-

-To apply your model to to a SharePoint document library:

-2. You can then select the SharePoint site that contains the document library that you want to apply the model to. If the site does not show in the list, use the search box to find it.

-4. Because the model is associated to a content type, when you apply it to the library it will add the content type and its view with the labels you extracted showing as columns. By default, this view is the library's default view. However, you can optionally choose to not have it be the default view by selecting **Advanced settings** and clearing the **Set this new view as the default** checkbox.

- 

-The model identifies any files and folders with the modelΓÇÖs associated content type and lists them in your view. If your model has any extractors, the view displays columns for the data you are extracting from each file or folder.

-While an applied model processes all files and folder content uploaded to the document library after it is applied, you can also do the following to run the model on files and folder content that already exist in the document library prior to the model being applied:

-# Overview

-Microsoft Managed Desktop is an IT-as-a-Service (ITaaS) service for enterprise cloud customers designed to keep employeesΓÇÖ Windows devices deployed and updated. It also provides IT service management and operations, monitors security and incident response, as well as providing user support. This documentation provides additional details on data platform and privacy compliance for Microsoft Managed Desktop.

-Microsoft Managed Desktop provides its service to enterprise customers and properly administers customersΓÇÖ enrolled devices by using data from various sources. These sources, including Azure Active Directory, Microsoft Intune, Microsoft Windows 10, and Microsoft Defender for Endpoint, provide a comprehensive view of the devices that Microsoft Managed Desktop manages. The service also uses these Microsoft services to enable Microsoft Managed Desktop to provide ITaaS capabilities:

- - [Microsoft Azure Active Directory](/azure/active-directory/) - for authentication and identification of all user accounts.

- - [Microsoft Intune](/mem/intune/) ΓÇô for distributing device configurations, device management and application management.

- - [Endpoint Analytics](/mem/analytics/overview) ΓÇô for analytical insights about device and app usage.

- - [Windows Autopilot](/microsoft-365/windows/windows-autopilot) ΓÇô for device provisioning and deployment.

- - [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/) ΓÇô provides security services such as device security monitoring and security intelligence data.

-Microsoft Managed Desktop relies on data from multiple Microsoft products and services to provide its service to enterprise customers. To accomplish the goal of protecting and maintaining enrolled devices, we process and copy data from these services to Microsoft Managed Desktop. When we process data, we follow the documented directions you provide, as referenced in the [Online Services Terms](https://www.microsoft.com/licensing/product-licensing/products) and [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement). Microsoft Managed DesktopΓÇÖs processor duties include ensuring appropriate confidentiality, security, and resilience. Microsoft Managed Desktop employs additional privacy and security measures to ensure proper handling of personal identifiable data.

-Microsoft Managed Desktop stores its data in the Azure data centers in the United States. Personal data obtained by Microsoft Managed Desktop and other services are required to keep the service operational. If a device is removed from Microsoft Managed Desktop, we keep personal data for a maximum of 30 days except for alert data collected by Microsoft Defender for Endpoint, which is stored for 180 days for security purposes. For more information on data retention, see [Data retention, deletion, and destruction in Microsoft 365](/compliance/assurance/assurance-data-retention-deletion-and-destruction-overview).

-Microsoft Managed Desktop Engineering Operations and Security Operations teams are located in the United States and India.

-Microsoft Managed Desktop uses [Windows 10 Enhanced diagnostic data](/windows/privacy/windows-diagnostic-data) to keep Windows secure, up to date, troubleshoot problems, and make product improvements. The enhanced diagnostic data setting includes more detailed information about the devices enrolled in Microsoft Managed Desktop and their settings, capabilities, and device health. When enhanced diagnostic data is selected, data, including required diagnostic data, are collected. See [Changes to Windows diagnostic data collection](/windows/privacy/changes-to-windows-diagnostic-data-collection) for more information about the Windows 10 diagnostic data setting and data collection.

-The diagnostic data terminology will change in future versions of Windows. Microsoft Managed Desktop is committed to processing only the data that the service needs. While this will mean the diagnostic level will change to **Optional**, Microsoft Managed Desktop will implement the limited diagnostic policies to fine-tune diagnostic data collection required for the service. For more details, see [Changes to Windows diagnostic data collection](/windows/privacy/changes-to-windows-diagnostic-data-collection).

-Microsoft Managed Desktop only processes and stores system-level data from Windows 10 optional diagnostic data originating from enrolled devices such as application and device reliability and performance information. Microsoft Managed Desktop does not process and store customersΓÇÖ personal data such as chat and browser history, voice, text, or speech data.

-Microsoft Windows Update for Business uses data from Windows diagnostics to analyze update status and failures. Microsoft Managed Desktop leverages this data and uses it to mitigate and resolve problems to ensure that all registered devices are up to date based on a predefined update cadence.

-Identifying data used by Microsoft Managed Desktop is stored by Azure Active Directory (Azure AD) in a geographical location based on the location provided by the organization when subscribing to Microsoft online services, such as Microsoft Apps for enterprise and Azure. Identifying data used by Microsoft Managed Desktop is stored by Azure AD in a geographical location based on the location provided by the organization when subscribing to Microsoft online services such as Microsoft Apps for enterprise and Azure. For more information on where your Azure AD data is located, see [Azure Active Directory - Where is your data located?](https://msit.powerbi.com/view?r=eyJrIjoiODdjOWViZDctMWRhZS00ODUzLWI4MmQtNWM5NjBkZTBkNjFlIiwidCI6IjcyZjk4OGJmLTg2ZjEtNDFhZi05MWFiLTJkN2NkMDExZGI0NyIsImMiOjV9)

-Microsoft Intune collects, processes, and shares data to Microsoft Managed Desktop to support business operations and services. See [Data collection in Intune](/mem/intune/protect/privacy-data-collect) for more information about the data collected in Intune.

-Microsoft Defender for Endpoint collects and stores information for devices enrolled in Microsoft Managed Desktop for administration, tracking, and reporting purposes. Information collected includes file data (such as file names, size, and hashes), process data (running processes, hashes), registry data, network connection data, and device details (such as device identifiers, device names, and the operating system version). See [Microsoft Defender for Endpoint data storage and privacy](/microsoft-365/security/defender-endpoint/data-storage-privacy#what-data-does-microsoft-defender-atp-collect) for more information on Microsoft Defender for EndpointΓÇÖs data collection and storage locations.

-### Microsoft 365 Apps for enterprise

-Microsoft 365 Apps for enterprise collects and shares data with Microsoft Managed Desktop to ensure those apps are up to date with the latest version based on predefined update channels managed by Microsoft Managed Desktop. See [Microsoft Defender for Endpoint data storage and privacy](/microsoft-365/security/defender-endpoint/data-storage-privacy#what-data-does-microsoft-defender-atp-collect) for more information on Microsoft 365 Apps's data collection and storage locations.

-Microsoft Managed Desktop follows a change control process as outlined in our service communication framework. We notify customers through the Microsoft 365 Message Center and Microsoft Managed Desktop Admin portal of both security incidents and major changes to the service. Changes to the types of data gathered and where it is stored are considered a material change. We will provide a minimum of 30 days of advanced notification of this change as is standard practice for Microsoft 365 products and services. For more information, see [Service changes and communication](/microsoft-365/managed-desktop/service-description/servicechanges).

-Microsoft Managed Desktop has undergone external audits and obtained a comprehensive set of compliance offerings. You can find more information in Microsoft Managed Desktop [Compliance](/microsoft-365/managed-desktop/intro/compliance). Audit reports are available for download at the Microsoft [Service Trust Portal](https://aka.ms/stp), which serves as a central repository for Microsoft Enterprise Online Services. (Microsoft Managed Desktop is listed within these documents under the category ΓÇ£Monitoring and Management.ΓÇ¥)

-Microsoft Managed Desktop follows GDPR and CCPA privacy regulations, which give data subjects specific rights to their personal data. These rights include obtaining copies of personal data, requesting corrections to it, restricting the processing of it, deleting it, or receiving it in an electronic format so it can be moved to another controller. For more information about Data Subject Requests (DSRs) generally, see [Data Subject Requests and the GDPR and CCPA](/compliance/regulatory/gdpr-data-subject-requests).

-To exercise data subject requests on data collected by the Microsoft Managed Desktop case management system, see the following:

-**MicrosoftΓÇÖs privacy notice to end users of products provided by organizational customers** - The [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement) notifies end users that when they sign in to Microsoft products with a work account, a) their organization can control and administer their account (including controlling privacy-related settings) and access and process their data, and b) Microsoft may collect and process the data to provide the service to the organization and end users.

-The Microsoft Managed Desktop Security Operations Center (SOC) partners with your information security staff to keep your desktop environment secure. Our team receives and responds to all security alerts on managed devices with expert analysis and, when needed, we drive security incident response activities. For more information about working with the SOC, review operational documentation at your Admin portal.

- - Preparation, detection, and analysis

- - Containment

- - Eradication

- - Recovery

- - Post-incident activity

-| Test | Used to validate Microsoft Managed Desktop policy changes, operating system updates, feature updates, and other changes pushed to the Azure AD organization ("tenant"). The Test group is: <ul><li>Best for testing or users who can provide early feedback.</li><li>Exempt from any established service level agreements and user support.</li><li>Available to validate compatibility of applications with new policy or operating system changes.</li></ul> |

-| Fast | Prioritizes speed over stability. The Fast group is: <ul><li>Useful for detecting quality issues before they're offered to the Broad group.</li> <li>The next layer of validation, and is typically more stable than the Test and First groups.</li></ul> |

-1. Download the [Microsoft Defender for Endpoint Client Analyzer tool](https://aka.ms/mdeanalyzer) to the PC, where Defender for Endpoint sensor is running on.

-2. On the **Simulation automations** tab, select  **Create simulation**.

- 

-The best method to block senders varies on the scope of impact. For a single user, the right solution could be Outlook Blocked Senders. For many users, one of the other options would be more appropriate. The following options are ranked by both impact scope and breadth. The list goes from narrow to broad, but *read the specifics* for full recommendations.

-A standard SMTP email message consists of a *message envelope* and message content. The message envelope contains information that's required for transmitting and delivering the message between SMTP servers. The message content contains message header fields (collectively called the *message header*) and the message body. The message envelope is described in RFC 5321, and the message header is described in RFC 5322. Recipients never see the actual message envelope because it's generated by the message transmission process, and it isn't actually part of the message.

-When multiple users are affected, the scope is wider, so the next best option is blocked sender lists or blocked domain lists in anti-spam policies. Messages from senders on the lists are marked as **High confidence spam**, and the action that you've configured for the **High confidence spam** filter verdict is taken on the message. For more information, see [Configure anti-spam policies](configure-your-spam-filter-policies.md).

-Regardless of the conditions or exceptions that you use to identify the messages, you configure the action to set the spam confidence level (SCL) of the message to 9, which marks the message a **High confidence spam**. For more information, see [Use mail flow rules to set the SCL in messages](/exchange/security-and-compliance/mail-flow-rules/use-rules-to-set-scl).

-> It's easy to create rules that are *overly* aggressive, so it's important that you identify only the messages you want to block using very specific criteria. Also, be sure to enable auditing on the rule and test the results of the rule to ensure everything works as expected.

-When it's not possible to use one of the other options to block a sender, *only then* should you use the IP Block List in the connection filter policy. For more information, see [Configure the connection filter policy](configure-the-connection-filter-policy.md). It's important to keep the number of blocked IPs to a minimum, so blocking entire IP address ranges is *not* recommended.

-You should *especially* avoid adding IP address ranges that belong to consumer services (for example, outlook.com) or shared infrastructures, and also ensure that you review the list of blocked IP addresses as part of regular maintenance.

-EOP performs load balancing between datacenters but only within a region. If you're provisioned in one region all your messages will be processed using the mail routing for that region. The following list shows the how regional mail routing works for the EOP datacenters:

- - South America: Exchange Online mailboxes are located in datacenters in Brazil and Chile. All messages are routed through local datacenters for EOP filtering. Quarantined messages are stored in the datacenter where the tenant is located.

- - Canada: Exchange Online mailboxes are located in datacenters in Canada. All messages are routed through local datacenters for EOP filtering. Quarantined messages are stored in the datacenter where the tenant is located.

- - United States: Exchange Online mailboxes are located in U.S. datacenters. All messages are routed through local datacenters for EOP filtering. Quarantined messages are stored in the datacenter where the tenant is located.

- > [!NOTE]

- > The **Built-in protection** preset security policy is currently in General Availability, available to all organizations.

-

-For more information, see the [Manage endpoints with Intune and Microsoft 365](manage-devices-with-intune-overview.md) foundation solution.

-Endpoint Analytics is a cloud-based service that integrates with Configuration Manager and provides you with insight and intelligence so you can make informed decisions about your Windows clients. It combines data from your organization with data aggregated from millions of other devices connected to Microsoft cloud services.

-With Endpoint Analytics, you can:

-For more information, see this [overview of Endpoint Analytics](/mem/configmgr/desktop-analytics/overview)

-Here is the resulting traffic flow, in which most of the traffic to Microsoft 365 cloud apps bypass the VPN connection.

-

- - Policies to prevention information leakage

-Teams allows you to chat, meet, call, and collaborate all in one place. Millions of people get their work done in Teams every day because it brings together everything you need to work on-site or remotely into a hub for teamwork.

-Chat and threaded conversations are at the center of Teams with support for individual 1:1 chats and group chats and conversations. Remote workers can share information, opinions, and personality by using gifs, stickers, and emojis in group chats or one-to-one messages.

-Teams supports direct VoIP calling between users and even other organizations using federation. It uses the same codecs as meetings and provide great audio world-wide without additional PSTN charges. However, some users may need a dedicated phone number to take external calls when working on-site or remotely. Teams can quickly provide cloud phone service for these users to make and receive phone calls.

-To secure and optimize your workerΓÇÖs productivity and collaboration, you need to allow on-site and remote workers to easily and securely access your organization's on-premises and cloud-based information, tools, and resources. This solution steps through the deployment of key layers of infrastructure that empower your workers to do their best work, wherever they are.

-As a strongly recommended first step for ransomware attack detection and response in your Microsoft 365 tenant, [set up a trial environment](/microsoft-365/security/defender/eval-overview) to evaluate the features and capabilities of Microsoft 365 Defender.

-| [Microsoft 365 Defender](/microsoft-365/security/defender) | Combines signals and orchestrates capabilities into a single solution <br><br> Enables security professionals to stitch together threat signals and determine the full scope and impact of a threat <br><br> Automates actions to prevent or stop the attack and self-heal affected mailboxes, endpoints, and user identities | [Get started](/microsoft-365/security/defender/get-started) | [Incident response](/microsoft-365/security/defender/incidents-overview) |

-| [Microsoft Defender for Identity](/defender-for-identity/what-is) | Identifies, detects, and investigates advanced threats, compromised identities, and malicious insider actions directed at your organization through a cloud-based security interface uses your on-premises Active Directory Domain Services (AD DS) signals | [Overview](/defender-for-identity/what-is) | [Working with the Microsoft Defender for Identity portal](/defender-for-identity/workspace-portal) |

-| [Microsoft Defender for Office 365](/microsoft-365/security/office-365-security) | Safeguards your organization against malicious threats posed by email messages, links (URLs), and collaboration tools <br><br> Protects against malware, phishing, spoofing, and other attack types | [Overview](/microsoft-365/security/office-365-security/overview) | [Threat hunting](/microsoft-365/security/office-365-security/threat-hunting-in-threat-explorer) |

-| [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint) | Enables detection and response to advanced threats across endpoints (devices) | [Overview](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint) | [Endpoint detection and response](/microsoft-365/security/defender-endpoint/overview-endpoint-detection-response) |

-| [Azure Active Directory (Azure AD) Identity Protection](/azure/active-directory/identity-protection/) | Automates detection and remediation of identity-based risks and investigation of those risks | [Overview](/azure/active-directory/identity-protection/overview-identity-protection) | [Investigate risk](/azure/active-directory/identity-protection/howto-identity-protection-investigate-risk) |

->All of these tools require Microsoft 365 E5 or Microsoft 365 E3 with the Microsoft 365 E5 Security add-on.

-Use these tools to detect and respond to the following common threats from ransomware attackers:

- - Microsoft Defender for Identity

- - Microsoft Defender for Office 365

- - Microsoft Defender for Endpoint

- - Microsoft Defender for Office 365

- - Microsoft Defender for Cloud Apps

- - Microsoft Defender for Cloud Apps

- - Microsoft Defender for Office 365

- - Microsoft Defender for Cloud Apps with [anomaly detection policies](/cloud-app-security/anomaly-detection-policy#ransomware-activity)

-The following tools use Microsoft 365 Defender and its portal (https://security.microsoft.com) as a common threat collection and analysis point:

-Here is the ransomware protection for your tenant for steps 1 and 2.

-Continue with [Step 3](ransomware-protection-microsoft-365-identities.md) to protect identities in your Microsoft 365 tenant.

-To help protect devices against the initial access part of a ransomware attack:

-## Windows 10 devices

-To help protect against the lateral movement part of an attack from a Windows 10 device:

-Here is the ransomware protection for your tenant for steps 1-4.

-Here is the ransomware protection for your tenant for steps 1-3.

-To provide additional protection of your sensitive information in your Microsoft 365 tenant:

- - The user accounts who have access to it

- - The actions that are allowed to each account that has access to it

-Using strict permissions within your Microsoft 365 tenant is the principle of least privilege for locations and communications venues, which in Microsoft 365 are typically OneDrive folders, SharePoint sites and folders, and teams.

-Once a ransomware attacker has infiltrated your tenant, they try to escalate their privileges by compromising the credentials of user accounts with wider scope of permissions across your tenant, such as administrator role accounts or user accounts that have access to sensitive information.

-See [Set up secure collaboration with Microsoft 365 and Microsoft Teams](setup-secure-collaboration-with-teams.md) for detailed guidance. An example of a communication and collaboration venue with strict permissions for sensitive information is a [team with security isolation](/microsoft-365/solutions/secure-teams-security-isolation).

-To protect your sensitive information in case a ransomware attacker has access to it:

-Here is the ransomware protection for your tenant for steps 1-5.

-Here is the ransomware protection for your tenant after this step.

-However, Microsoft 365 online services have many built-in capabilities and controls to protect customer data from ransomware attacks. The following sections provide a summary. For more details about how Microsoft protects customer data, [Malware and ransomware protection in Microsoft 365](/compliance/assurance/assurance-malware-and-ransomware-protection).

- To minimize the burden on your security and helpdesk staff, train your users on how to [restore files from the recycle bin](https://support.microsoft.com/en-us/office/restore-deleted-items-from-the-site-collection-recycle-bin-5fa924ee-16d7-487b-9a0a-021b9062d14b).

- To minimize the burden on your security and IT helpdesk staff, train your users on [Files Restore](https://techcommunity.microsoft.com/t5/microsoft-onedrive-blog/announcing-new-onedrive-for-business-feature-files-restore/ba-p/147436).

- You can also use session policies for [Microsoft Defender for Cloud Apps Conditional Access App Control](/cloud-app-security/tutorial-dlp#how-to-discover-and-protect-sensitive-information-in-your-organization) to monitor the flow of information between a user and an application in real time.

-This solution steps you through the deployment of Microsoft 365 protection and mitigation features, configurations, and ongoing operations to minimize the ability of a ransomware attacker to use the critical data in your Microsoft 365 tenant to hold your organization for ransom.

-| Microsoft Secure Score | Measures the security posture of a Microsoft 365 tenant | Assess your security configuration and suggests improvements. | Microsoft 365 E3 or Microsoft 365 E5 |

-| Attack surface reduction rules | Reduces your organization's vulnerability to cyber attacks using a variety of configuration settings | Block suspicious activity and vulnerable content. | Microsoft 365 E3 or Microsoft 365 E5 |

-| Exchange email settings | Enables services that reduce your organization's vulnerability to an email-based attack | Prevent initial access to your tenant through phishing and other email-based attacks. | Microsoft 365 E3 or Microsoft 365 E5 |

-| Microsoft Windows, Microsoft Edge, and Microsoft 365 Apps for Enterprise settings | Provides industry-standard security configurations that are broadly known and well-tested | Prevent attacks through Windows, Edge, and Microsoft 365 Apps for Enterprise. | Microsoft 365 E3 or Microsoft 365 E5 |

-| Microsoft 365 Defender | Combines signals and orchestrates capabilities into a single solution <br><br> Enables security professionals to stitch together threat signals and determine the full scope and impact of a threat <br><br> Automates actions to prevent or stop the attack and self-heal affected mailboxes, endpoints, and user identities | Incidents, which are the combined alerts and data that make up an attack. | Microsoft 365 E5 or Microsoft 365 E3 with the Microsoft 365 E5 Security add-on |

-| Microsoft Defender for Identity | Identifies, detects, and investigates advanced threats, compromised identities, and malicious insider actions directed at your organization through a cloud-based security interface uses your on-premises Active Directory Domain Services (AD DS) signals | Credential compromise for AD DS accounts. | Microsoft 365 E5 or Microsoft 365 E3 with the Microsoft 365 E5 Security add-on |

-| Microsoft Defender for Office 365 | Safeguards your organization against malicious threats posed by email messages, links (URLs), and collaboration tools <br><br> Protects against malware, phishing, spoofing, and other attack types | Phishing attacks. | Microsoft 365 E5 or Microsoft 365 E3 with the Microsoft 365 E5 Security add-on |

-| Microsoft Defender for Endpoint | Enables detection and response to advanced threats across endpoints (devices) | Malware installation and device compromise. | Microsoft 365 E5 or Microsoft 365 E3 with the Microsoft 365 E5 Security add-on |

-| Azure Active Directory (Azure AD) Identity Protection | Automates detection and remediation of identity-based risks and investigation of those risks | Credential compromise for Azure AD accounts and privilege escalation. | Microsoft 365 E5 or Microsoft 365 E3 with the Microsoft 365 E5 Security add-on |

-| Microsoft Defender for Cloud Apps | A cloud access security broker for discovery, investigation, and governance across all your Microsoft and third-party cloud services | Lateral movement and data exfiltration. | Microsoft 365 E5 or Microsoft 365 E3 with the Microsoft 365 E5 Security add-on |

-|Azure AD Password Protection|Block passwords from a common list and custom entries.|Cloud or on-premises user account password determination.|Microsoft 365 E3 or Microsoft 365 E5|

-|MFA enforced with Conditional Access|Require MFA based on the properties of user sign-ins with Conditional Access policies.|Credential compromise and access.|Microsoft 365 E3 or Microsoft 365 E5|

-|MFA enforced with risk-based Conditional Access|Require MFA based on the risk of user sign-ins with Azure AD Identity protection |Credential compromise and access.|Microsoft 365 E5 or Microsoft 365 E3 with the Microsoft 365 E5 Security add-on|

-| Microsoft Intune | Manage devices and the applications that run on them | Device or app compromise and access. | Microsoft 365 E3 or E5 |

-For Windows 10 devices:

-| Controlled folder access | Protects your data by checking apps against a list of known, trusted apps | Prevent files from being altered or encrypted by ransomware. | Microsoft 365 E3 or Microsoft 365 E5 |

-| Data loss prevention (DLP) | Protects sensitive data and reduces risk by preventing users from sharing it inappropriately | Prevent data exfiltration. | Microsoft 365 E3 or Microsoft 365 E5 |

-| Microsoft Defender for Cloud Apps | A cloud access security broker for discovery, investigation, and governance | Detect lateral movement and prevent data exfiltration. | Microsoft 365 E5 or Microsoft 365 E3 with the Microsoft 365 E5 Security add-on |