+ Title: "Copilot for Microsoft 365 features adoption using organizational messages"

+description: "Learn how you can use organizational messages to help with the adoption of Copilot for Microsoft 365."

+# Copilot for Microsoft 365 features adoption using organizational messages

+To help with the adoption of Copilot for Microsoft 365 features, organizational messages in Microsoft 365 usage analytics report enable admins to send messages to their Microsoft 365 licensed users who haven't recently used any Copilot features. In the pipeline, we're planning to expand organizational messages across platforms like Teams, Outlook, Excel, PowerPoint, and Word to further enhance the adoption of specific Copilot features.

+To preview organizational messages in the Copilot for Microsoft 365 usage report, you need to have one of the following admin roles:

+Within the **Message** section of the Organizational messages panel, choose one from the set of the pre-made content, each containing a title, message, and link for your users to visit when they interact with the message. You can then review what the message will look like to your targeted users within the **Preview** section. In the preview, we support the Windows 11 notification and Teaching popover in new Teams.

+*The users see the Windows 11 notification recommending they use Copilot for Microsoft 365.*

+*The users see Teams in-product Teaching Popovers in the new Teams recommending they use Copilot in Teams.*

+>[!NOTE]

+> Organizational messages will only show up in the new Teams.

+For this Copilot awareness scenario, the recipients of your message are, by default, selected based on their activities. Accordingly, within the Recipients section, your messages' recipient list will, at minimum, include users in your tenant who have Microsoft 365 licenses but have not actively used any Copilot for Microsoft 365 features in the past month. You can further restrict the message to be seen only by members of the Microsoft 365 group you specify with the **Filter by Microsoft 365 Group** component.

+In this preview, we support the teaching call-out and business bars in Word, Excel, PowerPoint, Outlook Desktop Apps, and new Teams.

+*The user sees an in-product notification recommending they use interactive features during Teams meetings.*

+1. Sign in to the [admin center](https://admin.microsoft.com/) as a global administrator and go to **Reports** \> **Adoption Score**.

+1. Under the **Organizational Messages** tab, select **Allow approved admins to send in-product recommendations to specified users**.

+2. Select **Apply filter** \> **Choose organizational attribute**.

+### Why does the total number of messages seen differ from the expected number?

+### How can I test the messages before sending them to users of my entire company?

+You can send messages to specific Microsoft Entra groups, such as your IT department. See [Select the recipients](#step-2-select-the-recipients) for details.

+### What is the recommended time frame window for the messages?

+As the frequency of the messages is at most once a week, the recommended minimum duration is one month. The recommended length of the time window is 12 months. The recipient's list is refreshed daily. Your messages will always be sent to users who haven't adopted the recommended practices in the last 28 days. Messages won't repeatedly send to users who have already adopted.

+### Will I be able to customize the text in the messages?

+Not currently, but additional customization options will be enabled in future releases.

+- commerce_billing

+- Tier1

+- Tier1

+- commerce_licensing

+- empty

+- Tier2

+- commerce_purchase

+- Tier1

+- Tier1

+If you plan to move a user to another subscription that has fewer data-related services, or a user leaves the organization, you can download a copy of their data stored in Microsoft 365 before they're switched to the new subscription.

+### Save files stored in OneDrive

+Before you switch user to a different subscription, they can [download files and folders from OneDrive or SharePoint](https://support.microsoft.com/office/5c7397b7-19c7-4893-84fe-d02e8fa5df05) to a different location, such as a folder on their computer's hard drive, or a file share on the organization's network.

+However, as long as the new subscription is within the same organization as the one they're switched from, users can still access the SharePoint team site. They can view and update notebooks, documents, tasks, and calendars by using the direct URL to the team site.

+By default, the URL of the team website is in the form

+`https://<orgDomain>/_layouts/15/start.aspx#/SitePages/Home.aspx`, where _\<orgDomain\>_ is the organization's URL.

+Users can also download SharePoint Online documents from the SharePoint team site to their local computer or to another location at any time.

+- Tier1

+- Tier1

+- commerce_signup

+- commerce_subscriptions

+- commerce_billing

+ :::image type="content" source="media/event-side-panel.png" alt-text="Screenshot of the event side panel." lightbox="media/event-side-panel.png":::

+ 

+

+

+

+

+> [!NOTE]

+> For this feature to work on Windows Server 2016 and Windows Server 2012 R2, those devices must be onboarded using the instructions in [Onboard Windows servers](configure-server-endpoints.md#windows-server-2012-r2-and-windows-server-2016).

+> Custom file indicators with the Allow, Block and Remediate actions are now also available in the [enhanced antimalware engine capabilities for macOS and Linux](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/enhanced-antimalware-engine-capabilities-for-linux-and-macos/ba-p/3292003).

+Understand the following prerequisites before you create indicators for files:

+- This feature is available if your organization uses [Microsoft Defender Antivirus](microsoft-defender-antivirus-windows.md) (in active mode)

+- [Behavior Monitoring is enabled](/microsoft-365/security/defender-endpoint/behavior-monitor)

+- [Cloud-based protection is turned on](/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).

+- [Cloud Protection network connectivity is functional](/microsoft-365/security/defender-endpoint/configure-network-connections-microsoft-defender-antivirus)

+- The Antimalware client version must be `4.18.1901.x` or later. See [Monthly platform and engine versions](microsoft-defender-antivirus-updates.md#monthly-platform-and-engine-versions)

+- This feature is supported on devices running Windows 10, version 1703 or later, Windows 11, Windows Server 2012 R2, Windows Server 2016 or later, Windows Server 2019, or Windows Server 2022.

+- In `Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\MpEngine\`, the file hash computation feature should be set to **Enabled**

+

+- To start blocking files, [turn on the "block or allow" feature](advanced-features.md) in Settings (in the [Microsoft Defender portal](https://security.microsoft.com), go to **Settings** > **Endpoints** > **General** > **Advanced features** > **Allow or block file**).

+This feature is designed to prevent suspected malware (or potentially malicious files) from being downloaded from the web. It currently supports portable executable (PE) files, including `.exe` and `.dll` files. Coverage is extended over time.

+ - Indicator: Specify the entity details and define the expiration of the indicator.

+ - Action: Specify the action to be taken and provide a description.

+ - Scope: Define the scope of the device group (scoping isn't available in [Defender for Business](../defender-business/mdb-overview.md)).

+ > [!NOTE]

+ > Device Group creation is supported in both Defender for Endpoint Plan 1 and Plan 2

+## Alerting on file blocking actions (preview)

+## Advanced hunting capabilities (preview)

+Currently in preview, you can query the response action activity in advance hunting. Below is a sample advance hunting query:

+- `EUS:Win32/CustomEnterpriseBlock!cl`

+- `EUS:Win32/CustomEnterpriseNoAlertBlock!cl`

+- `EUS:Win32/CustomCertEnterpriseBlock!cl`

+Cert and File IoC policy handling conflicts follow this order:

+1. If the file isn't allowed by Windows Defender Application Control and AppLocker enforce mode policies, then **Block**.

+2. Else, if the file is allowed by the Microsoft Defender Antivirus exclusions, then **Allow**.

+3. Else, if the file is blocked or warned by a block or warn file IoCs, then **Block/Warn**.

+4. Else, if the file is blocked by SmartScreen, then **Block**.

+5. Else, if the file is allowed by an allow file IoC policy, then **Allow**.

+6. Else, if the file is blocked by attack surface reduction rules, controlled folder access, or antivirus protection, then **Block**.

+7. Else, **Allow** (passes Windows Defender Application Control & AppLocker policy, no IoC rules apply to it).

+> In situations when Microsoft Defender Antivirus is set to **Block**, but Defender for Endpoint indicators for file hash or certificates are set to **Allow**, the policy defaults to **Allow**.

+If there are conflicting file IoC policies with the same enforcement type and target, the policy of the more secure (meaning longer) hash is applied. For example, an SHA-256 file hash IoC policy takes precedence over an MD5 file hash IoC policy if both hash types define the same file.

+Microsoft Defender Vulnerability Management's block vulnerable application features uses the file IoCs for enforcement and follows the conflict handling order described earlier in this section.

+ - [RHEL and variants (CentOS, Fedora, Oracle Linux, Amazon Linux 2, Rocky, and Alma)](#rhel-and-variants-centos-fedora-oracle-linux-amazon-linux-2-rocky-and-alma-1)

+ |For RHEL/Centos/Oracle 8.0-8.9|<https://packages.microsoft.com/config/rhel/8/prod.repo>|

+ If `gpg` isn't available, then install `gnupg`.

+### RHEL and variants (CentOS, Fedora, Oracle Linux, Amazon Linux 2, Rocky, and Alma)

+ If you're running RHEL 8.x or Ubuntu 20.04 or higher, you need to use `python3`.

+ For the rest of distros and versions, you need to use `python`.

+ - The file should be quarantined by Defender for Endpoint on Linux. Use the following command to list all the detected threats:

+- For DEBIAN, the mde-netfilter package requires "libnetfilter-queue1", "libglib2.0-0"

+- For RPM, the mde-netfilter package requires "libmnl", "libnfnetlink", "libnetfilter_queue", "glib2"

+- For Mariner, the mde-netfilter package requires "libnfnetlink", "libnetfilter_queue"

+ > In case of Oracle Linux and Amazon Linux 2, replace *[distro]* with "rhel". For Amazon Linux 2, replace *[version]* with "7". For Oracle Linux, replace *[version]* with the version of Oracle Linux.

+> In the event eBPF doesn't become enabled or is not supported on any specific kernel, it will automatically switch back to auditd and retain all auditd custom rules.

+You can also check the status of eBPF (enabled/disabled) on your linux endpoints using advanced hunting in the Microsoft Defender Portal. Steps are as follows:

+- [Microsoft Defender for Endpoint Plan 1 and Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037)

+This article provides some general steps that can be used to narrow down performance issues related to Defender for Endpoint on macOS.

+Depending on the applications that you're running and your device characteristics, you might experience suboptimal performance when running Microsoft Defender for Endpoint on macOS. In particular, applications or system processes that access many resources over a short timespan can lead to performance issues in Defender for Endpoint on macOS.

+> Before you perform the procedures described in this article, make sure that other security products are not currently running on the device. Multiple security products can conflict and impact the host performance.

+## Troubleshoot performance issues using real-time protection statistics

+- Only performance issues related to Microsoft Defender Antivirus (`wdavdaemon_unpriviliged`).

+Prerequisites:

+- Microsoft Defender for Endpoint version (Platform Update) 100.90.70 or newer

+- If you have [Tamper protection](tamperprotection-macos.md) turned on in block mode, use [Troubleshooting mode](mac-troubleshoot-mode.md) to capture real-time-protection-statistics. Otherwise, you will get null results.

+To troubleshoot and mitigate such issues, follow these steps:

+1. Disable real-time protection by using one of the methods in the following table, and then observe whether performance improves. This approach helps narrow down whether Microsoft Defender for Endpoint on macOS is contributing to the performance issues.

+ | Device management | Method |

+ ||--|

+ | Device isn't managed by organization | **User interface**: Open Microsoft Defender for Endpoint on macOS and navigate to **Manage settings**. |

+ | Device isn't managed by organization | **Terminal**: In Terminal, run the following command: `mdatp config real-time-protection --value disabled` |

+ | Device is managed by organization | See [Set preferences for Microsoft Defender for Endpoint on macOS](mac-preferences.md). |

+ If the performance problem persists while real-time protection is off, the origin of the problem could be the endpoint detection and response component. In this case, contact customer support for further instructions and mitigation.

+2. Open Finder and navigate to **Applications** > **Utilities**. Open **Activity Monitor** and analyze which applications are using the resources on your system. Typical examples include software updaters and compilers.

+3. This feature requires real-time protection to be enabled. To check the status of real-time protection, run the following command:

+ ```bash

+ mdatp health --field real_time_protection_enabled

+ ```

+ Verify that the **real_time_protection_enabled** entry is *true*. Otherwise, run the following command to enable it:

+ ```bash

+ mdatp config real-time-protection --value enabled

+ ```

+ ```output

+ Configuration property updated

+ ```

+4. To find the applications that are triggering the most scans, you can use real-time statistics gathered by Defender for Endpoint on macOS. Run the following command:

+ ```bash

+ mdatp config real-time-protection-statistics --value enabled.

+ ```

+ This feature requires real-time protection to be enabled. To check the status of real-time protection, run the following command:

+ ```bash

+ mdatp diagnostic real-time-protection-statistics --output json > real_time_protection.json

+ ```

+ > [!NOTE]

+ > Using `--output json` (note the double dash) ensures that the output format is ready for parsing. The output of this command will show all processes and their associated scan activity.

+5. On your Mac system, download the sample Python parser `high_cpu_parser.py` using the command:

+ ```bash

+ curl -O https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/linux/diagnostic/high_cpu_parser.py

+ ```

+ The output of this command should be similar to the following:

+ ```Output

+ --2020-11-14 11:27:27-- https://raw.githubusercontent.com/microsoft.

+ mdatp-xplat/master/linus/diagnostic/high_cpu_parser.py

+ Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.xxx.xxx

+ Connecting to raw.githubusercontent.com (raw.githubusercontent.com)| 151.101.xxx.xxx| :443... connected.

+ HTTP request sent, awaiting response... 200 OK

+ Length: 1020 [text/plain]

+ Saving to: 'high_cpu_parser.py'

+ 100%[===========================================>] 1,020 --.-K/s in

+ 0s

+ ```

+6. Type the following commands:

+ ```bash

+ chmod +x high_cpu_parser.py

+ ```

+ ```bash

+ cat real_time_protection.json | python high_cpu_parser.py > real_time_protection.log

+ ```

+ The output should be a list of the top contributors to performance issues. The first column is the process identifier (PID), the second column is the process name, and the last column is the number of scanned files, sorted by impact. Here's an example:

+ ```output

+ ... > python ~/repo/mdatp-xplat/linux/diagnostic/high_cpu_parser.py <~Downloads/output.json | head -n 10

+ 27432 None 76703

+ 73467 actool 1249

+ 73914 xcodebuild 1081

+ 73873 bash 1050

+ 27475 None 836

+ 1 launchd 407

+ 73468 ibtool 344

+ 549 telemetryd_v1 325

+ 4764 None 228

+ 125 CrashPlanService 164

+ ```

+7. To improve the performance of Defender for Endpoint on Mac, locate the one with the highest number under the **Total files scanned** row, and then add an exclusion for it. For more information, see [Configure and validate exclusions for Defender for Endpoint on macOS](mac-exclusions.md).

+ > [!NOTE]

+ > The application stores statistics in memory and only keeps track of file activity since it was started and real-time protection was enabled. Processes that were launched before or during periods when real time protection was off are not counted. Additionally, only events which triggered scans are counted.

+7. Configure Microsoft Defender for Endpoint on macOS with exclusions for the processes or disk locations that contribute to the performance issues and re-enable real-time protection.

+ See [Configure and validate exclusions for Microsoft Defender for Endpoint on macOS](mac-exclusions.md).

+## Troubleshoot performance issues using Microsoft Defender for Endpoint Client Analyzer

+The Microsoft Defender for Endpoint Client Analyzer (MDECA) can collect traces, logs, and diagnostic information in order to troubleshoot performance issues on [onboarded devices](/microsoft-365/security/defender-endpoint/onboard-configure) on macOS.

+To run the client analyzer for troubleshooting performance issues, see [Run the client analyzer on macOS and Linux](run-analyzer-macos-linux.md).

+>

+> - The Microsoft Defender for Endpoint Client Analyzer tool is regularly used by Microsoft Customer Support Services (CSS) to collect information such as (but not limited to) IP addresses, PC names that will help troubleshoot issues you may be experiencing with Microsoft Defender for Endpoint. For more information about our privacy statement, see [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement).

+> - As a general best practice, it is recommended to update the [Microsoft Defender for Endpoint agent to latest available version](linux-whatsnew.md) and confirming that the issue still persists before investigating further.

+- For [device control](device-control-overview.md) customers using removable media policies with disk/device-level access only (masks that include the values 1, 2, 3, 4, and 7), enforcement might not work as expected. In such situations, we recommend customers roll back to the previous version of the Defender platform.

+ :::image type="content" source="media/f91f406e6e0aae197a947d3b0e8b2d0d.png" alt-text="The attack surface reduction rules reports1" lightbox="media/f91f406e6e0aae197a947d3b0e8b2d0d.png":::

+2. [Enable attack surface reduction rules](attack-surface-reduction-rules-deployment.md).

+5. Enable [removable storage protection](device-control-overview.md).

+7. Enable [Web protection](web-protection-overview.md).

+ - Controlled folder access events custom view: *cfa-events.xml*

+ - Exploit protection events custom view: *ep-events.xml*

+ - Attack surface reduction events custom view: *asr-events.xml*

+ - Network/ protection events custom view: *np-events.xml*

+ > 

+ > 

+3. Double-click on the sub item to see events. Scroll through the events to find the one you're looking.

+ 

+ - **Send a copy of suspicious outbound that exceed these limits to these users and groups**: This setting adds the specified recipients to the Bcc field of suspicious outbound messages that were marked as spam, phishing, or malware.