Updates from: 01/11/2023 02:29:12
Category Microsoft Docs article Related commit history on GitHub Change details
commerce Volume Licensing Invoices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/licenses/volume-licensing-invoices.md
You can see two types of invoices: debit invoice and credit memo.
## Who receives VL invoices by email?
-The **Bill To contact** for the contract receives invoices by email from no-reply@microsoft.com.
+The **Bill To contact** for the contract receives invoices by email from microsoft-no-reply@microsoft.com.
-Be sure to add no-reply@microsoft.com to your safe senders list or modify any existing email rules to avoid emails landing in your junk folder.
+Be sure to add microsoft-no-reply@microsoft.com to your safe senders list or modify any existing email rules to avoid emails landing in your junk folder.
## How do I become a Volume Licensing Service Center (VLSC) user?
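Review bot: the two '+' lines that swap the sender address to microsoft-no-reply@microsoft.com tell readers to add it to their safe senders list but say nothing about the previous no-reply@microsoft.com address, so anyone who followed the earlier version keeps a stale allow-list entry; suggest one sentence stating whether the old address is retired and whether its entry should be removed. Because a safe-sender rule keyed only on the From address exempts any message bearing that address from junk filtering, it would also help to recommend a rule that additionally requires the message to pass sender authentication (SPF/DKIM/DMARC) rather than matching the address alone.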
compliance Dlp Migration Assistant For Symantec Get Started https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/dlp-migration-assistant-for-symantec-get-started.md
+
+ Title: "Get started with the Microsoft Purview Data Loss Prevention migration assistant for Symantec"
+f1.keywords:
+- CSH
+++ Last updated :
+audience: ITPro
++
+ms.localizationpriority: high
+
+- purview-compliance
+- m365solution-mip
+- m365initiative-compliance
+- highpri
+search.appverid:
+- MET150
+description: "This article describes the prerequisites and configuration of the Microsoft Purview Data Loss Prevention migration assistant for Symantec."
++
+# Get started with the Microsoft Purview Data Loss Prevention migration assistant for Symantec (preview)
+
+This article walks you through the prerequisites and installation of the [Microsoft Purview Data Loss Prevention migration assistant for Symantec](dlp-migration-assistant-for-symantec-learn.md).
+
+## Before you begin
+
+If you're using the Microsoft Purview Data Loss Prevention migration assistant for Symantec for the first time, ensure the following prerequisites are met:
+
+> [!TIP]
+> If the application won't launch after completing all the steps in this article, refer to [Troubleshooting](dlp-migration-assistant-for-symantec-use.md#troubleshooting).
+
+### 1. Have appropriate Microsoft 365 subscription
+
+You'll need the appropriate DLP licensing for the locations that the migrated policies are scoped to. Check [here](https://aka.ms/dlplicensing).
+
+### 2. Have appropriate user role and privileges
+
+You need to have a *Global Administrator or Compliance Administrator* role to be able to use the migration assistant.
+
+### 3. Check your Operating System
+
+You can only install and run the migration assistant on these operating systems:
+
+- Windows 11,10,8.1,7
+- Windows Vista
+- Windows Server 2008+
+- Windows Server 2003 (excluding IA-64)
+
+### 4. Install PowerShell
+
+You must have PowerShell v7.2.6 or higher installed on your machine, before the migration assistant can be installed. [Download Powershell-7.2.6-win-x64.msi core on your machine](https://github.com/PowerShell/PowerShell/releases/download/v7.2.6/PowerShell-7.2.6-win-x64.msi).
+
+### 5. Install .NET
+
+You must have installed .NET v6.0.401 or higher on your machine, before the migration assistant can be installed. [Download .NET 6 core SDK on your machine](https://dotnet.microsoft.com/download/dotnet/thank-you/sdk-6.0.401-windows-x64-installer).
+
+> [!IMPORTANT]
+> If you don't already have .NET v6.0.401 installed and attempt to install it through the migration tool installation, you will be directed to the wrong version of .NET. You must have .net v6.0.401 installed.
+
+### Export Symantec DLP policies
+
+Before you begin migration process, you need to export your Symantec DLP policies.
+
+You need to export these policies as XML files from Symantec DLP. Export the policies using these [procedures](https://go.microsoft.com/fwlink/?linkid=2221525).
+
+## Installation steps
+
+Follow these steps to install the Microsoft Purview Data Loss Prevention migration assistant for Symantec:
+
+1. Download and launch **[MigrationAssistantforMicrosoftPurviewDLP.msi](https://aka.ms/DLPMigrationAssistant)** file.
+2. The following dialog box will open. Select **Next**.
+3. Review the End-User License Agreement.
+4. After reviewing, accept the License Agreement and select **Next**.
+5. Select the location where you want to install the migration assistant and select **Next**.
+6. Once installer is ready, select **Install** to begin installation.
+7. Wait while the migration assistant is being installed.
+8. Once migration assistant is installed, select **Finish** and close the dialog box.
+
+## Next steps
+
+Now that you have installed Microsoft Purview Data Loss Prevention migration assistant for Symantec (preview), you're ready to move on to your next step where you use the migration tool.
+
+- [Using the Microsoft Purview Data Loss Prevention migration assistant for Symantec](dlp-migration-assistant-for-symantec-use.md)
+
+## See also
+
+- [Learn about the Microsoft Purview Data Loss Prevention migration assistant for Symantec](dlp-migration-assistant-for-symantec-learn.md)
+- [Learn about data loss prevention](dlp-learn-about-dlp.md)
+- [Create, test, and tune a DLP policy](create-test-tune-dlp-policy.md)
+- [Microsoft 365 subscription](https://www.microsoft.com/microsoft-365/compare-microsoft-365-enterprise-plans?rtc=1)
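Review bot: the operating system list under "3. Check your Operating System" (Windows Vista, Windows 7/8.1, Windows Server 2003, Windows Server 2008+) conflicts with the prerequisites two headings later, which require PowerShell 7.2.6 and .NET 6.0.401: neither runtime ships for Windows Vista or Windows Server 2003, so the list should be trimmed to the platforms those runtimes actually support, and naming out-of-support systems as targets for a tool that signs in with a Global Administrator or Compliance Administrator account deserves a second look. Also: the front matter is malformed (the "Last updated" line has no value, there are stray lone "+" lines, and the collection list beginning "- purview-compliance" has lost its key), the "Export Symantec DLP policies" heading breaks the "### 1." through "### 5." numbering, and installation step 2 says "The following dialog box will open" with no image following it. Since the PowerShell prerequisite links straight to an .msi on GitHub, consider linking the release page instead so readers can compare the published file hash before installing.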
compliance Dlp Migration Assistant For Symantec Learn https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/dlp-migration-assistant-for-symantec-learn.md
+
+ Title: "Learn about the Microsoft Purview Data Loss Prevention migration assistant for Symantec"
+f1.keywords:
+- CSH
+++ Last updated :
+audience: ITPro
++
+ms.localizationpriority: high
+
+- purview-compliance
+- m365solution-mip
+- m365initiative-compliance
+- highpri
+search.appverid:
+- MET150
+description: "The migration assistant tool is a Windows based desktop application that will migrate your DLP policies from other DLP platforms to Microsoft DLP platform."
++
+# Learn about the Microsoft Purview Data Loss Prevention migration assistant for Symantec (preview)
+
+This article helps you to learn about the Microsoft Purview Data Loss Prevention migration assistant for Symantec.
+
+The migration assistant tool is a Windows-based desktop application that will migrate your Symantec data loss prevention (DLP) policies to Microsoft Purview Data Loss Prevention. This tool takes you through the five-step migration process. It accepts Symantec DLP policy XML exports, performs mapping, and creates equivalent DLP policies through PowerShell scripts. You can use the migration assistant tool to create DLP policies in test mode. Policies in test mode won't impact your live data or impact your existing business processes.
+
+## What can the migration assistant help with?
+
+The migration assistant helps with some of the tasks involved in a Data Loss Prevention (DLP) migration project:
+
+- In a manual migration scenario, you need to perform a feasibility analysis between the source and target DLP platforms, map the features, migrate policies manually, and test and tweak DLP policies. With the migration assistant, your migrated DLP policies can be up and running within minutes of starting the migration assistant process.
+- With migration assistant, you can quickly scale up your migration project. You can start by moving a single policy manually to multiple policies at the same time.
+- The migration assistant automatically identifies sensitive information types (SITs) or Data Identifiers in source policies and creates custom SITs in your Microsoft tenant. It also moves all of your custom regular expressions and keywords in a few clicks.
+- The migration assistant detects which conditions, exclusions and actions are currently being used in source policies and automatically creates new rules with the same conditions, and actions.
+- The migration assistant provides you with a detailed migration report that includes the migration status and recommendations at the policy level.
+- The migration assistant ensures that your DLP policy migration project is private and takes place within the boundaries of your organization.
+
+## How does the migration assistant for Symantec work?
+
+Here's how the migration process works:
++
+Each time the migration assistant runs, it runs the following steps:
+
+- **Input:** The migration assistant ingests one or more Symantec DLP policy XML files.
+- **Analyze:** The migration assistant interprets the files and identifies Symantec DLP policy constructs.
+- **Rationalize:** The migration assistant maps the identified Symantec DLP policy constructs to Microsoft DLP capabilities. It performs validations for Microsoft DLP platform limitations.
+- **Migrate:** The migration assistant runs PowerShell scripts for the DLP scenarios identified and supported by the UDLP platform.
+- **Report:** The migration assistant reports which policies were migrated successfully, which were partially migration, and which ones couldn't be migrated. It also provides recommendations to improve future migrations.
+
+## Understand mapping of Symantec DLP elements to Microsoft Purview DLP elements
+
+Here's how the migration assistant translates different policy elements from Symantec DLP to Microsoft Purview DLP:
+
+### Symantec DLP supported versions
+
+The migration assistant supports migrating DLP policies from Symantec versions 15.0 through 15.7 maintenance packs included.
+
+### Supported Workloads
+
+The migration assistant migrates policies into these workloads.
+
+| **Workload** | **Migration assistant support** |
+| - | - |
+| Exchange Online (EXO)| Yes |
+| SharePoint Online (SPO) | Yes |
+| OneDrive for Business (ODB) | Yes |
+| Teams chat and channel messages | Yes |
+| Endpoint devices | Yes |
+
+> [!TIP]
+>You can use the migration assistant to extended to more workloads than the ones detected in the input Symantec DLP policy.
+
+### Classification Elements
+
+Here's how the migration assistant maps Symantec elements to Purview DLP elements.
+
+| **Symantec Classification Element** | **Microsoft Purview DLP Classification Element** |
+| - | - |
+| Regular Expression| Create new custom sensitive information type (SIT) with the regular expression.|
+| Keyword | Create new custom SIT with a keyword list or keyword dictionary.|
+| Keyword Pair | Create new custom SIT with first keyword list as primary element & second keyword list as a supporting element with 300 char proximity. |
+| Data Identifier | Map to pre-configured SIT if an equivalent is available, else create a new custom SIT. |
+
+Here are the mapping details of optional validators for sensitive information types (also known as Data Identifiers in Symantec DLP) that the migration assistant uses while translating Symantec DLP policies:
+
+| **Symantec Optional Validators** | **Microsoft Purview DLP Optional Validators**|
+| -- | |
+| Exclude exact match | Exclude specific matches |
+| Exact Match Data Identifier Check | NA |
+| Exclude beginning characters | Starts or doesn't start with characters |
+| Exclude ending characters | Ends or doesn't end with characters |
+| Exclude prefix | Include or Exclude prefixes |
+| Exclude suffix | Include or Exclude prefixes |
+| Number Delimiter| NA |
+| Require beginning characters | Starts or doesn't start with characters |
+| Exact Match | NA |
+| Duplicate digits| Exclude duplicate characters |
+| Require ending characters | Ends or doesn't end with characters |
+| Find keywords | Available as both primary & supporting elements |
+
+### Regular Expressions ΓÇô Potential validation issues to be aware of
+
+When you upload your rule package XML file, the system validates the XML and checks for known bad patterns and obvious performance issues. Here are known issues that the validation process checks a regular expression for.
+
+- Can't begin or end with alternator "|", which matches everything because it's considered an empty match.
+ - For example, "|a" or "b|" won't pass validation.
+- Can't begin or end with a ".{0,m}" pattern, which has no functional purpose and only impairs performance.
+ - For example, ".{0,50}ASDF" or "ASDF.{0,50}" won't pass validation.
+- Can't have ".{0,m}" or ".{1,m}" in groups, and can't have ".*" or ".+" in groups.
+ - For example, "(.{0,50000})" won't pass validation.
+- Can't have any character with "{0,m}" or "{1,m}" repeaters in groups.
+ - For example, "(a*)" won't pass validation.
+- Can't begin or end with ".{1,m}"; instead, use just "."
+ - For example, ".{1,m}asdf" won't pass validation; instead, use just ".asdf".
+- Can't have an unbounded repeater (such as "*" or "+") on a group.
+ - For example, "(xx)*" and "(xx)+" won't pass validation.
+
+### Condition and Exception Mapping
+
+Here's how the migration assistant maps Symantec condition and exception elements for various workloads to Purview DLP conditions.
+
+#### Exchange Workload
+
+| **Condition/Exception in Symantec** | **Condition in Microsoft Purview DLP** |
+| | -- |
+| Content Matches Regular Expression | Content contains SIT |
+| Content Matches Keyword | Content contains SIT |
+| Content Matches Data Identifier | Content contains SIT |
+| Content Matches Classification | Not supported |
+| File Properties<br><li>File name<li>File type | One or more of the following:<li>Document name is<li>File extension is |
+| Message Attachment or File Type Match | One or more of the following:<li>Attachment is password protected<li>Attachment's file extension is |
+| Message Attachment or File Size Match | Document size equals or is greater than |
+| Message Attachment or File Name Match | One or more of the following:<li>Document name contains words or phrases<li>Document name matches patterns |
+| Message/Email Properties and Attributes | One or more of the following:<li>Email subject contains|
+| Sender/User Matches Pattern | One or more of the following:<li>Sender is<li>Sender is a member of<li>Sender domain is<li>Sender address contains words<li>Sender address matches patterns<li>Sender IP address is |
+| Recipient Matches Pattern | One or more of the following:<li>Recipient is a member of<li>Recipient domain is<li>Recipient is<li>Recipient address contains words<li>Recipient address matches patterns |
+| Sender/User based on a Directory Server Group | Not supported |
+| Recipient based on a Directory Server Group | Not supported |
+| Content Matches Exact Data from an Exact Data Profile (EDM) | Not supported |
+| Content Matches Document Signature from an Indexed Document Profile (IDM) | Not supported |
+| Detect using Vector Machine Learning profile (VML) | Not supported |
+| Protocol Monitoring<li>SMTP protocol | Exchange (EXO) DLP policy |
+
+#### Endpoint Devices, SharePoint Online, OneDrive and other workloads
+
+| **Condition/Exception in Symantec** | **Condition in Microsoft Purview DLP** |
+| -- | - |
+| Content Matches Regular Expression | Content contains SIT |
+| Content Matches Keyword | Content contains SIT |
+| Content Matches Data Identifier | Content contains SIT |
+| Message Attachment or File Type Match | DocumentΓÇÖs file extension is |
+| Protocol Monitoring<li>HTTP<li>HTTPS<li>FTP | Cross-workload DLP policy(s) |
+| Protocol Monitoring: Endpoint Device Type<li>CD/DVD<li>Removable storage<li>Copy to network share<li>Printer/Fax<li>Clipboard<li>Cloud storage<li>Application File Access<li>SEP Intensive Protection | One or more of the following (Devices):<li>Copy to USB removable media<li>Copy to network share<li>Copy to clipboard<li>Print<li>Upload to cloud service domains or access by browsers that aren't allowed |
+
+### Response Rules
+
+Here's how the migration assistant maps Symantec response rules to Microsoft Purview DLP actions.
+
+| **Symantec Response Rule** | **Microsoft Purview DLP Action**|
+| -- | -- |
+| Generate DLP Incident | Generate Alert |
+| Logging (Syslog) | Audit logs |
+| Network Prevent: Modify SMTP Message<li>Modify email subject<li>Modify header | One or more of the following:<li>Prepend subject<li>Set headers |
+| Network Prevent: Block SMTP Message<li>Bounce message to sender<li>Redirect message to this address | One or more of the following:<li>Block / Restrict access<li>Send user notification<li>Redirect message to |
+| Send Email Notification | Send User Notification |
+| Endpoint Prevent<li>Notify<li>Notify with Cancel<li>Block | One or more of the following (Endpoint Devices)<li>Notify<li>Block<li>Audit |
+| User Cancel| One or more of the following:<li>Block / Restrict access<li>User Overrides |
+
+## Next steps
+
+Now that you've learned about the Microsoft Purview Data Loss Prevention migration assistant for Symantec, your next steps are:
+
+1. [Get started with the Microsoft Purview Data Loss Prevention migration assistant for Symantec](dlp-migration-assistant-for-symantec-get-started.md)
+2. [Use the Microsoft Purview Data Loss Prevention migration assistant for Symantec](dlp-migration-assistant-for-symantec-use.md)
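Review bot: two table delimiter rows are malformed and will break rendering: the optional validators table uses "| -- | |" (empty second cell) and the Exchange workload table uses "| | -- |" (empty first cell); every cell of the separator row needs at least one dash. In the same validators table, "Exclude suffix" maps to "Include or Exclude prefixes", which duplicates the "Exclude prefix" row and presumably should read "suffixes". Smaller points: "UDLP platform" in the Migrate bullet is an acronym the article never defines (elsewhere it says Microsoft DLP or Microsoft Purview DLP); "which were partially migration" in the Report bullet should be "partially migrated"; the tip "You can use the migration assistant to extended to more workloads" needs rewording (for example "to extend policies to more workloads"); and the heading "Regular Expressions ΓÇô Potential validation issues" and the cell "DocumentΓÇÖs file extension is" carry mis-encoded en dash and apostrophe characters that should be plain ASCII or correct UTF-8.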
compliance Dlp Migration Assistant For Symantec Use https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/dlp-migration-assistant-for-symantec-use.md
+
+ Title: "Use the Microsoft Purview Data Loss Prevention migration assistant for Symantec"
+f1.keywords:
+- CSH
+++ Last updated :
+audience: ITPro
++
+ms.localizationpriority: high
+
+- tier1
+- purview-compliance
+- m365solution-mip
+- m365initiative-compliance
+- highpri
+search.appverid:
+- MET150
+description: "Learn how to use the Microsoft Purview Data Loss Prevention migration assistant for Symantec to migrate your DLP policies from other DLP platforms to Microsoft's DLP platform."
++
+# Use the Microsoft Purview Data Loss Prevention migration assistant for Symantec (preview)
+
+This article takes you through using the [Microsoft Purview Data Loss Prevention migration assistant for Symantec](dlp-migration-assistant-for-symantec-learn.md).
+
+Before you start with migration, ensure you've met the following prerequisites:
+
+- Complete the steps in the [Before you begin](dlp-migration-assistant-for-symantec-get-started.md#before-you-begin) section.
+- Ensure that you've exported the required XML files from your Symantec DLP instance.
+
+Once a policy is migrated, you can test and fine-tune it in Microsoft Purview DLP.
+
+## Steps for migration
+
+Use these steps to perform a DLP policy migration:
+
+- [Step 1: Log in to your account](#step-1-log-in-to-your-account)
+- [Step 2: Upload your Symantec policy](#step-2-upload-your-symantec-policy)
+- [Step 3: Edit policy settings](#step-3-edit-policy-settings)
+- [Step 4: Review pre-migration feasibility report](#step-4-review-pre-migration-feasibility-report)
+- [Step 5: Test or turn on your policies](#step-5-test-or-turn-on-your-policies)
+- [Step 6: Migration in progress](#step-6-migration-in-progress)
+- [Step 7: View the migration report](#step-7-view-the-migration-report)
+- [Next Steps: After policy import](#next-steps-after-policy-import)
+
+### Step 1: Log in to your account
+
+After you've installed and launched the migration assistant, you need to log in.
+
+> [!IMPORTANT]
+> The first time you launch the migration assistant, please choose **Run as administrator** option. This is required as the migration assistant may need to install additional components if they're not already available on your machine.
+>
+> For all subsequent launches, you may launch the migration assistant normally and don't need to run as administrator.
++
+1. You'll be greeted with a welcome screen.
+ 1. Select **Get Started** and the migration assistant will check if your environment is set up correctly.
+ 2. Select **Next**.
+2. Enter your username and select **Login**.
+ 1. Enter your password in the browser window that opens and select **Sign in**.
+3. You need to wait until your login is validated. Simultaneously, the migration assistant fetches information that will be required in later stages of the migration process.
+ :::image type="content" source="../media/login-fetching-details.png" alt-text="Screenshot of the screen fetching details.":::
+4. Once you're logged in, choose **Next**.
+
+### Step 2: Upload your Symantec policy
+
+You need to upload your Symantec DLP policy exports, which act as input for the migration assistant. The policies you upload will be the ones that will be migrated to the Microsoft Purview DLP platform.
+
+1. To upload the files, select **Browse**.
+2. Select the required policy files in the File Explorer pop-up window and choose **Open**.
+ 1. You can select more than one XML file to migrate multiple policies at a time. It's best to migrate anywhere from one to three policies at a time to avoid confusion during later stages of the migration process.
+
+ > [!NOTE]
+ > Ensure that the XML files you upload are Symantec DLP policy exports only and no other kind of XML.
+
+3. The tool will show you a list of your selected input policy files.
+ 1. If you wish to deselect a previously selected policy file, you can select the delete icon corresponding to that policy.
+ :::image type="content" source="../media/upload-dlp-policies.png" alt-text="Screenshot of uploading DLP Policies to migrate.":::
+4. Once you've completed with the selection of policy files you wish to migrate, select **Next** and move to the next step.
+
+### Step 3: Edit policy settings
+
+Once you input the policies you want to migrate, the migration assistant will process those files and map Symantec DLP policy elements to Microsoft DLP elements.
+
+> [!IMPORTANT]
+> There may be some items that may need your review and will be marked with 'warning symbol'.
+
+ :::image type="content" source="../media/edit-policy-settings.png" alt-text="Screenshot of editing DLP policy settings.":::
+
+#### Keywords, Data Identifiers and Regular expressions
+
+Symantec DLP and Microsoft Purview Information Protection differ in how they allow users to define sensitive information that needs to be protected.
+
+Microsoft Purview Information Protection allows users to define sensitive items that need protection as sensitive information types (SITs), or through trainable classifiers. Microsoft provides many commonly used SITs like Credit Card Number that are preconfigured. If these don't meet your needs, you can create your own custom SITs.
+
+The most common ways in which Symantec users specify the types of sensitive information that need to be protected are:
+
+- Use out-of-box (OOB) Data Identifiers
+- Customize OOB Data Identifiers
+- Define regular expressions and/or keywords in DLP rules
+
+The migration assistant takes care of each of the above scenarios in one of these two ways:
+
+- **Map to an existing OOB SIT:** For all sensitive data types for which there exists an equivalent SIT in Microsoft DLP, the migration assistant will attempt to create a 1:1 mapping. It automatically maps OOB Symantec Data Identifiers to pre-configured Microsoft SITs, if an equivalent exists. If you want to bring the Symantec Data Identifier over as-is, then you can create a new SIT as described in the next step.
+
+- **Migrate as a new custom SIT:** For all sensitive data types for which there isn't an equivalent SIT available in Microsoft DLP, the migration assistant will automatically create a new SIT. Similarly, any regular expression(s) or keyword(s) defined directly in rules will be brought over as a new custom SIT.
+
+> [!NOTE]
+> Regular expressions and/or keywords defined directly at the rule-level of Symantec policies will take on the name of the rule itself and show up in the Source column. In case of multiple regular expressions and/or keywords, it will take the name of the rule name followed by roman numerals.
+>
+>Each of these will be migrated separately as a custom SIT. This may lead to confusion and we recommend you review and rename these SITs as soon as possible.
+>
+>You cannot edit the name of these SITs within the migration assistant. You can edit the names of these custom SITs from Microsoft Purview compliance portal or via PowerShell after the policy migration has been completed.
+
+#### Inclusions, Exclusions and Response Rules
+
+The current version of the migration assistant brings over policies with ΓÇÿ*Generate Incident Report*ΓÇÖ as a default action. Also, DLP policies in Microsoft DLP automatically log events in Unified Audit Log and won't need a separate action equivalent to ΓÇÿSyslogΓÇÖ in Symantec DLP.
+
+All other response rules in Symantec are currently not supported by the migration assistant and thus not migrated along with other policy elements. However, you can manually add (or remove) actions to the policies using the Compliance portal after the migration assistant has successfully migrated the policies.
+
+You'll be able to see a list of all your policies and rules within them along with their status. You can select different policies from the left column to see Details for each policy. By default, the tool will display all items that need review. You can toggle to see all items in a given policy by choosing the **Show All Items** button at the top of the Details section.
+ :::image type="content" source="../media/edit-policy-settings-mampd.png" alt-text="Screenshot of Show All Items.":::
+
+##### Policy Details
+
+Policy Name - You can edit the name of the policy before migration.
+
+Each policy will be divided into two sections:
+
+- Keywords, Data Identifiers and Regular expressions- These will be migrated as sensitive information types (SITs) in Microsoft DLP.
+
+- Rules - These will be automatically mapped to different Microsoft DLP conditions. Each row in the table will show
+ - The name that the SIT will have when migrated
+ - Potential issues that may affect migration
+ - Type of rule as detected from the input policy
+ - Status:
+ - Blank/empty status - This row element will be migrated without issues.
+ - Needs Review - This row element may have one or more issues and may require some input from you.
+ - Informational - This row element may have one or more changes needed for migration but will be auto-resolved.
+ - Unsupported - This row element isn't supported for migration by the tool and may need to be migrated manually after the tool exits.
+ - Edit button
+
+Extend policy coverage to other Microsoft locations.
+ - You can extend your current Symantec policies to other Microsoft locations in addition to the original scope of the policy.
+
+For example:
+A Purview DLP policy that's scoped to email can be extended to SharePoint, OneDrive, Teams, and Endpoint Devices.
+
+The migration assistant will auto-create a new policy based on the original policy with all supported rules for that given workload. One or more rules may be dropped if not supported for a given workload.
+
+For example:
+Email subject is condition may be dropped while extending an email (Exchange) DLP policy to OneDrive.
+
+Some checkboxes may be disabled by default, if there are no supported conditions available in extended locations.
+
+Editing a row element - When editing one or more row elements, you'll be navigated to an **Edit** screen with more details about that row element. If thereΓÇÖs any issue, it will be reported by a yellow banner at the top of the screen. You may need to make changes to the content in the editable sections, and those changes will be incorporated at the time of migration. Once you resolve the issues in the content, the yellow banner will disappear.
+
+Use existing SITs from tenant to auto replace current SIT. You may choose to replace the current SIT (which is being edited) with another SIT from your tenant.
+ :::image type="content" source="../media/sit-content.png" alt-text="Screenshot of editing SIT content.":::
+
+You can manually change any of the mappings if you wish to, by selecting on the corresponding row in the ΓÇÿTargetΓÇÖ column. This will open a drop-down list with all the out-of-box SITs (OOB SITs) and all the custom SITs (if any) that you may have previously created. You can choose the option to which you wish to map to the ΓÇÿSourceΓÇÖ row item. Alternatively, you can also choose the option ΓÇÿNew SITΓÇÖ from the drop-down and the migration assistant will bring over the Source SIT as a new custom SIT.
+
+We strongly recommend using existing SITs to replace current SITs wherever possible to help reduce creation of duplicate SITs and also reduce effort on optimizing multiple custom SITs of the same kind. Learn more about [sensitive information type entity definitions](sensitive-information-type-entity-definitions.md).
+
+ >[!WARNING]
+ > Microsoft DLP platform has a threshold for up to 10 rule packages per tenant. This limit is enough for most customers, but the creation of many duplicate custom SITs may quickly lead you to hitting this threshold without the ability to create any new custom SITs.
+
+After you've reviewed all the policies and the rules within them, select **Next**. If one or more of the policies contain at least one element with *Needs Review* status, then youΓÇÖll see a **Continue with errors** button instead of **Next**.
+
+### Step 4: Review pre-migration feasibility report
+
+The pre-migration feasibility report shows you how you can expect the policies to be migrated. Review this report and make any necessary adjustments prior to starting a migration run.
+
+ :::image type="content" source="../media/review-dlp-policies.png" alt-text="Screenshot of Review your Policies.":::
+
+Review these details and choose **Next**.
+
+### Step 5: Test or turn on your policies
+
+Once imported, DLP policies can be in one of three states:
+
+- On (**Yes, turn it on right away**)
+- Test (**I'd like to test it out first** and **Show policy tips while in test mode**)
+- Off (**No,keep it off. I'll turn it on later**)
+
+You can set the state in the migration assistant prior to migrating a policy using these two steps:
+
+1. Choose whether to turn-on or off from the following three options:
+ - Turn on policy immediately.
+ - Turn on policy in test mode first. Remove from test mode later manually.
+ - Keep it off. Turn it on later manually.
+
+ We recommend you to bring over the policies first in test mode. You can monitor the alerts that the policy generates, and fine-tune it as required by your organization. Once your policy is fine-tuned, you can turn it on or put it into production.
+
+2. Select **Start Migration** to import your policy. A new PowerShell window will open asking you to log in again.
+
+ After you log in, PowerShell scripts will run that creates new policies in Microsoft DLP with all the data in the input policy files, and any other settings you made during the previous migration assistant steps.
+
+ Wait until the script completes finishes with a Success/Failure message. Then, new SITs and policies will start showing up in the Compliance portal as well.
++
+### Step 6: Migration in progress
+
+In this step, the migration tool will create DLP policies in Microsoft Purview compliance portal.
+
+> [!NOTE]
+> Refrain from closing the tool window while policies are being created as it may cause incomplete SITs and policies, which may require you to manually clean up later.
++
+If an error occurs during migration, you can choose one of these actions to try and fix as a next step.
+
+- **Try Again** - Policy creation will be attempted again.
+- **Rollback all changes** - All SITs and policies for that session will be deleted.
+- **Rollback failed policies** - Only the failed SITs and policies for that session will be deleted.
+
+>[!IMPORTANT]
+> When you choose to rollback any changes, it may take two to four hours for the entire rollback to take place. The migration assistant tool window needs to be kept open for the entire duration for a successful rollback.
++
+Once the policies are migrated, select **Next** to view the migration report.
++
+### Step 7: View the migration report
+
+You can view the migration report once your policies are imported and the migration process is complete.
+
+ :::image type="content" source="../media/migration-report.png" alt-text="Screenshot of migration report.":::
+
+Each session gets its own report. A session begins at the time you launch the app and ends when you exit the app or when migration process is completed.
+
+#### Technical report
+
+You can select the **Save Technical Report** button to save a more detailed excel-based report that is divided into three sheets:
+
+- Overview
+- Policy Details
+- SIT Details
+
+**Overview Sheet** - This sheet provides an overview of the migration session with the following details:
+
+- TenantΓÇÖs name.
+- Timestamp of session.
+- Overall summary stats for that session.
+- Input policy level details, migration status and comments/recommendations.
++
+**Policy Details** - This sheet provides a detailed view of each migrated policy created or not created with the following information:
+
+- Mapping of source policy and target policy(s) created.
+- List of workloads each policy is applied to.
+- Analysis status stating if the policy is migrated completely, partially or can't migrate.
+ - For workloads other than Exchange, this would typically show as *Complete* since we create a policy with the *Content contains* condition, which is supported across all workloads.
+- Migration status describing if the policy migration was a success or failure.
+- Comments/recommendations with more details of that policy.
++
+**SIT Details** - This sheet provides information about all the sensitive information types (SITs) that were migrated with following information:
+
+- Policy-wise mapping of Input and Output SITs created.
+- Validation fixes with information about validation errors that occurred during the migration process.
+- Comments about SIT auto-mapping, and remediation steps.
++
+### Next steps: After policy import
+
+You should visit the Compliance portal and validate the policies you just migrated.
+
+#### Check Sensitive Information Types
+
+1. Validate that the SITs were created by opening **Data Classification** > **Sensitive Information Type** tab and look for the SITS. You can also sort the list on **Publisher** and check for SITs with publisher name as ΓÇ£DLP Migration ToolΓÇ¥.
+
+2. Rename SITs as needed. For many SITs, you may notice there are similar names often followed by roman numerals. To avoid confusion and duplication post-migration, you should rename these SITs. This is true for cases where your regular expressions and keywords are defined directly in rules within your input Symantec DLP policies.
+
+3. Test and fine-tune SITs as needed. You should test and fine-tune the migrated SITs. The migration assistant creates new SITs with a few standard settings, which might not be right for your tenant so look out for the following:
+ 1. Regular expressions: Unsupported or deleted regexes (during migration)
+ 2. Keywords
+ 1. Case sensitive versus insensitive keywords
+ 2. String versus word match
+ 3. Proximity
+ 4. Optional validators
+
+#### Check DLP policies
+
+1. **Validate the DLP policies created**
+
+ Choose **Data Loss Prevention** from left panel and check if new policies are created.
+2. **Add any missing policy elements**
+
+ While most of the input Symantec DLP policy elements (like conditions, exclusions, or actions) will get migrated, often a few elements from your input Symantec DLP policy may get dropped during the migration process. This is a known limitation of the migration assistant. In this scenario, you'll have to manually add these elements to the policy as they're supported by the Microsoft Purview DLP platform.
+3. **Test and fine-tune the policy**
+
+ You can test the policy and fine-tune it as per the needs of your organization.
+4. **Turn the policy on**
+
+ Once tested or fine-tuned, you can turn on this policy or put the policy in production mode.
+5. **Bring over any remaining policies**
+
+ You can go back to bring over the next policy or next batch of policies using the migration assistant.
+
+## Troubleshooting
+
+If you see an error on welcome screen after selecting **Get Started**, follow these steps:
+
+ 1. Confirm that you've installed all the pre-requisites using the links/versions mentioned in [Before you start](dlp-migration-assistant-for-symantec-get-started.md#before-you-begin).
+ 2. Ensure that you've restarted the machine after installing the pre-requisites.
+ 3. Check if you're running the tool in admin mode using **Run as administrator** option while starting the application.
+ 4. Check if your PowerShell module path is set correctly using these steps:
+ 1. Go to edit system environment variables.
+ 2. Add this path in PsModulePath system variable: `C:\Program Files\PowerShell\7\Modules`.
+ 3. Move this up and keep at top.
+ 4. Restart the tool in admin mode.
+
+If you're unable to install/uninstall due to another app/process installation, follow these steps:
+
+1. Right click on the task bar to open Task Manager. If necessary, choose **More Details**.
+2. On **Details** tab, look for msiexec.exe and select **End Task**.
+3. Try to install or uninstall again or wait until the installation is finished.
+
+To report issues to Microsoft:
+
+1. **Collect logs** - Find the logs generated by the migration assistant on your local machine at the following path: `C:\Users\<username>\AppData\Local\Temp\MigrationAssistantforMicrosoftPurviewDLP\Logs`.
+2. **Send email** - Send us the details about your issue along with the latest logs at [dlpmigrations@microsoft.com](mailto:dlpmigrations@microsoft.com) or contact your CXE / FastTrack / Microsoft partner to share your feedback and suggestions.
+
+### Reporting errors & providing feedback
+
+To report errors, raise feature requests, or share more feedback, reach out to us at [dlpmigrations@microsoft.com](mailto:dlpmigrations@microsoft.com) or contact your CXE / FastTrack / Microsoft partner.
+
+### Telemetry Notice
+
+**Data Collection**: This software may collect information about you and your use of the software, and send it to Microsoft. Microsoft may use this information to improve our products and services. If you wish to turn off telemetry, you can reach out to us, and we'll provide you with a separate version of tool with telemetry turned off.
+
+There are also some features in the software that may enable you and Microsoft to collect data from users of your applications. If you use these features, you must comply with applicable law that is to provide appropriate notices to users of your applications with a copy of Microsoft's privacy statement. Our privacy statement is located at [Microsoft Privacy Statement](https://go.microsoft.com/fwlink/?LinkID=824704). You can learn more about data collection, use in the help documentation and our privacy statement. Your use of the software operates as your consent to these practices.
+
+## See also
+
+- [Learn about Microsoft Purview Data Loss Prevention migration assistant for Symantec](dlp-migration-assistant-for-symantec-learn.md)
+- [Get started with Microsoft Purview Data Loss Prevention migration assistant for Symantec](dlp-migration-assistant-for-symantec-get-started.md)
+- [Learn about data loss prevention](dlp-learn-about-dlp.md)
+- [Create, test, and tune a DLP policy](create-test-tune-dlp-policy.md)
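Review bot: the Troubleshooting step 1 link text does not match the heading it targets: `[Before you start](dlp-migration-assistant-for-symantec-get-started.md#before-you-begin)` should read "Before you begin", and since this is the same article an in-page `#before-you-begin` fragment would do. Two lines carry mis-decoded UTF-8 that will render literally, `TenantΓÇÖs name.` and `ΓÇ£DLP Migration ToolΓÇ¥`; replace with a plain apostrophe and straight quotes. "Wait until the script completes finishes with a Success/Failure message" has a doubled verb, and the See also list links this page to itself (`dlp-migration-assistant-for-symantec-get-started.md` is the article being added). In the troubleshooting steps the reader is told to run the tool with **Run as administrator** and to add `C:\Program Files\PowerShell\7\Modules` to the system `PsModulePath` and move it to the top; the text should say that this reorders module resolution for every PowerShell session on the machine, not only for this tool, and use the variable's usual spelling `PSModulePath`. For "Collect logs", the doc asks customers to email the contents of `...\MigrationAssistantforMicrosoftPurviewDLP\Logs` to a shared mailbox; since the tool works from "all the data in the input policy files", state what the logs contain so the customer can review them for policy content (regexes, keywords, recipients) before sending.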
compliance Import Hr Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/import-hr-data.md
The type of HR data to import depends on the insider risk management policy and
| Healthcare policy| Employee profile | |||
-For more information about policy templates for insider risk management, see [Insider risk management policies](insider-risk-management-policies.md#policy-templates).
+For more information about policy templates for insider risk management, see [Insider risk management policies](insider-risk-management-policy-templates.md#policy-templates).
For each HR scenario, you'll need to provide the corresponding HR data in one or more CSV files. The number of CSV files to use for your insider risk management implementation is discussed later in this section.
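Review bot: the retargeted link `insider-risk-management-policy-templates.md#policy-templates` points at a file that is not added anywhere in this set of changes, so confirm the page exists and still has a heading whose slug is `policy-templates`; if the moved "Policy templates" section became that page's title rather than an H2, the fragment will not resolve and the link should drop it. The same check applies to the other links in this update that target `#data-leaks` and `#data-theft-by-departing-users` on the new page.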
compliance Insider Risk Management Activities https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/insider-risk-management-activities.md
Reviewing, investigating, and acting on potentially risky insider alerts are imp
Becoming overwhelmed with the number of alerts produced by your insider risk management policies could be frustrating. The number of alerts can be quickly addressed with simple steps, depending on the types of alert volume you're receiving. You may be receiving too many valid alerts or have too many stale low-risk alerts. Consider taking the following actions: -- **Adjust your insider risk policies**: Selecting and configuring the correct insider risk policy is the most basic method to address the type and volume of alerts. Starting with the appropriate [policy template](insider-risk-management-policies.md#policy-templates) helps focus the types of risk activities and alerts you'll see. Other factors that may impact alert volume are the size of the in-scope user and groups and the content and [channels that are prioritized](insider-risk-management-policies.md#prioritize-content-in-policies). Consider adjusting policies to refine these areas to what is most important for your organization.
+- **Adjust your insider risk policies**: Selecting and configuring the correct insider risk policy is the most basic method to address the type and volume of alerts. Starting with the appropriate [policy template](insider-risk-management-policy-templates.md#policy-templates) helps focus the types of risk activities and alerts you'll see. Other factors that may impact alert volume are the size of the in-scope user and groups and the content and [channels that are prioritized](insider-risk-management-policies.md#prioritize-content-in-policies). Consider adjusting policies to refine these areas to what is most important for your organization.
- **Modify your insider risk settings**: Insider risk settings include a wide variety of configuration options that can impact the volume and types of alerts you'll receive. These include settings for [policy indicators](insider-risk-management-settings.md#indicators), [indicator thresholds](insider-risk-management-settings.md#indicator-level-settings), and [policy timeframes](insider-risk-management-settings.md#policy-timeframes). Consider configuring [intelligent detections](insider-risk-management-settings.md#intelligent-detections) options to exclude specific file types and sensitive info types, trainable classifiers, define minimum thresholds before activity alerts are reported by your policies, and change the alert volume configuration to a lower setting. - **Enable inline alert customization (preview)**: Enabling [inline alert customization](/microsoft-365/compliance/insider-risk-management-settings#inline-alert-customization-preview) allows analysts and investigators to quickly edit policies when reviewing alerts. They can update thresholds for activity detection with Microsoft recommendations, configure custom thresholds, or choose to ignore the type of activity that created the alert. If this is not enabled, then only users assigned to the *Insider Risk Management* role group can use inline alert customization. - **Bulk deletion of alerts where applicable**: It may help save triage time for your analysts and investigators to immediately [dismiss multiple alerts](insider-risk-management-activities.md#dismiss-multiple-alerts-preview) at once. You can select up to 400 alerts to dismiss at one time.
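Review bot: only the first link in this bullet is retargeted; `[channels that are prioritized](insider-risk-management-policies.md#prioritize-content-in-policies)` still points at the policies page, which is correct only if the "Prioritize content in policies" section remains in that file after the template section is removed from it in this same update. Confirm that section still exists there rather than assuming it, since the removal hunk for insider-risk-management-policies.md shows only the template headings being deleted.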
compliance Insider Risk Management Configure https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/insider-risk-management-configure.md
See the [Set up a connector to import healthcare data](import-healthcare-data.md
Insider risk management supports using DLP policies to help identify the intentional or accidental exposure of sensitive information to unwanted parties for High severity level DLP alerts. When configuring an insider risk management policy with any of the **Data leaks** templates, you have the option to assign a specific DLP policy to the policy for these types of alerts.
-Data loss policies help identify users to activate risk scoring in insider risk management for high severity DLP alerts for sensitive information and are an important part of configuring full risk management coverage in your organization. For more information about insider risk management and DLP policy integration and planning considerations, see [Insider risk management policies](insider-risk-management-policies.md#data-leaks).
+Data loss policies help identify users to activate risk scoring in insider risk management for high severity DLP alerts for sensitive information and are an important part of configuring full risk management coverage in your organization. For more information about insider risk management and DLP policy integration and planning considerations, see [Insider risk management policies](insider-risk-management-policy-templates.md#data-leaks).
> [!IMPORTANT] > Make sure you've completed the following:
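Review bot: `insider-risk-management-policy-templates.md#data-leaks` assumes the moved section keeps the exact heading text `### Data leaks` on the new page; the old page also had "Data leaks by priority users (preview)" and "Data leaks by risky users (preview)", so any renaming during the move makes this fragment silently land at the top of the page. Worth a link check after the new file lands, because a DLP-integration reader following this link needs the "Data leaks policy guidelines" (the *High* severity **Incident reports** requirement) and not just the template description.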
compliance Insider Risk Management Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/insider-risk-management-policies.md
The **Policy dashboard** allows you to quickly see the policies in your organiza
## Policy recommendations from analytics
-Insider risk analytics gives you an aggregate view of anonymized user activities related to security and compliance, enabling you to evaluate potential insider risks in your organization without configuring any insider risk policies. This evaluation can help your organization identify potential areas of higher risk and help determine the type and scope of insider risk management policies you may consider configuring. If you decide to act on analytics scan results for [data leaks](#data-leaks) or [data theft](#data-theft-by-departing-users) by departing users policies, you even have the option to configure a quick policy based on these results.
+Insider risk analytics gives you an aggregate view of anonymized user activities related to security and compliance, enabling you to evaluate potential insider risks in your organization without configuring any insider risk policies. This evaluation can help your organization identify potential areas of higher risk and help determine the type and scope of insider risk management policies you may consider configuring. If you decide to act on analytics scan results for [data leaks](insider-risk-management-policy-templates.md#data-leaks) or [data theft](insider-risk-management-policy-templates.md#data-theft-by-departing-users) by departing users policies, you even have the option to configure a quick policy based on these results.
To learn more about insider risk analytics and policy recommendations, see [Insider risk management settings: Analytics](insider-risk-management-settings.md#analytics).
For many organizations, getting started with an initial policy can be a challeng
To get started, review the quick policy settings and configure the policy with a single selection. If you need to customize a quick policy, you can change the conditions during the initial configuration or after the policy has been created. Also, you can stay up to date with the detection results for a quick policy by configuring email notifications each time you have a policy warning or each time the policy generates a high severity alert.
-## Policy templates
-
-Insider risk management templates are pre-defined policy conditions that define the types of risk indicators and risk scoring model used by the policy. Each policy must have a template assigned in the policy creation wizard before the policy is created. Insider risk management supports up to five policies for each policy template. When you create a new insider risk policy with the policy wizard, choose from one of the following policy templates:
-
-### Data theft by departing users
-
-When users leave your organization, there are specific risk indicators typically associated with potential data theft by departing users. This policy template uses exfiltration indicators for risk scoring and focuses on detection and alerts in this risk area. Data theft for departing users may include downloading files from SharePoint Online, printing files, and copying data to personal cloud messaging and storage services near their employment resignation and end dates. By using either the Microsoft HR connector or the option to automatically check for user account deletion in Azure Active Directory for your organization, this template starts scoring for risk indicators relating to these activities and how they correlate with user employment status.
-
-> [!IMPORTANT]
-> When using this template, you can configure a Microsoft 365 HR connector to periodically import resignation and termination date information for users in your organization. See the [Import data with the HR connector](import-hr-data.md) article for step-by-step guidance to configure the Microsoft 365 HR connector. If you choose not to use the HR connector, you must select the User account deleted from Azure Active Directory option when configuring trigger events in the policy wizard.
-
-### Data leaks
-
-Protecting data and preventing data leaks is a constant challenge for most organizations, particularly with the rapid growth of new data created by users, devices, and services. Users are empowered to create, store, and share information across services and devices that make managing data leaks increasingly more complex and difficult. Data leaks can include accidental oversharing of information outside your organization or data theft with malicious intent. With an assigned Microsoft Purview Data Loss Prevention (DLP) policy, built-in, or customizable triggering events, this template starts scoring real-time detections of suspicious SharePoint Online data downloads, file and folder sharing, printing files, and copying data to personal cloud messaging and storage services.
-
-When using a *Data leaks* template, you can assign a DLP policy to trigger indicators in the insider risk policy for high severity alerts in your organization. Whenever a high severity alert is generated by a DLP policy rule is added to the Office 365 audit log, insider risk policies created with this template automatically examine the high severity DLP alert. If the alert contains an in-scope user defined in the insider risk policy, the alert is processed by the insider risk policy as a new alert and assigned an insider risk severity and risk score. You can also choose to assign selected indicators as triggering events for a policy. This flexibility and customization helps scope the policy to only the activities covered by the indicators. This policy allows you to evaluate this alert in context with other activities included in the case.
-
-#### Data leaks policy guidelines
-
-When creating or modifying data loss prevention policies for use with insider risk management policies, consider the following guidelines:
--- Prioritize data exfiltration events and be selective when assigning **Incident reports** settings to *High* when configuring rules in your DLP policies. For example, emailing sensitive documents to a known competitor should be a *High* alert level exfiltration event. Over-assigning the *High* level in the **Incident reports** settings in other DLP policy rules can increase the noise in the insider risk management alert workflow and make it more difficult for your data investigators and analysts to properly evaluate these alerts. For example, assigning *High* alert levels to access denial activities in DLP policies makes it more challenging to evaluate truly risky user behavior and activities.-- When using a DLP policy as the triggering event, make sure you understand and properly configure the in-scope users in both the DLP and insider risk management policies. Only users defined as in-scope for insider risk management policies using the **Data leaks** template will have high severity DLP policy alerts processed. Additionally, only users defined as in-scope in a rule for a high severity DLP alert will be analyzed by the insider risk management policy for consideration. It's important that you don't unknowingly configure in-scope users in both your DLP and insider risk policies in a conflicting manner.-
- For example, if your DLP policy rules are scoped to only users on the Sales Team and the insider risk policy created from the **Data leaks** template has defined all users as in-scope, the insider risk policy will only process high severity DLP alerts for the users on the Sales Team. The insider risk policy won't receive any high priority DLP alerts for users to process that aren't defined in the DLP rules in this example. Conversely, if your insider risk management policy created from **Data leaks** templates is scoped to only users on the Sales Team and the assigned DLP policy is scoped to all users, the insider risk policy will only process high severity DLP alerts for members of the Sales Team. The insider risk management policy will ignore high severity DLP alerts for all users not on the Sales Team.
--- Make sure the **Incident reports** rule setting in the DLP policy used for this insider risk management template is configured for *High* severity level alerts. The *High* severity level is the triggering events and insider risk management alerts won't be generated from rules in DLP policies with the **Incident reports** field set at *Low* or *Medium*.-
- ![DLP policy alert setting.](../media/insider-risk-DLP-policy-high-severity.png)
-
- > [!NOTE]
- > When creating a new DLP policy using the built-in templates, you'll need to select the **Create or customize advanced DLP rules** option to configure the **Incident reports** setting for the *High* severity level.
-
-Each insider risk management policy created from the **Data leaks** template can only have one DLP policy assigned when using this triggering event option. Consider creating a dedicated DLP policy that combines the different activities you want to detect and act as triggering events for insider risk policies that use the **Data leaks** template.
-
-See the [Create, test, and tune a DLP policy](create-test-tune-dlp-policy.md) article for step-by-step guidance to configure DLP policies for your organization.
-
-### Data leaks by priority users (preview)
-
-Protecting data and preventing data leaks for users in your organization may depend on their position, level of access to sensitive information, or risk history. Data leaks can include accidental oversharing of highly sensitive information outside your organization or data theft with malicious intent. With an assigned data loss prevention (DLP) policy as a triggering event option, this template starts scoring real-time detections of suspicious activity and result in an increased likelihood of insider risk alerts and alerts with higher severity levels. Priority users are defined in [priority user groups](insider-risk-management-settings.md#priority-user-groups) configured in the insider risk management settings area.
-
-As with the **Data leaks template**, you can choose a DLP policy to trigger indicators in the insider risk policy for high severity alerts in your organization. Follow the Data leaks policy guidelines for DLP policies when creating a policy with the DLP option when using this template. You can also choose to assign selected indicators as triggering events for a policy. This flexibility and customization help scope the policy to only the activities covered by the indicators. Additionally, you'll need to assign priority user groups created in **Insider risk management** > **Settings** > **Priority user groups** to the policy.
-
-### Data leaks by risky users (preview)
-
-When users experience employment stressors, they may become risky users, which may increase the chances of insider risk activity. This template starts scoring user activity when an indicator associated with risky user is identified. Examples may include performance improvement notifications, poor performance reviews, changes to job level status, or email and other messages that may signal risk activities. Data leaks for risky users may include downloading files from SharePoint Online and copying data to personal cloud messaging and storage services.
-
-When using this template, you must either configure a HR connector, select the option to [integrate communication compliance risk signals](/microsoft-365/compliance/communication-compliance-policies#policy-for-insider-risk-management-integration-preview) from user messages, or choose both. The HR connector enables the periodic import of performance improvement notifications, poor performance review statuses, or job level change information for users in your organization. Communication compliance risk integration imports signals for user messages that may contain potentially threatening, harassing, or discriminatory text content. Associated alerts generated in Communication Compliance do not need to be triaged, remediated, or changed in status to be integrated with the insider risk management policy.
-
-To configure a HR connector, see the [Import data with the HR connector](import-hr-data.md) article. To configure integration with communication compliance, you'll select this option in the wizard when you configure the policy.
-
-### Security policy violations (preview)
-
-In many organizations, users have permission to install software on their devices or to modify device settings to help with their tasks. Either inadvertently or with malicious intent, users may install malware or disable important security features that help protect information on their device or on your network resources. This policy template uses security alerts from Microsoft Defender for Endpoint to start scoring these activities and focus detection and alerts to this risk area. Use this template to provide insights for security policy violations in scenarios when users may have a history of security policy violations that may be an indicator of insider risk.
-
-You'll need to have Microsoft Defender for Endpoint configured in your organization and enable Defender for Endpoint for insider risk management integration in the Defender Security Center to import security violation alerts. For more information on configuring Defender for Endpoint for insider risk management integration, see [Configure advanced features in Defender for Endpoint](/windows/security/threat-protection/microsoft-defender-atp/advanced-features#share-endpoint-alerts-with-microsoft-compliance-center).
-
-### Patient data misuse (preview)
-
-Protecting healthcare record data and preventing the misuse of patient personal data is a significant concern for organizations in the healthcare industry. This misuse may include confidential data leaks to unauthorized persons, fraudulent modification of patient records, or the theft of patient healthcare records. Preventing this misuse of patient data, either by lack of awareness, negligence, or fraud by users is also key component in meeting the regulatory requirements of the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act. Both of these acts establish the requirements for safeguarding patient protected health information (PHI).
-
-This policy template enables risk scoring for internal users that detects suspicious activities associated with records hosted on existing electronic medical record (EMR) systems. Detection focuses on unauthorized access, viewing, modification, and export of patient data. You'll need to configure a connector the [Microsoft Healthcare connector](import-healthcare-data.md) or [Epic connector](import-epic-data.md) to support detection of access, exfiltration, or obfuscation activities in your EMR system.
-
-When using this template, you must also configure a Microsoft HR connector to periodically import organization profile data for users in your organization. See the [Set up a connector to import HR data](/microsoft-365/compliance/import-hr-data) article for step-by-step guidance to configure the Microsoft 365 HR connector.
-
-### Risky browser usage (preview)
-
-Identifying user visitation to potentially inappropriate or unacceptable web sites on organization devices and networks is an important part of minimizing security, legal, and regulatory risks. Users that inadvertently or purposefully visit these types of websites may expose the organization to legal actions from other users, violate regulatory requirements, elevate network security risks, or jeopardize current and future business operations and opportunities. This misuse is often defined in an organization's acceptable use policy for user devices and organization network resources but is often difficult to quickly identify and act upon.
-
-To help protect against these risks, this policy can help detect and enable risk scoring for web browsing that might be in violation of your organization's acceptable use policy, such as visiting sites that pose a threat (for example phishing sites) or contain adult content. Several types of categories are available for automatic categorization of web browsing activities by in-scope users.
-
-When using this policy template, you'll need several prerequisites. For more information, see [Learn about and configure insider risk management browser signal detection](/microsoft-365/compliance/insider-risk-management-browser-support).
-
-### Security policy violations by departing users (preview)
-
-Departing users, whether leaving on positive or negative terms, may be higher risks for security policy violations. To help protect against inadvertent or malicious security violations for departing users, this policy template uses Defender for Endpoint alerts to provide insights into security-related activities. These activities include the user installing malware or other potentially harmful applications and disabling security features on their devices. By using either the [Microsoft HR connector](import-hr-data.md) or the option to automatically check for user account deletion in Azure Active Directory for your organization, this template starts scoring for risk indicators relating to these security activities and how they correlate with user employment status.
-
-You'll need to have Microsoft Defender for Endpoint configured in your organization and enable Defender for Endpoint for insider risk management integration in the Defenfder Security Center to import security violation alerts. For more information on configuring Defender for Endpoint for insider risk management integration, see [Configure advanced features in Defender for Endpoint](/windows/security/threat-protection/microsoft-defender-atp/advanced-features#share-endpoint-alerts-with-microsoft-compliance-center).
-
-### Security policy violations by priority users (preview)
-
-Protecting against security violations for users in your organization may depend on their position, level of access to sensitive information, or risk history. Because security violations by priority users may have a significant impact on your organization's critical areas, this policy template starts scoring on these indicators, and uses Microsoft Defender for Endpoint alerts to provide insights into security-related activities for these users. These activities may include the priority users installing malware or other potentially harmful applications and disabling security features on their devices. Priority users are defined in priority user groups configured in the insider risk management settings area.
-
-You'll need to have Microsoft Defender for Endpoint configured in your organization and enable Defender for Endpoint for insider risk management integration in the Defender Security Center to import security violation alerts. For more information on configuring Defender for Endpoint for insider risk management integration, see [Configure advanced features in Defender for Endpoint](/windows/security/threat-protection/microsoft-defender-atp/advanced-features#share-endpoint-alerts-with-microsoft-compliance-center). Additionally, you'll need to assign priority user groups created in **Insider risk management** > **Settings** > **Priority user groups** to the policy.
-
-### Security policy violations by risky users (preview)
-
-Users that experience employment stressors may be at a higher risk for inadvertent or malicious security policy violations. These stressors may result in behaviors that result in the user being placed on a performance improvement plan, a poor performance review status, being demoted from their current position, or the user sending email and other messages that may signal risky behavior. This policy template starts risk scoring based on these indicators and activities associated with these events for these users.
-
-When using this template, you must configure a HR connector, or select the option to [integrate communication compliance risk signals](/microsoft-365/compliance/communication-compliance-policies#policy-for-insider-risk-management-integration-preview) from user messages, or both. The HR connector enables the periodic import of performance improvement notifications, poor performance review statuses, or job level change information for users in your organization. Communication compliance risk integration imports signals for user messages that may contain potentially threatening, harassing, or discriminatory text content. Associated alerts generated in communication compliance do not need to be triaged, remediated, or changed in status to be integrated with the insider risk management policy. To configure a HR connector, see the [Import data with the HR connector](import-hr-data.md) article. To configure integration with communication compliance, you'll select this option in wizard when you configure the policy.
-
-You'll also need to have Microsoft Defender for Endpoint configured in your organization and enable Defender for Endpoint for insider risk management integration in the Defender Security Center to import security violation alerts. For more information on configuring Defender for Endpoint for insider risk management integration, see [Configure advanced features in Defender for Endpoint](/windows/security/threat-protection/microsoft-defender-atp/advanced-features#share-endpoint-alerts-with-microsoft-compliance-center).
-
-### Policy template prerequisites and triggering events
-
-Depending on the template you choose for an insider risk management policy, the triggering events and policy prerequisites vary. Triggering events are prerequisites that determine if a user is active for an insider risk management policy. If a user is added to an insider risk management policy but doesn't have a triggering event, the user activity isn't evaluated by the policy unless they're manually added in the Users dashboard. Policy prerequisites are required items so that the policy receives the signals or activities necessary to evaluate risk.
-
-The following table lists the triggering events and prerequisites for policies created from each insider risk management policy template:
-
-| **Policy template** | **Triggering events for policies** | **Prerequisites** |
-| : | : | :- |
-| **Data theft by departing users** | Resignation or termination date indicator from HR connector or Azure Active Directory account deletion | (optional) Microsoft 365 HR connector configured for termination and resignation date indicators |
-| **Data leaks** | Data leak policy activity that creates a *High severity* alert or built-in exfiltration event triggers | DLP policy configured for *High severity* alerts <br><br> OR <br><br> Customized triggering indicators |
-| **Data leaks by priority users** | Data leak policy activity that creates a *High severity* alert or built-in exfiltration event triggers | DLP policy configured for *High severity* alerts <br><br> OR <br><br> Customized triggering indicators <br><br> Priority user groups configured in insider risk settings |
-| **Data leaks by risky users** | - Performance improvement, poor performance, or job level change indicators from HR connector. <br> - Messages containing potentially threatening, harassing, or discriminatory language | Microsoft 365 HR connector configured for disgruntlement indicators <br><br> AND/OR <br><br> Communication Compliance integration and dedicated disgruntlement policy |
-| **Security policy violations** | Defense evasion of security controls or unwanted software detected by Microsoft Defender for Endpoint | Active Microsoft Defender for Endpoint subscription <br><br> Microsoft Defender for Endpoint integration with Microsoft Purview compliance portal configured |
-| **Patient data misuse** | Defense evasion of security controls from EMR systems <br><br> User and patient address matching indicators from HR systems | Healthcare access indicators selected in policy or insider risk settings <br><br> Microsoft 365 HR connector configured for address matching <br><br> Microsoft Healthcare or Epic connector configured |
-| **Risky browser usage** | User browsing activity related to security that matches at least one selected *Browsing indicator* | See the complete list of prerequisites in the [browser signal detection article](/microsoft-365/compliance/insider-risk-management-browser-support) |
-| **Security policy violations by departing users** | Resignation or termination date indicators from HR connector or Azure Active Directory account deletion | (optional) Microsoft 365 HR connector configured for termination and resignation date indicators <br><br> Active Microsoft Defender for Endpoint subscription <br><br> Microsoft Defender for Endpoint integration with Microsoft Purview compliance portal configured |
-| **Security policy violations by priority users** | Defense evasion of security controls or unwanted software detected by Microsoft Defender for Endpoint | Active Microsoft Defender for Endpoint subscription <br><br> Microsoft Defender for Endpoint integration with Microsoft Purview compliance portal configured <br><br> Priority user groups configured in insider risk settings |
-| **Security policy violations by risky users** | - Performance improvement, poor performance, or job level change indicators from HR connector. <br> - Messages containing potentially threatening, harassing, or discriminatory language | Microsoft 365 HR connector configured for risk indicators <br><br> AND/OR <br><br> Communication Compliance integration and dedicated risky user policy <br><br> AND <br><br> Active Microsoft Defender for Endpoint subscription <br><br> Microsoft Defender for Endpoint integration with Microsoft Purview compliance portal configured |
- ## Prioritize content in policies Insider risk management policies support specifying a higher priority for content depending on where it's stored, the type of content, or how it's classified. You can also choose whether to assign risk scores to all activities detected by a policy or only activities that include priority content. Specifying content as a priority increases the risk score for any associated activity, which in turn increases the chance of generating a high severity alert. However, some activities won't generate an alert at all unless the related content contains built-in or custom sensitive info types or was specified as a priority in the policy.
Use the following table to learn more about recommendations and warning notifica
|**You're approaching the maximum limit of users being actively scored for this policy template**|All policy templates|Each policy template has a maximum number of in-scope users. See the template limit section details. <br><br> Review the users in the Users tab and remove any users who don't need to be scored anymore.| |**Triggering event is repeatedly occurring for over 15% of users in this policy**|All policy templates|Adjust the triggering event to help reduce how often users are brought into the policy scope.|
-## Policy template limits
-
-Insider risk management policy templates use limits to manage the volume and rate of processing for in-scope user risk activities and how this process is integrated with supporting Microsoft 365 services. Each policy template has a maximum number of users that can be actively assigned risk scores for the policy that it can support and effectively process and report potentially risky activities. In-scope users are users with triggering events for the policy.
-
-The limit for each policy is calculated based on the total number of unique users receiving risk scores per policy template type. If the number of users for a policy template type is near or exceeds the user limit, the policy performance will be reduced. To view the current number of users for a policy, navigate to the Policy tab and the Users in scope column. You may have up to five policies for any policy template. These maximum limits apply to users across all policies using a given policy template.
-
-Use the following table to determine the maximum number of in-scope users supported for each policy template:
-
-|**Policy template**|**Current in-scope user maximum**|
-|:|:--|
-|General data leak|15,000|
-|Data leak by risky users|7,500|
-|Data leak by priority users|1,000|
-|Data theft by departing users|20,000|
-|Security policy violations|1,000|
-|Patient data misuse|5,000|
-|Risky browser usage|7,000|
-|Security policy violation by priority users|1,000|
-|Security policy violations by departing users|15,000|
-|Security policy violations by risky users|7,500|
-|Forensic evidence|5 users for preview release|
- ## Create a new policy To create a new insider risk management policy, you'll generally use the policy wizard in the **Insider risk management** solution in the Microsoft Purview compliance portal. You can also create quick policies for general data leaks and data theft by departing users from Analytics checks if applicable.
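Review bot: the removed `## Policy template limits` section (with its per-template in-scope user maximum table), the `## Prioritize content in policies` paragraph and the `## Create a new policy` paragraph do not reappear in the added `insider-risk-management-policy-templates.md` hunk as far as it is shown here, so please confirm where that content is relocated; in particular the retained warning-notification row still says "See the template limit section details", which becomes a dangling reference if the limits table now lives in a separate article and should be turned into a link to it. Note also that the typo "Defenfder Security Center" in the removed departing-users paragraph is copied verbatim into the new file rather than fixed as part of the move.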
compliance Insider Risk Management Policy Templates https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/insider-risk-management-policy-templates.md
+
+ Title: Learn about insider risk management policy templates
+description: Learn about insider risk management policy templates.
+keywords: Microsoft 365, Microsoft Purview, insider risk, risk management, compliance
+ms.localizationpriority: medium
++
+f1.keywords:
+- NOCSH
+++
+audience: itpro
+
+- tier1
+- purview-compliance
+++
+# Learn about insider risk management policy templates
+
+>[!IMPORTANT]
+>Microsoft Purview Insider Risk Management correlates various signals to identify potential malicious or inadvertent insider risks, such as IP theft, data leakage and security violations. Insider risk management enables customers to create policies to manage security and compliance. Built with privacy by design, users are pseudonymized by default, and role-based access controls and audit logs are in place to help ensure user-level privacy.
+
+## Policy templates
+
+Insider risk management templates are pre-defined policy conditions that define the types of risk indicators and risk scoring model used by the policy. Each policy must have a template assigned in the policy creation wizard before the policy is created. Insider risk management supports up to five policies for each policy template. When you create a new insider risk policy with the policy wizard, choose from one of the following policy templates:
++
+### Data theft by departing users
+
+When users leave your organization, there are specific risk indicators typically associated with potential data theft by departing users. This policy template uses exfiltration indicators for risk scoring and focuses on detection and alerts in this risk area. Data theft for departing users may include downloading files from SharePoint Online, printing files, and copying data to personal cloud messaging and storage services near their employment resignation and end dates. By using either the Microsoft HR connector or the option to automatically check for user account deletion in Azure Active Directory for your organization, this template starts scoring for risk indicators relating to these activities and how they correlate with user employment status.
+
+> [!IMPORTANT]
+> When using this template, you can configure a Microsoft 365 HR connector to periodically import resignation and termination date information for users in your organization. See the [Import data with the HR connector](import-hr-data.md) article for step-by-step guidance to configure the Microsoft 365 HR connector. If you choose not to use the HR connector, you must select the User account deleted from Azure Active Directory option when configuring trigger events in the policy wizard.
+
+### Data leaks
+
+Protecting data and preventing data leaks is a constant challenge for most organizations, particularly with the rapid growth of new data created by users, devices, and services. Users are empowered to create, store, and share information across services and devices that make managing data leaks increasingly more complex and difficult. Data leaks can include accidental oversharing of information outside your organization or data theft with malicious intent. With an assigned Microsoft Purview Data Loss Prevention (DLP) policy, built-in, or customizable triggering events, this template starts scoring real-time detections of suspicious SharePoint Online data downloads, file and folder sharing, printing files, and copying data to personal cloud messaging and storage services.
+
+When using a *Data leaks* template, you can assign a DLP policy to trigger indicators in the insider risk policy for high severity alerts in your organization. Whenever a high severity alert is generated by a DLP policy rule is added to the Office 365 audit log, insider risk policies created with this template automatically examine the high severity DLP alert. If the alert contains an in-scope user defined in the insider risk policy, the alert is processed by the insider risk policy as a new alert and assigned an insider risk severity and risk score. You can also choose to assign selected indicators as triggering events for a policy. This flexibility and customization helps scope the policy to only the activities covered by the indicators. This policy allows you to evaluate this alert in context with other activities included in the case.
+
+#### Data leaks policy guidelines
+
+When creating or modifying data loss prevention policies for use with insider risk management policies, consider the following guidelines:
+
+- Prioritize data exfiltration events and be selective when assigning **Incident reports** settings to *High* when configuring rules in your DLP policies. For example, emailing sensitive documents to a known competitor should be a *High* alert level exfiltration event. Over-assigning the *High* level in the **Incident reports** settings in other DLP policy rules can increase the noise in the insider risk management alert workflow and make it more difficult for your data investigators and analysts to properly evaluate these alerts. For example, assigning *High* alert levels to access denial activities in DLP policies makes it more challenging to evaluate truly risky user behavior and activities.
+- When using a DLP policy as the triggering event, make sure you understand and properly configure the in-scope users in both the DLP and insider risk management policies. Only users defined as in-scope for insider risk management policies using the **Data leaks** template will have high severity DLP policy alerts processed. Additionally, only users defined as in-scope in a rule for a high severity DLP alert will be analyzed by the insider risk management policy for consideration. It's important that you don't unknowingly configure in-scope users in both your DLP and insider risk policies in a conflicting manner.
+
+ For example, if your DLP policy rules are scoped to only users on the Sales Team and the insider risk policy created from the **Data leaks** template has defined all users as in-scope, the insider risk policy will only process high severity DLP alerts for the users on the Sales Team. The insider risk policy won't receive any high priority DLP alerts for users to process that aren't defined in the DLP rules in this example. Conversely, if your insider risk management policy created from **Data leaks** templates is scoped to only users on the Sales Team and the assigned DLP policy is scoped to all users, the insider risk policy will only process high severity DLP alerts for members of the Sales Team. The insider risk management policy will ignore high severity DLP alerts for all users not on the Sales Team.
+
+- Make sure the **Incident reports** rule setting in the DLP policy used for this insider risk management template is configured for *High* severity level alerts. The *High* severity level is the triggering events and insider risk management alerts won't be generated from rules in DLP policies with the **Incident reports** field set at *Low* or *Medium*.
+
+ ![DLP policy alert setting.](../media/insider-risk-DLP-policy-high-severity.png)
+
+ > [!NOTE]
+ > When creating a new DLP policy using the built-in templates, you'll need to select the **Create or customize advanced DLP rules** option to configure the **Incident reports** setting for the *High* severity level.
+
+Each insider risk management policy created from the **Data leaks** template can only have one DLP policy assigned when using this triggering event option. Consider creating a dedicated DLP policy that combines the different activities you want to detect and act as triggering events for insider risk policies that use the **Data leaks** template.
+
+See the [Create, test, and tune a DLP policy](create-test-tune-dlp-policy.md) article for step-by-step guidance to configure DLP policies for your organization.
+
+### Data leaks by priority users (preview)
+
+Protecting data and preventing data leaks for users in your organization may depend on their position, level of access to sensitive information, or risk history. Data leaks can include accidental oversharing of highly sensitive information outside your organization or data theft with malicious intent. With an assigned data loss prevention (DLP) policy as a triggering event option, this template starts scoring real-time detections of suspicious activity and result in an increased likelihood of insider risk alerts and alerts with higher severity levels. Priority users are defined in [priority user groups](insider-risk-management-settings.md#priority-user-groups) configured in the insider risk management settings area.
+
+As with the **Data leaks template**, you can choose a DLP policy to trigger indicators in the insider risk policy for high severity alerts in your organization. Follow the Data leaks policy guidelines for DLP policies when creating a policy with the DLP option when using this template. You can also choose to assign selected indicators as triggering events for a policy. This flexibility and customization help scope the policy to only the activities covered by the indicators. Additionally, you'll need to assign priority user groups created in **Insider risk management** > **Settings** > **Priority user groups** to the policy.
+
+### Data leaks by risky users (preview)
+
+When users experience employment stressors, they may become risky users, which may increase the chances of insider risk activity. This template starts scoring user activity when an indicator associated with risky user is identified. Examples may include performance improvement notifications, poor performance reviews, changes to job level status, or email and other messages that may signal risk activities. Data leaks for risky users may include downloading files from SharePoint Online and copying data to personal cloud messaging and storage services.
+
+When using this template, you must either configure an HR connector, select the option to [integrate communication compliance risk signals](/microsoft-365/compliance/communication-compliance-policies#policy-for-insider-risk-management-integration-preview) from user messages, or choose both. The HR connector enables the periodic import of performance improvement notifications, poor performance review statuses, or job level change information for users in your organization. Communication compliance risk integration imports signals for user messages that may contain potentially threatening, harassing, or discriminatory text content. Associated alerts generated in Communication Compliance don't need to be triaged, remediated, or changed in status to be integrated with the insider risk management policy.
+
+To configure an HR connector, see the [Import data with the HR connector](import-hr-data.md) article. To configure integration with communication compliance, you'll select this option in the wizard when you configure the policy.
+
+### Security policy violations (preview)
+
+In many organizations, users have permission to install software on their devices or to modify device settings to help with their tasks. Either inadvertently or with malicious intent, users may install malware or disable important security features that help protect information on their device or on your network resources. This policy template uses security alerts from Microsoft Defender for Endpoint to start scoring these activities and focus detection and alerts to this risk area. Use this template to provide insights for security policy violations in scenarios when users may have a history of security policy violations that may be an indicator of insider risk.
+
+You'll need to have Microsoft Defender for Endpoint configured in your organization and enable Defender for Endpoint for insider risk management integration in the Defender Security Center to import security violation alerts. For more information on configuring Defender for Endpoint for insider risk management integration, see [Configure advanced features in Defender for Endpoint](/windows/security/threat-protection/microsoft-defender-atp/advanced-features#share-endpoint-alerts-with-microsoft-compliance-center).
+
+### Patient data misuse (preview)
+
+Protecting healthcare record data and preventing the misuse of patient personal data is a significant concern for organizations in the healthcare industry. This misuse may include confidential data leaks to unauthorized persons, fraudulent modification of patient records, or the theft of patient healthcare records. Preventing this misuse of patient data, either by lack of awareness, negligence, or fraud by users is also key component in meeting the regulatory requirements of the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act. Both of these acts establish the requirements for safeguarding patient protected health information (PHI).
+
+This policy template enables risk scoring for internal users that detects suspicious activities associated with records hosted on existing electronic medical record (EMR) systems. Detection focuses on unauthorized access, viewing, modification, and export of patient data. You'll need to configure a connector the [Microsoft Healthcare connector](import-healthcare-data.md) or [Epic connector](import-epic-data.md) to support detection of access, exfiltration, or obfuscation activities in your EMR system.
+
+When using this template, you must also configure a Microsoft HR connector to periodically import organization profile data for users in your organization. See the [Set up a connector to import HR data](/microsoft-365/compliance/import-hr-data) article for step-by-step guidance to configure the Microsoft 365 HR connector.
+
+### Risky browser usage (preview)
+
+Identifying user visitation to potentially inappropriate or unacceptable web sites on organization devices and networks is an important part of minimizing security, legal, and regulatory risks. Users that inadvertently or purposefully visit these types of websites may expose the organization to legal actions from other users, violate regulatory requirements, elevate network security risks, or jeopardize current and future business operations and opportunities. This misuse is often defined in an organization's acceptable use policy for user devices and organization network resources but is often difficult to quickly identify and act upon.
+
+To help protect against these risks, this policy can help detect and enable risk scoring for web browsing that might be in violation of your organization's acceptable use policy, such as visiting sites that pose a threat (for example phishing sites) or contain adult content. Several types of categories are available for automatic categorization of web browsing activities by in-scope users.
+
+When using this policy template, you'll need several prerequisites. For more information, see [Learn about and configure insider risk management browser signal detection](/microsoft-365/compliance/insider-risk-management-browser-support).
+
+### Security policy violations by departing users (preview)
+
+Departing users, whether leaving on positive or negative terms, may be higher risks for security policy violations. To help protect against inadvertent or malicious security violations for departing users, this policy template uses Defender for Endpoint alerts to provide insights into security-related activities. These activities include the user installing malware or other potentially harmful applications and disabling security features on their devices. By using either the [Microsoft HR connector](import-hr-data.md) or the option to automatically check for user account deletion in Azure Active Directory for your organization, this template starts scoring for risk indicators relating to these security activities and how they correlate with user employment status.
+
+You'll need to have Microsoft Defender for Endpoint configured in your organization and enable Defender for Endpoint for insider risk management integration in the Defenfder Security Center to import security violation alerts. For more information on configuring Defender for Endpoint for insider risk management integration, see [Configure advanced features in Defender for Endpoint](/windows/security/threat-protection/microsoft-defender-atp/advanced-features#share-endpoint-alerts-with-microsoft-compliance-center).
+
+### Security policy violations by priority users (preview)
+
+Protecting against security violations for users in your organization may depend on their position, level of access to sensitive information, or risk history. Because security violations by priority users may have a significant impact on your organization's critical areas, this policy template starts scoring on these indicators, and uses Microsoft Defender for Endpoint alerts to provide insights into security-related activities for these users. These activities may include the priority users installing malware or other potentially harmful applications and disabling security features on their devices. Priority users are defined in priority user groups configured in the insider risk management settings area.
+
+You'll need to have Microsoft Defender for Endpoint configured in your organization and enable Defender for Endpoint for insider risk management integration in the Defender Security Center to import security violation alerts. For more information on configuring Defender for Endpoint for insider risk management integration, see [Configure advanced features in Defender for Endpoint](/windows/security/threat-protection/microsoft-defender-atp/advanced-features#share-endpoint-alerts-with-microsoft-compliance-center). Additionally, you'll need to assign priority user groups created in **Insider risk management** > **Settings** > **Priority user groups** to the policy.
+
+### Security policy violations by risky users (preview)
+
+Users that experience employment stressors may be at a higher risk for inadvertent or malicious security policy violations. These stressors may result in behaviors that result in the user being placed on a performance improvement plan, a poor performance review status, being demoted from their current position, or the user sending email and other messages that may signal risky behavior. This policy template starts risk scoring based on these indicators and activities associated with these events for these users.
+
+When using this template, you must configure an HR connector, or select the option to [integrate communication compliance risk signals](/microsoft-365/compliance/communication-compliance-policies#policy-for-insider-risk-management-integration-preview) from user messages, or both. The HR connector enables the periodic import of performance improvement notifications, poor performance review statuses, or job level change information for users in your organization. Communication compliance risk integration imports signals for user messages that may contain potentially threatening, harassing, or discriminatory text content. Associated alerts generated in communication compliance don't need to be triaged, remediated, or changed in status to be integrated with the insider risk management policy. To configure an HR connector, see the [Import data with the HR connector](import-hr-data.md) article. To configure integration with communication compliance, you'll select this option in wizard when you configure the policy.
+
+You'll also need to have Microsoft Defender for Endpoint configured in your organization and enable Defender for Endpoint for insider risk management integration in the Defender Security Center to import security violation alerts. For more information on configuring Defender for Endpoint for insider risk management integration, see [Configure advanced features in Defender for Endpoint](/windows/security/threat-protection/microsoft-defender-atp/advanced-features#share-endpoint-alerts-with-microsoft-compliance-center).
+
+## Policy template prerequisites and triggering events
+
+Depending on the template you choose for an insider risk management policy, the triggering events and policy prerequisites vary. Triggering events are prerequisites that determine if a user is active for an insider risk management policy. If a user is added to an insider risk management policy but doesn't have a triggering event, the user activity isn't evaluated by the policy unless they're manually added in the Users dashboard. Policy prerequisites are required items so that the policy receives the signals or activities necessary to evaluate risk.
+
+The following table lists the triggering events and prerequisites for policies created from each insider risk management policy template:
+
+| **Policy template** | **Triggering events for policies** | **Prerequisites** |
+| : | : | :- |
+| **Data theft by departing users** | Resignation or termination date indicator from HR connector or Azure Active Directory account deletion | (optional) Microsoft 365 HR connector configured for termination and resignation date indicators |
+| **Data leaks** | Data leak policy activity that creates a *High severity* alert or built-in exfiltration event triggers | DLP policy configured for *High severity* alerts <br><br> OR <br><br> Customized triggering indicators |
+| **Data leaks by priority users** | Data leak policy activity that creates a *High severity* alert or built-in exfiltration event triggers | DLP policy configured for *High severity* alerts <br><br> OR <br><br> Customized triggering indicators <br><br> Priority user groups configured in insider risk settings |
+| **Data leaks by risky users** | - Performance improvement, poor performance, or job level change indicators from HR connector. <br> - Messages containing potentially threatening, harassing, or discriminatory language | Microsoft 365 HR connector configured for disgruntlement indicators <br><br> AND/OR <br><br> Communication Compliance integration and dedicated disgruntlement policy |
+| **Security policy violations** | Defense evasion of security controls or unwanted software detected by Microsoft Defender for Endpoint | Active Microsoft Defender for Endpoint subscription <br><br> Microsoft Defender for Endpoint integration with Microsoft Purview compliance portal configured |
+| **Patient data misuse** | Defense evasion of security controls from EMR systems <br><br> User and patient address matching indicators from HR systems | Healthcare access indicators selected in policy or insider risk settings <br><br> Microsoft 365 HR connector configured for address matching <br><br> Microsoft Healthcare or Epic connector configured |
+| **Risky browser usage** | User browsing activity related to security that matches at least one selected *Browsing indicator* | See the complete list of prerequisites in the [browser signal detection article](/microsoft-365/compliance/insider-risk-management-browser-support) |
+| **Security policy violations by departing users** | Resignation or termination date indicators from HR connector or Azure Active Directory account deletion | (optional) Microsoft 365 HR connector configured for termination and resignation date indicators <br><br> Active Microsoft Defender for Endpoint subscription <br><br> Microsoft Defender for Endpoint integration with Microsoft Purview compliance portal configured |
+| **Security policy violations by priority users** | Defense evasion of security controls or unwanted software detected by Microsoft Defender for Endpoint | Active Microsoft Defender for Endpoint subscription <br><br> Microsoft Defender for Endpoint integration with Microsoft Purview compliance portal configured <br><br> Priority user groups configured in insider risk settings |
+| **Security policy violations by risky users** | - Performance improvement, poor performance, or job level change indicators from HR connector. <br> - Messages containing potentially threatening, harassing, or discriminatory language | Microsoft 365 HR connector configured for risk indicators <br><br> AND/OR <br><br> Communication Compliance integration and dedicated risky user policy <br><br> AND <br><br> Active Microsoft Defender for Endpoint subscription <br><br> Microsoft Defender for Endpoint integration with Microsoft Purview compliance portal configured |
+
+## Policy template limits
+
+Insider risk management policy templates use limits to manage the volume and rate of processing for in-scope user risk activities and how this process is integrated with supporting Microsoft 365 services. Each policy template has a maximum number of users that can be actively assigned risk scores for the policy that it can support and effectively process and report potentially risky activities. In-scope users are users with triggering events for the policy.
+
+The limit for each policy is calculated based on the total number of unique users receiving risk scores per policy template type. If the number of users for a policy template type is near or exceeds the user limit, the policy performance will be reduced. To view the current number of users for a policy, navigate to the Policy tab and the Users in scope column. You may have up to five policies for any policy template. These maximum limits apply to users across all policies using a given policy template.
+
+Use the following table to determine the maximum number of in-scope users supported for each policy template:
+
+|**Policy template**|**Current in-scope user maximum**|
+|:|:--|
+|General data leak|15,000|
+|Data leak by risky users|7,500|
+|Data leak by priority users|1,000|
+|Data theft by departing users|20,000|
+|Security policy violations|1,000|
+|Patient data misuse|5,000|
+|Risky browser usage|7,000|
+|Security policy violation by priority users|1,000|
+|Security policy violations by departing users|15,000|
+|Security policy violations by risky users|7,500|
+|Forensic evidence|5 users for preview release|
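Review bot: The delimiter rows of both tables are not valid markdown table syntax. The row under the prerequisites table header is `| : | : | :- |` and the row under the limits table header is `|:|:--|`; a delimiter cell needs at least one hyphen, so most renderers will not recognise these as tables. Change them to `|:--|:--|:--|` and `|:--|:--|`. Also, the template names in the limits table ('General data leak', 'Data leak by risky users', 'Data leak by priority users', 'Security policy violation by priority users') do not match the names used in the prerequisites table ('Data leaks', 'Data leaks by risky users', 'Data leaks by priority users', 'Security policy violations by priority users'); one spelling lets readers cross-reference the two. In the limits section, 'Each policy template has a maximum number of users that can be actively assigned risk scores for the policy that it can support and effectively process and report potentially risky activities' reads as two sentences merged and should be split.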
compliance Insider Risk Management https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/insider-risk-management.md
Identifying and resolving internal risk activities and compliance issues with in
You can select from the following policy templates to quickly get started with insider risk management: -- [Data theft by departing users](insider-risk-management-policies.md#data-theft-by-departing-users)-- [Data leaks](insider-risk-management-policies.md#data-leaks)-- [Data leaks by priority users (preview)](insider-risk-management-policies.md#data-leaks-by-priority-users-preview)-- [Security policy violations (preview)](insider-risk-management-policies.md#security-policy-violations-preview)-- [Patient data misuse (preview)](insider-risk-management-policies.md#patient-data-misuse-preview)-- [Data leaks by risky users (preview)](insider-risk-management-policies.md#data-leaks-by-risky-users-preview)-- [Security policy violations (preview)](insider-risk-management-policies.md#security-policy-violations-preview)-- [Patient data misuse (preview)](insider-risk-management-policies.md#patient-data-misuse-preview)-- [Security policy violations by departing users (preview)](insider-risk-management-policies.md#security-policy-violations-by-departing-users-preview)-- [Security policy violations by priority users (preview)](insider-risk-management-policies.md#security-policy-violations-by-priority-users-preview)-- [Security policy violations by risky users (preview)](insider-risk-management-policies.md#security-policy-violations-by-risky-users-preview)
+- [Data theft by departing users](insider-risk-management-policy-templates.md#data-theft-by-departing-users)
+- [Data leaks](insider-risk-management-policy-templates.md#data-leaks)
+- [Data leaks by priority users (preview)](insider-risk-management-policy-templates.md#data-leaks-by-priority-users-preview)
+- [Security policy violations (preview)](insider-risk-management-policy-templates.md#security-policy-violations-preview)
+- [Patient data misuse (preview)](insider-risk-management-policy-templates.md#patient-data-misuse-preview)
+- [Data leaks by risky users (preview)](insider-risk-management-policy-templates.md#data-leaks-by-risky-users-preview)
+- [Security policy violations (preview)](insider-risk-management-policy-templates.md#security-policy-violations-preview)
+- [Patient data misuse (preview)](insider-risk-management-policy-templates.md#patient-data-misuse-preview)
+- [Security policy violations by departing users (preview)](insider-risk-management-policy-templates.md#security-policy-violations-by-departing-users-preview)
+- [Security policy violations by priority users (preview)](insider-risk-management-policy-templates.md#security-policy-violations-by-priority-users-preview)
+- [Security policy violations by risky users (preview)](insider-risk-management-policy-templates.md#security-policy-violations-by-risky-users-preview)
![Insider risk management policy dashboard.](../media/insider-risk-policy-dashboard.png)
Insider risk management can help you detect, investigate, and take action to mit
### Data theft by departing users
-When users leave an organization, either voluntarily or as the result of termination, there are often legitimate concerns that company, customer, and user data are at risk. Users may innocently assume that project data isn't proprietary, or they may be tempted to take company data for personal gain and in violation of company policy and legal standards. Insider risk management policies that use the [Data theft by departing users](insider-risk-management-policies.md#policy-templates) policy template automatically detect activities typically associated with this type of theft. With this policy, you'll automatically receive alerts for suspicious activities associated with data theft by departing users so you can take appropriate investigative actions. Configuring a [Microsoft 365 HR connector](import-hr-data.md) for your organization is required for this policy template.
+When users leave an organization, either voluntarily or as the result of termination, there are often legitimate concerns that company, customer, and user data are at risk. Users may innocently assume that project data isn't proprietary, or they may be tempted to take company data for personal gain and in violation of company policy and legal standards. Insider risk management policies that use the [Data theft by departing users](insider-risk-management-policy-templates.md#policy-templates) policy template automatically detect activities typically associated with this type of theft. With this policy, you'll automatically receive alerts for suspicious activities associated with data theft by departing users so you can take appropriate investigative actions. Configuring a [Microsoft 365 HR connector](import-hr-data.md) for your organization is required for this policy template.
### Intentional or unintentional leak of sensitive or confidential information In most cases, users try their best to properly handle sensitive or confidential information. But occasionally users may make mistakes and information is accidentally shared outside your organization or in violation of your information protection policies. In other circumstances, users may intentionally leak or share sensitive and confidential information with malicious intent and for potential personal gain. Insider risk management policies created using the following Data leaks policy templates automatically detect activities typically associated with sharing sensitive or confidential information: -- [Data leaks](insider-risk-management-policies.md#data-leaks)-- [Data leaks by priority users (preview)](insider-risk-management-policies.md#data-leaks-by-priority-users-preview)-- [Data leaks by risky users (preview)](insider-risk-management-policies.md#data-leaks-by-risky-users-preview)
+- [Data leaks](insider-risk-management-policy-templates.md#data-leaks)
+- [Data leaks by priority users (preview)](insider-risk-management-policy-templates.md#data-leaks-by-priority-users-preview)
+- [Data leaks by risky users (preview)](insider-risk-management-policy-templates.md#data-leaks-by-risky-users-preview)
### Intentional or unintentional security policy violations (preview) Users typically have a large degree of control when managing their devices in the modern workplace. This control may include permissions to install or uninstall applications needed in the performance of their duties or the ability to temporarily disable device security features. Whether this risk activity is inadvertent, accidental, or malicious, this conduct can pose risk to your organization and is important to identify and act to minimize. To help identify these risky security activities, the following insider risk management security policy violation templates scores security risk indicators and uses Microsoft Defender for Endpoint alerts to provide insights for security-related activities: -- [Security policy violations (preview)](insider-risk-management-policies.md#security-policy-violations-preview)-- [Security policy violations by departing users (preview)](insider-risk-management-policies.md#security-policy-violations-by-departing-users-preview)-- [Security policy violations by priority users (preview)](insider-risk-management-policies.md#security-policy-violations-by-priority-users-preview)-- [Security policy violations by risky users (preview)](insider-risk-management-policies.md#security-policy-violations-by-risky-users-preview)
+- [Security policy violations (preview)](insider-risk-management-policy-templates.md#security-policy-violations-preview)
+- [Security policy violations by departing users (preview)](insider-risk-management-policy-templates.md#security-policy-violations-by-departing-users-preview)
+- [Security policy violations by priority users (preview)](insider-risk-management-policy-templates.md#security-policy-violations-by-priority-users-preview)
+- [Security policy violations by risky users (preview)](insider-risk-management-policy-templates.md#security-policy-violations-by-risky-users-preview)
### Policies for users based on position, access level, or risk history (preview) Users in your organization may have different levels of risk depending on their position, level of access to sensitive information, or risk history. This structure may include members of your organization's executive leadership team, IT administrators that have extensive data and network access privileges, or users with a past history of risky activities. In these circumstances, closer inspection and more aggressive risk scoring are important to help surface alerts for investigation and quick action. To help identify risky activities for these types of users, you can create priority user groups and create policies from the following policy templates: -- [Security policy violations by priority users (preview)](insider-risk-management-policies.md#security-policy-violations-by-priority-users-preview)-- [Data leaks by priority users (preview)](insider-risk-management-policies.md#data-leaks-by-priority-users-preview)
+- [Security policy violations by priority users (preview)](insider-risk-management-policy-templates.md#security-policy-violations-by-priority-users-preview)
+- [Data leaks by priority users (preview)](insider-risk-management-policy-templates.md#data-leaks-by-priority-users-preview)
### Healthcare (preview) For organizations in the healthcare industry, recent studies have found a very high rate of insider-related data breaches. Detecting misuse of patient data and health record information is a critical component of safeguarding patient privacy and complying with compliance regulation such as the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act. Patient data misuse can range from accessing privileged patient records to accessing records of patients from family or neighbors with malicious intent. To help identity these types of risky activities, the following insider risk management policy templates use the Microsoft 365 HR connector and a healthcare-specific data connector to start scoring risk indicators relating to behaviors that may occur within your electronic heath record (EHR) systems: -- [Patient data misuse (preview)](insider-risk-management-policies.md#patient-data-misuse-preview)
+- [Patient data misuse (preview)](insider-risk-management-policy-templates.md#patient-data-misuse-preview)
### Actions and behaviors by risky users (preview) Employment stressor events can impact user behavior in several ways that relate to insider risks. These stressors may be a poor performance review, a position demotion, or the user being placement on a performance review plan. Stressors may also result in potentially inappropriate behavior such as users sending potentially threatening, harassing, or discriminatory language in email and other messages. Though most users don't respond maliciously to these events, the stress of these actions may result in some users to behave in ways they may not normally consider during normal circumstances. To help identify these types of potentially risky activities, the following insider risk management policy templates can use the HR connector and/or integration with a [dedicated communication compliance policy](/microsoft-365/compliance/communication-compliance-policies#integration-with-insider-risk-management-preview) to bring users into scope for insider risk management policies and start scoring risk indicators relating to behaviors that may occur: -- [Data leaks by risky users (preview)](insider-risk-management-policies.md#data-leaks-by-risky-users-preview)-- [Security policy violations by risky users (preview)](insider-risk-management-policies.md#security-policy-violations-by-risky-users-preview)
+- [Data leaks by risky users (preview)](insider-risk-management-policy-templates.md#data-leaks-by-risky-users-preview)
+- [Security policy violations by risky users (preview)](insider-risk-management-policy-templates.md#security-policy-violations-by-risky-users-preview)
### Visual context for potentially risky user activities with forensic evidence (preview)
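Review bot: The rewritten template list repeats two entries: 'Security policy violations (preview)' and 'Patient data misuse (preview)' each appear twice (once after 'Data leaks by priority users (preview)' and again after 'Data leaks by risky users (preview)'). The duplicates were carried over from the removed list and should be dropped while the links are being retargeted. Also, in the 'Data theft by departing users' section the link points at the generic `#policy-templates` anchor of the new article, while the list above links the template's own `#data-theft-by-departing-users` anchor; pointing both at the template anchor is more useful.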
compliance Whats New https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/whats-new.md
Whether it be adding new solutions to the [Microsoft Purview compliance portal](
- **In preview**: Insider risk management [integration with communication compliance](/microsoft-365/compliance/communication-compliance#integration-with-insider-risk-management-preview) when using the *Data leaks by risky users* or *Security policy violations by risky users* policy templates. Communication compliance can now provide risk signals detected in messages to insider risk management policies. - **In preview**: New [inline alert customization](/microsoft-365/compliance/insider-risk-management-settings#inline-alert-customization-preview) allows analysts and investigators to quickly edit policies when reviewing alerts. - New [priority content scoring updates](/microsoft-365/compliance/insider-risk-management-policies#prioritize-content-in-policies) that allow you to choose whether to assign risk scores to all activities detected by a policy or only activities that include priority content.-- Security teams are now able to [customize a security trigger](/microsoft-365/compliance/insider-risk-management-policies#policy-templates) in the 'data leaks' policy to surface when a user performs a sequence, enabling them to respond to user actions that might be considered riskier.
+- Security teams are now able to [customize a security trigger](/microsoft-365/compliance/insider-risk-management-policy-templates#policy-templates) in the 'data leaks' policy to surface when a user performs a sequence, enabling them to respond to user actions that might be considered riskier.
- New updates now allow security teams to create [policies with sequences](/microsoft-365/compliance/insider-risk-management-policies#sequence-detection-preview) without any other required underlying policy indicator selections. ### Data lifecycle management and records management
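Review bot: Only one of the links into the policies article was retargeted. 'customize a security trigger' now points at `insider-risk-management-policy-templates#policy-templates`, but the neighbouring bullets still link `insider-risk-management-policies#prioritize-content-in-policies` and `insider-risk-management-policies#sequence-detection-preview`. If those sections moved to the policy-templates article together with the template content, these links need the same change; if they did not move, it is worth confirming the anchors still resolve.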
security TOC https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/TOC.md
## [Migration guides](migration-guides.md) ### [Migrate Defender for Endpoint servers to Defender for Cloud](migrating-mde-server-to-cloud.md)
-### [Move to Defender for Endpoint](switch-to-mde-overview.md)
+### [Migrate to Defender for Endpoint](switch-to-mde-overview.md)
#### [Phase 1: Prepare](switch-to-mde-phase-1.md) #### [Phase 2: Setup](switch-to-mde-phase-2.md) #### [Phase 3: Onboard](switch-to-mde-phase-3.md)
###### [Frequently asked questions](device-control-removable-storage-access-control-faq.md) ##### [Device Installation](mde-device-control-device-installation.md) ##### [Device Control Printer Protection](printer-protection.md)
+###### [Printer Protection Overview](printer-protection-overview.md)
+###### [Deploy and manage using group policy](deploy-and-manage-using-group-policy.md)
+###### [Deploy and manage using Intune](deploy-and-manage-using-intune.md)
+###### [Printer Protection frequently asked questions](printer-protection-frequently-asked-questions.md)
##### [Device Control Reports](device-control-report.md) #### [Exploit protection]() ##### [Protect devices from exploits](exploit-protection.md)
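Review bot: The four new sixth-level entries under 'Device Control Printer Protection' have titles that do not mention printer protection ('Deploy and manage using group policy', 'Deploy and manage using Intune'), so in the rendered sidebar they are indistinguishable from the removable storage access control deployment pages nearby, and 'Printer Protection Overview' repeats the parent entry's topic. Consider qualifying the titles (for example 'Deploy printer protection using group policy') in line with 'Printer Protection frequently asked questions'.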
security Command Line Arguments Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/command-line-arguments-microsoft-defender-antivirus.md
The following table lists common errors that can occur while using the MpCmdRun
|Error message|Possible reason| |||
-|**ValidateMapsConnection failed (800106BA)** or **0x800106BA**|The Microsoft Defender Antivirus service is disabled. Enable the service and try again. If you need help re-enabling Microsoft Defender Antivirus, see [Reinstall/enable Microsoft Defender Antivirus on your endpoints](switch-to-mde-phase-2.md#reinstallenable-microsoft-defender-antivirus-on-your-endpoints).<p> **TIP**: In Windows 10 1909 or older, and Windows Server 2019 or older, the service was formerly called *Windows Defender Antivirus*.|
+|**ValidateMapsConnection failed (800106BA)** or **0x800106BA**|The Microsoft Defender Antivirus service is disabled. Enable the service and try again. If you need help re-enabling Microsoft Defender Antivirus, see [Reinstall/enable Microsoft Defender Antivirus on your endpoints](switch-to-mde-phase-2.md#step-1-reinstallenable-microsoft-defender-antivirus-on-your-endpoints).<p> **TIP**: In Windows 10 1909 or older, and Windows Server 2019 or older, the service was formerly called *Windows Defender Antivirus*.|
|**0x80070667**|You're running the `-ValidateMapsConnection` command from a computer that is Windows 10 version 1607 or older, or Windows Server 2016 or older. Run the command from a machine that is Windows 10 version 1703 or newer, or Windows Server 2019 or newer.| |**MpCmdRun is not recognized as an internal or external command, operable program, or batch file.**|The tool must be run from either `%ProgramFiles%\Windows Defender` or `C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2012.4-0` (where `2012.4-0` might differ since platform updates are monthly except for March)| |**ValidateMapsConnection failed to establish a connection to MAPS (hr=80070005 httpcode=450)**|The command was attempted using insufficient privileges. Use the command prompt (cmd.exe) as an administrator.|
security Configure Proxy Internet https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-proxy-internet.md
The information in the list of proxy and firewall configuration information is r
4. Check the Microsoft Defender for Endpoint URLs list for the complete list of requirements for your region (refer to the Service URLs [Spreadsheet](https://download.microsoft.com/download/6/b/f/6bfff670-47c3-4e45-b01b-64a2610eaefa/mde-urls-commercial.xlsx)).
- :::image type="content" source="images/admin-powershell.png" alt-text="The administrator in Windows PowerShell" lightbox="images/admin-powershell.png":::
+ :::image type="content" source="../../media/defender-endpoint/admin-powershell.png" alt-text="This is admin powershell.":::
The wildcards (\*) used in \*.ods.opinsights.azure.com, \*.oms.opinsights.azure.com, and \*.agentsvc.azure-automation.net URL endpoints can be replaced with your specific Workspace ID. The Workspace ID is specific to your environment and workspace. It can be found in the Onboarding section of your tenant within the Microsoft 365 Defender portal.
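Review bot: The replacement image directive loses information. The alt text changes from 'The administrator in Windows PowerShell' to 'This is admin powershell.', which is less descriptive for screen readers, and the `lightbox` attribute is dropped, so the screenshot can no longer be enlarged. Keep the original alt text (or describe what the screenshot shows, such as the elevated PowerShell prompt) and carry `lightbox` over to the new `../../media/defender-endpoint/admin-powershell.png` path.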
security Defender Endpoint Antivirus Exclusions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/defender-endpoint-antivirus-exclusions.md
When you're dealing with false positives, or known entities that are generating
|:|:-| | [False positive](defender-endpoint-false-positives-negatives.md): An entity, such as a file or a process, was detected and identified as malicious, even though the entity isn't a threat. | <ol><li>[Review and classify alerts](defender-endpoint-false-positives-negatives.md#part-1-review-and-classify-alerts) that were generated as a result of the detected entity. </li><li>[Suppress an alert](defender-endpoint-false-positives-negatives.md#suppress-an-alert) for a known entity. </li><li>[Review remediation actions](defender-endpoint-false-positives-negatives.md#part-2-review-remediation-actions) that were taken for the detected entity. </li><li>[Submit the false positive to Microsoft](/microsoft-365/security/intelligence/submission-guide.md) for analysis. </li><li>[Define an exclusion](defender-endpoint-false-positives-negatives.md#part-3-review-or-define-exclusions) for the entity (only if necessary).</li></ol> | | [Performance issues](troubleshoot-performance-issues.md) such as one of the following issues:<ul><li>A system is having high CPU usage or other performance issues.</li><li>A system is having memory leak issues.</li><li>An app is slow to load on devices. </li><li>An app is slow to open a file on devices.</li></ul> | <ol><li>[Collect diagnostic data](collect-diagnostic-data.md) for Microsoft Defender Antivirus.</li><li>If you're using a non-Microsoft antivirus solution, [check with the vendor for any needed exclusions](troubleshoot-performance-issues.md#check-with-vendor-for-antivirus-exclusions).</li><li>[Analyze the Microsoft Protection Log](troubleshoot-performance-issues.md#analyze-the-microsoft-protection-log) to see the estimated performance impact.</li><li>[Define an exclusion for Microsoft Defender Antivirus](configure-exclusions-microsoft-defender-antivirus.md) (if necessary).</li><li>[Create an indicator for Defender for Endpoint](manage-indicators.md) (only if necessary).</li></ul> |
-| [Compatibility issues](microsoft-defender-antivirus-compatibility.md) with non-Microsoft antivirus products. <br/>Example: Defender for Endpoint relies on security intelligence updates for devices, whether they're running Microsoft Defender Antivirus or a non-Microsoft antivirus solution. | <ol><li>If you're using a non-Microsoft antivirus product as your primary antivirus/antimalware solution, [set Microsoft Defender Antivirus to passive mode](microsoft-defender-antivirus-compatibility.md#requirements-for-microsoft-defender-antivirus-to-run-in-passive-mode). </li><li>If you're switching from a non-Microsoft antivirus/antimalware solution to Defender for Endpoint, see [Make the switch to Defender for Endpoint](switch-to-mde-overview.md). This guidance includes:<ul><li>[Exclusions you might need to define for the non-Microsoft antivirus/antimalware solution](switch-to-mde-phase-2.md#add-microsoft-defender-for-endpoint-to-the-exclusion-list-for-your-existing-solution);</li><li>[Exclusions you might need to define for Microsoft Defender Antivirus](switch-to-mde-phase-2.md#add-your-existing-solution-to-the-exclusion-list-for-microsoft-defender-antivirus); </li><li>[Troubleshooting information](switch-to-mde-troubleshooting.md) (just in case something goes wrong while migrating).</li></ul></li></ol> |
+| [Compatibility issues](microsoft-defender-antivirus-compatibility.md) with non-Microsoft antivirus products. <br/>Example: Defender for Endpoint relies on security intelligence updates for devices, whether they're running Microsoft Defender Antivirus or a non-Microsoft antivirus solution. | <ol><li>If you're using a non-Microsoft antivirus product as your primary antivirus/antimalware solution, [set Microsoft Defender Antivirus to passive mode](microsoft-defender-antivirus-compatibility.md#requirements-for-microsoft-defender-antivirus-to-run-in-passive-mode). </li><li>If you're switching from a non-Microsoft antivirus/antimalware solution to Defender for Endpoint, see [Make the switch to Defender for Endpoint](switch-to-mde-overview.md). This guidance includes:<ul><li>[Exclusions you might need to define for the non-Microsoft antivirus/antimalware solution](switch-to-mde-phase-2.md#step-3-add-microsoft-defender-for-endpoint-to-the-exclusion-list-for-your-existing-solution);</li><li>[Exclusions you might need to define for Microsoft Defender Antivirus](switch-to-mde-phase-2.md#step-4-add-your-existing-solution-to-the-exclusion-list-for-microsoft-defender-antivirus) ; </li><li>[Troubleshooting information](switch-to-mde-troubleshooting.md) (just in case something goes wrong while migrating).</li></ul></li></ol> |
> [!IMPORTANT] > An "allow" indicator is the strongest type of exclusion you can define in Defender for Endpoint. Make sure to use indicators sparingly (only when necessary), and review all exclusions periodically.
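Review bot: A stray space was introduced before the semicolon in the second nested list item (`...for-microsoft-defender-antivirus) ;`); remove it. Since the TOC entry for `switch-to-mde-overview.md` is renamed in this same update from 'Move to Defender for Endpoint' to 'Migrate to Defender for Endpoint', the link text 'Make the switch to Defender for Endpoint' here could be aligned with the new title.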
security Deploy And Manage Using Group Policy https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/deploy-and-manage-using-group-policy.md
+
+ Title: Deploy and manage using group policy
+description: Use group policy to deploy and manage on printer protection.
++
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
++
+ms.localizationpriority: medium
+
+audience: ITPro
+
+- m365-security
+- tier2
++ Last updated : 01/09/2023+
+search.appverid: met150
++
+# Deploy and manage using group policy
+
+**Applies to:**
+- [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/p/?linkid=2154037)
+- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037)
+
+Microsoft Defender for Endpoint Device Control Printer Protection feature enables you to audit, allow, or prevent printer with or without exclusions.
+
+## Licensing requirements
+
+Before you get started with Removable Storage Access Control, you must confirm yourΓÇ»[Microsoft 365 subscription](https://www.microsoft.com/en-in/microsoft-365/compare-microsoft-365-enterprise-plans?rtc=3). To access and use Printer Protection through group policy, you must have Microsoft 365 E5.
+
+## Deploy using group policy
+
+1. Enable or Disable Device control:
+
+ You can enable or disable Device control as follows:
+
+ - Go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Features** > **Device Control**.
+ - In the **Device Control** window, select **Enabled**.
+
+ :::image type="content" source="images/enable-rsac-gp.png" alt-text="Screenshot of Enabling RSAC using Group Policy. " lightbox="images/enable-rsac-gp.png":::
+
+The purpose of this configuration is to temporarily disable device control on specific machine.
+
+> [!NOTE]
+> If you don't see this group policy objects, you need to add the group policy administrative template. You can download administrative template (WindowsDefender.admx and WindowsDefender.admx) from [samples](https://github.com/microsoft/mdatp-devicecontrol/tree/main/Removable%20Storage%20Access%20Control%20Samples)
+.
+
+> [!NOTE]
+> This configuration controls both Removable storage access control [Microsoft Defender for Endpoint Device Control Removable Storage Access Control](device-control-removable-storage-access-control.md) and Printer protection.
++
+2. Set Default Enforcement:
+
+ You can set default access (Deny or Allow) for all Device Control features (RemovableMediaDevices, CdRomDevices, WpdDevices, PrinterDevices).
+
+ For example, you can have either a Deny or an Allow policy for RemovableMediaDevices, but not for CdRomDevices or WpdDevices. You set Default Deny through this policy, then Read/Write/Execute access to CdRomDevices or WpdDevices will be blocked.
+
+ - Go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Features** > **Device Control** > **Select Device Control Default Enforcement**
+
+ - In the **Select Device Control Default Enforcement** pane, select **Default Deny**:
+
+ :::image type="content" source="images/set-default-enforcement-deny-gp.png" alt-text="Screenshot of setting Default Enforcement = Deny using Group Policy." lightbox="images/set-default-enforcement-deny-gp.png":::
+
+ > [!NOTE]
+ > This configuration controls both Removable storage access control [Microsoft Defender for Endpoint Device Control Removable Storage Access Control](device-control-removable-storage-access-control.md) and Printer protection. If you only want to manage storage, make sure to create Allow policy for Printer. Otherwise, this Default Enforcement will be applied to Printer as well.
+
+3. Create one XML file for removable storage group(s):
+
+ Use the properties in removable storage group to create an XML file for the Removable storage group(s), save the XML file to network share, and define the setting as follows:
+
+ - Go to **Computer Configuration** \> **Administrative Templates** \> **Windows Components** \> **Microsoft Defender Antivirus** \> **Device Control** \> **Define device control policy groups**.
+
+ :::image type="content" source="images/define-device-control-policy-grps-gp.png" alt-text="Screenshot of Define device control policy groups." lightbox="images/define-device-control-policy-grps-gp.png":::
+
+ - In the **Define device control policy groups** window, specify the network share file path containing the XML groups data.
+
+ Take a look at the **Overview** > **Removable storage group**. You can create different group types. Here's one group example XML file for any removable storage and CDROM and Windows portable devices and approved USBs group: [XML file](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/Group%20Policy/Demo_Groups.xml)
+
+> [!NOTE]
+> Comments using XML comment notation `<!-- COMMENT -->` can be used in the Rule and Group XML files, but they must be inside the first XML tag, not the first line of the XML file.
+
+4. Create one XML file for access policy rule(s):
+
+ Use the properties in removable storage access policy rule(s) to create an XML for each group's removable storage access policy rule, save the XML file to network share, and deliver the setting as follows:
+
+ - Go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Device Control** > **Define device control policy rules**.
+
+ :::image type="content" source="images/define-device-cntrl-policy-rules-gp.png" alt-text="Screenshot of define device control policy rules." lightbox="images/define-device-cntrl-policy-rules-gp.png":::
+
+ - In the **Define device control policy rules** window, select **Enabled**, and enter the network share file path containing the XML rules data.
+
+ Take a look at the **Overview** -> **Access policy rule**, you can use **Parameters** to set condition for specific Entry. Here's one [example XML file](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/Group%20Policy/Demo_Policies.xml).
+
+> [!NOTE]
+> Comments using XML comment notation `<!-- COMMENT -->` can be used in the Rule and Group XML files, but they must be inside the first XML tag, not the first line of the XML file.
+
+5. Set location for a copy of the file (evidence):
+
+ If you want to have a copy of the file (evidence) when Write access happens, set right **Options** in your removable storage access policy rule in the XML file, and then specify the location where system can save the copy.
+
+ - Go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Device Control** > **Define Device Control evidence data remote location**.
+
+ - In the **Define Device Control evidence data remote location** pane, select **Enabled**, and then specify the local or network share folder path.
+
+ :::image type="content" source="images/evidence-data-remote-location-gp.png" alt-text="Screenshot of Define Device Control evidence data remote location." lightbox="images/evidence-data-remote-location-gp.png":::
+
+## Scenarios
+
+Here are some common scenarios to help you familiarize with Microsoft Defender for Endpoint Removable Storage Access Control. In the following samples, 'Default Enforcement' hasn't been used because the 'Default Enforcement' will apply to both the removable storage and the printer.
+
+### Scenario 1: Prevent print to all but allow print through specific approved USB printer when the machine is corporate network, VPN connected, or print through PDF/XPS file
+
+Allows to print only through approved USB when machine is in corporate network, VPN connected, or print through PDF/XPS file.
+
+You can download the files here, [Printer Protection Samples](https://github.com/microsoft/mdatp-devicecontrol/tree/main/Printer%20Protection%20Samples/Group%20Policy).
+
+1. Create any printer group and allowed-USB printer group and allowed-file printer group
+
+ 1. Group 1: Any printer group
+
+ :::image type="content" source="media/screenshot-of-removable-storage.png" alt-text="This is the screenshot of removable of storage." lightbox="media/screenshot-of-removable-storage.png":::
+
+ 2. Group 2: Allowed-USB printer group
+
+ :::image type="content" source="media/screenshot-of-approved-usbs.png" alt-text="This is the screenshot of approved USBs." lightbox="media/screenshot-of-approved-usbs.png":::
+
+ 3. Group 2: Allowed PDF/XPS file printer group: following PrinterConnectionId is used, but if you want to only allow PDF, FriendlyNameId with ΓÇÿMicrosoft Print to PDFΓÇÖ is recommended
+
+ :::image type="content" source="images/group-3.png" alt-text="This is group 3policy." lightbox="images/group-3.png":::
+
+ Combine these two groups into [one XML file](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/Group%20Policy/Demo_Groups.xml). See step 3 from the [Deploy using group policy](deploy-and-manage-using-group-policy.md) section to deploy this configuration.
+
+ > [!TIP]
+ > Replace `&` with `&amp;` in the value.
+
+2. Create policy
+
+ 1. Create Allow and Audit policy for allowed-file printer group
+
+ :::image type="content" source="media/block-write-execute-access.png" alt-text="This is block write access screenshot." lightbox="media/block-write-execute-access.png":::
++
+ 2. Create policy to allow authorized USB printer only when the machine is Corporate Network OR VPN connected
+
+ :::image type="content" source="media/audit-write.png" alt-text="This is the deafult audit write access screenshot." lightbox="media/audit-write.png":::
+
+ 3. Create Default Deny custom policy for any other printers
+
+ :::image type="content" source="images/create-default.png" alt-text="This is create default." lightbox="images/create-default.png":::
+
+ Combine these two policy rules into [one XML file](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/Group%20Policy/Scenario%201%20GPO%20Policy%20-%20Prevent%20Write%20and%20Execute%20access%20to%20all%20but%20allow%20specific%20approved%20USBs.xml). See step 4 from the [Deploy using group policy](deploy-and-manage-using-group-policy.md) section to deploy this configuration.
+
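Review bot: The counts and the sample links in Scenario 1 don't match the steps. Three groups are listed (Any printer, Allowed-USB printer, Allowed PDF/XPS file printer), yet the text says "Combine these two groups", and the third group is labelled "Group 2" while its screenshot is group-3.png; likewise three policies are created but the text says "Combine these two policy rules". Both "one XML file" links point at the Removable Storage Access Control Samples (Demo_Groups.xml and the removable-storage Scenario 1 GPO policy) even though the scenario is a printer scenario and the paragraph above already points at the Printer Protection Samples folder; link the printer sample files instead. Smaller issues in the same hunk: the admx note lists "WindowsDefender.admx and WindowsDefender.admx" (the same filename twice; the FAQ page refers to a .adml and a .admx), and the stray "." on the next line falls outside the NOTE blockquote; the Default Enforcement explanation reads better as "If you set Default Deny through this policy, then Read/Write/Execute access to CdRomDevices or WpdDevices will be blocked"; "ΓÇÿMicrosoft Print to PDFΓÇÖ" is mis-encoded curly quotes; "3policy" and "deafult" in the alt texts are typos; and the bare "++" lines before "2. Set Default Enforcement" and before policy 2 look like stray characters.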
security Deploy And Manage Using Intune https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/deploy-and-manage-using-intune.md
+
+ Title: Deploy and manage using Intune
+description: Use Intune OMA-URI and Intune user interface to deploy and manage on printer protection.
++
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
++
+ms.localizationpriority: medium
+
+audience: ITPro
+
+- m365-security
+- tier2
++ Last updated : 01/09/2023+
+search.appverid: met150
++
+# Deploy and manage using Intune
+
+**Applies to:**
+- [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/p/?linkid=2154037)
+- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037)
+
+Microsoft Defender for Endpoint Device Control Printer Protection feature enables you to audit, allow, or prevent printer with or without exclusions.
+
+## Licensing requirements
+
+Before you get started with Printer Protection, you must confirm your [Microsoft 365 subscription](https://www.microsoft.com/microsoft-365/compare-microsoft-365-enterprise-plans?rtc=2). To access and use Printer Protection, you must have Microsoft 365 E3.
+
+### Permission
+
+For policy deployment in Intune, the account must have permissions to create, edit, update, or delete device configuration profiles. You can create custom roles or use any of the built-in roles with these permissions.
+
+- Policy and profile Manager role
+- Custom role with Create/Edit/Update/Read/Delete/View Reports permissions turned on for Device Configuration profiles
+- Global administrator
+
+## Deploy using Intune OMA-URI
+
+Go to Microsoft Endpoint Manager admin center (<https://endpoint.microsoft.com/>) > **Devices** > **Configuration profiles** > **Create profile** > **Platform: Windows 10 and later, Profile type: Templates** > **Custom** > **Create**.
+
+1. Enable or Disable Device control (Optional):
+
+ - Under **Custom**, enter the **Name** and **Description** and select **Next**.
+ - In the **Configuration settings**, select **Add**.
+ - In the **Add Row** pane, specify the following settings:
+ - **Name** as **Enable Device Control**
+ - **OMA-URI** as `./Vendor/MSFT/Defender/Configuration/DeviceControlEnabled`
+ - **Data Type** as **Integer**
+ - **Value** as **1**
+
+ `Disable: 0`
+ `Enable: 1`
+
+ - Select **Save**.
+
+ :::image type="content" source="media/enable-rsac.png" alt-text="Screenshot of enabling Removable Storage Access Control policy." lightbox="media/enable-rsac.png":::
+
+The purpose of this configuration is to temporarily disable Device control on specific machine.
+
+> [!NOTE]
+ > This configuration controls both [Microsoft Defender for Endpoint Device Control Removable Storage Access Control](device-control-removable-storage-access-control.md) and Printer Protection.
+
+2. Set Default Enforcement:
+
+ You can set the default access (Deny or Allow) for all Device Control features (`RemovableMediaDevices`, `CdRomDevices`, `WpdDevices`, `PrinterDevices`).
+
+ - In the **Add Row** pane, specify the following settings:
+ - **Name** as **Default Deny**
+ - **OMA-URI** as `./Vendor/MSFT/Defender/Configuration/DefaultEnforcement`
+ - **Data Type** as **Integer**
+ - **Value** as **1** or **2**
+
+ `DefaultEnforcementAllow = 1`
+ `DefaultEnforcementDeny = 2`
+
+ - Select **Save**.
+
+ :::image type="content" source="media/default-deny.png" alt-text="Screenshot of setting Default Enforcement as Deny." lightbox="media/default-deny.png":::
+
+ > [!NOTE]
+ > This configuration controls both Removable storage access control [Microsoft Defender for Endpoint Device Control Removable Storage Access Control](device-control-removable-storage-access-control.md) and Printer protection. If you only want to manage storage, make sure to create Allow policy for Printer. Otherwise, this Default Enforcement will be applied to Printer as well.
+
+3. Create one XML file for each group:
+
+ You can create a removable storage group for each group as follows:
+
+ - In the **Add Row** pane, enter:
+ - **Name** as **Any Removable Storage Group**
+ - **OMA-URI** as `./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups/%7b**[GroupId]**%7d/GroupData`
+ - **Data Type** as **String (XML file)**
+ - **Custom XML** as selected XML file
+
+ Take a look at the **Overview** -> **Removable storage group**, you can create different group types. Here's a [XML file for any printer and USB Printer and file Printer](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/Intune%20OMA-URI/Any%20Removable%20Storage%20and%20CD-DVD%20and%20WPD%20Group.xml).
+
+ :::image type="content" source="media/any-removable-storage-group.png" alt-text="Screenshot of creating any Removable Storage Group." lightbox="media/any-removable-storage-group.png":::
+
+ > [!NOTE]
+ > Comments using XML comment notation `<!-- COMMENT -->` can be used in the Rule and Group XML files, but they must be inside the first XML tag, not the first line of the XML file.
+
+4. Create one XML file for each access control or policy rule:
+
+ You can create a policy and apply it to related removable storage group as follows:
+
+ - In the **Add Row** pane, enter:
+ - **Name** as **Allow Read Activity**
+ - **OMA-URI** as `./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyRules/%7b**[PolicyRule Id]**%7d/RuleData`
+ - **Data Type** as **String (XML file)**
+ - **Custom XML** as selected XML file
+
+ Take a look at the **Overview** -> **Access policy rule**, you can use **Parameters** to set condition for specific Entry. Here's a [group example XML file for Allow Read access for each removable storage](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/Intune%20OMA-URI/Allow%20Read.xml).
+
+ :::image type="content" source="media/allow-read-activity.png" alt-text="Screenshot of Allow Read Activity policy." lightbox= "media/allow-read-activity.png":::
+
+ > [!NOTE]
+ > Comments using XML comment notation `<!-- COMMENT -->` can be used in the Rule and Group XML files, but they must be inside the first XML tag, not the first line of the XML file.
+
+5. Set location for a copy of the file (Optional):
+
+ If you want to have a copy of the file (evidence) when Write access happens, set right **Options** in your removable storage access policy rule in the XML file, and then specify the location where system can save the copy.
+
+ - In the **Add Row** pane, enter:
+ - **Name** as **Evidence folder location**
+ - **OMA-URI** as `./Vendor/MSFT/Defender/Configuration/DataDuplicationRemoteLocation`
+ - **Data Type** as **String**
+
+ :::image type="content" source="media/device-control-oma-uri-edit-row.png" alt-text="Set location for file evidence." lightbox="media/device-control-oma-uri-edit-row.png":::
+
+## Scenarios (default enforcement)
+
+Here are some common scenarios to help you familiarize with Microsoft Defender for Endpoint Printer Protection. In the following samples, **Default Enforcement** hasn't been used because the **Default Enforcement** will apply to both the removable storage and the printer.
+
+### Scenario 1: Prevent print to all but allow print through specific approved USB printer when the machine is Corporate Network OR VPN connected or print through PDF/XPS file
+
+Allows to print only through approved the USB when machine is in Corporate Network OR VPN connected, or print through PDF/XPS file.
+
+You can download the files [Printer Protection Samples](https://github.com/microsoft/mdatp-devicecontrol/tree/main/Printer%20Protection%20Samples/Intune%20OMA-URI).
+
+1. Create groups
+
+ 1. Group 1: Any printer group
+
+ :::image type="content" source="media/188234308-4db09787-b14e-446a-b9e0-93c99b08748f.png" alt-text="A screenshot showing removable storage." lightbox= "media/188234308-4db09787-b14e-446a-b9e0-93c99b08748f.png":::
+
+ Here's the [sample file](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/Intune%20OMA-URI/Any%20Removable%20Storage%20and%20CD-DVD%20and%20WPD%20Group.xml). See step 3 from the [Deploy Printer Protection](deploy-and-manage-using-intune.md) section to deploy the configuration.
+
+ 2. Group 2: Allowed-USB printer group
+
+ :::image type="content" source="media/188234372-526d20b3-cfea-4f1d-8d63-b513497ada52.png" alt-text="A screenshot of approved USBs." lightbox= "media/188234372-526d20b3-cfea-4f1d-8d63-b513497ada52.png":::
+
+ Here's the [sample file](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/Intune%20OMA-URI/Any%20Removable%20Storage%20and%20CD-DVD%20and%20WPD%20Group.xml). See step 3 from the [Deploy Printer Protection](deploy-and-manage-using-intune.md) section to deploy the configuration.
+
+ 3. Group 3: Allowed PDF/XPS file printer group: following PrinterConnectionId is used, but if you want to only allow PDF, FriendlyNameId with ΓÇÿMicrosoft Print to PDFΓÇÖ is recommended.
+
+ :::image type="content" source="images/allowed-pdf.png" alt-text="This is allowed pdf."lightbox="images/allowed-pdf.png":::
++
+ Here's the [sample file](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/Intune%20OMA-URI/Any%20Removable%20Storage%20and%20CD-DVD%20and%20WPD%20Group.xml). See step 3 from the [Deploy Printer Protection](deploy-and-manage-using-intune.md) section to deploy the configuration.
+
+ > [!TIP]
+ > Replace `&` with `&amp;` in the value.
+
+2. Create policy
+
+ 1. Create **Allow** and **Audit** policy for allowed-file printer group.
+
+ :::image type="content" source="media/188243425-c0772ed4-6537-4c6a-9a1d-1dbb48018578.png" alt-text="A screenshot of policy 1." lightbox= "media/188243425-c0772ed4-6537-4c6a-9a1d-1dbb48018578.png":::
+
+ Here's the [sample file](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/Intune%20OMA-URI/Scenario%201%20Block%20Write%20and%20Execute%20Access%20but%20allow%20approved%20USBs.xml). See step 4 from the [Deploy Printer Protection](deploy-and-manage-using-intune.md) section to deploy the configuration.
+
+ 2. Create policy to allow authorized USB printer only when the machine is in Corporate Network or connected to the VPN
+
+ :::image type="content" source="media/188243552-5d2a90ab-dba6-450f-ad8f-86a862f6e739.png" alt-text="A screenshot of policy 2." lightbox= "media/188243552-5d2a90ab-dba6-450f-ad8f-86a862f6e739.png":::
+
+ Here's the [sample file](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/Intune%20OMA-URI/Scenario%201%20Block%20Write%20and%20Execute%20Access%20but%20allow%20approved%20USBs.xml). See step 4 from the [Deploy Printer Protection](deploy-and-manage-using-intune.md) section to deploy the configuration.
+
+ 3. Create Default Deny custom policy for any other printers
+
+ :::image type="content" source="media/188243552-5d2a90ab-dba6-450f-ad8f-86a862f6e739.png" alt-text="A screenshot of policy 2." lightbox= "media/188243552-5d2a90ab-dba6-450f-ad8f-86a862f6e739.png":::
+
+ Here's the [sample file](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/Intune%20OMA-URI/Scenario%201%20Block%20Write%20and%20Execute%20Access%20but%20allow%20approved%20USBs.xml). See step 4 from the [Deploy Printer Protection](deploy-and-manage-using-intune.md) section to deploy the configuration.
++
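Review bot: The OMA-URI values in steps 3 and 4 embed bold markers inside a code span (`%7b**[GroupId]**%7d`, `%7b**[PolicyRule Id]**%7d`), so the asterisks render literally and a reader could paste them into the profile; write the placeholder as `%7b[GroupId]%7d` and explain it in prose. The sample links are also wrong for this page: the step 3 link text promises an "XML file for any printer and USB Printer and file Printer" but the URL is the removable-storage "Any Removable Storage and CD-DVD and WPD Group.xml", all three printer groups in Scenario 1 link that same file, and all three policies link the same removable-storage "Scenario 1 Block Write and Execute Access" file, while the scenario intro points at the Printer Protection Samples folder; policy 3 additionally reuses policy 2's screenshot and alt text. Step 5 (evidence location) lists Name, OMA-URI and Data Type but, unlike the other rows, no Value, so the reader doesn't know that the folder path goes there. Other points: the heading "Scenarios (default enforcement)" contradicts the sentence that Default Enforcement hasn't been used; the NOTE after step 1 has an unindented "> [!NOTE]" followed by an indented "> This configuration…", which can split the callout; the Group 3 image directive is missing a space before `lightbox=`; "approved the USB" should be "the approved USB"; and "ΓÇÿMicrosoft Print to PDFΓÇÖ" is mis-encoded.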
security Deploy Manage Removable Storage Intune https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/deploy-manage-removable-storage-intune.md
For this scenario, you need to create two groups: one group for any removable st
### Scenario 2: Audit Write and Execute access for all but block specific blocked USBs
-For this scenario, you need to create two groupss: one group for any removable storage and another group for blocked USBs. You also need to create two policies: one policy to audit Write and Execute access for any removable storage group and the other policy to deny the blocked USBs group.
+For this scenario, you need to create two groups: one group for any removable storage and another group for blocked USBs. You also need to create two policies: one policy to audit Write and Execute access for any removable storage group and the other policy to deny the blocked USBs group.
1. Create groups
security Faqs Tamper Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/faqs-tamper-protection.md
ms.mktglfcycl: manage ms.sitesec: library ms.localizationpriority: medium Previously updated : 12/07/2022 Last updated : 01/10/2023 audience: ITPro
Your security operations team can also use hunting queries, such as the followin
> - [Microsoft Defender for Endpoint on Linux](microsoft-defender-endpoint-linux.md) > - [Configure Defender for Endpoint on Android features](android-configure.md) > - [Configure Microsoft Defender for Endpoint on iOS features](ios-configure-features.md)+
+## What are all the options for configuring tamper protection?
+
+You can use any of the following methods to configure tamper protection:
+
+- The [Microsoft 365 Defender portal](manage-tamper-protection-microsoft-365-defender.md) (turn tamper protection on or off, tenant wide)
+- [Intune](manage-tamper-protection-microsoft-endpoint-manager.md) (turn tamper protection on or off, and/or configure tamper protection for some or all users)
+- [Configuration Manager](manage-tamper-protection-configuration-manager.md) (with tenant attach, you can configure tamper protection for some or all devices by using the Windows Security experience profile)
+- [Windows Security app](manage-tamper-protection-individual-device.md) (for an individual device used at home or that is not centrally managed by a security team)
+
+> [!NOTE]
+> We recommend keeping tamper protection turned on for your whole organization. If tamper protection prevents your IT or security team from performing a necessary task on a device,
+consider using [troubleshooting mode](enable-troubleshooting-mode.md) instead of disabling tamper protection.
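Review bot: The second line of the NOTE ("consider using troubleshooting mode…") lacks the leading `>`, so it renders as a separate paragraph outside the callout rather than as part of the note; prefix it with `> ` or join it to the previous line.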
security Isolate Machine https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/isolate-machine.md
Isolates a device from accessing external network.
> [!IMPORTANT] > > - Full isolation is available for devices on Windows 10, version 1703, and on Windows 11.
+> - Full isolation is available in **public preview** for all supported Microsoft Defender for Endpoint on Linux listed in [System requirements](microsoft-defender-endpoint-linux.md#system-requirements).
> - Selective isolation is available for devices on Windows 10, version 1709 or later, and on Windows 11. > - When isolating a device, only certain processes and destinations are allowed. Therefore, devices that are behind a full VPN tunnel won't be able to reach the Microsoft Defender for Endpoint cloud service after the device is isolated. We recommend using a split-tunneling VPN for Microsoft Defender for Endpoint and Microsoft Defender Antivirus cloud-based protection-related traffic.
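Review bot: The new Linux bullet is missing a noun: "for all supported Microsoft Defender for Endpoint on Linux listed in System requirements" should say what is supported (for example "for all supported Microsoft Defender for Endpoint on Linux distributions listed in…"). Since the next bullet scopes selective isolation to Windows only, it would also help to state explicitly whether selective isolation is available on Linux, so the two bullets don't leave that open.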
security Printer Protection Frequently Asked Questions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/printer-protection-frequently-asked-questions.md
+
+ Title: Printer Protection frequently asked questions
+description: Answers frequently asked questions on MDE Printer Protection.
++
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
++
+ms.localizationpriority: medium
+
+audience: ITPro
+
+- m365-security
+- tier3
++ Last updated : 01/09/2023+
+search.appverid: met150
++
+# Printer Protection frequently asked questions
+
+**Applies to:**
+- [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/p/?linkid=2154037)
+- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037)
+
+This article provides answers to frequently asked questions about device control printer protection capabilities in Microsoft Defender for Endpoint.
+
+## How do I generate GUID for Group ID/PolicyRule ID/Entry ID?
+
+You can generate the GUID through online open source or by using PowerShell. For more information, see [How to generate GUID through PowerShell](/powershell/module/microsoft.powershell.utility/new-guid).
++
+## What are the removable storage media and policy limitations?
+
+The backend call is done through OMA-URI (GET to read or PATCH to update) either from Intune or through Microsoft Graph API. The limitation is the same as any OMA-URI custom configuration profile at Microsoft, which is officially 350,000 characters for XML files. For example, if you need two blocks of entries per user SID to "Allow" / "Audit allowed" specific users, and then two blocks of entries at the end to "Deny" all, you'll be able to manage 2,276 users.
+
+## Why doesn't the policy work?
+
+The most common reason is there's no required [anti-malware client version](/microsoft-365/security/defender-endpoint/device-control-removable-storage-access-control#prepare-your-endpoints).
+
+Another reason could be that the XML file isn't correctly formatted. For example, not using the correct markdown formatting for the "&" character in the XML file or the text editor might add a byte order mark (BOM) 0xEF 0xBB 0xBF at the beginning of the files causing the XML parsing not to work. One simple solution is to download the [sample file](https://github.com/microsoft/mdatp-devicecontrol/tree/main/Removable%20Storage%20Access%20Control%20Samples) (select **Raw** and then **Save as**), and then update.
+
+If you're deploying and managing the policy by using Group Policy, make sure to combine all PolicyRules into one XML file within a parent node called `PolicyRules`. Also combine all Groups into one XML file within a parent node called `Groups`. If you manage through Intune, keep one PolicyRule XML file, and one Group XML file.
+
+The device (machine) should have a valid certificate. Run the following command on the machine to check:
+
+`Get-AuthenticodeSignature C:\Windows\System32\wbem\WmiPrvSE.exe`
++
+If the policy still isn't working, contact support, and share your support cab. To get that file, open Command Prompt as an administrator, and then use the following command:
+
+`"%programfiles%\Windows Defender\MpCmdRun.exe" -GetFiles`
+
+## Why is there no configuration UX for some policy groups?
+
+There is no configuration UX for **Define device control policy groups** and **Define device control policy rules** on your Group Policy. But, you can still get the related `.adml` and `.admx` files by selecting **Raw** and **Save as** at the [WindowsDefender.adml](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/WindowsDefender.adml) and [WindowsDefender.admx](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/WindowsDefender.admx) files.
+
+## How do I confirm that the latest policy has been deployed to the target machine?
+
+You can run the PowerShell cmdlet `Get-MpComputerStatus` as an administrator. The following value will show whether the latest policy has been applied to the target machine.
++
+## How can I know which machine is using out of date anti-malware client version in the organization?
+
+You can use following query to get anti-malware client version on the Microsoft 365 security portal:
+
+```kusto
+//check the anti-malware client version
+DeviceFileEvents
+|where FileName == "MsMpEng.exe"
+|where FolderPath contains @"C:\ProgramData\Microsoft\Windows Defender\Platform\"
+|extend PlatformVersion=tostring(split(FolderPath, "\\", 5))
+//|project DeviceName, PlatformVersion // check which machine is using legacy platformVersion
+|summarize dcount(DeviceName) by PlatformVersion // check how many machines are using which platformVersion
+|order by PlatformVersion desc
+```
+
+## How do I find the media property in the Device Manager?
+
+1. Plug in the media.
+
+2. Open Device Manager.
+
+ :::image type="content" source="media/screenshot-of-device-manager.png" alt-text="This is the screenshot of device manager." lightbox="media/screenshot-of-device-manager.png":::
+
+3. Locate the media in the Device Manager, right-click, and then select **Properties**.
+
+ :::image type="content" source="media/locate-the-media.png" alt-text="This is the locate the media screenshot." lightbox="media/locate-the-media.png":::
+
+4. Open **Details**, and select **Properties**.
+
+ :::image type="content" source="media/details.png" alt-text="This is details screenshot." lightbox="media/details.png":::
+
+
+## How do I find Sid or ComputerSid for Azure AD group?
+
+Different from AD group, the Sid or ComputerSid is using Object ID for Azure AD group. You can find the Object ID from Azure portal.
++
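Review bot: The answer to "How do I confirm that the latest policy has been deployed" is incomplete: it says "The following value will show whether the latest policy has been applied" but no property name or value follows, so the reader cannot act on it; name the `Get-MpComputerStatus` field to look at. In "Why doesn't the policy work?", the `&` problem is XML escaping (`&amp;`, as the TIP on the deployment pages says), not "markdown formatting", and the BOM sentence is a run-on; also the `Get-AuthenticodeSignature C:\Windows\System32\wbem\WmiPrvSE.exe` check doesn't say what a passing result looks like (for example which `Status` value) or why that binary's signature is the one to check, so it's not usable as a diagnostic as written. In the KQL query, `split(FolderPath, "\\", 5)` returns a one-element dynamic array, so `tostring()` of it produces a bracketed JSON string like `["4.18.2205.7"]`; `tostring(split(FolderPath, "\\")[5])` yields the bare version, and `order by` on a string sorts lexicographically rather than by version, so `parse_version()` is worth considering for the sort. Minor: "through online open source" is vague (an online GUID generator is meant), and the "++" lines after several answers are stray characters.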
security Printer Protection Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/printer-protection-overview.md
+
+ Title: Printer Protection Overview
+description: A walk-through about Microsoft Defender for Endpoint for Printer Protection
+
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
++
+ms.localizationpriority: medium
+
+audience: ITPro
+
+- m365-security
+- tier3
+++ Last updated : 01/09/2023+
+search.appverid: met150
++
+# Printer Protection Overview
+
+**Applies to:**
+- [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/p/?linkid=2154037)
+- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037)
+
+> [!NOTE]
+> The Group Policy management and Intune OMA-URI/Custom Policy management of this product have been release, if you are currently using [Microsoft Defender for Endpoint Device Control Printer Protection | Microsoft Learn](printer-protection-overview.md), we recommend you upgrade.
+
+## Overview
+
+Microsoft Defender for Endpoint Device Control Printer Protection feature enables you to audit, allow, or prevent printer with or without exclusions.
+
+|Privilege|Permission|
+|||
+|Access|Read, Write, Execute|
+|Action Mode|Audit, Allow, Prevent|
+|CSP Support|Yes|
+|GPO Support|Yes|
+|User-based Support|Yes|
+|Machine-based Support|Yes|
+
+### Prerequisites for preview
+
+Ensure that the Windows devices that you need to onboard should meet the following requirements:
+
+1. Install the right OS KB:
+
+- [KB5020030 (OS Builds 19042.2311, 19043.2311, 19044.2311, and 19045.2311) Preview Microsoft Support](https://support.microsoft.com/en-us/topic/november-15-2022-kb5020030-os-builds-19042-2311-19043-2311-19044-2311-and-19045-2311-preview-237a9048-f853-4e29-a3a2-62efdbea95e2)
+- [KB5019157 (OS Build 22000.1281) Preview - Microsoft Support](https://support.microsoft.com/en-us/topic/november-15-2022-kb5019157-os-build-22000-1281-preview-d64fb317-3435-49ff-b2c4-d0356a51a6b0)
+
+2. MOCAMP:4.18.2205 or later, you can run the command `Get-MpComputerStatus `on PowerShell to check the version.
++
+### Device control printer protection properties
+
+The printer protection comprises group and policy configurations:
+
+- Group configuration allows you to create group. For example, authorized USB printer group or network location group.
+- Policy configuration allows you to create policy to restrict each printer group. For example, only allow authorized users to Print access authorized printer group.
+
+**Group configuration**
+
+Group configuration includes the following types:
+
+- Device
+- Network
+- VPNConnection
+- PrintJob
+
+The table below lists the properties you can use in **Group**:
+
+|Property Name|Description|Options|
+||||
+|Group ID |GUID, a unique ID, represents the group and will be used in the policy.|You can generate the group ID throughΓÇ» [PowerShell](/powershell/module/microsoft.powershell.utility/new-guid?view=powershell-7.3&preserve-view=true)|
+|Name |String, the name of the policy and will display on the toast based on the policy setting. |
+|Type |The type of the group. |<li> Device</li><li>Network</li><li>VPN Connection</li><li>PrintJob</li><p><b>Note:</b></p>Default type is Device that includes removable storage and printer. For any other group you define in your Group setting, make sure explicitly mark Type, for example, Type="File".
+|DescriptorIdList|List the device properties you want to use to cover in the group. All properties are case sensitive.|When the Group type is Device, following are the attributes you can use inside DescriptorIdList: <li> PrimaryId: The Primary ID includes RemovableMediaDevices, CdRomDevices, WpdDevices, PrinterDevices. </li><li> FriendlyNameId: It's a string attached to the device, for example, Generic Flash Disk USB Device. It's the Friendly name in the Device Manager. </li><li> Device</li>VID_PID: Vendor ID is the four-digit vendor code that the USB committee assigns to the vendor. Product ID is the four-digit product code that the vendor assigns to the device. It supports wildcard. To transform Device instance path to Vendor ID and Product ID format, see  [Standard USB Identifiers](/windows-hardware/drivers/install/standard-usb-identifiers). For example:<b>0751_55E0: match this exact VID/PID pair</b><b>_55E0: match any media with PID=55E0</b><b>_0751_: match any media with VID=0751 </b> PrinterConnectionId: The PrinterConnectionId includes:<li> USB: A printer connected through USB port of a computer. You can use this if you want to enforce any USB printer, if you want to define specific USB printer then use the VID_PID.</li> <li> Corporate: A corporate printer is a print queue shared through on-premises Windows print server in your domain. Its path might look like \print-server\contoso.com\legal_printer_001. </li> <li> Network: A network printer is a printer that is accessible by network connection, making it usable by other computers connected to the network. </li> <li> Universal: See, Set up Universal Print for more information on universal printers. </li> <li> File: Microsoft Print to PDF or Microsoft XPS Document Writer. 
If you only want to enforce Microsoft Print to PDF, you should use Friendly printer name with 'Microsoft Print to PDF'.</li> <li> Custom: Any printer not connecting through Microsoft print port.</li> <li> Local: Any printer connecting through Microsoft print port but not any of above type, for example print through remote desktop or redirect printer. </li> **When the Group type is Network, following are the attributes you can use inside DescriptorIdList:** <li> NameId: The name of the Network, support wildcard. </li> <li> NetworkCategoryId: includes Public, Private, DomainAuthenticated. </li> <li> NetworkDomainId: includes NonDomain, Domain, DomainAuthenticated. </li> **When the Group type is VPNConnection, following are the attributes you can use inside DescriptorIdList:** <li> NameId: The name of the VPN Connection, support wildcard. </li> <li> VPNConnectionStatusId: includes Connected, Disconnected. </li> <li> VPNServerAddressId: string, value of VPNServerAddress, support. </li> <li> VPNDnsSuffixId: string, value of VPNDnsSuffix, support wildcard. </li> **When the Group type is PrintJob, following are the attributes you can use inside DescriptorIdList:** <li> PrintOutputFileNameId: Print to file, the output destination file path, support wildcard, for example, C:\*\Test.pdf </li> <li> PrintDocumentNameId: The source file path, support wildcard. This may not exist, e.g. open a `notepad.exe`, type and print without saving to the disk.</li>
+|MatchType|When there are multiple device properties being used in the `DescriptorIDList`, MatchType defines the relationship.|<li> **MatchAll**: Any attributes under the DescriptorIdList will be And relationship; for example, if administrator puts DeviceID and InstancePathID, for every connected USB, system will check to see whether the USB meets both values. </li><li>**MatchAny**: The attributes under the DescriptorIdList will be Or relationship; for example, if administrator puts DeviceID and InstancePathID, for every connected USB, system will do the enforcement as long as the USB has either an identical DeviceID or InstanceID value. </li><li>**MatchExcludeAll**: The attributes under the DescriptorIdList will be And relationship, any items that do NOT meet will be covered. For example, if administrator puts DeviceID and InstancePathID and uses MatchExcludeAll, for every connected USB, system will do the enforcement as long as the USB doesn't have both identical DeviceID and InstanceID value.</li><li>**MatchExcludeAny**: The attributes under the DescriptorIdList will be Or relationship, any items that do NOT meet will be covered. For example, if administrator puts DeviceID and InstancePathID and uses MatchExcludeAny, for every connected USB, system will do the enforcement as long as the USB doesn't have either an identical DeviceID or InstanceID value.</li>|
+
+## Access policy rule
+
+Every access policy rule called PolicyRule can be used to define access restriction for each Device type group through multiple Entry.
+
+The table below lists the properties you can use inΓÇ»**PolicyRule**:
+
+|Property Name|Description|Options|
+||||
+|PolicyRule ID|GUID, a unique ID, represents the policy and will be used in the reporting and troubleshooting.|You can generate the group ID through ΓÇ»[PowerShell](/powershell/module/microsoft.powershell.utility/new-guid?view=powershell-7.3&preserve-view=true)|
+|Name |String, the name of the policy and will display on the toast based on the policy setting and will be captured in the reporting.|
+|IncludedIdList|The group(s) that the policy will be applied to. If multiple groups are added, the policy will be applied to any media in all those groups. |The Group ID/GUID must be used at this instance. The following example shows the usage of GroupID: {EAA4CCE5-F6C9-4760-8BAD-FDCC76A2ACA1}<p><b>Note:</b></p> You shouldn't add multiple groups inside IncludedIdList, instead, add all groups into a new group and then add the new group inside IncludedIdList.|
+|ExcludedIDList |The group(s) that the policy won't be applied to.|The Group ID/GUID must be used at this instance.|
+|Entry |One PolicyRule can have multiple entries; each entry with a unique GUID tells Device Control one restriction. |See Entry properties table below for more details.|
+
+The table below lists the properties you can use inΓÇ»**Entry**:
+
+|Property Name|Description|Options|
+||||
+|PolicyRule ID|GUID, a unique ID, represents the policy and will be used in the reporting and troubleshooting.|You can generate the group ID throughΓÇ» [PowerShell](/powershell/module/microsoft.powershell.utility/new-guid?view=powershell-7.3&preserve-view=true)|
+|Type |Defines the action for the removable storage groups in IncludedIDList.<li> Enforcement: Allow or Deny</li> <li> Audit: AuditAllowed or AuditDenied | <li> Allow</li> <li> Deny</li><li> AuditAllowed: Defines event when access is allowed</li> <li> AuditDenied: Defines notification and event when access is denied; has to work together with Deny entry. </li> When there are conflict types for the same media, the system will apply the first one in the policy. An example of a conflict type is  **Allow**  and  **Deny**.|
+|Sid |Local user Sid or user Sid group or the Sid of the AD object or the Object ID of the Azure AD object, defines whether to apply this policy over a specific user or user group. One entry can have a maximum of one SID and an entry without any SID means to apply the policy over the machine.|
+|ComputerSid|Local computer Sid or computer Sid group or the Sid of the AD object or the Object ID of the AAD object, defines whether to apply this policy over a specific machine or machine group. One entry can have a maximum of one ComputerSID and an entry without any ComputerSID means to apply the policy over the machine. If you want to apply an Entry to a specific user and specific machine, add both SID and ComputerSID into the same Entry. |
+|Options|Defines whether to display notification or not|**When Type Allow is selected:**<li> 0: nothing </li> <li> 4: disable AuditAllowed and AuditDenied for this Entry. Even if Allow happens and the AuditAllowed is setting configured, the system won't send event. </li> <li> 8: capture file information and have a copy of the file as evidence for Write access. </li> <li> 16: capture printed content. </li> **When Type Deny is selected:**<li> 0: nothing </li> <li> 4: disable AuditDenied for this Entry. Even if Block happens and the AuditDenied is setting configured, the system won't show notification. </li> **When Type AuditAllowed is selected:**<li> 0: nothing </li> <li> 1: nothing </li> <li> 2: send event </li> **When Type AuditDenied is selected:**<li> 0: nothing </li> <li> 1: show notification </li> <li> 2: send event </li> <li> 3: show notification and send event </li> <li> 4: print </li>|
+|AccessMask |Defines the access. |
+|Parameters |Condition for this Entry, for example, network condition.| Can add groups (non-devices type) or even put Parameters into Parameters. See Parameters properties table below for more details.|
+
+The table below lists the properties you can use inΓÇ»**Parameters**:
+
+|Property Name|Description|Options|
+||||
+|MatchType | When there are multiple device properties being used in the DescriptorIDList, MatchType defines the relationship.| **MatchAll:**<li> Any attributes under the DescriptorIdList will be And relationship; for example, if administrator puts DeviceID and InstancePathID, for every connected USB, system will check to see whether the USB meets both values.</li> **MatchAny:**</li> The attributes under the DescriptorIdList will be Or relationship; for example, if administrator puts DeviceID and InstancePathID, for every connected USB, system will do the enforcement as long as the USB has either an identical DeviceID or InstanceID value. </li> **MatchExcludeAll:**<li> The attributes under the DescriptorIdList will be And relationship, any items that do NOT meet will be covered. For example, if administrator puts DeviceID and InstancePathID and uses MatchExcludeAll, for every connected USB, system will do the enforcement as long as the USB doesn't have both identical DeviceID and InstanceID value.</li> **MatchExcludeAny:**<li> The attributes under the DescriptorIdList will be Or relationship, any items that do NOT meet will be covered. For example, if administrator puts DeviceID and InstancePathID and uses MatchExcludeAny, for every connected USB, system will do the enforcement as long as the USB doesn't have either an identical DeviceID or InstanceID value.</li>|
+|PrintJob Network VPNConnection| The PrintJob or Network or VPNConnection group(s) created above.| Use the GroupId of the PrintJob or Network or VPNConnection group(s) created above.|
+|Parameters | You can embed Parameters inside Parameters with MatchType. |
+
+## Enduser experience
+
+You can view the policy name and printer information if you have right options setting in your policy.
+
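Review bot: the three property tables (PolicyRule, Entry and Parameters) use `||||` as the header delimiter row, which Markdown does not treat as a table separator; use `|---|---|---|` so the tables render. Several rows in those tables carry only two cells (`Name`, `Sid`, `ComputerSid`, `AccessMask` and the nested `Parameters` row), so the Options column is missing; add the third cell even when it is empty. The first row of the Entry table is labeled `PolicyRule ID` with the PolicyRule description copied verbatim, but the Entry row above says each entry has its own unique GUID, so that row should describe the Entry ID. The DescriptorIdList cell has broken list markup: `<li> Device</li>VID_PID:` splits one item in two (it should be `<li>VID_PID: ...</li>`), and the three bold VID/PID examples run together with no separator; `VPNServerAddressId: string, value of VPNServerAddress, support.` is cut off (the neighbouring items read `support wildcard`). In the Entry `Type` cell, `<li> Audit: AuditAllowed or AuditDenied` is never closed, and in the Parameters `MatchType` cell `**MatchAny:**</li> The attributes ...` has a stray closing `</li>` with no opening `<li>`. The IncludedIdList row is self-contradictory: the Description says `If multiple groups are added, the policy will be applied to any media in all those groups`, while the Note says `You shouldn't add multiple groups inside IncludedIdList`; state which behaviour is supported. The lead-ins `The table below lists the properties you can use in **PolicyRule**` (and the Entry and Parameters ones, plus the two PowerShell links) contain non-breaking spaces, rendered here as `ΓÇ»`; replace them with plain spaces. Minor wording: `through multiple Entry` should be `through multiple entries`, `## Enduser experience` should be `## End-user experience`, and `if you have right options setting` should be `if you have the right Options setting`.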
security Printer Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/printer-protection.md
ms.mktglfcycl: deploy
ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium Last updated : 01/10/2023
search.appverid: met150
- [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037)
+> [!NOTE]
+> If you want to manage printers, see [Microsoft Defender for Endpoint Device Control Printer Protection](printer-protection-overview.md).
+ Microsoft Defender for Endpoint Device Control Printer Protection blocks people from printing via non-corporate printers or non-approved USB printer. ## Licensing
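Review bot: in the added paragraph the `## Licensing` heading is run onto the same line as the sentence (`... non-approved USB printer. ## Licensing`); the heading must start on its own line after a blank line, otherwise it renders as body text and the Licensing section loses its anchor. Also `non-approved USB printer` should be plural (`printers`) to match `non-corporate printers`. Since the NOTE sends readers who want to manage printers to `printer-protection-overview.md`, say in one clause what that page covers that this one does not, so the cross-reference does not read as circular.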
security Switch To Mde Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/switch-to-mde-overview.md
- tier1 Previously updated : 01/03/2023 Last updated : 01/10/2023 search.appverid: met150
search.appverid: met150
- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
-If you are ready to switch from a non-Microsoft endpoint protection solution to [Microsoft Defender for Endpoint](microsoft-defender-endpoint.md) (Defender for Endpoint), or you're just interested in what all is involved in the process, use this article as a guide. This article describes the overall process of moving to [Defender for Endpoint Plan 1 or Plan 2](defender-endpoint-plan-1-2.md). The following image depicts the migration process at a high level:
+If you are ready to move from a non-Microsoft endpoint protection solution to [Microsoft Defender for Endpoint](microsoft-defender-endpoint.md), or you're just interested in what all is involved in the process, use this article as a guide. This article describes the overall process of moving to [Defender for Endpoint Plan 1 or Plan 2](defender-endpoint-plan-1-2.md). The following image depicts the migration process at a high level:
:::image type="content" source="images/nonms-mde-migration.png" alt-text="Diagram depicting the process of migrating to Defender for Endpoint" lightbox="images/nonms-mde-migration.png":::
-When you migrate to Defender for Endpoint, you begin with your non-Microsoft antivirus/antimalware protection in active mode. Then, you configure Microsoft Defender Antivirus in passive mode, and onboard your devices to Defender for Endpoint. Next, you configure Defender for Endpoint features, and verify that everything is working correctly. Finally, you remove the non-Microsoft solution from your devices.
+When you migrate to Defender for Endpoint, you begin with your non-Microsoft antivirus/antimalware protection in active mode. Then, you configure Microsoft Defender Antivirus in passive mode, and configure Defender for Endpoint features. Then, you onboard your organization's devices, and verify that everything is working correctly. Finally, you remove the non-Microsoft solution from your devices.
## The migration process
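Review bot: the rewritten opening sentence drops the parenthetical `(Defender for Endpoint)` that introduced the short name, yet the rest of the paragraph and the process paragraph below still use `Defender for Endpoint` without introducing it; keep the parenthetical after the first full product name. The reordered process paragraph now configures Defender for Endpoint features before onboarding devices, while `images/nonms-mde-migration.png` and its alt text are unchanged in this change; confirm the diagram shows the same order, or the figure will contradict the text.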
security Switch To Mde Phase 1 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/switch-to-mde-phase-1.md
Title: Switch to Microsoft Defender for Endpoint - Prepare
+ Title: Migrate to Microsoft Defender for Endpoint - Prepare
description: Get ready to make the switch to Microsoft Defender for Endpoint. Update your devices and configure your network connections. keywords: migration, Microsoft Defender for Endpoint, best practice
search.appverid: met150
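Review bot: the title is renamed from `Switch to` to `Migrate to`, but the `description` on the next line still reads `Get ready to make the switch to Microsoft Defender for Endpoint`; update the description to use the same verb as the new title so the page title and search snippet agree.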
-# Switch to Microsoft Defender for Endpoint - Phase 1: Prepare
+# Migrate to Microsoft Defender for Endpoint - Phase 1: Prepare
**Applies to:** - [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/?linkid=2154037)
search.appverid: met150
|--|--|--| |*You are here!*| | |
-**Welcome to the Prepare phase of [switching to Defender for Endpoint](switch-to-mde-overview.md#the-migration-process)**.
+**Welcome to the Prepare phase of [migrating to Defender for Endpoint](switch-to-mde-overview.md#the-migration-process)**.
This migration phase includes the following steps:
-1. [Get and deploy updates across your organization's devices](#get-and-deploy-updates-across-your-organizations-devices).
-2. [Get Microsoft Defender for Endpoint Plan 1 or Plan 2](#get-microsoft-defender-for-endpoint-plan-1-or-plan-2).
-3. [Grant access to the Microsoft 365 Defender portal](#grant-access-to-the-microsoft-365-defender-portal).
-4. [Review more information about device proxy and internet connectivity settings](#more-information-about-device-proxy-and-internet-connectivity-settings).
+1. [Get and deploy updates across your organization's devices](#step-1-get-and-deploy-updates-across-your-organizations-devices).
+2. [Get Microsoft Defender for Endpoint Plan 1 or Plan 2](#step-2-get-microsoft-defender-for-endpoint-plan-1-or-plan-2).
+3. [Grant access to the Microsoft 365 Defender portal](#step-3-grant-access-to-the-microsoft-365-defender-portal).
+4. [Review more information about device proxy and internet connectivity settings](#step-4-view-information-about-device-proxy-and-internet-connectivity-settings).
-## Get and deploy updates across your organization's devices
+## Step 1: Get and deploy updates across your organization's devices
As a best practice, keep your organization's devices and endpoints up to date. Make sure your existing endpoint protection and antivirus solution is up to date, and that your organization's operating systems and apps also have the latest updates. Getting updates installed now can help prevent problems later as you migrate to Defender for Endpoint and employ Microsoft Defender Antivirus on all your devices.
Need help with updating your organization's devices? See the following resources
|Android|[Check & update your Android version](https://support.google.com/android/answer/7680439)| |Linux|[Linux 101: Updating Your System](https://www.linux.com/training-tutorials/linux-101-updating-your-system)|
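Review bot: step 4 in the list links to `#step-4-view-information-about-device-proxy-and-internet-connectivity-settings` with the text `Review more information about device proxy and internet connectivity settings`, while the renamed heading it points to reads `Step 4: View information about device proxy and internet connectivity settings`; make the link text match the heading. The anchors for steps 1 through 3 do match their new `Step N:` headings in this change.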
-## Get Microsoft Defender for Endpoint Plan 1 or Plan 2
+## Step 2: Get Microsoft Defender for Endpoint Plan 1 or Plan 2
Now that you've updated your organization's devices, the next step is to get Defender for Endpoint, assign licenses, and make sure the service is provisioned.
At this point, you're ready to grant access to your security administrators and
> [!TIP] > The Microsoft 365 Defender portal is accessed at <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">https://security.microsoft.com</a>. The former Microsoft Defender Security Center (https://securitycenter.windows.com) now redirects to the Microsoft 365 Defender portal. To learn more, see [Microsoft 365 Defender portal overview](portal-overview.md).
-## Grant access to the Microsoft 365 Defender portal
+## Step 3: Grant access to the Microsoft 365 Defender portal
The <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a> is where you and your security team will access and configure features and capabilities of Defender for Endpoint. To learn more, see [Overview of the Microsoft 365 Defender portal](use.md).
Permissions to the Microsoft 365 Defender portal can be granted by using either
3. Grant your security team access to the Microsoft 365 Defender portal. (Need help? See [Manage portal access using RBAC](rbac.md).
-## More information about device proxy and internet connectivity settings
+## Step 4: View information about device proxy and internet connectivity settings
To enable communication between your devices and Defender for Endpoint, you might have to configure proxy and internet settings. The following table includes links to resources you can use to configure your proxy and internet settings for various operating systems:
security Switch To Mde Phase 2 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/switch-to-mde-phase-2.md
Title: Switch to Microsoft Defender for Endpoint - Setup
+ Title: Migrate to Microsoft Defender for Endpoint - Setup
description: Make the switch to Defender for Endpoint. Review the setup process, which includes installing Microsoft Defender Antivirus. keywords: migration, Microsoft Defender for Endpoint, antivirus, passive mode, setup process
ms.pagetype: security
ms.localizationpriority: medium Previously updated : 12/01/2022 Last updated : 01/10/2023 audience: ITPro
search.appverid: met150
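Review bot: the title is renamed to `Migrate to Microsoft Defender for Endpoint - Setup`, but the `description` below still opens with `Make the switch to Defender for Endpoint`; align the description with the new title, as the Phase 1 article in this same change set also needs.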
-# Switch to Microsoft Defender for Endpoint - Phase 2: Setup
+# Migrate to Microsoft Defender for Endpoint - Phase 2: Setup
**Applies to:** - [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/?linkid=2154037)
search.appverid: met150
|||| ||*You are here!*||
-**Welcome to the Setup phase of [switching to Defender for Endpoint](switch-to-mde-overview.md#the-migration-process)**. This phase includes the following steps:
+**Welcome to the Setup phase of [migrating to Defender for Endpoint](switch-to-mde-overview.md#the-migration-process)**. This phase includes the following steps:
-1. [Reinstall/enable Microsoft Defender Antivirus on your endpoints](#reinstallenable-microsoft-defender-antivirus-on-your-endpoints).
-2. [Configure Defender for Endpoint](#configure-defender-for-endpoint).
-3. [Add Defender for Endpoint to the exclusion list for your existing solution](#add-microsoft-defender-for-endpoint-to-the-exclusion-list-for-your-existing-solution).
-4. [Add your existing solution to the exclusion list for Microsoft Defender Antivirus](#add-your-existing-solution-to-the-exclusion-list-for-microsoft-defender-antivirus).
-5. [Set up your device groups, device collections, and organizational units](#set-up-your-device-groups-device-collections-and-organizational-units).
+1. [Reinstall/enable Microsoft Defender Antivirus on your endpoints](#step-1-reinstallenable-microsoft-defender-antivirus-on-your-endpoints).
+2. [Configure Defender for Endpoint Plan 1 or Plan 2](#step-2-configure-defender-for-endpoint-plan-1-or-plan-2)
+3. [Add Defender for Endpoint to the exclusion list for your existing solution](#step-3-add-microsoft-defender-for-endpoint-to-the-exclusion-list-for-your-existing-solution).
+4. [Add your existing solution to the exclusion list for Microsoft Defender Antivirus](#step-4-add-your-existing-solution-to-the-exclusion-list-for-microsoft-defender-antivirus).
+5. [Set up your device groups, device collections, and organizational units](#step-5-set-up-your-device-groups-device-collections-and-organizational-units).
-## Reinstall/enable Microsoft Defender Antivirus on your endpoints
+## Step 1: Reinstall/enable Microsoft Defender Antivirus on your endpoints
On certain versions of Windows, Microsoft Defender Antivirus was likely uninstalled or disabled when your non-Microsoft antivirus/antimalware solution was installed. When endpoints running Windows are onboarded to Defender for Endpoint, Microsoft Defender Antivirus can run in passive mode alongside a non-Microsoft antivirus solution. To learn more, see [Antivirus protection with Defender for Endpoint](microsoft-defender-antivirus-compatibility.md#antivirus-protection-without-defender-for-endpoint).
As you're making the switch to Defender for Endpoint, you might need to take cer
You can now run Microsoft Defender Antivirus in passive mode on Windows Server 2012 R2 and 2016 using the method above. For more information, see [Options to install Microsoft Defender for Endpoint](configure-server-endpoints.md#options-to-install-the-microsoft-defender-for-endpoint-packages).
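Review bot: step 2 in the list, `[Configure Defender for Endpoint Plan 1 or Plan 2](#step-2-configure-defender-for-endpoint-plan-1-or-plan-2)`, is the only item without a trailing period; add it for consistency with the other four. The anchors for steps 1 through 3 match the new `Step N:` headings in this change; steps 4 and 5 point at headings that are not shown here, so verify those were renamed with the same `step-4-` and `step-5-` prefixes.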
-## Configure Defender for Endpoint
+## Step 2: Configure Defender for Endpoint Plan 1 or Plan 2
-This step of the migration process involves configuring Microsoft Defender Antivirus for your endpoints. We recommend using Intune; however, you can any of the methods that are listed in the following table:
+> [!IMPORTANT]
+> - This article describes how to configure your Defender for Endpoint capabilities before devices are onboarded.
+> - If you have Defender for Endpoint Plan 1, complete steps 1-5 in the following procedure.
+> - If you have Defender for Endpoint Plan 2, complete steps 1-7 in the following procedure.
-|Method|What to do|
-|||
-|[Intune](/mem/intune/fundamentals/tutorial-walkthrough-endpoint-manager) <br/><br/> **NOTE**: Intune is now part of Microsoft Endpoint Manager.|1. Go to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and sign in.<br/><br/>2. Select **Devices** \> **Configuration profiles**, and then select the profile type you want to configure. If you haven't yet created a **Device restrictions** profile type, or if you want to create a new one, see [Configure device restriction settings in Microsoft Intune](/intune/device-restrictions-configure).<br/><br/>3. Select **Properties**, and then select **Configuration settings: Edit**<br/><br/>4. Expand **Microsoft Defender Antivirus**.<br/><br/>5. Enable **Cloud-delivered protection**.<br/><br/>6. In the **Prompt users before sample submission** dropdown, select **Send all samples automatically**.<br/><br/>7. In the **Detect potentially unwanted applications** dropdown, select **Enable** or **Audit**.<br/><br/>8. Select **Review + save**, and then choose **Save**. <br/><br/> **TIP**: For more information about Intune device profiles, including how to create and configure their settings, see [What are Microsoft Intune device profiles?](/intune/device-profiles).|
-|[Microsoft Endpoint Configuration Manager](/mem/configmgr)|See [Create and deploy antimalware policies for Endpoint Protection in Configuration Manager](/mem/configmgr/protect/deploy-use/endpoint-antimalware-policies). <br/><br/> When you create and configure your antimalware policies, make sure to review the [real-time protection settings](/mem/configmgr/protect/deploy-use/endpoint-antimalware-policies#real-time-protection-settings) and [enable block at first sight](configure-block-at-first-sight-microsoft-defender-antivirus.md).
-|Control Panel in Windows|Follow the guidance here: [Turn on Microsoft Defender Antivirus](/mem/intune/user-help/turn-on-defender-windows). (You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.)|
-|[Advanced Group Policy Management](/microsoft-desktop-optimization-pack/agpm/) <br/><br/> or <br/><br/> [Group Policy Management Console](/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus)|1. Go to **Computer configuration** \> **Administrative templates** \> **Windows components** \> **Microsoft Defender Antivirus**.<br/><br/>2. Look for a policy called **Turn off Microsoft Defender Antivirus**.<br/><br/>3. Choose **Edit policy setting**, and make sure that policy is disabled. This action enables Microsoft Defender Antivirus. <br/>(You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.)|
+1. Make sure Defender for Endpoint is provisioned. As a global admin, go to the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) and sign in. Then, in the navigation pane, select **Assets** > **Devices**.
-> [!TIP]
-> You can deploy the policies before your organization's devices are onboarded.
+ The following table shows what your screen might look like and what it means.
-## Add Microsoft Defender for Endpoint to the exclusion list for your existing solution
+ | Screen | What it means |
+ ||:|
+ | :::image type="content" source="medie-hangon-provisioning.png"::: | Defender for Endpoint isn't finished provisioning yet. You might have to wait a little while for the process to finish. |
+ | :::image type="content" source="media/device-inventory-empty.png" alt-text="Screenshot showing device inventory page with no device onboarded yet." lightbox="media/device-inventory-empty.png"::: | Defender for Endpoint is provisioned. In this case, proceed to the next step. |
-This step of the setup process involves adding Defender for Endpoint to the exclusion list for your existing endpoint protection solution and any other security products your organization is using.
+2. Turn on [tamper protection](prevent-changes-to-security-settings-with-tamper-protection.md). We recommend turning tamper protection on for your whole organization. You can do this task in the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)).
-> [!TIP]
-> To get help configuring exclusions, refer to your solution provider's documentation.
+ 1. In the Microsoft 365 Defender portal, choose **Settings** > **Endpoints**.
+
+ 2. Go to **General** > **Advanced features**, and then set the toggle for tamper protection to **On**.
+
+ 3. Select **Save**.
+
+ [Learn more about tamper protection](prevent-changes-to-security-settings-with-tamper-protection.md).
+
+3. If you're going to use either [Microsoft Intune](/mem/intune/fundamentals/what-is-intune) or [Microsoft Endpoint Configuration Manager](/mem/endpoint-manager-overview) to onboard devices and configure device policies, set up integration with Defender for Endpoint by following these steps: <br/>
+
+ 1. In the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)), go to **Endpoint security**.
+
+ 2. Under **Setup**, choose **Microsoft Defender for Endpoint**.
+
+ 3. Under **Endpoint Security Profile Settings**, set the toggle for **Allow Microsoft Defender for Endpoint to enforce Endpoint Security Configurations** to **On**.
+
+ 4. Near the top of the screen, select **Save**.
+
+ 5. In the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), choose **Settings** > **Endpoints**.
+
+ 6. Scroll down to **Configuration management**, and select **Enforcement scope**.
+
+ 7. Set the toggle for **Use MDE to enforce security configuration settings from MEM** to **On**, and then select the options for both Windows client and Windows Server devices.
+
+ 8. If you're planning to use Configuration Manager, set the toggle for **Manage Security settings using Configuration Manager** to **On**. (If you need help with this step, see [Co-existence with Microsoft Endpoint Configuration Manager](/mem/intune/protect/mde-security-integration#co-existence-with-microsoft-endpoint-configuration-manager).)
+
+ 9. Scroll down and select **Save**.
+
+4. Configure your initial [attack surface reduction capabilities](overview-attack-surface-reduction.md). At a minimum, enable the standard protection rules that are listed in the following table right away:
+
+ | Standard protection rules | Configuration methods |
+ |:|:|
+ | [Block credential stealing from the Windows local security authority subsystem (lsass.exe)](attack-surface-reduction-rules-reference.md#block-credential-stealing-from-the-windows-local-security-authority-subsystem) <br/><br/>[Block abuse of exploited vulnerable signed drivers](attack-surface-reduction-rules-reference.md#block-abuse-of-exploited-vulnerable-signed-drivers)<br/><br/>[Block persistence through Windows Management Instrumentation (WMI) event subscription](attack-surface-reduction-rules-reference.md#block-persistence-through-wmi-event-subscription) | [Intune](enable-attack-surface-reduction.md#intune) (Device configuration profiles or Endpoint Security policies) <br/><br/>[Mobile Device Management (MDM)](enable-attack-surface-reduction.md#mdm) (Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules](/windows/client-management/mdm/policy-csp-defender#defender-attacksurfacereductionrules) configuration service provider (CSP) to individually enable and set the mode for each rule.)<br/><br/>[Group Policy](enable-attack-surface-reduction.md#group-policy) or [PowerShell](enable-attack-surface-reduction.md#powershell) (only if you're not using Intune, Configuration Manager, or another enterprise-level management platform) |
+
+ [Learn more about attack surface reduction capabilities](overview-attack-surface-reduction.md).
+
+5. Configure your [next-generation protection capabilities](next-generation-protection.md).
+
+ | Capability | Configuration methods |
+ |:|:|
+ | [Intune](/mem/intune/fundamentals/tutorial-walkthrough-endpoint-manager) |1. In the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), select **Devices** \> **Configuration profiles**, and then select the profile type you want to configure. If you haven't yet created a **Device restrictions** profile type, or if you want to create a new one, see [Configure device restriction settings in Microsoft Intune](/intune/device-restrictions-configure).<br/><br/>2. Select **Properties**, and then select **Configuration settings: Edit**<br/><br/>3. Expand **Microsoft Defender Antivirus**.<br/><br/>4. Enable **Cloud-delivered protection**.<br/><br/>5. In the **Prompt users before sample submission** dropdown, select **Send all samples automatically**.<br/><br/>6. In the **Detect potentially unwanted applications** dropdown, select **Enable** or **Audit**.<br/><br/>7. Select **Review + save**, and then choose **Save**. <br/><br/> **TIP**: For more information about Intune device profiles, including how to create and configure their settings, see [What are Microsoft Intune device profiles?](/intune/device-profiles).|
+ |[Configuration Manager](/mem/configmgr)|See [Create and deploy antimalware policies for Endpoint Protection in Configuration Manager](/mem/configmgr/protect/deploy-use/endpoint-antimalware-policies). <br/><br/> When you create and configure your antimalware policies, make sure to review the [real-time protection settings](/mem/configmgr/protect/deploy-use/endpoint-antimalware-policies#real-time-protection-settings) and [enable block at first sight](configure-block-at-first-sight-microsoft-defender-antivirus.md).
+ |[Advanced Group Policy Management](/microsoft-desktop-optimization-pack/agpm/) <br/> or <br/> [Group Policy Management Console](/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus)|1. Go to **Computer configuration** \> **Administrative templates** \> **Windows components** \> **Microsoft Defender Antivirus**.<br/><br/>2. Look for a policy called **Turn off Microsoft Defender Antivirus**.<br/><br/>3. Choose **Edit policy setting**, and make sure that policy is disabled. This action enables Microsoft Defender Antivirus. (You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.)|
+ |Control Panel in Windows|Follow the guidance here: [Turn on Microsoft Defender Antivirus](/mem/intune/user-help/turn-on-defender-windows). (You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.)|
+
+ *If you have Defender for Endpoint Plan 1, your initial setup and configuration is done for now. If you have Defender for Endpoint Plan 2, continue to steps 6-7.*
+
+6. Configure your endpoint detection and response (EDR) policies in the Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)). To get help with this task, see [Create EDR policies](/mem/intune/protect/endpoint-security-edr-policy#create-edr-policies).
+
+7. Configure your automated investigation and remediation capabilities in the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)). To get help with this task, see [Configure automated investigation and remediation capabilities in Microsoft Defender for Endpoint](configure-automated-investigations-remediation.md).
+
+ *At this point, initial setup and configuration of Defender for Endpoint Plan 2 is complete.*
+
+## Step 3: Add Microsoft Defender for Endpoint to the exclusion list for your existing solution
+
+This step of the setup process involves adding Defender for Endpoint to the exclusion list for your existing endpoint protection solution and any other security products your organization is using. Make sure to refer to your solution provider's documentation to add exclusions.
The specific exclusions to configure will depend on which version of Windows your endpoints or devices are running, and are listed in the following table.
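Review bot: step 5 of the new Intune row ("In the **Prompt users before sample submission** dropdown, select **Send all samples automatically**") gives no indication that this setting uploads files from the endpoint to Microsoft for analysis, which matters for organizations with data-handling constraints. Add a sentence stating what the setting submits and that the same dropdown offers less permissive choices, so readers can make a deliberate decision rather than copy the recommended value.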
The specific exclusions to configure will depend on which version of Windows you
[Windows Server 2022](/windows/release-health/status-windows-server-2022)<br/><br/>[Windows Server 2019](/windows/release-health/status-windows-10-1809-and-windows-server-2019) <br/><br/>[Windows Server 2016](/windows/release-health/status-windows-10-1607-and-windows-server-2016)<br/><br/>[Windows Server 2012 R2](/windows/release-health/status-windows-8.1-and-windows-server-2012-r2)<br/><br/>[Windows Server, version 1803](/windows-server/get-started/whats-new-in-windows-server-1803) | On Windows Server 2012 R2 and Windows Server 2016 running the [modern, unified solution](configure-server-endpoints.md#windows-server-2012-r2-and-windows-server-2016), the following exclusions are required after updating the Sense EDR component using [KB5005292](https://support.microsoft.com/topic/microsoft-defender-for-endpoint-update-for-edr-sensor-f8f69773-f17f-420f-91f4-a8e5167284ac):<br/> <br/> `C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\*\MsSense.exe` <br/><br/>`C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\*\SenseCnCProxy.exe`<br/><br/>`C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\*\SenseIR.exe`<br/><br/>`C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\*\SenseCE.exe`<br/><br/>`C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\*\SenseSampleUploader.exe`<br/><br/>`C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\*\SenseCM.exe` <br/><br/>`C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\DataCollection`| |[Windows 8.1](/windows/release-health/status-windows-8.1-and-windows-server-2012-r2)<br/><br/>[Windows 7](/windows/release-health/status-windows-7-and-windows-server-2008-r2-sp1)<br/><br/>[Windows Server 2008 R2 SP1](/windows/release-health/status-windows-7-and-windows-server-2008-r2-sp1) |`C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\Monitoring Host 
Temporary Files 6\45\MsSenseS.exe`<br/><br/>**NOTE**: Monitoring Host Temporary Files 6\45 can be different numbered subfolders.<br/><br/>`C:\Program Files\Microsoft Monitoring Agent\Agent\AgentControlPanel.exe`<br/><br/>`C:\Program Files\Microsoft Monitoring Agent\Agent\HealthService.exe`<br/><br/>`C:\Program Files\Microsoft Monitoring Agent\Agent\HSLockdown.exe`<br/><br/>`C:\Program Files\Microsoft Monitoring Agent\Agent\MOMPerfSnapshotHelper.exe`<br/><br/>`C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe`<br/><br/>`C:\Program Files\Microsoft Monitoring Agent\Agent\TestCloudConnection.exe` |
-## Add your existing solution to the exclusion list for Microsoft Defender Antivirus
+## Step 4: Add your existing solution to the exclusion list for Microsoft Defender Antivirus
-During this step of the setup process, you add your existing solution to the Microsoft Defender Antivirus exclusion list. You can choose from several methods to add your exclusions to Microsoft Defender Antivirus, as listed in the following table:
+During this step of the setup process, you add your existing solution to the list of exclusions for Microsoft Defender Antivirus. You can choose from several methods to add your exclusions to Microsoft Defender Antivirus, as listed in the following table:
|Method|What to do| |||
-|[Intune](/mem/intune/fundamentals/tutorial-walkthrough-endpoint-manager) <br/><br/> **NOTE**: Intune is now part of Microsoft Endpoint Manager.|1. Go to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and sign in.<br/><br/>2. Select **Devices** \> **Configuration profiles**, and then select the profile that you want to configure.<br/><br/>3. Under **Manage**, select **Properties**.<br/><br/>4. Select **Configuration settings: Edit**.<br/><br/>5. Expand **Microsoft Defender Antivirus**, and then expand **Microsoft Defender Antivirus Exclusions**.<br/><br/>6. Specify the files and folders, extensions, and processes to exclude from Microsoft Defender Antivirus scans. For reference, see [Microsoft Defender Antivirus exclusions](/mem/intune/configuration/device-restrictions-windows-10#microsoft-defender-antivirus-exclusions).<br/><br/>7. Choose **Review + save**, and then choose **Save**.|
+|[Intune](/mem/intune/fundamentals/tutorial-walkthrough-endpoint-manager) |1. Go to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and sign in.<br/><br/>2. Select **Devices** \> **Configuration profiles**, and then select the profile that you want to configure.<br/><br/>3. Under **Manage**, select **Properties**.<br/><br/>4. Select **Configuration settings: Edit**.<br/><br/>5. Expand **Microsoft Defender Antivirus**, and then expand **Microsoft Defender Antivirus Exclusions**.<br/><br/>6. Specify the files and folders, extensions, and processes to exclude from Microsoft Defender Antivirus scans. For reference, see [Microsoft Defender Antivirus exclusions](/mem/intune/configuration/device-restrictions-windows-10#microsoft-defender-antivirus-exclusions).<br/><br/>7. Choose **Review + save**, and then choose **Save**.|
|[Microsoft Endpoint Configuration Manager](/mem/configmgr/)|1. Using the [Configuration Manager console](/mem/configmgr/core/servers/manage/admin-console), go to **Assets and Compliance** \> **Endpoint Protection** \> **Antimalware Policies**, and then select the policy that you want to modify.<br/><br/>2. Specify exclusion settings for files and folders, extensions, and processes to exclude from Microsoft Defender Antivirus scans.| |[Group Policy Object](/previous-versions/windows/desktop/Policy/group-policy-objects)|1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and then select **Edit**.<br/><br/>2. In the **Group Policy Management Editor**, go to **Computer configuration** and select **Administrative templates**.<br/><br/>3. Expand the tree to **Windows components \> Microsoft Defender Antivirus \> Exclusions**. (You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.)<br/><br/>4. Double-click the **Path Exclusions** setting and add the exclusions.<br/><br/>5. Set the option to **Enabled**.<br/><br/>6. Under the **Options** section, select **Show...**.<br/><br/>7. Specify each folder on its own line under the **Value name** column. If you specify a file, make sure to enter a fully qualified path to the file, including the drive letter, folder path, filename, and extension. Enter **0** in the **Value** column.<br/><br/>8. Select **OK**.<br/><br/>9. Double-click the **Extension Exclusions** setting and add the exclusions.<br/><br/>10. Set the option to **Enabled**.<br/><br/>11. Under the **Options** section, select **Show...**.<br/><br/>12. Enter each file extension on its own line under the **Value name** column. Enter **0** in the **Value** column.<br/><br/>13. Select **OK**.| |Local group policy object|1. 
On the endpoint or device, open the Local Group Policy Editor.<br/><br/>2. Go to **Computer Configuration** \> **Administrative Templates** \> **Windows Components** \> **Microsoft Defender Antivirus** \> **Exclusions**. (You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.)<br/><br/>3. Specify your path and process exclusions.| |Registry key|1. Export the following registry key: `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\exclusions`.<br/><br/>2. Import the registry key. Here are two examples:<br/>- Local path: `regedit.exe /s c:\temp\MDAV_Exclusion.reg`<br/>- Network share: `regedit.exe /s \\FileServer\ShareName\MDAV_Exclusion.reg`|
+[Learn more about exclusions for Microsoft Defender for Endpoint and Microsoft Defender Antivirus](defender-endpoint-antivirus-exclusions.md).
+ ### Keep the following points about exclusions in mind When you add [exclusions to Microsoft Defender Antivirus scans](/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus), you should add path and process exclusions.
-Keep the following points in mind:
- - *Path exclusions* exclude specific files and whatever those files access. - *Process exclusions* exclude whatever a process touches, but doesn't exclude the process itself. - List your process exclusions using their full path and not by their name only. (The name-only method is less secure.) - If you list each executable (.exe) as both a path exclusion and a process exclusion, the process and whatever it touches are excluded.
-## Set up your device groups, device collections, and organizational units
+## Step 5: Set up your device groups, device collections, and organizational units
Device groups, device collections, and organizational units enable your security team to manage and assign security policies efficiently and effectively. The following table describes each of these groups and how to configure them. Your organization might not use all three collection types.
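Review bot: the Registry key row of the exclusions table tells the reader to import the exclusion list silently from a network share (`regedit.exe /s \\FileServer\ShareName\MDAV_Exclusion.reg`) without noting that anyone who can modify that .reg file controls which paths Microsoft Defender Antivirus will not scan; add a sentence that the share must be write-restricted and the file reviewed before import. Separately, the bullets deleted in "- - *Path exclusions* exclude specific files ..." carried the security-relevant guidance that process exclusions should be listed by full path because "the name-only method is less secure"; unless the newly linked defender-endpoint-antivirus-exclusions.md states this explicitly, keep that point inline here.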
security Switch To Mde Phase 3 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/switch-to-mde-phase-3.md
Title: Switch to Microsoft Defender for Endpoint - Onboard
+ Title: Migrate to Microsoft Defender for Endpoint - Onboard
description: Make the switch to Microsoft Defender for Endpoint. Onboard devices and then uninstall your non-Microsoft solution. keywords: migration, Microsoft Defender for Endpoint, edr
- migrationguides - admindeeplinkDEFENDER Previously updated : 11/15/2022 Last updated : 01/10/2023 search.appverid: met150
search.appverid: met150
|--|--|--| || |*You are here!* |
-**Welcome to Phase 3 of [switching to Defender for Endpoint](switch-to-mde-overview.md#the-migration-process)**. This migration phase includes the following steps:
+**Welcome to Phase 3 of [migrating to Defender for Endpoint](switch-to-mde-overview.md#the-migration-process)**. This migration phase includes the following steps:
-1. [Onboard devices to Defender for Endpoint](#onboard-devices-to-microsoft-defender-for-endpoint).
-2. [Run a detection test](#run-a-detection-test).
-3. [Confirm that Microsoft Defender Antivirus is in passive mode on your endpoints](#confirm-that-microsoft-defender-antivirus-is-in-passive-mode-on-your-endpoints).
-4. [Get updates for Microsoft Defender Antivirus](#get-updates-for-microsoft-defender-antivirus).
-5. [Uninstall your non-Microsoft solution](#uninstall-your-non-microsoft-solution).
-6. [Make sure Defender for Endpoint is working correctly](#make-sure-defender-for-endpoint-is-working-correctly).
+1. [Onboard devices to Defender for Endpoint](#step-1-onboard-devices-to-microsoft-defender-for-endpoint).
+2. [Run a detection test](#step-2-run-a-detection-test).
+3. [Confirm that Microsoft Defender Antivirus is in passive mode on your endpoints](#step-3-confirm-that-microsoft-defender-antivirus-is-in-passive-mode-on-your-endpoints).
+4. [Get updates for Microsoft Defender Antivirus](#step-4-get-updates-for-microsoft-defender-antivirus).
+5. [Uninstall your non-Microsoft solution](#step-5-uninstall-your-non-microsoft-solution).
+6. [Make sure Defender for Endpoint is working correctly](#step-6-make-sure-defender-for-endpoint-is-working-correctly).
-## Onboard devices to Microsoft Defender for Endpoint
+## Step 1: Onboard devices to Microsoft Defender for Endpoint
1. Go to the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) and sign in.
Deployment methods vary, depending on operating system and preferred methods. Th
|Operating systems |Methods | |||
-|Windows 10 or later<br/><br/>Windows Server 2019 or later<br/><br/>Windows Server, version 1803 or later<br/><br/>Windows Server 2012 R2 and 2016<sup>[[1](#fn1)]<sup> | [Local script (up to 10 devices)](configure-endpoints-script.md)<br><br/> [Group Policy](configure-endpoints-gp.md)<br/><br/>[Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md)<br/><br/>[Microsoft Endpoint Manager/ Mobile Device Management (Intune)](configure-endpoints-mdm.md)<br> [VDI scripts](configure-endpoints-vdi.md) <br><br> **NOTE**: A local script is suitable for a proof of concept but should not be used for production deployment. For a production deployment, we recommend using Group Policy, Microsoft Endpoint Configuration Manager, or Intune. |
-|Windows Server 2008 R2 SP1 | [Microsoft Monitoring Agent (MMA)](onboard-downlevel.md#install-and-configure-microsoft-monitoring-agent-mma) or [Microsoft Defender for Cloud](/azure/security-center/security-center-wdatp) <br><br> **NOTE**: Microsoft Monitoring Agent is now Azure Log Analytics agent. To learn more, see [Log Analytics agent overview](/azure/azure-monitor/platform/log-analytics-agent). |
-|Windows 8.1 Enterprise<br/><br/>Windows 8.1 Pro<br/><br/>Windows 7 SP1 Pro<br/><br/>Windows 7 SP1| [Microsoft Monitoring Agent (MMA)](onboard-downlevel.md) <br><br> **NOTE**: Microsoft Monitoring Agent is now Azure Log Analytics agent. To learn more, see [Log Analytics agent overview](/azure/azure-monitor/platform/log-analytics-agent).
-| macOS (see [System requirements](microsoft-defender-endpoint-mac.md) | [Local script](mac-install-manually.md)<br/><br/>[Microsoft Endpoint Manager](mac-install-with-intune.md)<br/><br/>[JAMF Pro](mac-install-with-jamf.md)<br/><br/>[Mobile Device Management](mac-install-with-other-mdm.md) |
-| Linux (see [System requirements](microsoft-defender-endpoint-linux.md#system-requirements)) | [Local script](linux-install-manually.md) <br><br/> [Puppet](linux-install-with-puppet.md) <br><br/> [Ansible](linux-install-with-ansible.md)|
-| iOS | [Microsoft Endpoint Manager](ios-install.md) |
-|Android | [Microsoft Endpoint Manager](android-intune.md) |
+|Windows 10 or later<br/><br/>Windows Server 2019 or later<br/><br/>Windows Server, version 1803 or later<br/><br/>Windows Server 2016 or Windows Server 2012 R2<sup>[[1](#fn1)]<sup> | [Microsoft Intune or Mobile Device Management](configure-endpoints-mdm.md)<br/><br/>[Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md)<br/><br/>[Group Policy](configure-endpoints-gp.md)<br/><br/>[VDI scripts](configure-endpoints-vdi.md)<br/><br/>[Local script (up to 10 devices)](configure-endpoints-script.md)<br/> Note that the local script method is suitable for a proof of concept but should not be used for production deployment. For a production deployment, we recommend using Group Policy, Microsoft Endpoint Configuration Manager, or Intune. |
+|Windows Server 2008 R2 SP1 | [Microsoft Monitoring Agent (MMA)](onboard-downlevel.md#install-and-configure-microsoft-monitoring-agent-mma) or [Microsoft Defender for Cloud](/azure/security-center/security-center-wdatp) <br> Note that the Microsoft Monitoring Agent is now Azure Log Analytics agent. To learn more, see [Log Analytics agent overview](/azure/azure-monitor/platform/log-analytics-agent). |
+|Windows 8.1 Enterprise<br/><br/>Windows 8.1 Pro<br/><br/>Windows 7 SP1 Pro<br/><br/>Windows 7 SP1| [Microsoft Monitoring Agent (MMA)](onboard-downlevel.md) <br>Note that the Microsoft Monitoring Agent is now Azure Log Analytics agent. To learn more, see [Log Analytics agent overview](/azure/azure-monitor/platform/log-analytics-agent).
+| macOS (see [System requirements](microsoft-defender-endpoint-mac.md) | [Intune](mac-install-with-intune.md)<br/><br/>[JAMF Pro](mac-install-with-jamf.md)<br/><br/>[Mobile Device Management](mac-install-with-other-mdm.md)<br/><br/> [Local script](mac-install-manually.md) |
+| Linux (see [System requirements](microsoft-defender-endpoint-linux.md#system-requirements)) | [Puppet](linux-install-with-puppet.md) <br><br/> [Ansible](linux-install-with-ansible.md)<br/><br/>[Local script](linux-install-manually.md) |
+| iOS | [Intune](ios-install.md) |
+|Android | [Intune](android-intune.md) |
(<a id="fn1">1</a>) Windows Server 2016 and Windows Server 2012 R2 will need to be onboarded using the instructions in [Onboard Windows servers](configure-server-endpoints.md#windows-server-2012-r2-and-windows-server-2016).
-## Run a detection test
+> [!IMPORTANT]
+> The standalone versions of Defender for Endpoint Plan 1 and Plan 2 do not include server licenses. To onboard servers, you'll need an additional license, such as [Defender for Servers Plan 1 or Plan 2](/azure/defender-for-cloud/plan-defender-for-servers-select-plan).
+
+## Step 2: Run a detection test
To verify that your onboarded devices are properly connected to Defender for Endpoint, you can run a detection test.
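Review bot: the rewritten onboarding table still has three markup defects that should be fixed while these rows are being touched: the Windows row ends its footnote with `<sup>[[1](#fn1)]<sup>` where the second tag should be `</sup>`; the macOS row "| macOS (see [System requirements](microsoft-defender-endpoint-mac.md) |" is missing the closing parenthesis after the link; and the "Windows 8.1 Enterprise ..." row has no trailing `|`, unlike every other row in the table.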
To verify that your onboarded devices are properly connected to Defender for End
|macOS (see [System requirements](microsoft-defender-endpoint-mac.md)|Download and use the DIY app at <https://aka.ms/mdatpmacosdiy>. <br/><br/> For more information, see [Defender for Endpoint on macOS](microsoft-defender-endpoint-mac.md).| |Linux (see [System requirements](microsoft-defender-endpoint-linux.md#system-requirements))|1. Run the following command, and look for a result of **1**: `mdatp health --field real_time_protection_enabled`.<br/><br/>2. Open a Terminal window, and run the following command: `curl -o ~/Downloads/eicar.com.txt https://www.eicar.org/download/eicar.com.txt`.<br/><br/>3. Run the following command to list any detected threats: `mdatp threat list`.<br/><br/>For more information, see [Defender for Endpoint on Linux](microsoft-defender-endpoint-linux.md).|
-## Confirm that Microsoft Defender Antivirus is in passive mode on your endpoints
+## Step 3: Confirm that Microsoft Defender Antivirus is in passive mode on your endpoints
Now that your endpoints have been onboarded to Defender for Endpoint, your next step is to make sure Microsoft Defender Antivirus is running in passive mode. You can use one of several methods, as described in the following table:
To set Microsoft Defender Antivirus to passive mode on Windows Server, version 1
2. Edit (or create) a DWORD entry called **ForceDefenderPassiveMode**, and specify the following settings: - Set the DWORD's value to **1**.- - Under **Base**, select **Hexadecimal**. > [!NOTE]
To set Microsoft Defender Antivirus to passive mode on Windows Server, version 1
If you are using Windows Server 2016, you might have to start Microsoft Defender Antivirus manually. You can perform this task by using the PowerShell cmdlet `mpcmdrun.exe -wdenable` on the device.
-## Get updates for Microsoft Defender Antivirus
+## Step 4: Get updates for Microsoft Defender Antivirus
Keeping Microsoft Defender Antivirus up to date is critical to assure your devices have the latest technology and features needed to protect against new malware and attack techniques, even if Microsoft Defender Antivirus is running in passive mode. (See [Microsoft Defender Antivirus compatibility](microsoft-defender-antivirus-compatibility.md).)
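Review bot: the unchanged line just above the renumbered Step 4 heading describes `mpcmdrun.exe -wdenable` as "the PowerShell cmdlet"; it is a command-line executable, not a cmdlet. Since the heading is being edited anyway, reword to "by running `mpcmdrun.exe -wdenable` from an elevated command prompt on the device".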
There are two types of updates related to keeping Microsoft Defender Antivirus u
To get your updates, follow the guidance in [Manage Microsoft Defender Antivirus updates and apply baselines](manage-updates-baselines-microsoft-defender-antivirus.md).
-## Uninstall your non-Microsoft solution
+## Step 5: Uninstall your non-Microsoft solution
If at this point you have:
Then your next step is to uninstall your non-Microsoft antivirus, antimalware, a
To get help with uninstalling your non-Microsoft solution, contact their technical support team.
-## Make sure Defender for Endpoint is working correctly
+## Step 6: Make sure Defender for Endpoint is working correctly
Now that you have onboarded to Defender for Endpoint, and you have uninstalled your former non-Microsoft solution, your next step is to make sure that Defender for Endpoint working correctly.
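Review bot: the unchanged context line under the new "Step 6" heading reads "make sure that Defender for Endpoint working correctly" and is missing "is"; fix it in the same change as the heading rename.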
security Switch To Mde Troubleshooting https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/switch-to-mde-troubleshooting.md
- tier1 Previously updated : 05/20/2022 Last updated : 01/10/2023 search.appverid: met150
To resolve this issue, take the following steps:
Certain exclusions for Defender for Endpoint must be defined in your existing non-Microsoft endpoint protection solution. Make sure to add the following exclusions:
-`C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe`
+`C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\*\MsSense.exe`
-`C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe`
+`C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\*\SenseCnCProxy.exe`
-`C:\Program Files\Windows Defender Advanced Threat Protection\SenseSampleUploader.exe`
+`C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\*\SenseSampleUploader.exe`
-`C:\Program Files\Windows Defender Advanced Threat Protection\SenseIR.exe`
+`C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\*\SenseIR.exe`
+
+`C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\*\SenseCM.exe`
+
+`C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\DataCollection`
-`C:\Program Files\Windows Defender Advanced Threat Protection\SenseCM.exe`
### Set Microsoft Defender Antivirus to passive mode manually
-On Windows Server 2019, Windows Server, version 1803 or newer, Windows Server 2016, or Windows Server 2012 R2, you must set Microsoft Defender Antivirus to passive mode manually. This action helps prevent problems caused by having multiple antivirus products installed on a server. You can set Microsoft Defender Antivirus to passive mode using PowerShell, Group Policy, or a registry key.
+On Windows Server 2022, Windows Server 2019, Windows Server, version 1803 or newer, Windows Server 2016, or Windows Server 2012 R2, you must set Microsoft Defender Antivirus to passive mode manually. This action helps prevent problems caused by having multiple antivirus products installed on a server. You can set Microsoft Defender Antivirus to passive mode using PowerShell, Group Policy, or a registry key.
You can set Microsoft Defender Antivirus to passive mode by setting the following registry key:
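Review bot: the updated exclusion list here omits `SenseCE.exe`, which the Step 3 exclusions table in switch-to-mde-phase-2.md (same update set) lists alongside `MsSense.exe`, `SenseCnCProxy.exe`, `SenseIR.exe`, `SenseSampleUploader.exe`, `SenseCM.exe` and the `DataCollection` folder. The two pages now disagree on the required exclusions; add the missing entry or state why it is not needed in the troubleshooting context, since an incomplete list in the non-Microsoft product is exactly the failure this section troubleshoots.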
security Unisolate Machine https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/unisolate-machine.md
Undo isolation of a device.
> [!IMPORTANT] > > - Full isolation is available for devices on Windows 10, version 1703.
+> - Full isolation is available in **public preview** for all supported Microsoft Defender for Endpoint on Linux listed in [System requirements](microsoft-defender-endpoint-linux.md#system-requirements).
> - Selective isolation is available for devices on Windows 10, version 1709 or later. > - When isolating a device, only certain processes and destinations are allowed. Therefore, devices that are behind a full VPN tunnel won't be able to reach the Microsoft Defender for Endpoint cloud service after the device is isolated. We recommend using a split-tunneling VPN for Microsoft Defender for Endpoint and Microsoft Defender Antivirus cloud-based protection-related traffic.
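Review bot: the added bullet "Full isolation is available in **public preview** for all supported Microsoft Defender for Endpoint on Linux listed in [System requirements]" is missing the noun the list refers to; suggest "for all Linux distributions and versions supported by Microsoft Defender for Endpoint on Linux, as listed in [System requirements](...)".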
security Whats New In Microsoft Defender Endpoint https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/whats-new-in-microsoft-defender-endpoint.md
For more information on Microsoft Defender for Endpoint on specific operating sy
- [What's new in Defender for Endpoint on iOS](ios-whatsnew.md) - [What's new in Defender for Endpoint on Linux](linux-whatsnew.md) +
+## January 2023
+
+- Live Response is now generally available for macOS and Linux. For more information, see, [Investigate entities on devices using live response](live-response.md).
+
+- [Live response API and library API for Linux and macos is now generally available](run-live-response.md) <br/> You can now run live response API commands on Linux and macos.
+ ## November 2022 - [Built-in protection](built-in-protection.md) is now generally available. Built-in protection helps protect your organization from ransomware and other threats with default settings that help ensure your devices are protected.
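Review bot: two style issues in the new January 2023 entries. "For more information, see, [Investigate entities on devices using live response]" has a stray comma after "see", and the second bullet writes "macos" twice where the first bullet and the rest of the page use "macOS"; also, the second bullet is a bare link while the first is prose, so align the two to one form.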
For more information on Microsoft Defender for Endpoint on specific operating sy
- [Zero-touch onboarding of Microsoft Defender for Endpoint on iOS now in public preview](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/zero-touch-onboarding-of-microsoft-defender-for-endpoint-on-ios/ba-p/3038045)<br>With this new capability, enterprises can now deploy Microsoft Defender for Endpoint on iOS devices that are enrolled with Microsoft Endpoint Manager automatically, without needing end-users to interact with the app. This eases the deployment frictions and significantly reduces the time needed to deploy the app across all devices as Microsoft Defender for Endpoint gets silently activated on targeted devices and starts protecting your iOS estate.
-## December 2021
--- [Microsoft Defender Vulnerability Management can help identify Log4j vulnerabilities in applications and components](https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/#TVM)<br>Threat and vulnerability management automatically and seamlessly identifies devices affected by the Log4j vulnerabilities and the associated risk in the environment and significantly reduces time-to-mitigate. Microsoft continues to iterate on these features based on the latest information from the threat landscape.--- Discover IoT devices (preview): [Device discovery](device-discovery.md) now has the ability to help you find unmanaged IoT devices connected to your corporate network. This gives you a single unified view of your IoT inventory alongside the rest of your IT devices (workstations, servers, and mobile).--- Microsoft Defender for IoT integration (preview): See [Enable Enterprise IoT security with Defender for Endpoint](/azure/defender-for-iot/organizations/eiot-defender-for-endpoint/). This integration enhances your device discovery capabilities with the agentless monitoring capabilities provided by Microsoft Defender for IoT. This provides increased visibility to help locate, identify, and secure the IoT devices in your network.-
-## November 2021
--- [Security configuration management](security-config-management.md) <br/> A capability for devices that aren't managed by a Microsoft Endpoint Manager, either Microsoft Intune or Microsoft Endpoint Configuration Manager, to receive security configurations for Microsoft Defender directly from Endpoint Manager.--- [Evaluation Lab: Expanded OS support & Atomic Red Team simulations](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/evaluation-lab-expanded-os-support-amp-atomic-red-team/ba-p/2993927)<br>the Evaluation Lab now supports adding Windows 11, Windows Server 2016, and Linux devices. In addition, weΓÇÖd also like to announce a new partnership with Red CanaryΓÇÖs open-source simulation library, Atomic Red Team!--- [Announcing the public preview of Microsoft Defender for Endpoint Mobile - Tamper protection](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/announcing-the-public-preview-of-microsoft-defender-for-endpoint/ba-p/2971038)<br>Mark a device non-compliant after seven days of inactivity in the Microsoft Defender for Endpoint mobile app.--- [Boost protection of your Linux estate with behavior monitoring, extended distro coverage, and more](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/boost-protection-of-your-linux-estate-with-behavior-monitoring/ba-p/2909320)<br>We're thrilled to share the latest news about Microsoft Defender for Endpoint on Linux next generation protection, endpoint detection and response (EDR), threat and vulnerability management (TVM). Microsoft protection for your Linux estate is getting an impressive boost across the full spectrum of the security suite. With recent Microsoft Defender for Endpoint on Linux integration into Azure Security Center, the benefits of our Linux EDR and TVM now extend to Azure Defender customers.-
-## October 2021
--- [Updated onboarding and feature parity for Windows Server 2012 R2 and Windows Server 2016 (preview)](configure-server-endpoints.md)<br/> The new unified solution package makes it easier to onboard servers by removing dependencies and installation steps. In addition, this unified solution package comes with many new feature improvements.--- Windows 11 support added to Microsoft Defender for Endpoint and Microsoft 365 Defender.-
-## September 2021
--- [Web content filtering](web-content-filtering.md) <br/>As part of web protection capabilities in Microsoft Defender for Endpoint, web content filtering enables your organization's security team to track and regulate access to websites based on their content categories. Categories include adult content, high bandwidth, legal liability, leisure, and uncategorized. Although many websites that fall into one or more of these categories might not be malicious, they could be problematic because of compliance regulations, bandwidth usage, or other concerns. [Learn more about web content filtering](web-content-filtering.md).-
-## August 2021
--- (Preview) [Microsoft Defender for Endpoint Plan 1](defender-endpoint-plan-1.md) <br/>Defender for Endpoint Plan 1 (preview) is an endpoint protection solution that includes next-generation protection, attack surface reduction, centralized management and reporting, and APIs. Defender for Endpoint Plan 1 (preview) is a new offering for customers who want to try our endpoint protection capabilities, have Microsoft 365 E3, and do not yet have Microsoft 365 E5. -
- To learn more, see [Microsoft Defender for Endpoint Plan 1 (preview)](defender-endpoint-plan-1.md). Existing [Defender for Endpoint](microsoft-defender-endpoint.md) capabilities will be known as Defender for Endpoint Plan 2.
--- (Preview) [Web Content Filtering](web-content-filtering.md)<br> Web content filtering is part of web protection capabilities in Microsoft Defender for Endpoint. It enables your organization to track and regulate access to websites based on their content categories. Many of these websites, while not malicious, might be problematic because of compliance regulations, bandwidth usage, or other concerns.-
-## July 2021
--- (Preview) [Device health and compliance report](device-health-reports.md) <br> The device health and compliance report provides high-level information about the devices in your organization.-
-## June 2021
--- [Delta export software vulnerabilities assessment](get-assessment-methods-properties.md#31-methods) API <br> An addition to the [Export assessments of vulnerabilities and secure configurations](get-assessment-methods-properties.md) API collection. <br> Unlike the full software vulnerabilities assessment (JSON response) - which is used to obtain an entire snapshot of the software vulnerabilities assessment of your organization by device - the delta export API call is used to fetch only the changes that have happened between a selected date and the current date (the "delta" API call). Instead of getting a full export with a large amount of data every time, you'll only get specific information on new, fixed, and updated vulnerabilities. Delta export API call can also be used to calculate different KPIs such as "how many vulnerabilities were fixed" or "how many new vulnerabilities were added to an organization."--- [Export assessments of vulnerabilities and secure configurations](get-assessment-methods-properties.md) API <br> Adds a collection of APIs that pull Defender Vulnerability Management data on a per-device basis. There are different API calls to get different types of data: secure configuration assessment, software inventory assessment, and software vulnerabilities assessment. Each API call contains the requisite data for devices in your organization.--- [Remediation activity](get-remediation-methods-properties.md) API <br> Adds a collection of APIs with responses that contain Defender Vulnerability Management remediation activities that have been created in your tenant. Response information types include one remediation activity by ID, all remediation activities, and exposed devices of one remediation activity.--- [Device discovery](device-discovery.md) <br> Helps you find unmanaged devices connected to your corporate network without the need for extra appliances or cumbersome process changes. 
Using onboarded devices, you can find unmanaged devices in your network and assess vulnerabilities and risks. You can then onboard discovered devices to reduce risks associated with having unmanaged endpoints in your network.-
- > [!IMPORTANT]
- > Standard discovery will be the default mode for all customers starting July 19, 2021. You can choose to retain the basic mode through the settings page.
---- [Device group definitions](/microsoft-365/security/defender-endpoint/machine-groups) can now include multiple values for each condition. You can set multiple tags, device names, and domains to the definition of a single device group.--- [Mobile Application management support](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/announcing-new-capabilities-on-android-and-ios/ba-p/2442730) <br> This enhancement enables Microsoft Defender for Endpoint protect an organization's data within a managed application when Intune is being used to manage mobile applications. For more information about mobile application management, see [this documentation](/mem/intune/apps/mam-faq).--- [Microsoft Tunnel VPN integration](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/announcing-new-capabilities-on-android-and-ios/ba-p/2442730) <br> Microsoft Tunnel VPN capabilities are now integrated with Microsoft Defender for Endpoint app for Android. This unification enables organizations to offer a simplified end user experience with one security app ΓÇô offering both mobile threat defense and the ability to access on-premises resources from their mobile device, while security and IT teams are able to maintain the same admin experiences they are familiar with.--- [Jailbreak detection on iOS](/microsoft-365/security/defender-endpoint/ios-configure-features#conditional-access-with-defender-for-endpoint-on-ios) <br> Jailbreak detection capability in Microsoft Defender for Endpoint on iOS is now generally available. This adds to the phishing protection that already exists. For more information, see [Setup Conditional Access Policy based on device risk signals](/microsoft-365/security/defender-endpoint/ios-configure-features).--
-## March 2021
--- [Manage tamper protection for your organization using Microsoft 365 Defender portal](manage-tamper-protection-microsoft-365-defender.md) <br> You can manage tamper protection settings on Windows 10, Windows Server 2016, Windows Server 2019, and Windows Server 2022 by using a method called *tenant attach*.--
-## January 2021
--- [Azure Virtual Desktop](https://azure.microsoft.com/services/virtual-desktop/) <br> Microsoft Defender for Endpoint now adds support for Azure Virtual Desktop.
security Windows Whatsnew https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/windows-whatsnew.md
ms.pagetype: security
ms.localizationpriority: medium Previously updated : 09/20/2022 Last updated : 01/10/2023 audience: ITPro
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
-> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-pullalerts-abovefoldlink)
+> Want to experience Defender for Endpoint? [Sign up for a free trial](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-pullalerts-abovefoldlink).
All updates contain: - Performance improvements
All updates contain:
- Integration improvements (Cloud, [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)) <details>
+ <summary>Dec-2022 (Release version: 10.8210.*)</summary>
+
+|OS |KB |Release version |
+||||
+|Windows Server 2012 R2, 2016 |[KB 5005292](https://support.microsoft.com/en-us/topic/microsoft-defender-for-endpoint-update-for-edr-sensor-f8f69773-f17f-420f-91f4-a8e5167284ac)|10.8210.22621.1016|
+
+**What's new**
+
+- Bug fixes and stability improvements
+</details>
+
+<details>
<summary>Aug-2022 (Release version: 10.8210.*)</summary> |OS |KB |Release version |
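Review bot: the separator row under the new `|OS |KB |Release version |` header in the Dec-2022 block is `||||`, which contains no dashes, so Markdown will not render the header and the Windows Server 2012 R2, 2016 row as a table; it should be `|---|---|---|` to match the three-column header. The Dec-2022 summary label `Release version: 10.8210.*` is consistent with the 10.8210.22621.1016 build in the row, but since the Aug-2022 entry directly below carries the identical label, confirm that both releases really share the 10.8210 branch.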
security Whats New https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/whats-new.md
For more information on what's new with other Microsoft Defender security produc
You can also get product updates and important notifications through the [message center](https://admin.microsoft.com/Adminportal/Home#/MessageCenter).
+## January 2023
+
+- (GA) Live Response is now generally available for macOS and Linux.
+ ## December 2022 - (Preview) The new Microsoft 365 Defender role-based access control (RBAC) model is now available for preview. The new RBAC model enables security admins to centrally manage privileges across multiple security solutions within a single system with a greater efficiency, currently supporting Microsoft Defender for Endpoint, Microsoft Defender for Office 365, and Microsoft Defender for Identity. The new model is fully compatible with the existing individual RBAC models currently supported in Microsoft 365 Defender. For more information, see [Microsoft 365 Defender role-based access control (RBAC)](./manage-rbac.md).
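Review bot: the new January 2023 item `- (GA) Live Response is now generally available for macOS and Linux.` gives no link to the Live Response documentation, whereas the December 2022 entry beneath it closes with a "For more information, see ..." link; add the same kind of link so readers can find the feature article for macOS and Linux.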
security Defender For Office 365 Whats New https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/defender-for-office-365-whats-new.md
For more information on what's new with other Microsoft Defender security produc
## December 2022 -- [Use the built-in Report button in Outlook on the web](submissions-outlook-report-messages.md#use-the-built-in-report-button-in-outlook-on-the-web): Use the built-in Report button in Outlook on the web to report messages as phish, junk, and not junk.
+- The new Microsoft 365 Defender role-based access control (RBAC) model, with support for Microsoft Defender for Office, is now available in public preview. For more information, see [Microsoft 365 Defender role-based access control (RBAC)](../defender/manage-rbac.md).
+
+- [Use the built-in Report button in Outlook on the web](submissions-outlook-report-messages.md#use-the-built-in-report-button-in-outlook-on-the-web): Use the built-in Report button in Outlook on the web to report messages as phish, junk, and not junk.
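Review bot: the added RBAC item names the product as `Microsoft Defender for Office`, but this article (and the linked manage-rbac topic) use the full product name `Microsoft Defender for Office 365`; use the full name so the item matches the rest of the page.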
## October 2022
security Submissions User Reported Messages Files Custom Mailbox https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/submissions-user-reported-messages-files-custom-mailbox.md
When the toggle is **On** ![Toggle on.](../../media/scc-toggle-on.png) and you'v
The following settings are also available on the page: -- **Show a pop-up message in Outlook to confirm it the user want's to report the message** in the **Before a message is reported** section: This setting controls whether users see a pop-up before they report a message using the Report Message add-in or the Report Phishing add-in. Currently, this setting does not affect the built-in **Report** button in Outlook on the web.
+ > [!NOTE]
+ > Currently, users who report messages from Outlook on the web using the built-in **Report** button don't get these before or after pop-up messages. The pop-ups work for users who report messages using the Microsoft Report Message and Report Phishing add-ins.
+
+- **Show a pop-up message in Outlook to confirm it the user want's to report the message** in the **Before a message is reported** section: This setting controls whether users see a pop-up before they report a message.
If this setting is selected, click **Customize before message** to enter the the **Title** and **Message** text in the **Customize text before message is reported** flyout that opens. Use the variable `%type%` to include the submission type (junk, not junk, phishing, etc.). When you're finished, click **Confirm** to return to the **User reported** page. -- **Show a success pop-up message in Outlook after the user reports** in the **After a message is reported** section: This setting controls whether users see a pop-up after they report a message using the Report Message add-in or the Report Phishing add-in. Currently, this setting does not affect the built-in **Report** button in Outlook on the web.
+- **Show a success pop-up message in Outlook after the user reports** in the **After a message is reported** section: This setting controls whether users see a pop-up after they report a message.
If this setting is selected, click **Customize after message** to enter the the **Title** and **Message** text in the **Customize text after message is reported** flyout that opens. Use the variable `%type%` to include the submission type (junk, not junk, phishing, etc.).
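Review bot: the rewritten setting name `**Show a pop-up message in Outlook to confirm it the user want's to report the message**` keeps the typo from the old line; it should read `confirm if the user wants to report the message`, matching the UI label, and the unchanged `enter the the **Title**` text that follows both bullets doubles `the`.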
To specify the reason why the original, attached messages were reported, message
- `Not Junk:This text in the Subject line is also ignored by the system` Messages that don't follow this format will not display properly on the **Submissions** page at <https://security.microsoft.com/reportsubmission>.+
+## Use Exchange Online PowerShell to configure the user reported message settings
+
+After you [connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell), you use the **\*-ReportSubmissionPolicy** and **\*-ReportSubmissionRule** cmdlets to manage and configure the user reported message settings.
+
+In Exchange Online PowerShell, the basic elements of the user reported message settings are:
+
+- **The report submission policy**: Turns the Microsoft integrated reporting experience on or off, turns sending reported messages to Microsoft on or off, turns sending reported messages to the reporting mailbox on or off, and most other settings.
+- **The report submission rule**: Specifies the email address of the reporting mailbox or a blank value when the reporting mailbox isn't used (report messages to Microsoft only).
+
+The difference between these two elements isn't obvious when you manage the user reported message settings in the Microsoft 365 Defender portal:
+
+- There's only one report submission policy named DefaultReportSubmissionPolicy and one report submission rule named DefaultReportSubmissionRule by default.
+
+ If you've never gone to <https://security.microsoft.com/securitysettings/userSubmission>, there's no report submission policy or report submission rule (the Get-ReportSubmissionPolicy and Get-ReportSubmissionRule cmdlets return nothing).
+
+ As soon as you visit <https://security.microsoft.com/securitysettings/userSubmission> and even before you configure any settings, the report submission policy is created with the default values and is visible in PowerShell.
+
+ Only after you specify a reporting mailbox (used by Microsoft or third-party reporting tools) and save the changes is the report submission rule named DefaultReportSubmissionRule automatically created. It takes several seconds before the rule is visible in PowerShell.
+
+- You can delete the report submission rule and recreate it with a different name, but the rule is always associated with the report submission policy whose name you can't change. So, we recommend that you name the rule DefaultReportSubmissionRule whenever you create or recreate the rule.
+
+- When you specify the email address of the reporting mailbox in the Microsoft 365 Defender portal, that value is primarily set in the report submission rule, but the value is also copied into the related properties in the report submission policy. In PowerShell, when you set the email address in the rule, the value isn't copied into the related properties in the policy. For consistency with the Microsoft 365 Defender portal and for clarity, we recommend that you add or update the email address in the policy and the rule.
+
+### Use PowerShell to view the report submission policy and the report submission rule
+
+To view the report submission policy, run the following command in Exchange Online PowerShell:
+
+```powershell
+Get-ReportSubmissionPolicy
+```
+
+To view the report submission rule, run the following command:
+
+```powershell
+Get-ReportSubmissionRule
+```
+
+To view both the policy and the rule at the same time, run the following commands:
+
+```powershell
+Write-Output -InputObject `r`n,"Report Submission Policy",("-"*79); Get-ReportSubmissionPolicy; Write-Output -InputObject `r`n,"Report Submission Rule",("-"*79); Get-ReportSubmissionRule
+```
+
+Remember, if you've never gone to <https://security.microsoft.com/securitysettings/userSubmission> or manually created the report submission policy or the report submission rule in PowerShell, there is no report submission policy or report submission rule, so the **Get-ReportSubmissionPolicy** and **Get-ReportSubmissionRule** cmdlets return nothing.
+
+For detailed syntax and parameter information, see [Get-ReportSubmissionPolicy](/powershell/module/exchange/get-reportsubmissionpolicy) and [Get-ReportSubmissionRule](/powershell/module/exchange/get-reportsubmissionrule).
+
+### Use PowerShell to create the report submission policy and the report submission rule
+
+If the **Get-ReportSubmissionPolicy** and **Get-ReportSubmissionRule** cmdlets return no output, you can create the report submission policy and the report submission rule. If you try to create them after they already exist, you'll get an error.
+
+Always create the report submission policy first, because you specify the report submission policy in the report submission rule.
+
+For detailed syntax and parameter information, see [New-ReportSubmissionPolicy](/powershell/module/exchange/new-reportsubmissionpolicy) and [New-ReportSubmissionRule](/powershell/module/exchange/new-reportsubmissionrule).
+
+#### Use PowerShell to configure the Microsoft integrated reporting experience with report messages to Microsoft only
+
+This example creates the report submission policy with the default settings (the same settings as when you first visit <https://security.microsoft.com/securitysettings/userSubmission>, but before you save any setting changes):
+
+- The Microsoft integrated reporting experience is turned on: toggle **On** (![Toggle on.](../../media/scc-toggle-on.png)) and **Use the built-in "Report" button with "Phishing", "Junk", and "Not Junk options** is selected (`-EnableReportToMicrosoft $true -EnableThirdPartyAddress $false` are the default values).
+
+- **Reported message destinations** section: **Send messages to** \> **Microsoft only** is selected (`-ReportJunkToCustomizedAddress $false -ReportNotJunkToCustomizedAddress $false -ReportPhishToCustomizedAddress $false` are the default values).
+
+Other settings:
+
+- **Before a message is reported** section:
+ - **Show a pop-up message in Outlook to confirm if the user wants to report the message** is selected (`-PreSubmitMessageEnabled $true | $false` is available only on **Set-ReportSubmissionPolicy**; the unconfigurable value on **New-ReportSubmissionPolicy** is `$true`).
+ - **Customize before message** link: Nothing is entered in the **Title** or **Message** boxes in the flyout.(`-EnableCustomizedMsg $false` is the default value).
+
+- **After a message is reported** section:
+ - **Show a success pop-up message in Outlook after the user reports message** is selected (`-PostSubmitMessageEnabled $true | $false` is available only on **Set-ReportSubmissionPolicy**; the unconfigurable value on **New-ReportSubmissionPolicy** is `$true`).
+ - **Customize after message** link: Nothing is entered in the **Title** or **Message** boxes in the flyout (`-EnableCustomizedMsg $false` is the default value).
+
+ > [!NOTE]
+ > Currently, pop-up messages before or after a user reports a message are supported only by the Microsoft Report Message and Report Phishing add-ins. Users who report messages with the built-in **Report** button in Outlook on the web don't see these pop-ups.
+
+- **Email sent to user after admin review** section:
+ - **Specify an Office 365 mailbox to send email notifications from** is not selected (`-EnableCustomNotificationSender $false` is the default value).
+ - **Replace the Microsoft logo with my company logo** is not selected (`-EnableOrganizationBranding $false` is the default value).
+ - **Customize email notification messages** link: Nothing is entered in the **Email body results text** or **Email footer text** boxes on the **Phishing**, **Junk**, or **No threats found** tabs in the flyout (`-EnableCustomizedMsg $false` is the default value).
+- **Report from quarantine** section: **Let your organization report messages from quarantine** is selected (`-DisableQuarantineReportingOption $false` is the default value).
+
+```powershell
+New-ReportSubmissionPolicy
+```
+
+Because a reporting mailbox isn't use, the report submission rule is not needed or created.
+
+#### Use PowerShell to configure the Microsoft integrated reporting experience with report messages to Microsoft and the reporting mailbox
+
+This example creates the report submission policy and the report submission rule with the following settings:
+
+- The Microsoft integrated reporting experience is **On** (![Toggle on.](../../media/scc-toggle-on.png)) and **Use the built-in "Report" button with "Phishing", "Junk", and "Not Junk options** is selected (`-EnableReportToMicrosoft $true -EnableThirdPartyAddress $false` are the default values).
+
+- **Reported message destinations** section:
+ - **Send messages to** \> **Microsoft and my reporting mailbox** is selected.
+ - **Add a mailbox to send reported messages to** specifies the email address of the reporting mailbox.
+
+ - **New-ReportSubmissionPolicy**: `-ReportJunkToCustomizedAddress $true -ReportJunkAddresses <emailaddress> -ReportNotJunkToCustomizedAddress $true -ReportNotJunkAddresses <emailaddress> -ReportPhishToCustomizedAddress $true -ReportPhishAddresses <emailaddress>`.
+ - **New-ReportSubmissionRule**: `-SentTo <emailaddress>`.
+
+ In this example, the email address of the reporting mailbox is reportedmessages@contoso.com in Exchange Online (you can't specify an external email address).
+
+ > [!NOTE]
+ > You must use the same email address value in all parameters that identify the reporting mailbox.
+
+The remaining settings are the default values in "Other settings" as described in [Use PowerShell to configure the Microsoft integrated reporting experience with report to Microsoft only](#use-powershell-to-configure-the-microsoft-integrated-reporting-experience-with-report-messages-to-microsoft-only).
+
+```powershell
+$usersub = "reportedmessages@contoso.com"
+
+New-ReportSubmissionPolicy -ReportJunkToCustomizedAddress $true -ReportJunkAddresses $usersub -ReportNotJunkToCustomizedAddress $true -ReportNotJunkAddresses $usersub -ReportPhishToCustomizedAddress $true -ReportPhishAddresses $usersub
+
+New-ReportSubmissionRule -Name DefaultReportSubmissionRule -ReportSubmissionPolicy DefaultReportSubmissionPolicy -SentTo $usersub
+```
+
+#### Use PowerShell to configure the Microsoft integrated reporting experience with report messages to the reporting mailbox only
+
+This example creates the report submission policy and the report submission rule with the following settings:
+
+- The Microsoft integrated reporting experience is **On** (![Toggle on.](../../media/scc-toggle-on.png)) and **Use the built-in "Report" button with "Phishing", "Junk", and "Not Junk options** is selected (you need to set `-EnableReportToMicrosoft $false`; `-EnableThirdPartyAddress $false` is the default value).
+
+- **Reported message destinations** section:
+ - **Send messages to** \> **Microsoft and my reporting mailbox** is selected.
+ - **Add a mailbox to send reported messages to** specifies the email address of the reporting mailbox.
+
+ - **New-ReportSubmissionPolicy**: `-ReportJunkToCustomizedAddress $true -ReportJunkAddresses <emailaddress> -ReportNotJunkToCustomizedAddress $true -ReportNotJunkAddresses <emailaddress> -ReportPhishToCustomizedAddress $true -ReportPhishAddresses <emailaddress>`.
+ - **New-ReportSubmissionRule**: `-SentTo <emailaddress>`.
+
+ In this example, the email address of the reporting mailbox is userreportedmessages@fabrikam.com in Exchange Online (you can't specify an external email address).
+
+ > [!NOTE]
+ > You must use the same email address value in all parameters that identify the reporting mailbox.
+
+The remaining settings are the default values in "Other settings" as described in [Use PowerShell to configure the Microsoft integrated reporting experience with report to Microsoft only](#use-powershell-to-configure-the-microsoft-integrated-reporting-experience-with-report-messages-to-microsoft-only).
+
+```powershell
+$usersub = "userreportedmessages@fabrikam.com"
+
+New-ReportSubmissionPolicy -EnableReportToMicrosoft $false -ReportJunkToCustomizedAddress $true -ReportJunkAddresses $usersub -ReportNotJunkToCustomizedAddress $true -ReportNotJunkAddresses $usersub -ReportPhishToCustomizedAddress $true -ReportPhishAddresses $usersub
+
+New-ReportSubmissionRule -Name DefaultReportSubmissionRule -ReportSubmissionPolicy DefaultReportSubmissionPolicy -SentTo $usersub
+```
+
+#### Use PowerShell to configure the Microsoft integrated reporting experience to use third-party reporting tools
+
+This example creates the report submission policy and the report submission rule with the following settings:
+
+- The Microsoft integrated reporting experience is **On** (![Toggle on.](../../media/scc-toggle-on.png)) and **Use a non-Microsoft add-in button** is selected (`-EnableReportToMicrosoft $false -EnableThirdPartyAddress $true`).
+
+- **Reported message destinations** section: **Add a mailbox to send reported messages to** specifies the email address of the reporting mailbox.
+
+ - **New-ReportSubmissionPolicy**:`-ThirdPartyReportAddresses <emailaddress>`.
+ - **New-ReportSubmissionRule**: `-SentTo <emailaddress>`.
+
+ In this example, the email address of the reporting mailbox is thirdpartyreporting@wingtiptoys.com in Exchange Online (you can't specify an external email address).
+
+ > [!NOTE]
+ > You must use the same email address value in all parameters that identify the reporting mailbox.
+
+Other settings:
+
+- **Report from quarantine** section: **Let your organization report messages from quarantine** is selected (`-DisableQuarantineReportingOption $false` is the default value).
+
+```powershell
+$usersub = "thirdpartyreporting@wingtiptoys.com"
+
+New-ReportSubmissionPolicy -EnableReportToMicrosoft $false -EnableThirdPartyAddress $true -ThirdPartyReportAddresses $usersub
+
+New-ReportSubmissionRule -Name DefaultReportSubmissionRule -ReportSubmissionPolicy DefaultReportSubmissionPolicy -SentTo $usersub
+```
+
+#### Use PowerShell to turn off the Microsoft integrated reporting experience
+
+Turning off the Microsoft integrated reporting experiences has the following consequences:
+
+- The **Report** button in Outlook on the web and the Microsoft Report Message and Report Phishing add-ins are unavailable in all Outlook platforms.
+- Third-party reporting tools still work, but reported messages do not appear on the **Submissions** page in the Microsoft 365 Defender portal.
+
+This example creates the report submission policy with the Microsoft integrated reporting experience turned **Off** (![Toggle off.](../../media/scc-toggle-on.png)) (`-EnableReportToMicrosoft $false`; `-EnableThirdPartyAddress $false -ReportJunkToCustomizedAddress $false -ReportNotJunkToCustomizedAddress $false -ReportPhishToCustomizedAddress $false` are the default values).
+
+```powershell
+New-ReportSubmissionPolicy -EnableReportToMicrosoft $false
+```
+
+### Use PowerShell to modify the report submission policy and the report submission rule
+
+Virtually all of the same settings are available when you modify the report submission policy in PowerShell as when you created the policy as described in [the previous section](#use-powershell-to-create-the-report-submission-policy-and-the-report-submission-rule). The exceptions is:
+
+- You can turn off **Show a pop-up message in Outlook to confirm if the user wants to report the message** and **Show a success pop-up message in Outlook after the user reports** using the _PreSubmitMessageEnabled_ and _PostSubmitMessageEnabled_ parameters on **Set-ReportSubmissionPolicy**.
+
+ > [!NOTE]
+ > Currently, users who report messages from Outlook on the web using the built-in **Report** button don't get these pop-up messages. The pop-ups work for users who report messages using the Microsoft Report Message and Report Phishing add-ins.
+
+When you modify the existing settings in the report submission policy, you might need to undo or nullify some important settings that you previously configured or didn't configure. And, you might need to create or delete the report submission rule to allow or prevent message reporting to a reporting mailbox.
+
+For detailed syntax and parameter information, see [Set-ReportSubmissionPolicy](/powershell/module/exchange/set-reportsubmissionpolicy).
+
+The following examples show how to change the user reporting experience without concern for the existing settings or values:
+
+- Change to **Use built-in "Report" button with "Phishing", "Junk" and "Not Junk" options** and **Send messages to** \> **Microsoft only**:
+
+ ```powershell
+ Set-ReportSubmissionPolicy -Identity DefaultReportSubmissionPolicy -EnableReportToMicrosoft $true -EnableThirdPartyAddress $false -ThirdPartyReportAddresses $null -ReportJunkToCustomizedAddress $false -ReportJunkAddresses $null -ReportNotJunkToCustomizedAddress $false -ReportNotJunkAddresses $null -ReportPhishToCustomizedAddress $false -ReportPhishAddresses $null
+
+ Get-ReportSubmissionRule | Remove-ReportSubmissionRule
+ ```
+
+- Change to **Use built-in "Report" button with "Phishing", "Junk" and "Not Junk" options** and **Send messages to** \> **Microsoft and my reporting mailbox*** (for example, reportedmessages@contoso.com):
+
+ ```powershell
+ $usersub = "reportedmessages@contoso.com"
+
+ Set-ReportSubmissionPolicy -Identity DefaultReportSubmissionPolicy -EnableReportToMicrosoft $true -EnableThirdPartyAddress $false -ThirdPartyReportAddresses $null -ReportJunkToCustomizedAddress $true -ReportJunkAddresses $usersub -ReportNotJunkToCustomizedAddress $true -ReportNotJunkAddresses $usersub -ReportPhishToCustomizedAddress $true -ReportPhishAddresses $usersub
+ ```
+
+ The following command is required only if you don't already have the report submission rule:
+
+ ```powershell
+ New-ReportSubmissionRule -Name DefaultReportSubmissionRule -ReportSubmissionPolicy DefaultReportSubmissionPolicy -SentTo $usersub
+ ```
+
+- Change to **Use built-in "Report" button with "Phishing", "Junk" and "Not Junk" options** and **Send messages to** \> **Microsoft and my reporting mailbox** (for example, userreportedmessages@fabrikam.com):
+
+ ```powershell
+ $usersub = "userreportedmessages@fabrikam.com"
+
+ Set-ReportSubmissionPolicy -Identity DefaultReportSubmissionPolicy -EnableReportToMicrosoft $false -EnableThirdPartyAddress $false -ThirdPartyReportAddresses $null -ReportJunkToCustomizedAddress $true -ReportJunkAddresses $usersub -ReportNotJunkToCustomizedAddress $true -ReportNotJunkAddresses $usersub -ReportPhishToCustomizedAddress $true -ReportPhishAddresses $usersub
+ ```
+
+ The following command is required only if you don't already have the report submission rule:
+
+ ```powershell
+ New-ReportSubmissionRule -Name DefaultReportSubmissionRule -ReportSubmissionPolicy DefaultReportSubmissionPolicy -SentTo $usersub
+ ```
+
+- Change to **Use a non-Microsoft add-in button** (for example, thirdpartyreporting@wingtiptoys.com):
+
+ ```powershell
+ $usersub = "thirdpartyreporting@wingtiptoys.com"
+
+ Set-ReportSubmissionPolicy -Identity DefaultReportSubmissionPolicy -EnableReportToMicrosoft $false -EnableThirdPartyAddress $true -ThirdPartyReportAddresses $usersub -ReportJunkToCustomizedAddress $false -ReportJunkAddresses $null -ReportNotJunkToCustomizedAddress $false -ReportNotJunkAddresses $null -ReportPhishToCustomizedAddress $false -ReportPhishAddresses $null
+ ```
+
+ The following command is required only if you don't already have the report submission rule:
+
+ ```powershell
+ New-ReportSubmissionRule -Name DefaultReportSubmissionRule -ReportSubmissionPolicy DefaultReportSubmissionPolicy -SentTo $usersub
+ ```
+
+- Turn off the Microsoft integrated reporting experience **Off** (![Toggle off.](../../media/scc-toggle-off.png)):
+
+ ```powershell
+ Set-ReportSubmissionPolicy -Identity DefaultReportSubmissionPolicy -EnableReportToMicrosoft $false -EnableThirdPartyAddress $false -ThirdPartyReportAddresses $null -ReportJunkToCustomizedAddress $false -ReportJunkAddresses $null -ReportNotJunkToCustomizedAddress $false -ReportNotJunkAddresses $null -ReportPhishToCustomizedAddress $false -ReportPhishAddresses $null
+ ```
+
+ The following command is required only if you don't already have the report submission rule:
+
+ ```powershell
+ Get-ReportSubmissionRule | Remove-ReportSubmissionRule
+ ```
+
+The only meaningful setting that you can modify in the report submission rule is the email address of the reporting mailbox (the _SentTo_ parameter value). For example:
+
+```powershell
+Get-ReportSubmissionRule | Set-ReportSubmissionRule -SentTo newemailaddress@contoso.com
+```
+
+> [!NOTE]
+> If you change the email address of the reporting mailbox in the report submission rule, be sure to change the corresponding values in the report submissions policy. For example:
+>
+> - _ThirdPartyReportAddresses_
+> - _ReportJunkAddresses_, _ReportNotJunkAddresses_, and _ReportPhishAddresses_
+
+For detailed syntax and parameter information, see [Set-ReportSubmissionRule](/powershell/module/exchange/set-reportsubmissionrule).
+
+To temporarily disable sending email messages to the reporting mailbox without deleing the report submission rule, use [Disable-ReportSubmissionRule](/powershell/module/exchange/disable-reportsubmissionrule). For example:
+
+```powershell
+Get-ReportSubmissionRule | Disable-ReportSubmissionRule -Confirm:$false
+```
+
+To enable the report submission rule again, use [Enable-ReportSubmissionRule](/powershell/module/exchange/enable-reportsubmissionrule). For example:
+
+```powershell
+Get-ReportSubmissionRule | Disable-ReportSubmissionRule -Confirm:$false
+```
+
+### Use PowerShell to remove the report submission policy and the report submission rule
+
+To start over with the default settings of the report submission policy, you can delete it and recreate it. Removing the report submission policy does not remove the report submission rule, and vice-versa.
+
+To remove the report submission policy, run the following command in Exchange Online PowerShell:
+
+```powershell
+Remove-ReportSubmissionPolicy -Identity DefaultReportSubmissionPolicy
+```
+
+To remove the report submission rule, run the following command:
+
+```powershell
+Get-ReportSubmissionRule | Remove-ReportSubmissionRule
+```
+
+To remove both the report submission policy and report submission rule in the same command without prompts, run the following command:
+
+```powershell
+Remove-ReportSubmissionPolicy -Identity DefaultReportSubmissionPolicy; Get-ReportSubmissionRule | Remove-ReportSubmissionRule -Confirm:$false
+```
+
+For detailed syntax and parameter information, see [Remove-ReportSubmissionPolicy](/powershell/module/exchange/remove-reportsubmissionpolicy) and [Remove-ReportSubmissionRule](/powershell/module/exchange/remove-reportsubmissionrule).
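Review bot: the example under "To enable the report submission rule again" still runs `Get-ReportSubmissionRule | Disable-ReportSubmissionRule -Confirm:$false`, so an admin who follows it as written leaves user reporting to the mailbox disabled; it should mirror the preceding Disable example with the cmdlet the sentence names, i.e. `Get-ReportSubmissionRule | Enable-ReportSubmissionRule -Confirm:$false`. Two smaller points in the same hunk: under the "Turn off the Microsoft integrated reporting experience" bullet, the lead-in "The following command is required only if you don't already have the report submission rule" was copied from the create case but introduces `Get-ReportSubmissionRule | Remove-ReportSubmissionRule`, so it should read "only if you already have the report submission rule"; and "without deleing the report submission rule" should be "deleting". The bullet text "Turn off the Microsoft integrated reporting experience **Off**" also repeats "off".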
solutions Data Privacy Protection Protect Govern https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/data-privacy-protection-protect-govern.md
The three data handling policies available in Priva Privacy Risk Management help
We recommend deploying policies in a phased approach so you can get to know how they behave and optimize them to suit your needs. For the first phase, we recommend creating one custom policy to serve as a basis of understanding. Let's use the example of creating a [data overexposure policy](/privacy/priva/risk-management-policy-data-overexposure), which identifies content items containing personal data that may be too broadly accessible by other people. You can find [detailed policy creation instructions starting here](/privacy/priva/risk-management-policy-data-overexposure#custom-setup-guided-policy-creation-process). -- When you get to the **Chose data to monitor** step of the policy creation wizard, we recommend selecting the **Individual sensitive information types** option and choosing the SITs that are most relevant to your organization. For example, if you're a financial services company with customers in Europe, you'll likely want to include the EU debit card number as one of your SITs. [Find the list of SIT definitions here](../compliance/sensitive-information-type-entity-definitions.md).
+- When you get to the **Choose data to monitor** step of the policy creation wizard, we recommend selecting the **Individual sensitive information types** option and choosing the SITs that are most relevant to your organization. For example, if you're a financial services company with customers in Europe, you'll likely want to include the EU debit card number as one of your SITs. [Find the list of SIT definitions here](../compliance/sensitive-information-type-entity-definitions.md).
- At the **Choose users and groups covered by this policy** step, we recommend selecting **Specific users or groups** and choosing a small inner circle of users in scope for this policy.
Below are specific recommendations for key settings when creating your first **d
- For **Data to monitor**, choose specific SITs or classification groups. - For **Choose users and groups covered by this policy**, select an inner ring of users. - For **Choose conditions for the policy**, choose 30, 60, 90, or 120 days.-- or **Decide policy mode**, keep the policy in test mode.
+- For **Decide policy mode**, keep the policy in test mode.
### Maximizing policy performance to minimize privacy risks