Updates from: 10/18/2022 03:19:30
Category Microsoft Docs article Related commit history on GitHub Change details
admin Servicenow Aad Oauth Token https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/manage/servicenow-aad-oauth-token.md
These steps are required to set up the integration between your ServiceNow insta
1. After completing the instructions in the prerequisites section, click Done to go to the next step. Otherwise, follow the instructions to create the AAD App Registration for inbound REST user (integration user). :::image type="content" source="../../media/ServiceNow-guide/snowaadoauth-8.png" lightbox="../../media/ServiceNow-guide/snowaadoauth-8.png" alt-text="Graphical user interface, text, application, email Description automatically generated"::: 1. Configure the Integration User.
- 1. After completing the instructions in the prerequisites section, select the newly created entity and click Next. Otherwise follow the instructions to create the integration user in ServiceNow then select the entity.
+ 1. After completing the instructions in the prerequisites section, select the newly created entity and click Next. Otherwise follow the instructions to create the integration user in ServiceNow, and then select the entity.
:::image type="content" source="../../media/ServiceNow-guide/snowaadoauth-9.png" lightbox="../../media/ServiceNow-guide/snowaadoauth-9.png" alt-text="Graphical user interface, text, application, email Description automatically generated"::: 1. \[Microsoft 365 Tenant Admin\] Complete the integration.
compliance Audit New Search https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/audit-new-search.md
Title: "Audit new search"
+ Title: "Audit New Search"
description: "The Audit New Search validates the performance improvements, completeness, and consistency of results." f1.keywords: - NOCSH
- admindeeplinkEXCHANGE
-# Audit New Search (preview)
+# Audit New Search
Your organization requires access to critical audit log event data to gain insight and further investigate user activities. Previously, your search jobs in the Microsoft Purview compliance portal UI were limited in their ability to create concurrent audit search jobs and review historical search jobs. These critical audit search jobs also had a dependency on the browser window remaining open in order to complete.
-The Audit New Search (preview) builds upon the existing search functionalities and includes the following key improvements:
+The Audit New Search builds upon the existing search functionalities and includes the following key improvements:
- Search jobs initiated via the compliance portal UI no longer require the web browser window to remain open in order to complete. These jobs will continue to run even after the browser window is closed.-- Completed search jobs are now stored, giving customers the ability to reference historical audit searches. These search jobs are presented in the UI, listing the search name, search job status, progress %, Number of results, Creation Time, and Searched by.-- Each admin Audit account user can have a maximum of 10 search jobs in progress at a time.
+- Completed search jobs are now stored for 30 days, giving customers the ability to reference historical audit searches. These search jobs are presented in the UI, listing the search name, search job status, progress %, Number of results, Creation Time, and Searched by.
+- Each admin Audit account user can have a maximum of 10 concurrent search jobs in progress with a maximum of one unfiltered search job.
[!INCLUDE [purview-preview](../includes/purview-preview.md)]
Additional information:
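Review bot: The cap of one unfiltered search job, added in the bullet "maximum of 10 concurrent search jobs in progress with a maximum of one unfiltered search job", appears only in this list. Step 5 still reads "A maximum of 10 search jobs can be run in parallel in one account" and the FAQ answer still gives only the 10-job limit, so nothing in the procedure tells an admin that a second unfiltered search is not allowed. Repeat the cap in both places and say what counts as an unfiltered search.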
- Search jobs can take in the following criteria: Date Range, Time Range, Search Job Name, Activities, Users, Files, Folders, and Sites. - Searching and filtering using date, time, search name, activities, and users are all fully functional - Audit Log data will be stored for the defined retention period, regardless of a search job being deleted-- Searches created during the Private Preview period may not be retained for future reference once the New Search feature moves into Public Preview. ## Get started with audit new search Follow the below steps to test and validate the Audit New Search experience:
-1. Navigate to compliance.microsoft.com
-1. Select the Audit tab on the left panel of the homepage to navigate to the Audit tool
-1. Select ΓÇ£New Search (Preview)ΓÇ¥ tab at the top of the Audit page
- :::image type="content" source="../media/audit-search/audit-new-search.png" alt-text="Audit New Search overview in Microsoft Purview":::
-1. Test different search jobs in the Audit New Search tool using various search criteria.
+1. Sign into the [Microsoft Purview compliance portal](https://compliance.microsoft.com)
+2. Select the **Audit** tab on the left panel of the homepage to navigate to the Audit tool
+3. Select **New Search** tab at the top of the **Audit** page
+
+ ![Audit New Search overview in Microsoft Purview.](../media/audit-search/audit-new-search.png)
+
+4. Test different search jobs in the Audit New Search tool using various search criteria.
Some examples of different searches include the following criteria. Explore these different search methods while performing searches on the audit log.+ - Search across different time frames. - One day - Week
Some examples of different searches include the following criteria. Explore thes
- Search across selected users - Scoping the search using the activities field - Adding a specific file, folder, or site
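Review bot: Step 1, "Sign into the [Microsoft Purview compliance portal]", should read "Sign in to", which is the form the scanner article in this same batch uses, and step 3, "Select **New Search** tab", is missing "the" before the tab name. Both are small, but these are the first lines a reader follows to reach the audit tool.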
- :::image type="content" source="../media/audit-search/audit-new-search-create.png" alt-text="Audit New Search options in Microsoft Purview":::
-1. Initiate another 2-9 searches in the compliance portal. A maximum of 10 search jobs can be run in parallel in one account.
-1. Explore the search job history and select different search jobs to get their corresponding data from the search job results. Results can be sorted by their creation time by selecting the corresponding button at the top of the table.
- :::image type="content" source="../media/audit-search/audit-new-search-columns.png" alt-text="Audit New Search result column sorting options in Microsoft Purview":::
-1. Select a search job to see the results of the job displayed in a line-item format. Explore the various functionalities in the UI, including:
+
+ ![Create a Audit New Search overview in Microsoft Purview.](../media/audit-search/audit-new-search-create.png)
+
+5. Initiate another 2-9 searches in the compliance portal. A maximum of 10 search jobs can be run in parallel in one account.
+6. Explore the search job history and select different search jobs to get their corresponding data from the search job results. Results can be sorted by their creation time by selecting the corresponding button at the top of the table.
+
+ ![Results of a Audit New Search overview in Microsoft Purview.](../media/audit-search/audit-new-search-columns.png)
+
+7. Select a search job to see the results of the job displayed in a line-item format. Explore the various functionalities in the UI, including:
+ - Referencing the complete search query at the top of the page, which includes all search criteria entered when completing the original search
- - Clicking on various results for more information in the fly-out window
+ - Selecting various results for more information in the fly-out window
- Filtering across the search job using IP address, User, Activity, Date, Item, and Details. - Exporting both unfiltered and filtered searches - Sorting the results by clicking the corresponding buttons on the top of the table including Date, IP Address (when applicable), User, Activity, Item, and Detail (when applicable).
- :::image type="content" source="../media/audit-search/audit-new-search-result-details.png" alt-text="Audit New Search result details in Microsoft Purview":::
+
+ ![Sorting results of a Audit New Search overview in Microsoft Purview.](../media/audit-search/audit-new-search-result-details.png)
## Audit search job overview - Search jobs can take in the following criteria: Date Range, Time Range, Search Job Name, Activities, Users, Files, Folders, and Sites. - File, folder, or site search text box will return all related results for corresponding file, folders, and sites - The search jobs will run at the bottom of the search page.
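Review bot: The three new image alt texts read "Create a Audit New Search overview", "Results of a Audit New Search overview" and "Sorting results of a Audit New Search overview": "a Audit" should be "an Audit", and the trailing "overview" was carried over from the first screenshot and does not describe these images. Give each image its own description of what the screenshot shows (the search criteria form, the job history table, the result details fly-out).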
- - Search jobs can be ΓÇ£Queued,ΓÇ¥ ΓÇ£In Progress,ΓÇ¥ and ΓÇ£CompletedΓÇ¥
- - A maximum of 10 ΓÇ£In ProgressΓÇ¥ search jobs can be completed simultaneously per user
+ - Search jobs can be *Queued*, *In Progress*, and *Completed*
+ - A maximum of 10 *In Progress* search jobs can be completed simultaneously per user
- Full search names for jobs can be seen by hovering the cursor over the search job - Search jobs will display the Search Name, Status, Progress %, Number of results, creation time, and searched by
-Figure 1.1 Audit Search Tool & Search Job Summaries
- ## Audit search results overview - Search results are displayed in a line-item once a search job is selected
Figure 1.1 Audit Search Tool & Search Job Summaries
- Information about the date, IP Address, User, Activity, and Item can be found in the search job results page for each item - Select an activity to see a fly-out window with more details about the activity - The filtering feature for search job results can help to parse through results.-- Export is fully functional and exports all search job items to a .csv file. Export supports results up to 50 K.
-Figure 2.1 ΓÇô Search Job Results
-Figure 2.2 ΓÇô Search Job Filtering Panel
-Figure 2.3 ΓÇô Export Button
+- Export is fully functional and exports all search job items to a .csv file. Export supports results up to 50KB.
## Frequently asked questions - **Is there a maximum number of search jobs per user?**
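Review bot: Changing "Export supports results up to 50 K" to "up to 50KB" turns what reads as a result count into a file size. A 50 KB .csv would hold very few audit records, which would make export of little use for an investigation, so confirm the intended limit and, if it is a record count, write it out as "50,000 results".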
- There's a maximum of 10 ΓÇ£in progressΓÇ¥ search jobs per user. If a user requires more than 10 search jobs, they must wait for an ΓÇ£in progressΓÇ¥ job to
-finish or delete a search job. We would appreciate your feedback on this limit.
+ There's a maximum of 10 *In progress* search jobs per user. If a user requires more than 10 search jobs, they must wait for an *In progress* job to finish or delete a search job. We would appreciate your feedback on this limit.
- **Does deletion of a search job delete the back-end data?** No, the deletion of the search job will only delete the search job definition and the associated search result.
compliance Communication Compliance Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/communication-compliance-policies.md
search.appverid:
# Create and manage communication compliance policies
->[!IMPORTANT]
->Microsoft Purview Communication Compliance provides the tools to help organizations detect regulatory compliance violations (for example SEC or FINRA), such as sensitive or confidential information, harassing or threatening language, and sharing of adult content. Built with privacy by design, usernames are pseudonymized by default, role-based access controls are built in, investigators are opted in by an admin, and audit logs are in place to ensure user-level privacy.
+> [!IMPORTANT]
+> Microsoft Purview Communication Compliance provides the tools to help organizations detect regulatory compliance violations (for example SEC or FINRA), such as sensitive or confidential information, harassing or threatening language, and sharing of adult content. Built with privacy by design, usernames are pseudonymized by default, role-based access controls are built in, investigators are opted in by an admin, and audit logs are in place to ensure user-level privacy.
[!INCLUDE [purview-preview](../includes/purview-preview.md)]
As part of a layered defense to detect and remediate inappropriate messages in y
Enabled by default in the [Teams admin center](/microsoftteams/manage-teams-in-modern-portal), the *Report a concern* option in Teams messages allows users in your organization to submit inappropriate internal personal and group chat messages for review by communication compliance reviewers for the policy. These messages are supported by a default system policy that supports reporting messages in Teams group and private chats.
-![Communication compliance Report a concern.](../media/communication-compliance-report-a-concern-full-menu.png)
+![Communication compliance report a concern](../media/communication-compliance-report-a-concern-full-menu.png)
When a user submits a Teams chat message for review, the message is copied to the User-reported message policy. Reported messages initially remain visible to all chat members and there isn't any notification to chat members or the submitter that a message has been reported in channel, private, or group chats. A user can't report the same message more than once and the message remains visible to all users included in the chat session during the policy review process. During the review process, communication compliance reviewers can perform all the standard [remediation actions](/microsoft-365/compliance/communication-compliance-investigate-remediate#step-3-decide-on-a-remediation-action) on the message, including removing the message from the Teams chat. Depending on how the messages are remediated, the message sender and recipients will see different [notification messages](/microsoftteams/communication-compliance#act-on-inappropriate-messages-in-microsoft-teams) in Teams chats after the review.
-![Communication compliance user-reported messages policy.](../media/communication-compliance-user-reported-messages-policy.png)
+![Communication compliance user-reported messages policy](../media/communication-compliance-user-reported-messages-policy.png)
User reported messages from Teams chats are the only messages processed by the User-reported message policy and only the assigned reviewers for the policy can be modified. All other policy properties aren't editable. When the policy is created, the initial reviewers assigned to the policy are all members of the *Communication Compliance Admins* role group (if populated with at least one user) or all members of your organization's *Global Admin* role group. The policy creator is a randomly selected user from the *Communication Compliance Admins* role group (if populated with at least one user) or a randomly selected user from your organization's *Global Admin* role group.
To identify an older policy, review *Last policy scan* column on the **Policy**
Each communication compliance policy has a storage limit size of 100 GB or 1 million messages, whichever is reached first. As the policy approaches these limits, notification emails are automatically sent to users assigned to the *Communication Compliance* or *Communication Compliance Admins* role groups. Notifications messages are sent when the storage size or message count reach 80, 90, and 95 percent of the limit. When the policy limit is reached, the policy is automatically deactivated, and the policy stops processing messages for alerts.
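Review bot: The two alt-text edits in this file drop the closing period ("Communication compliance report a concern"), while the audit-new-search and retention-label changes in the same batch add one ("Audit New Search overview in Microsoft Purview."). Pick one convention across the batch; keeping the period gives screen readers a pause at the end of the description.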
->[!IMPORTANT]
->If a policy is deactivated due to reaching the storage and message limits, be sure to evaluate how to manage the deactivated policy. If you delete the policy, all messages, associated attachments, and message alerts will be permanently deleted. If you need to maintain these items for future use, do not delete the deactivated policy.
+> [!IMPORTANT]
+> If a policy is deactivated due to reaching the storage and message limits, be sure to evaluate how to manage the deactivated policy. If you delete the policy, all messages, associated attachments, and message alerts will be permanently deleted. If you need to maintain these items for future use, do not delete the deactivated policy.
To manage policies approaching the storage and message limits, consider making a copy of the policy to maintain coverage continuity or take the following actions to help minimize current policy storage size and message counts:
Communication compliance uses built-in trainable and global classifiers to scan
- **Threat**: Scans for threats to commit violence or physical harm to a person or property. > [!NOTE]
-> Policies using classifiers will inspect and evaluate messages with a word count of six or greater. Messages containing less than six words aren't evaluated in policies using classifiers. To identify and take action on shorter messages containing inappropriate content, we recommend including a custom keyword dictionary to communication compliance policies detecting this type of content.
+> Policies using Threat, Harassment, and Profanity classifiers in the English language will inspect and evaluate messages with a word count of three or greater. Messages containing less than three words aren't evaluated in policies using these types of classifiers. To identify and take action on shorter messages containing inappropriate content, we recommend including a custom keyword dictionary to communication compliance policies detecting this type of content.
### Optical character recognition (OCR)
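Review bot: The rewritten note narrows the minimum word count to "Threat, Harassment, and Profanity classifiers in the English language" and lowers it from six to three, but it no longer states any threshold for the other classifiers or for non-English messages. Anyone relying on these policies for detection needs to know whether those cases still skip messages under six words or have no minimum, so add a sentence covering them. "Messages containing less than three words" should also be "fewer than three words".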
compliance Create Apply Retention Labels https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/create-apply-retention-labels.md
After content is labeled, see the following information to understand when the a
### Manually apply retention labels
-End users, as well as administrators, can manually apply retention labels from the following locations:
+End users, as well as administrators, can manually apply retention labels from the following locations:
- Outlook and Outlook on the web
For SharePoint, but not OneDrive, you can create a view of the library that cont
When you publish retention labels to the **Microsoft 365 Groups** location, the retention labels appear in the SharePoint teams site but aren't supported by any email client for group mailboxes. The experience of applying a retention label in the site is identical to that for documents in SharePoint.
+Users can also apply the retention labels directly in Teams, from the **Files** tab:
+
+![Applying a retention label in a Teams channel, Files tab.](../media/retention-label-teams-files.gif)
+ ### Applying a default retention label to all content in a SharePoint library, folder, or document set This method requires retention labels to be published to a retention label policy.
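Review bot: The Teams addition gives no written steps; the only instructions are in the animated GIF "retention-label-teams-files.gif", which cannot be searched, translated or read by a screen reader. Add the click path from the **Files** tab as a short numbered list and keep the GIF as a supplement.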
compliance Deploy Scanner Configure Install https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/deploy-scanner-configure-install.md
+
+ Title: "Install and configure the Microsoft Purview Information Protection scanner"
+f1.keywords:
+++ Last updated :
+audience: Admin
++
+ms.localizationpriority: normal
+
+- purview-compliance
+- tier3
+description: Learn how to install and configure the Microsoft Purview Information Protection scanner to discover, classify, and protect files on data stores.
++
+# Configuring and installing the information protection scanner
+
+> [!NOTE]
+> The Microsoft Purview Information Protection scanner was formerly named Azure Information Protection unified labeling scanner, or the on-premises scanner. Configuration has moved from the Azure portal to the Microsoft Purview compliance portal.
+
+This article describes how to configure and install the Microsoft Purview Information Protection scanner, formerly named Azure Information Protection unified labeling scanner, or the on-premises scanner.
+
+> [!TIP]
+> While most customers will perform these procedures in the admin portal, you may need to work in PowerShell only.
+>
+> For example, if you are working in an environment without access to the admin portal, such as [Azure China 21Vianet scanner servers](/microsoft-365/admin/services-in-china/parity-between-azure-information-protection#manage-azure-information-protection-content-scan-jobs), follow the instructions in [Use PowerShell to configure the scanner](#use-powershell-to-configure-the-scanner).
+>
+
+## Overview
+
+Before you start, verify that your system complies with the [required prerequisites](deploy-scanner-prereqs.md).
+
+Then, use the following steps to configure and install the scanner:
+
+1. [Configure the scanner settings](#configure-the-scanner-settings)
+
+2. [Install the scanner](#install-the-scanner)
+
+3. [Get an Azure AD token for the scanner](#get-an-azure-ad-token-for-the-scanner)
+
+4. [Configure the scanner to apply classification and protection](#configure-the-scanner-to-apply-classification-and-protection)
+
+Next, perform the following configuration procedures as needed for your system:
+
+|Procedure |Description |
+|||
+|[Change which file types to protect](#change-which-file-types-to-protect) |You may want to scan, classify, or protect different file types than the default. For more information, see [The scanning process](deploy-scanner.md#the-scanning-process). |
+|[Upgrading your scanner](#upgrade-your-scanner) | Upgrade your scanner to use the latest features and improvements.|
+|[Editing data repository settings in bulk](#edit-data-repository-settings-in-bulk)| Use import and export options to make changes in bulk for multiple data repositories.|
+|[Use the scanner with alternative configurations](#use-the-scanner-with-alternative-configurations)| Use the scanner without configuring labels with any conditions |
+|[Optimize performance](#optimize-scanner-performance)| Guidance to optimize your scanner performance|
+
+If you don't have access to the scanner pages in the compliance portal, configure any scanner settings in PowerShell only. For more information, see [Use PowerShell to configure the scanner](#use-powershell-to-configure-the-scanner) and [Supported PowerShell cmdlets](#supported-powershell-cmdlets).
++
+## Configure the scanner settings
+
+Before you install the scanner, or upgrade it from an older general availability version, configure or verify your scanner settings.
+
+**To configure your scanner in the Microsoft Purview compliance portal:**
+
+1. Sign in to the [Microsoft Purview compliance portal](https://compliance.microsoft.com) with one of the following roles:
+
+ - **Compliance administrator**
+ - **Compliance data administrator**
+ - **Security administrator**
+ - **Global administrator**
+
+ Then, navigate to the **Settings** pane.
+
+ Within the **Settings** pane, select **Information protection scanner**.
+
+2. [Create a scanner cluster](#create-a-scanner-cluster). This cluster defines your scanner and is used to identify the scanner instance, such as during installation, upgrades, and other processes.
+
+3. [Create a content scan job](#create-a-content-scan-job) to define the repositories you want to scan.
+
+### Create a scanner cluster
+
+**To create a scanner cluster in the Microsoft Purview compliance portal:**
+
+1. From the tabs on the **Information protection scanner** page, select **Clusters**.
+
+2. On the **Clusters** tab, select **Add** ![add icon](../media/i-add.png "add icon").
+
+3. On the **New cluster** pane, enter a meaningful name for the scanner, and an optional description.
+
+ The cluster name is used to identify the scanner's configurations and repositories. For example, you might enter **Europe** to identify the geographical locations of the data repositories you want to scan.
+
+ You'll use this name later on to identify where you want to install or upgrade your scanner.
+
+4. Select **Save** to save your changes.
+
+### Create a content scan job
+
+Deep dive into your content to scan specific repositories for sensitive content.
+
+**To create your content scan job on the Microsoft Purview compliance portal:**
+
+1. From the tabs on the **Information protection scanner** page, select **Content scan jobs**.
+
+2. On the **Content scan jobs** pane, select **Add** ![add icon](../media/i-add.png "save icon").
+
+3. For this initial configuration, configure the following settings, and then select **Save**.
+
+ |Setting |Description |
+ |||
+ |**Content scan job settings** | - **Schedule**: Keep the default of **Manual** <br />- **Info types to be discovered**: Change to **Policy only**
+ |**DLP policy** | If you're using a data loss prevention policy, set **Enable DLP rules** to **On**. For more information, see [Use a DLP policy](#use-a-dlp-policy). |
+ |**Sensitivity policy** | - **Enforce sensitivity labeling policy**: Select **Off** <br />- **Label files based on content**: Keep the default of **On** <br />- **Default label**: Keep the default of **Policy default** <br />- **Relabel files**: Keep the default of **Off** |
+ |**Configure file settings** | - **Preserve "Date modified", "Last modified" and "Modified by"**: Keep the default of **On** <br />- **File types to scan**: Keep the default file types for **Exclude** <br />- **Default owner**: Keep the default of **Scanner Account** <br /> - **Set repository owner**: Use this option only when [using a DLP policy](#use-a-dlp-policy). |
+ | | |
++
+4. Open the content scan job that was saved, and select the **Repositories** tab to specify the data stores to be scanned.
+
+ Specify UNC paths and SharePoint Server URLs for SharePoint on-premises document libraries and folders.
+
+ > [!NOTE]
+ > SharePoint Server 2019, SharePoint Server 2016, and SharePoint Server 2013 are supported for SharePoint. SharePoint Server 2010 is also supported when you have [extended support for this version of SharePoint](https://support.microsoft.com/lifecycle/search?alpha=SharePoint%20Server%202010).
+ >
+ To add your first data store, while on the **Repositories** tab:
+
+ 1. On the **Repositories** pane, select **Add**:
+
+ 2. On the **Repository** pane, specify the path for the data repository, and then select **Save**.
++
+ - For a network share, use `\\Server\Folder`.
+ - For a SharePoint library, use `http://sharepoint.contoso.com/Shared%20Documents/Folder`.
+ - For a local path: `C:\Folder`
+ - For a UNC path: `\\Server\Folder`
+
+ > [!NOTE]
+ > Wildcards are not supported and WebDav locations are not supported.
+ >
+
+ If you add a SharePoint path for **Shared Documents**:
+ - Specify **Shared Documents** in the path when you want to scan all documents and all folders from Shared Documents.
+ For example: `http://sp2013/SharedDocuments`
+ - Specify **Documents** in the path when you want to scan all documents and all folders from a subfolder under Shared Documents.
+ For example: `http://sp2013/Documents/SalesReports`
+ - Or, specify only the **FQDN** of your Sharepoint, for example `http://sp2013` to [discover and scan all SharePoint sites and subsites under a specific URL](deploy-scanner-prereqs.md#discover-and-scan-all-sharepoint-sites-and-subsites-under-a-specific-url) and subtitles under this URL. Grant scanner **Site Collector Auditor** rights to enable this.
+ >
++
+ For the remaining settings on this pane, don't change them for this initial configuration, but keep them as **Content scan job default**. The default setting means that the data repository inherits the settings from the content scan job.
+
+ Use the following syntax when adding SharePoint paths:
+
+ |Path |Syntax |
+ |||
+ |**Root path** | `http://<SharePoint server name>` <br /><br />Scans all sites, including any site collections allowed for the scanner user. <br />Requires [additional permissions](deploy-scanner-prereqs.md#discover-and-scan-all-sharepoint-sites-and-subsites-under-a-specific-url) to automatically discover root content |
+ |**Specific SharePoint subsite or collection** | One of the following: <br />- `http://<SharePoint server name>/<subsite name>` <br />- `http://SharePoint server name>/<site collection name>/<site name>` <br /><br />Requires [additional permissions](deploy-scanner-prereqs.md#discover-and-scan-all-sharepoint-sites-and-subsites-under-a-specific-url) to automatically discover site collection content |
+ |**Specific SharePoint library** | One of the following: <br />- `http://<SharePoint server name>/<library name>` <br />- `http://SharePoint server name>/.../<library name>` |
+ |**Specific SharePoint folder** | `http://<SharePoint server name>/.../<folder name>` |
+ | | |
+
+5. Repeat the previous steps to add as many repositories as needed.
+
+You're now ready to install the scanner with the content scanner job that you've created. Continue with [Install the scanner](#install-the-scanner).
+
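Review bot: In the SharePoint path syntax table, the second entries for "Specific SharePoint subsite or collection" and "Specific SharePoint library" are written `http://SharePoint server name>/...` with the opening "<" missing, so the placeholder no longer reads as one; restore `<SharePoint server name>`. In the same section the repository path bullets list `\\Server\Folder` twice (once as a network share, once as a UNC path), "subtitles under this URL" should be "subsites", the "Site Collector Auditor" name should be checked against the SharePoint role it refers to, and the Shared Documents example `http://sp2013/SharedDocuments` does not match the `Shared%20Documents` form used a few lines earlier.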
+## Install the scanner
+
+After you've [configured the scanner](#configure-the-scanner-settings), perform the following steps to install the scanner. This procedure is performed fully in PowerShell.
+
+1. Sign in to the Windows Server computer that will run the scanner. Use an account that has local administrator rights and that has permissions to write to the SQL Server master database.
+
+ > [!IMPORTANT]
+ > You must have the AIP unified labeling client installed on your machine before installing the scanner.
+ >
+ > For more information, see [Prerequisites for installing and deploying the information protection scanner](deploy-scanner-prereqs.md).
+ >
+
+2. Open a Windows PowerShell session with the **Run as an administrator** option.
+
+3. Run the [Install-AIPScanner](/powershell/module/azureinformationprotection/Install-AIPScanner) cmdlet, specifying your SQL Server instance on which to create a database for the Azure Information Protection scanner, and the scanner cluster name that you [specified in the preceding section](#create-a-scanner-cluster):
+
+ ```PowerShell
+ Install-AIPScanner -SqlServerInstance <name> -Cluster <cluster name>
+ ```
+
+ Examples, using the scanner cluster name of **Europe**:
+
+ - For a default instance: `Install-AIPScanner -SqlServerInstance SQLSERVER1 -Cluster Europe`
+
+ - For a named instance: `Install-AIPScanner -SqlServerInstance SQLSERVER1\AIPSCANNER -Cluster Europe`
+
+ - For SQL Server Express: `Install-AIPScanner -SqlServerInstance SQLSERVER1\SQLEXPRESS -Cluster Europe`
+
+ When you're prompted, provide the Active Directory credentials for the scanner service account.
+
+ Use the following syntax: `\<domain\user name>`. For example: `contoso\scanneraccount`
+
+4. Verify that the service is now installed by using **Administrative Tools** > **Services**.
+
+ The installed service is named **Azure Information Protection Scanner** and is configured to run by using the scanner service account that you created.
+
+Now that you've installed the scanner, you need to [get an Azure AD token for the scanner](#get-an-azure-ad-token-for-the-scanner) service account to authenticate, so that the scanner can run unattended.
+
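Review bot: The credential-format line "Use the following syntax: `\<domain\user name>`" carries a Markdown escape inside a code span, so the rendered syntax starts with a stray backslash; write `<domain\user name>`. The section also mixes product names: the note at the top of the article says the scanner was renamed, yet these steps still refer to the "AIP unified labeling client", the "Azure Information Protection scanner" and a service named "Azure Information Protection Scanner". If the client, cmdlets and Windows service keep the old names, say so once so readers do not go looking for renamed ones.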
+## Get an Azure AD token for the scanner
+
+An Azure AD token allows the scanner to authenticate to the Azure Information Protection service, enabling the scanner to run non-interactively.
+
+For more information, see [How to label files non-interactively for Azure Information Protection](/azure/information-protection/rms-client/clientv2-admin-guide-powershell#how-to-label-files-non-interactively-for-azure-information-protection).
+
+**To get an Azure AD token**:
+
+1. Open the [Azure portal](https://portal.azure.com/) to create an Azure AD application to specify an access token for authentication.
+
+2. From the Windows Server computer, if your scanner service account has been granted the **Log on locally** right for the installation, sign in with this account and start a PowerShell session.
+
+ Run [Set-AIPAuthentication](/powershell/module/azureinformationprotection/set-aipauthentication), specifying the values that you copied from the previous step:
+
+ ```PowerShell
+ Set-AIPAuthentication -AppId <ID of the registered app> -AppSecret <client secret sting> -TenantId <your tenant ID> -DelegatedUser <Azure AD account>
+ ```
+
+ For example:
+
+ ```PowerShell
+ $pscreds = Get-Credential CONTOSO\scanner
+ Set-AIPAuthentication -AppId "77c3c1c3-abf9-404e-8b2b-4652836c8c66" -AppSecret "OAkk+rnuYc/u+]ah2kNxVbtrDGbS47L4" -DelegatedUser scanner@contoso.com -TenantId "9c11c87a-ac8b-46a3-8d5c-f4d0b72ee29a" -OnBehalfOf $pscreds
+ Acquired application access token on behalf of CONTOSO\scanner.
+ ```
+
+ > [!TIP]
+ > If your scanner service account cannot be granted the **Log on locally** right for the installation, use the *OnBehalfOf* parameter with [Set-AIPAuthentication](/powershell/module/azureinformationprotection/set-aipauthentication), as described in [How to label files non-interactively for Azure Information Protection](/azure/information-protection/rms-client/clientv2-admin-guide-powershell#how-to-label-files-non-interactively-for-azure-information-protection).
+ >
+
+The scanner now has a token to authenticate to Azure AD. This token is valid for one year, two years, or never, according to your configuration of the **Web app /API** client secret in Azure AD. When the token expires, you must repeat this procedure.
+
+Continue using one of the following steps, depending on whether you're using the compliance portal to configure your scanner, or PowerShell only:
+
+# [Admin portal only](#tab/azure-portal-only)
+
+You're now ready to run your first scan in discovery mode. For more information, see [Run a discovery cycle and view reports for the scanner](deploy-scanner-manage.md#run-a-discovery-cycle-and-view-reports-for-the-scanner).
+
+Once you've run your initial discovery scan, continue with [Configure the scanner to apply classification and protection](#configure-the-scanner-to-apply-classification-and-protection).
+
+# [PowerShell only](#tab/powershell-only)
+
+If you are configuring and installing your scanner using PowerShell instead of the scanner pages in the compliance portal, continue with step 5 in [Use PowerShell to configure the scanner](#powershell).
+
+Then:
+
+- [Run a discovery cycle and view reports for the scanner](deploy-scanner-manage.md#run-a-discovery-cycle-and-view-reports-for-the-scanner)
+- [Use PowerShell to configure the scanner to apply classification and protection](#use-powershell-to-configure-the-scanner-to-apply-classification-and-protection)
+- [Use PowerShell to configure a DLP policy with the scanner](#use-powershell-to-configure-a-dlp-policy-with-the-scanner)
+++
+> [!NOTE]
+> For more information, see [How to label files non-interactively for Azure Information Protection](/azure/information-protection/rms-client/clientv2-admin-guide-powershell#how-to-label-files-non-interactively-for-azure-information-protection)
+++
+## Configure the scanner to apply classification and protection
+
+The default settings configure the scanner to run once, and in reporting-only mode. To change these settings, edit the content scan job.
+
+> [!TIP]
+> If you're working in PowerShell only, see [Configure the scanner to apply classification and protection - PowerShell only](#use-powershell-to-configure-the-scanner-to-apply-classification-and-protection).
+>
+
+**To configure the scanner to apply classification and protection in the Microsoft Purview compliance portal**:
+
+1. In the Microsoft Purview compliance portal, on the **Content scan jobs** tab, select a specific content scan job to edit it.
+
+2. Select the content scan job, change the following, and then select **Save**:
+
+ - From the **Content scan job** section: Change the **Schedule** to **Always**
+ - From the **Enforce sensitivity labeling policy** section: Change the radio button to **On**
+
+3. Make sure a node for the content scan job is online, then start the content scan job again by selecting **Scan now**. The **Scan now** button only appears when a node for the selected content scan job is online.
+
+The scanner is now scheduled to run continuously. When the scanner works its way through all configured files, it automatically starts a new cycle so that any new and changed files are discovered.
+
+## Use a DLP policy
+
+Using a data loss prevention policy enables the scanner to detect potential data leaks by matching DLP rules to files stored in file shares and SharePoint Server.
+
+- **Enable DLP rules in your content scan job** to reduce the exposure of any files that match your DLP policies. When your DLP rules are enabled, the scanner may reduce file access to data owners only, or reduce exposure to network-wide groups, such as **Everyone**, **Authenticated Users**, or **Domain Users**.
+
+- **In the Microsoft Purview compliance portal**, determine whether you are just testing your DLP policy or whether you want your rules enforced and your file permissions changed according to those rules. For more information, see [Turn on a DLP policy](create-test-tune-dlp-policy.md#turn-on-a-dlp-policy).
+
+DLP policies are configured in the Microsoft Purview compliance portal. For more information about DLP licensing, see [Get started with the data loss prevention on-premises scanner](dlp-on-premises-scanner-get-started.md).
+
+> [!TIP]
+> Scanning your files, even when just testing the DLP policy, also creates file permission reports. Query these reports to investigate specific file exposures or explore the exposure of a specific user to scanned files.
+>
+> To use PowerShell only, see [Use a DLP policy with the scanner - PowerShell only](#use-powershell-to-configure-a-dlp-policy-with-the-scanner).
+>
+
+**To use a DLP policy with the scanner in the Microsoft Purview compliance portal**:
+
+1. In the Microsoft Purview compliance portal, navigate to the **Content scan jobs** tab and select a specific content scan job. For more information, see [Create a content scan job](#create-a-content-scan-job).
+
+2. Under **Enable DLP policy rules**, set the radio button to **On**.
+
+ > [!IMPORTANT]
+ > Do not set **Enable DLP rules** to **On** unless you actually have a DLP policy configured in Microsoft 365.
+ >
+ >Turning this feature on without a DLP policy will cause the scanner to generate errors.
+
+3. (Optional) Set the **Set repository owner** to **On**, and define a specific user as the repository owner.
+
+ This option enables the scanner to reduce the exposure of any files found in this repository, which match the DLP policy, to the repository owner defined.
+
+### DLP policies and *make private* actions
+
+If you are using a DLP policy with a *make private* action, and are also planning to use the scanner to automatically label your files, we recommend that you also define the unified labeling client's [**UseCopyAndPreserveNTFSOwner**](/azure/information-protection/rms-client/clientv2-admin-guide-customizations#preserve-ntfs-owners-during-labeling-public-preview) advanced setting.
+
+This setting ensures that the original owners retain access to their files.
+
+For more information, see [Create a content scan job](#create-a-content-scan-job) and [Apply a sensitivity label to content automatically](apply-sensitivity-label-automatically.md).
+
+## Change which file types to protect
+
+By default the scanner protects Office file types and PDF files only.
+
+Use PowerShell commands to change this behavior as needed, such as to configure the scanner to protect all file types, just as the client does, or to protect additional, specific file types.
+
+For a label policy that applies to the user account downloading labels for the scanner, specify a PowerShell advanced setting named **PFileSupportedExtensions**.
+
+For a scanner that has access to the internet, this user account is the account that you specify for the *DelegatedUser* parameter with the Set-AIPAuthentication command.
+
+**Example 1**: PowerShell command for the scanner to protect all file types, where your label policy is named "Scanner":
+
+```PowerShell
+Set-LabelPolicy -Identity Scanner -AdvancedSettings @{PFileSupportedExtensions="*"}
+```
+
+**Example 2**: PowerShell command for the scanner to protect .xml files and .tiff files in addition to Office files and PDF files, where your label policy is named "Scanner":
+
+```PowerShell
+Set-LabelPolicy -Identity Scanner -AdvancedSettings @{PFileSupportedExtensions=ConvertTo-Json(".xml", ".tiff")}
+```
+
+For more information, see [Change which file types to protect](/azure/information-protection/rms-client/clientv2-admin-guide-customizations#change-which-file-types-to-protect).
+
+## Upgrade your scanner
+
+If you've previously installed the scanner and want to upgrade, use the instructions described in [Upgrading the information protection scanner](/previous-versions/azure/information-protection/rms-client/client-admin-guide#upgrading-the-azure-information-protection-scanner).
+
+Then, [configure](deploy-scanner-configure-install.md) and [use your scanner](deploy-scanner-manage.md) as usual, skipping the steps to install your scanner.
+
+## Edit data repository settings in bulk
+
+Use the **Export** and **Import** buttons to make changes for your scanner across several repositories.
+
+This way, you don't need to make the same changes several times, manually, in the Azure portal or Microsoft Purview compliance portal.
+
+For example, if you've a new file type on several SharePoint data repositories, you may want to update the settings for those repositories in bulk.
+
+**To make changes in bulk across repositories in the Microsoft Purview compliance portal:**
+
+1. In the Microsoft Purview compliance portal, select a specific content scan job and navigate to the **Repositories** tab within the pane. Select the **Export** option.
+
+2. Manually edit the exported file to make your change.
+
+3. Use the **Import** option on the same page to import the updates back across your repositories.
+
+## Use the scanner with alternative configurations
+
+The scanner usually looks for conditions specified for your labels in order to classify and protect your content as needed.
+
+In the following scenarios, the scanner is also able to scan your content and manage labels, without any conditions configured:
+
+- [Apply a default label to all files in a data repository](#apply-a-default-label-to-all-files-in-a-data-repository)
+- [Remove existing labels from all files in a data repository](#remove-existing-labels-from-all-files-in-a-data-repository)
+- [Identify all custom conditions and known sensitive information types](#identify-all-custom-conditions-and-known-sensitive-information-types)
+
+### Apply a default label to all files in a data repository
+
+In this configuration, all unlabeled files in the repository are labeled with the default label specified for the repository or the content scan job. Files are labeled without inspection.
+
+Configure the following settings:
+
+|Setting |Description |
+|||
+|**Label files based on content** |Set to **Off** |
+|**Default label** | Set to **Custom**, and then select the label to use |
+|**Enforce default label** | Select to have the default label applied to all files, even if they're already labeled by turning **Relabel files** and **Enforce default label** on |
+
+### Remove existing labels from all files in a data repository
+
+In this configuration, all existing labels are removed, including protection, if protection was applied with the label. Protection applied independently of a label is retained.
+
+Configure the following settings:
+
+|Setting |Description |
+|||
+|**Label files based on content** |Set to **Off** |
+|**Default label** | Set to **None** |
+|**Relabel files** | Set to **On**, with the **Enforce default label** set to **On**|
+
+### Identify all custom conditions and known sensitive information types
+
+This configuration enables you to find sensitive information that you might not realize you had, at the expense of scanning rates for the scanner.
+
+Set the **Info types to be discovered** to **All**.
+
+To identify conditions and information types for labeling, the scanner uses any custom sensitive information types specified, and the list of built-in sensitive information types that are available to select, as defined in your labeling management center.
+
+## Optimize scanner performance
+
+> [!NOTE]
+> If you're looking to improve the responsiveness of the scanner computer rather than the scanner performance, use an advanced client setting to [limit the number of threads used by the scanner](/azure/information-protection/rms-client/clientv2-admin-guide-customizations#limit-the-number-of-threads-used-by-the-scanner).
+
+Use the following options and guidance to help you optimize scanner performance:
+
+|Option |Description |
+|||
+|**Have a high speed and reliable network connection between the scanner computer and the scanned data store** | For example, place the scanner computer in the same LAN, or preferably, in the same network segment as the scanned data store. <br /><br />The quality of the network connection affects the scanner performance because, to inspect the files, the scanner transfers the contents of the files to the computer running the scanner service. <br /><br />Reducing or eliminating the network hops required for the data to travel also reduces the load on your network. |
+|**Make sure the scanner computer has available processor resources** | Inspecting the file contents and encrypting and decrypting files are processor-intensive actions. <br /><br />Monitor the typical scanning cycles for your specified data stores to identify whether a lack of processor resources is negatively affecting the scanner performance. |
+|**Install multiple instances of the scanner** | The scanner supports multiple configuration databases on the same SQL server instance when you specify a custom cluster name for the scanner. <br /><br />**Tip**: Multiple scanners can also share the same cluster, resulting in quicker scanning times. If you plan to install the scanner on multiple machines with the same database instance, and want your scanners to run in parallel, you must install all your scanners using the same cluster name.|
+|**Check your alternative configuration usage** |The scanner runs more quickly when you use the [alternative configuration](#use-the-scanner-with-alternative-configurations) to apply a default label to all files because the scanner doesn't inspect the file contents. <br/><br />The scanner runs more slowly when you use the [alternative configuration](#use-the-scanner-with-alternative-configurations) to identify all custom conditions and known sensitive information types.|
+
+### Additional factors that affect performance
+
+Additional factors that affect the scanner performance include:
+
+|Factor |Description |
+|||
+|**Load/response times** |The current load and response times of the data stores that contain the files to scan will also affect scanner performance. |
+|**Scanner mode** (Discovery / Enforce) | Discovery mode typically has a higher scanning rate than enforce mode. <br /><br />Discovery requires a single file read action, whereas enforce mode requires read and write actions. |
+|**Policy changes** |Your scanner performance may be affected if you've made changes to the autolabeling in the label policy. <br /><br />Your first scan cycle, when the scanner must inspect every file, will take longer than subsequent scan cycles that by default, inspect only new and changed files. <br /><br />If you change the conditions or autolabeling settings, all files are scanned again. For more information, see [Rescanning files](deploy-scanner-manage.md#rescanning-files).|
+|**Regex constructions** | Scanner performance is affected by how your regex expressions for custom conditions are constructed. <br /><br /> To avoid heavy memory consumption and the risk of timeouts (15 minutes per file), review your regex expressions for efficient pattern matching. <br /><br />For example: <br />- Avoid [greedy quantifiers](/dotnet/standard/base-types/quantifiers-in-regular-expressions) <br />- Use non-capturing groups such as `(?:expression)` instead of `(expression)` |
+|**Log level** | Log level options include **Debug**, **Info**, **Error** and **Off** for the scanner reports.<br /><br />- **Off** results in the best performance <br />- **Debug** considerably slows down the scanner and should be used only for troubleshooting. <br /><br />For more information, see the *ReportLevel* parameter for the [Set-AIPScannerConfiguration](/powershell/module/azureinformationprotection/Set-AIPScannerConfiguration) cmdlet. |
+|**Files being scanned** |- With the exception of Excel files, Office files are more quickly scanned than PDF files. <br /><br />- Unprotected files are quicker to scan than protected files. <br /><br />- Large files obviously take longer to scan than small files. |
+
+## Use PowerShell to configure the scanner
+
+This section describes the steps required to configure and install the scanner when you don't have access to the scanner pages in the Microsoft Purview compliance portal, and must use PowerShell only.
+
+> [!IMPORTANT]
+> - Some steps require Powershell whether or not you are able to access the scanner pages in the compliance portal, and are identical. For these steps, see the earlier instructions in this article as indicated.
+>
+> - If you're working with the scanner for Azure China 21Vianet, additional steps are required in addition to the instructions detailed here. For more information, see [Azure Information Protection support for Office 365 operated by 21Vianet](/microsoft-365/admin/services-in-china/parity-between-azure-information-protection).
+
+For more information, see [Supported PowerShell cmdlets](#supported-powershell-cmdlets).
+
+**To configure and install your scanner**:
+
+1. Start with PowerShell closed. If you've previously installed the AIP client and scanner, make sure that the **AIPScanner** service is stopped.
+
+2. Open a Windows PowerShell session with the **Run as an administrator** option.
+
+3. Run the [Install-AIPScanner](/powershell/module/azureinformationprotection/install-aipscanner) command to install your scanner on your SQL server instance, with the **Cluster** parameter to define your cluster name.
+
+ This step is identical whether or not you're able to access the scanner pages in the compliance portal. For more information, see the earlier instructions in this article: [Install the scanner](#install-the-scanner)
+
+4. Get an Azure token to use with your scanner, and then reauthenticate.
+
+ This step is identical whether or not you're able to access the scanner pages in the compliance portal. For more information, see the earlier instructions in this article: [Get an Azure AD token for the scanner](#get-an-azure-ad-token-for-the-scanner).
+
+5. <a name="powershell"></a>Run the [Set-AIPScannerConfiguration](/powershell/module/azureinformationprotection/set-aipscannerconfiguration) cmdlet to set the scanner to function in offline mode. Run:
+
+ ```powershell
+ Set-AIPScannerConfiguration -OnlineConfiguration Off
+ ```
+
+6. Run the [Set-AIPScannerContentScanJob](/powershell/module/azureinformationprotection/set-aipscannercontentscanjob) cmdlet to create a default content scan job.
+
+ The only required parameter in the **Set-AIPScannerContentScanJob** cmdlet is **Enforce**. However, you might want to define other settings for your content scan job at this time. For example:
+
+ ```powershell
+ Set-AIPScannerContentScanJob -Schedule Manual -DiscoverInformationTypes PolicyOnly -Enforce Off -DefaultLabelType PolicyDefault -RelabelFiles Off -PreserveFileDetails On -IncludeFileTypes '' -ExcludeFileTypes '.msg,.tmp' -DefaultOwner <account running the scanner>
+ ```
+
+ The syntax above configures the following settings while you continue the configuration:
+
+ - Keeps the scanner run scheduling to *manual*
+ - Sets the information types to be discovered based on the sensitivity label policy
+ - Does *not* enforce a sensitivity label policy
+ - Automatically labels files based on content, using the default label defined for the sensitivity label policy
+ - Does *not* allow for relabeling files
+ - Preserves file details while scanning and auto-labeling, including *date modified*, *last modified*, and *modified by* values
+ - Sets the scanner to exclude .msg and .tmp files when running
+ - Sets the default owner to the account you want to use when running the scanner
+
+7. Use the [Add-AIPScannerRepository](/powershell/module/azureinformationprotection/add-aipscannerrepository) cmdlet to define the repositories you want to scan in your content scan job. For example, run:
+
+ ```powershell
+ Add-AIPScannerRepository -OverrideContentScanJob Off -Path 'c:\repoToScan'
+ ```
+
+ Use one of the following syntaxes, depending on the type of repository you're adding:
+
+ - For a network share, use `\\Server\Folder`.
+ - For a SharePoint library, use `http://sharepoint.contoso.com/Shared%20Documents/Folder`.
+ - For a local path: `C:\Folder`
+ - For a UNC path: `\\Server\Folder`
+
+ > [!NOTE]
+ > Wildcards are not supported and WebDav locations are not supported.
+ >
+ > To modify the repository later on, use the [Set-AIPScannerRepository](/powershell/module/azureinformationprotection/set-aipscannerrepository) cmdlet instead.
+
+ If you add a SharePoint path for **Shared Documents**:
+ - Specify **Shared Documents** in the path when you want to scan all documents and all folders from Shared Documents.
+ For example: `http://sp2013/SharedDocuments`
+ - Specify **Documents** in the path when you want to scan all documents and all folders from a subfolder under Shared Documents.
+ For example: `http://sp2013/Documents/SalesReports`
+ - Or, specify only the **FQDN** of your Sharepoint, for example `http://sp2013` to [discover and scan all SharePoint sites and subsites under a specific URL](deploy-scanner-prereqs.md#discover-and-scan-all-sharepoint-sites-and-subsites-under-a-specific-url) and subtitles under this URL. Grant scanner **Site Collector Auditor** rights to enable this.
++
+ Use the following syntax when adding SharePoint paths:
+
+ |Path |Syntax |
+ |||
+ |**Root path** | `http://<SharePoint server name>` <br /><br />Scans all sites, including any site collections allowed for the scanner user. <br />Requires [additional permissions](/previous-versions/azure/information-protection/quickstart-findsensitiveinfo#permission-users-to-scan-sharepoint-repositories) to automatically discover root content |
+ |**Specific SharePoint subsite or collection** | One of the following: <br />- `http://<SharePoint server name>/<subsite name>` <br />- `http://SharePoint server name>/<site collection name>/<site name>` <br /><br />Requires [additional permissions](/previous-versions/azure/information-protection/quickstart-findsensitiveinfo#permission-users-to-scan-sharepoint-repositories) to automatically discover site collection content |
+ |**Specific SharePoint library** | One of the following: <br />- `http://<SharePoint server name>/<library name>` <br />- `http://SharePoint server name>/.../<library name>` |
+ |**Specific SharePoint folder** | `http://<SharePoint server name>/.../<folder name>` |
+
+Continue with the following steps as needed:
+
+- [Configuration for customers in China](/microsoft-365/admin/services-in-china/parity-between-azure-information-protection)
+- [Run a discovery cycle and view reports for the scanner](deploy-scanner-manage.md#run-a-discovery-cycle-and-view-reports-for-the-scanner)
+- [Use PowerShell to configure the scanner to apply classification and protection](#use-powershell-to-configure-the-scanner-to-apply-classification-and-protection)
+- [Use PowerShell to configure a DLP policy with the scanner](#use-powershell-to-configure-a-dlp-policy-with-the-scanner)
+
+### Use PowerShell to configure the scanner to apply classification and protection
+
+1. Run the [Set-AIPScannerContentScanJob](/powershell/module/azureinformationprotection/set-aipscannercontentscanjob) cmdlet to update your content scan job to set your scheduling to always and enforce your sensitivity policy.
+
+ ```powershell
+ Set-AIPScannerContentScanJob -Schedule Always -Enforce On
+ ```
+
+ > [!TIP]
+ > You may want to change other settings on this pane, such as whether file attributes are changed and whether the scanner can relabel files. For more information about the settings available, see the full [PowerShell documentation](/powershell/module/azureinformationprotection/set-aipscannercontentscanjob).
+
+2. Run the [Start-AIPScan](/powershell/module/azureinformationprotection/start-aipscan) cmdlet to run your content scan job:
+
+ ```PowerShell
+ Start-AIPScan
+ ```
+
+The scanner is now scheduled to run continuously. When the scanner works its way through all configured files, it automatically starts a new cycle so that any new and changed files are discovered.
+
+### Use PowerShell to configure a DLP policy with the scanner
+
+Run the [Set-AIPScannerContentScanJob](/powershell/module/azureinformationprotection/set-aipscannercontentscanjob) cmdlet again with the **-EnableDLP** parameter set to **On**, and with a specific repository owner defined.
+
+For example:
+
+```powershell
+Set-AIPScannerContentScanJob -EnableDLP On -RepositoryOwner 'domain\user'
+```
+
+## Supported PowerShell cmdlets
+
+This section lists PowerShell cmdlets supported for the information protection scanner and instructions for configuring and installing the scanner with PowerShell only.
+
+Supported cmdlets for the scanner include:
+
+- [Add-AIPScannerRepository](/powershell/module/azureinformationprotection/add-aipscannerrepository)
+
+- [Export-AIPLogs](/powershell/module/azureinformationprotection/Export-AIPLogs)
+
+- [Get-AIPScannerConfiguration](/powershell/module/azureinformationprotection/Get-AIPScannerConfiguration)
+
+- [Get-AIPScannerContentScanJob](/powershell/module/azureinformationprotection/get-aipscannercontentscanjob)
+
+- [Get-AIPScannerRepository](/powershell/module/azureinformationprotection/get-aipscannerrepository)
+
+- [Get-AIPScannerStatus](/powershell/module/azureinformationprotection/Get-AIPScannerStatus)
+
+- [Get-MIPNetworkDiscoveryConfiguration](/powershell/module/azureinformationprotection/Get-MIPNetworkDiscoveryConfiguration)
+
+- [Get-MIPNetworkDiscoveryJobs](/powershell/module/azureinformationprotection/Get-MIPNetworkDiscoveryJobs)
+
+- [Get-MIPNetworkDiscoveryStatus](/powershell/module/azureinformationprotection/Get-MIPNetworkDiscoveryStatus)
+
+- Get-MIPScannerContentScanJob
+
+- [Get-AIPScannerRepository](/powershell/module/azureinformationprotection/get-aipscannerrepository)
+
+- [Import-AIPScannerConfiguration](/powershell/module/azureinformationprotection/Import-AIPScannerConfiguration)
+
+- [Set-MIPNetworkDiscovery](/powershell/module/azureinformationprotection/set-mipnetworkdiscovery)
+
+- [Import-MIPNetworkDiscoveryConfiguration](/powershell/module/azureinformationprotection/Import-MIPNetworkDiscoveryConfiguration)
+
+- [Install-AIPScanner](/powershell/module/azureinformationprotection/Install-AIPScanner)
+
+- [Install-MIPNetworkDiscovery](/powershell/module/azureinformationprotection/Install-MIPNetworkDiscovery)
+
+- Remove-MIPScannerContentScanJob
+
+- [Remove-AIPScannerRepository](/powershell/module/azureinformationprotection/remove-aipscannerrepository)
+
+- [Set-AIPScanner](/powershell/module/azureinformationprotection/Set-AIPScanner)
+
+- [Set-AIPScannerConfiguration](/powershell/module/azureinformationprotection/Set-AIPScannerConfiguration)
+
+- [Set-AIPScannerContentScanJob](/powershell/module/azureinformationprotection/set-aipscannercontentscanjob)
+
+- [Set-AIPScannerRepository](/powershell/module/azureinformationprotection/set-aipscannerrepository)
+
+- [Set-MIPNetworkDiscoveryConfiguration](/powershell/module/azureinformationprotection/Set-MIPNetworkDiscoveryConfiguration)
+
+- Set-MIPScannerContentScanJob
+
+- [Set-AIPScannerRepository](/powershell/module/azureinformationprotection/set-aipscannerrepository)
+
+- [Start-AIPScan](/powershell/module/azureinformationprotection/Start-AIPScan)
+
+- [Start-AIPScanDiagnostics](/powershell/module/azureinformationprotection/Start-AIPScannerDiagnostics)
+
+- [Start-MIPNetworkDiscovery](/powershell/module/azureinformationprotection/Start-MIPNetworkDiscovery)
+
+- [Stop-AIPScan](/powershell/module/azureinformationprotection/Stop-AIPScan)
+
+- [Remove-AIPScannerContentScanJob](/powershell/module/azureinformationprotection/remove-aipscannercontentscanjob)
+
+- [Remove-AIPScannerRepository](/powershell/module/azureinformationprotection/remove-aipscannerrepository)
+
+- [Uninstall-AIPScanner](/powershell/module/azureinformationprotection/Uninstall-AIPScanner)
+
+- [Uninstall-MIPNetworkDiscovery](/powershell/module/azureinformationprotection/Uninstall-MIPNetworkDiscovery)
+
+- [Update-AIPScanner](/powershell/module/azureinformationprotection/Update-AIPScanner)
++
+## Next steps
+
+Once you've installed and configured your scanner, start [scanning your files](deploy-scanner-manage.md).
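Review bot: the Set-AIPAuthentication example under "Get an Azure AD token for the scanner" passes the client secret as a literal `-AppSecret "..."` argument, which leaves it in the PowerShell command history and in any transcript or command-line logging on the scanner server. Consider showing the secret being read into a variable from a prompt or a secret store, and say so in step 2. The same example uses `-OnBehalfOf $pscreds` although step 2 describes the signed-in case and the tip reserves *OnBehalfOf* for accounts that can't be granted **Log on locally**, and it mixes the output line "Acquired application access token on behalf of CONTOSO\scanner." into the command fence. In the paragraph after the tip, "valid for one year, two years, or never" reads as if the token might never be valid; presumably it means the client secret never expires, and a non-expiring secret for an unattended service account deserves a sentence on rotation. Smaller fixes in this file: `<client secret sting>` should read "string"; the `+++` lines around the [!NOTE] after the two tabs look like a lost tab terminator; `http://SharePoint server name>` is missing its opening `<` in two table rows; "and subtitles under this URL" looks like a duplicated "subsites"; the network share and UNC path bullets give the same `\\Server\Folder` syntax; and the cmdlet list repeats the Get-, Set- and Remove-AIPScannerRepository entries, leaves three MIPScannerContentScanJob entries unlinked, and links `Start-AIPScanDiagnostics` to a `Start-AIPScannerDiagnostics` URL.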
compliance Deploy Scanner Manage https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/deploy-scanner-manage.md
+
+ Title: "Running the Microsoft Purview Information Protection scanner"
+f1.keywords:
+++ Last updated :
+audience: Admin
++
+ms.localizationpriority: normal
+
+- purview-compliance
+- tier3
+description: Instructions for running the scanner from Microsoft Purview Information Protection to discover, classify, and protect files on data stores.
++
+# Running the information protection scanner
+
+Once you've confirmed your [system requirements](deploy-scanner-prereqs.md) and [configured and installed your scanner](deploy-scanner-configure-install.md), [run a discovery scan](#run-a-discovery-cycle-and-view-reports-for-the-scanner) to get started.
+
+Use other steps detailed below to manage your scans moving forward.
+
+- [Stop a scan](#stopping-a-scan)
+- [Rescanning files](#rescanning-files)
+
+For more information, see [Learn about the Microsoft Purview Information Protection scanner](deploy-scanner.md).
+
+> [!TIP]
+> While most customers will perform these procedures in the admin portal, you may need to work in PowerShell only.
+>
+> For example, if you are working in an environment without access to the Azure portal, such as [Azure China 21Vianet scanner servers](/microsoft-365/admin/services-in-china/parity-between-azure-information-protection#manage-azure-information-protection-content-scan-jobs), authenticate to the [AzureInformationProtection](/powershell/module/azureinformationprotection) PowerShell module, and then continue with instructions in this article for PowerShell only.
+>
+## Run a discovery cycle and view reports for the scanner
+
+Use the following procedure after you've [configured and installed your scanner](deploy-scanner-configure-install.md) to get an initial understanding of your content.
+
+Perform these steps again as needed when your content changes.
+
+1. Start a scan on your content scan job.
+
+ Do either of the following to start a content scan job:
+
+ - **Use the Microsoft Purview compliance portal.** On the **Information protection scanner - Content scan jobs** pane, select your content scan jobs, and then select the **Scan now** option. The **Scan now** option only appears once a content scan job is selected.
+
+ - **Use a PowerShell command.** Run `Start-AIPScan` to start the scan.
+
+1. Wait for the scanner to complete its cycle. The scan completes when the scanner has crawled through all the files in the specified data stores.
+
+ Do either of the following to monitor scanner progress:
+
+ - **Use the Microsoft Purview compliance portal.** On the **Information protection scanner - Content scan jobs** pane, select **Refresh**.
+
+ Wait until you see values for the **LAST SCAN RESULTS** column and the **LAST SCAN (END TIME)** column.
+
+ - **Use a PowerShell command.** Run `Get-AIPScannerStatus` to monitor the status change.
+
+1. When the scan is complete, review the reports stored in the **%*localappdata*%\Microsoft\MSIP\Scanner\Reports** directory.
+
+ - The .txt summary files include the time taken to scan, the number of scanned files, and how many files had a match for the information types.
+
+ - The .csv files have more details for each file. This folder stores up to 60 reports for each scanning cycle and all but the latest report is compressed to help minimize the required disk space.
+
+ When a scan is completed, a `Summary_<x>.txt` file is created with the scan summary.
+
+> [!NOTE]
+> Scanners send collected data information to Microsoft Purview Information Protection every five minutes, so that you can view the results in near real time from the admin portal. For more information, see [Analytics and central reporting for Azure Information Protection](/azure/information-protection/reports-aip).
+>
+> The admin portal displays information about the last scan only. If you need to see the results of previous scans, return to the reports that are stored on the scanner computer, in the %*localappdata*%\Microsoft\MSIP\Scanner\Reports folder.
+>
+
+[Initial configurations](deploy-scanner-configure-install.md#configure-the-scanner-settings) instruct you to set the **Info types to be discovered** to **Policy only**. This configuration means that only files that meet the conditions you've configured for automatic classification are included in the detailed reports.
+
+If you don't see any labels applied, check that your label configuration includes automatic rather than recommended classification, or enable **Treat recommended labeling as automatic** (available in scanner version 2.7.x.x and above).
+
+If the results are still not as you expect, you might need to reconfigure the conditions that you specified for your labels. If that's the case, reconfigure the conditions as needed, and repeat this procedure until you're satisfied with the results. Then, update your configuration automatically, and optionally protection.
+
+### Changing log levels or locations
+
+Change the level of logging by using the *ReportLevel* parameter with [Set-AIPScannerConfiguration](/powershell/module/azureinformationprotection/set-aipscannerconfiguration).
+
+The report folder location or name can't be changed. If you want to store reports in a different location, consider using a directory junction for the folder.
+
+For example, use the [Mklink](/windows-server/administration/windows-commands/mklink) command: `mklink /j D:\Scanner_reports C:\Users\aipscannersvc\AppData\Local\Microsoft\MSIP\Scanner\Reports`
+
+If you've performed these steps after an initial configuration and installation, continue with [Configure the scanner to apply classification and protection](deploy-scanner-configure-install.md#configure-the-scanner-to-apply-classification-and-protection).
+
+## Stopping a scan
+
+To stop a currently running scan before it's complete, use either of the following methods:
+
+- **Microsoft Purview compliance portal.** Select **Stop scan**:
+
+- **Run a PowerShell command.** Run the following command:
+
+ ```PowerShell
+ Stop-AIPScan
+ ```
+
+## Rescanning files
+
+For the [first scan cycle](#run-a-discovery-cycle-and-view-reports-for-the-scanner), the scanner inspects all files in the configured data stores. For subsequent scans, only new or modified files are inspected.
+
+It is useful to inspect all files again when you want the reports to include all files, when you have changes that you want to apply across all files, and when the scanner runs in discovery mode.
+
+**To manually run a full rescan in the Microsoft Purview compliance portal**:
+
+1. Navigate to the **Information protection scanner - Content scan jobs** pane in the Microsoft Purview compliance portal.
+
+2. Select your content scan job from the list, and then select the **Rescan all files** option:
+
+When a full scan is complete, the scan type automatically changes to incremental so that for subsequent scans, only new or modified files are scanned again.
+
+> [!TIP]
+> If you've made changes to your [content scan job](deploy-scanner-configure-install.md#create-a-content-scan-job), the compliance portal will prompt you to skip a full rescan. To ensure that your rescan occurs, make sure to select **No** in the prompt that appears.
+>
+
+### Trigger a full rescan by modifying your settings
+
+Earlier versions of the scanner scanned all files whenever the scanner detected new or changed settings for automatic and recommended labeling. The scanner automatically refreshed the policy every four hours.
+
+In scanner versions 2.8.85.0 or later, the information protection scanner skips the full rescan for updated settings to ensure consistent performance. Make sure that you [run a full rescan manually](#rescanning-files) as needed.
+
+For example, if youΓÇÖve changed **Sensitivity policy** settings from **Enforce = Off** to **Enforce = On**, make sure to run a full rescan to apply your labels across your content.
+
+> [!NOTE]
+> In scanner version [2.7.101.0](/azure/information-protection/rms-client/unifiedlabelingclient-version-release-history#general-availability-versions-that-are-no-longer-supported) and lower, you may want to refresh the policy sooner than every four hours, such as while testing. In such cases, manually delete the contents of the **%LocalAppData%\Microsoft\MSIP\mip\<processname>\mip** directory and restart the Azure Information Protection service.
+>
+> If you've also changed encryption settings for your sensitivitiy labels, wait an extra 15 minutes from when you saved the updated encryption settings before restarting the Azure Information Protection service.
+>
+
+## Next steps
+
+You can also use PowerShell to interactively classify and protect files from your desktop computer. For more information about this and other scenarios that use PowerShell, see [Using PowerShell with the Azure Information Protection unified labeling client](/azure/information-protection/rms-client/clientv2-admin-guide-powershell).
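Review bot: In "Changing log levels or locations", the example `mklink /j D:\Scanner_reports C:\Users\aipscannersvc\AppData\Local\Microsoft\MSIP\Scanner\Reports` does not do what the sentence before it describes. Mklink takes the link name first and the target second, so this creates D:\Scanner_reports as a junction that points at the existing Reports folder, and the report files remain on C:. If the goal is to store reports on another volume, the junction has to sit at the Reports path and point to the folder on D:. The text should also state that the scanner service account needs write access to that folder, and that it should be access-restricted like the original because the .csv reports hold per-file details. Smaller points in the same hunk: "Then, update your configuration automatically, and optionally protection." is missing words (the link in the next section suggests "to apply classification"), "sensitivitiy" is misspelled in the last note, "all but the latest report is compressed" should read "are compressed", and the "Select **Stop scan**:" and "**Rescan all files** option:" lines end in a colon with nothing after them.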
compliance Deploy Scanner Prereqs https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/deploy-scanner-prereqs.md
+
+ Title: "Get started with the Microsoft Purview Information Protection scanner"
+f1.keywords:
+++ Last updated :
+audience: Admin
++
+ms.localizationpriority: normal
+
+- purview-compliance
+- tier3
+description: Lists prerequisites for installing and deploying the Microsoft Purview Information Protection scanner.
++
+# Get started with the information protection scanner
+
+Before installing the scanner from Microsoft Purview Information Protection, make sure that your system complies with basic [Azure Information Protection requirements](/azure/information-protection/requirements).
+
+Additionally, the following requirements are specific for the scanner:
+
+- [Windows Server requirements](#windows-server-requirements)
+- [Service account requirements](#service-account-requirements)
+- [SQL server requirements](#sql-server-requirements)
+- [Azure Information Protection client requirements](#azure-information-protection-client-requirements)
+- [Label configuration requirements](#label-configuration-requirements)
+- [SharePoint requirements](#sharepoint-requirements)
+- [Microsoft Office requirements](#microsoft-office-requirements)
+- [File path requirements](#file-path-requirements)
+
+If you can't meet all the requirements listed for the scanner because they are prohibited by your organization policies, see the [alternative configurations](#deploying-the-scanner-with-alternative-configurations) section.
+
+When deploying the scanner in production or testing the performance for multiple scanners, see [Storage requirements and capacity planning for SQL Server](#storage-requirements-and-capacity-planning-for-sql-server).
+
+When you're ready to start installing and deploying your scanner, continue with [Configuring and installing the information protection scanner](deploy-scanner-configure-install.md).
+
+## Windows Server requirements
+
+You must have a Windows Server computer to run the scanner, which has the following system specifications:
+
+|Specification |Details |
+|||
+|**Processor** |4 core processors |
+|**RAM** |8 GB |
+|**Disk space** |10-GB free space (average) for temporary files. </br></br>The scanner requires sufficient disk space to create temporary files for each file that it scans, four files per core. </br></br>The recommended disk space of 10 GB allows for 4 core processors scanning 16 files that each have a file size of 625 MB.
+|**Operating system** |64-bit versions of: <br><br>- Windows Server 2019 </br>- Windows Server 2016 </br>- Windows Server 2012 R2 </br></br>**Note**: For testing or evaluation purposes in a non-production environment, you can also use any Windows operating system that is [supported by the Azure Information Protection client](/azure/information-protection/requirements#client-devices).
+|**Network connectivity** | Your scanner computer can be a physical or virtual computer with a fast and reliable network connection to the data stores to be scanned. </br></br> If internet connectivity is not possible because of your organization policies, see [Deploying the scanner with alternative configurations](#deploying-the-scanner-with-alternative-configurations). </br></br>Otherwise, make sure that this computer has internet connectivity that allows the following URLs over HTTPS (port 443):</br><br />- \*.aadrm.com <br />- \*.azurerms.com<br />- \*.informationprotection.azure.com <br /> - informationprotection.hosting.portal.azure.net <br /> - \*.aria.microsoft.com <br />- \*.protection.outlook.com |
+|**NFS shares** |To support scans on NFS shares, services for NFS must be deployed on the scanner machine. <br><br>On your machine, navigate to the **Windows Features (Turn Windows features on or off)** settings dialog, and select the following items: **Services for NFS** > **Administrative Tools** and **Client for NFS**. |
+| **Microsoft Office iFilter** |When your scanner is installed on a Windows server machine, you must also install the Microsoft Office iFilter in order to scan .zip files for sensitive information types. <br><br>For more information, see the [Microsoft download site](https://www.microsoft.com/en-us/download/details.aspx?id=17062).|
+
+## Service account requirements
+
+You must have a service account to run the scanner service on the Windows Server computer, as well as authenticate to Azure AD and download the scanner's policy.
+
+Your service account must be an Active Directory account and synchronized to Azure AD.
+
+If you cannot synchronize this account because of your organization policies, see [Deploying the scanner with alternative configurations](#deploying-the-scanner-with-alternative-configurations).
+
+This service account has the following requirements:
+
+|Requirement |Details |
+|||
+|**Log on locally** user right assignment |Required to install and configure the scanner, but not required to run scans. </br></br>Once you've confirmed that the scanner can discover, classify, and protect files, you can remove this right from the service account. </br></br>If granting this right even for a short period of time is not possible because of your organization policies, see [Deploying the scanner with alternative configurations](#deploying-the-scanner-with-alternative-configurations). |
+|**Log on as a service** user right assignment. | This right is automatically granted to the service account during the scanner installation and this right is required for the installation, configuration, and operation of the scanner. |
+|**Permissions to the data repositories** |- **File shares or local files**: Grant **Read**, **Write**, and **Modify** permissions for scanning the files and then applying classification and protection as configured. <br /><br />- **SharePoint**: You must grant **Full Control** permissions for scanning the files and then applying classification and protection to the files that meet the conditions in the Azure Information Protection policy. <br /><br />- **Discovery mode**: To run the scanner in discovery mode only, **Read** permission is sufficient. |
+|**For labels that reprotect or remove protection** | To ensure that the scanner always has access to encrypted files, make this account a [super user](/azure/information-protection/configure-super-users) for Azure Information Protection, and ensure that the super user feature is enabled. </br></br>Additionally, if you've implemented [onboarding controls](/azure/information-protection/activate-service#configuring-onboarding-controls-for-a-phased-deployment) for a phased deployment, make sure that the service account is included in the onboarding controls you've configured.|
+|**Specific URL level scanning** |To scan and discover sites and subsites [under a specific URL](#deploying-the-scanner-with-alternative-configurations), grant **Site Collector Auditor** rights to the scanner account on the farm level.|
+|**License for information protection** | Required to provide file classification, labeling, or protection capabilities to the scanner service account. <br><br>For more information, see the [Microsoft 365 guidance for security & compliance](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance#information-protection-sensitivity-labeling). |
+
+## SQL server requirements
+
+To store the scanner configuration data, use an SQL server with the following requirements:
+
+- **A local or remote instance.**
+
+ We recommend hosting the SQL server and the scanner service on different machines, unless you're working with a small deployment. Additionally, we recommend having a dedicated SQL instance that serves the scanner database only, and that is not shared with other applications.
+
+ If you're working on a shared server, make sure that the [recommended number of cores](#windows-server-requirements) are free for the scanner database to work.
+
+ SQL Server 2016 is the minimum version for the following editions:
+
+ - SQL Server Enterprise
+
+ - SQL Server Standard
+
+ - SQL Server Express (recommended for test environments only)
+
+- **An account with Sysadmin role to install the scanner.**
+
+ The Sysadmin role enables the installation process to automatically create the scanner configuration database and grant the required **db_owner** role to the service account that runs the scanner.
+
+ If you cannot be granted the Sysadmin role or your organization policies require databases to be created and configured manually, see [Deploying the scanner with alternative configurations](#deploying-the-scanner-with-alternative-configurations).
+
+- **Capacity.** For capacity guidance, see [Storage requirements and capacity planning for SQL Server](#storage-requirements-and-capacity-planning-for-sql-server).
+
+- **[Case insensitive collation](/sql/relational-databases/collations/collation-and-unicode-support).**
+
+> [!NOTE]
+> Multiple configuration databases on the same SQL server are supported when you specify a custom cluster name for the scanner, or when you use the preview version of the scanner.
+
+### Storage requirements and capacity planning for SQL Server
+
+The amount of disk space required for the scanner's configuration database and the specification of the computer running SQL Server can vary for each environment, so we encourage you to do your own testing. Use the following guidance as a starting point.
+
+For more information, see [Optimizing the performance of the scanner](deploy-scanner-configure-install.md#optimize-scanner-performance).
+
+The disk size for the scanner configuration database will vary for each deployment. Use the following equation as guidance:
+
+```cli
+100 KB + <file count> *(1000 + 4* <average file name length>)
+```
+
+For example, to scan 1 million files that have an average file name length of 250 bytes, allocate 2-GB disk space.
+
+For multiple scanners:
+
+- **Up to 10 scanners**, use:
+
+ - 4 core processors
+ - 8-GB RAM recommended
+
+- **More than 10 scanners** (maximum 40), use:
+ - 8 core processes
+ - 16-GB RAM recommended
+
+## Azure Information Protection client requirements
+
+You must have either the [current general availability version](/azure/information-protection/rms-client/unifiedlabelingclient-version-release-history) of the Azure Information Protection client installed on the Windows Server computer.
+
+For more information, see the [Azure Information Protection unified labeling client administrator guide](/azure/information-protection/rms-client/clientv2-admin-guide#installing-the-azure-information-protection-scanner).
+
+> [!IMPORTANT]
+> You must install the full client for the scanner. Do not install the client with just the PowerShell module.
+>
+
+## Label configuration requirements
+
+You must have at least one sensitivity label configured in the Microsoft Purview compliance portal for the scanner account, to apply classification and, optionally, encryption.
+
+The *scanner account* is the account that you'll specify in the **DelegatedUser** parameter of the [Set-AIPAuthentication](/powershell/module/azureinformationprotection/set-aipauthentication) cmdlet, run when configuring your scanner.
+
+If your labels don't have auto-labeling conditions, see the [instructions for alternative configurations](#restriction-your-labels-do-not-have-auto-labeling-conditions) below.
+
+For more information, see:
+
+- [Learn about sensitivity labels](sensitivity-labels.md)
+- [Apply a sensitivity label to content automatically](apply-sensitivity-label-automatically.md)
+- [Restrict access to content by using encryption in sensitivity labels](encryption-sensitivity-labels.md)
+- [Configuring and installing the information protection scanner](deploy-scanner-configure-install.md)
+
+## SharePoint requirements
+
+To scan SharePoint document libraries and folders, ensure that your SharePoint server complies with the following requirements:
+
+|Requirement |Description |
+|||
+|**Supported versions** | Supported versions include: SharePoint 2019, SharePoint 2016, and SharePoint 2013. <br> Other versions of SharePoint are not supported for the scanner. |
+|**Versioning** | When you use [versioning](/sharepoint/governance/versioning-content-approval-and-check-out-planning), the scanner inspects and labels the last published version. <br><br>If the scanner labels a file and [content approval](/sharepoint/governance/versioning-content-approval-and-check-out-planning#plan-content-approval) is required, that labeled file must be approved to be available for users. |
+|**Large SharePoint farms** |For large SharePoint farms, check whether you need to increase the list view threshold (by default, 5,000) for the scanner to access all files. <br><br>For more information, see [Manage large lists and libraries in SharePoint](https://support.office.com/article/manage-large-lists-and-libraries-in-sharepoint-b8588dae-9387-48c2-9248-c24122f07c59#__bkmkchangelimit&ID0EAABAAA=Server). |
+|**Long file paths** |If you have long file paths in SharePoint, ensure that your SharePoint server's [httpRuntime.maxUrlLength](/dotnet/api/system.web.configuration.httpruntimesection.maxurllength) value is larger than the default 260 characters. <br><br>For more information, see [Avoid scanner timeouts in SharePoint](/azure/information-protection/rms-client/clientv2-admin-guide-customizations#avoid-scanner-timeouts-in-sharepoint). |
+
+## Microsoft Office requirements
+
+To scan Office documents, your documents must be in one of the following formats:
+
+- Microsoft Office 97-2003
+- Office Open XML formats for Word, Excel, and PowerPoint
+
+For more information, see [File types supported by the Azure Information Protection unified labeling client](/azure/information-protection/rms-client/clientv2-admin-guide-file-types).
+
+## File path requirements
+
+By default, to scan files, your file paths must have a maximum of 260 characters.
+
+To scan files with file paths of more than 260 characters, install the scanner on a computer with one of the following Windows versions, and configure the computer as needed:
+
+|Windows version |Description |
+|||
+|**Windows 2016 or later** | Configure the computer to support long paths |
+|**Windows 10 or Windows Server 2016** | Define the following [group policy setting](/archive/blogs/jeremykuhne/net-4-6-2-and-long-paths-on-windows-10): **Local Computer Policy** > **Computer Configuration** > **Administrative Templates** > **All Settings** > **Enable Win32 long paths**. </br></br>For more information long file path support in these versions, see the [Maximum Path Length Limitation](/windows/desktop/FileIO/naming-a-file#maximum-path-length-limitation) section from the Windows 10 developer documentation. |
+|**Windows 10, version 1607 or later** | Opt in for the updated **MAX_PATH** functionality. For more information, see [Enable Long Paths in Windows 10 versions 1607 and later](/windows/win32/fileio/naming-a-file#enable-long-paths-in-windows-10-version-1607-and-later). |
+
+## Deploying the scanner with alternative configurations
+
+The prerequisites listed above are the default requirements for the scanner deployment, and recommended because they support the simplest scanner configuration.
+
+The default requirements should be suitable for initial testing, so that you can check the capabilities of the scanner.
+
+However, in a production environment, your organization's policies may be different than the default requirements. The scanner can accommodate the following changes with additional configuration:
+
+- [Discover and scan all sites and subsites under a specific URL](#discover-and-scan-all-sharepoint-sites-and-subsites-under-a-specific-url)
+
+- [Restriction: The scanner server cannot have internet connectivity](#restriction-the-scanner-server-cannot-have-internet-connectivity)
+
+- [Restriction: The scanner service account cannot be synchronized to Azure Active Directory but the server has internet connectivity](#restriction-the-scanner-service-account-cannot-be-synchronized-to-azure-active-directory-but-the-server-has-internet-connectivity)
+
+- [Restriction: The service account for the scanner cannot be granted the **Log on locally** right](#restriction-the-service-account-for-the-scanner-cannot-be-granted-the-log-on-locally-right)
+
+- [Restriction: You cannot be granted Sysadmin or databases must be created and configured manually](#restriction-you-cannot-be-granted-sysadmin-or-databases-must-be-created-and-configured-manually)
+
+- [Restriction: Your labels do not have auto-labeling conditions](#restriction-your-labels-do-not-have-auto-labeling-conditions)
+
+### Discover and scan all Sharepoint sites and subsites under a specific URL
+
+The scanner can discover and scan all Sharepoint sites and subsites under a specific URL with the following configuration:
+
+1. Start **SharePoint Central Administration**.
+
+1. On the **SharePoint Central Administration** website, in the **Application Management** section, click **Manage web applications**.
+
+1. Click to highlight the web application whose permission policy level you want to manage.
+
+1. Choose the relevant farm and then select **Manage Permissions Policy Levels**.
+
+1. Select **Site Collection Auditor** in the **Site Collection Permissions** options, then grant **View Application Pages** in the Permissions list, and finally, name the new policy level **AIP scanner site collection auditor and viewer**.
+
+1. Add your scanner user to the new policy and grant **Site collection** in the Permissions list.
+
+1. Add a URL of the SharePoint that hosts sites or subsites that need to be scanned. For more information, see [Configure the scanner settings](/azure/information-protection/deploy-scanner-configure-install#configure-the-scanner-settings).
+
+To learn more about how to manage your SharePoint policy levels see, [manage permission policies for a web application](/sharepoint/administration/manage-permission-policies-for-a-web-application).
+
+### Restriction: The scanner server cannot have internet connectivity
+
+While the unified labeling client cannot apply encryption without an internet connection, the scanner can still apply labels based on imported policies.
+
+To support a disconnected computer, use one of the following methods:
+
+- [Use the Azure portal](#use-the-azure-portal-with-a-disconnected-computer) (recommended when possible)
+
+- [Use PowerShell](#use-powershell-with-a-disconnected-computer)
+
+#### Use the Azure portal with a disconnected computer
+
+To support a disconnected computer from the Azure portal, perform the following steps:
+
+1. Configure labels in your policy, and then use the [procedure to support disconnected computers](/azure/information-protection/rms-client/clientv2-admin-guide-customizations#support-for-disconnected-computers) to enable offline classification and labeling.
+
+1. Enable offline management for content jobs as follows:
+
+ **Enable offline management for content scan jobs**:
+
+ 1. Set the scanner to function in **offline** mode, using the [Set-AIPScannerConfiguration](/powershell/module/azureinformationprotection/set-aipscannerconfiguration) cmdlet.
+
+ 1. Configure the scanner in the compliance portal by creating a scanner cluster. For more information, see [Configure the scanner settings](deploy-scanner-configure-install.md#configure-the-scanner-settings).
+
+ 1. Export your content job from the **Information protection - Content scan jobs** pane using the **Export** option.
+
+ 1. Import the policy using the [Import-AIPScannerConfiguration](/powershell/module/azureinformationprotection/import-aipscannerconfiguration) cmdlet.
+
+ Results for offline content scan jobs are located at: **%localappdata%\Microsoft\MSIP\Scanner\Reports**
+
+#### Use PowerShell with a disconnected computer
+
+Perform the following procedure to support a disconnected computer using PowerShell only.
+
+> [!IMPORTANT]
+> Admins of [Azure China 21Vianet scanner servers](/microsoft-365/admin/services-in-china/parity-between-azure-information-protection#manage-azure-information-protection-content-scan-jobs) *must* use this procedure in order to manage their content scan jobs.
+>
+
+**Manage your content scan jobs using PowerShell only**:
+
+1. Set the scanner to function in **offline** mode, using the [Set-AIPScannerConfiguration](/powershell/module/azureinformationprotection/set-aipscannerconfiguration) cmdlet.
+
+1. Create a new content scan job using the [Set-AIPScannerContentScanJob](/powershell/module/azureinformationprotection/set-aipscannercontentscanjob) cmdlet, making sure to use the mandatory `-Enforce On` parameter.
+
+1. Add your repositories using the [Add-AIPScannerRepository](/powershell/module/azureinformationprotection/add-aipscannerrepository) cmdlet, with the path to the repository you want to add.
+
+ > [!TIP]
+ > To prevent the repository from inheriting settings from your content scan job, add the `OverrideContentScanJob On` parameter, as well as values for additional settings.
+ >
+ > To edit details for an existing repository, use the [Set-AIPScannerRepository](/powershell/module/azureinformationprotection/set-aipscannerrepository) command.
+ >
+
+1. Use the [Get-AIPScannerContentScanJob](/powershell/module/azureinformationprotection/get-aipscannercontentscanjob) and [Get-AIPScannerRepository](/powershell/module/azureinformationprotection/get-aipscannerrepository) cmdlets to return information about your content scan job's current settings.
+
+1. Use the [Set-AIPScannerRepository](/powershell/module/azureinformationprotection/set-aipscannerrepository) command to update details for an existing repository.
+
+1. Run your content scan job immediately if needed, using the [Start-AIPScan](/powershell/module/azureinformationprotection/start-aipscan) cmdlet.
+
+ Results for offline content scan jobs are located at: **%localappdata%\Microsoft\MSIP\Scanner\Reports**
+
+1. If you need to remove a repository or an entire content scan job, use the following cmdlets:
+
+ - [Remove-AIPScannerContentScanJob](/powershell/module/azureinformationprotection/remove-aipscannercontentscanjob)
+ - [Remove-AIPScannerRepository](/powershell/module/azureinformationprotection/remove-aipscannerrepository)
+
+### Restriction: You cannot be granted Sysadmin or databases must be created and configured manually
+
+Use the following procedures to manually create databases and grant the **db_owner** role, as needed.
+
+- [Procedure for the scanner database](#manually-create-a-database-and-user-for-the-scanner-and-grant-db_owner-rights)
+
+If you can be granted the Sysadmin role *temporarily* to install the scanner, you can remove this role when the scanner installation is complete.
+
+Do one of the following, depending on your organization's requirements:
+
+|Restriction |Description |
+|||
+|**You can have the Sysadmin role temporarily** | If you temporarily have the Sysadmin role, the database is automatically created for you and the service account for the scanner is automatically granted the required permissions. <br><br>However, the user account that configures the scanner still requires the **db_owner** role for the scanner configuration database. If you only have the Sysadmin role until the scanner installation is complete, grant the **db_owner** role to the user account manually. |
+|**You cannot have the Sysadmin role at all** | If you cannot be granted the Sysadmin role even temporarily, you must ask a user with Sysadmin rights to manually create a database before you install the scanner. <br><br>For this configuration, the **db_owner** role must be assigned to the following accounts: <br>- Service account for the scanner<br>- User account for the scanner installation<br>- User account for scanner configuration <br><br>Typically, you will use the same user account to install and configure the scanner. If you use different accounts, they both require the **db_owner** role for the scanner configuration database. Create this user and rights as needed. If you specify your own cluster name, the configuration database is named **AIPScannerUL_<cluster_name>**. |
+
+Additionally:
+
+- You must be a local administrator on the server that will run the scanner
+- The service account that will run the scanner must be granted Full Control permissions to the following registry keys:
+
+ - `HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\MSIPC\Server`
+ - `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSIPC\Server`
+
+If, after configuring these permissions, you see an error when you install the scanner, the error can be ignored and you can manually start the scanner service.
+
+#### Manually create a database and user for the scanner, and grant db_owner rights
+
+If you need to manually create your scanner database and/or create a user and grant **db_owner** rights on the database, ask your Sysadmin to perform the following steps:
+
+1. Create a database for scanner:
+
+ ```sql
+ **CREATE DATABASE AIPScannerUL_[clustername]**
+
+ **ALTER DATABASE AIPScannerUL_[clustername] SET TRUSTWORTHY ON**
+ ```
+
+2. Grant rights to the user that runs the installation command and is used to run scanner management commands. Use the following script:
+
+ ```sql
+ if not exists(select * from master.sys.server_principals where sid = SUSER_SID('domain\user')) BEGIN declare @T nvarchar(500) Set @T = 'CREATE LOGIN ' + quotename('domain\user') + ' FROM WINDOWS ' exec(@T) END
+ USE DBName IF NOT EXISTS (select * from sys.database_principals where sid = SUSER_SID('domain\user')) BEGIN declare @X nvarchar(500) Set @X = 'CREATE USER ' + quotename('domain\user') + ' FROM LOGIN ' + quotename('domain\user'); exec sp_addrolemember 'db_owner', 'domain\user' exec(@X) END
+ ```
+
+3. Grant rights to scanner service account. Use the following script:
+
+ ```sql
+ if not exists(select * from master.sys.server_principals where sid = SUSER_SID('domain\user')) BEGIN declare @T nvarchar(500) Set @T = 'CREATE LOGIN ' + quotename('domain\user') + ' FROM WINDOWS ' exec(@T) END
+ ```
+
+### Restriction: The service account for the scanner cannot be granted the **Log on locally** right
+
+If your organization policies prohibit the **Log on locally** right for service accounts, use the *OnBehalfOf* parameter with Set-AIPAuthentication.
+
+For more information, see [How to label files non-interactively for Azure Information Protection](/azure/information-protection/rms-client/clientv2-admin-guide-powershell#how-to-label-files-non-interactively-for-azure-information-protection).
+
+### Restriction: The scanner service account cannot be synchronized to Azure Active Directory but the server has internet connectivity
+
+You can have one account to run the scanner service and use another account to authenticate to Azure Active Directory:
+
+- **For the scanner service account**, use a local Windows account or an Active Directory account.
+
+- **For the Azure Active Directory account**, specify the AAD user in the [Set-AIPAuthentication](/powershell/module/azureinformationprotection/set-aipauthentication) cmdlet, in the *DelegatedUser* parameter.
+
+ If you are running the scan under any user other than the scanner account, make sure to specify the scanner account in *OnBehalfOf* parameter as well.
+
+ For more information, see [How to label files non-interactively for Azure Information Protection](/azure/information-protection/rms-client/clientv2-admin-guide-powershell#how-to-label-files-non-interactively-for-azure-information-protection).
+
+### Restriction: Your labels do not have auto-labeling conditions
+
+If your labels do not have any auto-labeling conditions, plan to use one of the following options when configuring your scanner:
+
+|Option |Description |
+|||
+|**Discover all info types** | In your [content scan job](deploy-scanner-configure-install.md#create-a-content-scan-job), set the **Info types to be discovered** option to **All**. </br></br>This option sets the content scan job to scan your content for all sensitive information types. |
+|**Use recommended labeling** | In your [content scan job](deploy-scanner-configure-install.md#create-a-content-scan-job), set the **Treat recommended labeling as automatic** option to **On**.</br></br> This setting configures the scanner to automatically apply all recommended labels on your content. |
+|**Define a default label** | Define a default label in your [policy](sensitivity-labels.md#what-label-policies-can-do), [content scan job](deploy-scanner-configure-install.md#create-a-content-scan-job), or [repository](deploy-scanner-configure-install.md#apply-a-default-label-to-all-files-in-a-data-repository). </br></br>In this case the scanner applies the default label on all files found. |
+
+## Next steps
+
+Once you've confirmed that your system complies with the scanner prerequisites, continue with [Configuring and installing the information protection scanner](deploy-scanner-configure-install.md).
+
+For an overview about the scanner, see [Learn about the information protection scanner](deploy-scanner.md).
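Review bot: In step 2 of "Manually create a database and user for the scanner", the second script line runs `exec sp_addrolemember 'db_owner', 'domain\user'` before `exec(@X)`, so the role grant is attempted before the CREATE USER statement held in @X has executed; swap the two so the user exists first. In step 1 the statements inside the sql fence are wrapped in `**...**`, which renders literally in a code block and breaks copy and paste. `SET TRUSTWORTHY ON` is given with no explanation of why the scanner needs it, which an administrator reviewing the database's privilege footprint alongside db_owner will want stated. Step 3 is titled "Grant rights to scanner service account" but its script only creates the login and grants nothing; either add the grant or retitle the step. `USE DBName` in step 2 should use the same `AIPScannerUL_[clustername]` placeholder as step 1.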
compliance Deploy Scanner https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/deploy-scanner.md
+
+ Title: "Learn about the Microsoft Purview Information Protection scanner"
+f1.keywords:
+++ Last updated :
+audience: Admin
++
+ms.localizationpriority: normal
+
+- purview-compliance
+- tier3
+description: Learn how the scanner from Microsoft Purview Information Protection can discover, classify, and protect files on data stores.
++
+# Learn about the information protection scanner
+
+Use the information in this section to learn about the Microsoft Purview information protection scanner, and then how to successfully install, configure, run and if necessary, troubleshoot it.
+
+The scanner runs as a service on Windows Server and lets you discover, classify, and protect files on the following data stores:
+
+- **UNC paths** for network shares that use the SMB or NFS (Preview) protocols.
+
+- **SharePoint document libraries and folder** for SharePoint Server 2019 through SharePoint Server 2013.
+
+To classify and protect your files, the scanner uses [sensitivity labels](sensitivity-labels.md) configured in the Microsoft Purview compliance portal.
+
+## Overview of the scanner
+
+The information protection scanner can inspect any files that Windows can index. If you've configured sensitivity labels to apply automatic classification, the scanner can label discovered files to apply that classification, and optionally apply or remove protection.
+
+The following image shows the scanner architecture, where the scanner discovers files across your on-premises and SharePoint servers.
++
+To inspect your files, the scanner uses IFilters installed on the computer. To determine whether the files need labeling, the scanner uses sensitive information types and pattern detection, or regex patterns.
+
+The scanner uses the Azure Information Protection client, and can classify and protect the same types of files as the client. For more information, see [File types supported by the Azure Information Protection unified labeling client](/azure/information-protection/rms-client/clientv2-admin-guide-file-types).
+
+Do any of the following to configure your scans as needed:
+
+- **Run the scanner in discovery mode only** to create reports that check to see what happens when your files are labeled.
+- **Run the scanner to discover files with sensitive information**, without configuring labels that apply automatic classification.
+- **Run the scanner automatically** to apply labels as configured.
+- **Define a file types list** to specify specific files to scan or to exclude.
+
+> [!NOTE]
+> The scanner does not discover and label in real time. It systematically crawls through files on data stores that you specify. Configure this cycle to run once, or repeatedly.
+
+> [!TIP]
+> The scanner supports scanner clusters with multiple nodes, enabling your organization to scale out, achieving faster scan times and broader scope.
+>
+> Deploy multiple nodes right from the start, or start with a single-node cluster and add additional nodes later on as you grow. Deploy multiple nodes by using the same cluster name and database for the **Install-AIPScanner** cmdlet.
+>
+
+## The scanning process
+
+When scanning files, the information protection scanner runs through the following steps:
+
+[1. Determine whether files are included or excluded for scanning](#1-determine-whether-files-are-included-or-excluded-for-scanning)
+
+[2. Inspect and label files](#2-inspect-and-label-files)
+
+[3. Label files that can't be inspected](#3-label-files-that-cant-be-inspected)
+
+For more information, see [Files not labeled by the scanner](#files-not-labeled-by-the-scanner).
+
+### 1. Determine whether files are included or excluded for scanning
+
+The scanner automatically skips files that are excluded from classification and protection, such as executable files and system files. For more information, see [File types excluded from classification and protection](/azure/information-protection/rms-client/clientv2-admin-guide-file-types#file-types-excluded-from-classification-and-protection).
+
+The scanner also considers any file lists explicitly defined to scan, or exclude from scanning. File lists apply for all data repositories by default, and can also be defined for specific repositories only.
+
+To define file lists for scanning or exclusion, use the **File types to scan** setting in the content scan job. For example:
+
+![Configure file types to scan within the Purview compliance portal](../media/scanner-file-types-purview.png)
+
+For more information, see [Deploying the scanner to automatically classify and protect files](deploy-scanner-configure-install.md).
+
+### 2. Inspect and label files
+
+After identifying excluded files, the information protection scanner filters again to identify files supported for inspection.
+
+These filters are the same ones used by the operating system for Windows Search and indexing, and require no extra configuration. Windows IFilter is also used to scan file types that are used by Word, Excel, and PowerPoint, and for PDF documents and text files.
+
+For a full list of file types supported for inspection, and other instructions for configuring filters to include .zip and .tiff files, see [File types supported for inspection](/azure/information-protection/rms-client/clientv2-admin-guide-file-types#file-types-supported-for-inspection).
+
+After inspection, supported file types are labeled using the conditions specified for your labels. If you're using discovery mode, these files can either be reported to contain the conditions specified for your labels, or reported to contain any known sensitive information types.
+
+#### Stopped scanner processes
+
+If the scanner stops and doesn't complete a scan for a large number of files in your repository, you may need to increase the number of dynamic ports for the operating system hosting the files.
+
+For example, server hardening for SharePoint is one reason why the scanner would exceed the number of allowed network connections, and therefore stop.
+
+To check whether server hardening for SharePoint is the cause of the scanner stopping, check for the following error message in the scanner logs at **%localappdata%\Microsoft\MSIP\Logs\MSIPScanner.iplog** (multiple logs are compressed into a zip file):
+
+`Unable to connect to the remote server > System.Net.Sockets.SocketException: Only one usage of each socket address (protocol/network address/port) is normally permitted IP:port`
+
+For more information about how to view the current port range and increase it if needed, see [Settings that can be modified to improve network performance](/biztalk/technical-guides/settings-that-can-be-modified-to-improve-network-performance).
+
+> [!TIP]
+> For large SharePoint farms, you may need to increase the list view threshold, which has a default of **5,000**.
+>
+> For more information, see the [Manage large lists and libraries in SharePoint](https://support.office.com/article/manage-large-lists-and-libraries-in-sharepoint-b8588dae-9387-48c2-9248-c24122f07c59#__bkmkchangelimit&ID0EAABAAA=Server).
+>
+
+### 3. Label files that can't be inspected
+
+For any file types that can't be inspected, the scanner applies the default label from its sensitivity label policy, or the default label configured for the scanner.
+
+### Files not labeled by the scanner
+The scanner cannot label files under the following circumstances:
+
+- When the label applies classification, but not protection, and the file type does not support classification-only by the client. For more information, see [File types supported for classification only](/azure/information-protection/rms-client/clientv2-admin-guide-file-types#file-types-supported-for-classification-only).
+
+- When the label applies classification and protection, but the scanner does not support the file type.
+
+ By default, the scanner protects only Office file types, and PDF files when they are protected by using the ISO standard for PDF encryption.
+
+ Other types of files can be added for protection when you [change the types of files to protect](deploy-scanner-configure-install.md#change-which-file-types-to-protect).
+
+**Example**: After inspecting .txt files, the scanner can't apply a label that's configured for classification only, because the .txt file type doesn't support classification only.
+
+However, if the label is configured for both classification and protection, and the .txt file type is included for the scanner to protect, the scanner can label the file.
+
+## Next steps
+
+For more information about deploying the scanner, see the following articles:
+
+- [Scanner deployment prerequisites](deploy-scanner-prereqs.md)
+- [Configuring and installing the scanner](deploy-scanner-configure-install.md)
+- [Running scans using the scanner](deploy-scanner-manage.md)
+
+**More information**:
+
+- [Watch our scanner end-to-end demo video!](https://www.youtube.com/watch?v=f1gy1KalSts) Watch a step-by-step review of the scanner architecture, architecture, recommendation, installation and configuration.
+
+- Check out our blog on best practices for the scanner: [Best practices for deploying and using the AIP UL scanner](https://aka.ms/AIPScannerBestPractices)
+
+- Interested in how the Core Services Engineering and Operations team in Microsoft implemented this scanner? Read the technical case study: [Automating data protection with Azure Information Protection scanner](https://www.microsoft.com/itshowcase/Article/Content/1070/Automating-data-protection-with-Azure-Information-Protection-scanner).
+
+- You can also use PowerShell to interactively classify and protect files from your desktop computer. For more information about this and other scenarios that use PowerShell, see [Using PowerShell with the Azure Information Protection unified labeling client](./
+- .md).
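Review bot: The last bullet under "More information" has a broken link target: the URL is split as `(./` and `- .md)` with the file name missing, so the PowerShell link will not resolve; restore the full relative path. In "Stopped scanner processes", the log path `%localappdata%\Microsoft\MSIP\Logs\MSIPScanner.iplog` is per-user, so say which account's profile to look in. In the same "More information" list, the demo-video bullet repeats a word ("architecture, architecture"). Under "Overview of the scanner", "The following image shows the scanner architecture" is followed by no image reference. In the data-store list, "document libraries and folder" should read "folders".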
compliance Insider Risk Management Activities https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/insider-risk-management-activities.md
New reports typically take up to 10 hours before they're ready for review. When
![Insider risk management user activity report.](../media/insider-risk-user-activity-report.png)
-The **User activity report** for the selected user contains the **User activity** and **Activity explorer** tabs:
+The **User activity report** for the selected user contains the **User activity**, **Activity explorer**, and **Forensic evidence (preview)** tabs:
- **User activity**: Use this chart view to investigate activities and view potential activities that occur in sequences. This tab is structured to enable quick review of a case, including a historical timeline of all activities, activity details, the current risk score for the user in the case, the sequence of risk events, and filtering controls to help with investigative efforts. - **Activity explorer**: The **Activity explorer** tab provides risk investigators with a comprehensive analytic tool that provides detailed information about activities. With the Activity explorer, reviewers can quickly review a timeline of detected risky activity and identify and filter all risk activities associated with alerts. To learn more about using the Activity explorer, see the *Activity explorer* section later in this article.
+- **Forensic evidence (preview)**: The **Forensic evidence (preview)** tab provides access to forensic evidence captures associated with activities that may result in security incidents for users. Forensic evidence enables customizable visual capturing across devices to help your organization better mitigate, understand, and respond to potential data risks like unauthorized data exfiltration of sensitive data. To learn more about using forensic evidence, see [Learn about insider risk management forensic evidence](/microsoft-365/compliance/insider-risk-management-forensic-evidence).
## Alert dashboard
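Review bot: The new **Forensic evidence (preview)** bullet does not say which role is needed to open the tab, while the role table changed elsewhere on this page limits "Access & view forensic evidence captures" to the Insider Risk Management and Insider Risk Management Investigators role groups; add that requirement here so readers know which role they need. The phrase "unauthorized data exfiltration of sensitive data" is redundant; "unauthorized exfiltration of sensitive data" says the same thing.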
The **User activity** chart is one of the most powerful tools for internal risk
> [!NOTE] > Activity explorer is available in the alert management area for users with triggering events after this feature is available in your organization.
-The Activity explorer provides risk investigators and analysts with a comprehensive analytic tool that provides detailed information about alerts. With the Activity explorer, reviewers can quickly review a timeline of detected risky activity and identify and filter all risk activities associated with alerts.
+The Activity explorer provides risk investigators and analysts with a comprehensive analytic tool that provides detailed information about alerts. With the Activity explorer, reviewers can quickly review a timeline of detected risky activity and identify and filter all risk activities associated with alerts.
To filter alerts on the Activity explorer for column information, select the Filter control. You can filter alerts by one or more attributes listed in the details pane for the alert. Activity explorer also supports customizable columns to help investigators and analysts focus the dashboard on the information most important to them.
-Use the Activity scope and Risk insight filters to display and sort activities and insights for the following areas.
+Use the *Activity scope* and *Risk insight* filters to display and sort activities and insights for the following areas.
- **Activity scope filters**: Filters all scored activities for the user. - All scored activity for this user
As insider risk management alerts age, their value to minimize risky activity di
To help minimize the number of older items that provide limited current value, the following retention and limits apply for insider risk management alerts, cases, and user activity reports:
-|Item|Retention/Limit|
-|||
+|**Item**|**Retention/Limit**|
+|:-|:|
|Alerts with Needs review status|120 days from alert creation, then automatically deleted| |Active cases (and associated artifacts)|Indefinite retention, never expire| |Resolved cases (and associated artifacts)|120 days from case resolution, then automatically deleted|
compliance Insider Risk Management Cases https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/insider-risk-management-cases.md
The **Activity explorer** tab allows risk analysts and investigators to review a
For more information about the Activity explorer, see the [Insider risk management activities](insider-risk-management-activities.md#activity-explorer) article.
+### Forensic evidence (preview)
+
+The **Forensic evidence (preview)** tab allows risk investigators to review visual captures associated with risk activities included in cases. For example, as part of the case management actions, investigators may need to help clarify the context of the user activity under review. Viewing the actual clips of the activity can help the investigator determine if the user activity is potentially risky and may lead to a security incident.
+
+For more information about forensic evidence, see the [Learn about insider risk management forensic evidence](/microsoft-365/compliance/insider-risk-management-forensic-evidence) article.
+ ### Content explorer The **Content explorer** tab allows risk investigators to review copies of all individual files and email messages associated with risk alerts. For example, if an alert is created when a user downloads hundreds of files from SharePoint Online and the activity triggers a policy alert, all the downloaded files for the alert are captured and copied to the insider risk management case from original storage sources.
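Review bot: The new "Forensic evidence (preview)" section links with a site-absolute path (`/microsoft-365/compliance/insider-risk-management-forensic-evidence`) while the Activity explorer link just above it uses the relative `insider-risk-management-activities.md#activity-explorer` form; use one link style within the article. "investigators may need to help clarify the context" is awkward; "may need to clarify the context" is enough. The section also omits which role group can view the captures.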
compliance Insider Risk Management Configure https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/insider-risk-management-configure.md
Depending on how you wish to manage insider risk management policies and alerts,
You'll choose from these role group options and solution actions when working with insider risk management:
-|Actions|Insider Risk Management|Insider Risk Management Admin|Insider Risk Management Analysts|Insider Risk Management Investigators|Insider Risk Management Auditors|
-|||||||
-|Configure policies and settings|Yes|Yes|No|No|No|
-|Access analytics insights|Yes|Yes|Yes|No|No|
-|Access & investigate alerts|Yes|No|Yes|Yes|No|
-|Access & investigate cases|Yes|No|Yes|Yes|No|
-|Access & view the Content Explorer|Yes|No|No|Yes|No|
-|Configure notice templates|Yes|No|Yes|Yes|No|
-|View & export audit logs|Yes|No|No|No|Yes|
+|**Actions**|**Insider Risk Management**|**Insider Risk Management Admin**|**Insider Risk Management Analysts**|**Insider Risk Management Investigators**|**Insider Risk Management Auditors**|**Insider Risk Management Approvers**|
+||||||||
+|Configure policies and settings|Yes|Yes|No|No|No|No|
+|Access analytics insights|Yes|Yes|Yes|No|No|No|
+|Access & investigate alerts|Yes|No|Yes|Yes|No|No|
+|Access & investigate cases|Yes|No|Yes|Yes|No|No|
+|Access & view the Content Explorer|Yes|No|No|Yes|No|No|
+|Configure notice templates|Yes|No|Yes|Yes|No|No|
+|View & export audit logs|Yes|No|No|No|Yes|No|
+|Access & view forensic evidence captures|Yes|No|No|Yes|No|No|
+|Create forensic evidence capturing request|Yes|Yes|No|No|No|No|
+|Approve forensic evidence capturing requests|Yes|No|No|No|No|Yes|
+|View device health report|Yes|Yes|No|No|No|No|
> [!IMPORTANT] > Make sure you always have at least one user in the built-in *Insider Risk Management* or *Insider Risk Management Admin* role groups (depending on the option you choose) so that your insider risk management configuration doesn't get into a 'zero administrator' scenario if specific users leave your organization.
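Review bot: In the role table, the Insider Risk Management column is Yes for both "Create forensic evidence capturing request" and "Approve forensic evidence capturing requests", so a member of that single role group holds both halves of the dual authorization that the forensic evidence article on this page describes. State whether the same person can approve their own request, or recommend splitting requesters and approvers across the Insider Risk Management Admin and Insider Risk Management Approvers groups. The two row labels are also inconsistent: "capturing request" is singular in one row and plural in the next.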
If you create security violation policies, you'll need to have Microsoft Defende
See the [Configure advanced features in Defender for Endpoint](/windows/security/threat-protection/microsoft-defender-atp/advanced-features#share-endpoint-alerts-with-microsoft-compliance-center) article for step-by-step guidance to configure Defender for Endpoint for insider risk management integration. After you've configured the Microsoft Defender for Endpoint, return to these configuration steps.
+#### Configure forensic evidence (optional)
+
+Having visual context is crucial for security teams during forensic investigations to get better insights into risky user activities that may lead to a security incident. With customizable event triggers and built-in user privacy protection controls, forensic evidence enables customizable capturing across devices to help your organization better mitigate, understand, and respond to potential data risks like unauthorized data exfiltration of sensitive data.
+
+See the [Get started with insider risk management forensic evidence](/microsoft-365/compliance/insider-risk-management-forensic-evidence-configure) article for step-by-step guidance to configure forensic evidence for your organization.
+ ## Step 5 (required): Configure insider risk settings [Insider risk settings](insider-risk-management-settings.md) apply to all insider risk management policies, regardless of the template you chose when creating a policy. Settings are configured using the **Insider risk settings** control located at the top of all insider risk management tabs. These settings control privacy, indicators, intelligent detections, and more.
Before configuring a policy, define the following insider risk settings:
8. On the **Power Automate flows** page, configure a flow from insider risk flow templates or create a new flow. See the [Getting started with insider risk management settings](insider-risk-management-settings.md#power-automate-flows-preview) article for step-by-step guidance. 9. On the **Priority assets page**, configure priority assets to use data from your physical control and access platform imported by the Physical badging connector. See the [Getting started with insider risk management settings](insider-risk-management-settings.md#priority-physical-assets-preview) article for step-by-step guidance. 10. On the **Microsoft Teams** page, enable Microsoft Teams integration with insider risk management to automatically create a team for case or user collaboration. See the [Getting started with insider risk management settings](insider-risk-management-settings.md#microsoft-teams-preview) article for step-by-step guidance.
-11. Select **Save** to enable these settings for your insider risk policies.
+12. Select **Save** to enable these settings for your insider risk policies.
## Step 6 (required): Create an insider risk management policy
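Review bot: The last step is renumbered from 11 to 12, but the step shown directly before it is 10 and no step 11 appears in the visible lines, so the list now skips a number; either keep it as 11 or include the new step 11 in this change.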
compliance Insider Risk Management Forensic Evidence Configure https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/insider-risk-management-forensic-evidence-configure.md
+
+ Title: Get started with insider risk management forensic evidence (preview)
+description: Get started with insider risk management forensic evidence in Microsoft Purview. Forensic evidence is an investigative tool for viewing captured security-related user activity to help determine whether the user's actions pose a risk and may lead to a security incident.
+keywords: Microsoft 365, Microsoft Purview, insider risk, risk management, compliance
+ms.localizationpriority: medium
++
+f1.keywords:
+- NOCSH
+++
+audience: itpro
+++
+# Get started with insider risk management forensic evidence (preview)
+
+>[!IMPORTANT]
+>Microsoft Purview Insider Risk Management correlates various signals to identify potential malicious or inadvertent insider risks, such as IP theft, data leakage and security violations. Insider risk management enables customers to create policies to manage security and compliance. Built with privacy by design, users are pseudonymized by default, and role-based access controls and audit logs are in place to help ensure user-level privacy.
+
+## Configure forensic evidence
+
+Configuring forensic evidence in your organization is similar to configuring other policies from insider risk management policy templates. In general, you'll follow the same basic configuration steps to set up forensic evidence, but there are a few areas that need feature-specific configuration actions before your get started with the basic configuration steps.
++
+### Step 1: Confirm your subscription and configure data storage access
+
+Before you get started with forensic evidence, you should confirm your [insider risk management subscription](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance#microsoft-purview-insider-risk-management) and any add-ons.
+
+Additionally, you'll need to add the following domain to your firewall allowlist to support forensic evidence capture storage for your organization:
+
+- *compliancedrive.microsoft.com*
+
+Captures and capture data are stored at this domain and is assigned only to your organization. No other Microsoft 365 organization has access to forensic evidence captures for your organization.
+
+### Step 2: Configure supported devices
+
+User devices eligible for forensic evidence capturing must be onboarded to the [Microsoft Purview compliance portal](/microsoft-365/compliance/microsoft-365-compliance-center) and must have the Microsoft Purview Client installed.
+
+>[!IMPORTANT]
+>The Microsoft Purview Client automatically collects general diagnostic data related to device configuration and performance metrics. This includes data on critical errors, RAM consumption, process failures, and other data. This data helps us assess the client's health and identify any issues. For more details about how diagnostic data may be used, see the Use of Software with Online Services on the [Microsoft Product Terms](https://www.microsoft.com/licensing/product-licensing/products).
+
+Visual captures in forensic evidence are supported for the following devices/configurations:
+
+- Latest Windows 10 or Windows 11 x64 build
+- A maximum of 4 monitors per device
+
+To onboard devices, complete the steps outlined in the [Onboard Windows 10 and Windows 11 devices into Microsoft 365 overview](/microsoft-365/compliance/device-onboarding-overview) article.
+
+To install the Microsoft Purview Client, complete the following steps:
+
+1. In the [Microsoft Purview compliance portal](https://compliance.microsoft.com/), go to **Insider risk management** > **Forensic evidence (preview)** > **Client installation**.
+2. Select **Download installer package (x64 version)** to download the installation package for Windows.
+3. After downloading the installation package, use your preferred method to install the client on users' devices. These options may include manually installing the client on devices or tools to help automate the client installation:
+
+ - **Microsoft Endpoint Manager**: [Microsoft Endpoint Manager](/mem/endpoint-manager-overview) is an integrated solution for managing all of your devices. Microsoft brings together [Configuration Manager](/mem/configmgr/core/understand/introduction) and [Intune](/mem/intune/fundamentals/what-is-intune), without a complex migration, and with simplified licensing.
+ - **Third-party device management solutions**: If your organization is using third-party device management solutions, see the documentation for these tools to install the client.
++
+### Step 3: Configure settings
+
+Forensic evidence has several configuration settings that provide flexibility for the types of security-related user activity captured, capturing parameters, bandwidth limits, and offline capturing options. Forensic evidence capturing enables you to create policies based on your requirements in just a few steps and adding users to a policy requires dual authorization.
+
+To configure forensic evidence settings, complete the following steps:
+
+1. In the [Microsoft Purview compliance portal](https://compliance.microsoft.com/), go to **Insider risk management** > **Forensic evidence (preview)** > **Forensic evidence settings**.
+2. Select **Forensic evidence capturing** to enable capturing support in your forensic evidence policies. If this is turned off later, this will remove all previously added users for forensic evidence policies.
+
+ >[!IMPORTANT]
+ >The Microsoft Purview Client used to capture activity on users' devices is licensed under the Use of Software with the Online Services on the [Microsoft Product Terms](https://www.microsoft.com/licensing/product-licensing/products). Note that customers are solely responsible for using the insider risk management solution, including the Microsoft Purview Client, in compliance with all applicable laws.
+
+1. In the **Capturing window** section, define when to start and stop activity capturing. Available values are *10 seconds*, *30 seconds*, *1 minute*, *3 minutes*, or *5 minutes*.
+1. In the **Upload bandwidth limit** section, define the amount of capture data to upload into your data storage account per user, per day. Available values are *100 MB*, *250 MB*, *500 MB*, *1 GB*, or *2 GB*.
+1. In the **Offline capturing** section, enable offline capturing if needed. When enabled, users' offline activity is captured and uploaded to your data storage account the next time they're online.
+1. In the **Offline capturing cache limit** section, define the maximum cache size to store on users' devices when offline capturing is enabled. Available values are *100 MB*, *250 MB*, *500 MB*, *1 GB*, or *2 GB*.
+1. Select **Save**.
+
+### Step 4: Create a policy
+
+Forensic evidence policies define the scope of security-related user activity to capture on configured devices. You can have one policy that captures all activities approved users perform on their devices (all keystrokes, mouse movements, and so on) and additional policies that capture only specific activities (such as printing or exfiltrating files). Once created, you'll include these policies in forensic evidence requests to control what activity to capture for users whose requests are approved.
+
+1. In the [Microsoft Purview compliance portal](https://compliance.microsoft.com/), go to **Insider risk management** > **Forensic evidence (preview)** > **Forensic evidence policies**.
+2. Select **Create forensic evidence policy**.
+3. On the **Scope** page, you'll choose the scope of security-related user activity to capture. Select one of the following options:
+
+ - **Specific activities**: This option only captures activities detected by policies that users are included in. These activities are defined by the indicators selected in forensic evidence policies. Captures for this option will be available for review on the **Forensic evidence (preview)** tab on the **Alerts** or **Cases** dashboard.
+ - **All activities**: This option captures any activity performed by users. This includes mouse movement, keystrokes, and all activities defined by insider risk indicators. Captures for this option will be available for review on the **Forensic evidence (preview)** tab on the **User activity reports (preview)** dashboard.
+4. Select **Next**.
+5. On the **Name and description** page, complete the following fields:
+ - **Name (required)**: Enter a friendly name for the forensic evidence policy. This name can't be changed after the policy is created.
+ - **Description (optional)**: Enter a description for the forensic evidence policy.
+6. Select **Next**.
+7. If you've selected the **All Activities** option in Step 3, the **Device activities** page directs you the final step in the policy wizard. There aren't any device activities to configure when the **All activities** option is selected.
+
+ If you've selected the **Specific activities** option in Step 3, you'll select device activities to capture on the **Device activities** page. Only the activities selected will be captured by the policy. If the indicators aren't selectable, you'll need to turn on these indicators for your organization before you can select these indicators in the forensic evidence policy.
+
+ After you've selected indicators, select **Next**.
+8. On the **Finish** page, review the settings you've chosen for the policy and any suggestions or warnings for your selections. Select **Edit** to change any of the policy values or select **Submit** to create and activate the policy.
+
+After you've completed the policy configuration steps, continue to Step 5.
+
+### Step 5: Define and approve users for capturing
+
+Before security-related user activities can be captured, admins must follow the dual authorization process in forensic evidence. This process mandates that enabling visual capturing for specific users is both defined and approved by applicable people in your organization.
+
+>[!IMPORTANT]
+>For the preview release, a maximum of 5 concurrent users are eligible for forensic evidence capturing. Capturing for groups isn't supported in the preview release.
+
+You must request that forensic evidence capturing is enabled for specific users. When a request is submitted, approvers in your organization are notified in email and can approve or reject the request. If approved, the user will appear on the **Approved users** tab and will be eligible for capturing.
+
+- To request approval for forensic evidence capturing for users, complete [these configuration steps](/microsoft-365/compliance/insider-risk-management-forensic-evidence-manage#request-capturing-approvals).
+- To approve (or reject) requests for forensic evidence capturing for users, complete [these configuration steps](/microsoft-365/compliance/insider-risk-management-forensic-evidence-manage#approve-capturing-requests).
+
+## Next steps
+
+After you've configured your forensic evidence policy, it may take up to 48 hours for the first eligible clip captures to be available for review in alerts for other policies or as activity in **User Activity Reports**. For more information about managing forensic evidence and reviewing clip captures, see the [Manage information risk management forensic evidence](/microsoft-365/compliance/insider-risk-management-forensic-evidence-manage) article.
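Review bot: The approval link in Step 5 targets `#approve-capturing-requests`, but the matching heading added in the manage article is "Approve or reject capturing requests", so the auto-generated anchor would be `#approve-or-reject-capturing-requests` and the link as written will not land on the section; update the anchor or rename the heading. In "Next steps" the link text reads "Manage information risk management forensic evidence" while the target article is titled "Manage insider risk management forensic evidence". In Step 4, item 7, "directs you the final step" is missing "to", and "All Activities" should use the same casing as the "All activities" option named in item 3.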
compliance Insider Risk Management Forensic Evidence Manage https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/insider-risk-management-forensic-evidence-manage.md
+
+ Title: Manage insider risk management forensic evidence (preview)
+description: Manage insider risk management forensic evidence in Microsoft Purview. Forensic evidence is an investigative tool for viewing captured security-related user activity to help determine whether the user's actions pose a risk and may lead to a security incident.
+keywords: Microsoft 365, Microsoft Purview, insider risk, risk management, compliance
+ms.localizationpriority: medium
++
+f1.keywords:
+- NOCSH
+++
+audience: itpro
+++
+# Manage insider risk management forensic evidence (preview)
+
+>[!IMPORTANT]
+>Microsoft Purview Insider Risk Management correlates various signals to identify potential malicious or inadvertent insider risks, such as IP theft, data leakage and security violations. Insider risk management enables customers to create policies to manage security and compliance. Built with privacy by design, users are pseudonymized by default, and role-based access controls and audit logs are in place to help ensure user-level privacy.
+
+After you've completed the configuration steps and created your forensic evidence policy, you'll start to see alerts for potentially risky security-related user activities that meet the conditions for indicators that are defined in the policy.
++
+## Dashboard
+
+The forensic evidence dashboard is the summary view of key areas of the forensic evidence configuration in your organization. For the preview, the dashboard includes only a **Forensic evidence device health** section. Select **View device health report** to open the **Device health** tab and report. Other sections will be included in future releases.
+
+## Managing users
+
+You must request and approve specific users before they're eligible for forensic evidence capturing. Simply adding users to a forensic evidence policy doesn't automatically make those users eligible for capturing. You can request and approve users before or after forensic evidence policies are created, but the clip captures associated with policy indicators will only be created and available for reviewing once the users are approved.
+
+Users assigned to the *Insider Risk Management* or *Insider Risk Management Admins* role groups can submit approval requests to users assigned to the *Insider Risk Management Approvers* role group.
+
+### Request capturing approvals
+
+You must request that forensic evidence capturing be turned on for specific users. When a request is submitted, approvers in your organization are notified in email and can approve or reject the request. If approved, the user or will appear on the **Approved users** tab and will be eligible for capturing. If not addressed, the request will expire 6 months from the day it was submitted.
+
+To configure approved users for forensic evidence capturing, complete the following steps:
+
+1. In the [Microsoft Purview compliance portal](https://compliance.microsoft.com/), go to **Insider risk management** > **Forensic evidence (preview)** > **User management**.
+2. Select the **Manage forensic evidence requests** tab.
+3. Select **Create request**.
+4. On the **Users** page, select **Add users**.
+5. Use **Search** to locate a specific user or select one or more users from the list. Select **Add**, then select **Next**.
+6. On the **Forensic evidence policy** page, select a forensic evidence policy for the added users. The policy you choose determines the scope of activity to capture for users.
+7. Select **Next**.
+8. On the **Justification** page, let the reviewer know why you're requesting that capturing be enabled for the users you added in the **Justification for turning on forensic evidence capturing** text box. This is a required field. When complete, select **Next**.
+9. On the **Email notifications** page, you can use a notification template to send an email to users letting them know that forensic evidence capturing will be turned on for their device in accordance with your organization's policies. The email will be sent to users only if their request is approved.
+
+ Select the **Send an email notification to approved users** checkbox. Choose an existing template o create a new one. To create a new template, select **Create a notification template** and complete the following required fields in the **New email notification template** pane.
+
+10. Select **Next**.
+11. On the **Finish** page, review your settings before submitting the request. Select **Edit users** or **Edit justification** to change any of the request values or select **Submit** to create and send the request to reviewers.
+
+To view pending approval requests, navigate to **Insider risk management** > **Forensic evidence (preview)** > **Pending requests**. Here you'll see the users with pending requests, their email address, the request submission date, and who submitted the approval request. If no users are displayed, there aren't any pending approval requests for any users.
+
+Users assigned to the *Insider Risk Management Approvers* role group can select a user on the **Forensic evidence request (preview)** tab and review the request. After reviewing the request, these users can approve or reject the forensic evidence capturing request. Approving or rejecting the capturing request removes the pending request for users from this view.
+
+### Approve or reject capturing requests
+
+After requests are complete, users assigned to the *Insider Risk Management Approvers* role group will receive an email notification for the approval request. To approve or reject requests, reviewers must complete the following steps:
+
+1. In the [Microsoft Purview compliance portal](https://compliance.microsoft.com/), go to **Insider risk management** > **Forensic evidence (preview)** > **Pending requests**.
+2. Select a user to review.
+3. On the **Review forensic evidence request (preview)** pane, review the justification submitted by the requestor. Select **Approve** or **Reject** as applicable.
+4. On the **Request approved** or **Request rejected** page, select **Close**.
+
+![Insider risk management forensic evidence approval.](../media/insider-risk-forensic-evidence-approval.png)
+
+### Revoke capturing approvals
+
+If needed, you can revoke approval for specific users and exclude them from forensic evidence capturing. Revoking approval doesn't delete or remove any existing captures for these users, only future capturing of activity for these users is disabled.
+
+To revoke approvals for users, users assigned to the *Insider Risk Management Approvers* role group must complete the following steps:
+
+1. In the [Microsoft Purview compliance portal](https://compliance.microsoft.com/), go to **Insider risk management** > **Forensic evidence (preview)** > **User management**.
+2. Select the **Approved users** tab.
+3. Select a user, then select **Remove**.
+4. On the removal confirmation page, select **Remove** to revoke capturing approval or select **Cancel** to close the confirmation page.
+
+## Creating and managing notification templates
+
+You can create and use a notification template to send an email to users letting them know that forensic evidence capturing will be turned on for their device in accordance with your organization's policies. The email is sent to users only if their request is approved.
+
+![Insider risk management forensic evidence notification.](../media/insider-risk-forensic-evidence-notification.png)
+
+To create a new notification template, complete the following steps:
+
+1. In the [Microsoft Purview compliance portal](https://compliance.microsoft.com/), go to **Insider risk management** > **Forensic evidence (preview)** > **Notification templates**.
+2. Select **Create notification template**.
+3. On the **New email notification template** pane, complete the following required fields:
+ - Template name
+ - Send from
+ - Subject
+ - Message body
+4. Select **Save**
+
+To delete an existing notification template, select a template and select **Delete**.
+
+## Viewing capture clips
+
+If you've selected the option to only capture activities defined by the indicators selected in forensic evidence policies, capture clips are available as part of the alert and are accessible on the **Forensic evidence (preview)** tab on the **Alerts dashboard**. If alerts are later escalated to cases, the associated clips are accessible on the **Forensic evidence (preview)** tab on the **Cases** dashboard.
+
+If you've selected the option to capture any security-related activity performed by users included in forensic evidence policies, you'll view the clips for individual users on the **User activity report** dashboard.
+
+>[!IMPORTANT]
+>Forensic evidence clips are deleted 120 days after they're captured or at the end of the preview period, whichever is sooner. You can download or transfer forensic evidence clips before they're deleted.
+
+### Reviewing capture clips included with alerts
+
+For alerts generated by policies, forensic evidence captures for users are available for review on the **Forensic evidence (preview)** tab on the **Alerts** dashboard. If one or more captures are available for the alert, you'll also see a **View forensic evidence** notification in the Activity that generated this alert header section. You can select the notification link or the **Forensic evidence (preview)** tab to review the activity captures.
+
+![Insider risk management forensic evidence user activity.](../media/insider-risk-forensic-evidence-user-activity.png)
+
+Overall, reviewing an alert for potentially risky activity that may contain forensic evidence captures is essentially the same as reviewing an alert without forensic evidence captures. The significant difference is the inclusion of any applicable captures. The **Forensic evidence (preview)** tab provides access to all available captures associated with the alert. Each capture is displayed and includes the following information:
+
+- **Date/time (UTC)**: The date, time (UTC), and duration of the capture.
+- **Device**: The name of the device in Windows 10/11.
+- **Activity type**: The insider risk management activity type included in the capture. These activities are based on global and policy indicators assigned to the associated policy.
+- **Capture events**: Each capture contains events within the capture to help focus your review on specific activities for the capturing session.
+
+To view a capture clip, complete the following steps:
+
+1. If needed, configure the filters for the available captures. You can filter by the **Dates (UTC)** or by **Activity**.
+2. Select a clip to review.
+3. Select the device monitor to review. Each monitor connected to the device (up to 4) is eligible for forensic evidence capturing and are listed as *Display 1*, *Display 2*, etc.
+4. Using the video player controls, select the *Play control* to review the entire clip from beginning to end.
+5. If you want to scope the review to a specific event in the clip, select the event from the **Capture events** lists to the right of the video player.
+
+### Reviewing capture clips included with cases
+
+If alerts are escalated to cases, all associated forensic evidence captures are included as part of the case. Reviewing forensic evidence captures for cases follows the same process as when you review captures as part of examining alerts.
+
+### Reviewing capture clips without alerts
+
+To view clips for activity not associated with alerts, you'll use [User activity reports](/microsoft-365/compliance/insider-risk-management-activities#user-activity-reports). User activity reports allow you to examine activities for specific users for a defined time period without having to assign them temporarily or explicitly to an insider risk management policy. If these user activities include activities supported by forensic evidence capturing, clips are included with the user activity.
+
+If you've configured forensic evidence to capture all security-related user activity, regardless of whether they're included in a forensic evidence policy, you'll review these captures by selecting **Insider risk management** > **User activity reports** and then selecting a specific user and selecting the **Forensic evidence (preview)** tab.
+
+## Device health report (preview)
+
+After devices are configured to support forensic evidence, you can review the Microsoft Purview Client health status for all devices in your organization by navigating to **Insider risk management** > **Forensic evidence (preview)** > **Device health**.
+
+![Insider risk management forensic evidence device health.](../media/insider-risk-forensic-evidence-device-health.png)
+
+The report allows you to view the status and health of all devices that have the forensic evidence agent installed. Each report widget on the report displays information for last 24 hours.
+
+- **Devices online**: The total number of devices currently online.
+- **Devices offline**: The total number of devices currently offline.
+- **Devices with warnings**: The total number of devices with a warning.
+- **Devices with errors**: The total number of devices with an error.
+
+The device health queue lists all the devices in configured for forensic evidence in your organization. In addition, the report lists the status of the following device attributes:
+
+- **Device name**: The name of the device, defined by the *ComputerName* attribute of the device.
+- **Device status**: The status of the Microsoft Purview Client on the device. Status values are as follows:
+ - ***Healthy***: The client on the device is working properly and forensic evidence capture features are fully supported.
+ - ***Warning***: The client on the device has a warning and forensic evidence capture features may not be fully supported.
+ - ***Error***: The client on the device has an error and forensic evidence capture features are disabled or not fully supported.
+- **Status details**: More information about the device status.
+- **Last sync (UTC)**: Date and time of the last status sync for the device.
+- **User name**: The user name for the user logged into the device when the status sync was performed.
+- **Windows version**: The version of Microsoft Windows installed on the device.
+- **Client version**: The version of the Microsoft Purview Client installed on the device.
+
+The device health status gives you insights into potential issues with your devices and the Microsoft Purview Client. The **Device status** column on the **Device health** page can alert you to device issues that may prevent user activity from being captured or why the volume of forensic evidence capturing is unusual. The device health status can also confirm that the devices included in forensic evidence capturing are healthy and don't need attention or configuration changes. The following table lists potential status detail messages and recommended actions you can take to address warnings and errors:
+
+|**Status Details**|**Status**|**Suggested Action**|
+|:-|:-|:-|
+| An internal server error occurred. As a result, capture data might be missing. | Error | Create a support ticket with Microsoft for further investigation |
+| Upload bandwidth has reached 90% of the configured limit on this device. Captures might be overwritten soon. | Warning | Increase the upload bandwidth limit on the [Forensic evidence settings](/microsoft-365/compliance/insider-risk-management-forensic-evidence-configure) page. |
+| The configured upload bandwidth limit has been reached on this device. No more captures will be uploaded for the day. | Error | Increase the upload bandwidth limit on the [Forensic evidence settings](/microsoft-365/compliance/insider-risk-management-forensic-evidence-configure) page. |
+| Offline storage has reached 90% of the configured limit on this device. Captures might be overwritten soon. | Warning | Increase the offline capturing cache limit on the [Forensic evidence settings](/microsoft-365/compliance/insider-risk-management-forensic-evidence-configure) page. |
+| The configured offline storage limit has been reached on this device. As a result, offline captures are being overwritten. | Error | Increase the offline capturing cache limit on the [Forensic evidence settings](/microsoft-365/compliance/insider-risk-management-forensic-evidence-configure) page. |
+| CPU usage on the device has exceeded the maximum threshold. | Error | The capture process has been stopped and will restart in a few minutes. |
+| Memory usage on the device has exceeded the maximum threshold. | Error | The capture process has been stopped and will restart in a few minutes. |
+| GPU usage on the device has exceeded the maximum threshold. | Error | The capture process has been stopped and will restart in a few minutes. |
+| The Microsoft Purview Client installed on the device in unable to sync with the forensic evidence policy. | Warning | Connect to network & reinstall client |
+| The Microsoft Purview Client installed on the device hasn't synced with the forensic evidence policy in over 24 hours. | Error | Connect to network & reinstall client |
+| The Microsoft Purview Client is unable to capture activity because no graphics card is detected on this device. | Error | Add a graphics card or replace the device with one that has a graphics card |
+| The Microsoft Purview Client is unable to capture activity because no display monitors are detected on this device. | Error | Add display monitors for this device |
+| The Microsoft Purview Client is unable to capture activity because display monitors on this device were turned off or disconnected. | Error | Connect/Turn on display monitors for the device |
+| Device is unable to access the directory that stores forensic evidence captures. | Error | Reinstall the client on this device |
+| Encoder initialization failed. | Error | Reinstall the client on this device. |
+
+Contact Microsoft Support if the recommended actions don't resolve issues with the client.
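Review bot: The paragraph before "Approve or reject capturing requests" tells approvers to select a user on the "Forensic evidence request (preview)" tab, but the sentence just above it and step 1 of the approval procedure both navigate to **Pending requests**; use one name so approvers can find the queue. In step 9 of "Request capturing approvals", "complete the following required fields" is followed by no list; either repeat the four fields from "Creating and managing notification templates" or link to that section. Typos to fix before merge: "the user or will appear", "Choose an existing template o create", "all the devices in configured", "installed on the device in unable to sync", and the missing period after **Save** in the template steps. In the status table, the CPU, memory and GPU rows put a description ("The capture process has been stopped and will restart in a few minutes.") in the Suggested Action column; say what the admin should do, even if that is "No action needed".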
compliance Insider Risk Management Forensic Evidence https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/insider-risk-management-forensic-evidence.md
+
+ Title: Learn about insider risk management forensic evidence (preview)
+description: Learn about insider risk management forensic evidence in Microsoft Purview. Forensic evidence is an investigative tool for viewing captured user activity to help determine whether the user's actions pose a risk and may lead to a security incident.
+keywords: Microsoft 365, Microsoft Purview, insider risk, risk management, compliance
+ms.localizationpriority: medium
++
+f1.keywords:
+- NOCSH
+++
+audience: itpro
+++
+# Learn about insider risk management forensic evidence (preview)
+
+>[!IMPORTANT]
+>Microsoft Purview Insider Risk Management correlates various signals to identify potential malicious or inadvertent insider risks, such as IP theft, data leakage and security violations. Insider risk management enables customers to create policies to manage security and compliance. Built with privacy by design, users are pseudonymized by default, and role-based access controls and audit logs are in place to help ensure user-level privacy.
+
+Having visual context is crucial for security teams during forensic investigations to get better insights into potentially risky security-related user activities. With customizable event triggers and built-in user privacy protection controls, Forensic evidence enables customizable visual activity capturing across devices to help your organization better mitigate, understand, and respond to potential data risks like unauthorized data exfiltration of sensitive data. You set the right policies for your organization, including what risky events are the highest priority for capturing forensic evidence, what data is most sensitive, and whether users are notified when forensic capturing is activated. Forensic evidence capturing is off by default and policy creation requires dual authorization.
++
+## Feature capabilities
+
+- **Visual capturing** allows organizations to capture clips of key security-related user activities, allowing for more secure or compliant visibility and meeting organizational needs.
+- **Protected user privacy** through multiple levels of approval for the activation of the capturing feature.
+- **Customizable triggers and capturing options** mean that security teams can set up forensic evidence to meet their needs, whether it be based on incidents (for example, *Capture 5 min before and 10 min after a user has downloaded 'SecretResearchPlans.docx'*), or based on continuous capturing needs.
+- **User-centric policy targeting** means that security and compliance teams can focus on activity by user, not device, for better contextual insights.
+- **Strong role-based access controls (RBAC)** mean that the ability to set up and review forensic clips is tightly controlled and only available to individuals in the organization with the right permissions.
+- **Deep integration with current insider risk management features**, making for easier onboarding and more familiar workflows for insider risk management administrators and a trusted single-platform approach.
+
+## Capturing options
+
+[Triggering events, global indicators, and policy indicators](/microsoft-365/compliance/insider-risk-management-settings#indicators) play an important role in all insider risk management policies, including forensic evidence policies. Triggering events are user actions that determine if users are brought into scope for evaluation in insider risk management policies. Global settings indicators are used to determine what activities are collected by insider risk management. Policy indicators are used to determine a risk score for an in-scope user.
+
+Depending how your organization decides to configure forensic evidence, there are two capturing options:
+
+- **Specific activities**: This policy option captures activity only when a triggering event has brought an approved user into scope for the forensic evidence policy and when the conditions for a policy indicator are detected for the user. For example, a user approved for forensic evidence capturing is brought in-scope to the forensic evidence policy and the user copies data to personal cloud storage services or portable storage devices. Capturing is scoped only to the configured time frame when the user is copying the data to the personal cloud storage service or portable storage device. Captures for this option will be available for review on the **Forensic evidence (preview)** tab on the **Alerts** dashboard.
+- **All activities**: This policy option captures any activity performed by users. This includes mouse movement, keystrokes, and all activities defined by insider risk indicators. For example, your organization has a time-sensitive need for capturing activities for an approved user that is actively involved in potentially risky activities that may lead to a security incident. Policy indicators may not have reached the threshold for an alert to be generated by the policy and the potentially risky activity may not be documented. Continuous capturing help prevents the potentially risky activity from being missed or going undetected. Captures for this option will be available for review on the **Forensic evidence (preview)** tab on the **User activity reports (preview)** dashboard.
+
+>[!IMPORTANT]
+>Forensic evidence clips are deleted 120 days after they're captured or at the end of the preview period, whichever is sooner. You can download or transfer forensic evidence clips before they're deleted.
+
+## Workflow
+
+The overall workflow for detecting, investigating, and remediating alerts that contain clip capturing follows the [same basic steps](/microsoft-365/compliance/insider-risk-management#workflow) as other insider risk management policies. However, there are some notable differences for forensic evidence when configured in your organization:
+
+- **Users subject to capturing must have explicit capturing requests and approvals**: This is an extra process not included as a part of configuring other insider risk management policies. Users assigned to the *Insider Risk Management* or *Insider Risk Management Admins* role groups must submit a request to users assigned to the *Insider Risk Management Approvers* role group before any user in your organization is eligible for any clip capturing options. For example, this requirement helps support organizational scenarios where your insider risk management admins must get explicit approval from your designated legal or human resources personnel before capturing for any user is enabled.
+- **Devices must be onboarded and have the Microsoft Purview client installed**: Before forensic evidence can collect and store clips captured for eligible users, their devices must be onboarded to the Microsoft Purview compliance portal. Additionally, each device must have the Microsoft Purview Client installed. These prerequisites enable support for both online and offline device capturing.
+
+## Ready to get started?
+
+- See [Get started with insider risk management forensic evidence](/microsoft-365/compliance/insider-risk-management-forensic-evidence-configure) for step-by-step guidance to configure forensic evidence capturing in your organization.
+- See [Get started with insider risk management](/microsoft-365/compliance/insider-risk-management-configure) to configure prerequisites, create policies, and start receiving alerts.
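Review bot: The introduction ends with "policy creation requires dual authorization", but the Workflow section in this same file, and the configure and manage articles, attach the request-and-approve step to enabling capturing for specific users, not to creating a policy; reword the sentence so it names the step that is actually gated. Under "Capturing options", "Continuous capturing help prevents" should be "helps prevent", and "unauthorized data exfiltration of sensitive data" in the introduction repeats "data". The **Specific activities** bullet says captures are reviewed on the **Alerts** dashboard only, while the configure article says **Alerts** or **Cases**; align the two.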
compliance Insider Risk Management Plan https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/insider-risk-management-plan.md
Depending on how you wish to manage insider risk management policies and alerts,
You'll choose from these role group options and solution actions when working with insider risk management:
-|**Actions**|**Insider Risk Management**|**Insider Risk Management Admin**|**Insider Risk Management Analysts**|**Insider Risk Management Investigators**|**Insider Risk Management Auditors**|
-|:-|:--|:--|:--|:-|:--|
-| Configure policies and settings | Yes | Yes | No | No | No |
-| Access analytics insights | Yes | Yes | Yes | No | No |
-| Access & investigate alerts | Yes | No | Yes | Yes | No |
-| Access & investigate cases | Yes | No | Yes | Yes | No |
-| Access & view the Content Explorer | Yes | No | No | Yes | No |
-| Configure notice templates | Yes | No | Yes | Yes | No |
-| View & export audit logs | Yes | No | No | No | Yes |
+|**Actions**|**Insider Risk Management**|**Insider Risk Management Admin**|**Insider Risk Management Analysts**|**Insider Risk Management Investigators**|**Insider Risk Management Auditors**|**Insider Risk Management Approvers**|
+||||||||
+|Configure policies and settings|Yes|Yes|No|No|No|No|
+|Access analytics insights|Yes|Yes|Yes|No|No|No|
+|Access & investigate alerts|Yes|No|Yes|Yes|No|No|
+|Access & investigate cases|Yes|No|Yes|Yes|No|No|
+|Access & view the Content Explorer|Yes|No|No|Yes|No|No|
+|Configure notice templates|Yes|No|Yes|Yes|No|No|
+|View & export audit logs|Yes|No|No|No|Yes|No|
+|Access & view forensic evidence captures|Yes|No|No|Yes|No|No|
+|Create forensic evidence capturing request|Yes|Yes|No|No|No|No|
+|Approve forensic evidence capturing requests|Yes|No|No|No|No|Yes|
+|View device health report|Yes|Yes|No|No|No|No|
>[!IMPORTANT] >Make sure you always have at least one user in the *Insider Risk Management* or *Insider Risk Management Admin* role groups (depending on the option you choose) so that your insider risk management configuration doesn't get in to a 'zero administrator' scenario if specific users leave your organization.
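Review bot: In the new table the *Insider Risk Management* column is "Yes" for both "Create forensic evidence capturing request" and "Approve forensic evidence capturing requests", so a single member of that role group holds both halves of the dual authorization that the forensic evidence articles describe; state here whether a requester can approve their own request, or recommend keeping approval in the separate *Insider Risk Management Approvers* group when separation of duties is required. The two row labels also mix singular "request" and plural "requests". The delimiter row changed from `|:-|:--|:--|...` to `||||||||`, which contains no dashes; confirm the table still renders with left alignment.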
Ready to configure insider risk management for your organization? Review the fol
- [Get started with insider risk management settings](insider-risk-management-settings.md) to configure global policy settings. - [Get started with insider risk management](insider-risk-management-configure.md) to configure prerequisites, create policies, and start receiving alerts.
+- [Get started with insider risk management forensic evidence](/microsoft-365/compliance/insider-risk-management-forensic-evidence-configure) for step-by-step guidance to configure forensic evidence capturing in your organization.
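Review bot: The added bullet links with a site-absolute path (`/microsoft-365/compliance/insider-risk-management-forensic-evidence-configure`) while the two bullets above it use relative `.md` links; use `insider-risk-management-forensic-evidence-configure.md` to stay consistent with the rest of this list.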
compliance Insider Risk Management Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/insider-risk-management-policies.md
Use the following table to determine the maximum number of in-scope users suppor
|Security policy violation by priority users|1,000| |Security policy violations by departing users|15,000| |Security policy violations by disgruntled users|7,500|
+|Forensic evidence|5 users for preview release|
## Create a new policy
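Review bot: The new row puts "5 users for preview release" in a column whose other cells are bare counts (1,000, 15,000, 7,500), and the configure article words the same limit as "a maximum of 5 concurrent users"; clarify whether this is 5 in-scope users per policy or 5 concurrently approved users across the organization, and keep the cell to the number with the preview qualifier stated once in a note.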
compliance Insider Risk Management Settings https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/insider-risk-management-settings.md
Complete the following steps to delete a priority user group:
Identifying access to priority physical assets and correlating access activity to user events is an important component of your compliance infrastructure. These physical assets represent priority locations in your organization, such as company buildings, data centers, or server rooms. Insider risk activities may be associated with users working unusual hours, attempting to access these unauthorized sensitive or secure areas, and requests for access to high-level areas without legitimate needs.
-With priority physical assets enabled and the [Physical badging data connector](import-physical-badging-data.md) configured, insider risk management integrates signals from your physical control and access systems with other user risk activities. By examining patterns of behavior across physical access systems and correlating these activities with other insider risk events, insider risk management can help compliance investigators and analysts make more informed response decisions for alerts. Access to priority physical assets are scored and identified in insights differently from access to non-priority assets.
+With priority physical assets enabled and the [Physical badging data connector](import-physical-badging-data.md) configured, insider risk management integrates signals from your physical control and access systems with other user risk activities. By examining patterns of behavior across physical access systems and correlating these activities with other insider risk events, insider risk management can help compliance investigators and analysts make more informed response decisions for alerts. Access to priority physical assets is scored and identified in insights differently from access to non-priority assets.
For example, your organization has a badging system for users that governs and approves physical access to normal working and sensitive project areas. You have several users working on a sensitive project and these users will return to other areas of your organization when the project is completed. As the sensitive project nears completion, you want to make sure that the project work remains confidential and that access to the project areas is tightly controlled.
compliance Insider Risk Management https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/insider-risk-management.md
Employment stressor events can impact user behavior in several ways that relate
- [Data leaks by disgruntled users (preview)](insider-risk-management-policies.md#data-leaks-by-disgruntled-users-preview) - [Security policy violations by disgruntled users (preview)](insider-risk-management-policies.md#security-policy-violations-by-disgruntled-users-preview)
-### Risky browser usage that could result in a security incident (preview)
+### Visual context for potentially risky user activities with forensic evidence (preview)
-Most organizations provide users with rules and guidelines that clarify how an organization's devices and internet access should be used. These policies help protect both the organization and users from security and regulatory risks. To help identity these types of risky actions, the following insider risk management policy template can help detect and enable risk scoring for web browsing behaviors that might result in a data security incident, such as visiting sites that provide malware or hacking tools.
--- [General risky browser usage (preview)](insider-risk-management-policies.md#general-risky-browser-usage-preview)
+Having visual context is crucial for security teams during forensic investigations to get better insights into potentially risky user activities that may lead to a security incident. This may include visual capturing of these activities to help evaluate if they are indeed risky or taken out of context and not potentially risky. For activities that are determined to be risky, having forensic evidence captures can help investigators and your organization better mitigate, understand, and respond to these activities. To help with this scenario, [enable forensic evidence capturing](insider-risk-management-forensic-evidence.md) for online and offline devices in your organization.
## Ready to get started?
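Review bot: The "Risky browser usage that could result in a security incident (preview)" heading, its paragraph and the link to the General risky browser usage template are deleted and replaced by the forensic evidence section, rather than the new section being added alongside. If that template is still offered, keep the old section and add the forensic evidence section after it; removing the heading also breaks any inbound links to its anchor. In the new paragraph, "taken out of context and not potentially risky" reads awkwardly and could be shortened to "or not".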
compliance Retention Policies Teams https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/retention-policies-teams.md
For other workloads, see:
> > Retention policies also support messages posted with the [chat with yourself](https://support.microsoft.com/office/start-a-chat-in-teams-0c71b32b-c050-4930-a887-5afbe742b3d8?storagetype=live#bkmk_chatwithself) feature.
-Teams chats messages, channel messages, and private channel messages can be deleted by using retention policies for Teams, and in addition to the text in the messages, the following items can be retained for compliance reasons: Video clips, embedded images, tables, hypertext links, links to other Teams messages and files, and [card content](/microsoftteams/platform/task-modules-and-cards/what-are-cards). Chat messages and private channel messages include all the names of the people in the conversation, and channel messages include the team name and the message title (if supplied).
+Teams chats messages, channel messages, and private channel messages can be deleted by using retention policies for Teams, and in addition to the text in the messages, the following items can be retained for compliance reasons: [Video clips](https://support.microsoft.com/office/record-a-video-clip-in-teams-0c57dae5-2974-4214-9c46-7a2136386f1c), embedded images, tables, hypertext links, links to other Teams messages and files, and [card content](/microsoftteams/platform/task-modules-and-cards/what-are-cards). Chat messages and private channel messages include all the names of the people in the conversation, and channel messages include the team name and the message title (if supplied).
Code snippets, recorded voice memos from the Teams mobile client, thumbnails, announcement images, and reactions from others in the form of emoticons aren't retained when you use retention policies for Teams.
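Review bot: The rewritten sentence still opens with "Teams chats messages"; since the line is being touched for the video clips link, fix it to "Teams chat messages" in the same change. The list also capitalises "Video clips" after the colon while the other items are lower case.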
frontline Flw Pilot https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/flw-pilot.md
We recommend that you prepare for deployment by completing this 30-minute learni
> > * [Get your people together](#plan-your-pilot) > * [Plan your pilot](#plan-your-pilot)
-> * [Sset up Microsoft 365 and Teams](#set-up-microsoft-365-and-teams)
+> * [Set up Microsoft 365 and Teams](#set-up-microsoft-365-and-teams)
> * [Communicate](#communicate) > * [Measure](#measure) > * [Iterate and expand](#iterate-and-expand)
security Built In Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/built-in-protection.md
Built-in protection is a set of default settings that are rolling out to help en
| Phase | What happens | |:|:|
-| Built-in protection is rolling out in [preview](preview.md) | Customers who have opted to receive preview features are receiving [notification](#what-does-the-notification-look-like) that built-in protection is coming. If it's not already configured, tamper protection will be turned on for customers who have Defender for Endpoint Plan 2 or Microsoft 365 E5. |
+| Built-in protection (preview) is rolling out | Customers who have opted to receive preview features are receiving [notification](#what-does-the-notification-look-like) that built-in protection is coming. If it's not already configured, tamper protection will be turned on for customers who have Defender for Endpoint Plan 2 or Microsoft 365 E5. |
| Built-in protection becomes available for your tenant | You'll be [notified](#what-does-the-notification-look-like) that your tenant is about to receive built-in protection and when tamper protection will be turned on (if it's not already configured). | | Built-in protection arrives | Tamper protection will be turned on for your tenant, and will be applied to your organization's Windows devices. You can [opt out](#can-i-opt-out) or [change your built-in protection settings](#can-i-change-built-in-protection-settings). | | After built-in protection has arrived | Whenever new devices are onboarded to Defender for Endpoint, built-in protection settings will be applied to any new devices running Windows. You can always [change your built-in protection settings](#can-i-change-built-in-protection-settings). |
security Faqs Tamper Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/faqs-tamper-protection.md
ms.mktglfcycl: manage ms.sitesec: library ms.localizationpriority: medium Last updated : 10/17/2022 audience: ITPro
If you're an organization using [Microsoft Defender for Endpoint](/microsoft-365
## How does configuring tamper protection in Intune affect how I manage Microsoft Defender Antivirus with Group Policy?
-If you're currently using Intune to configure and manage 'tamper protection', you should continue using Intune.
+If you're currently using Intune to configure and manage tamper protection, you should continue using Intune.
-Group policy doesn't apply to tamper protection. Changes made to Microsoft Defender Antivirus settings using Group Policy are ignored when tamper protection is turned on, or when tamper protection is configured with Intune.
+When tamper protection is turned on and you use Group Policy to make changes to Microsoft Defender Antivirus settings, the settings that are tamper protected will be ignored.
-## If we use Microsoft Intune to configure 'tamper protection', does it apply only to the entire organization?
+## If we use Microsoft Intune to configure tamper protection, does it apply only to the entire organization?
You have flexibility in configuring tamper protection with Intune. You can target your entire organization, or select specific devices and user groups.
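Review bot: The new Group Policy answer says "the settings that are tamper protected will be ignored" but does not say which settings those are, and it drops the old statement that this also holds when tamper protection is configured with Intune. Link to the list of tamper-protected settings from this sentence, and reword so it is clear that the Group Policy changes are what gets ignored, not the protected settings themselves.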
Currently, configuring tamper protection in Intune is only available for custome
## I'm an enterprise customer. Can local admins change tamper protection on their devices?
-No. Local admins can't change or modify 'tamper protection' settings.
+No. Local admins can't change or modify tamper protection settings.
## What happens if my device is onboarded with Microsoft Defender for Endpoint and then goes into an off-boarded state?
security Gov https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/gov.md
These are the features and known gaps for [Mobile Threat Defense (Microsoft Defe
|Feature name|GCC|GCC High|DoD| ||::|::|::| |Web Protection (Anti-Phishing and custom indicators)|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)|
-|Malware Protection (Android-Only)|![No](images/svg/check-no.svg) In development|![No](images/svg/check-no.svg) In development|![No](images/svg/check-no.svg) In development|
+|Malware Protection (Android-Only)|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)|
|Jailbreak Detection (iOS-Only)|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)| |Conditional Access/Conditional Launch|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)| |Support for MAM|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)|
security Ios Whatsnew https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/ios-whatsnew.md
Network Protection on Microsoft Defender for Endpoint is now in public preview.
It includes several admin controls to offer flexibility, such as the ability to configure the feature from within the Microsoft Endpoint Manager Admin center. Admins can also enable privacy controls to configure the data that is sent by Defender for Endpoint from iOS devices. For more information, read [Configure Network Protection](/microsoft-365/security/defender-endpoint/ios-configure-features#configure-network-protection).
-Network protection for iOS is already enabled for your tenant. End-users who are testing Network protection feature can install the preview version of the app via TestFlight. Browse to https://aka.ms/mdeiospp on the iOS device. This will prompt you to install the TestFlight app on your device or open TestFlight in case it is already installed. On the TestFlight app, follow the onscreen instructions to install Microsoft Defender Endpoint. Please verify that the version number of MDE is 1.1.29270104.
+Network protection for iOS is already enabled for your tenant. End-users who are testing Network protection feature can install the preview version of the app via TestFlight. Browse to https://aka.ms/mdeiospp on the iOS device. This will prompt you to install the TestFlight app on your device or open TestFlight in case it is already installed. On the TestFlight app, follow the onscreen instructions to install Microsoft Defender Endpoint. Please verify that the version number of MDE is 1.1.33070102.
## Privacy Controls
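Review bot: The updated sentence pins an exact build ("Please verify that the version number of MDE is 1.1.33070102"), which goes stale with every TestFlight release; say whether this is a minimum version. The same line calls the app "Microsoft Defender Endpoint" where the surrounding text uses "Microsoft Defender for Endpoint", and alternates between "Network protection" and "Network Protection".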
security Linux Resources https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-resources.md
The following table lists commands for some of the most common scenarios. Run `m
|Quarantine management|Add a file detected as a threat to the quarantine|`mdatp threat quarantine add --id [threat-id]`| |Quarantine management|Remove a file detected as a threat from the quarantine|`mdatp threat quarantine remove --id [threat-id]`| |Quarantine management|Restore a file from the quarantine|`mdatp threat quarantine restore --id [threat-id] --path [destination-folder]`|
-|Endpoint Detection and Response|Set early preview (unused)|`mdatp edr early-preview [enable|disable]`|
+|Endpoint Detection and Response|Set early preview |`mdatp edr early-preview [enabled\|disabled]`|
|Endpoint Detection and Response|Set group-id|`mdatp edr group-ids --group-id [group-id]`| |Endpoint Detection and Response|Set / remove tag, only `GROUP` supported|`mdatp edr tag set --name GROUP --value [tag]`| |Endpoint Detection and Response|List exclusions (root)|`mdatp edr exclusion list [processes|paths|extensions|all]`|
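Review bot: The early-preview row now escapes the pipe inside the table cell ([enabled\|disabled]), but the neighbouring row for mdatp edr exclusion list [processes|paths|extensions|all] still has unescaped pipes and will split into extra columns in the same way. Escape those too in this change, and drop the stray space before the cell separator in "Set early preview |".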
security Minimum Requirements https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/minimum-requirements.md
There are some minimum requirements for onboarding devices to the service. Learn
## Licensing requirements
-The standalone versions of [Defender for Endpoint Plan 1 and Plan 2](defender-endpoint-plan-1-2.md), even when they are included as part of other Microsft 365 plans, do not include server licenses. To onboard servers to those plans, you'll need Defender for Servers Plan 1 or Plan 2 as part of the [Defender for Cloud](/azure/defender-for-cloud/defender-for-cloud-introduction) offering. To learn more, see the overview of [Microsoft Defender for Servers](/azure/defender-for-cloud/defender-for-servers-introduction).
+The standalone versions of [Defender for Endpoint Plan 1 and Plan 2](defender-endpoint-plan-1-2.md), even when they are included as part of other Microsoft 365 plans, do not include server licenses. To onboard servers to those plans, you'll need Defender for Servers Plan 1 or Plan 2 as part of the [Defender for Cloud](/azure/defender-for-cloud/defender-for-cloud-introduction) offering. To learn more, see the overview of [Microsoft Defender for Servers](/azure/defender-for-cloud/defender-for-servers-introduction).
For information licensing requirements for Microsoft Defender for Endpoint, see [Microsoft Defender for Endpoint licensing information](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance#microsoft-defender-for-endpoint).
Access to Defender for Endpoint is done through a browser, supporting the follow
- Windows Server 2012 R2 - Windows Server 2016 - Windows Server, version 1803 or later
- - Windows Server 2019
+ - Windows Server 2019 and later
+ - Windows Server 2019 core edition
- Windows Server 2022 - Windows Virtual Desktop - Windows 365
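Review bot: "Windows Server 2019 and later" is immediately followed by a separate "Windows Server 2022" entry, so the list now states the same support twice in two different ways. Either keep explicit per-version entries or drop the 2022 line. The new "Windows Server 2019 core edition" entry also leaves it unclear whether core editions of later versions are covered.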
security Prevent Changes To Security Settings With Tamper Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection.md
During some kinds of cyber attacks, bad actors try to disable security features,
- Disabling scanning of archives and network files > [!IMPORTANT]
-> Built-in protection (preview) includes turning tamper protection on by default. To learn more about built-in protection, see:
+> Built-in protection includes turning tamper protection on by default. To learn more about built-in protection, see:
> - [Built-in protection helps guard against ransomware](built-in-protection.md) (article) > - [Tamper protection will be turned on for all enterprise customers](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/tamper-protection-will-be-turned-on-for-all-enterprise-customers/ba-p/3616478) (Tech Community blog post)
security Safety Scanner Download https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/intelligence/safety-scanner-download.md
Microsoft Safety Scanner is a scan tool designed to find and remove malware from
## System requirements
-Safety Scanner helps remove malicious software from computers running Windows 11, Windows 10, Windows 10 Tech Preview, Windows 8.1, Windows 8, Windows 7, Windows Server 2019, Windows Server 2016, Windows Server Tech Preview, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, or Windows Server 2008. For details, refer to the [Microsoft Lifecycle Policy](/lifecycle/).
+Safety Scanner helps remove malicious software from computers running Windows 11, Windows 10, Windows 10 Tech Preview, Windows 8.1, Windows 8, Windows 7, Windows Server 2019, Windows Server 2016, Windows Server Tech Preview, Windows Server 2012 R2, Windows Server 2012, or Windows Server 2008 R2. For details, refer to the [Microsoft Lifecycle Policy](/lifecycle/).
## How to run a scan
security Submission Guide https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/intelligence/submission-guide.md
search.appverid: met150
If you have a file that you suspect might be malware or is being incorrectly detected, you can submit it to us for analysis. This page has answers to some common questions about submitting a file for analysis.
+> [!TIP]
+> If your organization's subscription includes [Microsoft Defender for Endpoint Plan 2](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint), [Microsoft Defender for Office 365 Plan 2](/microsoft-365/security/office-365-security/defender-for-office-365), or [Microsoft 365 Defender](/microsoft-365/security/defender/microsoft-365-defender), you can use the [new unified submissions portal](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/unified-submissions-in-microsoft-365-defender-now-generally/ba-p/3270770). To learn more, see [Submit files in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/admin-submissions-mde).
+ ## How do I submit a file to Microsoft for analysis? ### Send a malware file
security Virus Initiative Criteria https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/intelligence/virus-initiative-criteria.md
The Microsoft Virus Initiative (MVI) helps organizations develop better-together
## Become a member
+> [!NOTE]
+> The MVI Program is not currently accepting new applications for membership. Please contact MVI@microsoft.com for more information.
+ You can request membership if you're a representative for an organization that develops and produces antimalware or antivirus technology. To qualify for the MVI program, your organization must meet all the following requirements:
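Review bot: The added note says the MVI Program is not currently accepting new applications, yet the paragraph right after it still begins "You can request membership if you're a representative for an organization...". Reword that paragraph (for example, as the criteria that apply when applications reopen) so the section does not contradict itself.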
security What S The Difference Between Junk Email And Bulk Email https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/what-s-the-difference-between-junk-email-and-bulk-email.md
Organizations without Defender for Office 365 Plan 2 can try the features in Mic
3. Once you have identified wanted and unwanted senders, adjust the bulk threshold to your desired level. If there are bulk senders with BCL score that doesn't fit within your bulk threshold, [submit the messages to Microsoft for analysis](allow-block-email-spoof.md#use-the-microsoft-365-defender-portal-to-create-allow-entries-for-domains-and-email-addresses-in-the-submissions-portal), which adds the sender as an allow entry to the Tenant Allow/Block List.
-Admins can follow the [recommended bulk threshold values](/microsoft-365/security/office-365-security/recommended-settings-for-eop-and-office365.md#anti-spam-anti-malware-and-anti-phishing-protection-in-eop) bulk threshold values or choose a bulk threshold value that suits the needs of their organization.
+Admins can follow the [recommended bulk threshold values](recommended-settings-for-eop-and-office365.md#anti-spam-anti-malware-and-anti-phishing-protection-in-eop) or choose a bulk threshold value that suits the needs of their organization.
whiteboard Manage Sharing Gcc High https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/whiteboard/manage-sharing-gcc-high.md
description: Learn how to manage sharing for Microsoft Whiteboard in GCC High en
When you share a whiteboard in a Teams meeting, Whiteboard creates a sharing link. This link is accessible by anyone within the organization. The whiteboard is also shared with any in-tenant users in the meeting. Whiteboards are shared using company-shareable links, regardless of the default setting. Support for the default sharing link type is planned.
-There's more capability for temporary collaboration by most external and shared device accounts during a meeting. Users can temporarily view and collaborate on whiteboards when they're shared in a Teams meeting, similar to PowerPoint Live sharing.
+During a Teams meeting, external and shared device accounts (typically used in Surface Hubs and Teams Rooms devices) have more capability for temporary
+collaboration. Users can temporarily view and collaborate on whiteboards that are shared in a meeting, in a similar way to PowerPoint Live sharing.
In this case, Whiteboard provides temporary viewing and collaboration on the whiteboard during the Teams meeting only. A share link isn't created and Whiteboard doesn't grant access to the file.
This setting applies only to whiteboards and replaces the previously shared sett
> [!NOTE] > This applies only to guests and federated users. It does not apply to anonymous meeting users at this time.
->
+
+> [!NOTE]
> If you would like shared device accounts to have access to Whiteboard in Teams meetings but not anonymous users, you can disable **Anonymous users can interact with apps in meetings** while having **AllowAnonymousMeetingParticipantsToAccessWhiteboards** enabled These changes should take approximately 60 minutes to apply across your tenancy.
When you add a whiteboard as a tab in a Teams channel or chat, Whiteboard will c
When you share a whiteboard from the web, desktop, or mobile clients, you can choose specific people. You can also create a sharing link that's accessible by anyone in the organization.
->[!NOTE]
-> External sharing during a Teams meeting is not yet available, but will be added in a future release.
- |Scenario|Storage and ownership|Sharing settings|Sharing experience| ||||| |Create the whiteboard from a desktop or mobile device|Storage: OneDrive for Business<br><br>Owner: User who creates the whiteboard|Not applicable|In-tenant users: Can share within their organization<br><br>External users: Sharing with external users isn't supported at this time|
whiteboard Manage Sharing Gcc https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/whiteboard/manage-sharing-gcc.md
description: Learn how to manage sharing for Microsoft Whiteboard in GCC environ
When you share a whiteboard in a Teams meeting, Whiteboard creates a sharing link. This link is accessible by anyone within the organization. The whiteboard is also shared with any in-tenant users in the meeting. Whiteboards are shared using company-shareable links, regardless of the default setting. Support for the default sharing link type is planned.
-There's more capability for temporary collaboration by most external and shared device accounts during a meeting. Users can temporarily view and collaborate on whiteboards when they're shared in a Teams meeting, similar to PowerPoint Live sharing.
+During a Teams meeting, external and shared device accounts (typically used in Surface Hubs and Teams Rooms devices) have more capability for temporary
+collaboration. Users can temporarily view and collaborate on whiteboards that are shared in a meeting, in a similar way to PowerPoint Live sharing.
In this case, Whiteboard provides temporary viewing and collaboration on the whiteboard during the Teams meeting only. A share link isn't created and Whiteboard doesn't grant access to the file.
To enable this behavior, follow these steps:
This setting applies only to whiteboards and replaces the previously shared settings: **OneDriveLoopSharingCapability** and **CoreLoopSharingCapability**. Those settings are no longer applicable and can be disregarded. > [!NOTE]
-> By default, the Teams meeting setting **Anonymous users can interact with apps in meetings** is enabled by default. If you have disabled it, any anonymous users (as opposed to guests or federated users) will not have access to the whiteboard during the meeting
->
+> By default, the Teams meeting setting **Anonymous users can interact with apps in meetings** is enabled by default. If you have disabled it, any anonymous user (as opposed to guests or federated users) will not have access to the whiteboard during the meeting
+
+> [!NOTE]
> If you would like shared device accounts to have access to Whiteboard in Teams meetings but not anonymous users, you can disable **Anonymous users can interact with apps in meetings** while having **AllowAnonymousMeetingParticipantsToAccessWhiteboards** enabled These changes should take approximately 60 minutes to apply across your tenancy.
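Review bot: The rewritten note still reads "By default, the Teams meeting setting ... is enabled by default" and ends without a period after "during the meeting"; the organizations version of this same note has both fixed, so align this file with it. The second note is also missing a period between "enabled" and "These changes should take approximately 60 minutes".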
whiteboard Manage Sharing Organizations https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/whiteboard/manage-sharing-organizations.md
The sharing experience differs based on whether you're in a Teams meeting, if yo
When you share a whiteboard in a Teams meeting, Whiteboard creates a sharing link. This link is accessible by anyone within the organization. The whiteboard is also shared with any in-tenant users in the meeting. Whiteboards are shared using company-shareable links, regardless of the default setting. Support for the default sharing link type is planned.
-There's more capability for temporary collaboration by external and shared device accounts during a Teams meeting. Users can temporarily view and collaborate on whiteboards that are shared in a meeting, in a similar way to PowerPoint Live sharing.
+During a Teams meeting, external and shared device accounts (typically used in Surface Hubs and Teams Rooms devices) have more capability for temporary
+collaboration. Users can temporarily view and collaborate on whiteboards that are shared in a meeting, in a similar way to PowerPoint Live sharing.
In this case, Whiteboard provides temporary viewing and collaboration on the whiteboard during the Teams meeting only. A share link isn't created and Whiteboard doesn't grant access to the file.
To enable this behavior, follow these steps:
This setting applies only to whiteboards and replaces the previously shared settings: **OneDriveLoopSharingCapability** and **CoreLoopSharingCapability**. Those settings are no longer applicable and can be disregarded. > [!NOTE]
-> By default, the Teams meeting setting **Anonymous users can interact with apps in meetings** is enabled. If you have disabled it, any anonymous users (as opposed to guests or federated users) won't have access to the whiteboard during the meeting.
->
+> By default, the Teams meeting setting **Anonymous users can interact with apps in meetings** is enabled. If you have disabled it, any anonymous user (as opposed to guests or federated users) won't have access to the whiteboard during the meeting.
+
+> [!NOTE]
> If you would like shared device accounts to have access to Whiteboard in Teams meetings but not anonymous users, you can disable **Anonymous users can interact with apps in meetings** while having **AllowAnonymousMeetingParticipantsToAccessWhiteboards** enabled These changes should take approximately 60 minutes to apply across your tenancy.
When you add a whiteboard as a tab in a Teams channel or chat, Whiteboard will c
When you share whiteboards from the web, desktop, or mobile clients, you can choose specific people. You can also create a sharing link that's accessible by anyone in the organization.
-> [!NOTE]
-> External sharing during a Teams meeting isn't yet available but will be added in a future release.
- |Scenario|Storage and ownership|Sharing settings|Sharing experience| ||||| |Create the whiteboard from a desktop or mobile device|Storage: OneDrive for Business<br><br>Owner: User who creates the whiteboard|Not applicable (only applies to meetings)|In-tenant users: Can share within their organization<br><br>External users: Sharing with external users isn't supported at this time|