Updates from: 01/19/2022 06:51:07
Category Microsoft Docs article Related commit history on GitHub Change details
admin Activity Reports https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/activity-reports/activity-reports.md
People who have the following permissions:
- Reports reader -- Teams Service Administrator
+- Teams Administrator
- Teams Communications Administrator
admin Restore User https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/add-users/restore-user.md
Here are a couple of tips:
- Make sure licenses are available to assign to the account. -- If your business uses Active Directory, for instrutcions on restoring a user account, see [How to troubleshoot deleted user accounts in Office 365](/office365/troubleshoot/active-directory/restore-deleted-user-accounts).
+- If your business uses Active Directory, for instructions on restoring a user account, see [How to troubleshoot deleted user accounts in Office 365](/office365/troubleshoot/active-directory/restore-deleted-user-accounts).
## Restore one or more user accounts
To fix this, replace the active user account with the one that you are restoring
4. A message pops up that says there was a problem restoring the account. Do one of the following:
- - Cancel the restore and rename the current active user. Then attempt the restore again.
+ - Cancel the restore and rename the current active user. Then attempt the restore again.
- - OR, type a new primary email address for the user and select **Restore**.
+ - OR, type a new primary email address for the user and select **Restore**.
5. Review the results, and then select **Close**.
compliance Compliance Easy Trials https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/compliance-easy-trials.md
See the [terms and conditions](terms-conditions.md) for Microsoft 365 compliance
## Set up a compliance trial
-You can sign up for a trial in the Microsoft 365 compliance center using the **Trials** link in the left navigation pane.
+You can sign up for a trial in the [Microsoft 365 compliance center](https://go.microsoft.com/fwlink/p/?linkid=2077149) using the **Trials** link in the left navigation pane.
## Licensing
compliance Device Onboarding Offboarding Macos Jamfpro https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/device-onboarding-offboarding-macos-jamfpro.md
To get access to this feature, you must register your tenant with Microsoft. See
|accessibility |[accessibility.mobileconfig](https://github.com/microsoft/mdatp-xplat/blob/master/macos/mobileconfig/profiles/accessibility.mobileconfig)| full disk access |[fulldisk.mobileconfig](https://github.com/microsoft/mdatp-xplat/blob/master/macos/mobileconfig/profiles/fulldisk.mobileconfig)| |Network filter| [netfilter.mobileconfig](https://github.com/microsoft/mdatp-xplat/blob/master/macos/mobileconfig/profiles/netfilter.mobileconfig)
-|System extensions |[sysext.mobileconfig](https://github.com/microsoft/mdatp-xplat/blob/master/macos/mobileconfig/profiles/systext.mobileconfig)
+|System extensions |[sysext.mobileconfig](https://github.com/microsoft/mdatp-xplat/blob/master/macos/mobileconfig/profiles/sysext.mobileconfig)
|MDE preference |[schema.json](https://github.com/microsoft/mdatp-xplat/blob/master/macos/settings/data_loss_prevention/schema.json)| |MAU preference|[com.microsoft.autoupdate2.plist](https://github.com/microsoft/mdatp-xplat/blob/master/macos/settings/microsoft_auto_update/com.microsoft.autoupdate2.plist)| |Installation package |downloaded from the compliance portal **Installation package**, file name *\*wdav.pkg*\* |
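Review bot: In the profile table, the corrected sysext.mobileconfig link, like the other rows, still points at `blob/master`, which is a mutable ref, for profiles that grant full disk access, accessibility access, a network filter and system extensions. Consider linking to a tagged release or a specific commit, or telling admins to review the downloaded profile before uploading it to Jamf Pro, so that what gets deployed is the version this article was written against. The fix also shows that link text and URL had drifted apart (`sysext` vs `systext`); a link check on this table would catch that class of error.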
Onboarding a macOS device into Compliance solutions is a multiphase process.
- Distribution method: `install automatically` - Level: `computer level`
-1. In **System extentions** profile, enter these values:
+1. In **System extensions** profile, enter these values:
- Display Name: `Microsoft Corp. System Extensions`
- - System Extenstion Types: `Allowed System Extensions`
+ - System Extension Types: `Allowed System Extensions`
- Team Identifier: `UBF8T346G9` - Allowed System Extensions: `com.microsoft.wdav.epsext`, and `com.microsoft.wdav.netext`
Onboarding a macOS device into Compliance solutions is a multiphase process.
### Configure Network extension
-1. Use the **netfilter.mobileconfig** file that you downloaded from Github.
+1. Use the **netfilter.mobileconfig** file that you downloaded from GitHub.
2. Upload to JAMF as described in [Deploying Custom Configuration Profiles using Jamf Pro](https://www.jamf.com/jamf-nation/articles/648/deploying-custom-configuration-profiles-using-jamf-pro). ### Grant accessibility access to DLP
-1. Use the **accessibility.mobileconfig** file that you downloaded from Github.
+1. Use the **accessibility.mobileconfig** file that you downloaded from GitHub.
2. Upload to JAMF as described in [Deploying Custom Configuration Profiles using Jamf Pro](https://www.jamf.com/jamf-nation/articles/648/deploying-custom-configuration-profiles-using-jamf-pro).
compliance Insider Risk Management Configure https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/insider-risk-management-configure.md
For step-by-step instructions to turn on auditing, see [Turn audit log search on
## Step 3 (optional): Enable and view insider risk analytics insights
-Insider risk management analytics enables you to conduct an evaluation of potential insider risks in your organization without configuring any insider risk policies. This evaluation can help your organization identify potential areas of higher user risk and help determine the type and scope of insider risk management policies you may consider configuring. This evaluation may also help you determine needs for additional licensing or future optimization of existing policies. Analytics scan results may take up to 48 hours before insights are available as reports for review. To learn more about analytics insights, see [Insider risk management settings: Analytics (preview)](insider-risk-management-settings.md#analytics) and check out the [Insider Risk Management Analytics video](https://www.youtube.com/watch?v=5c0P5MCXNXk) to help understand how analytics can help accelerate the identification of potential insider risks and help you to quickly take action.
+Insider risk management analytics enables you to conduct an evaluation of potential insider risks in your organization without configuring any insider risk policies. This evaluation can help your organization identify potential areas of higher user risk and help determine the type and scope of insider risk management policies you may consider configuring. This evaluation may also help you determine needs for additional licensing or future optimization of existing policies. Analytics scan results may take up to 48 hours before insights are available as reports for review. To learn more about analytics insights, see [Insider risk management settings: Analytics](insider-risk-management-settings.md#analytics) and check out the [Insider Risk Management Analytics video](https://www.youtube.com/watch?v=5c0P5MCXNXk) to help understand how analytics can help accelerate the identification of potential insider risks and help you to quickly take action.
To enable insider risk Analytics, you must be a member of the *Insider Risk Management*, *Insider Risk Management Admin*, or Microsoft 365 *Global admin* role group. Complete the following steps to enable insider risk analytics: 1. In the [Microsoft 365 compliance center](https://compliance.microsoft.com), go to **Insider risk management**.
-2. Select **Run scan** on the **Scan for insider risks in your organization** card on the insider risk management **Overview** tab. This action turns on analytics scanning for your organization. You can also turn on scanning in your organization by navigating to **Insider risk settings** > **Analytics (preview)** and enabling **Scan your tenant's user activity to identify potential insider risks**.
+2. Select **Run scan** on the **Scan for insider risks in your organization** card on the insider risk management **Overview** tab. This action turns on analytics scanning for your organization. You can also turn on scanning in your organization by navigating to **Insider risk settings** > **Analytics** and enabling **Scan your tenant's user activity to identify potential insider risks**.
3. On the **Analytics details** pane, select **Run scan to start the scan for your organization**. Analytics scan results may take up to 24 hours before insights are available as reports for review. After reviewing the analytics insights, choose the insider risk policies and configure the associated prerequisites that best meet your organization's insider risk mitigation strategy.
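Review bot: The turnaround for scan results is stated two ways in this section: the rewritten Step 3 intro paragraph keeps "Analytics scan results may take up to 48 hours", while the unchanged step 3 of the procedure says "may take up to 24 hours". Since this change already touches the paragraph, settle on one figure and use it in both places.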
compliance Insider Risk Management Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/insider-risk-management-policies.md
The **Policy dashboard** allows you to quickly see the policies in your organiza
![Insider risk management policy dashboard.](../media/insider-risk-policy-dashboard.png)
-## Policy recommendations from analytics (preview)
+## Policy recommendations from analytics
Insider risk analytics enables you to conduct an evaluation of potential insider risks in your organization without configuring any insider risk policies. This evaluation can help your organization identify potential areas of higher user risk and help determine the type and scope of insider risk management policies you may consider configuring.
-To learn more about insider risk analytics and policy recommendations, see [Insider risk management settings: Analytics (preview)](insider-risk-management-settings.md#analytics).
+To learn more about insider risk analytics and policy recommendations, see [Insider risk management settings: Analytics](insider-risk-management-settings.md#analytics).
## Policy templates
compliance Insider Risk Management Settings https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/insider-risk-management-settings.md
Complete the following steps to enable insider risk analytics:
### Viewing analytics insights and creating new policies
-After the first analytics scan is complete for your organization, you can view the insights and recommendations for potentially risky activities by your users. Daily scans will continue unless you turn off analytics for your organization. To view potential risks for your organization, go to the **Overview** tab and select **View results** on the **Insider risk analytics (preview)** card. If the scan for your organization isn't complete, you'll see a message that the scan is still active.
+After the first analytics scan is complete for your organization, you can view the insights and recommendations for potentially risky activities by your users. Daily scans will continue unless you turn off analytics for your organization. To view potential risks for your organization, go to the **Overview** tab and select **View results** on the **Insider risk analytics** card. If the scan for your organization isn't complete, you'll see a message that the scan is still active.
![Insider risk management analytics report ready card.](../media/insider-risk-analytics-ready-card.png)
compliance Insider Risk Management https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/insider-risk-management.md
Insider risk management is centered around the following principles:
- **Integrated**: Integrated workflow across Microsoft 365 compliance solutions. - **Actionable**: Provides insights to enable reviewer notifications, data investigations, and user investigations.
-## Identifying potential risks with analytics (preview)
+## Identifying potential risks with analytics
Insider risk analytics enables you to conduct an evaluation of potential insider risks in your organization without configuring any insider risk policies. This evaluation can help your organization identify potential areas of higher user risk and help determine the type and scope of insider risk management policies you may consider configuring. This evaluation may also help you determine needs for additional licensing or future optimization of existing insider risk policies.
compliance Sensitivity Labels Office Apps https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sensitivity-labels-office-apps.md
The numbers listed are the minimum Office application versions required for each
|--|-:|-|-|--|-| |[Manually apply, change, or remove label](https://support.microsoft.com/en-us/office/apply-sensitivity-labels-to-your-files-and-email-in-office-2f96e7cd-d5a4-403b-8bd7-4cc636bae0f9)| Current Channel: 1910+ <br /><br> Monthly Enterprise Channel: 1910+ <br /><br> Semi-Annual Enterprise Channel: 2002+ | 16.21+ | 2.21+ | 16.0.11231+ | [Yes - opt-in](sensitivity-labels-sharepoint-onedrive-files.md) | |[Apply a default label](sensitivity-labels.md#what-label-policies-can-do) to new documents | Current Channel: 1910+ <br /><br> Monthly Enterprise Channel: 1910+ <br /><br> Semi-Annual Enterprise Channel: 2002+ | 16.21+ | 2.21+ | 16.0.11231+ | [Yes - opt-in](sensitivity-labels-sharepoint-onedrive-files.md) |
-|[Apply a default label](sensitivity-labels.md#what-label-policies-can-do) to existing documents | Preview: [Beta Channel](https://office.com/insider) | Preview: [Beta Channel](https://office.com/insider) | Under review | Under review | Rolling out: [Yes - opt-in](sensitivity-labels-sharepoint-onedrive-files.md) |
+|[Apply a default label](sensitivity-labels.md#what-label-policies-can-do) to existing documents | Preview: Rolling out to [Current Channel (Preview)](https://office.com/insider) | Preview: Rolling out to [Current Channel (Preview)](https://office.com/insider) | Under review | Under review | Rolling out: [Yes - opt-in](sensitivity-labels-sharepoint-onedrive-files.md) |
|[Require a justification to change a label](sensitivity-labels.md#what-label-policies-can-do) | Current Channel: 1910+ <br /><br> Monthly Enterprise Channel: 1910+ <br /><br> Semi-Annual Enterprise Channel: 2002+ | 16.21+ | 2.21+ | 16.0.11231+ | [Yes - opt-in](sensitivity-labels-sharepoint-onedrive-files.md) | |[Provide help link to a custom help page](sensitivity-labels.md#what-label-policies-can-do) | Current Channel: 1910+ <br /><br> Monthly Enterprise Channel: 1910+ <br /><br> Semi-Annual Enterprise Channel: 2002+ | 16.21+ | 2.21+ | 16.0.11231+ | [Yes - opt-in](sensitivity-labels-sharepoint-onedrive-files.md) | |[Mark the content](sensitivity-labels.md#what-sensitivity-labels-can-do) | Current Channel: 1910+ <br /><br> Monthly Enterprise Channel: 1910+ <br /><br> Semi-Annual Enterprise Channel: 2002+ | 16.21+ | 2.21+ | 16.0.11231+ | [Yes - opt-in](sensitivity-labels-sharepoint-onedrive-files.md) |
The Office built-in labeling client downloads sensitivity labels and sensitivity
To use the Office built-in labeling client, you must have one or more [label policies published](create-sensitivity-labels.md#publish-sensitivity-labels-by-creating-a-label-policy) to users from the compliance center, and a [supported version of Office](#support-for-sensitivity-label-capabilities-in-apps).
-If both of these conditions are met but you need to turn off the built-in labels in Office apps, use the following Group Policy setting:
+If both of these conditions are met but you need to turn off the built-in labels in Windows Office apps, use the following Group Policy setting:
1. Navigate to **User Configuration/Administrative Templates/Microsoft Office 2016/Security Settings**. 2. Set **Use the Sensitivity feature in Office to apply and view sensitivity labels** to **0**.
-Deploy this setting by using Group Policy, or by using the [Office cloud policy service](/DeployOffice/overview-office-cloud-policy-service). The setting takes effect when Office apps restart.
+Deploy this setting by using Group Policy, or by using the [Office cloud policy service](/DeployOffice/overview-office-cloud-policy-service). The setting takes effect when these Office apps restart.
+
+Because this setting is specific to Windows Office apps, it has no impact on other apps on Windows that support sensitivity labels (such as Power BI) or other platforms (such as macOS, mobile devices, and Office for the web). If you don't want some or all users to see and use sensitivity labels across all apps, all platforms, don't assign a sensitivity label policy to those users.
### Office built-in labeling client and the Azure Information Protection client
-If users have the [Azure Information Protection client](/azure/information-protection/rms-client/aip-clientv2) installed on their Windows computers, by default, built-in labels are turned off in [Office apps that support them](#labeling-client-for-desktop-apps). Because built-in labels don't use an Office add-in, as used by the Azure Information Protection client, they have the benefit of more stability and better performance. They also support the latest features, such as advanced classifiers.
+If users have the [Azure Information Protection client](/azure/information-protection/rms-client/aip-clientv2) installed on their Windows computers, by default, built-in labels are turned off in [Windows Office apps that support them](#labeling-client-for-desktop-apps). Because built-in labels don't use an Office add-in, as used by the Azure Information Protection client, they have the benefit of more stability and better performance. They also support the latest features, such as advanced classifiers.
Rather than uninstalling the Azure Information Protection client, we recommend you prevent the Azure Information Protection add-in from loading in Office apps. Then, you get the benefits of built-in labeling in Office apps, and the benefits of the Azure Information Protection client labeling files outside Office apps. For example, the Azure Information Protection client can label all file types by using File Explorer and PowerShell. For more information about the labeling features supported outside Office apps, see [Sensitivity labels and Azure Information Protection](sensitivity-labels.md#sensitivity-labels-and-azure-information-protection).
-To prevent the Azure Information Protection client add-in loading in Office apps, use the Group Policy setting **List of managed add-ins** as documented in [No Add-ins loaded due to group policy settings for Office 2013 and Office 2016 programs](https://support.microsoft.com/help/2733070/no-add-ins-loaded-due-to-group-policy-settings-for-office-2013-and-off).
+To prevent the Azure Information Protection client add-in loading in Windows Office apps, use the Group Policy setting **List of managed add-ins** as documented in [No Add-ins loaded due to group policy settings for Office 2013 and Office 2016 programs](https://support.microsoft.com/help/2733070/no-add-ins-loaded-due-to-group-policy-settings-for-office-2013-and-off).
-For your Office apps that support built-in labeling, use the configuration for Microsoft Word 2016, Excel 2016, PowerPoint 2016, and Outlook 2016, specify the following programmatic identifiers (ProgID) for the Azure Information Protection client, and set the option to **0: The add-in is always disabled (blocked)**
+For your Windows Office apps that support built-in labeling, use the configuration for Microsoft Word 2016, Excel 2016, PowerPoint 2016, and Outlook 2016, specify the following programmatic identifiers (ProgID) for the Azure Information Protection client, and set the option to **0: The add-in is always disabled (blocked)**
|Application |ProgID | |||
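Review bot: The "Windows" qualifier is applied to only part of the Azure Information Protection section: the changed paragraphs now say "Windows Office apps", but the unchanged paragraph between them still recommends preventing the add-in "from loading in Office apps" and speaks of "built-in labeling in Office apps". Add the qualifier there too, or state once at the top of the section that it covers Office on Windows. In the new paragraph about other platforms, "across all apps, all platforms" reads better as "across all apps and platforms".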
contentunderstanding Powershell Syntex Explanations https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/contentunderstanding/powershell-syntex-explanations.md
+
+ Title: Work with document understanding model explanations in PowerShell
++++
+audience: admin
++
+ - enabler-strategic
+ - m365initiative-syntex
+search.appverid: MET150
+ms.localizationpriority: normal
+description: "Learn about work with SharePoint Syntex document understanding model explanations in PowerShell"
+
+# Work with document understanding model explanations in PowerShell
+
+> [!IMPORTANT]
+> The SharePoint Syntex PowerShell cmdlets and all other PnP components are open-source tools backed by an active community providing support for them. There is no SLA for open-source tool support from official Microsoft support channels.
+
+Custom explanation templates are stored in a list within a content center. Because these explanations are stored as list items, PowerShell can be used to interact with them.
+
+## List saved explanations
+
+This example shows how to view all of the custom explanation templates that have been saved on a specific content center.
+
+```PowerShell
+$contentCenterURL = "https://contoso.sharepoint.com/sites/yourContentCenter"
+
+# Connect to content center
+Connect-PnPOnline -url $contentCenterURL
+
+# Load explanation templates list and items
+$explanationTemplatesList = Get-PnPList -Identity "/Explanations"
+$explanations = Get-PnPListItem -List $explanationTemplatesList -Fields "Id", "Title", "ExplanationName", "ExplanationType", "ExplanationDescription","ExplanationContent"
+
+# Extract explanation components
+$explanationValues = $explanations.fieldvalues
+$explanationOutput = @()
+
+foreach ($explanation in $explanationValues) {
+ $content = $explanation.ExplanationContent
+ $content = $content.replace('false','"false"')
+ $content = $content.replace('true','"true"')
+ $contentArray = $content | ConvertFrom-Json
+
+ $output = New-Object -TypeName PSObject
+ Add-Member -InputObject $output -MemberType NoteProperty -Name "Explanation Name" -Value $explanation.ExplanationName
+ Add-Member -InputObject $output -MemberType NoteProperty -Name "Explanation Description" -Value $explanation.ExplanationDescription
+ Add-Member -InputObject $output -MemberType NoteProperty -Name "Explanation Type" -Value $contentArray.kind
+ Add-Member -InputObject $output -MemberType NoteProperty -Name "RegEx Pattern" -Value $contentArray.pattern
+ Add-Member -InputObject $output -MemberType NoteProperty -Name "Phrase List" -Value $contentArray.ngrams
+ Add-Member -InputObject $output -MemberType NoteProperty -Name "Case Sensitive" -Value $contentArray.caseSensitive
+ Add-Member -InputObject $output -MemberType NoteProperty -Name "Ignore Digit Identity" -Value $contentArray.ignoreDigitIdentity
+ Add-Member -InputObject $output -MemberType NoteProperty -Name "Ignore Letter Identity" -Value $contentArray.ignoreLetterIdentity
+
+ $explanationOutput += $output
+}
+
+$explanationOutput
+```
+
+## Create a phrase list explanation
+
+This example shows how to create a custom phrase list explanation template.
+
+```PowerShell
+$contentCenterURL = "https://contoso.sharepoint.com/sites/yourContentCenter"
+$explanationName = "Phrase Explanation A"
+$explanationDescription = "This is my explanation"
+$phrases = "Phrase 1", "Phrase 2"
+$caseSensitive = $false
+$ignoreDigitIdentity= $false
+$ignoreLetterIdentity = $false
+
+# Connect to content center
+Connect-PnPOnline -url $contentCenterURL
+
+# Load explanation templates list
+$explanationTemplatesList = Get-PnPList -Identity "/Explanations"
+
+#Generate GUID for explanation
+$guid = New-Guid
+
+#Format phrase list
+$phrases = $phrases -join "`",`""
+
+#Convert booleans to lower case strings
+$caseSensitive = ($caseSensitive.ToString()).ToLower()
+$ignoreDigitIdentity= ($ignoreDigitIdentity.ToString()).ToLower()
+$ignoreLetterIdentity = ($ignoreLetterIdentity.ToString()).ToLower()
+
+# Build explanation content
+$explanationContent = "{`"id`":`"$guid`",`"kind`":`"dictionaryFeature`",`"name`":`"$explanationName`",`"active`":true,`"nGrams`":[`"$phrases`"],`"caseSensitive`":$caseSensitive,`"ignoreDigitIdentity`":$ignoreDigitIdentity,`"ignoreLetterIdentity`":$ignoreLetterIdentity}"
+
+# Create item in explanation list
+Add-PnPListItem -List $explanationTemplatesList -Values @{"Title"= $explanationName; "ExplanationName" = $explanationName; "ExplanationDescription" = $explanationDescription; "ExplanationContent" = $explanationContent}
+```
+
+## Create a regular expression explanation
+
+This example shows how to create a custom regular expression explanation template.
+
+```PowerShell
+$contentCenterURL = "https://contoso.sharepoint.com/sites/yourContentCenter"
+$explanationName = "RegEx Explanation A"
+$explanationDescription = "This is my explanation"
+$pattern = "\b(https?):\/\/\S+"
+
+# Connect to content center
+Connect-PnPOnline -url $contentCenterURL
+
+# Load explanation templates list
+$explanationTemplatesList = Get-PnPList -Identity "/Explanations"
+
+#Generate GUID for explanation
+$guid = New-Guid
+
+# Build explanation content
+$pattern = $pattern.Replace('\','\\')
+$explanationContent = "{`"id`":`"$guid`",`"kind`":`"regexFeature`",`"name`":`"$explanationName`",`"active`":true,`"pattern`":`"$pattern`"}"
+
+# Create item in explanation list
+Add-PnPListItem -List $explanationTemplatesList -Values @{"Title"= $explanationName; "ExplanationName" = $explanationName; "ExplanationDescription" = $explanationDescription; "ExplanationContent" = $explanationContent}
+```
+
+## Create a phrase list explanation based on a term set
+
+This example shows how to create a custom phrase list explanation template, by taking the values from a term set. This includes the preferred term names and any synonyms.
+
+```PowerShell
+$contentCenterURL = "https://contoso.sharepoint.com/sites/yourContentCenter"
+$termSetName = "Terms"
+$termGroupName = "GroupA"
+$explanationName = "MMS Explanation A"
+$explanationDescription = "This is my explanation"
+$caseSensitive = $false
+$ignoreDigitIdentity= $false
+$ignoreLetterIdentity = $false
+
+# Connect to content center
+Connect-PnPOnline -url $contentCenterURL
+
+# Load explanation templates list
+$explanationTemplatesList = Get-PnPList -Identity "/Explanations"
+
+#Generate GUID for explanation
+$guid = New-Guid
+
+#Get term set, including preferred labels and synonyms
+$terms = Get-PnPTerm -TermGroup $termGroupName -TermSet $termSetName -Includes Labels
+$phrases = $terms.labels.value
+
+#Format phrase list
+$phrases = $phrases -join "`",`""
+
+#Convert booleans to lower case strings
+$caseSensitive = ($caseSensitive.ToString()).ToLower()
+$ignoreDigitIdentity= ($ignoreDigitIdentity.ToString()).ToLower()
+$ignoreLetterIdentity = ($ignoreLetterIdentity.ToString()).ToLower()
+
+# Build explanation content
+$explanationContent = "{`"id`":`"$guid`",`"kind`":`"dictionaryFeature`",`"name`":`"$explanationName`",`"active`":true,`"nGrams`":[`"$phrases`"],`"caseSensitive`":$caseSensitive,`"ignoreDigitIdentity`":$ignoreDigitIdentity,`"ignoreLetterIdentity`":$ignoreLetterIdentity}"
+
+# Create item in explanation list
+Add-PnPListItem -List $explanationTemplatesList -Values @{"Title"= $explanationName; "ExplanationName" = $explanationName; "ExplanationDescription" = $explanationDescription; "ExplanationContent" = $explanationContent}
+```
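Review bot: All three create examples assemble `ExplanationContent` by interpolating `$explanationName`, `$phrases` and `$pattern` into a hand-written JSON string, and only the regular expression example escapes anything (backslashes, via `$pattern.Replace('\','\\')`). A name, phrase or term label that contains a double quote or backslash will produce invalid JSON or change the structure of the stored item, and in the term set example those values come from the term store rather than from the script author. Build the object as a hashtable and serialize it with `ConvertTo-Json -Compress` so that escaping and boolean formatting are handled for you. In the list example, the two `$content.replace(...)` calls rewrite every occurrence of `true` and `false` in the stored JSON, including inside phrases and patterns, before `ConvertFrom-Json` runs; the create examples write these fields as JSON booleans, which `ConvertFrom-Json` parses directly, so those two lines can be dropped. The front-matter description "Learn about work with SharePoint Syntex ..." also needs rewording.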
contentunderstanding Powershell Syntex Import Export https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/contentunderstanding/powershell-syntex-import-export.md
+
+ Title: Export and import document understanding models with PowerShell
++++
+audience: admin
++
+ - enabler-strategic
+ - m365initiative-syntex
+search.appverid: MET150
+ms.localizationpriority: normal
+description: "Learn about how to export and import document understanding models with PowerShell in SharePoint Syntex"
++
+# Export and import document understanding models with PowerShell
+
+> [!IMPORTANT]
+> The SharePoint Syntex PowerShell cmdlets and all other PnP components are open-source tools backed by an active community providing support for them. There is no SLA for open-source tool support from official Microsoft support channels.
+
+SharePoint Syntex models can be exported as PnP templates, enabling reuse across Content Centers or tenants.
+
+## Export all models in a Content Center
+
+To export all models in a Content Center into a single PnP template, use the following [PnP PowerShell](https://pnp.github.io/powershell/) cmdlets:
+
+```powershell
+Connect-PnPOnline -Url "https://contoso.sharepoint.com/sites/yourContentCenter"
+
+Get-PnPSiteTemplate -Out MyModels.pnp -Handlers SyntexModels
+```
+
+## Export Specific Models
+
+To export specific models from a Content Center into a PnP template, use the following [PnP PowerShell](https://pnp.github.io/powershell/) cmdlets:
+
+```powershell
+Connect-PnPOnline -Url "https://contoso.sharepoint.com/sites/yourContentCenter"
+
+Get-PnPSiteTemplate -Out MyModels.pnp -Configuration .\extract.json
+```
+
+The extract.json defines which models you want to export, allowing to specify model by name or ID and optionally configuring to not extract training data
+
+### Example- Specify model by name
+
+```json
+{
+ "$schema": "https://developer.microsoft.com/en-us/json-schemas/pnp/provisioning/202102/extract-configuration.schema.json",
+ "persistAssetFiles": true,
+ "handlers": [
+ "SyntexModels"
+ ],
+ "syntexModels": {
+ "models": [
+ {
+ "name": "Sample - benefits change notice.classifier"
+ }
+ ]
+ }
+}
+```
+
+### Example- Specify model by ID
+
+```json
+{
+ "$schema": "https://developer.microsoft.com/en-us/json-schemas/pnp/provisioning/202102/extract-configuration.schema.json",
+ "persistAssetFiles": true,
+ "handlers": [
+ "SyntexModels"
+ ],
+ "syntexModels": {
+ "models": [
+ {
+ "id": 3,
+ "excludeTrainingData": true
+ }
+ ]
+ }
+}
+```
+
+If you do not include the property "includeTrainingData", the default behavior is to include.
+
+> NOTE: training data is required for a model to be editable when imported to a destination Content Center
+
+## Import models to a content center
+Document understanding models that have been exported to PnP templates can be imported to a content center on any tenant. If the export included training data, then the model will be editable once imported.
+
+To import a model, use the following commands:
+
+```PowerShell
+Connect-PnPOnline -Url "https://contoso.sharepoint.com/sites/yourContentCenter"
+
+Invoke-PnPSiteTemplate -Path .\sampleModel.pnp
+```
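Review bot: The property name in the prose under "Specify model by ID" does not match the example: the JSON sets `"excludeTrainingData": true`, but the sentence after it refers to the property "includeTrainingData". Make the two agree, using the name from the example, for instance by saying that training data is included when `excludeTrainingData` is omitted. The sentence that introduces extract.json is missing its full stop and reads awkwardly at "allowing to specify", and the two "Example- Specify model by ..." headings need a colon or a spaced hyphen.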
contentunderstanding Powershell Syntex Intro https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/contentunderstanding/powershell-syntex-intro.md
+
+ Title: Manage SharePoint Syntex with PowerShell
++++
+audience: admin
++
+ - enabler-strategic
+ - m365initiative-syntex
+search.appverid: MET150
+ms.localizationpriority: normal
+description: "Learn how to manage SharePoint Syntex with PowerShell"
++
+# Manage SharePoint Syntex with PowerShell
+
+> [!IMPORTANT]
+> The SharePoint Syntex PowerShell cmdlets and all other PnP components are open-source tools backed by an active community providing support for them. There is no SLA for open-source tool support from official Microsoft support channels.
+
+For these scenarios, the SharePoint Syntex cmdlets in the PnP PowerShell module can be used to interact with models and explanations. To learn more about how to install this module, see [**PnP PowerShell overview**](/powershell/sharepoint/sharepoint-pnp/sharepoint-pnp-cmdlets)
+
+Select from the following topics to learn how to use PowerShell to manage Syntex:
+
+- [**Import and Export Models**](powershell-syntex-import-export.md)
+
+ Start here if you want to learn how to export document understanding models from a content center, and import to another content center or tenant.
+
+- [**Publishing**](powershell-syntex-publishing.md)
+
+ Start here if want to learn how to use PowerShell to publish document understanding models to document libraries.
+
+- [**Processing**](powershell-syntex-processing.md)
+
+ Start here if you want to learn how to use PowerShell to trigger document understanding processing on a document library
+
+- [**Explanations**](powershell-syntex-explanations.md)
+
+ Start here if want to learn how to create custom document understanding explanation templates using PowerShell.
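Review bot: The first body sentence, "For these scenarios, the SharePoint Syntex cmdlets in the PnP PowerShell module can be used ...", refers to scenarios that are never introduced, so the article opens without an antecedent. Add a lead sentence naming the scenarios, or reword the sentence to start from the cmdlets. Smaller points in the same hunk: that sentence and the Processing description are missing their closing period, and the Publishing and Explanations descriptions read "Start here if want to learn" where "if you want" is intended.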
contentunderstanding Powershell Syntex Processing https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/contentunderstanding/powershell-syntex-processing.md
+
+ Title: Use PowerShell to request processing by a document understanding model
++++
+audience: admin
++
+ - enabler-strategic
+ - m365initiative-syntex
+search.appverid: MET150
+ms.localizationpriority: normal
+description: "Learn how to use PowerShell to request processing by a SharePoint Syntex document understanding model."
++
+# Use PowerShell to request processing by a document understanding model
+
+> [!IMPORTANT]
+> The SharePoint Syntex PowerShell cmdlets and all other PnP components are open-source tools backed by an active community providing support for them. There is no SLA for open-source tool support from official Microsoft support channels.
+
+Document understanding models will process newly uploaded files to a library. It is also possible to manually request processing in the UI. However there may be scenarios where it is more efficient to trigger processing through PowerShell.
+
+## Request processing of all items that have not been previously classified
+
+You can request processing for all items in the library that have not previously been classified by using this command:
+
+```PowerShell
+#Note: you're connecting here to the site that holds the document library you want to process
+Connect-PnPOnline -Url "https://contoso.sharepoint.com/sites/finance"
+
+Request-PnPSyntexClassifyAndExtract -List "Documents"
+```
+
+For lower priority processing, you might also consider using the -OffPeak parameter, which will queue files for processing outside of business hours where your tenant is located. See [Request-PnPSyntexClassifyAndExtract](https://pnp.github.io/powershell/cmdlets/Request-PnPSyntexClassifyAndExtract.html) for more details.
+
+## Request processing of all items in a library
+
+You can request processing of all files in the library, even if they have previously been classified. This may be useful if you have updated a model or added another model to the library.
+
+```PowerShell
+#Note: you're connecting here to the site that holds the document library you want to process
+Connect-PnPOnline -Url "https://contoso.sharepoint.com/sites/finance"
+
+Request-PnPSyntexClassifyAndExtract -List "Documents" -Force
+```
+
+> [!NOTE]
+> Using the -Force option with more than 5000 items will automatcially enable off peak processing.
+
+## Request processing of all items based on a property
+
+If you want to limit processing to a specific subset of items in a library, you can use a script to select a specific group of files. In the below example, the script allows a field to be selected, and a field value to filter by. More complex queries can be completed using [Get-PnPListItem](https://pnp.github.io/powershell/cmdlets/Get-PnPListItem.html).
+
+```PowerShell
+#Note: you're connecting here to the site that holds the document library you want to process
+Connect-PnPOnline -Url "https://contoso.sharepoint.com/sites/finance"
+$list = Get-PnPList -Identity "Documents"
+# Set the field name to filter items by
+$fieldName = "Vendor"
+# Set the field value to filter by
+$fieldFilter = "Fabrikam"
+
+$listItems = (Get-PnPListItem -List $list -fields $fieldName).fieldValues
+$targetItems = $listItems | Where-Object -Property Provider -EQ -Value $fieldFilter
+
+# Create a new batch
+$batch = New-PnPBatch
+
+# Add files to classify to the batch
+foreach ($listItem in $targetItems) {
+ Request-PnPSyntexClassifyAndExtract -FileUrl $listItem.FileRef -Batch $classifyBatch
+}
+
+# Execute batch
+Invoke-PnPBatch -Batch $batch
+```
+
+## Request processing of specific files
+
+Processing can also be requested for specific files.
+
+```PowerShell
+#Note: you're connecting here to the site that holds the document library you want to process
+Connect-PnPOnline -Url "https://contoso.sharepoint.com/sites/finance"
+
+Request-PnPSyntexClassifyAndExtract -FileUrl "/sites/finance/documents/contoso contract.docx"
+```
++
+```PowerShell
+#Note: you're connecting here to the site that holds the document library you want to process
+Connect-PnPOnline -Url "https://contoso.sharepoint.com/sites/finance"
+
+# Create a new batch
+$batch = New-PnPBatch
+
+# Add files to classify to the batch
+Request-PnPSyntexClassifyAndExtract -FileUrl "/sites/finance/documents/contoso contract.docx" -Batch $batch
+Request-PnPSyntexClassifyAndExtract -FileUrl "/sites/finance/documents/relecloud contract.docx" -Batch $batch
+
+# Execute batch
+Invoke-PnPBatch -Batch $batch
+```
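Review bot: The script under "Request processing of all items based on a property" does not match its own variables. The filter is `Where-Object -Property Provider -EQ -Value $fieldFilter` although the field is set with `$fieldName = "Vendor"`, and the loop passes `-Batch $classifyBatch`, which is never defined, while the batch created and invoked is `$batch`. Suggest filtering on `$fieldName` and passing `-Batch $batch`. The same script requests only `-fields $fieldName` but then reads `$listItem.FileRef`, so please confirm that FileRef is returned in that case or add it to the requested fields. Also: "automatcially" in the -Force note is a typo, and the second example under "Request processing of specific files" has no sentence saying it is the batched variant.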
contentunderstanding Powershell Syntex Publishing https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/contentunderstanding/powershell-syntex-publishing.md
+
+ Title: Publish document understanding models with PowerShell
++++
+audience: admin
++
+ - enabler-strategic
+ - m365initiative-syntex
+search.appverid: MET150
+ms.localizationpriority: normal
+description: "Learn how to publish a SharePoint Syntex document understanding models with PowerShell."
++
+# Publish document understanding models with PowerShell
+
+> [!IMPORTANT]
+> The SharePoint Syntex PowerShell cmdlets and all other PnP components are open-source tools backed by an active community providing support for them. There is no SLA for open-source tool support from official Microsoft support channels.
+
+SharePoint Syntex Models typically are deployed to document libraries across your tenant. This can be done by using the Content Center site, but this can also be done using [PnP PowerShell](https://pnp.github.io/powershell/) as explained in this article.
+
+## Listing the available models in a Content Center
+
+To get an overview of the models added to the current SharePoint Syntex Content Center site use the [Get-PnPSyntexModel](https://pnp.github.io/powershell/cmdlets/Get-PnPSyntexModel.html) cmdlet:
+
+```PowerShell
+Connect-PnPOnline -Url "https://contoso.sharepoint.com/sites/yourContentCenter"
+Get-PnPSyntexModel
+```
+
+## Apply a model to a library
+
+To apply a model to a library you can use the [Publish-PnPSyntexModel](https://pnp.github.io/powershell/cmdlets/Publish-PnPSyntexModel.html) cmdlet:
+
+```PowerShell
+Connect-PnPOnline -Url "https://contoso.sharepoint.com/sites/yourContentCenter"
+Publish-PnPSyntexModel -Model "Contract Notice" -ListWebUrl "https://contoso.sharepoint.com/sites/finance" -List "Documents"
+```
+
+## Understanding where a model is used
+
+Once you've deployed a model to many libraries you might want to review the list of libraries using your model. This can be done using the [Get-PnPSyntexModelPublication](https://pnp.github.io/powershell/cmdlets/Get-PnPSyntexModelPublication.html) cmdlet:
+
+```PowerShell
+Connect-PnPOnline -Url "https://contoso.sharepoint.com/sites/yourContentCenter"
+Get-PnPSyntexModelPublication -Identity "Contract Notice"
+```
+
+## Removing a model from a library
+
+Removing a model from a library follows the same pattern as applying and can be done using the [Unpublish-PnPSyntexModel](https://pnp.github.io/powershell/cmdlets/Unpublish-PnPSyntexModel.html) cmdlet either interactively or as batch of multiple actions.
+
+```PowerShell
+Connect-PnPOnline -Url "https://contoso.sharepoint.com/sites/yourSite"
+Unpublish-PnPSyntexModel -Model "Invoice model" -ListWebUrl "https://contoso.sharepoint.com/sites/finance" -List "Documents"
+```
+
+## Apply models in bulk
+
+If you want to publish multiple models to multiple libraries, then
+
+First, create an input CSV file listing the models and the target locations:
+
+```CSV
+ModelName,TargetSiteUrl,TargetWebServerRelativeUrl,TargetLibraryServerRelativeUrl
+Contract Notice,https://contoso.sharepoint.com/sites/Site1,/sites/Site1,/sites/site1/shared%20documents
+Contract Notice,https://contoso.sharepoint.com/sites/Site1,/sites/Site1,/sites/site1/other
+Trade Confirmation,https://contoso.sharepoint.com/sites/Site2,/sites/Site2,/sites/site2/shared%20documents
+```
+
+This CSV file can then be used as an input into a script that will publish the listed models to the appropriate libraries. In the below example batching is used to increase the efficiency of the requests
+
+```PowerShell
+$contentCenterURL = "https://contoso.sharepoint.com/sites/yourSite"
+$targetsCSV = "./Publish-SyntexModelBulk.csv"
+
+Connect-PnPOnline -url $contentCenterURL
+
+$targetLibraries = Import-Csv -Path $targetsCSV
+
+$batch = New-PnPBatch
+
+foreach ($target in $targetLibraries) {
+ Publish-PnPSyntexModel -Model $target.ModelName -TargetSiteUrl $target.TargetSiteUrl -TargetWebServerRelativeUrl $target.TargetWebServerRelativeUrl -TargetLibraryServerRelativeUrl $target.TargetLibraryServerRelativeUrl -Batch $batch
+}
+
+Invoke-PnPBatch -Batch $batch
+```
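Review bot: Under "Apply models in bulk", the sentence "If you want to publish multiple models to multiple libraries, then" stops mid-clause; complete it or merge it into the following "First, create an input CSV file ..." sentence. The removal section says unpublishing can be done "either interactively or as batch of multiple actions" but only the interactive form is shown, so either add the batched form or drop the claim. The content center URL is ".../sites/yourContentCenter" in the first three examples and ".../sites/yourSite" in the Unpublish and bulk examples; use one placeholder. Since the bulk script publishes every row of the CSV as-is, a sentence telling readers to review the file and check the result of `Invoke-PnPBatch` would be useful. The sentence ending "efficiency of the requests" is missing its period.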
includes Microsoft 365 Content Updates https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/includes/microsoft-365-content-updates.md
+## Week of January 10, 2022
++
+| Published On |Topic title | Change |
+|||--|
+| 1/10/2022 | [Automatically apply a sensitivity label to content in Microsoft 365](/microsoft-365/compliance/apply-sensitivity-label-automatically?view=o365-21vianet) | modified |
+| 1/10/2022 | [Create a DLP policy from a template](/microsoft-365/compliance/create-a-dlp-policy-from-a-template?view=o365-21vianet) | modified |
+| 1/10/2022 | [Create, test, and tune a DLP policy](/microsoft-365/compliance/create-test-tune-dlp-policy?view=o365-21vianet) | modified |
+| 1/10/2022 | [Get started with activity explorer](/microsoft-365/compliance/data-classification-activity-explorer?view=o365-21vianet) | modified |
+| 1/10/2022 | [Get started with content explorer](/microsoft-365/compliance/data-classification-content-explorer?view=o365-21vianet) | modified |
+| 1/10/2022 | [Learn about data classification](/microsoft-365/compliance/data-classification-overview?view=o365-21vianet) | modified |
+| 1/10/2022 | [Get started with the data loss prevention alert dashboard](/microsoft-365/compliance/dlp-alerts-dashboard-get-started?view=o365-21vianet) | modified |
+| 1/10/2022 | [Get started with the Microsoft Compliance Extension](/microsoft-365/compliance/dlp-chrome-get-started?view=o365-21vianet) | modified |
+| 1/10/2022 | [Get started with Microsoft 365 data loss prevention on-premises scanner](/microsoft-365/compliance/dlp-on-premises-scanner-get-started?view=o365-21vianet) | modified |
+| 1/10/2022 | [Get started with sensitivity labels](/microsoft-365/compliance/get-started-with-sensitivity-labels?view=o365-21vianet) | modified |
+| 1/10/2022 | [Microsoft 365 Zero Trust deployment plan](/microsoft-365/security/microsoft-365-zero-trust?view=o365-21vianet) | modified |
+| 1/10/2022 | [DeviceAlertEvents table in the advanced hunting schema](/microsoft-365/security/defender-endpoint/advanced-hunting-devicealertevents-table?view=o365-21vianet) | modified |
+| 1/10/2022 | [Advanced hunting schema reference](/microsoft-365/security/defender-endpoint/advanced-hunting-schema-reference?view=o365-21vianet) | modified |
+| 1/10/2022 | [Deploy Microsoft Defender for Endpoint on Android with Microsoft Intune](/microsoft-365/security/defender-endpoint/android-intune?view=o365-21vianet) | modified |
+| 1/10/2022 | [Integration with Microsoft Defender for Cloud](/microsoft-365/security/defender-endpoint/azure-server-integration?view=o365-21vianet) | modified |
+| 1/10/2022 | [Configure automated investigation and remediation capabilities](/microsoft-365/security/defender-endpoint/configure-automated-investigations-remediation?view=o365-21vianet) | modified |
+| 1/10/2022 | [Configure and manage Microsoft Threat Experts capabilities](/microsoft-365/security/defender-endpoint/configure-microsoft-threat-experts?view=o365-21vianet) | modified |
+| 1/10/2022 | [Onboard Windows servers to the Microsoft Defender for Endpoint service](/microsoft-365/security/defender-endpoint/configure-server-endpoints?view=o365-21vianet) | modified |
+| 1/10/2022 | [Fix unhealthy sensors in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/fix-unhealthy-sensors?view=o365-21vianet) | modified |
+| 1/10/2022 | [Grant access to managed security service provider (MSSP)](/microsoft-365/security/defender-endpoint/grant-mssp-access?view=o365-21vianet) | modified |
+| 1/10/2022 | [Investigate agent health issues](/microsoft-365/security/defender-endpoint/health-status?view=o365-21vianet) | modified |
+| 1/10/2022 | [Helpful Microsoft Defender for Endpoint resources](/microsoft-365/security/defender-endpoint/helpful-resources?view=o365-21vianet) | modified |
+| 1/10/2022 | [Create indicators for IPs and URLs/domains](/microsoft-365/security/defender-endpoint/indicator-ip-domain?view=o365-21vianet) | modified |
+| 1/10/2022 | [Investigate connection events that occur behind forward proxies](/microsoft-365/security/defender-endpoint/investigate-behind-proxy?view=o365-21vianet) | modified |
+| 1/10/2022 | [How to Deploy Defender for Endpoint on Linux with Chef](/microsoft-365/security/defender-endpoint/linux-deploy-defender-for-endpoint-with-chef?view=o365-21vianet) | modified |
+| 1/10/2022 | [Set up the Microsoft Defender for Endpoint on macOS policies in Jamf Pro](/microsoft-365/security/defender-endpoint/mac-jamfpro-policies?view=o365-21vianet) | modified |
+| 1/10/2022 | [Manage Microsoft Defender for Endpoint alerts](/microsoft-365/security/defender-endpoint/manage-alerts?view=o365-21vianet) | modified |
+| 1/10/2022 | [Manage endpoint detection and response capabilities](/microsoft-365/security/defender-endpoint/manage-edr?view=o365-21vianet) | modified |
+| 1/10/2022 | [Overview of management and APIs](/microsoft-365/security/defender-endpoint/management-apis?view=o365-21vianet) | modified |
+| 1/10/2022 | [Microsoft Defender for Cloud Apps integration overview](/microsoft-365/security/defender-endpoint/microsoft-cloud-app-security-integration?view=o365-21vianet) | modified |
+| 1/10/2022 | [Microsoft Defender for Endpoint on iOS](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-ios?view=o365-21vianet) | modified |
+| 1/10/2022 | [Microsoft Defender Antivirus in the Windows Security app](/microsoft-365/security/defender-endpoint/microsoft-defender-security-center-antivirus?view=o365-21vianet) | modified |
+| 1/10/2022 | [Microsoft Threat Experts](/microsoft-365/security/defender-endpoint/microsoft-threat-experts?view=o365-21vianet) | modified |
+| 1/10/2022 | [Managed security service provider (MSSP) partnership opportunities](/microsoft-365/security/defender-endpoint/mssp-support?view=o365-21vianet) | modified |
+| 1/10/2022 | [Microsoft Defender for Endpoint for non-Windows platforms](/microsoft-365/security/defender-endpoint/non-windows?view=o365-21vianet) | modified |
+| 1/10/2022 | [Onboard previous versions of Windows on Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/onboard-downlevel?view=o365-21vianet) | modified |
+| 1/10/2022 | [Onboard Windows multi-session devices in Azure Virtual Desktop](/microsoft-365/security/defender-endpoint/onboard-windows-multi-session-device?view=o365-21vianet) | modified |
+| 1/10/2022 | [Protect security settings with tamper protection](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection?view=o365-21vianet) | modified |
+| 1/10/2022 | [Pull Microsoft Defender for Endpoint detections using REST API](/microsoft-365/security/defender-endpoint/pull-alerts-using-rest-api?view=o365-21vianet) | modified |
+| 1/10/2022 | [Take response actions on a device in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/respond-machine-alerts?view=o365-21vianet) | modified |
+| 1/10/2022 | [Server migration scenarios for the new version of Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/server-migration?view=o365-21vianet) | modified |
+| 1/10/2022 | [What's new in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/whats-new-in-microsoft-defender-endpoint?view=o365-21vianet) | modified |
+| 1/10/2022 | [Use shared queries in Microsoft 365 Defender advanced hunting](/microsoft-365/security/defender/advanced-hunting-shared-queries?view=o365-21vianet) | modified |
+| 1/10/2022 | [Create and manage custom detection rules in Microsoft 365 Defender](/microsoft-365/security/defender/custom-detection-rules?view=o365-21vianet) | modified |
+| 1/10/2022 | [Step 2. Remediate your first incident](/microsoft-365/security/defender/first-incident-remediate?view=o365-21vianet) | modified |
+| 1/10/2022 | [Details and results of an automated investigation](/microsoft-365/security/defender/m365d-autoir-results?view=o365-21vianet) | modified |
+| 1/10/2022 | [Configure automated investigation and response capabilities in Microsoft 365 Defender](/microsoft-365/security/defender/m365d-configure-auto-investigation-response?view=o365-21vianet) | modified |
+| 1/10/2022 | [Microsoft 365 Defender](/microsoft-365/security/defender/microsoft-365-defender?view=o365-21vianet) | modified |
+| 1/10/2022 | [Microsoft Defender for Endpoint in Microsoft 365 Defender](/microsoft-365/security/defender/microsoft-365-security-center-mde?view=o365-21vianet) | modified |
+| 1/10/2022 | [Microsoft 365 Defender prerequisites](/microsoft-365/security/defender/prerequisites?view=o365-21vianet) | modified |
+| 1/10/2022 | [Automated investigation and response in Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/office-365-air?view=o365-21vianet) | modified |
+| 1/10/2022 | [Permissions - Security & Compliance Center](/microsoft-365/security/office-365-security/permissions-in-the-security-and-compliance-center?view=o365-21vianet) | modified |
+| 1/10/2022 | [Step 1. Implement App Protection Policies](/microsoft-365/solutions/manage-devices-with-intune-app-protection?view=o365-21vianet) | modified |
+| 1/10/2022 | [Step 3. Set up compliance policies for devices with Intune](/microsoft-365/solutions/manage-devices-with-intune-compliance-policies?view=o365-21vianet) | modified |
+| 1/10/2022 | [Step 5. Deploy device profiles in Microsoft Intune](/microsoft-365/solutions/manage-devices-with-intune-configuration-profiles?view=o365-21vianet) | modified |
+| 1/10/2022 | [Step 7. Implement data loss prevention (DLP) with information protection capabilities](/microsoft-365/solutions/manage-devices-with-intune-dlp-mip?view=o365-21vianet) | modified |
+| 1/10/2022 | [Step 2. Enroll devices into management with Intune](/microsoft-365/solutions/manage-devices-with-intune-enroll?view=o365-21vianet) | modified |
+| 1/10/2022 | [Step 6. Monitor device risk and compliance to security baselines](/microsoft-365/solutions/manage-devices-with-intune-monitor-risk?view=o365-21vianet) | modified |
+| 1/10/2022 | [Manage devices with Intune](/microsoft-365/solutions/manage-devices-with-intune-overview?view=o365-21vianet) | modified |
+| 1/10/2022 | [Step 4. Require healthy and compliant devices with Intune](/microsoft-365/solutions/manage-devices-with-intune-require-compliance?view=o365-21vianet) | modified |
+| 1/10/2022 | [Microsoft 365 alert policies](/microsoft-365/compliance/alert-policies?view=o365-21vianet) | modified |
+| 1/10/2022 | [Microsoft Compliance Manager templates list](/microsoft-365/compliance/compliance-manager-templates-list?view=o365-21vianet) | modified |
+| 1/10/2022 | [Set up a connector to import physical badging data](/microsoft-365/compliance/import-physical-badging-data?view=o365-21vianet) | modified |
+| 1/10/2022 | [Microsoft Defender for Endpoint Device Control Removable Storage Access Control, removable storage media](/microsoft-365/security/defender-endpoint/device-control-removable-storage-access-control?view=o365-21vianet) | modified |
+| 1/10/2022 | [Turn on cloud protection in Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/enable-cloud-protection-microsoft-defender-antivirus?view=o365-21vianet) | modified |
+| 1/10/2022 | [What's new in Microsoft Defender for Endpoint on Linux](/microsoft-365/security/defender-endpoint/linux-whatsnew?view=o365-21vianet) | modified |
+| 1/10/2022 | [Microsoft Defender for Endpoint Device Control Device Installation](/microsoft-365/security/defender-endpoint/mde-device-control-device-installation?view=o365-21vianet) | modified |
+| 1/10/2022 | [Common Zero Trust identity and device access policies - Microsoft 365 for enterprise \| Microsoft Docs](/microsoft-365/security/office-365-security/identity-access-policies?view=o365-21vianet) | modified |
+| 1/10/2022 | [Step 4. Deploy endpoint management for your devices, PCs, and other endpoints](/microsoft-365/solutions/empower-people-to-work-remotely-manage-endpoints?view=o365-21vianet) | modified |
+| 1/10/2022 | [Step 2. Provide remote access to on-premises apps and services](/microsoft-365/solutions/empower-people-to-work-remotely-remote-access?view=o365-21vianet) | modified |
+| 1/10/2022 | [Step 1. Increase sign-in security for hybrid workers with MFA](/microsoft-365/solutions/empower-people-to-work-remotely-secure-sign-in?view=o365-21vianet) | modified |
+| 1/10/2022 | [Step 3: Deploy security and compliance for hybrid workers](/microsoft-365/solutions/empower-people-to-work-remotely-security-compliance?view=o365-21vianet) | modified |
+| 1/10/2022 | [Step 6: Train your workers and address usage feedback](/microsoft-365/solutions/empower-people-to-work-remotely-train-monitor-usage?view=o365-21vianet) | modified |
+| 1/10/2022 | [Set up your infrastructure for hybrid work with Microsoft 365](/microsoft-365/solutions/empower-people-to-work-remotely?view=o365-21vianet) | modified |
+| 1/11/2022 | [Add staff to Bookings](/microsoft-365/bookings/add-staff?view=o365-21vianet) | modified |
+| 1/11/2022 | Microsoft 365 small business training # < 60 chars | removed |
+| 1/11/2022 | [Learn about trainable classifiers](/microsoft-365/compliance/classifier-learn-about?view=o365-21vianet) | modified |
+| 1/11/2022 | [Microsoft 365 Zero Trust deployment plan](/microsoft-365/security/microsoft-365-zero-trust?view=o365-21vianet) | modified |
+| 1/11/2022 | [Deploy Microsoft Defender for Endpoint in rings](/microsoft-365/security/defender-endpoint/deployment-rings?view=o365-21vianet) | modified |
+| 1/11/2022 | Pilot Defender for Endpoint evaluation | removed |
+| 1/11/2022 | Evaluate Microsoft 365 Defender for Endpoint overview | removed |
+| 1/11/2022 | Experience Microsoft Defender for Endpoint (MDE) through simulated attacks | removed |
+| 1/11/2022 | [Troubleshooting issues when switching to Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/switch-to-mde-troubleshooting?view=o365-21vianet) | modified |
+| 1/11/2022 | [Performance analyzer for Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/tune-performance-defender-antivirus?view=o365-21vianet) | modified |
+| 1/11/2022 | [Supported operating systems platforms and capabilities](/microsoft-365/security/defender-endpoint/tvm-supported-os?view=o365-21vianet) | modified |
+| 1/11/2022 | [Create the Microsoft 365 Defender Evaluation Environment](/microsoft-365/security/defender/eval-create-eval-environment?view=o365-21vianet) | modified |
+| 1/11/2022 | [Review Microsoft Defender for Endpoint architecture requirements and key concepts](/microsoft-365/security/defender/eval-defender-endpoint-architecture?view=o365-21vianet) | modified |
+| 1/11/2022 | [Enable Microsoft Defender for Endpoint evaluation](/microsoft-365/security/defender/eval-defender-endpoint-enable-eval?view=o365-21vianet) | modified |
+| 1/11/2022 | [Evaluate Microsoft Defender for Endpoint overview, including reviewing the architecture](/microsoft-365/security/defender/eval-defender-endpoint-overview?view=o365-21vianet) | modified |
+| 1/11/2022 | [Pilot Microsoft Defender for Endpoint](/microsoft-365/security/defender/eval-defender-endpoint-pilot?view=o365-21vianet) | modified |
+| 1/11/2022 | [Review architecture requirements and the technical framework for Microsoft Defender for Identity](/microsoft-365/security/defender/eval-defender-identity-architecture?view=o365-21vianet) | modified |
+| 1/11/2022 | [Enable the evaluation environment for Microsoft Defender for Identity](/microsoft-365/security/defender/eval-defender-identity-enable-eval?view=o365-21vianet) | modified |
+| 1/11/2022 | [Evaluate Microsoft 365 Defender for Identity overview, set up evaluation](/microsoft-365/security/defender/eval-defender-identity-overview?view=o365-21vianet) | modified |
+| 1/11/2022 | [Pilot Microsoft Defender for Identity](/microsoft-365/security/defender/eval-defender-identity-pilot?view=o365-21vianet) | modified |
+| 1/11/2022 | [Try Microsoft 365 Defender incident response capabilities in a pilot environment](/microsoft-365/security/defender/eval-defender-investigate-respond-additional?view=o365-21vianet) | modified |
+| 1/11/2022 | [Investigate and respond using Microsoft 365 Defender in a pilot environment](/microsoft-365/security/defender/eval-defender-investigate-respond?view=o365-21vianet) | modified |
+| 1/11/2022 | [Review architecture requirements and the structure for Microsoft Defender for Cloud Apps](/microsoft-365/security/defender/eval-defender-mcas-architecture?view=o365-21vianet) | modified |
+| 1/11/2022 | [Enable the evaluation environment for Microsoft Defender for Cloud Apps](/microsoft-365/security/defender/eval-defender-mcas-enable-eval?view=o365-21vianet) | modified |
+| 1/11/2022 | [Evaluate Microsoft Defender for Cloud Apps overview](/microsoft-365/security/defender/eval-defender-mcas-overview?view=o365-21vianet) | modified |
+| 1/11/2022 | [Pilot Microsoft Defender for Cloud Apps with Microsoft 365 Defender](/microsoft-365/security/defender/eval-defender-mcas-pilot?view=o365-21vianet) | modified |
+| 1/11/2022 | [Review architecture requirements and planning concepts for Microsoft Defender for Office 365](/microsoft-365/security/defender/eval-defender-office-365-architecture?view=o365-21vianet) | modified |
+| 1/11/2022 | [Enable the evaluation environment for Microsoft Defender for Office 365 in your production environment](/microsoft-365/security/defender/eval-defender-office-365-enable-eval?view=o365-21vianet) | modified |
+| 1/11/2022 | [Evaluate Microsoft Defender for Office 365 overview](/microsoft-365/security/defender/eval-defender-office-365-overview?view=o365-21vianet) | modified |
+| 1/11/2022 | [Pilot Microsoft Defender for Office 365, use the evaluation in your production environment](/microsoft-365/security/defender/eval-defender-office-365-pilot?view=o365-21vianet) | modified |
+| 1/11/2022 | [Promote your Microsoft 365 Defender evaluation environment to Production](/microsoft-365/security/defender/eval-defender-promote-to-production?view=o365-21vianet) | modified |
+| 1/11/2022 | [Threat Explorer and Real-time detections](/microsoft-365/security/office-365-security/threat-explorer?view=o365-21vianet) | modified |
+| 1/11/2022 | [How to use DKIM for email in your custom domain](/microsoft-365/security/office-365-security/use-dkim-to-validate-outbound-email?view=o365-21vianet) | modified |
+| 1/11/2022 | [User tags in Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/user-tags?view=o365-21vianet) | modified |
+| 1/11/2022 | [Archive third-party data](/microsoft-365/compliance/archiving-third-party-data?view=o365-21vianet) | modified |
+| 1/11/2022 | [Disposition of content](/microsoft-365/compliance/disposition?view=o365-21vianet) | modified |
+| 1/11/2022 | [Document metadata fields in Advanced eDiscovery](/microsoft-365/compliance/document-metadata-fields-in-advanced-ediscovery?view=o365-21vianet) | modified |
+| 1/11/2022 | [Configure permissions filtering for eDiscovery](/microsoft-365/compliance/permissions-filtering-for-content-search?view=o365-21vianet) | modified |
+| 1/11/2022 | [Set up compliance boundaries for eDiscovery investigations](/microsoft-365/compliance/set-up-compliance-boundaries?view=o365-21vianet) | modified |
+| 1/11/2022 | [Send email notifications and show policy tips for DLP policies](/microsoft-365/compliance/use-notifications-and-policy-tips?view=o365-21vianet) | modified |
+| 1/11/2022 | [Microsoft Defender for Endpoint for non-Windows platforms](/microsoft-365/security/defender-endpoint/non-windows?view=o365-21vianet) | modified |
+| 1/11/2022 | [Top 12 tasks for security teams to support working from home](/microsoft-365/security/top-security-tasks-for-remote-work?view=o365-21vianet) | modified |
+| 1/12/2022 | [Use sensitivity labels with Microsoft Teams, Microsoft 365 groups, and SharePoint sites](/microsoft-365/compliance/sensitivity-labels-teams-groups-sites?view=o365-21vianet) | modified |
+| 1/12/2022 | [Apply a document understanding model in Microsoft SharePoint Syntex](/microsoft-365/contentunderstanding/apply-a-model) | modified |
+| 1/12/2022 | [Create a form processing model in Microsoft SharePoint Syntex](/microsoft-365/contentunderstanding/create-a-form-processing-model) | modified |
+| 1/12/2022 | [Attack surface reduction rules](/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-21vianet) | modified |
+| 1/12/2022 | [Deploy Microsoft Defender for Endpoint on Linux manually](/microsoft-365/security/defender-endpoint/linux-install-manually?view=o365-21vianet) | modified |
+| 1/12/2022 | [Supported operating systems platforms and capabilities](/microsoft-365/security/defender-endpoint/tvm-supported-os?view=o365-21vianet) | modified |
+| 1/12/2022 | [Understand device profiles](/microsoft-365/managed-desktop/service-description/profiles?view=o365-21vianet) | modified |
+| 1/12/2022 | [Reassign device profiles](/microsoft-365/managed-desktop/working-with-managed-desktop/change-device-profile?view=o365-21vianet) | modified |
+| 1/13/2022 | [Case study - Contoso quickly configures an inappropriate text policy for Microsoft Teams, Exchange, and Yammer communications](/microsoft-365/compliance/communication-compliance-case-study?view=o365-21vianet) | modified |
+| 1/13/2022 | [Get started with communication compliance](/microsoft-365/compliance/communication-compliance-configure?view=o365-21vianet) | modified |
+| 1/13/2022 | [Communication compliance policies](/microsoft-365/compliance/communication-compliance-policies?view=o365-21vianet) | modified |
+| 1/13/2022 | [Learn about communication compliance](/microsoft-365/compliance/communication-compliance?view=o365-21vianet) | modified |
+| 1/13/2022 | [Microsoft Managed Desktop and ITIL](/microsoft-365/managed-desktop/mmd-and-itsm?view=o365-21vianet) | modified |
+| 1/13/2022 | [Change history for Microsoft Managed Desktop documentation](/microsoft-365/managed-desktop/change-history-managed-desktop?view=o365-21vianet) | modified |
+| 1/13/2022 | [Address device name dependency](/microsoft-365/managed-desktop/get-ready/address-device-names?view=o365-21vianet) | modified |
+| 1/13/2022 | [Working with Microsoft Consulting Services](/microsoft-365/managed-desktop/get-ready/apps-mcs?view=o365-21vianet) | modified |
+| 1/13/2022 | [Apps in Microsoft Managed Desktop](/microsoft-365/managed-desktop/get-ready/apps?view=o365-21vianet) | modified |
+| 1/13/2022 | [Prepare on-premises resources access for Microsoft Managed Desktop](/microsoft-365/managed-desktop/get-ready/authentication?view=o365-21vianet) | modified |
+| 1/13/2022 | [Prepare certificates and network profiles for Microsoft Managed Desktop](/microsoft-365/managed-desktop/get-ready/certs-wifi-lan?view=o365-21vianet) | modified |
+| 1/13/2022 | [Prerequisites for guest accounts](/microsoft-365/managed-desktop/get-ready/guest-accounts?view=o365-21vianet) | modified |
+| 1/13/2022 | [Get ready for enrollment in Microsoft Managed Desktop](/microsoft-365/managed-desktop/get-ready/index?view=o365-21vianet) | modified |
+| 1/13/2022 | [Prepare mapped drives for Microsoft Managed Desktop](/microsoft-365/managed-desktop/get-ready/mapped-drives?view=o365-21vianet) | modified |
+| 1/13/2022 | [Network configuration for Microsoft Managed Desktop](/microsoft-365/managed-desktop/get-ready/network?view=o365-21vianet) | modified |
+| 1/13/2022 | [Prerequisites for Microsoft Managed Desktop](/microsoft-365/managed-desktop/get-ready/prerequisites?view=o365-21vianet) | modified |
+| 1/13/2022 | [Prepare printing resources for Microsoft Managed Desktop](/microsoft-365/managed-desktop/get-ready/printing?view=o365-21vianet) | modified |
+| 1/13/2022 | [Downloadable readiness assessment checker](/microsoft-365/managed-desktop/get-ready/readiness-assessment-downloadable?view=o365-21vianet) | modified |
+| 1/13/2022 | [Fix issues found by the readiness assessment tool](/microsoft-365/managed-desktop/get-ready/readiness-assessment-fix?view=o365-21vianet) | modified |
+| 1/13/2022 | [Readiness assessment tools](/microsoft-365/managed-desktop/get-ready/readiness-assessment-tool?view=o365-21vianet) | modified |
+| 1/13/2022 | [Access the Admin portal](/microsoft-365/managed-desktop/get-started/access-admin-portal?view=o365-21vianet) | modified |
+| 1/13/2022 | [Add and verify admin contacts in the Admin portal](/microsoft-365/managed-desktop/get-started/add-admin-contacts?view=o365-21vianet) | modified |
+| 1/13/2022 | [Assign licenses](/microsoft-365/managed-desktop/get-started/assign-licenses?view=o365-21vianet) | modified |
+| 1/13/2022 | [Install Intune Company Portal on devices](/microsoft-365/managed-desktop/get-started/company-portal?view=o365-21vianet) | modified |
+| 1/13/2022 | [Adjust settings after enrollment](/microsoft-365/managed-desktop/get-started/conditional-access?view=o365-21vianet) | modified |
+| 1/13/2022 | [Deploy apps to devices](/microsoft-365/managed-desktop/get-started/deploy-apps?view=o365-21vianet) | modified |
+| 1/13/2022 | [Windows 10 location service](/microsoft-365/managed-desktop/get-started/device-location?view=o365-21vianet) | modified |
+| 1/13/2022 | [Order devices in Microsoft Managed Desktop](/microsoft-365/managed-desktop/get-started/devices?view=o365-21vianet) | modified |
+| 1/13/2022 | [New Microsoft Edge](/microsoft-365/managed-desktop/get-started/edge-browser-app?view=o365-21vianet) | modified |
+| 1/13/2022 | [Enable user support features](/microsoft-365/managed-desktop/get-started/enable-support?view=o365-21vianet) | modified |
+| 1/13/2022 | [Enable Enterprise State Roaming](/microsoft-365/managed-desktop/get-started/enterprise-state-roaming?view=o365-21vianet) | modified |
+| 1/13/2022 | [First-run experience with Autopilot and the Enrollment Status Page](/microsoft-365/managed-desktop/get-started/esp-first-run?view=o365-21vianet) | modified |
+| 1/13/2022 | [Get started with app control](/microsoft-365/managed-desktop/get-started/get-started-app-control?view=o365-21vianet) | modified |
+| 1/13/2022 | [Get your users ready to use devices](/microsoft-365/managed-desktop/get-started/get-started-devices?view=o365-21vianet) | modified |
+| 1/13/2022 | [Get started with Microsoft Managed Desktop](/microsoft-365/managed-desktop/get-started/index?view=o365-21vianet) | modified |
+| 1/13/2022 | [Localize the user experience](/microsoft-365/managed-desktop/get-started/localization?view=o365-21vianet) | modified |
+| 1/13/2022 | [Microsoft 365 Apps for enterprise](/microsoft-365/managed-desktop/get-started/m365-apps?view=o365-21vianet) | modified |
+| 1/13/2022 | [Microsoft OneDrive](/microsoft-365/managed-desktop/get-started/onedrive?view=o365-21vianet) | modified |
+| 1/13/2022 | [Install Microsoft Project or Microsoft Visio on Microsoft Managed Desktop devices](/microsoft-365/managed-desktop/get-started/project-visio?view=o365-21vianet) | modified |
+| 1/13/2022 | [Steps for Partners to register devices](/microsoft-365/managed-desktop/get-started/register-devices-partner?view=o365-21vianet) | modified |
+| 1/13/2022 | [Register new devices yourself](/microsoft-365/managed-desktop/get-started/register-devices-self?view=o365-21vianet) | modified |
+| 1/13/2022 | [Register existing devices yourself](/microsoft-365/managed-desktop/get-started/register-reused-devices-self?view=o365-21vianet) | modified |
+| 1/13/2022 | [Set up devices for Microsoft Managed Desktop](/microsoft-365/managed-desktop/get-started/set-up-devices?view=o365-21vianet) | modified |
+| 1/13/2022 | [Microsoft Teams](/microsoft-365/managed-desktop/get-started/teams?view=o365-21vianet) | modified |
+| 1/13/2022 | [Validate new devices](/microsoft-365/managed-desktop/get-started/validate-device?view=o365-21vianet) | modified |
+| 1/13/2022 | [Microsoft Managed Desktop documentation # < 60 chars](/microsoft-365/managed-desktop/index?view=o365-21vianet) | modified |
+| 1/13/2022 | [Compliance](/microsoft-365/managed-desktop/intro/compliance?view=o365-21vianet) | modified |
+| 1/13/2022 | [What is Microsoft Managed Desktop?](/microsoft-365/managed-desktop/intro/index?view=o365-21vianet) | modified |
+| 1/13/2022 | [Microsoft Managed Desktop roles and responsibilities](/microsoft-365/managed-desktop/intro/roles-and-responsibilities?view=o365-21vianet) | modified |
+| 1/13/2022 | [Microsoft Managed Desktop technologies](/microsoft-365/managed-desktop/intro/technologies?view=o365-21vianet) | modified |
+| 1/13/2022 | [Microsoft Managed Desktop and Windows 11](/microsoft-365/managed-desktop/intro/win11-overview?view=o365-21vianet) | modified |
+| 1/13/2022 | [App control](/microsoft-365/managed-desktop/service-description/app-control?view=o365-21vianet) | modified |
+| 1/13/2022 | [Exceptions to the service plan](/microsoft-365/managed-desktop/service-description/customizing?view=o365-21vianet) | modified |
+| 1/13/2022 | [Device deployment groups](/microsoft-365/managed-desktop/service-description/deployment-groups?view=o365-21vianet) | modified |
+| 1/13/2022 | [Device images](/microsoft-365/managed-desktop/service-description/device-images?view=o365-21vianet) | modified |
+| 1/13/2022 | [Device names](/microsoft-365/managed-desktop/service-description/device-names?view=o365-21vianet) | modified |
+| 1/13/2022 | [Device configuration](/microsoft-365/managed-desktop/service-description/device-policies?view=o365-21vianet) | modified |
+| 1/13/2022 | [Device requirements](/microsoft-365/managed-desktop/service-description/device-requirements?view=o365-21vianet) | modified |
+| 1/13/2022 | [Microsoft Managed Desktop device services](/microsoft-365/managed-desktop/service-description/device-services?view=o365-21vianet) | modified |
+| 1/13/2022 | [Diagnostic logs](/microsoft-365/managed-desktop/service-description/diagnostic-logs?view=o365-21vianet) | modified |
+| 1/13/2022 | [Microsoft Managed Desktop service description](/microsoft-365/managed-desktop/service-description/index?view=o365-21vianet) | modified |
+| 1/13/2022 | [Microsoft Managed Desktop app requirements](/microsoft-365/managed-desktop/service-description/mmd-app-requirements?view=o365-21vianet) | modified |
+| 1/13/2022 | [Microsoft Managed Desktop operations and monitoring](/microsoft-365/managed-desktop/service-description/operations-and-monitoring?view=o365-21vianet) | modified |
+| 1/13/2022 | [Privacy and personal data](/microsoft-365/managed-desktop/service-description/privacy-personal-data?view=o365-21vianet) | modified |
+| 1/13/2022 | [Understand device profiles](/microsoft-365/managed-desktop/service-description/profiles?view=o365-21vianet) | modified |
+| 1/13/2022 | [Supported regions](/microsoft-365/managed-desktop/service-description/regions-languages?view=o365-21vianet) | modified |
+| 1/13/2022 | [Security operations in Microsoft Managed Desktop](/microsoft-365/managed-desktop/service-description/security-operations?view=o365-21vianet) | modified |
+| 1/13/2022 | [Security technologies in Microsoft Managed Desktop](/microsoft-365/managed-desktop/service-description/security?view=o365-21vianet) | modified |
+| 1/13/2022 | [Service changes and communication](/microsoft-365/managed-desktop/service-description/servicechanges?view=o365-21vianet) | modified |
+| 1/13/2022 | [Shared devices](/microsoft-365/managed-desktop/service-description/shared-devices?view=o365-21vianet) | modified |
+| 1/13/2022 | [Admin support](/microsoft-365/managed-desktop/service-description/support?view=o365-21vianet) | modified |
+| 1/13/2022 | [How updates are handled in Microsoft Managed Desktop](/microsoft-365/managed-desktop/service-description/updates?view=o365-21vianet) | modified |
+| 1/13/2022 | [User support](/microsoft-365/managed-desktop/service-description/user-support?view=o365-21vianet) | modified |
+| 1/13/2022 | [Admin support for Microsoft Managed Desktop](/microsoft-365/managed-desktop/working-with-managed-desktop/admin-support?view=o365-21vianet) | modified |
+| 1/13/2022 | [App usage report](/microsoft-365/managed-desktop/working-with-managed-desktop/app-usage-report?view=o365-21vianet) | modified |
+| 1/13/2022 | [Assign devices to a deployment group](/microsoft-365/managed-desktop/working-with-managed-desktop/assign-deployment-group?view=o365-21vianet) | modified |
+| 1/13/2022 | [Reassign device profiles](/microsoft-365/managed-desktop/working-with-managed-desktop/change-device-profile?view=o365-21vianet) | modified |
+| 1/13/2022 | [Deploy configurable settings in Microsoft Managed Desktop](/microsoft-365/managed-desktop/working-with-managed-desktop/config-setting-deploy?view=o365-21vianet) | modified |
+| 1/13/2022 | [Configurable settings for Microsoft Managed Desktop](/microsoft-365/managed-desktop/working-with-managed-desktop/config-setting-overview?view=o365-21vianet) | modified |
+| 1/13/2022 | [Configurable settings reference for Microsoft Managed Desktop](/microsoft-365/managed-desktop/working-with-managed-desktop/config-setting-ref?view=o365-21vianet) | modified |
+| 1/13/2022 | [Device inventory report](/microsoft-365/managed-desktop/working-with-managed-desktop/device-inventory-report?view=o365-21vianet) | modified |
+| 1/13/2022 | [Device status report](/microsoft-365/managed-desktop/working-with-managed-desktop/device-status-report?view=o365-21vianet) | modified |
+| 1/13/2022 | [Get user support for Microsoft Managed Desktop](/microsoft-365/managed-desktop/working-with-managed-desktop/end-user-support?view=o365-21vianet) | modified |
+| 1/13/2022 | [Working with Microsoft Managed Desktop](/microsoft-365/managed-desktop/working-with-managed-desktop/index?view=o365-21vianet) | modified |
+| 1/13/2022 | [Manage apps in Microsoft Managed Desktop](/microsoft-365/managed-desktop/working-with-managed-desktop/manage-apps?view=o365-21vianet) | modified |
+| 1/13/2022 | [Remove devices](/microsoft-365/managed-desktop/working-with-managed-desktop/remove-devices?view=o365-21vianet) | modified |
+| 1/13/2022 | [Work with reports](/microsoft-365/managed-desktop/working-with-managed-desktop/reports?view=o365-21vianet) | modified |
+| 1/13/2022 | [Windows security updates report](/microsoft-365/managed-desktop/working-with-managed-desktop/security-updates-report?view=o365-21vianet) | modified |
+| 1/13/2022 | [Preview and test Windows 11 with Microsoft Managed Desktop](/microsoft-365/managed-desktop/working-with-managed-desktop/test-win11-mmd?view=o365-21vianet) | modified |
+| 1/13/2022 | [Work with app control](/microsoft-365/managed-desktop/working-with-managed-desktop/work-with-app-control?view=o365-21vianet) | modified |
+| 1/13/2022 | [Configure automated investigation and response capabilities in Microsoft 365 Defender](/microsoft-365/security/defender/m365d-configure-auto-investigation-response?view=o365-21vianet) | modified |
+| 1/13/2022 | [Continuous access evaluation for Microsoft 365 - Microsoft 365 for enterprise](/microsoft-365/security/office-365-security/microsoft-365-continuous-access-evaluation?view=o365-21vianet) | modified |
+| 1/13/2022 | [Microsoft 365 Business Premium resources # < 60 chars](/microsoft-365/business/index?view=o365-21vianet) | modified |
+| 1/13/2022 | [Get started with custom sensitive information types](/microsoft-365/compliance/create-a-custom-sensitive-information-type?view=o365-21vianet) | modified |
+| 1/13/2022 | [Create eDiscovery holds in a Core eDiscovery case](/microsoft-365/compliance/create-ediscovery-holds?view=o365-21vianet) | modified |
+| 1/13/2022 | [Data Loss Prevention policy reference](/microsoft-365/compliance/dlp-policy-reference?view=o365-21vianet) | modified |
+| 1/13/2022 | [Microsoft 365 admin center help # < 60 chars](/microsoft-365/admin/index?view=o365-21vianet) | modified |
+| 1/13/2022 | [Top 20 most-viewed admin help articles this month # < 60 chars](/microsoft-365/admin/top-m365-admin-articles?view=o365-21vianet) | modified |
+| 1/13/2022 | [Delete items in the Recoverable Items folder of cloud mailbox's on hold](/microsoft-365/compliance/delete-items-in-the-recoverable-items-folder-of-mailboxes-on-hold?view=o365-21vianet) | modified |
+| 1/13/2022 | [DLP policy conditions, exceptions, and actions](/microsoft-365/compliance/dlp-conditions-and-exceptions?view=o365-21vianet) | modified |
+| 1/13/2022 | [What's new in Microsoft Defender for Endpoint on Mac](/microsoft-365/security/defender-endpoint/mac-whatsnew?view=o365-21vianet) | modified |
+| 1/13/2022 | [Microsoft Defender for Endpoint on Mac](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-mac?view=o365-21vianet) | modified |
+| 1/13/2022 | [Microsoft recommendations for EOP and Defender for Office 365 security settings](/microsoft-365/security/office-365-security/recommended-settings-for-eop-and-office365?view=o365-21vianet) | modified |
+| 1/13/2022 | [Service encryption with Customer Key](/microsoft-365/compliance/customer-key-overview?view=o365-21vianet) | modified |
+| 1/13/2022 | [Minimum requirements for Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/minimum-requirements?view=o365-21vianet) | modified |
+| 1/14/2022 | [Add staff to Bookings](/microsoft-365/bookings/add-staff?view=o365-21vianet) | modified |
+| 1/14/2022 | [Microsoft 365 Business Premium resources # < 60 chars](/microsoft-365/business/index?view=o365-21vianet) | modified |
+| 1/14/2022 | [Automatically apply a retention label to retain or delete content](/microsoft-365/compliance/apply-retention-labels-automatically?view=o365-21vianet) | modified |
+| 1/14/2022 | [Automatically apply a sensitivity label to content in Microsoft 365](/microsoft-365/compliance/apply-sensitivity-label-automatically?view=o365-21vianet) | modified |
+| 1/14/2022 | [Learn about sensitive information types](/microsoft-365/compliance/sensitive-information-type-learn-about?view=o365-21vianet) | modified |
+| 1/14/2022 | [Microsoft 365 Zero Trust deployment plan](/microsoft-365/security/microsoft-365-zero-trust?view=o365-21vianet) | modified |
+| 1/14/2022 | [Microsoft Defender Antivirus on Windows Server](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-on-windows-server?view=o365-21vianet) | modified |
+| 1/14/2022 | [Protect security settings with tamper protection](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection?view=o365-21vianet) | modified |
+| 1/14/2022 | [Step 1. Implement App Protection Policies](/microsoft-365/solutions/manage-devices-with-intune-app-protection?view=o365-21vianet) | modified |
+| 1/14/2022 | [Step 3. Set up compliance policies for devices with Intune](/microsoft-365/solutions/manage-devices-with-intune-compliance-policies?view=o365-21vianet) | modified |
+| 1/14/2022 | [Step 5. Deploy device profiles in Microsoft Intune](/microsoft-365/solutions/manage-devices-with-intune-configuration-profiles?view=o365-21vianet) | modified |
+| 1/14/2022 | [Step 7. Implement data loss prevention (DLP) with information protection capabilities](/microsoft-365/solutions/manage-devices-with-intune-dlp-mip?view=o365-21vianet) | modified |
+| 1/14/2022 | [Step 2. Enroll devices into management with Intune](/microsoft-365/solutions/manage-devices-with-intune-enroll?view=o365-21vianet) | modified |
+| 1/14/2022 | [Step 6. Monitor device risk and compliance to security baselines](/microsoft-365/solutions/manage-devices-with-intune-monitor-risk?view=o365-21vianet) | modified |
+| 1/14/2022 | [Manage devices with Intune](/microsoft-365/solutions/manage-devices-with-intune-overview?view=o365-21vianet) | modified |
+| 1/14/2022 | [Step 4. Require healthy and compliant devices with Intune](/microsoft-365/solutions/manage-devices-with-intune-require-compliance?view=o365-21vianet) | modified |
+| 1/14/2022 | [Office TLS Certificate Changes](/microsoft-365/compliance/encryption-office-365-tls-certificates-changes?view=o365-21vianet) | added |
+| 1/14/2022 | [Use data connectors to import and archive third-party data in Microsoft 365](/microsoft-365/compliance/archiving-third-party-data?view=o365-21vianet) | modified |
+| 1/14/2022 | [Get started with custom sensitive information types](/microsoft-365/compliance/create-a-custom-sensitive-information-type?view=o365-21vianet) | modified |
+| 1/14/2022 | [Detailed properties in the audit log](/microsoft-365/compliance/detailed-properties-in-the-office-365-audit-log?view=o365-21vianet) | modified |
+| 1/14/2022 | [Search the audit log in the Microsoft 365 compliance center](/microsoft-365/compliance/search-the-audit-log-in-security-and-compliance?view=o365-21vianet) | modified |
+| 1/14/2022 | [Manage sensitivity labels in Office apps](/microsoft-365/compliance/sensitivity-labels-office-apps?view=o365-21vianet) | modified |
+| 1/14/2022 | [Licensing for SharePoint Syntex](/microsoft-365/contentunderstanding/syntex-licensing) | modified |
+| 1/14/2022 | [View email security reports](/microsoft-365/security/office-365-security/view-email-security-reports?view=o365-21vianet) | modified |
+| 1/14/2022 | [Keyword queries and search conditions for eDiscovery](/microsoft-365/compliance/keyword-queries-and-search-conditions?view=o365-21vianet) | modified |
+| 1/14/2022 | [Microsoft Defender for Endpoint Device Control Device Installation](/microsoft-365/security/defender-endpoint/mde-device-control-device-installation?view=o365-21vianet) | modified |
+| 1/14/2022 | [Set up and configure Microsoft Defender for Endpoint Plan 1](/microsoft-365/security/defender-endpoint/mde-p1-setup-configuration?view=o365-21vianet) | modified |
+| 1/14/2022 | [Evaluate Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/office-365-evaluation?view=o365-21vianet) | modified |
++ ## Week of January 03, 2022
| 12/17/2021 | [Microsoft Defender Antivirus in the Windows Security app](/microsoft-365/security/defender-endpoint/microsoft-defender-security-center-antivirus?view=o365-21vianet) | modified | | 12/17/2021 | [Protect security settings with tamper protection](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection?view=o365-21vianet) | modified | | 12/17/2021 | [User tags in Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/user-tags?view=o365-21vianet) | modified |--
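Review bot: several added rows carry a literal "# < 60 chars" suffix inside the link title (the rows for /microsoft-365/managed-desktop/index, /microsoft-365/business/index on both 1/13 and 1/14, /microsoft-365/admin/index and /microsoft-365/admin/top-m365-admin-articles). This looks like an authoring comment from the source article's title field being copied into the generated table. The same suffix appears in rows this change removes, so it predates this update, but the new rows repeat it. Suggest trimming everything from " #" onward when the row title is generated, so the link text reads, for example, "Microsoft 365 admin center help".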
-## Week of December 06, 2021
--
-| Published On |Topic title | Change |
-|||--|
-| 12/6/2021 | [What is Microsoft 365 Business Premium](/microsoft-365/admin/admin-overview/what-is-microsoft-365?view=o365-21vianet) | renamed |
-| 12/6/2021 | [Get support](/microsoft-365/admin/get-help-support?view=o365-21vianet) | renamed |
-| 12/6/2021 | [Enable Corelight integration in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/corelight-integration?view=o365-21vianet) | added |
-| 12/6/2021 | [Enable Microsoft Defender for IoT integration in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/enable-microsoft-defender-for-iot-integration?view=o365-21vianet) | added |
-| 12/6/2021 | [Device list CSV-file](/microsoft-365/admin/misc/device-list?view=o365-21vianet) | modified |
-| 12/6/2021 | [Migrate email and contacts to Microsoft 365](/microsoft-365/admin/setup/migrate-email-and-contacts-admin?view=o365-21vianet) | modified |
-| 12/6/2021 | [Plan your setup of Microsoft 365 for business](/microsoft-365/admin/setup/plan-your-setup?view=o365-21vianet) | modified |
-| 12/6/2021 | [Sign up for a Microsoft 365 Business Standard](/microsoft-365/admin/simplified-signup/signup-business-standard?view=o365-21vianet) | modified |
-| 12/6/2021 | [Employee quick setup-guide](/microsoft-365/business-video/employee-quick-setup?view=o365-worldwide) | modified |
-| 12/6/2021 | [Microsoft 365 small business training # < 60 chars](/microsoft-365/business-video/index?view=o365-21vianet) | modified |
-| 12/6/2021 | [Microsoft 365 Business Premium resources # < 60 chars](/microsoft-365/business/index?view=o365-21vianet) | modified |
-| 12/6/2021 | [What is the difference between device and app management](/microsoft-365/business/ui/mam-and-mdm?view=o365-21vianet) | modified |
-| 12/6/2021 | [Technical reference details about encryption](/microsoft-365/compliance/technical-reference-details-about-encryption?view=o365-21vianet) | modified |
-| 12/6/2021 | [What's new in Microsoft 365 compliance](/microsoft-365/compliance/whats-new?view=o365-21vianet) | modified |
-| 12/6/2021 | [Configure scanning options for Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/configure-advanced-scan-types-microsoft-defender-antivirus?view=o365-21vianet) | modified |
-| 12/6/2021 | [Configure device discovery](/microsoft-365/security/defender-endpoint/configure-device-discovery?view=o365-21vianet) | modified |
-| 12/6/2021 | [Device discovery overview](/microsoft-365/security/defender-endpoint/device-discovery?view=o365-21vianet) | modified |
-| 12/6/2021 | [Configure Microsoft Defender Antivirus with Group Policy](/microsoft-365/security/defender-endpoint/use-group-policy-microsoft-defender-antivirus?view=o365-21vianet) | modified |
-| 12/6/2021 | [What's new in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/whats-new-in-microsoft-defender-endpoint?view=o365-21vianet) | modified |
-| 12/6/2021 | [Configure and validate exclusions based on extension, name, or location](/microsoft-365/security/defender-endpoint/configure-extension-file-exclusions-microsoft-defender-antivirus?view=o365-21vianet) | modified |
-| 12/6/2021 | [Enable attack surface reduction rules](/microsoft-365/security/defender-endpoint/enable-attack-surface-reduction?view=o365-21vianet) | modified |
-| 12/6/2021 | [Evaluate network protection](/microsoft-365/security/defender-endpoint/evaluate-network-protection?view=o365-21vianet) | modified |
-| 12/6/2021 | [Use role-based access control to grant fine-grained access to Microsoft 365 Defender portal](/microsoft-365/security/defender-endpoint/rbac?view=o365-21vianet) | modified |
-| 12/6/2021 | [Quarantine policies](/microsoft-365/security/office-365-security/quarantine-policies?view=o365-21vianet) | modified |
-| 12/6/2021 | [Azure Information Protection support for Office 365 operated by 21Vianet](/microsoft-365/admin/services-in-china/parity-between-azure-information-protection?view=o365-21vianet) | modified |
-| 12/6/2021 | [Automatically apply a retention label to retain or delete content](/microsoft-365/compliance/apply-retention-labels-automatically?view=o365-21vianet) | modified |
-| 12/6/2021 | [Microsoft 365 compliance solutions trial playbook](/microsoft-365/compliance/compliance-easy-trials-compliance-playbook?view=o365-21vianet) | modified |
-| 12/6/2021 | [Create retention labels and apply them in apps to retain or delete content](/microsoft-365/compliance/create-apply-retention-labels?view=o365-21vianet) | modified |
-| 12/6/2021 | [Use the KQL editor to build search queries](/microsoft-365/compliance/ediscovery-kql-editor?view=o365-21vianet) | modified |
-| 12/6/2021 | [Restore an inactive mailbox](/microsoft-365/compliance/restore-an-inactive-mailbox?view=o365-21vianet) | modified |
-| 12/6/2021 | [Enable Corelight integration in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/corelight-integration?view=o365-21vianet) | modified |
-| 12/6/2021 | [Enable Microsoft Defender for IoT integration in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/enable-microsoft-defender-for-iot-integration?view=o365-21vianet) | modified |
-| 12/7/2021 | [Automatically apply a retention label to retain or delete content](/microsoft-365/compliance/apply-retention-labels-automatically?view=o365-21vianet) | modified |
-| 12/7/2021 | [Create retention labels and apply them in apps to retain or delete content](/microsoft-365/compliance/create-apply-retention-labels?view=o365-21vianet) | modified |
-| 12/7/2021 | [Create and configure retention policies to automatically retain or delete content](/microsoft-365/compliance/create-retention-policies?view=o365-21vianet) | modified |
-| 12/7/2021 | [What's new in Microsoft 365 compliance](/microsoft-365/compliance/whats-new?view=o365-21vianet) | modified |
-| 12/7/2021 | [Microsoft 365 Network Connectivity Location Services](/microsoft-365/enterprise/office-365-network-mac-location-services?view=o365-21vianet) | modified |
-| 12/7/2021 | [Microsoft 365 informed network routing](/microsoft-365/enterprise/office-365-network-mac-perf-cpe?view=o365-21vianet) | modified |
-| 12/7/2021 | [Microsoft 365 Network Insights](/microsoft-365/enterprise/office-365-network-mac-perf-insights?view=o365-21vianet) | modified |
-| 12/7/2021 | [Microsoft 365 network connectivity test tool](/microsoft-365/enterprise/office-365-network-mac-perf-onboarding-tool?view=o365-21vianet) | modified |
-| 12/7/2021 | [Network connectivity in the Microsoft 365 Admin Center](/microsoft-365/enterprise/office-365-network-mac-perf-overview?view=o365-21vianet) | modified |
-| 12/7/2021 | [Microsoft 365 network assessment](/microsoft-365/enterprise/office-365-network-mac-perf-score?view=o365-21vianet) | modified |
-| 12/7/2021 | [Enable Microsoft Defender for IoT integration in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/enable-microsoft-defender-for-iot-integration?view=o365-21vianet) | modified |
-| 12/7/2021 | [Step 2. Optimal networking for your Microsoft 365 for enterprise tenants](/microsoft-365/solutions/tenant-management-networking?view=o365-21vianet) | modified |
-| 12/7/2021 | [Microsoft 365 Defender for US Government customers](/microsoft-365/security/defender/usgov?view=o365-21vianet) | added |
-| 12/7/2021 | [Create a SharePoint communications site](/microsoft-365/campaigns/create-communications-site?view=o365-21vianet) | modified |
-| 12/7/2021 | [Create a team in Microsoft Teams so your small business or campaign can collaborate](/microsoft-365/campaigns/create-teams-for-collaboration?view=o365-21vianet) | modified |
-| 12/7/2021 | [Microsoft 365 for smaller businesses and campaigns](/microsoft-365/campaigns/index?view=o365-21vianet) | modified |
-| 12/7/2021 | [Learn about data loss prevention](/microsoft-365/compliance/dlp-learn-about-dlp?view=o365-21vianet) | modified |
-| 12/7/2021 | [Learn about Microsoft 365 Endpoint data loss prevention](/microsoft-365/compliance/endpoint-dlp-learn-about?view=o365-21vianet) | modified |
-| 12/7/2021 | [Using Endpoint data loss prevention](/microsoft-365/compliance/endpoint-dlp-using?view=o365-21vianet) | modified |
-| 12/7/2021 | [Encryption in Microsoft Dynamics 365](/microsoft-365/compliance/office-365-encryption-in-microsoft-dynamics-365?view=o365-21vianet) | modified |
-| 12/7/2021 | [Compare Microsoft Defender for Endpoint Plan 1 to Plan 2](/microsoft-365/security/defender-endpoint/defender-endpoint-plan-1-2?view=o365-21vianet) | modified |
-| 12/7/2021 | [Overview of Microsoft Defender for Endpoint Plan 1](/microsoft-365/security/defender-endpoint/defender-endpoint-plan-1?view=o365-21vianet) | modified |
-| 12/7/2021 | [Microsoft Defender for Endpoint for US Government customers](/microsoft-365/security/defender-endpoint/gov?view=o365-21vianet) | modified |
-| 12/7/2021 | [Manage Microsoft Defender for Endpoint Plan 1](/microsoft-365/security/defender-endpoint/mde-p1-maintenance-operations?view=o365-21vianet) | modified |
-| 12/7/2021 | [Set up and configure Microsoft Defender for Endpoint Plan 1](/microsoft-365/security/defender-endpoint/mde-p1-setup-configuration?view=o365-21vianet) | modified |
-| 12/7/2021 | [Get started with Microsoft Defender for Endpoint Plan 1](/microsoft-365/security/defender-endpoint/mde-plan1-getting-started?view=o365-21vianet) | modified |
-| 12/7/2021 | [Minimum requirements for Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/minimum-requirements?view=o365-21vianet) | modified |
-| 12/7/2021 | [Frequently asked questions when turning on Microsoft 365 Defender](/microsoft-365/security/defender/m365d-enable-faq?view=o365-21vianet) | modified |
-| 12/7/2021 | [Microsoft 365 Defender prerequisites](/microsoft-365/security/defender/prerequisites?view=o365-21vianet) | modified |
-| 12/7/2021 | [Microsoft 365 architecture diagram templates and icons](/microsoft-365/solutions/architecture-icons-templates?view=o365-21vianet) | modified |
-| 12/7/2021 | [Microsoft cloud architecture models - enterprise resource planning](/microsoft-365/solutions/cloud-architecture-models?view=o365-21vianet) | modified |
-| 12/7/2021 | Configure secure access to Microsoft 365 services | removed |
-| 12/7/2021 | [Microsoft 365 Enterprise architecture design principles](/microsoft-365/solutions/design-principles?view=o365-21vianet) | modified |
-| 12/7/2021 | [Microsoft 365 infographics for users](/microsoft-365/solutions/infographics-for-users?view=o365-21vianet) | modified |
-| 12/7/2021 | Multi-national design principles for Microsoft 365 | removed |
-| 12/7/2021 | [Microsoft 365 productivity illustrations](/microsoft-365/solutions/productivity-illustrations?view=o365-21vianet) | modified |
-| 12/8/2021 | [Microsoft Defender for Office 365 trial playbook](/microsoft-365/security/office-365-security/trial-playbook-defender-for-office-365?view=o365-21vianet) | added |
-| 12/8/2021 | [Manage Windows 10 Pro device policies with Microsoft 365 Business Premium](/microsoft-365/business-video/secure-win-10-pro-devices?view=o365-worldwide) | modified |
-| 12/8/2021 | [Learn about data loss prevention](/microsoft-365/compliance/dlp-learn-about-dlp?view=o365-21vianet) | modified |
-| 12/8/2021 | [How Exchange Online uses Transport Layer Security (TLS) to secure email connections](/microsoft-365/compliance/exchange-online-uses-tls-to-secure-email-connections?view=o365-21vianet) | modified |
-| 12/8/2021 | [Configure Microsoft 365 Lighthouse portal security](/microsoft-365/lighthouse/m365-lighthouse-configure-portal-security?view=o365-21vianet) | modified |
-| 12/8/2021 | [Deploy Microsoft 365 Lighthouse baselines](/microsoft-365/lighthouse/m365-lighthouse-deploy-baselines?view=o365-21vianet) | modified |
-| 12/8/2021 | [Overview of using baselines to deploy standard tenant configurations](/microsoft-365/lighthouse/m365-lighthouse-deploy-standard-tenant-configurations-overview?view=o365-21vianet) | modified |
-| 12/8/2021 | [Overview of Microsoft 365 Lighthouse](/microsoft-365/lighthouse/m365-lighthouse-overview?view=o365-21vianet) | modified |
-| 12/8/2021 | [Requirements for Microsoft 365 Lighthouse](/microsoft-365/lighthouse/m365-lighthouse-requirements?view=o365-21vianet) | modified |
-| 12/8/2021 | [Sign up for Microsoft 365 Lighthouse](/microsoft-365/lighthouse/m365-lighthouse-sign-up?view=o365-21vianet) | modified |
-| 12/8/2021 | [Get user support for Microsoft Managed Desktop](/microsoft-365/managed-desktop/working-with-managed-desktop/end-user-support?view=o365-21vianet) | modified |
-| 12/8/2021 | [Microsoft Defender Antivirus Virtual Desktop Infrastructure deployment guide](/microsoft-365/security/defender-endpoint/deployment-vdi-microsoft-defender-antivirus?view=o365-21vianet) | modified |
-| 12/8/2021 | [Microsoft 365 Defender for US Government customers](/microsoft-365/security/defender/usgov?view=o365-21vianet) | modified |
-| 12/8/2021 | [About the Microsoft Defender for Office 365 trial](/microsoft-365/security/office-365-security/about-defender-for-office-365-trial?view=o365-21vianet) | modified |
-| 12/8/2021 | [Quarantine policies](/microsoft-365/security/office-365-security/quarantine-policies?view=o365-21vianet) | modified |
-| 12/8/2021 | [Microsoft recommendations for EOP and Defender for Office 365 security settings](/microsoft-365/security/office-365-security/recommended-settings-for-eop-and-office365?view=o365-21vianet) | modified |
-| 12/9/2021 | [Azure Information Protection support for Office 365 operated by 21Vianet](/microsoft-365/admin/services-in-china/parity-between-azure-information-protection?view=o365-21vianet) | modified |
-| 12/9/2021 | [Set up a connector to import HR data](/microsoft-365/compliance/import-hr-data?view=o365-21vianet) | modified |
-| 12/9/2021 | [Enable co-authoring for documents encrypted by sensitivity labels in Microsoft 365](/microsoft-365/compliance/sensitivity-labels-coauthoring?view=o365-21vianet) | modified |
-| 12/9/2021 | [External Domain Name System records for Office 365](/microsoft-365/enterprise/external-domain-name-system-records?view=o365-21vianet) | modified |
-| 12/9/2021 | [What's new in Microsoft Defender for Endpoint on Android](/microsoft-365/security/defender-endpoint/android-whatsnew?view=o365-21vianet) | modified |
-| 12/9/2021 | [Set preferences for Microsoft Defender for Endpoint on Linux](/microsoft-365/security/defender-endpoint/linux-preferences?view=o365-21vianet) | modified |
-| 12/9/2021 | [Microsoft 365 Defender](/microsoft-365/security/defender/microsoft-365-defender?view=o365-21vianet) | modified |
-| 12/9/2021 | [Anti-spoofing protection](/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-21vianet) | modified |
-| 12/9/2021 | [Permissions - Security & Compliance Center](/microsoft-365/security/office-365-security/permissions-in-the-security-and-compliance-center?view=o365-21vianet) | modified |
-| 12/9/2021 | [Microsoft cloud architecture models - enterprise resource planning](/microsoft-365/solutions/cloud-architecture-models?view=o365-21vianet) | modified |
-| 12/9/2021 | Learn about Office 365 Germany | removed |
-| 12/9/2021 | [Set app protection settings for Android or iOS devices](/microsoft-365/admin/devices/app-protection-settings-for-android-and-ios?view=o365-21vianet) | modified |
-| 12/9/2021 | [Set up the Standard or Targeted release options](/microsoft-365/admin/manage/release-options-in-office-365?view=o365-21vianet) | modified |
-| 12/9/2021 | Collaborate by using Outlook and Teams | removed |
-| 12/9/2021 | Share your business files - overview | removed |
-| 12/9/2021 | Secure Office apps on iOS | removed |
-| 12/9/2021 | Upgrade Windows 10 Home to Windows 10 Pro | removed |
-| 12/9/2021 | View, download, or print your bill | removed |
-| 12/9/2021 | Work from anywhere - overview | removed |
-| 12/9/2021 | [Manage Microsoft Defender Antivirus updates and apply baselines](/microsoft-365/security/defender-endpoint/manage-updates-baselines-microsoft-defender-antivirus?view=o365-21vianet) | modified |
-| 12/9/2021 | [View email security reports](/microsoft-365/security/office-365-security/view-email-security-reports?view=o365-21vianet) | modified |
-| 12/9/2021 | [View mail flow reports in the Reports dashboard](/microsoft-365/security/office-365-security/view-mail-flow-reports?view=o365-21vianet) | modified |
-| 12/9/2021 | [View Defender for Office 365 reports](/microsoft-365/security/office-365-security/view-reports-for-mdo?view=o365-21vianet) | modified |
-| 12/10/2021 | [Set up a connector to archive StarHub mobile network data in Microsoft 365](/microsoft-365/compliance/archive-starhub-network-archiver-data?view=o365-21vianet) | added |
-| 12/10/2021 | [Mitigate threats with Microsoft Defender Antivirus](/microsoft-365/lighthouse/m365-lighthouse-mitigate-threats?view=o365-21vianet) | added |
-| 12/10/2021 | [Get support](/microsoft-365/admin/get-help-support?view=o365-21vianet) | modified |
-| 12/10/2021 | [Empower your small business with remote work](/microsoft-365/admin/misc/empower-your-small-business-with-remote-work?view=o365-21vianet) | modified |
-| 12/10/2021 | [Increase threat protection for Microsoft 365 for Business](/microsoft-365/admin/security-and-compliance/increase-threat-protection?view=o365-21vianet) | modified |
-| 12/10/2021 | [Multifactor authentication for Microsoft 365](/microsoft-365/admin/security-and-compliance/multi-factor-authentication-microsoft-365?view=o365-21vianet) | modified |
-| 12/10/2021 | [Top 10 ways to secure Microsoft 365 for business plans](/microsoft-365/admin/security-and-compliance/secure-your-business-data?view=o365-21vianet) | modified |
-| 12/10/2021 | [Set up multifactor authentication for users](/microsoft-365/admin/security-and-compliance/set-up-multi-factor-authentication?view=o365-worldwide) | modified |
-| 12/10/2021 | [Set up Microsoft 365 Business Premium](/microsoft-365/admin/setup/business-set-up?view=o365-21vianet) | modified |
-| 12/10/2021 | [Set up Microsoft 365 Business Standard with a new or existing domain](/microsoft-365/admin/setup/setup-business-standard?view=o365-21vianet) | modified |
-| 12/10/2021 | [Sign up for Microsoft 365 Apps for business](/microsoft-365/admin/setup/signup--apps-business?view=o365-21vianet) | modified |
-| 12/10/2021 | [Invite users to Microsoft 365 Business Standard subscription](/microsoft-365/admin/simplified-signup/admin-invite-business-standard?view=o365-21vianet) | modified |
-| 12/10/2021 | [Sign up for a Microsoft 365 Business Standard](/microsoft-365/admin/simplified-signup/signup-business-standard?view=o365-21vianet) | modified |
-| 12/10/2021 | [Microsoft 365 usage analytics](/microsoft-365/admin/usage-analytics/usage-analytics?view=o365-21vianet) | modified |
-| 12/10/2021 | [What's new in the Microsoft 365 admin center?](/microsoft-365/admin/whats-new-in-preview?view=o365-21vianet) | modified |
-| 12/10/2021 | Review usage reports | removed |
-| 12/10/2021 | Add an admin | removed |
-| 12/10/2021 | Add a user to Microsoft 365 for business | removed |
-| 12/10/2021 | Get the Admin mobile app | removed |
-| 12/10/2021 | Turn on malware protection | removed |
-| 12/10/2021 | Overview of Microsoft 365 Business Voice | removed |
-| 12/10/2021 | Buy Microsoft 365 Business Voice | removed |
-| 12/10/2021 | Buy new licenses | removed |
-| 12/10/2021 | Move users to different subscriptions | removed |
-| 12/10/2021 | Change a user's name or email address | removed |
-| 12/10/2021 | Choose a Microsoft 365 subscription | removed |
-| 12/10/2021 | Create a company-wide signature | removed |
-| 12/10/2021 | Connect PCs to Microsoft 365 Business Premium | removed |
-| 12/10/2021 | Create a website for your business | removed |
-| 12/10/2021 | Import and redirect email | removed |
-| 12/10/2021 | Install Microsoft Office apps | removed |
-| 12/10/2021 | Overview of Microsoft 365 Business Premium Security | removed |
-| 12/10/2021 | Create email rules for ransomware | removed |
-| 12/10/2021 | Remove existing licenses | removed |
-| 12/10/2021 | Reset user passwords | removed |
-| 12/10/2021 | Manage Safe Links | removed |
-| 12/10/2021 | Secure your Windows 10 PCs | removed |
-| 12/10/2021 | Set up a new business email address | removed |
-| 12/10/2021 | Let users reset their passwords | removed |
-| 12/10/2021 | Set up Microsoft 365 Business Premium subscription | removed |
-| 12/10/2021 | Set up anti-phishing protection | removed |
-| 12/10/2021 | Overview of Microsoft 365 Business Premium setup | removed |
-| 12/10/2021 | Sign up for Microsoft 365 Business Premium subscription | removed |
-| 12/10/2021 | Turn on multifactor authentication | removed |
-| 12/10/2021 | Update your payment method | removed |
-| 12/10/2021 | What is an admin in Microsoft 365 for business | removed |
-| 12/10/2021 | [Microsoft 365 Business Premium resources # < 60 chars](/microsoft-365/business/index?view=o365-21vianet) | modified |
-| 12/10/2021 | [Setup overview for Microsoft 365 Business Premium](/microsoft-365/campaigns/microsoft-365-campaigns-setup-overview?view=o365-21vianet) | modified |
-| 12/10/2021 | [Microsoft 365 alert policies](/microsoft-365/compliance/alert-policies?view=o365-21vianet) | modified |
-| 12/10/2021 | [Archive third-party data](/microsoft-365/compliance/archiving-third-party-data?view=o365-21vianet) | modified |
-| 12/10/2021 | [Compare Microsoft Defender for Business to other Microsoft 365 plans](/microsoft-365/security/defender-business/compare-mdb-m365-plans?view=o365-21vianet) | modified |
-| 12/10/2021 | [Get Microsoft Defender for Business](/microsoft-365/security/defender-business/get-defender-business?view=o365-21vianet) | modified |
-| 12/10/2021 | [Configure your security settings in Microsoft Defender for Business](/microsoft-365/security/defender-business/mdb-configure-security-settings?view=o365-21vianet) | modified |
-| 12/10/2021 | [Device groups in Microsoft Defender for Business](/microsoft-365/security/defender-business/mdb-create-edit-device-groups?view=o365-21vianet) | modified |
-| 12/10/2021 | [Create a new policy in Microsoft Defender for Business](/microsoft-365/security/defender-business/mdb-create-new-policy?view=o365-21vianet) | modified |
-| 12/10/2021 | [Manage custom rules for firewall policies in Microsoft Defender for Business](/microsoft-365/security/defender-business/mdb-custom-rules-firewall?view=o365-21vianet) | modified |
-| 12/10/2021 | [Set up email notifications for your security team](/microsoft-365/security/defender-business/mdb-email-notifications?view=o365-21vianet) | modified |
-| 12/10/2021 | [Microsoft Defender for Business frequently asked questions](/microsoft-365/security/defender-business/mdb-faq?view=o365-21vianet) | modified |
-| 12/10/2021 | [Firewall in Microsoft Defender for Business (preview)](/microsoft-365/security/defender-business/mdb-firewall?view=o365-21vianet) | modified |
-| 12/10/2021 | [Get help and support for Microsoft Defender for Business (preview)](/microsoft-365/security/defender-business/mdb-get-help?view=o365-21vianet) | modified |
-| 12/10/2021 | [Get started using Microsoft Defender for Business (preview)](/microsoft-365/security/defender-business/mdb-get-started?view=o365-21vianet) | modified |
-| 12/10/2021 | [Microsoft 365 Lighthouse and Microsoft Defender for Business (preview)](/microsoft-365/security/defender-business/mdb-lighthouse-integration?view=o365-21vianet) | modified |
-| 12/10/2021 | [Manage devices in Microsoft Defender for Business (preview)](/microsoft-365/security/defender-business/mdb-manage-devices?view=o365-21vianet) | modified |
-| 12/10/2021 | [Understand next-generation protection configuration settings in Microsoft Defender for Business (preview)](/microsoft-365/security/defender-business/mdb-next-gen-configuration-settings?view=o365-21vianet) | modified |
-| 12/10/2021 | [Onboard devices to Microsoft Defender for Business (preview)](/microsoft-365/security/defender-business/mdb-onboard-devices?view=o365-21vianet) | modified |
-| 12/10/2021 | [Overview of Microsoft Defender for Business (preview)](/microsoft-365/security/defender-business/mdb-overview?view=o365-21vianet) | modified |
-| 12/10/2021 | [Understand policy order in Microsoft Defender for Business (preview)](/microsoft-365/security/defender-business/mdb-policy-order?view=o365-21vianet) | modified |
-| 12/10/2021 | [Reports in Microsoft Defender for Business (preview)](/microsoft-365/security/defender-business/mdb-reports?view=o365-21vianet) | modified |
-| 12/10/2021 | [Requirements for Microsoft Defender for Business (preview)](/microsoft-365/security/defender-business/mdb-requirements?view=o365-21vianet) | modified |
-| 12/10/2021 | [Respond to and mitigate threats in Microsoft Defender for Business (preview)](/microsoft-365/security/defender-business/mdb-respond-mitigate-threats?view=o365-21vianet) | modified |
-| 12/10/2021 | [Review remediation actions in Microsoft Defender for Business (preview)](/microsoft-365/security/defender-business/mdb-review-remediation-actions?view=o365-21vianet) | modified |
-| 12/10/2021 | [Assign roles and permissions in Microsoft Defender for Business (preview)](/microsoft-365/security/defender-business/mdb-roles-permissions?view=o365-21vianet) | modified |
-| 12/10/2021 | [Set up and configure Microsoft Defender for Business (preview)](/microsoft-365/security/defender-business/mdb-setup-configuration?view=o365-21vianet) | modified |
-| 12/10/2021 | [The simplified configuration process in Microsoft Defender for Business (preview)](/microsoft-365/security/defender-business/mdb-simplified-configuration?view=o365-21vianet) | modified |
-| 12/10/2021 | [Microsoft Defender for Business (preview) troubleshooting](/microsoft-365/security/defender-business/mdb-troubleshooting?view=o365-21vianet) | modified |
-| 12/10/2021 | [Tutorials and simulations in Microsoft Defender for Business (preview)](/microsoft-365/security/defender-business/mdb-tutorials?view=o365-21vianet) | modified |
-| 12/10/2021 | [View or edit policies in Microsoft Defender for Business (preview)](/microsoft-365/security/defender-business/mdb-view-edit-policies?view=o365-21vianet) | modified |
-| 12/10/2021 | [View and manage incidents in Microsoft Defender for Business (preview)](/microsoft-365/security/defender-business/mdb-view-manage-incidents?view=o365-21vianet) | modified |
-| 12/10/2021 | [Compare Microsoft Defender for Endpoint Plan 1 to Plan 2](/microsoft-365/security/defender-endpoint/defender-endpoint-plan-1-2?view=o365-21vianet) | modified |
-| 12/10/2021 | [Microsoft Defender for Endpoint for US Government customers](/microsoft-365/security/defender-endpoint/gov?view=o365-21vianet) | modified |
-| 12/10/2021 | [App-based deployment for Microsoft Defender for Endpoint on iOS](/microsoft-365/security/defender-endpoint/ios-install?view=o365-21vianet) | modified |
-| 12/10/2021 | [Manage how and where Microsoft Defender Antivirus receives updates](/microsoft-365/security/defender-endpoint/manage-protection-updates-microsoft-defender-antivirus?view=o365-21vianet) | modified |
-| 12/10/2021 | [Mitigate zero-day vulnerabilities - threat and vulnerability management](/microsoft-365/security/defender-endpoint/tvm-zero-day-vulnerabilities?view=o365-21vianet) | modified |
-| 12/10/2021 | [Track your Microsoft Secure Score history and meet goals](/microsoft-365/security/defender/microsoft-secure-score-history-metrics-trends?view=o365-21vianet) | modified |
-| 12/10/2021 | [View email security reports](/microsoft-365/security/office-365-security/view-email-security-reports?view=o365-21vianet) | modified |
-| 12/10/2021 | [About the Exchange Online admin role](/microsoft-365/admin/add-users/about-exchange-online-admin-role?view=o365-21vianet) | modified |
-| 12/10/2021 | [Give mailbox permissions to another user - Admin Help](/microsoft-365/admin/add-users/give-mailbox-permissions-to-another-user?view=o365-21vianet) | modified |
-| 12/10/2021 | [Step 1 - Stop an employee from logging in to Microsoft 365](/microsoft-365/admin/add-users/remove-former-employee-step-1?view=o365-21vianet) | modified |
-| 12/10/2021 | [Step 5 - Wipe and block a former employee's mobile device](/microsoft-365/admin/add-users/remove-former-employee-step-5?view=o365-21vianet) | modified |
-| 12/10/2021 | [Create device security policies in Basic Mobility and Security](/microsoft-365/admin/basic-mobility-security/create-device-security-policies?view=o365-21vianet) | modified |
-| 12/10/2021 | [Basic Mobility and Security frequently-asked questions (FAQ)](/microsoft-365/admin/basic-mobility-security/frequently-asked-questions?view=o365-21vianet) | modified |
-| 12/10/2021 | [Convert a user mailbox to a shared mailbox](/microsoft-365/admin/email/convert-user-mailbox-to-shared-mailbox?view=o365-21vianet) | modified |
-| 12/10/2021 | [Create a shared mailbox](/microsoft-365/admin/email/create-a-shared-mailbox?view=o365-21vianet) | modified |
-| 12/10/2021 | [Create, edit, or delete a security group in the Microsoft 365 admin center](/microsoft-365/admin/email/create-edit-or-delete-a-security-group?view=o365-21vianet) | modified |
-| 12/10/2021 | [Manage email app access in Microsoft 365 admin center](/microsoft-365/admin/email/manage-email-app-access?view=o365-21vianet) | modified |
-| 12/10/2021 | [Upgrade distribution lists to Microsoft 365 Groups in Outlook](/microsoft-365/admin/manage/upgrade-distribution-lists?view=o365-21vianet) | modified |
-| 12/10/2021 | [Pilot Microsoft 365 from my custom domain](/microsoft-365/admin/misc/pilot-microsoft-365-from-my-custom-domain?view=o365-21vianet) | modified |
-| 12/10/2021 | [Increase threat protection](/microsoft-365/campaigns/m365-campaigns-increase-protection?view=o365-21vianet) | modified |
-| 12/10/2021 | [Send encrypted email](/microsoft-365/campaigns/send-encrypted-email?view=o365-21vianet) | modified |
-| 12/10/2021 | [Add your organization brand to your encrypted messages](/microsoft-365/compliance/add-your-organization-brand-to-encrypted-messages?view=o365-21vianet) | modified |
-| 12/10/2021 | [Assign eDiscovery permissions in the Microsoft 365 compliance center](/microsoft-365/compliance/assign-ediscovery-permissions?view=o365-21vianet) | modified |
-| 12/10/2021 | [Use a PowerShell script to search the audit log](/microsoft-365/compliance/audit-log-search-script?view=o365-21vianet) | modified |
-| 12/10/2021 | [Search the audit log to troubleshoot common scenarios](/microsoft-365/compliance/auditing-troubleshooting-scenarios?view=o365-21vianet) | modified |
-| 12/10/2021 | [Bulk import external contacts to Exchange Online](/microsoft-365/compliance/bulk-import-external-contacts?view=o365-21vianet) | modified |
-| 12/10/2021 | [Case study - Contoso quickly configures an inappropriate content policy for Microsoft Teams, Exchange, and Yammer communications](/microsoft-365/compliance/communication-compliance-case-study?view=o365-21vianet) | modified |
-| 12/10/2021 | [Create a custom sensitive information type using PowerShell](/microsoft-365/compliance/create-a-custom-sensitive-information-type-in-scc-powershell?view=o365-21vianet) | modified |
-| 12/10/2021 | [Data Loss Prevention Reference](/microsoft-365/compliance/data-loss-prevention-policies?view=o365-21vianet) | modified |
-| 12/10/2021 | [Define mail flow rules to encrypt email messages](/microsoft-365/compliance/define-mail-flow-rules-to-encrypt-email?view=o365-21vianet) | modified |
-| 12/10/2021 | [Delete items in the Recoverable Items folder of cloud mailbox's on hold](/microsoft-365/compliance/delete-items-in-the-recoverable-items-folder-of-mailboxes-on-hold?view=o365-21vianet) | modified |
-| 12/10/2021 | [Enable archive mailboxes in the Microsoft 365 compliance center](/microsoft-365/compliance/enable-archive-mailboxes?view=o365-21vianet) | modified |
-| 12/10/2021 | [Manage mailbox auditing](/microsoft-365/compliance/enable-mailbox-auditing?view=o365-21vianet) | modified |
-| 12/10/2021 | [Learn about Microsoft 365 Endpoint data loss prevention](/microsoft-365/compliance/endpoint-dlp-learn-about?view=o365-21vianet) | modified |
-| 12/10/2021 | [Using Endpoint data loss prevention](/microsoft-365/compliance/endpoint-dlp-using?view=o365-21vianet) | modified |
-| 12/10/2021 | [How DLP works with Security & Compliance Center & Exchange admin center](/microsoft-365/compliance/how-dlp-works-between-admin-centers?view=o365-21vianet) | modified |
-| 12/10/2021 | [How to identify the type of hold placed on an Exchange Online mailbox](/microsoft-365/compliance/identify-a-hold-on-an-exchange-online-mailbox?view=o365-21vianet) | modified |
-| 12/10/2021 | [Legacy information for Office 365 Message Encryption](/microsoft-365/compliance/legacy-information-for-message-encryption?view=o365-21vianet) | modified |
-| 12/10/2021 | [Permissions in the Microsoft 365 compliance center](/microsoft-365/compliance/microsoft-365-compliance-center-permissions?view=o365-21vianet) | modified |
-| 12/10/2021 | [Migrate legacy eDiscovery searches and holds to the Microsoft 365 compliance center](/microsoft-365/compliance/migrate-legacy-ediscovery-searches-and-holds?view=o365-21vianet) | modified |
-| 12/10/2021 | [Create a sensitive information type policy using Office 365 Message Encryption](/microsoft-365/compliance/ome-sensitive-info-types?view=o365-21vianet) | modified |
-| 12/10/2021 | [Set up an archive and deletion policy for mailboxes in your organization](/microsoft-365/compliance/set-up-an-archive-and-deletion-policy-for-mailboxes?view=o365-21vianet) | modified |
-| 12/10/2021 | [Set up Basic Audit in Microsoft 365](/microsoft-365/compliance/set-up-basic-audit?view=o365-21vianet) | modified |
-| 12/10/2021 | [Set up new Message Encryption capabilities](/microsoft-365/compliance/set-up-new-message-encryption-capabilities?view=o365-21vianet) | modified |
-| 12/10/2021 | [Send email notifications and show policy tips for DLP policies](/microsoft-365/compliance/use-notifications-and-policy-tips?view=o365-21vianet) | modified |
-| 12/10/2021 | [View custodian audit activity](/microsoft-365/compliance/view-custodian-activity?view=o365-21vianet) | modified |
-| 12/10/2021 | [View the reports for data loss prevention](/microsoft-365/compliance/view-the-dlp-reports?view=o365-21vianet) | modified |
-| 12/10/2021 | [Work with a partner to archive third-party data](/microsoft-365/compliance/work-with-partner-to-archive-third-party-data?view=o365-21vianet) | modified |
-| 12/10/2021 | [Cross-tenant mailbox migration](/microsoft-365/enterprise/cross-tenant-mailbox-migration?view=o365-21vianet) | modified |
-| 12/10/2021 | [Manage Microsoft 365 Groups with PowerShell](/microsoft-365/enterprise/manage-microsoft-365-groups-with-powershell?view=o365-21vianet) | modified |
-| 12/10/2021 | [Mailbox utilization service alerts](/microsoft-365/enterprise/microsoft-365-mailbox-utilization-service-alerts?view=o365-21vianet) | modified |
-| 12/10/2021 | [Use PowerShell to perform a cutover migration to Microsoft 365](/microsoft-365/enterprise/use-powershell-to-perform-a-cutover-migration-to-microsoft-365?view=o365-21vianet) | modified |
-| 12/10/2021 | [Use PowerShell to perform a staged migration to Microsoft 365](/microsoft-365/enterprise/use-powershell-to-perform-a-staged-migration-to-microsoft-365?view=o365-21vianet) | modified |
-| 12/10/2021 | [Use PowerShell to perform an IMAP migration to Microsoft 365](/microsoft-365/enterprise/use-powershell-to-perform-an-imap-migration-to-microsoft-365?view=o365-21vianet) | modified |
-| 12/10/2021 | [Why you need to use PowerShell for Microsoft 365](/microsoft-365/enterprise/why-you-need-to-use-microsoft-365-powershell?view=o365-21vianet) | modified |
-| 12/10/2021 | [Pilot Microsoft Defender for Office 365, use the evaluation in your production environment](/microsoft-365/security/defender/eval-defender-office-365-pilot?view=o365-21vianet) | modified |
-| 12/10/2021 | [Redirecting accounts from Office 365 Security and Compliance Center to the new Microsoft 365 Defender](/microsoft-365/security/defender/microsoft-365-security-mdo-redirection?view=o365-21vianet) | modified |
-| 12/10/2021 | [Mail flow intelligence](/microsoft-365/security/office-365-security/mail-flow-intelligence-in-office-365?view=o365-21vianet) | modified |
-| 12/10/2021 | [The Microsoft Defender for Office 365 email entity page](/microsoft-365/security/office-365-security/mdo-email-entity-page?view=o365-21vianet) | modified |
-| 12/10/2021 | [Message trace in the Microsoft 365 Defender portal](/microsoft-365/security/office-365-security/message-trace-scc?view=o365-21vianet) | modified |
-| 12/10/2021 | [Queues insight in the Mail flow dashboard](/microsoft-365/security/office-365-security/mfi-queue-alerts-and-queues?view=o365-21vianet) | modified |
-| 12/10/2021 | [Fix slow mail flow rules insight](/microsoft-365/security/office-365-security/mfi-slow-mail-flow-rules-insight?view=o365-21vianet) | modified |
-| 12/10/2021 | [Evaluate Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/office-365-evaluation?view=o365-21vianet) | modified |
-| 12/10/2021 | [Permissions - Security & Compliance Center](/microsoft-365/security/office-365-security/permissions-in-the-security-and-compliance-center?view=o365-21vianet) | modified |
-| 12/10/2021 | [Responding to a Compromised Email Account](/microsoft-365/security/office-365-security/responding-to-a-compromised-email-account?view=o365-21vianet) | modified |
-| 12/10/2021 | [Security recommendations for priority accounts in Microsoft 365, priority accounts, priority accounts in Office 365, priority accounts in Microsoft 365](/microsoft-365/security/office-365-security/security-recommendations-for-priority-accounts?view=o365-21vianet) | modified |
-| 12/10/2021 | [Threat Explorer and Real-time detections](/microsoft-365/security/office-365-security/threat-explorer?view=o365-21vianet) | modified |
-| 12/10/2021 | [User tags in Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/user-tags?view=o365-21vianet) | modified |
-| 12/10/2021 | [View mail flow reports in the Reports dashboard](/microsoft-365/security/office-365-security/view-mail-flow-reports?view=o365-21vianet) | modified |
-| 12/10/2021 | [View Defender for Office 365 reports](/microsoft-365/security/office-365-security/view-reports-for-mdo?view=o365-21vianet) | modified |
-| 12/10/2021 | [Allow members to send as or send on behalf of a group](/microsoft-365/solutions/allow-members-to-send-as-or-send-on-behalf-of-group?view=o365-21vianet) | modified |
-| 12/10/2021 | [Manage who can create Microsoft 365 Groups](/microsoft-365/solutions/manage-creation-of-groups?view=o365-21vianet) | modified |
includes Security Config Mgt Prerequisites https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/includes/security-config-mgt-prerequisites.md
To use security management for Microsoft Defender for Endpoint, you need:
*Any subscription* that grants Microsoft Defender for Endpoint licenses also grants your tenant access to the Endpoint security node of the Microsoft Endpoint Manager admin center. The Endpoint security node is where you'll configure and deploy policies to manage Microsoft Defender for Endpoint for your devices and monitor device status.
+>[!NOTE]
+> Currently, if a Microsoft Defender for Endpoint subscription is obtained through Azure Security Center/Defender for cloud, this Microsoft Defender for Endpoint license is not a qualifying license for this feature.
++ ## Architecture The following diagram is a conceptual representation of the Microsoft Defender for Endpoint security configuration management solution.
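Review bot: the added note writes the product as "Defender for cloud" with a lowercase "cloud", while every other product name in the sentence is capitalized, and it opens with an undated "Currently". Suggest capitalizing the name consistently and either dropping the time qualifier or giving a date, so an admin checking whether their license qualifies for security management can tell whether the restriction still applies.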
security Active Content In Trusted Docs https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/active-content-in-trusted-docs.md
The updated Trust Center logic is described in the following diagram:
## What is a trusted document?
-Trusted documents are Office documents that open without any security prompts for macros, ActiveX controls, and other types of active content in the document. Protected View or Application Guard is not used to open the document. When users open a Trusted Document, and all active content is enabled. Even if the document contains new active content or updates to existing active content, users won't receive security prompts the next time they open the document.
+Trusted documents are Office documents that open without any security prompts for macros, ActiveX controls, and other types of active content in the document. Protected View or Application Guard is not used to open the document. When users open a Trusted Document, and all active content is enabled. Even if the document contains new active content or updates to existing active content, users won't receive security prompts the next time they open the document.
Because of this behavior, users should clearly trust documents only if they trust the document source.
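Review bot: the added line still carries the fragment "When users open a Trusted Document, and all active content is enabled."; the removed and added lines read identically here, so the edit looks like a whitespace-only change. Suggest "When users open a trusted document, all active content is enabled.", since this is the sentence that states the security consequence of trusting a document.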
Admins have many ways to configure Office in an organization. For example:
- ***Settings catalog (preview)***: See instructions to use the [Settings catalog (preview)](/mem/intune/configuration/settings-catalog). - **Group policy**: Use your on-premise Active Directory to deploy group policy objects (GPOs) to users and computers. To create a GPO for this setting, download the latest [Administrative Template files (ADMX/ADML) and Office Customization Tool for Microsoft 365 Apps for enterprise, Office 2019, and Office 2016](https://www.microsoft.com/download/details.aspx?id=49030).
+## Known issues
+
+- When the policy **VBA Macro notifications** (Access, PowerPoint, Visio, Word) or **Macro notifications** (Excel) is set to the value **Disable all except digitally signed macros**, the expected trust bar is not displayed, and **Security Information** in the backstage does not list details of macros blocked, even though the setting is working as expected. The Office team is working to resolve this issue.
+ ## Admin options for restricting active content There's a big difference in the level of trust in internally created content vs. content that users download from the internet. Consider allowing active content in internal documents and globally not allowing active content in documents from the internet.
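Review bot: the new Known issues entry says the trust bar is not displayed and **Security Information** does not list blocked macros when the policy is set to **Disable all except digitally signed macros**, but it gives admins no way to confirm the setting is in effect while both indicators are missing. Suggest adding how to verify that the policy is applied, and an affected version range or a date, because "The Office team is working to resolve this issue" will go stale.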
-If your users don't need specific types of active content, your most secure option is to use policies to turn off user access to that active content, and allow exceptions as needed
+If your users don't need specific types of active content, your most secure option is to use policies to turn off user access to that active content, and allow exceptions as needed.
The following policies are are available:
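Review bot: the context line directly after this change reads "The following policies are are available:" with a doubled "are". Since this edit only adds the closing period to the preceding sentence, fix the duplicate word in the same pass.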
The tables in the following sections describe the settings that control active c
|ActiveX|Office|Load Controls in Forms3|**1**|**Yes** for the following values: <ul><li>**2**</li><li>**3**</li></ul>| |Add-ins & Extensibility|Excel <p> PowerPoint <p> Project <p> Publisher <p> Visio <p> Word|Disable Trust Bar Notification for unsigned application add-ins and block them|**Enabled**|**Yes** for the value **Disabled**.| |Add-ins & Extensibility|Excel <p> PowerPoint <p> Project <p> Publisher <p> Visio <p> Word|Require that application add-ins are signed by Trusted Publisher|**Enabled**|No|
-|Add-ins & Extensibility|Excel|Do not show AutoRepublish warning alert|**Disabled**|No|
+|Add-ins & Extensibility|Excel|Do not show AutoRepublish warning alert|**Disabled**|No|
|Add-ins & Extensibility|Excel|WEBSERVICE Function Notification Settings|**Disable all with notification**|**Yes** for the following values: <ul><li>**Disable all with notification**</li><li>**Disabled**</li><li>**Not configured**</li></ul>| |Add-ins & Extensibility|Office|Disable the Office client from polling the SharePoint Server for published links|**Disabled**|No| |Add-ins & Extensibility|Office|Disable UI extending from documents and templates|Disallow in Word = True <p> Disallow in Project = False <p> Disallow in Excel = True <p> Disallow in Visio= False <p> Disallow in PowerPoint = True <p> Disallow in Access = True <p> Disallow in Outlook = True <p> Disallow in Publisher = True <p> Disallow in InfoPath = True|No| |Add-ins & Extensibility|Outlook|Configure Outlook object model prompt when accessing an address book|**Automatically Deny**|**Yes** for the following values: <ul><li>**Prompt user**</li><li>**Prompt user based on computer security**</li><li>**Disabled**</li><li>**Not configured**</li></ul>|
-|Add-ins & Extensibility|Outlook|Configure Outlook object model prompt When accessing the Formula property of a UserProperty object|**Automatically Deny**|**Yes** for the following values: <ul><li>**Prompt user**</li><li>**Prompt user based on computer security**</li><li>**Disabled**</li><li>**Not configured**</li></ul>|
+|Add-ins & Extensibility|Outlook|Configure Outlook object model prompt When accessing the Formula property of a UserProperty object|**Automatically Deny**|**Yes** for the following values: <ul><li>**Prompt user**</li><li>**Prompt user based on computer security**</li><li>**Disabled**</li><li>**Not configured**</li></ul>|
|Add-ins & Extensibility|Outlook|Configure Outlook object model prompt when executing Save As|**Automatically Deny**|**Yes** for the following values: <ul><li>**Prompt user**</li><li>**Prompt user based on computer security**</li><li>**Disabled**</li><li>**Not configured**</li></ul>| |Add-ins & Extensibility|Outlook|Configure Outlook object model prompt when reading address information|**Automatically Deny**|**Yes** for the following values: <ul><li>**Prompt user**</li><li>**Prompt user based on computer security**</li><li>**Disabled**</li><li>**Not configured**</li></ul>| |Add-ins & Extensibility|Outlook|Configure Outlook object model prompt when responding to meeting and task requests|**Automatically Deny**|**Yes** for the following values: <ul><li>**Prompt user**</li><li>**Prompt user based on computer security**</li><li>**Disabled**</li><li>**Not configured**</li></ul>|
The tables in the following sections describe the settings that control active c
|Add-ins & Extensibility|Outlook|Set Outlook object model custom actions execution prompt|**Automatically Deny**|**Yes** for the following values: <ul><li>**Prompt user**</li><li>**Prompt user based on computer security**</li><li>**Disabled**</li><li>**Not configured**</li></ul>| |Add-ins & Extensibility|PowerPoint|Run Programs|**disable (don't run any programs)**|**Yes** for the value **Enable (prompt user before running)**| |Add-ins & Extensibility|Word <p> Excel|Disable Smart Document's use of manifests|**Enabled**|No|
-|DDE|Excel|Don't allow Dynamic Data Exchange (DDE) server launch in Excel|**Enabled**|**Yes** for the value **Not configured**.|
+|DDE|Excel|Don't allow Dynamic Data Exchange (DDE) server launch in Excel|**Enabled**|**Yes** for the value **Not configured**.|
|DDE|Excel|Don't allow Dynamic Data Exchange (DDE) server lookup in Excel|**Enabled**|**Yes** for the following values: <ul><li>**Disabled**</li><li>**Not configured**</li></ul>| |DDE|Word|Dynamic Data Exchange|**Disabled**|No| |Jscript & VBScript|Outlook|Allow scripts in one-off Outlook forms|**Disabled**|No| |Jscript & VBScript|Outlook|Do not allow Outlook object model scripts to run for public folders|**Enabled**|No| |Jscript & VBScript|Outlook|Do not allow Outlook object model scripts to run for shared folders|**Enabled**|No|
-|Macros|Access <p> Excel <p> PowerPoint <p> Project <p> Publisher <p> Visio <p> Word|VBA Macro Notification Settings|**Disable all except digitally signed macros** <p> and <p> **Require macros to be signed by a trusted publisher**|**Yes** for the following values: <ul><li>**Disabled**</li><li>**Not configured**</li></ul>|
+|Macros|Excel|Macro Notifications|**Disable all except digitally signed macros**|**Yes** for the following values: <ul><li>**Disabled**</li><li>**Not configured**</li></ul>|
+|Macros|Access <p> PowerPoint <p> Project <p> Publisher <p> Visio <p> Word|VBA Macro Notification Settings|**Disable all except digitally signed macros** <p> and <p> **Require macros to be signed by a trusted publisher**|**Yes** for the following values: <ul><li>**Disabled**</li><li>**Not configured**</li></ul>|
|Macros|Access <p> Excel <p> PowerPoint <p> Visio <p> Word|Block macros from running in Office files from the Internet|**Enabled**|**Yes** for the following values: <ul><li>**Disabled**</li><li>**Not configured**</li></ul>| |Macros|Excel|Scan encrypted macros in Excel Open XML workbooks|**Scan encrypted macros (default)**|No|
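Review bot: the new Excel row recommends only **Disable all except digitally signed macros**, while the row it was split from still pairs that value with **Require macros to be signed by a trusted publisher** for Access, PowerPoint, Project, Publisher, Visio and Word. If Excel is meant to differ, say why in the row or in a note under the table, so a reader comparing the two rows does not take the missing trusted-publisher requirement as an omission. The setting name also changes from "VBA Macro Notification Settings" to "Macro Notifications" for Excel only; confirm it matches the policy name as shown in the Group Policy editor.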
-|Macros|Office|Allow VBA to load typelib references by path from untrusted intranet locations|**Disabled**|No|
+|Macros|Office|Allow VBA to load typelib references by path from untrusted intranet locations|**Disabled**|No|
|Macros|Office|Automation Security|**Use application macro security level**|No| |Macros|Office|Disable additional security checks on VBA library references that may refer to unsafe locations on the local machine|**Disabled**|No| |Macros|Office|Macro Runtime Scan Scope|**Enable for all documents**|No| |Macros|Office|Only trust VBA macros that use V3 signatures|Not a security baseline setting.|No|
-|Macros|Outlook|Outlook Security Mode|**Use Outlook Security Group Policy**|Required to enable all Outlook GPO settings. <p> Mentioned as a dependency (this policy doesn't block active content itself).|
+|Macros|Outlook|Outlook Security Mode|**Use Outlook Security Group Policy**|Required to enable all Outlook GPO settings. <p> Mentioned as a dependency (this policy doesn't block active content itself).|
|Macros|Outlook|Security setting for macros|**Warn for signed, disable unsigned**|**Yes** for the following values: <ul><li>**Always warn**</li><li>**Warn for signed, disable unsigned**</li><li>**Disabled**</li><li>**Not configured**</li></ul>| |Macros|PowerPoint|Scan encrypted macros in PowerPoint Open XML presentations|**Scan encrypted macros (default)**|No| |Macros|Publisher|Publisher Automation Security Level|**By UI (prompted)**|No|
security TOC https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/TOC.md
#### [Configure proxy and Internet connectivity settings](configure-proxy-internet.md) #### [Create an onboarding or offboarding notification rule](onboarding-notification.md)
-#### [Application license terms](mde-terms-windows.md)
### [Microsoft Defender for Endpoint on other Operating Systems]()
##### [Privacy](mac-privacy.md) ##### [Resources](mac-resources.md)
-##### [Application license terms](mde-terms-mac.md)
+ #### [Microsoft Defender for Endpoint on Linux]() ##### [Overview of Microsoft Defender for Endpoint on Linux](microsoft-defender-endpoint-linux.md)
###### [Privacy](ios-privacy.md)
-##### [Microsoft Defender for Endpoint application license terms](mde-terms-mobile.md)
### [Manage Microsoft Defender for Endpoint configuration settings on devices with Microsoft Endpoint Manager](security-config-management.md)
#### [Understand and use attack surface reduction](overview-attack-surface-reduction.md) #### [Attack surface reduction (ASR) rules]() ##### [Learn about ASR rules](attack-surface-reduction.md)
-##### [Deploy ASR rules](attack-surface-reduction-rules-deployment.md)
-###### [ASR rules deployment phase 1 - plan](attack-surface-reduction-rules-deployment-phase-1.md)
-###### [ASR rules deployment phase 2 - test](attack-surface-reduction-rules-deployment-phase-2.md)
-###### [ASR rules deployment phase 3 - implement](attack-surface-reduction-rules-deployment-phase-3.md)
-###### [ASR rules deployment phase 4 - operationalize](attack-surface-reduction-rules-deployment-phase-4.md)
+##### [ASR rules deployment guide]()
+###### [ASR rules deployment overview](attack-surface-reduction-rules-deployment.md)
+###### [Phase 1: Plan](attack-surface-reduction-rules-deployment-phase-1.md)
+###### [Phase 2: Test](attack-surface-reduction-rules-deployment-phase-2.md)
+###### [Phase 3: Implement](attack-surface-reduction-rules-deployment-phase-3.md)
+###### [Phase 4: Operationalize](attack-surface-reduction-rules-deployment-phase-4.md)
##### [ASR rules reference](attack-surface-reduction-rules-reference.md)
-##### [Enable ASR rules alternate methods](enable-attack-surface-reduction.md)
+##### [Enable ASR rules alternate congiguration methods](enable-attack-surface-reduction.md)
#### [Attack surface reduction FAQ](attack-surface-reduction-faq.yml) ### Next-generation protection
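Review bot: the added TOC entry "Enable ASR rules alternate congiguration methods" misspells "configuration", and the typo will show in the published navigation. Change the link text to "Enable ASR rules alternate configuration methods"; the target file name is unchanged and needs no edit.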
security Attack Surface Reduction Rules Deployment Phase 1 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-deployment-phase-1.md
-# Attack surface reduction rules deployment phase 1: plan
+# ASR rules deployment phase 1: plan
Starting to test ASR rules involves starting with the right business unit. YouΓÇÖll want to start with a small group of people in a specific business unit. You can identify some ASR champions within a particular business unit who can provide real-world impact to the ASR rules and help you tune your implementation.
See: [Create a deployment plan for Windows](/windows/deployment/update/create-de
## Additional topics in this deployment collection
-[ASR rules deployment guide - overview](attack-surface-reduction-rules-deployment.md)
+[ASR rules deployment overview](attack-surface-reduction-rules-deployment.md)
-[ASR rules deployment phase 2 - test](attack-surface-reduction-rules-deployment-phase-2.md)
+[Phase 2: Test](attack-surface-reduction-rules-deployment-phase-2.md)
-[ASR rules deployment phase 3 - implement](attack-surface-reduction-rules-deployment-phase-3.md)
+[Phase 3: Implement](attack-surface-reduction-rules-deployment-phase-3.md)
-[ASR rules deployment phase 4 - operationalize](attack-surface-reduction-rules-deployment-phase-4.md)
+[Phase 4: Operationalize](attack-surface-reduction-rules-deployment-phase-4.md)
security Attack Surface Reduction Rules Deployment Phase 2 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-deployment-phase-2.md
-# Attack surface reduction rules deployment phase 2: test
+# ASR rules deployment phase 2: test
Begin your ASR rules deployment with ring 1.
Event ID | Description
## Additional topics in this deployment collection
-[ASR rules deployment guide - overview](attack-surface-reduction-rules-deployment.md)
+[ASR rules deployment overview](attack-surface-reduction-rules-deployment.md)
-[ASR rules deployment phase 1 - plan](attack-surface-reduction-rules-deployment-phase-1.md)
+[Phase 1: Plan](attack-surface-reduction-rules-deployment-phase-1.md)
-[ASR rules deployment phase 3 - implement](attack-surface-reduction-rules-deployment-phase-3.md)
+[Phase 3: Implement](attack-surface-reduction-rules-deployment-phase-3.md)
-[ASR rules deployment phase 4 - operationalize](attack-surface-reduction-rules-deployment-phase-4.md)
+[Phase 4: Operationalize](attack-surface-reduction-rules-deployment-phase-4.md)
security Attack Surface Reduction Rules Deployment Phase 3 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-deployment-phase-3.md
-# Attack surface reduction rules deployment phase 3: implement
+# ASR rules deployment phase 3: implement
The implementation phase moves the ring from testing into functional state.
You can customize the notification for when a rule is triggered and blocks an ap
## Additional topics in this deployment collection
-[ASR rules deployment guide - overview](attack-surface-reduction-rules-deployment.md)
+[ASR rules deployment overview](attack-surface-reduction-rules-deployment.md)
-[ASR rules deployment phase 1 - plan](attack-surface-reduction-rules-deployment-phase-1.md)
+[Phase 1: Plan](attack-surface-reduction-rules-deployment-phase-1.md)
-[ASR rules deployment phase 2 - test](attack-surface-reduction-rules-deployment-phase-2.md)
+[Phase 2: Test](attack-surface-reduction-rules-deployment-phase-2.md)
-[ASR rules deployment phase 4 - operationalize](attack-surface-reduction-rules-deployment-phase-4.md)
+[Phase 4: Operationalize](attack-surface-reduction-rules-deployment-phase-4.md)
security Attack Surface Reduction Rules Deployment Phase 4 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-deployment-phase-4.md
-# Attack surface reduction rules deployment phase 4: operationalize
+# ASR rules deployment phase 4: operationalize
After you've fully deployed ASR rules, it's vital that you have processes in place to monitor and respond to ASR-related activities.
For more information about hunting options, see: [Demystifying attack surface re
## Topics in this deployment collection
-[ASR rules deployment guide - overview](attack-surface-reduction-rules-deployment.md)
+[ASR rules deployment overview](attack-surface-reduction-rules-deployment.md)
-[ASR rules deployment phase 1 - plan](attack-surface-reduction-rules-deployment-phase-1.md)
+[Phase 1: Plan](attack-surface-reduction-rules-deployment-phase-1.md)
-[ASR rules deployment phase 2 - test](attack-surface-reduction-rules-deployment-phase-2.md)
+[Phase 2: Test](attack-surface-reduction-rules-deployment-phase-2.md)
-[ASR rules deployment phase 3 - implement](attack-surface-reduction-rules-deployment-phase-3.md)
+[Phase 4: Operationalize](attack-surface-reduction-rules-deployment-phase-4.md)
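Review bot: the last replacement in this list swaps the removed phase 3 link for "[Phase 4: Operationalize](attack-surface-reduction-rules-deployment-phase-4.md)", so the phase 4 page now links to itself and no longer links to phase 3. The other three pages each list the three phases other than their own, so this line should read "[Phase 3: Implement](attack-surface-reduction-rules-deployment-phase-3.md)".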
security Attack Surface Reduction Rules Deployment https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-deployment.md
Title: Deploy attack surface reduction (ASR) rules
+ Title: ASR rules deployment overview
description: Provides guidance to deploy attack surface reduction rules. keywords: Attack surface reduction rules deployment, ASR deployment, enable asr rules, configure ASR, host intrusion prevention system, protection rules, anti-exploit rules, anti-exploit, exploit rules, infection prevention rules, Microsoft Defender for Endpoint, configure ASR rules search.product: eADQiWindows 10XVcnh
-# Attack surface reduction rules deployment guide
+# ASR rules deployment overview
## Before you begin
As with any new, wide-scale implementation which could potentially impact your l
## Additional topics in this deployment collection
-[ASR rules deployment phase 1 - plan](attack-surface-reduction-rules-deployment-phase-1.md)
+[Phase 1: Plan](attack-surface-reduction-rules-deployment-phase-1.md)
-[ASR deployment phase 2 - test](attack-surface-reduction-rules-deployment-phase-2.md)
+[Phase 2: Test](attack-surface-reduction-rules-deployment-phase-2.md)
-[ASR rules deployment phase 3 - implement](attack-surface-reduction-rules-deployment-phase-3.md)
+[Phase 3: Implement](attack-surface-reduction-rules-deployment-phase-3.md)
-[ASR rules deployment phase 4 - operationalize](attack-surface-reduction-rules-deployment-phase-4.md)
+[Phase 4: Operationalize](attack-surface-reduction-rules-deployment-phase-4.md)
## Reference
security Configure Mssp Support https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-mssp-support.md
ms.technology: mde
> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-mssp-support-abovefoldlink) You'll need to take the following configuration steps to enable the managed security service provider (MSSP) integration.
security Configure Siem https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-siem.md
ms.technology: mde
> > [Microsoft Defender for Endpoint Alert](alerts.md) is composed from one or more suspicious or malicious events that occurred on the device and their related details. The Microsoft Defender for Endpoint Alert API is the latest API for alert consumption and contain a detailed list of related evidence for each alert. For more information, see [Alert methods and properties](alerts.md) and [List alerts](get-alerts.md).
-Microsoft Defender for Endpoint supports security information and event management (SIEM) tools ingesting information from your enterprise tenant in Azure Active Directory (AAD) using the OAuth 2.0 authentication protocol for a registered AAD application representing the specific SIEM solution or connector installed in your environment.
+Microsoft Defender for Endpoint supports security information and event management (SIEM) tools ingesting information from your enterprise tenant in Azure Active Directory (AAD) using the OAuth 2.0 authentication protocol for a registered AAD application representing the specific SIEM solution or connector installed in your environment.
For more information, see:
For more information, see:
- [Get access with application context](exposed-apis-create-app-webapp.md)
-Microsoft Defender for Endpoint currently supports the following SIEM solution integrations: 
+Microsoft Defender for Endpoint currently supports the following SIEM solution integrations:
- [Ingesting incidents and alerts from the Microsoft 365 Defender and Microsoft Defender for Endpoint incidents and alerts REST APIs](#ingesting-incidents-and-alerts-from-the-microsoft-365-defender-and-microsoft-defender-for-endpoint-incidents-and-alerts-rest-apis) - [Ingesting Microsoft Defender for Endpoint events from the Microsoft 365 Defender event streaming API](#ingesting-microsoft-defender-for-endpoint-events-from-the-microsoft-365-defender-event-streaming-api)
For more information on the Microsoft Defender for Endpoint alerts API, see [ale
### Splunk
-Using the Microsoft 365 Defender Add-on for Splunk that supports: 
+Using the Microsoft 365 Defender Add-on for Splunk that supports:
-- Ingesting Microsoft Defender for Endpoint alerts -- Updating alerts in Microsoft Defender for Endpoint from within Splunk 
+- Ingesting Microsoft Defender for Endpoint alerts
+- Updating alerts in Microsoft Defender for Endpoint from within Splunk
For more information on the Microsoft 365 Defender Add-on for Splunk, see [splunkbase](https://splunkbase.splunk.com/app/4959/). ### Micro Focus ArcSight
-The new SmartConnector for Microsoft 365 Defender ingests incidents that contain alerts from all Microsoft 365 Defender products - including from Microsoft Defender for Endpoint - into ArcSight and maps these onto its Common Event Framework (CEF). 
+The new SmartConnector for Microsoft 365 Defender ingests incidents that contain alerts from all Microsoft 365 Defender products - including from Microsoft Defender for Endpoint - into ArcSight and maps these onto its Common Event Framework (CEF).
For more information on the new ArcSight SmartConnector for Microsoft 365 Defender, see [ArcSight Product documentation](https://community.microfocus.com/cyberres/productdocs/w/connector-documentation/39246/smartconnector-for-microsoft-365-defender). The SmartConnector replaces the previous FlexConnector for Microsoft 365 Defender.
-  
+ ### IBM QRadar >[!NOTE] >
->IBM QRadar integration with Microsoft Defender for Endpoint is now supported by the new Microsoft 365 Defender Device Support Module (DSM) that calls the [Microsoft 365 Defender Streaming API](../defender/streaming-api.md) that allows ingesting streaming event data from Microsoft 365 Defender products, including Microsoft Defender for Endpoint. For more information on supported event types, see [Supported event types](../defender/supported-event-types.md).
+>IBM QRadar integration with Microsoft Defender for Endpoint is now supported by the new Microsoft 365 Defender Device Support Module (DSM) that calls the [Microsoft 365 Defender Streaming API](../defender/streaming-api.md) that allows ingesting streaming event data from Microsoft 365 Defender products, including Microsoft Defender for Endpoint. For more information on supported event types, see [Supported event types](../defender/supported-event-types.md).
New customers are no longer being onboarded using the previous QRadar Microsoft Defender ATP Device Support Module (DSM), and existing customers are encouraged to adopt the new Microsoft 365 Defender DSM as their single point of integration with all Microsoft 365 Defender products. ## Ingesting Microsoft Defender for Endpoint events from the Microsoft 365 Defender event streaming API
security Device Control Removable Storage Access Control https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/device-control-removable-storage-access-control.md
Last updated 01/10/2022
- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037) > [!NOTE]
-> The Group Policy management of this product is now generally available (4.18.2106): See [Tech Community blog: Protect your removable storage and printer with Microsoft Defender for Endpoint](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/protect-your-removable-storage-and-printers-with-microsoft/ba-p/2324806)
+> The Group Policy management of this product is now generally available (4.18.2106): See [Tech Community blog: Protect your removable storage and printer with Microsoft Defender for Endpoint](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/protect-your-removable-storage-and-printers-with-microsoft/ba-p/2324806)
Microsoft Defender for Endpoint Device Control Removable Storage Access Control enables you to do the following task:
To help familiarize you with Microsoft Defender for Endpoint Removable Storage A
1. Create groups 1. Group 1: Any removable storage and CD/DVD. An example of a removable storage and CD/DVD is: Group **9b28fae8-72f7-4267-a1a5-685f747a7146** in the sample [Any Removable Storage and CD-DVD Group.xml](https://github.com/microsoft/mdatp-devicecontrol/tree/main/Removable%20Storage%20Access%20Control%20Samples) file.
-
+ 2. Group 2: Approved USBs based on device properties. An example for this use case is: Instance ID - Group **65fa649a-a111-4912-9294-fb6337a25038** in the sample [Approved USBs Group.xml](https://github.com/microsoft/mdatp-devicecontrol/tree/main/Removable%20Storage%20Access%20Control%20Samples) file.
To help familiarize you with Microsoft Defender for Endpoint Removable Storage A
2. Create policy 1. Policy 1: Block Write and Execute Access but allow approved USBs. An example for this use case is: PolicyRule **c544a991-5786-4402-949e-a032cb790d0e** in the sample [Scenario 1 Block Write and Execute Access but allow approved USBs.xml](https://github.com/microsoft/mdatp-devicecontrol/tree/main/Removable%20Storage%20Access%20Control%20Samples) file.
-
+ 2. Policy 2: Audit Write and Execute access to allowed USBs. An example for this use case is: PolicyRule **36ae1037-a639-4cff-946b-b36c53089a4c** in the sample [Scenario 1 Audit Write and Execute access to approved USBs.xml](https://github.com/microsoft/mdatp-devicecontrol/tree/main/Removable%20Storage%20Access%20Control%20Samples) file. ### Scenario 2: Audit Write and Execute access to all but block specific unapproved USBs
To help familiarize you with Microsoft Defender for Endpoint Removable Storage A
1. Group 1: Any removable storage and CD/DVD. An example for this use case is: Group **9b28fae8-72f7-4267-a1a5-685f747a7146** in the sample [Any Removable Storage and CD-DVD Group.xml](https://github.com/microsoft/mdatp-devicecontrol/tree/main/Removable%20Storage%20Access%20Control%20Samples) file.
-
+ 2. Group 2: Unapproved USBs based on device properties, for example, Vendor ID / Product ID, Friendly Name ΓÇô Group **65fa649a-a111-4912-9294-fb6337a25038** in the sample [Unapproved USBs Group.xml](https://github.com/microsoft/mdatp-devicecontrol/tree/main/Removable%20Storage%20Access%20Control%20Samples) file. > [!TIP]
To help familiarize you with Microsoft Defender for Endpoint Removable Storage A
2. Create policy 1. Policy 1: Block Write and Execute access to all but block specific unapproved USBs. An example of this use case is: PolicyRule **23b8e437-66ac-4b32-b3d7-24044637fc98** in the sample [Scenario 2 Audit Write and Execute access to all but block specific unapproved USBs.xml](https://github.com/microsoft/mdatp-devicecontrol/tree/main/Removable%20Storage%20Access%20Control%20Samples) file.
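Review bot: Group 2 in Scenario 2 (Unapproved USBs Group.xml) cites group ID **65fa649a-a111-4912-9294-fb6337a25038**, the same ID that Scenario 1 gives for Approved USBs Group.xml. Since these lines are being touched anyway, check both IDs against the sample files and correct whichever is wrong, or state that the samples reuse the ID; a reader who deploys both scenarios with one ID for an approved and an unapproved group would end up with conflicting policy. The Scenario 2 text also opens with "for example, Vendor ID / Product ID, Friendly Name" while Scenario 1 says "An example for this use case is: Instance ID"; using one phrasing for both would make the pair easier to compare.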
-
+ 2. Policy 2: Audit Write and Execute access to others. An example of this use case is: PolicyRule **b58ab853-9a6f-405c-a194-740e69422b48** in the sample [Scenario 2 Audit Write and Execute access to others.xml](https://github.com/microsoft/mdatp-devicecontrol/tree/main/Removable%20Storage%20Access%20Control%20Samples) file. ## Deploying and managing policy via Group Policy
The Removable Storage Access Control feature enables you to apply policy via Gro
### Licensing
-Before you get started with Removable Storage Access Control, you must confirm yourΓÇ»[Microsoft 365 subscription](https://www.microsoft.com/microsoft-365/compare-microsoft-365-enterprise-plans?rtc=2). To access and use Removable Storage Access Control, you must have Microsoft 365 E3 or Microsoft 365 E5.
+Before you get started with Removable Storage Access Control, you must confirm your [Microsoft 365 subscription](https://www.microsoft.com/microsoft-365/compare-microsoft-365-enterprise-plans?rtc=2). To access and use Removable Storage Access Control, you must have Microsoft 365 E3 or Microsoft 365 E5.
### Deploying policy via Group Policy
Before you get started with Removable Storage Access Control, you must confirm y
:::image type="content" source="images/device-control.png" alt-text="The Device Control screen.":::
-4. Default enforcement: allows you to set default access (Deny or Allow) to removable media if there is no policy. For example, you only have policy (either Deny or Allow) for RemovableMediaDevices, but do not have any policy for CdRomDevices or WpdDevices, and you set default Deny through this policy, Read/Write/Execute access to CdRomDevices or WpdDevices will be blocked.
+4. Default enforcement: allows you to set default access (Deny or Allow) to removable media if there is no policy. For example, you only have policy (either Deny or Allow) for RemovableMediaDevices, but do not have any policy for CdRomDevices or WpdDevices, and you set default Deny through this policy, Read/Write/Execute access to CdRomDevices or WpdDevices will be blocked.
- Once you deploy this setting, you will see **Default Allow** or **Default Deny**. :::image type="content" source="images/148609579-a7df650b-7792-4085-b552-500b28a35885.png" alt-text="Default Allow or Default Deny PowerShell code"::: 5. Enable or Disable Removable Storage Access Control: you can set this value to temporarily disable Removable Storage Access Control.
-
+ :::image type="content" source="images/148608318-5cda043d-b996-4146-9642-14fccabcb017.png" alt-text="Device Control settings":::
-
- - Once you deploy this setting, you will see ΓÇÿEnabledΓÇÖ or ΓÇÿDisabledΓÇÖ - Disabled means this machine does not have Removable Storage Access Control policy running.
+
+ - Once you deploy this setting, you will see ΓÇÿEnabledΓÇÖ or ΓÇÿDisabledΓÇÖ - Disabled means this machine does not have Removable Storage Access Control policy running.
:::image type="content" source="images/148609685-4c05f002-5cbe-4aab-9245-83e730c5449e.png" alt-text="Enabled or Disabled device control in PowerShell code":::
-
-
+ ## Deploying and managing policy via Intune OMA-URI The Removable Storage Access Control feature enables you to apply policy via OMA-URI to either user or device, or both. ### Licensing requirements
-Before you get started with Removable Storage Access Control, you must confirm yourΓÇ»[Microsoft 365 subscription](https://www.microsoft.com/microsoft-365/compare-microsoft-365-enterprise-plans?rtc=2). To access and use Removable Storage Access Control, you must have Microsoft 365 E3 or Microsoft 365 E5.
+Before you get started with Removable Storage Access Control, you must confirm your [Microsoft 365 subscription](https://www.microsoft.com/microsoft-365/compare-microsoft-365-enterprise-plans?rtc=2). To access and use Removable Storage Access Control, you must have Microsoft 365 E3 or Microsoft 365 E5.
### Permission
Microsoft Endpoint Manager admin center (<https://endpoint.microsoft.com/>) \> *
- Data Type: String (XML file) - 3. Default enforcement: allows you to set default access (Deny or Allow) to removable media if there is no policy. For example, you only have policy (either Deny or Allow) for RemovableMediaDevices, but do not have any policy for CdRomDevices or WpdDevices, and you set default Deny through this policy, Read/Write/Execute access to CdRomDevices or WpdDevices will be blocked. - OMA-URI: `./Vendor/MSFT/Defender/Configuration/DefaultEnforcement` - Data Type: Int
- `DefaultEnforcementAllow = 1
- `DefaultEnforcementDeny = 2
+
+ `DefaultEnforcementAllow = 1`
+ `DefaultEnforcementDeny = 2`
- Once you deploy this setting, you will see **Default Allow** or **Default Deny** :::image type="content" source="images/148609590-c67cfab8-8e2c-49f8-be2b-96444e9dfc2c.png" alt-text="Default Enforcement Allow PowerShell code":::
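Review bot: the two added value lines, `DefaultEnforcementAllow = 1` and `DefaultEnforcementDeny = 2`, are on consecutive lines with no list marker or blank line between them, so Markdown will join them into a single paragraph. Closing the backticks fixes the broken code span, but each value should be its own sub-item under "Data Type: Int" so the two integers render on separate lines and it is clear which number maps to Deny.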
-
4. Enable or Disable Removable Storage Access Control: you can set this value to temporarily disable Removable Storage Access Control. - OMA-URI: `./Vendor/MSFT/Defender/Configuration/DeviceControlEnabled`
Microsoft Endpoint Manager admin center (<https://endpoint.microsoft.com/>) \> *
:::image type="content" source="images/148609770-3e555883-f26f-45ab-9181-3fb1ff7a38ac.png" alt-text="Removeable Storage Access Control in PowerShell code":::
-
-
## Deploying and managing policy by using Intune user interface This capability is available in the Microsoft Endpoint Manager admin center (<https://endpoint.microsoft.com/>). Go to **Endpoint Security** > **Attack Surface Reduction** > **Create Policy**. Choose **Platform: Windows 10 and later** with **Profile: Device Control**.
The [Microsoft 365 Defender portal](https://security.microsoft.com/advanced-hunt
- Microsoft 365 for E5 reporting ```kusto
-//events triggered by RemovableStoragePolicyTriggered
+//events triggered by RemovableStoragePolicyTriggered
DeviceEvents
-| where ActionType == "RemovableStoragePolicyTriggered"
-| extend parsed=parse_json(AdditionalFields)
-| extend RemovableStorageAccess = tostring(parsed.RemovableStorageAccess) 
-| extend RemovableStoragePolicyVerdict = tostring(parsed.RemovableStoragePolicyVerdict) 
-| extend MediaBusType = tostring(parsed.BusType) 
-| extend MediaClassGuid = tostring(parsed.ClassGuid)
-| extend MediaClassName = tostring(parsed.ClassName)
-| extend MediaDeviceId = tostring(parsed.DeviceId)
-| extend MediaInstanceId = tostring(parsed.DeviceInstanceId)
-| extend MediaName = tostring(parsed.MediaName)
-| extend RemovableStoragePolicy = tostring(parsed.RemovableStoragePolicy) 
-| extend MediaProductId = tostring(parsed.ProductId) 
-| extend MediaVendorId = tostring(parsed.VendorId) 
-| extend MediaSerialNumber = tostring(parsed.SerialNumber) 
-|project Timestamp, DeviceId, DeviceName, InitiatingProcessAccountName, ActionType, RemovableStorageAccess, RemovableStoragePolicyVerdict, MediaBusType, MediaClassGuid, MediaClassName, MediaDeviceId, MediaInstanceId, MediaName, RemovableStoragePolicy, MediaProductId, MediaVendorId, MediaSerialNumber
-| order by Timestamp desc
+| where ActionType == "RemovableStoragePolicyTriggered"
+| extend parsed=parse_json(AdditionalFields)
+| extend RemovableStorageAccess = tostring(parsed.RemovableStorageAccess)
+| extend RemovableStoragePolicyVerdict = tostring(parsed.RemovableStoragePolicyVerdict)
+| extend MediaBusType = tostring(parsed.BusType)
+| extend MediaClassGuid = tostring(parsed.ClassGuid)
+| extend MediaClassName = tostring(parsed.ClassName)
+| extend MediaDeviceId = tostring(parsed.DeviceId)
+| extend MediaInstanceId = tostring(parsed.DeviceInstanceId)
+| extend MediaName = tostring(parsed.MediaName)
+| extend RemovableStoragePolicy = tostring(parsed.RemovableStoragePolicy)
+| extend MediaProductId = tostring(parsed.ProductId)
+| extend MediaVendorId = tostring(parsed.VendorId)
+| extend MediaSerialNumber = tostring(parsed.SerialNumber)
+|project Timestamp, DeviceId, DeviceName, InitiatingProcessAccountName, ActionType, RemovableStorageAccess, RemovableStoragePolicyVerdict, MediaBusType, MediaClassGuid, MediaClassName, MediaDeviceId, MediaInstanceId, MediaName, RemovableStoragePolicy, MediaProductId, MediaVendorId, MediaSerialNumber
+| order by Timestamp desc
``` :::image type="content" source="images/block-removable-storage.png" alt-text="The screen depicting the blockage of the removable storage.":::
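Review bot: the `|project` line near the end of the query is the only operator written without a space after the pipe. This hunk already rewrites every line of the query to strip trailing whitespace, so normalize that line to `| project` in the same change to match the `| where`, `| extend` and `| order by` lines.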
If you are deploying and managing the policy via Group Policy, please make sure
We don't backport the Group Policy configuration UX, but you can still get the related adml and admx files by clicking 'Raw' and 'Save as' at the [WindowsDefender.adml](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/WindowsDefender.adml) and [WindowsDefender.admx](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/WindowsDefender.admx) files.
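Review bot: `|project` on the last-but-one line of the query is still written without a space after the pipe, while every other operator line reads `| where`, `| extend` or `| order by`. This change only strips trailing whitespace from the query, so normalise that line to `| project ...` in the same pass. The closing code fence also shares a line with the `:::image` directive; put the fence on its own line so the block terminates cleanly.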
-
+ ### How can I know whether the latest policy has been deployed to the target machine? You can run ΓÇÿGet-MpComputerStatusΓÇÖ on PowerShell as an Administrator. The following value will show whether the latest policy has been applied to the target machine. :::image type="icon" source="images/148609885-bea388a9-c07d-47ef-b848-999d794d24b8.png" border="false":::
-
-
+ ### How can I know which machine is using out of date antimalware client version in the organization? You can use following query to get antimalware client version on the Microsoft 365 security portal:
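Review bot: In the first added answer the cmdlet `Get-MpComputerStatus` is wrapped in typographic quotes rather than code formatting, and the value the reader is supposed to check appears only in an icon image that has no alt-text. Put the cmdlet in backticks and name the property in the text, so the check can be followed without the image. Each added line also carries its `###` heading and its answer on one line behind a leading space; give the heading its own line. Finally, "which machine is using out of date antimalware client version" reads better as "which machines are using an out-of-date antimalware client version".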
security Device Discovery Faq https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/device-discovery-faq.md
ms.technology: m365d
Find answers to frequently asked questions (FAQs) about device discovery. ## What is Basic discovery mode?
-This mode allows every Microsoft Defender for Endpoint onboarded device to collect network data and discover neighboring devices. Onboarded endpoints passively collect events in the network and extract device information from them. No network traffic will be initiated. Onboarded endpoints will simply extract data from every network traffic that is seen by an onboarded device. This data used to list unmanaged devices in your network.
+This mode allows every Microsoft Defender for Endpoint onboarded device to collect network data and discover neighboring devices. Onboarded endpoints passively collect events in the network and extract device information from them. No network traffic will be initiated. Onboarded endpoints will simply extract data from every network traffic that is seen by an onboarded device. This data used to list unmanaged devices in your network.
## Can I disable Basic discovery?+ You have the option to turn off device discovery through the [Advanced features](advanced-features.md) page. However, you will lose visibility on unmanaged devices in your network. Note that SenseNDR.exe will still be running on the onboarded devices regardless discovery is turned off. ## What is Standard discovery mode?
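Review bot: The last sentence of the re-added Basic discovery paragraph, "This data used to list unmanaged devices in your network", is missing its verb. The line is already being rewritten for whitespace, so change it to "This data is used to list unmanaged devices in your network". In the unchanged answer that follows, "regardless discovery is turned off" should be "regardless of whether discovery is turned off".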
- In this mode endpoints onboarded to Microsoft Defender for Endpoint can actively probe observed devices in the network to enrich collected data (with negligible amount of network traffic). Only devices that were observed by the basic discovery mode will be actively probed in standard mode. This mode is highly recommended for building a reliable and coherent device inventory. If you choose to disable this mode, and select Basic discovery mode, you will likely only gain limited visibility of unmanaged endpoints in your network.
+
+In this mode endpoints onboarded to Microsoft Defender for Endpoint can actively probe observed devices in the network to enrich collected data (with negligible amount of network traffic). Only devices that were observed by the basic discovery mode will be actively probed in standard mode. This mode is highly recommended for building a reliable and coherent device inventory. If you choose to disable this mode, and select Basic discovery mode, you will likely only gain limited visibility of unmanaged endpoints in your network.
Standard mode also leverages common discovery protocols that use multicast queries in the network to find even more devices, in addition to the ones that were ovserved using the passive method. ## Can I control which devices perform Standard discovery?
- You can customize the list of devices that are used to perform Standard discovery. You can either enable Standard discovery on all the onboarded devices that also support this capability (currently Windows 10 devices only) or select a subset or subsets of your devices by specifying their device tags. In this case, all other devices will be configured to run Basic discovery only. The configuration is available in the device discovery settings page.
+
+You can customize the list of devices that are used to perform Standard discovery. You can either enable Standard discovery on all the onboarded devices that also support this capability (currently Windows 10 devices only) or select a subset or subsets of your devices by specifying their device tags. In this case, all other devices will be configured to run Basic discovery only. The configuration is available in the device discovery settings page.
## Can I exclude unmanaged devices from the device inventory list?
-Yes, you can apply filters to exclude unmanaged devices from the device inventory list. You can also use the onboarding status column on API queries to filter out unmanaged devices.
+Yes, you can apply filters to exclude unmanaged devices from the device inventory list. You can also use the onboarding status column on API queries to filter out unmanaged devices.
## Which onboarded devices can perform discovery?
- Onboarded devices running on Windows 10 version 1809 or later, or Windows 11 can perform discovery. Servers cannot perform discovery at this point.
+
+Onboarded devices running on Windows 10 version 1809 or later, or Windows 11 can perform discovery. Servers cannot perform discovery at this point.
## What happens if my onboarded devices is connected to my home network, or to public access point?
- The discovery engine distinguishes between network events that are received in the corporate network versus outside of the corporate network. By correlating network identifiers across all tenant's clients, events are differentiated between ones that were received from private networks and corporate networks. For example, if the majority of the devices in the organization report that they are connected to the same network name, with the same default gateway and DHCP server address, it can be assumed that this network is likely a corporate network. Private network devices will not be listed in the inventory and will not be actively probed.
+
+The discovery engine distinguishes between network events that are received in the corporate network versus outside of the corporate network. By correlating network identifiers across all tenant's clients, events are differentiated between ones that were received from private networks and corporate networks. For example, if the majority of the devices in the organization report that they are connected to the same network name, with the same default gateway and DHCP server address, it can be assumed that this network is likely a corporate network. Private network devices will not be listed in the inventory and will not be actively probed.
## What protocols are you capturing and analyzing?
- By default, all onboarded devices running on Windows 10 version 1809 or later, or Windows 11 are capturing and analyzing the following protocols:
+
+By default, all onboarded devices running on Windows 10 version 1809 or later, or Windows 11 are capturing and analyzing the following protocols:
ARP, CDP, DHCP, DHCPv6, IP (headers), LLDP, LLMNR, mDNS, MNDP, NBNS, SSDP, TCP (SYN headers), UDP (headers), WSD ## Which protocols do you use for active probing in Standard discovery?
- When a device is configured to run Standard discovery, exposed services are being probed by using the following protocols:
+
+When a device is configured to run Standard discovery, exposed services are being probed by using the following protocols:
ARP, FTP, HTTP, HTTPS, ICMP, LLMNR, NBNS, RDP, SIP, SMTP, SNMP, SSH, Telnet, UPNP, WSD, SMB, NBSS, IPP, PJL, RPC, mDNS, DHCP, AFP, CrestonCIP, IphoneSync, WinRM, VNC, SLP ## How can I exclude targets from being probed with Standard discovery?
- If there are devices on your network which should not be actively probed, you can also define a list of exclusions to prevent them from being scanned. The configuration is available in the device discovery settings page.
->[!NOTE]
+If there are devices on your network which should not be actively probed, you can also define a list of exclusions to prevent them from being scanned. The configuration is available in the device discovery settings page.
+
+> [!NOTE]
> Devices might still reply to multicast discovery attempts in the network. Those devices will be discovered but won't be actively probed. ## Can I exclude devices from being discovered?
- As device discovery uses passive methods to discover devices in the network, any device that communicates with your onboarded devices in the corporate network can be discovered and listed in the inventory. You can exclude devices from active probing only.
+
+As device discovery uses passive methods to discover devices in the network, any device that communicates with your onboarded devices in the corporate network can be discovered and listed in the inventory. You can exclude devices from active probing only.
## How frequent is the active probing?
- Devices will actively be probed when changes in device characteristics are observed to make sure the existing information is up-to-date (typically, devices probed no more than once in a three-week period)
+
+Devices will actively be probed when changes in device characteristics are observed to make sure the existing information is up-to-date (typically, devices probed no more than once in a three-week period)
## My security tool raised alert on UnicastScanner.ps1 or port scanning activity initiated by it, what should I do?
- The active probing scripts are signed by Microsoft and are safe. You can add the following path to your exclusion list:
-`C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads\*.ps1`
+The active probing scripts are signed by Microsoft and are safe. You can add the following path to your exclusion list:
+`C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads\*.ps1`
## What is the amount of traffic being generated by the Standard discovery active probe?
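Review bot: The exclusion recommended in this hunk is a path wildcard, `...\Downloads\*.ps1`, but the justification given is that the scripts are signed by Microsoft. A path exclusion covers any `.ps1` file in that folder regardless of signer, and the question only concerns `UnicastScanner.ps1`. Either scope the guidance to the named script, or add a sentence telling the reader to confirm the script's signature before adding the exclusion and to keep the exclusion as narrow as their tool allows.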
- Active probing can generate up to 50Kb of traffic between the onboarded device and the probed device, every probing attempt
+
+Active probing can generate up to 50Kb of traffic between the onboarded device and the probed device, every probing attempt
## Why is there a discrepancy between "can be onboarded" devices in the device inventory, and the number of "devices to onboard" in the dashboard tile?+ You may notice differences between the number of listed devices under "can be onboarded" in the device inventory, "onboard to Microsoft Defender for Endpoint" security recommendation, and "devices to onboard" dashboard widget. The security recommendation and the dashboard widget are for devices that are stable in the network; excluding ephemeral devices, guest devices and others. The idea is to recommend on persistent devices, that also imply on the overall security score of the organization. ## Can I onboard unmanaged devices that were found?
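Review bot: The traffic figure here is written "50Kb", while the later section "Active probing generates negligible amount of extra traffic" says "less than 50KB". Kilobits and kilobytes differ by a factor of eight, so settle on one unit and one bound ("up to" versus "less than") in both places. The sentence also needs its closing period and reads better as "on every probing attempt".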
- Yes. You can onboard unmanaged devices manually. Unmanaged endpoints in your network introduce vulnerabilities and risks to your network. Onboarding them to the service can increase the security visibility on them.
+
+Yes. You can onboard unmanaged devices manually. Unmanaged endpoints in your network introduce vulnerabilities and risks to your network. Onboarding them to the service can increase the security visibility on them.
## I've noticed that unmanaged device health state is always "Active", why is that?
-Temporarily, unmanaged device health state will be "Active" during the standard retention period of the device inventory, regardless of their actual state.
+Temporarily, unmanaged device health state will be "Active" during the standard retention period of the device inventory, regardless of their actual state.
## Does standard discovery look like malicious network activity?
-When considering Standard discovery, you may be wondering about the implications of probing, and specifically whether security tools might suspect such activity as malicious. The following subsection will explain why, in almost all cases, organizations should have no concerns around enabling Standard discovery.  
+
+When considering Standard discovery, you may be wondering about the implications of probing, and specifically whether security tools might suspect such activity as malicious. The following subsection will explain why, in almost all cases, organizations should have no concerns around enabling Standard discovery.
### Probing is distributed across all Windows devices on the network
-As opposed to malicious activity, which would typically scan the entire network from a small number of compromised devices, Microsoft Defender for Endpoint’s Standard discovery probing is initiated from all onboarded Windows devices making the activity benign and non-anomalous. The probing is centrally managed from the cloud to balance the probing attempt between all the supported onboarded devices in the network.  
+
+As opposed to malicious activity, which would typically scan the entire network from a small number of compromised devices, Microsoft Defender for EndpointΓÇÖs Standard discovery probing is initiated from all onboarded Windows devices making the activity benign and non-anomalous. The probing is centrally managed from the cloud to balance the probing attempt between all the supported onboarded devices in the network.
### Active probing generates negligible amount of extra traffic
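Review bot: The added paragraph renders the possessive as `EndpointΓÇÖs`, where the removed line had a readable apostrophe. That looks like an encoding regression introduced while trimming trailing whitespace. Use a plain ASCII apostrophe (`Endpoint's`) and check the file's encoding, because the same sequence shows up in the later added lines (`wonΓÇÖt`, `For example ΓÇô`).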
-Unmanaged devices would typically get probed no more than once in a three-week period and generate less than 50KB of traffic. Malicious activity usually includes high repetitive probing attempts and in some cases data exfiltration that generates a significant amount of network traffic that can be identified as an anomaly by network monitoring tools. 
-### Your Windows device already runs active discovery
-Active discovery capabilities have always been embedded in the Windows operating system, to find nearby devices, endpoints, and printers, for easier "plug and play" experiences and file sharing between endpoints in the network. Similar functionality is implemented in mobile devices, network equipment and inventory applications just to name a few.  
+Unmanaged devices would typically get probed no more than once in a three-week period and generate less than 50KB of traffic. Malicious activity usually includes high repetitive probing attempts and in some cases data exfiltration that generates a significant amount of network traffic that can be identified as an anomaly by network monitoring tools.
+
+### Your Windows device already runs active discovery
-Standard discovery uses the same discovery methods to identify devices and to have a unified visibility for all the devices in your network in the Microsoft 365 Defender Device Inventory. For example – Standard discovery identifies nearby endpoints in the network the same way Windows lists available printers in the network. 
+Active discovery capabilities have always been embedded in the Windows operating system, to find nearby devices, endpoints, and printers, for easier "plug and play" experiences and file sharing between endpoints in the network. Similar functionality is implemented in mobile devices, network equipment and inventory applications just to name a few.
-Network security and monitoring tools are indifferent to such activities performed by devices on the network. 
+Standard discovery uses the same discovery methods to identify devices and to have a unified visibility for all the devices in your network in the Microsoft 365 Defender Device Inventory. For example ΓÇô Standard discovery identifies nearby endpoints in the network the same way Windows lists available printers in the network.
+
+Network security and monitoring tools are indifferent to such activities performed by devices on the network.
### Only unmanaged devices are being probed
-The device discovery capabilities have been built to only discover and identify unmanaged devices on your network. This means that previously discovered devices that are already onboarded with Microsoft Defender for Endpoint won’t be probed. 
-### You can exclude network lures from active probing
-Standard discovery supports exclusion of devices or ranges (subnets) from active probing. If you have network lures deployed in place, you can use the Device Discovery settings to define exclusions based on IP addresses or subnets (a range of IP addresses). Defining those exclusions will ensure that those devices won’t be actively probed and won’t be alerted. Those devices will be discovered using passive methods only (similar to Basic discovery mode).
+The device discovery capabilities have been built to only discover and identify unmanaged devices on your network. This means that previously discovered devices that are already onboarded with Microsoft Defender for Endpoint wonΓÇÖt be probed.
+
+### You can exclude network lures from active probing
+
+Standard discovery supports exclusion of devices or ranges (subnets) from active probing. If you have network lures deployed in place, you can use the Device Discovery settings to define exclusions based on IP addresses or subnets (a range of IP addresses). Defining those exclusions will ensure that those devices wonΓÇÖt be actively probed and wonΓÇÖt be alerted. Those devices will be discovered using passive methods only (similar to Basic discovery mode).
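Review bot: In the network lures paragraph, "those devices won't be actively probed and won't be alerted" does not say who or what is not alerted. If the intent is that the lures will not raise alerts because of discovery probing, say so directly, for example "won't be actively probed, so they won't raise alerts for the probing". The apostrophes in this added line and in the "Only unmanaged devices are being probed" paragraph are also garbled and should be plain ASCII.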
security Device Timeline Event Flag https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/device-timeline-event-flag.md
ms.technology: mde
Event flags in the Defender for Endpoint device timeline help you filter and organize specific events when you're investigate potential attacks.
-The Defender for Endpoint device timeline provides a chronological view of the events and associated alerts observed on a device. This list of events provides full visibility into any events, files, and IP addresses observed on the device. The list can sometimes be lengthy. Device timeline event flags help you track events that could be related.
+The Defender for Endpoint device timeline provides a chronological view of the events and associated alerts observed on a device. This list of events provides full visibility into any events, files, and IP addresses observed on the device. The list can sometimes be lengthy. Device timeline event flags help you track events that could be related.
After you've gone through a device timeline, you can sort, filter, and export the specific events that you flagged.
While navigating the device timeline, you can search and filter for specific eve
## Flag an event 1. Find the event that you want to flag
-2. Click the flag icon in the Flag column.
-![Image of device timeline flag.](images/device-flags.png)
2. Click the flag icon in the Flag column.
+ ![Image of device timeline flag.](images/device-flags.png)
+
+3. Click the flag icon in the Flag column.
+ ![Image of device timeline flag](images/device-flags.png) ## View flagged events 1. In the timeline **Filters** section, enable **Flagged events**. 2. Click **Apply**. Only flagged events are displayed.
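Review bot: The added step "3. Click the flag icon in the Flag column." repeats step 2 word for word, and the same `device-flags.png` screenshot is now included twice, so "Flag an event" ends up with a duplicated instruction. Drop the added step 3 and its image and keep the indented screenshot under step 2. The "## View flagged events" heading also lands on the same line as the image and needs its own line.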
-You can apply additional filters by clicking on the time bar. This will only show events prior to the flagged event.
-![Image of device timeline flag with filter on.](images/device-flag-filter.png)
-2. Click **Apply**. Only flagged events are displayed. You can apply additional filters by clicking on the time bar. This will only show events prior to the flagged event.
+
+ You can apply additional filters by clicking on the time bar. This will only show events prior to the flagged event.
+
+ ![Image of device timeline flag with filter on.](images/device-flag-filter.png)
+
+3. Click **Apply**. Only flagged events are displayed. You can apply additional filters by clicking on the time bar. This will only show events prior to the flagged event.
![Image of device timeline flag with filter on](images/device-flag-filter.png)
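Review bot: The added "3. Click **Apply**. Only flagged events are displayed. ..." duplicates step 2 and the indented paragraph directly above it, so the time bar explanation and the `device-flag-filter.png` screenshot each appear twice in "View flagged events". Keep step 2 with the indented note and a single screenshot, and remove the added step 3 and the trailing image.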
security Get Assessment Methods Properties https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-assessment-methods-properties.md
Title: Export assessment methods and properties per device
-description: Provides information about the APIs that pull "threat and vulnerability management" data. There are different API calls to get different types of data. In general, each API call contains the requisite data for devices in your organization.
+description: Provides information about the APIs that pull "threat and vulnerability management" data. There are different API calls to get different types of data. In general, each API call contains the requisite data for devices in your organization.
keywords: api, apis, export assessment, per device assessment, per machine assessment, vulnerability assessment report, device vulnerability assessment, device vulnerability report, secure configuration assessment, secure configuration report, software vulnerabilities assessment, software vulnerability report, vulnerability report by machine, ms.prod: m365-security ms.mktglfcycl: deploy
## API description
-Provides methods and property details about the APIs that pull threat and vulnerability management data on a per-device basis. There are different API calls to get different types of data. In general, each API call contains the requisite data for devices in your organization.
+Provides methods and property details about the APIs that pull threat and vulnerability management data on a per-device basis. There are different API calls to get different types of data. In general, each API call contains the requisite data for devices in your organization.
> [!NOTE] > Unless indicated otherwise, all export assessment methods listed are **_full export_** and **_by device_** (also referred to as **_per device_**).
GeneratedTime|String|The time that the export was generated.
Property (ID)|Data type|Description :|:|:
-CveIdΓÇ»|String|Unique identifier assigned to the security vulnerability under the Common Vulnerabilities and Exposures (CVE) system.
+CveId |String|Unique identifier assigned to the security vulnerability under the Common Vulnerabilities and Exposures (CVE) system.
CvssScore|String|The CVSS score of the CVE. DeviceId|String|Unique identifier for the device in the service. DeviceName|String|Fully qualified domain name (FQDN) of the device. DiskPaths|Array[string]|Disk evidence that the product is installed on the device. EventTimestamp|String|The time the delta event was found.
-ExploitabilityLevel|String|The exploitability level of the vulnerability (NoExploit, ExploitIsPublic, ExploitIsVerified, ExploitIsInKit)
+ExploitabilityLevel|String|The exploitability level of the vulnerability (NoExploit, ExploitIsPublic, ExploitIsVerified, ExploitIsInKit)
FirstSeenTimestamp|String|First time the CVE of the product was seen on the device.
-Id|String|Unique identifier for the record.  
+Id|String|Unique identifier for the record.
LastSeenTimestamp|String|Last time the CVE was seen on the device.
-OSPlatform|String|Platform of the operating system running on the device; specific operating systems with variations within the same family, such as Windows 10 and Windows 11. See tvm supported operating systems and platforms for details.
+OSPlatform|String|Platform of the operating system running on the device; specific operating systems with variations within the same family, such as Windows 10 and Windows 11. See tvm supported operating systems and platforms for details.
RbacGroupName|String|The role-based access control (RBAC) group. If this device isn't assigned to any RBAC group, the value will be "Unassigned." If the organization doesn't contain any RBAC groups, the value will be "None." RecommendationReference|String|A reference to the recommendation ID related to this software.
-RecommendedSecurityUpdateΓÇ»|String|Name or description of the security update provided by the software vendor to address the vulnerability.
-RecommendedSecurityUpdateIdΓÇ»|String|Identifier of the applicable security updates or identifier for the corresponding guidance or knowledge base (KB) articles
-RegistryPathsΓÇ»|Array[string]|Registry evidence that the product is installed in the device.
+RecommendedSecurityUpdate |String|Name or description of the security update provided by the software vendor to address the vulnerability.
+RecommendedSecurityUpdateId |String|Identifier of the applicable security updates or identifier for the corresponding guidance or knowledge base (KB) articles
+RegistryPaths |Array[string]|Registry evidence that the product is installed in the device.
SoftwareName|String|Name of the software product. SoftwareVendor|String|Name of the software vendor. SoftwareVersion|String|Version number of the software product.
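Review bot: The three re-added rows still leave a space before the column separator (`RecommendedSecurityUpdate |String`, `RecommendedSecurityUpdateId |String`, `RegistryPaths |Array[string]`), whereas neighbouring rows such as `SoftwareName|String` have none. Remove the space so the property IDs are consistent across the table. The `RecommendedSecurityUpdateId` description is also the only one in this group without a closing period.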
-Status|String|**New** (for a new vulnerability introduced on a device). **Fixed** (for a vulnerability that doesn't exist anymore on the device, which means it was remediated). **Updated** (for a vulnerability on a device that has changed. The possible changes are: CVSS score, exploitability level, severity level, DiskPaths, RegistryPaths, RecommendedSecurityUpdate).
+Status|String|**New** (for a new vulnerability introduced on a device). **Fixed** (for a vulnerability that doesn't exist anymore on the device, which means it was remediated). **Updated** (for a vulnerability on a device that has changed. The possible changes are: CVSS score, exploitability level, severity level, DiskPaths, RegistryPaths, RecommendedSecurityUpdate).
VulnerabilitySeverityLevel|String|Severity level assigned to the security vulnerability based on the CVSS score and dynamic factors influenced by the threat landscape. ## See also
security Get Assessment Secure Config https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-assessment-secure-config.md
Data that is collected (using either _JSON response_ or _via files_) is the curr
### 1.1 API method description
-This API response contains the Secure Configuration Assessment on your exposed devices, and returns an entry for every unique combination of DeviceId, ConfigurationId.
+This API response contains the Secure Configuration Assessment on your exposed devices, and returns an entry for every unique combination of DeviceId, ConfigurationId.
#### 1.1.1 Limitations
GET https://api.securitycenter.microsoft.com/api/machines/SecureConfigurationsAs
```json {
-    "@odata.context": "api.securitycenter.microsoft.com/api/$metadata#Collection(microsoft.windowsDefenderATP.api.AssetConfiguration)",
-    "value": [
-        {
-            "deviceId": "00013ee62c6b12345b10214e1801b217b50ab455c293d",
-            "rbacGroupName": "hhh",
-            "deviceName": "ComputerPII_5d96860d69c73fdd06fc8d1679e1eb73eceb8330",
-            "osPlatform": "Windows10" "Windows11",
-            "osVersion": "NT kernel 6.x",
-            "timestamp": "2021-01-11 09:47:58.854",
-            "configurationId": "scid-10000",
-            "configurationCategory": "Network",
-            "configurationSubcategory": "",
-            "configurationImpact": 5,
-            "isCompliant": true,
-            "isApplicable": true,
-            "isExpectedUserImpact": false,
-            "configurationName": "Disable insecure administration protocol - Telnet",
-            "recommendationReference": "sca-_-scid-10000"
-        },
-        {
-            "deviceId": "0002a1be533813b9a8c6de739785365bce7910",
-            "rbacGroupName": "hhh",
-            "deviceName": null,
-            "osPlatform": "Windows10" "Windows11",
-            "osVersion": "10.0",
-            "timestamp": "2021-01-11 09:47:58.854",
-            "configurationId": "scid-20000",
-            "configurationCategory": "Security controls",
-            "configurationSubcategory": "Onboard Devices",
-            "configurationImpact": 9,
-            "isCompliant": false,
-            "isApplicable": true,
-            "isExpectedUserImpact": false,
-            "configurationName": "Onboard devices to Microsoft Defender for Endpoint",
-            "recommendationReference": "sca-_-scid-20000"
-        },
-        {
-            "deviceId": "0002a1de123456a8c06de736785395d4ce7610",
-            "rbacGroupName": "hhh",
-            "deviceName": null,
-            "osPlatform": "Windows10" "Windows11",
-            "osVersion": "10.0",
-            "timestamp": "2021-01-11 09:47:58.854",
-            "configurationId": "scid-10000",
-            "configurationCategory": "Network",
-            "configurationSubcategory": "",
-            "configurationImpact": 5,
-            "isCompliant": true,
-            "isApplicable": true,
-            "isExpectedUserImpact": false,
-            "configurationName": "Disable insecure administration protocol - Telnet",
-            "recommendationReference": "sca-_-scid-10000"
-        },
-        {
-            "deviceId": "00044f912345bdaf756492dbe6db733b6a9c59ab4",
-            "rbacGroupName": "hhh",
-            "deviceName": "ComputerPII_18663d45912eed224b2be2f5ea3142726e63f16a.DomainPII_21eeb80b086e76bdfa178eadfa25e8de9acfa346.corp.contoso.com",
-            "osPlatform": "Windows10" "Windows11",
-            "osVersion": "10.0.17763.1637",
-            "timestamp": "2021-01-11 09:47:58.854",
-            "configurationId": "scid-39",
-            "configurationCategory": "OS",
-            "configurationSubcategory": "",
-            "configurationImpact": 5,
-            "isCompliant": true,
-            "isApplicable": true,
-            "isExpectedUserImpact": false,
-            "configurationName": "Enable 'Domain member: Digitally sign secure channel data (when possible)'",
-            "recommendationReference": "sca-_-scid-39"
-        },
-        {
-            "deviceId": "00044f912345daf759462bde6bd733d6a9c56ab4",
-            "rbacGroupName": "hhh",
-            "deviceName": "ComputerPII_18663b45612eeb224d2de2f5ea3142726e63f16a.DomainPII_21eed80d086e76dbfa178eadfa25e8be9acfa346.corp.contoso.com",
-            "osPlatform": "Windows10" "Windows11",
-            "osVersion": "10.0.17763.1637",
-            "timestamp": "2021-01-11 09:47:58.854",
-            "configurationId": "scid-6093",
-            "configurationCategory": "Security controls",
-            "configurationSubcategory": "Antivirus",
-            "configurationImpact": 5,
-            "isCompliant": false,
-            "isApplicable": false,
-            "isExpectedUserImpact": false,
-            "configurationName": "Enable Microsoft Defender Antivirus real-time behavior monitoring for Linux",
-            "recommendationReference": "sca-_-scid-6093"
-        }
-    ],
-    "@odata.nextLink": "https://api.securitycenter.microsoft.com/api/machines/SecureConfigurationsAssessmentByMachine?pagesize=5&$skiptoken=eyJFeHBvcnREZWZpbml0aW9uIjp7IlRpbWVQYXRoIjoiMjAyMS0wMS0xMS8xMTAxLyJ9LCJFeHBvcnRGaWxlSW5kZXgiOjAsIkxpbmVTdG9wcGVkQXQiOjV9"
+ "@odata.context": "api.securitycenter.microsoft.com/api/$metadata#Collection(microsoft.windowsDefenderATP.api.AssetConfiguration)",
+ "value": [
+ {
+ "deviceId": "00013ee62c6b12345b10214e1801b217b50ab455c293d",
+ "rbacGroupName": "hhh",
+ "deviceName": "ComputerPII_5d96860d69c73fdd06fc8d1679e1eb73eceb8330",
+ "osPlatform": "Windows10" "Windows11",
+ "osVersion": "NT kernel 6.x",
+ "timestamp": "2021-01-11 09:47:58.854",
+ "configurationId": "scid-10000",
+ "configurationCategory": "Network",
+ "configurationSubcategory": "",
+ "configurationImpact": 5,
+ "isCompliant": true,
+ "isApplicable": true,
+ "isExpectedUserImpact": false,
+ "configurationName": "Disable insecure administration protocol - Telnet",
+ "recommendationReference": "sca-_-scid-10000"
+ },
+ {
+ "deviceId": "0002a1be533813b9a8c6de739785365bce7910",
+ "rbacGroupName": "hhh",
+ "deviceName": null,
+ "osPlatform": "Windows10" "Windows11",
+ "osVersion": "10.0",
+ "timestamp": "2021-01-11 09:47:58.854",
+ "configurationId": "scid-20000",
+ "configurationCategory": "Security controls",
+ "configurationSubcategory": "Onboard Devices",
+ "configurationImpact": 9,
+ "isCompliant": false,
+ "isApplicable": true,
+ "isExpectedUserImpact": false,
+ "configurationName": "Onboard devices to Microsoft Defender for Endpoint",
+ "recommendationReference": "sca-_-scid-20000"
+ },
+ {
+ "deviceId": "0002a1de123456a8c06de736785395d4ce7610",
+ "rbacGroupName": "hhh",
+ "deviceName": null,
+ "osPlatform": "Windows10" "Windows11",
+ "osVersion": "10.0",
+ "timestamp": "2021-01-11 09:47:58.854",
+ "configurationId": "scid-10000",
+ "configurationCategory": "Network",
+ "configurationSubcategory": "",
+ "configurationImpact": 5,
+ "isCompliant": true,
+ "isApplicable": true,
+ "isExpectedUserImpact": false,
+ "configurationName": "Disable insecure administration protocol - Telnet",
+ "recommendationReference": "sca-_-scid-10000"
+ },
+ {
+ "deviceId": "00044f912345bdaf756492dbe6db733b6a9c59ab4",
+ "rbacGroupName": "hhh",
+ "deviceName": "ComputerPII_18663d45912eed224b2be2f5ea3142726e63f16a.DomainPII_21eeb80b086e76bdfa178eadfa25e8de9acfa346.corp.contoso.com",
+ "osPlatform": "Windows10" "Windows11",
+ "osVersion": "10.0.17763.1637",
+ "timestamp": "2021-01-11 09:47:58.854",
+ "configurationId": "scid-39",
+ "configurationCategory": "OS",
+ "configurationSubcategory": "",
+ "configurationImpact": 5,
+ "isCompliant": true,
+ "isApplicable": true,
+ "isExpectedUserImpact": false,
+ "configurationName": "Enable 'Domain member: Digitally sign secure channel data (when possible)'",
+ "recommendationReference": "sca-_-scid-39"
+ },
+ {
+ "deviceId": "00044f912345daf759462bde6bd733d6a9c56ab4",
+ "rbacGroupName": "hhh",
+ "deviceName": "ComputerPII_18663b45612eeb224d2de2f5ea3142726e63f16a.DomainPII_21eed80d086e76dbfa178eadfa25e8be9acfa346.corp.contoso.com",
+ "osPlatform": "Windows10" "Windows11",
+ "osVersion": "10.0.17763.1637",
+ "timestamp": "2021-01-11 09:47:58.854",
+ "configurationId": "scid-6093",
+ "configurationCategory": "Security controls",
+ "configurationSubcategory": "Antivirus",
+ "configurationImpact": 5,
+ "isCompliant": false,
+ "isApplicable": false,
+ "isExpectedUserImpact": false,
+ "configurationName": "Enable Microsoft Defender Antivirus real-time behavior monitoring for Linux",
+ "recommendationReference": "sca-_-scid-6093"
+ }
+ ],
+ "@odata.nextLink": "https://api.securitycenter.microsoft.com/api/machines/SecureConfigurationsAssessmentByMachine?pagesize=5&$skiptoken=eyJFeHBvcnREZWZpbml0aW9uIjp7IlRpbWVQYXRoIjoiMjAyMS0wMS0xMS8xMTAxLyJ9LCJFeHBvcnRGaWxlSW5kZXgiOjAsIkxpbmVTdG9wcGVkQXQiOjV9"
} ```
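Review bot: `"osPlatform": "Windows10" "Windows11",` on every added entry is two string literals in a row, so the sample response is not valid JSON and fails to parse if copied; the re-indent carries this over unchanged. Give each entry a single value and list the possible platform values in the property description instead. Two smaller points in the same hunk: the added `@odata.context` value starts at `api.securitycenter.microsoft.com` with no `https://` scheme, unlike the other samples in this update, and the last entry pairs a Windows `osPlatform` and `osVersion` with a configuration named "... real-time behavior monitoring for Linux", which needs either a sentence explaining why it is listed with `isApplicable: false` or a different sample row.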
GET https://api.securitycenter.microsoft.com/api/machines/SecureConfigurationsAs
### 2.1 API method description
-This API response contains the Secure Configuration Assessment on your exposed devices, and returns an entry for every unique combination of DeviceId, ConfigurationId.
+This API response contains the Secure Configuration Assessment on your exposed devices, and returns an entry for every unique combination of DeviceId, ConfigurationId.
#### 2.1.2 Limitations
GET https://api.securitycenter.microsoft.com/api/machines/SecureConfigurationsAs
```json {
-    "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#contoso.windowsDefenderATP.api.ExportFilesResponse",
-    "exportFiles": [
-        "https://tvmexportstrstgeus.blob.core.windows.net/tvm-export/2021-01-11/1101/ScaExport/json/OrgId=12345678-195f-4223-9c7a-99fb420fd000/part-00393-e423630d-4c69-4490-8769-a4f5468c4f25.c000.json.gz?sv=2019-12-12&st=2021-01-11T11%3A55%3A51Z&se=2021-01-11T14%3A55%3A51Z&sr=b&sp=r&sig=...",
-        "https://tvmexportstrstgeus.blob.core.windows.net/tvm-export/2021-01-11/1101/ScaExport/json/OrgId=12345678-195f-4223-9c7a-99fb420fd000/part-00394-e423630d-4c69-4490-8769-a4f5468c4f25.c000.json.gz?sv=2019-12-12&st=2021-01-11T11%3A55%3A51Z&se=2021-01-11T14%3A55%3A51Z&sr=b&sp=r&sig=...",
-        "https://tvmexportstrstgeus.blob.core.windows.net/tvm-export/2021-01-11/1101/ScaExport/json/OrgId=12345678-195f-4223-9c7a-99fb420fd000/part-00394-e423630d-4c69-4490-8769-a4f5468c4f25.c001.json.gz?sv=2019-12-12&st=2021-01-11T11%3A55%3A51Z&se=2021-01-11T14%3A55%3A51Z&sr=b&sp=r&sig=..."
-    ],
-    "generatedTime": "2021-01-11T11:01:00Z"
+ "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#contoso.windowsDefenderATP.api.ExportFilesResponse",
+ "exportFiles": [
+ "https://tvmexportstrstgeus.blob.core.windows.net/tvm-export/2021-01-11/1101/ScaExport/json/OrgId=12345678-195f-4223-9c7a-99fb420fd000/part-00393-e423630d-4c69-4490-8769-a4f5468c4f25.c000.json.gz?sv=2019-12-12&st=2021-01-11T11%3A55%3A51Z&se=2021-01-11T14%3A55%3A51Z&sr=b&sp=r&sig=...",
+ "https://tvmexportstrstgeus.blob.core.windows.net/tvm-export/2021-01-11/1101/ScaExport/json/OrgId=12345678-195f-4223-9c7a-99fb420fd000/part-00394-e423630d-4c69-4490-8769-a4f5468c4f25.c000.json.gz?sv=2019-12-12&st=2021-01-11T11%3A55%3A51Z&se=2021-01-11T14%3A55%3A51Z&sr=b&sp=r&sig=...",
+ "https://tvmexportstrstgeus.blob.core.windows.net/tvm-export/2021-01-11/1101/ScaExport/json/OrgId=12345678-195f-4223-9c7a-99fb420fd000/part-00394-e423630d-4c69-4490-8769-a4f5468c4f25.c001.json.gz?sv=2019-12-12&st=2021-01-11T11%3A55%3A51Z&se=2021-01-11T14%3A55%3A51Z&sr=b&sp=r&sig=..."
+ ],
+ "generatedTime": "2021-01-11T11:01:00Z"
} ```
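Review bot: the added `@odata.context` names the type as `contoso.windowsDefenderATP.api.ExportFilesResponse`, while the JSON-response sample earlier in this article uses `microsoft.windowsDefenderATP.api.AssetConfiguration`. Use one namespace throughout so readers do not mistake the sample tenant name for part of the schema.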
security Get Assessment Software Inventory https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-assessment-software-inventory.md
Data that is collected (using either _Json response_ or _via files_) is the curr
### 1.1 API method description
-This API response contains all the data of installed software per device. Returns a table with an entry for every unique combination of DeviceId, SoftwareVendor, SoftwareName, SoftwareVersion.
+This API response contains all the data of installed software per device. Returns a table with an entry for every unique combination of DeviceId, SoftwareVendor, SoftwareName, SoftwareVersion.
#### Limitations
GET https://api.securitycenter.microsoft.com/api/machines/SoftwareInventoryByMac
```json {
-    "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Collection(contoso.windowsDefenderATP.api.AssetSoftware)",
-    "value": [
-        {
-            "deviceId": "00044f68765bbaf712342dbe6db733b6a9c59ab4",
-            "rbacGroupName": "hhh",
-            "deviceName": "ComputerPII_18993b45912eeb224b2be2f5ea3142726e63f16a.DomainPII_21eeb80d086e79dbfa178eadfa25e8de9acfa346.corp.contoso.com",
-            "osPlatform": "Windows10" "Windows11",
-            "softwareVendor": "microsoft",
-            "softwareName": "windows_10" "Windows_11",
-            "softwareVersion": "10.0.17763.1637",
-            "numberOfWeaknesses": 58,
-            "diskPaths": [],
-            "registryPaths": [],
-            "softwareFirstSeenTimestamp": "2020-12-30 11:07:15",
-            "endOfSupportStatus": "Upcoming EOS Version",
-            "endOfSupportDate": "2021-05-11T00:00:00+00:00"
-        },
-        {
-            "deviceId": "00044f68765bbaf712342dbe6db733b6a9c59ab4",
-            "rbacGroupName": "hhh",
-            "deviceName": "ComputerPII_18993b45912eeb224b2be2f5ea3142726e63f16a.DomainPII_21eeb80d086e79dbfa178eadfa25e8de9acfa346.corp.contoso.com",
-            "osPlatform": "Windows10" "Windows11",
-            "softwareVendor": "microsoft",
-            "softwareName": ".net_framework",
-            "softwareVersion": "4.0.0.0",
-            "numberOfWeaknesses": 0,
-            "diskPaths": [],
-            "registryPaths": [
-                "SOFTWARE\\Microsoft\\NET Framework Setup\\NDP\\v4.0\\Client\\Install"
-            ],
-            "softwareFirstSeenTimestamp": "2020-12-30 11:07:15",
-            "endOfSupportStatus": "None",
-            "endOfSupportDate": null
-        },
-        {
-            "deviceId": "00044f68765bbaf712342dbe6db733b6a9c59ab4",
-            "rbacGroupName": "hhh",
-            "deviceName": "ComputerPII_18993b45912eeb224b2be2f5ea3142726e63f16a.DomainPII_21eed80d086e79bdfa178eadfa25e8de9acfa346.corp.contoso.com",
-            "osPlatform": "Windows10" "Windows11",
-            "softwareVendor": "microsoft",
-            "softwareName": "system_center_2012_endpoint_protection",
-            "softwareVersion": "4.7.214.0",
-            "numberOfWeaknesses": 0,
-            "diskPaths": [],
-            "registryPaths": [
-                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Microsoft Security Client"
-            ],
-            "softwareFirstSeenTimestamp": "2020-12-30 11:07:15",
-            "endOfSupportStatus": "None",
-            "endOfSupportDate": null
-        },
-        {
-            "deviceId": "00044f68765ddaf71234bde6bd733d6a9c59ad4",
-            "rbacGroupName": "hhh",
-            "deviceName": "ComputerPII_18993b45912eeb224b2be2f5ea3142726e63f16a.DomainPII_21eeb80d086e79dbfa178aedfa25e8be9acfa346.corp.contoso.com",
-            "osPlatform": "Windows10" "Windows11",
-            "softwareVendor": "microsoft",
-            "softwareName": "configuration_manager",
-            "softwareVersion": "5.0.8634.1000",
-            "numberOfWeaknesses": 0,
-            "diskPaths": [],
-            "registryPaths": [
-                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{B7D3A842-E826-4542-B39B-1D883264B279}"
-            ],
-            "softwareFirstSeenTimestamp": "2020-12-30 11:07:15",
-            "endOfSupportStatus": "None",
-            "endOfSupportDate": null
-        },
-        {
-            "deviceId": "00044f38765bbaf712342dbe6db733b6a9c59ab4",
-            "rbacGroupName": "hhh",
-            "deviceName": "ComputerPII_18993b45912eeb224b2de2f5ea3142726e63f16a.DomainPII_21eeb80d086e79bdfa178eadfa25e8be9acfa346.corp.contoso.com",
-            "osPlatform": "Windows10" "Windows11",
-            "softwareVendor": "microsoft",
-            "softwareName": "system_center_2012_endpoint_protection",
-            "softwareVersion": "4.10.209.0",
-            "numberOfWeaknesses": 0,
-            "diskPaths": [],
-            "registryPaths": [
-                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Microsoft Security Client"
-            ],
-            "softwareFirstSeenTimestamp": "2020-12-30 11:07:15",
-            "endOfSupportStatus": "None",
-            "endOfSupportDate": null
-        }
-    ],
-    "@odata.nextLink": "https://api.securitycenter.microsoft.com/api/machines/SoftwareInventoryByMachine?pagesize=5&$skiptoken=eyJFeHBvcnREZWZpbml0aW9uIjp7IlRpbWVQYXRoIjoiMjAyMS0wMS0yNS8wMjAwLyJ9LCJFeHBvcnRGaWxlSW5kZXgiOjAsIkxpbmVTdG9wcGVkQXQiOjV9"
+ "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Collection(contoso.windowsDefenderATP.api.AssetSoftware)",
+ "value": [
+ {
+ "deviceId": "00044f68765bbaf712342dbe6db733b6a9c59ab4",
+ "rbacGroupName": "hhh",
+ "deviceName": "ComputerPII_18993b45912eeb224b2be2f5ea3142726e63f16a.DomainPII_21eeb80d086e79dbfa178eadfa25e8de9acfa346.corp.contoso.com",
+ "osPlatform": "Windows10" "Windows11",
+ "softwareVendor": "microsoft",
+ "softwareName": "windows_10" "Windows_11",
+ "softwareVersion": "10.0.17763.1637",
+ "numberOfWeaknesses": 58,
+ "diskPaths": [],
+ "registryPaths": [],
+ "softwareFirstSeenTimestamp": "2020-12-30 11:07:15",
+ "endOfSupportStatus": "Upcoming EOS Version",
+ "endOfSupportDate": "2021-05-11T00:00:00+00:00"
+ },
+ {
+ "deviceId": "00044f68765bbaf712342dbe6db733b6a9c59ab4",
+ "rbacGroupName": "hhh",
+ "deviceName": "ComputerPII_18993b45912eeb224b2be2f5ea3142726e63f16a.DomainPII_21eeb80d086e79dbfa178eadfa25e8de9acfa346.corp.contoso.com",
+ "osPlatform": "Windows10" "Windows11",
+ "softwareVendor": "microsoft",
+ "softwareName": ".net_framework",
+ "softwareVersion": "4.0.0.0",
+ "numberOfWeaknesses": 0,
+ "diskPaths": [],
+ "registryPaths": [
+ "SOFTWARE\\Microsoft\\NET Framework Setup\\NDP\\v4.0\\Client\\Install"
+ ],
+ "softwareFirstSeenTimestamp": "2020-12-30 11:07:15",
+ "endOfSupportStatus": "None",
+ "endOfSupportDate": null
+ },
+ {
+ "deviceId": "00044f68765bbaf712342dbe6db733b6a9c59ab4",
+ "rbacGroupName": "hhh",
+ "deviceName": "ComputerPII_18993b45912eeb224b2be2f5ea3142726e63f16a.DomainPII_21eed80d086e79bdfa178eadfa25e8de9acfa346.corp.contoso.com",
+ "osPlatform": "Windows10" "Windows11",
+ "softwareVendor": "microsoft",
+ "softwareName": "system_center_2012_endpoint_protection",
+ "softwareVersion": "4.7.214.0",
+ "numberOfWeaknesses": 0,
+ "diskPaths": [],
+ "registryPaths": [
+ "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Microsoft Security Client"
+ ],
+ "softwareFirstSeenTimestamp": "2020-12-30 11:07:15",
+ "endOfSupportStatus": "None",
+ "endOfSupportDate": null
+ },
+ {
+ "deviceId": "00044f68765ddaf71234bde6bd733d6a9c59ad4",
+ "rbacGroupName": "hhh",
+ "deviceName": "ComputerPII_18993b45912eeb224b2be2f5ea3142726e63f16a.DomainPII_21eeb80d086e79dbfa178aedfa25e8be9acfa346.corp.contoso.com",
+ "osPlatform": "Windows10" "Windows11",
+ "softwareVendor": "microsoft",
+ "softwareName": "configuration_manager",
+ "softwareVersion": "5.0.8634.1000",
+ "numberOfWeaknesses": 0,
+ "diskPaths": [],
+ "registryPaths": [
+ "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{B7D3A842-E826-4542-B39B-1D883264B279}"
+ ],
+ "softwareFirstSeenTimestamp": "2020-12-30 11:07:15",
+ "endOfSupportStatus": "None",
+ "endOfSupportDate": null
+ },
+ {
+ "deviceId": "00044f38765bbaf712342dbe6db733b6a9c59ab4",
+ "rbacGroupName": "hhh",
+ "deviceName": "ComputerPII_18993b45912eeb224b2de2f5ea3142726e63f16a.DomainPII_21eeb80d086e79bdfa178eadfa25e8be9acfa346.corp.contoso.com",
+ "osPlatform": "Windows10" "Windows11",
+ "softwareVendor": "microsoft",
+ "softwareName": "system_center_2012_endpoint_protection",
+ "softwareVersion": "4.10.209.0",
+ "numberOfWeaknesses": 0,
+ "diskPaths": [],
+ "registryPaths": [
+ "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Microsoft Security Client"
+ ],
+ "softwareFirstSeenTimestamp": "2020-12-30 11:07:15",
+ "endOfSupportStatus": "None",
+ "endOfSupportDate": null
+ }
+ ],
+ "@odata.nextLink": "https://api.securitycenter.microsoft.com/api/machines/SoftwareInventoryByMachine?pagesize=5&$skiptoken=eyJFeHBvcnREZWZpbml0aW9uIjp7IlRpbWVQYXRoIjoiMjAyMS0wMS0yNS8wMjAwLyJ9LCJFeHBvcnRGaWxlSW5kZXgiOjAsIkxpbmVTdG9wcGVkQXQiOjV9"
} ```
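Review bot: `"softwareName": "windows_10" "Windows_11",` in the first added entry has the same two-literals problem as `osPlatform` and also mixes casing (`windows_10` against `Windows_11`), so the sample is not valid JSON and leaves the real format of the field unclear. Keep one lowercase value per entry. The `registryPaths` samples are also inconsistent: the `.net_framework` entry starts at `SOFTWARE\\Microsoft\\...` with no hive, while the others start with `HKEY_LOCAL_MACHINE\\`; state which form the API returns or make the samples agree.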
GET https://api.securitycenter.microsoft.com/api/machines/SoftwareInventoryByMac
### 2.1 API method description
-This API response contains all the data of installed software per device. Returns a table with an entry for every unique combination of DeviceId, SoftwareVendor, SoftwareName, SoftwareVersion.
+This API response contains all the data of installed software per device. Returns a table with an entry for every unique combination of DeviceId, SoftwareVendor, SoftwareName, SoftwareVersion.
#### 2.1.1 Limitations
GET https://api.securitycenter.microsoft.com/api/machines/SoftwareInventoryExpor
```json {
-    "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#microsoft.windowsDefenderATP.api.ExportFilesResponse",
-    "exportFiles": [
-        "https://tvmexportstrstgeus.blob.core.windows.net/tvm-export/2021-01-11/1101/SoftwareInventory/json/OrgId=12345678-195f-4223-9c7a-99fb420fd000/part-00393-e423630d-4c69-4490-8769-a4f5468c4f25.c000.json.gz?sv=2019-12-12&st=2021-01-11T11%3A55%3A51Z&se=2021-01-11T14%3A55%3A51Z&sr=b&sp=r&sig=...",
-        "https://tvmexportstrstgeus.blob.core.windows.net/tvm-export/2021-01-11/1101/SoftwareInventory/json/OrgId=12345678-195f-4223-9c7a-99fb420fd000/part-00394-e423630d-4c69-4490-8769-a4f5468c4f25.c000.json.gz?sv=2019-12-12&st=2021-01-11T11%3A55%3A51Z&se=2021-01-11T14%3A55%3A51Z&sr=b&sp=r&sig=...",
-        "https://tvmexportstrstgeus.blob.core.windows.net/tvm-export/2021-01-11/1101/SoftwareInventory/json/OrgId=12345678-195f-4223-9c7a-99fb420fd000/part-00394-e423630d-4c69-4490-8769-a4f5468c4f25.c001.json.gz?sv=2019-12-12&st=2021-01-11T11%3A55%3A51Z&se=2021-01-11T14%3A55%3A51Z&sr=b&sp=r&sig=..."
-    ],
-    "generatedTime": "2021-01-11T11:01:00Z"
+ "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#microsoft.windowsDefenderATP.api.ExportFilesResponse",
+ "exportFiles": [
+ "https://tvmexportstrstgeus.blob.core.windows.net/tvm-export/2021-01-11/1101/SoftwareInventory/json/OrgId=12345678-195f-4223-9c7a-99fb420fd000/part-00393-e423630d-4c69-4490-8769-a4f5468c4f25.c000.json.gz?sv=2019-12-12&st=2021-01-11T11%3A55%3A51Z&se=2021-01-11T14%3A55%3A51Z&sr=b&sp=r&sig=...",
+ "https://tvmexportstrstgeus.blob.core.windows.net/tvm-export/2021-01-11/1101/SoftwareInventory/json/OrgId=12345678-195f-4223-9c7a-99fb420fd000/part-00394-e423630d-4c69-4490-8769-a4f5468c4f25.c000.json.gz?sv=2019-12-12&st=2021-01-11T11%3A55%3A51Z&se=2021-01-11T14%3A55%3A51Z&sr=b&sp=r&sig=...",
+ "https://tvmexportstrstgeus.blob.core.windows.net/tvm-export/2021-01-11/1101/SoftwareInventory/json/OrgId=12345678-195f-4223-9c7a-99fb420fd000/part-00394-e423630d-4c69-4490-8769-a4f5468c4f25.c001.json.gz?sv=2019-12-12&st=2021-01-11T11%3A55%3A51Z&se=2021-01-11T14%3A55%3A51Z&sr=b&sp=r&sig=..."
+ ],
+ "generatedTime": "2021-01-11T11:01:00Z"
} ```
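Review bot: the `exportFiles` entries are signed blob URLs (`sp=r`, with `st` and `se` three hours apart and the signature elided as `sig=...`), but nothing in this hunk tells the reader that anyone holding such a URL can read the export until `se` passes. Add a sentence next to the sample saying the download URLs are short-lived, read-only, and should be kept out of logs and tickets.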
security Get Assessment Software Vulnerabilities https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-assessment-software-vulnerabilities.md
Title: Export software vulnerabilities assessment per device
-description: The API response is per device and contains vulnerable software installed on your exposed devices and any known vulnerabilities in these software products. This table also includes operating system information, CVE IDs, and vulnerability severity information.
+description: The API response is per device and contains vulnerable software installed on your exposed devices and any known vulnerabilities in these software products. This table also includes operating system information, CVE IDs, and vulnerability severity information.
keywords: api, apis, export assessment, per device assessment, vulnerability assessment report, device vulnerability assessment, device vulnerability report, secure configuration assessment, secure configuration report, software vulnerabilities assessment, software vulnerability report, vulnerability report by machine, ms.prod: m365-security ms.mktglfcycl: deploy
Data that is collected (using either _Json response_ or _via files_) is the curr
### 1.1 API method description
-This API response contains all the data of installed software per device. Returns a table with an entry for every unique combination of DeviceId, SoftwareVendor, SoftwareName, SoftwareVersion, CVEID.
+This API response contains all the data of installed software per device. Returns a table with an entry for every unique combination of DeviceId, SoftwareVendor, SoftwareName, SoftwareVersion, CVEID.
#### 1.1.1 Limitations
GET https://api.securitycenter.microsoft.com/api/machines/SoftwareVulnerabilitie
```json {
-    "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Collection(microsoft.windowsDefenderATP.api.AssetVulnerability)",
-    "value": [
-        {
-            "id": "00044f612345baf759462dbe6db733b6a9c59ab4_edge_10.0.17763.1637__",
-            "deviceId": "00044f612345daf756462bde6bd733b9a9c59ab4",
-            "rbacGroupName": "hhh",
-            "deviceName": "ComputerPII_18663b45912eed224b2de2f5ea3142726e63f16a.DomainPII_21eeb80d089e79bdfa178eabfa25e8de9acfa346.corp.contoso.com",
-            "osPlatform": "Windows10" "Windows11",
-            "osVersion": "10.0.17763.1637",
-            "osArchitecture": "x64",
-            "softwareVendor": "microsoft",
-            "softwareName": "edge",
-            "softwareVersion": "10.0.17763.1637",
-            "cveId": null,
-            "vulnerabilitySeverityLevel": null,
-            "recommendedSecurityUpdate": null,
-            "recommendedSecurityUpdateId": null,
-            "recommendedSecurityUpdateUrl": null,
-            "diskPaths": [],
-            "registryPaths": [],
-            "lastSeenTimestamp": "2020-12-30 14:17:26",
-            "firstSeenTimestamp": "2020-12-30 11:07:15",
-            "exploitabilityLevel": "NoExploit",
-            "recommendationReference": "va-_-microsoft-_-edge"
-        },
-        {
-            "id": "00044f912345baf756462bde6db733b9a9c56ad4_.net_framework_4.0.0.0__",
-            "deviceId": "00044f912345daf756462bde6db733b6a9c59ad4",
-            "rbacGroupName": "hhh",
-            "deviceName": "ComputerPII_18663b45912eed224b2be2f5ea3142726e63f16a.DomainPII_21eeb80b086e79bdfa178eabfa25e8de6acfa346.corp.contoso.com",
-            "osPlatform": "Windows10" "Windows11",
-            "osVersion": "10.0.17763.1637",
-            "osArchitecture": "x64",
-            "softwareVendor": "microsoft",
-            "softwareName": ".net_framework",
-            "softwareVersion": "4.0.0.0",
-            "cveId": null,
-            "vulnerabilitySeverityLevel": null,
-            "recommendedSecurityUpdate": null,
-            "recommendedSecurityUpdateId": null,
-            "recommendedSecurityUpdateUrl": null,
-            "diskPaths": [],
-            "registryPaths": [
-                "SOFTWARE\\Microsoft\\NET Framework Setup\\NDP\\v4.0\\Client\\Install"
-            ],
-            "lastSeenTimestamp": "2020-12-30 13:18:33",
-            "firstSeenTimestamp": "2020-12-30 11:07:15",
-            "exploitabilityLevel": "NoExploit",
-            "recommendationReference": "va-_-microsoft-_-.net_framework"
-        },
-        {
-            "id": "00044f912345baf756462dbe6db733d6a9c59ab4_system_center_2012_endpoint_protection_4.10.209.0__",
-            "deviceId": "00044f912345daf756462bde6db733b6a9c59ab4",
-            "rbacGroupName": "hhh",
-            "deviceName": "ComputerPII_18663b45912eed224b2be2f5ea3142726e63f16a.DomainPII_21eed80b089e79bdfa178eadfa25e8be6acfa346.corp.contoso.com",
-            "osPlatform": "Windows10" "Windows11",
-            "osVersion": "10.0.17763.1637",
-            "osArchitecture": "x64",
-            "softwareVendor": "microsoft",
-            "softwareName": "system_center_2012_endpoint_protection",
-            "softwareVersion": "4.10.209.0",
-            "cveId": null,
-            "vulnerabilitySeverityLevel": null,
-            "recommendedSecurityUpdate": null,
-            "recommendedSecurityUpdateId": null,
-            "recommendedSecurityUpdateUrl": null,
-            "diskPaths": [],
-            "registryPaths": [
-                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Microsoft Security Client"
-            ],
-            "lastSeenTimestamp": "2020-12-30 14:17:26",
-            "firstSeenTimestamp": "2020-12-30 11:07:15",
-            "exploitabilityLevel": "NoExploit",
-            "recommendationReference": "va-_-microsoft-_-system_center_2012_endpoint_protection"
-        },
-        {
-            "id": "00044f612345bdaf759462dbe6bd733b6a9c59ab4_onedrive_20.245.1206.2__",
-            "deviceId": "00044f91234daf759492dbe6bd733b6a9c59ab4",
-            "rbacGroupName": "hhh",
-            "deviceName": "ComputerPII_189663d45612eed224b2be2f5ea3142729e63f16a.DomainPII_21eed80b086e79bdfa178eadfa25e8de6acfa346.corp.contoso.com",
-            "osPlatform": "Windows10" "Windows11",
-            "osVersion": "10.0.17763.1637",
-            "osArchitecture": "x64",
-            "softwareVendor": "microsoft",
-            "softwareName": "onedrive",
-            "softwareVersion": "20.245.1206.2",
-            "cveId": null,
-            "vulnerabilitySeverityLevel": null,
-            "recommendedSecurityUpdate": null,
-            "recommendedSecurityUpdateId": null,
-            "recommendedSecurityUpdateUrl": null,
-            "diskPaths": [],
-            "registryPaths": [
-                "HKEY_USERS\\S-1-5-21-2944539346-1310925172-2349113062-1001\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\OneDriveSetup.exe"
-            ],
-            "lastSeenTimestamp": "2020-12-30 13:18:33",
-            "firstSeenTimestamp": "2020-12-30 11:07:15",
-            "exploitabilityLevel": "NoExploit",
-            "recommendationReference": "va-_-microsoft-_-onedrive"
-        },
-        {
-            "id": "00044f912345daf759462bde6db733b6a9c56ab4_windows_10_10.0.17763.1637__",
-            "deviceId": "00044f912345daf756462dbe6db733d6a9c59ab4",
-            "rbacGroupName": "hhh",
-            "deviceName": "ComputerPII_18663b45912eeb224d2be2f5ea3142729e63f16a.DomainPII_21eeb80d086e79bdfa178eadfa25e8de6acfa346.corp.contoso.com",
-            "osPlatform": "Windows10" "Windows11",
-            "osVersion": "10.0.17763.1637",
-            "osArchitecture": "x64",
-            "softwareVendor": "microsoft",
-            "softwareName": "windows_10" "Windows_11",
-            "softwareVersion": "10.0.17763.1637",
-            "cveId": null,
-            "vulnerabilitySeverityLevel": null,
-            "recommendedSecurityUpdate": null,
-            "recommendedSecurityUpdateId": null,
-            "recommendedSecurityUpdateUrl": null,
-            "diskPaths": [],
-            "registryPaths": [],
-            "lastSeenTimestamp": "2020-12-30 14:17:26",
-            "firstSeenTimestamp": "2020-12-30 11:07:15",
-            "exploitabilityLevel": "NoExploit",
-            "recommendationReference": "va-_-microsoft-_-windows_10" "va-_-microsoft-_-windows_11"
-        }
-    ],
-    "@odata.nextLink": "https://api.securitycenter.microsoft.com/api/machines/SoftwareVulnerabilitiesByMachine?pagesize=5&$skiptoken=eyJFeHBvcnREZWZpbml0aW9uIjp7IlRpbWVQYXRoIjoiMjAyMS0wMS0xMS8xMTAxLyJ9LCJFeHBvcnRGaWxlSW5kZXgiOjAsIkxpbmVTdG9wcGVkQXQiOjV9"
+ "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Collection(microsoft.windowsDefenderATP.api.AssetVulnerability)",
+ "value": [
+ {
+ "id": "00044f612345baf759462dbe6db733b6a9c59ab4_edge_10.0.17763.1637__",
+ "deviceId": "00044f612345daf756462bde6bd733b9a9c59ab4",
+ "rbacGroupName": "hhh",
+ "deviceName": "ComputerPII_18663b45912eed224b2de2f5ea3142726e63f16a.DomainPII_21eeb80d089e79bdfa178eabfa25e8de9acfa346.corp.contoso.com",
+ "osPlatform": "Windows10" "Windows11",
+ "osVersion": "10.0.17763.1637",
+ "osArchitecture": "x64",
+ "softwareVendor": "microsoft",
+ "softwareName": "edge",
+ "softwareVersion": "10.0.17763.1637",
+ "cveId": null,
+ "vulnerabilitySeverityLevel": null,
+ "recommendedSecurityUpdate": null,
+ "recommendedSecurityUpdateId": null,
+ "recommendedSecurityUpdateUrl": null,
+ "diskPaths": [],
+ "registryPaths": [],
+ "lastSeenTimestamp": "2020-12-30 14:17:26",
+ "firstSeenTimestamp": "2020-12-30 11:07:15",
+ "exploitabilityLevel": "NoExploit",
+ "recommendationReference": "va-_-microsoft-_-edge"
+ },
+ {
+ "id": "00044f912345baf756462bde6db733b9a9c56ad4_.net_framework_4.0.0.0__",
+ "deviceId": "00044f912345daf756462bde6db733b6a9c59ad4",
+ "rbacGroupName": "hhh",
+ "deviceName": "ComputerPII_18663b45912eed224b2be2f5ea3142726e63f16a.DomainPII_21eeb80b086e79bdfa178eabfa25e8de6acfa346.corp.contoso.com",
+ "osPlatform": "Windows10" "Windows11",
+ "osVersion": "10.0.17763.1637",
+ "osArchitecture": "x64",
+ "softwareVendor": "microsoft",
+ "softwareName": ".net_framework",
+ "softwareVersion": "4.0.0.0",
+ "cveId": null,
+ "vulnerabilitySeverityLevel": null,
+ "recommendedSecurityUpdate": null,
+ "recommendedSecurityUpdateId": null,
+ "recommendedSecurityUpdateUrl": null,
+ "diskPaths": [],
+ "registryPaths": [
+ "SOFTWARE\\Microsoft\\NET Framework Setup\\NDP\\v4.0\\Client\\Install"
+ ],
+ "lastSeenTimestamp": "2020-12-30 13:18:33",
+ "firstSeenTimestamp": "2020-12-30 11:07:15",
+ "exploitabilityLevel": "NoExploit",
+ "recommendationReference": "va-_-microsoft-_-.net_framework"
+ },
+ {
+ "id": "00044f912345baf756462dbe6db733d6a9c59ab4_system_center_2012_endpoint_protection_4.10.209.0__",
+ "deviceId": "00044f912345daf756462bde6db733b6a9c59ab4",
+ "rbacGroupName": "hhh",
+ "deviceName": "ComputerPII_18663b45912eed224b2be2f5ea3142726e63f16a.DomainPII_21eed80b089e79bdfa178eadfa25e8be6acfa346.corp.contoso.com",
+ "osPlatform": "Windows10" "Windows11",
+ "osVersion": "10.0.17763.1637",
+ "osArchitecture": "x64",
+ "softwareVendor": "microsoft",
+ "softwareName": "system_center_2012_endpoint_protection",
+ "softwareVersion": "4.10.209.0",
+ "cveId": null,
+ "vulnerabilitySeverityLevel": null,
+ "recommendedSecurityUpdate": null,
+ "recommendedSecurityUpdateId": null,
+ "recommendedSecurityUpdateUrl": null,
+ "diskPaths": [],
+ "registryPaths": [
+ "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Microsoft Security Client"
+ ],
+ "lastSeenTimestamp": "2020-12-30 14:17:26",
+ "firstSeenTimestamp": "2020-12-30 11:07:15",
+ "exploitabilityLevel": "NoExploit",
+ "recommendationReference": "va-_-microsoft-_-system_center_2012_endpoint_protection"
+ },
+ {
+ "id": "00044f612345bdaf759462dbe6bd733b6a9c59ab4_onedrive_20.245.1206.2__",
+ "deviceId": "00044f91234daf759492dbe6bd733b6a9c59ab4",
+ "rbacGroupName": "hhh",
+ "deviceName": "ComputerPII_189663d45612eed224b2be2f5ea3142729e63f16a.DomainPII_21eed80b086e79bdfa178eadfa25e8de6acfa346.corp.contoso.com",
+ "osPlatform": "Windows10" "Windows11",
+ "osVersion": "10.0.17763.1637",
+ "osArchitecture": "x64",
+ "softwareVendor": "microsoft",
+ "softwareName": "onedrive",
+ "softwareVersion": "20.245.1206.2",
+ "cveId": null,
+ "vulnerabilitySeverityLevel": null,
+ "recommendedSecurityUpdate": null,
+ "recommendedSecurityUpdateId": null,
+ "recommendedSecurityUpdateUrl": null,
+ "diskPaths": [],
+ "registryPaths": [
+ "HKEY_USERS\\S-1-5-21-2944539346-1310925172-2349113062-1001\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\OneDriveSetup.exe"
+ ],
+ "lastSeenTimestamp": "2020-12-30 13:18:33",
+ "firstSeenTimestamp": "2020-12-30 11:07:15",
+ "exploitabilityLevel": "NoExploit",
+ "recommendationReference": "va-_-microsoft-_-onedrive"
+ },
+ {
+ "id": "00044f912345daf759462bde6db733b6a9c56ab4_windows_10_10.0.17763.1637__",
+ "deviceId": "00044f912345daf756462dbe6db733d6a9c59ab4",
+ "rbacGroupName": "hhh",
+ "deviceName": "ComputerPII_18663b45912eeb224d2be2f5ea3142729e63f16a.DomainPII_21eeb80d086e79bdfa178eadfa25e8de6acfa346.corp.contoso.com",
+ "osPlatform": "Windows10" "Windows11",
+ "osVersion": "10.0.17763.1637",
+ "osArchitecture": "x64",
+ "softwareVendor": "microsoft",
+ "softwareName": "windows_10" "Windows_11",
+ "softwareVersion": "10.0.17763.1637",
+ "cveId": null,
+ "vulnerabilitySeverityLevel": null,
+ "recommendedSecurityUpdate": null,
+ "recommendedSecurityUpdateId": null,
+ "recommendedSecurityUpdateUrl": null,
+ "diskPaths": [],
+ "registryPaths": [],
+ "lastSeenTimestamp": "2020-12-30 14:17:26",
+ "firstSeenTimestamp": "2020-12-30 11:07:15",
+ "exploitabilityLevel": "NoExploit",
+ "recommendationReference": "va-_-microsoft-_-windows_10" "va-_-microsoft-_-windows_11"
+ }
+ ],
+ "@odata.nextLink": "https://api.securitycenter.microsoft.com/api/machines/SoftwareVulnerabilitiesByMachine?pagesize=5&$skiptoken=eyJFeHBvcnREZWZpbml0aW9uIjp7IlRpbWVQYXRoIjoiMjAyMS0wMS0xMS8xMTAxLyJ9LCJFeHBvcnRGaWxlSW5kZXgiOjAsIkxpbmVTdG9wcGVkQXQiOjV9"
} ```
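Review bot: all five added entries have `"cveId": null` with null severity and update fields, so the sample for an API described as returning one row per DeviceId, SoftwareVendor, SoftwareName, SoftwareVersion, CVEID never shows a row that carries a vulnerability. Replace at least one entry with a populated example using clearly placeholder values. In the last entry, `"softwareName": "windows_10" "Windows_11"` and `"recommendationReference": "va-_-microsoft-_-windows_10" "va-_-microsoft-_-windows_11"` each put two string literals on one key, which is not valid JSON. The `onedrive` entry's `registryPaths` value also embeds a full user SID under `HKEY_USERS`; swap it for an obvious placeholder.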
GET https://api.securitycenter.microsoft.com/api/machines/SoftwareVulnerabilitie
### 2.1 API method description
-This API response contains all the data of installed software per device. Returns a table with an entry for every unique combination of DeviceId, SoftwareVendor, SoftwareName, SoftwareVersion, CVEID.
+This API response contains all the data of installed software per device. Returns a table with an entry for every unique combination of DeviceId, SoftwareVendor, SoftwareName, SoftwareVersion, CVEID.
#### 2.1.2 Limitations
GET https://api-us.securitycenter.contoso.com/api/machines/SoftwareVulnerabiliti
```json {
-    "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#microsoft.windowsDefenderATP.api.ExportFilesResponse",
-    "exportFiles": [
-        "https://tvmexportstrstgeus.blob.core.windows.net/tvm-export/2021-01-11/1101/VaExport/json/OrgId=12345678-195f-4223-9c7a-99fb420fd000/part-00393-bcc26c4f-e531-48db-9892-c93ac5d72d5c.c000.json.gz?sv=2019-12-12&st=2021-01-11T11%3A35%3A13Z&se=2021-01-11T14%3A35%3A13Z&sr=b&sp=r&sig=...",
-        "https://tvmexportstrstgeus.blob.core.windows.net/tvm-export/2021-01-11/1101/VaExport/json/OrgId=12345678-195f-4223-9c7a-99fb420fd000/part-00393-bcc26c4f-e531-48db-9892-c93ac5d72d5c.c001.json.gz?sv=2019-12-12&st=2021-01-11T11%3A35%3A13Z&se=2021-01-11T14%3A35%3A13Z&sr=b&sp=r&sig=...",
-        "https://tvmexportstrstgeus.blob.core.windows.net/tvm-export/2021-01-11/1101/VaExport/json/OrgId=12345678-195f-4223-9c7a-99fb420fd000/part-00393-bcc26c4f-e531-48db-9892-c93ac5d72d5c.c002.json.gz?sv=2019-12-12&st=2021-01-11T11%3A35%3A13Z&se=2021-01-11T14%3A35%3A13Z&sr=b&sp=r&sig=..."
-    ],
-    "generatedTime": "2021-01-11T11:01:00Z"
+ "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#microsoft.windowsDefenderATP.api.ExportFilesResponse",
+ "exportFiles": [
+ "https://tvmexportstrstgeus.blob.core.windows.net/tvm-export/2021-01-11/1101/VaExport/json/OrgId=12345678-195f-4223-9c7a-99fb420fd000/part-00393-bcc26c4f-e531-48db-9892-c93ac5d72d5c.c000.json.gz?sv=2019-12-12&st=2021-01-11T11%3A35%3A13Z&se=2021-01-11T14%3A35%3A13Z&sr=b&sp=r&sig=...",
+ "https://tvmexportstrstgeus.blob.core.windows.net/tvm-export/2021-01-11/1101/VaExport/json/OrgId=12345678-195f-4223-9c7a-99fb420fd000/part-00393-bcc26c4f-e531-48db-9892-c93ac5d72d5c.c001.json.gz?sv=2019-12-12&st=2021-01-11T11%3A35%3A13Z&se=2021-01-11T14%3A35%3A13Z&sr=b&sp=r&sig=...",
+ "https://tvmexportstrstgeus.blob.core.windows.net/tvm-export/2021-01-11/1101/VaExport/json/OrgId=12345678-195f-4223-9c7a-99fb420fd000/part-00393-bcc26c4f-e531-48db-9892-c93ac5d72d5c.c002.json.gz?sv=2019-12-12&st=2021-01-11T11%3A35%3A13Z&se=2021-01-11T14%3A35%3A13Z&sr=b&sp=r&sig=..."
+ ],
+ "generatedTime": "2021-01-11T11:01:00Z"
} ```
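Review bot: The request line above this response uses the host `api-us.securitycenter.contoso.com`, while `@odata.context` in the response uses `api.securitycenter.microsoft.com`; the example should use one host throughout. Separately, the `exportFiles` entries are pre-signed blob URLs (`sp=r`, with `st=` and `se=` three hours apart), so if the article does not already say so, it is worth stating next to this sample that the links expire, that they grant read access to whoever holds them, and that they should be kept out of logs and tickets.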
Each returned record contains all the data from the full export software vulnera
Property (ID)|Data type|Description|Example of returned value :|:|:|:
-CveId |String|Unique identifier assigned to the security vulnerability under the Common Vulnerabilities and Exposures (CVE) system.|CVE-2020-15992  
-CvssScore|String|The CVSS score of the CVE.|6.2  
-DeviceId|String|Unique identifier for the device in the service.|9eaf3a8b5962e0e6b1af9ec756664a9b823df2d1  
-DeviceName|String|Fully qualified domain name (FQDN) of the device.|johnlaptop.europe.contoso.com  
-DiskPaths|Array[string]|Disk evidence that the product is installed on the device.|["C:\Program Files (x86)\Microsoft\Silverlight\Application\silverlight.exe"]  
+CveId |String|Unique identifier assigned to the security vulnerability under the Common Vulnerabilities and Exposures (CVE) system.|CVE-2020-15992
+CvssScore|String|The CVSS score of the CVE.|6.2
+DeviceId|String|Unique identifier for the device in the service.|9eaf3a8b5962e0e6b1af9ec756664a9b823df2d1
+DeviceName|String|Fully qualified domain name (FQDN) of the device.|johnlaptop.europe.contoso.com
+DiskPaths|Array[string]|Disk evidence that the product is installed on the device.|["C:\Program Files (x86)\Microsoft\Silverlight\Application\silverlight.exe"]
EventTimestamp|String|The time this delta event was found.|2021-01-11T11:06:08.291Z
-ExploitabilityLevel|String|The exploitability level of this vulnerability (NoExploit, ExploitIsPublic, ExploitIsVerified, ExploitIsInKit)|ExploitIsInKit  
-FirstSeenTimestamp|String|First time the CVE of this product was seen on the device.|2020-11-03 10:13:34.8476880  
-Id|String|Unique identifier for the record.|123ABG55_573AG&mnp!  
-LastSeenTimestamp|String|Last time the CVE was seen on the device.|2020-11-03 10:13:34.8476880  
-OSPlatform|String|Platform of the operating system running on the device; specific operating systems with variations within the same family, such as Windows 10 and Windows 11. See tvm supported operating systems and platforms for details.|Windows10 and Windows 11 
-RbacGroupName|String|The role-based access control (RBAC) group. If this device isn't assigned to any RBAC group, the value will be "Unassigned." If the organization doesn't contain any RBAC groups, the value will be "None."|Servers  
-RecommendationReference|string|A reference to the recommendation ID related to this software.|va--microsoft--silverlight  
-RecommendedSecurityUpdate |String|Name or description of the security update provided by the software vendor to address the vulnerability.|April 2020 Security Updates  
-RecommendedSecurityUpdateId |String|Identifier of the applicable security updates or identifier for the corresponding guidance or knowledge base (KB) articles|4550961  
-RegistryPaths |Array[string]|Registry evidence that the product is installed in the device.|[ "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome" ]  
-SoftwareName|String|Name of the software product.|Chrome  
-SoftwareVendor|String|Name of the software vendor.|Google  
-SoftwareVersion|String|Version number of the software product.|81.0.4044.138  
-Status|String|**New** (for a new vulnerability introduced on a device) (1) **Fixed** (if this vulnerability doesn't exist anymore on the device, which means it was remediated). (2) **Updated** (if a vulnerability on a device has changed. The possible changes are: CVSS score, exploitability level, severity level, DiskPaths, RegistryPaths, RecommendedSecurityUpdate). |Fixed
+ExploitabilityLevel|String|The exploitability level of this vulnerability (NoExploit, ExploitIsPublic, ExploitIsVerified, ExploitIsInKit)|ExploitIsInKit
+FirstSeenTimestamp|String|First time the CVE of this product was seen on the device.|2020-11-03 10:13:34.8476880
+Id|String|Unique identifier for the record.|123ABG55_573AG&mnp!
+LastSeenTimestamp|String|Last time the CVE was seen on the device.|2020-11-03 10:13:34.8476880
+OSPlatform|String|Platform of the operating system running on the device; specific operating systems with variations within the same family, such as Windows 10 and Windows 11. See tvm supported operating systems and platforms for details.|Windows10 and Windows 11
+RbacGroupName|String|The role-based access control (RBAC) group. If this device isn't assigned to any RBAC group, the value will be "Unassigned." If the organization doesn't contain any RBAC groups, the value will be "None."|Servers
+RecommendationReference|string|A reference to the recommendation ID related to this software.|va--microsoft--silverlight
+RecommendedSecurityUpdate |String|Name or description of the security update provided by the software vendor to address the vulnerability.|April 2020 Security Updates
+RecommendedSecurityUpdateId |String|Identifier of the applicable security updates or identifier for the corresponding guidance or knowledge base (KB) articles|4550961
+RegistryPaths |Array[string]|Registry evidence that the product is installed in the device.|[ "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome" ]
+SoftwareName|String|Name of the software product.|Chrome
+SoftwareVendor|String|Name of the software vendor.|Google
+SoftwareVersion|String|Version number of the software product.|81.0.4044.138
+Status|String|**New** (for a new vulnerability introduced on a device) (1) **Fixed** (if this vulnerability doesn't exist anymore on the device, which means it was remediated). (2) **Updated** (if a vulnerability on a device has changed. The possible changes are: CVSS score, exploitability level, severity level, DiskPaths, RegistryPaths, RecommendedSecurityUpdate). |Fixed
VulnerabilitySeverityLevel|String|Severity level that is assigned to the security vulnerability. It's based on the CVSS score and dynamic factors influenced by the threat landscape.|Medium |
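Review bot: In the OSPlatform row, the example value `Windows10 and Windows 11` reads as prose rather than a returned value and is spelled two ways (no space, then a space); show a single value such as `Windows10`, matching the JSON samples. In the same table, RecommendationReference has data type `string` in lower case where the other rows use `String`, its example `va--microsoft--silverlight` does not match the `va-_-microsoft-_-...` form in the sample responses, and the Status description places `(1)` and `(2)` after the first two values instead of numbering all three.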
GET https://api.securitycenter.microsoft.com/api/machines/SoftwareVulnerabilityC
```json {
-    "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Collection(microsoft.windowsDefenderATP.api.DeltaAssetVulnerability)",
-    "value": [
-        {
-            "id": "008198251234544f7dfa715e278d4cec0c16c171_chrome_87.0.4280.88__",
-            "deviceId": "008198251234544f7dfa715e278b4cec0c19c171",
-            "rbacGroupName": "hhh",
-            "deviceName": "ComputerPII_1c8fee370690ca24b6a0d3f34d193b0424943a8b8.DomainPII_0dc1aee0fa366d175e514bd91a9e7a5b2b07ee8e.corp.contoso.com",
-            "osPlatform": "Windows10" "Windows11",
-            "osVersion": "10.0.19042.685",
-            "osArchitecture": "x64",
-            "softwareVendor": "google",
-            "softwareName": "chrome",
-            "softwareVersion": "87.0.4280.88",
-            "cveId": null,
-            "vulnerabilitySeverityLevel": null,
-            "recommendedSecurityUpdate": null,
-            "recommendedSecurityUpdateId": null,
-            "recommendedSecurityUpdateUrl": null,
-            "diskPaths": [
-                "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe"
-            ],
-            "registryPaths": [
-                "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Google Chrome"
-            ],
-            "lastSeenTimestamp": "2021-01-04 00:29:42",
-            "firstSeenTimestamp": "2020-11-06 03:12:44",
-            "exploitabilityLevel": "NoExploit",
-            "recommendationReference": "va-_-google-_-chrome",
-            "status": "Fixed",
-            "eventTimestamp": "2021-01-11T11:06:08.291Z"
-        },
-        {
-            "id": "00e59c61234533860738ecf488eec8abf296e41e_onedrive_20.64.329.3__",
-            "deviceId": "00e56c91234533860738ecf488eec8abf296e41e",
-            "rbacGroupName": "hhh",
-            "deviceName": "ComputerPII_82c13a8ad8cf3dbaf7bf34fada9fa3aebc124116.DomainPII_21eeb80d086e79dbfa178eadfa25e8de9acfa346.corp.contoso.com",
-            "osPlatform": "Windows10" "Windows11",
-            "osVersion": "10.0.18363.1256",
-            "osArchitecture": "x64",
-            "softwareVendor": "microsoft",
-            "softwareName": "onedrive",
-            "softwareVersion": "20.64.329.3",
-            "cveId": null,
-            "vulnerabilitySeverityLevel": null,
-            "recommendedSecurityUpdate": null,
-            "recommendedSecurityUpdateId": null,
-            "recommendedSecurityUpdateUrl": null,
-            "diskPaths": [],
-            "registryPaths": [
-                "HKEY_USERS\\S-1-5-21-2127521184-1604012920-1887927527-24918864\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\OneDriveSetup.exe"
-            ],
-            "lastSeenTimestamp": "2020-12-11 19:49:48",
-            "firstSeenTimestamp": "2020-12-07 18:25:47",
-            "exploitabilityLevel": "NoExploit",
-            "recommendationReference": "va-_-microsoft-_-onedrive",
-            "status": "Fixed",
-            "eventTimestamp": "2021-01-11T11:06:08.291Z"
-        },
-        {
-            "id": "01aa8c73095bb12345918663f3f94ce322107d24_firefox_83.0.0.0_CVE-2020-26971_",
-            "deviceId": "01aa8c73065bb12345918693f3f94ce322107d24",
-            "rbacGroupName": "hhh",
-            "deviceName": "ComputerPII_42684eb981bea2d670027e7ad2caafd3f2b381a3.DomainPII_21eed80b086e76dbfa178eabfa25e8de9acfa346.corp.contoso.com",
-            "osPlatform": "Windows10" "Windows11",
-            "osVersion": "10.0.19042.685",
-            "osArchitecture": "x64",
-            "softwareVendor": "mozilla",
-            "softwareName": "firefox",
-            "softwareVersion": "83.0.0.0",
-            "cveId": "CVE-2020-26971",
-            "vulnerabilitySeverityLevel": "High",
-            "recommendedSecurityUpdate": "193220",
-            "recommendedSecurityUpdateId": null,
-            "recommendedSecurityUpdateUrl": null,
-            "diskPaths": [
-                "C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe"
-            ],
-            "registryPaths": [
-                "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Mozilla Firefox 83.0 (x86 en-US)"
-            ],
-            "lastSeenTimestamp": "2021-01-05 17:04:30",
-            "firstSeenTimestamp": "2020-05-06 12:42:19",
-            "exploitabilityLevel": "NoExploit",
-            "recommendationReference": "va-_-mozilla-_-firefox",
-            "status": "Fixed",
-            "eventTimestamp": "2021-01-11T11:06:08.291Z"
-        },
-        {
-            "id": "026f0fcb12345fbd2decd1a339702131422d362e_project_16.0.13701.20000__",
-            "deviceId": "029f0fcb13245fbd2decd1a336702131422d392e",
-            "rbacGroupName": "hhh",
-            "deviceName": "ComputerPII_a5706750acba75f15d69cd17f4a7fcd268d6422c.DomainPII_f290e982685f7e8eee168b4332e0ae5d2a069cd6.corp.contoso.com",
-            "osPlatform": "Windows10" "Windows11",
-            "osVersion": "10.0.19042.685",
-            "osArchitecture": "x64",
-            "softwareVendor": "microsoft",
-            "softwareName": "project",
-            "softwareVersion": "16.0.13701.20000",
-            "cveId": null,
-            "vulnerabilitySeverityLevel": null,
-            "recommendedSecurityUpdate": null,
-            "recommendedSecurityUpdateId": null,
-            "recommendedSecurityUpdateUrl": null,
-            "diskPaths": [],
-            "registryPaths": [
-                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\ProjectProRetail - en-us"
-            ],
-            "lastSeenTimestamp": "2021-01-03 23:38:03",
-            "firstSeenTimestamp": "2019-08-01 22:56:12",
-            "exploitabilityLevel": "NoExploit",
-            "recommendationReference": "va-_-microsoft-_-project",
-            "status": "Fixed",
-            "eventTimestamp": "2021-01-11T11:06:08.291Z"
-        },
-        {
-            "id": "038df381234510b357ac19d0113ef622e4e212b3_chrome_81.0.4044.138_CVE-2020-16011_",
-            "deviceId": "038df381234510d357ac19b0113ef922e4e212b3",
-            "rbacGroupName": "hhh",
-            "deviceName": "ComputerPII_365f5c0bb7202c163937dad3d017969b2d760eb4.DomainPII_29596a43a2ef2bbfa00f6a16c0cb1d108bc63e32.DomainPII_3c5fefd2e6fda2f36257359404f6c1092aa6d4b8.net",
-            "osPlatform": "Windows10" "Windows11",
-            "osVersion": "10.0.18363.1256",
-            "osArchitecture": "x64",
-            "softwareVendor": "google",
-            "softwareName": "chrome",
-            "softwareVersion": "81.0.4044.138",
-            "cveId": "CVE-2020-16011",
-            "vulnerabilitySeverityLevel": "High",
-            "recommendedSecurityUpdate": "ADV 200002",
-            "recommendedSecurityUpdateId": null,
-            "recommendedSecurityUpdateUrl": null,
-            "diskPaths": [
-                "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe"
-            ],
-            "registryPaths": [
-                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{C4EBFDFD-0C55-3E5F-A919-E3C54949024A}"
-            ],
-            "lastSeenTimestamp": "2020-12-10 22:45:41",
-            "firstSeenTimestamp": "2020-07-26 02:13:43",
-            "exploitabilityLevel": "NoExploit",
-            "recommendationReference": "va-_-google-_-chrome",
-            "status": "Fixed",
-            "eventTimestamp": "2021-01-11T11:06:08.291Z"
-        }
-    ],
-    "@odata.nextLink": "https://wpatdadi-eus-stg.cloudapp.net/api/machines/SoftwareVulnerabilitiesTimeline?sincetime=2021-01-11&pagesize=5&$skiptoken=eyJFeHBvcnREZWZpbml0aW9uIjp7IlRpbWVQYXRoIjoiMjAyMS0wMS0xMS8xMTAxLyJ9LCJFeHBvcnRGaWxlSW5kZXgiOjAsIkxpbmVTdG9wcGVkQXQiOjV9"
+ "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Collection(microsoft.windowsDefenderATP.api.DeltaAssetVulnerability)",
+ "value": [
+ {
+ "id": "008198251234544f7dfa715e278d4cec0c16c171_chrome_87.0.4280.88__",
+ "deviceId": "008198251234544f7dfa715e278b4cec0c19c171",
+ "rbacGroupName": "hhh",
+ "deviceName": "ComputerPII_1c8fee370690ca24b6a0d3f34d193b0424943a8b8.DomainPII_0dc1aee0fa366d175e514bd91a9e7a5b2b07ee8e.corp.contoso.com",
+ "osPlatform": "Windows10" "Windows11",
+ "osVersion": "10.0.19042.685",
+ "osArchitecture": "x64",
+ "softwareVendor": "google",
+ "softwareName": "chrome",
+ "softwareVersion": "87.0.4280.88",
+ "cveId": null,
+ "vulnerabilitySeverityLevel": null,
+ "recommendedSecurityUpdate": null,
+ "recommendedSecurityUpdateId": null,
+ "recommendedSecurityUpdateUrl": null,
+ "diskPaths": [
+ "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe"
+ ],
+ "registryPaths": [
+ "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Google Chrome"
+ ],
+ "lastSeenTimestamp": "2021-01-04 00:29:42",
+ "firstSeenTimestamp": "2020-11-06 03:12:44",
+ "exploitabilityLevel": "NoExploit",
+ "recommendationReference": "va-_-google-_-chrome",
+ "status": "Fixed",
+ "eventTimestamp": "2021-01-11T11:06:08.291Z"
+ },
+ {
+ "id": "00e59c61234533860738ecf488eec8abf296e41e_onedrive_20.64.329.3__",
+ "deviceId": "00e56c91234533860738ecf488eec8abf296e41e",
+ "rbacGroupName": "hhh",
+ "deviceName": "ComputerPII_82c13a8ad8cf3dbaf7bf34fada9fa3aebc124116.DomainPII_21eeb80d086e79dbfa178eadfa25e8de9acfa346.corp.contoso.com",
+ "osPlatform": "Windows10" "Windows11",
+ "osVersion": "10.0.18363.1256",
+ "osArchitecture": "x64",
+ "softwareVendor": "microsoft",
+ "softwareName": "onedrive",
+ "softwareVersion": "20.64.329.3",
+ "cveId": null,
+ "vulnerabilitySeverityLevel": null,
+ "recommendedSecurityUpdate": null,
+ "recommendedSecurityUpdateId": null,
+ "recommendedSecurityUpdateUrl": null,
+ "diskPaths": [],
+ "registryPaths": [
+ "HKEY_USERS\\S-1-5-21-2127521184-1604012920-1887927527-24918864\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\OneDriveSetup.exe"
+ ],
+ "lastSeenTimestamp": "2020-12-11 19:49:48",
+ "firstSeenTimestamp": "2020-12-07 18:25:47",
+ "exploitabilityLevel": "NoExploit",
+ "recommendationReference": "va-_-microsoft-_-onedrive",
+ "status": "Fixed",
+ "eventTimestamp": "2021-01-11T11:06:08.291Z"
+ },
+ {
+ "id": "01aa8c73095bb12345918663f3f94ce322107d24_firefox_83.0.0.0_CVE-2020-26971_",
+ "deviceId": "01aa8c73065bb12345918693f3f94ce322107d24",
+ "rbacGroupName": "hhh",
+ "deviceName": "ComputerPII_42684eb981bea2d670027e7ad2caafd3f2b381a3.DomainPII_21eed80b086e76dbfa178eabfa25e8de9acfa346.corp.contoso.com",
+ "osPlatform": "Windows10" "Windows11",
+ "osVersion": "10.0.19042.685",
+ "osArchitecture": "x64",
+ "softwareVendor": "mozilla",
+ "softwareName": "firefox",
+ "softwareVersion": "83.0.0.0",
+ "cveId": "CVE-2020-26971",
+ "vulnerabilitySeverityLevel": "High",
+ "recommendedSecurityUpdate": "193220",
+ "recommendedSecurityUpdateId": null,
+ "recommendedSecurityUpdateUrl": null,
+ "diskPaths": [
+ "C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe"
+ ],
+ "registryPaths": [
+ "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Mozilla Firefox 83.0 (x86 en-US)"
+ ],
+ "lastSeenTimestamp": "2021-01-05 17:04:30",
+ "firstSeenTimestamp": "2020-05-06 12:42:19",
+ "exploitabilityLevel": "NoExploit",
+ "recommendationReference": "va-_-mozilla-_-firefox",
+ "status": "Fixed",
+ "eventTimestamp": "2021-01-11T11:06:08.291Z"
+ },
+ {
+ "id": "026f0fcb12345fbd2decd1a339702131422d362e_project_16.0.13701.20000__",
+ "deviceId": "029f0fcb13245fbd2decd1a336702131422d392e",
+ "rbacGroupName": "hhh",
+ "deviceName": "ComputerPII_a5706750acba75f15d69cd17f4a7fcd268d6422c.DomainPII_f290e982685f7e8eee168b4332e0ae5d2a069cd6.corp.contoso.com",
+ "osPlatform": "Windows10" "Windows11",
+ "osVersion": "10.0.19042.685",
+ "osArchitecture": "x64",
+ "softwareVendor": "microsoft",
+ "softwareName": "project",
+ "softwareVersion": "16.0.13701.20000",
+ "cveId": null,
+ "vulnerabilitySeverityLevel": null,
+ "recommendedSecurityUpdate": null,
+ "recommendedSecurityUpdateId": null,
+ "recommendedSecurityUpdateUrl": null,
+ "diskPaths": [],
+ "registryPaths": [
+ "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\ProjectProRetail - en-us"
+ ],
+ "lastSeenTimestamp": "2021-01-03 23:38:03",
+ "firstSeenTimestamp": "2019-08-01 22:56:12",
+ "exploitabilityLevel": "NoExploit",
+ "recommendationReference": "va-_-microsoft-_-project",
+ "status": "Fixed",
+ "eventTimestamp": "2021-01-11T11:06:08.291Z"
+ },
+ {
+ "id": "038df381234510b357ac19d0113ef622e4e212b3_chrome_81.0.4044.138_CVE-2020-16011_",
+ "deviceId": "038df381234510d357ac19b0113ef922e4e212b3",
+ "rbacGroupName": "hhh",
+ "deviceName": "ComputerPII_365f5c0bb7202c163937dad3d017969b2d760eb4.DomainPII_29596a43a2ef2bbfa00f6a16c0cb1d108bc63e32.DomainPII_3c5fefd2e6fda2f36257359404f6c1092aa6d4b8.net",
+ "osPlatform": "Windows10" "Windows11",
+ "osVersion": "10.0.18363.1256",
+ "osArchitecture": "x64",
+ "softwareVendor": "google",
+ "softwareName": "chrome",
+ "softwareVersion": "81.0.4044.138",
+ "cveId": "CVE-2020-16011",
+ "vulnerabilitySeverityLevel": "High",
+ "recommendedSecurityUpdate": "ADV 200002",
+ "recommendedSecurityUpdateId": null,
+ "recommendedSecurityUpdateUrl": null,
+ "diskPaths": [
+ "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe"
+ ],
+ "registryPaths": [
+ "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{C4EBFDFD-0C55-3E5F-A919-E3C54949024A}"
+ ],
+ "lastSeenTimestamp": "2020-12-10 22:45:41",
+ "firstSeenTimestamp": "2020-07-26 02:13:43",
+ "exploitabilityLevel": "NoExploit",
+ "recommendationReference": "va-_-google-_-chrome",
+ "status": "Fixed",
+ "eventTimestamp": "2021-01-11T11:06:08.291Z"
+ }
+ ],
+ "@odata.nextLink": "https://wpatdadi-eus-stg.cloudapp.net/api/machines/SoftwareVulnerabilitiesTimeline?sincetime=2021-01-11&pagesize=5&$skiptoken=eyJFeHBvcnREZWZpbml0aW9uIjp7IlRpbWVQYXRoIjoiMjAyMS0wMS0xMS8xMTAxLyJ9LCJFeHBvcnRGaWxlSW5kZXgiOjAsIkxpbmVTdG9wcGVkQXQiOjV9"
} ```
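Review bot: Every record in the added sample carries `"osPlatform": "Windows10" "Windows11",`, which is two string literals for one key and makes the whole example invalid JSON; keep one value per record. The `@odata.nextLink` also points at `wpatdadi-eus-stg.cloudapp.net/api/machines/SoftwareVulnerabilitiesTimeline`, a different host from the `api.securitycenter.microsoft.com` used in `@odata.context` and a different endpoint name from the request shown above the sample, so it should be replaced with the documented host and endpoint.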
security Get Remediation All Activities https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-remediation-all-activities.md
completerEmail|String|If the remediation activity was manually completed by some
completerId|String|If the remediation activity was manually completed by someone, this column contains their object ID|Null completionMethod|String|A remediation activity can be completed "automatically" (if all the devices are patched) or "manually" by a person who selects "mark as completed"|Automatic createdOn|DateTime|Time this remediation activity was created|2021-01-12T18:54:11.5499478Z
-Description|String|Description of this remediation activity|Update Microsoft Silverlight  to a later version to mitigate known vulnerabilities affecting your devices.
+Description|String|Description of this remediation activity|Update Microsoft Silverlight to a later version to mitigate known vulnerabilities affecting your devices.
dueOn|DateTime|Due date the creator set for this remediation activity|2021-01-13T00:00:00Z fixedDevices|.|The number of devices that have been fixed|2 ID|String|ID of this remediation activity|097d9735-5479-4899-b1b7-77398899df92
nameId|String|Related product name|Microsoft Silverlight
Priority|String|Priority the creator set for this remediation activity (High\Medium\Low)|High productId|String|Related product ID|microsoft-_-silverlight productivityImpactRemediationType|String|A few configuration changes could be requested only for devices that don't affect users. This value indicates the selection between "all exposed devices" or "only devices with no user impact."|AllExposedAssets
-rbacGroupNames|String|Related device group names|[ "Windows Servers", "Windows 11", "Windows 10" ]
+rbacGroupNames|String|Related device group names|[ "Windows Servers", "Windows 11", "Windows 10" ]
recommendedProgram|String|Recommended program to upgrade to|Null recommendedVendor|String|Recommended vendor to upgrade to|Null recommendedVersion|String|Recommended version to update/upgrade to|Null
Scid|String|SCID of the related security recommendation|Null
Status|String|Remediation activity status (Active/Completed)|Active statusLastModifiedOn|DateTime|Date when the status field was updated|2021-01-12T18:54:11.5499487Z targetDevices|Long|Number of exposed devices that this remediation is applicable to|43
-Title|String|Title of this remediation activity|Update Microsoft Silverlight
+Title|String|Title of this remediation activity|Update Microsoft Silverlight
Type|String|Remediation type|Update vendorId|String|Related vendor name|Microsoft
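Review bot: The rbacGroupNames row is typed `String`, but its example value is an array, `[ "Windows Servers", "Windows 11", "Windows 10" ]`; state the type as an array of strings so that clients parse the field correctly. While this table is being edited, the fixedDevices row has `.` in the data type column, and the Priority values are written `High\Medium\Low` with backslashes where the Status row uses `Active/Completed`.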
security Get Remediation Methods Properties https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-remediation-methods-properties.md
Title: Remediation activity methods and properties
-description: The API response contains threat & vulnerability management remediation activities created in your tenant. You can request all the remediation activities, only one remediation activity, or information about exposed devices for a selected remediation task.
+description: The API response contains threat & vulnerability management remediation activities created in your tenant. You can request all the remediation activities, only one remediation activity, or information about exposed devices for a selected remediation task.
keywords: apis, remediation, remediation api, get, remediation tasks, remediation methods, remediation properties, ms.prod: m365-security ms.mktglfcycl: deploy
[!Include[Improve request performance](../../includes/improve-request-performance.md)]
-The API response contains [Threat & vulnerability management](next-gen-threat-and-vuln-mgt.md) remediation activities that have been created in your tenant.
+The API response contains [Threat & vulnerability management](next-gen-threat-and-vuln-mgt.md) remediation activities that have been created in your tenant.
## Methods
security Get Remediation One Activity https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-remediation-one-activity.md
completerEmail|String|If the remediation activity was manually completed by some
completerId|String|If the remediation activity was manually completed by someone, this column contains their object ID|Null completionMethod|String|A remediation activity can be completed "automatically" (if all the devices are patched) or "manually" by a person who selects "mark as completed"|Automatic createdOn|DateTime|Time this remediation activity was created|2021-01-12T18:54:11.5499478Z
-Description|String|Description of this remediation activity|Update Microsoft Silverlight  to a later version to mitigate known vulnerabilities affecting your devices.
+Description|String|Description of this remediation activity|Update Microsoft Silverlight to a later version to mitigate known vulnerabilities affecting your devices.
dueOn|DateTime|Due date the creator set for this remediation activity|2021-01-13T00:00:00Z fixedDevices||The number of devices that have been fixed|2 ID|String|ID of this remediation activity|097d9735-5479-4899-b1b7-77398899df92
nameId|String|Related product name|Microsoft Silverlight
Priority|String|Priority the creator set for this remediation activity (High\Medium\Low)|High productId|String|Related product ID|microsoft-_-silverlight productivityImpactRemediationType|String|A few configuration changes could be requested only for devices that don't affect users. This value indicates the selection between "all exposed devices" or "only devices with no user impact."|AllExposedAssets
-rbacGroupNames|String|Related device group names|[ "Windows Servers", "Windows 11", "Windows 10" ]
+rbacGroupNames|String|Related device group names|[ "Windows Servers", "Windows 11", "Windows 10" ]
recommendedProgram|String|Recommended program to upgrade to|Null recommendedVendor|String|Recommended vendor to upgrade to|Null recommendedVersion|String|Recommended version to update/upgrade to|Null
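Review bot: The fixedDevices row has an empty data type column (`fixedDevices||`), while the same row in the all-activities article shows `.`; fill in the actual type in both places. The rbacGroupNames row here also pairs the `String` type with an array example value and needs the same correction.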
security Indicator File https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/indicator-file.md
There are three ways you can create indicators for files:
It's important to understand the following prerequisites prior to creating indicators for files: -- This feature is available if your organization uses **Microsoft Defender Antivirus (in active mode)** and **Cloud-based protection is enabled**. For more information, seeΓÇ»[Manage cloud-based protection](/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).
+- This feature is available if your organization uses **Microsoft Defender Antivirus (in active mode)** and **Cloud-based protection is enabled**. For more information, see [Manage cloud-based protection](/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).
- The Antimalware client version must be 4.18.1901.x or later. See [Monthly platform and engine versions](manage-updates-baselines-microsoft-defender-antivirus.md#monthly-platform-and-engine-versions)
It's important to understand the following prerequisites prior to creating indic
>[!NOTE] >Windows Server 2016 and Windows Server 2012 R2 will need to be onboarded using the instructions in [Onboard Windows servers](configure-server-endpoints.md#windows-server-2012-r2-and-windows-server-2016) for this feature to work. -- To start blocking files, you first need to [turn on the "block or allow" feature](advanced-features.md) in Settings.
+- To start blocking files, you first need to [turn on the "block or allow" feature](advanced-features.md) in Settings.
-This feature is designed to prevent suspected malware (or potentially malicious files) from being downloaded from the web. It currently supports portable executable (PE) files, including .exe and .dll files. The coverage will be extended over time.
+This feature is designed to prevent suspected malware (or potentially malicious files) from being downloaded from the web. It currently supports portable executable (PE) files, including .exe and .dll files. The coverage will be extended over time.
## Create an indicator for files from the settings page
-1. In the navigation pane, selectΓÇ»**Settings** \> **Endpoints** \> **Indicators** (under **Rules**).
+1. In the navigation pane, select **Settings** \> **Endpoints** \> **Indicators** (under **Rules**).
-2. Select the **File hashes** tab.
+2. Select the **File hashes** tab.
-3. SelectΓÇ»**Add indicator**.
+3. Select **Add indicator**.
4. Specify the following details: - Indicator - Specify the entity details and define the expiration of the indicator.
This feature is designed to prevent suspected malware (or potentially malicious
## Create a contextual indicator from the file details page
-One of the options when taking [response actions on a file](respond-file-alerts.md) is adding an indicator for the file. When you add an indicator hash for a file, you can choose to raise an alert and block the file whenever a device in your organization attempts to run it.
+One of the options when taking [response actions on a file](respond-file-alerts.md) is adding an indicator for the file. When you add an indicator hash for a file, you can choose to raise an alert and block the file whenever a device in your organization attempts to run it.
Files automatically blocked by an indicator won't show up in the file's Action center, but the alerts will still be visible in the Alerts queue.
security Indicator Ip Domain https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/indicator-ip-domain.md
The threat intelligence data set for this has been managed by Microsoft.
By creating indicators for IPs and URLs or domains, you can now allow or block IPs, URLs, or domains based on your own threat intelligence. You can also warn users with a prompt if they open a risky app. The prompt won't stop them from using the app but you can provide a custom message and links to a company page that describes appropriate usage of the app. Users can still bypass the warning and continue to use the app if they need. - You can do this through the settings page or by machine groups if you deem certain groups to be more or less at risk than others. > [!NOTE] > Classless Inter-Domain Routing (CIDR) notation for IP addresses is not supported. ## Before you begin+ It's important to understand the following prerequisites prior to creating indicators for IPS, URLs, or domains: - URL/IP allow and block relies on the Defender for Endpoint component Network Protection to be enabled in block mode. For more information on Network Protection and configuration instructions, see [Enable network protection](enable-network-protection.md). - The Antimalware client version must be 4.18.1906.x or later. - Supported on machines on Windows 10, version 1709 or later, Windows 11, Windows Server 2016, Windows Server 2012 R2, Windows Server 2019, and Windows Server 2022.
-
- >[!NOTE]
- >Windows Server 2016 and Windows Server 2012 R2 will need to be onboarded using the instructions in [Onboard Windows servers](configure-server-endpoints.md#windows-server-2012-r2-and-windows-server-2016) for this feature to work.
-- Ensure that **Custom network indicators** is enabled in **Microsoft 365 DefenderΓÇ»> Settings > Advanced features**. For more information, see [Advanced features](advanced-features.md).
+ > [!NOTE]
+ > Windows Server 2016 and Windows Server 2012 R2 will need to be onboarded using the instructions in [Onboard Windows servers](configure-server-endpoints.md#windows-server-2012-r2-and-windows-server-2016) for this feature to work.
+
+- Ensure that **Custom network indicators** is enabled in **Microsoft 365 Defender** \> **Settings** \> **Advanced features**. For more information, see [Advanced features](advanced-features.md).
- For support of indicators on iOS, see [Configure custom indicators](/microsoft-365/security/defender-endpoint/ios-configure-features#configure-custom-indicators). > [!IMPORTANT]
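Review bot: The prerequisite sentence in the unchanged context of this hunk reads "indicators for IPS, URLs, or domains"; it should be "IPs", as in the rest of the section. Since this commit is already cleaning up the prerequisites list, fix the capitalization in the same pass.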
security Linux Install With Puppet https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-install-with-puppet.md
tree install_mdatp
```Output install_mdatp Γö£ΓöÇΓöÇ files
-│   └── mdatp_onboard.json
+Γöé ΓööΓöÇΓöÇ mdatp_onboard.json
ΓööΓöÇΓöÇ manifests ΓööΓöÇΓöÇ init.pp ```
security Linux Preferences https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-preferences.md
Determines whether the antivirus engine runs in passive mode or not. In passive
#### Enable/disable behavior-monitoring
-Determines whether behavior monitoring and blocking capability is enabled on the device or not. To improve effectiveness of security protection, we recommend keeping this feature turned on.
+Determines whether behavior monitoring and blocking capability is enabled on the device or not. To improve effectiveness of security protection, we recommend keeping this feature turned on.
<br>
The following configuration profile contains entries for all settings described
} ```
- ## Add tag or group ID to the configuration profile
+## Add tag or group ID to the configuration profile
When you run the `mdatp health` command for the first time, the value for the tag and group ID will be blank. To add tag or group ID to the `mdatp_managed.json` file, follow the below steps:
When you run the `mdatp health` command for the first time, the value for the ta
> [!NOTE] > DonΓÇÖt forget to add the comma after the closing curly bracket at the end of the `cloudService` block. Also, make sure that there are two closing curly brackets after adding Tag or Group ID block (please see the above example).
- ## Configuration profile validation
+## Configuration profile validation
The configuration profile must be a valid JSON-formatted file. There are a number of tools that can be used to verify this. For example, if you have `python` installed on your device:
security Live Response https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/live-response.md
Before you can initiate a session on a device, make sure you fulfill the followi
- [Version 1803 (RS 4)](/windows/whats-new/whats-new-windows-10-version-1803) with [KB4537795](https://support.microsoft.com/help/4537795/windows-10-update-kb4537795) - [Version 1709 (RS 3)](/windows/whats-new/whats-new-windows-10-version-1709) with [KB4537816](https://support.microsoft.com/help/4537816/windows-10-update-kb4537816)
- - **macOS** - Only applicable for Public Preview, minimum required version: 101.43.84
+ - **macOS** - Only applicable for Public Preview, minimum required version: 101.43.84
- - **Linux** - Only applicable for Public Preview, minimum required version: 101.45.13
-
+ - **Linux** - Only applicable for Public Preview, minimum required version: 101.45.13
+ - **Windows Server 2012 R2** - with [KB5005292](https://support.microsoft.com/topic/microsoft-defender-for-endpoint-update-for-edr-sensor-f8f69773-f17f-420f-91f4-a8e5167284ac) - **Windows Server 2016** - with [KB5005292](https://support.microsoft.com/topic/microsoft-defender-for-endpoint-update-for-edr-sensor-f8f69773-f17f-420f-91f4-a8e5167284ac)
Before you can initiate a session on a device, make sure you fulfill the followi
- **Windows Server 2019** - Version 1903 or (with [KB4515384](https://support.microsoft.com/help/4515384/windows-10-update-kb4515384)) later - Version 1809 (with [KB4537818](https://support.microsoft.com/help/4537818/windows-10-update-kb4537818))
-
- - **Windows Server 2022**
-
+ - **Windows Server 2022**
- **Enable live response from the advanced settings page**.
The following commands are available for user roles that are granted the ability
| run | Runs a PowerShell script from the library on the device. | Y | Y | Y | | library | Lists files that were uploaded to the live response library. | Y | Y | Y | | putfile | Puts a file from the library to the device. Files are saved in a working folder and are deleted when the device restarts by default. | Y | Y | Y |
-| remediate | Remediates an entity on the device. The remediation action will vary depending on the entity type: File: delete Process: stop, delete image file Service: stop, delete image file Registry entry: delete Scheduled task: remove Startup folder item: delete file NOTE: This command has a prerequisite command. You can use the -auto command in conjunction with remediate to automatically run the prerequisite command. | Y | Y | Y |
+| remediate | Remediates an entity on the device. The remediation action will vary depending on the entity type: File: delete Process: stop, delete image file Service: stop, delete image file Registry entry: delete Scheduled task: remove Startup folder item: delete file NOTE: This command has a prerequisite command. You can use the -auto command in conjunction with remediate to automatically run the prerequisite command. | Y | Y | Y |
| scan | Disconnects the device from the network while retaining connectivity to the Defender for Endpoint service | N | Y | Y | | undo | Restores an entity that was remediated. | Y | Y | Y | - ## Use live response commands The commands that you can use in the console follow similar principles as [Windows Commands](/windows-server/administration/windows-commands/windows-commands#BKMK_c).
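Review bot: In the unchanged `scan` row just below the edited `remediate` row, the description ("Disconnects the device from the network while retaining connectivity to the Defender for Endpoint service") describes network isolation rather than a scan; verify that row against the command's actual behaviour before the table is republished. In the `remediate` row itself, the per-entity actions (File, Process, Service, Registry entry, Scheduled task, Startup folder item) and the NOTE run together in one cell; separating them with `<br/>` would make it clear which action applies to which entity type.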
security Manage Updates Baselines Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-updates-baselines-microsoft-defender-antivirus.md
Engine: **1.1.16700.2**<br/>
</details> <details>
-<summary> November-2019 (Platform: 4.18.1911.3 | Engine: 1.1.16600.7)</summary>
+<summary> November-2019 (Platform: 4.18.1911.3 | Engine: 1.1.16600.7)</summary>
-Security intelligence update version: **1.307.13.0**<br/>
-Released: **December 7, 2019**<br/>
-Platform: **4.18.1911.3**<br/>
-Engine: **1.1.17000.7**<br/>
+Security intelligence update version: **1.307.13.0**<br/>
+Released: **December 7, 2019**<br/>
+Platform: **4.18.1911.3**<br/>
+Engine: **1.1.17000.7**<br/>
Support phase: **No support**<br/> ### What's new
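Review bot: The engine version in the `<summary>` line (1.1.16600.7) does not match the body's "Engine: **1.1.17000.7**", and this whitespace cleanup carries the mismatch through on both the removed and the added lines. Since these lines are being touched anyway, confirm which engine build shipped with platform 4.18.1911.3 and make the two agree. The "November-2019" label next to "Released: **December 7, 2019**" is also worth a check.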
security Mde Device Control Device Installation https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mde-device-control-device-installation.md
ms.technology: mde
-# Microsoft Defender for Endpoint Device Control Device Installation
+# Microsoft Defender for Endpoint Device Control Device Installation
**Applies to** - [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/p/?linkid=2154037)
Deploy Device Installation on Windows 10, Windows 11 devices, Windows Server 202
The following device properties are supported by Device Installation support: -- Device ID -- Hardware ID -- Compatible ID -- Device Class -- ΓÇÿRemovable DeviceΓÇÖ Device type: Some devices could be classified as Removable Device. A device is considered removable when the driver for the device to which it's connected indicates that the device is removable. For example, a USB device is reported to be removable by the drivers for the USB hub to which the device is connected.
+- Device ID
+- Hardware ID
+- Compatible ID
+- Device Class
+- ΓÇÿRemovable DeviceΓÇÖ Device type: Some devices could be classified as Removable Device. A device is considered removable when the driver for the device to which it's connected indicates that the device is removable. For example, a USB device is reported to be removable by the drivers for the USB hub to which the device is connected.
For more information, see [Device Installation in Windows](/windows/client-management/manage-device-installation-with-group-policy). ## Policies
When this policy setting is enabled together with the **Apply layered order of e
- Prevent installation of devices that match these device IDs. - Prevent installation of devices that match any of these device instance IDs.
-If the **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria** policy setting is not enabled with this policy setting, then any other policy settings specifically preventing installation will take precedence.
+If the **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria** policy setting is not enabled with this policy setting, then any other policy settings specifically preventing installation will take precedence.
> [!NOTE] > The **Prevent installation of devices not described by other policy settings** policy setting has been replaced by the **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria** policy setting for supported target Windows 10 versions and Windows 11. It is recommended that you use the **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria** policy setting when possible.
-### Allow installation of devices that match any of these device instance IDs
+### Allow installation of devices that match any of these device instance IDs
-This policy setting allows you to specify a list of Plug and Play device instance IDs for devices that Windows is allowed to install. This policy setting is intended to be used only when the **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria** policy setting is enabled.
+This policy setting allows you to specify a list of Plug and Play device instance IDs for devices that Windows is allowed to install. This policy setting is intended to be used only when the **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria** policy setting is enabled.
When this policy setting is enabled together with the **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria** policy setting, Windows is allowed to install or update any device whose Plug and Play device instance ID appears in the list you create, unless another policy setting at the same or higher layer in the hierarchy specifically prevents that installation, such as the following policy settings: -- Prevent installation of devices that match any of these device instance IDs
+- Prevent installation of devices that match any of these device instance IDs
-If the **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria** policy setting is not enabled with this policy setting, then any other policy settings specifically preventing installation will take precedence.
+If the **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria** policy setting is not enabled with this policy setting, then any other policy settings specifically preventing installation will take precedence.
-### Allow installation of devices using drivers that match these device setup classes
+### Allow installation of devices using drivers that match these device setup classes
This policy setting allows you to specify a list of device setup class globally unique identifiers (GUIDs) for driver packages that Windows is allowed to install. This policy setting is intended to be used only when the **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria** policy setting is enabled.
-When this policy setting is enabled together with the **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria** policy setting, Windows is allowed to install or update driver packages whose device setup class GUIDs appear in the list you create, unless another policy setting at the same or higher layer in the hierarchy specifically prevents that installation, such as the following policy settings:
+When this policy setting is enabled together with the **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria** policy setting, Windows is allowed to install or update driver packages whose device setup class GUIDs appear in the list you create, unless another policy setting at the same or higher layer in the hierarchy specifically prevents that installation, such as the following policy settings:
-- Prevent installation of devices for these device classes -- Prevent installation of devices that match these device IDs -- Prevent installation of devices that match any of these device instance IDs
+- Prevent installation of devices for these device classes
+- Prevent installation of devices that match these device IDs
+- Prevent installation of devices that match any of these device instance IDs
If the **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria** policy setting is not enabled with this policy setting, then any other policy settings specifically preventing installation will take precedence.
-### Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria
+### Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria
This policy setting will change the evaluation order in which Allow and Prevent policy settings are applied when more than one install policy setting is applicable for a given device. Enable this policy setting to ensure that overlapping device match criteria is applied based on an established hierarchy where more specific match criteria supersedes less specific match criteria. The hierarchical order of evaluation for policy settings that specify device match criteria is as follows:
-**Device instance IDs > Device IDs > Device setup class > Removable devices**
+**Device instance IDs** \> **Device IDs** \> **Device setup class** \> **Removable devices**
-#### Device instance IDs
+#### Device instance IDs
1. Prevent installation of devices using drivers that match these device instance IDs. 2. Allow installation of devices using drivers that match these device instance IDs.
-#### Device IDs
+#### Device IDs
1. Prevent installation of devices using drivers that match these device IDs. 2. Allow installation of devices using drivers that match these device IDs.
-#### Device setup class
+#### Device setup class
1. Prevent installation of devices using drivers that match these device setup classes. 2. Allow installation of devices using drivers that match these device setup classes.
-#### Removable devices
+#### Removable devices
-Prevent installation of removable devices
+Prevent installation of removable devices
> [!NOTE]
-> This policy setting provides more granular control than the **Prevent installation of devices not described by other policy settings** policy setting. If these conflicting policy settings are enabled at the same time, the **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria** policy setting will be enabled and the other policy setting will be ignored.
+> This policy setting provides more granular control than the **Prevent installation of devices not described by other policy settings** policy setting. If these conflicting policy settings are enabled at the same time, the **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria** policy setting will be enabled and the other policy setting will be ignored.
-### Prevent installation of devices that match any of these device IDs
+### Prevent installation of devices that match any of these device IDs
This policy setting allows you to specify a list of Plug and Play hardware IDs and compatible IDs for devices that Windows is prevented from installing. By default, this policy setting takes precedence over any other policy setting that allows Windows to install a device. > [!NOTE]
-> To enable the **Allow installation of devices that match any of these device instance IDs** policy setting to supersede this policy setting for applicable devices, enable the **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria** policy setting.
+> To enable the **Allow installation of devices that match any of these device instance IDs** policy setting to supersede this policy setting for applicable devices, enable the **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria** policy setting.
If you enable this policy setting, Windows is prevented from installing a device whose hardware ID or compatible ID appears in the list you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server.
-If you disable or don't configure this policy setting, devices can be installed and updated as allowed or prevented by other policy settings.
+If you disable or don't configure this policy setting, devices can be installed and updated as allowed or prevented by other policy settings.
-### Prevent installation of devices that match any of these device instance IDs
+### Prevent installation of devices that match any of these device instance IDs
-This policy setting allows you to specify a list of Plug and Play device instance IDs for devices that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device.
+This policy setting allows you to specify a list of Plug and Play device instance IDs for devices that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device.
-If you enable this policy setting, Windows is prevented from installing a device whose device instance ID appears in the list you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server.
+If you enable this policy setting, Windows is prevented from installing a device whose device instance ID appears in the list you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server.
-If you disable or don't configure this policy setting, devices can be installed and updated as allowed or prevented by other policy settings.
+If you disable or don't configure this policy setting, devices can be installed and updated as allowed or prevented by other policy settings.
-### Prevent installation of devices using drivers that match these device setup classes
+### Prevent installation of devices using drivers that match these device setup classes
This policy setting allows you to specify a list of device setup class globally unique identifiers (GUIDs) for driver packages that Windows is prevented from installing. By default, this policy setting takes precedence over any other policy setting that allows Windows to install a device. > [!NOTE] > To enable the **Allow installation of devices that match any of these device IDs** and **Allow installation of devices that match any of these device instance IDs** policy settings to supersede this policy setting for applicable devices, enable the **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria** policy setting.
-If you enable this policy setting, Windows is prevented from installing or updating driver packages whose device setup class GUIDs appear in the list you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server.
+If you enable this policy setting, Windows is prevented from installing or updating driver packages whose device setup class GUIDs appear in the list you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server.
-If you disable or don't configure this policy setting, Windows can install and update devices as allowed or prevented by other policy settings.
+If you disable or don't configure this policy setting, Windows can install and update devices as allowed or prevented by other policy settings.
-### Prevent installation of removable devices
+### Prevent installation of removable devices
-This policy setting allows you to prevent Windows from installing removable devices. A device is considered removable when the driver for the device to which it's connected indicates that the device is removable. For example, a Universal Serial Bus (USB) device is reported to be removable by the drivers for the USB hub to which the device is connected. By default, this policy setting takes precedence over any other policy setting that allows Windows to install a device.
+This policy setting allows you to prevent Windows from installing removable devices. A device is considered removable when the driver for the device to which it's connected indicates that the device is removable. For example, a Universal Serial Bus (USB) device is reported to be removable by the drivers for the USB hub to which the device is connected. By default, this policy setting takes precedence over any other policy setting that allows Windows to install a device.
> [!NOTE] > To enable the **Allow installation of devices using drivers that match these device setup classes**, **Allow installation of devices that match any of these device IDs**, and **Allow installation of devices that match any of these device instance IDs** policy settings to supersede this policy setting for applicable devices, enable the **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria** policy setting.
If you disable or don't configure this policy setting, Windows can install and u
To help familiarize you with Microsoft Defender for Endpoint Removable Storage Access Control, we have put together some common scenarios for you to follow.
-### Scenario 1: Prevent installation of all USB devices while allowing an installation of only an authorized USB thumb-drive
+### Scenario 1: Prevent installation of all USB devices while allowing an installation of only an authorized USB thumb-drive
For this scenario, following policies will be used:
For this scenario, following policies will be used:
- Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria. - Allow installation of devices that match any of these device instance IDs or Allow installation of devices that match any of these device IDs.
-#### Deploying and managing policy via Intune
+#### Deploying and managing policy via Intune
The Device installation feature allows you to apply policy through Intune to device.
-#### Licensing
+#### Licensing
-Before you get started with Device installation, you should confirm yourΓÇ»[Microsoft 365 subscription](https://www.microsoft.com/en-in/microsoft-365/compare-microsoft-365-enterprise-plans?rtc=2). To access and use Device installation, you must have Microsoft 365 E3.
+Before you get started with Device installation, you should confirm your [Microsoft 365 subscription](https://www.microsoft.com/en-in/microsoft-365/compare-microsoft-365-enterprise-plans?rtc=2). To access and use Device installation, you must have Microsoft 365 E3.
-#### Permission
+#### Permission
-For Policy deployment in Intune, the account must have permissions to create, edit, update, or delete device configuration profiles. You can create custom roles or use any of the built-in roles with these permissions:
+For Policy deployment in Intune, the account must have permissions to create, edit, update, or delete device configuration profiles. You can create custom roles or use any of the built-in roles with these permissions:
- Policy and profile Manager role - Or custom role with Create/Edit/Update/Read/Delete/View Reports permissions turned on for Device Configuration profiles - Or Global admin
-#### Deploying policy
+#### Deploying policy
-In Microsoft Endpoint Manager [https://endpoint.microsoft.com/](https://endpoint.microsoft.com/)
+In Microsoft Endpoint Manager [https://endpoint.microsoft.com/](https://endpoint.microsoft.com/)
1. Configure **Prevent installation of devices using drivers that match these device setup classes**. - Open Endpoint security > Attack surface reduction > Create Policy > Platform: Windows 10 (and later) & Profile: Device control.
-
+ :::image type="content" source="../../media/devicepolicy-editprofile.png" alt-text="edit profile":::
-
+ 2. Plug in a USB, device and you will see following error message: :::image type="content" source="../../media/devicepolicy-errormsg.png" alt-text="error message":::
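Review bot: Step 2 in the context of this hunk reads "Plug in a USB, device and you will see following error message"; the comma is misplaced and an article is missing. Suggest "Plug in a USB device, and you will see the following error message:".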
In Microsoft Endpoint Manager [https://endpoint.microsoft.com/](https://endpoint
3. Enable **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria**. - **only support OMA-URI for now**: Devices > Configuration profiles > Create profile > Platform: Windows 10 (and later) & Profile: Custom
-
+ :::image type="content" source="../../media/devicepolicy-editrow.png" alt-text="edit row"::: 4. Enable and add allowed USB Instance ID ΓÇô **Allow installation of devices that match any of these device IDs**. - Update the step 1 Device control profile
-
+ :::image type="content" source="../../media/devicepolicy-devicecontrol.png" alt-text="devicecontrol":::
-
- Adding PCI\CC_0C03; PCI\CC_0C0330; PCI\VEN_8086; PNP0CA1; PNP0CA1&HOST; USB\ROOT_HUB30; USB\ROOT_HUB20; USB\USB20_HUB on above screen capture is because it's not enough to enable only a single hardware ID to enable a single USB thumb-drive. You have to ensure all the USB devices that preceding the target one aren't blocked (allowed) as well. You can open Device Manager and change view to ΓÇÿDevices by connectionsΓÇÖ to see the way devices are installed in the PnP tree. In Our case the following devices has to be allowed so the target USB thumb-drive could be allowed as well:
- - ΓÇ£Intel(R) USB 3.0 eXtensible Host Controller ΓÇô 1.0 (Microsoft)ΓÇ¥ -> PCI\CC_0C03
- - ΓÇ£USB Root Hub (USB 3.0)ΓÇ¥ -> USB\ROOT_HUB30
+ Adding PCI\CC_0C03; PCI\CC_0C0330; PCI\VEN_8086; PNP0CA1; PNP0CA1&HOST; USB\ROOT_HUB30; USB\ROOT_HUB20; USB\USB20_HUB on above screen capture is because it's not enough to enable only a single hardware ID to enable a single USB thumb-drive. You have to ensure all the USB devices that preceding the target one aren't blocked (allowed) as well. You can open Device Manager and change view to ΓÇÿDevices by connectionsΓÇÖ to see the way devices are installed in the PnP tree. In Our case the following devices has to be allowed so the target USB thumb-drive could be allowed as well:
+
+ - ΓÇ£Intel(R) USB 3.0 eXtensible Host Controller ΓÇô 1.0 (Microsoft)ΓÇ¥ -> PCI\CC_0C03
+ - ΓÇ£USB Root Hub (USB 3.0)ΓÇ¥ -> USB\ROOT_HUB30
- ΓÇ£Generic USB HubΓÇ¥ -> USB\USB20_HUB :::image type="content" source="../../media/devicepolicy-devicemgr.png" alt-text="device control":::
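Review bot: Step 4 says to add the allowed "USB Instance ID" but names the policy **Allow installation of devices that match any of these device IDs**, and the values listed in the added paragraph (PCI\CC_0C03, USB\ROOT_HUB30, USB\USB20_HUB and the rest) are hardware and compatible IDs, not device instance IDs; state which policy and which ID type the step actually needs. The added paragraph also keeps "that preceding the target one", "In Our case" and "devices has to be allowed"; suggest "that precede the target device", "In our case" and "devices have to be allowed".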
In Microsoft Endpoint Manager [https://endpoint.microsoft.com/](https://endpoint
> [!NOTE] > Some devices in the system have several layers of connectivity to define their installation on the system. USB thumb drives are such devices. Thus, when looking to either block or allow them on a system, it's important to understand the path of connectivity for each device. There are several generic device IDs that are commonly used in systems and could provide a good start to build an "Allow list" in such cases. The following is one example (it is not always the same for all USBs; you need to understand the PnP tree of the device you want to manage through the Device Manager): >
- > PCI\CC_0C03; PCI\CC_0C0330; PCI\VEN_8086; PNP0CA1; PNP0CA1&HOST (for Host Controllers)/ USB\ROOT_HUB30; USB\ROOT_HUB20 (for USB Root Hubs)/ USB\USB20_HUB (for Generic USB Hubs)/
+ > PCI\CC_0C03; PCI\CC_0C0330; PCI\VEN_8086; PNP0CA1; PNP0CA1&HOST (for Host Controllers)/ USB\ROOT_HUB30; USB\ROOT_HUB20 (for USB Root Hubs)/ USB\USB20_HUB (for Generic USB Hubs)/
>
- > Specifically for desktop machines, it's important to list all the USB devices that your keyboards and mice are connected through in the above list. Failing to do so could block a user from accessing its machine through HID devices.
+ > Specifically for desktop machines, it's important to list all the USB devices that your keyboards and mice are connected through in the above list. Failing to do so could block a user from accessing its machine through HID devices.
>
- > Different PC manufacturers sometimes have different ways to nest USB devices in the PnP tree, but in general this is how it's done.
+ > Different PC manufacturers sometimes have different ways to nest USB devices in the PnP tree, but in general this is how it's done.
5. Plug in the allowed USB again. YouΓÇÖll see that it's now allowed and available.
The [Microsoft 365 security](https://sip.security.microsoft.com/homepage) portal
- Microsoft 365 for E5 reporting ```kusto
-//events triggered by Device Installation policies
-DeviceEvents
-| where ActionType == "PnpDeviceBlocked" or ActionType == "PnpDeviceAllowed"
-| extend parsed=parse_json(AdditionalFields)
-| extend MediaClassGuid = tostring(parsed.ClassGuid)
-| extend MediaInstanceId = tostring(parsed.DeviceInstanceId)
-| extend MediaDeviceId = tostring(parsed.MatchingDeviceId)
-| project Timestamp , DeviceId, DeviceName, ActionType, MediaClassGuid, MediaDeviceId, MediaInstanceId, AdditionalFields
-| order by Timestamp desc
+//events triggered by Device Installation policies
+DeviceEvents
+| where ActionType == "PnpDeviceBlocked" or ActionType == "PnpDeviceAllowed"
+| extend parsed=parse_json(AdditionalFields)
+| extend MediaClassGuid = tostring(parsed.ClassGuid)
+| extend MediaInstanceId = tostring(parsed.DeviceInstanceId)
+| extend MediaDeviceId = tostring(parsed.MatchingDeviceId)
+| project Timestamp , DeviceId, DeviceName, ActionType, MediaClassGuid, MediaDeviceId, MediaInstanceId, AdditionalFields
+| order by Timestamp desc
``` :::image type="content" source="../../media/block-removable-storage2.png" alt-text="block storage"::: ## Frequently asked questions
-### How can I know whether the target machine gets the deployed policy?
+### How can I know whether the target machine gets the deployed policy?
+ You can use following query to get antimalware client version on the Microsoft 365 security portal: ```kusto
-//check whether the Device installation policy has been deployed to the target machine, event only when modification happens
-DeviceRegistryEvents
-| where RegistryKey contains "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeviceInstall\\"
+//check whether the Device installation policy has been deployed to the target machine, event only when modification happens
+DeviceRegistryEvents
+| where RegistryKey contains "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeviceInstall\\"
| order by Timestamp desc ``` ## Why the Allow policy doesn't work?+ It is not enough to enable only a single hardware ID to enable a single USB thumb-drive. Ensure that all the USB devices that precede the target one aren't blocked (allowed) as well. :::image type="content" source="../../media/devicemgrscrnshot.png" alt-text="Device install faq":::-
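Review bot: the sentence added under "How can I know whether the target machine gets the deployed policy?" says the query gets the antimalware client version, but the query that follows reads `DeviceRegistryEvents` for the `...\Policies\Microsoft\Windows\DeviceInstall\` key. The lead-in should say it checks whether the Device Installation policy reached the machine, and "use following query" needs "the". The query's own comment says events appear only when a modification happens, so the text should also state that an empty result does not show the policy is missing. Two smaller points in the same region: "## Why the Allow policy doesn't work?" sits at H2 while the sibling FAQ entry is H3, and "aren't blocked (allowed) as well" reads ambiguously; "are allowed as well" would say the same thing clearly.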
security Mde Terms Mac https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mde-terms-mac.md
- Title: Microsoft Defender ATP application license terms-
-description: Describes the Microsoft Defender ATP license terms
-keywords: microsoft, defender, Microsoft Defender ATP, license, terms, application, use, installation, service, feedback, scope
-search.product: eADQiWindows 10XVcnh
-ms.sitesec: library
-ms.pagetype: security
----
- - m365-security-compliance
-
-hideEdit: true
--
-# Microsoft Defender ATP application license terms
--
-**Applies to:**
-- [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/p/?linkid=2154037)-- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037)-
-MICROSOFT DEFENDER ATP
-
-IF YOU LIVE IN (OR ARE A BUSINESS WITH A PRINCIPAL PLACE OF BUSINESS IN) THE UNITED STATES, PLEASE READ THE ΓÇ£BINDING ARBITRATION AND CLASS ACTION WAIVERΓÇ¥ SECTION BELOW. IT AFFECTS HOW DISPUTES ARE RESOLVED.
-
-These license terms are an agreement between you and Microsoft Corporation (or one of its affiliates). They apply to the software named above and any Microsoft services or software updates (except to the extent such services or updates are accompanied by new or more terms, in which case those different terms apply prospectively and don't alter your or MicrosoftΓÇÖs rights relating to pre-updated software or services). IF YOU COMPLY WITH THESE LICENSE TERMS, YOU HAVE THE RIGHTS BELOW. BY USING THE SOFTWARE, YOU ACCEPT THESE TERMS. IF YOU DO NOT ACCEPT THEM, DO NOT USE THE SOFTWARE. FOR APPLE USERS, INSTEAD, RETURN IT TO APPLE INC. ("APPLE") FOR A REFUND OR CREDIT IF APPLICABLE. ΓÇ£Apple userΓÇ¥ means a user using this software that is obtained from an Apple store on an Apple OS-based device.
-
-1. **INSTALLATION AND USE RIGHTS.**
-
- a) **General.** Apple users may install and use a copy of the software on an Apple OS-based device you own or control as permitted by AppleΓÇÖs app store usage rules. All other users may install and use any number of copies of the software.
-
- b) **Work or School Accounts.** You can sign into the software with a work or school email address. If you do, you agree that the owner of the domain associated with your email address may control and administer your account, and access and process your data, including the contents of your communications and files. You further agree that your use of the software may be subject to: i) your organizationΓÇÖs guidelines and policies about the use of the software; and ii) the agreements Microsoft has with you or your organization, and in such case these terms may not apply. If you already have a Microsoft account and you use a separate work or school email address to access the software, you may be prompted to update the email address that is associated with your Microsoft account to continue accessing the software.
-
- c) **Third Party Components.** The software may include third-party components with separate legal notices or governed by other agreements, as may be described in the ThirdPartyNotices file(s) coming with the software.
-
- d) **Microsoft Services Agreement.** Some features of the software provide access to, or rely on, online services. The use of those services (but not the software) is governed by the separate terms and privacy policies in the [Microsoft Services Agreement](https://go.microsoft.com/fwlink/?linkid=398923). Read them. The services may not be available in all regions.
-
- e) **Competitive Benchmarking.** If you're a direct competitor, and you access or use the software for purposes of competitive benchmarking, analysis, or intelligence gathering, you waive as against Microsoft, its subsidiaries, and its affiliated companies (including prospectively) any competitive use, access, and benchmarking test restrictions that govern your software to the extent your terms of use are, or purport to be, more restrictive than MicrosoftΓÇÖs terms. If you don't waive any such purported restrictions in the terms that govern your software, you aren't allowed to access or use this software, and won't do so.
-
-1. **PRE-RELEASE SOFTWARE.** If you're downloading a pre-release or beta version of the software, it may not operate correctly. It may be different
-from the commercially released version.
-
-1. **FEEDBACK.** If you give feedback about the software to Microsoft, you allow Microsoft, without charge, the right to use, share, and commercialize your feedback in any way and for any purpose. You won't give feedback that is subject to a license that requires Microsoft to license its software or documentation to third parties because Microsoft includes your feedback in them. These rights survive this agreement.
-
-1. **DATA.**
-
- a) **Data Collection.** The software may collect information about you and your use of the software, and send that to Microsoft. Microsoft may use this information to provide services and improve our products and services. You may opt out of many of these scenarios, but not all, as described in the product documentation. There are also some features in the software that may enable you to collect data from users of your applications. If you use these features to enable data collection in your applications, you must follow applicable law, including providing appropriate notices to users of your applications. Learn more about data collection, use, and the privacy statement in the help documentation at [https://aka.ms/privacy](https://aka.ms/privacy). Your use of the software is your consent to these practices.
-
- b) **Processing of Personal Data.** If Microsoft is a processor or subprocessor of personal data of the software, Microsoft makes the commitments in the European Union General Data Protection Regulation Terms of the Online Services Terms to all customers effective May 25, 2018, at [https://docs.microsoft.com/legal/gdpr](/legal/gdpr).
-
-1. **SCOPE OF LICENSE.** The software is licensed, not sold. Microsoft reserves all other rights. Unless applicable law gives you more rights despite this limitation, you won't (and have no right to):
-
- a) work around any technical limitations in the software that only allow you to use it in certain ways;
-
- b) reverse engineer, decompile or disassemble the software, or otherwise attempt to derive the source code for the software, except to the extent required by third party licensing terms governing the use of certain open-source components that may be included in the software;
-
- c) remove, minimize, block, or modify any notices of Microsoft or its suppliers in the software;
-
- d) reveal the results of any benchmark tests of the software to any third party without MicrosoftΓÇÖs prior written approval;
-
- e) use the software in any way that is against the law or to create or propagate malware; or
-
- f) share, publish, distribute, or lease the software, provide the software as a stand-alone offering for others to use, or transfer the software or this agreement to any third party.
-
-1. **MICROSOFT 365 COMMERCIAL SUBSCRIPTION.** Use of the software requires a Microsoft 365 commercial subscription. Your access to the services provided through the software must follow the existing terms for Microsoft 365 that apply to you through your subscription or your organization's subscription. You may lose access to the service: i) if your or your organizationΓÇÖs Microsoft 365 subscription expires; or ii) your organization decides to end your license to access the services.
-
-1. **TRANSFER TO ANOTHER DEVICE.** For Apple users, you may uninstall the software and install it on another device for your use. You may not share this license on multiple devices.
-
-1. **EXPORT RESTRICTIONS.** Follow all domestic and international export laws and regulations that apply to the software, which include restrictions on destinations, end users, and end use. For further information on export restrictions, visit [https://aka.ms/exporting](https://aka.ms/exporting).
-
-1. **LEGAL COMPLIANCE.** You represent and authorize that:
- a. You aren't located in a country that is subject to a U.S. Government embargo, or that has been designated by the U.S. Government as a ΓÇ£terrorist supportingΓÇ¥ country
- b. You aren't listed on any U.S. Government list of prohibited or restricted parties.
-
-1. **SUPPORT SERVICES.** Microsoft isn't obliged under this agreement to provide any support services for the software. Any support provided is ΓÇ£as isΓÇ¥, ΓÇ£with all faultsΓÇ¥, and without warranty of any kind. You accept that Apple has no obligation at all to furnish any maintenance and support services about the software.
-
-1. **UPDATES.** The software may periodically check for updates, and download and install them for you. You may obtain updates only from Microsoft or authorized sources. Microsoft may need to update your system to provide you with updates. You agree to receive these automatic updates without any extra notice. Updates may not include or support all existing software features, services, or peripheral devices.
-
-1. **BINDING ARBITRATION AND CLASS ACTION WAIVER.** This Section applies if you live in (or, if a business, your principal place of business is in) the United States. If you and Microsoft have a dispute, you and Microsoft agree to try for 60 days to resolve it informally. If you and Microsoft canΓÇÖt, you and Microsoft agree to abide by individual arbitration before the American Arbitration Association under the Federal Arbitration Act (ΓÇ£FAAΓÇ¥), and not to sue in court in front of a judge or jury. Instead, a neutral arbitrator will decide. Class action lawsuits, class-wide arbitrations, private attorney-general actions, and any other proceeding where someone acts in a representative capacity aren't allowed; nor is combining individual proceedings without the consent of all parties. The complete Arbitration Agreement contains more terms and is at [https://aka.ms/arb-agreement-4](https://aka.ms/arb-agreement-4). You and Microsoft agree to these terms.
-
-1. **ENTIRE AGREEMENT.** This agreement, and any other terms Microsoft may provide for supplements, updates, or third-party applications, is the entire agreement for the software.
-
-1. **APPLICABLE LAW AND PLACE TO RESOLVE DISPUTES.** If you acquired the software in the United States or Canada, the laws of the state or province where you live (or, if a business, where your principal place of business is located) govern the interpretation of this agreement, claims for its breach, and all other claims (including consumer protection, unfair competition, and tort claims), regardless of conflict of laws principles, except that the FAA governs everything that is related to arbitration. If you acquired the software in any other country, its laws apply, except that the FAA governs everything related to arbitration. If U.S. federal jurisdiction exists, you and Microsoft consent to exclusive jurisdiction and venue in the federal court in King County, Washington for all disputes heard in court (excluding arbitration). If not, you and Microsoft consent to exclusive jurisdiction and venue in the Superior Court of King County, Washington for all disputes heard in court (excluding arbitration).
-
-1. **THIRD PARTY BENEFICIARY (APPLE USERS ONLY).** Apple users agree that Apple and its subsidiaries are third-party beneficiaries of this agreement, and Apple has the right to enforce this agreement.
-
-1. **PRODUCT CLAIMS AND INTELLECTUAL PROPERTY RIGHTS.** Microsoft, not Apple, is responsible for addressing any claims that relate to the software or your possession and/or use of the software. If any third-party claim that the software or your possession and use of that software infringes that third partyΓÇÖs intellectual property rights, Microsoft, not Apple, will be solely responsible for the investigation, defense, settlement, and discharge of any such intellectual property infringement claim.
-
-1. **CONSUMER RIGHTS; REGIONAL VARIATIONS.** This agreement describes certain legal rights. You may have other rights, including consumer rights, under the laws of your state, province, or country. Separate and apart from your relationship with Microsoft, you may also have rights to the party from which you acquired the software. This agreement doesn't change those other rights if the laws of your state, province, or country do not permit it to do so. For example, if you acquired the software in one of the below regions, or mandatory country law applies, then the following provisions apply to you:
-
- a) **Australia.** You have statutory guarantees under the Australian Consumer Law and nothing in this agreement is intended to affect those rights.
-
- b) **Canada.** If you acquired this software in Canada, you may stop receiving updates by turning off the automatic update feature, disconnecting your device from the Internet (if and when you reconnect to the Internet, however, the software will resume checking for and installing updates), or uninstalling the software. The product documentation, if any, may also specify how to turn off updates for your specific device or software.
-
- c) **Germany and Austria.**<br>
- i) **Warranty**. The properly licensed software will perform substantially as described in any Microsoft materials that accompany the software. However, Microsoft gives no contractual guarantee in relation to the licensed software.<br>
- ii) **Limitation of Liability.** If there is intentional conduct, gross negligence, claims based on the Product Liability Act, and, if there is death or personal or physical injury, Microsoft is liable according to the statutory law.<br>
- Subject to the foregoing clause ii., Microsoft will only be liable for slight negligence if Microsoft is in breach of such material contractual obligations, the fulfillment of which facilitate the due performance of this agreement, the breach of which would endanger the purpose of this agreement and the compliance with which a party may constantly trust in (so-called "cardinal obligations"). In other cases of slight negligence, Microsoft will not be liable for slight negligence.
-1. **DISCLAIMER OF WARRANTY.** THE SOFTWARE IS LICENSED ΓÇ£AS IS.ΓÇ¥ YOU BEAR THE RISK OF USING IT. FOR APPLE USERS, IF DESIRED, YOU MAY NOTIFY APPLE FOR A REFUND OF THE PURCHASE PRICE. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, APPLE WILL HAVE NO OTHER WARRANTY OBLIGATION WHATSOEVER. MICROSOFT GIVES NO EXPRESS WARRANTIES, GUARANTEES, OR CONDITIONS. YOU MAY HAVE ADDITIONAL CONSUMER RIGHTS OR STATUTORY GUARANTEES UNDER YOUR LOCAL LAWS THAT THIS AGREEMENT CANNOT CHANGE. TO THE EXTENT PERMITTED UNDER YOUR LOCAL LAWS, MICROSOFT EXCLUDES ALL IMPLIED WARRANTIES, INCLUDING MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT.
-
-1. LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. IF YOU HAVE ANY BASIS FOR RECOVERING DAMAGES DESPITE THE PRECEDING DISCLAIMER OF WARRANTY, YOU CAN RECOVER FROM MICROSOFT, AND ITS SUPPLIERS ONLY DIRECT DAMAGES UP TO U.S.$5.00, UNLESS YOU ARE AN APPLE USER, IN WHICH CASE, YOU CAN RECOVER FROM APPLE, MICROSOFT, AND MICROSOFTΓÇÖS SUPPLIERS ONLY DIRECT DAMAGES UP TO THE AMOUNT YOU PAID FOR THE SOFTWARE. YOU CANNOT RECOVER ANY OTHER DAMAGES, INCLUDING CONSEQUENTIAL, LOST PROFITS, SPECIAL, INDIRECT, OR INCIDENTAL DAMAGES.
-
-This limitation applies to (a) anything related to the software, services, content (including code) on third-party Internet sites, or third-party applications; and (b) claims for breach of contract, warranty, guarantee, or condition; strict liability, negligence, or other tort; or any other claim; in each case to the extent permitted by applicable law. It also applies even if Microsoft or Apple (for Apple uses) knew or should have known about the possibility of the damages. The above limitation or exclusion may not apply to you because your state, province, or country may not allow the exclusion or limitation of incidental, consequential, or other damages.
-
-1. **CONTACT INFORMATION.** If you have questions, complaints or claims about the software, contact the Microsoft affiliate serving your country (see [https://aka.ms/msoffices](https://aka.ms/msoffices)).
-
-Note that as this software is distributed in Canada, some of the clauses in this agreement are provided below in French.
-Remarque: Ce logiciel étant distribué au Canada, certaines des clauses dans ce contrat sont fournies ci-dessous en français.
-EXONÉRATION DE GARANTIE. Le logiciel visé par une licence est offert « tel quel ». Toute utilisation de ce logiciel est à votre seule risque et péril. Microsoft n’accorde aucune autre garantie expresse. Vous pouvez bénéficier de droits additionnels en vertu du droit local sur la protection des consommateurs, que ce contrat ne peut modifier. La ou elles sont permises par le droit locale, les garanties implicites de qualité marchande, d’adéquation à un usage particulier et d’absence de contrefaçon sont exclues.
-LIMITATION DES DOMMAGES-INTÉRÊTS ET EXCLUSION DE RESPONSABILITÉ POUR LES DOMMAGES. Vous pouvez obtenir de Microsoft et de ses fournisseurs une indemnisation en cas de dommages directs uniquement à hauteur de 5,00 $ US. Vous ne pouvez prétendre à aucune indemnisation pour les autres dommages, y compris les dommages spéciaux, indirects ou accessoires et pertes de bénéfices.
-Cette limitation concerne:
--- tout ce qui est relié au logiciel, aux services ou au contenu (y compris le code) figurant sur des sites Internet tiers ou dans des programmes tiers; et-- les réclamations au titre de violation de contrat ou de garantie, ou au titre de responsabilité stricte, de négligence ou d’une autre faute dans la limite autorisée par la loi en vigueur.-
-Elle s’applique également, même si Microsoft connaissait ou devrait connaître l’éventualité d’un tel dommage. Si votre pays n’autorise pas l’exclusion ou la limitation de responsabilité pour les dommages indirects, accessoires ou de quelque nature que ce soit, il se peut que la limitation ou l’exclusion ci-dessus ne s’appliquera pas à votre égard.
-EFFET JURIDIQUE. Le présent contrat décrit certains droits juridiques. Vous pourriez avoir d’autres droits prévus par les lois de votre pays. Le présent contrat ne modifie pas les droits que vous confèrent les lois de votre pays si celles-ci ne le permettent pas.
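Review bot: no replacement location for these license terms is visible in this change, and every line of mde-terms-mac.md from the front matter down to the French clauses is removed. Please confirm that a redirect exists for the published URL and that links pointing at this page are updated in the same change. The mde-terms-mobile.md removal that follows deletes near-identical text, so both should point at the same target.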
security Mde Terms Mobile https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mde-terms-mobile.md
- Title: Microsoft Defender for Endpoint Application license terms-
-description: Describes the Microsoft Defender for Endpoint license terms
-keywords: microsoft, defender, Microsoft Defender for Endpoint, license, terms, application, use, installation, service, feedback, scope
-search.product: eADQiWindows 10XVcnh
-ms.sitesec: library
-ms.pagetype: security
----
- - m365-security-compliance
-
-hideEdit: true
--
-# Microsoft Defender for Endpoint application license terms
-
-**Applies to:**
-- [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/p/?linkid=2154037)-- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037)---
-MICROSOFT SOFTWARE LICENSE TERMS: MICROSOFT DEFENDER FOR ENDPOINT
-
-IF YOU LIVE IN (OR ARE A BUSINESS WITH A PRINCIPAL PLACE OF BUSINESS IN) THE UNITED STATES, PLEASE READ THE ΓÇ£BINDING ARBITRATION AND CLASS ACTION WAIVERΓÇ¥ SECTION BELOW. IT AFFECTS HOW DISPUTES ARE RESOLVED.
-
-These license terms are an agreement between you and Microsoft Corporation (or one of its affiliates). They apply to the software named above and any Microsoft services or software updates (except to the extent such services or updates are accompanied by new or more terms, in which case those different terms apply prospectively and don't alter your or MicrosoftΓÇÖs rights relating to pre-updated software or services). IF YOU COMPLY WITH THESE LICENSE TERMS, YOU HAVE THE RIGHTS BELOW. BY USING THE SOFTWARE, YOU ACCEPT THESE TERMS. IF YOU DO NOT ACCEPT THEM, DO NOT USE THE SOFTWARE. FOR APPLE USERS, INSTEAD, RETURN IT TO APPLE INC. ("APPLE") FOR A REFUND OR CREDIT IF APPLICABLE. ΓÇ£Apple userΓÇ¥ means a user using this software that is obtained from an Apple store on an Apple OS-based device.
-
-1. **INSTALLATION AND USE RIGHTS.**
-
- a) **General.** Apple users may install and use one copy of the software on an Apple OS-based device you own or control as permitted by AppleΓÇÖs app store usage rules. All other users may install and use any number of copies of the software.
-
- b) **Work or School Accounts.** You can sign into the software with a work or school email address. If you do, you agree that the owner of the domain associated with your email address may control and administer your account, and access and process your data, including the contents of your communications and files. You further agree that your use of the software may be subject to: i) your organizationΓÇÖs guidelines and policies about the use of the software; and ii) the agreements Microsoft has with you or your organization, and in such case these terms may not apply. If you already have a Microsoft account and you use a separate work or school email address to access the software, you may be prompted to update the email address that is associated with your Microsoft account to continue accessing the software.
-
- c) **Third Party Components.** The software may include third-party components with separate legal notices or governed by other agreements, as may be described in the ThirdPartyNotices file(s) coming with the software.
-
- d) **Microsoft Services Agreement.** Some features of the software provide access to, or rely on, online services. The use of those services (but not the software) is governed by the separate terms and privacy policies in the [Microsoft Services Agreement](https://go.microsoft.com/fwlink/?linkid=398923). Read them. The services may not be available in all regions.
-
- e) **Competitive Benchmarking.** If you're a direct competitor, and you access or use the software for purposes of competitive benchmarking, analysis, or intelligence gathering, you waive as against Microsoft, its subsidiaries, and its affiliated companies (including prospectively) any competitive use, access, and benchmarking test restrictions that govern your software as your terms of usage are, or purport to be, more restrictive than MicrosoftΓÇÖs terms. If you don't waive any such purported restrictions in the terms governing your software, you aren't allowed to access or use this software, and will not do so.
-
-1. **PRE-RELEASE SOFTWARE.** If you're downloading a pre-release or beta version of the software, it may not operate correctly. It may be different
-from the commercially released version.
-
-1. **FEEDBACK.** If you give feedback about the software to Microsoft, you allow Microsoft, without charge, the right to use, share, and commercialize your feedback for any purpose. Don't give feedback that is subject to a license that requires Microsoft to license its software or documentation to third parties because Microsoft includes your feedback in them. These rights survive this agreement.
-
-1. **DATA.**
-
- a) **Data Collection.** The software may collect information about you and your use of the software, and send that to Microsoft. Microsoft may use this information to provide services and improve our products and services. You may opt out of many of these scenarios, but not all, as described in the product documentation. There are also some features in the software that may enable you to collect data from users of your applications. If you use these features to enable data collection in your applications, you must follow applicable law, including providing appropriate notices to users of your applications. Learn more about data collection, use, and the privacy statement in the help documentation at [https://aka.ms/privacy](https://aka.ms/privacy). Your use of the software operates as your consent to these practices.
-
- b) **Processing of Personal Data.** If Microsoft is a processor or subprocessor of personal data of the software, Microsoft makes the commitments in the European Union General Data Protection Regulation Terms of the Online Services Terms to all customers effective May 25, 2018, at [https://docs.microsoft.com/legal/gdpr](/legal/gdpr).
-
-1. **SCOPE OF LICENSE.** The software is licensed, not sold. Microsoft reserves all other rights. Unless applicable law gives you more rights despite this limitation, you won't (and have no right to):
-
- a) work around any technical limitations in the software that only allow you to use it in certain ways;
-
- b) reverse engineer, decompile or disassemble the software, or otherwise attempt to derive the source code for the software, except as required by third party licensing terms that govern the use of certain open-source components that may be included in the software;
-
- c) remove, minimize, block, or modify any notices of Microsoft or its suppliers in the software;
-
- d) reveal the results of any benchmark tests of the software to any third party without MicrosoftΓÇÖs prior written approval;
-
- e) use the software in any way that is against the law or to create or propagate malware; or
-
- f) share, publish, distribute, or lease the software, provide the software as a stand-alone offering for others to use, or transfer the software or this agreement to any third party.
-
-1. **MICROSOFT 365 COMMERCIAL SUBSCRIPTION.** Use of the software requires a Microsoft 365 commercial subscription. Your access to the services provided through the software must follow the existing terms for Microsoft 365 that apply to you through your subscription or your organization's subscription. You may lose access to the service: i) if your or your organizationΓÇÖs Microsoft 365 subscription expires; or ii) your organization decides to end your license to access the services.
-
-1. **TRANSFER TO ANOTHER DEVICE.** For Apple users, you may uninstall the software and install it on another device for your use. You may not share this license on multiple devices.
-
-1. **EXPORT RESTRICTIONS.** Follow all domestic and international export laws and regulations that apply to the software, which include restrictions on destinations, end users, and end use. For further information on export restrictions, visit [https://aka.ms/exporting](https://aka.ms/exporting).
-
-1. **LEGAL COMPLIANCE.** You represent and authorize that:
- a. You are not located in a country that is subject to a U.S. Government embargo, or that has been designated by the U.S. Government as a ΓÇ£terrorist supportingΓÇ¥ country.
- b. You are not listed on any U.S. Government list of prohibited or restricted parties.
-
-1. **SUPPORT SERVICES.** Microsoft isn't obliged under this agreement to provide any support services for the software. Any support provided is ΓÇ£as isΓÇ¥, ΓÇ£with all faultsΓÇ¥, and without warranty of any kind. You acknowledge that Apple has no obligation at all to furnish any maintenance and support services about the software.
-
-1. **UPDATES.** The software may periodically check for updates, and download and install them for you. You may obtain updates only from Microsoft or authorized sources. Microsoft may need to update your system to provide you with updates. You agree to receive these automatic updates without any extra notice. Updates may not include or support all existing software features, services, or peripheral devices.
-
-1. **BINDING ARBITRATION AND CLASS ACTION WAIVER.** This Section applies if you live in (or, if a business, your principal place of business is in) the United States. If you and Microsoft have a dispute, you and Microsoft agree to try for 60 days to resolve it informally. If you and Microsoft canΓÇÖt, you and Microsoft agree to abide by individual arbitration before the American Arbitration Association under the Federal Arbitration Act (ΓÇ£FAAΓÇ¥), and not to sue in court in front of a judge or jury. Instead, a neutral arbitrator will decide. Class action lawsuits, class-wide arbitrations, private attorney-general actions, and any other proceeding where someone acts in a representative capacity aren't allowed; nor is combining individual proceedings without the consent of all parties. The complete Arbitration Agreement contains more terms and is at [https://aka.ms/arb-agreement-4](https://aka.ms/arb-agreement-4). You and Microsoft agree to these terms.
-
-1. **ENTIRE AGREEMENT.** This agreement, and any other terms Microsoft may provide for supplements, updates, or third-party applications, is the entire agreement for the software.
-
-1. **APPLICABLE LAW AND PLACE TO RESOLVE DISPUTES.** If you acquired the software in the United States or Canada, the laws of the state or province where you live (or, if a business, where your principal place of business is located) govern the interpretation of this agreement, claims for its breach, and all other claims (including consumer protection, unfair competition, and tort claims), whatever conflict of laws principles, except that the FAA governs everything that is related to arbitration. If you acquired the software in any other country, its laws apply, except that the FAA governs everything related to arbitration. If U.S. federal jurisdiction exists, you and Microsoft consent to exclusive jurisdiction and venue in the federal court in King County, Washington for all disputes heard in court (excluding arbitration). If not, you and Microsoft consent to exclusive jurisdiction and venue in the Superior Court of King County, Washington for all disputes heard in court (excluding arbitration).
-
-1. **THIRD PARTY BENEFICIARY (APPLE USERS ONLY).** Apple users agree that Apple and its subsidiaries are third-party beneficiaries of this agreement, and Apple has the right to enforce this agreement.
-
-1. **PRODUCT CLAIMS AND INTELLECTUAL PROPERTY RIGHTS.** Microsoft, not Apple, is responsible for addressing any claims relating to the software or your possession and/or use of the software. If any third-party claim that the software or your possession and use of that software infringes that third partyΓÇÖs intellectual property rights, Microsoft, not Apple, will be solely responsible for the investigation, defense, settlement, and discharge of any such intellectual property infringement claim.
-
-1. **CONSUMER RIGHTS; REGIONAL VARIATIONS.** This agreement describes certain legal rights. You may have other rights, including consumer rights, under the laws of your state, province, or country. Separate and apart from your relationship with Microsoft, you may also have rights to the party from which you acquired the software. This agreement doesn't change those other rights if the laws of your state, province, or country don't permit it to do so. For example, if you acquired the software in one of the below regions, or mandatory country law applies, then the following provisions apply to you:
-
- a) **Australia.** You have statutory guarantees under the Australian Consumer Law and nothing in this agreement is intended to affect those rights.
-
- b) **Canada.** If you acquired this software in Canada, you may stop receiving updates by turning off the automatic update feature, disconnecting your device from the Internet (if you reconnect to the Internet, however, the software will resume checking for and installing updates), or uninstalling the software. The product documentation, if any, may also specify how to turn off updates for your specific device or software.
-
- c) **Germany and Austria.**<br>
- i) **Warranty**. The properly licensed software will perform substantially as described in any Microsoft materials that come with the software. However, Microsoft gives no contractual guarantee about the licensed software.<br>
- ii) **Limitation of Liability.** If there is intentional conduct, gross negligence, claims based on the Product Liability Act, and, if there is death or personal or physical injury, Microsoft is liable according to the statutory law.<br>
- Subject to the previous clause ii., Microsoft will only be liable for slight negligence if Microsoft is in breach of such material contractual obligations, the fulfillment of which helps the due performance of this agreement, the breach of which would endanger the purpose of this agreement and the compliance with which a party may constantly trust in (so-called "cardinal obligations"). In other cases of slight negligence, Microsoft won't be liable for slight negligence.
-1. **DISCLAIMER OF WARRANTY.** THE SOFTWARE IS LICENSED ΓÇ£AS IS.ΓÇ¥ YOU BEAR THE RISK OF USING IT. FOR APPLE USERS, IF DESIRED, YOU MAY NOTIFY APPLE FOR A REFUND OF THE PURCHASE PRICE. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, APPLE WILL HAVE NO OTHER WARRANTY OBLIGATION WHATSOEVER. MICROSOFT GIVES NO EXPRESS WARRANTIES, GUARANTEES, OR CONDITIONS. YOU MAY HAVE ADDITIONAL CONSUMER RIGHTS OR STATUTORY GUARANTEES UNDER YOUR LOCAL LAWS THAT THIS AGREEMENT CANNOT CHANGE. TO THE EXTENT PERMITTED UNDER YOUR LOCAL LAWS, MICROSOFT EXCLUDES ALL IMPLIED WARRANTIES, INCLUDING MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT.
-
-1. LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. IF YOU HAVE ANY BASIS FOR RECOVERING DAMAGES DESPITE THE PRECEDING DISCLAIMER OF WARRANTY, YOU CAN RECOVER FROM MICROSOFT, AND ITS SUPPLIERS ONLY DIRECT DAMAGES UP TO U.S.$5.00, UNLESS YOU ARE AN APPLE USER, IN WHICH CASE, YOU CAN RECOVER FROM APPLE, MICROSOFT, AND MICROSOFTΓÇÖS SUPPLIERS ONLY DIRECT DAMAGES UP TO THE AMOUNT YOU PAID FOR THE SOFTWARE. YOU CANNOT RECOVER ANY OTHER DAMAGES, INCLUDING CONSEQUENTIAL, LOST PROFITS, SPECIAL, INDIRECT, OR INCIDENTAL DAMAGES.
-
-This limitation applies to (a) anything related to the software, services, content (including code) on third-party Internet sites, or third-party applications; and (b) claims for breach of contract, warranty, guarantee, or condition; strict liability, negligence, or other tort; or any other claim; in each case to the extent permitted by applicable law. It also applies even if Microsoft or Apple (for Apple uses) knew or should have known about the possibility of the damages. The above limitation or exclusion may not apply to you because your state, province, or country may not allow the exclusion or limitation of incidental, consequential, or other damages.
-
-1. **CONTACT INFORMATION.** If you have questions, complaints or claims about the software, contact the Microsoft affiliate serving your country (see [https://aka.ms/msoffices](https://aka.ms/msoffices)).
-
-Note that as this software is distributed in Canada, some of the clauses in this agreement are provided below in French.
-Remarque: Ce logiciel étant distribué au Canada, certaines des clauses dans ce contrat sont fournies ci-dessous en français.
-EXONÉRATION DE GARANTIE. Le logiciel visé par une licence est offert « tel quel ». Toute utilisation de ce logiciel est à votre seule risque et péril. Microsoft n’accorde aucune autre garantie expresse. Vous pouvez bénéficier de droits additionnels en vertu du droit local sur la protection des consommateurs, que ce contrat ne peut modifier. La ou elles sont permises par le droit locale, les garanties implicites de qualité marchande, d’adéquation à un usage particulier et d’absence de contrefaçon sont exclues.
-LIMITATION DES DOMMAGES-INTÉRÊTS ET EXCLUSION DE RESPONSABILITÉ POUR LES DOMMAGES. Vous pouvez obtenir de Microsoft et de ses fournisseurs une indemnisation en cas de dommages directs uniquement à hauteur de 5,00 $ US. Vous ne pouvez prétendre à aucune indemnisation pour les autres dommages, y compris les dommages spéciaux, indirects ou accessoires et pertes de bénéfices.
-Cette limitation concerne:
--- tout ce qui est relié au logiciel, aux services ou au contenu (y compris le code) figurant sur des sites Internet tiers ou dans des programmes tiers; et-- les réclamations au titre de violation de contrat ou de garantie, ou au titre de responsabilité stricte, de négligence ou d’une autre faute dans la limite autorisée par la loi en vigueur.-
-Elle s’applique également, même si Microsoft connaissait ou devrait connaître l’éventualité d’un tel dommage. Si votre pays n’autorise pas l’exclusion ou la limitation de responsabilité pour les dommages indirects, accessoires ou de quelque nature que ce soit, il se peut que la limitation ou l’exclusion ci-dessus ne s’appliquera pas à votre égard.
-EFFET JURIDIQUE. Le présent contrat décrit certains droits juridiques. Vous pourriez avoir d’autres droits prévus par les lois de votre pays. Le présent contrat ne modifie pas les droits que vous confèrent les lois de votre pays si celles-ci ne le permettent pas.
security Troubleshoot Performance Issues https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-performance-issues.md
Alternatively, you can also use the command-line tool *wpr.exe*, which is availa
![Fill up details.](images/wpr-12.png) 1. Select **File Name:** to determine where your trace file will be saved. By default, it is saved to `%user%\Documents\WPR Files\`.
- 1. Select **Save**.
+ 1. Select **Save**.
14. Wait while the trace is being merged.
security Troubleshoot Security Config Mgt https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-security-config-mgt.md
ms.technology: mde
-# Troubleshoot onboarding issues related to Security Management for Microsoft Defender for Endpoint
+# Troubleshoot onboarding issues related to Security Management for Microsoft Defender for Endpoint
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
ms.technology: mde
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
-Security Management for Microsoft Defender for Endpoint is a capability for devices that arenΓÇÖt managed by a Microsoft Endpoint Manager, either Microsoft Intune or Microsoft Endpoint Configuration Manager, to receive security configurations for Microsoft Defender for Endpoint directly from Endpoint Manager.
+Security Management for Microsoft Defender for Endpoint is a capability for devices that aren't managed by a Microsoft Endpoint Manager, either Microsoft Intune or Microsoft Endpoint Configuration Manager, to receive security configurations for Microsoft Defender for Endpoint directly from Endpoint Manager.
For more information on Security Management for Microsoft Defender for Endpoint, see [Manage Microsoft Defender for Endpoint on devices with Microsoft Endpoint Manager](/mem/intune/protect/mde-security-integration). For Security Management for Microsoft Defender for Endpoint onboarding instructions, see [Microsoft Defender for Endpoint Security Configuration Management](security-config-management.md)
This end-to-end onboarding is designed to be frictionless and doesn't require us
For more information about the client analyzer, see [Troubleshoot sensor health using Microsoft Defender for Endpoint Client Analyzer](/microsoft-365/security/defender-endpoint/overview-client-analyzer). ## Registering domain joined computers with Azure Active Directory+ To successfully register devices to Azure Active Directory, you'll need to ensure the following: -- Computers can authenticate with the domain controller
+- Computers can authenticate with the domain controller
- Computers have access to the following Microsoft resources from inside your organization's network: - https://enterpriseregistration.windows.net - https://login.microsoftonline.com
To successfully register devices to Azure Active Directory, you'll need to ensur
> Azure AD connect does not sync Windows Server 2012 R2 computer objects. If you need to register them with Azure AD for Security Management for Microsoft Defender for Endpoint, then you'll need to customize Azure AD connect sync rule to include those computer objects in sync scope. See [Instructions for applying Computer Join rule in Azure Active Directory Connect](). > [!NOTE]
-> To successfully complete the onboarding flow, and independent of a device's Operating System, the Azure Active Directory state of a device can change, based on the devices' initial state:<br>
+> To successfully complete the onboarding flow, and independent of a device's Operating System, the Azure Active Directory state of a device can change, based on the devices' initial state:
+>
+> <br>
>
-> | Starting Device State | New Device State |
-> |||
-> | Already AADJ or HAADJ | Remains as is |
-> | Not AADJ or Hybrid Azure Active Directory Join (HAADJ) + Domain joined | Device is HAADJ'd |
-> | Not AADJ or HAADJ + Not domain joined | Device is AADJΓÇÖd |
+>|Starting Device State|New Device State|
+>|||
+>|Already AADJ or HAADJ|Remains as is|
+>|Not AADJ or Hybrid Azure Active Directory Join (HAADJ) + Domain joined|Device is HAADJ'd|
+>|Not AADJ or HAADJ + Not domain joined|Device is AADJ'd|
> > Where AADJ represents Azure Active Directory Joined and HAADJ represents Hybrid Azure Active Directory Joined. ## Troubleshoot errors from the Microsoft Defender for Endpoint portal
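Review bot: In the added note sentence, "based on the devices' initial state" switches to a plural possessive after "a device's Operating System" and "state of a device"; it should read "the device's initial state". The table also uses AADJ and HAADJ in its first row before either is expanded, and the explanation only arrives in the line after the table. Consider moving "Where AADJ represents ... and HAADJ represents ..." above the table while this block is being touched.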
+Through the Microsoft Defender for Endpoint portal, security administrators can now troubleshoot Security Management for Microsoft Defender for Endpoint onboarding.
-Through the Microsoft Defender for Endpoint portal, security administrators can now troubleshoot Security Management for Microsoft Defender for Endpoint onboarding.
--
-In **Endpoints > Device inventory**, the **Managed By** column has been added to filter by management channel (for example, MEM).
-
+In **Endpoints** \> **Device inventory**, the **Managed By** column has been added to filter by management channel (for example, MEM).
:::image type="content" alt-text="Image of device inventory page" source="./images/device-inventory-mde-error.png":::
To see a list of all devices that have failed the Security Management for Micros
In the list, select a specific device to see troubleshooting details in the side panel, pointing to the root cause of the error, and corresponding documentation. - :::image type="content" alt-text="Image of device inventory page filtered" source="./images/secconfig-mde-error.png"::: -
-## Run Microsoft Defender for Endpoint Client Analyzer on Windows
+## Run Microsoft Defender for Endpoint Client Analyzer on Windows
Consider running the Client Analyzer on endpoints that are failing to complete the Security Management for Microsoft Defender for Endpoint onboarding flow. For more information about the client analyzer, see [Troubleshoot sensor health using Microsoft Defender for Endpoint Client Analyzer](overview-client-analyzer.md).
For example, as part of the Security Management onboarding flow, it is required
## General troubleshooting
-If you weren't able to identify the onboarded device in AAD or MEM, and did not receive an error during the enrollment, checking the registry key `Computer\\HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\SenseCM\\EnrollmentStatus` can provide additional troubleshooting information.
+If you weren't able to identify the onboarded device in AAD or MEM, and did not receive an error during the enrollment, checking the registry key `Computer\\HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\SenseCM\\EnrollmentStatus` can provide additional troubleshooting information.
:::image type="content" alt-text="Image of enrollment status." source="images/enrollment-status.png"::: The following table lists errors and directions on what to try/check in order to address the error. Note that the list of errors is not complete and is based on typical/common errors encountered by customers in the past:
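Review bot: The registry path in the replacement line is still inside a code span with Markdown escapes (`\\` and `\_`), and escapes are not processed inside backticks, so readers will see and copy the doubled backslashes and the `\_` sequences literally. Since this line is being rewritten anyway, write the path unescaped as `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SenseCM\EnrollmentStatus`, and consider dropping the `Computer\` prefix, which only works in the Registry Editor address bar and not in `reg query` or PowerShell.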
-| Error Code | Enrollment Status | Administrator Actions |
-|-|||
-| ``5-9``,``11-12``, ``26-33`` |General error |The device was successfully onboarded to Microsoft Defender for Endpoint. However, there was an error in the security configuration management flow. This could be due to the device not meeting [prerequisites for Microsoft Defender for Endpoint management channel](security-config-management.md). Running the [Client Analyzer](https://aka.ms/BetaMDEAnalyzer) on the device can help identify the root cause of the issue. If this doesnΓÇÖt help, please contact support. |
-| ``13-14``,``20``,``24``,``25``|Connectivity issue |The device was successfully onboarded to Microsoft Defender for Endpoint. However, there was an error in the security configuration management flow which could be due to a connectivity issue. Verify that the [Azure Active Directory and Microsoft Endpoint Manager endpoints](security-config-management.md#connectivity-requirements) are opened in your firewall. |
-| ``10``,``42`` |General Hybrid join failure |The device was successfully onboarded to Microsoft Defender for Endpoint. However, there was an error in the security configuration management flow and the OS failed to perform hybrid join. Use [Troubleshoot hybrid Azure Active Directory-joined devices](/azure/active-directory/devices/troubleshoot-hybrid-join-windows-current) for troubleshooting OS-level hybrid join failures. |
-| ``15`` |Tenant mismatch |The device was successfully onboarded to Microsoft Defender for Endpoint. However, there was an error in the security configuration management flow because your Microsoft Defender for Endpoint tenant ID doesn't match your Azure Active Directory tenant ID. Make sure that the Azure Active Directory tenant ID from your Defender for Endpoint tenant matches the tenant ID in the SCP entry of your domain. For more details, [Troubleshoot onboarding issues related to Security Management for Microsoft Defender for Endpoint](troubleshoot-security-config-mgt.md).|
-| ``16``,``17`` |Hybrid error - Service Connection Point|The device was successfully onboarded to Microsoft Defender for Endpoint. However, Service Connection Point (SCP) record is not configured correctly and the device couldn't be joined to Azure AD. This could be due to the SCP being configured to join Enterprise DRS. Make sure the SCP record points to AAD and SCP is configured following best practices. For more information, see [Configure a service connection point](/azure/active-directory/devices/hybrid-azuread-join-manual#configure-a-service-connection-point).    |
-| ``18`` |Certificate error |The device was successfully onboarded to Microsoft Defender for Endpoint. However, there was an error in the security configuration management flow due to a device certificate error. The device certificate belongs to a different tenant. Verify that best practices are followed when creating [trusted certificate profiles](/mem/intune/protect/certificates-trusted-root#create-trusted-certificate-profiles). |
-| ``36`` |LDAP API error |The device was successfully onboarded to Microsoft Defender for Endpoint. However, there was an error in the security configuration management flow. Verify the network topology and ensure the LDAP API is available to complete hybrid join requests.    |
-| ``37`` |On-premise sync issue |The device was successfully onboarded to Microsoft Defender for Endpoint. However, there was an error in the security configuration management flow. Try again later. If that doesn't help, see [Troubleshoot object synchronization with Azure AD Connect sync](/azure/active-directory/hybrid/tshoot-connect-objectsync).|
-| ``38``,``41`` |DNS error |The device was successfully onboarded to Microsoft Defender for Endpoint. However, there was an error in the security configuration management flow due to a DNS error. Check the internet connection and/or DNS settings on the device. The invalid DNS settings might be on the workstation's side. Active Directory requires you to use domain DNS to work properly (and not the router's address). For more information, see [Troubleshoot onboarding issues related to Security Management for Microsoft Defender for Endpoint](troubleshoot-security-config-mgt.md). |
-| ``40`` |Clock sync issue |The device was successfully onboarded to Microsoft Defender for Endpoint. However, there was an error in the security configuration management flow. Verify that the clock is set correctly and is synced on the device where the error occurs. |
+<br>
+
+****
+
+|Error Code|Enrollment Status|Administrator Actions|
+||||
+|`5-9`,`11-12`, `26-33`|General error|The device was successfully onboarded to Microsoft Defender for Endpoint. However, there was an error in the security configuration management flow. This could be due to the device not meeting [prerequisites for Microsoft Defender for Endpoint management channel](security-config-management.md). Running the [Client Analyzer](https://aka.ms/BetaMDEAnalyzer) on the device can help identify the root cause of the issue. If this doesn't help, please contact support.|
+|`13-14`,`20`,`24`,`25`|Connectivity issue|The device was successfully onboarded to Microsoft Defender for Endpoint. However, there was an error in the security configuration management flow which could be due to a connectivity issue. Verify that the [Azure Active Directory and Microsoft Endpoint Manager endpoints](security-config-management.md#connectivity-requirements) are opened in your firewall.|
+|`10`,`42`|General Hybrid join failure|The device was successfully onboarded to Microsoft Defender for Endpoint. However, there was an error in the security configuration management flow and the OS failed to perform hybrid join. Use [Troubleshoot hybrid Azure Active Directory-joined devices](/azure/active-directory/devices/troubleshoot-hybrid-join-windows-current) for troubleshooting OS-level hybrid join failures.|
+|`15`|Tenant mismatch|The device was successfully onboarded to Microsoft Defender for Endpoint. However, there was an error in the security configuration management flow because your Microsoft Defender for Endpoint tenant ID doesn't match your Azure Active Directory tenant ID. Make sure that the Azure Active Directory tenant ID from your Defender for Endpoint tenant matches the tenant ID in the SCP entry of your domain. For more details, [Troubleshoot onboarding issues related to Security Management for Microsoft Defender for Endpoint](troubleshoot-security-config-mgt.md).|
+|`16`,`17`|Hybrid error - Service Connection Point|The device was successfully onboarded to Microsoft Defender for Endpoint. However, Service Connection Point (SCP) record is not configured correctly and the device couldn't be joined to Azure AD. This could be due to the SCP being configured to join Enterprise DRS. Make sure the SCP record points to AAD and SCP is configured following best practices. For more information, see [Configure a service connection point](/azure/active-directory/devices/hybrid-azuread-join-manual#configure-a-service-connection-point).|
+|`18`|Certificate error|The device was successfully onboarded to Microsoft Defender for Endpoint. However, there was an error in the security configuration management flow due to a device certificate error. The device certificate belongs to a different tenant. Verify that best practices are followed when creating [trusted certificate profiles](/mem/intune/protect/certificates-trusted-root#create-trusted-certificate-profiles).|
+|`36`|LDAP API error|The device was successfully onboarded to Microsoft Defender for Endpoint. However, there was an error in the security configuration management flow. Verify the network topology and ensure the LDAP API is available to complete hybrid join requests.|
+|`37`|On-premise sync issue|The device was successfully onboarded to Microsoft Defender for Endpoint. However, there was an error in the security configuration management flow. Try again later. If that doesn't help, see [Troubleshoot object synchronization with Azure AD Connect sync](/azure/active-directory/hybrid/tshoot-connect-objectsync).|
+|`38`,`41`|DNS error|The device was successfully onboarded to Microsoft Defender for Endpoint. However, there was an error in the security configuration management flow due to a DNS error. Check the internet connection and/or DNS settings on the device. The invalid DNS settings might be on the workstation's side. Active Directory requires you to use domain DNS to work properly (and not the router's address). For more information, see [Troubleshoot onboarding issues related to Security Management for Microsoft Defender for Endpoint](troubleshoot-security-config-mgt.md).|
+|`40`|Clock sync issue|The device was successfully onboarded to Microsoft Defender for Endpoint. However, there was an error in the security configuration management flow. Verify that the clock is set correctly and is synced on the device where the error occurs.|
## Azure Active Directory Runtime troubleshooting
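Review bot: The rows for error `15` and for `38`,`41` still end with a link to `troubleshoot-security-config-mgt.md`, which is the article being edited, so "For more details" and "For more information" send the reader back to the top of the same page. Point these at the relevant section anchor or at the SCP and DNS guidance they are meant to reference. Two smaller points in the same hunk: the `****` line added above the table renders as an empty emphasis placeholder and should carry a caption or be dropped, and the `5-9` row links the Client Analyzer through `https://aka.ms/BetaMDEAnalyzer` while the rest of the article links `overview-client-analyzer.md`; one target should be used throughout.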
-### Azure Active Directory Runtime
+### Azure Active Directory Runtime
-The main mechanism to troubleshoot Azure Active Directory Runtime (AADRT) is to collect debug traces. Azure Active Directory Runtime on Windows uses **ETW provider with ID bd67e65c-9cc2-51d8-7399-0bb9899e75c1**. ETW traces need to be captured with the reproduction of the failure (for example if join failure occurs, the traces need to be enabled for the duration of time covering calls to AADRT APIs to perform join).
+The main mechanism to troubleshoot Azure Active Directory Runtime (AADRT) is to collect debug traces. Azure Active Directory Runtime on Windows uses **ETW provider with ID bd67e65c-9cc2-51d8-7399-0bb9899e75c1**. ETW traces need to be captured with the reproduction of the failure (for example if join failure occurs, the traces need to be enabled for the duration of time covering calls to AADRT APIs to perform join).
See below for a typical error in AADRT log and how to read it: ![Image of event properties](images/event-properties.png)
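Review bot: The ETW provider ID in this paragraph is set in bold rather than code formatting, which makes the GUID harder to copy exactly; put `bd67e65c-9cc2-51d8-7399-0bb9899e75c1` in a code span. The paragraph also says traces "need to be captured" for the duration of the failing join but gives no steps or link for starting and stopping a trace session against that provider, so an administrator has the ID and nothing to do with it. Add the capture steps or link to the existing trace collection guidance.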
-From the information in the message, it's possible in most cases to understand what error was encountered, what Win32 API returned the error (if applicable), what URL (if applicable) was used and what AAD Runtime API error was encountered.
-
-
+From the information in the message, it's possible in most cases to understand what error was encountered, what Win32 API returned the error (if applicable), what URL (if applicable) was used and what AAD Runtime API error was encountered.
-## Instructions for applying Computer Join rule in AAD Connect
+## Instructions for applying Computer Join rule in AAD Connect
For Security Management for Microsoft Defender for Endpoint on Windows Server 2012 R2 domain joined computers, an update to Azure AD Connect sync rule "In from AD-Computer Join" is needed. This can be achieved by cloning and modifying the rule, which will disable the original "In from AD - Computer Join" rule. Azure AD Connect by default offers this experience for making changes to built-in rules. > [!NOTE] >These changes need to be applied on the server where AAD Connect is running. If you have multiple instances of AAD Connect deployed, these changes must be applied to all instances.
-1. Open the Synchronization Rules Editor application from the start menu. In the rule list, locate the rule named **In from AD ΓÇô Computer Join**. **Take note of the value in the 'Precedence' column for this rule.**
+1. Open the Synchronization Rules Editor application from the start menu. In the rule list, locate the rule named **In from AD ΓÇô Computer Join**. **Take note of the value in the 'Precedence' column for this rule.**
![Image of synchronization rules editor](images/57ea94e2913562abaf93749d306dd6cf.png)
-2. With the **In from AD ΓÇô Computer Join** rule highlighted, select **Edit**. In the **Edit Reserved Rule Confirmation** dialog box, select **Yes**.
+2. With the **In from AD ΓÇô Computer Join** rule highlighted, select **Edit**. In the **Edit Reserved Rule Confirmation** dialog box, select **Yes**.
![Image of edit reserved rule confirmation](images/8854440d6180a5580efda24110551c68.png)
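Review bot: The rule name in steps 1 and 2 keeps a non-ASCII dash (shown here as `ΓÇô`) even though this change normalizes the curly apostrophes elsewhere in the file, and the introductory paragraph spells the same rule as "In from AD-Computer Join" and "In from AD - Computer Join". An administrator searching the Synchronization Rules Editor list needs one exact name; pick the spelling the editor displays and use it in all three places.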
-3. The **Edit inbound synchronization rule** window will be shown. Update the rule description to note that Windows Server 2012R2 will be synchronized using this rule. Leave all other options unchanged except for the Precedence value. Enter a value for Precedence that is higher than the value from the original rule (as seen in the rule list).
+3. The **Edit inbound synchronization rule** window will be shown. Update the rule description to note that Windows Server 2012R2 will be synchronized using this rule. Leave all other options unchanged except for the Precedence value. Enter a value for Precedence that is higher than the value from the original rule (as seen in the rule list).
![Image of confirmation](images/ee0f29162bc3f2fbe666c22f14614c45.png)
For Security Management for Microsoft Defender for Endpoint on Windows Server 20
![Image of inbound synchornization rule](images/296f2c2a705e41233631c3784373bc23.png)
-5. Scroll to the bottom of the list of transformations. Find the transformation for the **cloudFiltered** attribute. In the textbox in the **Source** column, select all of the text (Control-A) and delete it. The textbox should now be empty.
-
-6. Paste the content for the new rule into the textbox.
+5. Scroll to the bottom of the list of transformations. Find the transformation for the **cloudFiltered** attribute. In the textbox in the **Source** column, select all of the text (Control-A) and delete it. The textbox should now be empty.
+6. Paste the content for the new rule into the textbox.
```command IIF( IsNullOrEmpty([userCertificate])
- ||
+ ||
( (InStr(UCase([operatingSystem]),"WINDOWS") > 0)
- &&
+ &&
(Left([operatingSystemVersion],2) = "6.") && (Left([operatingSystemVersion],3) <> "6.3") ) || (
- (Left([operatingSystemVersion],3) = "6.3")
+ (Left([operatingSystemVersion],3) = "6.3")
&& (InStr(UCase([operatingSystem]),"WINDOWS") > 0) && With( $validCerts, Where(
- $c,
- [userCertificate],
+ $c,
+ [userCertificate],
IsCert($c) && CertNotAfter($c) > Now() && RegexIsMatch(CertSubject($c), "CN=[{]*" & StringFromGuid([objectGUID]) & "[}]*", "IgnoreCase")), Count($validCerts) = 0) ), True, NULL )- ```
-7. Select **Save** to save the new rule.
+7. Select **Save** to save the new rule.
> [!NOTE] > After this rule change is performed, a full synchronization of your Active Directory will be required. For large environments, it is recommended to schedule this rule change and full sync during on-premise Active Directory quiet periods. ## Related topic+ - [Manage Microsoft Defender for Endpoint on devices with Microsoft Endpoint Manager](/mem/intune/protect/mde-security-integration)
security Web Protection Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/web-protection-overview.md
Kusto queries in advanced hunting can be used to summarize web protection blocks
```kusto DeviceEvents
-| where ActionType == "SmartScreenUrlWarning"
-| extend ParsedFields=parse_json(AdditionalFields)
-| project DeviceName, ActionType, Timestamp, RemoteUrl, InitiatingProcessFileName, Experience=tostring(ParsedFields.Experience)
+| where ActionType == "SmartScreenUrlWarning"
+| extend ParsedFields=parse_json(AdditionalFields)
+| project DeviceName, ActionType, Timestamp, RemoteUrl, InitiatingProcessFileName, Experience=tostring(ParsedFields.Experience)
| where Experience == "CustomBlockList" ``` Similarly, you can use the query below to list all WCF blocks originating from Network Protection (for example, a WCF block in a third-party browser). Note that the ActionType has been updated and 'Experience' has been changed to 'ResponseCategory'. ```kusto
-DeviceEvents
+DeviceEvents
| where ActionType == "ExploitGuardNetworkProtectionBlocked" | extend ParsedFields=parse_json(AdditionalFields) | project DeviceName, ActionType, Timestamp, RemoteUrl, InitiatingProcessFileName, ResponseCategory=tostring(ParsedFields.ResponseCategory)
security Exclusions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-identity/exclusions.md
-# Configure Defender for Identity detection exclusions in Microsoft 365 Defender (Preview)
+# Configure Defender for Identity detection exclusions in Microsoft 365 Defender
**Applies to:**
security Advanced Hunting Aadsignineventsbeta Table https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-aadsignineventsbeta-table.md
ms.technology: m365d
> [!IMPORTANT] > The `AADSignInEventsBeta` table is currently in beta and is being offered on a short-term basis to allow you to hunt through Azure Active Directory (AAD) sign-in events. Customers need to have an Azure Active Directory Premium P2 license to collect and view activities for this table. All sign-in schema information will eventually move to the `IdentityLogonEvents` table.
-The `AADSignInEventsBeta` table in the advanced hunting schema contains information about Azure Active Directory interactive and non-interactive sign-ins. Learn more about sign-ins in [Azure Active Directory sign-in activity reports - preview](/azure/active-directory/reports-monitoring/concept-all-sign-ins).
+The `AADSignInEventsBeta` table in the advanced hunting schema contains information about Azure Active Directory interactive and non-interactive sign-ins. Learn more about sign-ins in [Azure Active Directory sign-in activity reports - preview](/azure/active-directory/reports-monitoring/concept-all-sign-ins).
-Use this reference to construct queries that return information from the table. For information on other tables in the advanced hunting schema, see the [advanced hunting reference](/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-reference).
+Use this reference to construct queries that return information from the table. For information on other tables in the advanced hunting schema, see the [advanced hunting reference](/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-reference).
<br>
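Review bot: Both changed paragraphs read identically on the `-` and `+` sides as shown, so this is a whitespace-only edit, and the second paragraph still links to `/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-reference` from an article that lives under `microsoft-365/security/defender`. Since the line is being touched anyway, confirm that this is the intended schema reference for the `AADSignInEventsBeta` table rather than the one in this article's own docset.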
security Advanced Hunting Aadspnsignineventsbeta Table https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-aadspnsignineventsbeta-table.md
The `AADSpnSignInEventsBeta` table in the advanced hunting schema contains infor
Use this reference to construct queries that return information from the table.
-For information on other tables in the advanced hunting schema, see [the advanced hunting reference](/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-reference).
+For information on other tables in the advanced hunting schema, see [the advanced hunting reference](/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-reference).
<br>
security Incidents Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/incidents-overview.md
You manage incidents from **Incidents & alerts > Incidents** on the quick launch
Selecting an incident name displays a summary of the incident and provides access to tabs with additional information. The additional tabs for an incident are:
security Investigate Incidents https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/investigate-incidents.md
You can also open the main page for an incident by selecting the incident name f
The **Summary** page gives you a snapshot glance at the top things to notice about the incident. Information is organized in these sections.
security Whats New https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/whats-new.md
ms.localizationpriority: medium audience: ITPro-+ - M365-security-compliance - m365initiative-m365-defender
ms.technology: m365d
[!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender.md)] > Want to experience Microsoft 365 Defender? You can [evaluate it in a lab environment](m365d-evaluation.md?ocid=cx-docs-MTPtriallab) or [run your pilot project in production](m365d-pilot.md?ocid=cx-evalpilot).
->
The following features are in preview or generally available (GA) in the latest release of Microsoft 365 Defender. RSS feed: Get notified when this page is updated by copying and pasting the following URL into your feed reader:+ ```http https://docs.microsoft.com/api/search/rss?search=%22Lists+the+new+features+and+functionality+in+Microsoft+365+defender%22&locale=en-us ```
For more information on what's new with other Microsoft Defender security produc
- [What's new in Microsoft Cloud App Security](/cloud-app-security/release-notes) ## December 2021-- (GA) The `DeviceTvmSoftwareEvidenceBeta` table was added on a short-term basis in advanced hunting to allow you to view evidence of where a specific software was detected on a device.
-
+
+- (GA) The `DeviceTvmSoftwareEvidenceBeta` table was added on a short-term basis in advanced hunting to allow you to view evidence of where a specific software was detected on a device.
+ ## November 2021 -- (Preview) The application governance add-on feature to Defender for Cloud Apps is now available in Microsoft 365 Defender. App governance provides a security and policy management capability designed for OAuth-enabled apps that access Microsoft 365 data through Microsoft Graph APIs. App governance delivers full visibility, remediation, and governance into how these apps and their users access, use, and share your sensitive data stored in Microsoft 365 through actionable insights and automated policy alerts and actions. [Learn more about application governance](/cloud-app-security/app-governance-manage-app-governance).
+- (Preview) The application governance add-on feature to Defender for Cloud Apps is now available in Microsoft 365 Defender. App governance provides a security and policy management capability designed for OAuth-enabled apps that access Microsoft 365 data through Microsoft Graph APIs. App governance delivers full visibility, remediation, and governance into how these apps and their users access, use, and share your sensitive data stored in Microsoft 365 through actionable insights and automated policy alerts and actions. [Learn more about application governance](/cloud-app-security/app-governance-manage-app-governance).
- (Preview) The [advanced hunting](advanced-hunting-overview.md) page now has multitab support, smart scrolling, streamlined schema tabs, quick edit options for queries, a query resource usage indicator, and other improvements to make querying smoother and easier to fine-tune.-- (Preview) You can now use the [link to incident](advanced-hunting-link-to-incident.md) feature to include events or records from the advanced hunting query results right into a new or existing incident that you are investigating.
+- (Preview) You can now use the [link to incident](advanced-hunting-link-to-incident.md) feature to include events or records from the advanced hunting query results right into a new or existing incident that you are investigating.
+ ## October 2021-- (GA) In advanced hunting, more columns were added in the [CloudAppEvents](advanced-hunting-cloudappevents-table.md) table. You can now include `AccountType`, `IsExternalUser`, `IsImpersonated`, `IPTags`, `IPCategory`, and `UserAgentTags` to your queries. +
+- (GA) In advanced hunting, more columns were added in the [CloudAppEvents](advanced-hunting-cloudappevents-table.md) table. You can now include `AccountType`, `IsExternalUser`, `IsImpersonated`, `IPTags`, `IPCategory`, and `UserAgentTags` to your queries.
## September 2021+ - (GA) Microsoft Defender for Office 365 event data is available in the Microsoft 365 Defender event streaming API. You can see the availability and status of event types in the [Supported Microsoft 365 Defender event types in streaming API](supported-event-types.md). - (GA) Microsoft Defender for Office 365 data available in advanced hunting is now generally available.-- (Preview) Assign incidents and alerts to user accounts <br> You can assign an incident, and all the alerts associated with it, to a user account from **Assign to:** on the **Manage incident** pane of an incident or the **Manage alert** pane of an alert.
+- (Preview) Assign incidents and alerts to user accounts
+ You can assign an incident, and all the alerts associated with it, to a user account from **Assign to:** on the **Manage incident** pane of an incident or the **Manage alert** pane of an alert.
## August 2021+ - (Preview) Microsoft Defender for Office 365 data available in advanced hunting
-<br>New columns in email tables can provide more insight into email-based threats for more thorough investigations using advanced hunting. You can now include the `AuthenticationDetails` column in [EmailEvents](./advanced-hunting-emailevents-table.md), `FileSize` in [EmailAttachmentInfo](./advanced-hunting-emailattachmentinfo-table.md), and `ThreatTypes` and `DetectionMethods` in [EmailPostDeliveryEvents](./advanced-hunting-emailpostdeliveryevents-table.md) tables.
-- (Preview) Incident graph <br> A new **Graph** tab on the **Summary** tab of an incident shows the full scope of the attack, how the attack spread through your network over time, where it started, and how far the attacker went.
+ New columns in email tables can provide more insight into email-based threats for more thorough investigations using advanced hunting. You can now include the `AuthenticationDetails` column in [EmailEvents](./advanced-hunting-emailevents-table.md), `FileSize` in [EmailAttachmentInfo](./advanced-hunting-emailattachmentinfo-table.md), and `ThreatTypes` and `DetectionMethods` in [EmailPostDeliveryEvents](./advanced-hunting-emailpostdeliveryevents-table.md) tables.
+
+- (Preview) Incident graph
+
+ A new **Graph** tab on the **Summary** tab of an incident shows the full scope of the attack, how the attack spread through your network over time, where it started, and how far the attacker went.
## July 2021-- [Professional services catalog](https://sip.security.microsoft.com/interoperability/professional_services)<br>Enhance the detection, investigation, and threat intelligence capabilities of the platform with supported partner connections.+
+- [Professional services catalog](https://sip.security.microsoft.com/interoperability/professional_services)
+
+ Enhance the detection, investigation, and threat intelligence capabilities of the platform with supported partner connections.
## June 2021-- (Preview) [View reports per threat tags](threat-analytics.md#view-reports-per-threat-tags)<br> Threat tags help you focus on specific threat categories and review the most relevant reports.-- (Preview) [Streaming API](../defender-endpoint/raw-data-export.md)<br> Microsoft 365 Defender supports streaming all the events available through Advanced Hunting to an Event Hubs and/or Azure storage account.-- (Preview) [Take action in advanced hunting](advanced-hunting-take-action.md)<br> Quickly contain threats or address compromised assets that you find in [advanced hunting](advanced-hunting-overview.md).-- (Preview) [In-portal schema reference](advanced-hunting-schema-tables.md#get-schema-information-in-the-security-center)<br> Get information about advanced hunting schema tables directly in the security center. In addition to table and column descriptions, this reference includes supported event types (`ActionType` values) and sample queries.-- (Preview) [DeviceFromIP() function](advanced-hunting-devicefromip-function.md)<br> Get information about which devices have been assigned a specific IP address or addresses at a given time range.
-
+
+- (Preview) [View reports per threat tags](threat-analytics.md#view-reports-per-threat-tags)
+
+ Threat tags help you focus on specific threat categories and review the most relevant reports.
+
+- (Preview) [Streaming API](../defender-endpoint/raw-data-export.md)
+
+ Microsoft 365 Defender supports streaming all the events available through Advanced Hunting to an Event Hubs and/or Azure storage account.
+
+- (Preview) [Take action in advanced hunting](advanced-hunting-take-action.md)
+
+ Quickly contain threats or address compromised assets that you find in [advanced hunting](advanced-hunting-overview.md).
+
+- (Preview) [In-portal schema reference](advanced-hunting-schema-tables.md#get-schema-information-in-the-security-center)
+
+ Get information about advanced hunting schema tables directly in the security center. In addition to table and column descriptions, this reference includes supported event types (`ActionType` values) and sample queries.
+
+- (Preview) [DeviceFromIP() function](advanced-hunting-devicefromip-function.md)
+
+ Get information about which devices have been assigned a specific IP address or addresses at a given time range.
## May 2021 -- [New alert page in the Microsoft 365 Defender portal](https://techcommunity.microsoft.com/t5/microsoft-365-defender/easily-find-anomalies-in-incidents-and-alerts/ba-p/2339243) <br> Provides enhanced information for the context into an attack. You can see which other triggered alert caused the current alert and all the affected entities and activities involved in the attack, including files, users and mailboxes. See [Investigate alerts](/microsoft-365/security/defender/investigate-alerts) for more information.-- [Trend graph for incidents and alerts in the Microsoft 365 Defender portal](https://techcommunity.microsoft.com/t5/microsoft-365-defender/new-alert-page-for-microsoft-365-defender-incident-detections/ba-p/2350425) <br> Determine if there are several alerts for a single incident or that your organization is under attack with several different incidents. See [Prioritize incidents](/microsoft-365/security/defender/incident-queue) for more information.
+- [New alert page in the Microsoft 365 Defender portal](https://techcommunity.microsoft.com/t5/microsoft-365-defender/easily-find-anomalies-in-incidents-and-alerts/ba-p/2339243)
+
+ Provides enhanced information for the context into an attack. You can see which other triggered alert caused the current alert and all the affected entities and activities involved in the attack, including files, users and mailboxes. See [Investigate alerts](/microsoft-365/security/defender/investigate-alerts) for more information.
+- [Trend graph for incidents and alerts in the Microsoft 365 Defender portal](https://techcommunity.microsoft.com/t5/microsoft-365-defender/new-alert-page-for-microsoft-365-defender-incident-detections/ba-p/2350425)
+
+ Determine if there are several alerts for a single incident or that your organization is under attack with several different incidents. See [Prioritize incidents](/microsoft-365/security/defender/incident-queue) for more information.
## April 2021-- Microsoft 365 Defender<br> The improved [Microsoft 365 Defender](https://security.microsoft.com) portal is now available. This new experience brings together Defender for Endpoint, Defender for Office 365, Defender for Identity, and more into a single portal. This is the new home to manage your security controls. [Learn what's new](./microsoft-365-defender.md#the-microsoft-365-defender-portal). -- [Microsoft 365 Defender threat analytics report](threat-analytics.md)<br>
- Threat analytics helps you respond to and minimize the impact of active attacks. You can also learn about attack attempts blocked by Microsoft 365 Defender solutions and take preventive actions that mitigate the risk of further exposure and increase resiliency. As part of the unified security experience, threat analytics is now available for Microsoft Defender for Endpoint and Microsoft Defender for Office E5 license holders.
+- Microsoft 365 Defender
+
+ The improved [Microsoft 365 Defender](https://security.microsoft.com) portal is now available. This new experience brings together Defender for Endpoint, Defender for Office 365, Defender for Identity, and more into a single portal. This is the new home to manage your security controls. [Learn what's new](./microsoft-365-defender.md#the-microsoft-365-defender-portal).
+
+- [Microsoft 365 Defender threat analytics report](threat-analytics.md)
+
+ Threat analytics helps you respond to and minimize the impact of active attacks. You can also learn about attack attempts blocked by Microsoft 365 Defender solutions and take preventive actions that mitigate the risk of further exposure and increase resiliency. As part of the unified security experience, threat analytics is now available for Microsoft Defender for Endpoint and Microsoft Defender for Office E5 license holders.
## March 2021-- [CloudAppEvents table](advanced-hunting-cloudappevents-table.md) <br>Find information about events in various cloud apps and services covered by Microsoft Cloud App Security. This table also includes information previously available in the `AppFileEvents` table.+
+- [CloudAppEvents table](advanced-hunting-cloudappevents-table.md)
+
+ Find information about events in various cloud apps and services covered by Microsoft Cloud App Security. This table also includes information previously available in the `AppFileEvents` table.
+ ## February 2021+ - (Preview) The enhanced [Microsoft 365 Defender portal (https://security.microsoft.com)](https://security.microsoft.com) is now available in public preview. This new experience brings Defender for Endpoint and Defender for Office 365 to the center. [Learn more about what's changed](microsoft-365-defender.md#the-microsoft-365-defender-portal).-- **[(Preview) Microsoft 365 Defender APIs](api-overview.md)** - The top-level Microsoft 365 Defender APIs will enable you to automate workflows based on the shared incident and advanced hunting tables. +
+- **[(Preview) Microsoft 365 Defender APIs](api-overview.md)** - The top-level Microsoft 365 Defender APIs will enable you to automate workflows based on the shared incident and advanced hunting tables.
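Review bot: In the May 2021 section the two link targets look swapped, and the reformatting carries that over unchanged: "New alert page in the Microsoft 365 Defender portal" points at the `easily-find-anomalies-in-incidents-and-alerts` post, while "Trend graph for incidents and alerts" points at the `new-alert-page-for-microsoft-365-defender-incident-detections` post. Swap the URLs so each title lands on its own announcement. In the same section the second bullet follows the first item's description with no blank `+` line between them, unlike the June and April sections, so add one for consistent list rendering.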
security Migrate To Defender For Office 365 Setup https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/migrate-to-defender-for-office-365-setup.md
The SCL=-1 mail flow rule is important during the migration for the following re
Before or during the cutover of your MX record to Microsoft 365, you'll disable this rule to turn on the full protection of the Microsoft 365 protection stack for all recipients in your organization.
-For more information, see [Use mail flow rules to set the spam confidence level (SCL) in messages in Exchange Online](https://docs.microsoft.comexchange/security-and-compliance/mail-flow-rules/use-rules-to-set-scl).
+For more information, see [Use mail flow rules to set the spam confidence level (SCL) in messages in Exchange Online](/exchange/security-and-compliance/mail-flow-rules/use-rules-to-set-scl).
**Notes**:
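Review bot: The removed line's host was malformed (`docs.microsoft.comexchange`, missing the slash after the domain), and the `+` line fixes it by switching to the site-relative `/exchange/...` path. That kind of paste error tends to repeat, so search the rest of this article for `docs.microsoft.com` followed directly by a letter and convert any other absolute docs links to the same relative form.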