-> Large or complex updates may take longer than others so that no users are adversely affected. There is no guarantee on the exact timeline of a release. Targeted release is now available for customers with either the Office 365 GCC plan or the Office 365 GCC High plan and DoD plan.

-| **Message is received from any of these domains** <br><br> **Message is not received from any of these domains** | Apply the policy to include or exclude specific domains in received messages. Enter each domain and separate multiple domains with a comma. Each domain entered is applied separately, only one domain must apply for the policy to apply to the message. If you want to use **Message is received from any of these domains** to look for messages from specific emails address you need to combine this with another condition like **Message contains any of these words** or **Content matches any of these classifiers** or you might get unexpected results. <br><br> If you want to scan all email from a specific domain, but want to exclude messages that don't need review (newsletters, announcements, and so on), you must configure a **Message is not received from any of these domains** condition that excludes the email address (example newsletter@contoso.com). |

-| **Message is sent to any of these domains** <br><br> **Message is not sent to any of these domains** | Apply the policy to include or exclude specific domains in sent messages. Enter each domain and separate multiple domains with a comma. Each domain is applied separately, only one domain must apply for the policy to apply to the message. <br><br> If you want to exclude all emails sent to two specific domains, you'd configure the **Message is not sent to any of these domains** condition with the two domains (example 'contoso.com,wingtiptoys.com'). |

-| **Message contains any of these words** <br><br> **Message contains none of these words** | To apply the policy when certain words or phrases are included or excluded in a message, enter each word separated with a comma. For phrases of two words or more, use quotation marks around the phrase. Each word or phrase you enter is applied separately (only one word must apply for the policy to apply to the message). For more information about entering words or phrases, see the next section [Matching words and phrases to emails or attachments](#matching-words-and-phrases-to-emails-or-attachments).|

-| **Attachment contains any of these words** <br><br> **Attachment contains none of these words** | To apply the policy when certain words or phrases are included or excluded in a message attachment (such as a Word document), enter each word separated with a comma. For phrases of two words or more, use quotation marks around the phrase. Each word or phrase you enter is applied separately (only one word must apply for the policy to apply to the attachment). For more information about entering words or phrases, see the next section [Matching words and phrases to emails or attachments](#matching-words-and-phrases-to-emails-or-attachments).|

-| **Attachment is any of these file types** <br><br> **Attachment is none of these file types** | To supervise communications that include or exclude specific types of attachments, enter the file extensions (such as .exe or .pdf). If you want to include or exclude multiple file extensions, enter file types separated by a comma (example *.exe,.pdf,.zip*). Only one attachment extension must match for the policy to apply.|

-Each word you enter and separate with a comma is applied separately (only one word must apply for the policy condition to apply to the email or attachment). For example, let's use the condition, **Message contains any of these words**, with the keywords "banker", "confidential", and "insider trading" separated by a comma (banker, confidential,"insider trading"). The policy applies to any messages that includes the word "banker", "confidential", or the phrase "insider trading". Only one of these words or phrases must occur for this policy condition to apply. Words in the message or attachment must exactly match what you enter.

-Compliance Manager detects signals from other Microsoft Purview solutions that your organization may subscribe to, including data lifecycle management, information protection, Microsoft Purview Data Loss Prevention, communication compliance, and insider risk management. Compliance Manager also detects signals from complementary improvement actions that are monitored by [Microsoft Secure Score](../security/defender/microsoft-secure-score.md). Using these signals, Compliance Manager can automatically test certain improvement actions in order to provide you with continuous control assessment. When an improvement action is successfully tested and implemented, you receive the maximum possible points for that action, which gets [credited to your overall compliance score](compliance-score-calculation.md#how-compliance-manager-continuously-assesses-controls).

-## Compare Microsoft Defender for Business to Microsoft 365 Business Premium

-Defender for Business provides advanced security protection for your devices, with next-generation protection, endpoint detection and response, and threat & vulnerability management. Microsoft 365 Business Premium includes Defender for Business plus additional cybersecurity and productivity capabilities.

-| **[Microsoft 365 Business Premium](../../business-premium/index.md)** | **Defender for Business capabilities, together with productivity and additional security capabilities**<ul><li>[Microsoft 365 Business Standard](../../admin/admin-overview/what-is-microsoft-365-for-business.md) (Office apps and services, and Microsoft Teams)</li><li>[Shared computer activation](/deployoffice/overview-shared-computer-activation) (for deploying Microsoft 365 Apps)</li><li>[Windows 10/11 Business](../../business-premium/m365bp-upgrade-windows-10-pro.md) (upgrade from previous versions of Windows Pro)</li><li>[Windows Autopilot](/mem/autopilot/windows-autopilot) (for setting up and configuring Windows devices)</li><li>[Exchange Online Protection](../office-365-security/eop-about.md) (antiphishing, antispam, antimalware, and spoof intelligence for email)</li><li>[Microsoft Defender for Office 365 Plan 1](/microsoft-365/security/office-365-security/defender-for-office-365) (advanced antiphishing, real-time detections, Safe Attachments, Safe Links)</li><li>[Auto-expanding archiving](../../compliance/autoexpanding-archiving.md) (for email)</li><li>[Azure Active Directory Premium Plan 1](/azure/active-directory/fundamentals/active-directory-whatis) (identity management)</li><li>[Microsoft Intune](/mem/intune/fundamentals/what-is-intune) (device onboarding and management)</li><li>[Azure Information Protection Premium Plan 1](/azure/information-protection/what-is-information-protection) (protection for sensitive information)</li><li>[Azure Virtual Desktop](/azure/virtual-desktop/overview) (centrally managed, secure virtual machines in the cloud)</li></ul> |

-## Compare Microsoft Defender for Business to Microsoft Defender for Endpoint Plans 1 and 2

-|[Microsoft 365 Lighthouse integration](../../lighthouse/m365-lighthouse-overview.md) <br/>(For viewing security incidents across customer tenants) ^[[8](#fn8)]|:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included"::: |:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included"::: |:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included"::: |

-(<a id="fn7">7</a>) See [Onboard devices to Microsoft Defender for Business](mdb-onboard-devices.md).

-(<a id="fn8">8</a>) The ability to view incidents across tenants using Defender for Endpoint is new!

-> Advanced hunting capabilities are not included in Defender for Business. See [Compare Microsoft Defender for Business to Microsoft Defender for Endpoint Plans 1 and 2](../defender-business/compare-mdb-m365-plans.md#compare-microsoft-defender-for-business-to-microsoft-defender-for-endpoint-plans-1-and-2).

-> For Customers who are using a non-Microsoft HIPS and are transitioning to Microsoft Defender for Endpoint attack surface reduction rules: Microsoft advises customers to run their HIPS solution side-by-side with their ASR rules deployment until the moment you shift from Audit to Block mode. Keep in mind that you must reach out to your 3rd-party antivirus vendor for exclusion recommendations.

-Before you start, review [Overview of attack surface reduction](overview-attack-surface-reduction.md), and [Demystifying attack surface reduction rules - Part 1](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/demystifying-attack-surface-reduction-rules-part-1/ba-p/1306420) for foundational information. To understand the areas of coverage and potential impact, familiarize yourself with the current set of ASR rules; see [Attack surface reduction rules reference](attack-surface-reduction-rules-reference.md). While you are familiarizing yourself with the ASR rules set, take note of the per-rule GUID mappings; see: [ASR rule to GUID matrix](attack-surface-reduction-rules-reference.md#asr-rule-to-guid-matrix).

-ASR rules are only one capability of the attack surface reduction capabilities within Microsoft Defender for Endpoint. This document will go into more detail on deploying ASR rules effectively to stop advanced threats like human-operated ransomware and other threats.

->[!Note]

->There are multiple methods to configure ASR rules. ASR rules can be configured using: Microsoft Endpoint Manager (MEM), PowerShell, Group Policy, Microsoft System Center Configuration Manager (SCCM), MEM OMA-URI.

->If you are using a different infrastructure configuration than what is listed for _Infrastructure requirements_ (above), you can learn more about deploying attack surface reduction rules using other configurations here: [Enable attack surface reduction rules](enable-attack-surface-reduction.md).

-Most organizations use various devices and operating systems. Currently, Defender for Endpoint Plan 1 supports the following operating systems:

-> Advanced hunting capabilities are not included in Defender for Business. See [Compare Microsoft Defender for Business to Microsoft Defender for Endpoint Plans 1 and 2](../defender-business/compare-mdb-m365-plans.md#compare-microsoft-defender-for-business-to-microsoft-defender-for-endpoint-plans-1-and-2).

-> Advanced hunting capabilities are not included in Defender for Business. See [Compare Microsoft Defender for Business to Microsoft Defender for Endpoint Plans 1 and 2](../defender-business/compare-mdb-m365-plans.md#compare-microsoft-defender-for-business-to-microsoft-defender-for-endpoint-plans-1-and-2).

-> Advanced hunting capabilities are not included in Defender for Business. See [Compare Microsoft Defender for Business to Microsoft Defender for Endpoint Plans 1 and 2](../defender-business/compare-mdb-m365-plans.md#compare-microsoft-defender-for-business-to-microsoft-defender-for-endpoint-plans-1-and-2).

-> Advanced hunting capabilities are not included in Defender for Business. See [Compare Microsoft Defender for Business to Microsoft Defender for Endpoint Plans 1 and 2](../defender-business/compare-mdb-m365-plans.md#compare-microsoft-defender-for-business-to-microsoft-defender-for-endpoint-plans-1-and-2).

-> Advanced hunting capabilities are not included in Defender for Business. See [Compare Microsoft Defender for Business to Microsoft Defender for Endpoint Plans 1 and 2](../defender-business/compare-mdb-m365-plans.md#compare-microsoft-defender-for-business-to-microsoft-defender-for-endpoint-plans-1-and-2).

-> Advanced hunting capabilities are not included in Defender for Business. See [Compare Microsoft Defender for Business to Microsoft Defender for Endpoint Plans 1 and 2](../defender-business/compare-mdb-m365-plans.md#compare-microsoft-defender-for-business-to-microsoft-defender-for-endpoint-plans-1-and-2).

-To update Microsoft Defender for Endpoint on macOS, a program named Microsoft AutoUpdate (MAU) is used. By default, MAU automatically checks for updates daily, but you can change that to weekly, monthly, or manually.

-If you decide to deploy updates by using your software distribution tools, you should configure MAU to manually check for software updates. You can deploy preferences to configure how and when MAU checks for updates for the Macs in your organization.

-|**Comment**|This value is set in minutes.|

-|**Comment**|Note that AutomaticDownload will do a download and install silently if possible.|

-### Limit the telemetry that is sent from MAU

-Set to false to send minimal heartbeat data, no application usage, and no environment details.

-<br>

-****

-|Section|Value|

-|||

-|**Domain**|`com.microsoft.autoupdate2`|

-|**Key**|SendAllTelemetryEnabled|

-|**Data type**|Boolean|

-|**Possible values**|True (default) <p> False|

-|||

-> [!TIP]

-> In order to preview new features and provide early feedback, it is recommended that you configure some devices in your enterprise to `Beta` or `Preview`.

-### JAMF

- <string>Production</string>

- <key>SendAllTelemetryEnabled</key>

- <true/>

- <string>Production</string>

- <key>SendAllTelemetryEnabled</key>

- <true/>

-To view and access Microsoft Defender for Endpoint data in Microsoft Cloud Apps Security, see [Investigate devices in Defender for Cloud Apps](/cloud-app-security/mde-integration#investigate-devices-in-cloud-app-security).

- <summary>Dec-2022 (Release version: 10.8210.*)</summary>

-|Global reader|Security operations \ Security data \ Security data basics (read)|_**Defender for Endpoint and Defender for Identity only permissions**_ </br> Configuration \ Security settings \ (read)</br>Configuration \ System settings \ (read) </br></br> _**Defender for Office only permissions**_ </br> Security operations \ Security data \ Response (manage)</br>Security operations \ Raw data (Email & collaboration) \ Email message headers (read)</br>Configuration \ Authorization \ (read) </br></br>_**Defender for Identity only permissions**_ </br>Security posture \ Posture management \ Vulnerability management (read)|

-|Security reader|Same as Global reader|Same as Global reader|

-Part of your incident investigation can include user accounts. You can see the details of user accounts identified in the alerts of an incident in the Microsoft 365 Defender portal from **Incidents & alerts** \> ***incident*** \> **Users**. Here's an example.

-To get a quick summary of a user account for the incident, select the check mark next to the user account name. Here's an example.

-> The user page shows Azure Active Directory (Azure AD) organization as well as groups, helping you understand the groups and permissions associated with a user.

-In this pane, you can review user threat information, including any current incidents, active alerts, and risk level as well as user exposure, accounts, devices, and more.

-In addition, you can take action directly in the Microsoft 365 Defender portal to address a compromised user, such as confirming the user account is compromised or requiring a new sign-in.

-From here, you can select **Go to user page** to see the details of a user account. Here's an example.

-You can also see this page by selecting the name of the user account from the list on the **Users** page.

-You can see group membership for the user by selecting the number under **Groups**. Selecting a group will open the **Groups** pane, which includes additional information such as the creation date and group membership.

-> [!NOTE]

-> Group membership only displays the first 1000 group members.

-By selecting the icon under **Manager**, you can see where the user is in the organization tree.

-The Microsoft 365 Defender portal user page combines information from Microsoft Defender for Endpoint, Microsoft Defender for Identity, and Microsoft Defender for Cloud Apps (depending on what licenses you have).

-This page shows information specific to the security risk of a user account, which includes a score that helps assess risk and recent events and alerts that contributed to the overall risk.

-From this page, you can do these additional actions:

-Here's an example.

-## View lateral movement paths

-By selecting the **Lateral movement paths** tab, you can view a fully dynamic and clickable map that provides you with a visual representation of the lateral movement paths to and from this user that can be used to infiltrate your network.

-The map provides you with a list of how many hops between computers or users an attacker would have to and from this user to compromise a sensitive account, and if the user has a sensitive account, you can see how many resources and accounts are directly connected.

-If a potential lateral movement path wasn't detected for the entity during the past two days, the graph doesn't display. Select a different date using View a different date to view previous lateral movement paths graphs discovered for this entity. The lateral movement path report is always available to provide you with information about the potential lateral movement paths discovered, and can be customized by time.

-For more information, see [Lateral movement paths](/defender-for-identity/use-case-lateral-movement-path).

-| Entity Activities | Advanced hunting |

- - The email address is not also in a block entry in the [Tenant Allow/Block List](tenant-allow-block-list-about.md) (messages from those senders will be quarantined).

-> [!IMPORTANT]

-> This article is for **business customers**.

->

-> But if you're using Outlook.com, ***Microsoft 365 Family, or Microsoft 365 Personal***, and you need info about ***Safe Links or Safe Attachments in Outlook*** blocking emails, see [Advanced Outlook.com security for Microsoft 365 subscribers](https://support.microsoft.com/office/advanced-outlook-com-security-for-microsoft-365-subscribers-882d2243-eab9-4545-a58a-b36fee4a46e2?storagetype=live).

-1. (Windows 10 only) Download and install **Windows 10 cumulative monthly security updates KB4571756**.

-1. Launch Word, Excel, or PowerPoint on a device where the policies have been deployed.

-|Don't allow copy/paste for Office documents opened in Application Guard for Office|Enabling this policy prevents a user from copying and pasting content from a document opened in Application Guard for Office to a document opened outside of the container.|

-> * Disable copy/paste for documents opened in Application Guard for Office

-* Selecting web links (`http` or `https`) doesn't open the browser.

-* The default setting for copy-paste protection policy is to enable clipboard access to text only.

-* CSV and HTML files are not supported at this time.

-* Updates to .NET might cause files to fail to open in Application Guard. As a workaround, users can restart their device when they come across this failure. Learn more about the issue at [Receiving an error message when attempting to open Windows Defender Application Guard or Windows Sandbox](https://support.microsoft.com/help/4575917/receiving-an-error-message-when-attempting-to-open-windows-defender-ap).

-2. On the **Conditional Access | Policies** blade, click **New policy**.

-3. In the **Name** field, type a name.

-4. Under **Assignments**, click **Users and groups**.

-5. On the **Users and groups** blade, select **Select users and groups**, select the **All guests and external users** check box.

-6. Under **Assignments**, click **Cloud apps or actions**.

-7. On the **Cloud apps or actions** blade, select **All cloud apps** on the **Include** tab.

-8. Under **Access controls**, click **Grant**.

-9. On the **Grant** blade, select the **Require multi-factor authentication** check box, and then click **Select**.

-10. On the **New** blade, under **Enable policy**, click **On**, and then click **Create**.

-2. Navigate to [Terms of use](https://aka.ms/catou).

-3. Click **New terms**.

-4. Type a **Name** and **Display name**.

-6. For **Terms of use document**, browse to the pdf file that you created and select it.

-7. Select the language for your terms of use document.

-8. Set **Require users to expand the terms of use** to **On**.

-9. Under **Conditional Access**, in the **Enforce with Conditional Access policy template** list choose **Create conditional access policy later**.

-10. Click **Create**.

-2. On the **Conditional Access | Policies** blade, click **New policy**.

-3. In the **Name** box, type a name.

-4. Under **Assignments**, click **Users and groups**.

-5. On the **Users and groups** blade, select **Select users and groups**, select the **All guests and external users** check box.

-6. Under **Assignments**, click **Cloud apps or actions**.

-7. On the **Include** tab, select **Select apps**, and then click **Select**.

-8. On the **Select** blade, select **Microsoft Teams**, **Office 365 SharePoint Online**, and **Outlook Groups**, and then click **Select**.

-9. Under **Access controls**, click **Grant**.

-10. On the **Grant** blade, select **Guest terms of use**, and then click **Select**.

-11. On the **New** blade, under **Enable policy**, click **On**, and then click **Create**.

-2. Click **New access review**.

-3. Choose the **Teams + Groups** option.

-4. Choose the **All Microsoft 365 groups with guest users** option. Click **Select group(s) to exclude** if you want to exclude any groups.

-5. Choose the **Guest users only** option, and then click **Next: Reviews**.

-6. Under **Select reviewers**, choose **Group Owner(s)**.

-7. Click **Select fallback reviewers**, choose who should be the fallback reviewers, and then click **Select**.

-8. Under **Specify recurrence of review**, choose **Quarterly**.

-9. Select a start date and duration.

-10. For **End**, choose **Never**, and then click **Next: Settings**.

-11. On the **Settings** tab, review the settings for compliance with your business rules.

-12. Click **Next: Review + Create**.

-13. Type a **Review name** and review the settings.

-14. Click **Create**.

-It's important to note that for SharePoint and OneDrive locations, documents will be proactively blocked right after detection of sensitive information, irrespective of whether the document is shared or not, for all guests, while internal users will continue to have access to the document.

-2. On the **Conditional Access - Policies** blade, click **New policy**.

-3. In the **Name** box, type a name.

-4. Under **Assignments**, click **Users and groups**.

-5. On the **Users and groups** blade, select **Select users and groups**, select the **All guests and external users** check box.

-6. Under **Assignments**, click **Cloud apps or actions**.

-7. On the **Include** tab, select **Select apps**, and then click **Select**.

-8. On the **Select** blade, select **Microsoft Teams** and **Outlook Groups**, and then click **Select**.

-9. Under **Assignments**, click **Conditions**.

-10. On the **Conditions** blade, click **Client apps**.

-11. On the **Client apps** blade, click **Yes** for **Configure**, and then select the **Mobile apps and desktop clients**, **Exchange ActiveSync clients**, and **Other clients** settings. Clear the **Browser** check box.

-12. Click **Done**.

-13. Under **Access controls**, click **Grant**.

-14. On the **Grant** blade, select **Require device to be marked as compliant** and **Require Hybrid Azure AD joined device**.

-15. Under **For multiple controls**, select **Require one of the selected controls**, and then click **Select**.

-16. On the **New** blade, under **Enable policy**, click **On**, and then click **Create**.

-To restrict guests to web-ony access for SharePoint

-1. In the SharePoint admin center, expand **Policies** and select <a href="https://go.microsoft.com/fwlink/?linkid=2185071" target="_blank">**Access control**</a>.

-2. Select **Unmanaged devices**.

-3. Select the **Allow limited, web-only access** option, and then select **Save**.

-Note that this setting in the SharePoint admin center creates a supporting conditional access policy in Azure AD.

-2. On the **Conditional Access - Policies** blade, click **New policy**.

-3. In the **Name** box, type *Guest session timeout*.

-4. Under **Assignments**, click **Users and groups**.

-5. On the **Users and groups** blade, select **Select users and groups**, select the **All guests and external users** check box.

-6. Under **Assignments**, click **Cloud apps or actions**.

-7. On the **Include** tab, select **Select apps**, and then click **Select**.

-8. On the **Select** blade, select **Microsoft Teams**, **Office 365 SharePoint Online**, and **Outlook Groups**, and then click **Select**.

-9. Under **Access controls**, click **Session**.

-10. On the **Session** blade, select **Sign-in frequency**.

-11. Select **1** and **Days** for the time period, and then click **Select**.

-12. On the **New** blade, under **Enable policy**, click **On**, and then click **Create**.

-1. In the [Microsoft Purview compliance portal](https://compliance.microsoft.com), in the left navigation, expand **Classification**, and then click **Sensitive info types**.

-2. Click **Create**.

-3. For **Name** and **Description**, type **Project Saturn**, and then click **Next**.

-4. Click **Add an element**.

-5. On the **Detect content containing** list, select **Keywords**, and then type *Project Saturn* in the keyword box.

-6. Click **Next**, and then click **Finish**.

-7. If asked if you would like to test the sensitive information type, click **No**.

-2. In the left navigation, click **Information protection**.

-3. On the **Auto-labeling** tab, click **Create auto-labeling policy**.

-4. On the **Choose info you want this label applied to** page, choose **Custom** and click **Next**.

-5. Type a name and description for the policy and click **Next**.

-6. On the **Choose locations where you want to apply the label** page, turn on **SharePoint sites** and click **Choose sites**.

-7. Add the URLs for the sites where you want to turn on auto-labeling and click **Done**.

-8. Click **Next**.

-9. On the **Set up common or advanced rules** page, choose **Common rules** and click **Next**.

-10. On the **Define rules for content in all locations** page, click **New rule**.

-11. On the **New rule** page, give the rule a name, click **Add condition**, and then click **Content contains sensitive info types**.

-12. Click **Add**, click **Sensitive info types**, choose the sensitive info types that you want to use, click **Add**, and then click **Save**.

-13. Click **Next**.

-14. Click **Choose a label**, select the label you want to use, and then click **Add**.

-15. Click **Next**.

-16. Leave the policy in simulation mode and click **Next**.

-17. Click **Create policy**, and then click **Done**.

-2. Click **Create policy**.

-3. Choose **Custom** and click **Next**.

-4. Type a name for the policy and click **Next**.

-5. On the **Locations to apply the policy** page turn off all settings except **SharePoint sites** and **OneDrive accounts**, and then click **Next**.

-6. On the **Define policy settings** page, click **Next**.

-7. On the **Customize advanced DLP rules** page, click **Create rule** and type a name for the rule.

-8. Under **Conditions**, click **Add condition**, and choose **Content contains**.

-9. Click **Add**, choose **Sensitivity labels**, choose the labels you want to use, and click **Add**.

-10. Under **Actions** click **Add an action** and choose **Restrict access or encrypt the content in Microsoft 365 locations**.

-11. Select the **Restrict access or encrypt the content in Microsoft 365 locations** check box and then choose the **Only people outside your organization** option.

-12. Click **Save** and then click **Next**.

-13. Choose your test options and click **Next**.

-14. Click **Submit**, and then click **Done**.