Updates from: 03/10/2022 02:26:15
Category Microsoft Docs article Related commit history on GitHub Change details
business-premium M365bp Device Groups Mdb https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business-premium/m365bp-device-groups-mdb.md
+
+ Title: Working with device groups in Microsoft 365 Business Premium
+description: Learn about device groups in Microsoft 365 Business Premium
+search.appverid: MET150
+++
+audience: Admin
+ Last updated : 03/08/2022
+ms.technology: mdb
+localization_priority: Normal
+
+f1.keywords: NOCSH
+
+- SMB
+- M365-security-compliance
+- m365-initiative-defender-business
++
+# Device groups in Microsoft 365 Business Premium
+
+Microsoft 365 Business Premium includes endpoint protection through Microsoft Defender for Business. Device protection policies are applied to devices through certain collections that are called device groups.
+
+**This article describes**:
+
+- [What device groups are](#whats-a-device-group)
+- [How to create a new device group](#how-do-i-create-a-new-device-group)
+
+## What's a device group?
+
+A device group is a collection of devices that are grouped together because of certain specified criteria, such as operating system version. Devices that meet the criteria are included in that device group, unless you exclude them.
+
+With your subscription, you have default device groups that you can use. The default device groups include all the devices that are onboarded to Defender for Business. However, you can also create new device groups to assign device protection policies with specific settings to certain devices.
+
+All device groups, including your default device groups and any custom device groups that you define, are stored in [Azure Active Directory](/azure/active-directory/fundamentals/active-directory-whatis) (Azure AD).
+
+## How do I create a new device group?
+
+You can create a new device group while you are in the process of creating or editing a device protection policy.
+
+1. Go to the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) and sign in.
+
+2. In the navigation pane, choose **Device configuration**.
+
+3. Take one of the following actions:
+
+ 1. Select an existing policy, and then choose **Edit**.
+ 2. Choose **+ Add** to create a new policy.
+
+ > [!TIP]
+ > To get help creating or editing a policy, see [View or edit policies in Microsoft Defender for Business](m365bp-view-edit-create-mdb-policies.md).
+
+4. On the **General information** step, review the information, edit if necessary, and then choose **Next**.
+
+5. Choose **+ Create new group**.
+
+6. Specify a name and description for the device group, and then choose **Next**.
+
+7. Select the devices to include in the group, and then choose **Create group**.
+
+8. On the **Device groups** step, review the list of device groups for the policy. If needed, remove a group from the list. Then choose **Next**.
+
+9. On the **Configuration settings** page, review and edit settings as needed, and then choose **Next**. For more information about these settings, see [Understand next-generation configuration settings in Microsoft Defender for Business](../security/defender-business/mdb-next-gen-configuration-settings.md).
+
+10. On the **Review your policy** step, review all the settings, make any needed edits, and then choose **Create policy** or **Update policy**.
++
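
Review bot: In "How do I create a new device group?", step 7 says only "Select the devices to include in the group", while "What's a device group?" defines membership by criteria such as operating system version, with exclusions. The procedure never shows where criteria or exclusions are set, so the reader cannot tell whether the wizard creates a fixed device list or a rule-based group; say which, and add the step where criteria are entered if there is one. Step 3 also numbers two alternatives (edit an existing policy, add a new one) as sub-steps 1 and 2; bullets would make clear that only one applies.
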
business-premium M365bp Onboard Devices Mdb https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business-premium/m365bp-onboard-devices-mdb.md
+
+ Title: Onboard your organization's devices to Microsoft Defender for Business
+description: Onboard your organization's devices to Microsoft Defender for Business
+search.appverid: MET150
+++
+audience: Admin
+ Last updated : 03/08/2022
+ms.technology: mdb
+localization_priority: Normal
+
+f1.keywords: NOCSH
+
+- SMB
+- M365-security-compliance
+- m365-initiative-defender-business
++
+# Onboard managed devices to Microsoft Defender for Business
+
+Onboard devices to Microsoft Defender for Business to protect them with next-generation protection (antivirus, antimalware, and cloud-delivered protection), firewall protection, web content filtering and more.
+
+To onboard devices, you can choose from several options:
+
+- [Use automatic onboarding for Windows devices that are already enrolled in Microsoft Endpoint Manager](#use-automatic-onboarding-for-windows-devices-that-are-already-enrolled-in-microsoft-endpoint-manager)
+- [Use a local script to onboard Windows and macOS devices](#use-a-local-script-to-onboard-windows-and-macos-devices)
+- [Use Endpoint Manager to enroll devices](#use-microsoft-endpoint-manager-to-enroll-devices) (Windows, macOS, iOS, and Android) and then apply Defender for Business policies to those devices
+
+This article also includes:
+
+- [How to run a detection test on a Windows device](#run-a-detection-test-on-a-windows-device)
+- [How to onboard devices gradually](#onboard-devices-gradually)
+- [How to offboard a device](#offboard-a-device) if a device is replaced or someone leaves the organization
+
+> [!IMPORTANT]
+> If something goes wrong and your onboarding process fails, see [Microsoft Defender for Business troubleshooting](../security/defender-business/mdb-troubleshooting.yml).
+
+## Use automatic onboarding for Windows devices that are already enrolled in Microsoft Endpoint Manager
+
+The automatic onboarding option applies to Windows devices only. Automatic onboarding is available if your organization was already using Microsoft Endpoint Manager, Microsoft Intune, or Mobile Device Management (MDM) in Microsoft Intune before you got Defender for Business, and you already have Windows devices enrolled in Endpoint Manager.
+
+If Windows devices are already enrolled in Endpoint Manager, Defender for Business will detect those devices while you are in the process of setting up and configuring Defender for Business. You'll be asked if you want to use automatic onboarding for all or some of your Windows devices. You can onboard all Windows devices at once, or select specific devices to start with, and then add more devices later.
+
+To learn more about automatic onboarding, see Step 2 in [Use the wizard to set up Microsoft Defender for Business](../security/defender-business/mdb-use-wizard.md).
+
+## Use a local script to onboard Windows and macOS devices
+
+You can use a local script to onboard Windows and macOS devices. When you run the onboarding script on a device, it creates a trust with Azure Active Directory (if that trust does not already exist), enrolls the device in Microsoft Endpoint Manager (if it isn't already enrolled), and then onboards the device to Defender for Business.
+
+You can onboard up to 10 devices at a time with this method.
+
+1. Go to the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), and sign in.
+
+2. In the navigation pane, choose **Settings** > **Endpoints**, and then under **Device management**, choose **Onboarding**.
+
+3. Select an operating system, such as **Windows 10 and 11**, and then, under **Onboard a device**, in the **Deployment method** section, choose **Local script**.
+
+4. Select **Download onboarding package**. We recommend saving the onboarding package to a removable drive.
+
+5. Follow the guidance in the following articles:
+
+ - Windows devices: [Onboard Windows devices using a local script](../security/defender-endpoint/configure-endpoints-script.md#onboard-windows-devices-using-a-local-script)
+ - macOS devices: [Manual deployment for Microsoft Defender for Endpoint on macOS](../security/defender-endpoint/mac-install-manually.md#download-installation-and-onboarding-packages)
+
+## Use Microsoft Endpoint Manager to enroll devices
+
+If you were already using Endpoint Manager (which includes Microsoft Intune and Mobile Device Management), before you got Defender for Business, you can continue to use Endpoint Manager to onboard your organization's devices. With Endpoint Manager, you can onboard computers, tablets, and phones, including iOS and Android devices.
+
+If your organization is using Android devices, use this method.
+
+See [Device enrollment in Microsoft Intune](/mem/intune/enrollment/device-enrollment).
+
+NEED PROCEDURES HERE
+
+## Run a detection test on a Windows device
+
+After you've onboarded Windows devices to Defender for Business, you can run a detection test on a Windows device to make sure that everything is working correctly.
+
+1. On the Windows device, create a folder: `C:\test-MDATP-test`.
+
+2. Open Command Prompt as an administrator.
+
+3. In the Command Prompt window, run the following PowerShell command:
+
+ ```powershell
+ powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden $ErrorActionPreference = 'silentlycontinue';(New-Object System.Net.WebClient).DownloadFile('http://127.0.0.1/1.exe', 'C:\\test-MDATP-test\\invoice.exe');Start-Process 'C:\\test-MDATP-test\\invoice.exe'
+ ```
+
+After the command has run, the Command Prompt window will close automatically. If successful, the detection test will be marked as completed, and a new alert will appear in the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) for the newly onboarded device in about 10 minutes.
+
+## Onboard devices gradually
+
+If you prefer to onboard devices in phases, which we call *gradual device onboarding*, follow these steps:
+
+1. Identify a set of devices to onboard.
+
+2. Go to the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), and sign in.
+
+3. In the navigation pane, choose **Settings** > **Endpoints**, and then under **Device management**, choose **Onboarding**.
+
+4. Select an operating system (such as **Windows 10 and 11)**, and then choose an onboarding method (such as **Local script**). Follow the guidance provided for the method you selected.
+
+5. Repeat this process for each set of devices you want to onboard.
+
+> [!TIP]
+> You don't have to use the same onboarding package every time you onboard devices. For example, you can use a local script to onboard some devices, and later on, you can choose another method to onboard more devices.
+
+## Offboard a device
+
+If you want to offboard a device, follow these steps:
+
+1. Go to the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) and sign in.
+
+2. In the navigation pane, choose **Settings**, and then choose **Endpoints**.
+
+3. Under **Device management**, choose **Offboarding**.
+
+4. Select an operating system, such as **Windows 10 and 11**, and then, under **Offboard a device**, in the **Deployment method** section, choose **Local script**.
+
+5. In the confirmation screen, review the information, and then choose **Download** to proceed.
+
+6. Select **Download offboarding package**. We recommend saving the offboarding package to a removable drive.
+
+7. Run the script on each device that you want to offboard. Need help with this task? See the following resources:
+
+ - Windows devices: [Offboard Windows devices using a local script](../security/defender-endpoint/configure-endpoints-script.md#offboard-devices-using-a-local-script)
+ - macOS devices: [Uninstalling on macOS](../security/defender-endpoint/mac-resources.md#uninstalling)
+
+> [!IMPORTANT]
+> Offboarding a device causes the devices to stop sending data to Defender for Business. However, data received prior to offboarding is retained for up to six (6) months.
+
+## Next steps
+
+[Review remediation actions in Microsoft 365 Business Premium](m365bp-review-remediation-actions-devices.md)
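
Review bot: The "Use Microsoft Endpoint Manager to enroll devices" section still contains the authoring placeholder "NEED PROCEDURES HERE"; replace it with the enrollment steps or remove it before publishing, since the Intune enrollment link is otherwise the section's only guidance. In "Run a detection test on a Windows device", the command runs with -ExecutionPolicy Bypass and a hidden window and requests 1.exe from http://127.0.0.1; add a sentence explaining what the command does and why it is safe to run, so admins are not asked to paste an unexplained download-and-execute line. In "Onboard devices gradually", step 4 closes the bold span after the parenthesis ("**Windows 10 and 11)**"); move the parenthesis outside the markers.
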
business-premium M365bp Review Remediation Actions Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business-premium/m365bp-review-remediation-actions-devices.md
+
+ Title: Review remediation actions in Microsoft 365 Business Premium
+description: See how to view remediations that were taken automatically or that are awaiting approval in the Action center
+search.appverid: MET150
+++
+audience: Admin
+ Last updated : 02/24/2022
+ms.technology: mdb
+localization_priority: Normal
+
+f1.keywords: NOCSH
+
+- SMB
+- M365-security-compliance
+- m365-initiative-defender-business
++
+# Review remediation actions in Microsoft 365 Business Premium
+
+As threats are detected, remediation actions come into play. Depending on the particular threat and how your security settings are configured, remediation actions might be taken automatically or only upon approval. Examples of remediation actions include sending a file to quarantine, stopping a process from running, and removing a scheduled task. All remediation actions are tracked in the Action center, which is located at [https://security.microsoft.com/action-center](https://security.microsoft.com/action-center).
++
+**This article describes**:
+
+- [How to use the Action center](#how-to-use-your-action-center)
+
+- [Types of remediation actions](#types-of-remediation-actions)
++
+## How to use your Action center
+
+1. Go to the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), and sign in.
+
+2. In the navigation pane, choose **Action center**.
+
+3. Select the **Pending** tab to view and approve (or reject) any pending actions. Such actions can arise from antivirus/antimalware protection, automated investigations, manual response activities, or live response sessions.
+
+4. Select the **History** tab to view a list of completed actions.
+
+## Types of remediation actions
+
+Your subscription includes several different types of remediation actions for detected threats. These actions include manual response actions, actions following automated investigation, and live response actions.
+
+The following table lists remediation actions that are available:
+
+| Source | Actions |
+|||
+| [Automated investigations](../security/defender-endpoint/automated-investigations.md) | - Quarantine a file <br/>- Remove a registry key <br/>- Kill a process <br/>- Stop a service <br/>- Disable a driver <br/>- Remove a scheduled task |
+| [Manual response actions](../security/defender-endpoint/respond-machine-alerts.md) | - Run antivirus scan <br/>- Isolate device <br/>- Stop and quarantine <br/>- Add an indicator to block or allow a file |
+| [Live response](../security/defender-endpoint/live-response.md) | - Collect forensic data <br/>- Analyze a file <br/>- Run a script <br/>- Send a suspicious entity to Microsoft for analysis <br/>- Remediate a file <br/>- Proactively hunt for threats |
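
Review bot: Step 3 of "How to use your Action center" names four origins for pending actions (antivirus/antimalware protection, automated investigations, manual response activities, live response sessions), but "Types of remediation actions" and its table cover only three and omit antivirus/antimalware; add a row for it or drop it from step 3 so the two lists agree. The table's delimiter row is "|||", which has no dashes and will not render as a table; use "|---|---|". The in-page link text "How to use the Action center" also differs from the heading "How to use your Action center".
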
business-premium M365bp View Edit Create Mdb Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business-premium/m365bp-view-edit-create-mdb-policies.md
+
+ Title: View or edit device protection policies
+description: View, edit, create, and delete device protection policies in Microsoft 365 Business Premium
+search.appverid: MET150
+++
+audience: Admin
+ Last updated : 03/08/2022
+ms.technology: mdb
+localization_priority: Normal
+
+f1.keywords: NOCSH
+
+- SMB
+- M365-security-compliance
+- m365-initiative-defender-business
++
+# View and edit your device protection policies
+
+In Microsoft 365 Business Premium, security settings for managed devices are configured through device protection policies. To help simplify your setup and configuration experience, you have preconfigured policies that can help protect your organization's devices as soon as they are onboarded. You can use the default policies, edit policies, or create your own policies.
+
+**This article describes how to**:
+
+- Get an overview of your default policies
+- View your existing policies
+- Edit an existing policy
+- Create a new policy
+
+## Default device protection policies
+
+Microsoft 365 Business Premium includes two main types of policies to protect your organization's devices:
+
+- **Next-generation protection policies**, which determine how Microsoft Defender Antivirus and other threat protection features are configured
+
+- **Firewall policies**, which determine what network traffic is permitted to flow to and from your organization's devices
+
+These policies are part of Microsoft Defender for Business, which is included in your Microsoft 365 Business Premium subscription.
+
+## View your existing device protection policies
+
+1. Go to the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), and sign in.
+
+2. In the navigation pane, choose **Device configuration**. Policies are organized by operating system (such as **Windows client**) and policy type (such as **Next-generation protection** and **Firewall**).
+
+3. Select an operating system tab (for example, **Windows clients**), and then review the list of policies under the **Next-generation protection** and **Firewall** categories.
+
+4. To view more details about a policy, select its name. A side pane will open that provides more information about that policy, such as which devices are protected by that policy.
+
+## Edit an existing device protection policy
+
+1. Go to the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), and sign in.
+
+2. In the navigation pane, choose **Device configuration**. Policies are organized by operating system (such as **Windows client**) and policy type (such as **Next-generation protection** and **Firewall**).
+
+3. Select an operating system tab (for example, **Windows clients**), and then review the list of policies under the **Next-generation protection** and **Firewall** categories.
+
+4. To edit a policy, select its name, and then choose **Edit**.
+
+5. On the **General information** tab, review the information. If necessary, you can edit the description. Then choose **Next**.
+
+6. On the **Device groups** tab, determine which device groups should receive this policy.
+
+ - To keep the selected device group as it is, choose **Next**.
+ - To remove a device group from the policy, select **Remove**.
+ - To set up a new device group, select **Create new group**, and then set up your device group. (To get help with this task, see [Device groups in Microsoft 365 Business Premium](m365bp-device-groups-mdb.md).)
+ - To apply the policy to another device group, select **Use existing group**.
+
+ After you have specified which device groups should receive the policy, choose **Next**.
+
+7. On the **Configuration settings** tab, review the settings. If necessary, you can edit the settings for your policy. To get help with this task, see the following articles:
+
+ - [Understand next-generation configuration settings](../security/defender-business/mdb-next-gen-configuration-settings.md)
+ - [Firewall settings](../security/defender-business/mdb-firewall.md)
+
+ After you have specified your next-generation protection settings, choose **Next**.
+
+8. On the **Review your policy** tab, review the general information, targeted devices, and configuration settings.
+
+ - Make any needed changes by selecting **Edit**.
+ - When youΓÇÖre ready to proceed, choose **Update policy**.
+
+## Create a new device protection policy
+
+1. Go to the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), and sign in.
+
+2. In the navigation pane, choose **Device configuration**. Policies are organized by operating system (such as **Windows client**) and policy type (such as **Next-generation protection** and **Firewall**).
+
+3. Select an operating system tab (for example, **Windows clients**), and then review the list of **Next-generation protection** policies.
+
+4. Under **Next-generation protection** or **Firewall**, select **+ Add**.
+
+5. On the **General information** tab, take the following steps:
+
+ 1. Specify a name and description. This information will help you and your team identify the policy later on.
+ 2. Review the policy order, and edit it if necessary. (For more information, see [Policy order](../security/defender-business/mdb-policy-order.md).)
+ 3. Choose **Next**.
+
+7. On the **Device groups** tab, either create a new device group, or use an existing group. Policies are assigned to devices through device groups. Here are some things to keep in mind:
+
+ - Initially, you might only have your default device group, which includes the devices people in your organization are using to access organization data and email. You can keep and use your default device group.
+ - Create a new device group to apply a policy with specific settings that are different from the default policy.
+ - When you set up your device group, you specify certain criteria, such as the operating system version. Devices that meet the criteria are included in that device group, unless you exclude them.
+ - All device groups, including the default and custom device groups that you define, are stored in Azure Active Directory (Azure AD).
+
+ To learn more about device groups, see [Device groups in Microsoft Defender for Business](../security/defender-business/mdb-create-edit-device-groups.md).
+
+8. On the **Configuration settings** tab, specify the settings for your policy, and then choose **Next**. For more information about the individual settings, see [Understand next-generation configuration settings in Microsoft Defender for Business](../security/defender-business/mdb-next-gen-configuration-settings.md).
+
+9. On the **Review your policy** tab, review the general information, targeted devices, and configuration settings.
+
+ - Make any needed changes by selecting **Edit**.
+ - When youΓÇÖre ready to proceed, choose **Create policy**.
++
+## Next steps
+
+[Device groups in Microsoft 365 Business Premium](m365bp-device-groups-mdb.md)
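
Review bot: In "Create a new device protection policy" the step numbers jump from 5 to 7, and step 3 tells the reader to review only the **Next-generation protection** list although step 4 also allows adding a **Firewall** policy; renumber, and name both categories as the View and Edit procedures do. The device-group help link differs between procedures: Edit step 6 points to m365bp-device-groups-mdb.md while Create step 7 points to ../security/defender-business/mdb-create-edit-device-groups.md; pick one target. The apostrophe in "youΓÇÖre" in both **Review your policy** steps is mis-encoded; use a plain apostrophe.
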
compliance Apply Sensitivity Label Automatically https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/apply-sensitivity-label-automatically.md
In all cases, matched files are labeled until the OneDrive account is permanentl
![Choose locations page for auto-labeling configuration.](../media/locations-auto-labeling-wizard.png)
- To specify individual OneDrive accounts, see [Get a list of all user OneDrive URLs in your organization](/onedrive/list-onedrive-urls).
+ More information about the locations:
+
+ - If you choose **Exchange** and want to label incoming email from outside your organization, you must keep the default of **All** included. For this configuration to be scoped to specific users in your organization, choose **Advanced rules** in the next step. Then configure the conditions to include specific recipients in your organization to achieve the scoping requirement for a subset of users.
+
+ - To specify individual OneDrive accounts, see [Get a list of all user OneDrive URLs in your organization](/onedrive/list-onedrive-urls).
-7. For the **Set up common or advanced rules** page: Keep the default of **Common rules** to define rules that identify content to label across all your selected locations. If you need different rules per location, select **Advanced rules**. Then select **Next**.
+7. For the **Set up common or advanced rules** page: Keep the default of **Common rules** to define rules that identify content to label across all your selected locations. If you need different rules per location, including more options for Exchange, select **Advanced rules**. Then select **Next**.
The rules use conditions that include sensitive information types and sharing options: - For sensitive information types, you can select both built-in and custom sensitive information types. - For the shared options, you can choose **only with people inside my organization** or **with people outside my organization**.
- If your only location is **Exchange**, or if you select **Advanced rules**, there are other conditions that you can select:
+ If your location is **Exchange** and you selected **Advanced rules**, there are other conditions that you can select:
- Sender IP address is - Recipient domain is - Recipient is
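
Review bot: The reworded condition "If your location is **Exchange** and you selected **Advanced rules**" changes the old "or" to "and" but leaves the case of Exchange plus other locations ambiguous; if that case is meant to qualify, say "If **Exchange** is one of your selected locations and you select **Advanced rules**", which also matches the tense used in step 7. The new Exchange bullet says **All** must stay included to label incoming email from outside the organization and then routes user scoping through recipient conditions in **Advanced rules**; state what happens to that incoming email when **All** is replaced with specific users, so admins understand the effect of narrowing the location.
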
compliance Bulk Add Custodians https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/bulk-add-custodians.md
search.appverid: - MOE150 - MET150
-description: "Use the import tool dto quickly add multiple custodians and their associated data sources to a case in Advanced eDiscovery."
+description: "Use the bulk-import tool to quickly add multiple custodians and their associated data sources to a case in Advanced eDiscovery."
# Import custodians to an Advanced eDiscovery case
-For Advanced eDiscovery cases that involve many custodians, you can import multiple custodians at once by using a CSV file that contains the information necessary to add them to a case.
+For Advanced eDiscovery cases that involve many custodians, you can import multiple custodians at once by using a CSV file that contains the information necessary to add them to a case. The import custodians tool will also validate the CSV file before the import job is created. This means you can fix any errors in the CSV file instead of having to wait until the import job is complete before learning there are errors that prevent a custodian from being added to the case.
+
+## Before you import custodians
+
+- You can import a maximum of 1,000 custodians (rows) per CSV file.
+
+- You can associate up to 500 data sources for each custodian.
+
+- You can only import custodians that are part of your organization's Azure Active Directory.
+
+- Each custodian must have a unique email address.
+
+- To import an inactive mailbox as a custodian or to associate an inactive mailbox with another custodian, add a "." prefix to the email address of the inactive mailbox (for example, .sarad@contoso.onmmicrosoft.com).
## Import custodians
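
Review bot: The example address in the last "Before you import custodians" bullet is misspelled: ".sarad@contoso.onmmicrosoft.com" has a doubled "m"; use ".sarad@contoso.onmicrosoft.com" to match the domain shown for **Custodian contactEmail**. The same bullet says "email address" where the column is described as the custodian's UPN email address and the note being removed said "UPN address"; say which identifier takes the "." prefix.
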
For Advanced eDiscovery cases that involve many custodians, you can import multi
2. Click **Add data source** > **Import custodians**.
-3. On the **Import custodians** flyout page, click **Download a blank template** to download a custodian template CSV file.
+3. On the **Get template** wizard page, click **Download the CSV template** to download a custodian template CSV file.
![Download a CSV template from Import custodians flyout page.](../media/ImportCustodians1.png)
-4. Add the custodial information to the CSV file and save it to your local computer. See the [Custodian CSV file](#custodian-csv-file) section for information about the required properties in the CSV file.
+4. Add the custodial information to the CSV file and save it to your local computer. See the [Custodian CSV file](#custodian-csv-file) section for detailed information about the required properties in the CSV file.
5. After you've prepared the CSV file with the custodian information, go back to the **Data sources** tab, and click **Add data source** > **Import custodians** again.
-6. On the **Import custodians** flyout page, click **Browse** and then upload the CSV file that contains the custodian information.
+6. On the **Upload CSV file** wizard page, click **Upload csv file** and then upload the CSV file that contains the custodian information.
+
+ After you upload the CSV file, the import wizard validates the CSV file. If any validation errors exist, the wizard displays an error banner with a link to view the errors.
+
+ ![Validation error banner with link to more information.](../media/ImportCustodians2.png)
+
+ The error information identifies the row and column of the cell that contains the error, and suggests a remediation action. You have to fix any validation error and then reupload the fixed CSV file. The CSV file must be successfully validated before you can create the import custodian job.
- After the CSV file is uploaded, a job named **BulkAddCustodian** is created and displayed on the **Jobs** tab. The job validates the custodians and their associated data sources and then adds them to the **Data sources** page of the case.
+7. Once the CSV file has been successfully validated, click **Next** and then click **Import** to start the import job.
+
+After you start the import job, Advanced eDiscovery does the following things:
+
+- Creates a job named **BulkAddCustodian** on the **Jobs** tab of the case.
+
+- Performs Advanced indexing of all data sources for each custodian.
+
+- Places all custodian data sources on hold (if the **Is OnHold** property in the CSV file is set to TRUE)
+
+When the import custodian job is complete, the custodians and their associated data sources are added to the **Data sources** page of the case.
## Custodian CSV file
-After you download the CSV custodian template, you can add custodians and their data source in each row. Be sure not to change the column names in the header row. Use the workload type and workload location columns to associate other data sources to a custodian.
+After you download the CSV custodian template, you can add custodians and their data sources in each row. Be sure not to change the column names in the header row. Use the workload type and workload location columns to associate other data sources to a custodian.
| Column name|Description| |:- |:| |**Custodian contactEmail** |The custodian's UPN email address. For example, sarad@contoso.onmicrosoft.com. | |**Exchange Enabled** | TRUE/FALSE value to include or not include the custodian's mailbox. |
-|**OneDrive Enabled** | TRUE/FALSE value to include or not included the custodian's OneDrive for Business account. |
+|**OneDrive Enabled** | TRUE/FALSE value to include or not include the custodian's OneDrive for Business account. |
|**Is OnHold** | TRUE/FALSE value to indicate whether to place the custodian data sources on hold. <sup>1</sup> |
-|**Workload1 Type** |String value indicating the type of data source to associate with the custodian. Possible values include: <br/>- ExchangeMailbox<br/> - SharePointSite<br/>- TeamsMailbox<sup>2</sup><br/>- YammerMailbox<sup>2</sup>|
+|**Workload1 Type** |String value indicating the type of data source to associate with the custodian. Possible values include: <br/>- ExchangeMailbox<br/> - SharePointSite<br/>- TeamsMailbox<sup>2</sup><br/>- YammerMailbox<sup>2</sup>. The previous values for these workload types are case sensitive. The CSV file contains columns for three workload types and their corresponding workload locations. You can add a total of 500 workload types and locations.|
|**Workload1 Location** | Depending on your workload type, this would be the location of the data source. For example, the email address for an Exchange mailbox or the URL for a SharePoint site. | ||| > [!NOTE]
-> <sup>1</sup> When you put more than 1,000 mailboxes or 100 sites on hold, the system will automatically scale the eDiscovery hold as needed. This means the system will automatically add data locations to multiple holds, instead of adding them to a single hold. However, the limit of 10,000 case holds per organization still applies. For more information about hold limits, see [Limits in Advanced eDiscovery](limits-ediscovery20.md#hold-limits).
+> <sup>1</sup> If you put more than 1,000 mailboxes or 100 sites on hold in a case, the system will automatically scale the eDiscovery hold as needed. This means the system automatically adds data locations to multiple hold policies, instead of adding them to a single policy. However, the limit of 10,000 case hold policies per organization still applies. For more information about hold limits, see [Limits in Advanced eDiscovery](limits-ediscovery20.md#hold-limits).
<br> > <sup>2</sup> When you include TeamsMailbox and YammerMailbox workloads in the CSV file, the group site (TeamSite and YammerSite) are automatically added by default. You don't need to specify TeamsSite and YammerSite separately in the CSV file.
Here's an example of a CSV file with custodian information:<br/><br/>
|||||| > [!NOTE]
-> To import an inactive mailbox as a custodian or to associate an inactive mailbox with another custodian, add a "." prefix to the UPN address of the inactive mailbox.
-
-## Custodian and data source validation
-
-After you upload the custodian CSV file, Advanced eDiscovery does the following things:
-
-1. Validates the custodians and their data sources.
-
-2. Indexes all data sources for each custodian and places them on hold (if the **Is OnHold** property in the CSV file is set to TRUE).
-
-### Custodian validation
-
-Currently, we only support importing custodians that are included in your organization's Azure Active Directory (Azure AD).
-
-The custodian import tool finds and validates custodians using the UPN value in the **Custodian contactEmail** column in the CSV file. Custodians that are validated are automatically added to the case and listed on the **Data sources** tab of the case. If a custodian can't be validated, they are listed in the error log for the BulkAddCustodian job that is listed on the **Jobs** tab in the case. Unvalidated custodians are not added to the case or listed on the **Data sources** tab.
-
-### Data source validation
-
-After custodians are validated and added to the case, each primary mailbox and OneDrive account that's associated with a custodian is added.
-
-However, if any of the other data sources (such as SharePoint sites, Microsoft Teams, Microsoft 365 Groups, or Yammer groups) associated with a custodian can't be found, none of them are assigned to the custodian and the value **Not validated** is displayed in the **Status** column next to the custodian on the **Data sources** tab.
-
-To add validated data sources for a custodian:
-
-1. On the **Data sources** tab, select a custodian that contains data sources that aren't validated.
-
-2. On the custodian flyout page, scroll to the **Custodial locations** section to view both validated and unvalidated data sources that are associated with custodian.
-
-3. Click **Edit** at the top of the flyout page to remove invalid data sources or add new ones.
-
-4. After you remove unvalidated data sources or add a new one, the value **Active** is displayed in **Status** column for the custodian on the **Data sources** tab. To add sources that previously appeared to be invalid, follow the remediation steps below to manually add them to a custodian.
-
-### Remediating invalid data sources
-
-To manually add and associate a data source that was previously invalid:
-
-1. On the **Data sources** tab, select a custodian to manually add and associate a data source that was previously invalid.
-
-2. Click **Edit** at the top of the flyout page to associate mailboxes, sites, Teams, or Yammer groups to the custodian. Do this by clicking **Edit** next to the appropriate data location type.
-
-3. Click **Next** to display the **Hold settings** page and configure the hold setting for the data sources you added.
-
-4. Click **Next** to display the **Review custodians** page, and then click **Submit** to save your changes.
+> As previously explained, add a "." prefix to the UPN address of an inactive mailbox to import an inactive mailbox as a custodian or to associate an inactive mailbox with another custodian.
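Review bot: The replacement note opens with "As previously explained", yet this hunk deletes the whole "Custodian and data source validation" section, including the only statement that custodians who can't be validated are listed in the error log for the BulkAddCustodian job on the **Jobs** tab and the steps for remediating data sources marked **Not validated**. If that guidance now lives in another article, link to it from this note; otherwise keep at least the pointer to the job error log so an admin can tell which custodians were silently left out of the case and its holds.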
compliance Create A Custom Sensitive Information Type https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/create-a-custom-sensitive-information-type.md
Title: "Create a custom sensitive information types"
+ Title: "Create custom sensitive information types"
f1.keywords: - NOCSH
For example, if you want the rule to trigger a match when at least 500 unique in
> While creating a regex using a double byte hyphen or a double byte period, make sure to escape both the characters like one would escape a hyphen or period in a regex. Here is a sample regex for reference: > - (?<!\d)([4][0-9]{3}[\-?\-\t]*[0-9]{4}) >
+> Double-byte special characters should not be used in the keyword.
+>
> We recommend using a string match instead of a word match in a keyword list.
compliance Create Ediscovery Holds https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/create-ediscovery-holds.md
To create an eDiscovery hold that's associated with a Core eDiscovery case:
11. Review your settings (and edit them if necessary), and then click **Submit**.
+> [!NOTE]
+> When you create a query-based hold, all content from selected locations is initially placed on hold. Subsequently, any content that doesn't match the specified query is cleared from the hold every seven to 14 days. However, a query-based hold won't clear content if more than five holds of any type are applied to a content location, or if any item has indexing issues.
+ ## Query-based holds placed on sites Keep the following things in mind when you place a query-based eDiscovery hold on documents located in SharePoint sites:
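Review bot: In the added note, "cleared from the hold every seven to 14 days" mixes a spelled-out number with a numeral and does not say whether this is a recurring cleanup cycle or a one-time delay after the hold is created; use "7 to 14 days" and state which is meant. The last sentence should also say what happens in the exception case (more than five holds on a location, or an item with indexing issues), that is, whether all content in that location then stays on hold, because that determines what is actually preserved.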
compliance Disposition https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/disposition.md
As you can see from the example shown, the actions supported are:
- **Approve disposal**: - When this action is selected for an interim stage of disposition review (you have configured multiple stages): The item moves to the next disposition stage.
- - When this action is selected for the final stage of disposition review, or there is only one stage of disposition: The item is marked as eligible for permanent deletion. The exact timing for that deletion depends on the workload. For more information, see [How retention settings work with content in place](retention.md#how-retention-settings-work-with-content-in-place).
+ - When this action is selected for the final stage of disposition review, or there is only one stage of disposition: The item is marked as eligible for permanent deletion, which then happens within 7 days.
- **Relabel**: - When this action is selected, the item exits the disposition review process for the original label. The item is then subject to the retention settings of the newly selected retention label. - **Extend**:
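Review bot: The final-stage bullet now promises deletion "within 7 days", replacing text that said the exact timing depends on the workload and linked to retention.md#how-retention-settings-work-with-content-in-place. Confirm that the 7-day figure holds for every workload covered by disposition review, and keep the cross-reference if any workload differs; also write the number the same way as the rest of the article.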
compliance Endpoint Dlp Using https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/endpoint-dlp-using.md
Restrict sensitive files that match your policies from being shared with unrestr
#### Unallowed browsers
-For Windows devices you add browsers, identified by their executable names, that will be blocked from accessing files that match the conditions of an enforced a DLP policy where the upload to cloud services restriction is set to block or block override. When these browsers are blocked from accessing a file, the end users will see a toast notification asking them to open the file through Microsoft Edge.
+For Windows devices you add browsers, identified by their executable names, that will be blocked from accessing files that match the conditions of an enforced a DLP policy where the upload to cloud services restriction is set to block or block override. When these browsers are blocked from accessing a file, the end users will see a toast notification asking them to open the file through Microsoft Edge or display a customized message if one has been configured.
For macOS devices, you must add the full file path. To find the full path of Mac apps:
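Review bot: The rewritten sentence carries over the typo "an enforced a DLP policy" from the removed line, and the new ending does not parse: "the end users will see a toast notification asking them to open the file through Microsoft Edge or display a customized message" has users displaying the message. Suggest "conditions of an enforced DLP policy" and "...will see a toast notification asking them to open the file through Microsoft Edge, or a customized message if one has been configured."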
There are three procedures.
#### Test Auto-quarantine on the Windows 10 device
-1. Login to the Windows 10 computer with the user account you specified in [Configure a policy to block OneDrive synchronization of files with the sensitivity label Highly Confidential](#configure-a-policy-to-block-onedrive-synchronization-of-files-with-the-sensitivity-label-highly-confidential) step 5.
+1. Log in to the Windows 10 computer with the user account you specified in [Configure a policy to block OneDrive synchronization of files with the sensitivity label Highly Confidential](#configure-a-policy-to-block-onedrive-synchronization-of-files-with-the-sensitivity-label-highly-confidential) step 5.
2. Create a folder whose contents will not be synchronized to OneDrive. For example:
compliance Managing Holds https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/managing-holds.md
To create a non-custodial hold for an Advanced eDiscovery case:
12. Review your settings, and then click **Create this hold**.
+> [!NOTE]
+> When you create a query-based hold, all content from selected locations is initially placed on hold. Subsequently, any content that doesn't match the specified query is cleared from the hold every seven to 14 days. However, a query-based hold won't clear content if more than five holds of any type are applied to a content location, or if any item has indexing issues.
+ > [!NOTE] > If the SMTP address of the user changes after you place the user's mailbox on hold, the mailbox will remain on hold. To use the new SMTP address to place hold, create a new hold.
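Review bot: This note is word for word the one added to create-ediscovery-holds.md in the same update, so the two copies can drift the next time the clearing interval or the five-hold threshold changes; a shared include would keep them in step. Here it also lands directly above an existing [!NOTE] about SMTP address changes, giving two consecutive note blocks after step 12; consider merging them or making the query-based one a separate paragraph.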
compliance Retention Limits https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/retention-limits.md
A maximum of 1,000 retention labels are supported per tenant.
A single tenant can have a maximum of 10,000 policies (any configuration). This maximum number includes the different policies for retention, and other policies for compliance such as policies for DLP, information barriers, eDiscovery holds, Litigation holds, In-Place Holds, and sensitivity labels. However, this maximum excludes: -- Label policies for SharePoint and OneDrive that delete-only, rather than retain-only or retain and then delete. The exception is auto-apply label policies for cloud attachments, which are always included in the 10,000 maximum.
+- Auto-labeling policies for SharePoint and OneDrive, unless they are for cloud attachments.
+- Published label policies for SharePoint and OneDrive that delete-only, rather than retain-only, or retain and then delete.
- Exchange retention policies from [messaging records management (MRM)](/exchange/security-and-compliance/messaging-records-management/messaging-records-management). Within this 10,000 policies limit, there are also some limits on the maximum number of policies for retention per workload:
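Review bot: The first added bullet switches from the removed line's "auto-apply label policies" to "Auto-labeling policies", while the sentence above it lists sensitivity labels among the policies that do count toward the 10,000 maximum, so a reader cannot tell whether the exclusion covers retention auto-apply policies, sensitivity auto-labeling policies, or both. Keep the original term or qualify it. In the second bullet, the new comma after "retain-only" detaches "or retain and then delete" from "rather than"; drop it.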
compliance Search The Audit Log In Security And Compliance https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/search-the-audit-log-in-security-and-compliance.md
Here's the process for searching the audit log in Microsoft 365.
4. Click **Search** to run the search using your search criteria.
- The search results are loaded, and after a few moments they are displayed on a new page. When the search is finished, the number of results found is displayed. A maximum of 50,000 events will be displayed in increments of 150 events.
+ The search results are loaded, and after a few moments they are displayed on a new page. When the search is finished, the number of results found is displayed. A maximum of 50,000 events will be displayed in increments of 150 events. If more than 50,000 events meet the search criteria, only the 50,000 unsorted events returned will be displayed.
![The number of results are displayed after the search is finished.](../media/986216f1-ca2f-4747-9480-e232b5bf094c.png)
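Review bot: The added sentence "only the 50,000 unsorted events returned will be displayed" does not tell an investigator which 50,000 events they get (most recent, oldest, or arbitrary), which matters when the audit log is used as evidence. State the selection behavior and add the practical consequence: narrow the date range or filters until the result count is below the cap so that no matching events are dropped.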
compliance Use Content Search For Targeted Collections https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/use-content-search-for-targeted-collections.md
To display a list of mailbox folders or site documentlink (path) names:
### Script output for mailbox folders
-If you're getting mailbox folder IDs, the script connects to Exchange Online PowerShell, runs the **Get-MailboxFolderStatisics** cmdlet, and then displays the list of the folders from the specified mailbox. For every folder in the mailbox, the script displays the name of the folder in the **FolderPath** column and the folder ID in the **FolderQuery** column. Additionally, the script adds the prefix of **folderId** (which is the name of the mailbox property) to the folder ID. Because the **folderid** property is a searchable property, you'll use `folderid:<folderid>` in a search query in Step 2 to search that folder. The script displays a maximum of 100 mailbox folders.
+If you're getting mailbox folder IDs, the script connects to Exchange Online PowerShell, runs the **Get-MailboxFolderStatisics** cmdlet, and then displays the list of the folders from the specified mailbox. For every folder in the mailbox, the script displays the name of the folder in the **FolderPath** column and the folder ID in the **FolderQuery** column. Additionally, the script adds the prefix of **folderId** (which is the name of the mailbox property) to the folder ID. Because the **folderid** property is a searchable property, you'll use `folderid:<folderid>` in a search query in Step 2 to search that folder.
> [!IMPORTANT] > The script in this article includes encoding logic that converts the 64-character folder Id values that are returned by **Get-MailboxFolderStatistics** to the same 48-character format that is indexed for search. If you just run the **Get-MailboxFolderStatistics** cmdlet in PowerShell to obtain a folder Id (instead of running the script in this article), a search query that uses that folder Id value will fail. You have to run the script to get the correctly-formatted folder Ids that can be used in a Content Search.
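Review bot: The rewritten paragraph still spells the cmdlet "Get-MailboxFolderStatisics", while the [!IMPORTANT] block just below spells it "Get-MailboxFolderStatistics"; fix it here since readers copy cmdlet names from the text. The change also removes the sentence about the script showing a maximum of 100 mailbox folders without saying whether the limit is gone or just undocumented; if the script still truncates its output, keep the sentence.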
The example in Step 2 shows the query used to search the Purges subfolder in the
### Script output for site folders
-If you're getting the path of the **documentlink** property from SharePoint or OneDrive for Business sites, the script connects to Security & Compliance PowerShell, creates a new Content Search that searches the site for folders, and then displays a list of the folders located in the specified site. The script displays the name of each folder and adds the prefix of **documentlink** to the folder URL. Because the **documentlink** property is a searchable property, you'll use `documentlink:<path>` property:value pair in a search query in Step 2 to search that folder. The script displays a maximum of 200 site folders. If there are more than 200 site folders, the newest ones are displayed.
+If you're getting the path of the **documentlink** property from SharePoint or OneDrive for Business sites, the script connects to Security & Compliance PowerShell, creates a new Content Search that searches the site for folders, and then displays a list of the folders located in the specified site. The script displays the name of each folder and adds the prefix of **documentlink** to the folder URL. Because the **documentlink** property is a searchable property, you'll use `documentlink:<path>` property:value pair in a search query in Step 2 to search that folder. The script displays a maximum of 100 site folders. If there are more than 100 site folders, the newest ones are displayed.
Here's an example of the output returned by the script for site folders.
contentunderstanding Accessibility Mode https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/contentunderstanding/accessibility-mode.md
Title: SharePoint Syntex accessibility mode
+ Title: Accessibility mode in SharePoint Syntex
ms.prod: microsoft-365-enterprise search.appverid: ms.localizationpriority: medium
-description: Learn how to use accessibility mode when training a model in SharePoint Syntex.
+description: Learn how to use accessibility features mode when training and working with models in SharePoint Syntex.
-# SharePoint Syntex accessibility mode
+# Accessibility mode in SharePoint Syntex
In [SharePoint Syntex](index.md), users can turn on accessibility mode in all stages of model training (label, train, test) when working with example documents. Using accessibility mode can help low-sight users to have easier keyboard accessibility as they navigate and label items in the document viewer.
contentunderstanding Adoption Scenarios https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/contentunderstanding/adoption-scenarios.md
search.appverid: ms.localizationpriority: medium
-description: Find scenarios about how to use SharePoint Syntex in your organization.
+description: Find business scenarios about how to use SharePoint Syntex in your organization.
# Scenarios and use cases for Microsoft SharePoint Syntex
contentunderstanding Difference Between Document Understanding And Form Processing Model https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/contentunderstanding/difference-between-document-understanding-and-form-processing-model.md
Title: Difference between document understanding and form processing models
+ Title: Differences between document understanding and form processing models
- enabler-strategic - m365initiative-syntex ms.localizationpriority: medium
-description: Learn about key difference between a document understanding model and a form processing model.
+description: Learn about key differences between a document understanding model and a form processing model.
-# Difference between document understanding and form processing models
+# Differences between document understanding and form processing models
Content understanding in Microsoft SharePoint Syntex allows you to identify and classify documents that are uploaded to SharePoint document libraries, and extract relevant information from each file. For example, as files are uploaded to a SharePoint document library, all files that are identified as *Purchase Orders* are classified as such, and then displayed in a custom document library view. Additionally, you can pull specific information from each file (for example, *PO Number* and *Total*) and display it as a column in your document library view.
contentunderstanding Duplicate A Model https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/contentunderstanding/duplicate-a-model.md
- enabler-strategic - m365initiative-syntex ms.localizationpriority: medium
-description: Learn how and why to duplicate a model in Microsoft SharePoint Syntex.
+description: Learn how and why to duplicate a document understanding model in Microsoft SharePoint Syntex.
# Duplicate a model in Microsoft SharePoint Syntex
lti Onedrive Lti Blackboard https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lti/onedrive-lti-blackboard.md
+
+ Title: Integrate Microsoft OneDrive LTI with Blackboard
++++
+audience: admin
++
+f1.keywords:
+- CSH
+
+ms.localizationpriority: medium
+
+description: "Create and grade assignments, build and curate course content, and collaborate on files in real time with the new Microsoft OneDrive Learning Tools Interoperability for Blackboard."
++
+# Integrate Microsoft OneDrive LTI with Blackboard
+
+Integrating Microsoft OneDrive LTI with Blackboard is a two-step process. The first step makes the Microsoft OneDrive LTI available within Blackboard courses, and the second step turns on Microsoft OneDrive for Blackboard.
+
+> [!IMPORTANT]
+> The person who performs this integration should be an administrator of Blackboard and an administrator of the Microsoft 365 tenant.
+
+## Recommended browser settings
+
+- Cookies should be allowed for Microsoft OneDrive.
+- Popups shouldn't be blocked for Microsoft OneDrive.
+
+> [!NOTE]
+>
+> - Cookies aren't allowed by default in the Chrome browser incognito mode and will need to be allowed.
+> - Microsoft OneDrive LTI works in the private mode in Microsoft Edge browser. Ensure that you havenΓÇÖt blocked cookies (which are allowed by default).
+
+## Register the OneDrive LTI 1.3 tool in Blackboard
+
+1. From BlackboardΓÇÖs Administrator Panel, selectΓÇ»**LTI Tool Providers**.
+2. SelectΓÇ»**Register LTI 1.3 Tool**.
+3. In the Client ID field, type or copy and paste this ID: ``78cd1b1c-ccbd-4318-9f90-22241f63b1f5``
+
+ > [!NOTE]
+ > Adding this client ID will configure two different placements in Blackboard: one that allows access to the tool from the Content Market, Books and Tools, and the Rich text editor, and another which allows access to the tool from the Add Content menu in the course online for Ultra courses.
+
+4. Select **Submit**.
+5. Review all pre-populated settings in the **Tool Status** view, and make sure the **Tool Status** round button selected is **Approved**.
+6. InΓÇ»**Institution Policies**, select the **Role in course** and the **Name** checkboxes in the user fields to send. All other user fields are optional, but itΓÇÖs recommended to leave them on to future proof your OneDrive installation.
+7. **Allow grade service access** and **Allow membership service access** are also optional at this time but might be required for future updates to the LTI tool.
+8. Copy the **Deployment ID**. You will need it to configure the Microsoft LTI Tool.
+9. Select the **Submit** button to finish.
+
+## Configure the Microsoft LTI Tool to work with Blackboard
+
+1. Sign into the [Microsoft OneDrive LTI Registration Portal](https://onedrivelti.microsoft.com/admin).
+2. Select the **Admin Consent** button and accept the permissions.
+
+> [!CAUTION]
+> If this step isn't performed, the following step will give you an error, and you won't be able to take this step for an hour once you've gotten the error.
+
+3. Select the **Create new LTI Tenant** button.
+4. On the LTI Registration page, choose **Blackboard** from the LTI Consumer Platform dropdown, and then select the **Next** button.
+5. Paste the **Deployment Id** that you copied while registering the tool in Blackboard and select **Next**.
+6. Review and save your changes. A message will be displayed upon successful registration.
+7. Your registration details can also be reviewed by selecting the **View LTI Tenants** button on the home page.
+
+After you complete these steps, your instructors will be able to open documents from OneDrive when they use the ΓÇÿplusΓÇÖ menu in the Course Content page.
+
+## Recommended content
+
+[Microsoft Integrations for Blackboard](https://help.blackboard.com/Learn/Administrator/SaaS/Integrations/Microsoft)
+
+[Microsoft Teams Classes integration](https://help.blackboard.com/Learn/Administrator/SaaS/Integrations/Microsoft_Classes)
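Review bot: Step 6 of "Register the OneDrive LTI 1.3 tool in Blackboard" recommends leaving every optional user field enabled "to future proof your OneDrive installation", and step 7 describes grade and membership service access as optional but possibly required later; this steers admins toward sending more student data and granting more service access than the tool needs today. Say which fields and services are required now and let admins enable the rest when a feature calls for them. In the second procedure the [!CAUTION] block sits unindented between steps 2 and 3, which will restart list numbering, and "you won't be able to take this step for an hour" is ambiguous about which step is blocked; indent it under step 2 (as the [!NOTE] under step 3 of the first procedure is) and name the step. The file also contains mis-encoded characters ("havenΓÇÖt", "BlackboardΓÇÖs", "selectΓÇ»", "ΓÇÿplusΓÇÖ") and uses both "Deployment ID" and "Deployment Id".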
security Mdb Onboard Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-onboard-devices.md
audience: Admin Previously updated : 03/03/2022 Last updated : 03/09/2022 ms.prod: m365-security ms.technology: mdb localization_priority: Normal
The following table describes the most commonly used methods to onboard devices
| **Microsoft Intune** or **Microsoft Endpoint Manager**<br/>(*available to customers who are using Microsoft Intune or Endpoint Manager*) | [Microsoft Intune](/mem/intune/fundamentals/what-is-intune) and [Mobile Device Management](/mem/intune/enrollment/device-enrollment) are part of Endpoint Manager. Microsoft 365 Business Premium customers already have Microsoft Intune, and can use this option.<br/><br/>If you were already using Endpoint Manager before you got Defender for Business, you can opt to continue using Endpoint Manager to onboard and manage devices<br/><br/>To use this method, see [Microsoft Endpoint Manager](#microsoft-endpoint-manager). | Windows <br/>macOS<br/>iOS<br/>Android OS | | **Microsoft Defender for Business security configuration** <br/>(*uses the Microsoft 365 Defender portal*) | To use this option, you configure certain settings to facilitate communication between Defender for Business and Endpoint Manager. Then, you onboard devices in the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) by using a package that you download and run on each device. A trust is established between devices and Azure Active Directory (Azure AD), and Defender for Business security policies are pushed to devices.<br/><br/>To learn more, see [Microsoft Defender for Business security configuration](#microsoft-defender-for-business-security-configuration). | Windows <br/>macOS | -- > [!IMPORTANT] > If something goes wrong and your onboarding process fails, see [Microsoft Defender for Business troubleshooting](mdb-troubleshooting.yml).
To learn more about automatic onboarding, see step 2 in [Use the wizard to set u
## Local script in Defender for Business
-You can use a local script to onboard Windows and Mac devices. When you run the onboarding script on a device, it creates a trust with Azure Active Directory, enrolls the device in Microsoft Endpoint Manager, and onboards the device to Defender for Business. This method is useful for onboarding devices in Defender for Business. You can onboard up to 10 devices at a time.
+You can use a local script to onboard Windows and Mac devices. When you run the onboarding script on a device, it creates a trust with Azure Active Directory (if that trust doesn't already exist), enrolls the device in Microsoft Endpoint Manager (if it isn't already enrolled), and then onboards the device to Defender for Business. This method is useful for onboarding devices in Defender for Business. You can onboard up to 10 devices at a time.
1. Go to the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), and sign in.
See [Device enrollment in Microsoft Intune](/mem/intune/enrollment/device-enroll
Microsoft Defender for Business security configuration was built on a capability known as [Security Management for Microsoft Defender for Endpoint (preview)](/mem/intune/protect/mde-security-integration). It enables you to onboard devices to Defender for Business in the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) without requiring those devices to be fully enrolled in Microsoft Endpoint Manager beforehand.
-This method enables you to onboard devices and manage your antivirus and firewall policies in the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)). Here's how it works:
+This method enables you to onboard devices and manage your antivirus and firewall policies in the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)). Here's how it all works:
1. You download an onboarding package from the Microsoft 365 Defender portal, and then run the package on your devices to onboard those devices to Defender for Business.
security Mdb Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-overview.md
audience: Admin Previously updated : 03/01/2022 Last updated : 03/09/2022 ms.prod: m365-security ms.technology: mdb localization_priority: Normal
Microsoft Defender for Business is a new endpoint security solution that was designed especially for the small and medium-sized business (up to 300 employees). With this endpoint security solution, your organization's devices are better protected from ransomware, malware, phishing, and other threats.
-Watch the following video to learn more about Defender for Business:
+Watch the following video to learn more about Defender for Business: <br/><br/>
-[:::image type="content" source="mediB-MicrosoftMechanics)
+> [!VIDEO https://www.youtube.com/embed/umhUNzMqZto]
This article describes what's included in Defender for Business, with links to learn more about these features and capabilities.
security Mdb Use Wizard https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-use-wizard.md
The wizard is designed to help you set up and configure Defender for Business qu
2. **Onboard and configure Windows devices**. In this step, you can onboard your organization's Windows devices to Defender for Business quickly. Onboarding devices right away helps to protect those devices from day one. See [Onboard devices to Microsoft Defender for Business](mdb-onboard-devices.md) for more details.
- - If you're already using Microsoft Intune (part of Microsoft Endpoint Manager), and your organization has devices enrolled in Endpoint Manager, you'll be asked whether you want to use automatic onboarding for some or all of your enrolled Windows devices. Automatic onboarding sets up a connection between Endpoint Manager and Defender for Business, and then onboards Windows devices to Defender for Business seamlessly.
+ - If you're already using Microsoft Intune (part of Microsoft Endpoint Manager), and your organization has devices enrolled in Endpoint Manager, you'll be asked whether you want to use [automatic onboarding](mdb-onboard-devices.md#automatic-onboarding-for-windows-devices-enrolled-in-microsoft-endpoint-manager) for some or all of your enrolled Windows devices. Automatic onboarding sets up a connection between Endpoint Manager and Defender for Business, and then onboards Windows devices to Defender for Business seamlessly.
- If you're not already using Endpoint Manager, or if you have non-Windows devices enrolled in Endpoint Manager, you can onboard devices to Defender for Business manually.
security Device Control Removable Storage Access Control https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/device-control-removable-storage-access-control.md
ms.technology: mde Previously updated : 02/07/2022 Last updated : 03/09/2022 # Microsoft Defender for Endpoint Device Control Removable Storage Access Control
Microsoft Defender for Endpoint Device Control Removable Storage Access Control
- auditing, allowing or preventing the read, write or execute access to removable storage with or without exclusion
-<br/><br/>
- |Privilege|Permission| ||| |Access|Read, Write, Execute|
Microsoft Defender for Endpoint Device Control Removable Storage Access Control
|User-based Support|Yes| |Machine-based Support|Yes|
-<br/><br/>
- |Capability|Description|Deploy through Intune|Deploy through Group Policy| ||||| |Removable Media Group Creation|Allows you to create reusable removable media group|Step 1 and step 3 in the section, [Deploying policy via OMA-URI](#deploying-policy-via-oma-uri) | Step 1 in the section, [Deploying policy via Group Policy](#deploying-policy-via-group-policy)|
Deploy Removable Storage Access Control on Windows 10 and Windows 11 devices tha
- **4.18.2111 or later**: Add 'Enable or Disable Removable Storage Access Control', 'Default Enforcement', client machine policy update time through PowerShell, file information
+- **4.18.2201 or later**: Support a copy of file written to allowed storage through OMA-URI
+ :::image type="content" source="images/powershell.png" alt-text="The PowerShell interface."::: > [!NOTE]
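Review bot: The new version bullet "Support a copy of file written to allowed storage through OMA-URI" is hard to read and does not follow the wording of the 4.18.2111 bullet above it. If it means that the client can keep a copy of each file written to allowed removable storage and that the setting is deployed through OMA-URI, say so, and point to the section that describes the setting.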
You can use the following properties to create a removable storage group:
### Removable Storage Group
-<br/><br/>
- |Property Name|Description|Options| |||| |**GroupId**|GUID, a unique ID, represents the group and will be used in the policy.||
-|**DescriptorIdList**|List the device properties you want to use to cover in the group. For each device property, see [Device Properties](device-control-removable-storage-protection.md) for more detail. All properties are case sensitive. |**PrimaryId**: `RemovableMediaDevices`, `CdRomDevices`, `WpdDevices`<p>**BusId**: For example, USB, SCSI<p>**DeviceId**<p>**HardwareId**<p>**InstancePathId**: InstancePathId is a string that uniquely identifies the device in the system, for example, `USBSTOR\DISK&VEN_GENERIC&PROD_FLASH_DISK&REV_8.07\8735B611&0`. The number at the end (for example &0) represents the available slot and may change from device to device. For best results, use a wildcard at the end. For example, `USBSTOR\DISK&VEN_GENERIC&PROD_FLASH_DISK&REV_8.07\8735B611*`.<p>**FriendlyNameId**<p>**SerialNumberId**<p>**VID**<p>**PID**<p>**VID_PID**<p>0751_55E0: match this exact VID/PID pair<p>55E0: match any media with PID=55E0 <p>0751: match any media with VID=0751|
+|**DescriptorIdList**|List the device properties you want to use to cover in the group. For each device property, see [Device Properties](device-control-removable-storage-protection.md) for more detail. All properties are case sensitive. |**PrimaryId**: `RemovableMediaDevices`, `CdRomDevices`, `WpdDevices`<p>**BusId**: For example, USB, SCSI<p>**DeviceId**<p>**HardwareId**<p>**InstancePathId**: InstancePathId is a string that uniquely identifies the device in the system, for example, `USBSTOR\DISK&VEN_GENERIC&PROD_FLASH_DISK&REV_8.07\8735B611&0`. The number at the end (for example &0) represents the available slot and may change from device to device. For best results, use a wildcard at the end. For example, `USBSTOR\DISK&VEN_GENERIC&PROD_FLASH_DISK&REV_8.07\8735B611*`.<p>**FriendlyNameId**<p>**SerialNumberId**<p>**VID**<p>**PID**<p>**VID_PID**<p>`0751_55E0`: match this exact VID/PID pair<p>`_55E0`: match any media with PID=55E0 <p>`0751_`: match any media with VID=0751|
|**MatchType**|When there are multiple device properties being used in the `DescriptorIDList`, MatchType defines the relationship.|**MatchAll**: Any attributes under the `DescriptorIdList` will be **And** relationship; for example, if administrator puts `DeviceID` and `InstancePathID`, for every connected USB, system will check to see whether the USB meets both values. <p> **MatchAny**: The attributes under the DescriptorIdList will be **Or** relationship; for example, if administrator puts `DeviceID` and `InstancePathID`, for every connected USB, system will do the enforcement as long as the USB has either an identical **DeviceID** or **InstanceID** value. | ### Access Control Policy
-<br/><br/>
- | Property Name | Description | Options | |||| | **PolicyRuleId** | GUID, a unique ID, represents the policy and will be used in the reporting and troubleshooting. | |
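Review bot: The new **DescriptorIdList** row keeps the statement that all properties are case sensitive, yet the unchanged **MatchType** row right below it spells the same names as `DescriptorIDList`, `DeviceID` and `InstancePathID`, and ends with "InstanceID" where `InstancePathId` is meant. Align the casing and the name with the `DescriptorIdList` row so that a reader who copies from the table gets a value that matches. The three VID_PID examples would also benefit from one sentence saying that an empty side of the underscore (`_55E0`, `0751_`) means "any VID" or "any PID", since the underscore placement is all that distinguishes the three forms.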
Before you get started with Removable Storage Access Control, you must confirm y
If you want to restrict a specific user, then use SID property into the Entry. If there is no SID in the policy Entry, the Entry will be applied to everyone login instance for the machine.
- If you want to monitor file information for Write access, use the right AccessMask with the right Option (8 or 16); here is the example of [Capture file information](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/Group%20Policy/Audit%20File%20Information.xml).
+ If you want to monitor file information for Write access, use the right AccessMask with the right Option (16); here is the example of [Capture file information](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/Group%20Policy/Audit%20File%20Information.xml).
The following image illustrates the usage of SID property, and an example of [Scenario 1: Prevent Write and Execute access to all but allow specific approved USBs](#scenario-1-prevent-write-and-execute-access-to-all-but-allow-specific-approved-usbs).
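Review bot: In the changed sentence, "use the right AccessMask with the right Option (16)" still does not say which AccessMask value is the right one for Write access, and with "8 or" dropped there is no longer a choice of Option to get right. Name both values outright, or point at the table that defines them, so the sentence can be followed without opening the linked sample.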
Before you get started with Removable Storage Access Control, you must confirm y
4. Default enforcement: allows you to set default access (Deny or Allow) to removable media if there is no policy. For example, you only have policy (either Deny or Allow) for RemovableMediaDevices, but do not have any policy for CdRomDevices or WpdDevices, and you set default Deny through this policy, Read/Write/Execute access to CdRomDevices or WpdDevices will be blocked. - Once you deploy this setting, you will see **Default Allow** or **Default Deny**.
+ - Consider both Disk level and File system level AccessMask when configuring this setting, for example, if you want to Default Deny but allow specific storage, you have to allow both Disk level and File system level access, you have to set AccessMask to 63.
:::image type="content" source="images/148609579-a7df650b-7792-4085-b552-500b28a35885.png" alt-text="Default Allow or Default Deny PowerShell code":::
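Review bot: The added bullet gives AccessMask 63 as the value to use but does not say which Disk level and File system level access bits add up to it, so a reader who wants to allow less than everything has nothing to work from. List the bits or link to the AccessMask definition, and split the run-on ("..., you have to allow ..., you have to set ...") into two sentences.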
Before you get started with Removable Storage Access Control, you must confirm y
:::image type="content" source="images/148608318-5cda043d-b996-4146-9642-14fccabcb017.png" alt-text="Device Control settings":::
- - Once you deploy this setting, you will see ΓÇÿEnabledΓÇÖ or ΓÇÿDisabledΓÇÖ - Disabled means this machine does not have Removable Storage Access Control policy running.
+ - Once you deploy this setting, you will see **Enabled** or **Disabled**. Disabled means this machine does not have Removable Storage Access Control policy running.
:::image type="content" source="images/148609685-4c05f002-5cbe-4aab-9245-83e730c5449e.png" alt-text="Enabled or Disabled device control in PowerShell code"::: 6. Set location for a copy of the file: if you want to have a copy of the file when Write access happens, you have to set the location where system can save the copy.
- You have to deploy this together with the right AccessMask and Option - see step 2 above.
+ Deploy this together with the right AccessMask and Option - see step 2 above.
:::image type="content" source="../../media/define-device-control-policy-rules.png" alt-text="Group Policy - Set locaiton for file evidence":::
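Review bot: "see step 2 above" in the rewritten line is a positional reference that breaks as soon as the list is renumbered, and "the right AccessMask and Option" again names no values; link to the step by anchor and state the values. While this step is being edited, the image alt text below it reads "Set locaiton for file evidence" and should be "location".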
Microsoft Endpoint Manager admin center (<https://endpoint.microsoft.com/>) \> *
- Data Type: String (XML file)
- If you want to monitor file information for Write access, use the right AccessMask with the right Option (8 or 16); here is the example of [Capture file information](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/Intune%20OMA-URI/Audit%20File%20Information.xml).
+ If you want to monitor file information for Write access, use the right AccessMask with the right Option (16); here is the example of [Capture file information](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/Intune%20OMA-URI/Audit%20File%20Information.xml).
3. Default enforcement: allows you to set default access (Deny or Allow) to removable media if there is no policy. For example, you only have policy (either Deny or Allow) for RemovableMediaDevices, but do not have any policy for CdRomDevices or WpdDevices, and you set default Deny through this policy, Read/Write/Execute access to CdRomDevices or WpdDevices will be blocked.
Microsoft Endpoint Manager admin center (<https://endpoint.microsoft.com/>) \> *
`DefaultEnforcementDeny = 2` - Once you deploy this setting, you will see **Default Allow** or **Default Deny**
+ - Consider both Disk level and File system level AccessMask when configure this setting, for example, if you want to Default Deny but allow specific storage, you have to allow both Disk level and Fiel system level access, you have to set AccessMask to 63.
:::image type="content" source="images/148609590-c67cfab8-8e2c-49f8-be2b-96444e9dfc2c.png" alt-text="Default Enforcement Allow PowerShell code":::
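Review bot: The added bullet has two typos, "when configure this setting" and "Fiel system level"; it should read "when configuring this setting" and "File system level". AccessMask 63 is also stated without saying which Disk level and File system level bits it combines.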
Microsoft Endpoint Manager admin center (<https://endpoint.microsoft.com/>) \> *
5. Set the location for a copy of the file: if you want to have a copy of the file when Write access happens, you have to set the location where the system can save the copy.
- - OMA-URI: `./Vendor/MSFT/Defender/Configuration/DataDuplicationRemoteLocation`
+ - OMA-URI: `./Vendor/MSFT/Defender/Configuration/DataDuplicationRemoteLocation;**username**;**password**`
- Data Type: String
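Review bot: The new OMA-URI line appends `;**username**;**password**` inside the code span, where the asterisks will not render as bold and will be copied literally; use a placeholder form such as `<username>` and `<password>`. More importantly, the line now tells admins to put an account name and password into a device configuration string with no guidance next to it: say what account this is for, that it should have write access to the copy location and nothing else, and how the value is protected once it is deployed. It is also unclear from the bullet whether the credentials belong in the OMA-URI path or in the String value set for it.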
security Live Response https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/live-response.md
Before you can initiate a session on a device, make sure you fulfill the followi
> [!NOTE] > Only users with manage security or global admin roles can edit these settings.
+ >
+ > Automated Investigation must be enabled in the [Advanced features settings](advanced-features.md) prior to enabling live response.
- **Enable live response for servers from the advanced settings page** (recommended).
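Review bot: The Automated Investigation requirement is added as a second paragraph of the note about who can edit these settings, which is a different subject, so it is easy to miss. It is a prerequisite for enabling live response and reads better as its own item in the list of requirements, or as a separate callout placed before the "Enable live response" options.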
security Minimum Requirements https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/minimum-requirements.md
Access to Defender for Endpoint is done through a browser, supporting the follow
- Windows 11 Pro Education - Windows 10 Enterprise - [Windows 10 Enterprise LTSC 2016 (or later)](/windows/whats-new/ltsc/)
+- Windows 10 Enterprise IoT
+
+ >[!NOTE]
+ >While Windows 10 IoT Enterprise is a supported OS in Microsoft Defender for Endpoint and enables OEMs/ODMs to distribute it as part of their product or solution, customers should follow the OEM/ODM's guidance around host-based installed software and supportability.
+ - Windows 10 Education - Windows 10 Pro - Windows 10 Pro Education
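Review bot: The added list item names the edition "Windows 10 Enterprise IoT" while the note added directly under it calls it "Windows 10 IoT Enterprise"; use one name in both places. The note and the blank line after it are also inserted in the middle of the OS list, so check that the items that follow (Windows 10 Education, Pro, Pro Education) still render as part of the same list.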
security Top Scoring Industry Tests https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/top-scoring-industry-tests.md
Microsoft 365 Defender combines the capabilities of [Microsoft Defender for Endp
Core to MITRE's testing approach is emulating real-world attacks to understand whether solutions can adequately detect and respond to them. While the test focused on endpoint detection and response, MITRE's simulated APT29 attack spans multiple attack domains, creating opportunities to empower defenders beyond just endpoint protection. Microsoft expanded visibility beyond the endpoint with Microsoft 365 Defender. -- ATT&CK-based evaluation of Microsoft 365 Defender - May 2020: [Leading in real-world detection](https://www.microsoft.com/security/blog/2020/05/01/microsoft-threat-protection-leads-real-world-detection-mitre-attck-evaluation/)
+- ATT&CK-based evaluation of Microsoft 365 Defender - April 2021: [Evaluation proves Microsoft Defender for Endpoint stops advanced attacks across platforms](https://www.microsoft.com/security/blog/2021/04/21/)
Microsoft 365 Defender provided nearly 100 percent coverage across the attack chain stages. It delivered leading out-of-box visibility into attacker activities. The visibility dramatically reduces manual work for the security operations center and vendor solutions that relied on specific configuration changes. Microsoft 365 Defender also had the fewest gaps in visibility, diminishing attacker ability to operate undetected.
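Review bot: The replacement link stops at the date, `https://www.microsoft.com/security/blog/2021/04/21/`, with no post slug, so it does not identify the article named in the link text. The paragraphs around it were not updated either: they still describe MITRE's simulated APT29 attack and Microsoft 365 Defender, while the new entry is dated April 2021 and its title is about Microsoft Defender for Endpoint. Either keep the May 2020 entry alongside the new one or revise the surrounding text to match the evaluation being cited.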
Microsoft Defender Antivirus is the [next generation protection](https://www.you
The AV-TEST Product Review and Certification Report tests on three categories: protection, performance, and usability. The following scores are for the Protection category that has two scores: Real-World Testing and the AV-TEST reference set (known as "Prevalent Malware"). -- November - December 2020 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/december-2020/microsoft-defender-antivirus-4.18-205017/) <sup>**Latest**</sup>
+- November - December 2021 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/december-2021/microsoft-defender-antivirus-4.18-212622/) <sup>**Latest**</sup>
- Microsoft Defender Antivirus achieved a perfect Protection score of 6.0/6.0, with 100% in November and December. 11,382 malware samples were used.
+ Microsoft Defender Antivirus achieved a perfect Protection score of 6.0/6.0, with 100% in November and December. 18,870 malware samples were used.
-- September - October 2020 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/october-2020/microsoft-defender-antivirus-4.18-204116/)
+- September - October 2021 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/october-2021/microsoft-defender-antivirus-4.18-212518/)
-- July - August 2020 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/august-2020/microsoft-defender-antivirus-4.18-203215/)
+- July - August 2021 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/august-2021/microsoft-defender-antivirus-4.18-212419/)
-- May - June 2020 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/june-2020/microsoft-windows-defender-antivirus-4.18-202513/)
+- May - June 2021 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/june-2021/microsoft-defender-antivirus-4.18-212318/)
-- March - April 2020 AV-TEST Business User test: [Protection score 5.5/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/february-2020/microsoft-windows-defender-antivirus-4.18-200614/)
+- March - April 2021 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/april-2021/microsoft-defender-antivirus-4.18-212216/)
-- January - February 2020 AV-TEST Business User test: [Protection score 5.5/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/february-2020/microsoft-windows-defender-antivirus-4.18-200614/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4CflZ)
+- January - February 2021 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/february-2021/microsoft-defender-antivirus-4.18-212117/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4CflZ)
### AV-Comparatives: Protection rating of 99.8% in the latest test Business Security Test consists of three main parts: the Real-World Protection Test that mimics online malware attacks, the Malware Protection Test where the malware enters the system from outside the internet (for example by USB), and the Performance Test that looks at the impact on the system's performance. -- Business Security Test 2020 (August - November): [Real-World Protection Rate 99.8%](https://www.av-comparatives.org/tests/business-security-test-2020-august-november/) <sup>**Latest**</sup>
+- Business Security Test 2021 (August - November): [Real-World Protection Rate 99.8%](https://www.av-comparatives.org/tests/business-security-test-2021-august-november/) <sup>**Latest**</sup>
Microsoft Defender Antivirus has scored consistently high in Real-World Protection Rates over the past year, with 99.8% in the latest test. -- Business Security Test 2020 (March - June): [Real-World Protection Rate 99.7%](https://www.av-comparatives.org/tests/business-security-test-2020-march-june/)
+- Business Security Test 2021 (March - June): [Real-World Protection Rate 99.7%](https://www.av-comparatives.org/tests/business-security-test-2021-march-june/)
-- Business Security Test 2019 (August - November): [Real-World Protection Rate 99.6%](https://www.av-comparatives.org/tests/business-security-test-2019-august-november/)
+- Business Security Test 2020 (August - November): [Real-World Protection Rate 99.8%](https://www.av-comparatives.org/tests/business-security-test-2020-august-november/)
-- Business Security Test 2019 (March - June): [Real-World Protection Rate 99.9%](https://www.av-comparatives.org/tests/business-security-test-2019-march-june/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE3Esbl)
+- Business Security Test 2020 (March - June): [Real-World Protection Rate 99.7%](https://www.av-comparatives.org/tests/business-security-test-2020-march-june/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE3Esbl)
### SE Labs: AAA award in the latest test
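Review bot: Both "Analysis" links are carried over unchanged while the entries they are attached to moved forward a year: `RE4CflZ` now sits on the January - February 2021 AV-TEST entry and `RE3Esbl` on the Business Security Test 2020 (March - June) entry. Confirm that those documents cover the new test periods, or drop the links from the updated entries.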
Microsoft Defender for Endpoint [endpoint detection and response](/windows/secur
Microsoft Defender for Endpoint's EDR and endpoint protection capabilities have received positive results from industry tests and publications. [SC Labs assessed endpoint security tools](https://www.scmagazine.com/home/reviews/sc-product-reviews-endpoint-security/) in June 2020, and gave Microsoft Defender for Endpoint [5/5 stars](https://www.scmagazine.com/review/microsoft-defender-advanced-threat-protection/). They called out Microsoft Defender for Endpoint's ability to protect organizations against the modern threat landscape using a full set of security capabilities. SC Labs also identified the endpoint security solution as holistic and unified. They also acknowledged the convergence of endpoint protection with endpoint detection and response functionality, because the attack chain now gets fully covered by solutions.
-### MITRE: Industry-leading optics and detection capabilities
-
-MITRE tested the ability of products to detect techniques commonly used by the targeted attack group APT3 (also known as Boron or UPS). To isolate detection capabilities, all protection and prevention features were turned off. Microsoft is happy to be one of the first EDR vendors to sign up for the MITRE evaluation based on the ATT&CK framework. The framework is widely regarded today as the most comprehensive catalog of attacker techniques and tactics.
--- ATT&CK-based evaluation of Microsoft Defender for Endpoint - December 2018: [Leading optics and detection capabilities](https://www.microsoft.com/security/blog/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/) | [Analysis](https://techcommunity.microsoft.com/t5/Windows-Defender-ATP/MITRE-evaluation-highlights-industry-leading-EDR-capabilities-in/ba-p/369831)-
- Microsoft Defender for Endpoint delivered comprehensive coverage of attacker techniques across the entire attack chain. Highlights included the breadth of telemetry, the strength of threat intelligence, and the advanced, automatic detection through machine learning, heuristics, and behavior monitoring.
- ## To what extent are tests representative of protection in the real world? Independent security industry tests aim to evaluate the best antivirus and security products in an unbiased manner. However, Microsoft sees a wider and broader set of threats beyond what's tested in the evaluations highlighted in this article. In an average month, Microsoft's security products identify over 100 million new threats. Even if an independent tester can acquire and test 1% of those threats, that is a million tests across 20 or 30 products. In other words, the vastness of the malware landscape makes it difficult to evaluate the quality of protection against real world threats.
security Anti Malware Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/anti-malware-protection.md
EOP offers multi-layered malware protection that's designed to catch all known m
- **Real-time threat response**: During some outbreaks, the anti-malware team may have enough information about a virus or other form of malware to write sophisticated policy rules that detect the threat, even before a definition is available from any of the scan engines used by the service. These rules are published to the global network every 2 hours to provide your organization with an extra layer of protection against attacks. - **Fast anti-malware definition deployment**: The anti-malware team maintains close relationships with partners who develop anti-malware engines. As a result, the service can receive and integrate malware definitions and patches before they're publicly released. Our connection with these partners often allows us to develop our own remedies as well. The service checks for updated definitions for all anti-malware engines every hour.
-In EOP, messages that are found to contain malware in *any* attachments are quarantined. Whether the recipients can view or otherwise interact with the quarantined messages is controlled by _quarantine policies_. By default, messages that were quarantined due to malware can only be viewed and released by admins. For more information, see the following topics:
+In EOP, messages that are found to contain malware in _any_ attachments are quarantined. Whether the recipients can view or otherwise interact with the quarantined messages is controlled by _quarantine policies_. By default, messages that were quarantined due to malware can only be viewed and released by admins. For more information, see the following topics:
- [Quarantine policies](quarantine-policies.md) - [Manage quarantined messages and files as an admin in EOP](manage-quarantined-messages-and-files.md).
To submit malware to Microsoft, see [Report messages and files to Microsoft](rep
Anti-malware policies control the settings and notification options for malware detections. The important settings in anti-malware policies are: -- **Recipient notifications**: By default, a message recipient isn't told that a message intended for them was quarantined due to malware. But, you can enable recipient notifications in the form of delivering the original message with *all* attachments removed and replaced by a single file named **Malware Alert Text.txt** that contains the following text:
+- **Recipient notifications**: By default, a message recipient isn't told that a message intended for them was quarantined due to malware. But, you can enable recipient notifications in the form of delivering the original message with _all_ attachments removed and replaced by a single file named **Malware Alert Text.txt** that contains the following text:
> Malware was detected in one or more attachments included with this email message. <br> Action: All attachments have been removed. <br> \<Original malware attachment name\> \<Malware detection result\>
Anti-malware policies control the settings and notification options for malware
The common attachments filter uses best effort true-typing to detect the file type regardless of the file name extension. If true-typing fails or isn't supported for the specified file type, then simple extension matching is used. -- **Zero-hour auto purge (ZAP) for malware**: ZAP for malware quarantines messages that are found to contain malware *after* they've been delivered to Exchange Online mailboxes. By default, ZAP for malware is turned on, and we recommend that you leave it on.
+- **Zero-hour auto purge (ZAP) for malware**: ZAP for malware quarantines messages that are found to contain malware _after_ they've been delivered to Exchange Online mailboxes. By default, ZAP for malware is turned on, and we recommend that you leave it on.
- **Sender notifications**: By default, a message sender isn't told that their message was quarantined due to malware. But, you can enabled notification messages for senders based on whether the sender is internal or external. The default notification message looks like this:
Anti-malware policies control the settings and notification options for malware
You can also specify an additional recipient (an admin) to receive notifications for malware detected in messages from internal or external senders.
+ > [!NOTE]
+ > Admin notifications are sent only for _attachments_ that are classified as malware.
+ - **Recipient filters**: For custom anti-malware policies, you can specify recipient conditions and exceptions that determine who the policy applies to. You can use these properties for conditions and exceptions: - **The recipient is**
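Review bot: The added note stresses _attachments_ but does not say what the contrast is, so the reader cannot tell which malware detections produce no admin notification. State the excluded case in the note, and keep the note indented under the admin notification text so it is not read as part of **Recipient filters**, which follows it.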
security Attack Simulation Training Simulation Automations https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/attack-simulation-training-simulation-automations.md
On the **Landing page** page, you configure the web page that user are taken to
You need to configure the following additional settings on the **Landing page** page:
- - **Payload indicators**: This setting is not available if you previously selected **Malware attachment** or **Link to malware** on the [Select social engineering techniques](#select-one-or-more-social-engineering-techniques) page.
-
- Select **Add payload indicators to email** to help users learn how to identify phishing messages.
+ - **Payload indicators**: This setting is available to select only if both of the following conditions are true:
+ - You previously selected **Credential harvest**, **Link in attachment**, or **Drive-by URL** on the [Select social engineering techniques](#select-one-or-more-social-engineering-techniques) page.
+ - After you add the **Dynamic tag** named **Insert email content** into the page content.
- Page content: Two tabs are available: - **Text**: A rich text editor is available to create your landing page. In addition to the typical font and formatting settings, the following settings are available: - **Dynamic tag**: Select from the following tags:
- - **Username**
- - **Email sender name**
- - **Sender email address**
- - **Email subject**
- - **Email content**
+ - **Insert name**
+ - **Insert sender name**
+ - **Insert sender email**
+ - **Insert email subject**
+ - **Insert email content**
+ - **Insert date**
- **Use from default**: Select one of the 5 available landing page templates to start with. You can modify the text and layout in the editing area. To reset the landing page back to the default text and layout of the template, click **Reset to default**. - **Training link**: In the **Name training URL** dialog that appears, enter a link title for the training link, and then click **Confirm** to add the link to the landing page. - **Code**: You can view and modify the HTML code directly.
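Review bot: The list is introduced as "both of the following conditions are true", but the second item, "After you add the **Dynamic tag** named **Insert email content** into the page content", is a sentence fragment and not a condition; reword it as "You added the **Dynamic tag** named **Insert email content** to the page content". The ordering is also awkward, because the setting is described before the **Page content** editor where that tag is inserted, so say that the option becomes selectable only once the tag is in place. The removed sentence ("to help users learn how to identify phishing messages") was the only explanation of what payload indicators are for and is worth keeping.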
security Attack Simulation Training https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/attack-simulation-training.md
Microsoft-curated landing pages are available in 12 languages: Chinese (Simplifi
- **Add logo**: Click **Browse** to find and select a .png, .jpeg, or .gif file. To remove the logo, click **Remove**. - **Add payload indicators to email**: This setting is not available if you previously selected **Malware attachment** or **Link to malware** on the [Select technique](#select-a-social-engineering-technique) page.
- Select **Add payload indicators to email** to help users learn how to identify phishing messages.
- You can preview the results by clicking the **Open preview panel** button at the bottom of the page. - **Use a custom URL**: This setting is not available if you previously selected **Malware attachment** or **Link to malware** on the [Select technique](#select-a-social-engineering-technique) page.
Microsoft-curated landing pages are available in 12 languages: Chinese (Simplifi
If you select **Use a custom URL**, you need to add the URL in the **Enter the custom landing page URL** box that appears. No other options are available on the page. - **Create your own landing page**: This value has the following associated options to configure:
- - **Add payload indicators to email**: This setting is not available if you previously selected **Malware attachment** or **Link to malware** on the [Select technique](#select-a-social-engineering-technique) page.
-
- Select **Add payload indicators to email** to help users learn how to identify phishing messages.
+ - **Add payload indicators to email**: This setting is available to select only if both of the following conditions are true:
+ - You previously selected **Credential harvest**, **Link in attachment**, or **Drive-by URL** on the [Select technique](#select-a-social-engineering-technique) page.
+ - After you add the **Dynamic tag** named **Insert email content** into the page content.
- Page content: Two tabs are available: - **Text**: A rich text editor is available to create your landing page. In addition to the typical font and formatting settings, the following settings are available: - **Dynamic tag**: Select from the following tags:
- - **Username**
- - **Email sender name**
- - **Sender email address**
- - **Email subject**
- - **Email content**
+ - **Insert name**
+ - **Insert sender name**
+ - **Insert sender email**
+ - **Insert email subject**
+ - **Insert email content**
+ - **Insert date**
- **Use from default**: Select an available template to start with. You can modify the text and layout in the editing area. To reset the landing page back to the default text and layout of the template, click **Reset to default**. - **Code**: You can view and modify the HTML code directly.
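Review bot: Only the **Create your own landing page** copy of **Add payload indicators to email** gets the new wording. The earlier occurrence on this page still reads "This setting is not available if you previously selected **Malware attachment** or **Link to malware**", so the same setting is now documented with two different availability rules. Update both occurrences, or explain why the rule differs between the two landing page options.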
security Configure Anti Malware Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/configure-anti-malware-policies.md
Creating a custom anti-malware policy in the Microsoft 365 Defender portal creat
- **Notify an admin about undelivered messages from internal senders**: If you select this option, enter a notification email address in the **Admin email address** box that appears. - **Notify an admin about undelivered messages from external senders**: If you select this option, enter a notification email address in the **Admin email address** box that appears.
+ > [!NOTE]
+ > Admin notifications are sent only for _attachments_ that are classified as malware.
+ - **Customize notifications**: These settings replace the default notification text that's used for senders or admins. For more information about the default values, see [Anti-malware policies](anti-malware-protection.md#anti-malware-policies). - **Use customized notification text**: If you select this option, you need to use the **From name** and **From address** boxes to specify the sender's name and email address that's used in the customized notification message. - **Customize notifications for messages from internal senders**: If you chose to notify senders or admins about undeliverable messages from internal senders, you need to use the **Subject** and **Message** boxes to specify the subject and message body of the custom notification message.
test-base Faq https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/test-base/faq.md
Title: Test Base FAQ description: Review frequently asked questions search.appverid: MET150--++ audience: Software-Vendor
f1.keywords: NOCSH
# Test Base FAQ
-**Q: How do we submit our packages to Test Base team?**
+**Q: How do we submit our packages to the Test Base team?**
**A:** Submit your packages directly to the Test Base environment using our self-serve portal. To submit your application package, navigate to the [Azure Portal](https://www.aka.ms/testbaseportal "Test Base Homepage") and upload a zipped folder containing your application's binaries, dependencies, and test scripts via the self-serve Test Base portal dashboard.
-Please see the onboarding user guide for more information or contact our team at <testbasepreview@microsoft.com> for assistance and more information.
+See the onboarding user guide for more information or contact our team at <testbasepreview@microsoft.com> for assistance and more information.
**Q: What are Out-of-box (OOB) tests?**
The Out-of-box (OOB) tests provide you with standardized telemetry on your appli
**Q: Can we submit tests outside of the Out-of-box tests (install, launch, close, uninstall test scripts)?** **A:** Yes, customers can also upload application packages for **functional tests** via the self-serve portal dashboard.
-**Functional tests** are tests that enable customers execute their scripts to run custom functionality on their application.
+**Functional tests** are tests that enable customers to execute their scripts to run custom functionality on their application.
## Testing **Q: Do you support functional tests?**
-**A:** Yes, Test Base supports functional tests. Functional tests are tests that enable our customers execute their scripts to run custom functionality on their application.
+**A:** Yes, Test Base supports functional tests. Functional tests are tests that enable our customers to execute their scripts to run custom functionality on their application.
-To submit your application package for functional testing, simply upload the zipped folder containing your application's binaries, dependencies, and test scripts via our self-serve portal dashboard.
+To submit your application package for functional testing, upload the zipped folder containing your application's binaries, dependencies, and test scripts via our self-serve portal dashboard.
-Please see the onboarding user guide for more information or contact our team at <testbasepreview@microsoft.com> for assistance and more information.
+See the onboarding user guide for more information or contact our team at <testbasepreview@microsoft.com> for assistance and more information.
**Q: How does Test Base handle our test data?**
You will also need to provide (upload) the dependent binaries of the required fr
**A:** For each test that we run against the pre-release builds, we will provide results within 48 hours on your [Azure Portal](https://www.aka.ms/testbaseportal "Test Base Homepage") dashboard.
-**Q: Can you reboot after install?**
+**Q: Can you reboot after installation?**
**A:** Yes, our process supports rebooting after installation. Be sure to select this option from the ΓÇ£Optional settingsΓÇ¥ drop list when setting your **Tasks** on the onboarding portal.
While for functional tests, you can specify whether a reboot is required for eac
**Q: What is the difference between Security Update tests and Feature Update tests?**
-**A:** For Security update tests, we test against the **<ins>monthly pre-release security updates</ins>** on Windows which are focused on keeping our users always secure and protected. For the Feature update tests, we test against the **<ins>bi-annual pre-release feature updates</ins>** which introduces new features and capabilities on Windows.
+**A:** For Security update tests, we test against the **<ins>monthly pre-release security updates</ins>** on Windows, which is focused on keeping our users always secure and protected. For the Feature update tests, we test against the **<ins>bi-annual pre-release feature updates</ins>** which introduce new features and capabilities on Windows.
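Review bot: The new wording "on Windows, which is focused on keeping our users always secure and protected" breaks subject-verb agreement in the first sentence of this answer. The clause describes the plural "monthly pre-release security updates", so with the added comma and "is" it now reads as if Windows is the thing that is focused on security. Suggest "on Windows, which are focused on ..." and, for consistency, a comma before "which introduce" in the Feature update sentence.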
## Debugging options
In addition to pre-release security updates testing, we support pre-release feat
**Q: Is there a cost associated with the service?**
-**A:** The Test Base service will be free to users until General Availability (GA). At that time, we will announce a cost structure that will be in effect for all customers.
+**A:** Effective 1 March 2022, youΓÇÖll be provided with 100 free hours (valued at $800) expiring in 6 months under your subscription for your validation needs. After the free hours get consumed (or expired before used), youΓÇÖll automatically be metered at $8 per hour against your usage.ΓÇ»
**Q: How can I provide feedback about Test Base?**
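Review bot: The added pricing answer does not say what the 6-month expiry is measured from. "100 free hours ... expiring in 6 months under your subscription" could mean six months from 1 March 2022, from subscription creation, or from onboarding, and that matters to a customer planning validation runs. The phrasing "After the free hours get consumed (or expired before used)" is also ungrammatical; suggest "After the free hours are consumed (or expire unused), usage is metered at $8 per hour." Since the rate and the free allowance are hard-coded in an FAQ answer, consider linking to the authoritative pricing page so the numbers do not drift.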
test-base Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/test-base/overview.md
Title: 'Overview' description: Understanding Test Base search.appverid: MET150--++ audience: Software-Vendor
This guide is divided into four (4) parts to ensure a hitch free experience whil
4. The **Reference** section that provides answers to the typical questions we receive from our customers.
-## Test Base is in public preview!
+## Test Base has reached general availability
-Test Base has officially been declared `Public Preview` during the Microsoft Inspire conference in July 2021.
+Test Base has officially been declared General Availability during the Microsoft Ignite conference in November 2021.
This means anyone with a valid enterprise Azure account is able to onboard their test collateral and quickly start testing their applications on the service.
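Review bot: "Test Base has officially been declared General Availability" in the added line is awkward. Suggest "Test Base became generally available during the Microsoft Ignite conference in November 2021", with "general availability" cased the same way as in the new heading. The unchanged sentence that follows ("This means anyone with a valid enterprise Azure account is able to onboard ...") was written for the public preview announcement, so check that it still describes the general availability terms, given that the FAQ change in this same update introduces metered billing from 1 March 2022.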