: Microsoft Defender Antivirus and non-Microsoft antivirus/antimalware solutions Antivirus protection without Defender for Endpoint description: Microsoft Defender Antivirus and non-Microsoft antivirus/antimalware solutions Antivirus protection without Defender for Endpoint -author: YongRhee-MSFT # GitHub alias -ms.author: yongrhee # Microsoft alias +author: denisebmsft +ms.author: deniseb +ms.reviewer: yongrhee ms.service: defender-endpoint -ms.topic: article -ms.date: 12/27/2024 +ms.topic: conceptual +ms.date: 12/30/2024 ms.subservice: ngp ---- +search.appverid: met150 +ms.localizationpriority: medium -# Microsoft Defender Antivirus and third-party antivirus solutions without Defender for Endpoint +--- -__Applies to:__ +# Microsoft Defender Antivirus and non-Microsoft antivirus solutions without Defender for Endpoint -- [Microsoft Defender for Endpoint Plan 1](/defender-endpoint/microsoft-defender-endpoint) +**Applies to**: - [Microsoft Defender for Individuals](https://www.microsoft.com/microsoft-365/microsoft-defender-for-individuals) - - Microsoft Defender Antivirus This section describes what happens when you use Microsoft Defender Antivirus alongside non-Microsoft antivirus/antimalware products on endpoints that aren't onboarded to Defender for Endpoint. 
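Review bot: the `title:` and `description:` in this hunk both run two phrases together ("...antivirus/antimalware solutions Antivirus protection without Defender for Endpoint") and are identical to each other; use the new H1 ("Microsoft Defender Antivirus and non-Microsoft antivirus solutions without Defender for Endpoint") as the title and write a one-sentence description. Dropping "Microsoft Defender for Endpoint Plan 1" from "Applies to" matches the article's scope, but the remaining bare "Microsoft Defender Antivirus" entry should be linked like the entry above it.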
@@ -39,50 +36,52 @@ The following table summarizes what to expect: > [!NOTE] > On Windows Server, if you're running a non-Microsoft antivirus product, you can uninstall Microsoft Defender Antivirus by using the following PowerShell cmdlet (as an administrator): `Uninstall-WindowsFeature Windows-Defender`. Restart your server to finish removing Microsoft Defender Antivirus. On Windows Server 2016, you might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus*. If you uninstall your non-Microsoft antivirus product, make sure that Microsoft Defender Antivirus is re-enabled. See **[Re-enable Microsoft Defender Antivirus on Windows Server if it was disabled](/defender-endpoint/enable-update-mdav-to-latest-ws)**. -Check the services and filter drivers for Microsoft Defender Antivirus - +Check the services and filter drivers for Microsoft Defender Antivirus by using the following command: ```powershell + gsv WinDefend, WdBoot, WdFilter, WdNisSvc, WdNisDrv | ft -auto DisplayName, Name, StartType, Status + ``` -|Display Name|Name|StartType|Status when Defender AV is enabled| Status when Defender AV is disabled| Comments | +|Display Name|Name|StartType|Status when Microsoft Defender Antivirus is enabled| Status when Microsoft Defender Antivirus is disabled| Comments | | -------- | -------- | -------- | -------- | -------- | -------- | -|Microsoft Defender Antivirus Boot Driver |WdBoot|Boot |Stopped (0x0 Boot_start)| Stopped (0x3 Demand_start)|It’s normal to be stopped after boot. | -|Microsoft Defender Antivirus Mini-Filter Driver|WdFilter|Manual |Running (0x0 Boot_start)|Stopped (0x3 Demand_start)|If a 3rd party AV is installed, then this will be stopped. | -|Microsoft Defender Antivirus Network Inspection System Driver |WdNisDrv|Manual|Running (0x3 Demand_start)|Stopped (0x3 Demand_start)|If a 3rd party AV is installed, then this will be stopped. 
| -|Microsoft Defender Antivirus Network Inspection Service |WdNisSvc|Manual|Running (0x3 Demand_start)|Stopped (0x3 Demand_start)|If a 3rd party AV is installed, then this will be stopped. | -|Microsoft Defender Antivirus Service|WinDefend|Automatic|Running (0x2 Auto_start)|Stopped (0x3 Demand_start)|If a 3rd party AV is installed, then this will be stopped.| +|Microsoft Defender Antivirus Boot Driver |`WdBoot`|Boot |Stopped (`0x0 Boot_start`)| Stopped (`0x3 Demand_start`)|It's normal to be stopped after boot. | +|Microsoft Defender Antivirus Mini-Filter Driver|`WdFilter`|Manual |Running (`0x0 Boot_start`)|Stopped (`0x3 Demand_start`)|If a non-Microsoft antivirus solution is installed, expect status to be stopped. | +|Microsoft Defender Antivirus Network Inspection System Driver |`WdNisDrv`|Manual|Running (`0x3 Demand_start`)|Stopped (`0x3 Demand_start`)|If a non-Microsoft antivirus solution is installed, expect status to be stopped. | +|Microsoft Defender Antivirus Network Inspection Service |`WdNisSvc`|Manual|Running (`0x3 Demand_start`)|Stopped (`0x3 Demand_start`)|If a non-Microsoft antivirus solution is installed, expect status to be stopped. | +|Microsoft Defender Antivirus Service|`WinDefend`|Automatic|Running (`0x2 Auto_start`)|Stopped (`0x3 Demand_start`)|If a non-Microsoft antivirus solution is installed, expect status to be stopped.| ### Frequently Asked Questions (FAQ) Q: Can I update Microsoft Defender Antivirus components such as "Security intelligence update" or "Engine update" "Platform update" when Microsoft Defender Antivirus is disabled? -A: No. When Microsoft Defender Antivirus is disabled, since the services and drivers are not running, you will not be able to update the components such as "Security intelligence update" or "Engine update" "Platform update". +A: No. 
When Microsoft Defender Antivirus is disabled, since the services and drivers are not running, you will not be able to update the components such as "Security intelligence update" or "Engine update" "Platform update". > [!TIP] -> If you are migrating to Microsoft Defender for Endpoint, when onboarded, Microsoft Defender Antivirus will go into 'passive mode' in Windows clients and via a registry key in Windows Servers, where you will be able to update the different components of Microsoft Defender Antivirus. +> If you are migrating to Microsoft Defender for Endpoint, when onboarded, Microsoft Defender Antivirus goes into passive mode automatically on Windows clients, and can be set to passive mode using a registry key on Windows Server. You can update the different components of Microsoft Defender Antivirus. Q: Can I manually change the start type of the services and drivers for Microsoft Defender Antivirus? -A: We do not support the manual modification of the start type of the services and drivers for Microsoft Defender Antivirus in Windows images. On Windows clients, the supported method is via the third-party antivirus solution registering to Windows Security Center (WSC) api. Or on Windows Servers uninstalling Microsoft Defender Antivirus feature, via the Roles and Features MMC or via Powershell (Run as admin): - +A: We do not support the manual modification of the start type of the services and drivers for Microsoft Defender Antivirus in Windows images. On Windows clients, the supported method is by registring your non-Microsoft antivirus in Windows Security (WSC) api. Or, on Windows Server, you can uninstall the Microsoft Defender Antivirus feature by using roles and features MMC or by running the following PowerShell command (as an administrator): ```powershell + Uninstall-WindowsFeature Windows-Defender + ``` -Q: Can I use Microsoft Defender Antivirus in "passive mode" without onboarding to Microsoft Defender for Endpoint? 
+Q: Can I use Microsoft Defender Antivirus in passive mode without onboarding to Microsoft Defender for Endpoint? -A: No. "Passive mode" is a functionality of Microsoft Defender for Endpoint Plan 2. +A: No. Passive mode is functionality in Microsoft Defender for Endpoint Plan 2. -Q: Can I use "EDR in block mode" without onboarding to Microsoft Defender for Endpoint? +Q: Can I use [EDR in block mode](edr-in-block-mode.md) without onboarding to Microsoft Defender for Endpoint? -A: No. "EDR in block mode" is a functionality of Microsoft Defender for Endpoint Plan 2. +A: No. EDR in block mode is a functionality in Microsoft Defender for Endpoint Plan 2. -Q: Can I use "Indicators" - "File hash" or "IP address/URL's" or "Certificates" with Microsoft Defender Antivirus (active mode) with M365 E3/A3 license? +Q: Can I use indicators, such as file hash, IP address/URL's, or certificates with Microsoft Defender Antivirus (in active mode) with my Microsoft 365 E3/A3 license? -A: Yes, please review [Microsoft Defender for Endpoint Plan 1 Now Included in M365 E3/A3 Licenses](https://techcommunity.microsoft.com/blog/microsoftdefenderatpblog/microsoft-defender-for-endpoint-plan-1-now-included-in-m365-e3a3-licenses/3060639) and [Overview of Microsoft Defender for Endpoint Plan 1](/defender-endpoint/defender-endpoint-plan-1) +A: Yes. See [Tech Community Blog: Microsoft Defender for Endpoint Plan 1 Now Included in M365 E3/A3 Licenses](https://techcommunity.microsoft.com/blog/microsoftdefenderatpblog/microsoft-defender-for-endpoint-plan-1-now-included-in-m365-e3a3-licenses/3060639) and [Overview of Microsoft Defender for Endpoint Plan 1](/defender-endpoint/defender-endpoint-plan-1) ## See also From cc9f8756a55e89a6bf3fde5441d30f7419b399fa Mon Sep 17 00:00:00 2001 
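Review bot: both fenced PowerShell blocks in this hunk add a blank `+` line directly inside the fence (before and after `gsv WinDefend, WdBoot, WdFilter, WdNisSvc, WdNisDrv | ft -auto DisplayName, Name, StartType, Status` and around `Uninstall-WindowsFeature Windows-Defender`), which renders as empty lines inside the code box; drop them. In the first block, `gsv` and `ft` are aliases, and documentation should spell out `Get-Service WinDefend, WdBoot, WdFilter, WdNisSvc, WdNisDrv | Format-Table -AutoSize DisplayName, Name, StartType, Status` so the command is unambiguous. In the table, the `WdFilter` row gives StartType `Manual` while its status annotation says `0x0 Boot_start`; the two columns should agree, so confirm which value is correct. In the start-type answer, "Windows Security Center (WSC) api" became "Windows Security (WSC) api", which leaves the acronym unexplained; keep "Windows Security Center (WSC) API", and "registring" is a typo. Finally, "IP address/URL's" should be "IP addresses or URLs", and the "A: Yes. See ..." answer is missing its closing period.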
From: Denise Vangel-MSFT Date: Mon, 30 Dec 2024 12:10:16 -0800 Subject: [PATCH 27/30] Update defender-antivirus-compatibility-without-mde.md --- .../defender-antivirus-compatibility-without-mde.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/defender-endpoint/defender-antivirus-compatibility-without-mde.md b/defender-endpoint/defender-antivirus-compatibility-without-mde.md index 3c995b8178..5cc6f890ac 100644 --- a/defender-endpoint/defender-antivirus-compatibility-without-mde.md +++ b/defender-endpoint/defender-antivirus-compatibility-without-mde.md 
@@ -56,14 +56,14 @@ gsv WinDefend, WdBoot, WdFilter, WdNisSvc, WdNisDrv | ft -auto DisplayName, Name Q: Can I update Microsoft Defender Antivirus components such as "Security intelligence update" or "Engine update" "Platform update" when Microsoft Defender Antivirus is disabled? -A: No. When Microsoft Defender Antivirus is disabled, since the services and drivers are not running, you will not be able to update the components such as "Security intelligence update" or "Engine update" "Platform update". +A: No. When Microsoft Defender Antivirus is disabled, since the services and drivers aren't running, you won't be able to update the components such as "Security intelligence update" or "Engine update" "Platform update". > [!TIP] > If you are migrating to Microsoft Defender for Endpoint, when onboarded, Microsoft Defender Antivirus goes into passive mode automatically on Windows clients, and can be set to passive mode using a registry key on Windows Server. You can update the different components of Microsoft Defender Antivirus. Q: Can I manually change the start type of the services and drivers for Microsoft Defender Antivirus? -A: We do not support the manual modification of the start type of the services and drivers for Microsoft Defender Antivirus in Windows images. On Windows clients, the supported method is by registring your non-Microsoft antivirus in Windows Security (WSC) api. Or, on Windows Server, you can uninstall the Microsoft Defender Antivirus feature by using roles and features MMC or by running the following PowerShell command (as an administrator): +A: We don't support the manual modification of the start type of the services and drivers for Microsoft Defender Antivirus in Windows images. On Windows clients, the supported method is by registering your non-Microsoft antivirus in Windows Security (WSC) API. 
Or, on Windows Server, you can uninstall the Microsoft Defender Antivirus feature by using roles and features MMC or by running the following PowerShell command (as an administrator): ```powershell @@ -81,7 +81,7 @@ A: No. EDR in block mode is a functionality in Microsoft Defender for Endpoint P Q: Can I use indicators, such as file hash, IP address/URL's, or certificates with Microsoft Defender Antivirus (in active mode) with my Microsoft 365 E3/A3 license? -A: Yes. See [Tech Community Blog: Microsoft Defender for Endpoint Plan 1 Now Included in M365 E3/A3 Licenses](https://techcommunity.microsoft.com/blog/microsoftdefenderatpblog/microsoft-defender-for-endpoint-plan-1-now-included-in-m365-e3a3-licenses/3060639) and [Overview of Microsoft Defender for Endpoint Plan 1](/defender-endpoint/defender-endpoint-plan-1) +A: Yes. See [Tech Community Blog: Microsoft Defender for Endpoint Plan 1 Now Included in Microsoft 365 E3/A3 Licenses](https://techcommunity.microsoft.com/blog/microsoftdefenderatpblog/microsoft-defender-for-endpoint-plan-1-now-included-in-m365-e3a3-licenses/3060639) and [Overview of Microsoft Defender for Endpoint Plan 1](/defender-endpoint/defender-endpoint-plan-1) ## See also From 4beb46ef9a9a87f37fd97aa4c379ec0a3eecf163 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 30 Dec 2024 12:12:51 -0800 Subject: [PATCH 28/30] Update defender-antivirus-compatibility-without-mde.md --- .../defender-antivirus-compatibility-without-mde.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/defender-endpoint/defender-antivirus-compatibility-without-mde.md b/defender-endpoint/defender-antivirus-compatibility-without-mde.md index 5cc6f890ac..f1cd19a1e7 100644 --- a/defender-endpoint/defender-antivirus-compatibility-without-mde.md +++ b/defender-endpoint/defender-antivirus-compatibility-without-mde.md 
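Review bot: "Windows Security (WSC) API" still does not match its own acronym; the component a non-Microsoft antivirus registers with is the Windows Security Center (WSC) API, with the Windows Security app being only the UI, so write "Windows Security Center (WSC) API". The contraction and spelling fixes in the rest of the hunk look right.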
@@ -17,6 +17,7 @@ ms.localizationpriority: medium **Applies to**: +- [Microsoft Defender for Endpoint Plan 1](defender-endpoint-plan-1.md) - [Microsoft Defender for Individuals](https://www.microsoft.com/microsoft-365/microsoft-defender-for-individuals) - Microsoft Defender Antivirus @@ -81,7 +82,7 @@ A: No. EDR in block mode is a functionality in Microsoft Defender for Endpoint P Q: Can I use indicators, such as file hash, IP address/URL's, or certificates with Microsoft Defender Antivirus (in active mode) with my Microsoft 365 E3/A3 license? -A: Yes. See [Tech Community Blog: Microsoft Defender for Endpoint Plan 1 Now Included in Microsoft 365 E3/A3 Licenses](https://techcommunity.microsoft.com/blog/microsoftdefenderatpblog/microsoft-defender-for-endpoint-plan-1-now-included-in-m365-e3a3-licenses/3060639) and [Overview of Microsoft Defender for Endpoint Plan 1](/defender-endpoint/defender-endpoint-plan-1) +A: Yes. See [Tech Community Blog: Microsoft Defender for Endpoint Plan 1 Now Included in Microsoft 365 E3/A3 Licenses](https://techcommunity.microsoft.com/blog/microsoftdefenderatpblog/microsoft-defender-for-endpoint-plan-1-now-included-in-m365-e3a3-licenses/3060639) and [Overview of Microsoft Defender for Endpoint Plan 1](/defender-endpoint/defender-endpoint-plan-1). ## See also From 710461ad020d063471035051c3a8827bfa89ee2c Mon Sep 17 00:00:00 2001 From: Ruchika Mittal Date: Tue, 31 Dec 2024 01:57:19 +0530 Subject: [PATCH 29/30] fix etc --- defender-endpoint/indicator-file.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defender-endpoint/indicator-file.md b/defender-endpoint/indicator-file.md index a5496d772c..7b5a2a27d7 100644 --- a/defender-endpoint/indicator-file.md +++ b/defender-endpoint/indicator-file.md 
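Review bot: the re-added Plan 1 entry links relatively (`defender-endpoint-plan-1.md`) while the FAQ later in this same file links the same page absolutely (`/defender-endpoint/defender-endpoint-plan-1`); use one form throughout. Since the H1 says "without Defender for Endpoint", a reader may also wonder why Plan 1 appears under **Applies to**; one sentence in the intro noting that Plan 1 is included in Microsoft 365 E3/A3 and is what provides indicators for Microsoft Defender Antivirus in active mode (as the FAQ states) would resolve that.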
@@ -82,7 +82,7 @@ Understand the following prerequisites before you create indicators for files: - [File hash computation is enabled](/defender-endpoint/linux-preferences#configure-file-hash-computation-feature) in the Microsoft Defender portal or in the managed JSON -- Behavior monitoring is preferred, but this will work with any other scan (RTP, Custom, etc). +- Behavior monitoring is preferred, but this will work with any other scan (RTP or Custom). ## Create an indicator for files from the settings page From 2e9f09dfac35b5528c59a5e344e23f51a75df9e2 Mon Sep 17 00:00:00 2001 From: Ruchika Mittal Date: Tue, 31 Dec 2024 02:36:51 +0530 Subject: [PATCH 30/30] Fix typos in defender-antivirus-compatibility document --- .../defender-antivirus-compatibility-without-mde.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defender-endpoint/defender-antivirus-compatibility-without-mde.md b/defender-endpoint/defender-antivirus-compatibility-without-mde.md index f1cd19a1e7..df7cde5905 100644 --- a/defender-endpoint/defender-antivirus-compatibility-without-mde.md +++ b/defender-endpoint/defender-antivirus-compatibility-without-mde.md 
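Review bot: "RTP" and "Custom" are left unexpanded in "(RTP or Custom)" while the same sentence spells out "Behavior monitoring"; write "(real-time protection or a custom scan)" so the prerequisite reads without prior context. It is also unclear what "this will work" refers to; name the subject explicitly (matching of file indicators) in the bullet.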
@@ -80,7 +80,7 @@ Q: Can I use [EDR in block mode](edr-in-block-mode.md) without onboarding to Mic A: No. EDR in block mode is a functionality in Microsoft Defender for Endpoint Plan 2. -Q: Can I use indicators, such as file hash, IP address/URL's, or certificates with Microsoft Defender Antivirus (in active mode) with my Microsoft 365 E3/A3 license? +Q: Can I use indicators, such as file hashes, IP addresses, URLs, or certificates with Microsoft Defender Antivirus (in active mode) with my Microsoft 365 E3/A3 license? A: Yes. See [Tech Community Blog: Microsoft Defender for Endpoint Plan 1 Now Included in Microsoft 365 E3/A3 Licenses](https://techcommunity.microsoft.com/blog/microsoftdefenderatpblog/microsoft-defender-for-endpoint-plan-1-now-included-in-m365-e3a3-licenses/3060639) and [Overview of Microsoft Defender for Endpoint Plan 1](/defender-endpoint/defender-endpoint-plan-1).
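Review bot: the pluralization fix is correct, but the answer still opens with a bare "Yes." and leaves the reason to the link titles; state it inline, for example "Yes. Microsoft 365 E3/A3 includes Microsoft Defender for Endpoint Plan 1, which provides indicators for file hashes, IP addresses, URLs, and certificates; see ..." so the answer stands on its own before the reader follows the links.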