+Deciding on a plan can depend on your specific business needs. The Microsoft 365 plan chooser is designed to help you with this. The chooser will make recommendations based on your answers to questions such as the size of your business, your field of work, the devices you use, and what kind of features, IT support, and security you're looking for. See [Help me find the right plan for my business](https://go.microsoft.com/fwlink/p/?linkid=2224286).

+Deciding on a plan can depend on your specific business needs. The Microsoft 365 plan chooser is designed to help you with this. The chooser will make recommendations based on your answers to questions such as the size of your business, your field of work, the devices you use, and what kind of features, IT support, and security you're looking for. See [Help me find the right plan for my business](https://go.microsoft.com/fwlink/p/?linkid=2224175).

+Deciding on a plan can depend on your specific business needs. The Microsoft 365 plan chooser is designed to help you with this. The chooser will make recommendations based on your answers to questions such as the size of your business, your field of work, the devices you use, and what kind of features, IT support, and security you're looking for. See [Help me find the right plan for my business](https://go.microsoft.com/fwlink/p/?linkid=2224446).

+ [Sensitive information types ](#sensitive-information-types)

+ [Sharing and access request activities](#sharing-and-access-request-activities)

+ [Synchronization activities](#synchronization-activities)

+ [Site permissions activities](#site-permissions-activities)

+ [Site administration activities](#site-administration-activities)

+ [Exchange mailbox activities](#exchange-mailbox-activities)

+ [User administration activities](#user-administration-activities)

+ [Azure AD group administration activities](#azure-ad-group-administration-activities)

+ [Application administration activities](#application-administration-activities)

+ [Role administration activities](#role-administration-activities)

+ [Directory administration activities](#directory-administration-activities)

+ [eDiscovery activities](#ediscovery-activities)

+ [eDiscovery (Premium) activities](#ediscovery-premium-activities)

+ [Power BI activities](#power-bi-activities)

+ [Microsoft Workplace Analytics](#workplace-analytics-activities)

+ [Microsoft Teams activities](#microsoft-teams-activities)

+ [Microsoft Teams Healthcare activities](#microsoft-teams-healthcare-activities)

+ [Microsoft Teams Shifts activities](#microsoft-teams-shifts-activities)

+ [Yammer activities](#yammer-activities)

+ [Microsoft Power Automate activities](#microsoft-power-automate-activities)

+ [Microsoft Power Apps activities](#microsoft-power-apps-activities)

+ [Microsoft Stream activities](#microsoft-stream-activities)

+ [Content explorer activities](#content-explorer-activities)

+ [Quarantine activities](#quarantine-activities)

+ [Microsoft Forms activities](#microsoft-forms-activities)

+ [Sensitivity label activities](#sensitivity-label-activities)

+ [Retention policy and retention label activities](#retention-policy-and-retention-label-activities)

+ [Briefing email activities](#briefing-email-activities)

+ :::column-end:::

+ :::column:::

+ :::column-end:::

+ [Disposition review activities](#disposition-review-activities)

+ [Communication compliance activities](#communication-compliance-activities)

+ [Report activities](#report-activities)

+ :::column:::

+ [Exchange admin activities](#exchange-admin-audit-log)

+ :::column-end:::

+## Sensitive information types

+The following table describes the audit events for activities involving creation and updating of [sensitive information types](/microsoft-365/compliance/create-a-custom-sensitive-information-type).

+|Friendly name|Operation|Description|

+|:--|:--|:--|

+|Created new sensitive information type| CreateRulePackage / EditRulePackage* | A new sensitive information type was [created](/microsoft-365/compliance/create-a-custom-sensitive-information-type). This includes SIT created by copying an [out of the box SIT](/microsoft-365/compliance/create-a-custom-sensitive-information-type). </br><p>**Note**: This activity will surface under the audit activities ΓÇ£Created rule packageΓÇ¥ or ΓÇ£Edited rule package.ΓÇ¥ </p>|

+|Edited a sensitive information type|EditRulePackage| An existing sensitive information type was edited. This can include operations like adding/removing a pattern and editing the regex/keyword associated with the sensitive information type. </br><p>**Note:** This activity will surface under the audit activity "Edited rule package."</p> |

+| Deleted a sensitive information type|EditRulePackage / RemoveRulePackage | An existing sensitive information type was deleted. </br><p>**Note:** This activity will surface under the audit activity ΓÇ£Edited rule packageΓÇ¥ or ΓÇ£Removed rule package.ΓÇ¥</p> |

+|Organization settings updated |Organization settings updated |The user (typically Organization owners or admins) has updated organization specific settings on Viva Goals. |

+|OrganizationΓÇ» integrations updated |OrganizationΓÇ» integrations updated |The user (typically Organization owners or admins) has configured a third party integration or updated an existing third party integration for an organization on Viva Goals. |

+> [!NOTE]

+> If you select the **Pending** tab, you may notice that the count of policy matches in the **Pending** tab heading doesn't match the number of messages in the table (with attachments filtered out) in the lower part of the screen. This is due to new entries in the table that are not reflected in the **Pending** tab. Refresh the page to update both.

+### Printer groups

+### Removable storage device groups

+### Network share groups

+### VPN settings

+Network exceptions enables you to configure Allow, Audit only, Block with override, and Block actions to the file activities based on the network that users are accessing the file from. You can select from the [VPN settings](dlp-configure-endpoint-settings.md#vpn-settings) list you defined and **Corporate network** option. The actions can be applied individually or collectively to these user activities:

+- [Security policy violations by priority users (preview)](insider-risk-management-policy-templates.md#security-policy-violations-by-priority-users-preview)

+- [Patient data misuse (preview)](insider-risk-management-policy-templates.md#patient-data-misuse-preview)

+- [Risky browser usage (preview)](insider-risk-management-policy-templates.md#risky-browser-usage-preview)

+An information management policy is a set of rules for a type of content. Information management policies enable organizations to control and track things like how long content is retained and what actions users can take with that content. Information management policies can help organizations comply with legal or governmental regulations, or they can simply enforce internal business processes.

+ **Create an information management policy for a site content type in the top-level site's Site Content Type Gallery, and then add that content type to one or more lists or libraries** You can also create an information management policy directly for a site content type and then associate an instance of that site content type with multiple lists or libraries. If you create an information management policy this way, every item in the site collection of that content type or a content type that inherits from that content type has the policy. However, if you create an information management policy directly for a site content type, it is more difficult to reuse this information management policy in other site collections because policies that are created this way cannot be exported.

+

+> [!NOTE]

+> To control which policies are used in a site collection, site collection administrators can disable the ability to set policy features directly on a content type. When this restriction is in effect, users who create content types are limited to selecting

+policies from the site collection Policies list.

+> [!NOTE]

+> You can create an information management policy for a list or library only if that list or library does not support multiple content types. If a list or library supports multiple content types, you need to define an information management policy for each individual list content type that is associated with that list or library. (Instances of a site content type that are associated with a specific list or library are known as list content types.)

+ To control which policies are used in a site collection, site collection administrators can disable the ability to set policy features directly on a list or library. When this restriction is in effect, users who manage lists or libraries are limited to selecting policies from the site collection Policies list.

+An information management policy is a set of rules for a type of content. Information management policies enable organizations to control and track things like how long content is retained or what actions users can take with that content. Information management policies can help organizations comply with legal or governmental regulations, or they can simply enforce internal business processes. For example, an organization that must follow government regulations requiring that they demonstrate "adequate controls" of their financial statements might create one or more information management policies that audit specific actions in the authoring and approval process for all documents related to financial filings. For how-to information, see [Create and apply information management policies.](intro-to-info-mgmt-policies.md#__top)

+If you have configured SharePoint sites for content type policies or information management policies to retain content for a list or library, those policies are ignored while a retention policy or retention label policy is in effect.

+### Data lifecycle management and records management

+- **Rolling out in preview**: Auto-labeling retention policies now support [simulation mode](apply-retention-labels-automatically.md#learn-about-simulation-mode), so you can test out your policy configuration and view results before deploying in production.

+# Microsoft Teams Virtual Appointments in Call Quality Dashboard

+Call Quality Dashboard (CQD) is a self-service data environment that empowers you to access data on Teams usage throughout your organization, build reports to analyze call quality, and troubleshoot call issues. CQD tracks several hundred data points on your organization's Teams calls and stores them in a database that you can easily access using the Microsoft Call Quality connector for Power BI.

+When you access this data, you can use it to analyze high-level metrics such as daily call errors and total call volume. You can also use it to determine things such as why a participant dropped a call or why [a particular building](/microsoftteams/cqd-upload-tenant-building-data) has an unusually high rate of dropped calls. You can perform this analysis in Power BI by developing reports that can be published to the web, where they can automatically receive updated data at scheduled refresh times or at nearly real-time refresh rates. Once the reports are published to the web, you can distribute links within your organization and set permissions to allow users to explore the data themselves. This also allows users to export the underlying information to Excel.

+> [!NOTE]

+> Call Quality Dashboard is designed to be a quality and reliability analysis tool that relies on diagnostic telemetry returns from Teams service and client endpoints. Because of the unreliable nature of diagnostic telemetry, there may be slight variances in call counts or certain metrics. Keep this is mind as you use Call Quality Dashboard for [usage-focused reporting](/microsoftteams/cqd-frequently-asked-questions#im-trying-to-use-cqd-for-usage-type-reports-and-find-that-some-of-the-data-is-incomplete-why-is-that).

+To begin, you'll want to get familiar with [using Call Quality Dashboard](/microsoftteams/turning-on-and-using-call-quality-dashboard). You'll need [appropriate admin credentials](/microsoftteams/turning-on-and-using-call-quality-dashboard#assign-admin-roles-for-access-to-cqd) to [sign into CQD](https://cqd.teams.microsoft.com) and begin working with your data.

+You can also access CQD from Teams Admin Center:

+One you've logged into CQD, you can begin to analyze data from the existing dashboards. You can find these in the dropdown menu at the top of the page. You can also use [Power BI desktop](https://www.microsoft.com/p/power-bi-desktop/9ntxr16hnw1t#activetab=pivot:overviewtab) to create highly customizable reports. Use the [CQD Power BI template files](/microsoftteams/cqd-data-and-reports#import-the-cqd-report-templates) to get started. These template files contain many of the most frequently requested call quality metrics and charts.

+## Working with CQD data in Power BI

+Before you begin analyzing organizational call quality data, you'll need to [install](/p/power-bi-desktop/9ntxr16hnw1t#activetab=pivot:overviewtab) and [learn to use](https://powerbi.microsoft.com/learning/) Power BI desktop. To access the CQD database through Power BI, you'll need to [download and install the Microsoft Call Quality connector](/microsoftteams/cqd-power-bi-connector). Make sure to install the connector in the appropriate Documents folder.

+Once you've installed the connector, you'll be able to access your CQD data in Power BI.

+1. Search the connectors for **Microsoft Call Quality**.

+You can analyze Teams data in several different ways.

+- **[Teams Admin Center](https://admin.teams.microsoft.com/):** You can find a pre-made and easy to read set of reports and insights inside Teams Admin Center. However, you can't extensively customize these reports.

+- **[Call Quality Dashboard](https://cqd.teams.microsoft.com/):** Here you can filter and customize reports that provide quick answers to many frequently asked questions.

+- **[Call Quality connector for Power BI](/microsoftteams/cqd-power-bi-query-templates):** Using Power BI gives you the most customizable options for creating reports. Here you can use CQD data to understand user behavior, see usage patterns, and resolve individual call issues. You can use Power BI to supplement the aforementioned dashboards with answers that aren't available in the pre-made reports.

+To view the Microsoft 365 Lighthouse default baseline that applies to all tenants, select **Deployment > Baselines** in the left navigation pane in Lighthouse.

+## Watch: Deploy baselines

+Microsoft 365 Lighthouse lets you deploy configurations associated with eligible deployment tasks automatically. This capability helps ensure that the tenants you manage are healthy and secure.

+1. In the left navigation pane in Lighthouse, select **Tenants**.

+5. In the task details pane, select **Deploy**.

+ If existing configurations are detected, they'll be displayed in the detected configuration in the deployment plan comparison table. For each detected configuration, Lighthouse will determine whether the setting is **Compliant**, **Not compliant**, **Missing**, or **Extra**.

+ If there are no detected configurations, you'll be directed to the confirm and deploy page.

+11. From the **Confirm and deploy** page, confirm the configuration and select **Confirm**.

+1. In the left navigation pane in Lighthouse, select **Tenant**.

+5. From the task details pane, select **Mark as compliant**.

+1. In the left navigation pane in Lighthouse, select **Tenant**.

+ 1. In the left navigation pane in Lighthouse, select **Service health**.

+Once MFA is enabled, you can enable Azure Active Directory (Azure AD) self-service password reset (SSPR). SSPR gives users the ability to change or reset their password with no administrator or help desk involvement. For more information, see [Manage self-service password reset in Microsoft 365 Lighthouse](m365-lighthouse-manage-sspr.md).

+description: "For Managed Service Providers (MSPs) using Microsoft 365 Lighthouse, learn how to manage self-service password reset (SSPR)."

+Microsoft 365 Lighthouse lets Managed Service Providers (MSPs) manage Azure Active Directory (Azure AD) self-service password reset (SSPR). SSPR gives users the ability to change or reset their password with no administrator or help desk involvement. If a user's account is locked or they forget their password, they can follow prompts to unblock themselves and get back to work. This ability reduces help desk calls and loss of productivity when a user can't sign in to their device or an application.

+Microsoft 365 Lighthouse lets you investigate and mitigate threats across all your tenants. You can also initiate antivirus scans on devices, make sure devices are getting the latest updates for Microsoft Defender Antivirus, and review pending actions following antivirus scans. Lighthouse only supports devices running Windows 10 or later.

+Given the broad permissions granted to partner tenant users with DAP roles, we recommend adopting GDAP as soon as possible.

+- Configuring multifactor authentication and self-service password reset (SSPR), including tools to help drive adoption by users.

+## Watch: Demonstration of Microsoft 365 Lighthouse

+You can access the information in Lighthouse by selecting **Home** in the left navigation pane, or by selecting **Data Protection** in the left navigation pane to open the Quarantined messages page.

+5. From the task details pane, select **Reinstate**.

+description: "For Managed Service Providers (MSPs) using Microsoft 365 Lighthouse, learn how to set up Granular Delegated Administrative Privileges (GDAP) for your customers."

+You can now set up all your customers with Granular Delegated Administrative Privileges (GDAP) through Microsoft 365 Lighthouse, regardless of their licenses or size. Lighthouse lets you quickly transition your organization to GDAP and begin the journey to least-privilege for your delegated access to customers. By setting up your organization with GDAP for the customer tenants you manage, users in your organization have the permissions necessary to do their work while keeping customer tenants secure.

+Delegated access via DAP or GDAP is a prerequisite for customer tenants to be fully onboarded to Lighthouse. Therefore, creating GDAP relationships with your customers may be the first step in managing your customer tenants in Lighthouse.

+## Watch: Set up GDAP

+- You'll need to have specific permissions in the partner tenant:

+ - To establish GDAP security groups, add users, and create GDAP templates, you need to be a Global Administrator in the partner tenant. This role can be assigned in Azure Active Directory (Azure AD).

+- The customers you manage in Lighthouse need to be set up in Partner Center with either a reseller relationship or an existing delegated relationship (DAP or GDAP).

+- To enable the JIT Only tier permissions, you'll need an Azure AD P2 license for your partner tenant.

+1. In the left navigation pane in Lighthouse, select **Home**.

+2. On the **Set up GDAP for your organization** card, select **Begin setup**.

+1. From the **Define tiers of permissions** page, select the roles needed for each tier based on your employees' job functions. Do one of the following:

+ - Adopt recommended configurations

+ - Manually assign a role to each tier

+You can rename tiers to match your organizational needs. You can also remove roles from each tier within the recommendations. Certain roles can't be added to different tiers&mdash;for example, the roles in the JIT Only tier can't be added to any other tier.

+5. Select **Next** to go to the next section or select **Save and close** to save your settings and exit GDAP Setup.

+You'll need at least one security group per tier for each template. For the first template, you'll create a new security group, but for subsequent templates, you may reuse groups if desired.

+2. In the security group pane, enter a name and description.

+5. Select **Save**.

+If you want to reassign a customer tenant, rerun GDAP Setup and remove that customer from the existing assignment. Then you can reassign it to a different template. You can filter the list using the search box in the upper right corner.

+1. From the **Review settings** page, review the settings you created, and then select **Finish**.

+2. Select **Done**.

+If any customer tenants already had a DAP relationship, during the no-consent window, these settings will be automatically applied. For customers without DAP, or if the no consent window has closed, choosing **Finish** will take you to the last page where a consent link is generated for each customer, as needed. Once the customer consents to the GDAP relationship, the rest of the settings will be automatically applied.

+Microsoft 365 Lighthouse lets you manage users across customer tenant accounts by selecting any of the links under **Users** in the left navigation pane. From the Users page, you can search for users and assess and act on the security state of your user accounts. You can also view insights into risky users and the status of multifactor authentication and self-service password reset (SSPR).

+The Password reset page shows detailed information on the status of SSPR enablement across your tenants. It also provides insights into users who have SSPR enabled but still need to register before they can reset their password on their own.

+Microsoft 365 Lighthouse now provides a list of all the inactive user accounts in your managed tenants. To access the list, select **Users** > **Inactive users** in the left navigation pane in Microsoft 365 Lighthouse. You can reduce security risks by using this list to track and clean up accounts that are still enabled but that haven't been used in the past six months.

+Microsoft 365 Lighthouse now includes the capability for MSPs to use Granular Delegated Admin Privileges (GDAP) roles. With the latest update, MSPs can leverage GDAP by assigning roles to their technicians to enforce the principle of least privilege access in Microsoft 365 Lighthouse. This capability reduces the risks inherent in the broad permissions of the Delegated Access Permissions (DAP) role of the Admin Agent by enabling granular controls on the customers' data and settings that each technician will be able to work with.

+We've made it easier to communicate with users in your customer tenants about actions they're required to take. From the list of users not registered for multifactor authentication (MFA) or self-service password reset (SSPR), you can now select one or more users and send them an email message using a downloadable email template.

+Windows 365 is a cloud-based service that lets Microsoft Endpoint Manager (MEM) admins provision and manage Cloud PCs for their users who have a Windows 365 license. Windows 365 is fully integrated with MEM for device management, and with Microsoft 365 Lighthouse for Managed Service Provider (MSP) management of Cloud PCs across all their customer tenants.

+Once you've provisioned Cloud PCs for your customer tenant, the Windows 365 card on the Microsoft 365 Lighthouse Home page provides a brief alert on the Cloud PCs in need of action, such as the number of Cloud PCs that failed to provision and Azure network connection failures. To get a detailed status, select the button on the Windows 365 card (or select **Devices** > **Windows 365** in the left navigation pane in Lighthouse) to open the Windows 365 page. From this page, you can get a status overview of the Cloud PCs assigned to your customer tenants, view a list of all the Cloud PCs you manage and the tenants they're assigned to, and view the Azure network connections between your customer tenants and Azure Active Directory (Azure AD) and their status.

+Defender for Endpoint operates in the Microsoft Azure datacenters in the European Union, the United Kingdom, or in the United States. Customer data collected by the service may be stored in: (a) the geo-location of the tenant as identified during provisioning or, (b) if Defender for Endpoint uses another Microsoft online service to process such data, the geolocation as defined by the data storage rules of that other online service. For more information, see [Where your Microsoft 365 customer data is stored](/microsoft-365/enterprise/o365-data-locations).

+You can turn Microsoft Defender Antivirus cloud protection on or off by using one of several methods, such as:

+- [Microsoft Intune](#use-microsoft-intune-to-turn-on-cloud-protection)

+- [Group Policy](#use-group-policy-to-turn-on-cloud-protection)

+- [PowerShell cmdlets](#use-powershell-cmdlets-to-turn-on-cloud-protection)

+- [Windows Management Instruction](#use-windows-management-instruction-wmi-to-turn-on-cloud-protection) (WMI)

+You can also use [Configuration Manager](/mem/configmgr/protect/deploy-use/defender-advanced-threat-protection). And, you can turn cloud protection on or off on individual endpoints by using the [Windows Security app](#turn-on-cloud-protection-on-individual-clients-with-the-windows-security-app).

+## Use Microsoft Intune to turn on cloud protection

+1. Go to the Intune admin center ([https://intune.microsoft.com](https://intune.microsoft.com)) and sign in.

+3. In the **AV policies** section, either select an existing policy, or choose **+ Create Policy**.

+ | Task | Steps |

+ |||

+ | Create a new policy | 1. For **Platform**, select **Windows 10, Windows 11, and Windows Server**. <br/>2. For **Profile**, select **Microsoft Defender Antivirus**.<br/>3. On the **Basics** page, specify a name and description for the policy, and then choose **Next**.<br/>4. In the **Defender** section, find **Allow Cloud Protection**, and set it to **Allowed**. Then choose **Next**. <br/>5. On the **Scope tags** step, if your organization is using [scope tags](/mem/intune/fundamentals/scope-tags), select the tags you want to use, and then choose **Next**.<br/>6. On the **Assignments** step, select the groups, users, or devices that you want to apply this policy to, and then choose **Next**.<br/>7. On the **Review + create** step, review the settings for your policy, and then choose **Create**. |

+ | Edit an existing policy | 1. Select the policy that you want to edit.<br/>2. Under **Configuration settings**, choose **Edit**.<br/>3. In the **Defender** section, find **Allow Cloud Protection**, and set it to **Allowed**.<br/>4. Select **Review + save**. |

+> [!TIP]

+> To learn more about Microsoft Defender Antivirus settings in Intune, see [Antivirus policy for endpoint security in Intune](/mem/intune/protect/endpoint-security-antivirus-policy).

+- [Configuration

+New functionality is rolling out now to protect Microsoft Defender Antivirus exclusions on devices that are managed by Intune. Certain conditions must be met. See [What about exclusions](prevent-changes-to-security-settings-with-tamper-protection.md#what-about-exclusions)?

+The best way for technology partners to certify that their integration works is to have a joint customer approve the suggested integration design in the [Partner Application page](https://security.microsoft.com/interoperability/partnersapps) in Microsoft 365 Defender and have it tested and demoed to the Microsoft Defender for Endpoint team.

+| status | Shows the status and output of specific command. | Y | Y | Y |

+| undo | Restores an entity that was remediated. | Y | N | N |

+ms.reviwer: joshbregman

+|Fine-tune tamper protection settings in your organization <br/><br/> Use Microsoft Intune to turn tamper protection on or off on devices managed by Intune. You can configure tamper protection for some or all users with this method.|[Manage tamper protection for your organization using Intune](manage-tamper-protection-microsoft-endpoint-manager.md)|

+- Tamper protection is deployed and managed by using Intune. Devices are also managed by Intune. (See [Manage tamper protection for your organization using Microsoft Intune](manage-tamper-protection-microsoft-endpoint-manager.md).)

+The XMDEClientAnalyzer is used for diagnosing Microsoft Defender for Endpoint health or reliability issues on onboarded devices running either Linux, or macOS.

+There are two ways to run the client analyzer tool:

+1. Using a binary version (no Python dependency)

+2. Using a Python-based solution

+## Running the binary version of the client analyzer

+1. Download the [XMDE Client Analyzer Binary](https://aka.ms/XMDEClientAnalyzerBinary) tool to the macOS or Linux machine you need to investigate.\

+If using a terminal download using the command:

+ ```

+ wget --quiet -O XMDEClientAnalyzerBinary.zip https://aka.ms/XMDEClientAnalyzerBinary

+ ```

+2. Verify the download

+ >[!NOTE]

+ >The current SHA256 hash of 'XMDEClientAnalyzerBinary.zip' that is downloaded from the above link is: '01B6165F54C00083F40D8BC9481911897591B9497D04395F3440382DFD03B481'

+ ```

+ echo '01B6165F54C00083F40D8BC9481911897591B9497D04395F3440382DFD03B481 XMDEClientAnalyzerBinary.zip' | sha256sum -c

+ ```

+3. Extract the contents of <i>XMDEClientAnalyzerBinary.zip</i> on the machine.

+ If using a terminal download using the command:

+ ```

+ unzip -q XMDEClientAnalyzerBinary.zip -d XMDEClientAnalyzerBinary

+ ```

+4. Change to the tool's directory using the following command:

+ ```

+ cd XMDEClientAnalyzerBinary

+ ```

+5. Three new zip files will be produced:

+ 1. **SupportToolLinuxBinary.zip** : For all Linux devices

+ 2. **SupportToolmacOSBinary.zip** : For Intel based Mac devices

+ 3. **SupportToolmacOS-armBinary.zip** : For Arm based Mac devices

+6. Unzip one of the above 3 zip files based on the machine you need to investigate.\

+When using a terminal, unzip the file using one of the following commands based on machine type:

+ - Linux

+

+ ```

+ unzip -q SupportToolLinuxBinary.zip

+ ```

+ - Intel based Mac

+

+ ```

+ unzip -q SupportToolmacOSBinary.zip

+ ```

+ - For Arm based Mac devices

+

+ ```

+ unzip -q SupportToolmacOS-armBinary.zip

+ ```

+7. Run the tool as <i>root</i> to generate diagnostic package:

+ ```

+ sudo ./MDESupportTool -d

+ ```

+ > [!NOTE]

+ > The binary is currently unsigned. To allow the package run on MacOS, you will need to use the command

+ >

+ > `spctl --add /Path/To/MDESupportTool`

+ >

+## Running the Python-based client analyzer

+>- The analyzer depends on few extra pip packages(sh, distro, lxml, pandas) to produce the result output. If not installed, the analyzer will try to fetch it from the [official repository for Python packages](https://pypi.org/search/?q=lxml).

+>

+1. Download the [XMDE Client Analyzer](https://aka.ms/XMDEClientAnalyzer) tool to the macOS or Linux machine you need to investigate.

+ If using a terminal, download by running the command:

+ ```

+ wget --quiet -O XMDEClientAnalyzer.zip https://aka.ms/XMDEClientAnalyzer

+ ```

+

+2. Verify the download

+ ```

+ echo '815F3E83EB1E6C33D712F101618018E1E38211D4E2807C3A9EF3CC0B0F95225C XMDEClientAnalyzer.zip' | sha256sum -c

+ ```

+3. Extract the contents of XMDEClientAnalyzer.zip on the machine.\

+ If using a terminal unzip using the command:

+ ```

+ unzip -q XMDEClientAnalyzer.zip -d XMDEClientAnalyzer

+ ```

+4. Change directory to the extracted location.

+ ```

+ cd XMDEClientAnalyzer

+ ```

+5. Give the tool executable permission:

+ ```

+ chmod a+x mde_support_tool.sh

+ ```

+6. Run as a non-root user to install required dependencies:

+ ```

+ ./mde_support_tool.sh

+ ```

+5. To collect actual diagnostic package and generate the result archive file run again as root:

+ ```

+ sudo ./mde_support_tool.sh -d

+ ```

+## Command line options

+

+### Primary command lines

+ Use this for getting machine diagnostic

+ ```

+ -h, --help show this help message and exit

+ --output OUTPUT, -o OUTPUT

+ Output path to export report

+ --no-zip, -nz If set a directory will be created instead of an archive file

+ --force, -f Will overwrite if output directory exists

+ --diagnostic, -d Collect extensive machine diagnostic information

+ --bypass-disclaimer Do not display disclaimer banner

+ --mdatp-log {info,trace,error,warning,debug,verbose}

+ Set MDATP log level

+ --max-log-size MAX_LOG_SIZE

+ Maximum log file size in MB before rotating(Will restart mdatp)

+ ```

+

+ Usage example: `sudo ./MDESupportTool -d`

+

+### Positional arguments

+#### Collect performance info

+ Collect extensive machine performance tracing for analysis of a performance scenario that can be reproduced on demand

+ ```

+-h, --help show this help message and exit

+--frequency FREQUENCY

+ profile at this frequency

+--length LENGTH length of time to collect (in seconds)

+ ```

+ Usage example: `sudo ./MDESupportTool performance --frequency 2`

+#### Use OS trace (for macOS only)

+Use OS tracing facilities to record Defender for Endpoint performance traces.

+

+> [!NOTE]

+> This functionality exists in the Python solution only.

+```

+-h, --help show this help message and exit

+--length LENGTH Length of time to record the trace (in seconds).

+--mask MASK Mask to select with event to trace. Defaults to all

+```

+On running this command for the first time, it will install a Profile configuration.

+Follow this to approve profile installation: [Apple Support Guide](https://support.apple.com/en-in/guide/mac-help/mh35561/mac#:~:text=Choose%20Apple%20menu%20%3E%20System%20Settings,%2C%20double%2Dclick%20the%20profile.)

+Usage example `./mde_support_tool.sh trace --length 5`

+#### Exclude mode

+Add exclusions for audit-d monitoring.

+

+> [!NOTE]

+> This functionality exists for Linux only

+

+

+```

+-h, --help show this help message and exit

+-e <executable>, --exe <executable>

+ exclude by executable name, i.e: bash

+-p <process id>, --pid <process id>

+ exclude by process id, i.e: 911

+-d <directory>, --dir <directory>

+ exclude by target path, i.e: /var/foo/bar

+-x <executable> <directory>, --exe_dir \<executable\> <directory>

+ exclude by executable path and target path, i.e:

+ /bin/bash /var/foo/bar

+-q <q_size>, --queue <q_size>

+ set dispatcher q_depth size

+-r, --remove remove exclusion file

+-s, --stat get statistics about common executables

+-l, --list list auditd rules

+```

+

+Usage example `sudo ./MDESupportTool exclude -d /var/foo/bar`

+

+ Description: Same diagnostic output that gets generated when running *mdatp diagnostic create* on either [macOS](mac-resources.md#collecting-diagnostic-information) or [Linux](linux-resources.md#collect-diagnostic-information)

+ Description: details on audited service and related components for [Linux](/microsoft-365/security/defender-endpoint/linux-resources) OS.

+

+ - **On** :::image type="icon" source="../../media/scc-toggle-on.png":::: The following configurations are supported:

+ - Users in your organization can see and use the built-in **Report** button in Outlook on the web or the Microsoft Report Message or Report Phishing add-ins in virtually all Outlook platforms to report messages.

+ - **Off** :::image type="icon" source="../../media/scc-toggle-off.png":::: The Microsoft-integrated reporting experience is turned off, and all other settings on the **User reported** page are unavailable, including the ability for users to report messages from quarantine.

+When the toggle is **On** :::image type="icon" source="../../media/scc-toggle-on.png"::: and you've selected **Use the built-in "Report" button with "Phishing", "Junk", and "Not Junk options**, the following options are available on the **User reported** page:

+ If this setting is selected, click **Customize before message** to enter the **Title** and **Message** text in the **Customize text before message is reported** flyout that opens. Use the variable `%type%` to include the submission type (junk, not junk, phishing, etc.).

+ If this setting is selected, click **Customize after message** to enter the **Title** and **Message** text in the **Customize text after message is reported** flyout that opens. Use the variable `%type%` to include the submission type (junk, not junk, phishing, etc.).

+When the toggle is **On** :::image type="icon" source="../../media/scc-toggle-on.png"::: and you've selected **Use a non-Microsoft add-in button**, the following options are available on the **User reported** page:

+- **Add a mailbox to send reported messages to** in the **Reported message destinations** section: Enter the email address of an existing Exchange Online mailbox to use as the reporting mailbox that holds user-reported messages from third-party reporting tools. These messages are not submitted to Microsoft.

+ These user-reported messages appear on the **User reported** tab of the **Submissions** page at <https://security.microsoft.com/reportsubmission?viewid=user>. The **Result** value for these entries is **Not Submitted to Microsoft**.

+ Messages sent to the reporting mailbox must include the original user reported message as an uncompressed .EML or .MSG attachment. Don't forward the original user-reported message to the reporting mailbox.

+- The Microsoft integrated reporting experience is turned on: toggle **On** :::image type="icon" source="../../media/scc-toggle-on.png"::: and **Use the built-in "Report" button with "Phishing", "Junk", and "Not Junk options** is selected (`-EnableReportToMicrosoft $true -EnableThirdPartyAddress $false` are the default values).

+- The Microsoft integrated reporting experience is **On** :::image type="icon" source="../../media/scc-toggle-on.png"::: and **Use the built-in "Report" button with "Phishing", "Junk", and "Not Junk options** is selected (`-EnableReportToMicrosoft $true -EnableThirdPartyAddress $false` are the default values).

+- The Microsoft integrated reporting experience is **On** :::image type="icon" source="../../media/scc-toggle-on.png"::: and **Use the built-in "Report" button with "Phishing", "Junk", and "Not Junk options** is selected (you need to set `-EnableReportToMicrosoft $false`; `-EnableThirdPartyAddress $false` is the default value).

+- The Microsoft integrated reporting experience is **On** :::image type="icon" source="../../media/scc-toggle-on.png"::: and **Use a non-Microsoft add-in button** is selected (`-EnableReportToMicrosoft $false -EnableThirdPartyAddress $true`).

+This example creates the report submission policy with the Microsoft integrated reporting experience turned **Off** :::image type="icon" source="../../media/scc-toggle-on.png"::: (`-EnableReportToMicrosoft $false`; `-EnableThirdPartyAddress $false -ReportJunkToCustomizedAddress $false -ReportNotJunkToCustomizedAddress $false -ReportPhishToCustomizedAddress $false` are the default values).

+Virtually all of the same settings are available when you modify the report submission policy in PowerShell as when you created the policy as described in [the previous section](#use-powershell-to-create-the-report-submission-policy-and-the-report-submission-rule). The exception is:

+- Turn off the Microsoft integrated reporting experience **Off** :::image type="icon" source="../../media/scc-toggle-off.png"::::

+To temporarily disable sending email messages to the reporting mailbox without deleting the report submission rule, use [Disable-ReportSubmissionRule](/powershell/module/exchange/disable-reportsubmissionrule). For example:

+> Teams meeting policies only hide Whiteboard entry points; they don't prevent the users from using Whiteboard. Conditional access policies prevent any access to Whiteboard, but don't hide the entry points.

+To show or hide Whiteboard in meetings, see [Meeting policy settings](/microsoftteams/meeting-policies-content-sharing). To control the availability of the Whiteboard app for each user within the organization, see [App policy settings](/microsoftteams/app-policies).