+3. On the **Choose a group type** page, select **Microsoft 365**, and select **Next**.

+5. On the **Owners** page, choose the name of one or more people who will be designated to manage the group. Anyone who is a group owner will be able to delete email from the Group inbox. Other members won't be able to delete email from the Group inbox. Select **Next**.

+6. On the **Members** page, choose the name of one or more people who will be designated as members of the group. Select **Next**.

+7. On the **Settings** page, type a unique email address for the group, choose a privacy option and whether you want to add Microsoft Teams, and then select **Next**.

+8. After reviewing your settings and making any changes, select **Create group**.

+9. Select **Close**.

+[Upgrade distribution lists to Microsoft 365 groups](../manage/upgrade-distribution-lists.md) (article)

+description: "Learn how to verify your email and domain ownership to take over an unmanaged account created by a self-service user signup in Microsoft 365."

+ **[Check the Domains FAQ](../setup/domains-faq.yml)** if you don't find what you're looking for.

+If you're an admin and want to take over an unmanaged account created by a self-service user signup, you can perform an internal admin takeover by following the steps in this article.

+> A self-service sign up for any cloud service that uses Azure AD adds the user to an unmanaged or "shadow" Azure AD directory and creates an unmanaged account. An unmanaged account is a directory without a global administrator. To determine whether an account is managed or unmanaged, see [Determining Tenant Type](/power-platform/admin/powerapps-gdpr-dsr-guide-systemlogs#determining-tenant-type).

+## Before you begin

+When a user signs up for Microsoft 365 services using an email address, an account is automatically created for them. If an admin wants to manage the users on the account or purchase additional Microsoft 365 services, they must become an admin on the account by following these steps to perform an admin takeover.

+> If self-service is enabled in your account, users can subscribe to free services such as Power BI, on their own. These services are specifically for use in cases where a self-service user subscription has created the unmanaged account you want to take over as admin. In Step 1 you create a user account for the domain you want to remove by using Power BI to launch the admin takeover wizard so you can become the admin for the unmanaged domain account.

+## Step 2: Create a new account for admin access

+1. When you enter the verification code, you'll be brought to a page where you can create a new account.

+2. Fill in the user name and password fields with the account that you want to use, and then complete the steps to create the account.

+1. After you complete Step 2, select the admin center icon in the left navigation pane (alternatively, go to a browser and type in `https://admin.microsoft.com`).

+ You're redirected to the admin takeover wizard.

+1. Select **Next** and verify that you own the domain you want to take over by adding a TXT record to your domain registrar.

+ The wizard will give you the TXT record to add, as well as provide a link to your registrar's website, and a link to step-by-step instructions.

+1. On the **You're now the admin** page, select **Go to the admin center**.

+ You have the admin privileges required to manage the account in the admin center. For example, you can manage account users and groups, purchase new subscriptions and make user assignments, and manage the account domains.

+ If you want to remove your domain from this account so you can add it to another account, see [Remove a domain from another account](remove-a-domain-from-another-account.md).

+ Title: "Move a domain verified in an unmanaged account"

+f1.keywords:

+- CSH

+audience: Admin

+ms.localizationpriority: medium

+- M365-subscription-management

+- Adm_O365

+- Adm_NonTOC

+- AdminSurgePortfolio

+- AdminTemplateSet

+search.appverid:

+- BCS160

+- MET150

+- MOE150

+ms.assetid: b9707ec8-2247-4e25-9bad-f11ddbc686e4

+description: "Learn how to join an unmanaged account to remove the domain from the account and add the domain to your account."

+# Move a domain verified in an unmanaged account

+ **[Check the Domains FAQ](../setup/domains-faq.yml)** if you don't find what you're looking for.

+If you're an admin and you've tried to add a domain to your Microsoft 365 account, but you're blocked because the domain is verified for an unmanaged account, you can become the admin on the unmanaged account to remove the domain and add it to your account.

+> [!NOTE]

+> A self-service sign up for any cloud service that uses Azure AD adds the user to an unmanaged or "shadow" Azure AD directory and creates an unmanaged account. An unmanaged account is a directory without a global administrator. To determine whether an account is managed or unmanaged, see [Determining Tenant Type](/power-platform/admin/powerapps-gdpr-dsr-guide-systemlogs#determining-tenant-type).

+

+## Before you begin

+Sometimes you can't add a domain to your organization account because someone else has already signed up for Microsoft 365 using an email address associated with that domain name. But you can remove the domain from the other, unmanaged account and add it to your organization account.

+First, you'll need to join the unmanaged account and become an admin for that account (Steps 1 - 3). Then you can remove the domain from the account (Step 4), sign back into your organization account, and add the domain to your account (Step 5).

+## Step 1: Get an invitation to join the unmanaged account

+After you try to add a domain to your account, you might receive a message that someone has already signed up for Microsoft 365 using the email address. Step 1 is to request an invitation to join the other account and begin the process of performing an admin takeover.

+1. Go to the Microsoft 365 admin center > **Settings** > **Domains** > **+ Add domain**, and add the domain name.

+1. If you see a message that you can't add the domain because other people have already signed up using an email address for the domain, enter your account username, and then select **Send me the invitation**.

+1. Sign out of your current account, so you can sign into the unmanaged account.

+ Check your email for an invitation to help you join the unmanaged account, and select the link provided in the email.

+ Enter the **verification code** from the email to validate your email address.

+## Step 2: Complete signup with email instructions

+1. When you enter the verification code, you'll be brought to a page where you can create a new account.

+2. Fill in the username and password fields with the account that you want to use, and then complete the steps to create the account.

+## Step 3: Verify domain ownership and become the admin

+1. After you complete Step 2, select the admin center icon in the left navigation pane (alternatively, go to a browser and type in `https://admin.microsoft.com`).

+ You're redirected to the admin takeover wizard.

+1. Select **Next** and verify that you own the domain you want to take over by adding a TXT record to your domain registrar.

+ The wizard will give you the TXT record to add, as well as provide a link to your registrar's website, and a link to step-by-step instructions.

+1. On the **You're now the admin** page, select **Go to the admin center**.

+ You now have the admin privileges required to remove the domain from the formerly unmanaged account.

+## Step 4: Remove a domain from the unmanaged account

+1. Go to **Users** > **Active users** for the account you joined in Step 2, and then select the Display name for the username you're logged in with.

+1. Under **Username**, select **Manage username**, and move the user to the onmicrosoft domain by choosing the onmicrosoft.com domain from the dropdown list.

+1. Sign out of the account and sign back in using the new `username@account.onmicrosoft.com`.

+1. Select **Settings** > **Domains**, locate the domain you want to add to the other account and select **Remove domain**.

+ If you're asked to select another domain as the default, choose the onmicrosoft.com domain.

+ If other users are using the domain, you must remove them. Choose from the options to **Automatically remove**, manually move the users to your domain, or remove the users completely.

+ > [!NOTE]

+ > Check back as it can take some time for the domain to be removed from the account. Removal is complete when the domain disappears from the account.

+1. Sign out of the account.

+## Step 5: Add the domain to your account

+1. Log in to the account where you want to add the domain.

+1. Select **Settings** > **Domains** > **+ Add domain**, and then enter the domain name to continue with wizard steps to verify domain ownership in this account and complete adding the domain to your account.

+

+## Related content

+[Perform an internal admin takeover](become-the-admin.md) (article)

+ Title: "Remove a domain from another account"

+f1.keywords:

+- CSH

+audience: Admin

+ms.localizationpriority: medium

+- M365-subscription-management

+- Adm_O365

+- Adm_NonTOC

+- AdminSurgePortfolio

+- AdminTemplateSet

+search.appverid:

+- BCS160

+- MET150

+- MOE150

+ms.assetid: b9707ec8-2247-4e25-9bad-f11ddbc686e4

+description: "Learn how to join an unmanaged account created by a self-service user signup in Microsoft 365."

+# Perform an internal admin takeover

+ **[Check the Domains FAQ](../setup/domains-faq.yml)** if you don't find what you're looking for.

+If you are an admin and want to take over an unmanaged account created by a self-service user signup, you can do this by performing an internal admin takeover.

+> [!NOTE]

+> A self-service sign up for any cloud service that uses Azure AD adds the user to an unmanaged or "shadow" Azure AD directory and creates an unmanaged account. An unmanaged account is a directory without a global administrator. To determine whether an account is managed or unmanaged, see [Determining Tenant Type](/power-platform/admin/powerapps-gdpr-dsr-guide-systemlogs#determining-tenant-type).

+

+## Before you begin

+Sometimes you can't add a domain to your organization account because someone else has already signed up for Microsoft 365 using an email address associated with that domain name. But you can remove the domain from the other, unmanaged account and add it to your organization managed account.

+Before you can remove the domain from the other account and add it to your account though, you must join the unmanaged account and become an admin for that account. Then, you'll remove the domain from the unmanaged account, sign back into your account, and add the domain to your managed account.

+The steps in this article outline only how to join the other account (Steps 1 and 2) and follow the steps in the admin takeover wizard to become the admin on the unmanaged account (Step 3).

+After you've become an admin for the unmanaged account, you can remove the domain from the unmanaged account and add it to your account.

+## Step 1: Verify your email address

+> [!NOTE]

+> If self-service is enabled in your account, users can subscribe to free services such as Power BI, on their own. These services are specifically for use in cases where a self-service user subscription has created the unmanaged account you want to take over as admin. In Step 1 you create a user account for the domain you want to remove by using Power BI to launch the admin takeover wizard so you can become the admin for the unmanaged domain account.

+1. To sign up for Power BI, go to the [Power BI site](https://powerbi.com) and select **Start Free** > **Start free trial** (in Share with Power BI Pro box).

+2. Sign up with a user account that uses the domain name of your organization (like `powerbiadmin@contoso.com`). If your account is already in use, sign in using your current password.

+3. Check your email for the **verification code** and enter the code to validate your email address.

+## Step 2: Create a new account for admin access

+1. When you enter the verification code, you'll be brought to a page where you can create a new account.

+2. Fill in the user name and password fields with the account that you want to use, then select **Start**.

+## Step 3: Verify domain ownership and become the admin

+1. After you complete Step 2, select the admin center icon in the left navigation pane (alternatively, go to a browser and type in `https://admin.microsoft.com`).

+ You're redirected to the admin takeover wizard.

+1. Select **Next** and verify that you own the domain you want to take over by adding a TXT record to your domain registrar.

+ The wizard will give you the TXT record to add, as well as provide a link to your registrar's website, and a link to step-by-step instructions.

+1. On the **You're now the admin** page, select **Go to the admin center**.

+ You now have the admin privileges required to remove the domain from the other account.

+## Related content

+YouTube: [3 steps to do an IT Admin Takeover for Power BI and Microsoft 365](https://www.youtube.com/watch?v=xt5EsrQBZZk) (video)\

+[Admin takeover in Azure AD](/azure/active-directory/users-groups-roles/domains-admin-takeover) (article)\

+[Using self-service sign up in your organization](self-service-sign-up.md) (article)\

+[Understanding the Power BI service administrator role](/power-bi/service-admin-role) (article)

+In addition to the online documentation, you might find it useful to download a [deck with FAQs](https://aka.ms/MIPC/Blog-RecordsManagementWebinar) from a records management webinar. The recording of the actual webinar is no longer available.

+> If your Office apps don't support this capability, they apply the markings as the original text specified in the label configuration, rather than resolving the variables.

+ Title: Create documents using content assembly in Microsoft SharePoint Syntex

+audience: admin

+search.appverid:

+ - enabler-strategic

+ - m365initiative-syntex

+ms.localizationpriority: medium

+description: Learn how to automatically create documents and other content using content assembly in Microsoft SharePoint Syntex.

+# Create documents using content assembly in Microsoft SharePoint Syntex

+You can use SharePoint Syntex to help you automatically generate standard repetitive business documents, such as contracts, statements of work, service agreements, letters of consent, sales pitches, and correspondence. You can do all this quicker, more consistentently, and less prone to errors by using content assembly in SharePoint Syntex.

+With content assembly, you can use an existing document to create a *modern template*, and then use that template to automatically generate new content using SharePoint lists or user inputs as a data source.

+> [!NOTE]

+> You must be a licensed SharePoint Syntex user to access and use content assembly capabilities. You also must have permissions to manage SharePoint lists.

+## Create a modern template

+Follow these steps to create a modern template.

+1. From a Sharepoint document library, select **New** > **Create modern template**.

+

+ 

+2. Choose an existing Word document that you want to use as a basis for creating a modern template, and then select **Open**.

+

+ 

+ > [!NOTE]

+ > Currently, you can upload only Word documents (.docx extension) to create templates. Upload Word documents from your local storage or desktop.

+3. After you upload the document, the document is displayed in the template studio where you can convert the document to a template.

+

+ 

+4. At the upper-left corner of the template studio, select the name for the template. The default name is the name of the document used to create the template. If you want to rename the template, select the default name or the pencil icon next to the name, type the new name, and then select **Enter**.

+

+ 

+5. Create placeholders for all dynamic text in the document that users might want to change from one document to another. For example, you might want to create a placeholder for input such as company name, client name, address, phone number, or date.

+ To create a placeholder, select the text (such as the date). The **All placeholders** panel will open, where you'll give the placeholder a relevant name and choose the type of input you want to associate with the placeholder.

+

+ 

+ Currently, there are two ways for users to fill in a placeholder:

+ - [Enter text or select a date](#associate-a-placeholder-by-entering-text-or-selecting-a-date)

+ - [Select from choices in a column of a list or library](#associate-a-placeholder-by-selecting-from-choices-in-a-column-of-a-list-or-library)

+### Associate a placeholder by entering text or selecting a date

+On the **All placeholders** panel:

+1. In the **Name** field, enter a relevant name for the placeholder.

+ 

+2. In the **How authors fill in this placeholder** section, select **Enter text or select a date**.

+3. In the **Type of info** field, select the data type you want to associate with the placeholder. Currently, there are six options available: **Single line of text**, **Multiple lines of text**, **Number**, **Date and time**, **Email**, and **Hyperlink**.

+4. Select **Add**.

+### Associate a placeholder by selecting from choices in a column of a list or library

+On the **All placeholders** panel:

+1. In the **Name** field, enter a relevant name for the placeholder.

+ 

+2. In the **How authors fill in this placeholder** section, choose **Select from choices in a column of a list or library**, and then choose **Select**.

+3. On the **Select a list for adding a source column** page, select the list you want to use, and then select **Next**.

+ 

+4. On the **Select a source column from the existing list** page, select the column name you want to associate with the placeholder, and then select **Save**.

+ 

+ If you want to see the original page of lists again, select **Go to (list name)** link at the bottom of the list.

+5. When you're done, you'll see that the list field has been associated with the placeholder.

+ 

+6. If you want users to be able to add inputs manually, in addition to choosing from a list, select **Allow authors to add new choices**. In this case, the default for the manual input data type is *Single line of text*. Also the values input by the authors will only be used to generate the document. They won't be added to the SharePoint list.

+

+You can create as many placeholders as you think are necessary. When you're done, you can choose to save the template as a draft or publish the template.

+ - **Save draft** ΓÇô Saves the template as a draft and you can access it later. You can view, edit, or publish saved drafts from the **Modern templates** section by selecting **New** > **Edit New menu** from the document library.

+ - **Publish** ΓÇô Publishes the template to be used by other users in the organization to create documents. You can view, edit, or unpublish *published* templates from the **Modern templates** section by selecting **New** > **Edit New menu** from the document library.

+## Edit a modern template

+If you need to edit an existing template or to delete or unpublish a template, follow these steps.

+1. From a Sharepoint document library, select **New** > **Edit New menu**.

+

+ 

+2. On the **Edit New menu** panel, in the **Modern templates** section, select the published or draft template you want to edit.

+

+ 

+3. To edit a published template or a draft template:

+ - For **Published templates**, select **Edit** to open the template studio where you can edit the published template. You can also choose to delete or unpublish the template.

+

+ 

+ - For **Draft templates**, select **Edit** to open the template studio where you can edit the draft template. You can also choose to delete or publish the template.

+

+ 

+## Create a document from a modern template

+You can use a *published* modern template to quickly create similar documents without having to start from scratch. To create a document using a published template, follow these steps:

+1. From a Sharepoint document library, select **New**, and then select the modern template you want to use.

+

+ 

+2. The template opens in the template studio.

+3. On the **Create a document from a template** panel, enter the information, and then select **Create document**.

+ 

+ To help reduce time and effort involved in filling values for placeholders, SharePoint Syntex provides:

+ - Suggestions to help you easily pick values when selecting values from a list.

+ - Autofill placeholder values if able to uniquely identify a record for placeholders associated with the same list.

+> [!NOTE]

+> - Currently, only Microsoft Word documents (.docx extension) are supported for creating a template. Before uploading the document, ensure that the Word document doesn't have **Track changes** enabled or comments. If your document contains text placeholders for images, ensure that they are not text-wrapped.

+>- The template and the document are associated with one document library. To use the template in another document library, you will need to create the template again in that document library.

+>- You can create placeholders only for text. Currently, images, smart art, tables, and bullet lists are not supported.

+>- Once a document is created from a template, it is not associated with the template.

+

+- All remediation actions, whether pending or completed, are tracked in the Action Center ([https://security.microsoft.com](https://security.microsoft.com)).

+You can also offboard non-Windows devices by disabling the third-party integration. Enable coverage for devices running non-Windows platforms by [integrating third-party solutions](https://security.microsoft.com/interoperability/partners).

+ > [!NOTE]

+ > On Windows Server 2012R2, Microsoft Defender Antivirus will get installed by the installation package and will be active unless you set it to passive mode. On Windows Server 2016, Microsoft Defender Antivirus must be installed as a feature (see [Switch to MDE](/microsoft-365/security/defender-endpoint/switch-to-mde-phase-2#re-enable-microsoft-defender-antivirus-on-windows-server-2016)) first and fully updated before proceeding with the installation.

+ >

+ > If you are running a non-Microsoft antimalware solution ensure you add exclusions for Microsoft Defender Antivirus ([from this list of Microsoft Defender Processes on the Defender Processes tab](https://download.microsoft.com/download/8/e-urls.xlsx)) to the non-Microsoft solution before installation. It is also recommended to add non-Microsoft security solutions to the Defender Antivirus exclusion list.

+5. Install the installation package using any of the options to install Microsoft Defender Antivirus. The installation requires administrative permissions.

+> - The Onboarding package for Windows Server 2019 and Windows Server 2022 through Microsoft Endpoint Manager currently ships a script. For more information on how to deploy scripts in Configuration Manager, see [Packages and programs in Configuration Manager](/configmgr/apps/deploy-use/packages-and-programs).

+> - A local script is suitable for a proof of concept but should not be used for production deployment. For a production deployment, we recommend using Group Policy, or Microsoft Endpoint Configuration Manager.

+- Windows 7 (ESU required)

+- Windows 8.1

+ enablerepo: packages-microsoft-[channel]

+1. Choose a [deployment channel](/mem/intune/fundamentals/whats-new#new-deployment-channel-setting-for-custom-device-configuration-profiles-on-macos-devices).

+### Supported output types

+Supports table and JSON format output types. For each command, there's a default output behavior. You can modify the output in your preferred output format using the following commands:

+`-output json`

+`-output table`

+ <integer>50</integer>

+3. Your scheduled scan will run at the date, time, and frequency you defined in your p-list. In the previous examples, the scan runs at 2:50 AM every Friday.

+ - The `Weekday` value of `StartCalendarInterval` uses an integer to indicate the fifth day of the week, or Friday. The range is between 0 and 7 with 7 representing Sunday.

+ - The `Day` value of `StartCalendarInterval` uses an integer to indicate the third day of the month. The range is between 1 and 31.

+ - The `Hour` value of `StartCalendarInterval` uses an integer to indicate the second hour of the day. The range is between 0 and 24.

+ The `Minute` value of `StartCalendarInterval` uses an integer to indicate fifty minutes of the hour. The range is between 0 and 59.

+

+

+|:|:|:|

+|Windows 10 <br/> Windows 11|Microsoft Defender Antivirus|Active mode|

+|Windows 10 <br/> Windows 11|A non-Microsoft antivirus/antimalware solution|Disabled mode (happens automatically)|

+|Windows Server 2022 <br/> Windows Server 2019<br/> Windows Server, version 1803, or newer <br/> Windows Server 2016 |Microsoft Defender Antivirus|Active mode|

+|Windows Server 2022<br/>Windows Server 2019<br/>Windows Server, version 1803, or newer <br/> Windows Server 2016 |A non-Microsoft antivirus/antimalware solution|Disabled (set manually) ^[[1](#fn1)]|

+The following table summarizes what happens with Microsoft Defender Antivirus when non-Microsoft antivirus/antimalware solutions are used together or without Microsoft Defender for Endpoint. <br/><br/>

+|:|:|:-|:-|

+| Windows 10 <br/> Windows 11| Microsoft Defender Antivirus | Yes | Active mode |

+| Windows 10 <br/> Windows 11 | Microsoft Defender Antivirus | No | Active mode |

+| Windows 10 <br/> Windows 11 | A non-Microsoft antivirus/antimalware solution | Yes | Passive mode (automatically) |

+| Windows 10 <br/> Windows 11 | A non-Microsoft antivirus/antimalware solution | No | Disabled mode (automatically) |

+| Windows Server 2022 <br/> Windows Server 2019 <br/>Windows Server, version 1803 or newer | Microsoft Defender Antivirus | Yes | Active mode |

+| Windows Server 2022 <br/> Windows Server 2019 <br/> Windows Server, version 1803 or newer | Microsoft Defender Antivirus | No | Active mode |

+| Windows Server 2022 <br/> Windows Server 2019 <p> Windows Server, version 1803 or newer | A non-Microsoft antivirus/antimalware solution | Yes | Microsoft Defender Antivirus must be set to passive mode (manually) <sup>[[2](#fn2)]<sup> |

+| Windows Server 2022 <br/> Windows Server 2019 <p> Windows Server, version 1803 or newer | A non-Microsoft antivirus/antimalware solution | No | Microsoft Defender Antivirus must be disabled (manually) <sup>[[3](#fn3)] |

+| Windows Server 2016 <br/> Windows Server 2012 R2 | Microsoft Defender Antivirus | Yes | Active mode |

+|Windows Server 2016 <br/> Windows Server 2012 R2 | Microsoft Defender Antivirus | No | Active mode |

+| Windows Server 2016 <br/> Windows Server 2012 R2 | A non-Microsoft antivirus/antimalware solution | Yes | Microsoft Defender Antivirus must be set to passive mode (manually) <sup>[[2](#fn2)]<sup> |

+|Windows Server 2016 <br/> Windows Server 2012 R2 | A non-Microsoft antivirus/antimalware solution | No | Microsoft Defender Antivirus must be disabled (manually) <sup>[[3](#fn3)]<sup> |

+ |:|:|:|:|:|

+ |:|:|

+ | Windows PowerShell <br/> (To confirm that Microsoft Defender Antivirus is running) | 1. On a Windows device, open Windows PowerShell. <br/>2. Run the following PowerShell cmdlet: `Get-Process`.<br/>3. Review the results. You should see **MsMpEng.exe** if Microsoft Defender Antivirus is enabled. |

+ | Windows PowerShell <br/>(To confirm that antivirus protection is in place) | You can use the [Get-MpComputerStatus PowerShell cmdlet](/powershell/module/defender/get-mpcomputerstatus).<br/>1. On a Windows device, open Windows PowerShell.<br/>2. Run following PowerShell cmdlet:<br/> Get-MpComputerStatus \| select AMRunningMode <br/>3. Review the results. You should see either **Normal** or **Passive** if Microsoft Defender Antivirus is enabled on the endpoint. |

+ |:|:|

+ - Red Hat Enterprise Linux 7.2 or higher

+ - Red Hat Enterprise Linux 8.x

+[Microsoft Endpoint Manager](/mem/endpoint-manager-overview) is a solution platform that unifies several services. It includes [Microsoft Intune](/mem/intune/fundamentals/what-is-intune)

+- [Microsoft 365 Defender](https://security.microsoft.com)

+|Fine-tune tamper protection settings in your organization <p> Use Intune (Microsoft Endpoint Manager) to turn tamper protection on or off. You can configure tamper protection for some or all users with this method.|[Manage tamper protection for your organization using Microsoft Endpoint Manager](#manage-tamper-protection-for-your-organization-using-microsoft-endpoint-manager)|

+- When you manage tamper protection in the Microsoft 365 Defender portal, the setting is applied tenant wide, affecting all of your devices that are running Windows 10, Windows 10 Enterprise multi-session, Windows 11, Windows 11 Enterprise multi-session, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019 or Windows Server 2022. To fine-tune tamper protection (such as having tamper protection on for some devices but off for others), use either [Microsoft Endpoint Manager](#manage-tamper-protection-for-your-organization-using-microsoft-endpoint-manager) or [Configuration Manager with tenant attach](#manage-tamper-protection-for-your-organization-with-configuration-manager-version-2006).

+ - Windows Server 2019

+ - Windows Server, version 1803 or later

+ - Windows Server 2016

+ - Windows Server 2012 R2

+- Your devices must be using anti-malware platform version `4.18.2010.7` (or above) and anti-malware engine version `1.1.17600.5` (or above). ([Manage Microsoft Defender Antivirus updates and apply baselines](manage-updates-baselines-microsoft-defender-antivirus.md).)

+## Manage tamper protection for your organization using Microsoft Endpoint Manager

+If your organization uses Microsoft Endpoint Manager (MEM) you can turn tamper protection on (or off) for your organization in the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)). Use Intune when you want to fine-tune tamper protection settings. For example, if you want to enable tamper protection on some devices, but not all, use Intune.

+### Requirements for managing tamper protection in Endpoint Manager

+- Your organization uses [Microsoft Endpoint Manager to manage devices](/mem/endpoint-manager-getting-started). (Microsoft Endpoint Manager (MEM) licenses are required; MEM is included in Microsoft 365 E3/E5, Enterprise Mobility + Security E3/E5, Microsoft 365 Business Premium, Microsoft 365 F1/F3, Microsoft 365 Government G3/G5, and corresponding education licenses.)

+- Your Windows devices must be running Windows 11 or Windows 10 [1709](/windows/release-health/status-windows-10-1709), [1803](/windows/release-health/status-windows-10-1803), [1809](/windows/release-health/status-windows-10-1809-and-windows-server-2019), or later. (For more information about releases, see [Windows 10 release information](/windows/release-health/release-information).)

+- Your devices must be using anti-malware platform version 4.18.1906.3 (or above) and anti-malware engine version `1.1.15500.X` (or above). ([Manage Microsoft Defender Antivirus updates and apply baselines](manage-updates-baselines-microsoft-defender-antivirus.md).)

+### Turn tamper protection on (or off) in Microsoft Endpoint Manager

+

+1. In the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Endpoint security** \> **Antivirus**, and then choose **+ Create Policy**.

+ - In the **Platform** list, select **Windows 10 and later**.

+ - In the **Profile** list, select **Windows Security experience**.

+2. Create a profile that includes the following setting:

+ - **Enable tamper protection to prevent Microsoft Defender being disabled: Enable**

+3. Assign the profile to one or more groups.

+

+### Manage tamper protection for your organization with Configuration Manager, version 2006

+#### Need help with this method?

+## Are you using Windows Server 2016, or Windows version 1709, 1803, or 1809?

+If you are using Windows Server 2016, Windows 10 version 1709, 1803, or [1809](/windows/release-health/status-windows-10-1809-and-windows-server-2019), you won't see **Tamper Protection** in the Windows Security app. Instead, you can use PowerShell to determine whether tamper protection is enabled.

+On Windows Server 2016, the Settings app will not accurately reflect the status of real-time protection when tamper protection is enabled.

+#### Use PowerShell to determine whether tamper protection and real-time protection are turned on

+1. Open the Windows PowerShell app.

+2. Use the [Get-MpComputerStatus](/powershell/module/defender/get-mpcomputerstatus?preserve-view=true&view=win10-ps) PowerShell cmdlet.

+3. In the list of results, look for `IsTamperProtected` or `RealTimeProtectionEnabled`. (A value of *true* means tamper protection is enabled.)

+Using [endpoint detection and response](overview-endpoint-detection-response.md) and [advanced hunting](advanced-hunting-overview.md) capabilities in Microsoft Defender for Endpoint, your security operations team can investigate and address such attempts.

+Tamper protection integrates with [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) capabilities. [Security recommendations](tvm-security-recommendation.md) include making sure tamper protection is turned on. For example, you can search on *tamper*. In the results, you can select **Turn on Tamper Protection** to learn more and turn it on.

+To learn more about Threat & Vulnerability Management, see [Dashboard insights - threat and vulnerability management](tvm-dashboard-insights.md#dashboard-insightsthreat-and-vulnerability-management).

+- [Manage tamper protection using Microsoft Endpoint Manager](#manage-tamper-protection-for-your-organization-using-microsoft-endpoint-manager)

+2. Log in to your [Azure tenant](https://ms.portal.azure.com/), go to **Subscriptions > Your subscription > Resource Providers > Register to Microsoft.insights**.

+1. Log in to the [Microsoft 365 Defender](https://security.microsoft.com) as a ***Global Administrator*** or ***Security Administrator***.

+2. Go to the [Data export settings page](https://security.microsoft.com/interoperability/dataexport) in the Microsoft Defender portal.

+1. Log in to [Microsoft 365 Defender](https://security.microsoft.com) and go to [Advanced Hunting page](https://security.microsoft.com/hunting-package).

+1. Log in to [Microsoft 365 Defender](https://security.microsoft.com) as a ***Global Administrator*** or ***Security Administrator***.

+2. Go to [Data export settings page](https://security.microsoft.com/interoperability/dataexport) in Microsoft 365 Defender.

+1. Log in to [Microsoft 365 Defender](https://security.microsoft.com) and go to [Advanced Hunting page](https://security.microsoft.com/hunting-package).

+- [Azure Storage Account documentation](/azure/storage/common/storage-account-overview)

+ C:\Work\tools\MDEClientAnalyzer\MDEClientAnalyzer.cmd

+> On Windows 10/11, Windows Server 2019/2022, or Windows Server 2012R2/2016 with the [modern unified solution](configure-server-endpoints.md#new-functionality-in-the-modern-unified-solution-for-windows-server-2012-r2-and-2016-preview) installed, the client analyzer script calls into an executable file called `MDEClientAnalyzer.exe` to run the connectivity tests to cloud service URLs.

+> On Windows 8.1, Windows Server 2016 or any previous OS edition where Microsoft Monitoring Agent (MMA) is used for onboarding, the client analyzer script calls into an executable file called `MDEClientAnalyzerPreviousVersion.exe` to run connectivity tests for Command and Control (CnC) URLs while also calling into Microsoft Monitoring Agent connectivity tool `TestCloudConnection.exe` for Cyber Data channel URLs.

+Advanced hunting queries in the analyst reports have been vetted by Microsoft analysts and are ready for you to run in the [advanced hunting query editor](https://security.microsoft.com/advanced-hunting). You can also use the queries to create [custom detection rules](custom-detection-rules.md) that trigger alerts for future matches.

+- `https://*.security.microsoft.com`

+- `https://automatediracs-eus-prd.security.microsoft.com`

+- `https://security.microsoft.com`

+- The user account that has been assigned the alert.

+If an incident has not yet been assigned, you can select the **Assign to** box and specify the user account. To re-assign an incident, remove the current assignment account by selecting the "x" next to the account name and then select the **Assign to** box. Assigning ownership of an incident assigns the same ownership to all the alerts associated with it.

+- (GA) Assign incidents and alerts to user accounts

+1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Explorer** . To go directly to the **Explorer** page, use <https://security.microsoft.com/threatexplorer>.

+ - Outlook for Windows when opening saved EML or MSG files.

+- **MDO detonation**: Malicious files detected by [Safe Attachments for SharePoint, OneDrive, and Microsoft Teams](mdo-for-spo-odb-and-teams.md).

+- **File reputation**

+- **Date (UTC)**

+- **Attachment filename**

+- **Workload**

+- **File size**

+- **Last modifying user**

+- **Detection**: **Anti-malware engine**, **MDO detonation**, and **File detonation**

+- **Workload**: **Teams**, **SharePoint**, and **OneDrive**

+To manage who creates groups, the following people need Azure AD Premium licenses or Azure AD Basic EDU licenses assigned to them:

+The following people don't need Azure AD Premium or Azure AD Basic EDU licenses assigned to them: