Updates from: 01/13/2021 04:10:13
Category Microsoft Docs article Related commit history on GitHub Change details
admin https://docs.microsoft.com/en-us/microsoft-365/admin/services-in-china/parity-between-azure-information-protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/services-in-china/parity-between-azure-information-protection.md
@@ -4,6 +4,7 @@ f1.keywords:
- NOCSH ms.author: sharik author: skjerland
+ms.reviewer: arthurj
manager: scotv audience: Admin ms.topic: overview
@@ -18,15 +19,15 @@ search.appverid:
- MET150 - GEU150 - GEA150
-description: "Learn more about Azure Information Protection for Office 365 operated by 21Vianet and how to configure it for customers in China."
+description: "Learn more about Azure Information Protection (AIP) for Office 365 operated by 21Vianet and how to configure it for customers in China."
monikerRange: 'o365-21vianet' --- # Parity between Azure Information Protection for Office 365 operated by 21Vianet and commercial offerings
-While our goal is to deliver all commercial features and functionality to customers in China with our Azure Information Protection for Office 365 operated by 21Vianet offer, there is some missing functionality that we'd like to highlight.
+While our goal is to deliver all commercial features and functionality to customers in China with our Azure Information Protection (AIP) for Office 365 operated by 21Vianet offer, there's some missing functionality that we'd like to highlight.
-The following list includes the existing gaps between Azure Information Protection for Office 365 operated by 21Vianet and our commercial offerings as of July 2019:
+The following list includes the existing gaps between Azure Information Protection for Office 365 operated by 21Vianet and our commercial offerings as of January 2021:
- Information Rights Management (IRM) is supported only for Microsoft 365 Apps for enterprise (build 11731.10000 or higher). Office 2010, Office 2013, and other Office 2016 versions are not supported.
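Review bot: The "as of January 2021" date in the sentence introducing the gap list is bumped from July 2019, but the only list item visible in this hunk (IRM supported only for Microsoft 365 Apps for enterprise, build 11731.10000 or higher) is unchanged context. Please confirm that each existing gap was re-verified for the new date rather than only the sentence being refreshed. Also, "(AIP)" is now defined in the first paragraph while the very next sentence still spells out the full product name; use the abbreviation consistently or drop it.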
@@ -40,6 +41,8 @@ The following list includes the existing gaps between Azure Information Protecti
- The Mobile Device Extension for AD RMS is currently not available.
+- The [Mobile Viewer](/azure/information-protection/rms-client/mobile-app-faq) is not supported by Azure China 21Vianet.
+ ## Configuring Azure Information Protection for customers in China ### Enable Rights Management for the tenant
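Review bot: The new Mobile Viewer bullet says "is not supported by Azure China 21Vianet", while the rest of the article names the offering "Office 365 operated by 21Vianet" and this same commit rewrites "is not" to "isn't" in other lines. Suggest aligning the product name and the contraction style. Since the preceding bullet already states that the Mobile Device Extension for AD RMS is unavailable, it would also help to say what option, if any, remains for opening protected content on mobile devices.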
@@ -48,7 +51,7 @@ For the encryption to work correctly, the RMS must be enabled for the tenant.
- Check if the RMS is enabled: 1. Launch PowerShell as an administrator.
- 2. If the AIPService module is not installed, run `Install-Module AipService`.
+ 2. If the AIPService module isn't installed, run `Install-Module AipService`.
3. Import the module using `Import-Module AipService`. 4. Connect to the service using `Connect-AipService -environmentname azurechinacloud`. 5. Run `(Get-AipServiceConfiguration).FunctionalState` and check if the state is `Enabled`.
@@ -63,7 +66,7 @@ Also, the assumption is that users will log in with a username based off the ten
- Get the RMS ID: 1. Launch PowerShell as an administrator.
- 2. If the AIPService module is not installed, run `Install-Module AipService`.
+ 2. If the AIPService module isn't installed, run `Install-Module AipService`.
3. Connect to the service using `Connect-AipService -environmentname azurechinacloud`. 4. Run `(Get-AipServiceConfiguration).RightsManagementServiceId` to get the RMS ID.
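Review bot: In the "Get the RMS ID" procedure, step 3 goes straight from `Install-Module AipService` to `Connect-AipService`, whereas the "Check if the RMS is enabled" procedure in the previous hunk has an explicit `Import-Module AipService` step in between. Since step 2 is being touched anyway, make the two procedures consistent (add the import step here or drop it there). The prose also writes the module name as "AIPService" while the commands use `AipService`; pick one casing.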
@@ -80,10 +83,53 @@ Also, the assumption is that users will log in with a username based off the ten
### DNS configuration for encryption (Mac, iOS, Android) -- Log in to your DNS provider, navigate to the DNS settings for the domain, and then add a new SRV record.
- - Service = `_rmsdisco`
- - Protocol = `_http`
- - Name = `_tcp`
- - Target = `api.aadrm.cn`
- - Port = `80`
- - Priority, Weight, Seconds, TTL = default values
+Log in to your DNS provider, navigate to the DNS settings for the domain, and then add a new SRV record.
+
+- Service = `_rmsdisco`
+- Protocol = `_http`
+- Name = `_tcp`
+- Target = `api.aadrm.cn`
+- Port = `80`
+- Priority, Weight, Seconds, TTL = default values
+
+### AIP client configuration
+
+The unified AIP client can be downloaded from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=53018).
+
+For more information, see:
+
+- [Azure Information Protection documentation](/azure/information-protection/)
+- [AIP version history and support policy](/azure/information-protection/rms-client/unifiedlabelingclient-version-release-history)
+- [AIP system requirements](/azure/information-protection/requirements)
+- [AIP quickstart: Deploy the AIP client](/azure/information-protection/quickstart-deploy-client)
+- [AIP administrator guide](/azure/information-protection/rms-client/clientv2-admin-guide)
+- [AIP user guide](/azure/information-protection/rms-client/clientv2-user-guide)
+- [Learn about Microsoft 365 sensitivity labels](/microsoft-365/compliance/sensitivity-labels)
+
+### AIP apps configuration (unified labeling client only)
+
+For the unified labeling solution, AIP apps on Windows need the following registry key to point them to the correct sovereign cloud for Azure China:
+
+- Registry node = `HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\MSIP`
+- Name = `CloudEnvType`
+- Value = `6` (default = 0)
+- Type = `REG_DWORD`
+
+> [!IMPORTANT]
+> Make sure you don't delete the registry key after an uninstall. If the key is empty, incorrect, or non-existent, the functionality will behave as the default value (default value = 0 for the commercial cloud). If the key is empty or incorrect, a print error is also added to the log.
+
+### Manage Azure Information Protection content scan jobs
+
+To manage your Azure Information Protection content scan jobs with an Azure China scanner server, use the following cmdlets instead of the Azure portal:<br><br>
+
+| Cmdlet | Description |
+|--|--|
+| [Add-AIPScannerRepository](/powershell/module/azureinformationprotection/add-aipscannerrepository) | Adds a new repository to your content scan job. |
+| [Get-AIPScannerContentScanJob](/powershell/module/azureinformationprotection/get-aipscannercontentscanjob) | Gets details about your content scan job. |
+| [Get-AIPScannerRepository](/powershell/module/azureinformationprotection/get-aipscannerrepository) | Gets details about repositories defined for your content scan job. |
+| [Remove-AIPScannerContentScanJob](/powershell/module/azureinformationprotection/remove-aipscannercontentscanjob) | Deletes your content scan job. |
+| [Remove-AIPScannerRepository](/powershell/module/azureinformationprotection/remove-aipscannerrepository) | Removes a repository from your content scan job. |
+| [Set-AIPScannerContentScanJob](/powershell/module/azureinformationprotection/set-aipscannercontentscanjob) | Defines settings for your content scan job. |
+| [Set-AIPScannerRepository](/powershell/module/azureinformationprotection/set-aipscannerrepository) | Defines settings for an existing repository in your content scan job. |
+
+For more information, see [Manage your content scan jobs using PowerShell only](/azure/information-protection/deploy-aip-scanner-prereqs#use-powershell-with-a-disconnected-computer).
\ No newline at end of file
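Review bot: The [!IMPORTANT] note under "AIP apps configuration" says a non-existent `CloudEnvType` value falls back to 0 (commercial cloud), but mentions a log error only for the empty or incorrect cases, so as written a machine where the key was never set or was removed is pointed at the commercial cloud with nothing in the log. Suggest adding a verification step that tells an admin how to confirm the value is present and set to `6`, and rewording "Make sure you don't delete the registry key after an uninstall" to say which uninstall is meant and why the key must survive it. In the DNS section, the labels Protocol = `_http` and Name = `_tcp` are easy to misread, so consider showing the complete SRV record name the fields compose into, and say whether discovery on port `80` is followed by a secured connection. The stray `<br><br>` after "instead of the Azure portal:" can be removed, and the file should end with a newline.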
business https://docs.microsoft.com/en-us/microsoft-365/business/security-features https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business/security-features.md
@@ -81,7 +81,7 @@ Advanced features in Microsoft 365 Business Premium are available to help you pr
- [Access based on location](https://docs.microsoft.com/azure/active-directory/authentication/howto-registration-mfa-sspr-combined#conditional-access-policies-for-combined-registration); only allow access from trusted IP ranges or specific countries - Require MFA for access - Block access to apps that use [legacy authentication](https://docs.microsoft.com/azure/active-directory/conditional-access/block-legacy-authentication)
- - Require apps tp use [Intune app protection](https://docs.microsoft.com/azure/active-directory/conditional-access/app-protection-based-conditional-access)
+ - Require apps to use [Intune app protection](https://docs.microsoft.com/azure/active-directory/conditional-access/app-protection-based-conditional-access)
- Custom authentication such as MFA with third-party providers, for example DUO. Other features:
compliance https://docs.microsoft.com/en-us/microsoft-365/compliance/advanced-ediscovery-edrm https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/advanced-ediscovery-edrm.md new file mode 100644
@@ -0,0 +1,54 @@
+---
+title: "Advanced eDiscovery alignment with the EDRM"
+f1.keywords:
+- NOCSH
+ms.author: markjjo
+author: markjjo
+manager: laurawi
+ms.date:
+audience: Admin
+ms.topic: overview
+ms.service: O365-seccomp
+localization_priority: Normal
+ms.collection:
+- M365-security-compliance
+- m365solution-aed
+- m365initiative-compliance
+search.appverid:
+- MOE150
+- MET150
+description: "The built-in workflow of Advanced eDiscovery in Microsoft 365 aligns with the eDiscovery process outlined by the Electronic Discovery Reference Model (EDRM)."
+ms.custom: seo-marvel-apr2020
+---
+
+# Advanced eDiscovery alignment with the Electronic Discovery Reference Model
+
+The built-in workflow of Advanced eDiscovery in Microsoft 365 aligns with the eDiscovery process outlined by the Electronic Discovery Reference Model (EDRM).
+
+![The Electronic Discovery Reference Model (EDRM)](../media/EDRMv1.png)
+
+(Image source courtesy of edrm.net. The source image was made available under Creative Commons Attribution 3.0 Unported License.)
+
+At a high level, here's how Advanced eDiscovery supports the EDRM workflow:
+
+- **Identification.** After you identify potential persons of interest in an investigation, you can add them as custodians (also called *data custodians*, because they may possess information that's relevant to the investigation) to an Advanced eDiscovery case. After users are added as custodians, it's easy to preserve, collect, and review custodian documents.
+
+- **Preservation.** To preserve and protect data that's relevant to an investigation, Advanced eDiscovery lets you place a legal hold on the data sources associated with the custodians in a case. You can also place non-custodial data on hold. Advanced eDiscovery also has a built-in communications workflow so you can send legal hold notifications to custodians and track their acknowledgments.
+
+- **Collection.** After you identified (and preserved) the data sources relevant to the investigation, you can use the built-in search tool in Advanced eDiscovery search for and collect live data from the custodial data sources (and non-custodial data sources, if applicable) that may be relevant to the case.
+
+- **Processing.** After you've collected all data relevant to the case, the next step is process it for further review and analysis. In Advanced eDiscovery, the in-place data that you identified in the collection phase is copied to an Azure Storage location (called a *review set*), which provides you with a static view of the case data.
+
+- **Review.** After data has been added to a review set, you can view specific documents and run additional queries to reduce the data to what is most relevant to the case. Also, can annotate and tag specific documents.
+
+- **Analysis.** Advanced eDiscovery provides integrated analytics tool that helps you further cull data from the review set that you determine isn't relevant to the investigation. In addition to reducing the volume of relevant data, Advance eDiscovery also helps you save legal review costs by letting you organize content to make the review process easier and more efficient.
+
+- **Production** and **Presentation.** When you're ready, you can export documents from a review set for legal review. You can export documents in their native format or in an EDRM-specified format so they can be imported into third-party review applications.
+
+## More information
+
+To get started using Advanced eDiscovery, see:
+
+- [Set up Advanced eDiscovery](get-started-with-advanced-ediscovery.md)
+
+- [Create and manage an Advanced eDiscovery case](create-and-manage-advanced-ediscoveryv2-case.md)
\ No newline at end of file
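Review bot: The EDRM bullet list in this new file has several sentence-level errors that should be fixed before publishing. Collection: "After you identified" should be "After you've identified", and "search tool in Advanced eDiscovery search for" is missing "to". Processing: "the next step is process it" is missing "to". Review: "Also, can annotate" has no subject. Analysis: "provides integrated analytics tool" needs an article, "Advance eDiscovery" is a typo, and "reducing the volume of relevant data" reads as the opposite of the previous sentence, which is about culling data that isn't relevant. In the front matter, `ms.date:` is empty, and the file has no trailing newline.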
compliance https://docs.microsoft.com/en-us/microsoft-365/compliance/apply-irm-to-a-list-or-library https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/apply-irm-to-a-list-or-library.md
@@ -68,7 +68,7 @@ You can use Information Rights Management (IRM) to help control and protect file
|Select this option if you want to restrict access to content to a specified period of time. If you select this option, people's issuance licenses to access the content will expire after the specified number of days, and people will be required to return to the server to verify their credentials and download a new copy.|Select the **After download, document access rights will expire after these number of days (1-365)** check box, and then specify the number of days for which you want the document to be viewable.| | Prevent people from uploading documents that do not support IRM to this list or library. If you select this option, people will not be able to upload any of the following file types: File types that do not have corresponding IRM protectors installed on all of the front-end web servers. File types that SharePoint Server 2010 cannot decrypt. File types that are IRM protected in another program.|Select the **Do not allow users to upload documents that do not support IRM** check box.| |Remove restricted permissions from this list or library on a specific date.|Select the **Stop restricting access to the library at** check box, and then select the date that you want.|
-|Control the interval that credentials are cached for the program that is licensed to open the document.|Select the **Users must verify their credentials using this interval (days)** check box, then enter the interval for caching credentials in number of days.|
+|Control the interval that credentials are cached for the program that is licensed to open the document. This setting is only supported in the Microsoft global cloud. The setting is not available in national cloud deployments.|Select the **Users must verify their credentials using this interval (days)** check box, then enter the interval for caching credentials in number of days.|
|Allow group protection so that users can share with members of the same group.|Select **Allow group protection**, and enter the group's name for sharing.| 8. After you finish selecting the options you want, select **OK**.
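Review bot: The sentence added to the credential-caching row says the setting is supported only in the Microsoft global cloud, but not what an admin in a national cloud deployment actually sees: is the check box hidden, or is it shown and ignored? Please state the behaviour, because a re-verification interval that is configured but not enforced is something an admin needs to know about. The two new sentences also say the same thing twice and can be merged into one.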
@@ -116,8 +116,6 @@ IRM cannot protect restricted content from the following:
- Copying through the use of third-party screen-capture programs - Copying of content metadata (column values) through the use of third-party screen-capture programs or copy-and-paste action
-
-[Apply Information Rights Management to a list or library](https://support.office.com/article/6714cfe3-ef39-43b0-bb65-a887726bb63c)
## How IRM works for lists and libraries <a name="__toc256598178"> </a>
compliance https://docs.microsoft.com/en-us/microsoft-365/compliance/create-and-manage-advanced-ediscoveryv2-case https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/create-and-manage-advanced-ediscoveryv2-case.md new file mode 100644
@@ -0,0 +1,103 @@
+---
+title: "Create and manage Advanced eDiscovery cases in Microsoft 365"
+f1.keywords:
+- NOCSH
+ms.author: markjjo
+author: markjjo
+manager: laurawi
+ms.date:
+audience: Admin
+ms.topic: how-to
+ms.service: O365-seccomp
+localization_priority: Normal
+ms.collection:
+- M365-security-compliance
+- m365solution-aed
+- m365initiative-compliance
+search.appverid:
+- MOE150
+- MET150
+description: "This article describes how to create and manage Advanced eDiscovery cases. The first step is to create a case and start using Advanced eDiscovery features and functionality."
+---
+
+# Create and manage an Advanced eDiscovery case
+
+After setting up Advanced eDiscovery and [assigning permissions to eDiscovery managers](get-started-with-advanced-ediscovery.md#step-2-assign-ediscovery-permissions) in your organization that will manage cases, the next step is to create and manage a case.
+
+This article also provides a high-level overview of using cases to manage the Advanced eDiscovery workflow for a legal investigation.
+
+## Create a case
+
+Complete the following steps to create a case and add members. The user who creates the case is automatically added as a member.
+
+1. Go to [https://compliance.microsoft.com](https://compliance.microsoft.com) and sign in using the credentials for user account that has been assigned eDiscovery permissions. Members of the Organization Management role group can also create Advanced eDiscovery cases.
+
+2. In the left navigation pane of the Microsoft 365 compliance center, click **Show all**, and then click **eDiscovery > Advanced**.
+
+3. On the **Advanced eDiscovery** page, click the **Cases** tab, and then click **Create a case**.
+
+4. On the **New eDiscovery case** flyout page, give the case a name (required), and then type an optional case number and description. The case name must be unique in your organization.
+
+5. Click **Save** to create the case.
+
+ The new case is created and the **Settings** tab in the new case is displayed.
+
+6. In the **Access & permissions** tile on the **Settings** tab, click **Select**, and then click **Update**.
+
+7. Click **Update**.
+
+8. On the **Manage this case** flyout page, under **Manage members**, click **Add** to add members to the case.
+
+9. In the list of people, select the check box next to the names of the people that you want to add to the case. As previously explained, be sure that the people you add to the case have been assigned the appropriate eDiscovery permissions.
+
+10. After you've selected the people to add as members of the case, click **Add**.
+
+11. In the **Manage this case** flyout page, click **Save** to save the new list of case members.
+
+12. Click the **Home** tab to go to the case home page.
+
+## Manage the workflow
+
+To get you started using Advanced eDiscovery, here's a basic workflow that aligns with [common eDiscovery practices](advanced-ediscovery-edrm.md). In each of these steps, we'll also highlight some extended Advanced eDiscovery functionality that you can explore.
+
+![Advanced eDiscovery workflow](../media/AeDWorkflow.png)
+
+1. **[Add custodians](add-custodians-to-case.md) and [non-custodial data sources](non-custodial-data-sources.md) to the case**. The first step after creating a case is to add custodians. A *custodian* is a person having administrative control of a document or electronic file that may be relevant to the case. Additionally, you can add data sources that aren't associated with a specific user but may be relevant to the case.
+
+ Here are some things that happen (or that you can do) when you add custodians to a case:
+
+ - Data in the custodian's Exchange mailbox, OneDrive account, and any Microsoft Teams or Yammer groups that the custodian is a member of can be "marked" as custodial data in the case.
+
+ - Custodian data is reindexed (by a process called *Advanced indexing*). This helps optimize searching for it in the next step.
+
+ - You can place a hold on custodian data. This preserves data that may be relevant to the case during the investigation.
+
+ - You can associate other data sources with a custodian (for example, you can associate a SharePoint site or Microsoft 365 Group with a custodian) so this data can be reindexed, placed on hold, and searched, just like the data in the custodian's mailbox or OneDrive account.
+
+ - You can use the [communications workflow](managing-custodian-communications.md) in Advanced eDiscovery to send a legal hold notification to custodians.
+
+2. **[Search data sources for data relevant to the case](collecting-data-for-ediscovery.md)**. After you add custodians and non-custodial data sources to a case, use the built-in search tool to search these data sources for data that may be relevant to the case. You use keywords, properties, and conditions to [build search queries](building-search-queries.md) that return search results with the data that's most likely relevant to the case. You can also:
+
+ - View [search statistics](search-statistics-in-advanced-ediscovery.md) that may help you refine a search query to narrow the results.
+
+ - Preview the search results to quickly verify whether the relevant data is being found.
+
+ - Revise a query and rerun the search.
+
+3. **[Add data to a review set](add-data-to-review-set.md)**. Once you've configured and verified that a search returns the desired data, the next step is to add the search results to a review set. When you add data to a review set, items are copied from their original location to a secure Azure Storage location. The data is reindexed again to optimize it for thorough and fast searches when reviewing and analyzing items in the review set. Additionally, you can also [add non-Office 365 data into a review set](load-non-office-365-data-into-a-review-set.md).
+
+ There's also a special kind of review set that you can add data to, called a *conversation review set*. These types of reviews sets provide conversation reconstruction capabilities to reconstruct, review, and export threaded conversations like those in Microsoft Teams. For more information, see [Review conversations in Advanced eDiscovery](conversation-review-sets.md).
+
+4. **Review and analyze data in a review set**. Now that data is in a review set, you can use a wide-variety of tools and capabilities to view and analyze the case data with the goal of reducing the data set to what is most relevant to the case you're investigating. Here's a list of some tools and capabilities that you can use during this process.
+
+ - [View documents](view-documents-in-review-set.md). This includes viewing the metadata for each document in a review set, and viewing the document in its native version or text version.
+
+ - [Create queries and filters](review-set-search.md). You create search queries using various search criteria (including the ability to search all [file metadata properties](document-metadata-fields-in-advanced-ediscovery.md)) to further refine and cull the case data to what is most relevant to the case. You can also use review set filters to quickly apply other conditions to the results of a search query to further refine those results.
+
+ - [Create and use tags](tagging-documents.md). You can apply tags to documents in a review set to identify which are responsive (or non-responsive to the case) and then use those tags when creating search queries to include or exclude the tagged documents. You can also tagging to determine which documents to export.
+
+ - [Annotate and redact documents](view-documents-in-review-set.md#annotate-view). You can use the annotation tool in a review to annotate documents and redact content in documents as work product. We generate a PDF version of an annotated or redacted document during review to reduce the risk of exporting the unredacted native version of the document.
+
+ - [Analyze case data](analyzing-data-in-review-set.md). The analytics functionality in Advanced eDiscovery is powerful. After you run analytics on the data in review set, we perform analysis such as near duplicate detection, email threading, and themes that can help reduce the volume of documents that you have to review. We also generate an Analytics reports that summarize the result of running analytics. As previously explained, running analytics also runs [the attorney-client privilege detection model](attorney-privilege-detection.md#use-the-attorney-client-privilege-detection-model).
+
+5. **Export and download case data**. A final step after collecting, reviewing, and analyzing case data is to export it out of Advanced eDiscovery for external review or for review by people outside of the investigation team. Exporting data is a two-step process. The first step is to [export](export-documents-from-review-set.md) data out of the review set and copy it to a different Azure Storage location (one provided by Microsoft or one managed by your organization). Then you use Azure Storage Explorer to [download](download-export-jobs.md) the data to a local computer. In addition to the exported data files, the contains of the export package also contains an export report, a summary report, and an error report.
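Review bot: In "Create a case", step 6 ends with "and then click **Update**" and step 7 is again "Click **Update**", so either one step is a duplicate or step 6 names the wrong control; please check against the UI and renumber. Smaller points in the same file: step 1 is missing an article ("credentials for user account"); the "Analyze case data" bullet says "As previously explained" about the attorney-client privilege detection model, which is not mentioned anywhere earlier in this article; "You can also tagging" should be "You can also use tagging"; "an Analytics reports" mixes singular and plural; and "the contains of the export package also contains" in step 5 should be "the export package also contains". `ms.date:` is empty in the front matter.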
compliance https://docs.microsoft.com/en-us/microsoft-365/compliance/create-hold-notification https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/create-hold-notification.md
@@ -22,7 +22,7 @@ ms.custom: seo-marvel-mar2020
# Create a legal hold notice
-Using Advanced eDiscovery custodian communications, organizations can manage their workflow around communicating with custodians. Through the Communications tool, legal teams can systematically send, collect, and track legal hold notifications. The flexible creation process also allows teams to customize the hold notification workflow and the content in the notices sent to custodians.
+Using Advanced eDiscovery custodian communications, organizations can manage their workflow around communicating with custodians. Through the Communications tool, legal teams can systematically send, collect, and track legal hold notifications. The flexible creation process also allows teams to customize the hold notification workflow and the content in the notices sent to custodians.
![Communications Page](../media/CommunicationPage.PNG)
@@ -42,7 +42,7 @@ The first step is to specify the appropriate details for legal hold notices or o
- **Name**: This is the name for the communication.
- - **Issuing officer**: The dropdown list displays a list of case members. For more information on how to add new members to a case, see [Create an Advanced eDiscovery case](get-started-with-advanced-ediscovery.md#step-4-create-an-advanced-ediscovery-case). Each notice sent to custodians will be sent on behalf of the specified issuing officer.
+ - **Issuing officer**: The dropdown list displays a list of case members. For more information on how to add new members to a case, see [Create an Advanced eDiscovery case](create-and-manage-advanced-ediscoveryv2-case.md#create-a-case). Each notice sent to custodians will be sent on behalf of the specified issuing officer.
> [!NOTE] > The issuing officer must have an **active mailbox** to show up in the Issuing Officer dropdown
compliance https://docs.microsoft.com/en-us/microsoft-365/compliance/create-retention-policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/create-retention-policies.md
@@ -48,7 +48,7 @@ Although a retention policy can support multiple locations, you can't create a s
- Yammer community messages - Yammer private messages
-If you select the Teams or Yammer locations when you create a retention policy, the other locations are automatically excluded. Therefore, which instructions to follow depends on whether you need to include the Teams or Yammer locations:
+If you select the Teams or Yammer locations when you create a retention policy, the other locations are automatically excluded. Therefore, which instructions to follow depend on whether you need to include the Teams or Yammer locations:
- [Instructions for a retention policy for Teams locations](#retention-policy-for-teams-locations) - [Instructions for a retention policy for Yammer locations](#retention-policy-for-yammer-locations)
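Review bot: The change from "depends" to "depend" looks like a regression. The subject of the verb is the clause "which instructions to follow", which is singular, so "depends on whether" was correct. Suggest reverting, or rephrasing to "the instructions to follow depend on whether ..." if the plural verb is wanted.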
@@ -252,17 +252,20 @@ For example, if a policy includes all Exchange email and all SharePoint sites, a
### A policy with specific inclusions or exclusions
-Only if you use the optional configuration to scope your retention settings to specific users, specific Microsoft 365 groups, or specific sites, there are some limits to be aware of:
+Only if you use the optional configuration to scope your retention settings to specific users, specific Microsoft 365 groups, or specific sites, there are some limits per policy to be aware of:
- Maximum numbers for a retention policy:
- - 1,000 mailboxes
+ - 1,000 mailboxes (user mailboxes or group mailboxes)
- 1,000 Microsoft 365 groups - 1,000 users for Teams private chats - 100 sites (OneDrive or SharePoint)
-There is also a maximum number of policies that are supported for a tenant: 10,000. However, for Exchange Online, the maximum number is 1,800. The maximum number includes retention policies, retention label policies, and auto-apply retention policies.
+These limitations are per policy, so if you need to use specific inclusions or exclusions that result in going over these numbers, you can create additional retention policies that have the same retention settings. See the next section for some [example scenarios and solutions](#examples-of-using-inclusions-and-exclusions) that use multiple retention policies for this reason. Multiple retention policies result in higher administrative overheads, so always challenge whether you really need inclusions and exclusions. Remember that the default configuration that applies to the entire location doesn't have any limitations, and this configuration choice might be a better solution than creating and maintaining multiple policies.
+
+> [!TIP]
+> If do you need to create and maintain multiple retention policies for this scenario, consider using [PowerShell](retention.md#powershell-cmdlets-for-retention-policies-and-retention-labels) for more efficient configuration.
-If your retention policies are likely to be subject to these limitations, use the default configuration that applies to the entire location because these policies don't have any limitations.
+There is also a maximum number of policies that are supported for a tenant: 10,000. However, for Exchange Online, the maximum number is 1,800. The maximum number includes retention policies, retention label policies, and auto-apply retention policies.
To use the optional configuration to scope your retention settings, make sure the **Status** of that location is **On**, and then use the links to include or exclude specific users, Microsoft 365 groups, or sites.
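Review bot: The new [!TIP] reads "If do you need to create", which should be "If you do need to create". In the paragraph above it, "higher administrative overheads" is better as "higher administrative overhead", and "These limitations are per policy" repeats what the edited lead-in ("some limits per policy to be aware of") already says, so one of the two can be dropped. The "1,000 mailboxes (user mailboxes or group mailboxes)" clarification is useful; consider saying whether a group mailbox also counts against the separate "1,000 Microsoft 365 groups" limit on the next line.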
@@ -273,6 +276,28 @@ To use the optional configuration to scope your retention settings, make sure th
> > In this scenario, toggle the location off if you don't want the **All** setting for the location to be subject to the retention policy. Alternatively, specify excludes to be exempt from the policy.
+#### Examples of using inclusions and exclusions
+
+The following examples provide some design solutions for when you can't specify just the location for a retention policy, and must take into account the limitations documented in the previous section.
+
+Exchange example:
+
+- **Requirement**: In an organization that has over 40,000 user mailboxes, most users must have their email retained for 7 years but a subset of identified users (425) must have their email retained for only 5 years.
+
+- **Solution**: Create one retention policy for Exchange email with a retention period of 7 years and exclude the subset of users. Then create a second retention policy for Exchange email with a retention period of 5 years and include the subset of users.
+
+ In both cases, the number included and excluded is below the maximum number of specified mailboxes for a single policy, and the subset of users must be explicitly excluded from the first policy because it has a [longer retention period](retention.md#the-principles-of-retention-or-what-takes-precedence) than the second policy. If the subset of users required a longer retention policy, you wouldn't need to exclude them from the first policy.
+
+ With this solution, if anybody new joins the organization, their mailbox is automatically included in the first policy for 7 years and there is no impact to the maximum numbers supported. However, new users that require the 5 year retention period add to the include and exclude numbers, and this limit would be reached at 1,000.
+
+SharePoint example:
+
+- **Requirement**: An organization has several thousand SharePoint sites but only 2,000 sites require a retention period of 10 years, and 8,000 sites require a retention period of 4 years.
+
+- **Solution**: Create 20 retention policies for SharePoint with a retention period of 10 years that includes 100 specific sites, and create 80 retention policies for SharePoint with a retention period of 4 years that includes 100 specific sites.
+
+ Because you don't need to retain all SharePoint sites, you must create retention policies that specify the specific sites. Because a retention policy doesn't support more than 100 specified sites, you must create multiple policies for the two retention periods. These retention policies have the maximum number of included sites, so the next new site that needs retaining would require a new retention policy, irrespective of the retention period.
+ ## Updating retention policies Some settings can't be changed after a retention policy is created and saved, which include:
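Review bot: The last paragraph of the Exchange example says "this limit would be reached at 1,000" without naming the limit, so the reader has to infer that it is the maximum number of specified mailboxes for a single policy mentioned in the paragraph before it. Name the limit in that sentence. In the same example, "If the subset of users required a longer retention policy" should read "longer retention period", to match the linked precedence section. In the SharePoint example, "several thousand SharePoint sites" reads oddly next to 2,000 plus 8,000 named sites, and "you don't need to retain all SharePoint sites" is not part of the stated requirement. Give the total number of sites so the reason for not using an all-sites policy is visible.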
compliance https://docs.microsoft.com/en-us/microsoft-365/compliance/dlp-microsoft-teams https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/dlp-microsoft-teams.md
@@ -92,7 +92,7 @@ To perform this task, you must be assigned a role that has permissions to edit D
4. In the **Status** column, turn the policy on for **Teams chat and channel messages**.<br/>![DLP for Teams chats and channels](../media/dlp-teams-addteamschatschannels.png)<br/>
-5. On the **Choose locations** tab, keep the default setting of all accounts, or select **Let me choose specific locations** and specify which accounts, distribution lists, or security groups for inclusion and exclusion. Then choose **Next**.
+5. On the **Choose locations** tab, keep the default setting of all accounts, or select **Let me choose specific locations** and specify which accounts to include or exclude. Then choose **Next**.
6. Click **Save**.
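Review bot: Step 5 drops "distribution lists, or security groups" and leaves only "accounts", but nothing in the step tells an admin who scoped a policy by group whether that is still possible for Teams chat and channel messages. If groups cannot be used for this location, say so in a short note under the step. Otherwise a policy that was meant to cover a group could end up with a narrower scope than intended. The same wording change appears in the second procedure further down and needs the same note.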
@@ -111,7 +111,7 @@ To perform this task, you must be assigned a role that has permissions to edit D
4. On the **Name your policy** tab, specify a name and description for the policy, and then choose **Next**.
-5. On the **Choose locations** tab, keep the default setting of all accounts, or select **Let me choose specific locations** and specify which accounts, distribution lists, or security groups for inclusion and exclusion. Then choose **Next**.
+5. On the **Choose locations** tab, keep the default setting of all accounts, or select **Let me choose specific locations** and specify which accounts to include or exclude. Then choose **Next**.
![DLP policy locations](../media/dlp-teams-selectlocationsnewpolicy.png)
compliance https://docs.microsoft.com/en-us/microsoft-365/compliance/ediscovery https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/ediscovery.md
@@ -15,72 +15,73 @@ search.appverid:
- MOE150 - MET150 ms.assetid: 143b3ab8-8cb0-4036-a5fc-6536d837bfce
-description: "Microsoft 365 offers a number of different eDiscovery tools that you can use to search for and hold content found in different locations such as Exchange mailboxes, SharePoint and OneDrive for Business sites, Microsoft 365 Groups, and Skype for Business conversations."
+description: "Microsoft 365 offers a number of different eDiscovery tools that you can use to search for and hold content found in different locations such as Exchange mailboxes, SharePoint and OneDrive for Business sites, Microsoft 365 Groups, Microsoft Teams, and Skype for Business conversations."
---
-# eDiscovery in Microsoft 365
+# eDiscovery solutions in Microsoft 365
Electronic discovery, or eDiscovery, is the process of identifying and delivering electronic information that can be used as evidence in legal cases. You can use eDiscovery tools in Microsoft 365 to search for content in Exchange Online mailboxes, Microsoft 365 Groups, Microsoft Teams, SharePoint Online and OneDrive for Business sites, and Skype for Business conversations, and Yammer teams. You can search mailboxes and sites in the same eDiscovery search by using the Content Search tool. And you can use Core eDiscovery cases to identify, hold, and export content found in mailboxes and sites. If your organization has an Office 365 E5 or Microsoft 365 E5 subscription (or related E5 add-on subscriptions), you can further manage custodians and analyze content by using the Advanced eDiscovery solution in Microsoft 365. Microsoft 365 provides the following eDiscovery tools: -- [Content Search](#content-search)
+- [Content search](#content-search)
- [Core eDiscovery](#core-ediscovery) - [Advanced eDiscovery](#advanced-ediscovery)
-## Content Search
+## Content search
-The following table contains links to topics that will help you use the Content Search tool.
+The following table contains links to articles that will help you use the Content search tool.
-|**Topic**|**Description**|
+|**Article**|**Description**|
|:-----|:-----|
-|[Run a Content Search](content-search.md) <br/> |Learn how to use the Content Search tool to search mailboxes, public folders, Microsoft 365 Groups, Microsoft Teams, SharePoint Online sites, One Drive for Business locations, and Skype for Business conversations in your organization in a single search. <br/> |
-|[Keyword queries and search conditions for Content Search](keyword-queries-and-search-conditions.md) <br/> |Learn about the email and file properties and search conditions you can use to search for content in mailboxes and sites in your organization. <br/> |
-|[View keyword statistics for Content Search results](view-keyword-statistics-for-content-search.md) <br/> |Learn how to use search statistics to display and compare the statistics for one or more content searches, and to configure new and existing searches to return statistics for each keyword in the search query. <br/> |
-|[Export search results](export-search-results.md) <br/> |Learn how to export the results of a Content Search. <br/> |
-|[Configure permissions filtering for Content Search](permissions-filtering-for-content-search.md) <br/> |Learn how to use permissions filtering to let an eDiscovery manager search only a subset of mailboxes and sites in your organization. <br/> |
-|[Export a Content Search report](export-a-content-search-report.md) <br/> |Learn how to download the export report without having to export the actual search results. <br/> |
-|[Content Search limits](limits-for-content-search.md) <br/> |Learn about the limits of the Content Search tool, such as the maximum number of searches that you can run at one time. <br/> |
-|[Unindexed items in Content Search](partially-indexed-items-in-content-search.md) <br/> |Learn about unindexed items in Exchange and SharePoint that you can include in the estimated search result statistics when you run a search. You can also include unindexed items when you export search results. <br/> |
-|[Search for and delete email messages](search-for-and-delete-messages-in-your-organization.md) <br/> |Learn how to use Content Search to search for and delete an email message from *all* mailboxes in your organization. This can help you find and remove potentially harmful or high-risk email. <br/> |
-|[Use Content Search to search the mailbox and OneDrive accounts for a list of users](search-the-mailbox-and-onedrive-for-business-for-a-list-of-users.md) <br/> |Learn how to use a script to search the mailbox and One Drive for Business site for a group of users. See [Create a list of all OneDrive locations](https://docs.microsoft.com/onedrive/list-onedrive-urls) for steps on how to quickly generate a list of email addresses that you can use for the source content locations when you create and run content searches. <br/> |
-|[Use Content Search for targeted collections](use-content-search-for-targeted-collections.md) <br/> |Learn how to use the Windows PowerShell script in this article to perform targeted collections using Content Search. A targeted collection means you want to search a specific folder because you're confident that items responsive to a case (or privileged items) are located in that folder. Use the script in this article to obtain the folder ID or path for the specific mailbox or site folders that you want to search. <br/> |
+|[Run a search](content-search.md) <br/> |Learn how to use the Content Search tool to search mailboxes, public folders, Microsoft 365 Groups, Microsoft Teams, SharePoint Online sites, One Drive for Business locations, and Skype for Business conversations in your organization in a single search. <br/> |
+|[Keyword queries and search conditions](keyword-queries-and-search-conditions.md) <br/> |Learn about the email and file properties and search conditions you can use to search for content in mailboxes and sites in your organization. <br/> |
+|[View keyword statistics for search results](view-keyword-statistics-for-content-search.md) <br/> |Learn how to use search statistics to display and compare the statistics for one or more content searches, and to configure new and existing searches to return statistics for each keyword in the search query. <br/> |
+|[Export search results](export-search-results.md) <br/> |Learn how to export the results of a Content search. <br/> |
+|[Configure permissions filtering for Content search](permissions-filtering-for-content-search.md) <br/> |Learn how to use permissions filtering to let an eDiscovery manager search only a subset of mailboxes and sites in your organization. <br/> |
+|[Export a search report](export-a-content-search-report.md) <br/> |Learn how to download the export report without having to export the actual search results. <br/> |
+|[Content search limits](limits-for-content-search.md) <br/> |Learn about the limits of the Content Search tool, such as the maximum number of searches that you can run at one time. <br/> |
+|[Unindexed items in Content search](partially-indexed-items-in-content-search.md) <br/> |Learn about unindexed items in Exchange and SharePoint that you can include in the estimated search result statistics when you run a search. You can also include unindexed items when you export search results. <br/> |
+|[Search for and delete email messages](search-for-and-delete-messages-in-your-organization.md) <br/> |Learn how to use Content search to search for and delete an email message from *all* mailboxes in your organization. This can help you find and remove potentially harmful or high-risk email. <br/> |
+|[Search the mailbox and OneDrive accounts for a list of users](search-the-mailbox-and-onedrive-for-business-for-a-list-of-users.md) <br/> |Learn how to use a script to search the mailbox and One Drive for Business site for a group of users. See [Create a list of all OneDrive locations](https://docs.microsoft.com/onedrive/list-onedrive-urls) for steps on how to quickly generate a list of email addresses that you can use for the source content locations when you create and run content searches. <br/> |
+|[Use Content search for targeted collections](use-content-search-for-targeted-collections.md) <br/> |Learn how to use the Windows PowerShell script in this article to perform targeted collections using Content search. A targeted collection means you want to search a specific folder because you're confident that items responsive to a case (or privileged items) are located in that folder. Use the script in this article to obtain the folder ID or path for the specific mailbox or site folders that you want to search. <br/> |
||| ## Core eDiscovery The following table contains links to topics that will help you use Core eDiscovery cases. You can use Core eDiscovery cases to add eDiscovery managers who can access the case, place an eDiscovery hold on content locations relevant to the case, search for content, and export the search results from the case.
-|**Topic**|**Description**|
+|**Article**|**Description**|
|:-----|:-----| |[Get started with Core eDiscovery](get-started-core-ediscovery.md) |Learn how to assign eDiscovery permissions and create Core eDiscovery cases. This topic also provides an overview of the Core eDiscovery workflow.<br/> |
-|[Create an eDiscovery hold](create-ediscovery-holds.md)|Learn how to create eDiscovery holds that associated with a Core eDiscovery case to preserve content relevant to the case you're investigating.|
-|[Search for content in a Core eDiscovery case](search-for-content-in-core-ediscovery.md)|Learn how to search for content that's relevant to a case. You can quickly create searches that search the content locations on hold.|
-|[Export content from a Core eDiscovery case](export-content-in-core-ediscovery.md)|Learn how to export and download content from a Core eDiscovery case.|
-|[Close, reopen, and delete a Core eDiscovery case](close-reopen-delete-core-ediscovery-cases.md)|Learn how to manage the lifecycle of a Core eDiscovery case.|
-|[Assign eDiscovery permissions](assign-ediscovery-permissions.md)|Learn how to assign permissions to users so they can search for content, place content locations on hold, and perform other eDiscovery-related tasks.|
+|[Assign eDiscovery permissions](assign-ediscovery-permissions.md)|Learn how to assign permissions to users so they can search for content, place content locations on hold, and perform other eDiscovery-related tasks in a Core eDiscovery case.|
|[Set up compliance boundaries for Core eDiscovery](set-up-compliance-boundaries.md)|Learn how to use compliance boundaries to create logical boundaries within an organization that control the content locations that an eDiscovery manager can search.|
+|[Create an eDiscovery hold](create-ediscovery-holds.md)|Learn how to create eDiscovery holds that associated with a Core eDiscovery case to preserve content relevant to the case you're investigating.|
+|[Search for content in a case](search-for-content-in-core-ediscovery.md)|Learn how to search for content that's relevant to a case. You can quickly create searches that search the content locations on hold.|
+|[Export content from a case](export-content-in-core-ediscovery.md)|Learn how to export and download content from a Core eDiscovery case.|
+|[Close, reopen, and delete a case](close-reopen-delete-core-ediscovery-cases.md)|Learn how to manage the lifecycle of a Core eDiscovery case.|
||| ## Advanced eDiscovery
-The Advanced eDiscovery solution in Microsoft 365 (also called *Advanced eDiscovery v2.0*) builds on the existing eDiscovery and analytics capabilities in Office 365. This eDiscovery solution provides an end-to-end workflow to preserve, collect, review, analyze, and export content that's responsive to your organization's internal and external investigations. It also lets legal teams manage custodians and the entire legal hold notification workflow to communicate with custodians involved in a case.
+The Advanced eDiscovery solution in Microsoft 365 (also called *Advanced eDiscovery v2.0*) builds on the existing eDiscovery and analytics capabilities in Microsoft 365. This eDiscovery solution provides an end-to-end workflow to preserve, collect, review, analyze, and export content that's responsive to your organization's internal and external investigations. It also lets legal teams manage custodians and the entire legal hold notification workflow to communicate with custodians involved in a case.
-|**Topic**|**Description**|
+|**Article**|**Description**|
|:-----|:-----|
-|[Overview of Advanced eDiscovery](overview-ediscovery-20.md)|This article introduces Advanced eDiscovery v2.0 and provides a high-level overview of the built-in workflow of Advanced eDiscovery and how it aligns to the eDiscovery process outlined by the Electronic Discovery Reference Model|.
-|[Get started with Advanced eDiscovery](get-started-with-advanced-ediscovery.md)|Learn how to get started using Advanced eDiscovery, including the required licensing and necessary eDiscovery permission. This article shows you how to create an Advanced eDiscovery case and provides a walk-through of the Advanced eDiscovery workflow.|
-|[Work with custodians](managing-custodians.md)|Learn about working with custodians in an Advanced eDiscovery. This topic links to step-by-step instructions to add custodians to a case, managing custodians in a case, and viewing custodian activity in Microsoft 365 by searching the audit log.|
-|[Work with communications](managing-custodian-communications.md)|Learn about managing the legal hold notification process in Advanced eDiscovery. This includes creating and automating the notification workflow and how a user acknowledged a hold notification.
-|[Work with processing errors](processing-data-for-case.md)|Learn about Advanced indexing and how to remediate indexing errors in content from custodial and non-custodial content locations, such as Exchange mailboxes, SharePoint sites, and OneDrive accounts. You can bulk-remediate errors and then upload remediated files to a review set or remediate individual processing errors within a review set.|
+|[Overview of Advanced eDiscovery](overview-ediscovery-20.md)|This article introduces Advanced eDiscovery, outlines the business justification for using this tool, presents Advanced eDiscovery architecture, and provides a high-level overview of the built-in workflow of Advanced eDiscovery.|
+|[Set up Advanced eDiscovery](get-started-with-advanced-ediscovery.md)|Learn how to get started using Advanced eDiscovery, including the required licensing and necessary eDiscovery permission.|
+|[Create and manage a case](create-and-manage-advanced-ediscoveryv2-case.md)|This article shows you how to create an Advanced eDiscovery case and provides a walk-through of the Advanced eDiscovery workflow.|
+|[Manage custodians](managing-custodians.md)|Learn about working with custodians in an Advanced eDiscovery. This topic links to step-by-step instructions to add custodians to a case, managing custodians in a case, and viewing custodian activity in Microsoft 365 by searching the audit log.|
+|[Manage custodian communications](managing-custodian-communications.md)|Learn about managing the legal hold notification process in Advanced eDiscovery. This includes creating and automating the notification workflow and how a user acknowledged a hold notification.
+|[Manage processing errors](processing-data-for-case.md)|Learn about Advanced indexing and how to remediate indexing errors in content from custodial and non-custodial content locations, such as Exchange mailboxes, SharePoint sites, and OneDrive accounts. You can bulk-remediate errors and then upload remediated files to a review set or remediate individual processing errors within a review set.|
|[Collect data for a case](collecting-data-for-ediscovery.md)|Learn about searching for content in custodial content locations, and then adding relevant case data to a review set. When you copy content to a review set, the data is copied from the original content locations to a Microsoft-provided Azure Storage location. This provides a static set of documents for the review process.| |[Manage review sets](managing-review-sets.md)|Learn about reviewing case data in a review set. This includes viewing, querying, filtering, and tagging documents in a review set. |[Analyze data in a review set](analyzing-data-in-review-set.md)|Learn about running analysis on the documents in a review set. The results of running analysis include near-duplication detection, email threading, and themes identification.| |[Export case data](exporting-data-ediscover20.md)|Learn about exporting data from a case for external review.| |||
-## Roadmap
+## eDiscovery roadmap
-To see what eDiscovery features have been launched, are rolling out, or in development, please visit the [Microsoft 365 Roadmap](https://aka.ms/eDiscoRoadMap).
+To see what eDiscovery features have been launched, are rolling out, or in development, see the [Microsoft 365 Roadmap](https://aka.ms/eDiscoRoadMap).
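Review bot: The renamed "Manage custodian communications" row in the Advanced eDiscovery table still ends without a closing `|` after "acknowledged a hold notification.", which can break rendering of the rows that follow. Add the trailing pipe while the row is being touched. The rename from "Content Search" to "Content search" is also only partly applied: the added rows for "Run a search" and "Content search limits" still say "Content Search tool", and the Core eDiscovery intro still says "links to topics" above a column now headed "Article". The moved "Create an eDiscovery hold" row keeps the phrase "holds that associated with", which should be "holds that are associated with".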
compliance https://docs.microsoft.com/en-us/microsoft-365/compliance/endpoint-dlp-configure-proxy https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/endpoint-dlp-configure-proxy.md new file mode 100644
@@ -0,0 +1,154 @@
+---
+title: "Configure device proxy and internet connection settings for Endpoint DLP"
+f1.keywords:
+- CSH
+ms.author: chrfox
+author: chrfox
+manager: laurawi
+ms.date: 07/21/2020
+audience: ITPro
+ms.topic: conceptual
+f1_keywords:
+- 'ms.o365.cc.DLPLandingPage'
+ms.service: O365-seccomp
+localization_priority: Priority
+ms.collection:
+- M365-security-compliance
+- m365solution-mip
+- m365initiative-compliance
+search.appverid:
+- MET150
+description: "Learn how to Configure device proxy and internet connection settings for Endpoint DLP."
+---
+
+# Configure device proxy and internet connection settings for Endpoint DLP
+
+Microsoft Endpoint DLP uses Microsoft Windows HTTP (WinHTTP) to report data and communicate with the Microsoft endpoint cloud service. The embedded Endpoint DLP runs in system context using the LocalSystem account.
+
+> [!TIP]
+> For organizations that use forward proxies as a gateway to the Internet, you can use network protection to investigate behind a proxy. For more information, see [Investigate connection events that occur behind forward proxies](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/investigate-behind-proxy).
+
+The WinHTTP configuration setting is independent of the Windows Internet (WinINet) Internet browsing proxy settings and can only discover a proxy server by using the following auto discovery methods:
+
+- Transparent proxy
+- Web Proxy Auto-discovery Protocol (WPAD)
+
+> [!NOTE]
+> If youΓÇÖre using Transparent proxy or WPAD in your network topology, you donΓÇÖt need special configuration settings. For more information on Defender for Endpoint URL exclusions in the proxy, see [Enable access to Endpoint DLP cloud service URLs in the proxy server](#enable-access-to-endpoint-dlp-cloud-service-urls-in-the-proxy-server).
+
+- Manual static proxy configuration:
+ - Registry based configuration
+ - WinHTTP configured using netsh command ΓÇô Suitable only for desktops in a stable topology (for example: a desktop in a corporate network behind the same proxy)
+
+## Configure the proxy server manually using a registry-based static proxy
+
+For endpoint devices that aren't permitted to connect to the Internet, you need to configure a registry-based static proxy. You need to configure this to allow only Microsoft Endpoint DLP to report diagnostic data and communicate with Microsoft endpoint cloud service.
+
+The static proxy is configurable through Group Policy (GP). The group policy can be found under:
+
+1. Open **Administrative Templates > Windows Components > Data Collection and Preview Builds > Configure Authenticated Proxy usage for the Connected User Experience and Telemetry Service**
+
+2. Set it to **Enabled** and select **Disable Authenticated Proxy usage**:
+
+![Image of group policy settings 1](../media/atp-gpo-proxy1.png)
+
+3. Open **Administrative Templates > Windows Components > Data Collection and Preview Builds > Configure connected user experiences and telemetry**:
+
+ Configure the proxy
+
+![Image of group policy settings 2](../media/atp-gpo-proxy2.png)
+
+The policy sets two registry values `TelemetryProxyServer` as REG_SZ and `DisableEnterpriseAuthProxy` as REG_DWORD under the registry key `HKLM\Software\Policies\Microsoft\Windows\DataCollection`.
+
+The registry value TelemetryProxyServer is in this format \<server name or ip\>:\<port\>. For example: **10.0.0.6:8080**
+
+The registry value `DisableEnterpriseAuthProxy` should be set to 1.
+
+## Configure the proxy server manually using "netsh" command
+
+Use netsh to configure a system-wide static proxy.
+
+> [!NOTE]
+> This will affect all applications including Windows services which use WinHTTP with default proxy. - Laptops that are changing topology (for example: from office to home) will malfunction with netsh. Use the registry-based static proxy configuration.
+
+1. Open an elevated command-line:
+ 1. Go to **Start** and type **cmd**
+ 1. Right-click **Command prompt** and select **Run as administrator**.
+2. Enter the following command and press **Enter**:
+
+ `netsh winhttp set proxy <proxy>:<port>`
+
+ For example: **netsh winhttp set proxy 10.0.0.6:8080**
+
+3. To reset the winhttp proxy, enter the following command and press **Enter**:
+
+ `netsh winhttp reset proxy`
+
+See [Netsh Command Syntax, Contexts, and Formatting](https://docs.microsoft.com/windows-server/networking/technologies/netsh/netsh-contexts) to learn more.
++
+## Enable access to Endpoint DLP cloud service URLs in the proxy server
+
+If a proxy or firewall is blocking all traffic by default and allowing only specific domains through, add the domains listed in the downloadable sheet to the allowed domains list.
+
+This [downloadable spreadsheet](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx) lists the services and their associated URLs that your network must be able to connect to. You should ensure that there are no firewall or network filtering rules that would deny access to these URLs, or you may need to create an allow rule specifically for them.
+
+If a proxy or firewall has HTTPS scanning (SSL inspection) enabled, exclude the domains listed in the above table from HTTPS scanning.
+If a proxy or firewall is blocking anonymous traffic, as Endpoint DLP is connecting from system context, make sure anonymous traffic is permitted in the previously listed URLs.
+
+## Verify client connectivity to Microsoft cloud service URLs
+
+Verify the proxy configuration completed successfully, that WinHTTP can discover and communicate through the proxy server in your environment, and that the proxy server allows traffic to the Defender for Endpoint service URLs.
+
+1. Download the [MDATP Client Analyzer tool](https://aka.ms/mdatpanalyzer) to the PC where Endpoint DLP is running on.
+2. Extract the contents of MDATPClientAnalyzer.zip on the device.
+3. Open an elevated command-line:
+ 1. Go to **Start** and type **cmd**.
+ 1. Right-click **Command prompt** and select **Run as administrator**.
+4. Enter the following command and press **Enter**:
+
+`HardDrivePath\MDATPClientAnalyzer.cmd`
+
+Replace *HardDrivePath* with the path where the MDATPClientAnalyzer tool was downloaded to, for example
+
+**C:\Work\tools\MDATPClientAnalyzer\MDATPClientAnalyzer.cmd**
++
+5. Extract the **MDATPClientAnalyzerResult.zip*** file created by tool in the folder used in the *HardDrivePath*.
+
+6. Open **MDATPClientAnalyzerResult.txt** and verify that you have performed the proxy configuration steps to enable server discovery and access to the service URLs. The tool checks the connectivity of Defender for Endpoint service URLs that Defender for Endpoint client is configured to interact with. It then prints the results into the **MDATPClientAnalyzerResult.txt** file for each URL that can potentially be used to communicate with the Defender for Endpoint services. For example:
+
+ **Testing URL : https://xxx.microsoft.com/xxx </br>
+1 - Default proxy: Succeeded (200) </br>
+2 - Proxy auto discovery (WPAD): Succeeded (200)</br>
+3 - Proxy disabled: Succeeded (200)</br>
+4 - Named proxy: Doesn't exist</br>
+5 - Command line proxy: Doesn't exist**</br>
++
+If at least one of the connectivity options returns a (200) status, then the Defender for Endpoint client can communicate with the tested URL properly using this connectivity method.
+
+However, if the connectivity check results indicate a failure, an HTTP error is displayed (see HTTP Status Codes). You can then use the URLs in the table shown in [Enable access to Endpoint DLP cloud service URLs in the proxy server](#enable-access-to-endpoint-dlp-cloud-service-urls-in-the-proxy-server). The URLs youΓÇÖll use will depend on the region selected during the onboarding procedure.
+[!NOTE] The Connectivity Analyzer tool is not compatible with ASR rule [Block process creations originating from PSExec and WMI commands](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction#attack-surface-reduction-rules). You will need to temporarily disable this rule to run the connectivity tool.
+
+[!NOTE] When the TelemetryProxyServer is set, in Registry or via Group Policy, Defender for Endpoint will fall back to direct if it canΓÇÖt access the defined proxy.
+Related topics
+ΓÇó Onboard Windows 10 devices
+ΓÇó Troubleshoot Microsoft Endpoint DLP onboarding issues
+++++
+## See also
+
+- [Learn about Endpoint data loss prevention ](endpoint-dlp-learn-about.md)
+- [Using Endpoint data loss prevention ](endpoint-dlp-using.md)
+- [Overview of data loss prevention](data-loss-prevention-policies.md)
+- [Create, test, and tune a DLP policy](create-test-tune-dlp-policy.md)
+- [Get started with Activity explorer](data-classification-activity-explorer.md)
+- [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/)
+- [Onboarding tools and methods for Windows 10 machines](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints)
+- [Microsoft 365 subscription](https://www.microsoft.com/microsoft-365/compare-microsoft-365-enterprise-plans?rtc=1)
+- [Azure AD joined devices](https://docs.microsoft.com/azure/active-directory/devices/concept-azure-ad-join)
+- [Download the new Microsoft Edge based on Chromium](https://support.microsoft.com/help/4501095/download-the-new-microsoft-edge-based-on-chromium)
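Review bot: The two `[!NOTE]` lines near the end of the new file (the ASR rule incompatibility and the TelemetryProxyServer fallback) are not written as `> [!NOTE]` blockquotes, so they will render as literal text. The fallback note also belongs in the registry-based static proxy section. That section is addressed to devices that aren't permitted to connect to the Internet, and an admin configuring it needs to know that the client will "fall back to direct if it can't access the defined proxy", so that direct egress can be blocked at the network layer where that is the intent.

Other points in this file: several added lines consist only of `+` characters (after the netsh link, after the example path, after the sample analyzer output, and before "See also"). The "Related topics" block is pasted plain text with bullet characters and no links. "MDATPClientAnalyzerResult.zip" has a stray third asterisk. "the domains listed in the above table" and "the URLs in the table shown in" refer to a table the article does not contain, since it only links a downloadable spreadsheet. "(see HTTP Status Codes)" has no link. The netsh note runs two separate caveats together with " - ". The apostrophes and the dash in "you're", "don't", "you'll", "can't" and "netsh command -" show up as `ΓÇÖ` and `ΓÇô`, so replace them with ASCII characters. The text also switches between "Endpoint DLP" and "Defender for Endpoint" for the client and service URLs. State once that Endpoint DLP uses the Defender for Endpoint connectivity path, then use one name consistently.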
compliance https://docs.microsoft.com/en-us/microsoft-365/compliance/endpoint-dlp-getting-started https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/endpoint-dlp-getting-started.md
@@ -94,6 +94,8 @@ Make sure that the Windows 10 devices that you plan on deploying Endpoint DLP to
6. If you are on Monthly Enterprise Channel of Microsoft 365 Apps versions 2004-2008, there is a known issue with Endpoint DLP classifying Office content and you need to update to version 2009 or later. See [Update history for Microsoft 365 Apps (listed by date)](https://docs.microsoft.com/officeupdates/update-history-microsoft365-apps-by-date) for current versions. To learn more about this issue, see the Office Suite section of [Release notes for Current Channel releases in 2020](https://docs.microsoft.com/officeupdates/current-channel#version-2010-october-27).
+7. If you have endpoints that use a device proxy to connect to the internet, follow the procedures in [Configure device proxy and internet connection settings for Endpoint DLP](endpoint-dlp-configure-proxy.md).
+ ## Onboarding devices into device management You must enable device monitoring and onboard your endpoints before you can monitor and protect sensitive items on a device. Both of these actions are done in the Microsoft 365 Compliance portal.
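Review bot: New step 7 is conditioned only on endpoints "that use a device proxy to connect to the internet", but the linked article also covers devices that aren't permitted to connect to the Internet, and proxies or firewalls that allow only specific domains or perform HTTPS scanning. Broaden the condition, for example "If your endpoints connect through a proxy or firewall, or aren't permitted to connect to the internet directly", so that admins in those environments don't skip the step.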
compliance https://docs.microsoft.com/en-us/microsoft-365/compliance/export-search-results https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/export-search-results.md
@@ -182,20 +182,7 @@ Here's more information about exporting search results.
### Export limits
-These limits also apply when exporting search results in a Core eDiscovery case.
-
-|Description of limit|Limit|
-|:-----|:-----|
-|Maximum amount of exportable data from a single Content Search <br/><br/> **Note:** If the search results are larger than 2 TB, consider using date ranges or other types of filters to decrease the total size of the search results. <br/> |2 TB <br/> |
-|Maximum an organization can export in a single day <br/><br/> **Note:** This limit is reset daily at 12:00AM UTC <br/> |2 TB <br/> |
-|Maximum concurrent exports that can be ran at same time within your organization <br/><br/> **Note:** Running a **Report Only** export counts against total concurrent exports for your organization. If three users are performing 3 exports each, then only one other export can be performed. Whether it is exporting a report or search results, no other exports can be performed until one has completed. <br/> |10 <br/> |
-|Maximum exports a single user can run <br/> |3 <br/> |
-|Maximum amount of mailboxes search results can be downloaded using the eDiscovery Export Tool in the Microsoft 365 compliance center <br/><br/> **Note:** To download the search results from more than 100,000 mailboxes, you have to use Security & Compliance Center PowerShell. For instructions, see [Exporting results from more than 100,000 mailboxes](#exporting-results-from-more-than-100000-mailboxes). <br/> | 100,000 <br/>|
-|Maximum size of PST file that can be exported <br/><br/> **Note:** If the search results from a user's mailbox are larger than 10 GB, the search results for the mailbox will be exported in two (or more) separate PST files. If you choose to export all search results in a single PST file, the PST file will be spilt into additional PST files if the total size of the search results is larger than 10 GB. If you want to change this default size, you can edit the Windows Registry on the computer that you use to export the search results. See [Change the size of PST files when exporting eDiscovery search results](change-the-size-of-pst-files-when-exporting-results.md). The search results from a specific mailbox won't be divided among multiple PST files unless the content from a single mailbox is more than 10 GB. If you chose to export the search results in one PST file for that contains all messages in a single folder and the search results are larger than 10 GB, the items are still organized in chronological order, so they will be spilt into additional PST files based on the sent date.<br/> | 10 GB <br/> |
-|Rate at which search results from mailboxes and sites are uploaded to a Microsoft-provided Azure Storage location. |Maximum of 2 GB per hour|
-|||
-
-For information about other limits, see [Limits for Content Search](limits-for-content-search.md).
+For information about limits when exporting content search results, see the "Export limits" section in [Limits for content search](limits-for-content-search.md#export-limits).
### Export reports
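Review bot: The removed block carried more than the table, and the one-line replacement does not say where that content went. The opening sentence "These limits also apply when exporting search results in a Core eDiscovery case" is dropped. The 100,000-mailbox row also linked to this article's own section through the in-page anchor "#exporting-results-from-more-than-100000-mailboxes". Before merging, confirm that limits-for-content-search.md#export-limits exists, states the Core eDiscovery applicability, and links back to this file for the 100,000-mailbox procedure rather than reusing the bare in-page anchor, which will not resolve from the other article.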
compliance https://docs.microsoft.com/en-us/microsoft-365/compliance/get-started-with-advanced-ediscovery https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/get-started-with-advanced-ediscovery.md
@@ -1,5 +1,5 @@
---
-title: "Get started with Advanced eDiscovery in Microsoft 365"
+title: "Set up Advanced eDiscovery in Microsoft 365"
f1.keywords: - NOCSH ms.author: markjjo
@@ -17,14 +17,14 @@ ms.collection:
search.appverid: - MOE150 - MET150
-description: "This article describes how to get started using Advanced eDiscovery in Microsoft 365. After you complete a few quick steps, the Advanced eDiscovery tool is ready to use. The first step is to create a case, and then start using Advanced eDiscovery features and functionality."
+description: "This article describes how to set up Advanced eDiscovery so you can start creating and managing cases. It also describes the required Microsoft subscriptions and licensing. After you complete a few quick steps, the Advanced eDiscovery tool is ready to use."
---
-# Get started with Advanced eDiscovery
+# Set up Microsoft 365 Advanced eDiscovery
-Advanced eDiscovery in Microsoft 365 provides an [end-to-end workflow](overview-ediscovery-20.md#advanced-ediscovery-architecture) to preserve, collect, review, analyze, and export data that's responsive to your organization's internal and external investigations. Nothing is needed to deploy Advanced eDiscovery, but there are some prerequisite tasks that an IT admin and eDiscovery manager have to complete before your organization can start to create and use Advanced eDiscovery cases to manage your investigations.
+Advanced eDiscovery in Microsoft 365 provides an [end-to-end workflow](overview-ediscovery-20.md#advanced-ediscovery-workflow) to preserve, collect, review, analyze, and export data that's responsive to your organization's internal and external investigations. Nothing is needed to deploy Advanced eDiscovery, but there are some prerequisite tasks that an IT admin and eDiscovery manager have to complete before your organization can start to create and use Advanced eDiscovery cases to manage your investigations.
-This article discusses the steps necessary to set up Advanced eDiscovery. This includes ensuring the proper licensing required to access Advanced eDiscovery and add custodians to cases, as well as assigning permissions to your legal and investigation team so they can access and manage cases. This article also provides a high-level overview of using cases to manage the Advanced eDiscovery workflow for a legal investigation.
+This article discusses the steps necessary to set up Advanced eDiscovery. This includes ensuring the proper licensing required to access Advanced eDiscovery and add custodians to cases, and assigning permissions to your legal and investigation team so they can access and manage cases.
## Step 1: Verify and assign appropriate licenses
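Review bot: The workflow link now points to "overview-ediscovery-20.md#advanced-ediscovery-workflow" instead of "#advanced-ediscovery-architecture", but nothing in this diff shows the heading in the overview article being renamed. Confirm the new anchor exists in the same change set. Separately, the H1 added here reads "Set up Microsoft 365 Advanced eDiscovery" while the front-matter title changed in the previous hunk reads "Set up Advanced eDiscovery in Microsoft 365"; pick one wording so the page title and heading match.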
@@ -98,76 +98,6 @@ For more information about setting up and using the attorney-client privilege de
> [!NOTE] > This is an optional step that you can perform anytime. Not implementing the attorney-client privilege detection model doesn't prevent you from creating and using Advanced eDiscovery cases.
-## Step 4: Create an Advanced eDiscovery case
+## Next steps
-The next step is to create a case and start using Advanced eDiscovery. Complete the following steps to create a case and add members. The user who creates the case is automatically added as a member.
-
-1. Go to [https://compliance.microsoft.com](https://compliance.microsoft.com) and sign in with a user account that has been assigned the appropriate eDiscovery permissions. Members of the Organization Management role group can also create Advanced eDiscovery cases.
-
-2. In the left navigation pane of the Microsoft 365 compliance center, click **Show all**, and then click **eDiscovery > Advanced**.
-
-3. On the **Advanced eDiscovery** page, click the **Cases** tab, and then click **Create a case**.
-
-4. On the **New eDiscovery case** flyout page, give the case a name (required), and then type an optional case number and description. The case name must be unique in your organization.
-
-5. Click **Save** to create the case.
-
- The new case is created and the **Settings** tab in the new case is displayed.
-
-6. In the **Access & permissions** tile on the **Settings** tab, click **Select**, and then click **Update**.
-
-7. Click **Update**.
-
-8. On the **Manage this case** flyout page, under **Manage members**, click **Add** to add members to the case.
-
-9. In the list of people, select the check box next to the names of the people that you want to add to the case. As previously explained, be sure that the people you add to the case have been assigned the appropriate eDiscovery permissions.
-
-10. After you've selected the people to add as members of the case, click **Add**.
-
-11. In the **Manage this case** flyout page, click **Save** to save the new list of case members.
-
-12. Click the **Home** tab to go to the case home page.
-
-## Explore the Advanced eDiscovery workflow
-
-To get you started using Advanced eDiscovery, here's a simple workflow that aligns with [common eDiscovery practices](overview-ediscovery-20.md#alignment-with-edrm). In each of these steps, we'll also highlight some extended Advanced eDiscovery functionality that you can explore.
-
-![Advanced eDiscovery workflow](../media/AeDWorkflow.png)
-
-1. **[Add custodians to a case](add-custodians-to-case.md)**. The first step after creating a case is to add custodians. A *custodian* is a person having administrative control of a document or electronic file that may be relevant to the case. Here are some things that happen (or that you can do) when you add custodians to a case:
-
- - Data in the custodian's Exchange mailbox, OneDrive account, and any Microsoft Teams or Yammer groups that the custodian is a member of can be "marked" as custodial data in the case.
-
- - Custodian data is reindexed (by a process called *Advanced indexing*). This helps optimize searching for it in the next step.
-
- - You can place a hold on custodian data. This preserves data that may be relevant to the case during the investigation.
-
- - You can associate other data sources with a custodian (for example, you can associate a SharePoint site or Microsoft 365 Group with a custodian) so this data can be reindexed, placed on hold, and searched, just like the data in the custodian's mailbox or OneDrive account.
-
- - You can use the [communications workflow](managing-custodian-communications.md) in Advanced eDiscovery to send a legal hold notification to custodians.
-
-2. **[Search custodial data sources for data relevant to the case](collecting-data-for-ediscovery.md)**. After you add custodians to a case, use the built-in search tool to search the custodian data locations for data that may be relevant to the case. You use keywords, properties, and conditions to [build search queries](building-search-queries.md) that return search results with the data that's most likely relevant to the case. You can also:
-
- - View [search statistics](search-statistics-in-advanced-ediscovery.md) that may help you refine a search query to narrow the results.
-
- - Preview the search results to quickly verify whether the relevant data is being found.
-
- - Revise a query and rerun the search.
-
-3. **[Add data to a review set](add-data-to-review-set.md)**. Once you've configured and verified that a search returns the desired data, the next step is to add the search results to a review set. When you add data to a review set, items are copied from their original location to a secure Azure Storage location. The data is reindexed again to optimize it for thorough and fast searches when reviewing and analyzing items in the review set. Additionally, you can also [add non-Office 365 data into a review set](load-non-office-365-data-into-a-review-set.md).
-
- There's also a special kind of review set that you can add data to, called a *conversation review set*. These types of review sets provide conversation reconstruction capabilities to reconstruct, review, and export threaded conversations like those in Microsoft Teams. For more information, see [Review conversations in Advanced eDiscovery](conversation-review-sets.md).
-
-4. **Review and analyze data in a review set**. Now that data is in a review set, you can use a wide-variety of tools and capabilities to view and analyze the case data with the goal of reducing the data set to what is most relevant to the case you're investigating. Here's a list of some tools and capabilities that you can use during this process.
-
- - [View documents](view-documents-in-review-set.md). This includes viewing the metadata for each document in a review set, and viewing the document in its native version or text version.
-
- - [Create queries and filters](review-set-search.md). You create search queries using a variety of search criteria (including the ability to search all [file metadata properties](document-metadata-fields-in-advanced-ediscovery.md)) to further refine and cull the case data to what is most relevant to the case. You can also use review set filters to quickly apply additional conditions to the results of a search query to further refine those results.
-
- - [Create and use tags](tagging-documents.md). You can apply tags to documents in a review set to identify which are responsive (or non-responsive to the case) and then use those tags when creating search queries to include or exclude the tagged documents. You can also tagging to determine which documents to export.
-
- - [Annotate and redact documents](view-documents-in-review-set.md#annotate-view). You can use the annotation tool in a review to annotate documents and redact content in documents as work product. We generate a PDF version of an annotated or redacted document during the review to reduce the risk of exporting the un-redacted native version of the document.
-
- - [Analyze case data](analyzing-data-in-review-set.md). The analytics functionality in Advanced eDiscovery is powerful. Advanced eDiscovery provides a number of tools to analyze the documents to further reduce the volume of documents to be reviewed in a review set. We also generate analytics reports that summarize the result of running analytics. As previously explained, running analytics also runs [the attorney-client privilege detection model](attorney-privilege-detection.md#use-the-attorney-client-privilege-detection-model).
-
-5. **Export and download case data**. A final step after collecting, reviewing, and analyzing case data is to export it out of Advanced eDiscovery for external review or for review by people outside of the investigation team. Exporting data is a two-step process. The first step is to [export](export-documents-from-review-set.md) data out of the review set and copy it to a different Azure Storage location (one provided by Microsoft or one managed by your organization). Then you use Azure Storage Explorer to [download](download-export-jobs.md) the data to a local computer. In addition to the exported data files, the contains of the export package also contains an export report, a summary report, and an error report.
+After you set up Advanced eDiscovery, you're ready to [create a case](create-and-manage-advanced-ediscoveryv2-case.md).
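Review bot: The new "Next steps" section links only to case creation, while the removed "Explore the Advanced eDiscovery workflow" section was the entry point to custodians, searches, review sets and export. Add a second link to the workflow overview that the introduction already references, so readers who used this page as the map still have one. Also confirm that create-and-manage-advanced-ediscoveryv2-case.md carries the removed reminder that people added as case members must already hold the appropriate eDiscovery permissions, since that is the access-control detail most likely to be lost in the move.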
compliance https://docs.microsoft.com/en-us/microsoft-365/compliance/insider-risk-management-cases https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/insider-risk-management-cases.md
@@ -179,9 +179,9 @@ Risk analysts and investigators can take action on a case in one of several meth
### Send email notice
-In most cases, user actions that create insider risk alerts are inadvertent or accidental. Sending a reminder notice to the user via email is an effective method for documenting case review and action, as well as a method to remind users of corporate policies or point them to refresher training. Notices are generated from [notice templates that you create](insider-risk-management-notices.md) for your insider risk management infrastructure.
+In most cases, user actions that create insider risk alerts are inadvertent or accidental. Sending a reminder notice to the user via email is an effective method for documenting case review and action, and is a method to remind users of corporate policies or point them to refresher training. Notices are generated from [notice templates that you create](insider-risk-management-notices.md) for your insider risk management infrastructure.
-It's important to remember that sending an email notice to a user ***does not*** resolve the case as *Closed*. In some cases, you may want to leave a case open after sending a notice to a user to look for additional risk activities without opening a new case. If you want to resolve a case after sending a notice, you must select the **Resolve case** as a follow-on step after sending a notice.
+It's important to remember that sending an email notice to a user ***does not*** resolve the case as *Closed*. In some cases, you may want to leave a case open after sending a notice to a user to look for more risk activities without opening a new case. If you want to resolve a case after sending a notice, you must select the **Resolve case** as a follow-on step after sending a notice.
To send a notice to the user assigned to a case:
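Review bot: The reworded sentence in the first paragraph now reads "is an effective method for documenting case review and action, and is a method to remind users", which repeats "method" and breaks the parallel structure. Suggest "is an effective method for documenting case review and action, and for reminding users of corporate policies or pointing them to refresher training". In the second changed paragraph, "you must select the **Resolve case** as a follow-on step" is missing a noun after the control name or has a stray "the"; worth fixing while the line is open.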
@@ -212,6 +212,7 @@ Using recommended Power Automate flows, risk investigators and analysts can quic
- Request information from HR or business about a user in an insider risk case - Notify manager when a user has an insider risk alert - Add calendar reminder to follow up on an insider risk case
+- Create a record for an insider risk management case in ServiceNow
To run, manage, or create Power Automate flows for an insider risk management case:
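Review bot: The added bullet is worded "Create a record for an insider risk management case in ServiceNow", but the template is introduced in insider-risk-management-settings.md as "Create record for insider risk case in ServiceNow". The other three bullets in this list match their template names exactly, so use the template name here as well; otherwise users searching the template gallery for the text on this page will not find it.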
compliance https://docs.microsoft.com/en-us/microsoft-365/compliance/insider-risk-management-settings https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/insider-risk-management-settings.md
@@ -56,7 +56,7 @@ Policy indicators are segmented into the following areas. You can choose the ind
- **Office indicators**: These include policy indicators for SharePoint sites, Teams, and email messaging. - **Device indicators**: These include policy indicators for activity such as sharing files over the network or with devices. Indicators include activity involving Microsoft Office files, .CSV files, and .PDF files. If you select **Device indicators**, activity is processed only for devices with Windows 10 Build 1809 or higher. For more information on configuring devices for integration with insider risk, see the following [Enable device indicators and onboard devices](insider-risk-management-settings.md#OnboardDevices) section. - **Security policy violation indicator**: These include indicators from Microsoft Defender for Endpoint related to unapproved or malicious software installation or bypassing security controls. To receive alerts in insider risk management, you must have an active Defender for Endpoint license and insider risk integration enabled. For more information on configuring Defender for Endpoint for insider risk management integration, see [Configure advanced features in Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features\#share-endpoint-alerts-with-microsoft-compliance-center).-- **Risk score boosters**: These include raising the risk score for unusual activities or past policy violations. Enabling risk score boosters increase risk scores and the likelihood of alerts for these types of activities. Risk score boosters can only be selected if one or more indicators above are selected.
+- **Risk score boosters**: These include raising the risk score for unusual activities or past policy violations. Enabling risk score boosters increase risk scores and the likelihood of alerts for these types of activities. Risk score boosters can only be selected if one or more indicators are selected.
![Insider risk management indicator settings](../media/insider-risk-settings-indicators.png)
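Review bot: The changed "Risk score boosters" line still has a subject-verb disagreement: "Enabling risk score boosters increase risk scores" should be "increases". Since the edit only dropped "above", fix this in the same pass. The bullet is also fused onto the end of the preceding "Security policy violation indicator" line ("...compliance-center).-- **Risk score boosters**"), so check that it renders as its own list item.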
@@ -99,8 +99,8 @@ In this deployment scenario, you'll onboard devices that have not been onboarded
3. Choose **Device management** to open the **Devices** list. The list will be empty until you onboard devices. 4. Choose **Onboarding** to begin the onboarding process.
-5. Choose the way you want to deploy to these additional devices from the **Deployment method** list and then **download package**.
-6. Follow the appropriate procedures in [Onboarding tools and methods for Windows 10 machines](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints). This link take you to a landing page where you can access Microsoft Defender for Endpoint procedures that match the deployment package you selected in step 5:
+5. Choose the way you want to deploy to these more devices from the **Deployment method** list and then **download package**.
+6. Follow the appropriate procedures in [Onboarding tools and methods for Windows 10 machines](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints). This link takes you to a landing page where you can access Microsoft Defender for Endpoint procedures that match the deployment package you selected in step 5:
- Onboard Windows 10 machines using Group Policy - Onboard Windows machines using Microsoft Endpoint Configuration Manager - Onboard Windows 10 machines using Mobile Device Management tools
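Review bot: In step 5, replacing "additional" with "more" produces "deploy to these more devices", which is not grammatical. Use "these devices" or "the new devices". The button label is also lowercase here ("**download package**") but capitalized as "**Download package**" in the matching step of the next procedure; use whichever casing the portal shows in both places.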
@@ -120,9 +120,9 @@ If Microsoft Defender for Endpoint is already deployed and there are endpoints r
1. Open the [Microsoft compliance center](https://compliance.microsoft.com). 2. Open the Compliance Center settings page and choose **Enable device monitoring**. 3. Choose **Device management** to open the **Devices** list. You should see the list of devices that are already reporting in to Microsoft Defender for Endpoint.
-4. Choose **Onboarding** if you need to onboard additional devices.
-5. Choose the way you want to deploy to these additional devices from the **Deployment method** list and then **Download package**.
-6. Follow the appropriate procedures in [Onboarding tools and methods for Windows 10 machines](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints). This link take you to a landing page where you can access Microsoft Defender for Endpoint procedures that match the deployment package you selected in step 5:
+4. Choose **Onboarding** if you need to onboard more devices.
+5. Choose the way you want to deploy to these more devices from the **Deployment method** list and then **Download package**.
+6. Follow the appropriate procedures in [Onboarding tools and methods for Windows 10 machines](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints). This link takes you to a landing page where you can access Microsoft Defender for Endpoint procedures that match the deployment package you selected in step 5:
- Onboard Windows 10 machines using Group Policy - Onboard Windows machines using Microsoft Endpoint Configuration Manager - Onboard Windows 10 machines using Mobile Device Management tools
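Review bot: Step 4 reads well after the change ("onboard more devices"), but step 5 becomes "deploy to these more devices", where the mechanical substitution does not work. Since step 4 has just introduced the devices, "deploy to those devices" is enough.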
@@ -336,7 +336,7 @@ Complete the following steps to configure priority physical assets:
2. In the [Microsoft 365 compliance center](https://compliance.microsoft.com), go to **Insider risk management** and select **Insider risk settings** > **Priority physical assets**. 3. On the **Priority physical assets** page, you can either manually add the physical asset IDs you want to monitor for the asset events imported by the Physical badging connector or import a .CSV file of all physical assets IDs imported by the Physical badging connector:
- a) To manually add physical assets IDs, choose **Add priority physical assets**, enter a physical asset ID, then select **Add**. Enter additional physical asset IDs and then select **Add priority physical assets** to save all the assets entered.
+ a) To manually add physical assets IDs, choose **Add priority physical assets**, enter a physical asset ID, then select **Add**. Enter other physical asset IDs and then select **Add priority physical assets** to save all the assets entered.
b) To add a list of physical asset IDs from a .CSV file, choose **Import priority physical assets**. From the file explorer dialog, select the .CSV file you wish to import, then select **Open**. The physical asset IDs from the .CSV files are added to the list. 4. Navigate to the **Policy indicators** tab in Settings. 5. On the **Policy indicators** page, navigate to the **Physical access indicators** section and select the checkbox for **Physical access after termination or failed access to sensitive asset**.
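Review bot: The edited line a) still opens with "To manually add physical assets IDs" while the rest of the same line uses "physical asset ID" and "physical asset IDs". Normalize to "physical asset IDs" here, and in the step 3 context line above ("all physical assets IDs imported"), so the term matches the label a user will see when entering values.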
@@ -359,13 +359,13 @@ Complete the following steps to delete a priority physical asset:
[Microsoft Power Automate](https://docs.microsoft.com/power-automate/getting-started) is a workflow service that automates actions across applications and services. By using flows from templates or created manually, you can automate common tasks associated with these applications and services. When you enable Power Automate flows for insider risk management, you can automate important tasks for cases and users. You can configure Power Automate flows to retrieve user, alert, and case information and share this information with stakeholders and other applications, as well as automate actions in insider risk management, such as posting to case notes. Power Automate flows are applicable for cases and any user in scope for a policy.
-Customers with Microsoft 365 subscriptions that include insider risk management do not need additional Power Automate licenses to use the recommended insider risk management Power Automate templates. These templates can be customized to support your organization and cover core insider risk management scenarios. If you choose to use premium Power Automate features in these templates, create a custom template using the Microsoft 365 compliance connector, or use Power Automate templates for other compliance areas in Microsoft 365, you may need additional Power Automate licenses.
+Customers with Microsoft 365 subscriptions that include insider risk management do not need additional Power Automate licenses to use the recommended insider risk management Power Automate templates. These templates can be customized to support your organization and cover core insider risk management scenarios. If you choose to use premium Power Automate features in these templates, create a custom template using the Microsoft 365 compliance connector, or use Power Automate templates for other compliance areas in Microsoft 365, you may need more Power Automate licenses.
The following Power Automate templates are provided to customers to support process automation for insider risk management users and cases: - **Notify users when they're added to an insider risk policy**: This template is for organizations that have internal policies, privacy, or regulatory requirements that users must be notified when they are subject to insider risk management policies. When this flow is configured and selected for a user in the users page, users and their managers are sent an email message when the user is added to an insider risk management policy. This template also supports updating a SharePoint list hosted on a SharePoint site to help track notification message details like date/time and the message recipient. If you've chosen to anonymize users in **Privacy settings**, flows created from this template will not function as intended so that user privacy is maintained. Power Automate flows using this template are available on the **Users dashboard**. - **Request information from HR or business about a user in an insider risk case**: When acting on a case, insider risk analysts and investigators may need to consult with HR or other stakeholders to understand the context of the case activities. When this flow is configured and selected for a case, analysts and investigators send an email message to HR and business stakeholders configured for this flow. Each recipient is sent a message with pre-configured or customizable response options. When recipients select a response option, the response is recorded as a case note and includes recipient and date/time information. If you've chosen to anonymize users in **Privacy settings**, flows created from this template will not function as intended so that user privacy is maintained. 
Power Automate flows using this template are available on the **Cases dashboard**.-- **Notify manager when a user has an insider risk alert**: Some organizations may need to have immediate management notification when a user has an insider risk management alert. When this flow is configured and selected, the manager for the case user is sent an email message with the following information about all case alerts:
+- **Notify manager when a user has an insider risk alert**: Some organizations may need to have immediate management notification when a user has an insider risk management alert. When this flow is configured and selected, the manager for the case user is sent an email message with the following information about all case alerts:
- Applicable policy for the alert - Date/Time of the alert - Severity level of the alert
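Review bot: Only the last sentence of the licensing paragraph was changed, so the paragraph now says "do not need additional Power Automate licenses" in its first sentence and "may need more Power Automate licenses" in its last. Use one term in both. Because this paragraph tells customers what they have to buy, also consider making the last sentence explicit about which of the three listed cases (premium features, custom template, templates for other compliance areas) triggers the requirement, rather than "may need".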
@@ -373,6 +373,7 @@ The following Power Automate templates are provided to customers to support proc
The flow automatically updates the case notes that the message was sent and that the flow was activated. If you've chosen to anonymize users in **Privacy settings**, flows created from this template will not function as intended so that user privacy is maintained. Power Automate flows using this template are available on the **Cases dashboard**. - **Add calendar reminder to follow up on an insider risk case**: This template allows risk investigators and analysts to add calendar reminders for cases to their Office 365 Outlook calendar. This flow eliminates the need for users to exit or switch out of the insider risk management workflow when processing cases and triaging alerts. When this flow is configured and selected, a reminder is added to Office 365 Outlook calendar for the user running the flow. Power Automate flows using this template are available on the **Cases dashboard**.
+- **Create record for insider risk case in ServiceNow**: This template is for organizations that want to use their ServiceNow solution to track insider risk management cases. When in a case, insider risk analysts and investigators can create a record for the case in ServiceNow. You can customize this template to populate selected fields in ServiceNow based on your organization's requirements. Power Automate flows using this template are available on the **Cases dashboard**. For more information on available ServiceNow fields, see the [ServiceNow Connector reference](/connectors/service-now/) article.
### Create a Power Automate flow from insider risk management template
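Review bot: The new ServiceNow entry does not say how it behaves when users are anonymized in **Privacy settings**. The three templates above that send user or case details each state that flows "will not function as intended so that user privacy is maintained"; this template copies case data into an external system, so it needs the same statement, or an explicit note about which fields are populated by default. Also, the connector link is site-relative ("/connectors/service-now/") while the other connector link in this article uses the full "https://docs.microsoft.com/connectors/..." form; match the file's existing style.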
@@ -386,7 +387,7 @@ Complete the following steps to create a Power Automate flow from a recommended
2. On the **Power Automate flows** page, select a recommended template from the **Insider risk management templates you may like** section on the page. 3. The flow lists the embedded connections needed for the flow and will note if the connection statuses are available. If needed, update any connections that aren't displayed as available. Select **Continue**. 4. By default, the recommended flows are pre-configured with the recommended insider risk management and Microsoft 365 service data fields required to complete the assigned task for the flow. If needed, customize the flow components by using the **Show advanced options** control and configuring the available properties for the flow component.
-5. If needed, add any additional steps to the flow by selecting the **New step** button. In most cases, this should not be needed for the recommended default templates.
+5. If needed, add any other steps to the flow by selecting the **New step** button. In most cases, this should not be needed for the recommended default templates.
6. Select **Save draft** to save the flow for further configuration or select **Save** to complete the configuration for the flow. 7. Select **Close** to return to the **Power Automate flow** page. The new template will be listed as a flow on the **My flows** tabs and is automatically available from the **Automate** dropdown control when working with insider risk management cases for the user creating the flow.
@@ -399,7 +400,7 @@ Some processes and workflows for your organization may be outside of the recomme
Complete the following steps to create a custom Power Automate template for insider risk management:
-1. **Check your Power Automate flow license**: To create customized Power Automate flows that use insider risk management triggers, you'll need a Power Automate license. The recommended insider risk management flow templates do not require additional licensing and are included as part of your insider risk management license.
+1. **Check your Power Automate flow license**: To create customized Power Automate flows that use insider risk management triggers, you'll need a Power Automate license. The recommended insider risk management flow templates do not require extra licensing and are included as part of your insider risk management license.
2. **Create an automated flow**: Create a flow that performs one or more tasks after it's triggered by an insider risk management event. For details on how to create an automated flow, see [Create a flow in Power Automate](https://docs.microsoft.com/power-automate/get-started-logic-flow). 3. **Select the Microsoft 365 compliance connector**: Search for and select the Microsoft 365 compliance connector. This connector enables insider risk management triggers and actions. For more information on connectors, see the [Connector reference overview](https://docs.microsoft.com/connectors/connector-reference/) article. 4. **Choose insider risk management triggers for your flow**: Insider risk management has two triggers available for custom Power Automate flows:
compliance https://docs.microsoft.com/en-us/microsoft-365/compliance/limits-core-ediscovery https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/limits-core-ediscovery.md
@@ -19,11 +19,11 @@ search.appverid:
description: "This article describes the limits in core eDiscovery case in Microsoft 365." ---
-# Limits in core eDiscovery
+# Limits in Core eDiscovery
-The following table lists the limits for core eDiscovery cases and holds associated with a core eDiscovery case. For more information about core eDiscovery, see [Overview of core eDiscovery](ediscovery-cases.md).
+The following table lists the limits for core eDiscovery cases and holds associated with a core eDiscovery case. For more information about Core eDiscovery, see [Overview of Core eDiscovery](ediscovery-cases.md).
- |**Description of limit**|**Limit**|
+ | Description of limit | Limit |
|:-----|:-----| |Maximum number of cases for an organization <br/> |No limit <br/> | |Maximum number of case holds for an organization <br/> |10,000 <br/> |
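Review bot: the capitalization change is only half-applied in the added intro sentence, which still reads "limits for core eDiscovery cases and holds associated with a core eDiscovery case" while the heading and the link text in this same hunk now use "Core eDiscovery". Capitalize the two remaining occurrences, and update the unchanged front-matter description ("limits in core eDiscovery case") in the same pass so the article uses one form throughout.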
@@ -33,4 +33,11 @@ The following table lists the limits for core eDiscovery cases and holds associa
||| > [!NOTE]
- > <sup>1</sup> To view a list of more than 1,000 cases, holds, searches, or exports, you can use the corresponding Office 365 Security & Compliance PowerShell cmdlet:<br/> [Get-ComplianceCase](https://docs.microsoft.com/powershell/module/exchange/get-compliancecase) <br/> [Get-CaseHoldPolicy](https://docs.microsoft.com/powershell/module/exchange/get-caseholdpolicy)<br/> [Get-ComplianceSearch](https://docs.microsoft.com/powershell/module/exchange/get-compliancesearch)<br/> [Get-ComplianceSearchAction](https://docs.microsoft.com/powershell/module/exchange/get-compliancesearchaction)
+ > <sup>1</sup> To view a list of more than 1,000 cases, holds, searches, or exports, you can use the corresponding Office 365 Security & Compliance PowerShell cmdlets:
+ >
+ > - [Get-ComplianceCase](https://docs.microsoft.com/powershell/module/exchange/get-compliancecase)
+ > - [Get-CaseHoldPolicy](https://docs.microsoft.com/powershell/module/exchange/get-caseholdpolicy)
+ > - [Get-ComplianceSearch](https://docs.microsoft.com/powershell/module/exchange/get-compliancesearch)
+ > - [Get-ComplianceSearchAction](https://docs.microsoft.com/powershell/module/exchange/get-compliancesearchaction)
+
+For more information about limits related to content searches and exports associated with a Core eDiscovery case, see [Limits for Content Search and Core eDiscovery](limits-for-content-search.md).
\ No newline at end of file
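Review bot: the added closing paragraph is the last line of the file and has no trailing newline, as the "\ No newline at end of file" marker shows; end the file with a newline so later appends produce clean diffs. The rewritten footnote also names the module "Office 365 Security & Compliance PowerShell", while limits-for-content-search.md in this same update calls it "Security & Compliance Center PowerShell"; pick one name for both articles.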
compliance https://docs.microsoft.com/en-us/microsoft-365/compliance/limits-ediscovery20 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/limits-ediscovery20.md
@@ -26,7 +26,7 @@ This article describes the limits in the Advanced eDiscovery solution in Microso
The following table lists the limits for cases and review sets in Advanced eDiscovery.
-|**Description of limit**|**Limit**|
+| Description of limit | Limit |
|:-----|:-----| |Total number of documents that can be added to a case (for all review sets in a case). <br/> |3 million <br/> | |Total file size per load set. This includes loading non-Office 365 into a review set. <br/> |300 GB <br/> |
@@ -41,7 +41,7 @@ The following table lists the limits for cases and review sets in Advanced eDisc
The following table lists the indexing limits in Advanced eDiscovery.
-|**Description of limit**|**Limit**|
+| Description of limit | Limit |
|:-----|:-----| |Maximum number of characters extracted from a single file. <br/> |10 million<sup>1</sup> <br/> | |Maximum size of a single file. <br/> |100 MB<sup>1</sup> <br/> |
@@ -54,13 +54,13 @@ The following table lists the indexing limits in Advanced eDiscovery.
The limits described in this section are related to using the search tool on the **Searches** tab to collect data for a case. For more information, see [Collect data for a case in Advanced eDiscovery](collecting-data-for-ediscovery.md).
-|**Description of limit**|**Limit**|
+| Description of limit | Limit |
|:-----|:-----| |Maximum number of mailboxes or sites that can be searched in a single search. <br/> |No limit <br/> | |Maximum number of searches that can run at the same time. <br/> |No limit <br/> | |Maximum number of searches that a single user can start at the same time. <br/> |10 <br/> | |Maximum number of characters for a search query (including operators and conditions). <br/> |**Mailboxes**: 10,000<br/>**Sites**: 4,000 when searching all sites or 2,000 when searching up to 20 sites <sup>2</sup> <br/> |
-|Minimum number of alpha characters for prefix wildcards; for example **one\*** or **set\***. <br/> |3 <br/> |
+|Minimum number of alpha characters for prefix wildcards; for example, **one\*** or **set\***. <br/> |3 <br/> |
|Maximum variants returned when using prefix wildcard to search for an exact phrase or when using a prefix wildcard and the **NEAR** Boolean operator. <br/> |10,000 <sup>3</sup> <br/> | |Maximum number of items per user mailbox that are displayed on preview page for searches. The newest items are displayed. <br/> |100 <br/> | |Maximum number of items from all mailboxes displayed on preview page for searches. <br/> |1,000 <br/> |
@@ -74,14 +74,14 @@ The limits described in this section are related to using the search tool on the
## Viewer limits
-|**Description of limit**|**Limit**|
+| Description of limit | Limit |
|:-----|:-----| |Maximum size of Excel file that can be viewed in the native viewer. <br/> |4 MB <br/> | ||| ## Export limits
-|**Description of limit**|**Limit**|
+| Description of limit | Limit |
|:-----|:-----| |Maximum size of a single export.|3 million documents or 100 GB, whichever is smaller| |Maximum amount of data in a single day. | 2 TB |
@@ -93,7 +93,7 @@ The limits described in this section are related to using the search tool on the
## Review set download limits
-|**Description of limit**|**Limit**|
+| Description of limit | Limit |
|:-----|:-----| |Total file size or maximum number of documents downloaded from a review set. <br/> |3 MB or 50 documents <sup>5</sup>| |||
@@ -102,10 +102,14 @@ The limits described in this section are related to using the search tool on the
<br/> > [!NOTE]
-> <sup>1</sup> Any item that exceeds a single file limit will show up as a processing error.<br/>
-> <sup>2</sup> When searching SharePoint and OneDrive for Business locations, the characters in the URLs of the sites being searched count against this limit.<br/>
-> <sup>3</sup> For non-phrase queries (a keyword value that doesn't use double quotation marks) we use a special prefix index. This tells us that a word occurs in a document, but not where it occurs in the document. To do a phrase query (a keyword value with double quotation marks), we need to compare the position within the document for the words in the phrase. This means that we can't use the prefix index for phrase queries. In this case, we internally expand the query with all possible words that the prefix expands to; for example, **time\*** can expand to **"time OR timer OR times OR timex OR timeboxed OR …"**. The limit of 10,000 is the maximum number of variants the word can expand to, not the number of documents matching the query. There is no upper limit for non-phrase terms.<br/>
-> <sup>4</sup> This limit is shared across all eDiscovery tools. This means that concurrent exports in Content search, Core eDiscovery, and Advanced eDiscovery are applied against this limit. <br/>
-> <sup>5</sup> This limit applies to downloading selected documents from a review set. It doesn't apply to exporting documents from a review set. For more information about downloading and exporting documents, see [Export case data in Advanced eDiscovery](exporting-data-ediscover20.md). <br/>
-> <sup>6</sup> Indexing limits per organization per day. As a workaround, you can select multiple custodians and then click **Update index** to avoid creating a separate index job for each custodian. <br/>
-
+> <sup>1</sup> Any item that exceeds a single file limit will show up as a processing error.
+>
+> <sup>2</sup> When searching SharePoint and OneDrive for Business locations, the characters in the URLs of the sites being searched count against this limit.
+>
+> <sup>3</sup> For non-phrase queries (a keyword value that doesn't use double quotation marks) we use a special prefix index. This tells us that a word occurs in a document, but not where it occurs in the document. To do a phrase query (a keyword value with double quotation marks), we need to compare the position within the document for the words in the phrase. This means that we can't use the prefix index for phrase queries. In this case, we internally expand the query with all possible words that the prefix expands to; for example, **time\*** can expand to **"time OR timer OR times OR timex OR timeboxed OR …"**. The limit of 10,000 is the maximum number of variants the word can expand to, not the number of documents matching the query. There is no upper limit for non-phrase terms.
+>
+> <sup>4</sup> This limit is shared across all eDiscovery tools. This means that concurrent exports in Content search, Core eDiscovery, and Advanced eDiscovery are applied against this limit.
+>
+> <sup>5</sup> This limit applies to downloading selected documents from a review set. It doesn't apply to exporting documents from a review set. For more information about downloading and exporting documents, see [Export case data in Advanced eDiscovery](exporting-data-ediscover20.md).
+>
+> <sup>6</sup> Indexing limits per organization per day. As a workaround, you can select multiple custodians on the **Data sources** tab in a case and then click **Update index** to avoid creating a separate index job for each custodian.
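Review bot: footnote 6 keeps "click **Update index**" next to the newly added "on the **Data sources** tab in a case" wording; use "select" to match the step wording used elsewhere in this update ("Select **Save draft**"). Footnote 2 here says the URL characters "count against this limit" while the same footnote in limits-for-content-search.md says "are counted against this limit"; since the two notes describe the same limit, align the phrasing.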
compliance https://docs.microsoft.com/en-us/microsoft-365/compliance/limits-for-content-search https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/limits-for-content-search.md
@@ -1,5 +1,5 @@
---
-title: "Limits for Content Search in the Security & Compliance Center"
+title: "Limits for content search and Core eDiscovery in the compliance center"
f1.keywords: - NOCSH ms.author: markjjo
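Review bot: the new title no longer matches the H1 that the next hunk adds. The title reads "Limits for content search and Core eDiscovery in the compliance center" and the heading reads "# Limits for Content search", so the two differ both in scope (Core eDiscovery is in one and not the other) and in capitalization of "content search". Make the H1 carry the same scope as the title, or shorten the title to match.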
@@ -16,45 +16,56 @@ search.appverid:
- MOE150 - MET150 ms.assetid: 78fe3147-1979-4c41-83bb-aeccf244368d
-description: "Learn about the limits in effect for the Content Search feature in the Security & Compliance Center in Office 365, such as the maximum number of simultaneous searches."
+description: "Learn about the limits in effect for the Content search feature in the Microsoft 365 compliance center, such as the maximum number of simultaneous searches. These search limits also apply to searches associated with Core eDiscovery cases."
---
-# Limits for Content Search in the Security & Compliance Center
-
-> [!NOTE]
-> The limits in this topic are different from the current limits for In-Place eDiscovery in Exchange Online and for the eDiscovery Center in SharePoint Online.
-
-Various limits are applied to the Content Search feature in the Security & Compliance Center. This includes searches run on the **Content search** page and searches that are associated with an eDiscovery case. These limits help to maintain the health and quality of services provided to organizations. There are also limits related to the indexing of email messages in Exchange Online for search. You can't modify the Content Search or email indexing limits, but you should be aware of them so that you can take these limits into consideration when planning, running, and troubleshooting Content Searches.
+# Limits for Content search
+Various limits are applied to the Content search tool in the Microsoft 365 compliance center. This includes searches run on the **Content search** page and searches that are associated with an eDiscovery case on the **Core eDiscovery** page. These limits help to maintain the health and quality of services provided to organizations. There are also limits related to the indexing of email messages in Exchange Online for search. You can't modify the limits for Content Search or email indexing, but you should be aware of them so that you can take these limits into consideration when planning, running, and troubleshooting content searches.
-## Content Search limits
+## Search limits
-The following table lists the search limits in the Security & Compliance Center.
+The following table lists the search limits when using the content search tool in the Microsoft 365 compliance center and for searches that are associated with a Core eDiscovery case.
| Description of limit | Limit | |:-----|:-----|
-|The maximum number of mailboxes or sites that can be searched in a single Content Search <br/> |No limit <sup>1</sup> <br/> |
-|The maximum number of Content Searches that can run at the same time in your organization. <br/> |30 <br/> |
-|The maximum number of Content Searches that a single user can start at the same time. This limit is most likely hit when the user tries to start multiple searches by using the **Get-ComplianceSearch \| Start-ComplianceSearch** command in Security & Compliance Center PowerShell. <br/> |10 <br/> |
+|The maximum number of mailboxes or sites that can be searched in a single search <br/> |No limit <sup>1</sup> <br/> |
+|The maximum number of searches that can run at the same time in your organization. <br/> |30 <br/> |
+|The maximum number of searches that a single user can start at the same time. This limit is most likely hit when the user tries to start multiple searches by using the **Get-ComplianceSearch \| Start-ComplianceSearch** command in Security & Compliance Center PowerShell. <br/> |10 <br/> |
|The maximum number of items per user mailbox that are displayed on the preview page when previewing Content Search results. <br/> |100 <br/> |
-|The maximum number of items found in all user mailboxes that are displayed on the preview page when previewing Content Search results. The newest items are displayed. <br/> |1,000 <br/> |
+|The maximum number of items found in all user mailboxes that are displayed on the preview page when previewing search results. The newest items are displayed. <br/> |1,000 <br/> |
|The maximum number of user mailboxes that can be previewed for search results. If there are more than 1000 mailboxes that contain content that matches the search query, only the top 1000 mailboxes with the most search results will be available for preview. <br/> |1,000 <br/> |
-|The maximum number of items found in SharePoint and OneDrive for Business sites that are displayed on the preview page when previewing Content Search results. The newest items are displayed. <br/> |200 <br/> |
+|The maximum number of items found in SharePoint and OneDrive for Business sites that are displayed on the preview page when previewing search results. The newest items are displayed. <br/> |200 <br/> |
|The maximum number of sites (in SharePoint and OneDrive for Business) that can be previewed for search results. If there are more than 200 total sites that contain content that matches the search query, only the top 200 sites with the most search results will be available for preview. <br/> |200 <br/> |
-|The maximum number of items per public folder mailbox that are displayed on the preview page when previewing Content Search results. <br/> |100 <br/> |
-|The maximum number of items found in all public folder mailboxes that are displayed on the preview page when previewing Content Search results. <br/> |200 <br/> |
+|The maximum number of items per public folder mailbox that are displayed on the preview page when previewing content search results. <br/> |100 <br/> |
+|The maximum number of items found in all public folder mailboxes that are displayed on the preview page when previewing content search results. <br/> |200 <br/> |
|The maximum number of public mailboxes that can be previewed for search results. If there are more than 500 public folder mailboxes that contain content that matches the search query, only the top 500 public folder mailboxes with the most search results will be available for preview. <br/> |500 <br/> |
-|The maximum number of characters for the search query (including operators and conditions) for a Content Search. <br/><br/> **Note:** This limit takes effect after the query is expanded, which means the query will get expanded against each of the keywords. For example, if a search query has 15 keywords and additional parameters and conditions, the query gets expanded 15 times, each with the other parameters and conditions in the query. So even though the number of characters in search query may be below the limit, it's the expanded query that may contribute to exceeding this limit. <br/> |**Mailboxes:** 10,000 <br/> **Sites:** 4,000 when searching all sites or 2,000 when searching up to 20 sites <sup>2</sup> <br/> |
+|The maximum number of characters for the search query (including operators and conditions) for a search. <br/><br/> **Note:** This limit takes effect after the query is expanded, which means the query will get expanded against each of the keywords. For example, if a search query has 15 keywords and additional parameters and conditions, the query gets expanded 15 times, each with the other parameters and conditions in the query. So even though the number of characters in search query may be below the limit, it's the expanded query that may contribute to exceeding this limit. <br/> |**Mailboxes:** 10,000 <br/> **Sites:** 4,000 when searching all sites or 2,000 when searching up to 20 sites <sup>2</sup> <br/> |
|Maximum number of variants returned when using a prefix wildcard to search for an exact phrase in a search query or when using a prefix wildcard and the **NEAR** Boolean operator. <br/> |10,000 <sup>3</sup> <br/> | |The minimum number of alpha characters for prefix wildcards; for example, `time*`, `one*`, or `set*`. <br/> |3 <br/> |
-|The maximum number of mailboxes in a Content Search that you can delete items in by doing a "search and purge" action (by using the **New-ComplianceSearchAction -Purge** command). If the Content Search that you're doing a purge action for has more source mailboxes than this limit, the purge action will fail. For more information about search and purge, see [Search for and delete email messages in your organization](search-for-and-delete-messages-in-your-organization.md). <br/> |50,000 <br/> |
-|The maximum number of locations in a Content Search that you can export items from. If the Content Search that you're exporting has more locations than this limit, the export will fail. For more information, see [Export Content Search results](export-search-results.md). <br/> |100,000 <br/> |
+|The maximum number of mailboxes in a search that you can delete items in by doing a "search and purge" action (by using the **New-ComplianceSearchAction -Purge** command). If the search that you're doing a purge action for has more source mailboxes than this limit, the purge action will fail. For more information about search and purge, see [Search for and delete email messages in your organization](search-for-and-delete-messages-in-your-organization.md). <br/> |50,000 <br/> |
+|The maximum number of locations in a search that you can export items from. If the search that you're exporting has more locations than this limit, the export will fail. For more information, see [Export content search results](export-search-results.md). <br/> |100,000 <br/> |
+|||
> [!NOTE]
-> <sup>1</sup> Although you can search an unlimited number of mailboxes in a single search, you can only download the exported search results from a maximum of 100,000 mailboxes using the eDiscovery Export Tool in Office 365 Security & Compliance Center or the Microsoft 365 compliance center. To download the search results from more than 100,000 mailboxes, you have to use Security & Compliance Center PowerShell. For more information and a sample script, see [Exporting results from more than 100,000 mailboxes](export-search-results.md#exporting-results-from-more-than-100000-mailboxes). <br/><br/> <sup>2</sup> When searching SharePoint and OneDrive for Business locations, the characters in the URLs of the sites being searched are counted against this limit. <br/><br/> <sup>3</sup> For non-phrase queries (a keyword value that doesn't use double quotation marks) we use a special prefix index. This tells us that a word occurs in a document, but not where it occurs in the document. To do a phrase query (a keyword value with double quotation marks), we need to compare the position within the document for the words in the phrase. This means that we can't use the prefix index for phrase queries. In this case, we internally expand the query with all possible words that the prefix expands to; for example, `"time*"` can expand to `"time OR timer OR times OR timex OR timeboxed OR …"`. 10,000 is the maximum number of variants the word can expand to, not the number of documents matching the query. There is no upper limit for non-phrase terms.
+> <sup>1</sup> Although you can search an unlimited number of mailboxes in a single search, you can only download the exported search results from a maximum of 100,000 mailboxes using the eDiscovery Export Tool in the Microsoft 365 compliance center. To download the search results from more than 100,000 mailboxes, you have to use Security & Compliance Center PowerShell. For more information and a sample script, see [Exporting results from more than 100,000 mailboxes](export-search-results.md#exporting-results-from-more-than-100000-mailboxes). <br/><br/> <sup>2</sup> When searching SharePoint and OneDrive for Business locations, the characters in the URLs of the sites being searched are counted against this limit. <br/><br/> <sup>3</sup> For non-phrase queries (a keyword value that doesn't use double quotation marks) we use a special prefix index. This tells us that a word occurs in a document, but not where it occurs in the document. To do a phrase query (a keyword value with double quotation marks), we need to compare the position within the document for the words in the phrase. This means that we can't use the prefix index for phrase queries. In this case, we internally expand the query with all possible words that the prefix expands to; for example, `"time*"` can expand to `"time OR timer OR times OR timex OR timeboxed OR …"`. 10,000 is the maximum number of variants the word can expand to, not the number of documents matching the query. There is no upper limit for non-phrase terms.
+## Export limits
+The following table lists the limits when exporting the results of a content search. These limits also apply when you export content from a Core eDiscovery case.
+
+|Description of limit|Limit|
+|:-----|:-----|
+|Maximum amount of exportable data from a single search <br/><br/> **Note:** If the search results are larger than 2 TB, consider using date ranges or other types of filters to decrease the total size of the search results. <br/> |2 TB <br/> |
+|Maximum an organization can export in a single day <br/><br/> **Note:** This limit is reset daily at 12:00AM UTC <br/> |2 TB <br/> |
+|Maximum concurrent exports that can be ran at same time within your organization <br/><br/> **Note:** Running a **Report Only** export counts against total concurrent exports for your organization. If three users are performing 3 exports each, then only one other export can be performed. Whether it is exporting a report or search results, no other exports can be performed until one has completed. <br/> |10 <br/> |
+|Maximum exports a single user can run at any one time <br/> |3 <br/> |
+|Maximum number of mailboxes for search results that can be downloaded using the eDiscovery Export Tool <br/><br/> **Note:** To download the search results from more than 100,000 mailboxes, you have to use Security & Compliance Center PowerShell. For instructions, see [Exporting results from more than 100,000 mailboxes](export-search-results.md#exporting-results-from-more-than-100000-mailboxes). <br/> | 100,000 <br/>|
+|Maximum size of PST file that can be exported <br/><br/> **Note:** If the search results from a user's mailbox are larger than 10 GB, the search results for the mailbox will be exported in two (or more) separate PST files. If you choose to export all search results in a single PST file, the PST file will be spilt into additional PST files if the total size of the search results is larger than 10 GB. If you want to change this default size, you can edit the Windows Registry on the computer that you use to export the search results. See [Change the size of PST files when exporting eDiscovery search results](change-the-size-of-pst-files-when-exporting-results.md). The search results from a specific mailbox won't be divided among multiple PST files unless the content from a single mailbox is more than 10 GB. If you chose to export the search results in one PST file for that contains all messages in a single folder and the search results are larger than 10 GB, the items are still organized in chronological order, so they will be spilt into additional PST files based on the sent date.<br/> | 10 GB <br/> |
+|Rate at which search results from mailboxes and sites are uploaded to a Microsoft-provided Azure Storage location. |Maximum of 2 GB per hour|
+|||
+ ## Indexing limits for email messages
-The following table describes the indexing limits that might result in an email message being returned as an unindexed item or a partially indexed item in the results of a Content Search.
+The following table describes the indexing limits that might result in an email message being returned as an unindexed item or a partially indexed item in the results of a content search.
| Indexing limit | Maximum value | Description | |:-----|:-----|:-----|
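Review bot: the new Export limits table has wording errors that should be fixed before merge. The PST row says "spilt" twice where "split" is meant and contains the broken clause "in one PST file for that contains all messages in a single folder"; the concurrent-exports row says "can be ran at same time" (should be "can be run at the same time"); and "12:00AM UTC" needs a space before "AM". Separately, the added "## Export limits" heading sits directly after the NOTE blockquote and directly before its intro paragraph with no blank lines, and the H1 is followed immediately by body text; add a blank line around each heading. The added lines also mix "Content search", "Content Search" and "content search" (for example "Content search tool" and "limits for Content Search or email indexing" in the same paragraph), so the rename this hunk is making is not yet consistent.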
@@ -67,12 +78,11 @@ The following table describes the indexing limits that might result in an email
|Maximum annotation tokens <br/> |2 million <br/> |When an email message is indexed, each word is annotated with different processing instructions that specify how that word should be indexed. Each set of processing instructions is called an annotation token. To maintain the quality of service in Office 365, there is a limit of 2 million annotation tokens for an email message. <br/> | |Maximum body size in index <br/> |67 million characters <br/> |The total number of characters in the body of an email message and all its attachments. When an email message is indexed, all text in the body of the message and in all attachments is concatenated into a single string. The maximum size of this string that is indexed is 67 million characters. <br/> | |Maximum unique tokens in body <br/> |1 million <br/> |As previously explained, tokens are the result of extracting text from content, removing punctuation and spaces, and then dividing it into words (called tokens) that are stored in the index. For example, the phrase `"cat, mouse, bird, dog, dog"` contains 5 tokens. But only 4 of these are unique tokens. There is a limit of 1 million unique tokens per email message, which helps prevent the index from getting too large with random tokens. <br/> |
+|||
## More information
-There are additional limits related to different aspects of Content Search, such as exporting search results and content indexing. For a description of these limits, see the following topics:
-
-- [Export Content Search results](export-search-results.md#export-limits)
+There are additional limits related to different aspects of searching for content, such as content indexing. For more information about these limits, see the following topics:
- [Partially indexed items in Content Search](partially-indexed-items-in-content-search.md)
@@ -80,8 +90,16 @@ There are additional limits related to different aspects of Content Search, such
- [Search limits for SharePoint Online](https://docs.microsoft.com/sharepoint/search-limits)
-For information about Content Searches, see:
+For information about content searches, see:
-- [Content Search in Microsoft 365](content-search.md)
+- [Content search in Microsoft 365](content-search.md)
+
+- [Search for content in a Core eDiscovery case](search-for-content-in-core-ediscovery.md)
+
+- [Keyword queries and search conditions for content search](keyword-queries-and-search-conditions.md)
+
+For case limits related to Core eDiscovery and Advanced eDiscovery, see:
+
+- [Limits in Core eDiscovery](limits-core-ediscovery.md)
-- [Keyword queries and search conditions for Content Search](keyword-queries-and-search-conditions.md)
+- [Limits in Advanced eDiscovery](limits-ediscovery20.md)
compliance https://docs.microsoft.com/en-us/microsoft-365/compliance/manage-legal-investigations https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/manage-legal-investigations.md
@@ -24,49 +24,49 @@ description: "Use eDiscovery cases in the Security & Compliance Center in Office
Organizations have many reasons to respond to a legal case involving certain executives or other employees in your organization. This might involve quickly finding and retaining for further investigation-specific information in email, documents, instant messaging conversations, and other content locations used by people in their day-to-day work tasks. You can perform these and many other similar activities by using the eDiscovery case tools in the security and compliance center. **Want to know how Microsoft manages its eDiscovery investigations?** Here's a [technical white paper](https://go.microsoft.com/fwlink/?linkid=852161) you can download that explains how we use the same search and investigation tools to manage our internal eDiscovery workflow.
-
+ ## Manage legal investigations with eDiscovery cases eDiscovery cases let you control who can create, access, and manage eDiscovery cases in your organization. Use cases to add members and control what types of actions they can perform, place a hold on content locations relevant to a legal case, and use the Content Search tool to search the locations on hold for content that might be responsive to your case. Then you can also export and download those results for further investigation by external reviewers. -- [Manage your eDiscovery workflow](ediscovery-cases.md) by creating and using eDiscovery cases for every legal investigation your organization has to undertake
-
-- [Assign eDiscovery permissions](assign-ediscovery-permissions.md) to control who can create and manage eDiscovery cases in your organization
-
-- [Set up compliance boundaries](tagging-and-assessment-in-advanced-ediscovery.md) to control the user content locations that eDiscovery managers can search
-
-- [Search for content](search-for-content.md) in your organization
-
+- [Manage your eDiscovery workflow](ediscovery-cases.md) by creating and using eDiscovery cases for every legal investigation your organization has to undertake.
+
+- [Assign eDiscovery permissions](assign-ediscovery-permissions.md) to control who can create and manage eDiscovery cases in your organization.
+
+- [Set up compliance boundaries](set-up-compliance-boundaries.md) to control the user content locations that eDiscovery managers can search.
+
+- [Search for content](search-for-content.md) in your organization.
+ ### Use scripts for advanced scenarios Like the previous section that listed scripts for content search scenarios, we've also created some Security & Compliance Center PowerShell scripts to help you manage eDiscovery cases. -- [Create a eDiscovery hold report](create-a-report-on-holds-in-ediscovery-cases.md) that contains information about all holds associated with eDiscovery cases in your organization
-
-- [Add mailboxes and OneDrive locations](use-a-script-to-add-users-to-a-hold-in-ediscovery.md) for a list of users to an eDiscovery hold
+- [Create a eDiscovery hold report](create-a-report-on-holds-in-ediscovery-cases.md) that contains information about all holds associated with eDiscovery cases in your organization.
+
+- [Add mailboxes and OneDrive locations](use-a-script-to-add-users-to-a-hold-in-ediscovery.md) for a list of users to an eDiscovery hold.
## Manage legal investigations with the Advanced eDiscovery solution in Microsoft 365 The Advanced eDiscovery solution in Microsoft 365 builds on the existing eDiscovery and analytics capabilities in Office 365. This new solution, called *Advanced eDiscovery*, provides an end-to-end workflow to preserve, collect, review, analyze, and export content that's responsive to your organization's internal and external investigations. It also lets legal teams manage the entire legal hold notification workflow to communicate with custodians involved in a case.
-Advanced eDiscovery requires an E5 subscription for your Microsoft 365 or Office 365 organization. For more information about licensing, see [Get started with Advanced eDiscovery](get-started-with-advanced-ediscovery.md#step-1-verify-and-assign-appropriate-licenses).
+Advanced eDiscovery requires an E5 subscription for your Microsoft 365 or Office 365 organization. For more information about licensing, see [Set up Advanced eDiscovery](get-started-with-advanced-ediscovery.md#step-1-verify-and-assign-appropriate-licenses).
-Here's a quick overview of the built-in workflow in Advanced eDiscovery. For more information, see [Explore the Advanced eDiscovery workflow](get-started-with-advanced-ediscovery.md#explore-the-advanced-ediscovery-workflow).
+Here's a quick overview of the built-in workflow in Advanced eDiscovery. For more information, see [Manage the Advanced eDiscovery workflow](create-and-manage-advanced-ediscoveryv2-case.md#manage-the-workflow).
-- [Create a case](create-new-ediscovery-case.md) to get started
+- [Create a case](create-and-manage-advanced-ediscoveryv2-case.md#create-a-case) to get started.
-- [Manage custodians](managing-custodians.md) by adding them to a case and placing a legal hold on content in their mailbox, OneDrive account, and Microsoft Teams they're members of
+- [Manage custodians](managing-custodians.md) by adding them to a case and placing a legal hold on content in their mailbox, OneDrive account, and Microsoft Teams they're members of.
-- [Manage communications](managing-custodian-communications.md) with custodians by automating the legal hold notification process
+- [Manage communications](managing-custodian-communications.md) with custodians by automating the legal hold notification process.
-- [Index custodian data](processing-data-for-case.md) and fix indexing errors so you can effectively collect data for your investigations
+- [Index custodian data](processing-data-for-case.md) and fix indexing errors so you can effectively collect data for your investigations.
-- [Collect data](collecting-data-for-ediscovery.md) for a case and add [add it to a review set](collecting-data-for-ediscovery.md#add-search-results-to-a-review-set) for further investigation
+- [Collect data](collecting-data-for-ediscovery.md) for a case and add [add it to a review set](collecting-data-for-ediscovery.md#add-search-results-to-a-review-set) for further investigation.
-- [View ](view-documents-in-review-set.md) documents, [query](review-set-search.md) data, and [tag](tagging-documents.md) items in a review set
+- [View](view-documents-in-review-set.md) documents, [query](review-set-search.md) data, and [tag](tagging-documents.md) items in a review set.
-- [Analyze case data](analyzing-data-in-review-set.md) with advanced analytics tools
+- [Analyze case data](analyzing-data-in-review-set.md) with advanced analytics tools.
-- [Export case data](exporting-data-ediscover20.md) for review by outside counsel
+- [Export case data](exporting-data-ediscover20.md) for review by outside counsel.
-- [Manage long-running jobs](managing-jobs-ediscovery20.md) in Advanced eDiscovery
+- [Manage long-running jobs](managing-jobs-ediscovery20.md) in Advanced eDiscovery.
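Review bot: Two wording errors survive on added lines in this region: "Create a eDiscovery hold report" in the scripts list should read "Create an eDiscovery hold report", and the Collect data bullet still says "and add [add it to a review set]", which repeats "add". Both lines are already being touched to add the trailing period, so fix them in the same pass. The compliance boundaries link changes target from tagging-and-assessment-in-advanced-ediscovery.md to set-up-compliance-boundaries.md; confirm the new file exists, since a broken link here hides the guidance on limiting what eDiscovery managers can search.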
compliance https://docs.microsoft.com/en-us/microsoft-365/compliance/overview-ediscovery-20 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/overview-ediscovery-20.md
@@ -7,7 +7,7 @@ author: markjjo
manager: laurawi ms.date: audience: Admin
-ms.topic: article
+ms.topic: overview
ms.service: O365-seccomp localization_priority: Normal ms.collection:
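Review bot: ms.date in the context line above the ms.topic change is still empty. If the article is being reclassified as an overview and substantially rewritten in the next hunk, set a date here so readers and tooling can tell when the content was last revised.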
@@ -17,45 +17,49 @@ ms.collection:
search.appverid: - MOE150 - MET150
-ms.assetid:
-description: "This article provides an overview of Advanced eDiscovery in Microsoft 365, a tool for internal and external investigations."
+description: "Learn about the Advanced eDiscovery solution in Microsoft 365. This article provides an overview of Advanced eDiscovery in Microsoft 365, a tool to help you manage internal and external investigations. It also frames the business reasons for using Advanced eDiscovery to manage your legal investigations."
ms.custom: seo-marvel-apr2020 ---
-# Overview of the Advanced eDiscovery solution in Microsoft 365
+# Overview of Microsoft 365 Advanced eDiscovery
-The Advanced eDiscovery solution in Microsoft 365 builds on the existing eDiscovery and analytics capabilities in Office 365. This new solution, called *Advanced eDiscovery*, provides an end-to-end workflow to preserve, collect, review, analyze, and export content that's responsive to your organization's internal and external investigations. It also lets legal teams manage the entire legal hold notification workflow to communicate with custodians involved in a case.
+The Advanced eDiscovery solution in Microsoft 365 builds on the existing Microsoft eDiscovery and analytics capabilities. Advanced eDiscovery provides an end-to-end workflow to preserve, collect, analyze, review, analyze, and export content that's responsive to your organization's internal and external investigations. It also lets legal teams manage the entire legal hold notification workflow to communicate with custodians involved in a case.
-> [!NOTE]
-> Advanced eDiscovery requires an Office 365 or Microsoft 365 E5 Enterprise subscription. For more information about Advanced eDiscovery licensing, see [Microsoft 365 licensing guidance for security & compliance](https://docs.microsoft.com/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance#advanced-ediscovery).
+Advanced eDiscovery can help your organization respond to legal matters or internal investigations by discovering data where it lives. You can seamlessly manage eDiscovery workflows by identifying persons of interest and their data sources, seamlessly apply holds to preserve data, and then manage the legal hold communication process. By collecting data from the source, you can search the live Microsoft 365 platform to quickly find what you need. Intelligent, machine learning capabilities such as deep indexing, email threading, and near duplicate detection also help you reduce large volumes of data to a relevant data set.
-## Alignment with EDRM
+The following sections describe how these Advanced eDiscovery capabilities can help your organization.
-The built-in workflow of Advanced eDiscovery aligns with the eDiscovery process outlined by the Electronic Discovery Reference Model (EDRM).
+## Discover and collect data in-place
-![The Electronic Discovery Reference Model (EDRM)](../media/EDRMv1.png)
+Traditionally, organizations that rely on multiple third-party eDiscovery solutions require copying large volumes of data out of Microsoft 365 to process and having to host duplicate data. This necessity increases the time to find relevant data and the risk, cost, and complexity of managing multiple solutions.
-(Image source courtesy of edrm.net. The source image was made available under Creative Commons Attribution 3.0 Unported License.)
+Advanced eDiscovery in Microsoft 365 lets you discover data at the source and staying within your Microsoft 365 security and compliance boundary. By collecting data in-place from the live system, Advanced eDiscovery reduces the friction of going back to the source and reduces unnecessary work of having to find missing content, which often happens when journaling lags in traditional eDiscovery solutions.
-At a high level, here's how Advanced eDiscovery supports the EDRM workflow:
+Native search and collection capabilities for data in Teams, Yammer, SharePoint Online, OneDrive for Business, and Exchange Online further enhances data discovery. For example, Advanced eDiscovery:
-- **Identification.** After you identify potential persons of interest in an investigation, you can add them as custodians (also called *data custodians*, because they may possess information that's relevant to the investigation) to an Advanced eDiscovery case. After you identify custodians and add them to a case, you can easily preserve, collect, review, and analyze the associated custodial data.
+- Reconstructs Teams conversations (instead of returning individual messages from conversations).
-- **Preservation.** To preserve and protect data that's relevant to an investigation, Advanced eDiscovery lets you place a legal hold on the data sources associated with the custodians in a case. You can also place non-custodial data on hold (usually shared group resources such as SharePoint sites or shared Teams channels). Advanced eDiscovery also has a built-in communications workflow so you can send legal hold notifications to custodians and track their acknowledgments.
+- Collects cloud-based content shared with users by use of links or modern attachments in email message and Teams chats.
-- **Collection.** After you have identified (and optionally preserved) the data sources relevant to the investigation, you can use the built-in search tool in Advanced eDiscovery to search and collect live data from the custodial data sources (and non-custodial data sources, if applicable) that may be relevant to the case.
+- Has built-in support for hundreds of non-Microsoft 365 file types.
-- **Processing.** After you've collected all data relevant to the case, the next step is to process it for further review and analysis. In Advanced eDiscovery, the in-place data you identified in the collection phase is copied to an Azure Storage location (called a *review set*), which provides you with a static view of the case data.
+- Collects data from third-party sources (such as Bloomberg, Facebook, Slack, and Zoom Meetings) that's imported and archived in Microsoft 365 by [data connectors](archiving-third-party-data.md).
-- **Review.** After data has been added to a review set, you can view specific documents and run additional queries within the review set to reduce the data to the most relevant documents. You can also annotate and tag specific documents.
+## Manage eDiscovery workflow in one platform
-- **Analysis.** Advanced eDiscovery provides a powerful set of integrated analytics tools that help you intelligently cull irrelevant data from the review set, which saves you legal review costs by efficiently reducing the volume of relevant data for production.
+Advanced eDiscovery can help you reduce the number of eDiscovery solutions you need to rely on. It provides a streamlined, end-to-end workflow, all which occurs within Microsoft 365. Advanced eDiscovery helps reduce the friction of identifying and collecting potential sources of relevant information by automatically mapping unique and shared data sources to the person of interest (known as a *custodian*), and by providing reporting and analytics on potentially relevant data prior to collecting it for analysis and review.
-- **Production** and **Presentation.** When you're ready, you can export documents from a review set for legal review. You can export documents in their EDRM-specified format so they can be imported into third-party review applications.
+Additionally, Microsoft Graph APIs can help you automate the eDiscovery workflow and extend Advanced eDiscovery for custom solutions.
+
+## Cull data intelligently
+
+Intelligent, machine learning capabilities in Advanced eDiscovery help you reduce the amount of data to review. These intelligent capabilities help you reduce and cull large volumes of data to a relevant set. For example, a built-in review set query helps filter only for unique content by identifying near duplicates. This capability can substantially reduce the amount of data to review.
+
+Additional machine learning capabilities can further refine and identify relevant data using smart tags and technology assisted review tools like the Relevance modules.
## Advanced eDiscovery architecture
-Here's an Advanced eDiscovery architecture diagram that shows the end-to-end workflow in a single-geo environment and a multi-geo environment. The end-to-end data flow is aligned with the EDRM.
+Here's an Advanced eDiscovery architecture diagram that shows the end-to-end workflow in a single-geo environment and in a multi-geo environment, and the end-to-end data flow that's aligned with the [Electronic Discovery Reference Model](advanced-ediscovery-edrm.md) (EDRM).
[![Model poster: Advanced eDiscovery Architecture in Microsoft 365](../media/solutions-architecture-center/ediscovery-poster-thumb.png)](../media/solutions-architecture-center/m365-advanced-ediscovery-architecture.png)
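Review bot: The rewritten opening paragraph lists "analyze" twice ("preserve, collect, analyze, review, analyze, and export"); drop one so the workflow order is unambiguous. Other added lines in this hunk need a copy edit as well: "seamlessly" appears twice in one sentence, "lets you discover data at the source and staying within" should be "and stay within", "Native search and collection capabilities ... further enhances" should be "enhance", and "in email message and Teams chats" should be "email messages". The removed EDRM list was also where this section said collected data is copied to an Azure Storage location; check that the linked advanced-ediscovery-edrm.md article keeps that statement, because the new "in-place" section reads as though data never leaves the live system.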
@@ -67,31 +71,35 @@ Here's an Advanced eDiscovery architecture diagram that shows the end-to-end wor
For more information about the end-to-end workflow in Advanced eDiscovery, see this [Microsoft Mechanics video](https://go.microsoft.com/fwlink/?linkid=2066133).
-The sections that follow describe each step in the built-in workflow in Advanced eDiscovery. The following screenshot shows the **Overview** tab of a case named *2020.11.03 - Contoso v. Fabrikam*.
+## Advanced eDiscovery workflow
+
+The following sections describe each step in the built-in workflow in the Advanced eDiscovery tool in the Microsoft 365 compliance center. The following screenshot shows the **Overview** tab of a case named *2020.11.03 - Contoso v. Fabrikam*.
![Tabs in built-in Advanced eDiscovery workflow](../media/AeD-Case-Screenshot1.png)
-## Managing custodians and non-custodial data sources
+For more detailed information, see [Manage the Advanced eDiscovery workflow](create-and-manage-advanced-ediscoveryv2-case.md#manage-the-workflow).
-Use the **Data sources** tab to add and manage the people that you've identified as persons of interest in the case and other data sources that may not be associated with a custodian. When you add custodians or non-custodial data sources, you can quickly perform actions like placing a legal hold on custodian and non-custodial data sources, communicating with custodians, and searching custodian and non-custodial data sources to collect content that's relevant to the case. As the case progresses, it's easy to add new custodians or non-custodial data sources or release them from the case. For more information, see [Work with custodians in Advanced eDiscovery](managing-custodians.md).
+### Managing custodians and non-custodial data sources
-## Managing legal hold notifications
+Use the **Data sources** tab to add and manage the people that you've identified as persons of interest in the case and other data sources that may not be associated with a custodian. When you add custodians or non-custodial data sources, you can quickly perform actions like placing a legal hold on custodian and non-custodial data sources, communicating with custodians, and searching custodian and non-custodial data sources to collect content that's relevant to the case. As the case progresses, it's easy to add new custodians or non-custodial date sources or release them from the case. For more information, see [Work with custodians](managing-custodians.md).
-Use the **Communications** tab to manage the process of communicating with the custodians in the case. A legal hold notice instructs custodians to preserve any content that's relevant to the case. Legal teams must track the notices that have been received, read, and acknowledged by custodians. The communications workflow in Advanced eDiscovery allows you to create and send initial notifications, reminders, release notices, and escalations if custodians fail to acknowledge a hold notification. For more information, see [Work with communications in Advanced eDiscovery](managing-custodian-communications.md).
+### Managing legal hold notifications
-## Managing content preservation
+Use the **Communications** tab to manage the process of communicating with the custodians in the case. A legal hold notice instructs custodians to preserve any content that's relevant to the case. Legal teams must be able to track the notices that have been received, read, and acknowledged by custodians. The communications workflow in Advanced eDiscovery allows you to create and send initial notifications, reminders, release notices, and escalations if custodians fail to acknowledge a hold notification. For more information, see [Work with communications](managing-custodian-communications.md).
-When you add a custodian to a case, you can place a hold on custodial data. Use the **Hold** tab to manage the hold created when you add custodians and manage other legal holds associated with the case; for example, you can identify and place a hold on non-custodial data sources. You can also edit any hold in the case and make it a query-based hold to preserve only the content that matches the query. For example, you could add a date range to the hold so that only content created within a specific date ranged in preserved. You can also get statistics on content that's on hold, remove the hold after it's no longer relevant to the case, or delete it. For more information, see [Manage holds in Advanced eDiscovery](managing-holds.md).
+### Managing content preservation
-## Indexing custodian data
+When you add a custodian to a case, you can place a hold on custodial data. Use the **Hold** tab to manage the hold created when you add custodians, and to manage other legal holds associated with the case; for example, you can identify and place a hold on non-custodial data sources. You can also edit any hold in the case and make it a query-based hold to preserve only the content that matches the query. For example, you could add a date range to the hold so that only content created within a specific date ranged in preserved. You can also get statistics on content that's on hold, remove the hold after it's no longer relevant to the case, or delete it. For more information, see [Manage holds](managing-holds.md).
-When you add a custodian and the corresponding custodial data sources to a case, any partially indexed item from a custodian data source is reindexed by a process called *Advanced indexing*. This allows custodial content such as images, unsupported file types, and other potentially unindexed content to be fully searchable when you run searches to collect data for the case. Use the **Processing** tab to monitor the status of Advanced indexing and fix processing errors by using a process called *error remediation*. For more information, see [Fix processing errors in Advanced eDiscovery](processing-data-for-case.md).
+### Indexing custodian data
-## Collecting case data
+When you add a custodian and the corresponding custodial data sources to a case, any partially indexed item from a custodian data source is reindexed by a process called *Advanced indexing*. This allows custodial content such as images, unsupported file types, and other potentially unindexed content to be fully searchable when you run searches to collect data for the case. Use the **Processing** tab to monitor the status of Advanced indexing and fix processing errors by using a process called *error remediation*. For more information, see [Fix processing errors](processing-data-for-case.md).
-Use the **Searches** tab to create searches to search the in-place custodial and non-custodial data sources for content relevant to the case. You can create and run query-based searches (using keywords and conditions) to identify a set of email messages and documents relevant to the case and that you want to further review and analyze in subsequent steps in the eDiscovery workflow. You can create one or more searches associated with the case. You can also use the search tool to preview sample documents and view search statistics to help you refine and improve the search results. After you search and collect all the data relevant to the case, you can add the search results to a review set for further review, analysis, and culling. For more information, see [Collect data for a case in Advanced eDiscovery](collecting-data-for-ediscovery.md).
+### Collecting case data
-## Reviewing and analyzing case data
+Use the **Searches** tab to create searches to search the in-place custodial and non-custodial data sources for content relevant to the case. You can create and run query-based searches (using keywords and conditions) to identify a set of email messages and documents that are relevant to the case and that you want to further review and analyze in subsequent steps in the eDiscovery workflow. You can create one or more searches associated with the case. You can also use the search tool to preview sample documents and view search statistics to help you refine and improve the search results. After you're satisfied the search results contain the all data relevant to the case, you add the search results to a review set for further review, analysis, and culling. For more information, see [Collect data for a case](collecting-data-for-ediscovery.md).
+
+### Reviewing and analyzing case data
Use the **Review sets** tab to review and analyze the content you've collected from the live system and added to a review set. A *review set* is a static collection of that data (in other words, an offline copy of data) of custodial data (and, if applicable, non-custodial data) that you collected in the previous phase of the eDiscovery workflow. When you add search results to a review set, a process is triggered to extract files from containers, extract metadata, and extract text. When this process is complete, the system builds a new index of all the data collected from custodians and adds it to the review set. After the data is added to the review set, you can run more queries to narrow the case data, view data as text or in the native file format, and annotate, redact, and tag documents in the review set. You can also perform advanced analytics, such as identifying document duplication, email threading, and themes. After you've culled the data to only what is relevant to the case, you can either download documents directly or export them along with file metadata, annotations, and any tags. For more information, see:
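Review bot: The added custodians paragraph introduces a typo that the removed line did not have: "non-custodial date sources" should be "non-custodial data sources". Two more errors remain on added lines: "within a specific date ranged in preserved" in the content preservation paragraph should be "date range is preserved", and "contain the all data relevant to the case" in the collection paragraph should be "contain all the data".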
@@ -103,14 +111,20 @@ Use the **Review sets** tab to review and analyze the content you've collected f
- [Analyze data in a review set](analyzing-data-in-review-set.md)
-## Exporting data for review and presentation
+### Exporting data for review and presentation
+
+After you export the data from a review set, use the **Exports** tab to manage an export job and download data from a review set. When you export a review set, the data is uploaded to a Microsoft-provided Azure Storage location (or an Azure Storage location managed by your organization). After it's uploaded to Azure, it's then and available to download to a local computer. You can obtain the storage assess key necessary to download the exported data on the **Exports** tab. For more information, see [Export case data](exporting-data-ediscover20.md).
+
+### Managing jobs
+
+Use the **Jobs** tab to monitor long-running processes for case-related tasks that you've initiated. Examples of jobs include ones related to reindexing, searching, and exporting case data. For example, if you create a search on the **Searches** tab that includes many data sources, the status of this search process will be displayed on the **Jobs** tab. For more information, see [Manage jobs](managing-jobs-ediscovery20.md).
-After you export the data from a review set, use the **Exports** tab to manage an export job and download data from a review set. When you export a review set, the data is uploaded to a Microsoft-provided Azure Storage location (or an Azure Storage location managed by your organization). After it's uploaded to Azure, it's then and available to download to a local computer. You can obtain the storage access key necessary to download the exported data on the **Exports** tab. For more information, see [Export case data in Advanced eDiscovery](exporting-data-ediscover20.md).
+### Configuring case settings
-## Managing jobs
+Use the **Settings** tab to configure case-wide settings. This includes adding members to a case, closing or deleting a case, and configuring search and analytics settings. For more information, see:
-Use the **Jobs** tab to monitor long-running processes for case-related tasks that you've initiated. Examples of jobs include ones related to reindexing, searching, and exporting case data. For example, if you create a search on the **Searches** tab that includes many data sources, the status of this search process will be displayed on the **Jobs** tab. For more information, see [Manage jobs in Advanced eDiscovery](managing-jobs-ediscovery20.md).
+- [Add members to a case](add-or-remove-members-from-a-case-in-advanced-ediscovery.md)
-## Configuring case settings
+- [Close or delete a case](close-or-delete-case.md)
-Use the **Settings** tab to configure case-wide settings. This includes adding members to a case, closing or deleting a case, and configuring search and analytics settings.
+- [Configure search and analytics settings](configure-search-and-analytics-settings-in-advanced-ediscovery.md)
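Review bot: The added export paragraph changes "storage access key" to "storage assess key", a regression from the removed line. This is the sentence readers will search for when they need the key to download exported case data, so restore "access". The same paragraph still carries "it's then and available to download", which should be "it's then available to download".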
managed-desktop https://docs.microsoft.com/en-us/microsoft-365/managed-desktop/MMD-and-ITSM https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/MMD-and-ITSM.md
@@ -1,6 +1,6 @@
--- title: Microsoft Managed Desktop and ITIL
-description:
+description: Correlates ITIL phases with Microsoft Managed Desktop information and articles
keywords: Microsoft Managed Desktop, Microsoft 365, service, documentation, ITISM ms.service: m365-md author: jaimeo
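Review bot: The keywords context line ends with "ITISM", which matches neither "ITIL" in the title nor "ITSM" in the file name; since the front matter is being edited anyway, correct it to the intended term. The new description also lacks a closing period, unlike the other descriptions added in this batch.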
@@ -12,9 +12,9 @@ ms.localizationpriority: normal
Many organizations find it valuable to structure their IT services along the lines of a formalized IT Service Model (ITSM), such as [ITIL](https://www.axelos.com/best-practice-solutions/itil).
-Microsoft Managed Desktop enables your organization to comply with many key aspects of such formalized ITSM models. Using ITIL as an example, this topic helps you see the connections between common ITIL phases and processes and equivalent Microsoft Managed Desktop features, where applicable. This only applies to the Microsoft Managed Desktop portion of your organization.
+Microsoft Managed Desktop enables your organization to comply with many key aspects of such formalized ITSM models. Using ITIL as an example, this article helps you see the connections between common ITIL phases and processes and equivalent Microsoft Managed Desktop features, where applicable. This information only applies to the Microsoft Managed Desktop portion of your organization.
-For more comprehensive about ITIL and its phases and process see their [documentation](https://www.axelos.com/best-practice-solutions/itil).
+For more comprehensive about ITIL and its phases and process, see their [documentation](https://www.axelos.com/best-practice-solutions/itil).
## Service design
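Review bot: The last added line fixes the comma but leaves the sentence without a noun: "For more comprehensive about ITIL" should be "For more comprehensive information about ITIL". In the same sentence, "its phases and process" should be "its phases and processes" to match the wording of the paragraph above.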
@@ -28,7 +28,7 @@ This table relates key ITIL phases and processes to Microsoft Managed Desktop fe
|Service-level management | Response times are defined for admin support requests and incidents. | [Admin support for Microsoft Managed Desktop](working-with-managed-desktop/admin-support.md) | |Service catalog management | Service description detailing components of the service is kept true to state of the service, available to all current and interested customers.<br><br>Pre-requisites detailed to understand what is needed to operate the service. | - [Microsoft Managed Desktop service description](service-description/index.md)<br><br>- [Get ready for enrollment in Microsoft Managed Desktop](get-ready/index.md) | |Information security management | Security information, including information security for the service.<br><br> Security-related policies and other information on how devices are configured. | - [Security in Microsoft Managed Desktop](service-description/security.md)<br><br>- [Device configuration](service-description/device-policies.md) |
-|Availability management | Microsoft Managed Desktop balances responsibility with your organization to ensure availability of service.<br><br>Admins and users have routes to respective support in case of service or availability issues. | - [Microsoft Managed Desktop operations and monitoring](service-description/operations-and-monitoring.md)<br><br>- [Admin support for Microsoft Managed Desktop](working-with-managed-desktop/admin-support.md)<br>- [Getting help for users](working-with-managed-desktop/end-user-support.md) |
+|Availability management | Microsoft Managed Desktop balances responsibility with your organization to ensure availability of service.<br><br>Admins and users have routes to respective support if there are service or availability issues. | - [Microsoft Managed Desktop operations and monitoring](service-description/operations-and-monitoring.md)<br><br>- [Admin support for Microsoft Managed Desktop](working-with-managed-desktop/admin-support.md)<br>- [Getting help for users](working-with-managed-desktop/end-user-support.md) |
managed-desktop https://docs.microsoft.com/en-us/microsoft-365/managed-desktop/get-ready/apps-MCS https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/get-ready/apps-MCS.md
@@ -19,7 +19,7 @@ You can engage with Microsoft Consulting Services (MCS) to get your apps package
To work with MCS app packaging, **you must provide these elements**: -- The source installer files (e.g., setup.exe or .msi).
+- The source installer files (for example, setup.exe or .msi).
- The installation instructions, specifying details about how the final installation should look. For example, should there be a desktop shortcut to the app? What should the app's visibility be? Should the app connect to a server and if so, which one? For details, see the [application packaging request template](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/managed-desktop/get-ready/downloads/app-packaging-template.docx). - You must perform your own acceptance testing to verify that the app works as you need it to in your environment.
@@ -35,11 +35,11 @@ Start the packaging process by uploading the app information to the Microsoft Ma
![calendar showing app inflow on a Thursday (the 21st in this example), media validation the next day, packaging on the following Monday (the 25th), and app delivery on the subsequent Friday (the 29th)](../../media/MCS-cal.png)
-You'll be notified once the app has been delivered. At that point, you have 21 days to perform acceptance testing and sign off on the work in the Microsoft Managed Desktop portal. If discover some problem with the app during your acceptance testing, reject the app in the Microsoft Managed Desktop portal and you will be connected via email with an MCS packager to understand and resolve the issue.
+You'll be notified once the app has been delivered. At that point, you have 21 days to perform acceptance testing and approve the work in the Microsoft Managed Desktop portal. If discover some problem with the app during your acceptance testing, reject the app in the Microsoft Managed Desktop portal and you will be connected via email with an MCS packager to understand and resolve the issue.
## Testing accounts and environment
-For the packaging team to complete the migration to Microsoft Intune we recommend that you provide certain permissions:
+For the packaging team to complete the migration to Microsoft Intune, we recommend that you provide certain permissions:
- Access to Microsoft IntuneΓÇÖs App Deployment capabilities for the packager to add and assign the app - Test groups, user accounts, and licenses for the packagers to be able to test the apps
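Review bot: the rewritten sentence in the delivery paragraph still reads "If discover some problem with the app", with the subject missing; since the line is being touched anyway, change it to "If you discover a problem with the app". The same paragraph mixes "You'll be notified" with "you will be connected"; use the contraction in both places for consistency.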
managed-desktop https://docs.microsoft.com/en-us/microsoft-365/managed-desktop/get-ready/apps https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/get-ready/apps.md
@@ -1,6 +1,6 @@
--- title: Apps in Microsoft Managed Desktop
-description:
+description: Explains how apps are handled, including how to package, deploy, and support them.
keywords: Microsoft Managed Desktop, Microsoft 365, service, documentation ms.service: m365-md author: jaimeo
@@ -42,7 +42,7 @@ There are still certain things you need to do with these apps:
## Apps you provide
-Of course, you probably have a number of other apps you need for your business operations. These can only be deployed to Microsoft Managed Desktop devices by using Microsoft IntuneΓÇÖs deployment pipeline. If the app needs it you can have them packaged by a vendor (which could be a non-Microsoft vendor or Microsoft Consulting Services (MCS)) or if you have the means, you can package them yourself. You then add these packages to the Microsoft Managed Desktop portal and assign them to Azure Active Directory groups to trigger the deployment.
+You probably have other apps you need for your business operations. These apps can only be deployed to Microsoft Managed Desktop devices by using Microsoft IntuneΓÇÖs deployment pipeline. If the app needs it you can have them packaged by a vendor (which could be a non-Microsoft vendor or Microsoft Consulting Services (MCS)) or if you have the means, you can package them yourself. You then add these packages to the Microsoft Managed Desktop portal and assign them to Azure Active Directory groups to trigger the deployment.
If you currently deploy your apps by using Microsoft Endpoint Configuration Manager, Microsoft Managed Desktop can provide you with a query to assess your apps and discover which ones are ready for to migrate to Microsoft Intune and which ones might require some adjustment.
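Review bot: in the rewritten "Apps you provide" paragraph, "If the app needs it you can have them packaged" switches from singular to plural and lacks the comma after the introductory clause; suggest "If an app needs it, you can have it packaged by a vendor". The unchanged line that follows still says "ready for to migrate to Microsoft Intune", which should lose the stray "for" in the same pass.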
@@ -51,23 +51,19 @@ If you currently deploy your apps by using Microsoft Endpoint Configuration Mana
Review your apps, checking: - None of the apps are prohibited or have restricted behavior, as described in [Microsoft Managed Desktop app requirements](https://aka.ms/app-req).-- Apps must be ready for management by Microsoft Intune. For more about this, see [Windows 10 app deployment using Microsoft Intune](https://docs.microsoft.com/intune/apps-windows-10-app-deploy) and [Add apps to Microsoft Intune](https://docs.microsoft.com/intune/apps-add).
+- Apps must be ready for management by Microsoft Intune. For more about this topic, see [Windows 10 app deployment using Microsoft Intune](https://docs.microsoft.com/intune/apps-windows-10-app-deploy) and [Add apps to Microsoft Intune](https://docs.microsoft.com/intune/apps-add).
- Other pre-packaging requirements such as providing license keys, agreement with license terms, and pre-setting server connections. ### Decide how to package apps
-Some independent software vendors might require that your apps are packaged before they are centrally deployed. ΓÇ£PackagingΓÇ¥ means that the appΓÇÖs installer is configured with settings like license keys, remote server locations, or desktop shortcuts so that the app can be installed in the background.
+Some independent software publishers might require that your apps are packaged before they are centrally deployed. ΓÇ£PackagingΓÇ¥ means that the appΓÇÖs installer is configured with settings like license keys, remote server locations, or desktop shortcuts so that the app can be installed in the background.
There are three options to get your apps packaged: - You can package apps yourself - You can work with a non-Microsoft vendor-- You can engage with MCS to package your apps. Work with your Microsoft account representative. For more details, see [Working with Microsoft Consulting Services](apps-MCS.md).----
+- You can engage with MCS to package your apps. Work with your Microsoft account representative. For more information, see [Working with Microsoft Consulting Services](apps-MCS.md).
managed-desktop https://docs.microsoft.com/en-us/microsoft-365/managed-desktop/get-ready/authentication https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/get-ready/authentication.md
@@ -13,7 +13,7 @@ ms.topic: article
# Prepare on-premises resources access for Microsoft Managed Desktop
-In Microsoft Managed Desktop, devices are automatically joined to Azure Active Directory (Azure AD). This means that if you are using an on-premises Active Directory, you'll have to check some things to ensure that devices joined to Azure AD can communicate with your on-premises Active Directory.
+In Microsoft Managed Desktop, devices are automatically joined to Azure Active Directory (Azure AD). For this reason, if you are using an on-premises Active Directory, you'll have to check some things to ensure that devices joined to Azure AD can communicate with your on-premises Active Directory.
> [!NOTE] > *Hybrid* Azure AD join is not supported by Microsoft Managed Desktop.
@@ -23,7 +23,7 @@ Azure Active Directory lets your users take advantage of Single Sign-On (SSO), w
For information about joining Azure Active Directory, refer to [How to: Plan your Azure AD join implementation](https://docs.microsoft.com/azure/active-directory/devices/azureadjoin-plan). For background information about Single Sign-On (SSO) on devices joined to Azure AD, see [How SSO to on-premises resources works on Azure AD joined devices](https://docs.microsoft.com/azure/active-directory/devices/azuread-join-sso#how-it-works).
-This topic explains the things you need to check in order to ensure that apps and other resources that depend on local Active Directory connectivity will work smoothly with Microsoft Managed Desktop.
+This article explains the things you need to check in order to ensure that apps and other resources that depend on local Active Directory connectivity will work smoothly with Microsoft Managed Desktop.
## Single Sign-On for on-premises resources
@@ -32,7 +32,7 @@ Single Sign-On (SSO) by using UPN and password is enabled by default on Microsof
### Single Sign-On by using UPN and password
-In most organizations, your users will be able to use SSO to authenticate by UPN and password on Microsoft Managed Desktop Devices. However, to make sure this will work, you should double-check the following:
+In most organizations, your users will be able to use SSO to authenticate by UPN and password on Microsoft Managed Desktop Devices. However, to make sure this function will work, you should double-check the following things:
- Confirm that Azure AD Connect is set up and uses an on-premises Active Directory server running Windows Server 2008 R2 or later. - Confirm that Azure AD Connect is running a supported version and is set to sync these three attributes with Azure AD:
@@ -53,13 +53,13 @@ Refer to [Understand considerations for applications and resources](https://docs
- If you use **cloud-based apps**, such as those added to the Azure AD app gallery, most don't require any further preparation to work with Microsoft Managed Desktop. However, any Win32 apps that don't use Web Account Manager (WAM) might still prompt users for authentication. -- For apps that are **hosted on-premises**, be sure to add those apps to the trusted sites list in your browsers. This will enable Windows authentication to work seamlessly, without users being prompted for credentials. To do this, refer to [Trusted sites](https://docs.microsoft.com/microsoft-365/managed-desktop/working-with-managed-desktop/config-setting-ref#trusted-sites) in the [Configurable settings reference](https://docs.microsoft.com/microsoft-365/managed-desktop/working-with-managed-desktop/config-setting-ref).
+- For apps that are **hosted on-premises**, be sure to add those apps to the trusted sites list in your browsers. This step will enable Windows authentication to work seamlessly, without users being prompted for credentials. To add apps, refer to [Trusted sites](https://docs.microsoft.com/microsoft-365/managed-desktop/working-with-managed-desktop/config-setting-ref#trusted-sites) in the [Configurable settings reference](https://docs.microsoft.com/microsoft-365/managed-desktop/working-with-managed-desktop/config-setting-ref).
- If you are using Active Directory Federated Services, check that SSO is enabled by using the steps in [Verify and manage single sign-on with AD FS](https://docs.microsoft.com/previous-versions/azure/azure-services/jj151809(v=azure.100)). - For apps that are **on-premises and use older protocols**, no extra setup is required, as long as the devices have access to an on-premises domain controller to authenticate. To provide secure access for these applications, however, you should deploy Azure AD Application Proxy. For more information, see [Remote access to on-premises applications through Azure Active Directory's Application Proxy](https://docs.microsoft.com/azure/active-directory/manage-apps/application-proxy). -- Apps that run **on-premises and rely on machine authentication** aren't supported, so you should consider replacing these with newer versions.
+- Apps that run **on-premises and rely on machine authentication** aren't supported, so you should consider replacing them with newer versions.
### Network shares that use authentication
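Review bot: in the on-premises bullet, "To add apps, refer to [Trusted sites]" is ambiguous, because the preceding sentence is about entries in the browser's trusted sites list rather than about adding apps in general; suggest "To add these sites, refer to". Because the bullet says this step lets Windows authentication proceed without a credential prompt, it would also help to say that only the specific on-premises hosts that need it should be listed.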
managed-desktop https://docs.microsoft.com/en-us/microsoft-365/managed-desktop/get-ready/certs-wifi-lan https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/get-ready/certs-wifi-lan.md
@@ -23,7 +23,7 @@ Because Microsoft Managed Desktop devices are joined to Azure Active Directory (
Root certificates are required to deploy certificates through a SCEP or PKCS infrastructure. Other applications and services in your organization might require root certificates to be deployed to your Microsoft Managed Desktop devices.
-Before you deploy SCEP or PKCS certificates to Microsoft Managed Desktop, you should gather requirements for each service that requires a user or device certificate in your organization. To make this easier, you can use one of the following planning templates:
+Before you deploy SCEP or PKCS certificates to Microsoft Managed Desktop, you should gather requirements for each service that requires a user or device certificate in your organization. To make this activity easier, you can use one of the following planning templates:
- [PKCS certificate template](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/managed-desktop/get-ready/downloads/PKCS-certificate-template.xlsx) - [SCEP certificate template](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/managed-desktop/get-ready/downloads/SCEP-certificate-template.xlsx)
@@ -33,12 +33,12 @@ Before you deploy SCEP or PKCS certificates to Microsoft Managed Desktop, you sh
To allow a device to be automatically provided with the required Wi-Fi configuration for your enterprise network, you might need a Wi-Fi configuration profile. You can configure Microsoft Managed Desktop to deploy these profiles to your devices. If your network security requires devices to be part of the local domain, you might also need to evaluate your Wi-Fi network infrastructure to make sure it's compatible with Microsoft Managed Desktop devices (Microsoft Managed Desktop devices are Azure AD-joined only).
-Before you deploy a Wi-Fi configuration to Microsoft Managed Desktop devices, you will be required to gather your organizationΓÇÖs requirements for each Wi-Fi network. To make this easier, you can use this [WiFi profile template](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/managed-desktop/get-ready/downloads/WiFi-profile-template.xlsx).
+Before you deploy a Wi-Fi configuration to Microsoft Managed Desktop devices, you will be required to gather your organizationΓÇÖs requirements for each Wi-Fi network. To make this activity easier, you can use this [WiFi profile template](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/managed-desktop/get-ready/downloads/WiFi-profile-template.xlsx).
## Wired connectivity requirements and 802.1x authentication
-If you use 802.1x authentication to secure access from devices to your local area network (LAN) you will need to push the required configuration details to your Microsoft Managed Desktop devices. Microsoft Managed Desktop devices running Windows 10, version 1809 or later support deploying an 802.1x configuration through the WiredNetwork configuration service provider (CSP). For more information, see [WiredNetwork CSP](https://docs.microsoft.com/windows/client-management/mdm/wirednetwork-csp) documentation.
+If you use 802.1x authentication to secure access from devices to your local area network (LAN), you will need to push the required configuration details to your Microsoft Managed Desktop devices. Microsoft Managed Desktop devices running Windows 10, version 1809 or later support deploying an 802.1x configuration through the WiredNetwork configuration service provider (CSP). For more information, see [WiredNetwork CSP](https://docs.microsoft.com/windows/client-management/mdm/wirednetwork-csp) documentation.
Before you deploy a wired network configuration profile to Microsoft Managed Desktop devices, gather your organizationΓÇÖs requirements for your wired corporate network. To do so, follow these steps:
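Review bot: the rewritten Wi-Fi sentence uses "Wi-Fi" in the text but "WiFi profile template" as the link text; use one spelling. In the wired section, the standard's name is written 802.1X with a capital X, so the heading and the changed paragraph should both say 802.1X.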
@@ -52,7 +52,7 @@ Before you deploy a wired network configuration profile to Microsoft Managed Des
## Deploy certificate infrastructure
-If you already have an existing SCEP or PKCS infrastructure with Intune and this meets your requirements, you can also use it for Microsoft Managed Desktop. If no SCEP or PKCS infrastructure already exists, you'll have to prepare one.
+If you already have an existing SCEP or PKCS infrastructure with Intune and this approach meets your requirements, you can also use it for Microsoft Managed Desktop. If no SCEP or PKCS infrastructure already exists, you'll have to prepare one.
For more information, see [Configure a certificate profile for your devices in Microsoft Intune](https://docs.microsoft.com/intune/certificates-configure).
managed-desktop https://docs.microsoft.com/en-us/microsoft-365/managed-desktop/get-ready/mapped-drives https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/get-ready/mapped-drives.md
@@ -43,7 +43,7 @@ It's entirely your responsibility to ensure that users and groups have and maint
Make sure that mapped drives cannot be avoided and you have carefully reviewed the requirements before submitting any service request. Then follow these steps:
-1. Navigate to [Microsoft Endpoint Manager](https://endpoint.microsoft.com/) and select "Troubleshooting + support" then look for "Service requests" under the Microsoft Managed Deskop section.
+1. Navigate to [Microsoft Endpoint Manager](https://endpoint.microsoft.com/) and select "Troubleshooting + support" then look for "Service requests" under the Microsoft Managed Desktop section.
2. Submit a support request titled ΓÇ£Mapped drives deploymentΓÇ¥ and provide all the required file share details. 3. Microsoft Managed Desktop IT Operations will advise, by using support request updates, when the request has been completed. Initially this configuration will only be deployed to devices in the Test deployment group. 4. You must test and confirm whether the configuration deployed by the Microsoft Managed Desktop IT Operations works as you expect. Reply using the Discussion tab in the details of the same support request to notify Microsoft Managed Desktop IT Operations once you've completed your testing.
managed-desktop https://docs.microsoft.com/en-us/microsoft-365/managed-desktop/get-ready/printing https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/get-ready/printing.md
@@ -16,7 +16,7 @@ ms.topic: article
As you get ready to enroll in Microsoft Managed Desktop, you should evaluate your printing requirements and determine the right approach for your environment. You have three options: - Deploy the Microsoft Universal Print solution to make it easy for Microsoft Managed Desktop devices to discover printers. For more information, see [What is Universal Print](https://docs.microsoft.com/universal-print/fundamentals/universal-print-whatis).-- Deploy printers directly by using a custom PowerShell script. Follow the steps in the [Set up local printers](#set-up-local-printers) section to do this.
+- Deploy printers directly by using a custom PowerShell script. Follow the steps in the [Set up local printers](#set-up-local-printers) section.
- Use a non-Microsoft cloud printing solution that is compatible with Windows 10 devices that are joined to an Azure Active Directory domain. The solution must meet the software requirements for Microsoft Managed Desktop. For more information, see [Microsoft Managed Desktop app requirements](../service-description/mmd-app-requirements.md). In all cases, if the printer drivers are not available from Microsoft Update or the Microsoft Store, you'll have to obtain them yourself and have them packaged for deployment to your Microsoft Managed Desktop devices with Microsoft Intune. For more, see [Intune Standalone - Win32 app management](https://docs.microsoft.com/mem/intune/apps/apps-win32-app-management)
managed-desktop https://docs.microsoft.com/en-us/microsoft-365/managed-desktop/get-ready/readiness-assessment-fix https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/get-ready/readiness-assessment-fix.md
@@ -216,7 +216,7 @@ Review apps you want your Microsoft Managed Desktop users to have.
**Advisory**
-You should prepare an inventory of the apps that you want your Microsoft Managed Desktop users to have. Since these apps must be deployed by Intune, evaluate re-using existing Intune apps. Consider using Company Portal (see [Install Intune Company Portal on devices](https://docs.microsoft.com/microsoft-365/managed-desktop/get-started/company-portal) and Enrollment Status Page (ESP) to distribute apps to your users. For more information, see [Apps in Microsoft Managed Desktop](apps.md) and [First-run experience with Autopilot and the Enrollment Status Page](https://docs.microsoft.com/microsoft-365/managed-desktop/get-started/esp-first-run).
+You should prepare an inventory of the apps that you want your Microsoft Managed Desktop users to have. Since these apps must be deployed by Intune, evaluate reusing existing Intune apps. Consider using Company Portal (see [Install Intune Company Portal on devices](https://docs.microsoft.com/microsoft-365/managed-desktop/get-started/company-portal) and Enrollment Status Page (ESP) to distribute apps to your users. For more information, see [Apps in Microsoft Managed Desktop](apps.md) and [First-run experience with Autopilot and the Enrollment Status Page](https://docs.microsoft.com/microsoft-365/managed-desktop/get-started/esp-first-run).
You can ask your Microsoft account representative for a query in Microsoft Endpoint Configuration Manager to identify those apps that are ready to migrate to Intune or need adjustment.
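Review bot: the parenthesis opened at "(see [Install Intune Company Portal on devices]" in the rewritten advisory is never closed, so the reference runs straight into "and Enrollment Status Page (ESP)"; close it after the link. "Company Portal" and "Enrollment Status Page" would also read better with "the" in front of them.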
@@ -244,7 +244,7 @@ You have an "update ring" policy that targets all devices, all users, or both. C
**Advisory**
-Make sure that any update ring policies you have exclude the **Modern Workplace Devices -All** Azure AD group. If you have assigned Azure AD user group to these policies, make sure that any update ring policies you have also excluded the **Modern Workplace -All** Azure AD group which includes your Microsoft Managed Desktop users. For steps, see [Manage Windows 10 software updates in Intune](https://docs.microsoft.com/mem/intune/protect/windows-update-for-business-configure). Both the **Modern Workplace Devices -All** and **Modern Workplace -All** Azure AD groups are assigned groups that we create when you enroll in Microsoft Managed Desktop, so you'll have to come back to exclude this group after enrollment.
+Make sure that any update ring policies you have exclude the **Modern Workplace Devices -All** Azure AD group. If you have assigned Azure AD user group to these policies, make sure that any update ring policies you have also excluded the **Modern Workplace -All** Azure AD group that includes your Microsoft Managed Desktop users. For steps, see [Manage Windows 10 software updates in Intune](https://docs.microsoft.com/mem/intune/protect/windows-update-for-business-configure). Both the **Modern Workplace Devices -All** and **Modern Workplace -All** Azure AD groups are assigned groups that we create when you enroll in Microsoft Managed Desktop, so you'll have to come back to exclude this group after enrollment.
## Azure Active Directory settings
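Review bot: the second sentence of the rewritten advisory is still ungrammatical: "If you have assigned Azure AD user group to these policies, make sure that any update ring policies you have also excluded the" needs "Azure AD user groups" and "also exclude". The closing clause says "come back to exclude this group" although two groups are named just before it; "these groups" matches.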
@@ -288,7 +288,7 @@ You have at least one account name that will conflict with ones created by Micro
### Security administrator roles
-Users with certain security roles must have those assigned in Microsoft Defender for Endpoint.
+Users with certain security roles must have those roles assigned in Microsoft Defender for Endpoint.
**Advisory**
managed-desktop https://docs.microsoft.com/en-us/microsoft-365/managed-desktop/get-ready/readiness-assessment-tool https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/get-ready/readiness-assessment-tool.md
@@ -13,11 +13,11 @@ ms.topic: article
# Readiness assessment tool
-For the smoothest possible experience when you enroll in Microsoft Managed Desktop, there are a number of settings and other parameters you must set ahead of time. You can use this tool to check those settings and receive detailed steps for fixing any that aren't right.
+For the smoothest possible experience when you enroll in Microsoft Managed Desktop, there are important settings and other parameters you must set ahead of time. You can use this tool to check those settings and receive detailed steps for fixing any that aren't right.
The tool checks settings in Microsoft Endpoint Manager (specifically, Microsoft Intune), Azure Active Directory (Azure AD), and Microsoft 365 to ensure they will work with Microsoft Managed Desktop. Microsoft Managed Desktop retains the data associated with these checks for 12 months after the last time you run a check in your Azure AD organization (tenant). After 12 months, we retain it in de-identified form. You can choose to delete the data we collect.
-Anyone with at least the Intune Administrator role will be able to run this tool, but two of the checks ([Conditional access policies](readiness-assessment-fix.md#conditional-access-policies) and [Multifactor authentication](readiness-assessment-fix.md#multifactor-authentication) require additional permissions.
+Anyone with at least the Intune Administrator role will be able to run this tool, but two of the checks ([Conditional access policies](readiness-assessment-fix.md#conditional-access-policies) and [Multifactor authentication](readiness-assessment-fix.md#multifactor-authentication) require more permissions.
The assessment tool checks these items:
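Review bot: the parenthesis opened before "[Conditional access policies]" in the rewritten sentence is not closed after the Multifactor authentication link. "require more permissions" also leaves the reader guessing; name the role or permission those two checks need, so that admins can grant exactly that rather than a broader role.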
managed-desktop https://docs.microsoft.com/en-us/microsoft-365/managed-desktop/get-started/access-admin-portal https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/get-started/access-admin-portal.md
@@ -1,6 +1,7 @@
--- title: Access the Admin portal keywords: Microsoft Managed Desktop, Microsoft 365, service, documentation
+description: How to find and use the Admin portal, including controlling access to it.
ms.service: m365-md ms.author: jaimeo author: jaimeo
@@ -13,17 +14,17 @@ manager: laurawi
# Access the admin portal
-Your gateway to the Microsoft Managed Desktop service is the Microsoft [Azure portal](https://portal.azure.com). For more about using and customizing your Azure portal experience generally, see the [Azure portal documentation](https://docs.microsoft.com/azure/azure-portal/). Available in preview now, you can also find Microsoft Managed Desktop in the [Microsoft Endpoint Manager](https://endpoint.microsoft.com/). If you are unfamiliar with the capabilities of this portal for device management see the [Microsoft Endpoint Manager documentation](https://docs.microsoft.com/mem/).
+Your gateway to the Microsoft Managed Desktop service is the Microsoft [Azure portal](https://portal.azure.com). For more about using and customizing your Azure portal experience generally, see the [Azure portal documentation](https://docs.microsoft.com/azure/azure-portal/). Available in preview now, you can also find Microsoft Managed Desktop in the [Microsoft Endpoint Manager](https://endpoint.microsoft.com/). If you are unfamiliar with the capabilities of this portal for device management, see the [Microsoft Endpoint Manager documentation](https://docs.microsoft.com/mem/).
> [!NOTE]
-> However you choose to accesss Microsoft Managed Desktop, in [Microsoft Endpoint Manager](https://endpoint.microsoft.com/) or the [Azure portal](https://portal.azure.com), the following browsers are supported:
+> However you choose to access Microsoft Managed Desktop, in [Microsoft Endpoint Manager](https://endpoint.microsoft.com/) or the [Azure portal](https://portal.azure.com), the following browsers are supported:
> - Microsoft Edge (latest version) > - Microsoft Internet Explorer 11 > - Safari (latest version, Mac only) > - Chrome (latest version) > - Firefox (latest version)
-Your administrative account needs specific permissions in order to access the Microsoft Managed Desktop administrative features in either Azure portal or Microsoft Endpoint Manager. You can manage admin access to these features within your organization by using Role-based Access Control (RBAC). Several Azure Active Directory (Azure AD) administrator roles and built-in custom roles are available to provide more granular control to different features within the Microsoft Managed Desktop Admin portal. For more information about Azure Active Directory roles, see [Administrator role permissions in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles). Unlike Azure AD administrator roles that apply to a variety of Microsoft products and services, custom roles are specific to Microsoft Managed Desktop and will only guarantee access to the Admin features for this service. Admins can assign custom roles to users individually or in combination with Azure AD administrator roles to add Microsoft Managed Desktop permissions to existing admin accounts.
+Your administrative account needs specific permissions in order to access the Microsoft Managed Desktop administrative features in either Azure portal or Microsoft Endpoint Manager. You can manage admin access to these features within your organization by using Role-based Access Control (RBAC). Several Azure Active Directory (Azure AD) administrator roles and built-in custom roles are available to provide more granular control to different features within the Microsoft Managed Desktop Admin portal. For more information about Azure Active Directory roles, see [Administrator role permissions in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles). Unlike Azure AD administrator roles that apply to various Microsoft products and services, custom roles are specific to Microsoft Managed Desktop and will only guarantee access to the Admin features for this service. Admins can assign custom roles to users individually or in combination with Azure AD administrator roles to add Microsoft Managed Desktop permissions to existing admin accounts.
Each of the roles below can be assigned to provide different levels of access:
@@ -51,15 +52,15 @@ Each of the roles below can be assigned to provide different levels of access:
## Assigning roles to administrators
-If you need help assigning Azure Active Directory roles, see [Administrator role permissions in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles).
+If you need help with assigning Azure Active Directory roles, see [Administrator role permissions in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles).
-For easy management of the built-in roles, a security group has been created for each custom role (for example, ΓÇ£Modern Workplace Roles ΓÇô Security ManagerΓÇ¥). To assign users to one of the security groups, follow these steps:
-1. Go the Microsoft Endpoint Manager portal
-2. Select Groups on the left-hand side.
-3. Search for Modern Workplace Roles, and then select the group associated with the role you want to assign.
-4. Select Members on the left-hand side, and then select + Add members on the command bar.
-5. Enter the email of the person being added. If they are an external user, you have to invite them before you can assign the group.
-6. Select Select at the bottom.
+To make it easy to manage built-in roles, there is a security group for each custom role (for example, ΓÇ£Modern Workplace Roles ΓÇô Security ManagerΓÇ¥). To assign users to one of the security groups, follow these steps:
+1. Go the Microsoft Endpoint Manager portal.
+2. Select **Groups** on the left side.
+3. Search for **Modern Workplace Roles**, and then select the group associated with the role you want to assign.
+4. Select **Members** on the left side, and then select **+ Add members** on the command bar.
+5. Enter the email of the person being added. If they are a guest, you must invite them before you can assign the group.
+6. Select **Select** at the bottom.
> [!NOTE] > Nesting security groups for role assignment is not currently supported.
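Review bot: step 1 of the rewritten procedure reads "Go the Microsoft Endpoint Manager portal."; the period was added but the missing "to" was kept. Step 5 now says "guest" where the old text said "external user"; confirm that this matches the term the portal shows, since the step tells the admin to invite that account before assigning the group.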
managed-desktop https://docs.microsoft.com/en-us/microsoft-365/managed-desktop/get-started/assign-licenses https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/get-started/assign-licenses.md
@@ -13,10 +13,10 @@ ms.topic: article
# Assign licenses
-As part of preparing to enroll in Microsoft Managed Desktop, you'll need to be sure you've obtained the necessary licenses. If you haven't already done this, see [More about licenses](../get-ready/prerequisites.md#more-about-licenses) for details about exactly which licenses you need.
+As part of preparing to enroll in Microsoft Managed Desktop, you'll need to be sure you've obtained the necessary licenses. If you haven't already obtained the licenses, see [More about licenses](../get-ready/prerequisites.md#more-about-licenses) for details about exactly which licenses you need.
-If your license are all lined up, it's time now to assign them to your users. To do this, we recommend that you take advantage of the [group-based licensing feature](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-licensing-whatis-azure-portal) of Azure Active Directory.
+If your licenses are all lined up, it's time now to assign them to your users. To assign licenses, we recommend that you take advantage of the [group-based licensing feature](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-licensing-whatis-azure-portal) of Azure Active Directory.
If you have any difficulty with license assignment, contact Admin [support](../working-with-managed-desktop/admin-support.md).
@@ -24,7 +24,7 @@ If you have any difficulty with license assignment, contact Admin [support](../w
1. [Add and verify admin contacts in the Admin portal](add-admin-contacts.md) 2. [Adjust conditional access](conditional-access.md)
-3. Assign licenses (this topic)
+3. Assign licenses (this article)
4. [Deploy Intune Company Portal](company-portal.md) 5. [Enable Enterprise State Roaming](enterprise-state-roaming.md) 6. [Set up devices](set-up-devices.md)
managed-desktop https://docs.microsoft.com/en-us/microsoft-365/managed-desktop/get-started/edge-browser-app https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/get-started/edge-browser-app.md
@@ -21,11 +21,11 @@ The new [Microsoft Edge browser](https://www.microsoft.com/edge) provides world-
To migrate your Microsoft Managed Desktop devices to the new Microsoft Edge browser, file an IT Support Ticket through the Microsoft Managed Desktop Portal. We will deploy the Edge Stable channel to the Test Group when you file the ticket, and then deploy it in each subsequent deployment group every 24 hours. To pause the deployment, file another ticket asking Operations to hold.
-The [Beta Channel](https://docs.microsoft.com/deployedge/microsoft-edge-channels#beta-channel) is also available upon request for representative validation within your organization. Microsoft Managed Desktop will deploy the application as required to the Test and First Groups so that all of those users have the Beta Channel in addition to the Stable Channel. For any additional users who need access to the Beta Channel please add them to the **Modern Workplace - Edge Beta Users** group and have them install it from the Company Portal
+The [Beta Channel](https://docs.microsoft.com/deployedge/microsoft-edge-channels#beta-channel) is also available upon request for representative validation within your organization. Microsoft Managed Desktop will deploy the application as required to the Test and First Groups so that all of those users have the Beta Channel in addition to the Stable Channel. For any other users who need access to the Beta Channel, add them to the **Modern Workplace - Edge Beta Users** group and have them install it from the Company Portal
## Updates to Microsoft Edge
-Microsoft Managed Desktop deploys the [Stable channel](https://docs.microsoft.com/deployedge/microsoft-edge-channels#stable-channel) of Microsoft Edge which is auto-updated about every six weeks. Updates on the Stable channel are rolled out [progressively](https://docs.microsoft.com/deployedge/microsoft-edge-update-progressive-rollout) by the Microsoft Edge product group in order to ensure the best experience for customers.
+Microsoft Managed Desktop deploys the [Stable channel](https://docs.microsoft.com/deployedge/microsoft-edge-channels#stable-channel) of Microsoft Edge, which is auto-updated about every six weeks. Updates on the Stable channel are rolled out [progressively](https://docs.microsoft.com/deployedge/microsoft-edge-update-progressive-rollout) by the Microsoft Edge product group in order to ensure the best experience for customers.
The [Beta Channel](https://docs.microsoft.com/deployedge/microsoft-edge-channels#beta-channel) is deployed to devices in both the Test and First groups for representative validation within the organization. This channel is fully supported and is auto-updated with new features approximately every six weeks.
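Review bot: The rewritten Beta Channel paragraph still ends without a period ("...have them install it from the Company Portal"); add it while the line is being touched. In the Stable channel line, "in order to ensure" can be shortened to "to ensure".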
@@ -50,21 +50,21 @@ Microsoft Managed Desktop sets this policy to prevent Chrome extensions from bei
**Default value:** Disabled
-By disabling this policy, Microsoft Edge will only use native messaging hosts installed on the system level. Native messaging hosts are a part of Chrome extensions which allow for the browser to interact with other parts of userΓÇÖs endpoint, creating a variety of security concerns.
+By disabling this policy, Microsoft Edge will only use native messaging hosts installed on the system level. Native messaging hosts are a part of Chrome extensions, which allow for the browser to interact with other parts of userΓÇÖs endpoint, creating a variety of security concerns.
-### Secure Sockets Layer (SSL)
+### Secure Sockets Layer (TLS/SSL)
-#### Minimum SSL version
+#### Minimum TLS version
**Default value:** Minimum TLS 1.2 supported
-If you want to use the less secure TLS 1.1, you can request this.
+If you want to use the less secure TLS 1.1, you can file a request to do so.
#### Allows users to proceed from the SSL warning page **Default value:** Disabled
-We don't recommend enabling this setting since it allows users to visit sites with SSL errors.
+We don't recommend enabling this setting since it allows users to visit sites with TSL errors.
### Microsoft Defender SmartScreen
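Review bot: The added line under "Allows users to proceed from the SSL warning page" says "sites with TSL errors"; that should be "TLS errors". The new heading "Secure Sockets Layer (TLS/SSL)" still spells out the SSL name while the subsection below it now says "Minimum TLS version", so pick one term for the section (for example "Transport Layer Security (TLS)") and keep "SSL" only where it is the literal name of a setting. In the native messaging line, the added comma before "which allow" makes the clause read as describing Chrome extensions rather than native messaging hosts, and "of user's endpoint" needs an article ("the user's endpoint").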
@@ -92,7 +92,7 @@ We do not recommend disabling this setting since that would allow users to ignor
**Default value:** Disabled
-We don't recommend using Flash because of associated security risks. If you still have processes which depend on Flash, set the **[PluginsAllowedForUrls](https://docs.microsoft.com/deployedge/microsoft-edge-policies#pluginsallowedforurls)** policy to enable Flash for sites which need it. If you can't maintain an allowed list of sites to use Flash, file a change request to change the value to **Click to Play**, which allows users choose when it's appropriate to run Flash.
+We don't recommend using Flash because of associated security risks. If you still have processes that depend on Flash, set the **[PluginsAllowedForUrls](https://docs.microsoft.com/deployedge/microsoft-edge-policies#pluginsallowedforurls)** policy to enable Flash for sites that need it. If you can't maintain an allowed list of sites to use Flash, file a change request to change the value to **Click to Play**, which allows users choose when it's appropriate to run Flash.
### Password manager
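Review bot: The last sentence of the added Flash paragraph still reads "which allows users choose when it's appropriate to run Flash"; it is missing "to" ("allows users to choose"). The line is already being edited for which/that, so fix it in the same pass.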
@@ -110,7 +110,7 @@ Microsoft Managed Desktop enables Internet Explorer mode for your devices by def
#### Internet Explorer mode integration **Default Value:** Internet Explorer mode
-By default, devices are set to use Internet Explorer mode, but you can set them to open sites in a standalone Internet Explorer 11 window instead. To change this, file a support request.
+By default, devices are set to use Internet Explorer mode, but you can set them to open sites in a standalone Internet Explorer 11 window instead. To change this behavior, file a support request.
#### Add sites to the Enterprise Mode Site list For sites to open in Internet Explorer mode you must include them on the [Enterprise Site list](https://docs.microsoft.com/DeployEdge/edge-ie-mode-sitelist). Maintaining and deploying the Enterprise Site list is your responsibility. For details, see [Configure using the Configure Enterprise Mode Site List policy](https://docs.microsoft.com/DeployEdge/edge-ie-mode-policies#configure-using-the-configure-the-enterprise-mode-site-list-policy)
@@ -138,7 +138,7 @@ With this policy applied, the First Run Experience will skip the import section,
## Settings you manage
-You can deploy any Microsoft Edge settings not previously described by using the Administrative Templates profile in Microsoft Intune. For details, see [Configure Microsoft Edge policy settings with Microsoft Intune](https://docs.microsoft.com/deployedge/configure-edge-with-intune). If you want to evaluate a policy that is not currently included in the Microsoft Edge Administrative Templates in Intune you can use custom settings for Windows 10 devices in Intune.
+You can deploy any Microsoft Edge settings not previously described by using the Administrative Templates profile in Microsoft Intune. For details, see [Configure Microsoft Edge policy settings with Microsoft Intune](https://docs.microsoft.com/deployedge/configure-edge-with-intune). If you want to evaluate a policy that is not currently included in the Microsoft Edge Administrative Templates in Intune, you can use custom settings for Windows 10 devices in Intune.
### Enabling specific Chrome extensions
@@ -153,7 +153,7 @@ To ensure that Microsoft Edge updates correctly, do not modify the Microsoft Edg
### Other common enterprise policies
-Microsoft Edge offers a great many additional policies. These are some of the more common ones:
+Microsoft Edge offers a great many other policies. These are some of the more common ones:
- [Configure Sites on the Enterprise Site List and IE Mode](https://docs.microsoft.com/deployedge/edge-ie-mode-sitelist) - [Configure start-up, home page, and new tab page settings](https://docs.microsoft.com/deployedge/microsoft-edge-policies#startup-home-page-and-new-tab-page)
managed-desktop https://docs.microsoft.com/en-us/microsoft-365/managed-desktop/get-started/m365-apps https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/get-started/m365-apps.md
@@ -27,7 +27,7 @@ Microsoft Managed Desktop ensures that Microsoft 365 Apps for enterprise (64-bit
- Skype for Business - OneNote
-This approach minimizes network impact and ensures that users can be productive as soon as they receive their device. We then deploy additional policies to managed devices to set up the applications for use.
+This approach minimizes network impact and ensures that users can be productive as soon as they receive their device. We then deploy more policies to managed devices to set up the applications for use.
> [!NOTE] > Microsoft Teams is deployed separately from Microsoft 365 Apps for enterprise and is not included in the base image.
@@ -46,8 +46,8 @@ Microsoft 365 Apps are set to update on the [Monthly Enterprise Channel](https:/
Microsoft Managed Desktop staggers each release to identify any potential issues in your environment. We complete the rollout 28 days after the release from the Microsoft 365 App product group. Microsoft Managed Desktop schedules update releases to different groups to allow time for validation and testing as follows: -- Test: 0 days-- First: 0 days
+- Test: zero days
+- First: zero days
- Fast: 7 days - Broad: 21 days
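Review bot: The Test and First entries now read "zero days" while Fast and Broad keep numerals ("7 days", "21 days"), so the list mixes two styles. In a list of rollout delays the numeral is easier to scan, and "zero days" in security-adjacent documentation is easy to misread as the term "zero-day". Suggest "0 days" for both entries, matching the other two.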
@@ -61,7 +61,7 @@ During a release, Microsoft Managed Desktop monitors the error rates of all Micr
### Delivery optimization
-Delivery Optimization is a peer-to-peer distribution technology available in Windows 10. It allows devices to share content, such as updates, that the devices have downloaded from Microsoft over the internet. This can help reduce network bandwidth because a device can get portions of the update from another device on its local network instead of having to download the update completely from Microsoft.
+Delivery Optimization is a peer-to-peer distribution technology available in Windows 10. It allows devices to share content, such as updates, that the devices have downloaded from Microsoft over the internet. Using it can help reduce network bandwidth because a device can get portions of the update from another device on its local network instead of having to download the update completely from Microsoft.
[Delivery Optimization](https://docs.microsoft.com/deployoffice/delivery-optimization) is enabled by default on devices running the Windows 10 Enterprise or Windows 10 Education editions.
@@ -89,8 +89,8 @@ The **UpdateDeadline** policy is used to configure the grace period which users
This policy is configured differently for each update management device group and is required for Microsoft Managed Desktop to meet its update targets: -- Test: 0 days-- First: 0 days
+- Test: zero days
+- First: zero days
- Fast 7 days - Broad: 21 days
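Review bot: In the UpdateDeadline list the context entry "Fast 7 days" is missing the colon that the other entries have ("Fast: 7 days"); fix it with this change. The added "zero days" entries also sit beside numerals for Fast and Broad, so use one style for all four deadlines.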
@@ -145,7 +145,7 @@ Some organizations are concerned about users having access to both corporate and
## Settings you manage
-There are many other policies which Microsoft Managed Desktop does not yet set as a part of our service. You can configure these by using Microsoft Intune, which uses the [Office Cloud Policy](https://docs.microsoft.com/DeployOffice/overview-office-cloud-policy-service#how-the-policy-configuration-is-applied) service. To do this, follow these steps:
+There are many other policies which Microsoft Managed Desktop does not yet set as a part of our service. You can configure these policies by using Microsoft Intune, which uses the [Office Cloud Policy](https://docs.microsoft.com/DeployOffice/overview-office-cloud-policy-service#how-the-policy-configuration-is-applied) service. To set these policies, follow these steps:
1. Sign in to the Microsoft Endpoint Manager admin center. 2. Select **Apps > Policies for Office apps > Create**
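Review bot: The added line keeps "policies which Microsoft Managed Desktop does not yet set"; other lines in this update change a restrictive "which" to "that" ("processes that depend on Flash"), so use "that" here as well for consistency.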
managed-desktop https://docs.microsoft.com/en-us/microsoft-365/managed-desktop/get-started/register-devices-self https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/get-started/register-devices-self.md
@@ -11,7 +11,7 @@ ms.localizationpriority: medium
# Register new devices yourself
-Microsoft Managed Desktop can work with brand-new devices or you can re-use devices you might already have (which will require that you re-image them). You can register devices with Microsoft Managed Desktop in the Microsoft Endpoint Manager portal.
+Microsoft Managed Desktop can work with brand-new devices or you can reuse devices you might already have (which will require that you reimage them). You can register devices with Microsoft Managed Desktop in the Microsoft Endpoint Manager portal.
> [!NOTE] > Working with a partner to obtain devices? If so, you don't need to worry about getting the hardware hashes; they'll take care of that for you. Make sure your partner establishes a relationship with you at theΓÇ»[Partner Center](https://partner.microsoft.com/dashboard). Your partner can learn more atΓÇ»[Partner Center help](https://docs.microsoft.com/partner-center/request-a-relationship-with-a-customer). Once this relationship established, your partner will simply register devices on your behalf ΓÇô no further action required from you. If you want to see the details, or your partner has questions, see [Steps for Partners to register devices](register-devices-partner.md). Once the devices are registered, you can proceed with [checking the image](#check-the-image) and [delivering the devices](#deliver-the-device) to your users.
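Review bot: The note that follows the edited paragraph contains "Once this relationship established", which is missing a verb ("Once this relationship is established"). It is a context line here, but it is worth fixing in the same pass as the reuse/reimage wording.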
@@ -63,14 +63,14 @@ You can use the [Get-WindowsAutoPilotInfo.ps1](https://www.powershellgallery.com
### Merge hash data
-You'll need to have the data in the CSV files combined into a single file to complete registration. Here's a sample PowerShell script to make this easy:
+You'll need to have the data in the CSV files combined into a single file to complete registration. Here's a sample PowerShell script to make it easy:
`Import-CSV -Path (Get-ChildItem -Filter *.csv) | ConvertTo-Csv -NoTypeInformation | % {$_.Replace('"', '')} | Out-File .\aggregatedDevices.csv` #### Register devices by using the Admin Portal
-In [Microsoft Endpoint Manager](https://endpoint.microsoft.com/), select **Devices** in the left navigation pane. Look for the Microsoft Managed Desktop section of the menu and select **Devices**. In the Microsoft Managed Desktop Devices workspace, Select **+ Register devices** which opens a fly-in to register new devices.
+In [Microsoft Endpoint Manager](https://endpoint.microsoft.com/), select **Devices** in the left navigation pane. Look for the Microsoft Managed Desktop section of the menu and select **Devices**. In the Microsoft Managed Desktop Devices workspace, Select **+ Register devices**, which opens a fly-in to register new devices.
<!-- [![Fly-in after selecting Register devices, listing devices with columns for assigned users, serial number, status, last-seen date, and age](../../media/new-registration-ui.png)](../../media/new-registration-ui.png) -->
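Review bot: The sample script that the edited sentence introduces reads every *.csv in the current folder and writes aggregatedDevices.csv into that same folder, so a second run in the same place takes the previous output as input. It also removes every double quote, which assumes that no field contains a comma. Suggest saying in the edited sentence that the script should be run in a folder holding only the collected hash files, or writing the merged file elsewhere. In the Register devices paragraph, "Select **+ Register devices**" should be lower-case "select" mid-sentence.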
@@ -81,7 +81,7 @@ In [Microsoft Endpoint Manager](https://endpoint.microsoft.com/), select **Devic
Follow these steps: 1. In **File upload**, provide a path to the CSV file you created previously.
-3. Select **Register devices**. The system will add the devices to your list of devices on the **Devices blade**, marked as **Registration Pending**. Registration typically takes less than 10 minutes, and when successful the device will show as **Ready for user** meaning it's ready and waiting for a user to start using.
+3. Select **Register devices**. The system will add the devices to your list of devices on **Devices**, marked as **Registration Pending**. Registration typically takes less than 10 minutes, and when successful the device will show as **Ready for user** meaning it's ready and waiting for a user to start using.
You can monitor the progress of device registration on the main page. Possible states reported there include:
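Review bot: The steps shown in this hunk are numbered 1 and then 3, with no step 2 between them; renumber the edited step. In the same line, "will show as **Ready for user** meaning it's ready" needs a comma before "meaning".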
@@ -90,8 +90,8 @@ You can monitor the progress of device registration on the main page. Possible s
|---------------|-------------| | Registration Pending | Registration is not done yet. Check back later. | | Registration failed | Registration could not be completed. Refer to [Troubleshooting device registration](#troubleshooting-device-registration) for more information. |
-| Ready for user | Registration succeeded and the device is now ready to be delivered to the user. Microsoft Managed Desktop will guide them through first time set-up, so thereΓÇÖs no need for you to do any further preparations. |
-| Active | The device has been delivered to the user and they have registered with your tenant. This also indicates that they are regularly using the device. |
+| Ready for user | Registration succeeded and the device is now ready to be delivered to the user. Microsoft Managed Desktop will guide them through first-time set-up, so thereΓÇÖs no need for you to do any further preparations. |
+| Active | The device has been delivered to the user and they have registered with your tenant. This state also indicates that they are regularly using the device. |
| Inactive | The device has been delivered to the user and they have registered with your tenant. However, they have not used the device recently (in the last 7 days). | #### Troubleshooting device registration
managed-desktop https://docs.microsoft.com/en-us/microsoft-365/managed-desktop/get-started/register-reused-devices-self https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/get-started/register-reused-devices-self.md
@@ -1,6 +1,6 @@
--- title: Register existing devices yourself
-description: Register re-used devices you might already have yourself so they can be managed by Microsoft Managed Desktop
+description: Register reused devices you might already have yourself so they can be managed by Microsoft Managed Desktop
ms.prod: w10 author: jaimeo f1.keywords:
@@ -12,11 +12,11 @@ ms.localizationpriority: medium
# Register existing devices yourself >[!NOTE]
->This topic describes the steps for you to re-use devices you already have and register them in Microsoft Managed Desktop. If you are working with brand-new devices, follow the steps in [Register new devices in Microsoft Managed Desktop yourself](register-devices-self.md) instead.
+>This topic describes the steps for you to reuse devices you already have and register them in Microsoft Managed Desktop. If you are working with brand-new devices, follow the steps in [Register new devices in Microsoft Managed Desktop yourself](register-devices-self.md) instead.
The process for Partners is documented in [Steps for Partners to register devices](register-devices-partner.md).
-Microsoft Managed Desktop can work with brand-new devices or you can re-use devices you might already have (which will require that you re-image them). You can register devices with Microsoft Managed Desktop in the Microsoft Endpoint Manager portal.
+Microsoft Managed Desktop can work with brand-new devices or you can reuse devices you might already have (which will require that you reimage them). You can register devices with Microsoft Managed Desktop in the Microsoft Endpoint Manager portal.
## Prepare to register existing devices
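Review bot: The added note line still opens with "This topic describes the steps", while other files in this same update change "(this topic)" to "(this article)". Use "This article describes" here so the terminology change is applied consistently.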
@@ -51,7 +51,7 @@ If you've met all these prerequisites, you're ready to collect the information b
2. In the Monitoring workspace, expand the **Reporting** node, expand **Reports**, and select the **Hardware - General** node. 3. Run the report, **Windows Autopilot Device Information**, and view the results. 4. In the report viewer, select the **Export** icon, and choose the **CSV (comma-delimited)** option.
-5. After saving the file, you will need to filter results to just those devices you plan to register with Microsoft Managed Desktop and upload the data to Microsoft Managed Desktop. Open Microsoft Endpoint Manager and navigate to the **Devices** menu, then look for Microsoft Managed Desktop section and select **Devices**. Select **+ Register devices** which opens a fly-in to register new devices.
+5. After saving the file, you will need to filter results to just those devices you plan to register with Microsoft Managed Desktop and upload the data to Microsoft Managed Desktop. Open Microsoft Endpoint Manager and navigate to the **Devices** menu, then look for Microsoft Managed Desktop section and select **Devices**. Select **+ Register devices**, which opens a fly-in to register new devices.
Refer to [Register devices by using the Admin Portal](#register-devices-by-using-the-admin-portal) for more information.
@@ -59,7 +59,7 @@ Refer to [Register devices by using the Admin Portal](#register-devices-by-using
#### Active Directory PowerShell script method
-In an Active Directory environment, you can use the `Get-WindowsAutoPilotInfo` PowerShell cmdlet to remotely collect the information from devices in Active Directory Groups by using WinRM. You can also use the `Get-AD Computer` cmdlet and get filtered results for a specific hardware model names included in the catalog. To do this, first confirm these prerequisites, and then proceed with the steps:
+In an Active Directory environment, you can use the `Get-WindowsAutoPilotInfo` PowerShell cmdlet to remotely collect the information from devices in Active Directory Groups by using WinRM. You can also use the `Get-AD Computer` cmdlet and get filtered results for a specific hardware model name included in the catalog. Before you proceed, first confirm these prerequisites, and then proceed with the steps:
- WinRM is enabled. - The devices you want to register are active on the network (that is, they are not disconnected or turned off).
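Review bot: The added line keeps the cmdlet name as `Get-AD Computer` with a space; the Active Directory cmdlet is `Get-ADComputer`, and the spaced form will not run if a reader copies it. The new closing sentence also repeats itself ("Before you proceed, first confirm these prerequisites, and then proceed with the steps"); "First confirm these prerequisites, and then follow the steps" says the same thing.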
@@ -86,9 +86,9 @@ In an Active Directory environment, you can use the `Get-WindowsAutoPilotInfo` P
``` 3. Access any directories where there might be entries for the devices. Remove entries for each device from *all* directories, including Windows Server Active Directory Domain Services and
-Azure Active Directory. Be aware that this removal could take a few hours to completely process.
+Azure Active Directory. Be aware that removal could take a few hours to completely process.
-4. Access management services where there might be entries for the devices. Remove entries for each device from *all* management services, including Microsoft Endpoint Configuration Manager, Microsoft Intune, and Windows Autopilot. Be aware that this removal could take a few hours to completely process.
+4. Access management services where there might be entries for the devices. Remove entries for each device from *all* management services, including Microsoft Endpoint Configuration Manager, Microsoft Intune, and Windows Autopilot. Be aware that removal could take a few hours to completely process.
Now you can proceed to [register devices](#register-devices-by-using-the-admin-portal).
@@ -119,7 +119,7 @@ Now you can proceed to [register devices](#register-devices-by-using-the-admin-p
### Merge hash data
-If you collected the hardware hash data by the manual PowerShell or flash drive methods, you now need to have the data in the CSV files combined into a single file to complete registration. Here's a sample PowerShell script to make this easy:
+If you collected the hardware hash data by the manual PowerShell or flash drive methods, you now need to have the data in the CSV files combined into a single file to complete registration. Here's a sample PowerShell script to make it easy:
```powershell Import-CSV -Path (Get-ChildItem -Filter *.csv) | ConvertTo-Csv -NoTypeInformation | % {$_.Replace('"', '')} | Out-File .\aggregatedDevices.csv
@@ -130,7 +130,7 @@ With the hash data merged into one CSV file, you can now proceed to [register th
#### Register devices by using the Admin Portal
-In [Microsoft Endpoint Manager](https://endpoint.microsoft.com/), select **Devices** in the left navigation pane. Look for the Microsoft Managed Desktop section of the menu and select **Devices**. In the Microsoft Managed Desktop Devices workspace, Select **+ Register devices** which opens a fly-in to register new devices.
+In [Microsoft Endpoint Manager](https://endpoint.microsoft.com/), select **Devices** in the left navigation pane. Look for the Microsoft Managed Desktop section of the menu and select **Devices**. In the Microsoft Managed Desktop Devices workspace, Select **+ Register devices**, which opens a fly-in to register new devices.
<!-- Update with new picture [![Fly-in after selecting Register devices, listing devices with columns for assigned users, serial number, status, last-seen date, and age](../../media/new-registration-ui.png)](../../media/new-registration-ui.png) -->
@@ -151,7 +151,7 @@ You can monitor the progress of device registration on the main page. Possible s
|---------------|-------------| | Registration Pending | Registration is not done yet. Check back later. | | Registration failed | Registration could not be completed. Refer to [Troubleshooting device registration](#troubleshooting-device-registration) for more information. |
-| Ready for user | Registration succeeded and the device is now ready to be delivered to the user. Microsoft Managed Desktop will guide them through first time set-up, so thereΓÇÖs no need for you to do any further preparations. |
+| Ready for user | Registration succeeded and the device is now ready to be delivered to the user. Microsoft Managed Desktop will guide them through first-time set-up, so thereΓÇÖs no need for you to do any further preparations. |
| Active | The device has been delivered to the user and they have registered with your tenant. This also indicates that they are regularly using the device. | | Inactive | The device has been delivered to the user and they have registered with your tenant. However, they have not used the device recently (in the last 7 days). |
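Review bot: The Active row in this table still says "This also indicates that they are regularly using the device", while the identical row in register-devices-self.md is changed in this update to "This state also indicates". Apply the same wording here so the two state tables stay in sync.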
managed-desktop https://docs.microsoft.com/en-us/microsoft-365/managed-desktop/get-started/set-up-devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/get-started/set-up-devices.md
@@ -1,6 +1,6 @@
--- title: Set up devices for Microsoft Managed Desktop
-description:
+description: How to get new devices or reuse existing ones that qualify
keywords: Microsoft Managed Desktop, Microsoft 365, service, documentation ms.service: m365-md author: jaimeo
@@ -24,9 +24,9 @@ We recommend working with one of our approved device partners. You can work with
- Work with a partner to register the devices 4. [Get your users ready](get-started-devices.md) to use Microsoft Managed Desktop devices
-## To re-use existing devices
+## To reuse existing devices
-1. Review the list of [currently approved devices](../service-description/device-list.md) to identify which of your devices is approved for use with Microsoft Managed Desktop. If you re-use an existing device, you will have to re-image it.
+1. Review the list of [currently approved devices](../service-description/device-list.md) to identify which of your devices is approved for use with Microsoft Managed Desktop. If you reuse an existing device, you will have to reimage it.
2. Do either of the following: - [Register existing devices yourself](register-reused-devices-self.md) - Work with a partner to register the devices
@@ -39,6 +39,6 @@ We recommend working with one of our approved device partners. You can work with
3. [Assign licenses](assign-licenses.md) 4. [Deploy Intune Company Portal](company-portal.md) 5. [Enable Enterprise State Roaming](enterprise-state-roaming.md)
-6. Set up devices (this topic)
+6. Set up devices (this article)
7. [Get your users ready to use devices](get-started-devices.md) 8. [Deploy apps](deploy-apps.md)
managed-desktop https://docs.microsoft.com/en-us/microsoft-365/managed-desktop/intro/faq https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/intro/faq.md deleted file mode 100644
@@ -1,18 +0,0 @@
-title: Frequently Asked Questions
-description:
-keywords: Microsoft Managed Desktop, Microsoft 365, service, documentation
-ms.service: m365-md
-author: jaimeo
-ms.localizationpriority: normal
-ms.collection: M365-modern-desktop
-ms.author: jaimeo
-manager: laurawi
-ms.topic: article
-
-# FAQ for Microsoft Managed Desktop
-
-## COMING SOON
-
-This page is coming soon. Please check back with us.
managed-desktop https://docs.microsoft.com/en-us/microsoft-365/managed-desktop/intro/index https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/intro/index.md
@@ -1,6 +1,6 @@
---
-title: Is Microsoft Managed Desktop right for you
-description:
+title: Is Microsoft Managed Desktop right for you?
+description: Orientation for what the service is and shortcuts to articles for different audiences
keywords: Microsoft Managed Desktop, Microsoft 365, service, documentation ms.service: m365-md author: jaimeo
@@ -32,7 +32,7 @@ Your users will enjoy the latest versions of Windows 10 and Microsoft 365 Apps f
## Unique to Microsoft Managed Desktop
-Of course there's nothing stopping you from obtaining and managing your own devices and Microsoft 365 deployments yourself. So what does Microsoft Managed Desktop offer beyond that?
+Of course, there's nothing stopping you from obtaining and managing your own devices and Microsoft 365 deployments yourself. So what does Microsoft Managed Desktop offer beyond those things?
Our policies and security baseline offers your users these benefits:
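Review bot: In the added line, "beyond those things" has no clear plural antecedent and reads more awkwardly than the original; "beyond that" or "beyond managing everything yourself" is clearer. The context line after it has a subject-verb mismatch, "Our policies and security baseline offers", which should be "offer".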
@@ -66,10 +66,10 @@ We also monitor device health and provide you with insights about device perform
## Need more details? For more about the value of Microsoft Managed desktop, including customer stories, see [Microsoft Managed Desktop](https://aka.ms/mmd). Great places to get started with more are the [Roadmap](https://aka.ms/AA6jiam), a [Forrester Total Economic Impact case study](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/managed-desktop/intro/downloads/forrester-tei-study.pdf), and a downloadable [one-page summary](https://aka.ms/AA6ob3h). You can find the latest news at the Microsoft Managed Desktop [blog](https://aka.ms/AA6l2dd).
-If Microsoft Managed Desktop seems right for your organization, you can delve into additional documentation that explains more about the service, how to prepare your organization to enroll, how to get started with the service, and ongoing operations thereafter, including how you and your users can easily get help if needed. If you're already ready to come on board, start with contacting your [local account team](https://pages.email.office.com/contactmmd/).
+If Microsoft Managed Desktop seems right for your organization, you can delve into further documentation that explains more about the service, how to prepare your organization to enroll, how to get started with the service, and ongoing operations thereafter, including how you and your users can easily get help if needed. If you're already ready to come on board, start with contacting your [local account team](https://pages.email.office.com/contactmmd/).
**More overview and background**
-Primarily for technical and business decision makers, these topics detail the division of roles and responsibilities between your organization and Microsoft, more about the technologies used in Microsoft Managed Desktop, and how the service fits into a broader strategy as part of the ITIL framework.
+Primarily for technical and business decision makers, these articles detail the division of roles and responsibilities between your organization and Microsoft, more about the technologies used in Microsoft Managed Desktop, and how the service fits into a broader strategy as part of the ITIL framework.
- [Microsoft Managed Desktop roles and responsibilities](roles-and-responsibilities.md) - [Microsoft Managed Desktop technologies](technologies.md)
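Review bot: the rewritten paragraph still reads "If you're already ready to come on board, start with contacting", so the change to "further documentation" leaves the most awkward phrasing in place. Suggest "If you're ready to come on board, start by contacting your local account team." The first sentence is also long enough to split after "ongoing operations thereafter".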
managed-desktop https://docs.microsoft.com/en-us/microsoft-365/managed-desktop/intro/roles-and-responsibilities https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/intro/roles-and-responsibilities.md
@@ -25,7 +25,7 @@ Microsoft provides these key roles and responsibilities:
Role or responsibility | Description --- | ---
-MDM policy management | Microsoft will apply MDM policies according to best practices, and consider requests for policy changes. We'll also make changes to your tenant as prescribed in [Device policies](../service-description/device-policies.md).
+MDM policy management | Microsoft will apply MDM policies according to best practices and consider requests for policy changes. We'll also make changes to your tenant as prescribed in [Device policies](../service-description/device-policies.md).
user support | We provide user support for devices, Windows, and the Microsoft 365 Apps for enterprise product suite for all enrolled users through the Get Help app that's preinstalled on all Microsoft Managed Desktop devices. Microsoft Managed Desktop service support | Microsoft will provide support to your IT department through a Microsoft Managed Desktop Operations Team. This team will support technical troubleshooting, change requests, and incident management for the customerΓÇÖs Microsoft Managed Desktop environment. For more information, see [Admin support for Microsoft Managed Desktop](../working-with-managed-desktop/admin-support.md). Security monitoring | Microsoft will monitor your Microsoft Managed Desktop devices using Microsoft Defender for Endpoint. If the Microsoft Managed Desktop Security Operations Center (SOC) detects a threat, we will notify you, isolate the device, and rectify the issue remotely. For more information, see [Security](../service-description/security.md).
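Review bot: in the context rows below the changed line, the label "user support" is lowercase while every other label in this table ("MDM policy management", "Security monitoring") and the matching "User support" row in the customer table are capitalized. Since this hunk already touches the table, capitalize it here for consistency.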
@@ -34,7 +34,7 @@ User and device grouping | Microsoft Managed Desktop operations team will create
## Your roles and responsibilities
-This additional set of common roles and responsibilities is required for deployment, but aren't provided by Microsoft. ItΓÇÖs not exhaustive but is applicable for most organizations. There are a few items that both you and Microsoft share responsibility for.
+This set of common roles and responsibilities is required for deployment, but aren't provided by Microsoft. ItΓÇÖs not exhaustive but is applicable for most organizations. There are a few items that both you and Microsoft share responsibility for.
Role or responsibility | Description --- | ---
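Review bot: the new sentence has a subject-verb mismatch: "This set of common roles and responsibilities is required for deployment, but aren't provided by Microsoft." The subject is "set", so either use "isn't provided" or recast as "These common roles and responsibilities are required for deployment but aren't provided by Microsoft."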
@@ -44,7 +44,7 @@ Microsoft 365 Apps for enterprise configuration and management | Microsoft is re
User support | You must provide user support for: <br>- On-site infrastructure: all network and internet connectivity, VPN infrastructure and client configuration, local conference room equipment, printers, proxy server and configuration, and firewalls.<br><br>- Company-wide cloud resources: email, SharePoint, collaboration services, and other cloud infrastructure that relates to the company-wide technology footprint.<br><br>- Line of business and any other company-specific applications. Apps | Roles and responsibilities vary somewhat for the apps provided as part of Microsoft Managed Desktop versus the apps you provide. <br><br>For apps provided by Microsoft (Microsoft 365 Apps for enterprise comprising Word, Excel, PowerPoint, Outlook, Publisher, Access, Skype for Business, Teams, and OneNote), **Microsoft** will provide full service for the deployment, update, and support. **You** must obtain and assign licenses for these apps, add users to security groups, and manage end of life and deploy any add-ons you need.<br><br>For apps you provide (such as your line-of-business apps), whether you package them yourself or engage a non-Microsoft vendor to do so, **you** are responsible for these actions: <br><br>- Identifying applications needed for targeted user groups<br>- Creating and managing Azure AD groups for app deployment<br>- Packaging apps to meet Microsoft Intune deployment standards<br>- Uploading apps to Microsoft Intune<br>- Testing apps in Microsoft Managed Desktop environment<br>- Testing apps with your users<br>- Managing and assigning users to applications<br>- Identify and deploy application updates through Microsoft Intune<br>- Uninstalling and removing applications when they have been retired<br>- Procuring and assigning licenses<br>- Providing user support for line-of-business apps<br>- Managing app settings remotely<br><br>**Microsoft** will provide Microsoft Intune deployment tools to deliver the applications to remote clients.<br><br>For more 
information, see [Apps](../get-ready/apps.md). Security monitoring and response | You are responsible for investigating and resolving incidents for devices that aren't Microsoft Managed Desktop devices and ensuring that the Microsoft Managed Desktop Operations Team is informed of any issues that may impact the service.
-Operations support | You must provide a list of preferred contacts and subject matter experts in your organization. We need these in case of an operational incident unrelated to Microsoft Managed Desktop. <br><br>You're also responsible for investigating and resolving incidents for devices and services that aren't in Microsoft Managed Desktop and ensuring that the Microsoft Managed Desktop Operations Team is always informed.
+Operations support | You must provide a list of preferred contacts and subject matter experts in your organization. We need these contacts if there is an operational incident unrelated to Microsoft Managed Desktop. <br><br>You're also responsible for investigating and resolving incidents for devices and services that aren't in Microsoft Managed Desktop and ensuring that the Microsoft Managed Desktop Operations Team is always informed.
Network infrastructure, including VPN | You're responsible for setup, configuration, and management (including troubleshooting and debugging) of all networking-related infrastructure and services, including internet connectivity, network controls, proxy configuration, and remote connectivity infrastructure.<br><br>If a proxy is configured (in hardware or software), there is a collection of URLs that must be allowed by the proxy. You're responsible for troubleshooting any conflicts or incompatibilities due to multiple proxies. You can add network proxies specific to your organization using configurable settings. For more information, see [Configurable settings](../working-with-managed-desktop/config-setting-ref.md#proxy).<br><br>For more information, see [Proxy Configuration](../get-ready/network.md). Printing | You're responsible for installing, maintaining, and administering printers and print queues. Cloud printing is a recommended solution, but it isn't required.
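Review bot: the Operations support row repeats almost word for word the obligation already stated in the Security monitoring and response row (investigating and resolving incidents for devices that aren't in Microsoft Managed Desktop and keeping the Operations Team informed). Two rows assigning the same duty make it unclear which one governs a security incident; suggest keeping the incident-handling duty in the security row and limiting Operations support to the contact list. In the Apps row, "Identify and deploy application updates" also breaks the "-ing" pattern used by the rest of that list.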
managed-desktop https://docs.microsoft.com/en-us/microsoft-365/managed-desktop/intro/technologies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/intro/technologies.md
@@ -1,6 +1,6 @@
--- title: Microsoft Managed Desktop technologies
-description: This topic lists the technologies and apps used in Microsoft Managed Desktop.
+description: This article lists the technologies and apps used in Microsoft Managed Desktop.
keywords: Microsoft Managed Desktop, Microsoft 365, service, documentation ms.service: m365-md author: jaimeo
@@ -13,23 +13,23 @@ ms.topic: article
# Microsoft Managed Desktop technologies
-This topic lists the technologies and apps used in Microsoft Managed Desktop.
+This article lists the technologies and apps used in Microsoft Managed Desktop.
<!-- Microsoft 365 E5; Device as a Service --> <!-- in O365 table, standard suite, removed this sentence "Please see the Installation of Project/Visio 64bit Click to Run Addendum for important deployment instructions. --> Microsoft 365 Enterprise licensing is required for all Microsoft Managed Desktop users. For more information on licensing requirements for the service, see [Prerequisites for Microsoft Managed Desktop](../get-ready/prerequisites.md).
-This topic summarizes the components included in the required Enterprise licenses, with a description of how the service uses each component with Microsoft Managed Desktop devices. Specific roles and responsibilities for each area are detailed throughout Microsoft Managed Desktop documentation.
+This article summarizes the components included in the required Enterprise licenses, with a description of how the service uses each component with Microsoft Managed Desktop devices. Specific roles and responsibilities for each area are detailed throughout Microsoft Managed Desktop documentation.
## Office 365 E3 or E5 | --- | ---
-Microsoft 365 Apps for enterprise (64-bit) | These Office applications will be shipped with the device: Word, Excel, PowerPoint, Outlook, Publisher, Access, Skype for Business, OneNote.<br><br>The 64-bit full versions of Microsoft Project and Microsoft Visio are not included. However, since the installation of these applications depends on the Microsoft 365 Apps for enterprise installation, Microsoft Managed Desktop has created default Microsoft Intune deployments and security groups that you can then use to deploy these applications to licensed users. For more information, see [Install Microsoft Project or Microsoft Visio on Microsoft Managed Desktop devices](../get-started/project-visio.md).
-OneDrive |Azure Active Directory Single Sign On is enabled for users upon first sign in to OneDrive.<br><br>Known Folder Redirection for "Desktop", "Document", and "Pictures" folders is included; enabled and configured by Microsoft Managed Desktop.
-Store Apps | Microsoft Sway and Power BI are not shipped with the device. These apps are available for download from Microsoft Store.
-Win32 Applications | Teams is not shipped with the device, but is packaged and provided by Microsoft for Microsoft Managed Desktop devices. Azure Information Protection Client is not shipped with the device, but you can have this packaged for deployment.
-Web Applications | Yammer, Office in a browser, Delve, Flow, StaffHub, PowerApps, and Planner are not shipped with the device. Users can access the web version of these applications with a browser.
+Microsoft 365 Apps for enterprise (64-bit) | These Office applications will be shipped with the device: Word, Excel, PowerPoint, Outlook, Publisher, Access, Skype for Business, OneNote.<br><br>The 64-bit full versions of Microsoft Project and Microsoft Visio aren't included. However, since the installation of these applications depends on the Microsoft 365 Apps for enterprise installation, Microsoft Managed Desktop has created default Microsoft Intune deployments and security groups that you can then use to deploy these applications to licensed users. For more information, see [Install Microsoft Project or Microsoft Visio on Microsoft Managed Desktop devices](../get-started/project-visio.md).
+OneDrive |Azure Active Directory Single Sign On is enabled for users when they first sign in to OneDrive.<br><br>Known Folder Redirection for "Desktop", "Document", and "Pictures" folders is included; enabled and configured by Microsoft Managed Desktop.
+Store Apps | Microsoft Sway and Power BI aren't shipped with the device. These apps are available for download from Microsoft Store.
+Win32 Applications | Teams isn't shipped with the device, but is packaged and provided by Microsoft for Microsoft Managed Desktop devices. Azure Information Protection Client isn't shipped with the device, but you can have it packaged for deployment.
+Web Applications | Yammer, Office in a browser, Delve, Flow, StaffHub, PowerApps, and Planner aren't shipped with the device. Users can access the web version of these applications with a browser.
## Windows 10 Enterprise E5 or E3 with Microsoft Defender for Endpoint
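Review bot: in the OneDrive row the folder is named "Document", but the known folder is "Documents"; fix it while the row is being edited. The same row ends with the fragment "is included; enabled and configured by Microsoft Managed Desktop", which reads better as "is included and is enabled and configured by Microsoft Managed Desktop". In the Win32 Applications row, "you can have it packaged for deployment" does not say who does the packaging; name the responsible party.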
@@ -37,7 +37,7 @@ Web Applications | Yammer, Office in a browser, Delve, Flow, StaffHub, PowerApps
| --- | --- Application Virtualization (App-V) | Customers can deploy App-V packages using the Intune Win32 app management client.
-Microsoft Defender for Endpoint | Microsoft Managed Desktop uses this to monitor device security.
+Microsoft Defender for Endpoint | Microsoft Managed Desktop uses this product to monitor device security.
## Enterprise Mobility + Security E5
managed-desktop https://docs.microsoft.com/en-us/microsoft-365/managed-desktop/service-description/app-control https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/service-description/app-control.md
@@ -1,6 +1,6 @@
--- title: App control
-description:
+description: How to use app control and trust with applications
keywords: Microsoft Managed Desktop, Microsoft 365, service, documentation ms.service: m365-md author: jaimeo
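Review bot: the new description, "How to use app control and trust with applications", is vague and "trust with applications" does not parse. The article body describes restricting code execution to signed code from approved publishers, so something like "How app control restricts code execution to trusted signers in Microsoft Managed Desktop" would match it. Other descriptions in this set end with a period; this one does not.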
@@ -17,10 +17,10 @@ ms.collection: M365-modern-desktop
App control is an optional security practice in Microsoft Managed Desktop that restricts the execution of code on client devices. This control mitigates the risk of malware or malicious scripts by requiring that only code signed by a customer-approved list of publishers can run. There are many security benefits from this control, but it primarily aims to protect data and identity from client-based exploits.
-Microsoft Managed Desktop simplifies the management of app control policies by creating a base policy that enables core productivity scenarios. You can extend trust to additional signers that are specific to the apps and scripts in your environment.
+Microsoft Managed Desktop simplifies the management of app control policies by creating a base policy that enables core productivity scenarios. You can extend trust to other signers that are specific to the apps and scripts in your environment.
-Any security technology requires a balance among user experience, security, and cost. App control reduces the threat of malicious software in your environment, but there are consequences to the user and additional actions for your IT administrator.
+Any security technology requires a balance among user experience, security, and cost. App control reduces the threat of malicious software in your environment, but there are consequences to the user and further actions for your IT administrator.
**Additional security:**
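Review bot: the context line above the change says only code "signed by a customer-approved list of publishers" can run, while the edited paragraph says Microsoft Managed Desktop creates the base policy and the customer extends trust to other signers. The allowed signers are therefore not solely customer-approved, and "signed by a list" is imprecise. Suggest "only code signed by publishers trusted in the policy can run". The heading "**Additional security:**" also keeps the word this change replaces elsewhere.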
@@ -43,7 +43,7 @@ Microsoft Managed Desktop curates a base policy that trusts the core components
### Base policy
-Microsoft Managed Desktop, in collaboration with Microsoft cybersecurity experts, creates and maintains a standard policy that enables most apps deployed through Microsoft Intune while blocking dangerous activities like code compilation or execution of untrusted files.
+Microsoft Managed Desktop, in collaboration with Microsoft cybersecurity experts, creates, and maintains a standard policy that enables most apps deployed through Microsoft Intune while blocking dangerous activities like code compilation or execution of untrusted files.
The base policy takes the following approach to restricting software execution:
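Review bot: the changed line introduces a stray comma: "creates, and maintains a standard policy". With only two verbs there is no series, so this should stay "creates and maintains a standard policy" as in the removed line.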
@@ -57,7 +57,7 @@ If a user other than an administrator could have added an app or script to a dev
### Signer requests
-You inform us of which apps are provided by software vendors you trust by filing a *signer request*. By doing so, we add that trust information into the baseline application control policy and allow any software signed with that publisher's certificate to run on your devices.
+You inform us of which apps are provided by software publishers you trust by filing a *signer request*. By doing so, we add that trust information into the baseline application control policy and allow any software signed with that publisher's certificate to run on your devices.
## Audit and Enforced policies
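Review bot: the changed sentence says you inform us "which apps" you trust, but the following sentence states that the request allows any software signed with that publisher's certificate to run. The unit of trust is the publisher, not an individual app, and the text should say so plainly, for example "You tell us which software publishers you trust by filing a signer request", followed by a statement that approval covers everything that publisher signs. "By doing so, we add" is also a dangling modifier; "When you do, we add" fixes it.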
managed-desktop https://docs.microsoft.com/en-us/microsoft-365/managed-desktop/service-description/archived-device-list https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/service-description/archived-device-list.md
@@ -15,14 +15,14 @@ ms.topic: article
# Microsoft Managed Desktop archived devices
-To assure the best user experience, Microsoft Managed Desktop retires support for devices at a certain point. This topic lists devices that are nearing retirement in the next few years, which we call "archived." If you're getting started with Microsoft Managed Desktop by using devices you already have, you should check this list carefully.
+To assure the best user experience, Microsoft Managed Desktop retires support for devices at a certain point. This article lists devices that are nearing retirement in the next few years, which we call "archived." If you're getting started with Microsoft Managed Desktop by using devices you already have, you should check this list carefully.
>[!IMPORTANT] >You can still enroll these devices today, but they will have a shorter service life with Microsoft Managed Desktop. If you are buying new devices, you should use models from the [list of active devices](./device-list.md). <!-- Microsoft 365 E5; Device as a Service --> <!-- Split from device & technologies topic. Destination topic for aka.ms/device-list -->
-To be enrolled in Microsoft Managed Desktop a device must be one of the following models and meet or exceed the listed specifications for RAM, processor family, and disk space. No other customization is supported.
+To be enrolled in Microsoft Managed Desktop, a device must be one of the following models and meet or exceed the listed specifications for RAM, processor family, and disk space. No other customization is supported.
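Review bot: the first changed line keeps "To assure the best user experience", where "ensure" is the intended verb. The HTML comments in the context line still say "topic" ("Split from device & technologies topic. Destination topic for ..."), so the topic-to-article rename is incomplete in this file.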
@@ -65,7 +65,7 @@ In addition, the device must also:
- Not have completed the Windows first-run experience. - Be registered with Microsoft Managed Desktop using the [Device Registration](https://aka.ms/mmddrhelp) feature
-#### Additional help
+#### More help
These resources can help answer questions that you might have about specific devices:
managed-desktop https://docs.microsoft.com/en-us/microsoft-365/managed-desktop/service-description/customizing https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/service-description/customizing.md
@@ -1,6 +1,6 @@
--- title: Exceptions to the service plan
-description:
+description: How to request exceptions to the standard service plan
keywords: Microsoft Managed Desktop, Microsoft 365, service, documentation ms.service: m365-md author: jaimeo
@@ -26,7 +26,7 @@ An exception is any addition or change to the Microsoft Managed Desktop base con
|Digital experience monitoring | Software used to track data on a userΓÇÖs device to report to IT | |Hardware or software drivers | Device drivers, restricted by the [application requirements](mmd-app-requirements.md) | |Policies | Windows 10 or Microsoft 365 Apps for enterprise settings on a managed device |
-|Devices | Devices which are not on the Microsoft Managed Desktop [device list](device-list.md) |
+|Devices | Devices that are not on the Microsoft Managed Desktop [device list](device-list.md) |
|Other | Anything not covered by the other areas | ## Request an exception
@@ -44,7 +44,7 @@ When we review exception requests, we assess these factors in this order:
1. Some applications and policies which Microsoft Managed Desktop deploys to all devices aren't negotiable, so your request must not affect those. See [Device configuration](device-policies.md) for more information. 2. Restricted productivity software required by a user to do their job will likely be approved.
-3. If we can meet your requirement by using Microsoft technology, weΓÇÖll likely approve your request for an exception migration period of three to twelve months (depending on the scope of the project).
+3. If we can meet your requirement by using Microsoft technology, weΓÇÖll likely approve your request for an exception migration period of three to 12 months (depending on the scope of the project).
4. If we canΓÇÖt meet your requirement by using Microsoft technology, weΓÇÖll likely approve your request unless it violates one of the conditions below. These principles ensure that Microsoft Managed Desktop can always meet your needs while tracking deviations from our standard template.
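Review bot: item 3 now reads "three to 12 months", which mixes a spelled-out number and a numeral in one range. Use one form for both ends ("3 to 12 months" or "three to twelve months"). Item 1 in the context still uses "policies which Microsoft Managed Desktop deploys", while the same change set converts restrictive "which" to "that" in the table above.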
@@ -66,10 +66,10 @@ After a requested exception is approved and deployed, itΓÇÖs possible that we mi
If this happens, weΓÇÖll notify you by using the Microsoft Managed Desktop admin portal. From the first time we notify you, you have 90 days to remove the exception before the devices with the exception are no longer bound by Microsoft Managed Desktop service level agreements. We'll send you several notifications according to a strict timeline--however, a severe incident or threat might require us to change the timeline or our decisions about an exception. We won't *remove* an exception without your consent, but any device with a revoked exception will no longer be bound by our service level agreement. Here is the timeline of notifications we will send you: -- **First notice:** We provide the first notice of our decision to revoke approval, including information about why weΓÇÖre revoking it, the actions we advise you to take, the deadline for those actions, and steps to follow if you want to appeal the decision. This is 90 days in advance before the exception needs to be removed from all devices.
+- **First notice:** We provide the first notice of our decision to revoke approval, including information about why weΓÇÖre revoking it, the actions we advise you to take, the deadline for those actions, and steps to follow if you want to appeal the decision. This notice occurs 90 days in advance before the exception needs to be removed from all devices.
- **Second notice (30 days later):** We provide a second notice, including the same information provided in the first notice. - **Third notice (60 days after the first notice):** We provide a third notice, including the same information provided in the first notice. -- **Final notice (1 week before the 90-day deadline):** We provide a fourth notice, including the same information provided in the first notice.
+- **Final notice (one week before the 90-day deadline):** We provide a fourth notice, including the same information provided in the first notice.
- **90 days after first notice:** Microsoft Managed Desktop service level agreements no longer apply to any devices that have the revoked exception. At any time, you can challenge the decision and provide additional information for consideration, including upgrade, configuration changes, or change of software.
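Review bot: the new sentence in the first bullet says "This notice occurs 90 days in advance before the exception needs to be removed", which is redundant; use "90 days before". The bullets also state their timing inconsistently: "30 days later", "60 days after the first notice", and "one week before the 90-day deadline". Expressing all of them relative to the first notice would make the timeline easier to follow.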
managed-desktop https://docs.microsoft.com/en-us/microsoft-365/managed-desktop/service-description/device-lifecycle https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/service-description/device-lifecycle.md
@@ -1,6 +1,6 @@
--- title: Microsoft Managed Desktop product lifecycle
-description: This topic lists the device specifications used in Microsoft Managed Desktop.
+description: This article lists the device specifications used in Microsoft Managed Desktop.
keywords: Microsoft Managed Desktop, Microsoft 365, service, documentation ms.service: m365-md author: jaimeo
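Review bot: the description still says the article "lists the device specifications", but the title is "Microsoft Managed Desktop product lifecycle". Changing "topic" to "article" leaves the mismatch; suggest a description that matches the title, such as "This article describes the lifecycle of products and devices in Microsoft Managed Desktop."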
@@ -14,7 +14,7 @@ ms.topic: article
Microsoft Managed Desktop benefits users assuring that they always use devices that offer the best performance, reliability, design, and security capabilities (such as support for features like Windows Hello). To accomplish this, Microsoft Managed Desktop maintains a short catalog of continuously updated [approved devices](device-list.md).
-This topic details the lifecycle of devices as they are added and removed from the approved catalog.
+This article details the lifecycle of devices as they are added and removed from the approved catalog.
> [!NOTE] > In this topic, we'll make a distinction between a "device" and a "product." By "device," we mean one individual, specific computer. For example, "Serial number 1234", "Bill's laptop", "Shared VM XYZ" refer to specific devices. A "product", however, refers to a collection or family of devices. For example, "Fabrikam Laptop", "Adatum ZX450 Laptop", etc. This is important because products are added to our [approved list](device-list.md), or catalog, and devices are what get enrolled into Microsoft Managed Desktop.
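Review bot: the changed line switches to "This article", but the NOTE directly below it still opens with "In this topic, we'll make a distinction", so the rename is inconsistent within the same hunk. The first context line also reads "benefits users assuring that", which is missing "by".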
@@ -33,7 +33,7 @@ This illustration shows the entire sequence:
![lifecycle timeline: starting with product general availability, "primary availability" lasts for two years. During this time the certification window ends and at some point the device is onboarded. At the end of primary availability, the product is archived and the "grace period" of three years starts. Starting when the device is onboarded, it has a 3-year period of use until it's removed from management. At the end of the grace period we remove the product from the catalog.](../../media/non-dark1-edits.PNG)
-Products remain on the catalog for up to 24 months, but <em>devices</em> remain under management for 3 years based on their individual enrollment dates. Effectively, each product has three important dates, but each device has only one. For products, all three of these dates are calculated based on the <em>approval date</em>, and therefore we publish these dates upon approval so that you can always look ahead and plan appropriately for the product's entire lifecycle.
+Products remain on the catalog for up to 24 months, but <em>devices</em> remain under management for three years based on their individual enrollment dates. Effectively, each product has three important dates, but each device has only one. For products, all three of these dates are calculated based on the <em>approval date</em>, and therefore we publish these dates upon approval so that you can always look ahead and plan appropriately for the product's entire lifecycle.
This table shows example dates for a theoretical product:
@@ -58,9 +58,9 @@ The product lifecycle starts when a manufacturer publicly releases the product:
![lifecycle timeline showing release and evaluation period](../../media/non-dark3-edits.PNG)
-During this stage, the Microsoft Managed Desktop engineering team does their evaluation and certification of a product. The team evaluates things like reliability and performance with Windows, compliance with a hardware baseline, market sentiment, and inventory and channel readiness, among other things. This process typically takes approximately 6 weeks.
+During this stage, the Microsoft Managed Desktop engineering team does their evaluation and certification of a product. The team evaluates things like reliability and performance with Windows, compliance with a hardware baseline, market sentiment, and inventory and channel readiness, among other things. This process typically takes approximately six weeks.
-Microsoft Managed Desktop will only evaluate devices for certification within their first 6 months of availability. This ensures that we're always focusing our efforts on the latest generation of hardware.
+Microsoft Managed Desktop will only evaluate devices for certification within their first six months of availability. This policy ensures that we're always focusing our efforts on the latest generation of hardware.
At the end of this phase, Microsoft Managed Desktop adds the product to the [approved list](device-list.md), effectively releasing the product for customer enrollments. Regardless of the date when a device is certified, its **approved date** is back-dated to the product's own general availability date.
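Review bot: the second changed line says Microsoft Managed Desktop "will only evaluate devices for certification", but the article's own note defines a device as one specific computer and a product as the family that is added to the approved list, and the preceding line speaks of "certification of a product". This should read "products". In the first changed line, "typically takes approximately six weeks" doubles the hedge; keep one of the two words.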
@@ -73,13 +73,13 @@ This period is the core of product availability:
Any device enrolled during this period receives the full three years of support from Microsoft Managed Desktop (as shown by the blue timeline). This period lasts until an end date set to 24 months from the general availability date.
-You can think of this period as effectively "open enrollment", so to maximize the value of Microsoft Managed Desktop, you should target your procurement models and selected products to fall within this period. As a small example, a customer should avoid settling on a two-year roll-out period using a product that is in its final month of primary availability ΓÇô most of those devices will not receive the full three years of Microsoft Managed Desktop management (see [grace period](#product-grace-period) for more information).
+You can think of this period as effectively "open enrollment", so to maximize the value of Microsoft Managed Desktop, you should target your procurement models and selected products to fall within this period. As a small example, you should avoid settling on a two-year roll-out period using a product that is in its final month of primary availability ΓÇô most of those devices will not receive the full three years of Microsoft Managed Desktop management (see [grace period](#product-grace-period) for more information).
## Product grace period The product grace period is a three-year period following primary availability. This phase allows you to enroll devices that are from a supported product family, but still hold firm to the promises of Microsoft Managed Desktop regarding modern hardware and device performance. This phase is ideal for customers who have made procurement decisions before knowing about Microsoft Managed Desktop.
-If you've recently bought a number of approved devices prior to enrolling with Microsoft Managed Desktop, you can still enroll them, but you won't receive a full three years of management. Instead, they'll fall out of compliance on the retirement date, regardless of when they were enrolled. Behind the scenes, Microsoft Managed Desktop will treat these devices as if they were enrolled on the last day of primary availability. In this illustration, you can see this scenario by noting that both the blue and green device end on the same day, despite their one-year difference in enrollment:
+If you've recently bought approved devices prior to enrolling with Microsoft Managed Desktop, you can still enroll them, but you won't receive a full three years of management. Instead, they'll fall out of compliance on the retirement date, regardless of when they were enrolled. Behind the scenes, Microsoft Managed Desktop will treat these devices as if they were enrolled on the last day of primary availability. In this illustration, you can see this scenario by noting that both the blue and green device end on the same day, despite their one-year difference in enrollment:
![lifecycle timeline showing grace period](../../media/non-dark2-edits.PNG)
@@ -90,20 +90,20 @@ The Fabrikam Laptop example from the previous table illustrates this situation:
|---------|---------|---------|---------| |Fabrikam Laptop | 6/1/2017 | 6/1/2019 | 6/1/2022 |
-As a customer, you can enroll Fabrikam Laptops all the way until 6/1/2022 ΓÇô however they will all be treated as though you enrolled them on 6/1/2019. If you enroll a Fabrikam Laptop on 6/1/2021 you'll only get one year of management. This policy allows you to extract partial lifecycles from products that were previously supported, rather than having to procure new devices prematurely.
+As a customer, you can enroll Fabrikam Laptops all the way until 6/1/2022 ΓÇô however they will all be treated as though you enrolled them on 6/1/2019. If you enroll a Fabrikam Laptop on 6/1/2021, you'll only get one year of management. This policy allows you to extract partial lifecycles from products that were previously supported, rather than having to procure new devices prematurely.
Finally, during this phase the device is removed from the [device list](device-list.md) and moved to the [archived device list](archived-device-list.md). ## Product retirement
-Product retirement is the final phase of the lifecycle. In this phase, no new devices of that product type can be enrolled in Microsoft Managed Desktop and, by definition, all existing devices are now outside their allowed three-year term. During this time, Microsoft Managed Desktop will remove the device from the public list entirely. It's also during this phase where, if you haven't already procured replacements, you'll start to see diminished services as Microsoft Managed Desktop starts to ramp down on the devices which are out of compliance.
+Product retirement is the final phase of the lifecycle. In this phase, no new devices of that product type can be enrolled in Microsoft Managed Desktop and, by definition, all existing devices are now outside their allowed three-year term. During this time, Microsoft Managed Desktop will remove the device from the public list entirely. It's also during this phase where, if you haven't already procured replacements, you'll start to see diminished services as Microsoft Managed Desktop starts to ramp down on the devices that are out of compliance.
## Devices that are out of compliance
-A device is out of compliance when its allowed window for Microsoft Managed Desktop management has elapsed. This occurs when the device has reached three years of management or when that product type is removed from the device catalog, whichever occurs first. You should always target your procurement cycles such that new devices are deployed prior to current devices going out of compliance.
+A device is out of compliance when its allowed window for Microsoft Managed Desktop management has elapsed. This situation occurs when the device has reached three years of management or when that product type is removed from the device catalog, whichever occurs first. You should always target your procurement cycles such that new devices are deployed prior to current devices going out of compliance.
-The Microsoft Managed Desktop team knows that procurement cycles are long and planned around long-running budgets. To ensure that you're always aware of the state of your device population, we provide a [website](https://aka.ms/mmdportal) that lists every device under management, its age, and a status indicating its compliance. This means you always have the latest information regarding device age and can use the report in any procurement planning cycle.
+The Microsoft Managed Desktop team knows that procurement cycles are long and planned around long-running budgets. To ensure that you're always aware of the state of your device population, we provide a [website](https://aka.ms/mmdportal) that lists every device under management, its age, and a status indicating its compliance. The website helps you always have the latest information regarding device age and can use the report in any procurement planning cycle.
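Review bot: The rewritten last sentence of the final added paragraph, "The website helps you always have the latest information regarding device age and can use the report in any procurement planning cycle", loses its subject halfway through: after the change from "This means you always have ...", the verb "can use" now attaches to "The website". Suggest "With this website, you always have the latest information about device age and can use the report in any procurement planning cycle."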
managed-desktop https://docs.microsoft.com/en-us/microsoft-365/managed-desktop/service-description/device-list https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/service-description/device-list.md
@@ -1,6 +1,6 @@
--- title: Microsoft Managed Desktop devices
-description: This topic lists the specifications for devices approved for Microsoft Managed Desktop.
+description: This article lists the specifications for devices approved for Microsoft Managed Desktop.
keywords: Microsoft Managed Desktop, Microsoft 365, service, documentation ms.service: m365-md author: jaimeo
@@ -18,7 +18,7 @@ For more information on Microsoft Managed Desktop, see [Microsoft Managed Deskto
<!-- Microsoft 365 E5; Device as a Service --> <!-- Split from device & technologies topic. Destination topic for aka.ms/device-list -->
-To be enrolled in Microsoft Managed Desktop a device must be one of the following models and meet or exceed the listed specifications for RAM, processor family, and disk space.
+To be enrolled in Microsoft Managed Desktop, a device must be one of the following models and meet or exceed the listed specifications for RAM, processor family, and disk space.
The links to devices here are for your reference only. If you want to order devices, work with your commercial channel contacts to ensure that you choose the correct configurations. In this table, the *archive date* is the date on which these models will be subject to a shorter Microsoft Managed Desktop service life; any such devices onboarded after this date will not receive a full three-year term of support from Microsoft Managed Desktop. Archived devices are also listed in [Microsoft Managed Desktop archived devices](archived-device-list.md). *Retirement date* is the date on which this model will no longer be supported by Microsoft Managed Desktop at all. On that date, all enrolled devices of this model will be removed from Microsoft Managed Desktop, no matter when they were enrolled.
@@ -61,15 +61,15 @@ The links to devices here are for your reference only. If you want to order devi
| Model | Minimum specifications | Additional requirements | Archive date | Retirement date | |----------|----------------|---------------------------|----------------|--------------------|
-| [Surface Book 3](https://www.microsoft.com/p/surface-book-3-for-business/93h0mb2gqd5b?activetab=pivot%3aoverviewtab) | 256 GB / Intel i5 / 8GB RAM | None | May 21, 2022 | May 21, 2027 |
-| [Surface Go 2](https://www.microsoft.com/p/surface-go-2-for-business/8wzd6dhzj7kv?activetab=pivot%3aoverviewtab) | 128 GB / Intel Core M3 / 8GB RAM | None | May 21, 2022 | May 21, 2027 |
+| [Surface Book 3](https://www.microsoft.com/p/surface-book-3-for-business/93h0mb2gqd5b?activetab=pivot%3aoverviewtab) | 256 GB / Intel i5 / 8 GB RAM | None | May 21, 2022 | May 21, 2027 |
+| [Surface Go 2](https://www.microsoft.com/p/surface-go-2-for-business/8wzd6dhzj7kv?activetab=pivot%3aoverviewtab) | 128 GB / Intel Core M3 / 8 GB RAM | None | May 21, 2022 | May 21, 2027 |
| [Surface Laptop Go](https://www.microsoft.com/surface/business/surface-laptop-go) | 128 GB / Intel i5 / 8 GB RAM | None | Oct 12, 2022 | Oct 12, 2025 | | [Surface Laptop 3](https://www.microsoft.com/surface/business/surface-laptop-3) | 128 GB / Intel i5 / 8 GB RAM | None | Oct 22, 2021 | Oct 22, 2024 | | [Surface Pro 7](https://www.microsoft.com/surface/business/surface-pro-7) | 128 GB / Intel i5 / 8 GB RAM | None | Oct 22, 2021 | Oct 22, 2024 | In addition, the device must also meet these criteria: -- If a specific SKU is listed in the device requirements, make sure you use it when you order. This ensures that devices comply with Microsoft Managed Desktop software requirements.
+- If a specific SKU is listed in the device requirements, make sure you use it when you order. Doing so ensures that devices comply with Microsoft Managed Desktop software requirements.
- Not have completed the Windows first-run experience. - Be registered with Microsoft Managed Desktop using the [Device Registration](https://aka.ms/mmddrhelp) feature
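Review bot: The reworded SKU bullet ("If a specific SKU is listed ... Doing so ensures ...") still does not fit the lead-in "the device must also meet these criteria". It is an instruction to the person ordering, while the two bullets after it ("Not have completed ...", "Be registered ...") are conditions on the device. Consider moving the SKU guidance out of the list or rephrasing it as a device condition, and add the missing period after "feature" in the last bullet.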
@@ -79,7 +79,7 @@ In addition, the device must also meet these criteria:
>- Using one device for several different workloads. >- Using multiple monitors.
-**Additional Help**
+**More Help**
These resources can help answer questions that you might have about specific devices:
managed-desktop https://docs.microsoft.com/en-us/microsoft-365/managed-desktop/service-description/device-policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/service-description/device-policies.md
@@ -18,7 +18,7 @@ ms.topic: article
<!-- Device configuration and Security Addendum-->
-When a new Microsoft Managed Desktop device is being set up, we ensure that it has the right configuration optimized for Microsoft Managed Desktop. This includes a set of default policies that are set as part of the onboarding process. These policies are delivered using Mobile Device Management (MDM) whenever possible. For more information, see [Mobile Device Management](https://docs.microsoft.com/windows/client-management/mdm/).
+When a new Microsoft Managed Desktop device is being set up, we ensure that it has the right configuration optimized for Microsoft Managed Desktop. That configuration includes a set of default policies that are set as part of the onboarding process. These policies are delivered using Mobile Device Management (MDM) whenever possible. For more information, see [Mobile Device Management](https://docs.microsoft.com/windows/client-management/mdm/).
>[!NOTE] >To avoid conflicts, do not alter these policies.
@@ -39,7 +39,7 @@ Metered connections | By default, updates over metered connections (such as LTE
## Windows diagnostic data
- Devices will be set to provide enhanced diagnostic data to Microsoft under a known commercial identifier. As part of Microsoft Managed Desktop, IT admins can not change these settings. For customers in General Data Protection Regulation (GDPR) regions, users can reduce the level of diagnostic data that is provided, but there will be a reduction in service. For example, Microsoft Managed Desktop will be unable to collect the data necessary to iterate on settings and policies to best serve performance and security needs. For more information, see [Configure Windows diagnostic data in your organization.](https://docs.microsoft.com/windows/privacy/configure-windows-diagnostic-data-in-your-organization#enhanced-level)
+ Devices will be set to provide enhanced diagnostic data to Microsoft under a known commercial identifier. As part of Microsoft Managed Desktop, IT admins cannot change these settings. For customers in General Data Protection Regulation (GDPR) regions, users can reduce the level of diagnostic data that is provided, but there will be a reduction in service. For example, Microsoft Managed Desktop will be unable to collect the data necessary to iterate on settings and policies to best serve performance and security needs. For more information, see [Configure Windows diagnostic data in your organization.](https://docs.microsoft.com/windows/privacy/configure-windows-diagnostic-data-in-your-organization#enhanced-level)
## Security addendum
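Review bot: The added line under "Windows diagnostic data" keeps the leading space before "Devices will be set ..." and the trailing period inside the link text ("[Configure Windows diagnostic data in your organization.]"); both are worth cleaning up while this paragraph is being edited. The paragraph also says IT admins cannot change these settings and then that users in GDPR regions can reduce the diagnostic level, so it would help to state where that user-side control lives and what "a reduction in service" covers beyond the one example given.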
managed-desktop https://docs.microsoft.com/en-us/microsoft-365/managed-desktop/service-description/index https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/service-description/index.md
@@ -24,13 +24,13 @@ Microsoft Managed Desktop is a service that provides your users with a secure mo
- IT support for your users - Operational support for IT pros
-For details about the specific services included with Microsoft Managed Desktop, see the other topics in this section. If you've already decided that Microsoft Managed Desktop is for you, the topics in [Get ready for enrollment in Microsoft Managed Desktop](https://docs.microsoft.com/microsoft-365/managed-desktop/get-ready/) provide you with the steps to prepare to join the service.
+For details about the specific services included with Microsoft Managed Desktop, see the other articles in this section. If you've already decided that Microsoft Managed Desktop is for you, the articles in [Get ready for enrollment in Microsoft Managed Desktop](https://docs.microsoft.com/microsoft-365/managed-desktop/get-ready/) provide you with the steps to prepare to join the service.
- [Microsoft Managed Desktop supported regions and languages](regions-languages.md) explains which regions and languages are supported with the service. - To guarantee the best experience for your users, only certain devices are supported by Microsoft Managed Desktop. [Program devices](device-list.md) specifies the exact device models and configurations you can use with the service, whether you provide them or work with a partner. - [Device services](device-services.md) specifies the device-related services that Microsoft will provide to subscribers. - [Device configuration](device-policies.md) clarifies the default and security-related Mobile Device Management policies that the service will apply to enrolled devices.-- [Security](security.md) specifies the data collected from enrolled devices, as well as the features and policies related to device security, identity and access management, network security, and information security.
+- [Security](security.md) specifies the data collected from enrolled devices, and the features and policies related to device security, identity and access management, network security, and information security.
- [Updates](updates.md) describes the various update groups that Microsoft Managed Desktop uses to roll out updates to your devices. - [Support](support.md) clarifies the support Microsoft provides for your organization and users. - [Operations and monitoring](operations-and-monitoring.md) explains how change management works with Microsoft Managed Desktop, including standard procedures for requesting and preparing for changes in the deployment.
managed-desktop https://docs.microsoft.com/en-us/microsoft-365/managed-desktop/service-description/operations-and-monitoring https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/service-description/operations-and-monitoring.md
@@ -1,6 +1,6 @@
--- title: Microsoft Managed Desktop operations and monitoring
-description:
+description: Who does what for various change processes
keywords: Microsoft Managed Desktop, Microsoft 365, service, documentation ms.service: m365-md author: jaimeo
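Review bot: The new description, "Who does what for various change processes", is a fragment that names neither the service nor the parties. The device-list description in this same update is a full sentence ("This article lists the specifications for devices approved for Microsoft Managed Desktop."), so something like "This article explains how responsibility for change management is shared between Microsoft and customers in Microsoft Managed Desktop." would be more consistent and more useful in search results.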
@@ -20,13 +20,13 @@ ms.topic: article
## Change management
-In a service offering, the balance of responsibility for things such as hardware maintenance and security updates shifts to the service provider (Microsoft) instead of the customer (you). However, you still need to ensure that third-party and custom software continues to function as expected when updates are rolled out.
+In a service offering, the balance of responsibility for things such as hardware maintenance and security updates shifts to the service provider (Microsoft) instead of the customer (you). However, you still need to ensure that non-Microsoft and custom software continues to function as expected when updates are rolled out.
For on-premises products, your organization assumes all responsibility for managing change. ### Balance of responsibility
-Responsibility | Microsoft Managed Desktop service | Microsoft 365 client software | On-premises clients and servers | 3rd party and custom software
+Responsibility | Microsoft Managed Desktop service | Microsoft 365 client software | On-premises clients and servers | non-Microsoft and custom software
----- | ----- | ----- | ----- | ----- Provide new functionality | Microsoft | Microsoft | Both | Customer Test new features for quality assurance | Microsoft | Microsoft | Both | Customer
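Review bot: In the changed table header row, "non-Microsoft and custom software" starts in lowercase while every other column header is capitalized ("Responsibility", "Microsoft Managed Desktop service", "On-premises clients and servers"). Suggest "Non-Microsoft and custom software" for the header cell.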
@@ -39,7 +39,7 @@ Package for deployment | Microsoft | Microsoft | Customer | Customer
### Change process overview
-HereΓÇÖs a summary of how the change process is shared between Microsoft and customers.
+HereΓÇÖs a summary of how the change process is shared between Microsoft and customers:
@@ -55,14 +55,14 @@ HereΓÇÖs a summary of how the change process is shared between Microsoft and cus
### Change types
-There are several types of changes that are made to the service on a regular basis. The communication channel for those changes and the actions that customers are responsible for varies.
+There are several types of changes that we make to the service regularly. The communication channel for those changes and the actions that you are responsible for varies.
Not all changes have the same impact on your users or require action. Some are planned and some unplanned by their nature (non-security updates and security updates aren't usually planned). Depending on the type of change, the communication channel may vary. The following table lists the types of changes you can expect for the Microsoft Managed Desktop service. | | Functionality | Non-security updates | Security --- | --- | --- | ---
-**Type of change** | - Feature updates<br>- New features or applications<br>- Deprecated features | Client hotfixes for issues | Security patches
-**Advance notice** | 5 days notice for changes that require action | No, these are included in the monthly release | No, these are included in the monthly release
+**Type of change** | - Feature updates<br>- New features or applications<br>- Deprecated features | Client hotfixes for issues | Security updates
+**Advance notice** | Five days notice for changes that require action | No, such changes are included in the monthly release | No, changes are included in the monthly release
**Communication channel** | - Message Center<br>- Email alert | - Message Center<br>- Email alert | - Message Center<br>- Email alert **Requires global admin action** | Sometimes | Rarely | Rarely **Type of action** | Change settings | Communicate changes to users | Change admin settings
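Review bot: The second added sentence under "Change types" has a compound subject with a singular verb: "The communication channel for those changes and the actions that you are responsible for varies" should end in "vary". In the "Advance notice" row, "Five days notice" needs the possessive ("Five days' notice"), and the two "No" cells now differ for no visible reason ("No, such changes are included ..." versus "No, changes are included ..."); use the same wording in both.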
@@ -72,26 +72,26 @@ Not all changes have the same impact on your users or require action. Some are p
## Standard operating procedures
-The Microsoft Managed Desktop service is implemented and operated by Microsoft in your Microsoft cloud instance where you may conduct other administrative activities. Microsoft is solely responsible for Microsoft Managed Desktop-specific setup, configuration and operation.
+The Microsoft Managed Desktop service is implemented and operated by Microsoft in your Microsoft cloud instance where you might conduct other administrative activities. Microsoft is solely responsible for Microsoft Managed Desktop-specific setup, configuration, and operation.
-For on-premises products, your organization takes on all the responsibility for managing setup,and configuration and operational activities.
+For on-premises products, your organization takes on all the responsibility for managing setup, and configuration and operational activities.
Categories | Microsoft will | Customer will --- | --- | ---
-Network (proxy, packet inspection, VPN) | Advise and plan with customers to minimize risk to business users. | - Create a support request requesting information for a planned configuration change, including configuration details, scope, timeline and other pertinent details for Microsoft to review.<br>- Only apply a change once Microsoft Managed Desktop Operations has assessed and advised.
-Service accounts |- Implement, securely store, and manage the credentials.<br> - Communicate unauthorized access or use of these credentials to your Security Operations team. | - Create a support request requesting information for a planned configuration change, including configuration details, scope, timeline and other pertinent details for Microsoft to review.<br>- Only apply a change once Microsoft Managed Desktop Operations has assessed and advised.<br>- Not assign policy, multifactor authentication, conditional access, or application deployment to the Microsoft Managed Desktop Service Accounts.<br>- Not reset the password or use the credentials.<br>- Open a Sev C support request to Microsoft Managed Desktop Operations if suspicious activity is observed in Intune or Azure audit logs, related to these service accounts.
-Device Groups | - Implement and manage the membership of devices within Microsoft Managed Desktop groups.<br>- Use the Microsoft Managed Desktop groups to manage the assignment and release of configuration and updates to devices. | - Create a support request requesting information for a planned configuration change, including configuration details, scope, timeline and other pertinent details for Microsoft to review.<br>- Only apply a change once Microsoft Managed Desktop Operations has assessed and advised.<br>- Not modify the membership of any Microsoft Managed Desktop group.<br>- Only use the groups to assign corporate certificates for services such as VPN, Windows Hello for Business or email encryption, or corporate Wi-Fi profile configuration.<br>- Where co-management exists, explicitly exclude all Microsoft Managed Desktop groups when deploying the Configuration Manager client.
-Policies | - Implement and manage the Microsoft Managed Desktop policies that govern the configuration state of devices within service.<br>- Deploy updates, to policy or Windows, incrementally using Device Groups.<br> - Explicitly exclude targeting non-Microsoft Managed Desktop groups. | - Create a support request requesting information for a planned configuration change, including configuration details, scope, timeline and other pertinent details for Microsoft to review.<br>- Only apply a change once Microsoft Managed Desktop Operations has assessed and advised.<br>- Not edit or assign Microsoft Managed Desktop policies to devices or users not managed by the Microsoft Managed Desktop service.
-Microsoft Defender for Endpoint | Monitor and investigate devices within the scope of the Microsoft Managed Desktop service. | - Create a support request requesting information for a planned configuration change, including configuration details, scope, timeline and other pertinent details for Microsoft to review.<br>- Only apply a change once Microsoft Managed Desktop Operations has assessed and advised
-Microsoft Store for Business | Configure and maintain the Windows Autopilot profile for the Microsoft Managed Desktop service. | - Create a support request requesting information for a planned configuration change, including configuration details, scope, timeline and other pertinent details for Microsoft to review.<br>- Only apply a change once Microsoft Managed Desktop Operations has assessed and advised.<br>- Not modify the configuration of the Microsoft Managed Desktop Windows Autopilot profile or add/remove assigned devices.
-Certificates | | - Create a support request 60 days prior to a certificate expiring, requesting information for a planned configuration change, including configuration details, scope, timeline and other pertinent details for Microsoft to review.<br>- Only apply a change once Microsoft Managed Desktop Operations has assessed and advised.<br>- Update all certificates that are required to configure certificate profiles, VPN profiles, and Wi-Fi profiles.
+Network (proxy, packet inspection, VPN) | Advise and plan with customers to minimize risk to business users. | - Create a support request requesting information for a planned configuration change, including configuration details, scope, timeline, and other pertinent details for Microsoft to review.<br>- Only apply a change once Microsoft Managed Desktop Operations has assessed and advised.
+Service accounts |- Implement, securely store, and manage the credentials.<br> - Communicate unauthorized access or use of these credentials to your Security Operations team. | - Create a support request requesting information for a planned configuration change, including configuration details, scope, timeline, and other pertinent details for Microsoft to review.<br>- Only apply a change once Microsoft Managed Desktop Operations has assessed and advised.<br>- Not assign policy, multifactor authentication, conditional access, or application deployment to the Microsoft Managed Desktop Service Accounts.<br>- Not reset the password or use the credentials.<br>- Open a Sev C support request to Microsoft Managed Desktop Operations if suspicious activity is observed in Intune or Azure audit logs, related to these service accounts.
+Device Groups | - Implement and manage the membership of devices within Microsoft Managed Desktop groups.<br>- Use the Microsoft Managed Desktop groups to manage the assignment and release of configuration and updates to devices. | - Create a support request requesting information for a planned configuration change, including configuration details, scope, timeline, and other pertinent details for Microsoft to review.<br>- Only apply a change once Microsoft Managed Desktop Operations has assessed and advised.<br>- Not modify the membership of any Microsoft Managed Desktop group.<br>- Only use the groups to assign corporate certificates for services such as VPN, Windows Hello for Business or email encryption, or corporate Wi-Fi profile configuration.<br>- Where co-management exists, explicitly exclude all Microsoft Managed Desktop groups when deploying the Configuration Manager client.
+Policies | - Implement and manage the Microsoft Managed Desktop policies that govern the configuration state of devices within service.<br>- Deploy updates, to policy or Windows, incrementally using Device Groups.<br> - Explicitly exclude targeting non-Microsoft Managed Desktop groups. | - Create a support request requesting information for a planned configuration change, including configuration details, scope, timeline, and other pertinent details for Microsoft to review.<br>- Only apply a change once Microsoft Managed Desktop Operations has assessed and advised.<br>- Not edit or assign Microsoft Managed Desktop policies to devices or users not managed by the Microsoft Managed Desktop service.
+Microsoft Defender for Endpoint | Monitor and investigate devices within the scope of the Microsoft Managed Desktop service. | - Create a support request requesting information for a planned configuration change, including configuration details, scope, timeline, and other pertinent details for Microsoft to review.<br>- Only apply a change once Microsoft Managed Desktop Operations has assessed and advised
+Microsoft Store for Business | Configure and maintain the Windows Autopilot profile for the Microsoft Managed Desktop service. | - Create a support request requesting information for a planned configuration change, including configuration details, scope, timeline, and other pertinent details for Microsoft to review.<br>- Only apply a change once Microsoft Managed Desktop Operations has assessed and advised.<br>- Not modify the configuration of the Microsoft Managed Desktop Windows Autopilot profile or add/remove assigned devices.
+Certificates | | - Create a support request 60 days prior to a certificate expiring, requesting information for a planned configuration change, including configuration details, scope, timeline, and other pertinent details for Microsoft to review.<br>- Only apply a change once Microsoft Managed Desktop Operations has assessed and advised.<br>- Update all certificates that are required to configure certificate profiles, VPN profiles, and Wi-Fi profiles.
## Device wipe with factory reset
-The Microsoft Managed Desktop Operations Team can perform a factory reset of devices enrolled in the service when required. This is helpful if you need to give a device to a different employee, or if an employee leaves your company.
+The Microsoft Managed Desktop Operations team can perform a factory reset of devices enrolled in the service when required. Resetting is helpful if you need to give a device to a different employee, or if an employee leaves your company.
There are a few requirements:
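Review bot: The fix to the on-premises sentence only inserts a space, leaving "managing setup, and configuration and operational activities", which still reads as a broken list. The paragraph just above it now uses "setup, configuration, and operation", so "managing setup, configuration, and operational activities" would match. In the table, the Microsoft Defender for Endpoint row still ends "assessed and advised" without the period that every other row has, and the Certificates row leaves the "Microsoft will" cell empty; if Microsoft has no responsibility there, say so explicitly.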
managed-desktop https://docs.microsoft.com/en-us/microsoft-365/managed-desktop/service-description/privacy-personal-data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/service-description/privacy-personal-data.md
@@ -25,7 +25,7 @@ When users enroll corporate devices into Microsoft Managed Desktop, data collect
Microsoft Managed Desktop does not collect data by itself to provide its service (except for [IT Admin contact information](#it-admin-contact-information). Instead, Microsoft Managed Desktop reuses data that other sources, such as Windows and Microsoft Intune, have already collected. Microsoft Managed Desktop uses data these services collect from enrolled devices: - Windows diagnostic data from devices managed by Microsoft Managed Desktop is sent to Microsoft's Windows diagnostic data stores.-- Microsoft Managed Desktop uses [modern management](https://docs.microsoft.com/learn/modules/introduction-to-modern-management-in-microsoft-365/) for managing the enrolled devices. As part of that, the devices must be enrolled in the tenantΓÇÖs Azure Active Directory.
+- Microsoft Managed Desktop uses [modern management](https://docs.microsoft.com/learn/modules/introduction-to-modern-management-in-microsoft-365/) for managing the enrolled devices. As part of "modern management," the devices must be enrolled in the tenantΓÇÖs Azure Active Directory.
- For distributing its highly optimized and secure configuration to enrolled devices, Microsoft Managed Desktop uses Microsoft Intune. - Microsoft Managed Desktop uses security intelligence data from Microsoft Defender Advanced Thread Protection for those customers that use that service.
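Review bot: The last context bullet in this hunk says "Microsoft Defender Advanced Thread Protection", which is a typo for "Threat" and also conflicts with the "Microsoft Defender for Endpoint" name used in the data table later in the same file; it should be corrected in this pass. The opening paragraph has an unclosed parenthesis after "(except for [IT Admin contact information](#it-admin-contact-information)". In the changed line, the quotation marks in 'As part of "modern management,"' read oddly right after the linked term; "As part of modern management, the devices must be enrolled ..." is enough.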
@@ -56,7 +56,7 @@ Microsoft Managed Desktop uses this data:
|Azure Active Directory data | Used in reports created for tenant admins, which are available in the Microsoft Managed Desktop Admin portal. | |Intune data | Used in reports created for tenant admins, which are available in the Microsoft Managed Desktop Admin portal. | |Microsoft Defender for Endpoint | Used for addressing security threats detected on enrolled devices by Microsoft Managed DesktopΓÇÖs Security Operations Center (SOC). |
-|Windows diagnostic data |Used to determine the update status of managed devices as well as to provide and improve Microsoft Managed DesktopΓÇÖs IT-as-a-Service (ITaaS) offering. |
+|Windows diagnostic data |Used to determine the update status of managed devices and to provide and improve Microsoft Managed DesktopΓÇÖs IT-as-a-Service (ITaaS) offering. |
|Admin contact data | Used by Microsoft Managed Desktop to communicate with tenant administrators. |
managed-desktop https://docs.microsoft.com/en-us/microsoft-365/managed-desktop/service-description/regions-languages https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/service-description/regions-languages.md
@@ -15,7 +15,7 @@ This article provides details about regions and languages supported by Microsoft
## Supported languages
-English is the only language available to users of Microsoft Managed Desktop. This includes all user interfaces for both users and administrators and all interactions with both [admin support](https://docs.microsoft.com/microsoft-365/managed-desktop/working-with-managed-desktop/admin-support) and [end-user support](https://docs.microsoft.com/microsoft-365/managed-desktop/working-with-managed-desktop/end-user-support).
+English is the only language available to users of Microsoft Managed Desktop. This policy includes all user interfaces for both users and administrators and all interactions with both [admin support](https://docs.microsoft.com/microsoft-365/managed-desktop/working-with-managed-desktop/admin-support) and [user support](https://docs.microsoft.com/microsoft-365/managed-desktop/working-with-managed-desktop/end-user-support).
You can still use managed devices outside of English-speaking regions without an interruption to the Microsoft Managed Desktop service. For example, an employee based in the United Kingdom can work securely and receive updates on their managed device while traveling Asia, Europe, or South America.
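Review bot: In the added line, "This policy includes all user interfaces ..." has no policy to refer back to; the preceding sentence states a limitation (English is the only language available). Suggest "This limitation applies to all user interfaces for both users and administrators and to all interactions with ...". The context line below it is also missing a preposition: "while traveling Asia, Europe, or South America" should be "while traveling in Asia, Europe, or South America".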
managed-desktop https://docs.microsoft.com/en-us/microsoft-365/managed-desktop/service-description/security-operations https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/service-description/security-operations.md
@@ -1,6 +1,6 @@
--- title: Security operations in Microsoft Managed Desktop
-description:
+description: Services and processes provided by the Security Operations Center
keywords: Microsoft Managed Desktop, Microsoft 365, service, documentation ms.service: m365-md author: jaimeo
@@ -27,7 +27,7 @@ The SOC provides these services:
## Processes -- Microsoft Managed Desktop Security Operations is staffed by full-time Microsoft employees in partnership with MicrosoftΓÇÖs [Cyber Defense Operations Center](https://www.microsoft.com/msrc/cdoc).
+- Microsoft Managed Desktop Security Operations is staffed by full-time Microsoft employees in partnership with MicrosoftΓÇÖs [Cyber Defense Operations Center](https://www.microsoft.com/msrc/cdoc).
- Our SOC uses collective signals from across our company, both internal and external, to protect your devices--even from things we have not yet seen in Microsoft Managed Desktop. - Microsoft security solutions align to many cybersecurity protection standards. SOC operations are based on the National Institute of Standards and Technology Computer Security Incident Response Handling Guide (NIST 800-61 r2). - The process allows for proper collection of information and evidence, for analysis and documentation and post-recovery insights into ways to better defend your environment through these phases:
@@ -36,5 +36,5 @@ The SOC provides these services:
- Eradication - Recovery - Post-incident activity-- Microsoft Managed Desktop customers are eligible to enroll in the Microsoft Threat Experts service. The SOC liaises with this service to understand better the complex threats affecting your organization, including alert inquiries, potentially compromised devices, root cause of a suspicious network connection, and additional threat intelligence regarding ongoing advanced persistent threat campaigns. For more information, see [Microsoft Threat Experts](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts).
+- Microsoft Managed Desktop customers are eligible to enroll in the Microsoft Threat Experts service. The SOC liaises with this service to understand better the complex threats affecting your organization, including alert inquiries, potentially compromised devices, root cause of a suspicious network connection, and other threat intelligence regarding ongoing advanced persistent threat campaigns. For more information, see [Microsoft Threat Experts](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts).
- SOCΓÇÖs Threat and Vulnerability Management process uses some of MicrosoftΓÇÖs services to help inform recommendations for your organization to protect against threats. The SOC consumes data from your Microsoft Defender for Endpoint Security Center and from relevant vulnerability data sources within and outside of Microsoft to discover vulnerabilities and misconfigurations and provide actionable reporting.
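Review bot: In the added Microsoft Threat Experts bullet, "to understand better the complex threats" has awkward word order; "to better understand the complex threats" reads more naturally, and this wording pass is the place to fix it. The context bullet that follows starts "SOC's Threat and Vulnerability Management process" without an article, while the rest of the list says "The SOC" or "Our SOC"; suggest "The SOC's Threat and Vulnerability Management process" for consistency.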
managed-desktop https://docs.microsoft.com/en-us/microsoft-365/managed-desktop/service-description/security https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/service-description/security.md
@@ -1,6 +1,6 @@
--- title: Security technologies in Microsoft Managed Desktop
-description:
+description: Technologies used for device security, identity and access management, network security, and information security
keywords: Microsoft Managed Desktop, Microsoft 365, service, documentation ms.service: m365-md author: jaimeo
@@ -14,7 +14,7 @@ ms.topic: article
<!--Security, also Onboarding doc: data handling/store, privileged account access -->
-Microsoft Managed Desktop uses several Microsoft technologies to help secure managed devices and data. In addition, the Microsoft Managed Desktop Security Operations Center uses a variety of [processes](security-operations.md) in conjunction with these technologies.
+Microsoft Managed Desktop uses several Microsoft technologies to help secure managed devices and data. In addition, the Microsoft Managed Desktop Security Operations Center uses various [processes](security-operations.md) in conjunction with these technologies.
Specifically:
@@ -23,7 +23,7 @@ Specifically:
- [Network security](#network-security) ΓÇô VPN information and Microsoft Managed Desktop recommended solution and settings - [Information security](#information-security) ΓÇô optional available services to further protect sensitive information
-For information about data storage, usage, and security practices used by Microsoft Managed Desktop, see our white paper at [https://aka.ms/mmd-data](https://aka.ms/mmd-data).
+For information about data storage, usage, and security practices used by Microsoft Managed Desktop, see our whitepaper at [https://aka.ms/mmd-data](https://aka.ms/mmd-data).
## Device security
@@ -47,7 +47,7 @@ Identity and access management protects corporate assets and business-critical d
Service | Description --- | --- Biometric Authentication | Windows Hello allows users to sign in by using their face or a PIN, making passwords harder to forget or steal. Customers are responsible for implementing the necessary pre-requisites for their on-premises Active Directory for use of this service in a hybrid configuration. For more information, see [Windows Hello.](https://docs.microsoft.com/windows-hardware/design/device-experiences/windows-hello)
-Standard user permission | To protect the system and make it more secure, the user will be assigned Standard User Permissions. This is assigned as part of the Windows Autopilot out-of-box experience.
+Standard user permission | To protect the system and make it more secure, the user will be assigned Standard User Permissions. This permission is assigned as part of the Windows Autopilot out-of-box experience.
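Review bot: The added sentence "This permission is assigned ..." is singular, but its antecedent in the previous sentence is the plural "Standard User Permissions"; use "These permissions are assigned" or make the first sentence singular. In the Biometric Authentication row kept as context, "making passwords harder to forget or steal" does not say what is meant, since the sentence describes signing in with a face or a PIN instead of a password; consider rewording it while this table is open.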
@@ -57,7 +57,7 @@ Customers are responsible for network security.
Service | Description --- | ---
-VPN | Customers own their VPN infrastructure, to ensure limited corporate resources can be exposed outside the intranet.<br><br>Minimum requirement: Microsoft Managed Desktop requires a Windows 10 compatible and supported VPN solution. If your organization needs a VPN solution, it needs to support Windows 10 and be packaged and deployable through Intune. Contact your software publisher for more information.<br><br>Recommendation:<br>- Microsoft recommends a modern VPN solution that could be easily deployed through Intune to push VPN profiles. This provides an always-on, seamless, reliable, and secure way to access corporate network. For more information, see [[VPN settings in Intune]](https://docs.microsoft.com/intune/vpn-settings-configure).<br>- Thick VPN clients, or legacy VPN clients, are not recommended by Microsoft while using Microsoft Managed Desktop as it can impact the user environment.<br>- Microsoft recommends that the outgoing web traffic goes directly to Internet without going through the VPN to avoid any performance issues.<br>- Ideally, Microsoft recommends the use of Azure Active Directory App Proxy instead of a VPN.
+VPN | Customers own their VPN infrastructure, to ensure limited corporate resources can be exposed outside the intranet.<br><br>Minimum requirement: Microsoft Managed Desktop requires a Windows 10 compatible and supported VPN solution. If your organization needs a VPN solution, it needs to support Windows 10 and be packaged and deployable through Intune. Contact your software publisher for more information.<br><br>Recommendation:<br>- Microsoft recommends a modern VPN solution that could be easily deployed through Intune to push VPN profiles. This approach provides an always-on, seamless, reliable, and secure way to access corporate network. For more information, see [[VPN settings in Intune]](https://docs.microsoft.com/intune/vpn-settings-configure).<br>- Thick VPN clients, or older VPN clients, are not recommended by Microsoft while using Microsoft Managed Desktop as it can impact the user environment.<br>- Microsoft recommends that the outgoing web traffic goes directly to Internet without going through the VPN to avoid any performance issues.<br>- Ideally, Microsoft recommends the use of Azure Active Directory App Proxy instead of a VPN.
## Information security
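Review bot: Replacing "legacy VPN clients" with "older VPN clients" in the second recommendation changes the meaning from a class of client to the age of a client, which leaves readers unsure whether an outdated version of a supported client is covered; name what is actually discouraged. The same sentence ends "as it can impact the user environment" with a singular pronoun for plural clients (use "as they can"), the link is written with doubled brackets as "[[VPN settings in Intune]]", which renders brackets as part of the link text, and "access corporate network" and "directly to Internet" are each missing "the".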
managed-desktop https://docs.microsoft.com/en-us/microsoft-365/managed-desktop/service-description/updates https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/service-description/updates.md
@@ -18,7 +18,7 @@ ms.collection: M365-modern-desktop
<!--Update management -->
-Microsoft Managed Desktop connects all devices to a modern cloud-based infrastructure. Keeping Windows, Office, drivers, firmware, and Microsoft Store for Business applications up to date is a balance of speed and stability. Deployment groups will be used to ensure operating system updates and policies are rolled out in a safe manner. For more about this, see the video [Microsoft Managed Desktop Change and Release Process](https://www.microsoft.com/videoplayer/embed/RE4mWqP).
+Microsoft Managed Desktop connects all devices to a modern cloud-based infrastructure. Keeping Windows, Office, drivers, firmware, and Microsoft Store for Business applications up to date is a balance of speed and stability. Deployment groups will be used to ensure operating system updates and policies are rolled out in a safe manner. For more information, see the video [Microsoft Managed Desktop Change and Release Process](https://www.microsoft.com/videoplayer/embed/RE4mWqP).
Updates released by Microsoft are cumulative and are categorized as quality or feature updates. For more information, see [Windows Update for Business: Update types](https://docs.microsoft.com/windows/deployment/update/waas-manage-updates-wufb#update-types).
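Review bot: With "For more about this" changed to "For more information", the paragraph now has two consecutive sentences beginning "For more information, see", the second one in the unchanged line that follows. Vary one of them, for example by starting the second with "To learn about update types, see ...".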
@@ -28,9 +28,9 @@ For more information, see [Windows Update for Business: Update types](https://do
Microsoft Managed Desktop uses four Azure AD groups to manage updates: - **Test**: Used to validate Microsoft Managed Desktop policy changes, operating system updates, feature updates, and other changes pushed to the tenant. There should not be any users placed in the test group. The test group is exempt from any established service level agreements and user support. This group is available for use to validate compatibility of applications with new policy or operating system changes. -- **First**: Contains early software adopters and devices that could be subject to pre-release updates. Devices in this group might experience outages if there are scenarios which were not covered during testing in the test ring.-- **Fast**: Prioritizes speed over stability. Useful for detecting quality issues before they are offered to the Broad group. This group serves as a next layer of validation but is generally more stable than the Test and First groups. -- **Broad**: Last group to have feature and quality updates available. This group contains the majority of users in the tenant, and therefore favors stability over speed in deployment. Testing of apps should be done here as the environment is most stable.
+- **First**: Contains early software adopters and devices that could be subject to pre-release updates. Devices in this group might experience outages if there are scenarios that were not covered during testing in the test ring.
+- **Fast**: Prioritizes speed over stability. Useful for detecting quality issues before they are offered to the Broad group. This group serves as a next layer of validation but is typically more stable than the Test and First groups.
+- **Broad**: Last group to have feature and quality updates available. This group contains most of users in the tenant, and therefore favors stability over speed in deployment. Testing of apps should be done here as the environment is most stable.
> [!NOTE] > If you need to move a user to a different update group, submit a support request. See [Support for Microsoft Managed Desktop](support.md) for more information on submitting support requests. If you move a user yourself, the move will be reverted.
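Review bot: The added Broad bullet says "This group contains most of users in the tenant", which is ungrammatical; use "most users in the tenant" or "most of the users in the tenant". The added First bullet still refers to "the test ring" while every other mention in this list says "group" (Test group, Broad group); pick one term and use it throughout.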
@@ -38,12 +38,12 @@ Microsoft Managed Desktop uses four Azure AD groups to manage updates:
For more information roles and responsibilities with these deployment groups, see [Microsoft Managed Desktop Roles and responsibilities](../intro/roles-and-responsibilities.md) How update deployment works:-- Microsoft Managed Desktop deploys a new feature or quality update according the schedule specified below.
+- Microsoft Managed Desktop deploys a new feature or quality update according the the schedule specified in the table.
- During deployment, Microsoft Managed Desktop monitors for signs of failure or disruption (based on diagnostic data and the user support system). If any are detected, then the deployment to all current and future groups is immediately paused. - Example: if an issue is discovered while deploying a quality update to the First group, then update deployments to First, Fast, and Broad will all be paused until the issue is resolved. - Compatibility issues can be reported by filing a ticket in the Microsoft Managed Desktop Admin portal. - Feature and quality updates are paused independently. Pause is in effect for 35 days by default, but can be reduced or extended depending on whether the issue is remediated.-- Once the groups are un-paused, deployment resumes according to the schedule below.
+- Once the groups are unpaused, deployment resumes according to the schedule in the table.
- This deployment process applies to both feature and quality updates, though the timeline varies for each.
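Review bot: The first added bullet reads "according the the schedule specified in the table", which introduces a doubled "the" and still lacks "to"; it should be "according to the schedule specified in the table". Both added bullets now point to "the table" without saying which one; name the table or link to its heading so the reference survives if the section is reordered. The lead-in context line "For more information roles and responsibilities" is also missing "about".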
@@ -67,12 +67,12 @@ How update deployment works:
## Windows Insider Program
-Microsoft Managed Desktop does not support devices that are part of the Windows Insider program. The Windows Insider program is used to validate pre-release Windows software and is intended for devices that aren't mission critical. While this is an important Microsoft initiative, it is not intended for broad deployment in production environments.
+Microsoft Managed Desktop does not support devices that are part of the Windows Insider program. The Windows Insider program is used to validate pre-release Windows software and is intended for devices that aren't mission critical. While it's an important Microsoft initiative, it's not intended for broad deployment in production environments.
Any devices found with Windows Insider builds might be put into the Test group and will be exempt from update service level agreements and user support from Microsoft Managed Desktop. ## Bandwidth management
-We use [Delivery Optimization](https://docs.microsoft.com/windows/deployment/update/waas-delivery-optimization) for all operating system and driver updates. This minimizes the download size from the Windows Update service by seeking updates from peers within the corporate network.
+We use [Delivery Optimization](https://docs.microsoft.com/windows/deployment/update/waas-delivery-optimization) for all operating system and driver updates. This feature minimizes the download size from the Windows Update service by seeking updates from peers within the corporate network.
managed-desktop https://docs.microsoft.com/en-us/microsoft-365/managed-desktop/working-with-managed-desktop/admin-support https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/working-with-managed-desktop/admin-support.md
@@ -1,6 +1,6 @@
--- title: Admin support for Microsoft Managed Desktop
-description:
+description: How admins can get help with the service
keywords: Microsoft Managed Desktop, Microsoft 365, service, documentation ms.service: m365-md author: jaimeo
@@ -20,7 +20,7 @@ You can submit support tickets or feedback requests to Microsoft using the Micro
**To submit a support request** 1. Sign in to [Microsoft Endpoint Manager](https://endpoint.microsoft.com/) and navigate to the **Troubleshooting + support** menu.
-2. Look for the Microsoft Managed Desktop section, select **Sevice request**.
+2. Look for the Microsoft Managed Desktop section, select **Service request**.
3. On **Support requests**, select **+ New Support ticket**. 4. Select the **Support request type** that matches the help you need. The table below outlines the options. 5. Select the **Severity level**. For more information, see [Support request severity definitions](#sev).
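Review bot: Step 2 now spells "Service request" correctly, but step 3 in the context calls the resulting page "Support requests" with a "+ New Support ticket" button; confirm both labels against the portal so the steps use the exact UI strings. Step 2 is also a comma splice; "In the Microsoft Managed Desktop section, select **Service request**." reads cleaner.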
@@ -28,7 +28,7 @@ You can submit support tickets or feedback requests to Microsoft using the Micro
Support request type | When to use --- | --- Incident | You require the Microsoft Managed Desktop Operations Team to investigate, like widespread impact of a change or security incident.
-Request for information | You are planning a change for networking, proxy configuration, VPN systems, certificate expiration, or just need some information about the service. A response from the Microsoft Managed Desktop Operations Team is strongly advised when communicating a change within your organization.
+Request for information | You are planning a change for networking, proxy configuration, VPN systems, certificate expiration, or just need some information about the service. A response from the Microsoft Managed Desktop Operations Team is advised when communicating a change within your organization.
Change request | You require the Microsoft Managed Desktop Operations Team to make a change, such as moving devices between update groups. <span id="sev" />
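Review bot: Dropping "strongly" from "strongly advised" in the Request for information row changes the strength of the guidance, not just its style; confirm with the service owner that the weaker wording is intended, since this row covers networking, proxy, VPN and certificate changes. The Incident row in the context says "like widespread impact of a change or security incident", which would read better with "such as", matching the Change request row.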
@@ -43,24 +43,24 @@ Severity level | Customer situation | Initial response time | Expected customer
**Severity B ΓÇô Moderate Impact** | **Moderate business impact**<br><br>CustomerΓÇÖs business has moderate loss or degradation of services, but work can reasonably continue in an impaired manner.<br><br>**Moderate application compatibility impact**<br><br>A specific business group is no longer productive, due to crashing behavior or loss of critical functionality. | Initial: < 4 hours<br>Update: 12 hours<br>Business hours (24x7 available) | When you select Severity B, you confirm that the issue has moderate impact to your business with loss and degradation of services, but workarounds enable reasonable, albeit temporary, business continuity. <br><br>The issue demands an urgent response. If you chose 24x7 when you submit the support request, you commit to a continuous 24x7 operation every day with the Microsoft team until resolution, otherwise, Microsoft might at its discretion decrease the severity to level C. If you chose business-hours support when you submit a Severity B incident, Microsoft will contact you during business hours only.<br><br>You also ensure that Microsoft has your accurate contact information. **Severity C ΓÇô Minimal Impact** | **Minimum business impact**<br><br> CustomerΓÇÖs business is functioning with minor impediments of services.<br><br>**Minor application compatibility impact**<br><br>Potentially unrelated users experience minor compatibility issues that do not prevent productivity | Initial: < 8 hours<br>Update: 24 hours<br>Business hours | When you select Severity C, you confirm that the issue has minimum impact to your business with minor impediment of service.<br><br>For a Severity C incident, Microsoft will contact you during business hours only.<br><br>You also ensure that Microsoft has your accurate contact information
-Additional details:
+More details:
- **Support languages** - All support is provided in English. - **Severity level changes** - Microsoft may downgrade the severity level if the customer is not able to provide adequate resources or responses to enable Microsoft to continue with problem resolution efforts. - **Business hours** - For most countries, business hours are from 9:00 AM to 5:00 PM, Pacific Standard Time.-- **Application compatibility** - For an application compatibility issue to be considered, there must be a reproduceable error, of the same version of the application, between the previous and current version of Windows or Office. To resolve application compatibility issues, Microsoft requires a customer point of contact to work with. The individual must work directly with our Fast Track team to investigate and resolve the issue.
+- **Application compatibility** - For an application compatibility issue to be considered, there must be a reproducible error, of the same version of the application, between the previous and current version of Windows or Office. To resolve application compatibility issues, Microsoft requires a customer point of contact to work with. The individual must work directly with our Fast Track team to investigate and resolve the issue.
- **Customer response time** If a customer is unable to meet the expected response requirements, Microsoft will downgrade the request by one severity level, to a minimum of Severity C. If a customer is unresponsive to requests for action, Microsoft will mitigate and close the support request within 48 hours of the last request. ## Provide feedback We appreciate your feedback and use it to improve the admin support experience.
-Once a ticket is in the **Mitigated** or **Resolved** state, you can share your feedback on your experience with that particular issue. To do this, go to the **Service requests** page in the **Troubleshooting + support** menu of the MEM portal. Select the specific ticket. The ticket details will appear in the fly-in on the right side, select the **Feedback** tab, and provide the requested information. Be careful not to include any personal information in the feedback form. For more information about privacy, see the [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement).
+Once a ticket is in the **Mitigated** or **Resolved** state, you can share your feedback on your experience with that particular issue. To share feedback, go to the **Service requests** page in the **Troubleshooting + support** menu of the MEM portal. Select the specific ticket. The ticket details will appear in the fly-in on the right side, select the **Feedback** tab, and provide the requested information. Be careful not to include any personal information in the feedback form. For more information about privacy, see the [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement).
![Feedback form](../../media/feedback_form.png)
-## Additional resources
+## More resources
- [User support for Microsoft Managed Desktop](end-user-support.md). - [Support for Microsoft Managed Desktop](../service-description/support.md). - If you already subscribe to Microsoft Managed Desktop, you can find detailed procedures, process flows, work instructions, and FAQs in the Microsoft Managed Desktop Admin Guide in the **Online resources** page under the **Microsoft Managed Desktop** section of the **Tenant administration** menu in [Microsoft Endpoint Manager](https://endpoint.microsoft.com/).
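Review bot: In the rewritten feedback paragraph, "The ticket details will appear in the fly-in on the right side, select the **Feedback** tab, and provide the requested information" is still a comma splice that runs a description into two instructions; end the sentence after "right side" and start a new one with "Select". In the context bullets of the same hunk, "**Customer response time**" lacks the " - " separator its siblings use, and the business-hours bullet gives "9:00 AM to 5:00 PM, Pacific Standard Time" for "most countries", which should be confirmed as the intended time zone.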
managed-desktop https://docs.microsoft.com/en-us/microsoft-365/managed-desktop/working-with-managed-desktop/end-user-support https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/working-with-managed-desktop/end-user-support.md
@@ -1,6 +1,6 @@
---
-title: Get support for Microsoft Managed Desktop
-description:
+title: Get user support for Microsoft Managed Desktop
+description: How users can get help with the service and devices
keywords: Microsoft Managed Desktop, Microsoft 365, service, documentation ms.service: m365-md author: jaimeo
@@ -24,9 +24,9 @@ The preferred method for providing support to your users is **Get Help**, an eas
![Get Help app icon](../../media/get-help.png)
-This is an application thatΓÇÖs installed on all Microsoft Managed Desktop devices and is pinned to the task bar.
+Get Help is an application thatΓÇÖs installed on all Microsoft Managed Desktop devices and is pinned to the task bar.
-- Users can request a call back to a provided phone number, or chat online with a service rep.
+- Users can request a callback to a provided phone number, or chat online with a service rep.
- Requests that fall outside of Microsoft Managed Desktop support scope are redirected to the local IT helpdesk via phone call. > [!NOTE]
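Review bot: This hunk closes up "call back" to "callback" but leaves "task bar" as two words in the added Get Help sentence; the Windows term is "taskbar", so fix it in the same pass. The apostrophe in "that's" on the same added line is a curly apostrophe that is displaying as stray characters; a plain ASCII apostrophe avoids that.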
@@ -37,7 +37,7 @@ For your users to be able to get help through the app, make sure these prerequis
- The device must be registered with Microsoft Managed Desktop using one of the methods in [Set up Microsoft Managed Desktop devices](../get-started/set-up-devices.md), such as [Register new devices yourself](../get-started/register-devices-self.md). - The display language for the device must be set to any of these English-language locales: en-us, en-gb, en-au, en-nz, or en-ca.-- The Get Help app should be up to date. To confirm this, check for app updates in the Microsoft Store.
+- The Get Help app should be up to date. To confirm its status, check for app updates in the Microsoft Store.
- Certain [endpoints](../get-ready/network.md#endpoints-allowed-that-are-necessary-for-microsoft-managed-desktop) must be accessible from the device. > [!NOTE]
@@ -47,7 +47,7 @@ If you've checked these prerequisites and the Get Help app still isn't working,
## Phone support
-Users with Microsoft Managed Desktop devices also have access to toll-free phone numbers they can call. This is meant to be used when Get Help isnΓÇÖt available. For example, if they canΓÇÖt sign in to the device, or the device is broken. Here are the phone numbers for phone support:
+Users with Microsoft Managed Desktop devices also have access to toll-free phone numbers they can call. The numbers are meant to be used when Get Help isnΓÇÖt available. For example, if they canΓÇÖt sign in to the device, or the device is broken. Here are the phone numbers for phone support:
- United States: +1 855 425 0216 - Canada (excluding Quebec): +1 855 425 0216
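Review bot: In the added line, "For example, if they can't sign in to the device, or the device is broken." is a sentence fragment; fold it into the previous sentence, as in "... when Get Help isn't available, for example if the user can't sign in to the device or the device is broken". The paragraph also moves from "Users" to "they" within two sentences; naming "the user" in the example keeps the reference clear.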
@@ -66,7 +66,7 @@ Users with Microsoft Managed Desktop devices also have access to toll-free phone
>[!NOTE] >You'll need to have your organizational email address ready when you call to verify your identity.
-## Additional resources
+## More resources
- [Admin support for Microsoft Managed Desktop](admin-support.md). - [Support for Microsoft Managed Desktop](../service-description/support.md). - If you already subscribe to Microsoft Managed Desktop, you can find detailed procedures, process flows, work instructions, and FAQs in the Microsoft Managed Desktop Admin Guide in the **Online resources** under the Microsoft Managed Desktop section of the **Tenant administration** menu in [Microsoft Endpoint Manager](https://endpoint.microsoft.com/).
security https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/identity-access-policies-guest-access https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/identity-access-policies-guest-access.md
@@ -1,6 +1,6 @@
---
-title: Identity and device access policies for allowing guest and external B2B access - Microsoft 365 for enterprise | Microsoft Docs
-description: Describes the recommended Conditional Access and related policies for protecting access of guest and external users.
+title: Identity and device access policies for allowing guest and external user B2B access - Microsoft 365 for enterprise | Microsoft Docs
+description: Describes the recommended Conditional Access and related policies for protecting access of guests and external users.
ms.prod: microsoft-365-enterprise ms.topic: article ms.author: josephd
@@ -19,17 +19,17 @@ ms.collection:
- m365solution-scenario ---
-# Policies for allowing guest and external B2B access
+# Policies for allowing guest access and B2B external user access
-This article describes how to adjust the recommended common identity and device access policies to allow access for guest and external users that have an Azure Active Directory (Azure AD) Business-to-Business (B2B) account. This guidance builds on the [common identity and device access policies](identity-access-policies.md).
+This article discusses adjusting the recommended device and identity access policies to allow access for guests and external users that have an Azure Active Directory (Azure AD) Business-to-Business (B2B) account. This guidance builds on the [common identity and device access policies](identity-access-policies.md).
-These recommendations are designed to apply to the **baseline** tier of protection. However, you can also adjust the recommendations based on the granularity of your needs for **sensitive** and **highly regulated** protection.
+These recommendations are designed to apply to the **baseline** tier of protection. But you can also adjust the recommendations based on your specific needs for **sensitive** and **highly regulated** protection.
-Providing a path for B2B accounts to authenticate with your Azure AD tenant doesn't give these accounts access to your entire environment. B2B users and their accounts only have access to resources that are shared with them (such as files) within the services granted in Conditional Access policies.
+Providing a path for B2B accounts to authenticate with your Azure AD tenant doesn't give these accounts access to your entire environment. B2B users and their accounts have access to services and resources, like files, shared with them by Conditional Access policy.
-## Updating the common policies to allow and protect guest and external access
+## Updating the common policies to allow and protect guests and external user access
-To protect guest and external access with Azure AD B2B accounts, the following diagram illustrates which policies to add or update from the the common identity and device access policies.
+This diagram shows which policies to add or update among the common identity and device access policies, for B2B guest and external user access.
[![Summary of policy updates for protecting guest access](../../media/microsoft-365-policies-configurations/identity-access-ruleset-guest.png)](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/media/microsoft-365-policies-configurations/identity-access-ruleset-guest.png)
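Review bot: The rewritten sentence "B2B users and their accounts have access to services and resources, like files, shared with them by Conditional Access policy" drops "only" and changes who does the sharing, so it no longer states the limit this paragraph exists to make. The removed wording said these accounts only have access to resources that are shared with them, within the services granted in Conditional Access policies; Conditional Access gates access to services and does not share files. Restore the restriction, for example "B2B accounts can access only the resources that are shared with them, and only in the services that your Conditional Access policies allow". The new H1 also contrasts "guest access" with "B2B external user access" although the intro says both guests and external users have a B2B account; align the terms.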
@@ -39,41 +39,41 @@ The following table lists the policies you either need to create and update. The
|Protection level|Policies|More information| |---|---|---|
-|**Baseline**|[Require MFA always for guest and external users](identity-access-policies.md#require-mfa-based-on-sign-in-risk)|Create this new policy and configure: <ul><li>For **Assignments > Users and groups > Include**, choose **Select users and groups**, and then select **All guest and external users**.</li><li>For **Assignments > Conditions > Sign-in**, leave all options unchecked to always enforce multi-factor authentication (MFA).</li></ul>|
-||[Require MFA when sign-in risk is *medium* or *high*](identity-access-policies.md#require-mfa-based-on-sign-in-risk)|Modify this policy to exclude guest and external users.|
-||[Require compliant PCs](identity-access-policies.md#require-compliant-pcs-but-not-compliant-phones-and-tablets)|Modify this policy to exclude guest and external users.|
+|**Baseline**|[Require MFA always for guests and external users](identity-access-policies.md#require-mfa-based-on-sign-in-risk)|Create this new policy and configure: <ul><li>For **Assignments > Users and groups > Include**, choose **Select users and groups**, and then select **All guest and external users**.</li><li>For **Assignments > Conditions > Sign-in**, leave all options unchecked to always enforce multi-factor authentication (MFA).</li></ul>|
+||[Require MFA when sign-in risk is *medium* or *high*](identity-access-policies.md#require-mfa-based-on-sign-in-risk)|Modify this policy to exclude guests and external users.|
+||[Require compliant PCs](identity-access-policies.md#require-compliant-pcs-but-not-compliant-phones-and-tablets)|Modify this policy to exclude guests and external users.|
-To include or exclude guest and external users in Conditional Access policies, for **Assignments > Users and groups > Include** or **Exclude**, check **All guest and external users**.
+To include or exclude guests and external users in Conditional Access policies, for **Assignments > Users and groups > Include** or **Exclude**, check **All guest and external users**.
-![screen capture of controls for excluding guest and external users](../../media/microsoft-365-policies-configurations/identity-access-exclude-guests-ui.png)
+![screen capture of controls for excluding guests and external users](../../media/microsoft-365-policies-configurations/identity-access-exclude-guests-ui.png)
## More information
-### Guest and external access with Microsoft Teams
+### Guests and external user access with Microsoft Teams
-Microsoft Teams defines the following:
+Microsoft Teams defines the following users:
-- **Guest access** uses an Azure AD B2B account that can be added as a member of a team and have all permissioned access to the communications and resources of the team.
+- **Guest access** uses an Azure AD B2B account that can be added as a member of a team and have access to the communications and resources of the team.
-- **External access** is for an external user that does not have a B2B account. External access can include invitations and participation in calls, chats, and meetings, but does not include team membership and access to the resources of the team.
+- **External access** is for an external user that doesn't have a B2B account. External user access includes invitations, calls, chats, and meetings, but doesn't include team membership and access to the resources of the team.
-For more information, see the [comparison between guest and external access for teams](https://docs.microsoft.com/microsoftteams/communicate-with-users-from-other-organizations#compare-external-and-guest-access).
+For more information, see the [comparison between guests and external user access for teams](https://docs.microsoft.com/microsoftteams/communicate-with-users-from-other-organizations#compare-external-and-guest-access).
-See [Policy recommendations for securing Teams chats, groups, and files](teams-access-policies.md) for more information about securing identity and device access policies for Teams.
+For more information on securing identity and device access policies for Teams, see [Policy recommendations for securing Teams chats, groups, and files](teams-access-policies.md).
### Require MFA always for guest and external users
-This policy prompts guests to register for MFA in your tenant, regardless of whether they're registered for MFA in their home tenant. When accessing resources in your tenant, guest and external users are required to use MFA for every request.
+This policy prompts guests to register for MFA in your tenant, regardless of whether they're registered for MFA in their home tenant. When accessing resources in your tenant, guests and external users are required to use MFA for every request.
-### Excluding guest and external users from risk-based MFA
+### Excluding guests and external users from risk-based MFA
-While organizations can enforce risk-based policies for B2B users using Azure AD Identity Protection, there are limitations in the implementation of Azure AD Identity Protection for B2B collaboration users in a resource directory due to their identity existing in their home directory. Due to these limitations, Microsoft recommends you exclude guest users from risk-based MFA policies and require these users to always use MFA.
+While organizations can enforce risk-based policies for B2B users using Azure AD Identity Protection, there are limitations in the implementation of Azure AD Identity Protection for B2B collaboration users in a resource directory due to their identity existing in their home directory. Due to these limitations, Microsoft recommends you exclude guests from risk-based MFA policies and require these users to always use MFA.
For more information, see [Limitations of Identity Protection for B2B collaboration users](https://docs.microsoft.com/azure/active-directory/identity-protection/concept-identity-protection-b2b#limitations-of-identity-protection-for-b2b-collaboration-users).
-### Excluding guest and external users from device management
+### Excluding guests and external users from device management
-Only one organization can manage a device. If you don't exclude guest and external users from policies that require device compliance, these policies will block these users.
+Only one organization can manage a device. If you don't exclude guests and external users from policies that require device compliance, these policies will block these users.
## Next step
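Review bot: The unchanged heading "### Require MFA always for guest and external users" still uses the old wording, while the two sibling headings under "More information" were renamed to "guests and external users", so the section now mixes both forms; rename it as well or leave all three alone. In-page anchors on this site are derived from heading text (see the #require-mfa-based-on-sign-in-risk links in the table rows), so the renamed headings need a check for inbound links to their old fragments. The new heading "Guests and external user access with Microsoft Teams" also no longer matches the bullet labels **Guest access** and **External access** beneath it.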
security https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/identity-access-prerequisites https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/identity-access-prerequisites.md
@@ -1,6 +1,6 @@
--- title: Prerequisite work for implementing identity and device access policies - Microsoft 365 for enterprise | Microsoft Docs
-description: Describes the prerequisites prior to implementing identity and device access policies and configurations.
+description: This article describes the prerequisites you need to meet to use identity and device access policies and configurations.
ms.author: josephd author: JoeDavies-MSFT manager: Laurawi
@@ -22,11 +22,11 @@ ms.collection:
# Prerequisite work for implementing identity and device access policies
-This article describes prerequisites that need to be implemented before you can deploy the recommended identity and device access policies. This article also discusses the recommended default platform client configurations to provide the best single sign-on (SSO) experience to your users, as well as the technical prerequisites for Conditional Access.
+This article describes the prerequisites admins must meet to use recommended identity and device access policies, and to use Conditional Access. It also discusses the recommended defaults for configuring client platforms for the best single sign-on (SSO) experience.
## Prerequisites
-Before implementing the recommended identity and device access policies, there are several prerequisites that your organization must meet for these identity and authentication models for Microsoft 365 and Office 365:
+Before using the identity and device access policies that are recommended, your organization needs to meet prerequisites. The requirements are different for the various identity and authentication models listed:
- Cloud-only - Hybrid with password hash sync (PHS) authentication
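Review bot: The rewritten intro drops the ordering the old text stated: "prerequisites that need to be implemented before you can deploy" became "prerequisites admins must meet to use", which no longer tells the reader that this work comes before policy deployment. In the Prerequisites paragraph, "for the various identity and authentication models listed" loses the "for Microsoft 365 and Office 365" scope, and "listed" has nothing to point at until the bullets follow; "for the following identity and authentication models:" would read more clearly.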
security https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/isolated-sharepoint-online-team-sites https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/isolated-sharepoint-online-team-sites.md
@@ -27,9 +27,9 @@ description: Learn about isolated SharePoint Online team sites, including uses,
**Summary:** Learn about the uses for isolated SharePoint Online team sites.
-SharePoint Online team sites are an easy way to quickly create a space for collaboration of notes, documents, articles, a calendar, and other resources in Microsoft Office 365. SharePoint Online team sites are based on a Microsoft 365 group and have a simplified administration model to allow open collaboration with a private set of group members or the entire organization. A default SharePoint Online team site allows members of the Microsoft 365 group to invite other users and control permissions settings.
+SharePoint Online team sites are an easy way to quickly create a space for collaboration. Users can work together on notes, documents, articles, a calendar, and other resources in Microsoft Office 365. SharePoint Online team sites are based on a Microsoft 365 group and have a simplified administration model to allow open collaboration with a private set of group members or the entire organization. A default SharePoint Online team site allows members of the Microsoft 365 group to invite other users and control permissions settings.
-However, in some cases, you want to create a SharePoint Online team site for collaboration where the permissions of that site are more tightly controlled through group membership and SharePoint Online permission levels, which are only managed by SharePoint administrators. We call this an isolated site, which is isolated to the set of users that are either collaborating, viewing its contents, or administering the site. You might need an isolated site for the following:
+However, you'll sometimes need site access to be controlled by group memberships, and SharePoint Online permission levels managed by SharePoint administrators. We call this an isolated site, which is isolated to the set of users that are either collaborating, viewing its contents, or administering the site. You might need an isolated site for the following:
- A secret project within your organization.
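Review bot: The replacement sentence starting "However, you'll sometimes need site access" loses the two qualifiers that define an isolated site: "more tightly controlled" and permission levels "which are only managed by SharePoint administrators". Without "only", the contrast with the default site in the previous paragraph (where group members can invite other users and control permissions settings) is gone, and the comma before "and SharePoint Online permission levels" makes it unclear whether administrators manage just the permission levels or the group memberships too. Suggest keeping "managed only by SharePoint administrators".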
security https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/support-for-validation-of-dkim-signed-messages https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/support-for-validation-of-dkim-signed-messages.md
@@ -1,5 +1,5 @@
---
-title: "Support for validation of DKIM signed messages"
+title: "Support for validation of Domain Keys Identified Mail (DKIM) signed messages"
f1.keywords: - NOCSH ms.author: tracyp
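Review bot: The new title expands the acronym as "Domain Keys Identified Mail", but RFC 6376, which this article links, spells it "DomainKeys Identified Mail" with "DomainKeys" as one word. The body text of the article uses the same two-word spelling, so fix both together. Consider keeping the title short with "DKIM" alone and expanding it once in the first sentence.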
@@ -21,11 +21,15 @@ description: "Learn about the validation of DKIM signed messages in Exchange Onl
[!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender-for-office.md)]
+Exchange Online Protection (EOP) and Exchange Online both support inbound validation of Domain Keys Identified Mail ([DKIM](https://www.rfc-editor.org/rfc/rfc6376.txt)) messages.
-Exchange Online Protection (EOP) and Exchange Online support inbound validation of Domain Keys Identified Mail ([DKIM](https://www.rfc-editor.org/rfc/rfc6376.txt)) messages. DKIM is a method for validating that a message was sent from the domain it says it originated from and that it was not spoofed by someone else. It ties an email message to the organization responsible for sending it. DKIM verification is automatically used for all messages sent over IPv6 communications. Microsoft 365 also now supports DKIM when mail is sent over IPv4. (For more information about IPv6 support, see [Support for anonymous inbound email messages over IPv6](support-for-anonymous-inbound-email-messages-over-ipv6.md).)
+DKIM validates that an email message wasn't *spoofed* by someone else, and was sent from the domain it *says* it came from. It ties an email message to the organization that sent it. DKIM verification is used automatically for all messages sent with IPv6. Microsoft 365 also supports DKIM when mail is sent over IPv4. (For more information about IPv6 support, see [Support for anonymous inbound email messages over IPv6](support-for-anonymous-inbound-email-messages-over-ipv6.md).)
-DKIM validates a digitally signed message that appears in the DKIM-Signature header in the message headers. The results of a DKIM-Signature validation is stamped in the Authentication-Results header which conforms with RFC 7001 ([Message Header Field for Indicating Message Authentication Status](https://www.rfc-editor.org/rfc/rfc7001.txt)). The message header text appears similar to the following (where contoso.com is the sender):
+DKIM validates a digitally signed message that appears in the DKIM-Signature header of the message headers. The results of a DKIM-Signature validation are stamped in the Authentication-Results header. The message header text appears similar to the following (where contoso.com is the sender):
`Authentication-Results: <contoso.com>; dkim=pass (signature was verified) header.d=example.com;`
-Admins can create Exchange [mail flow rules](https://docs.microsoft.com/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules) (also known as transport rules) on the results of a DKIM validation to filter or route messages as needed.
+> [!NOTE]
+> For more information about the Authentication-Results header, see RFC 7001 ([Message Header Field for Indicating Message Authentication Status](https://www.rfc-editor.org/rfc/rfc7001.txt). Microsoft's DKIM implementation conforms with this RFC.
+
+Admins can create Exchange [mail flow rules](https://docs.microsoft.com/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules) (also known as transport rules) on the results of DKIM validation. These mail flow rules will allow admins to filter or route messages as needed.
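Review bot: The added NOTE has an unbalanced parenthesis: "RFC 7001 ([Message Header Field for Indicating Message Authentication Status](...)" opens with "(" and never closes it before ". Microsoft's". The last sentence of the note also changes the claim: the old text said the Authentication-Results header conforms with RFC 7001, while the new text says "Microsoft's DKIM implementation conforms with this RFC", and RFC 7001 describes the status header, not DKIM itself (that is RFC 6376, linked in the first paragraph). Reword so it is the header that conforms. Separately, the unchanged sample header shows header.d=example.com while the lead-in says contoso.com is the sender; worth aligning while this paragraph is being edited.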
security https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/tenant-allow-block-list https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/tenant-allow-block-list.md
@@ -1,5 +1,5 @@
---
-title: "Manage your allowed and blocked URLs in the Tenant Allow/Block List"
+title: "Manage your allows and blocks in the Tenant Allow/Block List"
f1.keywords: - NOCSH ms.author: chrisda
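Review bot: The new title "Manage your allows and blocks in the Tenant Allow/Block List" no longer says what kind of entries the article covers, and it disagrees in verb form with the H1 changed in the next hunk ("Managing allows and blocks in the Tenant Allow/Block List"). Pick one form for both, and consider "allowed and blocked entries" instead of using "allows and blocks" as nouns. The description in the next hunk also moves from "Security & Compliance Center" to "Security portal"; confirm that name matches what the rest of the article calls it.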
@@ -14,10 +14,10 @@ search.appverid:
- MET150 ms.collection: - M365-security-compliance
-description: "Admins can learn how to configure URL entries in the Tenant Allow/Block List in the Security & Compliance Center."
+description: "Admins can learn how to configure allows and blocks in the Tenant Allow/Block List in the Security portal."
---
-# Manage URLs in the Tenant Allow/Block List
+# Managing allows and blocks in the Tenant Allow/Block List
[!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender-for-office.md)]