Updates from: 02/05/2022 02:13:18
Category Microsoft Docs article Related commit history on GitHub Change details
admin Manage Groups https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/create-groups/manage-groups.md
This option is great if you want to have a company email address such as info@co
4. Select **Save**. > [!NOTE]
-> It may take up to 30 minutes before users outside the organication can email the group.
+> It may take up to 30 minutes before users outside the organization can email the group.
## Permanently delete a Microsoft 365 group
commerce Manage Partners https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/manage-partners.md
- commerce_subscriptions - admindeeplinkMAC search.appverid: MET150
-description: "Learn how to work with Microsoft-certified solution providers (partners) to purchase and manage products and services for your organization or school."
Previously updated : 04/13/2021
+description: "Learn how to work with Microsoft-certified solution providers (partners) to buy and manage products and services for your organization or school."
Last updated : 02/04/2022 # Manage partner relationships
There are several ways that a partner can work with you. Based on your stated bu
| Partner type | Description | | | - |
-| Reseller | Partners that sell Microsoft products to your organization or school. |
-| Delegated administrator | Partners that manage products and services for your organization or school. In Azure Active Directory (AD), the partner is a Global Administrator for your tenant. This role lets them manage services like creating user accounts, assigning and managing licenses, and password resets. |
-| Reseller & delegated administrator | Partners that sell and manage Microsoft products and services to your organization or school. |
+| Granular delegated administrator | Partners who manage products and services for your organization or school, but who have limited access to what they can do in the Microsoft 365 admin center. Granular delegated administrator privileges (GDAP) lets partners complete tasks in the admin center without having global admin permission. By giving GDAP to partners, you ensure they have the least-permissive roles and limit the risk to your organization. |
+| Reseller | Partners who sell Microsoft products to your organization or school. |
+| Delegated administrator | Partners who manage products and services for your organization or school. In Azure Active Directory (AD), the partner is a Global Administrator for your tenant. This role lets them manage services like creating user accounts, assigning and managing licenses, and password resets. |
+| Reseller & delegated administrator | Partners who sell and manage Microsoft products and services to your organization or school. |
| Partner | You give your partner a user account in your tenant, and they work with other Microsoft services on your behalf. | | Advisor | Partners can reset passwords and handle support incidents for you. | | Microsoft Products & Services Agreement (MPSA) partner | If you've worked with multiple partners through the MPSA program, you can allow them to see purchases made by each other. |
If you already have a partner but haven’t yet signed a Microsoft Customer Agre
Depending on the request made by the partner, when you accept the invitation, you agree to give them Global and Helpdesk admin roles. When you give these admin roles to a partner, you automatically grant them delegated admin privileges in Azure AD. To learn more, see [Delegated admin privileges in Azure AD](/partner-center/customers_revoke_admin_privileges#delegated-admin-privileges-in-azure-ad).
-If you don't want to give the admin roles to the partner, cancel the invitation instead of accepting it.
+The new granular delegated administrative privileges (GDAP) feature gives partners more granular and time-bound access to their customersΓÇÖ workloads. This means that partners are better able to address their customersΓÇÖ security concerns. Partners can also provide more services to customers who are uncomfortable with the current levels of partner access and who have regulatory requirements to provide only least-privileged access to partners. With GDAP, you agree to give partners roles specified in their request. These roles are customizable, so you can discuss with your partner if certain permissions are not approved by you.
+
+If you don't want to give admin roles to the partner, cancel the invitation instead of accepting it.
You can remove admin roles from a partner at any time. Removing the admin roles doesn’t remove the partner relationship. They can still work with you in a different capacity, such as a Reseller. If you decide that you don’t want to work with a partner anymore, contact your partner to end the relationship.
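Review bot: the unchanged sentence just above the new GDAP paragraph ("when you accept the invitation, you agree to give them Global and Helpdesk admin roles") now reads as if every partner invitation grants Global admin, while the new paragraph says a GDAP request grants only the roles the partner specifies; qualify that earlier sentence (for example, "For a delegated admin (DAP) request, ...") so a reader can tell which model each invitation uses before accepting. In the new table row, "Granular delegated administrator privileges (GDAP) lets partners" should be "let partners", and the row could mention that GDAP access is also time-bound, as the paragraph below states. The curly apostrophes in the new paragraph were mis-encoded (ΓÇÖ) in this change.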
compliance Apply Sensitivity Label Automatically https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/apply-sensitivity-label-automatically.md
This ability to apply sensitivity labels to content automatically is important b
- Users no longer need to know about your policies—they can instead focus on their work.
-When content has been manually labeled, that label will never be replaced by automatic labeling. However, automatic labeling can replace a [lower priority label](sensitivity-labels.md#label-priority-order-matters) that was automatically applied.
- There are two different methods for automatically applying a sensitivity label to content in Microsoft 365: - **Client-side labeling when users edit documents or compose (also reply or forward) emails**: Use a label that's configured for auto-labeling for files and emails (includes Word, Excel, PowerPoint, and Outlook).
There are two different methods for automatically applying a sensitivity label t
Specific to auto-labeling for SharePoint and OneDrive: - Office files for Word (.docx), PowerPoint (.pptx), and Excel (.xlsx) are supported.
- - These files can be auto-labeled at rest before or after the auto-labeling policies are created. Files cannot be auto-labeled if they're part of an open session (the file is open).
+ - These files can be auto-labeled at rest before or after the auto-labeling policies are created. Files can't be auto-labeled if they're part of an open session (the file is open).
- Currently, attachments to list items aren't supported and won't be auto-labeled. - Maximum of 25,000 automatically labeled files in your tenant per day. - Maximum of 100 auto-labeling policies per tenant, each targeting up to 100 sites (SharePoint or OneDrive) when they're specified individually. You can also specify all sites, and this configuration is exempt from the 100 sites maximum.
- - Existing values for modified, modified by, and the date are not changed as a result of auto-labeling policiesΓÇöfor both simulation mode and when labels are applied.
+ - Existing values for modified, modified by, and the date aren't changed as a result of auto-labeling policiesΓÇöfor both simulation mode and when labels are applied.
- When the label applies encryption, the [Rights Management issuer and Rights Management owner](/azure/information-protection/configure-usage-rights#rights-management-issuer-and-rights-management-owner) is the account that last modified the file. If this account is no longer in Azure Active Directory, the label won't be applied because these values can't be set. Specific to auto-labeling for Exchange:
- - Unlike manual labeling or auto-labeling with Office apps, PDF attachments as well as Office attachments are also scanned for the conditions you specify in your auto-labeling policy. When there is a match, the email is labeled but not the attachment.
+ - Unlike manual labeling or auto-labeling with Office apps, PDF attachments as well as Office attachments are also scanned for the conditions you specify in your auto-labeling policy. When there's a match, the email is labeled but not the attachment.
- For PDF files, if the label applies encryption, these files are encrypted by using [Office 365 Message Encryption (OME)](ome.md) when your tenant is [enabled for PDF attachments](ome-faq.yml#are-pdf-file-attachments-supported-). - For these Office files, Word, PowerPoint, and Excel are supported. If the label applies encryption, they're encrypted by using [Office 365 Message Encryption (OME)](ome.md). - If you have Exchange mail flow rules or data loss prevention (DLP) policies that apply IRM encryption: When content is identified by these rules or policies and an auto-labeling policy, the label is applied. If that label applies encryption, the IRM settings from the Exchange mail flow rules or DLP policies are ignored. However, if that label doesn't apply encryption, the IRM settings from the mail flow rules or DLP policies are applied in addition to the label.
- - Email that has IRM encryption with no label will be replaced by a label with any encryption settings when there is a match by using auto-labeling.
- - Incoming email is labeled when there is a match with your auto-labeling conditions. If the label is configured for [encryption](encryption-sensitivity-labels.md), that encryption is applied when the sender is from your organization but not applied when the sender is outside your organization.
- - If the label is configured to apply [dynamic markings](sensitivity-labels-office-apps.md#dynamic-markings-with-variables), be aware that this configuration can result in the names of people outside your organization.
- - When the label applies encryption, the [Rights Management issuer and Rights Management owner](/azure/information-protection/configure-usage-rights#rights-management-issuer-and-rights-management-owner) is the person who sends the email.
+ - Email that has IRM encryption with no label will be replaced by a label with any encryption settings when there's a match by using auto-labeling.
+ - Incoming email is labeled when there is a match with your auto-labeling conditions. If this label is configured for [encryption](encryption-sensitivity-labels.md), that encryption is always applied when the sender is from your organization. By default, that encryption isn't applied when the sender is outside your organization but can be applied by configuring **Additional settings for email** and specifying a Rights Management owner.
+ - When the label applies encryption, the [Rights Management issuer and Rights Management owner](/azure/information-protection/configure-usage-rights#rights-management-issuer-and-rights-management-owner) is the person who sends the email when the sender is from your own organization. When the sender is outside your organization, you can specify a Rights Management owner for incoming email that's labeled and encrypted by your policy.
+ - If the label is configured to apply [dynamic markings](sensitivity-labels-office-apps.md#dynamic-markings-with-variables), be aware that for incoming email, this configuration can result in displaying the names of people outside your organization.
## Compare auto-labeling for Office apps with auto-labeling policies
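Review bot: the two new Exchange bullets about encryption for email from external senders overlap and leave the purpose of the owner unstated: the first says encryption "can be applied by configuring **Additional settings for email** and specifying a Rights Management owner", and the next says "you can specify a Rights Management owner for incoming email", but neither says that the owner is the account that gets Full Control usage rights so someone in the organization can later remove or change the encryption (the configuration steps in this same file say exactly that). Merge them into one bullet that names the setting ("Apply encryption to email received from outside your organization") and links to the step where the owner is assigned.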
Use the following table to help you identify the differences in behavior for the
|Apply visual markings |Yes |Yes (email only) | |Override IRM encryption applied without a label|Yes if the user has the minimum usage right of Export |Yes (email only) | |Label incoming email|No |Yes|
+|Assign a Rights Management owner for emails sent from another organization |No |Yes|
+|For emails, replace existing label that has same or lower priority |No |Yes (configurable)|
\* Auto-labeling isn't currently available in all regions because of a backend Azure dependency. If your tenant can't support this functionality, the **Auto-labeling** tab isn't visible in the compliance center. For more information, see [Azure dependency availability by country](/troubleshoot/azure/general/dependency-availability-by-country).
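Review bot: the new row "For emails, replace existing label that has same or lower priority" answers "No" in the "Auto-labeling for files and emails" column, but the default behavior documented elsewhere in this change is that automatic labeling from a label setting does replace a lower-priority label that was automatically applied (only manual and higher-priority labels are left alone); either scope the row to what the override setting adds (manually applied and same-priority labels) or change the "No" so the two tables don't contradict each other. The "Assign a Rights Management owner for emails sent from another organization" row should also note that it applies only to email your policy labels with encryption, so the "Yes" isn't read as covering all external mail.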
To use automatic labeling with sublabels, make sure you publish both the parent
For more information on parent labels and sublabels, see [Sublabels (grouping labels)](sensitivity-labels.md#sublabels-grouping-labels).
+## Will an existing label be overridden?
+
+> [!NOTE]
+> A recently added setting for email auto-labeling polices let you specify that a matching sensitivity label will always override an existing label.
+
+Default behavior whether automatic labeling will override an existing label:
+
+- When content has been manually labeled, that label won't be replaced by automatic labeling.
+
+- Automatic labeling will replace a [lower priority sensitivity label](sensitivity-labels.md#label-priority-order-matters) that was automatically applied, but not a higher priority label.
+
+ > [!TIP]
+ > For example, the sensitivity label at the top of the list in the compliance center is named **Public** with an order number (priority) of 0, and the sensitivity label at the bottom of the list is named **Highly Confidential** with an order number (priority of 4). The **Highly Confidential** label can override the **Public** label but not the other way around.
+
+For email auto-labeling policies only, you can select a setting to always override an existing sensitivity label, regardless of how it was applied.
+
+|Existing label |Override with label setting: Auto-labeling for files and emails |Override with policy: Auto-labeling|
+|:--|:--|:--|
+|Manually applied, any priority|Word, Excel, PowerPoint: No <br /><br> Outlook: No |SharePoint and OneDrive: No <br /><br> Exchange: No by default, but configurable |
+|Automatically applied, lower priority |Word, Excel, PowerPoint: Yes <br /><br> Outlook: Yes | SharePoint and OneDrive: Yes <br /><br> Exchange: Yes |
+|Automatically applied, higher priority |Word, Excel, PowerPoint: No <br /><br> Outlook: No |SharePoint and OneDrive: No <br /><br> Exchange: No by default, but configurable |
+
+The configurable setting for email auto-labeling policies is on the **Additional settings for email** page. This page displays after you've selected a sensitivity label for an auto-labeling policy that includes the Exchange location.
+ ## How to configure auto-labeling for Office apps For built-in labeling in Office apps, check the [minimum versions required](sensitivity-labels-office-apps.md#support-for-sensitivity-label-capabilities-in-apps) for automatic labeling in Office apps.
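Review bot: the new section's table and the setting name disagree: the rows "Manually applied, any priority" and "Automatically applied, higher priority" say the Exchange override is "No by default, but configurable", and the intro says the setting overrides an existing label "regardless of how it was applied", yet the setting that enables this is named "Automatically replace existing labels that have the same or lower priority". State explicitly that the setting also replaces manually applied and higher-priority labels (or correct whichever statement is wrong) so admins don't assume a higher-priority label is protected once the setting is on. Smaller fixes in this hunk: "auto-labeling polices let you specify" should be "auto-labeling policies lets you specify" in the note, and "(priority of 4)" in the tip should be "(priority) of 4" to match the earlier "(priority) of 0".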
If you configure a sensitivity label with only EDM for your sensitive informatio
### Configuring trainable classifiers for a label
-If you use this option, make sure you have published in your tenant at least one other sensitivity label that's configured for auto-labeling and the [sensitive info types option](#configuring-sensitive-info-types-for-a-label).
+If you use this option, make sure you've published in your tenant at least one other sensitivity label that's configured for auto-labeling and the [sensitive info types option](#configuring-sensitive-info-types-for-a-label).
When you select the **Trainable classifiers** option, select one or more of the pre-trained or custom trainable classifiers:
In all cases, matched files are labeled until the OneDrive account is permanentl
9. For the **Choose a label to auto-apply** page: Select **+ Choose a label**, select a label from the **Choose a sensitivity label** pane, and then select **Next**.
+10. If your policy includes the Exchange location: Specify optional configurations on the **Additional settings for email** page:
+
+ - **Automatically replace existing labels that have the same or lower priority**: Applicable for both incoming and outgoing emails, when you select this setting, it ensures a matching sensitivity label will always be applied. If you don't select this setting, a matching sensitivity label won't be applied to emails that have an existing sensitivity label with a [higher priority](sensitivity-labels.md#label-priority-order-matters) or that were manually labeled.
+
+ - **Apply encryption to email received from outside your organization**: When you select this option, you must assign a [Rights Management owner](/azure/information-protection/configure-usage-rights#rights-management-issuer-and-rights-management-owner) to ensure that an authorized person in your organization has Full Control [usage rights](/azure/information-protection/configure-usage-rights#usage-rights-and-descriptions) for emails sent from your outside your organization and your policy labels with encryption. This role might be needed to later remove the encryption, or assign different usage rights for users in your organization.
+
+ For **Assign a Rights Management owner**, specify a single user by an email address that's owned by your organization. Don't specify a mail contact, a shared mailbox, or any group type, because these aren't supported for this role.
+ 10. For the **Decide if you want to test out the policy now or later** page: Select **Run policy in simulation mode** if you're ready to run the auto-labeling policy now, in simulation mode. Otherwise, select **Leave policy turned off**. Select **Next**: ![Test out the configured auto-labeling policy.](../media/simulation-mode-auto-labeling-wizard.png)
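Review bot: the new step is numbered 10 but the existing step that follows it ("Decide if you want to test out the policy now or later") is still numbered 10, so the procedure now has two step 10s; renumber that step and any that follow. In the second bullet, "for emails sent from your outside your organization and your policy labels with encryption" has a stray "your" and should read "for emails sent from outside your organization that your policy labels with encryption". In the first bullet, "Applicable for both incoming and outgoing emails, when you select this setting, it ensures" is a dangling lead-in; "This setting applies to both incoming and outgoing email; when you select it, a matching sensitivity label is always applied" reads cleanly.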
Although auto-labeling is one of the most efficient ways to classify, label, and
- When you use the [Azure Information Protection unified labeling client](/azure/information-protection/rms-client/aip-clientv2):
- - For files in on-premises data stores such as network shares and SharePoint Server libraries: Use the [scanner](/azure/information-protection/deploy-aip-scanner) to discover sensitive information in these files and label them appropriately. If you're planning to migrate or upload these files to SharePoint in Microsoft 365, use the scanner to label the files before you move them to the cloud.
+ - For files in on-premises data stores, such as network shares and SharePoint Server libraries: Use the [scanner](/azure/information-protection/deploy-aip-scanner) to discover sensitive information in these files and label them appropriately. If you're planning to migrate or upload these files to SharePoint in Microsoft 365, use the scanner to label the files before you move them to the cloud.
- If you've used another labeling solution before using sensitivity labels: Use PowerShell and [an advanced setting to reuse labels](/azure/information-protection/rms-client/clientv2-admin-guide-customizations#migrate-labels-from-secure-islands-and-other-labeling-solutions) from these solutions.
compliance Communication Compliance Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/communication-compliance-policies.md
The following table explains more about each condition.
| **Content matches any of these classifiers** | Apply to the policy when any classifiers are included or excluded in a message. Some classifiers are pre-defined in your tenant, and custom classifiers must be configured separately before they're available for this condition. Only one classifier can be defined as a condition in a policy. For more information about configuring classifiers, see [Learn about trainable classifiers (preview)](classifier-learn-about.md). | | **Content contains any of these sensitive info types** | Apply to the policy when any sensitive information types are included or excluded in a message. Some classifiers are pre-defined in your tenant, and custom classifiers can be configured separately or as part of the condition assignment process. Each sensitive information type you choose is applied separately and only one of these sensitive information types must apply for the policy to apply to the message. For more information about custom sensitive information types, see [Learn about sensitive information types](sensitive-information-type-learn-about.md). | | **Message is received from any of these domains** <br><br> **Message is not received from any of these domains** | Apply the policy to include or exclude specific domains or email addresses in received messages. Enter each domain or email address and separate multiple domains or email addresses with a comma. Each domain or email address entered is applied separately, only one domain or email address must apply for the policy to apply to the message. <br><br> If you want to scan all email from a specific domain, but want to exclude messages that don't need review (newsletters, announcements, and so on), you must configure a **Message is not received from any of these domains** condition that excludes the email address (example "newsletter@contoso.com"). |
-| **Message is sent to any of these domains** <br><br> **Message is not sent to any of these domains** | Apply the policy to include or exclude specific domains or email addresses in sent messages. Enter each domain or email address and separate multiple domains or email addresses with a comma. Each domain or email address is applied separately, only one domain or email address must apply for the policy to apply to the message. <br><br> If you want to scan all email sent to a specific domain, but want to exclude sent messages that don't need review, you must configure two conditions: <br> - A **Message is sent to any of these domains** condition that defines the domain ("contoso.com"), AND <br> - A **Message is not sent to any of these domains** condition that excludes the email address ("subscriptions@contoso.com"). |
+| **Message is sent to any of these domains** <br><br> **Message is not sent to any of these domains** | Apply the policy to include or exclude specific domains in sent messages. Enter each domain and separate multiple domains with a comma. Each domain is applied separately, only one domain must apply for the policy to apply to the message. <br><br> If you want to exclude all emails sent to two specific domains, you'd configure the **Message is not sent to any of these domains** condition with the two domains (example 'contoso.com,wingtiptoys.com'). |
| **Message is classified with any of these labels** <br><br> **Message is not classified with any of these labels** | To apply the policy when certain retention labels are included or excluded in a message. Retention labels must be configured separately and configured labels are chosen as part of this condition. Each label you choose is applied separately (only one of these labels must apply for the policy to apply to the message). For more information about retention labels, see [Learn about retention policies and retention labels](retention.md).| | **Message contains any of these words** <br><br> **Message contains none of these words** | To apply the policy when certain words or phrases are included or excluded in a message, enter each word separated with a comma. For phrases of two words or more, use quotation marks around the phrase. Each word or phrase you enter is applied separately (only one word must apply for the policy to apply to the message). For more information about entering words or phrases, see the next section [Matching words and phrases to emails or attachments](communication-compliance-policies.md#Matchwords).| | **Attachment contains any of these words** <br><br> **Attachment contains none of these words** | To apply the policy when certain words or phrases are included or excluded in a message attachment (such as a Word document), enter each word separated with a comma. For phrases of two words or more, use quotation marks around the phrase. Each word or phrase you enter is applied separately (only one word must apply for the policy to apply to the attachment). For more information about entering words or phrases, see the next section [Matching words and phrases to emails or attachments](communication-compliance-policies.md#Matchwords).|
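Review bot: the rewritten "Message is sent to any of these domains" row drops individual email addresses (domains only), but the unchanged "Message is received from any of these domains" row above still says to enter "each domain or email address" and its example excludes a single address; if addresses are still accepted only for received mail, say so in the sent-to row, otherwise update the received-from row in the same change. The removed two-condition guidance (include a domain, exclude one address) has no replacement; if that scenario is no longer supported for sent mail, one sentence saying so would stop readers looking for it. Minor: the new example uses single quotes ('contoso.com,wingtiptoys.com') while the row above uses double quotes.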
compliance Compliance Easy Trials Compliance Playbook https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/compliance-easy-trials-compliance-playbook.md
Help your organization assess risks and efficiently respond to nations, regional
[More information on the Compliance Manager premium assessments trial](compliance-easy-trials-compliance-manager-assessments.md).
+[Trial playbook: Microsoft Compliance Manager premium assessments](compliance-easy-trials-compliance-manager-assessment-playbook.md)
+ ### Microsoft Priva Privacy Risk Management and Microsoft Priva Subject Rights Requests **Identify & prevent privacy risks**
compliance Encryption Sensitivity Labels https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/encryption-sensitivity-labels.md
Encrypting your most sensitive documents and emails helps to ensure that only au
- If a label that applies encryption is added by using an Office app when the document is [checked out in SharePoint](https://support.microsoft.com/office/check-out-check-in-or-discard-changes-to-files-in-a-library-7e2c12a9-a874-4393-9511-1378a700f6de), and the user then discards the checkout, the document remains labeled and encrypted. -- The following actions for encrypted files aren't supported from Office apps (Windows, Mac, Android, and iOS), and users see an error message that something went wrong. However, SharePoint functionality can be used as an alternative:
+- Unless you have [enabled co-authoring for files encrypted with sensitivity labels](sensitivity-labels-coauthoring.md), the following actions for encrypted files aren't supported from Office apps (Windows, Mac, Android, and iOS), and users see an error message that something went wrong. However, SharePoint functionality can be used as an alternative:
- View, restore, and save copies of previous versions. As an alternative, users can do these actions using Office on the web when you [enable and configure versioning for a list or library](https://support.office.com/article/enable-and-configure-versioning-for-a-list-or-library-1555d642-23ee-446a-990a-bcab618c7a37). - Change the name or location of files. As an alternative, users can [rename a file, folder, or link in a document library](https://support.microsoft.com/office/rename-a-file-folder-or-link-in-a-document-library-bc493c1a-921f-4bc1-a7f6-985ce11bb185) in SharePoint.
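Review bot: the new "Unless you have enabled co-authoring for files encrypted with sensitivity labels" qualifier makes the whole bullet conditional, but the sub-bullets that follow ("As an alternative, users can ...") still present the SharePoint workarounds as always needed; add a clause such as "when co-authoring isn't enabled" to the first sub-bullet, or move the workarounds under the list of unsupported actions, so that tenants with co-authoring enabled don't conclude that previous-version restore and rename are still blocked.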
compliance Event Driven Retention https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/event-driven-retention.md
Finally, choose the date when the event occurred; this date is used as the start
After creating an event, the retention settings take effect for the content that's already labeled and indexed. If the retention label is added to new content after the event is created, you must create a new event with the same details.
-Deleting an event doesn't cancel the retention settings that are now in effect for the content that's already labeled. To do that, create a new event with the same details, but leave the date blank.
+Deleting an event doesn't cancel the retention settings that are now in effect for the content that's already labeled. Currently, you can't cancel events after they're triggered.
## Use Content Search to find all content with a specific label or asset ID
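Review bot: replacing the blank-date workaround with "Currently, you can't cancel events after they're triggered" removes the only remediation the page offered, while the sentence before it ("Deleting an event doesn't cancel the retention settings") still leaves the reader expecting one. Since the effect is irreversible, add a sentence telling admins to verify the asset ID, label and event date before creating the event, and say what deleting an event does do (the previous paragraph already implies a new event is needed for content labeled later, so the two statements should be tied together).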
contentunderstanding Document Understanding Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/contentunderstanding/document-understanding-overview.md
Document understanding models support the following file types:
- xls - xlsx
+### Supported languages
+
+Document understanding models support the following languages:
+- French
+- German
+- Italian
+- Spanish
## See Also
Document understanding models support the following file types:
[Form processing overview](form-processing-overview.md)
-[SharePoint Syntex Accessibility Mode](accessibility-mode.md)
+[SharePoint Syntex Accessibility Mode](accessibility-mode.md)
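Review bot: the new "Supported languages" list omits English; if models are English by default and these are additional languages, say so in the intro sentence ("in addition to English"), otherwise readers will assume English isn't supported. The final link line appears in the diff only because of a trailing-newline change, which is fine.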
enterprise Deploy Identity Solution Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/deploy-identity-solution-overview.md
Review this two-page poster to quickly ramp up on identity concepts and configur
You can [download this poster](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/downloads/m365e-identity-infra.pdf) and can print it in letter, legal, or tabloid (11 x 17) format.
+This solution is the first step to build out the Microsoft 365 Zero Trust deployment stack.
+
+![The Microsoft 365 Zero Trust deployment stack](../media/deploy-identity-solution-overview/zero-trust-deployment-stack.png)
+
+For more information, see the [Microsoft 365 Zero Trust deployment plan](/microsoft-365/security/microsoft-365-zero-trust).
+ ## WhatΓÇÖs in this solution This solution steps you through the deployment of an identity infrastructure for your Microsoft 365 tenant to provide access for your employees and protection against identity-based attacks.
enterprise Modern Desktop Deployment And Management Lab https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/modern-desktop-deployment-and-management-lab.md
description: Learn about where to access the Windows and Office Deployment Lab K
# Windows and Office 365 deployment lab kit
-The Windows and Office 365 deployment lab kit is designed to help you plan, test, and validate your deployment and management of desktops running Windows 10 Enterprise or Windows 11 Enterprise and Microsoft 365 Apps for enterprise. The labs in the kit cover using Microsoft Endpoint Configuration Manager, Desktop Analytics, the Office Customization Tool, OneDrive, Windows Autopilot, and more.
-
-This kit is highly recommended for organizations preparing for Windows 8.1 upgrades to Windows 10. It also applies if you're currently using Windows 10, Microsoft 365 Apps for enterprise (formerly Office 365 ProPlus), or Office 2019. As an isolated environment, the resulting lab is ideal for exploring deployment tool updates and testing your deployment-related automation.
+The Windows and Office 365 deployment lab kit is designed to help you plan, test, and validate your deployment and management of desktops running Windows 10 Enterprise or Windows 11 Enterprise and Microsoft 365 Apps for enterprise. The labs in the kit cover using Microsoft Endpoint Configuration Manager, the Office Customization Tool, OneDrive, Windows Autopilot, and more. This kit is highly recommended for organizations preparing for desktop upgrades. As an isolated environment, the lab is also ideal for exploring deployment tool updates and testing your deployment-related automation.
**Windows 10 and Windows 11 versions of the lab kit are now available for free download in the Microsoft Evaluation Center.**
The lab provides you with an automatically provisioned virtual lab environment,
|Windows 10 Lab |Windows 11 Lab | ||| |Windows 10 Enterprise, Version 21H1 | Windows 11 Enterprise |
-|Microsoft Endpoint Configuration Manager, Version 2103 | Microsoft Endpoint Configuration Manager, Version 2107 |
+|Microsoft Endpoint Configuration Manager, Version 2103 | Microsoft Endpoint Configuration Manager, Version 2111 |
|Windows Assessment and Deployment Kit for Windows 10 | Windows Assessment and Deployment Kit for Windows 11 | |Windows Server 2019 | Windows Server 2022 |
The labs are also designed to be connected to trials for:
## Step-by-step labs
-Detailed lab guides take you through multiple deployment and management scenarios. The labs have been updated for the latest versions of Intune and Configuration Manager.
-
-Note: The Windows 11 version of the lab includes the Windows 10 lab guide. A Windows 11 version of the lab guide will be available soon.
+Detailed lab guides take you through multiple deployment and management scenarios. The labs have been updated for the latest versions of Intune and Configuration Manager. Note: A new Windows 11 version of the lab is now available. The lab guides include the following scenarios:
### Plan and prepare infrastructure -- Desktop Analytics-- Cloud Management Gateway & Cloud Distribution Point-- NEW! Tenant attach and co-management-- NEW! Endpoint analytics-- Remote access (VPN)-
-### Prepare configuration
--- Optimize Windows 10 update delivery-- Servicing Windows 10 using Group Policy-- Servicing Windows 10 using Microsoft Intune-- Servicing Windows 10 with Configuration Manager-- Servicing Microsoft 365 Apps for enterprise using Configuration Manager-- Servicing Microsoft 365 Apps for enterprise using Intune-- Security and compliance
+- Cloud Management Gateway
+- Tenant attach and co-management
+- Endpoint analytics
+- Optimize update delivery
-### Prepare applications
+### Deploy Windows
-- Readiness Toolkit for Office-- MSIX Packaging and Conversion of Win32 applications
+- OS deployment task sequences in Configuration Manager
+- Windows Autopilot
-### Deploy Windows 10
+### Service Windows
-- OS Deployment task sequences in Configuration Manager-- OS Deployment task sequences in the Microsoft Deployment Toolkit (MDT)-- Windows Autopilot-- Deploy and manage the new Microsoft Edge
+- Servicing Windows using Group Policy
+- Servicing Windows using Microsoft Intune
+- Servicing Windows with Configuration Manager
### Deploy Microsoft 365 Apps for enterprise
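Review bot: the replaced scenario lists drop `- Desktop Analytics`, `- Remote access (VPN)`, the whole `### Prepare applications` block (Readiness Toolkit for Office, MSIX packaging), the MDT task-sequence item and `### Deploy Windows Virtual Desktop` without the surrounding text saying whether those labs were retired from the kit; add that to the "A new Windows 11 version of the lab is now available" note so readers still on the Windows 10 lab know which guides no longer apply. In the table above, the Windows 11 column moves to Configuration Manager 2111 while the Windows 10 column stays at 2103; confirm the Windows 10 kit was not refreshed in the same release.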
Note: The Windows 11 version of the lab includes the Windows 10 lab guide. A Win
- Microsoft 365 Apps for enterprise Deployment on Non-AD Joined Devices - Enterprise managed deployment using Configuration Manager - Enterprise managed deployment using Microsoft Intune
+- Servicing Microsoft 365 Apps for enterprise using Configuration Manager
+- Servicing Microsoft 365 Apps for enterprise using Intune
- LOB Deployment and Management with Microsoft Intune - Deploy Microsoft Teams-- NEW! Assignment filters
+- Assignment filters
+
+### Managing Microsoft Edge
+
+- Deploy and Update Edge
+- IE Mode
+- Setup Enterprise New Tab Page
-### Deploy Windows Virtual Desktop
+### Security and Compliance
-- Prepare, deploy, optimize
+- BitLocker
+- Microsoft Defender Antivirus
+- Windows Hello for Business
## Download the lab [Download the Windows 10 and Office 365 deployment lab kit](https://www.microsoft.com/evalcenter/evaluate-lab-kit)<br> [Download the Windows 11 and Office 365 deployment lab kit](https://www.microsoft.com/evalcenter/evaluate-windows-11-office-365-lab-kit) > [!NOTE]
-> Please use a broadband internet connection to download this content and allow 30-45 minutes for automatic provisioning. The lab environment requires a minimum of 16 GB of available memory and 150 GB of free disk space. For optimal performance, 32 GB of available memory and 300 GB of free space is recommended. The Windows 10 lab expires February 15, 2022. The Windows 11 lab expires March 10, 2022. New versions will be published prior to expiration.
+> Please use a broadband internet connection to download this content and allow approximately 30 minutes for automatic provisioning. The lab environment requires a minimum of 16 GB of available memory and 150 GB of free disk space. For optimal performance, 32 GB of available memory and 300 GB of free space is recommended. The Windows 10 lab expires February 15, 2022. The Windows 11 lab expires April 11, 2022. New versions will be published prior to expiration.
## Additional guidance
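Review bot: the new `### Managing Microsoft Edge` heading breaks the pattern of its siblings (`### Deploy Windows`, `### Service Windows`, `### Security and Compliance`), and the item `- Setup Enterprise New Tab Page` uses the noun `Setup` where the verb is meant; suggest `### Manage Microsoft Edge` and `- Set up the Enterprise New Tab Page`. In the download note, the Windows 10 lab expiry of February 15, 2022 is left unchanged while only the Windows 11 date moves to April 11, 2022; if a refreshed Windows 10 kit is planned, state that directly rather than relying on the generic `New versions will be published prior to expiration`.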
managed-desktop Company Portal https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/get-started/company-portal.md
# Install Intune Company Portal on devices
-Microsoft Managed Desktop requires that IT administrators install Intune Company Portal for their users with Microsoft Managed Desktop devices. Here are some benefits for your organization:
-- Users have one place to browse and install available applications.
+Microsoft Managed Desktop requires that IT administrators install the Intune Company Portal for their users with Microsoft Managed Desktop devices. The benefits to your organization include:
+
+- Users have one place to browse and install available applications.
- IT administrators can organize applications by categories for their users. - Some applications (like Microsoft Project and Microsoft Visio) require Company Portal to deploy with Microsoft Managed Desktop.-- IT administrators can customize Company Portal for their organization. This includes brand imaging, adding in local support contacts, and more. For more information, see [How to Configure the Microsoft Intune Company Portal app](/intune/company-portal-app).
+- IT administrators can customize Company Portal for their organization. Customizations includes brand imaging, adding in local support contacts, and more. For more information, see [How to Configure the Microsoft Intune Company Portal app](/intune/company-portal-app).
+
+This article documents the process for deploying the Intune Company Portal to your Microsoft Managed Desktop users. The overall process looks like this:
+
+1. [Purchase Company Portal from Microsoft Store for Business and sync with Intune](#step-1-purchase-company-portal-from-microsoft-store-for-business-and-sync-with-intune).
+2. [Assign Company Portal to your users](#step-2-assign-company-portal-to-your-users).
+3. [Communicate change to your users.](#step-3-communicate-change-to-your-users)
+
+## Step 1: Purchase Company Portal from Microsoft Store for Business and sync with Intune
+
+For information on how to purchase the apps and sync with Intune, see [Microsoft Store for Business apps](deploy-apps.md#msfb-apps) in *Deploy apps to Microsoft Managed Desktop devices*.
+
+This article provides info on how to:
+
+- Purchase Company Portal from Microsoft Store for Business.
+- Force sync between Intune and Microsoft Store for Business.
+- Verify active sync between Intune and Microsoft Store for Business.
-This topic documents the process for deploying the Intune Company Portal to your Microsoft Managed Desktop users. The overall process looks like this:
-1. Purchase Company Portal from Microsoft Store for Business and sync with Intune
-2. Assign Company Portal to your users
-3. Communicate change to your users
+## Step 2: Assign Company Portal to your users
-## Step 1 - Purchase Company Portal from Microsoft Store for Business and sync with Intune
-For info on how to purchase the apps and sync with Intune, see [Microsoft Store for Business apps](deploy-apps.md#msfb-apps) in *Deploy apps to Microsoft Managed Desktop devices*.
+Following your enrollment in Microsoft Managed Desktop, we'll automatically deploy Company Portal to your tenant and install the app on Microsoft Managed Desktop devices in your organization.
-This topic provides info on how to:
-- Purchase Company Portal from Microsoft Store for Business -- Force sync between Intune and Microsoft Store for Business-- Verify active sync between Intune and Microsoft Store for Business
+## Step 3: Communicate change to your users
-## Step 2 - Assign Company Portal to your users
-Following your enrollment in Microsoft Managed Desktop, we will automatically deploy Company Portal to your tenant and install the app on Microsoft Managed Desktop devices in your organization.
+As the IT administrator for your organization, it's important to let your users know how to use Company Portal in your organization. Microsoft Managed Desktop recommends:
-## Step 3 - Communicate change to your users
-As the IT administrator for your organization, itΓÇÖs important to let your users know how to use Company Portal in your organization. Microsoft Managed Desktop recommends:
- Steps on installing applications from the Company Portal. For more information, see [Install and share apps on your device](/intune-user-help/install-apps-cpapp-windows).-- How to send requests to IT administrators for applications that are not currently available. For more information, see [Request an app for work or school](/intune-user-help/install-apps-cpapp-windows#request-an-app-for-work-or-school).
+- How to send requests to IT administrators for applications that aren't currently available. For more information, see [Request an app for work or school](/intune-user-help/install-apps-cpapp-windows#request-an-app-for-work-or-school).
## Steps to get started with Microsoft Managed Desktop
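Review bot: subject-verb agreement in the added line `Customizations includes brand imaging` should be `Customizations include`. In the same hunk, `This article provides info on how to:` keeps `info` although the sentence two lines above was just changed from `info` to `information`, and item 3 of the numbered list puts the period inside the link text (`[Communicate change to your users.](#step-3-communicate-change-to-your-users)`) where items 1 and 2 put it outside; suggest `information` and `[Communicate change to your users](#step-3-communicate-change-to-your-users).`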
managed-desktop Enterprise State Roaming https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/get-started/enterprise-state-roaming.md
Title: Enable Enterprise State Roaming
-description:
+description: This article describes how to enable enterprise state roaming
keywords: Microsoft Managed Desktop, Microsoft 365, service, documentation
# Enable Enterprise State Roaming
-[Enterprise State Roaming](/azure/active-directory/devices/enterprise-state-roaming-overview) lets users securely synchronize user and application settings data to the cloud. This means they'll have the same experience no matter which Windows device they sign into. For example, if you replace one of their Microsoft Managed Desktop devices with a new one, it will look and behave exactly the same as the last one. Enterprise State Roaming is an optional feature for the Microsoft Managed Desktop service that you can configure for your users and isn't included or managed as part of Microsoft Managed Desktop.
+[Enterprise State Roaming](/azure/active-directory/devices/enterprise-state-roaming-overview) lets users securely synchronize user and application settings data to the cloud. This means they'll have the same experience no matter which Windows device they sign into. For example, if you replace one of their Microsoft Managed Desktop devices with a new device, it will look and behave exactly the same as the last one.
+
+Enterprise State Roaming is an optional feature for the Microsoft Managed Desktop service that you can configure for your users. It isn't included or managed as part of Microsoft Managed Desktop.
To enable Enterprise State Roaming, follow the steps in [Enable Enterprise State Roaming in Azure Active Directory](/azure/active-directory/devices/enterprise-state-roaming-enable).
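Review bot: the new `description:` value uses lowercase `enterprise state roaming` and has no terminal period, while the H1 and body treat Enterprise State Roaming as a proper name; suggest `description: This article describes how to enable Enterprise State Roaming.`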
To enable Enterprise State Roaming, follow the steps in [Enable Enterprise State
## Steps to get started with Microsoft Managed Desktop
-1. [Add and verify admin contacts in the Admin portal](add-admin-contacts.md)
-2. [Adjust conditional access](conditional-access.md)
-3. [Assign licenses](assign-licenses.md)
-4. [Deploy Intune Company Portal](company-portal.md)
-5. Enable Enterprise State Roaming (this topic)
-6. [Set up devices](set-up-devices.md)
-7. [Get your users ready to use devices](get-started-devices.md)
-8. [Deploy apps](deploy-apps.md)
+1. [Add and verify admin contacts in the Admin portal](add-admin-contacts.md).
+2. [Adjust conditional access](conditional-access.md).
+3. [Assign licenses](assign-licenses.md).
+4. [Deploy Intune Company Portal](company-portal.md).
+5. Enable Enterprise State Roaming (this topic).
+6. [Set up devices](set-up-devices.md).
+7. [Get your users ready to use devices](get-started-devices.md).
+8. [Deploy apps](deploy-apps.md).
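Review bot: item 5 in the renumbered list keeps `(this topic)` while the rest of this update replaces `topic` with `article` (see the Company Portal changes on this page); suggest `5. Enable Enterprise State Roaming (this article).`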
managed-desktop Esp First Run https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/get-started/esp-first-run.md
Enrollment Status Page and Autopilot for pre-provisioned deployment are enabled
Microsoft Managed Desktop uses these settings in the Autopilot profile used for your users' devices:
-****
- | Setting | Value | | -- | -- | | Deployment mode | User Driven |
Microsoft Managed Desktop uses these settings in the Autopilot profile used for
Microsoft Managed Desktop uses these settings for the Enrollment Status Page experience:
-****
- | Setting | Value |
-| -- | -- |
+| | |
| Show app and profile configuration progress | Yes | | Show an error when installation takes longer than specified number of minutes | 60 | | Show custom message when time limit error occurs | No |
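Review bot: the replacement delimiter row `| | |` under `| Setting | Value |` shows no dashes here; a Markdown table needs a dash run in each cell of that row (for example `| --- | --- |`), otherwise the header turns into an ordinary data row and the whole table falls back to plain text. Confirm the committed line actually contains the dashes; the other tables in this update use `| -- | -- |`.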
Microsoft Managed Desktop uses these settings for the Enrollment Status Page exp
| Block device use until all apps and profiles are installed | Yes | | Allow users to reset device if installation error occurs | Yes | | Allow users to use device if installation error occurs | Yes |
-| Block device use until these required apps are installed if they're assigned to the user/device|Modern Workplace - Time Correction | Modern Workplace - Client Library |
+| Block device use until these required apps are installed if they're assigned to the user/device <ul><li> Modern Workplace - Time Correction</li><li>Modern Workplace - Client Library</li></ul> | Yes |
The Enrollment Status Page experience occurs in three phases. For more, see [Enrollment Status Page tracking information](/mem/intune/enrollment/windows-enrollment-status#enrollment-status-page-tracking-information).
managed-desktop Get Started App Control https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/get-started/get-started-app-control.md
Title: Get started with app control
-description:
+description: This article describes how to enable app control
keywords: Microsoft Managed Desktop, Microsoft 365, service, documentation
managed-desktop Localization https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/get-started/localization.md
audience: Admin
# Localize the user experience
-Users of Microsoft Managed Desktop devices can select the language of their choice either during the setup process (the "out of box experience") or afterwards.
+Users of Microsoft Managed Desktop devices can select the language of their choice either during the setup process (the "out of box experience"), or afterwards.
## During setup (the "out of box experience")
-During the process of completing setup, users can select the language of their choice. This selection affects these attributes:
+During setup, users can select the language of their choice. This selection affects these attributes:
-- Windows 10 language features:
- - Display language
- - Keyboard language
- - Language-related Features on Demand
--- Microsoft 365 Apps for Enterprise language features:
- - Display language
- - Proofing and authoring tools
+| Attribute | Description |
+| | |
+| Windows 10 language features | <ul><li>Display language</li><li>Keyboard language</li><li>Language-related Features on Demand</li><ul> |
+| Microsoft 365 Apps for Enterprise language features | <ul><li>Display language</li><li>Proofing and authoring tools</li></ul> |
> [!NOTE] > Users can only get language-related Features On Demand by selecting the language during the setup process. ## After completing setup
-Users can select the language of their choice for Windows 10 and Microsoft 365 Apps for Enterprise anytime after the setup process is complete. Specifically:
--- Windows 10 language features:
- - Display language
- - Keyboard language
+Users can select the language of their choice for Windows 10, and Microsoft 365 Apps for Enterprise anytime after the setup process is complete. Specifically:
-- Microsoft 365 Apps for Enterprise language features:
- - Display language
- - Proofing and authoring tools
+| Feature | Description |
+| | |
+| Windows 10 language features | <ul><li>Display language</li><li>Keyboard language</li><ul> |
+| Microsoft 365 Apps for Enterprise language features | <ul><li>Display language</li><li>Proofing and authoring tools</li></ul> |
To make the [Supported languages](#supported-languages) for Microsoft 365 Apps for Enterprise available for your users to install, add the users to the **Modern Workplace-Office-Language_Packs** group. The languages will be available in the Intune Company Portal. - ## Supported languages
-For new devices, your manufacturer must provide device images that include the languages you require. If your manufacturer's image includes languages other than those provided in the supported languages list it is still supported by the service.
+For new devices, your manufacturer must provide device images that include the languages you require. If your manufacturer's image includes languages that aren't included in the supported languages list, the device is still supported by the service.
-If you are reusing existing devices, you might need to work with your Microsoft account representative to obtain appropriate images. For more information, see [Device images](../service-description/device-images.md).
+If you're reusing existing devices, you might need to work with your Microsoft account representative to obtain appropriate images. For more information, see [Device images](../service-description/device-images.md).
The [universal image](../service-description/device-images.md#universal-image) provided by Microsoft Managed Desktop includes these languages and for Windows 10:
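Review bot: both new tables close their first HTML list with `<ul>` instead of `</ul>` (`...Language-related Features on Demand</li><ul> |` and `...Keyboard language</li><ul> |`), which leaves an unclosed list inside the cell and can swallow the rest of the row when rendered; change both to `</ul>`. The delimiter rows `| | |` under `| Attribute | Description |` and `| Feature | Description |` also need a dash run in each cell to render as table headers. Finally, the added commas in `(the "out of box experience"), or afterwards` and `Windows 10, and Microsoft 365 Apps for Enterprise` separate two items that take no comma; drop them.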
The [universal image](../service-description/device-images.md#universal-image) p
- Dutch - English (US, GB, AU, CA, IN) - Estonian-- Finnish
+- Finnish
- French (France, Canada) - German - Greek
The [universal image](../service-description/device-images.md#universal-image) p
- Portuguese (Brazil) - Portuguese (Portugal) - Romanian-- Russian
+- Russian
- Serbian (Latin alphabet) - Slovak - Slovenian
The [universal image](../service-description/device-images.md#universal-image) p
- Ukrainian - Vietnamese
-Microsoft 365 Apps for Enterprise might support a slightly different list.
+> [!NOTE]
+> Microsoft 365 Apps for Enterprise might support a slightly different list.
If your users need a language other than the ones listed here, file a [support request](../working-with-managed-desktop/admin-support.md) by using the [Admin portal](access-admin-portal.md). ## Languages for support and operations ### User support
-Microsoft Managed Desktop provides support only in English. If users choose another language in the Get Help app, they will get support from the general Microsoft support channels, rather than support directly from Microsoft Managed Desktop. For more information, see [Getting help for users](../working-with-managed-desktop/end-user-support.md).
+
+Microsoft Managed Desktop provides support only in English. If users choose another language in the Get Help app, they'll get support from the general Microsoft support channels, rather than support directly from Microsoft Managed Desktop. For more information, see [Getting help for users](../working-with-managed-desktop/end-user-support.md).
If your users need support in other languages, you'll have to provide that through non-Microsoft support sources or from your own organization. ### Admin support and operations
-Microsoft Managed Desktop provides admin support only in English. This includes the Admin portal and all communications with Microsoft Managed Desktop Operations. You should assume that all admin-related interactions and interfaces will be in English, unless specified otherwise.
-
+Microsoft Managed Desktop provides admin support only in English. This support includes the Admin portal and all communications with Microsoft Managed Desktop Operations. You should assume that all admin-related interactions and interfaces will be in English, unless specified otherwise.
managed-desktop Register Devices Partner https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/get-started/register-devices-partner.md
audience: Admin
# Steps for Partners to register devices
+This article describes the steps for Partners to register devices. The process for registering devices yourself is documented in [Register devices in Microsoft Managed Desktop yourself](register-devices-self.md).
-This article describes the steps for Partners to follow to register devices. The process for registering devices yourself is documented in [Register devices in Microsoft Managed Desktop yourself](register-devices-self.md).
---
-## Prepare for registration
-Before completing registration for a customer, you must first establish a relationship with them at the [Partner Center](https://partner.microsoft.com/dashboard). See the [consent documentation](/windows/deployment/windows-autopilot/registration-auth#csp-authorization) for more details on that process. Any CSP partner can add devices on behalf of any customer, as long as the customer consents. You can also learn more about partner relationships and Autopilot permissions at [Partner Center help](/partner-center/customers_revoke_admin_privileges#windows-autopilot).
+## Prepare for registration
+Before completing registration for a customer, you must first establish a relationship with them in the [Partner Center](https://partner.microsoft.com/dashboard). For more information on that process, see the [consent documentation](/windows/deployment/windows-autopilot/registration-auth#csp-authorization). Any CSP partner can add devices on behalf of any customer, as long as the customer consents. You can also learn more about partner relationships and Autopilot permissions at [Partner Center help](/partner-center/customers_revoke_admin_privileges#windows-autopilot).
> [!NOTE] > This documentation is only for Partners and OEMs. The process for self-registration is documented in [Register devices in Microsoft Managed Desktop yourself](register-devices-self.md).
+## Register devices using the Partner Center
-## Register devices by using Partner Center
+Once you've established the relationship with your customers, you can use Partner Center to add devices to Autopilot for any of the customers.
-Once you have established the relationship with your customers, you can use Partner Center to add devices to Autopilot for any of the customers that you have a relationship with by following these steps:
+**To register devices using the Partner Center:**
-1. Navigate to [Partner Center](https://partner.microsoft.com/dashboard)
+1. Navigate to [Partner Center](https://partner.microsoft.com/dashboard).
2. Select **Customers** from the Partner Center menu and then select the customer whose devices you want to manage. 3. On the customer's detail page, select **Devices**. 4. Under **Apply profiles** to devices, select **Add devices**. 5. Enter the appropriate Group Tag for the device profile you've selected (as shown in the following table) and then select **Browse** to upload the customer's list (in .csv file format) to Partner Center.
-|[Device profile](../service-description/profiles.md) |Group Tag |
-|||
-|Sensitive data |**Microsoft365Managed\_SensitiveData** |
-|Power user | **Microsoft365Managed\_PowerUser** |
-|Standard | **Microsoft365Managed\_Standard** |
+| [Device profile](../service-description/profiles.md) | Group Tag |
+| -- | --|
+| Sensitive data | **Microsoft365Managed\_SensitiveData** |
+| Power user | **Microsoft365Managed\_PowerUser** |
+| Standard | **Microsoft365Managed\_Standard** |
> [!IMPORTANT] > The Group Name must match those listed in the table exactly, including capitalization and special characters. This will allow the newly registered devices to be assigned with the Microsoft Managed Desktop Autopilot profile. >[!NOTE]
-> You should have received this .csv file with your device purchase. If you didn't receive a .csv file, you can create one yourself by following the steps in [Adding devices to Windows Autopilot](/windows/deployment/windows-autopilot/add-devices#collecting-the-hardware-id-from-existing-devices-using-powershell). Extra columns are not supported. Quotes are not supported. Only ANSI-format text files can be used (not Unicode). Headers are case-sensitive. Editing the file in Excel and saving it as a CSV file will not generate a usable file due to these requirements. Ensure that you preserve any leading zeroes in the device serial numbers. Partners should use [Get-WindowsAutoPilotInfo](https://www.powershellgallery.com/packages/Get-WindowsAutoPilotInfo) to register devices for Microsoft Managed Desktop devices in Partner Center.
+> You should have received this .csv file with your device purchase. If you didn't receive a .csv file, you can create one yourself by following the steps in [Adding devices to Windows Autopilot](/windows/deployment/windows-autopilot/add-devices#collecting-the-hardware-id-from-existing-devices-using-powershell). Requirements: <ul><li>Extra columns are not supported.</li> <li>Quotes are not supported.</li> <li>Only ANSI-format text files can be used (not Unicode).</li> <li>Headers are case-sensitive.</li></ul> Editing the file in Excel and saving it as a CSV file will not generate a usable file due to these requirements. Ensure that you preserve any leading zeroes in the device serial numbers. Partners should use [Get-WindowsAutoPilotInfo](https://www.powershellgallery.com/packages/Get-WindowsAutoPilotInfo) to register devices for Microsoft Managed Desktop devices in Partner Center.
-If you get an error message while trying to upload the .csv file, check the format of the file. Make sure the column order matches what is described in [Use Windows Autopilot profiles on new devices to customize a customer's out-of-box experience](/partner-center/autopilot#add-devices-to-a-customers-account). You can also use the sample .csv file provided from the link next to **Add devices** to create a device list.
-
-For more information about Autopilot in Partner scenarios, see [Add devices to a customerΓÇÖs account](/partner-center/autopilot#add-devices-to-a-customers-account).
+If you receive an error message while trying to upload the .csv file, check the format of the file. Make sure the column order matches what is described in [Use Windows Autopilot profiles on new devices to customize a customer's out-of-box experience](/partner-center/autopilot#add-devices-to-a-customers-account). You can also use the sample .csv file provided from the link next to **Add devices** to create a device list.
+For more information about Autopilot in Partner scenarios, see [Add devices to a customer's account](/partner-center/autopilot#add-devices-to-a-customers-account).
## Register devices by using the OEM API
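Review bot: the rewritten sentence `you can use Partner Center to add devices to Autopilot for any of the customers.` drops the qualifier `that you have a relationship with`, so it now reads as though a partner can register devices for any customer; the authorization boundary is the consented relationship described in the paragraph above, so keep it: `...for any of the customers you have a relationship with.` The new heading and lead-in say `the Partner Center` (`## Register devices using the Partner Center`, `**To register devices using the Partner Center:**`) while the body and the OEM heading use `Partner Center` and `by using`; pick one form. While the table is being reformatted, the `> [!IMPORTANT]` note under it still says `Group Name` where the column is `Group Tag` (the OEM section's note correctly says `Group Tags`).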
Before completing registration for a customer, you must first establish a relati
Once you've established the relationship, you can start registering devices for customers using the appropriate Group Tag for each device profile they've selected: -
-|Device profile |Group Tag |
-|||
-|Sensitive data | **Microsoft365Managed\_SensitiveData** |
-|Power user | **Microsoft365Managed\_PowerUser** |
-|Standard | **Microsoft365Managed\_Standard** |
+| Device profile | Group Tag |
+| -- | -- |
+| Sensitive data | **Microsoft365Managed\_SensitiveData** |
+| Power user | **Microsoft365Managed\_PowerUser** |
+| Standard | **Microsoft365Managed\_Standard** |
> [!IMPORTANT] > The Group Tags must match those listed in the table exactly, including capitalization and special characters. This will allow the newly registered devices to be assigned with the Microsoft Managed Desktop Autopilot profile.
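Review bot: the reformatted table's first header cell is plain `Device profile`, whereas the matching table in the Partner Center section links it (`[Device profile](../service-description/profiles.md)`); link it here too so readers arriving via the OEM API path also reach the profile descriptions.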
managed-desktop Register Devices Self https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/get-started/register-devices-self.md
audience: Admin
# Register new devices yourself
-Microsoft Managed Desktop can work with brand-new devices, or you can reuse devices you might already have (which will require that you reimage them). You can register devices with Microsoft Managed Desktop in the Microsoft Endpoint Manager portal.
+Microsoft Managed Desktop can work with brand-new devices, or you can reuse devices you might already have. If you reuse devices, you must reimage them. You're able to register devices with Microsoft Managed Desktop in the Microsoft Endpoint Manager portal.
> [!NOTE] > Working with a partner to obtain devices? If so, you don't need to worry about getting the hardware hashes; they'll take care of that for you. Make sure your partner establishes a relationship with you at the [Partner Center](https://partner.microsoft.com/dashboard). Your partner can learn more at [Partner Center help](/partner-center/request-a-relationship-with-a-customer). Once this relationship established, your partner will simply register devices on your behalf ΓÇô no further action required from you. If you want to see the details, or your partner has questions, see [Steps for Partners to register devices](register-devices-partner.md). Once the devices are registered, you can proceed with [checking the image](#check-the-image) and [delivering the devices](#deliver-the-device) to your users.
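Review bot: `You're able to register devices with Microsoft Managed Desktop` is wordier than the original `You can register devices`; keep `You can`. The note directly below still carries the mis-encoded dash `ΓÇô` in `on your behalf ΓÇô no further action required from you`; since this paragraph is being edited, fix it in the same change, e.g. `on your behalf; no further action is required from you.`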
Microsoft Managed Desktop can work with brand-new devices, or you can reuse devi
Once you have the new devices in hand, you'll follow these steps: 1. [Obtain the hardware hash for each device.](#obtain-the-hardware-hash)
-2. [Merge the hash data](#merge-hash-data)
+2. [Merge the hash data](#merge-hash-data).
3. [Register the devices in Microsoft Managed Desktop](#register-devices-by-using-the-admin-portal). 4. [Double-check that the image is correct.](#check-the-image)
-5. [Deliver the device](#deliver-the-device)
+5. [Deliver the device](#deliver-the-device).
### Obtain the hardware hash
-Microsoft Managed Desktop identifies each device uniquely by referencing its hardware hash. You have three options for getting this information:
+Microsoft Managed Desktop identifies each device uniquely by referencing its hardware hash. You have three options for getting this information.
+
+**To obtain the hardware hash:**
- Ask your OEM supplier for the AutoPilot registration file, which will include the hardware hashes. - Run a [Windows PowerShell script](#powershell-script-method) on each device and collect the results in a file.-- Start each device--but don't complete the Windows setup experience--and [collect the hashes on a removable flash drive](#flash-drive-method).
+- Start each device, but don't complete the Windows setup experience, and [collect the hashes on a removable flash drive](#flash-drive-method).
#### PowerShell script method You can use the [Get-WindowsAutoPilotInfo.ps1](https://www.powershellgallery.com/packages/Get-WindowsAutoPilotInfo) PowerShell script on the PowerShell Gallery website. For more information about device identification and hardware hash, see [Adding devices to Windows Autopilot](/mem/autopilot/add-devices#device-identification).
+**To use the Powershell script method:**
+ 1. Open a PowerShell prompt with administrative rights.
-2. Run `Install-Script -Name Get-WindowsAutoPilotInfo`
-3. Run `powershell -ExecutionPolicy Unrestricted Get-WindowsAutoPilotInfo -OutputFile <path>\hardwarehash.csv`
+2. Run `Install-Script -Name Get-WindowsAutoPilotInfo`.
+3. Run `powershell -ExecutionPolicy Unrestricted Get-WindowsAutoPilotInfo -OutputFile <path>\hardwarehash.csv`.
4. Run `powershell -ExecutionPolicy restricted` to prevent subsequent unrestricted scripts from running. #### Flash drive method
+**To use the flash drive method:**
+ 1. On a device other than the one you're registering, insert a USB drive. 2. Open a PowerShell prompt with administrative rights. 3. Run `Save-Script -Name Get-WindowsAutoPilotInfo -Path <pathToUsb>`
-4. Turn on the device you are registering, but *do not start the setup experience*. If you accidentally start the setup experience, you'll have to reset or reimage the device.
+4. Turn on the device you're registering, but *don't start the setup experience*. If you accidentally start the setup experience, you'll have to reset or reimage the device.
5. Insert the USB drive, and then press SHIFT + F10. 6. Open a PowerShell prompt with administrative rights, and then run `cd <pathToUsb>`. 7. Run `Set-ExecutionPolicy -ExecutionPolicy Unrestricted`
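Review bot: step 4 of the PowerShell script method, `Run powershell -ExecutionPolicy restricted to prevent subsequent unrestricted scripts from running`, does not do what it says: `-ExecutionPolicy` passed on the `powershell` command line applies only to that one process, so step 3's `Unrestricted` never changed the persistent policy and step 4 just starts another shell with a process-scoped `Restricted` policy. Either drop step 4 or reword it to say that step 3's `Unrestricted` setting is limited to the single `powershell` process that runs the script. `**To use the Powershell script method:**` should read `PowerShell`. In the flash drive method, step 7's `Set-ExecutionPolicy -ExecutionPolicy Unrestricted` does change the machine-wide policy on the device being registered and that setting survives setup; adding `-Scope Process` would keep the two methods consistent and avoid leaving the device with a relaxed policy.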
You'll need to have the data in the CSV files combined into a single file to com
### Register devices by using the Admin Portal
-In [Microsoft Endpoint Manager](https://endpoint.microsoft.com/), select **Devices** in the left navigation pane. Look for the Microsoft Managed Desktop section of the menu and select **Devices**. In the Microsoft Managed Desktop Devices workspace, Select **+ Register devices**, which opens a fly-in to register new devices.
+In [Microsoft Endpoint Manager](https://endpoint.microsoft.com/), select **Devices** in the left navigation pane. In the Microsoft Managed Desktop section, select **Devices**. In the Microsoft Managed Desktop Devices workspace, Select **+ Register devices**, which opens a fly-in to register new devices.
<!-- [![Fly-in after selecting Register devices, listing devices with columns for assigned users, serial number, status, last-seen date, and age.](../../media/new-registration-ui.png)](../../media/new-registration-ui.png) --> <!--Registering any existing devices with Managed Desktop will completely re-image them; make sure you've backed up any important data prior to starting the registration process.-->
-Follow these steps:
+**To register devices using the Admin Portal:**
1. In **File upload**, provide a path to the CSV file you created previously. 2. Select a [device profile](../service-description/profiles.md) in the drop-down menu.
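Review bot: Capitalization on L455: the mid-sentence "Select **+ Register devices**" should be "select"; the rewrite carried the typo over from L454. Also, the new lead-in on L458 says "Admin Portal" while L491 and L492 use "Admin portal"; pick one form for the article.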
Follow these steps:
> [!NOTE] > If you manually change the Azure Active Directory (AAD) group membership of a device, it will be automatically reassigned to the group for its device profile and removed from any conflicting groups.
-You can monitor the progress of device registration on the main page. Possible states reported there include:
+You can monitor the progress of device registration on the main page. Possible states reported include:
| State | Description |
-||-|
-| Registration Pending | Registration is not done yet. Check back later. |
-| Registration failed | Registration could not be completed. Refer to [Troubleshooting device registration](#troubleshooting-device-registration) for more information. |
-| Ready for user | Registration succeeded and the device is now ready to be delivered to the user. Microsoft Managed Desktop will guide them through first-time set-up, so thereΓÇÖs no need for you to do any further preparations. |
-| Active | The device has been delivered to the user and they have registered with your tenant. This state also indicates that they are regularly using the device. |
-| Inactive | The device has been delivered to the user and they have registered with your tenant. However, they have not used the device recently (in the last 7 days). |
+| --|--|
+| Registration Pending | Registration isn't completed yet. Check back later. |
+| Registration failed | Registration couldn't be completed. For more information, see [Troubleshooting device registration](#troubleshooting-device-registration). |
+| Ready for user | Registration succeeded. The device is now ready to be delivered to the user. Microsoft Managed Desktop will guide them through first-time set-up, so there's no need for you to do any further preparations. |
+| Active | The device has been delivered to the user and they've registered with your tenant. This state also indicates that they're regularly using the device. |
+| Inactive | The device has been delivered to the user and they've registered with your tenant. However, they haven't used the device recently (in the last seven days). |
#### Troubleshooting device registration | Error message | Details |
-||-|
-| Device not found | We couldnΓÇÖt register this device because we could not find a match for the provided manufacturer, model, or serial number. Confirm these values with your device supplier. |
-| Hardware hash not valid | The hardware hash you provided for this device was not formatted correctly. Double-check the hardware hash and then resubmit. |
+|--| -- |
+| Device not found | We couldn't register this device because we couldn't find a match for the provided manufacturer, model, or serial number. Confirm these values with your device supplier. |
+| Hardware hash not valid | The hardware hash you provided for this device wasn't formatted correctly. Double-check the hardware hash and then resubmit. |
| Device already registered | This device is already registered to your organization. No further action required. | | Device claimed by another organization | This device has already been claimed by another organization. Check with your device supplier. |
-| Unexpected error | Your request could not be automatically processed. Contact Support and provide the Request ID: \<requestId\> |
+| Unexpected error | Your request couldn't be automatically processed. Contact Support and provide the Request ID: `<requestId>` |
### Check the image If your device has come from a Microsoft Managed Desktop partner supplier, the image should be correct.
-YouΓÇÖre also welcome to apply the image on your own if you prefer. To get started, contact the Microsoft representative youΓÇÖre working with and they will provide you the location and steps for applying the image.
+You're also welcome to apply the image on your own if you prefer. To get started, contact the Microsoft representative you're working with. The representative will provide you the location and steps for applying the image.
### Autopilot group tag
-When you use the Admin portal to register devices, we automatically assign the Autopilot Group Tag associated with the device profile listed in [Register devices by using Partner Center](register-devices-partner.md#register-devices-by-using-partner-center).
+When you use the Admin portal to register devices, we automatically assign the Autopilot Group Tag associated with the device profile listed in [Register devices by using Partner Center](register-devices-partner.md).
The service monitors all Microsoft Managed Desktop devices daily and assigns the group tag to any that don't already have it. ### Deliver the device
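Review bot: Spelling inconsistency on L474: "first-time set-up" should be "first-time setup", matching "setup experience" on L450 and L497. Also, L476 changes "7 days" to "seven days"; numerals are easier to scan in a status table, so keep "7 days". Wrapping `<requestId>` in code on L486 is the right call, since the angle brackets would otherwise be read as HTML.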
The service monitors all Microsoft Managed Desktop devices daily and assigns the
> [!IMPORTANT] > Before you hand off the device to your user, make sure you have obtained and applied the [appropriate licenses](../get-ready/prerequisites.md) for that user.
-If all the licenses are applied, you can [get your users ready to use devices](get-started-devices.md), and then your user can start up the device and proceed through the Windows setup experience.
+If all the licenses are applied, you can [get your users ready to use devices](get-started-devices.md). Then, your user can start up the device and proceed through the Windows setup experience.
managed-desktop Register Reused Devices Self https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/get-started/register-reused-devices-self.md
Microsoft Managed Desktop can work with brand-new devices, or you can reuse devi
### Obtain the hardware hash
-**To obtain the hardware hash:**
+Microsoft Managed Desktop identifies each device uniquely by referencing its hardware hash. You have four options for getting this information from devices you're already using.
-Microsoft Managed Desktop identifies each device uniquely by referencing its hardware hash. You have four options for getting this information from devices you're already using:
+**To obtain the hardware hash:**
- Ask your OEM supplier for the AutoPilot registration file, which will include the hardware hashes. - Collect information in [Microsoft Endpoint Configuration Manager](#microsoft-endpoint-configuration-manager).
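Review bot: The reordering on L502 and L504 puts the bold "To obtain the hardware hash:" lead-in in front of a list of four alternatives (L505) rather than a sequence of steps, and L502 now ends the introductory sentence with a period so the list has no introducing colon. Either keep the colon on L502 ("...from devices you're already using:") and drop the bold lead-in, or change the lead-in to something like "Choose one of the following options:".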
managed-desktop Set Up Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/get-started/set-up-devices.md
audience: Admin
You can use both new and existing devices in Microsoft Managed Desktop.
-## To obtain new devices
+## Obtain new devices
-We recommend working with one of our approved device partners. You can work with your Microsoft account contact for more help setting up a device partnership. In essence, however, the process is like this:
+We recommend working with one of our approved device partners. You can work with your Microsoft account contact for more help setting up a device partnership.
-1. Review the list of currently recommended devices by filtering for Microsoft Managed Desktop on the [Shop Windows Pro business devices](https://www.microsoft.com/windows/business/devices) site.
-2. Order one or a few examples of the devices you want to use with a compliant image. Ordering might require [specific ordering steps](../service-description/device-images.md).
-3. [Validate](validate-device.md) the example devices.
-5. After successful validation, order the devices, working with an approved device partner.
-6. Once they've arrived, do either of the following:
- - [Register new devices yourself](register-devices-self.md)
- - Work with a partner to register the devices
-7. [Get your users ready](get-started-devices.md) to use Microsoft Managed Desktop devices
+**To obtain new devices:**
-## To reuse existing devices
+1. Review the list of currently recommended devices by filtering for Microsoft Managed Desktop in the [Shop Windows Pro business devices](https://www.microsoft.com/windows/business/devices) site.
+1. Order one or a few examples of the devices you want to use with a compliant image. Ordering might require [specific ordering steps](../service-description/device-images.md).
+1. [Validate](validate-device.md) the example devices.
+1. After successful validation, order the devices, working with an approved device partner.
+1. Once they've arrived, do either:
+ - [Register new devices yourself](register-devices-self.md).
+ - Work with a partner to register the devices.
+1. [Get your users ready](get-started-devices.md) to use Microsoft Managed Desktop devices.
-1. Check that your existing devices meet our [device requirements](../service-description/device-requirements.md). You can also use the downloadable [readiness assessment checker](../get-ready/readiness-assessment-downloadable.md) to verify that a given device meets the necessary requirements.
-2. If you reuse an existing device, you may have to reimage it. For image options, see [Device images](../service-description/device-images.md).
-3. Select one or a few examples of the devices you want to reuse, and then [validate them](validate-device.md).
-4. After successful validation, do either of the following:
- - [Register existing devices yourself](register-reused-devices-self.md)
- - Work with a partner to register the devices
-5. [Get your users ready](get-started-devices.md) to use Microsoft Managed Desktop devices
+## Reuse existing devices
+
+> [!IMPORTANT]
+>Check that your existing devices meet our [device requirements](../service-description/device-requirements.md). You can also use the downloadable [readiness assessment checker](../get-ready/readiness-assessment-downloadable.md) to verify that a given device meets the necessary requirements. <br><br>If you reuse an existing device, you may have to reimage it. For image options, see [Device images](../service-description/device-images.md).
+
+**To reuse existing devices:**
+
+1. Select one or a few examples of the devices you want to reuse, and then [validate them](validate-device.md).
+1. After successful validation, do either:
+ - [Register existing devices yourself](register-reused-devices-self.md).
+ - Work with a partner to register the devices.
+1. [Get your users ready](get-started-devices.md) to use Microsoft Managed Desktop devices.
## Steps to get started with Microsoft Managed Desktop
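Review bot: Alert formatting on L541: there's no space after ">" and `<br><br>` is used to break the paragraph inside the IMPORTANT box; write the two sentences as separate "> " lines with a bare ">" line between them, consistent with the alert opener on L540. Separately, "do either:" on L527 and L546 reads awkwardly; "do one of the following:" is the standard phrasing. Switching to "1." throughout also fixes the numbering gap in the old list (L513 to L520 skipped item 4).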
We recommend working with one of our approved device partners. You can work with
1. Set up [first-run experience with Autopilot and the Enrollment Status Page](esp-first-run.md). 1. [Enable user support features](enable-support.md). 1. [Get your users ready to use devices](get-started-devices.md).
-1. [Get started with app control](get-started-app-control.md).
+1. [Get started with app control](get-started-app-control.md).
managed-desktop Validate Device https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/get-started/validate-device.md
audience: Admin
# Validate new devices
-Whether you're completely new to Microsoft Managed Desktop or a long-time subscriber, it's best to test an example of any device model you're enrolling in the service for the first time. This is true whether you're ordering brand-new devices or reusing existing ones, including devices recommended for Microsoft Managed Desktop on the [Shop Windows Pro business devices](https://www.microsoft.com/en-us/windowsforbusiness/view-all-devices) site. At that site, view the devices recommended for use with the service by expanding **Features** in the **Filter by** area, and then selecting **Microsoft Managed Desktop**. Validating devices ensures that they'll deliver the user experience you expect.
+Whether you're new to Microsoft Managed Desktop or a long-time subscriber, it's recommended to test an example of any device model you're enrolling in the service for the first time. This is true whether you're ordering brand-new devices or reusing existing ones including devices recommended for Microsoft Managed Desktop.
+
+## View devices
+
+**To view devices recommended for use with the service:**
+
+1. Go to [Shop Windows Pro business devices](https://www.microsoft.com/en-us/windowsforbusiness/view-all-devices) site.
+1. In the **Filter by** section in the left pane, expand the **Features** filter.
+1. Select **Microsoft Managed Desktop**.
+
+Validating devices ensures that they'll deliver the user experience you expect.
## Validate devices
+**To validate devices:**
+ 1. Take one or more examples of new models through the steps in the following articles: - [Set up Microsoft Managed Desktop devices](set-up-devices.md) - [Localize the user experience](localization.md)
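Review bot: L569 "Validating devices ensures that they'll deliver the user experience you expect." now ends the new "View devices" section, where it no longer follows from the filtering steps above it; move it under "## Validate devices" (L570) as the introduction to that procedure. Also L565 is missing "the" ("Go to the [Shop Windows Pro business devices](...) site"), L559 drops the comma before "including devices recommended", and the step on L572 has a stray leading space before "1.".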
Whether you're completely new to Microsoft Managed Desktop or a long-time subscr
- [Get started with app control](get-started-app-control.md) - [Deploy apps to devices](deploy-apps.md) 2. Verify that the following experiences work without any failures, errors, or prompts:
- - The Autopilot experience after joining the network and the user signs in
+ - The Autopilot experience after joining the network and the user signs in.
- If you've enabled the [Enrollment Status Page](esp-first-run.md), it works.
- - User can sign into to Office applications
- - OneDrive folders sync, including Windows Desktop, Documents, and Pictures
- - Device receives updates, policies, and line-of-business applications
+ - User can sign into to Office applications.
+ - OneDrive folders sync, including Windows Desktop, Documents, and Pictures.
+ - Device receives updates, policies, and line-of-business applications.
3. Review the reported devices and hardware requirements in the [Device inventory report](../working-with-managed-desktop/device-inventory-report.md) to check that they match what you expect. If any problems occur, you can [request support](../working-with-managed-desktop/admin-support.md) in the Admin portal.
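Review bot: Typo carried into the new line on L581: "User can sign into to Office applications" should be "User can sign in to Office applications" ("into to" duplicates the preposition). The list item on L577 also differs in form from the others ("If you've enabled the ..., it works." versus bare verb phrases); "The [Enrollment Status Page](esp-first-run.md), if enabled, completes without errors." would read consistently.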
security Attack Surface Reduction Rules Reference https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference.md
ms.technology: mde Previously updated : 1/18/2022 Last updated : 02/04/2022
LSASS authenticates users who sign in on a Windows computer. Microsoft Defender
> [!NOTE] > In some apps, the code enumerates all running processes and attempts to open them with exhaustive permissions. This rule denies the app's process open action and logs the details to the security event log. This rule can generate a lot of noise. If you have an app that simply enumerates LSASS, but has no real impact in functionality, there is no need to add it to the exclusion list. By itself, this event log entry doesn't necessarily indicate a malicious threat.
+
+> [!IMPORTANT]
+> The default state for the Attack Surface Reduction (ASR) rule ΓÇ£Block credential stealing from the Windows local security authority subsystem (lsass.exe)ΓÇ¥ will change from **Not Configured** to **Configured** and the default mode set to **Block**. All other ASR rules will remain in their default state: **Not Configured**. Additional filtering logic has already been incorporated in the rule to reduce end user notifications. Customers can configure the rule to **Audit**, **Warn** or **Disabled** modes, which will override the default mode. The functionality of this rule is the same, whether the rule is configured in the on-by-default mode, or if you enable Block mode manually. ΓÇ»
Intune name: `Flag credential stealing from the Windows local security authority subsystem`
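Review bot: The new IMPORTANT box on L591 announces a default change for the LSASS rule (**Not Configured** to **Configured** with mode **Block**) without saying when it takes effect or with which platform or engine version; add the date or version so admins can plan, and state explicitly that tenants that want to keep the previous behaviour must set the rule to Audit, Warn or Disabled themselves (the text implies it but only says they "can"). Formatting: the rule name is wrapped in curly quotation marks while the article formats rule names in code (see L592); use the same style, and there's a stray trailing character after "manually." at the end of the line.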
security Configure Server Exclusions Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-server-exclusions-microsoft-defender-antivirus.md
Previously updated : 02/02/2022 Last updated : 02/04/2022
Keep the following important points in mind:
- Automatic exclusions only apply to Real-time protection (RTP) scanning. Automatic exclusions are not honored during a full, quick, or on-demand scan. - Custom and duplicate exclusions do not conflict with automatic exclusions. - Microsoft Defender Antivirus uses the Deployment Image Servicing and Management (DISM) tools to determine which roles are installed on your computer.-- Windows Server 2012 R2 does not automatically include Microsoft Defender Antivirus. When you onboard those servers to Defender for Endpoint, you will install Windows Defender Antivirus, and exclusions for operating system files are included by default. However, automatic exclusions for server roles don't work, and you should add exclusions as appropriate. To learn more, see [Onboard Windows servers to the Microsoft Defender for Endpoint service](configure-server-endpoints.md).
+- Windows Server 2012 R2 does not have Microsoft Defender Antivirus as an installable feature. When you onboard those servers to Defender for Endpoint, you will install Windows Defender Antivirus, and default exclusions for operating system files are applied. However, exclusions for server roles (as specified below) don't apply automatically, and you should configure these exclusions as appropriate. To learn more, see [Onboard Windows servers to the Microsoft Defender for Endpoint service](configure-server-endpoints.md).
This article provides an overview of exclusions for Microsoft Defender Antivirus on Windows Server 2016 or later.
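Review bot: Naming on L597 is inconsistent within one bullet: it says Windows Server 2012 R2 "does not have Microsoft Defender Antivirus as an installable feature" and then that onboarding "will install Windows Defender Antivirus"; use one product name (the article title uses Microsoft Defender Antivirus). Also "(as specified below)" points at the role exclusions, but L598 says the article covers Windows Server 2016 or later; say plainly that on 2012 R2 only the operating-system file exclusions apply by default and the server-role exclusions listed later in the article must be added manually.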
security Data Collection Analyzer https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/data-collection-analyzer.md
Run '**MDEClientAnalyzer.cmd /?**' to see the list of available parameters and t
![Image of client analyzer parameters in command line.](images/d89a1c04cf8441e4df72005879871bd0.png) > [!NOTE]
-> When any advanced troubleshooting parameter is used, the analyzer also calls into [MpCmdRun.exe] [https://docs.microsoft.com/microsoft-365/security/defender-endpoint/command-line-arguments-microsoft-defender-antivirus](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/command-line-arguments-microsoft-defender-antivirus?view=o365-worldwide) to collect Microsoft Defender Antivirus related support logs.
+> When any advanced troubleshooting parameter is used, the analyzer also calls into [MpCmdRun.exe](/microsoft-365/security/defender-endpoint/command-line-arguments-microsoft-defender-antivirus) to collect Microsoft Defender Antivirus related support logs.
**-h** - Calls into [Windows Performance Recorder](/windows-hardware/test/wpt/wpr-command-line-options) to collect a verbose general performance trace in addition to the standard log set.
security Manage Updates Baselines Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-updates-baselines-microsoft-defender-antivirus.md
ms.technology: mde Previously updated : 02/02/2022 Last updated : 02/04/2022 - M365-security-compliance - m365initiative-defender-endpoint
We recommend updating your Windows 10 (Enterprise, Pro, and Home editions), Wind
For more information, see [Microsoft Defender update for Windows operating system installation images](https://support.microsoft.com/help/4568292/defender-update-for-windows-operating-system-installation-images). <details>
+<summary>20220203.1</summary>
+
+&ensp;Package version: **20220203.1**<br/>
+&ensp;Platform version: **4.18.2111.5**<br/>
+&ensp;Engine version: **1.1.18900.2**<br/>
+&ensp;Signature version: **1.357.32.0**<br/>
+
+### Fixes
+- None
+
+### Additional information
+- None
+<br/>
+</details><details>
<summary>20220105.1</summary> &ensp;Package version: **20220105.1**<br/>
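Review bot: The new 20220203.1 entry (L609 to L622) lists "None" under both "Fixes" and "Additional information", which leaves readers unable to tell why the package was re-released; if the only change is the platform, engine and signature versions shown on L612 to L614, say so under "Additional information" (for example, "Updated platform, engine, and signature versions only"). Also `</details><details>` on L622 should be split onto two lines so each collapsible block starts on its own line.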
security Microsoft Defender Endpoint Linux https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-linux.md
If you experience any installation failures, refer to [Troubleshooting installat
- For 6.9: 2.6.32-696.* - For 6.10: 2.6.32.754.2.1.el6.x86_64 to 2.6.32-754.41.2:
- |||||
- |--|--|--|--|
- |2.6.32-754.2.1.el6.x86_64|2.6.32-754.17.1.el6.x86_64|2.6.32-754.29.1.el6.x86_64|2.6.32-754.3.5.el6.x86_64|
- |2.6.32-754.18.2.el6.x86_64|2.6.32-754.29.2.el6.x86_64|2.6.32-754.6.3.el6.x86_64|2.6.32-754.22.1.el6.x86_64|
- |2.6.32-754.30.2.el6.x86_64|2.6.32-754.9.1.el6.x86_64|2.6.32-754.23.1.el6.x86_64|2.6.32-754.33.1.el6.x86_64|
- |2.6.32-754.10.1.el6.x86_64|2.6.32-754.24.2.el6.x86_64|2.6.32-754.35.1.el6.x86_64|2.6.32-754.11.1.el6.x86_64|
- |2.6.32-754.24.3.el6.x86_64|2.6.32-754.39.1.el6.x86_64|2.6.32-754.12.1.el6.x86_64|2.6.32-754.25.1.el6.x86_64|
- |2.6.32-754.41.2.el6.x86_64|2.6.32-754.14.2.el6.x86_64|2.6.32-754.27.1.el6.x86_64|2.6.32-754.15.3.el6.x86_64|
- |2.6.32-754.28.1.el6.x86_64|
+ - 2.6.32-754.10.1.el6.x86_64
+ - 2.6.32-754.11.1.el6.x86_64
+ - 2.6.32-754.12.1.el6.x86_64
+ - 2.6.32-754.14.2.el6.x86_64
+ - 2.6.32-754.15.3.el6.x86_64
+ - 2.6.32-754.17.1.el6.x86_64
+ - 2.6.32-754.18.2.el6.x86_64
+ - 2.6.32-754.2.1.el6.x86_64
+ - 2.6.32-754.22.1.el6.x86_64
+ - 2.6.32-754.23.1.el6.x86_64
+ - 2.6.32-754.24.2.el6.x86_64
+ - 2.6.32-754.24.3.el6.x86_64
+ - 2.6.32-754.25.1.el6.x86_64
+ - 2.6.32-754.27.1.el6.x86_64
+ - 2.6.32-754.28.1.el6.x86_64
+ - 2.6.32-754.29.1.el6.x86_64
+ - 2.6.32-754.29.2.el6.x86_64
+ - 2.6.32-754.3.5.el6.x86_64
+ - 2.6.32-754.30.2.el6.x86_64
+ - 2.6.32-754.33.1.el6.x86_64
+ - 2.6.32-754.35.1.el6.x86_64
+ - 2.6.32-754.39.1.el6.x86_64
+ - 2.6.32-754.41.2.el6.x86_64
+ - 2.6.32-754.6.3.el6.x86_64
+ - 2.6.32-754.9.1.el6.x86_64
+ > [!NOTE] > After a new package version is released, support for the previous two versions is reduced to technical support only. Versions older than that that are listed in this section are provided for technical upgrade support only.
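Review bot: Ordering on L636 to L660: the new list is sorted as strings, so 2.6.32-754.2.1 (L643) sits between 754.18.2 and 754.22.1, and 754.3.5 (L653), 754.6.3 (L659) and 754.9.1 (L660) end up after 754.41.2; sort by numeric release number (754.2.1, 754.3.5, 754.6.3, 754.9.1, 754.10.1, ...) so an admin comparing the output of `uname -r` against the list finds their kernel where they expect it. Also the intro on L626 writes "2.6.32.754.2.1.el6.x86_64" with a dot where every list entry uses "2.6.32-754.2.1.el6.x86_64"; fix the hyphen.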
security Microsoft Defender Endpoint https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint.md
Defender for Endpoint directly integrates with various Microsoft solutions, incl
- Microsoft Defender for Office - Skype for Business
-**[Microsoft 365 Defender](https://docs.microsoft.com/microsoft-365/security/defender/microsoft-365-defende)**
+**[Microsoft 365 Defender](/microsoft-365/security/defender/microsoft-365-defender)**
With Microsoft 365 Defender, Defender for Endpoint and various Microsoft security solutions form a unified pre- and post-breach enterprise defense suite that natively integrates across endpoint, identity, email, and applications to detect, prevent, investigate, and automatically respond to sophisticated attacks.
security Respond Machine Alerts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/respond-machine-alerts.md
As part of the investigation or response process, you can remotely initiate an a
>[!IMPORTANT] >- This action is not currently supported for macOS and Linux. Use live response to run the action. For more information on live response, see [Investigate entities on devices using live response](live-response.md)
->- A Microsoft Defender Antivirus (Microsoft Defender AV) scan can run alongside other antivirus solutions, whether Microsoft Defender AV is the active antivirus solution or not. Microsoft Defender AV can be in Passive mode. For more information, see [Microsoft Defender Antivirus compatibility](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-compatibility?view=o365-worldwide).
+>- A Microsoft Defender Antivirus (Microsoft Defender AV) scan can run alongside other antivirus solutions, whether Microsoft Defender AV is the active antivirus solution or not. Microsoft Defender AV can be in Passive mode. For more information, see [Microsoft Defender Antivirus compatibility](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-compatibility).
One you have selected **Run antivirus scan**, select the scan type that you'd like to run (quick or full) and add a comment before confirming the scan.
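Review bot: Typo in the unchanged context line L673: "One you have selected **Run antivirus scan**" should be "Once you've selected **Run antivirus scan**"; worth fixing in the same commit since the adjacent note is being edited.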
security Run Av Scan https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/run-av-scan.md
Initiate Microsoft Defender Antivirus scan on a device.
> [!IMPORTANT] > > - This action is available for devices on Windows 10, version 1709 or later, and on Windows 11.
-> - A Microsoft Defender Antivirus (Microsoft Defender AV) scan can run alongside other antivirus solutions, whether Microsoft Defender Antivirus is the active antivirus solution or not. Microsoft Defender Antivirus can be in Passive mode. For more information, see [Microsoft Defender Antivirus compatibility](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-compatibility?view=o365-worldwide).
+> - A Microsoft Defender Antivirus (Microsoft Defender AV) scan can run alongside other antivirus solutions, whether Microsoft Defender Antivirus is the active antivirus solution or not. Microsoft Defender Antivirus can be in Passive mode. For more information, see [Microsoft Defender Antivirus compatibility](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-compatibility).
## Permissions
security Alert Grading Playbook Email Forwarding https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/alert-grading-playbook-email-forwarding.md
Threat actors can use compromised user accounts for several malicious purposes,
Emails can be forwarded either manually or automatically using forwarding rules. Automatic forwarding can be implemented in multiple ways like Inbox Rules, Exchange Transport Rule (ETR), and SMTP Forwarding. While manual forwarding requires direct action from users, they might not be aware of all the auto-forwarded emails. In Microsoft 365, an alert is raised when a user auto-forwards an email to a potentially malicious email address.
-This playbook helps you investigate alerts for suspicious email forwarding and quickly grade them as either a True Positive (TP) or a False Positive (FP). You can then take recommended actions for the TP alerts to remediate the attack.
+This playbook helps you investigate Suspicious Email Forwarding Activity alerts and quickly grade them as either a True Positive (TP) or a False Positive (FP). You can then take recommended actions for the TP alerts to remediate the attack.
For an overview of alert grading for Microsoft Defender for Office 365 and Microsoft Defender for Cloud Apps, see the [introduction article](alert-grading-playbooks.md).
The results of using this playbook are:
## Email forwarding rules
-Email forwarding rule allows users to set up a rule to forward email messages sent to a user's mailbox to another user's mailbox inside or outside of the organization. Some email users, particularly those with multiple mailboxes, configure forwarding rules to move employer emails to their private email accounts. Email forwarding is a useful feature but can also pose a security risk because of the potential disclosure of information. Attackers might use this information to attack your organization or its partners.
+Email forwarding rules allow users to create a rule to forward email messages sent to a user's mailbox to another user's mailbox inside or outside of the organization. Some email users, particularly those with multiple mailboxes, configure forwarding rules to move employer emails to their private email accounts. Email forwarding is a useful feature but can also pose a security risk because of the potential disclosure of information. Attackers might use this information to attack your organization or its partners.
-### Suspicious email forwarding rules
+### Suspicious email forwarding activity
Attackers might set up email rules to hide incoming emails in the compromised user mailbox to obscure their malicious activities from the user. They might also set rules in the compromised user mailbox to delete emails, move the emails into another less noticeable folder such as an RSS folder, or forward emails to an external account.
For more information, see these blog posts:
## Alert details
-To review the specific alert, open the **Alerts** page to see the **Activity list** section. Here's an example.
+To review the Suspicious Email Forwarding Activity alert, open the **Alerts** page to see the **Activity list** section. Here's an example.
:::image type="content" source="../../media/alert-grading-playbook-email-forwarding/alert-grading-playbook-email-forwarding-activity-list.png" alt-text="List of activities related to the alert" lightbox="../../media/alert-grading-playbook-email-forwarding/alert-grading-playbook-email-forwarding-activity-list.png":::
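Review bot: Alert-name formatting is inconsistent across the hunk: L684 and L696 use the title-case string "Suspicious Email Forwarding Activity", while the new heading on L691 reads "Suspicious email forwarding activity" in sentence case. Sentence case is fine for a heading, but in body text wrap the alert name in bold (**Suspicious Email Forwarding Activity**) so readers can tell it is the literal alert title they'll see in the portal rather than a description. The alt text on L697 ("List of activities related to the alert") could also name the alert for accessibility.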
To use [advanced Hunting](advanced-hunting-overview.md) queries to gather inform
- IdentityLogonEvents - Contains login information for all users.
-Here's an example.
--
-Use queries to gather information for the following questions.
- >[!Note] >Certain parameters are unique to your organization or network. Fill in these specific parameters as instructed in each query. >
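Review bot: This hunk deletes not only the "Here's an example." lead-in (L700) but also the sentence introducing the queries (L702) and the note telling readers to fill in organization-specific parameters (L703). If those two are not re-added later in the file (not visible here), the advanced hunting queries that follow will carry placeholders with no explanation; keep L702 and L703, or state in the PR description where the note moved.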
security Investigate Alerts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/investigate-alerts.md
Alerts from different Microsoft security solutions like Microsoft Defender for E
By default, the alerts queue in the Microsoft 365 Defender portal displays the new and in progress alerts from the last 30 days. The most recent alert is at the top of the list so you can see it first.
-From the default alerts queue, you can select **Filters** to see a **Filters** pane, from which you can specify a subset of the alerts. Here's an example.
+From the default alerts queue, you can select **Filter** to see a **Filter** pane, from which you can specify a subset of the alerts. Here's an example.
:::image type="content" source="../../media/investigate-alerts/alerts-ss-alerts-filter.png" lightbox="../../media/investigate-alerts/alerts-ss-alerts-filter.png" alt-text="Example of the filters pane for the alerts queue in the Microsoft 365 Defender portal.":::
+<!--
+UPDATE SCREENSHOT
+-->
+ You can filter alerts according to these criteria: - Severity - Status - Service sources-- Impacted assets
+- Entities (the impacted assets)
- Automated investigation state ## Required roles for Defender for Office 365 alerts
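Review bot: L710 to L712 commits an "UPDATE SCREENSHOT" HTML comment, that is, a TODO, into the published source while L708 already renames the control to **Filter**; the alt text on L709 still says "filters pane", so the image and its description will contradict the text until the screenshot is replaced. Either update the screenshot and alt text in this PR or track the TODO in an issue rather than in the article. Also, L714 renames the criterion to "Entities (the impacted assets)"; since this list mirrors what users see in the pane, confirm it is the exact label shown in the portal.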
The list of additional actions depends on the type of alert.
## Resolve an alert
-Once you're done analyzing an alert and it can be resolved, go to the **Manage alert** pane for the alert and mark the it status as **Resolved** and classify it as either a **False alert** or **True alert**. For true alerts, specify the alert's threat type in the **Determination** field.
+Once you're done analyzing an alert and it can be resolved, go to the **Manage alert** pane for the alert and mark the status as **Resolved** and classify it as either a **False alert** or **True alert**. For true alerts, specify the alert's threat type in the **Determination** field.
Classifying alerts and specifying their determination helps tune Microsoft 365 Defender to provide more true alerts and less false alerts.
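Review bot: The grammar fix on L719 is correct; the unchanged context line L720 has a similar problem: "more true alerts and less false alerts" should be "more true alerts and fewer false alerts" (alerts are a count noun).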
security Attack Simulation Training Get Started https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/attack-simulation-training-get-started.md
If your organization has Microsoft 365 E5 or Microsoft Defender for Office 365 P
- For more information about the availability of Attack simulation training across different Microsoft 365 subscriptions, see [Microsoft Defender for Office 365 service description](/office365/servicedescriptions/office-365-advanced-threat-protection-service-description). - You need to be assigned permissions in **Azure Active Directory** before you can do the procedures in this article. Specifically, you need to be a member of one of the following roles:
- - **Organization Management**
+ - **Global Administrator**
- **Security Administrator** - **Attack Simulation Administrators**<sup>\*</sup>: Create and manage all aspects of attack simulation campaigns. - **Attack Payload Author**<sup>\*</sup>: Create attack payloads that an admin can initiate later.
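Review bot: replacing **Organization Management** with **Global Administrator** fits a list headed "Azure Active Directory" roles, but putting Global Administrator first invites over-privileged assignments for a task that has its own scoped roles. Suggest listing the <sup>*</sup>-marked roles (**Attack Simulation Administrators**, **Attack Payload Author**) first and noting that Global Administrator is sufficient but not recommended. Also, the two scoped role names are inconsistent in number (plural "Administrators", singular "Author"); use one form for both.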
security Configure Your Spam Filter Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/configure-your-spam-filter-policies.md
To increase the effectiveness of spam filtering, you can create custom anti-spam
- For our recommended settings for anti-spam policies, see [EOP anti-spam policy settings](recommended-settings-for-eop-and-office365.md#eop-anti-spam-policy-settings).
+- You can't completely turn off spam filtering, but you can use a mail flow rule (also known as a transport rule) to bypass most spam filtering on incoming message (for example, if you route email through a third-party protection service or device before delivery to Microsoft 365). For more information, see [Use mail flow rules to set the spam confidence level (SCL) in messages](/exchange/security-and-compliance/mail-flow-rules/use-rules-to-set-scl).
+ - High confidence phishing messages are still filtered. Other features in EOP are not affected (for example, messages are always scanned for malware).
+ - If you need to bypass spam filtering for SecOps mailboxes or phishing simulations, don't use mail flow rules. For more information, see [Configure the delivery of third-party phishing simulations to users and unfiltered messages to SecOps mailboxes](configure-advanced-delivery.md).
+ ## Use the Microsoft 365 Defender portal to create anti-spam policies Creating a custom anti-spam policy in the Microsoft 365 Defender portal creates the spam filter rule and the associated spam filter policy at the same time using the same name for both.
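Review bot: the new bypass note should tell readers to scope the mail flow rule, not only that one exists. A rule that lowers the SCL on every inbound message lets any sender that reaches the tenant directly, rather than through the third-party service in the example, skip spam filtering altogether. Add a condition to the guidance (for example, apply the rule only to messages arriving from the protection service's IP range or connector) and point to the linked SCL article for that condition. Minor: "on incoming message" should be "on incoming messages".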
security Quarantine Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/quarantine-policies.md
The global settings for quarantine policies allow you to customize the quarantin
![Selected languages in the second language box in the global quarantine notification settings of quarantine policies.](../../media/quarantine-tags-esn-customization-selected-languages.png)
- - **Use my company logo**: Select this option to replace the default Microsoft logo that's use at the top of quarantine notifications. Before you do this, you need to follow the instructions in [Customize the Microsoft 365 theme for your organization](../../admin/setup/customize-your-organization-theme.md) to upload your custom logo.
+ - **Use my company logo**: Select this option to replace the default Microsoft logo that's used at the top of quarantine notifications. Before you do this, you need to follow the instructions in [Customize the Microsoft 365 theme for your organization](../../admin/setup/customize-your-organization-theme.md) to upload your custom logo.
The following screenshot shows a custom logo in a quarantine notification:
security Use The Delist Portal To Remove Yourself From The Office 365 Blocked Senders Lis https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/use-the-delist-portal-to-remove-yourself-from-the-office-365-blocked-senders-lis.md
You will know you have been added to the list when you receive a response to a m
where _IP address_ is the IP address of the computer on which the mail server runs.
-### To use delist portal to remove yourself from the blocked senders list
+## Verify senders before removing them from the blocked senders list
+
+There are good reasons for senders to wind up on the blocked senders list, but mistakes can happen. Take a look at this video for a balanced explanation of blocked senders and delisting.
+<p>
+
+> [!VIDEO https://www.microsoft.com/videoplayer/embed/RWMhvD]
++
+## To use delist portal to remove yourself from the blocked senders list
1. In a web browser, go to <https://sender.office.com>.
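Review bot: the new **Verify senders before removing them from the blocked senders list** section is one sentence plus a video embed, so readers who cannot play the video, or who read a printed or localized copy, get no guidance at all. Add a sentence or two stating what to verify (that the listed IP is actually yours and that whatever caused the listing has been fixed) before asking for delisting. The stray `<p>` tag and the bare `+` line look like leftovers from pasting the embed and should be removed; the promotion of the procedure heading from ### to ## is fine now that it has a sibling section.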
where _IP address_ is the IP address of the computer on which the mail server r
See [Create safe sender lists in EOP](create-safe-sender-lists-in-office-365.md) and [Outbound spam protection in EOP](outbound-spam-controls.md) to prevent an IP from being blocked.
-## More information
+### What about error code 5.7.511?
+
+When there's a problem delivering an email message that you sent, Microsoft 365 or Office 365 sends an email to let you know. The email you receive is a delivery status notification, also known as a DSN or bounce message. The most common type is called a non-delivery report (NDR) and they tell you that a message wasn't delivered. In certain situations, Microsoft must conduct additional investigations against traffic from your IP, and if youΓÇÖre receiving the NDR code 5.7.511, you **will not** be able to use the delist portal.
+
+> 550 5.7.511 Access denied, banned sender[xxx.xxx.xxx.xxx]. To request removal from this list, forward this message to delist@messaging.microsoft.com. For more information, go to https://go.microsoft.com/fwlink/?LinkId=526653.
+
+In the email to request removal from this list, provide the full NDR code and IP address. Microsoft will contact you within 48 hours with the next steps.
+## More information
+
The delisting form for **Outlook.com, the consumer service** can be found [here](https://support.microsoft.com/supportrequestform/8ad563e3-288e-2a61-8122-3ba03d6b8d75). Be sure to read the [FAQ](https://sendersupport.olc.protection.outlook.com/pm/troubleshooting.aspx) first for *submission* direction.
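Review bot: "youΓÇÖre" in the 5.7.511 paragraph is a mis-encoded apostrophe (UTF-8 text read through a legacy code page); replace it with "you're" before this ships. The paragraph also spends three sentences defining DSNs and NDRs before reaching the point; lead with the actionable part: if the NDR carries 5.7.511, the delist portal will not accept the IP, and you must email delist@messaging.microsoft.com with the full NDR text and the IP address. Consider putting the sample NDR line in a fenced `text` block instead of a blockquote so it is preserved exactly as the server returns it.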
solutions Ransomware Protection Microsoft 365 Security Baselines https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/ransomware-protection-microsoft-365-security-baselines.md
These baselines contain configuration settings and rules that are well-known by
First, assess and measure your security posture using [Microsoft Secure Score](/microsoft-365/security/defender/microsoft-secure-score) and follow instructions to improve it as needed.
-Next, use [attack surface reduction rules](/microsoft-365/security/defender-endpoint/attack-surface-reduction) to help block suspicious activity and vulnerable content. These rules include preventing:
+Next, use [attack surface reduction rules](/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-deployment) to help block suspicious activity and vulnerable content. These rules include preventing:
- All Office applications from creating child processes - Executable content from email client and webmail
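Review bot: the link text still says "attack surface reduction rules" but the target now points at the deployment guide (`attack-surface-reduction-rules-deployment`) instead of the rules overview, while the sentence goes on to list what the rules block. Either keep the reference link for the rule descriptions and add a separate deployment link, or change the link text to "deploy attack surface reduction rules" so readers know what they are clicking through to.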
test-base Contentguideline https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/test-base/contentguideline.md
audience: Software-Vendor Previously updated : 07/06/2021 Last updated : 02/04/2022 ms.localizationpriority: medium
These binaries should include everything necessary for installation of the appli
> [!NOTE] > The uploaded zip file cannot have any spaces or special characters in its name
+## 5. Application/Test rules
+
+In order for your applications/tests to run correctly under the Test Base infrastructure, they need to comply to the rules described in [Application/Test rules
+](rules.md).
+ ## Next steps Advance to the next article to view some **Frequently Asked Questions (FAQ)**
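Review bot: the link in the new section 5 is split across two source lines ("[Application/Test rules" / "](rules.md)"), which renders with a stray space in the link text and is easy to break in later edits; put it on one line. "Comply to the rules" should be "comply with the rules". Since the new heading is numbered 5, confirm the preceding headings run 1 through 4 so the sequence holds.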
test-base Rules https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/test-base/rules.md
audience: Software-Vendor Previously updated : 07/06/2021 Last updated : 02/04/2022 ms.localizationpriority: medium
All applications or tests in Test Base need to comply with the following rules:
The following folders are used by the Test Base infrastructure: * %SYSTEMDRIVE%\USL
+* %SYSTEMDRIVE%\EtlExport
* %SYSTEMDRIVE%\Ffmpeg * %SYSTEMDRIVE%\Monitoring * %SYSTEMDRIVE%\powershell-yaml
test-base Testtask https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/test-base/testtask.md
On the tasks tab, you are expected to provide the paths to your test scripts wh
- **Out of Box Test Scripts:** Type in the relative paths to your install, launch, close and uninstall scripts. You also have the option to select additional settings for the install script. - **Functional Test Scripts:** Type in the relative path to each functional test script uploaded. Additional functional test scripts can be added using the ```Add Script``` button. You need a minimum of one (1) script and can add up to eight (8) functional test scripts.
- The scripts are run in upload sequence and a failure in a particular script will stop subsequent scripts from executing.
+ The scripts run in the sequence they are listed. A failure in a particular script stops subsequent scripts from executing.
You also have the option of selecting additional settings for each script provided. ## Set script path
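Review bot: changing "upload sequence" to "the sequence they are listed" changes the stated contract. If the list can be reordered after upload, say how (the surrounding text mentions only the Add Script button); if it cannot, the two phrasings are equivalent and the old wording was clearer about what determines the order. The second sentence (active voice, "stops subsequent scripts") reads well.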