Review and edit settings in Microsoft Defender for Business

You can view and edit settings, such as portal settings and advanced features, in the Microsoft Defender portal ( Use this article to get an overview of the various settings that are available and how to edit your Defender for Business settings.

View settings for advanced features

In the Microsoft Defender portal (, go to Settings > Endpoints > General > Advanced features.

The following table describes advanced feature settings.

Setting Description
Automated Investigation
(turned on by default)
As alerts are generated, automated investigations can occur. Each automated investigation determines whether a detected threat requires action and then takes or recommends remediation actions, such as sending a file to quarantine, stopping a process, isolating a device, or blocking a URL. While an investigation is running, any related alerts that arise are added to the investigation until it's completed. If an affected entity is seen elsewhere, the automated investigation expands its scope to include that entity, and the investigation process repeats.

You can view investigations on the Incidents page. Select an incident, and then select the Investigations tab.

By default, automated investigation and response capabilities are turned on, tenant wide. We recommend keeping automated investigation turned on. If you turn it off, real-time protection in Microsoft Defender Antivirus will be affected, and your overall level of protection will be reduced.

Learn more about automated investigations.
Live Response Defender for Business includes the following types of manual response actions:
- Run antivirus scan
- Isolate device
- Stop and quarantine a file
- Add an indicator to block or allow a file

Learn more about response actions.
Live Response for Servers (This setting is currently not available in Defender for Business.)
Live Response unsigned script execution (This setting is currently not available in Defender for Business.)
Enable EDR in block mode
(turned on by default)
Provides added protection from malicious artifacts when Microsoft Defender Antivirus isn't the primary antivirus product and is running in passive mode on a device. Endpoint detection and response (EDR) in block mode works behind the scenes to remediate malicious artifacts detected by EDR capabilities. Such artifacts might have been missed by the primary, non-Microsoft antivirus product.

Learn more about EDR in block mode.
Allow or block a file
(turned on by default)
Enables you to allow or block a file by using indicators. This capability requires Microsoft Defender Antivirus to be in active mode and cloud protection turned on.

Blocking a file prevents it from being read, written, or executed on devices in your organization.

Learn more about indicators for files.
Custom network indicators
(turned on by default)
Enables you to allow or block an IP address, URL, or domain by using network indicators. This capability requires Microsoft Defender Antivirus to be in active mode and network protection turned on.

You can allow or block IPs, URLs, or domains based on your threat intelligence. You can also prompt users if they open a risky app, but the prompt won't stop them from using the app.

Learn more about network protection.
Tamper protection
(we recommend you turn on this setting)
Tamper protection prevents malicious apps from doing actions such as:
- Disable virus and threat protection
- Disable real-time protection
- Turn off behavior monitoring
- Disable cloud protection
- Remove security intelligence updates
- Disable automatic actions on detected threats

Tamper protection essentially locks Microsoft Defender Antivirus to its secure, default values and prevents your security settings from being changed by apps and unauthorized methods.

Learn more about tamper protection.
Show user details
(turned on by default)
Enables people in your organization to see details, such as employees' pictures, names, titles, and departments. These details are stored in Microsoft Entra ID.

Learn more about user profiles in Microsoft Entra ID.
Skype for Business integration
(turned on by default)
Skype for Business was retired in July 2021. If you haven't already moved to Microsoft Teams, see Set up Microsoft Teams in your small business.

Integration with Microsoft Teams (or the former Skype for Business) enables one-click communication between people in your business.
Web content filtering
(turned on by default)
Blocks access to websites that contain unwanted content and tracks web activity across all domains. See Set up web content filtering.
Microsoft Intune connection
(we recommend you turn on this setting if you have Intune)
If your organization's subscription includes Microsoft Intune (included in Microsoft 365 Business Premium resources), this setting enables Defender for Business to share information about devices with Intune.
Device discovery
(turned on by default)
Enables your security team to find unmanaged devices that are connected to your company network. Unknown and unmanaged devices introduce significant risks to your network, whether it's an unpatched printer, a network device with a weak security configuration, or a server with no security controls.

Device discovery uses onboarded devices to discover unmanaged devices, so your security team can onboard the unmanaged devices and reduce your vulnerability.

Learn more about device discovery.
Preview features Microsoft is continually updating services such as Defender for Business to include new feature enhancements and capabilities. If you opt in to receive preview features, you'll be among the first to try upcoming features in the preview experience.

Learn more about preview features.

View and edit other settings in the Microsoft Defender portal

In addition to security policies applied to devices, there are other settings you can view and edit in Defender for Business. For example, you specify the time zone to use, and you can onboard (or offboard) devices.


You might see more settings in your tenant than are listed in this article. This article highlights the most important settings that you should review in Defender for Business.

Settings to review for Defender for Business

The following table describes settings you can view and edit in Defender for Business:

Category Setting Description
Security center Time zone Select the time zone to use for the dates and times displayed in incidents, detected threats, and automated investigation and remediation. You can either use UTC or your local time zone (recommended).
Microsoft 365 Defender Account View details such where your data is stored, your tenant ID, and your organization (org) ID.
Microsoft 365 Defender Preview features Turn on preview features to try upcoming features and new capabilities. You can be among the first to preview new features and provide feedback.
Endpoints Email notifications Set up or edit your email notification rules. When vulnerabilities are detected or an alert is created, the recipients specified in your email notification rules will receive an email. Learn more about email notifications.
Endpoints Device management > Onboarding Onboard devices to Defender for Business by using a downloadable script. To learn more, see Onboard devices to Defender for Business.
Endpoints Device management > Offboarding Offboard (remove) devices from Defender for Business. When you offboard a device, it no longer sends data to Defender for Business, but data received prior to offboarding is retained. To learn more, see Offboarding a device.

Access your settings in the Microsoft Defender portal

  1. Go to the Microsoft Defender portal (, and sign in.

  2. Select Settings, and then select a category (such as Security center, Microsoft 365 Defender, or Endpoints).

  3. In the list of settings, select an item to view or edit.