-[Manage another person's mail and calendar items](https://support.microsoft.com/office/afb79d6b-2967-43b9-a944-a6b953190af5) (article)\

-If you don't want to pay for a license after someone leaves your organization, you need to remove their Microsoft 365 license and then delete it from your subscription. You can assign a license to another user if you don't delete it.

-[Profile cards in Microsoft 365](https://support.microsoft.com/office/profile-cards-in-microsoft-365-e80f931f-5fc4-4a59-ba6e-c1e35a85b501) (article)

-As a global admin, you can manage Enhanced Teams Apps on the Microsoft 365 App (formerly known as Office.com) via Integrated Apps on the Microsoft 365 Admin Center.

-This feature is currently available to global admins only and only targets the Microsoft 365 App. By default, all Enhanced Teams Apps will be allowed to all users in your organization on the Microsoft 365 App.

-For now, any changes made to an Enhanced Teams App will only appear in the Microsoft 365 App. Outlook and Teams is not supported at this time.

- :::image type="content" alt-text="Available apps list." source="../../media/apps-status.png" lightbox="../../media/apps-status.png":::

- :::image type="content" alt-text="Blocked apps list." source="../../media/blocked-apps.png" lightbox="../../media/blocked-apps.png":::

-Custom line-of-business Enhanced Teams Apps uploaded from Teams Admin Center or Microsoft 365 Admin Center can be viewed on Integrated Apps. These apps will appear in the store for Teams and the Microsoft 365 App based on the policies set for the app, similar to public apps submitted via the Partner Center.

-Since all Enhanced Teams Apps are allowed by default to all users on the Microsoft 365 App, all apps will show the status **All users in the organization can install**. This means that the app is available for all users in your organization to install and use on the Microsoft 365 App.

-You can block an app for all users in your organization to restrict them from downloading and using the app on the Microsoft 365 App.

-When you choose to block an app, it will be blocked for all users in your organization. Blocking an app overrides any previous admin deployment or user installation on the Microsoft 365 App so that the app can no longer be used.

-> Currently, the Enhanced Teams App will only be blocked in the Microsoft 365 App. Teams and Outlook will continue to honor the current setting for Teams Apps made in the Teams Admin Center and for Outlook add-ins made in the Exchange Admin Center.

-You can unblock an Enhanced Teams App so that it can start showing up in the Microsoft 365 App.

- :::image type="content" alt-text="How to unblock an app." source="../../media/to-unblock-app.png" lightbox="../../media/to-unblock-app.png":::

-As an example, the _Foo_ Teams app recently upgraded to an Enhanced Teams app and is now available for Teams, Outlook, and the Microsoft 365 App (formerly known as Office.com).

-| |Impact on Teams client|Impact on the Microsoft 365 App|Impact on Outlook client|

-|**If you had previously blocked the Foo Teams App on Teams Admin Center**|Users in your organization cannot download and use Foo on Teams.|Users in your organization can download and use Foo Enhanced Teams App on the Microsoft 365 App. This can be controlled by admins on the Microsoft 365 Admin Center.|Currently, users in your organization can access Outlook add-ins based on your settings in Exchange Admin Center.|

-|**If you had previously allowed the Foo Teams App on Teams Admin Center**|Users in your organization can download and use the Foo Enhanced Teams App on Teams.|Users in your organization can download and use Foo Enhanced Teams App on the Microsoft 365 App. This can be controlled by admins on the Microsoft 365 Admin Center.|Currently, users in your organization can access Outlook add-ins based on your settings in Exchange Admin Center.|

-| |Impact on Teams client|Impact on the Microsoft 365 App|Impact on Outlook client|

-|**If you block Foo Enhanced Teams App on Microsoft 365 Admin Center**|No impact. Users in your organization will continue to experience Teams behavior for Foo Enhanced Teams App based on the admin settings in Teams Admin Center.|Users in your organization cannot download the Foo Enhanced Teams App on the Microsoft 365 App, and cannot use any previously installed (by user/admin) Foo enhanced teams app.|Currently, users in your organization can access Outlook add-ins based on your settings in Exchange Admin Center.|

-|**If you unblock Foo Enhanced Teams App on Microsoft 365 Admin Center.**|No impact. Users in your organization will continue to experience Teams behavior for Foo Enhanced Teams App based on the admin settings in Teams Admin Center.|Users in your organization can download and use Foo Enhanced Teams App on the Microsoft 365 App. Users can use any previously installed (by user/admin) Foo Enhanced Teams App.|Currently, users in your organization can access Outlook add-ins based on your settings in Exchange Admin Center.|

-As a global admin, you can now deploy an Enhanced Teams App on Teams, Outlook, and the Microsoft 365 App (formerly known as Office.com) to a specific set of users, the entire organization, or just to yourself from Integrated Apps on Microsoft 365 Admin Center. Deploying an Enhanced Teams Apps means that it will be pre-installed for the selected users on the applicable hosts of the app.

-> The Enhanced Teams App will be deployed to all the applicable hosts to the assigned users, but will only show up in the Microsoft 365 App at this time. Once support for other hosts is built, the Enhanced Teams App will start to show up in those clients based on the last saved setting of the app.

-As a global admin, you can also take management actions on the Enhanced Teams Apps such as removing the deployment or editing user access to an Enhanced Teams App. Any changes made to an Enhanced Teams App will only apply to the Microsoft 365 App at this time. Once additional hubs are supported, the changes will be reflected based on the last saved settings of the app.

-

-The system will extract the column names from the sample file to create the schema, and will recommend base SITs to map the sample field data to. It must be formatted identically to your source sensitive information table file and should contain synthetic values that are representative of your actual data. The file can be saved in .csv (comma-separated values), .tsv (tab-separated values), or pipe-separated (|) format, but should be the same as your actual source sensitive information table file. The .tsv format is recommended in cases where your data values may included commas, such as street addresses.

-Creating and making an exact data match (EDM) based sensitive information type (SIT) available is a multi-phase process. You can use the *new experience* the existing *classic experience* or via PowerShell. This article helps you understand the differences between the two experiences and helps you pick the right one for your needs.

-You can find out what region your tenant is hosting data-at-rest in by following the procedures in [Where your Microsoft 365 customer data is stored](../enterprise/o365-data-locations.md) and referring to the data center city locations in the same article.

-With the new experience, the schema and SIT are created via one user experience meaning fewer clicks, better guidance on mapping primary elements to default SITs and default confidence levels for the rules.

-In the new experience you can provide a sample data file that has the same header values and enough rows (10-20) of representative data to the system. The system validates the format and creates the schema based on the headers. You then identify the primary fields in the schema and the system recommends the SITs that best match it to associate with the primary field. If you don't want to upload the file, you can enter the same values manually in the UI.

-> As *loosely defined SIT*, like a custom one that looks for all personal identification numbers, has detection rules that allow for greater variability in the items detected. A *strongly defined SIT*, like U.S. Social Security Number, has detection rules that only allow a narrow, well defined set of items to be detected.

- Because the new experience doesn't support mapping multiple SITs to the same schema, you are limited to creating and managing 10 EDM SITS. In the classic experience, you can map multiple EDM SITs to the same schema and so have more than 10 EDM SITs. Using the new flow, you'll receive an error if you try to create an eleventh EDM schema and you won't be able to view more than 10 EDM SITs.

-All schemas that are created using the classic experience or uploaded as a XML file using PowerShell are not viewable or manageable in the new experience.

-The sensitive data table is a text file containing rows of values against which you will be comparing content in your documents to identify sensitive data. These values might be personally identifiable information, product records, or other sensitive data in text form that you want to detect in content and take protective actions on.

-When defining your EDM sensitive type, one of the most critical decisions is to define which fields will be primary fields. Primary fields need to follow a detectable pattern and be defined as searchable fields (columns) in your EDM schema. Secondary fields do not need to follow any pattern since they will be compared against all the text surrounding matches to the primary fields.

-For example, if you have the columns `full name`, `date of birth`, `account number`, and `Social Security Number`, even if the first and last names are the columns that will be common to the different combinations of data you want to detect, such strings donΓÇÖt follow easily identifiable patterns and may be difficult to define as a sensitive information type. This is because some names might not even start with uppercase, they may be formed by two, three or more words and may even contain numbers or other non-alphabetical characters. Date of birth can be more easily identified, but since every email and most documents will contain at least one date it is also not a good candidate. Social security numbers and account numbers are good candidates for use as primary field.

- - Up to 5 columns (fields) marked as searchable

-3. Pay attention to the format of the sensitive data fields; in particular, fields that may contain commas in their content. For example, a street address that contains the value "Seattle,WA" would be parsed as two separate fields when parsed if the .csv format is selected. To avoid this, use the .tsv format or surrounded the comma containing values by double quotes in the sensitive data table. If comma containing values also contain spaces, you need to create a custom SIT that matches the corresponding format. For example, a SIT that detects multi-word string with commas and spaces in it.

-1. Request to download the Teams app in the [Epic App Orchard marketplace](https://apporchard.epic.com/Gallery?id=16793). Doing this triggers a request from Epic to the Microsoft EHR connector team.

-Microsoft Defender for Endpoint on Android threat information is applied by Intune App Protection Policies to protect these apps. App protection policies (APP) are rules that ensure an organization's data remains safe or contained in a managed app. A managed application has app protection policies applied to it and can be managed by Intune.

-To enable this capability an administrator needs to configure the connection between Microsoft Defender for Endpoint and Intune, create the app protection policy, and apply the policy on targeted devices and applications.

-

- a. Go to security.microsoft.com.

-

-

- Block access or wipe data of a managed app based on Microsoft Defender for Endpoint risk signals by creating an app protection policy.

- Microsoft Defender for Endpoint can be configured to send threat signals to be used in app protection policies (APP, also known as MAM). With this capability, you can use Microsoft Defender for Endpoint to protect managed apps.

- 1. Create a policy.

- App protection policies (APP) are rules that ensure an organization's data remains safe or contained in a managed app. A policy can be a rule that is enforced when the user attempts to access or move "corporate" data, or a set of actions that are prohibited or monitored when the user is inside the app.

- :::image type="content" source="images/create-policy.png" alt-text="The Create policy tab in the App protection policies page in the Microsoft 365 Defender portal." lightbox="images/create-policy.png":::

-

- a. Choose how you want to apply this policy to apps on different devices. Then add at least one app.

- Use this option to specify whether this policy applies to unmanaged devices. In Android, you can specify the policy applies to Android Enterprise, Device Admin, or Unmanaged devices. You can also choose to target your policy to apps on devices of any management state.

-Because mobile app management doesn't require device management, you can protect company data on both managed and unmanaged devices. The management is centered on the user identity, which removes the requirement for device management. Companies can use app protection policies with or without MDM at the same time. For example, consider an employee that uses both a phone issued by the company, and their own personal tablet. The company phone is enrolled in MDM and protected by app protection policies while the personal device is protected by app protection policies only.

- A managed app is an app that has app protection policies applied to it, and can be managed by Intune. Any app that has been integrated with the [Intune SDK](/mem/intune/developer/app-sdk) or wrapped by the [Intune App Wrapping Tool](/mem/intune/developer/apps-prepare-mobile-application-management) can be managed using Intune app protection Policies. See the official list of [Microsoft Intune protected apps](/mem/intune/apps/apps-supported-intune-apps) that have been built using these tools and are available for public use.

- *Example: Outlook as a managed app*

- :::image type="content" source="images/managed-app.png" alt-text="The Public apps pane in the Microsoft 365 Defender portal." lightbox="images/managed-app.png":::

- 3. Set sign-in security requirements for your protection policy.

-

-

- Select **Included groups**. Then add the relevant groups.

- - Intune Company Portal

-

-### End-user onboarding

-1. Sign in to a managed application, for example, Outlook. The device is registered and the application protection policy is synchronized to the device. The application protection policy recognizes the device's health state.

-3. Select **Download**. You will be redirected to the app store (Google play).

-

-6. Select **Continue** to log into the managed application.

-## Configure Web protection

- - **antiphishing**

- - **vpn**

-

-

-1. Add **DefenderMAMConfigs** key and set the value as 1.

-1. In Microsoft Endpoint Manager Admin center, navigate to **Apps > App configuration policies**. Create a new App configuration policy. Click Managed Apps.

-2. Provide a name and description to uniquely identify the policy. Target the policy to **'Selected apps'** and search for **'Microsoft Defender Endpoint for Android'**. Click the entry and then click **Select** and then **Next**.

-3. Add the key and value from the table below. Ensure that the **ΓÇ£DefenderMAMConfigsΓÇ¥** key is present in every policy that you create using Managed Apps route. For Managed Devices route, this key should not exist. When you are done, click **Next**.

- | Key | Value Type | Default (true-enable, false-disable) | Description |

- | | | | |

- | `DefenderNetworkProtectionEnable` | Integer | 0 | 1 - Enable , 0 - Disable ; This setting is used by IT admins to enable or disable the network protection capabilities in the defender app|

- |`DefenderAllowlistedCACertificates`| String | None | None-Disable; This setting is managed by an admin to establish trust for root CA and self signed certificates.|

- |`DefenderCertificateDetection`|Integer| 1 |0 - Disable , 1 - Audit mode , 2 - Enable ; When network protection is enabled, Audit mode for certificate detection is enabled by default. In audit mode, notification alerts are sent to SOC admins, but no end user notifications are displayed to the user when Defender detects a bad certificate. Admins can disable this detection with 0 as the value and enable full feature functionality by setting 2 as the value. When this feature is enabled with value as 2, end user notifications are sent to the user when Defender detects a bad certificate. Alerts are also sent to SOC Admins. |

- | `DefenderOpenNetworkDetection` | Integer | 0 | 1 - enable, 0 - disable; This setting is managed by IT Admins to enable or disable open network detection informational alerts with no end user detection experience. |

- | `DefenderEndUserTrustFlowEnable` | String | false | true - enable, false - disable; This setting is used by IT admins to enable or disable the end user in-app experience to trust and untrust the unsecure and suspicious networks. |

- | `DefenderNetworkProtectionAutoRemediation` | String | true | true - enable, false - disable; This setting is used by the IT admin to enable or disable the remediation alerts that are sent when a user performs remediation activities like switching to safer Wi-Fi access points or deleting suspicious certificates detected by Defender. |

- | `DefenderNetworkProtectionPrivacy` | String | true | true - enable, false - disable; This setting is managed by IT admins to enable or disable privacy in network protection. |

-

-4. Include or exclude the groups you want the policy to apply to. Proceed to review and submit the policy.

-1. In Settings page, under the General Configuration Settings add **DefenderExcludeURLInReport**, **DefenderExcludeAppInReport** as the keys and value as true.

-## Optional permissions

-Microsoft Defender for Endpoint on Android enables Optional Permissions in the onboarding flow. Currently the permissions required by MDE are mandatory in the onboarding flow. With this feature, admin can deploy MDE on Android devices with MAM policies without enforcing the mandatory VPN and Accessibility Permissions during onboarding. End Users can onboard the app without the mandatory permissions and can later review these permissions.

-1. In Settings page, select **Use configuration designer** and **DefenderOptionalVPN** or **DefenderOptionalAccessibility** or **both** as the key and value type as Boolean.

-### User flow

-> [!NOTE]

-> [!div class="mx-imgBorder"]

-> :::image type="content" source="images/asr-defender365-advanced-hunting3.png" alt-text="The Advanced hunting query command line in the Microsoft 365 Defender portal" lightbox="images/asr-defender365-advanced-hunting3.png":::

-> [!div class="mx-imgBorder"]

-> :::image type="content" source="images/asr-defender365-advanced-hunting4b.png" alt-text="The Advanced hunting query focused example in the Microsoft 365 Defender portal" lightbox="images/asr-defender365-advanced-hunting4b.png":::

-1. Go to **Settings** > **Device discovery** > **Authenticated scans** in the [Microsoft 365 Defender portal](https://security.microsoft.com).

-7. Select the **Scan interval:** By default, the scan will run every four hours, you can change the scan interval or have it only run once, by selecting ΓÇÿDo not repeatΓÇÖ.

->[!Note]

->To prevent device duplication in the network device inventory, make sure each IP address is configured only once across multiple scanning devices.

-You can schedule cron jobs to initiate Microsoft Defender Antivirus scans on a schedule. For more information, see [How to schedule scans with Microsoft Defender for Endpoint on Linux](linux-schedule-scan-mde.md). This process works well if the device is always up and running.

-But if the Linux devices are shut down or offline during the cron schedule, the scan won't run. In these situations, you can use **anacron** to read the timestamp and find the last executed job. If the device was shut down during the scheduled cron job, it needs to wait until the next scheduled time. By using **anacron**, the system will detect the last time the scan was run. If the device didn't run the cron job, it will automatically start it.

-1. Connect to the RedHat server using Putty.

-1. Edit the anacron file:

- ```vi /etc/anacron```

- :::image type="content" source="images/vi_etc_anacron.png" alt-text="anacron file":::

- ```

- # /etc/anacrontab: configuration file for anacron

- # See anacron (8) and anacrontab (5) for details.

- SHELL=/bin/sh

- PATH=/sbin:/bin:/usr/sbin:/usr/bin

- RANDOM_DELAY=45

- # Anacron jobs will start between 8pm and 11pm.

- START_HOURS_RANGE=20-23

- # delay will be 5 minutes + RANDOM_DELAY for cron.daily

- ```

- 1. **Shell:** Shell is referred as ```/bin/sh```, and not as ```/bin/bash```. Remember when writing the jobs.

- 1. **RANDOM_DELAY:** Describes the maximum time in minutes for the job. This value is used to offset the jobs so there wouldn't be too many jobs running at the same time. Using this delay is ideal for VDI solutions.

- 1. **START_HOURS_RANGE:** Describes the time range to run the job.

- 1. **cron.daily:** Describes 1 as the period of days required for the frequency of job executions. 5 is the delay in minutes that anacron waits after the device restarts.

- ```ls -lh /etc/cron*```

- :::image type="content" source="images/ls_lh_etc_cron.png" alt-text="anacron jobs":::

- ```

- [root@redhat7 /] # ls -lh /etc/cron*

- - rw

- - rw - r

- /etc/cron.d:

- total 28k

- - rw - r

- - rw - r

- - rw - r

- - rw - r

- - rw - r

- - rw - r

- - rw

- /etc/cron.daily:

- total 24k

- - rwxr - xr - x. 1 root root 127 Jun 14 16:49 avscandaily

- - rwx

- - rwxr - xr - x. 1 root root 618 Jul 10 2018 man-db.cron

- - rwx

- - rwx

- - rwxr - xr - x. 1 root root 114 Apr 8 2021 rhui-update-client

- /etc/cron.hourly:

- total 8.0k

- - rwxr - xr - x. 1 root root 392 Nov 30 2021 0anacron

- - rwxr - xr - x. 1 root root 131 Jun 14 17:05 update

- /etc/cron.monthly:

- total 0

- - rwxr - xr - x. 1 root root 0 Jun 14 17:47 mdatpupdate

-

- /etc/cron.weekly:

- total 0

- ```

-1. Ignore the ```/etc/cron.d``` directory, you will see ```/etc/corn.daily, hourly, monthly, and weekly```.

- ```cd /etc/cron.weekly```

- ``` vi mdavfullscan```

- ```Press Insert```

-

- :::image type="content" source="images/vi_mdavfullscan.png" alt-text="weekly antivirus scans":::

- #!/bin/sh

- set -e

- echo $(date) "Time Scan Begins" >>/logs/mdav_avacron_full_scan.log

- /bin/mdatp scan full >> /logs/mdav_avacron_full_scan.log

- echo $(date) "Time Scan Finished" >>/logs/mdav_avacron_full_scan.log

- exit 0

- ~

- ```

- ```Press Esc```

- ```Type: wq!```

-1. Change the file permissions to allow the file to be executed.

- ```Chmod 755 mdavfullscan```

- ```ls -la```

- :::image type="content" source="images/chmod-755-mdavfullscan.png" alt-text="7. Change file permissions":::

- ```

- [root@redhat7 cron.weekly]# ls -la

- total 16

- drwxr - xr ΓÇô x. 2 root root 26 Jun 14 19:19 .

- drwxr - xr ΓÇô x. 85 root root 8192 Jun 14 19:01 ..

- - rw - r

- [root@redhat7 cron.weekly] # chmod 755 mdavfullscan

- [root@redhat7 cron.weekly] # ls -lh

- total 4. 0k

- - rwxr - xr ΓÇô x. 1 root root 128 Jun 14 19:19 mdavfullscan

- [root@redhat7 cron.weekly] #

- ```

-

- ```./mdavfullscan```

- ```cat /logs/mdav_avacron_full_scan.log```

- ```

- Tue Jun 14 20:20:44 UTC 2022 Time Scan Begins

- Tue Jun 14 20:20:50 UTC 2022 Time Scan Finished

- [-TopScans [<Int32>]]

- [-TopPaths [<Int32>] [-TopPathsDepth [<Int32>]]]

- [-TopScansPerPath [<Int32>]]

- [-TopFilesPerPath [<Int32>]

- [-TopScansPerFilePerPath [<Int32>]]

- ]

- [-TopExtensionsPerPath [<Int32>]

- [-TopScansPerExtensionPerPath [<Int32>]]

- ]

- [-TopProcessesPerPath [<Int32>]

- [-TopScansPerProcessPerPath [<Int32>]]

- ]

- ]

- [-TopFiles [<Int32>]

- [-TopScansPerFile [<Int32>]]

- [-TopProcessesPerFile [<Int32>]

- [-TopScansPerProcessPerFile [<Int32>]]

- ]

- ]

- [-TopExtensions [<Int32>]

- [-TopScansPerExtension [<Int32>]

- [-TopPathsPerExtension [<Int32>] [-TopPathsDepth [<Int32>]]

- [-TopScansPerPathPerExtension [<Int32>]]

- ]

- [-TopProcessesPerExtension [<Int32>]

- [-TopScansPerProcessPerExtension [<Int32>]]

- ]

- [-TopFilesPerExtension [<Int32>]

- [-TopScansPerFilePerExtension [<Int32>]]

- ]

- ]

- [-TopProcesses [<Int32>]

- [-TopScansPerProcess [<Int32>]]

- [-TopExtensionsPerProcess [<Int32>]

- [-TopScansPerExtensionPerProcess [<Int32>]]

- ]

- [-TopPathsPerProcess [<Int32>] [-TopPathsDepth [<Int32>]]

- [-TopScansPerPathPerProcess [<Int32>]]

- ]

- [-TopFilesPerProcess [<Int32>]

- [-TopScansPerFilePerProcess [<Int32>]]

- ]

- ]

- [-MinDuration <String>]

- [-Raw]

->[!Note]

->Want to experience Microsoft Defender Vulnerability Management? Learn more about how you can sign up to the [Microsoft Defender Vulnerability Management public preview trial](../defender-vulnerability-management/get-defender-vulnerability-management.md).

-Similar to [network device](../defender-endpoint/network-devices.md) authenticated scan, you'll need a scanning device with the scanner installed. If you donΓÇÖt already have the scanner installed, see [Install the scanner](../defender-endpoint/network-devices.md#install-the-scanner) for steps on how to download and install it.

-```powershell

-New-ADServiceAccount -name gmsa1 -PrincipalsAllowedToRetrieveManagedPassword scanner-win11-i$ -KerberosEncryptionType RC4, AES128, AES256 ΓÇôverbose

-```

-```powershell

-Install-ADServiceAccount -Identity gmsa1

-```

-If your PowerShell doesnΓÇÖt recognize those commands, it probably means you're missing a required PowerShell module. Instructions on how to install the module vary depending on your operating system. For more information, see [Getting Started with Group Managed Service Accounts](/windows-server/security/group-managed-service-accounts/getting-started-with-group-managed-service-accounts/).

->[!NOTE]

->[!NOTE]

->To configure and apply the permission to a group of devices to be scanned using a group policy, see [Configure a group of devices with a group policy](#configure-a-group-of-devices-with-a-group-policy).

-| Devices to be scanned requirements | Description |

-|Windows Management Instrumentation (WMI) is enabled | To enable remote Windows Management Instrumentation (WMI): </br> </br> - Verify the Windows Management Instrumentation service is running. </br> - Go to **Control Panel** &gt; **All Control Panel Items** &gt; **Windows Defender Firewall** &gt; **Allowed applications** and ensure Windows Management Instrumentation (WMI) is allowed through Windows Firewall.|

-|Scanning account is a member of Performance Monitor Users group| The scanning account must be a member of the **Performance Monitor Users** group on the device to be scanned.|

-|Performance Monitor Users group has 'Enable Account' and 'Remote Enable' permissions on Root/CIMV2 WMI namespace | To verify or enable these permissions: </br> </br> - Run wmimgmt.msc </br> - Right click **WMI Control (Local)** and select **Properties**</br> - Go to the Security tab</br> - Select the relevant WMI namespace and select **Security**</br> - Add the specified group and select to allow the specific permissions</br> - Select **Advanced**, choose the specified entry and select **Edit**</br> - Set **Applies To** to ΓÇ£This namespace and subnamespacesΓÇ¥|

-|**Performance Monitor Users** group should have permissions on DCOM operations| To verify or enable these permissions: </br></br> - Run dcomcnfg </br> - Navigate to **Component Services** > **Computers** > **My Computer** </br> - Right click My Computer and choose **Properties** </br> - Go to the COM Security tab </br> - Go to **Launch and Activation Permissions** and select **Edit Limits** </br> - Add the specified group and select to allow **Remote Activation** |

-| Step | Description |

-|:|:|

-|Create a new Group Policy Object| - On the domain controller open the Group Policy Management Console </br> - Follow these steps to [Create a Group Policy Object](/windows/security/threat-protection/windows-firewall/create-a-group-policy-object) </br> - Once your Group Policy Object (GPO) is created, right-click on your GPO and select **Edit** to open the Group Policy Management Editor console and complete the steps below |

-|Enable Windows Management Instrumentation (WMI)| To enable remote Windows Management Instrumentation (WMI): </br> </br> - Go to **Computer Configuration** &gt; **Policies** &gt; **Windows Settings** &gt; **Security Settings** &gt; **System Services** </br> - Right-click **Windows Management Instrumentation** </br> - Select the **Define this policy setting** box and choose **Automatic**|

-|Allow WMI through the firewall| To allow Windows Management Instrumentation (WMI) through the firewall: </br> </br> - Go to **Computer Configuration** &gt; **Policies** &gt; **Windows Settings** &gt; **Security Settings** &gt; **Windows Defender Firewall and Advanced Security** &gt; **Inbound Rules** </br> - Right-click and select **New Rule** </br> - Choose **Predefined** and select **Windows Management Instrumentation (WMI)** from the list. Then select **Next** </br> - Select the **Windows Management Instrumentation (WMI-In)** checkbox. Then select **Next** </br> - Select **Allow the connection**. Then select **Finish** </br> - Right-click the newly added rule and select **Properties** </br> - Go to the **Advanced** tab and uncheck the **Private** and **Public** options as only **Domain** is required|

-|Grant permissions to perform DCOM operations| To grant permissions to perform DCOM operations: </br> </br> - Go to **Computer Configuration** &gt; **Policies** &gt; **Windows Settings** &gt; **Security Settings** &gt; **Local Policies** &gt; **Security Operations** </br> - Right-click **DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax** and select **Properties** </br> - Select **Define this policy setting** box and select **Edit Security** </br> - Add the user or group you are granting permissions to and select **Remote Activation** |

-|Grant permissions to the Root\CIMV2 WMI namespace by running a PowerShell script via group policy: | - Create a PowerShell, see [Example PowerShell script](#example-powershell-script) for a recommended script you can modify according to your needs. </br> - Go to **Computer Configuration**&gt; **Policies** &gt; **Windows Settings** &gt;**Scripts (Startup/Shutdown)** &gt; **Startup** </br> - Go to the **PowerShell Scripts** tab </br> - Select **Show Files** and copy the script you created to this folder </br> - Return to the scripts configuration windows and select **Add** </br> - Enter the script name </br> |

-6. Select the **Scan interval:** By default, the scan will run every four hours, you can change the scan interval or have it only run once, by selecting ΓÇÿDo not repeatΓÇÖ.

-7. Choose your **Authentication method** - there are two options to choose from:

- >[!Note]

->[!Note]

->As the authenticated scanner currently uses an encryption algorithm that is not compliant with [Federal Information Processing Standards (FIPS)](/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing/), the scanner can't operate when an organization enforces the use of FIPS compliant algorithms.

->FIPS compliant algorithms are only used in relation to departments and agencies of the United States federal government.

->[!Note]

->This article describes security alerts in Microsoft 365 Defender. However, you can use activity alerts to send email notifications to yourself or other admins when users perform specific activities in Microsoft 365. For more information, see [Create activity alerts - Microsoft Purview | Microsoft Docs](../../compliance/create-activity-alerts.md).

-1. Go to the Microsoft 365 Defender portal ([security.microsoft.com](https://security.microsoft.com)), select **Settings** > **Microsoft 365 Defender**.

-You can also access **Alert service settings** directly from the **Incidents** page in the Microsoft 365 Defender portal.

- - **Reject the message with a non-delivery report (NDR)**

- - **Quarantine the message** (this is the default value)

-New-MalwareFilterPolicy -Name "<PolicyName>" [-AdminDisplayName "<OptionalComments>"] [-CustomNotifications <$true | $false>] [<Inbound notification options>] [<Outbound notification options>] [-QuarantineTag <QuarantineTagName>]

-New-MalwareFilterPolicy -Name "Contoso Malware Filter Policy" -EnableInternalSenderAdminNotifications $true -InternalSenderAdminAddress admin@contoso.com

-Organizations using the [Subscription Activation](/windows/deployment/windows-10-subscription-activation) feature to enable users to ΓÇ£step-upΓÇ¥ from one version of Windows to another, may want to exclude the Universal Store Service APIs and Web Application, AppID 45a330b1-b1ec-4cc1-9161-9f03992aa49f from their device compliance policy.

-Microsoft Defender Application Guard for Office (Application Guard for Office) helps prevent untrusted files from accessing trusted resources, keeping your enterprise safe from new and emerging attacks. This article walks admins through setting up supported devices for Application Guard for Office.

-* Microsoft 365 E5 or Microsoft 365 E5 Security

-* [Safe Documents in Microsoft 365](/microsoft-365/security/office-365-security/safe-documents-in-e5-plus-security-about)

-* **CPU**: 64-bit, 4 cores (physical or virtual), virtualization extensions (Intel VT-x OR AMD-V), Core i5 equivalent or higher recommended

-* **Physical memory**: 8-GB RAM

-* **Hard disk**: 10 GB of free space on the system drive (SSD recommended)

-* **Windows**: Windows 10 Enterprise edition, Client Build version 2004 (20H1) build 19041 or later. All versions of Windows 11 are supported.

-* **Office**: Microsoft 365 Apps with build 16.0.13530.10000 or later. For Current Channel and Monthly Enterprise Channel installations, this equals to version 2011. For Semi-Annual Enterprise Channel and Semi-Annual Enterprise Channel (Preview), the minimum version is 2108 or later. Both 32-bit and 64-bit versions are supported.

-* **Update package**: Windows 10 cumulative monthly security update [KB4571756](https://support.microsoft.com/help/4571756/windows-10-update-KB4571756)

-* A callout in the ribbon

-* The application icon with a shield in the taskbar

-> * Configure copy and paste from Office documents opened in Application Guard

-> * Disable hardware acceleration in Application Guard for Office

-> * Restrict printing for documents opened in Application Guard for Office

-> * Turn off camera and microphone access to documents opened in Application Guard for Office

-* Application Guard for Office is a protected mode that isolates untrusted documents so that they can't access trusted corporate resources, an intranet, the user's identity, and arbitrary files on the computer. As a result, if a user tries to access a feature that has a dependency on such accessΓÇöfor example, inserting a picture from a local file on diskΓÇöthe access fails and displays a prompt like the following example. To enable an untrusted document to access trusted resources, users must remove Application Guard protection from the document.

-* Active content like macros and ActiveX controls are disabled in Application Guard for Office. To enable active content, the Application Guard protection must be removed.

-* Untrusted files from network shares or files shared from OneDrive, OneDrive for Business, or SharePoint Online open as read-only in Application Guard. Users can save a local copy of such files to continue working in the container or remove protection to directly work with the original file.

-* Files that are protected by Information Rights Management (IRM) are blocked by default. If users want to open such files in Protected View, an administrator must configure policy settings for unsupported file types for the organization.

-* Any customizations to Office applications in Application Guard for Office do not persist after a user signs out and signs in again or after the device restarts.

-* Only Accessibility tools that use the UIA framework can provide an accessible experience for files opened in Application Guard for Office.

-* Network connectivity is required for the first launch of Application Guard after installation.

-* In the document's info section, the *Last Modified By* property may display **WDAGUtilityAccount** as the user. WDAGUtilityAccount is the anonymous account used by Application Guard. The desktop user's identity isn't available inside the Application Guard container.

-* The default setting for unsupported file types protection policy is to block opening untrusted unsupported file types that are encrypted or have Information Rights Management (IRM) set. This includes files that are encrypted by using sensitivity labels from Microsoft Purview Information Protection.

-* HTML files are not supported at this time.

-* Application Guard for Office currently does not work with NTFS compressed volumes. If you are seeing an error "ERROR_VIRTUAL_DISK_LIMITATION" please try uncompressing the volume.

-* If you are seeing an error mentioning that the hypervisor may not be enabled, check the following:

- * Virtualization is enabled in BIOS

- * Hyper-V is turned on

- * The Host Network Service is running

-* Updates to .NET might cause files to fail to open in Application Guard. This can be resolved by restarting the machine.

-* Application Guard requires "Virtual Machines" to be granted "Logon as a service" permission, and "wdagutilityaccount" must **not** be added to the "Deny logon as a service" security policy setting. 

-* Please see [Frequently asked questions - Microsoft Defender Application Guard for additional information.](/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard)

-|**Enable the common attachments filter** <br><br> _EnableFileFilter_|Selected <br><br> `$true`|Selected <br><br> `$true`|Selected <br><br> `$true`|This setting quarantines messages that contain attachments based on file type, regardless of the attachment content. For the list of file types, see [Anti-malware policies](anti-malware-protection-about.md#anti-malware-policies).|

-|Common attachment filter notifications (**When these file types are found**) <br><br> _FileTypeAction_|**Quarantine the message** <br><br> `Quarantine`|**Quarantine the message** <br><br> `Quarantine`|**Quarantine the message** <br><br> `Quarantine`||

-|**Action on potentially malicious URLs within Emails**||||||

-|**On: Safe Links checks a list of known, malicious links when users click links in email** <br><br> _EnableSafeLinksForEmail_|Not selected <br><br> `$false`|Selected <br><br> `$true`|Selected <br><br> `$true`|Selected <br><br> `$true`||

-|**Action for potentially malicious URLs in Microsoft Teams**||||||

-|**On: Safe Links checks a list of known, malicious links when users click links in Microsoft Teams** <br><br> _EnableSafeLinksForTeams_|Not selected <br><br> `$false`|Selected <br><br> `$true`|Selected <br><br> `$true`|Selected <br><br> `$true`||

-|**Action for potentially malicious URLs in Microsoft Office apps**||||||

-|**On: Safe Links checks a list of known, malicious links when users click links in Microsoft Office apps** <br><br> _EnableSafeLinksForOffice_|Selected <br><br> `$true`|Selected <br><br> `$true`|Selected <br><br> `$true`|Selected <br><br> `$true`|Use Safe Links in supported Office 365 desktop and mobile (iOS and Android) apps. For more information, see [Safe Links settings for Office apps](safe-links-about.md#safe-links-settings-for-office-apps).|

-You turn on or turn off Safe Links protection for Microsoft Teams in Safe Links policies. Specifically, you use the **On: Safe Links checks a list of known, malicious links when users click links in Microsoft Teams** setting. The recommended value is on (selected).

-You turn on or turn off Safe Links protection for Office apps in Safe Links policies. Specifically, you use the **On: Safe Links checks a list of known, malicious links when users click links in Microsoft Office apps** setting. The recommended value is on (selected).

- - **Action on potentially malicious URLs within Emails (Email & Time of Click)** section:

- - **On: Safe Links checks a list of known, malicious links when users click links in email**: Select this option to turn on Safe Links protection for links in email messages. If you select this option, the following settings are available:

- - **Apply Safe Links to email messages sent within the organization (Email ΓÇô Intraorg & Time of Click)**: Select this option to apply the Safe Links policy to messages between internal senders and internal recipients. Turning this on will enable link wrapping for all intraorg messages.

- - **Apply real-time URL scanning for suspicious links and links that point to files (Email)**: Select this option to turn on real-time scanning of links in email messages from external senders. If you select this option, the following setting is available:

- - **Wait for URL scanning to complete before delivering the message (Email)**: Select this option to wait for real-time URL scanning to complete before delivering the message from external senders. The recommended setting is **On**.

- - **Do not rewrite URLs, do checks via SafeLinks API only (Time of Click)**: Select this option to prevent URL wrapping and skip reputation check during mail flow. Safe Links is called exclusively via APIs at the time of URL click by Outlook clients that support it.

- - **Do not rewrite the following URLs in email** section: Click **Manage (nn) URLs** to allow access to specific URLs that would otherwise be blocked by Safe Links.

- > [!NOTE]

- > Entries in the "Do not rewrite the following URLs" list are not scanned or wrapped by Safe Links during mail flow. Use [URL allow entries in the Tenant Allow/Block List](tenant-allow-block-list-urls-configure.md#use-the-microsoft-365-defender-portal-to-create-allow-entries-for-urls-in-the-submissions-portal) to override the Safe Links URL verdict.

- 1. In the **Manage URLs to not rewrite** flyout that appears, click  **Add URLs**.

- 2. In the **Add URLs** flyout that appears, type the URL or value that you want, select the entry that appears below the box, and then click **Save**. Repeat this step as many times as necessary.

- For entry syntax, see [Entry syntax for the "Do not rewrite the following URLs" list](safe-links-about.md#entry-syntax-for-the-do-not-rewrite-the-following-urls-list).

- To remove an entry, click  next to the entry.

- When you're finished, click **Save**.

- 3. Back on the **Manage URLs to not rewrite** flyout, click **Done** or do maintenance on the list of entries:

- To remove entries from the list, can use the  **Search** box to find the entry.

- To select a single entry, click on the value in the **URLs** column.

- To select multiple entries one at a time, click the blank area to the left of the value.

- To select all entries at one, click the blank area to the left of the **URLs** column header.

- With one or more entries selected, click the  or  icons that appear.

- When you're finished, click **Done**.

- - **Actions for potentially malicious URLs in Microsoft Teams (Time of Click)** section:

- - **On: Safe Links checks a list of known, malicious links when users click links in Microsoft Teams**: Select this option to enable Safe Links protection for links in Teams. Note that this setting might take up to 24 hours to take effect.

- - **Actions for potentially malicious URLs in Microsoft Office apps (Time of Click)** section:

- - **On: Safe Links checks a list of known, malicious links when users click links in Microsoft Office apps**: Select this option to enable Safe Links protection for links in files in supported Office desktop, mobile, and web apps.

-Set-EmailAddressPolicy -Name StudentsGroups -EnabledEmailAddressTemplates "SMTP:@students.groups.contoso.com","smtp:@groups.contoso.com", "smtp:@students.contoso.com" ManagedByFilter {Department -eq 'Students'} -Priority 2

-The [Get started with Microsoft Syntex](/training/paths/syntex-get-started) learning path will teach how you can use unstructured, freeform, and unstructured document processing models to classify documents, extract text, and label your documents for quick and easy knowledge management.