- :::image type="content" alt-text="The Usage dashboard." source="../../media/4c0f966d-9d2b-4a6f-a106-a6e2b9a2de07.png" lightbox="../../media/4c0f966d-9d2b-4a6f-a106-a6e2b9a2de07.png":::

-Billing notification emails are sent in your organizationΓÇÖs preferred language. To change the preferred language, use the following steps.

-4. In the **Add admins** pane, type the userΓÇÖs display name or username, and then select the user from the list of suggestions.

-5. Add multiple users until youΓÇÖre done.

-To change who receives your organizationΓÇÖs billing notifications, use the following steps to change the roles assigned to users.

-> If you follow these steps and the billing profiles list is empty, it means that you donΓÇÖt have a billing profile, and canΓÇÖt use this feature.

-> As of January 26, 2021, new bank accounts are no longer supported for customers in Belgium, France, Italy, Luxembourg, Portugal, Spain, and the United States. If youΓÇÖre an existing customer in one of those countries, you can continue paying for your subscription with an existing bank account that is in good standing. However, you can't add new subscriptions to the bank account.

-If youΓÇÖre not sure if your account has a billing profile, see [Understand billing profiles](manage-billing-profiles.md). If you donΓÇÖt have a billing profile, see [How to pay for your subscription](pay-for-your-subscription.md).

-As of 1 October 2021, automatic payments in India might block some credit card transactions, especially transactions exceeding 5,000 INR. Because of this regulation, you might have to make payments manually in the Microsoft 365 admin center. These regulations won't affect the total amount youΓÇÖre charged for your usage.

-If a credit check is required, youΓÇÖre notified when you buy your subscription. If you agree to be contacted, you get an email that includes more information about applying for credit approval. Credit checks are usually completed within two business days.

-If your billing profile is backed by an invoice, you get an email when your billing statement is ready to view. This email doesnΓÇÖt contain a copy of your billing statement. However, you can choose to [receive your organization's invoices as email attachments](manage-billing-notifications.md#receive-your-organizations-invoices-as-email-attachments). Your billing statement includes details about your options for making a payment, and where to send it. If you enter a purchase order (PO) number in your billing profile, the number appears on your billing statement. For information about accessing billing statements, see [View your bill or invoice](view-your-bill-or-invoice.md).

-If your billing profile is backed by credit or debit card, you can only change the payment method to another credit or debit card. You canΓÇÖt change to paying by invoice.

-If your billing profile is backed by invoice payments, you canΓÇÖt change the payment method. You can use the **Pay now** button on your invoice to pay with a credit or debit card, or by check or EFT.

-If thereΓÇÖs a problem with your request, the review team might require corrections to the withholding amount or replacement of the certificate or receipt. You must resubmit the request before it can be approved. The review team will either approve the request or ask for more changes.

-After your claim is approved, itΓÇÖs reflected in the next billing cycle. The WHT amount paid is included in the payment section of your next invoice. The amount is also displayed under the paid amount in the customer portal.

-If thereΓÇÖs a problem with your request, the review team might require corrections to the withholding amount or replacement of the TDS certificate. You must resubmit the request before it can be approved. The review team will either approve the request or ask for more changes.

-After your claim is approved, itΓÇÖs reflected in the next billing cycle. The WHT amount paid is included in the payment section of your next invoice. The amount is also displayed under the paid amount in the customer portal.

-If you disable self-service purchases in your organization, you can use licenses requests to manage the license request process for your users. When a user tries to make a self-service purchase for a product that youΓÇÖve blocked, they can submit a request for a license to you, the admin. When they make a request, they can add the names of other users who also need licenses for the product.

-> If you block users from making self-service purchases, Microsoft doesnΓÇÖt send them marketing emails. Also, if theyΓÇÖre using a trial version of a product, they donΓÇÖt see prompts to buy it. To learn more, see [Manage self-service purchases (Admin)](../subscriptions/manage-self-service-purchases-admins.md).

-When you return to the **Requests** list, you see the message **YouΓÇÖre using your own license request process**. To make changes to the message that is sent to users, select **Use your existing request process instead**.

-3. In the right pane, clear the **Use my organizationΓÇÖs request process** check box.

-3. To deny the entire request, select **DonΓÇÖt approve**, and in the dialog box, select **DonΓÇÖt approve**.

-8. When youΓÇÖre finished, select **Approve**. The right pane shows the details of the request.

-Depending on the ISV app that you bought, your next step might be to install the app into your organizationΓÇÖs environment. Installing the app makes it available for your users. Use the following steps to install an ISV app to your environment.

-If you want to cancel your subscription, the easiest way to do that is to [turn off recurring billing](renew-your-subscription.md). When you turn off recurring billing, you can continue to use your subscription until it expires at the end of the subscription term. If you want to cancel immediately, use the information and steps in this article to do that.

-You can cancel your free trial at any time to stop future charges. After your 1-month free trial ends, you will be charged the applicable subscription fee.

-> [!IMPORTANT]

-> - This article only applies to Dynamics 365, Intune, Power Platform, Windows 365, and Microsoft 365 for business subscriptions. If you have Microsoft 365 Family or Personal, see [Cancel a Microsoft 365 subscription](https://support.microsoft.com/office/cancel-a-microsoft-365-subscription-46e2634c-c64b-4c65-94b9-2cc9c960e91b?OCID=M365_DocsCancel_Link).

-> - If you bought your subscription through a Microsoft representative or a reseller partner, you have seven days to cancel for a pro-rated refund. Contact your seller or partner to help you cancel your subscription. [Learn more about partners](../manage-partners.md#what-can-a-partner-do-for-my-organization-or-school).

-> - If your organization is located in Chile, and you bought your subscription through a partner in Chile, you have 10 days to cancel for a pro-rated refund.

-If more than seven days have passed, [turn off recurring billing](renew-your-subscription.md). This prevents your subscription from renewing at the end of its term. You keep access to your products and services for the remainder of your subscription. If you have an annual subscription and are paying monthly, you are charged each month for the remainder of your subscription term.

-The steps to cancel your trial or paid subscription depend on the number of licenses in your subscription. The following table explains what steps you can take, based on your number of licenses.

-If you can't reduce the number of licenses, [turn off recurring billing](renew-your-subscription.md). This prevents you from being charged again for your subscription, and lets you keep your access to your products and services for the remainder of your subscription.

-> If you have multiple subscriptions to the same product, such as Microsoft 365 Business Premium, canceling one subscription won't impact the purchased licenses or services inside the others.

-Your subscription now appears in a **Disabled** state, and has reduced functionality until it's deleted. For more information about what you can expect when a paid Microsoft 365 for business subscription is canceled, see [What happens to my data and access when my Microsoft 365 for business subscription ends?](what-if-my-subscription-expires.md)

-> [!IMPORTANT]

-> If you explicitly delete a subscription, then it skips the **Expired** and **Disabled** states and the SharePoint Online data and content, including OneDrive, is deleted immediately.

-When you create a draft collection and the search results contain items that include cloud attachments, you have to the option of collecting the target of the cloud attachment when you commit the draft collection to a review set. When you select this option, eDiscovery (Premium) adds the documents that are linked to in the cloud attachment to the review set. This allows you to review the target documents and determine if the document is relevant to your case or investigation.

-For instructions committing a collection to a review set, see [Commit a draft collection to a review set](commit-draft-collection.md).

-After you've implemented the retention label and auto-apply the label to SharePoint documents, you still select the option to collect cloud attachments when committing a draft collection to a review set. When the cloud attachments are collected, both the current live version and the version that was originally shared are added to the review set.

-**How are historical versions different that the option to "collect all versions" when you commit a draft collection to a review set?**

-Currently, only the latest version of documents is indexed for search. That means when you run a draft collection, only the latest versions of documents are searched. If a document matches the keyword query for the collection, it is returned in the collection results. However, if the latest version of a document doesn't match a search query, the document won't be returned event if older versions of the document contain the keyword. To help mitigate this situation, eDiscovery (Premium) gives you the ability to collect all versions of the document when you [commit a collection to a review set](commit-draft-collection.md#commit-a-draft-collection-to-a-review-set). That means any older version that may contain the keyword will be added to the review set.

-> [!IMPORTANT]

-> While in preview, this classifier may capture a large volume of bulk sender/newsletter content due to a known issue. While they're in preview, you can address large volumes of bulk sender/newsletter content by adding the **Message is not sent to any of these domains condition** with a list of domains to exclude.

-> [!IMPORTANT]

-> While in preview, this classifier may capture a large volume of bulk sender/newsletter content due to a known issue. While they're in preview, you can address large volumes of bulk sender/newsletter content by adding the **Message is not sent to any of these domains condition** with a list of domains to exclude.

-> [!IMPORTANT]

-> While in preview, this classifier may capture a large volume of bulk sender/newsletter content due to a known issue. While they're in preview, you can address large volumes of bulk sender/newsletter content by adding the **Message is not sent to any of these domains condition** with a list of domains to exclude.

-> [!IMPORTANT]

-> While in preview, this classifier may capture a large volume of bulk sender/newsletter content due to a known issue. While they're in preview, you can address large volumes of bulk sender/newsletter content by adding the **Message is not sent to any of these domains condition** with a list of domains to exclude.

-> [!IMPORTANT]

-> While in preview, this classifier may capture a large volume of bulk sender/newsletter content due to a known issue. While they're in preview, you can address large volumes of bulk sender/newsletter content by adding the **Message is not sent to any of these domains condition** with a list of domains to exclude.

-> [!IMPORTANT]

-> While in preview, this classifier may capture a large volume of bulk sender/newsletter content due to a known issue. While they're in preview, you can address large volumes of bulk sender/newsletter content by adding the **Message is not sent to any of these domains condition** with a list of domains to exclude.

-description: "Learn how to access and use statistics and reports for draft collections and collections that have been committed to a review set in Microsoft Purview eDiscovery (Premium)."

-After you create a draft collection, you can view statistics on the retrieved items, such as the content locations that contain the most items that matched the search criteria and the number of items returned by the search query. You can also preview a subset of the results.

-## Statistics and reports for draft collections

-This section describes the statistics that are available for draft collections. These statistics are available on the **Search statistics** tab on the flyout page of a draft collection.

-

-

-### Collection contents

-This section of the **Summary** tab contains statistics and other information about the items that were collected from the data sources in the collection and added to the review set.

-

-### Indexing

-**New indexed items**. The number of items that were newly indexed before they were added to the review set. Examples of a newly indexed item are child items extracted from a parent item and then indexed before they're added to the review set. Also, items that aren't located in custodial data sources and non-custodial content locations listed on the **Data sources** tab in the case are indexed before they're added to the review. For example, newly indexed items would include items collected from additional locations.

-**Updated indexed items**. The number of partially indexed items that were successfully indexed and added to the review set. This statistic indicates the partially indexed items from custodial and non-custodial content locations **Data sources** tab that were successfully indexed when the collection was committed to the review set.

-**Indexing errors**. The number of partially indexed items that couldn't be indexed before they were added to the review set. These items might require error remediation.

-### Collection parameters

-This section displays the collection information that was used to collect the items that were added to the review set. This tab displays information that is similar to the information on the **Search statistics** tab. This section provides a quick snap shot of the search query used by the collection, the content locations that were searched, and the estimated collection results. As previously explained, the number of estimated items in this section would be equal to the number of parent items shown in the **Collection contents** section.

-### Search statistics tab

-The statistics displayed on the **Search statistics** tab are the same statistics from the last time that a draft collection was run. This includes collection estimates, condition report, and top locations. This information is preserved from the draft collection for historical reference, and can be compared to the actual collection that was committed to the review set.

-## Differences between draft collection estimates and the actual committed collection

-When you run a draft collection, an estimate of the number of items (and their total size) that meet the collection criteria is displayed on the **Summary** tab and in **Collection estimates** section of the **Search statistics** tab. After you commit a draft collection to a review set, the actual number of items (and their total size) added the review set are often different from the estimates. In most cases, more items are added to the review set than were estimated from the draft collection. The following list describes the most common reasons for these differences and tips for identifying them:

- For example, multiple versions of SharePoint documents aren't included in the estimate for the draft collection. But if you select the option to include all document versions when you commit a draft collection, the actual number (and total size) of items added to the review set will increase.

- For more information about these options, see [Commit a draft collection to a review set](commit-draft-collection.md#commit-a-draft-collection-to-a-review-set-in-ediscovery-premium).

-Here are other reasons why the estimated results from a draft collection can be different that the actual committed results.

- Alternatively, if the draft collection included specific content locations (which means that specific mailboxes or sites where specified on the **Additional locations** page in the draft collection wizard), then unindexed items (that aren't excluded by the collection criteria) from the content locations specified in the search will be exported. In this case, the estimated number of unindexed items and the number of unindexed items that are added to the review set should be the same.

-When organizations are faced with gathering the communications and content that may be relevant to an investigation or potential litigation, they face a significant challenge under the best of circumstances. In todayΓÇÖs modern workplace, the volume, variety, and velocity of content is enabling innovation and remote work, while also expanding the requirements and process for managing collections for eDiscovery investigations.

-The collection workflow poses significant technical challenges around extracting content from native locations and sources. It's also a critical point in the assessment and strategy for common litigation or investigations scenarios. As organizations begin to assess an investigation, the first questions asked are who was involved? After identifying who was involved, these custodians can quickly be placed on hold to preserve relevant content. The next question is what took place? To answer this second fundamental question of any investigation, managers must turn to the data. To quickly assess the most relevant content to the question of what took place, managers start to refine the target of the question to ensure that the collection results are comprehensive without being too broad.

-Collections in eDiscovery (Premium) help eDiscovery managers quickly scope a search for content across email, documents, Teams reactions, and other content in Microsoft 365. Collections provide managers with an estimate of the content that may be relevant to the case. This allows managers to make quick, informed decisions about the size and scope of content relevant to a case. eDiscovery managers can create a collection to search custodial data sources (such as mailboxes and SharePoint sites) and by using specific search criteria (such as keywords and date ranges) to quickly define the scope of their collection.

-After the collection is defined, eDiscovery managers can save the collection as a draft and get estimates, including estimates for data volume, the content locations that contain results, and the number of hits for search query condition. These insights can help to inform if the collection should be revised to narrow or expand the scope of the collection before moving on the review and analyze stages in the eDiscovery workflow.

-When the manager is satisfied with the scope of the collection and the estimated amount of content that's likely to be responsive, the manager can add or *commit* the content to a review set. When committing a collection to a review set, that manager also has the options to include chat conversations, cloud attachments, and document versions. The content in the collection also goes through another level of processing during ingestion into the review set. and the collection will be updated with the final collection summary. After content is added to the review set, eDiscovery managers can continue to query, group, and refine the content in to help with minimization and review. Additionally, the collection is updated with information and statistics about the content committed to the review set. This provides a historical reference about the content in the collection.

-With the release of collections in an eDiscovery (Premium), the **Searches** tab has been renamed to **Collections** in an eDiscovery (Premium) case in the Microsoft Purview compliance portal. The steps to define the scope and size of the collection follow the same process as search to define locations and conditions. Save as draft and get preview estimates enables quick validation of targeted scope of collections prior to committing a full search and collection into the review set. This enables improved job management, and targeted iterations for starting to minimize content during the search and collection process.

-

-1. **Create and run a draft collection**. The first step is to create a draft collection and define the custodial and non-custodial data sources to search. You can also search other data sources that haven't been added to the case. After you add the data sources, you configure the search query to search the data sources for content relevant to the case. You can keywords, properties, and conditions to build search queries that return content that's likely most relevant to the case. For more information, see [Create a draft collection](create-draft-collection.md).

-2. **Review estimates and statistics**. After you create a draft collection and run it, the next step is to view collection statistics to help you verify whether relevant content is being found and the content locations with the most hits. You can also preview a sample of the search results to further help you determine if the content is within scope of your investigation. For more information, see [Statistics and reports for draft collections](collection-statistics-reports.md#statistics-and-reports-for-draft-collections).

-3. **Revise and rerun a draft collection**. Based on the estimates and statistics returned by the collection, you can edit the draft collection by changing the data sources that are searched and the search query to expand or narrow the collection. You can update and rerun the draft collection until you're confident that collection contains the content that's most relevant to your case.

-4. **Commit a draft collection to a review set**. When you're satisfied that the collection returns the type content that is relevant to the case, you can commit the collection to the review set. When you commit a collection, you have the option to add conversation threads, cloud attachments, and document versions to the review set, all of which might be relevant to the case.

- For more information, see [Commit a draft collection to a review set](commit-draft-collection.md).

-5. **Review collection summary and statistics**. After you commit a collection to a review set, information about the collection is retained, such as statistics about extracted items, deep indexing, the search query used for the collection, and the content locations that items were collected from. Also, committed collections can't be edited or rerun. You can only copy or delete them. Preserving collections provides a historical record of the collected items that were added to a review set. For more information, see [Statistics and reports for committed collections](collection-statistics-reports.md#statistics-and-reports-for-committed-collections).

-description: "After you create and iterate on a draft collection, you can commit it to a review set. When you commit a draft collection, the collected items are added to review set in the case. After the collected items are in the review set, you can analyze, review, and export them."

-# Commit a draft collection to a review set in eDiscovery (Premium)

-When you're satisfied with the items you've collected in a draft collection and are ready to analyze, tag, and review them, you can add a collection to a review set in the case. When you commit a draft collection to a review set, collected items are copied from their original content location in Microsoft 365 to a review set. A review set is a secure, Microsoft-provided Azure Storage location in the Microsoft cloud.

-## Commit a draft collection to a review set

-1. In the Microsoft Purview compliance portal, open the Microsoft Purview eDiscovery (Premium) case, and then select the **Collections** tab to display a list of the collections in the case.

- > A value of `Estimated` in the **Status** column identifies the draft collections that can be added to a review set. A status of `Committed` indicates that a collection has already been added to a review set.

-2. On the **Collections** page, select the draft collection that you want to commit to a review set.

-3. On the bottom of the flyout page, select **Actions** > **Edit collection**.

-4. In the edit collection wizard, click **Next** until the **Save draft or collect** page is displayed.

- 1. Select **Collect items and add to review set**.

- 2. Decide whether to add the collection to a new review set (which is created after you submit the collection) or add it to an existing review set. Complete this section based on your decision.

- 3. Configure the additional collection settings:

- .

- a. **Teams and Yammer messages**: Select this option to add conversation threads to the collection that include the chat items returned by the search query in the collection. This means that the chat conversation that contains items that match the search criteria is reconstructed. This lets you review chat items in the context of the back and forth conversation. For more information, see [Conversation threading in eDiscovery (Premium)](conversation-review-sets.md).

- b. **Cloud attachments**: Select this option to include modern attachments or linked files when the collection results are added to the review set. This means the target file of a modern attachment or linked file is added to the review set.

- c. **Partially indexed items**: Select this option to add partially indexed items from additional data sources to the review set. If the collection searched additional data sources (as specified on the **Additional locations** page in the collections wizard), there may be partially indexed items from these locations that you want to add to the review set. Custodial and non-custodial data sources typically don't have partially indexed items. That's because the Advanced indexing process reindexes items when custodial and non-custodial data sources are added to a case. Also, Adding partially indexed items will increase the number of items added to the review set. <p> After partially indexed items are added to the review set, you can apply a filter to specifically view these items. For more information, see [Filter partially indexed items](review-set-search.md#filter-partially-indexed-items)

- d. **SharePoint versions**: Select this option to enable the collection of all versions of a SharePoint document per the version limits and search parameters of the collection. Selecting this option will significantly increase the size of items that are added to the review set. After document versions are added to the review set,

- 4. Configure the settings to define the scale of the collection to add to the review set:

- - **Add all collection results**: Select this option to add all the items that match the search criteria of the collection to the review set.

- - **Add a sample of the collection results**: Select this option to add a sample of the collection results to the review set instead of adding all results. If you select this option, click **Edit sample parameters** and choose one of the following options:

- - **Sample based on confidence**: Items from the collection are added to the review set will be determined by the statistical parameters that you set. If you typically use a confidence level and interval when sampling results, specify them in the drop-down boxes. Otherwise, use the default settings.

- - **Randomly sample**: Items from the collection are added to the review set based on a random selection of the specified percentage of the total number of items returned by the search.

-6. On the **Review your collection** page, you can review the collection settings that you configured on the previous page. Click **Edit** if you want to change them.

-7. Click **Submit** to create the draft collection. A page is displayed confirming that the collection was created.

-## What happens after you commit a draft collection

-When you commit a draft collection to a review set, the following things happen:

-Use the [eDiscovery (Premium) collection workflow](create-draft-collection.md#create-a-draft-collection) to quickly find email in Exchange mailboxes, documents in SharePoint sites and OneDrive locations, and instant messaging conversations in Teams. Collections in eDiscovery (Premium) help eDiscovery managers quickly scope a search for content across email, documents, Teams reactions, and other content in Microsoft 365. Collections provide managers with an estimate of the content that may be relevant to the case.

-## Step 1: Create a draft collection

-After you have identified relevant custodians and content locations, you can create a search to find potentially relevant content. On the **Collections** tab in the eDiscovery (Premium) case, you can create a collection by clicking **New collection** and following the wizard. For information about how you can create a collection, build a search query, and preview the search results, see [Create a draft collection](create-draft-collection.md).

-## Step 2: Commit a draft collection to a review set

-After you have reviewed and finalized the search query in a collection, you can add the search results to a review set. When you add your search results into a review set, the original data is copied to an Azure Storage area to facilitate the review and analysis process. For more information about adding search results to a review set, see [Commit a draft collection to a review set](commit-draft-collection.md).

-To enable the threaded conversations option, see [Commit a draft collection to a review set](commit-draft-collection.md#commit-a-draft-collection-to-a-review-set).

-Manually applying retention labels is supported in the new SharePoint experience only, and not the classic experience.

-description: "A draft collection is an eDiscovery search of custodial and non-custodial data sources in an eDiscovery (Premium) case that returns a search estimate that matches the search query of the collection. You can review search statistics, preview a sampling of items, and revise and rerun the collection before you commit the results to a review set."

-# Create a draft collection in eDiscovery (Premium)

-After you've identified custodians and any non-custodian data sources for the case, you're ready to identify and locate a set of documents that are relevant. You do this by using the Collections tool to search data sources for relevant content. You do this by creating a collection that searches specified data sources for content that matches your search criteria. You have the option to create a *draft collection*, which is an estimate of the items are found or you can create a collection that automatically adds the items to a review set. When you create a draft collection, you can views information about the estimated results that matched the search query, such as the total number and size of items found, the different data sources where they were found, and statistics about the search query. You can also preview a sample of items that were returned by the collection. Using these statistics, you can change the search query and rerun the draft collection to narrow your results. Once you're satisfied with the collection results, you can commit the collection to a review set. When you commit a draft collection, the items returned by the collection are added to a review set for review, analysis, and export.

-## Before you create a draft collection

- - [Add custodians to a case](add-custodians-to-case.md)

- - [Add non-custodial data sources to a case](non-custodial-data-sources.md)

-## Create a draft collection

-1. In the Microsoft Purview compliance portal, open the eDiscovery (Premium) case, and then select the **Collections** tab.

-2. On the **Collections** page, select **New collection** > **Standard collection**.

-3. Type a name (required) and description (optional) for the collection. After the collection is created, you can't change the name, but you can modify the description.

-4. On the **Custodial data sources** page, do one of the following things to identify the custodial data sources to collect content from:

- - Click **Select custodians** to search specific custodians that were added to the case. If you use this option, a list of the case custodians is displayed. Select one or more custodians. After you select and add the custodians, you can also select the specific data sources to search for each custodian. These data sources that are displayed were specified when the custodian was added to the case.

- - Click the **Select all** toggle to search all custodians that were added to the case. When you select this option, all data sources for all custodians are searched.

-5. On the **Non-custodial data sources** page, do one of the following things to identify the non-custodial data sources to collect content from:

- - Click **Select non-custodial data sources** to select specific non-custodial data sources that were added to the case. If you use this option, a list of data sources displayed. Select one or more of these data sources.

- - Click the **Select all** toggle to select all non-custodial data sources that were added to the case.

-6. On the **Additional data sources** page, you can select other mailboxes and sites to search as part of the collection. These types of data sources weren't added as custodial or non-custodial data locations in the case. You also have two options when searching additional data sources:

- - To search all content locations for a specific service (Exchange mailboxes, SharePoint and OneDrive sites, or Exchange public folders), click the corresponding **Select all** toggle in the **Status** column. This option will search all content locations in the selected service.

- - To search specific content location for a service, click the corresponding **Select all** toggle in the **Status** column, and then click **Users, groups or teams** (for Exchange mailboxes) or **Choose sites** for (SharePoint and OneDrive sites) to search specific content locations.

-7. On the **Conditions** page, you can create the search query that is used to collect items from the data sources that you've identified in the previous wizard pages. You can search for keywords, property:value pairs, or use a keyword list. You can also add various search conditions to narrow the scope of the collection. For more information, see [Build search queries for collections](building-search-queries.md).

-8. On the **Save as draft or add to review set** page, select **Save collection as draft**.

- > [!NOTE]

- > The other option on this page lets you collect items and add them direct to a review set. Instead of creating a draft collection that you can review statistics for and preview a sample of the collection results, this option skips that process and automatically adds the collection to a review set. If you select the second option to add the collection to a review set, you have additional settings to configure, such as collecting entire chat conversation threads in Microsoft Teams and Yammer and collecting cloud attachments (also called *modern attachments*). For more information about these settings, see [Commit a draft collection to a review set](commit-draft-collection.md).

-9. On the **Review your collection** page, you can review and update the collection settings that you configured on the previous pages.

- - **Summary** tab: Review and modify the name and description of the collection, the collection search criteria, additional data locations, and the collection type.

- - **Sources** tab: Review and modify the custodial and non-custodial data sources for the collection.

-10. Click **Submit** to create the draft collection. A page is displayed confirming that the collection was created.

-## What happens after you create a draft collection

-After you create a draft collection, it listed on the **Collections** page in the case and the status shows that it's in progress. A job named **Preparing search preview and estimates** is also created and displayed on the **Jobs** page in the case.

-During the draft collection process, eDiscovery (Premium) performs a search estimate using the search criteria and data sources that you specified in the collection. eDiscovery (Premium) also prepares a sampling of items that you can preview. When the collection is complete, the following columns and corresponding values on the **Collection** page are updated:

-

-## Next steps after a draft collection is complete

-After the draft collection is successfully completed, you can perform various tasks. To perform most of these tasks, just go the **Collections** tab and click the name of the draft collection to display the flyout page.

-

-## Manage a draft collection

-You can use the options in the **Actions** menu on the flyout page of a draft collection to perform various management tasks.

-

-Here's are descriptions of the management options.

- - The identity of each content location that contains items that match the search query in the draft collection. These locations are typically mailboxes or sites.

-

-

-> After a draft collection is committed to a review set, you can only copy the collection and export a report.

-|The maximum size of an item that can be viewed on the sample page of a draft collection.|10,000,000 bytes (approximately 9.5 MB)|

-|Estimating search results|After a user creates and runs or reruns a draft collection, the search tool searches the index for items that match the search query and prepares an estimate that includes the number and total size of all items by the search, and the number of data sources searched. For more information, see [Collect data for a case](collecting-data-for-ediscovery.md).|

-|Preparing search preview|After a user creates and runs a new draft collection (or reruns an existing draft collection), the search tool prepares a sample subset of items (that match the search query) that can be previewed. Previewing search results help you determine the effectiveness of the search. For more information, see [Collect data for a case](collecting-data-for-ediscovery.md#view-search-results-and-statistics).|

-If you selected the option to add partially indexed items from additional data sources when you committed the draft collection to a review set. You'll probably want to identify and view those items to determine if an item might be relevant to your investigation and whether you need to remediate the error that resulted in the item being partially indexed.

-## Step 2: Create a draft collection

-After you create a case, the next step is to create a draft collection to search for the Teams chat messages that you want to purge. The purge process you perform is Step 5 will purge all items that are found in the draft collection.

-In eDiscovery (Premium), a *collection* is an eDiscovery search of the Teams content locations that contain the chat messages that you want to purge. Create the draft collection in the case that you created in the previous step. For more information, see [Create a draft collection](create-draft-collection.md).

-To help ensure the most comprehensive collection of Teams chat conversations (including 1:1 and group chats, and chats from standard, shared, and private chats) use the **Type** condition and select the **Instant messages** option when you build the search query for the draft collection. We also recommend including a date range or several keywords to narrow the scope of the collection to items relevant to your search a purge investigation.

-As previously mentioned, the purge process in Step 5 will delete the items returned by the collection. So it's important that you review the draft collection results to ensure that the collection only returns the items that you want to purge. To review a sample of items in a draft collection, see the "Next steps after a draft collection is complete" section in [Create a draft collection](create-draft-collection.md#next-steps-after-a-draft-collection-is-complete).

-1. **Create a draft collection**. The first step is to create a *draft collection*, which is an estimate of the items that match your search criteria. You can view information about the results that matched the search query, such as the total number and size of items found, the different data sources where they were found, and statistics about the search query. You can also preview a sample of items that were returned by the collection. Using these statistics, you can change the search query and rerun the draft collection as many times as is necessary to narrow the results until you're satisfied you're collecting the content relevant to your case.

-2. **Commit a draft collection to a review set**. Once you're satisfied with the results of a draft collection, you can commit the collection to a review set. When you commit a draft collection, the items returned by the collection are added to a review set for review, analysis, and export.

-You also have the option of not running a draft collection and adding the collection results directly to a review set when you create and run the collection.

- - Remove custodians' OneDrive accounts from the collection scope (by unselecting the checkbox in the **Custodian's OneDrive** column for each custodian). This prevents the collection of duplicate files that were attached to 1:1 chats and group chats. Cloud attachments are automatically collected from each conversation found in the collection when you commit the draft collection to the review set. By using this method (instead of searching OneDrive accounts as part of the collection), files attached to 1:1 and group chats are grouped in the conversation they were shared in.

- - Unselect the checkbox in the **Additional site** column to remove the SharePoint sites containing files shared in private or shared channels. Doing this eliminates collecting duplicate files that were attached to private or shared channel conversations because these cloud attachments are automatically added to the review set when you commit the draft collection and grouped in the conversations they were shared in.

-9. On the **Save draft or collect** wizard page, do one of the following depending on whether you want to create a draft collection or commit the collection to a review set.

- 

- 1. **Save collection as draft**. Choose this option to create a draft collection. As previously explained, a draft collection doesn't add the collection results to a review set. It returns an estimate of the search results that match the search query for the data sources in the collection scope. This gives you the opportunity to view [collection statistics and reports[(collection-statistics-reports.md)] and edit and rerun the draft collection. When you satisfied with the result of a draft collection, you can commit it to a review set. For more information, see [Create a draft collection](create-draft-collection.md).

- 2. **Collect items and add to a review set**. Choose this option to run the collection and then add the results to a review set. You can add the collection to a new or existing review set. The options to collect contextual Teams conversation messages (also called *conversation threading*) and collect cloud attachments are selected by default and can't be unselected. These options are automatically applied because of the new case format that you used when you initially created the case for Teams content. For more information about committing collections to a review set, see [Commit a draft collection to a review set](commit-draft-collection.md).

-10. After you're finished configuring the collection, submit the collection to create a draft collection or collect items and add them to a review set.

-### OneNote Class Notebook LTI

-OneNote Class Notebook LTI can be used with your LMS to create a shared notebook and link it to educators' courses. Students enrolled in the LMS course can access the notebook automatically without having to add their names.

-For configuration steps, see [Microsoft OneNote Class Notebook LTI](https://www.onenote.com/lti/integratelti).

-Currently, we don't support editing an existing LTI registration after it's added.

-To change an LTI registration, you'll need to:

-1. [Delete the existing registration](#delete-an-lti-registration).

-2. Add a new registration.

-##### [Deployment guide for Microsoft Defender Antivirus in a virtual desktop infrastructure (VDI) environment](deployment-vdi-microsoft-defender-antivirus.md)

-##### [Investigate domains and URLs associated with a Microsoft Defender for Endpoint alert](investigate-domain.md)

-# Common REST API error codes

-* The error codes listed in the following table may be returned by an operation on any of Microsoft Defender for Endpoint APIs.

-InternalServerError|Internal Server Error (500)|(No error message, retry the operation)

-> Microsoft Defender Antivirus includes many automatic exclusions based on known operating system behaviors and typical management files, such as those used in enterprise management, database management, and other enterprise scenarios and situations.

-Many organizations exclude the Exchange directories from antivirus scans for performance reasons. Microsoft recommendeds to audit AV exclusions on Exchange systems and assess if they can be removed without impacting performance in your environment to ensure the highest level of protection. Exclusions can managed by using Group Policy, PowerShell, or systems management tools like Microsoft Endpoint Configuration Manager.

-description: Learn how to deploy Microsoft Defender Antivirus in a remote desktop or non-persistent virtual desktop environment.

-# Deployment guide for Microsoft Defender Antivirus in a virtual desktop infrastructure (VDI) environment

-In addition to standard on-premises or hardware configurations, you can use Microsoft Defender Antivirus in a remote desktop (RDS) or non-persistent virtual desktop infrastructure (VDI) environment. With the ability to easily deploy updates to virtual machines (VMs) running in VDIs, you can get updates on your machines quickly and easily. You no longer need to create and seal golden images on a periodic basis, as updates are expanded into their component bits on the host server and are then downloaded directly to each VM when it's turned on.

-This guide describes how to configure your VMs for optimal protection and performance, including how to:

-For more information on Microsoft Remote Desktop Services and VDI support, see [Azure Virtual Desktop Documentation](/azure/virtual-desktop).

-For Azure-based virtual machines, see [Install Endpoint Protection in Microsoft Defender for Cloud](/azure/defender-for-cloud/endpoint-protection-recommendations-technical).

-> Although the VDI can be hosted on Windows Server 2012 or Windows Server 2016, the virtual machines (VMs) should be running Windows 10, 1607 at a minimum, due to increased protection technologies and features that are unavailable in earlier versions of Windows.

-> There are performance and feature improvements to the way in which Microsoft Defender Antivirus operates on virtual machines in Windows 10 Insider Preview, build 18323 (and later). We'll identify in this guide if you need to be using an Insider Preview build; if it isn't specified, then the minimum required version for the best protection and performance is Windows 10 1607.

-## Set up a dedicated VDI file share

-In Windows 10, version 1903, we introduced the shared security intelligence feature, which offloads the unpackaging of downloaded security intelligence updates onto a host machine, thus saving previous CPU, disk, and memory resources on individual machines. This feature has been backported and now works in Windows 10 version 1703 and above. You can set this feature with a Group Policy, or PowerShell.

-### Use Group Policy to enable the shared security intelligence feature:

-1. On your Group Policy management computer, open the Group Policy Management Console, right-click the Group Policy Object you want to configure, and then select **Edit**.

-2. In the Group Policy Management Editor, go to **Computer configuration**.

-3. Select **Administrative templates**.

-4. Expand the tree to **Windows components** \> **Microsoft Defender Antivirus** \> **Security Intelligence Updates**.

-5. Double-click **Define security intelligence location for VDI clients**, and then set the option to **Enabled**. A field automatically appears.

-6. Enter `\\<sharedlocation\>\wdav-update` (for help with this value, see [Download and unpackage](#download-and-unpackage-the-latest-updates)).

-7. Select **OK**.

-8. Deploy the GPO to the VMs you want to test.

-### Use PowerShell to enable the shared security intelligence feature

-Use the following cmdlet to enable the feature. You'll need to then push the update as you normally would push PowerShell-based configuration policies onto the VMs:

-```PowerShell

-Set-MpPreference -SharedSignaturesPath \\<shared location>\wdav-update

-```

-See the [Download and unpackage](#download-and-unpackage-the-latest-updates) section for what the \<shared location\> will be.

-This is possible when the devices have the share and NTFS permissions for the read access to the share so they can grab the updates. To do this:

-4. You can choose to configure more settings if you wish.

-You can initiate the update manually by right-clicking on the task and clicking **Run**.

-Exclusions can be added, removed, or customized to suit your needs.

-For more information, see [Configure Microsoft Defender Antivirus exclusions on Windows Server](configure-exclusions-microsoft-defender-antivirus.md).

-> [!TIP]

-> If you're looking for Antivirus related information for other platforms, see:

-> - [Set preferences for Microsoft Defender for Endpoint on macOS](mac-preferences.md)

-> - [Microsoft Defender for Endpoint on Mac](microsoft-defender-endpoint-mac.md)

-> - [macOS Antivirus policy settings for Microsoft Defender Antivirus for Intune](/mem/intune/protect/antivirus-microsoft-defender-settings-macos)

-> - [Set preferences for Microsoft Defender for Endpoint on Linux](linux-preferences.md)

-> - [Microsoft Defender for Endpoint on Linux](microsoft-defender-endpoint-linux.md)

-> - [Configure Defender for Endpoint on Android features](android-configure.md)

-> - [Configure Microsoft Defender for Endpoint on iOS features](ios-configure-features.md)

-## Additional resources

-**Zeek is now generally available as a component of Microsoft Defender for Endpoint.**

-Microsoft has partnered with [Corelight](https://corelight.com/company/zeek-now-component-of-microsoft-windows), a leader in open source Network Detection and Response (NDR), to provide a new open-source integration with [Zeek](https://corelight.com/about-zeek/how-zeek-works) for Microsoft Defender for Endpoint. With this integration organizations can super-charge their investigation efforts with rich network signals and reduce the time it takes to detect network-based threats by having unprecedented visibility into network traffic from the endpoints' perspective.

-The new Zeek integration is available in the latest version of the Microsoft Defender for Endpoint agent via the following knowledge base articles: [KB5016691](https://support.microsoft.com/topic/august-25-2022-kb5016691-os-build-22000-918-preview-59097044-915a-49a0-8870-49823236adbd), [KB5016693](https://support.microsoft.com/topic/august-16-2022-kb5016693-os-build-20348-946-preview-ee90d0bc-c162-4124-b7c6-f963ee7b17ed), [KB5016688](https://support.microsoft.com/topic/august-26-2022-kb5016688-os-builds-19042-1949-19043-1949-and-19044-1949-preview-ec31ebdc-067d-44dd-beb0-eabcc984d843), and [KB5016690](https://support.microsoft.com/topic/august-23-2022-kb5016690-os-build-17763-3346-preview-b81d1ac5-75c7-42c1-b638-f13aa4242f42).

-> [!NOTE]

-> This integration doesnΓÇÖt currently support the use of custom scripts to gain visibility into extra signals.

-<br><br>

-This capability is similar to [advanced hunting in Microsoft Defender for Endpoint](/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview) and supports queries that check a broader data set coming from:

-| **How is Microsoft Defender Experts for XDR different from Microsoft Defender Experts for Hunting?** | [Microsoft Defender Experts for Hunting](../defender/defender-experts-for-hunting.md) provides threat hunting service to proactively find threats. This service is meant for customers that have a robust security operations center and want that deep expertise in hunting to expose advanced threats. Microsoft Defender Experts for XDR provides end-to-end security operations capabilities to monitor, investigate and respond to security alerts. This service is meant for customers with constrained security operations centers that are overburdened with alert volume, in need of skilled experts or both. Defender Experts for XDR also includes the proactive threat hunting offered by Defender Experts for Hunting|

-| **Does Defender Experts for XDR replace my security operations center (SOC) team?** | No. Defender Experts for XDR is meant to augment your SOC team reducing their workload and collaborating with them to protect your organization from threat actors. But we don't replace your SOC team or their processes. |

-| **What actions can XDR experts take during incident investigation?** | Our expert analysts can take actions based on the roles granted to them in your Microsoft 365 Defender portal. If our analysts are granted a security reader role, they can investigate and provide guided response for your SOC team to act on. If our analysts are granted a security operator role, they can also take specific remediation actions agreed upon with your SOC team. Finally, if they're granted a security administrator role, they can take higher privilege actions like managing certain settings as agreed upon with you. |

-| **Can XDR experts help me improve my security posture?** | Yes, we'll provide necessary guidance before and during the preview to improve your security posture. |

-By default, Defender Experts for XDR require the following permissions to investigate incidents and notify you when you need to take action:

-1. In the same Defender Experts setting page mentioned earlier, select **Manage permissions**.

-Apart from onboarding service delivery, our expertise on the Microsoft 365 Defender product suite enables Defender Experts for XDR to run an initial readiness engagement to help you get the most out of your Microsoft security products. This engagement will be based on your [Microsoft Secure Score](microsoft-secure-score.md) and Defender ExpertsΓÇÖ policy recommendations. Our Experts will help prioritizing and customizing our recommendations to fit your environment. They'll request your engagement to get those configurations implemented.

-Through a combination of automation and human expertise, our service triages Microsoft 365 Defender incidents, prioritize them on your behalf, filters out the noise, carries out detailed investigations, and provides detailed guided response to your security operations center (SOC) teams. Alternatively, our analysts can take a response step on your behalf.

- After you find an select the CSV file, the list of users are imported and shown on the **Targeted users** page. You can use the  **Search** box to find affected users. You can also click  **Delete** to remove specific users.

-On the **Landing page** page, you configure the web page that user are taken to if they open the payload in the simulation.

- - The language identifier for the **Display name** and **Disclaimer** values. Quarantine notifications are already localized based on the recipient's language settings. The **Display name** and **Disclaimer** values are used in quarantine notifications that apply to the recipient's language.

- Select the language in the **Choose language** box _before_ you enter values in the **Display name** and **Disclaimer** boxes. When you change the value in the **Choose language** box, the values in the **Display name** and **Disclaimer** boxes are emptied.

- 2. Enter values for **Display name** and **Disclaimer**. The values must be unique for each language. If you try to reuse a **Display name** or **Disclaimer** value for multiple languages, you'll get an error when you click **Save**.

- 3. Click the **Add** button.

- 4. Repeat the previous steps to create a maximum of three customized quarantine notifications based on the recipient's language. An unlabeled box shows the languages that you've configured:

- - **Use my company logo**: Select this option to replace the default Microsoft logo that's used at the top of quarantine notifications. Before you do this step, you need to follow the instructions in [Customize the Microsoft 365 theme for your organization](../../admin/setup/customize-your-organization-theme.md) to upload your custom logo. This option is not supported if your organization has custom logo pointing to a URL instead of an uploaded custom logo file.

-|**Track user clicks** <br><br> _TrackUserClicks_|Selected <br><br> `$true`|Selected <br><br> `$true`|Selected <br><br> `$true`|Selected <br><br> `$true`||

-After you go to **Explorer**, by default, you'll arrive on the **Malware** page, but use the **View** drop down to get familiar with your options. If you're hunting Phish, or digging into a threat campaign, choose those views.

-Once a security operations (Sec Ops) person selects the data they want to see, whether the scope is narrow view like user **Submissions**, or a wider view, like **All email**, they can use the **Sender** button to further filter. Remember to select Refresh to complete your filtering actions.

-Refinements can be made on date ranges by using the date range controls. Here you can see Explorer in **Malware** view, with a **Detection Technology** filter focus. But it's the **Advanced filter** button that lets Sec Ops teams dig deep.

-Clicking the **Advanced filter** pops a panel that will let Sec Ops hunters build queries themselves, letting them include or exclude the information they need to see. Both the chart and table on the Explorer page will reflect their results.