+

+- Which groups or teams are part of the policy. A maximum of 50 groups can be selected.

+- If you're a Cloud Solution Provider (CSP) and you bought products on behalf of a customer, you can't use the **Your products** page to assign or unassign licenses for certain products, like perpetual software. To assign or unassign licenses for those products, [use the Licenses page](#use-the-licenses-page-to-assign-licenses-to-users).

+The **Licenses** page shows an aggregate total of licenses for all subscriptions for the same product name. For example, you might have one subscription for Microsoft 365 Business Premium that has five licenses, and another subscription that has eight licenses for the same product. The **Licenses** page shows that you have a total of 13 licenses for Microsoft 365 Business Premium across all your subscriptions. This number is different from what you see on the **Your products** page, which displays a row for each subscription you own, even if they are for the same product.

+ You might have to buy more licenses if you don't have enough licenses for everyone.

+- If you're a Cloud Solution Provider (CSP) and you bought products on behalf of a customer, you can't use the **Your products** page to assign or unassign licenses for certain products, like perpetual software. To assign or unassign licenses for those products, [use the Licenses page](#use-the-licenses-page-to-unassign-licenses).

+> [!IMPORTANT]

+> Starting on April 1, 2023, we will stop accepting checks as a payment method for subscriptions paid by invoice. Beginning on that date, pay by check will no longer be available as a payment option, and check payment instructions will be removed from invoices. You can still pay for your invoice by electronic funds transfer (EFT). See your invoice for EFT payment information. If you're an existing customer who currently pays by check, you have until September 30, 2023 to change to paying by EFT, and avoid possible service disruption.

+> [!IMPORTANT]

+>

+> - Starting on April 1, 2023, we will stop accepting checks as a payment method for subscriptions paid by invoice. Beginning on that date, pay by check will no longer be available as a payment option, and check payment instructions will be removed from invoices. You can still pay for your invoice by electronic funds transfer (EFT). See your invoice for EFT payment information. If you're an existing customer who currently pays by check, you have until September 30, 2023 to change to paying by EFT, and avoid possible service disruption.

+> - As of January 26, 2021, new bank accounts are no longer supported for customers in Belgium, France, Italy, Luxembourg, Portugal, Spain, and the United States. If you're an existing customer in one of those countries, you can continue paying for your subscription with an existing bank account that is in good standing. However, you can't add new subscriptions to the bank account.

+> [!IMPORTANT]

+> Starting on April 1, 2023, we will stop accepting checks as a payment method for subscriptions paid by invoice. Beginning on that date, pay by check will no longer be available as a payment option, and check payment instructions will be removed from invoices. You can still pay for your invoice by electronic funds transfer (EFT). See your invoice for EFT payment information. If you're an existing customer who currently pays by check, you have until September 30, 2023 to change to paying by EFT, and avoid possible service disruption.

+> [!IMPORTANT]

+> Starting on April 1, 2023, we will stop accepting checks as a payment method for subscriptions paid by invoice. Beginning on that date, pay by check will no longer be available as a payment option, and check payment instructions will be removed from invoices. You can still pay for your invoice by electronic funds transfer (EFT). See your invoice for EFT payment information. If you're an existing customer who currently pays by check, you have until September 30, 2023 to change to paying by EFT, and avoid possible service disruption.

+**Payment Terms** is the number of days from the invoice date when payment is due.

+> [!IMPORTANT]

+> Starting on April 1, 2023, we will stop accepting checks as a payment method for subscriptions paid by invoice. Beginning on that date, pay by check will no longer be available as a payment option, and check payment instructions will be removed from invoices. You can still pay for your invoice by electronic funds transfer (EFT). See your invoice for EFT payment information. If you're an existing customer who currently pays by check, you have until September 30, 2023 to change to paying by EFT, and avoid possible service disruption.

+> [!IMPORTANT]

+> Starting on April 1, 2023, we will stop accepting checks as a payment method for subscriptions paid by invoice. Beginning on that date, pay by check will no longer be available as a payment option, and check payment instructions will be removed from invoices. You can still pay for your invoice by electronic funds transfer (EFT). See your invoice for EFT payment information. If you're an existing customer who currently pays by check, you have until September 30, 2023 to change to paying by EFT, and avoid possible service disruption.

+The **Bill To contact** for the contract receives invoices by email from `microsoft-noreply@microsoft.com`.

+Be sure to add `microsoft-noreply@microsoft.com` to your safe senders list or modify any existing email rules to avoid emails landing in your junk folder.

+> [!IMPORTANT]

+> Starting on April 1, 2023, we will stop accepting checks as a payment method for subscriptions paid by invoice. Beginning on that date, pay by check will no longer be available as a payment option, and check payment instructions will be removed from invoices. You can still pay for your invoice by electronic funds transfer (EFT). See your invoice for EFT payment information. If you're an existing customer who currently pays by check, you have until September 30, 2023 to change to paying by EFT, and avoid possible service disruption.

+A proposal is a formal offer from Microsoft for your organization to buy Microsoft products and services. Proposals represent large orders that your organization's procurement or IT department place with Microsoft.

+> [!IMPORTANT]

+> Starting on April 1, 2023, we will stop accepting checks as a payment method for subscriptions paid by invoice. Beginning on that date, pay by check will no longer be available as a payment option, and check payment instructions will be removed from invoices. You can still pay for your invoice by electronic funds transfer (EFT). See your invoice for EFT payment information. If you're an existing customer who currently pays by check, you have until September 30, 2023 to change to paying by EFT, and avoid possible service disruption.

+You must be a billing account owner or billing account contributor to successfully sign an agreement or buy products and services. If you're a Global admin but don't have one of those roles, you can assign the roles to yourself. If you're not a Global admin, ask your Global admin, or billing account owner to assign one of the roles to you.

+Compliance Manager can indicate which assessments may be most relevant to your organization. When you provide basic information about your organization's industry and locations, we'll recommend which templates to use from our library of over 300 templates. Choose among the recommended templates for quick setup of multiple assessments all at once.

+1. From your **Assessments** page, select **Add assessment** to begin the assessment creation wizard.

+ - **Product**: Select the product you want your assessment to apply to. If you're using a Microsoft template, such as one designed for Microsoft 365, this field will be populated for you to indicate the appropriate product and can't be changed. If you're using a universal template, select whether you're creating this assessment for a new product or a custom product you have already defined in Compliance Manager. If you choose a new product, enter its name. You can't select a pre-defined Microsoft product when using a universal template.

+External users who need access for auditing or other purposes can also be assigned a role for viewing assessments and editing test data. You'll provide access to external individual by assigning them an Azure Active Directory (AD) role. Learn more about [assigning Azure AD roles](compliance-manager-setup.md#setting-permissions-in-azure-ad).

+> [!NOTE]

+> Admins whose permissions for Compliance Manager were set in Azure AD won't appear on the **Manage user access** flyout pane. This means that if a user has access to one or more assessments, and their role is Global Administrator, Compliance Administrator, Compliance Data Administrator, or Security Administrator, they won't appear on this pane. Learn more about [setting Compliance Manager permissions and roles](compliance-manager-setup.md#set-user-permissions-and-assign-roles).

+description: "Set up user permissions and roles, and set up automated testing, for Microsoft Purview Compliance Manager."

+The person holding the global admin role for your organization can set user permissions for Compliance Manager. Permissions can be set in either of the following places:

+- The Microsoft Purview compliance portal ([instructions](#setting-permissions-in-the-microsoft-purview-compliance-portal))

+- Azure Active Directory (Azure AD) ([instructions](#setting-permissions-in-azure-ad))

+#### Setting permissions in the Microsoft Purview compliance portal

+#### Setting permissions in Azure AD

+To set permissions and assign roles in Azure AD, see [Assign administrator and non-administrator roles to users with Azure Active Directory](/azure/active-directory/fundamentals/active-directory-users-assign-role-azure-portal).

+You can assign roles to users in order to grant access to specific assessments. Granting access to individual assessments is useful when you need to ensure that only the people working on certain regulatory requirements have access to that data. You can grant access to individual assessments to users outside of your organization, which helps when you have external auditors. For users outside your organization, you'll need to assign them an Azure AD role. For instructions, see [More about Azure AD](#setting-permissions-in-azure-ad).

+To grant users access to an assessment, open the assessment's details page and select **Manage users access** to add users by role. If a user has a role assigned to them in the Microsoft Purview compliance portal for overall access to Compliance Manager, any role you assign them for a specific assessment will apply only to that assessment.

+**More information**:

+- See [Grant user access to assessments](compliance-manager-assessments.md#grant-user-access-to-individual-assessments) for more detailed information and instructions.

+- Learn more about [managing all users' access to assessments](#user-access) in Compliance Manager settings.

+The **User access** section of **Settings** displays a list of all users who have a role that allows access to one or more assessments. From this page, you can make changes to assessment-based role assignments. To add or remove such roles for users, follow the steps below:

+1. Select the checkbox next to the name of one or more users whose role you want to edit.

+1. From the **Edit assessment roles** dropdown menu above the list of names, select **Add assessment permissions** or **Remove assessment permissions**.

+1. **For adding a role**: From the flyout pane, go to the tab that corresponds to the role you want to add (Reader, Assessor, or Contributor), then select **Add assessments**. On the next flyout pane, choose the checkbox next to the assessments and select **Apply**, then select **Save**.

+1. **For removing a role**: From the flyout pane, go to the tab that corresponds to the role you want to remove (Reader, Assessor, or Contributor). Select the button next to the assessments for which you want to remove access, and select the X mark in the **Remove** column.

+ 1. A **Remove access?** confirmation box appears. Select **Confirm** to remove the user's role, or select **Cancel** to cancel. The name of the assessments will now be removed from the role tab.

+ 1. Select **Save** on the flyout pane. The role removal won't be completed until you select the **Save** button. Selecting **Close** will cancel out of the process without saving the role removal.

+> [!NOTE]

+> Admins whose permissions for Compliance Manager were set in Azure AD won't appear on the **User access** page. This means that if a user has access to one or more assessments, and their role is Global Administrator, Compliance Administrator, Compliance Data Administrator, or Security Administrator, they won't appear on this page. Learn more about [setting Compliance Manager permissions in Azure AD](#setting-permissions-in-azure-ad).

+**More information**:

+- [Visit these instructions](compliance-manager-assessments.md#grant-user-access-to-individual-assessments) for assigning user roles from an assessment's details page.

+ Title: "Get started with the Microsoft Purview Chrome Extension"

+# Get started with Microsoft Purview Chrome Extension

+Use these procedures to roll out the Microsoft Purview Chrome Extension.

+To use Microsoft Purview Chrome Extension, the device must be onboarded into endpoint DLP. Review these articles if you are new to DLP or endpoint DLP

+- [Learn about Microsoft Purview Chrome Extension](dlp-chrome-learn-about.md)

+- [Onboarding tools and methods for Windows 10/11 devices](device-onboarding-overview.md)

+Here's a list of applicable role groups. To learn more about them, see [Permissions in the Microsoft Purview compliance portal](microsoft-365-compliance-center-permissions.md).

+If you are rolling out the extension to all your monitored Windows 10/11 devices, you should remove Google Chrome from the unallowed app and unallowed browser lists. For more information, see [Unallowed browsers](dlp-configure-endpoint-settings.md#unallowed-browsers). If you are only rolling it out to a few devices, you can leave Chrome on the unallowed browser or unallowed app lists. The extension will bypass the restrictions of both lists for those computers where it is installed.

+ Title: "Learn about the Microsoft Purview Chrome Extension"

+# Learn about the Microsoft Purview Chrome Extension

+[Endpoint data loss prevention (endpoint DLP)](endpoint-dlp-learn-about.md) extends the activity monitoring and protection capabilities of [Microsoft Purview data loss prevention (DLP)](dlp-learn-about-dlp.md) to sensitive items that are on Windows 10/11 devices. Once devices are onboarded into the Microsoft Purview solutions, the information about what users are doing with sensitive items is made visible in [activity explorer](data-classification-activity-explorer.md) and you can enforce protective actions on those items via [DLP policies](create-test-tune-dlp-policy.md).

+Once the Microsoft Purview Chrome Extension is installed on a Windows 10/11 device, organizations can monitor when a user attempts to access or upload a sensitive item to a cloud service using Google Chrome and enforce protective actions via DLP.

+The extension enables you to audit and manage the following types of activities users take on sensitive items on devices running Windows 10/11.

+2. [Onboarding tools and methods for Windows 10/11 devices](device-onboarding-overview.md)

+3. [Install the extension for Chrome on your Windows 10/11 devices](dlp-chrome-get-started.md)

+4. [Create or edit DLP policies](create-test-tune-dlp-policy.md) that restrict upload to cloud service, or access by unallowed browsers actions and apply them to your Windows 10/11 devices

+See [Get started with the Microsoft Purview Chrome Extension](dlp-chrome-get-started.md) for complete deployment procedures and scenarios.

+- [Get started with Microsoft Purview Chrome Extension](dlp-chrome-get-started.md)

+> The **Service domains** setting only applies to files uploaded using Microsoft Edge or Google Chrome with the [Microsoft Purview Chrome Extension](dlp-chrome-learn-about.md) installed.

+ Title: "Get started with the Microsoft Purview Firefox Extension"

+f1.keywords:

+- CSH

+audience: ITPro

+f1_keywords:

+- 'ms.o365.cc.DLPLandingPage'

+ms.localizationpriority: high

+- tier2

+- purview-compliance

+- m365solution-mip

+- m365initiative-compliance

+search.appverid:

+- MET150

+description: "Prepare for and deploy the Microsoft Purview Firefox Extension."

+# Get started with Microsoft Purview Firefox Extension (preview)

+Use these procedures to roll out the Microsoft Purview Firefox Extension.

+## Before you begin

+To use Microsoft Purview Extension, the device must be onboarded into endpoint DLP. Review these articles if you are new to DLP or endpoint DLP

+- [Learn about Microsoft Purview Firefox Extension](dlp-firefox-extension-learn.md)

+- [Learn about Microsoft Purview Data Loss Prevention](dlp-learn-about-dlp.md)

+- [Create, test, and tune a DLP policy](create-test-tune-dlp-policy.md)

+- [Create a DLP policy from a template](create-a-dlp-policy-from-a-template.md)

+- [Learn about endpoint data loss prevention](endpoint-dlp-learn-about.md)

+- [Get started with Endpoint data loss prevention](endpoint-dlp-getting-started.md)

+- [Onboarding tools and methods for Windows 10 devices](device-onboarding-overview.md)

+- [Configure device proxy and internet connection settings for Information Protection](device-onboarding-configure-proxy.md#configure-device-proxy-and-internet-connection-settings-for-information-protection)

+- [Using Endpoint data loss prevention](endpoint-dlp-using.md)

+### SKU/subscriptions licensing

+Before you get started, you should confirm your [Microsoft 365 subscription](https://www.microsoft.com/microsoft-365/compare-microsoft-365-enterprise-plans?rtc=1) and any add-ons. To access and use Endpoint DLP functionality, you must have one of these subscriptions or add-ons.

+- Microsoft 365 E5

+- Microsoft 365 A5 (EDU)

+- Microsoft 365 E5 compliance

+- Microsoft 365 A5 compliance

+- Microsoft 365 E5 information protection and governance

+- Microsoft 365 A5 information protection and governance

+For detailed licensing guidance, see [Microsoft 365 licensing guidance for security & compliance](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance#information-protection).

+- Your org must be licensed for Endpoint DLP

+- Your devices must be running Windows 10 x64 build 1809 or later.

+- The device must have Antimalware Client Version is 4.18.2202.x or later. Check your current version by opening **Windows Security** app, select the **Settings** icon, and then select **About**.

+### Permissions

+Data from Endpoint DLP can be viewed in [Activity explorer](data-classification-activity-explorer.md). There are seven roles that grant permission to activity explorer, the account you use for accessing the data must be a member of any one of them.

+- Global admin

+- Compliance admin

+- Security admin

+- Compliance data admin

+- Global reader

+- Security reader

+- Reports reader

+#### Roles and Role Groups

+There are roles and role groups that you can use to fine tune your access controls.

+Here's a list of applicable roles. To learn more about them, see [Permissions in the Microsoft Purview compliance portal](microsoft-365-compliance-center-permissions.md).

+- Information Protection Admin

+- Information Protection Analyst

+- Information Protection Investigator

+- Information Protection Reader

+Here's a list of applicable role groups. To learn more about the, see [Permissions in the Microsoft Purview compliance portal](microsoft-365-compliance-center-permissions.md).

+- Information Protection

+- Information Protection Admins

+- Information Protection Analysts

+- Information Protection Investigators

+- Information Protection Readers

+### Overall installation workflow

+Deploying the extension is a multi-phase process. You can choose to install on one machine at a time, or use Microsoft Endpoint Manager or Group Policy for organization-wide deployments.

+1. [Prepare your devices](#prepare-your-devices).

+2. [Basic Setup Single Machine Selfhost](#basic-setup-single-machine-selfhost)

+3. [Deploy using Microsoft Endpoint Manager](#deploy-using-microsoft-endpoint-manager)

+4. [Deploy using Group Policy](#deploy-using-group-policy)

+5. [Test the extension](#test-the-extension)

+6. [Use the Alerts Management Dashboard to view Firefox DLP alerts](#use-the-alerts-management-dashboard-to-view-firefox-dlp-alerts)

+7. [Viewing Firefox DLP data in activity explorer](#viewing-firefox-dlp-data-in-activity-explorer)

+### Prepare infrastructure

+If you are rolling out the extension to all your monitored Windows 10 devices, you should remove Mozilla Firefox from the unallowed app and unallowed browser lists. For more information, see [Unallowed browsers](dlp-configure-endpoint-settings.md#unallowed-browsers). If you are only rolling it out to a few devices, you can leave Firefox on the unallowed browser or unallowed app lists. The extension will bypass the restrictions of both lists for those computers where it is installed.

+### Prepare your devices

+1. Use the procedures in these topics to onboard your devices:

+ 1. [Get started with Endpoint data loss prevention](endpoint-dlp-getting-started.md)

+ 1. [Onboarding Windows 10 and Windows 11 devices](device-onboarding-overview.md)

+ 1. [Configure device proxy and internet connection settings for Information Protection](device-onboarding-configure-proxy.md#configure-device-proxy-and-internet-connection-settings-for-information-protection)

+### Basic Setup Single Machine Selfhost

+This is the recommended method.

+1. Download the initial [XPI file](https://firefoxdlp.blob.core.windows.net/packages-prod/prod-1.1.0.210.xpi).

+2. Locate the extension in your file explorer and drag the file into an open Mozilla Firefox window.

+3. Confirm the installation.

+### Deploy using Microsoft Endpoint Manager

+Use this setup method for organization-wide deployments.

+#### Microsoft Endpoint Manager Force Install Steps

+Before adding the extension to the list of force-installed extensions, it is important to ingest the Firefox ADMX. Steps for this process in Microsoft Endpoint Manager are documented below. Before beginning these steps, please ensure you have downloaded the latest Firefox ADMX from the [Firefox GitHub](https://github.com/mozilla/policy-templates/releases).

+After ingesting the ADMX, the steps below can be followed to create a configuration profile for this extension.

+1. Sign in to the Microsoft Endpoint Manager Admin Center (https://endpoint.microsoft.com).

+2. Navigate to Configuration Profiles.

+3. Select **Create Profile**.

+4. Select **Windows 10** as the platform.

+5. Select **Custom** as profile type.

+6. Select the **Settings** tab.

+7. Select **Add**.

+8. Enter the following policy information.

+ OMA-URI: `./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox~Extensions/ExtensionSettings`<br/>

+ Data type: `String`<br/>

+ Value: `<enabled/><data id="ExtensionSettings" value='{

+ "microsoft.defender.browser_extension.native_message_host@microsoft.com": {

+ "installation_mode": "force_installed",

+ "install_url": ΓÇ£https://firefoxdlp.blob.core.windows.net/packages-prod/prod-1.1.0.210.xpiΓÇ¥,

+ ΓÇ£updates_disabledΓÇ¥: false

+ }

+ }'/> `

+9. Note: It is critical that updates_disabled is set to false so that the extension can automatically update over time.

+10. Click create.

+### Deploy using Group Policy

+If you don't want to use Microsoft Endpoint Manager, you can use group policies to deploy the extension across your organization.

+#### Adding the Chrome Extension to the ForceInstall List

+1. In the Group Policy Management Editor, navigate to your OU.

+2. Expand the following path **Computer/User configuration** > **Policies** > **Administrative templates** > **Classic administrative templates** > **Firefox** > **Extensions**. This path may vary depending on your configuration.

+3. Select **Extensions to install**.

+4. Right click and select **Edit**.

+5. Select **Enabled**.

+6. Select **Show**.

+7. Under **Value**, add the following entry: `https://firefoxdlp.blob.core.windows.net/packages-prod/prod-1.1.0.210.xpi`

+8. Select **OK** and then **Apply**.

+### Test the Extension

+#### Upload to cloud service, or access by unallowed browsers Cloud Egress

+1. Create or get a sensitive item and, try to upload a file to one of your organizationΓÇÖs restricted service domains. The sensitive data must match one of our built-in [Sensitive Info Types](sensitive-information-type-entity-definitions.md), or one of your organizationΓÇÖs sensitive information types. You should get a DLP toast notification on the device you are testing from that shows that this action is not allowed when the file is open.

+#### Testing other DLP scenarios in Firefox

+Now that youΓÇÖve removed Firefox from the disallowed browsers/apps list, you can test the scenarios below to confirm the behavior meets your organizationΓÇÖs requirements:

+- Copy data from a sensitive item to another document using the Clipboard

+ - To test, open a file that is protected against copy to clipboard actions in the Firefox browser and attempt to copy data from the file.

+ - Expected Result: A DLP toast notification showing that this action is not allowed when the file is open.

+- Print a document

+ - To test, open a file that is protected against print actions in the Firefox browser and attempt to print the file.

+ - Expected Result: A DLP toast notification showing that this action is not allowed when the file is open.

+- Copy to USB Removeable Media

+ - To test, try to save the file to a removeable media storage.

+ - Expected Result: A DLP toast notification showing that this action is not allowed when the file is open.

+- Copy to Network Share

+ - To test, try to save the file to a network share.

+ - Expected Result: A DLP toast notification showing that this action is not allowed when the file is open.

+### Use the Alerts Management Dashboard to view Firefox DLP alerts

+1. Open the **Data loss prevention** page in the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077149" target="_blank">Microsoft Purview compliance portal</a> and select **Alerts**.

+2. Refer to the procedures in [How to configure and view alerts for your DLP policies](dlp-configure-view-alerts-policies.md) to view alerts for your Endpoint DLP policies.

+### Viewing Firefox DLP data in activity explorer

+1. Open the [Data classification page](https://compliance.microsoft.com/dataclassification?viewid=overview) for your domain in the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077149" target="_blank">Microsoft Purview compliance portal</a> and choose **Activity explorer**.

+2. Refer to the procedures in [Get started with Activity explorer](data-classification-activity-explorer.md) to access and filter all the data for your Endpoint devices.

+ > [!div class="mx-imgBorder"]

+ > 

+### Known Issues and Limitations

+1. Incognito mode is not supported and must be disabled.

+## Next steps

+Now that you have onboarded devices and can view the activity data in Activity explorer, you are ready to move on to your next step where you create DLP policies that protect your sensitive items.

+- [Using Endpoint data loss prevention](endpoint-dlp-using.md)

+## See also

+- [Learn about Endpoint data loss prevention](endpoint-dlp-learn-about.md)

+- [Using Endpoint data loss prevention](endpoint-dlp-using.md)

+- [Learn about data loss prevention](dlp-learn-about-dlp.md)

+- [Create, test, and tune a DLP policy](create-test-tune-dlp-policy.md)

+- [Get started with Activity explorer](data-classification-activity-explorer.md)

+- [Microsoft Defender for Endpoint](/windows/security/threat-protection/)

+- [Onboarding tools and methods for Windows 10 machines](/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints)

+- [Microsoft 365 subscription](https://www.microsoft.com/microsoft-365/compare-microsoft-365-enterprise-plans?rtc=1)

+- [Azure AD joined devices](/azure/active-directory/devices/concept-azure-ad-join)

+- [Download the new Microsoft Edge based on Chromium](https://support.microsoft.com/help/4501095/download-the-new-microsoft-edge-based-on-chromium)

+ Title: "Learn about the Microsoft Purview Firefox Extension"

+f1.keywords:

+- CSH

+audience: ITPro

+f1_keywords:

+- 'ms.o365.cc.DLPLandingPage'

+ms.localizationpriority: high

+- tier2

+- purview-compliance

+- m365solution-mip

+- m365initiative-compliance

+search.appverid:

+- MET150

+description: "The Microsoft Purview Firefox Extension extends monitoring and control of file activities and protective actions to the Firefox browser"

+# Learn about the Microsoft Purview Firefox Extension (preview)

+[Endpoint data loss prevention (endpoint DLP)](endpoint-dlp-learn-about.md) extends the activity monitoring and protection capabilities of [Microsoft Purview data loss prevention (DLP)](dlp-learn-about-dlp.md) to sensitive items that are on Windows 10 devices. Once devices are onboarded into the Microsoft Purview solutions, the information about what users are doing with sensitive items is made visible in [activity explorer](data-classification-activity-explorer.md) and you can enforce protective actions on those items via [DLP policies](create-test-tune-dlp-policy.md).

+Once the Firefox extension is installed on a Windows 10 device, organizations can monitor when a user attempts to access or upload a sensitive item to a cloud service using Mozilla Firefox and enforce protective actions via DLP.

+## Activities you can monitor and take action on

+The extension enables you to audit and manage the following types of activities users take on sensitive items on devices running Mozilla Firefox in Windows 10.

+activity |description | supported policy actions|

+||||

+|file copied to cloud | Detects when a user attempts to upload a sensitive item to a restricted service domain through the Firefox browser |audit, block with override, block|

+|file printed |Detects when a user attempts to print a sensitive item that is open in the Firefox browser to a local or network printer |audit, block with override, block|

+|file copied to clipboard |Detects when a user attempts to copy information from a sensitive item that is being viewed in the Firefox browser and then paste it into another app, process, or item. |audit, block with override, block|

+|file copied to removable storage | Detects when a user attempts to copy a sensitive item or information from a sensitive item that is open in the Firefox browser to removable media or USB device |audit, block with override, block|

+|file copied to network share |Detects when a user attempts to copy a sensitive item or information from a sensitive item that is open in the Firefox browser to a network share or mapped network drive.|audit, block with override, block |

+## Deployment process

+1. [Get started with endpoint data loss prevention](endpoint-dlp-getting-started.md)

+2. [Onboarding tools and methods for Windows 10 devices](device-onboarding-overview.md)

+3. [Install the Firefox extension on your Windows 10 devices](dlp-firefox-extension-get-started.md)

+4. [Create or edit DLP policies](create-test-tune-dlp-policy.md) that restrict upload to cloud service, or access by unallowed browsers actions and apply them to your Windows 10 devices

+## Next steps

+See [Get started with the Microsoft Purview Firefox Extension](dlp-firefox-extension-get-started.md) for complete deployment procedures and scenarios.

+## See also

+- [Get started with Microsoft Purview Firefox Extension](dlp-firefox-extension-get-started.md)

+- [Learn about Endpoint data loss prevention](endpoint-dlp-learn-about.md)

+- [Getting started with Endpoint data loss prevention](endpoint-dlp-getting-started.md)

+- [Using Endpoint data loss prevention](endpoint-dlp-using.md)

+- [Learn about data loss prevention](dlp-learn-about-dlp.md)

+- [Create, test, and tune a DLP policy](create-test-tune-dlp-policy.md)

+- [Get started with Activity explorer](data-classification-activity-explorer.md)

+- [Microsoft Defender for Endpoint](/windows/security/threat-protection/)

+- [Insider risk management](insider-risk-management.md)

+You must have PowerShell v7.2.6 or higher installed on the host machine. [Download Powershell-7.2.6-win-x64.msi core on your machine](https://github.com/PowerShell/PowerShell/releases/download/v7.2.6/PowerShell-7.2.6-win-x64.msi).

+You must have .NET desktop runtime v6.0.13 or higher installed on the host machine. [Download .NET 6.0 Desktop Runtime (v6.0.13) - Windows x64 Installer (microsoft.com)](https://dotnet.microsoft.com/download/dotnet/thank-you/runtime-desktop-6.0.13-windows-x64-installer?cid=getdotnetcore).

+1. Download and launch the **[migration assistant](https://aka.ms/DLPMigrationAssistant)** file.

+Now that you have installed Microsoft Purview Data Loss Prevention migration assistant for Symantec (preview), you're ready to move on to your next step where you use the migration assistant.

+description: "The migration assistant is a Windows based desktop application that will migrate your DLP policies from other DLP platforms to Microsoft DLP platform."

+The migration assistant is a Windows-based desktop application that will migrate your Symantec data loss prevention (DLP) policies to Microsoft Purview Data Loss Prevention. This takes you through the five-step migration process. It accepts Symantec DLP policy XML exports, performs mapping, and creates equivalent DLP policies through PowerShell scripts. You can use the migration assistant to create DLP policies in test mode. Policies in test mode won't impact your live data or impact your existing business processes.

+ Title: "Test your DLP policies"

+f1.keywords:

+- NOCSH

+audience: Admin

+ms.localizationpriority: medium

+- M365-security-compliance

+search.appverid:

+- MOE150

+- MET150

+description: "Learn how to use the Test-DlpPolicies cmdlet on items in SharePoint Online and OneDrive for Business to see which DLP policies are matched"

+# Test your Data Loss Prevention policies (preview)

+

+You should test and tune the behavior of your Microsoft Purview Data Loss Prevention (DLP) policies as part of your DLP policy deployment. This article introduces you to some of the basic methods you can use to test policies in your DLP environment.

+## Test mode

+When you deploy a new policy, [you should run it in test mode,](dlp-overview-plan-for-dlp.md#policy-deployment) and then use the [view the reports for](view-the-dlp-reports.md) and any [alerts](dlp-alerts-dashboard-learn.md) to assess the impact. Test mode allows you to see the impact of an individual policy on all the items that are in the policies scope. You use it to find out what items match a policy.

+## Test-DlpPolicies (preview)

+**Test-DlpPolicies** is a cmdlet that allows you to see what SharePoint Online and OneDrive for Business scoped DLP policies match/don't match an individual item in SharePoint Online or OneDrive for Business.

+### Before you begin

+- You must be able to connect to [Connect to Security & Compliance PowerShell](/powershell/exchange/exchange-online-powershell).

+- You must have a valid smtp address to send the report to. For example: `dlp_admin@contoso.com`

+- You must get the site ID where the item is located.

+- You must have the direct link path to the item.

+> [!IMPORTANT]

+>

+> - Test-DlpPolicies only works for items that are in SharePoint Online (SPO) or OneDrive for Business (ODB).

+> - It will only report results for policies that include SharePoint Online alone, OneDrive alone or SharePoint and OneDrive in their scope.

+> - Test-DlpPolices works only with simple conditions. It doesn't work with complex, grouped, or nested conditions.

+### Use Test-DlpPolices

+To see which DLP policies an item will match, follow these steps:

+#### Get the direct link path to the item

+1. Open the SharePoint or OneDrive folder in a browser.

+1. Select the files ellipsis and select **details**.

+1. In the details pane, scroll down and select **Path** (Copy direct link). Save it.

+For example:

+`https://contoso.sharepoint.com/personal/user_contoso_com/Documents/test.docx`

+#### Get the site ID

+1. [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell).

+1. For SharePoint use the following syntax to get the site id and save it.

+```powershell

+$reportAddress = "email@report.com" $siteName = "SITENAME@TENANT.onmicrosoft.com" $filePath = "https://Contoso.sharepoint.com/sites/SOMESITENAME/Shared%20Documents/TESTFILE.pptx" $r = Get-Mailbox -Identity $siteName -GroupMailbox $e = $r.EmailAddresses | Where-Object {$_ -like '*SPO*'} Test-DlpPolicies -SiteId $e.Substring(8,36) -FileUrl $filePath -Workload SPO -SendReportTo $reportAddress

+```

+3. For OneDrive use the following syntax to get the site id and save it.

+```powershell

+$reportAddress = "email@report.com" $odbUser = "USER@TENANT.onmicrosoft.com" $filePath = "https://contoso-my.sharepoint.com/personal/userid_contoso_onmicrosoft_com/Documents/TESTFILE.docx" $r = Get-Mailbox -Identity $odbUser $e = $r.EmailAddresses | Where-Object {$_ -like '*SPO*'} Test-DlpPolicies -SiteId $e.Substring(8,36) -FileUrl $filePath -Workload ODB -SendReportTo $reportAddress

+```

+Here's an example of a returned value:

+`36ca70ab-6f38-7f3c-515f-a71e59ca6276`

+#### Run Test-DlpPolicies

+1. Run this syntax in the PowerShell window

+

+```powershell

+Test-DlpPolicies -workload <workload> -Fileurl <path/direct link> -SendReportTo <smtpaddress>

+```

+For example:

+`Test-DlpPolicies -workload <ODB> -Fileurl <https://contoso.sharepoint.com/personal/user_contoso_com/Documents/test.docx> -SendReportTo <dlp_admin@contoso.com>`

+For detailed syntax and parameter information, see [Test-DlpPolicies](/powershell/module/exchange/test-dlppolicies).

+### Interpret the report

+The report is sent to the smtp address you passed the Test-DlpPolicies PowerShell command. There are multiple fields, here are explanations of the most important ones.

+|Field name |Means |

+|||

+|Classification ID |The sensitive information type (SIT) the item is categorized as |

+|Confidence |The [confidence level](/sensitive-information-type-learn-about.md#more-on-confidence-levels) of the SIT |

+|Count |The total number of times the SIT value was found in the item, this includes duplicates |

+|Unique Count |The number SIT values found in the item with duplicates eliminated |

+|Policy Details |The name and GUID of the policy that was evaluated |

+|Rules - Rule Details |The DLP rule name and GUID |

+|Rules - Predicates - Name |The condition defined in the DLP rule |

+|Rules - Predicates - IsMatch | Whether the item matched the conditions |

+|Predicates - Past Actions |Any actions, like notify user, block, block with override that 's been taken on the item |

+|Predicates - Rule's Actions |The action defined in the DLP rule |

+|Predicates - IsMatched | Whether the item matched the rule |

+|IsMatched |Whether the item matched the overall policy |

+ To check the minimum versions of Outlook apps that use built-in labeling to support applying the Encrypt-Only option with a sensitivity label, use the [capabilities table for Outlook](sensitivity-labels-versions.md#sensitivity-label-capabilities-in-outlook) and the row **Let users assign permissions: - Encrypt-Only**.

+ To check which apps that use built-in labeling support this option, use the [capabilities table for Word, Excel, and PowerPoint](sensitivity-labels-versions.md#sensitivity-label-capabilities-in-word-excel-and-powerpoint) and the rows for **Let users assign permissions**.

+- **Current Channel** and **Monthly Enterprise Channel**: Not before version 2302+ (not yet released)

+ - This option is currently rolling out in preview. For more information, see [Specify a default sublabel for a parent label](sensitivity-labels-office-apps.md#specify-a-default-sublabel-for-a-parent-label)

+Use the tables in [Minimum versions for sensitivity labels in Office apps](sensitivity-labels-versions.md) to identify the minimum Office version that introduced specific capabilities for sensitivity labels built in to Office apps. Or, if the label capability is in public preview or under review for a future release.

+In addition to listing the minimum versions for Windows, macOS, iOS, and Android, the tables also include whether the capability is supported for Office on the web:

+- [Capabilities table for Word, Excel, and PowerPoint](sensitivity-labels-versions.md#sensitivity-label-capabilities-in-word-excel-and-powerpoint)

+- [Capabilities table for Outlook](sensitivity-labels-versions.md#sensitivity-label-capabilities-in-outlook)

+> The Azure Information Protection unified labeling client supports dynamic markings. For labeling built in to Office, see the tables in [Minimum versions for sensitivity labels in Office apps](sensitivity-labels-versions.md).

+> The [Azure Information Protection unified labeling client](/azure/information-protection/rms-client/install-unifiedlabelingclient-app) supports this configuration that's also known as mandatory labeling. For labeling built in to Office apps, see the tables in [Minimum versions for sensitivity labels in Office apps](sensitivity-labels-versions.md).

+> Now rolling out: Office apps that use built-in labeling and support a default label for existing documents. For details, see the [capabilities table](sensitivity-labels-versions.md#sensitivity-label-capabilities-in-word-excel-and-powerpoint) for Word, Excel, and PowerPoint.

+For built-in labeling, identify the minimum versions of Outlook that support these features by using the [capabilities table for Outlook](sensitivity-labels-versions.md#sensitivity-label-capabilities-in-outlook) and the row **Different settings for default label and mandatory labeling**. All versions of the Azure Information Protection unified labeling client support these Outlook-specific options.

+> This capability is available for built-in labeling for Windows, Mac, iOS, and Android, but it's not yet available for Outlook on the web. Identify the minimum versions of Outlook that support this feature by using the [capabilities table for Outlook](sensitivity-labels-versions.md#sensitivity-label-capabilities-in-outlook) and the row **Apply S/MIME protection**.

+For built-in labeling, use the tables in [Minimum versions for sensitivity labels in Office apps](sensitivity-labels-versions.md). The Azure Information Protection unified labeling client doesn't support PDF in Office apps.

+Newly supported in preview for built-in labels in Word, Excel, and PowerPoint, but not yet for Outlook or Office for the web, see the tables in [Minimum versions for sensitivity labels in Office apps](sensitivity-labels-versions.md) to identify which Office versions support this feature.

+> The Azure Information Protection unified labeling client supports label colors. For labeling built in to Office, label colors are currently supported in preview for Word, Excel, and PowerPoint on Windows, but not yet for Outlook, macOS, or Office for the web. For more information, see the tables in [Minimum versions for sensitivity labels in Office apps](sensitivity-labels-versions.md).

+## Specify a default sublabel for a parent label

+> [!NOTE]

+> For built-in labeling, identify the minimum versions that support this setting by using the [capabilities tables](sensitivity-labels-versions.md) and the row **Default sublabel for parent label**. All versions of the Azure Information Protection unified labeling client support this setting.

+This configuration is not available in the Microsoft Purview compliance portal. You must use the PowerShell advanced setting *DefaultSubLabelId* with the [Set-Label](/powershell/module/exchange/set-label) or [New-Label](/powershell/module/exchange/new-label) cmd after you've [connected to Security & Compliance PowerShell](/powershell/exchange/office-365-scc/connect-to-scc-powershell/connect-to-scc-powershell).

+When you add a sublabel to a label, users can no longer apply the parent label to a document or email. By default, users select the parent label to see the sublabels that they can apply, and then select one of those sublabels. If you specify a default sublabel for a parent label, when users select the parent label, a sublabel is automatically selected and applied for them.

+Example PowerShell command, where the parent sensitivity label GUID is **8faca7b8-8d20-48a3-8ea2-0f96310a848e** and its sublabel that you want to specify as the default is **1ace2cc3-14bc-4142-9125-bf946a70542c**:

+```PowerShell

+Set-Label -Identity "8faca7b8-8d20-48a3-8ea2-0f96310a848e" -AdvancedSettings @{DefaultSubLabelId="1ace2cc3-14bc-4142-9125-bf946a70542c"}

+```

+For more help in specifying PowerShell advanced settings, see [PowerShell tips for specifying the advanced settings](create-sensitivity-labels.md#powershell-tips-for-specifying-the-advanced-settings).

+ Title: "Minimum versions for sensitivity labels in Microsoft 365 Apps"

+f1.keywords:

+- NOCSH

+audience: Admin

+ms.localizationpriority: high

+- purview-compliance

+- tier3

+search.appverid:

+- MOE150

+- MET150

+description: Identify the minimum versions of Office apps that support specific capabilities for sensitivity labels from Microsoft Purview Information Protection.

+# Minimum versions for sensitivity labels in Office apps

+>*[Microsoft 365 licensing guidance for security & compliance](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance).*

+The capabilities tables on this page supplement [Manage sensitivity labels in Office apps](sensitivity-labels-office-apps.md) by listing the minimum Office version that introduced specific capabilities for sensitivity labels built in to Office apps. Or, if the label capability is in public preview or under review for a future release.

+New versions of Office apps are made available at different times for different update channels. For Windows, you'll get the new capabilities earlier when you are on the Current Channel or Monthly Enterprise Channel, rather than Semi-Annual Enterprise Channel. The minimum version numbers can also be different from one update channel to the next. For more information, see [Overview of update channels for Microsoft 365 Apps](/deployoffice/overview-update-channels) and [Update history for Microsoft 365 Apps](/officeupdates/update-history-microsoft365-apps-by-date).

+New capabilities that are in private preview are not included in the tables but you might be able to join these previews by nominating your organization for the [Microsoft Information Protection private preview program](https://aka.ms/mip-preview).

+> [!TIP]

+> When you compare the minimum versions in the tables with the versions you have, remember the common practice of release versions to omit leading zeros.

+>

+> For example, you have version 4.2128.0 and read that 4.7.1+ is the minimum version. For easier comparison, read 4.7.1 (no leading zeros) as 4.**0007**.1 (and not 4.**7000**.1). Your version of 4.2128.0 is higher than 4.0007.1, so your version is supported.

+## Sensitivity label capabilities in Word, Excel, and PowerPoint

+The numbers listed are the minimum Office application versions required for each capability.

+> [!NOTE]

+> For Windows and the Semi-Annual Enterprise Channel, the minimum supported version numbers might not yet be released. [Learn more](/officeupdates/update-history-microsoft365-apps-by-date#supported-versions)

+

+|Capability |Windows |Mac |iOS |Android |Web |

+|--|-:|-|-|--|-|

+|[AIP add-in disabled by default](sensitivity-labels-aip.md#how-to-configure-newer-versions-of-office-to-enable-the-aip-add-in)| Preview: [Current Channel (Preview)](https://office.com/insider) | Not relevant | Not relevant | Not relevant| Not relevant |

+|[Manually apply, change, or remove label](https://support.microsoft.com/office/apply-sensitivity-labels-to-your-files-and-email-in-office-2f96e7cd-d5a4-403b-8bd7-4cc636bae0f9)| Current Channel: 1910+ <br /><br> Monthly Enterprise Channel: 1910+ <br /><br> Semi-Annual Enterprise Channel: 2002+ | 16.21+ | 2.21+ | 16.0.11231+ | [Yes - opt-in](sensitivity-labels-sharepoint-onedrive-files.md) |

+|[Multi-language support](create-sensitivity-labels.md#additional-label-settings-with-security--compliance-powershell)| Current Channel: 1910+ <br /><br> Monthly Enterprise Channel: 1910+ <br /><br> Semi-Annual Enterprise Channel: 2002+ | 16.21+ | 2.21+ | 16.0.11231+ | Under review |

+|[Apply a default label](sensitivity-labels.md#what-label-policies-can-do) to new documents | Current Channel: 1910+ <br /><br> Monthly Enterprise Channel: 1910+ <br /><br> Semi-Annual Enterprise Channel: 2002+ | 16.21+ | 2.21+ | 16.0.11231+ | [Yes - opt-in](sensitivity-labels-sharepoint-onedrive-files.md) |

+|[Apply a default label](sensitivity-labels.md#what-label-policies-can-do) to existing documents | Current Channel: 2208+ <br /><br> Monthly Enterprise Channel: 2207+ <br /><br> Semi-Annual Enterprise Channel: Under review | 16.63+ | Under review | Under review | [Yes - opt-in](sensitivity-labels-sharepoint-onedrive-files.md) |

+|[Require a justification to change a label](sensitivity-labels.md#what-label-policies-can-do) | Current Channel: 1910+ <br /><br> Monthly Enterprise Channel: 1910+ <br /><br> Semi-Annual Enterprise Channel: 2002+ | 16.21+ | 2.21+ | 16.0.11231+ | [Yes - opt-in](sensitivity-labels-sharepoint-onedrive-files.md) |

+|[Provide help link to a custom help page](sensitivity-labels.md#what-label-policies-can-do) | Current Channel: 1910+ <br /><br> Monthly Enterprise Channel: 1910+ <br /><br> Semi-Annual Enterprise Channel: 2002+ | 16.21+ | 2.21+ | 16.0.11231+ | [Yes - opt-in](sensitivity-labels-sharepoint-onedrive-files.md) |

+|[Mark the content](sensitivity-labels.md#what-sensitivity-labels-can-do) | Current Channel: 1910+ <br /><br> Monthly Enterprise Channel: 1910+ <br /><br> Semi-Annual Enterprise Channel: 2002+ | 16.21+ | 2.21+ | 16.0.11231+ | [Yes - opt-in](sensitivity-labels-sharepoint-onedrive-files.md) |

+|[Dynamic markings with variables](sensitivity-labels-office-apps.md#dynamic-markings-with-variables) | Current Channel: 2010+ <br /><br> Monthly Enterprise Channel: 2010+ <br /><br> Semi-Annual Enterprise Channel: 2102+ | 16.42+ | 2.42+ | 16.0.13328+ | [Yes - opt-in](sensitivity-labels-sharepoint-onedrive-files.md) |

+|[Assign permissions now](encryption-sensitivity-labels.md#assign-permissions-now) | Current Channel: 1910+ <br /><br> Monthly Enterprise Channel: 1910+ <br /><br> Semi-Annual Enterprise Channel: 2002+ | 16.21+ | 2.21+ | 16.0.11231+ | [Yes - opt-in](sensitivity-labels-sharepoint-onedrive-files.md) |

+|[Let users assign permissions: <br /> - Prompt users for custom permissions (users and groups)](encryption-sensitivity-labels.md#let-users-assign-permissions) |Current Channel: 2004+ <br /><br> Monthly Enterprise Channel: 2004+ <br /><br> Semi-Annual Enterprise Channel: 2008+ | 16.35+ | Under review | Under review | Under review |

+|[Let users assign permissions: <br /> - Prompt users for custom permissions (users, groups, and organizations)](encryption-sensitivity-labels.md#support-for-organization-wide-custom-permissions) |Preview: Rolling out to [Current Channel (Preview)](https://office.com/insider) | Under review | Under review | Under review | Under review |

+|[Audit label-related user activity](sensitivity-labels-office-apps.md#auditing-labeling-activities) | Current Channel: 2011+ <br /><br> Monthly Enterprise Channel: 2011+ <br /><br> Semi-Annual Enterprise Channel: 2108+ | 16.43+ | 2.46+ | 16.0.13628+ | Yes |

+|[Require users to apply a label to their email and documents](sensitivity-labels-office-apps.md#require-users-to-apply-a-label-to-their-email-and-documents) | Current Channel: 2101+ <br /><br> Monthly Enterprise Channel: 2101+ <br /><br> Semi-Annual Enterprise Channel: 2108+ | 16.45+ | 2.47+ | 16.0.13628+ | [Yes - opt-in](sensitivity-labels-sharepoint-onedrive-files.md)

+|[Apply a sensitivity label to files automatically](apply-sensitivity-label-automatically.md) <br /> - Using sensitive info types | Current Channel: 2009+ <br /><br> Monthly Enterprise Channel: 2009+ <br /><br> Semi-Annual Enterprise Channel: 2102+ | 16.44+ | Under review | Under review | [Yes - opt-in](sensitivity-labels-sharepoint-onedrive-files.md) |

+|[Apply a sensitivity label to files automatically](apply-sensitivity-label-automatically.md) <br /> - Using trainable classifiers | Current Channel: 2105+ <br /><br> Monthly Enterprise Channel: 2105+ <br /><br> Semi-Annual Enterprise Channel: 2108+ | 16.49+ | Under review | Under review | Under review |

+|[Support co-authoring and AutoSave](sensitivity-labels-coauthoring.md) for labeled and encrypted documents | Current Channel: 2107+ <br /><br> Monthly Enterprise Channel: 2107+ <br /><br> Semi-Annual Enterprise Channel: 2202+ | 16.51+ | 2.58+ | 16.0.14931+ | [Yes - opt-in](sensitivity-labels-sharepoint-onedrive-files.md) |

+|[PDF support](sensitivity-labels-office-apps.md#pdf-support)| Current Channel: 2208+ <br /><br> Monthly Enterprise Channel: 2209+ <br /><br> Semi-Annual Enterprise Channel: 2302+ | Under review | Under review | Under review | Under review |

+|[Sensitivity bar](sensitivity-labels-office-apps.md#sensitivity-bar) and [display label color](sensitivity-labels-office-apps.md#label-colors) | Preview: [Current Channel (Preview)](https://office.com/insider) | Under review | Under review | Under review | Under review |

+|[Default sublabel for parent label](sensitivity-labels-office-apps.md#specify-a-default-sublabel-for-a-parent-label)| Preview: Rolling out to [Beta Channel](https://office.com/insider) | Under review | Under review | Under review | Under review |

+## Sensitivity label capabilities in Outlook

+The numbers listed are the minimum Office application versions required for each capability.

+> [!NOTE]

+> For Windows and the Semi-Annual Enterprise Channel, the minimum supported version numbers might not yet be released. [Learn more](/officeupdates/update-history-microsoft365-apps-by-date#supported-versions)

+|Capability |Outlook for Windows |Outlook for Mac |Outlook on iOS |Outlook on Android |Outlook on the web |

+|--|-:|-||-|-|

+|[AIP add-in disabled by default](sensitivity-labels-aip.md#how-to-configure-newer-versions-of-office-to-enable-the-aip-add-in)| Preview: [Current Channel (Preview)](https://office.com/insider) | Not relevant | Not relevant | Not relevant| Not relevant |

+|Manually apply, change, or remove label <br /> - [Files and emails](https://support.microsoft.com/office/apply-sensitivity-labels-to-your-files-and-email-in-office-2f96e7cd-d5a4-403b-8bd7-4cc636bae0f9)| Current Channel: 1910+ <br /><br> Monthly Enterprise Channel: 1910+ <br /><br> Semi-Annual Enterprise Channel: 2002+ | 16.21+ | 4.7.1+ | 4.0.39+ | Yes |

+|Manually apply, change, or remove label <br /> - [Calendar items](sensitivity-labels-meetings.md)| Preview: Rolling out to [Beta Channel](https://office.com/insider) | Under review | Under review | Under review | Yes |

+|[Multi-language support](create-sensitivity-labels.md#additional-label-settings-with-security--compliance-powershell)| Current Channel: 1910+ <br /><br> Monthly Enterprise Channel: 1910+ <br /><br> Semi-Annual Enterprise Channel: 2002+ | 16.21+ | 4.7.1+ | 4.0.39+ | Yes |

+|[Apply a default label](sensitivity-labels.md#what-label-policies-can-do) | Current Channel: 1910+ <br /><br> Monthly Enterprise Channel: 1910+ <br /><br> Semi-Annual Enterprise Channel: 2002+ | 16.21+ | 4.7.1+ | 4.0.39+ | Yes |

+|[Require a justification to change a label](sensitivity-labels.md#what-label-policies-can-do) | Current Channel: 1910+ <br /><br> Monthly Enterprise Channel: 1910+ <br /><br> Semi-Annual Enterprise Channel: 2002+ | 16.21+ | 4.7.1+ | 4.0.39+ | Yes |

+|[Provide help link to a custom help page](sensitivity-labels.md#what-label-policies-can-do) | Current Channel: 1910+ <br /><br> Monthly Enterprise Channel: 1910+ <br /><br> Semi-Annual Enterprise Channel: 2002+ | 16.21+ | 4.7.1+ | 4.0.39+ | Yes |

+|[Mark the content](sensitivity-labels.md#what-sensitivity-labels-can-do) | Current Channel: 1910+ <br /><br> Monthly Enterprise Channel: 1910+ <br /><br> Semi-Annual Enterprise Channel: 2002+ | 16.21+ | 4.7.1+ | 4.0.39+ | Yes |

+|[Dynamic markings with variables](sensitivity-labels-office-apps.md#dynamic-markings-with-variables) | Current Channel: 1910+ <br /><br> Monthly Enterprise Channel: 1910+ <br /><br> Semi-Annual Enterprise Channel: 2002+ | 16.21+ | 4.7.1+ | 4.0.39+ | Yes |

+|[Assign permissions now](encryption-sensitivity-labels.md#assign-permissions-now) | Current Channel: 1910+ <br /><br> Monthly Enterprise Channel: 1910+ <br /><br> Semi-Annual Enterprise Channel: 2002+ | 16.21+ | 4.7.1+ | 4.0.39+ | Yes |

+|[Let users assign permissions: <br /> - Do Not Forward](encryption-sensitivity-labels.md#let-users-assign-permissions) | Current Channel: 1910+ <br /><br> Monthly Enterprise Channel: 1910+ <br /><br> Semi-Annual Enterprise Channel: 2002+ | 16.21+ | 4.7.1+ | 4.0.39+ | Yes |

+|[Let users assign permissions: <br /> - Encrypt-Only](encryption-sensitivity-labels.md#let-users-assign-permissions) | Current Channel: 2011+ <br /><br> Monthly Enterprise Channel: 2011+ <br /><br> Semi-Annual Enterprise Channel: 2108+ | 16.48+ ^\* | 4.2112.0+ | 4.2112.0+ | Yes |

+|[Require users to apply a label to their email and documents](sensitivity-labels-office-apps.md#require-users-to-apply-a-label-to-their-email-and-documents) | Current Channel: 2101+ <br /><br> Monthly Enterprise Channel: 2101+ <br /><br> Semi-Annual Enterprise Channel: 2108+ | 16.43+ ^\* | 4.2111+ | 4.2111+ | Yes |

+|[Audit label-related user activity](sensitivity-labels-office-apps.md#auditing-labeling-activities) | Current Channel: 2011+ <br /><br> Monthly Enterprise Channel: 2011+ <br /><br> Semi-Annual Enterprise Channel: 2108+ | 16.51+ ^\* | 4.2126+ | 4.2126+ | Yes |

+|[Apply a sensitivity label to emails automatically](apply-sensitivity-label-automatically.md) <br /> - Using sensitive info types | Current Channel: 2009+ <br /><br> Monthly Enterprise Channel: 2009+ <br /><br> Semi-Annual Enterprise Channel: 2102+ | 16.44+ ^\* | Under review | Under review | Yes |

+|[Apply a sensitivity label to emails automatically](apply-sensitivity-label-automatically.md) <br /> - Using trainable classifiers | Current Channel: 2105+ <br /><br> Monthly Enterprise Channel: 2105+ <br /><br> Semi-Annual Enterprise Channel: 2108+ | 16.49+ | Under review | Under review | Yes |

+|[Different settings for default label and mandatory labeling](sensitivity-labels-office-apps.md#outlook-specific-options-for-default-label-and-mandatory-labeling) | Current Channel: 2105+ <br /><br> Monthly Enterprise Channel: 2105+ <br /><br> Semi-Annual Enterprise Channel: 2108+ | 16.43+ ^\* | 4.2111+ | 4.2111+ | Yes |

+|[PDF support](sensitivity-labels-office-apps.md#pdf-support) | Current Channel: 2205+ <br /><br> Monthly Enterprise Channel: 2205+ <br /><br> Semi-Annual Enterprise Channel: Under review| Under review | Under review | Under review | Under review |

+|[Apply S/MIME protection](sensitivity-labels-office-apps.md#configure-a-label-to-apply-smime-protection-in-outlook) | Current Channel: 2211+ <br /><br> Monthly Enterprise Channel: 2211+ <br /><br> Semi-Annual Enterprise Channel:Under review | 16.61+ ^\* | 4.2226+ | 4.2203+ | Under review |

+|[Sensitivity bar](sensitivity-labels-office-apps.md#sensitivity-bar) and [display label color](sensitivity-labels-office-apps.md#label-colors) | Under review | Under review | Under review | Under review | Under review |

+|[Default sublabel for parent label](sensitivity-labels-office-apps.md#specify-a-default-sublabel-for-a-parent-label)| Preview: Rolling out to [Beta Channel](https://office.com/insider) | Under review | Under review | Under review | Under review |

+**Footnotes:**

+^\*

+Requires the [new Outlook for Mac](https://support.microsoft.com/office/the-new-outlook-for-mac-6283be54-e74d-434e-babb-b70cefc77439)

+## Future releases

+Use the [Microsoft 365 roadmap](https://www.microsoft.com/microsoft-365/roadmap?filters=Microsoft%20Information%20Protection&searchterms=label) for details about new labeling capabilities that are planned for future releases.

+The following example from Excel shows some sensitivity labels that have been made available to users. In this case, the **Highly Confidential** label has been applied to the spreadsheet, but users can change the label by using the **Sensitivity** button from the **Home** tab on the Ribbon.

+ > Default labeling for existing documents is newly supported for built-in labeling for Office apps. For more information about the rollout per app and minimum versions, see the [capabilities table](sensitivity-labels-versions.md#sensitivity-label-capabilities-in-word-excel-and-powerpoint) for Word, Excel, and PowerPoint.

+## January 2023

+### Sensitivity labels

+- **Rolling out in preview**: As a parity feature for the AIP add-in, built-in labeling for Windows supports the configuration of a [default sublabel for a parent label](sensitivity-labels-office-apps.md#specify-a-default-sublabel-for-a-parent-label).

+- The earliest version for the AIP add-in to be [disabled by default in Office apps](sensitivity-labels-aip.md#how-to-disable-the-aip-add-in-to-use-built-in-labeling-for-office-apps) for the Current Channel and Monthly Enterprise Channel is now version 2302. The minimum version for the Semi-Annual Channel hasn't changed.

+For additional references, see [What is Azure ExpressRoute?](/azure/expressroute/expressroute-introduction)

+Here's a short link you can use to come back: [https://aka.ms/expressrouteoffice365](https://aka.ms/expressrouteoffice365)

+ :::image type="content" alt-text="This screenshot shows the training & guides card in the Microsoft 365 admin center." source="../media/setup-guides-for-microsoft-365/adminportal-trainingandguides.png":::

+ ::image type="content" alt-text="Screenshot of the Setup guidance page in the Microsoft 365 admin center." source="../media/setup-guides-for-microsoft-365/adminportal-setupguidance.png":::

+## Troubleshoot Teams EHR connector setup and integration

+If you're experiencing issues when setting up the integration, see [Troubleshoot Teams EHR connector setup and configuration](ehr-connector-troubleshoot-setup-configuration.md) for guidance on how to resolve common setup and configuration issues.

+## Troubleshoot Teams EHR connector setup and integration

+If you're experiencing issues when setting up the integration, see [Troubleshoot Teams EHR connector setup and configuration](ehr-connector-troubleshoot-setup-configuration.md) for guidance on how to resolve common setup and configuration issues.

+ Title: Troubleshoot Microsoft Teams EHR connector setup and configuration

+audience: ITPro

+search.appverid: MET150

+searchScope:

+ - Microsoft Teams

+ - Microsoft Cloud for Healthcare

+f1.keywords:

+- NOCSH

+ms.localizationpriority: high

+ - M365-collaboration

+ - Teams_ITAdmin_Healthcare

+ - microsoftcloud-healthcare

+ - m365solution-healthcare

+ - m365solution-scenario

+ - m365-frontline

+ - highpri

+ - tier2

+appliesto:

+ - Microsoft Teams

+ - Microsoft 365 for frontline workers

+description: Use this guidance to help you troubleshoot common setup and configuration issues for the Teams Electronic Health Record (EHR) connector.

+# Troubleshoot Microsoft Teams EHR connector setup and configuration

+This article provides guidance for how to troubleshoot common setup and configuration issues for the Microsoft Teams Electronic Health Record (EHR) connector. Use it to help resolve blockers that you may experience when you set up and configure the EHR connector to integrate with your [Cerner EHR](ehr-admin-cerner.md) or [Epic EHR](ehr-admin-epic.md) system.

+## FHIR URL isn't working

+### I get an "FHIR URL isn't valid" error when I try to configure the EHR connector

+This issue can happen in the following scenarios:

+- The FHIR base URL is missing the DSTU2 extension and you're using Teams version 1.1 or 1.2.

+- The FHIR base URL is missing the R4 extension and you're using Teams version 1.3.

+Contact your Epic technical specialist to provide the full FHIR base URL.

+### I'm an Epic analyst and I get an "OAUTH2" error from Epic when I try to approve the FHIR URL.

+This issue can occur if the keys aren't set up in the Epic instance or if OAuth configuration isn't completed by Epic. Contact your Epic technical specialist.

+### I'm an Epic analyst and when I try to approve the FHIR URL in the EHR connector configuration portal, I can't sign in to Epic using my Epic credentials.

+Your permissions need to be changed in Epic. Contact your Epic technical specialist to check and update your permissions.

+## Can't launch virtual appointments

+### I've set up the EHR connector for the first time and patients are unable to launch a virtual appointment from the patient portal.

+Here are some common reasons why you may be experiencing this issue and how to resolve it.

+#### The FDI records in Epic don't match the values from the EHR connector configuration portal

+The launch URL and the context tokens must be copied from the [EHR connector configuration portal](https://ehrconnector.teams.microsoft.com/) to the FDI records in Epic. Contact the Epic analyst in your organization to verify that the values were copied correctly. Keep in mind that in some cases, manipulating the FDI records after copying them from the EHR connector configuration portal is allowed.

+#### The FDI records aren't updated in the correct Epic environment

+The FHIR base URLs for the test and production environments in Epic are different. Check to make sure that the FDI records reflect the values for the correct environment.

+#### You're using a production environment and you don't have a production license

+Your organization must have at least one active license for either Microsoft Cloud for Healthcare, Microsoft Teams EHR Connector add-on, or Microsoft Teams EMR connector add-on. For Cerner customers, a license is also required for testing.

+### Users get a "Tenant config not found" error when launching a virtual appointment even though all our FHIR base URLs are configured correctly.

+This issue can happen if a user accidentally launches the virtual appointment in the EHR production environment by using the test FHIR base URL or vice versa.

+To resolve this issue:

+- Make sure that the production FHIR base URL is used only to launch virtual appointments in the production environment.

+- Make that the test FHIR base URL is used only to launch virtual appointments in the test environment.

+## Group visits

+### Group visits aren't working in my organization.

+Currently, group visits are only supported in Epic.

+Here are some common reasons why you may be experiencing this issue when integrating with Epic, and how to resolve it.

+- You're using an incorrect version of Teams. Group visits require a minimum of Teams version 1.2 and an upgrade must be requested in Epic App Market.

+- New FDI records need to be added. Your Epic analyst will need to create new FDI records for group visits to support the provider and patient join experience. Additionally, you must change the context token in the group visit FDI records from ```sessionId=%CSN%``` to ```sessionId=%CONFERENCEID%```. Contact your Epic technical specialist for help.

+- If you're still experiencing this issue after trying the previous steps in this list, your tenant settings may need to be changed. Contact Microsoft Support to open a support ticket for the Teams EHR connector. Indicate in the ticket that group settings need to be enabled.

+## Provider experience

+### Providers donΓÇÖt get a Teams notification when patients join a virtual appointment.

+Often this can be solved by training. When a provider starts the virtual appointment, a temporary notification is displayed to the provider to admit the patient. This notification appears only briefly.

+Providers can also select **People** in the meeting controls at the top of the screen to see the list of participants, and then under **Waiting in lobby**, select the green check mark next to the participantΓÇÖs name to admit them.

+## Patient experience

+### Patients are prompted to download the Teams app instead of joining from a web browser. We want patients to join from a web browser without having to install Teams.

+Contact Microsoft Support and open a support ticket for the Teams EHR connector. Indicate in the ticket that the web browser join setting needs to be turned on. This change needs to be done by the Teams EHR connector team.

+After the web browser join setting is turned on, patients can join virtual appointments in a browser without having to install Teams.

+### Patients can send chat messages to providers in Teams after the virtual appointment ends from within the appointment. How can we block this?

+This scenario can happen because of several reasons.

+#### The provider leaves the appointment but didn't end it

+If the provider leaves the appointment but didn't end it and the patient remains in the appointment, they can both continue to chat. To prevent the patient from sending chat messages, the provider must select **End meeting** in Teams to end the appointment.

+#### The web browser join setting is turned off and the patient, who is also an employee of your organization, joins in the Teams app using their work credentials

+If the patient is an employee of your organization and they join the appointment via the Teams app using their work credentials, they're joining the appointment as a member of your organization and not as a guest. This means that they can send chat messages even after the appointment ends.

+To avoid this scenario, you can do one of the following actions:

+- Contact Microsoft Support and open a support ticket for the Teams EHR connector. Indicate in the ticket that the web browser join setting needs to be turned on. This change needs to be done by the Teams EHR connector team.

+- Train your employees to not sign in to Teams using their work credentials when they attend appointments as a patient.

+## Admin experience

+### I'm unable to access the EHR connector configuration portal or I can only see existing configurations and can't add new ones.

+You don't have admin access to the [EHR connector configuration portal](https://ehrconnector.teams.microsoft.com/). As a quick check, see whether you can access the [Teams admin center](https://admin.teams.microsoft.com/). If you can't access the Teams admin center, you don't have admin permissions.

+Contact an admin in your organization to either grant you admin access or set up the integration in the portal.

+## Virtual Desktop Infrastructure (VDI) support

+### My organization uses a Citrix environment. How do I configure it to use the EHR connector?

+You can configure a Citrix environment to route certain URLs back to the local machine and not launch in the virtual machine. For example, to launch virtual appointments in Teams, configure all traffic for ΓÇ£*.teams.microsoft.comΓÇ¥ to the local machine.

+To learn more, see the following Citrix documentation:

+- [Optimization for Microsoft Teams](https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/multimedia/opt-ms-teams.html)

+- [Browser content redirection](https://docs.citrix.com//en-us/citrix-virtual-apps-desktops/multimedia/browser-content-redirection.html)

+## Related articles

+- [Virtual Appointments with Teams - Integration into Cerner EHR](ehr-admin-cerner.md)

+- [Virtual Appointments with Teams - Integration into Epic EHR](ehr-admin-epic.md)

+- [EHR connector Virtual Appointments report](ehr-connector-report.md)

+- [Get started with Microsoft 365 for healthcare organizations](teams-in-hc.md)

+## Week of January 09, 2023

+| Published On |Topic title | Change |

+|||--|

+| 1/9/2023 | [Upgrade distribution lists to Microsoft 365 Groups in Exchange Online](/microsoft-365/admin/manage/upgrade-distribution-lists?view=o365-worldwide) | modified |

+| 1/9/2023 | [Create and manage insider risk management policies](/microsoft-365/compliance/insider-risk-management-policies?view=o365-worldwide) | modified |

+| 1/9/2023 | [Deploy Microsoft Defender for Endpoint on Linux manually](/microsoft-365/security/defender-endpoint/linux-install-manually?view=o365-worldwide) | modified |

+| 1/9/2023 | [Assess personal data and privacy risks ΓÇô Microsoft Priva and Purview](/microsoft-365/solutions/data-privacy-protection-assess?view=o365-worldwide) | added |

+| 1/9/2023 | [Protect and govern personal data ΓÇô Microsoft Priva and Purview](/microsoft-365/solutions/data-privacy-protection-protect-govern?view=o365-worldwide) | added |

+| 1/9/2023 | [Stay on track with data privacy regulations ΓÇô Microsoft Priva and Purview](/microsoft-365/solutions/data-privacy-protection-regulations?view=o365-worldwide) | added |

+| 1/9/2023 | [Respond to privacy incidents and subject requests ΓÇô Microsoft Priva and Purview](/microsoft-365/solutions/data-privacy-protection-respond-requests?view=o365-worldwide) | added |

+| 1/9/2023 | [Manage data privacy and protection ΓÇô Microsoft Priva and Purview](/microsoft-365/solutions/data-privacy-protection?view=o365-worldwide) | added |

+| 1/9/2023 | [What's new in Microsoft Defender for Endpoint on Linux](/microsoft-365/security/defender-endpoint/linux-whatsnew?view=o365-worldwide) | modified |

+| 1/9/2023 | Assess data privacy risks and identify sensitive items with Microsoft 365 | removed |

+| 1/9/2023 | Use Compliance Manager to manage improvement actions | removed |

+| 1/9/2023 | Govern information subject to data privacy regulation | removed |

+| 1/9/2023 | Use identity, device, and threat protection for data privacy regulation | removed |

+| 1/9/2023 | Monitor and respond to data privacy incidents in your organization | removed |

+| 1/9/2023 | Protect information subject to data privacy regulation | removed |

+| 1/9/2023 | Deploy information protection for data privacy regulations with Microsoft 365 | removed |

+| 1/9/2023 | [Configure SMS text notifications and reminders in Microsoft Bookings](/microsoft-365/bookings/bookings-sms?view=o365-worldwide) | modified |

+| 1/9/2023 | [Buy a domain name](/microsoft-365/admin/get-help-with-domains/buy-a-domain-name?view=o365-worldwide) | modified |

+| 1/10/2023 | [Deploy and manage using group policy](/microsoft-365/security/defender-endpoint/deploy-and-manage-using-group-policy?view=o365-worldwide) | added |

+| 1/10/2023 | [Deploy and manage using Intune](/microsoft-365/security/defender-endpoint/deploy-and-manage-using-intune?view=o365-worldwide) | added |

+| 1/10/2023 | [Printer Protection frequently asked questions](/microsoft-365/security/defender-endpoint/printer-protection-frequently-asked-questions?view=o365-worldwide) | added |

+| 1/10/2023 | [Printer Protection Overview](/microsoft-365/security/defender-endpoint/printer-protection-overview?view=o365-worldwide) | added |

+| 1/10/2023 | [Switch to Microsoft Defender for Endpoint - Setup](/microsoft-365/security/defender-endpoint/switch-to-mde-phase-2?view=o365-worldwide) | modified |

+| 1/10/2023 | [What's new in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/whats-new-in-microsoft-defender-endpoint?view=o365-worldwide) | modified |

+| 1/10/2023 | [Get started with the Microsoft Purview Data Loss Prevention migration assistant for Symantec](/microsoft-365/compliance/dlp-migration-assistant-for-symantec-get-started?view=o365-worldwide) | added |

+| 1/10/2023 | [Learn about the Microsoft Purview Data Loss Prevention migration assistant for Symantec](/microsoft-365/compliance/dlp-migration-assistant-for-symantec-learn?view=o365-worldwide) | added |

+| 1/10/2023 | [Use the Microsoft Purview Data Loss Prevention migration assistant for Symantec](/microsoft-365/compliance/dlp-migration-assistant-for-symantec-use?view=o365-worldwide) | added |

+| 1/10/2023 | [Learn about insider risk management policy templates](/microsoft-365/compliance/insider-risk-management-policy-templates?view=o365-worldwide) | added |

+| 1/10/2023 | [Create and manage insider risk management policies](/microsoft-365/compliance/insider-risk-management-policies?view=o365-worldwide) | modified |

+| 1/10/2023 | [Learn about insider risk management](/microsoft-365/compliance/insider-risk-management?view=o365-worldwide) | modified |

+| 1/10/2023 | [Migrate to Microsoft Defender for Endpoint - Prepare](/microsoft-365/security/defender-endpoint/switch-to-mde-phase-1?view=o365-worldwide) | modified |

+| 1/10/2023 | [Migrate to Microsoft Defender for Endpoint - Setup](/microsoft-365/security/defender-endpoint/switch-to-mde-phase-2?view=o365-worldwide) | modified |

+| 1/10/2023 | [Migrate to Microsoft Defender for Endpoint - Onboard](/microsoft-365/security/defender-endpoint/switch-to-mde-phase-3?view=o365-worldwide) | modified |

+| 1/10/2023 | [Frequently asked questions on tamper protection](/microsoft-365/security/defender-endpoint/faqs-tamper-protection?view=o365-worldwide) | modified |

+| 1/10/2023 | [Troubleshooting issues when switching to Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/switch-to-mde-troubleshooting?view=o365-worldwide) | modified |

+| 1/10/2023 | [User reported message settings](/microsoft-365/security/office-365-security/submissions-user-reported-messages-files-custom-mailbox?view=o365-worldwide) | modified |

+| 1/11/2023 | [What happens to my data and access when my subscription ends?](/microsoft-365/commerce/subscriptions/what-if-my-subscription-expires?view=o365-worldwide) | modified |

+| 1/11/2023 | [Enable attack surface reduction rules](/microsoft-365/security/defender-endpoint/enable-attack-surface-reduction?view=o365-worldwide) | modified |

+| 1/11/2023 | [What's new in Microsoft Defender for Endpoint on Mac](/microsoft-365/security/defender-endpoint/mac-whatsnew?view=o365-worldwide) | modified |

+| 1/11/2023 | [Performance analyzer for Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/tune-performance-defender-antivirus?view=o365-worldwide) | modified |

+| 1/11/2023 | [What's new in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/whats-new-in-microsoft-defender-endpoint?view=o365-worldwide) | modified |

+| 1/11/2023 | [What's new in Microsoft Defender for Endpoint on Windows](/microsoft-365/security/defender-endpoint/windows-whatsnew?view=o365-worldwide) | modified |

+| 1/11/2023 | [Exposure score in Defender Vulnerability Management](/microsoft-365/security/defender-vulnerability-management/tvm-exposure-score?view=o365-worldwide) | modified |

+| 1/11/2023 | [Security recommendations](/microsoft-365/security/defender-vulnerability-management/tvm-security-recommendation?view=o365-worldwide) | modified |

+| 1/11/2023 | [Get started with the Microsoft Purview Firefox Extension](/microsoft-365/compliance/dlp-firefox-extension-get-started?view=o365-worldwide) | added |

+| 1/11/2023 | [Learn about the Microsoft Purview Firefox Extension](/microsoft-365/compliance/dlp-firefox-extension-learn?view=o365-worldwide) | added |

+| 1/11/2023 | [Get started with the Microsoft Purview Chrome Extension](/microsoft-365/compliance/dlp-chrome-get-started?view=o365-worldwide) | modified |

+| 1/11/2023 | [Learn about the Microsoft Purview Chrome Extension](/microsoft-365/compliance/dlp-chrome-learn-about?view=o365-worldwide) | modified |

+| 1/11/2023 | [Get started with the Microsoft Purview Data Loss Prevention migration assistant for Symantec](/microsoft-365/compliance/dlp-migration-assistant-for-symantec-get-started?view=o365-worldwide) | modified |

+| 1/11/2023 | [Identify the available PowerShell cmdlets for retention](/microsoft-365/compliance/retention-cmdlets?view=o365-worldwide) | modified |

+| 1/11/2023 | [Use attack surface reduction rules to prevent malware infection](/microsoft-365/security/defender-endpoint/attack-surface-reduction?view=o365-worldwide) | modified |

+| 1/11/2023 | [Report spam, non-spam, phishing, suspicious emails and files to Microsoft](/microsoft-365/security/office-365-security/submissions-report-messages-files-to-microsoft?view=o365-worldwide) | modified |

+| 1/11/2023 | [Build and manage assessments in Microsoft Purview Compliance Manager](/microsoft-365/compliance/compliance-manager-assessments?view=o365-worldwide) | modified |

+| 1/11/2023 | [Get started with Microsoft Purview Compliance Manager](/microsoft-365/compliance/compliance-manager-setup?view=o365-worldwide) | modified |

+| 1/12/2023 | [Troubleshoot Microsoft Teams EHR connector setup and configuration](/microsoft-365/frontline/ehr-connector-troubleshoot-setup-configuration?view=o365-worldwide) | added |

+| 1/12/2023 | Redirection of users from the Office 365 Security and Compliance Center to the Microsoft Purview compliance portal | removed |

+| 1/12/2023 | [Frequently asked questions on tamper protection](/microsoft-365/security/defender-endpoint/faqs-tamper-protection?view=o365-worldwide) | modified |

+| 1/12/2023 | [Protect security settings with tamper protection](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection?view=o365-worldwide) | modified |

+| 1/12/2023 | [Add, update or delete a scan definition](/microsoft-365/security/defender-endpoint/add-a-new-scan-definition?view=o365-worldwide) | modified |

+| 1/12/2023 | [Deploy and manage using group policy](/microsoft-365/security/defender-endpoint/deploy-and-manage-using-group-policy?view=o365-worldwide) | modified |

+| 1/12/2023 | [Deploy and manage using Intune](/microsoft-365/security/defender-endpoint/deploy-and-manage-using-intune?view=o365-worldwide) | modified |

+| 1/12/2023 | [Deploy and manage Removable Storage Access Control using Intune](/microsoft-365/security/defender-endpoint/deploy-manage-removable-storage-intune?view=o365-worldwide) | modified |

+| 1/12/2023 | [Get scan definitions](/microsoft-365/security/defender-endpoint/get-all-scan-definitions?view=o365-worldwide) | modified |

+| 1/12/2023 | [Printer Protection Overview](/microsoft-365/security/defender-endpoint/printer-protection-overview?view=o365-worldwide) | modified |

+| 1/12/2023 | [Migrate to Microsoft Defender for Endpoint - Onboard](/microsoft-365/security/defender-endpoint/switch-to-mde-phase-3?view=o365-worldwide) | modified |

+| 1/12/2023 | [Troubleshooting issues when moving to Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/switch-to-mde-troubleshooting?view=o365-worldwide) | modified |

+| 1/12/2023 | [What's new in Microsoft Purview Compliance Manager](/microsoft-365/compliance/compliance-manager-whats-new?view=o365-worldwide) | modified |

+| 1/12/2023 | [Review and remove unnecessary allow list entries with Advanced Hunting in Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/step-by-step-guides/review-allow-entries?view=o365-worldwide) | added |

+| 1/13/2023 | [Trainable classifiers definitions](/microsoft-365/compliance/classifier-tc-definitions?view=o365-worldwide) | modified |

+| 1/13/2023 | [What's new in Microsoft Purview Compliance Manager](/microsoft-365/compliance/compliance-manager-whats-new?view=o365-worldwide) | modified |

+| 1/13/2023 | [Get started with the Microsoft Purview Chrome Extension](/microsoft-365/compliance/dlp-chrome-get-started?view=o365-worldwide) | modified |

+"scanType": "Windows",

+"scanName": "Test Windows scan",

+"isActive": true,

+"target": "127.0.0.1",

+ "@odata.type": "#microsoft.windowsDefenderATP.api.WindowsAuthParams",

+ "type": "Kerberos",

+ "username": "username",

+ "domain": "password",

+"scanType": "Network",

+"scanName": "Test Network scan",

+"isActive": true,

+"target": "127.0.0.1",

+ "@odata.type": "#microsoft.windowsDefenderATP.api.SnmpAuthParams",

+ "type": "AuthPriv",

+ "username": "username",

+ "authProtocol": "authProtocol",

+ "authPassword": "authPassword",

+ "privProtocol": "privProtocol",

+ "privPassword": "privPassword",

+ "communityString": "community-string"

+"scanName": "Test Network scan",

+ "type": "Kerberos",

+ "username": "username",

+ "domain": "password",

+> For information about configuring per-rule exclusions, see the section titled **Configure ASR rules per-rule exclusions** in the topic [Test attack surface reduction (ASR) rules](attack-surface-reduction-rules-deployment-test.md).

+### Audit mode

+Use [audit mode](audit-windows-defender.md) to evaluate how attack surface reduction rules would affect your organization if enabled. Run all rules in audit mode first so you can understand how they affect your line-of-business applications. Many line-of-business applications are written with limited security concerns, and they might perform tasks in ways that seem similar to malware.

+### Exclusions

+By monitoring audit data and [adding exclusions](attack-surface-reduction-rules-deployment-test.md) for necessary applications, you can deploy attack surface reduction rules without reducing productivity.

+### Per-rule exclusions

+For information about configuring per-rule exclusions, see the section titled **Configure ASR rules per-rule exclusions** in the topic [Test attack surface reduction (ASR) rules](attack-surface-reduction-rules-deployment-test.md).

+> Built-in protection sets default values for Windows and Mac devices. If endpoint security settings change, such as through baselines or policies in [Microsoft Intune](/mem/endpoint-manager-overview), those settings override the built-in protection settings.

+| Determine whether tamper protection is turned on for your organization | 1. Go to the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) and sign in.<br/>2. Go to **Settings** > **Endpoints** > **Advanced features** > **Tamper protection**. |

+| Manage tamper protection tenant wide using the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) | 1. Go to the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) and sign in.<br/>2. Go to **Settings** > **Endpoints** > **Advanced features**.<br/>3. Set **Tamper protection** to **On** (*recommended*) or **Off**.<br/>4. Select **Save preferences**.<br/>See [Manage tamper protection for your organization using Microsoft 365 Defender portal](manage-tamper-protection-microsoft-365-defender.md). |

+| Set tamper protection settings for some, but not all, devices | Use endpoint security policies and profiles that are applied to specific devices. See the following articles:<br/>- [Manage tamper protection using Microsoft Intune](manage-tamper-protection-microsoft-endpoint-manager.md)<br/>- [Manage tamper protection using tenant attach with Configuration Manager, version 2006](manage-tamper-protection-configuration-manager.md)|

+| Turn tamper protection on or off on an individual Windows device | 1. On your Windows device, select **Start**, and start typing *Security*.<br/>2. In the search results, select **Windows Security**.<br/>3. Select **Virus & threat protection** > **Virus & threat protection settings**.<br/>4. Set **Tamper Protection** to **On** (*recommended*) or **Off**. <br/><br/>If the device is onboarded to Defender for Endpoint, or the device is managed in the Microsoft Endpoint Manager admin center, those settings will override user settings on the individual device. See [Manage tamper protection on an individual device](manage-tamper-protection-individual-device.md). |

+| Turn tamper protection on or off manually on a Mac | 1. On your Mac, open Finder, and go to **Applications** > **Utilities** > **Terminal**.<br/>2. In Terminal, type the following command `sudo mdatp config tamper-protection enforcement-level --value (chosen mode)`.<br/><br/>See [Manual configuration](tamperprotection-macos.md#manual-configuration). |

+| Change tamper protection settings using a Mobile Device Management (MDM) solution | To change the tamper protection mode using an MDM, go to the configuration profile and change the enforcement level in [Intune](tamperprotection-macos.md#intune) or [JAMF](tamperprotection-macos.md#jamf).<br/><br/>The configuration profile set with the MDM will be your first point of reference. Any settings defined in the profile will be enforced on the device, and built-in-protection default settings won't override these applied settings. |

+| [Microsoft Defender Antivirus](microsoft-defender-antivirus-windows.md) <br/>[Defender for Endpoint Plan 1 or Plan 2](defender-endpoint-plan-1-2.md) | <ul><li>[Automatic exclusions](#automatic-exclusions) (for Windows Server 2016 and later)</li><li>[Custom exclusions](#custom-exclusions), such as process-based exclusions, folder location-based exclusions, file extension exclusions, or contextual file and folder exclusions</li><li>[Custom remediation actions](#custom-remediation-actions) based on threat severity or for specific threats </li></ul> *The standalone versions of Defender for Endpoint Plan 1 and Plan 2 don't include server licenses. To onboard servers, you'll need another license, such as Microsoft Defender for Endpoint for Servers or [Microsoft Defender for Servers Plan 1 or 2](/azure/defender-for-cloud/defender-for-servers-introduction). To learn more, see [Defender for Endpoint onboarding Windows Server](onboard-windows-server.md).*<br/><br/>*If you're a small or medium-sized business using [Microsoft Defender for Business](../defender-business/mdb-overview.md), you can get [Microsoft Defender for Business servers](../defender-business/get-defender-business-servers.md).* |

+- **Microsoft Defender for Endpoint for Servers**. See [Defender for Endpoint onboarding Windows Server](onboard-windows-server.md).

+- **Microsoft Defender for Business servers** for small and medium-sized businesses. See [How to get Microsoft Defender for Business servers](../defender-business/get-defender-business-servers.md).

+Microsoft Defender for Endpoint Device Control Printer Protection feature enables you to audit, allow, or prevent printer with or without exclusions.

+## Licensing requirements

+Before you get started with Removable Storage Access Control, you must confirm your [Microsoft 365 subscription](https://www.microsoft.com/microsoft-365/compare-microsoft-365-enterprise-plans?rtc=3). To access and use Printer Protection through group policy, you must have Microsoft 365 E5.

+ The purpose of this configuration is to temporarily disable device control on specific machine.

+ > [!NOTE]

+ > If you don't see this group policy objects, you need to add the group policy administrative template. You can download administrative template (WindowsDefender.admx and WindowsDefender.admx) from [samples](https://github.com/microsoft/mdatp-devicecontrol/tree/main/Removable%20Storage%20Access%20Control%20Samples).

+ >

+ > This configuration controls both Removable storage access control [Microsoft Defender for Endpoint Device Control Removable Storage Access Control](device-control-removable-storage-access-control.md) and Printer protection.

+ For example, you can have either a Deny or an Allow policy for RemovableMediaDevices, but not for CdRomDevices or WpdDevices. You set Default Deny through this policy, then Read/Write/Execute access to CdRomDevices or WpdDevices will be blocked.

+ > [!NOTE]

+ > Comments using XML comment notation `<!-- COMMENT -->` can be used in the Rule and Group XML files, but they must be inside the first XML tag, not the first line of the XML file.

+ > [!NOTE]

+ > Comments using XML comment notation `<!-- COMMENT -->` can be used in the Rule and Group XML files, but they must be inside the first XML tag, not the first line of the XML file.

+Allows to print only through approved USB when machine is in corporate network, VPN connected, or print through PDF/XPS file.

+1. Create any printer group and allowed-USB printer group and allowed-file printer group.

+ 1. Group 1: Any printer group.

+ :::image type="content" source="media/screenshot-of-removable-storage.png" alt-text="This is the screenshot of removable of storage." lightbox="media/screenshot-of-removable-storage.png":::

+ 2. Group 2: Allowed-USB printer group.

+ :::image type="content" source="media/screenshot-of-approved-usbs.png" alt-text="This is the screenshot of approved USBs." lightbox="media/screenshot-of-approved-usbs.png":::

+ 3. Group 2: Allowed PDF/XPS file printer group: following PrinterConnectionId is used, but if you want to only allow PDF, FriendlyNameId with 'Microsoft Print to PDF' is recommended.

+ :::image type="content" source="images/group-3.png" alt-text="This is group 3policy." lightbox="images/group-3.png":::

+ Combine these two groups into [one XML file](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/Group%20Policy/Demo_Groups.xml). See step 3 from the [Deploy using group policy](deploy-and-manage-using-group-policy.md) section to deploy this configuration.

+ > [!TIP]

+ > Replace `&` with `&amp;` in the value.

+2. Create policy.

+ 1. Create Allow and Audit policy for allowed-file printer group.

+ :::image type="content" source="media/block-write-execute-access.png" alt-text="This is block write access screenshot." lightbox="media/block-write-execute-access.png":::

+ 2. Create policy to allow authorized USB printer only when the machine is Corporate Network OR VPN connected.

+ :::image type="content" source="media/audit-write.png" alt-text="This is the deafult audit write access screenshot." lightbox="media/audit-write.png":::

+ 3. Create Default Deny custom policy for any other printers.

+ :::image type="content" source="images/create-default.png" alt-text="This is create default." lightbox="images/create-default.png":::

+ Combine these two policy rules into [one XML file](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/Group%20Policy/Scenario%201%20GPO%20Policy%20-%20Prevent%20Write%20and%20Execute%20access%20to%20all%20but%20allow%20specific%20approved%20USBs.xml). See step 4 from the [Deploy using group policy](deploy-and-manage-using-group-policy.md) section to deploy this configuration.

+ Title: Deploy and manage using Intune

+Microsoft Defender for Endpoint Device Control Printer Protection feature enables you to audit, allow, or prevent printer with or without exclusions.

+ The purpose of this configuration is to temporarily disable Device control on specific machine.

+ > [!NOTE]

+ > This configuration controls both [Microsoft Defender for Endpoint Device Control Removable Storage Access Control](device-control-removable-storage-access-control.md) and Printer Protection.

+Here are some common scenarios to help you familiarize with Microsoft Defender for Endpoint Printer Protection. In the following samples, **Default Enforcement** hasn't been used because the **Default Enforcement** will apply to both the removable storage and the printer.

+Allows to print only through approved the USB when machine is in Corporate Network OR VPN connected, or print through PDF/XPS file.

+1. Create groups.

+ 1. Group 1: Any printer group

+ :::image type="content" source="media/188234308-4db09787-b14e-446a-b9e0-93c99b08748f.png" alt-text="A screenshot showing removable storage." lightbox= "media/188234308-4db09787-b14e-446a-b9e0-93c99b08748f.png":::

+ Here's the [sample file](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/Intune%20OMA-URI/Any%20Removable%20Storage%20and%20CD-DVD%20and%20WPD%20Group.xml). See step 3 from the [Deploy Printer Protection](deploy-and-manage-using-intune.md) section to deploy the configuration.

+ 2. Group 2: Allowed-USB printer group

+ :::image type="content" source="media/188234372-526d20b3-cfea-4f1d-8d63-b513497ada52.png" alt-text="A screenshot of approved USBs." lightbox= "media/188234372-526d20b3-cfea-4f1d-8d63-b513497ada52.png":::

+ 3. Group 3: Allowed PDF/XPS file printer group: following PrinterConnectionId is used, but if you want to only allow PDF, FriendlyNameId with 'Microsoft Print to PDF' is recommended.

+ > [!TIP]

+ > Replace `&` with `&amp;` in the value.

+2. Create policy.

+ 1. Create **Allow** and **Audit** policy for allowed-file printer group.

+ :::image type="content" source="media/188243425-c0772ed4-6537-4c6a-9a1d-1dbb48018578.png" alt-text="A screenshot of policy 1." lightbox= "media/188243425-c0772ed4-6537-4c6a-9a1d-1dbb48018578.png":::

+ Here's the [sample file](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/Intune%20OMA-URI/Scenario%201%20Block%20Write%20and%20Execute%20Access%20but%20allow%20approved%20USBs.xml). See step 4 from the [Deploy Printer Protection](deploy-and-manage-using-intune.md) section to deploy the configuration.

+ 2. Create policy to allow authorized USB printer only when the machine is in Corporate Network or connected to the VPN.

+ :::image type="content" source="media/188243552-5d2a90ab-dba6-450f-ad8f-86a862f6e739.png" alt-text="A screenshot of policy 2." lightbox= "media/188243552-5d2a90ab-dba6-450f-ad8f-86a862f6e739.png":::

+ Here's the [sample file](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/Intune%20OMA-URI/Scenario%201%20Block%20Write%20and%20Execute%20Access%20but%20allow%20approved%20USBs.xml). See step 4 from the [Deploy Printer Protection](deploy-and-manage-using-intune.md) section to deploy the configuration.

+ 3. Create Default Deny custom policy for any other printers.

+ :::image type="content" source="media/188243552-5d2a90ab-dba6-450f-ad8f-86a862f6e739.png" alt-text="A screenshot of policy 2." lightbox= "media/188243552-5d2a90ab-dba6-450f-ad8f-86a862f6e739.png":::

+ Here's the [sample file](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/Intune%20OMA-URI/Scenario%201%20Block%20Write%20and%20Execute%20Access%20but%20allow%20approved%20USBs.xml). See step 4 from the [Deploy Printer Protection](deploy-and-manage-using-intune.md) section to deploy the configuration.

+1. Create groups.

+ 1. Group 1: Any removable storage, CD/DVD, and Windows portable devices.

+ :::image type="content" source="media/188234308-4db09787-b14e-446a-b9e0-93c99b08748f.png" alt-text="A screenshot showing removable storage" lightbox= "media/188234308-4db09787-b14e-446a-b9e0-93c99b08748f.png":::

+ Here's the [sample file](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/Intune%20OMA-URI/Any%20Removable%20Storage%20and%20CD-DVD%20and%20WPD%20Group.xml). See step 3 from the [Deploy Removable Storage Access Control](deploy-manage-removable-storage-intune.md#deploy-removable-storage-access-control-by-using-intune-oma-uri) section to deploy the configuration.

+ 2. Group 2: Approved USBs based on device properties.

+ :::image type="content" source="media/188234372-526d20b3-cfea-4f1d-8d63-b513497ada52.png" alt-text="A screenshot of approved USBs" lightbox= "media/188234372-526d20b3-cfea-4f1d-8d63-b513497ada52.png":::

+ Here's the [sample file](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/Intune%20OMA-URI/Approved%20USBs%20Group.xml). See step 3 from the [Deploy Removable Storage Access Control](deploy-manage-removable-storage-intune.md#deploy-removable-storage-access-control-by-using-intune-oma-uri) section to deploy the configuration.

+ > [!TIP]

+ > Replace `&` with `&amp;` in the value in the XML file.

+ 1. Policy 1: Block Write and Execute access for any removable storage group but allow approved USBs.

+ :::image type="content" source="media/188243425-c0772ed4-6537-4c6a-9a1d-1dbb48018578.png" alt-text="A screenshot of policy 1" lightbox= "media/188243425-c0772ed4-6537-4c6a-9a1d-1dbb48018578.png":::

+ Here's the [sample file](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/Intune%20OMA-URI/Scenario%201%20Block%20Write%20and%20Execute%20Access%20but%20allow%20approved%20USBs.xml). See step 4 from the [Deploy Removable Storage Access Control](deploy-manage-removable-storage-intune.md#deploy-removable-storage-access-control-by-using-intune-oma-uri) section to deploy the configuration.

+ 2. Policy 2: Audit Write and Execute access for allowed USBs.

+ :::image type="content" source="media/188243552-5d2a90ab-dba6-450f-ad8f-86a862f6e739.png" alt-text="A screenshot of policy 2" lightbox= "media/188243552-5d2a90ab-dba6-450f-ad8f-86a862f6e739.png":::

+ What does `54` mean in the policy? It's `18 + 36 = 54`.

+ - Write access: disk level 2 + file system level 16 = 18.

+ - Execute: disk level 4 + file system level 32 = 36.

+ Here's the [sample file](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/Intune%20OMA-URI/Scenario%201%20Audit%20Write%20and%20Execute%20access%20to%20aproved%20USBs.xml). See step 4 from the [Deploy Removable Storage Access Control](deploy-manage-removable-storage-intune.md#deploy-removable-storage-access-control-by-using-intune-oma-uri) section to deploy the configuration.

+ What does `54` mean in the policy? It's `18 + 36 = 54`.

+1. Create groups.

+ 1. Group 1: Any removable storage, CD/DVD, and Windows portable devices.

+ :::image type="content" source="media/188234308-4db09787-b14e-446a-b9e0-93c99b08748f.png" alt-text="A screenshot of group 1" lightbox="media/188234308-4db09787-b14e-446a-b9e0-93c99b08748f.png":::

+ Here's the [sample file](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/Intune%20OMA-URI/Any%20Removable%20Storage%20and%20CD-DVD%20and%20WPD%20Group.xml). See step 3 from the [Deploy Removable Storage Access Control](deploy-manage-removable-storage-intune.md#deploy-removable-storage-access-control-by-using-intune-oma-uri) section to deploy the configuration.

+ 2. Group 2: Unallowed file extensions.

+ Here's the [sample file](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/Intune%20OMA-URI/Unauthorized%20File%20Group.xml). See step 3 from the [Deploy Removable Storage Access Control](deploy-manage-removable-storage-intune.md#deploy-removable-storage-access-control-by-using-intune-oma-uri) section to deploy the configuration.

+ > [!TIP]

+ > Explicily mark the Type attribute on the group as **File**

+ 3. Policy 2: Deny read and execute access to any file under the allowed file extension group for defined removable storage group.

+ :::image type="content" source="media/200713006-c0d39e2b-9acc-4522-9f88-e064eeb3a4ae.png" alt-text="Screenshot of OMA-URI settings." lightbox="media/200713006-c0d39e2b-9acc-4522-9f88-e064eeb3a4ae.png":::

+ What does `40` mean in the policy? It's `8 + 32 = 40`.

+ - only need to restrict file system level access

+ Here's the [sample file](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/Intune%20OMA-URI/Deny%20Read%20and%20Write%20access%20to%20specific%20files.xml). See step 4 from the [Deploy Removable Storage Access Control](deploy-manage-removable-storage-intune.md#deploy-removable-storage-access-control-by-using-intune-oma-uri) section to deploy the configuration.

+1. To set up the groups you'll need, go to **Endpoint Security** \> **Attack Surface Reduction** \> **Reusable settings** \> **Add**. For more details, see **DescriptorIdList** on the [Microsoft Defender for Endpoint Device Control Removable Storage Access Control, removable storage media](device-control-removable-storage-access-control.md#group).

+2. To set up your policy, go to **Endpoint Security** \> **Attack Surface Reduction** \> **Create Policy**.

+2. To create your policy, go to **Endpoint Security** > **Attack Surface Reduction** > **Create Policy**. Choose **Platform**: **Windows 10 and later** with **Profile: Device Control**. Select **Device Control**: **Configured**.

+ 2. Policy 2: Choose **+ Add** to create another policy for 'Audit Write and Execute access for any removable storage group'. Choose **+ Set reusable settings** for **Included ID**, and then choose **Select**, as shown in the following screenshot:

+Although attack surface reduction rules don't require a [Windows E5 license](/windows/deployment/deploy-enterprise-licenses), with a Windows E5 license, you get advanced management capabilities including monitoring, analytics, and workflows available in Defender for Endpoint, as well as reporting and configuration capabilities in the [Microsoft 365 Defender](https://go.microsoft.com/fwlink/p/?linkid=2077139) portal. These advanced capabilities aren't available with an E3 license, but you can still use Event Viewer to review attack surface reduction rule events.

+For information about per-rule exclusions, see the section titled **Configure ASR rules per-rule exclusions** in the topic [Test attack surface reduction (ASR) rules](attack-surface-reduction-rules-deployment-test.md)

+## On which versions of Windows can I configure tamper protection?

+If you're an organization using [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint), you should be able to manage tamper protection in Intune similar to how you manage other endpoint protection features. See the following sections of this article:

+If you're a home user, see [Manage tamper protection on an individual device](manage-tamper-protection-individual-device.md).

+## Does tamper protection apply to Microsoft Defender Antivirus exclusions?

+New functionality is rolling out now to protect Microsoft Defender Antivirus exclusions. However, certain conditions must be met. See [What about exclusions](prevent-changes-to-security-settings-with-tamper-protection.md#what-about-exclusions)?

+## How does configuring tamper protection in Intune affect how I manage Microsoft Defender Antivirus with Group Policy?

+If you're currently using Intune to configure and manage tamper protection, you should continue using Intune. When tamper protection is turned on and you use Group Policy to make changes to Microsoft Defender Antivirus settings, any settings that are protected by tamper protection will be ignored.

+If you're using Intune to configure and manage tamper protection, you can target your entire organization, or select specific devices and user groups.

+## What settings can't be changed when tamper protection is turned on?

+When tamper protection is turned on, tamper-protected settings cannot be changed from their default value, even if you're using Intune to manage your security settings. Changes might appear to be successful in Intune, but will not actually be allowed by tamper protection. For the most current list of tamper protected settings, contact support.

+Currently, configuring tamper protection in Intune is only available for customers whose subscriptions include [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint).

+ "id": "60c4vv57-asdf-3454-a456-2e45t9d79ec9d",

+ "scanType": "Windows",

+ "scanName": "Test Windows scan",

+ "isActive": true,

+ "target": "127.0.0.1",

+ "intervalInHours": 1,

+ "@odata.type": "#microsoft.windowsDefenderATP.api.WindowsAuthParams",

+ "type": "Kerberos",

+ "username": "username",

+ "domain": "password",

+ },

+ {

+ "isActive": true,

+ "target": "127.0.0.1",

+ "intervalInHours": 1,

+ "@odata.type": "#microsoft.windowsDefenderATP.api.SnmpAuthParams"",

+ type": "AuthPriv",

+ "username": "username",

+ "authProtocol": "authProtocol",

+ "authPassword": "authPassword",

+ "privProtocol": "privProtocol",

+ "privPassword": "privPassword",

+ "communityString": "community-string"

+ }

+ }

+> [!NOTE]

+> **Control Filter not working as expected on Supervised devices**

+Control Filter is not working as expected from iOS 16.1 onwards. This has impacted the Web Protection capability for Supervised devices without local loopback VPN. The issue has been acknowledge by iOS platform. As a temporary fix, the loopback VPN has been enabled for the affected devices where the users will be asked to setup the loopback VPN. The fix is available with the new version - 1.1.36120102. The issue is expected to be resolved with iOS 16.3. Once the issue is resolved by Apple, we will re-enable the support for Control filter.

+

+## Installation failed due to dependency error

+If the Microsoft Defender for Endpoint installation fails due to missing dependencies errors, you can manually download the pre-requisite dependencies.

+The following external package dependencies exist for the mdatp package:

+The mdatp RPM package requires "glibc >= 2.17", "audit", "policycoreutils", "selinux-policy-targeted", "mde-netfilter"

+For RHEL6 the mdatp RPM package requires "audit", "policycoreutils", "libselinux", "mde-netfilter"

+For DEBIAN the mdatp package requires "libc6 >= 2.23", "uuid-runtime", "auditd", "mde-netfilter"

+The mde-netfilter package also has the following package dependencies:

+For DEBIAN the mde-netfilter package requires "libnetfilter-queue1", "libglib2.0-0"

+For RPM the mde-netfilter package requires "libmnl", "libnfnetlink", "libnetfilter_queue", "glib2"

+- Your Windows devices must be running Windows 10 [version 1709 or later](/lifecycle/announcements/revised-end-of-service-windows-10-1709) or Windows 11. (For more information about releases, see [Windows release information](/windows/release-health/release-information).)

+> Tamper protection can prevent changes to security settings from occurring. If you see an error code with Event ID 5013, see [Review event logs and error codes to troubleshoot issues with Microsoft Defender Antivirus](troubleshoot-microsoft-defender-antivirus.md).

+| Operating systems | Windows 11, or Windows 10, version 1709, or later <br/>macOS (the three most recent releases are supported) <br/>iOS <br/>Android OS <br/><br/>Note that the standalone version of Defender for Endpoint Plan 1 does not include server licenses. To onboard servers, you'll need either Microsoft Defender for Endpoint for Servers, or Defender for Servers Plan 1 or Plan 2 (as part of the [Defender for Cloud](/azure/defender-for-cloud/defender-for-cloud-introduction)) offering. To learn more. see [Defender for Endpoint onboarding Windows Server](onboard-windows-server.md). |

+The standalone versions of [Defender for Endpoint Plan 1 and Plan 2](defender-endpoint-plan-1-2.md), even when they are included as part of other Microsoft 365 plans, do not include server licenses. To onboard servers to those plans, you'll need either Microsoft Defender for Endpoint for Servers or Defender for Servers Plan 1 or Plan 2 as part of the [Defender for Cloud](/azure/defender-for-cloud/defender-for-cloud-introduction) offering. To learn more, see [Defender for Endpoint onboarding Windows Server](onboard-windows-server.md).

+> - The standalone versions of [Defender for Endpoint Plan 1 and Plan 2](defender-endpoint-plan-1-2.md) do not include server licenses. To onboard servers to those plans, you'll need either Defender for Endpoint for Servers, or Defender for Servers Plan 1 or Plan 2 (as part of the [Defender for Cloud](/azure/defender-for-cloud/defender-for-cloud-introduction) offering). To learn more. see [Defender for Endpoint onboarding Windows Server](onboard-windows-server.md).

+## How tamper protection works

+## Tamper protection and cloud protection

+

+Depending on the method or management tool you use to enable tamper protection, there might be a dependency on [cloud-delivered protection](cloud-protection-microsoft-defender-antivirus.md). Cloud-delivered protection is also referred to as cloud protection, or Microsoft Advanced Protection Service (MAPS). The following table summarizes whether there's a dependency on cloud protection.

+| How tamper protection is enabled | Dependency on cloud protection? |

+|Microsoft Intune|No|

+|Microsoft Endpoint Configuration Manager with Tenant Attach|No|

+|Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com))|Yes|

+## Methods to configure tamper protection

+The following table lists the various methods you can use to configure tamper protection:

+|To perform this task...|See this content...|

+|||

+|Manage tamper protection across your tenant <br/><br/> Use the Microsoft 365 Defender portal to turn tamper protection on or off|[Manage tamper protection for your organization using Microsoft 365 Defender](manage-tamper-protection-microsoft-365-defender.md)|

+|Fine-tune tamper protection settings in your organization <br/><br/> Use Microsoft Intune to turn tamper protection on or off. You can configure tamper protection for some or all users with this method.|[Manage tamper protection for your organization using Intune](manage-tamper-protection-microsoft-endpoint-manager.md)|

+| Protect Microsoft Defender Antivirus exclusions | [What about exclusions?](#what-about-exclusions) <br/><br/>[How to determine whether the functionality to protect exclusions is enabled on a Windows device](#how-to-determine-whether-the-functionality-to-protect-exclusions-is-enabled-on-a-windows-device) |

+|Turn tamper protection on (or off) for an individual device (for home users or devices that aren't managed by a security team)|[Manage tamper protection on an individual device](manage-tamper-protection-individual-device.md)|

+## What about exclusions?

+If your organization has [exclusions defined for Microsoft Defender Antivirus](configure-exclusions-microsoft-defender-antivirus.md), tamper protection will protect those exclusions, provided all of the following conditions are met:

+- `DisableLocalAdminMerge` is enabled. (See [DisableLocalAdminMerge](/windows/client-management/mdm/defender-csp).)

+- Microsoft Defender Antivirus exclusions are managed in Microsoft Intune. (See [Settings for Microsoft Defender Antivirus policy in Microsoft Intune for Windows devices](/mem/intune/protect/antivirus-microsoft-defender-settings-windows).)

+- Tamper protection is deployed and managed by using Intune. (See [Manage tamper protection for your organization using Microsoft Intune](manage-tamper-protection-microsoft-endpoint-manager.md).)

+- Devices are running Windows Defender platform `4.18.2111.*` or later. (See [Monthly platform and engine versions](manage-updates-baselines-microsoft-defender-antivirus.md#monthly-platform-and-engine-versions).)

+- Functionality to protect exclusions is enabled on devices. (See [How to determine whether the functionality is enabled on a Windows device](#how-to-determine-whether-the-functionality-to-protect-exclusions-is-enabled-on-a-windows-device).)

+> [!TIP]

+> For more detailed information about exclusions, see [Exclusions for Microsoft Defender for Endpoint and Microsoft Defender Antivirus](defender-endpoint-antivirus-exclusions.md).

+### How to determine whether the functionality to protect exclusions is enabled on a Windows device

+You can use a registry key to determine whether the functionality to protect Microsoft Defender Antivirus exclusions is enabled.

+1. On a Windows device open Registry Editor. (Read-only mode is fine; you won't be editing the registry key.)

+2. Go to `Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Features` (or `HKLM\SOFTWARE\Microsoft\Windows Defender\Features`), and look for a `REG_DWORD` entry called **TPExclusions**.

+ - If **TPExclusions** has a value of `1`, then the new functionality to protect exclusions is enabled on the device.

+ - If **TPExclusions** has a value of `0`, then tamper protection isn't currently protecting exclusions on the device.

+> [!CAUTION]

+> Do not change the value of **TPExclusions**. Use the preceding procedure for information only. Changing the key will have no effect on whether tamper protection applies to exclusions.

+> [!IMPORTANT]

+> On Windows Server 2016, the Settings app won't accurately reflect the status of real-time protection when tamper protection is enabled.

+Tampering attempts typically indicate that a larger cyberattack has taken place. Bad actors try to change security settings as a way to persist and stay undetected. If you're part of your organization's security team, you can view information about such attempts, and then take appropriate actions to mitigate threats.

+Whenever a tampering attempt is detected, an alert is raised in the [Microsoft 365 Defender portal](/microsoft-365/security/defender-endpoint/portal-overview) ([https://security.microsoft.com](https://security.microsoft.com)).

+> The Group Policy management and Intune OMA-URI/Custom Policy management of this product have been released. If you're currently using [Microsoft Defender for Endpoint Device Control Printer Protection](printer-protection-overview.md), we recommend that you upgrade.

+Microsoft Defender for Endpoint Device Control Printer Protection feature enables you to audit, allow, or prevent printer with or without exclusions.

+||::|

+### Prerequisites for preview

+ - [KB5020030 (OS Builds 19042.2311, 19043.2311, 19044.2311, and 19045.2311) Preview Microsoft Support](https://support.microsoft.com/topic/november-15-2022-kb5020030-os-builds-19042-2311-19043-2311-19044-2311-and-19045-2311-preview-237a9048-f853-4e29-a3a2-62efdbea95e2)

+ - [KB5019157 (OS Build 22000.1281) Preview - Microsoft Support](https://support.microsoft.com/topic/november-15-2022-kb5019157-os-build-22000-1281-preview-d64fb317-3435-49ff-b2c4-d0356a51a6b0)

+2. MOCAMP:4.18.2205 or later, you can run the command `Get-MpComputerStatus` in PowerShell to check the version.

+- Group configuration allows you to create group. For example, authorized USB printer group or network location group.

+- Policy configuration allows you to create policy to restrict each printer group. For example, only allow authorized users to Print access authorized printer group.

+#### Group configuration

+|Group ID|GUID, a unique ID, represents the group and will be used in the policy.|You can generate the group ID through [PowerShell](/powershell/module/microsoft.powershell.utility/new-guid?view=powershell-7.3&preserve-view=true)|

+|Name|String, the name of the policy and will display on the toast based on the policy setting.|

+|Type|The type of the group.|<ul><li>Device</li><li>Network</li><li>VPN Connection</li><li>PrintJob</li></ul> <p> **Note:** Default type is Device that includes removable storage and printer. For any other group you define in your Group setting, make sure explicitly mark Type, for example, Type="File".|

+|DescriptorIdList|List the device properties you want to use to cover in the group. All properties are case sensitive.|When the Group type is Device, you can use the following attributes inside DescriptorIdList: <ul><li>PrimaryId: The Primary ID includes: <ul><li>RemovableMediaDevices</li><li>CdRomDevices</li><li>WpdDevices</li><li>PrinterDevices</li></ul></li><li>FriendlyNameId: A string that's attached to the device (the same string as the Friendly name in Device Manager). For example, `Generic Flash Disk USB Device`.</li><li>Device instance path (VID_PID): <ul><li>Vendor ID (VID): The four-digit vendor code that's assigned to the vendor by the USB committee.</li><li>Product ID (PID): The four-digit product code that's assigned to the device by the vendor. Wildcards are supported.</li></ul> <p> To transform the Device instance path to the VID_PID format, see [Standard USB Identifiers](/windows-hardware/drivers/install/standard-usb-identifiers). For example: <ul><li>`0751_55E0` matches that exact VID_PID pair value.</li><li>`_55E0` matches any device with the PID value 55E0.</li><li>`0751_` matches any device with the VID value 0751.</li></ul></li><li>PrinterConnectionId: Includes the following values: <ul><li>USB: A printer that's connected through USB port of a computer. You can use this value to enforce any USB printer. To define a specific USB printer, use the VID_PID.</li><li>Corporate: A print queue that's shared through a Windows print server in your on-premises domain. For example, `\print-server\contoso.com\legal_printer_001`.</li><li>Network: A printer that's accessible by network connection, making it usable by other computers that are connected to the network.</li><li>Universal: For more information about universal printers, see [Set up Universal Print](/universal-print/fundamentals/universal-print-getting-started).</li><li>File: Microsoft Print to PDF or Microsoft XPS Document Writer. To enforce Microsoft Print to PDF only, use the FriendlyNameId value 'Microsoft Print to PDF'.</li><li>Custom: A printer that doesn't connect through a Microsoft print port.</li><li>Local: A printer that connects through a Microsoft print port, but not any of the previously described types. For example, print through Remote Desktop or redirect printer.</li></ul> </li></ul> <p> **When the Group type is Network, you can use the following attributes inside DescriptorIdList**: <ul><li>NameId: The name of the Network. Wildcards are supported.</li><li>NetworkCategoryId: Public, Private, or DomainAuthenticated.</li><li>NetworkDomainId: NonDomain, Domain, or DomainAuthenticated.</li></ul> <p> **When the Group type is VPNConnection, you can use the following attributes inside DescriptorIdList**: <ul><li>NameId: The name of the VPN Connection. Wildcards are supported.</li><li>VPNConnectionStatusId: Connected or Disconnected.</li><li>VPNServerAddressId: The value of VPNServerAddress (string). Wildcards are supported.</li><li>VPNDnsSuffixId: The value of VPNDnsSuffix (string). Wildcards are supported.</li></ul> <p> **When the Group type is PrintJob, you can use the following attributes inside DescriptorIdList**: <ul><li>PrintOutputFileNameId: The output destination file path for print to file. Wildcards are supported. For example, `C:\*\Test.pdf`</li><li>PrintDocumentNameId: The source file path. Wildcards are supported. This path may not exist. For example, add text to a new file in Notepad, and then print without saving the file.</li></ul>|

+|MatchType|When there are multiple device properties being used in the `DescriptorIDList`, MatchType defines the relationship.|<ul><li>**MatchAll**: Any attributes under the DescriptorIdList will be And relationship; for example, if administrator puts DeviceID and InstancePathID, for every connected USB, system will check to see whether the USB meets both values. </li><li>**MatchAny**: The attributes under the DescriptorIdList will be Or relationship; for example, if administrator puts DeviceID and InstancePathID, for every connected USB, system will do the enforcement as long as the USB has either an identical DeviceID or InstanceID value.</li><li>**MatchExcludeAll**: The attributes under the DescriptorIdList will be And relationship, any items that do NOT meet will be covered. For example, if administrator puts DeviceID and InstancePathID and uses MatchExcludeAll, for every connected USB, system will do the enforcement as long as the USB doesn't have both identical DeviceID and InstanceID value.</li><li>**MatchExcludeAny**: The attributes under the DescriptorIdList will be Or relationship, any items that do NOT meet will be covered. For example, if administrator puts DeviceID and InstancePathID and uses MatchExcludeAny, for every connected USB, system will do the enforcement as long as the USB doesn't have either an identical DeviceID or InstanceID value.</li></ul>|

+Every access policy rule called PolicyRule can be used to define access restriction for each Device type group through multiple Entry.

+The table below lists the properties you can use in **PolicyRule**:

+|PolicyRule ID|GUID, a unique ID, represents the policy and will be used in the reporting and troubleshooting.|You can generate the group ID through [PowerShell](/powershell/module/microsoft.powershell.utility/new-guid?view=powershell-7.3&preserve-view=true)|

+|Name|String, the name of the policy and will display on the toast based on the policy setting and will be captured in the reporting.|

+|IncludedIdList|The group(s) that the policy will be applied to. If multiple groups are added, the policy will be applied to any media in all those groups.|The Group ID/GUID must be used at this instance. The following example shows the usage of GroupID: {EAA4CCE5-F6C9-4760-8BAD-FDCC76A2ACA1} <p> **Note**: You shouldn't add multiple groups inside IncludedIdList. Instead, add all groups into a new group and then add the new group inside IncludedIdList.|

+|ExcludedIDList|The group(s) that the policy won't be applied to.|The Group ID/GUID must be used at this instance.|

+|Entry|One PolicyRule can have multiple entries; each entry with a unique GUID tells Device Control one restriction.|See Entry properties table below for more details.|

+The table below lists the properties you can use in **Entry**:

+|PolicyRule ID|GUID, a unique ID, represents the policy and will be used in the reporting and troubleshooting.|You can generate the group ID through [PowerShell](/powershell/module/microsoft.powershell.utility/new-guid?view=powershell-7.3&preserve-view=true)|

+|Type|Defines the action for the removable storage groups in IncludedIDList. <ul><li>Enforcement: Allow or Deny</li><li>Audit: AuditAllowed or AuditDenied</li></ul>|<ul><li>Allow</li><li>Deny</li><li>AuditAllowed: Defines event when access is allowed</li><li>AuditDenied: Defines notification and event when access is denied; has to work together with Deny entry.</li></ul> <p> When there are conflict types for the same media, the system will apply the first one in the policy. An example of a conflict type is **Allow** and **Deny**.|

+|Sid|Local user Sid or user Sid group or the Sid of the AD object or the Object ID of the Azure AD object, defines whether to apply this policy over a specific user or user group. One entry can have a maximum of one SID and an entry without any SID means to apply the policy over the machine.|

+|ComputerSid|Local computer Sid or computer Sid group or the Sid of the AD object or the Object ID of the AAD object, defines whether to apply this policy over a specific machine or machine group. One entry can have a maximum of one ComputerSID and an entry without any ComputerSID means to apply the policy over the machine. If you want to apply an Entry to a specific user and specific machine, add both SID and ComputerSID into the same Entry.|

+|Options|Defines whether to display notification or not|**When Type Allow is selected:** <ul><li>0: nothing</li><li>4: disable AuditAllowed and AuditDenied for this Entry. Even if Allow happens and the AuditAllowed is setting configured, the system won't send events.</li><li>8: capture a copy of the file as evidence; must be used together with the **Set location for a copy of the file** setting.</li></ul> <p> **When Type Deny is selected:**<ul><li>0: nothing</li><li>4: disable AuditDenied for this entry. Even if Block happens and the AuditDenied is setting configured, the system won't show notifications.</li></ul> <p> **When Type AuditAllowed is selected:** <ul><li>0: nothing</li><li>1: nothing</li><li>2: send event</li></ul> <p> **When Type AuditDenied is selected:** </ul><li>0: nothing</li><li>1: show notification</li><li>2: send events</li><li>3: show notification and send events</li><li>4: print</li></ul>|

+|AccessMask|Defines the access.|64: Print|

+|Parameters|Condition for this Entry, for example, network condition.|Can add groups (non-devices type) or even put Parameters into Parameters. See Parameters properties table below for more details.|

+The table below lists the properties you can use in **Parameters**:

+|MatchType|When there are multiple device properties being used in the DescriptorIDList, MatchType defines the relationship.|**MatchAll:** <ul><li> Any attributes under the DescriptorIdList will be And relationship; for example, if administrator puts DeviceID and InstancePathID, for every connected USB, system will check to see whether the USB meets both values.</li></ul> <p> **MatchAny:** <ul></li>The attributes under the DescriptorIdList will be Or relationship; for example, if administrator puts DeviceID and InstancePathID, for every connected USB, system will do the enforcement as long as the USB has either an identical DeviceID or InstanceID value.</li></ul> <p> **MatchExcludeAll:** <ul><li>The attributes under the DescriptorIdList will be And relationship, any items that do NOT meet will be covered. For example, if administrator puts DeviceID and InstancePathID and uses MatchExcludeAll, for every connected USB, system will do the enforcement as long as the USB doesn't have both identical DeviceID and InstanceID value.</li></ul> <p> **MatchExcludeAny:** <ul><li>The attributes under the DescriptorIdList will be Or relationship, any items that do NOT meet will be covered. For example, if administrator puts DeviceID and InstancePathID and uses MatchExcludeAny, for every connected USB, system will do the enforcement as long as the USB doesn't have either an identical DeviceID or InstanceID value.</li></ul>|

+|PrintJob Network VPNConnection|The PrintJob or Network or VPNConnection group(s) created above.|Use the GroupId of the PrintJob or Network or VPNConnection group(s) created above.|

+|Parameters|You can embed Parameters inside Parameters with MatchType.|

+

+> - For non-Windows platforms, response capabilities (such as isolate device) are dependent on the third-party capabilities.

+>[!NOTE]

+>The notification is not available on Windows Server 2016 and Windows Server 2012 R2.

+> - Isolating devices from the network is not currently supported for devices running macOS. For macOS, use live response to run the action. For more information on live response, see [Investigate entities on devices using live response](live-response.md).

+>- You can use the device isolation capability **in public preview** on all supported Microsoft Defender for Endpoint on Linux listed in [System requirements](microsoft-defender-endpoint-linux.md#system-requirements).

+>- The feature supports VPN connection.

+>- You must have at least one the following role permissions: 'Active remediation actions'. For more information, see [Create and manage roles](user-roles.md).

+>- You must have access to the device based on the device group settings. For more information, see [Create and manage device groups](machine-groups.md).

+>- Exclusion for Linux isolation is not supported.

+>[!NOTE]

+>The notification is not available on non-Windows platforms.

+description: Move to Microsoft Defender for Endpoint, which includes Microsoft Defender Antivirus for your endpoint protection solution.

+description: Get ready to move to Microsoft Defender for Endpoint. Update your devices and configure your network connections.

+> The standalone versions of Defender for Endpoint Plan 1 and Plan 2 do not include server licenses. To onboard servers, you'll need an additional license, such as either Defender for Endpoint for Servers, or [Defender for Servers Plan 1 or Plan 2](/azure/defender-for-cloud/plan-defender-for-servers-select-plan). To learn more, see [Defender for Endpoint onboarding Windows Server](onboard-windows-server.md).

+description: Move to Defender for Endpoint. Review the setup process, which includes installing Microsoft Defender Antivirus.

+**Congratulations**! You've completed the Setup phase of [migrating to Defender for Endpoint](switch-to-mde-overview.md#the-migration-process)!

+description: Move to Microsoft Defender for Endpoint. Onboard devices and then uninstall your non-Microsoft solution.

+# Migrate to Microsoft Defender for Endpoint - Phase 3: Onboard

+> The standalone versions of Defender for Endpoint Plan 1 and Plan 2 do not include server licenses. To onboard servers, you'll need an additional license, such as either Defender for Endpoint for Servers, or [Defender for Servers Plan 1 or Plan 2](/azure/defender-for-cloud/plan-defender-for-servers-select-plan). To learn more, see [Defender for Endpoint onboarding Windows Server](onboard-windows-server.md).

+Then your next step is to uninstall your non-Microsoft antivirus, antimalware, and endpoint protection solution. When you uninstall your non-Microsoft solution, Microsoft Defender Antivirus changes from passive mode to active mode. In most cases, this happens automatically.

+## Next step

+ Title: Troubleshooting issues when moving to Microsoft Defender for Endpoint

+description: Learn how to troubleshoot issues when you migrate to Microsoft Defender for Endpoint.

+# Troubleshooting issues when migrating to Microsoft Defender for Endpoint

+This article provides troubleshooting information for security administrators who are experiencing issues when moving from a non-Microsoft endpoint protection solution to Microsoft Defender for Endpoint.

+When you migrate to Defender for Endpoint, you begin with your non-Microsoft antivirus/antimalware protection in active mode. As part of the setup process, you configure Microsoft Defender Antivirus in passive mode. Occasionally, your non-Microsoft antivirus/antimalware solution might prevent Microsoft Defender Antivirus from running on Windows Server. In fact, it can look like Microsoft Defender Antivirus has been removed from Windows Server.

+<th colspan="2">Event ID: 1121</th>

+</tr>

+<tr><td>

+Symbolic name:

+</td>

+<td >

+<b>(TBD)</b>

+</td>

+</tr>

+<tr>

+<td>

+Message:

+</td>

+<td >

+<b>Event when an attack surface reduction rule fires in block mode.</b>

+</td>

+</tr>

+<tr>

+<td>

+Description:

+</td>

+<td >

+TBD.

+<dl>

+<dt>Current Platform Version: &lt;Current platform version&gt;</dt>

+<dt>Threat Resource Path: &lt;Path&gt;</dt>

+<dt>Hashes: &lt;Hashes&gt;</dt>

+</dl>

+</td>

+</tr>

+<tr>

+<td></td>

+<td >

+<div class="alert"><b>Note: whatgoeshere?: <b>TBD</b>.</div>

+<div> </div>

+</td>

+</tr>

+<tr>

+- [Tamper protection](prevent-changes-to-security-settings-with-tamper-protection.md) can now protect exclusions when deployed with Microsoft Intune. See [What about exclusions](prevent-changes-to-security-settings-with-tamper-protection.md#what-about-exclusions)?

+When you select a model from the list, a flyout panel will open with the model software details.

+ :::image type="content" source="../../media/defender-vulnerability-management/processors.png" alt-text="Screenshot of the Processors page" lightbox="../../media/defender-vulnerability-management/processors.png":::

+ Title: Authenticated scan for Windows in Defender Vulnerability Management

+description: Find out about how to create Authenticated scans for Windows

+# Authenticated scan for Windows

+Authenticated scan for Windows provides the ability to run scans on unmanaged Windows devices. You can remotely target by IP ranges or hostnames and scan Windows services by providing Microsoft Defender Vulnerability Management with credentials to remotely access the devices. Once configured the targeted unmanaged devices will be scanned regularly for software vulnerabilities.

+The following section lists the pre-requisites you need to configure to use Authenticated scan for Windows.

+### Authenticated scan for Windows APIs

+description: The Defender Experts for Hunting service publishes reports to help you understand all the threats the hunting service surfaced in your environment

+Microsoft Defender Experts for Hunting layers human intelligence and expert-trained technology to help Microsoft 365 Defender customers understand the significant threats they face. It highlights how Defender Expert's threat hunting skills, thorough understanding of the threat landscape, and knowledge of emerging threats can help you identify, prioritize, and address those threats in your environment.

+The Defender Experts for Hunting service generates reports to help you understand all the threats the hunting service surfaced in your environment, alongside the alerts generated by your Microsoft 365 Defender products. You can view the report in the current (running) month, or in one-, three-, or six-month periods.

+To view the report in your Microsoft 365 Defender portal, go to **Reports**, select **Defender Experts** > **Defender Experts for Hunting report**. Each section of the report is designed to provide more insights into the threats and suspicious activities our Defender Experts found in your environment.

+

+## Identify prevalent threats and other potential attack entry points

+Signals from Microsoft 365 Defender and investigations by Defender Experts for Hunting help identify suspicious activities in your environment. Significant threat activities will have corresponding [Defender Experts Notifications](/microsoft-365/security/defender/onboarding-defender-experts-for-hunting#receive-defender-experts-notifications), which also provide recommendations to remediate and defend your organization.

+The report provides you with the total number of Defender Experts Notifications our experts have sent for your chosen period:

+

+To view these notifications, select **View Defender Experts Notifications**. This button redirects you to the Microsoft 365 Defender incidents page. Defender Expert for Hunting alerts or Defender Experts Notifications are labeled with **Defender Experts**.

+> The **View Defender Experts Notifications** button only appears if the number of threats identified is at least 1.

+All other identified suspicious activities are summarized in a table in the **Threat categories** section of the report. The columns represent the different threat attack tactics and categories to help you visualize what an activity is trying to achieve in each attack phase so you can plan the corresponding containment and remediation actions.

+If an activity has a related Defender Expert Notification, its corresponding icon also appears under the activity name.

+Selecting an identified suspicious activity opens a flyout panel detailing the impacted devices and users:

+

+If applicable, the page also provides links to view related Defender Expert Notifications.

+## Know and understand the security weak spots in your environment

+The **Top trending suspicious activities** section of the report identifies up to 20 suspicious activities that were consistently observed in your environment in the last three months, sorted based on their severity rating and frequency of occurrence:

+

+By showing the most critical and frequently observed activities, you can assess and evaluate their impact and develop strategies to prevent or mitigate potential threats to your environment

+Select **View details** in each card to open a flyout panel detailing the impacted devices and users. If applicable, the page also provides links to view related Defender Expert Notifications.

+- [Deploy Microsoft Defender for Identity with Microsoft 365 Defender](/defender-for-identity/deploy-defender-identity)

+| **[UrlClickEvents](advanced-hunting-urlclickevents-table.md)**|Public preview |Not available |Not available |Not available |

+- The new Microsoft Defender Experts for Hunting report is now available. The report's new interface now lets customers have more contextual details about the suspicious activities Defender Experts have observed in their environments. It also shows which suspicious activities have been continuously trending from month to month. For details, see [Understand the Defender Experts for Hunting report in Microsoft 365 Defender](defender-experts-report.md).

+ > You can specify a maximum of 50 custom domains in each anti-phishing policy.

+ |Messages quarantined by anti-malware policies (malware messages).|30 days|No|If you turn on common attachments filtering in anti-malware policies (in the default policy or in custom policies), file attachments in email messages to the affected recipients are treated as malware based solely on the file extension. A predefined list of mostly executable file types is used by default, but you can customize the list. For more information, see [Anti-malware policies](anti-malware-protection-about.md#anti-malware-policies).|

+1. On the main page for the specific report, select :::image type="icon" source="../../media/m365-cc-sc-create-icon.png"::: **Create schedule**.

+<! [!VIDEO https://videoplayercdn.osi.office.net/hub/?csid=ux-cms-en-us-msoffice&uuid=RE2jvOb&AutoPlayVideo=false] >

+Once a user reports a suspicious message that's delivered to the reporting mailbox, the user and admins can't undo the reported message. The user can recover the messages from their Deleted Items or Junk Email folders.

+ Title: Errors during admin submissions

+f1.keywords:

+- NOCSH

+audience: Admin

+ms.localizationpriority: medium

+ - m365-security

+description: Learn about the errors that admins might encounter when they try to report email, URLs, and email attachments to Microsoft as false positives and false negatives.

+search.appverid: met150

+# Errors during admin submissions

+**Applies to**

+- [Exchange Online Protection](eop-about.md)

+- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md)

+- [Microsoft 365 Defender](../defender/microsoft-365-defender.md)

+This article attempts to explain the common error messages tha you might receive as you try to [report emails, URLs, and email attachments to Microsoft](submissions-admin.md)

+## This message didn't pass through our mail flow system, or the message metadata isn't available yet error

+If you encounter this error message, then either of the following conditions might have occured:

+- You tried to submit an email message that wasn't filtered by Exchange Online Protection (EOP) or Microsoft Defender for Office 365 at the time of delivery.

+ It's hard for us to determine why the message was missed or delivered when it wasn't filtered by Microsoft's protection stack.

+- You tried to submit an email message that was filtered by EOP or Defender for Office 365, but we're still in the process of collecting the required metadata (descriptive data) about the message.

+ If you wait "a while" and submit the message again, the submission will be successful.

+|[The Submissions page in the Microsoft 365 Defender portal](submissions-admin.md)|Admin|Admins use this method to submit good (false positive) and bad (false negative) entities including user-reported messages to Microsoft for further analysis. Tabs include **Email**, **Email attachments**, **URLs**, and **Files**. Note that **Files** is only available to users with Microsoft Defender for Endpoint P2 license, Microsoft Defender for Office P2 license, and Microsoft 365 Defender E5 license.. The Submissions page is available to organizations who have Exchange Online mailboxes as part of a Microsoft 365 subscription (not available in standalone EOP).|

+> [!TIP]

+> Information is blocked from going outside the organization when data isn't supposed to leave the tenant boundary for compliance purposes (for example, in U.S. Government organizations: Microsoft 365 GCC, GCC High, and DoD). Reporting a message or file to Microsoft from one of these organizations will have the following message in the result details:

+> **Further investigation needed**. Your tenant doesn't allow data to leave the environment, so nothing was found during the initial scan. You'll need to contact Microsoft support to have this item reviewed.

+> [!NOTE]

+> When you report an email entity to Microsoft, everything associated with the email is copied to include it in the continual algorithm reviews. This copy includes the email content, email headers, and related data about email routing. Any message attachments are also included.

+> Microsoft treats your feedback as your organization's permission to analyze all the information to fine tune the message hygiene algorithms. Your message is held in secured and audited data centers in the USA. The submission is deleted as soon as it's no longer required. Microsoft personnel might read your submitted messages and attachments, which is normally not permitted for email in Microsoft 365. However, your email is still treated as confidential between you and Microsoft, and your email or attachments isn't shared with any other party as part of the review process.

+The Tenant Allow/Block List in the Microsoft 365 Defender portal gives you a way to manually override the Microsoft 365 filtering verdicts. The Tenant Allow/Block List is used during mail flow for incoming messages from external senders. Note that it doesn't apply to messages within the organization.

+Use the Submissions portal (also known as *admin submission*) at <https://security.microsoft.com/reportsubmission> to create block entries for the following types of items as you report them as false negatives to Microsoft:

+- **Files**: Email messages that contain these blocked files are marked as malware and moved to quarantine.

+You can make the following modifications to entries for domains and email addresses in the Tenant Allow/Block list:

+- **Block enries**: The expiration date and notes.

+- **Allow entries**: Notes.

+ - **Remove block entry after**: You can extend block entries for a maximum of 90 days after the creation date or set them to **Never expire**.

+You can make the following modifications to entries for files in the Tenant Allow/Block list:

+- **Block enries**: The expiration date and notes.

+- **Allow entries**: Notes.

+ - **Remove block entry after**: You can extend block entries for a maximum of 90 days after the creation date or set them to **Never expire**.

+You can make the following modifications to entries for URLs in the Tenant Allow/Block list:

+- **Block enries**: The expiration date and notes.

+- **Allow entries**: Notes.

+-

+ - **Remove block entry after**: You can extend block entries for a maximum of 90 days after the creation date or set them to **Never expire**.

+ Title: Create a rule to move or copy a file from one document library to another in Microsoft Syntex

+audience: admin

+search.appverid:

+ - enabler-strategic

+ - m365initiative-syntex

+ms.localizationpriority: medium

+description: Learn how to create a rule to move or copy a file to another SharePoint document library in Microsoft Syntex.

+# Create a rule to move or copy a file from one document library to another in Microsoft Syntex

+Microsoft Syntex lets you build simple rules-driven actions in document libraries based on metadata. From a document library, you can create rules to automate tasks such as sending a notification when metadata changes in a file, when a new file is created in the library, or when files are moved or copied based on metadata extracted by Syntex models.

+You'll choose a condition that triggers the rule and the action that the rule will take.

+For example, you can create a rule to move files tagged with a specific customer to a specific library or folder. These rules help you structure your content architecture with the power of AI-driven processing.

+Document libraries can have multiple move and copy rules to support moving and copying files to different destination libraries based on metadata criteria.

+> [!NOTE]

+> This feature is available only for users who are licensed for Syntex.

+## Move or copy a file

+To move or copy a file from one document library to another, follow these steps.

+1. In the document library, select **Automate** > **Rules** > **Create a rule**.

+ 

+2. On the **Create a rule** page, select a condition that triggers the rule and the action that the rule will take. In this case, select **A new file is added**.

+ 

+ Your selection here creates a rule statement that you'll complete in the next step.

+3. To complete the rule statement, under **When a new file is added**:

+ 1. Select **Choose action**, and then:

+ - To copy a file, select **copy file to**.

+ - To move a file, select **move file to**.

+ 

+ 2. Select **Enter a site name or address**, and then select the site that contains the document library you want the file moved or copied to.

+ 

+ When you select **Enter a site name or address**, you can either select from the list of recent sites or enter the name or URL of another site.

+ 3. Select **Choose a library**, and then select the document library you want the file moved or copied to.

+ 

+ When you select **Choose a library**, you can either select from the list of suggested libraries or enter the name of another library.

+ > [!NOTE]

+ > If you try to set up a rule to move or copy a file to a library that already has a move or copy rule applied, you'll receive a message saying that you need to disable all move or copy rules on the destination library. To disable a rule, see [Manage a rule](#manage-a-rule).<br>

+ >

+4. When your rule statement is complete, select **Create**. You'll see the new rule on the **Manage rules** page.

+## Manage a rule

+1. In the document library, select **Automate** > **Rules** > **Manage rules**.

+ 

+2. On the **Manage rules** page, you can see the rules that have been applied. You can turn on or off a rule or [create a new rule](#move-or-copy-a-file) to automate actions on a specific document library.

+ 

+## View the activity feed of a document library

+When a file is moved or copied, you'll see an update in the source library activity feed. The updates occur in both the source library and the target library.

+In the document library, in the upper-right corner of the page, select the details pane icon () to view the recent history, activity, and rules that have been applied to the library.

+ 

+> [!NOTE]

+> Currently, the activity feed shows only move activity. Copy activity will be available in a future release.

+|  | **OCR considerations** <br>This model uses optical character recognition (OCR) technology to scan .pdf files, image files, and .tiff files. OCR processing works best on documents that meet the following requirements: <br> - File format of .jpg, .png, or .pdf (text or scanned). Text-embedded .pdf files are better, because there won't be any errors in character extraction and location. <br> - If your .pdf files are password-locked, you must remove the lock before submitting them. <br> - The combined file size of the documents used for training per collection must not exceed 50 MB, and PDF documents shouldn't have more than 500 pages. <br> - For images, dimensions must be between 50 x 50 and 10,000 x 10,000 pixels. Images that are very wide or have odd dimensions (for example, floor plans) might get truncated in the OCR process and lose accuracy. <br> - For .pdf files, dimensions must be at most 11 x 17 inches, corresponding to Legal or A3 paper sizes and smaller. <br> - If scanned from paper documents, scans should be high-quality images. <br> - Must use the Latin alphabet (English characters). <br> Note the following differences about Microsoft Office text-based files and OCR-scanned files (.pdf, image, or .tiff): <br> - Office files: Truncated at 64,000 characters (in training and when run against files in a document library). <br> - OCR-scanned files: There's a 500-page limit. Only PDF and image file types are processed by OCR. |

+|  | **OCR considerations** <br>This model uses optical character recognition (OCR) technology to scan .pdf files, image files, and .tiff files. OCR processing works best on documents that meet the following requirements: <br> - File format of .jpg, .png, or .pdf (text or scanned). Text-embedded .pdf files are better, because there won't be any errors in character extraction and location. <br> - For .pdf and .tiff files, up to 2,000 pages can be processed. <br> - The file size must be less than 50 MB. <br> - For images, dimensions must be between 50 x 50 and 10,000 x 10,000 pixels. <br> - For .pdf files, dimensions must be at most 11 x 17 inches, corresponding to Legal or A3 paper sizes and smaller. <br> - The total size of the training data is 500 pages or less. <br> Note the following differences about Microsoft Office text-based files and OCR-scanned files (.pdf, image, or .tiff): <br> - Office files: Truncated at 64,000 characters (in training and when run against files in a document library). <br> - OCR-scanned files: There's a 20-page limit.|

+|  | **OCR considerations** <br>This model uses optical character recognition (OCR) technology to scan .pdf files, image files, and .tiff files. OCR processing works best on documents that meet the following requirements: <br> - File format of .jpg, .png, or .pdf (text or scanned). Text-embedded .pdf files are better, because there won't be any errors in character extraction and location. <br> - For .pdf and .tiff files, up to 2,000 pages can be processed. <br> - The file size must be less than 50 MB. <br> - For images, dimensions must be between 50 x 50 and 10,000 x 10,000 pixels. <br> - For .pdf files, dimensions must be at most 11 x 17 inches, corresponding to Legal or A3 paper sizes and smaller. <br> - The total size of the training data is 500 pages or less. <br> Note the following differences about Microsoft Office text-based files and OCR-scanned files (.pdf, image, or .tiff): <br> - Office files: Truncated at 64,000 characters (in training and when run against files in a document library). <br> - OCR-scanned files: There's a 20-page limit.|