Updates from: 02/17/2022 02:13:41
Category Microsoft Docs article Related commit history on GitHub Change details
admin Mover Migrate Files https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/moveto-microsoft-365/mover-migrate-files.md
- Title: "Migrate Google files to Microsoft 365 for business "-- NOCSH-------- M365-subscription-management -- Adm_O365--- AdminSurgePortfolio-- adminvideo
-monikerRange: 'o365-worldwide'
-- BCS160-- MET150-- MOE150
-description: "Learn how to Migrate Google files to Microsoft 365 for business by using Mover."
--
-# Migrate Google files to Microsoft 365 for business
-
-> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4MhaD?autoplay=false]
-
-When you move to Microsoft 365 for business, you'll want to migrate your files from Google Drive. You can use the Mover app to move files from personal and shared Drives. For more information, see [Mover Cloud Migration](/sharepointmigration/mover-plan-migration).
-
-> [!NOTE]
-> Mover will make a copy of the files and move the copies to Microsoft 365 for business. The original files will stay in Google Drives also.
-
-## Before you start
-
-All the users should have signed in to Microsoft 365 for business and set up their OneDrive for Business. To do this, go to [office.com](https://office.com), sign in with your Microsoft 365 for business credentials, and then choose OneDrive.
-
-## Try it!
-
-### Install Mover
-
-1. Sign in to your Google Workspace admin console at [admin.google.com](https://admin.google.com).
-
-1. Choose **Apps** > **Google Workspace Marketplace apps** > **Add app to Domain Install list**.
-
-1. Search for Mover and select it.
-
-1. Choose **Domain Install**, then **Continue**.
-
-1. Review the permissions, select the checkbox to agree to the terms,then select **Allow**, choose **Next**, then **Done**.
-
-### Create Connectors and run the migration
-
-1. Return to **Google Workspace Marketplace apps**.
-1. Refresh your browser, and select the **Mover** app.
-1. Scroll down and choose the universal navigation link.
-1. Select **Authorize New Connector**, locate **G Suite (Admin)**, and choose **Authorize**.
-1. Change the **Display Name**, if you want, then select **Authorize**.
-1. Choose a Google admin account, review the permissions,then select **Allow**.
-
- Mover displays the number of team drives and user drives it discovered.
-
-1. Under **Select destination**, choose **Authorize New Connector**, locate **Office 365**, and select **Authorize**.
-1. To grant permissions to the Mover app in your Azure Active Directory, navigate to [aka.ms/Office365MoverAuth](https://aka.ms/Office365MoverAuth).
-1. Select **Office 365 Mover**, **Permissions**, **Grant admin consent for your company**.
-1. Choose your account, review the permissions, and select **Accept**.
-1. Choose **Properties** and verify that **User assignment required?** is turned on.
-1. Return to the Mover app, change the **Display Name**, if you want, choose **Authorize**,then select a Microsoft admin account.
-
- Mover will inform you about the number of SharePoint Online (or SPO) sites and users it discovered.
-1. Choose **Continue Migration Setup**, select **Add Users**, then **Automatically Discover and Add Users**.
-
- The Mover app will attempt to map drives from the Source Path in Google, to the Destination Path in Microsoft 365.
-
- If a drive doesn't map automatically, add its destination path to a CSV file, which we'll use later to migrate the shared drive to a SharePoint document library.
-
-1. In this case, we have added a SharePoint site called Migrated files, and taken note of the URL for the documents page.
-1. We then created a CSV file using the format of Source Path, Destination Path, and Tags.
-
- For details see [aka.ms/movercsv](/sharepointmigration/mover-create-migration-csv).
-
- When adding the Destination Path URL, remove everything after Shared Documents. For example, this full URL won't work:
-`https://TENANT01.sharepoint.com/sites/SiteName/Shared Documents/Forms/AllItems.aspx`
-
- Change it to:
-`https://TENANT01.sharepoint.com/sites/SiteName/Shared Documents`
-
-1. Once your CSV file is ready, select **Migration Actions**, **Add to Migration**, **Choose a file to upload**.
-1. Navigate to your CSV file, select it,then choose **Open**.
-1. Select the user drives whose files you want to migrate, then choose **Start Migrating Users**.
-1. Review the migration information, choose when to start the migration, agree to the **Terms and Conditions**, then select **Continue**.
-
-The Mover app will inform you when the migration process is complete.
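Review bot: The removed steps include the only check that follows tenant-wide admin consent for **Office 365 Mover**: "Choose **Properties** and verify that **User assignment required?** is turned on." Before dropping the article, confirm that the destination it pointed to (/sharepointmigration/mover-plan-migration) still carries that check and the permission-review steps. Also confirm that a redirect replaces this path, so readers arriving from old links still reach the consent guidance.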
compliance Insider Risk Management Browser Support https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/insider-risk-management-browser-support.md
Web browsers are often used by users to access both sensitive and non-sensitive
- Files transferred or copied to a network share - Files copied to USB devices
-Signals for these events are detected in Microsoft Edge using built-in browser capabilities and using the *Microsoft Insider Risk Extension* add-on. In Google Chrome, customers use the *Microsoft Compliance Extension* for signal detection.
+Signals for these events are detected in Microsoft Edge using built-in browser capabilities and using the *Microsoft Compliance Extension* add-on. In Google Chrome, customers use the *Microsoft Compliance Extension* for signal detection.
The following table summarizes detected activities and extension support for each browser:
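Review bot: After the rename in the `+` line, the Edge sentence and the Chrome sentence both name the *Microsoft Compliance Extension*, so the two sentences no longer contrast anything except "add-on" versus no qualifier. Suggest merging them into one sentence that says Edge uses built-in browser capabilities plus the extension and Chrome uses the extension, and using one term ("add-on" or "extension") consistently with the requirements section further down.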
The following table summarizes detected activities and extension support for eac
## Common requirements
-Before installing either the *Microsoft Insider Risk Extension* or the *Microsoft Compliance Extension,* customers need to ensure that devices for in-scope policy users meet the following requirements
+Before installing the Microsoft Edge add-on or Google Chrome extension, customers need to ensure that devices for in-scope policy users meet the following requirements:
- Latest Windows 10 x64 build is recommended, minimum Windows 10 x64 build 1809 for signal detection support. Browser signal detection isn't currently supported on non-Windows devices. - Current [Microsoft 365 subscription](/microsoft-365/compliance/insider-risk-management-configure#subscriptions-and-licensing) with insider risk management support.
For specific browser configuration requirements, see the Microsoft Edge and Goog
- Meet the common requirements - Microsoft Edge x64, 91.0.864.41 version or higher-- *Microsoft Insider Risk Extension* add-on version 1.0.0.44 or higher
+- *Microsoft Compliance Extension* add-on version 1.0.0.44 or higher
- Edge.exe is not configured as an unallowed browser ### Option 1: Basic setup (recommended for testing with Edge)
Use this option to configure single machine selfhost for each device in your org
For the basic setup option, complete the following steps:
-1. Navigate to [Microsoft Insider Risk Extension](https://microsoftedge.microsoft.com/addons/detail/microsoft-insider-risk-ex/lcmcgbabdcbngcbcfabdncmoppkajglo).
+1. Navigate to [Microsoft Compliance Extension](https://microsoftedge.microsoft.com/addons/detail/microsoft-compliance-exte/lcmcgbabdcbngcbcfabdncmoppkajglo).
2. Install the extension. ### Option 2: Intune setup for Edge
For the Group Policy setup option, complete the following steps:
Devices must be manageable using Group Policies and all [Microsoft Edge Administrative Templates](https://www.microsoft.com/edge/business/download) need to be imported into the Group Policy Central Store. For more information, see [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](/troubleshoot/windows-client/group-policy/create-and-manage-central-store).
-**Step 2: Add the *Microsoft Insider Risk Management Extension* add-on to the *Force Install* list.**
+**Step 2: Add the *Microsoft Compliance Extension* add-on to the *Force Install* list.**
Complete the following steps to add the extension:
compliance Retention Policies Teams https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/retention-policies-teams.md
Other mailbox types, such as RoomMailbox that is used for Teams conference rooms
Teams uses an Azure-powered chat service as its primary storage for all messages (chats and channel messages). If you need to delete Teams messages for compliance reasons, retention policies for Teams can delete messages after a specified period, based on when they were created. Messages are then permanently deleted from both the Exchange mailboxes where they stored for compliance operations, and from the primary storage used by the underlying Azure-powered chat service. For more information about the underlying architecture, see [Security and compliance in Microsoft Teams](/MicrosoftTeams/security-compliance-overview) and specifically, the [Information Protection Architecture](/MicrosoftTeams/security-compliance-overview#information-protection-architecture) section.
-Although this data from Teams chats and channel messages are stored in mailboxes, you must configure a retention policy for the **Teams channel messages** and **Teams chats** locations. Teams chats and channel messages are not included in retention policies that are configured for Exchange user or group mailboxes. If a user is added to a chat, a copy of all messages shared with them are ingested into their mailbox. The created date of those messages does not change for the new user and remains the same for all users.
+Although this data from Teams chats and channel messages are stored in mailboxes, you must configure a retention policy for the **Teams channel messages** and **Teams chats** locations. Teams chats and channel messages are not included in retention policies that are configured for Exchange user or group mailboxes. Similarly, retention policies for Teams don't affect other email items stored mailboxes.
+
+If a user is added to a chat, a copy of all messages shared with them are ingested into their mailbox. The created date of those messages does not change for the new user and remains the same for all users.
> [!NOTE] > If a user is included in an active retention policy that retains Teams messages and you delete a mailbox of a user who is included in this policy, the mailbox is converted into an [inactive mailbox](inactive-mailboxes-in-office-365.md) to retain the Teams data. If you don't need to retain this Teams data for the user, exclude the user account from the retention policy and [wait for this change to take effect](create-retention-policies.md#how-long-it-takes-for-retention-policies-to-take-effect) before you delete their mailbox.
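Review bot: The new sentence "retention policies for Teams don't affect other email items stored mailboxes" is missing a word; it should read "stored in mailboxes". Since the paragraph is being touched anyway, the opening clause "this data ... are stored in mailboxes" could be fixed to "is stored" in the same change, so the scope statement that admins rely on reads cleanly.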
compliance Sensitivity Labels Office Apps https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sensitivity-labels-office-apps.md
For built-in labeling, identify the minimum versions of Outlook that support the
When the Outlook app supports a default label setting that's different from the default label setting for documents: -- In the label policy wizard, on the **Apply a default label to emails** page, you can specify your choice of sensitivity label that will be applied to all unlabeled emails, or no default label. This setting is independent from the **Apply this label by default to documents** setting on the previous **Policy settings for documents** page of the wizard.
+- In the label policy configuration from the Microsoft 365 compliance center, on the **Apply a default label to emails** page: You can specify your choice of sensitivity label that will be applied to all unlabeled emails, or no default label. This setting is independent from the **Apply this label by default to documents** setting on the previous **Policy settings for documents** page of the configuration.
-When the Outlook app doesn't support a default label setting that's different from the default label setting for documents: Outlook will always use the value you specify for **Apply this label by default to documents** on the **Policy settings for documents** page of the label policy wizard.
+When the Outlook app doesn't support a default label setting that's different from the default label setting for documents: Outlook will always use the value you specify for **Apply this label by default to documents** on the **Policy settings for documents** page of the label policy configuration.
When the Outlook app supports turning off mandatory labeling: -- In the label policy wizard, on the **Policy settings** page, select **Require users to apply a label to their email or documents**. Then select **Next** > **Next** and clear the checkbox **Require users to apply a label to their emails**. Keep the checkbox selected if you want mandatory labeling to apply to emails as well as to documents.
+- In the label policy configuration from the Microsoft 365 compliance center, on the **Policy settings** page: Select **Require users to apply a label to their email or documents**. Then select **Next** > **Next** and clear the checkbox **Require users to apply a label to their emails**. Keep the checkbox selected if you want mandatory labeling to apply to emails as well as to documents.
When the Outlook app doesn't support turning off mandatory labeling: If you select **Require users to apply a label to their email or documents** as a policy setting, Outlook will always prompt users to select a label for unlabeled emails. > [!NOTE] > If you have configured the PowerShell advanced settings **OutlookDefaultLabel** and **DisableMandatoryInOutlook** by using the [Set-LabelPolicy](/powershell/module/exchange/set-labelpolicy) or [New-LabelPolicy](/powershell/module/exchange/new-labelpolicy) cmdlets: >
-> Your chosen values for these PowerShell settings are reflected in the label policy wizard and automatically work for Outlook apps that support these settings. The other PowerShell advanced settings remain supported for the Azure Information Protection unified labeling client only.
+> Your chosen values for these PowerShell settings are reflected in the label policy configuration in the compliance center, and they automatically work for Outlook apps that support these settings. The other PowerShell advanced settings remain supported for the Azure Information Protection unified labeling client only.
## Auditing labeling activities For information about the auditing events that are generated by sensitivity label activities, see the [Sensitivity label activities](search-the-audit-log-in-security-and-compliance.md#sensitivity-label-activities) section from [Search the audit log in the compliance center](search-the-audit-log-in-security-and-compliance.md).
-This auditing information is visually represented in [content explorer](data-classification-content-explorer.md) and [activity explorer](data-classification-activity-explorer.md) to help you understand how your sensitivity labels are being used and where this labeled content is located.
+This auditing information is visually represented in [content explorer](data-classification-content-explorer.md) and [activity explorer](data-classification-activity-explorer.md) to help you understand how your sensitivity labels are being used and where this labeled content is located. You can also create custom reports with your choice of security information and event management (SIEM) software when you [export and configure the audit log records](export-view-audit-log-records.md).
## End-user documentation
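Review bot: The added SIEM sentence says custom reports can be created "when you export and configure the audit log records", but the report is built after the export, not during it; "after you export" would be clearer. It would also help to point readers back to the Sensitivity label activities section linked two sentences earlier, so they know which activities to select in the export.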
lighthouse M365 Lighthouse Compare Compliance Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lighthouse/m365-lighthouse-compare-compliance-policies.md
description: "For Managed Service Providers (MSPs) using Microsoft 365 Lighthous
> [!NOTE] > The features described in this article are in Preview, are subject to change, and are only available to partners who meet the [requirements](m365-lighthouse-requirements.md). If your organization does not have Microsoft 365 Lighthouse, see [Sign up for Microsoft 365 Lighthouse](m365-lighthouse-sign-up.md).
-Microsoft 365 Lighthouse lets you view compliance policies across your tenants in a single view. You can drive security and standardization across your tenants by comparing policies. You can filter views to see settings that have been configured (versus settings that were left not configured), settings that differ in their configurations, or just the settings that match. You can also search for specific settings youΓÇÖre interested in and see how that compares among the policies.
+Microsoft 365 Lighthouse lets you view compliance policies across your tenants in a single view. You can drive security and standardization across your tenants by comparing policies. You can filter views to see settings that have been configured (versus settings that were left not configured), settings that differ in their configurations, or settings that match. You can also search for specific settings to see how they compare across policies.
## Before you begin -- Devices must have an Intune license and be enrolled in Microsoft Endpoint Manager (MEM).
+Make sure devices have a Microsoft Intune license and are enrolled in Microsoft Endpoint Manager (MEM).
## Compare policy settings
Microsoft 365 Lighthouse lets you view compliance policies across your tenants i
2. Select the **Policies** tab.
-3. From the **Filters** drop-down list, select an operating system/platform.
+3. From the **Filters** drop-down list, select an operating system or platform.
> [!NOTE]
- > You can only compare policies with the same operating system/platform.
+ > You can only compare policies with the same operating system or platform.
-4. From the filtered list, select up to three policies you want to compare.
+4. From the filtered list, select up to three policies that you want to compare.
5. Select **Compare**.
lighthouse M365 Lighthouse Deploy Baselines https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lighthouse/m365-lighthouse-deploy-baselines.md
Select **Baselines** from the left navigation pane to open the Baselines page. Y
## Deploy a baseline configuration
-1. In the left navigation page, select **Tenants** to view a list of your onboarded tenants.
+1. In the left navigation pane in Lighthouse, select **Tenants** to view a list of your onboarded tenants.
2. Select the tenant you want to deploy the baseline configuration to.
lighthouse M365 Lighthouse Reset User Password https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lighthouse/m365-lighthouse-reset-user-password.md
description: "For Managed Service Providers (MSPs) using Microsoft 365 Lighthous
> [!NOTE] > The features described in this article are in Preview, are subject to change, and are only available to partners who meet the [requirements](m365-lighthouse-requirements.md). If your organization does not have Microsoft 365 Lighthouse, see [Sign up for Microsoft 365 Lighthouse](m365-lighthouse-sign-up.md).
-Microsoft 365 Lighthouse lets you change or reset user passwords. You can reset a single user or multiple risky users across different tenants.
+Microsoft 365 Lighthouse lets you change or reset user passwords. You can reset the password for a single user or for multiple risky users across different tenants.
## Reset a password for a user
Microsoft 365 Lighthouse lets you change or reset user passwords. You can reset
2. Select the **Search users** tab.
-3. In the search box, enter a userΓÇÖs name.
+3. In the search box, enter a user's name.
4. From the search results list, select the user.
Microsoft 365 Lighthouse lets you change or reset user passwords. You can reset
6. In the Reset password pane, select **Autogenerate a password** or **Let me create a password**.
- a. If you choose to create a password, enter a password.
+ - If you choose to create a password, enter a password.
- b. If you want the user to change their password after first sign in, select the checkbox.
+ - If you want the user to change their password after first sign-in, select the checkbox.
7. Select **Reset password**.
-## Reset password for risky users
+## Reset a password for a risky user
1. In the left navigation pane in Lighthouse, select **Users**.
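Review bot: The heading changes from "Reset password for risky users" to "Reset a password for a risky user", while the revised intro in the same file still says you can reset the password "for multiple risky users across different tenants". Either keep the plural in the heading or state in this section whether more than one risky user can be selected in a single reset, so the heading and the intro agree.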
Microsoft 365 Lighthouse lets you change or reset user passwords. You can reset
5. In the Reset password pane, select **Autogenerate a password** or **Let me create a password**.
- 1. If you choose to create a password, enter a password.
+ - If you choose to create a password, enter a password.
- 1. If you want the user to change their password after first sign in, select the checkbox.
+ - If you want the user to change their password after first sign-in, select the checkbox.
6. Select **Reset password**. ## Related content
-[Manage Microsoft 365 user accounts](../enterprise/manage-microsoft-365-accounts.md)\
-[Block user sign-in](m365-lighthouse-block-user-signin.md)
+[Manage Microsoft 365 user accounts](../enterprise/manage-microsoft-365-accounts.md) (article)\
+[Block user sign-in](m365-lighthouse-block-user-signin.md) (article)
lighthouse M365 Lighthouse Review Audit Logs https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lighthouse/m365-lighthouse-review-audit-logs.md
Microsoft 365 Lighthouse audit logs record actions that generate a change in Lig
To view audit logs, you must have one of the following permissions: -- Azure AD role - Global Administrator of partner tenant
+- Azure Active Directory (Azure AD) role - Global Administrator of partner tenant
-- Partner Center role - Admin Agent
+- Microsoft Partner Center role - Admin agent
-## Review logs
+## Review audit logs
1. In the left navigation pane in Lighthouse, select **Audit logs**. > [!NOTE] > It might take up to 1 hour to see new logs. Go to the respective service to see the most recent changes.
-2. To filter the logs, refine the list using the following options:
+2. Filter the logs, as needed, by using the following options:
- **Date range** - Previous month, week, or day. - **Tenants** - Tenant tags or customer tenant names.
- - **Activity** - Microsoft 365 activity type that corresponds to the action taken. For more information, see Activity Types table.
+ - **Activity** - Microsoft 365 activity type that corresponds to the action taken. For more information, see the [Activities](#activities) table.
- **Initiated by** - Who initiated the action.
-3. Select a log from the list to see full details including the **Request** body.
-
-Select **Export**, to export log data to a comma-separated values (.csv) file.
-
-## Activity Types
-
-The following table is a list of activity types captured within Lighthouse audit logs. The list is subject to change as new actions are created. You can use the activity value from the audit log to see what action was initiated.
-
-| Activity name | Area in Microsoft 365 Lighthouse | Action initiated | Service impacted |
-||-|-|-|
-|**apply** | Tenants | Apply deployment plan | Azure AD, Microsoft Endpoint Manager |
-|**assignTag** | Tenants | Apply a tag from a customer | Microsoft 365 Lighthouse |
-|**changeDeploymentStatus** | Tenants | Action plan status for deployment plan | Microsoft 365 Lighthouse |
-|**offboardTenant** | Tenants | Inactivate a customer | Microsoft 365 Lighthouse |
-|**resetTenantOnboardingStatus** | Tenants | Reactive a customer | Microsoft 365 Lighthouse |
-|**tenantTags** | Tenants | Create or delete a tag | Microsoft 365 Lighthouse |
-|**tenantCustomizedInformation** | Tenants | Create, update, or delete customer website or contact information | Microsoft 365 Lighthouse |
-|**unassignTag** | Tenants | Remove a tag from a customer | Microsoft 365 Lighthouse |
-| **blockUserSignin** | Users | Block sign-in | Azure AD |
-| **confirmUsersCompromised** | Users | Confirm user compromised | Azure AD |
-| **dismissUsersRisk** | Users | Dismiss user risk | Azure AD |
-| **resetUserPassword** | Users | Reset password | Azure AD |
-| **setCustomerSecurityDefaultsEnabledStatus** | Users | Enable MFA with Security Defaults | Azure AD |
-|**restartDevice** | Devices | Restart | Microsoft Endpoint Manager |
-| **syncDevice** | Devices | Sync | Microsoft Endpoint Manager |
-| **rebootNow** | Threat management | Reboot | Microsoft Endpoint Manager |
-| **reprovision** | Windows 365 | Retry Provisioning | Windows 365 |
-| **windowsDefenderScanFull** | Threat management | Full scan | Microsoft Endpoint Manager |
-| **windowsDefenderScan** | Threat management | Quick scan | Microsoft Endpoint Manager |
-| **windowsDefenderUpdateSignatures** | Threat management | Update antivirus | Microsoft Endpoint Manager |
+3. Select a log from the list to see full details, including the **Request** body.
+
+ To export log data to a comma-separated values (.csv) file, select **Export**.
+
+## Activities
+
+The following table lists activities captured within Lighthouse audit logs. The list is subject to change as new actions are created. You can use the activity listed in the audit log to see which action was initiated.<br><br>
+
+| Activity name | Area in Lighthouse | Action initiated | Service impacted |
+|--|--|--|--|
+| **apply** | Tenants | Apply deployment plan | Azure AD, Microsoft Endpoint Manager (MEM) |
+| **assignTag** | Tenants | Apply a tag from a customer | Lighthouse |
+| **changeDeploymentStatus** | Tenants | Action plan status for deployment plan | Lighthouse |
+| **offboardTenant** | Tenants | Inactivate a customer | Lighthouse |
+| **resetTenantOnboardingStatus** | Tenants | Reactive a customer | Lighthouse |
+| **tenantTags** | Tenants | Create or delete a tag | Lighthouse |
+| **tenantCustomizedInformation** | Tenants | Create, update, or delete a customer website or contact information | Lighthouse |
+| **unassignTag** | Tenants | Remove a tag from a customer | Lighthouse |
+| **blockUserSignin** | Users | Block sign-in | Azure AD |
+| **confirmUsersCompromised** | Users | Confirm a user is compromised | Azure AD |
+| **dismissUsersRisk** | Users | Dismiss user risk | Azure AD |
+| **resetUserPassword** | Users | Reset password | Azure AD |
+| **setCustomerSecurityDefaultsEnabledStatus** | Users | Enable multifactor authentication (MFA) with security defaults | Azure AD |
+| **restartDevice** | Devices | Restart | MEM |
+| **syncDevice** | Devices | Sync | MEM |
+| **rebootNow** | Threat management | Reboot | MEM |
+| **reprovision** | Windows 365 | Retry provisioning | Windows 365 |
+| **windowsDefenderScanFull** | Threat management | Full scan | MEM |
+| **windowsDefenderScan** | Threat management | Quick scan | MEM |
+| **windowsDefenderUpdateSignatures** | Threat management | Update antivirus | MEM |
## Next steps
-If you need more information, you can use Microsoft Graph API to access more audit events. For more information, see [Overview for multi-tenant management using the Microsoft 365 Lighthouse API](/graph/managedtenants-concept-overview).
+If you need more information, use Microsoft Graph API to access more audit events. For more information, see [Overview for multi-tenant management using the Microsoft 365 Lighthouse API](/graph/managedtenants-concept-overview).
## Related content
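Review bot: Two wording errors in the Activities table are carried over unchanged into the `+` rows. The **resetTenantOnboardingStatus** row reads "Reactive a customer", which should be "Reactivate a customer", and the **assignTag** row reads "Apply a tag from a customer", which should be "Apply a tag to a customer" (compare **unassignTag**, "Remove a tag from a customer"). Because readers use this table to interpret audit entries, it is worth fixing both while the rows are being rewritten.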
managed-desktop Support https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/service-description/support.md
# Admin support
-Microsoft will provide proactive and reactive incident management. Microsoft tracks incidents in the Microsoft Managed Desktop admin portal. They are classified according to [severity definitions](../working-with-managed-desktop/admin-support.md#sev).
+Microsoft will provide proactive and reactive incident management.
-Customers can contact Microsoft Managed Desktop operations for:
-- Information requests on the Microsoft Managed Desktop tenant or configuration-- Change requests to the configuration of Microsoft Managed Desktop devices-- Reporting an incident or outage-
-## What's included?
-
-Microsoft Managed Desktop support includes:
+Microsoft tracks incidents in the Microsoft Managed Desktop Admin portal. They're classified according to the [severity definitions](../working-with-managed-desktop/admin-support.md#support-request-severity-definitions).
-- A team of engineers dedicated to Microsoft Managed Desktop devices-- Support options for users with Microsoft Managed Desktop devices-- Grants limited administrative access to Microsoft Managed Desktop devices for engineers managing Microsoft Managed Desktop devices -
-Supported products:
--- Windows 10 with Microsoft Defender for Endpoint-- These Microsoft 365 Apps for enterprise apps: Outlook, Word, PowerPoint, Excel, Skype for Business client, Microsoft Teams -- Microsoft Store for Business -- OneDrive client
+Customers can contact Microsoft Managed Desktop operations for:
-Support details:
+- Information requests on the Microsoft Managed Desktop tenant or configuration.
+- Change requests to the configuration of Microsoft Managed Desktop devices.
+- Reporting an incident or outage.
-- Current: United States, Canada (excluding Quebec), United Kingdom, Belgium, Luxembourg, the Netherlands, Australia, and New Zealand (24x7x365) -- English is the only supported language for phone and chat conversations with customers -- We are partnering with, not replacing, your corporate helpdesk; line-of-Business (LOB) apps, network resources, etc. are still handled by your helpdesk -- Microsoft Managed Desktop devices in the "Test" group and devices not part of Microsoft Managed Desktop are out of scope
+## What's included?
+| Support for | Includes |
+| | |
+| Microsoft Managed Desktop | <ul><li>A team of engineers dedicated to Microsoft Managed Desktop devices.</li><li>Support options for users with Microsoft Managed Desktop devices.</li><li>Grants limited administrative access to Microsoft Managed Desktop devices for engineers managing Microsoft Managed Desktop devices.</li></ul> |
+| Products | <ul><li>Windows 10 with Microsoft 365 Defender for Endpoint.</li><li>The following Microsoft 365 Apps for Enterprise apps: Outlook, Word, PowerPoint, Excel, Skype for Business client, Microsoft Teams.</li><li>Microsoft Store for Business.</li><li>OneDrive client.</li></ul> |
+| Geography | Currently, the United States, Canada (excluding Quebec), United Kingdom, Belgium, Luxembourg, the Netherlands, Australia, and New Zealand (24x7x365) are supported. |
+| Language |English is the only supported language for phone and chat conversations with customers. |
+| HelpDesk | We're partnering with, not replacing, your corporate helpdesk; line-of-Business (LOB) apps, network resources, etc. are still handled by your helpdesk. |
+| Test group and other devices | Microsoft Managed Desktop devices in the "Test" group and devices not part of Microsoft Managed Desktop are out of scope. |
-## Related topics
+## Related articles
- [Learn how IT administrators can get support](../working-with-managed-desktop/admin-support.md) - [Learn how users can get support](../working-with-managed-desktop/end-user-support.md)
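Review bot: In the Products row of the new table, "Windows 10 with Microsoft 365 Defender for Endpoint" changes the product name from the removed line's "Microsoft Defender for Endpoint"; the removed wording is the correct name and should be kept. The same row also changes "Microsoft 365 Apps for enterprise" to "Apps for Enterprise", and the new "HelpDesk" row label does not match "helpdesk" in its own cell; suggest keeping the original casing in both places.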
managed-desktop Updates https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/service-description/updates.md
# How updates are handled in Microsoft Managed Desktop - <!--This topic is the target for a "Learn more" link in the Admin Portal (aka.ms/update-rings); do not delete.--> <!--Update management -->
-Microsoft Managed Desktop connects all devices to a modern cloud-based infrastructure. Keeping Windows, Office, drivers, firmware, and Microsoft Store for Business applications up to date is a balance of speed and stability. We use update groups to ensure operating system updates and policies are rolled out in a safe manner. For more information, see the video [Microsoft Managed Desktop Change and Release Process](https://www.microsoft.com/videoplayer/embed/RE4mWqP).
+Microsoft Managed Desktop connects all devices to a modern cloud-based infrastructure.
-Updates released by Microsoft are cumulative and are categorized as quality or feature updates.
-For more information, see [Windows Update for Business: Update types](/windows/deployment/update/waas-manage-updates-wufb#update-types).
+Keeping Windows, Office, drivers, firmware, and Microsoft Store for Business applications up to date is a balance of speed and stability. We use update groups to ensure operating system updates and policies are rolled out in a safe manner. For more information, see the video [Microsoft Managed Desktop Change and Release Process](https://www.microsoft.com/videoplayer/embed/RE4mWqP).
-## Update groups
+Updates released by Microsoft are cumulative and are categorized as quality or feature updates. For more information, see [Windows Update for Business: Update types](/windows/deployment/update/waas-manage-updates-wufb#update-types).
+## Update groups
Microsoft Managed Desktop uses four Azure AD groups to manage updates: -- **Test**: Used to validate Microsoft Managed Desktop policy changes, operating system updates, feature updates, and other changes pushed to the Azure AD organization ("tenant"). Best for testing or users who can provide early feedback. The test group is exempt from any established service level agreements and user support. This group is available for use to validate compatibility of applications with new policy or operating system changes. -- **First**: Contains early software adopters and devices that could be subject to pre-release updates. Devices in this group might experience outages if there are scenarios that were not covered during testing in the test ring.-- **Fast**: Prioritizes speed over stability. Useful for detecting quality issues before they are offered to the Broad group. This group serves as a next layer of validation but is typically more stable than the Test and First groups. -- **Broad**: Last group to have feature and quality updates available. This group contains most of users in the Azure AD organization, and therefore favors stability over speed in deployment. Testing of apps should be done here as the environment is most stable.
+| Group | Description |
+| | |
+| Test | Used to validate Microsoft Managed Desktop policy changes, operating system updates, feature updates, and other changes pushed to the Azure AD organization ("tenant"). The Test group is: <ul><li>Best for testing or users who can provide early feedback.</li><li>Exempt from any established service level agreements and user support.</li><li>Available to validate compatibility of applications with new policy or operating system changes.</li></ul> |
+| First | Contains early software adopters and devices that could be subject to pre-release updates. <br><br> Devices in this group might experience outages if there are scenarios that weren't covered during testing in the test ring. |
+| Fast | Prioritizes speed over stability. The Fast group is: <ul><li>Useful for detecting quality issues before they're offered to the Broad group.</li> <li>The next layer of validation, and is typically more stable than the Test and First groups.</li></ul> |
+| Broad | This group is the last group to have feature and quality updates available. <br><br> The Broad group contains most of users in the Azure AD organization, and therefore favors stability over speed in deployment. Testing of apps should be done with this group because the environment is the most stable. |
### Moving devices between update groups+ You might want some devices to receive updates last and others that you want to go first. To move these devices into the appropriate update group, see [Assign devices to a deployment group](../working-with-managed-desktop/assign-deployment-group.md). For more information on roles and responsibilities within these deployment groups, see [Microsoft Managed Desktop Roles and responsibilities](../intro/roles-and-responsibilities.md)
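Review bot: The Broad row now says "Testing of apps should be done with this group because the environment is the most stable", which reads as a contradiction of the Test row, where that group is the one "Available to validate compatibility of applications with new policy or operating system changes"; state what kind of app testing belongs in Broad, or drop the sentence. The same row carries over the typo "contains most of users" from the old bullet (should be "most of the users"). The delimiter row under the header is shown as `| | |` with no dashes, so confirm the table still renders.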
-### Using Microsoft Managed Desktop update groups
+### Using Microsoft Managed Desktop update groups
+ There are parts of the service that you manage, like app deployment, where it might be necessary to target all managed devices.
-## How update deployment works:
-1. Microsoft Managed Desktop deploys a new feature or quality update according to the schedule specified in the following table.
-2. During deployment, Microsoft Managed Desktop monitors for signs of failure or disruption based on diagnostic data and the user support system. If any are detected, we immediately pause the deployment to all current and future groups.
- - Example: If an issue is discovered while deploying a quality update to the First group, then update deployments to First, Fast, and Broad will all be paused until the issue is mitigated.
- - You can report compatibility issues by filing a ticket in the Microsoft Managed Desktop Admin portal.
- - Feature and quality updates are paused independently. Pause is in effect for 35 days by default, but can be reduced or extended depending on whether the issue is mitigated.
-3. Once the groups are unpaused, deployment resumes according to the schedule in the table.
-4. Users are empowered to respond to restart notifications for a set period (known as the deadline and measured from the time the update is offered to the device), during which time the device will only automatically restart outside active hours. After this period expires, the deadline has been reached and the device will restart at the next available opportunity, regardless of active hours. The deadline for quality updates is three days; for feature updates it is five days.
-
-This deployment process applies to both feature and quality updates, though the timeline varies for each.
--
-<table>
- <tr><th colspan="5">Update deployment settings</th></tr>
- <tr><th>Update type</th><th>Test</th><th>First</th><th>Fast</th><th>Broad</th></tr>
- <tr><td>Quality updates for operating system</td><td>0 days</td><td>0 days</td><td>0 days</td><td>7 days</td></tr>
- <tr><td>Feature updates for operating system</td><td>0 days</td><td>30 days</td><td>60 days</td><td>90 days</td></tr>
- <tr><td>Drivers/firmware</td><td colspan="4">Follows the schedule for quality updates</td></tr>
- <tr><td>Anti-virus definition</td><td colspan="4">Updated with each scan</td></tr>
- <tr><td>Microsoft 365 Apps for enterprise</td><td colspan="4"><a href="/microsoft-365/managed-desktop/get-started/m365-apps#updates-to-microsoft-365-apps">Learn more</a></td></tr>
- <tr><td>Microsoft Edge</td><td colspan="4"><a href="/microsoft-365/managed-desktop/get-started/edge-browser-app#updates-to-microsoft-edge">Learn more</a></td></tr>
- <tr><td>Microsoft Teams</td><td colspan="4"><a href="/microsoft-365/managed-desktop/get-started/teams#updates">Learn more</a></td></tr>
-</table>
+## Update deployment
+
+Below describes how update deployment works.
+
+| Step | Description |
+| | |
+| Step 1 | Microsoft Managed Desktop deploys a new feature or quality update according to the schedule specified in the following table.|
+| Step 2 | During deployment, Microsoft Managed Desktop monitors for signs of failure, or disruption based on diagnostic data and the user support system. If any are detected, we immediately pause the deployment to all current and future groups.<br><br> For example, if an issue is discovered while deploying a quality update to the First group, then update deployments to First, Fast, and Broad groups will be paused until the issue is mitigated. <br><br> You can report compatibility issues by filing a ticket in the Microsoft Managed Desktop Admin portal. <br><br> Feature and quality updates are paused independently. The pause is in effect for 35 days by default. However, it can be reduced or extended depending on whether the issue is mitigated. |
+| Step 3 | Once the groups are unpaused, deployment resumes according to the schedule in the table. |
+| Step 4| Users are empowered to respond to restart notifications for a set period. This period is known as the deadline, and it's measured from the time the update is offered to the device. <br><br> During this time, the device will only automatically restart outside active hours. After this period expires, the deadline has been reached and the device will restart at the next available opportunity, regardless of active hours. <br><br> The deadline for quality updates is three days; for feature updates it's five days. |
+
+> [!NOTE]
+> This deployment process applies to both feature and quality updates, though the timeline varies for each.
+
+## Deployment settings
+
+Update deployment settings listed below:
+
+| Update type | Test | First | Fast | Broad |
+| | | | | |
+| Quality updates for operating system | Zero days | Zero days | Zero days | Seven days |
+| Feature updates for operating system | Zero days | 30 days | 60 days | 90 days |
+| Drivers/firmware | Follows the schedule for quality updates. | Follows the schedule for quality updates. | Follows the schedule for quality updates. | Follows the schedule for quality updates. |
+| Anti-virus definition | Updated with each scan. | Updated with each scan. | Updated with each scan. | Updated with each scan. |
+| Microsoft 365 Apps for Enterprise | [Learn more](../get-started/m365-apps.md#updates-to-microsoft-365-apps) | [Learn more](../get-started/m365-apps.md#updates-to-microsoft-365-apps) | [Learn more](../get-started/m365-apps.md#updates-to-microsoft-365-apps) | [Learn more](../get-started/m365-apps.md#updates-to-microsoft-365-apps) |
+| Microsoft Edge | [Learn more](../get-started/edge-browser-app.md#updates-to-microsoft-edge) | [Learn more](../get-started/edge-browser-app.md#updates-to-microsoft-edge) | [Learn more](../get-started/edge-browser-app.md#updates-to-microsoft-edge) | [Learn more](../get-started/edge-browser-app.md#updates-to-microsoft-edge) |
+| Microsoft Teams | [Learn more](../get-started/teams.md#updates) | [Learn more](../get-started/teams.md#updates) | [Learn more](../get-started/teams.md#updates) | [Learn more](../get-started/teams.md#updates) |
>[!NOTE]
->These deferral periods are intentionally designed to ensure high security and performance standards for all users. Furthermore, based on data gathered across all Microsoft Managed Desktop devices and the varying scope and impact of updates, Microsoft Managed Desktop reserves flexibility to modify the length of the above deferral periods for any and all deployment groups on an ad hoc basis.
+>These deferral periods are intentionally designed to ensure high security and performance standards for all users.<br><br> Based on data gathered across all Microsoft Managed Desktop devices and the varying scope and impact of updates, Microsoft Managed Desktop reserves flexibility to modify the length of the above deferral periods for any and all deployment groups on an ad hoc basis.
>
->Microsoft Managed Desktop conducts an independent assessment of each Windows feature release to evaluate its necessity and usefulness to its managed tenants. Consequently, Microsoft Managed Desktop might or might not deploy all Windows feature updates.
+>Microsoft Managed Desktop conducts an independent assessment of each Windows feature release to evaluate its necessity and usefulness to its managed tenants. Consequently, Microsoft Managed Desktop might or might not deploy all Windows feature updates.
## Windows Insider Program
-Microsoft Managed Desktop does not support devices that are part of the Windows Insider program. The Windows Insider program is used to validate pre-release Windows software and is intended for devices that aren't mission critical. While it's an important Microsoft initiative, it's not intended for broad deployment in production environments.
+Microsoft Managed Desktop doesn't support devices that are part of the Windows Insider program.
+
+The Windows Insider program is used to validate pre-release Windows software. It's intended for devices that aren't mission critical. While it's an important Microsoft initiative, it's not intended for broad deployment in production environments.
-Any devices found with Windows Insider builds might be put into the Test group and will be exempt from update service level agreements and user support from Microsoft Managed Desktop.
+Any devices found with Windows Insider builds might be put into the Test group. These devices will be exempt from update service level agreements and user support from Microsoft Managed Desktop.
## Bandwidth management
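Review bot: Step 1 and Step 3 of the new "Update deployment" table still refer to "the schedule specified in the following table" and "the schedule in the table", but the schedule is now separated from the steps by a NOTE and the new "Deployment settings" heading; link to that section by name instead. In the settings table the quality-update row was changed to "Zero days" and "Seven days" while the feature-update row keeps "30 days", "60 days" and "90 days"; use numerals in both rows so the deferral periods can be compared at a glance. The two lead-ins, "Below describes how update deployment works." and "Update deployment settings listed below:", are not complete sentences.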
managed-desktop Admin Support https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/working-with-managed-desktop/admin-support.md
You can submit support tickets or feedback requests to Microsoft using the Micro
## Open a new support request
-Support requests are triaged and managed according to severity outlined in the [severity definition table](#sev). Feedback is reviewed and a response provided where requested.
+Support requests are triaged and managed according to severity outlined in the [severity definition table](#support-request-severity-definitions). Feedback is reviewed and a response provided where requested.
**To open a new support request:** 1. Sign in to [Microsoft Endpoint Manager](https://endpoint.microsoft.com/) and navigate to the **Tenant administration** menu.
-2. In the Microsoft Managed Desktop section, select **Service requests**.
+2. In the **Microsoft Managed Desktop** section, select **Service requests**.
3. In the **Service requests** section, select **+ New support request**. 4. Select the **Request type** that matches the help you need. The table below outlines the options.
-5. Select the **Severity** level. For more information, see [Support request severity definitions](#sev).
+5. Select the **Severity** level. For more information, see [severity definition table](#support-request-severity-definitions).
6. Provide as much information about the request as possible to help the team respond quickly. Depending on the type of request, you may be required to provide different details. 7. Review all the information you provided for accuracy. 8. When you're ready, select **Create**.
We appreciate your feedback and use it to improve the admin support experience.
When you're the primary contact on for a support request, you'll receive an email from Microsoft Managed Desktop Operations. The email will ask about your experience after your issue has been resolved. Feedback is actively monitored and shared with engineering to improve the service and prioritize future features. Be sure to focus on your experience and not include personal information in the feedback form. For more information about privacy, see the [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement).
-<span id="sev" />
- ## Support request severity definitions The initial response time is the period from when you submit your support request until a Microsoft Managed Desktop engineer contacts you, and starts working on your support request. The initial response time varies with the business impact of the request. It's based on the severity of the request.
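Review bot: Removing `<span id="sev" />` breaks any link that still targets `#sev`. The two in-page references are repointed to `#support-request-severity-definitions` in this change, but links from other articles to `admin-support.md#sev` are not visible here and need a search before merge. In step 5 the new link text also lost its article: "see [severity definition table]" should read "see the [severity definition table]", matching the sentence under "Open a new support request".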
The initial response time is the period from when you submit your support reques
| Severity level | Situation | Initial response time | Expected response from you | | -- | -- |-- | -- | | **Severity A: <br> Critical Impact** | **Critical business impact** <br>Your business has significant loss or degradation of services and requires immediate attention.<p>**Major application compatibility impact**<br>Your entire business is experiencing financial impact due to devices not responding or loss of critical functionality. | **Initial:** < 1 hour <p> **Update**: 60 minutes <br> 24-hour support every day is available.</p> | When you select Severity A, you confirm that the issue has critical business impact, with severe loss and degradation of services. <br><br> The issue demands an immediate response, and you commit to continuous engagement every day with the Microsoft team until resolution. Otherwise, Microsoft can, at its discretion, decrease the Severity to level B.<br><br> You also ensure that Microsoft has your accurate contact information.
-**Severity B: <br> Moderate Impact** | **Moderate business impact**<br>Your business has moderate loss or degradation of services, but work can reasonably continue in an impaired manner.<p>**Moderate application compatibility impact**<br>A specific business group is no longer productive, due to devices not responding or loss of critical functionality.| **Initial**: < 4 hours. <p> **Update**: 12 hours; 24 hours a day during admin support hours (Monday through Friday).| When you select Severity B, you confirm that the issue has moderate impact to your business with loss and degradation of services. However, workarounds enable reasonable, albeit temporary, business continuity. <br><br> The issue demands an urgent response. If you select all day every day support when you submit the support request, you commit to continuous engagement every day with the Microsoft team until resolution. Otherwise, Microsoft might, at its discretion, decrease the severity to level C. If you select admin support-hours support when you submit a Severity B incident, Microsoft will contact you during admin support hours only.<br><br>You also ensure that Microsoft has your accurate contact information.
+**Severity B: <br> Moderate Impact** | **Moderate business impact**<br>Your business has moderate loss or degradation of services, but work can reasonably continue in an impaired manner.<p>**Moderate application compatibility impact**<br>A specific business group is no longer productive, due to devices not responding or loss of critical functionality.| **Initial**: < 4 hours. <p> **Update**: 12 hours; 24 hours a day during admin support hours (Monday through Friday).| When you select Severity B, you confirm that the issue has moderate impact to your business with loss and degradation of services. However, workarounds enable reasonable, albeit temporary, business continuity. <br><br> The issue demands an urgent response. If you select *all day every day support* when you submit the support request, you commit to continuous engagement every day with the Microsoft team until resolution. Otherwise, Microsoft might, at its discretion, decrease the severity to level C. If you select *admin support-hours support* when you submit a Severity B incident, Microsoft will contact you during admin support hours only.<br><br>You also ensure that Microsoft has your accurate contact information.
**Severity C: <br> Minimal Impact** | **Minimum business impact**<br> Your business is functioning with minor impediments of services.<p>**Minor application compatibility impact**<br>Potentially unrelated users experience minor compatibility issues that don't prevent productivity. | **Initial**: < 8 hours.<p> **Update**: 24 hours; Support 24 hours a day during admin support hours (Monday through Friday). | When you select Severity C, you confirm that the issue has minimum impact to your business with minor impediment of service.<br><br> For a Severity C incident, Microsoft will contact you during admin support hours only.<br><br> You also ensure that Microsoft has your accurate contact information. ### More support request information
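Review bot: The Severity B cell marks the two support options with italics (*all day every day support*, *admin support-hours support*), while the same commit bolds UI labels in the request steps (**Microsoft Managed Desktop**, **Severity**). If these are the option names shown on the request form, make them bold and match the form's wording exactly so the reader can find them.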
security Mdb Configure Security Settings https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-configure-security-settings.md
audience: Admin Previously updated : 12/29/2021 Last updated : 02/14/2022 ms.prod: m365-security ms.technology: mdb localization_priority: Normal-+ f1.keywords: NOCSH - SMB
The following table describes settings to view (and if necessary, edit) in Defen
| **Microsoft 365 Defender** | **Account** | View details, such where your data is stored, your tenant ID, and your organization (org) ID. | | **Microsoft 365 Defender** | **Preview features** | Turn on preview features to try upcoming features and new capabilities. You can be among the first to preview new features and provide feedback. | | **Endpoints** | **Email notifications** | Set up or edit your email notification rules. When vulnerabilities are detected or an alert is created, the recipients specified in your email notification rules will receive an email. [Learn more about email notifications](mdb-email-notifications.md). |
-| **Endpoints** | **Device management** > **Onboarding** | Onboard devices to Defender for Business by using a downloadable script. To learn more, see [Onboard a device using a local script in Defender for Business](mdb-onboard-devices.md#onboard-a-device-using-a-local-script-in-defender-for-business). |
-| **Endpoints** | **Device management** > **Offboarding** | Offboard (remove) devices from Defender for Business (preview). When you offboard a device, it no longer sends data to Defender for Business (preview), but data received prior to offboarding is retained. To learn more, see [Offboard a device](mdb-onboard-devices.md#what-if-i-want-to-offboard-a-device). |
+| **Endpoints** | **Device management** > **Onboarding** | Onboard devices to Defender for Business by using a downloadable script. To learn more, see [Onboard devices to Microsoft Defender for Business (preview)](mdb-onboard-devices.md). |
+| **Endpoints** | **Device management** > **Offboarding** | Offboard (remove) devices from Defender for Business (preview). When you offboard a device, it no longer sends data to Defender for Business (preview), but data received prior to offboarding is retained. To learn more, see [Offboarding a device](mdb-onboard-devices.md#offboarding-a-device). |
### Access your settings in the Microsoft 365 Defender portal
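Review bot: The Onboarding row describes onboarding "by using a downloadable script", but its link now goes to the top of mdb-onboard-devices.md rather than to the script procedure. The renamed section has the anchor `#onboard-devices-using-a-local-script-in-defender-for-business`, so point the link there, as the Offboarding row does with `#offboarding-a-device`. The Onboarding row also says "Defender for Business" where the Offboarding row says "Defender for Business (preview)"; pick one form.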
security Mdb Manage Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-manage-devices.md
audience: Admin Previously updated : 02/09/2022 Last updated : 02/14/2022 ms.prod: m365-security ms.technology: mdb localization_priority: Normal
See [Onboard devices to Microsoft Defender for Business (preview)](mdb-onboard-d
## Offboard a device
-See [Offboard a device](mdb-onboard-devices.md#what-if-i-want-to-offboard-a-device).
+See [Offboarding a device](mdb-onboard-devices.md#offboarding-a-device).
## Next steps
security Mdb Onboard Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-onboard-devices.md
audience: Admin Previously updated : 02/07/2022 Last updated : 02/16/2022 ms.prod: m365-security ms.technology: mdb localization_priority: Normal
> > Some information in this article relates to prereleased products/services that might be substantially modified before they are commercially released. Microsoft makes no warranties, express or implied, for the information provided here.
+The device onboarding experience in Defender for Business was built on the same device onboarding processes that are used in Microsoft Defender for Endpoint. Watch the following video to see how it works:<br/><br/>
+
+> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4bGqr]
+ With Microsoft Defender for Business (preview), you have several options to choose from for onboarding your organization's devices. This article walks you through your options and includes an overview of how onboarding works.
-## What to do
+> [!TIP]
+> To view more detailed information about device onboarding in Defender for Endpoint, see [Onboard devices and configure Microsoft Defender for Endpoint capabilities](../defender-endpoint/onboard-configure.md).
-1. [Learn about onboarding methods](#types-of-onboarding-methods), and determine whether you're using automatic onboarding or manual onboarding.
+## What to do
-2. Do one of the following:
+1. See your options for [onboarding devices](#device-onboarding-methods).
- - If you're using automatic onboarding, proceed to [Step 5: Configure your security settings and policies in Microsoft Defender for Business (preview)](mdb-configure-security-settings.md).
- - If you're onboarding devices manually, choose an onboarding method in [Types of onboarding methods](#types-of-onboarding-methods), and then follow the instructions for that method.
- - If you're already using Microsoft Intune, proceed to [Onboard devices using Microsoft Intune](#onboard-devices-using-microsoft-intune).
+2. Onboard a device by using one of the following methods:
+ - [Automatic onboarding for Windows devices enrolled in Microsoft Endpoint Manager](#automatic-onboarding-for-windows-devices-enrolled-in-microsoft-endpoint-manager)
+ - [A local script for Windows, macOS, and Linux devices](#onboard-devices-using-a-local-script-in-defender-for-business)
+ - [Microsoft Endpoint Manager for computers, tablets, and phones](#onboard-devices-using-microsoft-endpoint-manager)
+ - [Group Policy for Windows devices](#onboard-windows-devices-using-group-policy)
+ - [Another method not listed here](#onboard-devices-using-a-method-not-listed-here)
-3. [Run a detection test](#run-a-detection-test) for newly onboarded devices.
+3. [Run a detection test](#run-a-detection-test) for newly onboarded Windows devices.
-4. [See next steps](#next-steps).
+4. [See your next steps](#next-steps).
-This article also includes information about [how to offboard a device](#what-if-i-want-to-offboard-a-device).
+This article also includes information about [Offboarding a device](#offboarding-a-device).
-## Types of onboarding methods
+## Device onboarding methods
-The following table describes the types of onboarding methods that are supported in Defender for Business during preview.
-<br/><br/>
+The following table describes the most commonly used methods to onboard devices to Defender for Business.
| Onboarding method | Description | |||
-| **Automatic onboarding**<br/>(*available to customers who are already using Microsoft Endpoint Manager*) | If you were already using Microsoft Endpoint Manager before getting Defender for Business (preview), Defender for Business will detect that. You'll be asked if you want to use the automatic onboarding process for devices that were previously onboarded to Microsoft Endpoint Manager. <br/><br/>Automatic onboarding sets up a connection between Defender for Business (preview) and Microsoft Endpoint Manager, and then onboards devices to Defender for Business (preview). This option enables you to onboard devices to Defender for Business (preview) quickly and efficiently. All Windows devices that are currently enrolled in Microsoft Endpoint Manager will be onboarded to Defender for Business. <br/><br/>If you choose automatic onboarding, skip the procedures in this article and proceed to [Step 5: Configure your security settings and policies in Microsoft Defender for Business (preview)](mdb-configure-security-settings.md). |
-| **Local script**<br/>(*recommended during preview; useful for onboarding a few devices at a time*) | During preview, you can onboard devices in Defender for Business (preview) by using a script that you download and run on macOS, Windows 10 or 11, and Linux devices. Running the script on a device creates a trust with Azure Active Directory (Azure AD) and enrolls the device with Microsoft Intune. The process is similar to that of [onboarding devices to Microsoft Defender for Endpoint](../defender-endpoint/onboarding.md).<br/><br/>To use this method, proceed to [Onboard a device using a local script in Microsoft 365 Defender](#onboard-a-device-using-a-local-script-in-defender-for-business). |
-| **Microsoft Intune** <br/>(*available to customers who are already using Microsoft Intune*) | If you were already using [Microsoft Intune](/mem/intune/fundamentals/what-is-intune) before getting Defender for Business (preview), you can use Microsoft Intune to onboard devices. During preview, you can use Microsoft Intune to onboard Windows, iOS, macOS, Linux, and Android devices to Defender for Business (preview). <br/><br/>To use this method, see [Device enrollment in Intune](/mem/intune/enrollment/device-enrollment). |
-| **Group Policy** | [Group Policy](/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh831791(v=ws.11)) is an infrastructure that allows you to specify managed configurations for users and computers through Group Policy settings and Group Policy Preferences. A Group Policy object (GPO) is a logical object composed a Group Policy container and a Group Policy template. If your organization is already using Group Policy, you can create GPOs and apply them to your organization's devices in Defender for Business (preview).<br/><br/>To learn more about this method, see [Onboard Windows devices using Group Policy](../defender-endpoint/configure-endpoints-gp.md). |
-| **VDI onboarding script** | If your organization is using non-persistent virtual desktop infrastructure (VDI) devices, you can onboard those endpoints using a downloadable script. <br/><br/>To learn more about this method, see [Onboard non-persistent VDI devices](../defender-endpoint/configure-endpoints-vdi.md). |
+| **Automatic onboarding**<br/>(*available to customers who are already using Microsoft Endpoint Manager*) | Automatic onboarding sets up a connection between Defender for Business (preview) and Microsoft Endpoint Manager, and then onboards Windows devices to Defender for Business (preview). Devices must already be enrolled in Endpoint Manager.<br/><br/>To learn more, see [Use automatic onboarding for Windows devices enrolled in Microsoft Endpoint Manager](#automatic-onboarding-for-windows-devices-enrolled-in-microsoft-endpoint-manager). |
+| **Local script**<br/>(*recommended during preview; useful for onboarding a few devices at a time*) | You can onboard computers to Defender for Business (preview) by using a script that you download and run on Windows, macOS, or Linux devices. The script sets up a trust with Azure Active Directory and enrolls the device.<br/><br/>To use this method, see [Onboard devices using a local script in Defender for Business](#onboard-devices-using-a-local-script-in-defender-for-business). |
+| **Microsoft Intune** or **Microsoft Endpoint Manager**<br/>(*available to customers who are already using Microsoft Intune or Endpoint Manager*) | [Microsoft Intune](/mem/intune/fundamentals/what-is-intune) and [Mobile Device Management](/mem/intune/enrollment/device-enrollment) are part of Endpoint Manager. If you were already using Endpoint Manager before you got Defender for Business (preview), you can opt to continue using Endpoint Manager to onboard and manage devices<br/><br/>To use this method, see [Onboard devices using Microsoft Endpoint Manager](#onboard-devices-using-microsoft-endpoint-manager). |
+| **Group Policy** | If your organization is already using Group Policy, you can create GPOs and apply them to your organization's devices in Defender for Business (preview).<br/><br/>To learn more about this method, see [Onboard Windows devices using Group Policy](#onboard-windows-devices-using-group-policy). |
+> [!IMPORTANT]
+> If something goes wrong and your onboarding process fails, see [Microsoft Defender for Business troubleshooting](mdb-troubleshooting.yml).
-> [!TIP]
-> If something goes wrong while onboarding devices, see [Microsoft Defender for Business (preview) troubleshooting](mdb-troubleshooting.yml).
+## Automatic onboarding for Windows devices enrolled in Microsoft Endpoint Manager
+
+The automatic onboarding option applies to Windows devices only. This option is available if your organization was already using Microsoft Endpoint Manager, Microsoft Intune, or Mobile Device Management (MDM) in Microsoft Intune before you got Defender for Business (preview), and you already have Windows devices enrolled in Endpoint Manager.
+
+If Windows devices are already enrolled in Endpoint Manager, Defender for Business will detect those devices while you are in the process of setting up and configuring Defender for Business. You'll be asked if you want to use automatic onboarding for all or some of your Windows devices.
+
+The automatic onboarding process sets up a connection between Defender for Business and Endpoint Manager, and then onboards devices to Defender for Business. You can choose to onboard all enrolled Windows devices at one time, or select a set of Windows devices to onboard.
-## Onboard a device using a local script in Defender for Business
+To learn more, see step 3 in [Use the wizard to set up Microsoft Defender for Business (preview)](mdb-use-wizard.md).
+
+## Onboard devices using a local script in Defender for Business
+
+You can use a local script to onboard Windows, macOS, and Linux devices to Defender for Business. When you run the onboarding script on a device, it creates a trust with Azure Active Directory, enrolls the device in Microsoft Endpoint Manager, and onboards the device to Defender for Business. This method is useful for onboarding devices in Defender for Business and for onboarding a few devices at a time.
1. Go to the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), and sign in.
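Review bot: The last sentence of the new intro under "Onboard devices using a local script in Defender for Business" is circular: "This method is useful for onboarding devices in Defender for Business and for onboarding a few devices at a time" says nothing in its first half. The table row above already gives the real guidance, so the sentence could read "This method is recommended during preview and is useful for onboarding a few devices at a time." In the Microsoft Intune or Microsoft Endpoint Manager table row, "onboard and manage devices" is missing its closing period before the line breaks.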
The following table describes the types of onboarding methods that are supported
- macOS devices: [Manual deployment for Microsoft Defender for Endpoint on macOS](../defender-endpoint/mac-install-manually.md#client-configuration) - Linux devices: [Deploy Microsoft Defender for Endpoint on Linux manually](../defender-endpoint/linux-install-manually.md#client-configuration)
-6. Proceed to [Run a detection test](#run-a-detection-test) for Windows devices.
- > [!IMPORTANT] > If something goes wrong and your onboarding process fails, see [Microsoft Defender for Business (preview) troubleshooting](mdb-troubleshooting.yml).
-## Onboard devices using Microsoft Intune
+## Onboard devices using Microsoft Endpoint Manager
+
+If you were already using Microsoft Intune before getting Defender for Business (preview), you can continue to use Microsoft Intune to onboard devices. With Endpoint Manager, you can onboard computers, tablets, and phones.
+
+See [Device enrollment in Microsoft Intune](/mem/intune/enrollment/device-enrollment).
+
+## Onboard Windows devices using Group Policy
+
+[Group Policy](/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh831791(v=ws.11)) is an infrastructure that allows you to specify managed configurations for users and computers through Group Policy settings and Group Policy Preferences. A Group Policy object (GPO) is a logical object composed a Group Policy container and a Group Policy template.
+
+If your organization is already using Group Policy to manage devices, you can use Group Policy to onboard devices to Defender for Business. If you're brand new to Group Policy,we recommend using another method, such as Endpoint Manager or a local script instead.
+
+See [Onboard Windows devices using Group Policy](../defender-endpoint/configure-endpoints-gp.md).
+
+## Onboard devices using a method not listed here
-If you were already using Microsoft Intune before getting Defender for Business (preview), you can use Microsoft Intune to onboard devices. To get help with this, see [Device enrollment in Microsoft Intune](/mem/intune/enrollment/device-enrollment).
+If you want to use another method that is not listed in this article to onboard devices, see [Onboarding and configuration tool options](../defender-endpoint/onboard-configure.md#onboarding-and-configuration-tool-options).
## Run a detection test
-After you've onboarded a Windows device manually, you can run a detection test to make sure that everything is working correctly with Defender for Business (preview).
+After you've onboarded Windows devices to Defender for Business (preview), you can run a detection test on a Windows device to make sure that everything is working correctly.
1. On the Windows device, create a folder: `C:\test-MDATP-test`.
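Review bot: Removing step 6 ("Proceed to Run a detection test") takes away the local-script procedure's closing pointer to verification, so a reader who follows the numbered steps is no longer told to confirm that the device actually onboarded; consider keeping a final step that links to #run-a-detection-test. There are two typos in the new Group Policy section: "composed a Group Policy container" should be "composed of a Group Policy container", and "Group Policy,we recommend" needs a space after the comma. The new "Onboard devices using Microsoft Endpoint Manager" section is headed Endpoint Manager, but its body says "continue to use Microsoft Intune"; use one name or state the relationship the way the table row does.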
After you've onboarded a Windows device manually, you can run a detection test t
powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden $ErrorActionPreference = 'silentlycontinue';(New-Object System.Net.WebClient).DownloadFile('http://127.0.0.1/1.exe', 'C:\\test-MDATP-test\\invoice.exe');Start-Process 'C:\\test-MDATP-test\\invoice.exe' ```
-After the command has run, the Command Prompt window will close automatically. If successful, the detection test will be marked as completed, and a new alert will appear in the Microsoft 365 Defender portal for the newly onboarded device in about 10 minutes.
+After the command has run, the Command Prompt window will close automatically. If successful, the detection test will be marked as completed, and a new alert will appear in the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) for the newly onboarded device in about 10 minutes.
-## What if I want to onboard devices gradually?
+## Gradual device onboarding
If you want to onboard your organization's devices in phases, follow these steps:
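Review bot: Renaming "## What if I want to onboard devices gradually?" to "## Gradual device onboarding" changes the generated heading anchor, so any link that targets the old anchor will stop resolving. This update already had to change the local-script anchor in mdb-tutorials.md for the same reason; please check for inbound links to the old gradual-onboarding anchor, and to the offboarding anchor, since "## What if I want to offboard a device?" is renamed in the next hunk as well. The new noun-phrase headings also differ from the imperative style of the other headings in this file ("Run a detection test", "Onboard Windows devices using Group Policy"); "Onboard devices gradually" and "Offboard a device" would match.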
If you want to onboard your organization's devices in phases, follow these steps
> [!TIP] > You don't have to use the same onboarding package every time you onboard devices. For example, you can use a local script to onboard some devices, and later on, you can choose another method to onboard more devices.
-## What if I want to offboard a device?
+## Offboarding a device
If you want to offboard a device, follow these steps:
security Mdb Requirements https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-requirements.md
audience: Admin Previously updated : 02/08/2022 Last updated : 02/14/2022 ms.prod: m365-security ms.technology: mdb localization_priority: Normal
The following table lists the basic requirements to configure and use Microsoft
| Permissions | To sign up for Microsoft Defender for Business (preview), you must be a Global Admin.<br/><br/>To access the Microsoft 365 Defender portal, users must have one of the following [roles in Azure AD](mdb-roles-permissions.md) assigned: <br/>- Security Reader<br/>- Security Admin<br/>- Global Admin<br/><br/>To learn more, see [Roles and permissions in Microsoft Defender for Business (preview)](mdb-roles-permissions.md). | | Browser requirements | Microsoft Edge or Google Chrome | | Operating system | To manage devices in Microsoft Defender for Business (preview), your devices must be running one of the following operating systems: <br/>- Windows 10 Business or later <br/>- Windows 10 Professional or later <br/>- Windows 10 Enterprise or later <br/><br/>Make sure that [KB5006738](https://support.microsoft.com/topic/october-26-2021-kb5006738-os-builds-19041-1320-19042-1320-and-19043-1320-preview-ccbce6bf-ae00-4e66-9789-ce8e7ea35541) is installed. <br/><br/>If you're already managing devices in Microsoft Intune (or Microsoft Endpoint Manager), or if you're using a non-Microsoft device management solution, your devices must be running one of the [operating systems that are supported in Microsoft Defender for Endpoint](../defender-endpoint/minimum-requirements.md). |
-| Integration with Microsoft Endpoint Manager | **During preview, you can onboard devices using a local script, which does not require integration with Microsoft Endpoint Manager**. But if you plan to onboard devices to Defender for Business (preview) manually by using downloadable packages for Microsoft Endpoint Manager, Group Policy, System Center Configuration Manager, or Mobile Device Management, then the following requirements must be met: <br/><br/>Devices must be running Windows 10 or 11 Professional/Enterprise (with [KB5006738](https://support.microsoft.com/topic/october-26-2021-kb5006738-os-builds-19041-1320-19042-1320-and-19043-1320-preview-ccbce6bf-ae00-4e66-9789-ce8e7ea35541) applied). <br/><br/>Prerequisites must be met for [Security Management for Microsoft Defender for Endpoint](/mem/intune/protect/mde-security-integration).<br/>- Azure AD must be configured such that trust is created between your organization's devices and Azure AD. <br/>- Defender for Business (preview) must have security management enabled in Microsoft Endpoint Manager.<br/><br/>Devices must be able to connect to the following URLs:<br/>- `enterpriseregistration.windows.net` (for registration in Azure AD)<br/>- `login.microsoftonline.com` (for registration in Azure AD)<br/>- `*.dm.microsoft.com` (The wildcard (*) supports the cloud-service endpoints that are used for enrollment, check-in, and reporting, and can change as the service scales.) |
+| Integration with Microsoft Endpoint Manager | **During preview, you can onboard devices using a local script, which does not require integration with Microsoft Endpoint Manager**. But if you plan to onboard devices to Defender for Business (preview) manually by using downloadable packages for Microsoft Endpoint Manager, Group Policy, System Center Configuration Manager, or Mobile Device Management, then the following requirements must be met:<br/><br/>Prerequisites must be met for [Security Management for Microsoft Defender for Endpoint](/mem/intune/protect/mde-security-integration).<br/>- Azure AD must be configured such that trust is created between your organization's devices and Azure AD. <br/>- Defender for Business (preview) must have security management enabled in Microsoft Endpoint Manager.<br/><br/>Devices must be able to connect to the following URLs:<br/>- `enterpriseregistration.windows.net` (for registration in Azure AD)<br/>- `login.microsoftonline.com` (for registration in Azure AD)<br/>- `*.dm.microsoft.com` (The wildcard (*) supports the cloud-service endpoints that are used for enrollment, check-in, and reporting, and can change as the service scales.) |
> [!NOTE] > [Azure Active Directory (Azure AD)](/azure/active-directory/fundamentals/active-directory-whatis) is used to manage user permissions and device groups. Azure AD is included in your Defender for Business (preview) subscription.
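Review bot: The bolded sentence kept in the "Integration with Microsoft Endpoint Manager" row says the local script "does not require integration with Microsoft Endpoint Manager", but the intro added to mdb-onboard-devices.md in this same update says the script "enrolls the device in Microsoft Endpoint Manager". One of the two needs rewording so administrators know whether running the script enrolls the device in Endpoint Manager. Separately, the removed sentence was the only place in this row that tied the downloadable-package methods to Windows 10 or 11 Professional/Enterprise with KB5006738; the Operating system row still carries the KB requirement, so please confirm that row is meant to cover these methods too.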
security Mdb Tutorials https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-tutorials.md
audience: Admin Previously updated : 01/06/2022 Last updated : 02/15/2022 ms.prod: m365-security ms.technology: mdb localization_priority: Normal
The following table summarizes several scenarios to try during the preview of De
| Scenario | Description | |||
-| Onboard devices using a local script | In Defender for Business (preview), you can onboard Windows 10 and 11 devices using a script that you download and run on each device. The script creates a trust with Azure Active Directory (Azure AD) and enrolls the device with Microsoft Intune. To learn more, see [Onboard a device using a local script in Defender for Business (preview)](mdb-onboard-devices.md#onboard-a-device-using-a-local-script-in-defender-for-business). |
+| Onboard devices using a local script | In Defender for Business (preview), you can onboard Windows 10 and 11 devices using a script that you download and run on each device. The script creates a trust with Azure Active Directory (Azure AD) and enrolls the device with Microsoft Intune. To learn more, see [Onboard devices using a local script in Defender for Business](mdb-onboard-devices.md#onboard-devices-using-a-local-script-in-defender-for-business). |
| Onboard devices using Microsoft Intune | If you were already using Microsoft Intune before getting Defender for Endpoint, you can use Microsoft Intune to onboard devices. Try onboarding macOS, iOS, Linux, and Android devices with Microsoft Intune. To learn more, see [Device enrollment in Microsoft Intune](/mem/intune/enrollment/device-enrollment). | | Edit security policies | If you're managing your security policies in Defender for Business (preview), use the **Device configuration** page to view and edit your policies. To learn more, see [View or edit policies in Microsoft Defender for Business (preview)](mdb-view-edit-policies.md). | | Execute a simulated attack | Several tutorials and simulations are available in Defender for Business (preview). These tutorials and simulations are designed to show you firsthand how the threat protection features of Defender for Business (preview) can work for your organization. To try one or more of the tutorials, see [Recommended tutorials for Microsoft Defender for Business (preview)](#recommended-tutorials-for-defender-for-business). |
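Review bot: The updated local-script row still says the script onboards "Windows 10 and 11 devices", while the onboarding article changed in this same update describes the script as running on Windows, macOS, or Linux devices; the scenario description should be brought in line with it. The row also says the script "enrolls the device with Microsoft Intune" where the onboarding article now says Microsoft Endpoint Manager. The anchor change itself matches the renamed heading.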
security Mdb Use Wizard https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-use-wizard.md
audience: Admin Previously updated : 02/08/2022 Last updated : 02/16/2022 ms.prod: m365-security ms.technology: mdb localization_priority: Normal
The wizard is designed to help you set up and configure Defender for Business qu
2. **Set up email notifications**. In this step, you determine who should receive email notifications in the event of a detected vulnerability or a new alert. Email notifications can help keep your security team informed, even if they're away from their desk. [Learn more about email notifications](mdb-email-notifications.md).
-3. **Onboard and configure Windows devices**. In this step, you can onboard your organization's Windows devices to Defender for Business quickly. Onboarding devices right away helps to protect those devices from day one. [Learn more about device onboarding](mdb-onboard-devices.md).
+3. **Onboard and configure Windows devices**. In this step, you can onboard your organization's Windows devices to Defender for Business quickly. Onboarding devices right away helps to protect those devices from day one.
- - If you're already using Microsoft Endpoint Manager (which includes Microsoft Intune), you'll be asked if you want to use automatic onboarding, which sets up a connection between Endpoint Manager and Defender for Business, and then onboards all Windows devices that are enrolled in Endpoint Manager.
- - If you're not already using Endpoint Manager, you can use gradual device onboarding and choose a set of devices to onboard to Defender for Business.
+ - If you're already using Microsoft Intune (part of Microsoft Endpoint Manager), and your organization has devices enrolled in Endpoint Manager, you'll be asked whether you want to use automatic onboarding for some or all of your enrolled Windows devices. Automatic onboarding sets up a connection between Endpoint Manager and Defender for Business, and then onboards Windows devices to Defender for Business seamlessly.
+
+ - If you're not already using Endpoint Manager, or if you have non-Windows devices enrolled in Endpoint Manager, you can onboard devices to Defender for Business (preview) manually.
+
+ - See [Onboard devices to Microsoft Defender for Business (preview)](mdb-onboard-devices.md).
4. **Configure your security policies**. Defender for Business includes default security policies that can be applied to your organization's devices. These default policies use recommended settings and are designed to provide strong protection for your devices. However, you can also create your own security policies if you wish. And, if you're already using Endpoint Manager, you can continue using that to manage your security policies.
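Review bot: The added "See [Onboard devices to Microsoft Defender for Business (preview)](mdb-onboard-devices.md)" is formatted as a third sub-bullet, parallel to the two "If you're ..." conditions, although it applies to both of them; it reads better as a closing sentence under step 3, where the removed "Learn more about device onboarding" link used to sit. In the first bullet, "seamlessly" gives an administrator nothing to act on and can be dropped.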
security Ios Whatsnew https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/ios-whatsnew.md
Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](
Microsoft Defender for Endpoint on iOS now has specialized ability on supervised iOS/iPadOS devices, given the increased management capabilities provided by the platform on these types of devices. It can also provide Web Protection **without setting up a local VPN on the device**. This gives end-users a seamless experience while still being protected from phishing and other web-based attacks. For details, visit [this documentation](ios-install.md#complete-deployment-for-supervised-devices)
+## Microsoft Defender for Endpoint is now Microsoft Defender in the App store
+
+Microsoft Defender for Endpoint is now available as **Microsoft Defender** in the app store. With this update, the app will be available as preview for **Consumers in the US region**. Based on how you log into the app with your work or personal account, you will have access to features for Microsoft Defender for Endpoint or to features for Microsoft Defender for individuals. For more information, see [this blog](https://www.microsoft.com/microsoft-365/microsoft-defender-for-individuals).
+ ## Threat and Vulnerability Management On January 25, 2022, we announced the general availability of Threat and Vulnerability management on Android and iOS. For more details, see [the techcommunity post here](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/announcing-general-availability-of-vulnerability-management/ba-p/3071663).
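Review bot: The sentence "With this update, the app will be available as preview for **Consumers in the US region**" does not say what changes for organizations: it can be read as the whole app being in preview or being limited to the US. Please state explicitly which features are in preview and whether users who sign in with a work account see any change beyond the new name. Style points: the heading has "App store" while the body has "app store", "Consumers" is capitalized mid-sentence, and "log into" should be "sign in to" to match the "sign in" wording used in the other articles in this update.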
security Microsoft Defender Endpoint Ios https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-ios.md
ms.technology: mde
**System Requirements** -- iOS device running iOS 12.0 and above. iPads are also supported.
+- iOS device running iOS 12.0 and above. iPads are also supported. *Note that starting 31-March-2022, the minimum supported iOS version by Microsoft Defender for Endpoint will be iOS 13.0.*
- The device is either enrolled with the [Intune Company Portal app](https://apps.apple.com/us/app/intune-company-portal/id719171358) or is registered with Azure Active Directory through [Microsoft Authenticator](https://apps.apple.com/app/microsoft-authenticator/id983156458) with the same account.
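Review bot: The upcoming minimum-version change is easy to miss as an italic aside at the end of the bullet, and after the cutoff it makes the bullet contradict itself ("iOS 12.0 and above" against a minimum of iOS 13.0). Put it in a [!NOTE] or [!IMPORTANT] callout under the requirements list, write the date as March 31, 2022 to match the date style used in ios-whatsnew.md, and plan a follow-up change that updates the bullet to iOS 13.0 on that date.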
security Run Analyzer Macos Linux https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/run-analyzer-macos-linux.md
ms.technology: m365d
# Run the client analyzer on macOS and Linux + **Applies to:** - [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037)
ms.technology: m365d
1. Download the [XMDE Client Analyzer](https://aka.ms/XMDEClientAnalyzer) tool to the macOS or Linux machine you need to investigate. > [!NOTE]
- > The current SHA256 hash of 'XMDEClientAnalyzer.zip' that is downloaded from the above link is: '34C0DA20A6B38A16951394958991CD74EF7E07EB1DE06923547B351665A32DF6'.
+ > The current SHA256 hash of 'XMDEClientAnalyzer.zip' that is downloaded from the above link is: 'AA6E73A5F451C3B78B066C9D55EE6499CE3C2F1A6E05CCE691A6055F36F93A3B'.
2. Extract the contents of XMDEClientAnalyzer.zip on the machine.
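Review bot: The note pins a single "current" SHA256 value for a file served from a redirect link (aka.ms/XMDEClientAnalyzer) with no tool version or date beside it, so each new build of the zip makes the documented hash wrong until this article is edited again, and a reader cannot tell a stale article from a tampered download. Add the analyzer version or release date next to the hash, and tell readers how to compare it, for example with `sha256sum XMDEClientAnalyzer.zip` on Linux or `shasum -a 256 XMDEClientAnalyzer.zip` on macOS, noting that those tools print lowercase hex while the value here is uppercase.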
security Migrate To Defender For Office 365 Prepare https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/migrate-to-defender-for-office-365-prepare.md
Review your existing protection features in Microsoft 365 and consider removing
## Move features that modify messages into Microsoft 365
-You need to transfer any customizations or features that modify messages in any way into Microsoft 365. For example, your existing protection service adds an **External** tag to the subject or message body of messages from external senders.
+You need to transfer any customizations or features that modify messages in any way into Microsoft 365. For example, your existing protection service adds an **External** tag to the subject or message body of messages from external senders. Any link wrapping feature will also cause problems with some messages. If you're using such a feature today, you should prioritize the rollout of Safe Links as an alternative to minimize problems.
-If you don't disable this functionality in your existing protection service, you can expect the following negative results in Microsoft 365:
+If you don't turn off message modification features in your existing protection service, you can expect the following negative results in Microsoft 365:
-- DKIM will break.-- [Spoof intelligence](anti-spoofing-protection.md) will not work properly.
+- DKIM will break. Not all senders rely on DKIM, but those that do will fail authentication.
+- [Spoof intelligence](anti-spoofing-protection.md) and the tuning step later in this guide will not work properly.
- You'll probably get a high number of false positives (good mail marked as bad).
-To recreate this functionality in Microsoft 365, you have the following options:
+To recreate external sender identification in Microsoft 365, you have the following options:
- The [Outlook external sender call-out feature](https://techcommunity.microsoft.com/t5/exchange-team-blog/native-external-sender-callouts-on-email-in-outlook/ba-p/2250098), together with [first contact safety tips](set-up-anti-phishing-policies.md#first-contact-safety-tip). - Mail flow rules (also known as transport rules). For more information, see [Organization-wide message disclaimers, signatures, footers, or headers in Exchange Online](/exchange/security-and-compliance/mail-flow-rules/disclaimers-signatures-footers-or-headers).
+Microsoft is working with the industry to support the Authenticated Received Chain (ARC) standard in the near future. If you wish to leave any message modification features enabled at your current mail gateway provider, then we recommend contacting them about their plans to support this standard.
+ ## Account for any active phishing simulations If you have active third-party phishing simulations, you need to prevent the messages, links, and attachments from being identified as phishing by Defender for Office 365. For more information, see [Configure third-party phishing simulations in the advanced delivery policy](configure-advanced-delivery.md#use-the-microsoft-365-defender-portal-to-configure-third-party-phishing-simulations-in-the-advanced-delivery-policy).
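Review bot: The added sentence "Any link wrapping feature will also cause problems with some messages" is too vague to act on: it names neither the problem nor which messages are affected. Say what breaks, as the bullet list below does for DKIM, spoof intelligence and false positives, and link to the Safe Links documentation where its rollout is recommended. In the second new bullet, "the tuning step later in this guide" should be a link to that step. The ARC paragraph relies on "in the near future", which will date quickly; a link to a roadmap item or a dated statement would hold up better.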