Microsoft Defender for Endpoint best practices

These scheduled scans are in addition to always-on, real-time protection and on-demand antivirus scans. Deploy using Microsoft Configuration Manager. Feb 1, 2023 · That is to say, they are different cloud service provided different functions. Next-generation antimalware. Use Microsoft Teams for collaboration and sharing. This article is designed for customers who are using Microsoft Defender Antivirus capabilities only. Turn on Microsoft Defender XDR to hunt for threats using more data sources. Review the requirements, plan your rollout, and set up your environment. Included with Microsoft 365 E3. The Microsoft Defender Antivirus cloud service delivers updated protection to your network and endpoints. May 31, 2024 · 5. See Protect yourself against phishing and other attacks. Sep 20, 2023 · Configuration Guidance: Azure Defender for servers (with Microsoft Defender for Endpoint integrated) provides EDR capability to prevent, detect, investigate, and respond to advanced threats. Cyberattack surface reduction rules. Central activation of encryption during OS installation. Option 2) Device configuration – Profiles > Profile name > Microsoft Defender ATP (Windows 10) > Sample sharing for all files > Enable. In Microsoft Defender for Endpoint, you can create device groups and use them to: Limit access to related alerts and data to specific Microsoft Entra user groups with assigned RBAC roles; Configure different auto-remediation settings for different sets of devices; Assign specific remediation levels to apply during automated investigations Apr 17, 2024 · Select Endpoint security > Microsoft Defender for Endpoint, and then select Open the Microsoft Defender Security Center. Network configuration. There are several options to deploy Windows Defender Application Control policies to managed endpoints, including: Deploy using a Mobile Device Management (MDM) solution, such as Microsoft Intune. 
With this update, the app is available as preview for Consumers in the US region. Microsoft - Windows Defender in VDI environments. Deploy via script. Windows; You can set up regular, scheduled antivirus scans on devices. Now being offered in Plan 1 and Plan 2, the full offering you get with Plan 2 not only provides antivirus May 21, 2024 · With Microsoft Intune’s security baselines, you can rapidly deploy a recommended security posture to your managed Windows devices for Windows security baselines to help you secure and protect your users and devices. Notice how it mentions Microsoft Defender ATP in the description. 0 as the Minimum operating system. -Windows Server Onboarding via GPO. Ensure devices can connect Jul 1, 2021 · Windows 10 has had the EDR and engine – Microsoft Defender Antivirus (MDAV) – built-in; with MDAV exposed through the Windows Security app. The cloud service should not be considered as only protection for your files that are stored in the cloud; instead, the cloud service uses distributed resources and machine learning to deliver protection for your endpoints at a faster rate than the traditional Security intelligence Nov 15, 2023 · A private endpoint is assigned a private IP address from your virtual network. add windows Defender in the product tab. By Natalia Godyla, Sr. Apply any optimizations and other settings to the VDI machines at first boot. Ensuring network-level security (40%). Firewall - Use the endpoint security Firewall policy in Intune to configure a devices built-in firewall for devices that run macOS and Windows 10/11. Oct 17, 2023 · Here are some best practices for configuring **Microsoft Defender for Endpoint** agent settings using Group Policy: 1. 
Endpoints —the many physical devices connected to a network, such as mobile phones, desktops, laptops, virtual machines, and Internet of Things (IoT) technology—give malicious This article is a reference for the settings that are available in the different versions of the Microsoft Defender for Endpoint security baseline that you can deploy with Microsoft Intune. May 12, 2022 · Use the following recommended best practices to begin your endpoint security management journey with Microsoft Defender for Endpoint: Configure your tenant. If it is malicious, it will limit the outcome to the sandbox, keeping your endpoint and network secure and report the outcome so your team has visibility. Start free trial. This enrollment method was Jan 25, 2024 · A honeytoken is a very simple and effective detective control, and can be leveraged in multiple different ways as described in Deceptive defense: best practices for identity based honeytokens in Microsoft Defender for Identity. Communication with a PaaS service is achieved by using the service's public IP address and DNS record. Use the installation package from the previous step to install Microsoft Defender for Endpoint. In the latest Voice of the Community blog series post, Microsoft Product Marketing Manager Natalia Godyla talks with Chris Sistrunk, Technical Manager in Mandiant’s ICS/OT Consulting practice and former engineer at Entergy, where he was a subject matter Included with Microsoft 365 E3. Our plan for onboarding our devices: -Windows Clients via MEM since they are HDJ and already enrolled in Intune. Jun 11, 2024 · If Microsoft Defender XDR hasn't been turned on yet, onboarding to Defender for Endpoint also turns on Defender XDR, and a new data center location is automatically selected based on the location of active Microsoft 365 security services. Jul 19, 2023 · Microsoft Defender for Endpoint Blog When evaluating various solutions, your peers value hearing from people like you who’ve used the product. 
Given the challenges that a modern security team is faced with, there’s potential to revisit these best practices to see where improvements can be made. Mobile Device Management (MDM): Intune Mobile Device Management (MDM) allows IT administrators to configure device-level security policies, such as device encryption, password complexity, and screen lock. Select iOS 15. Strengthen Zero Trust with AI and integration. D: Dec 1, 2022 · Endpoint data sources: Getting insights and data for attacks and malware on cloud-hosted servers is often faster, easier, and more precise with native cloud-detection tools. Learn more. After verifying the tenant meets the pre-requisites, enabling the feature requires turning on relevant toggles both in Microsoft Defender for Endpoint and Microsoft Endpoint Manager. Once opened, the sensors will identify if the document is malicious or not. Apr 24, 2024 · Performance analyzer for Microsoft Defender Antivirus in Windows 10, Windows 11, and Windows Server, is a PowerShell command-line tool that helps you determine files, file extensions, and processes that might be causing performance issues on individual endpoints during antivirus scans. Windows Clients are pretty straightforward. Bitdefender - Implementing Security Best Practices in the Virtual Data Center. For more information, see Authorize access to data in Azure Storage. Restrict internet access to DCs. May 29, 2024 · In the Windows Security App, go to Virus & threat Protection settings > Manage settings, and verify that Dev Drive protection is enabled. Mar 27, 2024 · These allow rules lead to a false sense of security and are frequently found and exploited by red teams. However, if necessary, you can exclude files, folders, processes, and process-opened files from Microsoft Defender Antivirus scans. Best practice: Create network access controls between subnets. By default, visible details include: Device name. 
Review Defender for Endpoint by filling out a Gartner Peer Insights survey and receive a $25 USD gift card (for customers only). May 22, 2024 · Microsoft Defender for Endpoint Plan 1; Microsoft Defender for Endpoint Plan 2; Microsoft Defender Antivirus; Platforms. For a Get comprehensive features, automation, guided experiences, and threat intelligence with Microsoft Sentinel and Microsoft Defender XDR, which combine extended detection and response (XDR) and security information and event management (SIEM) capabilities to deliver a unified security operations platform. This is yet another way we are creating integrations between hardware and software with our ecosystem partners to create choice for customers based on their specific Jul 16, 2023 · Endpoint solutions. Includes everything in Endpoint P1, plus: Endpoint detection and response. Entries with user or user groups can reference objects from either Entra Id or a local Active Directory. You can use security baselines to rapidly deploy a best practice configuration of device and application settings to protect your users and devices. Intune's endpoint detection and response policies include platform-specific profiles to manage the onboarding installation of Microsoft Defender for Endpoint. In the search results section, click on Microsoft Defender and click Select. - Microsoft Teams for communication, collaboration, and sharing May 18, 2021 · The security community is continuously changing, growing, and learning from each other to better position the world against cyber threats. Antivirus policy includes several profiles. Your community for best practices and the latest news on Microsoft Defender for Endpoint. Mar 3, 2022 · The partnership between Intel and Microsoft can help provide stronger full-stack security from hardware to software and enhance our detections in Microsoft Defender for Endpoint. Learn more—download Top 20 use cases for CASB . 
Devices not at High cloud block level won't generate alerts for any <ASR Rule, Rule State> combinations. Azure Virtual Desktop has many built-in advanced security features, such Aug 19, 2019 · Microsoft Defender for Endpoint enables enhanced security by protecting cyber threats, advanced attacks and data breaches, automate security incidents, and enhance the current level of security already in place. May 20, 2024 · Install Microsoft Defender For Endpoint using the command line. Jan 10, 2024 · Azure Virtual Desktop is a managed virtual desktop service that includes many security capabilities for keeping your organization safe. Use the tabs to select and view the settings in the most recent baseline version and a few older versions that might still be in use. Microsoft Defender for Endpoint P2 offers all the capabilities in P1, plus endpoint detection and response, automated investigation and incident response, and cyberthreat and vulnerability management. Here are some best practices to keep in mind when setting up endpoint security for your organization: ‍. Today, we are releasing an AI security risk assessment framework as a step to empower organizations to reliably audit, track, and improve the security of the AI systems. I will guide you through important configurations and strategies to enhance your organisations security. C: Since the system drive (for example, C: or D:) drive is formatted with NTFS, it's not eligible for Defender Performance mode. Each profile includes an onboarding package that applies to the device platform that the policy targets. Firewall status. Unified security tools and centralized management. Status. That there are additional configurations that can affect AuditD subsystem CPU strain. Part 1 (How to enroll device to Microsoft The Microsoft cloud security benchmark is the Microsoft-authored set of guidelines for security and compliance best practices. Reserve **Full Scan** for investigating virus attacks. 
Applies to: Microsoft Defender for Endpoint Plans 1 and 2; Microsoft Defender Antivirus; Platforms. Tip In the Intune admin center, if the Connection status at the top of the Microsoft Defender for Endpoint page is already set to Enabled , the connection to Intune is already active and the admin center displays different UI Apr 1, 2020 · With Microsoft Defender ATP, this flexibility is included without the need to acquire additional licenses. Aug 23, 2021 · Best practices for optimizing custom indicators. Endpoint detection and response - When you integrate Microsoft Defender for Endpoint with Intune, use the endpoint security policies for endpoint detection and response (EDR) to manage the EDR Included with Microsoft 365 E3. We are migrating from Kaspersky to MDE. But neither are native to Windows 7 and 8. Run the following command to install Microsoft Defender for Endpoint: Msiexec /i md4ws. Select See volumes. Detail: Enable the Microsoft Defender for Endpoint integration via your Defender for Cloud security policy. May 31, 2024 · Learn how to set up and configure Defender for Endpoint Plan 1. Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat. First, open the MEM portal and select Endpoint security > Antivirus > + Create Policy: Then, select Windows 10 and later and Microsoft Defender Antivirus from the dropdowns. If you are using Microsoft Defender Antivirus, some or all of the suggested exclusions that are mentioned in this article might be built-in or provided by automatic exclusions. Review the rest of information about the app and click Next. Apr 24, 2024 · Microsoft Defender for Endpoint Plan 1; Microsoft Defender for Endpoint Plan 2; Microsoft Defender Antivirus; Platforms. That communication occurs over the internet. Trend Micro - Deep Security Recommended Exclusions. Employees today expect their systems to be deployed quickly and ready to use. 
But Windows Server: ASR rules with <ASR Rule, Rule State> combinations are used to surface alerts (toast notifications) on Microsoft Defender for Endpoint only for devices at cloud block level High. Microsoft Defender ATP is purchased on a per user basis which covers users for up to 5 concurrent devices of the licensed user, allowing you to expand endpoint protection to additional devices used by licensed users with zero friction. This option incurs extra costs for the data ingestion. Nov 26, 2019 · In Endpoint Manager/Intune, you can enable it in either of two ways. For more information, see the following articles: Manage exclusions for Microsoft Defender for Endpoint and Microsoft Defender Antivirus Apr 13, 2022 · Limit the use of Domain Admin privileges. Set preferences for Microsoft Defender for Endpoint Apr 22, 2024 · Some tables in this article might not be available in Microsoft Defender for Endpoint. Feb 11, 2021 · A playbook for modernizing security operations. If you have Microsoft Defender for Endpoint (which includes Microsoft Defender Antivirus alongside additional device protection capabilities), skip this article and proceed to Onboard non-persistent virtual desktop infrastructure (VDI) devices in Microsoft Defender XDR. Jun 21, 2021 · Post. Nov 8, 2021 · Upload a log file from your network firewall or enable logging via Microsoft Defender for Endpoint to discover Shadow IT in your network. In this pert, we delve into essential insights and best practices for Microsoft Defender for Endpoint. Figure 1 identifies such concerns as per the IoT Signals report published in October 2021: Ensuring data privacy (46%). EDR alerts are generated for ASR rules in the specified states Oct 15, 2021 · App Deployment & Patching Best Practices w/ MVP Johan Arwidmark. David Kennedy, Founder of Binary Defense and TrustedSec. Best practice: Segment the larger address space into subnets. 
Connect your cloud apps to detect suspicious user activity and exposed sensitive data. The Forrester study also found that “existing solutions failed to provide the high-fidelity signals, comprehensive visibility, and end-to-end self-healing capabilities needed to defend against today’s sophisticated attackers and volume of cyberthreats. Custom indicators of compromise (IoC) are an essential feature for every endpoint solution. Reducing your attack surface means protecting your organization's devices and network, which leaves attackers with fewer ways to attack. In the meantime, I am including docs that highlight some of our key protection features: Specifically for mac/linux: Set preferences for Microsoft Defender for Endpoint on Mac | Microsoft Docs. . I am looking for best practice settings around url scanning and blocking when users access the urls in received via emails in their mobile devices. Microsoft - FSLogix Antivirus Exclusions. You can move your advanced hunting workflows from Microsoft Defender for Endpoint to Microsoft Defender XDR by following the steps in Migrate advanced hunting queries from Microsoft Feb 20, 2024 · Microsoft Defender for Endpoint Blog. More Resources Citrix Ready Workspace Security Program. May 20, 2024 · Related to roles and access management in Microsoft Purview, you can apply the following security best practices: Define roles and tasks required to deploy and manage Microsoft Purview inside an Azure subscription. Jan 11, 2023 · Dear Audience, the original content of this blog meanwhile got extended and moved as official Microsoft documentation that we jointly created with our colleagues of the MDE Development and Product Management team. Tools like Microsoft Defender for Cloud and endpoint detection and response (EDR) solutions provide more precise data than traditional approaches of direct disk access. Windows Event Forwarding. Alerts list that is part of incident. 
- Create different **Endpoint Configuration Manager AV policies** for various device types This guide covers Microsoft Defender for Endpoint plans, deployment prerequisites, device onboarding, and recommended configurations. EDR is a cybersecurity technology that continuously monitors endpoints for evidence of threats and performs automatic actions to help mitigate them. You can find the comprehensive documentation under the title Deployment guidance for Microsoft Defender for Endpoint on Linux for SAP. EDR defined. Jul 25, 2023 · It also does not affect deployments to systems that are not running memory integrity. 2 days ago · When evaluating various solutions, your peers value hearing from people like you who’ve used the product. Included with Microsoft 365 E5. Drive. - Anti-spam, anti-malware, and anti-phishing protection for email - Advanced threat protection for email and Office documents: 6. If You will need one ADR to deploy definitions updates (3 times per day seems to be the current recommendation) Of course, the prerequisite is to properly Configure the Software Update Point: schedule the sync of the SUP 3 times per day (custom interval, recur every 8 hours. Jun 2, 2021 · Secure users with Microsoft Defender for Endpoint Mobile Threat Defense. Data is reported through the Windows DeviceStatus CSP, and identifies each device where the Firewall is off. Option 1) Endpoint Security > Endpoint detection and response. Keep in mind the principle of least privilege when assigning permissions to a Microsoft Entra security principal via Azure RBAC. In the latest post from our new Voice of the Community blog Jun 4, 2024 · On Windows, a user or user group can be a condition on an entry in a policy. Automatic exclusions for roles on Windows Server 2016 and later. 
It combines the most advanced GPT4 model from OpenAI with a Microsoft-developed security model, powered by Microsoft Security’s unique expertise, global threat intelligence, and comprehensive security Feb 28, 2024 · As our organization has encouraged users to enroll their personal devices via intune, what are the best practice settings that we can configure via defender app without affecting user privacy. Use jump boxes for RDP access or MMC access. Monitor the application and determine storage bandwidth and latency requirements for SQL Server data, log, and tempdb files before choosing the disk type. Even though Windows and Windows Server are designed to be secure out-of-the-box, many organizations still want more granular Dec 7, 2023 · After some weeks here is the second part of my series on Microsoft Defender for Endpoint. This is the basic prerequisite for using BitLocker. Windows; In general, you shouldn't need to define exclusions for Microsoft Defender Antivirus. Do not install 3rd party applications on DCs. AND. Security endpoints for each IoT device (39%). ), printers, Bluetooth devices, or other Mar 26, 2024 · Intune supports security baselines for Windows 10/11 device settings, Microsoft Edge, Microsoft Defender for Endpoint Protection, and more. Windows; This article describes types of exclusions that you don't have to define for Microsoft Defender Antivirus: Built-in exclusions for operating system files on all versions of Windows. You can see more benefits with the integration in the following link: Apr 18, 2023 · Best practice: Speed up your investigation and hunting processes and reduce false positives by integrating Endpoint Detection and Response (EDR) capabilities into your attack investigation. 
Applies to: Microsoft Defender for Endpoint Plan 1; Microsoft Defender for Endpoint Plan 2; Microsoft Defender for Business; Device control capabilities in Microsoft Defender for Endpoint enable your security team to control whether users can install and use peripheral devices, like removable storage (USB thumb drives, CDs, disks, etc. Dec 7, 2023 · After some weeks here is the second part of my series on Microsoft Defender for Endpoint. Part 1: Security intelligence updates download and availability. Citrix Guidelines for Antivirus Software Configuration Tip. This widely respected benchmark builds on controls from the Center for Internet Security (CIS) and the National Institute of Standards and Technology (NIST) , with a focus on cloud-centric security. In addition, we are providing new updates to Counterfit, our open-source tool to simplify assessing the security posture of AI Included with Microsoft 365 E3. Jan 3, 2024 · To use Microsoft Defender for Endpoint on iOS devices, you need to onboard them to the service and assign licenses to users. Microsoft Defender for Endpoint P1 offers a foundational set of capabilities, including industry-leading antimalware, cyberattack surface reduction, and device-based conditional access. Jun 13, 2024 · About Intune policy for endpoint detection and response. Choose an existing policy or create a new one. May 15, 2024 · In this article. Deception techniques. Microsoft Defender for Endpoint delivers preventative protection, post-breach detection, automated investigation, and response. Part 1 (How to enroll device to Microsoft Dec 9, 2021 · Best practices for AI security risk management. **Scan Types**: - For daily scheduled scans on all systems, use **Quick Scan**. Best practices for using device control with users and user groups Oct 12, 2023 · Microsoft Entra ID provides superior security and ease of use over Shared Key for authorizing requests to Blob storage. 
Aug 15, 2022 · Hi Rob, we currently do not have an all-up best practices doc but we have a related article in-plan. The architecture of Azure Virtual Desktop comprises many components that make up the service connecting users to their desktops and apps. The endpoint allows other resources in the network to communicate with the PaaS service over the private IP address. Apr 24, 2024 · Microsoft Defender for Endpoint is now available as Microsoft Defender in the play store. Use Microsoft Defender for Cloud to deploy Azure Defender for servers for your endpoint and integrate the alerts to your SIEM solution such as Azure Sentinel. May 1, 2024 · As a general best practice, it is recommended to update the Microsoft Defender for Endpoint agent to latest available version and confirming issue still persists before investigating further. The security community is continuously changing, growing, and learning from each other to better position the world against cyber threats. The following table offers a breakdown of the features included in Microsoft Defender for Endpoint Plans 1 and 2. Apr 24, 2024 · Microsoft Defender for Endpoint Plan 2; Microsoft Defender Antivirus; Platforms. Apr 22, 2024 · Open the Microsoft Intune admin center, and then go to Endpoint security > Firewall > MDM devices running Windows 10 or later with firewall off. Business Planner. 1. Train everyone on email best practices. Alert named "Powermet malware was blocked" is highlighted. msi /quiet To uninstall, ensure the machine is offboarded first using the appropriate offboarding Aug 25, 2023 · Microsoft Intune: A Microsoft cloud-based management solution that offers mobile device management, mobile application management, and PC management capabilities. Detail: Use CIDR -based subnetting principles to create your subnets. Custom IoCs provide SecOps with greater capacity to fine-tune detections based on their organization’s particular and contextualized threat intelligence. 
Note: If you don't have Microsoft 365 admin permissions, open the guide in a test or POC tenant to get instructions. In this article. May 13, 2024 · Intune Endpoint security Antivirus policies can help security admins focus on managing the discrete group of antivirus settings for managed devices. Feb 17, 2022 · 2. Each profile contains only the settings that are relevant for Microsoft Defender for Endpoint antivirus for macOS and Windows devices, or for the user May 17, 2024 · Note. Jul 16, 2022 · MDE Onboarding Best Practices. Define roles and task needed to perform data management and governance using Microsoft Purview. Mar 11, 2024 · The checklist in this section covers the storage best practices for SQL Server on Azure VMs. Based on how you log into the app with your work or personal account, you have access to features for Microsoft Defender for Endpoint or for Microsoft Defender for individuals. To prepare your organization for Microsoft Defender for Endpoint, first review the required May 9, 2023 · First, Microsoft Defender for Endpoint will isolate any untrusted documents in a lightweight container with sensors. If you need to collect logs from Endpoint solutions, such as EDR, other security events, Sysmon, and so on, use one of the following methods: Microsoft Defender XDR connector to collect logs from Microsoft Defender for Endpoint. If available, configure the tempdb data and log files on the D: local SSD volume. This blog post explains the onboarding process of the recently announced support of Microsoft Defender for Endpoint on Intune managed iOS/iPadOS devices enrolled with Apple User Enrollment mode. For all release announcements on Microsoft Defender for Endpoint from features under development to retirement, visit the M365 Roadmap. 2. The selected data center location is shown on the screen. Jun 25, 2020 · Configure bare minimum settings that tell the VDI machines where to go to get the updates. 
Learn how IT Pros can deploy & manage Microsoft Defender for Endpoint on their organizations iOS & Android devices and understand capabilities available across both platforms. While attack prevention is preferable to retroactive detection, these days it is not reasonable to expect that an Aug 23, 2021 · Step one was device hardware and identifying which systems have a Trusted Platform Module (TPM) 1. Microsoft Defender Antivirus exclusions don't apply to other Microsoft Defender for Endpoint capabilities, including endpoint detection and response (EDR), attack surface On the Add app page, click on Search the App Store and type Microsoft Defender in the search bar. Windows; Keeping Microsoft Defender Antivirus up to date is critical to assure your devices have the latest technology and features needed to protect against new malware and attack techniques. Feb 12, 2021 · Missing MDE (Microsoft Defender for Endpoint) exclusion If you need to apply exclusion for threat detected by Defender for Endpoint Cloud Service, use the related exclusion. Microsoft Defender for Endpoint supports a robust Aug 19, 2019 · Microsoft Defender for Endpoint enables enhanced security by protecting cyber threats, advanced attacks and data breaches, automate security incidents, and enhance the current level of security already in place. To integrate Microsoft Defender for Endpoint with Microsoft Intune, it can help you prevent security breaches and limit the impact of breaches within an organization. Microsoft Copilot for Security is the first generative AI security product that will help defend organizations at machine speed and scale. Expand table. Consider using Microsoft Sentinel for threat Jun 8, 2023 · Microsoft Defender Experts observed a multi-stage adversary-in-the-middle (AiTM) and business email compromise (BEC) attack targeting banking and financial services organizations over two days. 
Microsoft Defender for Endpoint Plan 1; Microsoft Defender for Endpoint Plan 2; Attack surfaces are all the places where your organization is vulnerable to cyberthreats and attacks. Microsoft Defender for Endpoint is part of Microsoft 365 Defender, a fully-fledged extended detection and response Oct 15, 2021 · Microsoft Defender for Endpoint (MDE) is much more than a traditional antivirus service. Aug 31, 2021 · Microsoft Defender for Endpoint offers one of the best antimalware capabilities in the industry with built in machine learning and behavioral monitoring, and consistently achieving top scores in independent AV tests. This attack originated from a compromised trusted vendor, involved AiTM and BEC attacks across multiple supplier/partner organizations for financial fraud, and did not use a reverse proxy like typical Apr 25, 2022 · During a thorough survey, organizations were asked about their top security concerns when implementing IoT. Microsoft Defender for Endpoint (MDE, previously known as Microsoft Defender Advanced Threat Protection) is Microsoft’s endpoint security platform that goes far and beyond the traditional Sep 28, 2020 · Let’s jump to configuring Microsoft Defender Antivirus. Some security policy settings can be set via the local security policy editor. 2 or higher.