
Commit 3ab20f5

Merge pull request #763 from MicrosoftDocs/deniseb-global-admin
deniseb global admin
2 parents 4ca40d6 + b535a95 commit 3ab20f5

1 file changed

+44
-75
lines changed


defender-endpoint/advanced-features.md

Lines changed: 44 additions & 75 deletions
Original file line number | Diff line number | Diff line change
@@ -14,7 +14,7 @@ ms.collection:
1414
ms.topic: conceptual
1515
ms.subservice: onboard
1616
search.appverid: met150
17-
ms.date: 04/08/2024
17+
ms.date: 06/21/2024
1818
---
1919

2020
# Configure advanced features in Defender for Endpoint
@@ -32,7 +32,7 @@ Depending on the Microsoft security products that you use, some advanced feature
3232

3333
## Enable advanced features
3434

35-
1. Log in to [Microsoft Defender XDR](https://go.microsoft.com/fwlink/p/?linkid=2077139) using an account with the Security administrator or Global administrator role assigned.
35+
1. Go to the [Microsoft Defender portal](https://go.microsoft.com/fwlink/p/?linkid=2077139) and sign in.
3636

3737
2. In the navigation pane, select **Settings** \> **Endpoints** \> **Advanced features**.
3838

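Review bot: new line 35 drops the permission requirement altogether ("Go to the Microsoft Defender portal and sign in") where the old line named the Security administrator or Global administrator role, so a reader no longer learns which role is needed to change these tenant-wide settings. Steering people away from Global Administrator is the right direction, but silence is worse than naming the least-privileged role that works; suggest keeping it, e.g. `1. Go to the [Microsoft Defender portal](...) and sign in with an account that has the Security Administrator role.`, or at minimum pointing at the roles page this file already links elsewhere (user-roles.md).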
@@ -42,22 +42,6 @@ Depending on the Microsoft security products that you use, some advanced feature
4242

4343
Use the following advanced features to get better protected from potentially malicious files and gain better insight during security investigations.
4444

45-
## Live response
46-
47-
Turn on this feature so that users with the appropriate permissions can start a live response session on devices.
48-
49-
For more information about role assignments, see [Create and manage roles](user-roles.md).
50-
51-
## Live response for servers
52-
53-
Turn on this feature so that users with the appropriate permissions can start a live response session on servers.
54-
55-
For more information about role assignments, see [Create and manage roles](user-roles.md).
56-
57-
## Live response unsigned script execution
58-
59-
Enabling this feature allows you to run unsigned scripts in a live response session.
60-
6145
## Restrict correlation to within scoped device groups
6246

6347
This configuration can be used for scenarios where local SOC operations would like to limit alert correlations only to device groups that they can access. By turning on this setting, an incident composed of alerts that cross-device groups will no longer be considered a single incident. The local SOC can then take action on the incident because they have access to one of the device groups involved. However, global SOC will see several different incidents by device group instead of one incident. We don't recommend turning on this setting unless doing so outweighs the benefits of incident correlation across the entire organization.
@@ -71,15 +55,11 @@ This configuration can be used for scenarios where local SOC operations would li
7155

7256
Endpoint detection and response (EDR) in block mode provides protection from malicious artifacts, even when Microsoft Defender Antivirus is running in passive mode. When turned on, EDR in block mode blocks malicious artifacts or behaviors that are detected on a device. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post breach.
7357

74-
## Autoresolve remediated alerts
75-
76-
For tenants created on or after Windows 10, version 1809, the automated investigation, and remediation capability is configured by default to resolve alerts where the automated analysis result status is "No threats found" or "Remediated". If you don't want to have alerts auto resolved, you'll need to manually turn off the feature.
58+
## Automatically resolve alerts
7759

78-
> [!TIP]
79-
> For tenants created prior to that version, you'll need to manually turn this feature on from the [Advanced features](https://security.microsoft.com//preferences2/integration) page.
60+
Turn this setting on to automatically resolve alerts where no threats were found or where detected threats were remediated. If you don't want to have alerts auto resolved, you'll need to manually turn off the feature.
8061

8162
> [!NOTE]
82-
>
8363
> - The result of the auto-resolve action may influence the Device risk level calculation which is based on the active alerts found on a device.
8464
> - If a security operations analyst manually sets the status of an alert to "In progress" or "Resolved" the auto-resolve capability will not overwrite it.
8565
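Review bot: the rewritten paragraph at new line 60 is inconsistent about the default state. "Turn this setting on to automatically resolve alerts" reads as off by default, while the retained second sentence, "If you don't want to have alerts auto resolved, you'll need to manually turn off the feature", implies on by default. The deleted text tied the default to tenant creation date; if that distinction no longer applies, state the default plainly (for example "This setting is on by default.") and keep only the sentence that matches it. Note also that renaming the heading from "Autoresolve remediated alerts" to "Automatically resolve alerts" changes the rendered anchor, so any inbound links to #autoresolve-remediated-alerts will break.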
@@ -94,13 +74,13 @@ This feature enables you to block potentially malicious files in your network. B
9474

9575
To turn **Allow or block** files on:
9676

97-
1. In the navigation pane, select **Settings** \> **Endpoints** \> **General** \> **Advanced features** \> **Allow or block file**.
77+
1. In the Microsoft Defender portal, in navigation pane, select **Settings** \> **Endpoints** \> **General** \> **Advanced features** \> **Allow or block file**.
9878

99-
1. Toggle the setting between **On** and **Off**.
79+
2. Toggle the setting between **On** and **Off**.
10080

10181
:::image type="content" source="/defender/media/alloworblockfile.png" alt-text="The Endpoints screen" lightbox="/defender/media/alloworblockfile.png":::
10282

103-
1. Select **Save preferences** at the bottom of the page.
83+
3. Select **Save preferences** at the bottom of the page.
10484

10585
After turning on this feature, you can [block files](respond-file-alerts.md#allow-or-block-file) via the **Add Indicator** tab on a file's profile page.
10686

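Review bot: new line 77 reads "In the Microsoft Defender portal, in navigation pane, select ..."; it is missing the article and should be "in the navigation pane" to match the wording of step 2 at line 37 in this same file. The switch from repeated `1.` items to explicit `1.`/`2.`/`3.` numbering is fine and in fact makes the list robust to the unindented :::image::: line sitting between items 2 and 3.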
@@ -145,59 +125,63 @@ Enabling the Skype for Business integration gives you the ability to communicate
145125
> [!NOTE]
146126
> When a device is being isolated from the network, there's a pop-up where you can choose to enable Outlook and Skype communications which allows communications to the user while they are disconnected from the network. This setting applies to Skype and Outlook communication when devices are in isolation mode.
147127
148-
## Office 365 Threat Intelligence connection
128+
## Microsoft Defender for Cloud Apps
149129

150-
> [!IMPORTANT]
151-
> This setting was used when Microsoft Defender for Office 365 and Microsoft Defender for Endpoint were in different portals previously. After the convergence of security experiences into a unified portal that is now called Microsoft Defender XDR, these settings are irrelevant and don't have any functionality associated with them. You can safely ignore the status of the control until it is removed from the portal.
130+
Enabling this setting forwards Defender for Endpoint signals to Microsoft Defender for Cloud Apps to provide deeper visibility into cloud application usage. Forwarded data is stored and processed in the same location as your Defender for Cloud Apps data.
131+
132+
> [!NOTE]
133+
> This feature will be available with an E5 license for [Enterprise Mobility + Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security) on devices running Windows 10, version 1709 (OS Build 16299.1085 with [KB4493441](https://support.microsoft.com/help/4493441)), Windows 10, version 1803 (OS Build 17134.704 with [KB4493464](https://support.microsoft.com/help/4493464)), Windows 10, version 1809 (OS Build 17763.379 with [KB4489899](https://support.microsoft.com/help/4489899)), later Windows 10 versions, or Windows 11.
134+
135+
## Web content filtering
136+
137+
Block access to websites containing unwanted content and track web activity across all domains. To specify the web content categories you want to block, create a [web content filtering policy](https://security.microsoft.com/preferences2/web_content_filtering_policy). Ensure you've network protection in block mode when deploying the [Microsoft Defender for Endpoint security baseline](https://devicemanagement.microsoft.com/#blade/Microsoft_Intune_Workflows/SecurityBaselineSummaryMenu/overview/templateType/2).
152138

153-
This feature is only available if you have an active subscription for Office 365 E5 or the Threat Intelligence add-on. For more information, see the [Office 365 E5 product page](https://www.microsoft.com/microsoft-365/enterprise/office-365-e5?activetab=pivot:overviewtab).
139+
## Unified audit log
154140

155-
This feature enables you to incorporate data from Microsoft Defender for Office 365 into Microsoft Defender XDR to conduct a comprehensive security investigation across Office 365 mailboxes and Windows devices.
141+
Search in Microsoft Purview enables your security and compliance team to view critical audit log event data to gain insight and investigate user activities. Whenever an audited activity is performed by a user or an admin, an audit record is generated and stored in the Microsoft 365 audit log for your organization. For more information, see the [Search the audit log](/purview/audit-search).
142+
143+
## Device discovery
144+
145+
Helps you find unmanaged devices connected to your corporate network without the need for extra appliances or cumbersome process changes. Using onboarded devices, you can find unmanaged devices in your network and assess vulnerabilities and risks. For more information, see [Device discovery](device-discovery.md).
156146

157147
> [!NOTE]
158-
> You'll need to have the appropriate license to enable this feature.
148+
> You can always apply filters to exclude unmanaged devices from the device inventory list. You can also use the onboarding status column on API queries to filter out unmanaged devices.
159149
160-
To receive contextual device integration in Office 365 Threat Intelligence, you'll need to enable the Defender for Endpoint settings in the Security & Compliance dashboard. For more information, see [Threat investigation and response](/defender-office-365/office-365-ti).
150+
## Download quarantined files
161151

162-
## Endpoint Attack Notifications
152+
Backup quarantined files in a secure and compliant location so they can be downloaded directly from quarantine. The **Download file** button will always be available in the file page. This setting is turned on by default. [Learn more about requirements](respond-file-alerts.md#download-quarantined-files)
163153

164-
[Endpoint Attack Notifications](endpoint-attack-notifications.md) enable Microsoft to actively hunt for critical threats to be prioritized based on urgency and impact over your endpoint data.
154+
## Default to streamlined connectivity when onboarding devices in the Defender portal
165155

166-
For proactive hunting across the full scope of Microsoft Defender XDR, including threats that span email, collaboration, identity, cloud applications, and endpoints, [learn more](https://aka.ms/DefenderExpertsForHuntingGetStarted) about Microsoft Defender Experts.
156+
This setting will set the default onboarding package to [streamlined connectivity](configure-device-connectivity.md) for applicable operating systems. You still have the option to use the standard onboarding package within the onboarding page, but you must specifically select it in the drop-down.
167157

168-
## Microsoft Defender for Cloud Apps
169158

170-
Enabling this setting forwards Defender for Endpoint signals to Microsoft Defender for Cloud Apps to provide deeper visibility into cloud application usage. Forwarded data is stored and processed in the same location as your Defender for Cloud Apps data.
159+
## Live response
171160

172-
> [!NOTE]
173-
> This feature will be available with an E5 license for [Enterprise Mobility + Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security) on devices running Windows 10, version 1709 (OS Build 16299.1085 with [KB4493441](https://support.microsoft.com/help/4493441)), Windows 10, version 1803 (OS Build 17134.704 with [KB4493464](https://support.microsoft.com/help/4493464)), Windows 10, version 1809 (OS Build 17763.379 with [KB4489899](https://support.microsoft.com/help/4489899)), later Windows 10 versions, or Windows 11.
161+
Turn on this feature so that users with the appropriate permissions can start a live response session on devices.
174162

175-
### Enable the Microsoft Defender for Endpoint integration from the Microsoft Defender for Identity portal
163+
For more information about role assignments, see [Create and manage roles](user-roles.md).
176164

177-
To receive contextual device integration in Microsoft Defender for Identity, you'll also need to enable the feature in the Microsoft Defender for Identity portal.
165+
## Live response for servers
178166

179-
1. Sign in to the [Microsoft Defender for Identity portal](https://portal.atp.azure.com/) with a Global Administrator or Security Administrator role.
167+
Turn on this feature so that users with the appropriate permissions can start a live response session on servers.
180168

181-
2. Select **Create your instance**.
169+
For more information about role assignments, see [Create and manage roles](user-roles.md).
182170

183-
3. Toggle the Integration setting to **On** and select **Save**.
171+
## Live response unsigned script execution
184172

185-
After completing the integration steps on both portals, you'll be able to see relevant alerts in the device details or user details page.
173+
Enabling this feature allows you to run unsigned scripts in a live response session.
186174

187-
## Web content filtering
175+
## Deception
188176

189-
Block access to websites containing unwanted content and track web activity across all domains. To specify the web content categories you want to block, create a [web content filtering policy](https://security.microsoft.com/preferences2/web_content_filtering_policy). Ensure you've network protection in block mode when deploying the [Microsoft Defender for Endpoint security baseline](https://devicemanagement.microsoft.com/#blade/Microsoft_Intune_Workflows/SecurityBaselineSummaryMenu/overview/templateType/2).
177+
Deception enables your security team to manage and deploy lures and decoys to catch attackers in your environment. After you turn this on, go to Rules > Deception rules to run deception campaigns. See [Manage the deception capability in Microsoft Defender XDR](/defender-xdr/deception-overview).
190178

191-
## Share endpoint alerts with Microsoft Purview compliance portal
179+
## Share endpoint alerts with Microsoft Compliance Center
192180

193181
Forwards endpoint security alerts and their triage status to Microsoft Purview compliance portal, allowing you to enhance insider risk management policies with alerts and remediate internal risks before they cause harm. Forwarded data is processed and stored in the same location as your Office 365 data.
194182

195183
After configuring the [Security policy violation indicators](/microsoft-365/compliance/insider-risk-management-settings#indicators) in the insider risk management settings, Defender for Endpoint alerts will be shared with insider risk management for applicable users.
196184

197-
## Authenticated telemetry
198-
199-
You can **Turn on** Authenticated telemetry to prevent spoofing telemetry into your dashboard.
200-
201185
## Microsoft Intune connection
202186

203187
Defender for Endpoint can be integrated with [Microsoft Intune](/intune/what-is-intune) to [enable device risk-based conditional access](/intune/advanced-threat-protection). When you [turn on this feature](configure-conditional-access.md), you'll be able to share Defender for Endpoint device information with Intune, enhancing policy enforcement.
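Review bot: new line 179 renames the heading to "Share endpoint alerts with Microsoft Compliance Center" while the unchanged body at 181 still says "Microsoft Purview compliance portal"; the old heading at 191 already used the current product name, so this is a regression to a retired name and it also changes the section anchor. Keep "Share endpoint alerts with Microsoft Purview compliance portal". Two smaller points in the same region: the Deception section at 177 writes the UI path as plain `Rules > Deception rules` where every other section on this page uses bold with escaped arrows (**Settings** \> **Endpoints**); and "Live response unsigned script execution" at 171-173 is re-added with only "allows you to run unsigned scripts in a live response session", so a one-line caveat on why the toggle is off unless needed (scripts run on endpoints without a signature check) would help an admin weigh it.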
@@ -210,19 +194,9 @@ This feature is only available if you've the following prerequisites:
210194
- A licensed tenant for Enterprise Mobility + Security E3, and Windows E5 (or Microsoft 365 Enterprise E5)
211195
- An active Microsoft Intune environment, with Intune-managed Windows devices [Microsoft Entra joined](/azure/active-directory/devices/concept-azure-ad-join/).
212196

213-
### Conditional Access policy
214-
215-
When you enable Intune integration, Intune will automatically create a classic Conditional Access (CA) policy. This classic CA policy is a prerequisite for setting up status reports to Intune. It shouldn't be deleted.
216-
217-
> [!NOTE]
218-
> The classic CA policy created by Intune is distinct from modern [Conditional Access policies](/azure/active-directory/conditional-access/overview/), which are used for configuring endpoints.
219-
220-
## Device discovery
221-
222-
Helps you find unmanaged devices connected to your corporate network without the need for extra appliances or cumbersome process changes. Using onboarded devices, you can find unmanaged devices in your network and assess vulnerabilities and risks. For more information, see [Device discovery](device-discovery.md).
197+
## Authenticated telemetry
223198

224-
> [!NOTE]
225-
> You can always apply filters to exclude unmanaged devices from the device inventory list. You can also use the onboarding status column on API queries to filter out unmanaged devices.
199+
You can **Turn on** Authenticated telemetry to prevent spoofing telemetry into your dashboard.
226200

227201
## Preview features
228202

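Review bot: old lines 213-218 delete the "Conditional Access policy" subsection, which carried the operational warning that enabling Intune integration automatically creates a classic Conditional Access policy that is a prerequisite for status reports and must not be deleted, and nothing in the replacement text says that behavior went away. If Intune still creates that classic policy, keep the warning (it prevents a support-generating mistake); if it no longer does, add a sentence to the prerequisites list at 194-195 saying so, so readers who already have such a classic policy know whether it is safe to remove.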
@@ -234,20 +208,15 @@ If you already have preview features turned on, manage your settings from the ma
234208

235209
For more information, see [Microsoft Defender XDR preview features](/defender-xdr/preview)
236210

237-
## Download quarantined files
238-
239-
Backup quarantined files in a secure and compliant location so they can be downloaded directly from quarantine. The **Download file** button will always be available in the file page. This setting is turned on by default. [Learn more about requirements](respond-file-alerts.md#download-quarantined-files)
240-
241-
242-
## Streamlined connectivity during device onboarding (Preview)
243-
244-
This setting will set the default onboarding package to 'streamlined' for applicable operating systems.
211+
## Endpoint Attack Notifications
245212

246-
You will still have the option to use the standard onboarding package within the onboarding page but you will need to specifically select it in the drop-down.
213+
[Endpoint Attack Notifications](endpoint-attack-notifications.md) enable Microsoft to actively hunt for critical threats to be prioritized based on urgency and impact over your endpoint data.
247214

215+
For proactive hunting across the full scope of Microsoft Defender XDR, including threats that span email, collaboration, identity, cloud applications, and endpoints, [learn more](https://aka.ms/DefenderExpertsForHuntingGetStarted) about Microsoft Defender Experts.
248216

249217
## Related topics
250218

251219
- [Update data retention settings](preferences-setup.md)
252220
- [Configure alert notifications](/defender-xdr/configure-email-notifications)
221+
253222
[!INCLUDE [Microsoft Defender for Endpoint Tech Community](../includes/defender-mde-techcommunity.md)]
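Review bot: the "Streamlined connectivity during device onboarding (Preview)" section at old lines 242-246 is removed here and re-added earlier in this diff (new lines 154-156) as "Default to streamlined connectivity when onboarding devices in the Defender portal" with the "(Preview)" qualifier dropped. Dropping the qualifier asserts general availability, so confirm that is intended; the rename also changes the anchor, so check for inbound links to #streamlined-connectivity-during-device-onboarding-preview. "Download quarantined files" and "Endpoint Attack Notifications" are pure moves with unchanged text and keep their anchors. The blank line added at 221 before the [!INCLUDE] is fine.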
