diff --git a/defender-endpoint/TOC.yml b/defender-endpoint/TOC.yml
index cdb1c1adf7..9811b62921 100644
--- a/defender-endpoint/TOC.yml
+++ b/defender-endpoint/TOC.yml
@@ -67,6 +67,8 @@
href: evaluate-microsoft-defender-antivirus.md
- name: Evaluate Microsoft Defender Antivirus using PowerShell
href: microsoft-defender-antivirus-using-powershell.md
+ - name: Evaluate Microsoft Defender Antivirus using Microsoft Defender Endpoint Security Settings Management
+ href: evaluate-mda-using-mde-security-settings-management.md
- name: Evaluate Microsoft Defender Antivirus using Group Policy
href: evaluate-mdav-using-gp.md
- name: Microsoft Defender for Endpoint demonstration scenarios
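Review bot: The new TOC entry name drops the "for" from the product name; the target article and the rest of the set call it "Microsoft Defender for Endpoint Security Settings Management", so the entry should read `Evaluate Microsoft Defender Antivirus using Microsoft Defender for Endpoint Security Settings Management`. The new file name `evaluate-mda-using-mde-security-settings-management.md` also uses "mda" where the sibling entry two lines below uses `evaluate-mdav-using-gp.md`; picking the "mdav" abbreviation keeps the file names consistent.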
diff --git a/defender-endpoint/evaluate-mda-using-mde-security-settings-management.md b/defender-endpoint/evaluate-mda-using-mde-security-settings-management.md
new file mode 100644
index 0000000000..05f9baadc2
--- /dev/null
+++ b/defender-endpoint/evaluate-mda-using-mde-security-settings-management.md
@@ -0,0 +1,207 @@
+---
+title: Evaluate Microsoft Defender Antivirus using Microsoft Defender Endpoint Security Settings Management (Endpoint security policies)
+ms.reviewer: yonghree
+description: Learn how to evaluate Microsoft Defender Antivirus using Microsoft Defender Endpoint Security Settings Management (Endpoint security policies).
+ms.service: defender-endpoint
+ms.author: vpattnaik
+author: vpattnai
+ms.localizationpriority: medium
+manager: dolmont
+audience: ITPro
+ms.collection:
+- m365-security
+- tier2
+ms.topic: conceptual
+ms.subservice: edr
+search.appverid: met150
+ms.date: 05/13/2024
+---
+
+# Evaluate Microsoft Defender Antivirus using Microsoft Defender Endpoint Security Settings Management (Endpoint security policies)
+
+In Windows 10 or later, and in Windows Server 2016 or later, you can use next-generation protection features offered by Microsoft Defender Antivirus (MDAV) and Microsoft Defender Exploit Guard (Microsoft Defender EG).
+
+This article describes configuration options in Windows 10 or later, and in Windows Server 2016 or later, that guide you to activate and test the key protection features in MDAV and Microsoft Defender EG; and provides you with guidance and with links to more information.
+
+If you have any questions about a detection that MDAV makes, or you discover a missed detection, you can submit a file to us at our [sample submission help site](/defender-xdr/submission-guide).
+
+## Use Microsoft Defender Endpoint Security Settings Management (Endpoint security policies) to enable the features
+
+This section describes the [Microsoft Defender for Endpoint Security Settings Management (Endpoint security policies)](/mem/intune/protect/mde-security-integration) that configure the features you should use to evaluate our protection.
+
+MDAV indicates a detection through [standard Windows notifications](configure-notifications-microsoft-defender-antivirus.md). You can also review detections in the MDAV app. To do this, see [Review Microsoft Defender Antivirus scan results](review-scan-results-microsoft-defender-antivirus.md).
+
+The Windows event log also records detection and engine events. See the Microsoft Defender Antivirus events article for a list of event IDs and their corresponding actions. For information on the list of event IDs and their corresponding actions, see [Review event logs and error codes to troubleshoot issues with Microsoft Defender Antivirus](troubleshoot-microsoft-defender-antivirus.yml).
+
+To configure the options that you must use to test the protection features, perform the following steps:
+
+1. Sign in to [Microsoft Defender XDR](https://sip.security.microsoft.com/).
+1. Go to **Endpoints > Configuration management > Endpoint security policies > Windows policies > Create new policy**.
+1. Select **Windows 10, Windows 11, and Windows Server** from the **Select Platform** drop-down list.
+1. Select **Microsoft Defender Antivirus** from the **Select Template** drop-down list.
+1. Select **Create policy**. The **Create a new policy** page appears.
+1. On the **Basics** page, enter a name and description for the profile in the **Name** and **Description** fields, respectively.
+1. Select **Next**.
+1. On the **Configuration settings** page, expand the groups of settings.
+1. From these groups of settings, select those settings that you want to manage with this profile.
+1. Set the policies for the chosen groups of settings by configuring the settings as described in the following tables:
+
+**Real-time Protection (Always-on protection, real-time scanning)**
+
+|Description |Settings |
+|---------|---------|
+|Allow Realtime Monitoring|Allowed|
+|Real Time Scan Direction|Monitor all files (bi-directional) |
+|Allow Behavior Monitoring|Allowed|
+|Allow On Access Protection| Allowed|
+|PUA Protection|PUA Protection on|
+
+**Cloud protection features**
+
+|Description|Setting |
+|---------|---------|
+|Allow Cloud Protection | Allowed |
+|Cloud Block Level | High |
+|Cloud Extended Timeout |Configured, 50 |
+|Submit Samples Consent | Send all samples automatically |
+
+Standard security intelligence updates can take hours to prepare and deliver; our cloud-delivered protection service can deliver this protection in seconds. For more information, see [Use next-gen technologies in Microsoft Defender Antivirus through cloud-delivered protection](cloud-protection-microsoft-defender-antivirus.md).
+
+**Scans**
+
+|Description|Setting|
+|---------|---------|
+|Allow Email Scanning | Allowed |
+|Allow scanning of all downloaded files and attachments |Allowed |
+|Allow Script Scanning |Allowed |
+|Allow Archive Scanning | Allowed |
+|Allow Scanning Network Files | Allowed |
+|Allow Full Scan Removable Drive Scanning | Allowed |
+
+**Network Protection**
+
+|Description |Setting |
+|---------|---------|
+|Enable Network Protection | Enabled (block mode) |
+|Allow Network Protection Down Level | Network protection will be enabled downlevel. |
+|Allow Datagram Processing On Win Server | Datagram processing on Windows Server is enabled. |
+|Disable DNS over TCP parsing | DNS over TCP parsing is enabled. |
+|Disable HTTP parsing | HTTP parsing is enabled. |
+|Disable SSH parsing | SSH parsing is enabled. |
+|Disable TLS parsing | TLS parsing is enabled. |
+|Enable DNS Sinkhole | DNS Sinkhole is enabled. |
+
+**Security Intelligence updates**
+
+|Description |Setting |
+|---------|---------|
+|Signature Update Interval | Configured, 4 |
+
+**Description**: Signature Update Fallback Order
+**Setting**: Select the checkbox for **Signature Update Fallback**
+
+InternalDefinitionUpdateServer | MicrosoftUpdateServer | MMPC, where 'InternalDefinitionUpdateServer' is WSUS with Microsoft Defender Antivirus updates allowed; 'MicrosoftUpdateServer' = Microsoft Update (formerly Windows Update); and MMPC = https://www.microsoft.com/en-us/wdsi/definitions.
+
+**Local administrator AV**
+
+Disable local administrator AV settings such as exclusions, and set the policies from the Microsoft Defender for Endpoint Security Settings Management as described in the following table:
+
+|Description |Setting |
+|---------|---------|
+|Disable Local Admin Merge | Disable Local Admin Merge |
+
+**Threat severity default action**
+
+|Description |Setting |
+|---------|---------|
+|Remediation action for High severity threats | Quarantine |
+|Remediation action for Severe threats | Quarantine |
+|Remediation action for Low severity threats | Quarantine |
+|Remediation action for Moderate severity threats | Quarantine |
+
+|Description |Setting |
+|---------|---------|
+|Days to Retain Cleaned | Configured, 60 |
+|Allow User UI Access | Allowed. Let users access UI. |
+
+1. When you're done configuring settings, select **Next**.
+1. On the **Assignments** tab, select **Device Group** or **User Group** or **All devices** or **All Users**.
+1. Select **Next**.
+1. On the **Review + create** tab, review your policy settings, and then select **Save**.
+
+### Attack Surface Reduction rules
+
+To enable Attack Surface Reduction (ASR) rules using the endpoint security policies, perform the following steps:
+
+1. Sign in to [Microsoft Defender XDR](https://sip.security.microsoft.com/).
+1. Go to **Endpoints > Configuration management > Endpoint security policies > Windows policies > Create new policy**.
+1. Select **Windows 10, Windows 11, and Windows Server** from the **Select Platform** drop-down list.
+1. Select **Attack Surface Reduction Rules** from the **Select Template** drop-down list.
+1. Select **Create policy**.
+1. On the **Basics** page, enter a name and description for the profile; then, choose **Next**.
+1. On the **Configuration settings** page, expand the groups of settings and configure those settings you want to manage with this profile.
+1. Set the policies based on the following recommended settings:
+
+ |Description |Setting |
+ |---------|---------|
+ |Block executable content from email client and webmail | Block |
+ |Block Adobe Reader from creating child processes | Block |
+ |Block execution of potentially obfuscated scripts | Block |
+ |Block abuse of exploited vulnerable signed drivers (Device) | Block |
+ |Block Win32 API calls from Office macros | Block |
+ |Block executable files from running unless they meet a prevalence, age, or trusted list criterion | Block |
+ |Block Office communication application from creating child processes | Block |
+ |Block all Office applications from creating child processes | Block |
+ |[PREVIEW] Block use of copied or impersonated system tools | Block |
+ |Block JavaScript or VBScript from launching downloaded executable content | Block |
+ |Block credential stealing from the Windows local security authority subsystem | Block |
+ |Block Webshell creation for Servers | Block |
+ |Block Office applications from creating executable content | Block |
+ |Block untrusted and unsigned processes that run from USB | Block |
+ |Block Office applications from injecting code into other processes | Block |
+ |Block persistence through WMI event subscription | Block |
+ |Use advanced protection against ransomware | Block |
+ |Block process creations originating from PSExec and WMI commands | Block
NOTE: If you have Configuration Manager (formerly SCCM), or other management tools, that use WMI, you might need to set this to **Audit** instead of **Block**. |
+ |[PREVIEW] Block rebooting machine in Safe Mode | Block |
+ |Enable Controlled Folder Access | Enabled |
+
+> [!TIP]
+> Any of the rules may block behavior you find acceptable in your organization. In these cases, add the per-rule exclusions named “Attack Surface Reduction Only Exclusions”. And, change the rule from **Enabled** to **Audit** to prevent unwanted blocks.
+
+1. Select **Next**.
+1. On the **Assignments** tab, select **Device Group** or **User Group** or **All devices** or **All Users**.
+1. Select **Next**.
+1. On the **Review + create** tab, review your policy settings, and then select **Save**.
+
+#### Check the platform update version
+
+The latest "Platform Update" version Production channel (GA) is available in [Microsoft Update Catalog](https://www.catalog.update.microsoft.com/Search.aspx?q=KB4052623+update).
+
+To check which "Platform Update" version you have installed, run the following command in PowerShell using the privileges of an administrator:
+
+`get-mpComputerStatus | ft AMProductVersion`
+
+#### Check the Security Intelligence Update version
+
+The latest “Security Intelligence Update” version is available in [Latest security intelligence updates for Microsoft Defender Antivirus and other Microsoft antimalware - Microsoft Security Intelligence](https://www.microsoft.com/en-us/wdsi/defenderupdates).
+
+To check which “Security Intelligence Update” version you have installed, run the following command in PowerShell using the privileges of an administrator:
+
+`get-mpComputerStatus | ft AntivirusSignatureVersion`
+
+#### Check the Engine Update version
+
+The latest scan “engine update” version is available in [Latest security intelligence updates for Microsoft Defender Antivirus and other Microsoft antimalware - Microsoft Security Intelligence](https://www.microsoft.com/en-us/wdsi/defenderupdates).
+
+To check which “Engine Update” version you have installed, run the following command in PowerShell using the privileges of an administrator:
+
+`get-mpComputerStatus | ft AMEngineVersion`
+
+If you're finding that your settings aren't taking effect, you might have a conflict. For information on how to resolve conflicts, see [Troubleshoot Microsoft Defender Antivirus settings](troubleshoot-settings.md).
+
+#### For False Negatives (FNs) submissions
+
+To information on how to make False Negatives (FNs) submissions, see:
+
+- [Submit files in Microsoft Defender for Endpoint](admin-submissions-mde.md) if you have Microsoft XDR, Microsoft Defender for Endpoint P2/P1, or Microsoft Defender for Business.
+- [Submit files for analysis](/defender-xdr/submission-guide) if you have Microsoft Defender Antivirus.
\ No newline at end of file
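Review bot: The ASR table is broken at the row `|Block process creations originating from PSExec and WMI commands | Block` because the following `NOTE: If you have Configuration Manager ...` text sits on its own line outside the `|` cell (and is missing the `+` prefix in this hunk), so the table stops rendering at that row; either keep the note inside the cell with a `<br>` or move it to a `> [!NOTE]` block after the table. Further points in this file: the sign-in links use `https://sip.security.microsoft.com/`, an internal host, where public readers need `https://security.microsoft.com`; the TIP says to change a rule from **Enabled** to **Audit** while every value in the table is **Block**; the row `|Disable Local Admin Merge | Disable Local Admin Merge |` repeats the setting name as its value instead of giving a state; the steps `1. When you're done configuring settings, select **Next**.` and `1. Select **Next**.` after the TIP start new lists at 1 because the tables and tip are not indented under step 10; the two sentences about event IDs in the Windows event log paragraph say the same thing and one should go; the "Signature Update Fallback Order" entry is written as bold prose while the neighbouring settings are in tables; the PowerShell commands would read better as `Get-MpComputerStatus | Format-Table AMProductVersion` in a fenced powershell block rather than inline lowercase `get-mpComputerStatus | ft`; "To information on how to make False Negatives (FNs) submissions" should be "For information"; "Microsoft XDR" should be "Microsoft Defender XDR"; and the file lacks a trailing newline.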
diff --git a/defender-endpoint/mac-install-with-intune.md b/defender-endpoint/mac-install-with-intune.md
index 196345f872..34293fca2f 100644
--- a/defender-endpoint/mac-install-with-intune.md
+++ b/defender-endpoint/mac-install-with-intune.md
@@ -1,6 +1,6 @@
---
title: Intune-based deployment for Microsoft Defender for Endpoint on Mac
-description: Install Microsoft Defender for Endpoint on Mac by using Microsoft Intune.
+description: Install Microsoft Defender for Endpoint on Mac, using Microsoft Intune.
ms.service: defender-endpoint
author: YongRhee-MSFT
ms.author: yongrhee
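Review bot: The description change introduces a comma splice: "Install Microsoft Defender for Endpoint on Mac, using Microsoft Intune." reads worse than the original "by using Microsoft Intune." Suggest reverting this line or dropping the comma.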
@@ -19,13 +19,11 @@ ms.date: 08/21/2024
# Deploy Microsoft Defender for Endpoint on macOS with Microsoft Intune
-[!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)]
-
**Applies to:**
- [Microsoft Defender for Endpoint on macOS](microsoft-defender-endpoint-mac.md)
-- [Microsoft Defender for Endpoint Plan 1](microsoft-defender-endpoint.md)
-- [Microsoft Defender for Endpoint Plan 2](microsoft-defender-endpoint.md)
+- [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/p/?linkid=2154037)
+- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft Defender for business](https://www.microsoft.com/security/business/endpoint-security/microsoft-defender-business)
This article describes how to deploy Microsoft Defender for Endpoint on macOS through Microsoft Intune.
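Review bot: The Plan 1 and Plan 2 bullets swap relative doc links for the same `go.microsoft.com/fwlink/p/?linkid=2154037` redirect, which makes both entries indistinguishable and inconsistent with the relative link kept on the macOS bullet above them; prefer the relative `microsoft-defender-endpoint.md` links. Also confirm that removing the `[!INCLUDE [Microsoft Defender XDR rebranding]...]` line is intentional, since nothing in this change replaces it.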
@@ -36,7 +34,7 @@ Before you get started, see [the main Microsoft Defender for Endpoint on macOS p
## Overview
-The following table summarizes the steps you would need to take to deploy and manage Microsoft Defender for Endpoint on Macs, via Microsoft Intune. See the following table for more detailed steps.
+The following table summarizes the steps to deploy and manage Microsoft Defender for Endpoint on Macs via Microsoft Intune. See the following table for more detailed steps:
|Step |Sample file name |Bundle identifier |
|---------|---------|---------|
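Review bot: The rewritten sentence pair is still redundant: "The following table summarizes the steps ..." is immediately followed by "See the following table for more detailed steps:", both pointing at the same table. Drop the second sentence or change it to point at the per-step sections below the table.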
@@ -61,7 +59,7 @@ In the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2
### Step 1: Approve system extensions
-1. In the [Intune admin center](https://intune.microsoft.com), go to **Devices**, and under **Manage Devices**, select **Configuration**.
+1. In the [Intune admin center](https://intune.microsoft.com/#home), go to **Devices**, and under **Manage Devices**, select **Configuration**.
1. Under **Configuration profiles**, select **Create Profile**.
@@ -73,9 +71,11 @@ In the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2
1. Under **Profile type**, select **Templates**.
-1. Under **Template name**, select **Extensions**, and then select **Create**.
+1. Under **Template name**, select **Extensions**.
+
+1. Select **Create**.
-1. On the **Basics** tab, **Name** the profile. For example, `SysExt-prod-macOS-Default-MDE`. Then, select **Next**.
+1. On the **Basics** tab, **Name** the profile. For example, `SysExt-prod-macOS-Default-MDE`.
1. Select **Next**.
@@ -86,11 +86,11 @@ In the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2
|`com.microsoft.wdav.epsext`|`UBF8T346G9`|
|`com.microsoft.wdav.netext`|`UBF8T346G9`|
- :::image type="content" source="media/mac-system-extension-intune2.png" alt-text="The settings of the system's extension" lightbox="media/mac-system-extension-intune2.png":::
-
- Then select **Next**.
+ :::image type="content" source="../defender-endpoint/media/mac-system-extension-intune2.png" alt-text="Screenshot that shows the settings of the system's extension." lightbox="../defender-endpoint/media/mac-system-extension-intune2.png":::
+
+1. Select **Next**.
-1. On the **Assignments** tab, assign the profile to a group where the macOS devices and/or users are located, or select the **Add all users** and **Add all devices** options. Then select **Next**.
+1. On the **Assignments** tab, assign the profile to a group where the macOS devices and/or users are located, or **All Users** and **All devices**.
1. Review the configuration profile. Select **Create**.
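Review bot: The image paths change from `media/...` to `../defender-endpoint/media/...`, but this file already lives in `defender-endpoint/`, so the new path resolves to the same location and only adds a dependency on the folder name; keep the short `media/...` form. The same pattern appears in every later image hunk of this file.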
@@ -107,25 +107,27 @@ To configure your network filter:
1. Under **Configuration profiles**, select **Create Profile**.
-1. Under **Platform**, select **macOS**.
+2. Under **Platform**, select **macOS**.
-1. Under **Profile type**, select **Templates**.
+3. Under **Profile type**, select **Templates**.
-1. Under **Template name**, select **Custom**.
+4. Under **Template name**, select **Custom**.
-1. Select **Create**.
+5. Select **Create**.
-1. On the **Basics** tab, **Name** the profile. For example, `NetFilter-prod-macOS-Default-MDE`. Then, select **Next**.
+6. On the **Basics** tab, **Name** the profile. For example, `NetFilter-prod-macOS-Default-MDE`.
-1. On the **Configuration settings** tab, enter a **Custom configuration profile** name. For example, `NetFilter-prod-macOS-Default-MDE`.
+7. Select **Next**.
-1. Choose a Deployment channel and then select **Next**.
+8. On the **Configuration settings** tab, enter a **Custom configuration profile** name. For example, `NetFilter-prod-macOS-Default-MDE`.
-1. Select **Next**.
+9. Choose a Deployment channel and select **Next**.
-1. On the **Assignments** tab, assign the profile to a group where the macOS devices and/or users are located, or **All Users** and **All devices**.
+10. Select **Next**.
-1. Review the configuration profile. Select **Create**.
+11. On the **Assignments** tab, assign the profile to a group where the macOS devices and/or users are located, or **All Users** and **All devices**.
+
+12. Review the configuration profile. Select **Create**.
### Step 3: Full Disk Access
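Review bot: Steps 2 through 12 are now hard-numbered while step 1 keeps the `1.` form and every other procedure in this article uses `1.` auto-numbering; use one convention. Also, `9. Choose a Deployment channel and select **Next**.` is directly followed by `10. Select **Next**.`, so the reader is told to select Next twice in a row; one of the two should go.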
@@ -161,13 +163,12 @@ To configure Full Disk Access:
1. Review the configuration profile. Select **Create**.
> [!NOTE]
-> Full Disk Access granted through Apple MDM Configuration Profile is not reflected in **System Settings** > **Privacy & Security** > **Full Disk Access**.
+> Full Disk Access granted through Apple MDM Configuration Profile is not reflected in **System Settings > Privacy & Security > Full Disk Access**.
### Step 4: Background services
- > [!CAUTION]
- > macOS 13 (Ventura) contains new privacy enhancements. Beginning with this version, by default, applications cannot run in background without explicit consent. Microsoft Defender for Endpoint must run its daemon process in background.
- > This configuration profile grants Background Service permissions to Microsoft Defender for Endpoint. If you previously configured Microsoft Defender for Endpoint through Microsoft Intune, we recommend you update the deployment with this configuration profile.
+> [!CAUTION]
+> macOS 13 (Ventura) contains new privacy enhancements. Beginning with this version, by default, applications cannot run in background without explicit consent. Microsoft Defender for Endpoint must run its daemon process in background. This configuration profile grants Background Service permissions to Microsoft Defender for Endpoint. If you previously configured Microsoft Defender for Endpoint through Microsoft Intune, we recommend you update the deployment with this configuration profile.
Download [background_services.mobileconfig](https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/macos/mobileconfig/profiles/background_services.mobileconfig) from [GitHub repository](https://github.com/microsoft/mdatp-xplat/tree/master/macos/mobileconfig/profiles).
@@ -179,13 +180,15 @@ To configure background services:
1. Under **Profile type**, select **Templates**.
-1. Under **Template name**, select **Custom**, and then select **Create**.
+1. Under **Template name**, select **Custom**.
+
+1. Select **Create**.
1. On the **Basics** tab, **Name** the profile. For example, `BackgroundServices-prod-macOS-Default-MDE`.
1. Select **Next**.
-1. On the **Configuration settings** tab, enter a **Custom configuration profile** name. For example, `background_services.mobileconfig`.
+1. On the **Configuration settings** tab, enter a **Custom configuration profile** name. For example, `backgroundServices-prod-macOS-Default-MDE`.
1. Choose a **Deployment channel**.
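Review bot: The new example `backgroundServices-prod-macOS-Default-MDE` does not match the casing of the profile name `BackgroundServices-prod-macOS-Default-MDE` given two steps earlier, and the value it replaced (`background_services.mobileconfig`) was the name of the file the reader just downloaded. Decide whether this field should mirror the profile name or the file name, and use the same spelling in both places.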
@@ -203,10 +206,9 @@ This profile is used to allow Microsoft Defender for Endpoint on macOS and Micro
Download [notif.mobileconfig](https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/macos/mobileconfig/profiles/notif.mobileconfig) from [GitHub repository](https://github.com/microsoft/mdatp-xplat/tree/master/macos/mobileconfig/profiles).
-To turn off notifications for the end users, you can change **Show NotificationCenter** from `true` to `false` in
-[notif.mobileconfig](https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/macos/mobileconfig/profiles/notif.mobileconfig).
+To turn off notifications for the end users, you can change **Show NotificationCenter** from `true` to `false` in [notif.mobileconfig](https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/macos/mobileconfig/profiles/notif.mobileconfig).
-:::image type="content" source="media/image.png" alt-text="Screenshot showing notif.mobileconfig with ShowNotificationCenter set to True.":::
+:::image type="content" source="../defender-endpoint/media/image.png" alt-text="Screenshot showing notif.mobileconfig with ShowNotificationCenter set to True." lightbox="../defender-endpoint/media//image.png":::
To configure notifications:
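Review bot: The new `lightbox` path `../defender-endpoint/media//image.png` contains a doubled slash; it should match the `source` path on the same line. The asset name `image.png` is also non-descriptive compared with the other screenshots in this file.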
@@ -271,7 +273,7 @@ Download [accessibility.mobileconfig](https://github.com/microsoft/mdatp-xplat/b
> [!CAUTION]
> macOS 14 (Sonoma) contains new privacy enhancements. Beginning with this version, by default, applications cannot access Bluetooth without explicit consent. Microsoft Defender for Endpoint uses it if you configure Bluetooth policies for Device Control.
-Download [bluetooth.mobileconfig](https://github.com/microsoft/mdatp-xplat/blob/master/macos/mobileconfig/profiles/bluetooth.mobileconfig) from [GitHub repository](https://github.com/microsoft/mdatp-xplat/tree/master/macos/mobileconfig/profiles) and use the same workflow as for the Accessibility settings mentioned earlier in this article to enable Bluetooth access.
+Download [bluetooth.mobileconfig](https://github.com/microsoft/mdatp-xplat/blob/master/macos/mobileconfig/profiles/bluetooth.mobileconfig) from [GitHub repository](https://github.com/microsoft/mdatp-xplat/tree/master/macos/mobileconfig/profiles) and use the same workflow as in [Step 6: Accessibility settings](#step-6-accessibility-settings) to enable Bluetooth access.
> [!NOTE]
> Bluetooth granted through Apple MDM Configuration Profile is not reflected in System Settings => Privacy & Security => Bluetooth.
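Review bot: The new in-page link `#step-6-accessibility-settings` depends on the exact heading text, which this diff does not show; verify the anchor resolves. The NOTE below still writes the path as `System Settings => Privacy & Security => Bluetooth`, whereas the Full Disk Access note in this same change was normalized to `>` separators; align the two.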
@@ -286,7 +288,7 @@ This profile is used to update the Microsoft Defender for Endpoint on macOS via
For more information, see [Deploy updates for Microsoft Defender for Endpoint on macOS](mac-updates.md).
-Download [AutoUpdate2.mobileconfig](https://github.com/microsoft/mdatp-xplat/blob/master/macos/settings/microsoft_auto_update/com.microsoft.autoupdate2.mobileconfig) from [GitHub repository](https://github.com/microsoft/mdatp-xplat/tree/master/macos/settings/microsoft_auto_update).
+Download [AutoUpdate2.mobileconfig](https://github.com/microsoft/mdatp-xplat/blob/master/macos/settings/microsoft_auto_update/com.microsoft.autoupdate2.mobileconfig) from [GitHub repository](https://github.com/microsoft/mdatp-xplat/tree/master/macos/mobileconfig/profiles).
> [!NOTE]
> The sample `AutoUpdate2.mobileconfig` from the GitHub repository has it set to Current Channel (Production).
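Review bot: The "GitHub repository" link is changed to `macos/mobileconfig/profiles`, but the file link on the same line still points to `macos/settings/microsoft_auto_update/com.microsoft.autoupdate2.mobileconfig`; the directory link no longer matches the file's location, and the removed link did. This looks like a copy from the other profile sections and should be reverted.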
@@ -301,9 +303,11 @@ Download [AutoUpdate2.mobileconfig](https://github.com/microsoft/mdatp-xplat/blo
1. Select **Create**.
-1. On the **Basics** tab, **Name** the profile. For example, `MDATP onboarding for MacOS`and then select **Next**.
+1. On the **Basics** tab, **Name** the profile. For example, `Autoupdate-prod-macOS-Default-MDE`.
-1. On the **Configuration settings** tab, enter a **Custom configuration profile** name. For example, `com.microsoft.autoupdate2.mobileconfig`.
+1. Select **Next**.
+
+1. On the **Configuration settings** tab, enter a **Custom configuration profile** name. For example, `Autoupdate.mobileconfig`.
1. Choose a **Deployment channel**.
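Review bot: The example custom configuration profile name `Autoupdate.mobileconfig` does not correspond to the downloaded `AutoUpdate2.mobileconfig` / `com.microsoft.autoupdate2.mobileconfig`, so a reader uploading the file will see a different name than the example. The profile name `Autoupdate-prod-macOS-Default-MDE` also breaks the capitalization pattern of the other examples (`SysExt-`, `NetFilter-`, `BackgroundServices-`).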
@@ -319,6 +323,26 @@ Download [AutoUpdate2.mobileconfig](https://github.com/microsoft/mdatp-xplat/blo
In this step, we go over *Preferences* that enables you to configure anti-malware and EDR policies using Microsoft Intune ([https://intune.microsoft.com](https://intune.microsoft.com)).
+#### 9a. Set policies using Microsoft Defender portal
+
+Set policies using Microsoft Defender Portal by implementing the following instructions, or by using [Microsoft Intune](#set-policies-using-microsoft-intune):
+
+1. Go through [Configure Microsoft Defender for Endpoint in Intune](/mem/intune/protect/advanced-threat-protection-configure) before setting the security policies using Microsoft Defender for Endpoint Security Settings Management.
+
+2. In the [Microsoft Defender portal](https://sip.security.microsoft.com/homepage?tid=72f988bf-86f1-41af-91ab-2d7cd011db47), go to **Configuration management** > **Endpoint security policies** > **Mac policies** > **Create new policy**.
+
+3. Under **Select Platform**, select **macOS**.
+
+4. Under **Select Template**, choose a template and select **Create Policy**.
+
+5. Specify a name and description for the policy, and then select **Next**.
+
+6. On the **Assignments** tab, assign the profile to a group where the macOS devices and/or users are located, or **All Users** and **All devices**.
+
+For more information about managing security settings, see:
+
+- [Manage Microsoft Defender for Endpoint on devices with Microsoft Intune](/mem/intune/protect/mde-security-integration?pivots=mdssc-ga)
+- [Manage security settings for Windows, macOS, and Linux natively in Defender for Endpoint](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/manage-security-settings-for-windows-macos-and-linux-natively-in/ba-p/3870617)
> [!NOTE]
> If managed via Intune, it will not allow for the device to register via the Microsoft Defender for Endpoint Security Settings Management ([Microsoft Defender XDR portal (https://security.microsoft.com)](Microsoft Defender XDR portal (https://security.microsoft.com) or)).
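Review bot: The Microsoft Defender portal link in step 2 embeds a tenant-specific `tid=` query parameter and the internal `sip.` host; public readers should be sent to `https://security.microsoft.com` with no tenant id. In the procedure itself, step 1 is a prerequisite rather than a step and belongs in a sentence before the list, and the list ends at the **Assignments** tab with no **Review + create** / **Save** step, unlike the Windows and network protection procedures in this change. While here, the NOTE that follows carries a malformed link (`[Microsoft Defender XDR portal (https://security.microsoft.com)](Microsoft Defender XDR portal (https://security.microsoft.com) or)`) that is worth fixing in the same pass.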
@@ -341,19 +365,19 @@ In the [Microsoft Defender portal](https://sip.security.microsoft.com/homepage?t
1. Under **Select Template**, select **Microsoft Defender Antivirus** and select **Create Policy**.
- :::image type="content" alt-text="networkprotection" source="media/network-protection1.jpg" lightbox="media/network-protection1.jpg":::
+ :::image type="content" source="../defender-endpoint/media/network-protection1.png" alt-text="Screenshot that shows the page on which you create a policy." lightbox="../defender-endpoint/media/network-protection1.png":::
1. On the **Basics** tab, enter the **Name** and **Description** of the policy. Select **Next**.
- :::image type="content" source="media/networkprotection2.png" alt-text="Basicstab":::
+ :::image type="content" source="../defender-endpoint/media/networkprotection2.png" alt-text="Screenshot that shows the Basics tab." lightbox="../defender-endpoint/media/networkprotection2.png":::
1. On the **Configuration Settings** tab, under Network Protection, select an **Enforcement level**. Select **Next**.
- :::image type="content" source="media/networkprotection3.png" alt-text="configurationsettings":::
-
+ :::image type="content" source="../defender-endpoint/media/networkprotection3.png" alt-text="Screenshot that shows the Create a new policy page." lightbox="../defender-endpoint/media/networkprotection3.png":::
+
1. On the **Assignments** tab, assign the profile to a group where the macOS devices and/or users are located, or **All Users** and **All devices**.
- :::image type="content" source="media/networkprotection4.png" alt-text="np4":::
+ :::image type="content" source="../defender-endpoint/media/networkprotection4.png" alt-text="Screenshot that shows the page on which you configure the settings for the Assignments option." lightbox="../defender-endpoint/media/networkprotection4.png":::
1. Review the policy in **Review+Create** and select **Save**.
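Review bot: The first screenshot changes from `network-protection1.jpg` to `network-protection1.png`, but this diff adds or renames no media files; confirm that `media/network-protection1.png` exists in the repository, otherwise the image breaks. The alt-text improvements in this hunk are good.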
@@ -379,7 +403,7 @@ After completing the profile configuration, you'll be able to review the status
Once the Intune changes are propagated to the enrolled devices, you can see them listed under **Monitor** \> **Device status**:
-:::image type="content" source="media/mdatp-7-devicestatusblade.png" alt-text="The view of the device status" lightbox="media/mdatp-7-devicestatusblade.png":::
+:::image type="content" source="../defender-endpoint/media/mdatp-7-devicestatusblade.png" alt-text="Screenshot that shows the view of the device status." lightbox="../defender-endpoint/media/mdatp-7-devicestatusblade.png":::
#### Client device setup
@@ -387,11 +411,11 @@ A standard [Company Portal installation](/intune-user-help/enroll-your-device-in
1. Confirm device management.
- :::image type="content" source="media/mdatp-3-confirmdevicemgmt.png" alt-text="The Confirm device management page" lightbox="media/mdatp-3-confirmdevicemgmt.png":::
+ :::image type="content" source="../defender-endpoint/media/mdatp-3-confirmdevicemgmt.png" alt-text="Screenshot that shows the Confirm device management page." lightbox="../defender-endpoint/media/mdatp-3-confirmdevicemgmt.png":::
Select **Open System Preferences**, locate **Management Profile** on the list, and select **Approve...**. Your Management Profile would be displayed as **Verified**:
- :::image type="content" source="media/mdatp-4-managementprofile.png" alt-text="The Management profile page" lightbox="media/mdatp-4-managementprofile.png":::
+ :::image type="content" source="../defender-endpoint/media/mdatp-4-managementprofile.png" alt-text="Screenshot that shows the Management profile page." lightbox="../defender-endpoint/media/mdatp-4-managementprofile.png":::
2. Select **Continue** and complete the enrollment.
@@ -399,23 +423,23 @@ A standard [Company Portal installation](/intune-user-help/enroll-your-device-in
3. In Intune, open **Manage** \> **Devices** \> **All devices**. Here you can see your device among the listed:
- :::image type="content" source="media/mdatp-5-alldevices.png" alt-text="The All Devices page" lightbox="media/mdatp-5-alldevices.png":::
+ :::image type="content" source="../defender-endpoint/media/mdatp-5-alldevices.png" alt-text="Screenshot that shows the All Devices page." lightbox="../defender-endpoint/media/mdatp-5-alldevices.png":::
#### Verify client device state
1. After the configuration profiles are deployed to your devices, open **System Preferences** > **Profiles** on your Mac device.
- :::image type="content" source="media/mdatp-13-systempreferences.png" alt-text="The System preferences page":::
+ :::image type="content" source="../defender-endpoint/media/mdatp-13-systempreferences.png" alt-text="Screenshot that shows the System preferences page." lightbox="../defender-endpoint/media/mdatp-13-systempreferences.png":::
- :::image type="content" source="media/mdatp-14-systempreferencesprofiles.png" alt-text="The System Preferences Profiles page" lightbox="media/mdatp-14-systempreferencesprofiles.png":::
+ :::image type="content" source="../defender-endpoint/media/mdatp-14-systempreferencesprofiles.png" alt-text="Screenshot that shows the System Preferences Profiles page." lightbox="../defender-endpoint/media/mdatp-14-systempreferencesprofiles.png":::
2. Verify that the following configuration profiles are present and installed. The **Management Profile** should be the Intune system profile. _Wdav-config_ and _wdav-kext_ are system configuration profiles that were added in Intune:
- :::image type="content" source="media/mdatp-15-managementprofileconfig.png" alt-text="The Profiles page" lightbox="media/mdatp-15-managementprofileconfig.png":::
+ :::image type="content" source="../defender-endpoint/media/mdatp-15-managementprofileconfig.png" alt-text="Screenshot that shows the Profiles page." lightbox="../defender-endpoint/media/mdatp-15-managementprofileconfig.png":::
3. You should also see the Microsoft Defender for Endpoint icon in the top-right corner.
- :::image type="content" source="media/mdatp-icon-bar.png" alt-text="The icon for Microsoft Defender for Endpoint in the status bar":::
+ :::image type="content" source="../defender-endpoint/media/mdatp-icon-bar.png" alt-text="Screenshot that shows the icon for Microsoft Defender for Endpoint in the status bar." lightbox="../defender-endpoint/media/mdatp-icon-bar.png":::
### Step 14: Publish application
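Review bot: menu-path separators are inconsistent within this hunk: step 3 of the enrollment list writes `**Manage** \> **Devices** \> **All devices**` with an escaped `\>`, while step 1 under "Verify client device state" writes `**System Preferences** > **Profiles**` unescaped; pick one form (the unescaped `>` matches Step 14's `**By platform** > **macOS** > **Add**`). Also, "_Wdav-config_ and _wdav-kext_" capitalizes one profile name and not the other; both are profile identifiers, so give them the same casing.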
@@ -423,33 +447,32 @@ This step enables deploying Microsoft Defender for Endpoint to enrolled machines
1. In the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), open **Apps**.
- :::image type="content" source="media/mdatp-8-app-before.png" alt-text="The application's overview page" lightbox="media/mdatp-8-app-before.png":::
+ :::image type="content" source="../defender-endpoint/media/mdatp-8-app-before.png" alt-text="Screenshot that shows the application's overview page." lightbox="../defender-endpoint/media/mdatp-8-app-before.png":::
1. Select **By platform** > **macOS** > **Add**.
1. Under **App type**, select **macOS**. Select **Select**.
- :::image type="content" source="media/mdatp-9-app-type.png" alt-text="The specific application type" lightbox="media/mdatp-9-app-type.png":::
+ :::image type="content" source="../defender-endpoint/media/mdatp-9-app-type.png" alt-text="Screenshot that shows the specific application type." lightbox="../defender-endpoint/media/mdatp-9-app-type.png":::
1. On the **App information**, keep the default values and select **Next**.
- :::image type="content" source="media/mdatp-10-properties.png" alt-text="The application properties page" lightbox="media/mdatp-10-properties.png":::
+ :::image type="content" source="../defender-endpoint/media/mdatp-10-properties.png" alt-text="Screenshot that shows the application properties page." lightbox="../defender-endpoint/media/mdatp-10-properties.png":::
1. On the **Assignments** tab, select **Next**.
- :::image type="content" source="media/mdatp-11-assignments.png" alt-text="The Intune assignments information page" lightbox="media/mdatp-11-assignments.png":::
+ :::image type="content" source="../defender-endpoint/media/mdatp-11-assignments.png" alt-text="Screenshot that shows the Intune assignments information page." lightbox="../defender-endpoint/media/mdatp-11-assignments.png":::
-1. Review and **Create**.
-You can visit **Apps** > **By platform** > **macOS** to see it on the list of all applications.
+1. Review and **Create**. You can visit **Apps** > **By platform** > **macOS** to see it on the list of all applications.
- :::image type="content" source="media/mdatp-12-applications.png" alt-text="The application lists page" lightbox="media/mdatp-12-applications.png":::
+ :::image type="content" source="../defender-endpoint/media/mdatp-12-applications.png" alt-text="Screenshot that shows the application lists page." lightbox="../defender-endpoint/media/mdatp-12-applications.png":::
For more information, see [Add Microsoft Defender for Endpoint to macOS devices using Microsoft Intune](/mem/intune/apps/apps-advanced-threat-protection-macos).
> [!IMPORTANT]
> You should create and deploy the configuration profiles in the order specified (steps 1-13) for a successful system configuration.
-#### Step 15: Download the onboarding package
+### Step 15: Download the onboarding package
To download the onboarding packages from Microsoft 365 Defender portal:
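Review bot: "On the **App information**, keep the default values" (third item of the Step 14 list) is missing the word "tab", unlike the next item "On the **Assignments** tab"; make it "On the **App information** tab, keep the default values and select **Next**." The `####` to `###` change for Step 15 is correct: it brings the heading in line with `### Step 14` and `### Step 16`.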
@@ -457,25 +480,25 @@ To download the onboarding packages from Microsoft 365 Defender portal:
2. Set the operating system to **macOS** and the deployment method to **Mobile Device Management / Microsoft Intune**.
- :::image type="content" source="media/macos-install-with-intune.png" alt-text="The Onboarding settings page" lightbox="media/macos-install-with-intune.png":::
+ :::image type="content" source="../defender-endpoint/media/macos-install-with-intune.png" alt-text="Screenshot that shows the Onboarding settings page." lightbox="../defender-endpoint/media/macos-install-with-intune.png":::
3. Select **Download onboarding package**. Save it as _WindowsDefenderATPOnboardingPackage.zip_ to the same directory.
4. Extract the contents of the .zip file:
- ```bash
- unzip WindowsDefenderATPOnboardingPackage.zip
- ```
+ ```bash
+ unzip WindowsDefenderATPOnboardingPackage.zip
+ ```
- ```console
- Archive: WindowsDefenderATPOnboardingPackage.zip
- warning: WindowsDefenderATPOnboardingPackage.zip appears to use backslashes as path separators
+ ```console
+ Archive: WindowsDefenderATPOnboardingPackage.zip
+ warning: WindowsDefenderATPOnboardingPackage.zip appears to use backslashes as path separators
inflating: intune/kext.xml
inflating: intune/WindowsDefenderATPOnboarding.xml
inflating: jamf/WindowsDefenderATPOnboarding.plist
- ```
+ ```
- :::image type="content" alt-text="Sample description" source="media/deploy-onboarding-package.png" lightbox="media/deploy-onboarding-package.png":::
+ :::image type="content" source="../defender-endpoint/media/deploy-onboarding-package.png" alt-text="Screenshot that shows the sample description." lightbox="../defender-endpoint/media/deploy-onboarding-package.png":::
### Step 16: Deploy the onboarding package
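Review bot: the new alt text "Screenshot that shows the sample description." for `deploy-onboarding-package.png` only wraps the old placeholder "Sample description" and still tells a screen-reader user nothing about the image; describe what it actually shows (the extracted onboarding package contents, or the download page, whichever it is). Also, step 3's "Save it as _WindowsDefenderATPOnboardingPackage.zip_ to the same directory" has no antecedent in this hunk; name the directory the reader is expected to use, which is the one the `unzip` command in step 4 is run from.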
@@ -493,11 +516,11 @@ To deploy the onboarding package:
1. Select **Create**.
- :::image type="content" alt-text="Deploy onboarding package" source="media/mdatp-6-systemconfigurationprofiles-1.png" lightbox="media/mdatp-6-systemconfigurationprofiles-1.png":::
+ :::image type="content" source="../defender-endpoint/media/mdatp-6-systemconfigurationprofiles-1.png" alt-text="Screenshot that shows the deploy onboarding package." lightbox="../defender-endpoint/media/mdatp-6-systemconfigurationprofiles-1.png":::
1. On the **Basics** tab, **Name** the profile. For example, `Autoupdate-prod-macOS-Default-MDE`. Select **Next**.
- :::image type="content" alt-text="click next" source="media/mdatp-6-systemconfigurationprofiles-2.png" lightbox="media/mdatp-6-systemconfigurationprofiles-2.png":::
+ :::image type="content" source="../defender-endpoint/media/mdatp-6-systemconfigurationprofiles-2.png" alt-text="Screenshot that shows the Custom page." lightbox="../defender-endpoint/media/mdatp-6-systemconfigurationprofiles-2.png":::
1. On the **Configuration settings** tab, enter a **Custom configuration profile** name. For example, `Autoupdate.mobileconfig`.
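Review bot: the alt text "Screenshot that shows the Custom page." for `mdatp-6-systemconfigurationprofiles-2.png` does not match the step it illustrates, which names the profile on the **Basics** tab; "Screenshot that shows the Basics tab of the custom configuration profile." would match. Separately, in unchanged context, the example names `Autoupdate-prod-macOS-Default-MDE` and `Autoupdate.mobileconfig` are confusing under a heading titled "Deploy the onboarding package"; an onboarding-specific example name would help readers tell this profile apart from an autoupdate profile.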
@@ -507,21 +530,21 @@ To deploy the onboarding package:
1. Select a **Configuration profile file**.
- :::image type="content" alt-text="configuration profile" source="media/mdatp-6-systemconfigurationprofiles.png" lightbox="media/mdatp-6-systemconfigurationprofiles.png":::
+ :::image type="content" source="../defender-endpoint/media/mdatp-6-systemconfigurationprofiles.png" alt-text="Screenshot that shows the configuration settings." lightbox="../defender-endpoint/media/mdatp-6-systemconfigurationprofiles.png":::
1. On the **Assignments** tab, assign the profile to a group where the macOS devices and/or users are located, or **All Users** and **All devices**.
- :::image type="content" alt-text="assign users" source="media/mdatp-6-systemconfigurationprofiles-3.png" lightbox="media/mdatp-6-systemconfigurationprofiles-3.png":::
+ :::image type="content" source="../defender-endpoint/media/mdatp-6-systemconfigurationprofiles-3.png" alt-text="Screenshot that shows the Assignments tab." lightbox="../defender-endpoint/media/mdatp-6-systemconfigurationprofiles-3.png":::
1. Review the configuration profile. Select **Create**.
1. Open **Devices** > **Configuration profiles** to see the created profile.
-## Step 17: Verify anti-malware detection
+### Step 17: Verify anti-malware detection
See the following article to test for an anti-malware detection review: [Antivirus detection test for verifying device's onboarding and reporting services](validate-antimalware.md)
-## Step 18: Verifying EDR detection
+### Step 18: Verifying EDR detection
See the following article to test for an EDR detection review: [EDR detection test for verifying device onboarding and reporting services](edr-detection.md)
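Review bot: "### Step 18: Verifying EDR detection" uses a different verb form from "### Step 17: Verify anti-malware detection" and from the other step headings ("Publish application", "Deploy the onboarding package"); since the line is already being touched, rename it "### Step 18: Verify EDR detection". The `##` to `###` level change for both headings is right, as they are steps at the same level as Steps 14 through 16.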
@@ -572,8 +595,4 @@ Learn about adding Microsoft Defender for Endpoint to macOS devices using Micros
Describes how to configure Microsoft Defender for Endpoint on Android.
[Manage Defender for Endpoint on Android devices in Intune - Azure](/mem/intune/protect/advanced-threat-protection-manage-android?source=recommendations)
-
Configure Microsoft Defender for Endpoint web protection on Android devices managed by Microsoft Intune.
-
-
-[!INCLUDE [Microsoft Defender for Endpoint Tech Community](../includes/defender-mde-techcommunity.md)]
-
+
Configure Microsoft Defender for Endpoint web protection on Android devices managed by Microsoft Intune.
\ No newline at end of file
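Review bot: this hunk deletes the `[!INCLUDE [Microsoft Defender for Endpoint Tech Community](../includes/defender-mde-techcommunity.md)]` line, which is unrelated to the image-path and alt-text cleanup the rest of the change performs; confirm the removal is intended, otherwise restore it. The hunk also leaves "Configure Microsoft Defender for Endpoint web protection on Android devices managed by Microsoft Intune." in place twice (once under the Android management link and again as the final line), so the duplicate should be dropped, and the file now ends without a trailing newline ("\ No newline at end of file").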
diff --git a/defender-endpoint/media/network-protection1.png b/defender-endpoint/media/network-protection1.png
new file mode 100644
index 0000000000..ce82325116
Binary files /dev/null and b/defender-endpoint/media/network-protection1.png differ