Updates from: 11/11/2022 02:58:29
Category Microsoft Docs article Related commit history on GitHub Change details
business-premium M365bp Setup https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business-premium/m365bp-setup.md
audience: Admin
Previously updated : 10/18/2022 Last updated : 11/10/2022 ms.localizationpriority: high f1.keywords: NOCSH
Make sure that you meet the following requirements before you begin your setup p
| Permissions | To complete the initial setup process, you must be a Global Admin. [Learn more about admin roles](../admin/add-users/about-admin-roles.md). | | Browser requirements | Microsoft Edge, Safari, Chrome or Firefox. [Learn more about browser requirements](https://www.microsoft.com/microsoft-365/microsoft-365-and-office-resources#coreui-heading-uyetipy). | | Operating systems (client) | **Windows**: Windows 11, Windows 10, Windows 8.1<br/>**macOS**: One of the three most recent versions of macOS
-| Operating systems (servers) | Windows Server or Linux Server <br/>- Requires Microsoft Defender for Business servers (currently in preview)<br/>- See [How to get Microsoft Defender for Business servers (preview)](../security/defender-business/get-defender-business-servers.md). |
+| Operating systems (servers) | Windows Server or Linux Server <br/>(Requires [Microsoft Defender for Business servers](../security/defender-business/get-defender-business-servers.md).) |
> [!NOTE] > For more detailed information about Microsoft 365, Office, and system requirements, see [Microsoft 365 and Office Resources](https://www.microsoft.com/microsoft-365/microsoft-365-and-office-resources).
commerce Change Payment Frequency https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/billing-and-payments/change-payment-frequency.md
Last updated 05/24/2022
When you buy a subscription, you select a billing frequency. To change how often you are billed for a subscription, use the following steps. > [!NOTE]
-> If you have a billing profile, you con only change the billing frequency when you buy or upgrade a subscription. To find out if you have a billing profile, see [View my billing profiles](manage-billing-profiles.md#view-my-billing-profiles).
+> If you have a billing profile, you can only change the billing frequency when you buy or upgrade a subscription. To find out if you have a billing profile, see [View my billing profiles](manage-billing-profiles.md#view-my-billing-profiles).
1. In the admin center, go to the **Billing**\> <a href="https://go.microsoft.com/fwlink/p/?linkid=842054" target="_blank">Your products</a> page. 2. On the **Products** tab, select the subscription that you want to change.
compliance Create Ediscovery Holds https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/create-ediscovery-holds.md
After you create an eDiscovery hold, it may take up to 24 hours for the hold to
When you create a hold, you have the following options to scope the content that's preserved in the specified content locations: - Create an infinite hold where all content in the specified locations is placed on hold. Alternatively, you can create a query-based hold where only the content in the specified locations that matches a search query is placed on hold.- - Specify a date range to preserve only the content that was sent, received, or created within that date range. Alternatively, you can hold all content in specified locations regardless of when it was sent, received, or created. [!INCLUDE [purview-preview](../includes/purview-preview.md)]
To create an eDiscovery hold that's associated with a eDiscovery (Standard) case
1. Go to <a href="https://go.microsoft.com/fwlink/p/?linkid=2077149" target="_blank">Microsoft Purview compliance portal</a> and sign in using the credentials for user account that has been assigned the appropriate eDiscovery permissions.
-2. In the left navigation pane, click **Show all**, and then click **eDiscovery > Core**.
+2. In the left navigation pane, select **Show all**, and then select **eDiscovery > Core**.
-3. On the **eDiscovery (Standard)** page, click the name of the case that you want to create the hold in.
+3. On the **eDiscovery (Standard)** page, select the name of the case that you want to create the hold in.
-4. On the **Home** page for the case, click the **Hold** tab.
+4. On the **Home** page for the case, select the **Hold** tab.
-5. On the **Hold** page, click **Create**.
+5. On the **Hold** page, select **Create**.
-6. On the **Name your hold** wizard page, give the hold a name and add an optional description, and then click **Next**. The name of the hold must be unique in your organization.
+6. On the **Name your hold** wizard page, give the hold a name and add an optional description, and then select **Next**. The name of the hold must be unique in your organization.
7. On the **Choose locations** wizard page, choose the content locations that you want to place on hold. You can place mailboxes, sites, and public folders on hold. ![Choose the content locations to place on hold.](../media/eDiscoveryHoldLocations.png)
- 1. **Exchange mailboxes**: Set the toggle to **On** and then click **Choose users, groups, or teams** to specify the mailboxes to place on hold. Use the search box to find user mailboxes and distribution groups (to place a hold on the mailboxes of group members) to place on hold. You can also place a hold on the associated mailbox for a Microsoft Team, Office 365 Group, and Yammer Group. For more information about the application data that is preserved when a mailbox is placed on hold, see [Content stored in mailboxes for eDiscovery](what-is-stored-in-exo-mailbox.md).
+ 1. **Exchange mailboxes**: Set the toggle to **On** and then select **Choose users, groups, or teams** to specify the mailboxes to place on hold. Use the search box to find user mailboxes and distribution groups (to place a hold on the mailboxes of group members) to place on hold. You can also place a hold on the associated mailbox for a Microsoft Team, Office 365 Group, and Yammer Group. For more information about the application data that is preserved when a mailbox is placed on hold, see [Content stored in mailboxes for eDiscovery](what-is-stored-in-exo-mailbox.md).
- 2. **SharePoint sites**: Set the toggle to **On** and then click **Choose sites** to specify SharePoint sites and OneDrive accounts to place on hold. Type the URL for each site that you want to place on hold. You can also add the URL for the SharePoint site for a Microsoft Team, Office 365 Group or a Yammer Group.
+ 2. **SharePoint sites**: Set the toggle to **On** and then select **Choose sites** to specify SharePoint sites and OneDrive accounts to place on hold. Type the URL for each site that you want to place on hold. You can also add the URL for the SharePoint site for a Microsoft Team, Office 365 Group or a Yammer Group.
3. **Exchange public folders**: Set the toggle to **On** to put all public folders in your Exchange Online organization on hold. You can't choose specific public folders to put on hold. Leave the toggle switch off if you don't want to put a hold on public folders. > [!IMPORTANT] > When adding Exchange mailboxes or SharePoint sites to a hold, you must explicitly add at least one content location to the hold. In other words, if you set the toggle to **On** for mailboxes or sites, you must select specific mailboxes or sites to add to the hold. Otherwise, the eDiscovery hold will be created but no mailboxes or sites will be added to the hold.
-8. When you're done adding locations to the hold, click **Next**.
+8. When you're done adding locations to the hold, select **Next**.
-9. To create a query-based hold using keywords or conditions, complete the following steps. To preserve all content in the specified content locations, click **Next**.
+9. To create a query-based hold using keywords or conditions, complete the following steps. To preserve all content in the specified content locations, select **Next**.
![Create a query-based hold with keyword and conditions.](../media/eDiscoveryHoldQuery.png) 1. In the box under **Keywords**, type a query to preserve only the content that matches the query criteria. You can specify keywords, email message properties, or site properties, such as file names. You can also use more complex queries that use a Boolean operator, such as **AND**, **OR**, or **NOT**.
- 2. Click **Add condition** to add one or more conditions to narrow the query for the hold. Each condition adds a clause to the KQL search query that is created and run when you create the hold. For example, you can specify a date range so that email or site documents that were created within the date ranged are preserved. A condition is logically connected to the keyword query (specified in the **Keywords** box) and other conditions by the **AND** operator. That means items have to satisfy both the keyword query and the condition to be preserved.
+ 2. Select **Add condition** to add one or more conditions to narrow the query for the hold. Each condition adds a clause to the KQL search query that is created and run when you create the hold. For example, you can specify a date range so that email or site documents that were created within the date ranged are preserved. A condition is logically connected to the keyword query (specified in the **Keywords** box) and other conditions by the **AND** operator. That means items have to satisfy both the keyword query and the condition to be preserved.
For more information about creating a search query and using conditions, see [Keyword queries and search conditions for eDiscovery](keyword-queries-and-search-conditions.md).
-10. After configuring a query-based hold, click **Next**.
+10. After configuring a query-based hold, select **Next**.
-11. Review your settings (and edit them if necessary), and then click **Submit**.
+11. Review your settings (and edit them if necessary), and then select **Submit**.
> [!NOTE] > When you create a query-based hold, all content from selected locations is initially placed on hold. Subsequently, any content that doesn't match the specified query is cleared from the hold every seven to 14 days. However, a query-based hold won't clear content if more than five holds of any type are applied to a content location, or if any item has indexing issues.
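Review bot: the rewritten sub-step 2 under step 9 ("Select **Add condition** ...") still carries the typo "created within the date ranged are preserved". Since the line is already being touched for the click-to-select wording, correct it to "date range" in the same change. The Exchange mailboxes sub-step under step 7 has a similar leftover: "to place on hold" appears twice in one sentence ("Use the search box to find user mailboxes and distribution groups (...) to place on hold").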
Keep the following things in mind when placing both Teams and Office 365 Groups
To collect a list of the URLs for the OneDrive for Business sites in your organization so you can add them to a hold or search associated with an eDiscovery case, see [Create a list of all OneDrive locations in your organization](/onedrive/list-onedrive-urls). The script in this article creates a text file that contains a list of all OneDrive sites in your organization. To run this script, you have to install and use the SharePoint Online Management Shell. Be sure to append the URL for your organization's MySite domain to each OneDrive site that you want to search. This is the domain that contains all your OneDrive; for example, `https://contoso-my.sharepoint.com`. Here's an example of a URL for a user's OneDrive site: `https://contoso-my.sharepoint.com/personal/sarad_contoso_onmicrosoft.com`. > [!IMPORTANT]
-> The URL for a user's OneDrive account includes their user principal name (UPN) (for example, `https://alpinehouse-my.sharepoint.com/personal/sarad_alpinehouse_onmicrosoft_com`). In the rare case that a person's UPN is changed, their OneDrive URL will also change to incorporate the new UPN. If a user's OneDrive account is part of an eDiscovery hold, old and their UPN is changed, you need to update the hold and you'll have to update the hold and add the user's new OneDrive URL and remove the old one. For more information, see [How UPN changes affect the OneDrive URL](/onedrive/upn-changes).
+> The URL for a user's OneDrive account includes their user principal name (UPN) (for example, `https://alpinehouse-my.sharepoint.com/personal/sarad_alpinehouse_onmicrosoft_com`). In the rare case that a person's UPN is changed, their OneDrive URL will also change to incorporate the new UPN. If a user's OneDrive account is part of an eDiscovery hold, and their UPN is changed, you need to update the hold by adding the user's new OneDrive URL and removing the old one. If the URL for the OneDrive site changes, previously placed holds on the site remain effective and content is preserved. For more information, see [How UPN changes affect the OneDrive URL](/onedrive/upn-changes).
## Removing content locations from an eDiscovery hold
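Review bot: the sentence added at the end of the IMPORTANT note ("If the URL for the OneDrive site changes, previously placed holds on the site remain effective and content is preserved") reads as contradicting the sentence before it, which says you need to update the hold by adding the new URL and removing the old one. Say what updating the hold accomplishes if the existing hold stays effective, or soften "you need to", so an admin can tell whether content is at risk between the UPN change and the hold update. Separately, the example URL in the unchanged paragraph above ends in `sarad_contoso_onmicrosoft.com` while the one in this note ends in `sarad_alpinehouse_onmicrosoft_com`; the two should use the same separator.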
compliance Identify A Hold On An Exchange Online Mailbox https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/identify-a-hold-on-an-exchange-online-mailbox.md
Title: "How to identify the hold on an Exchange Online mailbox"
-description: "Learn how to identify the different types of hold that can be placed on an Exchange Online mailbox in Microsoft 365."
+description: "Learn how to identify the different types of hold that can be placed on an Exchange Online mailbox in Microsoft Purview and Microsoft 365."
f1.keywords: - NOCSH
# How to identify the type of hold placed on an Exchange Online mailbox
-This article explains how to identify holds placed on Exchange Online mailboxes in Microsoft 365.
+This article explains how to identify holds placed on Exchange Online mailboxes in Microsoft Purview and Microsoft 365.
-Microsoft 365 offers several ways that your organization can prevent mailbox content from being permanently deleted. This allows your organization to retain content to meet compliance regulations or during legal and other types of investigations. Here's a list of the retention features (also called *holds*) in Office 365:
+Microsoft Purview offers several ways that your organization can prevent mailbox content from being permanently deleted. This allows your organization to retain content to meet compliance regulations or during legal and other types of investigations. Here's a list of the retention features (also called *holds*) in Microsoft Purview and Microsoft 365:
- **[Litigation Hold](create-a-litigation-hold.md):** Holds that are applied to user mailboxes in Exchange Online.--- **[eDiscovery hold](create-ediscovery-holds.md):** Holds that are associated with a Microsoft Purview eDiscovery (Standard) case in the security and compliance center. eDiscovery holds can be applied to user mailboxes and to the corresponding mailbox for Microsoft 365 Groups and Microsoft Teams.--- **[In-Place Hold](/Exchange/security-and-compliance/create-or-remove-in-place-holds):** Holds that are applied to user mailboxes by using the In-Place eDiscovery & Hold tool in the <a href="https://go.microsoft.com/fwlink/p/?linkid=2059104" target="_blank">Exchange admin center</a> in Exchange Online.
+- **[eDiscovery hold](create-ediscovery-holds.md):** Holds that are associated with a Microsoft Purview eDiscovery (Standard) case in the Microsoft Purview compliance portal. eDiscovery holds can be applied to user mailboxes and to the corresponding mailbox for Microsoft 365 Groups and Microsoft Teams.
+- **[In-Place Hold](/Exchange/security-and-compliance/create-or-remove-in-place-holds):** Holds that are applied to user mailboxes by using the In-Place eDiscovery & Hold tool in the <a href="https://go.microsoft.com/fwlink/p/?linkid=2059104" target="_blank">Exchange admin center</a> in Exchange Online.
> [!NOTE] > In-Place Holds have been retired and you can no longer create In-Place Holds or apply them to mailboxes. However, In-Place Holds might still be applied to mailboxes in your organization, which is why they are included in this article. For more information, see [Retirement of legacy eDiscovery tools](legacy-ediscovery-retirement.md#in-place-ediscovery-and-in-place-holds-in-the-exchange-admin-center). -- **[Microsoft 365 retention policies](retention.md):** Can be configured to retain (or retain and then delete) content in user mailboxes in Exchange Online and in the corresponding mailbox for Microsoft 365 Groups and Microsoft Teams. You can also create a retention policy to retain Skype for Business Conversations, which are stored in user mailboxes.
+- **[Microsoft Purview retention policies](retention.md):** Can be configured to retain (or retain and then delete) content in user mailboxes in Exchange Online and in the corresponding mailbox for Microsoft 365 Groups and Microsoft Teams. You can also create a retention policy to retain Skype for Business Conversations, which are stored in user mailboxes.
- There are two types of Microsoft 365 retention policies that can be assigned to mailboxes.
+ There are two types of Microsoft Purview retention policies that can be assigned to mailboxes.
- **Specific location retention policies:** These are policies that are assigned to the content locations of specific users. You use the **Get-Mailbox** cmdlet in Exchange Online PowerShell to get information about retention policies assigned to specific mailboxes. For more information about this type of retention policy, see the section [A policy with specific inclusions or exclusions](retention-settings.md#a-policy-with-specific-inclusions-or-exclusions) from the retention policy documentation.- - **Organization-wide retention policies:** These are policies that are assigned to all content locations in your organization. You use the **Get-OrganizationConfig** cmdlet in Exchange Online PowerShell to get information about organization-wide retention policies. For more information about this type of retention policy, see the section [A policy that applies to entire locations](retention-settings.md#a-policy-that-applies-to-entire-locations) from the retention policy documentation. -- **[Microsoft 365 retention labels](retention.md):** If a user applies a Microsoft 365 retention label (one that's configured to retain content or retain and then delete content) to *any* folder or item in their mailbox, a hold is placed on the mailbox as if the mailbox was placed on Litigation Hold or assigned to a Microsoft 365 retention policy. For more information, see the [Identifying mailboxes on hold because a retention label has been applied to a folder or item](#identifying-mailboxes-on-hold-because-a-retention-label-has-been-applied-to-a-folder-or-item) section in this article.
+- **[Microsoft Purview retention labels](retention.md):** If a user applies a Microsoft Purview retention label (one that's configured to retain content or retain and then delete content) to *any* folder or item in their mailbox, a hold is placed on the mailbox as if the mailbox was placed on Litigation Hold or assigned to a Microsoft Purview retention policy. For more information, see the [Identifying mailboxes on hold because a retention label has been applied to a folder or item](#identifying-mailboxes-on-hold-because-a-retention-label-has-been-applied-to-a-folder-or-item) section in this article.
-To manage mailboxes on hold, you may have to identify the type of hold that's placed on a mailbox so that you can perform tasks such as changing the hold duration, temporarily or permanently removing the hold, or excluding a mailbox from a Microsoft 365 retention policy. In these cases, the first step is to identify the type of hold placed on the mailbox. And because multiple holds (and different types of holds) can be placed on a single mailbox, you have to identify all holds placed on a mailbox if you want to remove or change a hold.
+To manage mailboxes on hold, you may have to identify the type of hold that's placed on a mailbox so that you can perform tasks such as changing the hold duration, temporarily or permanently removing the hold, or excluding a mailbox from a Microsoft Purview retention policy. In these cases, the first step is to identify the type of hold placed on the mailbox. And because multiple holds (and different types of holds) can be placed on a single mailbox, you have to identify all holds placed on a mailbox if you want to remove or change a hold.
[!INCLUDE [purview-preview](../includes/purview-preview.md)]
To manage mailboxes on hold, you may have to identify the type of hold that's pl
You can run the following two cmdlets in Exchange Online PowerShell to get the GUID of the holds that are placed on a mailbox. After you obtain a GUID, you use it to identify the specific hold in Step 2. A Litigation Hold isn't identified by a GUID. Litigation Holds are either enabled or disabled for a mailbox. -- **Get-Mailbox:** Use this cmdlet to determine whether Litigation Hold is enabled for a mailbox and to get the GUIDs for eDiscovery holds, In-Place Holds, and Microsoft 365 retention policies that are specifically assigned to a mailbox. The output of this cmdlet will also indicate if a mailbox has been explicitly excluded from an organization-wide retention policy.-
+- **Get-Mailbox:** Use this cmdlet to determine whether Litigation Hold is enabled for a mailbox and to get the GUIDs for eDiscovery holds, In-Place Holds, and Microsoft Purview retention policies that are assigned to a mailbox. The output of this cmdlet will also indicate if a mailbox has been explicitly excluded from an organization-wide retention policy.
- **Get-OrganizationConfig:** Use this cmdlet to get the GUIDs for organization-wide retention policies. To connect to Exchange Online PowerShell, see [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell). ### Get-Mailbox
-Run the following command to get information about the holds and Microsoft 365 retention policies applied to a mailbox.
+Run the following command to get information about the holds and Microsoft Purview retention policies applied to a mailbox.
```powershell Get-Mailbox <username> | FL LitigationHoldEnabled,InPlaceHolds
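Review bot: the new **Get-Mailbox** bullet drops "specifically" from "retention policies that are specifically assigned to a mailbox", which removes the contrast with the **Get-OrganizationConfig** bullet that follows. The Get-OrganizationConfig section states that *InPlaceHolds* can be empty on the mailbox while organization-wide policies still apply, so keep the qualifier or write "specific location retention policies" to match the term used earlier in the article.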
Get-Mailbox <username> | FL LitigationHoldEnabled,InPlaceHolds
The following table describes how to identify different types of holds based on the values in the *InPlaceHolds* property when you run the **Get-Mailbox** cmdlet.
-| Hold type | Example value | How to identify the hold |
-| | - | -- |
-| Litigation Hold | `True` | Litigation Hold is enabled for a mailbox when the *LitigationHoldEnabled* property is set to `True`. |
-| eDiscovery hold | `UniH7d895d48-7e23-4a8d-8346-533c3beac15d` | The *InPlaceHolds property* contains the GUID of any hold associated with an eDiscovery case in the security and compliance center. You can tell this is an eDiscovery hold because the GUID starts with the `UniH` prefix (which denotes a Unified Hold). |
-| In-Place Hold | `c0ba3ce811b6432a8751430937152491` <br/> or <br/> `cld9c0a984ca74b457fbe4504bf7d3e00de` | The *InPlaceHolds* property contains the GUID of the In-Place Hold that's placed on the mailbox. You can tell this is an In-Place Hold because the GUID either doesn't start with a prefix or it starts with the `cld` prefix. |
-| Microsoft 365 retention policy specifically applied to the mailbox | `mbxcdbbb86ce60342489bff371876e7f224:1` <br/> or <br/> `skp127d7cf1076947929bf136b7a2a8c36f:3` | The InPlaceHolds property contains GUIDs of any specific location retention policy that's applied to the mailbox. You can identify retention policies because the GUID starts with the `mbx` or the `skp` prefix. The `skp` prefix indicates that the retention policy is applied to Skype for Business conversations in the user's mailbox. |
-| Excluded from an organization-wide Microsoft 365 retention policy | `-mbxe9b52bf7ab3b46a286308ecb29624696` | If a mailbox is excluded from an organization-wide Microsoft 365 retention policy, the GUID for the retention policy that the mailbox is excluded from is displayed in the InPlaceHolds property and is identified by the `-mbx` prefix. |
+| Hold type | Example value| How to identify the hold|
+| :| :-- |:-- |
+| Litigation Hold | `True`| Litigation Hold is enabled for a mailbox when the *LitigationHoldEnabled* property is set to `True`.|
+| eDiscovery hold | `UniH7d895d48-7e23-4a8d-8346-533c3beac15d`| The *InPlaceHolds property* contains the GUID of any hold associated with an eDiscovery case in the compliance portal. You can tell this is an eDiscovery hold because the GUID starts with the `UniH` prefix (which denotes a Unified Hold).|
+| In-Place Hold| `c0ba3ce811b6432a8751430937152491` <br/> or <br/> `cld9c0a984ca74b457fbe4504bf7d3e00de`| The *InPlaceHolds* property contains the GUID of the In-Place Hold that's placed on the mailbox. You can tell this is an In-Place Hold because the GUID either doesn't start with a prefix or it starts with the `cld` prefix.|
+| Microsoft Purview retention policy applied to the mailbox | `mbxcdbbb86ce60342489bff371876e7f224:1` <br/> or <br/> `skp127d7cf1076947929bf136b7a2a8c36f:3` | The *InPlaceHolds* property contains GUIDs of any specific location retention policy that's applied to the mailbox. You can identify retention policies because the GUID starts with the `mbx` or the `skp` prefix. The `skp` prefix indicates that the retention policy is applied to Skype for Business conversations in the user's mailbox. |
+| Excluded from an organization-wide Microsoft Purview retention policy | `-mbxe9b52bf7ab3b46a286308ecb29624696`| If a mailbox is excluded from an organization-wide Microsoft Purview retention policy, the GUID for the retention policy that the mailbox is excluded from is displayed in the *InPlaceHolds* property and is identified by the `-mbx` prefix.|
### Get-OrganizationConfig
-If the *InPlaceHolds* property is empty when you run the **Get-Mailbox** cmdlet, there still may be one or more organization-wide Microsoft 365 retention policies applied to the mailbox. Run the following command in [Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell) to get a list of GUIDs for organization-wide Microsoft 365 retention policies.
+
+If the *InPlaceHolds* property is empty when you run the **Get-Mailbox** cmdlet, there still may be one or more organization-wide Microsoft Purview retention policies applied to the mailbox. Run the following command in [Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell) to get a list of GUIDs for organization-wide Microsoft Purview retention policies.
```powershell Get-OrganizationConfig | FL InPlaceHolds
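Review bot: in the eDiscovery hold row of the new table the emphasis still wraps two words ("*InPlaceHolds property*"), while the other rows this change touches use "*InPlaceHolds* property"; make them consistent. The retention policy row heading also loses "specifically" ("Microsoft Purview retention policy applied to the mailbox") although its description still refers to a "specific location retention policy", so the heading no longer distinguishes this row from the organization-wide policies covered under Get-OrganizationConfig.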
Get-OrganizationConfig | FL InPlaceHolds
The following table describes the different types of organization-wide holds and how to identify each type based on the GUIDs contained in *InPlaceHolds* property when you run the **Get-OrganizationConfig** cmdlet.
-| Hold type | Example value | Description |
-| -- | | - |
-| Microsoft 365 retention policies applied to Exchange mailboxes, Exchange public folders, and Teams chats | `mbx7cfb30345d454ac0a989ab3041051209:2` | Organization-wide retention policies applied to Exchange mailboxes, Exchange public folders, and 1xN chats in Microsoft Teams are identified by GUIDs that start with the `mbx` prefix. Note 1xN chats are stored in the mailbox of the individual chat participants. |
-| Microsoft 365 retention policy applied to Microsoft 365 Groups and Teams channel messages | `grp1a0a132ee8944501a4bb6a452ec31171:3` | Organization-wide retention policies applied to Microsoft 365 groups and channel messages in Microsoft Teams are identified by GUIDs that start with the `grp` prefix. Note channel messages are stored in the group mailbox that is associated with a Microsoft Team. |
+| Hold type | Example value| Description |
+|: |: |:-- |
+| Microsoft Purview retention policies applied to Exchange mailboxes, Exchange public folders, and Teams chats | `mbx7cfb30345d454ac0a989ab3041051209:2` | Organization-wide retention policies applied to Exchange mailboxes, Exchange public folders, and 1xN chats in Microsoft Teams are identified by GUIDs that start with the `mbx` prefix. Note 1xN chats are stored in the mailbox of the individual chat participants. |
+| Microsoft Purview retention policy applied to Microsoft 365 Groups and Teams channel messages | `grp1a0a132ee8944501a4bb6a452ec31171:3` | Organization-wide retention policies applied to Microsoft 365 groups and channel messages in Microsoft Teams are identified by GUIDs that start with the `grp` prefix. Note channel messages are stored in the group mailbox that is associated with a Microsoft Team. |
For more information about retention policies applied to Microsoft Teams, see [Learn about retention policies for Microsoft Teams](retention-policies-teams.md). ### Understanding the format of the InPlaceHolds value for retention policies
-In addition to the prefix (mbx, skp, or grp) that identifies an item in the InPlaceHolds property as a Microsoft 365 retention policy, the value also contains a suffix that identifies the type of retention action that's configured for the policy. For example, the action suffix is highlighted in bold type in the following examples:
+In addition to the prefix (mbx, skp, or grp) that identifies an item in the InPlaceHolds property as a Microsoft Purview retention policy, the value also contains a suffix that identifies the type of retention action that's configured for the policy. For example, the action suffix is highlighted in bold type in the following examples:
`skp127d7cf1076947929bf136b7a2a8c36f`**:1**
In addition to the prefix (mbx, skp, or grp) that identifies an item in the InPl
The following table defines the three possible retention actions:
-| Value | Description |
-| -- | |
-| **1** | Indicates that the retention policy is configured to delete items. The policy doesn't retain items. |
-| **2** | Indicates that the retention policy is configured to hold items. The policy doesn't delete items after the retention period expires. |
-| **3** | Indicates that the retention policy is configured to hold items and then delete them after the retention period expires. |
+| Value | Description|
+| :- | : |
+| **1** | Indicates that the retention policy is configured to delete items. The policy doesn't retain items.|
+| **2** | Indicates that the retention policy is configured to hold items. The policy doesn't delete items after the retention period expires.|
+| **3** | Indicates that the retention policy is configured to hold items and then delete them after the retention period expires.|
For more information about retention actions, see the [Retaining content for a specific period of time](retention-settings.md#retaining-content-for-a-specific-period-of-time) section.
-
+ ## Step 2: Use the GUID to identify the hold After you obtain the GUID for a hold that is applied to a mailbox, the next step is to use that GUID to identify the hold. The following sections show how to identify the name of the hold (and other information) by using the hold GUID. ### eDiscovery holds
-Run the following commands in Security & Compliance PowerShell to identify an eDiscovery hold that's applied to the mailbox. Use the GUID (not including the UniH prefix) for the eDiscovery hold that you identified in Step 1.
+Run the following commands in [Security & Compliance PowerShell](/powershell/exchange/scc-powershell) to identify an eDiscovery hold that's applied to the mailbox. Use the GUID (not including the UniH prefix) for the eDiscovery hold that you identified in Step 1.
To connect to Security & Compliance PowerShell, see [Connect to Security & Compliance PowerShell](/powershell/exchange/connect-to-scc-powershell).
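Review bot: the link added to "Security & Compliance PowerShell" in the first sentence under "eDiscovery holds" sits directly above the existing line "To connect to Security & Compliance PowerShell, see [Connect to Security & Compliance PowerShell](...)", so the reader gets two links with different targets (`/powershell/exchange/scc-powershell` and `/powershell/exchange/connect-to-scc-powershell`) for the same step. Keep one of them, or fold the connect instruction into the first sentence the way the retention policies section does.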
If the GUID for the In-Place Hold starts with the `cld` prefix, be sure to inclu
> [!IMPORTANT] > As we continue to invest in different ways to preserve mailbox content, we're announcing the retirement of In-Place Holds in the Exchange admin center (EAC). Starting July 1, 2020 you won't be able to create new In-Place Holds in Exchange Online. But you'll still be able to manage In-Place Holds in the EAC or by using the **Set-MailboxSearch** cmdlet in Exchange Online PowerShell. However, starting October 1, 2020, you won't be able to manage In-Place Holds. You'll only be remove them in the EAC or by using the **Remove-MailboxSearch** cmdlet. For more information about the retirement of In-Place Holds, see [Retirement of legacy eDiscovery tools](legacy-ediscovery-retirement.md).
-### Microsoft 365 retention policies
+### Microsoft Purview retention policies
-[Connect to Security & Compliance PowerShell](/powershell/exchange/connect-to-scc-powershell) and run the following command to identity the Microsoft 365 retention policy (organization-wide or specific location) that's applied to the mailbox. Use the GUID (not including the mbx, skp, or grp prefix or the action suffix) that you identified in Step 1.
+[Connect to Security & Compliance PowerShell](/powershell/exchange/connect-to-scc-powershell) and run the following command to identity the Microsoft Purview retention policy (organization-wide or specific location) that's applied to the mailbox. Use the GUID (not including the mbx, skp, or grp prefix or the action suffix) that you identified in Step 1.
```powershell Get-RetentionCompliancePolicy <hold GUID without prefix or suffix> -DistributionDetail | FL Name,*Location
Get-RetentionCompliancePolicy <hold GUID without prefix or suffix> -Distribution
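Review bot: The rewritten sentence under "Microsoft Purview retention policies" still reads "run the following command to identity the Microsoft Purview retention policy"; "identity" should be "identify". The line is already being touched for the product rename, so fix the typo in the same change.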
## Identifying mailboxes on hold because a retention label has been applied to a folder or item
-Whenever a user applies a retention label that's configured to *retain* or *retain and then delete* content to any folder or item in their mailbox, the *ComplianceTagHoldApplied* mailbox property is set to **True**. When this happens, the mailbox is treated similarly to if it was placed on hold, such as when assigned to a Microsoft 365 retention policy or placed on Litigation Hold, however with some caveats. When the *ComplianceTagHoldApplied* property is set to **True**, the following things occur:
+Whenever a user applies a retention label that's configured to *retain* or *retain and then delete* content to any folder or item in their mailbox, the *ComplianceTagHoldApplied* mailbox property is set to **True**. When this happens, the mailbox is treated similarly to if it was placed on hold, such as when assigned to a Microsoft Purview retention policy or placed on Litigation Hold, however with some caveats. When the *ComplianceTagHoldApplied* property is set to **True**, the following things occur:
- If the mailbox or the user's Microsoft 365 account is deleted, the mailbox becomes an [inactive mailbox](inactive-mailboxes-in-office-365.md). - You aren't able to disable the mailbox (either the primary mailbox or the archive mailbox, if it's enabled).-- Items that have been deleted from the mailbox will follow one of two paths depending on if they are labeled or not:
+- Items that have been deleted from the mailbox will follow one of two paths depending on if they're labeled or not:
- **Unlabeled items** will follow the same path deleted items take when no holds apply to the mailbox. The time that it takes for these items to be permanently deleted is determined by the [deleted item retention](/exchange/security-and-compliance/recoverable-items-folder/recoverable-items-folder#deleted-item-retention) configuration and whether [single item recovery](/exchange/security-and-compliance/recoverable-items-folder/recoverable-items-folder#single-item-recovery) is enabled for the mailbox or not.
- - **Labeled items** will be retained within the [recoverable items folder](/exchange/security-and-compliance/recoverable-items-folder/recoverable-items-folder#recoverable-items-folder) in the same way they would be if a Microsoft 365 retention policy applied, but at the individual item level. If multiple items have different labels that are configured to *retain* or *retain and then delete* content at different intervals, each item will be retained based on the configuration of the applied label.
-- Other holds, such as Microsoft 365 retention policies, eDiscovery holds or litigation hold can extend how long labeled items are retained based on the [principles of retention](retention.md#the-principles-of-retention-or-what-takes-precedence).
+ - **Labeled items** will be retained within the [recoverable items folder](/exchange/security-and-compliance/recoverable-items-folder/recoverable-items-folder#recoverable-items-folder) in the same way they would be if a Microsoft Purview retention policy applied, but at the individual item level. If multiple items have different labels that are configured to *retain* or *retain and then delete* content at different intervals, each item will be retained based on the configuration of the applied label.
+- Other holds, such as Microsoft Purview retention policies, eDiscovery holds or litigation hold can extend how long labeled items are retained based on the [principles of retention](retention.md#the-principles-of-retention-or-what-takes-precedence).
To view the value of the *ComplianceTagHoldApplied* property for a single mailbox, run the following command in [Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell):
For more information about retention labels, see [retention labels](retention.md
After any type of hold is removed from a mailbox, a *delay hold* is applied. This means that the actual removal of the hold is delayed for 30 days to prevent data from being permanently deleted (purged) from the mailbox. This gives admins an opportunity to search for or recover mailbox items that will be purged after a hold is removed. A delay hold is placed on a mailbox the next time the Managed Folder Assistant processes the mailbox and detects that a hold was removed. Specifically, a delay hold is applied to a mailbox when the Managed Folder Assistant sets one of the following mailbox properties to **True**: - **DelayHoldApplied:** This property applies to email-related content (generated by people using Outlook and Outlook on the web) that's stored in a user's mailbox.- - **DelayReleaseHoldApplied:** This property applies to cloud-based content (generated by non-Outlook apps such as Microsoft Teams, Microsoft Forms, and Microsoft Yammer) that's stored in a user's mailbox. Cloud data generated by a Microsoft app is typically stored in a hidden folder in a user's mailbox.
-When a delay hold is placed on the mailbox (when either of the previous properties is set to **True**), the mailbox is still considered to be on hold for an unlimited hold duration, as if the mailbox was on Litigation Hold. After 30 days, the delay hold expires, and Microsoft 365 will automatically attempt to remove the delay hold (by setting the DelayHoldApplied or DelayReleaseHoldApplied property to **False**) so that the hold is removed. After either of these properties are set to **False**, the corresponding items that are marked for removal are purged the next time the mailbox is processed by the Managed Folder Assistant.
+When a delay hold is placed on the mailbox (when either of the previous properties is set to **True**), the mailbox is still considered to be on hold for an unlimited hold duration, as if the mailbox was on Litigation Hold. After 30 days, the delay hold expires, and Microsoft 365 will automatically attempt to remove the delay hold (by setting the *DelayHoldApplied* or *DelayReleaseHoldApplied* property to **False**) so that the hold is removed. After either of these properties are set to **False**, the corresponding items that are marked for removal are purged the next time the mailbox is processed by the Managed Folder Assistant.
> [!NOTE]
-> If the user account for the mailbox is disabled, the mailbox isn't processed by the Managed Folder Assistant and the delay hold remains after the 30 days have expired.
+> If the user account for the mailbox is disabled, the mailbox isn't processed by the Managed Folder Assistant and the delay hold remains after the 30 days have expired. For more information, see [Delay hold considerations](#delay-hold-considerations).
To view the values for the DelayHoldApplied and DelayReleaseHoldApplied properties for a mailbox, run the following command in [Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell).
Set-Mailbox <DN or Exchange GUID> -InactiveMailbox -RemoveDelayReleaseHoldApplie
``` > [!TIP]
-> The best way to specify an inactive mailbox in the previous command is to use its Distinguished Name or Exchange GUID value. Using one of these values helps prevent accidentally specifying the wrong mailbox.
+> The best way to specify an inactive mailbox in the previous command is to use its Distinguished Name or Exchange GUID value. Using one of these values helps prevent accidentally specifying the wrong mailbox.
For more information about using these parameters for managing delay holds, see [Set-Mailbox](/powershell/module/exchange/set-mailbox).
-Keep the following things in mind when managing a mailbox on delay hold:
+### Delay hold considerations
-- If either the DelayHoldApplied or DelayReleaseHoldApplied property is set to **True** and a mailbox (or the corresponding user account) is deleted, the mailbox becomes an inactive mailbox. That's because a mailbox is considered to be on hold if either property is set to **True**, and deleting a mailbox on hold results in an inactive mailbox. To delete a mailbox and not make it an inactive mailbox, you have to set both properties to **False**.
+Keep the following things in mind when managing a mailbox on delay hold:
-- As previous stated, a mailbox is considered to be on hold for an unlimited hold duration if either the DelayHoldApplied or DelayReleaseHoldApplied property is set to **True**. However, that doesn't mean that *all* content in the mailbox is preserved. It depends on the value that's set to each property. For example, let's say both properties are set to **True** because holds are removed from the mailbox. Then you remove only the delay hold that's applied to non-Outlook cloud data (by using the *RemoveDelayReleaseHoldApplied* parameter). The next time the Managed Folder Assistant processes the mailbox, the non-Outlook items marked for removal are purged. Any Outlook items marked for removal won't be purged because the DelayHoldApplied property is still set to **True**. The opposite would also be true: if DelayHoldApplied is set to **False** and DelayReleaseHoldApplied is set to **True**, then only Outlook items marked for removal would be purged.
+- If either the *DelayHoldApplied* or *DelayReleaseHoldApplied* property is set to **True** and a mailbox (or the corresponding user account) is deleted, the mailbox becomes an inactive mailbox. That's because a mailbox is considered to be on hold if either property is set to **True**, and deleting a mailbox on hold results in an inactive mailbox. To delete a mailbox and not make it an inactive mailbox, you have to set both properties to **False**.
+- A mailbox is considered to be on hold for an unlimited hold duration if either the *DelayHoldApplied* or *DelayReleaseHoldApplied* property is set to **True**. However, that doesn't mean that *all* content in the mailbox is preserved. It depends on the value that's set to each property. For example, let's say both properties are set to **True** because holds are removed from the mailbox. Then you remove only the delay hold that's applied to non-Outlook cloud data (by using the *RemoveDelayReleaseHoldApplied* parameter). The next time the Managed Folder Assistant processes the mailbox, the non-Outlook items marked for removal are purged. Any Outlook items marked for removal won't be purged because the DelayHoldApplied property is still set to **True**. The opposite would also be true: if *DelayHoldApplied* is set to **False** and *DelayReleaseHoldApplied* is set to **True**, then only Outlook items marked for removal would be purged.
## How to confirm that an organization-wide retention policy is applied to a mailbox
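Review bot: In the second bullet under "Delay hold considerations", the property names are italicized everywhere except one sentence, which still has the plain form: "Any Outlook items marked for removal won't be purged because the DelayHoldApplied property is still set to **True**." Italicize that occurrence as *DelayHoldApplied* so the bullet is consistent, and apply the same formatting to the unchanged sentence "To view the values for the DelayHoldApplied and DelayReleaseHoldApplied properties for a mailbox".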
-When an organization-wide retention policy is applied or removed to a mailbox, exporting the mailbox diagnostics logs can help you be certain that Exchange Online has actually applied or removed the retention policy to the mailbox. To view this information, you first need to validate a few things using [Exchange Online Powershell](/powershell/exchange/connect-to-exchange-online-powershell).
+When an organization-wide retention policy is applied or removed to a mailbox, exporting the mailbox diagnostics logs can help you be certain that Exchange Online has applied or removed the retention policy to the mailbox. To view this information, you first need to validate a few things using [Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell).
### Obtain the GUIDs for any retention policies explicitly applied to a mailbox
The Hold Tracking Mailbox Diagnostics logs maintain a history of the holds appli
$ht = Export-MailboxDiagnosticLogs <username> -ComponentName HoldTracking $ht.MailboxLog | Convertfrom-Json ```
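Review bot: The opening sentence of "How to confirm that an organization-wide retention policy is applied to a mailbox" still says a policy is "applied or removed to a mailbox", and repeats the pattern in "applied or removed the retention policy to the mailbox". Since the sentence is being edited anyway, suggest "applied to or removed from a mailbox" in both places.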
-
+ > [!NOTE] > Hold tracking logs aren't available if the user account has been disabled.
Use the following table to help you understand each of the previous values liste
| **hid** | Indicates the GUID for the retention policy. This value will correlate to the GUIDs that you collected for the explicit or organization-wide retention policies assigned to the mailbox.| | **lsd** | Indicates the Last start date, which is the date the retention policy was assigned to the mailbox.| | **osd** | Indicates the Original start date, which is the date that Exchange first recorded information about the retention policy. |
-|||
-When a retention policy is no longer applied to a mailbox, we will place a temporary delay hold on the user to prevent purging content. A delay hold can be disabled by running the `Set-Mailbox -RemoveDelayHoldApplied` command.
+When a retention policy is no longer applied to a mailbox, we'll place a temporary delay hold on the user to prevent purging content. A delay hold can be disabled by running the `Set-Mailbox -RemoveDelayHoldApplied` command.
## Next steps
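Review bot: The reworded sentence says the delay hold is placed "on the user", but the rest of the article describes a delay hold as a mailbox state (the *DelayHoldApplied* and *DelayReleaseHoldApplied* mailbox properties); suggest "on the mailbox". The sentence also names only `Set-Mailbox -RemoveDelayHoldApplied`. The delay hold considerations section explains that *RemoveDelayReleaseHoldApplied* separately clears the hold on non-Outlook cloud data, so either mention both parameters or link to that section.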
-After you identify the holds that are applied to a mailbox, you can perform tasks such as changing the duration of the hold, temporarily or permanently removing the hold, or excluding an inactive mailbox from a Microsoft 365 retention policy. For more information about performing tasks related to holds, see one of the following topics:
--- Run the [Set-RetentionCompliancePolicy -Identity \<Policy Name> -AddExchangeLocationException \<user mailbox>](/powershell/module/exchange/set-retentioncompliancepolicy) command in [Security & Compliance PowerShell](/powershell/exchange/connect-to-scc-powershell) to exclude a mailbox from an organization-wide Microsoft 365 retention policy. This command can only be used for retention policies where the value for the *ExchangeLocation* property equals `All`.
+After you identify the holds that are applied to a mailbox, you can perform tasks such as changing the duration of the hold, temporarily or permanently removing the hold, or excluding an inactive mailbox from a Microsoft Purview retention policy. For more information about performing tasks related to holds, see one of the following articles:
+- Run the [Set-RetentionCompliancePolicy -Identity \<Policy Name> -AddExchangeLocationException \<user mailbox>](/powershell/module/exchange/set-retentioncompliancepolicy) command in [Security & Compliance PowerShell](/powershell/exchange/connect-to-scc-powershell) to exclude a mailbox from an organization-wide Microsoft Purview retention policy. This command can only be used for retention policies where the value for the *ExchangeLocation* property equals `All`.
- [Change the hold duration for an inactive mailbox](change-the-hold-duration-for-an-inactive-mailbox.md)- - [Delete an inactive mailbox](delete-an-inactive-mailbox.md)- - [Delete items in the Recoverable Items folder of cloud-based mailboxes on hold](delete-items-in-the-recoverable-items-folder-of-mailboxes-on-hold.md)
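Review bot: The new lead-in ends with "see one of the following articles:", but the first list item is an instruction to run `Set-RetentionCompliancePolicy`, not an article. Either move the command into its own sentence ahead of the list, or reword the lead-in so it covers both the command and the linked articles.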
compliance Information Barriers Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/information-barriers-policies.md
To [manage IB policies](information-barriers-policies.md), you must be assigned
- Compliance administrator - IB Compliance Management
-To learn more about roles and permissions, see [Permissions in the Office 365 Security & Compliance Center](../security/office-365-security/permissions-in-the-security-and-compliance-center.md).
+To learn more about roles and permissions, see [Roles and role groups in the Microsoft 365 Defender and Microsoft Purview compliance portals](../security/office-365-security/permissions-in-the-security-and-compliance-center.md).
## Configuration concepts
To define policies with PowerShell, complete the following steps:
| Syntax | Example | |:--|:-|
- | `New-InformationBarrierPolicy -Name "policyname" -AssignedSegment "segment1name" -SegmentsBlocked "segment2name"` | `New-InformationBarrierPolicy -Name "Sales-Research" -AssignedSegment "Sales" -SegmentsBlocked "Research" -State Inactive` <p> In this example, we defined a policy called *Sales-Research* for a segment called *Sales*. When active and applied, this policy prevents users in *Sales* from communicating with users in a segment called *Research*. |
+ | `New-InformationBarrierPolicy -Name "policyname" -AssignedSegment "segmentAname" -SegmentsBlocked "segmentBname"` | `New-InformationBarrierPolicy -Name "Sales-Research" -AssignedSegment "Sales" -SegmentsBlocked "Research" -State Inactive` <p> In this example, we defined a policy called *Sales-Research* for a segment called *Sales*. When active and applied, this policy prevents users in *Sales* from communicating with users in a segment called *Research*. |
2. To define your second blocking segment, use the **New-InformationBarrierPolicy** cmdlet with the **SegmentsBlocked** parameter again, this time with the segments reversed.
To define policies with PowerShell, complete the following steps:
### Scenario 2: Allow a segment to communicate only with one other segment
-When you want to allow a segment to communicate with only one other segment, you define only one policy for that segment. The segment that is being communicated with doesn't require a similar directional policy (because they can communicate and collaborate with everyone by default).
+When you want to allow a segment to communicate with only one other segment, you define two policies: one for each direction. Each policy allows communication in one direction only.
-#### Create a policy using the compliance portal for Scenario 2
+In this example, you'd define two policies:
+
+- One policy allows Segment A to communicate with Segment B
+- A second policy to allow Segment B to communicate with Segment A
+
+#### Create policies using the compliance portal for Scenario 2
To define policies in the compliance portal, complete the following steps:
To define policies in the compliance portal, complete the following steps:
9. Select **Next**. 10. On the **Policy status** page, toggle the active policy status to **On**. Select **Next** to continue. 11. On the **Review your settings** page, review the settings you've chosen for the policy and any suggestions or warnings for your selections. Select **Edit** to change any of the policy segments and status or select **Submit** to create the policy.
+12. In this example, you would repeat the previous steps to create a second *Allow policy* to allow users in a segment called *Research* to communicate with users in a segment called *Sales*. You would have defined the *Research* segment in **Step 5** and you would assign *Sales* (or multiple segments) in the **Choose segment** option.
#### Create a policy using PowerShell for Scenario 2 To define policies with PowerShell, complete the following steps:
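Review bot: The portal heading for Scenario 2 was changed to "Create policies using the compliance portal for Scenario 2", but the matching PowerShell heading is still "Create a policy using PowerShell for Scenario 2", even though the scenario now calls for two policies. Make the two headings consistent. The two new bullets are also not parallel ("One policy allows ..." versus "A second policy to allow ..."); suggest "A second policy allows Segment B to communicate with Segment A".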
-1. To allow one segment to communicate with only one other segment, use the **New-InformationBarrierPolicy** cmdlet with the **SegmentsAllowed** parameter.
+1. To allow one segment to communicate with the other segment, use the **New-InformationBarrierPolicy** cmdlet with the **SegmentsAllowed** parameter.
| Syntax | Example | |:-|:-|
- | `New-InformationBarrierPolicy -Name "policyname" -AssignedSegment "segment1name" -SegmentsAllowed "segment2name","segment1name"` | `New-InformationBarrierPolicy -Name "Manufacturing-HR" -AssignedSegment "Manufacturing" -SegmentsAllowed "HR","Manufacturing" -State Inactive` <p> In this example, we defined a policy called *Manufacturing-HR* for a segment called *Manufacturing*. When active and applied, this policy allows users in *Manufacturing* to communicate only with users in a segment called *HR*. In this case, *Manufacturing* can't communicate with users who aren't part of *HR*. |
+ | `New-InformationBarrierPolicy -Name "policyname" -AssignedSegment "segmentAname" -SegmentsAllowed "segmentBname","segment1name"` | `New-InformationBarrierPolicy -Name "Manufacturing-HR" -AssignedSegment "Manufacturing" -SegmentsAllowed "HR","Manufacturing" -State Inactive` <p> In this example, we defined a policy called *Manufacturing-HR* for a segment called *Manufacturing*. When active and applied, this policy allows users in *Manufacturing* to communicate only with users in a segment called *HR*. In this case, *Manufacturing* can't communicate with users who aren't part of *HR*. |
**If needed, you can specify multiple segments with this cmdlet, as shown in the following example.** | Syntax | Example | |:|:-|
- | `New-InformationBarrierPolicy -Name "policyname" -AssignedSegment "segment1name" -SegmentsAllowed "segment2name", "segment3name","segment1name"` | `New-InformationBarrierPolicy -Name "Research-HRManufacturing" -AssignedSegment "Research" -SegmentsAllowed "HR","Manufacturing","Research" -State Inactive` <p> In this example, we defined a policy that allows the *Research* segment to communicate with only *HR* and *Manufacturing*. |
+ | `New-InformationBarrierPolicy -Name "policyname" -AssignedSegment "segmentAname" -SegmentsAllowed "segmentBname", "segmentCname","segmentDname"` | `New-InformationBarrierPolicy -Name "Research-HRManufacturing" -AssignedSegment "Research" -SegmentsAllowed "HR","Manufacturing","Research" -State Inactive` <p> In this example, we defined a policy that allows the *Research* segment to communicate with only *HR* and *Manufacturing*. |
Repeat this step for each policy you want to define to allow specific segments to communicate with only certain other specific segments.
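Review bot: The placeholder rename in the two `-SegmentsAllowed` syntax rows is incomplete and no longer matches the examples beside them. The first row now reads `-SegmentsAllowed "segmentBname","segment1name"`, which leaves an old `segment1name`; in the example the second value is the assigned segment itself (*Manufacturing*), so it should be `segmentAname`. The second row ends with `"segmentDname"`, but the last value in its example is again the assigned segment (*Research*), so that should also be `segmentAname`.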
-2. Proceed to one of the following actions:
+2. To define your second allowing segment, use the **New-InformationBarrierPolicy** cmdlet with the **SegmentsAllowed** parameter again, this time with the segments reversed.
+
+ | Example | Note |
+ |:--|:--|
+ | `New-InformationBarrierPolicy -Name "Research-Sales" -AssignedSegment "Research" -SegmentsAllowed "Sales" -State Inactive` | In this example, we defined a policy called *Research-Sales* to allow *Research* to communicate with *Sales*. |
+
+3. Proceed to one of the following actions:
- (If needed) [Define a policy to block communications between segments](#scenario-1-block-communications-between-segments) - (After all your policies are defined) [Apply IB policies](#step-4-apply-ib-policies)
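Review bot: New step 2 says to run the cmdlet again "with the segments reversed", but its example uses *Research* and *Sales*, while step 1 of this scenario uses *Manufacturing* and *HR*, so it is not the reverse of any policy defined above. The example also passes only `-SegmentsAllowed "Sales"`, whereas both step 1 examples include the assigned segment in its own allowed list (`"HR","Manufacturing"`). Suggest an *HR-Manufacturing* example that mirrors step 1, with the assigned segment included in the allowed list, and reword "second allowing segment" to "second allow policy".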
compliance Managing Holds https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/managing-holds.md
# Manage holds in eDiscovery (Premium)
-You can use an Microsoft Purview eDiscovery (Premium) case to create holds to preserve content that might be relevant to your case. Using the eDiscovery (Premium) hold capabilities, you can place holds on custodians and their data sources. Additionally, you can place a non-custodial hold on mailboxes and OneDrive for Business sites. You can also place a hold on the group mailbox, SharePoint site, and OneDrive for Business site for a Microsoft 365 Group. Similarly, you can place a hold on the mailbox and site that are associated with Microsoft Teams. When you place content locations on hold, content is held until you release the custodian, remove a specific data location, or delete the hold policy entirely.
+You can use a Microsoft Purview eDiscovery (Premium) case to create holds to preserve content that might be relevant to your case. Using the eDiscovery (Premium) hold capabilities, you can place holds on custodians and their data sources. Additionally, you can place a non-custodial hold on mailboxes and OneDrive for Business sites. You can also place a hold on the group mailbox, SharePoint site, and OneDrive for Business site for a Microsoft 365 Group. Similarly, you can place a hold on the mailbox and site that are associated with Microsoft Teams. When you place content locations on hold, content is held until you release the custodian, remove a specific data location, or delete the hold policy entirely.
[!INCLUDE [purview-preview](../includes/purview-preview.md)] ## Manage custodian-based holds
-In some cases, you may have a set of custodians that you have identified and have decided to preserve their data during the case. In eDiscovery (Premium), when these custodians are placed on hold, the user and their selected data sources are automatically added to a custodian hold policy.
+In some cases, you may have a set of custodians that you've identified and have decided to preserve their data during the case. In eDiscovery (Premium), when these custodians are placed on hold, the user and their selected data sources are automatically added to a custodian hold policy.
To view the custodian hold policy:
-1. In the Microsoft Purview compliance portal, click **eDiscovery > Advanced** to display the list of cases in your organization.
+1. In the Microsoft Purview compliance portal, select **eDiscovery > Advanced** to display the list of cases in your organization.
2. Go to the **Sources** tab to add custodians within your case. To learn how you can add and place custodians on hold within an eDiscovery (Premium) case, see [Add Custodians to a case](add-custodians-to-case.md). If you have already added custodians and placed them on hold, go to step 3.
-3. Go to the **Holds** tab and click **CustodianHold\<HoldId>**.
+3. Go to the **Holds** tab and select **CustodianHold\<HoldId>**.
4. On the flyout page, you can perform actions like apply a query to your custodian-based hold. For more information about creating a hold query and using conditions, see [Keyword queries and search conditions for Content Search](keyword-queries-and-search-conditions.md).
When you create a hold, you have the following options to scope the content that
To create a non-custodial hold for an eDiscovery (Premium) case:
-1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077149" target="_blank">compliance portal</a>, click **eDiscovery > Advanced** to display the list of cases in your organization.
+1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077149" target="_blank">compliance portal</a>, select **eDiscovery > Advanced** to display the list of cases in your organization.
-2. Click **Open** next to the case that you want to create the holds in.
+2. Select **Open** next to the case that you want to create the holds in.
-3. From the home page for the case, click the **Holds** tab.
+3. From the home page for the case, select the **Holds** tab.
-4. On the **Holds** tab, click **Create**.
+4. On the **Holds** tab, select **Create**.
5. On the **Name your hold** page, give the hold a name. The name of the hold must be unique in your organization. 6. (Optional) In the **Description** box, add a description of the hold.
-7. Click **Next**.
+7. Select **Next**.
8. Choose the content locations that you want to place on hold. You can place mailboxes, sites, and public folders on hold.
- 1. **Exchange email** - Click **Choose users, groups, or teams** and then click **Choose users, groups, or teams** again to specify mailboxes to place on hold. Use the search box to find user mailboxes and distribution groups (to place a hold on the mailboxes of group members) to place on hold. You can also place a hold on the associated mailbox for a Microsoft 365 Group or a Microsoft Team. Select the user, group, team check box, click **Choose**, and then click **Done**.
+ 1. **Exchange email** - select **Choose users, groups, or teams** and then select **Choose users, groups, or teams** again to specify mailboxes to place on hold. Use the search box to find user mailboxes and distribution groups (to place a hold on the mailboxes of group members) to place on hold. You can also place a hold on the associated mailbox for a Microsoft 365 Group or a Microsoft Team. Select the user, group, team check box, select **Choose**, and then select **Done**.
> [!NOTE] > When you click **Choose users, groups, or teams** to specify mailboxes to place on hold, the mailbox picker that's displayed is empty. This is by design to enhance performance. To add people to this list, type a name (a minimum of 3 characters) in the search box.
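Review bot: After the click-to-select replacement, the **Exchange email** and **SharePoint Sites** items begin with a lowercase "select" after the dash ("**Exchange email** - select **Choose users, groups, or teams**"), while the unchanged **Exchange public folders** item begins with a capital ("- Move the toggle switch"). Capitalize "Select" in both items. The note directly under the Exchange email item still says "When you click **Choose users, groups, or teams**" and was missed by the replacement.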
- 1. **SharePoint Sites** - Click **Choose sites** and then click **Choose sites** again to specify SharePoint and OneDrive for Business sites to place on hold. Type the URL for each site that you want to place on hold. You can also add the URL for the SharePoint site for a Microsoft 365 Group or a Microsoft Team. Click **Choose**, and then click **Done**.
+ 1. **SharePoint Sites** - select **Choose sites** and then select **Choose sites** again to specify SharePoint and OneDrive for Business sites to place on hold. Type the URL for each site that you want to place on hold. You can also add the URL for the SharePoint site for a Microsoft 365 Group or a Microsoft Team. Select **Choose**, and then select **Done**.
> [!NOTE]
- > The URL for a user's OneDrive account includes their user principal name (UPN) (for example, `https://alpinehouse-my.sharepoint.com/personal/sarad_alpinehouse_onmicrosoft_com`). In the rare case that a person's UPN is changed, their OneDrive URL will also change to incorporate the new UPN. If a user's OneDrive account is part of a non-custodial hold and their UPN is changed, you need to update the hold and point to the new OneDrive URL. For more information, see [How UPN changes affect the OneDrive URL](/onedrive/upn-changes).
+ > The URL for a user's OneDrive account includes their user principal name (UPN) (for example, `https://alpinehouse-my.sharepoint.com/personal/sarad_alpinehouse_onmicrosoft_com`). In the rare case that a person's UPN is changed, their OneDrive URL will also change to incorporate the new UPN. If a user's OneDrive account is part of a non-custodial hold and their UPN is changed, you need to update the hold and point to the new OneDrive URL. If the URL for the OneDrive site changes, previously placed holds on the site remain effective and content is preserved. For more information, see [How UPN changes affect the OneDrive URL](/onedrive/upn-changes).
1. **Exchange public folders** - Move the toggle switch to the All position to put all public folders in your Exchange Online organization on hold. You can't choose specific public folders to put on hold. Leave the toggle switch set to **None** if you don't want to put a hold on public folders.
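Review bot: The sentence added to the OneDrive note reads as contradicting the one before it. The note first says that after a UPN change "you need to update the hold and point to the new OneDrive URL", and the new text then says "previously placed holds on the site remain effective and content is preserved". State which one the admin should rely on: if the existing hold keeps preserving content, explain why the update is still required, or remove the instruction.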
-9. When you're done adding content locations to the hold, click **Next**.
+9. When you're done adding content locations to the hold, select **Next**.
-10. To create a query-based hold with conditions, complete the following. Otherwise, just click **Next**.
+10. To create a query-based hold with conditions, complete the following. Otherwise, just select **Next**.
- In the box under **Keywords**, type a search query in the box so that only the content that meets the search criteria is placed on hold. You can specify keywords, message properties, or document properties, such as file names. You can also use more complex queries that use a Boolean operator, such as AND, OR, or NOT. If you leave the keyword box empty, then all content located in the specified content locations will be placed on hold.
- - Click **Add** conditions to add one or more conditions to narrow the search query for the hold. Each condition adds a clause to the KQL search query that is created and run when you create the hold. For example, you can specify a date range so that email or site documents that were created within the date ranged are placed on hold. A condition is logically connected to the keyword query (specified in the keyword box) by the AND operator. That means that items have to satisfy both the keyword query and the condition to be placed on hold.
+ - Select **Add** conditions to add one or more conditions to narrow the search query for the hold. Each condition adds a clause to the KQL search query that is created and run when you create the hold. For example, you can specify a date range so that email or site documents that were created within the date ranged are placed on hold. A condition is logically connected to the keyword query (specified in the keyword box) by the AND operator. That means that items have to satisfy both the keyword query and the condition to be placed on hold.
For more information about creating a search query and using conditions, see [Keyword queries and search conditions for Content Search](/office365/SecurityCompliance/keyword-queries-and-search-conditions).
-11. After configuring a query-based hold, click **Next**.
+11. After configuring a query-based hold, select **Next**.
-12. Review your settings, and then click **Create this hold**.
+12. Review your settings, and then select **Create this hold**.
> [!NOTE] > When you create a query-based hold, all content from selected locations is initially placed on hold. After the timer job in either Exchange or SharePoint runs, any content that doesn't match the specified query is cleared from the hold. After the character count across all queries on a single location exceeds 10,000 characters, the entire location is placed on hold.
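Review bot: In the OneDrive note added at the top of this hunk, "you need to update the hold and point to the new OneDrive URL" is followed directly by "previously placed holds on the site remain effective and content is preserved", and the two sentences read as contradictory. State which one applies to a non-custodial hold, or explain why the update is still needed if the hold stays effective. In step 10, the new line keeps "within the date ranged" (should be "date range") and bolds only **Add** in "Select **Add** conditions"; if the control is labelled "Add conditions", bold the whole label.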
Microsoft Teams is built on Office 365 Groups. Therefore, placing them on hold i
> [!NOTE] > To run the Get-UnifiedGroup cmdlet, you have to be assigned the View-Only Recipients role in Exchange Online or be a member of a role group that's assigned the View-Only Recipients role.
- - When a user's mailbox is searched, any Microsoft 365 Group or Microsoft Team that the user is a member of won't be searched. Similarly, when you place a Microsoft 365 Group or Microsoft Team hold, only the group mailbox and group site are placed on hold; the mailboxes and OneDrive for Business sites of group members aren't placed on hold unless you explicitly add them as custodians or place their data sources hold. Therefore, if you the need to place a Microsoft 365 Group or Microsoft Team on hold for a specific custodian, consider mapping the group site and group mailbox to the custodian (See Managing Custodians in eDiscovery (Premium)). If the Microsoft 365 Group or Microsoft Team is not attributable to a single custodian, consider adding the source to a non-custodial hold.
+ - When a user's mailbox is searched, any Microsoft 365 Group or Microsoft Team that the user is a member of won't be searched. Similarly, when you place a Microsoft 365 Group or Microsoft Team hold, only the group mailbox and group site are placed on hold; the mailboxes and OneDrive for Business sites of group members aren't placed on hold unless you explicitly add them as custodians or place their data sources hold. Therefore, if you need to place a Microsoft 365 Group or Microsoft Team on hold for a specific custodian, consider mapping the group site and group mailbox to the custodian (See Managing Custodians in eDiscovery (Premium)). If the Microsoft 365 Group or Microsoft Team isn't attributable to a single custodian, consider adding the source to a non-custodial hold.
- To get a list of the members of a Microsoft 365 Group or Microsoft Team, you can view the properties on the **Home** > [**Groups**](https://go.microsoft.com/fwlink/p/?linkid=2052855) page in the Microsoft 365 admin center. Alternatively, you can run the following command in Exchange Online PowerShell: ```powershell
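Review bot: The rewritten bullet fixes "if you the need" but still reads "place their data sources hold", which is missing "on" ("place their data sources on hold"). The reference "(See Managing Custodians in eDiscovery (Premium))" is plain text; link it to the article so readers can follow it.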
compliance Sensitivity Labels Aip https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sensitivity-labels-aip.md
Use the following information to help you identify if the features you use with
|User-defined permissions <br> - Do Not Forward for Outlook <br> - User and group custom permissions for Word, Excel, PowerPoint| ![Supported.](../medi#let-users-assign-permissions)| |User-defined permissions <br> - Organization-wide custom permissions by specifying domains for Word, Excel, PowerPoint | [In preview](encryption-sensitivity-labels.md#support-for-organization-wide-custom-permissions) | |Co-authoring and AutoSave | ![Supported.](../medi) |
-| | |
Remember to use the [Microsoft 365 roadmap](https://www.microsoft.com/microsoft-365/roadmap?filters=Microsoft%20Information%20Protection&searchterms=label) to identify and track new features in development.
compliance Whats New https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/whats-new.md
Whether it be adding new solutions to the [Microsoft Purview compliance portal](
### Data loss prevention -- **In preview** Multiple updates for authorization groups in [Configure endpoint DLP settings](/microsoft-365/compliance/dlp-configure-endpoint-settings.md) and [Using Endpoint data loss prevention](/microsoft-365/compliance/endpoint-dlp-using.md).
- - [Printer groups](/microsoft-365/compliance/dlp-configure-endpoint-settings.md#printer-groups-preview)
- - [Removable USB storage device groups](/microsoft-365/compliance/dlp-configure-endpoint-settings.md#removable-storage-device-groups-preview)
- - [Network share paths](/microsoft-365/compliance/dlp-configure-endpoint-settings.md#network-share-groups-preview)
- - [Website groups](/microsoft-365/compliance/endpoint-dlp-using.md#scenario-4-avoid-looping-dlp-notifications-from-cloud-synchronization-apps-with-auto-quarantine-preview)
- - [VPN network location groups](/microsoft-365/compliance/dlp-configure-endpoint-settings.md#vpn-settings-preview)
- - [Sensitive service domains](/microsoft-365/compliance/dlp-configure-endpoint-settings.md#sensitive-service-domains)
+- **In preview** Multiple updates for authorization groups in [Configure endpoint DLP settings](/microsoft-365/compliance/dlp-configure-endpoint-settings) and [Using Endpoint data loss prevention](/microsoft-365/compliance/endpoint-dlp-using).
+ - [Printer groups](/microsoft-365/compliance/dlp-configure-endpoint-settings#printer-groups-preview)
+ - [Removable USB storage device groups](/microsoft-365/compliance/dlp-configure-endpoint-settings#removable-storage-device-groups-preview)
+ - [Network share paths](/microsoft-365/compliance/dlp-configure-endpoint-settings#network-share-groups-preview)
+ - [Website groups](/microsoft-365/compliance/endpoint-dlp-using#scenario-4-avoid-looping-dlp-notifications-from-cloud-synchronization-apps-with-auto-quarantine-preview)
+ - [VPN network location groups](/microsoft-365/compliance/dlp-configure-endpoint-settings#vpn-settings-preview)
+ - [Sensitive service domains](/microsoft-365/compliance/dlp-configure-endpoint-settings#sensitive-service-domains)
- **In preview** Polices can use grouping of conditions, nesting of groups and the use of boolean operators (AND/OR/NOT) between them.
- - [Complex rule design](/microsoft-365/compliance/dlp-policy-design.md#complex-rule-design-preview)
- - [Use trainable classifiers as conditions in DLP policies](/microsoft-365/compliance/dlp-policy-reference.md#location-support-for-how-content-can-be-defined)
+ - [Complex rule design](/microsoft-365/compliance/dlp-policy-design#complex-rule-design-preview)
+ - [Use trainable classifiers as conditions in DLP policies](/microsoft-365/compliance/dlp-policy-reference#location-support-for-how-content-can-be-defined)
- **In preview** For endpoints, support for detecting sensitive items that are password protected or encrypted.
- - [Conditions that devices support](/microsoft-365/compliance/dlp-policy-reference.md#conditions-devices-supports)
-- **Generally available** [100 new files types that can be scanned](/exchange/security-and-compliance/mail-flow-rules/inspect-message-attachments.md#supported-file-types-for-mail-flow-rule-content-inspection)
+ - [Conditions that devices support](/microsoft-365/compliance/dlp-policy-reference#conditions-devices-supports)
+- **Generally available** [100 new files types that can be scanned](/exchange/security-and-compliance/mail-flow-rules/inspect-message-attachments#supported-file-types-for-mail-flow-rule-content-inspection)
### Insider risk management
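Review bot: The link targets lose the .md suffix, but two typos in the surrounding text survive: "Polices can use grouping of conditions" should be "Policies", and the last bullet's "100 new files types" should be "100 new file types". Also check the "Website groups" entry: it is the only item in that list that points to endpoint-dlp-using (a scenario anchor about auto-quarantine) rather than to a section of dlp-configure-endpoint-settings.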
enterprise M365 Dr Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/m365-dr-overview.md
Microsoft 365 services are not deployed to all Microsoft data centers globally.
Over time, a particular service may deploy their software to additional _Geographies_, so the provisioning locations for new customers can change over time, and this does not necessarily cause customer data to be moved to a new _Geography_.
-In order to understand where your data, for a given service is stored, your primarily tool for understanding this is in the _Tenant_ Admin Center. As a _Tenant_ administrator you can find the actual data location by navigating to Admin->Settings->Org Settings->Organization Profile->Data Location. Currently the data location is available for Exchange Online, SharePoint Online and Microsoft Teams. In addition to this resource, please see the [Data Maps page](o365-data-locations.md).
+In order to understand where your data, for a given service is stored, your primary tool for understanding this is in the _Tenant_ Admin Center. As a _Tenant_ administrator you can find the actual data location by navigating to Admin->Settings->Org Settings->Organization Profile->Data Location. Currently the data location is available for Exchange Online, SharePoint Online and Microsoft Teams. In addition to this resource, please see the [Data Maps page](o365-data-locations.md).
Some examples:
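Review bot: The new sentence fixes "primarily tool" but is still hard to parse: "In order to understand where your data, for a given service is stored, your primary tool for understanding this is in the _Tenant_ Admin Center" has an unpaired comma and repeats "understand". Suggest something like "To find where your data for a given service is stored, use the _Tenant_ Admin Center."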
Some examples:
**Example 4a:** For a _Tenant_ with the sign-up country as "Sweden" that has a new subscription that includes Microsoft Yammer, then the customer data for Yammer will be provisioned into the _Macro Region Geography 1 - EMEA_. Why? Because Yammer is deployed in _Macro Region Geography 1 - EMEA_ and Swedish _Tenants_ are best served out of that _Geography_.
-**Example 4b:** For a _Tenant_ with the sign-up country as "Sweden" that has a subscription that includes Microsoft Yammer from before Yammer was deployed to _Macro Regional Geography 1 - EMEA_, then the customer data for Yammer will be located in _Macro Region Geography 3 - Americas_. Why? Because, at that time, Yammer only had a single deployment for all customers at that time in _Macro Region Geography 3 - Americas_.
+**Example 4b:** For a _Tenant_ with the sign-up country as "Sweden" that has a subscription that includes Microsoft Yammer from before Yammer was deployed to _Macro Regional Geography 1 - EMEA_, then the customer data for Yammer will be located in _Macro Region Geography 3 - Americas_. Why? Because, at that time, Yammer only had a single deployment for all customers in _Macro Region Geography 3 - Americas_.
### Migrations/Moves
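Review bot: Example 4b still says "_Macro Regional Geography 1 - EMEA_", while the same line and Example 4a use "_Macro Region Geography_". Use one spelling of the defined term throughout.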
There are three methods for ensuring that the _Tenant_ data location for a parti
|**Service Name**|**Product Terms**|**Multi-Geo**|**ADR**| |:--|:--|:--|:--| |Exchange Online <br/> |X<sup>1</sup> <br/> |X<sup>2</sup> <br/> |X<sup>3</sup> <br/> |
-| SharePoint Online / OneDrive for Business <br/> |X<sup>1</sup> <br/> |X<sup>2</sup> <br/> |X<sup>2</sup> <br/> |
-| Microsoft Teams <br/> |X<sup>1</sup> <br/> |X<sup>2</sup> <br/> |X<sup>2</sup> <br/> |
-| Microsoft Defender for Office P1 <br/> |- <br/> |- <br/> |X<sup>2</sup> <br/> |
-| Office for the Web <br/> |- <br/> |- <br/> |X<sup>2</sup> <br/> |
-| Viva Connections <br/> |- <br/> |- <br/> |X<sup>2</sup> <br/> |
-| Viva Topics <br/> |- <br/> |- <br/> |X<sup>2</sup> <br/> |
-| Microsoft Purview <br/> |- <br/> |- <br/> |X<sup>2</sup> <br/> |
+| SharePoint Online / OneDrive for Business <br/> |X<sup>1</sup> <br/> |X<sup>2</sup> <br/> |X<sup>3</sup> <br/> |
+| Microsoft Teams <br/> |X<sup>1</sup> <br/> |X<sup>2</sup> <br/> |X<sup>3</sup> <br/> |
+| Microsoft Defender for Office P1 <br/> |- <br/> |- <br/> |X<sup>3</sup> <br/> |
+| Office for the Web <br/> |- <br/> |- <br/> |X<sup>3</sup> <br/> |
+| Viva Connections <br/> |- <br/> |- <br/> |X<sup>3</sup> <br/> |
+| Viva Topics <br/> |- <br/> |- <br/> |X<sup>3</sup> <br/> |
+| Microsoft Purview <br/> |- <br/> |- <br/> |X<sup>3</sup> <br/> |
1. Only available for _Local Region Geography_ countries, European Union and the United States. 1. Available in _Local Region Geography_, _Expanded Local Region Geography_ and _Regional Geography countries/regions_
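Review bot: Every ADR cell outside the Exchange Online row moves from footnote 2 to footnote 3, but the footnote list visible below the table shows only two entries. Confirm that a third footnote is defined and that its text describes ADR availability, otherwise the new superscripts point at nothing.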
enterprise Microsoft 365 Monitoring https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/microsoft-365-monitoring.md
Microsoft's plan is to collect your feedback on the preview experience and then
### 4. Is this a free (included) or paid (extra) feature?
-This is a free feature that is in preview and only available for customers that meet the requirements in question 1. There isn't a paid option to receive this content.
+Microsoft 365 Monitoring features are in preview for eligible customers. While in preview, this feature is available at no additional charge for customers that meet the eligibility requirements.
### 5. How do I provide feedback?
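Review bot: The replacement answer refers to "eligible customers" and "the eligibility requirements" without saying where they are listed, whereas the removed text pointed to "the requirements in question 1". Keep that pointer. The new text also drops "There isn't a paid option to receive this content", so the answer no longer states whether a paid option exists, which is half of what the question asks.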
enterprise Microsoft 365 Oab Size Limit Service Advisory https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/microsoft-365-oab-size-limit-service-advisory.md
description: "Learn about service advisories for OAB size limits in Exchange Onl
# Service advisories for OAB size limits
-This alert informs you when your Offline Address Book has reached the size limit outlined in the [Address Book
+This advisory informs you when your Offline Address Book has reached the size limit outlined in the [Address Book
Limits](/office365/servicedescriptions/exchange-online-service-description/exchange-online-limits#address-book-limits) within the [Exchange Online limits](/office365/servicedescriptions/exchange-online-service-description/exchange-online-limits#address-book-limits).
-These alerts are displayed in the Microsoft 365 admin center. To view these alerts, navigate to **Health** \> **Service Health** \> **Exchange Online** and finally, the **Active Issues** tab. This alert will be listed as "Offline Address Book."
+These advisories are displayed in the Microsoft 365 admin center. To view these advisories, navigate to **Health** \> **Service Health** \> **Exchange Online** and finally, the **Active Issues** tab. This advisory will be listed as "Offline Address Book."
-## What Do These Service Alerts Indicate?
+## What Do These Service Advisories Indicate?
-This service alert informs you that the maximum size of a single Offline Address Book within your tenant has exceeded 1 GB. If you receive this alert, we ask that you review any recent changes made to the Offline Address Book(s) in your environment. Your users may observe missing or incomplete data if the size issue isn't corrected.
+This service advisory informs you that the maximum size of a single Offline Address Book within your tenant has exceeded 1 GB. If you receive this advisory, we ask that you review any recent changes made to the Offline Address Book(s) in your environment. Your users may observe missing or incomplete data if the size issue isn't corrected.
## More information
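Review bot: The renamed heading "What Do These Service Advisories Indicate?" is title case, while the page title "Service advisories for OAB size limits" and "More information" are sentence case; suggest "What do these service advisories indicate?". In the same hunk, "the maximum size of a single Offline Address Book within your tenant has exceeded 1 GB" reads as though the limit itself grew; "the size of a single Offline Address Book within your tenant has exceeded 1 GB" would be clearer.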
lighthouse M365 Lighthouse Whats New https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lighthouse/m365-lighthouse-whats-new.md
We're continuously adding new features to [Microsoft 365 Lighthouse](m365-lighth
> [!NOTE] > Some features get rolled out at different speeds to our customers. If you aren't seeing a feature yet, you should see it soon.
+## November 2022
+
+### Changes to Microsoft Defender Firewall and Microsoft Defender Antivirus deployment tasks
+
+We've updated the Microsoft Defender Firewall and Microsoft Defender Antivirus policy settings in our default baseline to provide enhanced protection for your customer tenants. If you previously deployed the **Configure Microsoft Defender Firewall for Windows 10 and later** or the **Configure Microsoft Defender Antivirus for Windows 10 and later** tasks, your customer tenants are still protected with the original policy settings. However, on the Deployment plan page, the deployment steps for these two tasks will show a status of **Not compliant** until you deploy the new enhanced policy settings. To activate these enhanced policy settings, you'll need to go through the deployment process again for both the Microsoft Defender Firewall and Microsoft Defender Antivirus deployment tasks. Once deployed, the deployment step statuses will show as **Compliant** again.
+
+### Capability to set up Granular Delegated Admin Privileges (GDAP)
+
+You can now establish GDAP relationships with multiple reseller customers at once from within Microsoft 365 Lighthouse and assign users in the partner tenant to security groups with various roles and levels of permissions. To do this, you'll create reusable templates based on tiers of support for your customers and for various groups of technicians. You'll see recommended roles for each tier of support during this process. Once created, these templates can then be reapplied as needed to new customers. This functionality allows you to quickly establish GDAP with your customers by using a least-privileged approach for users as a replacement for Delegated Admin Privileges (DAP).    
+
+For more information on GDAP in Microsoft 365 Lighthouse, see [Overview of permissions in Microsoft 365 Lighthouse](m365-lighthouse-overview-of-permissions.md).
+
+For more information on GDAP across all services, see [Introduction to granular delegated admin privileges (GDAP) - Partner Center](/partner-center/gdap-introduction).
+
+### Capability to collect diagnostics from Windows devices
+
+We've added the capability to collect diagnostics from Windows devices. You can access this feature from the Device compliance page. The Collect diagnostics remote action lets you collect and download logs without interrupting the user.
+
+### Manage shared mailboxes
+
+You can now manage all shared mailboxes and meeting rooms across your managed tenants under **Users** > **Account management** > **Shared mailboxes**. From this page, you can perform common management actions like delegating access to other users and securing shared mailboxes by blocking direct access.
+
+### File exclusion support in the antivirus policy
+
+You can now exclude certain non-malicious threats from showing up for tenants on the Threat management page in Microsoft 365 Lighthouse. Go to the tenant's deployment plan, select **Configure a Microsoft Defender Antivirus baseline policy**, and then specify the file, folder, or file-type exclusions.
+
+### Insights from Endpoint analytics
+
+We've added insights from Endpoint analytics in Microsoft Endpoint Manager to Microsoft 365 Lighthouse to help you proactively take measures to improve the health of user devices and apps within managed tenants. The insights from Endpoint analytics inform a deployment sub-task called **Enable Device Health Monitoring** within the default baseline under the **Set up device enrollment** task. Once the new sub-task is enabled and the deployment task is deployed, select **Devices** > **Device health** in the left navigation pane in Microsoft 365 Lighthouse to see the Endpoint analytics insights.ΓÇ»
+
+For more information, see [What is Endpoint analytics?](/mem/analytics/overview)
+
+### Deployment status
+
+Microsoft 365 Lighthouse now provides a deployment status for each tenant's deployment plan so you can optimize and prioritize your deployment efforts accordingly.
+
+### Deployment insights
+
+Microsoft 365 Lighthouse now provides deployment insights to help you understand how consistently and effectively you're establishing and maintaining the health and security of the tenants you manage. The insights provide tenant-specific and multi-tenant visibility into the deployment progress of each tenant, task, and user.
+
+These insights help you:
+
+- Establish and maintain a robust security posture across your entire portfolio.
+- Prioritize deployment activities to maximize security and minimize risk.
+- Audit exceptions like task dismissals and user exclusions.ΓÇ»
+
+### Enhanced baseline deployment with direct links to existing configurations
+
+We've enhanced the baseline deployment experience to make it faster and easier to ensure your managed tenants are healthy and secure. We've added links to detected managed tenant configurations so you can easily find, review, and modify these tenant configurations in the applicable management portal.
+
+### Enhanced deployment progress reporting
+
+Microsoft 365 Lighthouse now provides visibility into each managed tenant's deployment progress from the Tenants page so you can see how many of the assigned tasks are:
+
+- **Compliant** - All settings included in the task are Compliant.
+- **Not Compliant** - One or more settings included in the task are either Missing or Not compliant.
+- **Dismissed** - The task has been dismissed.
+- **Not Licensed** - The tenant is not licensed for the services required to deploy the configuration associated with the task.
+ ## October 2022 ### App protection policies
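Review bot: Two added lines end with stray non-ASCII characters after the full stop ("to see the Endpoint analytics insights." and "Audit exceptions like task dismissals and user exclusions."); remove them, along with the trailing spaces after "(DAP).". Status labels are inconsistent: the first subsection uses **Not compliant**, while the progress-reporting list uses **Not Compliant** and **Not Licensed**. The file-exclusion subsection names the task "Configure a Microsoft Defender Antivirus baseline policy", but the first subsection calls it "Configure Microsoft Defender Antivirus for Windows 10 and later"; use the task name as it appears in the product.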
security Device Control Removable Storage Access Control Faq https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/device-control-removable-storage-access-control-faq.md
- tier3 Previously updated : 08/25/2022 Last updated : 11/10/2022 search.appverid: met150
DeviceFileEvents
4. Open **Details**, and select **Properties**. :::image type="content" alt-text="Screenshot of device property in Device Manager." source="https://user-images.githubusercontent.com/81826151/181859852-00bc8b11-8ee5-4d46-9770-fa29f894d13f.png":::
-
+
+
+## How do I find Sid or ComputerSid for AAD groud?
+Different from AD group, the Sid or ComputerSid is using Object Id for AAD group. You can find the Object Id from Azure portal.
+
+![image](https://user-images.githubusercontent.com/81826151/200895994-cc395452-472f-472e-8d56-351165d341a7.png)
+
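Review bot: The new heading has a typo: "AAD groud" should be "AAD group". The answer needs a grammar pass as well; "Different from AD group, the Sid or ComputerSid is using Object Id for AAD group" could read "For an AAD group, unlike an AD group, use the group's Object Id as the Sid or ComputerSid". The screenshot has the alt text "image"; give it a descriptive alt text that says what the reader should look for in the Azure portal.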
security Device Control Removable Storage Access Control https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/device-control-removable-storage-access-control.md
Previously updated : 09/29/2022 Last updated : 11/10/2022 search.appverid: met150
search.appverid: met150
## Overview
-Microsoft Defender for Endpoint Device Control Removable Storage Access Control feature enables you to audit, allow or prevent the read, write or execute access to removable storage with or without exclusion.
+Microsoft Defender for Endpoint Device Control Removable Storage Access Control feature enables you to audit, allow, or prevent the read, write, or execute access to removable storage with or without exclusions.
|Privilege|Permission| |||
Microsoft Defender for Endpoint Device Control Removable Storage Access Control
|User-based Support|Yes| |Machine-based Support|Yes|
-Microsoft Defender for Endpoint Device Control Removable Storage Access Control feature gives you the following capabilities:
- ### Prepare your endpoints Deploy Removable Storage Access Control on Windows 10 and Windows 11 devices that have the anti-malware client version **4.18.2103.3 or later**. - **4.18.2104 or later**: Add `SerialNumberId`, `VID_PID`, filepath-based GPO support, and `ComputerSid` -- **4.18.2105 or later**: Add Wildcard support for `HardwareId/DeviceId/InstancePathId/FriendlyNameId/SerialNumberId`, the combination of specific user on specific machine, removeable SSD (a SanDisk Extreme SSD)/USB Attached SCSI (UAS) support
+- **4.18.2105 or later**: Add Wildcard support for `HardwareId/DeviceId/InstancePathId/FriendlyNameId/SerialNumberId`, the combination of specific user on specific machine, removable SSD (a SanDisk Extreme SSD)/USB Attached SCSI (UAS) support
- **4.18.2107 or later**: Add Windows Portable Device (WPD) support (for mobile devices, such as tablets); add `AccountName` into [advanced hunting](device-control-removable-storage-access-control.md#view-data-in-microsoft-defender-for-endpoint) - **4.18.2205 or later**: Expand the default enforcement to **Printer**. If you set it to **Deny**, it will block Printer as well, so if you only want to manage storage, make sure to create a custom policy to allow Printer
+- **4.18.2207 or later**: Add **File** support, the common use case can be: block people from Read/Write/Execute access specific file on removable storage; add **Network** and **VPN Connection** support, the common use case can be: block people from access removable storage when the machine isn't connecting corporate network.
+ :::image type="content" source="images/powershell.png" alt-text="Screenshot of the PowerShell interface" lightbox="images/powershell.png"::: > [!NOTE]
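Review bot: The new 4.18.2207 bullet is missing words in both use cases: "block people from Read/Write/Execute access specific file" should be "access to specific files", and "block people from access removable storage when the machine isn't connecting corporate network" should be "from accessing removable storage when the machine isn't connected to the corporate network". It is also the only version bullet that ends with a full stop.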
The Removable Storage Access Control includes Removable storage group creation a
- Removable storage group allows you to create group. For example, authorized USB group or encrypted USB group. - Access policy rule allows you to create policy to restrict each removable storage group. For example, only allow authorized user to Write access-authorized USB group.-- To block a specific removable storage class but allow specific media, you can use '`IncludedIdList` a group through `PrimaryId` and `ExcludedIDList` a group through `DeviceId`\/`HardwareId`/etc.` For additional guidance, see [Deploy Removable Storage Access Control by using Intune OMA-URI](deploy-manage-removable-storage-intune.md#deploy-removable-storage-access-control-by-using-intune-oma-uri).
+- To block a specific removable storage class but allow specific media, you can use ΓÇÿ`IncludedIdList` a group through `PrimaryId` and `ExcludedIDList` a group through `DeviceId`\/`HardwareId`/etc.` For more information, see [Deploy Removable Storage Access Control by using Intune OMA-URI](deploy-manage-removable-storage-intune.md#deploy-removable-storage-access-control-by-using-intune-oma-uri).
Here are the properties you can use when you create the group and policy XML files.
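Review bot: The replacement bullet swaps the straight quote before `IncludedIdList` for a typographic opening quote that has no closing partner, and the backtick after "etc." is still unpaired, so the code formatting on this line will not render as intended. Drop the quote and close each code span separately.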
-### Removable storage group
+### Group
+Group includes following types:
+- Device: if there's an explicit type setting, this setting is the default, including removable storage and Printer.
+- Network
+- VPN Connection
+
+The following table lists the properties you can use in **Group**:
|Property Name|Description|Options| ||||
-|**GroupId**|GUID, a unique ID, represents the group and will be used in the policy.||
-|**DescriptorIdList**|List the device properties you want to use to cover in the group. All properties are case sensitive. |**PrimaryId**: The Primary ID includes `RemovableMediaDevices`, `CdRomDevices`, `WpdDevices`, `PrinterDevices`. <p>**InstancePathId**: InstancePathId is a string that uniquely identifies the device in the system, for example, `USBSTOR\DISK&VEN_GENERIC&PROD_FLASH_DISK&REV_8.07\8735B611&0`. It's the `Device instance path` in the Device Manager. The number at the end (for example &0) represents the available slot and may change from device to device. For best results, use a wildcard at the end. For example, `USBSTOR\DISK&VEN_GENERIC&PROD_FLASH_DISK&REV_8.07\8735B611*`. <p>**DeviceId**: To transform `Device instance path` to Device ID format, see [Standard USB Identifiers](/windows-hardware/drivers/install/standard-usb-identifiers), for example, `USBSTOR\DISK&VEN_GENERIC&PROD_FLASH_DISK&REV_8.07` <p>**HardwareId**: A string that identifies the device in the system, for example, `USBSTOR\DiskGeneric_Flash_Disk___8.07`. It's `Hardware Ids` in the Device Manager. <br>**Note**: Hardware ID is not unique; different devices might share the same value.<p>**FriendlyNameId**: It's a string attached to the device, for example, `Generic Flash Disk USB Device`. It's the `Friendly name` in the Device Manager. <p>**BusId**: For example, USB, SCSI <p>**SerialNumberId**: You can find SerialNumberId from `Device instance path` in the Device Manager, for example, `03003324080520232521` is SerialNumberId in USBSTOR\DISK&VEN__USB&PROD__SANDISK_3.2GEN1&REV_1.00\\`03003324080520232521`&0 <p>**VID_PID**: Vendor ID is the four-digit vendor code that the USB committee assigns to the vendor. Product ID is the four-digit product code that the vendor assigns to the device. It supports wildcard. To transform `Device instance path` to Vendor ID and Product ID format, see [Standard USB Identifiers](/windows-hardware/drivers/install/standard-usb-identifiers). 
For example: <br>`0751_55E0`: match this exact VID/PID pair<br>`_55E0`: match any media with PID=55E0 <br>`0751_`: match any media with VID=0751 <p> **Note**: See [How do I find the media property in the Device Manager?](device-control-removable-storage-access-control-faq.md#how-do-i-find-the-media-property-in-the-device-manager) to understand how to find the property in Device Manager.|
-|**MatchType**|When there are multiple device properties being used in the `DescriptorIDList`, MatchType defines the relationship.|**MatchAll**: Any attributes under the `DescriptorIdList` will be **And** relationship; for example, if administrator puts `DeviceID` and `InstancePathID`, for every connected USB, system will check to see whether the USB meets both values. <p> **MatchAny**: The attributes under the DescriptorIdList will be **Or** relationship; for example, if administrator puts `DeviceID` and `InstancePathID`, for every connected USB, system will do the enforcement as long as the USB has either an identical **DeviceID** or **InstanceID** value.|
+|**GroupId**|GUID, a unique ID, represents the group and will be used in the policy.| You can generate ID through [PowerShell[(/powershell/module/microsoft.powershell.utility/new-guid)|
+|**Type**|The type of the group. |**File** <p>**Device** <p> **Note**: Default type is Device that includes removable storage and printer. For any other group you define in your Group setting, make sure explicitly mark Type, for example, Type="File". |
+|**DescriptorIdList**|List the device properties you want to use to cover in the group. All properties are case sensitive. |**PrimaryId**: The Primary ID includes `RemovableMediaDevices`, `CdRomDevices`, `WpdDevices`, `PrinterDevices`. <p>**InstancePathId**: InstancePathId is a string that uniquely identifies the device in the system, for example, `USBSTOR\DISK&VEN_GENERIC&PROD_FLASH_DISK&REV_8.07\8735B611&0`. It's the `Device instance path` in the Device Manager. The number at the end (for example &0) represents the available slot and may change from device to device. For best results, use a wildcard at the end. For example, `USBSTOR\DISK&VEN_GENERIC&PROD_FLASH_DISK&REV_8.07\8735B611*`. <p>**DeviceId**: To transform `Device instance path` to Device ID format, see [Standard USB Identifiers](/windows-hardware/drivers/install/standard-usb-identifiers), for example, `USBSTOR\DISK&VEN_GENERIC&PROD_FLASH_DISK&REV_8.07` <p>**HardwareId**: A string that identifies the device in the system, for example, `USBSTOR\DiskGeneric_Flash_Disk___8.07`. It's `Hardware Ids` in the Device Manager. <br>**Note**: Hardware ID isn't unique; different devices might share the same value.<p>**FriendlyNameId**: It's a string attached to the device, for example, `Generic Flash Disk USB Device`. It's the `Friendly name` in the Device Manager. <p>**BusId**: For example, USB, SCSI <p>**SerialNumberId**: You can find SerialNumberId from `Device instance path` in the Device Manager, for example, `03003324080520232521` is SerialNumberId in USBSTOR\DISK&VEN__USB&PROD__SANDISK_3.2GEN1&REV_1.00\\`03003324080520232521`&0 <p>**VID_PID**: Vendor ID is the four-digit vendor code that the USB committee assigns to the vendor. Product ID is the four-digit product code that the vendor assigns to the device. It supports wildcard. To transform `Device instance path` to Vendor ID and Product ID format, see [Standard USB Identifiers](/windows-hardware/drivers/install/standard-usb-identifiers). 
For example: <br>`0751_55E0`: match this exact VID/PID pair<br>`_55E0`: match any media with PID=55E0 <br>`0751_`: match any media with VID=0751 <p> **NameId**: The name of the Network or VPN Connection, support wildcard and only applicable for Network type or VPN Connection type Group. <p> **NetworkCategoryId**: only applicable for Network type Group and includes `Public`, `Private`, `DomainAuthenticated`. <p> **NetworkDomainId**: only applicable for Network type Group and includes `NonDomain`, `Domain`, `DomainAuthenticated`. <p> **VPNConnectionStatusId**: only applicable for VPN Connection type Group and includes `Connected`, `Disconnected`. <p> **VPNServerAddressId**: string, value of VPNServerAddress, support wildcard and only applicable for VPN Connection type Group. <p> **VPNDnsSuffixId**: string, value of VPNDnsSuffix, support wildcard and only applicable for VPN Connection type Group. <p> **PathId**: string, value of file path or name, support wildcard and only applicable for File type Group. <p> **Note**: See [How do I find the media property in the Device Manager?](device-control-removable-storage-access-control-faq.md#how-do-i-find-the-media-property-in-the-device-manager) to understand how to find the property in Device Manager.|
+|**MatchType**|When there are multiple device properties being used in the `DescriptorIDList`, MatchType defines the relationship.|**MatchAll**: Any attributes under the `DescriptorIdList` will be **And** relationship; for example, if administrator puts `DeviceID` and `InstancePathID`, for every connected USB, system will check to see whether the USB meets both values. <p> **MatchAny**: The attributes under the DescriptorIdList will be **Or** relationship; for example, if administrator puts `DeviceID` and `InstancePathID`, for every connected USB, system will do the enforcement as long as the USB has either an identical **DeviceID** or **InstanceID** value. <p> **MatchExcludeAll**: The attributes under the DescriptorIdList will be And relationship, any items that do NOT meet will be covered. For example, if administrator puts DeviceID and InstancePathID and uses MatchExcludeAll, for every connected USB, system will do the enforcement as long as the USB doesn't have both identical DeviceID and InstanceID value. <p> **MatchExcludeAny**: The attributes under the DescriptorIdList will be Or relationship, any items that do NOT meet will be covered. For example, if administrator puts DeviceID and InstancePathID and uses MatchExcludeAny, for every connected USB, system will do the enforcement as long as the USB doesn't have either an identical DeviceID or InstanceID value.|
### Access policy rule
-You can use the following properties to create the access control policy:
+Every access policy rule called **PolicyRule** can be used to define access restriction for each group through multiple **Entry**.
+
+The following table lists the properties you can use in **PolicyRule**:
| Property Name | Description | Options | ||||
-| **PolicyRule Id** | GUID, a unique ID, represents the policy and will be used in the reporting and troubleshooting. | |
+| **PolicyRule Id** | GUID, a unique ID, represents the policy and will be used in the reporting and troubleshooting. | You can generate ID through [PowerShell](/powershell/module/microsoft.powershell.utility/new-guid)|
+| **Name** | String, the name of the policy and will display on the toast based on the policy setting. | |
| **IncludedIdList** | The group(s) that the policy will be applied to. If multiple groups are added, the policy will be applied to any media in all those groups.|The Group ID/GUID must be used at this instance. <p> The following example shows the usage of GroupID: <p> `<IncludedIdList> <GroupId> {EAA4CCE5-F6C9-4760-8BAD-FDCC76A2ACA1}</GroupId> </IncludedIdList>` | | **ExcludedIDList** | The group(s) that the policy won't be applied to. | The Group ID/GUID must be used at this instance. |
-| **Entry Id** | One PolicyRule can have multiple entries; each entry with a unique GUID tells Device Control one restriction.| |
+| **Entry** | One PolicyRule can have multiple entries; each entry with a unique GUID tells Device Control one restriction.| See Entry properties table below to get details.|
++
+The following table lists the properties you can use in **Entry**:
+
+| Property Name | Description | Options |
+||||
+| **Entry Id** | GUID, a unique ID, represents the entry and will be used in the reporting and troubleshooting.| You can generate ID through [PowerShell](/powershell/module/microsoft.powershell.utility/new-guid)|
| **Type** | Defines the action for the removable storage groups in IncludedIDList. <p>Enforcement: Allow or Deny <p>Audit: AuditAllowed or AuditDenied<p> | Allow<p>Deny <p>AuditAllowed: Defines notification and event when access is allowed <p>AuditDenied: Defines notification and event when access is denied; has to work together with **Deny** entry.<p> When there are conflict types for the same media, the system will apply the first one in the policy. An example of a conflict type is **Allow** and **Deny**. |
-| **SID** | Local user SID or user SID group or the SID of the AD object, defines whether to apply this policy over a specific user or user group. One entry can have a maximum of one SID and an entry without any SID means applying the policy over the machine. | |
-| **ComputerSID** | Local computer SID or computer SID group or the SID of the AD object, defines whether to apply this policy over a specific machine or machine group. One entry can have a maximum of one ComputerSID and an entry without any ComputerSID means applying the policy over the machine. If you want to apply an Entry to a specific user and specific machine, add both SID and ComputerSID into the same Entry. | |
+| **SID** | Local user SID or user SID group or the SID of the AD object or the Object ID of the Azure AD object, defines whether to apply this policy over a specific user or user group. One entry can have a maximum of one SID and an entry without any SID means to apply the policy over the machine. | |
+| **ComputerSID** | Local computer SID or computer SID group or the SID of the AD object or the Object Id of the AAD object, defines whether to apply this policy over a specific machine or machine group. One entry can have a maximum of one ComputerSID and an entry without any ComputerSID means to apply the policy over the machine. If you want to apply an Entry to a specific user and specific machine, add both SID and ComputerSID into the same Entry. | |
| **Options** | Defines whether to display notification or not |**When Type Allow is selected**: <p>0: nothing<p>4: disable **AuditAllowed** and **AuditDenied** for this Entry. Even if **Allow** happens and the AuditAllowed is setting configured, the system won't send event. <p>8: capture file information and have a copy of the file as evidence for Write access. <p>16: capture file information for Write access. <p>**When Type Deny is selected**: <p>0: nothing<p>4: disable **AuditDenied** for this Entry. Even if **Block** happens and the AuditDenied is setting configured, the system won't show notification. <p>**When Type **AuditAllowed** is selected**: <p>0: nothing <p>1: nothing <p>2: send event<p> **When Type **AuditDenied** is selected**: <p>0: nothing <p>1: show notification <p>2: send event<p>3: show notification and send event | |AccessMask|Defines the access. | **Disk level access**: <p>1: Read <p>2: Write <p>4: Execute <p>**File system level access**: <p>8: File system Read <p>16: File system Write <p>32: File system Execute <p><p>You can have multiple access by performing binary OR operation, for example, the AccessMask for Read and Write and Execute will be 7; the AccessMask for Read and Write will be 3.|
+|Parameters|Condition for this Entry, for example Network condition. | Can add groups (non Devices type) or even put Parameters into Parameters. See Parameters properties table below to get details.|
+
+The following table lists the properties you can use in **Parameters**:
+
+| Property Name | Description | Options |
+||||
+|**MatchType**|When there are multiple device properties being used in the `DescriptorIDList`, MatchType defines the relationship.|**MatchAll**: Any attributes under the `DescriptorIdList` will be **And** relationship; for example, if administrator puts `DeviceID` and `InstancePathID`, for every connected USB, system will check to see whether the USB meets both values. <p> **MatchAny**: The attributes under the DescriptorIdList will be **Or** relationship; for example, if administrator puts `DeviceID` and `InstancePathID`, for every connected USB, system will do the enforcement as long as the USB has either an identical **DeviceID** or **InstanceID** value. <p> **MatchExcludeAll**: The attributes under the DescriptorIdList will be And relationship, any items that do NOT meet will be covered. For example, if administrator puts DeviceID and InstancePathID and uses MatchExcludeAll, for every connected USB, system will do the enforcement as long as the USB doesn't have both identical DeviceID and InstanceID value. <p> **MatchExcludeAny**: The attributes under the DescriptorIdList will be Or relationship, any items that do NOT meet will be covered. For example, if administrator puts DeviceID and InstancePathID and uses MatchExcludeAny, for every connected USB, system will do the enforcement as long as the USB doesn't have either an identical DeviceID or InstanceID value.|
+| **File** <p> **VPN Connection** <p> **Network** | You can use one or multiple File or Network or VPN Connection group(s) as parameter for this Entry, and then define MatchType for the relationship between those groups.|
+| **Parameters** | You can embed Parameters inside Parameters with MatchType.|
For specific guidance, see:
-| Topic | Description |
+| Article | Description |
||| | [Deploying Removable Storage Access Control by using Group Policy](deploy-manage-removable-storage-group-policy.md) | Use Group Policy to deploy the policy.| | [Deploying Removable Storage Access Control by using Intune OMA-URI](deploy-manage-removable-storage-intune.md) | Use Intune to deploy the policy.|
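Review bot: The two rows added at the end of the **Parameters** table (`**File** <p> **VPN Connection** <p> **Network**` and `**Parameters**`) have only two cells under a three-column header, so the Options column is missing for both; add the third cell, even if empty. In the same hunk, the added line that consists of a lone `+` just before "The following table lists the properties you can use in **Entry**:" will render as a stray character and should be a blank line. The **MatchType** row added to the Parameters table is a copy of the group-level row and still describes device properties in `DescriptorIDList` with `DeviceID` and `InstancePathID` examples, although Parameters takes File, Network or VPN Connection groups; reword it for groups. Because the DescriptorIdList row states that all properties are case sensitive, the mixed spellings should be made consistent: `DescriptorIDList` vs `DescriptorIdList`, `InstancePathID` vs `InstanceID`, and "Object ID of the Azure AD object" vs "Object Id of the AAD object".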
DeviceEvents
``` :::image type="content" source="images/block-removable-storage.png" alt-text="The screen depicting the blockage of the removable storage.":::
+![image](https://user-images.githubusercontent.com/81826151/200893727-a3311c48-a008-456f-acb5-c2c0aaf0500e.png)
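Review bot: The added image has the alt text `image` and is linked from `user-images.githubusercontent.com`, while the line directly above it uses the `:::image` syntax with a file under `images/` and descriptive alt text. Check the screenshot into the article's `images` folder and give it alt text that says what the screenshot shows.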
security Investigate Files https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/investigate-files.md
- m365-security - tier2 Previously updated : 04/24/2018 Last updated : 11/10/2022 search.appverid: met150
You can get information from the following sections in the file view:
- File details, Malware detection, File prevalence - File PE metadata (if it exists)-- Deep analysis - Alerts - Observed in organization - Deep analysis - File names
+- Action center
You can also take action on a file from this page.
Along the top of the profile page, above the file information cards. Actions you
- Add/edit indicator - Download file - Consult a threat expert-- Action center
+- Manual actions
For more information on these actions, see [Take response action on a file](respond-file-alerts.md).
The file prevalence card shows where the file was seen in devices in the organiz
> [!NOTE] > Different users may see dissimilar values in the *devices in organization* section of the file prevalence card. This is because the card displays information based on the RBAC scope that a user has. Meaning, if a user has been granted visibility on a specific set of devices, they will only see the file organizational prevalence on those devices.
-## Alerts
+![Screenshot showing file prevalence.](https://user-images.githubusercontent.com/96785904/200525998-e11576f7-e495-4d16-98fb-940d8bd9a0d6.png)
+
-The **Alerts** tab provides a list of alerts that are associated with the file, as well as the incident the alert is linked to. This list covers much of the same information as the Alerts queue, except for the device group, if any, the affected device belongs to. You can choose what kind of information is shown by selecting **Customize columns** from the toolbar above the column headers.
+## Incidents and alerts
+
+The **Incidents and alerts** tab provides a list of incidents that are associated with the file, as well as the alerts the file is linked to. This list covers much of the same information as the incidents queue. You can choose what kind of information is shown by selecting **Customize columns** from the toolbar above the column headers.
+
+![Screenshot showing incidents and alerts.](https://user-images.githubusercontent.com/96785904/200527005-1fd139dc-7483-4e4c-83ad-855cd198f153.png)
## Observed in organization
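Review bot: The heading changes from `## Alerts` to `## Incidents and alerts`, but the list of file-view sections near the top of the article still carries `- Alerts`, so the list and the tab name no longer match; update that bullet in the same change. The two screenshots added here are linked from `user-images.githubusercontent.com` rather than from image files in the repo; moving them into the article's image folder keeps them versioned with the text.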
The **File names** tab lists all names the file has been observed to use, within
The **Action center** displays the action center filtered on a specific file, so you can see pending actions and the history of actions taken on the file.
+![Screenshot showing the action center](https://user-images.githubusercontent.com/96785904/200527287-0c09dd24-6192-4a7d-990a-824d35b97460.png)
+ ## Related topics - [View and organize the Microsoft Defender for Endpoint queue](alerts-queue.md)
security Manage Updates Baselines Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-updates-baselines-microsoft-defender-antivirus.md
All our updates contain
- Performance improvements - Serviceability improvements - Integration improvements (Cloud, [Microsoft 365 Defender](/microsoft-365/security/defender/microsoft-365-defender))+ <br/><br/> <details>
-<summary>October-2022 (Platform: 4.18.2210.5 | Engine: 1.1.19800.4)</summary>
+<summary>October-2022 (Platform: 4.18.2210.6 | Engine: 1.1.19800.4)</summary>
&ensp;Security intelligence update version: **1.379.4.0**<br/>
-&ensp;Release date: **November 7, 2022**<br/>
-&ensp;Platform: **4.18.2210.5**<br/>
+&ensp;Release date: **November 10, 2022**<br/>
+&ensp;Platform: **4.18.2210.6**<br/>
&ensp;Engine: **1.1.19800.4**<br/> &ensp;Support phase: **Security and Critical Updates**<br/>
Security intelligence update version: 1.379.4.0<br/>
### What's new
+- Addressed a quality issue that could result in poor responsiveness/usability
- Improved hang detection in antivirus engine -- Added opt-in for Defender updates during OOBE (out of box experience) process - Improved [tamper protection](prevent-changes-to-security-settings-with-tamper-protection.md) capability - Changed threat & vulnerability management (TVM)-warn and TVM-block action to block to resolve Intune's report - Removed Clean Action from Intune policy for `ThreadSeverityDefaultAction`
Security intelligence update version: 1.373.1647.0 <br/>
### What's new
+- Starting with platform version 4.18.2207.7, the default behavior of dynamic signature expiration reporting changes to reduce potential 2011 event notification flooding. See: **Event ID: 2011** in [Review event logs and error codes to troubleshoot issues with Microsoft Defender Antivirus](troubleshoot-microsoft-defender-antivirus.md)
- Fixed Unified agent installer issues on WS2012R2 Server and Windows Server 2016 - Fixed remediation issue for custom detection - Fixed Race condition related to behavior monitoring
Security intelligence update version: 1.369.88.0<br/>
- Added AMSI disk usage limits for The History Store - Added fix for Defender service refusing to accept signature updates
-### Known Issues
+### Known issues
No known issues
Security intelligence update version: 1.363.817.0<br/>
- Resolves issues with high resource utilization (CPU and/or memory) related to the earlier March 2022 Microsoft Defender engine update (1.1.19100.5)
-### Known Issues
+### Known issues
No known issues
Security intelligence update version: 1.361.1449.0<br/>
- Improved [tamper protection](prevent-changes-to-security-settings-with-tamper-protection.md) capabilities - Added a fix for [real-time protection](configure-protection-features-microsoft-defender-antivirus.md) getting disabled in some cases when using `SharedSignaturesPath` config. For more details about the `SharedSignaturesPath` parameter, see [Set-MpPreference](/powershell/module/defender/set-mppreference).
-### Known Issues
+### Known issues
- Potential for high resource utilization (CPU and/or memory). See the Platform 4.18.2203.5 and Engine 1.1.19200.5 update for March 2022.
Security intelligence update version: 1.361.14.0 <br/>
- Fixed VDI device update bug for network FileShares - EDR in block mode now supports granular device targeting with new CSPs. See [Endpoint detection and response (EDR) in block mode](edr-in-block-mode.md).
-### Known Issues
+### Known issues
No known issues
Security intelligence update version: 1.357.8.0 <br/>
- Tamper protection improvements - Replaced `ScanScheduleTime` with new `ScanScheduleOffest` cmdlet in [Set-MpPreference](/powershell/module/defender/set-mppreference). This policy configures the number of minutes after midnight to perform a scheduled scan. - Added the `-ServiceHealthReportInterval` setting to [Set-MpPreference](/powershell/module/defender/set-mppreference). This policy configures the time interval (in minutes) to perform a scheduled scan.-- Added the `AllowSwitchToAsyncInspection` setting to [Set-MpPreference](/powershell/module/defender/set-mppreference). This policy enables a performance optimization, that allows synchronously inspected network flows, to switch to async inspection once they've been checked and validated.
+- Added the `AllowSwitchToAsyncInspection` setting to [Set-MpPreference](/powershell/module/defender/set-mppreference). This policy enables a performance optimization that allows synchronously inspected network flows to switch to async inspection once they've been checked and validated.
- Performance Analyzer v2 updates: Remote PowerShell and PowerShell 7.x support added. See [Performance analyzer for Microsoft Defender Antivirus](tune-performance-defender-antivirus.md). - Fixed potential duplicate packet bug in Microsoft Defender Antivirus network inspection system driver.
-### Known Issues
+### Known issues
No known issues
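Review bot: The context bullet just above the reworded `AllowSwitchToAsyncInspection` line still reads `ScanScheduleOffest`, a misspelling of the `ScanScheduleOffset` parameter of Set-MpPreference, and calls it a cmdlet; since this hunk is already editing the list, fix it here. The `-ServiceHealthReportInterval` bullet describes its interval as the time "to perform a scheduled scan", which repeats the wording of the bullet before it and looks like a copy error.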
Security intelligence update version: 1.355.2.0
- Fixed performance recording session leak when using `New-MpPerformanceRecording` in PowerShell 7.x, remote sessions, and PowerShell ISE
-### Known Issues
+### Known issues
No known issues <br/> </details><details>
Security intelligence update version: 1.353.3.0
- Fix for alerts on blocked tampering attempts not appearing in Security Center - Improvements to tamper resilience in Microsoft Defender service
-### Known Issues
+### Known issues
No known issues <br/> </details><details>
Security intelligence update version: 1.351.7.0
- New delay ring for Microsoft Defender Antivirus engine and platform updates. Devices that opt into this ring will receive updates with a 48-hour delay. The new delay ring is suggested for critical environments only. See [Manage the gradual rollout process for Microsoft Defender updates](manage-gradual-rollout.md). - Improvements to Microsoft Defender update gradual rollout process
-### Known Issues
+### Known issues
No known issues <br/> </details><details>
No known issues
- Microsoft Defender Antivirus hardened against the TrustedInstaller bypass - Extending file change notifications to include more data for Human-Operated Ransomware (HumOR)
-### Known Issues
+### Known issues
No known issues <br/> </details><details>
No known issues
- Scheduled scans for Group Policy Object managed systems will adhere to user configured scan time - Improvements to the behavior monitoring engine
-### Known Issues
+### Known issues
No known issues <br/>
No known issues
- Improvements to the rollout of antimalware definitions - Extended Microsoft Edge network event inspections
-### Known Issues
+### Known issues
No known issues <br/> </details><details>
No known issues
- Improvements to [behavior monitoring](client-behavioral-blocking.md) - Fixed [network protection](network-protection.md) notification filtering feature
-### Known Issues
+### Known issues
No known issues <br/> </details><details>
No known issues
- Added new controls to manage the gradual rollout process for [Microsoft Defender updates](manage-gradual-rollout.md)
-### Known Issues
+### Known issues
No known issues <br/> </details><details>
No known issues
- Expanded network brute-force-attack mitigations - More failed tampering attempt event generation when [Tamper Protection](prevent-changes-to-security-settings-with-tamper-protection.md) is enabled
-### Known Issues
+### Known isues
No known issues <br/> </details><details>
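Review bot: The added heading reads `### Known isues`; it should be `### Known issues`, matching the same heading change made in every other release section of this patch.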
No known issues
- Improved service recovery through [tamper protection](prevent-changes-to-security-settings-with-tamper-protection.md) - Extend tamper protection scope
-### Known Issues
+### Known issues
No known issues <br/> </details><details>
No known issues
- Improved support for ARM x64 emulation - Fix: EDR Block notification remains in threat history after real-time protection performed initial detection
-### Known Issues
+### Known issues
No known issues <br/> </details><details>
No known issues
- Improved [SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview) status support logging
-### Known Issues
+### Known issues
No known issues <br/> </details><details>
No known issues
- Improved host address allow/block capabilities - New option in Defender CSP to Ignore merging of local user exclusions
-### Known Issues
+### Known issues
No known issues <br/>
No known issues
- Improved visibility into TPM measurements - Improved Office VBA module scanning
-### Known Issues
+### Known issues
No known issues <br/>
No known issues
- [DisableAntiSpyware](/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware) is ignored. Microsoft Defender Antivirus automatically turns itself off when it detects another antivirus program.
-### Known Issues
+### Known issues
No known issues <br/> </details>
No known issues
- Improved telemetry for BITS - Improved Authenticode code signing certificate validation
-### Known Issues
+### Known issues
No known issues <br/> </details>
No known issues
- Fixed registry query - Fixed scantime randomization in ADMX
-### Known Issues
+### Known issues
No known issues <br/> </details>
No known issues
- Fixed AMSI Cloud blocking - Fixed Security update install log
-### Known Issues
+### Known issues
No known issues <br/> </details>
No known issues
- UEFI scan capability - Extend logging for updates
-### Known Issues
+### Known issues
No known issues <br/> </details>
No known issues
- Extend AMSI engine internal log capability - Improve notification for process blocking
-### Known Issues
+### Known issues
[**Fixed**] Microsoft Defender Antivirus is skipping files when running a scan. <br/>
No known issues
### What's new
-### Known Issues
+### Known issues
No known issues <br/> </details>
Engine: **1.1.16700.2**<br/>
- extend Emergency signature update to [passive mode](./microsoft-defender-antivirus-compatibility.md) - Fix 4.18.1911.3 hang
-### Known Issues
+### Known issues
[**Fixed**] devices utilizing [modern standby mode](/windows-hardware/design/device-experiences/modern-standby) may experience a hang with the Windows Defender filter driver that results in a gap of protection. Affected machines appear to the customer as having not updated to the latest antimalware platform. <br/>
Support phase: **No support**<br/>
- Improve notifications (PUA) - add MRT logs to support files
-### Known Issues
+### Known issues
When this update is installed, the device needs the jump package 4.18.2001.10 to be able to update to the latest platform version. <br/> </details>
security Troubleshoot Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus.md
Message:
</tr> <tr> <td>
+Change to default behavior:
+</td>
+<td >
+<dl>
+<dt><b>Change to dynamic signature event reporting default behavior</b></dt>
+<dt>When a dynamic signature is received by MDE, a 2010 event is reported. However, when the dynamic signature expires or is manually deleted a 2011 event is reported. In some cases, when a new signature is delivered to MDE sometimes hundreds of dynamic signatures will expire at the same time; therefore hundreds of 2011 events are reported. The generation of so many 2011 events can cause a Security information and event management (SIEM) server to become flooded.</dt>
+<dt>To avoid the above situation - starting with platform version 4.18.2207.7 - by default, MDE will now <i>not</i> report 2011 events:<ul>
+<li>This new default behavior is controlled by registry entry: <b>HKLM\SOFTWARE\Microsoft\Windows&nbsp;Defender\Reporting\EnableDynamicSignatureDroppedEventReporting</b>.</li>
+<li>The default value for <b>EnableDynamicSignatureDroppedEventReporting</b> is <b>false</b>, which means <i>2011 events are not reported</i>. If it's set to true, 2011 events <i>are reported</i>.</li>
+</ul>
+</dt>
+<dt>Because 2010 signature events are timely distributed sporadically - and will not cause a spike - 2010 signature event behavior is unchanged.</dt>
+</dl>
+</td>
+</tr>
+<tr>
+<td>
Description: </td> <td >
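Review bot: The new row gives the default of `EnableDynamicSignatureDroppedEventReporting` as **false** but does not state the registry value type or the data to write to turn 2011 reporting back on; add both, so that an admin who relies on 2011 events in a SIEM can restore them. All the explanatory paragraphs are marked up as `<dt>`; keep only the bold title in `<dt>` and move the descriptions into `<dd>`. The closing sentence ("timely distributed sporadically") needs rewording, and "Security information and event management" is capitalised inconsistently.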
security Configure Your Spam Filter Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/configure-your-spam-filter-policies.md
Creating a custom anti-spam policy in the Microsoft 365 Defender portal creates
|Action|Spam|High<br>confidence<br>spam|Phishing|High<br>confidence<br>phishing|Bulk| ||::|::|::|::|::|
- |**Move message to Junk Email folder**: The message is delivered to the mailbox and moved to the Junk Email folder.<sup>1</sup>|Γ£ö<sup>\*</sup>|Γ£ö<sup>\*</sup>|Γ£ö|Γ£ö|Γ£ö<sup>\*</sup>|
+ |**Move message to Junk Email folder**: The message is delivered to the mailbox and moved to the Junk Email folder.<sup>1</sup>|Γ£ö<sup>\*</sup>|Γ£ö<sup>\*</sup>|Γ£ö||Γ£ö<sup>\*</sup>|
|**Add X-header**: Adds an X-header to the message header and delivers the message to the mailbox. <p> You enter the X-header field name (not the value) later in the **Add this X-header text** box. <p> For **Spam** and **High confidence spam** verdicts, the message is moved to the Junk Email folder.<sup>1,2</sup>|Γ£ö|Γ£ö|Γ£ö||Γ£ö| |**Prepend subject line with text**: Adds text to the beginning of the message's subject line. The message is delivered to the mailbox and moved to the Junk email folder.<sup>1,2</sup> <p> You enter the text later in the **Prefix subject line with this text** box.|Γ£ö|Γ£ö|Γ£ö||Γ£ö| |**Redirect message to email address**: Sends the message to other recipients instead of the intended recipients. <p> You specify the recipients later in the **Redirect to this email address** box.|Γ£ö|Γ£ö|Γ£ö|Γ£ö|Γ£ö|
solutions Create Secure Guest Sharing Environment https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/create-secure-guest-sharing-environment.md
It's important to note that for SharePoint and OneDrive locations, documents wil
[Create an access review of groups or applications in Azure AD access reviews](/azure/active-directory/governance/create-access-review)
-## Set up web-only access for guests
+## Set up web-only access for guests with unmanaged devices
-You can require guests to access your teams, sites, and files by using a web browser only. This reduces the chance that they might download sensitive files and leave them on an unmanaged device. This is also useful when sharing with environments that use shared devices.
+If your guests use devices that are not managed by your organization or another organization that you have a trust relationship with, you can require them to access your teams, sites, and files by using a web browser only. This reduces the chance that they might download sensitive files and leave them on an unmanaged device. This is also useful when sharing with environments that use shared devices.
For Microsoft 365 Groups and Teams, this is done with an Azure AD conditional access policy. For SharePoint, this is configured in the SharePoint admin center. (You can also [use sensitivity labels to restrict guests to web-only access](../compliance/sensitivity-labels-teams-groups-sites.md).)
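Review bot: Renaming the heading to `## Set up web-only access for guests with unmanaged devices` changes the section's anchor, so check for links elsewhere in the docs set that point at the old `Set up web-only access for guests` section and update them in the same change.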