+6. For the page **Choose locations where you want to apply the label**: Select and specify locations for Exchange, SharePoint, and OneDrive. If you don't want to keep the default of **All** for your chosen locations, select the link to choose specific instances to include, or select the link to choose specific instances to exclude. Then select **Next**.

+For guidance and requirements for third-party data connectors, see the "Data connectors" section in [Microsoft 365 guidance for security & compliance - Service Descriptions | Microsoft Docs](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance).

+- For multiple users to edit an encrypted file at the same time, they must all be using Office for the web or you've [enabled co-authoring for files encrypted with sensitivity labels](sensitivity-labels-coauthoring.md) and all users have [Office apps that support this feature](sensitivity-labels-coauthoring.md#prerequisites). If this isn't the case, and the file is already open:

+For information and guidance on security and compliance:

+- Download and see the eDiscovery and auditing section in the [Microsoft 365 Comparison table](https://aka.ms/M365EnterprisePlans).

+- See the [Microsoft 365 guidance for security & compliance - Service Descriptions | Microsoft Docs](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance).

+4. In the list of people or role groups that can be added as members of the case, click to the left of the name of the people (or role groups) that you want to add. If you have a large list of people or role groups who can be added as members, use the **Search** box to search for a specific person or role group in the list.

+3. **[Export and download search results](export-content-in-core-ediscovery.md)**. After you search for and find data that's relevant to your investigation, you can export it out of Office 365 for review by people outside of the investigation team. Exporting data is a two-step process. The first step is to export the results of a search in the case out of Office 365. This is accomplished by copying the results of a search to a Microsoft-provided Azure Storage location. The next step is to use the eDiscovery Export tool to download the content to a local computer. In addition to the exported data files, the export package contains an export report, a summary report, and an error report.

+

+ One of the advantages of using the advanced query builder for these scopes is a wider choice of query operators:

+ - **and**

+ - **or**

+ - **not**

+ - **eq** (equals)

+ - **ne** (not equals)

+ - **lt** (less than)

+ - **gt** (greater than)

+ - **like** (string comparison

+ - **notlike** (string comparison

+

+ For example, because SharePoint sites scopes automatically include all SharePoint site types, which include Microsoft 365 group-connected and OneDrive sites, you can use the indexed site property **SiteTemplate** to include or exclude specific site types. The templates you can specify:

+ - SITEPAGEPUBLISHING for modern communication sites

+ - GROUP for Microsoft 365 group-connected sites

+ - TEAMCHANNEL for Microsoft Teams private channel sites

+ - STS for a classic SharePoint team site

+ - SPSPERS for OneDrive sites

+

+ So to create an adaptive scope that includes only modern communication sites and excludes Microsoft 365 goup-connected and OneDrive sites, specify the following KQL query:

+ ````console

+ SiteTemplate=SITEPAGEPUBLISHING

+ ````

+ Title: "Understand and choose between Microsoft Information Protection (MIP) built-in labeling for Office apps and the Azure Information Protection (AIP) client"

+f1.keywords:

+- CSH

+audience: Admin

+ms.localizationpriority: high

+- M365-security-compliance

+- m365initiative-compliance

+search.appverid:

+- MOE150

+- MET150

+description: Understand whether to use the AIP client for Windows computers or built-in labeling for Office apps.

+# Why choose MIP built-in labeling over the AIP add-in for Office apps

+>*[Microsoft 365 licensing guidance for security & compliance](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance).*

+When you use [sensitivity labels](sensitivity-labels.md) in Microsoft 365 Apps on Windows computers, you have a choice of using labeling that's built into Office apps, or an add-in from the [Azure Information Protection (AIP) unified labeling client](/azure/information-protection/rms-client/aip-clientv2).

+Built-in labeling forms the cornerstone of a [Microsoft Information Protection (MIP) deployment](information-protection-solution.md) because this labeling technology extends across platforms (Windows, macOS, iOS, Android, and web), as well as across Microsoft apps and services, and beyond. Built-in labeling is also designed to work with other MIP capabilities, such as data classification and data loss prevention (DLP).

+Because built-in labels don't use an Office add-in, they benefit from more stability and better performance. They also support the latest MIP features, such as advanced classifiers.

+By default, built-in labeling is turned off in Office for Windows apps when the AIP client is installed. You can change this default behavior by using the instructions in the following section, [How to disable the AIP add-in to use built-in labeling for Office apps](#how-to-disable-the-aip-add-in-to-use-built-in-labeling-for-office-apps).

+When you keep the AIP client installed but disabled in Office apps, the other capabilities of the AIP client remain supported:

+- Right-click options in File Explorer for users to apply labels to all file types.

+- A viewer to display encrypted files for text, images, or PDF documents.

+- A PowerShell module to discover sensitive information in files on premises, and apply or remove labels and encryption from these files.

+- A scanner to discover sensitive information that's stored in on-premises data stores, and then optionally, label that content.

+For more information about these capabilities that extend labeling beyond Office apps, see the [Azure Information Protection unified labeling client administrator guide](/azure/information-protection/rms-client/clientv2-admin-guide) from the AIP documentation.

+Independently from labeling, you can continue to use the [AIPService](/powershell/module/aipservice) PowerShell module for tenant-level management of the encryption service. For example, configure super user access when you need to remove encryption for data recovery, track and revoke documents that have been opened by the AIP client, and configure the use license validity period for offline access. For more information, see [Administering protection from Azure Information Protection by using PowerShell](/azure/information-protection/administer-powershell).

+## Decide whether to use built-in labeling for Office apps or the AIP add-in

+Now that the AIP client is in [maintenance mode](https://techcommunity.microsoft.com/t5/security-compliance-and-identity/announcing-aip-unified-labeling-client-maintenance-mode-and/ba-p/3043613), we don't recommend you use the AIP add-in for Office apps for the following reasons:

+- No new labeling features will be supported.

+- Add-ins are less stable because they can conflict with other add-ins that can result in Office apps hanging, crashing, or automatically disabling the add-in.

+- As an add-in, it runs more slowly, and can be disabled by users to bypass labeling requirements.

+- Any bug fixes will require reinstalling the Azure Information Protection client.

+- The labeling experience for users is slightly different from built-in labels that users have on their other devices (macOS, iOS, Android), and when they use Office for the web. This difference can increase costs for training and support.

+- There are already new Office labeling features released that are [only supported by built-in labeling](#features-supported-only-by-built-in-labeling-for-office-apps), and the list is growing all the time.

+Use the AIP add-in for your Windows Office apps only if you've already deployed it to users and you need time to migrate them to built-in labeling. Or, users need a feature that isn't supported by built-in labeling. Use the [feature parity information](#feature-parity-for-built-in-labeling-and-the-aip-add-in-for-office-apps) on this page to help you identify these features.

+## Features supported only by built-in labeling for Office apps

+> [!NOTE]

+> Many new labeling features are in planning or development, so expect the list in this section to grow over time.

+Some features are only supported by built-in labeling for Office apps, and won't be supported by the AIP add-in. These include:

+- For automatic and recommended labeling:

+ - Access to intelligent classification services that include [trainable classifiers](classifier-learn-about.md), [Exact Data Match (EDM)](sit-learn-about-exact-data-match-based-sits.md), and [named entities](named-entities-learn.md)

+ - Detection of sensitive information as users type

+ - In Word, users can review and remove the identified sensitive content

+- For labels that let users assign permissions, different permissions (Read or Change) can be granted to users or groups

+- Encrypt-Only for emails

+- Visibility of labels on the status bar

+- Support for account switching

+- Users can't disable labeling

+Example showing how users can review and optionally remove identified sensitive content in Word:

+

+To keep informed when new labeling capabilities become available for built-in labeling, see [What's new in Microsoft 365 compliance](whats-new.md) and the **Sensitivity labels** sections.

+## How to disable the AIP add-in to use built-in labeling for Office apps

+When you've installed the AIP client to extend labeling beyond Office apps but want to prevent the client's add-in from loading in Office apps, use the Group Policy setting **List of managed add-ins** as documented in [No Add-ins loaded due to group policy settings for Office 2013 and Office 2016 programs](https://support.microsoft.com/help/2733070/no-add-ins-loaded-due-to-group-policy-settings-for-office-2013-and-off).

+For your Windows Office apps that support built-in labeling, use the configuration for Microsoft Word 2016, Excel 2016, PowerPoint 2016, and Outlook 2016, specify the following programmatic identifiers (ProgID) for the AIP client, and set the option to **0: The add-in is always disabled (blocked)**

+|Application |ProgID |

+|||

+|Word | `MSIP.WordAddin` |

+|Excel | `MSIP.ExcelAddin` |

+|PowerPoint | `MSIP.PowerPointAddin` |

+|Outlook | `MSIP.OutlookAddin` |

+| | |

+Deploy this setting by using Group Policy, or by using the [Office cloud policy service](/DeployOffice/overview-office-cloud-policy-service).

+> [!IMPORTANT]

+> If you use the Group Policy setting **Use the Sensitivity feature in Office to apply and view sensitivity labels** and set this to **1**, there are some situations where the AIP add-in might still load in Office apps. Blocking the add-in from loading in each app prevents this happening.

+Alternatively, you can interactively disable or remove the **Microsoft Azure Information Protection** Office add-in from Word, Excel, PowerPoint, and Outlook. This method is suitable for a single computer, and ad-hoc testing. For instructions, see [View, manage, and install add-ins in Office programs](https://support.office.com/article/16278816-1948-4028-91e5-76dca5380f8d).

+Whichever method you choose, the changes take effect when Office apps restart.

+> [!NOTE]

+> Built-in labels require a subscription edition of Office apps. If you have standalone editions of Office, sometimes called "Office Perpetual", we recommend you upgrade to Microsoft 365 Apps for Enterprise to benefit from the [latest labeling capabilities](sensitivity-labels-office-apps.md#support-for-sensitivity-label-capabilities-in-apps).

+Remember, when you use this method to disable the AIP add-in, you can still use the AIP client to extend labeling beyond Office apps.

+## Feature parity for built-in labeling and the AIP add-in for Office apps

+Many of the labeling features supported by the AIP add-in are now supported by built-in labeling. For a more detailed list of capabilities, minimum versions that might be needed, and configuration information, see [Manage sensitivity labels in Office apps](sensitivity-labels-office-apps.md).

+More features are planned and in development. If there's a specific feature that you're interested in, check the [Microsoft 365 roadmap](https://aka.ms/MIPC/Roadmap) and consider joining the [Microsoft Information Protection in Office Private Preview](https://aka.ms/MIP/PreviewRing).

+Use the following information to help you identify if you're using a feature from the AIP add-in that isn't yet supported by built-in labeling:

+|AIP add-in feature or capability|Built-in labeling |

+|:-|:-:|

+|**Category: General** ||

+|Central reporting and auditing| |

+|Government Cloud||

+|Admin can disable labeling <br> - All apps| |

+|Admin can disable labeling <br> - Per app| In planning or development|

+|**Category: User Experience** ||

+|Labeling button on the ribbon||

+|Multilanguage support for label names and tooltips|  |

+|Label colors| In planning or development |

+|Visibility of labels on the toolbar| In planning or development |

+|**Category: Labeling actions** ||

+|Manual labeling |  <br>[Learn more](https://support.microsoft.com/office/apply-sensitivity-labels-to-your-files-and-email-in-office-2f96e7cd-d5a4-403b-8bd7-4cc636bae0f9) |

+|Mandatory labeling | |

+|Default labeling <br> - New and existing items <br> - Separate settings for email|  |

+|Recommended or automatic | |

+|Downgrade justification | |

+| **Category: Visual markings** | |

+|Headers, footers, watermark| |

+|Dynamic markings| |

+|Per app visual marking| |

+| **Category: Encryption** | |

+|Admin-defined permissions |  |

+|User-defined permissions <br> - Do Not Forward for Outlook <br> - User and group custom permissions for Word, Excel, PowerPoint| |

+|User-defined permissions <br> - Organization-wide custom permissions by specifying domains for Word, Excel, PowerPoint | In planning or development |

+|Co-authoring and AutoSave |  |

+|Double key encryption | In planning or development |

+|Document revocation for users | Under review |

+| | |

+### Support for PowerShell advanced settings

+The AIP client supports many customizations by using [PowerShell advanced settings](/azure/information-protection/rms-client/clientv2-admin-guide-customizations#configuring-advanced-settings-for-the-client-via-powershell). Some of these advanced settings are now supported by built-in labeling, as documented in [New-Label](/powershell/module/exchange/new-label) or [Set-Label](/powershell/module/exchange/set-label), and [New-LabelPolicy](/powershell/module/exchange/new-labelpolicy) or [Set-LabelPolicy](/powershell/module/exchange/set-labelpolicy).

+However, you might find you don't need to use PowerShell to configure the supported settings because they're included in the standard configuration from the Microsoft 365 compliance center. For example, the ability to turn off mandatory labeling for Outlook and set a different default label.

+The following configurations from the AIP add-in aren't yet supported by built-in labeling include:

+- [Label inheritance from email attachments](/azure/information-protection/rms-client/clientv2-admin-guide-customizations#for-email-messages-with-attachments-apply-a-label-that-matches-the-highest-classification-of-those-attachments)

+- [S/MIME for Outlook](/azure/information-protection/rms-client/clientv2-admin-guide-customizations#configure-a-label-to-apply-smime-protection-in-outlook)

+- [Oversharing popup messages for Outlook](/azure/information-protection/rms-client/clientv2-admin-guide-customizations#implement-pop-up-messages-in-outlook-that-warn-justify-or-block-emails-being-sent)

+- [Default sublabel for a parent label](/azure/information-protection/rms-client/clientv2-admin-guide-customizations#specify-a-default-sublabel-for-a-parent-label)

+- [Remove external content markings](/azure/information-protection/rms-client/clientv2-admin-guide-customizations#remove-headers-and-footers-from-other-labeling-solution )

+## Features not planned to be supported by built-in labeling for Office apps

+Although new capabilities for built-in labeling are being added all the time, the AIP Office add-in supports the following capabilities that aren't planned to be available in future releases for built-in labeling:

+- Application of labels to Microsoft Office 97-2003 formats, such as .doc files

+- Permanently disconnected computers

+- Standalone editions of Office (sometimes called "Office Perpetual") rather than subscription-based

+## Next steps

+For instructions to create and configure these labeling capabilities, see [Create and configure sensitivity labels and their policies](create-sensitivity-labels.md).

+> [!TIP]

+> If you already have sensitivity labels in the Microsoft 365 compliance center, you won't be eligible for the automatic creation of default labels. However, you might still find it useful to reference their configuration: [Default sensitivity labels](mip-easy-trials.md#default-sensitivity-labels).

+The labeling metadata includes information that identifies your tenant and applied sensitivity label. The change that this setting makes is the metadata format and location for Word, Excel, and PowerPoint files. You don't need to take any action for encrypted files or emails because the metadata change for encrypted files is backward-compatible, and there are no changes for emails. However, you do need to be aware of the metadata changes for encrypted files that can be automatically upgraded but aren't backward-compatible.

+- For files that are already labeled, the next time the file is opened and saved, if the file has metadata in the old format and location, that information is copied to the new format and location.

+ - **iOS**: Now in preview when you [opt in](#opt-in-to-the-preview-of-co-authoring-for-ios-and-android) with minimum version 2.58

+ - **Android**: Now in preview when you [opt in](#opt-in-to-the-preview-of-co-authoring-for-ios-and-android) with minimum version 16.0.14931

+### Opt in to the preview of co-authoring for iOS and Android

+To try the preview of co-authoring for iOS and Android, you must have the minimum versions stated in the previous section, and also request your tenant is added to the preview: [Consent to Enable co-authoring for files encrypted with sensitivity labels on mobile](https://ncv.microsoft.com/5Oob3oDj1O)

+- Supporting Office apps for iOS and Android are currently in [preview](https://office.com/insider).

+ For labels with any of these encryption configurations, the labels display in Office apps. However, when users select these labels and nobody else is editing the document, they're warned that co-authoring and AutoSave won't be available. If somebody else is editing the document, users see a message that the labels can't be applied.

+If you've already turned on this setting during the preview period, no further action is needed and you can skip this procedure.

+As you see from the screenshot when this setting has been turned on, you can contact [Microsoft Support](../admin/get-help-support.md) and request to turn off this setting. This request might take several days and you'll need to prove that you're a global administrator for your tenant. Expect usual support charges to apply.

+To use sensitivity labels that are built into Office desktop apps for Windows and Mac, you must use a subscription edition of Office. This labeling client doesn't support standalone editions of Office, sometimes called "Office Perpetual".

+If you can't upgrade to Microsoft 365 Apps for enterprise for the subscription versions of Office, for Windows computers, you can use the [Azure Information Protection unified labeling client](/azure/information-protection/rms-client/aip-clientv2).

+|[Support co-authoring and AutoSave](sensitivity-labels-coauthoring.md) for labeled and encrypted documents | Current Channel: 2107+ <br /><br> Monthly Enterprise Channel: 2107+ <br /><br> Semi-Annual Enterprise Channel: 2202+ | 16.51+ | Preview: 2.58+ when you [opt-in](sensitivity-labels-coauthoring.md#opt-in-to-the-preview-of-co-authoring-for-ios-and-android) | Preview: 16.0.14931+ when you [opt-in](sensitivity-labels-coauthoring.md#opt-in-to-the-preview-of-co-authoring-for-ios-and-android) | [Yes - opt-in](sensitivity-labels-sharepoint-onedrive-files.md) |

+If users have the [Azure Information Protection (AIP) client](/azure/information-protection/rms-client/aip-clientv2) installed on their Windows computers, by default, built-in labels are turned off in [Windows Office apps that support them](#labeling-client-for-desktop-apps). Because built-in labels don't use an Office add-in, as used by the AIP client, they have the benefit of more stability and better performance. They also support the latest features, such as advanced classifiers.

+To learn more about labeling choices with the AIP client, see [Why choose MIP built-in labeling over the AIP add-in for Office apps](sensitivity-labels-aip.md).

+- SharePoint and OneDrive can't process some files that are labeled and encrypted from Office desktop apps when these files contain PowerQuery data, data stored by custom add-ins, or custom XML parts such as Cover Page Properties, content type schemas, custom Document Information Panel, and Custom XSN. This limitation also applies to files that include a [bibliography](https://support.microsoft.com/en-us/office/create-a-bibliography-citations-and-references-17686589-4824-4940-9c69-342c289fa2a5), and to files that have a [Document ID](https://support.microsoft.com/office/enable-and-configure-unique-document-ids-ea7fee86-bd6f-4cc8-9365-8086e794c984) added when they are uploaded.

+The sensitivity labels that are built into Microsoft 365 Apps on Windows, macOS, iOS, and Android look and behave very similarly across these devices to provide users with a consistent labeling experience. However, on Windows computers, you can also use the [Azure Information Protection (AIP) client](/azure/information-protection/rms-client/aip-clientv2). This client is now in [maintenance mode](https://techcommunity.microsoft.com/t5/security-compliance-and-identity/announcing-aip-unified-labeling-client-maintenance-mode-and/ba-p/3043613).

+If you're using the AIP client, see [Why choose MIP built-in labeling over the AIP add-in for Office apps](sensitivity-labels-aip.md) to understand and manage your labeling choices for Windows computers.

+If your tenant isn't yet on the [unified labeling platform](/azure/information-protection/faqs#how-can-i-determine-if-my-tenant-is-on-the-unified-labeling-platform), you must first activate unified labeling before you can use sensitivity labels. For instructions, see [How to migrate Azure Information Protection labels to unified sensitivity labels](/azure/information-protection/configure-policy-migrate-labels).

+Broadens the scope of model 2. Rather than just sending a small group of defined endpoints direct, it instead sends all traffic directly to trusted services such Microsoft 365 and SalesForce. This further reduces the load on the corporate VPN infrastructure and improves the performance of the services defined. As this model is likely to take more time to assess the feasibility of and implement, it's likely a step that can be taken iteratively at a later date once model two is successfully in place.

+| Teams Media IPs (no URL) | UDP 3478, 3479, 3480, and 3481 | Relay Discovery allocation and real-time traffic. These are the endpoints used for Skype for Business and Microsoft Teams Media traffic (calls, meetings, etc.). Most endpoints are provided when the Microsoft Teams client establishes a call (and are contained within the required IPs listed for the service). Use of the UDP protocol is required for optimal media quality. |

+- Windows 10 Pro/Enterprise (with [KB5006738](https://support.microsoft.com/topic/october-26-2021-kb5006738-os-builds-19041-1320-19042-1320-and-19043-1320-preview-ccbce6bf-ae00-4e66-9789-ce8e7ea35541))

+- Windows 11 Pro/Enterprise

+ Title: Device registration methods in Microsoft Managed Desktop

+description: Information on the device registration methods in Microsoft Managed Desktop

+keywords: Microsoft Managed Desktop, Microsoft 365, service, documentation

+ms.localizationpriority: medium

+audience: Admin

+# Device registration methods

+Before Microsoft can manage your devices in Microsoft Managed Desktop, you must have devices registered with the service.

+## Registration process

+Microsoft Managed Desktop is powered by the Windows Autopilot service for the device registration workflow. Successful device registration requires a two-step process:

+1. The device's unique hardware identity, known as the hardware hash, is captured and uploaded to the Autopilot service.

+1. The device is associated to an Azure Active Directory tenant ID.

+Ideally, both steps are performed by the OEM, reseller, or distributor where the devices were purchased. An OEM, or other device provider, uses the registration authorization process to perform device registration on your behalf.

+## Registration methods

+Registration can also be performed within your organization by collecting the hardware identity from new or existing devices and uploading it manually. Below are the device registration methods Microsoft Managed Desktop supports:

+- OEM registration

+ - [Using the Partner portal](partner-registration.md#register-devices-using-the-partner-center)

+ - [Using OEM APIs](partner-registration.md#register-devices-by-using-the-oem-api)

+- [Manual registration](manual-registration.md)

+- [Manual registration for existing devices](manual-registration-existing-devices.md)

+## Recommended resources

+- [Overview of Windows Autopilot](/mem/autopilot/windows-autopilot)

+- [Windows Autopilot registration overview](/mem/autopilot/registration-overview)

+## Steps to get started with Microsoft Managed Desktop

+1. Access [admin portal](access-admin-portal.md).

+1. [Add and verify admin contacts in the Admin portal](add-admin-contacts.md).

+1. [Adjust settings after enrollment](conditional-access.md).

+1. Deploy and assign [Intune Company Portal](company-portal.md).

+1. [Assign licenses](assign-licenses.md).

+1. [Deploy apps](deploy-apps.md).

+1. [Prepare devices](prepare-devices.md).

+1. Set up [first-run experience with Autopilot and the Enrollment Status Page](esp-first-run.md).

+1. [Enable user support features](enable-support.md).

+1. [Get your users ready to use devices](get-started-devices.md).

+1. [Get started with app control](get-started-app-control.md).

+# Manual registration for existing devices

+# Manual registration

+# Partner registration

+# Prepare devices

+# Compliance

+You can find relevant information, including control and technical requirements, in the [Service Trust Portal (STP)](https://servicetrust.microsoft.com/). This portal is the central repository for such information about Microsoft Cloud Service offerings. You can download auditor reports, compliance certificates, and more from the [Audit Reports](https://servicetrust.microsoft.com/ViewPage/MSComplianceGuide) section of the STP.

+# What is Microsoft Managed Desktop?

+Your users will enjoy the latest versions of Windows 10 and Microsoft 365 Apps for Enterprise apps (and more), using devices and software that are curated and rigorously tested for best performance and reliability.

+Also, you'll never have to worry about keeping any of this software up to date because that happens automatically. The updates follow a careful rollout sequence that is monitored every step of the way. Registered devices are monitored 24 hours a day, seven days a week for technical and security issues. If something goes wrong, help will be on the way.

+Of course, there's nothing stopping you from obtaining and managing your own devices and Microsoft 365 deployments yourself. So what does Microsoft Managed Desktop offer?

+- At least twice the battery life.

+- About one-third as many device crashes per year.

+- Device mobility through [Enterprise State Roaming](/azure/active-directory/devices/enterprise-state-roaming-overview) to allow users to have the same experience no matter what device they sign into.

+- Insights dashboards constantly keeping you up to date on usage, reliability, device health, and other data on devices and users.

+- About *one-tenth* the amount of time needed to update 95% of devices.

+Microsoft Managed Desktop takes on the burden of managing registered devices and the Microsoft software they use.

+| Management | Description |

+| -- | -- |

+| Hardware management| Instead of your IT department researching and figuring out if a device is compatible with the service, we've provided specific hardware and software requirements, tools, and processes to streamline selection so you can choose devices with confidence.<br><br>You can find recommended devices by filtering for Microsoft Managed Desktop on the [Shop Windows Pro business devices](https://www.microsoft.com/windows/business/devices) site. You can either obtain devices yourself, work with a partner, or reuse devices you already have. Registering devices is easy and straightforward. Before they're deployed, you can also [customize](../working-with-managed-desktop/config-setting-overview.md) certain aspects of the device experience for your users. |

+| Update management | Microsoft Managed Desktop sets up and manages all aspects of [deployment groups](../service-description/updates.md) for Windows 10 quality and feature updates, drivers, firmware, anti-virus definitions, and Microsoft 365 Apps for enterprise updates.<br><br>This includes extensive testing and verification of all updates, assuring that registered devices are always up to date and minimizing disruptions, freeing your IT department from that ongoing task. |

+| Apps | As part of Microsoft 365 Enterprise, Microsoft provides and manages several key Microsoft apps for you.<br><br>However, you may also have other apps that you need for your business. Instead of your IT department having to test, package, and deploy those apps, Microsoft helps you deploy them through the [FastTrack](https://www.microsoft.com/FastTrack) program.<br><br>Additionally, Microsoft's [App Assure](/fasttrack/products-and-capabilities#app-assuree) program can help remediate any app compatibility issues that arise when migrating to the latest versions of our products. Learn more at [Apps in Microsoft Managed Desktop](../get-ready/apps.md).

+We also monitor device health and provide you with insights about device performance. For more information, see [Microsoft Managed Desktop operations and monitoring](../service-description/operations-and-monitoring.md).

+For more information about the value of Microsoft Managed Desktop, including customer stories, see [Microsoft Managed Desktop](https://aka.ms/mmd).

+Great places to get started:

+- [Roadmap](https://aka.ms/AA6jiam)

+- [Forrester Total Economic Impact case study](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/managed-desktop/intro/downloads/forrester-tei-study.pdf)

+- Downloadable [one-page summary](https://aka.ms/AA6ob3h)

+You can find the latest news at the Microsoft Managed Desktop [blog](https://aka.ms/AA6l2dd).

+If Microsoft Managed Desktop seems right for your organization, you can delve into further documentation that explains:

+- More about the service.

+- How to prepare your organization to enroll.

+- How to get started with the service

+- Ongoing operations thereafter, including how you and your users can easily get help if needed.

+If you're already ready to come on board, start with contacting your [local account team](https://pages.email.office.com/contactmmd/).

+### More information

+| Information | Description |

+| -- | -- |

+| More overview and background | Primarily for technical and business decision makers, these articles detail the division of roles and responsibilities between your organization and Microsoft, technologies used in Microsoft Managed Desktop, and how the service fits into a broader strategy as part of the ITIL framework.<br><ul><li>[Microsoft Managed Desktop roles and responsibilities](roles-and-responsibilities.md)</li><li>[Microsoft Managed Desktop technologies](technologies.md)</li><li>[Microsoft Managed Desktop and ITIL](../MMD-and-ITSM.md)</li><li>[Compliance](compliance.md)</li><li>[Microsoft Managed Desktop service description](../service-description/index.md)</li></ul> |

+| Get ready for enrollment | These articles describe the steps you must take in your organization to prepare for enrollment, including checking that your environment meets key prerequisites, configuring networks, setting up certificates, and preparing your apps.<ul><li>[Prerequisites for Microsoft Managed Desktop](../get-ready/prerequisites.md)</li><li>[Network configuration for Microsoft Managed Desktop](../get-ready/network.md)</li><li>[Prepare on-premises resources access for Microsoft Managed Desktop](../get-ready/authentication.md)</li><li>[Prepare mapped drives for Microsoft Managed Desktop](../get-ready/mapped-drives.md)</li><li>[Prepare certificates and network profiles for Microsoft Managed Desktop](../get-ready/certs-wifi-lan.md)</li><li>[Apps in Microsoft Managed Desktop](../get-ready/apps.md)</li></ul> |

+| Get started | Once you're ready to enroll, this section includes the steps to follow to actually join the service, obtain and set up devices, prep your users, and deploy apps.<ul><li>[Add and verify admin contacts in the Admin portal](../get-started/add-admin-contacts.md)</li><li>[Adjust conditional access](../get-started/conditional-access.md)</li><li>[Assign licenses](../get-started/assign-licenses.md)</li><li>[Install Intune Company Portal on on devices](../get-started/company-portal.md)</li><li>[Enable Enterprise State Roaming](../get-started/enterprise-state-roaming.md)</li><li>[Prepare devices](../get-started/prepare-devices.md)</li><li>[Get your users ready to use devices](../get-started/get-started-devices.md)</li><li>[Deploy apps to devices](../get-started/deploy-apps.md)</li></ul> |

+| Working with Microsoft Managed Desktop | This section includes information about your day-to-day life with the service, such as how your IT admins can get support if needed, how your users get support, managing your apps once deployed, and how to work the customizable settings on devices.<ul><li>[Admin support for Microsoft Managed Desktop](../working-with-managed-desktop/admin-support.md)</li><li>[Getting help for users](../working-with-managed-desktop/end-user-support.md)</li><li>[Configurable settings - Microsoft Managed Desktop](../working-with-managed-desktop/config-setting-overview.md)</li><ul> |

+<!--When you enroll in Microsoft Managed Desktop, Microsoft provides you with devices that are configured to join your Azure Active Directory tenant. Windows 10, Office 365, and some apps and features associated with [Microsoft 365 Enterprise E5](https://www.microsoft.com/microsoft-365/compare-all-microsoft-365-plans) are installed (by Microsoft) on your devices. When your employees who are using these devices need help, they contact Microsoft Managed Desktop support (provided by Microsoft) through a custom chat app.-->

+<!--With Microsoft Managed Desktop, you get **software as a service** (Microsoft 365 E5), **Device as a service** (Microsoft Surface devices ready to use), and **IT support as a service** (Help desk and more).-->

+# Microsoft Managed Desktop roles and responsibilities

+| Role or responsibility | Description |

+| -- | -- |

+| MDM policy management | Microsoft will apply MDM policies according to best practices and consider requests for policy changes. We'll also make changes to your tenant as prescribed in [Device policies](../service-description/device-policies.md). |

+| User support | We provide a mechanism for elevated access to devices and for issues to get escalated through a support request if necessary. For more information, see [User support](../service-description/user-support.md).

+| Microsoft Managed Desktop service support | Microsoft will provide support to your IT department through a Microsoft Managed Desktop Operations Team. This team will support technical troubleshooting, change requests, and incident management for the customer's Microsoft Managed Desktop environment. For more information, see [Admin support for Microsoft Managed Desktop](../working-with-managed-desktop/admin-support.md). |

+| Security monitoring | Microsoft will monitor your Microsoft Managed Desktop devices using Microsoft Defender for Endpoint. If the Microsoft Managed Desktop Security Operations Center (SOC) detects a threat, we'll notify you, isolate the device, and rectify the issue remotely. For more information, see [Security](../service-description/security.md). |

+| Update monitoring and management | We actively monitor your Microsoft Managed Desktop devices to ensure that the latest quality and feature updates are installed for Microsoft Windows and Microsoft Office. For more information, see [How updates are handled](../service-description/updates.md). |

+| User and device grouping | Microsoft Managed Desktop operations team will create and manage required device and user groups as part of IT operations. No membership or configuration changes are allowed to these groups. Altering these groups can lead to unexpected configuration of devices and loss of functionality. For any issues or questions around these groups once established, IT administrators can contact Microsoft Managed Desktop operations. For more information, see [Admin support for Microsoft Managed Desktop](../working-with-managed-desktop/admin-support.md). |

+This set of common roles and responsibilities is required for deployment, but aren't provided by Microsoft. It's not exhaustive but is applicable for most organizations. There are a few items that both you and Microsoft share responsibility for.

+| Role or responsibility | Description |

+| -- | -- |

+| Change management | Microsoft will notify customers, in advance, when changes need to be made to their Microsoft Managed Desktop environment. For more information, see [service changes and communication](../service-description/servicechanges.md).<br><br>You must have your own change management process and have a contact established with Microsoft Managed Desktop Operations team. You also must have resources to review and approve these changes. For more information, see [Operations and monitoring](../service-description/operations-and-monitoring.md). |

+| Identity management | You're responsible for creating user accounts, assigning users to groups, and keeping metadata up to date. |

+| Microsoft 365 Apps for enterprise configuration and management | Microsoft is responsible for ensuring Office applications are deployed to users and those applications are kept up to date. <br><br> You're responsible for managing Microsoft 365 services and policies, including Exchange Online administration responsibilities:<br><ul><li>Email administration</li><li> Mailbox and rule configuration</li><li>Exchange on-premises management</li></ul><br>You're also responsible for collaboration tools, SharePoint server administration, domain management, and security and information policies that are set in the Microsoft 365 admin center. |

+| User support | Provide all user support and technical assistance from first contact through to resolution for the user, either by you or through a designated support partner. You must either provide user support directly or work with a partner to provide support for these areas: <br><ul><li>On-site infrastructure: all network and internet connectivity, VPN infrastructure and client configuration, local conference room equipment, printers, proxy server and configuration, and firewalls.</li><li>Company-wide cloud resources: email, SharePoint, collaboration services, and other cloud infrastructure that relates to the company-wide technology footprint.</li><li>Line of business and any other company-specific applications.</li></ul>

+| Apps | Roles and responsibilities vary somewhat for the apps provided as part of Microsoft Managed Desktop versus the apps you provide. <br><br>For apps provided by Microsoft (Microsoft 365 Apps for enterprise comprising Word, Excel, PowerPoint, Outlook, Publisher, Access, Skype for Business, Teams, and OneNote), **Microsoft** will provide full service for the deployment, update, and support. **You** must obtain and assign licenses for these apps, add users to security groups, and manage end of life and deploy any add-ons you need.<br><br>For apps you provide (such as your line-of-business apps), whether you package them yourself or engage a non-Microsoft vendor to do so, **you** are responsible for these actions: <br><ul><li>Identifying applications needed for targeted user groups</li><li>Creating and managing Azure AD groups for app deployment</li><li>Packaging apps to meet Microsoft Intune deployment standards</li><li> Uploading apps to Microsoft Intune</li><li>Testing apps in Microsoft Managed Desktop environment</li><li>Testing apps with your users</li><li>Managing and assigning users to applications</li><li>Identify and deploy application updates through Microsoft Intune</li><li>Uninstalling and removing applications when they've been retired</li><li>Procuring and assigning licenses</li><li>Providing user support for line-of-business apps</li><li> Managing app settings remotely</li></ul><br>**Microsoft** will provide Microsoft Intune deployment tools to deliver the applications to remote clients.<br><br>For more information, see [Apps](../get-ready/apps.md).

+| Security monitoring and response | You're responsible for investigating and resolving incidents for devices that aren't Microsoft Managed Desktop devices. You must ensure that the Microsoft Managed Desktop Operations Team is informed of any issues that may impact the service.

+| Operations support | You must provide a list of preferred contacts and subject matter experts in your organization. We need these contacts if there's an operational incident unrelated to Microsoft Managed Desktop. <br><br>You're also responsible for investigating and resolving incidents for devices and services that aren't in Microsoft Managed Desktop. You must ensure that the Microsoft Managed Desktop Operations Team is always informed.

+| Network infrastructure, including VPN | You're responsible for setup, configuration, and management (including troubleshooting and debugging) of all networking-related infrastructure and services. This also includes internet connectivity, network controls, proxy configuration, and remote connectivity infrastructure.<br><br>If a proxy is configured (in hardware or software), there's a collection of URLs that must be allowed by the proxy. You're responsible for troubleshooting any conflicts or incompatibilities due to multiple proxies. You can add network proxies specific to your organization using configurable settings. For more information, see [Configurable settings](../working-with-managed-desktop/config-setting-ref.md#proxy).<br><br>For more information, see [Proxy Configuration](../get-ready/network.md).

+| Printing | You're responsible for installing, maintaining, and administering printers and print queues. Cloud printing is a recommended solution, but it isn't required.

+# Microsoft Managed Desktop technologies

+This article summarizes the components included in the required Enterprise licenses, and how the service uses each component with Microsoft Managed Desktop devices. Specific roles and responsibilities for each area are detailed throughout Microsoft Managed Desktop documentation.

+| Product | Information |

+| -- | -- |

+| Microsoft 365 Apps for enterprise (64-bit) | The following Office applications will be shipped with the device:<br><ul><li>Word</li><li>Excel</li><li>PowerPoint</li><li>Outlook</li><li>Publisher</li><li>Access</li><li>Skype for Business</li><li>OneNote</li></ul><br>The 64-bit full versions of Microsoft Project and Microsoft Visio aren't included. However, since the installation of these applications depends on the Microsoft 365 Apps for Enterprise installation, Microsoft Managed Desktop created default Microsoft Intune deployments, and security groups that you can use to deploy these applications to licensed users. For more information, see [Install Microsoft Project or Microsoft Visio on Microsoft Managed Desktop devices](../get-started/project-visio.md). |

+| OneDrive | Azure Active Directory Single Sign On is enabled for users when they first sign in to OneDrive.<br><br>Known Folder Redirection for Desktop, Document, and Pictures folders are included. These folders are enabled and configured by Microsoft Managed Desktop. |

+| Store Apps | Microsoft Sway and Power BI aren't shipped with the device. These apps are available for download from Microsoft Store. |

+| Win32 Applications | Teams isn't shipped with the device, but it's packaged and provided by Microsoft for Microsoft Managed Desktop devices. Azure Information Protection Client isn't shipped with the device, but you can have it packaged for deployment. |

+| Web Applications | The following web applications aren't shipped with the device: <ul><li>Yammer</li><li>Office in a browser</li><li>Delve</li><li>Flow</li><li>StaffHub</li><li>Power Apps</li><li>Planner</li></ul> <br>Users can access the web version of these applications with a browser. |

+We recommend that your IT admins configure the following settings.

+> [!NOTE]

+> These settings aren't included or managed as part of Microsoft Managed Desktop.

+| Product | Information |

+| -- | -- |

+| Windows Hello for Business | You should implement Windows Hello for Business to replace passwords with strong two-factor authentication for Microsoft Managed Desktop devices. For more information, see [Windows Hello for Business](/windows/security/identity-protection/hello-for-business/hello-identity-verification). |

+| Application Virtualization | You can deploy Application Virtualization (App-V) packages using the Intune Win32 app management client. For more information, see [Application Virtualization](/windows/application-management/app-v/appv-technical-reference). |

+| Microsoft 365 data loss prevention | You should implement Microsoft 365 data loss prevention to monitor the actions taken on items you've determined to be sensitive, and to help prevent the unintentional sharing of those items. For more information, see [Microsoft 365 data loss prevention](../../compliance/endpoint-dlp-learn-about.md). |

+Features included and managed as part of Microsoft Managed Desktop:

+| Product | Information |

+| -- | -- |

+| BitLocker Drive Encryption | BitLocker Drive Encryption is used to encrypt all system drives. For more information, see [BitLocker Drive Encryption](/windows/security/information-protection/bitlocker/bitlocker-overview). |

+| Windows Defender System Guard | Protects the integrity of the system at startup, and validates that system integrity has truly been maintained. For more information, see [Windows Defender System Guard](/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows). |

+| Windows Defender Credential Guard | Windows Defender Credential Guard uses Virtualization-based security to isolate secrets so that only privileged system software can access them. For more information, see [Windows Defender System Guard](/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows). |

+| Microsoft Defender for Endpoint - Endpoint Detection and Response | Microsoft Managed Desktop Security Operations responds to alerts and takes action to remediate threats using Endpoint Detection and Response. For more information, see [Microsoft Defender for Endpoint - Endpoint Detection and Response](/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response). |

+| Microsoft Defender for Endpoint - Threat Experts | Microsoft Managed Desktop integrates with Threat Experts insights and data through targeted attack notifications. You must provide additional consent before this service is enabled. For more information, see [Microsoft Defender for Endpoint - Threat Experts](/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts). |

+| Microsoft Defender for Endpoint - Threat and Vulnerability Management | Required for future use in the Microsoft Managed Desktop service plan. For more information, see [Microsoft Defender for Endpoint - Threat and Vulnerability Management](/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt). |

+| Microsoft Defender for Endpoint - Attack Surface Reduction | Targets risky software behaviors that are often abused by attackers. For more information, see [Microsoft Defender for Endpoint - Attack Surface Reduction](/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction). |

+| Microsoft Defender for Endpoint - Exploit Protection | Protects against malware that uses exploits to infect devices, and spreads by automatically applying exploit mitigation techniques to operating system processes and apps. For more information, see [Microsoft Defender for Endpoint - Exploit Protection](/windows/security/threat-protection/microsoft-defender-atp/exploit-protection). |

+| Microsoft Defender for Endpoint - Network Protection | Expands the scope of Microsoft Defender SmartScreen to block all outbound HTTP and HTTPS traffic that attempts to connect to low-reputation sources. For more information, see [Microsoft Defender for Endpoint - Network Protection](/windows/security/threat-protection/microsoft-defender-atp/network-protection). |

+| Microsoft Defender Tamper Protection | Windows Tamper Protection is used to prevent security settings such as anti-virus protection from being changed. For more information, see [Microsoft Defender Tamper Protection](/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection). |

+| Microsoft Defender Antivirus Behavior-based, heuristic, and real-time antivirus protection | Always on to scan for file and process threats that may not be detected as malware. For more information, see [Microsoft Defender Antivirus Behavior-based, heuristic, and real-time antivirus protection](../../security/defender-endpoint/microsoft-defender-antivirus-in-windows-10.md). |

+| Microsoft Defender Antivirus Cloud-delivered Protection | Provides dynamic near-instant, automated protection against new and emerging threats. For more information, see [Microsoft Defender Antivirus Cloud-delivered Protection](/windows/security/threat-protection/microsoft-defender-antivirus/utilize-microsoft-cloud-protection-microsoft-defender-antivirus). |

+| Microsoft Defender for Endpoint - "Block at first sight" | Provides detection and blocking of new malware when Windows detects a suspicious or unknown file. For more information, see [Microsoft Defender for Endpoint - Block at first sight](/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus). |

+| Microsoft Defender Antivirus Potentially Unwanted Applications | Used to block apps that can cause your machine to run slowly, display unexpected ads, or, at worst, install other software that might be unexpected or unwanted. For more information, see [Microsoft Defender Antivirus Potentially Unwanted Applications](/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus). |

+| Windows Defender Firewall with Advanced Security | Host-based, two-way network traffic filtering for a device, Windows Defender Firewall blocks unauthorized network traffic flowing into or out of the local device. For more information, see [Windows Defender Firewall with Advanced Security](/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security). |

+| User Account Control | User Account Control switches to the Secure Desktop when a task or action requires the administrator account-type access. Microsoft Managed Desktop users are assigned Standard user access at enrollment. For more information, see [User Account Control](/windows/security/identity-protection/user-account-control/how-user-account-control-works). |

+| Product | Information |

+| -- | -- |

+| Enterprise Mobility + Security E3<br><br>Azure Active Directory Premium P2 | You can use all features of Enterprise Mobility + Security E3 to manage MDM devices.<br><br>You can use Azure Active Directory Premium P2 as an optional feature with Microsoft Managed Desktop. |

+| Microsoft Defender for Cloud Apps | You can use this optional feature with Microsoft Managed Desktop.

+| Azure Information Protection P2 | You can use this optional feature with Microsoft Managed Desktop.

+# Microsoft Managed Desktop and Windows 11

+Following the announcement of Windows 11, you might have started planning Windows 11 migrations as part of your efforts to keep Windows 10 devices up to date.

+This article outlines important considerations and how Microsoft Managed Desktop will support smooth transitions in your environments. For information about Windows 11 itself, see [Windows 11 overview](/windows/whats-new/windows-11).

+Windows 11 became generally available on October 4, 2021. It's ready for consumer and enterprise deployment, and it's a fully supported platform.

+We'll begin scheduling deployments for all Microsoft Managed Desktop devices starting January 2023. However, we'll provide full support for those that wish to deploy Windows 11 sooner. We'll consult and advise admins to develop and implement migration plans for each tenant based on technical readiness and your business considerations.

+Microsoft Managed Desktop continues to support Windows 10 in parallel until it reaches end of enterprise support. See [Windows 10 release information](/windows/release-health/release-information) for life cycle information.

+More than 95% of Microsoft Managed Desktop devices are eligible for Windows 11. You might want to try the upgrade on test devices prior to production deployment. For more about Windows 11 system requirements, see [Windows 11 requirements](/windows/whats-new/windows-11-requirements).

+For devices that aren't managed by Microsoft Managed Desktop, you can read [Endpoint Manager guidance](https://techcommunity.microsoft.com/t5/microsoft-endpoint-manager-blog/endpoint-manager-simplifies-upgrades-to-windows-11/ba-p/2771886) to learn about deploying Windows 11. If you have devices running Windows 11 and later and enroll them in Microsoft Managed Desktop, they won't revert back to Windows 10.

+For those that opted into Windows 11 testing prior to general availability, devices may have preview builds installed.

+Microsoft Managed Desktop devices in this state won't be offered the Windows 11 general availability build. However, the devices will still be supported to resolve encountered issues. Microsoft Managed Desktop monitors all managed devices for security threats, and will respond to any alerts regardless if the device is running a Windows 11 preview build.

+Because we're committed to helping you migrate to Windows 11 while remaining productive, we encourage you to report defects you encounter with the platform. We prioritize:

+- Defects that block user productivity upon broad deployment of Windows 11.

+- Defects that block user productivity on Windows 10 devices.

+Application compatibility is one of the most common concerns in any platform migration because of the potential for productivity disruptions. We're using several proactive and reactive measures to help you feel confident about smooth app transitions to Windows 11.

+The following are some proactive measures:

+| Proactive measures | Description |

+| -- | -- |

+| Common apps | Microsoft extensively tests the most common enterprise applications and suites deployed on Windows 11 builds. We work with external software publishers and internal product teams to resolve any issues discovered during testing. For more information about our proactive compatibility testing effort, see the [Application Compatibility blog](https://blogs.windows.com/windowsexperience/2019/01/15/application-compatibility-in-the-windows-ecosystem/).

+| Line-of-business apps | [Test Base](https://www.microsoft.com/en-us/testbase) is a resource that app publishers and IT admins can use to submit apps and test cases for Microsoft to run on a virtual machine running Windows 11 builds in a secure Azure environment.<br><br>Results, test insights, and regression analysis for each test execution are available to you on a private Azure portal. Microsoft Managed Desktop will help you prioritize your line-of-business apps for validation based on app usage and reliability data. For more information about Test Base, see [Test Base for Microsoft 365](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/test-base-for-microsoft-365-microsoft-ignite-2021-updates/ba-p/2185566). |

+If you encounter app compatibility issues in test or production environments, you can receive no-cost support by opening a [support request](/microsoft-365/managed-desktop/working-with-managed-desktop/test-win11-mmd?view=o365-worldwide#report-issues).

+For Windows 11, support includes any functionality with the following apps that run on the latest operating system builds:

+- Office

+- Microsoft Edge

+- Teams

+- line-of-business applications

+Microsoft App Assure directly engages app publishers to prioritize and resolve app compatibility issues when needed.

+> [!NOTE]

+> Live response requires **Automated investigation** to be turned on before you can enable it in the advanced settings section in the Microsoft for Endpoint portal.

+|[Block JavaScript or VBScript from launching downloaded executable content](#block-javascript-or-vbscript-from-launching-downloaded-executable-content) | N | N |

+Cancel an already launched machine action that is not yet in final state (completed, canceled, failed).

+ - m365-initiative-defender-endpoint

+- m365-security-compliance

+- m365-initiative-defender-endpoint

+ Standard mode also leverages common discovery protocols that use multicast queries in the network to find even more devices, in addition to the ones that were observed using the passive method.

+Clicking any of the device names will take you to that device's view, where you can continue to investigate reported alerts, behaviors, and events.

+- m365-initiative-defender-endpoint

+- [Microsoft Defender for Endpoint Plan 1 and Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037)

+ Title: Step 1. Create the Microsoft 365 Defender Evaluation Environment

+# Step 1. Create the Microsoft 365 Defender Evaluation Environment

+ Title: Step 4. Evaluate Microsoft Defender for Endpoint overview, including reviewing the architecture

+# Step 4. Evaluate Microsoft Defender for Endpoint overview

+ Title: Step 2. Evaluate Microsoft 365 Defender for Identity overview, set up evaluation

+# Step 2. Evaluate Microsoft Defender for Identity overview

+ Title: Step 6. Investigate and respond using Microsoft 365 Defender in a pilot environment

+# Step 6. Investigate and respond using Microsoft 365 Defender in a pilot environment

+ Title: Step 5. Evaluate Microsoft Defender for Cloud Apps overview

+# Step 5. Evaluate Microsoft Defender for Cloud Apps

+ Title: Step 3. Evaluate Microsoft Defender for Office 365 overview

+# Step 3. Enable and pilot Microsoft Defender for Office 365

+ Title: Step 7. Promote your Microsoft 365 Defender evaluation environment to Production

+# Step 7. Promote your Microsoft 365 Defender evaluation environment to production

+ - m365-initiative-defender-endpoint

+|Let users add new guests to the organization|On|When set to **Yes**, Azure AD members can invite guests via Azure AD; when set to **No**, they cannot. When set to **Yes**, Microsoft 365 group members can invite guests with owner approval; when set to **No**, Microsoft 365 group members can invite guests with owner approval but owners must be global administrators to approve. <p> Note that **Members can invite** refers to members in Azure AD (as opposed to guests) and not to site or group members in Microsoft 365. <p> This is identical to the **Members can invite** setting in Azure Active Directory Organizational relationships settings.|

+|Giphy content rating|Moderate|When set to **Allow all content**, guests can insert all Giphys in chats, regardless of the content rating. When set to **Moderate** guests can insert Giphys in chats, but will be moderately restricted from adult content. When set to **Strict** guests can insert Giphys in chats, but will be restricted from inserting adult content.|

+> [!NOTE]

+> Sharing settings for channel sites can only be changed by using the [Set-SPOSite](/powershell/module/sharepoint-online/set-sposite) PowerShell cmdlet.